PAN-OS 9.0.7 Addressed Issues
PAN-OS® 9.0.7 addressed issues.
Issue ID | Description |
---|---|
WF500-5185 | (WF-500 Series only) Fixed an issue where high disk use was observed due to an inadequate rotation of log files. |
PAN-140090 | Fixed an issue where HA links were down in VLAN access mode for KVM. This fix is only applicable for KVM deployments that are configured in VLAN access mode with SR-IOV. |
PAN-137458 | Fixed an issue where system logs with new event IDs caused a memory leak in a process (mgmtsrvr). |
PAN-136698 | Fixed an issue where a process (all_pktproc) stopped responding and the dataplane restarted when the firewall processed a malformed GPRS tunneling protocol (GTP) packet. |
PAN-136696 | Fixed an issue where the dataplane restarted due to excessive logs from the pan_comm process. |
PAN-135703 | (PA-7000 Series firewalls only) Fixed an issue where the switch ports connected to Quad Small Form-factor Pluggable (QSFP+) interfaces were up while Network Processing Cards (NPCs) were still rebooting. |
PAN-135260 | (PA-7000 Series firewalls running PAN-OS® 8.1.12 only) Fixed an intermittent issue where the dataplane process (all_pktproc_X) on a Network Processing Card (NPC) restarted when processing IPSec tunnel traffic. |
PAN-135103 | A fix was made to address a format string vulnerability on PA-7000 Series firewalls with a Log Forwarding Card (LFC) (CVE-2020-1992). |
PAN-135089 | Fixed an issue where the CPU for a process (ikemgr) spiked when third-party VPN clients connected to the GlobalProtect gateway with more than three DNS servers configured. |
PAN-134678 | (PA-5200 Series firewalls only) Fixed an issue where the Quad Small Form-factor Pluggable (QSFP) 28 ports 21 and 22 did not respond when plugged in with a Finisar 100G AOC cable. |
PAN-134370 | Fixed an issue where a process (mp-relay) restarted due to missing routes or next hops. |
PAN-134244 | Fixed an issue where connections proxied by the firewall (such as SSL Decryption, GlobalProtect portal and gateway connections, and SIP over TCP) failed due to insufficient buffer allocation. Some connections failed with the following error message: proxy decrypt failure. |
PAN-133582 | Fixed an issue in the firewalls where some Dynamic Address Groups pushed from Panorama were missing member IP addresses. |
PAN-133440 | Fixed an issue where fragmented traffic caused high dataplane use and firewall performance issues. |
PAN-133378 | Fixed an issue in Panorama where a process (configd) restarted while doing a commit using a RADIUS super admin role. |
PAN-133048 | (PA-5200 and PA-7000 Series firewalls only) Fixed an issue where firewalls processed traffic asymmetrically when using Internet Protocol (IP) classifiers on virtual wire (vwire) subinterfaces. |
PAN-133042 | (PA-5200 and PA-7000 Series firewalls only) Fixed an issue where firewalls dropped certain GPRS tunneling protocol (GTP) traffic even when gtp nodrop was enabled. |
PAN-133040 | Fixed an issue on a WF-500 appliance where a VM-Series firewall controller stopped responding, which caused the appliance to stop file analysis. |
PAN-131993 | Fixed an issue where a process (reportd) would crash while running a log query. |
PAN-131907 | Fixed an issue where GPRS tunneling protocol (GTP) version 2 handling was unable to handle fully qualified tunnel endpoint IDs (FTEID) received in reverse order, which resulted in GTP-C and GTP-U flows with incorrect IP addresses and tunnel endpoint IDs (TEID). This caused a GTP stateful inspection failure for subsequent packets on the respective flows. |
PAN-131486 | Fixed an issue where autocommits failed due to invalid access routes after an upgrade. |
PAN-131193 | Fixed an issue where firewalls dropped generic routing encapsulation (GRE) packets with the following error message: Packet dropped, prepend failure. |
PAN-130573 | Fixed an issue where the software pool for Regex results was depleted and caused connection failures. |
PAN-130447 | Fixed an issue where the firewall dropped offloaded traffic every time there was an explicit commit (Commit on the firewall locally or Commit All Changes in Panorama) or an implicit commit (such as an Antivirus update, Dynamic Update, or WildFire® update) on the firewall. |
PAN-130361 | A fix was made to address an external control of filename vulnerability in the SD-WAN component of Palo Alto Networks Panorama (CVE-2020-2009). |
PAN-130345 | Fixed an issue where the Panorama VM rebooted while filtering for configuration logs when the query value was not one of the predefined string results. |
