PAN-OS 8.1.3 Addressed Issues
Focus
Focus

PAN-OS 8.1.3 Addressed Issues

Table of Contents
End-of-Life (EoL)

PAN-OS 8.1.3 Addressed Issues

PAN-OS® 8.1.3 addressed issues
Issue ID
Description
WF500-4645
Fixed an issue where RAID rebuilding after disk replacement either failed or took longer than expected.
PAN-101101
Fixed an issue with inconsistencies in the IP address-to-username mappings after upgrading the User-ID agent to a User-ID agent 8.1 release.
PAN-100896
Fixed an issue where the dataplane restarted multiple times when multiple processes stopped responding when accessing invalid memory.
PAN-100870
Fixed an issue where the GlobalProtect app incorrectly displays a warning (Password Warning:Password expires in 0 days) even though the password has not, yet, expired.
PAN-100312
Fixed an intermittent issue where the dataplane restarted when processing Clientless VPN traffic.
PAN-100015
Fixed an issue where a PA-7000 Series firewall with a 20GQ Network Processing Card (NPC) failed to properly initiate all QSFP modules.
PAN-99968
Fixed an issue where the firewall incorrectly dropped GTPv2-C Modify Bearer Response packets due to a sequence-number mismatch.
PAN-99896
Fixed an issue where the route (routed) process on a passive firewall in a high availability (HA) cluster restarted when receiving an update from the active peer for a multicast route destined for a multicast group that does not exist on the firewall.
PAN-99624
Fixed an issue where emails were not sent using the configured email service route as expected.
PAN-99585
Fixed an issue where a PA-3200 Series firewall processed traffic that was in suspended mode
PAN-99584
Fixed an issue where a PA-5200 Series firewall processed traffic that was in suspended mode.
PAN-99380
Fixed an issue where the dataplane stopped responding when a tunnel interface on the firewall received fragmented packets.
PAN-99362
Fixed an issue on a VM-Series firewall on Azure where a process (logrcvr) stopped responding.
PAN-99316
Fixed an issue where the SAP Success Factor app failed to load because the Cipher-cloud was configuring cookies with the at ( @ ) character in the cookie name but Palo Alto Networks firewalls used the @ character as a separator for storing cookies locally, which caused the firewall to misinterpret the cookies.
PAN-99263
Fixed an issue where NetFlow caused an invalid memory-access issue that caused the pan_task process to stop responding.
PAN-99212
Fixed an issue where the firewall incorrectly dropped ARP packets and increased the flow_arp_throttle counter.
PAN-99067
Fixed an issue where a firewall frequently flapped a BGP session when the firewall did not receive any response from the BFD peer or when BFD was configured only on the firewall.
PAN-98735
Fixed an issue where upgrading a Panorama management server on Microsoft Azure from PAN-OS 8.1.0 to PAN-OS 8.1.1 or PAN-OS 8.1.2 resulted in an autocommit failure.
PAN-98624
Fixed an issue where an administrator who has all administrative rights is unable to add a device to Panorama from the web interface.
PAN-98530
Fixed a memory leak associated with the logrcvr process when using custom syslog filters in a syslog profile.
PAN-98470
Fixed an issue on a firewall with GTP stateful inspection enabled where the firewall incorrectly identified GTP echo packets as GTP-U application packets.
PAN-98397
Fixed an issue on PA-3200 series firewalls where the offload processor did not process route-deletion update messages , which left behind stale route entries and caused sessions to become unresponsive during the session-offload stage.
PAN-98329
(PA-3200 Series firewalls only) Fixed an issue where an SFP+ (10Gbps PAN-SFP-PLUS-CU-5M) transceiver was incorrectly identified as an SFP (1Gbps) transceiver.
PAN-98217
Fixed an issue where user-account group members in subgroups (n+1) were unnecessarily queried when nested level was set to n.
PAN-98116
Fixed an issue where PA-3000 Series firewalls passed file descriptors in a dataplane process (pan_comm) during content (apps and threats) installation and FQDNRefresh job execution, which caused the hardware Layer 7 engine to identify applications incorrectly.
PAN-98097
Fixed an issue on PA-3000 Series, PA-3200 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls where Captive Portal was inaccessible for traffic on Secure HTTP (https) websites when SSL decryption was enabled and users were behind a proxy server.
PAN-98088
Fixed an issue where an error (mailsend: failed to get stat of file) appeared in the System log due to an incorrect condition check even though there were no issues with the firewall sending PDF reports.
PAN-97905
Fixed an issue where device-group operations were discarded when a concurrent commit was triggered by a different administrator.
