Critical Issues Addressed in PAN-OS Releases
476749
Created On 09/26/18 21:07 PM - Last Modified 08/30/23 19:23 PM
Symptom
Historical Critical Issue List Addressed in PAN-OS Releases
Environment
All current PAN-OS
Resolution
Last Updated On : Aug 30th , 2023
This list is limited to critical severity issues as determined by Palo Alto Networks and is provided for informational purposes only.
- Please doublecheck the information in release notes to see the latest info about fixed versions.
- Please create a case with your support provider for a detailed investigation if you feel you have encountered one of these issues.
- Maintenance releases are the primary mechanism to fix issues.
- A maintenance release is signified by the third digit in the release version number (for example the .2 in PAN-OS 10.1.2 ).
- Asterisk(*) in Fixed release is used for internal check. Please ignore it.
| Bugs |
Affected Platform /Affected Version | Description (release note) | Impact |
Root cause | Workaround |
Fixed release |
|---|---|---|---|---|---|---|
| PAN-225183 | M-Series, Panorama/ 10.1.0-10.1.10 10.2.0-10.2.4 11.0.0-11.0.2 | The SSH tunnels between the log collectors of a collector group go down intermittently causing the Elasticsearch cluster health status to degrade to yellow or red. This has been fixed. | Elasticsearch cluster breaks and is unable to write forwarded logs to disk. | Ciphers used for the SSH tunnels occasionally would result in too large a packet causing the connection to break. | No workaround | 10.1.11, 10.2.5, 11.0.3 |
| PAN-221984 | VM-Series NGFWs in Microsoft Azure environments/ 10.1.0-10.1.10, 10.2.0-10.2.4, 11.0.0-11.0.2 | Fixed an issue where an interface went down after a hotplug event and was only recoverable by restarting the firewall. | Dataplane interfaces go down after a hotplug event. | PANOS process makes a DPDK call on an invalid port ID after hot removal on Azure. | None | 10.1.10-h2, 10.1.11, 10.2.4-h4, 10.2.5, 11.0.2-h1, 11.0.3 |
| PAN-216984 | All PAN-OS NGFWs/ 10.1.0-10.1.10 10.2.0-10.2.4 11.0.0.-11.0.1 | Fixed an issue where a stale httpd process caused a buildup of the sysd queues, which further led to either path monitoring failures and process crashes or out of memory crashes. | Multiple crashes on the management plane and unexpected HA failovers and loss to GUI and CLI. | httpd process does not exit cleanly and holds on to resources which causes the sysd queue to get stuck and processes to not respond to heartbeats. | Among the HA peers, find the unit that has stale httpd process with large Recv-Q which either seems to be stuck or increasing. And then restart web-backend service on the unit. This recovery step will stop crashes and stabilize the devices, but the issue could appear again. | 10.1.10-h1 , 10.1.11, 10.2.5, 11.0.2 |
| PAN-216043 | All PAN-OS NGFWs/ 10.1.0-10.1.10 10.2.0-10.2.4 11.0.0-11.0.1 | Continuous crashes of the wifclient process have been fixed. The repeated process restarts would lead to a reboot of the PANOS device. | Continuous wifclient process crashes and unexpected devices restarts. | Caused by memory corruption when large amounts of traffic are sent to certain cloud services (such as Enhanced Application Logs in IOT). | Disable IOT service. | 10.1.11, 10.2.4-h4, 10.2.5, 11.0.2 |
| PAN-215315 | All PAN-OS NGFWs/ 10.1.0-10.1.10 10.2.0-10.2.4 11.0.0-11.0.2 | Fixed an issue where the dataplane stopped responding due to ager and inline packet processing occurring concurrently on different cores for the same session. | Multiple cores result in dataplane instability and unexpected reboots. | Race condition where the same packet is processed simultaneously by two different functions. | No workaround | 10.1.10-h1, 10.1.11, 10.2.4-h3, 10.2.5, 11.0.2 |
| PAN-210607 | All PAN-OS NGFWs/ 11.0.0-11.0.1 | Fixed an issue where enabling Inline Cloud Analysis on Anti-Spyware, Vulnerability Protection, or URL Filtering Security profiles caused the dataplane to stop responding. | Multiple cores result in dataplane instability and unexpected reboots. | Enabling Inline Cloud Analysis leads to a situation where a memory structure is used after being freed. | Disable Inline Cloud Analysis. From CLI, set profiles spyware <name> cloud-inline-analysis no set profiles url-filtering <name> cloud-inline-cat no | 11.0.1-h2, 11.0.2 |
