PAN-OS 8.0.3 Addressed Issues

PAN-OS® 8.0.3 addressed issues
Issue ID
Description
WF500-4291
Fixed an issue where the WF-500 appliance returned false positives for known, benign Portable Executable (PE) files.
PAN-78448
Fixed an issue where the firewall dropped some logs that it was configured to forward to syslog servers.
PAN-77849
Fixed an issue where the Captive Portal web form did not display to end users after you pushed device group configurations from a Panorama management server running Panorama 8.0 to a firewall running PAN-OS 7.1.
PAN-77802
Fixed an issue where every commit cleared tunnel flow sessions such as GRE and IPSec ESP/AH sessions.
PAN-77595
Fixed an issue where PA-7000 Series and PA-5200 Series firewalls forwarded a SIP INVITE based on route lookup instead of Policy-Based Forwarding (PBF) policy.
PAN-77520
Fixed an issue on PA-7000 Series firewalls with AMC hard drives, model ST1000NX0423, where the firewalls rebuilt Disk Pair B in the LPC card after a reboot.
PAN-77516
A security-related fix was made to address a Remote Code Execution (RCE) vulnerability when the PAN-OS DNS Proxy service resolved FQDNs (CVE-2017-8390).
PAN-77400
Fixed an issue on a firewall running PAN-OS 8.0.1 or 8.0.2 where you could not log in to the web interface after performing a private data reset.
PAN-77339
Fixed an issue where the SafeNet Client 6.2.2 did not support the necessary MAC algorithm (HMAC-SHA1) to work with Palo Alto Networks firewalls that ran in FIPS-CC mode.
PAN-77290
Fixed an issue where Panorama displayed a missing vsys error message when you tried to update dynamic address groups through PAN-OS XML API calls, even if you specified a virtual system.
PAN-77250
Fixed an issue where the firewall lost offloaded sessions on a subinterface that belonged to an aggregate interface group and that had QoS enabled.
PAN-77173
A security-related fix was made to prevent remote code execution within the Linux kernel that the firewall management plane uses (CVE-2016-10229).
PAN-77127
Fixed an issue where the firewall reduced the range of local and remote IKEv2 traffic selectors in a way that disrupted traffic in a VPN tunnel that a Cisco Adaptive Security Appliance (ASA) initiated.
PAN-77033
Fixed an issue where using a Panorama management server running PAN-OS 8.0 to generate a report that queried an unsupported log field from a PA-7050 firewall running PAN-OS 7.1 slowed the performance of Panorama because the mgmtsrvr process stopped responding.
PAN-76964
Fixed an issue where interfaces went down due to packet buffers being overwhelmed after the firewall tried to close the connection to a rogue client that ignored the URL Filtering block page.
PAN-76890
Fixed an issue where traffic that included a ZIP file caused the all_task process to restart and the firewall dropped packets while waiting for that process to resume.
PAN-76746
Fixed an issue on the PA-7080 firewall where authentication traffic from a wireless controller to a RADIUS server failed due to buffer depletion on the firewall.
PAN-76651
Fixed an issue where VM-Series firewalls dropped multicast traffic if you enabled Data Plane Development Kit (DPDK) on VMXNET3 interfaces.
PAN-76650
Fixed an issue where renaming a shared object on Panorama that Panorama has pushed to firewalls caused a commit failure if the firewalls referenced that object in local policies.
PAN-76615
Fixed an issue where Panorama failed to Generate Tech Support File (PanoramaSupport).
PAN-76565
Fixed an issue where dynamic content updates failed on the firewall when DNS response times were slow.
PAN-76454
Fixed an issue on PA-7000 Series and PA-5200 Series firewalls where Generic Routing Encapsulation (GRE) session creation failed when the firewalls received GRE packets with a Point-to-Point Protocol (PPP) payload.
PAN-76330
Fixed an issue where the pan_task process stopped, which caused a loss of service and interruption to OSPF.
PAN-76271
Fixed an issue where you could not access the Panorama web interface or CLI because the configd process stopped after a Preview Changes operation (CommitCommit to Panorama).
PAN-76184
Fixed an issue on PA-7000 Series and PA-5200 Series firewalls where disabling the option to Turn on QoS feature on this interface (NetworkQoS) reduced throughput on 40Gbps interfaces.
PAN-76162
Fixed an issue where Panorama 8.0 did not display logs from PA-7000 Series firewalls running PAN-OS 7.0 or PAN-OS 7.1.
PAN-76158
Fixed an issue where the firewall, when processing heavy traffic, did not properly identify and block the Psiphon application when the Psiphon client was configured to use a specific source country.
PAN-76153
Fixed an issue where PA-5000 Series firewalls dropped traffic because predict sessions incorrectly matched Policy-Based Forwarding (PBF) policy rules for non-related sessions.
PAN-76144
Fixed an issue where throughput was reduced on PA-5000 Series firewalls that used a single UDP session on one dataplane to process high rates of tunneled traffic. With this fix, you can use the set session filter-ip-proc-cpu CLI command to use multiple dataplanes to process traffic for up to 32 destination server IP addresses. This setting persists after reboots and upgrades.
