Critical Issues Addressed in PAN-OS Releases
Symptom
Historical Critical Issue List Addressed in PAN-OS Releases
Environment
All current PAN-OS
Resolution
Last Updated On: Aug 12th, 2024
This list is limited to critical severity issues as determined by Palo Alto Networks and is provided for informational purposes only.
- Please double-check the release notes for the latest information about fixed versions.
- Please create a case with your support provider for a detailed investigation if you feel you have encountered one of these issues.
- Maintenance releases are the primary mechanism to fix issues.
- A maintenance release is signified by the third digit in the release version number (for example, the .2 in PAN-OS 10.1.2).
- An asterisk (*) in the Fixed release column is used for internal checks. Please ignore it.
Bugs | Affected Platform / Affected Version | Description (release note) | Impact | Root cause | Workaround | Fixed release |
---|---|---|---|---|---|---|
PAN-251847 | 10.1.14 | Fixed an issue on log collectors where the incoming log rate was lower than expected. | Logging rate degradation | Parameter definition change on FW interacted with Panorama unintentionally | N/A | 11.2.0, 11.1.3, 11.0.5, 10.2.11, 10.1.15, 10.1.14-h2 |
PAN-251639 | 11.1.3, 10.2.9 | Fixed an issue where an out-of-memory condition occurred due to a memory leak related to the varrcvr process when a WildFire Analysis security profile was enabled. | system instability due to memory leak on varrcvr | new debuggability in varrcvr caused memory leak | repeatedly restart varrcvr before memory usage grows too high | 11.2.0, 11.1.4, 11.0.5, 10.2.10, 10.2.9-h9, 10.1.14 |
PAN-244907 | 11.1.0-11.1.2 11.0.4, 10.2.7-10.2.9 | (PA-3400, PA-5400, and PA-1400 Series firewalls only) Fixed an issue where virtual wire ports did not go down when moving from an active state to a suspended state. | see Description | brdagent skipped board port reset and only disable the MAC which is why port is not brought down. | N/A | 12.1.0, 11.2.0, 11.1.3, 11.0.5, 10.2.10, |
PAN-244648 | 11.1.0-11.1.2, 11.0.0-11.0.4, 10.2.0-10.2.8 | (PA-5200 Series only) Fixed an issue where the firewall did not boot up after a factory reset, and, with FIPS mode enabled, the firewall rebooted into maintenance mode. | System does not boot after factory reset | Rebooted from factory reset while partition is not ready | ask customer support | 12.1.0, 11.2.0, 11.1.3, 11.0.5, 11.0.3-h12, 10.2.10, 10.2.8-h4, |
PAN-242561 | 11.1.0-11.1.1 11.0.3, 10.2.7-h3, 10.1.11-h4,10.1.12, 9.1.17 | Fixed an issue where GlobalProtect tunnels disconnected shortly after being established when SSL was used as the transfer protocol. | SSLVPN connection get disconnected | Unexpected OS behavior that uses IPv6 neighbor discovery to learn MAC address for IPv4. | For Microsoft Windows, disable IPv6 on virtual adapter. | 11.2.0, 11.1.2, 11.0.4, 11.0.3-h5 10.2.8,10.2.7-h6, 10.1.13, 9.1.18 |
PAN-240197 | 11.1.0, 10.2.7 | Fixed an issue where configuration changes made in Panorama and pushed to the firewall were not reflected on the firewall. | Config push fails | When service groups have a tag then during processing there is logical error which results in error during validation of the service group | Enable the Share unused object from panorama setting - may cause significant increase the config size OR Remove tags from the service group objects - if they use tags elsewhere, it will impact. The above workarounds might not be feasible - it would depend on the config | 11.2.0, 11.1.1, 11.0.4,11.0.3-h5, 10.2.8, 10.2.7-h3 |
PAN-239279 | 11.1.0-11.1.2 11.0.0-11.0.3 | Fixed an issue where the SWG proxy did not accept new connections. | system instability due to memory leak in SWG proxy. No new connection can be accepted | memory usage management issue | N/A | 11.2.0, 11.1.3, 11.1.2-h1, 11.0.4 |
PAN-238586 | 11.1.1, 11.0.3, 10.1.11-h4, 10.1.11-h5, | Fixed an issue where DNS resolution failure from the LFC resulted in WildFire public cloud connectivity failure. | Logging/WF connection from LFC fails | Name resolution was not properly populated | N/A | 11.2.0, 11.1.2, 11.0.4, 10.2.8, 10.1.12, |
PAN-235741 | 11.1.1 10.1.11-h4, 9.1.16-h7 | Fixed an issue where DNS resolution failed for Panorama and firewall plugins if the DNS Server IP was obtained through DHCP. | can't resolve IP for cloud servers for plugins | dns related file in plugin was broken | N/A | 11.2.0, 11.1.1, 11.0.3,10.2.8, 10.1.12, |
