PAN-OS 10.0.2 Addressed Issues
Focus
Focus

PAN-OS 10.0.2 Addressed Issues

Table of Contents
End-of-Life (EoL)

PAN-OS 10.0.2 Addressed Issues

PAN-OS® 10.0.2 addressed issues.
Issue ID
Description
PAN-156026
Fixed an issue where using the lscan/hyperscan feature with custom signatures caused a shared resource pool to be depleted, which resulted in a dataplane restart.
PAN-156023
Fixed an issue where a file system integrity check failed in FIPS-CC mode, which caused the appliance to enter maintenance mode.
PAN-155517
Fixed an issue where a sudden increase in URL-cloud data challenged the cache capacity of the device.
PAN-155459
Fixed an issue where an interface placed in a pre-defined zone was removed by the SD-WAN plugin after a commit to the firewall.
PAN-155373
Fixed a discrepancy between flag values on Panorama and the firewall for the same traffic log entry.
PAN-154930
Fixed an issue on Panorama where the ACC tab was blank.
PAN-154902
Fixed an issue where the IP address-to-tag mappings for dynamic address groups and FQDN objects were not retained if there was a content update for IoT.
PAN-154591
Fixed an issue where NULL users in panGlobalProtectGetConfig were not checked for before calling strcmp().
PAN-154274
Fixed an intermittent issue on Panorama where context switching to and from the managed firewall web interface caused the Panorama administrator to be logged out.
PAN-154092
An enhancement was made to provide an option to increase Data Plane Development Kit (DPDK) ring size and DPDK queue number for VM-Series firewalls deployed on ESXi.
PAN-154016
Fixed an issue where auto-commits failed for VM-Series firewalls bootstrapped with new content installation during bootstrap. The firewalls displayed the following error message: Details:Error: Undefined application <application-name>.
PAN-153998
Fixed an issue where port flaps and a delay in interface state changes occurred with commits.
PAN-153983
Fixed an issue where the IPSec encapsulation sequence was not properly synced to the dataplanes on a high availability (HA) active/passive cluster.
PAN-153952
Fixed an issue where the firewall treated external dynamic list entries with nested carets as invalid.
PAN-153874
Fixed a capacity issue caused by high operational activity and large configurations on Panorama. This fix increased the virtual memory limit on the configd process to 32GB.
PAN-153814
Fixed an issue where the firewall displayed the URL Filtering Safe Search Block Page on the specific site only, even when the traffic was matched to a specific rule that did not have any URL filtering policies.
PAN-153813
Fixed an issue where the proxy configuration did not get honored, which caused certificate revocation list (CRL) checks from the firewall to fail.
PAN-153791
Fixed an issue in DPDK code that cause a system restart on a process (brdagent).
PAN-153673
Fixed an issue where traffic logs were not shown due to a thread timeout that was causing the reading of the logs from the dataplane to slow.
PAN-153631
Fixed an issue where the firewalls did not generate traffic logs for implicitly allowed applications.
PAN-153516
Fixed an issue where PAN-OS software images that were manually uploaded to Panorama failed to be deployed on managed firewalls using the Panorama device deployment feature.
PAN-153382
Fixed an issue where the per-minute resource monitor was three minutes behind.
PAN-153328
Fixed a commit failure issue that occurred when IPv6 IP-pool range was configured on the gateway but IPv6 was not enabled on the interface.
PAN-153294
Fixed an issue on the firewall where a GlobalProtect username authenticated via Kerberos was unnecessarily normalized to SAMAccountName format.
PAN-153286
Fixed an issue on Panorama deployed on Amazon Web Services (AWS) where the Log Collector disk was on Admin disabled state when changing the instance type from m4 to m5.
PAN-153231
(PA-7080 Series firewalls only) Fixed an issue where firewalls deployed with PA-7000 100G Network Processing Cards (NPCs) and legacy cards using the older system management controller with over 2500 IPSec tunnels commit successfully, but the NPCs fail and display as down.
PAN-153210
Fixed an issue where the MLAV cloud server rejected the connection from the firewall when the Threat Prevention license was not installed on the firewall.
PAN-153207
Fixed an issue for VM-Series firewalls deployed on Azure where a process (pan_comm) restarted if DPDK was on.
PAN-153174
Fixed an issue where using XML API to download packet captures (pcap) did not work if the pcap file was larger than 8MB.
PAN-153113
Fixed an issue where the GlobalProtect gateway failed with the following error message: gateway does not exist.
PAN-153111
Fixed an issue where packet buffer unavailability caused host-bound sessions to remain in an opening state in the dataplane.
