PAN-OS 8.0.0 Addressed Issues
The following tables lists the issues that are addressed in the PAN-OS® 8.0.0 release. For new features, associated software versions, known issues, and changes in default behavior in PAN-OS 8.0 releases, see PAN-OS 8.0 Release Information.
Issue ID Description
PAN-76702 Fixed an issue where several dataplane processes stopped responding when the firewall processed VPN traffic with IP packet chains, which were usually triggered by IP fragmentation or SSL decryption operations.
PAN-72346 Fixed an issue where exporting botnet reports failed with the following error: Missing report job id .
PAN-72242 Fixed an issue where configuring a source address exclusion in Reconnaissance Protection tab under zone protection profile was not allowed.
PAN-71892 Fixed an issue where an LDAP profile did not use the configured port; the profile used the default port, instead.
PAN-71615 Fixed an issue where the intrazone block rule shadowed the universal rule that has different source and destination zones.
PAN-71400 Fixed an issue where the DNS Proxy feature did not work because the associated process ( dnsproxy ) stopped running on a firewall that had an address object ( Objects > Address) with the same FQDN as one of the Static Entries in a DNS proxy configuration ( Network > DNS Proxy).
PAN-71384 Fixed an issue with the passive firewall in an HA configuration that had LACP pre-negotiation enabled where the firewall stopped correctly processing LACP BPDU packets through an interface that had previously physically flapped.
PAN-71311 Fixed an issue where, if you configured a User-ID agent with an FQDN instead of an IP address ( Device > User Identification > User-ID Agents), the firewall generated a System log with the wrong severity level ( informational instead of high ) after losing the connection to the User-ID agent.
PAN-71307 Fixed an issue where the scp stats-dump report did not run correctly because source (src) and destination (dst) options were determined to be invalid arguments.
PAN-71192 Fixed an issue where performing a log query or log export with a specific number of logs caused the management server to stop responding. This occurred only when the number of logs was a multiple of 64 plus 63. For example, 128 is a multiple of 64 and if you add 63 to 128 that equals 191 logs. In this case, if you performed a log query or export and there were 191 logs, the management server stopped responding.
PAN-70969 Fixed an issue on a virtual wire where, if you enabled Link State Pass Through ( Network > Virtual Wires), there were significant delays in link-state propagation or even instances where an interface stayed down permanently even when ports were re-enabled on the neighbor device.
PAN-70541 A security-related fix was made to address an information disclosure issue that was caused by a firewall that did not properly validate certain permissions when administrators accessed the web interface over the management (MGT) interface (CVE-2017-7644).
PAN-70483 Fixed an issue on an M-Series appliance in Panorama mode where shared service groups did not populate in the service pull down when attempting to add a new item to a security policy. The issue occurred when the drop down contained 5,000 or more entries.
PAN-70428 A security-related fix was made to prevent inappropriate information disclosure to authenticated users (CVE-2017-5583).
PAN-70323 Fixed an issue where firewalls running in FIPS-CC mode did not allow import of SHA-1 CA certificates even when the private key was not included; instead, firewalls displayed the following error: Import of <cert name> failed. Unsupported digest or keys used in FIPS-CC mode.
PAN-70057 Fixed an issue where running the validate option on a candidate configuration in Panorama caused changes to the running configuration on the managed device. The configuration change occurred after a subsequent FQDN refresh occurred.
PAN-69951 Fixed an issue where the firewall failed to forward system logs to Panorama when the dataplane was under severe load.
PAN-69235 Fixed an issue where committing a configuration with several thousand Layer 3 subinterfaces caused the dataplane to stop responding.
PAN-69194 Fixed an issue where performing a device group commit from a Panorama server running version 7.1 to a managed firewalls running PAN-OS 6.1 failed to commit when the custom spyware profile action was set to Drop. With this fix, Panorama translates the action from Drop to Drop packets for firewalls running PAN-OS 6.1, which allows the device group commit to succeed.
PAN-69146 Fixed an issue where the Remote Users link for a gateway ( Network > GlobalProtect > Gateways) became inactive and prevented you from reopening the User Information dialog if you closed the dialog using the Esc key instead of clicking Close.
PAN-68873 Fixed an issue where customizing the block duration for threat ID 40015 in a Vulnerability Protection profile did not adhere to the defined block interval. For example, if you set Number of Hits (SSH hello messages) to 3 and per seconds to 60, after three consecutive SSH hello messages from the client, the firewall failed to block the client for the full 60 seconds.
PAN-68831 Fixed an issue where CSV exports for Unified logs ( Monitor > Logs > Unified) had no log entries if you limited the effective queries to one log type.
