A security issue has been fixed (CVE-2021-3064).

Fixed an issue where, on Panorama, context switching to the web interface of a managed firewall running PAN-OS 8.1.16 did not work.

Fixed an issue where the proxy configuration did not get honored, which caused certificate revocation list (CRL) checks to fail from the firewall.

Fixed an issue where certain GPRS tunneling protocol (GTP-U) sessions that could not complete installation still occupied the flow table, which led to higher session table usage.

Fixed an issue where the management plane CPU usage remained high for a longer period of time than expected due to a process (genindex.sh).

Fixed an issue where administrators were unable to export Security Assertion Markup Language (SAML) metadata files from virtual system (vsys) specific authentication profiles.

Fixed an issue where the firewall dropped certain GTPv1 Update PDP Context packets.

Fixed an issue where upgrading the capacity license on a virtual machine (VM) high availability (HA) pair resulted in both firewalls going into a non-functional state instead of only the higher capacity license firewall.

(PA-5200 Series firewalls only) Fixed an intermittent issue where the firewall dropped packets when two or more GTP packets on the same GTP tunnel were very close to each other.

Fixed an issue where the firewall silently dropped GTPv2-C Delete Session Response packets.

Fixed an issue where the firewall dropped GTP packets with Delete Bearer messages for EBI 6 if they were received within two seconds of receiving the Delete Bearer messages for EBI 5.

Fixed an issue that caused a process (mprelay) to stop responding when committing changes in the Netflow Server Profile configuration (Device > Server Profiles > Netflow).

Fixed an issue where FIB entries were removed incorrectly due to miscommunication between internal processes.

(PA-7000 Series firewalls only) Added CLI commands to enable/disable resource-control groups and CLI commands to set an upper memory limit of 8G on a process (mgmtsrvr). To enable resource-control groups, use debug software resource-control enable and to disable them, use debug software resource-control disable. To set the memory limit, use debug management-server limit-memory enable, and to remove the limit, use debug management-server limit-memory disable. For the memory limit change to take effect, the firewall must be rebooted.

(PA-7000b Series firewalls only) Fixed a buffer overflow issue.

Fixed an issue where an API call for correlated events did not return any events.

Fixed an issue where, after a policy commit and session rematch, stream control transmission protocol (SCTP) logs for an existing SCTP session still showed old rule information.

Fixed an issue where a process (useridd) stopped responding to requests.

A fix was made to address an authentication bypass vulnerability in the GlobalProtect SSL VPN component of PAN-OS that allowed an attacker to bypass all client certificate checks with an invalid certificate. As a result, the attacker was able to authenticate as any user and gain access to restricted VPN network resources when the gateway or portal was configured to rely only on certificate-based authentication (CVE-2020-2050).

Fixed an issue where memory usage on a process (useridd) was high, which caused the process to restart on the firewall acting as the User-ID redistribution agent. This issue occurred when multiple clients requested IP address-to-user mappings at the same time.

Fixed an issue where Application and Threat Content installation failed on the firewall with the following error message: Error: Threat database handler failed.

Fixed an issue where BGP learned routes were incorrectly populated with a VR error as a next hop.

A fix was made to address a vulnerability in the PAN-OS signature-based threat detection engine that allowed an attacker to evade threat prevention signatures using specifically crafted TCP packets (CVE-2020-1999).

Fixed an issue on an M-600 appliance where the Panorama management server stopped receiving new logs from firewalls because delayed log purging caused log storage on the Log Collectors to reach maximum capacity.

Fixed an issue with the automated correlation engine that caused firewalls to stop generating correlated event logs for the beacon-heuristics object (ID 6005).

Fixed an issue on Panorama where a custom administrator with all rights enabled was not able to display the content of the external dynamic list (EDL) on the Panorama web interface.

Fixed an issue where Log Collectors had problems ingesting logs for older days received at a high rate.

Fixed an issue where the firewall unexpectedly stopped processing traffic to due a buffer allocation failure under the QOS-based buffer allocation method.

Fixed an issue where SSH service restart management did not take effect in the SSH management server profile.

Fixed an issue where, after rebooting the firewall, the SNMP object identifier (OID) for TCP connections per second (panVsysActiveTcpCps / .1.3.6.1.4.1.25461.2.1.2.3.9.1.6.1) returned 0 until another OID was pulled. Additionally, after a restart of a daemon (snmpd), if the above OID was called before other OIDs, there was an approximate 10 second delay in populating the data pulled by each OID.

