PAN-OS 8.0.0 Addressed Issues

PAN-OS® 8.0.0 addressed issues
Issue ID
Description
PAN-76702
Fixed an issue where several dataplane processes stopped responding on the firewall after it applied SSL Forward Proxy Decryption policy to traffic that then traversed a VPN tunnel.
PAN-72346
Fixed an issue where exporting botnet reports failed with the following error: Missing report job id.
PAN-72242
Fixed an issue where configuring a source address exclusion in Reconnaissance Protection tab under zone protection profile was not allowed.
PAN-71892
Fixed an issue where an LDAP profile did not use the configured port; the profile used the default port, instead.
PAN-71615
Fixed an issue where the intrazone block rule shadowed the universal rule that has different source and destination zones.
PAN-71400
Fixed an issue where the DNS Proxy feature did not work because the associated process (dnsproxy) stopped running on a firewall that had an address object (ObjectsAddress) with the same FQDN as one of the Static Entries in a DNS proxy configuration (NetworkDNS Proxy).
PAN-71384
Fixed an issue with the passive firewall in a high availability (HA) configuration that had LACP pre-negotiation enabled where the firewall stopped correctly processing LACP BPDU packets through an interface that had previously physically flapped.
PAN-71311
Fixed an issue where, if you configured a User-ID agent with an FQDN instead of an IP address (DeviceUser IdentificationUser-ID Agents), the firewall generated a System log with the wrong severity level (informational instead of high) after losing the connection to the User-ID agent.
PAN-71307
Fixed an issue where the scp export stats-dump report did not run correctly because source (src) and destination (dst) options were determined to be invalid arguments.
PAN-71192
Fixed an issue where performing a log query or log export with a specific number of logs caused the management server to stop responding. This occurred only when the number of logs was a multiple of 64 plus 63. For example, 128 is a multiple of 64 and if you add 63 to 128 that equals 191 logs. In this case, if you performed a log query or export and there were 191 logs, the management server would stop responding.
PAN-70969
Fixed an issue on a virtual wire where, if you enabled Link State Pass Through (NetworkVirtual Wires), there were significant delays in link-state propagation or even instances where an interface stayed down permanently even when ports were re-enabled on the neighbor device.
PAN-70541
A security-related fix was made to address an information disclosure issue that was caused by a firewall that did not properly validate certain permissions when administrators accessed the web interface over the management (MGT) interface (CVE-2017-7644).
PAN-70483
Fixed an issue on an M-Series appliance in Panorama mode where shared service groups did not populate in the service pull down when attempting to add a new item to a security policy. The issue occurred when the drop down contained 5,000 or more entries.
PAN-70428
A security-related fix was made to prevent inappropriate information disclosure to authenticated users (CVE-2017-5583).
PAN-70323
Fixed an issue where firewalls running in FIPS-CC mode did not allow import of SHA-1 CA certificates even when the private key was not included; instead, firewalls displayed the following error:
Import of <cert name> failed. Unsupported digest or keys used in FIPS-CC mode.
PAN-70057
Fixed an issue where running the validate option on a candidate configuration in Panorama caused changes to the running configuration on the managed device. The configuration change occurred after a subsequent FQDN refresh occurred.
PAN-69951
Fixed an issue where the firewall failed to forward system logs to Panorama when the dataplane was under severe load.
PAN-69901
Fixed an issue where the hyphen ("-") character was not supported in a DNS proxy domain name (NetworkDNS Proxy<dns-proxy-name>DNS Proxy Rules<rule-name>Domain Name").
PAN-69235
Fixed an issue where committing a configuration with several thousand Layer 3 subinterfaces caused the dataplane to stop responding.
PAN-69194
Fixed an issue where performing a device group commit from a Panorama server running version 7.1 to a managed firewalls running PAN-OS 6.1 failed to commit when the custom spyware profile action was set to Drop. With this fix, Panorama translates the action from Drop to Drop packets for firewalls running PAN-OS 6.1, which allows the device group commit to succeed.
PAN-69146
Fixed an issue where the Remote Users link for a gateway (NetworkGlobalProtectGateways) became inactive and prevented you from reopening the User Information dialog if you closed the dialog using the Esc key instead of clicking Close.
PAN-68873
Fixed an issue where customizing the block duration for threat ID 40015 in a Vulnerability Protection profile did not adhere to the defined block interval. For example, if you set Number of Hits (SSH hello messages) to 3 and perseconds to 60, after three consecutive SSH hello messages from the client, the firewall failed to block the client for the full 60 seconds.
PAN-68831
Fixed an issue where CSV exports for Unified logs (MonitorLogsUnified) had no log entries if you limited the effective queries to one log type.
PAN-68823
Fixed an issue where custom threat reports failed to generate data when you specified Threat Category for either the Group By or Selected Column setting.
