Critical Issues Addressed in PAN-OS Releases
Historical Critical Issue List Addressed in PAN-OS Releases
All current PAN-OS
Last Updated On : Sep 30th , 2022
This list is limited to critical severity issues as determined by Palo Alto Networks and is provided for informational purposes only.
- Please double-check the information in the release notes for the latest information about fixed versions.
- Please create a case with your support provider for a detailed investigation if you believe you have encountered one of these issues.
- Maintenance releases are the primary mechanism for fixing issues.
- A maintenance release is signified by the third digit in the release version number (for example, the .2 in PAN-OS 10.1.2).
- An asterisk (*) in the Fixed release column is used for an internal check; please ignore it.
Affected Platform(if any)
|Description (release note)||Impact||
|PAN-198266||PA-400, PA-3400, PA-5400|
|Fixed an issue where, when predicts for UDP packets were created, a configuration change occurred that triggered a new policy lookup, which caused the dataplane stopped responding when converting the predict. This resulted in the policy lookup returning a policy denial.||DP crash||The logging code access a non-existent field when generating a deny log for a predict. This happens when an allow policy is removed or changed to deny and pre-exiting predicts created by ALG are no longer valid.||clear all predicts before a config commit.|
"clear session all filter type predict"
|PAN-191216||10.2.0-10.2.2||Fixed an issue where, on Apple iOS devices, SAML authentication did not connect to the GlobalProtect portal.||GP on iOS with SAML does not work||Since 10.2.0, GP server is missing to SAML related result in HTTP header||N/A||10.2.3|
|PAN-196005||PA-3200 Series, PA-5200 Series, and PA-5400 Series firewalls only|
(only 10.1.6 is reported)
|Fixed an issue where GlobalProtect IPSec tunnels disconnected at half the inactivity logout timer value.||GP tunnel goes down every 30minutes||Because of local time handling difference in MP and DP for a GP tunnel timeout feature, NGFW mistakenly disconnects GP tunnel.||To sync time for this, power off the fw then power up. NOT reboot.||10.1.7,10.2.3|
|PAN-191558||10.0.10, 10.1.5-10.1.6, 10.2.1-10.2.2||Fixed an issue where, after an upgrade to PAN-OS 10.1.5, Global Find did not display all results related to a searched item.||Global does not||A searchAttribute instance throwing a null pointer error on searching causes endless loading||N/A||10.0.11, 10.2.3, 10.1.7, 10.1.6-h3|
|PA-400 Series firewalls only: Fixed an issue where running a PAN-OS 10.2 release caused dataplane processes to restart unexpectedly.||dataplane process restart||memory leak in memory buffer||No workaround||10.2.2|
|Fixed an issue where sessions were dropped with the message `resource-unavailable` due to the content inspection queue filling up.||session drops due to 'resource-unavailable'||ctd memory space is held due to wrong memory freeing||set system setting ctd nonblocking-pattern-match disable|
(This will cause higher packet buffer CPU usage.)
|Fixed an issue where, after clicking **WildFire Analysis Report**, the web interface failed to display the report with the following error message: `refused to connect`.||WildFire Analysis Report can't be seen in WebUI|
The issue is because the x-frame-options is set to deny so the WF report is unable to display within the iframe
|"View frame source" on right click menu on failed analysis report.|
remove "viewsource" from the opened link. the link starts with "viewsourcehttps://x.x.x.x/wf_report/".
then open the page.
|Fixed a memory leak issue in the mgmtsrvr process.||mgmtsvr process memory leak||When there is constant reconnect from FW to Panorama, old SSL structure is not freed and newly allocated SSL structure overwrites a memory space leaks.||No workaround||9.0.16, 9.1.13, 10.0.9, 10.1.4|
|PAN-187183(PLUG-10024)||All PA-VM in 10.1.4|
VM Plugin 2.1.4
|Fixed an issue with `vm_license_response.log` that consumed a large portion of the root partition.||root partition full|
License fetch log is consuming root space
|From admin CLI,|
admin@PA-VM> delete debug-log mp-log file vm_license_response.log_backup.gz
successfully removed vm_license_response.log_backup.gz
|VM Plugin: 2.1.5, 3.0.0|
|PAN-181116||10.1.0-10.1.4||Fixed memory corruption issues in PAN-OS 10.1.3 and 10.1.4 that caused the *pan_comm* process to stop responding and the dataplane to restart. These issues also caused GlobalProtect tunnels to fall back to SSL instead of IPSec due to the inadvertent encapsulation of the ICMP keepalive response from the firewall.||GP does not connect with IPSEC ESP and instead switches to SSL||In original design, mix mode was not supported.|
If ssl tunnel and ipsec tunnel established together, their config are messed up.
It caused tunnel failed.
Updated an issue to eliminate failed `pan_comm` software issues that caused the dataplane to restart unexpectedly
|pan_comm process crash||timestamp variable was not cleared properly and it'||No workaround||10.1.5, 10.1.4-h4|
|PAN-186937||9.1.0-9.1.11||Fixed an issue where the firewall dropped packets decrypted using the SSL Decryption feature and Encapsulating Security Payload (ESP) IPSec packets that originated from the same firewall. This occurred when **Strict IP Address Check** was enabled in the zone protection profile (**Packet Based Attack > IP Drop**) and the packet's source IP address was the same as the egress interface address.||packet drop on SSL decryption and ESP IPsec on the same FW||
The bug was caused when strict IP was on and packet source IP == egress IP. This caused packets, like ESP and SSL decrypt for example, to be erroneously dropped"
|Disable the Strict IP Address Check option in the Zone Protection profile. Alternatively, downgrade to 9.1.11 or earlier or upgrade to 10.0.0 or later if you want to enable the Strict IP Address Check.||9.1.14|
|Fixed an issue on high availability configurations where, after upgrading to PAN-OS 9.1.10, PAN-OS 10.0.6, or PAN-OS 10.1.0, the HA1 and HA1-Backup link stayed down. This issue occurred when the peer firewall IP address was in a different subnet.||HA1/HA1 backup link not coming up||Internal routing lookup mechanism didn't work as expected||No workaround||9.1.13,10.0.10,10.1.5,10.2.0|
|PAN-177762||10.0.0-10.0.8,10.1.0-10.1.3||Fixed an issue where `wificlient` in PAN-OS 10.0 and later releases caused processing delays, on-chip descriptor spikes, and buffer usage.||Traffic is intermittently dropped||from 10.0, new feature tends to hold cores. It can cause high packet descriptor on-chip or buffer usage.||Disable EAL||10.0.9,10.1.4|
|Fixed an issue where NetFlow traffic triggered a packet buffer leak.||packet buffer full should cause general traffic processing in DP||Netflow saved packet leaked on commit as netflow profile changes memory space||Disable Netflow||8.1.22,9.0.15,9.1.13,|
|PAN-183767||8.1.21,9.1.12,10.0.8, 10.1.3||Fixed an issue where downloading Dynamic Updates files failed when connected to the static update server at `us-static.updates.paloaltonetworks.com`.||PAN-OS is not abl e to download software image from update server||A code change in affected version provided wrong option for a download command.||use "updates.paloaltonetworks.com" instead.||8.1.21-h1, 9.0.15,9.1.12-h3, 10.0.8-h8,10.0.9,10.1.4|
|Fixed an issue where the `bcm.log` and `brdagent_stdout.log-<datestamp>` files filled up the root disk space||Root partition full||Unnecessary logs are generated on file system||Use ports 1-8 on LFC for log forwarding.||10.0.8, 10.1.3|
|Fixed an intermittent issue where commits failed after a commit validation and were modified for custom URL category objects.||Intermittent commit failures||Candidate internal ids are not cleaned up for validate job during phase1 abort. It affects the subsequent commit for such.||Restore the url pattern changes made after the validate job and commit.|
Skip Validate and enforce commit
