PAN-OS 9.0.3 Addressed Issues
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
End-of-Life (EoL)
PAN-OS 9.0.3 Addressed Issues
PAN-OS® 9.0.3 addressed issues.
Issue ID | Description |
---|---|
WF500-4995 | Fixed an issue on Panorama™ M-Series and
WF-500 appliances where administrators were unable to run the debugsoftware disk-usage aggressive-cleaning enable CLI
command and resulted in the following error message: Server error:Failed to execute op command. |
PAN-118949 | Fixed an issue where after you changed the
filter configuration in the user.src notin 'cns\proxy full profile,
the firewall displayed the following error message: Unknown user group cns\Proxy Full. |
PAN-118640 | Fixed an issue where the GTP-U session did
not match the correct policy, which caused the IMSI and IMEI not
to display in the inner session traffic and threat logs. |
PAN-118525 | (PA-5250, PA-5260, PA-5280, and PA-7000 Series
firewalls only) Fixed an issue where the QSFP28 port did not
come up with the TR-FC13L-N00 version of the PAN-QSFP28-100GBASE-LR4
optical transceiver on firewalls running a PAN-OS 9.0 release. |
PAN-118008 | (PA-3000 Series firewalls only)
Fixed an intermittent issue where a low memory condition prevented decoders
from loading, which led to traffic inspection issues related to
the impacted decoder(s). |
PAN-117424 | Cortex Data Lake without Panorama—where
we removed Panorama as a requirement to send logs to Cortex Data
Lake—was introduced in PAN-OS® 9.0.2, and was not initially
supported for PA-220 and PA-800 Series firewalls. This issue details
a change we've made in PAN-OS 9.0.3 to support this feature across
all firewall platforms. Here’s how you can get
started with Cortex Data Lake now. |
PAN-117359 | (Firewalls with an AutoFocus license
only) Fixed an issue where AutoFocus™ threat intelligence did
not display when hovering over source and destination addresses
in the logs when you configure a service route or proxy. |
PAN-117249 | Fixed an issue where end users who don't
have REST API authentication roles were able to list and edit configuration
rules. |
PAN-117149 | Fixed an issue on firewalls configured with authentication
policies where sessions matching an authentication policy did not
generate traffic logs as defined in the security policy when sessions
were redirected or denied. |
PAN-116969 | Fixed an issue where authentication failed
when you configured a User Principal Name (UPN) and included a group
in the profile. |
PAN-116848 | Fixed an issue where multiple device group administrators
simultaneously enabled configuration locks caused a race condition. |
PAN-116828 | Fixed an issue on Panorama M-Series and
virtual appliances where the management server and a process (configd)
used higher than expected CPU and memory. |
PAN-116069 | (PA-200 firewalls only) Fixed a
rare out-of-memory (OOM) condition. |
PAN-116579 | Fixed an issue where the firewall sent truncated
URLs to the Captive Portal Redirect message when HTTPS traffic sent
through a proxy server was subjected to decryption. |
PAN-116188 | Fixed an issue where communication between
tunnel interfaces did not respond when you configured a generic routing
encapsulation (GRE) tunnel. |
PAN-116022 | Fixed an issue where the NSX Manager passed
a blank string to Panorama, which added a null entry into the configuration
and caused commits to fail. |
PAN-115930 | Fixed an intermittent issue where after
a configuration change, a commit caused the dataplane to stop responding. |
PAN-115526 | Fixed an issue where a dataplane process (all_pktproc)
stopped responding due to a packet buffer protection feature. |
PAN-115494 | Fixed an issue where the /opt/pancfg/ partition became
full due to a configuration preview operation not responding. |
PAN-115415 | Fixed an issue where a session created from
a predict session went into DISCARD state. |
PAN-115379 | Fixed an issue where you were unable to
create a custom log forwarding profile when you configured a filter with
the "in" and "not in" configurations (ObjectsLog ForwardingAddAddFilterFilter Builder)
and resulted in the following error message: Invalid filter policy-logging-cf-ent -> match-list -> ITS_url_logs -> filteris invalid. |
PAN-115339 | Fixed a rare issue where a commit caused
the firewall to stop responding when you enabled flow debug and configured
a NAT policy. |
PAN-115035 | Fixed a rare issue where Traffic logs, Threat logs
and URL filtering logs stopped generating. |
PAN-115012 | Fixed an issue where a process (appweb)
stopped responding, which caused the web interface to stop responding. |
PAN-114867 | Fixed an issue where GlobalProtect™ gateway
client configuration generation failed when a matching rule existed. |
PAN-114743 | Fixed an issue on Panorama M-Series and
virtual appliances where, after you upgraded the firewall to PAN-OS
