PAN-OS 8.1.11 Addressed Issues
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
End-of-Life (EoL)
PAN-OS 8.1.11 Addressed Issues
PAN-OS® 8.1.11 addressed issues
Issue ID | Description |
---|---|
WF500-5137 | Fixed an issue where the show wildfire global last-device-registration all CLI
command incorrectly returned an error message: Failed, even
when you registered the firewall correctly. |
PAN-126547 | Fixed an issue where a process (configd)
stopped responding when an XML API call with type=config&action=get triggered
during a commit. |
PAN-126354 | Fixed an issue where log in and commits
took longer than expected when you used XML API calls to create
new address objects. |
PAN-125517 | An enhancement was made to improve firewall
performance for stream control transmission protocol (SCTP) flows.
To enable this enhancement, run the set sctp fast-sack yes CLI
command. |
PAN-125346 | An enhancement was made to enable you to
configure IPv6 in the web interface and through a CLI command when
you added IPv6 virtual addresses to a firewall in a high availability
(HA) active/active configuration. |
PAN-125069 | An enhancement was made to enable you to
delete the GTP-C tunnel with all GTP-U tunnel sessions after the
firewall received a Delete Bearer Response message where default
bearer ID=5. To enable this enhancement, run the set gtp ebi5-del-gtpc [yes/no] CLI
command. |
PAN-124996 | Fixed an issue where a GlobalProtect™ daemon (rasmgr)
stopped responding when you connected with an overlapping IPv6 address,
which caused subsequent GlobalProtect connections to fail. |
PAN-124658 | Fixed an issue where the timer system call
activated more frequently than expected, which caused higher than
expected CPU usage. |
PAN-124299 | Fixed an issue on VM-Series firewalls in
an HA active/passive configuration where the active firewall leaked
packet buffers when links were disconnected from the hypervisor. |
PAN-123850 | (PA-5200 and PA-7000 Series firewalls
only) Fixed an issue where conflicting GTP sessions were installed
in short interval, which caused the firewall to queue GTP packets
and deplete packet buffers. |
PAN-123446 | Fixed an issue where an administrator with
a Superuser role could not reset administrator credentials. |
PAN-123371 | Fixed an issue where the Wildfire
Analysis Report incorrectly displayed the following
error message: You are not authorized to access this page on the web interface. |
PAN-123030 | Fixed an issue with a memory leak associated
with a process (mgmtsrvr) when you pushed a commit. |
PAN-122662 | (PA-5260 firewalls only) Fixed
an issue where a process (mpreplay) stopped responding
after a commit when you configured the firewall with more than 200
virtual systems (vsys) running on PAN-OS® 8.1.9. |
PAN-122601 | Fixed a memory leak issue with a process (configd)
when you performed device group related operations. |
PAN-122550 | Fixed an issue where VM-Series firewalls
on Microsoft Azure experienced traffic latency due to an incompatible
driver. |
PAN-121911 | Fixed an issue where a process (logrcvr) restarted
during commits. |
PAN-121523 | Fixed an issue where an API call triggered
memory errors, which caused a process (configd) to
stop responding and triggered SIGABRT logs. |
PAN-121447 | Fixed an issue where the BGP did not remove
the IPv6 default route from the forwarding table after the route
was withdrawn. |
PAN-121133 | Fixed an issue on Panorama M-Series and
virtual appliances where a validation job triggered a memory leak
in a process (configd), which caused context switching
between Panorama and the web interface to respond slower than expected. |
PAN-121001 | Fixed an issue where the firewall only reported
a maximum of two logs when you configured more than two hardware
security modules (HSM). |
PAN-120901 | Fixed an issue on Panorama M-Series and
virtual appliances where partial commits did not apply configuration
changes as expected. |
PAN-120662 | (PA-7000 Series firewalls using PA-7000-20G-NPC
cards only) Fixed an intermittent issue where an out-of-memory
(OOM) condition caused the dataplane or internal path monitoring
to stop responding. |
PAN-120361 | Fixed an issue on Panorama M-Series and
virtual appliances where objects were not compressed, which caused
higher than expected CPU and memory usage. |
PAN-120287 | Fixed a JavaScript error due to an incorrect
HTTP response, which prevented GlobalProtect Clientless VPN applications
to load. |
PAN-120151 | Fixed an issue where the DNS packet parser
incorrectly processed DNS packet headers when the QD count is 0,
which caused the DNS server to stop responding. |
PAN-119862 | (PA-5050 firewalls only) Fixed
an intermittent issue where an out-of-memory (OOM) condition caused
the dataplane or internal path monitoring to stop responding. With
this fix, session capacity is reduced by 400,000. |
PAN-119765 | Fixed an intermittent issue where the firewall
