PAN-OS 10.0.7 Addressed Issues
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
End-of-Life (EoL)
PAN-OS 10.0.7 Addressed Issues
PAN-OS® 10.0.7 addressed issues.
Issue ID | Description |
---|---|
WF500-5568 | Fixed an issue where a firewall in FIPS
mode running PAN-OS 8.1.18 or a later version failed to connect
with a WildFire appliance in normal mode. |
WF500-5559 | Fixed an issue where an intermittent error
while analyzing signed PE samples on the WildFire appliance might
have caused analysis failures. |
WF500-5509 | (WF-500 appliance only) Fixed an
issue where cloud inquiries were logged under the SD-WAN subtype. |
PAN-173080 | Fixed an issue where the User-ID connection
limit was reached even when only a few User-ID agents were connected
to the service. |
PAN-172518 | Fixed an issue where a race condition occurred
and caused a process (useridd) to restart. |
PAN-172125 | Fixed an intermittent issue where processing
HIP messages in the (useridd) process caused a memory
leak. |
PAN-171878 | Fixed an issue with SD-WAN path selection
logic that caused a dataplane to stop responding. |
PAN-171442 | Fixed an issue on Amazon Web Services (AWS)
Gateway Load Balancer (GWLB) deployments with overlay routing and
cross-zone load balancing enabled where packets were forwarded to
the incorrect GWLB interface. |
PAN-171203 | Fixed an issue in a high availability (HA)
configuration where, when one firewall was active and its peer was
in a suspended state, the suspended firewall continued to send traffic,
which triggered the detection of duplicate MAC addresses. |
PAN-170989 | Fixed an issue memory usage consumption
issue on a process (useridd). |
PAN-170932 | Fixed an issue in Telemetry settings where
the OK button was disabled when Telemetry
Region was set to None. |
PAN-170825 | Fixed an issue where, when a partial Preview Change job
failed, a process (configd) stopped responding. |
PAN-170740 | Fixed an issue with the google-docs-uploading
application that occurred if a Security policy rule was applied
to a Security profile and traffic was decrypted. |
PAN-170681 | Fixed an issue where the data redistribution
agent and the data redistribution client failed to connect due to
the agent not sending a SSL Server hello response. |
PAN-170610 | Fixed an issue where SD-WAN SaaS monitoring
traffic was incorrectly dropped by a Security policy that included
a deny rule. |
PAN-170314 | Fixed an issue where PAN-DB URL cloud updates
failed because a process (devsrvr) did not fetch serial
numbers, which prevented the PAN_DB URL cloud from connecting after
first deployment. |
PAN-170083 | Fixed an intermittent issue where packet
pointer corruption occurred, which resulted in a dataplane restart. |
PAN-169712 | Fixed an intermittent issue where traffic
falsely matched a converted Suricata rule. |
PAN-169197 | Fixed a rare issue where generating a tech
support file caused the useridd process to stop responding. |
PAN-169161 | Fixed an issue where, after a pan_comm process restart,
the configuration wasn't synced between the management and the dataplane
pod. |
PAN-169064 | Fixed an issue where the management CPU
remained at 100% due to a large number of configured User-ID agents. |
PAN-168888 | Fixed an issue where, when a maximum session
count was configured, the SD-WAN plugin caused commit failures on Panorama. |
PAN-168718 | Fixed an issue where, when a client or server
received partial application data, the record was partially processed
by legacy code. This caused decryption to fail when a decryption
profile protocol was set to a maximum of TLSv1.3. |
PAN-168574 | Fixed an issue on Panorama where, after
an upgrade to a PAN-OS 10.0 release version, a configuration pushed
to firewalls running on PAN-OS 9.1 failed during an autocommit with
the following error message: Need to config WMI account and password for querying Microsoft directory servers. |
PAN-168418 | Fixed an issue where, when an MLAV URL with
an exception list was configured and forward proxy was enabled,
a process (all_pktproc) repeatedly restarted, which
resulted in the firewall rebooting. |
PAN-167989 | Fixed a timing issue between downloading
and installing threads that occurred when Panorama pushed content
updates and the firewall fetched content updates simultaneously. |
PAN-167872 | Fixed an issue related to a process (all_pktproc) that
occurred in long-lived sessions that spanned two content upgrades. |
