Critical Issues Addressed in PAN-OS Releases

549958
Created On 09/26/18 21:07 PM - Last Modified 02/26/24 02:09 AM


Symptom

Historical Critical Issue List Addressed in PAN-OS Releases

Environment

All current PAN-OS

Resolution

Last Updated On: Feb 20th, 2024


This list is limited to critical severity issues as determined by Palo Alto Networks and is provided for informational purposes only.

  • Please double-check the information in the release notes to see the latest information about fixed versions.
  • Please create a case with your support provider for a detailed investigation if you believe you have encountered one of these issues.
  • Maintenance releases are the primary mechanism to fix issues.
  • A maintenance release is signified by the third digit in the release version number (for example, the .2 in PAN-OS 10.1.2).
  • An asterisk (*) in the Fixed release column is used for an internal check; please ignore it.

| Bug | Affected platform / affected version | Description (release note) | Impact | Root cause | Workaround | Fixed release |
|---|---|---|---|---|---|---|
| PAN-218620 | 10.1.0-10.1.11, 10.2.0-10.2.4, 11.0.0-11.0.3 | Fixed an issue where scheduled configuration exports and SCP server connection testing failed. | Scheduled configuration exports via SCP do not work. | An internal SSH configuration had an issue. | No workaround | 10.1.12, 10.2.5, 10.2.4-h3, 11.0.3-h3, 11.0.4, 11.1.0 |
| PAN-219659 | Mostly seen in PA-220 / 10.1.0-10.1.10, 10.2.0-10.2.4, 11.0.0-11.0.2 | Fixed an issue where the root partition frequently filled up and the following error message was displayed: `Disk usage for / exceeds limit, xx percent in use, cleaning filesystem`. | Disk usage full. | Dangling file descriptors are created when .log files are deleted. | No workaround | 10.1.11, 10.1.10-h1, 10.2.5, 11.0.3, 11.1.0 |
| PAN-221126 | 10.1.0-10.1.11, 10.2.0-10.2.6, 11.0.0-11.0.2 | Fixed an issue where email server profiles (**Device > Server Profiles > Email** and **Panorama > Server Profiles > Email**) used to forward logs as email notifications did not forward them in a readable format. | Email alerts are not in a readable format. | The HTML encoding step skipped fields such as To, From, CC and Reply-To IDs when the mail client sent the mail. | Use a custom log format instead. | 10.1.11, 10.2.7, 11.0.3, 11.1.0 |
| PAN-216984 | 10.1.0-10.1.10 | Fixed an issue where internal path monitoring failed due to the `sysdagent` not responding. | sysdagent crash / system unresponsive. | A nanosleep in sysdagent, caused by stale httpd worker processes, leads to httpd processes piling up. | No workaround | 10.1.11, 10.1.10-h1 |
| PAN-225183 | M-Series, Panorama / 10.1.0-10.1.10, 10.2.0-10.2.4, 11.0.0-11.0.2 | The SSH tunnels between the log collectors of a collector group went down intermittently, causing the Elasticsearch cluster health status to degrade to yellow or red. This has been fixed. | The Elasticsearch cluster breaks and is unable to write forwarded logs to disk. | Ciphers used for the SSH tunnels occasionally resulted in too large a packet, causing the connection to break. | No workaround | 10.1.11, 10.2.5, 11.0.3 |
| PAN-221984 | VM-Series NGFWs in Microsoft Azure environments / 10.1.0-10.1.10, 10.2.0-10.2.4, 11.0.0-11.0.2 | Fixed an issue where an interface went down after a hotplug event and was only recoverable by restarting the firewall. | Dataplane interfaces go down after a hotplug event. | A PAN-OS process makes a DPDK call on an invalid port ID after hot removal on Azure. | None | 10.1.10-h2, 10.1.11, 10.2.4-h4, 10.2.5, 11.0.2-h1, 11.0.3 |
