PAN-OS 8.0.9 Addressed Issues

PAN-OS® 8.0.9 addressed issues
Issue ID
Description
WF500-4599
Fixed an issue on WF-500 appliance clusters where attempts to submit samples for analysis through the WildFire XML API failed with a 499 or 502 error in the HTTP response when the local worker was fully loaded.
WF500-4535
Fixed an issue where the WF-500 appliance could not forward logs over TCP or SSL to a syslog server.
WF500-4473
Fixed an issue where the root partition on the WF-500 appliance reached its maximum storage capacity because the following log files had no size limit and grew continuously: appweb_access.log, trap-access.log, wpc_build_detail.log, rsyncd.log, cluster-mgr.log, and cluster-script.log. With this fix, the appweb_access.log, trap-access.log, and wpc_build_detail.log logs have a limit of 10MB and the WF-500 appliance maintains one rotating backup file for each of these logs to store old data when a log exceeds the limit. Also with this fix, the rsyncd.log, cluster-mgr.log, and cluster-script.log logs have a limit of 5MB and the WF-500 appliance maintains eight rotating backup files for each of these logs.
WF500-4472
Fixed an issue where the WF-500 appliance restarted because the virtual memory limit was too small for the management server (mgmtsrvr) process. With this fix, mgmtsrvr has a higher virtual memory limit.
WF500-4190
Fixed an issue on WF-500 appliances where the show cluster all-peers CLI command displayed siggen-db: Ready (signature generation database ready) for worker nodes in a WildFire cluster even though worker nodes don't generate signatures. With this fix, the command displays siggen-db: Stopped for worker nodes.
PAN-94845
Fixed an issue where App-ID did not recognize GPRS Tunneling Protocol User Plane (GTP-U) in GTP messages on port 2152 when only single-direction message packets arrived (Traffic logs indicated application insufficient-data).
PAN-94386
Fixed an issue where the firewall dropped packet data protocol (PDP) context update and delete messages that had a tunnel endpoint identifier (TEID) of zero in GPRS Tunneling Protocol (GTP) traffic, and the traffic failed when the dropped messages were valid.
PAN-94170
Fixed an issue where GPRS Tunneling Protocol (GTP) traffic failed because the firewall dropped GTP-U echo request packets.
PAN-93106
Fixed an issue where the Google Chrome browser displayed certificate warnings for self-signed ECDSA certificates that you generated on the firewall.
PAN-92916
Fixed an issue where firewalls configured for User-ID redistribution did not redistribute IP address-to-username mappings due to a memory leak.
PAN-92604
Fixed an issue where a Panorama Collector Group did not forward logs to some external servers after you configured multiple server profiles (PanoramaCollector Groups<Collector_Group>Collector Log Forwarding).
PAN-92564
Fixed an issue where a small percentage of writable third-party SFP transceivers (not purchased from Palo Alto Networks®) stopped working or experienced other issues after you upgraded the firewall to which the SFPs are connected to PAN-OS 8.0.8 or an earlier 8.0 release. With this fix, you must not reboot the firewall after you download and install the PAN-OS 8.0 base image until after you download and install the PAN-OS 8.0.9 release. For additional details, upgrade considerations, and instructions for upgrading your firewalls, refer to the PAN-OS 8.0 upgrade information .
PAN-92560
Fixed an issue where SSL Forward Proxy decryption did not work after you excluded every predefined Hostname from decryption (DeviceCertificate ManagementSSL Decryption Exclusion).
PAN-92268
Fixed an issue on PA-7000 Series and PA-5200 Series firewalls where one or more dataplanes did not pass traffic when you ran several operational commands (from any firewall user interface or from the Panorama management server) while committing changes to device or network settings or while installing a content update.
PAN-92254
Fixed an issue on PA-7000 Series firewalls with 20GXM Magnum NPC cards where commits failed when the firewall configuration was large. With this fix, the 20GXM Magnum NPC cards have a larger internal configuration memory allocator and CTD memory buffer.
PAN-92170
Fixed an issue on VM-500 and VM-700 firewalls where you could not configure connections to more than 400 Terminal Services (TS) agents even though those firewall models were designed to support up to 1,000 TS agent connections.
PAN-91776
Fixed an issue where end users could not authenticate to GlobalProtect when you specified a User Domain with Microsoft-supported symbols such as the dollar symbol ($) in the authentication profile (DeviceAuthentication Profile).
