PAN-OS 9.0.6 Addressed Issues
End-of-Life (EoL)
PAN-OS® 9.0.6 addressed issues.
Issue ID | Description |
---|---|
WF500-5343 | Fixed an issue on WF-500 that caused cloud
queries to fail when the cloud verdict did not match the local verdict. |
PAN-135141 | Fixed an issue where the Log Processing
Card (LPC) did not come up intermittently in a fully loaded PA-7000
Series. |
PAN-134242 | (PA-7000b Series firewalls with Log
Forwarding Cards (LFC) only) A security fix was made to restrict
improper communications to the LFC (CVE-2019-17440/PAN-SA-2019-0040). |
PAN-133883 | Fixed an issue where a race condition caused pan_task and pan_com to
exit unexpectedly. |
PAN-133491 | Fixed an issue where Internet Protocol (IP)
to user mappings were not synced from the HUB virtual system (vsys)
to the non-hub vsys. |
PAN-133443 | Fixed an issue where an XML API call incorrectly
masked the response, which prevented role-based administrators from
running the response. |
PAN-132501 | Fixed an issue where after you switched
the Context from Panorama™ to a firewall,
the DESTINATION ZONE (Policies > Security > <policy-name>
> Destination) incorrectly displayed none. |
PAN-132104 | Fixed an issue on Panorama M-Series and
virtual appliances where the `<show><object><registered-ip></registered-ip></object></show>` XML
API call did not retrieve more than 500 entries. |
PAN-131939 | Fixed an issue where DP crashed during file
transfer due to one or more content updates being installed. |
PAN-130640 | Fixed an issue where the management plane
CPU on the firewall was high due to index generation on summary
logs. |
PAN-130465 | Fixed an issue where required fields were
masked incorrectly in an XML API call, which hid the response. |
PAN-130073 | Fixed an issue where a large number (65,000)
of GlobalProtect™ user connections caused a process (sslvpn)
to stop responding after you upgraded from PAN-OS® 8.1.10
to PAN-OS 8.1.11. |
PAN-130069 | Fixed an issue where the firewall incorrectly
interpreted an external dynamic list MineMeld instability error
code as an empty external dynamic list. |
PAN-129668 | Fixed an issue on the firewalls where the
dataplane restarted unexpectedly when processing HTTP/2 traffic
if packet-diag debugs were enabled. |
PAN-129658 | Fixed an issue where GTP inspection stopped
functioning after unrelated changes in policy and a commit followed
by a high availability (HA) failover. |
PAN-129441 | Fixed an issue where the concurrent file
limitation for WildFire® submissions didn't work when
the firewall had many files waiting to be uploaded, which caused /opt/panlogs/wildfire/tmpfile to
become full and destabilize the firewall (for example, the process
crashed or system logs were not written). |
PAN-129327 | Fixed a rare timing window that caused an
Internal packet path monitoring failure. |
PAN-129127 | Fixed an issue where log export from maintenance
mode failed with the following error message: `no ip address configured, can't export logs` even
though the management interface Internet Protocol (IP) address was configured. |
PAN-128856 | Fixed an issue where the disk usage calculation
was getting corrupted and purging logs. |
PAN-128269 | (PA-5250, PA-5260, and PA-5280 firewalls
with 100GB AOC cables only) Fixed an issue where after you
upgraded the first peer in a high availability (HA) configuration
to a PAN-OS 9.0 release, the High Speed Chassis Interconnect (HSCI)
port did not come up due to an FEC mismatch until after you finished
upgrading the second peer. |
PAN-128248 | A fix was made to address a vulnerability
with a race condition due to an insecure creation of a file in a
temporary directory in PAN-OS (CVE-2020-2016). |
PAN-127649 | Fixed an issue where a purge script stopped
responding, which caused a process (logrcvr) to discard
incoming logs. |
PAN-127089 | Fixed an intermittent issue where the default
route did not redistribute to an OSPF Not-So-Stubby Area (NSSA). |
PAN-126882 | A security fix was made to address an OpenSSL
vulnerability (CVE-2019-1547/CVE-2019-1563). |
PAN-126627 | Fixed an issue where a process (all_pktproc) stopped
responding due to a NULL pointer exception while cleaning up SSL
proxy sessions previously configured for GlobalProtect. |
