PAN-OS 8.0.4 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS® 8.0.4 release. For new features, associated software versions, known issues, and changes in default behavior in PAN-OS 8.0 releases, see PAN-OS 8.0 Release Information.
Issue ID Description
WF500-4314 Fixed an issue where the WF-500 appliance incorrectly assigned a malicious verdict to samples associated with Web Proxy Auto-Discovery Protocol (WPAD) DNS lookups.
PAN-81053 Fixed an issue where the Panorama virtual appliance did not migrate logs from NFS storage to the virtual disks on a local Log Collector after you switched from Legacy mode to Panorama mode.
PAN-80766 Fixed an issue where commits failed after upgrading a firewall to PAN-OS 8.0 if, before the upgrade, that firewall had a tunnel interface configured as the Source Interface for QoS cleartext traffic (Network > QoS > <QoS_interface> > Clear Text Traffic).
PAN-80445 Fixed an issue where the reportd process had a memory leak.
PAN-80122 A security-related fix was made to address a vulnerability that allowed XML External Entity (XXE) attacks on the GlobalProtect external interface because PAN-OS did not properly parse XML input (CVE-2017-9458).
PAN-80077 Fixed an issue on PA-7000 Series and PA-5200 Series firewalls where users failed to authenticate when Captive Portal was configured in Redirect mode because the Captive Portal host session incorrectly timed out after 5 seconds.
PAN-80064 Fixed an issue where the firewall used an incorrect source MAC address for aggregate Ethernet (AE) interfaces, which caused traffic offload failures.
PAN-80062 Fixed an issue where firewalls running PAN-OS 8.0.3 displayed the error message Not authorized when administrators with local firewall accounts tried to log in using Kerberos single sign-on.
PAN-79935 Fixed an issue where the firewall dropped packets when GlobalProtect end users generated IPv6 traffic.
PAN-79833 Fixed an issue where the firewall randomly dropped packets for traffic that end users generated after connecting to GlobalProtect.
PAN-79780 Fixed an issue where the firewall could not delete old HA keys, which prevented the generation of new keys for HA1 encryption.
PAN-79779 Fixed an issue where firewall administrators that PAN-OS authenticated through RADIUS and authorized through RADIUS Vendor-Specific Attributes (VSAs) could not commit configuration changes on the firewall.
PAN-79436 Fixed an issue where PA-7000 Series firewalls did not apply changes to the Syslog server profile configuration until you restarted the syslog-ng process.
PAN-79365 Fixed an issue where pushing template configurations to VM-Series firewalls for NSX removed those firewalls as managed devices on Panorama.
PAN-79311 Fixed an issue on PA-220 firewalls where, after you modified Security policy, the firewalls did not rematch the policy against sessions involving file transfers that were in progress during the policy modification.
PAN-79084 Fixed an issue where fragmented packets in GlobalProtect traffic caused PA-5200 Series firewalls to stop responding.
PAN-79001 Fixed an issue on PA-5250 and PA-5260 firewalls where QSFP ports 21 to 24 did not come up when connecting over LR optic connections.
PAN-78932 Fixed an issue where loading definitions for 8.0 SNMP MIBs failed for the PAN-TRAPS.my MIB. With this fix, you can download the latest enterprise MIBs from https://www.paloaltonetworks.com/documentation/misc/snmp-mibs.html.
PAN-78886 Fixed an issue where the firewall ignored Authentication policy rules for websites that you added to a custom URL category.
PAN-78456 As an enhancement to the firewall bootstrapping process, you can specify a template stack in the template parameter (tplname) of the bootstrapping configuration file (init-cfg.txt).
PAN-78390 Fixed an issue where PA-5200 Series firewalls became unresponsive in deployments with high throughput traffic.
PAN-78342 Fixed an issue where Panorama failed to export a custom report if you set the Database to a Remote Device Data option (Monitor > Manage Custom Reports).
PAN-78256 Fixed an issue where the firewall stopped responding and processing traffic due to a packet buffer leak.
PAN-78224 Fixed an issue where the firewall truncated passwords to 40 characters when end users tried to authenticate through RADIUS in the Captive Portal web form.
PAN-77973 Fixed an issue where the passive firewall in an active/passive HA deployment lost HA session updates when the active peer had a heavy processing load.
