PAN-OS 8.1.8 Addressed Issues
Focus
Focus

PAN-OS 8.1.8 Addressed Issues

Table of Contents
End-of-Life (EoL)

PAN-OS 8.1.8 Addressed Issues

PAN-OS® 8.1.8 addressed issues
Issue ID
Description
WF500-5023
Fixed an issue on WF-500 appliances where the cluster service took longer than expected to start due to a large number of queued sample data.
WF500-4974
Fixed an issue on WF-500 appliances where the static analysis results displayed in the PDF report but did not display in the WildFire® analysis summary of the web interface.
WF500-4844
Fixed an issue on WildFire appliance clusters where the passive-controller responded with the incorrect Common Name (CN) in the certificate, which caused the registration to fail.
WF500-4838
Fixed an intermittent issue on a WF-500 appliance where WildFire reports took longer than expected to generate, which caused the task to automatically timeout.
WF500-4785
Fixed a rare issue on WF-500 appliances where the firewall did not respond after you upgraded the appliance from a PAN-OS® 8.0.1 release to a PAN-OS 8.0.10 or later release. With this fix, you can run the new debug software raid fixup auto CLI command to recover the RAID controller.
WF500-4784
Fixed an issue on a WF-500 appliance where during a reboot, the following error message displayed: FATAL: module nbd not found.
WF500-4743
Fixed an intermittent issue on a WF-500 appliance where the CLI command debug wildfire reset global-database fix stopped responding.
PAN-116316
Fixed an issue where RTP and RTCP predict sessions failed, which caused RTSP based video streaming to stop processing.
PAN-116084
Fixed a file descriptor issue that caused an interface on a VM-Series firewall on Azure to stop receiving traffic.
PAN-114984
Fixed OpenSSL vulnerability CVE-2019-1559, see PAN-SA-2019-0039 for details.
PAN-114403
Fixed an issue on Panorama™ M-Series and virtual appliances where serial numbers for deployed firewalls did not display in the web interface with the exception of GlobalProtect™ cloud service firewalls.
PAN-114181
Fixed an issue where the firewall incorrectly triggered Reverse Path Forwarding (RPF), which caused packet leaks.
PAN-113692
Fixed an intermittent issue on a firewall in a high availability (HA) active/passive configuration where five minutes after a failover test IP routes disappeared, which caused traffic interruptions.
PAN-113446
Fixed an issue where the firewall unintentionally generated the following system log: Installed content package WildFire is newer than available package, skipping, when you checked for WildFire updates.
PAN-112815
Fixed an issue on a firewall in an HA active/passive configuration where a process (useridd) did not respond to the alternate user attribute (DeviceUser IdentificationGroup Mapping Settings<group mapping-name>User and Group Attributes) on the passive firewall during a restart.
PAN-112814
Fixed an issue where H.323-based calls lost audio because the predicted H.245 session was not converted to Active status, which caused the firewall to drop the H.245 traffic.
PAN-112729
Fixed an issue on Panorama M-Series and virtual appliances where Decrypted Sessions Info (PanoramaManaged DevicesHealthAll Devices<device-name>Sessions) did not display as expected for VM-Series firewalls.
PAN-112445
Fixed an issue on a firewall in an HA active/passive configuration where a race condition caused the firewall to stop responding after an HA1 link flap.
PAN-112194
Fixed an issue where packet buffers did not release GlobalProtect clientless VPN packets, which caused the firewall to stop responding.
PAN-112187
Fixed an issue where a process (report_gen) ran out-of-memory, which caused the dataplane to restart.
PAN-111897
Fixed an issue where the tags were not set on OSPFv3 routes redistributed to BGP-3.
PAN-111844
(VM-50 and VM-50 Lite firewalls only) Fixed a rare out-of-memory (OOM) condition.
PAN-111822
(PA-3200, PA-5200, and PA-7000 Series firewalls only) Fixed an intermittent issue on a firewall configured with policy-based forwarding (PBF) and symmetric return, where traffic dropped because the ARP table did not get updated.
PAN-111679
Fixed an issue where URL filtering profiles were being incorrectly applied to security policies during a commit.
PAN-111653
Fixed an issue on PA-7000 Series firewalls where an internal packet buffer leak caused heartbeat failures.
PAN-111052
Fixed an issue where a firewall silently dropped TCP packets when you enabled the Antivirus profile while the software deterministic finite automation (DFA) option is disabled (DFA is disabled by default).
PAN-111048
Fixed an issue where the show object dynamic address group XML API command returned an invalid error message: You must specify a valid Device Group.