PAN-126283 | Fixed an intermittent issue where after
you configured Cache EDNS Responses (Network
> DNS Proxy > <DNS Proxy-name> > Advanced) a process
(dnsproxy) stopped responding. |
PAN-126159 | Fixed an issue where the firewall did not
match the Security policy when you configured the match condition
to a shared local group. |
PAN-125996 | Fixed an issue on Panorama M-Series and
VM-Series where the configd process would crash. |
PAN-125898 | Fixed an issue where a process (openssl)
caused higher than expected management CPU usage due to the incompletion of
the Online Certificate Status Protocol (OCSP) during the logging service
certificate validation. |
PAN-125793 | Fixed an issue where multiple `No valid URL filtering license` warning
messages were generated during a commit due to an expired URL filtering
license. With this fix, the warning messages are grouped into a
single message per virtual system (vsys). |
PAN-125594 | Fixed an issue where the configd process
on a Panorama appliance had a memory leak during commit operations. |
PAN-125302 | Fixed an issue where the real-time clock
(RTC) battery voltage exceeded the maximum threshold and triggered
alerts in the system log. |
PAN-125157 | Fixed an issue on the firewalls where the rasmgr process
restarted unexpectedly when using third-party VPN clients to connect
to GlobalProtect. |
PAN-125122 | A fix was made to address a cleartext transmission
of sensitive information vulnerability in Palo Alto Networks PAN-OS
and Panorama that disclosed an authenticated PAN-OS administrator's
PAN-OS session cookie (CVE-2020-2013). |
PAN-125018 | Fixed an issue on Panorama M-Series and
virtual appliances where, after you configure the firewall with an
API call, commits took longer than expected. |
PAN-125017 | (PA-7000b Series firewalls only)
Fixed an issue where logs were unexpectedly discarded. |
PAN-124948 | Fixed an issue where a null pointer (policy)
dereference was causing a crash. |
PAN-124882 | Fixed an issue where traffic logs that contained
incorrect Security policies were generated during an active commit
process when the Security policies were being added or removed. |
PAN-124858 | Fixed an issue on PA-220, PA-820, and PA-850
firewalls where Custom Signatures caused CTD memory depletion
(OOM), which led to a dataplane crash. |
PAN-124781 | Fixed an issue in Panorama where the Policies
> Security web interface flashed and the selected security rule
did not stay selected when making a change to a rule that was part of
a device group that included more than 200 rules. |
PAN-124593 | A fix was made to address a missing XML
validation vulnerability in the PAN-OS web interface (CVE-2020-1975). |
PAN-124565 | Fixed an issue where an out of memory condition
caused commits to fail with the following error: `Error unserializing profile objects failed to handle CONFIG_UPDATE_START`. |
PAN-124435 | Fixed an issue where the firewall dropped
pre-VLAN spanning tree (PVST+) packets from the virtual wire interface
when you executed the `set session rewrite-pvst-pvid yes` CLI command. |
PAN-124428 | Fixed an issue where Address Resolution
Protocol (ARP) randomly failed on one of the interfaces for a firewall
deployed in the KVM/GCP/ESXi clouds. |
PAN-123857 | Fixed an issue where HTTP/2 traffic inspection
caused a software buffer leak over time and affected decryption
traffic. |
PAN-123843 | Fixed an issue for Cloud/VM platforms where
the tunnels between the log collectors did not come up when a public
IP was used for the log collectors in an environment with a Panorama
management server and two or more log collectors. |
PAN-123747 | Fixed an issue where App-ID™ signatures
failed to match when there were more than 12 partial App-ID matches
within the same session. |
PAN-123667 | Fixed an issue where the snmpd process
was crashing when polling for global counters. |
PAN-123661 | A fix was made to address an authentication
bypass vulnerability in the Panorama context switching feature (CVE-2020-2018). |
PAN-123322 | (PA-3200 Series, PA-5200 Series, and
PA-7000 Series firewalls running PAN-OS 9.0.5 only) Fixed an intermittent issue
where a process (all_pktproc) stopped responding due
