PAN-OS 6.0.6: Addressed Issues
Created On 09/26/18 13:48 PM - Last Modified 07/19/22 23:09 PM
Resolution
The following issues have been addressed in PAN-OS 6.0.6 release.
| Issue | Description |
|---|---|
| 58820 | On PA-5000 Series platforms, Static Source NAT, Dynamic IP NAT, and Destination NAT session processing has been enhanced to greatly improve the throughput in these NAT scenarios, allowing the firewall to use multiple CPUs to process NAT sessions, rather than anchoring the sessions to a CPU based on destination IP hash. |
| 61205 | Using the web interface to export traffic logs in CSV format was showing an error that the query job failed. This issue has been addressed so that exporting traffic logs to CSV works correctly. |
| 62768 | Unreliable DNS servers might incorrectly provide NXDOMAIN responses. To help prevent incorrect WildFire sample categorization, NXDOMAIN responses are no longer shared across WildFire samples. Each NXDOMAIN response will be evaluated on a sample by sample basis. |
| 64309 | A WildFire threat log with the severity Informational was incorrectly showing the severity Emergency when forwarded to a syslog server. This issue has been fixed so that when WildFire logs are forwarded to a syslog server, the log entries show the correct severity for the log. |
| 64379 | This fixes an issue where older cached IP address to username mappings on a User-ID agent could overwrite newer IP address to username mappings on the firewall. With this fix, IP address to username mappings with more recent timestamps take precedence over IP address to username mappings with older timestamps. |
| 64647 | Following an upgrade from a PAN-OS 5.0.X release to PAN-OS 6.0.X, High Availability (HA) synchronizations were failing intermittently. The HA sync failures were due to an issue where the HIP profile database was not syncing correctly during the HA sync between the peers. This issue has been fixed so that performing an HA synchronization works correctly. |
| 65176 | Resolved an issue that caused a dataplane restart on the VM-Series firewall, when using RC4 ciphers to decrypt SSL traffic. This issue is specific to ESXi servers using AMD processors. |
| 65488 | Resolved an issue that occurred with an Active/Passive High Availability (HA) configuration, where using the command request high-availability state suspend to suspend the Active peer and perform an HA failover resulted in some packet loss. |
| 65565 | Fixed an issue where selecting Replay attack detection in the GlobalProtect gateway satellite configuration on the web interface did not actually enable replay attack detection. |
| 65607 | If the last remaining user was removed from the Allow List for an LDAP authentication profile (meaning no users remained on the list), authd was not notified that the group was empty and retained the last user's information. That user could continue to be authenticated despite no longer being included in the allow list. This has been addressed so when the last user remaining on the allow list is removed, the user can no longer authenticate. |
| 66025 | Configuration files with names longer than 32 characters were allowed and could be successfully imported, but load and delete operations would fail. With this fix, configuration file names of up to 32 characters can be imported and configuration files with longer names are prevented from being imported with an error. |
| 66168 | Resolved an issue where adding an FQDN to the Servers table to specify an LDAP server in an LDAP server profile caused intermittent connection issues (Device > Server Profiles > LDAP). |
| 66220 | An issue was seen in an HA Active/Passive setup where the secondary device was not able to pass traffic after a failover until a routing process was restarted. This issue has been fixed so that when a failover occurs, the secondary device correctly becomes the Backup Designated Router (BDR). |
| 66466 | Addressed an issue for the PA-2000 platform, where a device failed to handle a high volume of packets (larger than the MTU) on the management interface. Symptoms of this issue included device unresponsiveness, a random restart, traffic failures or ATA errors on the console. This issue has been resolved. |
| 66503 | Addressed an issue where the firewall dataplane experienced an out of memory condition, which could cause the dataplane to restart and the firewall to go into a non-functional state. |
| 66690 | The dataplane restarted due to a process restart while running traffic in a High Availability configuration. Additional checks have been added to avoid a possible race condition, which had led to the dataplane process restart. |
| 66959 | Addressed an issue where configuring overlapping IPv6 addresses when adding an OSPFv3 range on the Network > Virtual Routers > OSPFv3 > Area > Ranges tab caused a restart to occur after attempting to commit. This issue has been fixed so that if an invalid range is entered, an error is displayed; if a valid range is entered, you can continue to commit successfully. |
| 67069 | Internal packet path monitoring failure errors caused the dataplane to restart. An enhancement was made to detection and recovery mechanisms to minimize the impacts of these errors. |
| 67344 | Fixed an issue for the M-100 appliance where the show log-collector detail command was presenting incorrect information. |
| 67399 | Fixed an issue that occurred in High Availability (HA) Active/Active mode, where log card interfaces were synced to the HA peer, and resulted in duplicate IP addresses. |
| 67436 | The commands debug software trace reportd and debug software core reportd were added to the CLI command structure. |
| 67483 | This fixes an issue where a firewall failed to email scheduled reports due to a race condition. |
| 67516 | Fixed an issue with an Active/Active HA setup where a physical MAC address was returned for a floating IP address instead of a virtual MAC address. This has been addressed so that the floating IP correctly responds to ARP requests with a virtual MAC address. |
| 67723 | Fixed an issue that occurred when an OSPF profile was configured with a tunnel interface and the Passive state was disabled for the tunnel interface. In this case, the runtime configuration incorrectly overrode the configured settings, and the tunnel interface was incorrectly enabled to be Passive. |
| 67860 | On the Panorama web interface, the Preview Changes button could not be clicked when Group HA Peers was selected. This has been fixed so that the Preview Changes button is correctly enabled when Group HA Peers is selected (Panorama > Templates). |
| 67873 | Resolved an issue where disabling OSPF and performing a commit caused a routing process to restart. This was due to a race condition related to running the show route command during a commit. |
| 67910 | While viewing the Combined Rules Preview on the Panorama web interface (Policies > Preview Rules > Combined Rules Preview), the Device dropdown selection displayed the virtual system number for some virtual systems and not the virtual system name. This issue has been fixed so that the Device dropdown selection in the Combined Rules Preview displays the names of the virtual systems that you can select. |
| 68286 | An issue was seen where setting up a password for a proxy server caused the management plane to restart (Device > Setup > Services > Proxy Server). This was due to a backend process restarting when the password was configured and has been fixed. |
| 68708 | Addressed the bash vulnerability CVE-2014-7169 that relates to how environment variables are processed when the shell starts up. This fix prevents a user with an account on the firewall from using the vulnerability to gain escalated privileges. |
| 68899 | Fixed an issue that affected PA-7050 firewalls. An HSCI port configured as an HA2 interface went down due to a dataplane board restarting. An improvement has been made so that if more than one dataplane board is installed, an HA2 interface on an HSCI port will stay up. |
owner: panagent