PAN-OS 8.0.5 Addressed Issues
The following tables lists the issues that are addressed in the PAN-OS® 8.0.5 release. For new features, associated software versions, known issues, and changes in default behavior in PAN-OS 8.0 releases, see PAN-OS 8.0 Release Information.
Issue ID Description
PAN-83393 Fixed an issue where a firewall with GTP Security enabled ( Device > Setup > Management > General Settings) did not mark a GTP control message packet as invalid when the packet payload had multiple access point names (APN).
PAN-82651 Fixed an issue where a memory leak caused commit failures with the following error message: Threat database handler failed.
PAN-82616 Fixed an issue where the firewall prevented file transfers over HTTPS when the session offload feature was enabled.
PAN-82275 Fixed an issue where VM-Series firewalls dropped traffic on interfaces with QoS enabled due to QoS timeouts.
PAN-82234 Fixed an issue on M-Series appliances in Panorama mode where running scheduled reports caused a memory leak that resulted in errors such as commit failures and process termination.
PAN-82221 Fixed an issue on PA-5200 Series firewalls where the dataplane restarted because the flow_ctrl process stopped responding during heavy IPv6 traffic when the firewall interface that handled the traffic had 32,000 or more Neighbor Discovery Protocol (NDP) entries ( Network > Interfaces > <interface_configuration> > Advanced > ND Entries).
PAN-82200 Fixed an issue where an OSPFv3 not-so-stubby area (NSSA) update for an IPv6 default route caused the routed process to stop responding.
PAN-82089 Fixed an issue on PA-3000, PA-5000, PA-5200, and PA-7000 Series firewalls where heavy IPv6 traffic caused session offloading to fail, which reduced throughput.
PAN-82076 Fixed an issue on PA-5200 Series and PA-7000 Series firewalls where traffic delays occurred due to packet buffer congestion after the all_pktproc process stopped responding because of an incorrect Policy Based Forwarding (PBF) policy rule ID that referenced an invalid egress interface.
PAN-81990 Fixed an issue on PA-5220 and PA-5250 firewalls running PAN-OS 8.0.4 where the dataplane restarted multiple times after the all_pktproc process stopped responding due to memory pool exhaustion.
PAN-81951 Fixed an issue where errors associated with a Commit > Commit All Changes operation caused FQDN refresh operations to fail on the firewall. With this fix, commit failures don't cause FQDN refresh failures.
PAN-81590 Fixed an issue where a firewall intermittently dropped packets when an internal communication link failed to initialize.
PAN-81497 Fixed an issue where web pages accessed through GlobalProtect Clientless VPN did not load properly.
PAN-81287 Fixed an issue where a firewall in FIPS/CC mode intermittently switched to maintenance mode.
PAN-81218 Fixed an issue on the PA-500 firewall where OSPF was stuck in a loading state when OSPF neighbors connected over a tunnel interface.
PAN-81118 Fixed an issue where client systems could use a translated IP address-and-port pair for only one connection even if you configured the Dynamic IP and Port (DIPP) NAT Oversubscription Rate to allow multiple connections ( Device > Setup > Session > Session Settings > NAT Oversubscription). This issue is fixed on all firewall models except the PA-7000 Series and PA-5200 Series firewalls (see PAN-84488).
PAN-81031 Fixed an issue on firewalls with Captive Portal enabled where Authentication policy blocked any non-HTTP applications.
PAN-80837 Fixed an issue where, after upgrading from PAN-OS 7.1 to PAN-OS 8.0, the Panorama management server did not convert Threat logs into URL Filtering or Data Filtering logs when you had log forwarding filters based on severity levels.
PAN-80802 Fixed an issue on Panorama appliances in Panorama or Log Collector mode where an out-of-memory condition occurred because a memory leak in the reportd process raised CPU usage and swap memory.
PAN-80606 Fixed an issue where the firewall stopped uploading files to WildFire after you enabled Passive DNS Monitoring ( Device > Setup > Telemetry).
PAN-80535 Fixed an issue on a firewall with multiple virtual systems where policy rules defined for a specific virtual system could not access shared EDL objects.
PAN-80479 Fixed an issue where an end user could not use Kerberos single sign-on to authenticate to the GlobalProtect portal or gateway when user membership in many Kerberos groups resulted in an HTTP header that exceeded the size that the firewall allowed. With this fix, the firewall allows a larger size for HTTP headers.
PAN-80465 Fixed an issue where PAN-OS never performed the Action configured in an update schedule on a firewall ( Device > Dynamic Updates > <update_type_schedule>) or a Panorama management server ( Panorama > Dynamic Updates > <update_type_schedule>) when the Threshold age for updates exceeded the frequency at which Palo Alto Networks released the updates. For example, if a firewall had a Threshold of 48 hours for Applications and Threats content updates but Palo Alto Networks released successive content updates every 24 hours, the latest update would never reach the 48-hour age Threshold required to trigger the Action. With this fix, PAN-OS checks the last five content release versions, instead of just the newest version, and performs the Action for the latest version that matches the Threshold. For example, if content update version 701 is available for 24 hours and version 700 is available for 72 hours, and you set the Threshold to 48 hours for Applications and Threats content updates, PAN-OS performs the Action for version 700. PAN-OS checks the last five content release versions for Antivirus updates also.