| PAN-209305 | All PAN-OS NGFWs/ 10.2.0-10.2.3 | Fixed an issue where enabling Inline Cloud Analysis caused the content and threat detection (CTD) process flow cleanup to not be done correctly if a threat was encountered during the traffic inspection. | Multiple cores result in dataplane instability and unexpected reboots. | Enabling Inline Cloud Analysis leads to a freed content and threat detection process flow getting accessed. | Disable Inline Cloud Analysis. From CLI, set profiles spyware <name> cloud-inline-analysis no set profiles url-filtering <name> cloud-inline-cat no | 10.2.4 |
| PAN-208325 | PA-5400, PA-3400, PA-400/ 10.1.0-10.1.9 10.2.0-10.2.4 11.0.0-11.0.1 | Fixed an issue where the firewall was unable to automatically renew the device certificate. | Impacted devices cannot connect to CDL, Wildfire cloud, PANDB or send telemetry data. | Devices with TPM (Trusted Platform Module) send the wrong device type for the renewal command. | No workaround | 10.1.10, 10.2.5, 11.0.2 |
| PAN-207533 | All PAN-OS NGFWs/ 10.2.0-10.2.3 11.0.0 | Fixed an issue with firewalls in HA configurations where ARP and IPv6 multicast packets were transmitted from the passive firewall. | Split brain in an HA environment. | Passive firewall allowed ARP and IPv6 packets to leak. | Suspend the passive device. | 10.2.4, 11.0.1 |
| PAN-222712 | PA-5450/ 10.1.0-10.1.10 10.2.0-10.2.4 11.0.0-11.0.2 | Fixed a low frequency DPC restart issue. | Path monitoring failures causes device to go down. | Switching frequency of the hardware component not optimal on occasion causing the card to not respond. | No workaround | 10.1.10-h2, 10.1.11, 10.2.4-h4, 10.2.5, 11.0.2-h1, 11.0.3 |
| PAN-206933 | PA-400/ 10.1.0-10.1.10 10.2.0-10.2.4 11.0.0-11.0.1 | Fixed a silent reboot or port flaps that would occur on PA-400s due to a race condition between PDT register read and brdagent polling. | Unexpected reboots or flapping of links. | Race condition between PDT register read and brdagent polling. | No workaround | 10.1.11, 10.2.4-h3, 10.2.5, 11.0.2 |
| PAN-205729 | PA-3200, PA-7000/ 10.1.0-10.1.8 10.2.0-10.2.3 11.0.0 | Fixed an issue where the CPLD watchdog timeout caused the firewall to reboot unexpectedly. | Unexpected reboots or freezes. | No workaround | 10.1.9, 10.2.4, 11.0.1 | |
| PAN-205255 |
PA-800, PA-3200, PA-5200, PA-7000/ | Fixed a rare issue that caused the dataplane to restart unexpectedly. | Multiple crashes cause the card/device to restart. | Due to a race condition, two different cores were working on the same packet. | No workaround | 10.1.9-h1, 10.1.10, 10.2.4, 11.0.1 |
| PAN-201858 | All PAN-OS NGFWs/ 10.1.0-10.1.8 10.2.0-10.2.3 | Fixed an issue where the SD-WAN interface Maximum Transmission Unit (MTU) led to incorrect fragmentation of IPSec traffic. | Packets incorrectly fragmented on the egress interface impacting network performance. | MTU size incorrectly calculated after packets are decapsulated from SD-WAN tunnel interface. | Perform a commit with configuration change or a commit force. | 10.1.8-h2, 10.1.9, 10.2.4 |
| PAN-201085 | PA-5450/ 10.1.0-10.1.9 10.2.0-10.2.3 | Fixed an issue where inserting the NPC and DPC on slot2 created excessive logs in the `bcm.log file`. | Crashes seen on the brdagent process along with unexpected reboots. | Collection of certain type of SNMP stats on some ports was not supported causing the log files to fill up. | No workaround | 10.1.10, 10.2.4 |
| PAN-199807 | All PAN-OS NGFWs/ 10.1.0-10.1.8 10.2.0-10.2.3 11.0.0 | Fixed an issue where the dataplane frequently restarted due to high memory usage on wifclient. | Dataplane restarts unexpectedly. | High wifclient usage can cause memory corruption. | No workaround | 10.1.9, 10.2.4, 11.0.1 |
| PAN-199738 | PA-5400/ 10.1.0-10.1.9 10.2.0-10.2.3 11.0.0 | Fixed an issue where upgrades remained at 71%, which caused the firewall to stop responding until it was manually power cycled. | Upgrade fails. | File system gets corrupted due to the BIOS upgrade. | No workaround | 10.1.10, 10.2.4, 11.0.1 |
| PAN-198174 | All PAN-OS NGFWs/ 10.1.0-10.1.8 10.2.0-10.2.3 | Fixed an issue where, when viewing traffic or threat logs from the **Application Command Center** (ACC) or **Monitor** tabs, performing a reverse DNS lookup caused the *dnsproxy* process to restart if DNS server settings were not configured. | dnsproxyd crashes cause unexpected reboot. | Same memory was being freed twice during error handling. | Configure a DNS server IP in device DNS setting. | 10.1.9, 10.2.4 |
| PAN-195201 | All PAN-OS NGFWs/ 10.1.0-10.1.8 10.2.0-10.2.3 | Fixed an issue where high volume DNS Security traffic caused the firewall to reboot. | Unexpected reboot. | Race condition where shared variables were not protected through locks. | No workaround | 10.2.4 |
