PAN-OS 9.1.3 Addressed Issues
PAN-OS® 9.1.3 addressed issues.
Issue ID | Description |
---|---|
PAN-148988 | A fix was made to address a Security Assertion
Markup Language (SAML) authentication issue (CVE-2020-2021). |
PAN-148068 | Fixed an issue where SSL connections were
blocked if you enabled decryption with the option to block sessions
that have expired certificates. This issue included servers that
sent an expired AddTrust certificate authority (CA) in the certificate
chain. |
PAN-147424 | Fixed an issue with internal buffer and
file sizes where logs were discarded due to slow log purging when
the incoming log rate was high. |
PAN-145195, PAN-145151, PAN-145150, and PAN-145149 | A fix was made to address a buffer overflow
vulnerability in PAN-OS that allowed an unauthenticated attacker
to disrupt system processes and potentially execute arbitrary code
with root privileges by sending a malicious request to the Captive
Portal or Multi-Factor Authentication interface (CVE-2020-2040). |
PAN-145026 | Fixed an issue where Cortex Data Lake certificates
on the firewall were not automatically renewed after the certificates
expired. |
PAN-144782 | Fixed an issue where a configuration audit
created a large number of opresult.out files, which filled up the
session/pan/user_tmp directory in opt/pancfg. This caused a slow
Panorama response until a device restart was performed or the files
were manually deleted from the root of the device. |
PAN-144646 | Fixed an issue where a process (varrcvr) stopped
responding on the PA-7000 Series Log Forwarding Card (LFC) when
it received a verdict from the WildFire cloud. |
PAN-144221 | (Microsoft Azure only) Fixed an
issue where a process (brdagent) stopped responding,
which caused the firewall to restart unexpectedly. |
PAN-144073 | Fixed an issue where on the Panorama management
server, hub and branch firewall latency, jitter, and packet loss
data was not updated when monitoring SD-WAN link performance (Panorama
> SD-WAN > Monitoring). |
PAN-143957 | Fixed an issue where, after loading a saved
configuration snapshot by API, a custom role-based administrator
required Superuser privileges to perform a full commit. |
PAN-143845 | Fixed an issue where the firewall repeatedly
rebooted due to a process (rasmgr) restarting when
GlobalProtect was used in pre-logon mode. |
PAN-143537 | (VM-Series firewalls only) Fixed
an issue where disk utilization of the root partition increased
until it reached 100%. |
PAN-143493 | Fixed a memory issue associated with a
process (mgmtsrvr) due to a large number of ACK packets
in logs on Panorama or the log collector. |
PAN-143442 | Fixed an issue where Amazon Web Services
(AWS) Nitro System based VM-Series firewalls unexpectedly rebooted
due to input/output (I/O) errors caused by improper NVMe I/O timeout
settings. |
PAN-143169 | Fixed an issue where running a test security-policy-match API
command truncated the rule name to 31 characters. |
PAN-143130 | Fixed an issue where, in Panorama, cloning
a shared Security policy rule failed if done via the web interface
and resulted in a process (configd) restarting with
the following error message: Failed security rule(s): undefined The request could not be handled. |
PAN-142674 | Fixed an issue where a process (brdagent)
failed in a high availability (HA) configuration using High Speed
Chassis Interconnect (HSCI) ports due to a memory leak. |
PAN-142302 | Fixed an issue where the firewalls faced
connection issues with Cortex Data Lake. |
PAN-142089 | Fixed an internal logging issue for a daemon (authd). |
PAN-141923 | Fixed an issue where authentication stopped
working after a commit and a process (authd) exited,
which caused other processes to exit. |
PAN-141844 | Fixed an issue where promiscuous VLAN mode
did not work with the new host drivers being used on the ESXi and
single-root input/output virtualization (SR-IOV) with VLAN tagging
did not work as expected. Both Data Plane Development Kit and packet
mmap mode did not work. |
PAN-141563 | Fixed an issue where Slot 8 path monitoring
failure occurred due to a memory buildup in a process (logrcvr)
that was caused by slow communication and connection between log
forwarding and Cortex Data Lake. |
PAN-141262 | Fixed an issue where the resolution of FQDN
for a policy on the web interface did not work as expected if the
FQDN contained capital letters. |