PAN-236120 | 11.1.0-11.1.1 11.0.0-11.0.3 10.2.0-10.2.7 10.1.0-10 | Fixed an issue where the /opt/panlogs partition reached capacity due to the logdb-quota for the User-ID log folder not being matched. | panlogs partition full, which affects log related features (i.e. reporting/ACC) | offline and online purging mechanism caused race condition when log is continuously created | Restart log-receiver | 11.2.0, 11.1.2, 11.0.3-h5, 11.0.4, 10.2.8, |
PAN-234929/ (use fix of PAN-236120) | 11.1.0, 11.0.2-h2, 11.0.3, 10.2.6-10.2.7, 10.1.11-h1 | Fixed an issue where tabs in the ACC such as Network Activity Threat Activity and Blocked Activity did not display data when you applied a Time filter of Last 15 Minutes, Last Hour, Last 6 Hours, or Last 12 Hours, and the data that was displayed with the Last 24 Hours filter was not accurate. Reports that were run against summary logs also did not display accurate results. | report/ACC do not work due to summary log quotas are not purged properly | report/ACC do not work due to summary log quotas are not purged properly | restart log-receiver | 11.1.1, 11.0.4,11.0.3-h5 10.2.8 , 10.1.12, 10.1.11-h4, |
PAN-231507 | PA-1400s only 11.0.2-11.0.3 | (PA-1400 Series firewalls only) Fixed an issue where, when an HSCI interface was used as an HA2 interface, HA2 packets were intermittently dropped on the passive firewall, which caused the HA2 connection to flap due to missing HA2 keepalive messages. | HA2 flap realtime sync delay | When HSCI interface is used as HA2 interface, HA2 packets were not processed properly. | Use Data interface for HA2 | 11.2.0, 11.1.3, 11.0.4, 11.0.3-h3 |
PAN-229599 | 11.1.0-11.1.1 | Fixed an issue where log collectors did not form an Elasticsearch cluster. | ES cluster does not work | Old indices (5.x from PANOS9.1) not allowing ES to form cluster | Ask customer support | 11.2.0, 11.1.2, |
PAN-227435 | (mainly seen in PA400) 11.1.0, 11.0.2-h2, 10.1.11-h1 | Fixed an issue where the logrcvr process stopped responding and caused the autocommit process to fail or remain at 0%. | Auto commit failure | Double free of system settings function | N/A | 11.2.0, 11.1.1, 11.0.3, 10.2.6, 10.1.12 |
PAN-227368 | 11.0.2-11.0.3, 10.2.5-10.2.6 | Fixed an issue where the GlobalProtect app was unable to connect to a portal or gateway and GlobalProtect Clientless VPN users were unable to access applications if authentication took more than 20 seconds. | GP connection fails | In affected versions, proxy session timeout was set to 20 seconds. in case auth server reply is slower than that, login fails. | TCP handshake timeout to max 60 seconds and finish SAML auth till it's timed out. (the change affects all sessions) | 11.1.0, 11.0.4, 11.0.3-h5 , 10.2.7 |
PAN-226792 | 11.0.3, 10.1.11 | Fixed an issue where the logrcvr process stored older content versions in the shared memory even when newer content updates were installed. | Memory leak in Logrcvr. It causes instability of system | The leak is tied with DAG updates. Each time a DAG update (adding or removing DAG) is received by logrcvr, then it will grab a pointer of the current content version. | A workaround is to restart logrcvr. | 11.1.0, 11.0.4,11.0.3-h3, 10.2.5 10.1.12 |
PAN-224036 | 11.0.0-11.0.2, 10.2.0-10.2.7 10.1.0-10.1.11, | (PA-5450 firewalls only) Fixed an issue where a firewall with QoS configured was not able to send packets out of its interfaces after a reboot. | System instability i.e. Internal path monitor failure/ DPC unresponsive | fpp process can't get a proper state of DPC on boot when QoS is enabled. | Restart the NC card | 11.1.0, 11.0.3, 10.2.8,10.1.12, |
PAN-223798 | 11.0.2-11.0.3, | Fixed an issue on the firewall where, when Advanced Routing was enabled, PIM join messages were not sent to the RN due to a missing OIF. | Multicast routing communication failure can happen | stale entry installed in RP causing lookup failure | N/A | 11.2.0,11.1.0, 11.0.4, |
PAN-223317 | 11.0.1-11.0.2 10.2.4, 10.1.10 9.1.16 | Fixed an issue where SSL traffic failed with the error message: `Error: General TLS protocol error`. | Decryption error causes users to be unable to access the website | ssl key generation took longer due to version incompatibility | Ask customer support | 11.1.0, 11.0.3, 10.2.5, 10.1.11, 10.1.10-h1, 9.1.17 |
PAN-220907 | 11.0.2-11.0.3 10.2.5-10.2.7 10.1.10-10.1.13 9.1.16- | (VM-Series firewalls only) Fixed an issue where large packets were dropped from the dataplane to the management plane, which caused OSPF neighborship to fail. | Various failures, i.e. OSPF neighbor down, WF upload failure | Internal MTU issue | Enable jumbo frame (`> set system setting jumbo-frame on`) | 11.1.0, 11.0.4, 11.0.3-h5, 10.2.8, 10.1.14, 10.1.13-h1 |
PAN-218928 | 11.0.0-11.0.3 10.2.4-10.2.7 10.1.9 | Fixed an issue where the reportd process stopped responding after querying logs or generating ACC reports with some filters. | Segmentation fault in reportd process | Reportd process crash | N/A | 11.1.0, 11.0.4, 11.0.3-h5 10.2.8, 10.1.10, |