PAN-97810
Fixed an issue where, after upgrading to PAN-OS 8.1.1, User-ID usernames were not populated in traffic logs as expected even though User-ID mappings were present on the dataplane.
PAN-97724
Fixed an issue with the Japanese language mode where a firewall displayed garbled characters when an administrator was logging in to the web interface.
PAN-97634
Fixed an issue where the firewall rebooted when the management (MGT) interface was connected to a network that contained a network loop, which caused excessive traffic flow on the interface. This issue was observed only on a PA-220 firewall.
PAN-97594
Fixed an issue where administrators could not use the new colors that were introduced in PAN-OS 8.1 for creating and modifying banners and messages; these colors were unavailable from the CLI and, though available from the web interface (DeviceSetupManagementBanners and MessagesBanners), administrators received an Operation Failed error when attempting to use them.
PAN-97561
Fixed an issue where a Panorama appliance running PAN-OS 8.1.2 was unable to connect to the Logging Service.
PAN-97497
Fixed an issue where the default for newly added cloned security rules was Move Top, which placed the new rule at the top of the list. With this fix, the default is After Rule as it was in PAN-OS 8.0 and earlier releases.
PAN-97282
Fixed an issue where Inbound inspection failed when a cipher was cleared from the TLS structure during session resumption.
PAN-97225
Fixed an issue where new Vendor names for the HIP check were not included when Panorama pushed the configuration to firewalls.
PAN-97208
Fixed an issue where a firewall in a high availability (HA) active/active virtual wire (vwire) configuration with SSL decryption enabled passed traffic through the wrong firewall.
PAN-97082
Fixed an issue where the firewall incorrectly blocked SSL sessions subjected to Inbound decryption due to UnsupportedVersion when the Decryption rule referenced a decryption profile with Min - Max TLS Version, even though Block sessions with unsupported versions was disabled (ObjectsDecryptionDecryption Profile). With this fix, the firewall checks the TLS version that the server accepted and compares it with the decryption profile settings when evaluating whether to allow or bypass sessions based on Decryption rules.
PAN-97060
Fixed an issue where the User-ID (useridd) process stopped responding due to an out-of-memory issue related to User-ID group mapping.
PAN-97045
Fixed an issue on PA-850 firewalls where the session rematch option failed to execute when you added an IP address to the External Dynamic List (EDL) block list.
PAN-96997
Fixed an intermittent issue where detecting an unreachable WF-500 node took longer than expected.
PAN-96978
Fixed an issue where the GlobalProtect Clientless VPN and GlobalProtect Data options did not display as expected on Panorama (TemplateDeviceDynamic Updates).
PAN-96918
Fixed an issue where an unreachable DNS server due to aggressive timers increased the time of PPPoE negotiation and, in some cases, caused negotiation to fail.
PAN-96909
A security-related fix was made to address a Denial of Service (DoS) that existed in the PAN-OS management web interface and allowed an authenticated user to shut down all management sessions, which causes the firewall to redirect all logged-in users to the login page (CVE-2018-10140).
PAN-96889
Fixed an issue where administrators were required to perform a commit force before pushing a partial or regular commit operation to managed appliances when the management server (mgmtsrvr) or configuration (configd) process encountered a virtual memory leak and restarted.
PAN-96779
Fixed an issue where using the the XML API to retrieve Hit Count on a security rule returned an error message: Anerror occurred. See dagger.log for information.
PAN-96737
Fixed an issue with an incorrect policy match because google-docs-base was incorrectly identified as SSL.
PAN-96388
Fixed an issue in a non-vsys configuration where a firewall dropped the Client Hello packet from tunneled traffic when inbound decryption was enabled because the firewall considered that packet to be an inter-vsys inbound packet.
PAN-96326
Fixed an issue where endpoints could not authenticate to a GlobalProtect portal or gateway through client certificate authentication due to an OCSP status of Unknown when the portal or the gateway used a Certificate profile that specified Online Certificate Status Protocol (OCSP) to validate certificates (NetworkGlobalProtectPortals<portal>Authentication).
PAN-96200
Fixed an issue where PA-220 firewalls that were bootstrapped with a configuration that enabled jumbo frames did not change the packet buffer size as expected, which resulted in a dataplane restart.
PAN-96150
Fixed a memory corruption error that caused the dataplane to restart when content decode length was zero.
PAN-96113
Fixed an issue where the show routing protocol bgp rib-out CLI command did not display advertised routes that the firewall sent to the BGP peer. This issue was observed only in a deployment where a firewall is connected to a Border Gateway Protocol (BGP) peer that advertised a route for which the next hop is not in the same subnetwork as the BGP peer interface.
