PAN-OS 8.0.10 Addressed Issues

PAN-OS® 8.0.10 addressed issues
Issue ID
Description
WF500-4625
Fixed an issue where the WF-500 appliance provided no option to configure the master key. With this fix, you can use the request master-key new-master-key <key> lifetime <lifetime> CLI command to configure the master key.
WF500-4363
Fixed an issue where firewalls and Panorama management servers could not retrieve reports from a WF-500 appliance due to an interruption in its data migration after you upgraded the appliance from a PAN-OS 7.1 release to a PAN-OS 8.0 or later release. With this fix, you can run the new debug device data-migration status CLI command on the WF-500 appliance after each upgrade to verify data migration finished successfully (output is Migration in MySQL is successful). Don't perform additional upgrades on the WF-500 appliance until the data migration finishes.
PAN-95504
Fixed an issue on the firewall and Panorama management server where the web interface became unresponsive because the management server process (mgmtsrvr) restarted after you set its debugging level to debug (through the debug management-server on debug CLI command).
PAN-95197
Fixed an issue where mobile endpoints that used GPRS Tunneling Protocol (GTP) lost traffic and had to reconnect because the firewall dropped the response message that a Gateway GPRS support node (GGSN) sent for a second Packet Data Protocol (PDP) context update.
PAN-94912
Fixed an issue where PA-5200 Series and PA-3200 Series firewalls in an active/active HA configuration sent packets in the wrong direction in a virtual wire deployment.
PAN-94853
Fixed an issue where mobile endpoints that used GPRS Tunneling Protocol (GTP) lost GTP-U traffic because the firewall dropped all GTP-U packets as packets without sessions after receiving two GTP requests with the same tunnel endpoint identifiers (TEIDs) and IP addresses.
PAN-94379
Fixed an issue in a Panorama deployment with a Collector Group containing multiple Log Collectors where the logging search engine restarted after you changed the SSH keys used for HA. The disruption to the search engine caused an out-of-memory condition and caused Panorama to display logs and report data from only one Log Collector in the Collector Group.
PAN-94167
Fixed an issue on firewalls configured to redistribute IP address-to-username mappings where a firewall received mappings that were already deleted after querying another firewall that functioned as a User-ID agent.
PAN-93839
Fixed an issue where administrators failed to log in to the firewall due to an out-of-memory condition that intermittently caused the firewall to continuously restart processes. (PAN-90143 provided an initial memory enhancement in PAN-OS 8.0.9 that reduced the frequency of these out-of-memory events.)
PAN-93715
In certain customer environments, enhancements in PAN-OS 8.0.10 to change fan speeds may help reduce rare cases of drive communication failure in PA-5200 Series firewalls.
PAN-93522
Fixed an issue on firewalls in an HA configuration where traffic was disrupted because the dataplane restarted unexpectedly when the firewall concurrently processed HA messages and packets for the same session. This issue occurred on all firewall models except the PA-200 and VM-50 firewalls.
PAN-93336
Fixed an issue where the firewall intermittently became unresponsive because the management server process (mgmtsrvr) stopped responding during a commit after you configured policy rules to use external dynamic lists (EDLs).
PAN-93244
A security-related fix was made to prevent a Cross-Site Scripting (XSS) attack through the PAN-OS session browser (CVE-2018-9335).
PAN-93234
Fixed an issue where a Panorama management server running PAN-OS 8.0 could not switch Context to a firewall running PAN-OS 7.1 or an earlier release.
PAN-93233
Fixed an issue where PA-7000 Series firewalls caused slow traffic over IPSec VPN tunnels because the firewalls reordered TCP segments during IPSec encryption when the tunnel session and inner traffic session were on different dataplanes.
PAN-93089
A security-related fix was made to prevent denial of service (DoS) to the management web interface (CVE-2018-8715).
PAN-93052
Fixed an issue where IPv6 BGP peering persisted (not all BGP routes were withdrawn) after the associated firewall interface went down.
PAN-92789
Fixed an issue where VM-Series firewalls deleted logs by reinitializing the logging disk when the periodic file system integrity check (FSCK) took over 30 minutes during bootup.
