PAN-OS 8.0.6 Addressed Issues
Fixed an issue where the WF-500 appliance failed to synchronize verdicts when more than 500 SHA-256 hash values required verdict checks.
Fixed an issue where a WildFire® two-node high availability (HA) cluster failed to recover from a split-brain condition.
Fixed an issue where WF-500 appliances running a PAN-OS® 8.0 release incorrectly allowed telnet access to the CLI on vm-interface, eth2, and eth3.
Fixed an issue on a WildFire appliance cluster with two controller nodes in an HA configuration where, under certain circumstances, synchronizing the controller node running configurations caused a validation error that prevented the configuration from committing on the peer controller.
When you ran the request high-availability sync-to-remote running-configuration command on one controller node, it overwrote the candidate configuration on the peer controller and committed the new (synchronized) configuration. However, if you then changed the configuration on the peer controller and committed the change, the commit failed and returned the following error: Validation Error: template unexpected here.
Fixed an issue where the firewall generated too many GTP state failure logs.
Fixed an issue where the log memory process (logd) stopped responding when Panorama received logs that were more than one week old.
Fixed an issue on the Panorama management server where combinations of reports and log queries intermittently produced a slow memory leak that caused memory-related errors such as commit failures.
Fixed an issue on firewalls in an active/active HA configuration where the firewall dataplane restarted after the all_pktproc process stopped responding due to an invalid ingress interface.
Fixed an issue on Panorama appliances in Panorama or Log Collector mode where an out-of-memory condition occurred because a memory leak in the reportd process raised CPU usage and swap memory.
Fixed an issue where firewalls in an HA configuration intermittently dropped DHCP packets.
Fixed a kernel issue that caused the firewall to reboot.
Fixed an issue where the firewall listed dynamic updates with a Type set to Unknown (Device > Dynamic Updates and Panorama > Dynamic Updates).
Fixed an issue on firewalls in an active/passive HA configuration where PAN-OS sent an unnecessary BGP withdrawn message to the BGP peer after the active firewall changed to a suspended HA state.
Fixed an issue on firewalls that authorized virtual system administrators through RADIUS Vendor-Specific Attributes (VSAs), including the PaloAlto-Admin-Access-Domain VSA, where the following error message displayed after administrators accessed Monitor > Logs in the web interface: syntax error at end of input.
Fixed an issue where PA-5200 Series firewalls did not populate the next-hop table based on your configured policy rules (Policies > Policy Based Forwarding).
Fixed an issue on PA-5200 Series firewalls where the Link Speed and Link Duplex settings of copper RJ-45 ports displayed as Unknown. With this fix, the settings correctly display as auto (automatic negotiation), which is the only available option for copper ports.
Fixed an issue where the firewall web service stopped responding after you configured credential phishing prevention (Objects > Security Profiles > URL Filtering > User Credential Detection).
Fixed an issue where PA-800 Series firewalls became unresponsive until you rebooted them, and the firewalls generated no logs from when they stopped responding to when they finished rebooting.
Fixed an issue where firewalls in an active/passive HA configuration stopped passing traffic when OSPF hello packets contained a duplicate router ID or when the passive peer leaked packets during a reboot.
Fixed an issue where the web portal landing page for GlobalProtect Clientless VPN became unresponsive due to a race condition between one user logging in to the GlobalProtect portal and another user requesting an update.
Fixed an issue on a VM-Series firewall on Azure where upgrading the PAN-OS version caused a process (vm_agent) to stop responding due to a bug in the Azure Linux Agent library (waagentlib) package.
Fixed an issue where users could not authenticate when you configured an authentication sequence containing an authentication profile based on RADIUS with challenge-response authentication.
Fixed an issue where VM-Series firewalls in an HA configuration experienced HA path monitoring failures and (in active/passive deployments) HA failover. This fix applies only to firewalls with Data Plane Development Kit (DPDK) disabled; the bug remains unresolved when DPDK is enabled (see PAN-84045 in the Known Issues).
