PAN-OS 9.0.5 Addressed Issues
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
End-of-Life (EoL)
PAN-OS 9.0.5 Addressed Issues
PAN-OS® 9.0.5 addressed issues.
Issue ID | Description |
|---|---|
WF500-5137 | Fixed an issue where the show wildfire global last-device-registration all CLI
command incorrectly returned an error message: Failed, even
when you registered the firewall correctly. |
PAN-128561 | Fixed an issue where a process (all_pktproc)
stopped responding after you upgraded the firewall to PAN-OS® 9.0.4. |
PAN-128324 | (PA-7000 Series firewalls only)
Fixed an issue where internal path monitoring failures occurred
due to either a buffer leak or buffer corruption. |
PAN-127932 | Fixed an issue where the REST API reference
did not display the web browser documentation, which resulted in an
error when running a PAN-OS 9.0.4 release. |
PAN-127807 | Fixed an issue on Panorama™ M-Series and
virtual appliances where a process (configd) stopped
responding when you performed a commit to a large number of firewalls. |
PAN-127189 | Fixed an issue where images displayed through
the Clientless VPN were corrupted. |
PAN-126921 | (PA-7000 Series firewalls only)
Fixed an issue where internal path monitoring failed when the firewall
processed corrupt packets. |
PAN-126697 | Fixed an HTTPD issue with PHP where it leaked memory. |
PAN-126547 | Fixed an issue where a process (configd)
stopped responding when an XML API call with type=config&action=get triggered
during a commit. |
PAN-126534 | (PAN-OS 8.1.10 and later releases only) Fixed
an issue where the data from Security policies did not export as
expected. |
PAN-126354 | Fixed an issue where log in and commits
took longer than expected when you used XML API calls to create
new address objects. |
PAN-125933 | Fixed an issue where the receiving firewall
deleted the host information profile (HIP) report due to the report containing
the same IPv4 address in the IP and IP2 fields and caused a process
(useridd) to stop responding. |
PAN-125833 | Fixed an issue on a firewall in a high availability
(HA) active/passive configuration where a daemon (routed)
did not receive the updated interface status after an HA failover,
which caused routes to remain in the routing and FIB tables. |
PAN-125775 | Fixed an issue where Panorama management
servers deployed using the C5 or M5 instance types on Amazon Web
Services (AWS) caused the Panorama instance to stop responding in
regions that supported these instance types. |
PAN-125517 | An enhancement was made to improve firewall performance
for stream control transmission protocol (SCTP) flows. To enable
this enhancement, run the set sctp fast-sack yes CLI command. |
PAN-125515 | Fixed an issue on VM-Series firewalls where
the firewall dropped all traffic traversing from the dataplane to the
management plane. |
PAN-125478 | Fixed an issue on a firewall in an HA active/passive configuration
where the route to the passive firewall dropped during a failover. |
PAN-125452 | Fixed an issue where the firewall did not
list registered addresses from the Dynamic Address Group when the
same IP-tag information was received from two sources, which caused
the traffic flow to stop responding as expected. |
PAN-125346 | An enhancement was made to enable you to configure
IPv6 in the web interface and through a CLI command when you added
IPv6 virtual addresses to a firewall in an HA active/active configuration. |
PAN-125121 | (VM-Series firewalls only) Fixed
an issue where custom images did not function as expected for PAN-OS
9.0. |
PAN-125069 | An enhancement was made to enable you to
delete the GTP-C tunnel with all GTP-U tunnel sessions after the firewall
received a Delete Bearer Response message where default bearer ID=5.