|Fixed an issue where the management CPU remained at 100% due to a large number of configured User-ID agents.||memory leak on useridd||1) hip report xml buffer was not released after message was sent out which caused memory leak|
2) High CPU issue is caused by a busy loop ,because a big number of jobs are scheduled and FD is alway readable during the job waiting period.
|Reducing the number of configured userid agents/clients can alleviate the issue.||10.1.1, 10.0.7 and 9.1.11|
|PAN-169551||9.1.8-9.1.9||Fixed an issue where custom URL categories hit incorrect URL categories, which caused the firewall to miss or deny the security policies for the configured custom URL||URL category lookup fails||Id-manager mis-manage the table on commit , caused URL pattern lost on DP||
For customers using custom URL categories only (NO EDL-URL), before committing any URL pattern changes,
For customers using EDL-URL,
|Fixed an intermittent issue where the presence of an Anti-Spyware profile in a Security policy rule that matched DNS traffic caused DNS responses to be malformed in transit.||dns response is corrupted||code of license check and TTL modification had a bug to handle DNS response||Remove anti-spyware that contains dns security profile||9.1.11,10.0.7,10.1.1|
|Fixed an issue where, in two separate but simultaneous sessions, the same software packet buffer was owned and processed.||DP crash||For inter-vsys scenario, the same sw packet buffer could be processed in two different sessions at the same time, which in turn cause the issue.||Use IPsec VPN instead of using SSL||8.1.20,9.0.14,9.1.10,10.0.7|
|PAN-156017||9.1.0-9.1.6, 10.0.0-10.0.2||Fixed an issue where a host information profile (HIP) report XML buffer caused a memory leak||Out of Memory in MP||HIP report buffer was not released after message was sent out which caused memory leak||Disable hip redistribution||9.1.7,10.0.3|
|Fixed an issue where HA1-B port on PA-3200 series remain down after upgrade from 9.1.4 to 9.1.5||HA1-B link down||failed to fetch a related sysd node||None||8.1.20,9.0.14, 9.1.9,10.0.5|
|PAN-136347||8.1.0-8.1.18, 9.0.0-9.0.13, 9.1.0-9.1.8 , 10.0.0-10.0.4||Fixed an issue wherer DNS proxy TCP connections were processed incorrectly, which caused a process (`dnsproxy`) to stop responding.||dnspropyd crash / high CPU||tcp_wait_timer on the daemon didn't cleared correctly||Workaround is to disable TCP connection through DNSproxy daemon, to safely avoid any ability issues with proxied TCP requests.||8.1.19, 9.0.14, 9.1.9,10.0.5|
|PAN-150852||8.1.0-8.1.18 ,9.0.0-9.0.12 ,9.1.0-9.1.6 ,10.0.0-10.0.4||Fixed an issue with SMTP that occurred when attachment file names were longer than the allocated buffer. If the file name was longer than the buffer and Layer 7 inspection was enabled, the file was dropped, which caused session errors and an email to not be sent.||DP crash /SMTP packet drop||buffer handling issue when processing SMTP mult-part filename||None||8.1.19|
|PAN-143485||8.1.0-8.1.18, 9.0.0-9.0.12 , 9.1.0-9.1.6, 10.0.0-10.0.4||Fixed a memory leak issue related to a process (*devsrvr*).||device server memory leak||multiple leaks (URL,confg,etc) are fixed||Restarting devsrvr before device memory gets depleted||9.0.13,9.1.8,10.0.0|
|Fixed an issue where some zip files did not download and the following error message displayed: `resources-unavailable`.||L7 feature does not work when hitting 'resource-unavailable' error||The decoder buffer would go through a high number of loop in L7 processing. It hits the max limit.||
"set deviceconfig setting session resource-limit-behavior bypass" helps to bypass sessions hitting the error.
debug dataplane fpga set sw_aho yes debug dataplane fpga set sw_dfa yes
|Debug commands were added to address an issue where the firewall connect to Cortex Data Lake due to the Online Certificate Status Protocol (OCSP) message missing the `nextUpdate` value in the OCSP response.||sslmgr memory leak caused an issue on OCSP||Failed OCSP queries are cached for long time. It affects normal behaviour of sslmgr and its memory usage goes up||Restart sslmgr process||9.0.13,9.1.8,10.0.4|
|Fixed a buffer overflow issue on the management server, which forced the administrator to log out on the web interface.||management server crash||Missing close calls for an internal dbs||Avoid doing multiple validate commits, commitAlls||9.1.7,10.0.2|
Technically all FW platform can be affected. but we only get reports from PA5200,PA7000series
|Fixed an issue where traffic logs were not shown due to a thread timeout that was causing the reading of the logs from the dataplane to slow.||Logging intermittently stops||the main thread was busy doing cache age out, cause the reading of the logs from the link from the DP slows down greatly.||None||8.1.18, 9.0.11, 9.1.6, 10.0.2|
|Fixed an issue where a process (*genindex.sh*) caused the management plane CPU usage to remain high for a longer period of time than expected.||High MP CPU||The script searches log directories intensively||Configure Max Days for the Log Types to reduce retention days to reduce amount of logs to index.||8.1.17, 9.0.11, 9.1.6,10.0.2|
|Fixed an issue where, on Panorama, context switching to the web interface of a managed firewall running PAN-OS 8.1.16 did not work.||Context switch is unable||A bug fix prevented context switch from working||None||8.1.17|
|Fixed an issue where a process (*authd*) restarted when an administrator authenticated to the firewall with an Active Directory (AD) account. This issue occurred when LDAP was configured with FQDN, used DHCP instead of a static management IP address, and used the management interface to connect to the LDAP server.||Authd crash||The boundary case that DHCP assigned mgmt IP||Use service route for LDAP||9.0.10, 9.1.4, 10.0.1|
|Fixed an issue where a commit or content update operation with an error was not prevented from executing in the dataplane, which caused corruption in the dataplane policy cache.||DP crash||- When DP phase1 parse error happens on config commit, the abort signal didn't cleanup properly,thus policy cache is corrupted|
Make sure the config does not error out in DP
|Fixed an issue where dataplane free memory was depleted, which affected new GlobalProtect connections to the firewall||GP connection failure||The URL data structure is not being freed during the clientless VPN app access.||No||8.1.16, 9.0.10, 9.1.3|
|PAN-150172||8.1.15,9.0.9,9.1.3||Fixed an issue where dataplane processes restarted when attempting to access websites that had the `NotBefore` attribute less than or equal to Unix Epoch Time in the server certificate with forward proxy enabled.||DP restart when parsing certificate||The 'NotBefore' value was not initialized properly||1) Import the server's issuer CA to the firewall and mark it trusted, OR|
2) Disable decryption to those servers with NotBefore <= 1970/1/1 00:00:00 UTC
This is not practical solution
|8.1.15-h3, 8.1.16, 9.0.9-h1, 9.0.10, 9.1.3-h1, 9.1.4,|
|Fixed an issue where URL filtering used the IP address instead of the hostname, which led to incorrect URL categorization.||Issue on Host header handling causes URL filter function||miss handling when Host header does not come in 1st packet||Enable jumbo frame, or use custom-url-category or custom-appid to detect string "/webapp/wcs/stores/".||8.1.15, 9.0.9, 9.1.3|
|Fixed an issue where SSL connections were blocked if you enabled decryption with the option to block sessions that have expired certificates. This issue included servers that sent an expired AddTrust certificate authority (CA) in the certificate chain.||SSL decryption fails to some site||fixed SSL cert verification process||Disable certificate expiration check.|
(if no expiration check is acceptable)
|8.1.15, 9.0.9, 9.1.3|
|Fixed an issue where the firewall stopped recording dataplane diagnostic data in dp-monitor.log after a few hours of uptime.||DP crash||day-one issue crash when handing||No workaround||8.1.15|
|Fixed an issue where high and continuous CPU utilization was seen on dataplanes after IPSec Encapsulating Security Payload (ESP) rekeying occurred for multiple tunnels.||High CPU/ High packet descriptor||ESP rekey issue||After failover, reboot the failing FW||8.1.15, 9.0.9 , 9.1.4|