to a Work Query Entry (WQE) corruption that was caused by duplicate
child sessions. |
PAN-123306 | Fixed an issue where the Dashboard did not
display the release dates for Application Version, Threat Version,
and Antivirus Version. |
PAN-123167 | Fixed an issue where a process (mprelay) stopped
responding. |
PAN-122788 | Fixed an issue where the firewall incorrectly
logged target filenames when an antivirus signature was triggered
over a Server Message Block (SMB) protocol. |
PAN-122779 | Fixed an issue where the firewall did not
respond to TCP DNS requests when the firewall acted as a DNS proxy. |
PAN-122778 | Fixed an issue where the routing daemon
restarted due to a deadlock on the path monitoring heartbeat processing,
leading to a SIGABRT. |
PAN-122565 | Fixed an issue where a log collector with
a dynamically assigned IP address could not establish communication
between other log collectors. |
PAN-122455 | Fixed an issue where the DHCP server incorrectly
processed bootp unicast flag requests. |
PAN-122311 | Fixed an issue where parent sessions were
dropped when you installed a duplicate predict session. |
PAN-122181 | (PA-3200 Series and PA-5200 Series firewalls
only) Fixed an issue where the firewall did not capture inbound
Encapsulating Security Payload (ESP) protocol 50 packets at the
receive stage. |
PAN-121917 | (PA-800 Series and PA-220 firewalls
only) Fixed an issue where the hrProcessorLoad.2 OID displayed
incorrect values. |
PAN-121827 | Fixed an issue where allow lists and auth
profiles in multi-vsys systems would not allow a user to be identified
in user groups. Users would show as `Not in allow list` because
the multi-vsys (vsys1) was shown as vsys0. |
PAN-121609 | (PA-7000 Series firewalls using PA-7000-20G-NPC
cards only) Fixed an issue where the firewall restarted due
to an internal path monitoring heartbeat failure during periods
of more than expected traffic load. |
PAN-121484 | (PA-3200 Series, PA-5200 Series, and
PA-7000 Series firewalls only) Fixed an issue where the dataplane
sent positive acknowledgments to predict-status checks from FPP
when the corresponding predict was deleted, which caused SIP and
RTSP applications to perform less than the expected achievable performance. |
PAN-121481 | Fixed an issue where downloading the GlobalProtect
app software on your GlobalProtect portal took longer than expected. |
PAN-121472 | Fixed an intermittent issue where the dataplane
stopped responding when processing compressed traffic. |
PAN-121374 | Fixed an issue where Internet Protocol (IP)
tags with timeouts generated alert messages. |
PAN-121184 | Fixed an issue where the varrcvr process crashed
due to memory corruption issues. |
PAN-121058 | A fix was made to address a DOM-based cross
site scripting vulnerability in the PAN-OS and Panorama management
web interfaces (CVE-2020-2017). |
PAN-121022 | Fixed an issue involving unexpected behavior
within the GlobalProtect app where the Active viewed Template does
not populate when clicking the hyperlink to trigger a redirect to
the Template area and list. |
PAN-120986 | Fixed an issue where a process (routed)
stopped responding when you configured virtual interfaces. |
PAN-120965 | Fixed an issue where certificate revocation
list (CRL) and Online Certificate Status Protocol (OCSP) checks
did not respond as expected when you configured Block
session if certificate status is unknown. |
PAN-120909 | Fixed an issue to improve the validation
of certain field inputs in the web interface. |
PAN-120900 | Fixed an issue on a firewall in a high availability
(HA) active/passive configuration where after you submitted a host information
profile (HIP) report a duplicate User-ID™ log was generated on the
passive firewall. |
PAN-120893 | Fixed an issue where the Security Parameter
Index (SPI) size was incorrectly set in the IKE Phase 2 packet when
you configured commit-bit on the neighboring
device, which caused IKE negotiations to fail on the neighboring
device. |
PAN-120730 | Fixed an issue where pushing a config bundle
from Panorama M-Series to a firewall failed with the following error: `log-card -> iptag unexpected here`. |
PAN-120701 | Fixed an issue where URL filtering blocked
