>
    PAN-OS 9.1.11 Addressed Issues
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. PAN-OS 9.1 Addressed Issues
    4. PAN-OS 9.1.11 Addressed Issues
    Download PDF

    PAN-OS 9.1.11 Addressed Issues

    Table of Contents
    End-of-Life (EoL)

    PAN-OS 9.1.11 Addressed Issues

    PAN-OS® 9.1.11 addressed issues.
    Issue ID
    Description
    WF500-5509
    (WF-500 appliance only) Fixed an issue where cloud inquiries were logged under the SD-WAN subtype.
    PAN-174448
    Fixed an issue where Zero-Touch Provisioning (ZTP) configuration wasn't removed after disabling it, which resulted in predefined configurations to be loaded after a reboot.
    PAN-174326
    A fix was made to address an OS command injection vulnerability in the PAN-OS web interface that enabled an authenticated administrator to execute arbitrary OS commands to escalate privileges (CVE-2021-3050).
    PAN-173848
    Fixed an issue where DNS Security web service was not reachable and retransmission did not occur.
    PAN-172490
    Fixed an issue on firewalls in a high availability (HA) configuration where HA-2 links continuously flapped on HSCI interfaces after upgrading to PAN-OS 8.1.19.
    PAN-172464
    Fixed an issue where unicast DHCP discover or request packets were silently dropped.
    PAN-171290
    Fixed an issue where Panorama deployed in Google Cloud Platform (GCP) failed to the renew management server DHCP IP.
    PAN-171174
    Console debug output was enhanced to address issues that led to a loss of SSH and web interface access.
    PAN-170936
    Fixed an issue where the firewall egressed offloaded frames out of order after an explicit commit (Commit on the firewall or Commit All Changes on Panorama) or an implicit comment such as an Antivirus update, Dynamic Update, or WildFire update.
    Note This issue persists for a network-related configuration and commit.
    PAN-170825
    Fixed an issue where, when a partial Preview Change job failed, a process (configd) stopped responding.
    PAN-170740
    Fixed an issue with the google-docs-uploading application that occurred if a Security policy rule was applied to a Security profile and traffic was decrypted.
    PAN-170314
    Fixed an issue where PAN-DB URL cloud updates failed because a process (devsrvr) did not fetch serial numbers, which prevented the PAN_DB URL cloud from connecting after first deployment.
    PAN-170103
    Fixed an issue where a process (ikemgr) stopped responding while making configuration changes. This issue occurred if Site-to-Site IPSec was using certification-based authentication.
    PAN-169793
    Fixed an issue where using cookies to authenticate MacOS users didn't work due to the client agent not providing the phpsessionid set from the sent GlobalProtect messages during the connection. As a result, the firewall was unable to find and include the portal authentication cookie in the response message.
    PAN-169197
    Fixed a rare issue where generating a tech support file caused the useridd process to stop responding.
    PAN-169064
    Fixed an issue where the management CPU remained at 100% due to a large number of configured User-ID agents.
    PAN-168921
    Fixed an issue in an HA active/active configuration where traffic with complete packets showed up as incomplete and were disconnected due to a non-session owner device closing the session prematurely.
    PAN-167989
    Fixed a timing issue between downloading and installing threads that occurred when Panorama pushed content updates and the firewall fetched content updates simultaneously.
    PAN-167872
    Fixed an issue related to a process (all_pktproc) that occurred in long-lived sessions that spanned two content upgrades.
    PAN-167858
    Fixed an issue where a DNS Security inspection identified a TCP DNS request that had two requests in one segment as a malformed packet and dropped the packet.
    PAN-167805
    Fixed an intermittent issue where traffic ingressing through a VPN tunnel failed to match predict session, which resulted in child sessions failing.
    PAN-167637
    Fixed an issue where users connecting to the US East gateway encountered a delay in DNS responses.
    PAN-167266
    Fixed an issue on multi-dataplane firewalls with high CPU use on dataplane 0 that caused an internal loop of forward/host sessions on the firewall.
    PAN-167099
    Fixed a configuration management issue that resulted in a process (ikemgr) failing to recognize changes in subsequent commits.
    PAN-166836
    Fixed an issue where session failed due to resource unavailability.
    PAN-166572
    Fixed an issue where a process (configd) restarted when browsing policies on Panorama.