PAN-130290 | Fixed an issue in the web interface where traffic logs did not display the destination zone (Monitor > Logs > Traffic > To Zone) for multicast sessions. |
PAN-130262 | Fixed an issue where firewalls dropped HTTP 200 OK messages during the offload of traffic for App-ID™ inspection. |
PAN-130229 | Fixed an issue on Panorama appliances where you could not change maximum transmission unit (MTU) values from the web interface; attempting to do so caused the appliance to display the following error message: Malformed Request. |
PAN-129518 | Fixed an issue where the firewall restarted due to an out-of-memory (OOM) condition caused by a leak in a process (ikemgr). |
PAN-129490 | Fixed an issue where CRL/OCSP verifications failed due to requests routing through the management interface even when service route was configured. |
PAN-128908 | If a user password was changed but no commit was performed afterward, the new password did not persist after a reboot. Instead, the user could still use the old password to log in, and the calculation of expiry days was incorrect based on the password change timestamp in the database. |
PAN-128717 | Fixed an issue in Panorama where, after switching context to a managed device, the session idle timeout was not updated, and the web session timed out even while the administrator was actively working in the interface. |
PAN-127616 | Fixed an issue where you could not push FQDN Minimum Refresh Time from Panorama to managed firewalls. |
PAN-127438 | Fixed an issue where GlobalProtect portal configuration selection based on certificate template OID failed. |
PAN-127219 | Fixed an issue where you could not select existing certificates when creating an authentication profile by using the Security Assertion Markup Language (SAML) method on the template stack. |
PAN-127118 | A fix was made to address an OS command line injection vulnerability in the PAN-OS management server where authenticated users were able to inject arbitrary shell commands with root privileges (CVE-2020-2014). |
PAN-127087 | Fixed an issue where a push operation (Commit All Changes) from Panorama failed on passive firewalls when pushing a large number of new Security policy rules to both firewalls in a high availability (HA) pair. |
PAN-126944 | Fixed an issue where the Panorama Template did not allow for Ethernet Interface Link Speed configurations greater than 1,000Mbps. |
PAN-126817 | Fixed an issue where Security Assertion Markup Language (SAML) response validation failed with a certificate mismatch error even if the firewall had the same certificate on IdP. |
PAN-126775 | (PA-800 and PA-220 Series only) Fixed an issue where NTP sync failures occurred when using NTP servers configured with IPv6. |
PAN-126573 | Fixed an issue on Panorama where, after overriding a Layer 3 Aggregate Group subinterface, all subinterfaces in the stack template disappeared. |
PAN-126412 | Fixed an issue where hardware security module (HSM) authentication from the web interface failed if the password contained an ampersand (&). |
PAN-126362 | A fix was made to address a command injection vulnerability in the PAN-OS management interface where an authenticated administrator was able to execute arbitrary OS commands with root privileges (CVE-2020-2010). |
PAN-126278 | Fixed an issue where a burst of VLAN-tagged packets in a congested system caused an overflow and locked up the firewall. With this fix, the threshold is increased. |
PAN-126202 | Fixed an issue where a process (routed) stopped responding when users accessed the web interface to view the OSPF interface data (Network > Virtual Routers > More Runtime Stats > OSPF > Interface) if OSPF MD5 was configured in the OSPF Auth profile. |
PAN-126017 | Fixed an issue where the set application dump on rule CLI command did not accept rule names with more than 32 characters despite a stated limit of 63 characters. |
PAN-126014 | Fixed an issue for GlobalProtect gateways where the Login At and Logout At time fields in the Previous User PDF/CSV report for User Information used the Epoch standard for displaying time. |
PAN-125889 | (PA-7000 Series firewalls only) Fixed an issue where auto-tagging in log forwarding didn't work. |
PAN-125804 | A fix was made to address an issue where an OS command injection vulnerability in the PAN-OS management server allowed authenticated administrators to execute arbitrary OS commands with root privileges when uploading a new certificate in FIPS-CC mode (CVE-2020-2028). |
PAN-125546 | Fixed an issue where a process failed to restart even when the system logs displayed the following message: virtual memory exceeded, restarting. |
