PAN-OS 8.0.4 Addressed Issues
PAN-OS 8.0.4 addressed issues
Fixed an issue where the WF-500 appliance incorrectly assigned a malicious verdict to samples due to Web Proxy Auto-Discovery Protocol (WPAD) DNS lookups.
Fixed an issue where commits failed after upgrading a firewall to PAN-OS 8.0 if, before the upgrade, that firewall had a tunnel interface configured as the Source Interface for QoS cleartext traffic (NetworkQoS<QoS_interface>Clear Text Traffic).
Fixed an issue where the reportd process had a memory leak.
A security-related fix was made to address a vulnerability that allowed XML External Entity (XXE) attacks on the GlobalProtect external interface because PAN-OS did not properly parse XML input (CVE-2017-9458).
Fixed an issue on PA-7000 Series and PA-5200 Series firewalls where users failed to authenticate when the Captive Portal host session incorrectly timed out after 5 seconds.
Fixed an issue where the firewall used an incorrect source MAC address for aggregate Ethernet interfaces, which caused traffic offload failures.
Fixed an issue where firewalls running PAN-OS 8.0.3 displayed the error message Not authorized when administrators with local firewall accounts tried to log in using Kerberos single sign-on.
Fixed an issue where the firewall dropped packets when GlobalProtect end users generated IPv6 traffic.
Fixed an issue where the firewall randomly dropped packets for traffic that end users generated after connecting to GlobalProtect.
Fixed an issue where the firewall could not delete old HA keys, which prevented the generation of new keys for HA1 encryption.
Fixed an issue where firewall administrators that PAN-OS authenticated through RADIUS and authorized through RADIUS Vendor-Specific Attributes (VSAs) could not commit configuration changes on the firewall.
Fixed an issue where PA-7000 Series firewalls did not apply changes to the Syslog server profile configuration until you restarted the syslog-ng process.
Fixed an issue where pushing template configurations to VM-Series firewalls for NSX removed those firewalls as managed devices on Panorama.
Fixed an issue on PA-220 firewalls where, after you modified Security policy, the firewalls did not rematch the policy against sessions involving file transfers that were in progress during the policy modification.
Fixed an issue where fragmented packets in GlobalProtect traffic caused PA-5200 Series firewalls to stop responding.
Fixed an issue on PA-5250 and PA-5260 firewalls where QSFP ports 21 to 24 did not come up when connecting over LR optic connections.
Fixed an issue where loading definitions for 8.0 SNMP MIBs failed for the PAN-TRAPS.my MIB. With this fix, you can download the latest enterprise MIBs from https://www.paloaltonetworks.com/documentation/misc/snmp-mibs.html .
Fixed an issue where the firewall ignored Authentication policy rules for websites that you added to a custom URL category.
Fixed an issue where PA-5200 Series firewalls became unresponsive if they used Tap interfaces for high-throughput traffic.
Fixed an issue where Panorama failed to export a custom report if you set the Database to a Remote Device Data option (MonitorManage Custom Reports).
Fixed an issue where the firewall stopped responding and processing traffic due to a packet buffer leak.
Fixed an issue where the firewall truncated passwords to 40 characters when end users tried to authenticate through RADIUS in the Captive Portal web form.
Fixed an issue where the passive firewall in an active/passive HA deployment lost HA session updates when the active peer had a heavy processing load.
Fixed an issue on Panorama in NSX deployments where dynamic address updates took several minutes to complete.
Fixed an issue where the firewall identified traffic to www.online-translator.com as the translator-5 application instead of as web-browsing.
Fixed an issue where PA-7000 Series and PA-5200 Series firewalls forwarded a SIP INVITE based on route lookup instead of on Policy-Based Forwarding (PBF) policy.
Fixed an issue where PA-5200 Series firewalls throttled packet diagnostic logs even if log throttling was disabled.
Fixed an issue where Panorama failed to forward logs to a syslog server over TCP.
Fixed an issue where GlobalProtect endpoints configured to use the pre-logon Connection Method with cookie authentication failed to authenticate because they failed to retrieve framed (static) IP addresses.
Fixed an issue where administrators with a custom role could not delete packet captures.
Fixed an issue on PA-7000 Series firewalls where the Egress Interface in a PBF policy rule (PoliciesPolicy Based Forwarding<rule>Forwarding) was reset to a null value, which brought down all the interfaces in the slot associated with the Egress Interface and caused HA failover.
Fixed an issue where the firewall evaluated URL filtering-based Security policy rules without evaluating application-based rules that were higher in the rule evaluation order.
Fixed an issue in virtual routers where modifying a BFD profile configuration (NetworkNetwork ProfilesBFD Profile) or assigning a different BFD profile (NetworkVirtual RoutersBGP) caused the associated routing protocol (BGP) to flap.
Fixed an issue on PA-7000 Series firewalls where committing configuration changes caused the management server to stop responding and made the web interface and CLI inaccessible.
Fixed an issue on the PA-5020 firewall where the dataplane restarted continuously when a user accessed applications over a GlobalProtect clientless VPN.
Fixed an issue where the firewall wrote random URIs in Threat logs for Anti-Spyware DNS signatures.
Fixed an issue where operations that required heavy memory usage on Log Collectors (such as ingesting logs at a high rate) caused some other processes to restart.
Fixed an issue where a large number of LDAP connections caused commit failures.