PAN-68766
Fixed an issue where navigating to the IPSec tunnel configuration in a Panorama template caused the Panorama management web interface to stop responding and displayed a 502 Bad Gateway error.
PAN-68658
Fixed an issue where handling out-of-order TCP FIN packets resulted in dropped packets due to TCP reassembly that was out-of-sync.
PAN-68654
Fixed an issue where the firewall did not populate User-ID mappings based on the defined Syslog Parse profiles (DeviceUser IdentificationUser MappingPalo Alto Networks User-ID Agent SetupSyslog Filters).
PAN-68074
A security-related fix was made to address CVE-2016-5195.
PAN-68034
The show netstat CLI command was removed in the 7.1 release for Panorama, Panorama log collector, and WildFire. With this fix, the show netstat command is reintroduced.
PAN-67987
Fixed an issue where the GlobalProtect agent failed to connect using a client certificate if the intermediate CA is signed using the ECDSA hash algorithm.
PAN-67944
Fixed an issue where a process (all_pktproc) stopped responding because a race condition occurred when closing sessions.
PAN-67639
Fixed an issue where the firewall did not properly mask the Auth Password and Priv Password for an SNMPv3 server profile (DeviceServer ProfilesSNMP Trap) when you viewed the configuration change in a Configuration log.
PAN-67599
In PAN-OS 7.0 and 7.1 releases, a restriction was added to prevent an administrator from configuring OSPF router ID 0.0.0.0. This restriction is removed in PAN-OS 8.0.
PAN-67224
Fixed an issue where the firewall displayed a validation error after Panorama imported the firewall configuration and then pushed the configuration back to the firewall so it could be managed by Panorama. This issue occurred because log forwarding profiles were not replaced with the profiles configured in Panorama. With this fix, Panorama will properly remove the existing configuration on the managed firewall before applying the pushed configuration.
PAN-67090
Fixed an issue where the web interface displayed an obsolete flag for the nation of Myanmar.
PAN-67079
Fixed an issue where the firewall discarded SSL sessions when the server certificate chain size exceeded 23KB.
PAN-66873
Fixed an issue where PAN-OS deleted critical content files when the management plane ran out of memory, which caused commit failures until you updated or reinstalled the content.
PAN-66838
A security-related fix was made to address a Cross Site-Scripting (XSS) vulnerability on the management web interface (CVE-2017-5584).
PAN-66675
Fixed an issue where extended packet captures were consuming an excessive amount of storage space in /opt/panlogs.
PAN-66654
Fixed an issue where the status of a tunnel interface remained down even after disabling the tunnel monitoring option for IPSec tunnels.
PAN-66531
Fixed an issue where the Commit Scope column in the Commit window was empty after manually uploading and installing a content update and then committing. Although the content update was not listed under Commit Scope, the commit continued and showed 100% complete.
PAN-66104
Fixed an issue where vsys-specific custom response pages (Captive portal, URL continue, and URL override) did not display; they were replaced by shared response pages, instead.
PAN-65918
Fixed an issue on the Panorama virtual appliance where the third-party backup software BackupExec failed to back up a quiesced snapshot of Panorama (Panorama in a temporary state where all write operations are flushed). With this fix, the VMware Tools bundled with Panorama supports the quiescing option.
PAN-64981
Fixed an issue where an internal buffer could be overwritten, causing the management plane to stop responding.
PAN-64884
Fixed an issue where firewalls in an HA configuration did not synchronize the Layer 2 MAC table; after failover, the MAC table was rebuilt only on the peer that became active, which caused excessive packet flooding.
PAN-64870
Fixed an issue where a zone with the Type set to Virtual Wire (NetworkZones) dropped all incoming traffic when you configured the Zone Protection profile for that zone with a Strict IP Address Check (NetworkNetwork ProfilesZone ProtectionPacket Based Attack ProtectionIP Drop).
PAN-64723
Fixed an issue where the test authentication CLI command was incorrectly sending vsys-specific information to the User-ID process for group-mapping query that allowed the authentication test to succeed when it should have failed.
PAN-64638
Fixed an issue where the firewall failed to send a RADIUS access request after changing the IP address of the management interface.
PAN-64579
Error message is now displayed when installing apps package manually from file on passive Panorama.
PAN-64525
Fixed an issue where User-ID failed to update the allow list for a group name that was larger than 128 bytes.
PAN-64520
Fixed an issue where H.323-based video calls failed when using source NAT (dynamic or static) due to incorrect translation of the destCallSignalAddress payload in the H.225 call setup.
PAN-64436
Fixed an issue where creation of IGMP sessions failed due to a timeout issue.
PAN-64419
Fixed an issue where firewall displays inconsistent shadow rule warnings during a commit for QOS policies.
