A fix was made to address a vulnerability related to information exposure through log files in PAN-OS where secrets in PAN-OS XML API requests were logged in cleartext in the web server logs when the API was used incorrectly (CVE-2021-3036).

Fixed an intermittent issue where, when using the Chrome browser on an Apple MAC laptop, firewalls managed by a Panorama appliance running PAN-OS 10.0.1 did not display when editing selections (CommitCommit and Push or CommitPush to DevicesEdit Selections) before pushing a configuration change to the managed firewalls.

Fixed a memory corruption issue that caused two forwarding daemons (flow_mgmt and flow_ctrl_pktlog) to restart.

Fixed an issue where pushing changes from Panorama to the firewalls did not work, and the commit all operation failed with the following validation error: azure-ha-config is missing 'client-id'.

Fixed an issue where role-based administrators were unable to import certificate key pairs onto firewalls.

Fixed an issue where platforms using AHO for content and application inspection run into dataplane process (all_pktproc) restarts.

Fixed an issue where the Azure auto-scaling templates in the GitHub repository (https://github.com/PaloAltoNetworks/azure-autoscaling/tree/master/Version-1-0) required a Panorama virtual appliance with the Panorama plugin for Azure v2.0.0.

Fixed an issue where the SYSD variable cfg.lcass-license was set to True on Panorama.

Fixed an issue where commits failed due to a User-ID log collector secret setting.

Fixed an issue where a VM-Series firewall on Amazon Web Services (AWS) failed on first reboot after enabling FIPS mode.

Modified the diff algorithm for when a configuration audit was performed because certain objects incorrectly displayed as either New or Modified/Unchanged due to the XML format being added.

(PA-7080 firewalls only) After upgrading to PAN-OS 10.0.0, commits failed and displayed the following error message: max-session should be equal to or between 1 and 320000040.

Fixed an issue for AWS Panorama M4/C4 instances where logging disks in Panorama mode go into an unavailable/admin disabled state after upgrade to PAN-OS 10.0.0.

Fixed an issue where including TLSv1.3 in the SSL Forward Proxy decryption profile caused entries to not populate in the ssl-decrypt exclude-cache.

Fixed an issue on Panorama where you were unable to commit configuration changes after successfully downgrading from a PAN-OS 10.0 release version to a PAN-OS 9.1 or earlier release version.

Fixed an issue where a process (authd) restarted when an administrator authenticated to the firewall with an Active Directory (AD) account. This issue occurred when LDAP was configured with FQDN, used DHCP instead of a static management IP address, and used the management interface to connect to the LDAP server.

Fixed an issue where certificates, custom logos, and Security Assertion Markup Language (SAML) metadata were unable to be uploaded from the web interface using a Chromium-based browser running version 84 or later.

Fixed an issue where, if a Security rule used an IP Address External Dynamic List (EDL) for IPv6 traffic, the information for the EDL did not display under Source EDL or Destination EDL in the logs.

Fixed an issue where multi-plugin support for Panorama was not enabled by default.

Fixed an issue where, when deploying a VM-Series firewall on VMware NSX that had been assigned a serial number that was used by a previously deactivated firewall, the new firewall was deployed in a deactivated or partially deactivated state.

Fixed an issue where, if the HA1 interface was not configured, downgrading from a PAN-OS 10.0 release version to a PAN-OS 9.1 release version caused a commit error.

(PA-220 and PA-800 Series firewalls only) Fixed an issue where samples processed using WildFire Inline ML didn't support automatic false positive correction.

Fixed an issue where the Panorama management server continues to forward syslogs to a syslog server over the management interface when configured to forward syslogs over the Ethernet1/1 interface (PanoramaSetupInterfaces).

Fixed an issue where the firewall web interface did not load Vulnerability Protection profiles with high numbers of exceptions.

Fixed an issue in Panorama where Variable CSV file imports of template stack variables failed with the following error message: Template Stack Variable Configuration Import - Invalid CSV file.

Fixed an issue with unified logs where effective query filters were not properly applied.