PAN-141239 | Fixed an issue where dataplane free memory
was depleted, which affected new GlobalProtect connections to the
firewall. |
PAN-141221 | Fixed an issue where a commit or content
update operation with an error was not prevented from executing
in the dataplane, which caused corruption in the dataplane policy
cache. |
PAN-140982 | (PA-7000 Series firewalls only)
Fixed an issue where a process (mprelay) on the control
plane was restarted due to an internal heartbeat miss. |
PAN-140846 | Fixed an issue where the dataplane restarted
during a commit when Netflow was enabled. |
PAN-140669 | Fixed a memory leak issue caused by a process (mgmtsrvr). |
PAN-140628 | Fixed an issue where a memory leak on a
process (useridd) caused multiple processes to restart
during device serial number checks. |
PAN-140618 | Fixed an issue on Panorama where SNMP monitoring
of the logging rate per device was incorrect. |
PAN-140465 | (VM-Series firewalls only) Fixed
connection issues between IPv6 peers when the IPv6 neighbor cache
was synchronized in an HA cluster where, after failover, the newly
active firewall did not send multicast neighbor solicitation from
its global unicast address. |
PAN-140389 | Fixed an issue on Panorama in Legacy mode
where configuring Network File System (NFS) log storage (Device
> Setup > Operations) caused all plugin installations
to fail. |
PAN-140386 | Fixed an intermittent issue where the firewall
used IP addresses instead of domain names for URL category lookup
after upgrading to 9.0.6. |
PAN-140375 | Fixed an issue where a process (logrcvr)
exited due to a race condition. |
PAN-140270 | Added additional debugging to periodically
collect the debug dataplane internal pdt bcm counters graphical CLI
command's output in the Tech Support File (TSF). |
PAN-140121 | Fixed an issue where a process (authid)
used a large amount of memory due to many incomplete authentication requests,
which caused an out-of-memory (OOM) condition. |
PAN-140043 | (PA-7050 firewalls running on PA-7000
100G NPCs only) Fixed an issue where the PA-7000 100G NPC Native
Implemented Function (NIF) initialization took longer than expected,
which caused internal path monitoring failure and sent the firewall
into a non-functional state while rebooting. |
PAN-139935 | Fixed an issue in the URL process where
a process (devsrvr) stopped responding. |
PAN-139858 | Fixed an issue where Policy >
Security > Test Policy Match did not work when the source
user or group length was greater than 20 characters. |
PAN-139727 | Fixed an issue where disabling predefined
trusted root certificates did not have any effect. |
PAN-139718 | Fixed an issue where the firewall failed
stateful inspection for GTP forward relocation requests greater
than 1,500 bytes and could not parse Access Point Name (APN) information
in forward relocation requests. |
PAN-139661 | Fixed an issue that led to exhaustion of
memory, which resulted in path monitoring failures when Cortex Data
Lake was configured. |
PAN-139595 | Fixed an issue on Panorama in Legacy mode
where a process (logd) repeatedly restarted while processing
incoming logs and caused Panorama to reboot. |
PAN-139555 | Fixed an issue where after upgrading the
passive firewall, the outer UDP sessions synced from the active
firewall did not retain the rule information and after failover,
GPRS tunneling protocol (GTP) inspection did not work. |
PAN-139391 | Fixed an issue where unique GlobalProtect
portal profiles were not selected in the correct order. |
PAN-139371 | Fixed an issue where a commit failed with
the following error message: destination is invalid when
using objects from static routes. |
PAN-138870 | Fixed an issue where a process (configd) restarted
and administrators received one of the following error messages: "Timed out while getting config lock. Please try again" or "Please wait while the server reboots..." due
to a database error. |
PAN-138813 | Fixed a performance drop issue seen when
using the API to configure larger sets of objects (more than 25 objects). |
PAN-138739 | Fixed an issue where, in an HA active/active
configuration in a virtual wire deployment with asymmetric traffic,
decryption did not work for some sites. |
PAN-138674 | Fixed an issue where custom role-based admins
were able to reset the rule hit counter for disabled device groups. |