PAN-153019
Fixed an issue where the following error message appeared: Error: pan_tdb_load_sml_dfa_serialize(pan_tdb_ser.c:2424): pan_util_file_to_buf /opt/pancfg/mgmt/content//cache/common//sml_dfa.cache.ser error, even though the cache file got regenerated if it was missing.
PAN-152974
Fixed an issue where manually inputting lowercase protocol values to Test Security Policy Match resulted in a blank error window displaying on the web interface. With this fix, values cannot be manually input.
PAN-152912
Fixed an issue where a content update caused the Panorama XML cache build to fail. This resulted references of the used objects on Panorama being removed, which caused commits on the managed firewalls to fail.
PAN-152746
Fixed an issue where the firewall dropped GPRS tunneling protocol (GTPv2-x) Create Session Response packets with the following error message: bad port 84b.
PAN-152706
Fixed an intermittent issue where Panorama did not retrieve firewall logs from Cortex Data Lake.
PAN-152699
Fixed an issue where the firewall added a redundant 0\r\n packet while processing Clientless VPN traffic.
PAN-152648
Fixed an issue where multiple all_pktproc processes stopped responding, which caused the dataplane to restart.
PAN-152592
Fixed an issue where the following error message: globalprotectgateway-invalid-license daily even when the firewall did not use GlobalProtect features that required a license.
PAN-152559
(Japanese language only) Fixed an issue where the NAT From Address attribute in the Add Log Filter (Monitor > Logs - Traffic) popup window was mistranslated.
PAN-152440
Fixed an issue where the syntax on GlobalProtect DNS suffixes was not validated.
PAN-152408
Fixed an issue where the firewall restarted if X-Forwarded-For (XFF) parsing was enabled either for Security policy lookup or User-ID.
PAN-152285
Fixed an issue where certain GTP-U sessions that could not complete installation still occupied the flow table, which led to higher-than-expected session table usage.
PAN-152106
Fixed an issue where a process (genindex.sh) caused the management plane CPU usage to remain high for a longer period of time than expected.
PAN-152103
Fixed a memory leak issue where a process (dnsproxy) did not properly release memory after usage.
PAN-152098
Fixed an issue where the Policy Optimizer for some device groups showed incorrect data with a - character in the rule usage column.
PAN-152027
Fixed an issue with URL Filtering where websites that were previously in the malicious category but have since been cleared remained in the malicious category in the dataplane cache. These websites were moved to the benign category only after you manually cleared the cache.
PAN-152026
Fixed an issue where the session browser did not display results when filtered for IPv6 addresses with more than 31 characters.
PAN-152008
Fixed an intermittent issue in firewalls where configuring group-mapping without an include list resulted in zero or a partial number of Domain Users group members.
PAN-151888
Fixed an issue where remote users were able to save log filters, which created a local user with the same username. With this fix, remote users cannot save a log filter.
PAN-151806
Fixed an issue where the Panorama web interface showed the SD-WAN license status as red despite having the correct batch license information for the managed firewalls.
PAN-151692
Fixed a permission issue where a Panorama administrator was unable to download or install dynamic updates (Panorama > Device Deployment).
PAN-151691
Fixed an issue where the number of items under Add match criteria for Dynamic Address Groups did not update after setting a search filter string.
PAN-151679
Fixed an issue where it was possible via the CLI to create a Security policy rule with the any and application-default options simultaneously configured.
PAN-151503
Fixed an intermittent issue where memory was not fully freed after a Panorama commitAll completion on the firewall.
PAN-151489
Fixed an issue where configuration changes for collector group device log forwarding were not logged in Panorama configuration logs.
PAN-151483
Fixed an issue where, when an out-of-order stream of TCP packets was subjected to HTTP header insertion, the packets were duplicated.
PAN-151469
Fixed an issue where packets were dropped unexpectedly due to errors parsing the IP version field.
PAN-151430
Fixed an issue where logs sent from the firewall to Panorama were delayed, and the current log summary database was inaccurate because the delayed logs were included.
PAN-151264
Fixed an issue where using the ampersand (&) character in URLs submitted via XML API caused an error.
PAN-151210
Fixed an issue where the dynamic address group learned in the parent dynamic group was not pushed to the child dynamic address group if the child dynamic address group was not configured with notify groups under the respective plugin.
When using the CLI command debug dau settings device-group recursive yes/no, clear previous dynamic address group entries from the Panorama database using the CLI command debug dau clear database device-group <dynamic address group name> for all dynamic address groups under the hierarchy for the dynamic address group configured in the monitoring definition. Also, do a full sync from the plugins configured using the command request plugins <plugin-name> sync.
