PAN-OS 8.0.3 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS® 8.0.3 release. For new features, associated software versions, known issues, and changes in default behavior in PAN-OS 8.0 releases, see PAN-OS 8.0 Release Information.
Issue ID Description
WF500-4291 Fixed an issue where the WF-500 appliance returned false positives for known, benign Portable Executable (PE) files.
PAN-78448 Fixed an issue where the firewall dropped some logs that it was configured to forward to syslog servers.
PAN-77849 Fixed an issue where the Captive Portal web form did not display to end users after you pushed device group configurations from a Panorama management server running Panorama 8.0 to a firewall running PAN-OS 7.1.
PAN-77802 Fixed an issue where every commit cleared tunnel flow sessions such as GRE and IPSec ESP/AH sessions.
PAN-77595 Fixed an issue where PA-7000 Series and PA-5200 Series firewalls forwarded a SIP INVITE based on route lookup instead of Policy-Based Forwarding (PBF) policy.
PAN-77520 Fixed an issue on PA-7000 Series firewalls with AMC hard drives, model ST1000NX0423, where the firewalls rebuilt Disk Pair B in the LPC card after a reboot.
PAN-77516 A security-related fix was made to address a Remote Code Execution (RCE) vulnerability when the PAN-OS DNS Proxy service resolved FQDNs (CVE-2017-8390).
PAN-77400 Fixed an issue on a firewall running PAN-OS 8.0.1 or 8.0.2 where you could not log in to the web interface after performing a private data reset.
PAN-77339 SafeNet Client 6.2.2 did not support the necessary MAC algorithm (HMAC-SHA1) to work with Palo Alto Networks firewalls running in FIPS-CC mode.
PAN-77290 Fixed an issue where Panorama displayed a missing vsys error message when you tried to update dynamic address groups through PAN-OS XML API calls, even if you specified a virtual system.
PAN-77250 Fixed an issue where the firewall lost offloaded sessions on a subinterface that belonged to an aggregate interface group and that had QoS enabled.
PAN-77173 A security-related fix was made to prevent remote code execution within the Linux kernel that the firewall management plane uses (CVE-2016-10229).
PAN-77127 Fixed an issue where the firewall reduced the range of local and remote IKEv2 traffic selectors in a way that disrupted traffic in a VPN tunnel that a Cisco Adaptive Security Appliance (ASA) initiated.
PAN-77033 Fixed an issue where using the debug skip-condor-reports no CLI command to force a Panorama management server running PAN-OS 8.0 to query PA-7000 Series firewalls caused PA-7000 Series firewalls running a PAN-OS 7.0 release to reboot. This fix requires Panorama to run PAN-OS 8.0.3 or a later release and requires the PA-7000 Series firewalls to run PAN-OS 7.0.16 or a later release.
PAN-76964 Fixed an issue where interfaces went down due to packet buffers being overwhelmed after the firewall tried to close the connection to a rogue client that ignored the URL Filtering block page.
PAN-76890 Fixed an issue where traffic that included a ZIP file caused the all_task process to restart and the firewall dropped packets while waiting for that process to resume.
PAN-76746 Fixed an issue on the PA-7080 firewall where authentication traffic from a wireless controller to a RADIUS server failed due to buffer depletion on the firewall.
PAN-76651 Fixed an issue where VM-Series firewalls dropped multicast traffic if you enabled Data Plane Development Kit (DPDK) on VMXNET3 interfaces.
PAN-76650 Fixed an issue where renaming a shared object on Panorama that Panorama has pushed to firewalls caused a commit failure if the firewalls referenced that object in local policies.
PAN-76615 Fixed an issue where Panorama failed to Generate Tech Support File (Panorama > Support).
PAN-76565 Fixed an issue where dynamic content updates failed on the firewall when DNS response times were slow.
PAN-76454 Fixed an issue on PA-7000 Series and PA-5200 Series firewalls where Generic Routing Encapsulation (GRE) session creation failed when the firewalls received GRE packets with a Point-to-Point Protocol (PPP) payload.
