PAN-OS 8.0.3 Addressed Issues
Fixed an issue where the WF-500 appliance returned false positives for known, benign Portable Executable (PE) files.
Fixed an issue where the firewall dropped some logs that it was configured to forward to syslog servers.
Fixed an issue where the Captive Portal web form did not display to end users after you pushed device group configurations from a Panorama management server running Panorama 8.0 to a firewall running PAN-OS 7.1.
Fixed an issue where every commit cleared tunnel flow sessions such as GRE and IPSec ESP/AH sessions.
Fixed an issue where PA-7000 Series and PA-5200 Series firewalls forwarded a SIP INVITE based on route lookup instead of Policy-Based Forwarding (PBF) policy.
Fixed an issue on PA-7000 Series firewalls with AMC hard drives, model ST1000NX0423, where the firewalls rebuilt Disk Pair B in the LPC card after a reboot.
A security-related fix was made to address a Remote Code Execution (RCE) vulnerability when the PAN-OS DNS Proxy service resolved FQDNs (CVE-2017-8390).
Fixed an issue on a firewall running PAN-OS 8.0.1 or 8.0.2 where you could not log in to the web interface after performing a private data reset.
Fixed an issue where the SafeNet Client 6.2.2 did not support the necessary MAC algorithm (HMAC-SHA1) to work with Palo Alto Networks firewalls that ran in FIPS-CC mode.
Fixed an issue where Panorama displayed a missing vsys error message when you tried to update dynamic address groups through PAN-OS XML API calls, even if you specified a virtual system.
Fixed an issue where the firewall lost offloaded sessions on a subinterface that belonged to an aggregate interface group and that had QoS enabled.
A security-related fix was made to prevent remote code execution within the Linux kernel that the firewall management plane uses (CVE-2016-10229).
Fixed an issue where the firewall reduced the range of local and remote IKEv2 traffic selectors in a way that disrupted traffic in a VPN tunnel that a Cisco Adaptive Security Appliance (ASA) initiated.
Fixed an issue where using a Panorama management server running PAN-OS 8.0 to generate a report that queried an unsupported log field from a PA-7050 firewall running PAN-OS 7.1 slowed the performance of Panorama because the mgmtsrvr process stopped responding.
Fixed an issue where interfaces went down due to packet buffers being overwhelmed after the firewall tried to close the connection to a rogue client that ignored the URL Filtering block page.
Fixed an issue where traffic that included a ZIP file caused the all_task process to restart and the firewall dropped packets while waiting for that process to resume.
Fixed an issue on the PA-7080 firewall where authentication traffic from a wireless controller to a RADIUS server failed due to buffer depletion on the firewall.
Fixed an issue where VM-Series firewalls dropped multicast traffic if you enabled Data Plane Development Kit (DPDK) on VMXNET3 interfaces.
Fixed an issue where renaming a shared object on Panorama that Panorama has pushed to firewalls caused a commit failure if the firewalls referenced that object in local policies.
Fixed an issue where Panorama failed to Generate Tech Support File (Panorama > Support).
Fixed an issue where dynamic content updates failed on the firewall when DNS response times were slow.
Fixed an issue on PA-7000 Series and PA-5200 Series firewalls where Generic Routing Encapsulation (GRE) session creation failed when the firewalls received GRE packets with a Point-to-Point Protocol (PPP) payload.
Fixed an issue where the pan_task process stopped, which caused a loss of service and interruption to OSPF.
Fixed an issue where you could not access the Panorama web interface or CLI because the configd process stopped after a Preview Changes operation (Commit > Commit to Panorama).
Fixed an issue on PA-7000 Series and PA-5200 Series firewalls where disabling the option to Turn on QoS feature on this interface (Network > QoS) reduced throughput on 40Gbps interfaces.
Fixed an issue where Panorama 8.0 did not display logs from PA-7000 Series firewalls running PAN-OS 7.0 or PAN-OS 7.1.
Fixed an issue where the firewall, when processing heavy traffic, did not properly identify and block the Psiphon application when the Psiphon client was configured to use a specific source country.
Fixed an issue where PA-5000 Series firewalls dropped traffic because predict sessions incorrectly matched Policy-Based Forwarding (PBF) policy rules for non-related sessions.
Fixed an issue where throughput was reduced on PA-5000 Series firewalls that used a single UDP session on one dataplane to process high rates of tunneled traffic. With this fix, you can use the set session filter-ip-proc-cpu CLI command to use multiple dataplanes to process traffic for up to 32 destination server IP addresses. This setting persists after reboots and upgrades.
