Palo Alto Networks Knowledgebase: PAN-OS 6.0.3: Addressed Issues

PAN-OS 6.0.3: Addressed Issues

Created On 02/07/19 23:36 PM - Last Updated 02/07/19 23:36 PM

The following issues have been addressed in PAN-OS 6.0.3 release.


63862A backend process was using an excessive amount of memory, causing an out of memory condition. An update has been made to improve how out of memory conditions are addressed. When an out of memory condition occurs, the backend process will be terminated in place of any other critical processes. This ensures that any critical processes will continue to run despite an out of memory condition, and the backend process will later restart automatically.
63859A PA-500 device was not sending out scheduled email reports. This was due to a rare issue where report generation was suspended and a race condition caused it to be unable to resume, resulting in subsequent scheduled reports failing to generate. This issue has been addressed so that the report generation process is able to correctly resume after being suspended.
63635Addressed an issue where Panorama restarted unexpectedly due to a backend reporting process that stopped responding.
63608Upgrading from PAN-OS 5.0.X releases to a PAN-OS 6.0.X releases failed when the PAN-OS 5.0.X configuration included a custom application configuration with the spyware identification option (CLI command: spyware-ident). This was related to the spyware identification option not being supported in PAN-OS 6.0.X. This issue has been addressed so that upgrading to PAN-OS 6.0.3 is successful, even when the PAN- OS 5.0.X configuration includes a custom application configuration with the spyware identification option.
63602An issue was resolved where a User-Id process on the firewall stopped working when a connected User-ID Agent sent an XML API logout message containing a valid IP address but no entry name.
63587Custom signatures added as exceptions to a Vulnerability Protection Profile were not being displayed on the Exceptions tab on the Panorama web interface (Objects > Vulnerability Protection > Exceptions). This issue has been addressed so that custom signatures added as exceptions to a Vulnerability Protection Profile are correctly displayed on the Exceptions tab.
63582On the Panorama web interface, attempting to filter target devices to which specific security rules have been applied did not display results. This issue has been addressed so that the filter works correctly.
63570Addressed a race condition that caused scheduled report generation to stall and scheduled reports were not generated.
63551Selecting Sync to Peer on the High Availability widget on the web interface's Dashboard did not display the expected pop up to confirm the sync to peer. This issue and another minor display issue were seen using an Internet Explorer 9 or Internet Explorer 10 browser to use the web interface. These display issues have been addressed.
63472Smart card authentication for GlobalProtect was displaying the following error message: Authentication failed: empty password. This issue has been addressed so that authentication is successful and the password field is correctly populated.
63422Scheduled reports were not showing resolved host names. This was caused by an attribute value that was incorrectly set in one of the functions responsible for resolving the hostname for a given IP address. The value for this attribute has been corrected.
63383Addressed an issue where DNS Proxy did not use the expected DNS server (according to the configured DNS Proxy rule) to perform a name server lookup.
63316Addressed an issue that occurred when attempting to log in to the Panorama web interface. After authenticating login credentials and displaying the message: Creating administrative session. Please wait..., a white screen was displayed instead of the Panorama web interface Dashboard. This issue has been resolved so that logging in to the Panorama web interface correctly displays the Dashboard.
63298Addressed an issue where syncing a configuration between Panorama HA peers did not work correctly.
63247During SIP registration, if there is no port specified in the SIP payload, the device did not add any NAT information to the SIP payload. This caused some SIP servers to use more aggressive registration intervals using RTCP. This has been fixed by adding a new application: sipviaheader-nat. An app-override is required to use this new application.
63242A Field-Programmable Gate Array (FPGA) change was made to handle microbursts of multicast traffic and improve recovery mechanisms in latency conditions.
63161Resolved an issue where the NetBIOS name was removed from the IP address to username mapping when the NetBIOS name contained a period punctuation mark.
63147Fixed an issue in the migration script for the Routing Information Protocol (RIP) export rules from PAN-OS 5.0.X releases to PAN-OS 6.0.X releases which was causing Panorama template commits to fail.
