PAN-OS 7.1.9 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS® 7.1.9 release. For new features, associated software versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Starting with PAN-OS 7.1.5, all unresolved known issues and any newly addressed issues in these release notes are identified using new issue ID numbers that include a product-specific prefix. Issues addressed in earlier releases and any associated known issue descriptions continue to use their original issue ID.
Issue ID Description
WF500-3605 Fixed an issue where the WF-500 appliance created too many logs when generating PDF reports.
PAN-76265 Fixed an issue where the firewall failed to retrieve user groups from an LDAP server because the server response did not have a page control value.
PAN-75048 Fixed an issue where the firewall used the default route (instead of the next best available route) when the eBGP next hop was unavailable, which resulted in dropped packets. Additionally with this fix, the default time-to-live (TTL) value for a single hop eBGP peer is changed to 1 (instead of 2).
PAN-75005 Fixed an issue where loading a configuration other than running-config.xml when downgrading from PAN-OS 7.1.8 to a PAN-OS 7.0 release removed authentication profiles from GlobalProtect portals and gateways, which caused an auto-commit failure.
PAN-74161 Fixed an issue where firewalls configured in a virtual wire deployment where Spanning Tree Protocol (STP) bridge protocol data unit (BPDU) packets were dropped.
PAN-74128 Fixed an issue where a session caused the dataplane to restart if the session was active during and after you installed a content update on the firewall and the update contained a decoder change.
PAN-74048 Fixed an issue where numerous NSX dynamic address updates caused Panorama to perform slower and to delay deployment of updates to firewalls. With this fix, you can use the request partner vmware-service-manager dau-updater-time-interval time-interval <time_interval_in_seconds> CLI command to set the interval at which Panorama processes the NSX dynamic updates.
PAN-72779 Fixed an issue where the Panorama management server restarted after you installed the latest content database.
PAN-72769 A security-related fix was made to prevent brute-force attacks on the GlobalProtect external interface (CVE-2017-7945).
PAN-72350 Fixed an issue where high-volume SSL traffic intermittently added latency to SSL sessions.
PAN-71530 Fixed an issue where LDAP authentication failed intermittently when the firewall tried to connect to the LDAP server through a service route or after HA failover.
PAN-71455 Fixed an issue where users could not access a secure website if the certificate authority that signed the web server certificate also signed multiple certificates with the same subject name in the Default Trusted Certificate Authorities list on the firewall.
PAN-71319 Updated PAN-OS to address NTP issues (CVE-2016-7433).
PAN-71284 Fixed an issue where Panorama failed to deploy BrightCloud URL filtering database updates to firewalls.
PAN-71073 Fixed an issue where a commit associated with a dynamic update caused an HA failover when the path-monitoring target IP address aged out or when the first path-monitoring health check failed.
PAN-71004 Fixed an issue where, when the firewall killed a process (l3svc), the process produced child processes that continued running. With this fix, the firewall cleans up the child processes before respawning the l3svc process.
PAN-70620 Fixed an issue where an uninitialized general-purpose I/O (GPIO) controller driver caused the firewall to become unresponsive and require a reboot.
PAN-70541 A security-related fix was made to address an information disclosure issue that was caused by a firewall that did not properly validate certain permissions when administrators accessed the web interface over the management (MGT) interface (CVE-2017-7644).
PAN-70483 Fixed an issue on M-Series appliances in Panorama mode where Security policy rules did not display shared service groups in the service drop-down on the Service/URL Category tab if the drop-down had 5,000 or more entries.
PAN-70436 A security-related fix was made to prevent tampering with files that are exported from the firewall web interface (CVE-2017-7217).
PAN-70434 A security-related fix was made to prevent inappropriate disclosure of information through the firewall web interface (CVE-2017-721).
PAN-70426 A security-related fix was made to prevent firewall administrators from performing actions through the web interface that require higher privileges than their administrator roles allow (CVE-2017-7218).
PAN-70345 Fixed an issue where the M-Series appliances did not forward logs to a syslog server over TCP ports.
PAN-70323 Fixed an issue where firewalls running in FIPS-CC mode did not allow import of SHA-1 CA certificates even when the private key was not included; instead, firewalls displayed the following error: Import of <cert name> failed. Unsupported digest or keys used in FIPS-CC mode .