PAN-151203
Fixed an issue where the firewall dropped certain GTPv1 Update PDP Context packets.
PAN-151198
Fixed an issue where Panorama admin users with read-only privileges were able to manage backups and load configurations on the firewall.
PAN-151164
Fixed an issue where logs weren't able to be migrated from PA-5200 Series firewalls manually via the CLI.
PAN-151120
Fixed an issue where the SYN-ACK packet matched stale entries in the session flow table and was dropped on the firewall with the following error message: Inactive flow state 0.
PAN-151061
Fixed an issue where certificate domains were not used for GlobalProtect portal getconfig actions, which resulted in a process (useridd) returning the wrong user group. This caused the wrong client configuration to be matched.
PAN-151057
Fixed an issue where upgrading the capacity license on a VM-Series HA pair resulted in both firewalls going into a non-functional state instead of only the higher capacity license firewall.
PAN-150750
(PA-5200 Series and PA-7000 Series firewalls only) Fixed an intermittent issue where the firewall dropped packets when two or more GTP packets on the same GTP tunnel were very close to each other.
PAN-150748
Fixed an issue where the firewall silently dropped GTPv2-C Delete Session Response packets.
PAN-150746
Fixed an issue where the firewall dropped GTP packets with Delete Bearer messages for EBI 6 if they were received within two seconds of receiving the Delete Bearer messages for EBI 5.
PAN-150729
Fixed an issue where a process (useridd) stopped responding when a User-ID agent was configured using the HA peer's management IP address.
PAN-150613
Fixed an issue that caused a process (mprelay) to stop responding when committing changes in the Netflow Server Profile configuration (Device > Server Profiles > Netflow).
PAN-150534
Fixed an issue where authentication logs with the subtype SAML were not forwarded to the syslog server.
PAN-150467
Fixed a memory leak issue with a unified query that caused a process (mprelay) to restart due to an out-of-memory (OOM) condition.
PAN-150445
Fixed an issue where the firewall did not translate IP addresses in Layer 7 payloads as per NAT translation for Oracle Application Server traffic.
PAN-150337
A fix was made to address a reflect cross-site scripting (XSS) vulnerability in the PAN-OS web interface that enabled an authenticated network-based attacker to mislead another authenticated PAN-OS administrator to click on a specially crafted link that performed arbitrary actions in the web interface as the targeted authenticated administrator (CVE-2021-3052).
PAN-150305
Fixed an issue where the output for show user ip-user-mapping-mp all, when called via XML API, was written to a file instead of returned via the API.
PAN-150247
Fixed an issue on the firewall where GlobalProtect Clientless VPN portal landing page customization for the navbar_bg_color variable did not take effect.
PAN-150110
Fixed an issue where Elasticsearch restarted unexpectedly when it ran out of memory. This was due to the vm.max-map-count value being set incorrectly in the newer version of Elasticsearch (starting from PAN-OS 9.0). With this fix, the value is set correctly.
PAN-150018
Fixed an issue warnings did not generate for shadowed IP range addresses with /32 mask based IP addresses.
PAN-150008
Fixed an issue on the firewall where configuring auto-tagging based on URL filtering logs resulted in tags being added to source IP addresses and not matching the log forwarding filter match criteria.
PAN-149912
Fixed an issue where FIB entries were unexpectedly removed due to miscommunication between internal processes.
PAN-149696
Fixed an intermittent issue where the GlobalProtect portal stopped responding with a 502 Bad Gateway response page when trying to access the portal URL using a web browser.
PAN-149645
Fixed an issue in a virtual wire deployment configured with Link State Pass Through enabled where, when one member port went down, the peer port took longer than expected to change the status to Down.
PAN-149641
Fixed an issue where firewalls stopped refreshing IP tag information when configured with the VM Information Sources feature with a VMWare vCenter Server.
PAN-149480
Fixed an issue where a custom report query from Panorama, which includes new fields not supported in prior releases, triggered a restart of a process (reportd) when Panorama was connected to log collectors running an earlier PAN-OS release.
PAN-149381
Fixed an issue where HSCI-A and HSCI-B displayed AdminStatus as down regardless of whether OperStatus was Up or Down.
PAN-149314
Fixed an issue where lookup of a security rule with a custom URL category on a multi-virtual system (vsys) failed when vsys<id>+ was not in the beginning the category name.
PAN-149297
Fixed a buffer overflow issue on the management server, which forced the administrator to log out on the web interface.