dropped sessions that used a large number of predict sessions. |
PAN-119680 | Fixed a rare issue where the show running CLI
commands for policy addresses caused file descriptor leaks. |
PAN-119647 | Fixed an issue where a process (mgmtsrvr) stopped
responding due to an out-of-memory (OOM) condition. |
PAN-119225 | Fixed an issue where an inaccurate sequence
number check for an RST packet caused the packet to drop. |
PAN-119172 | Fixed an issue where the firewall incorrectly
enforced URL category policies and erroneously triggered alert instead of block. |
PAN-118985 | Fixed an issue on Panorama M-Series and
virtual appliances where a process (configd) experienced
high memory utilization and a memory leak condition, which caused
slower than expected performance. |
PAN-118720 | Fixed an issue on a firewall in an HA active/active
configuration where Oracle traffic SYN packets dropped intermittently
with the flow_fpp_owner_err_no_predict counter. |
PAN-118583 | Fixed a memory allocation issue that prevented
URL filtering logs from displaying the full URL. |
PAN-118509 | Fixed an issue on Panorama M-Series and
virtual appliances where shared policies were out of sync due to
an empty stream control transmission protocol (SCTP) after you upgraded
the firewall from PAN-OS 8.0.16 to PAN-OS 8.1.8. |
PAN-118180 | Fixed an issue on firewalls configured with
authentication policies where UDP and ICMP packets matching an authentication
policy did not generate traffic logs as defined in the Security
policy when sessions were redirected or denied. |
PAN-118057 | Fixed an issue on a firewall in an HA active/passive
configuration where a process (all_pkts) stopped responding
and the dataplane restarted due to an internal path monitoring failure
and an HA failover event. |
PAN-118055 | Fixed an issue where administrators were
unable to export Security Assertion Markup Language (SAML) metadata
files from virtual system (vsys) specific authentication profiles. |
PAN-117959 | Fixed an issue where LDAP authentication
failed when you configured the authentication server with an FQDN. |
PAN-117900 | Fixed an issue where commits failed when
you moved an object referenced in a policy to a shared group. |
PAN-117888 | Fixed an issue where the firewall was unable
to detect the hardware security module (HSM), which caused the firewall
to drop SSL traffic. |
PAN-117738 | (PA-3050 and PA-3060 firewalls only)
Fixed an issue where a higher than expected number of flow_fpga_flow_update messages occurred
when you configured QoS. |
PAN-117727 | Fixed an issue where job threads were deadlocked,
which prevented log in attempts and displayed the following error
message: CONFIG_LOCK: write lock TIMEDOUT for cmd. |
PAN-117303 | Fixed an issue where the BGP aggregate prefix,
which is advertised to multiple BGP peers was removed from RIB OUT
when you disabled one of the BGP peers. |
PAN-117120 | Fixed an issue on Panorama M-Series and
virtual appliances where a process (configd) restarted
due to virtual memory issues. |
PAN-117086 | Fixed an issue where community attributes
to BGP routes had a character limit of 31 characters, which caused
expressions to take longer than expected to process. |
PAN-117026 | Fixed an issue where eBGP peers connected
by a VPN tunnel failed to come up when you configured eBGP Multi Hop to 0. |
PAN-116949 | Fixed a memory leak issue with a process (mprelay),
which caused the dataplane to restart. |
PAN-116903 | Fixed an issue on Panorama M-Series and
virtual appliances where you were unable to configure Enable
X-Auth Support (NetworkGlobalProtectGatewaysTemplate<Template-stack>AgentTunnel Settings)
at the Template-stack level. |
PAN-116772 | Fixed an issue where the firewall sent empty
attributes in the LDAP query when you did not configure Alternate
Username 1 - 3 (DeviceUser IdentificationGroup Mapping Settings<group-name>User and Group Attributes)
in the User Attributes web interface. |
PAN-116729 | Fixed an issue where you were unable to
deploy bootstrapped content in offline environments due to content
validity checks. |
PAN-116611 | Fixed an issue where an API call for correlated
events did not return any events. |
PAN-116473 | Fixed an issue where the firewall logged
URL categories configured for Allow in the URL filtering logs. |
PAN-116384 | An enhancement was made to enable firewalls,
Panorama management servers, and log collectors running a PAN-OS
8.1 release to receive new App-ID™ signatures in the new ID signature
range (7,020,001 to 7,040,000). To enable this enhancement, you
must reinstall the current content update or install a later content
update. |
PAN-116334 | Fixed an issue where a process (mgmtsrvr) leaked
memory caused by SNMP traps. |
PAN-116286 | Fixed an issue where commits failed after
you upgraded from PAN-OS 8.0.16 to PAN-OS 8.1.6 due to an invalid
