PAN-OS 6.0.0: Addressed Issues

Created On 09/25/18 18:40 PM - Last Modified 11/27/18 17:33 PM


Resolution


The following issues have been addressed in the PAN-OS 6.0 release.

Issue | Description
60347 | Some service route settings could not be configured when the web interface was set to a language other than English.
59772 | Traffic logs from log collectors are not visible on the Panorama web interface.
59707 | NTP information on the firewall was displayed in a way that could lead to confusion; for example, stating that the server the device is synced with is not connected (connected: false). NTP information is now displayed more clearly.
59407 | NetFlow (type 4) messages were appearing in the traffic log database and reports.
59128 | After logging in to Panorama using the CLI with RADIUS credentials, the following error message was printed: Server error : show -> system -> setting -> multi-vsys is unexpected.
59031 | When admin users tried to log into the CLI without previously logging into the web interface and a RADIUS authentication profile was configured, the firewall sent out a request to the RADIUS server with an invalid password different from the one submitted by the user. This resulted in valid users being unable to authenticate to the RADIUS server.
59030 | Certificates generated during SSL decryption were not adhering to the ASN.1 format. This was leading to the SSL connection being dropped by some servers.
58885 | The test nat-policy-match command now properly displays results for no-nat rules.
58736 | WildFire email notifications did not contain a date header.
58733 | The fields in the CSV report were displayed incorrectly after performing a CSV export on the Monitor > HIP Match page on the Panorama web interface.
58614 | Local users discovered by WMI query were mapped as the local user of the computer, instead of Unknown as is the expected behavior.
58347 | Suppressed extraneous messages (for example, disabling an interrupt request that occurs within the underlying subsystem) from displaying on the console. These messages are now logged in the system log only.
58264 | Previously, the debug software virt-limit limit command showed an incorrect max value: 4294967295. The max value has been fixed to display in kilobytes.
58223 | Captive portal was not presenting a complete certificate chain to the client. It presented only the end certificate and not the intermediate certificate.
58215 | The output from the CLI command show routing protocol ospf area was rearranged to provide greater clarity in the values defined.
57975 | It was not possible using Panorama to proxy a REST API call for retrieving report information from a firewall.
57960 | When the Palo Alto Networks firewall was configured to support several virtual systems, the firewall administrator could not revert the Destination Interface in a NAT Policy Rule back to the option any after an interface had been selected. This was because the any field in the NAT to-interface configuration had an incorrect schema value. The incorrect schema was fixed by adding any as a default NAT to-interface value in the configuration.
57927 | When authenticating through captive portal, there was a delay after the authentication redirect for Firefox and Chrome browsers. This has been corrected by closing the socket after the redirect.
57874 | DNS resolution did not turn off when the Resolve Hostname checkbox was cleared in the Monitor tab, and the Palo Alto firewall continued to display the hostnames instead of the IP addresses. IP addresses are now displayed when the Resolve Hostname checkbox is cleared.
57768 | A DHCP server did not differentiate between DHCP Clients when the DHCP Client Identifier in the DHCP request exceeded 32 bytes. The maximum size of the DHCP Client Identifier has been increased to 312 bytes.
57660 | PA-2000 Series platform management ports did not link up when connected directly using a straight or cross cable.
57608 | When using multiple NetFlow hosts across multiple profiles, instances of the FlowSequence number were skipped. The expected behavior is that the value is cumulative, and should be used by the Collector to identify whether any Export Packets have been missed.
57535 | Fixed an issue where the user was not able to create a QoS profile with an egress bandwidth greater than 50 Mbps on a virtual firewall (Network > Network Profiles > QoS Profile).
57507 | The option L3 Forwarding Enabled in the configuration of a VLAN has been removed. In pre-6.0 releases, enabling or disabling this option did not affect traffic forwarding. Enabling or disabling L3 forwarding on a VLAN should be performed by adding or removing an L3 VLAN interface to the VLAN configuration.
57448 | The IRC checkbox in the Botnet Configuration window (Monitor > Botnet) was not displayed on the web interface when the language was set to Japanese and a Chrome browser was being used.
57360 | CLI help for show session all filter destination command is showinginstead of.
57258 | Both HTTP and HTTPS were available when accessed directly from the management interface; however, HTTP was unavailable when accessed using a subinterface.
57159 | The dataplane was passing traffic even though the management plane was rebooted and could not boot.
57154 | On a PA-5000 Series firewall, the QoS rate is adjusted slightly to accommodate hardware limitations. The following help message now is displayed on the configuration window on the web interface: Bandwidth limits shown include hardware adjustment factor.