PAN-76032
Fixed an issue where the firewall web interface displayed a misspelling in the tooltip that opened when you hovered over Commit when no configuration changes were pending.
PAN-76003
A security-related fix was made to prevent cross-site scripting (XSS) attacks through the GlobalProtect external interface (CVE-2017-12416).
PAN-75977
Fixed an issue where users failed to authenticate through a Ucopia LDAP server.
PAN-75617
Fixed an issue where the firewall performed the default signature action for threat vulnerability exceptions instead of performing the Action you set in the Vulnerability Protection profile (ObjectsSecurity ProfilesVulnerability ProtectionExceptions).
PAN-75580
Fixed an issue where a PAN-OS XML API query to fetch all dynamic address groups failed with an Opening and ending tag mismatch error due to command buffer limitation.
PAN-75512
Fixed an issue where the firewall failed to decrypt VPN traffic for packets of certain sizes if you set the Encryption algorithm to aes-256-gcm in the IPSec Crypto profile used for the VPN tunnel (NetworkNetwork ProfilesIPSec Crypto).
PAN-75413
Fixed an issue where DHCP servers did not assign IP addresses to new end users (DHCP clients) because the firewall failed to process and relay DHCP messages between the servers and clients after you configured a firewall interface as a DHCP relay agent.
PAN-75372
Fixed an issue where Panorama dropped all administrative users because the management-server process restarted.
PAN-75337
Fixed an issue where CPU usage spiked on the firewall during Diffie-Hellman (DHE) or elliptical curve Diffie-Hellman (ECDHE) key exchange for SSL decryption. With this fix, the firewall has enhanced performance for DHE and ECDHE key exchange.
PAN-75304
Fixed an issue where the firewall populated default values for IPSec Crypto profiles that did not have an IPSec Protocol (ESP or AH) defined (NetworkNetwork ProfilesIPSec Crypto); the default values caused an IKE configuration parsing error that prevented IPSec VPN tunnels from coming up.
PAN-75215
Fixed an issue where the active firewall in an HA deployment kept sessions active for an hour instead of discarding them after 90 seconds when the sessions matched the URL category in a policy rule that was set to deny.
PAN-75158
Fixed an issue with network outages on firewalls in a virtual wire HA configuration with HA Preemptive failback enabled (DeviceHigh AvailabilityGeneralElection Settings) due to Layer 2 looping after failover events while the firewalls processed broadcast traffic.
PAN-75154
Fixed an issue where the MonitorTraffic Map displayed the Northwestern Somali region as Solomon Islands instead of Somalia.
PAN-75119
Fixed an issue where IP Address Exemptions in Anti-Spyware profiles (ObjectsSecurity ProfilesAnti-Spyware Profile) did not work for certain threats.
PAN-75118
Fixed an issue where commits failed after you added an IPv6 peer group to a virtual router that had Border Gateway Protocol (BGP) enabled (NetworkVirtual RoutersBGPPeer Group) and that had import, export and aggregate rules configured.
PAN-75029
Fixed an issue where the PA-5060 firewall randomly dropped packets and displayed the reason in Traffic logs as resources unavailable.
PAN-74938
Fixed an issue on PA-3000 Series firewalls where SSL sessions failed due to memory depletion in the proxy memory pool; Traffic logs displayed the reason decrypt-error.
PAN-74865
Fixed an issue where Panorama could not push address objects to managed firewalls if zones specified the objects in the User Identification ACL include or exclude lists (NetworkZones) and if you configured Panorama not to Share Unused Address and Service Objects with Devices (PanoramaSetupManagementPanorama Settings).
PAN-74639
Fixed an issue where the root partition on the firewall was low on disk space (requiring you to run the debug dataplane packet-diag clear log log CLI command to free disk space) because the pan_task process generated logs for H.225 sessions.
PAN-74601
Fixed an issue on Panorama where Device Group and Template administrators who had access domains assigned to their accounts could not edit shared security profiles (ObjectsSecurity Profiles) after committing those profiles.
PAN-74579
Fixed an issue where the debug dataplane internal pdt oct show-all CLI command restarted the firewall dataplane.
PAN-74440
Fixed an issue where the firewall generated System logs indicating the l3svc process stopped repeatedly because the cryptod daemon deleted a certificate key associated with an SSL/TLS Service Profile that was used for the URL Admin Override feature (DeviceSetupContent ID) or for Captive Portal (DeviceUser IdentificationCaptive Portal Settings).
PAN-74369
Fixed an issue where modifying the BFD profile in a virtual router (NetworkVirtual Routers) caused the routed process to stop.
PAN-74334
Fixed an issue on Panorama where the replace device CLI command did not replace the serial numbers of firewalls that policy rules referenced as targets.
PAN-74243
Fixed an issue where, after you used a Panorama template to push DNS server IP addresses (DeviceSetupServices) to a bootstrapped VM-Series firewall, the firewall failed to resolve FQDNs.