PAN-110996
Fixed an issue where the dataplane stopped responding due to an incorrectly calculated offset when you configured Exclude video traffic from the tunnel (NetworkGlobalProtectGateways<gateway-name>AgentVideo Traffic).
PAN-110873
Fixed an issue where member interfaces of the aggregate interface did not display on web interface (PanoramaManaged DevicesHealthAll Devices<device-name>Interfaces).
PAN-110796
Fixed an issue on PA-3200 and PA-5200 Series firewalls where an erroneous dataplane error (power status is bad, shutting system down) caused the firewall to shutdown.
PAN-110758
Fixed an issue on Panorama M-Series and virtual appliances where you were unable to configure the firewall to disable the portal log-in page.
PAN-110628
Fixed an issue where user groups were deleted from the Group Include List (DeviceUser identificationGroup Mapping Settings<group-name>Group Include List) if you changed the LDAP server profile account password.
PAN-110441
(PA-5200 Series firewall only) Fixed an intermittent issue where the internal path monitoring failed, which caused the firewall to unexpectedly restart.
PAN-110390
Fixed an issue on PA-7000 Series firewalls where invalid filters caused the device management server to stop responding when you generated a database (DB) report from a remote firewall.
PAN-110336
(PA-3000, PA-3200, PA-5000, PA-5200, and PA-7000 Series firewalls only)Fixed an issue where a process (mpreplay) restarted and caused the offload traffic to drop.
PAN-110273
Fixed an issue where you were unable to establish OSPF neighborship when an OSPF routing protocol was configured with MD5 authentication and one of the firewalls was restarted.
PAN-109966
Fixed an issue where the content update threshold downloaded and installed an older content version after you manually installed a newer content version.
PAN-109954
Fixed an issue where a commit failed with an error message: cluster is missing 'encryption' when HA Traffic Encryption (PanoramaManaged WildFire Clusters<appliance-name>Communication) was not configured and after upgrading from PAN-OS 8.0.12 to PAN-OS 8.1.4.
PAN-109944
Fixed an intermittent issue where a process (configd) restarted due to a race condition when generating custom reports.
PAN-109837
Fixed an issue where a race condition occurred when a configuration push and Netflow update occurred simultaneously, which caused the dataplane to restart.
PAN-109803
Fixed an issue where credential phishing prevention did not detect user or password phishing when passwords, which contained two discontiguous character spaces were used.
PAN-109759
Fixed an issue where the firewall did not generate a notification for the GlobalProtect client when the firewall denied unencrypted TLS sessions due to an authentication policy match.
PAN-109757
Fixed an issue on Panorama M-Series and virtual appliances where the management server stopped responding when the log collector disconnected and reconnected to Panorama.
PAN-109665
Fixed an issue where you were unable to disable the Graceful Restart (NetworkVirtual Routers<router-name>BGPAdvanced) configuration.
PAN-109619
Fixed an issue where a physical or Aggregate Ethernet (AE) Layer 3 configuration edit (NetworkInterfaces<interface-name>) removed the DHCP Client setting when it was configured in the subinterface.
PAN-109575
Fixed an issue where you were unable to configure more than one device certificate (DeviceCertificate ManagementCertificates<device certificate-name>) with Trusted Root CA.
PAN-109344
Fixed an issue where service objects did not import into Panorama when you configured them identically but with different names.
PAN-109101
Fixed an issue where you were unable to override IKE Gateway configurations (NetworkIKE Gateways<template-name>) in the template stack. However, with this fix, you still cannot override template stacks when you configure any value with "none." Additionally, to override the Local Identification, select Authentication in the pop-up dialogue.
PAN-108878
Fixed an issue where host traffic ICMP packets larger than 9,180 bytes dropped when you configured a jumbo frame with a maximum MTU value of 9,216 bytes and with the DF option enabled.
PAN-108846
Fixed an issue where a higher than expected rate of tunnel resolution packets occurred due to an internal loop, which caused a spike in dataplane CPU usage for firewalls that support distributed tunnel ownership.
PAN-108715
Fixed an issue where the firewall did not update the dataplane DNS cache after the management plane (MP) DNS entries expired, which caused evasion signatures to erroneously trigger a Suspicious TLS/HTTP Evasion Found event.
PAN-108620
Fixed an issue where Traps ESM (MonitorTraps ESM) logs were sent to the Log Collector but did not display in the web interface.
PAN-108459
Fixed an issue where Network Activity (ACCNetwork Activity) incorrectly displayed no session activity at random time points.
PAN-108409
Fixed an issue on a firewall in an HA active/passive configuration where scheduled dynamic updates pushed from Panorama to the managed firewalls failed.