57098 | In some Layer 2 configurations, multicast traffic passing through the firewall was resulting in both forward and drop counters incrementing due to the packets being broadcast. Additionally, the multicast packet was included in both the transmit and drop stage dataplane packet capture. New global counters were added to clarify the actions being taken by the firewall when processing multicast packets in a Layer 2 configuration.
56905 | When a PA-5000 Series firewall received more than 3000 BGP prefixes, the web interface showed an error when displaying the Local RIB for BGP: op command for client routed timed out. Additionally, when the command show routing protocol bgp loc-rib-detail was issued, the CLI returned the error: Server error : op command for client routed timed out.
56858 | A cache corruption prevented the user from downloading files when clicking the Continue button in the File Blocking Continue page.
56802 | In a single-vsys setup, a Log Forwarding Profile created on the web interface was not displayed after issuing the CLI command: show shared log-settings profile.
56787 | After an upgrade, the captive portal custom response page shows ::ffff: before the IP address.
56703 | In the web interface, global timeout values were displayed in addition to the application-level timeout values that actually took effect. This has been updated to show only application level timeout values.
56367 | Fixed an issue where NetFlow data could not be exported for all subinterface types. NetFlow records were not picked up by the log-receiver.
56107 | Addressed dataplane restarts that occurred intermittently on the PA-3000 Series devices deployed in an HA configuration.
56087 | Log collectors were optimized in PAN-OS 6.0.0 for quicker failover and failback.
55833 | GRE port information was not mapped correctly on the VM-series platforms, causing predict sessions to not match and leading to dropped packets.
55774 | On the web interface, setting the value for max-rows-in-csv-export did not work when set to more than 65535.
55696 | Misspellings were displayed in the output for the command set session processing-cpu. The misspellings have been corrected.
55693 | Added an enhancement to reduce the routed log in order to help reduce OSPF flaps.
55407 | User-ID virtual memory was exceeding its limit in a multi-VSYS environment when a large number of LDAP objects were returned to the firewall. With this fix, LDAP queries made by the firewall will filter on groups specified in the include-list.
55387 | When using local user groups to assign users to particular gateways, the connection to the GlobalProtect server for the users in that local group failed.
55111 | When traffic triggered session reuse and was offloaded, sometimes a FIN was dropped when the sequence number was out of window. This has been fixed so that the sequence number check on an offloaded re-used session is skipped, as the dataplane processor cannot track sequence numbers after offloading.
54958 | Upon opening a PCAP on the firewall, escape sequences were displayed instead of the special characters in the data part. A fix is provided to display the characters correctly.
54949 | A commit failed when DHCPv6 relay was configured on an interface that did not have an IPv4 address.
54755 | An issue was addressed where creating a static route with the next hop set to None and cloning it or going back into it was changing the next hop settings tofrom None.
54676 | In the web interface, on the Device > User Identification > Group Mapping Settings > Group Mapping > Group Include List tab, the list of Available Groups to add to the Included Group list displayed approximately the first 200 groups, with the option to select more... to view more group entries. However, clicking more... failed to display more group entries, even when several more groups are defined and should be available.
54547 | Fixed an issue where peer HA2 IP information was not getting updated after issuing the CLI command show high-availability all.
54486 | Added support for both single quote and double quote values when entering options using the Command Line Interface (CLI).
54283 | An auto commit failed during a threat database update, displaying the error Threat database handler failed.
54265 | The system log message Antivirus job failed has been updated and the following will be reported in the system log instead: Antivirus update job failed.
54113 | A Forwarding Information Base (FIB) table entry discrepancy caused SSH packets to be sent back. This occurred only on PA-2000 Series firewalls.
53888 | On PA-5000 Series devices, the DIPP limit was causing the following system error when trying to add more NAT policies to the firewall: Error: Number of dynamic-ip-and-port rules (251) exceeds vsys capacity (250) Error: Failed to parse nat policy. The maximum number of DIPP has now been increased.
53632 | Fixed a BGP aggregate policy issue where the aggregate route was no longer advertised when a more specific prefix within the aggregate range was learned.
53615 | When enabling IPv6 on an interface, link local IPv6 routes were counted towards the rtm_total/connected/ipv6; however, the Link Local IPv6 routes were not installed to the Forward Information Base (FIB) on the dataplane.
53554 | Disks in a Panorama VM OVF were misaligned with NetApp and caused performance degradation with some storage devices.
53514 | An HA Active/Active configuration for IPv6 using FCoE Initialization Protocol (FIP) did not behave consistently when SLAAC was also configured.