PAN-77671 Fixed an issue where the firewall identified traffic to www.online-translator.com as the translator-5 application instead of as web-browsing.
PAN-77595 Fixed an issue where PA-7000 Series and PA-5200 Series firewalls forwarded a SIP INVITE based on route lookup instead of on Policy-Based Forwarding (PBF) policy.
PAN-77527 Fixed an issue where PA-5200 Series firewalls throttled packet diagnostic logs even if log throttling was disabled.
PAN-77213 Fixed an issue where Panorama failed to forward logs to a syslog server over TCP.
PAN-77096 Fixed an issue where GlobalProtect endpoints configured to use the pre-logon Connection Method with cookie authentication failed to authenticate because they failed to retrieve framed (static) IP addresses.
PAN-77062 Fixed an issue where administrators with a custom role could not delete packet captures.
PAN-77053 Fixed an issue on PA-7000 Series firewalls where the Egress Interface in a PBF policy rule (Policies > Policy Based Forwarding > <rule> > Forwarding) was reset to a null value, which brought down all the interfaces in the slot associated with the Egress Interface and caused an HA failover.
PAN-77012 Fixed an issue where the firewall evaluated URL filtering-based Security policy rules without evaluating application-based rules that were higher in the rule evaluation order.
PAN-76832 Fixed an issue in virtual routers where modifying a BFD profile configuration (Network > Network Profiles > BFD Profile) or assigning a different BFD profile (Network > Virtual Routers > BGP) caused the associated routing protocol (BGP) to flap.
PAN-76831 Fixed an issue on PA-7000 Series firewalls where committing configuration changes caused the management server to stop responding and made the web interface and CLI inaccessible.
PAN-76779 Fixed an issue on a PA-5020 firewall where the dataplane restarted continuously when a user accessed applications over a GlobalProtect clientless VPN.
PAN-76160 Fixed an issue where a memory leak caused the firewall to create hundreds of LDAP connections, which resulted in commit failures.
PAN-76130 A security-related fix was made to address OpenSSL vulnerabilities relating to the Network Time Protocol (NTP) library (CVE-2016-9042/CVE-2017-6460).
PAN-76058 Fixed an issue where Panorama failed to migrate URL categories from BrightCloud to PAN-DB in policy pre-rules and post-rules; this fix requires content release version 718 or a later version.
PAN-76042 Fixed an issue where PAN-OS XML API calls for retrieving all threat details associated with a threat ID returned only threat names. With this fix, the new API call to retrieve this information is: https://<firewall>/api/?type=op&cmd=<show><predefined><xpath>/predefined/threats</xpath></predefined></show>
PAN-75908 Fixed an issue where multicast packets with stale session IDs caused the firewall dataplane to restart.
PAN-75769 Fixed an issue where the firewall enabled new applications associated with Applications updates received from Panorama even when you chose to Disable new apps in content update (Panorama > Device Deployment > Dynamic Updates).
PAN-75571 Fixed an issue where the web interface did not display the full list of IPSec tunnels (Network > IPSec Tunnels) after upgrading the firewall.
PAN-75505 Fixed an issue where the firewall failed to export a report to PDF, XML, or CSV format if the report job ID was higher than 65535.
PAN-75412 Fixed an issue where the Monitor > Botnet report displayed the wrong portion of the URL when the HTTP GET request was too long, while the Monitor > Logs > URL Filtering logs displayed the URL correctly.
PAN-75045 Fixed an issue where the firewall rejected the default route advertised by an OSPFv3 neighbor with the link-local address fe80::1.
PAN-74959 Fixed an issue where the firewall or Panorama web server stopped responding, which made the web interface inaccessible until you rebooted.
PAN-74954 Fixed an issue where firewalls did not take template settings from Panorama when you pushed a template stack that had multiple templates with a Default VSYS (Panorama > Templates > <template_configuration>).
PAN-74886 Fixed an issue where Panorama failed to push a shared address object to firewalls when the object was part of a dynamic address group that used a tag.
PAN-74652 Fixed an issue where, after a firewall successfully installed a content update received from Panorama, Panorama displayed a failure message for that update when the associated job ID on the firewall was higher than 65536.