PAN-80155 Fixed an issue where firewalls that were deployed in an active/passive high availability (HA) configuration and that acted as DHCP relay agents used physical MAC addresses instead of HA virtual MAC addresses for DHCP packets.
PAN-79977 Fixed an issue where the snmpd process restarted due to a memory leak that caused it to exceed the virtual memory limit.
PAN-79939 As an enhancement on VM-Series firewalls, you can now enable or disable Data Plane Development Kit (DPDK) mode during the bootstrap process. DPDK enhances firewall performance by increasing the packet processing speed of network interface cards (NICs). To enable DPDK, add the op-cmd-dpdk-pkt-io=on command to the init-cfg.txt bootstrap configuration file. If you disable DPDK by adding the op-cmd-dpdk-pkt-io=off command, the firewall uses Packet_mmap mode instead.
PAN-79874 Fixed an issue where end users could not send email because the all_pktproc process stopped responding after the firewall tried to process an empty filename in email traffic.
PAN-79844 Fixed an issue on Panorama where scheduled custom reports returned no data.
PAN-79804 Fixed an issue where VM-Series firewalls for VMware NSX did not register on Panorama when they belonged to a device group that contained applications from a content release version that was newer than the version included with the PAN-OS software image for fresh installations.
PAN-79607 Fixed an issue where a spike in dataplane memory utilization caused bus errors and caused the dataplane and control plane to restart until you rebooted the firewall.
PAN-79575 Fixed an issue where commit operations failed and the firewall became unresponsive after responding to SNMP queries associated with certain OIDs that triggered an snmpd memory leak.
PAN-79555 Fixed an issue on VM-Series firewalls on Azure where dataplane interfaces did not come up as expected because they did not successfully negotiate Layer 2 settings during bootup.
PAN-79313 Fixed an issue where VM-Series firewalls did not successfully apply pre-licensed serial numbers for Cloud Security Service Provider (CSSP) licenses.
PAN-79238 Fixed an issue on firewalls in an HA configuration where HA path monitoring failed when the Ping Interval had a low value, such as 600ms ( Device > High Availability > Link and Path Monitoring > <path_group_configuration>).
PAN-79174 Fixed an issue where commits took longer to complete than expected on firewalls with hundreds of policy rules that referenced application filters or application groups that specified thousands of applications.
PAN-78818 Fixed an issue where VM-Series firewalls deleted logs when you upgraded the base system disk from 40GB to 60GB.
PAN-78778 Fixed an issue where VM-Series firewalls for Hyper-V that used VLAN tagging dropped Ethernet frames that exceeded 1,496 bytes.
PAN-78770 Fixed an issue on PA-500 firewalls in an HA configuration where the HA1 interface went down due to a missed HA1 heartbeat.
PAN-78572 Fixed an issue where the Panorama management server delayed the display of new firewall logs because the logd process consumed too much memory.
PAN-78385 Fixed an issue where a Panorama management server running PAN-OS 8.0 did not display logs that were related to VPN tunnels or authentication and that were collected from PA-7000 Series firewalls running PAN-OS 7.1 or an earlier release.
PAN-78362 Fixed an issue where the Panorama management server intermittently became unresponsive due to errors in the configd process.
PAN-78055 Fixed an issue on PA-220, PA-500, and PA-800 Series firewalls where VPN tunnel traffic intermittently failed because the keymgr stopped processing sysd messages.
PAN-78044 Fixed an issue where the firewall dropped packets that were destined for IP address FD00::/8 when you configured a Zone Protection profile with a Strict IP Address Check ( Network > Network Profiles > Zone Protection > Packet Based Attack Protection > IP Drop). With this fix, FD00::/8 is no longer a reserved IP address.
PAN-77939 Fixed an issue where the Panorama virtual appliance in Legacy mode purged older Traffic logs even when space was available to store new logs.
PAN-77935 Fixed an issue where, after you upgraded a firewall to PAN-OS 8.0, it forwarded the same logs to a syslog server multiple times instead of once.
PAN-77866 Fixed an issue where the authentication process (authd) stopped responding when a third-party device blocked the transmission of authentication packets between the firewall and an LDAP server. With this fix, authentication fails without authd becoming unresponsive when a third-party device blocks LDAP authentication packets.
PAN-77747 Fixed an issue where a firewall with ECMP enabled on a virtual router ( Network > Virtual Routers > Router Settings > ECMP) did not load balance the traffic among egress interfaces when the traffic originated from another virtual router.
PAN-77702 Fixed an issue on Panorama in NSX deployments where dynamic address updates took several minutes to complete.
PAN-77652 Fixed an issue on PA-7000 Series firewalls where the mprelay process stopped responding due to a memory leak on the management plane.
PAN-77645 Fixed an issue where Dedicated Log Collectors did not forward logs to a syslog server over TCP.
PAN-77581 Fixed an issue where the web interface displayed no information in the Network > GlobalProtect > Gateways > Remote Users (Info column) > Previous User tab.