    PAN-166557
    Fixed an issue where ElasticSearch didn't register to the masterd process when setting up a new Log Collector configuration.
    PAN-166081
    Fixed an issue where role based admin users with tag disabled were unable to view applications under ObjectsApplication.
    PAN-165913
    Fixed an issue on United States GlobalProtect portals where HTTP health checks failed and no authentication events occurred for about 10 minutes.
    PAN-165843
    Fixed an issue on the firewalls where generating SCEP Certificates did not work when the value of a Relative Distinguished Name (RDN) in the subject string contained a space.
    PAN-165661
    Fixed an issue in an HA active/active configuration where an administrative shutdown message was not sent to the BGP peer when the firewall went into a suspended state, which delayed convergence.
    PAN-165660
    Fixed an issue where, in scenarios with Fragmented Session Initiation Protocol (SIP), where the first packet arrived out of order, bypassing App-ID and Content and Threat Detection (CTD). With this fix, the out-of-order packet is transmitted after it has been queued and processed by App-ID and CTD.
    PAN-165179
    Fixed an issue where Panorama missed address group objects during a template configuration due to Panorama not sending the required strings for a query.
    PAN-165120
    Fixed an issue where the Application Command Center (ACC) did not display data when the Device Group was set with VSYS in its name.
    PAN-165025
    Fixed an issue where, when default interzone and intrazone Security policy rules were overwritten, the rules did not display hit counts.
    PAN-164422
    (VM-Series firewalls only) A fix was made to address improper access control that enabled an attacker with authenticated access to GlobalProtect portals and GlobalProtect gateways to connect to the EC2 instance metadata endpoint for VM-Series firewalls hosted on Amazon Web Services (AWS) (CVE-2021-3062).
    PAN-164431
    (VM-Series firewalls only) Fixed an issue where the firewall rebooted into maintenance mode after installing a capacity license in FIPS-CC mode.
    PAN-164429
    Fixed an issue where the Panorama web interface displayed an unavailable setting.
    PAN-164402
    A CLI command was added to immediately disable or enable restarting the syslog-ng connection during an FQDN refresh IP address change.
    PAN-163800
    Fixed an intermittent issue where the presence of an Anti-Spyware profile in a Security policy rule that matched DNS traffic caused DNS responses to be malformed in transit.
    PAN-163695
    Fixed an issue where multiple dataplane process (all_task, flow_mgmt, flow_ctrl, and pktlog_forwarding) stopped responding and caused the dataplane to restart. This issue occurred when the firewall received unexpected packets during an SSL handshake when SSL inbound inspection was configured.
    PAN-162884
    Fixed a rare issue where an external dynamic list (EDL) entry became corrupt due to an erroneous string being inserted while generating the list.
    PAN-161618
    Fixed an issue where the commit time increased after upgrading from PAN-OS 9.0 to PAN-OS 9.1.
    PAN-161289
    Fixed an issue where predict session didn't update the associated rules when Security policies shifted after a commit.
    PAN-161218
    The following CLI commands were added to enable the customer to set the dataplane utilization limit: debug dataplane show ctd wildfire max -debug dataplane set ctd wildfire max <0-5000> The default setting is the recommended value of 500; a value of 0 removes dataplane CTD limits.
    PAN-161208
    Fixed an issue where the Service Route Configuration (Device > Setup > Services > Service Route Configuration) was unchangeable when the web interface language was set to a language other than English.
    PAN-160831
    Fixed an intermittent issue where importing a new firewalls configuration into Panorama failed due to conflicting virtual system (vsys) names, even when the Device Group Name Prefix was used to make the name unique.
    PAN-160544
    Fixed an issue where a user was able to clone, edit, and commit a configuration that had been locked by another user.
    PAN-160254
    Fixed a memory leak issue related to a process (reportd) where memory was not freed after an ElasticSearch request.
    PAN-160253
    Fixed an issue where only one medium-severity system log was generated if either the EDL file wasn't updated at the remote end or the downloaded file wasn't a text file.
    PAN-160150
    Fixed an intermittent issue where, when a race condition occurred, a process (rasmgr) stopped responding, which caused GlobalProtect user authentication failure.