| PAN-195149 | All PAN-OS NGFWs | Fixed an issue where firewall administrators were unable to log in to the web interface when RADIUS two-factor authentication was used. | Administrators are unable to log into the web interface. | Incorrect parameters picked when the https process that initiates the auth request is not the one that receives the auth request. | No workaround | 10.2.3-h4, 10.2.4, 11.0.1 |
| PAN-193808 | All PAN-OS NGFWs | Fixed a memory leak issue in the mgmtsrvr process that resulted in an OOM condition. | Device runs out of memory causing processes to restart or the device to reboot. | When the connection between the firewall and Panorama flaps, SSL connection related memory is not freed. | Maintain a stable connection between firewall and Panorama/Log Collector | 10.1.9, 10.2.4 |
| PAN-192456 | All PAN-OS NGFWs | Fixed an issue where GlobalProtect SSL VPN processing during a high traffic load caused the dataplane to stop responding. | Repeated crashes causes the DP to exit. | The dataplane operations are not atomic when the GP tunnel is in SSL VPN mode. | No workaround | 10.1.9, 10.2.4, 11.0.2 |
| PAN-188912 | All PAN-OS NGFWs/ 9.1.0-9.1.15 10.1.0-10.1.8 10.2.0-10.2.3 | Fixed an issue where authentication failed due to a process responsible for handling authentication requests getting corrupted. | Authd might crash and cause commit failures. | Race condition when an FQDN commit and a normal commit occur within milliseconds of each other. | Avoid using an FQDN object for the LDAP server. | 9.1.16, 10.1.9, 10.2.4 |
| PAN-186412 | PA-220/ 10.1.0-10.1.8 10.2.0-10.2.3 11.0.0 | Fixed an issue where invalid `packet-ptr` was seen in work entries. | Crashes can cause instability in the DP | The shared packet buffer pool between MP and DP can cause crashes. | No workaround | 10.1.9-h1, 10.1.10, 10.2.4, 11.0.1 |
| PAN-160633 | PA-3200, PA-5200, PA-7K/ 9.1.0-9.1.16 10.1.0-10.1.10 10.2.0-10.2.4 11.0.0-11.0.2 | Fixed an issue where the dataplane restarted repeatedly after a reboot due to an internal path monitoring failures until a power cycle. | DP might go down after a reboot or an upgrade. | The MP to CP ports do not come up after a bios upgrade or reboot. | Hard reboot the device. |
9.1.17, 10.1.10-h2, 10.1.11, 10.2.5, 11.0.3
|
| PAN-215461 | PA-5250,PA-5260,PA-7K 10.1.0-10.1.9 10.2.0-10.2.3 | Fixed an issue where the GRE keepalive packets leaked and filled up the packet buffers. | Packet buffer leak affects DP stability. | GRE keepalive packets on a multi-DP platform were not freed | Disable GRE keepalive and reboot the FW to recover | 10.2.4, 10.1.10, 10.1.9-h3 |
| PAN-215488 | 11.0.0 10.2.0-10.2.3 10.1.0-10.1.9 9.1.0-9.1.15 | Fixed an issue where an expired Trusted Root CA was used to sign the forward proxy leaf certificate during SSL Decryption. | SSL decryption fails. | Mistakenly using cache for expired intermediate certificate | Clear certificate cache | 11.0.1,10.2.4,10.1.10,10.1.9-h3,9.1.17 |
| PAN-206921 | GP against all on-prem NGFWs 10.2.2-10.2.3 | Fixed an issue where GlobalProtect client certificate authentication failed on a gateway when the gateway was placed behind a NAT. | GlobalProtect client certificate authentication fails. | The change in the IP address, due to the NAT caused incorrect processing by the gateway. | No workaround | 10.2.3-h4, 10.2.4 |
| PAN-206005 | PA-1400,PA-3400, PA-5400f 10.2.0-10.2.3 11.0.0 | Fixed an issue where the `l7_misc` memory pool was undersized and caused connectivity loss when the limit was reached. | User access to traffic is impacted. | l7_misc pool size was undersized | Enable "Strip ALPN" if http2 is affected. | 10.2.4, 11.0.1 |
|
PAN-206243 |
mainly seen in PA200,PA200R/ |
Fixed an issue where the firewall reached the maximum disk usage capacity repeatedly in one day. |
Disk full issue |
The existing cleaning methods are not efficient /fast enough to clean the old logs/compress them. |
Enable aggressive cleaning debug software disk-usage aggressive-cleaning enable Set the cleanup threshold to 90 debug software disk-usage cleanup threshold 90 |
10.2.4,10.1.9 |
|
PAN-194068 |
PA5200/ |
Fixed an issue where the firewall unexpectedly rebooted with the log message "Heartbeat failed previously" |
Unexpectedly reboot |
MP lockup due to a bug in BIOS | No workaround |
10.1.8-h2, 10.1.9, 10.2.4, 11.0.1 |
|
PAN-201872 |
All PAN-OS NGFWs/ |
Fixed an issue where SMB performance caused overall network latency after an upgrade. |
Users might experience network latency. |
Regex lookup is not freed in certain code path |
Application override the traffic that uses regex lookup memory. In many but not all instances, the traffic that needs to be overridden is SMB traffic. |
