PAN-OS 8.0.4 Addressed Issues

PAN-OS 8.0.4 addressed issues
Issue ID
Description
WF500-4314
Fixed an issue where the WF-500 appliance incorrectly assigned a malicious verdict to samples due to Web Proxy Auto-Discovery Protocol (WPAD) DNS lookups.
PAN-80766
Fixed an issue where commits failed after upgrading a firewall to PAN-OS 8.0 if, before the upgrade, that firewall had a tunnel interface configured as the Source Interface for QoS cleartext traffic (NetworkQoS<QoS_interface>Clear Text Traffic).
PAN-80445
Fixed an issue where the reportd process had a memory leak.
PAN-80122
A security-related fix was made to address a vulnerability that allowed XML External Entity (XXE) attacks on the GlobalProtect external interface because PAN-OS did not properly parse XML input (CVE-2017-9458).
PAN-80077
Fixed an issue on PA-7000 Series and PA-5200 Series firewalls where users failed to authenticate when the Captive Portal host session incorrectly timed out after 5 seconds.
PAN-80064
Fixed an issue where the firewall used an incorrect source MAC address for aggregate Ethernet interfaces, which caused traffic offload failures.
PAN-80062
Fixed an issue where firewalls running PAN-OS 8.0.3 displayed the error message Not authorized when administrators with local firewall accounts tried to log in using Kerberos single sign-on.
PAN-79935
Fixed an issue where the firewall dropped packets when GlobalProtect end users generated IPv6 traffic.
PAN-79833
Fixed an issue where the firewall randomly dropped packets for traffic that end users generated after connecting to GlobalProtect.
PAN-79780
Fixed an issue where the firewall could not delete old HA keys, which prevented the generation of new keys for HA1 encryption.
PAN-79779
Fixed an issue where firewall administrators that PAN-OS authenticated through RADIUS and authorized through RADIUS Vendor-Specific Attributes (VSAs) could not commit configuration changes on the firewall.
PAN-79436
Fixed an issue where PA-7000 Series firewalls did not apply changes to the Syslog server profile configuration until you restarted the syslog-ng process.
PAN-79365
Fixed an issue where pushing template configurations to VM-Series firewalls for NSX removed those firewalls as managed devices on Panorama.
PAN-79311
Fixed an issue on PA-220 firewalls where, after you modified Security policy, the firewalls did not rematch the policy against sessions involving file transfers that were in progress during the policy modification.
PAN-79084
Fixed an issue where fragmented packets in GlobalProtect traffic caused PA-5200 Series firewalls to stop responding.
PAN-79001
Fixed an issue on PA-5250 and PA-5260 firewalls where QSFP ports 21 to 24 did not come up when connecting over LR optic connections.
PAN-78932
Fixed an issue where loading definitions for 8.0 SNMP MIBs failed for the PAN-TRAPS.my MIB. With this fix, you can download the latest enterprise MIBs from https://www.paloaltonetworks.com/documentation/misc/snmp-mibs.html .
PAN-78886
Fixed an issue where the firewall ignored Authentication policy rules for websites that you added to a custom URL category.
PAN-78390
Fixed an issue where PA-5200 Series firewalls became unresponsive if they used Tap interfaces for high-throughput traffic.
PAN-78342
Fixed an issue where Panorama failed to export a custom report if you set the Database to a Remote Device Data option (MonitorManage Custom Reports).
PAN-78256
Fixed an issue where the firewall stopped responding and processing traffic due to a packet buffer leak.
PAN-78224
Fixed an issue where the firewall truncated passwords to 40 characters when end users tried to authenticate through RADIUS in the Captive Portal web form.
PAN-77973
Fixed an issue where the passive firewall in an active/passive HA deployment lost HA session updates when the active peer had a heavy processing load.
PAN-77702
Fixed an issue on Panorama in NSX deployments where dynamic address updates took several minutes to complete.
PAN-77671
Fixed an issue where the firewall identified traffic to www.online-translator.com as the translator-5 application instead of as web-browsing.
