Critical Issues Addressed in PAN-OS Releases

Created On 09/26/18 21:07 PM - Last Updated 09/17/20 21:22 PM


Last Updated On: Sept 15th, 2020

This list is limited to critical severity issues as determined by Palo Alto Networks and is provided for informational purposes only.

  • Please double-check the release notes for the latest information about fixed versions.
  • Please create a case with your support provider for a detailed investigation if you feel you have encountered one of these issues.
  • Maintenance releases are the primary mechanism to fix issues.
  • A maintenance release is signified by the third digit in the release version number (for example, the .2 in PAN-OS 9.0.2).
  • An asterisk (*) in the Fixed release column is used for internal checks; please ignore it.



Affected Platform (if any) / Affected Version | Description (release note) | Impact | Root cause | Workaround | Fixed release

Fixed an issue where a process (*authd*) restarted when an administrator authenticated to the firewall with an Active Directory (AD) account. This issue occurred when LDAP was configured with FQDN, used DHCP instead of a static management IP address, and used the management interface to connect to the LDAP server. | Authd crash | The boundary case that DHCP assigned mgmt IP | Use service route for LDAP | 9.0.10, 9.1.4, 10.0.1
Fixed an issue where a commit or content update operation with an error was not prevented from executing in the dataplane, which caused corruption in the dataplane policy cache. | DP crash | When DP phase1 parse error happens on config commit, the abort signal didn't clean up properly, thus policy cache is corrupted | Make sure the config does not error out in DP | 9.0.10, 9.1.3
Fixed an issue where dataplane free memory was depleted, which affected new GlobalProtect connections to the firewall | GP connection failure | The URL data structure is not being freed during the clientless VPN app access. | No | 8.1.16, 9.0.10, 9.1.3
PAN-150172 | 8.1.15, 9.0.9, 9.1.3 | Fixed an issue where dataplane processes restarted when attempting to access websites that had the `NotBefore` attribute less than or equal to Unix Epoch Time in the server certificate with forward proxy enabled. | DP restart when parsing certificate | The 'NotBefore' value was not initialized properly | 1) Import the server's issuer CA to the firewall and mark it trusted, OR 2) Disable decryption to those servers with NotBefore <= 1970/1/1 00:00:00 UTC. This is not a practical solution | 8.1.15-h3, 8.1.16, 9.0.9-h1, 9.0.10, 9.1.3-h1, 9.1.4
Fixed an issue where URL filtering used the IP address instead of the hostname, which led to incorrect URL categorization. | Issue on Host header handling causes URL filter function | miss handling when Host header does not come in 1st packet | Enable jumbo frame, or use custom-url-category or custom-appid to detect string "/webapp/wcs/stores/". | 8.1.15, 9.0.9, 9.1.3
Fixed an issue where SSL connections were blocked if you enabled decryption with the option to block sessions that have expired certificates. This issue included servers that sent an expired AddTrust certificate authority (CA) in the certificate chain. | SSL decryption fails to some site | fixed SSL cert verification process | Disable certificate expiration check (if no expiration check is acceptable) | 8.1.15, 9.0.9, 9.1.3
8.1.14 only | Fixed an issue where the firewall stopped recording dataplane diagnostic data in dp-monitor.log after a few hours of uptime. | DP crash | day-one issue crash when handling | No workaround | 8.1.15
Fixed an issue where high and continuous CPU utilization was seen on dataplanes after IPSec Encapsulating Security Payload (ESP) rekeying occurred for multiple tunnels. | High CPU / High packet descriptor | ESP rekey issue | After failover, reboot the failing FW | 8.1.15, 9.0.9, 9.1.4
PAN-144479 | 8.1.14 only | Fixed an issue where SNMP objects from the HOST-RESOURCES-MIB returned incorrect values when queried. | snmp for the specific MIB does not work | regression of a snmp fix | No workaround | 8.1.15
Added the following CLI commands to address an issue where packets for new sessions dropped when handling predict sessions: `set session hwpredict disable yes` and `show session hwpredict status`. | packet drop on predict session matching | added workaround command to disable predict lookup in FPP-HW and use FPP-SW. This is controlled using an operational command. | 9.0.8, 9.1.2


Fixed an intermittent issue where firewalls dropped packets, which caused issues such as traffic latency, slow file transfers, reduced throughput, internal path monitoring failures, and application failures. | Traffic issue | Issue on memory timing | No workaround | 8.1.14, 9.0.7, 9.1.2

