PAN-OS 9.0.11 Addressed Issues
Focus
Focus

PAN-OS 9.0.11 Addressed Issues

Table of Contents
End-of-Life (EoL)

PAN-OS 9.0.11 Addressed Issues

PAN-OS® 9.0.11 addressed issues.
Issue ID
Description
PAN-154092
An enhancement was made to provide an option to increase Data Plane Development Kit (DPDK) ring size and DPDK queue number for VM-Series firewalls deployed on ESXi.
PAN-153983
Fixed an issue where the IPSec encapsulation sequence was not properly synced to the dataplanes on a high availability (HA) active/passive cluster.
PAN-153813
Fixed an issue where the proxy configuration did not get honored, which caused certificate revocation list (CRL) checks from the firewall to fail.
PAN-153673
Fixed an issue where traffic logs were not shown due to a thread timeout that was causing the reading of the logs from the dataplane to slow.
PAN-153436
Added CLI commands to increase thread limits to reduce task thread exhaustion on a process (configd).
PAN-153111
Fixed an issue where packet buffer unavailability caused host-bound sessions to remain in an opening state in the dataplane.
PAN-152706
Fixed an intermittent issue where Panorama did not retrieve firewall logs from Cortex Data Lake.
PAN-152285
Fixed an issue where certain GPRS tunneling protocol (GTP-U) sessions that could not complete installation still occupied the flow table, which led to higher-than-expected session table usage.
PAN-152106
Fixed an issue where a process (genindex.sh) caused the management plane CPU usage to remain high for a longer period of time than expected.
PAN-152027
Fixed an issue with URL Filtering where websites that were previously in the malicious category but have since been cleared remained in the malicious category in the dataplane cache. These websites were moved to the benign category only after you manually cleared the cache.
PAN-151203
Fixed an issue where the firewall dropped certain GTPv1 Update PDP Context packets.
PAN-151057
Fixed an issue where upgrading the capacity license on a VM-Series HA pair resulted in both firewalls going into a non-functional state instead of only the higher capacity license firewall.
PAN-150750
(PA-5200 Series and PA-7000 Series firewalls only) Fixed an intermittent issue where the firewall dropped packets when two or more GTP packets on the same GTP tunnel were very close to each other.
PAN-150748
Fixed an issue where the firewall silently dropped GTPv2-C Delete Session Response packets.
PAN-150746
Fixed an issue where the firewall dropped GTP packets with Delete Bearer messages for EBI 6 if they were received within two seconds of receiving the Delete Bearer messages for EBI 5.
PAN-150613
Fixed an issue that caused a process (mprelay) to stop responding when committing changes in the Netflow Server Profile configuration (Device > Server Profiles > Netflow).
PAN-150243
Fixed an issue where the candidate configuration was not updated to the running configuration after a successful commit when the commit was initiated by an API-privileges-only custom role-based administrator.
PAN-149912
Fixed an issue where FIB entries were unexpectedly removed due to miscommunication between internal processes.
PAN-149480
Fixed an issue where a custom report query from Panorama, which includes new fields not supported in prior releases, triggered a restart of a process (reportd) when Panorama was connected to log collectors running an earlier PAN-OS release.
PAN-149426
Fixed an issue where non-superuser administrators with all rights enabled were unable to Review Policies or Review Apps for downloaded or installed content versions.
PAN-149296
Fixed an issue on Panorama where system and configuration logs from dedicated Log Collectors did not display on Panorama appliances in Management Only mode.
PAN-148564
Fixed an issue where Panorama stopped showing new logs when url_category_list was in the URL payload format of the HTTP(S) server profile used to forward URL logs from the Panorama Log Collector.
PAN-147741
Fixed an issue where an API call for correlated events did not return any events .
PAN-147595
Fixed an issue where stream control transmission protocol (SCTP) logs for an existing SCTP session still showed old rule information after a policy commit and session rematch.
PAN-147285
Fixed an issue where host information profile (HIP) details were not available on Panorama even with a valid and active HIP redistribution configuration.
PAN-146878
Fixed an issue where TCP traffic dropped due to TCP sequence checking in an HA active/active configuration where traffic was asymmetric.
PAN-146650
A fix was made to address an authentication bypass vulnerability in the GlobalProtect SSL VPN component of PAN-OS that allowed an attacker to bypass all client certificate checks with an invalid certificate. As a result, the attacker was able to authenticate as any user and gain access to restricted VPN network resources when the gateway or portal was configured to rely only on certificate-based authentication (CVE-2020-2050).
PAN-146531
Fixed an issue where conversion from Panorama mode to logger mode was enabled even when an administrative user named admin did not exist in the configuration, which prevented access to the appliance after conversion.
PAN-146506
Fixed an issue where memory usage on a process (useridd) was high, which caused the process to restart on the firewall that was acting as the User-ID redistribution agent. This issue occurred when multiple clients requested IP address-to-user mappings at the same time.
PAN-146284
Fixed an issue where Applications and Threats content installation failed on the firewall with the following error message: Error: Threat database handler failed.
PAN-146117
Fixed an issue on the firewall where memory usage on a process (devsrvr) increased after running the show object dynamic-address-group all CLI command.