web traffic by the security policy that did not have URL filtering
enabled. |
PAN-120665 | (PA-800 Series) Fixed an issue where the
deployment of the Master Key through the web interface failed. |
PAN-120545 | Fixed an issue on VM-Series firewalls where
the ager ran faster than expected, which prematurely caused the
master key to expire. |
PAN-120420 | Fixed an issue in Panorama where you could
not see Certificate Profile in the drop-down
when adding an HTTP Server Profile. |
PAN-120397 | A fix was made to address an external control
of path and data vulnerability in the Palo Alto Networks Panorama
XSLT processing logic (CVE-2020-2001). |
PAN-120351 | Fixed an issue where the firewall caused
unnecessary fragmentation when traffic and tunnel were content inspected,
which caused retransmission and slowed response time. |
PAN-120300 | Fixed an issue where you were unable to
view DHCP leases from the web interface or through the `show dhcp server lease interface all` CLI
command due to the request taking longer than expected, which resulted
in a timeout. |
PAN-120157 | Fixed an issue where temporary files created
on a firewall during an API call execution were not properly cleaned
up, leading to increased disk space usage. |
PAN-120106 | Fixed an issue where Panorama did not send
correlation events and logs to the syslog server after you upgraded
the firewall from PAN-OS 8.0.9 to PAN-OS 8.1.7. |
PAN-120005 | Fixed an issue where the firewall incorrectly
forwarded incomplete and corrupted files through the Server Message
Block (SMB) protocol to WildFire. This fix requires content release
version 8219 or a later version. |
PAN-119950 | Fixed an issue on a firewall in a high availability
(HA) active/passive configuration where a process (flow_ctrl)
restarted after it received a malformed ICMPv6 neighbor advertisement
packet. |
PAN-119922 | Fixed an issue in Panorama where the `show config diff` command
was not working correctly and produced unexpected output. |
PAN-119822 | Fixed an issue where you were not redirected
to the application URL after authentication. |
PAN-119820 | Fixed an issue where the firewall incorrectly
calculated the TCP segment size when performing forward proxy decryption. |
PAN-119819 | Fixed an issue where Discover (Device
> User Identification > User Mapping > Server Monitoring)
stopped responding after you configured a DNS proxy. |
PAN-119818 | Fixed an issue where corrupt logs caused
buffered log forwarding to stop responding. |
PAN-119801 | Fixed an issue where the firewall web interface
did not display the BGP MED attribute value
in the BGP Rib-Out tab (Virtual
Routers > More Runtime Stats). |
PAN-119545 | Fixed an issue where updates (including
WildFire, antivirus, and so on) were intermittently failing. |
PAN-119452 | An enhancement was made to improve subsequent
loading times of device groups after the first load. |
PAN-119349 | Fixed an issue on Panorama M-Series and
virtual appliances where custom reports from the User-ID log displayed
the incorrect receive date. |
PAN-119047 | Fixed an issue where local user group names
that contained upper case characters were not converted to lower
case characters prior to encoding, which caused the firewall not
to load user groups names with upper case characters. |
PAN-119046 | Fixed an issue where moving multiple rules
in Panorama using the Move All rules in Group and Move
rules in group to different rule base group actions
caused the rules to move in a reversed order. |
PAN-118991 | Fixed an issue in Panorama where on a high
availability (HA) pair working in legacy mode, the following error
message displayed in the system log: `Panorama has lost connection to its peer, no log will be forwarded`. |
PAN-118957 | A fix was made to address an authentication
bypass spoofing vulnerability in the authentication daemon and User-ID
components of Palo Alto Networks PAN-OS (CVE-2020-2002). |
PAN-118851 | Fixed an issue where the BGP Conditional
Advertisement suppress condition was not met, which caused the Conditional Adv (Network
> Virtual Routers > <router-name> > BGP) not to apply
the NEXT HOPS prefix range. |
PAN-118777 | Fixed an issue on a firewall in a high availability
(HA) active/active configuration where larger than expected packet