PAN-167637 | Fixed an issue where users connecting to
the US East gateway encountered a delay in DNS responses. |
PAN-167541 | Fixed an issue where large External Dynamic
Lists (EDLs) caused commit issues due to a hard limit being reached. |
PAN-167443 | Fixed an issue where commits failed and
generated pan_comm SIGSEGV CORE files. |
PAN-167306 | (VM-Series firewalls on Microsoft Azure
only) Fixed an issue where, when a second disk was added, /opt/panlogs was
mounted on an incorrect partition. |
PAN-167099 | Fixed a configuration management issue that
resulted in a process (ikemgr) failing to recognize
changes in subsequent commits. |
PAN-167098 | Fixed an issue where a configd process
memory corruption occurred when Panorama was exposed to multiple
XML API calls on Dynamic Address Groups updates. |
PAN-166836 | Fixed an issue where session failed due
to resource unavailability. |
PAN-166572 | Fixed an issue where a process (configd) restarted
when browsing policies on Panorama. |
PAN-166420 | In 10.0.x Query Traffic log option is missing
for Address groups under source and destination in the security
policy tab |
PAN-166328 | (PA-7000 Series firewalls with NPCs
only) Fixed an issue where path monitoring failure occurred
while hot inserting a 100G NPC (network processing card) into the
firewall. |
PAN-166296 | Fixed an issue where an unavailable certificate
revocation list (CRL) from the server side caused an infinite loop
on a process (sslmgr), which resulted in it not responding
for other tasks. |
PAN-166021 | Fixed an issue where log queries that included
a username did not return with any output. |
PAN-165661 | Fixed an issue in an HA active/active configuration
where an administrative shutdown message was not sent to the BGP
peer when the firewall went into a suspended state, which delayed convergence. |
PAN-165399 | Fixed an issue where the multi-factor authentication
(MFA) Challenge message did not display during login when the GlobalProtect portal
was accessed by the web browser. |
PAN-165235 | Fixed an issue where the handover handling
between LTE and 3G on S5 and S8 to Gn/Gp was not working properly
and led to stateful inspection failures. |
PAN-165025 | Fixed an issue where, when default interzone
and intrazone Security policy rules were overwritten, the rules
did not display hit counts. |
PAN-164646 | Fixed an issue where tunnel monitoring in
the Large Scale VPN (LSVPN) displayed as down in both the CLI and
the web interface due to incorrect dataplane ownership. |
PAN-164571 | Fixed an issue where DHCP leases were not
properly synchronized between HA peers after a device or dhcpd process restart.
With this fix, the DHCP lease details display correctly on both
the active and the passive device. |
PAN-164446 | Fixed an issue on Panorama where a commit
failed with the following error message: Local-AS number does not fit in 2-byte AS format,
even though the AS format was set to 4 bytes. |
PAN-164431 | (VM-Series firewalls only) Fixed
an issue where the firewall rebooted into maintenance mode after
installing a capacity license in FIPS-CC mode. |
PAN-164392 | Fixed an issue where an out-of-memory (OOM)
condition occurred due to a memory leak related to a process (logrcvr). |
PAN-164338 | Fixed an issue where, when using the CLI
or API, configurations for policy rule services or applications
that either used custom settings and default settings together,
or used multiple default settings together, successfully commit
instead of failing or displaying a warning. Note To
use this fix, you must delete previous application or service settings
in the configuration. |
PAN-164056 | Fixed a memory issue for Large Scale VPN
with multiple dataplane systems. |
PAN-163940 | Fixed an issue where the firewall truncated
the application name when doing a NetFlow export to the NetFlow
analyzer. |
PAN-163800 | Fixed an intermittent issue where the presence
of an Anti-Spyware profile in a Security policy rule that matched
DNS traffic caused DNS responses to be malformed in transit. |
PAN-163280 | Fixed an issue where, after upgrading to
a PAN-OS 10.0 release version, a commit failed due to an admin-role-related
validation error that displayed the following message: device unexpected here. |
PAN-163270 | Fixed an issue where the login banner was
not aligned properly when it contained multiple sequential whitespaces. |
PAN-162600 | Fixed an issue where, when the GlobalProtect
