PAN-OS 8.0.10 Addressed Issues
Fixed an issue where the WF-500 appliance provided no option to configure the master key. With this fix, you can use the request master-key new-master-key <key> lifetime <lifetime> CLI command to configure the master key.
Fixed an issue where firewalls and Panorama management servers could not retrieve reports from a WF-500 appliance due to an interruption in its data migration after you upgraded the appliance from a PAN-OS 7.1 release to a PAN-OS 8.0 or later release. With this fix, you can run the new debug device data-migration status CLI command on the WF-500 appliance after each upgrade to verify data migration finished successfully (output is Migration inMySQL is successful). Don't perform additional upgrades on the WF-500 appliance until the data migration finishes.
Fixed an issue on the firewall and Panorama management server where the web interface became unresponsive because the management server process (mgmtsrvr) restarted after you set its debugging level to debug (through the debug management-server on debug CLI command).
Fixed an issue where mobile endpoints that used GPRS Tunneling Protocol (GTP) lost traffic and had to reconnect because the firewall dropped the response message that a Gateway GPRS support node (GGSN) sent for a second Packet Data Protocol (PDP) context update.
Fixed an issue where PA-5200 Series and PA-3200 Series firewalls in an active/active HA configuration sent packets in the wrong direction in a virtual wire deployment.
Fixed an issue where mobile endpoints that used GPRS Tunneling Protocol (GTP) lost GTP-U traffic because the firewall dropped all GTP-U packets as packets without sessions after receiving two GTP requests with the same tunnel endpoint identifiers (TEIDs) and IP addresses.
Fixed an issue in a Panorama deployment with a Collector Group containing multiple Log Collectors where the logging search engine restarted after you changed the SSH keys used for HA. The disruption to the search engine caused an out-of-memory condition and caused Panorama to display logs and report data from only one Log Collector in the Collector Group.
Fixed an issue where a firewall forwarded a deleted or expired IP address-to-username mapping to another firewall through User-ID Redistribution but the receiving firewall still displayed the mapping as an active IP address-to-username mapping.
Fixed an issue where administrators failed to log in to the firewall due to an out-of-memory condition that intermittently caused the firewall to continuously restart processes. (PAN-90143 provided an initial memory enhancement in PAN-OS 8.0.9 that reduced the frequency of these out-of-memory events.)
In certain customer environments, enhancements in PAN-OS 8.0.10 to change fan speeds may help reduce rare cases of drive communication failure in PA-5200 Series firewalls.
Fixed an issue on firewalls in an HA configuration where traffic was disrupted because the dataplane restarted unexpectedly when the firewall concurrently processed HA messages and packets for the same session. This issue occurred on all firewall models except the PA-200 and VM-50 firewalls.
Fixed an issue where the firewall intermittently became unresponsive because the management server process (mgmtsrvr) stopped responding during a commit after you configured policy rules to use external dynamic lists (EDLs).
A security-related fix was made to prevent a Cross-Site Scripting (XSS) attack through the PAN-OS session browser (CVE-2018-9335).
Fixed an issue where a Panorama management server running PAN-OS 8.0 could not switch Context to a firewall running PAN-OS 7.1 or an earlier release.
Fixed an issue where PA-7000 Series firewalls caused slow traffic over IPSec VPN tunnels because the firewalls reordered TCP segments during IPSec encryption when the tunnel session and inner traffic session were on different dataplanes.
A security-related fix was made to prevent denial of service (DoS) to the management web interface (CVE-2018-8715).
Fixed an issue where IPv6 BGP peering persisted (not all BGP routes were withdrawn) after the associated firewall interface went down.
Fixed an issue where VM-Series firewalls deleted logs by reinitializing the logging disk when the periodic file system integrity check (FSCK) took over 30 minutes during bootup.
Fixed an issue on the firewall and Panorama management server where the web interface became unresponsive because the cord process restarted after you configured multiple log forwarding destinations in a single forwarding rule for Correlation logs (Device > Log Settings).
Fixed an issue on Panorama management servers in an HA configuration where, after failover caused the secondary HA peer to become active, it failed to deploy scheduled dynamic updates to Log Collectors and firewalls.
Fixed an issue where enabling jumbo frames (Device > Setup > Session) reduced throughput because:
Fixed an issue where VM-Series firewalls used the incorrect MAC address in DHCP messages initiated from a subinterface after you configured that subinterface as a DHCP Client (Network > Interfaces > Ethernet > <subinterface> > IPv4) and disabled the Use Hypervisor Assigned MAC Address option (Device > Management > Setup > General Settings).
Fixed an issue where the firewall web interface displayed a blank Device > Licenses page when you had 10 x 5 phone support with an empty feature.