8.1, commits failed when Panorama was configured to manage shared
gateway objects for managed firewalls. |
PAN-114695 | Fixed an issue where a daemon (authd)
stopped responding when you configured a GlobalProtect portal and
gateway with Security Assertion Markup Language (SAML) authentication. |
PAN-114642 | Fixed an issue where firewall logs incorrectly
included the end-user IP address in GTP message logs when you configured
PAA IE with IPv4 and IPv6 dual stack in the Create Session Response
message. |
PAN-114607 | Fixed an issue where all the log collectors
did not get queued when you configured more than 32 collector groups. |
PAN-114593 | Fixed an issue where the setsystem setting layer4-checksum disable CLI command
did not disable the Layer 4 checksum check as expected. |
PAN-114577 | Fixed an issue on Panorama M-Series and
virtual appliances where you were unable to authenticate when the authentication
profile contained a server profile that used the FQDN of the server. |
PAN-114437 | Fixed an issue on Panorama M-Series and
virtual appliances where, after you upgraded the firewall from PAN-OS
8.0.8 to PAN-OS 8.1.4, commits took longer than expected when you
configured the Device Group with large group hierarchies. |
PAN-114435 | Fixed an issue where multiple dataplanes
stopped responding and caused traffic outages after you enabled IPSec
tunnels. |
PAN-114434 | Fixed an issue where the firewall created
incorrect predict sessions, which caused flow sessions to fail for applications. |
PAN-114403 | Fixed an issue on Panorama M-Series and
virtual appliances where serial numbers for deployed firewalls did not
display in the web interface with the exception of GlobalProtect
cloud service firewalls. |
PAN-114395 | Fixed an issue on a VM-Series firewall where
a process (all_task) stopped responding, which caused
the firewall to reboot. |
PAN-114275 | Fixed an issue where the firewall dropped
GTPv1 DELETE PDP response packets that
had a termination endpoint ID (TEID) value of 0. |
PAN-114181 | Fixed an issue where the firewall incorrectly
triggered Reverse Path Forwarding (RPF), which caused packet leaks. |
PAN-113795 | Fixed an issue on a firewall configured
with GlobalProtect Clientless VPN where a process (all_pkts)
stopped responding, which caused the dataplane to restart. |
PAN-113775 | Fixed an issue where the firewall dropped UpdatePDPContext reponse
packets and displayed the following GTP log event: 122113. |
PAN-113631 | A security-related fix was made to address
a use-after-free (UAF) vulnerability in the Linux kernel (PAN-SA-2019-0017 / CVE-2019-8912) |
PAN-113614 | Fixed an issue with a memory leak on Panorama appliances
associated with commits that eventually caused an unexpected restart
of the configuration (configd) process. |
PAN-113340 | (PA-200 firewalls only) Fixed an
issue where the management plane (MP) memory was lower than expected,
which caused the MP to restart. |
PAN-113189 | A security-related fix was made to correct
log file string-conversion errors that caused parsing issues, which caused
the User-ID™ (useridd) process to stop running. |
PAN-113117 | Fixed an issue on Panorama VM-Series firewalls where
you were logged out of the web interface and had to log back in
to push a device group and template configuration from a newly launched
bootstrapped firewall. |
PAN-113046 | (PA-5200 Series firewalls only)Fixed
an issue where a process (brdagent) stopped responding,
which caused the management plane to stop responding. |
PAN-112674 | Fixed an issue where an escape ( “\” ) character
was added to HTTP log s when a log contained a comma. |
PAN-112577 | Fixed an issue on a VM-Series firewall in
an HA active/passive configuration where the HA1 port flapped and
caused a split-brain condition. |
PAN-112446 | Fixed an issue where a predefined report (blocked
credential post) generated reports using the incorrect query
builder (flags has credential-builder), which
caused the report to incorrectly display logs for alerts. |
PAN-112293 | Fixed an issue where the connection between
the firewall and Log Collector flapped. |
PAN-112167 | Fixed an issue where IPv4 BGP routes were
missing from the routing table and FIB after a failover event. |
PAN-112106 | Fixed an issue where the firewall was unable
to add IPv6 loopback IP address ::1 to
the external dynamic list and displayed the following error message: Invalid ips: ::1. |
PAN-111976 | Fixed an issue where you were unable to
generate user activity reports when the username included a colon
( : ), ampersand ( & ), single parenthesis ( ' ) character. |
PAN-111872 | A security-related fix was made to address
a command injection vulnerability (PAN-SA-2019-0018 / CVE-2019-1576). |
PAN-111708 | (PA-3200 Series firewalls only)
Fixed a rare software issue that caused the dataplane to restart unexpectedly.