PAN-218267 | 11.0.2, 10.2.4 10.1.11-h4 | Fixed an issue where a commit and push operation from Panorama to managed firewalls did not complete or took longer to complete than expected. | Failure in lookup reference in config/DG while partial commit | Config push failure in partial commit | Please use Full commit instead | 11.1.0, 11.0.3, 10.2.5, 10.2.4-h3, 10.1.12 |
PAN-217208 | 10.1.0-10.1.10 | Fixed an issue where a memory leak related to the *snmpd* process caused an out-of-memory (OOM) condition or caused the process to restart when using SNMPv3. | memory leak on netsnmpd | OOM/snmpd memory leak | N/A | 10.1.11 |
PAN-214234 | 11.1.0-11.1.2, 11.0.0-11.0.4, 10.2.0-10.2.7 | Fixed an issue where a CRL destination file increased in size and an OpenSSL related process caused an OOM condition on the firewall. | OOM during CRL processing | OOM/system or process restarts | N/A | 11.2.0,11.1.3, 11.0.5,10.2.8 |
PAN-211255 | 11.0.0-11.0.3 10.2.0-10.2.4 10.1.0-10.1.11 | Fixed an issue where third-party VPNC IPSec clients were disconnected after a few seconds for firewalls in active/active HA configurations. | VPN failure | On an AA setup, one HA peer doesn't handle the traffic, so the timestamp of the latest traffic doesn't update on that peer. This caused the VPN failure. | (tentative workaround) suspend non-owner peer | 11.1.0, 11.0.4, 10.2.5, 10.1.12 |
new | ||||||
PAN-218620 | 10.1.0-10.1.11 10.2.0-10.2.4 11.0.0-11.0.3 | Fixed an issue where scheduled configuration exports and SCP server connection testing failed. | Scheduled configuration exports via SCP does not work | an internal config in ssh had an issue | No workaround | 10.1.12, 10.2.5, 10.2.4-h3, 11.0.3-h3,11.0.4, 11.1.0 |
PAN-219659 | Mostly seen in PA-220/ 10.1.0-10.1.10 10.2.0-10.2.4 11.0.0-11.0.2 | Fixed an issue where root partition frequently filled up and the following error message was displayed: `Disk usage for / exceeds limit, xx percent in use, cleaning filesystem`. | Disk usage full | Dangling fds are created when .log files are deleted | No workaround | 10.1.11, 10.1.10-h1 ,10.2.5 ,11.0.3, 11.1.0 |
PAN-221126 | 10.1.0-10.1.11 10.2.0-10.2.6 11.0.0-11.0.2 | Fixed an issue where email server profiles (**Device > Server Profiles > Email and Panorama > Server Profiles > Email**) to forward logs as email notifications were not forwarded in a readable format. | Email alerts are not in readable format | The encode html is missed to encode the fields like to, from, cc & reply id's while sending the mail from mailclient | Use custom log format instead | 10.1.11,10.2.7, 11.0.3,11.1.0 |
PAN-216984 | 10.1.0-10.1.10 | Fixed an issue where internal path monitoring failed due to the `sysdagent` not responding | sysdagent crash / system unresponsive | nanosleep in sysdagent caused by stale httpd worker processes sees httpd processes piling up | No workaround | 10.1.11, 10.1.10-h1 |
PAN-225183 | M-Series, Panorama/ 10.1.0-10.1.10 10.2.0-10.2.4 11.0.0-11.0.2 | The SSH tunnels between the log collectors of a collector group go down intermittently causing the Elasticsearch cluster health status to degrade to yellow or red. This has been fixed. | Elasticsearch cluster breaks and is unable to write forwarded logs to disk. | Ciphers used for the SSH tunnels occasionally would result in too large a packet causing the connection to break. | No workaround | 10.1.11, 10.2.5, 11.0.3 |
PAN-221984 | VM-Series NGFWs in Microsoft Azure environments/ 10.1.0-10.1.10, 10.2.0-10.2.4, 11.0.0-11.0.2 | Fixed an issue where an interface went down after a hotplug event and was only recoverable by restarting the firewall. | Dataplane interfaces go down after a hotplug event. | PANOS process makes a DPDK call on an invalid port ID after hot removal on Azure. | None | 10.1.10-h2, 10.1.11, 10.2.4-h4, 10.2.5, 11.0.2-h1, 11.0.3 |
PAN-216984 | All PAN-OS NGFWs/ 10.1.0-10.1.10 10.2.0-10.2.4 11.0.0-11.0.1 | Fixed an issue where a stale httpd process caused a buildup of the sysd queues, which further led to either path monitoring failures and process crashes or out of memory crashes. | Multiple crashes on the management plane, unexpected HA failovers, and loss of GUI and CLI access. | httpd process does not exit cleanly and holds on to resources, which causes the sysd queue to get stuck and processes to not respond to heartbeats. | Among the HA peers, find the unit that has a stale httpd process with a large Recv-Q that seems to be either stuck or increasing, then restart the web-backend service on that unit. This recovery step will stop crashes and stabilize the devices, but the issue could appear again. | 10.1.10-h1, 10.1.11, 10.2.5, 11.0.2 |
