PAN-OS 9.0.11 Addressed Issues
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
End-of-Life (EoL)
PAN-OS 9.0.11 Addressed Issues
PAN-OS® 9.0.11 addressed issues.
Issue ID | Description |
---|---|
PAN-154092 | An enhancement was made to provide an option
to increase Data Plane Development Kit (DPDK) ring size and DPDK
queue number for VM-Series firewalls deployed on ESXi. |
PAN-153983 | Fixed an issue where the IPSec encapsulation
sequence was not properly synced to the dataplanes on a high availability
(HA) active/passive cluster. |
PAN-153813 | Fixed an issue where the proxy configuration
did not get honored, which caused certificate revocation list (CRL)
checks from the firewall to fail. |
PAN-153673 | Fixed an issue where traffic logs were not
shown due to a thread timeout that was causing the reading of the
logs from the dataplane to slow. |
PAN-153436 | Added CLI commands to increase thread limits
to reduce task thread exhaustion on a process (configd). |
PAN-153111 | Fixed an issue where packet buffer unavailability
caused host-bound sessions to remain in an opening state in the dataplane. |
PAN-152706 | Fixed an intermittent issue where Panorama
did not retrieve firewall logs from Cortex Data Lake. |
PAN-152285 | Fixed an issue where certain GPRS tunneling
protocol (GTP-U) sessions that could not complete installation still
occupied the flow table, which led to higher-than-expected session
table usage. |
PAN-152106 | Fixed an issue where a process (genindex.sh) caused
the management plane CPU usage to remain high for a longer period
of time than expected. |
PAN-152027 | Fixed an issue with URL Filtering where
websites that were previously in the malicious category but have
since been cleared remained in the malicious category in the dataplane
cache. These websites were moved to the benign category only after
you manually cleared the cache. |
PAN-151203 | Fixed an issue where the firewall dropped
certain GTPv1 Update PDP Context packets. |
PAN-151057 | Fixed an issue where upgrading the capacity
license on a VM-Series HA pair resulted in both firewalls going
into a non-functional state instead of only the higher capacity
license firewall. |
PAN-150750 | (PA-5200 Series and PA-7000 Series firewalls
only) Fixed an intermittent issue where the firewall dropped
packets when two or more GTP packets on the same GTP tunnel were
very close to each other. |
PAN-150748 | Fixed an issue where the firewall silently
dropped GTPv2-C Delete Session Response packets. |
PAN-150746 | Fixed an issue where the firewall dropped
GTP packets with Delete Bearer messages for EBI 6 if they were received
within two seconds of receiving the Delete Bearer messages for EBI
5. |
PAN-150613 | Fixed an issue that caused a process (mprelay) to
stop responding when committing changes in the Netflow Server Profile
configuration (Device > Server Profiles > Netflow). |
PAN-150243 | Fixed an issue where the candidate configuration
was not updated to the running configuration after a successful
commit when the commit was initiated by an API-privileges-only custom
role-based administrator. |
PAN-149912 | Fixed an issue where FIB entries were unexpectedly
removed due to miscommunication between internal processes. |
PAN-149480 | Fixed an issue where a custom report query
from Panorama, which includes new fields not supported in prior
releases, triggered a restart of a process (reportd)
when Panorama was connected to log collectors running an earlier
PAN-OS release. |
PAN-149426 | Fixed an issue where non-superuser administrators
with all rights enabled were unable to Review Policies or Review
Apps for downloaded or installed content versions. |
PAN-149296 | Fixed an issue on Panorama where system
and configuration logs from dedicated Log Collectors did not display
on Panorama appliances in Management Only mode. |
PAN-148564 | Fixed an issue where Panorama stopped showing
new logs when url_category_list was
in the URL payload format of the HTTP(S) server profile used to
forward URL logs from the Panorama Log Collector. |
PAN-147741 | Fixed an issue where an API call for correlated
events did not return any events . |
PAN-147595 | Fixed an issue where stream control transmission
protocol (SCTP) logs for an existing SCTP session still showed old
rule information after a policy commit and session rematch. |
PAN-147285 | Fixed an issue where host information profile
(HIP) details were not available on Panorama even with a valid and