Fixed an issue where the firewall didn't generate URL Filtering logs for user credential submissions associated with a URL that was not a container page after you selected Log container page only and set the User Credential Submission action to alert for the URL category in a URL Filtering profile (Objects > Security Profiles > URL Filtering > <URL_Filtering_profile>). With this fix, the firewall generates URL Filtering logs for user credential submissions regardless of whether you enable Log container page only in the URL Filtering profile.
Fixed an issue where Log Collectors that belonged to a collector group with a space in its name failed to fully connect to one another, which affected log visibility and logging performance.
Fixed an issue where the GlobalProtect agent failed to establish a TCP connection with the GlobalProtect gateway when TCP SYN packets had unsupported congestion notification flag bits set (ECN or CWR).
Fixed an issue where PA-5200 Series firewalls rebooted when you ran the set ssh service-restart mgmt CLI command multiple times.
Fixed an issue where, in rare cases, the firewall couldn't establish connections with GlobalProtect agents because the rasmgr process stopped responding when hundreds of end users logged in and out of GlobalProtect at the same time.
Fixed an issue where a firewall dataplane running with high CPU utilization became unstable and the all_pktproc process stopped responding when the firewall processed a high rate of IP addresses with unknown usernames for User-ID mappings.
Fixed an issue in Layer 2 deployments where using ECDHE ciphers for SSL Inbound Inspection decryption caused sessions to become stuck and ultimately time out.
Fixed an issue on PA-7000 Series firewalls in an HA configuration where the HA3 link did not come up after you upgraded to PAN-OS 8.0.6 or a later 8.0 release.
Fixed an issue where PA-5200 Series firewalls dropped offloaded sessions after you selected to Enforce Symmetric Return in a Policy Based Forwarding (PBF) policy rule (Policies > Policy Based Forwarding > <PBF_rule> > Forwarding).
PAN-90954: A security-related fix was made to prevent a local privilege escalation vulnerability that could potentially result in the deletion of files (CVE-2018-9242).
Fixed an issue on PA-5200 Series firewalls where the dataplane restarted due to an internal path monitoring failure.
Fixed an issue where the User-ID process (useridd) stopped responding when a virtual system connected to more than one User-ID agent with NT LAN Manager (NTLM) enabled.
Fixed an issue where commits failed after you changed the default Size Limit to a custom value for MacOSX files that the firewall forwarded to WildFire (Device > Setup > WildFire).
Fixed an issue where PA-5200 Series firewalls dropped offloaded traffic after you enabled session offloading (enabled by default), configured subinterfaces on the second aggregate Ethernet (AE) interface group (ae2), and configured QoS on a non-AE interface.
Fixed an issue where firewalls in an active/active HA configuration dropped packets in IPSec tunnel traffic because the secondary firewall didn't update the Encapsulating Security Payload (ESP) sequence number during failover.
Fixed an issue where end users could not access applications through GlobalProtect Clientless VPN when the application server used cookie-based session persistence through HTML metadata.
Fixed an issue where the Panorama management server displayed template configurations as Out of Sync for firewalls with multiple virtual systems even though the template configurations were in sync.
Fixed an issue on firewalls in an active/active HA configuration where the secondary firewall dropped ping and SSH sessions on its virtual wire interfaces when the primary firewall was the session owner.
Fixed an issue where end users could not access applications through GlobalProtect Clientless VPN because the firewall failed to respond correctly to a client certificate request from the application server.
Fixed an issue on the Panorama management server where System logs displayed null as the client IP address for the log forwarding connections of PA-7000 Series firewalls that forwarded logs to Panorama.
Fixed an issue where the firewall didn't record an IP address-to-username mapping for a user who successfully logged in to the GlobalProtect gateway.
Fixed an issue where Panorama Log Collectors stopped forwarding URL Filtering logs over TCP to a syslog server after failing to create the required last-candidatecfg.xml file.
Fixed an issue on Panorama virtual appliances in Panorama mode that were deployed in an HA configuration with local Log Collectors in a single Collector Group, where HA failover caused the logging search engine to stop functioning. This issue prevented the secondary HA peer from displaying existing logs or receiving new logs until the search engine recovered.
Fixed an issue on the Panorama management server where commits failed with schema validation errors.
Fixed an issue where the Panorama management server stopped receiving new logs from firewalls because delayed log purging caused log storage on the Log Collectors to reach maximum capacity.
Fixed an issue where the firewall did not efficiently handle traffic in which the number of Address Resolution Protocol (ARP) packets exceeded the processing capacity of the firewall. With this fix, the firewall handles ARP packets more efficiently.
Fixed an issue where accessing websites that had normal gzip content-encoding generated multi-level encoding errors.
Fixed an issue where stale IP address-to-username mappings in the User-ID cache intermittently prevented the firewall from refreshing the mappings or creating new ones.