PAN-216043 | All PAN-OS NGFWs/ 10.1.0-10.1.10 10.2.0-10.2.4 11.0.0-11.0.1 | Continuous crashes of the wifclient process have been fixed. The repeated process restarts would lead to a reboot of the PANOS device. | Continuous wifclient process crashes and unexpected devices restarts. | Caused by memory corruption when large amounts of traffic are sent to certain cloud services (such as Enhanced Application Logs in IOT). | Disable IOT service. | 10.1.11, 10.2.4-h4, 10.2.5, 11.0.2 |
PAN-215315 | All PAN-OS NGFWs/ 10.1.0-10.1.10 10.2.0-10.2.4 11.0.0-11.0.2 | Fixed an issue where the dataplane stopped responding due to ager and inline packet processing occurring concurrently on different cores for the same session. | Multiple cores result in dataplane instability and unexpected reboots. | Race condition where the same packet is processed simultaneously by two different functions. | No workaround | 10.1.10-h1, 10.1.11, 10.2.4-h3, 10.2.5, 11.0.2 |
PAN-210607 | All PAN-OS NGFWs/ 11.0.0-11.0.1 | Fixed an issue where enabling Inline Cloud Analysis on Anti-Spyware, Vulnerability Protection, or URL Filtering Security profiles caused the dataplane to stop responding. | Multiple cores result in dataplane instability and unexpected reboots. | Enabling Inline Cloud Analysis leads to a situation where a memory structure is used after being freed. | Disable Inline Cloud Analysis. From CLI: `set profiles spyware <name> cloud-inline-analysis no` and `set profiles url-filtering <name> cloud-inline-cat no` | 11.0.1-h2, 11.0.2 |
PAN-209305 | All PAN-OS NGFWs/ 10.2.0-10.2.3 | Fixed an issue where enabling Inline Cloud Analysis caused the content and threat detection (CTD) process flow cleanup to not be done correctly if a threat was encountered during the traffic inspection. | Multiple cores result in dataplane instability and unexpected reboots. | Enabling Inline Cloud Analysis leads to a freed content and threat detection process flow getting accessed. | Disable Inline Cloud Analysis. From CLI: `set profiles spyware <name> cloud-inline-analysis no` and `set profiles url-filtering <name> cloud-inline-cat no` | 10.2.4 |
PAN-208325 | PA-5400, PA-3400, PA-400/ 10.1.0-10.1.9 10.2.0-10.2.4 11.0.0-11.0.1 | Fixed an issue where the firewall was unable to automatically renew the device certificate. | Impacted devices cannot connect to CDL, Wildfire cloud, PANDB or send telemetry data. | Devices with TPM (Trusted Platform Module) send the wrong device type for the renewal command. | No workaround | 10.1.10, 10.2.5, 11.0.2 |
PAN-207533 | All PAN-OS NGFWs/ 10.2.0-10.2.3 11.0.0 | Fixed an issue with firewalls in HA configurations where ARP and IPv6 multicast packets were transmitted from the passive firewall. | Split brain in an HA environment. | Passive firewall allowed ARP and IPv6 packets to leak. | Suspend the passive device. | 10.2.4, 11.0.1 |
PAN-222712 | PA-5450/ 10.1.0-10.1.10 10.2.0-10.2.4 11.0.0-11.0.2 | Fixed a low frequency DPC restart issue. | Path monitoring failures causes device to go down. | Switching frequency of the hardware component not optimal on occasion causing the card to not respond. | No workaround | 10.1.10-h2, 10.1.11, 10.2.4-h4, 10.2.5, 11.0.2-h1, 11.0.3 |
PAN-206933 | PA-400/ 10.1.0-10.1.10 10.2.0-10.2.4 11.0.0-11.0.1 | Fixed a silent reboot or port flaps that would occur on PA-400s due to a race condition between PDT register read and brdagent polling. | Unexpected reboots or flapping of links. | Race condition between PDT register read and brdagent polling. | No workaround | 10.1.11, 10.2.4-h3, 10.2.5, 11.0.2 |
PAN-205729 | PA-3200, PA-7000/ 10.1.0-10.1.8 10.2.0-10.2.3 11.0.0 | Fixed an issue where the CPLD watchdog timeout caused the firewall to reboot unexpectedly. | Unexpected reboots or freezes. | | No workaround | 10.1.9, 10.2.4, 11.0.1 |
PAN-205255 | PA-800, PA-3200, PA-5200, PA-7000/ | Fixed a rare issue that caused the dataplane to restart unexpectedly. | Multiple crashes cause the card/device to restart. | Due to a race condition, two different cores were working on the same packet. | No workaround | 10.1.9-h1, 10.1.10, 10.2.4, 11.0.1 |
PAN-201858 | All PAN-OS NGFWs/ 10.1.0-10.1.8 10.2.0-10.2.3 | Fixed an issue where the SD-WAN interface Maximum Transmission Unit (MTU) led to incorrect fragmentation of IPSec traffic. | Packets incorrectly fragmented on the egress interface impacting network performance. | MTU size incorrectly calculated after packets are decapsulated from SD-WAN tunnel interface. | Perform a commit with configuration change or a commit force. | 10.1.8-h2, 10.1.9, 10.2.4 |