| PAN-216984 | All PAN-OS NGFWs / 10.1.0-10.1.10, 10.2.0-10.2.4, 11.0.0-11.0.1 | Fixed an issue where a stale httpd process caused a buildup of the sysd queues, which further led to either path monitoring failures and process crashes or out-of-memory crashes. | Multiple crashes on the management plane, unexpected HA failovers, and loss of GUI and CLI access. | The httpd process does not exit cleanly and holds on to resources, which causes the sysd queue to get stuck and processes to stop responding to heartbeats. | Among the HA peers, find the unit that has a stale httpd process with a large Recv-Q that is either stuck or increasing, then restart the web-backend service on that unit. This recovery step stops the crashes and stabilizes the devices, but the issue could appear again. | 10.1.10-h1, 10.1.11, 10.2.5, 11.0.2 |
| PAN-216043 | All PAN-OS NGFWs / 10.1.0-10.1.10, 10.2.0-10.2.4, 11.0.0-11.0.1 | Continuous crashes of the wifclient process have been fixed. The repeated process restarts would lead to a reboot of the PAN-OS device. | Continuous wifclient process crashes and unexpected device restarts. | Caused by memory corruption when large amounts of traffic are sent to certain cloud services (such as Enhanced Application Logs in IoT). | Disable the IoT service. | 10.1.11, 10.2.4-h4, 10.2.5, 11.0.2 |
| PAN-215315 | All PAN-OS NGFWs / 10.1.0-10.1.10, 10.2.0-10.2.4, 11.0.0-11.0.2 | Fixed an issue where the dataplane stopped responding due to ager and inline packet processing occurring concurrently on different cores for the same session. | Multiple core dumps, dataplane instability and unexpected reboots. | Race condition where the same packet is processed simultaneously by two different functions. | No workaround | 10.1.10-h1, 10.1.11, 10.2.4-h3, 10.2.5, 11.0.2 |
| PAN-210607 | All PAN-OS NGFWs / 11.0.0-11.0.1 | Fixed an issue where enabling Inline Cloud Analysis on Anti-Spyware, Vulnerability Protection, or URL Filtering Security profiles caused the dataplane to stop responding. | Multiple core dumps, dataplane instability and unexpected reboots. | Enabling Inline Cloud Analysis leads to a situation where a memory structure is used after being freed. | Disable Inline Cloud Analysis. From the CLI:<br>`set profiles spyware <name> cloud-inline-analysis no`<br>`set profiles url-filtering <name> cloud-inline-cat no` | 11.0.1-h2, 11.0.2 |
| PAN-209305 | All PAN-OS NGFWs / 10.2.0-10.2.3 | Fixed an issue where enabling Inline Cloud Analysis caused the content and threat detection (CTD) process flow cleanup to not be done correctly if a threat was encountered during traffic inspection. | Multiple core dumps, dataplane instability and unexpected reboots. | Enabling Inline Cloud Analysis leads to a freed content and threat detection process flow being accessed. | Disable Inline Cloud Analysis. From the CLI:<br>`set profiles spyware <name> cloud-inline-analysis no`<br>`set profiles url-filtering <name> cloud-inline-cat no` | 10.2.4 |
| PAN-208325 | PA-5400, PA-3400, PA-400 / 10.1.0-10.1.9, 10.2.0-10.2.4, 11.0.0-11.0.1 | Fixed an issue where the firewall was unable to automatically renew the device certificate. | Impacted devices cannot connect to CDL, the WildFire cloud or PAN-DB, or send telemetry data. | Devices with a TPM (Trusted Platform Module) send the wrong device type for the renewal command. | No workaround | 10.1.10, 10.2.5, 11.0.2 |
| PAN-207533 | All PAN-OS NGFWs / 10.2.0-10.2.3, 11.0.0 | Fixed an issue with firewalls in HA configurations where ARP and IPv6 multicast packets were transmitted from the passive firewall. | Split brain in an HA environment. | The passive firewall allowed ARP and IPv6 packets to leak. | Suspend the passive device. | 10.2.4, 11.0.1 |
| PAN-222712 | PA-5450 / 10.1.0-10.1.10, 10.2.0-10.2.4, 11.0.0-11.0.2 | Fixed a low-frequency DPC restart issue. | Path monitoring failures cause the device to go down. | The switching frequency of a hardware component is occasionally not optimal, causing the card to stop responding. | No workaround | 10.1.10-h2, 10.1.11, 10.2.4-h4, 10.2.5, 11.0.2-h1, 11.0.3 |