Fixed an issue where the firewall web interface displayed a misspelling in the tooltip that opened when you hovered over Commit when no configuration changes were pending.
A security-related fix was made to prevent cross-site scripting (XSS) attacks through the GlobalProtect external interface (CVE-2017-12416).
Fixed an issue where users failed to authenticate through a Ucopia LDAP server.
Fixed an issue where the firewall performed the default signature action for threat vulnerability exceptions instead of performing the Action you set in the Vulnerability Protection profile (Objects > Security Profiles > Vulnerability Protection > Exceptions).
Fixed an issue where a PAN-OS XML API query to fetch all dynamic address groups failed with an Opening and ending tag mismatch error due to command buffer limitation.
Fixed an issue where the firewall failed to decrypt VPN traffic for packets of certain sizes if you set the Encryption algorithm to aes-256-gcm in the IPSec Crypto profile used for the VPN tunnel (Network > Network Profiles > IPSec Crypto).
Fixed an issue where DHCP servers did not assign IP addresses to new end users (DHCP clients) because the firewall failed to process and relay DHCP messages between the servers and clients after you configured a firewall interface as a DHCP relay agent.
Fixed an issue where Panorama dropped all administrative users because the management-server process restarted.
Fixed an issue where CPU usage spiked on the firewall during Diffie-Hellman (DHE) or elliptic curve Diffie-Hellman (ECDHE) key exchange for SSL decryption. With this fix, the firewall has enhanced performance for DHE and ECDHE key exchange.
Fixed an issue where the firewall populated default values for IPSec Crypto profiles that did not have an IPSec Protocol (ESP or AH) defined (Network > Network Profiles > IPSec Crypto); the default values caused an IKE configuration parsing error that prevented IPSec VPN tunnels from coming up.
Fixed an issue where the active firewall in an HA deployment kept sessions active for an hour instead of discarding them after 90 seconds when the sessions matched the URL category in a policy rule that was set to deny.
Fixed an issue with network outages on firewalls in a virtual wire HA configuration with HA Preemptive failback enabled (Device > High Availability > General > Election Settings) due to Layer 2 looping after failover events while the firewalls processed broadcast traffic.
Fixed an issue where the Monitor > Traffic Map displayed the Northwestern Somali region as Solomon Islands instead of Somalia.
Fixed an issue where IP Address Exemptions in Anti-Spyware profiles (Objects > Security Profiles > Anti-Spyware Profile) did not work for certain threats.
Fixed an issue where commits failed after you added an IPv6 peer group to a virtual router that had Border Gateway Protocol (BGP) enabled (Network > Virtual Routers > BGP > Peer Group) and that had import, export and aggregate rules configured.
Fixed an issue where the PA-5060 firewall randomly dropped packets and displayed the reason in Traffic logs as resources unavailable.
Fixed an issue on PA-3000 Series firewalls where SSL sessions failed due to memory depletion in the proxy memory pool; Traffic logs displayed the reason decrypt-error.
Fixed an issue where Panorama could not push address objects to managed firewalls if zones specified the objects in the User Identification ACL include or exclude lists (Network > Zones) and if you configured Panorama not to Share Unused Address and Service Objects with Devices (Panorama > Setup > Management > Panorama Settings).
Fixed an issue where the root partition on the firewall was low on disk space (requiring you to run the debug dataplane packet-diag clear log log CLI command to free disk space) because the pan_task process generated logs for H.225 sessions.
Fixed an issue on Panorama where Device Group and Template administrators who had access domains assigned to their accounts could not edit shared security profiles (Objects > Security Profiles) after committing those profiles.
Fixed an issue where the debug dataplane internal pdt oct show-all CLI command restarted the firewall dataplane.
Fixed an issue where the firewall generated System logs indicating the l3svc process stopped repeatedly because the cryptod daemon deleted a certificate key associated with an SSL/TLS Service Profile that was used for the URL Admin Override feature (Device > Setup > Content ID) or for Captive Portal (Device > User Identification > Captive Portal Settings).
Fixed an issue where modifying the BFD profile in a virtual router (Network > Virtual Routers) caused the routed process to stop.
Fixed an issue on Panorama where the replace device CLI command did not replace the serial numbers of firewalls that policy rules referenced as targets.
Fixed an issue where, after you used a Panorama template to push DNS server IP addresses (Device > Setup > Services) to a bootstrapped VM-Series firewall, the firewall failed to resolve FQDNs.
