PAN-OS 8.0.7 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS® 8.0.7 release. For new features, associated software versions, known issues, and changes in default behavior in PAN-OS 8.0 releases, see PAN-OS 8.0 Release Information.
Issue ID Description
WF500-4510 Fixed an issue where WildFire intermittently returned incorrect verdicts for Microsoft Office documents opened in Protected View mode.
WF500-4388 Fixed an issue where a cluster of WF-500 appliances that did not have a WildFire public cloud explicitly defined in their configurations randomly disabled public cloud communication, causing cluster commits to fail. With this fix, WF-500 appliances in a cluster always connect to wildfire.paloaltonetworks.com when you don't specify a WildFire public cloud in their configurations.
WF500-4366 Fixed an issue on a WildFire appliance cluster in a high availability (HA) configuration where the vm-interface on the passive HA peer allowed inbound SSH connections.
PAN-89936 A security-related fix was made to prevent the decryption of captured sessions through the ROBOT attack (CVE-2017-17841).
PAN-89568 Fixed an issue where VM-Series and PA-5200 Series firewalls prevented the setup of GTPv2-C tunnels when create session response messages had GTP cause value 18, which the firewall associated with stateful failure. With this fix, the firewalls recognize messages with that cause value as normal.
PAN-89078 Fixed an issue where PA-5220 and PA-5250 firewalls did not support the correct number of policy rules for Security, Decryption, Application Override, QoS, and Tunnel Inspection policy.
PAN-88863 Fixed an issue where PA-5200 Series firewalls intermittently dropped packets in Generic Routing Encapsulation (GRE) tunnels that used Point-to-Point Tunneling Protocol (PPTP).
PAN-88846 Fixed an issue where PA-7000 Series, PA-5200 Series, and PA-5000 Series firewalls dropped packets in VPN tunnels when processing the tunnels and traffic on separate dataplanes within the same firewall.
PAN-88775 Fixed an issue where the PA-220 firewall reset memory usage every day because the logrcvr process had a memory leak.
PAN-88286 Fixed an issue on a Panorama management server where the web interface became inaccessible because PAN-OS did not delete temporary files and therefore the root partition ran out of free storage space.
PAN-87779 Fixed an issue on VM-Series firewall on Azure where a virtual network interface card (vNIC) driver introduced a TCP packet out-of-order condition that reduced throughput.
PAN-87363 Fixed an issue where selecting to Generate Tech Support File (Device > Support) caused Bidirectional Forwarding Detection (BFD) flapping while the firewall generated the file.
PAN-87277 Fixed an issue on the Panorama management server where the following PAN-OS XML API call caused the configd process to stop responding after you changed the Panorama configuration but did not yet commit the change: /api/?type=op&cmd=<show><config><list><admins><partial><template></template></partial></admins></list></config></show>
PAN-87160 Fixed an issue on PA-5200 Series firewalls where the dataplanes did not have enough memory to support large configurations.
PAN-87145 Fixed an issue where importing a firewall configuration into a Panorama management server deleted certain Panorama shared objects.
PAN-86859 Fixed an issue where commits and other operations failed because the mprelay process stopped responding after you committed an interface configuration change after loading a configuration, reverting to the running configuration, or restarting the management server.
PAN-86775 Fixed an issue where firewalls in an active/active HA configuration dropped Q-in-Q traffic (traffic with nested VLAN tags) when traversing the HA3 interface.
PAN-86576 Fixed an issue where end users encountered application failures because child TCP sessions closed prematurely after their parent UDP sessions closed.
PAN-86232 Fixed an issue where the Panorama management server displayed No HIP Report Found when you clicked the log details icon (magnifying glass) for host information profile (HIP) logs.
PAN-86226 Fixed an issue on PA-5000 Series firewalls running PAN-OS 8.0.5 or a later release where insufficient proxy memory caused decryption failures and prevented users from accessing the GlobalProtect portal or gateway.
PAN-86178 Fixed an issue where the firewall or Panorama management server did not display an error message when it ran out of free disk space, so commits failed without explanation. With this fix, the firewall or Panorama aborts commits before starting them when it has insufficient free disk space.
PAN-85744 Fixed an issue where the User-ID process (useridd) produced an error message (Server error : Client useridd not ready) and stopped responding during a commit operation.
PAN-85640 Fixed an issue where the firewall could not refresh external dynamic lists (EDLs) through a proxy server.