PAN-138648 | Fixed an issue with internal buffer and
file sizes where logs were discarded due to slow log purging when
the incoming log rate was high. |
PAN-138476 | Fixed an intermittent issue where logs were
delayed or missing when querying for logs by applying filters. To
leverage this fix, you must upgrade Panorama to 9.0.9 and the Cloud
Services plugin to 1.6.0-h1. |
PAN-138213 | Fixed an issue where a Panorama Custom Report based
on the Detailed Logs > Panorama Data > Traffic database
was not able to report on decrypted sessions. |
PAN-138037 | Fixed an issue where the host information
profile (HIP) match message was automatically enabled when modifying
the GlobalProtect Agent settings. |
PAN-138034 | Fixed an issue where virtual machine (VM)
information source Dynamic Address Groups overrode static address
groups, which caused traffic to hit the wrong Security policy rule. |
PAN-137902 | (PA-7000 Series firewalls only)
Fixed an issue where hot swapping a PA-7000 100G NPC with a PA-7000
20G NPC caused a packet buffer leak and slot restarts. |
PAN-137885 | (VM-Series firewalls in Microsoft Azure
environment only) Fixed an issue where a firewall with accelerated
networking enabled was unable to process packets efficiently because
of underlying Microsoft drivers. To leverage this fix, you must
upgrade to VM-Series Plugin 1.0.12. |
PAN-137867 | (PA-7000 Series firewalls only, running
with both a PA-7000 100G NPC and a PA-7000 20G NPC) Fixed an
issue where IPSec traffic caused dataplane restarts. |
PAN-137777 | Fixed an issue where GlobalProtect logs
failed to send to syslog servers over a TCP connection. |
PAN-137716 | Fixed an issue where, for users with admin
roles, logs for only one device group were displayed due to a query
string with multiple device groups. |
PAN-137673 | Fixed an issue where a memory leak associated
with a process (devsrvr) caused an out-of-memory (OOM)
condition on the firewall. |
PAN-137656 | Fixed an issue where the show config diff CLI
command did not work correctly and produced unexpected output. |
PAN-137401 | Fixed an issue where the authentication
policy did not redirect users for Captive Portal authentication
if the attached authentication profile did not have Enable
Additional Authentication Factors selected. |
PAN-137387 | Fixed an issue where URL filtering used
the IP address instead of the hostname, which led to incorrect URL
categorization. |
PAN-137251 | Fixed an issue where a Panorama appliance
running PAN-OS 9.1.0 was unable to export address objects and displayed
the following error message: Error while exporting. |
PAN-137152 | Fixed an issue where SSL decrypted traffic
was dropped due to a certificate status error during session resumption. |
PAN-136957 | Fixed an issue where access was denied if
a password contained more than 63 characters. |
PAN-136950 | Fixed an issue where, on a firewall managed
by Panorama, the XML API based IP tags were lost after a firewall
reboot or process (useridd) restart. |
PAN-136791 | Fixed an issue where, in a particular scenario,
the first response to a SIP INVITE message created incorrect appinfo2ip entries
and caused Via header translation failure. |
PAN-136765 | Fixed an issue where an FQDN update that
resolved to the same IP address as another FQDN across different
policies caused the other FQDN to be deleted due to missing FQDN
aggregation. |
PAN-136726 | Fixed an issue on the firewall where the
dataplane pan-task process (all_pktproc) stopped responding
while inspecting Server Message Block (SMB) traffic. |
PAN-136716 | (Panorama virtual appliances only)
Fixed an issue where SNMP monitoring of ifSpeed reported the interface
speed as 0 for interfaces other than eth0. |
PAN-136703 | (PA-3000 Series and PA-800 Series firewalls
only) Fixed an issue with insufficient memory allocation for
configurations to accommodate the PAN-OS 9.0 Dynamic Address Group
feature. |
PAN-136649 | Fixed an issue where PA-7000 20GXM and PA-7000
20GQXM Network Processing Cards (NPCs) failed to process some sessions
for Layer 7 inspection due to an internal maximum threshold value that
was not set. |
PAN-136623 | Fixed an issue where a process (useridd)
failed due to internal user groups that were loading from the disk
taking over the lock. |
PAN-136612 | Fixed an issue where fragmented packets
leaked, which caused the depletion of Work Query Entry (WQE) pools. |