Fixed an issue where the Host Evasion Threat ID signature did not trigger for the initial session even after the DNS response was received before the session expired.

Fixed an issue where a process (logrcvr) exited due to a race condition.

(PA-7000 Series firewalls only) Fixed a rare issue where the firewall rebooted due to path monitoring failure on the Log Processing Card (LPC).

A fix was made to address a vulnerability where the password for a configured system proxy server for a PAN-OS appliance was displayed in cleartext when using the CLI in PAN-OS (CVE-2020-2048).

Fixed an issue where the web interface and the CLI were inaccessible, which caused the following error message to display on the web interface: Timed out while getting config lock.

Fixed an issue where dynamic route updates triggered an unintentional refresh of the DHCP client interface IP address, which led to the removal and re-addition of the default route associated with the DHCP client IP address and caused traffic disruption.

(PA-7000 Series firewalls only) Enhanced latency-sensitive protocols processing. With this fix, the following latency-sensitive control traffic will be prioritized: BGP, Bidirectional Forwarding Detection (BFD), LACP, OSPF, OSPFv3, Protocol Independent Multicast (PIM), and Internet Group Management Protocol (IGMP).

Fixed an issue where host information profile (HIP) reports failed to show up via the web interface or the CLI.

Fixed an issue where a large number of groups in group mappings caused a process (useridd) to exit.

Added an enhancement to reduce the memory usage of a process (logrcvr) to avoid out-of-memory (OOM) conditions on lower-end platforms.

Fixed an issue where the keyword [Disabled] was missing from the disabled policies exported in CSV/PDF format.

Fixed an issue where the data for a botnet report was deleted before the botnet report was completed.

Fixed an issue where the show config diff CLI command did not work correctly and produced unexpected output.

(PA-3220 firewalls only) Fixed an issue where the firewall generated some core files when generating tech support files

Fixed an issue where the paths between the control plane and the dataplanes in network processing cards (NPCs) stalled in the dataplane-to-control plane direction due to the Ring Descriptor entries becoming out of sync on each side. This produced unrecoverable data path monitoring failures, which caused the chassis to become nonfunctional.

Fixed an issue where AdminStatus for HA1 and High Speed Chassis Interconnect (HSCI) interfaces were incorrectly reported.

Fixed an intermittent issue where user-to-IP address mappings were not redistributed to client firewalls.

Fixed an issue where an HA configuration went out of sync when the HA sync job was queued and processed during an ongoing content installation job on the passive firewall.

Fixed an issue where templates on the secondary Panorama appliance were out of sync with the primary Panorama appliance due to an empty content-preview node.

Fixed a memory leak issue where virtual memory used by the SNMP process started to slowly increase when the request was sent with a request-id of 0.

(PA-800 Series firewalls only) Fixed an issue that prevented ports 9-12 from being powered down by hardware after being requested to do so.

Fixed an issue on Panorama where the show system logdb-quota CLI command took more time than expected, which caused the configuration lock to time out.

Fixed an issue where certificate-based authentication with IKEv2 IPSec tunnels failed to establish with some third-party vendors.

Fixed an issue where the firewall intermittently dropped DNS A or AAAA queries received over IPSec tunnels due to a session installation failure.

A fix was made to address an information exposure vulnerability in Panorama that disclosed the token for the Panorama web interface administrator's session to a managed device when the Panorama administrator performed a context switch (CVE-2020-2022).

Added two ciphers for GlobalProtect Portal TLS connections.

Fixed an issue where the LDAP query took longer than expected to populate in the web interface.

Fixed an issue where the firewall returned incorrect information about the logging service status when the information was requested through the web interface.

Fixed an issue where the Device Connectivity status was grey on the firewall web interface even when the SSL session to the logging service was successful.

Fixed an issue where Data Filtering profiles did not generate a packet capture (pcap) for Server Message Block (SMB) when action was set to Alert.

Fixed an issue on Panorama where WildFire cloud content download failed for content deployment to the WF-500 appliance.

Fixed an issue where BGP flapped continuously with Jumbo Frames enabled on the firewall.

Fixed a rare issue where a dataplane process stopped responding.

Fixed an issue where an incorrect subnet mask was displayed for redistributed routes in the show routing protocol redist all CLI command.

A fix was made to address a memory corruption vulnerability in the GlobalProtect portal and GlobalProtect gateway that enabled an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges (CVE-2021-3064).