9.1.15, 10.1.8, 10.2.3-h2, 10.2.4 |
|
PAN-201627 |
10.1.6-h6,10.1.7 |
Fixed an issue in NGFW's where, when SD-WAN was configured, the dataplane restarted if all SD-WAN member links were down due to an out-of-memory (OOM) condition or during a reboot when all SD-WAN tunnels were down. |
DP restart |
Fork process created zombie processes. |
Avoid to use 10.1.6-h6, 10.1.7 |
10.1.8, 10.2.3 |
|
PAN-199099 |
10.1.7,10.2.2 |
Fixed an issue where, when decryption was enabled, Safari and Google Chrome browsers on Apple Mac computers rejected the server certificate created by the firewall because the Authority Key Identifier was copied from the original server certificate and did not match the Subject Key Identifier on the forward trust certificate. |
Decryption issue when using GP via Safari or Google chrome browsers |
An issue mistakenly copying AKID extension to a new cert, causing validation failures on some browsers. |
Use a Forward Trust CA that does not contain an Authority Key Identifier (AKID) nor a Server Key Identifier (SKID). This is standard in PAN firewall created certs. |
10.2.3,10.1.8 |
| PAN-198266 | PA-400, PA-3400, PA-5400 10.2.2 | Fixed an issue where, when predicts for UDP packets were created, a configuration change occurred that triggered a new policy lookup, which caused the dataplane stopped responding when converting the predict. This resulted in the policy lookup returning a policy denial. | DP crash | The logging code access a non-existent field when generating a deny log for a predict. This happens when an allow policy is removed or changed to deny and pre-exiting predicts created by ALG are no longer valid. | clear all predicts before a config commit. "clear session all filter type predict" | 10.1.8,10.2.3 |
| PAN-191216 | 10.2.0-10.2.2 | Fixed an issue where, on Apple iOS devices, SAML authentication did not connect to the GlobalProtect portal. | GP on iOS with SAML does not work | Since 10.2.0, GP server is missing to SAML related result in HTTP header | N/A | 10.2.3 |
| PAN-196005 | PA-3200 Series, PA-5200 Series, and PA-5400 Series firewalls only 10.1.0-10.1.6 10.2.0-10.2.2 (only 10.1.6 is reported) | Fixed an issue where GlobalProtect IPSec tunnels disconnected at half the inactivity logout timer value. | GP tunnel goes down every 30minutes | Because of local time handling difference in MP and DP for a GP tunnel timeout feature, NGFW mistakenly disconnects GP tunnel. | To sync time for this, power off the fw then power up. NOT reboot. | 10.1.7,10.2.3 |
| PAN-191558 | 10.0.10, 10.1.5-10.1.6, 10.2.1-10.2.2 | Fixed an issue where, after an upgrade to PAN-OS 10.1.5, Global Find did not display all results related to a searched item. | Global does not | A searchAttribute instance throwing a null pointer error on searching causes endless loading | N/A | 10.0.11, 10.2.3, 10.1.7, 10.1.6-h3 |
| PAN-189395 | PA-400 10.2.0-10.2.1 | PA-400 Series firewalls only: Fixed an issue where running a PAN-OS 10.2 release caused dataplane processes to restart unexpectedly. | dataplane process restart | memory leak in memory buffer | No workaround | 10.2.2 |
| PAN-189468 | 9.1.13 10.0.10 10.2.0 | Fixed an issue where sessions were dropped with the message `resource-unavailable` due to the content inspection queue filling up. | session drops due to 'resource-unavailable' | ctd memory space is held due to wrong memory freeing | set system setting ctd nonblocking-pattern-match disable (This will cause higher packet buffer CPU usage.) | 9.1.14,10.0.10-h1,10.0.11,10.1.5,10.2.1 |
| PAN-183826 | 9.1.12-9.1.13 10.0.8 10.1.0-10.1.6 10.2.0 | Fixed an issue where, after clicking "WildFire Analysis Report", the web interface failed to display the report with the following error message: `refused to connect`. | WildFire Analysis Report can't be seen in WebUI | The issue is because the x-frame-options is set to deny so the WF report is unable to display within the iframe | "View frame source" on right click menu on failed analysis report. remove "viewsource" from the opened link. the link starts with "viewsourcehttps://x.x.x.x/wf_report/". then open the page. | 9.1.14,10.0.9,10.1.7,10.2.1 |
| PAN-175211 | 9.0.0-9.0.15 ,9.1.0-9.1.12 ,10.0.0-10.0.8 ,10.1.0-10.1.3 | Fixed a memory leak issue in the mgmtsrvr process. | mgmtsvr process memory leak | When there is constant reconnect from FW to Panorama, old SSL structure is not freed and newly allocated SSL structure overwrites a memory space leaks. | No workaround | 9.0.16, 9.1.13, 10.0.9, 10.1.4 |
