PAN-OS 6.0.1: Addressed Issues

Created On 09/26/18 13:48 PM - Last Modified 06/08/23 08:54 AM


Resolution


The following issues have been addressed in the PAN-OS 6.0.1 release.

| Issue | Description |
|---|---|
| 61193 | A certificate chain error was causing commit failures due to an IKE code change in 6.0.0. The fix changes the error that caused the commit to fail into a warning so that the commit can succeed. |
| 61004 | Addressed an issue where a user in a custom admin role could only view HIP match logs but was unable to view log details. Clicking the spyglass icon on the web interface opened the Detailed Log View, but no information was displayed. |
| 60971 | Following an upgrade to PAN-OS 6.0.0, scheduled Dynamic Updates failed to be pushed from Panorama to managed devices. |
| 60826 | Issues relating to Tags with brackets were occurring after upgrading to PAN-OS 6.0.0, and Tags with brackets could not be created, edited or deleted. In PAN-OS 6.0.1, the brackets in existing Tags are replaced with quotes and new Tags that you create cannot include brackets. |
| 60816 | Following an upgrade to PAN-OS 6.0.0, syslog connection status warnings for all defined syslog connections appeared in the system log every hour and were categorized as critical. This was caused by a scheduled hourly rotation of the syslog-ng log file, during which the syslog-ng daemon would restart. This issue has been fixed by adding a condition to the log file rotation process requiring the log file to be 10 MB or more; the connection status warning will now be seen only once every few months. |
| 60780 | On PA-5000 Series firewalls, restarts were seen under heavy load conditions and were due to internal path monitoring failure. Enhancements have been made to avoid such restarts. |
| 60700 | 1GB copper SFP interfaces belonging to an Aggregate Group would sometimes show the link status as down after a reboot of the firewall. |
| 60677 | Group mapping queries failed when nested groups with long group names were searched. The search queries showed group members to be missing. This was due to the query string (groups/nested groups) being truncated at 39 characters. |
| 60650 | When using the web interface to configure SNMPv3 on a HA pair, the EngineID field should be optional; however, the OK button could be clicked when this field was blank. This has been fixed so that the EngineID field is optional. |
| 60564 | On Panorama, a system log message was generated when a log file used for internal processing was truncated. This system log message is not relevant for the administrator and will not be displayed in the system log. |
| 60510 | An attempt to revoke SSL certificates generated on Panorama failed. The issue was caused by an internal verification check failure involving shared certificate objects used in device groups that included firewalls enabled for multiple virtual systems. The verification check has been corrected. |
| 60505 | SYN packets were dropped if a session with the same source and destination IP addresses and port and the same IP protocol arrived for an existing session during the aged-out TIME-WAIT period. |
| 60502 | On the Panorama web interface Monitor, the maximum number of pages displayed for logs was inconsistent, varying with the number of logs displayed per page. |
| 60412 | The user was unable to modify the custom logo due to an unrecognized 'mime-type' option (Device > Setup > Operations > Custom Logos). |
| 60347 | Some service route settings could not be configured when the web interface was set to a language other than English. |
| 60337 | Fixed an issue where the XML API showed empty hardware counters for show interface dedicated-ha1. |
| 60274 | Fixed an issue where the XML API showed an error when running show high-availability interface ha1 using the REST API. |
| 60225 | Fixed an issue where the XML API showed an error when running show session rematch using the REST API. |
| 60201 | In an Active/Active HA setup, an IPSec key renegotiation timing issue caused the new IPSec session to be set to DISCARD until the next rekey. This caused traffic loss until the next tunnel key renegotiation. |
| 60189 | When High Availability Active/Passive peers lost communication on HA1 and HA2 links, a race condition caused the dataplane to restart. |
| 60070 | In order for Android devices to be able to connect to the Mobile Security Manager’s device check-in for enrollment and subsequent check-ins, the Root CA certificate had to be used to sign the server certificate for the device check-in interface in the portal configuration that was being delivered to Android devices. This applied even if you purchased a server certificate from a well-known, trusted CA as recommended. This was because the GlobalProtect Android app does not look in its system store for certificate verification. With this fix, the GlobalProtect Android app will first look in its system store for certificate verification. If this fails, the app will proceed to verify certificates against the CAs from the portal configuration. |