Fixed an issue where firewalls experienced high packet descriptor (on-chip) usage during uploads to the WildFire Cloud or WF-500 appliance. | Excessive WF uploads caused high packet descriptor | Excessive WF uploads suppress platform resources. Limit maximum number of outstanding WF uploads | Configure Device > Setup > WildFire > General Settings > File Size Limits to specify the following recommended values for WildFire file size limits:

- pe 8 MB
- apk 10 MB
- pdf 500 KB
- ms-office 500 KB
- jar 5 MB
- flash 5 MB
- MacOSX 1 MB
- archive 10 MB
- linux 10 MB
- script 20 KB

PAN-135260 | PA7000 series only / 8.1.12 only | Fixed an intermittent issue where the dataplane process (*all_pktproc_X*) on a Network Processing Card (NPC) restarted when processing IPSec tunnel traffic. | DP crash | Crash during flow lookup. Added a validation code | No workaround | 8.1.13, 9.0.7, 9.1.2
PAN-136820 | 8.1.0-8.1.13 | Fixed an issue where a high availability (HA) failover occurred after the firewall reported the following error message in the **System** log: `Dataplane down: controlplane exit failure`. | DP crash / down; Internal path monitor fails | NFS transfer issue on DP. Tweaking NFS options | No workaround | 8.1.14, 9.0.0
Fixed an issue where first packet processor packet buffer is not allocated with proper alignment, which caused memory corruption. | internal path monitor failure, FPP crash | Possible memory corruption on FPP | No workaround | 8.1.13
Fixed an issue where fragmented traffic caused high dataplane use and firewall performance issues. | high CPU / high packet buffer | fragment reassemble issue | Consider blocking fragments via zone protection. | 8.1.13, 9.0.7, 9.1.2
PAN-131993 | Panorama series | Fixed an issue where a process (*reportd*) would crash while running a log query. | reportd crash | double free while trying cleanup when handling a log query | Allow the query to run to completion before closing the Tab/browser | 8.1.13, 9.0.7, 9.1.2
Fixed an issue where a PA-7080b HA pair rebooted when large sized packet traffic impacted the front panel ports of the Log Forwarding Card (LFC). | LFC restart | LFC front port error handling failure on receiving jumbo frames | Avoid connecting the Front Panel ports to networks with jumbo frames | 9.0.6 and 9.1.0
PAN-123667 | 9.0.0-9.0.5 | Fixed an issue where the "snmpd" process was crashing when polling for global counters. | snmpd crash and OOM (out of memory) in kernel | memory leak of snmpd when accessing global counter OIDs | Workaround to avoid this crash is to avoid polling OIDs in the global counters table. | 9.0.6 and 9.1.0
(PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls running PAN-OS 8.1.11 or 9.0.5 only) There is an intermittent issue where a process ("all_pktproc") stops responding due to a Work Query Entry (WQE) corruption that is caused by duplicate child sessions. | dataplane crash | Crash when handling packet in predict session | None | 8.1.12, 9.0.6 and 9.1.0
PAN-128269 | PA5200 series only | (PA-5250, PA-5260, and PA-5280 firewalls with 100GB AOC cables only) When you upgrade the first peer in a high availability (HA) configuration to a PAN-OS 8.1.9-h4 or later release, or a PAN-OS 9.0 release, the High Speed Chassis Interconnect (HSCI) port does not come up due to an FEC mismatch until after you finish upgrading the second peer. | HSCI interface down | Internal chip configuration affected AOC module | Consult Techsupport for upgrade procedure, otherwise avoid the releases | 8.1.12, 9.0.6 and 9.1.0
PAN-124481 | 9.0.0-9.0.4 | Fixed an issue where the dataplane stopped responding when SMTP sessions were used. | DP crash / Internal Path Monitor Failure | MIME boundary is mistakenly calculated | app-override the smtp | 9.0.5


