PAN-OS 8.0.8 Addressed Issues

Issue ID
Description
PAN-89718
Fixed an issue where PA-7000 Series firewalls rebooted continuously because the brdagent process stopped responding during bootup due to HSCI interface initialization.
PAN-89697
Fixed an issue on the Panorama™ virtual appliance where the NFS mount failed during system bootup.
PAN-89650
Fixed an issue where the Panorama management server did not push default Security policy rule settings (Policies > Security > Default Rules) to firewalls when the settings were inherited from a parent device group.
PAN-89646
Fixed an issue where firewalls rebooted continuously because the routed process stopped responding after the Panorama management server pushed invalid configurations to the firewalls. With this fix, Panorama performs an additional sanity check during push operations that causes the operations to stop with errors instead of making routed unresponsive.
PAN-89575
Fixed an issue where the firewall intermittently dropped traffic after failing to decrypt it due to proxy memory depletion.
PAN-89556
Fixed an issue where, after an administrator with the read-only superuser role changed his or her password and then an administrator with the superuser role performed a partial commit, neither administrator could authenticate to the firewall.
PAN-89349
Fixed an issue on firewalls in an active/active high availability (HA) configuration where the primary firewall, with a floating IP address bound to it, sent ARP probes containing the MAC address of the secondary firewall instead of the primary. Sending ARP probes with the incorrect MAC address caused the secondary firewall to drop traffic.
PAN-89176
Fixed an issue where firewalls in an HA configuration did not map IP addresses to the usernames of GlobalProtect™ end users because the User-ID™ manager (idmgr) on the active firewall continuously reset after reaching its maximum capacity for User-ID information (such as user mappings and group mappings).
PAN-89169
Fixed an issue on VM-Series firewalls in an HA configuration where HA path monitoring failed and triggered failover.
PAN-88981
Fixed an issue where the firewall failed to generate reports based on URL Filtering logs due to a syntax error when the logs contained single quotation mark characters (').
PAN-88953
Fixed an issue where a Panorama management server in an HA configuration became unresponsive after initiating HA synchronization.
PAN-88882
Fixed an issue on the Panorama management server where the web interface displayed a 502 bad gateway error and the configd process stopped responding after you selected the more option for a dynamic address group in a Security policy rule (Policies > Security > <rule_type> > <rule> > Source/Destination).
PAN-88809
Fixed an issue where FQDN refresh operations produced a Not Resolved error because the DNS proxy engine incorrectly stopped converting ASCII encoded characters at the second-last character instead of the last character.
PAN-88671
As an enhancement to PA-5200 Series firewalls, you can now disable or enable (default) L4 checksum checking by running the new set system setting layer4-checksum {disable | enable} CLI command and then rebooting the firewall. Disabling the checking enables the firewall to allow packets it would otherwise drop when some wireless access points add a VSS-monitoring Ethernet trailer (6 bytes) to HTTP request packets.
PAN-88507
Fixed an issue where firewall performance degraded because ICMP ping packets associated with static route monitoring caused a hardware buffer leak.
PAN-88474
Fixed an issue where session offloading failed because offloaded packets related to Policy-Based Forwarding (PBF) used the incorrect PBF return MAC address.
PAN-88456
Fixed an issue where firewalls did not refresh FQDN objects during the initial boot-up phase of the bootstrapping process.
PAN-88213
Fixed an issue where firewalls that had ECMP and session offloading enabled sent offloaded traffic to the incorrect next hop.
PAN-87880
Fixed an issue where root partition utilization approached the maximum capacity because the firewall did not remove WildFire® download logs that were due for removal.
PAN-87481
Fixed an issue where SNMP managers did not display object identifiers (OIDs) for the Ethernet1/3, Ethernet1/4, and Ethernet1/5 interfaces of M-500 appliances.
PAN-87215
Fixed an issue where a Panorama management server in an HA configuration generated group mapping synchronization errors because the passive HA peer did not verify whether the Enable reporting and filtering on groups option was disabled (Panorama > Setup > Management: Panorama Settings).