| PAN-187183(PLUG-10024) | All PA-VM in 10.1.4 VM Plugin 2.1.4 | Fixed an issue with `vm_license_response.log` that consumed a large portion of the root partition. | root partition full | License fetch log is consuming root space | From admin CLI, admin@PA-VM> debug-log mp-log file vm_license_response.log_backup.gz successfully removed vm_license_response.log_backup.gz | VM Plugin: 2.1.5, 3.0.0 |
| PAN-181116 | 10.1.0-10.1.4 | Fixed memory corruption issues in PAN-OS 10.1.3 and 10.1.4 that caused the "pan_comm" process to stop responding and the dataplane to restart. These issues also caused GlobalProtect tunnels to fall back to SSL instead of IPSec due to the inadvertent encapsulation of the ICMP keepalive response from the firewall. | GP does not connect with IPSEC ESP and instead switches to SSL | In original design, mix mode was not supported. If ssl tunnel and ipsec tunnel established together, their config are messed up. It caused tunnel failed. | N/A | 10.1.5 |
| PAN-185750 | 10.1.4 | Updated an issue to eliminate failed `pan_comm` software issues that caused the dataplane to restart unexpectedly | pan_comm process crash | timestamp variable was not cleared properly and it' | No workaround | 10.1.5, 10.1.4-h4 |
| PAN-186937 | 9.1.0-9.1.11 | Fixed an issue where the firewall dropped packets decrypted using the SSL Decryption feature and Encapsulating Security Payload (ESP) IPSec packets that originated from the same firewall. This occurred when **Strict IP Address Check** was enabled in the zone protection profile (**Packet Based Attack > IP Drop**) and the packet's source IP address was the same as the egress interface address. | packet drop on SSL decryption and ESP IPsec on the same FW |
The bug was caused when strict IP was on and packet source IP == egress IP. This caused packets, like ESP and SSL decrypt for example, to be erroneously dropped" | Disable the Strict IP Address Check option in the Zone Protection profile. Alternatively, downgrade to 9.1.11 or earlier or upgrade to 10.0.0 or later if you want to enable the Strict IP Address Check. | 9.1.14 |
| PAN-179274 | 9.1.0-9.1.12,10.0.0-10.0.9, 10.1.0-10.1.4 | Fixed an issue on high availability configurations where, after upgrading to PAN-OS 9.1.10, PAN-OS 10.0.6, or PAN-OS 10.1.0, the HA1 and HA1-Backup link stayed down. This issue occurred when the peer firewall IP address was in a different subnet. | HA1/HA1 backup link not coming up | Internal routing lookup mechanism didn't work as expected | No workaround | 9.1.13,10.0.10,10.1.5,10.2.0 |
| PAN-177762 | 10.0.0-10.0.8,10.1.0-10.1.3 | Fixed an issue where `wificlient` in PAN-OS 10.0 and later releases caused processing delays, on-chip descriptor spikes, and buffer usage. | Traffic is intermittently dropped | from 10.0, new feature tends to hold cores. It can cause high packet descriptor on-chip or buffer usage. | Disable EAL | 10.0.9,10.1.4 |
| PAN-172243 | 8.1.0-8.1.21,9.0.0-9.0.14, 9.1.0-9.1.12,10.0.0-10.0.8, 10.1.4-10.1.4 | Fixed an issue where NetFlow traffic triggered a packet buffer leak. | packet buffer full should cause general traffic processing in DP | Netflow saved packet leaked on commit as netflow profile changes memory space | Disable Netflow | 8.1.22,9.0.15,9.1.13, ,10.0.9,10.1.5* |
| PAN-183767 | 8.1.21,9.1.12,10.0.8, 10.1.3 | Fixed an issue where downloading Dynamic Updates files failed when connected to the static update server at `us-static.updates.paloaltonetworks.com`. | PAN-OS is not abl e to download software image from update server | A code change in affected version provided wrong option for a download command. | use "updates.paloaltonetworks.com" instead. | 8.1.22, 9.0.15,9.1.13, 10.0.8-h2,10.0.9,10.1.5 |
| PAN-177941 | PA-70x0 (100G-NPC)/ 10.0.0-10.0.7 10.1.0-10.1.2 | Fixed an issue where the `bcm.log` and `brdagent_stdout.log-<datestamp>` files filled up the root disk space | Root partition full | Unnecessary logs are generated on file system | Use ports 1-8 on LFC for log forwarding. | 10.0.8, 10.1.3 |
| PAN-172580 | 10.0.0-10.0.7 10.1.0-10.1.2 | Fixed an intermittent issue where commits failed after a commit validation and were modified for custom URL category objects. | Intermittent commit failures | Candidate internal ids are not cleaned up for validate job during phase1 abort. It affects the subsequent commit for such. | Restore the url pattern changes made after the validate job and commit. OR Skip Validate and enforce commit | 10.0.8, 10.1.3 |
