Fixed an issue where a firewall in FIPS mode running PAN-OS 8.1.18 or a later version failed to connect with a WildFire appliance in normal mode.

Fixed an issue where cloud queries failed, which generated system logs. The issue occurred because a hash was not found in the cloud.

Fixed an issue where custom URL categories hit incorrect URL categories, which caused the firewall to miss or deny the security policies for the configured custom URL.

Fixed an issue where a firewall superuser using an LDAP authentication profile that was pushed from Panorama was unable to save the filter under Monitor > Logs.

(VM-Series firewalls on Microsoft Azure only) Fixed an issue where, when a second disk was added, /opt/panlogs was mounted on an incorrect partition.

Fixed an issue where a configd process memory corruption occurred when Panorama was exposed to multiple XML API calls on Dynamic Address Groups updates.

Fixed an issue where authentication failure messages were overwritten when a commit was in progress.

(PA-7000 Series firewalls with NPCs only) Fixed an issue where path monitoring failure occurred while hot inserting a 100G NPC (network processing card) into the firewall.

Fixed an issue where commit jobs failed when validating HIP objects and profiles.

Fixed an issue where an unavailable certificate revocation list (CRL) from the server side caused an infinite loop on a process (sslmgr), which resulted in it not responding for other tasks.

A fix was made to address an improper restriction of XML external identity (XXE) reference in the PAN-OS web interface that enabled an authenticated administrator to read any arbitrary file from the file system and send a specifically crafted request to the firewall that caused the service to crash (CVE-2021-3055).

Fixed an issue where log queries that included a username did not return with any output.

Fixed an issue on Panorama where a context switch to a managed firewall running PAN-OS 8.1.0 to PAN-OS 8.1.19 failed.

Fixed an issue where packet buffers were depleted.

Fixed an issue where tunnel monitoring in the Large Scale VPN (LSVPN) displayed as down in both the CLI and the web interface due to incorrect dataplane ownership.

Fixed an issue where DHCP leases were not properly synchronized between high availability peers after a device or dhcpd process restart. With this fix, the DHCP lease details display correctly on both the active and the passive device.

Fixed an issue where an out-of-memory (OOM) condition occurred due to a memory leak related to a process (logrcvr).

Fixed an issue where, when using the CLI or API, configurations for policy rule services or applications that either used custom settings and default settings together, or used multiple default settings together, successfully commit instead of failing or displaying a warning.

Note To use this fix, you must delete previous application or service settings in the configuration.

Fixed a memory issue for LSVPNs with multiple dataplane systems.

Fixed an issue on Panorama where a user with an admin role was able to set the Block IP List option via the CLI but not the web interface.

Fixed an intermittent issue on the firewall where packets dropped in decrypted SSL/TLS sessions.

Fixed an issue where, when the GlobalProtect client sent UDP/4501 traffic that was destined for the GlobalProtect gateway inside the GlobalProtect tunnel, the firewall still processed the traffic, which caused routing loops.

Fixed an issue where blank configuration for tokens in a content-driven FreeDNS Afraid.org Dynamic API v1 DDNS configuration were not enabled.

Fixed an issue where a core dump occurred on a process (flow_ctrl) after a commit if a policy-based forwarding (PBF) rule referenced an interface that had a DHCP IP address assignment.

Fixed an issue where the Device Namefield was missing when GlobalProtect logs were exported to CSV from the Panorama management server.

Fixed a memory leak issue related to a process (useridd) that occurred when processing high amount of HIP reports as well as aa memory leak issue related to the sslvpn process that occurred when the firewall was configured as a GlobalProtect satellite.

Fixed an issue where a process (useridd) repeatedly exceeded the virtual memory limit, which caused the process to stop responding.

Fixed an issue in Panorama where an administrator with the role of Panorama administrator did not have the option to download or install GlobalProtect clients (Panorama > Device Deployment > GlobalProtect).

Fixed an issue where the metadata from the firewall's authentication profile was unable to export. This issue occurred when the authentication profile and the SAML Identity Provider sever profile were created with VSYS in the Location and pushed from Panorama template stack values. To utilize this fix, you must upgrade both Panorama and the firewall.

(ZTP-capable firewalls only) Fixed an issue where the default Zero Touch Provisioning (ZTP) configuration was still present on the firewall even when ZTP was disabled, which caused commit failures.

Fixed an issue where tunnel traffic was dropped intermittently when a Quality of Service (QoS) Profile was assigned but the profile had no limits defined.

Fixed an issue where system logs incorrectly displayed as Critical.

Fixed an issue where intermittent VXLAN packet drops occurred if the TCI was not configured for inspecting VXLAN traffic. This issue occurred when traffic was migrated from a firewall running a PAN-OS version earlier than PAN-OS 9.0 to a firewall running PAN-OS 9.0 or later.

Fixed an issue in Panorama where a process (configd) stopped responding due to a race condition in the mongodbprocess.

Fixed an issue where a local commit in the Panorama management server caused the status to get out of sync on the managed WildFire appliance.