|PAN-144479||8.1.14 only||Fixed an issue where SNMP objects from the HOST-RESOURCES-MIB returned incorrect values when queried.||snmp for the specific MIB does not work||regression of a snmp fix||No workaround||8.1.15|
|Added the following CLI commands to address an issue where packets for new sessions dropped when handling predict sessions:|
- `set session hwpredict disable yes`
- `show session hwpredict status`
|packet drop on predict session matching||added workaround command||to disable predict lookup in FPP-HW and use FPP-SW. This is controlled using a operational command.||9.0.8, 9.1.2|
|Fixed an intermittent issue where firewalls dropped packets, which caused issues such as traffic latency, slow file transfers, reduced throughput, internal path monitoring failures, and application failures.||Traffic issue||Issue on memory timing||No workaround||8.1.14,9.0.7,9.1.2|
|Fixed an issue where firewalls experienced high packet descriptor (on-chip) usage during uploads to the WildFire Cloud or WF-500 appliance.||Excessive WF uploads caused high packet descriptor||Excessive WF uploads surpress platform resources.|
Limit maximum number of outstanding WF uploads
Configure Device > Setup > WildFire > General Settings > File Size Limits
- pe 8 MB
|Fixed an intermittent issue where the dataplane process (*all_pktproc_X*) on a Network Processing Card (NPC) restarted when processing IPSec tunnel traffic.||DP crash||Crash during flow lookup|
Added a validation code
|PAN-136820||8.1.0-8.1.13||Fixed an issue where a high availability (HA) failover occurred after the firewall reported the following error message in the **System** log: `Dataplane down: controlplane exit failure`.||DP crash / down|
Internal path monitor fails
|NFS transfer issue on DP|
Tweaking NFS options
|Fixed an issue where first packet processor packet buffer is not allocated with proper alignment, which caused memory corruption.||internal path monitor failure , FPP crash||Possible memory corruption on FPP||No workaround||8.1.13|
|Fixed an issue where fragmented traffic caused high dataplane use and firewall performance issues.||high CPU/ high packet buffer||fragment reassemble issue||Consider blocking fragments via zone protection.||8.1.13,9.0.7,9.1.2|
|Fixed an issue where a process (*reportd*) would crash while running a log query.||reportd crash||doublefree while trying cleanup when handling a log query||Allow the query to run to completion before closing the Tab/browser||8.1.13,9.0.7,9.1.2|
|Fixed an issue where a PA-7080b HA pair rebooted when large sized packet traffic impacted the front panel ports of the Log Forwarding Card (LFC).||LFC restart||LFC front port error handling failure on receiving jumbo frames||Avoid connecting the Front Panel ports to networks with jumbo frames||9.0.6 and 9.1.0|
|PAN-123667||9.0.0-9.0.5||Fixed an issue where the "snmpd" process was crashing when polling for global counters.||snmpd crash and OOM(out of memory) in kernel||memory leak of snmpd when accessing global counter OIDs||Workaround to avoid this crash is to avoid polling OIDs in the global counters table.||9.0.6 and 9.1.0|
|"PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls running PAN-OS "<8.1.11 | 9.0.5>" only") There is an intermittent issue where a process ("all_pktproc") stops responding due to a Work Query Entry (WQE) corruption that is caused by duplicate child sessions.||dataplane crash||Crash when handing packet in predict session||None||8.1.12,9.0.6 and 9.1.0|
|"PA-5250, PA-5260, and PA-5280 firewalls with 100GB AOC cables only") When you upgrade the first peer in a high availability (HA) configuration to "[PAN-OS 8.1.9-h4 or a later] / [a PAN-OS 9.0]" release, the High Speed Chassis Interconnect (HSCI) port does not come up due to an FEC mismatch until after you finish upgrading the second peer.||HSCI interface down||Internal chip configuration affected AOC module||Consult Techsupport for upgrade procedure, otherwise avoid the releases||8.1.12,9.0.6 and 9.1.0|
|PAN-124481||9.0.0-9.0.4||Fixed an issue where the dataplane stopped responding when SMTP sessions were used.||DP crash/ Internal Path Monitor Failure||MIME boundary is mistakenly calculated||app-override the smtp||9.0.5|
|Fixed an issue where a process ("configd") stopped responding when an XML API call with "type=config&action=get" triggered during a commit.||configd crash||Null was not set to a pointer when xml node is freed||Do not run xml api to get predefined xpath||8.1.11 and 9.0.5|
PA-7000 series only(XM cards are not affected)
|["PA-7000 Series firewalls using PA-7000-20G-NPC cards only"] Fixed an intermittent issue where an out-of-memory (OOM) condition caused the dataplane or internal path monitoring to stop responding.||DP crash/ Internal Path Monitor Failure|
Insufficient memory was allocated to Linux kernel
|No workaround||8.1.11 and 9.0.4|
|Fixed an intermittent issue where an out-of-memory (OOM) condition caused the dataplane or internal path monitoring to stop responding. With this fix, session capacity is reduced by 400,000.||DP crash/ Internal Path Monitor Failure||Out of memory on DP0||No workaround||8.1.11|
|Fixed an intermittent issue where a large number of packets were received before acknowledgments were complete, which depleted descriptor queue entries and resulted in high latency during data transfers even though CPU usage looked normal||High packet descriptor and packet buffer||As a result, one or a few aggressive TCP sessions can take all descriptor queue entries due to ack packets||clear session causing the issue||8.1.10 and 9.0.4|
|Fixed an issue on a VM-Series firewall deployed in Microsoft Azure where packets dropped silently due to a kernel error||traffic drop when burst traffic||a kernel error when processing bust traffic on Azure||No workaround||8.1.9 and 9.0.4|
|("Virtual and M-Series Panorama appliances and Log Collectors only") Fixed an issue where closed Elasticsearch (ES) indices were continuing to receive and re-queue logs, which resulted in high CPU usage.||Log ingestion failure and high CPU||monthly index closed unexpectedly||Contact Techsupport||8.1.10 and 9.0.4|
|Fixed an issue where an internal path monitoring failure due to a buffer leak caused the firewall to reboot||DP restart due to Internal packet path monitoring failure||mess-up of buffer pool||No workaround||8.1.9 and 9.0.4|
|("GlobalProtect Clientless VPN environments only") Fixed an issue where a process ("all_pktproc") stopped responding and caused the firewall to restart unexpectedly when processing GlobalProtect Clientless VPN traffic. To leverage this fix, you must first upgrade ("Devices>Dynamic Updates") to GlobalProtect Clientless VPN content release 79 or a later release.||DP crash||exception when handling clientless VPN packet with large packet||change clientlessVPN to GP(SSLVPN)|
or downgrade to 8.1.8 or older
|8.1.10 and 9.0.4|
|("PA-7000 Series firewalls only") Fixed an issue where the High Speed Chasis Interconnect (HSCI) link flapped after you rebooted the firewall.||HSCI flap||Signal errors on SMC||8.1.9 and 9.0.4|
|("PA-3200 Series firewalls only") Fixed a rare software issue that caused the dataplane to restart unexpectedly. To leverage this fix, you must run the "debug dataplane set pow no-desched yes" CLI command (increases CPU utilization).||DP crash||Deschedule issue on CPU used in PA3200||No workaround||8.1.9 and 9.0.3|
|PAN-117729||8.1.8 only||Fixed an issue where the firewall incorrectly displayed application dependency|
warnings ("Policies > Security") after you initiated a commit
|Application dependency shows up on commit||due to incomplete fix of PAN-98386||No workaround||8.1.9|
|PAN-107005||PA3200 series only|
|Fixed an issue on PA-3200 Series firewalls where packets dropped when a VSS-Monitoring Ethernet trailer was being appended by an external device.||L4checksum fails for VSS monitoring trailer and the packet drops||Network offload processor drops the packet due to its L4 checkup validation||No workaround. upgrade PANOS||8.1.5 and 9.0.3|
|PAN-112814||8.1.6-8.1.7 and |
