PAN-OS 10.1.6 Addressed Issues
Focus
Focus

PAN-OS 10.1.6 Addressed Issues

Table of Contents

PAN-OS 10.1.6 Addressed Issues

PAN-OSĀ® 10.1.6 addressed issues.
Issue ID
Description
WF500-5509
(WF-500 appliance only) Fixed an issue where cloud inquiries were logged under the SD-WAN subtype.
PAN-193579
Fixed an issue where new logs viewed from the CLI (show log <log_type>) and new syslogs forwarded to a syslog server contained additional, erroneous entries.
PAN-192930
Fixed an issue where, when the default port was not TCP/443, implicitly used SSL applications were blocked by the Security policy as an SSL application and did not shift to the correct application.
PAN-191629
(PA-5450 firewalls only) Fixed an issue where the hourly summary log was limited to 100,001 lines when summarized, which resulted in inconsistent report results when using summary logs.
PAN-191470
Fixed an issue on Panorama where encrypted passwords were sent to firewalls on PAN-OS 10.1 releases during a multi-device group push, which caused client-based External Dynamic Lists (EDL) to fail.
PAN-191466
Fixed an issue where you were unable to use the web interface to override IPsec tunnels pushed from Panorama
PAN-191222
Fixed an issue where Panorama became inaccessible when after a push to the collector group.
PAN-190728
Fixed an issue in an active/passive high availability (HA) configurations with link or path monitoring enabled where the aggregate ethernet interface went down before member interfaces went down.
PAN-190675
Fixed an IoT cloud connectivity issue with the firewall dataplane when the Data Services service route was used and the egress interface had VLAN tagging.
PAN-190660
Fixed an issue where the vld process stopped responding when Elasticsearch had no data.
PAN-190644
Fixed an issue where Elasticsearch removed indices earlier than the configured retention period.
PAN-190409
(PA-5450 and PA-3200 Series firewalls that use an FE101 processor only) Fixed an issue where packets in the same session were forwarded through a different member of an aggregate ethernet group when the session was offloaded. The fix is that you can use the following CLI command to change the default tag setting to the tuple setting:
admin@firewall> set session lag-flow-key-type ?
> tag tag
> tuple tuple
tag is the default behavior (tag based on the CPU, tuple based on the FE).
tuple is the new behavior, where both CPU and FE use the same selection algorithm.
Use the following command to display the algorithm:
admin@firewall> show session lag-flow-key-type
dp0: tuple based on fe100
dp1: tuple based on fe100
PAN-189982
Fixed an issue where, when inputting tags, the scrollbar in the dialog box for the tag field obscured the down arrow.
PAN-189643
Fixed an issue where, when Quality of Service (QoS) was enabled on an IPSec tunnel, traffic failed due to applying the wrong tunnel QoS ID.
PAN-189182
Fixed an issue where the change summary didn't work after upgrading the Panorama appliance.
PAN-189010
Fixed an issue on Panorama where a deadlock in the configd process caused both the web interface and the CLI to be inaccessible.
PAN-188872
Fixed an out-of-memory (OOM) condition caused by a memory leak issue on the useridd process.
PAN-188776
(PA-5200 Series firewalls only) Fixed an issue where the AUX-2 port required a reboot to link up after factory resetting the firewall.
PAN-188336
Fixed an issue with the dnsproxyd process that caused the firewall to unexpectedly reboot.
PAN-188303
Fixed an issue where the serial number displayed as unknown after running the show system state CLI command.
PAN-188272
(PA-5200 Series and PA-7000 Series firewalls only) Fixed an issue where Support UTF-8 For Log Output wasn't visible on the web interface.
PAN-188097
Fixed an issue where the firewall stopped allocating new sessions with increments in the counter session_alloc_failure. This was caused by GPRS tunneling protocol (GTP-U) tunnel session aging processing issue.
PAN-188009
Fixed an issue where a firewall import to Panorama running a PAN-OS 10.1 release or a PAN-OS 10.2 release resulted in corrupted private information when the master key was not used.
PAN-188005
Fixed an issue where the var/off file consumed more space than expected, which caused 100% root partition.
PAN-187829
Fixed an issue where the web_backend and httpd processes leaked descriptors, which caused activities that depended on the processes, such as logging in to the web interface, to fail.
PAN-187630
Fixed an issue where the all_task process stopped responding with a stack trace that contained the function pan_agent_userpolicy_cache_find.