PAN-108215
Fixed an issue where the test security-policy-match CLI command ignored source-user when matching security policies.
PAN-108164
Fixed an issue where a process (tund) caused the dataplane to restart during a commit.
PAN-107998
Fixed an issue where you could not log-in to GlobalProtect and resulted in the following error message: The client certificate is invalid. Please contact your IT administrator.
PAN-107662
Fixed an issue on a firewall in an HA active/active configuration where client-bound DHCPv6 packets dropped when you configured the firewall as a DHCPv6 relay agent.
PAN-107370
Fixed an issue where IPv6 traffic throughput reduced more than expected after you updated a static ND entry (NetworkInterfaces<interface-name>AdvancedND Entries) by moving the interface to a different virtual router.
PAN-107126
Fixed an issue where an SSL inbound session cache corruption caused a process (all_pktproc) to stop responding.
PAN-106950
Fixed an intermittent issue where authd CPU usage is higher than expected during RADIUS authentication.
PAN-106861
Fixed an issue where stale route entries remained in the FIB after the routes were removed from the routing table when you used a redistribution rule without a profile.
PAN-106783
Fixed an issue where after a SAML authentication an incorrect query was sent to the web browser.
PAN-106746
Fixed an issue where VoIP traffic dropped when policy-based forwarding (PBF) was configured as a rule.
PAN-106735
Fixed an issue where the firewall incorrectly set the FPGA, which caused the dataplane to stop responding.
PAN-106695
Fixed an issue on a firewall in an HA active/passive configuration where the Panorama management server enabled the administrator to clone a rule on the passive firewall.
PAN-106433
Fixed an issue where after you configured Packet Buffer Protection on a firewall, a process (all_pktproc) stopped responding.
PAN-106259
Fixed an issue on a firewall in an HA active/passive configuration where the passive firewall reported a higher number of GlobalProtect user accounts than the active firewall.
PAN-106249
(PA-200, PA-220, and PA-800 Series firewalls only) Fixed an issue where the Block IP List option, which is not supported, displayed in the administrator role profile (DeviceAdmin RoleWeb UI).
PAN-106069
Fixed an issue on a firewall in an HA active/active configuration where the iBGP peer default route did not get added to the routing table after a reboot of either firewall.
PAN-105925
Fixed an issue where the GlobalProtect Gateway web interface did not display the list of previous users.
PAN-105466
Fixed an issue where the Allow matching usernames without domain (DeviceUser IdentificationUser-ID Agent SetupCache) configuration did not respond without a domain when you used the PAN-OS XML API.
PAN-105397
Fixed an issue where a firewall incorrectly processed path monitoring, which originated from a NAT firewall on the same network segment.
PAN-105252
Fixed an intermittent issue on a firewall where dataplane CPU spikes occurred, which caused an LACP flap.
PAN-105086
Fixed an issue where the firewall incorrectly calculated the password expiry time for admin accounts, which caused Panorama to push locked user accounts.
PAN-104578
(PA-800 Series firewalls only) Fixed an issue on a firewall in an HA active/passive configuration where the HA failover took longer than expected.
PAN-104568
Fixed an issue where the firewall did not send emails when you configured the email gateway with an FQDN.
PAN-104274
Addressed an issue where in a slow network environment the firewall displayed an error message: error on line 1 at column 1: document is empty when you used an API call to fetch a license even when the auth code was successfully applied. Extremely slow networks may still see this issue.
PAN-104264
Fixed an issue where the Panorama management server stopped responding when you upgraded from PAN-OS 8.0.9 to PAN-OS 8.1.3.
PAN-104007
Fixed an issue where the WildFire signatures sent Windows Server Updates Services (WSUS) traffic when the virus identification was incorrectly enabled in the ms-sms app definition.
PAN-103863
Fixed an issue where the IPSec tunnel restart (NetworkIPSec TunnelsIKE Info) did not display properly on the web interface.
PAN-103844
Fixed an issue where Global Find incorrectly returned the query when there were more than one users or groups listed in the security rule.
PAN-103367
Fixed an issue where Detailed Log View (MonitorTrafficDetailed Log View) did not display the file blocking logs as expected.
PAN-103061
Fixed an issue where special characters contained in the comment field of the Ethernet Interface web interface caused a process (devsrvr) to stop responding.
PAN-102979
Fixed an issue where Dynamic Updates did not display expired threat prevention licenses when you tried to install an application from Panorama.
PAN-102595
Fixed an intermittent issue on a firewall in an HA active/active configuration where fragmented ICMP and UDP packets dropped from the packet transmission.