PAN-68823 Fixed an issue where custom threat reports failed to generate data when you specified Threat Category for either the Group By or Selected Column setting.
PAN-68766 Fixed an issue where navigating to the IPSec tunnel configuration in a Panorama template caused the Panorama management web interface to stop responding and displayed a 502 Bad Gateway error.
PAN-68658 Fixed an issue where handling out-of-order TCP FIN packets resulted in dropped packets due to TCP reassembly that was out-of-sync.
PAN-68654 Fixed an issue where the firewall did not populate User-ID mappings based on the defined Syslog Parse profiles ( Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Syslog Filters).
PAN-68074 A security-related fix was made to address CVE-2016-5195.
PAN-68034 The show netstat CLI command was removed in the 7.1 release for Panorama, Panorama log collector, and WildFire. With this fix, the show netstat command is reintroduced.
PAN-67987 Fixed an issue where the GlobalProtect agent failed to connect using a client certificate if the intermediate CA is signed using the ECDSA hash algorithm.
PAN-67944 Fixed an issue where a process (all_pktproc) stopped responding because a race condition occurred when closing sessions.
PAN-67639 Fixed an issue where Auth Password and Priv Password for the SNMPv3 server profile were not properly masked when viewing the configuration change in the configuration log.
PAN-67599 In PAN-OS 7.0 and 7.1 releases, a restriction was added to prevent an administrator from configuring OSPF router ID 0.0.0.0. This restriction is removed in PAN-OS 8.0.
PAN-67224 Fixed an issue where the firewall displayed a validation error after Panorama imported the firewall configuration and then pushed the configuration back to the firewall so it could be managed by Panorama. This issue occurred because log forwarding profiles were not replaced with the profiles configured in Panorama. With this fix, Panorama will properly remove the existing configuration on the managed firewall before applying the pushed configuration.
PAN-67090 Fixed an issue where the web interface displayed an obsolete flag for the nation of Myanmar.
PAN-67079 Fixed an issue in PAN-OS 7.1.6 where SSL sessions were discarded if the server certificate chain size exceeded 23KB.
PAN-66873 Fixed an issue where PAN-OS deleted critical content files when the management plane ran out of memory, which caused commit failures until you updated or reinstalled the content.
PAN-66838 A security-related fix was made to address a Cross Site-Scripting (XSS) vulnerability on the management web interface (CVE-2017-5584).
PAN-66675 Fixed an issue where extended packet captures were consuming an excessive amount of storage space in /opt/panlogs.
PAN-66654 Fixed an issue where the status of a tunnel interface remained down even after disabling the tunnel monitoring option for IPSec tunnels.
PAN-66531 Fixed an issue where the Commit Scope column in the Commit window was empty after manually uploading and installing a content update and then committing. Although the content update was not listed under Commit Scope, the commit continued and showed 100% complete.
PAN-66104 Fixed an issue where vsys-specific custom response pages (Captive portal, URL continue, and URL override) did not display; they were replaced by shared response pages, instead.
PAN-65918 Fixed an issue on the Panorama virtual appliance where the third-party backup software BackupExec failed to back up a quiesced snapshot of Panorama (Panorama in a temporary state where all write operations are flushed). With this fix, the VMware Tools bundled with Panorama supports the quiescing option.
PAN-64981 Fixed an issue where an internal buffer could be overwritten, causing the management plane to stop responding.
PAN-64884 Fixed an issue where firewalls in an HA configuration did not synchronize the Layer 2 MAC table; after failover, the MAC table was rebuilt only on the peer that became active, which caused excessive packet flooding.
PAN-64870 Fixed an issue where a zone with the Type set to Virtual Wire ( Network > Zones) dropped all incoming traffic when you configured the Zone Protection profile for that zone with a Strict IP Address Check ( Network > Network Profiles > Zone Protection > Packet Based Attack Protection > IP Drop).
PAN-64723 Fixed an issue where the test authentication CLI command was incorrectly sending vsys-specific information to the User-ID process for group-mapping query that allowed the authentication test to succeed when it should have failed.
PAN-64638 Fixed an issue where the firewall failed to send a RADIUS access request after changing the IP address of the management interface.
PAN-64579 Error message is now displayed when installing apps package manually from file on passive Panorama.
PAN-64525 Fixed an issue where User-ID failed to update the allow list for a group name that was larger than 128 bytes.
PAN-64520 Fixed an issue where H.323-based video calls failed when using source NAT (dynamic or static) due to incorrect translation of the destCallSignalAddress payload in the H.225 call setup.
PAN-64436 Fixed an issue where creation of IGMP sessions failed due to a timeout issue.