PAN-201085 | PA-5450/ 10.1.0-10.1.9 10.2.0-10.2.3 | Fixed an issue where inserting the NPC and DPC on slot2 created excessive logs in the `bcm.log file`. | Crashes seen on the brdagent process along with unexpected reboots. | Collection of certain type of SNMP stats on some ports was not supported causing the log files to fill up. | No workaround | 10.1.10, 10.2.4 |
PAN-199807 | All PAN-OS NGFWs/ 10.1.0-10.1.8 10.2.0-10.2.3 11.0.0 | Fixed an issue where the dataplane frequently restarted due to high memory usage on wifclient. | Dataplane restarts unexpectedly. | High wifclient usage can cause memory corruption. | No workaround | 10.1.9, 10.2.4, 11.0.1 |
PAN-199738 | PA-5400/ 10.1.0-10.1.9 10.2.0-10.2.3 11.0.0 | Fixed an issue where upgrades remained at 71%, which caused the firewall to stop responding until it was manually power cycled. | Upgrade fails. | File system gets corrupted due to the BIOS upgrade. | No workaround | 10.1.10, 10.2.4, 11.0.1 |
PAN-198174 | All PAN-OS NGFWs/ 10.1.0-10.1.8 10.2.0-10.2.3 | Fixed an issue where, when viewing traffic or threat logs from the **Application Command Center** (ACC) or **Monitor** tabs, performing a reverse DNS lookup caused the *dnsproxy* process to restart if DNS server settings were not configured. | dnsproxyd crashes cause unexpected reboot. | Same memory was being freed twice during error handling. | Configure a DNS server IP in device DNS setting. | 10.1.9, 10.2.4 |
PAN-195201 | All PAN-OS NGFWs/ 10.1.0-10.1.8 10.2.0-10.2.3 | Fixed an issue where high volume DNS Security traffic caused the firewall to reboot. | Unexpected reboot. | Race condition where shared variables were not protected through locks. | No workaround | 10.2.4 |
PAN-195149 | All PAN-OS NGFWs | Fixed an issue where firewall administrators were unable to log in to the web interface when RADIUS two-factor authentication was used. | Administrators are unable to log into the web interface. | Incorrect parameters picked when the https process that initiates the auth request is not the one that receives the auth request. | No workaround | 10.2.3-h4, 10.2.4, 11.0.1 |
PAN-193808 | All PAN-OS NGFWs | Fixed a memory leak issue in the mgmtsrvr process that resulted in an OOM condition. | Device runs out of memory causing processes to restart or the device to reboot. | When the connection between the firewall and Panorama flaps, SSL connection related memory is not freed. | Maintain a stable connection between firewall and Panorama/Log Collector | 10.1.9, 10.2.4 |
PAN-192456 | All PAN-OS NGFWs | Fixed an issue where GlobalProtect SSL VPN processing during a high traffic load caused the dataplane to stop responding. | Repeated crashes causes the DP to exit. | The dataplane operations are not atomic when the GP tunnel is in SSL VPN mode. | No workaround | 10.1.9, 10.2.4, 11.0.2 |
PAN-188912 | All PAN-OS NGFWs/ 9.1.0-9.1.15 10.1.0-10.1.8 10.2.0-10.2.3 | Fixed an issue where authentication failed due to a process responsible for handling authentication requests getting corrupted. | Authd might crash and cause commit failures. | Race condition when an FQDN commit and a normal commit occur within milliseconds of each other. | Avoid using an FQDN object for the LDAP server. | 9.1.16, 10.1.9, 10.2.4 |
PAN-186412 | PA-220/ 10.1.0-10.1.8 10.2.0-10.2.3 11.0.0 | Fixed an issue where invalid `packet-ptr` was seen in work entries. | Crashes can cause instability in the DP | The shared packet buffer pool between MP and DP can cause crashes. | No workaround | 10.1.9-h1, 10.1.10, 10.2.4, 11.0.1 |
PAN-160633 | PA-3200, PA-5200, PA-7K/ 9.1.0-9.1.16 10.1.0-10.1.10 10.2.0-10.2.4 11.0.0-11.0.2 | Fixed an issue where the dataplane restarted repeatedly after a reboot due to internal path monitoring failures until a power cycle. | DP might go down after a reboot or an upgrade. | The MP to CP ports do not come up after a BIOS upgrade or reboot. | Hard reboot the device. | 9.1.17, 10.1.10-h2, 10.1.11, 10.2.5, 11.0.3 |
PAN-215461 | PA-5250,PA-5260,PA-7K 10.1.0-10.1.9 10.2.0-10.2.3 | Fixed an issue where the GRE keepalive packets leaked and filled up the packet buffers. | Packet buffer leak affects DP stability. | GRE keepalive packets on a multi-DP platform were not freed | Disable GRE keepalive and reboot the FW to recover | 10.2.4, 10.1.10, 10.1.9-h3 |
PAN-215488 | 11.0.0 10.2.0-10.2.3 10.1.0-10.1.9 9.1.0-9.1.15 | Fixed an issue where an expired Trusted Root CA was used to sign the forward proxy leaf certificate during SSL Decryption. | SSL decryption fails. | Mistakenly using cache for expired intermediate certificate | Clear certificate cache | 11.0.1,10.2.4,10.1.10,10.1.9-h3,9.1.17 |