PAN-146115
Fixed an issue where GlobalProtect™ IPSec connections flapped when the peer address to the gateway changed due to NAT.
PAN-145823
Fixed an issue where BGP-learned routes were incorrectly populated with a VR error as a next hop.
PAN-145757
Fixed an issue where a firewall process (all_pktproc) restarted while processing Session Traversal Utilities for NAT (STUN) over TCP.
PAN-145752
Fixed an issue where exporting policies to PDF or CSV files did not include all policies and contained duplicates.
PAN-145188
Fixed an issue on Panorama in PAN-DB mode where content updates did not successfully install, which caused the cloud state to degrade.
PAN-145133
A fix was made to address a vulnerability in the PAN-OS signature-based threat detection engine that allowed an attacker to evade threat prevention signatures using specifically crafted TCP packets (CVE-2020-1999).
PAN-144919
Fixed an issue on an M-600 appliance where the Panorama management server stopped receiving new logs from firewalls because delayed log purging caused log storage on the Log Collectors to reach maximum capacity.
PAN-144448
Fixed an issue with the automated correlation engine that caused firewalls to stop generating correlated event logs for the beacon-heuristics object (ID 6005).
PAN-143959
Fixed an issue on Panorama where a custom administrator with all rights enabled was not able to display the content of the external dynamic list (EDL) on the Panorama web interface.
PAN-143809
Fixed an issue where Log Collectors had problems ingesting older logs for previous days received at a high rate.
PAN-143796
Fixed an issue where commits failed on the firewall due to memory allocation failure. You can check configuration memory using the debug dataplane show cfg-memstat statistics CLI command.
PAN-141980
Fixed an issue where random member ports in a link aggregate group failed to join the aggregate group due to the following error: Link speed mismatch.
PAN-141923
Fixed an issue where authentication stopped working after a commit and a process (authd) exited, which caused other processes to exit.
PAN-141793
Fixed an issue where Panorama did not show correct logs filtered with not, leq, and geq.
PAN-141717
Fixed an issue where an administrative user using custom admin roles and without access to the Device tab was unable to expand the detailed views of Monitor > Logs.
PAN-141551
Fixed an issue where SSH service restart management did not take effect in the SSH management server profile.
PAN-141262
Fixed an issue where the resolution of FQDN for a policy on the web interface did not work as expected if the FQDN contained CAPITAL letters.
PAN-140900
Fixed an issue where IP address-to-tag mapping entries had negative time-to-live (TTL) values instead of being removed after expiry.
PAN-140883
Fixed an issue where, after rebooting the firewall, the SNMP object identifier (OID) for TCP connections per second (panVsysActiveTcpCps / .1.3.6.1.4.1.25461.2.1.2.3.9.1.6.1) returned 0 until another OID was pulled. Additionally, after a restart of a process (snmpd), if the above OID was called before other OIDs, there was an approximate 10-second delay in populating the data pulled by each OID.
PAN-140628
Fixed an issue where a memory leak on a process (useridd) caused multiple processes to restart during device serial number checks.
PAN-140382
Fixed an issue where the Host Evasion Threat ID signature did not trigger for the initial session even when the DNS response was received before the session expired.
PAN-140227
(PA-7000 Series firewalls only) Fixed a rare issue where the firewall rebooted due to a path monitoring failure on the Log Processing Card (LPC).
PAN-140173
Fixed an issue where a large number of groups in group mapping caused a process (useridd) to stop responding.
PAN-140157
A fix was made to address a vulnerability where the password for a configured system proxy server for a PAN-OS appliance was displayed in cleartext when using the CLI in PAN-OS (CVE-2020-2048).
PAN-140121
Fixed an issue where a process (authid) used a large amount of memory due to many incomplete authentication requests, which caused an out-of-memory (OOM) condition.
PAN-140084
(PA-3200 Series firewalls only) Fixed an issue where the default Dynamic IP and Port (DIPP) NAT oversubscription rate was set to 2.
PAN-139991
Fixed an issue where the web interface and the CLI were inaccessible, which caused the following error message to display on the web interface: Timed out while getting config lock.
PAN-139680
Fixed an issue where dynamic route updates triggered an unintentional refresh of the DHCP client interface IP address, which led to the removal and re-addition of the default route associated with the DHCP client IP address and caused traffic disruption.
PAN-139233
Fixed an issue where HIP reports failed to display on either the web interface or the CLI.
PAN-139136
Fixed an issue where a large number of groups in group mappings caused a process (useridd) to stop responding.
PAN-138938
An enhancement was made to reduce the memory usage of a process (logrcvr) to avoid out-of-memory (OOM) conditions on lower-end platforms.
PAN-138674
Fixed an issue where custom role-based admins were able to reset the rule hit counter for disabled device groups.
PAN-138427
Fixed an issue where pushing a configuration from a Panorama management server running PAN-OS 9.0 to a firewall running PAN-OS 8.1 produced a HTTP/2 warning. To leverage this fix, update both Panorama and the firewall to PAN-OS 9.0.11 or a later PAN-OS 9.0 release.