PAN-64419 Fixed an issue where firewall displays inconsistent shadow rule warnings during a commit for QOS policies.
PAN-64081 Fixed an issue on PA-5000 Series firewalls where the dataplane stopped responding due to a race condition during hardware offload.
PAN-63969 Fixed an issue on PA-7000 Series firewalls in an HA configuration where the NPC 40Gbps (QSFP) Ethernet interfaces on the passive peer displayed link activity on a neighboring device (such as a switch) to which they connected even though the interfaces were down on the passive peer.
PAN-63925 Fixed an issue where a firewall did not generate a log when a content update failed or was interrupted.
PAN-63908 Fixed an issue where SSH sessions were incorrectly subjected to a URL category lookup even when SSH decryption was disabled. With this fix, SSH traffic is not subject to a URL category lookup when SSH decryption is disabled.
PAN-63612 Fixed an issue where User activity reports on Panorama did not include any entries when there was a space in the Device Group name.
PAN-63520 Fixed an issue where the wrong source zone was used when logging vsys-to-vsys sessions.
PAN-63207 Fixed an issue on PA-7000 Series firewalls where group mappings did not populate when the group include list was pushed from Panorama.
PAN-63054 Fixed an issue on VM-Series firewalls where enabling software QoS resulted in dropped packets under heavy traffic conditions. With this fix, VM-Series firewalls no longer drop packets due to heavy loads with software QoS enabled and software QoS performance in general is improved for all Palo Alto Networks firewalls.
PAN-63013 Fixed an issue where a commit validation error displayed when pushing a template configuration with a modified WildFire file-size setting. With this fix, commit validation takes place on the managed firewall that tries to commit new template values.
PAN-62937 Fixed an issue where establishing an LDAP connection over a slow or unstable connection caused commits to fail when you enabled TLS. With this fix, if you enable TLS, the firewall does not attempt to establish LDAP connections when you perform a commit.
PAN-62797 Fixed an issue where a process (cdb) intermittently restarted, which prevented jobs from completing successfully.
PAN-62513 Fixed an issue on PA-7000 Series firewalls in an active/passive HA configuration where the show high-availability path-monitoring command always showed the NPC as slot 1 even though the path monitoring IP address was assigned to an interface in a different NPC slot. This occurred only when the path monitoring IP address was assigned to an interface in an Aggregate Ethernet (AE) interface group and the interface group was in a slot other than slot 1.
PAN-62057 Fixed an issue where the GlobalProtect agent failed to authenticate using a client certificate that had a signature algorithm that was not SHA1/SHA256. With this fix, the firewall provides support for the SHA384 signature algorithm for client-based authentication.
PAN-61877 Fixed an issue where Authentication Override in the GlobalProtect portal configuration didn't work when the certificate used for encrypting and decrypting cookies was generated using RSA 4,096 bit keys.
PAN-61871 Fixed an issue where the firewall matched traffic to a URL category and on first lookup, which caused some traffic to be matched to the wrong security profile. With this fix, the firewall matches traffic to URL categories a second time to ensure that traffic is matched to the correct security profile.
PAN-61837 Fixed an issue on PA-3000 Series and PA-5000 Series firewalls where the dataplane stopped responding when a session crossed vsys boundaries and could not find the correct egress port. This issue occurred when zone protection was enabled with a SYN Cookies action ( Network > Zone Protection > Flood Protection).
PAN-61813 Fixed an issue on Panorama where a custom scheduled report configured for a device group was empty when exported.
PAN-61797 Fixed an issue on the passive peer in an HA configuration where LACP flapped when the link state was set to shutdown/auto and pre-negotiation was disabled.
PAN-61682 Fixed an issue where end users either did not see the Captive Portal web form or saw a page displaying raw HTML code after requesting an application through a web proxy because the HTTP body content length exceeded the specified size in the HTTP Header Content-Length.
PAN-61465 Fixed an issue where the web interface ( Objects > Decryption Profile > SSL Decryption > SSL Protocol Settings > Encryption Algorithms) still displayed the 3DES encryption algorithm as enabled even after you disabled it.
PAN-61365 Fixed an issue where data filtering logs ( Monitor > Logs > Data Filtering) do not take into account the file direction (upload or download) so it was not possible to differentiate uploaded files from downloaded files in the logs. With this fix, you configure the file direction ( upload, download, or both) in Objects > Security Profiles > Data Filtering and select the Direction column in Monitor > Logs > Data Filtering to view the file direction in the logs.
PAN-61284 Fixed an issue where User-ID consumed a large amount of memory when the firewall experienced a high rate of incoming IP address-to-username mapping data and there were more than ten redistribution client firewalls at the same time.