PAN-91774
Fixed an issue on Panorama management servers in an HA configuration where the primary peer did not synchronize template changes to the secondary peer.
PAN-91689
Fixed an issue where the Panorama management server removed address objects and, in the Network tab settings and NAT policy rules, used the associated IP address values without reference to the address objects before pushing configurations to firewalls.
PAN-91564
A security-related fix was made to prevent a local privilege escalation vulnerability that allowed administrators to access the GlobalProtect password hashes of local users (CVE-2018-9334).
PAN-91559
Fixed an issue where PA-5200 Series firewalls caused slow traffic over IPSec VPN tunnels because the firewalls reordered TCP segments during IPSec encryption.
PAN-91452
Fixed an issue where end users could not access applications through GlobalProtect Clientless VPN when the HTTP responses had both Transfer-Encoding and Content-Length headers.
PAN-91113
Fixed an issue where the mprelay process stopped responding when processing IPv6 neighbor discovery updates.
PAN-90970
Fixed an issue on the Panorama management server where a policy rule dialog automatically closed within a couple of seconds after you opened it to create or edit a rule.
PAN-90956
Fixed an issue where the firewall did not forward Correlation logs to syslog servers over UDP.
PAN-90899
Fixed an issue on Panorama management servers in an HA configuration where a firewall did not resume forwarding logs to the Log Collector on the passive Panorama peer after disconnecting and reconnecting to that peer.
PAN-90858
Fixed an issue on the Panorama management server where, after you clicked Send Test Log to verify that an external web server could receive firewall logs (PanoramaServer ProfilesHTTP<HTTP_server_profile>Payload Format), the configd process restarted and the Panorama user interfaces became unresponsive until the process finished restarting.
PAN-90755
Fixed an issue on firewalls in an HA configuration where endpoints did not decapsulate VPN tunnel traffic after HA failover and had to reconnect to the GlobalProtect gateway.
PAN-90753
Fixed an issue where firewalls in an active/passive HA configuration did not synchronize multicast sessions between the firewall HA peers.
PAN-90683
Fixed an issue on PA-5200 Series firewalls in an active/passive HA configuration where the passive firewall displayed 10Gbps copper interfaces (ethernet1/1 to ethernet1/4) as up even when the connecting device (such as a switch) indicated the interfaces were down.
PAN-90622
Fixed an issue where accessing websites took longer than expected when the firewall applied SSL Inbound Inspection decryption to the websites and used CRL or OCSP to verify the status of certificates.
PAN-90565
Fixed an issue where the firewall did not accept wildcards (*) as standalone characters to match all IMSI identifiers when you configured IMSI Filtering in a GTP Protection profile (ObjectsSecurity ProfilesGTP Protection).
PAN-90411
Fixed an issue where PA-5200 Series firewalls did not forward buffered logs to Panorama Log Collectors after connectivity between the firewalls and Log Collectors was disrupted and then restored.
PAN-90301
Fixed an issue where the firewall generated false positives during GTP-in-GTP checks because it detected some DNS-in-GTP packets as GTP-in-GTP packets (ObjectsSecurity ProfilesGTP Protection<GTP_Protection_profile>GTP InspectionGTP-U).
PAN-90143
Enhanced memory usage to reduce the frequency of out-of-memory events that intermittently caused the firewall to continuously restart processes, which prevented administrators from logging in to the firewall. PAN-93839 provides the complete and final fix for this out-of-memory condition in PAN-OS 8.0.10.
PAN-90096
Fixed an issue where Threat logs recorded incorrect IMSI values for GTP packets when you enabled Packet Capture in Vulnerability Protection profiles (ObjectsSecurity ProfilesVulnerability Protection<Vulnerability_Protection_profile>Rules).
PAN-89471
Fixed an issue where firewalls rebooted because the userid process restarted too often due to a socket binding failure that caused a memory leak.
PAN-89175
Fixed an issue where a firewall acting as an endpoint of an IPSec VPN tunnel dropped Encapsulating Security Payload (ESP) packets received on the old IPSec security association (SA) after rekeying and before receiving a delete message for the old IPSec SA. With this fix, the firewall retains the old IPSec SA for 30 seconds while waiting for a delete message from the tunnel peer.
PAN-89171
Fixed an issue on firewalls in an HA configuration where an auto-commit failed (the error message was Error: Duplicate user name) after you connected a new suspended-secondary peer to an active-primary peer.
