8 Release Notes
Revision Date: July 1, 2016
Review important information about Palo Alto Networks PAN-OS 7.0 software, including new features introduced in this release, workarounds for open issues, and resolved issues. For the latest version of these release notes, refer to the Palo Alto Networks technical documentation portal.
Palo Alto Networks, Inc. PAN-OS 7.0 Release Notes
Table of Contents
PAN-OS 7.0 Release Information
    Features Introduced in PAN-OS 7.0
        Management Features
        Panorama Features
        WildFire Features
        Content Inspection Features
        Authentication Features
        Decryption Features
        User-ID Features
        Virtualization Features
        Networking Features
        Policy Features
        VPN Features
        GlobalProtect Features
        Licensing Features
    Changes to Default Behavior
    CLI Changes in PAN-OS 7.0
    Associated Software Versions
    Known Issues
PAN-OS 7.0.8 Addressed Issues
PAN-OS 7.0.7 Addressed Issues
PAN-OS 7.0.6 Addressed Issues
PAN-OS 7.0.5-h2 Addressed Issues
PAN-OS 7.0.5 Addressed Issues
PAN-OS 7.0.4 Addressed Issues
PAN-OS 7.0.3 Addressed Issues
PAN-OS 7.0.2 Addressed Issues
PAN-OS 7.0.1 Addressed Issues
Getting Help
    Related Documentation
    Requesting Support
PAN-OS 7.0 Release Information
• Features Introduced in PAN-OS 7.0
• Changes to Default Behavior
• CLI Changes in PAN-OS 7.0
• Associated Software Versions
• Known Issues
• PAN-OS 7.0.8 Addressed Issues
• PAN-OS 7.0.7 Addressed Issues
  For WF-500 appliances, the PAN-OS 7.0.7 maintenance release addresses an issue that was introduced in PAN-OS 7.0.6 that causes frequent false positive verdicts for Microsoft Office documents. You are advised to upgrade WF-500 appliances to 7.0.7 or later releases and are advised not to install the 7.0.6 image.
• PAN-OS 7.0.6 Addressed Issues
• PAN-OS 7.0.5-h2 Addressed Issues
• PAN-OS 7.0.5 Addressed Issues
• PAN-OS 7.0.4 Addressed Issues
• PAN-OS 7.0.3 Addressed Issues
• PAN-OS 7.0.2 Addressed Issues
• PAN-OS 7.0.1 Addressed Issues
• Getting Help
Features Introduced in PAN-OS 7.0
The following topics describe the new features introduced in the PAN-OS 7.0 release. This release requires Content Release version 497 or later. For details on how to use the new features, refer to the PAN-OS 7.0 New Features Guide.
• Management Features
• Panorama Features
• WildFire Features
• Content Inspection Features
• Authentication Features
• Decryption Features
• User-ID Features
• Virtualization Features
• Networking Features
• Policy Features
• VPN Features
• GlobalProtect Features
• Licensing Features
Management Features

New Management Feature: Description

All New Application Command Center (ACC): The ACC is redesigned to provide improved visibility into network traffic and actionable information on threats. The new layout includes a tabbed view of network activity, threat activity, and blocked activity and each tab includes pertinent widgets for better visualization of traffic patterns on your network. For a personalized view of your network, you can also add a custom tab and include widgets that allow you to drill down into the information that is most important to you.

Automated Correlation Engine: The new automated correlation engine is an analytics tool that detects security events on your network. It collects isolated events across multiple log types on the firewall, queries the data for specific patterns, and correlates network events to identify actionable information such as host-based activities that indicate a compromised host.
The automated correlation engine includes correlation objects that are defined by the Palo Alto Networks Malware Research team. These objects identify suspicious traffic patterns or a sequence of events that indicate a malicious outcome; some correlation objects can identify dynamic patterns that have been observed from malware samples in WildFire. Correlation objects trigger correlation events when they match on traffic patterns and network artifacts that indicate a compromised host on your network. Thus, correlated events provide actionable intelligence that you can use to remediate incidents, mitigate risks, and secure your network. You can view the correlated event logs in the Monitor tab or see a graphical display in the Compromised Hosts widget on the Threat Activity tab of the ACC. The automated correlation engine is supported on PA-3000 Series, PA-5000 Series, PA-7000 Series platforms, and on Panorama.
New correlation objects will be delivered with the weekly content updates. To obtain new correlation objects, the firewall must have a Threat Prevention license; Panorama requires a support license for getting the correlation objects with the weekly content updates.

Global Find: To make the management of your Palo Alto Networks devices more efficient, a new global find feature is introduced to enable you to search the entire configuration of a PAN-OS or Panorama web interface for a particular string, such as an IP address, object name, policy name, threat ID, or application name. The search results are grouped by category and provide links to the configuration location in the web interface, so that you can quickly and easily find all of the places where the string is referenced. For example, if you temporarily denied an application that is defined in multiple security policy rules and you now want to allow that application, you can search on the application name and quickly locate all referenced policies to change the action back to allow.

Tag Browser: The tag browser introduces a way to view all the tags used within a rulebase. In rulebases with a large number of rules, the tag browser simplifies the display by presenting the tags, the color code, and the rule numbers in which the tags are used; it also allows you to group rules using the first tag applied to the rule. You can, for example, filter rules by the first tag applied, and view the rules grouped by a high-level function such as internet access or data center access. In this grouped rule view, if you identify gaps in coverage, the tag browser allows you to move rules or add new rules within the rulebase.

Configuration Validation Improvements: The option to validate a PAN-OS or Panorama candidate configuration before you commit (to determine whether your recent changes will commit successfully) is enhanced to do syntactic and semantic validation of the configuration. It then displays the same errors and warnings as would display for a full commit or virtual system commit, such as rule shadowing or application dependency warnings, or errors indicating an invalid route destination or a missing account/password to query a server.

Move and Clone Policies, Objects, and Templates: You can now move or clone policies and objects to a different device group or virtual system. This saves you the effort of deleting, recreating, or renaming these items when only a move or copy is needed. You can also clone templates and Template Stacks.

Extended SNMP Support: Extended SNMP support includes:
• Global counters for Denial of Service (DoS), IP fragmentation, TCP state, and dropped packets, by which to monitor the health and security of your devices and network. Previously, you had to use the CLI or XML API to monitor global counters.
• SNMP Interface MIB for Logical Interfaces: The PAN-OS implementation of the interfaces and IfMIB has been extended to support all logical interfaces on the firewall, including tunnels, aggregate groups, L2 subinterfaces, L3 subinterfaces, loopback interfaces, and VLAN interfaces. This is in addition to the SNMP Interface MIB support on physical interfaces. In addition, the VPN tunnel status can now be monitored.
• LLDP-V2-MIB: Information transmitted and received from neighbors using Link Layer Discovery Protocol (LLDP) is stored for SNMP access. All MIB objects under the standard LLDP MIB definitions are supported. Neighbor entries are aged out when their TTL value contained in the received LLDP message reaches zero.

SaaS Application Usage Report: A new predefined report is introduced to provide visibility into Software-as-a-Service (SaaS) application usage, enabling you to assess and subsequently mitigate the risks to your enterprise's data when taking advantage of SaaS applications. The report will also help to assess risks to the security of your enterprise network, such as the delivery of malware through SaaS applications adopted by your users.

Policy Impact Review for New Content Releases: Before installing a new content release, you can now review the policy impact for new App-IDs and stage any necessary policy updates. This enables you to assess the treatment an application receives both before and after the new content is installed and then prepare policy updates to take effect at the same time that the content update is installed. This feature specifically includes the capability to modify existing security policies using the new App-IDs contained in a downloaded content release (prior to installing the new content). You can then simultaneously update your security policy rules and install new content, allowing for a seamless shift in policy enforcement. You can also choose to disable new App-IDs when installing a new content release version; this enables protection against the latest threats, while giving you the flexibility to enable the new App-IDs after you've had the chance to prepare any policy changes.

Security Profile and Address Objects Per Address Group Capacity Increase: The security profile capacities and number of address objects per address group have been increased as follows:
• Security Profile Capacity increased on all platforms by approximately 50% for the following security profiles: Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking, WildFire Analysis, Data Filtering, and Decryption. For example, the PA-7050 firewall supported 500 security profiles in PAN-OS 6.1, and now supports 750 profiles in PAN-OS 7.0.
• Address objects per address group: Increased from 500 to 2500 for all platforms.
For details on platform capacities, refer to https://www.paloaltonetworks.com/products/productselection.html.

Virtual System/Device Name in Reports and Logs: You can now view or search logs or create a report based on a virtual system name or a device name, which are more user-friendly attributes to use than the virtual system ID or device serial number. Now you need not manually map a virtual system name to its ID, or map a device name to its serial number, in order to view or search logs or create reports. Virtual System Name and Device Name are added as available attributes to PAN-OS and Panorama reports and logs.

Time-Based Log and Report Deletion: You can now configure automatic deletion of logs and reports based on time instead of just on space quotas. This is useful in deployments where periodically deleting monitored data is desired or necessary. For example, deleting user data after a certain period might be mandatory in your organization for legal reasons.

Software Upload Improvements: Devices now display details about uploaded software updates that enable you to check, before installing an update, that it is the intended one. Installing uploaded software now involves fewer steps, which makes deployment easier when a device does not have external network access.

Panorama Features

New Panorama Feature: Description

Device Group Hierarchy: You can now create nested device groups in a tree hierarchy, with lower-level groups inheriting the settings of higher-level groups. This enables you to organize devices based on function and location without redundant configuration. For example, you could configure Shared settings that are global to all firewalls, configure device groups with function-specific settings at the first level, and configure device groups with location-specific settings at subsequent levels. Without a hierarchy, you would have to configure both function- and location-specific settings for every device group in a single level under Shared. Combined with the Role-Based Access Control Enhancements in this release, a hierarchy also enables you to control administrator access to data according to areas/levels of responsibility.

Template Stacks: You can now define a template stack, which is a combination of templates. By assigning firewalls to a stack, you can push all the necessary settings to them without the redundancy of adding every setting to every template. For example, you could assign the firewalls in a California datacenter to a stack that has one template with global settings, one template with California-specific settings, and one template with datacenter-specific settings. To manage firewalls in a California branch office, you could then reuse the global and California-specific templates by adding them to another stack that includes a template with branch-specific settings.

Role-Based Access Control Enhancements: You can now associate each access domain with an administrator role to enforce the separation of information among the functional or regional areas of your organization. You can assign multiple access domain/role pairs to an administrator (local or external), who can then filter the Panorama web interface to display only information that is relevant to a particular domain. For custom roles, you can also define feature-specific access to firewalls (through context switching) separately from Panorama access, and provide additional access to logs and reports, so that administrators can have a broader range of responsibilities.

Firewall Configuration Import into Panorama: You can now import firewall configurations into Panorama instead of recreating them. Panorama provides the option to import objects from Shared on the firewall into Shared in Panorama, and import other objects, policies, and settings into new device groups and templates. After the import, you can Move and Clone Policies, Objects, and Templates to different device groups.

Panorama Support for Larger Configuration Files: Panorama now supports much larger configuration files, which enable you to add more information and greater complexity to individual device groups, templates, and other configurations without affecting system performance or stability. Panorama also supports a higher number of concurrent, active administrators.

Log Redundancy Within a Collector Group: You can now enable log duplication for a Collector Group so that each log will have two copies and each copy will reside on a different Log Collector. This redundancy ensures that, if any one Log Collector becomes unavailable, no logs are lost: you can still display all the logs forwarded to the Collector Group and run reports for all the log data.

Firewall HA State in Panorama: The Panorama web interface now displays the high availability state of firewalls (for example, active or passive) in places where knowing that state is useful. For example, the Context drop-down now displays HA state so that you can switch context to the active-primary firewall when you need to change the firewall configuration.

Scheduled Updates for Antivirus, WildFire, and URL Filtering on Log Collectors: In PAN-OS 7.0.3 and later releases, you can schedule Antivirus, WildFire, and URL Filtering (BrightCloud only) updates for Log Collectors using the Panorama web interface (Panorama > Device Deployment > Dynamic Updates > Schedules) or the CLI. For reporting consistency, configure scheduled content updates for all log collectors to ensure they stay in sync.

WildFire Features

New WildFire Features: Description

Grayware Verdict: The WildFire grayware verdict is introduced to clearly identify executables that behave similarly to malware, but are not malicious in nature or intent. A grayware verdict might be assigned to executables that do not pose a direct security threat, but display otherwise obtrusive behavior (for example, installing unwanted software, changing various system settings, or reducing system performance). Examples of grayware software can typically include adware, spyware, and Browser Helper Objects (BHOs). The grayware verdict allows the security responder to quickly distinguish malicious files on the network from grayware, and to prioritize accordingly. While antivirus signatures are not generated for grayware, WildFire logs can continue to alert the security responder to endpoints downloading grayware, in order to assess if such events are concerning.

WildFire Hybrid Cloud: Enable a WildFire hybrid cloud deployment so that a single firewall can forward unknown samples (files or email links) to either a WF-500 appliance or the WildFire public cloud, depending on the sample. This feature allows the flexibility to analyze private documents inside the network, while files sourced from the internet can be analyzed by the WildFire public cloud. For example, Payment Card Industry (PCI) and Protected Health Information (PHI) data can be exclusively forwarded to the WF-500 appliance for private cloud analysis and less sensitive files, such as Portable Executables (PEs), can be forwarded to the WildFire public cloud. When possible, offloading files to the WildFire public cloud allows you to benefit from a prompt verdict for files that have been previously processed by the public cloud, and also frees up WF-500 appliance capacity to process sensitive content. Additionally, in a WildFire hybrid cloud deployment, you can use the WildFire public cloud to analyze file types that are not currently supported for WF-500 appliance analysis, such as Android Application Package (APK) files.
This feature also introduces the WildFire Analysis profile, to be used in place of the file blocking profile to forward samples for WildFire analysis. Existing File Blocking profile rules with the action set to forward or continue-and-forward are migrated to the new WildFire Analysis profile. For each WildFire analysis profile rule, define traffic to forward to either the WildFire private cloud or the WildFire public cloud based on file type, application, or file transfer direction (upload or download).

WildFire Appliance Support for Java Antivirus Signatures: The WildFire appliance can now locally generate antivirus signatures for malicious Java files (.jar and .class), so that malicious Java files detected by the WildFire appliance no longer have to be forwarded to the WildFire Cloud for signature generation.

WildFire Appliance Support for Email Link Analysis: The firewall can now extract HTTP/HTTPS links contained in SMTP and POP3 email messages and forward the links to the WildFire appliance for analysis (this feature was supported only for the WildFire public cloud in PAN-OS 6.1). Enable this functionality by configuring the firewall to forward the email-link file type (Objects > Security Profiles > WildFire Analysis). Note that the firewall only extracts links and associated session information (sender, recipient, and subject) from the email messages that traverse the firewall; it does not receive, store, forward, or view the email message.
After receiving an email link from a firewall, the WildFire appliance visits the links to determine if the corresponding web page hosts any exploits. If it detects malicious behavior on the page, it returns a malicious verdict and:
• Generates a detailed analysis report and logs it to the WildFire Submissions log on the firewall that forwarded the links.
• Categorizes the URL as malware and generates and distributes a signature to connected firewalls, to allow them to identify and block the malware.
If the link corresponds to a file download, the WildFire appliance does not analyze the file. However, the firewall will forward the corresponding file to the WildFire appliance for analysis if the end user clicks the link to download it as long as the corresponding file type is enabled for forwarding.
The WildFire appliance does not send a log to the firewall if it determines a link to be benign or grayware, even if you have enabled logging of benign or grayware files because of the large number of logs this would generate.

Content Inspection Features

New Content Inspection Features: Description

Configurable Drop Actions in Security Profiles: The Vulnerability Protection, Anti-Spyware, and Antivirus profiles include new actions to drop or reset connections. In addition to the allow/alert/block actions within the security profile, you can now granularly define how to drop or reset connections when the firewall detects a threat. For example, to secure the Microsoft web servers on your network, you can create a rule in the Vulnerability Protection profile with an action to either drop the traffic and send a reset only to the server, or drop the traffic and block the offending client IP address from creating new connections for a specified time interval.

Increased Inspection Depth for Multi-Level Compression and Encoding: The firewall now identifies and inspects files that have been encoded or compressed up to four times, where previously the firewall supported only two levels of decoding. Multiple levels of compression and encoding are frequently introduced to files based on the file format and the application used for file transfer. For example, a Microsoft Office Open XML file (.docx) that is compressed (.zip) and is sent as an email attachment has three levels of encoding: the OOXML format is one level of encoding, the compression of the file to the ZIP format is the second level of encoding, and the third level of encoding is added when the email attachment is embedded using Base64. In this case, the firewall now decodes the file, correctly identifies it as a Microsoft Word document, and performs policy enforcement including file blocking, threat inspection, and WildFire analysis.

Blocking of Encoded Content: A new file type classification, Multi-Level-Encoding, can now be used to log or block content that has been compressed or otherwise encoded to a high degree. As the firewall can now decode and inspect up to four levels of encoding (see Increased Inspection Depth for Multi-Level Compression and Encoding), the new classification can be used to block files that have been encoded five times or more. Multiple levels of encoding can be used as an evasion technique to circumvent security devices; using the Multi-Level-Encoding file type to perform file blocking ensures that unidentified files that have not been processed for threats are not passed through the firewall.

Negate Operator for Custom Threat Signatures: A new Negate operator is now available when creating custom vulnerability or spyware signatures. The Negate operator can be used to ensure that the vulnerability or spyware signature is not triggered under certain conditions. For example, create a custom signature to trigger when a Uniform Resource Identifier (URI) pattern is matched to traffic, but only when the HTTP referer field is not equal to a certain value. A custom signature must include at least one positive condition in order for a negated condition to be specified.

PAN-DB Private Cloud: If the security and compliance requirements in your enterprise prohibit the Palo Alto Networks next-generation firewalls from directly accessing the internet for performing URL lookups, you can deploy a PAN-DB private cloud. To protect users from malware and undesirable web content, the firewalls can query the PAN-DB private cloud deployed within your network instead of accessing the PAN-DB public cloud. The PAN-DB private cloud solution ensures information privacy and does not send any data or analytics to the public cloud.
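
The layer counting described in the Increased Inspection Depth and Blocking of Encoded Content entries above, as an added Python example that is not Palo Alto Networks code: it peels Base64, ZIP, and OOXML layers from constructed samples and returns the Multi-Level-Encoding classification when a fifth layer is present. The function names, the "inspect" verdict string, and the sample files are assumptions made for illustration.

```python
import base64
import binascii
import io
import zipfile

MAX_DECODE_LEVELS = 4  # the release notes state four levels are decoded in PAN-OS 7.0


def make_zip(members):
    """Build a ZIP archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def make_docx():
    """Constructed, minimal stand-in for an OOXML (.docx) container."""
    return make_zip({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document>constructed sample</w:document>",
    })


def three_level_sample():
    """The example from the text: .docx, zipped, then Base64 for email."""
    return base64.b64encode(make_zip({"report.docx": make_docx()}))


def five_level_sample():
    """Constructed sample with five layers: b64(b64(zip(zip(docx))))."""
    inner = make_zip({"report.docx": make_docx()})
    outer = make_zip({"inner.zip": inner})
    return base64.b64encode(base64.b64encode(outer))


def peel_layer(data):
    """Remove one encoding layer; return (kind, inner_bytes) or None."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n for n in zf.namelist() if not n.endswith("/")]
            if not names:
                return None
            if "[Content_Types].xml" in names:
                # OOXML is itself a ZIP container: one level of encoding.
                part = "word/document.xml"
                return "ooxml", zf.read(part if part in names else names[0])
            # Simplification: follow only the first member of the archive.
            return "zip", zf.read(names[0])
    compact = b"".join(data.split())  # email Base64 is line-wrapped
    if len(compact) >= 16 and len(compact) % 4 == 0:
        try:
            return "base64", base64.b64decode(compact, validate=True)
        except binascii.Error:
            return None
    return None


def inspect(data, max_levels=MAX_DECODE_LEVELS):
    """Decode up to max_levels layers; classify deeper nesting for blocking."""
    layers = []
    while True:
        step = peel_layer(data)
        if step is None:
            # Fully decoded: content can go on to threat inspection.
            return {"layers": layers, "verdict": "inspect"}
        if len(layers) == max_levels:
            # A further layer exists that will not be decoded.
            return {"layers": layers, "verdict": "Multi-Level-Encoding"}
        kind, data = step
        layers.append(kind)


if __name__ == "__main__":
    print(inspect(three_level_sample()))
    print(inspect(five_level_sample()))
```
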

Authentication Features

New Authentication Features: Description

Authentication and Authorization Enhancements: The workflow to configure authentication servers and profiles is now more intuitive and consistent. You can also enable GlobalProtect clients to send RADIUS vendor-specific attributes to RADIUS servers so that RADIUS administrators can make policy decisions based on those attributes. For example, RADIUS administrators might use the client operating system attribute to define a policy that mandates regular password authentication for Microsoft Windows users and one-time password (OTP) authentication for Google Android users.

SSL/TLS Service Profiles: You can now assign SSL/TLS service profiles to device services that use SSL/TLS, including Captive Portal, management traffic access using the web interface or XML API, the URL Admin Override feature, the User-ID Syslog listening service, and to GlobalProtect portals and gateways. SSL/TLS service profiles specify a certificate and the allowed protocol version or range of versions (now including TLSv1.2). By defining the protocol versions, the profiles enable you to restrict the cipher suites that are available to secure communication with the clients requesting the services. This improves network security by enabling devices to avoid SSL/TLS versions that have known weaknesses.

TACACS+ Authentication: Devices now support Terminal Access Controller Access-Control System Plus (TACACS+) protocol for authenticating administrative users. TACACS+ provides greater security than RADIUS insofar as it encrypts usernames and passwords (instead of just passwords), and is also more reliable (it uses TCP instead of UDP).

Kerberos Single Sign-on: Devices now support Kerberos V5 single sign-on for administrator authentication and Captive Portal authentication. Single sign-on minimizes the number of logins requiring user input while ensuring security for web services.

Suite B Cryptography Support: You can now use Suite B ciphers to authenticate administrators and to secure site-to-site VPN, and GlobalProtect remote access and large-scale VPN (LSVPN). To secure the VPN tunnels between GlobalProtect LSVPN gateways and endpoint devices, the latter must run GlobalProtect client software 2.2 or later releases. The new GlobalProtect IPSec Crypto profile supports Suite B encryption algorithms (and other algorithms) for LSVPN. You can use elliptic curve (ECDSA) certificates for administrator and GlobalProtect authentication. Suite B support enables you to meet U.S. federal network security standards.

Authentication Server Connectivity Testing: You can now test an authentication profile to determine if your firewall or Panorama management server can communicate with a backend authentication server and if the authentication request was successful. You can perform authentication tests on the candidate configuration, so that you know the configuration is correct before committing. Authentication server connectivity testing is supported for local database, RADIUS, TACACS+, LDAP, and Kerberos authentication.

Decryption Features

New Decryption Features: Description

SSL Decryption Enhancements: When using SSL decryption to inspect and enforce security rules for connections between clients and destination servers, enable the following new options as increased security measures:
• Enforce the use of strong cipher suites. This includes support to specifically enforce the use of AES-128-GCM and AES-256-GCM ciphers.
• Enforce the use of minimum and maximum protocol versions.
• Enforce certificate validation on a per-policy basis (where previously, certificate validation was performed at the device level).
• Define traffic that you want to be decrypted based on TCP port numbers. This enables you to apply different decryption policies to a single server's traffic; traffic being transmitted using different protocols can receive different treatment.
• Enforce valid certificates and trusted issuers for traffic that is not decrypted, with the options to terminate an SSL session if the server certificate is expired or if the server certificate issuer is untrusted.

User-ID Features

New User-ID Feature: Description

User Attribution Based on X-Forwarded-For Headers: You can now configure User-ID to read user IP addresses from the X-Forwarded-For (XFF) header in client requests for web services when the firewall is deployed between the internet and a proxy server that would otherwise hide the user IP addresses. User-ID matches the IP addresses with usernames that your policies reference so that those policies can control and log access for the associated users and groups.

Custom Groups Based on LDAP Filters: You can now define custom groups based on LDAP filters so that you can base firewall policies on user attributes that do not match existing user groups in an LDAP-based service such as Active Directory (AD). Defining custom groups can be quicker than creating new groups or changing existing ones on the LDAP server, and does not require an LDAP administrator to intervene.

Virtualization Features

New Virtualization Feature: Description

Support for High Availability on the VM-Series Firewall: The VM-Series firewall on ESXi, Xen (on SDX), and KVM now supports both Active/Passive HA and Active/Active HA with session synchronization. The VM-Series in Amazon Web Services (AWS) supports Active/Passive HA only.
In an HA configuration, you must deploy both peers on the same type of hypervisor, have identical hardware resources assigned to them, and have the same set of licenses/subscriptions.

Support for Jumbo Frames: The VM-Series firewall can now support jumbo frames, which are Ethernet packets larger than 1500 bytes. Like with the hardware-based firewalls, when you enable jumbo frames on the VM-Series firewall, the default Maximum Transmission Unit (MTU) size for all Layer 3 interfaces is set to 9192 bytes; the MTU can range between 512 and 9216 bytes. You can override the global MTU, and configure an explicit value between 512 and 9216 bytes on a per-interface basis.

Support for Hypervisor Assigned MAC Address: The VM-Series firewall supports the ability to detect the MAC address assigned to the physical interface by the host/hypervisor and use that MAC address on the interfaces assigned to the VM-Series firewall. In Layer 3 deployments, this capability allows a vSwitch to forward traffic to the correct interface on the firewall without requiring that promiscuous mode be enabled on the vSwitch. Hypervisor-assigned MAC addresses are also supported on PCI-passthrough and SR-IOV capable network adapters.

For licensing features on the VM-Series firewall, see Licensing Features.

Networking Features

New Networking Feature: Description

ECMP: The firewall now supports Equal Cost Multipath (ECMP). Enable ECMP for the forwarding table to have up to four equal-cost paths to a single destination, which allows you to load balance traffic, use more of the available bandwidth, and have traffic dynamically shift to another ECMP member if one path fails. You can choose one of several load-balancing algorithms to determine which equal-cost path a virtual router uses for a new session to the destination.

DHCP Options: A firewall configured as a DHCP server can now send a full range of DHCP options to clients, including vendor-specific and customized options that support a wide variety of office equipment, such as IP phones and wireless infrastructure devices. Each option code supports multiple values, which can be IP addresses, ASCII text, or hexadecimal values. With the enhanced DHCP option support enabled on the firewall, branch office administrators do not need to purchase and manage their own DHCP servers in order to provide vendor-specific and customized options to DHCP clients.

Granular Actions for Blocking Traffic in Security Policy: When you configure the firewall to block traffic, the firewall either resets the connection or silently drops packets. When the firewall silently drops packets, it causes some applications to break and appear unresponsive to the user. New actions to gracefully block traffic provide a better user experience. The new actions available are:
• Drop traffic silently, and optionally send an ICMP Unreachable response to the user.
• Block traffic, and automatically use the deny action predefined for the application. You can view the predefined deny action for an application in Applipedia.
• Reset the connection with a TCP reset on the client-side connection, on the server-side connection, or reset both sides of the connection.
These new actions will be logged in the Traffic logs and are available for log queries.

Session-Based DSCP Classification
Differentiated Services Code Point (DSCP) is used to indicate the level of service requested for traffic, such as high priority or best effort delivery. Set up session-based DSCP classification to enable the firewall to honor the service class requested for traffic and to mark a session to receive priority treatment. Session-based DSCP extends the power of Quality of Service (QoS), which polices traffic as it passes through the firewall, by allowing all network devices between the firewall and the client to also police traffic based on the DSCP value for traffic. For example, inbound return traffic from an external server can now be treated with the same priority that the firewall initially enforced for the outbound flow. Network devices intermediate to the firewall and end user will also then enforce the same priority for the return traffic.

QoS on Aggregate Ethernet (AE) Interfaces
You can now enable QoS on AE interfaces configured on PA-7000 Series, PA-5000 Series, PA-3000 Series, PA-2000 Series, and PA-500 platforms. An AE interface is two or more interfaces linked together for combined bandwidth and link redundancy. When using AE interfaces to scale your network, enable QoS on an AE interface to prioritize, allocate, and guarantee the increased bandwidth supported on the AE interface.
Support for QoS on AE interfaces on PA-7050 firewalls began in PAN-OS 6.0.

Improved Performance for a Single VPN Tunnel
In deployments where a single VPN tunnel is set up between a Palo Alto Networks firewall and another IPSec VPN device, and the tunnel supports multiple sessions, the firewall can now use multiple CPU cores (simultaneously) to decrypt traffic. When the volume of VPN traffic is high, this enhancement minimizes latency and improves performance.

Per-Virtual System Service Routes
The source interface and source IP address of service routes can now be configured for individual virtual systems, in addition to the global configuration of service routes. Per-virtual system service routes provide the flexibility to customize service routes for numerous tenants or departments on a single firewall. Any virtual system that does not have a service route configured to access a particular external service inherits the source interface and source IP address that are set globally for that service. The PA-7000 Series firewalls use Log Processing Card (LPC) subinterfaces to separate the logging services for each virtual system. Prior to PAN-OS 7.0, each service route to a service was configured globally and applied to the entire firewall.

LLDP
You can now configure Link Layer Discovery Protocol (LLDP) to enable the firewall to automatically discover neighboring devices and their capabilities at the link layer. LLDP allows the firewall to send and receive Ethernet frames containing LLDP data units to and from neighbors. The receiving device stores the information in a MIB, which can be accessed by SNMP. LLDP enables network devices to learn the capabilities of the connected devices, and can be used to map network topology. This makes troubleshooting easier, especially for virtual wire deployments where the firewall would typically go undetected by a ping or traceroute.

NPTv6
You can now enable IPv6-to-IPv6 Network Prefix Translation (NPTv6) on the firewall, to perform a stateless, static translation of one IPv6 prefix to another IPv6 prefix (port numbers are not changed). One benefit of NPTv6 is the prevention of asymmetrical routing problems that result from provider-independent addresses being advertised from multiple datacenters. NPTv6 allows more specific routes to be advertised so that return traffic arrives at the same firewall that transmitted the traffic. Another benefit is the independence of private and public addresses; you can change one without affecting the other. A third benefit of NPTv6 is the ability to translate unique local addresses (ULAs) to globally routable addresses.

TCP Split Handshake Drop
Palo Alto Networks firewalls by default correctly secure TCP sessions, whether they use a well-known 3-way handshake or a variation, such as a 4-way or 5-way split handshake or a simultaneous open. The firewall now offers an additional option to simply drop a TCP session that tries to use such a variation because it is possibly malicious.

Policy Features

New Policy Feature | Description

DoS Protection Against Flooding of New Sessions
In PAN-OS 7.0.2 and later releases, you can configure DoS protection to better block IP addresses to handle high-volume single-session and multiple-session attacks more efficiently. For configuration details, see DoS Protection Against Flooding of New Sessions.

VPN Features

New VPN Feature | Description

IKEv2 Support for VPN Tunnels
Site-to-site IPSec VPN is enhanced to support Internet Key Exchange Version 2 (IKEv2), in addition to IKEv1 (GlobalProtect clients are not included in this feature support). IKEv2:
- Exchanges fewer messages than IKEv1 when setting up the tunnel endpoints.
- Can negotiate multiple sets of traffic selectors to control which traffic can access the tunnel.
- Provides a liveness check to determine if a peer gateway and tunnel are still up.
- Supports NAT Traversal.
- Supports the Hash and URL certificate exchange, which reduces fragmentation.
- Supports cookie validation of a connection if a threshold number of concurrent IKE SA sessions is exceeded, reducing the potential for DoS attacks.

IPv6 IPSec VPN Support
Site-to-site IPSec VPN now supports IPv6 site-to-site connections, allowing you to establish IKE and IPSec Security Associations (SAs) between IPv6 gateways.

IPSec VPN Enhancements
You can now use the web interface to enable, disable, restart, or refresh an IKE gateway or an IPSec VPN tunnel to simplify troubleshooting. This feature applies to IPv4 and IPv6.

GlobalProtect Features

For information about new authentication features supported on GlobalProtect (Suite B cryptography and SSL/TLS service profiles), see Authentication Features.

New GlobalProtect Feature | Description

Disable Direct Access to Local Networks
You can now disable direct access to local networks so that users cannot send traffic to proxies or local resources while connected to a GlobalProtect VPN. For example, if a user establishes a GlobalProtect VPN tunnel while connected to a public hotspot or hotel Wi-Fi, and this feature is enabled, all traffic is routed through the tunnel and is subject to policy enforcement by the firewall.

Static IP Address Allocation
An enhancement to the IP address allocation logic enables the GlobalProtect gateway to maintain an index of clients and IP addresses so that the endpoint automatically receives the same IP address for all subsequent GlobalProtect VPN connections. The gateway continues to issue IP addresses in a round-robin fashion until all IP addresses are exhausted. To ensure that an endpoint receives the same address and to avoid IP address conflicts, create an IP address pool large enough to accommodate the number of endpoints.
Alternatively, you can now configure a GlobalProtect gateway to assign fixed IP addresses using an external authentication server. This is useful when downstream resources such as printers, servers, and applications use a fixed source IP address/IP address pool to allow access for a specific user, user group, or OS. When enabled, the GlobalProtect gateway allocates the IP address to connecting devices using the Framed-IP attribute from the authentication server.

Apply a Gateway Configuration to Users, Groups, and/or Operating Systems
You can now specify one or more users or user groups and/or client operating systems to which to apply a remote user tunnel configuration. For example, by configuring different IP address pools and access routes for Windows-based clients or for users in user groups such as Engineering, you can ensure that each client receives the correct network settings.

Welcome Page Management
The GlobalProtect client configuration now includes a setting to force the Welcome Page to display each time a user initiates a connection. This prevents the user from dismissing important information such as terms and conditions that may be required by your organization to maintain compliance. Alternatively you can provide the user the ability to dismiss seeing the Welcome page at subsequent logins.

Remote Desktop Connection to a Remote Client
The GlobalProtect VPN tunnel functionality has been enhanced to allow users, such as IT Help Desk, to RDP to a client device when connected over GlobalProtect VPN enabling troubleshooting and support for remote Windows users.
Now, when IT Help Desk personnel log into a client device, the GlobalProtect app can detect a new login without bringing down the RDP tunnel. After the administrator logs into the remote machine and successfully authenticates with the gateway, the GlobalProtect app reassigns the RDP tunnel to the remote administrator. This security measure prevents unauthorized access to VPN resources because policy enforcement for traffic through the RDP tunnel is now enforced and logged based on the privileges of the RDP user.

Simplified GlobalProtect License Structure
You can now use GlobalProtect to provide a secure, remote access or virtual private network (VPN) solution via single or multiple external gateways, without any GlobalProtect licenses. The portal license, which was required to enable this functionality, has been deprecated. However, advanced features including Host Information Profile (HIP) checks and support for the GlobalProtect mobile app for iOS and Android still require a gateway subscription. To take advantage of the new license structure, you need to upgrade only the device running the GlobalProtect portal to a PAN-OS 7.0 or later release.

Licensing Features

New Licensing Feature | Description

Self-Service License & Subscription Management
The firewall and Panorama now provide the capability to unassign or deactivate the active licenses on a firewall and assign the licenses to another firewall. To release the active licenses attributed to a firewall, you now have two options:
- Deactivate a feature license or subscription on a firewall: If you accidentally installed a license/subscription on a firewall and need to reassign the license to another firewall, you can deactivate an individual license and reuse the same authorization code on another firewall without help from Technical Support. This capability is supported on the CLI of both the hardware-based firewalls and the VM-Series firewalls.
- Deactivate licenses on a VM-Series firewall: When you no longer need an instance of the VM-Series firewall, you can free up all active licenses (subscription licenses, VM-Capacity licenses, and support entitlements) using the web interface, CLI, or the XML API on the firewall or Panorama. The licenses are credited back to your account and you can use the same authorization codes on a different instance of the VM-Series firewall.

Support for Usage-Based Licensing in Amazon Web Services (AWS)
The VM-Series firewall in AWS now supports the usage-based pricing model, in addition to the Bring Your Own License (BYOL) model. This capability makes it easier to consolidate the billing of AWS resources and the usage fees for the VM-Series firewall.
The usage-based model in the AWS Marketplace is available in hourly and annual pricing bundles:
- VM-Series capacity license with the Threat Prevention license for each model: VM-100, VM-200, VM-300, or VM-1000-HV. It includes a premium support entitlement.
- VM-Series capacity license with the complete suite of licenses, which includes Threat Prevention, GlobalProtect, WildFire, and PAN-DB URL Filtering capabilities for each model: VM-100, VM-200, VM-300, or VM-1000-HV. It includes a premium support entitlement.
Usage-based subscriptions/licenses are handled automatically by AWS; these licenses cannot be activated on the firewall or managed from Panorama.

Term-Based Capacity Licenses on the VM-Series Firewall
A term-based license is a license that allows you to use the VM-Series firewall for a specified period of time. A term-based VM-Series capacity license will have an expiration date and the web interface will display renewal notifications before the license expires. If the capacity license expires, although the firewall will continue to operate at the licensed capacity, you cannot obtain software updates or content updates until you renew the capacity license.

Changes to Default Behavior

The following are changes to default behavior in PAN-OS 7.0:
- FIPS mode is no longer supported in PAN-OS 7.0.1 and later releases. If your firewall is running a PAN-OS 6.1 or earlier release and is in FIPS mode, you must Enable FIPS and Common Criteria Support before you upgrade to PAN-OS 7.0.1 or a later release. The PAN-OS 7.0 Upgrade/Downgrade Considerations topic provides more details.
- File Blocking profiles with the action set to forward or continue and forward are migrated to the new WildFire Analysis profile in PAN-OS 7.0. To edit the migrated profiles or to create new profiles to forward files and email links for WildFire analysis, select Objects > Security Profiles > WildFire Analysis. Additionally, samples forwarded by the firewall for WildFire analysis are no longer added as entries to the Data Filtering logs (Monitor > Data Filtering); instead, use the CLI to verify that the firewall is forwarding samples. See the WildFire Analysis Profile for full details on this enhanced WildFire workflow.
- The default actions for handling threats are now alert or reset-both (sides of the connection). In releases prior to PAN-OS 7.0, the defaults were alert or block. On upgrade, the block action will be converted to reset-both and the drop-packets option is now renamed as drop. On downgrade, all actions configured as drop or reset will be converted to block.
- Previously, to check for licensing changes to the managed firewalls, you had to manually click the Refresh button on the Panorama > Device Deployment > Licenses tab. Now, Panorama performs a daily check-in with the licensing server and retrieves license updates/renewals and pushes them to the managed firewalls. The daily check-in takes place between 1:00 am and 2:00 am, according to the Time Zone configured for Panorama (Panorama > Setup > Management).
- There is a change in the way virtual system reporting and server profiles make queries using DNS proxy. Previously, the firewall would send virtual system report queries and virtual system server profile queries to the DNS proxy that was specified for the firewall, even if there was a DNS proxy specified for the virtual system. Now, the virtual system report and virtual system server profile send their queries to the DNS server specified for the virtual system if there is one. If there is no DNS server specified for the virtual system, the DNS server specified for the firewall is queried. (The vsys-specific DNS server used is defined in Device > Virtual Systems > General > DNS Proxy.)
- Previously, when a user logged into a GlobalProtect gateway that was on the same firewall as the portal, the portal generated a short-lived gateway user authentication cookie (expires in 60 seconds). The gateway would use that cookie to authenticate the user without requiring the user to enter a second one-time password (OTP). This feature is now deprecated. To enable the same user experience, whereby the user is only required to enter an OTP once to connect to GlobalProtect, you must set the Authentication Modifier to Cookie authentication for config refresh when configuring the portal authentication behavior.
- The maximum number of tags that the firewall and Panorama support is now increased from 2,500 to 10,000. This limit is enforced across the firewall/Panorama and is not allocated by virtual system or device group.
- The GlobalProtect portal license is now deprecated. Now, you can use all GlobalProtect portal functionality that was previously available without installing an additional license. However, advanced features including Host Information Profile (HIP) checks and support for the GlobalProtect mobile app for iOS and Android still require a gateway subscription. To take advantage of the new license structure, you need to upgrade only the device running the GlobalProtect portal to a PAN-OS 7.0 or later release (the GlobalProtect gateway can run PAN-OS 7.0 and earlier releases).
- With the enhanced capability to validate your configuration before committing it on the firewall or on Panorama, the commit validate command is no longer available. Instead, you can fully or partially validate your configuration with validate full|partial.
  The change in the XML API syntax is as follows:
  PAN-OS 6.1 and earlier releases:
    /api/?type=op&cmd=<commit><validate></validate></commit>
  PAN-OS 7.0 and later releases:
    /api/?type=op&cmd=<validate><full></full></validate>, and
    /api/?type=op&cmd=<validate><partial></partial></validate>
- The XML document format to commit shared policies to device groups on Panorama using the PAN-OS XML API has changed in PAN-OS 7.0. This change is due to an enhancement to permit a commit to devices within the device group: the device group name is now an attribute node instead of a text node.
  The change in the XML API request is as follows:
  PAN-OS 6.1 and earlier releases:
    /api/?type=commit&action=all&cmd=<commit-all><shared-policy><device-group><name>DeviceGroupName</name></device-group></shared-policy></commit-all>
  PAN-OS 7.0 and later releases:
    /api/?type=commit&action=all&cmd=<commit-all><shared-policy><device-group><entry name='DeviceGroupName'/></device-group></shared-policy></commit-all>
- RADIUS administrators can now log in to the firewall CLI as SSH users without first logging in to the web interface.
- When sending authentication requests to a RADIUS server, PAN-OS and Panorama 7.0 and later releases always use the authentication profile name as the network access server (NAS) identifier, even if the profile is assigned to an authentication sequence. In pre-7.0 releases, the firewall and Panorama use the name of whichever authentication profile or sequence is configured for the service that initiates the authentication process (such as administrator authentication).
- When you clone an object or rule, the naming convention for the clone is now <originalname><n>, where <originalname> is the name of the original object or rule and <n> is a numeric suffix (starting at 1 for the first clone) that makes the clone name unique in its current scope (virtual system, device group, or Shared location). For example, if you twice clone a rule named IngressTraffic, the firewall names the first clone IngressTraffic1 and names the second clone IngressTraffic2.
- On PA-7000 Series firewalls and Panorama, API requests for custom reports no longer support the synchronous (asynch=no) option. API requests now provide a job ID, which you can use to retrieve the report. Additionally, API requests for reports (type=report) are now processed asynchronously by default on all firewall platforms.
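
The two XML API syntax changes listed above (validate and commit-all) can be handled in automation by building the cmd document as an XML tree, so that a device group name containing quotes or angle brackets cannot alter the command. This is an added example, not Palo Alto Networks code; the function names and the (major, minor) release tuple are assumptions, and the API key parameter is omitted, as in the URLs above.

```python
"""Build the PAN-OS XML API requests whose syntax changed between 6.1 and 7.0."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode


def _xml(root):
    # Explicit close tags, matching the form shown in the release notes.
    return ET.tostring(root, encoding="unicode", short_empty_elements=False)


def validate_cmd(release, scope="full"):
    """cmd XML for configuration validation; release is e.g. (6, 1) or (7, 0)."""
    if release < (7, 0):
        # 6.1 and earlier: <commit><validate></validate></commit>
        root = ET.Element("commit")
        ET.SubElement(root, "validate")
        return _xml(root)
    if scope not in ("full", "partial"):
        raise ValueError("scope must be 'full' or 'partial'")
    # 7.0 and later: <validate><full></full></validate> or the partial form
    root = ET.Element("validate")
    ET.SubElement(root, scope)
    return _xml(root)


def commit_all_cmd(release, device_group):
    """cmd XML to commit shared policy to one Panorama device group."""
    root = ET.Element("commit-all")
    shared = ET.SubElement(root, "shared-policy")
    group = ET.SubElement(shared, "device-group")
    if release < (7, 0):
        # 6.1 and earlier: the name is a text node
        ET.SubElement(group, "name").text = device_group
    else:
        # 7.0 and later: the name is an attribute of <entry>
        ET.SubElement(group, "entry", {"name": device_group})
    return _xml(root)


def validate_request(release, scope="full"):
    """Path and query string for the validate operation."""
    return "/api/?" + urlencode({"type": "op", "cmd": validate_cmd(release, scope)})


def commit_all_request(release, device_group):
    """Path and query string for the commit-all request."""
    params = {"type": "commit", "action": "all",
              "cmd": commit_all_cmd(release, device_group)}
    return "/api/?" + urlencode(params)


if __name__ == "__main__":
    for rel in ((6, 1), (7, 0)):
        print(rel, validate_request(rel))
        print(rel, commit_all_request(rel, "DeviceGroupName"))
```

The serializer writes the 7.0 entry as `<entry name="DeviceGroupName"></entry>`, which is the same XML as the `<entry name='DeviceGroupName'/>` form shown above.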

CLI Changes in PAN-OS 7.0

The following table lists CLI commands that changed between PAN-OS 6.1 (orange text) and PAN-OS 7.0 (green text). The changes include command options that are deprecated or have new names, values, or command paths in PAN-OS 7.0.

PAN-OS 6.1 Commands | PAN-OS 7.0 Commands

Configuration Mode Commands

PAN-OS 6.1: commit validate
PAN-OS 7.0: validate [full | partial]

PAN-OS 6.1: set deviceconfig setting wildfire cloud-server
PAN-OS 7.0: set deviceconfig setting wildfire [public-cloud-server | private-cloud-server]

PAN-OS 6.1: set network ike crypto-profiles ike-crypto-profiles <name> lifetime days <value: 1-65535>
PAN-OS 7.0: set network ike crypto-profiles ike-crypto-profiles <name> lifetime days <value: 1-365>

PAN-OS 6.1: set network ike crypto-profiles ipsec-crypto-profiles <name> lifetime days <value: 1-65535>
PAN-OS 7.0: set network ike crypto-profiles ipsec-crypto-profiles <name> lifetime days <value: 1-365>

PAN-OS 6.1: set network tunnel global-protect-gateway <name> client ip-pool
PAN-OS 7.0: set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs <name> ip-pool

PAN-OS 6.1: set network tunnel global-protect-gateway <name> client split-tunneling
PAN-OS 7.0: set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs <name> split-tunneling

PAN-OS 6.1: set network dhcp interface <name> server option ippool-subnet
PAN-OS 7.0: set network dhcp interface <name> server option subnet-mask

PAN-OS 6.1: set [shared | vsys <name>] profiles virus <name> decoder <name> [action | wildfire-action] [block]
PAN-OS 7.0: set [shared | vsys <name>] profiles virus <name> decoder <name> [action | wildfire-action] [reset-both]

PAN-OS 6.1: set [shared | vsys <name>] profiles virus <name> application <name> action [block]
PAN-OS 7.0: set [shared | vsys <name>] profiles virus <name> application <name> action [reset-both]

PAN-OS 6.1: set [shared | vsys <name>] profiles [spyware | vulnerability] <name> rules action action [block]
PAN-OS 7.0: set [shared | vsys <name>] profiles [spyware | vulnerability] <name> rules action action [reset-both]

PAN-OS 6.1: set [shared | vsys <name>] profiles file-blocking <name> rules <name> action [forward | continue-and-forward]
PAN-OS 7.0: The forward and continue-and-forward options are deprecated. To forward files to WildFire, you must now configure a WildFire Analysis profile:
            set profiles wildfire-analysis <name>

PAN-OS 6.1: set reports <name> type url sortby user_agent
PAN-OS 7.0: The user_agent option is deprecated.

PAN-OS 6.1: set reports <name> type wildfire sortby filetype
PAN-OS 7.0: The filetype option is deprecated.

PAN-OS 6.1: set application-group <name> [<value1> | <value2> | ]
PAN-OS 7.0: set application-group <name> members [<value1> | <value2> | ]

PAN-OS 6.1: set scheduled <name> [non-recurring | recurring]
PAN-OS 7.0: set scheduled <name> schedule-type [non-recurring | recurring]

PAN-OS 6.1: set threats [spyware | vulnerability] <threat-id> default-action drop-packets
PAN-OS 7.0: set threats [spyware | vulnerability] <threat-id> default-action drop

PAN-OS 6.1: set [shared | vsys <name>] server-profile radius <name> checkgroup
PAN-OS 7.0: set [shared | vsys <name>] authentication-profile <name> method radius checkgroup

PAN-OS 6.1: set [shared | vsys <name>] server-profile radius <name> timeout <value: 1-30>
PAN-OS 7.0: set [shared | vsys <name>] server-profile radius <name> timeout <value: 1-120>

PAN-OS 6.1: set [shared | vsys <name>] server-profile radius <name> server <name> port <value: 0-65535>
PAN-OS 7.0: set [shared | vsys <name>] server-profile radius <name> server <name> port <value: 1-65535>

PAN-OS 6.1: set [shared | vsys <name>] server-profile kerberos <name> domain
PAN-OS 7.0: set [shared | vsys <name>] authentication-profile <name> user-domain

PAN-OS 6.1: set [shared | vsys <name>] server-profile kerberos <name> realm
PAN-OS 7.0: set [shared | vsys <name>] authentication-profile <name> method kerberos realm

PAN-OS 6.1: set [shared | vsys <name>] server-profile kerberos <name> server <name> port 0-65535
PAN-OS 7.0: set [shared | vsys <name>] server-profile kerberos <name> server <name> port 1-65535

PAN-OS 6.1: set [vsys <name>] global-protect global-protect-portal <name> portal-config server-certificate
PAN-OS 7.0: set [vsys <name>] global-protect global-protect-portal <name> portal-config ssl-tls-service-profile

Operational Mode Commands

PAN-OS 6.1: clear session id <value> <value: 1-2147483648>
PAN-OS 7.0: clear session id <value> <value: 1-4294967295>

PAN-OS 6.1: show session id <value> <value: 1-2147483648>
PAN-OS 7.0: show session id <value> <value: 1-4294967295>

PAN-OS 6.1: show user ip-user-mapping all type [NTLM | SSL/VPN]
PAN-OS 7.0: The SSL/VPN and NTLM options are deprecated. The new SSO (single sign-on) option is for both NTLM and Kerberos SSO:
            show user ip-user-mapping all type SSO

PAN-OS 6.1: show user ip-user-mapping all option [count | detail] type [NTLM | SSL/VPN]
PAN-OS 7.0: The SSL/VPN and NTLM options are deprecated. The new SSO (single sign-on) option is for both NTLM and Kerberos SSO:
            show user ip-user-mapping all option [count | detail] type SSO

PAN-OS 6.1: show user ip-user-mapping-mp all option [count | detail] no-group-only [no | yes] type [NTLM | SSL/VPN]
PAN-OS 7.0: The SSL/VPN and NTLM options are deprecated. The new SSO (single sign-on) option is for both NTLM and Kerberos SSO:
            show user ip-user-mapping-mp all option [count | detail] no-group-only [no | yes] type SSO

PAN-OS 6.1: show log [threat | url | data] action [equal | not-equal] drop-all-packets
PAN-OS 7.0: show log [threat | url | data] action [equal | not-equal] drop-all

PAN-OS 6.1: debug software restart <process>
PAN-OS 7.0: debug software restart [core | process] <process>
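
The following added example (not from the release notes and not Palo Alto Networks code) checks saved PAN-OS 6.1 CLI scripts against rows of the table above, flagging renamed or deprecated options and values that fall outside the narrowed 7.0 ranges. The rule lists, the function name lint, and the sample script with its object names are constructed for illustration.

```python
"""Flag PAN-OS 6.1 CLI syntax that changed in 7.0, using rows of the table above."""
import re

# (pattern, advice): options that were renamed or deprecated in PAN-OS 7.0.
RENAMED = [
    (r"^commit validate\b", "use: validate [full | partial]"),
    (r"\bwildfire cloud-server\b",
     "use: public-cloud-server or private-cloud-server"),
    (r"\bserver option ippool-subnet\b", "option renamed to subnet-mask"),
    (r"\bdefault-action drop-packets\b", "value renamed to drop"),
    (r"\baction (?:equal|not-equal) drop-all-packets\b",
     "value renamed to drop-all"),
    (r"\bprofiles file-blocking .* action (?:forward|continue-and-forward)\b",
     "deprecated; configure: set profiles wildfire-analysis <name>"),
    (r"\bip-user-mapping(?:-mp)? all .*type (?:NTLM|SSL/VPN)\b",
     "deprecated; use: type SSO"),
    (r"\bprofiles (?:virus|spyware|vulnerability) .*\baction block\b",
     "block replaced by reset-both"),
]

# (pattern, low, high): values whose accepted range is narrower in 7.0.
RANGES = [
    (r"\bike crypto-profiles (?:ike|ipsec)-crypto-profiles \S+ lifetime days (\d+)",
     1, 365),
    (r"\bserver-profile radius \S+ server \S+ port (\d+)", 1, 65535),
    (r"\bserver-profile kerberos \S+ server \S+ port (\d+)", 1, 65535),
]


def lint(script):
    """Return (line number, advice) for every 6.1-only construct in script."""
    findings = []
    for lineno, raw in enumerate(script.splitlines(), start=1):
        line = " ".join(raw.split())  # collapse runs of whitespace
        if not line or line.startswith("#"):
            continue
        for pattern, advice in RENAMED:
            if re.search(pattern, line):
                findings.append((lineno, advice))
        for pattern, low, high in RANGES:
            match = re.search(pattern, line)
            if match and not low <= int(match.group(1)) <= high:
                value = match.group(1)
                findings.append(
                    (lineno, f"value {value} outside 7.0 range {low}-{high}"))
    return findings


# Constructed sample: lines of the kind found in 6.1-era automation scripts.
SAMPLE = """\
# constructed example script
set network ike crypto-profiles ike-crypto-profiles branch-ike lifetime days 400
set network ike crypto-profiles ipsec-crypto-profiles branch-ipsec lifetime days 30
set shared profiles virus av-strict decoder smtp wildfire-action block
set threats spyware 12345 default-action drop-packets
set shared server-profile radius corp-radius server r1 port 0
show user ip-user-mapping all option count type NTLM
commit validate
validate partial
"""

if __name__ == "__main__":
    for lineno, advice in lint(SAMPLE):
        print(f"line {lineno}: {advice}")
```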

Associated Software Versions

The following minimum software versions are supported with PAN-OS 7.0:

Palo Alto Networks Software | Minimum Supported Version with PAN-OS 7.0
Panorama | 7.0.1
User-ID Agent | 6.0.0
Terminal Server Agent | 6.0.0
NetConnect | Not supported with PAN-OS 7.0
GlobalProtect Agent | 2.2.0
GlobalProtect Mobile Security Manager | 6.1.0
Content Release Version | 497

Known Issues

The following list describes known issues in the PAN-OS 7.0 release:

For recent updates to known issues for a given PAN-OS release, refer to
https://live.paloaltonetworks.com/t5/Articles/CriticalIssuesAddressedinPANOSReleases/tap/52882.

Issue ID | Description

98112
For a firewall in an HA active/active configuration, session timeouts for some traffic unexpectedly refresh after a commit or HA sync attempt.

97806
For firewalls running PAN-OS 7.0.7 in an HA active/active configuration, the peer that is not the session owner intermittently incorrectly ages out sessions, which results in the premature removal of those sessions from both peers.

97584
The automatic license deactivation workflow for firewalls with direct internet access does not work.
Workaround: Use the request license deactivate key features <name> mode manual CLI command to Deactivate a Feature License or Subscription Using the CLI. To Deactivate a VM, choose Complete Manually (instead of Continue) and follow the steps to manually deactivate the VM.

95611
There is a caching issue with the management plane that results in WildFire reports and alerts for files that are already uploaded at least once to the firewall and that are followed by a configuration change or threat content update on the firewall that specifically blocks those same files.

91395
Simultaneous transfer of large files from two different SMB servers over a GlobalProtect connection from a Windows 8 client causes the connection to fail.
Workaround: In PAN-OS 7.0.8 and later releases, enable Heuristics on Windows 8 clients or set the tunnel interface MTU size to 1,300 to avoid this issue.

91075
This issue is now resolved. See PAN-OS 7.0.7 Addressed Issues.
If you configure LSVPN tunnel interfaces between a GlobalProtect LSVPN gateway and an LSVPN satellite, you cannot upgrade the LSVPN satellite to a PAN-OS 7.0 release while the LSVPN gateway continues to run a PAN-OS 6.1 or earlier release; if you do, the LSVPN tunnels no longer pass traffic as expected due to changes made to the encryption algorithm names when introducing Suite B ciphers in PAN-OS 7.0.
Workaround: Upgrade both firewalls to PAN-OS 7.0 or a later release. If you cannot upgrade the LSVPN gateway to PAN-OS 7.0 or a later release, then upgrade the LSVPN satellite to PAN-OS 7.0.7 or a later release (or to a PAN-OS 7.1 release) to avoid this issue.

90326
This issue is now resolved. See PAN-OS 7.0.8 Addressed Issues.
The botnet log cleanup job on a PA-7000 Series firewall runs two hours before the system-generated botnet reports are triggered, which results in empty or no botnet reports when no logs are collected between jobs.

90256
This issue is now resolved. See PAN-OS 7.0.8 Addressed Issues.
Decrypted SSH sessions are not mirrored to the decrypt mirror interface as expected.

89385
This issue is now resolved. See PAN-OS 7.0.7 Addressed Issues.
For a firewall in an HA active/active configuration, session timeouts for some traffic unexpectedly refresh after a commit or HA sync attempt.
This fix introduced a known issue: 97806.

88141
Login attempts on Panorama for administrators with an access domain name longer than 31 characters will fail with the following error: Login could not be completed. Please contact the administrator. This is because the Access Domain field allows up to 63 characters but login operations allow a maximum of only 31 characters.
Workaround: Ensure that the access domain name for all administrators is no longer than 31 characters or upgrade to a PAN-OS 7.1 release, which allows the longer access domain names (up to 63 characters).

88029
If you have a system-wide firewall proxy configuration (Device > Setup > Services) in a PAN-OS 6.1 or earlier release and then upgrade to PAN-OS 7.0, the upgrade process will not automatically extend the proxy configuration to the WildFire public cloud, which includes a separate proxy configuration (Device > Setup > WildFire) in PAN-OS 7.0.
Workaround: After you upgrade a firewall to PAN-OS 7.0, add the necessary proxy configuration for accessing the WildFire public cloud (Device > Setup > WildFire).

86623
This issue is now resolved. See PAN-OS 7.0.8 Addressed Issues.
A firewall in an HA active/passive configuration with an established FTP session drops FTP PORT command packets after a failover.

85397
A Palo Alto Networks firewall, M-100 appliance, or WF-500 appliance configured to use FIPS operational mode will fail to boot when rebooting after an upgrade to a PAN-OS 7.0 release.
Workaround: Enable FIPS and Common Criteria support on any Palo Alto Networks firewall or appliance before you upgrade to a PAN-OS 7.0 release.

82849
This issue is now resolved. See PAN-OS 7.0.6 Addressed Issues.
A Panorama virtual appliance using a Network File System (NFS) storage partition incorrectly fails the file system integrity check for the NFS directory when rebooting Panorama after an upgrade to a Panorama 7.0 release.

82605
This issue is now resolved. See PAN-OS 7.0.4 Addressed Issues.
Offloaded policy-based forwarding (PBF) sessions will fail to egress a firewall running PAN-OS 6.1.4 and later releases if you Enforce Symmetric Return (Policies > Policy Based Forwarding > pbfrule > Forwarding).
Workaround: Disable Enforce Symmetric Return and create bidirectional PBF policies.

82470
This issue is now resolved. See PAN-OS 7.0.7 Addressed Issues.
In some environments, IPSec tunnel throughput performance is lower than expected due to incorrect hardware tagging.

82299
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.
There is a critical security vulnerability affecting PAN-OS 7.0.0. This issue specifically affects devices running PAN-OS 7.0.0 that are configured to use LDAP authentication for Captive Portal or for device management, including Panorama. This issue does not affect devices configured to use RADIUS or local authentication instead of LDAP authentication, nor does it affect any PAN-OS release other than PAN-OS 7.0.0. Due to the critical nature of this vulnerability, we strongly advise all customers who have installed PAN-OS 7.0.0 to upgrade as soon as possible to PAN-OS 7.0.1. Alternatively, you can downgrade to an older version of PAN-OS, such as PAN-OS 6.1 or PAN-OS 6.0.

81373
This issue is now resolved. See PAN-OS 7.0.2 Addressed Issues.
When the firewall is configured to communicate with a WildFire cloud (public or private) through a proxy server, WildFire Analysis reports for samples analyzed in the WildFire public cloud are not displayed in the WildFire Submissions log (Monitor > WildFire Submissions).
Workaround: Use the WildFire portal (https://wildfire.paloaltonetworks.com) or the WildFire API to retrieve WildFire Analysis reports.

80903
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.
A PA-7050 firewall running a PAN-OS 6.1 or earlier release and managed by Panorama running PAN-OS 7.0.0 cannot accurately handle queries from Panorama. This results in the inability to display data in the Application Command Center (ACC) widgets and prevents log data from the PA-7050 firewall from being included in reports generated on Panorama.

80799
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.
Files and email links sent using Simple Mail Transfer Protocol (SMTP) or Post Office Protocol version 3 (POP3) are not forwarded to the WildFire public cloud for analysis unless the firewall is also configured to forward files to a WildFire private cloud. For firewalls connected to a WildFire Private Cloud, forwarding to both the WildFire public cloud and WildFire private cloud works correctly (Device > Setup > WildFire).

80750
When specifying the device group and template for the VM-Series NSX edition firewall, you cannot select a template stack or a descendant device group defined in a device group hierarchy on Panorama. You can assign the firewalls to a template and a parent device group only.

80589
The VM-Series firewall on Citrix SDX does not support jumbo frames.

80561
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.
Software forwarding of Layer 3 multicast traffic with Protocol Independent Multicast (PIM) does not function correctly.

80398
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.
If you configure the firewall to use client certificates to authenticate administrators when they access the web interface, and you enable Online Certificate Status Protocol (OCSP) verification, then the authentication will fail and administrators can't log in.
Workaround: Clear the Block session if certificate status is unknown and Block session if certificate status cannot be retrieved within timeout check boxes in the certificate profile that the firewall uses to authenticate administrators.

80387
IPv6-to-IPv6 Network Prefix Translation (NPTv6) is not supported when configured on a shared gateway.

80373
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.
The options to Clone objects or policies in a shared gateway location and to Move objects or policies from a virtual system to a shared gateway location do not work correctly.

80323
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.
On reboot, the link states for firewall interfaces do not come up. This issue occurs when you disable high availability (HA) on a firewall that was configured in HA and then reboot the firewall.
Workaround: Use the delete deviceconfig high-availability enabled CLI command in configuration mode to delete the high availability configuration node.

80268
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.
When switching to Common Criteria (CC) mode on a PA-7050 firewall running PAN-OS 7.0.0, the operation does not complete and shows the following error: Set CCEAL4 Mode Sysd Error. This issue occurs because the CC mode operation attempts to change the operational mode before the system process (sysd) is fully loaded. This operation sets the firewall to the factory default configuration without CC configuration changes.
Workaround: Change to CC mode while running a PAN-OS 6.1 release before upgrading to PAN-OS 7.0.0.

80266
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.
If you configure the PA-200, PA-500, or PA-2050 firewall to use a service route instead of the management (MGT) interface to connect to an LDAP server, the connection won't work and any firewall functions that rely on the connection will fail.
Workaround: If you configured a service route before upgrading to a PAN-OS 7.0 release, reconfigure it as a destination service route or set the Source Interface and Source Address fields of the service route (Device > Setup > Services > Global > Service Route Configuration > IPv4 or IPv6) to Use default.

80177
The URL block page does not display as expected when proxied requests from the client use the CONNECT method.

79470
This issue is now resolved. See PAN-OS 7.0.2 Addressed Issues.
Panorama does not display WildFire Analysis reports correctly in the WildFire Submissions log.
Workaround: In the Context drop-down, select the firewall that forwarded the log and display the report in the firewall context.

79462
If you log in to Panorama as a Device Group and Template administrator and rename a device group, the Panorama > Device Groups page no longer displays any device groups.
Workaround: After you rename a device group, perform a commit, log out, and log back in; the page then displays the device groups with the updated values.
78803 In Panorama, template settings that are global to every virtual system (vsys) on a firewall (for example, System log settings) can't reference configuration elements (for example, an Email server profile) that you add to a specific vsys instead of to the Shared location. Only template and device group settings that Panorama can push to a specific vsys (for example, Log Forwarding profiles) can reference elements that you add to a specific vsys. To create an element that both global and vsys-specific settings can reference, you must set the template Mode to Multi VSYS enabled and, when adding the element, set its Location to Shared.
This issue is now resolved. See PAN-OS 7.0.2 Addressed Issues.
77850 Web pages using the HTTP Strict Transport Security (HSTS) protocol sometimes do not display properly for end users.
Workaround: End users should import an appropriate forward proxy certificate for their browsers.
77775 A validation error occurs when you try to move an object from its current device group to a destination device group that is lower in the hierarchy even if the policy rules or objects that reference the object are in the same destination or are in a device group that should inherit the object.
Workaround: Clone the object to the destination.
This issue is now resolved. See PAN-OS 7.0.2 Addressed Issues.
77299 When using a Firefox browser to access the firewall web interface, WildFire Analysis reports do not show the Coverage Status for the sample, even when a signature is generated to identify the sample (Monitor > Logs > WildFire Submissions > Detailed Log View > WildFire Analysis Report).
Workaround: To view the correct Coverage Status for a sample, use Chrome or Internet Explorer browsers to access WildFire Submissions logs on the firewall web interface.
This issue is now resolved. See PAN-OS 7.0.3 Addressed Issues.
76601 When you use a Mac OS Safari browser, client certificates will not work for Captive Portal authentication.
Workaround: On a Mac OS system, instruct end users to use a different browser (for example, Mozilla Firefox or Google Chrome).
75806 In a firewall with multiple virtual systems, if you add an authentication profile to a virtual system and give the profile the same name as an authentication sequence in Shared, reference errors occur. The same errors occur if the profile is in Shared and the sequence with the same name is in a virtual system.
Workaround: When creating authentication profiles and sequences, always enter unique names, regardless of their location. For existing authentication profiles and sequences with similar names, rename the ones that are currently assigned to configurations (for example, a GlobalProtect gateway) to ensure uniqueness.
74423 When fetching a dynamic block list, a firewall running PAN-OS 7.0.1 incorrectly uses the URL Updates service route instead of the service route that is attached to the Palo Alto Updates in the service route configuration (Device > Setup > Services > Global).
This issue is now resolved. See PAN-OS 7.0.2 Addressed Issues.
73674 The link on a 1Gbps SFP port on a VM-Series firewall deployed on a Citrix SDX server does not come up when successive failovers are triggered. This behavior is only observed in an HA active/active configuration.
Workaround: Use a 10Gbps SFP port instead of the 1Gbps SFP port on the VM-Series firewall deployed on a Citrix SDX server.
73518 WildFire Analysis reports cannot be viewed on firewalls running PAN-OS 6.1 release versions if connected to a WF-500 appliance in Common Criteria mode that is running a PAN-OS 7.0 release.
71624 Vulnerability detection of SSLv3 fails when SSL decryption is enabled. This can occur when you attach a Vulnerability Protection profile (that detects SSLv3 CVE-2014-3566) to a Security policy rule and that Security policy rule and an SSL Decryption policy rule are configured on the same virtual system in the same zone. After performing SSL decryption, the firewall sees decrypted data and no longer sees the SSL version number. In this case, the SSLv3 vulnerability is not identified.
Workaround: SSL Decryption Enhancements were introduced in PAN-OS 7.0 that enable you to prohibit the inherently weaker SSL/TLS versions, which are more vulnerable to attacks. For example, you can use a Decryption profile to enforce a minimum protocol version of TLS 1.2 or select Block sessions with unsupported versions to disallow unsupported protocol versions (Objects > Decryption Profile > SSL Decryption > SSL Forward Proxy and/or SSL Inbound Inspection).
70335 When a tunnel monitor is enabled for a large scale VPN (LSVPN) and the tunnel monitor is in wait-recover mode, access routes from the GlobalProtect gateway cannot be installed on the GlobalProtect satellite.
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.
70222 If the password for the administrator account on the NSX Manager contains special characters, such as $, Panorama cannot communicate with the NSX Manager. The inability to communicate prevents context-based information, such as Dynamic Address Groups, from being available to Panorama.
Workaround: Remove special characters from the administrator password on the NSX Manager.
69458 When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as StrongSwan.
Workaround: Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
68330 When you configure a firewall to retrieve a WildFire signature package, the System log shows unknown version for the package. For example, after a scheduled WildFire package update, the system log shows: Wildfire package upgraded from version <unknown version> to 38978-45470. This is a cosmetic issue only and does not prevent the WildFire package from installing.
67713 PAN-OS allows downgrade to content release versions (Applications and Threats) on the firewall to versions that the current PAN-OS release does not support. For example, if the firewall is running PAN-OS 7.0.1 and the minimum content release version is 497, the administrator should not be able to downgrade to a version earlier than 497.
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.
67624 When using a web browser to view a WildFire Analysis report from a firewall that is using a WF-500 appliance for file sample analysis, the report may not appear until the browser downloads the WF-500 certificate. This issue occurs after upgrading a firewall and the WF-500 appliance to a PAN-OS 6.1 or later release.
Workaround: Browse to the IP address or hostname of the WF-500 appliance, which will download the certificate into the browser. For example, if the IP address of the WF-500 appliance is 10.3.4.99, open a browser and enter https://10.3.4.99. You can then access the report from the firewall by selecting Monitor > WildFire Submissions, click the log details icon and then click the WildFire Analysis Report tab.
67552 Firewalls running PAN-OS 6.0 and earlier releases send a NIL value (or en dash) to the syslog server when no domain or hostname value is configured on the firewall. In PAN-OS 6.1 and later releases, the firewall does not send any value when the domain and hostname fields are empty; instead, this field is left blank in syslog headers.
66976 In the WildFire Submission logs, the email recipient address is not correctly mapped to a username when configuring mapping with group mapping profiles that are pushed in a Panorama template.
66887 The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
66879 The VM-Series firewall on KVM running on Ubuntu 12.04 LTS does not support PCI pass-through functionality.
66745 On managed mobile devices running iOS 8, unenrolling the device does not always remove the VPN profile and the Mobile Security Manager profile.
66233 The URL logging rate is reduced when HTTP header logging is enabled in the URL Filtering profile (Objects > Security Profiles > URL Filtering > <URL Filtering profile> > Settings).
65824 Unused NAT IP address pools are not cleared after a single commit, so a commit fails if the total cache of unused pools, existing used pools, and new pools exceeds the memory limit.
Workaround: Commit a second time, which clears the old pool allocation.
63962 Configurations pushed from Panorama 6.1 and later releases to firewalls running PAN-OS 6.0.3 or earlier releases will fail to commit due to an unexpected Rule Type error. This issue is caused by the new Rule Type setting in security policy rules that was not included in the upgrade transform and, therefore, the new rule types are not recognized on devices running PAN-OS 6.0.3 or earlier releases.
Workaround: Only upgrade Panorama to version 6.1 or later releases if you are also planning to upgrade all managed firewalls to a PAN-OS 6.0.4 or later release before pushing configuration to firewalls.
63186 If you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart management-server CLI command.
61720 By default, the GlobalProtect app adds a route on iOS mobile devices that causes traffic to the GP-100 GlobalProtect Mobile Security Manager to bypass the VPN tunnel.
Workaround: To configure the GlobalProtect app on iOS mobile devices to route all traffic, including traffic to the GP-100 GlobalProtect Mobile Security Manager, to pass through the VPN tunnel, perform the following tasks on the firewall hosting the GlobalProtect gateway (Network > GlobalProtect > Gateways > Client Configuration > Network Settings > Access Route):
- Add 0.0.0.0/0 as an access route.
- Enter the IP address for the GlobalProtect Mobile Security Manager as an additional access route.
60851 Due to a limitation related to the Ethernet chip driving the SFP+ ports, PA-5050 and PA-5060 firewalls will not perform link fault signaling as standardized when a fiber in the fiber pair is cut or disconnected.
59856 After deploying the VM-Series firewall, when the firewall connects to Panorama, you must issue a Panorama commit to ensure that Panorama recognizes the firewall as a managed device. If you reboot Panorama without committing the changes, the firewall will not connect back to Panorama; although the device group will display the list of devices, the device will not display in Panorama > Managed Devices.
Further, if Panorama is configured in an HA configuration, the VM-Series firewall is not added to the passive Panorama peer until the active Panorama peer synchronizes the configuration. During this time, the passive Panorama peer will log a critical message: vm-cfg: failed to process registration from svm device. vm-state: active. This message is logged until you commit the changes on the active Panorama, which then initiates synchronization between the Panorama HA peers and the VM-Series firewall is added to the passive Panorama peer.
Workaround: To reestablish the connection to the managed devices, commit your changes to Panorama (click Commit and select Commit Type Panorama). In case of an HA setup, the commit will initiate the synchronization of the running configuration between the Panorama peers.
59573 Live migration of the VM-Series firewall is not supported when you enable SSL decryption using the SSL forward proxy method. Use SSL inbound inspection if you need support for live migration.
58839 When deleting the VM-Series deployment, all VMs are deleted successfully; however, sometimes a few instances still remain in the datastore.
Workaround: Manually delete the VM-Series firewalls from the datastore.
58260 If an HA failover occurs on Panorama at the time that the NSX Manager is deploying the VM-Series NSX edition firewall, the licensing process fails with the error: vm-cfg: failed to process registration from svm device. vm-state: active.
Workaround: Delete the unlicensed instance of the VM-Series firewall on each ESXi host and then redeploy the Palo Alto Networks next-generation firewall service from the NSX Manager.
49742 The following issues apply when configuring a firewall to use a hardware security module (HSM):
- Thales nShield Connect: The firewall requires at least four minutes to detect that an HSM has been disconnected, causing SSL functionality to be unavailable during the delay.
- SafeNet Network: When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show ha-status and show hsm info commands is blocked for 20 seconds.
49322 After you configure a Panorama M-Series appliance for HA and synchronize the configuration, the Log Collector of the passive peer cannot connect to the active peer until you reboot the passive peer.
45464 The Panorama virtual appliance does not write summary logs for traffic and threats as expected after you enter the clear log command.
Workaround: Reboot Panorama management server (Panorama > Setup > Operations) to enable summary logs.
40436 Firewalls running PAN-OS 6.1 and later releases do not update FQDN entries unless you enable the DNS proxy Cache option (Network > DNS Proxy > <DNS Proxy config> > Advanced).
PAN-OS 7.0.8 Addressed Issues
The following table lists the issues that are fixed in the PAN-OS 7.0.8 release. For an overview of new features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see PAN-OS 7.0 Release Information.
Issue ID Description
97313 Fixed an issue where the management plane of Panorama M-100 and M-500 appliances stopped responding when renaming objects or security policies due to memory corruption.
96792 Fixed an issue where commits failed due to a memory leak related to HA sync of the candidate configuration that caused the passive Panorama peer to stop responding.
94757 Fixed a rare issue on firewalls where Security policy rules included empty dynamic block lists (0.0.0.0/0) after a Commit from Panorama with Force Template Values enabled.
93729 Fixed an issue where SSH decryption caused a dataplane memory leak and restart.
93072 A security-related change was made to address an issue in the policy configuration dialog.
92763 Fixed an issue where commits failed due to a validation error that occurred when Panorama pushed Authentication Sequence profiles that included a virtual system that was not migrated properly during an upgrade from a Panorama 6.1 release to a Panorama 7.0 or later release.
92391 Fixed an issue where firewall Traffic logs displayed unusually large byte counts for sessions passing through proxy servers.
92293 A security-related fix was made to address CVE-2016-1712.
91900 Fixed an issue where a Panorama validate operation followed by an FQDN refresh caused the validate config to commit to the firewall.
91886 A security-related fix was made to address CVE-2015-7547.
91876 Fixed an issue where the passive firewall in a VM-Series ESXi configuration was processing and forwarding traffic.
91799 Fixed an issue where a PA-7050 firewall did not display logs as expected and caused a process (logrcvr) to stop responding.
91728 A security-related fix was made to address a Denial of Service condition related to the API.
91724 Fixed an issue where an autocommit of an incremental antivirus update failed after a reload due to a corrupt virus signatures file and a failed incremental installation. With this fix, incremental content installation has enhanced protections to prevent autocommit failures, and will log additional information to assist with troubleshooting.
91653 Fixed an issue where SSL decryption did not work as expected for resumed sessions.
91643 Fixed a rare issue where traffic that triggered an SSL decrypt URL proxy action caused a process (all_task) to restart.
91497 Fixed an issue where stale next-hop MAC entries persisted on the session offload processor after you modified a subinterface configuration, which caused SSH connections to fail. With this fix, the management plane cache no longer duplicates next-hop MAC entries, which prevents the stale entries that caused SSH connections to fail.
91336 Fixed an issue where the packet processor stopped responding when proxy packets were switched to the fast path group on the dataplane.
90982 Fixed an issue where upgrading from a PAN-OS 6.1 release to PAN-OS 7.0.3 or a later PAN-OS 7.0 release caused the GlobalProtect portal or gateway and SSL decryption processes to stop responding. This issue occurred because SSL/TLS Service Profiles (introduced in PAN-OS 7.0) were not created successfully if you did not enable multiple virtual system (multi-vsys) functionality on the firewall. With this fix, SSL/TLS Service profiles are now successfully created on non-multi-vsys platforms when upgrading to PAN-OS 7.0.8 or later releases or to PAN-OS 7.1 releases.
90857 Fixed an issue with a Panorama passive peer in an HA configuration where administrators were unable to configure the Dynamic Updates schedule for Applications and Threats updates.
90856 Fixed an issue where the dialog for creating certificates and the dialog for editing certificates had different character limits for the certificate name. With this fix, the certificate name field in both dialogs allows up to 63 characters.
90842 Fixed an issue where the firewall received an unencrypted empty ISAKMP packet in quick mode that caused a process (ikemgr) to stop responding.
90794 Fixed an issue where a log file (/var/log/wtmp) inflated and consumed the available disk space. With this fix, PAN-OS uses a log rotation function to prevent log files from consuming more disk space than necessary.
90680 Fixed an issue on PA-500 firewalls where certain processes (l3svc and sslvpn) stopped responding after the firewall attempted a dynamic update.
90635 A security-related fix was made to address a cross-site scripting condition in the Application Command Center (ACC).
90553 Fixed an issue where Data Filtering and WildFire Submissions logs for non-NAT sessions contained incorrect or invalid NAT information.
90326 Fixed an issue on PA-7000 Series firewalls where botnet reports were not created consistently due to a log cleanup job that ran just prior to when the botnet reports were generated, which on some days resulted in empty or no botnet reports. With this fix, the botnet log cleanup job takes place after the daily generation of botnet reports so that daily reports are created and populated as expected.
90256 Fixed an issue where decrypted SSH sessions were not mirrored to the decrypt mirror interface as expected.
90249 Fixed an issue where upgrading from a PAN-OS 6.1 or earlier release prevented administrators from overriding LDAP group mappings that were pushed from Panorama.
90044 Fixed an issue where log forwarding in Panorama failed when using syslog over TCP.
89979 Fixed an issue where the Aggregate Ethernet (AE) interface port in virtual wire mode with link state pass-through enabled came up after a commit, although its peer AE interface port was down. With this fix, the other AE interface port will come up after the commit and is then brought down in approximately 10 seconds. This causes both AE interfaces to stay down until the first AE interface recovers.
89917 Fixed an intermittent issue where one or more interfaces on a VM-Series firewall deployed in the Amazon Web Services (AWS) cloud could not obtain IP addresses from a DHCP server after booting up.
89910 Fixed an issue where all LLDP packets were sent with the source MAC address of the MGT interface instead of the dataplane interface from which they were transmitted. With this fix, LLDP packets are encapsulated with the source MAC address of the interface that transmitted the packet.
89743 Fixed an issue where commits failed due to processes (configd and mgmtsrvr) that stopped responding. This issue was caused by memory corruption related to the scheduling of WildFire dynamic updates.
89551 Fixed an issue where User Activity Reports delivered via the Email Scheduler did not include usernames that contained German characters.
88646 Fixed an issue where predicted FTP sessions were not established as expected from the parent FTP session.
88346 Fixed an issue where a firewall was sending BGP packets with the wrong MD5 authentication value.
88327 Fixed an issue where several valid country codes were missing in the Certificate Attributes section when generating a certificate from the web interface.
88157 Fixed an issue with reduced throughput for traffic originating on the firewall and traversing a VPN tunnel.
87851 Fixed an issue where high rates of fragmented packets caused the firewall to experience a spike in packet buffer, descriptor, and CPU usage.
87741 Fixed an issue on PA-3000 Series firewalls where the dataplane restarted after an upgrade.
87179 Fixed an issue where a virtual system (vsys) in a Panorama template was assigned duplicate vsys numbers during commit to the firewall.
86623 Fixed an issue where a firewall in an HA active/passive configuration dropped FTP PORT command packets after a failover.
86123 Fixed an issue where an M-100 appliance in an HA pair had a process (configd) repeatedly restart, causing HA sync to fail.
85160 Fixed an issue where a firewall lost members of a domain group after a failover from the primary to the secondary LDAP server when the last-modified timestamp for the group was not the same on both servers.
84115 Fixed an issue where virtual system administrators (full access or read-only) were unable to access settings under the Network tab (Panel for undefined not registered was displayed, instead).
83239 Fixed an issue where inbound SSL decryption did not work as expected when you enabled SYN cookies.
80953 Fixed an issue on firewalls in an HA active/active configuration that included virtual wire interfaces where packets did not adhere to virtual wire forwarding paths and caused MAC address flapping on neighbor.
77822 Fixed an issue on a VM-Series NSX edition firewall that sent Dynamic Address Group information only to the primary virtual system (VSYS 1) on the integrated physical firewall at the data center perimeter. With this fix, a VM-Series NSX edition firewall configured to Notify Device Group sends Dynamic Address Group updates to all virtual systems on a physical firewall running PAN-OS 7.0.8 or a later PAN-OS 7.0 release.
PAN-OS 7.0.7 Addressed Issues
The following table lists the issues that are fixed in the PAN-OS 7.0.7 release. For an overview of new features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see PAN-OS 7.0 Release Information.
Before you upgrade to PAN-OS 7.0.3 or a later PAN-OS 7.0 release, review the information about how to upgrade a firewall to PAN-OS 7.0. Additionally, if virtual system (vsys) configuration is not enabled on your firewall or appliance, you must reboot your firewall or appliance after you install PAN-OS 7.0.1 and before you upgrade to PAN-OS 7.0.3 or a later release.
Issue ID Description
94912 Fixed an issue in PAN-OS 7.0.6 where WF-500 appliances returned false positive results primarily for Microsoft Word (.docx) files.
93775 Fixed an issue where packet diagnostics failed due to an unnecessarily large debug log related to HA3 packet forwarding.
93644 Fixed an issue on PA-3000 Series firewalls where processing jumbo frames that were larger than 7,000 bytes during a period of heavy traffic caused the FPGA to stop responding. With this fix, the FPGA thresholds are adjusted to correctly handle up to 9KB jumbo frames.
93612 A security-related fix was made to address a privilege escalation issue.
93228 Fixed an issue on PA-7050 firewalls in an HA active/active configuration where jumbo frames that included the DF (do not fragment) bit were dropped when crossing dedicated HA3 ports.
92413 A security-related change was made to address a boundary check that caused a service disruption of the captive portal.
91771 Fixed an issue where a firewall did not send TCP packets out during the transmit stage in the same order as those packets were received.
91443 Fixed an issue where a Panorama M-100 appliance purged logs due to an incorrect quota size.
91079 Fixed an issue on a VM-Series firewall where an ungraceful reboot caused Dynamic IP address information to get out of sync.
91075 Fixed an issue where the LSVPN tunnel interface failed to pass traffic after upgrading a GlobalProtect LSVPN satellite to a PAN-OS 7.0 release while the GlobalProtect LSVPN gateway was still running a PAN-OS 6.1 or earlier release. Additionally, the tunnel interface flapped if you enabled tunnel monitoring. These issues occurred due to changes to the encryption algorithm names when introducing Suite B ciphers in PAN-OS 7.0. With this fix, GlobalProtect LSVPN satellites running PAN-OS 7.0.7 (or PAN-OS 7.1) or later releases successfully recognize the old names used in PAN-OS 6.1 and earlier releases so that LSVPN tunnels are established and pass traffic as expected.
90433 Fixed an issue where overrides of the default rules in the Shared policy took precedence over the overrides of default rules in a device group. With this fix, override precedence now behaves as designed (overrides of default rules in the lowest-level device group take precedence over those settings in the higher-level device groups and Shared).
90194 Fixed an issue where firewalls without any WildFire public signatures (had never downloaded any or old signatures had been deleted) did not properly leverage WildFire private cloud signatures when monitoring traffic.
90158 Fixed an issue on PA-7000 Series firewalls where aggregate outbound traffic was incorrectly limited by the chassis switch fabric switching capacity.
90070 Fixed an issue where a memory leak associated with the authentication process (authd) caused intermittent access and authentication issues.
90029 Fixed an issue where a GlobalProtect gateway rejected the same routes learned from different LSVPN satellites when the routes were destined for a different virtual router.
89761 Fixed an issue where a scheduled log export failed to export the logs if the password in the configuration contained the dollar sign ("$") character.
89588 Fixed an issue where packets that had to be retransmitted during SSL decryption were not handled correctly, which resulted in a depleted software packet buffer.
89503 Fixed an issue where user group mappings were not properly populated into the dataplane after a firewall reboot.
89413 Fixed an issue where Panorama template commits failed when the names of several certificates in the Default Trusted Certificate Authorities list changed. This occurred when Panorama was running a PAN-OS 7.0 release and pushed a template to a firewall running a PAN-OS 6.1 or earlier release.
89385 Fixed an issue with firewalls in an HA active/active configuration where session timeouts for some traffic were unexpectedly refreshed after a commit or HA sync attempt.
This fix introduced a known issue: 97806.
89296 Fixed an issue where a commit failed after renaming a Panorama shared object that was already referenced in the rules on a local firewall.
89108 Fixed an issue where a firewall did not advertise prefixes to some BGP peers when expected.
88689 Fixed an issue where a memory leak associated with the authentication process (authd) caused commit attempts to fail.
88450 Fixed an issue where Layer 3 interfaces without defined IP addresses, zones, or virtual routers dropped LLDP packets, which prevented the firewall from obtaining and displaying neighbor information.
88421 Fixed an issue where WildFire reports were generated for files already blocked by the Antivirus profile SMTP decoder.
88325 Fixed an issue where a PA-500 firewall running a PAN-OS 7.0.1 or later release and with DNS Proxy enabled failed to connect to User-ID agents using FQDN.
88313 Fixed an issue where read-only device administrators were unable to view logs on the ACC tab.
87911 Fixed an issue where scheduled dynamic updates to managed firewalls stopped functioning after migrating the Panorama VM to an M-500 appliance.
87880 Fixed an issue where the XML API request to test Security policy was not properly targeted to a specified virtual system (vsys), which made the request applicable only to the default vsys. With this fix, the XML API request to test Security policy is able to retrieve results for any previously targeted vsys.
87833 Fixed an issue where WildFire updates caused the interface to flap.
87729 Fixed an issue where the dataplane on the passive firewall in a synced HA configuration restarted due to a Decryption profile that didn't have any associated Decryption policy rules, which resulted in SSL proxy sessions that were dropped on the passive firewall when the active firewall became suspended during a failover.
87094 Fixed an issue where committing a policy on Panorama that contained interfaces that were manually defined generated the error: [interface name] is not an allowed keyword.
86977 Fixed an issue where LDAP sessions sourced from Panorama, a firewall, or an M-100 appliance were kept open and not actively refreshed, which caused sessions to time out when they traversed the peer firewall (or the dataplane on the same firewall) and, ultimately, caused authentication attempts to fail when requests could no longer reach the LDAP server. With this fix, a keep-alive mechanism is added that is triggered after 15 minutes of session inactivity and that allows a maximum of five failed probes before dropping a connection (probes occur in 60-second intervals).
86821 Fixed an issue where the server process (devsrvr) stopped responding when attempting to access a URL with multiple nested children, which caused the dataplane to restart.
86686 Security-related fixes were made to address issues reported in the October 2015 NTP-4.2.8p4 Security Vulnerability Announcement.
86202 Fixed an issue where the management plane stopped responding if you modified an object referenced in a large number of rules.
86189 Fixed an issue where the firewall did not send SNMPv3 traps that used an IPv6 server address.
86122 Fixed an issue where an LACP Aggregate Ethernet (AE) interface using SFP copper ports remained down after a dataplane restart.
85344 Fixed an issue where scheduled dynamic update installation caused the HA link to flap.
85265 Fixed an issue in the XML API that prevented a read-only superuser from downloading custom packet captures.
84997 Fixed an issue on PA-7000 Series firewalls where the first autocommit attempt failed.
84461 Fixed a Panorama issue where the virtual memory for a process (configd) exceeded its allocation, which caused commit and HA sync attempts to fail.
84146 Fixed an issue in PAN-OS 7.0 releases where the source and destination field was no longer included as expected in error messages that were triggered when requests to delete address objects failed. With this fix, the source and destination information is again included in the error message.
84027 Fixed an issue where a firewall allowed some HTTP GET packets to pass through even when the URL Filtering profile was configured to block packets in this URL category.
83564 Fixed an issue where a certificate Common Name (CN) containing UTF-8 characters caused commit requests to fail because the decoded CN string exceeded the 64-character limit.
82918 Fixed an issue where re-entering an LDAP bind password through the CLI using a hash value (instead of a regular password) was rejected for having too many characters.
82470 Fixed an issue with IPSec tunnel throughput performance caused by incorrect hardware tagging.
77460 Fixed an issue on a firewall with an expired BrightCloud license where the specified vendor was unexpectedly and automatically changed from BrightCloud to PAN-DB when any feature auth code was pushed from Panorama to the firewall.
76661 Fixed an issue where voltage alarms were triggered incorrectly (voltage was within the appropriate range).
74443 A security-related fix was made to address CVE-2015-0235.
73082 Fixed an issue where a firewall process (all_pktproc) stopped responding due to an issue with NAT pool allocation.
PAN-OS 7.0.6 Addressed Issues
The following table lists the issues that are fixed in the PAN-OS 7.0.6 release. For an overview of new features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see PAN-OS 7.0 Release Information.
Before you upgrade to PAN-OS 7.0.3 or a later PAN-OS 7.0 release, review the information about how to upgrade a firewall to PAN-OS 7.0. Additionally, if virtual system (vsys) configuration is not enabled on your firewall or appliance, you must reboot your firewall or appliance after you install PAN-OS 7.0.1 and before you upgrade to PAN-OS 7.0.3 or a later release.
For WF-500 appliances, the PAN-OS 7.0.7 maintenance release addresses an issue that was introduced in PAN-OS 7.0.6 that causes frequent false positive verdicts for Microsoft Office documents. You are advised to upgrade WF-500 appliances to 7.0.7 or later releases and are advised not to install the 7.0.6 image.
Issue ID Description
92671 Fixed an issue where traffic that was offloaded to hardware was not forwarded properly. This occurred on PA-3050 and PA-3060 firewalls and primarily with SSL traffic.
90992 Fixed an intermittent issue where the initial GlobalProtect client connection to a GlobalProtect portal or gateway failed with the error: Valid client certificate is required. This occurred when the certificate profile used CRL/OCSP to check certificate validity and was due to a problem with the certificate not being available in the dataplane cache. Subsequent connections worked because the certificate was added to the cache during the initial connection attempt.
90904 Fixed a packet drop issue on PA-7000 Series firewalls in HA configurations running a PAN-OS 7.0.3 through PAN-OS 7.0.5 release. This occurred due to a MAC address lookup issue on interfaces in an Aggregate Ethernet (AE) interface group that were part of a VLAN.
89881 Fixed an issue where the User-ID agent truncated NetBIOS names with more than 14 characters. As a result, users with domain names longer than 14 characters were not granted access.
89317 Fixed an issue where improper data pattern ordering occurred after an administrator deleted data patterns from an existing Data Filtering profile, which subsequently caused an error (rule is already in use) when attempting to add a new data pattern. With this fix, you can add or delete data patterns in any order.
88794 Fixed an issue where one-time password (OTP) RADIUS authentication failed when the domain selection field was used in the authentication profile.
88696 Fixed an issue where, under certain conditions, a process (mpreplay) frequently restarted due to excessive internal messaging.
88570 Fixed an issue where a Neighbor Solicitation (NS) packet used to refresh IPv6
neighbor tables was sent out through a VLAN interface without a VLAN tag. The NS
packet was tagged correctly when the neighbor entry was initially created but the
packet used to refresh the table was sent without the tag, which caused the table
update to fail when the neighbor did not receive an appropriately tagged response.
88168 Fixed an issue where VM-Series firewalls running on an 8-core platform changed the
passive firewall to active when a socket error occurred. The socket remained closed
until an interface-related change was made.
88125 Fixed an issue where TCP segments for DNS queries were dropped when the
segments were smaller than 12 bytes.
87482 A security-related change was made to management plane account restrictions to
avoid service disruption.
87285 Fixed an issue where a User Activity Report PDF for the last 30 days generated an
error when the report contained more than 100,000 lines.
87257 Fixed an issue that caused a dataplane restart when the firewall was configured as a
DHCP relay and received DHCP requests from a third-party DHCP server or client
that exceeded the payload length specified in RFC 2132.
87158 Fixed an issue where some packets were duplicated in the egress stage. This occurred
on multi-dataplane firewalls when traffic flowed from virtual system to virtual system
or from virtual system to a shared gateway. An update has been made to prevent
packet duplication.
86980 Fixed an intermittent issue where commits failed due to invalid file permission
warnings related to SSH authentication.
86970 Fixed an issue where decryption on the firewall did not function when using Chrome
to browse certain websites because Chrome eliminated insecure fallback to TLS 1.0.
86916 Fixed an issue where traffic bursts entering a PA-3000 Series firewall caused
short-term packet loss even though the overall dataplane utilization remained low.
This issue was typically observed when two firewall interfaces on the same firewall
were connected to each other. With this fix, internal thresholds were modified to
prevent packet loss in these conditions.
86671 Fixed an issue where Panorama did not recognize threat IDs generated by a WF-500
appliance, which prevented you from configuring an exemption for these threats in
Panorama that could be pushed to managed firewalls.
86633 Fixed an issue where the web interface indicated that a new DHCP relay configured
in the CLI was enabled even though the relay was not, yet, enabled from the CLI.
86321 Fixed an issue where SSH decryption caused a dataplane memory leak and restart.
86251 Fixed an issue where an administrator was unable to retrieve log partition utilization
using SNMP after adding additional virtual disk space on Panorama.
85913 Fixed an issue where an administrator was unable to add more than one X-Auth
GlobalProtect gateway on the same interface.
85110 Fixed an issue where the firewall sent gratuitous ARP (GARP) packets for an interface
IP address used in a destination NAT rule from all interfaces in the zone where that
interface belonged. With this fix, the GARP packets are sent only from the interface
that owns the IP address.
84949 Fixed an issue where M-100 appliances in an HA active/active configuration
forwarded logs only to one syslog server, even though two syslog servers were
defined. This issue occurred only on the primary-secondary appliance and was due to
an HA sync issue.
84665 Fixed an issue where the Commit icon incorrectly indicated pending configuration
changes after an Applications and Threats update.
84641 Fixed an issue where some DNS requests were forwarded to the wrong DNS server
(the one previously but no longer configured on the firewall).
84339 Fixed an issue where a single session consumed the majority of the packet buffer
resources. With this fix, you can use information in the output of the show running
resource-monitor ingress-backlogs command to Identify Sessions That Use an
Excessive Percentage of the Packet Buffer and then use the request
session-discard CLI operational command to manually discard sessions as needed.
These commands are only available on firewalls that support hardware offload.
84236 Fixed an issue where special characters in the SNMPv3 Users field caused encryption
to fail and caused the firewall to restart.
83722 Fixed an issue where destination-based service routes did not work for RADIUS
authentication servers.
83702 Fixed an issue on PA-7000 Series firewalls running PAN-OS 7.0.2 and later releases
where WildFire Analysis reports did not display in the WildFire Analysis Report tab
(Monitor > Logs > WildFire Submissions > Detailed Log View).
83361 Fixed an issue where the DoS classification counter stopped at an abnormally high
value. This caused flood-type false positives in the Threat logs, causing the firewall to
appear as if it reached maximum session capacity.
83135 Fixed an issue where the initial redirect failed for some SSL sites. (The error Bad
Record MAC appeared after the user clicked continue but the user could then
refresh the page to successfully enter the website.)
83100 Fixed an issue where Panorama HA synchronization failed when attempting to
upgrade to a PAN-OS 7.0.1 through PAN-OS 7.0.5-h2 release.
82756 Fixed an issue where custom reports were not sent out by the Email Scheduler.
82443 Fixed an issue where unwanted characters were displayed on the login page after a
failed login.
80507 Fixed an issue in Panorama where Threat and Content names for certain threats did
not appear in ACC reports, predefined reports, and spyware reports. This issue
occurred only on PA-7000 Series firewalls managed by Panorama and only during an
Antivirus update.
79729 Fixed an issue with firewalls in an HA configuration where a commit operation
aborted for all daemons and then the DHCP daemon stopped responding. This
occurred when the set deviceconfig high-availability group {group-name}
configuration-synchronization enabled option was set to no.
78090 Fixed an issue where the User-ID process stopped responding on both peers in an HA
active/passive configuration. This issue occurred after an upgrade and was due to a
problem with the LDAP library.
74333 Fixed an issue where incremental updates for new and updated registered IP
addresses were failing when registration events were occurring through the XML
API. With this fix, integrating the updates for registered IP addresses no longer fails
when using the XML API (on either standalone firewalls and appliances or those in
HA configurations).
PAN-OS 7.0.5-h2 Addressed Issues
The following table lists the issues that are fixed in the PAN-OS 7.0.5-h2 release. For an overview of new
features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see
PAN-OS 7.0 Release Information.
Before you upgrade to PAN-OS 7.0.3 or a later PAN-OS 7.0 release, review the information about how to upgrade a
firewall to PAN-OS 7.0. Additionally, if virtual system (vsys) configuration is not enabled on your firewall or appliance,
you must reboot your firewall or appliance after you install PAN-OS 7.0.1 and before you upgrade to PAN-OS 7.0.3
or a later release.
Issue ID  Description
89750 A security-related fix was made to address a stack underflow condition.
89706 A security-related fix was made to prevent some CLI commands from improperly
executing code.
PAN-OS 7.0.5 Addressed Issues
The following table lists the issues that are fixed in the PAN-OS 7.0.5 release. For an overview of new
features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see
PAN-OS 7.0 Release Information.
Before you upgrade to PAN-OS 7.0.3 or a later PAN-OS 7.0 release, review the information about how to upgrade a
firewall to PAN-OS 7.0. Additionally, if virtual system (vsys) configuration is not enabled on your firewall or appliance,
you must reboot your firewall or appliance after you install PAN-OS 7.0.1 and before you upgrade to PAN-OS 7.0.3
or a later release.
Issue ID  Description
89752 A security-related fix was made to address a buffer overflow condition.
89717 A security-related fix was made to ensure the appropriate response to special requests
received through the API interface.
88550 Fixed an issue on firewalls running in Common Criteria (CC) mode where seeding using an
OpenSSL deterministic random bit generator (DRBG) caused a process (cryptod) to stop
responding and resulted in commit failures.
88439 Fixed an issue on a PA-3000 Series firewall where a dataplane constantly restarted due to
a hardware content matching memory issue.
88382 Fixed an issue in a high availability (HA) active/active configuration with unexpectedly
short (20 second) timeouts that occurred when an HA2 session sync message failed. This
issue was due to an ARP problem between dataplanes in the HA configuration when the
HA2 backup was in use and using either IP or UDP transport mode. With this fix,
unexpectedly short session timeouts no longer occur due to this issue.
88191 A security-related fix was made to address information leakage in systems log that
impacted the web interface.
87565 Fixed an issue where a firewall did not forward correlation events to the syslog server.
87170 Fixed an issue where a firewall did not filter groups using the filters applied in search
parameters; instead, the firewall ignored filters and displayed all groups in search results.
86947 Fixed a rare issue where an active firewall in a high availability (HA) configuration
incorrectly synced to the configuration from the passive firewall when a second commit
was performed on the active firewall before a previous commit was completed.
86723 Fixed an issue where a dataplane restarted when client-to-server traffic exceeded 4GB
and included HTTP GET or POST requests that had the source IP address in the Origin
header.
86664 Fixed an issue with IKEv2 that caused a child security association (SA) to install incorrectly
on a firewall when the tunnel was connected to third-party equipment using PFS.
86390 Fixed an issue where a virtual system (vsys) created in a Panorama template did not display
where expected when the first two characters of the vsys name was "sg" (such as "sg01").
With this fix, Panorama no longer allows you to create a vsys with a name that begins with
"sg" in a Panorama template.
86319 Fixed an issue where a process (routed) on the firewall stopped responding and resulted in
high CPU usage when applying a BGP autonomous system (AS) path filter.
86193 Fixed an issue in a high availability (HA) configuration where LDAP group mappings did not
properly refresh after a firewall became the active peer again after going through the
passive state. This was due to a variable that was not initialized properly and was then used
in an error case. With this fix, LDAP variables are properly initialized to avoid this LDAP
group mapping issue.
86136 Fixed an issue where the GlobalProtect gateway sent an access request packet with
malformed data inside the Framed-IP-Address field to the RADIUS server.
86126 Fixed an issue where a user with a custom role-based administrative account couldn't
preview rules listed as Combined rules.
86091 Fixed an issue where a commit to configure a tunnel interface that used a string instead of
an integer caused a process (routed) on the firewall to stop responding.
86075 Fixed an issue on a PA-3060 firewall where the size of the SMLVMEmlInfo software pool
was less than expected. With this fix, the size of the SMLVMEmlInfo software pool is
increased to the expected value.
85888 Fixed an issue where the firewall ignored the session timeout value and automatically
refreshed administrators who were still logged in to the firewall even when those sessions
were inactive for a period longer than the configured timeout.
85879 Fixed an issue where a firewall in a high availability (HA) configuration generated a false
positive event (Running configuration not synchronized after retries) 75
seconds after each HA sync. With this fix, this error is returned only for commits that take
longer than 45 minutes to complete.
85878 In response to an issue where DNS queries sometimes caused a Log Collector to run too
slowly and caused delays in log processing, the debug management-server
report-namelookup disable CLI command is added to disable DNS lookups for
reporting purposes.
85863 Fixed an issue where multicast traffic sent over a virtual wire (vwire) with Multicast
Firewalling disabled (Network > Virtual Wires > <vwire>) caused high CPU and packet
buffer depletion.
85821 Fixed an issue where a dataplane stopped responding due to memory corruption.
85754 Fixed an issue where a VM-Series disk was corrupted and went into maintenance mode
after processing mutated traffic from third-party signature detection software.
85675 Fixed an intermittent issue where a process (mprelay) restarted and, after multiple restarts,
caused the firewall to restart. This issue was associated with the processing of add and
delete events for IPv4 ARP and IPv6 neighbor updates. With this fix, IPv4 ARP and IPv6
neighbor updates no longer cause the mprelay process or firewall to restart.
85484 Fixed an intermittent issue where the GlobalProtect portal used the cookie instead of the
authentication information provided by the GlobalProtect client, which caused
authentication to fail. With this fix, if a client connects using a cookie, the GlobalProtect
portal ignores the cookie in favor of the authentication information provided by the
GlobalProtect client so that authentication is successful.
85245 Fixed an issue where a virtual system (vsys) configuration remained in the firewall
configuration even after the vsys was deleted. This caused commits to fail when
attempting to add a new vsys using the same ID as the vsys that was not successfully
deleted.
85193 Fixed an issue in a high availability (HA) configuration where multiple overlapping queries
resulted in a race condition that caused HA sync jobs to fail.
84963 Fixed an issue in Panorama templates where administrators could mark a certificate as
Forward Trust or Forward Untrust but forwarding did not take place as expected when the
template was configured to apply only to one virtual system (single-vsys mode). With this
fix, marking a certificate as Forward Trust or Forward Untrust works as expected even
when the template is in single-vsys mode.
84908 Fixed an issue where the logged session end reason for decrypted SSL sessions always
displayed as aged out regardless whether that was the actual TCP session end reason.
With this fix, the session end reason now displays correctly for decrypted SSL sessions.
84729 Fixed an issue on M-Series appliances and with PA-7000 Series Log Processing cards
where output of the show system logdb-quota CLI command didn't match the values
in Logging and Reporting Settings in the web interface (Device > Setup > Management >
Logging and Reporting Settings > Log (Card) Storage) due to a discrepancy in space
calculation. With this fix, the values in the web interface accurately reflect available
storage space and match the output from the show system logdb-quota CLI command.
84538 Fixed an issue where a dataplane restarted unexpectedly on a firewall with SSL decryption
enabled. This occurred during the SSL handshake when the firewall received a Hello
packet from the server that had a higher SSL protocol version than the Hello packet
received from the client.
84496 Fixed an issue on PA-7000 Series firewalls where excessive or prolonged log queries
caused a memory leak on the Log Processing Card (LPC).
84239 Fixed an issue where a read-only Superuser was able to perform a commit when using
XML API (but not via the web interface). With this fix, read-only Superusers cannot use
XML API to perform commits.
83764 Fixed an issue where using web interface certificate authentication caused login failures.
83731 Fixed an issue in a virtual wire configuration where a firewall incorrectly modified the MAC
address for traffic when decryption was enabled. With this fix, the firewall no longer
modifies the MAC address of traffic.
83454 Fixed an issue with IPv6 traffic that had an extension header and caused jitter when
passing through a PA-7000 Series firewall in a high availability (HA) active/active
configuration.
83362 Fixed an issue where a commit failed when a subinterface that was pushed from Panorama
lost its reference to its associated VLAN after the subinterface configuration on the
firewall was overridden and then reverted in the template. With this fix, after an interface
is reverted, subinterfaces do not lose their mapping to VLANs.
83337 Fixed an issue where firewalls generated multiple core dumps after a reboot when
incoming packets were forwarded to the dataplane while an autocommit was still
processing. With this fix, packets are not forwarded to the dataplane until an in-process
autocommit is complete.
83328 Fixed an issue where an M-100 appliance experienced a memory limit condition. With this
fix, the virtual memory for the management server process is increased to avoid this issue.
83145 Fixed an issue on a PA-7000 Series firewall where an interface in tap mode unexpectedly
transmitted traffic that was received on that interface.
82916 Fixed an issue where the trusted CA store on the firewall was missing the QuoVadis root
CA 2 and root CA 3 G3 certificates. With this fix, both these QuoVadis certificates are
included in the trusted CA list.
82873 Fixed an issue with missing fields and inconsistencies in the Syslog format for Correlated
Events that were exported to a syslog server.
82862 Fixed an issue where the device server process (devsrvr) restarted unexpectedly when
Panorama pushed a template that contained a certificate with a corrupt public key.
82667 Fixed an issue where the PAN-OS integrated User-ID agent failed to connect to a
monitored server when the User-ID agent was configured to use the FQDN instead of the
IP address for the server.
82358 Fixed an issue where, when using LDAP authentication, a GlobalProtect client incorrectly
showed a Password expired message even when the password had not expired.
81812 Fixed an issue where a firewall did not accurately check certificate revocation status via
OCSP because the OCSP request did not include the HOST header option. With this fix,
the firewall uses the HOST header option as expected and successfully retrieves the
revocation status of the certificate in response to OCSP requests.
81743 Fixed an issue where URL categorization failed for some URLs due to an issue with
message buffer size.
81425 Fixed an issue where IPSec renegotiation was not initiated as expected after a PPPoE
interface received a new IP address.
81062 Fixed an issue where the email action for scheduled reports timed out due to reports that
took too long to generate. With this fix, the email timeout is increased and report
generation is enhanced to avoid this issue.
80415 Fixed an issue where a firewall was not presenting the Captive Portal response page to
users. This occurred when the URL category was marked not-resolved, such as when
cloud servers were unavailable.
79596 Fixed an intermittent issue on PA-5000 Series firewalls where the dataplane stopped
responding. With this fix, there are additional sanity checks and logging to avoid this issue.
73177 Fixed an issue where redistributed Not-So-Stubby Area (NSSA) type 7 routes converted
to NSSA type 5 routes were not flushed from the OSPF database quickly enough after the
redistributing NSSA router went down. With this fix, the OSPF is flushed within the
expected period of time so that routes that go down are not advertised as still available.
PAN-OS 7.0.4 Addressed Issues
The following table lists the issues that are fixed in the PAN-OS 7.0.4 release. For an overview of new
features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see
PAN-OS 7.0 Release Information.
Before you upgrade to PAN-OS 7.0.3 or a later PAN-OS 7.0 release, review the information about how to upgrade a
firewall to PAN-OS 7.0. Additionally, if virtual system (vsys) configuration is not enabled on your firewall or appliance,
you must reboot your firewall or appliance after you install PAN-OS 7.0.1 and before you upgrade to PAN-OS 7.0.3
or a later release.
Issue ID  Description
88869 Fixed a performance degradation issue on a VM-Series firewall with 8 cores when threat
scanning was enabled when attempting to process large transaction-specific SSL traffic
types. Additionally, this fix addressed an intermittent issue where the GlobalProtect MSI
file failed to download after a user authenticated to the portal page.
87422 Fixed an issue where multicast traffic was dropped when the source started sending group
traffic because there was not, yet, a corresponding multicast route or FIB entry on the
firewall. With this fix, the multicast route is updated more quickly and packets are
enqueued instead of dropped while the firewall waits for the updated route information.
87410 Fixed an issue where an API call to add, delete, or modify a URL entry failed when the URL
included a single (') or double (") quote character as an XML attribute. With this fix to
comply with XML Xpath 1.0, API instructions are completed successfully even when
acting on a URL that includes a single or double quote used as an XML attribute.
87385 Fixed an issue where all the widgets on the ACC tab of a managed firewall (and when
exported in a PDF file) display Report Error when you access the firewall through a
context switch from Panorama (whether virtual or M-Series appliance).
87280 Fixed an issue where the number of SSL free memory chunks was depleted to 0, which
caused a disruption in SSL decryption-related traffic.
87231 Fixed an issue where a PA-7000 Series firewall did not load balance egress traffic on
Aggregate Ethernet (AE) interfaces as expected.
87078 Fixed an issue where the management server stopped responding where there was a high
logging rate, which caused the Log Collector to disconnect from Panorama.
86938 The client certificate used by PAN-OS and Panorama to authenticate to the PAN-DB
cloud service, the WildFire cloud service, and to WF-500 appliances expired on January
21, 2016. The expiration results in an outage of these services. To avoid an outage, either
upgrade to content release version 550 (or a later version) or upgrade PAN-OS and
Panorama instances running a PAN-OS or Panorama 7.0 release to PAN-OS (or Panorama)
7.0.4 or a later release.
86895 Fixed an issue on M-Series and WF-500 appliances where the Ethernet1/2 interface
unexpectedly broadcasted DHCP discover packets with the internal BMC IPMI LAN MAC
address as the source MAC address when the internal BMC IPMI LAN was configured to
use DHCP as the source address.
86803 Fixed an intermittent issue where the idle timer for GlobalProtect IPSec tunnels either did
not expire appropriately (such as when the tunnel was torn down) or expired at the
configured idle time expiration even when a user was actively using the connection. With
this fix, the GlobalProtect IPSec tunnel idle timer behaves as expected.
86467 Fixed an issue in PAN-OS 7.0.3 where firewalls did not check for superuser accounts that
were pushed through a Panorama template, which caused an upgrade process error when
all superuser accounts were pushed through a Panorama template (firewalls must have at
least one superuser account in the configuration). With this fix, firewalls correctly
recognize superuser accounts that are pushed through a Panorama template.
85801 Fixed an issue where a firewall that was forwarding logs to multiple Panorama
management servers and Log Collectors stopped forwarding logs to any appliance after an
administrator suspended log forwarding on the active-primary Panorama server. With this
fix, the firewall continues to forward logs to all Panorama management servers and Log
Collectors except any appliance for which an administrator specifically suspends log
forwarding.
85721 Fixed an issue where firewalls with a specific OCZ Deneva hard disk (model
DENCSTE251M21) configured in a RAID and running PAN-OS 7.0.1 or later releases
experienced RAID errors.
85514 Fixed an issue where a commit request failed due to processes (configd and mongod) with
high memory usage.
85364 Fixed an issue where HTTP and HTTP Online Certificate Status Protocol (OCSP)
management services were enabled only for the first IP address on an interface with
multiple IP addresses. With this fix, when HTTP and HTTP OCSP management services
are enabled on an interface, services are enabled for all IP addresses associated with that
interface.
85166 Fixed an issue on a PA-7000 Series firewall where the first packet in a session was
dropped when it arrived before the firewall freed up a previous session that used the same
5-tuple. With this fix, the firewall treats the previous session as an inactive flow and
successfully creates the new session.
85091 Fixed an issue on a firewall where software packet buffers were being depleted. With this
fix, the firewall will dynamically adjust the TCP receive window based on peer traffic to
avoid software packet buffer depletion. Additionally, there is a fix for a memory leak in
error handling of SSL Forward Proxy mode and the size of the software buffer pools is
increased.
84851 Fixed an issue where the virtual system (vsys) ID on the firewall was computed incorrectly
when Panorama pushed a template with Force template value enabled and containing
virtual system information to the firewall.
84811 Fixed an issue on a VM-Series firewall (KVM on Centos 7/Redhat) where a process
(vmuuid) displayed as empty after boot. With this fix, the vmuuid process is displayed
correctly.
84678 Fixed an issue with the way the management plane performed updates through HTTP and
HTTPS calls, such as for block list and content updates.
84595 Fixed an issue with HTTP requests generated by the firewall when retrieving custom
Dynamic Block Lists.
84494 Fixed an issue where the session end reason for a single threat ID was reported differently
depending on which decoder was used. With this fix, only one session end reason (threat)
is reported for all blocked SMTP traffic regardless which decoder is used.
84465 Fixed an issue where the external interface on an LSVPN satellite was unable to establish
an LSVPN connection to the active-primary firewall in an HA active/active configuration
that was acting as the GlobalProtect portal or gateway when the external interface of the
satellite was configured as a DHCP client. (This failure occurred even though an LSVPN
connection was successfully established with the active-secondary firewall.) With this fix,
the LSVPN satellite (with the external interface configured as a DHCP client) successfully
establishes an LSVPN connection to both firewalls (active-primary and active-secondary)
after a reboot.
84454 Fixed an issue where attempts to load a partial configuration for a device group from an
XML file resulted in an error message. With this fix, you can successfully load a partial
configuration for a device group and merge it with an existing device group.
84433 Fixed an issue where a web page would not load successfully without refreshing the
browser multiple times when Online Certificate Status Protocol (OCSP) validation was
enabled. This occurred when a block page message was presented within one second of
the attempt to load an HTTPS site while decryption was enabled on the firewall with the
OCSP validation timeout set to 60 seconds.
84167 Fixed an issue where a firewall incorrectly reordered certain TCP traffic during transmit
stage.
84008 Fixed an issue where an LSVPN IPSec tunnel went down when the hard key lifetime
expired during a rekey. With this fix, the soft key lifetime is adjusted so that the hard key
lifetime does not expire before the rekey finishes.
83907 Fixed an issue where administrators could not disable counters in system logs using the
debug dataplane packet-diag set log counter <counter-name> CLI command
when those counters had names longer than 31 characters.
83902 Fixed an issue where monitoring an SNMP OID (.1.3.6.1.2.1.25.2.3.1.5.41) for disk space
resulted in incorrect values on volumes over 2TB in size.
83898 Fixed an issue on Panorama M-Series and virtual appliances where exporting a report as
a comma-separated value (CSV) file (Monitor > Reports) failed and resulted in a web
interface error (Error enqueuing export job).
83889 Fixed an issue where a PA-7000 Series firewall incorrectly dropped non-TCP and
non-UDP fragmented traffic, such as EtherIP traffic.
83844 Fixed an issue where a memory leak caused a PA-200 firewall to reboot.
83657 Fixed an issue where Panorama did not properly push device or template configurations
for NTP, send hostname in syslog, or WildFire settings to a device.
83592 Fixed an issue where the User-ID process (useridd) went into a reboot loop and caused the
passive firewall in a high availability (HA) configuration to restart. This was due to bulk and
incremental updates of terminal services users.
83253 Fixed an issue where video calls failed when H.245 (open logical channel ack) packets
referenced a pre-NAT address.
82913 Fixed an issue where ToS headers were not set correctly in Encapsulating Security Payload
(ESP) packets across VPN tunnels.
82865 Fixed an issue with a PA-5000 Series firewall where sessions owned by dataplane 1 (DP1)
or DP2 did not display in the output when executing the show session command on
DP0.
82710 Fixed an issue where unexpected dataplane restarts occurred due to out-of-memory errors
and high resource usage on packet descriptors when SSL Forward Proxy was enabled. This
fix also addresses a dataplane process memory leak.
82621 Fixed an intermittent issue on a PA-7000 Series firewall where traffic was dropped when
the log interface and dataplane interfaces were both configured on the same Network
Processing Card (NPC).
82424 Fixed an issue on a PA-5000 Series firewall where packets were dropped or the dataplane
stopped responding when receiving specific ingress or egress traffic associated with
offloaded sessions. With this fix, a field-programmable gate array (FPGA) change was
made to address these issues.
82138 Fixed an issue where WildFire reports were not displayed on the web interface when
proxy settings were configured for the management interface.
82095 Fixed an issue where a commit request did not finish processing due to a process (routed)
that stopped responding.
81996 Fixed an issue where a HIP Profile did not sync between the active and passive firewalls
in a high availability (HA) configuration, which caused the HIP Profile to no longer be in
effect after a failover. With this fix, the HIP Profile is correctly synced between the active
and passive firewalls and remains in effect after a failover.
81949 Fixed an issue where Dynamic Address Groups pushed from Panorama to a firewall were
not displayed in the output of CLI show commands.
81830 Fixed an issue where SSL Forward Proxy did not include the appropriate TLS 1.2 extension
(Signature Algorithms) in Client Hello messages, which prevented successful
interoperability with some Microsoft websites.
81333 Fixed an issue where managed firewalls and appliances were unable to connect to
Panorama using the master key after a factory reset (or RMA).
81241 Fixed a rare issue where NAT traffic was dropped after a failed commit attempt.
80631 Fixed an issue in a high availability (HA) configuration where the ports on the passive
firewall did not come up when the passive link state was set to auto (Device > High
Availability > General > Active Passive Settings).
79917 Fixed an issue on a PA-3000 Series firewall where the dataplane stopped responding
when receiving specific ingress or egress traffic associated with offloaded sessions. With
this fix, a field-programmable gate array (FPGA) change was made to address this issue.
78624 Fixed an issue where the active-secondary firewall in an HA active/active configuration
was incorrectly responding to ARP requests for the IP address used in the destination NAT
rule with binding to the active-primary firewall.
78482 Fixed an issue where VM Information Sources bypassed proxy settings.
78317 Fixed an issue where the management plane in an HA active/passive configuration
restarted due to a dataplane process (mprelay) that stopped responding when it
experienced memory corruption and encountered unexpected behavior from the FIB
pointer.
77236 Fixed an issue where importing a certificate more than once with different names caused
the dataplane to stop responding when the certificate was used for SSL Inbound
inspection.
76269 Fixed an issue where an active-primary M-100 appliance in an HA configuration was
unable to establish a connection with the passive-secondary or active-secondary HA peer
for log collection.
76197 Fixed an issue where firewall Traffic logs displayed unusually large byte counts for
http-proxy and http-video counters due to frequent application shifts between
those application type packets within a single proxy session.
76103 Fixed an issue where adding a threat exception to a Vulnerability Protection profile
(Objects > Security Profiles > Vulnerability Protection > profile > Exceptions) resulted in
an error (Schema node for Xpath was not found).
70719 In response to an issue where a dataplane restarted due to an incorrect flow ID, PAN-OS
6.1.4 and later releases included additional checks to help prevent the dataplane from
restarting due to this issue. In PAN-OS 7.0.3, those PAN-OS 6.1.4 modifications were
further modified to provide a more complete solution that avoids inadvertently dropping
IPv4 traffic affected by this issue; in PAN-OS 7.0.4, the solution includes an additional fix
to avoid inadvertently dropping IPv6 traffic related to this issue.
66285 Fixed an issue where the web interface certificate did not properly sync between HA
peers, which led to a race condition that caused a commit request to fail.
PAN-OS 7.0.3 Addressed Issues
The following table lists the issues that are fixed in the PAN-OS 7.0.3 release. For an overview of new
features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see
PAN-OS 7.0 Release Information.
Before you upgrade to PAN-OS 7.0.3 or a later PAN-OS 7.0 release, review the information about how to upgrade a
firewall to PAN-OS 7.0. Additionally, if virtual system (vsys) configuration is not enabled on your firewall or appliance,
you must reboot your firewall or appliance after you install PAN-OS 7.0.1 and before you upgrade to PAN-OS 7.0.3
or a later release.
Issue ID  Description
85065 Fixed a CLI input parsing issue that caused a process on the management plane to stop
responding when processing unexpected input.
84711 Fixed an intermittent issue where some packets incorrectly matched Security policy rules,
which resulted in App-ID policy lookup errors and discarding of packets.
84599 Fixed an issue in PAN-OS 7.0 releases where a process (dhcpd) did not correctly handle
DHCP padding Option 0 when receiving DHCP request from the DHCP client. This
prevented the firewall that was acting as the DHCP server from allocating and committing
the offered IP address to the DHCP client, which caused the firewall to be stuck in offered
state. With this fix, the DHCP process correctly handles DHCP padding Option 0 and
successfully commits IP addresses offered to DHCP clients.
84246 Fixed an issue where a PA-7050 firewall running PAN-OS 7.0 assigned the same MAC
address to all interfaces on two different PA-7050 chassis when the chassis base MAC
addresses differed only in the 10th bit. With this fix in PAN-OS 7.0.3, two such different
PA-7050 chassis are assigned different interface MAC addresses as expected.
84046 Fixed an issue where SSL decryption failed when a certificate was rejected due to a missing
or empty basicConstraints extension. With this fix, an exception is added to allow a missing
or empty basicConstraints extension for self-signed non-CA certificates.
84012 Fixed an issue where a process (ikemgr) stopped responding due to a missing IKE profile.
83867 Fixed a rare issue where one of the internal databases was corrupted after an improper
shutdown (power off) of the firewall. When this happened, the firewall was unable to
automatically restart and would not start up properly thereafter.
83819 Fixed an issue on an M-100 appliance running Panorama 7.0 where a custom report failed
to run when setting the Database (Monitor > Manage Custom Reports) to Summary
Databases > Remote Device Data > Threat and selecting Severity from the list of Available
Columns when any remote firewall used for custom reporting was running a PAN-OS 6.1
or earlier release.
83637 Fixed an issue where packet processing on a VM-Series firewall caused the firewall to stop forwarding traffic.
83574 Fixed a rare issue where, in some scenarios, such as when a firewall is restarted and IPSec security associations (SAs) are not established when a remote VPN peer is unreachable, the tunnel interface configured with IPSec tunnel monitoring is present in the routing table and status is Up.
83519 A security-related fix was made to address CVE-2015-5600.
83293 Fixed an issue in Panorama where SNMPv3 settings were removed and could not be updated when modifying an existing SNMPv3 device template.
83288 Fixed an issue where autocommit failed when the GlobalProtect gateway or Captive Portal certificate was pushed through Panorama after upgrading a firewall from a PAN-OS 6.1 release to PAN-OS 7.0.2.
83256 Fixed an issue where the firewall did not block unsupported elliptic curve Diffie-Hellman (ECDH) exchange cipher suites during SSL forward proxy even when Block sessions with unsupported cipher suites was enabled (Objects > Decryption Profile > <decryptprofile> > SSL Decryption > SSL Forward Proxy).
83149 Fixed an issue where a missing node (user) in the unlock command prevented administrators from using the Panorama web interface to unlock a locked LDAP user.
83142 Fixed an issue where triggering a DHCP release did not clear the original settings for a DHCP client that was in renew state.
83113 Fixed an issue where attempts to regenerate metadata caused a process (update_vld_itvl_idx) to stop responding when encountering a corrupt log file (a log file that contained invalid data). With this fix, the metadata regeneration process skips log files that contain invalid data so that regeneration task is successfully completed.
83102 Added functionality to allow commits to succeed even when there is no Network Processing Card (NPC) installed yet, or when the NPC is not supported or recognized in the current PAN-OS release. With this fix, you can install PA-7000 Series cards that are not supported in the PAN-OS version shipped with or running on the firewall and then upgrade to the appropriate PAN-OS version.
83041 Fixed an issue where adjustments to the width of columns in the web interface are not saved, causing columns to revert to previous settings when you view a different tab. With this fix, changes to the width of columns in the web interface are retained until changed again.
83004 Fixed an issue where a Zone Protection profile with strict IP checking enabled resulted in incorrectly dropped packets. These drops were caused by an improper check of whether the source IP address was a broadcast address.
83001 Fixed an issue on an M-100 appliance where available disk size was reported as 0 bytes during an upgrade. This incorrectly caused old logs to be purged from the other Log Collectors in the group in an attempt to adhere to the configured log quota for the group. Additionally, Panorama 6.1.8 and Panorama 7.0.3 (and later releases) on an M-100 appliance with zero disk space displays an error when attempting to commit to Collector Group (Failed to commit collector config) or a warning when attempting to commit to Panorama (Disk <disk-ID> on log collector <log-collector-id> in group <group-ID> has a size of zero bytes).
82887 Fixed an issue where authentication attempts against a local authentication profile within an authentication sequence failed when the local profile was not the first profile in the sequence.
82853 Fixed an issue where role-based administrators were not allowed to perform API calls.
82849 Fixed an issue on a Panorama virtual appliance using a Network File System (NFS) storage partition where the file system integrity check incorrectly failed for the NFS directory, which caused the NFS mount to fail when rebooting Panorama after an upgrade to Panorama 7.0.
82838 Fixed an issue where the User-ID process (useridd) stopped responding when reading config messages from the Terminal Services (TS) agent.
82778 Fixed an issue where failed authentication attempts were not cleared when the authentication attempt was eventually successful. With this fix, the failed authentication attempt counter for a given user is reset as expected after every successful login.
82534 Fixed an issue where a firewall incorrectly injected SSL messages into traffic on port 443.
82533 Fixed an issue where the OCSP responder failed to check the validity of client certificates and showed status as unknown when unable to locate the custom root CA used in the certificate profile for the GlobalProtect portal configuration.
82377 Fixed an issue where, in a Large Scale VPN (LSVPN) configuration, a GlobalProtect gateway incorrectly installed the previously allocated IP address for the GlobalProtect satellite as the next hop for the routes advertised by satellites. With this fix, the GlobalProtect gateway removes any old IP addresses allocated to the satellite and correctly installs the new IP address allocated to the satellite as the next hop for the routes advertised by satellites.
82338 Fixed an issue where one-time password (OTP) RADIUS authentication failed when configured in the same authentication sequence as the domain selection. This issue was caused by the firewall incorrectly truncating the RADIUS challenge state. Also fixed OTP RADIUS authentication issues where the backslash (\) character was incorrectly removed from the username entry and where an incorrect password resulted in long delays before returning a password error message.
82326 Fixed an issue where additional locked users are not displayed when you click More in the web interface (Devices > Authentication-Sequence > Locked Users).
82136 Fixed an issue where packets that matched a policy-based forwarding (PBF) rule with Action set to No PBF (Policies > Policy Based Forwarding > <pbfrule> > Forwarding) were dropped when offloading was enabled. With this fix, offloaded sessions are passed as expected even when the traffic matches a PBF rule with Forwarding set to No PBF.
82109 Fixed an issue on a PA-7000 Series firewall where passive FTPS with inbound decryption failed after entering passive mode. This occurred when predict sessions did not merge as expected due to the predict queue. With this fix, proxy ingress executes before the predict queue so that all data sessions merge as expected and FTP transfer is successful over TLS.
82099 Fixed an issue where the remote host (From) IP address for the Panorama session displayed in reverse order displayed the administrator IP address in the Logged in Admins widget on the Dashboard.
81944 Fixed an issue where patch management for a GlobalProtect host information profile (HIP) check failed to identify missing patches when the Check setting for patch management in HIP Objects criteria was set to has-all, has-any, or has-none (Objects > GlobalProtect > HIP Objects > Patch Management > Criteria).
81927 Fixed an issue where a firewall stopped submitting files to a WildFire cloud (public or private) when a CPU process (varrcvr) stopped responding. This issue occurred when receiving an email with a subject line containing more than 252 characters.
81868 Fixed an issue with a packet buffer (FPTCP) leak and resolved a few dataplane-to-management-plane connection issues, as well.
81581 Fixed an issue where a process (useridd) was unable to accommodate a large number of HIP reports during HA synchronization, which caused abnormally high CPU and memory utilization on the firewall.
81522 Fixed an issue where a firewall allowed commits to succeed even when there were no superuser administrator accounts included in the configuration. This would cause the firewall to be inaccessible (except when the firewall was managed by Panorama, which could still provide access to the firewall through Panorama context switching). With this fix, a commit succeeds only if there is at least one local superuser account in the configuration; if none exist, the commit fails.
81415 Fixed an issue on PA-7000 Series, PA-5000 Series, PA-3000 Series, and PA-500 firewalls where an Aggregate Ethernet (AE) interface was unable to transmit an ARP request on a tagged subinterface to the neighboring device.
81408 Fixed an issue where shared address objects that are not used in security policy rules were pushed to firewalls even when Panorama Settings (Panorama > Setup > Management) was configured to not Share Unused Address and Service Objects with Devices.
81370 Fixed an issue where the firewall was unable to allocate a large memory block, which caused sessions to fail. This fix ensures adequate resources are available for a large memory block when needed.
81367 A security-related fix was made to address CVE-2015-4024.
81301 Fixed an issue on a firewall with decryption enabled where insufficient buffer space resulted in discarded SSL sessions.
81170 Fixed an issue where the SNMP manager returned a warning (subtype-illegal) related to panVsysEntry OBJECT-TYPE (panVsysName) when adding the PAN-COMMON-MIB.my MIB file. With this fix, adding the current version of MIB files to the SNMP manager does not trigger a subtype-illegal warning.
81058 Fixed an issue on PA-7000 Series firewalls where NAT Dynamic IP fallback did not correctly translate resources, which resulted in dropped packets.
80932 Fixed an issue where passwords for non-administrators entered in the GlobalProtect login window were truncated to 40 characters when using RADIUS authentication.
80831 Fixed an issue where SSL decryption failed for some sites when the size of the certificate was larger than 1.5KB.
80766 Fixed an issue where dataplane 0 (DP0) on the passive firewall in a high availability (HA) configuration restarted after a session was established on the active firewall interface when that same interface did not also exist on the passive firewall.
80753 Fixed an issue on a PA-3060 firewall where a network outage occurred when the number of active sessions reached 100,000. With this fix, the maximum number of detector threats (dthreats) is increased to avoid this issue.
80702 Fixed an issue in a high availability (HA) configuration where the ARP table synced with the primary peer but was refreshed only on dataplane 0 (DP0) of the passive peer, which caused ARP entries to expire prematurely on the passive firewall when their TTL reached 0.
80648 Fixed an issue where a device group commit failed when using the destination interface in a NAT rule configured on Panorama.
80533 Fixed an issue where administrators could view addresses and usernames in the Application Command Center (ACC) view even when the Show Full IP Addresses or Show User Names In Logs And Reports option was disabled for the Admin Role profile associated with those administrators (Device > Admin Roles > <AdminRoleProfile> > Web UI > Privacy settings).
80397 Fixed an issue where you could create a new Monitor profile when creating a policy-based forwarding (PBF) rule on Panorama even when the target template was unknown (the PBF rule is part of a device group and the Monitor profile is part of a template configuration). With this fix, you can no longer create a new Monitor profile when creating a PBF rule on Panorama.
80389 Fixed an issue on a PA-5060 firewall where internal packet path monitoring failed when under a heavy load. With this fix, internal packet path monitoring is forwarded using a priority setting that prevents these failures even when experiencing high traffic conditions.
80086 Fixed an issue where a firewall displayed an incorrect location for the source or destination on the Traffic Map.
79841 Fixed an issue where, in certain circumstances, there were discrepancies between a scheduled report and that same report generated using the run now option (Monitor > Manage Custom Reports > <CustomReport>).
79746 Fixed an issue on a PA-2000 Series firewall where an Aggregate Ethernet (AE) interface was unable to transmit an ARP request on a tagged subinterface to the neighboring device.
78848 Fixed a rare issue where a commit (such as an antivirus update or FQDN refresh) caused the firewall to stop processing traffic. This issue occurred after a high availability (HA) synchronization event when the autocommit triggered by the synchronization event was ignored. With this fix, a force commit request is automatically and repeatedly generated until successful.
78426 Fixed an issue where a CPU process (pan_dhcpd) spiked when DHCP NAK packets were received on the DHCP relay interface.
78210 Fixed an issue in a high availability (HA) active/passive configuration where the multicast tree failed to converge non-offloaded multicast traffic as quickly as expected after a failover. With this fix, the multicast tree convergence time is reduced for non-offloaded multicast traffic after an HA active/passive failover.
77299 Fixed an issue where WildFire analysis reports did not display Coverage Status for the sample when using a Firefox browser even when a signature was generated to identify the sample (Monitor > Logs > WildFire Submissions > Detailed Log View > WildFire Analysis Report). With this fix, you can view the correct Coverage Status for a sample when using a Firefox browser.
76811 Fixed an issue where packet loss could occur with asymmetric traffic when two PA-4060 firewalls were set up as peers in a high availability (HA) active/active configuration. This issue occurred with VLAN-tagged traffic when jumbo frames processing was disabled and large non-jumbo frames passed over the HA3 link and became jumbo frames.
76481 Fixed an intermittent issue where a Category for a session in the URL Filtering log did not match the actual categorization of that session. With this fix, the logic for removing expired or unresolved URL cache entries is improved so that a Category in the URL Filtering log stays in sync with the actual categorization of a session.
72115 When the web interface was set to display in any language other than English, service routes to specify how the firewall communicates with other servers or devices could not be configured (Device > Setup > Services > Service Route Configuration). This issue has been fixed so that service routes can be configured and work correctly when the web interface is set to any language preference.
70719 In response to an issue where a dataplane restarted due to an incorrect flow ID, PAN-OS 6.1.4 and later releases included additional checks to help prevent the dataplane from restarting due to this issue. With this fix in PAN-OS 7.0.3, those PAN-OS 6.1.4 modifications are further modified to provide a more complete solution that avoids inadvertently dropping IPv4 traffic affected by this issue.
67254 Fixed an issue where an XML API call for system RAID failed with an attribute error for raid_handler object.
66607 Fixed an issue on a PA-200 firewall where administrators could configure a firewall directly or use Panorama to push external block lists (EBLs) with a total number of EBL lists or IP addresses that exceeded limitations and did not receive an error message. (Low-end platforms support a maximum of 10 lists and 50,000 IP addresses; high-end platforms support a maximum of 30 lists and 150,000 IP addresses; there is no per-list maximum for any platform.) With this fix, an error message is displayed as expected when configuring a PA-200 firewall directly or through a push from Panorama (or PAN-OS release downgrade) where the number of EBL lists or IP addresses exceeds the limitations of that firewall or of the current PAN-OS release.
34340 Fixed an issue where a large number of informational logs for the key manager process (keymgr) were included in reports when log setting for keymgr logs was set to normal. With this fix, informational logs for keymgr are included only when you configure logging for keymgr messages to the debug setting using the debug keymgr on debug CLI command.
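Added example, not Palo Alto Networks code: issue 84599 above concerns the DHCP Pad option, which RFC 2132 defines as a single octet (code 0) with no length field. The Python sketch below parses an options field accordingly; the naive parser, the function names and the sample requests are constructed for illustration, and how dhcpd actually mishandled the option is not stated in these notes.

```python
"""Parse a DHCPv4 options field, treating Pad (0) and End (255) as the
single-octet options that RFC 2132 defines them to be."""
import ipaddress

PAD, END = 0, 255
OPT_REQUESTED_IP, OPT_MESSAGE_TYPE, OPT_SERVER_ID = 50, 53, 54
DHCPREQUEST = 3


def parse_options(buf: bytes) -> dict:
    """Return {option code: value bytes} for the options after the magic cookie."""
    options = {}
    i = 0
    while i < len(buf):
        code = buf[i]
        if code == PAD:      # one octet, no length field: skip it
            i += 1
            continue
        if code == END:      # one octet, terminates the options
            return options
        if i + 1 >= len(buf):
            raise ValueError(f"option {code}: length octet missing")
        length = buf[i + 1]
        value_end = i + 2 + length
        if value_end > len(buf):
            raise ValueError(f"option {code}: length {length} runs past the buffer")
        # A repeated code is a split long option (RFC 3396): concatenate.
        options[code] = options.get(code, b"") + buf[i + 2:value_end]
        i = value_end
    raise ValueError("options not terminated by End (255)")


def naive_parse_options(buf: bytes) -> dict:
    """Hypothetical flawed parser: assumes every option is code/length/value,
    so a Pad octet is read as a code and the next octet as its length."""
    options = {}
    i = 0
    while i + 1 < len(buf) and buf[i] != END:
        code, length = buf[i], buf[i + 1]
        value_end = i + 2 + length
        if value_end > len(buf):
            raise ValueError(f"option {code}: length {length} runs past the buffer")
        options[code] = buf[i + 2:value_end]
        i = value_end
    return options


def requested_ip(buf: bytes):
    """Return the address a DHCPREQUEST asks for, or None if it is not usable."""
    options = parse_options(buf)
    if options.get(OPT_MESSAGE_TYPE) != bytes([DHCPREQUEST]):
        return None
    raw = options.get(OPT_REQUESTED_IP)
    if raw is None or len(raw) != 4:
        return None
    return str(ipaddress.IPv4Address(raw))


# Constructed sample option fields (not captured traffic).
_BODY = bytes([OPT_REQUESTED_IP, 4, 192, 168, 1, 100,
               OPT_SERVER_ID, 4, 192, 168, 1, 1, END])
# One Pad octet between options: the naive parser reads 0 as a code and
# 50 (the next option's code) as its length, then runs off the buffer.
REQUEST_ONE_PAD = bytes([OPT_MESSAGE_TYPE, 1, DHCPREQUEST, PAD]) + _BODY
# Two Pad octets plus trailing padding: the naive parser happens to stay
# aligned but records a bogus zero-length "option 0".
REQUEST_TWO_PADS = (bytes([OPT_MESSAGE_TYPE, 1, DHCPREQUEST, PAD, PAD])
                    + _BODY + bytes([PAD, PAD]))

if __name__ == "__main__":
    for name, sample in (("one pad", REQUEST_ONE_PAD), ("two pads", REQUEST_TWO_PADS)):
        print(name, "->", requested_ip(sample))
        try:
            print("  naive:", sorted(naive_parse_options(sample)))
        except ValueError as exc:
            print("  naive parser failed:", exc)
```

Whether the naive parser fails outright or silently invents an option depends only on how many Pad octets the client happens to send, which is why this class of bug tends to surface with specific DHCP clients.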
PAN-OS 7.0.2 Addressed Issues
The following table lists the issues that are fixed in the PAN-OS 7.0.2 release. For an overview of new features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see PAN-OS 7.0 Release Information.
Issue ID  Description
82724 Fixed an issue where old registered IP addresses in a Dynamic Address Group on a high availability (HA) active/passive pair were deleted from the passive firewall when that firewall switched from non-functional to passive state and received an incremental update of registered IP addresses from the active firewall. This fix also addressed a related issue in an HA active/active configuration where the active-secondary firewall retained old IP addresses in the Dynamic Address Group after switching to a functional state when the active-secondary firewall switched to non-functional state and all IP addresses in the Dynamic Address Group became unregistered on the active-primary firewall.
82717 Fixed an issue where a dataplane stopped responding after a reboot due to an initialization issue on SFP+ ports.
82675 Fixed an issue on an M-100 appliance where, after an upgrade to PAN-OS 7.0.1, an authentication process (authd) stopped responding when the LDAP binding password contained special characters.
82370 Fixed an intermittent issue where a dataplane process (mprelay) experienced a memory leak that caused the virtual memory to increase until it triggered a dataplane restart.
82310 In response to a fragmentation issue, virus patterns are split into smaller chunks to reduce the possibility of memory allocation failure.
82087 Fixed an issue where a firewall displayed an alert for low disk space. With this fix, the /opt/content directory was removed to improve the disk cleanup process.
82009 Fixed an issue where a document file triggered an attempt to ping an IP address.
81981 Fixed an issue where the LLDP System Name field displayed the firewall model number and could not be modified to differentiate from other similar firewalls. With this fix, the firewall populates the LLDP System Name field using the configurable hostname value.
81970 Fixed an issue where some Active Directory (AD) servers were incorrectly displaying a Password expires in x days message even after selecting Password never expires on the AD server. With this fix, the AD server ignores the maximum password age (maxPwdAge) value when the Password never expires option is selected.
81955 Fixed an issue on a firewall where files were not sent to WildFire as expected when the first 8 bytes of the file were split across different packets or decrypted buffers.
81941 Fixed an issue where a dataplane restarted when encountering resumed SSL sessions using inbound SSL decryption.
81819 Fixed an issue where the System log reported that a firewall in a high availability (HA) active/active configuration Received conflicting ARP for the floating IP address of its HA peer. With this fix, duplicate IP address detection continues to log conflicts for non-floating IP addresses, as well as duplicate addresses detected for a floating IP address received from any other device that is not a member of the HA pair.
81816 Removed support for SSLv3 on Panorama for connections to managed devices.
81797 Fixed an issue where ASCII and special characters were not supported in the user activity report username field.
81783 Fixed an issue where a firewall picked the wrong decryption cipher when configured with multiple IPSec Crypto profiles for IKEv2 negotiation.
81676 Fixed an issue where a firewall allowed administrators to configure a subinterface using invalid notation (such as ethernet1/1.1.1).
81577 Fixed an issue where custom URL categories associated with a Decryption policy did not match traffic destined for a proxy server.
81572 Fixed an issue on a PA-7000 Series firewall that displayed incorrect timestamps in Traffic, Threat, and URL Filtering logs.
81535 Fixed an issue where the group list was empty after pushing the group mapping configuration from Panorama to a multi-vsys firewall during an attempt to configure users in a Security policy rule even though the group mapping state was synchronized.
81510 Fixed an issue where Device Group and Template administrators were able to create and modify Shared objects. With this fix, Device Group and Template administrators are allowed to create and modify only objects specific to the device groups and templates to which they have access, not Shared objects.
81500 Fixed an issue where a VM-Series firewall in a VMware NSX configuration running on an ESXi server restarted when a process (all_task) stopped responding.
81485 Fixed an issue on PA-200 and VM-Series firewalls where local objects were not resolved in the Traffic log after selecting the Resolve hostname option (bottom of the Monitor > Logs > Traffic tab).
81452 Fixed an issue where switching context from the Panorama web interface to a managed firewall did not indicate whether the administrator was logged in over an encrypted SSL connection; the System log message was always User admin logged in via Panorama from x.x.x.x using http regardless whether the connection was encrypted. With this fix, the System log now specifically reports User admin logged in via Panorama from x.x.x.x using http over an SSL connection when the administrator is connected through an encrypted SSL connection to differentiate from non-encrypted connections.
81373 Fixed an issue where WildFire Analysis reports for samples analyzed in a WildFire cloud (public or private) were not displayed in the WildFire Submissions log (Monitor > WildFire Submissions) when the firewall was configured to communicate with the WildFire cloud through a proxy server.
81312 Fixed an issue where firewall Device administrators were unable to run and view output on a firewall for the show panorama-status CLI command. With this fix, Device administrator, Device administrator (read-only), Superuser, and Superuser (read-only) users (Device > Administrators > <administrator>) can run and view output for the show panorama-status command from the firewall.
81271 Fixed an issue where the second attempt to access some websites over HTTPS failed when SSL Forward Proxy was enabled.
81219 Fixed an issue with stability when adding Log Collectors to a Collector Group.
81115 Fixed an issue where administrators experienced long delays when executing log queries consisting of multiple attributes.
81110 Fixed a session reuse issue where an incoming SYN/ACK packet for an established session caused a failure in TCP reassembly, which resulted in a dropped packet even when the Reject Non-SYN TCP option was disabled (Network > Network Profiles > Zone Protection > <ZoneProtectionprofile> > Packet Based Attack Protection > TCP Drop). With this fix, initiating session reuse with a SYN/ACK packet is successful regardless of the Reject Non-SYN TCP setting.
80993 Fixed an issue in PAN-OS 7.0 (as well as in Panorama 5.1 and later releases) where XML API POST requests failed when including a QUERY_STRING but no content-length header. With this fix (in both PAN-OS and Panorama 7.0.2 releases), POST requests with a QUERY_STRING and a missing content-length header are successful.
80933 Fixed a rare issue where a PA-7000 Series firewall experienced heartbeat failures on the HA1 and HA1 backup links that caused split brain in a high availability (HA) configuration.
80924 Fixed an issue where a GlobalProtect Large Scale VPN (LSVPN) satellite configuration caused the satellite firewall to Proxy ARP for the defined access route subnets on all logical and physical interfaces.
80896 Fixed an issue where some actions that utilize the /opt/pancfg/ partition, such as dynamic updates and commits, were failing when that partition ran out of space due to a large number of HIP reports received from User-ID XML API. With this fix, HIP reports are no longer saved in the /opt/pancfg/ partition of the firewall.
80840 Fixed an issue where the URL filter did not correctly parse the common name (CN) value when a MAC address was specified as the CN value in the server certificate.
80767 In response to a very rare issue where the configured NAT pool or method was not utilized as expected, an enhancement was made to Tech Support file generation that includes additional data to help troubleshoot the issue.
80720 Fixed an issue where a firewall experienced a dataplane restart when the packet processing daemon terminated due to a double-free condition associated with a specific packet buffer (fptcp).
80687 Fixed an issue on PA-7000 Series, PA-5000 Series, and PA-3000 Series firewalls where software packet buffers were depleted (although eventually recovered) when receiving TCP packets with large payloads. With this fix, modifications to processes for allocating software buffers and handling TCP congestion ensure that software packet buffers do not get depleted due to packets with large payloads.
80669 Fixed an issue on firewalls in CCEAL mode where the management server would restart when the firewall attempted to send an SNMPv3 trap.
80624 Fixed an issue where administrators experienced delays accessing the firewall web interface when the firewall reconnected to Panorama and had a large number of logs to send.
80592 Fixed an issue where firewalls in a high availability (HA) active/passive configuration did not sync the Dynamic Address Group when one of the firewalls stopped functioning and then changed to a functional state.
80567 In response to an issue where race conditions affecting Block IP table operations inadvertently caused some packets to be marked as drop ip block without any entry in the Block IP table.
80532 Fixed an issue where files were not being forwarded as expected to the WildFire cloud (public or private) due to a terminated process (varrcvr). This issue occurred when the Subject field in forwarded emails contained non-ASCII characters.
80404 Fixed an issue where PA-2000 Series firewalls experienced connectivity issues when auto-negotiating duplex and speed settings on the management interface connection to a third-party device. With this fix, a new driver is added to ensure that the management interface remains accessible and to provide a more reliable transition when speeds are changed (such as from 1,000Mbps over full duplex 1000/Full to 100/Full) when there is little or no traffic flowing through the firewall. Use the following best practice recommendations to ensure successful transitions:
  • When possible, set both the PA-2000 Series firewall and the third-party device to auto-negotiate mode, where each side selects the highest possible common maximum speed and duplex setting.
  • If you must manually configure the speed and duplex setting for either the firewall (Device > Setup > Management > Management Interface Settings) or the third-party device, you should manually configure the same speed and duplex settings on both sides so that they are in sync. If you do not manually configure the settings to be the same at both ends of the connection, traffic flow will be impacted because the PA-2000 Series firewall cannot determine the correct duplex mode and will default to half-duplex mode, which can cause a duplex mismatch.
  • If you manually configure both sides of the connection:
      • Do not set the port on the third-party device to 1000Mbps master mode, as this will completely stop traffic and the ports will not recover (both ports try to control the link and neither is successful).
      • Do not attempt to change the speed or duplex setting while traffic is flowing through the connection: pause traffic, configure the two peer ports appropriately, make sure the ports are set to the same speed and duplex values, and then resume traffic flow.
80386 Fixed an issue where a configuration override failed when pushing system log settings to firewalls from Panorama resulting in the following error: edit failed, may need to override template object informational first.
80318 Fixed an intermittent issue on a PA-7000 Series firewall where some packets were dropped during the initial session setup process. This issue occurred when two packets in the same session were sent almost simultaneously, causing the second of the two packets to get dropped.
80251 Fixed an issue on a firewall where a dataplane restarted with multiple core files (all_pktproc, flow_ctrl, and flow_mgmt) after the firewall received percent-encoded HTTP requests from a proxy server when both the parsing of X-Forwarded-For (XFF) attributes and stripping of XFF from HTTP Headers were enabled (configured with the set system setting ctd CLI command). With this fix, you can enable both XFF actions without causing the dataplane to restart when the firewall receives percent-encoded HTTP request from a proxy server.
80063 Fixed an issue on an M-100 appliance where the configuration daemon (configd) stopped responding when processing a null value.
79960 Fixed an issue where the firewall sent an extra carriage return line feed (CRLF) in HTTP/1.1 POST packets when requesting an update from the BrightCloud URL database. This issue occurred when using a proxy server, which correctly rejects the packets and returns HTTP/1.1 400 Bad Request messages due to the extra CRLF (per RFC 7230).
79929 Fixed an issue where a process (mprelay) stopped responding and did not receive a refresh of the configuration when it restarted.
79925 Fixed an issue where virtual wire (vwire) path monitoring failed and the firewall stopped sending ICMP packets over the vwire interface after a high availability (HA) failover.
79719 Fixed a rare issue where a dataplane restarted when multiple processes (flow_ctrl and mprelay) stopped responding due to a software buffer leak.
79709 Fixed an intermittent issue where ZIP processing may cause the dataplane to restart.
79535 Fixed an issue in a high availability (HA) configuration where the monitored destination IP address for Path Monitoring displayed as up even when unavailable, preventing the firewall from displaying as tentative as expected. With this fix, the monitored destination IP address correctly shows as down when unavailable, which results in the firewall correctly changing status to tentative.
79504 Fixed an issue where a passive M-100 appliance in a high availability (HA) configuration lost its device group and template configuration.
79470 Fixed an issue where Panorama did not display WildFire Analysis reports correctly in the WildFire Submissions log for WF-500 appliances running PAN-OS 6.1 or earlier releases.
      You can fetch these reports using a secure channel only for WF-500 appliances running PAN-OS 7.0.2 or later releases; a secure channel is not used when fetching reports from a WF-500 appliance running PAN-OS 7.0.1 or earlier releases.
79382 Fixed an issue where IP address registration through the XML API failed to populate the Dynamic Address Group following an AddrObjRefresh job failure during a template commit from Panorama when the Force Template Values option was checked, resulting in an Error: Failed to parse security policy.
79347 Fixed an issue where a firewall stopped responding and triggered a dataplane restart when receiving incomplete and insufficient parameters in API calls. With this fix, checks are in place to prevent the dataplane restart when receiving API requests with invalid or insufficient parameters.
79046 Fixed an issue on an M-Series appliance running in Log Collector mode where log forwarding to an external syslog server stopped working after a Panorama commit when forwarding logs through TCP port 514 (default) instead of UDP port 514 (Device > Server Profiles > Syslog). With this fix, you no longer need to perform a Collector Group commit to resume log forwarding after a Panorama commit when the syslog server is configured to use TCP.
78891 Fixed an issue where the use of region-based objects in the Security policy caused consistently high dataplane CPU utilization.
78803 Fixed an issue in Panorama where template settings that were global to every virtual system (vsys) on a firewall (for example, System log settings) were unable to reference configuration elements (for example, an Email server profile) when that element was added to a specific vsys instead of to the Shared location. With this fix, Panorama can push template and device group settings, even those that are not or can't be pushed to a specific vsys, regardless whether those settings refer to Shared elements or elements that are specific to a vsys.
78571 Fixed an intermittent issue where a firewall received a Virtual Systems license that allowed for a higher number of virtual systems than the maximum amount supported for the platform. With this fix, the licensed virtual systems activated on a firewall cannot be higher than the maximum amount of virtual systems supported on the firewall.
78568 Fixed an issue where PA-3000, PA-5000, and PA-7000 Series firewalls experienced a memory leak associated with improper purging of old, replaced entries in the ARP/ND table when the table reached capacity.
78511 Fixed an issue where the DHCP relay agent incorrectly set the gateway IP address (giaddr) value to zero (instead of the IP address of the ingress interface as defined in RFC 1542) when responding to DHCP requests.
78064 Fixed an intermittent issue where authentication failed in a two-phase authentication process when the login response contained customer data.
77816 Fixed an intermittent issue where some Windows 7 GlobalProtect clients using two-factor authentication (LDAP and certificate) lost connection to the portal or gateway and could not reconnect due to a failed authentication with the error Required client certificate is not found even when the certificate was available.
77775 Fixed an issue where a validation error occurred when attempting to move an object from its current device group to a destination device group that was lower in the hierarchy even when the policy rules or objects that reference the object being moved were in the same destination or in a device group that should inherit the object.
76875 Fixed an issue where the dataplane rebooted when a process (brdagent) was terminated by the firewall in response to an out-of-memory condition. With the fix, dataplane reboots are no longer triggered by these out-of-memory events because the firewall no longer considers the brdagent process for termination when attempting to address an out-of-memory event.
76781 Fixed an issue where a firewall incorrectly calculated packet length and TCP sequence due to a one-byte zero-window probe packet when that packet was sent from one vsys to another.
76631 Fixed an issue on PA-7000 Series firewalls where the Log Processing Card (LPC) failed to resolve the FQDN of the syslog server. With this fix, the firewall will reinitiate the DNS lookup request until the lookup succeeds.
76561 Fixed an issue where the DHCP relay agent dropped DHCP DISCOVER packets that the agent could not process due to multiple BOOTP flags. With this fix, the DHCP relay agent recognizes the first BOOTP flag in a DHCP DISCOVER packet and ignores any additional BOOTP flags that may exist (per RFC 1542) so that multiple BOOTP flags do not cause DHCP DISCOVER packets to be dropped.
76238 A security-related fix was made to address CVE-2015-1873.
75803 Addressed an issue regarding how often password API keys are regenerated.
75344 Fixed an issue where a memory process restarted and caused an invalid memory reference; the invalid memory reference resulted in a management plane restart.
74423 Fixed an issue where a firewall running PAN-OS 7.0.1 was incorrectly using the URL Updates service route when fetching a Dynamic Block List instead of using the service route attached to the Palo Alto Updates in the Service Route Configuration (Device > Setup > Services > Global).
73443 Fixed an intermittent issue that resulted in corrupted forwarding entries on the offload processor.
71331 Fixed an issue on a PA-500 firewall where the firewall assigned a DHCP address for the management (MGT) interface even after the administrator configured a static IP address for that port. With this fix, DHCP initiation for the MGT interface is disabled.
70887 Fixed an issue where clicking the More link to view the registered IP address under Object > Address Groups resulted in an error if the name of a Dynamic Address Group included a space. With this fix, spaces in Dynamic Address Group names no longer cause an error when displaying the IP address.
70302 Fixed an issue where the autocommit process failed after upgrading a PA-7050 or PA-5000 Series firewall to a PAN-OS 6.1 or PAN-OS 7.0 release.
69132 Fixed an issue where occasional dataplane restarts occurred due to a kernel memory allocation failure.
64602 In response to an issue where a firewall generated core files for a process (pktproc) when a dataplane stopped responding, an additional check and associated error output is added to help troubleshoot an issue where an FPGA running the Aho-Corasick algorithm returns a session index mapped to a NULL pointer.
64531 Fixed an issue where a high availability (HA) failover occurred due to insufficient kernel memory on a PA-5000 Series firewall. With this fix, PA-5000 Series firewalls include some cache flushing events and increased kernel memory to ensure sufficient kernel memory remains available for ping requests and keep-alive messages to avoid these HA failovers.
64266 Fixed a rare issue where certain processes (l3svc and sslvpn) stopped responding when a Content update and FQDN refresh occurred simultaneously.
PAN-OS 7.0.1 Addressed Issues
The following table lists the issues that are fixed in the PAN-OS 7.0.1 release. (As the base PAN-OS 7.0 image, this release and the list below also include all issues initially addressed for PAN-OS 7.0.0.) For an overview of new features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see PAN-OS 7.0 Release Information.
Issue ID Description
82299 Fixed a critical security vulnerability for firewalls and Panorama running PAN-OS 7.0.0 that were configured to use LDAP authentication for Captive Portal or for device management. (This issue does not affect devices configured to use RADIUS or local authentication.)
81374 Fixed an issue on a PA-200 firewall where the MAC address configured for the management interface was inadvertently changed after an upgrade to PAN-OS 7.0.0. With this fix, the management interface MAC address configured before an upgrade remains the same after the upgrade.
81174 Fixed an issue where an autocommit failed after an upgrade to PAN-OS 7.0.0 due to a failed IKE Crypto profile verification when two IKE gateways were configured using a dynamic peer in main mode on the same local interface.
81167 Fixed an issue where the Apps-only (no Threats) version of Content Updates failed to install on a device registered with standard support.
81158 Fixed an issue where an IPSec tunnel failed to negotiate a new session and dropped packets during an SA rekey in IKEv2 mode.
81024 Fixed an issue where Panorama 7.0.0 failed to properly push Device Group and Service Group objects to devices running PAN-OS 6.1 or earlier releases. With this fix, Panorama pushes Device Group and Service Group objects as expected to devices running any supported PAN-OS release.
80903 Fixed an issue where PA-7050 firewalls running PAN-OS 6.1 or earlier releases did not accurately handle queries from Panorama running PAN-OS 7.0.0, which resulted in the inability to display data in the Application Command Center (ACC) widgets and prevented log data from the PA-7050 firewall from being included in reports generated on Panorama. With this fix, Panorama queries to PA-7050 firewalls are disabled by default so that ACC widgets display correctly for all other devices you manage through Panorama.
80871 Fixed an issue where WildFire analysis reports were not displayed in Detailed Log View (Monitor > WildFire Submissions > Detailed Log View > WildFire Analysis Report) for WildFire Submissions log entries when the firewall was configured to use a service route instead of the management interface to communicate either with a WildFire private cloud or with the WildFire public cloud. However, for firewalls running PAN-OS 7.0.1, to view the integrated reports from within the web interface on the firewall, you must first configure wildfire.paloaltonetworks.com as the WildFire public cloud; either in the web interface (Device > Setup > WildFire > General Settings) or using the set deviceconfig setting wildfire public-cloud-server wildfire.paloaltonetworks.com CLI command.
80849 Fixed an issue where IPv4 and IPv6 traffic forwarding failed when sent through an LACP Aggregated Ethernet (AE) interface due to an incorrect system MAC address.
80799 Fixed an issue where files and email links sent using Simple Mail Transfer Protocol (SMTP) or Post Office Protocol version 3 (POP3) were not forwarded to the WildFire public cloud for analysis unless the firewall was also configured to forward files to a WildFire private cloud. With this fix, firewalls connected only to the WildFire public cloud appropriately forward to the WildFire public cloud all files and email links that are sent using SMTP or POP3.
80607 Fixed an issue where a firewall rebooted when an unusually large number of fragmented packets passed through the firewall when the NAT64 IPv6 Minimum Network MTU setting was configured to a value other than 1500 (Device > Setup > Session > Session Settings), which triggered a memory leak. With this fix, fragmented packets no longer cause a memory leak. Additionally, a new counter was added to monitor whether resources are available for fragmenting packets when needed.
80561 Fixed an issue where software forwarding of Layer 3 multicast traffic with Protocol Independent Multicast (PIM) did not function properly.
80408 Fixed an issue where, in some environments, new content updates could no longer be accommodated by the memory on the firewall that is allotted for these files due to a continually increasing number of applications in the updates. With this fix, allocated memory for content updates is increased so that continued growth of content updates will not prevent successful download and installation of those updates.
80398 Fixed an issue where administrators were unable to log in through the web interface when the firewall was configured to authenticate administrators using client certificates and was configured with Online Certificate Status Protocol (OCSP) verification enabled.
80373 Fixed an issue where attempts to Clone objects or policies in a shared gateway location or Move objects or policies from a virtual system to a shared gateway location did not work correctly.
80323 Fixed an issue where the link states for firewall interfaces did not come up when rebooting the firewall after disabling high availability (HA).
80286 Fixed an issue where a commit failed after an upgrade to PAN-OS 7.0.0 when Defaults for an application was set to ICMP Type (Objects > Applications > application > Advanced). With this fix, commits do not fail after an upgrade to PAN-OS 7.0.1 or later releases regardless of this Defaults setting.
80268 Fixed an issue on a PA-7050 firewall running PAN-OS 7.0.0 where attempts to switch to Common Criteria (CC) mode failed with the following error: Set CCEAL4 Mode Sysd Error. This issue occurred because the CC mode operation attempted to change the operational mode before the system process (sysd) was fully loaded. This operation resulted in setting the firewall to the factory default configuration without CC configuration changes.
80266 Fixed an issue where PA-200, PA-500, and PA-2050 firewalls running PAN-OS 7.0.0 and configured to use a service route instead of the management (MGT) interface to connect to an LDAP server were unable to establish a connection, which caused all firewall functions that relied on that connection to fail. With this fix, firewalls successfully connect through a configured service route to an LDAP server.
79854 Fixed an issue where Panorama was unable to display System and Config logs for PA-7000 Series firewalls.
79844 Fixed an issue where logs sent to a log collector group were not properly saved and could not be displayed when that log collector group contained a space in the name. With this fix, logs are saved and displayed correctly even when there is a space in the log collector group name.
79522 Fixed an intermittent issue where a firewall with hardware offload enabled included an incorrect IP checksum value in outgoing NAT packets, which caused some packets to be dropped.
79478 Fixed an issue where the firewall connected directly to a directory server instead of the User-ID agent configured as an LDAP proxy. With this fix, the firewall correctly uses the User-ID agent when the agent is configured for use as an LDAP proxy.
79463 Fixed an issue where CPU memory on a PA-7050 firewall spiked when attempting to view reports in the Application Command Center (ACC). This issue occurred when task creation notifications were not processed properly and, as a result, the Log Collector did not terminate failed requests as expected. With this fix, task creation notifications are processed appropriately and failed tasks are properly terminated.
79443 Fixed an issue in the web interface where, in some cases, the PHP session cookie (PHPSESSID) was not marked as secure.
79401 VM-1000-HV firewalls running on eight vCPUs did not save and display Traffic and Threat logs. With this fix, VM-1000-HV firewalls properly save and display the logs. This issue did not affect VM-Series firewalls running on two or four vCPUs.
79367 Fixed an issue in PAN-OS where GlobalProtect clients experienced delays and intermittently failed to retrieve the gateway configuration for connecting to a GlobalProtect gateway when the firewall was in a high availability (HA) configuration and under a heavy load. This issue occurred due to an issue with the synchronization of HIP reports between gateways on HA peers when there was a high number of near-simultaneous GlobalProtect connection requests. With this fix, the sync process is modified so that GlobalProtect clients are able to download the configuration and connect to the network as expected even when multiple clients are attempting to connect at the same time.
79278 Fixed an issue where the active device in a high availability (HA) configuration failed to generate tech support files due to a buffer limitation that could not accommodate the output from some commands. With this fix, the commands that prevent generation of tech support files have been removed so that reports are generated as expected.
79260 Fixed a rare issue on a WF-500 appliance where an ICMP packet containing a FIN+ACK packet was incorrectly forwarded out through the management (MGT) interface. With this fix, ICMP packets containing a FIN+ACK packet are dropped, instead.
79104 Fixed a rare issue on a PA-7000 Series firewall where the HA1 and HA1 backup links experienced heartbeat failures that caused split brain in a high availability (HA) configuration.
78652 Fixed a rare issue where a firewall dropped URL requests when the management plane (MP) URL trie (data structure) reached 100% capacity. With this fix, when the MP URL trie reaches 90% capacity, URLs in the cache are cleared until the MP URL trie utilizes only 50% of capacity so that the trie cannot reach maximum capacity and cause requests to be dropped.
78646 Fixed an issue where a firewall replaced multi-byte characters with a period character (.) when forwarding logs or event information to SNMP traps, to a syslog server, through email, or in scheduled log exports. This issue also occurred when exporting logs to CSV. With this fix, multi-byte characters are forwarded and exported correctly with one exception: in PAN-OS 7.0.1, PA-7000 Series firewalls will still incorrectly replace multi-byte characters with period characters when exporting logs to CSV.
78621 Fixed an issue that occurred when Chile adopted new official times and the official time for Continental Chile became UTC-03:00. A PA-200 firewall configured to use the Chile Continental time incorrectly continued to display the official time as UTC-04:00.
78556 Fixed an issue in Panorama where using the option to import a certificate when configuring a GlobalProtect gateway or portal did not result in the imported certificate being added to the drop-down. The imported certificate also did not display on the Templates > Device > Certificates page. (However, the imported certificate did display correctly after a Panorama commit.) With this fix, imported certificates are displayed immediately on the web interface where expected.
78448 Fixed an issue where a custom response page containing an invalid substring caused the process for communicating between the dataplane and management planes (mprelay) to stop responding when attempting to commit configuration changes.
78436 Fixed an issue where the management plane stopped responding when more than one process attempted to modify the device table during a configuration push from Panorama. With this fix, the device table is locked and modifiable by only one process at a time to avoid conflicting modifications.
78413 Fixed an issue on a PA-7000 Series firewall with multiple virtual systems where a memory leak was observed related to the First Packet Processor (FPP) management plane process when running the show session meter CLI command.
78343 Fixed an issue that occurred with decryption enabled, where some websites were not decrypted due to an issue with certificate serial numbers.
78304 A security-related fix was made to address a cross-site request forgery (CSRF) issue in the web interface.
78197 HIP reports for users can now be retrieved using the XML API (in addition to viewing HIP reports using the CLI).
78187 Fixed an intermittent issue with a system process (all_task) that caused a device to restart unexpectedly. This fix includes an adjustment to an internal timer to avoid these restarts.
78166 Fixed an issue where the VirusTotal link in the Coverage Status section of WildFire Analysis reports did not correctly open the VirusTotal page.
78155 Addressed an issue where two DoS protection policy rules that were not overlapping incorrectly resulted in a warning that one of the rules was shadowing the other rule.
77907 Fixed an issue where log forwarding to a Log Collector did not stop as expected when executing the request log-fwd-ctrl device <s/n> action stop CLI command on Panorama. With this fix, log forwarding to a Log Collector stops as expected when executing the request log-fwd-ctrl device <s/n> action stop command so long as both the firewall and Panorama are running PAN-OS 7.0.1 or later releases.
77784 Fixed an issue on Panorama where administrators were unable to filter Device Groups by tags in the commit window.
77721 Fixed an issue on a PA-200 firewall where a reboot took much longer than expected (more than 20 minutes). This issue occurred when the Content Updates database was corrupted and updates did not stop or pause as expected to allow the reboot to take place. With this fix, the firewall reinitializes the database if it is corrupted to allow the Content Update and system reboot to proceed as expected.
77477 Fixed an issue where a user was no longer able to connect to a VM-Series firewall configured as a GlobalProtect gateway and deployed in Amazon Web Services (AWS) after the user had been connected for several hours and the user could not reconnect until the gateway was restarted. With this fix, users no longer lose their connection to the GlobalProtect gateway if they stay connected for several hours.
77413 Fixed an issue where the authentication process failed to parse the base Distinguished Name (DN) correctly when it contained a space (" ") character.
77342 When using the XML API to retrieve HA control link statistics, the statistics retrieved were not the same as those displayed in the output for the CLI operational command show high-availability and control-link statistics.
77163 Fixed an issue where the /var/log/secure log file inflated and consumed available disk space. With this fix, PAN-OS uses a log rotation function for this log file to avoid consuming more disk space than is necessary.
77140 Fixed an issue where an error was displayed when using Panorama to change a password for a managed firewall admin.
76847 Fixed an issue where IKE phase 2 rekey was happening too frequently for an IPSec site-to-site VPN configured with tunnel monitoring on multiple Proxy IDs when QoS was enabled.
76759 Fixed an issue where an SSL scan of a WF-500 appliance returned SSLv3 connections and RC4 ciphers even though the WF-500 appliance no longer supports SSLv3. With this fix, the WF-500 appliance returns only TLSv1 connections.
76688 Fixed an issue where the IPv6 source address was not displayed in the Host column for Config logs. With this fix, the IPv6 source address is displayed in the Host column as expected (instead of 0.0.0.0).
76575 Fixed an issue on a PA-5000 Series firewall where an occasional inconsistency in the IPv6 neighbor cache on different dataplanes caused IPv6 traffic sent to certain hosts to get dropped. With this fix, the firewall keeps the IPv6 neighbor cache in sync between dataplanes so that IPv6 packets are not dropped.
76489 Fixed an issue where threat updates did not install correctly after adding a Threat Prevention license and installing an Applications and Threats content release version. This occurred even though the output of the show system info CLI command verified that the Threat Prevention license was installed.
76282 Fixed an issue where FQDN objects were not resolved when all the following conditions were true:
• The FQDN object was being used as a tag in a Dynamic Address Group.
• The Dynamic Address Group was not a member of the same tag.
• The FQDN object was not attached to a security policy rule.
• The FQDN object was not included in a regular address group that was attached to a security policy rule.
76083 Fixed an issue where no System logs were generated for failed login attempts using the CLI over an SSH connection. With this fix, additional System logs now provide visibility for failed logins to the management interface even if those attempts come from a CLI over an SSH connection.
76079 Fixed an issue on PA-7000 Series firewalls where Traffic logs on Advanced Mezzanine Cards (AMCs) could not be recovered after installing the AMCs onto a new Log Processing Card (LPC). With this fix, a new CLI command (request metadata-regenerate slot <slotnum>) is available for retrieving logs from the old AMC disks after installing them in a new LPC.
When you use this command, you should ensure the device is not processing traffic until the regeneration request is complete. Additionally, you can ignore the erroneous error message (Failure communicating with given slot) that displays 60 seconds after running the request metadata-regenerate command: the regeneration process will continue to run as expected and you will need to wait for it to finish before resuming traffic flow. It can take up to two hours, or longer, to regenerate all metadata depending on the number of logs recovered. To determine if regeneration is complete, use the following CLI command to look for the Done generating metadata for LD:x message:
less s8lp-log vld-<amcslotnum>-0.log
75881 Fixed an issue on a PA-5000 Series firewall where the management plane and dataplane restarted due to a race condition that occurred when the Enforce Symmetric Return option was enabled in the policy-based forwarding (PBF) rules (Policies > Policy Based Forwarding > Forwarding). This race condition caused inaccurate PBF return-mac ager lists, which caused the restarts. With this fix, the firewall retrieves and checks return MAC entries to avoid this race condition and associated restarts.
75825 Fixed a rare issue on a PA-5000 Series firewall where a race condition occurred between dataplanes 1 and 2 (DP1 and DP2) and dataplane 0 (DP0) that incorrectly caused a reset of the timeout value for parent sessions owned by DP1 and DP2 when creating predict sessions, which caused those parent sessions to time out prematurely. With this fix, the timeout for parent sessions is not changed when the predict sessions are created.
75758 Fixed an issue where the dataplane restarted on a PA-5000 Series firewall in a high availability (HA) cluster due to corruption of ARP packets.
75744 Fixed an issue where a dataplane stopped responding after a commit that changed the interface index when high availability (HA) session packets were referencing that interface index using an interface pointer.
75003 Fixed an issue where only the first 15 characters of a zone name were displayed in logs. Complete zone names are now displayed in logs.
74654 Fixed an issue on an M-100 device where an attempt to download Content Updates failed due to a lack of disk space. This issue occurred when continuous XML API queries filled the /opt/pancfg partition because STOP messages were getting dropped between Panorama and the Log Collector and queries were not properly removed when no longer needed. With this fix, STOP messages should not be dropped. Additionally, in case STOP messages are dropped for any other reason, a timeout setting for queries is in place to ensure that stale queries are removed from disk space before causing a storage space issue.
74609 Fixed an issue on a PA-5000 Series firewall where PREDICT sessions were handled by dataplane 0 (DP0) but the SIP parent sessions were on a different dataplane. With this fix, you can use the set session filter-ip-proc-cpu dest-ip <IPaddr> CLI command to specify all destination SIP proxy IP addresses in a filter list on the firewall. You can then use the list to configure the firewall so that DP0 receives and handles any inbound packet that is destined for any of the specified SIP proxy IP addresses.
74600 A security-related fix was made to the OpenSSL package to address multiple vulnerabilities impacting the OpenSSL libraries.
74489 Fixed an issue with regular expressions where using the vertical bar or pipe character (|) caused errors.
74315 Fixed an issue where comments added to an Aggregate Ethernet (AE) interface were not saved along with the AE interface configuration and the Comment field displayed as empty after closing the configuration window.
73692 Updated an error message that originally noted that an Antivirus content download failed because an Antivirus content download was in progress. The error message is updated to correctly state that the failed Antivirus content download was due to a WildFire content download being in progress.
73631 Fixed an issue where several NTP sync errors were displayed following a firewall software upgrade.
73317 Fixed an issue where the System log displayed an IPv4 address for a firewall that was connected to an Active Directory (AD) server through a management port using an IPv6 address. For example: ldap cfg <group_name> connected to server <IPv6 address>, initiated by: <IPv4 address>. With this fix, the appropriate IP address and format is displayed for the initiating device even when connected using an IPv6 address.
73158 The port range you can use to define ports for custom applications has been updated to be from port 0-65535. The update matches the ports you can define for application override policy rules (also 0-65535). Previously, you could not define port 0 for custom applications.
73064 When a firewall was configured as a DHCP client, it failed to renew or release the DHCP-assigned IP address when the firewall interface was then connected to a new DHCP server.
73058 Fixed an issue where source and destination fields in SNMP traps were not populated for traffic using IPv6 addresses. With this fix and Rev. B of the PAN-OS 6.1 Enterprise SNMP MIB modules, new IP-version-neutral fields were added (InetAddress and InetAddressType in place of the IpAddress field) to fully support IPv6 addresses. (The IpAddress field is retained for backward compatibility but is deprecated; administrators are expected to transition to the new fields.)
72933 Fixed an issue where Panorama administrators were unable to view the Botnet report option when switched to the firewall context.
72806 The GlobalProtect pre-logon connect method did not work when a certificate profile was configured to use a subject alternative name (SAN) and the matching device certificate did not contain the SAN.
72756 Fixed an intermittent issue where a race condition caused by multiple processes asynchronously attempting to retrieve the last saved configuration file caused Captive Portal or the FQDN refresh job to fail.
72719 Fixed an issue where the Tunnel Monitor Threshold value displayed for a GlobalProtect satellite was incorrectly displayed as a unit of time (seconds). The Tunnel Monitor Threshold actually specifies the number of heartbeats to wait for before the firewall takes specified action, and is no longer displayed in seconds.
72544 A security-related fix was made to address CVE-2014-8730. For additional information, refer to the PAN-SA-2014-0224 security advisory on the Palo Alto Networks Security Advisories website at https://securityadvisories.paloaltonetworks.com.
72371 When a custom QoS profile was enabled on an interface, the QoS statistics for the custom profile were instead displayed as the default QoS profile statistics. This issue has been resolved so QoS statistics are displayed correctly with the corresponding QoS profile (and for each class in the profile).
72153 Fixed an issue where the first SYN packet in a TCP connection that passed through two virtual systems did not reach the destination server. This occurred when:
• The first virtual system was configured with DNAT.
• The second virtual system was configured with SNAT.
• Sessions were allocated on different dataplanes (DPs), with the first session on DP0.
72075 When the firewall was configured to access an LDAP server through a data interface, the firewall could not connect to the LDAP server if it was also configured to access the User-ID agent using a different data interface.
71860 Addressed an issue where configuration changes were not reflected in the configuration logs after importing SSH keys.
71682 Fixed an issue on a PA-5000 Series device where a port that was in use was sometimes reused when dynamic port translation was enabled with NAT and sessions were initiated on different dataplanes. With this fix, Active FTP sessions succeed with a NAT policy setup.
71340 Fixed an issue where firewall administrators were unable to clone any of the three predefined common criteria admin roles; attempting to do so resulted in an error.
71250 Fixed an issue where decryption policies with a destination address and a URL category defined as matching criteria caused commit failures.
70431 Fixed an issue where a custom URL category with the name any caused unexpected results. With this fix, the name any is no longer allowed when creating a custom URL category (Objects > Custom Objects > URL Category).
70335 Fixed an issue where access routes from the GlobalProtect gateway could not be installed on a satellite when the tunnel monitor was enabled for a Large Scale VPN (LSVPN) and the tunnel monitor was in wait recover mode.
69961 Fixed an issue where Panorama and a firewall running the same release version did not display the same drop-down selections to add as matching criteria to a security policy rule. Now, if Panorama and a firewall are running the same release version, the same objects are displayed and can be added to a security policy rule, regardless of whether the rule is being defined on Panorama or a firewall.
69752 Fixed an issue where the web interface did not display concurrently logged-in administrators if those administrators had not locally authenticated to the firewall.
69685 Updates were made to existing Russian time zones and new Russian time zones were added to the available list of global time zones for a device, to accommodate the 2014 changes to Russian time zones.
69419 Fixed an issue that was seen with predict sessions when traffic traversed a firewall in virtual wire mode twice.
68508 Fixed an issue where the DHCP server sent DHCP lease offers on the wrong interface after a high availability (HA) failover due to interface IDs being out of sync on the HA peers.
68178 When configuring a threat exception for an Anti-Spyware or Vulnerability Protection profile, adding an IP address exemption to the exception did not work if the input included a subnet (for example, XXX.XXX.XXX.XXX/32). Only IP address exemptions entered without a subnet were accepted by the firewall. This issue is fixed so that you can add an IP address with a subnet as an exemption within a threat exception (Objects > Vulnerability Protect/Anti-Spyware > Exceptions).
67713 An administrator was allowed to downgrade the content version (Applications and Threats) on the firewall to a version that was not supported with the PAN-OS software release version running on the firewall. For example, if the firewall was running PAN-OS 7.0 and the minimum content version was 497, the administrator was incorrectly able to downgrade to a version prior to 497.
66681 Resolved a dataplane restart issue due to race conditions.
65959 Added an enhancement to display predefined URL categories in addition to custom URL categories in the Allow Categories column for URL Filtering profile rules (Objects > Security Profiles > URL Filtering).
63652 Fixed an issue where some files forwarded to WildFire were not uploaded successfully due to a CANCEL_OFFSET_NO_MATCH error. With this fix, the offset (caused by a buffer overload) is no longer an issue.
63524 Fixed an issue that occurred when performing a template commit to a PA-200 firewall on Panorama. The operation failed if you changed the vsys1 display name on the firewall using the set display-name <name> CLI command.
62276 Fixed an issue where the Application Command Center (ACC) failed to load any widgets and displayed the following error: The selected filters cannot be applied to any of the acc reports. This issue occurred when navigating from Monitor > Reports > HTTP Applications to the ACC.
61259 Removed whitespace preceding a response that was displayed when using the XML API to submit a file for WildFire analysis.
Getting Help
The following topics provide information on where to find more about our products and how to request support:
• Related Documentation
• Requesting Support
Related Documentation
Refer to the following documents on the Technical Documentation portal at https://www.paloaltonetworks.com/documentation for more information on our products:
• New Features Guide: Detailed information on configuring the features introduced in this release.
• PAN-OS Administrator's Guide: Provides the concepts and solutions to get the most out of your Palo Alto Networks next-generation firewalls. This includes taking you through the initial configuration and basic setup on your Palo Alto Networks firewalls.
• Panorama Administrator's Guide: Provides the basic framework to quickly set up the Panorama virtual appliance or an M-Series appliance for centralized administration of the Palo Alto Networks firewalls.
• WildFire Administrator's Guide: Provides steps to set up a Palo Alto Networks firewall to forward samples for WildFire Analysis, to deploy the WF-500 appliance to host a WildFire private or hybrid cloud, and to monitor WildFire activity.
• VM-Series Deployment Guide: Provides details on deploying and licensing the VM-Series firewall on all supported hypervisors. It includes examples of supported topologies on each hypervisor.
• GlobalProtect Administrator's Guide: Takes you through the configuration and maintenance of your GlobalProtect infrastructure.
• Online Help System: Detailed, context-sensitive help system integrated with the firewall web interface.
• Open Source Software (OSS) Listings: OSS licenses used with Palo Alto Networks products and software:
  PAN-OS 7.0
  Panorama 7.0
  WildFire 7.0
Requesting Support
For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.
Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contactus
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2015-2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Revision Date: July 1, 2016