    PAN-159954
    Fixed an issue where scheduled configuration bundle exports via Secure Copy (SCP) displayed following error message in the system log: Failed to export config bundle after already displaying a Success message in the log.
    PAN-159936
    Fixed an issue where BGP routing stopped advertising a redistributed route when a similar new redistributed route was configured.
    PAN-159922
    Fixed an issue where, when the DNS Security feature was enabled, Linux clients experienced a delay in resolving domain names if the clients simultaneously attempted A and AAAA resolution.
    PAN-159700
    Fixed an issue where importing PAN-TRAPS.my to the SNMP manager caused the following error to display: Registration failed, registration failed, because there are unreferenced definition names in the MIB file.
    PAN-159536
    Fixed an issue where, when the CLI command oscp-exclude-nonce-yes was enabled for a certificate profile, a nonce value was still included in the Online Certificate Status Protocol (OCSP) request.
    PAN-159435
    Fixed an issue where SD-WAN routes weren't withdrawn after a bootup when all SD-WAN tunnels were down.
    PAN-159293
    Fixed an issue where the Certification Revocation List (CRL) in Distinguished Encoding Rules (DER) format incorrectly returned errors despite being able to successfully pull the CRL to verify that the syslog server certificate was still valid.
    PAN-159122
    Fixed an issue where, when a new tag was created, a custom application with the same name was also created.
    PAN-158958
    Fixed an issue where the debug sslmgr view crl command failed when ampersand (&) character was included in the URL for the certificate revocation list (CRL).
    PAN-158654
    Fixed a memory leak issue in the management server process.
    PAN-158649
    Fixed an issue where commits to the Prisma Access Remote networks from Panorama were failing when the management server on the cloud firewall failed to exit cleanly and reported the following error: pan_check_cert_status(pan_crl_ocsp.c:284): sysd write failed (TIMEOUT)
    PAN-158450
    (PA-3200 Series firewalls only) Fixed an issue where, for SNMPv2-MIB:sysServices, snmpwalk returned the following error message: No Such Instance currently exists at this OID.
    PAN-158439
    Fixed a memory leak on the management server process on Firewall.
    PAN-158372
    Fixed a buffer overflow issue related to the useridd process.
    PAN-158337
    Fixed an issue where warnings displayed during a commit or validate when BGP peers used in an import/export rule were disabled.
    PAN-158043
    Fixed an issue where the firewall dropped packets due to a race condition.
    PAN-157938
    (VM-Series firewalls with multiple DHCP interfaces only) Fixed an issue where leases renewed more quickly than needed, which caused unnecessary SPF recalculations.
    PAN-157835
    Fixed an issue where DNS Proxy rules that contained uppercase characters were not normalized to lowercase, which prevented the rules from being matched.
    PAN-157725
    Fixed an issue where, when decryption was enabled, the following error was displayed: Cannot contact reCAPTCHA. Check your connection and try again.
    PAN-157715
    Fixed an intermittent issue where SMB file transfer operations failed due to packet drops that were caused by the Content and Threat Detection (CTD) queue filling up quickly. This fix introduces a new CLI command which, when enabled, prevents these failures: set system setting ctd nonblocking-pattern-match-qsizecheck [enable|disable].
    PAN-157710
    Fixed an issue where admin users with custom roles were unable to create VLANs.
    PAN-157620
    (VM-Series firewalls deployed in Amazon Web Services (AWS) instance types M5 and C5 only) Fixed an issue where a Panorama Virtual Appliance in an HA configuration entered a suspended state due to a virtual machine (VM) memory size mismatch.
    PAN-157518
    Fixed an issue where using tags to target a device group in a Security policy rule did not work, and the rule was displayed in all device groups (Preview Rules).
    PAN-157459
    Fixed an issue where, after updating an address in an Address Group, a commit did not update GlobalProtect split tunnel access routes.
    PAN-157089
    (Panorama appliances in Log Collector mode only) The following CLI command was added to disable No valid device certificate found messages in the system log: debug skip-cert-renewal-check-syslog yes.
    PAN-157027
    Fixed an issue where, when stateless GTP-U traffic hit a multi-dataplane firewall, an inter-dataplane fragmentation loop occurred, which caused high dataplane resource usage.
    PAN-157026
    Fixed an issue where the firewall did not display unified logs.