Fixed an issue where a process ("configd") stopped responding when an XML API call with "type=config&action=get" triggered during a commit. | configd crash | Null was not set to a pointer when xml node is freed | Do not run xml api to get predefined xpath | 8.1.11 and 9.0.5
PA-7000 series only (XM cards are not affected) | (PA-7000 Series firewalls using PA-7000-20G-NPC cards only) Fixed an intermittent issue where an out-of-memory (OOM) condition caused the dataplane or internal path monitoring to stop responding. | DP crash / Internal Path Monitor Failure | Insufficient memory was allocated to Linux kernel | No workaround | 8.1.11 and 9.0.4
PAN-119862 | PA5050 only | Fixed an intermittent issue where an out-of-memory (OOM) condition caused the dataplane or internal path monitoring to stop responding. With this fix, session capacity is reduced by 400,000. | DP crash / Internal Path Monitor Failure | Out of memory on DP0 | No workaround | 8.1.11
Fixed an intermittent issue where a large number of packets were received before acknowledgments were complete, which depleted descriptor queue entries and resulted in high latency during data transfers even though CPU usage looked normal | High packet descriptor and packet buffer | As a result, one or a few aggressive TCP sessions can take all descriptor queue entries due to ack packets | clear session causing the issue | 8.1.10 and 9.0.4
Fixed an issue on a VM-Series firewall deployed in Microsoft Azure where packets dropped silently due to a kernel error | traffic drop when burst traffic | a kernel error when processing burst traffic on Azure | No workaround | 8.1.9 and 9.0.4
(Virtual and M-Series Panorama appliances and Log Collectors only) Fixed an issue where closed Elasticsearch (ES) indices were continuing to receive and re-queue logs, which resulted in high CPU usage. | Log ingestion failure and high CPU | monthly index closed unexpectedly | Contact Techsupport | 8.1.10 and 9.0.4
Fixed an issue where an internal path monitoring failure due to a buffer leak caused the firewall to reboot | DP restart due to Internal packet path monitoring failure | mess-up of buffer pool | No workaround | 8.1.9 and 9.0.4
(GlobalProtect Clientless VPN environments only) Fixed an issue where a process ("all_pktproc") stopped responding and caused the firewall to restart unexpectedly when processing GlobalProtect Clientless VPN traffic. To leverage this fix, you must first upgrade ("Devices > Dynamic Updates") to GlobalProtect Clientless VPN content release 79 or a later release. | DP crash | exception when handling clientless VPN packet with large packet | change clientlessVPN to GP (SSLVPN) or downgrade to 8.1.8 or older | 8.1.10 and 9.0.4
(PA-7000 Series firewalls only) Fixed an issue where the High Speed Chassis Interconnect (HSCI) link flapped after you rebooted the firewall. | HSCI flap | Signal errors on SMC | 8.1.9 and 9.0.4
(PA-3200 Series firewalls only) Fixed a rare software issue that caused the dataplane to restart unexpectedly. To leverage this fix, you must run the "debug dataplane set pow no-desched yes" CLI command (increases CPU utilization). | DP crash | Deschedule issue on CPU used in PA3200 | No workaround | 8.1.9 and 9.0.3
PAN-117729 | 8.1.8 only | Fixed an issue where the firewall incorrectly displayed application dependency warnings ("Policies > Security") after you initiated a commit | Application dependency shows up on commit | due to incomplete fix of PAN-98386 | No workaround | 8.1.9
PAN-107005 | PA3200 series only | Fixed an issue on PA-3200 Series firewalls where packets dropped when a VSS-Monitoring Ethernet trailer was being appended by an external device. | L4 checksum fails for VSS monitoring trailer and the packet drops | Network offload processor drops the packet due to its L4 checkup validation | No workaround. upgrade PANOS | 8.1.5 and 9.0.3
PAN-112814 | 8.1.6-8.1.7 and | Fixed an issue where H.323-based calls lost audio because the predicted H.245 session was not converted to Active status, which caused the firewall to drop the H.245 traffic. | predict session failure | predict session fails to create when the predict session is created by S2C flow and it's source NATed | Do not use Source NAT | 8.1.8 and 9.0.2