PAN-187558
Fixed an issue where the following error message flooded the system log: Incremental update to DP failed.
PAN-186750
Fixed an issue where, after upgrading to a PAN-OS 10.1 release, SaaS reports generated on Panorama did not display Applications at a glance and most charts were missing data on the right side of the chart.
PAN-186262
Fixed an issue where Panorama appliances in Panorama or Log Collector mode became unresponsive while Elasticsearch accumulated internal connections related to logging processes.
PAN-186143
Fixed an issue where no local changes could be made on a Zero Touch Provisioning (ZTP) enabled device after an upgrade to a PAN-OS 10.1 release.
PAN-185616
Fixed an issue where the firewall sent fewer logs to the system log server than expected. With this fix, the firewall accommodates a larger send queue for syslog forwarding to TCP syslog receivers.
PAN-185558
Fixed an issue where Panorama log migration failed when old logs migrated to a newer format. This was due to older indices failing to close.
PAN-185440
Fixed an issue where iOS devices incorrectly displayed as jailbroken under HIP match logs.
PAN-185416
(PA-220 firewalls only) Fixed an issue where the firewall repeatedly rebooted every few hours.
PAN-184979
Fixed an issue in multi-vsys environments where the DNS service route always used the management interface even when the dataplane interface was
PAN-184621
Fixed an issue on FIPS-enabled devices where modifying any configuration of an existing GlobalProtect portal failed with the following error message: Operation failed : Malformed request.
PAN-184291
Fixed an issue where the GlobalProtect portal generated a cookie with a domain as NULL instead of empty-domain, which caused users to be identified incorrectly.
PAN-184071
Fixed an issue where tech support files were not generated.
PAN-183788
Fixed an issue with SCEP certificate enrollment where the incorrect Registration Authority (RA) certificate was chosen to encrypt the enrollment request.
PAN-183579
Fixed an issue where SD-WAN path monitoring failed over the interface directly connected to the ISP due to an unsupported ICMP probe format.
PAN-183529
(PA-5450 firewalls only) Fixed an issue where upgrading the firewall caused corrupted log records to be created, which caused the logrcvr process to fail. This resulted in the auto-commit process required to bring up the firewall after a reboot to fail and, subsequently, the firewall to become unresponsive.
PAN-183339
Fixed an issue where line breaks in a description were not visible.
PAN-183327
(Firewalls in HA configurations only) Fixed an issue where policy based forwarding (PBF) sessions between virtual systems (vsys) weren't pushed to the high availability peer.
PAN-183322
(Firewalls in Hyper-V environments only) Fixed an issue where, when upgrading PAN-OS 10.0.5 to PAN-OS 10.0.6 or later, the default Maximum Transmission Unit (MTU) is restored to 1500 from 1496.
PAN-181604
Fixed an issue where audit comment archive configuration logs (between commits) were lost after each upgrade.
PAN-181568
Fixed an issue where high dataplane CPU occurred when DNS Security was enabled on a firewall with many DNS sessions but less overall traffic.
PAN-181277
Fixed an issue where VPN tunnels in SD-WAN flapped due to duplicate tunnel IDs.
PAN-181262
Fixed an issue where, when the data loss prevention (DLP) plugin was installed, the Panorama web interface froze after previewing changes.
PAN-181245
Fixed an internal path monitoring failure issue that caused the dataplane to go down.
PAN-181215
Fixed an issue where the authd process didn't receive authentication requests due to internal socket errors.
PAN-181031
Fixed an issue where the CN-NGFW (DP) folder on the CN-MGMT pod eventually consumed a large amount of space in the /var/log/pan because the old registered stale next-generation firewall logs were not being cleared.
PAN-180934
Fixed an issue where, when decrypting at TLS1.3, websites failed to load due to the firewall incorrectly handling payload padding from the server.
PAN-180661
Fixed an issue on Panorama where pushing an unsupported Minimum Password Complexity (Device > Setup > Management) to a managed firewall incorrectly displayed a commit timeout as the reason the commit failed.
PAN-180396
Fixed an issue where Panorama displayed an error when generating a ticket to disable GlobalProtect for Prisma Access.
PAN-180338
Fixed an issue where the CTD loop count wasn't accurately incremented.
PAN-180125
Fixed an issue where either Elasticsearch es-1 or es-2 didn't start after rebooting the log collector.
PAN-179184
Fixed an issue where Security Assertion Markup Language (SAML) authentication failed when multiple single sign-on (SSO) requests were sent at the same time from SSL VPN to the authd process on the firewall.