| 60063 | SSL decryption with Internet Explorer was inconsistent with certificate common names, resulting in name mismatch errors for some sites. |
| 60035 | When an external zone was configured with a Zone Protection Profile applied to it, large IPv6 packets were causing dataplane processes to fail when sent through the zone. |
| 60012 | Addressed issues that were causing filtering on the web interface to return incorrect results. |
| 60011 | When a User ID Agent Setup template was pushed from Panorama to a managed device, the application content updates were not available for viewing or cloning in the syslog filters list in the web interface (Device > User Identification > User Mapping > User ID Agent Setup > Syslog Filters). |
| 59991 | In a shared gateway setup, when the firewall was configured to drop inbound Destination NATed traffic for a particular application, the traffic logs for Destination NATed traffic to be dropped showed the post-translated address instead of the pre-translated address. This issue was fixed by displaying the original source IP address in the traffic logs instead of the translated IP address. |
| 59989 | The Panorama web interface was not displaying data on the Monitor > Logs > WildFire Submissions page. A query for the data with no filters continued loading for a significant amount of time and then eventually timed out. This was due to threat logs that were not handled correctly by Panorama running PAN-OS 6.0.0 when received from log collectors running releases previous to PAN-OS 6.0.0. |
| 59973 | For Android devices that were being managed by the GlobalProtect Mobile Security Manager, when authenticating to the GlobalProtect gateway using client certificate authentication, the GlobalProtect app for Android did not look up the identity certificate issued to the device during enrollment. Identity certificates were therefore not being used for gateway authentication as expected. This has been fixed so that Android devices are able to use identity certificates for gateway authentication. |
| 59967 | When the firewall was configured as a GlobalProtect satellite and was receiving access routes from another firewall configured as the GlobalProtect gateway, the routing resource counter for static routes was not incrementing or decrementing correctly. This behavior caused the maximum number of routes to be artificially reached and the firewall stopped accepting routing updates. The fix for this issue readjusts the counters for static routes and total routes when creating a redundant static route or deleting a non-existent one. |
| 59915 | The filter field on the Policies > Security page of the web interface returned different results when strings with the same value, but a different pattern, were entered. For example, xx.xx.xx.0-24 is an address object name which includes the IP/netmask pattern xx.xx.xx.0/24. Entering either string in the filter should return the same search results, but one query was showing fewer results than the other. |
| 59890 | When a PA-4050 firewall reached the limit for max supported concurrent decrypted sessions, the dataplane restarted. A fix has been added to ensure that the device stops decrypting sessions once the limit is reached, so that a restart does not occur. |
| 59873 | A TCP session could not be established when SYN Cookies was enabled and when both Aggregate and Classified DoS Protection Profiles were configured. |
| 59772 | Traffic logs from log collectors were not visible on the Panorama web interface. |
| 59707 | NTP information on the firewall was displayed in a way that could lead to confusion; for example, stating that the server the device is synced with is not connected (connected: false). NTP information is now displayed more clearly (Device > Setup > Services). |
| 59574 | Fixed an issue where an Antivirus profile on Internet Explorer and Firefox browsers was not showing the default action in parentheses (alert/drop/) for the decoders. |
| 59471 | Resolved an issue with registering dynamic tags on the VM-Series firewall. The VM-Series firewall did not allow you to register dynamic tags that include the single quote character. |
| 59343 | When a security policy was configured that did not have a URL Filtering profile applied to it, URL Filtering logs were still being generated and were visible on the Monitor > URL Filtering page. |
