PAN-OS 8.0.11 Addressed Issues

PAN-OS® 8.0.11 addressed issues
Issue ID
Description
PAN-97084
Fixed a rare issue where the task manager failed to load in the web interface when a pending job caused subsequent completed jobs to be inappropriately held in memory.
PAN-96587
Fixed an issue where PA-7000 Series and PA-5200 Series firewalls intermittently failed to forward logs to Log Collectors or the Logging Service due to DNS resolution failure for the FQDNs of those log receivers.
PAN-96490
Fixed an issue where syslog servers misrepresented HIP Match, Authentication, and User-ID logs received from the firewall because the order changed in the first seven syslog fields for those log types. With this fix, the first seven syslog fields are the same for all log types.
PAN-96150
Fixed a memory corruption error that caused the dataplane to restart when content decode length was zero.
PAN-95884
Fixed an issue where routing FIB entries that were learned from a BGP peer were not deleted when BGP Peering went down.
PAN-95740
Fixed an issue where multicast FIB entries were inconsistent across dataplanes, which caused the firewall to intermittently drop multicast packets.
PAN-94920
Fixed an issue where PA-5200 Series firewalls in a high availability (HA) active/active configuration experienced internal packet corruption that caused the firewalls to stop passing traffic when the active member of a cluster came back up as passive after being either suspended or rebooted (moving from tentative to passive state).
PAN-94646
Fixed an issue with firewalls in a high availability (HA) configuration where a an HA sync initiated from the active peer caused a race condition while processing the previous request.
PAN-94586
Fixed an issue where the Panorama management server exported reports slowly or not at all due to DNS resolution failures.
PAN-94578
Fixed an issue where WildFire submissions with a filename that contained %20n or a subject that contained %n caused the management server (mgmtsrvr) process to stop responding.
PAN-94452
Fixed an issue where the firewall recorded GPRS Tunneling Protocol (GTP) packets multiple times in firewall-stage packet captures (PCAPs).
PAN-94450
Fixed an issue where QSFP+ interfaces (13 and 14) on a PA-7000-20GQ-NPC Network Processing Card (NPC) unexpectedly flapped when the card was booting up.
PAN-94165
Fixed an issue where the firewall used an incorrect next hop in the Border Gateway Protocol (BGP) route that it advertised to External BGP (eBGP) peers in the BGP peer group.
PAN-94122
Fixed an issue where firewalls intermittently blocked SSL traffic due to a certificate timeout error after you enabled SSL Forward Proxy decryption and selected to Block sessions on certificate status check timeout (ObjectsDecryption Profile<Decryption_profile>SSL DecryptionSSL Forward Proxy).
PAN-94070
Fixed an issue where Bidirectional Forwarding Detection (BFD) sessions were active in only one virtual router when two or more virtual routers had active BGP sessions (with BFD enabled) using the same peer IP address.
PAN-94023
Fixed an issue where the request system external-list show type ip name <EDL_name> CLI command did not display external dynamic list entries after you restarted the management server (mgmtsrvr) process.
PAN-93854
Fixed an issue where the VM-Series firewall for NSX randomly disrupted traffic due to high CPU usage by the pan_task process.
PAN-93753
Fixed an issue on PA-200 firewalls where disk space usage was constantly running high and often reaching maximum capacity. With this fix, the PA-200 firewall purges logs more quickly and it no longer requires as much space for monitor daemons.
PAN-93722
Fixed an issue where the firewall failed to perform decryption because endpoints tried to resume decrypted inbound perfect forward secrecy (PFS) sessions.
PAN-93687
Fixed an issue where the firewall dataplane restarted, disrupting traffic, because the all_pktproc process stopped responding when the firewall decoded HTTP message bodies with chunked transfer encoding or gzip-compressed data.
PAN-93609
Fixed an issue where the firewall silently dropped the first packet of a session when that packet was received as a fragmented packet (typically with UDP traffic).
