Known Issues
The following topics describe known issues in PAN-OS 8.0 releases.
For recent updates to known issues for a given PAN-OS release, refer to https://live.paloaltonetworks.com/t5/Articles/Critical-Issues-Addressed-in-PAN-OS-Releases/ta-p/52882.
Known Issues Related to PAN-OS 8.0 Releases
The following list includes known issues specific to PAN-OS 8.0 releases, including known issues specific to Panorama and GlobalProtect, as well as known issues that apply more generally or that are not identified by an issue ID. See also the Known Issues Specific to the WF-500 Appliance.
Issue ID Description
Upgrading a PA-200 or PA-500 firewall to PAN-OS 8.0 can take 30 to 60 minutes to complete. Ensure uninterrupted power to your firewall throughout the upgrade process.
A Panorama management server running PAN-OS 8.0 does not currently support management of appliances running WildFire 7.1 or earlier releases. Even though these management options are visible on the Panorama 8.0 web interface (Panorama > Managed WildFire Clusters and Panorama > Managed WildFire Appliances), making changes to these settings for appliances running WildFire 7.1 or an earlier release has no effect.
GPC-2742 When you configure GlobalProtect portals and gateways to use client certificates and LDAP as two factors of authentication, Chromebook users who run Chrome OS 47 or a later version encounter excessive prompts to select a client certificate. Workaround: To prevent excessive prompts, configure a policy to specify the client certificate in the Google Admin console and deploy that policy to your managed Chromebooks: Log in to the Google Admin console (https://admin.google.com) and select Device management > Chrome management > User settings. In the Client Certificates section, enter the following URL pattern to Automatically Select Client Certificate for These Sites: {"pattern": "https://[*.]", "filter":{}} Click Save. The Google Admin console deploys the policy to all devices within a few minutes.
GPC-1737 By default, the GlobalProtect app adds a route on iOS mobile endpoints that causes traffic to the GP-100 GlobalProtect Mobile Security Manager to bypass the VPN tunnel. Workaround: To configure the GlobalProtect app on iOS mobile devices to route all traffic—including traffic to the GP-100 GlobalProtect Mobile Security Manager—to pass through the VPN tunnel, perform the following tasks on the firewall hosting the GlobalProtect gateway (Network > GlobalProtect > Gateways > <gateway-config> > Agent > Client Settings > <client-settings-config> > Network Settings > Access Route): Add 0.0.0.0/0 as an access route. Enter the IP address for the GlobalProtect Mobile Security Manager as an additional access route.
GPC-1517 For the GlobalProtect app to access an MDM server through a Squid proxy, you must add the MDM server SSL access ports to the proxy server allow list. For example, if the SSL access port is 8443, add acl SSL_ports port 8443 to the allow list.
PAN-87122 Running the clear session all filter source CLI command eleven or more times simultaneously causes Bidirectional Forwarding Detection (BFD) flapping. Workaround: Run the clear session all filter source commands one at a time instead of as a batch.
PAN-86936 On Panorama Log collectors, logs are temporarily unavailable because the vldmgr process restarts.
PAN-86903 In rare cases, PA-800 Series firewalls shut themselves down due to a false overcurrent measurement. Workaround: To reduce the likelihood that this issue will occur, upgrade to PAN-OS 8.0.7.
PAN-86226 This issue is now resolved. See PAN-OS 8.0.7 Addressed Issues. On PA-5000 Series firewalls running PAN-OS 8.0.5 or a later 8.0 release, insufficient proxy memory causes decryption failures and prevents users from accessing the GlobalProtect portal or gateway.
PAN-86210 On M-500 appliances, running an ACC report for a large amount of data causes Panorama to restart because of heartbeat failure.
PAN-85938 This issue is now resolved. See PAN-OS 8.0.7 Addressed Issues. PAN-OS removes the IP address-to-username mappings of end users who log in to a GlobalProtect internal gateway within a second of logging out from it.
PAN-85691 Authentication policy rules based on multi-factor authentication (MFA) don't block connections to an MFA vendor when the MFA server profile specifies a Certificate Profile that has the wrong certificate authority (CA) certificate.
PAN-85299 This issue is now resolved. See PAN-OS 8.0.7 Addressed Issues. On firewalls in an active/passive HA configuration with link or path monitoring enabled, a failover resulting from a link or path failure intermittently causes PAN-OS to delete host, connected, static, and dynamic routes (both OSPF and BGP) from the forwarding information base (FIB) on the firewall peer that becomes active. The link or path failure also intermittently causes PAN-OS to send unnecessary BGP withdrawal messages to BGP peers.
PAN-85228 Even though PAN-OS 8.0.5 is the minimum supported release for VMware NSX plugin 2.0.0, a Panorama management server running an earlier release does not block you from installing that plugin. After you install the NSX plugin 2.0.0, a Panorama management server running PAN-OS 8.0.4 or an earlier release does not display the status of its connection with the NSX Manager.
PAN-85103 This issue is now resolved. See PAN-OS 8.0.7 Addressed Issues. The Panorama management server stops communicating with firewalls when the incoming log rate from firewalls exceeds the capacity of the Panorama buffers.
PAN-84488 On PA-7000 Series and PA-5200 Series firewalls, client systems can use a translated IP address-and-port pair for only one connection even if you configure the Dynamic IP and Port (DIPP) NAT Oversubscription Rate to allow multiple connections (Device > Setup > Session > Session Settings > NAT Oversubscription).
PAN-84445 On occasion, the App-ID for an application that is using SSL is identified incorrectly. This issue occurs when a server hosts multiple applications on the same port, and the firewall has identified traffic for an application using this port on the server and then inaccurately records other applications on this server-port combination as the previously identified application.
PAN-84406 This issue is now resolved. See PAN-OS 8.0.7 Addressed Issues. On a firewall configured to collect username-to-group mappings from multiple LDAP servers over SSL/TLS-secured connections (Device > Server Profiles > LDAP), the firewall reboots because the User-ID process (useridd) restarts several times during initialization.
PAN-84045 VM-Series firewalls in an HA configuration with Data Plane Development Kit (DPDK) enabled experience HA path monitoring failures and (in active/passive deployments) HA failover. Workaround: Disable DPDK.
PAN-83610 PA-5200 Series firewalls that use the network processor and have session offload enabled intermittently reset the checksum of UDP packets. Workaround: In PAN-OS 8.0.6 and later releases, you can disable session offload for only UDP traffic using the set session udp-offload [yes | no] CLI command.
PAN-83451 When you push licenses to managed firewalls (from Panorama > Device Deployment > License), the Panorama management server displays an incorrect error message that reads License Feature Unknown along with the list of licenses that were successfully installed. You can ignore this error message because the licenses install successfully.
PAN-82251 This issue is now resolved. See PAN-OS 8.0.7 Addressed Issues. Bootstrapping is not supported on the VM-Series firewall on AWS GovCloud.
PAN-82117 This issue is now resolved. See PAN-OS 8.0.7 Addressed Issues. PA-5000 Series firewalls in an active/active HA configuration intermittently drop packets due to a race condition that occurs when the session owner and session setup are on different HA peers.
PAN-82125 This issue is now resolved. See PAN-OS 8.0.7 Addressed Issues. The firewall management plane or control plane continuously reboots after an upgrade to PAN-OS 8.0, and displays the following error message: rcu_sched detected stalls on CPUs/tasks.
PAN-82109 This issue is now resolved. See PAN-OS 8.0.3 Addressed Issues. On VM-Series firewalls, the session capacity drops to 1,248 after you activate a capacity license.
PAN-81125 (PAN-OS 8.0.3 and later releases) On a firewall configured to connect to Terminal Services (TS) agents, importing a configuration file (Device > Setup > Operations > Import named configuration snapshot) that does not define TS agent connections causes the User-ID service to stop responding. Workaround: Add an empty TS agent node <ts-agent/> under <devices><entry><vsys><entry> in the configuration file before importing it.
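The PAN-81125 workaround is easy to get wrong by hand on a multi-vsys export, so here is an added example (not Palo Alto Networks code) that patches a configuration file before import: it walks every devices/entry/vsys/entry, adds an empty <ts-agent/> only where none exists, and leaves populated TS agent nodes alone. The element path is the one the workaround names; the sample configuration embedded below is constructed for illustration and is not a real export.

```python
"""Add an empty <ts-agent/> node to every vsys entry in a PAN-OS configuration
export that lacks one, before the file is imported (workaround for PAN-81125).

Added example, not Palo Alto Networks code. The element path
devices/entry/vsys/entry comes from the workaround text; SAMPLE_CONFIG below
is a constructed, minimal stand-in for a real export.
"""
from __future__ import annotations

import sys
import xml.etree.ElementTree as ET

# Constructed minimal configuration: vsys1 has no ts-agent node, vsys2 already
# has a populated one that must be preserved.
SAMPLE_CONFIG = """<config version="8.0.0">
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <zone/>
        </entry>
        <entry name="vsys2">
          <ts-agent>
            <entry name="ts1"><host>192.0.2.10</host></entry>
          </ts-agent>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
"""

VSYS_ENTRY_PATH = "./devices/entry/vsys/entry"


def ensure_ts_agent(config_xml: str) -> tuple[str, list[str]]:
    """Return (patched XML, names of vsys entries that received <ts-agent/>).

    Existing ts-agent nodes, populated or empty, are left untouched, so the
    function is idempotent and never discards configured TS agents.
    """
    root = ET.fromstring(config_xml)
    patched: list[str] = []
    for vsys in root.findall(VSYS_ENTRY_PATH):
        if vsys.find("ts-agent") is None:
            ET.SubElement(vsys, "ts-agent")
            patched.append(vsys.get("name", "<unnamed>"))
    return ET.tostring(root, encoding="unicode"), patched


def count_ts_agent_nodes(config_xml: str) -> int:
    """Count vsys entries that carry a ts-agent node (used to verify the patch)."""
    root = ET.fromstring(config_xml)
    return sum(1 for v in root.findall(VSYS_ENTRY_PATH) if v.find("ts-agent") is not None)


def patch_file(src_path: str, dst_path: str) -> list[str]:
    """Patch an exported snapshot on disk; returns the vsys names that were changed."""
    with open(src_path, encoding="utf-8") as fh:
        new_xml, changed = ensure_ts_agent(fh.read())
    with open(dst_path, "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0"?>\n' + new_xml + "\n")
    return changed


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print("added <ts-agent/> to:", patch_file(sys.argv[1], sys.argv[2]))
    else:
        new_xml, changed = ensure_ts_agent(SAMPLE_CONFIG)
        print("added <ts-agent/> to:", changed)
        print(new_xml)
```

Run it with an exported snapshot and an output path (`python patch_ts_agent.py exported.xml patched.xml`) and import the patched file; run it without arguments to see the constructed sample patched. ElementTree drops the XML declaration, so patch_file writes one back; it also normalises whitespace, which PAN-OS ignores on import.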
PAN-81061 This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues. PA-3000 Series firewalls intermittently drop long-lived sessions that are active during a content update if you immediately follow the update with an Antivirus or WildFire update.
PAN-80564 The firewall mgmtsrvr process and other processes repeatedly restart due to abnormal system memory usage when a connection failure occurs between the firewall and a syslog server that use TCP over SSL/TLS to communicate. Workaround: In PAN-OS 8.0.4 and later 8.0 releases, you can stop the continuous restarts by running the debug syslog-ng restart CLI command to restart the syslog-ng process. Alternatively, for all PAN-OS 8.0 releases, you can use UDP for communication between the firewall and syslog server.
PAN-79423 Panorama cannot push address group objects from device groups to managed firewalls if zones specify the objects in the User Identification ACL include or exclude lists (Network > Zones) and if the Share Unused Address and Service Objects with Devices option is disabled (Panorama > Setup > Management > Panorama Settings).
PAN-79365 This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues. Pushing Panorama template configurations to VM-Series firewalls for NSX removes those firewalls as managed devices on Panorama. Workaround: Make minor configuration changes to Panorama and select Commit > Commit and Push. Panorama then displays the VM-Series firewalls for NSX as managed devices. You can then select Config > Revert Changes to revert the minor configuration changes to Panorama.
PAN-78718 This issue is now resolved. See PAN-OS 8.0.6 Addressed Issues. A PA-7000 Series firewall running PAN-OS 7.1.12, PAN-OS 7.0.17, or a PAN-OS 6.1 release (or an earlier PAN-OS 7.1 or PAN-OS 7.0 release) stops saving and displaying new logs due to a memory leak after a Panorama management server running PAN-OS 8.0 pushes a predefined GTP report that specifies a field that is unrecognized by the firewall running the earlier PAN-OS release (Monitor > Reports > Mobile Network Reports).
PAN-78224 This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues. The firewall truncates passwords to 40 characters when end users try to authenticate through RADIUS in the Captive Portal web form.
PAN-78055 This issue is now resolved. See PAN-OS 8.0.5 Addressed Issues. On PA-220, PA-500, and PA-800 Series firewalls, VPN tunnel traffic intermittently fails because the keymgr stops processing sysd messages. Workaround: Run the debug software restart process keymgr CLI command to restart the keymgr process.
PAN-78034 This issue is now resolved. See PAN-OS 8.0.6 Addressed Issues. The Threat logs that Zone Protection profiles trigger for scan and packet type events do not record IMSI and IMEI values. Workaround: Select Monitor > Threat, click the spyglass icon for the Threat log to display additional details, and then double-click the related logs to see the IMSI and IMEI of the subscriber that triggered the Threat log.
PAN-77702 This issue is now resolved. See PAN-OS 8.0.5 Addressed Issues. Dynamic address updates take several minutes to complete on Panorama in NSX deployments.
PAN-77671 This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues. The firewall identifies traffic to www.online-translator.com as the translator-5 application instead of as web-browsing.
PAN-77595 This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues. PA-7000 Series and PA-5200 Series firewalls forward a SIP INVITE based on route lookup instead of Policy-Based Forwarding (PBF) policy.
PAN-77339 This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues. The SafeNet Client 6.2.2 does not support the necessary MAC algorithm (HMAC-SHA1) to work with Palo Alto Networks firewalls that run in FIPS-CC mode.
PAN-77213 This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues. Panorama does not forward logs to a syslog server over TCP.
PAN-77116 After bootup, the firewall displays error messages such as Error: sysd_construct_sync_importer(sysd_sync.c:328): sysd_sync_register() failed: (111) Unknown error code, even though the bootup is successful. Workaround: Ignore the error messages; they do not affect the firewall operations.
PAN-77062 This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues. Administrators with a custom role cannot delete packet captures.
PAN-77033 This issue is now resolved. See PAN-OS 8.0.3 Addressed Issues. Using the debug skip-condor-reports no CLI command to force a Panorama management server running PAN-OS 8.0 to query PA-7000 Series firewalls causes PA-7000 Series firewalls running a PAN-OS 7.0 release to reboot. Do not use this command if you use Panorama running PAN-OS 8.0 to manage a PA-7000 Series firewall running a PAN-OS 7.0 release.
PAN-76832 This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues. Modifying a BFD profile configuration (Network > Network Profiles > BFD Profile) or assigning a different BFD profile (Network > Virtual Routers > BGP) in a virtual router causes the associated routing protocol (BGP) to flap.
PAN-76779 This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues. On the PA-5020 firewall, the dataplane restarts continuously when a user accesses applications over a GlobalProtect clientless VPN.
PAN-76509 This issue is now resolved. See PAN-OS 8.0.5 Addressed Issues. On firewalls with multiple virtual systems, custom spyware signatures work only on vsys1.
PAN-76270 This issue is now resolved. See PAN-OS 8.0.3 Addressed Issues. Operations that require heavy memory usage on Log Collectors (such as ingesting logs at a high rate) cause some other processes to restart.
PAN-76162 This issue is now resolved. See PAN-OS 8.0.3 Addressed Issues. A Panorama management server running a PAN-OS 8.0 release or a PAN-OS 7.1.8 or later 7.1 release does not display logs from PA-7000 Series firewalls running a PAN-OS 7.0 or 7.1 release. Workaround: Run the debug skip-condor-reports no command and then the debug software restart process reportd command on the Panorama management server so that it can successfully query PA-7000 Series firewalls running a PAN-OS 7.1 release. Do not use the debug skip-condor-reports no command to work around this issue if you use Panorama running a PAN-OS 8.0 release to manage a PA-7000 Series firewall running a PAN-OS 7.0 release (see PAN-77033).
PAN-76058 This issue is now resolved (requires content release version 718 or later). See PAN-OS 8.0.4 Addressed Issues. When migrating URL categories from BrightCloud to PAN-DB, Panorama does not apply the migration to pre-rules and post-rules.
PAN-75960 This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues. You cannot store the master key on an HSM in PAN-OS 8.0. Doing so will cause the firewall to enter maintenance mode after a reboot, which will require a factory reset.
PAN-75908 This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues. Multicast packets with stale session IDs cause the firewall dataplane to restart.
PAN-75881 This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues. A regression introduced in PAN-OS 8.0.0 and 8.0.1 causes the firewall dataplane to restart in certain cases when combined with content updates. For details, including the relevance of content release version 709, refer to the associated Customer Advisory.
PAN-75457 (PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, Panorama does not support changing node roles. For example, on Panorama, in a three-node cluster, you cannot configure the worker node as a controller node by adding the high availability and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error—the commit will fail and the cluster becomes unresponsive.
PAN-74886 This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues. Panorama does not push a shared address object to firewalls if the object is part of a dynamic address group that uses a tag.
PAN-74652 This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues. After a firewall successfully installs a content update received from Panorama, Panorama displays a failure message for that update when the associated job ID on the firewall is higher than 65536.
PAN-74632 This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues. The firewall does not clear IP address-to-username mappings or username-to-group mappings after reaching the limit for the number of user groups (100,000), which causes commit failures with the following errors: user-id is not registered and User-ID manager was reset. Commit is required to reinitialize User-ID.
PAN-74293 This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues. The firewall drops sessions after only 30 seconds of idle traffic instead of after the session timeout associated with the application.
PAN-74139 This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues. On the PA-500 firewall, insufficient memory allocation causes SSL decryption errors that result in SSL session failures, and Traffic logs display the Session End Reason as decrypt-error or decrypt-cert-validation.
PAN-73964 This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues. Do not upgrade VM-Series firewalls on AWS to PAN-OS 8.0.0 if they are deployed in an HA configuration.
PAN-73933 This issue is now resolved. See PAN-OS 8.0.5 Addressed Issues. The log receiver (logrcvr) process restarts due to a memory leak after the firewall performs a log query for correlation objects or reports and the query includes the Threat Category field.
PAN-73879 This issue is resolved with content release version 658 and later releases. You cannot clone the strict file blocking profile in PAN-OS 8.0; however, cloning the basic file blocking profile (or any other Security Profile types) works as expected.
PAN-73877 This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues. You cannot use the firewall web interface to generate a SAML metadata file for Captive Portal or GlobalProtect if the firewall has multiple virtual systems; after you click the Metadata link associated with an authentication profile, no virtual systems are available to select. Workaround: Access the firewall CLI, switch to the virtual system where you assigned the authentication profile (set system setting target-vsys <vsys-name>), and generate the metadata file (show sp-metadata [captive-portal | global-protect] vsys <value> authprofile <value> ip-hostname <value>).
PAN-73859 This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues. The VM-Series firewall on Azure supports only five interfaces (one management interface and four dataplane interfaces) instead of eight (one management interface and seven dataplane interfaces).
PAN-73849 After you perform a factory reset or private data reset on a fresh installation of the Panorama virtual appliance, the Panorama > Plugins page does not display the pre-loaded VMware NSX plugin and therefore you cannot use the web interface to install the plugin. Workarounds: Use the request plugins install vmware_nsx-<version> CLI command to install the plugin. Download the plugin from the Palo Alto Networks Support Portal and then upload the plugin to Panorama. The web interface then displays the plugin for you to install.
PAN-73579 This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues. After you upgrade a firewall to PAN-OS 8.0, the firewall does not apply updates to the predefined Palo Alto Networks malicious IP address feeds (delivered through the daily antivirus content updates) until you perform a commit on the firewall. Workaround: Commit changes to the firewall daily to ensure you always have the latest version of the malicious IP address feeds.
PAN-73545 This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues. When adding interfaces to a VM-300, VM-500, or VM-700 firewall, you must commit twice for traffic to pass normally.
PAN-73530 The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
PAN-73401 (PAN-OS 8.0.1 and later releases) On a two-node WildFire appliance cluster, if you import the cluster into Panorama, the controller nodes report their state as out-of-sync if either of the following two conditions exists:
You do not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as a high-availability pair. Adding a worker node would make the cluster a three-node cluster.)
You do not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
1. After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
2. Configure a worker list on the cluster controller:
admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
(<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. Import the cluster to Panorama and Panorama reports that the controller nodes are in sync. If you want the cluster to have only two nodes, use a different workaround.
3. Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is enabled, or that DNS is not enabled:
admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
or
admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
Both commands result in Panorama reporting that the controller nodes are in sync.
PAN-73316 When a GlobalProtect user first logs in with a RADIUS authentication profile, the Domain-UserName appears as user@domain (instead of domain\user) in the PAN-OS web interface. Workaround: Once a HIP report is generated, the username format is normalized and updated to the correct format.
PAN-73307 When you use the ACC tab to view Tunnel Activity and you Jump to Logs, the Tunnel Inspection logs display tunnel as the tunnel type. Workaround: Remove tunnel type from the query in tunnel logs.
PAN-73291 This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues. If you set up client certificate authentication for GlobalProtect portals and gateways, you can specify a Certificate Profile with multiple certificate authority (CA) certificates that have the same common name. However, authentication fails for client certificates signed by a CA certificate that is not listed first in the Certificate Profile.
PAN-73254 This issue is now resolved. See PAN-OS 8.0.3 Addressed Issues. After you install the VMware NSX plugin on Panorama in an HA deployment, Panorama does not automatically synchronize configuration changes between the HA peers unless you first update settings related to the NSX plugin. Workaround: Configure the NSX settings and commit your changes to Panorama.
PAN-73207 This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues. If the firewall integrates with Okta Adaptive as the multi-factor authentication (MFA) vendor, you cannot use push notification as an authentication factor.
PAN-73168 This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues. If the PAN-OS web interface and the GlobalProtect portal that hosts Clientless VPN applications are configured to share the same FQDN, you can get a 400 Bad Request error from your browser when you try to access the PAN-OS web interface. Workaround: Best practice is to configure separate FQDNs for the PAN-OS web interface and the GlobalProtect portal that hosts Clientless VPN applications. As a short-term fix, clear the browser cache or close all browser windows and then open a separate browser window to log in to the PAN-OS web interface.
PAN-73006 This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues. When logging rates are high, the App Scope Change Monitor and Network Monitor reports sometimes fail to display data when you filter by Source or Destination IP addresses. Additionally, the App Scope Summary report sometimes fails to display data for the Top 5 Bandwidth Consuming Source and Top 5 Threats when logging rates are high.
PAN-72894 This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues. Panorama does not display HA firewalls (Panorama > Managed Devices) after the configd process stops responding.
PAN-72861 When you configure a PA-5200 Series or PA-7000 Series firewall to perform tunnel-in-tunnel inspection, which includes GRE keep-alive packets (Policies > Tunnel Inspection > Inspection > Inspect Options), and you run the clear session all CLI command while traffic is traversing a tunnel, the firewall temporarily drops tunneled packets.
PAN-72843 This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues. If you commit a configuration that enables clientless VPN on multiple GlobalProtect portals using different DNS proxies, the commit fails. Workaround: Restart the firewall data plane and repeat the configuration commit.
PAN-72402 This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues. If you configure a BGP IPv6 aggregate address with an Advertise Filter that consists of both a prefix filter and a next-hop filter, the firewall advertises only the aggregate address and does not advertise the specific routes covered by the Advertise Filter. Workaround: Remove the next-hop filter so that the firewall advertises both the aggregate address and the more specific routes. This applies only to routes learned from another BGP peer; the firewall advertises locally-injected routes as expected without this workaround.
PAN-72342 This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues. End users who ignore the Duo V2 authentication prompt until it times out can still authenticate successfully to a GlobalProtect portal configured for two-factor authentication.
PAN-71833 This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues. For a TACACS+ authentication profile, the output of the test authentication authentication-profile CLI command intermittently displays authentication/authorization failed for user even though the administrator can successfully log in to the web interface or CLI using the same credentials as were specified in the test command.
PAN-71829 This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues. In some cases, when you make specific changes on a PA-5000 Series firewall related to certificates or SSL profiles for a GlobalProtect configuration, the dataplane restarts. Changes that result in a restart include configuring a new gateway, changing a certificate linked to GlobalProtect, or changing the minimum or maximum version of the TLS profile linked to GlobalProtect; other types of changes to GlobalProtect configurations do not trigger a dataplane restart.
PAN-71765 Deactivating a VM-Series firewall from Panorama completes successfully but the web interface does not update to show that deactivation is complete. Workaround: View deactivation status from Managed Devices (Panorama > Managed Devices).
PAN-71556 This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues. MAC address table entries with a time-to-live (TTL) value of 0 are not removed as expected in Layer 2 deployments, which results in a table that continually grows larger in size. Workaround: Monitor the number of table entries and run the clear mac all CLI command or reboot as needed to clear the table.
PAN-71334 This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues. On a PA-5200 Series firewall, when you set up a VoIP call using the Session Initiation Protocol (SIP), you can experience a delay of up to 10 seconds before the firewall transmits the audio/video stream.
PAN-71329 Local users and user groups created under Shared (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications ( Clientless VPN > Applications on the GlobalProtect Portal). Workaround: Create users and user groups under vsys for multiple virtual systems. For single virtual systems (like VM), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
PAN-71271 This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues. If the log purging process starts running before log migration begins after an upgrade to PAN-OS 8.0, the log migration process fails and drops new logs. You cannot work around this issue if the log purging process starts before you start migration. To determine whether log purging has begun, run the less mp-log es_purge.log CLI command, enter a forward slash ("/"), enter deleting, and check the output. If there are any matches, you cannot migrate; if there are no matches, then you can start log migration.
PAN-71215 Deactivating a VM-Series firewall from Panorama fails when Panorama is configured to Verify Update Server Identity (Panorama > Setup > Services > Verify Update Server Identity) and this setting is disabled on the firewall (Device > Setup > Services); this failure causes the firewall to become unreachable. Workaround: Ensure that you configure both Panorama and the VM-Series firewall to Verify Update Server Identity before you deactivate the firewall.
PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out from the GlobalProtect portal, the administrative user is logged out from the PAN-OS web interface as well. This issue is compounded when the portal is configured for GlobalProtect Clientless VPN because it can increase the number of users who access the portal. Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
PAN-70353 This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues. Clientless VPN does not work if you configure the GlobalProtect portal that hosts the Clientless VPN on an interface with DHCP Client enabled. Workaround: Configure the interface to use static IP addresses.
PAN-70323 This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues. Firewalls running in FIPS-CC mode do not allow import of SHA-1 CA certificates even when the private key is not included; instead, firewalls display the following error: Import of <cert name> failed. Unsupported digest or keys used in FIPS-CC mode.
PAN-70181 This issue is now resolved. See PAN-OS 8.0.6 Addressed Issues. PA-7000 Series firewalls that run a large number of scheduled daily reports (near 1,000 or more) will eventually experience a memory issue that causes CLI commands to fail and ultimately causes SSH connection attempts to the management IP address to fail also. Workaround: Monitor memory usage and restart the mgmtsrvr process when mgmtsrvr virtual memory exceeds 6GB or mgmtsrvr resident memory exceeds 4GB.
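The PAN-70181 workaround asks you to watch mgmtsrvr memory and act on two thresholds (virtual above 6GB, resident above 4GB). The following is an added example, not Palo Alto Networks code, that applies those thresholds to a top-style process listing: it reads the VIRT and RES columns by header name, converts top's suffixed sizes (k/m/g, or bare KiB) to bytes, and reports which threshold mgmtsrvr breached. The column layout is an assumption (the usual top header) and the sample rows are constructed, so check them against your own `show system resources` output before scheduling this from a poller.

```python
"""Flag the mgmtsrvr process when its virtual memory exceeds 6 GB or its
resident memory exceeds 4 GB (the PAN-70181 workaround thresholds).

Added example, not Palo Alto Networks code. Assumes top-style output with a
header row containing PID, VIRT, RES and COMMAND; SAMPLE_OUTPUT is
constructed for illustration and is not real firewall output.
"""
from __future__ import annotations

import re
from typing import Iterator

VIRT_LIMIT = 6 * 1024**3   # 6 GB virtual, from the workaround text
RES_LIMIT = 4 * 1024**3    # 4 GB resident, from the workaround text

# Constructed top-style sample: mgmtsrvr over both limits, logrcvr healthy.
SAMPLE_OUTPUT = """\
  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+  COMMAND
 1234 root      20   0    6.4g    4.2g    12m S   1.0 25.3  12:34.56 mgmtsrvr
 2345 root      20   0    812m    301m     8m S   0.3  1.8   0:12.34 logrcvr
"""

# top prints memory in KiB when unsuffixed, otherwise with a k/m/g/t suffix.
_UNITS = {"": 1024, "k": 1024, "m": 1024**2, "g": 1024**3, "t": 1024**4}


def parse_size(token: str) -> int:
    """Convert a top memory field ('4.2g', '812m', '819200' in KiB) to bytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kmgt]?)", token.lower())
    if not m:
        raise ValueError(f"unrecognised size field: {token!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def find_processes(output: str, name: str) -> Iterator[tuple[int, int, int]]:
    """Yield (pid, virt_bytes, res_bytes) for each row whose COMMAND equals name.

    Column positions are taken from the header row, so a listing with extra
    or reordered columns still parses as long as the header names match.
    """
    idx: dict[str, int] | None = None
    for line in output.splitlines():
        cols = line.split()
        if not cols:
            continue
        if cols[0] == "PID":
            idx = {col: i for i, col in enumerate(cols)}
            continue
        if idx is None or cols[idx["COMMAND"]] != name:
            continue
        yield int(cols[idx["PID"]]), parse_size(cols[idx["VIRT"]]), parse_size(cols[idx["RES"]])


def over_limit(output: str, name: str = "mgmtsrvr") -> list[dict]:
    """Return one record per matching process that breaches either threshold."""
    flagged = []
    for pid, virt, res in find_processes(output, name):
        reasons = []
        if virt > VIRT_LIMIT:
            reasons.append(f"VIRT {virt / 1024**3:.1f} GB > 6 GB")
        if res > RES_LIMIT:
            reasons.append(f"RES {res / 1024**3:.1f} GB > 4 GB")
        if reasons:
            flagged.append({"pid": pid, "virt": virt, "res": res, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for rec in over_limit(SAMPLE_OUTPUT):
        print(f"mgmtsrvr pid {rec['pid']}: " + "; ".join(rec["reasons"])
              + " -> restart the mgmtsrvr process per the PAN-70181 workaround")
```

Feed over_limit the captured listing (for example, text collected over SSH by your monitoring system) and alert on a non-empty result; the thresholds are strict greater-than comparisons, matching the "exceeds" wording of the workaround.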
PAN-70119 This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues . The firewall maps users to the Kerberos Realm defined in authentication profiles ( Device > Authentication Profiles) instead of extracting the realm from Kerberos tickets.
PAN-70046 A standard 404 browser error is displayed if you try to use GlobalProtect Clientless VPN without the correct content release version. Workaround: Clientless VPN requires a GlobalProtect subscription installed on the firewall that hosts the Clientless VPN through the GlobalProtect portal. Additionally, you need the GlobalProtect Clientless VPN dynamic updates to use this feature.
PAN-70027 (PLUG-216) This issue is resolved with the VMware NSX 1.0.1 plugin. The output of the show object registered-IP all command does not include the Source of IP tag (service profile name and ID).
PAN-70023 Authentication using auto-filled credentials intermittently fails when you access an application using GlobalProtect Clientless VPN. Workaround: Manually enter the credentials.
PAN-69932 This issue is now resolved. See PAN-OS 8.0.5 Addressed Issues. The Panorama web interface and CLI respond slowly when numerous NSX plugins are in progress.
PAN-69874 This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues. When the PAN-OS XML API sends user mappings with no timeout value to a firewall that has the Enable User Identification Timeout option disabled, the firewall assigns the mappings a timeout of 60 minutes instead of never.
PAN-69505 When you view an external dynamic list that requires client authentication and click Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and instead returns a URL access error.
PAN-69367 This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues. The firewall incorrectly generates packet diagnostic logs and captures packets for sessions that are not part of a packet filter (Monitor > Packet Capture).
PAN-69340 This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues. When you use a license authorization code (capacity license or a bundle) to bootstrap a VM-Series firewall, the capacity license is not applied. This issue occurs because the firewall does not reboot after the license is applied. Workaround: Use the request restart software CLI command or reboot the firewall manually to activate session capacity for a VM-Series firewall.
PAN-68974 This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues. On PA-3000 Series firewalls, you cannot configure a QoS Profile to have a maximum egress bandwidth (Egress Max) higher than 1Gbps for an aggregate group interface (Network > Network Profiles > QoS Profile).
PAN-68767 Panorama does not change the connection Status of an NSX manager (Panorama > VMware NSX > Service Managers) from Unknown to Registered due to a non-existent null value entry in the NSX manager response.
PAN-67950 The firewall drops Encapsulating Security Payload (ESP) packets because IPSec sessions remain stuck in opening status when Extended Authentication (X-Auth) is enabled (Network > GlobalProtect > Gateways > <gateway> > Agent > Tunnel Settings). Workaround: Disable X-Auth for the VPN tunnel.
PAN-67544 This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues. When a multicast forwarding information base (MFIB) times out, the packet processing process (flow_ctrl) stops responding, which intermittently causes the firewall dataplane to restart.
PAN-67422 (PAN-OS 8.0.1 and later releases) The firewall re-registers with WildFire every 15 days unless a connection failure occurs. If a firewall registered with a standalone WildFire appliance and then you configure the firewall to register with a WildFire appliance cluster, the firewall shows as registered both to the cluster and to the standalone appliance, which creates duplicate entries. To verify that a firewall is connected to a WildFire appliance and a WildFire appliance cluster, run the following command on the WildFire cluster and standalone WildFire appliance to display all firewalls registered to that cluster and appliance: admin@Panorama> show wildfire-appliance last-device-registration all serial-number <value> The <value> is the 12-digit serial number of the WildFire cluster controller node or the WildFire appliance. For example, to view all firewalls on a cluster whose controller node has the serial number 002001000099, run the following command: admin@Panorama> show wildfire-appliance last-device-registration all serial-number 002001000099 Workaround: Run the show wildfire global devices-reporting-data command to show only firewalls that are reporting data to the WildFire appliance. If a firewall has not submitted a sample to the WildFire appliance during the past 24 hours, the firewall is not listed.
PAN-66997 This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues. On PA-7000 Series, PA-5200 Series, and PA-5000 Series firewalls, users who access applications over SSL VPN or IPSec tunnels through GlobalProtect experience one-directional traffic.
PAN-66122 This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues. Tunnel content inspection is not supported in a virtual-system-to-virtual-system topology.
PAN-66032 When you monitor Block IP List entries, an IP address blocked by a Vulnerability Protection profile or Anti-Spyware profile displays the Block Source to be the Threat ID (TID) and virtual system (if applicable), instead of the name of the threat that blocked the IP address. For example, the Block Source displays 41000:vsys1 (or 41000:* if there is no virtual system).
PAN-64725 This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues. On PA-7000 Series firewalls and on Panorama log collectors, log collection processes consume excess memory and do not process logs as expected. This issue occurs when DNS response times are slow and scheduled reports contain fields that require DNS lookups. Workaround: Use the debug management-server report-namelookup disable CLI command to disable DNS lookups for reporting purposes and then restart the log receiver by running debug software restart process log-receiver.
PAN-63905 This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues. Installing a content update or committing configuration changes on the firewall causes RTP sessions that were created from predict sessions to move from an active state to a discard state.
PAN-63274 This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues. When you configure tunnel content inspection for traffic in a shared gateway topology (the firewall has multiple virtual systems), inner flow sessions installed on dataplane 1 (DP1) will fail. Additionally, when networking devices behind the shared gateway initiate traffic, that traffic doesn't reach the networking devices behind the virtual systems.
PAN-62820 If you use the Apple Safari browser in Private Browsing mode to request a service or application that requires multi-factor authentication (MFA), the firewall does not redirect you to the service or application even after authentication succeeds.
PAN-62453 Entering vSphere maintenance mode on a VM-Series firewall without first shutting down the Guest OS for the agent VMs causes the firewall to shut down abruptly and causes issues that persist after the firewall is powered on again. Refer to Issue 1332563 in the VMware release notes: https://www.vmware.com/support/pubs/nsx_pubs.html. Workaround: VM-Series firewalls are Service Virtual Machines (SVMs) pinned to ESXi hosts and should not be migrated. Before you enter vSphere maintenance mode, use the VMware tools to ensure a graceful shutdown of the VM-Series firewall.
PAN-61840 This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues. The show global-protect-portal statistics CLI command is not supported.
PAN-61834 This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues. The firewall captures packets of IP addresses that are not included in the packet filter (Monitor > Packet Capture).
PAN-58872 The automatic license deactivation workflow for firewalls with direct internet access does not work. Workaround: Use the request license deactivate key features <name> mode manual CLI command to Deactivate a Feature License or Subscription Using the CLI. To Deactivate a VM, choose Complete Manually (instead of Continue) and follow the steps to manually deactivate the VM.
PAN-56217 You cannot configure multiple DNS proxy objects that specify for the firewall to listen for DNS requests on the same interface (Network > DNS Proxy > Interfaces). If multiple DNS proxy objects are configured with the same interface, only the first DNS proxy object settings are applied. Workaround: If there are DNS proxy objects configured with the same interface, you must modify the DNS proxy objects so that each object specifies unique interfaces. To modify a DNS proxy object that specifies only one interface, delete the DNS proxy object and reconfigure the object with an interface that is not shared among any other objects. To modify a DNS proxy object configured with multiple interfaces, delete the interface that is shared with other DNS proxy objects, click OK to save the modified object, and then Commit.
PAN-55825 Performing an AutoFocus remote search that is targeted to a PAN-OS firewall or Panorama does not work correctly when the search condition contains a single or double quotation mark.
PAN-55437 High availability (HA) for VM-Series firewalls does not work in AWS regions that do not support the signature version 2 signing process for EC2 API calls. Unsupported regions include AWS EU (Frankfurt) and Korea (Seoul).
PAN-55203 When you change the reporting period for a scheduled report, such as the SaaS Application Usage PDF report, the report can have incomplete or no data for the reporting period. Workaround: If you need to change the reporting period for any scheduled report, create a new report for the desired time period instead of modifying the time period on an existing report.
PAN-54531 This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues. The firewall stops writing new Traffic and Threat logs to storage because the Automated Correlation Engine uses disk space in a way that prevents the firewall from purging older logs.
PAN-54254 In Traffic logs, the following session end reasons for Captive Portal or a GlobalProtect SSL VPN tunnel indicate the incorrect reason for session termination: decrypt-cert-validation, decrypt-unsupport-param, or decrypt-error.
PAN-53825 For the VM-Series NSX edition firewall, when you add or modify an NSX service profile zone on Panorama, you must perform a Panorama commit and then perform a Device Group commit with the Include Device and Network Templates option selected. To successfully redirect traffic to the VM-Series NSX edition firewall, you must perform both a Template and a Device Group commit when you modify the zone configuration to ensure that the zones are available on the firewall.
PAN-53663 When you open the SaaS Application Usage report (Monitor > PDF Reports > SaaS Application Usage) on multiple tabs in a browser, each for a different virtual system (vsys), and you then attempt to export PDFs from each tab, only the first request is accurate; all successive attempts will result in PDFs that are duplicates of the first report. Workaround: Export only one PDF at a time and wait for that export process to finish before you trigger the next export request.
PAN-53601 Panorama running on an M-500 appliance cannot connect to a SafeNet Network or Thales nShield Connect hardware security module (HSM).
PAN-51969 On the NSX Manager, when you unbind an NSX Security Group from an NSX Security Policy rule, the dynamic tag and registered IP address are updated on Panorama but are not sent to the VM-Series firewalls. Workaround: To push the Dynamic Address Group updates to the VM-Series firewalls, you must manually synchronize the configuration with the NSX Manager (Panorama > VMware Service Manager and select NSX Config-Sync).
PAN-51952 If a security group overlap occurs in an NSX Security policy where the same security group is weighted with a higher and a lower priority value, the traffic may be redirected to the wrong service profile (VM-Series firewall instance). This issue occurs because an NSX Security policy with a higher weight does not always take precedence over a policy with a lower weight. Workaround: Make sure that members that are assigned to a security group are not overlapping with another Security group and that each security group is assigned to a unique NSX Security policy rule. This allows you to ensure that NSX Security policy does not redirect traffic to the wrong service profile (VM-Series firewall).
PAN-51870 When using the CLI to configure the management interface as a DHCP client, the commit fails if you do not provide all four DHCP parameters in the command. For a successful commit when using the set deviceconfig system type dhcp-client command, you must include each of the following parameters: accept-dhcp-domain, accept-dhcp-hostname, send-client-id, and send-hostname.
PAN-51869 Canceling pending commits does not immediately remove them from the commit queue. The commits remain in the queue until PAN-OS dequeues them.
PAN-51673 BFD sessions are not established between two RIP peers when there are no RIP advertisements. Workaround: Enable RIP on another interface to provide RIP advertisements from a remote peer.
PAN-51216 The NSX Manager fails to redirect traffic to the VM-Series firewall when you define new Service Profile zones for NSX on Panorama. This issue occurs intermittently on the NSX Manager when you define security rules to redirect traffic to the new service profiles that are available for traffic introspection and results in the following error: Firewall configuration is not in sync with NSX Manager. Conflict with Service Profile Oddhost on service (Palo Alto Networks NGFW) when binding to host<name>.
PAN-51181 A Palo Alto Networks firewall, M-100 appliance, or WF-500 appliance configured to use FIPS operational mode fails to boot when rebooting after an upgrade to PAN-OS 7.0 or later releases. Workaround: Enable FIPS and Common Criteria support on all Palo Alto Networks firewalls and appliances before you upgrade to a PAN-OS 7.0 or later release.
PAN-51122 For the VM-Series firewall, if you manually reset a heartbeat failure alarm on the vCenter server to indicate that the VM-Series firewall is healthy (change color to green), the vCenter server does not trigger a heartbeat failure alarm again.
PAN-50651 On PA-7000 Series firewalls, one data port must be configured as a log card interface because the traffic and logging capabilities of this platform exceed the capabilities of the management port. A log card interface performs WildFire file-forwarding and log forwarding for syslog, email, and SNMP and these services require DNS support. If you set up a custom service route for the firewall to perform DNS queries, services using the log card interface might not be able to generate DNS requests. This is only an issue if you’ve configured the firewall to use a service route for DNS requests and, in this case, you must perform a workaround to enable communication between the firewall dataplane and the log card interface. Workaround: Enable DNS Proxy on the firewall and do not specify an interface for the DNS proxy object to use (ensure that Network > DNS Proxy > Interface is not configured).
PAN-50641 This issue is now resolved. See PAN-OS 8.0.6 Addressed Issues. Enabling or disabling BFD for BGP or changing a BFD profile that a BGP peer uses causes BGP to flap.
PAN-50038 When you enable jumbo frames from the CLI on a VM-Series firewall in AWS, the maximum transmission unit (MTU) size on the interfaces does not increase. The MTU on each interface remains at a maximum value of 1500 bytes.
PAN-48565 The VM-Series firewall on Citrix SDX does not support jumbo frames.
PAN-48456 IPv6-to-IPv6 Network Prefix Translation (NPTv6) is not supported when configured on a shared gateway.
PAN-47969 If you log in to Panorama as a Device Group and Template administrator and you rename a device group, the Panorama > Device Groups page no longer displays any device groups. Workaround: After you rename a device group, perform a commit, log out, and log back in; the page then displays the device groups with the updated values.
PAN-47073 Web pages using the HTTP Strict Transport Security (HSTS) protocol do not always display properly for end users. Workaround: End users must import an appropriate forward proxy certificate into their browsers.
PAN-46344 When you use a Mac OS Safari browser, client certificates will not work for Captive Portal authentication. Workaround: On a Mac OS system, instruct end users to use a different browser (for example, Mozilla Firefox or Google Chrome).
PAN-45793 On a firewall with multiple virtual systems, if you add an authentication profile to a virtual system and give the profile the same name as an authentication sequence in Shared, reference errors occur. The same errors occur if the profile is in Shared and the sequence with the same name is in a virtual system. Workaround: When creating authentication profiles and sequences, always enter unique names, regardless of their location. For existing authentication profiles and sequences with similar names, rename the ones that are currently assigned to configurations (for example, a GlobalProtect gateway) to ensure uniqueness.
PAN-44616 On the ACC > Network Activity tab, if you add the label Unknown as a global filter, the filter gets added as A1 and query results display A1 instead of Unknown.
PAN-44400 The link on a 1Gbps SFP port on a VM-Series firewall deployed on a Citrix SDX server does not come up when successive failovers are triggered. This behavior is only observed in an HA active/active configuration. Workaround: Use a 10Gbps SFP port instead of the 1Gbps SFP port on the VM-Series firewall deployed on a Citrix SDX server.
PAN-44300 WildFire analysis reports cannot be viewed on firewalls running PAN-OS 6.1 release versions if connected to a WF-500 appliance in Common Criteria mode that is running PAN-OS 7.0 or later releases.
PAN-43000 Vulnerability detection of SSLv3 fails when SSL decryption is enabled. This occurs when you attach a Vulnerability Protection profile (that detects SSLv3—CVE-2014-3566) to a Security policy rule and that Security policy rule and an SSL Decryption policy rule are configured on the same virtual system in the same zone. After performing SSL decryption, the firewall sees decrypted data and no longer sees the SSL version number. In this case, the SSLv3 vulnerability is not identified. Workaround: SSL Decryption Enhancements were introduced in PAN-OS 7.0 that enable you to prohibit the inherently weaker SSL/TLS versions, which are more vulnerable to attacks. For example, you can use a Decryption Profile to enforce a minimum protocol version of TLS 1.2 or you can Block sessions with unsupported versions to disallow unsupported protocol versions (Objects > Decryption Profile > SSL Decryption > SSL Forward Proxy and/or SSL Inbound Inspection).
PAN-41558 When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as StrongSwan. Workaround: Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
PAN-40842 When you configure a firewall to retrieve a WildFire signature package, the System log shows unknown version for the package. For example, after a scheduled WildFire package update, the system log shows: WildFire package upgraded from version <unknown version> to 38978-45470. This is a cosmetic issue only and does not prevent the WildFire package from installing.
PAN-40714 If you access Device > Log Settings on a device running a PAN-OS 7.0 or later release and then use the CLI to downgrade the device to a PAN-OS 6.1 or earlier release and reboot, an error message appears the next time you access Log Settings. This occurs because PAN-OS 7.0 and later releases display Log Settings in a single page whereas PAN-OS 6.1 and earlier releases display the settings in multiple sub-pages. To clear the message, navigate to another page and return to any Log Settings sub-page; the error will not recur in subsequent sessions.
PAN-40130 In the WildFire Submissions logs, the email recipient address is not correctly mapped to a username when configuring LDAP group mappings that are pushed in a Panorama template.
PAN-40079 The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
PAN-40075 The VM-Series firewall on KVM running on Ubuntu 12.04 LTS does not support PCI pass-through functionality.
PAN-39728 The URL logging rate is reduced when HTTP header logging is enabled in the URL Filtering profile (Objects > Security Profiles > URL Filtering > URL Filtering profile > Settings).
PAN-39636 Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report. For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame. Workaround: To generate an on-demand report, click Run Now when you configure the custom report.
PAN-39501 Unused NAT IP address pools are not cleared after a single commit, so a commit fails if the combined cache of unused pools, existing used pools, and new pools exceeds the memory limit. Workaround: Commit a second time, which clears the old pool allocation.
PAN-38584 Configurations pushed from Panorama 6.1 and later releases to firewalls running PAN-OS 6.0.3 or earlier PAN-OS 6.0 releases will fail to commit due to an unexpected Rule Type error. This issue occurs because the Rule Type setting in Security policy rules was not included in the upgrade transform, so the new rule types are not recognized on devices running PAN-OS 6.0.3 or earlier releases. Workaround: Only upgrade Panorama to version 6.1 or a later release if you are also planning to upgrade all managed firewalls running PAN-OS 6.0.3 or an earlier PAN-OS 6.0 release to a PAN-OS 6.0.4 or later release before pushing a configuration to the devices.
PAN-38255 If you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart management-server CLI command.
PAN-37511 Due to a limitation related to the Ethernet chip driving the SFP+ ports, PA-5050 and PA-5060 firewalls will not perform link fault signaling as standardized when a fiber in the fiber pair is cut or disconnected.
PAN-37177 After deploying the VM-Series firewall, when the firewall connects to Panorama, you must issue a Panorama commit to ensure that Panorama recognizes the firewall as a managed device. If you reboot Panorama without committing the changes, the firewall will not connect back to Panorama; although the device group will display the list of devices, the device will not display in Panorama > Managed Devices. Further, if Panorama is configured in an HA configuration, the VM-Series firewall is not added to the passive Panorama peer until the active Panorama peer synchronizes the configuration. During this time, the passive Panorama peer will log a critical message: vm-cfg: failed to process registration from svm device. vm-state: active. This message is logged until you commit the changes on the active Panorama, which then initiates synchronization between the Panorama HA peers and the VM-Series firewall is added to the passive Panorama peer. Workaround: To reestablish the connection to the managed devices, commit your changes to Panorama (click Commit and select Commit Type: Panorama). In case of an HA setup, the commit will initiate the synchronization of the running configuration between the Panorama peers.
PAN-37127 On the Panorama web interface, the Policies > Security > Post Rules > Combined Rules Preview window does not display post rules and local rules for managed devices.
PAN-37044 Live migration of the VM-Series firewall is not supported when you enable SSL decryption using the SSL forward proxy method. Use SSL inbound inspection if you need support for live migration.
PAN-36730 When deleting the VM-Series deployment, all VMs are deleted successfully; however, sometimes a few instances still remain in the datastore. Workaround: Manually delete the VM-Series firewalls from the datastore.
PAN-36728 In some scenarios, traffic from newly added guests or virtual machines is not steered to the VM-Series firewall even when the guests belong to a Security Group and are attached to a Security Policy that redirects traffic to the VM-Series firewall. Workaround: Reapply the Security Policy on the NSX Manager.
PAN-36727 The VM-Series firewall fails to deploy with an error message: Invalid OVF Format in Agent Configuration. Workaround: Use the following command to restart the ESX Agent Manager process on the vCenter Server: /etc/init.d/vmware-vpxd tomcat-restart.
PAN-36433 If an HA failover occurs on Panorama at the time that the NSX Manager is deploying the VM-Series NSX edition firewall, the licensing process fails with the error: vm-cfg: failed to process registration from svm device. vm-state: active. Workaround: Delete the unlicensed instance of the VM-Series firewall on each ESXi host and then redeploy the Palo Alto Networks next-generation firewall service from the NSX Manager.
PAN-36409 When viewing the Session Browser (Monitor > Session Browser), using the global refresh option (top right corner) to update the list of sessions causes the Filter menu to display incorrectly and clears any previously selected filters. Workaround: To maintain and apply selected filters to an updated list of sessions, click the green arrow to the right of the Filters field instead of the global (or browser) refresh option.
PAN-36394 When the datastore is migrated for a guest, all current sessions are no longer steered to the VM-Series firewall. However, all new sessions are secured properly.
PAN-36393 When deploying the VM-Series firewall, the Task Console displays Error while enabling agent. Cannot complete the operation. See the event log for details. This error displays even on a successful deployment. You can ignore the message if the VM-Series firewall is successfully deployed.
PAN-36333 The Service dialog for adding or editing a service object in the web interface displays the incorrect port range for both source and destination ports: 1-65535. The correct port range is 0-65535 and specifying port number 0 for either a source or destination port is successful.
PAN-36289 If you deploy the VM-Series firewall and then assign the firewall to a template, the change is not recorded in the bootstrap file. Workaround: Delete the Palo Alto Networks NGFW Service on the NSX Manager, and verify that the template is specified on Panorama > VMware Service Manager, register the service, and re-deploy the VM-Series firewall.
PAN-36088 When an ESXi host is rebooted or shut down, the functional status of the guests is not updated. Because the IP address is not updated, the dynamic tags do not accurately reflect the functional state of the guests that are unavailable.
PAN-36049 The vCenter Server/vmtools displayed the IP Address for a guest incorrectly after VLAN tags were added to an Ethernet port. The display did not accurately show the IP addresses associated with the tagged Ethernet port and the untagged Ethernet port. This issue was seen on some Linux OS versions such as Ubuntu.
PAN-35903 When you edit a traffic introspection rule (to steer traffic to the VM-Series firewall) on the NSX Manager, an invalid (tcp) port number error—or invalid (udp) port number error—displays when you remove the destination (TCP or UDP) port. Workaround: Delete the rule and add a new one.
PAN-35875 When defining traffic introspection rules (to steer traffic to the VM-Series firewall) on the NSX Manager, either the source or the destination for the rule must reference the name of a Security Group; you cannot create a rule from any to any Security Group. Workaround: To redirect all traffic to the VM-Series firewall, you must create a Security Group that includes all the guests in the cluster. Then you can define a security policy that redirects traffic from and to the cluster so that the firewall can inspect and enforce policy on the east-west traffic.
PAN-35874 Duplicate packets are being steered to the VM-Series firewall. This issue occurs if you enable distributed vSwitch for steering in promiscuous mode. Workaround: Disable promiscuous mode.
PAN-34966 On a VM-Series NSX edition firewall, when adding or removing a Security Group (Container) that is bound to a Security Policy, Panorama does not get a dynamic update of the added or removed Security Group. Workaround: On Panorama > VMware Service Manager, click Synchronize Dynamic Objects to initiate a manual synchronization to get the latest update.
PAN-34855 On a VM-Series NSX edition firewall, Dynamic Tags (update) do not reflect the actual IP address set on the guest. This issue occurs because the vCenter Server cannot accurately view the IP address of the guest.
PAN-33316 Adding or removing ports on the SDX server after deploying the VM-Series firewall can cause a configuration mismatch on the firewall. To avoid the need to reconfigure the interfaces, consider the total number of data ports that you require on the firewall and assign the relevant number of ports on the SDX server when deploying the VM-Series firewall. For example, if you assign ports 1/3 and 1/4 on the SDX server as data interfaces on the VM-Series firewall, the ports are mapped to eth1 and eth2. If you then add port 1/1 or 1/2 on the SDX server, eth1 will be mapped to 1/1 or 1/2, eth2 will be mapped to 1/3, and eth3 to 1/4. If ports 1/3 and 1/4 were set up as a virtual wire, this remapping will require you to reconfigure the network interfaces on the firewall.
PAN-31832 The following issues apply when configuring a firewall to use a hardware security module (HSM): Thales nShield Connect—The firewall requires at least four minutes to detect that an HSM has been disconnected, causing SSL functionality to be unavailable during the delay. SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show ha-status or show hsm info command is blocked for 20 seconds.
PAN-31593 After you configure a Panorama M-Series appliance for HA and synchronize the configuration, the Log Collector of the passive peer cannot connect to the active peer until you reboot the passive peer.
PAN-29441 The Panorama virtual appliance does not write summary logs for traffic and threats as expected after you enter the clear log command. Workaround: Reboot the Panorama management server (Panorama > Setup > Operations) to enable summary logs.
PAN-29411 In some configurations, when you switch context from Panorama and access the web interface of a managed device, you are unable to upgrade the PAN-OS software image. Workaround: Use the Panorama > Device Deployment > Software tab to deploy and install the software image on the managed device.
PAN-29385 You cannot configure the management IP address on an M-100 appliance while it is operating as the secondary passive peer in an HA pair. Workaround: To set the IP address for the management interface, you must suspend the active Panorama peer, promote the passive peer to active state, change the configuration, and then reset the active peer to active state.
PAN-29053 By default, the hostname is not included in the IP header of syslog messages sent from the firewall. However, some syslog implementations require this field to be present. Workaround: Enable the firewall to include the IP address of the firewall as the hostname in the syslog header by selecting Send Hostname in Syslog ( Device > Setup).
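The following Python example is added here to illustrate the receiver side of this issue; it is not from the PAN-OS documentation or from Palo Alto Networks. It parses BSD-style (RFC 3164) syslog lines while treating the HOSTNAME field as optional, so a message sent without it is not misread (the first word of the message body taken as the hostname) and is instead attributed to the address the collector received it from. The sample lines, the serial number and the firewall address are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Receiver-side parser for BSD-style (RFC 3164) syslog lines.
# Header shape: <PRI>Mmm dd hh:mm:ss [HOSTNAME ]MESSAGE
# The HOSTNAME field is the one that "Send Hostname in Syslog" adds.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<rest>.*)$",
    re.DOTALL,
)

# A hostname or IPv4 literal: letters, digits, dots and hyphens only.
# A PAN-OS CSV body ("1,2017/04/12 ...") and a "tag[pid]:" both fail this,
# which is how a missing HOSTNAME is told apart from a present one.
_HOSTNAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*$")


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    hostname: Optional[str]   # None when the sender omitted the field
    message: str


def parse_syslog(line: str) -> SyslogEvent:
    """Parse one line; tolerate a missing HOSTNAME instead of misreading MSG."""
    m = _HEADER.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"not an RFC 3164 syslog line: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23, severity 0..7
        raise ValueError(f"PRI out of range: {pri}")
    rest = m.group("rest")
    first, _, remainder = rest.partition(" ")
    if first and remainder and _HOSTNAME.match(first):
        hostname, message = first, remainder
    else:
        hostname, message = None, rest
    return SyslogEvent(pri >> 3, pri & 7, m.group("ts"), hostname, message)


def attribute_source(event: SyslogEvent, peer_ip: str) -> str:
    """Host to attribute the event to: the header hostname if present,
    otherwise the transport-layer peer address the collector saw it from."""
    return event.hostname if event.hostname is not None else peer_ip


# Constructed sample lines (not real device output); the CSV body is truncated
# and the serial number 001234567890 is a placeholder.
FIREWALL_IP = "192.0.2.10"
LINE_NO_HOSTNAME = "<14>Apr 12 10:15:42 1,2017/04/12 10:15:42,001234567890,TRAFFIC,end,2049"
LINE_WITH_HOSTNAME = (
    "<14>Apr 12 10:15:42 192.0.2.10 1,2017/04/12 10:15:42,001234567890,TRAFFIC,end,2049"
)


def demo() -> dict:
    """Parse both forms and show that attribution ends up the same either way."""
    without = parse_syslog(LINE_NO_HOSTNAME)
    with_host = parse_syslog(LINE_WITH_HOSTNAME)
    return {
        "header_host_when_omitted": without.hostname,
        "header_host_when_sent": with_host.hostname,
        "attributed_when_omitted": attribute_source(without, FIREWALL_IP),
        "attributed_when_sent": attribute_source(with_host, FIREWALL_IP),
        "bodies_match": without.message == with_host.message,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fallback to the peer address is the check a collector needs when a sender omits the field; a strict receiver that always consumes the first token as HOSTNAME would instead record "1,2017/04/12" as the host and shift the CSV body, which is the breakage this known issue describes.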
PAN-28794 If a Panorama Log Collector MGT port is configured with an IPv4 address and you want to have only an IPv6 address configured, you can use the Panorama web interface to configure the new IPv6 address but you cannot use Panorama to remove the IPv4 address. Workaround: Configure the MGT port with the new IPv6 address and then apply the configuration to the Log Collector and test connectivity using the IPv6 address to ensure that you do not lose access when you remove the IPv4 address. After you confirm the Log Collector is accessible using the IPv6 address, go to the CLI on the Log Collector and remove the IPv4 address (using the delete deviceconfig system ip-address command) and then commit your changes.
PAN-25101 If you add a Decryption policy rule that instructs the firewall to block SSL traffic that was not previously being blocked, the firewall will continue to forward the undecrypted traffic. Workaround: Use the debug dataplane reset ssl-decrypt exclude-cache command to clear the SSL decrypt exclude cache.
PAN-25046 SSH host keys used for SCP log export are stored in the known hosts file on the firewall. In an HA configuration, the SCP log export configuration is synchronized with the peer device, but the known hosts file is not synchronized. When a failover occurs, the SCP log export fails. Workaround: Log in to each peer in HA and Test SCP server connection to confirm the host key so that SCP log forwarding continues to work after a failover.
PAN-23732 When you use Panorama templates to schedule a log export ( Device > Scheduled Log Export) to an SCP server, you must log in to each managed device and Test SCP server connection after the template is pushed. The connection is not established until the firewall accepts the host key for the SCP server.
PAN-20656 Attempts to reset the master key from the web interface ( Panorama > Master Key and Diagnostics) or the CLI on Panorama will fail. However, this should not cause a problem when pushing a configuration from Panorama to a device because it is not necessary for the keys to match.
PAN-20162 If a client PC uses RDP to connect to a server running remote desktop services and the user logs in to the remote server with a different username, when the User-ID agent queries the Active Directory server to gather user to IP mapping from the security logs, the second username will be retrieved. For example, if UserA logs in to a client PC and then logs in to the remote server using the username for UserB, the security log on the Active Directory server will record UserA, but will then be updated with UserB. The username UserB is then picked up by the User-ID agent for the user to IP mapping information, which is not the intended user mapping.
Known Issues Specific to the WF-500 Appliance
The following list includes known issues specific to WildFire 8.0 releases running on the WF-500 appliance. See also the specific and general Known Issues Related to PAN-OS 8.0 Releases.
Issue ID Description
WF500-4218 This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues. As part of and after upgrading a WildFire appliance to a PAN-OS 8.0 release, rebooting a cluster node ( request cluster reboot-local-node ) sometimes results in the node going offline or failing to reboot. Workaround: Use the debug cluster agent restart-agent CLI command to bring the node back online and to restart the cluster agent as needed.
WF500-4200 The Create Date shown when using the show wildfire global sample-status sha256 equal <hash> and show wildfire global sample-analysis commands is two hours behind the actual time for WF-500 appliance samples.
WF500-4186 This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues. In a three-node WildFire appliance cluster, if you decommission the backup controller node or the worker node ( request cluster decommission start ) and then delete the cluster-related configuration (high-availability and cluster membership) from the decommissioned node, in some cases the cluster stops functioning. Running the show cluster membership command on the primary controller node shows:
Service Summary: Cluster:offline, HA:peer-offline
In this state, the cluster does not function and does not accept new samples for processing. Workaround: Reboot the primary controller (run the request cluster reboot-local-node command on the primary controller’s local CLI). After the primary controller reboots, the cluster functions again and accepts new samples for processing.
WF500-4176 This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues. After you remove a node from a cluster, if the cluster was storing sample information on that node, the serial number of that node may appear in the list of storage nodes when you show the sample status ( show wildfire global sample-status sha256 equal <value> ) even though the node no longer belongs to the cluster.
WF500-4173 This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues. Integrated reports are not available for firewalls connected to a WF-500 appliance running in FIPS mode.
WF500-4166 In a WildFire appliance cluster with three or more nodes and with two controller nodes, if you try to configure a worker node as a controller node, the change should fail because a cluster can have only two controller nodes (primary and backup controller nodes). However, the commit operation on the worker node succeeds and causes the cluster to see the worker node as a third controller node, which cannot be allowed in the cluster. This prevents the converted worker node from connecting to the cluster manager, and the node is removed from the cluster. Running the show cluster task local command displays:
Server error: Cannot connect to ‘cluster-mgr’ daemon, please check it is running.
Status Report:
<node-ip-address>: reported leader <ip-address>, age 0.
<node-ip-address>: quit cluster due to too many controllers.
Workaround: Perform the following tasks to work around this issue:
1. Reconfigure the node to run in worker mode using the set deviceconfig cluster mode worker command.
2. Run the commit force command. (A standard commit operation fails and returns a message that the cluster manager is non-responsive.)
3. After the commit force operation succeeds, reboot the node using the request cluster reboot-local-node command. Until you reboot the node, the node’s application services do not respond.
WF500-4158 This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues. When you upgrade WildFire appliance clusters from Panorama, do not Reboot device after Install. Rebooting the cluster from Panorama results in an ungraceful reboot that causes the cluster to become unresponsive in some cases. Workaround: Push the upgrade from Panorama with Reboot device after Install disabled. After the software upgrade is complete, reboot each cluster node individually using the request cluster reboot-local-node command on each node’s local CLI.
WF500-4132 If you remove a node from a two-node WildFire appliance cluster by deleting the high-availability configuration ( delete deviceconfig high-availability ) and the cluster configuration ( delete deviceconfig cluster ), the single remaining cluster node cannot process samples. Workaround: Use either of the following workarounds to enable the remaining cluster node to process samples:
Make the cluster node a standalone WildFire appliance—Delete the HA and cluster configurations on the remaining cluster node and reboot the node. The node comes back up as a standalone WildFire appliance.
Re-create the cluster—Reconfigure the node you removed as a cluster node by adding the cluster and HA configurations using the following commands, so that both nodes come back up as cluster nodes and can process samples:
admin@WF-500# set deviceconfig cluster cluster-name <name> interface <cluster-communication-interface> node controller
admin@WF-500# set deviceconfig high-availability enabled yes interface ha1 port <port> peer-ip-address <node-port-ip-address>
admin@WF-500# set deviceconfig high-availability election-option priority (primary | secondary)
admin@WF-500# set deviceconfig high-availability interface ha1-backup peer-ip-address <node-backup-ha-interface-ip-address>
WF500-4047 This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues. In a three-node WildFire appliance cluster, decommissioning the active (primary) controller node fails. Attempting to decommission the active controller node by running the request cluster decommission start command results in a suspension of services on the node. Use the show cluster membership command to verify that the node services ( Service Summary and wildfire-apps-service ) are suspended. Workaround: Instead of using the request cluster decommission start command to decommission the active controller, fail over the active controller so that it becomes the passive (backup) controller first, and then decommission the passive controller:
1. Ensure that preemption is not enabled ( Preemptive: no ) by running the show high-availability state command. (Preemption forces the active controller to resume its role as the active controller, so that after a failover, when the former active controller comes back up, it becomes the active controller again instead of becoming the passive backup controller.) If preemption is enabled, disable it on the active controller by running the set deviceconfig high-availability election-option preemptive no command and then commit the configuration.
2. Fail over the active controller so that it becomes the passive (backup) controller by running the request cluster reboot-local-node operational command on the active controller.
3. Wait for the former active controller to come up completely. Its new cluster role is the passive controller (as shown in the prompt).
4. When the node is in the passive controller state, remove the HA configuration ( delete deviceconfig high-availability ) and the cluster configuration ( delete deviceconfig cluster ) and then commit the configuration.
5. Decommission the node by running the request cluster decommission start command.
WF500-4044 Removing a node from a cluster using Panorama is not supported. Workaround: Remove the node from the cluster locally, from the node’s own CLI.
WF500-4001 On Panorama, you can configure an authentication profile and Add groups or administrators to the Allow List in the profile ( Panorama > Authentication Profile > <auth-profile> > Advanced). However, WildFire appliances and appliance clusters support only the all value for the groups in the allow list for an authentication profile. The analogous WildFire appliance CLI command is set shared authentication-profile <name> allow-list [all] , with all as the only allowed parameter. Attempting to push and commit a configuration that specifies a group or name other than all in the authentication profile from Panorama to a WildFire appliance or appliance cluster is not successful. However, Panorama shows that the commit succeeded as the Last Commit State even though the configuration was not pushed to the WildFire appliance or appliance cluster. Config Status displays cluster nodes as Out of Sync and when you click Last Commit State > commit succeeded, the Last Push State Details displays an error message. For example, if you Add a group named abcd to an authentication profile named auth5 in Panorama and then attempt to push the configuration to a WildFire appliance cluster, Panorama returns the error authentication-profile auth5 allow-list ‘abcd’ is not an allowed keyword . This is because WildFire appliances and appliance clusters see the allow list argument as a keyword, not as a variable, and the only keyword allowed is all .
WF500-3966 The request cluster join ip <ip-address> CLI command is not functional and should not be used.
WF500-3935 WildFire appliances build and release all untested signatures to the connected firewalls every five minutes, which is the maximum time that a signature remains untested (not released to firewalls). When a WildFire appliance joins a cluster, if any untested (unreleased) signatures are on the appliance, they may be lost instead of migrating to the cluster, depending on when the last build of untested signatures occurred.
WF500-3892 The request cluster reboot-all-nodes CLI command is not functional and should not be used. Workaround: To reboot all nodes in a cluster, reboot each node individually using the request cluster reboot-local-node command from the node’s local CLI.
WF500-3868 This issue is now resolved. See PAN-OS 8.0.6 Addressed Issues. In a WildFire appliance cluster with two controller nodes in an HA configuration, under certain circumstances, synchronizing the controller node running configurations can cause a validation error that prevents the configuration from committing on the peer controller. When you run the request high-availability sync-to-remote running-configuration command on one controller node, it overwrites the candidate configuration on the peer controller and commits the new (synchronized) configuration. However, if you then change the configuration on the peer controller and commit the change, the commit fails and returns a validation error:
Validation Error: template unexpected here
Workaround: To avoid the validation error, on the controller node on which the commit failed, save the configuration to a file using the save config to <filename> operational command and then load the saved configuration using the load config from <filename> command.
WF500-1584 When using a web browser to view a WildFire Analysis Report from a firewall that is using a WF-500 appliance for file sample analysis, the report may not appear until the browser downloads the WF-500 certificate. This issue occurs after upgrading a firewall and the WF-500 appliance to a PAN-OS 6.1 or later release. Workaround: Browse to the IP address or hostname of the WF-500 appliance, which will temporarily download the certificate into the browser. For example, if the IP address of the WF-500 is 10.3.4.99, open a browser and enter https://10.3.4.99. You can then access the report from the firewall by selecting Monitor > WildFire Submissions, clicking log details, and then clicking the WildFire Analysis Report tab.