Fixed an issue on the Panorama management server in an HA configuration where the passive HA peer did not display managed firewalls that you added to the active HA peer.
Fixed an issue where a process (vm_agent) on a VM-Series firewall on Azure stopped responding after an update was applied on Azure.
Fixed an issue where Panorama rebooted when receiving logs that contained non-UTF-8 characters.
Fixed an issue on firewalls in an active/passive HA configuration where, after HA failover, the dataplane restarted on the newly active firewall while processing GlobalProtect Clientless VPN traffic.
Fixed an issue on firewalls in an active/passive HA configuration where a link-monitoring failure caused a network outage after you enabled OSPF routing.
Fixed an issue where the log receiver (logrcvr) process randomly restarted during a content update while the firewall was forwarding logs.
Fixed an issue where firewalls didn't send queries for updated user mappings to User-ID agents; instead, the firewalls waited until the agents learned and forwarded new user mappings. By default with this fix, the firewall sends queries to the User-ID agents for unknown users. You can turn off the queries by running the persistent CLI command debug user-id query-unknown-ip off.
Fixed an issue on VM-Series firewalls where the dataplane restarted after you configured User-ID to collect IP address-to-username mappings from Active Directory servers.
Fixed an issue where PA-5000 Series and PA-3000 Series firewalls that were running low on memory briefly became unresponsive, stopped processing traffic, and stopped generating logs.
Fixed an issue where the Panorama management server did not push authentication enforcement objects to managed firewalls.
Fixed an issue where the Panorama management server stopped responding after you used a PAN-OS XML API call to rename a policy rule or object and you accidentally used its old name as the new name. With this fix, Panorama stops you from renaming a rule or object with its old name and displays an error message indicating this is not allowed.
Fixed an issue where the firewall incorrectly blocked URLs and generated false positives when users entered non-corporate passwords to access websites after you configured a URL Filtering profile to Use Domain Credential Filter (Objects > Security Profiles > URL Filtering > <URL_Filtering_profile> > User Credential Detection).
Fixed an issue where connection flapping between Log Collectors and firewalls running PAN-OS 8.0 prevented the firewalls from forwarding logs to the Log Collectors.
Fixed an issue where PA-7000 Series, PA-5200 Series, PA-5000 Series, PA-3060, and PA-3050 firewalls dropped ARP updates after a flood of exception messages.
Fixed an issue where a BFD link temporarily went down when you selected to Generate Tech Support File (Device > Support) or ran the show running appinfo2ip CLI command while the appinfo2ip cache was full (the cache stores application-specific IP address mapping information).
Fixed an issue where a firewall configured for route-monitoring sent ICMP messages with a ping ID of 0, which caused the firewall to drop the ping replies when you enabled zone protection.
Fixed an issue where blocking proxy sessions to enforce Decryption policy rules caused packet buffer depletion, which eventually resulted in packet loss.
Fixed an issue where the firewall intermittently categorized most URLs as unknown and dropped SSL ClientHello packets after you upgraded the firewall to a PAN-OS 8.0 release.
Fixed an issue where a Denial of Service (DoS) attack resulted in high CPU utilization on the firewall because it centralized session distribution on a single core instead of over all the cores.
Fixed an issue where, after you upgraded a Panorama management server and firewalls to PAN-OS 8.0, the firewalls ignored changes to IPSec tunnel configurations that Panorama pushed, and didn't display the Panorama template icons (gear icons) for those configurations.
Fixed an issue where the Panorama virtual appliance in Legacy mode intermittently stopped processing logs, which caused its firewall connections to flap.
Fixed an issue where the PA-850 firewall couldn't establish an IPSec tunnel because IKE phase 2 negotiation failed on a network with latency.
Fixed an issue on PA-3000 Series, PA-800 Series, PA-500, PA-220, PA-200, and VM-Series firewalls where QoS throughput dropped on interfaces configured to use a QoS profile with an Egress Max set to 0Mbps or more than 1,143Mbps (Network > Network Profiles > QoS Profile).
Fixed an issue where the Panorama management server restarted in maintenance mode after you configured an incomplete Admin Role profile through the CLI and then performed a Panorama commit.