PAN-93431
Fixed an issue where the Panorama management server failed to export Traffic logs as a CSV file (MonitorLogsTraffic) after you set the Max Rows in CSV Export to more than 500,000 rows (PanoramaSetupManagementLogging and Reporting SettingsLog Export and Reporting).
PAN-93411
Fixed an issue on VM-Series firewalls for KVM where applications that relied on multicasting failed because the firewalls filtered multicast traffic by the physical function (PF) after you configured them to use single root I/O virtualization (SR-IOV) virtual function (VF) devices.
PAN-93318
Fixed an issue where firewall CPU usage reached 100 per cent due to SNMP polling for logical interfaces based on updates to the Link Layer Discovery Protocol (LLDP) MIB (LLDP-V2-MIB.my).
PAN-93254
Fixed an issue where automatic threat packet captures on the firewall displayed a File not found error when attempting to retrieve these captures from a threat log entry.
PAN-93242
A security-related fix was made to prevent a Cross-Site Scripting (XSS) vulnerability in a PAN-OS web interface administration page (CVE-2018-9337).
PAN-92958
Fixed an issue where disk utilization increased unnecessarily because the firewall did not archive and rotate the /var/on file, which therefore grew to over 40MB.
PAN-92944
Fixed an issue where the firewall assigned the wrong URL filtering category to traffic that contained a malformed host header. With this fix, the firewall enables the blocking of any traffic with a malformed URL.
PAN-92738
Fixed an issue on the Panorama management server where administrators with read-only privileges could not view deployment Schedules for content updates (PanoramaDevice DeploymentDynamic Updates).
PAN-92481
Fixed an issue where the root partition became full. With this fix, the /tmp/tplsp_to_validate.xml file and the /tmp/panorama_pushed folder are moved to the /opt/pancfg/mgmt/tmp folder.
PAN-92456
Fixed an issue on the Panorama management server where administrators couldn't log in to the web interface because disk space utilization reached 100 per cent due to the continuous growth of cmserror log files.
PAN-92366
Fixed an issue where PA-5200 Series firewalls in an active/passive high availability (HA) configuration dropped Bidirectional Forwarding Detection (BFD) sessions when the passive firewall was in an initialization state after you rebooted it.
PAN-92257
Fixed an issue where the firewall was intermittently sending incorrect bytes-per-packet values for some flows to the NetFlow collector.
PAN-92163
Fixed an issue where firewalls in an active/passive high availability (HA) configuration took longer than expected to fail over after you configured them to redistribute routes between an Interior Gateway Protocol (IGP) and Border Gateway Protocol (BGP).
PAN-91785
Fixed an issue where the firewall intermittently did not apply antivirus exceptions after you added more than one in an Antivirus profile (ObjectsSecurity ProfilesAntivirus<Antivirus_profile>Virus Exception).
PAN-91662
Fixed an issue where a certificate was loaded without a digital signature, which caused the configuration daemon (configd) to stop responding.
PAN-91503
Fixed an issue where the firewall failed to generate tech support logs because there was not enough disk space available.
PAN-91370
Fixed an issue where the firewall dropped IPv6 traffic while enforcing IPv6 bidirectional NAT policy rules because the firewall incorrectly translated the destination address for a host that resided on a directly attached network.
PAN-91254
Fixed an issue where end user accounts were locked out after you configured authentication based on a RADIUS server profile with multiple servers (DeviceServer ProfilesRADIUS) and enabled the gateway to Retrieve Framed-IP-Address attribute from authentication server (NetworkGlobalProtectGateways<gateway>AgentClient Settings<clients_configuration>IP Pools). With this fix, instead of requesting framed IP addresses from all the servers in a RADIUS server profile at the same time, the firewall sends the request to only one server at a time until one of the servers responds.
PAN-91095
Fixed an issue where the firewall did not perform a validation check when you set the Subnet Mask while configuring the firewall as a DHCP server (NetworkDHCP<interface>Options).