|Fixed an issue where H.323-based calls lost audio because the predicted H.245 session was not converted to Active status, which caused the firewall to drop the H.245 traffic.||predict session failure||predict session fails to create when the predict session is created by S2C flow and it's source NATed||Do not use Source NAT||8.1.8 and 9.0.2|
|Fixed an intermittent issue where a content install (content) caused a firewall configuration failure and the firewall to stop responding.||FQDN objects are resolved as 0.0.0.0. and pushed to DP. that causes traffic issue||Content install job involves wrong config mistakenly||Commit force or force another FQDN refresh.||8.0.16 ,8.1.7 and 9.0.0|
|PAN-108241||PA-3200 series/ 8.1.0-8.1.5||Fixed an issue on a PA-3200 Series firewall where multiple dataplane processes (all_pktproc, flow_mgmt, flow_ctrl, and pktlog_forwarding) stopped responding when overloaded with traffic.||DP crash||flow ager process double free||Enable software aho/dfa and pscan can greatly reduce likelihood of seeing issue.||8.1.6 and 9.0.0|
|PAN-109594||8.0.14, 8.1.5 only||Fixed an issue where the dataplane restarted when an IPsec rekey event occurred and caused a tunnel process (tund) failure when one--but not both--HA peer is running PAN-OS 8.0.14 or PAN-OS 8.1.5.||DP restart due to tund crash during version mismatch in HA peers during upgrade process||DP restart due to tund crash which is caused by ike rekey in HA pair||Prior to upgrading HA peers, temporarily adjust IKE lifetimes to longer than default to ensure that rekey event does not occur during upgrade process. Can also break HA between peers and upgrade individually as standalone.||8.0.15, 8.1.6|
|PAN-108785||PA3200 series/ 8.1.0-8.1.5||Fixed an intermittent issue on a firewall in an HA active/passive configuration where a ping test stopped responding on Ethernet 1/1, 1/2, and 1/4 due to input errors on the corresponding switch port after an HA failover.||eth1/1,2,4 corrupts packet on transmit after HA failover||interface initialization steps after HA failover called unnecessary instructions||manually shut/no shut the interfaces||8.1.6 and 9.0.0|
|PAN-107791||8.1.4||Fixed an issue where after upgrading from PAN-OS 8.1.3 to 8.1.4 the CLI two-factor administrator authentication failed.||2FA fails||socket handling bug for 2FA||none||8.1.5 and 9.0.0|
|PAN-107365||8.1.4||Fixed an issue on Panorama M-Series and virtual appliances where after you make a change to a template and attempt to push to a target device, the device does not appear in the Push Scope Selection list ("Commit > Push to Devices > Edit Selections > Device Groups").||Cannot specify device in template||Exception in php code||none||8.1.5|
|PAN-107271||8.1.4||Fixed an issue on a PA-3200 Series firewall running PAN-OS 8.1.4 in an HA configuration where the HA1-B (backup) port did not come up as expected.||HA1B port is unusable||additional fix of PAN-89402||use other interface for HA1||8.1.5|
|PAN-100244||8.0.x,8.1.x||Fixed an issue where a failed commit or commit validation followed by a non-user-committed event (such as an FQDN refresh, an external dynamic list refresh, or an antivirus update) resulted in an unexpected change to the configuration that caused the firewall to drop traffic.||traffic drop due to wrong policy applied||last-candidatecfg.xml has been changed which should not happen when commit fails. That config was involved in next FQDN/EDL update||Performing manual FQDN refresh or commit appears to resolve the issue, until the next occurence.||8.0.14,8.1.5|
|PAN-100613||8.0.10-,8.1.2-8.1.4||Fixed an issue on a PA-5200 Series firewall in a high availability (HA) active/active configuration with a virtual wire (vwire) subinterface where session setup packets sent to peer firewalls were sent back as HA2/HA3 race conditions, which caused an increase in packet descriptors and traffic to stop responding.||traffic can be affected intermittently due to high packet descriptor||Due to the race condition on session setup, packets loop in HA2/HA3 that affects Packet descriptor||Session setup/owner set for first-packet/first-packet. Otherwise, use Active/Passive mode||8.1.5|
|PAN-106016||8.0.x,8.1.x||Fixed an issue on PA-800 Series firewalls where a kernel memory spike caused the firewall to restart.||unexpected system restart||lack of kernel memory||none||8.0.14,8.1.5|
|PAN-106936||8.0.x,8.1.x||Fixed and issue where PA-800 Series firewalls intermittently restarted due to a kernel error.||unexpected system restart||heavy use of serial driver caused watch dog timeout||none||8.0.14,8.1.5|
|Fixed an issue where a hardware packet buffer leak caused firewall performance to degrade.||Hardware packet buffers depletion||In rare condition, the hardware packet buffer is not released||none||8.1.4,8.0.13
|Fixed an issue on a PA 3200 Series firewall where the dataplane failed due to an internal path monitoring failure.||Internal path monitor failure||Communication failure in link between MP and DP||none||8.1.4 and 9.0.0|
|Fixed an intermittent issue on a PA-3200 Series firewall where the forwarding information base (FIB) did not update correctly, which prevented successful forwarding of offloaded traffic.||Some offloaded traffic is not forwarded correctly.||FIB entry in DP is no update properly due to programming error||Disable session offload||8.1.4 and 9.0.0|
PA-3000 series /
|Fixed an issue where the PA-3000 series firewalls passed file-descriptors in a dataplane ("pan_comm") process during content (apps and threat) installation as well as FQDNRefresh job execution, which caused the hardware Layer 7 engine to incorrectly identify applications.||App-ID(L7 process) stop working
|File descriptor leak in pan_comm process in charge of commit in DP||none||
|Fixed an issue where the firewall incorrectly dropped ARP packets and increased the "flow_arp_throttle" counter.||ARP does not work /Traffic stop||ARP packet throttling feature mistakenly counts number of arp inspected and drops arp packets||none||
8.0.12 and 8.1.3
|Fixed an issue on PA-3200 series firewalls where the offload processor did not process route-deletion update messages , which left behind stale route entries and caused sessions to become unresponsive during the session-offload stage.||Packet drop due to routing table problem in Offload chip||FIB in Offload chip(FE100) has not updated properly after route deletion||Disabling session offload||8.1.3|
|Fixed an issue where PA-5200 Series and PA-3200 Series firewalls in an active/active high availability (HA) configuration sent packets in the wrong direction in a virtual wire deployment.||
MAC flapping happen on neighouring switch.
Traffic disruption can happen
|In ha Active-Active vwire case, when device forwards packets through ha3 link. the header info is correctly set in some cases, causing such packets are forwarded back to the HA peer, instead of forwarding locally.||In one of the cases (00810651), disabling session offload has resolved the issue.||8.0.10 and 8.1.2|
|Fixed an issue where the User-ID process ("useridd") stopped responding when a virtual system connected to more than one User-ID agent with NT LAN Manager (NTLM) enabled.||
useridd process crash/
Useridd high file descriptor/ Useridd
|memory corruption of connection state||configure only one user-id-agent with NTLM enabled in each vsys.||
8.0.10 and 8.1.1
Affected platform: PA-3000 Series and PA-5000 Series
Description (release note): Fixed an issue where administrators failed to log in to the firewall due to an out-of-memory condition that intermittently caused the firewall to continuously restart processes. (PAN-90143 provided an initial memory enhancement in PAN-OS 8.0.9 that reduced the frequency of these out-of-memory events.)
Impact: Low memory in the MP kernel leads to system instability such as admin login failure / out of memory in the MP.
Root cause: The Linux kernels used by PAN-OS 8.x/9.x have a memory leak that was fixed in the mainline Linux kernel; the fix ports that patch from the mainline kernel.
Workaround: Reboot the system.
Fixed release: 8.0.10 and 8.1.1