Fixed an issue where the Panorama virtual appliance could not mount NFS storage because PAN-OS prepended an additional forward slash character to the configured NFS path, which made the path invalid (starting with //).
Fixed an issue on PA-5200 Series and PA-3000 Series firewalls where the dataplane restarted frequently because the all_pktproc process stopped responding in environments with a large amount of fragmented multicast traffic.
Fixed an issue where firewalls in a Layer 2 deployment with an HA configuration did not synchronize the media access control (MAC) address table between HA peers.
Fixed an issue where memory corruption caused the correlation engine process to restart.
Fixed an issue on a firewall configured to perform path monitoring for a static route on a VLAN subinterface where the firewall displayed the static route as down even though the destination IP address was reachable.
Fixed an issue on the Panorama management server where Commit > Commit and Push operations failed because the configd process was coring.
Fixed an issue on PA-7000 Series and PA-5200 Series firewalls where packet captures (pcaps) didn't include packets that matched predict sessions.
Fixed an issue where the firewall dataplane restarted while processing traffic after you enabled SSL Inbound Inspection but not SSL Forward Proxy decryption.
Fixed an issue where PA-7000 Series and PA-5200 Series firewalls in a hairpin virtual wire deployment dropped traffic when predict sessions were created. In a hairpin deployment, traffic crosses a firewall twice, in both directions, across the same virtual wire(s) in the same zones.
Fixed an issue on VM-Series firewalls where the all_task process stopped responding.
Fixed an issue on the Panorama management server where, after you renamed an object in a device group, a commit error occurred because policies in the child device groups still referenced the object by its old name.
Fixed an issue where BGP sessions between a gateway and a satellite in an LSVPN configuration started flapping after you upgraded the satellite to a PAN-OS 8.0 release.
Fixed an issue where pushing configurations from a Panorama management server running PAN-OS 8.0 or 7.1 to PA-7000 Series firewalls running PAN-OS 7.1 or 7.0 caused memory leaks.
Fixed an issue where the firewall stopped submitting samples to WildFire for analysis until you ran the debug wildfire reset dp-receiver CLI command.
Fixed an issue where IPSec tunnel phase 2 negotiations failed when attempting to connect to a remote peer when /32 traffic selectors were included in the configuration on the remote peer.
Fixed an issue where the delete admin-sessions username CLI command did not delete sessions for the specified user.
Fixed an issue on the firewall and Panorama management server where a memory leak caused several operations to fail, such as commits, FQDN refreshes, and content updates.
Fixed an issue where a PA-500 firewall remained in a booting loop when you tried to access maintenance mode.
A security-related fix was made to prevent remote code execution through the firewall Management (MGT) interface (CVE-2017-15944).
Fixed an issue where PA-5200 Series firewalls performed slowly for traffic involving session offloading because the firewalls populated the next hop table incorrectly after receiving incorrect source MAC (SMAC) addresses in incoming packets.
Fixed an issue where PA-3020 firewalls intermittently dropped sessions and displayed resources-unavailable in Traffic logs when a high volume of threat traffic depleted memory. With this fix, PA-3020 firewalls have more memory for processing threat traffic.
Fixed an issue where connections that the firewall handles as an Application Level Gateway (ALG) service were disconnected when destination NAT and decryption were enabled. This fix applies only when the ALG service does not change packet lengths before and after NAT translation.
Fixed an issue where the firewall dataplane restarted because the all_pktproc process suddenly started losing heartbeats.
Fixed an issue where the firewall flooded System logs with the following message: Traffic and logging are resumed since traffic-stop-on-logdb-full feature has been disabled.
Fixed an issue where the Panorama management server incorrectly displayed the job status as failed for a successful installation of a PAN-OS software update on firewalls.
Fixed an issue on the PA-820 firewall where the dataplane restarted while processing HTTPS traffic after you configured a URL Filtering profile to Use Domain Credential Filter (Objects > Security Profiles > URL Filtering > <URL_Filtering_profile> > User Credential Detection).