To enable this enhancement, run the set gtp ebi5-del-gtpc [yes/no] CLI
command. |
PAN-124996 | Fixed an issue where a GlobalProtect™ daemon (rasmgr)
stopped responding when you connected with an overlapping IPv6 address,
which caused subsequent GlobalProtect connections to fail. |
PAN-124890 | Fixed a configuration lock issue where you
were unable to log in after you upgraded from PAN-OS 8.1.6 to PAN-OS
8.1.9. |
PAN-124630 | Fixed an issue where new logs were not ingested
due to a buffer exhaustion condition caused by invalid messages incorrectly
handled by elastic search. |
PAN-124481 | Fixed an issue where the dataplane stopped responding
when SMTP sessions were used. |
PAN-124299 | Fixed an issue on VM-Series firewalls in
an HA active/passive configuration where the active firewall leaked
packet buffers when links were disconnected from the hypervisor. |
PAN-123850 | (PA-5200 and PA-7000 Series firewalls only)
Fixed an issue where conflicting GTP sessions were installed in
short interval, which caused the firewall to queue GTP packets and
deplete packet buffers. |
PAN-123600 | Fixed an issue where the firewall was unable
to establish a connection to the DNS Security feature domain (dns.service.paloaltonetworks.com)
when the firewall could not connect with the primary DNS server
but could connect with the secondary DNS server. |
PAN-123446 | Fixed an issue where an administrator with
a Superuser role could not reset administrator credentials. |
PAN-123362 | Fixed an issue where the firewall used more
than expected virtual memory when you decreased the maximum elastic
search heap size. |
PAN-123190 | Fixed an issue on a firewall in an HA active/passive configuration
where a process (useridd) restarted multiple times
and caused the firewall to reboot. |
PAN-123030 | Fixed an issue with a memory leak associated
with a process (mgmtsrvr) when you pushed a commit. |
PAN-122662 | (PA-5260 firewalls only) Fixed
an issue where a process (mpreplay) stopped responding
after a commit when you configured the firewall with more than 200
virtual systems (vsys) running on PAN-OS 8.1.9. |
PAN-122601 | Fixed a memory leak issue with a process (configd)
when you performed device group related operations. |
PAN-122550 | Fixed an issue where VM-Series firewalls
on Microsoft Azure experienced traffic latency due to an incompatible driver. |
PAN-121945 | Fixed an issue on Panorama M-Series and
virtual appliances where after you deployed the firewall in Google Cloud
the Panorama serial console stopped responding. |
PAN-121911 | Fixed an issue where a process (logrcvr)
restarted during commits. |
PAN-121667 | Fixed an issue where traffic incorrectly
matched Security policies when configured static address groups
and FQDN IP addresses on Security policies overlapped. |
PAN-121523 | Fixed an issue where an API call triggered
memory errors, which caused a process (configd) to
stop responding and triggered SIGABRT logs. |
PAN-121447 | Fixed an issue where the BGP did not remove
the IPv6 default route from the forwarding table after the route was
withdrawn. |
PAN-121133 | Fixed an issue on Panorama M-Series and
virtual appliances where a validation job triggered a memory leak in
a process (configd), which caused context switching
between Panorama and the web interface to respond slower than expected. |
PAN-121001 | Fixed an issue where the firewall only reported
a maximum of two logs when you configured more than two hardware
security modules (HSM). |
PAN-120901 | Fixed an issue on Panorama M-Series and
virtual appliances where partial commits did not apply configuration
changes as expected. |
PAN-120361 | Fixed an issue on Panorama M-Series and
virtual appliances where objects were not compressed, which caused
higher than expected CPU and memory usage. |
PAN-120287 | Fixed a JavaScript error due to an incorrect
HTTP response, which prevented GlobalProtect Clientless VPN applications
to load. |
PAN-120151 | Fixed an issue where the DNS packet parser incorrectly
processed DNS packet headers when the QD count is 0. With this fix,
the DNS packet parser aborts further processing when QD != 1. |
PAN-119765 | Fixed an intermittent issue where the firewall dropped
sessions that used a large number of predict sessions. |
PAN-119680 | Fixed a rare issue where the show running CLI
commands for policy addresses caused file descriptor leaks. |