| PAN-206933 | PA-400 / 10.1.0-10.1.10, 10.2.0-10.2.4, 11.0.0-11.0.1 | Fixed a silent reboot or port flaps that would occur on PA-400s due to a race condition between the PDT register read and brdagent polling. | Unexpected reboots or flapping of links. | Race condition between the PDT register read and brdagent polling. | No workaround | 10.1.11, 10.2.4-h3, 10.2.5, 11.0.2 |
| PAN-205729 | PA-3200, PA-7000 / 10.1.0-10.1.8, 10.2.0-10.2.3, 11.0.0 | Fixed an issue where the CPLD watchdog timeout caused the firewall to reboot unexpectedly. | Unexpected reboots or freezes. |  | No workaround | 10.1.9, 10.2.4, 11.0.1 |
| PAN-205255 | PA-800, PA-3200, PA-5200, PA-7000 / 10.1.0-10.1.9, 10.2.0-10.2.3, 11.0.0 | Fixed a rare issue that caused the dataplane to restart unexpectedly. | Multiple crashes cause the card/device to restart. | Due to a race condition, two different cores were working on the same packet. | No workaround | 10.1.9-h1, 10.1.10, 10.2.4, 11.0.1 |
| PAN-201858 | All PAN-OS NGFWs / 10.1.0-10.1.8, 10.2.0-10.2.3 | Fixed an issue where the SD-WAN interface Maximum Transmission Unit (MTU) led to incorrect fragmentation of IPSec traffic. | Packets are incorrectly fragmented on the egress interface, impacting network performance. | The MTU size is incorrectly calculated after packets are decapsulated from the SD-WAN tunnel interface. | Perform a commit with a configuration change, or a commit force. | 10.1.8-h2, 10.1.9, 10.2.4 |
| PAN-201085 | PA-5450 / 10.1.0-10.1.9, 10.2.0-10.2.3 | Fixed an issue where inserting the NPC and DPC in slot 2 created excessive logs in the `bcm.log` file. | Crashes seen on the brdagent process along with unexpected reboots. | Collection of certain types of SNMP stats on some ports was not supported, causing the log files to fill up. | No workaround | 10.1.10, 10.2.4 |
| PAN-199807 | All PAN-OS NGFWs / 10.1.0-10.1.8, 10.2.0-10.2.3, 11.0.0 | Fixed an issue where the dataplane frequently restarted due to high memory usage by wifclient. | The dataplane restarts unexpectedly. | High wifclient memory usage can cause memory corruption. | No workaround | 10.1.9, 10.2.4, 11.0.1 |
| PAN-199738 | PA-5400 / 10.1.0-10.1.9, 10.2.0-10.2.3, 11.0.0 | Fixed an issue where upgrades remained at 71%, which caused the firewall to stop responding until it was manually power cycled. | Upgrade fails. | The file system gets corrupted due to the BIOS upgrade. | No workaround | 10.1.10, 10.2.4, 11.0.1 |
| PAN-198174 | All PAN-OS NGFWs / 10.1.0-10.1.8, 10.2.0-10.2.3 | Fixed an issue where, when viewing traffic or threat logs from the **Application Command Center** (ACC) or **Monitor** tabs, performing a reverse DNS lookup caused the *dnsproxy* process to restart if DNS server settings were not configured. | dnsproxyd crashes cause an unexpected reboot. | The same memory was being freed twice during error handling. | Configure a DNS server IP in the device DNS settings. | 10.1.9, 10.2.4 |
| PAN-195201 | All PAN-OS NGFWs / 10.1.0-10.1.8, 10.2.0-10.2.3 | Fixed an issue where high-volume DNS Security traffic caused the firewall to reboot. | Unexpected reboot. | Race condition where shared variables were not protected by locks. | No workaround | 10.2.4 |
| PAN-195149 | All PAN-OS NGFWs | Fixed an issue where firewall administrators were unable to log in to the web interface when RADIUS two-factor authentication was used. | Administrators are unable to log in to the web interface. | Incorrect parameters are picked when the https process that initiates the auth request is not the one that receives the auth request. | No workaround | 10.2.3-h4, 10.2.4, 11.0.1 |
| PAN-193808 | All PAN-OS NGFWs | Fixed a memory leak in the mgmtsrvr process that resulted in an OOM condition. | The device runs out of memory, causing processes to restart or the device to reboot. | When the connection between the firewall and Panorama flaps, SSL connection related memory is not freed. | Maintain a stable connection between the firewall and Panorama/Log Collector. | 10.1.9, 10.2.4 |