Fixed an issue where, on PA-7000 Series and PA-5200 Series firewalls that had NAT policy rules with the Translation Type set to Dynamic IP (Policies > NAT > <policy_rule> > Translated Packet), sessions were stuck in an OPENING state for fragmented packets.
Fixed an issue on M-Series appliances where the Panorama web interface didn't display logs in the Monitor tab after you updated the appliances to PAN-OS 8.0.3 or a later 8.0 release.
Fixed an issue where PA-7000 Series and PA-5200 Series firewalls restarted after you set the source interface to an invalid option (Any, Use default, or MGT) for a NetFlow service route (Device > Setup > Services > Service Route Configuration). With this fix, the firewall displays a commit error to indicate you cannot set the source interface to an invalid option.
Fixed an issue where firewalls intermittently failed to forward logs to Panorama after you configured Panorama as a log forwarding destination.
Fixed an issue where, after a PAN-OS upgrade, packet buffer and descriptor utilization spiked and caused latency in network traffic.
Fixed an issue where, after using a Panorama management server running PAN-OS 8.0 to Force Template Values when pushing configurations to firewalls running an earlier PAN-OS release, FQDN refreshes failed on the firewalls.
Fixed an issue where the Panorama management server took longer than expected to populate source or destination address objects when you configured Security policy rules.
Fixed an issue on the Panorama management server where the Deploy Content dialog listed Log Collectors, not just firewalls, when the update Type was Apps and Threats (Panorama > Device Deployment > Dynamic Updates), even though Log Collectors can receive only Apps updates.
Fixed an issue where using the PAN-OS XML API to collect User-ID mappings caused slow responsiveness in the firewall web interface and CLI.
Fixed an issue where the Panorama management server could not deploy antivirus or WildFire updates to firewalls that already had later versions of the updates.
Fixed an issue where the firewall web interface displayed a down status for IKE phase 1 and phase 2 of an IPSec VPN tunnel that was up and passing traffic.
Fixed an issue where only administrators with the superuser dynamic role could run the show logging-status CLI command. With this fix, the command is available to administrators with dynamic or custom roles that have the permissions associated with the following role types: superuser, superreader, deviceadmin, devicereader (Device > Admin Roles > <admin_role_profile> > Command Line).
Fixed an issue where a commit failed after an application name was moved to a container application.
Fixed an issue on a firewall with multiple GlobalProtect portal connections where the dataplane restarted after proxy_flow_alloc process failures occurred.
Fixed an issue where managed firewalls disconnected from an M-500 appliance after a partial commit and temporarily disappeared from the Panorama > Managed Devices list.
Fixed an issue on the Panorama management server where dynamic address groups defined in child device groups didn't include matching address objects defined in the parent device groups.
Fixed an issue where a firewall acting as an OSPF area border router (ABR) and configured to suppress subnetworks learned in one area from advertising in another area still advertised those subnetworks.
Fixed an issue on firewalls in an active/passive HA configuration where, after you manually suspended an active HA firewall, it continued sending route withdrawn messages to BGP peers.
Fixed an issue where the Panorama ACC tab and custom reports displayed data as expected for all device groups when viewed simultaneously but displayed no data when you selected and tried to view data for only a specific device group.
Fixed an issue where the dataplane restarted after you enabled automatically-generated C2 signature matching (Objects > Security Profiles > Anti-Spyware).
Fixed an issue where the firewall failed to download a WF-Private content update and displayed the following error: Invalid content image, Failed to download file.
Fixed an issue where the firewall Reset both client and server after you set the Antivirus profile to default in a Security policy rule even though all WildFire actions in the default profile are set to allow (Policies > Security > <security_rule> > Actions).
Fixed an issue where, after using a Panorama management server running PAN-OS 8.0 to push threat exceptions from Objects > Security Profiles to firewalls running a release earlier than PAN-OS 8.0, the firewalls received invalid threat exceptions that were renamed to unknown and that retained the unique threat IDs from PAN-OS 8.0 instead of changing to the legacy threat IDs of the earlier PAN-OS release.