PAN-102532
Fixed an issue where the firewall used an expired certificate, which caused connecting to Cortex Data Lake to fail.
PAN-102327
Fixed an issue on PA-3200 Series firewalls in an HA active/passive configuration where the copper ports of passive firewall were active when the passive link state was set to shutdown.
PAN-102145
Fixed an issue where the API keys did not update after you changed the master key.
PAN-102029
Fixed an issue on a firewall where the DNS resolution routed through the dataplane and configured with a service route, stopped responding when the management interface was not configured.
PAN-101764
Fixed an issue where a process (slmgr) stopped responding during an auto-commit.
PAN-101391
Fixed an issue where the scheduled nightly custom report was not generated or emailed as expected.
PAN-101379
Fixed an issue where an invalid Captive Portal authentication policy was successfully pushed to managed firewalls, which caused autocommits to fail.
PAN-100832
Fixed an issue where, when you performed a Commit from Panorama to bring a firewall back to sync, the rule order displayed a random distribution instead of reflecting the order configured in Panorama.
PAN-100742
Fixed an issue on Panorama M-Series and virtual appliances where scheduled reports generated more than one DNS lookups, which caused inconsistent name resolutions for DNS deployments.
PAN-100693
Fixed an issue where you were unable to process Address Group match criteria when the match name included the double quotation ( " ) character.
PAN-99976
Fixed an issue where a process (pan_threatvault_reports) caused the elastic search script and another process (configd) to stop responding.
PAN-99707
Fixed an issue where the command-line interface (CLI) displayed an error message when you used a parenthesis character in a Global Protect External Gateway name.
PAN-99640
A security-related fix was made to address a denial of service (DoS) vulnerability in PAN-OS Linux Kernel (CVE-2017-8890).
PAN-99478
Fixed an issue where a daemon (authd) took longer than expected to fetch group mapping, which caused commits to take longer than expected.
PAN-99354
Fixed an issue where the firewall incorrectly denied URL access when the URL filtering profile was configured to alert.
PAN-98746
Fixed an issue where GlobalProtect clientless VPN did not get redirected to the application URL when you used Internet Explorer as a web browser.
PAN-98386
Fixed an issue where a security rule with an "Any" destination address did not shadow rules with IPv6 destination addresses when you performed a commit or configuration validation.
PAN-98107
Fixed an issue on PA-7000 Series firewalls where Encapsulating Security Payload (ESP) sequence numbers were reused when multiple proxy IDs were in use, which caused ESP traffic to drop while you conducted an ESP sequence check.
PAN-97953
Fixed an issue where Threats (MonitorReportsThreat ReportsThreats) did not display resolved Threat IDs to Threat/Content Names for disabled signatures as expected.
PAN-97862
Fixed an issue where an administrator with a custom configuration role could not export custom reports and returned the following error message: Error enqueuing export job.
PAN-97700
Fixed an issue where administrators could not view Managed Collectors (PanoramaManaged Collectors) web interface.
PAN-97488
Fixed an issue on Panorama M-Series and virtual appliances where the commit preview did not display as expected.
PAN-97288
Fixed an issue on GlobalProtect Clientless VPN where the URL gets truncated when you exclude the domain from the rewrite exclude domain list.
PAN-97187
Fixed an issue on VM-Series firewalls where a configuration commit failed due to a reversed bootstrapping process where the configuration was applied before the auth code.
PAN-96036
Fixed an issue on Panorama M-Series and virtual appliances where the Group Include List (DeviceUser Identification<group-name>Group Include List) search function did not respond as expected.
PAN-95644
Fixed an issue on a firewall where the web interface did not display traffic and unified logs due to a race condition.
PAN-94475
(Panorama virtual appliances only) Improved a condition where a disk calculation error resulted in an erroneous opt/panlogs/ partition full condition and caused a process (CDB) to stop responding.
PAN-94161
Fixed an issue where the log collector mode did not display logs as expected after you rebooted Panorama.
PAN-92872
Fixed an intermittent issue where the firewall sent packets incorrectly to an outgoing interface.
PAN-92161
Fixed an issue where an internal power status reported as abnormal caused the firewall to shutdown.
PAN-92155
Fixed an issue where administrators were unable to configure an IP address using templates for HA2 (DeviceHigh AvailabilityData Link (HA2)) after setting the configuration to IP or Ethernet for Panorama management servers in an HA configuration.
PAN-81778
Fixed an issue where scheduled reports did not generate as expected due to a race condition.
PAN-79640
Fixed an issue where the firewall intermittently logged incorrect actions for WildFire submissions and reports.