PAN-73919
Fixed an issue where you could not use the web interface or CLI to configure a multicast IP address as the Source or Destination in packet filters (MonitorPacket Capture).
PAN-73916
Fixed an issue where, after you logged in to the firewall with an administrator account that does not have a superuser role and you then tried to Disable an application (ObjectsApplications<application-name>), the firewall displayed an error message that did not indicate the need for superuser privileges.
PAN-73707
Fixed an issue where you could not generate a SCEP certificate if the SCEP Challenge (password) had a semicolon (DeviceCertificate ManagementSCEP).
PAN-73631
Fixed an issue where end user clients failed on their first attempt to authenticate when you configured Captive Portal for certificate-based authentication and the client certificates exceeded 2,000 bytes.
PAN-73556
Fixed an issue where the firewall did not delete multicast forwarding information base (FIB) entries for multicast groups that stopped receiving traffic.
PAN-73551
Fixed an issue where commits failed with the error syntax error [kmp_sa_lifetime_time ;] if the firewall had IKE Crypto profiles without a Key Lifetime defined (NetworkNetwork ProfilesIKE Crypto).
PAN-73548
Fixed an issue where the firewall used the global service route (DeviceSetupServicesGlobal) instead of service routes defined for specific virtual systems (DeviceSetupServicesVirtual Systems) if you configured DeviceServer Profiles in the Shared location.
PAN-73484
Fixed an issue where the firewall server process (devsrvr) restarted during URL updates.
PAN-73281
Fixed an issue where the firewall dropped multicast traffic on an egress VLAN interface when the traffic was offloaded.
PAN-73254
Fixed an issue where, after you installed the VMware NSX plugin on Panorama in a high availability (HA) configuration, Panorama did not automatically synchronize configuration changes between the HA peers unless you first updated settings related to the NSX plugin.
PAN-73184
Fixed an issue where successive HTTP GET requests in a single session failed if you configured SSL Decryption with the Strip X-Forwarded-For option enabled (DeviceSetupContent-ID).
PAN-72946
Fixed an issue where HA firewalls displayed as out of sync if an SSL/TLS Service Profile without a certificate was assigned to the management (MGT) interface (DeviceSetupManagement). With this fix, PAN-OS unassigns the SSL/TLS Service Profile if it doesn't have a certificate.
PAN-72863
Fixed an issue where the PAN-OS integrated User-ID agent or Windows-based User-ID agent stopped responding because the firewall sent numerous queries
PAN-72753
Fixed an issue where you could not configure the 0.0.0.0/1 subnet as a Proxy ID for IPSec VPN tunnels.
PAN-72433
Fixed an issue where the PA-7050 firewall displayed incorrect information for the packet counts and number of bytes associated with traffic on subinterfaces. With this fix, the firewall displays the correct information in the show interface CLI command output and in other sources of information for subinterfaces (such as SNMP statistics and NetFlow record exports).
PAN-72258
Fixed an issue where pushing an ARP load-sharing configuration (DeviceHigh AvailabilityActive/Active ConfigVirtual Address) from Panorama to a firewall deleted it from the firewall.
PAN-71922
Fixed an issue where the firewall did not generate Threat logs for classified DOS protection profiles that had an Action set to SYN Cookies (ObjectsSecurity ProfilesDoS ProtectionFlood ProtectionSYN Flood).
PAN-71535
Fixed an issue on Panorama where PanoramaDevice DeploymentSoftware stopped displaying software images for a release after you performed a manual Upload for a software image of that release.
PAN-71133
Fixed an issue on where the dataplane rebooted after multiple dataplane processes restarted due to memory corruption.
PAN-69449
Fixed an issue where, after a clock change on the firewall (such as for Daylight Savings Time), the ACC did not display information for time periods before the change.
PAN-68808
Fixed an issue on the PA-7050 firewall where the mprelay process experienced a memory leak and stopped responding, which caused slot failures and HA failover.
PAN-68580
Fixed an issue where HA VM-Series firewalls displayed the wrong link state after a link-monitoring failure.
PAN-66076
Fixed an issue where the GlobalProtect portal prompted end users to enter a one-time password (OTP) even after the users entered the OTP for the GlobalProtect gateway and Authentication Override is enabled (NetworkGlobalProtectPortals<portal-configuration>Agent<agent-configuration>Authentication).
PAN-64639
Fixed an issue where HA firewalls failed to synchronize the PAN-DB URL database.
PAN-62159
Fixed an issue where the firewall did not generate WildFire Submission logs when the number of cached logs exceeded storage resources on the firewall.
PAN-59372
Fixed an issue where neither Panorama nor the firewall generated a System log indicating a password change after you used a Panorama template to push an administrator password change to the firewall.
PAN-56287
Fixed an issue where the firewall discarded VoIP sessions that had multicast destinations.
PAN-46374
Fixed an issue on PA-7000 Series firewalls where you had to power cycle the Switch Management Card (SMC) when it failed to come up after a soft reboot (such as after upgrading the PAN-OS software).

Related Documentation