PAN-96003
Fixed an issue where the GTP Protection profile name did not appear in the Global Find and Filter options in the Profile column of the security rule to which the GTP profile was attached.
PAN-95996
Fixed an issue where Panorama virtual appliances converted from legacy mode to Panorama mode did not properly purge logs, which caused low disk space issues in /opt/panlogs partition.
PAN-95993
Fixed an issue where the firewall did not properly identify the google-translate application.
PAN-95955
Fixed an issue on PA-3200 Series firewalls where incorrect internal memory allocation reduced the number of simultaneous SSL decryption sessions that the firewall could support.
PAN-95884
Fixed an issue where routing FIB entries that were learned from a BGP peer were not deleted when BGP Peering went down.
PAN-95854
Fixed an issue where the Filter drop-down did not display properly when you keep the default Target for a Policy rule set to Any.
PAN-95766
Fixed an issue where Q-in-Q-tagged packets passed through a firewall without inspection or session creation.
PAN-95740
Fixed an issue where multicast FIB entries were inconsistent across dataplanes, which caused the firewall to intermittently drop multicast packets.
PAN-95730
Fixed an issue where a firewall dropped SIP-RTP packets flowing through a GRE tunnel when a Tunnel Inspection Policy was configured with Security Options (Tunnel Inspection zones).
PAN-95712
Fixed an issue where browsers failed to load custom response pages on decrypted websites when those pages were larger than 8,191 bytes. With this fix, the firewall supports decryption of custom response pages up to 17,999 bytes.
PAN-95509
Fixed an issue where the parent device group in the hierarchy did not automatically acquire read-only access for a URL Profile as expected after you assigned write access to a child device group of that parent.
PAN-95476
Fixed an issue where a certificate failed to load when the certificate public key exceeded the supported number of characters (2,048).
PAN-95439
Fixed an issue where using the test nat-policy-match command from the XML API does not result in any matches when the matching policy is a destination NAT policy.
PAN-95339
Fixed an issue where a firewall sent packets out of order when the sending rate was too high.
PAN-95192
Fixed an issue where the SSL Certificate Error Notify page didn't display the <certname/> <issuer/> variables in the SSL-cert-status-page.
PAN-95120
Fixed an issue where VM-Series firewall bootstrapping failed when you transferred the bootstrap package using a base64 encoded user-data file.
PAN-95114
Fixed an issue where TACACS+ authorization responded with Illegal packet version because a firewall was incorrectly sending minor version 1, which impacts TACACS+ servers and causes a failed authorization.
PAN-95113
Fixed an where issue where non-local administrators using TACACS were unable to log in to the CLI.
PAN-95090
Fixed an issue where imported custom applications did not display in Security Policies that were created through the web interface.
PAN-95061
Fixed an issue on PA-220 firewalls where either a commit or an EDLRefresh job failed with the following error message: failed to handle CONFIG_UPDATE_START. This issue occurred after an increase in the number of type URL entries in an external dynamic list.
PAN-95046
Fixed an issue where the dataplane restarted on a VM-Series firewall on KVM.
PAN-94920
Fixed an issue where PA-5200 Series firewalls in a high availability (HA) active/active configuration experienced internal packet corruption that caused the firewalls to stop passing traffic when the active member of a cluster came back up as passive after being either suspended or rebooted (moving from tentative to passive state).
PAN-94864
Fixed an issue where firewalls receiving IP addresses via DHCP failed to resolve FQDN objects to an IP address.
PAN-94777
Fixed an issue where a 500Internal Server error occurred for traffic that matched a Security policy rule with a URL Filtering profile that specified a continue action (ObjectsSecurity ProfilesURL Filtering) because the firewall did not treat the API keys as binary strings.
PAN-94698
Fixed an issue on PA-5000 Series firewalls where a process (all_pktproc) on the dataplane stopped responding if you enabled the send icmp unreachable Action Setting (Policies<rule>Actions).
PAN-94646
Fixed an issue with firewalls in a high availability (HA) configuration where a an HA sync initiated from the active peer caused a race condition while processing the previous request.
PAN-94637
Fixed an issue where an XML API call to execute the request system external-list show command did not escape the ampersand ( & ) character in the Source section of the XML output, which resulted in a parse error.
PAN-94571
Fixed an issue on PA-800 Series, PA-3200 Series, and PA-5200 Series firewalls where tunnel-bound traffic was incorrectly routed through an ECMP route instead of a PBF route as expected.
PAN-94497
Fixed an issue where the default static route was not present in the routing table after you removed the DHCP-provided default gateway when you configured a default static route and DHCP provided the same default route.