PAN-119289 | Fixed an issue on Panorama M-Series and
virtual appliances where you were unable to query Cortex™ Data Lake
by the serial number filter. |
PAN-119225 | Fixed an issue where an inaccurate sequence
number check for an RST packet caused the packet to drop. |
PAN-119185 | Fixed an issue where a process (panio)
caused more than expected CPU consumption. |
PAN-119172 | Fixed an issue where the firewall incorrectly
enforced URL category policies and erroneously triggered alert instead
of block. |
PAN-118985 | Fixed an issue on Panorama M-Series and
virtual appliances where a process (configd) experienced
high memory utilization and a memory leak condition, which caused
slower than expected performance. |
PAN-118881 | Fixed an issue where the user domain information was
missing from the user IP mapping entry when you configured Allow
Authentication with User Credentials or Client Certificate to Yes while
using a client certificate for GlobalProtect authentication. |
PAN-118783 | Fixed an intermittent issue where a daemon (dnsproxy)
stopped responding when you configured an HTTP proxy on the firewall. |
PAN-118762 | Fixed an issue where the GlobalProtect portal
used an outdated jQuery library. |
PAN-118720 | Fixed an issue on a firewall in an HA active/active configuration
where Oracle traffic SYN packets dropped intermittently with the flow_fpp_owner_err_no_predict counter. |
PAN-118628 | Fixed an issue where after you deployed
Panorama in Azure, you were unable to log in to Panorama with the username
and password that was provided during the deployment process. |
PAN-118583 | Fixed a memory allocation issue that prevented
URL filtering logs from displaying the full URL. |
PAN-118430 | Fixed an issue where pushed template configurations were
overridden when you made a configuration change in the Master Key Lifetime (DeviceMaster Key and DiagnosticEdit) field. |
PAN-118370 | Fixed an issue where the firewall displayed
incorrect application dependency warnings during commits when a Security
policy used a wildcard address. |
PAN-118277 | Fixed an issue where the firewall stopped
responding due to a race condition. |
PAN-118256 | Fixed an issue where a DNS Security signature response
from a cloud service caused a daemon (dnsproxyd) to
stop responding. |
PAN-118183 | Fixed an issue where a process (dnsproxyd)
stopped responding due to higher than expected CPU usage. |
PAN-118180 | Fixed an issue on firewalls configured with authentication
policies where UDP and ICMP packets matching an authentication policy
did not generate traffic logs as defined in the Security policy
when sessions were redirected or denied. |
PAN-118057 | Fixed an issue on a firewall in an HA active/passive configuration
where a process (all_pktproc) stopped responding and
the dataplane restarted, which caused an internal path monitoring
failure and an HA failover event. |
PAN-118055 | Fixed an issue where administrators were
unable to export Security Assertion Markup Language (SAML) metadata
files from virtual system (vsys) specific authentication profiles. |
PAN-117959 | Fixed an issue where LDAP authentication
failed when you configured the authentication server with an FQDN. |
PAN-117907 | Fixed an issue where the date and time provided
for a request license information output did not match the show
clock output provided by the NTP server. |
PAN-117900 | Fixed an issue where commits failed when
you moved an object referenced in a policy to a shared group. |
PAN-117888 | Fixed an issue where the firewall was unable
to detect the hardware security module (HSM), which caused the firewall
to drop SSL traffic. |
PAN-117878 | Fixed an issue where you were unable to
add a service definition to the NSX manager and the following error
message displayed: Failed to create object service-definition. Ret code is 400. |
PAN-117835 | Fixed an intermittent issue where a process (all_pktproc)
stopped responding, which caused a heartbeat failure and the firewall
to drop LACP and OSPF connections. |
PAN-117738 | (PA-3050 and PA-3060 firewalls only)
Fixed an issue where a higher than expected number of flow_fpga_flow_update messages
occurred when you configured QoS. |
PAN-117727 | Fixed an issue where job threads were deadlocked, which
prevented log in attempts and displayed the following error message: CONFIG_LOCK: write lock TIMEDOUT for cmd. |
PAN-117384 | Fixed an issue on Panorama M-Series and