Fixed an issue where you could not use the web interface or CLI to configure a multicast IP address as the Source or Destination in packet filters (Monitor > Packet Capture).
Fixed an issue where, after you logged in to the firewall with an administrator account that does not have a superuser role and you then tried to Disable an application (Objects > Applications > <application-name>), the firewall displayed an error message that did not indicate the need for superuser privileges.
Fixed an issue where you could not generate a SCEP certificate if the SCEP Challenge (password) had a semicolon (Device > Certificate Management > SCEP).
Fixed an issue where end user clients failed on their first attempt to authenticate when you configured Captive Portal for certificate-based authentication and the client certificates exceeded 2,000 bytes.
Fixed an issue where the firewall did not delete multicast forwarding information base (FIB) entries for multicast groups that stopped receiving traffic.
Fixed an issue where commits failed with the error syntax error [kmp_sa_lifetime_time ;] if the firewall had IKE Crypto profiles without a Key Lifetime defined (Network > Network Profiles > IKE Crypto).
Fixed an issue where the firewall used the global service route (Device > Setup > Services > Global) instead of service routes defined for specific virtual systems (Device > Setup > Services > Virtual Systems) if you configured Device > Server Profiles in the Shared location.
Fixed an issue where the firewall server process (devsrvr) restarted during URL updates.
Fixed an issue where the firewall dropped multicast traffic on an egress VLAN interface when the traffic was offloaded.
Fixed an issue where, after you installed the VMware NSX plugin on Panorama in a high availability (HA) configuration, Panorama did not automatically synchronize configuration changes between the HA peers unless you first updated settings related to the NSX plugin.
Fixed an issue where successive HTTP GET requests in a single session failed if you configured SSL Decryption with the Strip X-Forwarded-For option enabled (Device > Setup > Content-ID).
Fixed an issue where HA firewalls displayed as out of sync if an SSL/TLS Service Profile without a certificate was assigned to the management (MGT) interface (Device > Setup > Management). With this fix, PAN-OS unassigns the SSL/TLS Service Profile if it doesn't have a certificate.
Fixed an issue where the PAN-OS integrated User-ID agent or Windows-based User-ID agent stopped responding because the firewall sent numerous queries
Fixed an issue where you could not configure the 0.0.0.0/1 subnet as a Proxy ID for IPSec VPN tunnels.
Fixed an issue where the PA-7050 firewall displayed incorrect information for the packet counts and number of bytes associated with traffic on subinterfaces. With this fix, the firewall displays the correct information in the show interface CLI command output and in other sources of information for subinterfaces (such as SNMP statistics and NetFlow record exports).
Fixed an issue where pushing an ARP load-sharing configuration (Device > High Availability > Active/Active Config > Virtual Address) from Panorama to a firewall deleted it from the firewall.
Fixed an issue where the firewall did not generate Threat logs for classified DoS Protection profiles that had an Action set to SYN Cookies (Objects > Security Profiles > DoS Protection > Flood Protection > SYN Flood).
Fixed an issue on Panorama where Panorama > Device Deployment > Software stopped displaying software images for a release after you performed a manual Upload for a software image of that release.
Fixed an issue where the dataplane rebooted after multiple dataplane processes restarted due to memory corruption.
Fixed an issue where, after a clock change on the firewall (such as for Daylight Saving Time), the ACC did not display information for time periods before the change.
Fixed an issue on the PA-7050 firewall where the mprelay process experienced a memory leak and stopped responding, which caused slot failures and HA failover.
Fixed an issue where HA VM-Series firewalls displayed the wrong link state after a link-monitoring failure.
Fixed an issue where the GlobalProtect portal prompted end users to enter a one-time password (OTP) even after the users entered the OTP for the GlobalProtect gateway and Authentication Override was enabled (Network > GlobalProtect > Portals > <portal-configuration> > Agent > <agent-configuration> > Authentication).
Fixed an issue where HA firewalls failed to synchronize the PAN-DB URL database.
Fixed an issue where the firewall did not generate WildFire Submission logs when the number of cached logs exceeded storage resources on the firewall.
Fixed an issue where neither Panorama nor the firewall generated a System log indicating a password change after you used a Panorama template to push an administrator password change to the firewall.
Fixed an issue where the firewall discarded VoIP sessions that had multicast destinations.
Fixed an issue on PA-7000 Series firewalls where you had to power cycle the Switch Management Card (SMC) when it failed to come up after a soft reboot (such as after upgrading the PAN-OS software).