PAN-206921 | GP against all on-prem NGFWs 10.2.2-10.2.3 | Fixed an issue where GlobalProtect client certificate authentication failed on a gateway when the gateway was placed behind a NAT. | GlobalProtect client certificate authentication fails. | The change in the IP address, due to the NAT caused incorrect processing by the gateway. | No workaround | 10.2.3-h4, 10.2.4 |
PAN-206005 | PA-1400,PA-3400, PA-5400f 10.2.0-10.2.3 11.0.0 | Fixed an issue where the `l7_misc` memory pool was undersized and caused connectivity loss when the limit was reached. | User access to traffic is impacted. | l7_misc pool size was undersized | Enable "Strip ALPN" if http2 is affected. | 10.2.4, 11.0.1 |
PAN-206243 | mainly seen in PA200,PA200R/ | Fixed an issue where the firewall reached the maximum disk usage capacity repeatedly in one day. | Disk full issue | The existing cleaning methods are not efficient/fast enough to clean the old logs/compress them. | Enable aggressive cleaning: `debug software disk-usage aggressive-cleaning enable`. Set the cleanup threshold to 90: `debug software disk-usage cleanup threshold 90` | 10.2.4, 10.1.9 |
PAN-194068 | PA5200/ | Fixed an issue where the firewall unexpectedly rebooted with the log message "Heartbeat failed previously". | Unexpected reboot | MP lockup due to a bug in BIOS | No workaround | 10.1.8-h2, 10.1.9, 10.2.4, 11.0.1 |
PAN-201872 | All PAN-OS NGFWs/ | Fixed an issue where SMB performance caused overall network latency after an upgrade. | Users might experience network latency. | Regex lookup is not freed in certain code path | Application override the traffic that uses regex lookup memory. In many but not all instances, the traffic that needs to be overridden is SMB traffic. | 9.1.15, 10.1.8, 10.2.3-h2, 10.2.4 |
PAN-201627 | 10.1.6-h6,10.1.7 | Fixed an issue in NGFWs where, when SD-WAN was configured, the dataplane restarted if all SD-WAN member links were down due to an out-of-memory (OOM) condition or during a reboot when all SD-WAN tunnels were down. | DP restart | Fork process created zombie processes. | Avoid using 10.1.6-h6, 10.1.7 | 10.1.8, 10.2.3 |
PAN-199099 | 10.1.7,10.2.2 | Fixed an issue where, when decryption was enabled, Safari and Google Chrome browsers on Apple Mac computers rejected the server certificate created by the firewall because the Authority Key Identifier was copied from the original server certificate and did not match the Subject Key Identifier on the forward trust certificate. | Decryption issue when using GP via Safari or Google Chrome browsers | An issue mistakenly copying AKID extension to a new cert, causing validation failures on some browsers. | Use a Forward Trust CA that does not contain an Authority Key Identifier (AKID) nor a Server Key Identifier (SKID). This is standard in PAN firewall created certs. | 10.2.3, 10.1.8 |
PAN-198266 | PA-400, PA-3400, PA-5400 10.2.2 | Fixed an issue where, when predicts for UDP packets were created, a configuration change occurred that triggered a new policy lookup, which caused the dataplane to stop responding when converting the predict. This resulted in the policy lookup returning a policy denial. | DP crash | The logging code accesses a non-existent field when generating a deny log for a predict. This happens when an allow policy is removed or changed to deny and pre-existing predicts created by ALG are no longer valid. | Clear all predicts before a config commit: `clear session all filter type predict` | 10.1.8, 10.2.3 |
PAN-191216 | 10.2.0-10.2.2 | Fixed an issue where, on Apple iOS devices, SAML authentication did not connect to the GlobalProtect portal. | GP on iOS with SAML does not work | Since 10.2.0, GP server is missing to SAML related result in HTTP header | N/A | 10.2.3 |
PAN-196005 | PA-3200 Series, PA-5200 Series, and PA-5400 Series firewalls only 10.1.0-10.1.6 10.2.0-10.2.2 (only 10.1.6 is reported) | Fixed an issue where GlobalProtect IPSec tunnels disconnected at half the inactivity logout timer value. | GP tunnel goes down every 30minutes | Because of local time handling difference in MP and DP for a GP tunnel timeout feature, NGFW mistakenly disconnects GP tunnel. | To sync time for this, power off the fw then power up. NOT reboot. | 10.1.7,10.2.3 |
PAN-191558 | 10.0.10, 10.1.5-10.1.6, 10.2.1-10.2.2 | Fixed an issue where, after an upgrade to PAN-OS 10.1.5, Global Find did not display all results related to a searched item. | Global does not | A searchAttribute instance throwing a null pointer error on searching causes endless loading | N/A | 10.0.11, 10.2.3, 10.1.7, 10.1.6-h3 |