PAN-125527 | Fixed an issue where a multilayer ZIP file inspection caused software buffer corruption and the all_pktproc process to restart. |
PAN-125306 | Fixed an issue where a Transmission Control Protocol (TCP) connection reuse was incorrectly handled by an HA active/active cluster with asymmetric flows. |
PAN-125194 | Fixed an issue where system startup failed when the collector group was configured with an incorrect serial number of invalid length. |
PAN-125032 | Fixed an issue where, when Minimum Password Complexity was Enabled for all local administrators, the setting was also applied to plugin users. This caused API calls from plugin users to fail (HTTP Error code 502) because the password change was not made for the users, which caused authentication to fail. |
PAN-124857 | Fixed an issue where a Microsoft Access Database (MDB) file stopped and a process (mgmtsrvr) stopped responding at the epoll_wait() system call after the Panorama Virtual Appliance was stopped and started from Azure. |
PAN-124802 | Fixed an issue where LACP connectivity issues were observed due to high CPU utilization when multiple dataplanes were used. |
PAN-124628 | Fixed an issue where REST API queries were unable to pull shared region objects on Panorama. |
PAN-124495 | Fixed an issue on Panorama where the task manager showed locally executed jobs but did not show tasks or jobs pushed to managed firewalls. |
PAN-124087 | Fixed an issue where GPRS tunneling protocol (GTP) v2 protocol handling failed to handle the secondary Modify Bearer Request/Response in the GTP-C session. |
PAN-123858 | Fixed an issue on firewalls where a process (userid) restarted while processing incorrect IP address-to-username mappings that contained blank usernames from User-ID agents. |
PAN-123830 | Fixed an issue where the GlobalProtect™ portal used an outdated getbootstrap version. |
PAN-123736 | Fixed an issue where a Create Session Request message looped internally, which caused continuous packet inspection that consumed firewall resources. |
PAN-123724 | Fixed an issue in Panorama where shared address objects were not configurable as a destination in a static route configuration. |
PAN-123391 | A fix was made to address a predictable temporary file vulnerability in PAN-OS (CVE-2020-1994). |
PAN-123295 | Fixed an issue where the dataplane restarted due to a race condition when a configuration push and a Netflow update occurred simultaneously. |
PAN-123135 | Fixed an issue where user group membership lookup failed if the username source (for example, Security Assertion Markup Language identity provider (SAML IdP)) did not provide the user domain information. The issue occurred even if you configured the firewall to Allow matching usernames without domains (Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup). |
PAN-122909 | Fixed an issue where enabling SSL Forward Proxy using the hardware security module (HSM) led to intermittent failures when loading random secure websites and displayed the following message: ERR_CERT_INVALID. This issue was most closely associated with servers presenting ECDSA certificates. |
PAN-122872 | Fixed an issue where the Aggregate Ethernet (AE) subinterface showed a different status from the AE parent interface. |
PAN-122147 | Fixed an issue where the firewall dropped IPv6 Bidirectional Forwarding Detection (BFD) packets due to a race condition with the Neighbor Discovery Protocol (NDP). |
PAN-121822 | Fixed an issue with certificate authentication where only the topmost certificate was used to validate the client certificate. |
PAN-121654 | (PA-3000 Series firewalls only) Fixed an issue where decrypting HTTP/2 traffic caused performance issues due to low memory conditions. |
PAN-121626 | (PA-3200 Series firewalls only) Fixed an intermittent issue where firewalls dropped packets, which caused issues such as traffic latency, slow file transfers, reduced throughput, internal path monitoring failures, and application failures. |
PAN-121598 | Fixed an issue where the PAN-OS XML API packet capture (pcap) export failed with the following error message: Missing value for parameter device_name. Now, device_name and sessionid are no longer required parameters. |
PAN-121596 | Fixed an issue where the OSPF protocol didn't choose the correct loopback address for the forwarding address in the Not-So-Stubby Area (NSSA). |
PAN-121483 | Fixed an issue where Data Filtering profiles did not generate a packet capture (pcap) for Server Message Block (SMB) when action was set to Alert. |
PAN-121395 | Fixed an issue where the bidirectional static NAT policy rule hit count did not increase even when the policy was used. |