Fixed an intermittent issue where a content install (content) caused a firewall configuration failure and the firewall to stop responding. | FQDN objects are resolved as and pushed to DP. that causes traffic issue | Content install job involves wrong config mistakenly | Commit force or force another FQDN refresh. | 8.0.16, 8.1.7 and 9.0.0
PAN-108241 | PA-3200 series / 8.1.0-8.1.5 | Fixed an issue on a PA-3200 Series firewall where multiple dataplane processes (all_pktproc, flow_mgmt, flow_ctrl, and pktlog_forwarding) stopped responding when overloaded with traffic. | DP crash | flow ager process double free | Enable software aho/dfa and pscan can greatly reduce likelihood of seeing issue. | 8.1.6 and 9.0.0
PAN-109594 | 8.0.14, 8.1.5 only | Fixed an issue where the dataplane restarted when an IPsec rekey event occurred and caused a tunnel process (tund) failure when one, but not both, HA peer is running PAN-OS 8.0.14 or PAN-OS 8.1.5. | DP restart due to tund crash during version mismatch in HA peers during upgrade process | DP restart due to tund crash which is caused by ike rekey in HA pair | Prior to upgrading HA peers, temporarily adjust IKE lifetimes to longer than default to ensure that rekey event does not occur during upgrade process. Can also break HA between peers and upgrade individually as standalone. | 8.0.15, 8.1.6
PAN-108785 | PA3200 series / 8.1.0-8.1.5 | Fixed an intermittent issue on a firewall in an HA active/passive configuration where a ping test stopped responding on Ethernet 1/1, 1/2, and 1/4 due to input errors on the corresponding switch port after an HA failover. | eth1/1,2,4 corrupts packet on transmit after HA failover | interface initialization steps after HA failover called unnecessary instructions | manually shut/no shut the interfaces | 8.1.6 and 9.0.0
PAN-107791 | 8.1.4 | Fixed an issue where after upgrading from PAN-OS 8.1.3 to 8.1.4 the CLI two-factor administrator authentication failed. | 2FA fails | socket handling bug for 2FA | none | 8.1.5 and 9.0.0
PAN-107365 | 8.1.4 | Fixed an issue on Panorama M-Series and virtual appliances where after you make a change to a template and attempt to push to a target device, the device does not appear in the Push Scope Selection list ("Commit > Push to Devices > Edit Selections > Device Groups"). | Cannot specify device in template | Exception in php code | none | 8.1.5
PAN-107271 | 8.1.4 | Fixed an issue on a PA-3200 Series firewall running PAN-OS 8.1.4 in an HA configuration where the HA1-B (backup) port did not come up as expected. | HA1B port is unusable | additional fix of PAN-89402 | use other interface for HA1 | 8.1.5
PAN-100244 | 8.0.x, 8.1.x | Fixed an issue where a failed commit or commit validation followed by a non-user-committed event (such as an FQDN refresh, an external dynamic list refresh, or an antivirus update) resulted in an unexpected change to the configuration that caused the firewall to drop traffic. | traffic drop due to wrong policy applied | last-candidatecfg.xml has been changed which should not happen when commit fails. That config was involved in next FQDN/EDL update | Performing manual FQDN refresh or commit appears to resolve the issue, until the next occurrence. | 8.0.14, 8.1.5
PAN-100613 | 8.0.10-, 8.1.2-8.1.4 | Fixed an issue on a PA-5200 Series firewall in a high availability (HA) active/active configuration with a virtual wire (vwire) subinterface where session setup packets sent to peer firewalls were sent back as HA2/HA3 race conditions, which caused an increase in packet descriptors and traffic to stop responding. | traffic can be affected intermittently due to high packet descriptor | Due to the race condition on session setup, packets loop in HA2/HA3 that affects Packet descriptor | Session setup/owner set for first-packet/first-packet. Otherwise, use Active/Passive mode | 8.1.5
PAN-106016 | 8.0.x, 8.1.x | Fixed an issue on PA-800 Series firewalls where a kernel memory spike caused the firewall to restart. | unexpected system restart | lack of kernel memory | none | 8.0.14, 8.1.5
PAN-106936 | 8.0.x, 8.1.x | Fixed an issue where PA-800 Series firewalls intermittently restarted due to a kernel error. | unexpected system restart | heavy use of serial driver caused watch dog timeout | none | 8.0.14, 8.1.5


