PAN-OS 8.0.2 Addressed Issues
The following tables lists the issues that are addressed in the PAN-OS® 8.0.2 release. For new features, associated software versions, known issues, and changes in default behavior in PAN-OS 8.0 releases, see PAN-OS 8.0 Release Information.
Issue ID Description
WF500-4266 Fixed an issue with WF-500 appliances that displayed the disk full error message when the log rotation process failed to clear or overwrite older logs. With this fix, older logs are overwritten as expected.
WF500-4218 Fixed an issue where, as part of and after upgrading a WildFire appliance to a PAN-OS 8.0 release, using the request cluster reboot-local-node CLI command to reboot a cluster node intermittently caused the node to go offline or fail to reboot.
WF500-4186 Fixed an issue in a three-node WildFire appliance cluster where, if you decommissioned the backup controller node or the worker node ( request cluster decommission start ) and then deleted the cluster-related configuration (high-availability and cluster membership) from the decommissioned node, the cluster intermittently stopped functioning. Running the show cluster membership CLI command on the primary controller node showed the message: Service Summary: Cluster:offline, HA:peer-offline . In this state, the cluster did not function and did not accept new samples for processing.
WF500-4176 Fixed an issue where, after you removed a node from a cluster that stored sample information on the node, the node serial number appeared in the list of storage nodes when you displayed the sample status ( show wildfire global sample-status sha256 equal <value> ) even though the node no longer belonged to the cluster.
WF500-4173 Fixed an issue where integrated reports were not available for firewalls connected to a WF-500 appliance running in FIPS mode.
WF500-4158 Fixed an issue where selecting Reboot device after Install when upgrading WildFire appliance clusters from Panorama caused an ungraceful reboot that intermittently made the cluster unresponsive.
PAN-81061 Fixed an issue where PA-3000 Series firewalls dropped long-lived sessions that were active during a content update followed immediately by an Antivirus or WildFire update.
PAN-76517 Fixed an issue where Panorama did not automatically push the updated IP addresses of dynamic address groups from device groups to VM-Series firewalls for NSX.
PAN-76447 Fixed an issue where Panorama running PAN-OS 8.0 did not push aggregate BGP configurations in a template to firewalls running PAN-OS 7.1 or an earlier release.
PAN-76424 Fixed an issue where Security Lifecycle Review reports ( Generate Stats Dump File under Device > Support) displayed incorrect subtype values due to Threat ID changes.
PAN-76402 Fixed an issue where the firewall generated System logs of critical severity with the message Could not connect to Cloud : SSL/TLS Authentication Failed even though the firewall had no connection failures.
PAN-76331 Fixed an issue where, after upgrading to PAN-OS 8.0.1, a Network > DNS Proxy object with ten or more Static Entries that mapped to the same IP address caused the firewall DNS daemon to restart, which prevented users from accessing applications that required DNS lookups.
PAN-76265 Fixed an issue where the firewall failed to retrieve user groups from an LDAP server because the server response did not have a page control value.
PAN-76258 Fixed an issue on PA-7000 Series and PA-5200 Series firewalls where users could not access applications and services through GlobalProtect when session distribution was set to round robin (default).
PAN-76244 Fixed an issue where firewalls were missing a GlobalProtect satellite configuration pushed from a Panorama template.
PAN-76105 Fixed an issue where you had to configure a license deactivation API key to manually deactivate licenses for VM-Series firewalls.
PAN-76104 Fixed an issue where the firewall stopped receiving IP port-to-username mappings from a Terminal Services (TS) agent if you set its Host field to an FQDN instead of an IP address.
PAN-76092 Fixed an issue where reports delivered through the Email Scheduler ( Monitor > PDF Reports > Email Scheduler) displayed data totals as bytes instead of kilobytes (K), megabytes (M), or gigabytes (G), which made the totals hard to read.
PAN-76069 Fixed an issue where the firewall could not decrypt SSL connections due to a cache issue, which prevented users from accessing SSL websites.
PAN-76054 Fixed an issue where you could not delete a tunnel interface from a Panorama template ( Network > Interfaces > Tunnel).
PAN-76051 Fixed an issue where you could not push a Management (MGT) interface configuration from a Panorama template ( Device > Setup > Interfaces) to firewalls unless you specified an IP Address for the interface.