To leverage this fix, you must run the debug dataplane set pow no-desched yes CLI
command. |
PAN-111380 | (PA-5200, PA-3200, and PA-7000 Series
firewalls with 100Gbps cards only) Fixed an issue where the show qos interface ae1 throughput 0 CLI
command incorrectly displayed the active data stream only and QoS
was not working as expected on the first subinterface. |
PAN-111286 | Fixed an issue where you were unable to
generate a custom report (MonitorManage Custom Report<device-name>Report Setting). |
PAN-110996 | Fixed an issue where the dataplane stopped responding
due to an incorrectly calculated offset when you configured Exclude
video traffic from the tunnel (NetworkGlobalProtectGateways<gateway-name>AgentVideo Traffic). |
PAN-110962 | Fixed an issue where a process (all_pktproc)
stopped responding when SSH decryption was enabled, which caused
the dataplane to restart. |
PAN-110883 | Fixed an issue on a VM-Series firewall where
all jobs did not execute and returned the following error message: Error- time out sending/receiving message. |
PAN-110873 | Fixed an issue where member interfaces of
the aggregate interface did not display on web interface (PanoramaManaged DevicesHealthAll Devices<device-name>Interfaces). |
PAN-110758 | Fixed an issue on Panorama M-Series and
virtual appliances where you were unable to configure the firewall to
disable the portal log in page. |
PAN-110638 | Fixed an issue where you were unable to
establish a GlobalProtect connection on IPv6 and displayed the following
error message: Packet too big due to the firewall MTU value set lower than normal on
the neighboring firewall. |
PAN-110548 | Fixed an intermittent issue where heartbeats
failed on the management plane (MP), which caused the dataplane
to stop responding and displayed the following error message: Dataplaneis down: controlplane exit failure. |
PAN-110526 | Fixed an issue where Captive Portal authentication required
two log-in attempts when the authentication sequence was configured
as an authentication profile. |
PAN-110293 | Fixed an issue where GTP-U traffic dropped
when the GTP tunnel endpoint ID (TEID) was not updated correctly during
a GTP-C update. |
PAN-109966 | Fixed an issue where the content update
threshold downloaded and installed an older content version after
you manually installed a newer content version. |
PAN-109954 | Fixed an issue where a commit failed with
an error message: cluster is missing 'encryption' when
HA Traffic Encryption (PanoramaManaged WildFire Clusters<appliance-name>Communication) was not configured
and after upgrading from PAN-OS 8.0.12 to PAN-OS 8.1.4. |
PAN-109944 | Fixed an intermittent issue where a process (configd)
restarted due to a race condition when generating custom reports. |
PAN-109663 | Fixed an intermittent issue where the firewall dropped
packets when the policy rule was set to allow but denied the packets
during a commit or high availability (HA) sync. |
PAN-109837 | Fixed an issue where a race condition occurred
when a configuration push and NetFlow update occurred simultaneously,
which caused the dataplane to restart. |
PAN-109575 | Fixed an issue where you were unable to
configure more than one device certificate (DeviceCertificate ManagementCertificates<device certificate-name>)
with Trusted Root CA. |
PAN-109336 | (PA-500 and PA-800 Series firewalls
only) Fixed an issue where commits failed after you imported
a device state from Panorama the template configuration referenced
Bidirectional Forwarding Detection (BFD). |
PAN-109186 | Fixed an issue where the dataplane stopped responding
and caused a failover event. |
PAN-109101 | Fixed an issue where you were unable to
override IKE Gateway configurations (NetworkIKE Gateways<template-name>)
in the template stack. However, with this fix, you still cannot