PAN-136582 | Fixed an issue where, when the app-version from
the request header was long, the converted XML was truncated, which
caused parsing to fail by a process (rasmgr) due to
a limitation on the buffer length. |
PAN-136470 | Fixed an issue where a process (all_pktproc) restarted
while processing packets with 0.0.0.0 and destination protocol 251
that internally mapped to GTP-C traffic, which caused the dataplane to
restart. |
PAN-136173 | Fixed an issue where dataplane interfaces
remained down after active firewall bootup or a high availability
(HA) failover. |
PAN-136007 | Fixed an issue where generating subordinate
ECDSA Certificate Authority (CA) certificates from the web interface
failed if the Common Name field contained
a space. |
PAN-135946 | Fixed an intermittent issue where Panorama
was unable to query logs from the log collector due to large file
sizes in es_cache_cron.log. |
PAN-135865 | Fixed an issue that prevented Panorama from
being switched out of management-only mode when deployed in Amazon
Web Services (AWS) instance types M5 and C5. |
PAN-135844 | Fixed an issue where a commit job failed
due to a process (mgmtsrvr) exiting. |
PAN-135796 | Fixed an issue where the firewall dropped
DNS requests for root servers when the action of the DNS security
signature was set to alert or sinkhole in an Anti-Spyware Security
profile. |
PAN-135684 | Fixed an issue with log collectors on Panorama
where large index sizes caused higher CPU usage than expected when
disk space usage was high. |
PAN-135547 | Fixed an issue on Panorama where administrators
were unable to delete a shared address object even when it was not
referenced in the configuration. |
PAN-135504 | Fixed an issue where the GlobalProtect client
used IPv6 during gateway login but used IPv4 during IPsec tunnel
creation, which caused it to fall back to SSL. |
PAN-135418 | Fixed an issue on the firewall where configuring
uppercase User Domain values in authentication
profiles led to a failure in GlobalProtect Agent configuration selection
based on the domain user match condition. |
PAN-135356 | Fixed an issue where policies that contained
objects did not display correctly when exported to CSV or PDF format. |
PAN-135321 | Fixed an issue where all NAT rules using
the same FQDN entries as translated IP addresses were not updated
when the IP addresses changed for those FQDNs. |
PAN-135314 | Fixed an issue where, with a new Panorama
appliance running PAN-OS 9.1.0 and a firewall running an earlier
version, the following error message displayed: interface sdwan is not a valid reference. |
PAN-135262 | A fix was made to address a vulnerability
involving information exposure through log files where an administrator's
password or other sensitive information was logged in cleartext
while using the CLI in PAN-OS software. The opcmdhistory.log file
was introduced to track operational command (op-command) usage but
did not mask all sensitive information (CVE-2020-2044). |
PAN-135158 | Fixed an issue where setting an IPv6 destination
filter for the packet-diag option returned an error regarding a
character limit. |
PAN-134979 | Fixed an issue where TMP files were not
deleted, which caused the root partition to run out of disk space
and caused issues with accessing the firewall. |
PAN-134624 | (VM-Series firewalls only) Fixed
an issue where the VLAN interface failed to obtain the MAC address
when the interface was used as a DHCP relay agent. |
PAN-134431 | Fixed an issue with Security Assertion Markup
Language (SAML) authentication where the firewall used old authd_id values,
which resulted in failed authentication. |
PAN-133885 | Fixed an issue where DNS proxy failed due
to incorrect mapping of the DNS transaction ID. |
PAN-133727 | Fixed an issue where Session Initiation
Protocol (SIP) messages were not parsed correctly when the packet
was received in separate segments, which caused the receiver to
receive corrupted messages. |
PAN-133673 | Fixed an issue that caused a process (ikemgr)
to exit when site-to-site VPNs experienced connectivity interruptions. |
PAN-133495 | Fixed an issue where the Terminal Server
(TS) Agent disconnected on the firewall after a failover or reboot. |
PAN-133285 | Fixed an issue on the firewalls where configuring
a default Online Certificate Status Protocol (OCSP) URL in front