PAN-76030 Fixed an issue on VM-Series firewalls where the dataplane restarted if jumbo frames were enabled on single root input/output virtualization (SR-IOV) interfaces.
PAN-75969 Fixed an issue where the routed process stopped responding after you checked the static route monitoring status through the web interface ( Network > Virtual Routers > Routing > Static Route Monitoring) or CLI ( show routing path-monitor ).
PAN-75960 Fixed an issue where storing the master key on an HSM caused the firewall to enter maintenance mode after a reboot (which required a factory reset).
PAN-75914 Fixed an issue where the M-100 or M-500 appliance lost logs after upgrading from a PAN-OS 7.1 release to a PAN-OS 8.0 release.
PAN-75896 Fixed an issue where the firewall did not accept local IPv6 addresses that were longer than 31 characters when you configured IPv6 BGP peering.
PAN-75881 Fixed an issue where a regression introduced in PAN-OS 8.0.0 and 8.0.1 caused the firewall dataplane to restart in certain cases when combined with content updates. For details, including the relevance of content release version 709, refer to the associated Customer Advisory.
PAN-75863 Fixed an issue on HA Panorama M-100 appliances where the passive peer did not update the local VMware NSX manager plugin after you upgraded from a PAN-OS 7.1 release to a PAN-OS 8.0 release, which caused a plugin mismatch with the active peer.
PAN-75721 Fixed an issue where you could not set the authentication profile Type to None ( Device > Authentication Profile) on a firewall in FIPS mode.
PAN-75684 Fixed an issue where a management server memory leak caused several tasks to fail, including commits, PAN-DB URL downloads, dynamic updates, and FQDN or External Dynamic List (EDL) refreshes.
PAN-75397 Fixed an issue where the Panorama management server restarted because the configd process stopped running after an upgrade.
PAN-75358 Fixed an issue where firewalls configured to use a SafeNet hardware security module (HSM) server successfully created a support file when you selected to export support file from the web interface but they incorrectly returned the following error message: op command for client cryptod time out as client is not available. This issue also occurred when requesting the support file using the request hsm support-info CLI command but you could confirm that the support info file was created successfully by using a different HSM-related command, such as show hsm state , after you requested the HSM support file.
PAN-75132 Fixed an issue where locally created certificates had duplicate serial numbers because the firewall did not check the serial numbers of existing certificates signed by the same CA when generating new certificates.
PAN-75048 Fixed an issue where the firewall used the default route (instead of the next best available route) when the eBGP next hop was unavailable, which resulted in dropped packets. Additionally with this fix, the default time-to-live (TTL) value for a single hop eBGP peer is changed to 1 (instead of 2).
PAN-74877 Fixed an issue where Panorama took a long time to push configurations from multiple device groups to firewalls.
PAN-74655 Fixed an issue where users experienced slow network connectivity due to CPU utilization spikes in the firewall network processing cards (NPCs) when the URL cache exceeded one million entries.
PAN-74640 Fixed an issue where VM-Series firewalls failed to create predict sessions for RTP and RTCP, which disrupted H.323-based video conferencing traffic. Additionally, fixed an issue where all firewall models dropped RTP packets because policy matching failed for RTP traffic.
PAN-74613 Fixed an issue where the show running url-cache statistics CLI command did not display enough information to diagnose issues related to URL category resolution. With this fix, the error messages indicate what failed and the exact point of failure.
PAN-74575 Fixed an issue where the firewall did not release IP addresses assigned to interfaces after you changed the addressing Type from DHCP Client to Static.
PAN-74548 Fixed an issue where the Export Named Configuration dialog did not let you filter configuration snapshots by Name, which prevented you from selecting snapshots beyond the first 500. With this fix, you can now enter a filter string in the Name field to display any matching snapshots.
PAN-74412 Fixed an issue where, in Decryption policy rules with an Action set to No Decrypt, you could not use the web interface to set the decryption Type for matching traffic.
PAN-74403 Fixed an issue on Panorama where the web interface became unresponsive after you selected Export to CSV for a custom report, which forced you to log in to the CLI and reboot Panorama or restart the management server.
PAN-74368 Fixed an issue where commits failed due to configuration memory limits on firewalls that had numerous Security policy rules that referenced many address objects. With this fix, the number of address objects that a policy rule references does not impact configuration memory.