A security-related fix was made to address OpenSSL vulnerabilities relating to the Network Time Protocol (NTP) library (CVE-2016-9042/CVE-2017-6460).
Fixed an issue where Panorama failed to migrate URL categories from BrightCloud to PAN-DB in policy pre-rules and post-rules.
Fixed an issue where PAN-OS XML API calls for retrieving all threat details associated with a threat ID returned only threat names.
Fixed an issue where multicast packets with stale session IDs caused the firewall dataplane to restart.
Fixed an issue where the firewall enabled new applications associated with Applications updates received from Panorama even if you chose to Disable new apps in content update (PanoramaDevice DeploymentDynamic Updates).
Fixed an issue where the firewall failed to export a report to PDF, XML, or CSV format if the report job ID was higher than 65535.
Fixed an issue where the MonitorBotnet report displayed the wrong portion of the URL when the HTTP GET request was too long, while the MonitorLogsURL Filtering logs displayed the URL correctly.
Fixed an issue where the firewall rejected the default route advertised by an OSPFv3 neighbor with the link-local address fe80::1.
Fixed an issue where the firewall or Panorama web server stopped responding, which made the web interface inaccessible until you rebooted.
Fixed an issue where firewalls did not take template settings from Panorama when you pushed a template stack that had multiple templates with a Default VSYS (PanoramaTemplates<template_configuration>).
Fixed an issue where Panorama failed to push a shared address object to firewalls if the object was part of a dynamic address group that used a tag.
Fixed an issue where, after a firewall successfully installed a content update received from Panorama, Panorama displayed a failure message for that update when the associated job ID on the firewall was higher than 65536.
Fixed an issue where the firewall did not clear IP address-to-username mappings or username-to-group mappings after reaching the maximum supported number of user groups, which caused commit failures with the following errors:
user-id is not registerdand
ldmgr manager was reset. Commit is required to reinitialize User-ID.
Fixed an issue where PAN-OS indicated only late in the bootstrapping process when the init-cfg.txt file incorrectly specified an IPv6 address without a corresponding IPv4 address, which caused the process to abort. With this fix, PAN-OS warns you of such errors much earlier in the bootstrapping process (during the sanity check phase).
Fixed an issue where the firewall dropped application sessions after only 30 seconds of idle traffic instead of after the session timeout associated with the application.
Fixed an issue where SSL sessions failed due to SSL decryption errors and the firewall displayed the reason in Traffic logs as decrypt-error or decrypt-cert-validation.
Fixed an issue where administrators could not log in to the firewall using LDAP credentials after a PAN-OS upgrade.
Fixed an issue where the firewall rebooted if a Syslog Parse profile with the Type set to Regex Identifier (Devic eUser IdentificationUser MappingPalo Alto Networks User-ID Agent SetupSyslog Filters) matched a null character in a syslog message.
Fixed an issue where incremental updates failed for registered IP addresses if the firewall retrieved the updates through VM information sources (DeviceVM Information Sources).
Fixed an issue where Panorama failed to display HA firewalls (PanoramaManaged Devices) after the configd process stopped responding.
Fixed an issue where rebooting the firewall caused it to generate a false critical alarm that indicated LDAP servers were down.
Fixed an issue where the web interface did not display the character limit (2,048) when users tried to save log filters. With this fix, the firewall displays more information in error messages relating to saving log filters.
Fixed an issue where end users ignored the Duo V2 authentication prompt until it timed out but still authenticated successfully to a GlobalProtect portal configured for two-factor authentication.
Fixed an issue where Panorama allowed you to add multiple entries for the same firewall to a Log Forwarding Preferences list while configuring a Collector Group (PanoramaCollector Groups<Collector_Group_configuration>Device Log Forwarding), which caused a commit failure. With this fix, Panorama prevents you from adding multiple entries for the same firewall while configuring a Collector Group.
Fixed an issue where the firewall dataplane restarted because packet processing processes stopped responding for HTTP traffic involving URL percent-encoding.
Fixed an issue where the firewall mapped users to the Kerberos Realm defined in authentication profiles (DeviceAuthentication Profiles) instead of extracting the realm from Kerberos tickets.
Fixed an issue where the firewall incorrectly generated packet diagnostic logs and captured packets for sessions that were not part of a packet filter (MonitorPacket Capture).
Fixed an issue on PA-3000 Series firewalls where you could not configure a QoS Profile to have a maximum egress bandwidth (Egress Max) higher than 1Gbps for an aggregate group interface (NetworkNetwork ProfilesQoS Profile).
Fixed an issue where the following Panorama XML API request to show all dynamic address groups did not respond with XML:
Fixed an issue where, when a multicast forwarding information base (MFIB) timed out, the packet processing process (flow_ctrl) stopped responding, which intermittently caused the firewall dataplane to restart.
Fixed an issue where RTP sessions that were created from predict sessions went from an active state to a discard state after you installed a content update or committed configuration changes on the firewall.
Fixed an issue where the firewall captured packets of IP addresses not included in the packet filter (MonitorPacket Capture).
Fixed an issue where Panorama displayed an error message if you configured an access domain with 512 or more device groups. With this fix, you can configure up to 1,024 device groups in a single access domain.
Fixed an issue where the firewall stopped writing new Traffic and Threat logs to storage because the Automated Correlation Engine used disk space in a way that prevented the firewall from purging older logs.