63106Addressed an issue that affected an upgrade from PAN-OS 5.0.X releases to PAN-OS 6.0.X releases, where an IPsec validation error occurred when the dynamic peer type on an IKE gateway had the Local and Peer IDs defined.
63086Resolved an issue that occurred in an HA Active/Active setup, where the parent application sessions on a HA peer were not updated with traffic from the child application session and the parent applications sessions timed out. This caused the parent applications to close on both devices in the HA pair. This has been updated so that when the parent application session is refreshed on the primary device, it is now also refreshed on the secondary device.
63052When attempting to connect to GlobalProtect with token-based authentication configured, and a token could not be found, different error messages were previously displayed depending on the GlobalProtect or PAN-OS release version. This error message has been updated to be consistent across release versions.
62995Addressed an issue where the Application usage and Traffic summary by URL Category information in User Activity Reports was not in sync with the information displayed on the ACC tab in the web interface, in the Top Applications and URL Filtering sections.
62985An issue with the FPGA code for some PA-3000 Series devices was causing a small amount of VLAN tagged and offloaded packets to be truncated by 4 bytes.
62969OCSP requests were using the OCSP location in the certificate instead of the location configured on the firewall. This has been adjusted so that the firewall's OCSP configuration will take precedence. If no OCSP location is configured on the firewall, the certificate OCSP location will be used.
62895Addressed an issue where members of groups on non-Active Directory LDAP servers were not displayed as group members on the firewall.
62883Addressed an issue where fiber port down detection on SFP ports on a PA-2000 Series device took 10 - 20 seconds.
62876A Panorama role-based administrator with privileges for Device Groups and Templates could view devices which were not included in any device groups or templates. An update has been made in the web interface to eliminate visibility into devices that are not a part of a device group for administrators limited to Device Groups and Templates privileges.
62827Addressed an upgrade schema issue for Panorama running PAN-OS 6.0.1 where address objects were causing commit errors when attempting to push a configuration from Panorama to managed devices.
62801Traffic was blocked during SSL decryption when a certificate was signed with an untrusted CA and when the option to use OCSP to check certificate status was enabled (Device > Setup > Session > Certificate Revocation Checking). This has been resolved so that decryption works with untrusted certificates, with the option to use OCSP to check certificate status enabled.
62763Group mapping queries failed if the group name, or Active Directory organizational unit (OU) path, contained characters that were used in the standard LDAP query syntax (for example, parenthesis). These characters were not escaped correctly during the query building process causing the query to fail. An update was made so that the special characters are escaped.
62663Resolved an issue where the status for Tor was inaccurately reported in the outputs for the CLI commands show wildfire status and test wildfire tor.
62596A shadow rule warning message was incorrectly displayed and was not accurate in indicating that a security rule's match criteria was met by a preceding rule (the match criteria had not been met by a preceding rule). The incorrect error messages were being displayed while performing a commit and a fix was made to eliminate the incorrect warning messages.
62595Addressed an issue that was seen when using a filter to define search criteria for WildFire logs on the web interface. When adding a log filter for WildFire logs, selecting Category as the Attribute to include in the search displayed URL categories to select from in the Value column (Monitor > Wildfire > Add Log Filter). The Value column should have only displayed the options Malicious or Benign to select from.
62591During extremely high rates of logging over an extended period of time, traffic and threat logs could not be displayed on the web interface or the CLI. This was due to the data plane logging process consuming too much memory when attempting to write very large amounts of traffic logs and has been resolved.
62586When upgrading Panorama, commits to device groups would fail if Panorama had Service Groups and Address Groups configured with the same name. This has been resolved so that group objects are independent and unique names are not required.
62559Resolved an issue where creating or modifying policy rules took a long time for large configurations (for example, a configuration with 3000 rules and 20,000 objects). An update was made to increase the speed for creating and modifying policy rules for large configurations.