virtual appliances where the connection between Panorama and managed
firewalls timed out when you upgraded PAN-OS 9.0.0 to PAN-OS 9.0.1
and displayed the following error message: Error - time out sending/receiving message. |
PAN-117303 | Fixed an issue where the BGP aggregate prefix,
which is advertised to multiple BGP peers was removed from RIB OUT
when you disabled one of the BGP peers. |
PAN-117120 | Fixed an issue on Panorama M-Series and
virtual appliances where a process (configd) restarted
due to virtual memory issues. |
PAN-117086 | Fixed an issue where community attributes
to BGP routes had a character limit of 31 characters, which caused expressions
to take longer than expected to process. |
PAN-117068 | Fixed an issue on Panorama M-Series and
virtual appliances where memory utilization increased more than expected
when you deleted several rules with an XML API delete command. |
PAN-116977 | Fixed an issue on VM-Series firewalls where
you could not upgrade to PAN-OS 9.0.1 or a later release with a pre-licensed
firewall. |
PAN-116949 | Fixed a memory leak issue with a process (mprelay),
which caused the dataplane to restart. |
PAN-116903 | Fixed an issue on Panorama M-Series and
virtual appliances where you were unable to configure Enable
X-Auth Support (NetworkGlobalProtectGatewaysTemplate<Template-stack>AgentTunnel Settings)
at the Template-stack level. |
PAN-116772 | Fixed an issue where the firewall sent empty attributes
in the LDAP query when you did not configure Alternate
Username 1 - 3 (DeviceUser IdentificationGroup Mapping
Settings<group-name>User and Group Attributes)
in the User Attributes web interface. |
PAN-116708 | Fixed an issue where administrators were
unable to export policies and objects in PDF format. |
PAN-116611 | Fixed an issue where an API call for correlated
events did not return any events. |
PAN-116473 | Fixed an issue where the firewall logged
URL categories configured for Allow in the URL filtering logs. |
PAN-116334 | Fixed an issue where a process (mgmtsrvr)
leaked memory caused by SNMP traps. |
PAN-116286 | Fixed an issue where commits failed after
you upgraded from PAN-OS 8.0.16 to PAN-OS 8.1.6 due to an invalid
encryption state for a host information profile (HIP) object. |
PAN-116274 | Fixed an issue where the firewall was unable
to authenticate when you pushed a public key from Panorama. |
PAN-116189 | Fixed an issue where Session Initiation
Protocol (SIP) calls failed and displayed the following error message: end-reason: resources-unavailable. |
PAN-115990 | Fixed an issue where the FQDN address object (PolicySecurity<address-object>Value) displayed the following
unrelated error: <FQDN-name> Not used. |
PAN-115959 | Fixed an issue where DNS names with more
than 63 characters did not resolve FQDN address objects during an FQDN
refresh. |
PAN-115890 | Fixed an issue where the show system info CLI
command incorrectly displayed VMware ESXi as VMWare ESXi. |
PAN-115879 | Fixed an issue on a firewall where a bypass
switch sent heartbeat messages to the firewall, which triggered non-stop
link status change interrupts through a Marvell switch. |
PAN-115697 | Fixed CVE-2019-17437, see PAN-SA-2019-0038 for details. |
PAN-115549 | Fixed an issue where predict sessions were incorrectly
created with a captive-portal zone, which
caused the firewall to drop RTP traffic. |
PAN-115349 | Fixed an issue where an incorrect predict
session was created when a policy-based forwarding (PBF) policy
was used without a NAT in the parent session, which caused the firewall
to drop RTP and RTCP packets. |
PAN-115344 | Fixed an issue where the Username Modifier%USERDOMAIN%\%USERINPUT% enabled
you to log in to a locked out user account. |
PAN-115340 | Fixed an issue on a firewall in an HA active/passive configuration
where the passive firewall experienced higher than expected dataplane
CPU usage caused by HA IPSec messages bouncing between dataplanes. |
PAN-115282 | Fixed an issue where temporary download
files were deleted before a download job was completed, which caused
the progress bar to remain at 0% and prevented a timeout when downloads
fail. |
PAN-115281 | Fixed an issue where the firewall did not
resolve an external dynamic list server address when the DNS proxy configured
it as a static entry. |
PAN-115110 | An enhancement was made to enable you to configure
syslog parameters through the CLI debug command. To view the available