| PAN-169064 | 9.1.0-9.1.10 10.0.0-10.0.6 10.1.0 | Fixed an issue where the management CPU remained at 100% due to a large number of configured User-ID agents. | memory leak on useridd | 1) hip report xml buffer was not released after message was sent out which caused memory leak 2) High CPU issue is caused by a busy loop ,because a big number of jobs are scheduled and FD is alway readable during the job waiting period. | Reducing the number of configured userid agents/clients can alleviate the issue. | 10.1.1, 10.0.7 and 9.1.11 |
| PAN-169551 | 9.1.8-9.1.9 | Fixed an issue where custom URL categories hit incorrect URL categories, which caused the firewall to miss or deny the security policies for the configured custom URL | URL category lookup fails | Id-manager mis-manage the table on commit , caused URL pattern lost on DP |
For customers using custom URL categories only (NO EDL-URL), before committing any URL pattern changes,
For customers using EDL-URL,
| 9.1.10 |
| PAN-163800 | 9.1.0-9.1.10, 10.0.0-10.0.6, 10.1.0 | Fixed an intermittent issue where the presence of an Anti-Spyware profile in a Security policy rule that matched DNS traffic caused DNS responses to be malformed in transit. | dns response is corrupted | code of license check and TTL modification had a bug to handle DNS response | Remove anti-spyware that contains dns security profile | 9.1.11,10.0.7,10.1.1 |
| PAN-146250 | 8.1.0-8.1.19, 9.0.0-9.0.13, 9.1.0-9.1.9, 10.0.0-10.0.6 | Fixed an issue where, in two separate but simultaneous sessions, the same software packet buffer was owned and processed. | DP crash | For inter-vsys scenario, the same sw packet buffer could be processed in two different sessions at the same time, which in turn cause the issue. | Use IPsec VPN instead of using SSL | 8.1.20,9.0.14,9.1.10,10.0.7 |
| PAN-156017 | 9.1.0-9.1.6, 10.0.0-10.0.2 | Fixed an issue where a host information profile (HIP) report XML buffer caused a memory leak | Out of Memory in MP | HIP report buffer was not released after message was sent out which caused memory leak | Disable hip redistribution | 9.1.7,10.0.3 |
| PAN-156225 |
PA-3200series | Fixed an issue where HA1-B port on PA-3200 series remain down after upgrade from 9.1.4 to 9.1.5 | HA1-B link down | failed to fetch a related sysd node | None | 8.1.20,9.0.14, 9.1.9,10.0.5 |
| PAN-136347 | 8.1.0-8.1.18, 9.0.0-9.0.13, 9.1.0-9.1.8 , 10.0.0-10.0.4 | Fixed an issue wherer DNS proxy TCP connections were processed incorrectly, which caused a process (`dnsproxy`) to stop responding. | dnspropyd crash / high CPU | tcp_wait_timer on the daemon didn't cleared correctly | Workaround is to disable TCP connection through DNSproxy daemon, to safely avoid any ability issues with proxied TCP requests. | 8.1.19, 9.0.14, 9.1.9,10.0.5 |
| PAN-150852 | 8.1.0-8.1.18 ,9.0.0-9.0.12 ,9.1.0-9.1.6 ,10.0.0-10.0.4 | Fixed an issue with SMTP that occurred when attachment file names were longer than the allocated buffer. If the file name was longer than the buffer and Layer 7 inspection was enabled, the file was dropped, which caused session errors and an email to not be sent. | DP crash /SMTP packet drop | buffer handling issue when processing SMTP mult-part filename | None | 8.1.19 9.0.13 9.1.7 10.0.5 |
| PAN-143485 | 8.1.0-8.1.18, 9.0.0-9.0.12 , 9.1.0-9.1.6, 10.0.0-10.0.4 | Fixed a memory leak issue related to a process (*devsrvr*). | device server memory leak | multiple leaks (URL,confg,etc) are fixed | Restarting devsrvr before device memory gets depleted | 9.0.13,9.1.8,10.0.0 |
| PAN-156891 | 9.1.0-9.1.7 10.0.0-10.0.4 | Fixed an issue where some zip files did not download and the following error message displayed: `resources-unavailable`. | L7 feature does not work when hitting 'resource-unavailable' error | The decoder buffer would go through a high number of loop in L7 processing. It hits the max limit. |
"set deviceconfig setting session resource-limit-behavior bypass" helps to bypass sessions hitting the error. debug dataplane fpga set sw_aho yes debug dataplane fpga set sw_dfa yes | 9.1.8 10.0.5 |
| PAN-145417 |
9.0.0-9.0.12 | Debug commands were added to address an issue where the firewall connect to Cortex Data Lake due to the Online Certificate Status Protocol (OCSP) message missing the `nextUpdate` value in the OCSP response. | sslmgr memory leak caused an issue on OCSP | Failed OCSP queries are cached for long time. It affects normal behaviour of sslmgr and its memory usage goes up | Restart sslmgr process | 9.0.13,9.1.8,10.0.4 |
| PAN-149297 | 9.1.0-9.1.6 10.0.0-10.0.1 | Fixed a buffer overflow issue on the management server, which forced the administrator to log out on the web interface. | management server crash | Missing close calls for an internal dbs | Avoid doing multiple validate commits, commitAlls | 9.1.7,10.0.2 |