Issue ID: PAN-79989
Affected versions: 8.0.0-8.0.8
Description (release note): Fixed an issue on firewalls with custom signatures configured where low memory conditions intermittently caused commit or content installation failures with the following error: "Threat database handler failed."
Impact: Commit failure.
Root cause: devsrvr uses the fork() system call to spawn a child process (tdb_compile) to compile content during commit. When free memory is low, this fork() call can fail, which fails the commit or the content installation.
Workaround: Reboot the system.
Fixed release: 8.1.0, 8.0.9

Affected versions: 8.0.0-8.0.8 and 8.1.0
Description (release note): Fixed an issue where administrators intermittently failed to log in to the firewall because it intermittently restarted processes continuously due to an out-of-memory condition.
Impact: System stability / system unresponsive.
Root cause: Kernel trackable memory is constantly decreasing. Changing the kernel configuration by disabling page mobility could stop the decrease.
Workaround: Reboot the system.
Fixed release: 8.1.1, 8.0.9

Affected versions: 7.1.0-7.1.16 and 8.0.0-8.0.8
Description (release note): Fixed an issue on PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls where one or more dataplanes did not pass traffic when you ran several operational commands (from any firewall user interface or from the Panorama management server) while committing changes to device or network settings or while installing a content update.
Impact: Traffic drop.
Root cause: Mis-programming in pancomm, which used the wrong bypass queue ID.
Workaround: Do another commit if this happens.