active HIP redistribution configuration. |
PAN-146878 | Fixed an issue where TCP traffic dropped
due to TCP sequence checking in an HA active/active configuration
where traffic was asymmetric. |
PAN-146650 | A fix was made to address an authentication
bypass vulnerability in the GlobalProtect SSL VPN component of PAN-OS
that allowed an attacker to bypass all client certificate checks
with an invalid certificate. As a result, the attacker was able
to authenticate as any user and gain access to restricted VPN network
resources when the gateway or portal was configured to rely only
on certificate-based authentication (CVE-2020-2050). |
PAN-146531 | Fixed an issue where conversion from Panorama
mode to logger mode was enabled even when an administrative user
named admin did not exist in the configuration,
which prevented access to the appliance after conversion. |
PAN-146506 | Fixed an issue where memory usage on a process (useridd)
was high, which caused the process to restart on the firewall that
was acting as the User-ID redistribution agent. This issue occurred
when multiple clients requested IP address-to-user mappings at the
same time. |
PAN-146284 | Fixed an issue where Applications and Threats
content installation failed on the firewall with the following error
message: Error: Threat database handler failed. |
PAN-146117 | Fixed an issue on the firewall where memory
usage on a process (devsrvr) increased after running
the show object dynamic-address-group all CLI
command. |
PAN-146115 | Fixed an issue where GlobalProtect™ IPSec
connections flapped when the peer address to the gateway changed
due to NAT. |
PAN-145823 | Fixed an issue where BGP-learned routes
were incorrectly populated with a VR error as a next hop. |
PAN-145757 | Fixed an issue where a firewall process (all_pktproc)
restarted while processing Session Traversal Utilities for NAT (STUN)
over TCP. |
PAN-145752 | Fixed an issue where exporting policies
to PDF or CSV files did not include all policies and contained duplicates. |
PAN-145188 | Fixed an issue on Panorama in PAN-DB mode
where content updates did not successfully install, which caused
the cloud state to degrade. |
PAN-145133 | A fix was made to address a vulnerability
in the PAN-OS signature-based threat detection engine that allowed
an attacker to evade threat prevention signatures using specifically
crafted TCP packets (CVE-2020-1999). |
PAN-144919 | Fixed an issue on an M-600 appliance where
the Panorama management server stopped receiving new logs from firewalls
because delayed log purging caused log storage on the Log Collectors
to reach maximum capacity. |
PAN-144448 | Fixed an issue with the automated correlation
engine that caused firewalls to stop generating correlated event
logs for the beacon-heuristics object
(ID 6005). |
PAN-143959 | Fixed an issue on Panorama where a custom
administrator with all rights enabled was not able to display the
content of the external dynamic list (EDL) on the Panorama web interface. |
PAN-143809 | Fixed an issue where Log Collectors had
problems ingesting older logs for previous days received at a high
rate. |
PAN-143796 | Fixed an issue where commits failed on the
firewall due to memory allocation failure. You can check configuration
memory using the debug dataplane show cfg-memstat statistics CLI
command. |
PAN-141980 | Fixed an issue where random member ports
in a link aggregate group failed to join the aggregate group due
to the following error: Link speed mismatch. |
PAN-141923 | Fixed an issue where authentication stopped
working after a commit and a process (authd) exited,
which caused other processes to exit. |
PAN-141793 | Fixed an issue where Panorama did not show
correct logs filtered with not, leq,
and geq. |
PAN-141717 | Fixed an issue where an administrative user
using custom admin roles and without access to the Device tab
was unable to expand the detailed views of Monitor > Logs. |
PAN-141551 | Fixed an issue where SSH service restart
management did not take effect in the SSH management server profile. |
PAN-141262 | Fixed an issue where the resolution of FQDN
for a policy on the web interface did not work as expected if the
FQDN contained CAPITAL letters. |
PAN-140900 | Fixed an issue where IP address-to-tag mapping
entries had negative time-to-live (TTL) values instead of being
removed after expiry. |
PAN-140883 | Fixed an issue where, after rebooting the
firewall, the SNMP object identifier (OID) for TCP connections per