PAN-85497 Fixed an issue where, after the Panorama management server successfully downloaded a scheduled content update but firewalls or Log Collectors could not automatically retrieve and install the update at the scheduled time (because of temporary connection issues, for example), Panorama did not display an Action option to Install the update manually (Panorama > Device Deployment > Dynamic Updates).
PAN-85394 Fixed an issue on the Panorama management server where you could not use the web interface to install a GlobalProtect Cloud Services plugin after modifying the plugin filename.
PAN-85348 Fixed an issue where PAN-OS indicated the master key was invalid when you configured it to use an ampersand (&) character. With this fix, the ampersand is an allowed character in the master key.
PAN-85299 Fixed an issue on firewalls in an active/passive HA configuration with link or path monitoring enabled where a failover resulting from a link or path failure intermittently caused PAN-OS to delete host, connected, static, and dynamic routes (both OSPF and BGP) from the forwarding information base (FIB) on the firewall peer that became active. The failover also caused PAN-OS to intermittently send unnecessary BGP withdrawal messages to BGP peers. With this fix, you can prevent these issues by using the new set system setting delay-interface-process interface <interface-name> delay <0-5000> CLI command (default is 0ms; range is 0 to 5000ms). This command specifies a delay period, after a link fails and before PAN-OS brings down its associated interface, to give enough time after failover for the newly active firewall HA peer to become fully active and to synchronize the correct route information with its peer. In most deployments, the best practice is to set the delay to a period that is greater than the sum of the Promotion Hold Time (default 2000ms) and Monitor Fail Hold Up Time (default 0ms).
PAN-85238 A security-related fix was made to prevent a cross-site scripting (XSS) attack through the PAN-OS Captive Portal (CVE-2017-16878).
PAN-85047 Fixed an issue where the firewall failed to retrieve a domain list from an external dynamic list (EDL) server over a TLSv1.0 connection.
PAN-85035 Fixed an issue where end users could not access applications and services due to DNS resolution failures that occurred because the firewall associated the destination port with Bidirectional Forwarding Detection (BFD) packets instead of DNS packets.
PAN-84950 Fixed an issue where the Panorama management server did not push changes to the Content Update Server value of WildFire clusters after a commit on the WF-500 appliances in that cluster (Panorama > Managed WildFire Clusters > General).
PAN-84903 Fixed an issue where selecting Check Now in Device > Dynamic Updates caused PAN-OS to apply a global configuration lock that prevented any administrators from performing tasks on the firewall while it checked the Palo Alto Networks Update Server for new content updates. With this fix, PAN-OS no longer locks the configuration when checking for content updates.
PAN-84856 Fixed an issue where the firewall misidentified Signiant-based traffic as HTTP-proxy traffic and therefore did not apply policy correctly to that traffic.
PAN-84808 Fixed an issue where high packet-descriptor utilization caused the firewall to drop traffic over an IPSec tunnel that used the Authentication Header protocol for key exchange.
PAN-84781 Fixed an issue on firewalls with Decryption policy enabled where intermittent packet loss and decryption failures occurred because the firewall depleted its software packet buffer pool.
PAN-84617 Fixed an issue on the Panorama management server where the Task Manager displayed Commit, Download, and Software Install tasks as stuck in a pending state after the configd process restarted. This issue is not fixed for the Commit All task, which remains stuck at 0% completion after configd restarts.
PAN-84546 Fixed an issue where the Panorama management server failed to download scheduled content or Antivirus updates that overlapped with other scheduled downloads.
PAN-84186 Fixed an issue where, after the Panorama management server rebooted, it deleted known hosts for SSH sessions and therefore disrupted scheduled configuration exports (Panorama > Scheduled Config Export).
PAN-84165 Fixed an issue where, after a NetApp NFS server was temporarily unreachable, NetApp NFS clients failed to reconnect to it because the firewall blocked the challenge ACK signal required for RFC-5961 sessions. With this fix, you must run the set deviceconfig setting tcp allow-challenge-ack yes CLI command in configuration mode to enable NFS clients to reconnect with the NFS server in cases where new connections are required.
PAN-84082 Fixed an issue on the Panorama management server where the management server restarted because the configd process stopped responding due to memory corruption.
PAN-84018 Fixed an issue where Data Filtering logs did not display files that had spaces in their filenames.
PAN-83689 Fixed an issue on PA-5200 Series firewalls where missing LACP packets caused aggregate Ethernet groups to intermittently drop interfaces.