PAN-121371 | Fixed an issue where autocommit stopped at 99% if the firewall had an invalid customer ID. |
PAN-121319 | A fix was made to address a stack-based buffer overflow vulnerability in the management server component of PAN-OS (CVE-2020-1990). |
PAN-121258 | Fixed an issue where some SSLv3 session traffic logs showed an Allow action even when the security rule policy had a Deny action when url-proxy was enabled. |
PAN-120726 | Fixed an issue where the firewall incorrectly populated the username after the user was served an Anti-Phishing Continue page due to credential phishing detection. |
PAN-120640 | Fixed an issue where show routing bfd related commands triggered a memory leak in a process (routed). |
PAN-120350 | Fixed an issue where an Address Resolution Protocol (ARP) broadcast storm overloaded the Log Processing Card (LPC) and caused the device to reboot. |
PAN-119810 | A fix was made to address the improper restriction of the XML external entity (XXE) vulnerability in the Palo Alto Networks Panorama management server (CVE-2020-2012). |
PAN-119625 | Fixed an issue where configuring GlobalProtect certificate enrollment using Simple Certificate Enrollment Protocol (SCEP) with a dynamic SCEP challenge caused the firewall to initiate a TLS 1.0 based connection for challenge authentication. |
PAN-119442 | Fixed an issue where Panorama did not display the drop-down for part of a custom report after using Pick up Later (Monitor > Manage Custom Reports). |
PAN-119173 | (PA-5000 and PA-3000 Series firewalls only) Fixed an issue where the passive device in a high availability (HA) pair started processing traffic, which resulted in a packet buffer leak. |
PAN-118226 | A fix was made to address an improper input validation vulnerability in the configuration daemon of Palo Alto Networks Panorama (CVE-2020-2011). |
PAN-117480 | A fix was made to upgrade Nginx software included with PAN-OS (PAN-SA-2020-0006 / CVE-2016-4450 and CVE-2013-0337). |
PAN-117108 | Fixed an issue where user mappings populated by the XML API were lost after a reboot. |
PAN-117043 | Fixed an issue where using special characters in the tag names of the Security policy rules returned the following error message when committing or pushing a configuration: group-tag is invalid. |
PAN-116842 | Fixed an issue where, after enabling a Cortex Data Lake license, the management plane memory utilization would increase unexpectedly when some connections between the firewall and Customer Support Portal server were blocked, leading to multiple process restarts due to an out-of-memory (OOM) condition. |
PAN-116231 | Fixed an issue where invalid packet header content drop counters were seen in global counters when packets from the network or HA3 were hitting a stale flow. The following flow state verify error was seen: flow_fpga_rcv_key_err - Packets dropped. |
PAN-116061 | Fixed an issue where traffic traversing through an IPSec tunnel did not use the default maximum interface bandwidth, which caused the traffic to traverse through the IPSec tunnel with latency. |
PAN-116002 | Fixed an issue where an incorrect optimization could cause IP address-to-user mapping to not update within 60 seconds. |
PAN-115562 | Fixed an issue where superuser CLI permissions for role-based administrators did not match superuser privileges. |
PAN-115093 | Fixed an issue where the firewall generated excessive logs for content decoder (CTD) errors. |
PAN-114648 | (PA-3200 Series firewalls only) Fixed an issue where the HA1 heartbeat backup connection flapped due to ping failures caused by unavailable buffer space when Heartbeat Backup was configured (Device > High Availability > Election Settings). |
PAN-111636 | A fix was made to address OpenSSH issues (PAN-SA-2020-0002 / CVE-2018-20685, CVE-2019-6109, and CVE-2019-6111). |
PAN-102682 | A fix was made to address an OS command injection vulnerability in the management component of PAN-OS where an authenticated user was able to potentially execute arbitrary commands with root privileges (CVE-2020-2007). |
PAN-100734 | A fix was made to address a buffer overflow vulnerability in the PAN-OS management interface where authenticated users were able to crash system processes or execute arbitrary code with root privileges (CVE-2020-2015). |
PAN-100415 | A fix was made to address an external control of filename vulnerability in the command processing of PAN-OS (CVE-2020-2003). |
PAN-74442 | Fixed an issue where, after enabling debugging on the dataplane, the debug logs contained information about unrelated traffic. |