PAN-64081
Fixed an issue on PA-5000 Series firewalls where the dataplane stopped responding due to a race condition during hardware offload.
PAN-63969
Fixed an issue on PA-7000 Series firewalls in an HA configuration where the NPC 40Gbps (QSFP) Ethernet interfaces on the passive peer displayed link activity on a neighboring device (such as a switch) to which they connected even though the interfaces were down on the passive peer.
PAN-63925
Fixed an issue where the firewall did not generate a log when a content update failed or was interrupted.
PAN-63908
Fixed an issue where SSH sessions were incorrectly subjected to a URL category lookup even when SSH decryption was disabled. With this fix, SSH traffic is not subject to a URL category lookup when SSH decryption is disabled.
PAN-63612
Fixed an issue where User activity reports on Panorama did not include any entries when there was a space in the Device Group name.
PAN-63520
Fixed an issue where the wrong source zone was used when logging vsys-to-vsys sessions.
PAN-63207
Fixed an issue on PA-7000 Series firewalls where group mappings did not populate when the group include list was pushed from Panorama.
PAN-63054
Fixed an issue on VM-Series firewalls where enabling software QoS resulted in dropped packets under heavy traffic conditions. With this fix, VM-Series firewalls no longer drop packets due to heavy loads with software QoS enabled and software QoS performance in general is improved for all Palo Alto Networks firewalls.
PAN-63013
Fixed an issue where a commit validation error displayed when pushing a template configuration with a modified WildFire file-size setting. With this fix, commit validation takes place on the managed firewall that tries to commit new template values.
PAN-62937
Fixed an issue where establishing an LDAP connection over a slow or unstable connection caused commits to fail when you enabled TLS. With this fix, if you enable TLS, the firewall does not attempt to establish LDAP connections when you perform a commit.
PAN-62797
Fixed an issue where a process (cdb) intermittently restarted, which prevented jobs from completing successfully.
PAN-62513
Fixed an issue on PA-7000 Series firewalls in an HA active/passive configuration where the show high-availability path-monitoring command always showed the NPC as slot 1 even though the path monitoring IP address was assigned to an interface in a different NPC slot. This occurred only when the path monitoring IP address was assigned to an interface in an Aggregate Ethernet (AE) interface group and the interface group was in a slot other than slot 1.
PAN-62057
Fixed an issue where the GlobalProtect agent failed to authenticate using a client certificate that had a signature algorithm that was not SHA1/SHA256. With this fix, the firewall provides support for the SHA384 signature algorithm for client-based authentication.
PAN-61877
Fixed an issue where Authentication Override in the GlobalProtect portal configuration didn't work when the certificate used for encrypting and decrypting cookies was generated using RSA 4,096 bit keys.
PAN-61871
Fixed an issue where the firewall matched traffic to a URL category and on first lookup, which caused some traffic to be matched to the wrong security profile. With this fix, the firewall matches traffic to URL categories a second time to ensure that traffic is matched to the correct security profile.
PAN-61837
Fixed an issue on PA-3000 Series and PA-5000 Series firewalls where the dataplane stopped responding when a session crossed vsys boundaries and could not find the correct egress port. This issue occurred when zone protection was enabled with a SYN Cookies action (NetworkZone ProtectionFlood Protection).
PAN-61813
Fixed an issue where a custom scheduled report configured per device was empty when exported.
PAN-61797
Fixed an issue on the passive peer in an HA configuration where LACP flapped when the link state was set to shutdown/auto and pre-negotiation was disabled.
PAN-61682
Fixed an issue where end users either did not see the Captive Portal web form or saw a page displaying raw HTML code after requesting an application through a web proxy because the HTTP body content length exceeded the specified size in the HTTP Header Content-Length.
PAN-61465
Fixed an issue where the web interface (ObjectsDecryption ProfileSSL DecryptionSSL Protocol SettingsEncryption Algorithms) still displayed the 3DES encryption algorithm as enabled even after you disabled it.
PAN-61365
Fixed an issue where data filtering logs (MonitorLogsData Filtering) do not take into account the file direction (upload or download) so it was not possible to differentiate uploaded files from downloaded files in the logs. With this fix, you configure the file direction (upload, download, or both) in ObjectsSecurity ProfilesData Filtering and select the Direction column in MonitorLogsData Filtering to view the file direction in the logs.
PAN-61284
Fixed an issue where User-ID consumed a large amount of memory when the firewall experienced a high rate of incoming IP address-to-username mapping data and there were more than ten redistribution client firewalls at the same time.
PAN-61252
Fixed an issue on firewalls in an HA active/active configuration where the floating IP address was not active on the secondary firewall after the link went down on the primary firewall.