62552With both SSL Inbound Inspection and virus scanning enabled, the firewall was able to detect a virus being sent, but did not block the virus from being forwarded to the target. With this fix, the virus file is not forwarded to the target.
62545An update was made to support the export of threat PCAPs using the XML API.
62391When displaying the Detailed Log View of a traffic log entry, the value of the attribute Receive Time was incorrect and did not match the value from the Receive Time column on the traffic log list. With this fix, the value of the Receive Time attribute in the Detailed Log View is shown correctly.
62377Following an upgrade to PAN-OS 6.0.1, the following unexpected system log was generated daily: Got batch event for unknown child acc_rollup. An update has been made so that the log is no longer generated daily.
62366The data plane restarted with multiple cores due to a race condition caused by updating the aged out session. This issue has been fixed so that the race condition is resolved and will no longer trigger a restart.
62315Resolved an issue for devices running PAN-OS 5.X or PAN-OS 6.X releases, where the disk quota displayed on the Panorama web interface for a log-collector group was not reflective of the actual disk quota output.
62291An issue was occurring where any type of commit triggered the syslog-ng configuration to be reloaded and the connection to be reset. This issue was fixed so that only commits related to the syslog server configurations and syslog-related log forwarding configurations will trigger a syslog-ng configuration reload and the connection to be reset.
62219Unexpected XML data was present when loading an existing configuration version from the device. This resulted in a commit failure that cited the unexpected text. An update has been made to avoid this condition and to ensure a successful commit when loading an existing configuration version.
62179In certain situations, a tunnel interface appeared to be up and was present in the forwarding table, although the underlying IPsec tunnel was down. This issue occurred when the IPsec tunnel had a VPN Monitor profile configured with Fail Over enabled, and the device was restarted while the remote IPsec endpoint was down. With this fix, the status of the tunnel interface matches the state of its corresponding IPsec tunnel when a VPN Monitor profile with Fail Over enabled is configured, and regardless of the initial state of the tunnel.
62113Resolved an issue for a PA-7050 device, where TAP Mode traffic did not load balance properly on a Network Processing Card (NPC), and caused a much higher load on one data plane in comparison to another data plane.
61987Resolved an issue where virtual firewalls running PAN-OS 6.0.X release versions did not correctly sinkhole suspicious DNS queries.
61953When the IPv6 address ::/0 was configured under the Permitted IP Addresses section in an Interface Management Profile, IPv6 communication to the interface was not allowed. Since IPv6 address ::/0 is equivalent to any, IPv6 communication should be allowed from any IPv6 host. This has been addressed so that you can add the IPv6 address ::/0 under Permitted IP Addresses for an Interface Management Profile to successfully allow IPv6 communication from any IPv6 host.
61879IPsec VPN traffic could not be initiated following a restart of the SYSD process. This issue has been resolved so that IPsec VPN traffic can be initiated even if SYSD process is restarted.
61864Following an upgrade from a PAN-OS 5.0.X release version to a PAN-OS 6.0.X release version, a PA-5000 Series device was dropping Skinny Client Control Protocol (SCCP) traffic. This was due to the SCCP sessions timing out within 5 seconds, which was caused by communication issues between data planes. A fix was made so that the parent session now times out according to the application or protocol’s timeout settings.
61855Resolved an issue where multiple configuration pushes from Panorama to a managed device could cause that managed device's management server to restart. When this occurred, a system log would be indicating that the management server was restarted due to high memory utilization. This issue is resolved so that commits from Panorama to managed devices succeed for multiple configuration pushes and the management server remains stable.
61827Addressed an issue where a virtual wire with Link State Pass Through enabled had one interface that remained connected despite the other interface being physically disconnected.
61785Resolved an issue where an administrator for a single virtual system could delete logs for other virtual systems using the CLI.
61781Resolved an issue that occurred when using the Panorama web interface to set up SNMPv3 with a view. Adding a View with a space in the view's name caused SNMP polling to fail. This has been resolved so that an error is displayed if a space is used when naming a View and a new name can be entered without a space (Panorama > Setup > Operations > Miscellaneous > SNMP Setup > Views).