client sent UDP/4501 traffic that was destined for the GlobalProtect
gateway inside the GlobalProtect tunnel, the firewall still processed
the traffic, which caused routing loops. |
PAN-161869 | Fixed an issue where a core dump occurred
on a process (flow_ctrl) after a commit if a policy-based
forwarding (PBF) rule referenced an interface that had a DHCP IP
address assignment. |
PAN-161289 | Fixed an issue where predict session didn't
update the associated rules when Security policies shifted after
a commit. |
PAN-161218 | The following CLI commands were added to
enable the customer to set the dataplane utilization limit. The
default setting is the recommended value of 500; a value of 0 removes
dataplane CTD limits: -debug dataplane show ctd wildfire max -debug dataplane set ctd wildfire max <0-5000> |
PAN-161025 | Fixed an issue in Panorama where an administrator
with the role of Panorama administrator did not have the option
to download or install GlobalProtect clients (Panorama
> Device Deployment > GlobalProtect). |
PAN-160997 | Fixed an issue where the metadata from the
firewall's authentication profile was unable to export. This issue
occurred when the authentication profile and the SAML Identity Provider
sever profile were created with VSYS in the Locationand
were pushed from Panorama template stack values. To utilize this
fix, you must upgrade both Panorama and the firewall. |
PAN-160843 | Fixed an issue where the Multiprotocol Label
Switching (MPLS) interface wasn't monitored when private traffic
wasn't VPN encapsulated. |
PAN-160831 | Fixed an intermittent issue where importing
a new firewalls configuration into Panorama failed due to conflicting
virtual system (vsys) names, even when the Device Group
Name Prefix was used to make the name unique. |
PAN-160818 | Fixed an issue where Panorama repeatedly
displayed the following error message: HA Failover: updates not received from all sources: Pending plugins. |
PAN-160540 | Fixed an issue where tunnel traffic was
dropped intermittently when Quality of Service (QoS) Profile was
assigned but the profile had no limits defined. |
PAN-160432 | Fixed an issue where, after selecting a
PAN-OS release to upgrade to in Device Association >
To SW Version, the upgrade failed after connecting to
Panorama. |
PAN-160254 | Fixed a memory leak issue related to a process (reportd)
where memory was not freed after an ElasticSearch request. |
PAN-160253 | Fixed an issue where only one medium-severity
system log was generated if either the EDL file wasn't updated at
the remote end or the downloaded file wasn't a text file. |
PAN-160247 | Fixed an issue where system logs incorrectly
displayed as Critical. |
PAN-160238 | Fixed an issue where intermittent virtual
extensible LAN (VXLAN) packet drops occurred if the TCI was not
configured for inspecting VXLAN traffic. This issue occurred when
traffic was migrated from a firewall running a PAN-OS version earlier
than PAN-OS 9.0 to a firewall running PAN-OS 9.0 or later. |
PAN-160150 | Fixed an intermittent issue where, when
a race condition occurred, a process (rasmgr) stopped
responding, which caused GlobalProtect user authentication failure. |
PAN-159973 | Fixed an issue where a local commit in the
Panorama management server caused the status to get out of sync
on the managed WildFire appliance. |
PAN-159700 | Fixed an issue where importing PAN-TRAPS.my
to the SNMP manager caused the following error to display: Registration failed, registration failed, because there are unreferenced definition names in the MIB file. |
PAN-159592 | Fixed an issue where a Japanese keyword
search displayed garbled characters during SAML authentication. |
PAN-159536 | Fixed an issue where, when the CLI command oscp-exclude-nonce-yes was
enabled for a certificate profile, a nonce value was still included
in the Online Certificate Status Protocol (OCSP) request. |
PAN-159499 | Fixed an issue where you were unable to
select the configured QoS profile under the template stack. |
PAN-159293 | (VM-Series firewalls only) Fixed
an issue where the Certification Revocation List (CRL) in Distinguished
Encoding Rules (DER) format incorrectly returned errors despite
being able to successfully pull the CRL to verify that the syslog
server certificate was still valid. |
PAN-159224 | Fixed an memory leak issue related to a
process (mgmtsrvr), which was caused by a certificate
loading operation. |
PAN-159214 | Fixed an issue where a .txt file was corrupted,