PAN-189395 | PA-400 10.2.0-10.2.1 | PA-400 Series firewalls only: Fixed an issue where running a PAN-OS 10.2 release caused dataplane processes to restart unexpectedly. | dataplane process restart | memory leak in memory buffer | No workaround | 10.2.2 |
PAN-189468 | 9.1.13 10.0.10 10.2.0 | Fixed an issue where sessions were dropped with the message `resource-unavailable` due to the content inspection queue filling up. | session drops due to 'resource-unavailable' | ctd memory space is held due to wrong memory freeing | set system setting ctd nonblocking-pattern-match disable (This will cause higher packet buffer CPU usage.) | 9.1.14,10.0.10-h1,10.0.11,10.1.5,10.2.1 |
PAN-183826 | 9.1.12-9.1.13 10.0.8 10.1.0-10.1.6 10.2.0 | Fixed an issue where, after clicking "WildFire Analysis Report", the web interface failed to display the report with the following error message: `refused to connect`. | WildFire Analysis Report can't be seen in WebUI | The issue is because the x-frame-options is set to deny so the WF report is unable to display within the iframe | "View frame source" on right click menu on failed analysis report. remove "viewsource" from the opened link. the link starts with "viewsourcehttps://x.x.x.x/wf_report/". then open the page. | 9.1.14,10.0.9,10.1.7,10.2.1 |
PAN-175211 | 9.0.0-9.0.15 ,9.1.0-9.1.12 ,10.0.0-10.0.8 ,10.1.0-10.1.3 | Fixed a memory leak issue in the mgmtsrvr process. | mgmtsvr process memory leak | When there is constant reconnect from FW to Panorama, old SSL structure is not freed and newly allocated SSL structure overwrites a memory space leaks. | No workaround | 9.0.16, 9.1.13, 10.0.9, 10.1.4 |
PAN-187183(PLUG-10024) | All PA-VM in 10.1.4 VM Plugin 2.1.4 | Fixed an issue with `vm_license_response.log` that consumed a large portion of the root partition. | root partition full | License fetch log is consuming root space | From admin CLI, admin@PA-VM> debug-log mp-log file vm_license_response.log_backup.gz successfully removed vm_license_response.log_backup.gz | VM Plugin: 2.1.5, 3.0.0 |
PAN-181116 | 10.1.0-10.1.4 | Fixed memory corruption issues in PAN-OS 10.1.3 and 10.1.4 that caused the "pan_comm" process to stop responding and the dataplane to restart. These issues also caused GlobalProtect tunnels to fall back to SSL instead of IPSec due to the inadvertent encapsulation of the ICMP keepalive response from the firewall. | GP does not connect with IPSEC ESP and instead switches to SSL | In original design, mix mode was not supported. If ssl tunnel and ipsec tunnel established together, their config are messed up. It caused tunnel failed. | N/A | 10.1.5 |
PAN-185750 | 10.1.4 | Updated an issue to eliminate failed `pan_comm` software issues that caused the dataplane to restart unexpectedly | pan_comm process crash | timestamp variable was not cleared properly and it' | No workaround | 10.1.5, 10.1.4-h4 |
PAN-186937 | 9.1.0-9.1.11 | Fixed an issue where the firewall dropped packets decrypted using the SSL Decryption feature and Encapsulating Security Payload (ESP) IPSec packets that originated from the same firewall. This occurred when **Strict IP Address Check** was enabled in the zone protection profile (**Packet Based Attack > IP Drop**) and the packet's source IP address was the same as the egress interface address. | packet drop on SSL decryption and ESP IPsec on the same FW | The bug was caused when strict IP was on and packet source IP == egress IP. This caused packets, like ESP and SSL decrypt for example, to be erroneously dropped | Disable the Strict IP Address Check option in the Zone Protection profile. Alternatively, downgrade to 9.1.11 or earlier or upgrade to 10.0.0 or later if you want to enable the Strict IP Address Check. | 9.1.14 |
PAN-179274 | 9.1.0-9.1.12,10.0.0-10.0.9, 10.1.0-10.1.4 | Fixed an issue on high availability configurations where, after upgrading to PAN-OS 9.1.10, PAN-OS 10.0.6, or PAN-OS 10.1.0, the HA1 and HA1-Backup link stayed down. This issue occurred when the peer firewall IP address was in a different subnet. | HA1/HA1 backup link not coming up | Internal routing lookup mechanism didn't work as expected | No workaround | 9.1.13,10.0.10,10.1.5,10.2.0 |
PAN-177762 | 10.0.0-10.0.8,10.1.0-10.1.3 | Fixed an issue where `wificlient` in PAN-OS 10.0 and later releases caused processing delays, on-chip descriptor spikes, and buffer usage. | Traffic is intermittently dropped | from 10.0, new feature tends to hold cores. It can cause high packet descriptor on-chip or buffer usage. | Disable EAL | 10.0.9,10.1.4 |
PAN-172243 | 8.1.0-8.1.21,9.0.0-9.0.14, 9.1.0-9.1.12,10.0.0-10.0.8, 10.1.4-10.1.4 | Fixed an issue where NetFlow traffic triggered a packet buffer leak. | packet buffer full should cause general traffic processing in DP | Netflow saved packet leaked on commit as netflow profile changes memory space | Disable Netflow | 8.1.22,9.0.15,9.1.13,10.0.9,10.1.5* |