PAN-83678 Fixed an issue on M-Series appliances where, after you upgraded the Panorama software or added logging disks of varying sizes, the appliances stopped collecting logs from firewalls because uneven log distribution across the logging disks caused the used storage on one disk to approach the maximum capacity.
PAN-83394 Fixed an issue where a firewall on which you enabled GTP inspection allowed malformed GTP packets with invalid IMSI or MSISDN numbers to pass inspection.
PAN-82827 Fixed an issue where, after you enabled Captive Portal, the firewall stopped logging traffic for applications it identified as incomplete or undecided for unknown users (users that User-ID has not mapped to IP addresses).
PAN-82825 Fixed an issue where a commit failed after you increased the number of external dynamic list (EDL) objects.
PAN-82760 Fixed an issue on Panorama Log Collectors where the show log-collector-es-indices CLI command displayed errors. Also fixed an issue where Collector Groups with log redundancy enabled started deleting the oldest logs when the used storage on Log Collectors approached half the maximum capacity instead of when used storage approached the full maximum capacity.
PAN-82731 Fixed an issue on the Panorama management server where System logs did not record disconnections with managed firewalls.
PAN-82497 Fixed an issue where the firewall intermittently dropped username-to-group mappings, which disrupted how it applied group-based policies.
PAN-82332 Fixed an issue where the firewall exported a configuration file of 0 bytes when you used the firewall web interface to export a configuration file (Setup > Operations).
PAN-82251 Fixed an issue where the VM-Series firewall on AWS GovCloud did not support bootstrapping.
PAN-82181 Fixed an issue where the firewall blocked access to HTTPS websites that had DigiCert-signed certificates after you configured SSL Forward Proxy decryption, configured the firewall to Block sessions with unknown certificate status (Objects > Decryption Profile > SSL Decryption > SSL Forward Proxy), and configured certificate status validation through certificate revocation lists (CRLs).
PAN-82125 Fixed an issue where the firewall management plane or control plane continuously rebooted after an upgrade to PAN-OS 8.0, and displayed the following error message: rcu_sched detected stalls on CPUs/tasks.
PAN-82117 Fixed an issue where PA-5000 Series firewalls in an active/active HA configuration intermittently dropped packets due to a race condition that occurred when the session owner and session setup were on different HA peers.
PAN-82070 Fixed an issue where PA-5020 firewalls supported a maximum bandwidth (Egress Max) of only 1Gbps for classes of service (Network > Network Profiles > QoS). With this fix, the Egress Max limit is 8Gbps on PA-5020 firewalls and 16Gbps on PA-5050 and PA-5060 firewalls.
PAN-81885 Fixed an issue where the firewall did not display a warning when you deleted a shared object that Security policy rules used. With this fix, the firewall displays a message indicating that policy rules use the shared object you are trying to delete and prevents you from deleting that object until you remove it from policy rules.
PAN-81710 Fixed an issue where the Panorama management server failed to perform scheduled exports of configuration files to an FTP server (Panorama > Scheduled Config Export).
PAN-81586 A security-related fix was made to prevent a cross-site scripting (XSS) vulnerability in GlobalProtect (CVE-2017-15941).
PAN-81573 Fixed an issue where a firewall configured as a DNS proxy (Network > DNS Proxy) failed to resolve an address object with the Type set to FQDN and a name that ended with a period (Objects > Addresses).
PAN-81539 Fixed an issue where commits failed because the logrcvr process restarted continuously on firewalls that had NetFlow exports configured.
PAN-81171 Fixed an issue where firewalls that performed SSL decryption slowed the download of large files over HTTPS on macOS endpoints.
PAN-80645 Fixed an issue where the VM-Series firewall lost OSPF adjacency with a peer device because the firewall dropped large OSPF link state packets.
PAN-80631 Fixed an issue where the Panorama management server failed to push configuration changes filtered by administrator to managed firewalls after you configured Panorama to not Share Unused Address and Service Objects with Devices.
PAN-80542 Fixed an issue where administrators whose roles had the Privacy privilege disabled (Device > Admin Roles > Web UI) could view details about source IP addresses and usernames in scheduled reports.
PAN-80423 Fixed an issue where VM-Series firewalls in an active/passive HA configuration added a delay in traffic once every minute while sending Gratuitous Address Resolution Protocol (GARP) packets after you set the Link State to down on a Layer 3 interface (Network > Interfaces > Ethernet > <interface> > Advanced).