PAN-89030
Fixed an issue where the firewall could not authenticate to a hardware security module (HSM) partition when the partition password contained special characters.
PAN-88999
Fixed an issue where the Panorama management server did not return values based on the match criteria you configured in dynamic address groups (ObjectsAddress Groups).
PAN-88930
Fixed an issue where Threat logs and WildFire Submissions logs were not consistent with each other in terms of indicating whether the firewall blocked a file that had multiple threat identifiers. With this fix, the firewall ensures the logs are consistent by forwarding only one threat identifier for each file that it sends to WildFire.
PAN-88904
Fixed an issue where, after you disabled session offloading (using the set session offload no CLI command), flapping occurred for sessions that completed Layer 7 inspection.
PAN-88879
Fixed an issue where the firewall flooded the logrcvr.log file with the following error message: Error reading the log record from logdb, Last read seqno: 0.
PAN-88760
Fixed an issue where firewalls in an HA configuration stayed in a non-functional state after a dataplane restart because they did not boot up properly.
PAN-88665
Fixed an issue where SSL connections failed because the firewall did not properly initialize certificates during a reboot.
PAN-88547
Fixed an issue where the firewall did not accept AS:0 as a value in the Set Community list of a BGP redistribution profile (NetworkVirtual Routers<router>BGPRedist Rules).
PAN-88537
Fixed an issue where the Panorama management server displayed commit errors and failed to push configurations to firewalls when the configurations included an Anti-Spyware security profile that contained a threat exception (ObjectsSecurity ProfilesAnti-Spyware<Anti-Spyware_profile>Exceptions).
PAN-88535
Fixed an issue on the Panorama management server where the exported device state for a firewall contained a GTP Protection profile even though the firewall did not support GPRS Tunneling Protocol (GTP). After importing the device state into the firewall, commit operations failed on the firewall.
PAN-88487
Fixed an issue where the firewall stopped enforcing policy after you manually refreshed an external dynamic list (EDL) that had an invalid IP address or that resided on an unreachable web server.
PAN-88459
Fixed an issue where the firewall returned an empty response for the PAN-OS XML API call used to display the number of IP address-to-username mappings.
PAN-88229
Fixed an issue where the firewall rebooted because the dnsproxy process restarted multiple times.
PAN-88159
Fixed an issue on PA-5200 Series firewalls in an active/active HA configuration where traffic latency was higher than expected because PAN-OS intermittently looped OSPF, PIM, and IGMP packets between the HA peers.
PAN-88104
Fixed an issue on the Panorama management server where, after you cloned an object or policy rule, the user interfaces became unresponsive and displayed an error when you attempted to log back in.
PAN-87990
Fixed an issue where the WF-500 appliance became inaccessible over SSH and became stuck in a boot loop after you upgraded from a release lower than PAN-OS 8.0.1 to PAN-OS 8.0.5 or a later release.
PAN-87964
Fixed an issue where the firewall couldn't render URL content for end users after you configured GlobalProtect Clientless VPN with an Interface that is a Layer 3 subinterface or VLAN interface (NetworkGlobalProtectPortals<portal>General).
PAN-87783
Fixed an issue where a custom report configuration did not display the Description value after you configured the report, closed it, and reopened it (MonitorManage Custom Reports<custom_report>).
PAN-87655
Fixed an issue where clicking the refresh button in the MonitorSession Browser page cleared the filters you configured.
PAN-87303
Fixed an issue where the Panorama management server displayed WF-500 appliances in the list of devices that were available to Install Panorama M-Series software updates (PanoramaDevice DeploymentSoftware).
PAN-87271
Fixed an issue in Large-Scale VPN (LSVPN) deployments where the firewall used incorrect traffic routes because it did not flush routes learned from GlobalProtect Satellites from the routing table in a GlobalProtect gateway after you disabled the Accept published routes option (NetworkGlobalProtectGateways<gateway>SatelliteRoute Filter).
PAN-86936
Fixed an issue on Panorama Log collectors where logs were temporarily unavailable because the vldmgr process restarted.
PAN-86873
Fixed an issue where the firewall advertised the OSPF not-so-stubby area (NSSA) link-state advertisement (LSA) type 7 default route to NSSA neighbors even when the OSPF backbone area was down.
PAN-86164
Fixed an issue where the PA-220 firewall intermittently performed slower than expected when processing heavy traffic. With this fix, the comm, dha, tund, and mprelay processes have improved performance.