PAN-69882 Fixed an issue where firewalls that had multiple virtual systems and that were deployed in an HA active/active configuration dropped TCP sessions.
PAN-69622 Fixed an issue where the firewall did not properly close a session after receiving a reset (RST) message from the server when the SYN Cookies action was triggered.
PAN-68934 Fixed an issue where the SNMP object panSessionActiveSslProxyUtilization contained inaccurate data.
PAN-68873 Fixed an issue where customizing the block duration for threat ID 40015 in a Vulnerability Protection profile did not adhere to the defined block interval. For example, if you set the Number of Hits (SSH hello messages) to 3 and per seconds to 60 , after three consecutive SSH hello messages from the client, the firewall failed to block the client for the full 60 seconds.
PAN-68520 Fixed an issue where having multiple IPSec IKE gateways configured to the same peer IP address caused VPN tunnels to flap.
PAN-68431 Fixed an issue where firewalls and Panorama failed to send SNMPv3 traps if you configured the service route to forward the traps over a dataplane interface.
PAN-68210 Fixed an issue where administrators with custom roles could not use the firewall CLI to change the HA state or initiate HA synchronization for the firewall.
PAN-68185 Fixed an issue where the 7.1 SNMP traps MIB file ( had an incorrect description for the panHostname attribute.
PAN-67629 Fixed an issue where existing users were removed from user-group mappings when the Active Directory (AD) did not return an LDAP Page Control in response to an LDAP refresh, which resulted in the following User-ID (useridd) logs: debug: pan_ldap_search(pan_ldap.c:602): ldap_parse_result error code: 4 Error: pan_ldap_search(pan_ldap.c:637): Page Control NOT found
PAN-67599 In PAN-OS 7.0 and 7.1 releases, a restriction was added to prevent an administrator from configuring OSPF router ID This restriction is removed in PAN-OS 7.1.9.
PAN-67503 Fixed an issue where the firewall automatically rebooted when you ran a Correlated Events query with more than 15 OR operators.
PAN-67029 Fixed an issue where the firewall stopped forwarding logs to external services (such as a syslog server) after the firewall management server restarted unexpectedly.
PAN-66610 Fixed an issue where memory usage errors occurred if the PAN-OS integrated User-ID agent was monitoring numerous servers for login events. With this fix, the User-ID agent queries five servers at a time to prevent the firewall from exhausting memory. If you check Status ( Device > User Identification > User Mapping > Server Monitoring) during the initial attempt by the PAN-OS integrated User-ID agent to learn IP address-to-username mappings (or relearn mappings after a User-ID process restart, HA failover, or firewall reboot), you will see Connected status only for those servers for which the agent has already begun to learn mappings. All servers will display as Connected when the agent begins to learn mappings for the last set of servers.
PAN-66399 Fixed an issue where the active firewall in an HA active/passive configuration did not synchronize GlobalProtect certificates with the passive firewall, which caused a commit failure on the passive firewall.
PAN-66104 Fixed an issue where the firewall displayed shared response pages instead of the custom response pages (Captive Portal, URL continue, and URL override) that were configured for specific virtual systems.
PAN-65969 Fixed an issue on PA-7000 Series firewalls where the Switch Management Card (SMC) restarted due to false positive conditions (ATA errors) detected during a disk check.
PAN-65939 Fixed an issue where you could not download WildFire private cloud updates because the firewall checked for the updates using a proxy server even when you configured the firewall not to Use Proxy Settings for Private Cloud ( Device > Setup > WildFire).
PAN-65669 Fixed an issue where the firewall did not apply a VLAN tag to BFD traffic on a VLAN subinterface.
PAN-64436 Fixed an issue on PA-7000 Series firewalls where creation of IGMP sessions failed because they were stuck in an OPENING state or the wrong state.
PAN-64317 Fixed an issue where IPv6 neighbor discovery failed intermittently due to a corrupted neighbor table.
PAN-63856 Fixed an issue where memory issues caused User-ID processes to restart when multiple firewalls redistributed a large number of IP address-to-username mappings.