PAN-87147
As an enhancement for GlobalProtect gateways, you can now add up to 100 DNS suffixes instead of 10 for resolving the unqualified hostnames of GlobalProtect clients (Network > GlobalProtect > Gateways > <gateway> > Agent > Network Services).
PAN-87122
Fixed an issue where running the clear session all filter source CLI command eleven or more times simultaneously caused Bidirectional Forwarding Detection (BFD) flapping.
PAN-86882
Fixed an issue where the firewall dataplane slowed significantly and, in some cases, stopped responding if you used nested wildcards (*) with "." or "/" as delimiters in the URLs of a custom URL category (Objects > Custom Objects > URL Category) or in the Allow List of a URL Filtering profile (Objects > Security Profiles > URL Filtering > <URL-filtering-profile> > Overrides). With this fix, the firewall does not allow you to use nested wildcards in such cases. For details, see how Nested Wildcard in URLs May Severely Affect Performance.
PAN-86814
Fixed an issue where the Panorama management server displayed more policy rules than were applicable to the targeted Device when you selected to Preview Rules.
PAN-86676
Fixed an issue on firewalls configured as DHCP servers and deployed in an HA configuration where, after HA failover, commits failed and the following error message displayed: Management server failed to send phase 1 to client dhcpd.
PAN-86671
Fixed an issue where firewalls that had tunnel inspection enabled for GTP-U traffic did not generate END entries in Tunnel Inspection logs after the GTP-U sessions cleared.
PAN-86595
Fixed an issue on M-Series appliances in Panorama mode in an active/passive HA configuration where commit jobs were stuck at 99% and all subsequent jobs entered a pending state.
PAN-86115
Fixed an issue where PA-7000 Series firewalls intermittently displayed incorrect usernames for Traffic logs.
PAN-86076
As an enhancement to improve security for GlobalProtect deployments, the GlobalProtect portal now includes the following HTTP security headers in responses to end user login requests: X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy.
PAN-85650
Fixed an issue on firewalls with multiple virtual systems where SSL decryption failed when you installed the Forward Trust Certificate in a specific virtual system instead of in the Shared location.
PAN-85515
Fixed an issue on PA-7000 Series and PA-5200 Series firewalls with NetFlow monitoring configured where dataplanes restarted because too many processes stopped responding.
PAN-85456
Fixed an issue where switching firewalls to FIPS-CC mode set the Base DN to None and disabled the Verify Server Certificate for SSL sessions option for LDAP server profiles that you viewed or edited in the web interface (Device > Server Profiles > LDAP).
PAN-85103
Fixed an issue where the Panorama management server stopped communicating with firewalls when the incoming log rate from firewalls exceeded the capacity of the Panorama buffers.
PAN-85066
Fixed an issue where, after the Panorama management server pushed configurations to a firewall, the firewall restarted because its cordd process stopped responding.
PAN-84806
Fixed an issue where firewalls in an active/active HA configuration enforced user-based policies inconsistently because port-to-username mappings did not synchronize between the primary and secondary HA peers.
PAN-84752
Fixed an issue where the firewall rebooted repeatedly because the User-ID process (useridd) stopped responding after you committed a mobile device management (MDM) configuration that failed to connect the firewall to the MDM (Network > GlobalProtect > MDM).
PAN-84703
Fixed an issue where pushing a custom application named http or smb (Objects > Applications) from the Panorama management server to firewalls interfered with antivirus detection on the firewalls.
PAN-84445
Fixed an issue where the firewall intermittently misidentified the App-ID for SSL applications. This issue occurred when a server hosted multiple applications on the same port, and the firewall identified traffic for an application using this port on the server and then inaccurately recorded other applications on this server-port combination as the previously identified application. The fix requires running the set application use-appid-cache-ssl-sni no CLI command to disable the SSL-based App-ID cache.
PAN-84406
Fixed an issue where, on a firewall configured to collect username-to-group mappings from multiple LDAP servers over SSL/TLS-secured connections (Device > Server Profiles > LDAP), the firewall rebooted because the User-ID process (useridd) restarted several times during initialization.
PAN-84219
Fixed an issue on PA-7000 Series firewalls where the logrcvr process had a memory leak.