Description (release note): Fixed an issue where a small percentage of writable third-party SFP transceivers (not purchased from Palo Alto Networks®) stopped working or experienced other issues after you upgraded the firewall to which the SFPs are connected to a PAN-OS [8.0 | 8.1] release. With this fix, you must not reboot the firewall after you download and install the PAN-OS [8.0 | 8.1] base image until after you download and install the PAN-OS [8.0.9 | 8.1.x] release. For additional details, upgrade considerations, and instructions for upgrading your firewalls, refer to the PAN-OS 8.1 upgrade information.
Impact: Unsupported SFPs stop working.
Root cause: The SDK had an I2C read error inserted. This gave the I2C bus driver in PAN-OS 8.0 (and the initial 8.1.0) a logical error in the read functions, which disrupted the controller-to-device protocol sequence.
Workaround: Use supported SFPs.

Affected versions: ... and all older mainlines
Description (release note): Fixed an issue where PA-7000 Series firewalls rebooted continuously because the "brdagent" process stopped responding during bootup due to HSCI interface initialization.
Impact: Firewall reboots.
Root cause: The FPP brdagent is tied up initializing the Marvell PHYs and cannot respond to heartbeats; as a result it gets killed by masterd.
Workaround: Disable the HSCI ports or remove the HSCI QSFP+ module during the reboot.