PAN-183767 | 8.1.21,9.1.12,10.0.8, 10.1.3 | Fixed an issue where downloading Dynamic Updates files failed when connected to the static update server at `us-static.updates.paloaltonetworks.com`. | PAN-OS is not able to download software image from update server | A code change in the affected versions provided the wrong option for a download command. | Use "updates.paloaltonetworks.com" instead. | 8.1.22, 9.0.15,9.1.13, 10.0.8-h2,10.0.9,10.1.5 |
PAN-177941 | PA-70x0 (100G-NPC)/ 10.0.0-10.0.7 10.1.0-10.1.2 | Fixed an issue where the `bcm.log` and `brdagent_stdout.log-<datestamp>` files filled up the root disk space | Root partition full | Unnecessary logs are generated on file system | Use ports 1-8 on LFC for log forwarding. | 10.0.8, 10.1.3 |
PAN-172580 | 10.0.0-10.0.7 10.1.0-10.1.2 | Fixed an intermittent issue where commits failed after a commit validation and were modified for custom URL category objects. | Intermittent commit failures | Candidate internal ids are not cleaned up for validate job during phase1 abort. It affects the subsequent commit for such. | Restore the url pattern changes made after the validate job and commit. OR Skip Validate and enforce commit | 10.0.8, 10.1.3 |
PAN-169064 | 9.1.0-9.1.10 10.0.0-10.0.6 10.1.0 | Fixed an issue where the management CPU remained at 100% due to a large number of configured User-ID agents. | memory leak on useridd | 1) The HIP report XML buffer was not released after the message was sent out, which caused a memory leak. 2) The high CPU issue is caused by a busy loop, because a large number of jobs are scheduled and the FD is always readable during the job waiting period. | Reducing the number of configured userid agents/clients can alleviate the issue. | 10.1.1, 10.0.7 and 9.1.11 |
PAN-169551 | 9.1.8-9.1.9 | Fixed an issue where custom URL categories hit incorrect URL categories, which caused the firewall to miss or deny the security policies for the configured custom URL. | URL category lookup fails | Id-manager mismanaged the table on commit, which caused URL patterns to be lost on the DP |
For customers using custom URL categories only (NO EDL-URL), before committing any URL pattern changes,
For customers using EDL-URL,
| 9.1.10 |
PAN-163800 | 9.1.0-9.1.10, 10.0.0-10.0.6, 10.1.0 | Fixed an intermittent issue where the presence of an Anti-Spyware profile in a Security policy rule that matched DNS traffic caused DNS responses to be malformed in transit. | dns response is corrupted | code of license check and TTL modification had a bug to handle DNS response | Remove anti-spyware that contains dns security profile | 9.1.11,10.0.7,10.1.1 |
PAN-146250 | 8.1.0-8.1.19, 9.0.0-9.0.13, 9.1.0-9.1.9, 10.0.0-10.0.6 | Fixed an issue where, in two separate but simultaneous sessions, the same software packet buffer was owned and processed. | DP crash | In the inter-vsys scenario, the same software packet buffer could be processed in two different sessions at the same time, which in turn caused the issue. | Use IPsec VPN instead of using SSL | 8.1.20,9.0.14,9.1.10,10.0.7 |
PAN-156017 | 9.1.0-9.1.6, 10.0.0-10.0.2 | Fixed an issue where a host information profile (HIP) report XML buffer caused a memory leak | Out of Memory in MP | HIP report buffer was not released after message was sent out which caused memory leak | Disable hip redistribution | 9.1.7,10.0.3 |
PAN-136347 | 8.1.0-8.1.18, 9.0.0-9.0.13, 9.1.0-9.1.8 , 10.0.0-10.0.4 | Fixed an issue where DNS proxy TCP connections were processed incorrectly, which caused a process (`dnsproxy`) to stop responding. | dnsproxyd crash / high CPU | tcp_wait_timer on the daemon wasn't cleared correctly | Workaround is to disable TCP connection through DNSproxy daemon, to safely avoid any ability issues with proxied TCP requests. | 8.1.19, 9.0.14, 9.1.9,10.0.5 |
PAN-150852 | 8.1.0-8.1.18 ,9.0.0-9.0.12 ,9.1.0-9.1.6 ,10.0.0-10.0.4 | Fixed an issue with SMTP that occurred when attachment file names were longer than the allocated buffer. If the file name was longer than the buffer and Layer 7 inspection was enabled, the file was dropped, which caused session errors and an email to not be sent. | DP crash /SMTP packet drop | buffer handling issue when processing SMTP multi-part filename | None | 8.1.19 9.0.13 9.1.7 10.0.5 |
PAN-143485 | 8.1.0-8.1.18, 9.0.0-9.0.12 , 9.1.0-9.1.6, 10.0.0-10.0.4 | Fixed a memory leak issue related to a process (*devsrvr*). | device server memory leak | multiple leaks (URL, config, etc.) are fixed | Restarting devsrvr before device memory gets depleted | 9.0.13,9.1.8,10.0.0 |