parameters and change the configurations, run the debug syslogng-params settings CLI
command and perform a commit force to apply the edits. |
PAN-115108 | Fixed an issue on Panorama M-Series and
virtual appliances where scheduled uploading and installation of WildFire®
content meta files to WF-500 appliances failed and displayed the
following error message: device not supported. |
PAN-114880 | Fixed an issue where the debug management-server summary-logs flush-options max-keys CLI
command did not persist through a system reboot. |
PAN-114856 | A change was made to limit debug log visibility
to superusers only. |
PAN-114771 | Fixed an issue on Panorama M-Series and
virtual appliances where Decrypt Mirror (Objects DecryptionDecryption Profile<Device Group-name>) did
not appear in the Interface drop-down menu
when you tried to configure a Decryption Profile. |
PAN-114667 | Fixed an issue on a firewall in an HA active/passive configuration
where a split-brain condition occurred after you upgraded from PAN-OS
8.1.3 to PAN-OS 8.1.6. |
PAN-114628 | Fixed an issue where Panorama was unable
to query logs forwarded from the firewall to the log collector. |
PAN-114540 | Fixed an issue where renaming a template
stack did not change the value and reset to the original value after you
commit the change. |
PAN-114456 | Fixed an issue where extended packet capture
(pcap) for threat logs caused a process (mgmtsrvr)
to stop responding. |
PAN-114270 | Fixed an issue where the firewall dropped
TCP trace route traffic after you upgraded to PAN-OS 8.1.5. To leverage
this fix, run the set session tcp-reject-diff-syn no CLI command. |
PAN-114247 | Fixed an issue where a larger than expected
number of Could not find entry for interface ethernet1/<interface>.<subinterface> in CPS table filled
the snmpd.log, which caused the log file to rotate more frequently
than expected. |
PAN-113610 | Fixed an issue where Panorama incorrectly
deleted valid device group directories and was unable to generate reports. |
PAN-113606 | Fixed an issue where the Throughput column (PanoramaManaged DevicesHealth) was incorrectly labeled. |
PAN-113261 | (PA-5200 Series firewalls only)
Fixed an issue where the total entries for the URL filtering allow
list, block list, and custom categories were incorrectly set to
an entry limit value other than 100,000. |
PAN-113162 | Fixed an issue where you were unable to
create shared URL filtering profiles from the Panorama web interface. |
PAN-112661 | Fixed an issue where you were unable to
access a firewall due to a defective small form-factor pluggable (SFP)/SFP+
module inserted into the firewall. |
PAN-111544 | Fixed an issue on Panorama M-Series and
virtual appliances configured as log collectors where SSH did not respond
after you enabled SSH on ethernet1/1. |
PAN-110685 | Fixed a rare issue where an incorrect User-ID™ match
to the respective LDAP group caused a security policy mismatch. |
PAN-110098 | Fixed an issue on a firewall in an HA active/passive configuration
where you were unable to synchronize configurations or dynamic updates
between HA pairs. |
PAN-109874 | Fixed a memory leak issue on a firewall
during a commit, which prevented the firewall from generating GlobalProtect
client configurations. |
PAN-108876 | Fixed an issue where the firewall dropped
Session Initiation Protocol (SIP) registration packets, which caused SIP
sessions to fail. |
PAN-108373 | Fixed an issue where an application dependency warning
incorrectly displayed when you configured negate-source yes on
a security rule to deny an application. |
PAN-108012 | Fixed an issue on Panorama M-Series and
virtual appliances where you could not add and generate a certificate
as expected. |
PAN-106434 | Fixed an issue where a process (keymgr)
stopped responding due to missed heartbeats, which caused IPSec
tunnels to stop responding. |
PAN-102195 | Fixed an issue where the firewall did not
detect all threat sessions while the App and Threat content installation
was processed. |
PAN-100977 | (VM-Series NSX edition firewalls only) Fixed
an issue where the existing logs for dynamic address updates had
insufficient information to debug the root cause of an issue and
where the dynamic address update logs were larger than expected,
which caused the file to roll over every five minutes and did not
provide a sufficient log history to debug issues. |