sizes were silently dropped when traversing through an HA3 link
in an asymmetric network. |
PAN-118436 | (PA-5200 Series firewalls only)
Fixed an issue where applications using the GlobalProtect Clientless
VPN did not respond when the Clientless VPN used a VLAN interface. |
PAN-118413 | (PA-5200 Series firewalls only)
Fixed an issue where the `show system logd-quota` CLI
command did not display the Session log storage Quotas as expected. |
PAN-118259 | Fixed an issue where you were unable to
generate WildFire analysis reports in the WildFire Submissions log
when you configured Proxy Server (Device
> Setup > Services > Global). |
PAN-118249 | Fixed an issue where traffic logs and URL
Filtering logs did not display the URL for decrypted traffic. |
PAN-118207 | Fixed an issue where the Security Assertion
Markup Language (SAML) for GlobalProtect did not respond as expected
when you configured the IdP certificate as None on
the SAML IdP server profile. |
PAN-118108 | Fixed an issue where an API call against
a Panorama management server, which triggered the `request analyze-shared-policy` command,
caused Panorama to reboot after you executed the command. |
PAN-118091 | Fixed an issue where application dependency
warnings were displayed after a commit when the policy rules containing
the dependent applications used different sources (one used user
and the other used groups). |
PAN-118090 | Fixed an issue on Panorama M-Series and
virtual appliances where User Activity Report (Monitor
> PDF Reports) did not generate reports as expected. |
PAN-118075 | Fixed an issue where the BGP conditional
advertisement did not respond as expected, which caused the prefix
in the Advertise Filters (Network
> Virtual Router > BGP > Conditional Adv) to be incorrectly
advertised. |
PAN-118050 | Fixed an issue where some packets had incorrect
timestamps in the transmit stage during packet capture. |
PAN-117987 | Fixed an issue where the firewall did not
exclude video traffic from the GlobalProtect tunnel when you configured Exclude video
traffic from the tunnel (Windows and macOS only) (Network
> GlobalProtect > Gateways > <gateway-name> > Agent > Video Traffic). |
PAN-117969 | An enhancement was made to enable administrators
to select signature and digest algorithms for outgoing Security
Assertion Markup Language (SAML) messages through a CLI command. |
PAN-117774 | Fixed an issue where the dataplane stopped
responding due to an incorrect parsing of cookies for GlobalProtect
Clientless VPN applications. |
PAN-117736 | Fixed an issue on a firewall in a high availability
(HA) active/active configuration where virtual MAC addresses pushed
from Panorama were overridden on the local firewall. |
PAN-117561 | Fixed an issue in Panorama where Packet Capture was
enabled with extended-capture (Objects
> Security Profiles > Anti-Spyware) for DNS signatures, but
the setting was not pushed to firewalls running PAN-OS 8.1. |
PAN-117479 | A fix was made to address a vulnerability
with the Nginx web server included with PAN-OS (CVE-2017-7529). |
PAN-117463 | Fixed an issue where the firewall did not
release the default DHCP route when a new IP address was obtained
on a DHCP configured interface. |
PAN-117446 | Fixed an issue where GlobalProtect authentication
failed when you used the domain in the group mapping and a User
Principal Name (UPN) format for authentication. |
PAN-117276 | Fixed an issue on a firewall in a high availability
(HA) active/active configuration where the names of the virtual
routers were pushed from the active-primary firewall to the active-secondary
firewall when you sync the configuration, which caused schema verification
to stop responding when you do a local commit on the active-secondary firewall. |
PAN-117251 | Fixed an issue where vsysadmins were unable
to view the locks on all the virtual systems they were assigned
to. To view the locks in the CLI, run the new `show commit-locks vsys` and `show config-locks vsys` CLI commands. |
PAN-117167 | Fixed an issue where a process (configd) exceeded
the memory limit and stopped responding. |
PAN-116889 | Fixed an issue where you were unable to
establish an SSH session through a CLI command using a Diffie-Hellman