| PAN-192456 | All PAN-OS NGFWs | Fixed an issue where GlobalProtect SSL VPN processing during a high traffic load caused the dataplane to stop responding. | Repeated crashes cause the DP to exit. | The dataplane operations are not atomic when the GP tunnel is in SSL VPN mode. | No workaround | 10.1.9, 10.2.4, 11.0.2 |
| PAN-188912 | All PAN-OS NGFWs / 9.1.0-9.1.15, 10.1.0-10.1.8, 10.2.0-10.2.3 | Fixed an issue where authentication failed due to the process responsible for handling authentication requests getting corrupted. | authd might crash and cause commit failures. | Race condition when an FQDN commit and a normal commit occur within milliseconds of each other. | Avoid using an FQDN object for the LDAP server. | 9.1.16, 10.1.9, 10.2.4 |
| PAN-186412 | PA-220 / 10.1.0-10.1.8, 10.2.0-10.2.3, 11.0.0 | Fixed an issue where an invalid `packet-ptr` was seen in work entries. | Crashes can cause instability in the DP. | The packet buffer pool shared between MP and DP can cause crashes. | No workaround | 10.1.9-h1, 10.1.10, 10.2.4, 11.0.1 |
| PAN-160633 | PA-3200, PA-5200, PA-7K / 9.1.0-9.1.16, 10.1.0-10.1.10, 10.2.0-10.2.4, 11.0.0-11.0.2 | Fixed an issue where the dataplane restarted repeatedly after a reboot due to internal path monitoring failures, until a power cycle. | The DP might go down after a reboot or an upgrade. | The MP-to-CP ports do not come up after a BIOS upgrade or reboot. | Hard reboot the device. | 9.1.17, 10.1.10-h2, 10.1.11, 10.2.5, 11.0.3 |
| PAN-215461 | PA-5250, PA-5260, PA-7K / 10.1.0-10.1.9, 10.2.0-10.2.3 | Fixed an issue where GRE keepalive packets leaked and filled up the packet buffers. | Packet buffer leak affects DP stability. | GRE keepalive packets on a multi-DP platform were not freed. | Disable GRE keepalive and reboot the firewall to recover. | 10.2.4, 10.1.10, 10.1.9-h3 |
| PAN-215488 | 11.0.0, 10.2.0-10.2.3, 10.1.0-10.1.9, 9.1.0-9.1.15 | Fixed an issue where an expired Trusted Root CA was used to sign the forward proxy leaf certificate during SSL Decryption. | SSL decryption fails. | The cache was mistakenly used for an expired intermediate certificate. | Clear the certificate cache. | 11.0.1, 10.2.4, 10.1.10, 10.1.9-h3, 9.1.17 |
| PAN-206921 | GP against all on-prem NGFWs / 10.2.2-10.2.3 | Fixed an issue where GlobalProtect client certificate authentication failed on a gateway when the gateway was placed behind a NAT. | GlobalProtect client certificate authentication fails. | The change in the IP address due to the NAT caused incorrect processing by the gateway. | No workaround | 10.2.3-h4, 10.2.4 |
| PAN-206005 | PA-1400, PA-3400, PA-5400 / 10.2.0-10.2.3, 11.0.0 | Fixed an issue where the `l7_misc` memory pool was undersized and caused connectivity loss when the limit was reached. | User access to traffic is impacted. | The l7_misc pool size was undersized. | Enable "Strip ALPN" if HTTP/2 is affected. | 10.2.4, 11.0.1 |
| PAN-206243 | Mainly seen in PA-200, PA-200R / 10.1.0-10.1.8, 10.2.0-10.2.3 | Fixed an issue where the firewall reached the maximum disk usage capacity repeatedly in one day. | Disk full issue. | The existing cleaning methods are not efficient or fast enough to clean or compress the old logs. | Enable aggressive cleaning: `debug software disk-usage aggressive-cleaning enable`<br>Set the cleanup threshold to 90: `debug software disk-usage cleanup threshold 90` | 10.2.4, 10.1.9 |
| PAN-194068 | PA-5200 / 10.1.0-10.1.8, 10.2.0-10.2.3, 11.0.0 | Fixed an issue where the firewall unexpectedly rebooted with the log message "Heartbeat failed previously". | Unexpected reboot. | MP lockup due to a bug in the BIOS. | No workaround | 10.1.8-h2, 10.1.9, 10.2.4, 11.0.1 |