Fixed an issue where a hardware packet buffer leak caused firewall performance to degrade. | Hardware packet buffers depletion | In rare condition, the hardware packet buffer is not released | none | 8.1.4, 8.0.13
PA-3200 series/ | Fixed an issue on a PA 3200 Series firewall where the dataplane failed due to an internal path monitoring failure. | Internal path monitor failure | Communication failure in link between MP and DP | none | 8.1.4 and 9.0.0
PA-3200 series/ | Fixed an intermittent issue on a PA-3200 Series firewall where the forwarding information base (FIB) did not update correctly, which prevented successful forwarding of offloaded traffic. | Some offloaded traffic is not forwarded correctly. | FIB entry in DP is not updated properly due to programming error | Disable session offload | 8.1.4 and 9.0.0
PA-3000 series / | Fixed an issue where the PA-3000 series firewalls passed file-descriptors in a dataplane ("pan_comm") process during content (apps and threat) installation as well as FQDNRefresh job execution, which caused the hardware Layer 7 engine to incorrectly identify applications. | App-ID (L7 process) stop working; DP crash | File descriptor leak in pan_comm process in charge of commit in DP | none




, 8.1.0-8.1.2 | Fixed an issue where the firewall incorrectly dropped ARP packets and increased the "flow_arp_throttle" counter. | ARP does not work / Traffic stop | ARP packet throttling feature mistakenly counts number of arp inspected and drops arp packets | none | 8.0.12 and 8.1.3
PA-3200 series/ | Fixed an issue on PA-3200 series firewalls where the offload processor did not process route-deletion update messages, which left behind stale route entries and caused sessions to become unresponsive during the session-offload stage. | Packet drop due to routing table problem in Offload chip | FIB in Offload chip (FE100) has not updated properly after route deletion | Disabling session offload | 8.1.3
PA-5200 series/ | Fixed an issue where PA-5200 Series and PA-3200 Series firewalls in an active/active high availability (HA) configuration sent packets in the wrong direction in a virtual wire deployment. | MAC flapping happens on neighbouring switch. Traffic disruption can happen | In the HA Active-Active vwire case, when the device forwards packets through the HA3 link, the header info is correctly set in some cases, causing such packets to be forwarded back to the HA peer instead of being forwarded locally. | In one of the cases (00810651), disabling session offload has resolved the issue. | 8.0.10 and 8.1.2



Fixed an issue where the User-ID process ("useridd") stopped responding when a virtual system connected to more than one User-ID agent with NT LAN Manager (NTLM) enabled. | useridd process crash / Useridd high file descriptor / Useridd | memory corruption of connection state | configure only one user-id-agent with NTLM enabled in each vsys. | 8.0.10 and 8.1.1
PAN-3000series and PAN-5000series | Fixed an issue where administrators failed to log in to the firewall due to an out-of-memory condition that intermittently caused the firewall to continuously restart processes. (PAN-90143 provided an initial memory enhancement in PAN-OS 8.0.9 that reduced the frequency of these out-of-memory events.) | low memory in MP kernel leads to system instability such as admin login failure / Out of memory in MP | Linux kernels on PANOS 8.x/9.x have a memory leak which is being fixed in the mainstream Linux. Port the patch from the mainstream Linux kernel. | Reboot system | 8.0.10 and 8.1.1
PAN-79989 | 8.0.0-8.0.8 | Fixed an issue on firewalls with custom signatures configured where low memory conditions intermittently caused commit or content installation failures with the following error: "Threat database handler failed." | commit failure | devsrvr uses the fork() system call to spawn a child process (tdb_compile) to compile content during commit. When free memory is low, this fork() call can fail, which will fail commit or content installation. | reboot system | 8.1.0, 8.0.9
PA-5000 series / 8.0.0-8.0.8 and 8.1.0 | Fixed an issue where administrators intermittently failed to log in to the firewall because it intermittently restarted processes continuously due to an out-of-memory condition. | system stability / System unresponsive | Kernel trackable memory is constantly decreasing. Changing the kernel configuration by disabling page mobility could stop the dropping. | reboot system | 8.1.1, 8.0.9
PA-7000, PA5200, PA3200 Series / 7.1.0-7.1.16 and 8.0.0-8.0.8 | Fixed an issue on PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls where one or more dataplanes did not pass traffic when you ran several operational commands (from any firewall user interface or from the Panorama management server) while committing changes to device or network settings or while installing a content update. | Traffic drop | miss-programing on Pancomm use wrong bypass queue id | do another commit if this happens. | 8.1.0, 8.0.9 and 7.1.17,
8.0.0-8.0-8, 8.1.0 | Fixed an issue where a small percentage of writable third-party SFP transceivers (not purchased from Palo Alto Networks®) stopped working or experienced other issues after you upgraded the firewall to which the SFPs are connected to a PAN-OS 8.0 or 8.1 release. With this fix, you must not reboot the firewall after you download and install the PAN-OS 8.0 or 8.1 base image until after you download and install the PAN-OS 8.0.9 or 8.1.x release. For additional details, upgrade considerations, and instructions for upgrading your firewalls, refer to the PAN-OS 8.1 upgrade information. | unsupported SFP stop working | SDK had an I2C read error inserted. This caused PanOS 8.0, (and initial 8.1.0) to have this I2C bus driver to have this logical error in the Read functions, that messed up the Controller to Device protocol sequence. | Use supported SFP






