PAN-OS 8.0.9 Addressed Issues
Fixed an issue on WF-500 appliance clusters where attempts to submit samples for analysis through the WildFire XML API failed with a 499 or 502 error in the HTTP response when the local worker was fully loaded.
Fixed an issue where the WF-500 appliance could not forward logs over TCP or SSL to a syslog server.
Fixed an issue where the root partition on the WF-500 appliance reached its maximum storage capacity because the following log files had no size limit and grew continuously: appweb_access.log, trap-access.log, wpc_build_detail.log, rsyncd.log, cluster-mgr.log, and cluster-script.log. With this fix, the appweb_access.log, trap-access.log, and wpc_build_detail.log logs have a limit of 10MB and the WF-500 appliance maintains one rotating backup file for each of these logs to store old data when a log exceeds the limit. Also with this fix, the rsyncd.log, cluster-mgr.log, and cluster-script.log logs have a limit of 5MB and the WF-500 appliance maintains eight rotating backup files for each of these logs.
Fixed an issue where the WF-500 appliance restarted because the virtual memory limit was too small for the management server (mgmtsrvr) process. With this fix, mgmtsrvr has a higher virtual memory limit.
Fixed an issue on WF-500 appliances where the show cluster all-peers CLI command displayed siggen-db: Ready (signature generation database ready) for worker nodes in a WildFire cluster even though worker nodes don't generate signatures. With this fix, the command displays siggen-db: Stopped for worker nodes.
Fixed an issue where App-ID did not recognize GPRS Tunneling Protocol User Plane (GTP-U) in GTP messages on port 2152 when only single-direction message packets arrived (Traffic logs indicated application insufficient-data).
Fixed an issue where the firewall dropped packet data protocol (PDP) context update and delete messages that had a tunnel endpoint identifier (TEID) of zero in GPRS Tunneling Protocol (GTP) traffic, and the traffic failed when the dropped messages were valid.
Fixed an issue where GPRS Tunneling Protocol (GTP) traffic failed because the firewall dropped GTP-U echo request packets.
Fixed an issue where the Google Chrome browser displayed certificate warnings for self-signed ECDSA certificates that you generated on the firewall.
Fixed an issue where firewalls configured for User-ID redistribution did not redistribute IP address-to-username mappings due to a memory leak.
Fixed an issue where a Panorama Collector Group did not forward logs to some external servers after you configured multiple server profiles (Panorama > Collector Groups > <Collector_Group> > Collector Log Forwarding).
Fixed an issue where a small percentage of writable third-party SFP transceivers (not purchased from Palo Alto Networks®) stopped working or experienced other issues after you upgraded the firewall to which the SFPs are connected to PAN-OS 8.0.8 or an earlier 8.0 release. With this fix, you must not reboot the firewall after you download and install the PAN-OS 8.0 base image until after you download and install the PAN-OS 8.0.9 release. For additional details, upgrade considerations, and instructions for upgrading your firewalls, refer to the PAN-OS 8.0 upgrade information.
Fixed an issue where SSL Forward Proxy decryption did not work after you excluded every predefined Hostname from decryption (Device > Certificate Management > SSL Decryption Exclusion).
Fixed an issue on PA-7000 Series and PA-5200 Series firewalls where one or more dataplanes did not pass traffic when you ran several operational commands (from any firewall user interface or from the Panorama management server) while committing changes to device or network settings or while installing a content update.
Fixed an issue on PA-7000 Series firewalls with 20GXM Magnum NPC cards where commits failed when the firewall configuration was large. With this fix, the 20GXM Magnum NPC cards have a larger internal configuration memory allocator and CTD memory buffer.
Fixed an issue on VM-500 and VM-700 firewalls where you could not configure connections to more than 400 Terminal Services (TS) agents even though those firewall models were designed to support up to 1,000 TS agent connections.
Fixed an issue where end users could not authenticate to GlobalProtect when you specified a User Domain with Microsoft-supported symbols such as the dollar symbol ($) in the authentication profile (Device > Authentication Profile).
Fixed an issue on Panorama management servers in an HA configuration where the primary peer did not synchronize template changes to the secondary peer.
Fixed an issue where the Panorama management server removed address objects and, in the Network tab settings and NAT policy rules, used the associated IP address values without reference to the address objects before pushing configurations to firewalls.
A security-related fix was made to prevent a local privilege escalation vulnerability that allowed administrators to access the password hashes of local users (CVE-2018-9334).
Fixed an issue where PA-5200 Series firewalls caused slow traffic over IPSec VPN tunnels because the firewalls reordered TCP segments during IPSec encryption.
Fixed an issue where end users could not access applications through GlobalProtect Clientless VPN when the HTTP responses had both Transfer-Encoding and Content-Length headers.
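The Transfer-Encoding plus Content-Length combination in the Clientless VPN item above is the classic HTTP/1.1 framing ambiguity: a proxy that re-serves an origin's response has to decide which header delimits the body. The following is an added example, not PAN-OS or GlobalProtect code, that frames a constructed response the way RFC 7230 section 3.3.3 requires (Transfer-Encoding takes precedence, Content-Length is ignored and removed before forwarding) and contrasts it with a naive reader that trusts Content-Length first. The sample response and the function names are this example's own.

```python
"""HTTP/1.1 message framing when a response carries both Transfer-Encoding and
Content-Length.  Added example, not PAN-OS or GlobalProtect code.  RFC 7230
section 3.3.3: Transfer-Encoding takes precedence and Content-Length must be
ignored; a proxy that re-serves the body must also drop Content-Length, or the
downstream client may be desynchronised from the real message boundary.
"""

# Constructed response: the Content-Length value does not describe the chunked body.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 5\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"b\r\nhello world\r\n"
    b"7\r\n, again\r\n"
    b"0\r\n\r\n"
)


def split_message(raw):
    """Return (status_line, [(lowercased name, value), ...], body_bytes)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower().decode("ascii"),
                        value.strip().decode("ascii")))
    return lines[0].decode("ascii"), headers, rest


def values(headers, name):
    return [v for n, v in headers if n == name]


def dechunk(data):
    """Decode a chunked body; raises on truncation or bad chunk framing."""
    out, pos = bytearray(), 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing chunk-size line")
        size = int(data[pos:eol].split(b";", 1)[0], 16)   # strip chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)          # trailer section (if any) follows; not needed here
        chunk = data[pos:pos + size]
        if len(chunk) != size or data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated or unterminated chunk")
        out += chunk
        pos += size + 2


def body_naive(raw):
    """Trusts Content-Length whenever present: wrong when TE is also present."""
    _, headers, rest = split_message(raw)
    cl = values(headers, "content-length")
    return rest[:int(cl[0])] if cl else dechunk(rest)


def body_rfc7230(raw):
    """Frame per RFC 7230 3.3.3.  Returns (body, framing, conflict_flag)."""
    _, headers, rest = split_message(raw)
    te = values(headers, "transfer-encoding")
    cl = values(headers, "content-length")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            raise ValueError("final transfer-coding must be chunked: %r" % codings)
        return dechunk(rest), "chunked", bool(cl)   # conflict: CL sent alongside TE
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise ValueError("conflicting or invalid Content-Length: %r" % cl)
        n = int(cl[0])
        if len(rest) < n:
            raise ValueError("body shorter than Content-Length")
        return rest[:n], "content-length", False
    return rest, "close-delimited", False


def forward_headers(headers):
    """Headers a proxy should re-emit: with TE present, Content-Length is removed."""
    if values(headers, "transfer-encoding"):
        return [(n, v) for n, v in headers if n != "content-length"]
    return list(headers)


if __name__ == "__main__":
    print("naive  :", body_naive(SAMPLE))
    print("rfc7230:", body_rfc7230(SAMPLE))
```

The conflict flag returned by `body_rfc7230` is the same condition that request- and response-smuggling detection keys on; a proxy in front of untrusted origins is better off rejecting a message whose two framing headers disagree than silently repairing it.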
Fixed an issue where the mprelay process stopped responding when processing IPv6 neighbor discovery updates.
Fixed an issue on the Panorama management server where a policy rule dialog automatically closed within a couple of seconds after you opened it to create or edit a rule.
Fixed an issue where the firewall did not forward Correlation logs to syslog servers over UDP.
Fixed an issue on Panorama management servers in an HA configuration where a firewall did not resume forwarding logs to the Log Collector on the passive Panorama peer after disconnecting and reconnecting to that peer.
Fixed an issue on the Panorama management server where, after you clicked Send Test Log to verify that an external web server could receive firewall logs (Panorama > Server Profiles > HTTP > <HTTP_server_profile> > Payload Format), the configd process restarted and the Panorama user interfaces became unresponsive until the process finished restarting.
Fixed an issue on firewalls in an HA configuration where endpoints did not decapsulate VPN tunnel traffic after HA failover and had to reconnect to the GlobalProtect gateway.
Fixed an issue where firewalls in an active/passive HA configuration did not synchronize multicast sessions between the firewall HA peers.
Fixed an issue on PA-5200 Series firewalls in an active/passive HA configuration where the passive firewall displayed 10Gbps copper interfaces (ethernet1/1 to ethernet1/4) as up even when the connecting device (such as a switch) indicated the interfaces were down.
Fixed an issue where accessing websites took longer than expected when the firewall applied SSL Inbound Inspection decryption to the websites and used CRL or OCSP to verify the status of certificates.
Fixed an issue where the firewall did not accept wildcards (*) as standalone characters to match all IMSI identifiers when you configured IMSI Filtering in a GTP Protection profile (Objects > Security Profiles > GTP Protection).
Fixed an issue where PA-5200 Series firewalls did not forward buffered logs to Panorama Log Collectors after connectivity between the firewalls and Log Collectors was disrupted and then restored.
Fixed an issue where the firewall generated false positives during GTP-in-GTP checks because it detected some DNS-in-GTP packets as GTP-in-GTP packets (Objects > Security Profiles > GTP Protection > <GTP_Protection_profile> > GTP Inspection > GTP-U).
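Several of the GTP items in this list (GTP-U recognition on port 2152, echo requests and a TEID of zero being legitimate, and the DNS-in-GTP false positive just above) come down to how the GTP-U header is framed. The following is an added example, not PAN-OS code: a strict GTP-U parser (3GPP TS 29.281) run over constructed packets. It shows that a detector which only looks for GTP-U-shaped bytes at the start of the inner UDP payload flags an ordinary DNS query whose transaction ID happens to be 0x30FF, while a detector that also requires the inner flow to be on UDP port 2152 and the header length field to be consistent does not. The DNS-lookalike reproduction is this example's assumption about the failure mode; the release note does not state the root cause. Packet builders, addresses and TEIDs are constructed for the example.

```python
"""GTP-U framing and GTP-in-GTP detection (3GPP TS 29.281).

Added example, not PAN-OS code.  A constructed reproduction of a GTP-in-GTP
false positive on DNS traffic (the actual PAN-OS root cause is not documented
in the release note) and a stricter detector that avoids it.
"""
import struct

GTPU_PORT = 2152
GTP_ECHO_REQUEST = 0x01
GTP_ECHO_RESPONSE = 0x02
GTP_G_PDU = 0xFF


def looks_like_gtpu(data):
    """Shallow check: version 1, PT=1, message type G-PDU.  This is all a naive
    GTP-in-GTP scanner tests, and unrelated data can satisfy it."""
    return (len(data) >= 2 and data[0] >> 5 == 1
            and (data[0] >> 4) & 1 == 1 and data[1] == GTP_G_PDU)


def parse_gtpu(data):
    """Strict parse of one GTP-U datagram; returns (msg_type, teid, payload) or None."""
    if len(data) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1 or (flags >> 4) & 1 != 1:
        return None                        # not GTPv1, or PT=0 (GTP', charging)
    hdr_len = 12 if flags & 0x07 else 8    # E, S or PN flag adds 4 optional octets
    if len(data) < hdr_len or len(data) != 8 + length:
        return None                        # length counts every octet after octet 8
    return msg_type, teid, data[hdr_len:]


def parse_ipv4_udp(pkt):
    """Return (src_port, dst_port, udp_payload) for an IPv4/UDP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17 or len(pkt) < ihl + 8:
        return None
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return sport, dport, pkt[ihl + 8:ihl + ulen]


def gtp_in_gtp_naive(datagram):
    """False-positive-prone: flags any G-PDU whose inner UDP payload merely starts
    with GTP-U-shaped bytes, regardless of port or header consistency."""
    parsed = parse_gtpu(datagram)
    if parsed is None or parsed[0] != GTP_G_PDU:
        return False
    inner = parse_ipv4_udp(parsed[2])
    return inner is not None and looks_like_gtpu(inner[2])


def gtp_in_gtp_strict(datagram):
    """Flags only an inner UDP flow on 2152 carrying a well-formed GTP-U header."""
    parsed = parse_gtpu(datagram)
    if parsed is None or parsed[0] != GTP_G_PDU:
        return False
    inner = parse_ipv4_udp(parsed[2])
    if inner is None or GTPU_PORT not in inner[:2]:
        return False
    return parse_gtpu(inner[2]) is not None


# --- constructed test traffic (checksums left zero; nothing here validates them) ---
def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_udp_ipv4(src, dst, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     _ip(src), _ip(dst))
    return ip + udp


def build_gtpu(msg_type, teid, payload=b""):
    return struct.pack("!BBHI", 0x30, msg_type, len(payload), teid) + payload


# DNS query whose transaction ID 0x30FF happens to look like a GTP-U G-PDU header.
DNS_QUERY = (b"\x30\xff\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")
DNS_IN_GTP = build_gtpu(GTP_G_PDU, 0x1001,
                        build_udp_ipv4("10.1.1.10", "10.1.1.53", 40000, 53, DNS_QUERY))

# Genuine GTP-in-GTP: the subscriber payload is itself a GTP-U datagram on port 2152.
NESTED = build_gtpu(GTP_G_PDU, 0x1002,
                    build_udp_ipv4("10.2.2.2", "10.2.2.3", GTPU_PORT, GTPU_PORT,
                                   build_gtpu(GTP_G_PDU, 0x2002, b"\x45" + b"\x00" * 19)))

# Echo request: TEID 0 and an empty body are legitimate (path keepalive), not malformed.
ECHO = build_gtpu(GTP_ECHO_REQUEST, 0)

if __name__ == "__main__":
    for name, pkt in (("dns-in-gtp", DNS_IN_GTP), ("gtp-in-gtp", NESTED)):
        print(name, "naive:", gtp_in_gtp_naive(pkt), "strict:", gtp_in_gtp_strict(pkt))
```

The strict detector is deliberately conservative: it accepts a G-PDU only when the length field accounts for every byte of the datagram, which is also the check that makes a bare echo request (TEID 0, length 0) parse cleanly rather than look malformed.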
Enhanced memory usage to reduce the frequency of out-of-memory events that intermittently caused the firewall to continuously restart processes, which prevented administrators from logging in to the firewall. PAN-93839 provides the complete and final fix for this out-of-memory condition in PAN-OS 8.0.10.
Fixed an issue where Threat logs recorded incorrect IMSI values for GTP packets when you enabled Packet Capture in Vulnerability Protection profiles (Objects > Security Profiles > Vulnerability Protection > <Vulnerability_Protection_profile> > Rules).
Fixed an issue where firewalls rebooted because the userid process restarted too often due to a socket binding failure that caused a memory leak.
Fixed an issue where a firewall acting as an endpoint of an IPSec VPN tunnel dropped Encapsulating Security Payload (ESP) packets received on the old IPSec security association (SA) after rekeying and before receiving a delete message for the old IPSec SA. With this fix, the firewall retains the old IPSec SA for 30 seconds while waiting for a delete message from the tunnel peer.
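The rekey item above describes a race that every IPsec endpoint has to handle: after a child SA is rekeyed, ESP packets encrypted under the old SA are still in flight until the peer switches over and sends its delete notification. The following is an added example, not PAN-OS code, that models an inbound SA table with a retirement grace window and replays a constructed timeline once with no window (packets on the old SPI are dropped, the reported behaviour) and once with the 30-second window the fix introduces. The 30-second value is taken from the release note; the data structure, the event timeline and the SPI values are assumptions of this example.

```python
"""Inbound IPsec SA lifetime across a rekey: a model of the grace window.

Added example, not PAN-OS code.  The 30 s value comes from the release note;
the table layout and the event timeline are this example's assumptions.
"""

GRACE_SECONDS = 30.0


class InboundSaTable:
    """Maps inbound SPI -> retirement deadline.  An SA replaced by a rekey is kept
    until the peer's delete notification arrives or the grace window elapses."""

    def __init__(self, grace=GRACE_SECONDS):
        self.grace = grace
        self.sas = {}                      # spi -> retire_at (None = current SA)

    def install(self, spi):
        self.sas[spi] = None

    def rekey(self, old_spi, new_spi, now):
        """New child SA negotiated: switch to new_spi, retire old_spi gracefully."""
        self.install(new_spi)
        if old_spi in self.sas:
            self.sas[old_spi] = now + self.grace

    def delete(self, spi):
        """Peer sent a DELETE for this SA, or the grace window ran out."""
        self.sas.pop(spi, None)

    def receive_esp(self, spi, now):
        """Accept/drop decision for an inbound ESP packet carrying `spi`."""
        if spi not in self.sas:
            return "drop:unknown-spi"
        retire_at = self.sas[spi]
        if retire_at is not None and now >= retire_at:
            self.delete(spi)               # window over: old key material goes away
            return "drop:expired-spi"
        return "accept"


# Constructed timeline (seconds).  The peer starts using the new SA at t=10, a few
# ESP packets under the old SA are still in flight after that, and its DELETE for
# the old SA only arrives at t=45.
EVENTS = [
    (0,  "install", 0x1000),
    (10, "rekey",   (0x1000, 0x2000)),
    (11, "esp",     0x1000),   # in flight under the old SA
    (12, "esp",     0x2000),
    (15, "esp",     0x1000),   # still before the peer's DELETE
    (41, "esp",     0x1000),   # past the 30 s window
    (45, "delete",  0x1000),
    (46, "esp",     0x1000),
]


def run(grace):
    """Replay EVENTS against a table with the given grace; return ESP decisions."""
    table, decisions = InboundSaTable(grace), []
    for t, kind, arg in EVENTS:
        if kind == "install":
            table.install(arg)
        elif kind == "rekey":
            table.rekey(arg[0], arg[1], t)
        elif kind == "delete":
            table.delete(arg)
        else:
            decisions.append((t, hex(arg), table.receive_esp(arg, t)))
    return decisions


if __name__ == "__main__":
    for label, grace in (("immediate retirement", 0.0), ("30 s grace", GRACE_SECONDS)):
        print(label)
        for t, spi, decision in run(grace):
            print("  t=%2d spi=%s %s" % (t, spi, decision))
```

The window has to be bounded for the same reason it has to exist: leaving the old SA installed indefinitely keeps retired key material live, so a missing DELETE from the peer must still lead to expiry.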
Fixed an issue on firewalls in an HA configuration where an auto-commit failed (the error message was Error: Duplicate user name) after you connected a new suspended-secondary peer to an active-primary peer.
Fixed an issue where the firewall could not authenticate to a hardware security module (HSM) partition when the partition password contained special characters.
Fixed an issue where the Panorama management server did not return values based on the match criteria you configured in dynamic address groups (Objects > Address Groups).
Fixed an issue where Threat logs and WildFire Submissions logs were not consistent with each other in terms of indicating whether the firewall blocked a file that had multiple threat identifiers. With this fix, the firewall ensures the logs are consistent by forwarding only one threat identifier for each file that it sends to WildFire.
Fixed an issue where, after you disabled session offloading (using the set session offload no CLI command), flapping occurred for sessions that completed Layer 7 inspection.
Fixed an issue where the firewall flooded the logrcvr.log file with the following error message: Error reading the log record from logdb, Last read seqno: 0.
Fixed an issue where firewalls in an HA configuration stayed in a non-functional state after a dataplane restart because they did not boot up properly.
Fixed an issue where SSL connections failed because the firewall did not properly initialize certificates during a reboot.
Fixed an issue where the firewall did not accept AS:0 as a value in the Set Community list of a BGP redistribution profile (Network > Virtual Routers > <router> > BGP > Redist Rules).
Fixed an issue where the Panorama management server displayed commit errors and failed to push configurations to firewalls when the configurations included an Anti-Spyware security profile that contained a threat exception (Objects > Security Profiles > Anti-Spyware > <Anti-Spyware_profile> > Exceptions).
Fixed an issue on the Panorama management server where the exported device state for a firewall contained a GTP Protection profile even though the firewall did not support GPRS Tunneling Protocol (GTP). After importing the device state into the firewall, commit operations failed on the firewall.
Fixed an issue where the firewall stopped enforcing policy after you manually refreshed an external dynamic list (EDL) that had an invalid IP address or that resided on an unreachable web server.
Fixed an issue where the firewall returned an empty response for the PAN-OS XML API call used to display the number of IP address-to-username mappings.
Fixed an issue where the firewall rebooted because the dnsproxy process restarted multiple times.
Fixed an issue on PA-5200 Series firewalls in an active/active HA configuration where traffic latency was higher than expected because PAN-OS intermittently looped OSPF, PIM, and IGMP packets between the HA peers.
Fixed an issue on the Panorama management server where, after you cloned an object or policy rule, the user interfaces became unresponsive and displayed an error when you attempted to log back in.
Fixed an issue where the WF-500 appliance became inaccessible over SSH and became stuck in a boot loop after you upgraded from a release lower than PAN-OS 8.0.1 to PAN-OS 8.0.5 or a later release.
Fixed an issue where the firewall couldn't render URL content for end users after you configured GlobalProtect Clientless VPN with an Interface that is a Layer 3 subinterface or VLAN interface (Network > GlobalProtect > Portals > <portal> > General).
Fixed an issue where a custom report configuration did not display the Description value after you configured the report, closed it, and reopened it (Monitor > Manage Custom Reports > <custom_report>).
Fixed an issue where clicking the refresh button in the Monitor > Session Browser page cleared the filters you configured.
Fixed an issue where the Panorama management server displayed WF-500 appliances in the list of devices that were available to Install Panorama M-Series software updates (Panorama > Device Deployment > Software).
Fixed an issue in Large-Scale VPN (LSVPN) deployments where the firewall used incorrect traffic routes because it did not flush routes learned from GlobalProtect Satellites from the routing table in a GlobalProtect gateway after you disabled the Accept published routes option (Network > GlobalProtect > Gateways > <gateway> > Satellite > Route Filter).
Fixed an issue on Panorama Log Collectors where logs were temporarily unavailable because the vldmgr process restarted.
Fixed an issue where the firewall advertised the OSPF not-so-stubby area (NSSA) link-state advertisement (LSA) type 7 default route to NSSA neighbors even when the OSPF backbone area was down.
Fixed an issue where the PA-220 firewall intermittently performed slower than expected when processing heavy traffic. With this fix, the comm, dha, tund, and mprelay processes have improved performance.
Fixed an issue where you could not select check boxes in the firewall web interface when using the Safari v11 browser.
Fixed an issue on firewalls with IPv6 routing enabled where the firewalls routed traffic to a single subnetwork instead of multiple subnetworks when the same link-local IP address was used as a next hop for routing in multiple IPv6 subnetworks over a tagged Layer 3 interface (Network > Interfaces > Ethernet/VLAN > <interface> > IPv6).
Fixed an issue where the Panorama management server displayed a File not found error after you tried to download a threat PCAP file when Panorama and Dedicated Log Collectors were in different timezones.
Fixed an issue where configuring more than one EDL caused a memory leak in the device-server (devsrvr) process.
Fixed an issue on the Panorama management server where the ACC > Threat Activity report displayed the Others threat count as zero instead of the actual value.
Fixed an issue on firewalls with multiple virtual systems where setting the Virtual System to All in the ACC tab enabled a virtual system administrator to see zones in all virtual systems instead of just the zones in the virtual system for which the administrator had the required role privileges.
Fixed an issue on the Panorama management server where the debug log-collector log-collection-stats show incoming-logs CLI command did not display the correct log forwarding statistics for logs that Log Collectors forwarded to external services (such as a syslog server).
Fixed an issue where the firewall dropped packets based on a QoS class even though traffic did not exceed the maximum bandwidth for that class.
Fixed an issue on firewalls in an HA and DHCP configuration where the Peer HA1 IP Address displayed an outdated, static IP address instead of the DHCP-assigned IP address (Device > High Availability > General).
Fixed an issue where the firewall did not correctly enforce administrative account expiration settings (Device > Setup > Management > Minimum Password Complexity).
Fixed an issue where the firewall reported incorrect SNMP values for the received bytes (OID iso.188.8.131.52.184.108.40.206.10) and transmitted bytes (OID iso.220.127.116.11.18.104.22.168.16) of aggregate Ethernet subinterfaces.
Fixed an issue where firewalls could not connect to M-500 appliances in PAN-DB mode due to certificate validation failures. With this fix, the appliances add an IP address to the Subject Alternative Name (SAN) field when generating the certificates used for firewall connections.
Fixed an issue where the firewall did not update EDL information because the firewall sent EDL queries using its default service route interface as the Source Interface instead of the EDL-specific service route you configured (Device > Setup > Services).
Fixed an issue on firewalls with custom signatures configured where low memory conditions intermittently caused commit or content installation failures with the following error: Threat database handler failed.
Fixed an issue on PA-3000 Series and PA-5000 Series firewalls where the output of the show session info CLI command did not match the actual rate of traffic passing through the firewalls.
Fixed an issue where the PAN-OS XML API returned incorrect information when you sent a call for entries in an EDL.
Fixed an issue where, after you bootstrapped a VM-Series firewall, modified a template and device group on the Panorama management server, and then rebooted the firewall, Panorama displayed the firewall in the modified template and device group as well as in the original template and device group to which you assigned the firewall.
Fixed an issue in Panorama templates where the Panorama management server allowed you to configure a firewall administrator Password (Device > Administrators > <administrator>) that did not meet the minimum password length settings (Device > Setup > Management > Minimum Password Complexity). With this fix, Panorama prevents you from saving a firewall administrator account with a password that does not meet the minimum password length settings.
Fixed an issue where administrators could not log in to the firewall web interface due to the root partition running out of space because management logs continued growing without the firewall ever deleting them.
Fixed an issue where SNMP managers indicated syntax errors in PAN-OS MIBs, such as forward slash (/) characters not used within quotation marks (“”). You can find the updated MIBs at https://www.paloaltonetworks.com/documentation/misc/snmp-mibs.html.
Fixed an issue on PA-3000 Series firewalls where, after you manually restarted the dataplane (Device > Setup > Operations), in rare cases it spontaneously restarted repeatedly due to an FPGA calibration failure. With this fix, after detecting an FPGA calibration failure, the firewall enters maintenance mode to prompt you to power cycle the firewall for recovery.