Fixed an issue where using a filter with an address range of 0.0.0.0 to 255.255.255.255 in the Application Command Center (ACC) caused the CPU utilization to be unusually high.

A fix was made to address a buffer overflow vulnerability in the PAN-OS management web interface that allowed authenticated administrators to disrupt system processes and execute arbitrary code with root privileges (CVE-2020-2042).

Fixed an issue with a race condition that caused the firewall to start forwarding logs to a Panorama appliance in Management Only mode. The issue occurred when the lcs-pref.xml file was first deployed to the firewall.

Workaround: Restart the management server on the firewall to reconnect it with the log collectors.

Fixed an issue where after a successful commit, the candidate configuration was not updated to running configuration when initiated by an API-privileges-only custom role based administrator.

A fix was made to address an OS command injection and memory corruption vulnerability in the PAN-OS management web interface that allowed authenticated administrators to disrupt system processes and execute arbitrary code and OS commands with root privileges (CVE-2020-2000).

Fixed an issue where hourly URL summary log generation failed.

Fixed an issue where the description for proxy_ssl_invalid_cert contained the word unvalid instead of invalid.

(PA-7000 Series firewalls only) Added CLI commands to enable/disable resource-control groups and CLI commands to set an upper memory limit of 8G on a process (mgmtsrvr). To enable resource-control groups, use debug software resource-control enable and to disable them, use debug software resource-control disable. To set the memory limit, use debug management-server limit-memory enable, and to remove the limit, use debug management-server limit-memory disable. For the memory limit change to take effect, the firewall must be rebooted.

Fixed an issue where the reply to an XML API call from Panorama was in a different format after upgrading to PAN-OS 8.1.14-h1 and later releases, which caused automated systems to fail the API call.

Fixed an issue with debug file handling that led to a process (mgmtsrvr) restart.

A fix was made to address a memory corruption vulnerability in the GlobalProtect Clientless VPN that enabled an authenticated attacker to execute arbitrary code with root user privileges during SAML authentication (CVE-2021-3056).

Fixed an issue where non-superuser administrators with all rights enabled were unable to Review Policies or Review Apps for downloaded or installed content versions.

A fix was made to address a vulnerability regarding information exposure through log files in PAN-OS that made it possible for configuration secrets for HTTP, email, and SNMP trap v3 log forwarding server profiles to be logged to the logrcvr.log system log (CVE-2021-3032).

Fixed an issue where, when an ECMP route changed, the flow table in the offload engine was not updated.

Fixed an issue on Panorama where the web interface took more time than expected to load changes when the virtual router was large or when there was a large configuration change request from the web interface.

Fixed an issue on Panorama where system and configuration logs of dedicated Log Collectors did not show up on Panorama appliances in Management Only mode.

Fixed an issue where editing device log forwarding in the collector group then filtering specific firewalls and adding new firewalls caused the old firewalls to disappear from the log forwarding preferences list.

Fixed an issue where overridden TCP timeout values for service-based sessions did not take effect, and sessions timed out according to default application values.

Fixed an issue where the Authentication Settings for the template stack on the firewall incorrectly displayed as overridden.

Fixed an issue in Panorama where a commit-all to managed firewalls failed after renaming a device group.

Fixed an issue where the CLI command Show config running following the CLI command set cli op-command-xml-output on produces an unreadable output.

Fixed an issue where XML API failed to fetch logs larger than 10MB.

A fix was made to address an uncontrolled resource consumption vulnerability in PAN-OS that allowed for a remote unauthenticated user to upload temporary files through the management web interface that were not properly deleted after the request was finished. An attacker could disrupt the availability of the management web interface by repeatedly uploading files until available disk space was exhausted (CVE-2020-2039).

Fixed an issue where the firewall incorrectly created GPRS tunneling protocol (GTP-U) sessions from Create Session Request and Create Session Response packets.

Fixed an issue for PAN-DB where certain situations caused performance issues.

Fixed an issue where required processes were not automatically restarted on the Log Processing Card (LPC) or the Log Forwarding Card (LFC).