PAN-92725
Fixed an issue on the firewall and Panorama management server where the web interface became unresponsive because the cord process restarted after you configured multiple log forwarding destinations in a single forwarding rule for Correlation logs (Device > Log Settings).
PAN-92678
Fixed an issue on Panorama management servers in an HA configuration where, after failover caused the secondary HA peer to become active, it failed to deploy scheduled dynamic updates to Log Collectors and firewalls.
PAN-92487
Fixed an issue where enabling jumbo frames (Device > Setup > Session) reduced throughput because:
  • The firewalls hardcoded the maximum segment size (TCP MSS) within TCP SYN packets and in server-to-client traffic at 1,460 bytes when packets exceeded that size. With this fix, the firewalls no longer hardcode the TCP MSS value for TCP sessions.
  • PA-7000 Series and PA-5200 Series firewalls hardcoded the maximum transmission unit (MTU) at 1,500 bytes for the encapsulation stage when tunneled clear-text traffic and the originating tunnel session were on different dataplanes. With this fix, the firewalls use the MTU configured for the interface (Network > Interfaces > <interface> > Advanced > Other Info) instead of hardcoding the MTU at 1,500 bytes.
PAN-92251
Fixed an issue where VM-Series firewalls used the incorrect MAC address in DHCP messages initiated from a subinterface after you configured that subinterface as a DHCP Client (Network > Interfaces > Ethernet > <subinterface> > IPv4) and disabled the Use Hypervisor Assigned MAC Address option (Device > Management > Setup > General Settings).
PAN-92152
Fixed an issue where the firewall web interface displayed a blank Device > Licenses page when you had 10 x 5 phone support with empty feature.
PAN-92082
Fixed an issue where the firewall didn't generate URL Filtering logs for user credential submissions associated with a URL that was not a container page after you selected Log container page only and set the User Credential Submission action to alert for the URL category in a URL Filtering profile (Objects > Security Profiles > URL Filtering > <URL_Filtering_profile>). With this fix, the firewall generates URL Filtering logs for user credential submissions regardless of whether you enable Log container page only in the URL Filtering profile.
PAN-92017
Fixed an issue where Panorama Log Collectors did not receive some firewall logs and took longer than expected to receive all logs when the Collector Group had spaces in its name.
PAN-91591
Fixed an issue where the GlobalProtect agent failed to establish a TCP connection with the GlobalProtect gateway when TCP SYN packets had unsupported congestion notification flag bits set (ECN or CWR).
PAN-91429
Fixed an issue where PA-5200 Series firewalls rebooted when you ran the set ssh service-restart mgmt CLI command multiple times.
PAN-91360
Fixed an issue where, in rare cases, the firewall couldn't establish connections with GlobalProtect agents because the rasmgr process stopped responding when hundreds of end users logged in and out of GlobalProtect at the same time.
PAN-91194
Fixed an issue where a firewall dataplane running with high CPU utilization became unstable and the all_pktproc process stopped responding when the firewall processed a high rate of IP addresses with unknown usernames for User-ID mappings.
PAN-91098
Fixed an issue in Layer 2 deployments where using ECDHE ciphers for SSL Inbound Inspection decryption caused sessions to become stuck and ultimately time out.
PAN-91088
Fixed an issue on PA-7000 Series firewalls in an HA configuration where the HA3 link did not come up after you upgraded to PAN-OS 8.0.6 or a later 8.0 release.
PAN-90959
Fixed an issue where PA-5200 Series firewalls dropped offloaded sessions after you selected to Enforce Symmetric Return in a Policy Based Forwarding (PBF) policy rule (Policies > Policy Based Forwarding > <PBF_rule> > Forwarding).
PAN-90954
A security-related fix was made to prevent a local privilege escalation vulnerability that could potentially result in the deletion of files (CVE-2018-9242).
PAN-90920
Fixed an issue on PA-5200 Series firewalls where the dataplane restarted due to an internal path monitoring failure.