PAN-80395 Fixed an issue where the User-ID agent mapped IP addresses to incorrect (obscured) usernames when the firewall authenticated users through a SAML identity provider (IdP) that excluded the username attribute from SAML assertions and used a persistent name-identifier policy (NameIDPolicy). With this fix, the firewall no longer mandates a transient NameIDPolicy for SAML assertions; the NameIDPolicy is entirely at the discretion of the IdP. An IdP that excludes the username attribute and has a transient NameIDPolicy still sends obscured usernames to the firewall.
PAN-80272 Fixed an issue where Data Filtering logs showed incorrect file names for file uploads and downloads.
PAN-80263 Fixed an issue where numerous simultaneous LDAP connections (in the order of tens or more) caused the connections between firewalls and User-ID agents to become stuck in the connecting state.
PAN-79753 Fixed an issue where the Panorama management server restarted after you ran the replace device old <old_SN#> new <new_SN#> CLI command to replace the serial number of an old managed firewall with that of a new managed firewall.
PAN-79671 Fixed an issue where firewalls ran out of disk space because they did not purge logs quickly enough.
PAN-79309 Fixed an issue where the firewall applied case sensitivity when matching domain names when you selected to Use domain to determine authentication profile in an authentication sequence (Device > Authentication Sequence). With this fix, the name matching is case insensitive: users can log in to a Windows domain system using a domain name with upper or lower case characters.
PAN-79302 Fixed an issue where committing configuration changes took longer than expected when you configured Security policy rules with combinations of applications and service ports.
PAN-79247 Fixed an issue where the firewall did not apply your changes in HIP objects and profiles to Security policy rules and HIP Match logs unless GlobalProtect clients reconnected to the GlobalProtect gateway.
PAN-79167 Fixed an issue on the Panorama management server where the members count became zero for all existing shared address groups after you imported a firewall configuration.
PAN-79067 Fixed an issue where the firewall treated an address object as a region object when the address object had the same name as a deleted region object.
PAN-78716 Fixed an issue on the Panorama management server and firewall where, after you added new administrator accounts and those administrators logged in, the administrative roles you assigned to those accounts had incomplete and therefore invalid configurations.
PAN-78082 Fixed an issue where the firewall dropped sessions during SSL Inbound decryption because decryption errors caused TLS session resumption to fail.
PAN-77800 Fixed an issue where the firewall failed to generate a Simple Certificate Enrollment Protocol (SCEP) certificate when you selected a SCEP profile with the Subject containing an email address attribute (Device > Certificate Management > SCEP).
PAN-77779 Fixed an issue where the Panorama management server did not release a commit lock after a successful commit.
PAN-77673 Fixed an issue where, when testing which policy rule applied to traffic between a specified destination and source, the PAN-OS XML API query did not display as much information as the corresponding CLI command (test security-policy-match).
PAN-77526 Fixed an issue where, after you used a Panorama management server to push the Require Password Change on First Login setting to managed firewalls (Device > Setup > Management > Minimum Password Complexity), those firewalls did not prompt administrators to change their passwords during initial login.
PAN-77128 Fixed an issue on the Panorama management server where the Commit > Commit and Push operation did not push the running configuration to firewalls.
PAN-77019 Fixed an issue where PA-7000 Series firewalls in an active/active HA configuration randomly dropped packets because High Speed Chassis Interconnect (HSCI) links intermittently flapped.
PAN-76404 Fixed an issue where scheduled custom reports did not correctly display column headers.
PAN-76349 Fixed an issue where a Panorama management server running PAN-OS 8.0 pushed configurations to firewalls running PAN-OS 7.1 instead of just validating the push operation after you selected to Validate Template Push (Commit > Commit and Push).
PAN-76220 Fixed an issue where Dedicated Log Collectors failed to connect to a Panorama management server when you specified an FQDN as the Panorama Server IP (Panorama > Managed Collectors > <Log_Collector> > General) due to DNS resolution failure that resulted from PAN-OS adding an extra line character to the end of the FQDN.
PAN-75741 Fixed an issue where the firewall did not generate System logs to indicate registration or connection errors that prevented it from submitting files to the WildFire cloud.
PAN-58581 Fixed an issue where a GlobalProtect satellite sent the wrong certificate chain after you renewed the certificate authority (CA) certificates of GlobalProtect portals and gateways.