61757The command show arp management timed out after 30 seconds without returning output if both primary and secondary DNS servers configured on the firewall were unreachable. The timeout has been increased up to 120 seconds to return ARP entries with or without DNS resolved names. The time taken to return the output could vary based on the number of DNS servers configured and the availability of the DNS servers to resolve host names.
61724When a custom report was exported to CSV format, the device name in the report was showing the device's serial number instead of the device name. This has been fixed so that exporting a custom report to CSV format correctly shows the device name in the device column.
61643Resolved an issue where email alerts were displaying all values on a single line. This occurred when the email alerts were based on custom log formats that were configured with a \n or a new line as a separator between fields.
61350Following an import of a license key file from the CLI, several checks were performed to verify the certificates validity and an error was seen where the file size of the key file could be misinterpreted and the file incorrectly rejected. This issue has been resolved so that importing a valid license key file is successful.
61329Using the web interface to add a an IP address to a security policy, where a subnet was added without a proper subnet mask (for example,, was not blocked as an error. The expected behavior would be to block adding an IP address ending with a / as that character could translate to a value of any on the data plane. An update was made to check for the / character.
61326Addressed an issue that occurred in an HA configuration, where link monitoring for a 10G port displayed the wrong status for the port when the port was down.
61284Traffic using Policy-Based Forwarding (PBF) with symmetric return enforced experienced packet loss due to failed return MAC address lookups. This issue was caused by another change made in PAN-OS 5.0.11 which changed the PBF return MAC learning from the forwarding state to the session start; the PAN-OS 5.0.11 change that caused this issue has been reversed, which fixes the issue.
61276While replacing a device following an RMA, a condition was encountered where after issuing the CLI command replace device, exporting the device state did not show the appropriate configuration fields to set up the replacement device. Resolved an issue that occurred while replacing a device following an RMA. After issuing the CLI Command replace device, exporting the device state did not show the appropriate configuration fields to set up the replacement device.
61254H.323 video calls were getting dropped intermittently when video call traffic was creating a multi-level Application-level Gateway (ALG) session dependency pattern. The issue was observed when the grandparent session had a low timeout value and then timed out, causing its dependent parent and grandchild sessions to be terminated and the video call was dropped. This has been addressed so that the parent and grandparent sessions' TTLs refresh and do not time out while the corresponding grandchild session continues to see traffic.
61101Resolved an issue where the Address Resolution Protocol (ARP) table was not updated following Spanning Tree Protocol (STP) re-convergence in the network.
61058Resolved an issue that occurred when a NAT Policy rule was configured to use a Dynamic IP pool for IP NAT translations and a fall back pool was also configured to perform Fall Back Dynamic IP Translation if the Dynamic IP pool ran out of addresses. In certain cases, the fall back pool was being used for translations when the IP pool was not exhausted.
60781A Dynamic Block List address object ( was being added to security rules where that Dynamic Block List was referenced, even though that object did not exist in the Dynamic Block List source file. This was due to issues with EBL Refresh, and has been addressed so that when a Dynamic Block List is referenced in a security policy, the Dynamic Block List objects displayed in the policy are accurate.
60634Inter-vsys multicast traffic caused the data plane to restart. The restart was due to a fragmented packet that was encapsulated into a Protocol Independent Multicast (PIM) packet and routed to another virtual system. The fix prevents this kind of fragmentation of the packets.
59852Fixed a high data plane CPU usage issue seen on PA-5000 Series devices that was caused by FPGA lock-up.
59331Syncing a High Availability configuration failed. This occurred when the MTU size on the management interface was set to a value smaller than the default MTU size, and data plane interfaces were using the MTU size value set on the management interface. This resulted in data plane interfaces (in this case, including the HA interfaces) to drop packets that were larger than the MTU size set on the management interface.


owner: panagent

  • Print
  • Copy Link

Choose Language