PAN-OS 8.0.1 Addressed Issues

PAN-OS 8.0.1 addressed issues
Issue ID
Description
WF500-4098
Fixed an issue in a WildFire appliance cluster that had three nodes where decommissioning the active (primary) controller node failed.
PAN-74932
Fixed an issue where the direction (dir) parameter used in type=log XML API requests was incorrectly made a required parameter, which caused applications that use the type=log request to fail when the dir argument was not included in the request. With this fix, the direction parameter is again optional.
PAN-74829
Fixed an issue where Authentication policy incorrectly matched traffic coming from known users—those included in the Terminal Services (TS) agent user mapping—and displayed the captive portal page. With this fix, only unknown users are directed to the captive portal page.
PAN-74367
Fixed an issue where some platforms did not connect to BrightCloud after you upgraded to PAN-OS 8.0.
PAN-74264
Fixed an issue where new fields in Threat and HIP Match logs were inserted between existing fields, which disrupted some third-party integrations. With this fix, the new fields are appended at the end of all pre-existing fields.
PAN-73977
Fixed an issue where firewalls and Panorama did not forward logs as expected when the local machine time was not set to current local time and was set to a time between current UTC time and current UTC time plus <n>, where <n> is the UTC+<n> value for the current time zone.
PAN-73964
Fixed an issue where you could not upgrade VM-Series firewalls on AWS in an HA configuration to PAN-OS 8.0. With this fix, you can upgrade VM-Series firewalls on AWS in an HA configuration to PAN-OS 8.0.1 or a later PAN-OS 8.0 release.
PAN-73877
Fixed an issue where you were unable to generate a SAML metadata file for Captive Portal or GlobalProtect when the firewall had multiple virtual systems because there were no virtual systems available for you to select when you clicked the Metadata link associated with an authentication profile.
PAN-73579
Fixed an issue where, after you upgraded a firewall to PAN-OS 8.0, the firewall didn't apply updates to the predefined Palo Alto Networks malicious IP address feeds (delivered through the daily antivirus content updates) until after you performed a commit on the firewall. With this fix, changes to the predefined malicious IP address feeds are automatically applied when delivered to the firewall.
PAN-73545
Fixed an issue on VM-300, VM-500, and VM-700 firewalls where you were required to commit changes a second time after adding an interface before traffic would pass normally.
PAN-73363
Fixed an issue where Panorama did not display any results when you filtered logs or generated reports based on user groups even after you enabled reporting and filtering on groups.
PAN-73360
Fixed an issue where the passive Panorama peer in an HA configuration showed shared policy to be out of sync even when the device group commit from the active peer was successful.
PAN-73291
Fixed an issue where authentication failed for client certificates signed by a CA certificate that was not listed first in the Certificate Profile configured with client certificate authentication for GlobalProtect portals and gateways.
PAN-73207
Fixed an issue where you could not push notifications as an authentication factor if the firewall was integrated with Okta Adaptive as the multi-factor authentication (MFA) vendor.
PAN-73168
Fixed an issue where your web browser displayed the error message 400 Bad Request when you tried to access a PAN-OS web interface that shared the same FQDN as the GlobalProtect portal that hosted Clientless VPN applications.
PAN-73006
Fixed an issue where the App Scope Change Monitor and Network Monitor reports failed to display data if you filtered by Source or Destination IP addresses when logging rates were high. This fix also addresses an issue where the App Scope Summary report failed to display data for the Top 5 Bandwidth Consuming Sources and Top 5 Threats when logging rates were high.
PAN-72952
Improved file-type identification for Office Open XML (OOXML) files, which improves the ability for WildFire to accurately classify OOXML files as benign or malicious.
PAN-72875
Fixed an issue where the severity level of the Failed to sync PAN-DB to peer: Peer user failure syslog message was too high. With this fix, the message severity level is info instead of medium.
PAN-72849
Fixed an issue in Panorama HA active/passive configurations where Elasticsearch parameters were not pushed to the passive peer.
PAN-72726
Fixed an issue where the firewall was unable to mark BFD packets with appropriate DSCP values.
PAN-72667
Fixed an issue where the Panorama web interface and CLI displayed a negative value for the Log Storage capacity (PanoramaCollector Groups<Collector_GroupsGeneral).
PAN-72547
Fixed an issue where running the clear session all CLI command on a PA-5200 Series firewall in a high availability (HA) configuration caused the firewall to fail over due to an issue with path monitoring.
PAN-72402
Fixed an issue where, after you configured a BGP IPv6 aggregate address with an Advertise Filter that had both a prefix filter and a next-hop filter, the firewall advertised only the aggregate address and did not advertise the specific routes that the Advertise Filter covered (NetworkVirtual Routers<router>BGPAggregate<address>Advertise Filters<advertise_filter>).
PAN-72246
Fixed an issue where the firewall generated an ECDSA certificate signing request (CSR) using the SHA1 algorithm instead of the selected algorithm.
PAN-71833
Fixed an issue where the output of the test authentication authentication-profile CLI command intermittently displayed authentication/authorization failed for user for TACACS+ authentication profiles even though the administrator could successfully log in to the web interface or CLI using the same credentials as were specified in the test command.