PAN-90890
Fixed an issue where the User-ID process (useridd) stopped responding when a virtual system connected to more than one User-ID agent with NT LAN Manager (NTLM) enabled.
PAN-90842
Fixed an issue where commits failed after you changed the default Size Limit to a custom value for MacOSX files that the firewall forwarded to WildFire (Device > Setup > WildFire).
PAN-90692
Fixed an issue where PA-5200 Series firewalls dropped offloaded traffic after you enabled session offloading (enabled by default), configured subinterfaces on the second aggregate Ethernet (AE) interface group (ae2), and configured QoS on a non-AE interface.
PAN-90689
Fixed an issue where firewalls in an active/active HA configuration dropped packets in IPSec tunnel traffic because the secondary firewall didn't update the Encapsulating Security Payload (ESP) sequence number during failover.
PAN-90688
Fixed an issue where end users could not access applications through GlobalProtect Clientless VPN when the application server used cookie-based session persistence through HTML metadata.
PAN-90623
Fixed an issue where the Panorama management server displayed template configurations as Out of Sync for firewalls with multiple virtual systems even though the template configurations were in sync.
PAN-90514
Fixed an issue on firewalls in an active/active HA configuration where the secondary firewall dropped ping and SSH sessions on its virtual wire interfaces when the primary firewall was the session owner.
PAN-90509
Fixed an issue where end users could not access applications through GlobalProtect Clientless VPN because the firewall failed to respond correctly to a client certificate request from the application server.
PAN-90462
Fixed an issue on the Panorama management server where System logs displayed null as the client IP address for the log forwarding connections of PA-7000 Series firewalls that forwarded logs to Panorama.
PAN-90371
Fixed an issue where the firewall didn't record an IP address-to-username mapping for a user who successfully logged in to the GlobalProtect gateway.
PAN-90337
Fixed an issue where Panorama Log Collectors stopped forwarding URL Filtering logs over TCP to a syslog server after failing to create the required last-candidatecfg.xml file.
PAN-90291
Fixed an issue on Panorama virtual appliances in Panorama mode that were deployed in an HA configuration with local Log Collectors in a single Collector Group, where HA failover caused the logging search engine to stop functioning. This issue prevented the secondary HA peer from displaying existing logs or receiving new logs until the search engine recovered.
PAN-90290
Fixed an issue on the Panorama management server where commits failed with schema validation errors.
PAN-89998
Fixed an issue where the Panorama management server stopped receiving new logs from firewalls because delayed log purging caused log storage on the Log Collectors to reach maximum capacity.
PAN-89992
Fixed an issue where the firewall did not efficiently handle traffic in which the number of Address Resolution Protocol (ARP) packets exceeded the processing capacity of the firewall. With this fix, the firewall handles ARP packets more efficiently.
PAN-89461
Fixed an issue where accessing websites that had normal gzip content-encoding generated multi-level encoding errors.
PAN-89353
Fixed an issue where stale IP address-to-username mappings in the User-ID cache intermittently prevented the firewall from refreshing the mappings or creating new ones.
PAN-89162
Fixed an issue where commits and content update installations failed due to memory allocation errors.
PAN-88908
Fixed an issue where the Panorama management server generated custom reports in which the number of lines exceeded what you specified in the report configuration (Monitor > Manage Custom Reports).
PAN-88880
Fixed an issue where client browsers stopped responding after downloading a file that triggered a Security policy rule with a File Blocking profile in which the Action was continue (Objects > Security Profiles > File Blocking).
PAN-88852
Fixed an issue where VM-Series firewalls stopped displaying URL Filtering logs after you configured a URL Filtering profile with an alert action (Objects > Security Profiles > URL Filtering).
PAN-88752
Fixed an issue where User-ID agents configured to detect credential phishing did not detect passwords that contained a blank space.
PAN-88388
Fixed an issue where you could not export certificates when you accessed the firewall web interface through a browser that ran Firefox v56 or later or ran Chrome v66 or later (Device > Certificate Management > Certificates > Device Certificates).
PAN-88200
Fixed an issue where firewalls with multiple virtual systems did not import EDLs that you assigned to policy rules.