PAN-76330 Fixed an issue where the pan_task process stopped, which caused a loss of service and interruption to OSPF.
PAN-76271 Fixed an issue where you could not access the Panorama web interface or CLI because the configd process stopped after a Preview Changes operation (Commit > Commit to Panorama).
PAN-76270 Fixed an issue where operations that required heavy memory usage on Log Collectors (such as ingesting logs at a high rate) caused some other processes to restart. With this fix, you can free up memory for processes other than logging and reporting by running the new debug logdb show-heap-size [4-32] CLI command and setting the memory heap to a lower size than the default 8GB.
PAN-76184 Fixed an issue where disabling the option to Turn on QoS feature on this interface (Network > QoS) reduced throughput on 40Gbps interfaces.
PAN-76162 Fixed an issue where a Panorama management server running a PAN-OS 8.0 release or a PAN-OS 7.1.8 or later 7.1 release did not display logs from PA-7000 Series firewalls running a PAN-OS 7.0 or 7.1 release.
PAN-76158 Fixed an issue where the firewall allowed Psiphon application sessions to continue without applying policy rules to them after the firewall ran out of resources (such as while processing heavy traffic). With this fix, the firewall drops Psiphon sessions after running out of resources.
PAN-76153 Fixed an issue where PA-5000 Series firewalls dropped traffic because predict sessions incorrectly matched Policy-Based Forwarding (PBF) policy rules for non-related sessions.
PAN-76144 Fixed an issue where throughput was reduced on PA-5000 Series firewalls that used a single UDP session on one dataplane to process high rates of tunneled traffic. With this fix, you can use the set session filter-ip-proc-cpu CLI command to use multiple dataplanes to process traffic for up to 32 destination server IP addresses. This setting persists after reboots and upgrades.
PAN-76003 A security-related fix was made to prevent cross-site scripting (XSS) attacks through the GlobalProtect external interface (CVE-2017-12416).
PAN-76032 Fixed an issue where the firewall web interface displayed a misspelling in the tooltip that opened when you hovered over Commit when no configuration changes were pending.
PAN-75977 Fixed an issue where users failed to authenticate through a Ucopia LDAP server.
PAN-75617 Fixed an issue where the firewall performed the default signature action for threat vulnerability exceptions instead of performing the Action you set in the Vulnerability Protection profile (Objects > Security Profiles > Vulnerability Protection > Exceptions).
PAN-75580 Fixed an issue where a PAN-OS XML API query to fetch all dynamic address groups failed with an Opening and ending tag mismatch error due to a command buffer limitation.
PAN-75512 Fixed an issue where the firewall failed to decrypt VPN traffic for packets of certain sizes if you set the Encryption algorithm to aes-256-gcm in the IPSec Crypto profile used for the VPN tunnel (Network > Network Profiles > IPSec Crypto).
PAN-75413 Fixed an issue where DHCP servers did not assign IP addresses to new end users (DHCP clients) because the firewall failed to process and relay DHCP messages between the servers and clients after you configured a firewall interface as a DHCP relay agent.
PAN-75372 Fixed an issue where Panorama dropped all administrative users because the management-server process restarted.
PAN-75337 Fixed an issue where CPU usage spiked on the firewall during Diffie-Hellman (DHE) or elliptic curve Diffie-Hellman (ECDHE) key exchange for SSL decryption. With this fix, the firewall has enhanced performance for DHE and ECDHE key exchange.
PAN-75304 Fixed an issue where the firewall populated default values for IPSec Crypto profiles that did not have an IPSec Protocol (ESP or AH) defined (Network > Network Profiles > IPSec Crypto); the default values caused an IKE configuration parsing error that prevented IPSec VPN tunnels from coming up.
PAN-75215 Fixed an issue where PA-5000 Series firewalls kept sessions active for an hour instead of discarding them after 90 seconds as expected when the sessions matched a policy rule that was set to deny those sessions or when the sessions matched an allow rule that triggered a block page.