PAN-61252 Fixed an issue on firewalls in an active/active HA configuration where the floating IP address was not active on the secondary firewall after the link went down on the primary firewall.
PAN-60797 Fixed an issue where read-only superusers were able to view threat packet captures (pcaps) on the firewall but received an error ( File not found ) when they attempted to export certain types of pcap files (threat, threat extpcap, app, and filtering).
PAN-60753 Fixed an issue where changing the RSA key from a 2,048-bit key to a 1,024-bit key forced the encryption algorithm to change from SHA256 to SHA1 for SSL forward proxy decryption.
PAN-60581 Added check to not include all the applications in the Application filter if no application category is selected by the user. User have to explicitly add all the categories to create an application filter with all the applications.
PAN-60577 Fixed an issue where an application filter with no selected categories caused the firewall to perform slowly because the filter defaulted to include all categories ( Objects > Application Filters). With this fix, you cannot configure an application filter without selecting one or more categories.
PAN-60556 Added support in the certificate profile to also configure a non CA certificate as an additional certificate to verify the OCSP response received for certificate status validation. The OCSP Verify CA field in the certificate profile has been changed to OCSP Verify Certificate.
PAN-60402 Fixed an issue where renaming an address object caused the commit to a Device Group to fail.
PAN-60340 Fixed an issue where the Panorama application database did not display all applications in the browser.
PAN-60035 Enhanced dynamic IP NAT translation to prevent conflicts between different packet processors and improve dynamic IP NAT pool utilization.
PAN-59676 Fixed an issue where firewall administrators with custom roles (Admin Role profiles) could not download content or software updates.
PAN-59654 Fixed an issue where commits failed on the firewall after upgrading from a PAN-OS 6.1 release due to incorrect settings for the HexaTech VPN application on the firewall. With this fix, upgrading from a PAN-OS 6.1 release to PAN-OS 8.0.0 (or a later release) does not cause commit failures related to these settings.
PAN-59614 Fixed an issue where administrators were unable to fully utilize the maximum of 64 address objects per FQDN due to the 512B DNS server response packet size; specified addresses that were not included in the first 512B were dropped and not resolved. With this fix, the size of the DNS server response packet is increased to 4,096B, which fully supports the maximum 64 combined address objects per FQDN (up to 32 each IPv4 and IPv6 addresses).
PAN-58636 Fixed an issue where configuring too many applications and individual ports in a security rule caused the firewall to stop responding. With this fix, the firewall continues responding and sends the following error message: Error: Security Policy '58636_rule' is exceeding maximum number of combinations supported for service ports(51) and applications(2291). To fix this, please convert this Security Policy into multiple policies by either splitting applications or service ports. Error: Failed to parse security policy (Module: device) Commit failed
PAN-58496 Fixed an issue where custom reports using threat summary were not populated.
PAN-58382 Fixed an issue where users were matched to the incorrect security policies.
PAN-58358 Fixed an issue where CSV exports for Unified logs ( Monitor > Logs > Unified) displayed information in the wrong columns.
PAN-57529 Fixed an issue where the firewall acted as a DHCP relay and wireless devices on a VLAN did not receive a DHCP address (all other devices on the VLAN did receive a DHCP address). With this fix, all devices on a VLAN receive a DHCP address when the firewall acts as a DHCP relay.
PAN-57440 Fixed an issue where OSPFv3 link-state updates were sent with the incorrect OSPF checksum when the OSPF packet needed to advertise more link-state advertisements (LSAs) than fit into a 1,500-byte packet. With this fix, the firewall sends the correct OSPF checksum to neighboring switches and routers even when the number of LSAs doesn’t fit into a 1,500-byte packet.
PAN-57215 Fixed an issue where an HTTP 416 error appeared when trying to download updates to a client from an IBM BigFix update server.
PAN-56700 Fixed an issue where the SNMP OID ifHCOutOctets did not contain the expected data.
PAN-56684 Fixed an issue where DNS proxy static entries stopped working when there were duplicate entries in the configuration.
PAN-53659 Fixed an issue where the sum of all link aggregation group (LAG) interfaces was greater than the value of the Aggregate Ethernet (AE) interface.
PAN-50973 Fixed an issue for VM-Series firewalls on Microsoft Hyper-V where, although the FIPS-CC mode option was visible in the maintenance mode menu, you could not enable it. With this fix, FIPS-CC mode is supported for and can be enabled from the maintenance mode menu in VM-Series firewalls on Microsoft Hyper-V.
PAN-48095 Fixed an issue on PA-200 firewalls where the Panorama dynamic update schedule ignored the currently installed dynamic update version and installed unnecessary dynamic updates.

Related Documentation