| PAN-201872 | All PAN-OS NGFWs / 9.1.14-9.1.14-h4, 10.0.11+, 10.1.5-10.1.7, 10.2.0-10.2.3 | Fixed an issue where SMB performance caused overall network latency after an upgrade. | Users might experience network latency. | Regex lookup memory is not freed in a certain code path. | Use an application override for the traffic that uses regex lookup memory. In many but not all instances, the traffic that needs to be overridden is SMB traffic. | 9.1.15, 10.1.8, 10.2.3-h2, 10.2.4 |
| PAN-201627 | 10.1.6-h6, 10.1.7 | Fixed an issue in NGFWs where, when SD-WAN was configured, the dataplane restarted if all SD-WAN member links were down due to an out-of-memory (OOM) condition, or during a reboot when all SD-WAN tunnels were down. | DP restart. | The fork process created zombie processes. | Avoid using 10.1.6-h6 and 10.1.7. | 10.1.8, 10.2.3 |
| PAN-199099 | 10.1.7, 10.2.2 | Fixed an issue where, when decryption was enabled, Safari and Google Chrome browsers on Apple Mac computers rejected the server certificate created by the firewall because the Authority Key Identifier was copied from the original server certificate and did not match the Subject Key Identifier on the forward trust certificate. | Decryption issue when using GP via Safari or Google Chrome browsers. | The AKID extension was mistakenly copied to the new certificate, causing validation failures on some browsers. | Use a Forward Trust CA that contains neither an Authority Key Identifier (AKID) nor a Subject Key Identifier (SKID). This is standard in certificates created on the PAN firewall. | 10.2.3, 10.1.8 |
| PAN-198266 | PA-400, PA-3400, PA-5400 / 10.2.2 | Fixed an issue where, when predicts for UDP packets were created, a configuration change occurred that triggered a new policy lookup, which caused the dataplane to stop responding when converting the predict. This resulted in the policy lookup returning a policy denial. | DP crash. | The logging code accesses a non-existent field when generating a deny log for a predict. This happens when an allow policy is removed or changed to deny and pre-existing predicts created by an ALG are no longer valid. | Clear all predicts before a config commit: `clear session all filter type predict` | 10.1.8, 10.2.3 |
| PAN-191216 | 10.2.0-10.2.2 | Fixed an issue where, on Apple iOS devices, SAML authentication did not connect to the GlobalProtect portal. | GP on iOS with SAML does not work. | Since 10.2.0, the GP server omits the SAML-related result from the HTTP header. | N/A | 10.2.3 |
| PAN-196005 | PA-3200 Series, PA-5200 Series, and PA-5400 Series firewalls only / 10.1.0-10.1.6, 10.2.0-10.2.2 (only 10.1.6 is reported) | Fixed an issue where GlobalProtect IPSec tunnels disconnected at half the inactivity logout timer value. | GP tunnel goes down every 30 minutes. | Because of a difference in local time handling between the MP and DP for the GP tunnel timeout feature, the NGFW mistakenly disconnects the GP tunnel. | To resync the time, power off the firewall and then power it up (a reboot is NOT sufficient). | 10.1.7, 10.2.3 |
| PAN-191558 | 10.0.10, 10.1.5-10.1.6, 10.2.1-10.2.2 | Fixed an issue where, after an upgrade to PAN-OS 10.1.5, Global Find did not display all results related to a searched item. | Global Find does not display all results. | A searchAttribute instance throwing a null pointer error on searching causes endless loading. | N/A | 10.0.11, 10.2.3, 10.1.7, 10.1.6-h3 |
| PAN-189395 | PA-400 / 10.2.0-10.2.1 | PA-400 Series firewalls only: Fixed an issue where running a PAN-OS 10.2 release caused dataplane processes to restart unexpectedly. | Dataplane process restart. | Memory leak in a memory buffer. | No workaround | 10.2.2 |