    PAN-156766
    Fixed an issue where, after upgrading to PAN-OS 9.1.5, VM-Series firewalls in HA configurations went into a non-functional state due to a virtual machine (VM) license mismatch.
    PAN-156482
    Fixed a packet buffer issue where HTTP2 packets were held for category lookup and the HTTP request was across multiple packets.
    PAN-156393
    Fixed an issue where NetFlow updates were sent without honoring the configured active timeout value.
    PAN-156388
    Fixed an issue where a process (useridd) stopped responding while attempting to remove all HIP reports on the disk.
    PAN-155563
    Fixed an intermittent issue where the Panorama Cloud Services plugin reported the following error for its Cortex Data Lake status: Failed to validate server certificate for endpoint api.paloaltonetworks.com.
    PAN-154905
    (Panorama appliances on PAN-OS 10.0 releases only) Fixed an issue with Security policy rule configuration where, in the Source and Destination tabs, the Query Traffic setting was not available for Address Groups.
    PAN-154876
    Fixed an issue where the web interface did not display Release Date when updating the dynamic updates manually.
    PAN-153382
    Fixed an issue where the per-minute resource monitor was three minutes behind.
    PAN-153308
    Fixed an issue that caused the mouse cursor to remove focus from the search bar when hovering over a hyperlink inside of a cell menu (e.g., source zone, source address, destination zone, destination address, etc.).
    PAN-153113
    Fixed an issue where the GlobalProtect gateway failed with the following error message: gateway does not exist.
    PAN-151469
    Fixed an issue where packets were dropped unexpectedly due to errors parsing the IP version field.
    PAN-149911
    Fixed an issue where URL filtering logs for credential phishing displayed a slash character (/) in the URL field.
    PAN-149853
    Fixed an issue on Panorama where the loc attribute was not set as shared when creating dynamic-address-group-specific configurations during a Panorama commit.
    PAN-147684
    Fixed an issue where a daemon (ikemgr) repeatedly restarted, which resulted in the firewall rebooting.
    PAN-143426
    Fixed a memory leak issue where a process (devsrvr) restarted due to the memory limit being exceeded.
    PAN-141494
    Fixed an issue with the group-mapping mode credential detection feature that failed to block users when logging in using corporate credentials.
    PAN-138859
    Fixed an issue on Panorama appliances where exporting or pushing a device configuration bundle to PA-5000, PA-5200, PA-7000, or PA-7000b series firewalls failed with the following error message: Config bundle is too large to be exported to device.
    PAN-138727
    A fix was made to address a time-of-check to time-of-use (TOCTOU) race condition in the PAN-OS web interface that enabled an authenticated administrator with permission to upload plugins to execute arbitrary code with root user privileges (CVE-2021-3054).
    PAN-136505
    (PA-5200 Series and PA-7000 Series firewalls with Log Processing Cards (LPCs) only) Fixed an issue where the log quota (Logging and Reporting Settings > Session Log Storage > Session Log Quota) exceeded 100%.
    PAN-134390
    Fixed an issue where commits didn't complete due to a race condition in the log receiver.
    PAN-133782
    Fixed an issue where Panorama was not accessible via the web interface due to insufficient available disk space in the opt/mongobuffer partition, which caused the mongodb process to stop responding.
    PAN-130003
    Fixed an issue where the show logging-status CLI command did not display any output on the firewall even though the firewall was connected to Panorama and was successfully forwarding logs.
    PAN-124956
    (VM-Series firewalls only) Fixed an issue where packet buffer protection was not supported.
    PAN-118846
    Fixed an issue where you were unable to locally override a user-group-mapping setting pushed from Panorama.
    PAN-116515
    Fixed an issue where IKE Gateway configurations with different crypto profiles on the same IP address with dynamic peers failed with the following error message: IKEv1 gateway should use the same crypto profiles configured on the same interface or local IP address.
    With this fix, you are able to configure IKE Gateways with different crypto profiles on the same IP address with dynamic peers when IKEv1 auto mode is applied.
    PAN-108197
    Fixed an issue in a multi-tenant deployment where, when a user-made configuration changed, the changes were unable to be committed, and the web interface displayed the following error message: No pending change to commit. With this fix, users with multiple access domains will now be able to see plugin information.

    © 2024 Palo Alto Networks, Inc. All rights reserved.