PAN-74236 Fixed an issue where the User-ID process (useridd) stopped responding when there were a lot of non-browser based requests from clients, which resulted in too many pan_errors disk writes.
PAN-74188 Fixed an issue where conflicting next-hop entries in the egress routing table caused the firewall to incorrectly route traffic that matched Policy-Based Forwarding (PBF) policy rules configured to Enforce Symmetric Return.
PAN-74161 Fixed an issue where firewalls configured in a virtual wire deployment where Spanning Tree Protocol (STP) bridge protocol data unit (BPDU) packets were dropped.
PAN-74128 Fixed an issue where a session caused the dataplane to restart if the session was active during and after you installed a content update on the firewall and the update contained a decoder change.
PAN-73995 Fixed an issue where firewall management interfaces that were configured through DHCP released or renewed every time you pushed configurations from Panorama instead of releasing or renewing when the DHCP leases expired.
PAN-73993 Fixed an issue where App-ID signature matching did not work on the firewall, which caused it to misidentify applications.
PAN-73914 A security-related fix was made to address OpenSSL vulnerabilities (CVE-2017-3731).
PAN-73859 Fixed an issue where the VM-Series firewall on Azure supported only five interfaces (one management interface and four dataplane interfaces) instead of eight (one management interface and seven dataplane interfaces).
PAN-73783 Fixed an issue where cookie-based authentication for the GlobalProtect gateway failed with the following error: Invalid user name .
PAN-73710 Fixed an issue where the firewall did not commit changes to the NTP servers configuration ( Device > Setup > Services) when the firewall connected to the servers through a service route and the management (MGT) interface was down.
PAN-73553 Fixed an issue where SSL Inbound Decryption failed when the private key was stored on a hardware security module (HSM).
PAN-73502 Fixed an issue where the firewall did not purge expired IP address-to-username mappings, which caused one of the root partitions to run out of free space.
PAN-73461 Fixed an issue where enabling encryption on the HA1 control link ( Device > High Availability > General) and rebooting one HA firewall peer in an active/passive configuration caused split-brain to occur.
PAN-73381 Fixed an issue on firewalls with multiple virtual systems where end users could not authenticate to a GlobalProtect portal or gateway that specified an authentication profile for which the Allow List referenced user groups instead of usernames.
PAN-73213 Fixed an issue where, when the GlobalProtect Portal Login Page was set to Disable ( Network > GlobalProtect > Portals > General) and the user entered https://portal in the browser URL field, the browser redirected to https://portal/global-protect/login.esp, which exposed that the firewall functioned as a GlobalProtect VPN. With this fix, the firewall now responds with a 502 Bad Gateway response and does not expose the function of the firewall.
PAN-73196 Fixed an issue on VM-Series firewalls where attempts to shut down the firewall from the VCenter Client or from a Web Client resulted in the following error: A general system error occurred: Invalid Fault.” This issue was caused by a VM tools integration issue.
PAN-73191 Fixed an issue where OSPF adjacency flapping occurred between the firewall and an OSPF peer due to a heavy processing load on the dataplane and queued OSPF hello packets.
PAN-73045 Fixed an issue where HA failover and fail-back events terminated sessions that started before the failover.
PAN-72871 Fixed an issue where the firewall displayed only part of the URL Filtering Continue and Override response page.
PAN-72769 A security-related fix was made to prevent brute-force attacks on the GlobalProtect external interface (CVE-2017-7945).
PAN-72697 Fixed an issue where, after a DoS attack ended, the firewall continued generating Threat logs and incrementing the session drop counter.
PAN-72350 Fixed an issue where high-volume SSL traffic intermittently added latency to SSL sessions.
PAN-72149 Fixed an issue where URL values did not display for the top websites in URL Filtering reports ( Monitor > PDF Reports > Manage PDF Summary).
PAN-71627 Fixed an issue where the firewall failed to authenticate to a SafeNet hardware security module (HSM). With this fix, the firewall supports multiple SafeNet HSM client versions; you can use the request hsm client-version CLI command to select the version that is compatible with your SafeNet HSM server.
PAN-71612 Fixed an issue where the logs that the firewall forwarded to a syslog server had syslog header timestamps that did not match the times when the firewall generated the logs.