encryption state for a host information profile (HIP) object. |
PAN-116274 | Fixed an issue where the firewall was unable
to authenticate when you pushed a public key from Panorama. |
PAN-116123 | Fixed an issue where a process (devsrvr)
stopped responding when you performed a commit or a configuration
validation when the proxy ID contained 24 or more characters. |
PAN-115990 | Fixed an issue where the FQDN address object (PolicySecurity<address-object>Value) displayed the following
unrelated error: <FQDN-name> Not used. |
PAN-115959 | Fixed an issue where DNS names with more
than 63 characters did not resolve FQDN address objects during an
FQDN refresh. |
PAN-115890 | Fixed an issue where the show system info CLI
command incorrectly displayed VMware ESXi as VMWare ESXi. |
PAN-115879 | Fixed an issue on a firewall where a bypass
switch sent heartbeat messages to the firewall, which triggered
non-stop link status change interrupts through a Marvell switch. |
PAN-115738 | Fixed an issue where data logs were generated
but the firewall did not forward the logs to the syslog server. |
PAN-115697 | Fixed CVE-2019-17437, see PAN-SA-2019-0038 for details. |
PAN-115549 | Fixed an issue where predict sessions were
incorrectly created with a captive-portal zone,
which caused the firewall to drop RTP traffic. |
PAN-115349 | Fixed an issue where an incorrect predict
session was created when a policy-based forwarding (PBF) policy
was used without a NAT in the parent session, which caused the firewall
to drop RTP and RTCP packets. |
PAN-115344 | Fixed an issue where the Username Modifier %USERDOMAIN%\%USERINPUT% enabled you
to log in to a locked out user account. |
PAN-115287 | Fixed an issue where commits failed and
displayed the following error message: Commit job was not queued. All daemons are not available. |
PAN-115282 | Fixed an issue where temporary download
files were deleted before a download job was completed, which caused
the progress bar to remain at 0% and prevented a timeout when downloads
fail. |
PAN-115281 | Fixed an issue where the firewall did not
resolve an external dynamic list server address when the DNS proxy
configured it as a static entry. |
PAN-115108 | Fixed an issue on Panorama M-Series and
virtual appliances where scheduled uploading and installation of
WildFire® content meta files to WF-500 appliances failed and displayed
the following error message: device not supported. |
PAN-114880 | Fixed an issue where the debug management-server summary-logs flush-options max-keys CLI
command did not persist through a system reboot. |
PAN-114856 | A change was made to limit debug log visibility
to superusers only. |
PAN-114771 | Fixed an issue on Panorama M-Series and
virtual appliances where Decrypt Mirror (ObjectsDecryptionDecryption Profile<Device Group-name>)
did not appear in the Interface drop-down
menu when you tried to configure a Decryption Profile. |
PAN-114667 | Fixed an issue on a firewall in an HA active/passive
configuration where a split-brain condition occurred after you upgraded
from PAN-OS 8.1.3 to PAN-OS 8.1.6. |
PAN-114628 | Fixed an issue where Panorama was unable
to query logs forwarded from the firewall to the log collector. |
PAN-114540 | Fixed an issue where renaming a template
stack did not change the value and reset to the original value after
you commit the change. |
PAN-114456 | Fixed an issue where extended packet capture
(pcap) for threat logs caused a process (mgmtsrvr) to stop responding. |
PAN-114427 | Fixed an issue where an empty host name
in the HTTP header caused a web server process (websrvr)
to stop responding when you accessed the captive portal redirect
page. |
PAN-114270 | Fixed an issue where the firewall dropped
TCP trace route traffic after you upgraded to PAN-OS 8.1.5. To leverage
this fix, run the set session tcp-reject-diff-syn no CLI command. |
PAN-114247 | Fixed an issue where a larger than expected
number of Could not find entry for interface ethernet1/<interface>.<subinterface> in CPS table filled
the snmpd.log, which caused the log file to rotate more frequently
than expected. |
PAN-113610 | Fixed an issue where Panorama incorrectly
deleted valid device group directories and was unable to generate
reports. |
PAN-113606 | Fixed an issue where the Throughput column (PanoramaManaged DevicesHealth) was incorrectly labeled. |
PAN-113261 | (PA-5200 Series firewalls only)
Fixed an issue where the total entries for the URL filtering allow
list, block list, and custom categories was incorrectly changed
to a 100,000 entries limit. |
PAN-112661 | Fixed an issue where you were unable to
access a firewall due to a defective small form-factor pluggable
(SFP)/SFP+ module inserted into the firewall. |
PAN-112321 | Fixed an issue where a daemon (sslmgr)
caused an out-of-memory condition. |
PAN-111850 | Fixed an issue where the firewall did not
capture the number of packets in the threat packet capture (pcap)