PAN-63641 Fixed an issue where the firewall failed to establish connections from some virtual systems to Windows-based User-ID agents and Terminal Services agents.
PAN-63520 Fixed an issue where the firewall used the wrong source zone when logging virtual system-to-virtual system sessions.
PAN-63013 Fixed an issue where a commit validation error displayed when Panorama running a PAN-OS 7.1 or later release pushed a template configuration with a modified WildFire File Size Limits setting ( Device > Setup > WildFire) to a firewall running a PAN-OS 7.1 or earlier release.
PAN-62622 Fixed an issue where Traffic logs indicated a session was decrypted even though it matched a Decryption policy rule that specifies no decryption and even though no decryption occurred.
PAN-62338 Fixed an issue where the firewall performed NAT translation incorrectly on the passive IP address in data packets when sending passive FTP connections over a proxy tunnel.
PAN-62015 Fixed an issue on PA-7000 Series firewalls where, when creating the key for a GRE packet, the firewall did not use the same default values for the source and destination ports in the hardware and software, which slowed the firewall performance.
PAN-61439 Fixed an issue where a Panorama management server that was not connected to the internet failed to deploy content updates to Log Collectors when you chose to Install From File.
PAN-61300 Fixed an issue where removing and adding a large number of Security policy rules caused Traffic logs to lose their rule name field, which resulted in a commit failure.
PAN-61252 Fixed an issue on firewalls in an HA active/active configuration where the floating IP address was not active on the secondary firewall after the link went down on the primary firewall.
PAN-60333 Fixed an issue where the firewall deployed in an HA active/active configuration with asymmetric routing dropped packets in TCP, ICMP, and UDP traffic.
PAN-59654 Fixed an issue where commits failed on the firewall after upgrading from a PAN-OS 6.1 release due to incorrect settings for the HexaTech VPN application on the firewall. With this fix, upgrading from a PAN-OS 6.1 release to PAN-OS 7.1.9 (or a later release) does not cause commit failures related to these settings.
PAN-59542 Fixed an issue on firewalls with multiple virtual systems where the web interface displayed the Trusted Root CA option as disabled in certificates for which the option was actually enabled.
PAN-59275 Fixed an issue where processing Oracle application traffic caused the firewall to reboot.
PAN-58382 Fixed an issue where users were matched to the incorrect security policies.
PAN-58212 Fixed an issue where the dataplane restarted unexpectedly when firewalls deployed in an HA configuration missed heartbeats.
PAN-57888 Fixed an issue where the App Scope Traffic Map did not display the correct location of Samoa.
PAN-57529 Fixed an issue where the firewall acted as a DHCP relay and no wireless devices on a VLAN received a DHCP address (all other devices on the VLAN did receive a DHCP address). With this fix, all devices on a VLAN receive a DHCP address when the firewall acts as a DHCP relay.
PAN-57520 Fixed an issue where firewalls stopped connecting to Panorama when the root CA server certificate on Panorama expired. With this fix, Panorama replaces the original certificate with a new certificate that expires in 2024.
PAN-57440 Fixed an issue where OSPFv3 link-state updates were sent with the incorrect OSPF checksum when the OSPF packet needed to advertise more link-state advertisements (LSAs) than fit into a 1,500-byte packet. With this fix, the firewall sends the correct OSPF checksum to neighboring switches and routers even when the number of LSAs doesn’t fit into a 1,500-byte packet.
PAN-57349 Fixed an issue where numerous SSL sessions exhausted the memory pool that the firewall required to insert new certificates in its certificate cache.
PAN-57155 Fixed an issue where custom reports did not display a value for Day Received when running the report on demand ( Run Now) while the web interface language was set to Japanese. (This was not an issue when exporting the report as a PDF, CSV, or XML file.)
PAN-55536 Fixed an issue where commit failures caused by the firewall commit queue being full did not display the correct error message.
PAN-55048 Fixed an issue where the firewall did not forward logs in the syslog format that you selected.
PAN-52739 Fixed an issue where virtual system administrators saw commit warnings for virtual systems that were outside the scope of their administrative role privileges.
PAN-49764 Fixed an issue where SNMP traps that the firewall generated did not include its system name or hostname.

Related Documentation