PAN-178975
Fixed an issue where the local log collector was out of sync and displayed a public IP address mismatch for the management interface.
PAN-178862
Fixed an issue where bootstrapped firewalls didn't associate with the configured template stack if the stack name had more than 31 characters.
PAN-178450
Fixed an issue where icons weren't displayed for clientless VPN applications.
PAN-177762
Fixed an issue where wifclient in PAN-OS 10.0 and later releases caused processing delays, on-chip descriptor spikes, and buffer usage.
PAN-177671
Fixed an issue where, when SIP traffic traversing the firewall was sent with a high QoS differentiated service code (DSCP) value, the DSCP value was reset to the default setting (CS0) for the first data packet.
PAN-177455
(PA-7000 Series firewalls with HA clustering enabled and using HA4 communication links only) Fixed an issue where loading PAN-OS 10.2.0 on the firewall caused the PA-7000 100G NPC (Network Processing Card) to go offline. As a result, the firewall failed to boot normally and entered maintenance.
PAN-177409
Fixed an issue where, when the quarantine feature was enabled, every hostid lookup created a new entry in the cache memory instead of having a single cache entry for each IP address, which led to memory exhaustion.
PAN-177063
Fixed an issue where decrypting large packets introduced congestion during content inspection, which caused processes to stop responding due to missed heartbeats.
PAN-176437
(PA-3200 Series firewalls only) Fixed an issue where multiple processes stopped responding, which caused the firewall to reboot.
PAN-175186
Fixed an issue where performing a commit-all operation with the API type op instead of commit resulted in Panorama returning the incorrect error message Use type [commit-all] instead of the correct error message to use the type commit.
PAN-175022
Fixed an issue where the PAN-OS web interface table of contents did not display or the help contents reloaded continuously.
PAN-175016
Fixed an issue where PDF summary reports were empty when they were generated by a user in a custom admin role.
PAN-174660
Fixed an issue where the devsrvr process stopped responding after a local or Panorama pushed commit. This occurred when a single NAT policy contained more than 64 address objects.
PAN-174514
(VM-Series firewalls on Amazon Web Services (AWS) with Gateway Load Balancer (GWLB) enabled only) Fixed an issue where the firewall didn't block access with a response page when accessing a blocked URL category.
PAN-174161
Fixed an issue in Panorama that occurred when attempting to disable override on an object from a child device group did not work after cloning and renaming the object.
PAN-173453
Fixed an issue where multiple heartbeat failures occurred, which resulted in high availability failover.
PAN-172768
Fixed an issue where HIP report generation caused a memory leak on a process (useridd).
PAN-172766
Fixed an issue on Panorama where a commit push to managed firewalls failed with sctp-init is invalid error even though SCTP settings were not configured in the corresponding template.
PAN-170462
Fixed an issue where Saas applications downloaded from the App-ID Cloud Engine (ACE) didn't appear in daily application reports (MonitorReportsApplication Reports) or in the Application column of the Application Usage widget in (ACCNetwork Activity.
PAN-168400
Fixed an issue where, after installing Cloud Services plugin 10.2, the Plugin cloud_services status (Dashboard > High Availability) displayed as Mismatch.
PAN-168339
Fixed an issue where replacing SSL certificates for inbound management traffic did not work when Block Private Key Export was enabled.
PAN-165660
Fixed an issue where, in scenarios with Fragmented Session Initiation Protocol (SIP), where the first packet arrived out of order, bypassing App-ID and Content and Threat Detection (CTD). With this fix, the out-of-order packet is transmitted after it has been queued and processed by APP-ID and CTD.
PAN-163174
Fixed an issue on the firewall where, after a commit, GlobalProtect users saw SAML authentication failure due to an improper certificate revocation check.
PAN-162444
Fixed an issue where the system state reported incorrect or missing capacity numbers for FQDN address objects.
PAN-162164
Fixed an issue where, when upgrading a multi-dataplane firewall from a PAN-OS 10.0 to a PAN-OS 10.1 release, the commit failed if the DHCP Broadcast Session option was enabled in the configuration.
PAN-159702
Fixed an issue where FQDN refresh did not work with the error No name servers found!, and no subsequent retries occur.
PAN-155730
Fixed an issue where corrupted log index files were not automatically removed.
PAN-142701
Fixed an issue where the firewall did not delete Stateless SCTP sessions after receiving an SCTP Abort packet.