Fixed an issue where Panorama Log Collectors didn't receive logs from firewalls because the vldmgr process did not come up.
Fixed an issue where PA-800 Series firewalls displayed only the auto-negotiation option for the Link Speed and Link Duplex (transmission mode) of copper ports (Network > Interfaces > <interface> > Advanced). With this fix, the firewalls display all the options for copper ports: 10Mbps/half duplex, 10Mbps/full duplex, 100Mbps/half duplex, 100Mbps/full duplex.
Fixed an issue where the Panorama management server generated Configuration logs that stored the passwords for VMware NSX plugins as plaintext. With this fix, Panorama encrypts the stored passwords.
Fixed an issue on the Panorama management server and firewalls with multiple virtual systems where the Add button in Panorama > Monitor > Managed Custom Reports and Device > Monitor > Managed Custom Reports became unresponsive after you changed the Access Domain.
Fixed an issue where a PA-7000 Series firewall running PAN-OS 8.0.6 or an earlier PAN-OS 8.0 release stopped saving and displaying new logs due to a memory leak after a Panorama management server running a PAN-OS 8.0 or later release pushed a predefined report that specified a field that is unrecognized by the firewall running the earlier PAN-OS release (Monitor > Reports > Mobile Network Reports).
Fixed an issue on the Panorama management server where the output of the show logging status device <serial-number> CLI command did not display any data.
Fixed an issue where the User-ID process (useridd) stopped responding due to initialization errors.
Fixed an issue on the Panorama management server where Panorama > Managed Devices displayed the Shared Policy as Out of Sync for firewalls on which shared policy was actually in sync with Panorama.
Fixed an issue where the firewall failed to export certificates that included certain special characters ($, ', &, ", ;, and |) in PKCS12 format.
Fixed an issue in PAN-OS 8.0.2 to 8.0.5 releases where the firewall took longer than expected to Check Now for software or content updates (Device > Software/Dynamic Updates).
Fixed an issue where PAN-OS did not generate a System log to record which administrators ran the request restart system CLI command.
Fixed an issue where firewalls in an active/passive HA configuration with OSPF or BGP graceful restart enabled took longer than expected to fail over.
Fixed an issue with custom URL filtering where some characters in the URL that was accessed were transformed incorrectly when the URL was displayed on the Continue and Override response page. With this fix, ampersand and other special characters are transformed using percent-encoding (for example, & = %26).
Fixed an issue where the root partition ran out of space during generation of a tech support file when the output of the show user user-ids command was extremely large. With this fix, the data saved to the tech support file is modified to show only statistics instead of raw output, which prevents the output from this command from being so large that it fills up all available disk space.
Fixed an issue on Panorama M-Series and virtual appliances where commits failed when virtual memory was exceeded while Panorama was attempting to copy a large number of shared nodes and simultaneously generating device group-specific configurations.
Fixed an issue where incorrect IP addresses were added to the hardware block table when using a DoS Protection profile on zones with names longer than 15 characters.
A security-related fix was made to prevent the firewall Management (MGT) interface from becoming unavailable for legitimate use (CVE-2017-15942).
Fixed an issue where the PAN-OS XML API query for show session distribution policy resulted in an error message (An error occurred).
Fixed an issue where the Threat logs that Zone Protection profiles triggered for packet-type events did not record IMSI and IMEI values.
Fixed an issue where the firewall could not establish BGP connections using a loopback interface over a large-scale VPN tunnel between a GlobalProtect satellite and gateway.
Fixed an issue where a firewall that had a dynamic IP address for the Management (MGT) interface sent the IP address of the internal loopback address instead of the MGT interface as the network access server (NAS) IP address in RADIUS access requests.
Fixed an issue where you could not Enable or Disable correlation objects (Monitor > Automated Correlation Engine > Correlation Objects) on a firewall for which you did not enable Multiple Virtual Systems Capability (Device > Setup > Management).
Fixed an issue where policy rules ignored changes to the risk factor in Objects > Application Filters after you upgraded the firewall to PAN-OS 8.0.