Affected versions: ... and all older mainlines
Description (release note): Fixed an issue where the firewall dataplane stopped responding after you used nested wildcards ("*") with "." or "/" as delimiters in the URLs of a custom URL category ("Objects > Custom Objects > URL Category") or in the "Allow List" of a URL Filtering profile ("Objects > Security Profiles > URL Filtering > <URL-filtering-profile> > Overrides"). With this fix, the firewall does not allow you to use nested wildcards in such cases. For details, see "NESTED WILDCARD(*) IN URLS MAY SEVERELY AFFECT PERFORMANCE".
Impact: DP crash and restart due to custom URL lookup.
Root cause: Misconfiguration of a custom URL category using nested asterisks causes high DP CPU load. Note: the fix is an additional configuration check that prevents such a configuration.
Workaround: Use fewer asterisks in the configuration; see the link in the description for details.

Issue ID: PAN-83687
Affected versions: 8.0.0-8.0.6
Description (release note): Fixed an issue on Panorama M-Series appliances where the "configd" process stopped responding during a "Commit > Commit and Push" operation where Panorama pushed configuration changes to Collector Groups.
Root cause: During the commit, a table data structure under the collector settings is destructed.
Workaround: Do not do a Panorama commit and a Collector Group push at the same time.
Fixed release: 8.1.0, 8.0.7

Description (release note): Fixed an issue where PAN-OS removed the IP address-to-username mappings of end users who logged in to a GlobalProtect internal gateway within a second of logging out from it.
Impact: User-to-IP mapping information is not generated properly.
Root cause: When a GlobalProtect logout and login event happen within the same second, User-ID on the firewall cannot determine the sequence of these events, because timestamps with second granularity are used to distinguish them.
Workaround: No workaround available.

Description (release note): Fixed an issue where the firewall management plane or control plane continuously rebooted after an upgrade to PAN-OS 8.0, and displayed the following error message: "rcu_sched detected stalls on CPUs/tasks".
Impact: Continuous MP/CP restart.
Root cause: I2C issue: an SFP module holds the bus, so the I2C controller reset cannot finish.
Workaround: Use supported SFPs.

Description (release note): Fixed an issue where blocking proxy sessions to enforce Decryption policy rules caused packet buffer depletion, which eventually resulted in packet loss.
Impact: Hardware buffer leak that could affect any type of traffic handled by the DP.
Root cause: Packet buffers leak because of RST packets generated as part of policy enforcement (denied traffic) in combination with no-decrypt rules.
Workaround:
1. In the SSL no-decrypt rule, remove the actions from "No Decrypt" in the decryption profile.
2. Change the deny rule in the policy to drop.

Description (release note): Fixed an issue where PA-800 Series firewalls became unresponsive until you rebooted them, and the firewalls generated no logs from when they stopped responding to when they finished rebooting.
Impact: System unresponsive; no CLI/console/ping response. A manual restart is required to recover from the issue.
Root cause: The PA-800 uses a proprietary MDIO kernel driver. This driver had a bug that caused a deadlock condition.