Fixed an issue where a Japanese keyword search displayed garbled characters during SAML authentication.

Fixed an issue where you were unable to select the configured QoS profile under the template stack.

Fixed an issue where scheduled configuration export files saved in the /tmp folder in root were not periodically purged, which caused the root partition to fill up.

Fixed an memory leak issue related to a process (mgmtsrvr), which was caused by a certificate loading operation.

Fixed an issue where you were unable to add more than 500 DHCP relay agent objects in the firewall templates from Panorama.

Fixed an issue where an increase was observed on spyware_state, which caused latency.

Fixed an issue where the PBF monitor was failing on the tunnel interface when QoS was enabled.

(PA-7000 Series firewalls only) Fixed an issue where TFTP traffic with a high packet rate was not offloaded even after hitting an application override policy with a custom application.

Fixed an issue where HIP reports were not visible on the web interface due to a domain override configuration.

Fixed an issue where adding a container application from the Apps Seen list did not remove the child application from the list.

Fixed an issue where false system alarms for the IP tag log database exceeded the alarm threshold value.

Fixed an issue where the To field of an email was truncated in threat logs when the original email exceeded 512 bytes.

Fixed an intermittent issue where the firewall dropped GPRS tunneling protocol (GTP-U) traffic with the message TEID=0x00000000.

Fixed an issue where device deployment from Panorama to the firewalls failed with the error message Failed to get DLSRVR client key. This issue occurred only on firewalls where the request system-private-data-reset CLI command had been issued in the past.

Fixed an issue on the firewall where a process (useridd) stopped responding when group-mapping profiles were configured with an LDAP server profile with the type e-directory.

(PA_5200 Series firewalls only) Fixed an issue where, after a factory reset, the firewall displayed the following error message: data_plane_X: Exited 1 times, must be manually recovered..

Fixed an issue where a process (flow_mgmt) repeatedly restarted with a segmentation violation (SIGSEGV) signal and the following trace: flow_mgmt:pan_flow_dos_ager_invoke pan_sw_timer_100ms pan_sw_timer_invoke.

Fixed an issue where, if the OK button is clicked before tags are loaded when editing an address object that contained tags via the firewall web interface, associated tags are removed.

(ZTP firewalls only) Fixed an issue where the firewall failed to connect to Panorama when ZTP was disabled.

Fixed an issue where a process (configd) stopped responding, which caused corruption.

(PA-5200 Series firewalls only) Fixed an intermittent issue where multicast packets traversing the firewall in VLAN configurations experienced higher drop rates than expected.

Fixed an issue where, when stateless GTP-U traffic hit a multi-dataplane firewall, an inter-dataplane fragmentation loop occurred, which caused high dataplane resource usage.

A fix was made to address an issue where a cryptographically weak pseudo-random number (PRNG) was used during authentication to the PAN-OS interface. As a result, attackers with the capability to observe their own authentication secrets over a long duration on the firewall had the ability to impersonate another authenticated web interface administrator’s session (CVE-2021-3047).

Fixed an issue where the management interface incorrectly used the configured default gateway for local network traffic when service routes were configured.

Fixed an issue where netflow packets sent from the firewall contained excess padding, which resulted in the packet length exceeding 1400 bytes.

Fixed an issue where the Panorama web interface did not display the secondary IP address configuring it under the template stack.

(7000-Series firewalls only) Fixed an issue where, when a subinterface was configured as a Log Card interface, the commit failed unless an IP address was assigned to the parent interface.

Fixed an issue where individual users were unable to populate the allowed user/user group field when configuring the GlobalProtect Clientless VPN.

Fixed an issue where the default log level for mprelay was set to INFO and caused commits to stop working on VM-Series firewalls in AWS using EBS backed volumes when route monitor is configured.

Fixed an issue where the firewall was unable to match HIP objects with a 3-digit code version.

Fixed an issue where an interface placed in a pre-defined zone was removed by the SD-WAN plugin after a commit to the firewall.

Fixed an issue where editing the LDAP server IP address (Device > Templates > Server Profiles > LDAP > LDAP Server Profile) removed the bind password.

Fixed an issue where, when SSL/TLS was required, LDAP server authentication attempted StartTLS first.

Fixed an issue where a process (genindex.sh) caused high memory usage on the management plane. Due to the resulting OOM condition, multiple processes stopped responding.

Fixed an issue where the Radius EAP authentication stopped working and the authd process restarted.

Fixed an issue where the firewall was unable to detect end-user IP address spoofing on the GTP-U for a user data session when using an IPv6 address.

Fixed an issue where Panorama failed to push dynamic user groups to the managed firewalls.

Fixed an issue where the inactivity logout timeout did not reflect on the GlobalProtect mapping timeout.

(VM-Series firewalls only) Fixed an issue where the management plane CPU was incorrectly reported to be high.

Fixed an issue where using XML special characters in the Uninstalled GlobalProtect APP password in the application configuration (Networks > GlobalProtect > Portals > Agent > App) disrupted portal connectivity.