Added debug enhancements to capture more details about IKE when third-party VPN clients use the X-AUTH feature.
Fixed an issue on PA-7000 Series firewalls where packet capture intermittently failed.
As an enhancement to the BGP fast failover feature, you can now use the set system setting fast-fail-over enable no CLI command to disable the feature (it's enabled by default) for the rare cases when it causes flapping on an unstable interface. When you disable the feature, the firewall automatically ends the BGP session with any adjacent external BGP peer immediately after the link fails (instead of waiting for the BGP hold timer to expire). With this fix, you can also re-enable the feature through the set system setting fast-fail-over enable yes CLI command.
Fixed an issue where tunnel-bound traffic was incorrectly routed through an ECMP route instead of a PBF route as expected.
Fixed an issue where firewalls in an HA active/passive configuration did not always synchronize sessions.
Fixed an issue where SSL Forward Proxy decryption failed for SSL/TLS websites that had unused certificate chains containing algorithms that PAN-OS did not support. With this fix, the firewall verifies only the certificate chains that the websites use.
Fixed an issue where, after logging in to GlobalProtect, end users could access the Firewall PAN-OS XML API without additional authentication.
Fixed an issue where a Panorama management server that was running low on memory lost some logs, processed log forwarding slowly, and lost connections to firewalls.
Fixed an issue where the mprelay process stopped responding when processing IPv6 neighbor discovery updates.
Fixed an issue on firewalls in an active/passive HA configuration where rebooting the passive HA peer caused its interfaces to flap.
Fixed an issue where the User-ID process stopped responding when a virtual system that didn’t have NTLM configured received NTLM requests.
Fixed an issue where administrators could download a tech support file (Device > Support) even when their administrative roles did not have the corresponding privilege enabled.
Fixed an issue where a firewall with a disk full condition could not connect to WildFire or the PAN-DB cloud after a management process restarted. The show wildfire status CLI command displayed the following message: Unable to authenticate remote CA certificate.
Fixed an issue where the Panorama web interface displayed an error when you tried to create a new SSL/TLS server profile while configuring a Log Collector (Panorama > Managed Collectors > <Log_Collector> > Communication).
Fixed an issue where SSL decryption failed when the destination server provided a large certificate chain such that the firewall had to process a request exceeding 8,188 bytes. With this fix, the firewall has a larger buffer to accommodate requests containing large certificate chains.
Fixed an issue on PA-5200 Series firewalls where you could not configure QoS on a subinterface because subinterfaces didn't display in the Source Interface drop-down (Network > QoS > <QoS_interface> > Clear Text Traffic).
Fixed an issue where the Panorama management server took longer than expected to display Traffic logs for specific device groups.
Fixed an issue in an HA active/passive configuration where the HA sync task did not completely remove the configuration for an ethernet1/x node on one peer firewall when ethernet1/x on the second peer firewall was empty (not configured) and that second peer firewall initiated the HA sync.
Fixed an issue on firewalls in an active/passive HA configuration where a link-monitoring failure caused a delay in OSPF convergence on the firewall that became active after HA failover.
Fixed an issue where the firewall did not record the sender or recipient in WildFire Submission logs for emails in which the header had no white space character between the display name and the email address.
As an enhancement for generating reports that span multiple days, PAN-OS now generates such reports quicker and compresses them in storage so that you can save more reports.
Fixed an issue where PA-7000 Series firewalls that ran a large number of scheduled daily reports (near 1,000 or more) eventually experienced a memory issue that caused CLI commands to fail and ultimately caused SSH connection attempts to the management IP address to fail also.
Fixed an issue on PA-7000 Series firewalls in an HA configuration where the HA data link (HSCI) interfaces intermittently failed to initialize properly during bootup.
Fixed an issue where administrators with custom roles could not perform packet captures or download and install software and content updates.
Fixed an issue where enabling or disabling BFD for BGP, or changing a BFD profile that a BGP peer used, caused the connection to the BGP peer to flap.