PAN-74632 Fixed an issue where the firewall did not clear IP address-to-username mappings or username-to-group mappings after reaching the maximum supported number of user groups, which caused commit failures with the following errors: user-id is not registered and ldmgr manager was reset. Commit is required to reinitialize User-ID.
PAN-74411 Fixed an issue where PAN-OS warned you too late during the firewall bootstrapping process of an error that would cause the process to abort. The late warning occurred when the error was an init-cfg.txt file that specified an IPv6 address without a corresponding IPv4 address. With this fix, PAN-OS warns you of this error much earlier in the bootstrapping process (during the sanity check phase).
PAN-74293 Fixed an issue where the firewall dropped application sessions after only 30 seconds of idle traffic instead of after the session timeout associated with the application.
PAN-74139 Fixed an issue on the PA-500 firewall where insufficient memory allocation caused SSL decryption errors that resulted in SSL session failures, and Traffic logs displayed the Session End Reason as decrypt-error or decrypt-cert-validation.
PAN-74110 Fixed an issue where administrators could not log in to the firewall using LDAP credentials after a PAN-OS upgrade.
PAN-73270 Fixed an issue where the firewall rebooted if a Syslog Parse profile with the Type set to Regex Identifier (Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Syslog Filters) matched a null character in a syslog message.
PAN-73053 Fixed an issue where incremental updates failed for registered IP addresses if the firewall retrieved the updates through VM information sources (Device > VM Information Sources).
PAN-72894 Fixed an issue where Panorama failed to display HA firewalls (Panorama > Managed Devices) after the configd process stopped responding.
PAN-72831 Fixed an issue where rebooting the firewall caused it to generate a false critical alarm that indicated LDAP servers were down.
PAN-72698 Fixed an issue where the web interface did not display the character limit (2,048) when users tried to save log filters. With this fix, the firewall displays more information in error messages relating to saving log filters.
PAN-72342 Fixed an issue where end users ignored the Duo V2 authentication prompt until it timed out but still authenticated successfully to a GlobalProtect portal configured for two-factor authentication.
PAN-71931 Fixed an issue where Panorama allowed you to add multiple entries for the same firewall to a Log Forwarding Preferences list while configuring a Collector Group (Panorama > Collector Groups > <Collector_Group_configuration> > Device Log Forwarding), which caused a commit failure. With this fix, Panorama prevents you from adding multiple entries for the same firewall while configuring a Collector Group.
PAN-71226 Fixed an issue where the firewall dataplane restarted because the processes that perform packet processing stopped responding for HTTP traffic involving URL percent-encoding.
PAN-70119 Fixed an issue where the firewall mapped users to the Kerberos Realm defined in authentication profiles (Device > Authentication Profiles) instead of extracting the realm from Kerberos tickets.
PAN-69367 Fixed an issue where the firewall incorrectly generated packet diagnostic logs and captured packets for sessions that were not part of a packet filter (Monitor > Packet Capture).
PAN-68974 Fixed an issue on PA-3000 Series firewalls where you could not configure a QoS Profile to have a maximum egress bandwidth (Egress Max) higher than 1Gbps for an aggregate group interface (Network > Network Profiles > QoS Profile).
PAN-67618 Fixed an issue where the Panorama XML API request to show all dynamic address groups responded with improperly formatted XML.
PAN-67544 Fixed an issue where, when a multicast forwarding information base (FIB) timed out, the process for packet processing (flow_ctrl) stopped responding, which intermittently caused the firewall dataplane to restart.
PAN-63905 Fixed an issue where RTP sessions that were created from predict sessions went from an active state to a discard state after you installed a content update or committed configuration changes on the firewall.
PAN-61834 Fixed an issue where the firewall captured packets of IP addresses not included in the packet filter (Monitor > Packet Capture).
PAN-60535 Fixed an issue on PA-7000 Series firewalls where NPC slots went down due to missing heartbeats.
PAN-57490 Fixed an issue where Panorama displayed an error message when you configured an access domain with 512 or more device groups. With this fix, you can configure up to 1,024 device groups in a single access domain.
PAN-54531 Fixed an issue where the firewall stopped writing new Traffic and Threat logs to storage because the Automated Correlation Engine used disk space in a way that prevented the firewall from purging older logs.