| PAN-153673 |
Technically all FW platform can be affected. but we only get reports from PA5200,PA7000series | Fixed an issue where traffic logs were not shown due to a thread timeout that was causing the reading of the logs from the dataplane to slow. | Logging intermittently stops | the main thread was busy doing cache age out, cause the reading of the logs from the link from the DP slows down greatly. | None | 8.1.18, 9.0.11, 9.1.6, 10.0.2 |
| PAN-152106 | 8.1.14-8.1.16 9.0.8-9.0.10 9.1.0-9.1.5 10.0.0-10.0.1 | Fixed an issue where a process (*genindex.sh*) caused the management plane CPU usage to remain high for a longer period of time than expected. | High MP CPU | The script searches log directories intensively | Configure Max Days for the Log Types to reduce retention days to reduce amount of logs to index. | 8.1.17, 9.0.11, 9.1.6,10.0.2 |
| PAN-154181 | Panorama 8.1.16 | Fixed an issue where, on Panorama, context switching to the web interface of a managed firewall running PAN-OS 8.1.16 did not work. | Context switch is unable | A bug fix prevented context switch from working | None | 8.1.17 |
| PAN-151197 | 9.1.3 10.0.0 | Fixed an issue where a process (*authd*) restarted when an administrator authenticated to the firewall with an Active Directory (AD) account. This issue occurred when LDAP was configured with FQDN, used DHCP instead of a static management IP address, and used the management interface to connect to the LDAP server. | Authd crash | The boundary case that DHCP assigned mgmt IP | Use service route for LDAP | 9.0.10, 9.1.4, 10.0.1 |
| PAN-141221 | 9.0.0-9.0.9 9.1.0-9.1.2 | Fixed an issue where a commit or content update operation with an error was not prevented from executing in the dataplane, which caused corruption in the dataplane policy cache. | DP crash | - When DP phase1 parse error happens on config commit, the abort signal didn't cleanup properly,thus policy cache is corrupted | Make sure the config does not error out in DP | 9.0.10, 9.1.3 |
| PAN-144598 | 8.1.0-8.1.15 9.0.0-9.0.9 9.1.0-9.1.2 | Fixed an issue where dataplane free memory was depleted, which affected new GlobalProtect connections to the firewall | GP connection failure | The URL data structure is not being freed during the clientless VPN app access. | No | 8.1.16, 9.0.10, 9.1.3 |
| PAN-150172 | 8.1.15,9.0.9,9.1.3 | Fixed an issue where dataplane processes restarted when attempting to access websites that had the `NotBefore` attribute less than or equal to Unix Epoch Time in the server certificate with forward proxy enabled. | DP restart when parsing certificate | The 'NotBefore' value was not initialized properly | 1) Import the server's issuer CA to the firewall and mark it trusted, OR 2) Disable decryption to those servers with NotBefore <= 1970/1/1 00:00:00 UTC This is not practical solution | 8.1.15-h3, 8.1.16, 9.0.9-h1, 9.0.10, 9.1.3-h1, 9.1.4, |
| PAN-137387 | 8.1.0-8.1.14 9.0.0-9.0.8 9.1.0-9.1.2 | Fixed an issue where URL filtering used the IP address instead of the hostname, which led to incorrect URL categorization. | Issue on Host header handling causes URL filter function | miss handling when Host header does not come in 1st packet | Enable jumbo frame, or use custom-url-category or custom-appid to detect string "/webapp/wcs/stores/". | 8.1.15, 9.0.9, 9.1.3 |
| PAN-148068 | 8.1.0-8.1.14 9.0.0-9.0.8 9.1.0-9.1.2 | Fixed an issue where SSL connections were blocked if you enabled decryption with the option to block sessions that have expired certificates. This issue included servers that sent an expired AddTrust certificate authority (CA) in the certificate chain. | SSL decryption fails to some site | fixed SSL cert verification process | Disable certificate expiration check. (if no expiration check is acceptable) | 8.1.15, 9.0.9, 9.1.3 |
| PAN-103290 | PA3200series 8.1.14 only | Fixed an issue where the firewall stopped recording dataplane diagnostic data in dp-monitor.log after a few hours of uptime. | DP crash | day-one issue crash when handing | No workaround | 8.1.15 |
| PAN-139587 | PA5200,PA7000series 8.1.0-8.1.14 9.0.0-9.0.8 9.1.0-9.1.4 | Fixed an issue where high and continuous CPU utilization was seen on dataplanes after IPSec Encapsulating Security Payload (ESP) rekeying occurred for multiple tunnels. | High CPU/ High packet descriptor | ESP rekey issue | After failover, reboot the failing FW | 8.1.15, 9.0.9 , 9.1.4 |
