PAN-OS 8.0.2 Addressed Issues

Issue ID
Description
WF500-4218
Fixed an issue where, as part of and after upgrading a WildFire appliance to a PAN-OS 8.0 release, using the request cluster reboot-local-node CLI command to reboot a cluster node intermittently caused the node to go offline or fail to reboot.
WF500-4186
Fixed an issue in a three-node WildFire appliance cluster where, if you decommissioned the backup controller node or the worker node (request cluster decommission start) and then deleted the cluster-related configuration (high-availability and cluster membership) from the decommissioned node, the cluster intermittently stopped functioning. Running the show cluster membership CLI command on the primary controller node showed the message: Service Summary: Cluster:offline, HA:peer-offline. In this state, the cluster did not function and did not accept new samples for processing.
WF500-4176
Fixed an issue where, after you removed a node from a cluster that stored sample information on the node, the node serial number appeared in the list of storage nodes when you displayed the sample status (show wildfire global sample-status sha256 equal <value>) even though the node no longer belonged to the cluster.
WF500-4173
Fixed an issue where integrated reports were not available for firewalls connected to a WF-500 appliance running in FIPS mode.
WF500-4158
Fixed an issue where selecting Reboot device after Install when upgrading WildFire appliance clusters from Panorama caused an ungraceful reboot that intermittently made the cluster unresponsive.
PAN-81061
Fixed an issue where PA-3000 Series firewalls dropped long-lived sessions that were active during a content update followed immediately by an Antivirus or WildFire update.
PAN-76517
Fixed an issue where Panorama did not automatically push the updated IP addresses of dynamic address groups from device groups to VM-Series firewalls for NSX.
PAN-76447
Fixed an issue where Panorama running PAN-OS 8.0 did not push aggregate BGP configurations in a template to firewalls running PAN-OS 7.1 or an earlier release.
PAN-76424
Fixed an issue where Security Lifecycle Review reports (Generate Stats Dump File under Device > Support) displayed incorrect subtype values due to Threat ID changes.
PAN-76402
Fixed an issue where the firewall generated System logs of critical severity with the message Could not connect to Cloud : SSL/TLS Authentication Failed even though the firewall had no connection failures.
PAN-76331
Fixed an issue where, after upgrading to PAN-OS 8.0.1, a Network > DNS Proxy object with ten or more Static Entries that mapped to the same IP address caused the firewall DNS daemon to restart, which prevented users from accessing applications that required DNS lookups.
PAN-76316
Fixed an issue where Panorama incorrectly calculated the number of Terminal Services (TS) agent configurations to be beyond the maximum that the managed firewalls supported and then failed to push device group configurations after you upgraded Panorama to PAN-OS 8.0.1.
PAN-76265
Fixed an issue where the firewall failed to retrieve user groups from an LDAP server because the server response did not have a page control value.
PAN-76258
Fixed an issue on PA-7000 Series and PA-5200 Series firewalls where users could not access applications and services through GlobalProtect when session distribution was set to round robin (default).
PAN-76244
Fixed an issue where firewalls were missing a GlobalProtect satellite configuration pushed from a Panorama template.
PAN-76105
Fixed an issue where you had to configure a license deactivation API key to manually deactivate licenses for VM-Series firewalls.
PAN-76104
Fixed an issue where the firewall stopped receiving IP port-to-username mappings from a Terminal Services (TS) agent if you set its Host field to an FQDN instead of an IP address.
PAN-76092
Fixed an issue where reports delivered through the Email Scheduler (Monitor > PDF Reports > Email Scheduler) displayed data totals as bytes instead of kilobytes (K), megabytes (M), or gigabytes (G), which made the totals hard to read.
PAN-76069
Fixed an issue where the firewall could not decrypt SSL connections due to a cache issue, which prevented users from accessing SSL websites.
PAN-76054
Fixed an issue where you could not delete a tunnel interface from a Panorama template (Network > Interfaces > Tunnel).
PAN-76051
Fixed an issue where you could not push a Management (MGT) interface configuration from a Panorama template (Device > Setup > Interfaces) to firewalls unless you specified an IP Address for the interface.