PAN-137770
Fixed an issue where the dataplane restarted due to a loop in DoS protection source-destination IP address classification.
PAN-137716
Fixed an issue where, for users with admin roles, logs for only one device group were displayed due to a query string with multiple device groups.
PAN-137663
Fixed a cosmetic issue where misleading App-ID and rule shadowing warnings populated after a commit.
PAN-136791
Fixed an intermittent issue where the first response to a SIP INVITE message created incorrect appinfo2ip entries and caused Via header translation failure.
PAN-136716
(Panorama virtual appliances only) Fixed an issue where SNMP monitoring of ifSpeed reported the interface speed as 0 for interfaces other than eth0.
PAN-136650
Fixed an issue where a Log Collector remained in an out-of-sync state after configuring an IP address (local or public) on an additional Ethernet interface.
PAN-135887
Fixed an issue where the inner GTP-U flows were installed using incorrect zones, which led to traffic issues when the firewall was in line for the S1-U interface.
PAN-135071
Fixed an issue in Panorama where the template stack drop-down was missing templates when using access domain.
This issue is fixed only for existing template stacks.
PAN-134907
Fixed an issue where IP tags were not evaluated in the filter evaluation criteria when Dynamic Address Groups were configured.
PAN-134745
Fixed an issue where Panorama commits failed due to a process (useridd) exceeding the maximum number of file descriptors while a large number of firewalls were connecting to Panorama for User-ID redistribution.
PAN-134226
Fixed an issue where AdminStatus for HA1 and High Speed Chassis Interconnect (HSCI) interfaces were incorrectly reported.
PAN-134029
Fixed an intermittent issue on the firewall where H.225 VOIP signaling packets dropped.
PAN-133934
Fixed an intermittent issue where user-to-IP address mappings were not redistributed to client firewalls.
PAN-133388
Fixed an issue where an HA configuration went out of sync when the HA sync job was queued and processed during an ongoing content installation job on the passive firewall.
PAN-133179
Fixed a rare issue where the show ntp CLI command showed the status as rejected even when the NTP was synced with at least one NTP server.
PAN-132285
Fixed an intermittent issue where a Security policy with Send ICMP Unreachable enabled for certain drop or reset sessions caused a process (all-pktproc) to restart.
PAN-132053
Added an enhancement to improve handling for firewall management web interface sessions that timeout so that the message Your session has expired does not display. Now, the web interface will present a timeout page that presents a button to redirect back to the login page.
PAN-131750
Fixed an issue where a configuration push from Panorama to the firewall showed the Commit All status as complete even though the job was still in process.
PAN-130955
Fixed an issue where templates on the secondary Panorama appliance were out of sync with the primary Panorama appliance due to an empty content-preview node.
PAN-130357
Fixed a memory leak issue where virtual memory used by the SNMP process started to slowly increase when the request was sent with a request-id of 0.
PAN-129376
(PA-800 Series firewalls only) Fixed an issue that prevented ports 9-12 from being powered down by hardware after being requested to do so.
PAN-128172
Fixed an issue on Panorama where the show system logdb-quota CLI command took more time than expected, which caused the configuration lock to time out.
PAN-128048
Fixed an issue where certificate-based authentication with IKEv2 IPSec tunnels failed to establish with some third-party vendors.
PAN-125218
A fix was made to address an information exposure vulnerability in Panorama that disclosed the token for the Panorama web interface administrator's session to a managed device when the Panorama administrator performed a context switch (CVE-2020-2022).
PAN-124819
Fixed an issue where only the current day's logs were visible on Panorama.
PAN-124331
Fixed an issue where the LDAP query took longer than expected to populate in the web interface.
PAN-122672
Fixed an issue where the firewall returned incorrect information about the logging service status when the information was requested through the web interface.
PAN-122115
Fixed an issue with the session browser search where using more than 32 characters caused an error.
PAN-121944
Fixed an issue where the Device Connectivity status was grey on the firewall web interface even when the SSL session with the logging service was successful.
PAN-121035
Added support for high powered module PAN-QSFP28-100GBASE-ER4.
PAN-120245
Fixed an issue on Panorama where WildFire® cloud content download failed for content deployment to the WF-500 appliance.
PAN-119982
Fixed an issue where template variable view failed to display some template variables when the Device Priority type variable was configured.
PAN-119329
Fixed an issue where a process (devsrvr) stopped responding when the firewall received corrupted data from the PAN-DB cloud.
PAN-118667
Fixed an issue where firewall policy configurations displayed [object Object] instead of the object names.
PAN-115896
Fixed an issue where the static route path monitoring status was not viewable from the CLI or web interface and failed with the following error message: failed to execute op command.
PAN-115541
Fixed an issue where removing a cipher from an SSL/TLS profile did not take effect if it was attached to the management interface.
PAN-112449
Fixed an issue that caused a process (snmpd) to stop responding when sending a Simple Network Management Protocol (SNMP) GET request for LcLogUsageTable on a Panorama appliance in Management Only mode.
PAN-110511
Fixed an issue where a passive Panorama appliance reported that device groups were out of sync despite a successful HA sync from the active Panorama appliance. This issue occurred when the address objects defined in the device group were in use under the corresponding template.