and all older Mainlines | Fixed an issue where PA-7000 Series firewalls rebooted continuously because the "brdagent" process stopped responding during bootup due to HSCI interface initialization | Firewall reboots | FPP brdagent is tied up initializing the marvell PHYs and can't respond to heartbeats. As a result it gets killed by masterd | Disable HSCI ports or remove HSCI QSFP+ module during reboot
and all older Mainlines | Fixed an issue where the firewall dataplane stopped responding after you used nested wildcards ("*") with "." or "/" as delimiters in the URLs of a custom URL category ("Objects > Custom Objects > URL Category") or in the "Allow List" of a URL Filtering profile ("Objects > Security Profiles > URL Filtering > <URL-filtering-profile> > Overrides"). With this fix, the firewall does not allow you to use nested wildcards in such cases. For details, see "NESTED WILDCARD(*) IN URLS MAY SEVERELY AFFECT PERFORMANCE". | DP crash and restart due to custom URL lookup | Misconfiguration on custom URL category using nested asterisk causes DP cpu highload. Note: fix is additional configuration check to prevent | Use fewer asterisks in configuration. See the link in Description for details
PAN-83687 | 8.0.0-8.0.6 | Fixed an issue on Panorama M-Series appliances where the "configd" process stopped responding during a "Commit > Commit and Push" operation where Panorama pushed configuration changes to Collector Groups. | configd crash | During commit, a tables data structures under collector settings is destructed. | Do not do Panorama commit and collector group push at same time. | 8.1.0, 8.0.7
Fixed an issue where PAN-OS removed the IP address-to-username mappings of end users who logged in to a GlobalProtect internal gateway within a second of logging out from it. | user-ip mapping information is not generated properly | when GlobalProtect logout/login events happened in the same second, user-id in firewall can't determine the sequence of these events as we use timestamp (second granularity) to distinguish them. | No Workaround available
Fixed an issue where the firewall management plane or control plane continuously rebooted after an upgrade to PAN-OS 8.0, and displayed the following error message: "rcu_sched detected stalls on CPUs/tasks". | continuous MP/CP restart | i2c issue due to SFP module holding the bus and cause i2c controller reset can't be finished. | Use supported SFP | 8.1.0, 8.0.7




Fixed an issue where blocking proxy sessions to enforce Decryption policy rules caused packet buffer depletion, which eventually resulted in packet loss. | Hardware buffer leak issue that could affect any type of traffic handled by DP | Leaking packet buffer due to RST packets generated as part of policy-enforcement (denied traffic) in combination with no-decrypt rules | 1. in ssl no-decrypt rule, in decryption profile remove actions from "No decrypt" 2. change deny rule in policy to drop | 8.0.6, 7.1.14
PA-800 series | Fixed an issue where PA-800 Series firewalls became unresponsive until you rebooted them, and the firewalls generated no logs from when they stopped responding to when they finished rebooting. | System unresponsive. no CLI/console/ping response. manual restart is required to recover from the issue | PA-800 uses a proprietary MDIO kernel driver. This driver had a bug in it that was causing a deadlock condition to take place. | No workaround
PA-5000 series and PA-3000 series | Fixed an issue where PA-5000 Series and PA-3000 Series firewalls that were running low on memory briefly became unresponsive, stopped processing traffic, and stopped generating logs. | Firewall "hangs", and it cannot be accessed via SSH/GUI. No logs are being written, and there is no mgmt console output. | Larger memory footprint of 8.0 is causing the issue. | Downgrade to 7.1.x (issue only reported on 8.0.x so far)
Primarily low-memory platforms such as PA-200 and M-100. The same issue can happen on other platforms | Fixed an issue on the firewall and Panorama management server where a memory leak caused several operations to fail, such as commits, FQDN refreshes, and content updates. | Commit failing and/or memory leak with error: fork() failed! / Symptoms include failing to commit, GUI unresponsive, HA config sync failing, MP memory leak, daemon crashes, high MP CPU. | In 8.0 we upgraded to 64-bits. Hence virt and res memory usage will go up slightly. | On M-100, upgrading to 32GB memory should greatly reduce occurrences. For PA-200 or other platforms, no workaround exists short of downgrading to 7.1.x.