PAN-75158 Fixed an issue with network outages on firewalls in a virtual wire HA configuration with HA Preemptive failback enabled (Device > High Availability > General > Election Settings) due to Layer 2 looping after failover events while the firewalls processed broadcast traffic.
PAN-75154 Fixed an issue where the Monitor > Traffic Map displayed the Northwestern Somali region as Solomon Islands instead of Somalia.
PAN-75119 Fixed an issue where IP Address Exemptions in Anti-Spyware profiles (Objects > Security Profiles > Anti-Spyware Profile) did not work for the following threats: Threat ID 14978, Threat ID 14984, and Raven.
PAN-75118 Fixed an issue where commits failed after you added an IPv6 peer group to a virtual router that had Border Gateway Protocol (BGP) enabled (Network > Virtual Routers > BGP > Peer Group) and that had import, export and aggregate rules configured.
PAN-75029 Fixed an issue where the PA-5060 firewall randomly dropped packets and displayed the reason in Traffic logs as resources unavailable.
PAN-74938 Fixed an issue on PA-3000 Series firewalls where SSL sessions failed due to memory depletion in the proxy memory pool; Traffic logs displayed the reason decrypt-error.
PAN-74865 Fixed an issue where Panorama could not push address objects to managed firewalls when zones specified the objects in the User Identification ACL include or exclude lists (Network > Zones) and you configured Panorama to not Share Unused Address and Service Objects with Devices (Panorama > Setup > Management > Panorama Settings).
PAN-74639 Fixed an issue where the root partition on the firewall was low on disk space (requiring you to run the debug dataplane packet-diag clear log log CLI command to free disk space) because the pan_task process generated logs for H.225 sessions.
PAN-74601 Fixed an issue on Panorama where Device Group and Template administrators who had access domains assigned to their accounts could not edit shared security profiles (Objects > Security Profiles) after committing those profiles.
PAN-74579 Fixed an issue where the debug dataplane internal pdt oct show-all CLI command restarted the firewall dataplane.
PAN-74440 Fixed an issue where the firewall generated System logs indicating the l3svc process stopped repeatedly because the cryptod daemon deleted a certificate key associated with an SSL/TLS Service Profile that was used for the URL Admin Override feature (Device > Setup > Content ID) or for Captive Portal (Device > User Identification > Captive Portal Settings).
PAN-74369 Fixed an issue where modifying the BFD profile in a virtual router (Network > Virtual Routers) caused the routed process to stop.
PAN-74334 Fixed an issue on Panorama where the replace device CLI command did not replace the serial numbers of firewalls that policy rules referenced as targets.
PAN-74243 Fixed an issue where, after you used a Panorama template to push DNS server IP addresses (Device > Setup > Services) to a bootstrapped VM-Series firewall, the firewall failed to resolve FQDNs.
PAN-73919 Fixed an issue where you could not use the web interface or CLI to configure a multicast IP address as the Source or Destination in packet filters (Monitor > Packet Capture).
PAN-73916 Fixed an issue where, after you logged in to the firewall with an administrator account that does not have a superuser role and you then tried to Disable an application (Objects > Applications > <application-name>), the firewall displayed an error message that did not indicate the need for superuser privileges.
PAN-73707 Fixed an issue where you could not generate a SCEP certificate if the SCEP Challenge (password) had a semicolon (Device > Certificate Management > SCEP).
PAN-73631 Fixed an issue where end user clients failed on their first attempt to authenticate when you configured Captive Portal for certificate-based authentication and the client certificates exceeded 2,000 bytes.
PAN-73556 Fixed an issue where the firewall did not delete multicast forwarding information base (FIB) entries for multicast groups that stopped receiving traffic.
PAN-73551 Fixed an issue where commits failed with the error syntax error [kmp_sa_lifetime_time ;] if the firewall had IKE Crypto profiles without a Key Lifetime defined (Network > Network Profiles > IKE Crypto).