PAN-84000
Fixed an issue on the Panorama management server where, after you pushed device group settings without template settings to managed firewalls, Panorama excluded template files when you used the scp export device-state CLI command to export configurations.
PAN-83937
Fixed an issue where the VM-500 firewall stopped generating GTP logs when the session table reached 75% utilization.
PAN-83909
Fixed an issue where the WF-500 appliance sent ICMP unreachable messages from the VM Interface to the Management interface.
PAN-83495
Fixed an issue where SaaS Application Usage reports did not Include logs from the Selected Zone that you specified when configuring the report (Monitoring > PDF Reports > SaaS Application Usage).
PAN-83270
Fixed an issue where firewalls generated System logs with cipher decrypt-final failure messages after switching from normal operational mode to FIPS-CC mode.
PAN-83153
Fixed an issue where a Panorama virtual appliance in Legacy mode that was deployed in an HA configuration did not receive logs forwarded from PA-7000 Series and PA-5200 Series firewalls.
PAN-83014
Fixed an issue on the Panorama management server where the Task Manager closed when you set the Show drop-down to All jobs after a Commit > Commit and Push operation generated errors and warnings.
PAN-82949
Fixed an issue where commits failed because the routed process did not delete DHCP-assigned IP addresses that you removed from firewall interfaces.
PAN-82413
Fixed an issue where the Panorama web interface displayed serial numbers instead of device names when you scheduled an update to install on firewalls or Log Collectors, set the Type to Applications and Threats, and set the Recurrence to Hourly or Every 30 mins (Panorama > Device Deployment > Dynamic Updates > Schedules > <schedule>).
PAN-82370
Fixed an issue where Android endpoints could not establish VPN tunnels to GlobalProtect gateways that you configured to Enable X-Auth Support (Network > GlobalProtect > Gateways > <gateway> > Agent > <agent> > Tunnel Settings). With this fix, GlobalProtect gateways use SHA1 first in the order of HMAC algorithms used for authenticating endpoints that use X-Auth.
PAN-82321
Fixed an issue where the firewall rebooted because the User-ID process (useridd) stopped responding after you performed clone or shutdown operations on VMware vCenter.
PAN-82138
Fixed an issue where, after you downgraded from PAN-OS® 8.0 to PAN-OS 7.1, firewalls without direct internet access did not display software images in the web interface (Device > Software) or CLI regardless of whether you downloaded the images from the Palo Alto Networks® Update Server (at an earlier time when the firewalls had internet access) or manually uploaded the images from another system.
PAN-82105
Fixed an issue where attempting to commit a configuration that was invalid because different interfaces had overlapping subnetworks produced a commit error message that indicated duplicate IP addresses instead of the actual error condition.
PAN-82103
Fixed an issue where VM-Series firewalls on NSX failed to install content updates retrieved from the Panorama management server.
PAN-82091
Fixed an issue where PA-220 firewalls did not provide an SNMP object identifier (OID) for system disk usage.
PAN-82048
Fixed an issue on the Panorama management server where configuring a Panorama > Scheduled Config Export based on FTP but with some fields unpopulated caused Panorama to use its default local host certificate instead of the SSL/TLS Service Profile for administrative access to the web interface (Panorama > Setup > Management).
PAN-81689
Fixed an issue where the test vpn ipsec-sa tunnel <tunnel-name>:<proxy-id-name> CLI command failed when the tunnel Name and Proxy ID values collectively exceeded 32 characters (Network > IPSec Tunnels > <tunnel> > Proxy IDs). With this fix, the firewall allows 64 characters for the combined Name and Proxy ID values.
PAN-81637
Fixed an issue on VM-Series firewalls in Data Plane Development Kit (DPDK) mode where the all_task, mprelay, and pan_dha processes stopped responding.
PAN-81632
Fixed an issue where the show predefined xpath /predefined/threats CLI command did not display threat identifiers.
PAN-81416
Fixed an issue where the Panorama management server did not display logs from PA-5000 Series or PA-7000 Series firewalls, did not display scheduled reports that included IP address fields, and did not email those reports.
PAN-81243
Fixed an issue on PA-200, PA-220, and PA-800 Series firewalls where specifying a Life Time for a master key (Device > Master Key and Diagnostics) caused the key expiration and reminder dates to have incorrect values.