override template stacks when you configure any value with none. Additionally,
to override the Local Identification, select Authentication in
the pop-up dialogue. |
PAN-109024 | Fixed an issue where, after you upgrade
the firewall from PAN-OS 8.0 to PAN-OS 8.1, firewalls configured
with the User-ID agent and group mapping incorrectly mapped users
to groups. |
PAN-108990 | Fixed an intermittent issue on a firewall
where configuring Force Template Values (NetworkInterfacesCommitPush to DevicesTemplates) deleted the zone assigned
to an interface. |
PAN-108878 | Fixed an issue where host traffic ICMP packets
larger than 9,180 bytes dropped when you configured a jumbo frame
with a maximum MTU value of 9,216 bytes and with the DF option enabled. |
PAN-108846 | Fixed an issue where a higher than expected
rate of tunnel resolution packets occurred due to an internal loop, which
caused a spike in dataplane CPU usage for firewalls that support
distributed tunnel ownership. |
PAN-108785 | Fixed an intermittent issue on a firewall
in an HA active/passive configuration where a ping test stopped responding
on Ethernet 1/1, 1/2, and 1/4 due to input errors on the corresponding
switch port after a HA failover. |
PAN-108715 | Fixed an issue where the firewall did not
update the dataplane DNS cache after the management plane (MP) DNS
entries expired, which caused evasion signatures to erroneously
trigger a Suspicious TLS/HTTP(S)Evasion Found event. |
PAN-108164 | Fixed an issue where a process (tund)
caused the dataplane to restart during a commit. |
PAN-107989 | Fixed an issue where the Strict IP Address
Check incorrectly triggered when you enabled ECMP (NetworkVirtual RoutersAddRouter settingsECMP). |
PAN-107662 | Fixed an issue on a firewall in an HA active/active configuration
where client-bound DHCPv6 packets dropped when you configured the
firewall as a DHCPv6 relay agent. |
PAN-107370 | Fixed an issue where IPv6 traffic throughput
reduced more than expected after you updated a static ND entry (NetworkInterfaces<interface-name>AdvancedND Entries)
by moving the interface to a different virtual router. |
PAN-107126 | Fixed an issue where an SSL inbound session
cache corruption caused a process (all_pktproc) to
stop responding. |
PAN-106861 | Fixed an issue where stale route entries
remained in the FIB after the routes were removed from the routing table
when you used a redistribution rule without a profile. |
PAN-106857 | Fixed an issue where the dataplane restarted
due to an internal path monitoring failure Caused by large SSL decrypted
file transfer sessions. |
PAN-106543 | Fixed an issue on a firewall in an HA active/active configuration
where the show vpn ipsec-sa CLI command incorrectly
returned an error message: Server error: An error occurred. See dagger.log for information when
you ran the command on the active secondary firewall. |
PAN-106344 | Fixed an issue where the log collector within
a collector group retained varying numbers of detailed firewall
logs when you enabled log redundancy. |
PAN-106274 | Fixed an issue on a firewall where a Layer
2 interface that contained a VLAN sub-interface in conjunction with policy
based forwarding (PBF) caused the firewall to forward the return
traffic to the incorrect web interface. |
PAN-106259 | Fixed an issue on a firewall in an HA active/passive configuration
where the passive firewall reported a higher number of GlobalProtect
user accounts than the active firewall. |
PAN-105925 | Fixed an issue where the GlobalProtect Gateway
web interface did not display the list of previous users. |
PAN-105412 | Fixed an issue where forward error correction
(FEC) was disabled by default for AOC modules, which caused QSFP
ports to flap or remain in the DOWN state.