PAN-94452
Fixed an issue where the firewall recorded GPRS Tunneling Protocol (GTP) packets multiple times in firewall-stage packet captures (pcaps).
PAN-94447
Fixed an issue where deleting all FQDN objects that are no longer in use did not remove them from the FQDN refresh table, which caused firewalls to continue resolving these old objects per the schedule.
PAN-94409
Fixed an issue where FTP traffic failed and hit an incorrect security policy due to missing predict sessions.
PAN-94291
Fixed an issue where a firewall failed to process packets if the previous session was cleared (either from the CLI or web interface), the client uses the same source port, and when the new session is installed on dataplane1 (dp1).
PAN-94290
Fixed an issue where fragmented packets were dropped when traversing a firewall in an HA active/active configuration.
PAN-94221
Fixed an issue when QoS was configured where the dataplane restarted due to a packet process failure.
PAN-94124
Fixed an issue where a PA-800 Series firewall dropped UDP packets traversing port 0.
PAN-94062
Fixed an issue where the dataplane stopped responding due to a failed packet buffer initialization after the firewall rebooted.
PAN-94043
Fixed an issue where, when an administrator made and committed partial changes, the disabled address objects used in a disabled security policy were pushed from Panorama and retained on the firewall but were deleted when an administrator performed a full commit from Panorama.
PAN-93990
Fixed an issue where a VM-Series firewall was unable to ping the gateway in a multiple virtual router configuration when interfaces received IP address through DHCP.
PAN-93973
Fixed an issue on an M-100 appliance where logging stopped when a process (vldmgr) stopped responding.
PAN-93864
Fixed an issue where the password field did not display in the GlobalProtect portal login dialog if you attached the certificate profile to the portal configuration.
PAN-93811
Fixed an issue where the Panorama task manager view on the web interface stopped responding after multiple appliances reported multiple errors and warnings in commit job details.
PAN-93754
A security-related fix was made to address vulnerabilities related to some SAML implementations (CVE-2018-0486 and CVE-2018-0489). Refer to www.kb.cert.org/vuls/id/475445 for details.
PAN-93753
Fixed an issue on PA-200 firewalls where disk space usage was constantly running high and often reaching maximum capacity. With this fix, the PA-200 firewall purges logs more quickly and it no longer requires as much space for monitor daemons.
PAN-93609
Fixed an issue where the firewall silently dropped the first packet of a session when that packet was received as a fragmented packet (typically with UDP traffic).
PAN-93457
Fixed an issue where continuous renewal for a session that went into DISCARD state when the firewall reached its resource limit prevented the creation of new sessions that matched that DISCARD session.
PAN-93331
Fixed an issue where the firewall applied the wrong checksum when a re-transmitted packet in a NAT session had different TCP flags, which caused the recipient to drop those packets.
PAN-93329
Fixed an issue where the non-session-owner firewall in a high availability (HA) active/active configuration with asymmetric traffic flow dropped TCP traffic when TCP reassembly failed.
PAN-93152
Fixed an intermittent Panorama issue where, after upgrading to PAN-OS 8.0 or a later release and when connected to a WF-500 appliance, commit validations failed due to a mismatched threat ID range on the WildFire private cloud.
PAN-93005
Fixed an issue where the firewall generated System logs with high severity for Dataplane undersevere load conditions that did not affect traffic. With this fix, the System logs have low severity for Dataplaneunder severe load conditions that do not affect traffic.
PAN-92745
Fixed an issue where the Vulnerability Protection profile exceptions view included threat IDs that were disabled or not supported for the PAN-OS release version. Now, only IDs for signatures that are included in the currently-installed content package are displayed.
PAN-92740
Fixed an issue in an NSX environment where the Panorama management server displayed an incorrect number of tags under Dynamic Address Groups when you configured a static tag in one or more address groups.
PAN-92609
Fixed an issue where the firewall could not forward full information for a Protocol-Independent Multicast (PIM) group to a peer PIM router when the PIM bootstrap message was larger than the maximum transmission unit (MTU) of the firewall interface.
PAN-92548
Fixed an intermittent issue where a race condition caused the Logging Service or WF-500 appliances to disconnect from or become unresponsive to firewalls or the Panorama management server.
PAN-92257
Fixed an issue where the firewall was intermittently sending incorrect bytes-per-packet values for some flows to the NetFlow collector.
PAN-92105
Fixed an issue where the Panorama Log Collectors did not receive some firewall logs and took longer than expected to receive all logs when a Collector Group had spaces in its name.
PAN-92033
Fixed an issue during the software download process that prevented some firewalls and appliances from properly receiving these images.