PAN-87964
Fixed an issue where the firewall couldn't render URL content for end users after you configured GlobalProtect Clientless VPN with a Hostname set to a Layer 3 subinterface or VLAN interface (Network > GlobalProtect > Portals > <portal> > Clientless VPN > General).
PAN-87926
Fixed an issue where commit operations took longer than expected to finish on firewalls that had over 100 policy rules that referenced tens of thousands of IP addresses.
PAN-87552
Fixed an issue where commit validation failed on firewalls after you disabled the option to Share Unused Address and Service Objects with Devices on the Panorama management server, assigned the firewalls to a template stack, and pushed an interface configuration that referenced an address object instead of an address that you typed.
PAN-87520
Fixed an issue where the Cross-Origin Resource Sharing (CORS) policy on the firewall allowed requests from other domains to interact with the firewall through PAN-OS XML API requests and read responses. With this fix, the CORS policy is disabled on the firewall.
PAN-87265
Fixed an issue where the Panorama management server displayed no output for the User Activity Report (Monitor > PDF Reports > User Activity Report).
PAN-86647
Fixed an issue on the Panorama management server where editing the Description of a shared policy rule and clicking OK caused the Target setting to revert to Any firewalls instead of the selected firewalls.
PAN-86630
Fixed an issue where the firewall dropped H.323 gatekeeper-assisted calls after failing to perform NAT translation of third-party addresses in H.323 messages.
PAN-85206
Fixed an issue where VM-Series firewalls for NSX did not forward files to the WildFire cloud for analysis.
PAN-83890
Fixed an issue on the Panorama management server where you could not preview configuration changes after you switched Context to a firewall, added an administrative account to the firewall, and then clicked Commit and Preview Changes.
PAN-83361
Fixed an issue where Panorama Log Collectors did not receive firewall logs due to incorrect permissions after you upgraded the Panorama software.
PAN-82942
Fixed an issue where the firewall rebooted because the User-ID process (useridd) restarted several times when endpoints, while requesting services that could not process HTTP 302 responses (such as Microsoft update services), authenticated to Captive Portal through NT LAN Manager (NTLM) and immediately disconnected.
PAN-81751
Fixed an issue where the firewall displayed the following error when you tried to log in to the web interface after a report job took a configuration lock: Timed out while getting config lock. Please try again.
PAN-81588
Fixed an issue where the ciphers you specified for access to the firewall management (MGT) interface didn't work after a PAN-OS upgrade because the sshd_config file containing the SSH running configuration became blank.
PAN-81382
Fixed an issue where the firewall took longer than expected to collect group mapping information from Active Directory groups that had circular nesting (Device > User Identification > Group Mapping Settings > <group_mapping_configuration> > Group Include List).
PAN-80664
Fixed an issue where the firewall generalized messages received from back-end authentication servers instead of displaying the messages without modification.
PAN-79695
Fixed an issue on PA-7000 Series, PA-5200 Series, and PA-5000 Series firewalls where the clear session all filter CLI command cleared sessions only on dp1 when that dataplane was the session owner instead of clearing sessions on all dataplanes. With this fix, the command clears sessions on all dataplanes regardless of which is the session owner.
PAN-79317
Fixed an issue where the firewall failed to prepare a USB flash drive for bootstrapping when the drive had 8GB or more memory.
PAN-79071
Fixed an issue where loading a partial configuration (using the load config partial CLI command) changed the port numbers in service and service group objects.
PAN-78046
Fixed an issue where only administrators with the predefined superuser role could specify the Number of Bits and Digest algorithm when generating a certificate to be Signed By an External Authority (CSR) (Device > Certificate Management > Certificates).
PAN-77229
Fixed an issue on firewalls with SSL Forward Proxy decryption enabled where the dataplane restarted due to an out-of-memory condition after you performed multiple commits.
PAN-71902
Fixed an issue where, after you used a configuration mode CLI command to create a zone without specifying the interface type (set zone <zone_name> network), the firewall web interface displayed the type as layer3 (Network > Zones), which gave the misleading impression that the zone configuration was complete.