| PAN-189468 | 9.1.13, 10.0.10, 10.2.0 | Fixed an issue where sessions were dropped with the message `resource-unavailable` due to the content inspection queue filling up. | Session drops due to 'resource-unavailable'. | CTD memory space is held due to incorrect memory freeing. | `set system setting ctd nonblocking-pattern-match disable` (this will cause higher packet buffer CPU usage) | 9.1.14, 10.0.10-h1, 10.0.11, 10.1.5, 10.2.1 |
| PAN-183826 | 9.1.12-9.1.13, 10.0.8, 10.1.0-10.1.6, 10.2.0 | Fixed an issue where, after clicking "WildFire Analysis Report", the web interface failed to display the report with the following error message: `refused to connect`. | The WildFire Analysis Report can't be seen in the web UI. | The x-frame-options header is set to deny, so the WildFire report cannot be displayed within the iframe. | Right-click the failed analysis report and choose "View frame source". Remove "viewsource" from the opened link (the link starts with "viewsourcehttps://x.x.x.x/wf_report/"), then open the page. | 9.1.14, 10.0.9, 10.1.7, 10.2.1 |
| PAN-175211 | 9.0.0-9.0.15, 9.1.0-9.1.12, 10.0.0-10.0.8, 10.1.0-10.1.3 | Fixed a memory leak issue in the mgmtsrvr process. | mgmtsrvr process memory leak. | When the firewall constantly reconnects to Panorama, the old SSL structure is not freed and the newly allocated SSL structure overwrites that memory, which leaks. | No workaround | 9.0.16, 9.1.13, 10.0.9, 10.1.4 |
| PAN-187183 (PLUG-10024) | All PA-VM in 10.1.4 / VM Plugin 2.1.4 | Fixed an issue with `vm_license_response.log` that consumed a large portion of the root partition. | Root partition full. | The license fetch log is consuming root space. | From the admin CLI:<br>`admin@PA-VM> debug-log mp-log file vm_license_response.log_backup.gz`<br>`successfully removed vm_license_response.log_backup.gz` | VM Plugin 2.1.5, 3.0.0 |
| PAN-181116 | 10.1.0-10.1.4 | Fixed memory corruption issues in PAN-OS 10.1.3 and 10.1.4 that caused the "pan_comm" process to stop responding and the dataplane to restart. These issues also caused GlobalProtect tunnels to fall back to SSL instead of IPSec due to the inadvertent encapsulation of the ICMP keepalive response from the firewall. | GP does not connect with IPSec ESP and instead switches to SSL. | In the original design, mixed mode was not supported. If an SSL tunnel and an IPSec tunnel are established together, their configurations get mixed up, which caused the tunnel to fail. | N/A | 10.1.5 |
| PAN-185750 | 10.1.4 | Updated an issue to eliminate failed `pan_comm` software issues that caused the dataplane to restart unexpectedly. | pan_comm process crash. | timestamp variable was not cleared properly and it' | No workaround | 10.1.5, 10.1.4-h4 |
| PAN-186937 | 9.1.0-9.1.11 | Fixed an issue where the firewall dropped packets decrypted using the SSL Decryption feature and Encapsulating Security Payload (ESP) IPSec packets that originated from the same firewall. This occurred when **Strict IP Address Check** was enabled in the zone protection profile (**Packet Based Attack > IP Drop**) and the packet's source IP address was the same as the egress interface address. | Packet drop on SSL decryption and ESP IPsec on the same firewall. | The bug was triggered when Strict IP Address Check was on and the packet source IP equalled the egress IP. This caused packets such as ESP and SSL decrypted packets to be erroneously dropped. | Disable the Strict IP Address Check option in the Zone Protection profile. Alternatively, downgrade to 9.1.11 or earlier or upgrade to 10.0.0 or later if you want to enable the Strict IP Address Check. | 9.1.14 |
| PAN-179274 | 9.1.0-9.1.12, 10.0.0-10.0.9, 10.1.0-10.1.4 | Fixed an issue on high availability configurations where, after upgrading to PAN-OS 9.1.10, PAN-OS 10.0.6, or PAN-OS 10.1.0, the HA1 and HA1-Backup link stayed down. This issue occurred when the peer firewall IP address was in a different subnet. | HA1/HA1-Backup link not coming up. | The internal routing lookup mechanism didn't work as expected. | No workaround | 9.1.13, 10.0.10, 10.1.5, 10.2.0 |