PAN-90952
Fixed an issue on PA-5000 Series firewalls where multicast traffic failed because PAN-OS did not remove stale sessions from the hardware session offload processor.
PAN-90835
A security-related fix was made to prevent a Cross-Site Scripting (XSS) attack through the URL Continue page (CVE-2018-7636).
PAN-90535
Fixed an issue where the firewall unnecessarily sent an Authorize-only request to the RADIUS server which was denied during the login process if you disabled the Retrieve Framed-IP-Address attribute from authentication server (NetworkGlobalProtectGateways<gateway>AgentClient Settings<clients_configuration>IP Pools) in the GlobalProtect gateway configuration.
PAN-90531
Fixed an issue where the firewall discarded any unsaved changes you made to the exceptions in a Vulnerability Protection profile after you enabled or disabled (cleared) the Show all signatures option (ObjectsSecurity ProfilesVulnerability Protect<Vulnerability_Protection_profile>Exceptions).
PAN-90418
Fixed an issue where PA-7000 Series, PA-5200 Series, PA-5000 Series, PA-3200 Series, and PA-3000 Series firewalls dropped packets because their dataplanes restarted due to QoS queue corruption.
PAN-89525
Fixed a configuration parsing issue where a default setup of the Authentication Profile caused the firewall to reboot during commit. If the administrator configured the Authentication Profile with any allowed values, including the default values, the configuration committed successfully. The issue was observed on a PA-500 firewall in FIPS-CC mode.
PAN-89177
Fixed an issue where the Panorama management server ran out of disk space because PAN-OS did not automatically purge configuration export files from the tmp folder after exporting them.
PAN-89164
Fixed an issue where content update failures (associated with the Content update job failed for user Auto update agent error message) had only a high severity level in System logs. With this fix, content update failures have a critical severity level for better visibility.
PAN-88897
Fixed an issue where SNMP managers could not retrieve firewall power supply information associated with the entPhysicalEntry (1.3.6.1.2.1.47.1.1.1) and entPhysicalDescr (1.3.6.1.2.1.47.1.1.1.1) SNMP objects.
PAN-88473
Fixed an issue where the firewall was sending incorrect bytes-per-packet values to the NetFlow collector when two servers were configured in the same NetFlow profile.
PAN-87166
Fixed a rare issue on PA-7000 Series firewalls where 20GQ NPC QSFP+ ports didn't link up (during online insertion and removal (OIR), link-state change, or boot up events) and became unrecoverable until the NPC was restarted.
PAN-86934
Fixed an issue where the firewall applied case sensitivity to the names of shared user groups that were defined in its local database and, as a result, users who belonged to those groups couldn't access applications through GlobalProtect Clientless VPN even after successful authentication. With this fix, the firewall ignores character case when evaluating the names of user groups in its local database.
PAN-86028
Fixed an issue in an HA active/active configuration where traffic in a GlobalProtect VPN tunnel in SSL mode failed after Layer 7 processing when asymmetric routing was involved.
PAN-85773
Fixed an issue where, after end users resumed their sessions, GlobalProtect connections failed with a client certificate error because the certificate host ID field was not cached in the session cache.
PAN-82502
Fixed an issue where the firewall web interface did not display the task manager when indices were corrupted and did not purge the old jobs as expected.
PAN-80922
Fixed an issue where the firewall failed to parse the merged configuration file after you changed the master key; it parsed only the running configuration file. With this fix, the firewall parses both files as expected after you change the master key.
PAN-80091
Fixed an issue where no results were returned for a Global Find request when using the short name domain\group format.
PAN-79786
Fixed an issue where Panorama was unable to pull any groups from a specific domain when the query for users included a domain name that ended with a backslash ( "\" ) character.
PAN-79450
Fixed an issue where all WildFire jobs on the firewall were stuck at zero percent progress, which prevented the firewall from installing the latest WildFire updates.

Related Documentation