PAN-OS 8.0.1 Addressed Issues
The following tables lists the issues that are addressed in the PAN-OS® 8.0.1 release. For new features, associated software versions, known issues, and changes in default behavior in PAN-OS 8.0 releases, see PAN-OS 8.0 Release Information.
Issue ID Description
PAN-74932 Fixed an issue where the direction (dir) parameter used in type=log XML API requests was incorrectly made a required parameter, which caused applications that use the type=log request to fail when the dir argument was not included in the request. With this fix, the direction parameter is again optional.
PAN-74829 Fixed an issue where Authentication policy incorrectly matched traffic coming from known users—those included in the Terminal Services (TS) agent user mapping—and displayed the captive portal page. With this fix, only unknown users are directed to the captive portal page.
PAN-74367 Fixed an issue where some platforms did not connect to BrightCloud after you upgraded to PAN-OS 8.0.
PAN-74264 Fixed an issue where new fields in Threat and HIP Match logs were inserted between existing fields, which disrupted some third-party integrations. With this fix, the new fields are appended at the end of all pre-existing fields.
PAN-73977 Fixed an issue where firewalls and Panorama did not forward logs as expected when the local machine time was not set to current local time and was set to a time between current UTC time and current UTC time plus <n>, where <n> is the UTC+<n> value for the current time zone.
PAN-73964 Fixed an issue where you could not upgrade VM-Series firewalls on AWS in an HA configuration to PAN-OS 8.0. With this fix, you can upgrade VM-Series firewalls on AWS in an HA configuration to PAN-OS 8.0.1 or a later PAN-OS 8.0 release.
PAN-73877 Fixed an issue where you were unable to generate a SAML metadata file for Captive Portal or GlobalProtect when the firewall had multiple virtual systems because there were no virtual systems available for you to select when you clicked the Metadata link associated with an authentication profile.
PAN-73579 Fixed an issue where, after you upgraded a firewall to PAN-OS 8.0, the firewall didn't apply updates to the predefined Palo Alto Networks malicious IP address feeds (delivered through the daily antivirus content updates) until after you performed a commit on the firewall. With this fix, changes to the predefined malicious IP address feeds are automatically applied when delivered to the firewall.
PAN-73545 Fixed an issue on VM-300, VM-500, and VM-700 firewalls where you were required to commit changes a second time after adding an interface before traffic would pass normally.
PAN-73466 Fixed an issue where content installations failed on a firewall after you configured an interface to reference an IPv6 address object and you enabled router advertisement on that interface ( Network > Interfaces > <Ethernet/VLAN_interface> > IPv6 > Router Advertisement).
PAN-73360 Fixed an issue where the passive Panorama peer in an HA configuration showed shared policy to be out of sync even when the device group commit from the active peer was successful.
PAN-73291 Fixed an issue where authentication failed for client certificates signed by a CA certificate that was not listed first in the Certificate Profile configured with client certificate authentication for GlobalProtect portals and gateways.
PAN-73207 Fixed an issue where you could not push notifications as an authentication factor if the firewall was integrated with Okta Adaptive as the multi-factor authentication (MFA) vendor.
PAN-73168 Fixed an issue where your web browser displayed the error message 400 Bad Request when you tried to access a PAN-OS web interface that shared the same FQDN as the GlobalProtect portal that hosted Clientless VPN applications.
PAN-73006 Fixed an issue where the App Scope Change Monitor and Network Monitor reports failed to display data if you filtered by Source or Destination IP addresses when logging rates were high. This fix also addresses an issue where the App Scope Summary report failed to display data for the Top 5 Bandwidth Consuming Sources and Top 5 Threats when logging rates were high.
PAN-72952 Improved file-type identification for Office Open XML (OOXML) files, which improves the ability for WildFire to accurately classify OOXML files as benign or malicious.
PAN-72875 Fixed an issue where the severity level of the Failed to sync PAN-DB to peer: Peer user failure syslog message was too high. With this fix, the message severity level is info instead of medium .
PAN-72849 Fixed an issue in Panorama active/passive HA configurations where Elasticsearch parameters were not pushed to the passive peer.
PAN-72843 Fixed an issue where commits failed for configurations that enabled clientless VPN on multiple GlobalProtect portals using different DNS proxies.
PAN-72726 Fixed an issue where the firewall was unable to mark BFD packets with appropriate DSCP values.
PAN-72667 Fixed an issue where the firewall web interface displayed incorrect values for the log storage quota settings.
PAN-72547 Fixed an issue where running the clear session all CLI command on a PA-5200 Series firewall in an HA configuration caused the firewall to fail over due to an issue with path monitoring.
PAN-72402 Fixed an issue where the firewall advertised only the aggregate address and did not advertise the specific routes covered by the Advertise Filter when you configured a BGP IPv6 aggregate address with an Advertise Filter that consisted of both a prefix filter and a next-hop filter.
PAN-72246 Fixed an issue where the firewall generated an ECDSA certificate signing request (CSR) using the SHA1 algorithm instead of the selected algorithm.
