PAN-OS 8.0.5 Addressed Issues
Fixed an issue where a firewall with GTP Security enabled (Device > Setup > Management > General Settings) did not mark a GTP control message packet as invalid when the packet payload had multiple access point names (APN).
Fixed an issue where a memory leak caused commit failures with the following error message: Threat database handler failed.
Fixed an issue where the firewall prevented file transfers over HTTPS when the session offload feature was enabled.
Fixed an issue where VM-Series firewalls dropped traffic on interfaces with QoS enabled due to QoS timeouts.
Fixed an issue on M-Series appliances in Panorama mode where running scheduled reports caused a memory leak that resulted in errors such as commit failures and process termination.
Fixed an issue on PA-5200 Series firewalls where the dataplane restarted because the flow_ctrl process stopped responding during heavy IPv6 traffic when the firewall interface that handled the traffic had 32,000 or more Neighbor Discovery Protocol (NDP) entries (Network > Interfaces > <interface_configuration> > Advanced > ND Entries).
Fixed an issue where an OSPFv3 not-so-stubby area (NSSA) update for an IPv6 default route caused the routed process to stop responding.
Fixed an issue on PA-3000, PA-5000, PA-5200, and PA-7000 Series firewalls where heavy IPv6 traffic caused session offloading to fail, which reduced throughput.
Fixed an issue on PA-5200 Series and PA-7000 Series firewalls where traffic delays occurred due to packet buffer congestion after the all_pktproc process stopped responding because of an incorrect Policy Based Forwarding (PBF) policy rule ID that referenced an invalid egress interface.
Fixed an issue on PA-5220 and PA-5250 firewalls running PAN-OS 8.0.4 where the dataplane restarted multiple times after the all_pktproc process stopped responding due to memory pool exhaustion.
Fixed an issue where errors associated with a Commit > Commit All Changes operation caused FQDN refresh operations to fail on the firewall. With this fix, commit failures don't cause FQDN refresh failures.
Fixed an issue where a firewall intermittently dropped packets when an internal communication link failed to initialize.
Fixed an issue where web pages accessed through GlobalProtect Clientless VPN did not load properly.
Fixed an issue where a firewall in FIPS/CC mode intermittently switched to maintenance mode.
Fixed an issue on the PA-500 firewall where OSPF was stuck in a loading state when OSPF neighbors connected over a tunnel interface.
Fixed an issue where client systems could use a translated IP address-and-port pair for only one connection even if you configured the Dynamic IP and Port (DIPP) NAT Oversubscription Rate to allow multiple connections (Device > Setup > Session > Session Settings > NAT Oversubscription). This issue is fixed on all firewall models except the PA-7000 Series and PA-5200 Series firewalls (see PAN-84488).
Fixed an issue on firewalls with Captive Portal enabled where Authentication policy blocked any non-HTTP applications.
Fixed an issue where, after upgrading from PAN-OS 7.1 to PAN-OS 8.0, the Panorama management server did not convert Threat logs into URL Filtering or Data Filtering logs when you had log forwarding filters based on severity levels.
Fixed an issue on Panorama appliances in Panorama or Log Collector mode where an out-of-memory condition occurred because a memory leak in the reportd process raised CPU usage and swap memory.
Fixed an issue where the firewall stopped uploading files to WildFire after you enabled Passive DNS Monitoring (Device > Setup > Telemetry).
Fixed an issue on a firewall with multiple virtual systems where policy rules defined for a specific virtual system could not access shared EDL objects.
Fixed an issue where an end user could not use Kerberos single sign-on to authenticate to the GlobalProtect portal or gateway when user membership in many Kerberos groups resulted in an HTTP header that exceeded the size that the firewall allowed. With this fix, the firewall allows a larger size for HTTP headers.
Fixed an issue where PAN-OS never performed the Action configured in an update schedule on a firewall (Device > Dynamic Updates > <update_type_schedule>) or a Panorama management server (Panorama > Dynamic Updates > <update_type_schedule>) when the Threshold age for updates exceeded the frequency at which Palo Alto Networks released the updates. For example, if you configured the firewall with a threshold of 48 hours for Applications and Threats content updates but Palo Alto Networks released successive content updates every 24 hours, the latest update would never reach the 48-hour age threshold required to trigger the specified action. With this fix, PAN-OS checks the last five content release versions, instead of just the newest version, and performs the action for the latest version that matches the threshold you specified. For example, if content update version 701 is available for 24 hours and version 700 is available for 72 hours, and you set the threshold to 48 hours for Applications and Threats content updates, PAN-OS performs the action for version 700. PAN-OS checks the last five content release versions for Antivirus updates also.
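The selection rule in the update-schedule fix above can be modelled as follows. This is an added example, not PAN-OS code: the `Release` type, the function names, and the assumption that a higher version number means a newer release are all hypothetical, and the sample data is constructed. It also shows a case the text implies: a threshold longer than the age of the fifth-newest release still matches nothing.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

LOOKBACK = 5  # the release note says the last five content release versions are checked


@dataclass(frozen=True)
class Release:
    version: int      # content release version, e.g. 701 (assumed: higher = newer)
    age_hours: float  # how long the release has been available


def pick_before_fix(releases: Iterable[Release], threshold_hours: float) -> Optional[Release]:
    """Behaviour described as the bug: only the newest release is tested."""
    releases = list(releases)
    if not releases:
        return None
    newest = max(releases, key=lambda r: r.version)
    return newest if newest.age_hours >= threshold_hours else None


def pick_after_fix(releases: Iterable[Release], threshold_hours: float,
                   lookback: int = LOOKBACK) -> Optional[Release]:
    """Behaviour described as the fix: newest of the last `lookback`
    releases whose age has reached the threshold."""
    recent = sorted(releases, key=lambda r: r.version, reverse=True)[:lookback]
    for rel in recent:  # newest first
        if rel.age_hours >= threshold_hours:
            return rel
    return None


# Constructed sample data: the two releases from the release note's example.
PAGE_EXAMPLE = [Release(701, 24), Release(700, 72)]
# Constructed sample data: one release every 24 hours (701 is 24h old, 694 is 192h old).
DAILY = [Release(701 - i, 24 * (i + 1)) for i in range(8)]

if __name__ == "__main__":
    for threshold in (48, 120, 144):
        old = pick_before_fix(DAILY, threshold)
        new = pick_after_fix(DAILY, threshold)
        print(f"threshold={threshold}h  before fix: {old}  after fix: {new}")
```

In this model, a daily release cadence with a 144-hour threshold selects nothing, because the only release that old falls outside the five-version window.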
Fixed an issue where firewalls that were deployed in an active/passive high availability (HA) configuration and that acted as DHCP relay agents used physical MAC addresses instead of HA virtual MAC addresses for DHCP packets.
Fixed an issue where the snmpd process restarted due to a memory leak that caused it to exceed the virtual memory limit.
As an enhancement on VM-Series firewalls, you can now enable or disable Data Plane Development Kit (DPDK) mode during the bootstrap process. DPDK enhances firewall performance by increasing the packet processing speed of network interface cards (NICs). To enable DPDK, add the op-cmd-dpdk-pkt-io=on command to the init-cfg.txt bootstrap configuration file. If you disable DPDK by adding the op-cmd-dpdk-pkt-io=off command, the firewall uses Packet_mmap mode instead.
Fixed an issue where end users could not send email because the all_pktproc process stopped responding after the firewall tried to process an empty filename in email traffic.
Fixed an issue on Panorama where scheduled custom reports returned no data.
Fixed an issue where VM-Series firewalls for VMware NSX did not register on Panorama when they belonged to a device group that contained applications from a content release version that was newer than the version included with the PAN-OS software image for fresh installations.
Fixed an issue where a spike in dataplane memory utilization caused bus errors and caused the dataplane and control plane to restart until you rebooted the firewall.
Fixed an issue where commit operations failed and the firewall became unresponsive after responding to SNMP queries associated with certain OIDs that triggered an snmpd memory leak.
Fixed an issue on VM-Series firewalls on Azure where dataplane interfaces did not come up as expected because they did not successfully negotiate Layer 2 settings during bootup.
Fixed an issue where VM-Series firewalls did not successfully apply pre-licensed serial numbers for Cloud Security Service Provider (CSSP) licenses.
Fixed an issue on firewalls in an HA configuration where HA path monitoring failed when the Ping Interval had a low value, such as 600ms (Device > High Availability > Link and Path Monitoring > <path_group_configuration>).
Fixed an issue where commits took longer to complete than expected on firewalls with hundreds of policy rules that referenced application filters or application groups that specified thousands of applications.
Fixed an issue where VM-Series firewalls deleted logs when you upgraded the base system disk from 40GB to 60GB.
Fixed an issue where VM-Series firewalls for Hyper-V that used VLAN tagging dropped Ethernet frames that exceeded 1,496 bytes.
Fixed an issue on PA-500 firewalls in an HA configuration where the HA1 interface went down due to a missed HA1 heartbeat.
Fixed an issue where the Panorama management server delayed the display of new firewall logs because the logd process consumed too much memory.
Fixed an issue where a Panorama management server running PAN-OS 8.0 did not display logs that were related to VPN tunnels or authentication and that were collected from PA-7000 Series firewalls running PAN-OS 7.1 or an earlier release.
Fixed an issue where the Panorama management server intermittently became unresponsive due to errors in the configd process.
Fixed an issue where the firewall dropped packets that were destined for IP address FD00::/8 when you configured a Zone Protection profile with a Strict IP Address Check (Network > Network Profiles > Zone Protection > Packet Based Attack Protection > IP Drop). With this fix, FD00::/8 is no longer a reserved IP address.
Fixed an issue where the Panorama virtual appliance in Legacy mode purged older Traffic logs even when space was available to store new logs.
Fixed an issue where, after you upgraded a firewall to PAN-OS 8.0, it forwarded the same logs to a syslog server multiple times instead of once.
Fixed an issue where the authentication process (authd) stopped responding when a third-party device blocked the transmission of authentication packets between the firewall and an LDAP server. With this fix, authentication fails without authd becoming unresponsive when a third-party device blocks LDAP authentication packets.
Fixed an issue where a firewall with ECMP enabled on a virtual router (Network > Virtual Routers > Router Settings > ECMP) did not load balance the traffic among egress interfaces when the traffic originated from another virtual router.
Fixed an issue on Panorama in NSX deployments where dynamic address updates took several minutes to complete.
Fixed an issue on PA-7000 Series firewalls where the mprelay process stopped responding due to a memory leak on the management plane.
Fixed an issue where Dedicated Log Collectors did not forward logs to a syslog server over TCP.
Fixed an issue where the web interface displayed no information in the Previous User tab (Network > GlobalProtect > Gateways > Remote Users: Info column).
Fixed an issue on a Panorama management server running PAN-OS 8.0 where an administrator with a custom role who accessed the Context of a managed firewall running PAN-OS 7.1 or an earlier release could not commit changes on that firewall.
Fixed an issue where the PA-220 firewall incorrectly displayed packet descriptor utilization as 51% even when the firewall was not processing traffic.
Fixed an issue where the PA-220 firewall did not send the correct interface indexes to NetFlow collectors, which prevented it from forwarding IP traffic statistics for analysis.
Fixed an issue where the firewall discarded sessions that required the TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 cipher for SSL decryption.
Fixed an issue on the PA-3020 firewall where SSL connections failed due to memory allocation issues if you configured a Decryption profile with Key Exchange Algorithms that included ECDHE (Objects > Decryption Profile > <decryption_profile> > SSL Protocol Settings).
Fixed an issue on PA-5000 Series firewalls where insufficient memory allocation caused SSL decryption errors that resulted in SSL session failures, and the firewall displayed the reason in Traffic logs as decrypt-error or decrypt-cert-validation.
Fixed an issue on firewalls with multiple virtual systems where custom spyware signatures worked only on vsys1 (Objects > Custom Objects > Spyware).
Fixed an issue on PA-5000 Series firewalls where using the web interface to display QoS Statistics (Network > QoS) caused the control plane and dataplane to restart due to a memory leak.
Fixed an issue where the Panorama management server retained the threshold value for update schedules (Device > Dynamic Updates > <update_type_schedule>) in a template stack even after you removed the value from templates in the stack.
Fixed an issue where the logs for the VM Monitoring Agent did not indicate the reason for events that cause it to exit. With this fix, the logs display debug-level details when the VM Monitoring Agent exits.
Fixed an issue where configuring an aggregate interface group with interfaces of different media (such as copper and fiber optic) caused a commit failure. With this fix, an aggregate interface group can have interfaces with different media.
Fixed an issue where the dataplane restarted because the firewall used incorrect zone identifiers for deleting flows when untagged subinterfaces had parent interfaces with no zone assignment.
Fixed an issue where the Applications report (Monitor > Reports > Application Reports) listed untunneled as one of the top HTTP applications even though no such application existed.
Fixed an issue where the PAN-OS integrated User-ID agent allowed weak ciphers for SSL/TLS connections. With this fix, the User-ID agent allows only the following ciphers for SSL/TLS connections:
Fixed an issue where firewalls configured to perform destination NAT misidentified applications after incorrectly adding the public IP addresses of destination servers to the App-ID cache.
Fixed an issue where retrieving threat packet captures took longer than expected through the web interface (Monitor > Logs > Threat) or PAN-OS XML API.
Fixed an issue on the firewall and Panorama where the management server (mgmtserver) process restarted after you tried to filter a policy list (Policies > <policy_type>) based on specific strings such as 00 or 000.
Fixed an issue in large-scale deployments where the User-ID process (useridd) stopped responding due to a loop condition because firewalls configured as User-ID agents repeatedly redistributed the same IP address-to-username mappings.
Fixed an issue where the log receiver (logrcvr) process restarted due to a memory leak after the firewall performed a log query for correlation objects or reports and the query included the Threat Category field.
Fixed an issue where firewalls configured as DHCP clients did not receive IP addresses from the DHCP server because the firewalls did not set the gateway IP address (giaddr) value to zero in DHCP client reply messages.
Fixed an issue where PA-7000 Series firewalls intermittently dropped packets from GlobalProtect end users if the GlobalProtect IKE gateway used a local interface that was in a different security zone than the physical ingress interface.
Fixed an issue where firewalls did not resume forwarding logs to Log Collectors after Panorama management servers in an HA configuration recovered from a split-brain condition.
Fixed an issue where the Panorama web interface and CLI responded slowly when numerous NSX plugins were in progress.
As an enhancement for controlling access to GlobalProtect portals and gateways (internal or external), even when user endpoints have valid authentication override cookies, PAN-OS now matches the users against the Allow List of authentication profiles (Device > Authentication Profile > <authentication_profile> > Advanced). Modifying the Allow List is an easy way to prevent unauthorized access by users who have valid cookies but disabled accounts.
Fixed an issue where the Panorama management server did not display logs collected from PA-7000 Series firewalls assigned to a child device group of the Device Group selected in the Monitor tab of the web interface.
Fixed an issue where logs exported in CSV format had misaligned columns.
Fixed an issue where a firewall frequently and continuously refreshed username-to-group mappings.