Affected platform: PA-5000 Series and PA-3000 Series
Description (release note): Fixed an issue where PA-5000 Series and PA-3000 Series firewalls that were running low on memory briefly became unresponsive, stopped processing traffic, and stopped generating logs.
Impact: The firewall "hangs" and cannot be accessed via SSH/GUI. No logs are written, and there is no management console output.
Root cause: The larger memory footprint of 8.0 is causing the issue.
Workaround: Downgrade to 7.1.x (issue only reported on 8.0.x so far).

Affected platform: Primarily low-memory platforms such as the PA-200 and M-100; other platforms can experience the same issue.
Description (release note): Fixed an issue on the firewall and Panorama management server where a memory leak caused several operations to fail, such as commits, FQDN refreshes, and content updates.
Impact: Commit failing and/or memory leak with the error "fork() failed!" / Symptoms include failing to commit, GUI unresponsive, HA config sync failing, MP memory leak, daemon crashes, and high MP CPU.
Root cause: In 8.0 we upgraded to 64-bit; hence virtual and resident memory usage goes up slightly.
Workaround: On the M-100, upgrading to 32GB of memory should greatly reduce occurrences. For the PA-200 or other platforms, no workaround exists short of downgrading to 7.1.x.

Affected platform: PA-7000 Series with Panorama
Description (release note): LPC stopped saving and displaying new logs due to a memory leak after a Panorama management server running PAN-OS 8.0 or newer
Impact: PA-7050 logging stops / logrcvr crashing on the PA-7050.
Root cause: The issue commonly happens on a 7K firewall running a 7.x release that is managed by a Panorama running 8.0 (Rome). The firewall fails to process GTP report definitions, which causes a memory leak.
Workaround: From the Panorama (running 8.0 or newer) CLI, in configuration mode:
set deviceconfig setting management disable-predefined-reports [ gtp-spoofed-end-ip gtp-malicious-wildfire-submissions top-gtp-attackers top-gtp-victims gtp-users-visiting-malicious-url ]
Fixed release: 8.0.6, 7.1.13, 7.0.19

Affected platform: All software QoS platforms listed in the description
Affected versions: 8.0.0 to 8.0.5, 7.1.0 to 7.1.14
Description (release note): Fixed an issue on PA-3000 Series, PA-800 Series, PA-500, PA-220, PA-200, and VM-Series firewalls where QoS throughput dropped on interfaces configured to use a QoS profile with an "Egress Max" set to 0Mbps or more than 1143 Mbps ("Network > Network Profiles > QoS Profile").
Impact: QoS enforces a lower maximum bandwidth than configured.
Root cause: Coding error limiting the maximum to 1 Gbps.
Workaround: Lower the QoS bandwidth below 1143 Mbit/s, or downgrade to <=7.1.10 and/or <=8.0.3.

Affected versions: 8.0.0 to 8.0.4
Impact: VM-Series: traffic getting dropped due to flow_qos_pkt_timeout.
Root cause: QoS packets are not dequeued after 82 days because the QoS timer variable was not reset properly.
Workaround: Disable the QoS configuration.

Affected versions: 8.0.0 to 8.0.4
Impact: Internal link instability between the DP and the CE (Content Engine). Affects 5200 platforms. The system can continue to boot even if CE init fails, which causes issues with Layer 7 inspection, HA path monitoring, etc. controlplane-console-output.log shows the following error:
nac0: Memory channels init incomplete
Root cause: Internal link issue between the DP and the CE.
Workaround: Use software AHO and DFA:
> debug dataplane fpga set sw_aho yes
> debug dataplane fpga set sw_dfa yes

Impact: Multiple DP restarts by all_pktproc.
Root cause: DP crash due to a small memory pool size in 8.0.4. Seen only on the PA-5220 and PA-5250. With the same cause, other symptoms such as GlobalProtect (GP) connections dropping and SSL decryption traffic failing could happen.
Fix: Fixed the memory pool size on the affected platforms.
Workaround: Use platforms other than the PA-5220 or PA-5250, or downgrade to 8.0.3.

Affected versions: 8.0.0 to 8.0.4
Impact: logd high memory on M-Series. Typical symptoms:
- Traffic and threat logs delayed on Panorama for 24 hours
- OOM kernel crash
- Memory allocation failure
Root cause: Indexing of messages in the evtmgr queues starts building up. This causes the memory buildup in logd and results in the indexing process not being able to start up.

Affected versions: 8.0.0 to 8.0.3
Impact: reportd memory leak on M-Series. reportd memory increases until it runs out, which can cause sluggish performance or loss of the ability to manage.
Root cause: The reportd memory leak happens only on M-Series in combo mode.
Fix: Fixed various memory leaks in the reportd process.
Workaround: Do not use combo mode; use dedicated Log Collectors.

Affected platform: Not platform specific
Impact: High DP CPU with high urlcache_lookup processing time. High DP utilization and general traffic slowness caused by URL Filtering; the processing time of urlcache-related functions goes up in "debug dataplane pow performance".
Root cause: Issue with the URL cache when the cache grows above 1 million URLs in the MP cache and device-server consumes high CPU. The DP also consumes high CPU looking up the local cache as it grows large.
Workaround: Clear the DP and MP cache:
> clear url-cache all
> delete url-database all
Fixed release: The PAN-DB cloud update of March 2017 has the fix.