| PAN-144479 | 8.1.14 only | Fixed an issue where SNMP objects from the HOST-RESOURCES-MIB returned incorrect values when queried. | snmp for the specific MIB does not work | regression of a snmp fix | No workaround | 8.1.15 |
| PAN-136701 | PA7000series 9.0.0-9.0.7 9.1.0-9.1.1 | Added the following CLI commands to address an issue where packets for new sessions dropped when handling predict sessions: - `set session hwpredict disable yes` - `show session hwpredict status` | packet drop on predict session matching | added workaround command | to disable predict lookup in FPP-HW and use FPP-SW. This is controlled using a operational command. | 9.0.8, 9.1.2 |
| PAN-121626 |
PA3200series | Fixed an intermittent issue where firewalls dropped packets, which caused issues such as traffic latency, slow file transfers, reduced throughput, internal path monitoring failures, and application failures. | Traffic issue | Issue on memory timing | No workaround | 8.1.14,9.0.7,9.1.2 |
| PAN-125534 | PA5200,PA7000series 8.1.0-8.1.13 9.0.0-9.0.7 | Fixed an issue where firewalls experienced high packet descriptor (on-chip) usage during uploads to the WildFire Cloud or WF-500 appliance. | Excessive WF uploads caused high packet descriptor | Excessive WF uploads surpress platform resources. Limit maximum number of outstanding WF uploads |
Configure Device > Setup > WildFire > General Settings > File Size Limits - pe 8 MB | 8.1.14,9.0.8,9.1.2 |
| PAN-135260 | PA7000series only 8.1.12 only | Fixed an intermittent issue where the dataplane process (*all_pktproc_X*) on a Network Processing Card (NPC) restarted when processing IPSec tunnel traffic. | DP crash | Crash during flow lookup Added a validation code | No workaround | 8.1.13,9.0.7,9.1.2 |
| PAN-136820 | 8.1.0-8.1.13 | Fixed an issue where a high availability (HA) failover occurred after the firewall reported the following error message in the System log: `Dataplane down: controlplane exit failure`. | DP crash / down Internal path monitor fails | NFS transfer issue on DP Tweaking NFS options | No workaround | 8.1.14,9.0.0 |
| PAN-102096 | PA7000series 8.1.0-8.1.12 | Fixed an issue where first packet processor packet buffer is not allocated with proper alignment, which caused memory corruption. | internal path monitor failure , FPP crash | Possible memory corruption on FPP | No workaround | 8.1.13 |
| PAN-133440 | PA5200,PA7000series 8.1.8-8.1.12 9.0,9.1 | Fixed an issue where fragmented traffic caused high dataplane use and firewall performance issues. | high CPU/ high packet buffer | fragment reassemble issue | Consider blocking fragments via zone protection. | 8.1.13,9.0.7,9.1.2 |
| PAN-131993 | Panorama series 8.1.11-8.1.12 9.0,9.1 | Fixed an issue where a process (*reportd*) would crash while running a log query. | reportd crash | doublefree while trying cleanup when handling a log query | Allow the query to run to completion before closing the Tab/browser | 8.1.13,9.0.7,9.1.2 |
| PAN-115875 | LFC(PA7000) 9.0.0-9.0.5 | Fixed an issue where a PA-7080b HA pair rebooted when large sized packet traffic impacted the front panel ports of the Log Forwarding Card (LFC). | LFC restart | LFC front port error handling failure on receiving jumbo frames | Avoid connecting the Front Panel ports to networks with jumbo frames | 9.0.6 and 9.1.0 |
| PAN-123667 | 9.0.0-9.0.5 | Fixed an issue where the "snmpd" process was crashing when polling for global counters. | snmpd crash and OOM(out of memory) in kernel | memory leak of snmpd when accessing global counter OIDs | Workaround to avoid this crash is to avoid polling OIDs in the global counters table. | 9.0.6 and 9.1.0 |
| PAN-123322 | PA3200,PA5200,PA7000series 8.1.0-8.1.11 9.0.0-9.0.5 | "PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls running PAN-OS "<8.1.11 | 9.0.5>" only") There is an intermittent issue where a process ("all_pktproc") stops responding due to a Work Query Entry (WQE) corruption that is caused by duplicate child sessions. | dataplane crash | Crash when handing packet in predict session | None | 8.1.12,9.0.6 and 9.1.0 |
| PAN-128269 | PA5200series only 8.1.10-8.1.11 9.0.0-9.0.5 | "PA-5250, PA-5260, and PA-5280 firewalls with 100GB AOC cables only") When you upgrade the first peer in a high availability (HA) configuration to "[PAN-OS 8.1.9-h4 or a later] / [a PAN-OS 9.0]" release, the High Speed Chassis Interconnect (HSCI) port does not come up due to an FEC mismatch until after you finish upgrading the second peer. | HSCI interface down | Internal chip configuration affected AOC module | Consult Techsupport for upgrade procedure, otherwise avoid the releases | 8.1.12,9.0.6 and 9.1.0 |