PAN-77595
Fixed an issue where PA-7000 Series and PA-5200 Series firewalls forwarded a SIP INVITE based on route lookup instead of on Policy-Based Forwarding (PBF) policy.
PAN-77527
Fixed an issue where PA-5200 Series firewalls throttled packet diagnostic logs even if log throttling was disabled.
PAN-77213
Fixed an issue where Panorama failed to forward logs to a syslog server over TCP.
PAN-77096
Fixed an issue where GlobalProtect endpoints configured to use the pre-logon Connection Method with cookie authentication failed to authenticate because they failed to retrieve framed (static) IP addresses.
PAN-77062
Fixed an issue where administrators with a custom role could not delete packet captures.
PAN-77053
Fixed an issue on PA-7000 Series firewalls where the Egress Interface in a PBF policy rule (PoliciesPolicy Based Forwarding<rule>Forwarding) was reset to a null value, which brought down all the interfaces in the slot associated with the Egress Interface and caused HA failover.
PAN-77012
Fixed an issue where the firewall evaluated URL filtering-based Security policy rules without evaluating application-based rules that were higher in the rule evaluation order.
PAN-76832
Fixed an issue in virtual routers where modifying a BFD profile configuration (NetworkNetwork ProfilesBFD Profile) or assigning a different BFD profile (NetworkVirtual RoutersBGP) caused the associated routing protocol (BGP) to flap.
PAN-76831
Fixed an issue on PA-7000 Series firewalls where committing configuration changes caused the management server to stop responding and made the web interface and CLI inaccessible.
PAN-76779
Fixed an issue on the PA-5020 firewall where the dataplane restarted continuously when a user accessed applications over a GlobalProtect clientless VPN.
PAN-76381
Fixed an issue where the firewall wrote random URIs in Threat logs for Anti-Spyware DNS signatures.
PAN-76270
Fixed an issue where operations that required heavy memory usage on Log Collectors (such as ingesting logs at a high rate) caused some other processes to restart.
PAN-76160
Fixed an issue where a large number of LDAP connections caused commit failures.
PAN-76130
A security-related fix was made to address OpenSSL vulnerabilities relating to the Network Time Protocol (NTP) library (CVE-2016-9042/CVE-2017-6460).
PAN-76058
Fixed an issue where Panorama failed to migrate URL categories from BrightCloud to PAN-DB in policy pre-rules and post-rules.
PAN-76042
Fixed an issue where PAN-OS XML API calls for retrieving all threat details associated with a threat ID returned only threat names.
PAN-75908
Fixed an issue where multicast packets with stale session IDs caused the firewall dataplane to restart.
PAN-75769
Fixed an issue where the firewall enabled new applications associated with Applications updates received from Panorama even if you chose to Disable new apps in content update (PanoramaDevice DeploymentDynamic Updates).
PAN-75505
Fixed an issue where the firewall failed to export a report to PDF, XML, or CSV format if the report job ID was higher than 65535.
PAN-75412
Fixed an issue where the MonitorBotnet report displayed the wrong portion of the URL when the HTTP GET request was too long, while the MonitorLogsURL Filtering logs displayed the URL correctly.
PAN-75045
Fixed an issue where the firewall rejected the default route advertised by an OSPFv3 neighbor with the link-local address fe80::1.
PAN-74959
Fixed an issue where the firewall or Panorama web server stopped responding, which made the web interface inaccessible until you rebooted.
PAN-74954
Fixed an issue where firewalls did not take template settings from Panorama when you pushed a template stack that had multiple templates with a Default VSYS (PanoramaTemplates<template_configuration>).
PAN-74886
Fixed an issue where Panorama failed to push a shared address object to firewalls if the object was part of a dynamic address group that used a tag.
PAN-74652
Fixed an issue where, after a firewall successfully installed a content update received from Panorama, Panorama displayed a failure message for that update when the associated job ID on the firewall was higher than 65536.
PAN-74632
Fixed an issue where the firewall did not clear IP address-to-username mappings or username-to-group mappings after reaching the maximum supported number of user groups, which caused commit failures with the following errors:
user-id is not registerd
and
ldmgr manager was reset. Commit is required to reinitialize User-ID.