53148 | Output of debug dataplane packet-diag show setting command truncates the interface name to 15 characters.
53059 | Role-based admin users without privileges to access logs or the Monitor tab were able to view logs using the Dashboard widgets.
52847 | Link monitoring and Path monitoring were on hold when a commit started and until one minute after the commit was done. Changes are introduced to remove the hold on the Link and Path monitoring during Phase -1 of commits.
52777 | Link and Path monitoring were not always working properly during the commit process.
52738 | Reset was sent to Captive Portal clients when trying to load multiple pages before logging in to the portal.
52629 | PAN-DB reverted back to Brightcloud due to lack of management connection for first reboot.
52567 | The loading icon was not shown when using the list of users to add a source user to a security policy on the web interface.
52214 | Some traffic was getting dropped if the number of routes in the routing table was high.
52184 | Changing the Jumbo Frame settings on the device without restarting the entire device caused the dataplane to experience an unexpected restart. This has since been fixed so that when you change Jumbo Frame settings, an entire device reboot is no longer required and a dataplane restart will work.
52128 | Fixed an issue where a management profile was configured on an interface and the clients were not getting IP addresses from the DHCP server when the device was configured as a DHCP relay agent.
52050 | After manually upgrading PAN-OS, no Reboot button was visible, as it was in previous releases. A message was displayed instead that the user must reboot the device by closing the current window and then rebooting.
51955 | The CLI displayed two counters listed under IPv6 filter, even though they also applied to IPv4. A change was made to list them under IPv(4/6) filter.
51880 | Dynamic role based device admins did not have the ability to save, export, load, and revert a configuration on the firewall or Panorama. This fix provides these capabilities to the admins.
51824 | Device Groups added to multiple virtual systems were not always shown as managed devices on the web interface (Panorama > Device Groups > Device Group).
51648 | In an HA Active/Passive setup, if NAT exists for outbound FTP connections and the interface IP address is used for the NAT, the ftp-data session would not synchronize to the passive device.
51597 | When the XML API was used to push IP address, port range and username information to a firewall deployed in HA, the details were not synchronized with the HA peer.
51091 | Two-factor authentication (where both a client certificate profile and an authentication profile are configured) was not functioning as expected. The client was not required to provide the login credentials associated with the authentication profile after successfully authenticating with the client certificate.
51089 | Fixed an issue where repeat count in threat logs resulted in incorrect values.
51062 | Inter-vsys sessions that traverse the firewall and terminate on a firewall interface would fail. This has been fixed.
51042 | Certificates that were generated prior to master key changes could continue to be used.
51000 | On a redundant Power Supply system on a PA-5000 Series device, no system log was visible when removing or adding a redundant Power Supply. Logging for these events has been added.
50963 | Panorama software deployment failed to deploy when the OK button was clicked.
50936 | Crypto Cores were created when a SIGTERM signal was received while the management plane was starting.
50817 | When a GlobalProtect gateway’s external facing interface is configured with dynamic PPPoE and a loopback interface is configured for the destination interface to the GlobalProtect portal, GlobalProtect users are not able to connect. The issue is due to a problem with the gateway determining the tunnel ID of the portal in this configuration, causing a problem with the gateway reaching the portal. The workaround is to not use the loopback interface; the PPPoE interface should be used in this configuration. The issue occurs in 4.1.6 and later versions of 4.1.x and all versions of 5.0. This issue was fixed to allow the use of a loopback interface when the external facing interface for the gateway is dynamic.
50606 | Captive Portal authentication failed when the username contained the character &. This issue has been addressed so that & is a valid character and Captive Portal authentication is successful when a username contains the character &.
50478 | The Certificate Signing Request (CSR) generated by the firewall had a Challenge Attribute set by default. If configured, the signing entity could use this attribute or ignore it. Since this attribute was not being ignored by some signing entities, the behavior has been updated so that the Challenge Attribute is not set by default.
50310 | A destination-based service route for DNS prevented an FQDN query from refreshing.
50091 | A possible memory leak caused management plane services to not perform optimally during peak traffic periods.
50079 | Added logging enhancements in order to help identify root cause.
50048 | The CLI command show session all filter from to displayed no active sessions, when there were active sessions that should have been displayed in the output.
49851 | In PAN-OS 6.0, DoS enforcement is now performed in the CPU prior to session installation.
49828 | In custom reports, source and destination country are now available in the Query Builder as grouping options to organize the report.
49727 | Navigating to the Network > Interface > Ethernet tab took 12-15 seconds for the screen to populate the interface data.