(DH) algorithm. |
PAN-116841 | Fixed an issue where commits failed when
address objects were used in static route configurations. |
PAN-116615 | Fixed an issue where authentication failed
for newly added groups in the authentication profile Allow List. |
PAN-116383 | Fixed an issue with Panorama on AWS where
the configuration of the high availability (HA) pair became out
of sync due to different plugin versions being detected even though
the same versions were installed on both peers. |
PAN-116355 | (PA-5200 Series firewalls only)
Fixed an issue on a firewall in a high availability (HA) active/passive
configuration where an HA1 heartbeat backup connection flap occurred
and displayed the following error message: `ha_ping_send/No buffer space available`. |
PAN-116173 | Fixed an intermittent issue on a firewall
in a high availability (HA) active/passive configuration where traffic
interruptions occurred until you triggered a manual failover. |
PAN-116100 | Fixed an issue where a process (mprelay) stopped
responding and invoked an out-of-memory (OOM) killer condition and
displayed the following error messages: `tcam full` and `pan_plfm_fe_cp_arp_delete`. |
PAN-115875 | Fixed an issue where a PA-7080b HA pair
rebooted when large sized packet traffic impacted the front panel
ports of the Log Forwarding Card (LFC). |
PAN-115238 | Fixed an issue where SSL renegotiation sessions
incorrectly identified URL categories. |
PAN-115018 | Fixed an issue where the firewall was unable
to access the CPU information and caused the CPU frequency to be set
to 0, which resulted in a divide by zero error and caused a process
(devsrvr) to stop responding. |
PAN-114966 | Fixed an issue where trunk interfaces were
not working on Hyper-V. |
PAN-114784 | Fixed an issue where a process (devsrvr) stopped
responding after you pushed a configuration from Panorama to a firewall. |
PAN-114438 | Fixed an issue where the system log incorrectly
reported intermittent certificate revocation list (CRL) fetches
as successful even though the fetches were not successful. |
PAN-114197 | Fixed an issue where a configured certificate
profile was not visible from the web interface in Network
> Network Profiles > IKE Gateways > Add > General > Certificate Profile. |
PAN-113144 | Fixed an issue where BGP peers were not
enabled when transitioning from Active/Passive to Active/Active
or Active/Active to Active/Passive config on both IPv4 and IPv6
peer groups. |
PAN-112145 | Fixed an intermittent issue where a process (useridd)
incorrectly reported successful Ops commands and did not download
Dynamic Address Group updates, which prevented virtual machines
from updating Dynamic Address Groups. |
PAN-111333 | An enhancement was made to increase the
pattern match limit to recognize applications and threats accurately. |
PAN-111135 | Fixed an issue where Panorama displayed
incorrect device monitoring values (Panorama > Managed
Devices > Health) for the firewall. |
PAN-109528 | Fixed an issue where an old GPRS tunneling
protocol (GTP) event was unexpectedly freed when an update message
arrived, causing a crash. |
PAN-109406 | Fixed an issue where the firewall restarted
when you unplugged the QSFP+ module from the High Speed Chassis
Interconnect (HSCI) port. |
PAN-108992 | A fix was made to address an improper authorization
vulnerability in PAN-OS (CVE-2020-1998). |
PAN-107358 | Fixed an issue where a firewall had a race
condition in the error handling code in the write thread, causing
memory corruption in the sslmgr session cache ring
buffer. |
PAN-105763 | An enhancement was made to enable you to
set the signing algorithm to sha-1 or sha-256 in
the Security Assertion Markup Language (SAML) message on the firewall. |
PAN-100946 | Fixed an issue where VM-Series firewalls
were unable to support the maximum number of tunnel interfaces due
to less than expected memory allocation. |
PAN-95651 | (PA-3200 Series firewalls only)
Fixed an issue where incomplete core dump files were generated during
dataplane process crashes, making the crash analysis difficult. |
PAN-71148 | Fixed an issue on Panorama where the ACC tab
would not show data for the period before the daylight saving time
(DST) change. |