With this fix, FEC is enabled by default for AOC modules. |
PAN-105397 | Fixed an issue where a firewall incorrectly
processed path monitoring, which originated from a NAT firewall
on the same network segment. |
PAN-105091 | Fixed an issue on a firewall where stateful
inspection failed, which caused the firewall to drop GTPv2-C Modify
Bearer Request packets. |
PAN-104568 | Fixed an issue where the firewall did not
send emails when you configured the email gateway with an FQDN. |
PAN-104274 | Addressed an issue where in a slow network environment
the firewall displayed an error message: error online 1 at column 1: document is empty when
you used an API call to fetch a license even when the auth code
was successfully applied. Extremely slow networks may still see
this issue. |
PAN-103285 | Fixed an issue where an API call (show system disk details),
responded with the following error message: An error occurred. See dagger.log for information. |
PAN-103225 | Fixed an issue on Panorama M-Series and
virtual appliances where the Task Manager did not display progress after
you pushed a configuration to a firewall. |
PAN-102979 | Fixed an issue where Dynamic Updates did
not display expired threat prevention licenses when you tried to install
an application from Panorama. |
PAN-102745 | Fixed an intermittent issue on a firewall
where a commit and FQDN refresh took longer than expected. |
PAN-101970 | Fixed an issue where the decode filter was
unable to detect the end characters of a file name, which caused
the firewall to bypass the file blocking profile. |
PAN-101764 | Fixed an issue where a process (slmgr)
stopped responding during an auto-commit. |
PAN-101379 | Fixed an issue where an invalid Captive
Portal authentication policy was successfully pushed to managed firewalls,
which caused auto-commits to fail. |
PAN-101052 | Fixed an issue on Panorama M-Series and
virtual appliances where Panorama unnecessarily checked and updated
licenses for VM-Series firewalls on AWS after every commit, which
resulted in new log entries. With this fix, Panorama no longer checks
licenses after every commit. |
PAN-100773 | (PA-7000 Series firewalls only)
Fixed an issue where the Quad Small Form-factor Pluggable (QSFP) port
on a 20GQ NPC card took longer than expected to respond. |
PAN-100742 | Fixed an issue Panorama M-Series and virtual appliances
where scheduled reports generated more than one DNS lookups, which
caused inconsistent name resolutions for DNS deployments. |
PAN-100693 | Fixed an issue where you were unable to
process Address Group match criteria when the match name included
the double quotation ( " ) character. |
PAN-99483 | (PA-5250, PA-5260, and PA-5280)
Fixed an issue where, when you deployed the firewall in a network that
uses Dynamic IP and Port (DIPP) NAT translation with PPTP, client
systems were limited to using a translated IP address-and-port pair
for only one connection. See Limitations for PA-7000
Series firewalls that do not use second-generation PA-7050-SMC-B
or PA-7080-SMC-B Switch Management Cards. |
PAN-99354 | Fixed an issue where the firewall incorrectly
denied URL access when the URL filtering profile was configured
to alert. |
PAN-99134 | Fixed an issue where temporary files generated during
preview changes did not get cleared, which caused disk space issues. |
PAN-98746 | Fixed an issue where GlobalProtect clientless
VPN did not get redirected to the application URL when you used Internet
Explorer as a web browser. |
PAN-97288 | Fixed an issue on GlobalProtect Clientless
VPN where the URL gets truncated when you exclude the domain from the
Rewrite Exclude Domain List (NetworkGlobalProtectPortals<portal-name>Clientless
VPNAdvanced Settings). |
PAN-92872 | Fixed an intermittent issue where the firewall
sent packets incorrectly to an outgoing interface. |
PAN-89820 | Fixed an intermittent issue where the Data
Filtering (MonitorData Filtering)
and Threat Log (MonitorThreat)
did not display file names when you transferred multiple files into
a single session. |
PAN-81778 | Fixed an issue where scheduled reports did
not generate as expected due to a race condition. |