PAN-71829
Fixed an issue on PA-5000 Series firewalls where the dataplane restarted due to specific changes related to certificates or SSL profiles in a GlobalProtect configuration; specifically, configuring a new gateway, changing a certificate linked to GlobalProtect, or changing the minimum or maximum version of the TLS profile linked to GlobalProtect.
PAN-71556
Fixed an issue where MAC address table entries with a time-to-live (TTL) value of 0 were not removed as expected, which caused the table to continually increase in size.
PAN-71530
Fixed an issue where LDAP authentication failed intermittently due to a race condition.
PAN-71334
Fixed an issue with delays of up to 10 seconds before the firewall transmitted the audio/video stream when you set up a VoIP call on a PA-5200 Series firewall using the Session Initiation Protocol (SIP).
PAN-71312
Fixed an issue where custom reports did not display results for queries that specified the Negate option, Contains operator, and a Value that included a period (.) character preceding a filename extension.
PAN-71271
Fixed an issue where new logs were lost if the log purging process started running before you started log migration after an upgrade to PAN-OS 8.0.
PAN-70436
A security-related fix was made to prevent tampering with files that are exported from the firewall web interface (CVE-2017-7217/PAN-SA-2017-0008).
PAN-70366
Fixed an issue where SMTP email servers did not receive PDF reports from the firewall because the report emails had line separators that used bare LF instead of CRLF.
PAN-70323
Fixed an issue where firewalls running in FIPS-CC mode did not allow import of SHA-1 CA certificates even when the private key was not included; instead, firewalls displayed the following error:
Import of <cert name> failed. Unsupported digest or keys used in FIPS-CC mode.
PAN-69932
Fixed an issue where the Panorama web interface and CLI respond slowly when numerous NSX plugins are in progress.
PAN-69622
Fixed an issue where the firewall did not properly close a session after receiving a reset (RST) message from the server if the SYN Cookies action was triggered.
PAN-69585
Fixed an issue where the URL link included in the email for a SaaS Application Usage report (so that you could retrieve the report from the firewall web interface) triggered third-party spam filters deployed in your network.
PAN-69340
Fixed an issue where PAN-OS did not apply the capacity license when you used a license authorization code (capacity license or a bundle) to bootstrap a VM-Series firewall because the firewall did not reboot after the license was applied.
PAN-68795
Fixed an issue where the SaaS Application Usage report displayed upload and download bandwidth usage numbers incorrectly in the Data Transfer by Application section.
PAN-68185
Fixed an issue where the 7.1 SNMP traps MIB (PAN-TRAPS.my) had an incorrect description for the panHostname attribute.
PAN-67952
Fixed an issue on PA-5000 Series firewalls where the dataplanes became unstable when jumbo frames and first packet broadcasting were both enabled. With this fix, first packet broadcasting is disabled by default on PA-5000 Series firewalls.
PAN-67629
Fixed an issue where existing users were removed from user-group mapping when the Active Directory (AD) did not return an LDAP Page Control in response to an LDAP refresh, which resulted in the following User-ID (useridd) logs:
debug: pan_ldap_search(pan_ldap.c:602): ldap_parse_result error code: 4 
Error: pan_ldap_search(pan_ldap.c:637): Page Control NOT found 
PAN-66122
Firewalls did not support tunnel content inspection in a virtual-system-to-virtual-system topology.
PAN-64725
Fixed an issue where Panorama did not maintains its connections to firewalls if it received logs at a high rate and the logs matched queries and other settings in scheduled reports.
PAN-64164
Fixed an issue on Panorama virtual appliances in an HA configuration where, if you enabled log forwarding to syslog, both the active and passive peers sent logs. With this fix, only the active peer sends logs when you enable log forwarding to syslog.
PAN-63274
Fixed an issue on firewalls with multiple virtual systems where inner flow sessions installed on dataplane 1 (DP1) failed if you configured tunnel content inspection for traffic in a shared gateway topology. Additionally with this fix, when networking devices behind the shared gateway initiate traffic, that traffic can now reach the networking devices behind the virtual systems.
PAN-61840
Fixed an issue where the show global-protect-portal statistics CLI command was not supported.
PAN-60101
Fixed an issue on the M-500 and M-100 appliances in Panorama mode where emailed custom reports contained no data if you configured a report query that used an Operator set to contains (MonitorManage Custom Reports).
PAN-59677
A security-related fix was made to prevent firewall administrators logged in as root from using GNU Wget to access remote servers and write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource (CVE 2016-4971).
PAN-58979
Fixed an issue where the dataplane restarted due to a memory leak (mprelay) that occurred if you did not disable LLDP when you disabled an interface with LLDP enabled (NetworkInterfaces<interface>AdvancedLLDP).
PAN-57553
Fixed an issue where a QoS profile failed to work as expected when applied to a clear text node configured with an Aggregate Ethernet (AE) source interface that included AE subinterfaces.
PAN-57142
Fixed an issue on PA-7000 Series firewalls in an HA active/passive configuration where QoS limits were not correctly enforced on Aggregate Ethernet (AE) subinterfaces.

Related Documentation