Fixed an issue where commits and content update installations failed due to memory allocation errors.
Fixed an issue where the Panorama management server generated custom reports in which the number of lines exceeded what you specified in the report configuration (Monitor > Manage Custom Reports).
Fixed an issue where client browsers stopped responding after downloading a file that triggered a Security policy rule with a File Blocking profile in which the Action was continue (Objects > Security Profiles > File Blocking).
Fixed an issue where VM-Series firewalls stopped displaying URL Filtering logs after you configured a URL Filtering profile with an alert action (Objects > Security Profiles > URL Filtering).
Fixed an issue where User-ID agents configured to detect credential phishing did not detect passwords that contained a blank space.
Fixed an issue where you could not export certificates when you accessed the firewall web interface through Firefox 56 or later or Chrome 66 or later (Device > Certificate Management > Certificates > Device Certificates).
Fixed an issue where firewalls with multiple virtual systems did not import EDLs that you assigned to policy rules.
Fixed an issue where the firewall couldn't render URL content for end users after you configured GlobalProtect Clientless VPN with a Hostname set to a Layer 3 subinterface or VLAN interface (Network > GlobalProtect > Portals > <portal> > Clientless VPN > General).
Fixed an issue where commit operations took longer than expected to finish on firewalls that had over 100 policy rules that referenced tens of thousands of IP addresses.
Fixed an issue where commit validation failed on firewalls after you disabled the option to Share Unused Address and Service Objects with Devices on the Panorama management server, assigned the firewalls to a template stack, and pushed an interface configuration that referenced an address object instead of an address that you typed.
Fixed an issue where the Cross-Origin Resource Sharing (CORS) policy on the firewall allowed requests from other domains to interact with the firewall through PAN-OS XML API requests and read responses. With this fix, the CORS policy is disabled on the firewall.
Fixed an issue where the Panorama management server displayed no output for the User Activity Report (Monitor > PDF Reports > User Activity Report).
Fixed an issue on the Panorama management server where editing the Description of a shared policy rule and clicking OK caused the Target setting to revert to Any firewalls instead of the selected firewalls.
Fixed an issue where the firewall dropped H.323 gatekeeper-assisted calls after failing to perform NAT translation of third-party addresses in H.323 messages.
Fixed an issue where VM-Series firewalls for NSX did not forward files to the WildFire cloud for analysis.
Fixed an issue on the Panorama management server where you could not preview configuration changes after you switched Context to a firewall, added an administrative account to the firewall, and then clicked Commit and Preview Changes.
Fixed an issue where Panorama Log Collectors did not receive firewall logs due to incorrect permissions after you upgraded the Panorama software.
Fixed an issue where the firewall rebooted because the User-ID process (useridd) restarted several times when endpoints, while requesting services that could not process HTTP 302 responses (such as Microsoft update services), authenticated to Captive Portal through NT LAN Manager (NTLM) and immediately disconnected.
Fixed an issue where the firewall displayed the following error when you tried to log in to the web interface after a report job took a configuration lock: Timedout while getting config lock. Please try again.
Fixed an issue where the ciphers you specified for access to the firewall management (MGT) interface didn't work after a PAN-OS upgrade because the sshd_config file containing the SSH running configuration became blank.
Fixed an issue where the firewall took longer than expected to collect group mapping information from Active Directory groups that had circular nesting (Device > User Identification > Group Mapping Settings > <group_mapping_configuration> > Group Include List).
Fixed an issue where the firewall replaced messages received from back-end authentication servers with generic text instead of displaying the messages without modification.
Fixed an issue on PA-7000 Series, PA-5200 Series, and PA-5000 Series firewalls where the clear session all filter CLI command cleared sessions only on dp1 when that dataplane was the session owner instead of clearing sessions on all dataplanes. With this fix, the command clears sessions on all dataplanes regardless of which is the session owner.
Fixed an issue where the firewall failed to prepare a USB flash drive for bootstrapping when the drive had a capacity of 8 GB or more.
Fixed an issue where loading a partial configuration (using the load config partial CLI command) changed the port numbers in service and service group objects.
Fixed an issue where only administrators with the predefined superuser role could specify the Number of Bits and Digest algorithm when generating a certificate to be Signed By an External Authority (CSR) (Device > Certificate Management > Certificates).
Fixed an issue on firewalls with SSL Forward Proxy decryption enabled where the dataplane restarted due to an out-of-memory condition after you performed multiple commits.
Fixed an issue where, after you used a configuration mode CLI command to create a zone without specifying the interface type (set zone <zone_name> network), the firewall web interface displayed the type as layer3 (Network > Zones), which gave the misleading impression that the zone configuration was complete.