PA-7000 series with Panorama / 7.1.0-7.1.12, 7.0.0-7.0.18 | PA7050 logging stops / Logrcvr crashing on PA-7050 | LPC stopped saving and displaying new logs due to a memory leak after a Panorama management server running a PAN-OS 8.0 or newer. The issue commonly happens on a 7K FW running 7.x release, which is managed by a Panorama running Rome (8.0). | FW fails processing GTP report definitions which causes memory leak. | From Panorama running 8.0 (or newer) CLI config: `set deviceconfig setting management disable-predefined-reports [ gtp-spoofed-end-ip gtp-malicious-wildfire-submissions top-gtp-attackers top-gtp-victims gtp-users-visiting-malicious-url ]` | 8.0.6, 7.1.13, 7.0.19
All software QoS platform listed in the description / 8.0.0 to 8.0.5, 7.1.0 to 7.1.14 | Fixed an issue on PA-3000 Series, PA-800 Series, PA-500, PA-220, PA-200, and VM-Series firewalls where QoS throughput dropped on interfaces configured to use a QoS profile with an "Egress Max" set to 0Mbps or more than 1143 Mbps ("Network > Network Profiles > QoS Profile"). | QoS enforces max bandwidth with lesser traffic than configured | Coding error limiting max to 1Gbps | Lower the QoS bandwidth below 1143Mbit/s, downgrade to <=7.1.10 and/or <=8.0.3 | 8.0.6, 7.1.14
8.0.0 to 8.0.4 | VM series: traffic getting dropped | Traffic getting dropped due to flow_qos_pkt_timeout; QoS packet is not dequeued after 82 days | The QoS timer variable was not reset properly. | Disable QoS config
PA-5200 series / 8.0.0 to 8.0.4 | Internal link instability between DP and CE (Content Engine) | Affects 5200 platforms. System can continue to boot even if CE init fails. This causes issues with Layer7 inspection and HA pathmonitor, etc. controlplane-console-output.log shows following error: `nac0: Memory channels init incomplete` | It's internal link issue between DP and CE. improved link init and recovery mechanism | Use software aho and dfa: `debug dataplane fpga set sw_aho yes` and `debug dataplane fpga set sw_dfa yes`






Multiple DP restarts by all_pktproc | DP crash due to small memory pool size in 8.0.4. Seen only on PA-5220 and PA-5250. With same cause, other symptoms such as GP (GlobalProtect) connections dropping and SSL decryption traffic failing could happen | fixed memory pool size on the affected platform | Use other platforms other than PA-5220 or PA-5250. Or downgrade to 8.0.3.
8.0.0 to 8.0.4 | Logd high memory on M-series | Typical symptoms: Traffic and threat logs delayed on Panorama for 24 hours; Oom kernel crash; commit failure; memory allocation failure | Due to indexing of messages in evtmgr queues start building up. This causes the memory buildup in logd and results in indexing process not being able to startup. | no workaround
8.0.0 to 8.0.3 | Reportd memory leak on M-series | Reportd memory increases until you run out. Can cause sluggish performance or loss of ability to manage. | Reportd memory leak happens only on M-series in combo mode. fixed various memory leak in reportd process | Do not use combo mode. Use dedicated log collectors.
Not platform specific / 7.0.x, 7.1.x | High DP CPU with high urlcache_lookup processing time | High DP utilization and general traffic slowness caused by URL filtering. Urlcache related function process time goes up in "debug dataplane pow performance" | Issue with URL cache when cache gets above 1 million URLs in MP cache and device-server is consuming high CPUs. DP also consumed high CPU to lookup local cache grows big | Clear DP and MP cache: `clear url-cache all` and `delete url-database all` | PAN-DB cloud update has the fix in March/2017. PANOS fix in 6.1.18, 7.0.16 and 7.1.10.