| 59309 | User Activity Reports were showing inconsistent results. This was due to the User Activity Report generation taking too long and timing out. The timeout for User Activity Report generation has been extended so that requested reports will run until all data is completely gathered. |
| 59276 | Botnet reports failed to generate when using the BrightCloud database. |
| 59256 | Performing an SCP import of the logdb file failed with the error: failed to verify for logdb import. |
| 59180 | Session setup between a client and server was not completed in an HA Active/Active environment when configured with multi-VSYS and multi-VR. The client from one virtual system could not reach the server located on a second virtual system because the session in the second virtual system was not set up correctly. |
| 59126 | In an HA Active/Passive setup, OSPF and BGP neighbors went down on an Active device after the Passive device unexpectedly restarted. |
| 59031 | When admin users tried to log in to the CLI without previously logging into the web interface and there was a RADIUS authentication profile configured, the firewall sent out a request to the RADIUS server with an invalid password that was different from the one submitted by the user. This resulted in valid users being unable to authenticate to the RADIUS server. |
| 58971 | The CLI output for the command show routing protocol bgp loc-rib-detail displayed the community field incorrectly when certain prefix combinations appeared in the IP addresses of the BGP neighbors. |
| 58736 | WildFire email notifications did not contain a date header. |
| 58586 | Fixed the inability to log into the Panorama web interface. This issue occurred because the root partition on an M-100 appliance was at 100% usage due to old reports being incorrectly stored in the /tmp directory. |
| 58421 | Following an upgrade from 4.1.11 to 5.0.5, some firewalls infrequently experienced unexpected restarts. |
| 58268 | Traffic was sometimes blocked during SSL decryption when the option Use OCSP to check certificate status was enabled. |
| 58215 | The output of the CLI command show routing protocol ospf area was updated to provide greater clarity for the values defined. |
| 58212 | New virtual systems could not be added after applying a virtual systems license. New virtual systems could only be added after restarting the management server. |
| 57997 | In an HA Active/Active setup, the User-ID agent status was displayed as connected on the Active-Secondary device. This issue has been addressed and the Active-Secondary device will only show a User-ID agent status of disconnected, as only the Active-Primary device connects to the User-ID servers. |
| 57660 | A PA-2000 Series firewall's management ports did not link up when connected directly using a straight or crossover cable. |
| 57601 | Fixed an issue where Data Filtering logs were showing incorrect file names when the data pattern was matched against the files. |
| 57261 | A denied session was logged with the Action displayed as Allow. This occurred when the application denied was on port 80 and triggered the Captive Portal redirect. |
| 56905 | When a PA-5000 Series firewall received more than 3000 BGP prefixes, the web interface showed an error (op command for client routed timed out) when displaying the Local RIB for BGP. When the command show routing protocol bgp loc-rib-detail was issued, the CLI returned the error Server error : op command for client routed timed out. |
| 55318 | The following commit warning message is now included when nested wildcards are used in a URL Filtering configuration: Warning: Nested wildcard(*) in URLs may severely impact performance. It is recommended to use a single wildcard to cover multiple tokens or a caret(^) to target a single token. |
| 50932 | In an HA Active/Passive setup, the term seed was removed from the PAN-DB sync seed with HA message, because the MP cache is what is synchronized rather than the seed. Also fixed an issue where the synchronized MP cache was not loaded on the Passive device. |
| 47642 | Addressed the inability to write logs to disk. This issue occurred because the configuration on the Managed Collector and Collector Group was set up before the Managed Collector ever established a connection to Panorama. With this fix, Panorama allows you to configure the Collector Group only after the Managed Collector has connected at least once, so that Panorama can verify the availability of the disk(s) and their size. This ensures that the ring file is properly calculated and logs are written properly to disk. |
| 41347 | Packet capture filters were not filtering information accurately. The fix ensures that the pcap filters match the criteria defined on the device and accurately capture all relevant frames in the session. |

 

owner: panagent