PAN-149295
Fixed an issue where the Safe Search Block Page was visible for a few seconds when browsing HTTP2 websites, which resulted in latency when browsing.
PAN-149248
Fixed an issue that prevented Panorama from pushing dynamic content to VM-Series firewalls configured with a pay-as-you-go (PAYG) license.
PAN-149209
Fixed an issue where a process (useridd) restarted after calling gethostbyname(), which returned NULL pointer. The returned value was not checked, and an attempt to dereference NULL pointer caused segmentation failure.
PAN-149207
Fixed an issue where the clear log acc CLI command did not remove URL summary logs.
PAN-149006
Fixed an issue on VM-Series firewalls deployed on Google Cloud Platform (GCP) where traffic was backhauled after a reboot when the policy-based forwarding (PBF) enforced symmetric return with a next hop feature was enabled and interface IP addresses were learned via DHCP.
PAN-149001
Fixed an issue where, when using certificate profiles configured under specific vsys, the GlobalProtect Machine Certification Check and HIP Object fail during a client certificate check.
PAN-148767
Fixed an issue where the firewall incorrectly created GTP-U sessions from Create Session Request and Create Session Response packets.
PAN-148564
Fixed an issue where Panorama stopped showing new logs when url_category_list was in the URL payload format of the HTTP(S) server profile used to forward URL logs from the Panorama Log Collector.
PAN-147959
Fixed an issue where the last commit state did not change to config sent to device when pushing a device group configuration in the Managed Device > Summary page on Panorama.
PAN-147847
Fixed an issue where traffic didn't hit the intended Security policy if SSL forward proxy was enabled and service was set to application-default.
PAN-147529
Fixed an issue where ValidateAll jobs were incorrectly logged as CommitAll in the configuration log of the firewall.
PAN-147305
Fixed an issue where a process (useridd) stopped responding to requests.
PAN-147193
Fixed an issue with the Panorama web interface where, when all device groups and templates were selected, a load configuration operation failed. This was caused by the XML cache rebuilding for each device group and template iteration.
PAN-147036
Fixed an issue where TCP connections got stuck between the firewall and the Log Collector if some packets were dropped on the path between the two appliances.
PAN-146215
(FPP offload based hardware model only) Fixed an issue where, when UDP traffic that was received on a tunnel had back-to-back client-to-server packets, random packets dropped.
PAN-146178
Fixed an issue where some Panorama management connections did not adhere to the SSL/TLS Service Profile specified in Secure Communication Settings.
PAN-146115
Fixed an issue where GlobalProtect™ IPSec connections flapped when the peer address to the gateway changed due to NAT.
PAN-146030
Fixed an issue where enhanced application logging was not supported for devices connected to Cortex Data Lake through a proxy server.
PAN-146006
Fixed an issue where enabling or disabling redundancy did not take effect.
To utilize this fix, manually run es_restart.py -t from root login.
PAN-145996
An update was made to change the following system log message: DO NOT CHOOSE WMI in Active-Directory FOR YOUR USE CASE IF SEE THIS LOG AGAIN IN <number> SECONDS to Please change server monitor(log server) Transport Protocol from WMI to WinRM for better performance. This update also reduces the severity from High to Informational.
PAN-145475
Fixed an issue where the firewall sent Bidirectional Forwarding Detection (BFD) packets with the final bit always set to on. With this fix, the final bit is cleared after the first response.
PAN-143332
(PA-800 Series firewalls only) Fixed an issue where the deployment of the Master Key through the web interface failed.
PAN-142867
Fixed an issue where service session timeout override was not used for custom applications and the default value was chosen instead.
PAN-141495
Fixed an issue where the following settings were not pushed from Panorama to the firewall: Minimum Length, Failed Attempts, and Lockout Time (Template > Device > Setup > Management).
PAN-140492
Fixed an issue on the firewall where, with SSL forward proxy feature enabled, random file downloads over a decrypted session would stall or hang in the middle.
PAN-136652
(PA-3200 Series firewalls only) Fixed an issue where you were unable to disable auto negotiation on small form-factor pluggable (SFP) ports.
PAN-130955
Fixed an issue where templates on the secondary Panorama appliance were out of sync with the primary Panorama appliance due to an empty content-preview node.
PAN-123805
Fixed an issue on the firewall web interface where the Secure Communication Settings configuration didn't display a green cog widget to indicate that the configuration was pushed from Panorama.
PAN-118887
Fixed an issue where the PAN-OS 10.0 pattern-matching engine didn't support the regular expression (regex) element \C.