PAN-76030
Fixed an issue on VM-Series firewalls where the dataplane restarted if jumbo frames were enabled on single root input/output virtualization (SR-IOV) interfaces.
PAN-75969
Fixed an issue where the routed process stopped responding after you checked the static route monitoring status through the web interface (Network > Virtual Routers > Routing > Static Route Monitoring) or CLI (show routing path-monitor).
PAN-75914
Fixed an issue where the M-100 or M-500 appliance lost logs after upgrading from a PAN-OS 7.1 release to a PAN-OS 8.0 release.
PAN-75896
Fixed an issue where the firewall did not accept local IPv6 addresses that were longer than 31 characters when you configured IPv6 BGP peering.
PAN-75881
Fixed an issue where a regression introduced in PAN-OS 8.0.0 and 8.0.1 caused the firewall dataplane to restart in certain cases when combined with content updates. For details, including the relevance of content release version 709, refer to the associated Customer Advisory.
PAN-75863
Fixed an issue on HA Panorama M-100 appliances where the passive peer did not update the local VMware NSX manager plugin after you upgraded from a PAN-OS 7.1 release to a PAN-OS 8.0 release, which caused a plugin mismatch with the active peer.
PAN-75721
Fixed an issue where you could not set the authentication profile Type to None (Device > Authentication Profile) on a firewall in FIPS mode.
PAN-75684
Fixed an issue where a management server memory leak caused several tasks to fail, including commits, PAN-DB URL downloads, dynamic updates, and FQDN or External Dynamic List (EDL) refreshes.
PAN-75397
Fixed an issue where the Panorama management server restarted because the configd process stopped running after an upgrade.
PAN-75132
Fixed an issue where locally created certificates had duplicate serial numbers because the firewall did not check the serial numbers of existing certificates signed by the same CA when generating new certificates.
PAN-75048
Fixed an issue where the firewall used the default route (instead of the next best available route) when the eBGP next hop was unavailable, which resulted in dropped packets. Additionally with this fix, the default time-to-live (TTL) value for a single hop eBGP peer is changed to 1 (instead of 2).
PAN-74934
Fixed an issue where, after upgrading M-500 private cloud appliances to a release later than PAN-OS 8.0.0, queried URLs did not resolve to a category when they were a best match to an entry in the URL database that had many subdomains and path levels. With this fix, you can upgrade the appliances to PAN-OS 8.0.2; do not upgrade the appliances to PAN-OS 8.0.1.
PAN-74877
Fixed an issue where Panorama took a long time to push configurations from multiple device groups to firewalls.
PAN-74655
Fixed an issue where users experienced slow network connectivity due to CPU utilization spikes in the firewall network processing cards (NPCs) when the URL cache exceeded one million entries.
PAN-74640
Fixed an issue where VM-Series firewalls failed to create predict sessions for RTP and RTCP, which disrupted H.323-based video conferencing traffic. Additionally, fixed an issue where all firewall models dropped RTP packets because policy matching failed for RTP traffic.
PAN-74613
Fixed an issue where the show running url-cache statistics CLI command did not display enough information to diagnose issues related to URL category resolution. With this fix, the error messages indicate what failed and the exact point of failure.
PAN-74575
Fixed an issue where the firewall did not release IP addresses assigned to interfaces after you changed the addressing Type from DHCP Client to Static.
PAN-74548
Fixed an issue where the Export Named Configuration dialog did not let you filter configuration snapshots by Name, which prevented you from selecting snapshots beyond the first 500. With this fix, you can now enter a filter string in the Name field to display any matching snapshots.
PAN-74412
Fixed an issue where, in Decryption policy rules with an Action set to No Decrypt, you could not use the web interface to set the decryption Type for matching traffic.
PAN-74403
Fixed an issue on Panorama where the web interface became unresponsive after you selected Export to CSV for a custom report, which forced you to log in to the CLI and reboot Panorama or restart the management server.
PAN-74368
Fixed an issue where commits failed due to configuration memory limits on firewalls that had numerous Security policy rules that referenced many address objects. With this fix, the number of address objects that a policy rule references does not impact configuration memory.