second (panVsysActiveTcpCps / .1.3.6.1.4.1.25461.2.1.2.3.9.1.6.1)
returned 0 until another OID was pulled. Additionally, after a restart
of a process (snmpd), if the above OID was called before
other OIDs, there was an approximate 10-second delay in populating
the data pulled by each OID. |
PAN-140628 | Fixed an issue where a memory leak on a
process (useridd) caused multiple processes to restart
during device serial number checks. |
PAN-140382 | Fixed an issue where the Host Evasion Threat
ID signature did not trigger for the initial session even when the
DNS response was received before the session expired. |
PAN-140227 | (PA-7000 Series firewalls only)
Fixed a rare issue where the firewall rebooted due to a path monitoring
failure on the Log Processing Card (LPC). |
PAN-140173 | Fixed an issue where a large number of groups
in group mapping caused a process (useridd) to stop
responding. |
PAN-140157 | A fix was made to address a vulnerability
where the password for a configured system proxy server for a PAN-OS
appliance was displayed in cleartext when using the CLI in PAN-OS (CVE-2020-2048). |
PAN-140121 | Fixed an issue where a process (authid)
used a large amount of memory due to many incomplete authentication requests,
which caused an out-of-memory (OOM) condition. |
PAN-140084 | (PA-3200 Series firewalls only)
Fixed an issue where the default Dynamic IP and Port (DIPP) NAT
oversubscription rate was set to 2. |
PAN-139991 | Fixed an issue where the web interface and
the CLI were inaccessible, which caused the following error message
to display on the web interface: Timed out while getting config lock. |
PAN-139680 | Fixed an issue where dynamic route updates
triggered an unintentional refresh of the DHCP client interface
IP address, which led to the removal and re-addition of the default
route associated with the DHCP client IP address and caused traffic
disruption. |
PAN-139233 | Fixed an issue where HIP reports failed
to display on either the web interface or the CLI. |
PAN-139136 | Fixed an issue where a large number of groups
in group mappings caused a process (useridd) to stop
responding. |
PAN-138938 | An enhancement was made to reduce the memory
usage of a process (logrcvr) to avoid out-of-memory
(OOM) conditions on lower-end platforms. |
PAN-138674 | Fixed an issue where custom role-based admins
were able to reset the rule hit counter for disabled device groups. |
PAN-138427 | Fixed an issue where pushing a configuration
from a Panorama management server running PAN-OS 9.0 to a firewall
running PAN-OS 8.1 produced a HTTP/2 warning. To leverage this fix,
update both Panorama and the firewall to PAN-OS 9.0.11 or a later
PAN-OS 9.0 release. |
PAN-137770 | Fixed an issue where the dataplane restarted
due to a loop in DoS protection source-destination IP address classification. |
PAN-137716 | Fixed an issue where, for users with admin
roles, logs for only one device group were displayed due to a query
string with multiple device groups. |
PAN-137663 | Fixed a cosmetic issue where misleading
App-ID and rule shadowing warnings populated after a commit. |
PAN-136791 | Fixed an intermittent issue where the first
response to a SIP INVITE message created incorrect appinfo2ip entries
and caused Via header translation failure. |
PAN-136716 | (Panorama virtual appliances only)
Fixed an issue where SNMP monitoring of ifSpeed reported the interface
speed as 0 for interfaces other than eth0. |
PAN-136650 | Fixed an issue where a Log Collector remained
in an out-of-sync state after configuring an IP address (local or
public) on an additional Ethernet interface. |
PAN-135887 | Fixed an issue where the inner GTP-U flows
were installed using incorrect zones, which led to traffic issues
when the firewall was in line for the S1-U interface. |
PAN-135071 | Fixed an issue in Panorama where the template
stack drop-down was missing templates when using access domain. This
issue is fixed only for existing template stacks. |
PAN-134907 | Fixed an issue where IP tags were not evaluated
in the filter evaluation criteria when Dynamic Address Groups were
configured. |
PAN-134745 | Fixed an issue where Panorama commits failed
due to a process (useridd) exceeding the maximum number
of file descriptors while a large number of firewalls were connecting
to Panorama for User-ID redistribution. |
PAN-134226 | Fixed an issue where AdminStatus for HA1
and High Speed Chassis Interconnect (HSCI) interfaces were incorrectly