| PAN-177762 | 10.0.0-10.0.8, 10.1.0-10.1.3 | Fixed an issue where `wificlient` in PAN-OS 10.0 and later releases caused processing delays, on-chip descriptor spikes, and buffer usage. | Traffic is intermittently dropped. | From 10.0, a new feature tends to hold cores, which can cause high on-chip packet descriptor or buffer usage. | Disable EAL. | 10.0.9, 10.1.4 |
| PAN-172243 | 8.1.0-8.1.21, 9.0.0-9.0.14, 9.1.0-9.1.12, 10.0.0-10.0.8, 10.1.4-10.1.4 | Fixed an issue where NetFlow traffic triggered a packet buffer leak. | A full packet buffer disrupts general traffic processing in the DP. | The NetFlow saved packet leaked on commit, as the NetFlow profile changes memory space. | Disable NetFlow. | 8.1.22, 9.0.15, 9.1.13, 10.0.9, 10.1.5* |
| PAN-183767 | 8.1.21, 9.1.12, 10.0.8, 10.1.3 | Fixed an issue where downloading Dynamic Updates files failed when connected to the static update server at `us-static.updates.paloaltonetworks.com`. | PAN-OS is not able to download the software image from the update server. | A code change in the affected versions passed the wrong option to a download command. | Use "updates.paloaltonetworks.com" instead. | 8.1.22, 9.0.15, 9.1.13, 10.0.8-h2, 10.0.9, 10.1.5 |
| PAN-177941 | PA-70x0 (100G-NPC) / 10.0.0-10.0.7, 10.1.0-10.1.2 | Fixed an issue where the `bcm.log` and `brdagent_stdout.log-<datestamp>` files filled up the root disk space. | Root partition full. | Unnecessary logs are generated on the file system. | Use ports 1-8 on the LFC for log forwarding. | 10.0.8, 10.1.3 |
| PAN-172580 | 10.0.0-10.0.7, 10.1.0-10.1.2 | Fixed an intermittent issue where commits failed after a commit validation when custom URL category objects were modified. | Intermittent commit failures. | Candidate internal IDs are not cleaned up for the validate job during the phase 1 abort, which affects the subsequent commit. | Restore the URL pattern changes made after the validate job and commit, or skip Validate and force the commit. | 10.0.8, 10.1.3 |
| PAN-169064 | 9.1.0-9.1.10, 10.0.0-10.0.6, 10.1.0 | Fixed an issue where the management CPU remained at 100% due to a large number of configured User-ID agents. | Memory leak in useridd. | 1) The HIP report XML buffer was not released after the message was sent out, which caused a memory leak. 2) The high CPU is caused by a busy loop, because a large number of jobs are scheduled and the FD is always readable during the job waiting period. | Reducing the number of configured User-ID agents/clients can alleviate the issue. | 10.1.1, 10.0.7 and 9.1.11 |
| PAN-169551 | 9.1.8-9.1.9 | Fixed an issue where custom URL categories hit incorrect URL categories, which caused the firewall to miss or deny the security policies for the configured custom URL. | URL category lookup fails. | Id-manager mismanages the table on commit, causing URL patterns to be lost on the DP. | For customers using custom URL categories only (no EDL-URL), before committing any URL pattern changes: (1) perform a "Commit force" job first, then (2) commit the URL pattern changes (or push changes from Panorama).<br>For customers using EDL-URL: if the customer hosts the EDL-URL themselves, perform a "Commit force" job before updating the URL patterns. If the customer uses a third-party EDL, there is no good workaround; they can lower the EDL refresh frequency to reduce the chance of hitting this issue, and if they have already hit it, run commit-force twice to temporarily resolve it. | 9.1.10 |
| PAN-163800 | 9.1.0-9.1.10, 10.0.0-10.0.6, 10.1.0 | Fixed an intermittent issue where the presence of an Anti-Spyware profile in a Security policy rule that matched DNS traffic caused DNS responses to be malformed in transit. | DNS responses are corrupted. | The license check and TTL modification code had a bug in handling the DNS response. | Remove the Anti-Spyware profile that contains the DNS Security profile. | 9.1.11, 10.0.7, 10.1.1 |