PAN-85919
Fixed an issue where you could not select check boxes in the firewall web interface when using the Safari v11 browser.
PAN-85633
Fixed an issue on firewalls with IPv6 routing enabled where the firewalls routed traffic to a single subnetwork instead of multiple subnetworks when the same link-local IP address was used as a next hop for routing in multiple IPv6 subnetworks over a tagged Layer 3 interface (NetworkInterfacesEthernet/VLAN<interface>IPV6).
PAN-85393
Fixed an issue where the Panorama management server displayed a File not found error after you tried to download a threat PCAP file when Panorama and Dedicated Log Collectors were in different timezones.
PAN-84885
Fixed an issue where configuring more than one EDL caused a memory leak in the device-server (devsrvr) process.
PAN-84879
Fixed an issue on the Panorama management server where the ACCThreat Activity report displayed the Others threat count as zero instead of the actual value.
PAN-83894
Fixed an issue on firewalls with multiple virtual systems where setting the Virtual System to All in the ACC tab enabled a virtual system administrator to see zones in all virtual systems instead of just the zones in the virtual system for which the administrator had the required role privileges.
PAN-83879
Fixed an issue on the Panorama management server where the debug log-collector log-collection-stats show incoming-logs CLI command did not display the correct log forwarding statistics for logs that Log Collectors forwarded to external services (such as a syslog server).
PAN-83001
Fixed an issue where the firewall dropped packets based on a QoS class even though traffic did not exceed the maximum bandwidth for that class.
PAN-81924
Fixed an issue on firewalls in an HA and DHCP configuration where the Peer HA1 IP Address displayed an outdated, static IP address instead of the DHCP-assigned IP address (DeviceHigh AvailabilityGeneral).
PAN-81698
Fixed an issue where the firewall did not correctly enforce administrative account expiration settings (DeviceSetupManagementMinimum Password Complexity).
PAN-80686
Fixed an issue where the firewall reported incorrect SNMP values for the received bytes (OID iso.3.6.1.2.1.2.2.1.10) and transmitted bytes (OID iso.3.6.1.2.1.2.2.1.16) of aggregate Ethernet subinterfaces.
PAN-80569
Fixed an issue where firewalls could not connect to M-500 appliances in PAN-DB mode due to certificate validation failures. With this fix, the appliances add an IP address to the Subject Alternative Name (SAN) field when generating the certificates used for firewall connections.
PAN-80222
Fixed an issue where the firewall did not update EDL information because the firewall sent EDL queries using its default service route interface as the Source Interface instead of the EDL-specific service route you configured (DeviceSetupServices).
PAN-79989
Fixed an issue on firewalls with custom signatures configured where low memory conditions intermittently caused commit or content installation failures with the following error: Threat database handler failed.
PAN-79872
Fixed an issue on PA-3000 Series and PA-5000 Series firewalls where the output of the show session info CLI command did not match the actual rate of traffic passing through the firewalls.
PAN-79319
Fixed an issue where the PAN-OS XML API returned incorrect information when you sent a call for entries in an EDL.
PAN-78903
Fixed an issue where, after you bootstrapped a VM-Series firewall, modified a template and device group on the Panorama management server, and then rebooted the firewall, Panorama displayed the firewall in the modified template and device group as well as in the original template and device group to which you assigned the firewall.
PAN-78634
Fixed an issue in Panorama templates where the Panorama management server allowed you to configure a firewall administrator Password (DeviceAdministrators<administrator>) that did not meet the minimum password length settings (DeviceSetupManagementMinimum Password Complexity). With this fix, Panorama prevents you from saving a firewall administrator account with a password that does not meet the minimum password length settings.
PAN-76632
Fixed an issue where administrators could not log in to the firewall web interface due to the root partition running out of space because management logs continued growing without the firewall ever deleting them.
PAN-75775
Fixed an issue where SNMP managers indicated syntax errors in PAN-OS MIBs, such as forward slash (/) characters not used within quotation marks (“”). You can find the updated MIBs at https://www.paloaltonetworks.com/documentation/misc/snmp-mibs.html .
PAN-49312
Fixed an issue on PA-3000 Series firewalls where, after you manually restarted the dataplane (DeviceSetupOperations), in rare cases it spontaneously restarted repeatedly due to an FPGA calibration failure. With this fix, after detecting an FPGA calibration failure, the firewall enters maintenance mode to prompt you to power cycle the firewall for recovery.

Related Documentation