PAN-OS 8.0.5 Addressed Issues

PAN-OS® 8.0.5 addressed issues
Issue ID
Description
PAN-83393
Fixed an issue where a firewall with GTP Security enabled (Device > Setup > Management > General Settings) did not mark a GTP control message packet as invalid when the packet payload had multiple access point names (APN).
PAN-82651
Fixed an issue where a memory leak caused commit failures with the following error message: Threat database handler failed.
PAN-82616
Fixed an issue where the firewall prevented file transfers over HTTPS when the session offload feature was enabled.
PAN-82275
Fixed an issue where VM-Series firewalls dropped traffic on interfaces with QoS enabled due to QoS timeouts.
PAN-82234
Fixed an issue on M-Series appliances in Panorama mode where running scheduled reports caused a memory leak that resulted in errors such as commit failures and process termination.
PAN-82221
Fixed an issue on PA-5200 Series firewalls where the dataplane restarted because the flow_ctrl process stopped responding during heavy IPv6 traffic when the firewall interface that handled the traffic had 32,000 or more Neighbor Discovery Protocol (NDP) entries (Network > Interfaces > <interface_configuration> > Advanced > ND Entries).
PAN-82200
Fixed an issue where an OSPFv3 not-so-stubby area (NSSA) update for an IPv6 default route caused the routed process to stop responding.
PAN-82089
Fixed an issue on PA-3000, PA-5000, PA-5200, and PA-7000 Series firewalls where heavy IPv6 traffic caused session offloading to fail, which reduced throughput.
PAN-82076
Fixed an issue on PA-5200 Series and PA-7000 Series firewalls where traffic delays occurred due to packet buffer congestion after the all_pktproc process stopped responding because of an incorrect Policy Based Forwarding (PBF) policy rule ID that referenced an invalid egress interface.
PAN-81990
Fixed an issue on PA-5220 and PA-5250 firewalls running PAN-OS 8.0.4 where the dataplane restarted multiple times after the all_pktproc process stopped responding due to memory pool exhaustion.
PAN-81951
Fixed an issue where errors associated with a Commit > Commit All Changes operation caused FQDN refresh operations to fail on the firewall. With this fix, commit failures don't cause FQDN refresh failures.
PAN-81590
Fixed an issue where a firewall intermittently dropped packets when an internal communication link failed to initialize.
PAN-81497
Fixed an issue where web pages accessed through GlobalProtect Clientless VPN did not load properly.
PAN-81287
Fixed an issue where a firewall in FIPS/CC mode intermittently switched to maintenance mode.
PAN-81218
Fixed an issue on the PA-500 firewall where OSPF was stuck in a loading state when OSPF neighbors connected over a tunnel interface.
PAN-81118
Fixed an issue where client systems could use a translated IP address-and-port pair for only one connection even if you configured the Dynamic IP and Port (DIPP) NAT Oversubscription Rate to allow multiple connections (Device > Setup > Session > Session Settings > NAT Oversubscription). This issue is fixed on all firewall models except the PA-7000 Series and PA-5200 Series firewalls (see PAN-84488).
PAN-81031
Fixed an issue on firewalls with Captive Portal enabled where Authentication policy blocked any non-HTTP applications.
PAN-80837
Fixed an issue where, after upgrading from PAN-OS 7.1 to PAN-OS 8.0, the Panorama management server did not convert Threat logs into URL Filtering or Data Filtering logs when you had log forwarding filters based on severity levels.
PAN-80802
Fixed an issue on Panorama appliances in Panorama or Log Collector mode where an out-of-memory condition occurred because a memory leak in the reportd process raised CPU usage and swap memory.
PAN-80606
Fixed an issue where the firewall stopped uploading files to WildFire after you enabled Passive DNS Monitoring (Device > Setup > Telemetry).
PAN-80535
Fixed an issue on a firewall with multiple virtual systems where policy rules defined for a specific virtual system could not access shared EDL objects.
PAN-80479
Fixed an issue where an end user could not use Kerberos single sign-on to authenticate to the GlobalProtect portal or gateway when user membership in many Kerberos groups resulted in an HTTP header that exceeded the size that the firewall allowed. With this fix, the firewall allows a larger size for HTTP headers.
PAN-80465
Fixed an issue where PAN-OS never performed the Action configured in an update schedule on a firewall (Device > Dynamic Updates > <update_type_schedule>) or a Panorama management server (Panorama > Dynamic Updates > <update_type_schedule>) when the Threshold age for updates exceeded the frequency at which Palo Alto Networks released the updates. For example, if you configured the firewall with a threshold of 48 hours for Applications and Threats content updates but Palo Alto Networks released successive content updates every 24 hours, the latest update would never reach the 48-hour age threshold required to trigger the specified action. With this fix, PAN-OS checks the last five content release versions, instead of just the newest version, and performs the action for the latest version that matches the threshold you specified. For example, if content update version 701 is available for 24 hours and version 700 is available for 72 hours, and you set the threshold to 48 hours for Applications and Threats content updates, PAN-OS performs the action for version 700. PAN-OS checks the last five content release versions for Antivirus updates also.
PAN-80155
Fixed an issue where firewalls that were deployed in an active/passive high availability (HA) configuration and that acted as DHCP relay agents used physical MAC addresses instead of HA virtual MAC addresses for DHCP packets.
PAN-79977
Fixed an issue where the snmpd process restarted due to a memory leak that caused it to exceed the virtual memory limit.
PAN-79939
As an enhancement on VM-Series firewalls, you can now enable or disable Data Plane Development Kit (DPDK) mode during the bootstrap process. DPDK enhances firewall performance by increasing the packet processing speed of network interface cards (NICs). To enable DPDK, add the op-cmd-dpdk-pkt-io=on command to the init-cfg.txt bootstrap configuration file. If you disable DPDK by adding the op-cmd-dpdk-pkt-io=off command, the firewall uses Packet_mmap mode instead.
PAN-79874
Fixed an issue where end users could not send email because the all_pktproc process stopped responding after the firewall tried to process an empty filename in email traffic.
PAN-79844
Fixed an issue on Panorama where scheduled custom reports returned no data.
PAN-79804
Fixed an issue where VM-Series firewalls for VMware NSX did not register on Panorama when they belonged to a device group that contained applications from a content release version that was newer than the version included with the PAN-OS software image for fresh installations.
PAN-79607
Fixed an issue where a spike in dataplane memory utilization caused bus errors and caused the dataplane and control plane to restart until you rebooted the firewall.
PAN-79575
Fixed an issue where commit operations failed and the firewall became unresponsive after responding to SNMP queries associated with certain OIDs that triggered an snmpd memory leak.
PAN-79555
Fixed an issue on VM-Series firewalls on Azure where dataplane interfaces did not come up as expected because they did not successfully negotiate Layer 2 settings during bootup.
PAN-79313
Fixed an issue where VM-Series firewalls did not successfully apply pre-licensed serial numbers for Cloud Security Service Provider (CSSP) licenses.
PAN-79238
Fixed an issue on firewalls in an HA configuration where HA path monitoring failed when the Ping Interval had a low value, such as 600ms (Device > High Availability > Link and Path Monitoring > <path_group_configuration>).
PAN-79174
Fixed an issue where commits took longer to complete than expected on firewalls with hundreds of policy rules that referenced application filters or application groups that specified thousands of applications.
PAN-78818
Fixed an issue where VM-Series firewalls deleted logs when you upgraded the base system disk from 40GB to 60GB.
PAN-78778
Fixed an issue where VM-Series firewalls for Hyper-V that used VLAN tagging dropped Ethernet frames that exceeded 1,496 bytes.
PAN-78770
Fixed an issue on PA-500 firewalls in an HA configuration where the HA1 interface went down due to a missed HA1 heartbeat.
PAN-78572
Fixed an issue where the Panorama management server delayed the display of new firewall logs because the logd process consumed too much memory.
PAN-78385
Fixed an issue where a Panorama management server running PAN-OS 8.0 did not display logs that were related to VPN tunnels or authentication and that were collected from PA-7000 Series firewalls running PAN-OS 7.1 or an earlier release.
PAN-78362
Fixed an issue where the Panorama management server intermittently became unresponsive due to errors in the configd process.
PAN-78044
Fixed an issue where the firewall dropped packets that were destined for IP address FD00::/8 when you configured a Zone Protection profile with a Strict IP Address Check (Network > Network Profiles > Zone Protection > Packet Based Attack Protection > IP Drop). With this fix, FD00::/8 is no longer a reserved IP address.
PAN-77939
Fixed an issue where the Panorama virtual appliance in Legacy mode purged older Traffic logs even when space was available to store new logs.
PAN-77935
Fixed an issue where, after you upgraded a firewall to PAN-OS 8.0, it forwarded the same logs to a syslog server multiple times instead of once.
PAN-77866
Fixed an issue where the authentication process (authd) stopped responding when a third-party device blocked the transmission of authentication packets between the firewall and an LDAP server. With this fix, authentication fails without authd becoming unresponsive when a third-party device blocks LDAP authentication packets.
PAN-77747
Fixed an issue where a firewall with ECMP enabled on a virtual router (Network > Virtual Routers > Router Settings > ECMP) did not load balance the traffic among egress interfaces when the traffic originated from another virtual router.
PAN-77702
Fixed an issue on Panorama in NSX deployments where dynamic address updates took several minutes to complete.
PAN-77652
Fixed an issue on PA-7000 Series firewalls where the mprelay process stopped responding due to a memory leak on the management plane.
PAN-77645
Fixed an issue where Dedicated Log Collectors did not forward logs to a syslog server over TCP.
PAN-77581
Fixed an issue where the web interface displayed no information in the Previous User tab (Network > GlobalProtect > Gateways > Remote Users: Info column).
PAN-77469
Fixed an issue on a Panorama management server running PAN-OS 8.0 where an administrator with a custom role who accessed the Context of a managed firewall running PAN-OS 7.1 or an earlier release could not commit changes on that firewall.
PAN-77405
Fixed an issue where the PA-220 firewall incorrectly displayed packet descriptor utilization as 51% even when the firewall was not processing traffic.
PAN-77327
Fixed an issue where the PA-220 firewall did not send the correct interface indexes to NetFlow collectors, which prevented it from forwarding IP traffic statistics for analysis.
PAN-77171
Fixed an issue where the firewall discarded sessions that required the TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 cipher for SSL decryption.
PAN-76997
Fixed an issue on the PA-3020 firewall where SSL connections failed due to memory allocation issues if you configured a Decryption profile with Key Exchange Algorithms that included ECDHE (Objects > Decryption Profile > <decryption_profile> > SSL Protocol Settings).
PAN-76830
Fixed an issue on PA-5000 Series firewalls where insufficient memory allocation caused SSL decryption errors that resulted in SSL session failures, and the firewall displayed the reason in Traffic logs as decrypt-error or decrypt-cert-validation.
PAN-76509
Fixed an issue on firewalls with multiple virtual systems where custom spyware signatures worked only on vsys1 (Objects > Custom Objects > Spyware).
PAN-76373
Fixed an issue on PA-5000 Series firewalls where using the web interface to display QoS Statistics (Network > QoS) caused the control plane and dataplane to restart due to a memory leak.
PAN-76263
Fixed an issue where the Panorama management server retained the threshold value for update schedules (Device > Dynamic Updates > <update_type_schedule>) in a template stack even after you removed the value from templates in the stack.
PAN-76155
Fixed an issue where the logs for the VM Monitoring Agent did not indicate the reason for events that cause it to exit. With this fix, the logs display debug-level details when the VM Monitoring Agent exits.
PAN-76040
Fixed an issue where configuring an aggregate interface group with interfaces of different media (such as copper and fiber optic) caused a commit failure. With this fix, an aggregate interface group can have interfaces with different media.
PAN-76019
Fixed an issue where the dataplane restarted because the firewall used incorrect zone identifiers for deleting flows when untagged subinterfaces had parent interfaces with no zone assignment.
PAN-75890
Fixed an issue where the Applications report (Monitor > Reports > Application Reports) listed untunneled as one of the top HTTP applications even though no such application existed.
PAN-75724
Fixed an issue where the PAN-OS integrated User-ID agent allowed weak ciphers for SSL/TLS connections. With this fix, the User-ID agent allows only the following ciphers for SSL/TLS connections:
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-ECDSA-AES128-SHA256
  • DHE-RSA-AES256-SHA256
  • DHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA
  • ECDHE-ECDSA-AES256-SHA
  • ECDHE-RSA-AES128-SHA
  • ECDHE-ECDSA-AES128-SHA
  • DHE-RSA-AES256-SHA
  • DHE-RSA-AES128-SHA
  • AES256-SHA256
  • AES256-SHA
  • AES128-SHA256
  • AES128-SHA
PAN-75371
Fixed an issue where firewalls configured to perform destination NAT misidentified applications after incorrectly adding the public IP addresses of destination servers to the App-ID cache.
PAN-74880
Fixed an issue where retrieving threat packet captures took longer than expected through the web interface (Monitor > Logs > Threat) or PAN-OS XML API.
PAN-74366
Fixed an issue on the firewall and Panorama where the management server (mgmtserver) process restarted after you tried to filter a policy list (Policies > <policy_type>) based on specific strings such as 00 or 000.
PAN-74067
Fixed an issue in large-scale deployments where the User-ID process (useridd) stopped responding due to a loop condition because firewalls configured as User-ID agents repeatedly redistributed the same IP address-to-username mappings.
PAN-73933
Fixed an issue where the log receiver (logrcvr) process restarted due to a memory leak after the firewall performed a log query for correlation objects or reports and the query included the Threat Category field.
PAN-73711
Fixed an issue where firewalls configured as DHCP clients did not receive IP addresses from the DHCP server because the firewalls did not set the gateway IP address (giaddr) value to zero in DHCP client reply messages.
PAN-72495
Fixed an issue where PA-7000 Series firewalls intermittently dropped packets from GlobalProtect end users if the GlobalProtect IKE gateway used a local interface that was in a different security zone than the physical ingress interface.
PAN-72334
Fixed an issue where firewalls did not resume forwarding logs to Log Collectors after Panorama management servers in an HA configuration recovered from a split-brain condition.
PAN-69932
Fixed an issue where the Panorama web interface and CLI responded slowly when numerous NSX plugins were in progress.
PAN-69283
As an enhancement for controlling access to GlobalProtect portals and gateways (internal or external), even when user endpoints have valid authentication override cookies, PAN-OS now matches the users against the Allow List of authentication profiles (Device > Authentication Profile > <authentication_profile> > Advanced). Modifying the Allow List is an easy way to prevent unauthorized access by users who have valid cookies but disabled accounts.
PAN-69014
Fixed an issue where the Panorama management server did not display logs collected from PA-7000 Series firewalls assigned to a child device group of the Device Group selected in the Monitor tab of the web interface.
PAN-68363
Fixed an issue where logs exported in CSV format had misaligned columns.
PAN-62675
Fixed an issue where a firewall frequently and continuously refreshed username-to-group mappings.
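
The update-schedule threshold behaviour described under PAN-80465 can be modelled as follows. This is an added example, not PAN-OS code: the function names, the (version, release time) data model and the "age at least equal to the threshold" comparison are assumptions made for illustration, and the timestamps are constructed.

```python
from datetime import datetime, timedelta

LOOKBACK = 5  # the fix description says the last five release versions are checked


def eligible_newest_only(releases, threshold_hours, now):
    """Pre-fix behaviour as described: only the newest release is considered."""
    if not releases:
        return None
    version, released = max(releases)  # tuples compare on version first
    return version if now - released >= timedelta(hours=threshold_hours) else None


def eligible_with_lookback(releases, threshold_hours, now, lookback=LOOKBACK):
    """Post-fix behaviour as described: the latest of the last `lookback`
    versions whose age has reached the threshold, or None if none has."""
    threshold = timedelta(hours=threshold_hours)
    for version, released in sorted(releases, reverse=True)[:lookback]:
        if now - released >= threshold:
            return version
    return None


def daily_release_feed(newest_version, count, now, interval_hours=24):
    """Constructed feed: `count` releases, one every `interval_hours`,
    the newest published exactly one interval before `now`."""
    return [(newest_version - i, now - timedelta(hours=interval_hours * (i + 1)))
            for i in range(count)]


NOW = datetime(2017, 10, 1, 12, 0)  # constructed timestamp

# The scenario from the PAN-80465 text: 701 is 24 hours old, 700 is 72 hours old.
PAGE_EXAMPLE = [(701, NOW - timedelta(hours=24)), (700, NOW - timedelta(hours=72))]

if __name__ == "__main__":
    print("newest only  :", eligible_newest_only(PAGE_EXAMPLE, 48, NOW))
    print("with lookback:", eligible_with_lookback(PAGE_EXAMPLE, 48, NOW))
    # Releases every 24 hours against a 48-hour threshold: the newest never qualifies.
    feed = daily_release_feed(701, 7, NOW)
    print("daily feed   :", eligible_newest_only(feed, 48, NOW),
          eligible_with_lookback(feed, 48, NOW))
```

If the threshold is longer than the age of the fifth-newest release, the lookback still selects nothing, so a threshold should be set with the vendor's release cadence in mind.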