Fixed an issue where the firewall treated external dynamic list entries with nested carets as invalid.

Fixed an issue where, after upgrading Panorama from PAN-OS 8.1.9 to PAN-OS 9.1.3, the option to preview changes for dynamic address groups or templates from Panorama did not work.

Fixed an issue where the software QoS shaping queue processing was not properly applied on multicast traffic.

Fixed an issue where, when IPSec tunnels had tunnel-monitor enabled, tunnel activation was sent every 3 seconds, even when the configured value was different. With this fix, tunnel activation will be sent according to the configured intervals and thresholds.

Modified the diff algorithm for when a configuration audit was performed because certain objects incorrectly displayed as either New or Modified/Unchanged due to the XML format being added.

Fixed an issue where GlobalProtect logs did not populate on the destination syslog server in Log Event Extended Format (LEEF) and common event format (CEF).

Fixed an issue where it was possible via the CLI to create a Security policy rule with the any and application-default options simultaneously configured.

(PA-7000 Series firewalls with Log Forwarding Cards (LFC) only) Fixed an issue where the logging rate for the LFC was not displayed in Panorama > Managed Devices > Health.

Fixed an issue where the commit event was not recorded in the config logs during a Commit and Push on the Panorama management server.

Fixed an issue where, when printing External Dynamic List (EDL) log messages, the messages repeated until the end of the description.

(PA-220 Series firewalls only) Fixed an issue where a process (mgmtsrvr) stopped responding when viewing logs in the web interface.

A fix was made to address a reflect cross-site scripting (XSS) vulnerability in the PAN-OS web interface that enabled an authenticated network-based attacker to mislead another authenticated PAN-OS administrator to click on a specially crafted link that performed arbitrary actions in the web interface as the targeted authenticated administrator (CVE-2021-3052).

Fixed an issue where Elasticsearch restarted unexpectedly when it ran out of memory. This was due to the vm.max-map-count value being set incorrectly in the newer version of Elasticsearch (starting from PAN-OS 9.0). With this fix, the value is set correctly.

Fixed an issue where, even when tunnel interface is set to down, the following alert displayed: Tunnel GRE_Tunnels is going down(critical).

Fixed an issue where a process (authd) ignored null domain authentication profiles in a sequence and only returned non-null domains to GlobalProtect.

Fixed an issue where, when SIP traffic traversing the firewall was sent with a high QoS Differentiated Services Code Point (DSCP) value, the DSCP value was reset to the default setting (CS0).

A fix was made to address an issue where an OS command argument injection vulnerability in the PAN-OS web interface enabled an authenticated administrator to read any arbitrary file from the file system (CVE-2021-3045).

Fixed an issue on the firewall web interface where the Cortex Data Lake Logging Service Status pop-up window did not show correct information.

Fixed an issue with the Panorama web interface where, when all device groups and templates were selected, a load configuration operation failed. This was caused by the XML cache rebuilding for each device group and template iteration.

Fixed an issue where, in two separate but simultaneous sessions, the same software packet buffer was owned and processed.

Fixed an issue where a satellite firewall was unable to authenticate to an LSVPN gateway when the issued certificate from Simple Certificate Enrollment Protocol (SCEP) had encryption bits set to 3072. With this fix, the maximum private key size of 3072 bits, along with the 1024-bit size and the 2048-bit size, is able to authenticate when selected to create the SCEP profile.

Fixed an issue where administrators were unable to delete the GlobalProtect Data File update schedule (Device > Dynamic Updates).

Fixed an issue where merged configurations were unable to be exported from Panorama-managed firewalls using the PAN-OS XML API.

Fixed a rare issue where, when aggregate ethernet (AE) groups were deleted and re-added, the AE interface no longer had an SDB node to send link the location to. As a result, the dataplane was unable to identify a connected route for the interface address.

Fixed an issue where the firewall status was inaccurate (Panorama > Device Deployment).

Fixed an issue memory leak issue where a process (devsrvr) consumed excess memory, which resulted in OOM conditions.

Fixed an issue in Panorama where the GlobalProtect gateway configuration in the template stack for mobile users was not able to be overwritten.

Fixed an issue where the following settings were not pushed from Panorama to the firewall: Minimum Length, Failed Attempts, and Lockout Time (Template > Device > Setup > Management).

Added zram support to PAN-OS platforms.

Fixed an issue where period Windows Management Instrumentation (WMI) probing did not work until a process (useridd) was restarted.

Fixed an issue where some threat logs in Panorama were not displayed when filtered by Threat-ID name.

Fixed an issue where HIP-related objects were missing transformation logic, which caused commit failures.

Fixed an issue where firewall logs incorrectly include the end-user IP address in GTP message logs when you configure PAA IE with IPv4 and IPv6 dual stack in the Create Session Response message.

Fixed an intermittent issue where, when the DNS Security cloud was not reachable, DNS responses had bad UDP checksums.