Fixed an issue where SD-WAN server-to-client symmetric return did not function correctly in certain circumstances. This issue intermittently affected path selection of parent/child applications, such as FTP.

Fixed an issue where the object identifier (OID) being polled for the component hrStorageUsed was not unique after a PAN-OS upgrade.

Fixed an issue on the firewalls with an IPsec/Encapuslating Security Payload (ESP) traffic with GlobalProtect gateway configuration where multiple processes (flow_ctrl, pktlog_forwarding, and all_task) restarted, which caused the device to reboot.

Fixed an issue where an API call for correlated events did not return any events.

Fixed an issue where a daemon (ikemgr) repeatedly restarted, which resulted in the firewall rebooting.

Fixed an issue where, after a policy commit and session rematch, stream control transmission protocol (SCTP) logs for an existing SCTP session still showed old rule information.

(PA-7050 and PA-7080 firewalls with 100G NPC only) Fixed an issue where jumbo frames brought down the Network Processing Card (NPC) when traffic traversed the firewall at a high rate.

Fixed an issue where TCP traffic dropped due to TCP sequence checking in a high availability (HA) active/active configuration where traffic was asymmetric.

Fixed an issue in Panorama where a commit-all to the managed firewalls failed with the following error message: invalid object reference when address objects were uploaded using an external script.

Fixed an issue where traffic incorrectly matched URL based authentication policies.

A fix was made to address an authentication bypass vulnerability in the GlobalProtect SSL VPN component of PAN-OS that allowed an attacker to bypass all client certificate checks with an invalid certificate. As a result, the attacker was able to authenticate as any user and gain access to restricted VPN network resources when the gateway or portal was configured to rely only on certificate-based authentication (CVE-2020-2050).

Fixed an issue where a GlobalProtect client in a system with umlaut diacritics serial number is unable to log in to the GlobalProtect gateway.

Fixed an issue where Application and Threat Content installation failed on the firewall with the following error message: Error: Threat database handler failed.

Fixed an issue where, when previewing device group configurations from Panorama, the following error message was returned: Parameter device group missing.

Fixed an issue where Log Collectors had problems ingesting logs for older days received at a high rate.

Fixed an issue where DNS proxy was unable to handle a UDP DNS reply length greater than 512 bytes.

Fixed an issue where, when using AutoFocus remote search to find artifacts from the firewall, the redirect URL did not populate correctly and PAN-OS lost the query parameter sent. For every search request, a new session was created, and authentication was required.

Fixed an issue where a process (mprelay) stopped responding and invoked an out-of-memory (OOM) killer condition and displayed the following error messages: tcam full and pan_plfm_fe_cp_arp_delete.

Fixed an issue where random member ports in a link aggregate group failed to join the aggregate group due to the following error: Link speed mismatch.

Fixed an issue that prevented GTP tunnel session timeout values from being configured via the web interface.

Fixed an issue where a process (mgmtsrvr) stopped responding after a commit.

(PA-3200 Series firewalls only) Fixed an issue where the default Dynamic IP and Port (DIPP) NAT oversubscription rate is set as 2.

Fixed an issue that prevented the addition of a secondary logging disk for a VM-Series firewall deployed on AWS using Nitro server instance types.

Fixed an issue with a address object limitation where platform limits were not enforced if all the addresses pushed to the firewall were from Panorama and there were no shared or local address objects.

(PA-7000 Series firewalls only) Fixed an issue where unplugging cables from Quad Small Form-factor Pluggable (QSFP) interfaces on 100G NPC causes path monitoring failures.

Fixed an intermittent issue on the firewall where H.225 VOIP signaling packets dropped.

(PA-800 Series firewalls only) Fixed an issue that prevented ports 9-12 from being powered down by hardware after being requested to do so.

Fixed an issue where the XML API used to retrieve hardware status periodically failed with a 200 OK message and no data.

Fixed an issue where removing a cipher from an SSL/TLS profile did not take effect if it was attached to the management interface.