PAN-92017
Fixed an issue where Log Collectors that belonged to a collector group with a space in its name failed to fully connect to one another, which affected log visibility and logging performance.
PAN-91926
Fixed an issue where GlobalProtect users could not access some websites decrypted by the firewall due to an issue with premature deletion of proxy sessions.
PAN-91662
Fixed an issue where a certificate was loaded without a digital signature, which caused the configuration (configd) daemon to stop responding.
PAN-91316
Fixed an issue where you couldn't unlock administrator accounts with expired passwords because the firewall didn't display a lock icon for their accounts in the Locked User column (DeviceAdministrators).
PAN-91259
Fixed an issue where the predict session for the rmi-iiop application was not created correctly, which caused server-to-client initiated sessions to traverse slow-path inspection and, eventually, policy rules denied the traffic associated with these sessions.
PAN-91021
Fixed an issue where, in a multiple virtual system (vsys) configuration on Panorama, you could not add a certificate defined in vsys to a certificate profile in the same vsys unless the vsys was defined using the default name.
PAN-90952
Fixed an issue on PA-5000 Series firewalls where multicast traffic failed because PAN-OS did not remove stale sessions from the hardware session offload processor.
PAN-90752
Fixed an issue on Panorama where the Last Commit State column (PanoramaManaged Devices) did not get updated after a Template-Only configuration push to firewalls.
PAN-90535
Fixed an issue where the firewall unnecessarily sent an Authorize-only request to the RADIUS server which was denied during the login process if you disabled the Retrieve Framed-IP-Address attribute from authentication server (NetworkGlobalProtectGateways<gateway>AgentClient Settings<clients_configuration>IP Pools) in the GlobalProtect gateway configuration.
PAN-89620
Fixed an intermittent issue where traffic stopped flowing through the IPSec tunnel in a hub-and-spoke multiple-vendor configuration.
PAN-89346
Fixed an issue where an XML API call to execute the show system raid detail command returned an error.
PAN-88473
Fixed an issue where the firewall was sending incorrect bytes-per-packet values to the NetFlow collector when two servers were configured in the same NetFlow profile.
PAN-88048
Fixed an issue where a VM-Series firewall on KVM in MMAP mode didn't receive traffic after you enabled the i40e single-root input/output virtualization (SR-IOV) virtual function (VF).
PAN-87855
Fixed an issue where some ICMP Type 4 traffic was not blocked as expected after you created a deny Security policy rule with custom App-ID for ICMP Type 4 traffic.
PAN-87166
Fixed a rare issue on PA-7000 Series firewalls where 20GQ NPC QSFP+ ports didn't link up (during online insertion and removal (OIR), link-state change, or boot up events) and became unrecoverable until the NPC was restarted.
PAN-86769
Fixed an issue where a firewall did not forward logs when using the category eq command-and-control filter.
PAN-86630
Fixed an issue where the firewall dropped H.323 gatekeeper-assisted calls after failing to perform NAT translation of third-party addresses in H.323 messages.
PAN-86327
Fixed an issue where the firewall rebooted into maintenance mode.
PAN-85522
Fixed an issue on PA-5200 Series firewalls where an SFP+ (10Gbps) transceiver (PAN-SFP-PLUS-CU-5M) was incorrectly identified as an SFP (1Gbps) transceiver.
PAN-83153
Fixed an issue where a Panorama virtual appliance in Legacy mode that was deployed in a high availability (HA) configuration did not receive logs forwarded from PA-7000 Series and PA-5200 Series firewalls.
PAN-83047
Fixed an issue where the firewall displayed the following commit warning when you configured a GlobalProtect gateway with a Tunnel Interface set to the default tunnel interface (NetworkGlobalProtectGateways<gateway>General) even after you enabled IPv6: Warning: tunnel tunnel ipv6 is not enabled. IPv6 address will be ignored!
PAN-80091
Fixed an issue where no results were returned for a Global Find request when using the short name domain\group format.
PAN-79291
Fixed an intermittent issue with ZIP hardware offloading where firewalls identified ZIP files as threats when they were sent over Simple Mail Transfer Protocol (SMTP).
PAN-42036
Fixed a rare intermittent issue on PA-800 Series, PA-2000 Series, PA-3000 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls where the firewall unexpectedly rebooted due to memory page allocation failure, which generated a non-maskable interrupt (NMI) watchdog error on the serial console.
PAN-33746
Fixed an issue where the firewall dropped IKE traffic when another IKE session was in the discard state on the firewall because the the new session matched the discard session. This issue persisted because the discard sessions remained on the firewall longer than expected because the firewall refreshed the discard-session timeout each time the 5-tuple on a new session matched the 5-tuple on the discard session.