PAN-71833 Fixed an issue where the output of the test authentication authentication-profile CLI command intermittently displayed authentication/authorization failed for user for TACACS+ authentication profiles even though the administrator could successfully log in to the web interface or CLI using the same credentials as were specified in the test command.
PAN-71829 Fixed an issue on PA-5000 Series firewalls where the dataplane restarted due to specific changes related to certificates or SSL profiles in a GlobalProtect configuration; specifically, configuring a new gateway, changing a certificate linked to GlobalProtect, or changing the minimum or maximum version of the TLS profile linked to GlobalProtect.
PAN-71556 Fixed an issue where MAC address table entries with a time-to-live (TTL) value of 0 were not removed as expected, which caused the table to continually increase in size.
PAN-71530 Fixed an issue where LDAP authentication failed intermittently due to a race condition.
PAN-71334 Fixed an issue with delays of up to 10 seconds before the firewall transmitted the audio/video stream when you set up a VoIP call on a PA-5200 Series firewall using the Session Initiation Protocol (SIP).
PAN-71312 Fixed an issue where custom reports did not display results for queries that specified the Negate option, Contains operator, and a Value that included a period (.) character preceding a filename extension.
PAN-71271 Fixed an issue where new logs were lost if the log purging process started running before you started log migration after an upgrade to PAN-OS 8.0.
PAN-70366 Fixed an issue where SMTP email servers did not receive PDF reports from the firewall because the report emails had line separators that used bare LF instead of CRLF.
PAN-70323 Fixed an issue where firewalls running in FIPS-CC mode did not allow import of SHA-1 CA certificates even when the private key was not included; instead, firewalls displayed the following error: Import of <cert name> failed. Unsupported digest or keys used in FIPS-CC mode.
PAN-69622 Fixed an issue where the firewall did not properly close a session after receiving a reset (RST) message from the server if the SYN Cookies action was triggered.
PAN-69585 Fixed an issue where the URL link included in the email for a SaaS Application Usage report (so that you could retrieve the report from the firewall web interface) triggered third-party spam filters deployed in your network.
PAN-69340 Fixed an issue where PAN-OS did not apply the capacity license when you used a license authorization code (capacity license or a bundle) to bootstrap a VM-Series firewall because the firewall did not reboot after the license was applied.
PAN-68795 Fixed an issue where the SaaS Application Usage report displayed upload and download bandwidth usage numbers incorrectly in the Data Transfer by Application section.
PAN-68185 Fixed an issue where the 7.1 SNMP traps MIB (PAN-TRAPS.my) had an incorrect description for the panHostname attribute.
PAN-67629 Fixed an issue where existing users were removed from user-group mapping when the Active Directory (AD) did not return an LDAP Page Control in response to an LDAP refresh, which resulted in the following User-ID (useridd) logs: debug: pan_ldap_search(pan_ldap.c:602): ldap_parse_result error code: 4 Error: pan_ldap_search(pan_ldap.c:637): Page Control NOT found
PAN-66122 Fixed an issue where tunnel content inspection was not supported in a virtual system-to-virtual system topology.
PAN-64725 Fixed an issue where PA-7000 Series firewalls and Panorama Log Collectors consumed excess memory and didn't process logs as expected. This issue occurred when DNS response times were slow and scheduled reports contained fields that required DNS lookups.
PAN-64164 Fixed an issue on Panorama virtual appliances in an HA configuration where, if you enabled log forwarding to syslog, both the active and passive peers sent logs. With this fix, only the active peer sends logs when you enable log forwarding to syslog.
PAN-63274 Fixed an issue on firewalls with multiple virtual systems where inner flow sessions installed on dataplane 1 (DP1) failed if you configured tunnel content inspection for traffic in a shared gateway topology. Additionally with this fix, when networking devices behind the shared gateway initiate traffic, that traffic can now reach the networking devices behind the virtual systems.
PAN-61840 Fixed an issue where the show global-protect-portal statistics CLI command was not supported.
PAN-61544 Fixed an issue on firewalls deployed in a virtual wire configuration where the show interface CLI command displayed more packets transmitted on the egress interface than packets received on the ingress interface.
PAN-60101 Fixed an issue on the M-500 and M-100 appliances in Panorama mode where emailed custom reports contained no data if you configured a report query that used an Operator set to contains ( Monitor > Manage Custom Reports).
PAN-58979 Fixed an issue where the dataplane restarted due to a memory leak in a process (mprelay) that occurred if you did not disable LLDP when you disabled an interface with LLDP enabled ( Network > Interfaces > < interface > > Advanced > LLDP).
PAN-57553 Fixed an issue where a QoS profile failed to work as expected when applied to a clear text node configured with an Aggregate Ethernet (AE) source interface that included AE subinterfaces.
PAN-57142 Fixed an issue on PA-7000 Series firewalls in an active/passive HA configuration where QoS limits were not correctly enforced on Aggregate Ethernet (AE) subinterfaces.

Related Documentation