which caused the web interface to not display the requested information. |
PAN-159122 | Fixed an issue where, when a new tag was
created, a custom application with the same name was also created. |
PAN-158932 | Fixed an issue where an increase was observed
on spyware_state, which caused latency. |
PAN-158654 | Fixed a memory leak issue in the management
server process. |
PAN-158649 | Fixed an issue where commits to the Prisma
Access Remote networks from Panorama were failing when the management
server on the cloud firewall failed to exit cleanly and reported
the following error: pan_check_cert_status(pan_crl_ocsp.c:284): sysd write failed (TIMEOUT) |
PAN-158639 | Fixed an issue on Panorama where logs that
were forwarded to a collector group did not appear, and the log
collector displayed the following error message: es.init-status not ready in logjobq. |
PAN-158450 | (PA-3200 Series firewalls only)
Fixed an issue where, for SNMPv2-MIB:sysServices, snmpwalk returned
the following error message: No Such Instance currently exists at this OID. |
PAN-158372 | Fixed a buffer overflow issue related to
the useridd process. |
PAN-158337 | Fixed an issue where warnings displayed
during a commit or validate when BGP peers used in an import/export
rule were disabled. |
PAN-158161 | Fixed an issue where the policy-based forwarding
(PBF) monitor was failing on the tunnel interface when QoS was enabled. |
PAN-158119 | (PA-7000 Series firewalls only)
Fixed an issue where TFTP traffic with a high packet rate was not
offloaded even after hitting an application override policy with
a custom application. |
PAN-158020 | Fixed an issue where HIP reports were not
visible on the web interface due to a domain override configuration. |
PAN-157938 | (VM-Series firewalls with multiple DHCP
interfaces only) Fixed an issue where leases renewed more quickly
than needed, which caused unnecessary SPF recalculations. |
PAN-157908 | Fixed an issue where false system alarms
for the IP tag log database exceeded the alarm threshold value. |
PAN-157903 | Fixed an issue where the To field
of an email was truncated in threat logs when the field of the original
email exceeded 512 bytes. |
PAN-157835 | Fixed an issue where DNS Proxy rules that
contained uppercase characters were not normalized to lowercase,
which prevented the rules from being matched. |
PAN-157715 | Fixed an intermittent issue where SMB file
transfer operations failed due to packet drops that were caused
by the Content and Threat Detection (CTD) queue filling up quickly.
This fix introduces a new CLI command which, when enabled, prevents
these failures: set system setting ctd nonblocking-pattern-match-qsizecheck [enable|disable]. |
PAN-157632 | Fixed an intermittent issue where the firewall
dropped GTP-U traffic with the message TEID=0x00000000. |
PAN-157570 | Fixed an issue where device deployment from
Panorama to the firewalls failed with the error message Failed to get DLSRVR client key.
This issue occurred only on firewalls where the request system-private-data-reset CLI
command had been issued in the past. |
PAN-157518 | Fixed an issue where using tags to target
a device group in a Security policy rule did not work, and the rule
was displayed in all device groups (Preview Rules). |
PAN-157472 | (PA_5200 Series firewalls only)
Fixed an issue where, after a factory reset, the firewall displayed
the following error message: data_plane_X: Exited 1 times, must be manually recovered.. |
PAN-157213 | (ZTP firewalls only) Fixed an issue
where the firewall failed to connect to Panorama when Zero Touch
Provisioning (ZTP) was disabled. |
PAN-157074 | Fixed an issue where a process (configd) stopped
responding, which caused corruption. |
PAN-157035 | (PA-5200 Series firewalls only)
Fixed an intermittent issue where multicast packets traversing the
firewall in VLAN configurations experienced higher drop rates than
expected. |
PAN-157027 | Fixed an issue where, when stateless GTP-U
traffic hit a multi-dataplane firewall, an inter-dataplane fragmentation
loop occurred, which caused high dataplane resource usage. |
PAN-157026 | Fixed an issue where the firewall did not
display unified logs. |
PAN-156552 | Fixed a discrepancy in Panorama between
application usage data and the application name in the ACC tab. |
PAN-156393 | Fixed an issue where NetFlow updates were
sent without honoring the configured active timeout value. |