reported. |
PAN-134029 | Fixed an intermittent issue on the firewall
where H.225 VOIP signaling packets dropped. |
PAN-133934 | Fixed an intermittent issue where user-to-IP
address mappings were not redistributed to client firewalls. |
PAN-133388 | Fixed an issue where an HA configuration
went out of sync when the HA sync job was queued and processed during
an ongoing content installation job on the passive firewall. |
PAN-133179 | Fixed a rare issue where the show ntp CLI
command showed the status as rejected even
when the NTP was synced with at least one NTP server. |
PAN-132285 | Fixed an intermittent issue where a Security
policy with Send ICMP Unreachable enabled
for certain drop or reset sessions caused a process (all-pktproc) to
restart. |
PAN-132053 | Added an enhancement to improve handling
for firewall management web interface sessions that timeout so that
the message Your session has expired does
not display. Now, the web interface will present a timeout page
that presents a button to redirect back to the login page. |
PAN-131750 | Fixed an issue where a configuration push
from Panorama to the firewall showed the Commit All status
as complete even though the job was still in process. |
PAN-130955 | Fixed an issue where templates on the secondary
Panorama appliance were out of sync with the primary Panorama appliance
due to an empty content-preview node. |
PAN-130357 | Fixed a memory leak issue where virtual
memory used by the SNMP process started to slowly increase when
the request was sent with a request-id of
0. |
PAN-129376 | (PA-800 Series firewalls only)
Fixed an issue that prevented ports 9-12 from being powered down
by hardware after being requested to do so. |
PAN-128172 | Fixed an issue on Panorama where the show system logdb-quota CLI
command took more time than expected, which caused the configuration
lock to time out. |
PAN-128048 | Fixed an issue where certificate-based authentication
with IKEv2 IPSec tunnels failed to establish with some third-party
vendors. |
PAN-125218 | A fix was made to address an information
exposure vulnerability in Panorama that disclosed the token for
the Panorama web interface administrator's session to a managed
device when the Panorama administrator performed a context switch (CVE-2020-2022). |
PAN-124819 | Fixed an issue where only the current day's
logs were visible on Panorama. |
PAN-124331 | Fixed an issue where the LDAP query took
longer than expected to populate in the web interface. |
PAN-122672 | Fixed an issue where the firewall returned
incorrect information about the logging service status when the
information was requested through the web interface. |
PAN-122115 | Fixed an issue with the session browser
search where using more than 32 characters caused an error. |
PAN-121944 | Fixed an issue where the Device Connectivity status
was grey on the firewall web interface even when the SSL session
with the logging service was successful. |
PAN-121035 | Added support for high powered module PAN-QSFP28-100GBASE-ER4. |
PAN-120245 | Fixed an issue on Panorama where WildFire® cloud
content download failed for content deployment to the WF-500 appliance. |
PAN-119982 | Fixed an issue where template variable view
failed to display some template variables when the Device
Priority type variable was configured. |
PAN-119329 | Fixed an issue where a process (devsrvr) stopped
responding when the firewall received corrupted data from the PAN-DB
cloud. |
PAN-118667 | Fixed an issue where firewall policy configurations
displayed [object Object] instead of the
object names. |
PAN-115896 | Fixed an issue where the static route path
monitoring status was not viewable from the CLI or web interface
and failed with the following error message: failed to execute op command. |
PAN-115541 | Fixed an issue where removing a cipher from
an SSL/TLS profile did not take effect if it was attached to the
management interface. |
PAN-112449 | Fixed an issue that caused a process (snmpd)
to stop responding when sending a Simple Network Management Protocol (SNMP)
GET request for LcLogUsageTable on
a Panorama appliance in Management Only mode. |
PAN-110511 | Fixed an issue where a passive Panorama
appliance reported that device groups were out of sync despite a
successful HA sync from the active Panorama appliance. This issue
occurred when the address objects defined in the device group were
in use under the corresponding template. |