of an intermediate certificate authority (CA) in a certificate profile
did not override the OCSP URL during the validation of client certificates
issued by the intermediate CA. |
PAN-132922 | Fixed an issue where service objects were
unable to be deleted if they were configured to exceed firewall
limits. |
PAN-131973 | Fixed an issue where both firewalls in an
HA active/passive configuration stopped responding at the same time. |
PAN-130562 | Fixed an issue where, in VM-Series firewalls
deployed using init-cfg.txt in the bootstrap process and set in
an HA configuration, the configuration did not display as synchronized
due to the initcfg configuration. |
PAN-130168 | Fixed an issue where a process (pan_comm) stopped
responding due to operation commands run during a commit. |
PAN-128761 | A fix was made to address an OS command
injection vulnerability in the PAN-OS management interface that
allowed authenticated administrators to execute arbitrary OS commands
with root privileges (CVE-2020-2037). |
PAN-128078 | Fixed an issue where a process (mgmtsrvr) stopped
responding and was inaccessible through SSH or HTTPS until the firewall
was power cycled. |
PAN-127434 | Fixed an issue where reports for URLs were
not generating the correct data output. |
PAN-127318 | Fixed an issue where the firewall intermittently
dropped DNS A or AAAA queries received over IPSec tunnels due to
a session installation failure. |
PAN-126938 | Fixed an issue where multiple daemons restarted
due to MP ARP overflow. |
PAN-125730 | Fixed an issue where packets tagged with
IP protocol 252 were incorrectly treated as GPRS tunneling protocol
(GTP) traffic, which caused the packet processor to terminate. |
PAN-125410 | Fixed an issue where a new GPRS tunneling
protocol version 2 control plane (GTPv2-C) session reused GTP-C
tunnel parameters within two seconds after deleting the old GTP-C
session, which caused a session conflict on the firewall. |
PAN-121598 | Fixed an issue where the PAN-OS XML API
packet capture (pcap) export failed with the following error message: Missing value for parameter device_name.
Now, device_name and sessionid are
no longer required parameters. |
PAN-119118 | Fixed an issue where license and content
error files received from the update and license servers were not
saved to disk. |
PAN-118468 | (VM-Series firewalls on VMware ESXi
only) Fixed an issue where the firewall stays in a boot loop
and enters maintenance mode after adding a 60GB disk. |
PAN-116843 | Fixed an issue on Panorama where, when navigating
through Policies, the following error message displayed: show rule hit count op-command failed. |
PAN-115093 | Fixed an issue where the firewall generated
excessive logs for content decoder (CTD) errors. |
PAN-114540 | Fixed an issue where renaming a template
stack did not change the value and reset to the original value after
you commit the change. |
PAN-114427 | Fixed an issue where an empty host name
in the HTTP header caused a web server process (websrvr)
to stop responding when you accessed the captive portal redirect
page. |
PAN-112988 | Fixed an issue where a process (useridd)
leaked memory, which caused the firewall to drop traffic and display
the following error message: Out-of-memory condition detected, kill process. |
PAN-112539 | Fixed an issue where the firewall stopped
forwarding logs to the log collector from the Log Processing Card
(LPC) after a commit push from Panorama due to a race condition. |
PAN-112120 | Fixed an issue where the threat Name field of
a threat Custom Report displayed the threat
ID instead of the threat name. |
PAN-111614 | Fixed an issue with summary reports where
displayed dates were incorrect due to the date range calculation
not considering the change in year. |
PAN-102202 | Fixed an issue where the OSPF summary Link
State Advertisement (LSA) for the default 0.0.0.0/0 route was not
advertised by the Area Border Router (ABR). |
PAN-98803 | Fixed an issue where the IP address-to-tag
mappings for Dynamic Address Groups did not display as expected
on Panorama after you configured the Panorama plugin to monitor
virtual machines or endpoints in your AWS, Azure, or Cisco ACI environment
without installing the NSX plugin. |
PAN-98694 | Fixed an issue on a PA-5200 Series firewall
in a high availability (HA) active/passive configuration where the
firewall dropped TCP-FIN packets after a failover. |