PAN-74236
Fixed an issue where the User-ID process (useridd) stopped responding when there were a lot of non-browser based requests from clients, which resulted in too many pan_errors disk writes.
PAN-74188
Fixed an issue where conflicting next-hop entries in the egress routing table caused the firewall to incorrectly route traffic that matched Policy-Based Forwarding (PBF) policy rules configured to Enforce Symmetric Return.
PAN-74161
Fixed an issue on firewalls configured in a virtual wire deployment where Spanning Tree Protocol (STP) bridge protocol data unit (BPDU) packets were dropped.
PAN-74128
Fixed an issue where a session caused the dataplane to restart if the session was active during and after you installed a content update on the firewall and the update contained a decoder change.
PAN-73995
Fixed an issue where pushing configurations from Panorama caused firewall management interfaces that were configured through DHCP to release or renew every time instead of when the DHCP leases expired.
PAN-73993
Fixed an issue where App-ID signature matching did not work on the firewall, which caused it to misidentify applications.
PAN-73914
A security-related fix was made to address OpenSSL vulnerabilities (CVE-2017-3731).
PAN-73859
Fixed an issue where the VM-Series firewall on Azure supported only five interfaces (one management interface and four dataplane interfaces) instead of eight (one management interface and seven dataplane interfaces).
PAN-73783
Fixed an issue where cookie-based authentication for the GlobalProtect gateway failed with the following error: Invalid user name.
PAN-73710
Fixed an issue where the firewall did not commit changes to the NTP servers configuration (Device > Setup > Services) if the firewall connected to the servers through a service route and the management (MGT) interface was down.
PAN-73553
Fixed an issue where SSL Inbound Decryption failed when the private key was stored on a hardware security module (HSM).
PAN-73502
Fixed an issue where the firewall did not purge expired IP address-to-username mappings, which caused one of the root partitions to run out of free space.
PAN-73461
Fixed an issue where enabling encryption on the HA1 control link (Device > High Availability > General) and rebooting one HA firewall peer in an active/passive configuration caused split-brain to occur.
PAN-73381
Fixed an issue on firewalls with multiple virtual systems where end users could not authenticate to a GlobalProtect portal or gateway that specified an authentication profile for which the Allow List referenced user groups instead of usernames.
PAN-73213
Fixed an issue where, when the GlobalProtect Portal Login Page was set to Disable (Network > GlobalProtect > Portals > General) and the user entered https://portal in the browser URL field, the browser redirected to https://portal/global-protect/login.esp, which exposed that the firewall functioned as a GlobalProtect VPN. With this fix, the firewall now responds with a 502 Bad Gateway response and does not expose the function of the firewall.
PAN-73191
Fixed an issue where OSPF adjacency flapping occurred between the firewall and an OSPF peer due to a heavy processing load on the dataplane and queued OSPF hello packets.
PAN-73045
Fixed an issue where HA failover and fail-back events terminated sessions that started before the failover.
PAN-72871
Fixed an issue where the firewall displayed only part of the URL Filtering Continue and Override response page.
PAN-72769
A security-related fix was made to prevent brute-force attacks on the GlobalProtect external interface (CVE-2017-7945).
PAN-72697
Fixed an issue where, after a DoS attack ended, the firewall continued generating Threat logs and incrementing the session drop counter.
PAN-72350
Fixed an issue where high-volume SSL traffic intermittently added latency to SSL sessions.
PAN-72149
Fixed an issue where URL values did not display for the top websites in URL Filtering reports (Monitor > PDF Reports > Manage PDF Summary).
PAN-71627
Fixed an issue where the firewall failed to authenticate to a SafeNet hardware security module (HSM). With this fix, the firewall supports multiple SafeNet HSM client versions; you can use the request hsm client-version CLI command to select the version that is compatible with your SafeNet HSM server.
PAN-71484
Fixed an issue where the firewall discarded long-lived SIP sessions after a content update, which disrupted SIP traffic.
PAN-71455
Fixed an issue where users could not access a secure website if the certificate authority that signed the web server certificate also signed multiple certificates with the same subject name in the Default Trusted Certificate Authorities list on the firewall.