PAN-77469 Fixed an issue on a Panorama management server running PAN-OS 8.0 where an administrator with a custom role who accessed the Context of a managed firewall running PAN-OS 7.1 or an earlier release could not commit changes on that firewall.
PAN-77405 Fixed an issue where the PA-220 firewall incorrectly displayed packet descriptor utilization as 51% even when the firewall was not processing traffic.
PAN-77327 Fixed an issue where the PA-220 firewall did not send the correct interface indexes to NetFlow collectors, which prevented it from forwarding IP traffic statistics for analysis.
PAN-77171 Fixed an issue where the firewall discarded sessions that required the TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 cipher for SSL decryption.
PAN-76997 Fixed an issue on the PA-3020 firewall where SSL connections failed due to memory allocation issues if you configured a Decryption profile with Key Exchange Algorithms that included ECDHE ( Objects > Decryption Profile > <decryption_profile> > SSL Protocol Settings).
PAN-76830 Fixed an issue on PA-5000 Series firewalls where insufficient memory allocation caused SSL decryption errors that resulted in SSL session failures, and the firewall displayed the reason in Traffic logs as decrypt-error or decrypt-cert-validation .
PAN-76509 Fixed an issue on firewalls with multiple virtual systems where custom spyware signatures worked only on vsys1 ( Objects > Custom Objects > Spyware).
PAN-76373 Fixed an issue on PA-5000 Series firewalls where using the web interface to display QoS Statistics ( Network > QoS) caused the control plane and dataplane to restart due to a memory leak.
PAN-76263 Fixed an issue where the Panorama management server retained the Threshold value for update schedules ( Device > Dynamic Updates > <update_type_schedule>) in a template stack even after you removed the value from templates in the stack.
PAN-76155 Fixed an issue where the logs for the VM Monitoring Agent did not indicate the reason for events that cause it to exit. With this fix, the logs display debug-level details when the VM Monitoring Agent exits.
PAN-76040 Fixed an issue where configuring an aggregate interface group with interfaces of different media (such as copper and fiber optic) caused a commit failure. With this fix, an aggregate interface group can have interfaces with different media.
PAN-76019 Fixed an issue where the dataplane restarted because the firewall used incorrect zone identifiers for deleting flows when untagged subinterfaces had parent interfaces with no zone assignment.
PAN-75890 Fixed an issue where the Applications report ( Monitor > Reports > Application Reports) listed untunneled as one of the top HTTP applications even though no such application existed.
PAN-75724 Fixed an issue where the PAN-OS integrated User-ID agent allowed weak ciphers for SSL/TLS connections. With this fix, the User-ID agent allows only the following ciphers for SSL/TLS connections: ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA256 DHE-RSA-AES256-SHA256 DHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA256 AES256-SHA AES128-SHA256 AES128-SHA
PAN-75371 Fixed an issue where firewalls configured to perform destination NAT misidentified applications after incorrectly adding the public IP addresses of destination servers to the App-ID cache.
PAN-74880 Fixed an issue where retrieving threat packet captures took longer than expected through the web interface ( Monitor > Logs > Threat) or PAN-OS XML API.
PAN-74366 Fixed an issue on the firewall and Panorama where the management server (mgmtserver) process restarted after you tried to filter a Policies > <policy_type> list based on specific strings such as 00 or 000 .
PAN-74067 Fixed an issue in large-scale deployments where the User-ID process (useridd) stopped responding due to a loop condition because firewalls configured as User-ID agents repeatedly redistributed the same IP address-to-username mappings.
PAN-73933 Fixed an issue where the log receiver (logrcvr) process restarted due to a memory leak after the firewall performed a log query for correlation objects or reports and the query included the Threat Category field.
PAN-73711 Fixed an issue where firewalls configured as DHCP clients did not receive IP addresses from the DHCP server because the firewalls did not set the gateway IP address (giaddr) value to zero in DHCP client reply messages.
PAN-72495 Fixed an issue where PA-7000 Series firewalls intermittently dropped packets from GlobalProtect end users if the GlobalProtect IKE gateway used a local interface that was in a different security zone than the physical ingress interface.
PAN-72334 Fixed an issue where firewalls did not resume forwarding logs to Log Collectors after Panorama management servers in an HA configuration recovered from a split-brain condition.
PAN-69932 Fixed an issue where the Panorama web interface and CLI responded slowly when numerous NSX plugins were in progress.
PAN-69283 As an enhancement for controlling access to GlobalProtect portals and gateways (internal or external), even when user endpoints have valid authentication override cookies, PAN-OS now matches the users against the Allow List of authentication profiles ( Device > Authentication Profile > <authentication_profile> > Advanced). Modifying the Allow List is an easy way to prevent unauthorized access by users who have valid cookies but disabled accounts.
PAN-69014 Fixed an issue where the Panorama management server did not display logs collected from PA-7000 Series firewalls assigned to a child device group of the Device Group selected in the Monitor tab of the web interface.
PAN-68363 Fixed an issue where logs exported in CSV format had misaligned columns.
PAN-62675 Fixed an issue where a firewall frequently and continuously refreshed username-to-group mappings.

Related Documentation