PAN-81102
Fixed an issue where the tftp export stats-dump CLI command failed to generate a Stats Dump file and displayed the following error: Failed to redirect error to /var/log/pan/report_gen.log (Permission denied).
PAN-81050
Fixed an issue on M-Series appliances, PA-7000 Series firewalls, and PA-5000 Series firewalls where the disk-failed, disk-faulty, and pair-disappeared RAID events had only a medium severity level in System logs. With this fix, these events have a critical severity level.
PAN-80908
Fixed an issue where administrators with the device administrator role did not have the role privileges required to run the scp import software CLI command.
PAN-80889
Fixed an issue where a Panorama management server deployed behind a NAT device could not manage firewalls running PAN-OS 8.0. With this fix, you must run a new operational mode CLI command on a Panorama management server that is behind a NAT device, runs PAN-OS 8.0 or a later release, and manages firewalls running PAN-OS 8.0 or a later release. The CLI command is set dlsrvr server <FQDN>, where <FQDN> is the FQDN of the Panorama Management interface.
PAN-79367
Fixed an issue where endpoints could not authenticate to a GlobalProtect portal through client certificate authentication due to an incorrect certificate status when the portal used a Certificate Profile that specified Online Certificate Status Protocol (OCSP) to validate certificates (Network > GlobalProtect > Portals > <portal> > Authentication).
PAN-79113
Fixed an issue where, when you used the PAN-OS XML API to request updated port-to-username mappings from a multi-user terminal server after end users logged out, and the request specified an invalid IP address for the terminal server, the response had an incomplete error message that did not indicate the invalid IP address.
PAN-78015
Fixed an issue on a Panorama management server in an HA configuration where, in rare cases, the virtual machine (VM) auth key disappeared after you rebooted the active HA peer.
PAN-77648
Fixed an issue where the show system state filter-pretty sw.dev.interface.config CLI command did not display the MAC address (hwaddr) or maximum transmission unit (mtu) for aggregate Ethernet interfaces.
PAN-77519
As an enhancement to enable comparing SNMP output with CLI output for the rate of interface connections established per second (CPS), the show counter interface CLI command displays the following new counters: TCP CPS, UDP CPS, and other CPS (for all non-TCP and non-UDP connections).
PAN-77116
Fixed an issue where the firewall displayed error messages such as the following after bootup even though bootup succeeded: Error: sysd_construct_sync_importer(sysd_sync.c:328): sysd_sync_register() failed: (111) Unknown error code.
PAN-75340
Fixed an issue where the GlobalProtect portal did not comply with HTTP Strict Transport Security (HSTS) when redirecting users from HTTP to HTTPS upon accessing the portal login page. With this fix, HSTS is enabled to secure the redirect to HTTPS, the portal requires a valid server certificate, the endpoint browser displays a warning to users with invalid client certificates who access the login page using an IP address instead of an FQDN, and you cannot use the same FQDN for both the login page and firewall Management interface.
PAN-75068
Fixed an issue where VM-Series firewalls on NSX prevented client-server TCP sessions from closing at the correct time when you configured a reset Action in Security policy rules (Policies > Security > <rule> > Actions).
PAN-68878
Fixed an issue where firewalls in an active/active HA configuration sent packets out of order.
PAN-64376
Fixed an issue where you could not set the QoS Egress Max to more than 16,000 Mbps for an aggregate Ethernet interface (Network > QoS > <interface> > Physical Interface). With this fix, you can set the QoS Egress Max to a maximum of 60,000 Mbps.
If you downgrade from a PAN-OS 8.0 release to PAN-OS 7.1.15 or an earlier release, you must reset the QoS Egress Max to 16,000 Mbps or less to avoid commit failures.
PAN-59996
Fixed an issue where VM-Series firewalls did not apply NAT translation to the ports in the via and contact headers of Session Initiation Protocol (SIP) sessions after you enabled Dynamic IP and Port (DIPP) NAT.
PAN-59749
Fixed an issue where the firewall intermittently dropped VPN tunnel traffic between virtual systems.