PAN-73548 Fixed an issue where the firewall used the global service route (Device > Setup > Services > Global) instead of service routes defined for specific virtual systems (Device > Setup > Services > Virtual Systems) if you configured Device > Server Profiles in the Shared location.
PAN-73484 Fixed an issue where the firewall server process (devsrvr) restarted during URL updates.
PAN-73281 Fixed an issue where the firewall dropped multicast traffic on an egress VLAN interface when the traffic was offloaded.
PAN-73254 Fixed an issue where, after you installed the VMware NSX plugin on the Panorama management server in an HA configuration, Panorama did not automatically synchronize configuration changes between the HA peers unless you first updated settings related to the NSX plugin.
PAN-73184 Fixed an issue where successive HTTP GET requests in a single session failed if you configured SSL Decryption with the Strip X-Forwarded-For option enabled (Device > Setup > Content-ID).
PAN-72946 Fixed an issue where HA firewalls displayed as out of sync if an SSL/TLS Service Profile without a certificate was assigned to the management (MGT) interface (Device > Setup > Management). With this fix, PAN-OS unassigns the SSL/TLS Service Profile if it doesn't have a certificate.
PAN-72863 Fixed an issue where the User-ID agent (PAN-OS integrated or Windows-based) stopped responding because the firewall sent numerous queries for the IP address-to-username mappings of unknown users. With this fix, the firewall no longer queries User-ID agents for unknown users unless you run the debug user-id query-unknown-ip yes CLI command on the firewall (you must re-run this command whenever the firewall reboots).
PAN-72753 Fixed an issue where you could not configure the subnet as a Proxy ID for IPSec VPN tunnels.
PAN-72433 Fixed an issue where the PA-7050 firewall displayed incorrect information for the packet counts and number of bytes associated with traffic on subinterfaces. With this fix, the firewall displays the correct information in the show interface CLI command output and in other sources of information for subinterfaces (such as SNMP statistics and NetFlow record exports).
PAN-72258 Fixed an issue where pushing an ARP load-sharing configuration (Device > High Availability > Active/Active Config > Virtual Address) from Panorama to a firewall deleted it from the firewall.
PAN-71922 Fixed an issue where the firewall did not generate Threat logs for classified DoS Protection profiles that had an Action set to SYN Cookies (Objects > Security Profiles > DoS Protection > Flood Protection > SYN Flood).
PAN-71535 Fixed an issue on Panorama where Panorama > Device Deployment > Software stopped displaying software images for a release after you performed a manual Upload for a software image of that release.
PAN-71133 Fixed an issue where the dataplane rebooted after multiple dataplane processes restarted due to memory corruption.
PAN-69449 Fixed an issue where, after a clock change on the firewall (such as for Daylight Saving Time), the ACC did not display information for time periods before the change.
PAN-68808 Fixed an issue on the PA-7050 firewall where the mprelay process experienced a memory leak and stopped responding, which caused slot failures and HA failover.
PAN-68580 Fixed an issue where HA VM-Series firewalls displayed the wrong link state after a link-monitoring failure.
PAN-66076 Fixed an issue where the GlobalProtect portal prompted end users to enter a one-time password (OTP) even after the users entered the OTP for the GlobalProtect gateway and Authentication Override was enabled (Network > GlobalProtect > Portals > <portal-configuration> > Agent > <agent-configuration> > Authentication).
PAN-64639 Fixed an issue where HA firewalls failed to synchronize the PAN-DB URL database.
PAN-62159 Fixed an issue where the firewall did not generate WildFire Submission logs when the number of cached logs exceeded storage resources on the firewall.
PAN-59372 Fixed an issue where neither Panorama nor the firewall generated a System log indicating a password change after you used a Panorama template to push an administrator password change to the firewall.
PAN-56287 Fixed an issue where the firewall discarded VoIP sessions that had multicast destinations.
PAN-46374 Fixed an issue on PA-7000 Series firewalls where you had to power cycle the Switch Management Card (SMC) when it failed to come up after a soft reboot (such as after upgrading the PAN-OS software).