49294 | The ACC (Application Command Center) tab on the Panorama web interface failed to display complete sections and appeared to be stalled, showing the error message: 3 requests sent 1 response received.
49038 | Time zones were not automatically converted for Dynamic Update package release times.
49015 | Fixed a dataplane restart issue that occurred when Jumbo Frames were enabled and the packets received buffer was high.
48896 | In rare cases, abrupt restarting (for example, a power outage) led to internal system file corruption. This was related to checking OS image integrity and cannot upgrade. Preventative measures were put in place to prevent issues before and after the internal file updating.
48729 | In Panorama, disabling the Share Unused Address and Service Objects with Devices feature returned an error stating that the shared address is not a valid reference. This occurred when a non-shared address group that was assigned to a specific device group contained a shared address or an address-group was pushed. This issue has been fixed so that such a configuration is supported.
48709 | Fixed an issue where setting a PCAP filter in the web interface would not work until the filter was reset by removing the automatically added 0.0.0.0.
48703 | This fixes a NAT pool leak issue when a SYN packet on TCP/443 was sent to an address on an interface on which GlobalProtect was configured but which was not its primary address. A NAT port was allocated, the connection failed, and the session was freed, but the allocated NAT port is not cleared.
48584 | On Panorama, there were long delays committing a policy due to the option Share Unused Address and Service Objects with Devices being cleared in large configurations. The delay was introduced as the system performs a calculation of the unused objects on commit. Commit times have been improved for large configurations.
48093 | Configured address objects were not displayed as resolved on the Panorama web interface. On both the ACC tab and the Monitor > Logs > Traffic tab, host names defined in the address objects were not displayed, and the IP address was shown in the Host Name columns.
47642 | Addressed the inability to write logs to disk. This issue occurred because the configuration on the Managed Collector and Collector Group was set up before the Managed Collector ever established a connection to Panorama. With this fix, Panorama allows you to configure the Collector Group only after the Managed Collector has connected at least once; Panorama can verify the availability of the disk(s) and its size. This ensures that the ring file is properly calculated and logs are written properly to disk.
47616 | Devices which were no longer managed devices (had been managed devices previously but were not anymore) were displayed on the Panorama > Device Deployment > Licenses page on the Panorama web interface.
47461 | Fixed an issue where SIP sessions were going into offload state after a content installation, causing SIP connectivity issues.
47071 | In PAN-OS 6.0.0, you can now rename and push a shared object from Panorama to a managed firewall if you used that shared object in a local policy.
47007 | An enhanced mechanism to hold control session packets being sent out before predict session is now installed on the master dataplane.
46535 | When using an Internet Explorer browser and a Block / Continue page appears when attempting to download a file, clicking the Continue option did not download the file.
46308 | The full User-IP Mapping table is now synchronized between peers in an HA cluster.
46134 | On the Panorama web interface, DHCP server settings displayed for entries on the Network > DHCP page are not displayed on the DHCP Server window that is displayed when clicking on one of the specific DHCP server entries.
45529 | In some User-ID implementations, server session reads picked up capitalized special characters such as Ü. Normally all capitals are set to lower case, but this operation was not supported for special characters, causing a mismatch between group mapping and ip mapping.
44925 | When a Virtual Router interface was deleted, added, or updated with a new IP/mask, all local Virtual Router interfaces on the management plane were uninstalled and then re-installed. With this fix, the management plane will assess if all Virtual Router interfaces change before automatically uninstalling and reinstalling them all; the management plane will not continue to uninstall and reinstall all Virtual Router interfaces unless they have all been changed.
43280 | Before PAN-OS 6.0.0, NetFlow data could not be exported on a per-subinterface basis. Starting in PAN-OS 6.0.0, NetFlow data can be exported on a per-subinterface basis.
41472 | When a DNS Proxy object was configured with static entries, hostnames assigned to the DNS Proxy were resolved as expected to the IP addresses listed on the Static Entries tab (Network > DNS Proxy). However, when setting the DNS Proxy Object as the DNS Service on the Device > Setup > Services dialog, all DNS queries from the management interface ignored the defined static entries.
40648 | Validation logic has been added to PAN-OS software image files to prevent upgrade failures due to file corruption.
39368 | Enhancements have been made to the web interface so that High Availability link status is displayed with green or red indicators on the High Availability widget on the Dashboard tab. A green indicator signifies that the link is up on the HA port and heartbeats or keepalives are being sent and received. A red indicator signifies that the link on the HA port is down or that heartbeats or keepalives are not being received at all (for HA3 interfaces, the green and red indicators signify only if the link is up or down).

owner: panagent