as configured in the extended packet capture length setting. |
PAN-111544 | Fixed an issue on Panorama M-Series and
virtual appliances configured as log collectors where SSH did not
respond after you enabled SSH on ethernet1/1. |
PAN-110685 | Fixed a rare issue where an incorrect User-ID™
match to the respective LDAP group caused a security policy mismatch. |
PAN-110098 | Fixed an issue on a firewall in an HA active/passive
configuration where you were unable to synchronize configurations
or dynamic updates between HA pairs. |
PAN-109874 | Fixed a memory leak issue on a firewall
during a commit, which prevented the firewall from generating GlobalProtect
client configurations. |
PAN-108876 | Fixed an issue where the firewall dropped
Session Initiation Protocol (SIP) registration packets, which caused
SIP sessions to fail. |
PAN-108488 | Fixed an issue where a typo in the MIB definition
file caused an error message: ERROR: Cannot find symbol panSctpDIamAvpCode when
you loaded a PAN-TRAPS.my file. |
PAN-108234 | Fixed an issue on a firewall configured
with a GlobalProtect gateway where after you upgraded from a PAN-OS
7.1 release to a PAN-OS 8.0 or later release and committed the configuration,
the following error message displayed: SSLVPN: Invalid access-routess (null) in tunnel GPgateway-N. |
PAN-107330 | Fixed an issue where when you configured
the URL Filtering Profile (ObjectsURL Filtering<filter-name>Categories)
to Shared all custom URL categories pushed displayed
on the web interface and returned the following error message: test -> credential-enforcement -> allow 'Blocked-Category-Exceptions' is not valid reference test -> credential-enforcement -> allow is invalid. |
PAN-107207 | Fixed an issue where the VPN tunnel operational
status incorrectly displayed “up" even
though the VPN tunnel is down. |
PAN-106889 | Fixed a rare issue on a firewall in an HA
active/passive configuration running in FIPS-CC mode where the passive
firewall rebooted in to maintenance mode. |
PAN-106434 | Fixed an issue where a process (keymgr)
stopped responding due to missed heartbeats, which caused IPSec
tunnels to stop responding. |
PAN-105806 | Fixed an issue where the firewall did not
detect duplicate Destination/Source IP Addresses entered into the Security Policy
Rule. |
PAN-105437 | Fixed an issue where a process (useridd)
ran out of file descriptors and stopped responding due to the rate
of concurrent Security Assertion Markup Language (SAML) requests
initiated by Authentication policy rules. |
PAN-104178 | Fixed an issue on Panorama M-Series and
virtual appliances where CLI commands returned the following error
message: Error: Timed out while getting config lock. Please try again when
a commit job was not pending. |
PAN-103500 | An enhancement was made to enable the firewalls
and Panorama M-Series and virtual appliances to set the SameSite
attribute to Strict and the GlobalProtect
portal to set the SameSite attribute to Lax. |
PAN-102195 | Fixed an issue where the firewall did not
detect all threat sessions while the App and Threat content installation
was processed. |
PAN-100977 | (VM-Series NSX edition firewalls only)
Fixed an issue where the existing logs for dynamic address updates
had insufficient information to debug the root cause of a bug and
where the dynamic address update logs were larger than expected,
which caused the file to roll over every five minutes and did not
provide a sufficient log history to debug issues. |
PAN-98584 | (PA-5200 Series and PA-3200 Series firewalls
only) Fixed a rare issue where invalid packets caused the firewall
to stop responding as expected when you configured the dataplane
port to traverse HA3 traffic. |
PAN-97784 | Fixed an issue on a firewall where repeated
failed validation errors were reported for validated configurations
due to a race condition. |
PAN-97232 | Fixed an issue on a firewall in an HA active/passive
configuration where a process (pan_comm) stopped responding
when you configured an external dynamic list, which caused commits
to fail and displayed the following error message: failed to handle CONFIG_UPDATE_START. |
PAN-95230 | Fixed an issue where the Security Assertion
Markup Language (SAML) schema size limit (100,000 characters) prevented
the SAML Identity Provider Server Profile Import (DeviceServer ProfilesSAML Identity ProviderImport)
from importing SAML metadata. |
PAN-90738 | Fixed an issue where a process (configd) exceeded
the virtual memory usage limit and caused the firewall to restart.
With this fix, you must run the debug management-server system globalfind disable-db-lookup and debug management-server system appweb-thread-count enhance commands. |
PAN-89649 | Fixed an issue where Panorama did not send
the preference list to managed firewalls, which caused logs to be
forwarded to the CMS instead of the log collector. |