PAN-71319
Updated PAN-OS to address NTP issues (CVE-2016-7433).
PAN-70731
Fixed an issue where the firewall failed to authenticate to a SafeNet hardware security module (HSM) if the Administrator Password (under Device > Setup > HSM) contained special characters.
PAN-70353
Fixed an issue where GlobalProtect Clientless VPN did not work when its host was a GlobalProtect portal that you configured on an interface with DHCP Client enabled (Network > Interfaces > <interface> > IPv4).
PAN-70345
Fixed an issue where the M-Series appliances did not forward logs to a syslog server over TCP ports.
PAN-69882
Fixed an issue where firewalls that had multiple virtual systems and that were deployed in an HA active/active configuration dropped TCP sessions.
PAN-69874
Fixed an issue where, when the PAN-OS XML API sent IP address-to-username mappings with no timeout value to a firewall that had the Enable User Identification Timeout option disabled, the firewall assigned the mappings a timeout of 60 minutes instead of never (Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Cache).
PAN-68763
Fixed an issue where path monitoring failures did not produce enough information for troubleshooting. With this fix, PAN-OS supports additional debug commands and the tech support file (click Generate Tech Support File under Device > Support) includes additional registry values to troubleshoot path monitoring failures.
PAN-67412
Fixed an issue on firewalls in an HA configuration where, when an end user accessed applications over a GlobalProtect clientless VPN, the web browser became unresponsive for about 30 seconds after a failover.
PAN-67029
Fixed an issue where the firewall stopped forwarding logs to external services (such as a syslog server) after the firewall management server restarted unexpectedly.
PAN-66997
Fixed an issue on PA-7000 Series, PA-5200 Series, and PA-5000 Series firewalls where end users who accessed applications over SSL VPN or IPSec tunnels through GlobalProtect experienced one-directional traffic.
PAN-65969
Fixed an issue on PA-7000 Series firewalls where the Switch Management Card (SMC) restarted due to false positive conditions (ATA errors) detected during a disk check.
PAN-63720
Fixed an issue where Monitor > App Scope > Network Monitor displayed incorrect byte totals and hourly distribution when you filtered the report by Source User/Address or Destination User/Address instead of by Application.
PAN-63205
Fixed an issue on VM-Series firewalls where commit operations failed after you configured HA with the HA2 and HA3 interfaces.
PAN-62791
Fixed an issue where the firewall could not use the certificates in its certificate store (Device > Certificate Management > Certificates > Device Certificates) after a manual or automatic commit, which caused certificate authentication to fail.
PAN-62074
Fixed an issue where the User-ID agent incorrectly read the IP address in the security logs for Kerberos login events.
PAN-61644
Fixed an issue where Panorama displayed the Invalid term(device-group eq) error when you tried to display the logs for a specific device group.
PAN-61409
Fixed an issue where the firewall failed to connect to an HTTP server using the HTTPS protocol when the CA certificate that validated the firewall certificate was in a specific virtual system instead of the Shared location.
PAN-60555
Fixed an issue on VM-Series firewalls for NSX where the web interface let users specify a Tag Allowed value for virtual wire interfaces (Network > Virtual Wires), which caused a commit error because the option is not configurable on that firewall model. With this fix, the Tag Allowed value has a read-only value of 0-4094 on VM-Series firewalls for NSX.
PAN-56015
Fixed an issue where the syslog format for Correlation logs differed from the format of other log types, which prevented the firewall from integrating with some third-party syslog feeds.
PAN-55619
Fixed an issue where new users that you added to an Active Directory (AD) user group intermittently failed to authenticate to the GlobalProtect portal.
PAN-48901
Fixed an issue on HA firewalls where, if you enabled application-level gateway (ALG) for the Unistim application, VoIP calls that used the UNIStim protocol had only one-way audio after an HA failover event.
FPGA-343
Fixed an issue on PA-7000 Series firewalls in a Layer 2 deployment where multicast sessions (such as HSRP) failed because PAN-OS did not reassign the sessions to an alternative Network Processing Card (NPC) if the original NPC was shut down.