PAN-71484 Fixed an issue where the firewall discarded long-lived SIP sessions after a content update, which disrupted SIP traffic.
PAN-71455 Fixed an issue where users could not access a secure website if the certificate authority that signed the web server certificate also signed multiple certificates with the same subject name in the Default Trusted Certificate Authorities list on the firewall.
PAN-71319 Updated PAN-OS to address NTP issues (CVE-2016-7433).
PAN-70731 Fixed an issue where the firewall failed to authenticate to a SafeNet hardware security module (HSM) if the Administrator Password (under Device > Setup > HSM) contained special characters.
PAN-70353 Fixed an issue where Clientless VPN did not work if its host was a GlobalProtect portal that you configured on an interface with DHCP Client enabled.
PAN-70345 Fixed an issue where the M-Series appliances did not forward logs to a syslog server over TCP ports.
PAN-69882 Fixed an issue where firewalls that had multiple virtual systems and that were deployed in an HA active/active configuration dropped TCP sessions.
PAN-69874 Fixed an issue where, when the PAN-OS XML API sent IP address-to-username mappings with no timeout value to a firewall that had the Enable User Identification Timeout option disabled, the firewall assigned the mappings a timeout of 60 minutes instead of never.
PAN-68763 Fixed an issue where path monitoring failures did not produce enough information for troubleshooting. With this fix, PAN-OS supports additional debug commands and the tech support file (click Generate Tech Support File under Device > Support) includes additional registry values to troubleshoot path monitoring failures.
PAN-67412 Fixed an issue on firewalls in an HA configuration where, when an end user accessed applications over a GlobalProtect clientless VPN, the web browser became unresponsive for about 30 seconds after a failover.
PAN-67029 Fixed an issue where the firewall stopped forwarding logs to external services (such as a syslog server) after the firewall management server restarted unexpectedly.
PAN-66997 Fixed an issue on PA-7000 Series, PA-5200 Series, and PA-5000 Series firewalls where end users who accessed applications over SSL VPN or IPSec tunnels through GlobalProtect experienced one-directional traffic.
PAN-65969 Fixed an issue on PA-7000 Series firewalls where the Switch Management Card (SMC) restarted due to false positive conditions (ATA errors) detected during a disk check.
PAN-63720 Fixed an issue where Monitor > App Scope > Network Monitor displayed incorrect byte totals and hourly distribution when you filtered the report by Source User/Address or Destination User/Address instead of by Application.
PAN-63205 Fixed an issue on VM-Series firewalls where commit operations failed after you configured HA with the HA2 and HA3 interfaces.
PAN-62791 Fixed an issue where the firewall could not use the certificates in its certificate store ( Device > Certificate Management > Certificates > Device Certificates) after a manual or automatic commit, which caused certificate authentication to fail.
PAN-62074 Fixed an issue where the User-ID agent incorrectly read the IP address in the security logs for Kerberos login events.
PAN-61644 Fixed an issue where Panorama displayed the Invalid term(device-group eq) error when you tried to display the logs for a specific device group.
PAN-61409 Fixed an issue where the firewall failed to connect to an HTTP server using the HTTPS protocol when the CA certificate that validated the firewall certificate was in a specific virtual system instead of the Shared location.
PAN-60555 Fixed an issue on VM-Series firewalls for NSX where the web interface let users specify a Tag Allowed value for virtual wire interfaces ( Network > Virtual Wires), which caused a commit error because the option is not configurable on that firewall model. With this fix, the Tag Allowed value has a read-only value of 0-4094 on VM-Series firewalls for NSX.
PAN-55619 Fixed an issue where new users that you added to an Active Directory (AD) user group intermittently failed to authenticate to the GlobalProtect portal.
PAN-48901 Fixed an issue on HA firewalls where, if you enabled application-level gateway (ALG) for the Unistim application, VoIP calls that used the UNIStim protocol had only one-way audio after an HA failover event.
FPGA-343 Fixed an issue on PA-7000 Series firewalls in a Layer 2 deployment where multicast sessions (such as HSRP) failed because PAN-OS did not reassign the sessions to an alternative Network Processing Card (NPC) if the original NPC was shut down.

Related Documentation