PAN-60797
Fixed an issue where read-only superusers were able to view threat packet captures (pcaps) on the firewall but received an error (File not found) when they attempted to export certain types of pcap files (threat, threat extpcap, app, and filtering).
PAN-60753
Fixed an issue where changing the RSA key from a 2,048-bit key to a 1,024-bit key forced the encryption algorithm to change from SHA256 to SHA1 for SSL forward proxy decryption.
PAN-60581
Added check to not include all the applications in the Application filter if no application category is selected by the user. User have to explicitly add all the categories to create an application filter with all the applications.
PAN-60577
Fixed an issue where an application filter with no categories selected caused the firewall to perform slowly because the filter defaulted to include all categories (ObjectsApplication Filters). With this fix, you cannot configure an application filter without selecting one or more categories.
PAN-60556
Added support in the certificate profile to also configure a non CA certificate as an additional certificate to verify the OCSP response received for certificate status validation.
The OCSP Verify CA field in the certificate profile has been changed to OCSP Verify Certificate.
PAN-60402
Fixed an issue where renaming an address object caused the commit to a Device Group to fail.
PAN-60340
Fixed an issue where the Panorama application database did not display all applications in the browser.
PAN-60035
Enhanced dynamic IP NAT translation to prevent conflicts between different packet processors and improve dynamic IP NAT pool utilization.
PAN-59676
Fixed an issue where firewall administrators with custom roles (Admin Role profiles) could not download content or software updates.
PAN-59654
Fixed an issue where commits failed on the firewall after upgrading from a PAN-OS 6.1 release due to incorrect settings for the HexaTech VPN application on the firewall. With this fix, upgrading from a PAN-OS 6.1 release to a PAN-OS 8.0.0 or later release does not cause commit failures related to these settings.
PAN-59614
Fixed an issue where administrators were unable to fully utilize the maximum of 64 address objects per FQDN due to the 512B DNS server response packet size; specified addresses that were not included in the first 512B were dropped and not resolved. With this fix, the size of the DNS server response packet is increased to 4,096B, which fully supports the maximum 64 combined address objects per FQDN (up to 32 each IPv4 and IPv6 addresses).
PAN-58636
Fixed an issue where configuring too many applications and individual ports in a security rule caused the firewall to stop responding. With this fix, the firewall continues responding and sends the following error message:
Error: Security Policy '58636_rule' is exceeding maximum number of combinations supported for 
service ports(51) and applications(2291). To fix this, please convert this 
Security Policy into multiple policies by either splitting applications or service ports. 
Error: Failed to parse security policy 
(Module: device) 
Commit failed  
PAN-58496
Fixed an issue where custom reports using threat summary were not populated.
PAN-58382
Fixed an issue where users were matched to the incorrect security policies.
PAN-58358
Fixed an issue where CSV exports for Unified logs (MonitorLogsUnified) displayed information in the wrong columns.
PAN-57529
Fixed an issue where the firewall acted as a DHCP relay and wireless devices on a VLAN did not receive a DHCP address (all other devices on the VLAN did receive a DHCP address). With this fix, all devices on a VLAN receive a DHCP address when the firewall acts as a DHCP relay.
PAN-57440
Fixed an issue where OSPFv3 link-state updates were sent with the incorrect OSPF checksum when the OSPF packet needed to advertise more link-state advertisements (LSAs) than fit into a 1,500-byte packet. With this fix, the firewall sends the correct OSPF checksum to neighboring switches and routers even when the number of LSAs doesn’t fit into a 1,500-byte packet.
PAN-57215
Fixed an issue where an HTTP 416 error appeared when trying to download updates to a client from an IBM BigFix update server.
PAN-56700
Fixed an issue where the SNMP OID ifHCOutOctets did not contain the expected data.
PAN-56684
Fixed an issue where DNS proxy static entries stopped working when there were duplicate entries in the configuration.
PAN-53659
Fixed an issue where the sum of all link aggregation group (LAG) interfaces was greater than the value of the Aggregate Ethernet (AE) interface.
PAN-50973
Fixed an issue for VM-Series firewalls on Microsoft Hyper-V where, although the FIPS-CC mode option was visible in the maintenance mode menu, you could not enable it. With this fix, FIPS-CC mode is supported for and can be enabled from the maintenance mode menu in VM-Series firewalls on Microsoft Hyper-V.
PAN-48095
Fixed an issue on PA-200 firewalls where the Panorama dynamic update schedule ignored the currently installed dynamic update version and installed unnecessary dynamic updates.
PAN-40842
Fixed a cosmetic issue where, when you configured a firewall to retrieve a WildFire signature package, the System log showed unknown version for that package. For example, after a scheduled WildFire package update, the System log showed:
WildFire package upgraded from version <unknown version> to 38978-45470. 

Related Documentation