PAN-156388 | Fixed an issue where a process (useridd) stopped
responding while attempting to remove all HIP reports on the disk. |
PAN-155903 | Fixed an issue where zone protection and
spoofed IP address protection didn't properly drop unroutable packets. |
PAN-155659 | Fixed an issue where individual users were
unable to populate the allowed user/user group field
when configuring the GlobalProtect Clientless VPN. |
PAN-155657 | Fixed an issue where the default log level
for mprelay was set to INFO and caused commits
to stop working on VM-Series firewalls in AWS using EBS backed volumes
when route monitor was configured. |
PAN-154905 | (Panorama appliances on PAN-OS 10.0
releases only) Fixed an issue with Security policy rule configuration
where, in the Source and Destination tabs,
the Query Traffic setting was not available
for Address Groups. |
PAN-154526 | Fixed an issue where a process (genindex.sh) caused
high memory usage on the management plane. Due to the resulting
out-of-memory (OOM) condition, multiple processes stopped responding. |
PAN-154441 | Fixed an issue where the Radius EAP authentication
stopped working and the authd process restarted. |
PAN-154433 | Fixed an issue where the firewall was unable
to detect end-user IP address spoofing on the GTP-U for a user data
session when using an IPv6 address. |
PAN-154362 | Fixed an issue where Panorama failed to
push dynamic user groups to the managed firewalls. |
PAN-154334 | Fixed an issue where the inactivity logout
timeout did not reflect on the GlobalProtect mapping timeout. |
PAN-153288 | Fixed an issue where the software QoS shaping
queue processing was not properly applied on multicast traffic. |
PAN-151751 | Fixed an issue where GlobalProtect logs
did not populate on the destination syslog server in Log Event Extended
Format (LEEF) and common event format (CEF). |
PAN-151273 | Fixed an issue where the commit event was
not recorded in the config logs during a Commit and Push on
the Panorama management server. |
PAN-150530 | Fixed an issue in the External Dynamic List
(EDL) where printed log messages repeated until the end of the description
field. |
PAN-150388 | Fixed an issue where a process (mgmtsrvr) stopped
responding when viewing logs in the web interface. |
PAN-150080 | Fixed an issue where, even when tunnel interface
was set to down, the following alert displayed: Tunnel GRE_Tunnels is going down(critical). |
PAN-147736 | Fixed an issue on the firewall web interface
where the Cortex Data Lake Logging Service Status pop-up
window did not show correct information. |
PAN-146250 | Fixed an issue where, in two separate but
simultaneous sessions, the same software packet buffer was owned
and processed. |
PAN-144305 | Fixed an issue where merged configurations
were unable to be exported from Panorama-managed firewalls using
the PAN-OS XML API. |
PAN-144057 | Fixed a rare issue where, when aggregate
ethernet (AE) groups were deleted and re-added, the AE interface
no longer had an SDB node to send link the location to. As a result,
the dataplane was unable to identify a connected route for the interface
address. |
PAN-141494 | Fixed an issue with the group-mapping mode
credential detection feature that failed to block users when logging
in using corporate credentials. |
PAN-138727 | A fix was made to address a time-of-check
to time-of-use (TOCTOU) race condition in the PAN-OS web interface
that enabled an authenticated administrator with permission to upload
plugins to execute arbitrary code with root user privileges (CVE-2021-3054). |
PAN-138134 | Fixed an issue on Panorama where a template
configuration push was blocked when the managed firewall did not
have a plugin referenced in the template configuration. |
PAN-138066 | Fixed an issue where an incorrect Certificate
Authority (CA) was used for communicating to the Zero Touch Provisioning
(ZTP) service. |
PAN-116515 | Fixed an issue where IKE Gateway configurations
with different crypto profiles on the same IP address with dynamic
peers failed with the following error message: IKEv1 gateway should use the same crypto profiles configured on the same interface or local IP address. With
this fix, you are able to configure IKE Gateways with different crypto
profiles on the same IP address with dynamic peers when IKEv1 auto
mode is applied. |
PAN-113093 | Fixed an intermittent issue where, when
the DNS Security cloud was not reachable, DNS responses had bad
UDP checksums. |