PAN-74411
Fixed an issue where PAN-OS indicated only late in the bootstrapping process when the init-cfg.txt file incorrectly specified an IPv6 address without a corresponding IPv4 address, which caused the process to abort. With this fix, PAN-OS warns you of such errors much earlier in the bootstrapping process (during the sanity check phase).
PAN-74293
Fixed an issue where the firewall dropped application sessions after only 30 seconds of idle traffic instead of after the session timeout associated with the application.
PAN-74139
Fixed an issue where SSL sessions failed due to SSL decryption errors and the firewall displayed the reason in Traffic logs as decrypt-error or decrypt-cert-validation.
PAN-74110
Fixed an issue where administrators could not log in to the firewall using LDAP credentials after a PAN-OS upgrade.
PAN-73270
Fixed an issue where the firewall rebooted if a Syslog Parse profile with the Type set to Regex Identifier (Devic eUser IdentificationUser MappingPalo Alto Networks User-ID Agent SetupSyslog Filters) matched a null character in a syslog message.
PAN-73053
Fixed an issue where incremental updates failed for registered IP addresses if the firewall retrieved the updates through VM information sources (DeviceVM Information Sources).
PAN-72894
Fixed an issue where Panorama failed to display HA firewalls (PanoramaManaged Devices) after the configd process stopped responding.
PAN-72831
Fixed an issue where rebooting the firewall caused it to generate a false critical alarm that indicated LDAP servers were down.
PAN-72698
Fixed an issue where the web interface did not display the character limit (2,048) when users tried to save log filters. With this fix, the firewall displays more information in error messages relating to saving log filters.
PAN-72342
Fixed an issue where end users ignored the Duo V2 authentication prompt until it timed out but still authenticated successfully to a GlobalProtect portal configured for two-factor authentication.
PAN-71931
Fixed an issue where Panorama allowed you to add multiple entries for the same firewall to a Log Forwarding Preferences list while configuring a Collector Group (PanoramaCollector Groups<Collector_Group_configuration>Device Log Forwarding), which caused a commit failure. With this fix, Panorama prevents you from adding multiple entries for the same firewall while configuring a Collector Group.
PAN-71226
Fixed an issue where the firewall dataplane restarted because packet processing processes stopped responding for HTTP traffic involving URL percent-encoding.
PAN-70119
Fixed an issue where the firewall mapped users to the Kerberos Realm defined in authentication profiles (DeviceAuthentication Profiles) instead of extracting the realm from Kerberos tickets.
PAN-69367
Fixed an issue where the firewall incorrectly generated packet diagnostic logs and captured packets for sessions that were not part of a packet filter (MonitorPacket Capture).
PAN-68974
Fixed an issue on PA-3000 Series firewalls where you could not configure a QoS Profile to have a maximum egress bandwidth (Egress Max) higher than 1Gbps for an aggregate group interface (NetworkNetwork ProfilesQoS Profile).
PAN-67618
Fixed an issue where the following Panorama XML API request to show all dynamic address groups did not respond with XML:
http://firewall/api/?type=op&cmd=<show><object><dynamic-address-group><all>
</all></dynamic-address-group></object></show>
PAN-67544
Fixed an issue where, when a multicast forwarding information base (MFIB) timed out, the packet processing process (flow_ctrl) stopped responding, which intermittently caused the firewall dataplane to restart.
PAN-63905
Fixed an issue where RTP sessions that were created from predict sessions went from an active state to a discard state after you installed a content update or committed configuration changes on the firewall.
PAN-61834
Fixed an issue where the firewall captured packets of IP addresses not included in the packet filter (MonitorPacket Capture).
PAN-57490
Fixed an issue where Panorama displayed an error message if you configured an access domain with 512 or more device groups. With this fix, you can configure up to 1,024 device groups in a single access domain.
PAN-54531
Fixed an issue where the firewall stopped writing new Traffic and Threat logs to storage because the Automated Correlation Engine used disk space in a way that prevented the firewall from purging older logs.

Related Documentation