| PAN-146250 | 8.1.0-8.1.19, 9.0.0-9.0.13, 9.1.0-9.1.9, 10.0.0-10.0.6 | Fixed an issue where, in two separate but simultaneous sessions, the same software packet buffer was owned and processed. | DP crash. | In an inter-vsys scenario, the same software packet buffer could be processed in two different sessions at the same time, which in turn causes the issue. | Use IPsec VPN instead of SSL. | 8.1.20, 9.0.14, 9.1.10, 10.0.7 |
| PAN-156017 | 9.1.0-9.1.6, 10.0.0-10.0.2 | Fixed an issue where a host information profile (HIP) report XML buffer caused a memory leak. | Out of memory on the MP. | The HIP report buffer was not released after the message was sent out, which caused a memory leak. | Disable HIP redistribution. | 9.1.7, 10.0.3 |
| PAN-156225 | PA-3200 series / 8.1.0-8.1.19, 9.0.0-9.0.13, 9.1.0-9.1.8, 10.0.0-10.0.4 | Fixed an issue where the HA1-B port on PA-3200 series firewalls remained down after an upgrade from 9.1.4 to 9.1.5. | HA1-B link down. | Failed to fetch a related sysd node. | None | 8.1.20, 9.0.14, 9.1.9, 10.0.5 |
| PAN-136347 | 8.1.0-8.1.18, 9.0.0-9.0.13, 9.1.0-9.1.8, 10.0.0-10.0.4 | Fixed an issue where DNS proxy TCP connections were processed incorrectly, which caused a process (`dnsproxy`) to stop responding. | dnsproxyd crash / high CPU. | The tcp_wait_timer on the daemon was not cleared correctly. | Disable TCP connections through the DNS proxy daemon, which safely avoids any issues with proxied TCP requests. | 8.1.19, 9.0.14, 9.1.9, 10.0.5 |
| PAN-150852 | 8.1.0-8.1.18, 9.0.0-9.0.12, 9.1.0-9.1.6, 10.0.0-10.0.4 | Fixed an issue with SMTP that occurred when attachment file names were longer than the allocated buffer. If the file name was longer than the buffer and Layer 7 inspection was enabled, the file was dropped, which caused session errors and an email not to be sent. | DP crash / SMTP packet drop. | Buffer handling issue when processing the SMTP multi-part filename. | None | 8.1.19, 9.0.13, 9.1.7, 10.0.5 |
| PAN-143485 | 8.1.0-8.1.18, 9.0.0-9.0.12, 9.1.0-9.1.6, 10.0.0-10.0.4 | Fixed a memory leak issue related to a process (*devsrvr*). | Device server memory leak. | Multiple leaks (URL, config, etc.) are fixed. | Restart devsrvr before device memory gets depleted. | 9.0.13, 9.1.8, 10.0.0 |
| PAN-156891 | 9.1.0-9.1.7, 10.0.0-10.0.4 | Fixed an issue where some zip files did not download and the following error message displayed: `resources-unavailable`. | L7 features do not work when hitting the 'resource-unavailable' error. | The decoder buffer goes through a high number of loops in L7 processing and hits the maximum limit. | `set deviceconfig setting session resource-limit-behavior bypass` helps to bypass sessions hitting the error.<br>It can generally happen regardless, but "Strip ALPN" in the decryption profile may resolve the issue if it is caused by decoding HTTP/2.<br>Disabling hardware DFA can be a workaround since it reduces the number of loops:<br>`debug dataplane fpga set sw_aho yes`<br>`debug dataplane fpga set sw_dfa yes` | 9.1.8, 10.0.5 |
| PAN-145417 | 9.0.0-9.0.12, 9.1.0-9.1.7, 10.0.0-10.0.3 | Debug commands were added to address an issue where the firewall failed to connect to Cortex Data Lake due to the Online Certificate Status Protocol (OCSP) message missing the `nextUpdate` value in the OCSP response. | sslmgr memory leak caused an issue with OCSP. | Failed OCSP queries are cached for a long time. This affects the normal behaviour of sslmgr and its memory usage goes up. | Restart the sslmgr process. | 9.0.13, 9.1.8, 10.0.4 |


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm68CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail