
PAN-OS 8.0 Release Notes

Release 8.0.4-h2

Revision Date: August 17, 2017

Review important information about Palo Alto Networks PAN-OS 8.0 software, including new features introduced, workarounds for open issues, and issues that are addressed in PAN-OS 8.0 releases. For installation, upgrade, and downgrade instructions, refer to the PAN-OS 8.0 New Features Guide. For the latest version of these release notes, refer to the Palo Alto Networks technical documentation portal.

HSM storage of the master key on firewalls running PAN-OS 8.0.0 or PAN-OS 8.0.1 is not supported. See the PAN-75960 known issue description for details.

Table of Contents

PAN-OS 8.0 Release Information
    Features Introduced in PAN-OS 8.0
        Management Features
        Panorama Features
        Content Inspection Features
        WildFire Features
        Authentication Features
        User-ID Features
        App-ID Features
        Decryption Features
        Virtualization Features
        Networking Features
        GlobalProtect Features
    Changes to Default Behavior
        Authentication Changes
        Content Inspection Changes
        GlobalProtect Changes
        Management Changes
        Panorama Changes
        VM-Series Firewall Changes
        WildFire Changes
    CLI and XML API Changes in PAN-OS 8.0
        Authentication CLI Changes
        Content Inspection CLI Changes
        GlobalProtect CLI Changes
        Management CLI Changes
        User-ID CLI Changes
    Associated Software and Content Versions
    Limitations
    Known Issues
        Known Issues Related to PAN-OS 8.0 Releases
        Known Issues Specific to the WF-500 Appliance
PAN-OS 8.0.4-h2 Addressed Issues
PAN-OS 8.0.4 Addressed Issues
PAN-OS 8.0.3-h4 Addressed Issues
PAN-OS 8.0.3 Addressed Issues
PAN-OS 8.0.2 Addressed Issues
PAN-OS 8.0.1 Addressed Issues
PAN-OS 8.0.0 Addressed Issues
Getting Help
    Related Documentation
    Requesting Support
PAN-OS 8.0 Release Information

Features Introduced in PAN-OS 8.0
Changes to Default Behavior
CLI and XML API Changes in PAN-OS 8.0
Associated Software and Content Versions
Limitations
Known Issues

HSM storage of the master key on firewalls running PAN-OS 8.0.0 or PAN-OS 8.0.1 is not supported. See the PAN-75960 known issue description for details.

Previously known issues carried over from previous release notes and that were identified using legacy ID numbers (5 or 6 digits without a prefix) are now assigned new issue ID numbers that also include product-specific prefixes.

PAN-OS 8.0.4-h2 Addressed Issues
PAN-OS 8.0.4 Addressed Issues
PAN-OS 8.0.3-h4 Addressed Issues
PAN-OS 8.0.3 Addressed Issues
PAN-OS 8.0.2 Addressed Issues
PAN-OS 8.0.1 Addressed Issues
PAN-OS 8.0.0 Addressed Issues
Getting Help


Features Introduced in PAN-OS 8.0

The following topics describe the new features introduced in the PAN-OS 8.0 release, which requires content release version 655 or a later version. For upgrade and downgrade considerations and for specific information about the upgrade path for a firewall, refer to the Upgrade section of the PAN-OS 8.0 New Features Guide. The new features guide also provides additional information about how to use the new features in this release.

Management Features
Panorama Features
Content Inspection Features
WildFire Features
Authentication Features
User-ID Features
App-ID Features
Decryption Features
Virtualization Features
Networking Features
GlobalProtect Features


Management Features

New Management Features

Administrator-Level Commit and Revert
You can now commit, validate, preview, save, and revert changes that you made in a Panorama or firewall configuration independent of changes that other administrators have made. This simplifies your configuration workflow because you don't have to coordinate commits with other administrators when your changes are unrelated to theirs, or worry about reverting changes other administrators made that weren't ready.

NetFlow Support for PA-7000 Series Firewalls
PA-7000 Series firewalls now have the same ability as other Palo Alto Networks firewalls to export NetFlow records for IP traffic flows to a NetFlow collector. This gives you more comprehensive visibility into how users and devices are using network resources.

PA-7000 Series Firewall Log Forwarding to Panorama
You can now forward logs from PA-7000 Series firewalls to Panorama for improved log retention, which helps you meet regulatory requirements for your industry as well as your internal log archival requirements.

Selective Log Forwarding Based on Log Attributes
To enable your organization to process and respond to incident alerts more quickly, you can now create custom log forwarding filters based on any log attributes. Instead of forwarding logs based only on severity levels, you can forward just the information that various teams in your organization want to monitor or act on. For example, a security operations analyst who investigates malware incidents might be interested only in Threat logs with the type attribute set to wildfire-virus.

Action-Oriented Log Forwarding using HTTP
The firewall can now directly forward logs using HTTP/HTTPS so that you can trigger an automated action when a specific event occurs. This capability allows the firewall to integrate with external systems that provide an HTTP-based API. Combined with Selective Log Forwarding Based on Log Attributes, it lets you automate security workflows more efficiently, applying dynamic policy and responding to security incidents.
- Trigger an action or a workflow on a third-party service that provides an HTTP-based API: The firewall can now send an HTTP request as an API call. You can select the HTTP method, and customize the header, request format, and payload to trigger an action. For example, on an HA failover event, the firewall can generate an HTTP request to an IT management service to automatically create an incident report with the details in the system log. This automated workflow can help the IT infrastructure team to easily track and follow up on the issue.
- Enable dynamic policy and enforcement: Tag the source or destination IP address in a log entry, register the tags to connected User-ID agents, and take action to enforce policy at every location on your network. For example, when a Threat log indicates that the firewall has detected malware, you can tag the source or destination IP address to quarantine the malware-infected device. Based on the tag, the IP address associated with the device becomes a member of a dynamic address group, and the Security policy rule in which the dynamic address group is referenced limits access to corporate resources until IT clears the device for use.


Extended SNMP Support
PAN-OS support for Simple Network Management Protocol (SNMP) now includes the following features:
- Logging statistics: Using SNMP to monitor logging statistics for firewalls and Log Collectors helps you plan improvements to your log collection architecture, evaluate the health of firewall and Panorama logging functions, and troubleshoot issues such as dropped logs. You can now monitor a broader range of logging statistics, including log rate, disk usage, retention periods, the forwarding status from individual firewalls to Panorama and external servers, and the status of firewall-to-Log Collector connections.
- HA2 statistics and traps: Monitoring SNMP statistics and traps for the interfaces that firewalls use for high availability (HA) synchronization helps you troubleshoot and verify the health of HA functions such as state changes. You can now use an SNMP manager to monitor the dedicated HA2 interfaces of firewalls, in addition to the HA1, HA2 backup, and HA3 interfaces.

Increased Storage on PA-7000 Series Firewall
To provide longer retention periods for logs on the PA-7000 Series firewall, you can now increase the log storage capacity to 4TB by installing 2TB disks in the two RAID disk pairs (formerly only 1TB disks were supported). For log storage beyond 4TB, you can enable PA-7000 Series Firewall Log Forwarding to Panorama, which supports up to 24TB for each M-500 appliance in the Collector Group.

Panorama Features

New Panorama Features

Log Query Acceleration
Panorama has an improved log query and reporting engine to enable a significant improvement in speed when generating reports and executing queries. All logs generated after the upgrade to PAN-OS 8.0 automatically take advantage of the improved query processing architecture. With this enhancement, the logging rate on the M-Series appliance is lower than in previous Panorama releases. For maximum logging rates, see Panorama Models.
To extend the performance improvements for older logs, you can migrate the logs to the new format.

Logging Enhancements on the Panorama Virtual Appliance
You can now create a Log Collector that runs locally on the Panorama virtual appliance. Because the local Log Collector supports multiple virtual logging disks, you can increase log storage as needed while preserving existing logs. You can increase log storage to a maximum of 24TB for a single Panorama and up to 48TB for a high availability pair. Using a local Log Collector also enables faster report generation (see Log Query Acceleration).

Increased Log Storage Capacity
To provide adequate disk space for a longer log retention period, you can increase the log storage capacity on the M-500 appliance and Panorama virtual appliance to 24TB (formerly 8TB). The M-500 appliance now supports 2TB disks and up to 12 RAID disk pairs (formerly 1TB * 8 RAID disk pairs). In addition, the Panorama virtual appliance now supports a local Log Collector with up to 24TB of virtual disk space (see Logging Enhancements on the Panorama Virtual Appliance).


Traps Logs on Panorama
Panorama can now ingest Traps logs sent by the Traps Endpoint Security Manager using syslog over UDP, TCP, or SSL so that you can monitor security events relating to protected processes and executable files on Traps-protected endpoints. You can filter on any log attribute and answer day-to-day operational questions such as, "How many different prevention events did a specific user trigger?"
The ability to see Traps logs in the same context as the firewall logs allows you to correlate discrete activity observed on the network and the endpoints. Correlated events help you see the overall picture across your network and the endpoints so that you can detect any risks that evade detection or take advantage of blind spots, and strengthen your security posture well before any damage occurs.

Extensible Plug-in Architecture
Panorama now supports a plug-in architecture to enable new third-party integrations or updates to existing integrations (such as the VMware NSX integration) outside of a new PAN-OS feature release. Panorama displays only the interface elements pertinent to the plug-ins you install.
The first implementation of this architecture enables VM-Series NSX Integration Configuration through Panorama.

Extended Support for Multiple Panorama Interfaces
To support the demands for network segmentation and security in large-scale deployments, you can now separate the management functions from the device management and log collection functions on the Panorama M-Series appliances. The key improvements are:
- Forward logs from the managed firewalls to Panorama and the Log Collectors on multiple interfaces, instead of a single interface. This change reduces the traffic load on an interface and provides flexibility in logging to a common infrastructure across different subnets without requiring changes to the network configuration and access control lists in your infrastructure.
- Manage the configuration for firewalls and log collectors using multiple interfaces on Panorama. This capability simplifies the management of devices that belong to different subnets or are segmented for better security.
- Deploy software and content updates to managed firewalls and log collectors using an interface of your choice. You can continue to use the management port or select a different interface for deploying updates to managed firewalls and log collectors running PAN-OS 8.0. See Streamlined Deployment of Software and Content Updates from Panorama.
The ability to separate these functions across multiple interfaces reduces the traffic on the dedicated management (MGT) port. You can now lock down the management port for administrative access to Panorama (HTTPS and SSH) and the Log Collectors (SSH) only; by default Collector Group communication is enabled on the management port but you can assign a different port for this traffic.

Device Group, Template, and Template Stack Capacity Increase
Panorama now supports up to 1,024 device groups and 1,024 templates (previously 512 each), and 1,024 template stacks (previously 128). In large-scale deployments, these capacity improvements increase administrative ease in centrally managing from Panorama and reduce the configuration exceptions and overrides that you must manage locally on individual firewalls.

Streamlined Deployment of Software and Content Updates from Panorama
You can now deploy software and content updates to managed devices more quickly. Instead of pushing the updates to one device at a time, Panorama now notifies firewalls and Log Collectors when updates are available and the devices then retrieve the updates in parallel.
The Extended Support for Multiple Panorama Interfaces enables you to configure a separate interface, instead of using the management (MGT) interface, for deploying content and software updates to managed devices.


Content Inspection Features

New Content Inspection Features

Credential Phishing Prevention
Phishing sites are sites that attackers disguise as legitimate websites with the aim to steal user information, especially the passwords that provide access to your network. You can now identify and prevent in-progress phishing attacks by controlling sites to which users can submit corporate credentials based on the site's URL category. This feature integrates with User-ID (group mapping or user mapping, depending on which method you choose to detect credentials) to enable the firewall to detect when users are attempting to submit their corporate username, or username and password, and block the submission.

Telemetry
You can now participate in a community-driven approach to threat prevention through telemetry. Telemetry allows your firewall to periodically collect and share information about applications, threats, and device health with Palo Alto Networks. Palo Alto Networks uses the threat intelligence collected from you and other customers to improve the quality of intrusion prevention system (IPS) and spyware signatures and the classification of URLs in PAN-DB. For example, when a threat event triggers vulnerability or spyware signatures, the firewall shares the URLs associated with the threat with the Palo Alto Networks threat research team, so they can properly classify the URLs as malicious. Telemetry also allows Palo Alto Networks to rapidly test and evaluate experimental threat signatures with no impact to your network, so that critical threat prevention signatures can be released to all customers faster.
You have full control over which data the firewall shares through telemetry, and samples of this data are available to view through your Telemetry settings. Palo Alto Networks does not share your telemetry data with other customers or third-party organizations.

Palo Alto Networks Malicious IP Address Feeds
Palo Alto Networks now provides malicious IP address feeds that you can use to help secure your network from known malicious hosts on the Internet. One feed contains IP addresses verified as malicious by Palo Alto Networks, and another feed contains malicious IP addresses from reputable third-party threat advisories. Palo Alto Networks maintains both feeds, which you can reference in Security policy rules to allow or block traffic. You can also create your own external dynamic lists based on these feeds and customize them as needed. You must have an active Threat Prevention license to view and use the Palo Alto Networks malicious IP address feeds.

Enhanced Coverage for Command-and-Control (C2) Traffic
C2 signatures (signatures that detect where a compromised system is surreptitiously communicating with an attacker's remote server) are now generated automatically. While C2 protection is not new, previous signatures looked for an exact match to a domain name or a URL to identify a C2 host. The new, automatically generated C2 signatures detect certain patterns in C2 traffic, providing more accurate, timely, and robust C2 detection even when the C2 host is unknown or changes rapidly.


GPRS Tunneling Protocol (GTP) Security (PAN-OS 8.0.4 and later releases)
You can now deploy the Palo Alto Networks firewall to protect the core network in Mobile Network Operator environments that use GTP between GPRS Support Nodes (GSNs) from malformed GTP packets, denial-of-service attacks, out-of-state GTP messages, and protect subscribers from spoofed IP packets and overbilling attacks. Equipped with App-IDs for GTPv1-C, GTPv2-C, GTP-U, GTPv0 and GTP, the firewall can perform stateful inspection and protocol validation on GTP control (GTPv1-C and/or GTPv2-C) and user data (GTP-U) messages, and decapsulate GTP-U packets to inspect inner IP traffic for threats and provide visibility into subscriber activity.
The ability to statefully inspect GTP-C traffic also provides visibility into International Mobile Subscriber Identity (IMSI) and International Mobile Equipment Identity (IMEI), which you can correlate to the corresponding user data sessions for the subscriber. Further, for regulating subscriber access, you can filter traffic based on the IMSI/IMSI Prefix, Radio Access Technology (RAT), and Access Point Network (APN).

Data Filtering Support for Data Loss Prevention (DLP) Solutions
Data filtering is enhanced to work with third-party, endpoint DLP solutions that populate file properties to indicate sensitive content, enabling the firewall to enforce your DLP policy. To better secure this confidential data, you can now create Data Filtering profiles that identify the file properties and values set by a DLP solution and then log or block the files the Data Filtering profile identifies.

External Dynamic List Enhancements
New enhancements provide better security, flexibility, and ease of use when working with external dynamic lists. The enhancements include the options to:
- Enable Authentication for External Dynamic Lists to validate the identity of a list source and to forward login credentials for access to external dynamic lists that enforce basic HTTP authentication.
- Use new Palo Alto Networks Malicious IP Address Feeds in security policy rules to block traffic from malicious IP addresses.
- View the contents of an external dynamic list directly on the firewall, with the option to exclude entries or view threat intelligence associated with an entry in AutoFocus.

New Scheduling Options for Application and Threat Content Updates
The firewall can now check for the latest App-ID, vulnerability protection, and anti-spyware signatures every 30 minutes or hourly, in addition to being able to check for these updates daily and weekly. This feature enables more immediate coverage for newly discovered threats and strengthens safe enablement for updated and newly defined applications.

Five-Minute Updates for PAN-DB Malware and Phishing URL Categories
The Malware and Phishing URL categories in PAN-DB are now updated every five minutes, based on the latest malicious and phishing sites WildFire identifies. These more frequent updates ensure that the firewall is equipped with the very latest information to detect and then block access to malicious and phishing sites.

Globally Unique Threat IDs
All Palo Alto Networks threat signatures now have permanent, globally unique IDs that you can use to look up threat signature information and create permanent threat exceptions:
- Change the action (for example, block or alert) the firewall uses to enforce a threat signature; threat exceptions are useful if a signature is triggering false positives.
- Easily check if a threat signature is configured as an exception.
- Use threat IDs in the Threat Vault and AutoFocus to gain context for a threat signature.

New Predefined File Blocking Profiles
Two new predefined File Blocking profiles, basic file blocking and strict file blocking, have been added via content release version 653. You can use these profiles to quickly and easily apply the best practice file blocking settings to your Security policy allow rules to ensure that users are not inadvertently downloading malicious content into your network or exfiltrating sensitive data out of your network in legitimate application traffic.


Enhanced Unicode Decoding Support (PAN-OS 8.0.3-h4 and later releases)
The firewall can now decode UTF-16 and UTF-32 encoded data, to provide threat analysis and inspection for the encoded data.


WildFire Features

PAN-OS 8.0.1 is the base image for WF-500 appliances (not PAN-OS 8.0.0).

New WildFire Features

WildFire Appliance Clusters
In environments where you cannot use the WildFire public cloud, you can now configure up to twenty WF-500 appliances in a cluster on a single network. Creating WildFire appliance clusters helps you scale analytical and storage capabilities to support a much larger network of firewalls, increases reliability by allowing you to configure high availability (HA) to provide fault tolerance, and provides single signature package distribution for all connected firewalls based on the activity in your cluster. You can manage WildFire clusters and standalone WF-500 appliances from Panorama.

Preferred Analysis for Documents or Executables
You can now choose to dedicate WildFire appliance analysis resources to either documents or executables. If you are using the WildFire appliance to analyze specific file types (for example, Word documents and PDFs), this allows you to utilize all analysis resources for those file types. Previously, analysis environments were statically allocated and the resources available for document and executable analysis were evenly divided.

Verdict Changes
You can now modify the verdict that the WildFire appliance applies to a sample. Verdict changes are applied only to locally analyzed samples.

Verdict Checks with the WildFire Global Cloud
The WildFire appliance can now look up sample verdicts in the WildFire global cloud before locally analyzing the sample. The WildFire appliance can then deliver a quick verdict for samples known to the WildFire global cloud, and direct analysis resources toward files that are truly unknown to both your private network and the WildFire global community.

WildFire Analysis of Blocked Files
The new WildFire Analysis of Blocked Files enables the firewall to submit blocked files that match existing antivirus signatures for WildFire analysis, in addition to unknown files, so that WildFire can extract valuable information from new malware variants. Malware signatures often match multiple variants of the same malware family, and as such, block new malware variants that the firewall has never seen before. Sending these blocked malware samples for WildFire analysis allows WildFire to analyze them for additional URLs, domain names, and IP addresses that must be blocked. Since all WildFire analysis data is also available on AutoFocus, you can now use WildFire and AutoFocus together to get a more complete perspective of all threats targeting your network, improving the efficacy of your security operations, incident response, and threat intelligence functions.

WildFire Phishing Verdict
The new WildFire Phishing Verdict classifies phishing links detected in emails separately from other emailed links found to be exploits or malware. The firewall logs WildFire submissions that are phishing links to indicate that such a link has been detected in an email.
With both a WildFire license and a PAN-DB license, you can block access to phishing sites within 5 minutes of initial discovery.
The WF-500 appliance does not support the new phishing verdict, and continues to classify suspected phishing sites as malicious.


Authentication Features

New Authentication Features

SAML 2.0 Authentication
The firewall and Panorama can now function as Security Assertion Markup Language (SAML) 2.0 service providers to enable single sign-on and single logout for end users (see SAML 2.0 Authentication for GlobalProtect) and for administrators. SAML enhances the user experience by enabling a single, interactive login to provide automatic access to multiple authenticated services that are internal or external to your organization.
In addition to authenticating administrator accounts that are local to the firewall and Panorama, you can use SAML to authenticate and assign roles to external administrator accounts in the identity provider (IdP) identity store.

Authentication Policy and Multi-Factor Authentication
To protect your network resources from attackers, you can use the new Authentication policy to ensure all your end users authenticate when they access those resources. Authentication policy is an improved replacement for Captive Portal policy, which enforced authentication only for some users. Authentication policy has the additional benefit of enabling you to choose how many authentication challenges of different types (factors) users must respond to. Using multiple factors of authentication (MFA) is particularly useful for protecting your most sensitive resources. For example, you can force users to enter a login password and then enter a verification code that they receive by phone. This approach ensures attackers can't invade your network and move laterally through it just by stealing passwords. If you want to spare users the hassle of responding to multiple challenges for resources that don't need such a high degree of protection, you can also have Authentication policy rules that enforce only password or certificate authentication.
The firewall makes it easy to implement MFA in your network by integrating directly with several MFA platforms (Duo v2, Okta Adaptive, and PingID) and integrating through RADIUS with all other MFA platforms.

TACACS+ User Account Management
To use a Terminal Access Controller Access-Control System Plus (TACACS+) server for centrally managing all administrative accounts, you can now use Vendor-Specific Attributes (VSAs) to manage the accounts of firewall and Panorama administrators. TACACS+ VSAs enable you to quickly reassign administrator roles and access domains without reconfiguring settings on the firewall and Panorama.

Authentication Using Custom Certificates
You can now deploy custom certificates to replace the predefined certificates shipped on Palo Alto Networks devices for management connections between Panorama, firewalls, and Log Collectors. By generating and deploying unique certificates for each device, you can establish a unique chain of trust between Panorama and the managed devices. You can generate these custom certificates locally or import them from an existing enterprise public key infrastructure (PKI). Panorama can manage devices in environments with a mix of predefined and custom certificates.
You can also deploy custom certificates for mutual authentication between the firewall and Windows User-ID Agent. This allows the firewall to confirm the Windows User-ID Agent's identity before accepting User-ID information from the agent. Deploy a custom certificate on the Windows User-ID Agent and a certificate profile on the firewall, containing the CA of the certificate, to establish a unique trust chain between the two devices.


Authentication for External Dynamic Lists
The firewall now validates the digital certificates of SSL/TLS servers that host external dynamic lists, and, if the servers enforce basic HTTP username/password authentication (client authentication), the firewall can forward login credentials to gain access to the lists. If an external dynamic list source fails server or client authentication, the firewall does not retrieve the list and ceases to enforce policy based on its contents. These security enhancements help ensure that the firewall retrieves IP addresses, domains, or URLs from a valid source over a secure, private channel.

User-ID Features

New User-ID Features

Panorama and Log Collectors as User-ID Redistribution Points
You can now leverage your Panorama and distributed log collection infrastructure to redistribute User-ID mappings in large-scale deployments. By using the existing connections from firewalls to Log Collectors to Panorama, you can aggregate the mappings without setting up and managing extra connections between firewalls.

Centralized Deployment and Management of User-ID and TS Agents
You can now use endpoint management software such as Microsoft SCCM to remotely install, configure, and upgrade multiple Windows-based User-ID agents and Terminal Services (TS) agents in a single operation. Using endpoint management software streamlines your workflow by enabling you to deploy and configure numerous User-ID and TS agents through an automated process instead of using a manual login session for each agent.

User Groups Capacity Increase
To accommodate environments where access control for each resource is based on membership in a user group, and where the number of resources and groups is increasing, you can now reference more groups in policy (the limit varies by platform).

User-ID Syslog Monitoring Enhancements
The following enhancements improve the accuracy of User-ID mappings and simplify monitoring syslog servers for mapping information:
- Automatic deletion of user mappings: To improve the accuracy of your user-based policies and reports, the firewall can now use syslog monitoring to detect when users have logged out and then delete the associated User-ID mappings.
- Multiple syslog formats: In environments with multiple points of authentication sending syslog messages in different formats, it is now easier to monitor login and logout events because the firewall can ingest multiple formats from a syslog server aggregating from various sources.

Group-Based Reporting in Panorama
Panorama now provides visibility into the activities of user groups in your network through the User Activity report, SaaS Application Usage report (see SaaS Application Visibility for User Groups), custom reports, and the ACC. Panorama aggregates group activity information from managed firewalls so that you can filter logs and generate reports for all groups.
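
The two User-ID Syslog Monitoring Enhancements above (deleting a mapping on logout, and reading login/logout events in more than one syslog format) can be illustrated with the following added example. It is not PAN-OS code or configuration: the two message formats, the sample lines, the PROFILES table and the function names are constructed for the illustration.

```python
import ipaddress
import re

# Constructed message formats for two hypothetical authentication sources
# (an SSL VPN gateway and a wireless controller) that share one syslog server.
# Each profile pairs an event type with a regex extracting user and IP.
PROFILES = [
    ("login", re.compile(r"sslvpn: session opened user=(?P<user>\S+) addr=(?P<ip>\S+)")),
    ("logout", re.compile(r"sslvpn: session closed user=(?P<user>\S+) addr=(?P<ip>\S+)")),
    ("login", re.compile(r"auth: STA (?P<ip>\S+) authenticated as (?P<user>\S+)")),
    ("logout", re.compile(r"auth: STA (?P<ip>\S+) deauthenticated \((?P<user>[^)]+)\)")),
]

# Constructed sample input, as an aggregating syslog server might relay it.
SAMPLE_LINES = [
    "<134>Aug 17 09:00:01 vpn01 sslvpn: session opened user=alice addr=10.1.1.20",
    "<134>Aug 17 09:00:05 wlc01 auth: STA 10.1.2.33 authenticated as CORP\\bob",
    "<134>Aug 17 09:05:00 wlc01 auth: STA 10.1.2.33 deauthenticated (CORP\\bob)",
    # Logout for a user who does not own the current mapping of that address.
    "<134>Aug 17 09:06:00 vpn01 sslvpn: session closed user=carol addr=10.1.1.20",
    # Malformed address: must not create a mapping.
    "<134>Aug 17 09:07:00 vpn01 sslvpn: session opened user=dave addr=999.1.1.1",
    "<134>Aug 17 09:08:00 host01 cron: unrelated message",
]


def parse_event(line):
    """Return (event, ip, user) for a recognised line, or None."""
    for event, pattern in PROFILES:
        match = pattern.search(line)
        if not match:
            continue
        try:
            # Syslog content is untrusted input: validate and normalise the IP.
            ip = str(ipaddress.ip_address(match.group("ip")))
        except ValueError:
            return None
        return event, ip, match.group("user").lower()
    return None


def apply_events(lines):
    """Build the IP-to-user table; return (mappings, number of ignored lines)."""
    mappings = {}
    ignored = 0
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            ignored += 1
            continue
        event, ip, user = parsed
        if event == "login":
            mappings[ip] = user
        elif mappings.get(ip) == user:
            # Logout of the user who currently owns the address: drop the mapping.
            del mappings[ip]
        else:
            # Stale or mismatched logout: leave the existing mapping untouched.
            ignored += 1
    return mappings, ignored


if __name__ == "__main__":
    table, skipped = apply_events(SAMPLE_LINES)
    print(table, skipped)
```

The mismatched logout and the malformed address are both ignored, so a relayed message cannot remove or create a mapping it does not correspond to.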


App-ID Features

New App-ID Features

SaaS Application Visibility for User Groups
To help you monitor the assortment of SaaS applications that serve the productivity needs of the user groups on your network and ensure the security and data integrity demands for the organization, the SaaS Application Usage PDF report now includes data on user groups. The report highlights the most used applications by user groups and presents the volume of data each user group transfers using sanctioned and unsanctioned applications. For a more granular view, you can customize the report to show application usage for a specific user group, application usage on a specific security zone, and report on application usage by multiple user groups within a security zone.
In addition to the enhancements in the PDF report, you can now use the ACC to visualize SaaS activity trends on your network. The ACC includes global filters for viewing SaaS application usage based on risk rating or by the number of sanctioned and unsanctioned applications in use on your network.

ALG Support for IPv6
The firewall can now safely enable Session Initiation Protocol (SIP) and Skinny Client Control Protocol (SCCP) for IPv6 and dual-stack networks. You can safely allow these protocols without opening a wide range of ports to allow the traffic.

DecryptionFeatures

NewDecryptionFeatures Description

Decryption for Elliptical Curve Cryptography (ECC) Certificates
Firewalls enabled to decrypt SSL traffic now decrypt SSL traffic from websites and applications using ECC certificates, including Elliptical Curve Digital Signature Algorithm (ECDSA) certificates. As some organizations transition to using ECC certificates to take advantage of benefits such as strong keys and small certificate size, this feature ensures that you maintain visibility into and can safely enable ECC-secured application and website traffic.
Decryption for websites and applications using ECC certificates is not supported for traffic that is mirrored to the firewall; encrypted traffic using ECC certificates must pass through the firewall directly for the firewall to decrypt it.

Management for Decryption Exclusions
You now have increased flexibility to manage traffic excluded from decryption. New, centralized SSL decryption exclusion management enables you to both create your own custom decryption exclusions, and to review Palo Alto Networks predefined decryption exclusions in a single place:
- A simplified workflow allows you to easily exclude traffic from decryption based on hostname.
- The firewall does not decrypt applications that are known to break during decryption. Now, you can view these decryption exceptions directly on the firewall. Updates and additions to the Palo Alto Networks predefined decryption exclusions are delivered to the firewall in content updates and are enabled by default.

Perfect Forward Secrecy (PFS) Support with SSL Inbound Inspection
PAN-OS 7.1 introduced PFS for SSL Forward Proxy decryption; now, in PAN-OS 8.0, PFS support is extended to SSL Inbound Inspection. PFS ensures that data from sessions undergoing decryption cannot later be retrieved if server private keys are compromised. You can enforce Diffie-Hellman key exchange-based PFS (DHE) and elliptic curve Diffie-Hellman (ECDHE)-based PFS for decrypted SSL traffic.


Virtualization Features

New Virtualization Features | Description

VM-Series Firewall Performance Enhancements and Expanded Model Line
This feature introduces improved performance, capacity, and efficiency for all VM-Series firewalls, including three new VM-Series models: VM-50, VM-500, and VM-700. The VM-Series model lineup now covers a wide variety of firewalls from small optimized firewalls in resource-constrained environments to large, high-performance firewalls for deployment in a diverse range of Network Function Virtualization (NFV) use cases. You can also leverage the expanded range of VM-Series models coupled with flexibility and per-tenant isolation of VM-Series models to deploy multi-tenant solutions.
- VM-50 Firewall: A virtual firewall with an optimized compute resource footprint. This firewall is ideal for use in virtual customer premises equipment (vCPE) and high-density multi-tenancy solutions for managed security service providers (MSSP).
- VM-500 and VM-700 Firewalls: When utilizing a larger compute resource footprint, these virtual firewalls provide high performance and capacity. The VM-500 and VM-700 firewalls are ideal in NFV use cases for service provider infrastructure and data center roles.
- VM-100, VM-200, VM-300, VM-1000-HV Firewalls: Existing VM-Series models now feature increased performance, capacity, and efficiency when compared to the same compute resources in earlier release versions. This release also consolidates the VM-200 with the VM-100 and the VM-1000-HV with the VM-300, which means that the VM-100 and VM-200 are now functionally identical, as are the VM-300 and VM-1000-HV.
In addition, VM-Series firewall models are now distinguished by session capacity and the number of maximum effective vCPU cores (instead of only session capacity).

CloudWatch Integration for the VM-Series Firewall on AWS
VM-Series firewalls on AWS can now natively send PAN-OS metrics to AWS CloudWatch for advanced monitoring and auto-scaling policy decisions. The CloudWatch integration enables you to monitor the capacity, health status, and availability of the firewalls with metrics such as total number of active sessions, GlobalProtect gateway tunnel utilization, or SSL proxy utilization, so that the security tier comprising the VM-Series firewalls can scale dynamically when your EC2 workloads scale in response to demand.

Seamless VM-Series Model Upgrade
This release introduces seamless license capacity upgrades of the VM-Series firewall. If a tenant's requirements increase, you can upgrade the capacity to accommodate the changes with minimal traffic and operation disruption. Additionally, VM-Series firewalls now support HA synchronization between VM-Series firewalls of different capacities during the upgrade process.

VM-Series NSX Integration Configuration through Panorama
The new Panorama VMware NSX plugin streamlines the process of deploying the VM-Series firewall for NSX and eliminates the duplicate effort in defining the security-related configuration on both Panorama and the NSX Manager or vCenter server. Panorama now serves as the single point of configuration that provides the NSX Manager with the contextual information required to redirect traffic from the guest virtual machines to the VM-Series firewall. When you commit the NSX configuration, Panorama generates a security group in the NSX environment for each qualified dynamic address group and pushes each steering rule it generates to the NSX Manager. The NSX Manager uses the steering rules to redirect traffic from the virtual machines belonging to the corresponding NSX security group.


Support for NSX Security Tags on the VM-Series NSX Edition Firewall
The VM-Series firewall can now dynamically tag a guest VM with NSX security tags to enable immediate isolation of compromised or infected guests. The universally unique identifier of a guest VM is now part of the Traffic and Threat logs on the firewall. By leveraging threat, antivirus, and malware detection logs on the VM-Series firewall, NSX Manager can place guests in a quarantined security group to prevent lateral movement of the threat in the virtualized data center environment.

New Serial Number Format for the VM-Series Firewall
The serial number format for the VM-Series firewall now displays the name of the hypervisor on which the firewall is deployed so that you can consistently identify the firewalls for license management, and content and software updates. The new format is 15 characters in length, numeric for the bring your own license (BYOL) model, and alphanumeric for the Marketplace models (Bundle 1 or Bundle 2) available in public cloud environments. As part of this change, VM-Series firewalls in AWS now support longer instance ID formats.

VM-Series Bootstrapping with Block Storage
You can now bootstrap the VM-Series firewall in ESXi, KVM, and Hyper-V using block storage. This option provides a bootstrapping solution for environments where mounting a CD-ROM is not supported.

VM-Series License Deactivation API Key
To deactivate a VM-Series license, you must first install a license deactivation API key on your firewall or Panorama. The deactivation API key provides an additional layer of security for communications between the Palo Alto Networks Update Server and VM-Series firewalls and Panorama. The PAN-OS software uses this API key to authenticate with the update and licensing servers.
The API key is available through the Customer Support Portal to administrators with superuser privileges.

Support for VM-Series on Azure Government
Azure Government is a public cloud platform for U.S. government and public sector agencies. The VM-Series firewall on Azure now provides the same robust security features in Azure Government as in the Azure public cloud. On the Azure Government Marketplace, the VM-Series firewall is only available as a bring your own license (BYOL) option because the Azure Government Marketplace does not support pay-as-you-go (PAYG).


Networking Features

New Networking Features | Description

Tunnel Content Inspection
The firewall can now inspect the traffic content of cleartext tunnel protocols:
- Generic Routing Encapsulation (GRE)
- Non-encrypted IPSec traffic (NULL Encryption Algorithm for IPSec and transport mode AH IPSec)
- General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U)
This enables you to enforce Security, DoS Protection, and QoS policies on traffic in these types of tunnels and traffic nested within another cleartext tunnel (for example, Null Encrypted IPSec inside a GRE tunnel). You can also view tunnel inspection logs and tunnel activity in the ACC to verify that tunneled traffic complies with corporate security and usage policies.
The firewall supports tunnel content inspection of GRE and non-encrypted IPSec on all firewall models. It supports tunnel content inspection of GTP-U on PA-5200 Series firewalls and VM-Series firewalls. The firewall is not terminating the GRE, non-encrypted IPSec, or GTP-U tunnel. For information on full GTP inspection, see GPRS Tunneling Protocol (GTP) Security (PAN-OS 8.0.4 and later releases).

Multiprotocol BGP
The firewall now supports Multiprotocol BGP (MP-BGP) so that a firewall enabled with BGP can advertise IPv4 multicast routes and IPv6 unicast routes (in addition to the IPv4 unicast routes it already supports) in BGP Update messages. In this way, MP-BGP provides IPv6 connectivity for your BGP networks that use either native IPv6 or dual-stack IPv4 and IPv6. For example, in a service provider environment, you can offer IPv6 service to customers. In an enterprise environment, you can use IPv6 service from service providers. You can also separate your unicast and multicast traffic so they take different paths, in case you need multicast traffic to undergo less latency or take fewer hops.

Static Route Removal Based on Path Monitoring
You can now use path monitoring to determine if a static or default route is down. If path monitoring to one or more monitored destinations fails, the firewall considers the static or default route down and uses an alternative route so that the traffic is not black-holed (silently discarded). Likewise, the firewall advertises an alternative static route (rather than a failed route) for route redistribution into a dynamic routing protocol.
You can enable path monitoring on static routes between routers, on static routes where a peer does not support Bidirectional Forwarding Detection (BFD), and on static routes where policy-based forwarding (PBF) path monitoring is insufficient because it does not replace failed routes with alternative routes.

IPv6 Router Advertisement for DNS Configuration
To make DNS resolution easier for your IPv6 hosts, the firewall now has enhanced Neighbor Discovery (ND) so that you can provision IPv6 hosts joining the network with Recursive DNS Server (RDNSS) and DNS Search List (DNSSL) options, eliminating the need for a separate DHCPv6 server. The firewall sends IPv6 Router Advertisements with these options; thus, your IPv6 hosts are configured with:
- The addresses of RDNS servers that can resolve DNS queries.
- A list of the domain names (suffixes) that the DNS client appends (one at a time) to an unqualified domain name before entering the domain name into a DNS query.
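
To confirm that hosts on a segment receive only the DNS settings you provisioned, the following added example (not from the release notes or from Palo Alto Networks) parses the RDNSS and DNSSL options of a Router Advertisement as defined in RFC 8106 and reports any server or suffix outside an allow-list. The function names, the allow-list values and the sample bytes are constructed for illustration.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type of a Router Advertisement
OPT_RDNSS = 25           # RFC 8106 Recursive DNS Server option
OPT_DNSSL = 31           # RFC 8106 DNS Search List option


def decode_search_list(data):
    """Decode the zero-padded sequence of DNS names carried in a DNSSL option."""
    names, labels, i = [], [], 0
    while i < len(data):
        length = data[i]
        i += 1
        if length == 0:
            if labels:                       # root label ends one domain name
                names.append(".".join(labels))
                labels = []
            continue                         # otherwise it is trailing padding
        if length > 63 or i + length > len(data):
            raise ValueError("malformed DNSSL label")
        labels.append(data[i:i + length].decode("ascii"))
        i += length
    if labels:
        raise ValueError("unterminated DNSSL name")
    return names


def parse_ra_dns_options(icmp6):
    """Return {'rdnss': [(address, lifetime)], 'dnssl': [(suffix, lifetime)]}."""
    if len(icmp6) < 16 or icmp6[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    found = {"rdnss": [], "dnssl": []}
    off = 16                                 # options follow the 16-byte RA header
    while off < len(icmp6):
        if off + 2 > len(icmp6):
            raise ValueError("truncated option header")
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("bad option length")
        if opt_type in (OPT_RDNSS, OPT_DNSSL):
            # Both options: 2 reserved bytes, a 32-bit lifetime, then the values.
            lifetime = struct.unpack("!I", icmp6[off + 4:off + 8])[0]
            values = icmp6[off + 8:off + opt_len]
            if opt_type == OPT_RDNSS:
                if not values or len(values) % 16:
                    raise ValueError("RDNSS option must hold whole IPv6 addresses")
                for j in range(0, len(values), 16):
                    addr = ipaddress.IPv6Address(values[j:j + 16])
                    found["rdnss"].append((str(addr), lifetime))
            else:
                for name in decode_search_list(values):
                    found["dnssl"].append((name, lifetime))
        off += opt_len
    return found


def audit_ra(icmp6, allowed_servers, allowed_suffixes):
    """List DNS settings in the RA that are not in the provisioned sets."""
    allowed_servers = {str(ipaddress.IPv6Address(a)) for a in allowed_servers}
    findings = []
    parsed = parse_ra_dns_options(icmp6)
    for addr, lifetime in parsed["rdnss"]:
        if lifetime and addr not in allowed_servers:      # lifetime 0 withdraws an entry
            findings.append("unexpected RDNSS " + addr)
    for name, lifetime in parsed["dnssl"]:
        if lifetime and name.lower() not in allowed_suffixes:
            findings.append("unexpected DNSSL " + name)
    return findings


# Constructed sample data (documentation prefix 2001:db8::/32, checksum left at 0).
RA_HEADER = bytes([ND_ROUTER_ADVERT, 0, 0, 0, 64, 0]) + struct.pack("!HII", 1800, 0, 0)
RDNSS_OK = (bytes([OPT_RDNSS, 3, 0, 0]) + struct.pack("!I", 600)
            + ipaddress.IPv6Address("2001:db8::53").packed)
RDNSS_ROGUE = (bytes([OPT_RDNSS, 3, 0, 0]) + struct.pack("!I", 600)
               + ipaddress.IPv6Address("2001:db8:bad::1").packed)
DNSSL_OK = (bytes([OPT_DNSSL, 5, 0, 0]) + struct.pack("!I", 600)
            + b"\x04corp\x07example\x00" + b"\x03lab\x07example\x00" + b"\x00" * 5)
PROVISIONED_RA = RA_HEADER + RDNSS_OK + DNSSL_OK
UNEXPECTED_RA = RA_HEADER + RDNSS_ROGUE + DNSSL_OK
ALLOWED_SERVERS = {"2001:db8::53"}
ALLOWED_SUFFIXES = {"corp.example", "lab.example"}

if __name__ == "__main__":
    for label, ra in (("provisioned", PROVISIONED_RA), ("unexpected", UNEXPECTED_RA)):
        print(label, audit_ra(ra, ALLOWED_SERVERS, ALLOWED_SUFFIXES))
```

The parser reads only the ICMPv6 message, so feed it the payload that follows the IPv6 header of a captured Router Advertisement.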


NDP Monitoring for Fast Device Location
You can now enable Neighbor Discovery Protocol (NDP) monitoring for a dataplane interface on the firewall so that you can view the IPv6 addresses of devices on the link-local network, their corresponding MAC address, and username from User-ID (if the user of that device uses the directory service to log in). Having these three pieces of information in one place about a device that violates a security rule allows you to quickly track the device. You can also monitor IPv6 ND logs to make troubleshooting easier.

Zone Protection for Non-IP Protocols on a Layer 2 VLAN or Virtual Wire
You can now whitelist or blacklist non-IP protocols between security zones or between interfaces within a security zone in a Layer 2 VLAN or on a virtual wire. The firewall normally passes non-IP protocols between Layer 2 zones and between virtual wire zones; with this feature, you can now control non-IP protocols between these zones. For example, if you don't want legacy Windows XP hosts to discover other NetBEUI-enabled hosts on another zone, you can configure a Zone Protection profile to blacklist NetBEUI on the ingress zone.

Global and Zone Protection for Multi-path TCP (MPTCP) Evasions
You can now enable or disable Multipath TCP (MPTCP) globally or for each network zone. MPTCP is an extension of TCP that allows a client to simultaneously use multiple paths (instead of a single path) to connect with a destination host. MPTCP especially benefits mobile users, enabling them to maintain dual connections to both Wi-Fi and cellular networks as they move; this improves both the resilience and quality of the mobile connection and enhances the user experience. However, MPTCP can also potentially be leveraged by attackers as part of an evasion technique. This feature provides the flexibility to enable or disable MPTCP for all firewall traffic or for individual network zones, based on the visibility, performance, and security requirements for each network zone.

Zone Protection for SYN Data Payloads
You can now drop TCP SYN and SYN-ACK packets that contain data in the payload during a three-way handshake. In case the payload is malicious (for example, if it contains command-and-control traffic or it is being used to exfiltrate data), dropping such packets can prevent successful attacks.
The TCP Fast Open option preserves the speed of a connection setup by including data in the payload of SYN and SYN-ACK packets. The Zone Protection profile treats TCP handshakes that use the Fast Open option separately from other SYN and SYN-ACK packets; the profile is set to allow the handshake packets if they contain a valid Fast Open cookie.
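
The decision described in this entry, together with the MPTCP setting in the preceding entry, can be modelled on raw TCP segments. The following is an added example, not PAN-OS code: it drops SYN and SYN-ACK segments that carry data unless a Fast Open cookie option is present, and notes any MPTCP option when MPTCP is disabled for the zone. The function and setting names are hypothetical, the segments are constructed, and a "valid" cookie is approximated by RFC 7413 well-formedness because the release notes do not say how the firewall validates it.

```python
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10
OPT_EOL, OPT_NOP = 0, 1
OPT_MPTCP = 30        # Multipath TCP option kind (RFC 8684)
OPT_FASTOPEN = 34     # TCP Fast Open cookie option kind (RFC 7413)
MPTCP_SUBTYPES = {0: "MP_CAPABLE", 1: "MP_JOIN"}


def parse_tcp(segment):
    """Split a raw TCP segment into (flags, {option kind: data}, payload)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    offset_flags = struct.unpack("!H", segment[12:14])[0]
    header_len = (offset_flags >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    options, i = {}, 20
    while i < header_len:
        kind = segment[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 2 > header_len:
            raise ValueError("truncated option")
        length = segment[i + 1]
        if length < 2 or i + length > header_len:
            raise ValueError("bad option length")
        options.setdefault(kind, segment[i + 2:i + length])
        i += length
    return offset_flags & 0x01FF, options, segment[header_len:]


def classify_handshake(segment, drop_syn_data=True, allow_fast_open=True,
                       mptcp_enabled=False):
    """Return (verdict, notes) for one segment under the given zone settings."""
    flags, options, payload = parse_tcp(segment)
    notes = []
    if OPT_MPTCP in options and not mptcp_enabled:
        data = options[OPT_MPTCP]
        subtype = data[0] >> 4 if data else None
        notes.append("mptcp:" + MPTCP_SUBTYPES.get(subtype, "other"))
    if not flags & TCP_SYN or not payload:
        return "pass", notes                 # only SYN/SYN-ACK data is in scope
    cookie = options.get(OPT_FASTOPEN)
    # Assumption: "valid" means well-formed per RFC 7413 (4 to 16 bytes, even
    # length); only the server that issued the cookie can verify its content.
    well_formed = (cookie is not None and 4 <= len(cookie) <= 16
                   and len(cookie) % 2 == 0)
    if allow_fast_open and well_formed:
        return "pass-fast-open", notes
    if drop_syn_data:
        return "drop-syn-data", notes
    return "pass", notes


def build_segment(flags, options=b"", payload=b""):
    """Build a constructed test segment; options are NOP-padded to 32 bits."""
    options += bytes([OPT_NOP]) * (-len(options) % 4)
    offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIHHHH", 40000, 443, 1, 0,
                         (offset << 12) | flags, 65535, 0, 0)
    return header + options + payload


# Constructed samples: none of these bytes come from a real capture.
SAMPLES = {
    "plain SYN": build_segment(TCP_SYN),
    "SYN with data": build_segment(TCP_SYN, payload=b"GET / HTTP/1.1\r\n"),
    "SYN-ACK with data": build_segment(TCP_SYN | TCP_ACK, payload=b"\x00" * 32),
    "TFO SYN, 8-byte cookie": build_segment(
        TCP_SYN, bytes([OPT_FASTOPEN, 10]) + bytes(range(8)), b"GET / HTTP/1.1\r\n"),
    "TFO SYN, 3-byte cookie": build_segment(
        TCP_SYN, bytes([OPT_FASTOPEN, 5]) + b"\x01\x02\x03", b"data"),
    "MP_CAPABLE SYN": build_segment(TCP_SYN, bytes([OPT_MPTCP, 4, 0x01, 0x81])),
    "ACK with data": build_segment(TCP_ACK, payload=b"established-flow data"),
}


def run_samples(**zone_settings):
    """Classify every constructed sample under one set of zone settings."""
    return {name: classify_handshake(seg, **zone_settings)
            for name, seg in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, notes) in run_samples().items():
        print(f"{name:24} {verdict:15} {notes}")
```

Calling `run_samples(drop_syn_data=False)` shows which of the same segments pass when SYN data is allowed, which is useful when comparing a capture against both settings before an upgrade.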

Hardware IP Address Blocking
When you configure the firewall with a DoS Protection policy or Vulnerability Protection profile to block packets from specific IPv4 addresses, the firewall now automatically blocks that traffic in hardware before those packets use CPU or packet buffer resources. Blocking traffic by default in hardware allows the firewall to stop DoS attacks even faster than blocking traffic in software. If the amount of attack traffic exceeds the hardware block capacity, IP blocking mechanisms in software block the excess traffic. This feature is supported on PA-3060 firewalls, PA-3050 firewalls, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewall models.


Packet Buffer Protection
Packet buffer protection allows you to protect the firewall from being impacted by single-source denial of service (DoS) attacks. These attacks come from sessions or IP addresses that are not blocked by Security policy. After a session is permitted by the firewall, it can generate such a high volume of traffic that it overwhelms the firewall packet buffer and causes the firewall to appear to hang as both attack and legitimate traffic are dropped. The firewall tracks the top packet buffer consumers and gives you the ability to configure global thresholds that specify when action is taken against these sessions. After identifying a session as abusive, the firewall uses Random Early Drop (RED) as a first line of defense to throttle the offending session and then discards the session if the abuse continues. If a particular IP address creates many sessions that are discarded, the firewall blocks it.

Reconnaissance Protection Source Address Exclusion
Zone protection's reconnaissance protection detects and takes action against host sweep and TCP and UDP port scans. This is useful against attackers searching for vulnerabilities. However, it can also negatively impact scanning activities, such as network security testing or fingerprinting. You can now whitelist source addresses to exclude them from reconnaissance protection. This allows you to protect your network from reconnaissance attacks while allowing legitimate monitoring tools.

IKE Peer and IPSec Tunnel Capacity Increases
The PA-7000 Series, PA-5000 Series, and PA-3000 Series models now support more IKE peers and IPSec tunnels than in prior releases. This is a benefit in service provider and large enterprise environments where you need to support many site-to-site VPN peers and IPSec VPN connections between remote sites.

ECMP Enhancement to IP Hash (PAN-OS 8.0.3 and later releases)
ECMP has a new load-balancing option that uses an IP hash of the source address in the packet header. The Use Source Address Only option ensures that all sessions belonging to the same source IP address always take the same path from the available multiple paths, thus making troubleshooting easier.
If you enable the Use Source Address Only option, you shouldn't push the configuration from Panorama to firewalls running PAN-OS 8.0.2 or an earlier PAN-OS 8.0 release.


GlobalProtect Features

New GlobalProtect Features | Description

Clientless VPN
You can now use Clientless VPN for securing remote access to common enterprise web applications that use HTML, HTML5, and JavaScript technologies. Users have the advantage of securing access from SSL-enabled web browsers without installing GlobalProtect client software. This is useful when you need to enable partner or contractor access to applications, and to safely enable unmanaged assets, including personal devices. You can configure the GlobalProtect portal landing page to provide access to web applications based on users and user groups and also allow single sign-on to SAML-enabled applications. Supported operating systems are Windows, Mac, iOS, Android, Chrome, and Linux. Supported browsers are Chrome, Internet Explorer, Safari, and Firefox. This feature requires you to install a GlobalProtect subscription on the firewall that hosts the Clientless VPN from the GlobalProtect portal.

IPv6 for GlobalProtect
GlobalProtect clients and satellites can now connect to portals and gateways using IPv6. This feature allows connections from clients that are in IPv6-only environments, IPv4-only environments, or dual-stack (IPv4 and IPv6) environments. You can tunnel IPv4 traffic over an IPv6 tunnel and the IP address pool can assign both IPv4 and IPv6 addresses. To use this feature, you must install a GlobalProtect subscription on each gateway that supports GlobalProtect clients that use IPv6 addresses.

Define Split Tunnels by Excluding Access Routes
You can now exclude traffic for specific destination IP subnets from being sent over the VPN tunnel. With this feature, you can send latency-sensitive or high-bandwidth-consuming traffic outside of the VPN tunnel while all other traffic is routed through the VPN for inspection and policy enforcement by the GlobalProtect gateway.

External Gateway Priority by Source Region
GlobalProtect can now use the geographic region of the GlobalProtect client to determine the best external gateway. By including source region as part of the external gateway selection logic, you can ensure that users connect to gateways that are preferred for their current region. This can help avoid distant connections when there are momentary fluctuations of network latency. This can also be used to ensure all connections stay within a region if desired.

Internal Gateway Selection by Source IP Address
GlobalProtect can now restrict internal gateway connection choices based on the source IP address of the client. In a distributed enterprise, this feature allows you to have users from a branch authenticate and send HIP reports to the firewall configured as the internal gateway for that branch, as opposed to authenticating and sending HIP reports to all branches.

GlobalProtect Agent Login Enhancement
To simplify GlobalProtect agents and prevent unnecessary login prompts when a username and password are not required, the panel that showed portal, username, and password is now split into two screens (one screen for the portal address and another screen for username and password). The GlobalProtect agent now displays login prompts for username and password only if this information is required. GlobalProtect automatically hides the username and password screen for authentication types, such as cookie or client certificate authentication, that do not require a username and password.

Authentication Policy and Multi-Factor Authentication for GlobalProtect
You can leverage the new Authentication Policy and Multi-Factor Authentication enhancements within GlobalProtect to support access to non-HTTP applications that require multi-factor authentication. GlobalProtect can now notify and prompt the user to perform the timely, multi-factor authentication needed to access sensitive network resources.


SAML 2.0 Authentication for GlobalProtect
GlobalProtect portals, gateways, and clients now support SAML 2.0 Authentication. If you have chosen SAML as your authentication standard, GlobalProtect portals and gateways can act as Security Assertion Markup Language (SAML) 2.0 service providers and GlobalProtect clients can authenticate users directly to the SAML identity provider.

Restrict Transparent Agent Upgrades to Internal Network Connections
You can now control when transparent upgrades occur for a GlobalProtect client. With this configuration, if the user connects from outside the corporate network, the upgrade is postponed. Later, when the user connects from within the corporate network, the upgrade is activated. This feature allows you to hold the updates until users can take advantage of good network availability and high bandwidth from within the corporate network. The upgrades will not hinder users when they travel to environments with low bandwidth.

AirWatch MDM Integration
The PAN-OS Windows User-ID agent has been extended to support a new AirWatch MDM Integration service. This service acts as a replacement for the GlobalProtect Mobile Security Manager and enables GlobalProtect to use the host information collected by the service to enforce HIP-based policies on devices managed by VMware AirWatch. Running as part of the PAN-OS Windows User-ID agent, the AirWatch MDM integration service uses the AirWatch API to collect information from mobile devices (including Android and iOS) that are managed by AirWatch and translate this data into host information.

Increased Capacity for Split Tunnel Include Access Routes
(PAN-OS 8.0.2 and later releases) The firewall now supports up to 800 access routes used to include traffic in a split tunnel gateway configuration on Chromebooks and up to 1000 access routes on all other endpoints. This enables you to include a greater number of routes in the traffic sent over the GlobalProtect VPN tunnel than was previously available. Note that the exclude tunnel capacity remains the same at 200 access routes. For upgrade and downgrade considerations for this feature, see the PAN-OS 8.0 New Features Guide.


Changes to Default Behavior

The following topics describe changes to default behavior in PAN-OS and Panorama 8.0:
- Authentication Changes
- Content Inspection Changes
- GlobalProtect Changes
- Management Changes
- Panorama Changes
- VM-Series Firewall Changes
- WildFire Changes

Authentication Changes

PAN-OS 8.0 has the following changes in default behavior for authentication features:

Feature | Change

Hardware security modules
(PAN-OS 8.0.2 and later releases) To downgrade to a release earlier than PAN-OS 8.0.2, you must ensure that the master key is stored locally on Panorama or on the firewall, not on a hardware security module (HSM).

Authentication policy
Authentication policy replaces Captive Portal policy.

Logging
When an authentication event invokes a policy rule, the firewall now generates Authentication logs instead of System logs.

RADIUS and TACACS+
You now use the web interface instead of a CLI command to set the authentication protocol to CHAP or PAP for TACACS+ and RADIUS server profiles.


Content Inspection Changes

PAN-OS 8.0 has the following changes in default behavior for content inspection features:

Feature | Change

TCP settings
The defaults for the following TCP Settings (Device > Setup > Session > TCP Settings) have been changed in 8.0:
- Drop segments without flag is now enabled by default. The corresponding CLI command, set deviceconfig setting tcp drop-zero-flag, is now set to yes by default.
- Drop segments with null timestamp option is now enabled by default. The corresponding CLI command, set deviceconfig setting tcp check-timestamp-option, is now set to yes by default.
- Forward segments exceeding TCP out-of-order queue is now disabled by default. The corresponding CLI command, set deviceconfig setting bypass-exceed-op-queue, is now set to no by default.

Content-ID
Forward segments exceeding TCP App-ID inspection queue (Device > Setup > Content-ID > Content-ID Settings) is now disabled by default. The corresponding CLI command, set deviceconfig setting application bypass-exceed-queue, is now set to no by default.

Zone Protection profiles
In a Zone Protection profile for Packet Based Attack Protection, the default setting is now to drop TCP SYN and SYN-ACK packets that contain data in the payload during a three-way handshake. (In prior PAN-OS releases, the firewall allowed such packets.) By default, a Zone Protection profile is set to allow TCP handshake packets that use the TCP Fast Open option if they contain a valid Fast Open cookie. If you have existing Zone Protection profiles in place when you upgrade to PAN-OS 8.0, the three default settings will apply to each profile and the firewall will act accordingly.

Decryption
The firewall does not support SSL decryption of RSA keys that exceed 8Kb in size. You can either block connections to servers that use certificates with RSA keys exceeding 8Kb or skip SSL decryption for such connections. To block such connections, select Objects > Decryption Profile, edit the profile, select SSL Decryption > SSL Forward Proxy, and in the Unsupported Mode Checks section select Block sessions with unsupported cipher suites. To skip decryption for such connections, clear Block sessions with unsupported cipher suites.

URL Filtering
When a firewall running PAN-OS 8.0 connects with PAN-DB (public or private cloud), it validates the Common Name on the server certificate before establishing an SSL connection. If the validation fails, the connection is refused and the firewall generates a system log.

Data Pattern objects
Objects > Custom Objects > Data Patterns provides predefined patterns (Pattern Type > Predefined Pattern), such as social security numbers and credit card numbers, to check for in the incoming file types that you specify. The firewall no longer supports checking for these predefined patterns in GZIP and ZIP files.

Application filters
You must now select at least one Category when creating or modifying an application filter (Objects > Application Filters). This optimizes firewall performance when filtering applications, as the firewall includes only the categories that are relevant to you.


GlobalProtect Changes

PAN-OS 8.0 has the following changes in default behavior for GlobalProtect features:

Feature | Change

GlobalProtect portals
- The Agent > Gateways tab for GlobalProtect portal configurations is split into two separate tabs: Internal and External. Use the Internal tab to specify internal gateway settings for GlobalProtect agents and apps. Use the External tab to specify external gateway settings for GlobalProtect agents and apps. These are layout changes only; your existing PAN-OS 7.1 configuration is preserved.
- The Disable login page check box on the General tab for GlobalProtect portal configurations is now a Disable command in the Portal Login Page. This is a layout change only; your existing PAN-OS 7.1 configuration is preserved.

GlobalProtect gateways
The Agent > Client Settings > Network Settings tab for GlobalProtect gateway configurations is replaced with two separate tabs: IP Pools and Split Tunnel. These are layout changes only; your existing PAN-OS 7.1 configuration is preserved.

IP address pools
In PAN-OS 7.1 and earlier releases, to prevent potential IP address conflicts, the GlobalProtect gateway did not assign an IP address if the local network IP address sent from the endpoint was in the same subnet as the IP address pool. Users had to configure a second IP address pool that contained addresses from a separate subnet. Beginning in PAN-OS 8.0, when you configure only one IP address pool, GlobalProtect assigns an IP address regardless of subnet overlap. This change may cause warning messages on Windows endpoints. If you are concerned about the warning message, configure a second IP address pool.

Clientless VPN
The option to Allow user to launch unpublished applications is now renamed Display application URL address bar. The new option name better reflects the purpose of this option.

Web interface changes
GlobalProtect has the following minor changes to menu and check box labels. These are changes to wording only; your existing PAN-OS 7.1 configuration is preserved.

Location | PAN-OS 7.1 Label | PAN-OS 8.0 Label
The General tab for GlobalProtect portal configurations | Custom Login Page | Portal Login Page
The General tab for GlobalProtect portal configurations | Custom Help Page | App Help Page
The Agent > External > Add > External Gateway for GlobalProtect portal configurations | If this GlobalProtect gateway can be manually selected | Manual (the user can manually select this gateway)


Management Changes

PAN-OS 8.0 has the following changes in default behavior for firewall and Panorama management features:

Feature | Change

Management access
- By default, the firewall and Panorama no longer allow management access over TLSv1.0 connections. If you accept this default, any scripts that require management access (such as API scripts) must support TLSv1.1 or later TLS versions. To overcome the default restriction, you can configure an SSL/TLS service profile that allows TLSv1.0 and assign the profile to the interface used to access the firewall or Panorama.
- To configure the management (MGT) interface on the firewall, you now select Device > Setup > Interfaces instead of Device > Setup > Management.

Configuration backups
To create a snapshot file for the candidate configuration, you must now select Config > Save Changes instead of Save at the top right of the web interface.

External dynamic lists
- When retrieving an external dynamic list from a source with an HTTPS URL, the firewall now authenticates the digital certificates of the list source. You must configure a certificate profile to authenticate the source. If the source authentication fails, the firewall stops enforcing policy based on the list contents.
- In PAN-OS 7.1, the firewall supported a maximum of 30 unique sources for external dynamic lists and enforced the maximum number even if the external dynamic list was not used in policy. Beginning in PAN-OS 8.0, only the lists you use to enforce policy will count toward the maximum number allowed.
- Entries in an external dynamic list (IP addresses, domains, and URLs) now only count toward the maximum number that the firewall supports if a security policy rule references the external dynamic list.

Anti-Spyware profiles
In PAN-OS 7.1 and earlier releases, passive DNS monitoring was a setting you could enable in an Anti-Spyware Profile. You could attach the Anti-Spyware Profile to a policy rule, and sessions that matched that rule would then trigger passive DNS monitoring. Beginning in PAN-OS 8.0, passive DNS monitoring is a global setting that you can enable through the Telemetry and Threat Intelligence feature, and when enabled, the firewall acts as a passive DNS sensor for all traffic that passes through the firewall.

Service routes
The firewall now uses the new service route Palo Alto Networks Services to access external services that it accessed via the service routes Palo Alto Updates and WildFire Public prior to PAN-OS 8.0.

Content and software updates
Beginning with PAN-OS 8.0, the Verify Update Server Identity global services setting for installing content and software updates is enabled by default (Device > Setup > Services > Global).


Panorama Changes

PAN-OS 8.0 has the following changes in default behavior for Panorama features:

Feature | Change

Management access
To configure interfaces on Panorama, you now select Panorama > Setup > Interfaces (instead of Panorama > Setup > Management).

Log collection
- When adding or editing a Log Collector (Panorama > Managed Collectors), you now configure interfaces in the Interfaces tab, which replaces the Management, Eth1, and Eth2 tabs in the Collector dialog.
- When the Panorama virtual appliance is in Panorama mode and is deployed in a high availability (HA) configuration, you can configure both HA peers to collect logs, not just the active peer.

Commit and push operations
When pushing configurations to managed firewalls or Log Collectors, Panorama now pushes the running configuration instead of the candidate configuration. Therefore, you must commit changes to Panorama before pushing the changes to firewalls or Log Collectors.

Content and software updates
Firewalls and Log Collectors now retrieve software and content updates from Panorama over port 28443 instead of Panorama pushing the updates over port 3978.

VM-Series Firewall Changes

PAN-OS 8.0 has the following changes in default behavior for VM-Series firewalls:

Feature | Change

Management interfaces
In PAN-OS 8.0, the use of hypervisor-assigned MAC addresses and DHCP on management interfaces is enabled on new VM-Series firewall installations. These options are not enabled automatically when upgrading a VM-Series firewall to PAN-OS 8.0 from PAN-OS 7.1 or earlier releases.

Licensing
Beginning with PAN-OS 7.1.7, to deactivate a VM-Series license you must first install a license API key on your firewall or Panorama. For more information, see Virtualization Features.

Large Receive Offload
Large Receive Offload (LRO) is enabled by default on new deployments of the VM-Series firewall for NSX or deployments upgraded to 8.0.

Data Plane Development Kit
Support for Data Plane Development Kit (DPDK) is enabled by default on the VM-Series for KVM and ESXi. However, to take advantage of DPDK, you must install the required NIC driver on your hypervisor. DPDK support is disabled by default on the VM-Series for AWS.


WildFire Changes

PAN-OS 8.0 has the following changes in default behavior for WildFire features:

Feature | Change

Logging
- If you previously enabled WildFire forwarding on your firewall, the firewall now forwards blocked files that match existing signatures, in addition to unknown files, for WildFire analysis. The WildFire Submissions log now includes log entries for blocked files.
- The Action column in the WildFire Submissions log now indicates if the firewall action for a sample was allow or block. In PAN-OS 7.1 and earlier versions, the action displayed for all samples in the WildFire Submissions log was alert.

DoS Protection profiles
When you use a Classified DoS Protection profile for flood protection or a Vulnerability Protection profile that is configured to Block IP addresses, the firewall will now block IP addresses in hardware first, and then in software if the hardware block list has reached its capacity.


CLI and XML API Changes in PAN-OS 8.0

PAN-OS 8.0 has changes to existing CLI commands, which also affect corresponding PAN-OS XML API requests. If you have a script or application that uses these requests, run corresponding CLI commands in debug mode to view the corresponding XML API syntax.
Operational commands are preceded by a greater-than sign (>), while configuration commands are preceded by a hash (#). An asterisk (*) indicates that related commands in the same hierarchy have also changed.
Authentication CLI Changes
Content Inspection CLI Changes
GlobalProtect CLI Changes
Management CLI Changes
User-ID CLI Changes

Authentication CLI Changes

PAN-OS 8.0 has the following CLI and XML API changes for Authentication features:

Feature Change

Authentication policy: With Authentication policy replacing Captive Portal policy, the related CLI commands have changed:
PAN-OS 7.1 and earlier releases:
> show running captive-portal-policy
> test cp-policy-match *
# show rulebase captive-portal *
# set import resource max-cp-rules <0-4000>
# set rulebase captive-portal *
# set shared admin-role <name> role device webui policies captive-portal-rulebase <enable|read-only|disable>
# set import resource max-cp-rules <0-4000>

PAN-OS 8.0 release:
> show running authentication-policy
> test authentication-policy-match *
# show rulebase authentication *
# set import resource max-auth-rules <0-4000>
# set rulebase authentication rules *
# set shared admin-role <name> role device webui policies authentication-rulebase <enable|read-only|disable>
# set import resource max-auth-rules <0-4000>


Certificate management: With the introduction of decryption for Elliptical Curve Cryptography (ECC) Certificates, the following CLI command has been replaced with two algorithm-specific commands:
PAN-OS 7.1 and earlier releases:
# set deviceconfig setting ssl-decrypt fwd-proxy-server-cert-key-size <0|1024|2048>

PAN-OS 8.0 release:
# set deviceconfig setting ssl-decrypt fwd-proxy-server-cert-key-size-rsa <0|1024|2048>
# set deviceconfig setting ssl-decrypt fwd-proxy-server-cert-key-size-ecdsa <0|256|384>

Hardware security modules: CLI commands related to SafeNet Network HSM (formerly Luna SA) now reflect the new name:
PAN-OS 7.1 and earlier releases:
# show deviceconfig system hsm-settings provider safenet-luna-sa *
# set deviceconfig system hsm-settings provider safenet-luna-sa *

PAN-OS 8.0 release:
# show deviceconfig system hsm-settings provider safenet-network *
# set deviceconfig system hsm-settings provider safenet-network *

Content Inspection CLI Changes

PAN-OS 8.0 has the following CLI and XML API changes for content inspection features:

Feature Change

Malicious IP address feeds: With new support for malicious IP address feeds, related CLI commands have changed to support IP addresses, URLs, and domains:
PAN-OS 7.1 and earlier releases:
# set external-list <name> *

PAN-OS 8.0 release:
# set external-list <name> type ip *
# set external-list <name> type predefined-ip *
# set external-list <name> type domain *
# set external-list <name> type url *


GlobalProtect CLI Changes

PAN-OS 8.0 has the following CLI and XML API changes for GlobalProtect features:

Feature Change

IPv6 support: With the introduction of IPv6 support in GlobalProtect, the following CLI commands have been replaced with two protocol-specific commands:
PAN-OS 7.1 and earlier releases:
# set global-protect global-protect-portal <name> portal-config local-address ip <value>

PAN-OS 8.0 release:
# set global-protect global-protect-portal <name> portal-config local-address ip ipv4 <value>
# set global-protect global-protect-portal <name> portal-config local-address ip ipv6 <value>

PAN-OS 7.1 and earlier releases:
# set global-protect global-protect-portal <name> portal-config local-address floating-ip <value>

PAN-OS 8.0 release:
# set global-protect global-protect-portal <name> portal-config local-address floating-ip ipv4 <value>
# set global-protect global-protect-portal <name> portal-config local-address floating-ip ipv6 <value>

Management CLI Changes

PAN-OS 8.0 has the following CLI and XML API changes for firewall and Panorama management features:

Feature Change

Log forwarding: With the introduction of selective log forwarding based on log attributes, you must now specify the name of a custom-filter match list in related CLI commands:
PAN-OS 7.1 and earlier releases:
# show shared log-settings system *
# set shared log-settings system *
# show shared log-settings config *
# set shared log-settings config *
# show shared log-settings hipmatch *
# set shared log-settings hipmatch *
# show shared log-settings profiles <name> *
# set shared log-settings profiles <name> *

PAN-OS 8.0 release:
# show shared log-settings system match-list *
# set shared log-settings system match-list *
# show shared log-settings config match-list *
# set shared log-settings config match-list *
# show shared log-settings hipmatch match-list *
# set shared log-settings hipmatch match-list *
# show shared log-settings profiles <name> match-list *
# set shared log-settings profiles <name> match-list *


User-ID CLI Changes

PAN-OS 8.0 has the following CLI and XML API changes for User-ID features:

Feature Change

IP address-to-username mapping: The operational command to clear User-ID mappings for all IP addresses or a specific IP address has changed:
PAN-OS 7.1 and earlier releases:
> clear user-cache [all | ip]

PAN-OS 8.0 release:
> clear ipuser-cache [all | ip]

The User-ID commands to clear user mappings from the dataplane have changed:
PAN-OS 7.1 and earlier releases:
> clear uid-gids-cache uid <1-2147483647>
> clear uid-gids-cache all

PAN-OS 8.0 release:
> clear uid-cache uid <1-2147483647>
> clear uid-cache all

PAN-OS integrated User-ID agent: CLI commands related to configuring the User-ID agent must now include host-port:
PAN-OS 7.1 and earlier releases:
# set user-id-agent <name> host <ip/netmask>|<value>
# set user-id-agent <name> port <1-65535>
# set user-id-agent <name> ntlm-auth <yes|no>
# set user-id-agent <name> ldap-proxy <yes|no>
# set user-id-agent <name> collectorname <value>
# set user-id-agent <name> secret <value>

PAN-OS 8.0 release:
# set user-id-agent <name> host-port host <ip/netmask>|<value>
# set user-id-agent <name> host-port port <1-65535>
# set user-id-agent <name> host-port ntlm-auth <yes|no>
# set user-id-agent <name> host-port ldap-proxy <yes|no>
# set user-id-agent <name> host-port collectorname <value>
# set user-id-agent <name> host-port secret <value>
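
A migration check for the CLI changes listed in this section, as an added example that is not part of the release notes or any Palo Alto Networks code: it rewrites the renames the tables give one-for-one and flags commands where PAN-OS 8.0 needs a choice the old line does not contain. The function names, the sample script and its argument values are constructed, and it covers CLI lines only, not XML API requests.

```python
import ipaddress
import re
from collections import Counter

END = r"(?=\s|$)"  # keyword must end here, so "host" never matches inside "host-port"

# One-for-one renames taken from the PAN-OS 7.1 -> 8.0 tables in this section.
RENAMES = [
    (r"\bshow running captive-portal-policy" + END, "show running authentication-policy"),
    (r"\btest cp-policy-match" + END, "test authentication-policy-match"),
    (r"\bshow rulebase captive-portal" + END, "show rulebase authentication"),
    # Assumption: tolerate an existing "rules" keyword so it is not doubled.
    (r"\bset rulebase captive-portal(?: rules)?" + END, "set rulebase authentication rules"),
    (r"\bmax-cp-rules" + END, "max-auth-rules"),
    (r"\bcaptive-portal-rulebase" + END, "authentication-rulebase"),
    (r"\bsafenet-luna-sa" + END, "safenet-network"),
    (r"\bclear user-cache" + END, "clear ipuser-cache"),
    (r"\bclear uid-gids-cache" + END, "clear uid-cache"),
    (r"^(set user-id-agent \S+) (host|port|ntlm-auth|ldap-proxy|collectorname|secret)" + END,
     r"\1 host-port \2"),
]

# GlobalProtect portal addresses: the address family can be read from the value itself.
GP_ADDR = re.compile(r"^(set global-protect global-protect-portal \S+ portal-config "
                     r"local-address (?:ip|floating-ip)) (\S+)$")

# Changes that need information the 7.1 command does not carry: flag, do not guess.
REVIEW = [
    (re.compile(r"\bfwd-proxy-server-cert-key-size" + END),
     "pick fwd-proxy-server-cert-key-size-rsa <0|1024|2048> or -ecdsa <0|256|384>"),
    (re.compile(r"^set external-list \S+ (?!type" + END + ")"),
     "insert 'type ip|predefined-ip|domain|url' after the list name"),
    (re.compile(r"^(?:show|set) shared log-settings (?:system|config|hipmatch|profiles \S+)"
                r"(?! match-list" + END + ")" + END),
     "insert 'match-list' and the match list name"),
]


def migrate(line):
    """Return (status, command, note); status is 'unchanged', 'rewritten' or 'review'."""
    m = re.match(r"\s*([>#])\s*", line)           # keep the mode marker used on this page
    prompt, body = (m.group(1) + " ", line[m.end():]) if m else ("", line)
    cmd = " ".join(body.split())                  # normalise whitespace
    new = cmd
    for pattern, replacement in RENAMES:
        new = re.sub(pattern, replacement, new)
    gp = GP_ADDR.match(new)
    if gp:
        try:
            family = ipaddress.ip_interface(gp.group(2)).version
        except ValueError:                        # not a literal address: ask a human
            return ("review", prompt + new, "insert ipv4 or ipv6 before the address value")
        new = f"{gp.group(1)} ipv{family} {gp.group(2)}"
    for pattern, note in REVIEW:
        if pattern.search(new):
            return ("review", prompt + new, note)
    return ("rewritten" if new != cmd else "unchanged", prompt + new, "")


def migrate_script(text):
    """Run migrate() over every non-blank line of a script."""
    return [migrate(line) for line in text.splitlines() if line.strip()]


# Constructed sample: a mix of 7.1-style and 8.0-style lines.
SAMPLE_SCRIPT = """\
> show running captive-portal-policy
# set rulebase captive-portal rules guest-wifi
# set user-id-agent uia1 host 192.0.2.20
# set user-id-agent uia1 host-port port 5007
# set global-protect global-protect-portal gp1 portal-config local-address ip 2001:db8::10
# set deviceconfig setting ssl-decrypt fwd-proxy-server-cert-key-size 2048
# set external-list blocklist url https://edl.example.com/ips.txt
# set shared log-settings system match-list all-critical
> clear uid-gids-cache all
"""

if __name__ == "__main__":
    results = migrate_script(SAMPLE_SCRIPT)
    for status, command, note in results:
        print(f"{status:9} {command}" + (f"   <- {note}" if note else ""))
    print(dict(Counter(status for status, _, _ in results)))
```

Lines reported as review are left in their 7.1 form on purpose; the tables above give the 8.0 options to choose from.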


Associated Software and Content Versions

The following minimum software versions are supported with PAN-OS 8.0. To see a list of the Palo Alto Networks firewalls and appliances that support PAN-OS 8.0, see the Palo Alto Networks Compatibility Matrix.

Palo Alto Networks Software or Content Release Version    Minimum Supported Version with PAN-OS 8.0

Panorama 8.0.2

WF-500 Appliance 8.0.1

User-ID Agent 8.0.0

Terminal Services (TS) Agent 8.0.0

GlobalProtect Agent 4.0.0

Applications and Threat Content Release Version 655

Antivirus Content Release Version 2137


Limitations

The following table includes limitations associated with the PAN-OS 8.0.1 and later releases.

Issue ID Description

PAN-68997 The WildFire appliance cluster membership list may not be accurate if cluster members are offline or the membership list is stale. You can import a configuration from any WildFire appliance or appliance cluster into Panorama, add any connected WildFire appliance to a cluster, and assign it a role in the cluster so that you have more flexibility when configuring and reconfiguring clusters.
After you import a cluster configuration, you can view the cluster members from the Panorama web interface (Panorama > Managed Wildfire Clusters). Check the cluster membership list to ensure that all listed members are nodes in the cluster. Add missing nodes to the cluster as needed.
If you import a WildFire appliance that is already part of a cluster or you import a WildFire appliance and later add it to a cluster using local configuration, the Panorama web interface displays it as a standalone appliance and shows it to be out of sync. To resolve this issue, add the node to the cluster, which syncs the configurations in Panorama.
To avoid an inaccurate membership list, before you add a node to a cluster, make sure that any WildFire appliance you add to the cluster is not a member of another cluster.
Controller and controller backup nodes perform critical cluster management tasks. If you change the controller or controller backup node, ensure that the replacement node is a cluster member. If you inadvertently add a node to more than one cluster, or if you specify a controller or controller backup node that does not belong to the cluster, the consequences vary depending on whether you push the changes to the clusters.
If you did not yet commit the changes on the Panorama appliance, or if you only committed the changes but did not push them yet, then first reconfigure the cluster and Commit to Panorama to avoid unintended consequences.
If you push a misconfiguration to clusters, cluster behavior is unpredictable and can affect more than one cluster if the pushed Panorama configuration includes nodes that are assigned to more than one cluster. If you inadvertently add a node to more than one cluster, make the appropriate change to correct the misconfiguration:
- If you have not committed the configuration on Panorama, remove the node from the cluster.
- If you have already committed the changes on Panorama, remove the node from the cluster and recommit the changes to Panorama.
- If you have already committed the changes on Panorama and pushed the changes to managed WildFire appliance clusters, remove the node from the cluster, and then recommit to Panorama and repush to the WildFire appliance clusters.
If you inadvertently specify a controller or controller backup node that is not a cluster member, make the appropriate change to correct the misconfiguration:
- If you have not committed the configuration on Panorama, specify a valid cluster node as the controller or controller backup node.
- If you have already committed the changes on Panorama, specify a valid cluster node as the controller or controller backup node and Commit to Panorama.
- If you have already committed the changes on Panorama and pushed the changes to managed WildFire appliance clusters, specify a valid cluster node as the controller or controller backup node, and then recommit to Panorama and repush to the WildFire appliance clusters.


Known Issues

The following topics describe known issues in PAN-OS 8.0 releases.

For recent updates to known issues for a given PAN-OS release, refer to
https://live.paloaltonetworks.com/t5/Articles/CriticalIssuesAddressedinPANOSReleases/tap/52882.

Known Issues Related to PAN-OS 8.0 Releases
Known Issues Specific to the WF-500 Appliance

Known Issues Related to PAN-OS 8.0 Releases

The following list includes known issues specific to PAN-OS 8.0 releases, which includes known issues specific to Panorama and GlobalProtect, as well as known issues that apply more generally or that are not identified by an issue ID. See also the Known Issues Specific to the WF-500 Appliance.

Issue ID Description

Upgrading a PA-200 or PA-500 firewall to PAN-OS 8.0 can take 30 to 60 minutes to complete. Ensure uninterrupted power to your firewall throughout the upgrade process.

Panorama 8.0 does not currently support management of appliances running WildFire 7.1 or earlier releases. Even though these management options are visible on the Panorama 8.0 web interface (Panorama > Managed WildFire Clusters and Panorama > Managed WildFire Appliances), making changes to these settings for appliances running WildFire 7.1 or earlier releases has no effect.

GPC-2742 If you configure GlobalProtect portals and gateways to use client certificates and LDAP as two factors of authentication, Chromebook users that are running Chrome OS 47 or later versions can encounter excessive prompts to select a client certificate.
Workaround: To prevent excessive prompts, configure a policy to specify the client certificate in the Google Admin console and deploy that policy to your managed Chromebooks:
1. Log in to the Google Admin console (https://admin.google.com) and select Device management > Chrome management > User settings.
2. In the Client Certificates section, enter the following URL pattern to Automatically Select Client Certificate for These Sites:
{"pattern":"https://[*.]","filter":{}}
3. Click Save. The Google Admin console deploys the policy to all devices within a few minutes.


GPC-1737 By default, the GlobalProtect app adds a route on iOS mobile devices that causes traffic to the GP-100 GlobalProtect Mobile Security Manager to bypass the VPN tunnel.
Workaround: To configure the GlobalProtect app on iOS mobile devices to route all traffic, including traffic to the GP-100 GlobalProtect Mobile Security Manager, to pass through the VPN tunnel, perform the following tasks on the firewall hosting the GlobalProtect gateway (Network > GlobalProtect > Gateways > <gateway-config> > Agent > Client Settings > <client-settings-config> > Network Settings > Access Route):
- Add 0.0.0.0/0 as an access route.
- Enter the IP address for the GlobalProtect Mobile Security Manager as an additional access route.

GPC-1517 For the GlobalProtect app to access an MDM server through a Squid proxy, you must add the MDM server SSL access ports to the proxy server allow list. For example, if the SSL access port is 8443, add acl SSL_ports port 8443 to the allow list.

PAN-81125 (PAN-OS 8.0.3 and later releases) On a firewall configured to connect to Terminal Services (TS) agents, importing a configuration file (Device > Setup > Operations > Import named configuration snapshot) that does not define TS agent connections causes the User-ID service to stop responding.
Workaround: Add an empty TS agent node <tsagent/> under <devices><entry><vsys><entry> in the configuration file before importing it.

PAN-82251 Bootstrapping is not supported on the VM-Series firewall on AWS GovCloud.

PAN-81061 PA-3000 Series firewalls intermittently drop long-lived sessions that are active during a content update if you immediately follow the update with an Antivirus or WildFire update.
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.

PAN-80564 The mgmtsrvr process and other processes repeatedly restart due to abnormal system memory usage on a firewall that forwards logs to a syslog server.
Workaround: In PAN-OS 8.0.4 and later 8.0 releases, you can stop the continuous restarts by running the debug syslog-ng restart CLI command to restart the syslog-ng process.

PAN-79423 Panorama cannot push address group objects from device groups to managed firewalls if zones specify the objects in the User Identification ACL include or exclude lists (Network > Zones) and if the Share Unused Address and Service Objects with Devices option is disabled (Panorama > Setup > Management > Panorama Settings).

PAN-79365 Pushing Panorama template configurations to VM-Series firewalls for NSX removes those firewalls as managed devices on Panorama.
Workaround: Make minor configuration changes to Panorama and select Commit > Commit and Push. Panorama then displays the VM-Series firewalls for NSX as managed devices. You can then select Config > Revert Changes to revert the minor configuration changes to Panorama.
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.

PAN-78224 The firewall truncates passwords to 40 characters when end users try to authenticate through RADIUS in the Captive Portal web form.
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.


PAN-78034 The Threat logs that Zone Protection profiles trigger for scan and packet type events do not record IMSI and IMEI values.
Workaround: Select Monitor > Threat, click the spyglass icon for the Threat log to display additional details, and then double-click the related logs to see the IMSI and IMEI of the subscriber that triggered the Threat log.

PAN-77702 Dynamic address updates take several minutes to complete on Panorama in NSX deployments.

PAN-77671 The firewall identifies traffic to www.onlinetranslator.com as the translator5 application instead of as web browsing.
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.

PAN-77595 PA-7000 Series and PA-5200 Series firewalls forward a SIP INVITE based on route lookup instead of Policy-Based Forwarding (PBF) policy.
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.

PAN-77339 The SafeNet Client 6.2.2 does not support the necessary MAC algorithm (HMAC-SHA1) to work with Palo Alto Networks firewalls that run in FIPS-CC mode.
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.

PAN-77237 Using the debug skip-condor-reports no CLI command to force Panorama 8.0 to query PA-7000 Series firewalls causes PA-7000 Series firewalls running a PAN-OS 7.0 release to reboot. Do not use this command if you use Panorama 8.0 to manage a PA-7000 Series firewall that is running a PAN-OS 7.0 release.

PAN-77213 Panorama does not forward logs to a syslog server over TCP.
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.

PAN-77116 After bootup, the firewall displays error messages such as Error: sysd_construct_sync_importer(sysd_sync.c:328): sysd_sync_register() failed: (111) Unknown error code, even though the bootup is successful.
Workaround: Ignore the error messages; they do not affect the firewall operations.

PAN-77062 Administrators with a custom role cannot delete packet captures.
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.

PAN-76832 Modifying a BFD profile configuration (Network > Network Profiles > BFD Profile) or assigning a different BFD profile (Network > Virtual Routers > BGP) in a virtual router causes the associated routing protocol (BGP) to flap.
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.

PAN-76779 On the PA-5020 firewall, the dataplane restarts continuously when a user accesses applications over a GlobalProtect clientless VPN.
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.


PAN-76509 On firewalls with multiple virtual systems, custom spyware signatures work only on vsys1.

PAN-76270 Operations that require heavy memory usage on Log Collectors (such as ingesting logs at a high rate) cause some other processes to restart.
This issue is now resolved. See PAN-OS 8.0.3 Addressed Issues.

PAN-76162 Panorama 8.0 fails to query PA-7000 Series firewalls running a PAN-OS 7.0 or PAN-OS 7.1 release.
Workaround: Run the debug skip-condor-reports no command and then the debug software restart process reportd command on the Panorama management server so that it can successfully query PA-7000 Series firewalls running a PAN-OS 7.1 release.
Do not use this workaround if you use Panorama 8.0 to manage a PA-7000 Series firewall that is running a PAN-OS 7.0 release (known issue PAN-77237).
This issue is now resolved. See PAN-OS 8.0.3 Addressed Issues.

PAN-76058 When migrating URL categories from BrightCloud to PAN-DB, Panorama does not apply the migration to pre-rules and post-rules.
This issue is now resolved (requires content release version 718 or later). See PAN-OS 8.0.4 Addressed Issues.

PAN-75960 You cannot store the master key on an HSM in PAN-OS 8.0. Doing so will cause the firewall to enter maintenance mode after a reboot, which will require a factory reset.
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.

PAN-75908 Multicast packets with stale session IDs cause the firewall dataplane to restart.
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.

PAN-75881 A regression introduced in PAN-OS 8.0.0 and 8.0.1 causes the firewall dataplane to restart in certain cases when combined with content updates. For details, including the relevance of content release version 709, refer to the associated Customer Advisory.
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.

PAN-75457 (PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, Panorama does not support changing node roles. For example, on Panorama, in a three-node cluster, you cannot configure the worker node as a controller node by adding the high availability and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error: the commit will fail and the cluster becomes unresponsive.

PAN-74886 Panorama does not push a shared address object to firewalls if the object is part of a dynamic address group that uses a tag.
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.


PAN-74652 After a firewall successfully installs a content update received from Panorama, Panorama displays a failure message for that update when the associated job ID on the firewall is higher than 65536.
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.

PAN-74632 The firewall does not clear IP address-to-username mappings or username-to-group mappings after reaching the limit for the number of user groups (100,000), which causes commit failures with the following errors: user-id is not registerd and ser-ID manager was reset. Commit is required to reinitialize User-ID.
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.

PAN-74293 The firewall drops sessions after only 30 seconds of idle traffic instead of after the session timeout associated with the application.
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.

PAN-74139 On the PA-500 firewall, insufficient memory allocation causes SSL decryption errors that result in SSL session failures, and Traffic logs display the Session End Reason as decrypt-error or decrypt-cert-validation.
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.

PAN-73964 Do not upgrade VM-Series firewalls on AWS to PAN-OS 8.0.0 if they are deployed in a high availability (HA) configuration.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.

PAN-73879 You cannot clone the strict file blocking profile in PAN-OS 8.0; however, cloning the basic file blocking profile (or any other Security Profile types) works as expected.
This issue is resolved with content release version 658 and later releases.

PAN-73877 You cannot use the firewall web interface to generate a SAML metadata file for Captive Portal or GlobalProtect if the firewall has multiple virtual systems; after you click the Metadata link associated with an authentication profile, no virtual systems are available to select.
Workaround: Access the firewall CLI, switch to the virtual system where you assigned the authentication profile (set system setting target-vsys <vsys-name>), and generate the metadata file (show sp-metadata [captive-portal | global-protect] vsys <value> authprofile <value> ip-hostname <value>).
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.

PAN-73859 The VM-Series firewall on Azure supports only five interfaces (one management interface and four dataplane interfaces) instead of eight (one management interface and seven dataplane interfaces).
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.

PAN-73849 After you perform a factory reset or private data reset on a fresh installation of the Panorama virtual appliance, the Panorama > Plugins page does not display the preloaded VMware NSX plugin and therefore you cannot use the web interface to install the plugin.
Workarounds:
- Use the request plugins install vmware_nsx-<version> CLI command to install the plugin.
- Download the plugin from the Palo Alto Networks Support Portal and then upload the plugin to Panorama. The web interface then displays the plugin for you to install.


PAN-73579 After you upgrade a firewall to PAN-OS 8.0, the firewall does not apply updates to the predefined Palo Alto Networks malicious IP address feeds (delivered through the daily antivirus content updates) until you perform a commit on the firewall.
Workaround: Commit changes to the firewall daily to ensure you always have the latest version of the malicious IP address feeds.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.

PAN-73545 When adding interfaces to a VM-300, VM-500, or VM-700 firewall, you must commit twice for traffic to pass normally.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.

PAN-73530 The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.

PAN-73401 (PAN-OS 8.0.1 and later releases) On a two-node WildFire appliance cluster, if you import the cluster into Panorama, the controller nodes report their state as out-of-sync if either of the following two conditions exists:
- You do not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as a high availability pair. Adding a worker node would make the cluster a three-node cluster.)
- You do not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
- After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
- Configure a worker list on the cluster controller:
admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
(<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. Import the cluster to Panorama and Panorama reports that the controller nodes are in sync. If you want the cluster to have only two nodes, use a different workaround.
- Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is enabled, or that DNS is not enabled:
admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
or
admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
Both commands result in Panorama reporting that the controller nodes are in sync.

PAN-73316 When a GlobalProtect user first logs in with a RADIUS authentication profile, the Domain-UserName appears as user@domain (instead of domain\user) in the PAN-OS web interface.
Workaround: Once a HIP report is generated, the username format is normalized and updated to the correct format.


PAN-73307 When you use the ACC tab to view Tunnel Activity and you Jump to Logs, the Tunnel Inspection logs display tunnel as the tunnel type.
Workaround: Remove tunnel type from the query in tunnel logs.

PAN-73291 If you set up client certificate authentication for GlobalProtect portals and gateways, you can specify a Certificate Profile with multiple certificate authority (CA) certificates that have the same common name. However, authentication fails for client certificates signed by a CA certificate that is not listed first in the Certificate Profile.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.

PAN-73254 After you install the VMware NSX plugin on Panorama in a high availability (HA) deployment, Panorama does not automatically synchronize configuration changes between the HA peers unless you first update settings related to the NSX plugin.
Workaround: Configure the NSX settings and commit your changes to Panorama.
This issue is now resolved. See PAN-OS 8.0.3 Addressed Issues.

PAN-73207 If the firewall integrates with Okta Adaptive as the multi-factor authentication (MFA) vendor, you cannot use push notification as an authentication factor.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.

PAN-73168 If the PAN-OS web interface and the GlobalProtect portal that hosts Clientless VPN applications are configured to share the same FQDN, you can get a 400 Bad Request error from your browser when you try to access the PAN-OS web interface.
Workaround: Best practice is to configure separate FQDNs for the PAN-OS web interface and the GlobalProtect portal that hosts Clientless VPN applications. As a short-term fix, clear the browser cache or close all browser windows and then open a separate browser window to log in to the PAN-OS web interface.
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.

PAN-73006 When logging rates are high, the App Scope Change Monitor and Network Monitor reports sometimes fail to display data when you filter by Source or Destination IP addresses. Additionally, the App Scope Summary report sometimes fails to display data for the Top 5 Bandwidth Consuming Source and Top 5 Threats when logging rates are high.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.

PAN-72894 Panorama does not display HA firewalls (Panorama > Managed Devices) after the configd process stops responding.
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.

PAN-72861 When you configure a PA-5200 Series or PA-7000 Series firewall to perform tunnel-in-tunnel inspection, which includes GRE keep-alive packets (Policies > Tunnel Inspection > Inspection > Inspect Options), and you run the clear session all CLI command while traffic is traversing a tunnel, the firewall temporarily drops tunneled packets.

PAN-72843 If you commit a configuration that enables clientless VPN on multiple GlobalProtect portals using different DNS proxies, the commit fails.
Workaround: Restart the firewall dataplane and repeat the configuration commit.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.


PAN-72402 If you configure a BGP IPv6 aggregate address with an Advertise Filter that consists of both a prefix filter and a next-hop filter, the firewall advertises only the aggregate address and does not advertise the specific routes covered by the Advertise Filter.
Workaround: Remove the next-hop filter so that the firewall advertises both the aggregate address and the more specific routes. This applies only to routes learned from another BGP peer; the firewall advertises locally injected routes as expected without this workaround.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.

PAN-72342 End users who ignore the Duo V2 authentication prompt until it times out can still authenticate successfully to a GlobalProtect portal configured for two-factor authentication.
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.

PAN-71833 For a TACACS+ authentication profile, the output of the test authentication authentication-profile CLI command intermittently displays authentication/authorization failed for user even though the administrator can successfully log in to the web interface or CLI using the same credentials as were specified in the test command.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.

PAN-71829 In some cases, when you make specific changes on a PA-5000 Series firewall related to certificates or SSL profiles for a GlobalProtect configuration, the dataplane restarts. Changes that result in a restart include configuring a new gateway, changing a certificate linked to GlobalProtect, or changing the minimum or maximum version of the TLS profile linked to GlobalProtect; other types of changes to GlobalProtect configurations do not trigger a dataplane restart.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.

PAN-71765 Deactivating a VM-Series firewall from Panorama completes successfully but the web interface does not update to show that deactivation is complete.
Workaround: View deactivation status from Managed Devices (Panorama > Managed Devices).

PAN-71556 MAC address table entries with a time-to-live (TTL) value of 0 are not removed as expected in Layer 2 deployments, which results in a table that continually grows larger in size.
Workaround: Monitor the number of table entries and run the clear mac all CLI command or reboot as needed to clear the table.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.

PAN-71334 On a PA-5200 Series firewall, when you set up a VoIP call using the Session Initiation Protocol (SIP), you can experience a delay of up to 10 seconds before the firewall transmits the audio/video stream.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.

PAN-71329 Local users and user groups created under Shared (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Clientless VPN > Applications on the GlobalProtect Portal).
Workaround: Create users and user groups under vsys for multiple virtual systems. For single virtual systems (like VM), users and user groups are created under Shared and are not configurable for Clientless VPN applications.


PAN-71271 If the log purging process starts running before log migration begins after an upgrade
to PAN-OS 8.0, the log migration process fails and drops new logs.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
You cannot work around this issue if the log purging process starts before you start migration.
To determine whether log purging has begun, run the less mp-log es_purge.log CLI command,
enter a forward slash ("/"), enter deleting, and check the output. If there are any matches, you
cannot migrate; if there are no matches, then you can start log migration.

PAN-71215 Deactivating a VM-Series firewall from Panorama fails when Panorama is configured to
Verify Update Server Identity (Panorama > Setup > Services > Verify Update Server Identity) and
this setting is disabled on the firewall (Device > Setup > Services); this failure causes the
firewall to become unreachable.
Workaround: Ensure that you configure both Panorama and the VM-Series firewall to Verify Update
Server Identity before you deactivate the firewall.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP
address, then when a user logs out from the GlobalProtect portal, the administrative user is
logged out from the PAN-OS web interface as well. This issue is compounded when the portal is
configured for GlobalProtect Clientless VPN because it can increase the number of users who
access the portal.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the
GlobalProtect portal.

PAN-70353 Clientless VPN does not work if you configure the GlobalProtect portal that hosts the
Clientless VPN on an interface with DHCP Client enabled.
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.
Workaround: Configure the interface to use static IP addresses.

PAN-70323 Firewalls running in FIPS-CC mode do not allow import of SHA-1 CA certificates even
when the private key is not included; instead, firewalls display the following error: Import
of <cert name> failed. Unsupported digest or keys used in FIPS-CC mode.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.

PAN-70181 PA-7000 Series firewalls that run a large number of scheduled daily reports (near 1,000
or more) will eventually experience a memory issue that causes CLI commands to fail and
ultimately causes SSH connection attempts to the management IP address to fail, as well.
Workaround: Monitor memory usage and restart the mgmtsrvr process when mgmtsrvr virtual memory
exceeds 6GB or mgmtsrvr resident memory exceeds 4GB.

PAN-70119 The firewall maps users to the Kerberos Realm defined in authentication profiles
(Device > Authentication Profiles) instead of extracting the realm from Kerberos tickets.

PAN-70046 A standard 404 browser error displays if you try to use GlobalProtect Clientless VPN
without the correct content release version.
Workaround: Clientless VPN requires you to install a GlobalProtect subscription on the firewall
that hosts the Clientless VPN from the GlobalProtect portal. Additionally, you need
GlobalProtect Clientless VPN dynamic updates to use this feature.

PAN-70027 (PLUG-216) The output of the show object registered-IP all command does not include
the Source of IP tag (service profile name and ID).
This issue is resolved with the VMware NSX 1.0.1 plugin.

PAN-70023 Authentication using auto-filled credentials intermittently fails when you access an
application using GlobalProtect Clientless VPN.
Workaround: Manually enter the credentials.

PAN-69932 The Panorama web interface and CLI respond slowly when numerous NSX plugins are in
progress.

PAN-69874 When the PAN-OS XML API sends user mappings with no timeout value to a firewall that
has the Enable User Identification Timeout option disabled, the firewall assigns the mappings a
timeout of 60 minutes instead of never.
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.

PAN-69505 When viewing an external dynamic list that requires client authentication and you Test
Source URL, the firewall fails to indicate whether it can reach the external dynamic list
server and returns a URL access error.

PAN-69367 The firewall incorrectly generates packet diagnostic logs and captures packets for
sessions that are not part of a packet filter (Monitor > Packet Capture).
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.

PAN-69340 When you use a license authorization code (capacity license or a bundle) to bootstrap a
VM-Series firewall, the capacity license is not applied. This issue occurs because the firewall
does not reboot after the license is applied.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
Workaround: Use the request restart software CLI command or reboot the firewall manually to
activate session capacity for a VM-Series firewall.

PAN-69141 On PA-7000 Series firewalls and on Panorama log collectors, log collection processes
consume excess memory and do not process logs as expected. This issue occurs when DNS response
times are slow and scheduled reports contain fields that require DNS lookups.
Workaround: Use the debug management-server report-namelookup disable CLI command to disable
DNS lookups for reporting purposes and then restart the log receiver by running debug software
restart process log-receiver.

PAN-68974 On PA-3000 Series firewalls, you cannot configure a QoS Profile to have a maximum
egress bandwidth (Egress Max) higher than 1Gbps for an aggregate group interface
(Network > Network Profiles > QoS Profile).

PAN-68767 Panorama does not change the connection Status of an NSX manager (Panorama >
VMware NSX > Service Managers) from Unknown to Registered due to a non-existent null value
entry in the NSX manager response.

PAN-67971 When you configure an endpoint running a GlobalProtect agent 3.x release to use a
fully qualified domain name (FQDN) to connect to a dual-stack PAN-OS 8.0 gateway, the firewall
incorrectly displays an IPv6 address instead of an IPv4 address for the connection.
Workaround: Use GlobalProtect agent 4.0 to connect to PAN-OS 8.0.

PAN-67544 Fixed an issue where, when a multicast forwarding information base (MFIB) timed out,
the packet processing process (flow_ctrl) stopped responding, which intermittently caused the
firewall dataplane to restart.

PAN-67422 (PAN-OS 8.0.1 and later releases) The firewall re-registers with WildFire every 15 days
unless a connection failure occurs. If a firewall registered with a standalone WildFire
appliance and then you configure the firewall to register with a WildFire appliance cluster,
the firewall shows as registered both to the cluster and to the standalone appliance, which
creates duplicate entries.
To verify that a firewall is connected to a WildFire appliance and a WildFire appliance
cluster, run the following command on the WildFire cluster and standalone WildFire appliance
to display all firewalls registered to that cluster and appliance:
admin@Panorama> show wildfire-appliance last-device-registration all serial-number <value>
The <value> is the 12-digit serial number of the WildFire cluster controller node or the
WildFire appliance. For example, to view all firewalls on a cluster whose controller node has
the serial number 002001000099, run the following command:
admin@Panorama> show wildfire-appliance last-device-registration all serial-number <002001000099>
Workaround: Run the show wildfire global devices-reporting-data command to show only firewalls
that are reporting data to the WildFire appliance. If a firewall has not submitted a sample to
the WildFire appliance during the past 24 hours, the firewall is not listed.

PAN-66997 On PA-7000 Series, PA-5200 Series, and PA-5000 Series firewalls, users who access
applications over SSL VPN or IPSec tunnels through GlobalProtect experienced one-directional
traffic.
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.

PAN-66122 Tunnel content inspection is not supported in a virtual-system-to-virtual-system
topology.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.

PAN-66032 When you monitor Block IP List entries, an IP address blocked by a Vulnerability
Protection profile or Anti-Spyware profile displays the Block Source to be the Threat ID (TID)
and virtual system (if applicable), instead of the name of the threat that blocked the IP
address. For example, the Block Source displays 41000:vsys1 (or 41000:* if there is no virtual
system).

PAN-63905 Installing a content update or committing configuration changes on the firewall causes
RTP sessions that were created from predict sessions to move from an active state to a discard
state.

PAN-63274 When you configure tunnel content inspection for traffic in a shared gateway topology
(the firewall has multiple virtual systems), inner flow sessions installed on dataplane 1 (DP1)
will fail. Additionally, when networking devices behind the shared gateway initiate traffic,
that traffic doesn't reach the networking devices behind the virtual systems.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.

PAN-62820 If you use the Apple Safari browser in Private Browsing mode to request a service or
application that requires multi-factor authentication (MFA), the firewall does not redirect you
to the service or application even after authentication succeeds.

PAN-62453 Entering vSphere maintenance mode on a VM-Series firewall without first shutting down
the Guest OS for the agent VMs causes the firewall to shut down abruptly and causes issues that
persist after the firewall is powered on again. Refer to Issue 1332563 in the VMware release
notes: https://www.vmware.com/support/pubs/nsx_pubs.html.
Workaround: VM-Series firewalls are Service Virtual Machines (SVMs) pinned to ESXi hosts and
should not be migrated. Before you enter vSphere maintenance mode, use the VMware tools to
ensure a graceful shutdown of the VM-Series firewall.

PAN-61840 The show global-protect-portal statistics CLI command is not supported.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.

PAN-61834 The firewall captures packets of IP addresses that are not included in the packet
filter (Monitor > Packet Capture).

PAN-58872 The automatic license deactivation workflow for firewalls with direct internet access
does not work.
Workaround: Use the request license deactivate key features <name> mode manual CLI command to
Deactivate a Feature License or Subscription Using the CLI. To Deactivate a VM, choose Complete
Manually (instead of Continue) and follow the steps to manually deactivate the VM.

PAN-56217 You cannot configure multiple DNS proxy objects that specify for the firewall to listen
for DNS requests on the same interface (Network > DNS Proxy > Interfaces). If multiple DNS
proxy objects are configured with the same interface, only the first DNS proxy object settings
are applied.
Workaround: If there are DNS proxy objects configured with the same interface, you must modify
the DNS proxy objects so that each object specifies unique interfaces:
To modify a DNS proxy object that specifies only one interface, delete the DNS proxy object and
reconfigure the object with an interface that is not shared among any other objects.
To modify a DNS proxy object configured with multiple interfaces, delete the interface that is
shared with other DNS proxy objects, click OK to save the modified object, and then Commit.

PAN-55825 Performing an AutoFocus remote search that is targeted to a PAN-OS firewall or
Panorama does not work correctly when the search condition contains a single or double
quotation mark.

PAN-55437 High availability (HA) for VM-Series firewalls does not work in AWS regions that do not
support the signature version 2 signing process for EC2 API calls. Unsupported regions include
AWS EU (Frankfurt) and Korea (Seoul).

PAN-55203 When you change the reporting period for a scheduled report, such as the SaaS
Application Usage PDF report, the report can have incomplete or no data for the reporting
period.
Workaround: If you need to change the reporting period for any scheduled report, create a new
report for the desired time period instead of modifying the time period on an existing report.

PAN-54531 The firewall stops writing new Traffic and Threat logs to storage because the Automated
Correlation Engine uses disk space in a way that prevents the firewall from purging older logs.

PAN-54254 In Traffic logs, the following session end reasons for Captive Portal or a
GlobalProtect SSL VPN tunnel indicated the incorrect reason for session termination:
decrypt-cert-validation, decrypt-unsupport-param, or decrypt-error.

PAN-53825 For the VM-Series NSX edition firewall, when you add or modify an NSX service profile
zone on Panorama, you must perform a Panorama commit and then perform a Device Group commit
with the Include Device and Network Templates option selected. To successfully redirect traffic
to the VM-Series NSX edition firewall, you must perform both a Template and a Device Group
commit when you modify the zone configuration to ensure that the zones are available on the
firewall.

PAN-53663 When you open the SaaS Application Usage report (Monitor > PDF Reports > SaaS
Application Usage) on multiple tabs in a browser, each for a different virtual system (vsys),
and you then attempt to export PDFs from each tab, only the first request is accurate; all
successive attempts will result in PDFs that are duplicates of the first report.
Workaround: Export only one PDF at a time and wait for that export process to finish before you
trigger the next export request.

PAN-53601 Panorama running on an M-500 appliance cannot connect to a SafeNet Network or Thales
nShield Connect hardware security module (HSM).

PAN-51969 On the NSX Manager, when you unbind an NSX Security Group from an NSX Security Policy
rule, the dynamic tag and registered IP address are updated on Panorama but are not sent to the
VM-Series firewalls.
Workaround: To push the Dynamic Address Group updates to the VM-Series firewalls, you must
manually synchronize the configuration with the NSX Manager (Panorama > VMware Service Manager
and select NSX Config-Sync).

PAN-51952 If a security group overlap occurs in an NSX Security policy where the same security
group is weighted with a higher and a lower priority value, the traffic may be redirected to
the wrong service profile (VM-Series firewall instance). This issue occurs because an NSX
Security policy with a higher weight does not always take precedence over a policy with a lower
weight.
Workaround: Make sure that members that are assigned to a security group are not overlapping
with another Security group and that each security group is assigned to a unique NSX Security
policy rule. This allows you to ensure that NSX Security policy does not redirect traffic to
the wrong service profile (VM-Series firewall).

PAN-51870 When using the CLI to configure the management interface as a DHCP client, the commit
fails if you do not provide all four DHCP parameters in the command. For a successful commit
when using the set deviceconfig system type dhcp-client command, you must include each of the
following parameters: accept-dhcp-domain, accept-dhcp-hostname, send-client-id, and
send-hostname.

PAN-51869 Canceling pending commits does not immediately remove them from the commit queue. The
commits remain in the queue until PAN-OS dequeues them.

PAN-51673 BFD sessions are not established between two RIP peers when there are no RIP
advertisements.
Workaround: Enable RIP on another interface to provide RIP advertisements from a remote peer.

PAN-51216 The NSX Manager fails to redirect traffic to the VM-Series firewall when you define new
Service Profile zones for NSX on Panorama. This issue occurs intermittently on the NSX Manager
when you define security rules to redirect traffic to the new service profiles that are
available for traffic introspection and results in the following error: Firewall
configuration is not in sync with NSX Manager. Conflict with Service
Profile Oddhost on service (Palo Alto Networks NGFW) when binding to
host<name>.

PAN-51181 A Palo Alto Networks firewall, M-100 appliance, or WF-500 appliance configured to use
FIPS operational mode fails to boot when rebooting after an upgrade to PAN-OS 7.0 or later
releases.
Workaround: Enable FIPS and Common Criteria support on all Palo Alto Networks firewalls and
appliances before you upgrade to a PAN-OS 7.0 or later release.

PAN-51122 For the VM-Series firewall, if you manually reset a heartbeat failure alarm on the
vCenter server to indicate that the VM-Series firewall is healthy (change color to green), the
vCenter server does not trigger a heartbeat failure alarm again.

PAN-50651 On PA-7000 Series firewalls, one data port must be configured as a log card interface
because the traffic and logging capabilities of this platform exceed the capabilities of the
management port. A log card interface performs WildFire file-forwarding and log forwarding for
syslog, email, and SNMP and these services require DNS support. If you set up a custom service
route for the firewall to perform DNS queries, services using the log card interface might not
be able to generate DNS requests. This is only an issue if you've configured the firewall to
use a service route for DNS requests and, in this case, you must perform a workaround to enable
communication between the firewall dataplane and the log card interface.
Workaround: Enable DNS Proxy on the firewall and do not specify an interface for the DNS proxy
object to use (ensure that Network > DNS Proxy > Interface is not configured).

PAN-50641 Enabling or disabling BFD for BGP or changing a BFD profile that a BGP peer uses causes
BGP to flap.

PAN-50038 When you enable jumbo frames from the CLI on a VM-Series firewall in AWS, the maximum
transmission unit (MTU) size on the interfaces does not increase. The MTU on each interface
remains at a maximum value of 1500 bytes.

PAN-48565 The VM-Series firewall on Citrix SDX does not support jumbo frames.

PAN-48456 IPv6-to-IPv6 Network Prefix Translation (NPTv6) is not supported when configured on a
shared gateway.

PAN-47969 If you log in to Panorama as a Device Group and Template administrator and you rename a
device group, the Panorama > Device Groups page no longer displays any device groups.
Workaround: After you rename a device group, perform a commit, log out, and log back in; the
page then displays the device groups with the updated values.

PAN-47073 Web pages using the HTTP Strict Transport Security (HSTS) protocol do not always
display properly for end users.
Workaround: End users must import an appropriate forward-proxy certificate for their browsers.

PAN-46344 When you use a Mac OS Safari browser, client certificates will not work for Captive
Portal authentication.
Workaround: On a Mac OS system, instruct end users to use a different browser (for example,
Mozilla Firefox or Google Chrome).

PAN-45793 On a firewall with multiple virtual systems, if you add an authentication profile to a
virtual system and give the profile the same name as an authentication sequence in Shared,
reference errors occur. The same errors occur if the profile is in Shared and the sequence with
the same name is in a virtual system.
Workaround: When creating authentication profiles and sequences, always enter unique names,
regardless of their location. For existing authentication profiles and sequences with similar
names, rename the ones that are currently assigned to configurations (for example, a
GlobalProtect gateway) to ensure uniqueness.

PAN-44616 On the ACC > Network Activity tab, if you add the label Unknown as a global filter, the
filter gets added as A1 and query results display A1 instead of Unknown.

PAN-44400 The link on a 1Gbps SFP port on a VM-Series firewall deployed on a Citrix SDX server
does not come up when successive failovers are triggered. This behavior is only observed in a
high availability (HA) active/active configuration.
Workaround: Use a 10Gbps SFP port instead of the 1Gbps SFP port on the VM-Series firewall
deployed on a Citrix SDX server.

PAN-44300 WildFire analysis reports cannot be viewed on firewalls running PAN-OS 6.1 release
versions if connected to a WF-500 appliance in Common Criteria mode that is running PAN-OS 7.0
or later releases.

PAN-43000 Vulnerability detection of SSLv3 fails when SSL decryption is enabled. This occurs when
you attach a Vulnerability Protection profile (that detects SSLv3 CVE-2014-3566) to a Security
policy rule and that Security policy rule and an SSL Decryption policy rule are configured on
the same virtual system in the same zone. After performing SSL decryption, the firewall sees
decrypted data and no longer sees the SSL version number. In this case, the SSLv3 vulnerability
is not identified.
Workaround: SSL Decryption Enhancements were introduced in PAN-OS 7.0 that enable you to
prohibit the inherently weaker SSL/TLS versions, which are more vulnerable to attacks. For
example, you can use a Decryption Profile to enforce a minimum protocol version of TLS 1.2 or
you can Block sessions with unsupported versions to disallow unsupported protocol versions
(Objects > Decryption Profile > SSL Decryption > SSL Forward Proxy and/or SSL Inbound
Inspection).

PAN-41558 When you use a firewall loopback interface as a GlobalProtect gateway interface,
traffic is not routed correctly for third-party IPSec clients, such as StrongSwan.
Workaround: Use a physical firewall interface instead of a loopback firewall interface as the
GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the
loopback interface that is used as the GlobalProtect gateway to be in the same zone as the
physical ingress interface for third-party IPSec traffic.

PAN-40842 When you configure a firewall to retrieve a WildFire signature package, the System log
shows unknown version for the package. For example, after a scheduled WildFire package update,
the system log shows: WildFire package upgraded from version
<unknown version> to 38978-45470. This is a cosmetic issue only and does not prevent the
WildFire package from installing.

PAN-40714 If you access Device > Log Settings on a device running a PAN-OS 7.0 or later release
and then use the CLI to downgrade the device to a PAN-OS 6.1 or earlier release and reboot, an
error message appears the next time you access Log Settings. This occurs because PAN-OS 7.0 and
later releases display Log Settings in a single page whereas PAN-OS 6.1 and earlier releases
display the settings in multiple sub-pages. To clear the message, navigate to another page and
return to any Log Settings sub-page; the error will not recur in subsequent sessions.

PAN-40130 In the WildFire Submissions logs, the email recipient address is not correctly mapped
to a username when configuring LDAP group mappings that are pushed in a Panorama template.

PAN-40079 The VM-Series firewall on KVM, for all supported Linux distributions, does not support
the Broadcom network adapters for PCI-passthrough functionality.

PAN-40075 The VM-Series firewall on KVM running on Ubuntu 12.04 LTS does not support
PCI-passthrough functionality.

PAN-39728 The URL logging rate is reduced when HTTP header logging is enabled in the URL Filtering
profile (Objects > Security Profiles > URL Filtering > URL Filtering profile > Settings).

PAN-39636 Regardless of the Time Frame you specify for a scheduled custom report on a Panorama
M-Series appliance, the earliest possible start date for the report data is effectively the
date when you configured the report. For example, if you configure the report on the 15th of
the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the
16th will include only data from the 15th onward. This issue applies only to scheduled reports;
on-demand reports include all data within the specified Time Frame.
Workaround: To generate an on-demand report, click Run Now when you configure the custom
report.

PAN-39501 Unused NAT IP address pools are not cleared after a single commit, so a commit fails if
the combined cache of unused pools, existing used pools, and new pools exceeds the memory
limit.
Workaround: Commit a second time, which clears the old pool allocation.

PAN-38584 Configurations pushed from Panorama 6.1 and later releases to firewalls running PAN-OS
6.0.3 or earlier PAN-OS 6.0 releases will fail to commit due to an unexpected Rule Type error.
This issue is caused by the Rule Type setting in Security policy rules that was not included in
the upgrade transform and, therefore, the new rule types are not recognized on devices running
PAN-OS 6.0.3 or earlier releases.
Workaround: Only upgrade Panorama to version 6.1 or later releases if you are also planning to
upgrade all managed firewalls running PAN-OS 6.0.3 or an earlier PAN-OS 6.0 release to a PAN-OS
6.0.4 or later release before pushing a configuration to the devices.

PAN-38255 If you perform a factory reset on a Panorama virtual appliance and configure the serial
number, logging does not work until you reboot Panorama or execute the debug software restart
management-server CLI command.

PAN-37511 Due to a limitation related to the Ethernet chip driving the SFP+ ports, PA-5050 and
PA-5060 firewalls will not perform link fault signaling as standardized when a fiber in the
fiber pair is cut or disconnected.

PAN-37177 After deploying the VM-Series firewall, when the firewall connects to Panorama, you
must issue a Panorama commit to ensure that Panorama recognizes the firewall as a managed
device. If you reboot Panorama without committing the changes, the firewall will not connect
back to Panorama; although the device group will display the list of devices, the device will
not display in Panorama > Managed Devices.
Further, if Panorama is configured in an HA configuration, the VM-Series firewall is not added
to the passive Panorama peer until the active Panorama peer synchronizes the configuration.
During this time, the passive Panorama peer will log a critical message:
vm-cfg: failed to process registration from svm device. vm-state: active.
This message is logged until you commit the changes on the active Panorama, which then
initiates synchronization between the Panorama HA peers and the VM-Series firewall is added to
the passive Panorama peer.
Workaround: To reestablish the connection to the managed devices, commit your changes to
Panorama (click Commit and select Commit Type: Panorama). In case of an HA setup, the commit
will initiate the synchronization of the running configuration between the Panorama peers.

PAN-37127 On the Panorama web interface, the Policies > Security > Post Rules > Combined Rules
Preview window does not display post rules and local rules for managed devices.

PAN-37044 Live migration of the VM-Series firewall is not supported when you enable SSL
decryption using the SSL forward proxy method. Use SSL inbound inspection if you need support
for live migration.

PAN-36730 When deleting the VM-Series deployment, all VMs are deleted successfully; however,
sometimes a few instances still remain in the datastore.
Workaround: Manually delete the VM-Series firewalls from the datastore.

PAN-36728 In some scenarios, traffic from newly added guests or virtual machines is not steered
to the VM-Series firewall even when the guests belong to a Security Group and are attached to a
Security Policy that redirects traffic to the VM-Series firewall.
Workaround: Reapply the Security Policy on the NSX Manager.

PAN-36727 The VM-Series firewall fails to deploy with an error message: Invalid OVF Format in
Agent Configuration.
Workaround: Use the following command to restart the ESX Agent Manager process on the vCenter
Server: /etc/init.d/vmware-vpxd tomcat-restart.

PAN-36433 If a high availability (HA) failover occurs on Panorama at the time that the NSX
Manager is deploying the VM-Series NSX edition firewall, the licensing process fails with the
error: vm-cfg: failed to process registration from svm device. vm-state: active.
Workaround: Delete the unlicensed instance of the VM-Series firewall on each ESXi host and then
redeploy the Palo Alto Networks next-generation firewall service from the NSX Manager.

PAN-36409 When viewing the Session Browser (Monitor > Session Browser), using the global refresh
option (top right corner) to update the list of sessions causes the Filter menu to display
incorrectly and clears any previously selected filters.
Workaround: To maintain and apply selected filters to an updated list of sessions, click the
green arrow to the right of the Filters field instead of the global (or browser) refresh
option.

PAN-36394 When the datastore is migrated for a guest, all current sessions are no longer steered
to the VM-Series firewall. However, all new sessions are secured properly.

PAN-36393 When deploying the VM-Series firewall, the Task Console displays Error while
enabling agent. Cannot complete the operation. See the event log for
details. This error displays even on a successful deployment. You can ignore the message if the
VM-Series firewall is successfully deployed.

PAN-36333 The Service dialog for adding or editing a service object in the web interface displays
the incorrect port range for both source and destination ports: 1-65535. The correct port range
is 0-65535 and specifying port number 0 for either a source or destination port is successful.

PAN-36289 If you deploy the VM-Series firewall and then assign the firewall to a template, the
change is not recorded in the bootstrap file.
Workaround: Delete the Palo Alto Networks NGFW Service on the NSX Manager, and verify that the
template is specified on Panorama > VMware Service Manager, register the service, and redeploy
the VM-Series firewall.

PAN-36088 When an ESXi host is rebooted or shut down, the functional status of the guests is not
updated. Because the IP address is not updated, the dynamic tags do not accurately reflect the
functional state of the guests that are unavailable.

PAN-36049 The vCenter Server/vmtools displayed the IP Address for a guest incorrectly after VLAN
tags were added to an Ethernet port. The display did not accurately show the IP addresses
associated with the tagged Ethernet port and the untagged Ethernet port. This issue was seen on
some Linux OS versions such as Ubuntu.

PAN-35903 When you edit a traffic introspection rule (to steer traffic to the VM-Series firewall)
on the NSX Manager, an invalid (tcp) port number error or invalid (udp) port number error
displays when you remove the destination (TCP or UDP) port.
Workaround: Delete the rule and add a new one.

PAN-35875 When defining traffic introspection rules (to steer traffic to the VM-Series firewall)
on the NSX Manager, either the source or the destination for the rule must reference the name
of a Security Group; you cannot create a rule from any to any Security Group.
Workaround: To redirect all traffic to the VM-Series firewall, you must create a Security Group
that includes all the guests in the cluster. Then you can define a security policy that
redirects traffic from and to the cluster so that the firewall can inspect and enforce policy
on the east-west traffic.

PAN-35874 Duplicate packets are being steered to the VM-Series firewall. This issue occurs if you
enable distributed vSwitch for steering in promiscuous mode.
Workaround: Disable promiscuous mode.

PAN-34966 On a VM-Series NSX edition firewall, when adding or removing a Security Group
(Container) that is bound to a Security Policy, Panorama does not get a dynamic update of the
added or removed Security Group.
Workaround: On Panorama > VMware Service Manager, click Synchronize Dynamic Objects to initiate
a manual synchronization to get the latest update.

PAN-34855 On a VM-Series NSX edition firewall, Dynamic Tags (update) do not reflect the actual IP
address set on the guest. This issue occurs because the vCenter Server cannot accurately view
the IP address of the guest.

PAN-33316 Adding or removing ports on the SDX server after deploying the VM-Series firewall can
cause a configuration mismatch on the firewall. To avoid the need to reconfigure the
interfaces, consider the total number of data ports that you require on the firewall and assign
the relevant number of ports on the SDX server when deploying the VM-Series firewall.
For example, if you assign ports 1/3 and 1/4 on the SDX server as data interfaces on the
VM-Series firewall, the ports are mapped to eth1 and eth2. If you then add port 1/1 or 1/2 on
the SDX server, eth1 will be mapped to 1/1 or 1/2, eth2 will be mapped to 1/3 and eth3 to 1/4.
If ports 1/3 and 1/4 were set up as a virtual wire, this remapping will require you to
reconfigure the network interfaces on the firewall.

PAN-31832 The following issues apply when configuring a firewall to use a hardware security
module (HSM):
Thales nShield Connect: The firewall requires at least four minutes to detect that an HSM has
been disconnected, causing SSL functionality to be unavailable during the delay.
SafeNet Network: When losing connectivity to either or both HSMs in a high availability (HA)
configuration, the display of information from the show ha-status or show hsm info command is
blocked for 20 seconds.

PAN-31593 After you configure a Panorama M-Series appliance for HA and synchronize the
configuration, the Log Collector of the passive peer cannot connect to the active peer until
you reboot the passive peer.

PAN-29441 The Panorama virtual appliance does not write summary logs for traffic and threats as
expected after you enter the clear log command.
Workaround: Reboot Panorama management server (Panorama > Setup > Operations) to enable summary
logs.

PAN-29411 In some configurations, when you switch context from Panorama and access the web
interface of a managed device, you are unable to upgrade the PAN-OS software image.
Workaround: Use the Panorama > Device Deployment > Software tab to deploy and install the
software image on the managed device.

PAN-29385 You cannot configure the management IP address on an M-100 appliance while it is
operating as the secondary passive peer in an HA pair.
Workaround: To set the IP address for the management interface, you must suspend the active
Panorama peer, promote the passive peer to active state, change the configuration, and then
reset the active peer to active state.

PAN-29053 By default, the hostname is not included in the IP header of syslog messages sent from
the firewall. However, some syslog implementations require this field to be present.
Workaround: Enable the firewall to include the IP address of the firewall as the hostname in
the syslog header by selecting Send Hostname in Syslog (Device > Setup).

PAN-28794 If a Panorama Log Collector MGT port is configured with an IPv4 address and you want to
have only an IPv6 address configured, you can use the Panorama web interface to configure the
new IPv6 address but you cannot use Panorama to remove the IPv4 address.
Workaround: Configure the MGT port with the new IPv6 address and then apply the configuration
to the Log Collector and test connectivity using the IPv6 address to ensure that you do not
lose access when you remove the IPv4 address. After you confirm the Log Collector is accessible
using the IPv6 address, go to the CLI on the Log Collector and remove the IPv4 address (using
the delete deviceconfig system ip-address command) and then commit your changes.

PAN-25101 IfyouaddaDecryptionpolicyrulethatinstructsthefirewalltoblockSSLtrafficthatwas
notpreviouslybeingblocked,thefirewallwillcontinuetoforwardtheundecryptedtraffic.
Workaround:Usethedebug dataplane reset ssl-decrypt exclude-cachecommand
tocleartheSSLdecryptexcludecache.

PAN-25046 SSHhostkeysusedforSCPlogexportarestoredintheknownhostsfileonthefirewall.
Inahighavailability(HA)configuration,theSCPlogexportconfigurationissynchronized
withthepeerdevice,buttheknownhostfileisnotsynchronized.Whenafailoveroccurs,
theSCPlogexportfails.
Workaround:LogintoeachpeerinHAandTest SCP server connectiontoconfirmthe
hostkeysothatSCPlogforwardingcontinuestoworkafterafailover.

PAN-23732 When you use Panorama templates to schedule a log export (Device > Scheduled Log
Export) to an SCP server, you must log in to each managed device and Test SCP server
connection after the template is pushed. The connection is not established until the
firewall accepts the host key for the SCP server.

PAN-20656 Attempts to reset the master key from the web interface (Panorama > Master Key and
Diagnostics) or the CLI on Panorama will fail. However, this should not cause a problem
when pushing a configuration from Panorama to a device because it is not necessary for
the keys to match.

PAN-20162 If a client PC uses RDP to connect to a server running remote desktop services and the
user logs in to the remote server with a different username, when the User-ID agent
queries the Active Directory server to gather user-to-IP mapping from the security logs,
the second username will be retrieved. For example, if User A logs in to a client PC and then
logs in to the remote server using the username for User B, the security log on the Active
Directory server will record User A, but will then be updated with User B. The username
User B is then picked up by the User-ID agent for the user-to-IP mapping information,
which is not the intended user mapping.

Known Issues Specific to the WF-500 Appliance

The following list includes known issues specific to WildFire 8.0 releases running on the WF-500 appliance.
See also the specific and general Known Issues Related to PAN-OS 8.0 Releases.

Issue ID Description

WF500-4218 This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.
As part of and after upgrading a WildFire appliance to a PAN-OS 8.0 release, rebooting
a cluster node (request cluster reboot-local-node) sometimes results in the node
going offline or failing to reboot.
Workaround: Use the debug cluster agent restart-agent CLI command to bring the
node back online and to restart the cluster agent as needed.

WF500-4200 The Create Date shown when using the show wildfire global sample-status
sha256 equal <hash> and show wildfire global sample-analysis commands is two
hours behind the actual time for WF-500 appliance samples.

WF500-4186 This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.
In a three-node WildFire appliance cluster, if you decommission the backup controller
node or the worker node (request cluster decommission start) and then delete the
cluster-related configuration (high availability and cluster membership) from the
decommissioned node, in some cases, the cluster stops functioning. Running the show
cluster membership command on the primary controller node shows:
Service Summary: Cluster:offline, HA:peer-offline
In this state, the cluster does not function and does not accept new samples for
processing.
Workaround: Reboot the primary controller (run the request cluster
reboot-local-node command on the primary controller's local CLI). After the primary
controller reboots, the cluster functions again and accepts new samples for processing.

WF500-4176 This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.
After you remove a node from a cluster, if the cluster was storing sample information on
that node, the serial number of that node may appear in the list of storage nodes when
you show the sample status (show wildfire global sample-status sha256 equal
<value>) even though the node no longer belongs to the cluster.

WF500-4173 This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.
Integrated reports are not available for firewalls connected to a WF-500 appliance
running in FIPS mode.

WF500-4166 In a WildFire appliance cluster with three or more nodes and with two controller nodes,
if you try to configure a worker node as a controller node, the change should fail because
a cluster can have only two controller nodes (primary and backup controller nodes).
However, the commit operation on the worker node succeeds and causes the cluster to
see the worker node as a third controller node that cannot be allowed in the cluster. This
prevents the converted worker node from connecting to the cluster manager and the
node is removed from the cluster. The result when running the show cluster task
local command displays:
Server error: Cannot connect to cluster-mgr daemon, please check it is running.
Status Report: <node-ip-address>: reported leader <ip-address>, age 0.
<node-ip-address>: quit cluster due to too many controllers.

Workaround: Perform the following tasks to work around this issue:
1. Reconfigure the node to run in worker mode using the set deviceconfig cluster
mode worker command.
2. Run the commit force command. (A standard commit operation fails and returns a
message that the cluster manager is non-responsive.)
3. After the commit force operation succeeds, reboot the node using the request
cluster reboot-local-node command. Until you reboot the node, the node's
application services do not respond.

WF500-4158 This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.
When you upgrade WildFire appliance clusters from Panorama, do not Reboot device
after Install. Rebooting the cluster from Panorama results in an ungraceful reboot that
causes the cluster to become unresponsive in some cases.
Workaround: Push the upgrade from Panorama with Reboot device after Install
disabled. After the software upgrade is complete, reboot each cluster node individually
using the request cluster reboot-local-node command on each node's local CLI.

WF500-4132 If you remove a node from a two-node WildFire appliance cluster by deleting the
high-availability configuration (delete deviceconfig high-availability) and the
cluster configuration (delete deviceconfig cluster), the single remaining cluster
node cannot process samples.
Workaround: Use either of the following workarounds to enable the remaining cluster node
to process samples:
- Make the cluster node a standalone WildFire appliance: Delete the HA and cluster
configurations on the remaining cluster node and reboot the node. The node comes
back up as a standalone WildFire appliance.
- Recreate the cluster: Reconfigure the node you removed as a cluster node by adding
the cluster and HA configurations using the following commands so that both nodes
come back up as cluster nodes and can process samples:
admin@WF-500# set deviceconfig cluster cluster-name <name> interface <cluster-communication-interface> node controller
admin@WF-500# set deviceconfig high-availability enabled yes interface ha1 port <port> peer-ip-address <node-port-ip-address>
admin@WF-500# set deviceconfig high-availability election-option priority (primary | secondary)
admin@WF-500# set deviceconfig high-availability interface ha1-backup peer-ip-address <node-backup-ha-interface-ip-address>

WF500-4047 This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
In a three-node WildFire appliance cluster, decommissioning the active (primary)
controller node fails. Attempting to decommission the active controller node by running
the request cluster decommission start command results in a suspension of
services on the node. Use the show cluster membership command to verify that the
node services (Service Summary and wildfire-apps-service) are suspended.
Workaround: Instead of using the request cluster decommission start command
to decommission the active controller, fail over the active controller so that it becomes
the passive (backup) controller first and then decommission the passive controller:
1. Ensure that preemption is not enabled (Preemptive: no) by running the show
high-availability state command (preemption forces the active controller to
resume its role as the active controller so that after a failover, when the active
controller comes back up the active controller resumes its role as the active
controller instead of becoming the passive backup controller).
If preemption is enabled, disable preemption on the active controller by running the
set deviceconfig high-availability election-option preemptive no
command and then commit the configuration.
2. Fail over the active controller so that it becomes the passive (backup) controller by
running the request cluster reboot-local-node operational command on the
active controller.
3. Wait for the former active controller to come up completely. Its new cluster role is
the passive controller (as shown in the prompt).
4. When the node is in the passive controller state, remove the HA configuration
(delete deviceconfig high-availability) and the cluster configuration (delete
deviceconfig cluster) and then commit the configuration.
5. Decommission the node by running the request cluster decommission start
command.

WF500-4044 Removing a node from a cluster using Panorama is not supported.
Workaround: Delete a node from a cluster using the local WildFire CLI.

WF500-4001 On Panorama, you can configure an authentication profile and Add groups or
administrators to the Allow List in the profile (Panorama > Authentication Profile >
<auth-profile> > Advanced). However, WildFire appliances and appliance clusters
support only the all value for the groups in the allow list for an authentication profile.
The analogous WildFire appliance CLI command is set shared
authentication-profile <name> allow-list [all], with all as the only allowed
parameter.
Attempting to push and commit a configuration that specifies a group or name other than
all in the authentication profile from Panorama to a WildFire appliance or appliance
cluster is not successful. However, Panorama shows that the commit succeeded as the
Last Commit State even though the configuration was not pushed to the WildFire
appliance or appliance cluster. Config Status displays cluster nodes as Out of Sync and
when you click Last Commit State > commit succeeded, the Last Push State Details
displays an error message.
For example, if you Add a group named abcd to an authentication profile named auth5 in
Panorama and then attempt to push the configuration to a WildFire appliance cluster,
Panorama returns the error authentication-profile auth5 allow-list abcd is
not an allowed keyword. This is because WildFire appliances and appliance clusters
see the allow list argument as a keyword, not as a variable, and the only keyword allowed
is all.

WF500-3966 The request cluster join ip <ip-address> CLI command is not functional and
should not be used.

WF500-3935 WildFire appliances build and release all untested signatures to the connected firewalls
every five minutes, which is the maximum time that a signature remains untested (not
released to firewalls). When a WildFire appliance joins a cluster, if any untested
(unreleased) signatures are on the appliance, they may be lost instead of migrating to the
cluster, depending on when the last build of untested signatures occurred.

WF500-3892 The request cluster reboot-all-nodes CLI command is not functional and should
not be used.
Workaround: To reboot all nodes in a cluster, reboot each node individually using the
request cluster reboot-local-node command from the node's local CLI.

WF500-3868 In a WildFire appliance cluster with two controller nodes in an HA configuration, under
certain circumstances, synchronizing the controller node running configurations can
cause a validation error that prevents the configuration from committing on the peer
controller.
When you run the request high-availability sync-to-remote
running-configuration command on one controller node, it overwrites the candidate
configuration on the peer controller and commits the new (synchronized) configuration.
However, if you then change the configuration on the peer controller and commit the
change, the commit fails and returns a validation error:
Validation Error:
template unexpected here
Workaround: To avoid the validation error, on the controller node on which the commit
failed, save the configuration to a file using the save config to <filename> operational
command and then load the saved configuration using the load config from
<filename> command.

WF500-1584 When using a web browser to view a WildFire Analysis Report from a firewall that is
using a WF-500 appliance for file sample analysis, the report may not appear until the
browser downloads the WF-500 certificate. This issue occurs after upgrading a firewall
and the WF-500 appliance to a PAN-OS 6.1 or later release.
Workaround: Browse to the IP address or hostname of the WF-500 appliance, which will
temporarily download the certificate into the browser. For example, if the IP address of
the WF-500 is 10.3.4.99, open a browser and enter https://10.3.4.99. You can
then access the report from the firewall by selecting Monitor > WildFire Submissions,
clicking log details, and then clicking the WildFire Analysis Report tab.

PAN-OS 8.0.4-h2 Addressed Issues

The following table lists the issues that are addressed in the PAN-OS 8.0.4-h2 release. For new features,
associated software versions, known issues, and changes in default behavior in PAN-OS 8.0 releases, see
PAN-OS 8.0 Release Information.

Issue ID Description

PAN-78869 As an enhancement to reduce the sensitivity of your log collection infrastructure to
network latency, you can now use the debug log-collector inter-log-collector
data-compression set on CLI command so that Log Collectors compress the log data
they send to other Log Collectors within a Collector Group. You must run the command
on all the Log Collectors within a Collector Group to enable log compression. By default,
log compression is disabled.

PAN-OS 8.0.4 Addressed Issues

The following table lists the issues that are addressed in the PAN-OS 8.0.4 release. For new features,
associated software versions, known issues, and changes in default behavior in PAN-OS 8.0 releases, see
PAN-OS 8.0 Release Information.

Issue ID Description

WF500-4314 Fixed an issue where the WF-500 appliance incorrectly assigned a malicious verdict to
samples associated with Web Proxy Auto-Discovery Protocol (WPAD) DNS lookups.

PAN-81053 Fixed an issue where the Panorama virtual appliance did not migrate logs from NFS
storage to the virtual disks on a local Log Collector after you switched from Legacy mode
to Panorama mode.

PAN-80766 Fixed an issue where commits failed after upgrading a firewall to PAN-OS 8.0 if, before the
upgrade, that firewall had a tunnel interface configured as the Source Interface for QoS
cleartext traffic (Network > QoS > <QoS_interface> > Clear Text Traffic).

PAN-80445 Fixed an issue where the reportd process had a memory leak.

PAN-80077 Fixed an issue on PA-7000 Series and PA-5200 Series firewalls where users failed to
authenticate when Captive Portal was configured in Redirect mode because the Captive
Portal host session incorrectly timed out after 5 seconds.

PAN-80064 Fixed an issue where the firewall used an incorrect source MAC address for aggregate
Ethernet (AE) interfaces, which caused traffic offload failures.

PAN-80062 Fixed an issue where firewalls running PAN-OS 8.0.3 displayed the error message Not
authorized when administrators with local firewall accounts tried to log in using Kerberos
single sign-on.

PAN-79935 Fixed an issue where the firewall dropped packets when GlobalProtect end users
generated IPv6 traffic.

PAN-79833 Fixed an issue where the firewall randomly dropped packets for traffic that end users
generated after connecting to GlobalProtect.

PAN-79780 Fixed an issue where the firewall could not delete old HA keys, which prevented the
generation of new keys for HA1 encryption.

PAN-79779 Fixed an issue where firewall administrators that PAN-OS authenticated through RADIUS
and authorized through RADIUS Vendor-Specific Attributes (VSAs) could not commit
configuration changes on the firewall.

PAN-79436 Fixed an issue where PA-7000 Series firewalls did not apply changes to the Syslog server
profile configuration until you restarted the syslog-ng process.

PAN-79365 Fixed an issue where pushing template configurations to VM-Series firewalls for NSX
removed those firewalls as managed devices on Panorama.

PAN-79311 Fixed an issue on PA-220 firewalls where, after you modified Security policy, the firewalls
did not rematch the policy against sessions involving file transfers that were in progress
during the policy modification.

PAN-79084 Fixed an issue where fragmented packets in GlobalProtect traffic caused PA-5200 Series
firewalls to stop responding.

PAN-79001 Fixed an issue on PA-5250 and PA-5260 firewalls where QSFP ports 21 to 24 did not
come up when connecting over LR optic connections.

PAN-78932 Fixed an issue where loading definitions for 8.0 SNMP MIBs failed for the PAN-TRAPS.my
MIB. With this fix, you can download the latest enterprise MIBs from
https://www.paloaltonetworks.com/documentation/misc/snmpmibs.html.

PAN-78886 Fixed an issue where the firewall ignored Authentication policy rules for websites that you
added to a custom URL category.

PAN-78456 As an enhancement to the firewall bootstrapping process, you can specify a template stack
in the template parameter (tplname) of the bootstrapping configuration file (init-cfg.txt).

PAN-78390 Fixed an issue where PA-5200 Series firewalls became unresponsive in deployments with
high throughput traffic.

PAN-78342 Fixed an issue where Panorama failed to export a custom report if you set the Database
to a Remote Device Data option (Monitor > Manage Custom Reports).

PAN-78256 Fixed an issue where the firewall stopped responding and processing traffic due to a
packet buffer leak.

PAN-78224 Fixed an issue where the firewall truncated passwords to 40 characters when end users
tried to authenticate through RADIUS in the Captive Portal web form.

PAN-77973 Fixed an issue where the passive firewall in an active/passive HA deployment lost HA
session updates when the active peer had a heavy processing load.

PAN-77671 Fixed an issue where the firewall identified traffic to www.onlinetranslator.com as the
translator5 application instead of as web-browsing.

PAN-77595 Fixed an issue where PA-7000 Series and PA-5200 Series firewalls forwarded a SIP
INVITE based on route lookup instead of on Policy-Based Forwarding (PBF) policy.

PAN-77527 Fixed an issue where PA-5200 Series firewalls throttled packet diagnostic logs even if log
throttling was disabled.

PAN-77213 Fixed an issue where Panorama failed to forward logs to a syslog server over TCP.

PAN-77096 Fixed an issue where GlobalProtect endpoints configured to use the pre-logon Connection
Method with cookie authentication failed to authenticate because they failed to retrieve
framed (static) IP addresses.

PAN-77062 Fixed an issue where administrators with a custom role could not delete packet captures.

PAN-77053 Fixed an issue on PA-7000 Series firewalls where the Egress Interface in a PBF policy rule
(Policies > Policy Based Forwarding > <rule> > Forwarding) was reset to a null value,
which brought down all the interfaces in the slot associated with the Egress Interface and
caused an HA failover.

PAN-77012 Fixed an issue where the firewall evaluated URL filtering-based Security policy rules
without evaluating application-based rules that were higher in the rule evaluation order.

PAN-76832 Fixed an issue in virtual routers where modifying a BFD profile configuration (Network >
Network Profiles > BFD Profile) or assigning a different BFD profile (Network > Virtual
Routers > BGP) caused the associated routing protocol (BGP) to flap.

PAN-76831 Fixed an issue on PA-7000 Series firewalls where committing configuration changes
caused the management server to stop responding and made the web interface and CLI
inaccessible.

PAN-76779 Fixed an issue on a PA-5020 firewall where the dataplane restarted continuously when a
user accessed applications over a GlobalProtect clientless VPN.

PAN-76160 Fixed an issue where a memory leak caused the firewall to create hundreds of LDAP
connections, which resulted in commit failures.

PAN-76130 A security-related fix was made to address OpenSSL vulnerabilities relating to the
Network Time Protocol (NTP) library (CVE-2016-9042/CVE-2017-6460).

PAN-76058 Fixed an issue where Panorama failed to migrate URL categories from BrightCloud to
PAN-DB in policy pre-rules and post-rules; this fix requires content release version 718 or
a later version.

PAN-76042 Fixed an issue where PAN-OS XML API calls for retrieving all threat details associated with
a threat ID returned only threat names.

PAN-75908 Fixed an issue where multicast packets with stale session IDs caused the firewall dataplane
to restart.

PAN-75769 Fixed an issue where the firewall enabled new applications associated with Applications
updates received from Panorama even when you chose to Disable new apps in content
update (Panorama > Device Deployment > Dynamic Updates).

PAN-75571 Fixed an issue where the web interface did not display the full list of IPSec tunnels
(Network > IPSec Tunnels) after upgrading the firewall.

PAN-75505 Fixed an issue where the firewall failed to export a report to PDF, XML, or CSV format if
the report job ID was higher than 65535.

PAN-75412 Fixed an issue where the Monitor > Botnet report displayed the wrong portion of the URL
when the HTTP GET request was too long, while the Monitor > Logs > URL Filtering logs
displayed the URL correctly.

PAN-75045 Fixed an issue where the firewall rejected the default route advertised by an OSPFv3
neighbor with the link-local address fe80::1.

PAN-74959 Fixed an issue where the firewall or Panorama web server stopped responding, which
made the web interface inaccessible until you rebooted.

PAN-74954 Fixed an issue where firewalls did not take template settings from Panorama when you
pushed a template stack that had multiple templates with a Default VSYS (Panorama >
Templates > <template_configuration>).

PAN-74886 Fixed an issue where Panorama failed to push a shared address object to firewalls when
the object was part of a dynamic address group that used a tag.

PAN-74652 Fixed an issue where, after a firewall successfully installed a content update received from
Panorama, Panorama displayed a failure message for that update when the associated job
ID on the firewall was higher than 65536.

PAN-74632 Fixed an issue where the firewall did not clear IP address-to-username mappings or
username-to-group mappings after reaching the maximum supported number of user
groups, which caused commit failures with the following errors: user-id is not
registerd and ldmgr manager was reset. Commit is required to reinitialize
User-ID.

PAN-74411 Fixed an issue where PAN-OS warned you too late during the firewall bootstrapping
process of an error that would cause the process to abort. The late warning occurred when
the error was an init-cfg.txt file that specified an IPv6 address without a corresponding
IPv4 address. With this fix, PAN-OS warns you of this error much earlier in the
bootstrapping process (during the sanity check phase).

PAN-74293 Fixed an issue where the firewall dropped application sessions after only 30 seconds of
idle traffic instead of after the session timeout associated with the application.

PAN-74139 Fixed an issue on the PA-500 firewall where insufficient memory allocation caused SSL
decryption errors that resulted in SSL session failures, and Traffic logs displayed the
Session End Reason as decrypt-error or decrypt-cert-validation.

PAN-74110 Fixed an issue where administrators could not log in to the firewall using LDAP credentials
after a PAN-OS upgrade.

PAN-73270 Fixed an issue where the firewall rebooted if a Syslog Parse profile with the Type set to
Regex Identifier (Device > User Identification > User Mapping > Palo Alto Networks
User-ID Agent Setup > Syslog Filters) matched a null character in a syslog message.

PAN-73053 Fixed an issue where incremental updates failed for registered IP addresses if the firewall
retrieved the updates through VM information sources (Device > VM Information
Sources).

PAN-72894 Fixed an issue where Panorama failed to display HA firewalls (Panorama > Managed
Devices) after the configd process stopped responding.

PAN-72831 Fixed an issue where rebooting the firewall caused it to generate a false critical alarm that
indicated LDAP servers were down.

PAN-72698 Fixed an issue where the web interface did not display the character limit (2,048) when
users tried to save log filters. With this fix, the firewall displays more information in error
messages relating to saving log filters.

PAN-72342 Fixed an issue where end users ignored the Duo V2 authentication prompt until it timed
out but still authenticated successfully to a GlobalProtect portal configured for two-factor
authentication.

PAN-71931 Fixed an issue where Panorama allowed you to add multiple entries for the same firewall
to a Log Forwarding Preferences list while configuring a Collector Group (Panorama >
Collector Groups > <Collector_Group_configuration> > Device Log Forwarding), which
caused a commit failure. With this fix, Panorama prevents you from adding multiple entries
for the same firewall while configuring a Collector Group.

PAN-71226 Fixed an issue where the firewall dataplane restarted because the processes that perform
packet processing stopped responding for HTTP traffic involving URL percent-encoding.

PAN-70119 Fixed an issue where the firewall mapped users to the Kerberos Realm defined in
authentication profiles (Device > Authentication Profiles) instead of extracting the realm
from Kerberos tickets.

PAN-69367 Fixed an issue where the firewall incorrectly generated packet diagnostic logs and
captured packets for sessions that were not part of a packet filter (Monitor > Packet
Capture).

PAN-68974 Fixed an issue on PA-3000 Series firewalls where you could not configure a QoS Profile to
have a maximum egress bandwidth (Egress Max) higher than 1Gbps for an aggregate
group interface (Network > Network Profiles > QoS Profile).

PAN-67618 Fixed an issue where the Panorama XML API request to show all dynamic address groups
did not respond with XML:
http://firewall/api/?type=op&cmd=<show><object><dynamic-address-group><all></all></dynamic-address-group></object></show>

PAN-67544 Fixed an issue where, when a multicast forwarding information base (FIB) timed out, the
process for packet processing (flow_ctrl) stopped responding, which intermittently caused
the firewall dataplane to restart.

PAN-63905 Fixed an issue where RTP sessions that were created from predict sessions went from an
active state to a discard state after you installed a content update or committed
configuration changes on the firewall.

PAN-61834 Fixed an issue where the firewall captured packets of IP addresses not included in the
packet filter (Monitor > Packet Capture).

PAN-60535 Fixed an issue on PA-7000 Series firewalls where NPC slots went down due to missing
heartbeats.

PAN-57490 Fixed an issue where Panorama displayed an error message when you configured an
access domain with 512 or more device groups. With this fix, you can configure up to
1,024 device groups in a single access domain.

PAN-54531 Fixed an issue where the firewall stopped writing new Traffic and Threat logs to storage
because the Automated Correlation Engine used disk space in a way that prevented the
firewall from purging older logs.

PAN-OS 8.0.3-h4 Addressed Issues

The following table lists the issues that are addressed in the PAN-OS 8.0.3-h4 release. For new features,
associated software versions, known issues, and changes in default behavior in PAN-OS 8.0 releases, see
PAN-OS 8.0 Release Information.

Issue ID Description

PAN-79424 Fixed an issue where the firewall dropped packets when GlobalProtect end users
generated traffic with large packets.

PAN-79051 Fixed an issue where the firewall could not process packets that had base64 chaffing
applied.

PAN-78934 Fixed an issue where the firewall did not apply policy rules to HTTP traffic that matched
security profile signatures when the traffic was chunked and had a small chunk size.

PAN-OS 8.0.3 Addressed Issues

The following table lists the issues that are addressed in the PAN-OS 8.0.3 release. For new features,
associated software versions, known issues, and changes in default behavior in PAN-OS 8.0 releases, see
PAN-OS 8.0 Release Information.

Issue ID Description

WF500-4291 Fixed an issue where the WF-500 appliance returned false positives for known, benign
Portable Executable (PE) files.

PAN-78448 Fixed an issue where the firewall dropped some logs that it was configured to forward to
syslog servers.

PAN-77849 Fixed an issue where the Captive Portal web form did not display to end users after you
pushed device group configurations from a Panorama management server running
Panorama 8.0 to a firewall running PAN-OS 7.1.

PAN-77802 Fixed an issue where every commit cleared tunnel flow sessions such as GRE and IPSec
ESP/AH sessions.

PAN-77595 Fixed an issue where PA-7000 Series and PA-5200 Series firewalls forwarded a SIP
INVITE based on route lookup instead of Policy-Based Forwarding (PBF) policy.

PAN-77520 Fixed an issue on PA-7000 Series firewalls with AMC hard drives, model ST1000NX0423,
where the firewalls rebuilt Disk Pair B in the LPC card after a reboot.

PAN-77516 A security-related fix was made to address a Remote Code Execution (RCE) vulnerability
when the PAN-OS DNS Proxy service resolved FQDNs (CVE-2017-8390).

PAN-77400 Fixed an issue on a firewall running PAN-OS 8.0.1 or 8.0.2 where you could not log in to
the web interface after performing a private data reset.

PAN-77339 SafeNet Client 6.2.2 did not support the necessary MAC algorithm (HMAC-SHA1) to work
with Palo Alto Networks firewalls running in FIPS-CC mode.

PAN-77290 Fixed an issue where Panorama displayed a missing vsys error message when you tried
to update dynamic address groups through PAN-OS XML API calls, even if you specified
a virtual system.

PAN-77250 Fixed an issue where the firewall lost offloaded sessions on a subinterface that belonged
to an aggregate interface group and that had QoS enabled.

PAN-77173 A security-related fix was made to prevent remote code execution within the Linux kernel
that the firewall management plane uses (CVE-2016-10229).

PAN-77127 Fixed an issue where the firewall reduced the range of local and remote IKEv2 traffic
selectors in a way that disrupted traffic in a VPN tunnel that a Cisco Adaptive Security
Appliance (ASA) initiated.

PAN-77033 Fixed an issue where using a Panorama management server running PAN-OS 8.0 to
generate a report that queried an unsupported log field from a PA-7050 firewall running
PAN-OS 7.1 slowed the performance of Panorama because the mgmtsrvr process stopped
responding.

PAN-76964 Fixed an issue where interfaces went down due to packet buffers being overwhelmed
after the firewall tried to close the connection to a rogue client that ignored the URL
Filtering block page.

PAN-76890 Fixed an issue where traffic that included a ZIP file caused the all_task process to restart
and the firewall dropped packets while waiting for that process to resume.

PAN-76746 Fixed an issue on the PA-7080 firewall where authentication traffic from a wireless
controller to a RADIUS server failed due to buffer depletion on the firewall.

PAN-76651 Fixed an issue where VM-Series firewalls dropped multicast traffic if you enabled Data
Plane Development Kit (DPDK) on VMXNET3 interfaces.

PAN-76650 Fixed an issue where renaming a shared object on Panorama that Panorama has pushed to
firewalls caused a commit failure if the firewalls referenced that object in local policies.

PAN-76615 Fixed an issue where Panorama failed to Generate Tech Support File (Panorama >
Support).

PAN-76565 Fixed an issue where dynamic content updates failed on the firewall when DNS response
times were slow.

PAN-76454 Fixed an issue on PA-7000 Series and PA-5200 Series firewalls where Generic Routing
Encapsulation (GRE) session creation failed when the firewalls received GRE packets with
a Point-to-Point Protocol (PPP) payload.

PAN-76330 Fixed an issue where the pan_task process stopped, which caused a loss of service and
interruption to OSPF.

PAN-76271 Fixed an issue where you could not access the Panorama web interface or CLI because the
configd process stopped after a Preview Changes operation (Commit > Commit to
Panorama).

PAN-76270 Fixed an issue where operations that required heavy memory usage on Log Collectors
(such as ingesting logs at a high rate) caused some other processes to restart. With this fix,
you can free up memory for processes other than logging and reporting by running the
new debug logdb show-heap-size [4-32] CLI command and setting the memory heap
to a lower size than the default 8GB.

PAN-76184 Fixed an issue where disabling the option to Turn on QoS feature on this interface
(Network > QoS) reduced throughput on 40Gbps interfaces.

PAN-76162 Fixed an issue where Panorama 8.0 did not display logs from PA-7000 Series firewalls
running PAN-OS 7.0 or PAN-OS 7.1.

PAN-76158 Fixed an issue where the firewall allowed Psiphon application sessions to continue without
applying policy rules to them after the firewall ran out of resources (such as while
processing heavy traffic). With this fix, the firewall drops Psiphon sessions after running
out of resources.

PAN-76153 Fixed an issue where PA-5000 Series firewalls dropped traffic because predict sessions
incorrectly matched Policy-Based Forwarding (PBF) policy rules for non-related sessions.

PAN-76144 Fixed an issue where throughput was reduced on PA-5000 Series firewalls that used a
single UDP session on one dataplane to process high rates of tunneled traffic. With this
fix, you can use the set session filter-ip-proc-cpu CLI command to use multiple
dataplanes to process traffic for up to 32 destination server IP addresses. This setting
persists after reboots and upgrades.

PAN-76032 Fixed an issue where the firewall web interface displayed a misspelling in the tooltip that opened when you hovered over Commit when no configuration changes were pending.

PAN-75977 Fixed an issue where users failed to authenticate through a Ucopia LDAP server.

PAN-75617 Fixed an issue where the firewall performed the default signature action for threat vulnerability exceptions instead of performing the Action you set in the Vulnerability Protection profile (Objects > Security Profiles > Vulnerability Protection > Exceptions).

PAN-75580 Fixed an issue where a PAN-OS XML API query to fetch all dynamic address groups failed with an Opening and ending tag mismatch error due to a command buffer limitation.

PAN-75512 Fixed an issue where the firewall failed to decrypt VPN traffic for packets of certain sizes if you set the Encryption algorithm to aes-256-gcm in the IPSec Crypto profile used for the VPN tunnel (Network > Network Profiles > IPSec Crypto).

PAN-75413 Fixed an issue where DHCP servers did not assign IP addresses to new end users (DHCP clients) because the firewall failed to process and relay DHCP messages between the servers and clients after you configured a firewall interface as a DHCP relay agent.

PAN-75372 Fixed an issue where Panorama dropped all administrative users because the management server process restarted.

PAN-75337 Fixed an issue where CPU usage spiked on the firewall during Diffie-Hellman (DHE) or elliptical curve Diffie-Hellman (ECDHE) key exchange for SSL decryption. With this fix, the firewall has enhanced performance for DHE and ECDHE key exchange.

PAN-75304 Fixed an issue where the firewall populated default values for IPSec Crypto profiles that did not have an IPSec Protocol (ESP or AH) defined (Network > Network Profiles > IPSec Crypto); the default values caused an IKE configuration parsing error that prevented IPSec VPN tunnels from coming up.

PAN-75215 Fixed an issue where the active firewall in an HA deployment kept sessions active for an hour instead of discarding them after 90 seconds when the sessions matched the URL category in a policy rule that was set to deny.

PAN-75158 Fixed an issue with network outages on firewalls in a virtual wire HA configuration with HA Preemptive failback enabled (Device > High Availability > General > Election Settings) due to Layer 2 looping after failover events while the firewalls processed broadcast traffic.

PAN-75154 Fixed an issue where the Monitor > Traffic Map displayed the Northwestern Somali region as Solomon Islands instead of Somalia.

PAN-75119 Fixed an issue where IP Address Exemptions in Anti-Spyware profiles (Objects > Security Profiles > Anti-Spyware Profile) did not work for the following threats: Threat ID 14978, Threat ID 14984, and Raven.

PAN-75118 Fixed an issue where commits failed after you added an IPv6 peer group to a virtual router that had Border Gateway Protocol (BGP) enabled (Network > Virtual Routers > BGP > Peer Group) and that had import, export and aggregate rules configured.

PAN-75029 Fixed an issue where the PA-5060 firewall randomly dropped packets and displayed the reason in Traffic logs as resources unavailable.

PAN-74938 Fixed an issue on PA-3000 Series firewalls where SSL sessions failed due to memory depletion in the proxy memory pool; Traffic logs displayed the reason decrypt-error.

PAN-74865 Fixed an issue where Panorama could not push address objects to managed firewalls when zones specified the objects in the User Identification ACL include or exclude lists (Network > Zones) and you configured Panorama to not Share Unused Address and Service Objects with Devices (Panorama > Setup > Management > Panorama Settings).

PAN-74639 Fixed an issue where the root partition on the firewall was low on disk space (requiring you to run the debug dataplane packet-diag clear log log CLI command to free disk space) because the pan_task process generated logs for H.225 sessions.

PAN-74601 Fixed an issue on Panorama where Device Group and Template administrators who had access domains assigned to their accounts could not edit shared security profiles (Objects > Security Profiles) after committing those profiles.

PAN-74579 Fixed an issue where the debug dataplane internal pdt oct show-all CLI command restarted the firewall dataplane.

PAN-74440 Fixed an issue where the firewall generated System logs indicating the l3svc process stopped repeatedly because the cryptod daemon deleted a certificate key associated with an SSL/TLS Service Profile that was used for the URL Admin Override feature (Device > Setup > Content ID) or for Captive Portal (Device > User Identification > Captive Portal Settings).

PAN-74369 Fixed an issue where modifying the BFD profile in a virtual router (Network > Virtual Routers) caused the routed process to stop.

PAN-74334 Fixed an issue on Panorama where the replace device CLI command did not replace the serial numbers of firewalls that policy rules referenced as targets.

PAN-74243 Fixed an issue where, after you used a Panorama template to push DNS server IP addresses (Device > Setup > Services) to a bootstrapped VM-Series firewall, the firewall failed to resolve FQDNs.

PAN-73919 Fixed an issue where you could not use the web interface or CLI to configure a multicast IP address as the Source or Destination in packet filters (Monitor > Packet Capture).

PAN-73916 Fixed an issue where, after you logged in to the firewall with an administrator account that does not have a superuser role and you then tried to Disable an application (Objects > Applications > <application-name>), the firewall displayed an error message that did not indicate the need for superuser privileges.

PAN-73707 Fixed an issue where you could not generate a SCEP certificate if the SCEP Challenge (password) had a semicolon (Device > Certificate Management > SCEP).

PAN-73631 Fixed an issue where end user clients failed on their first attempt to authenticate when you configured Captive Portal for certificate-based authentication and the client certificates exceeded 2,000 bytes.

PAN-73556 Fixed an issue where the firewall did not delete multicast forwarding information base (FIB) entries for multicast groups that stopped receiving traffic.

PAN-73551 Fixed an issue where commits failed with the error syntax error [kmp_sa_lifetime_time ;] if the firewall had IKE Crypto profiles without a Key Lifetime defined (Network > Network Profiles > IKE Crypto).

PAN-73548 Fixed an issue where the firewall used the global service route (Device > Setup > Services > Global) instead of service routes defined for specific virtual systems (Device > Setup > Services > Virtual Systems) if you configured Device > Server Profiles in the Shared location.

PAN-73484 Fixed an issue where the firewall server process (devsrvr) restarted during URL updates.

PAN-73281 Fixed an issue where the firewall dropped multicast traffic on an egress VLAN interface when the traffic was offloaded.

PAN-73254 Fixed an issue where, after you installed the VMware NSX plugin on Panorama in a high availability (HA) configuration, Panorama did not automatically synchronize configuration changes between the HA peers unless you first updated settings related to the NSX plugin.

PAN-73184 Fixed an issue where successive HTTP GET requests in a single session failed if you configured SSL Decryption with the Strip X-Forwarded-For option enabled (Device > Setup > Content-ID).

PAN-72946 Fixed an issue where HA firewalls displayed as out of sync if an SSL/TLS Service Profile without a certificate was assigned to the management (MGT) interface (Device > Setup > Management). With this fix, PAN-OS unassigns the SSL/TLS Service Profile if it doesn't have a certificate.

PAN-72863 Fixed an issue where the User-ID agent (PAN-OS integrated or Windows-based) stopped responding because the firewall sent numerous queries.

PAN-72753 Fixed an issue where you could not configure the 0.0.0.0/1 subnet as a Proxy ID for IPSec VPN tunnels.

PAN-72433 Fixed an issue where the PA-7050 firewall displayed incorrect information for the packet counts and number of bytes associated with traffic on subinterfaces. With this fix, the firewall displays the correct information in the show interface CLI command output and in other sources of information for subinterfaces (such as SNMP statistics and NetFlow record exports).

PAN-72258 Fixed an issue where pushing an ARP load-sharing configuration (Device > High Availability > Active/Active Config > Virtual Address) from Panorama to a firewall deleted it from the firewall.

PAN-71922 Fixed an issue where the firewall did not generate Threat logs for classified DOS protection profiles that had an Action set to SYN Cookies (Objects > Security Profiles > DoS Protection > Flood Protection > SYN Flood).

PAN-71535 Fixed an issue on Panorama where Panorama > Device Deployment > Software stopped displaying software images for a release after you performed a manual Upload for a software image of that release.

PAN-71133 Fixed an issue where the dataplane rebooted after multiple dataplane processes restarted due to memory corruption.

PAN-69449 Fixed an issue where, after a clock change on the firewall (such as for Daylight Savings Time), the ACC did not display information for time periods before the change.

PAN-68808 Fixed an issue on the PA-7050 firewall where the mprelay process experienced a memory leak and stopped responding, which caused slot failures and HA failover.

PAN-68580 Fixed an issue where HA VM-Series firewalls displayed the wrong link state after a link-monitoring failure.

PAN-66076 Fixed an issue where the GlobalProtect portal prompted end users to enter a one-time password (OTP) even after the users entered the OTP for the GlobalProtect gateway and Authentication Override is enabled (Network > GlobalProtect > Portals > <portal-configuration> > Agent > <agent-configuration> > Authentication).

PAN-64639 Fixed an issue where HA firewalls failed to synchronize the PAN-DB URL database.

PAN-62159 Fixed an issue where the firewall did not generate WildFire Submission logs when the number of cached logs exceeded storage resources on the firewall.

PAN-59372 Fixed an issue where neither Panorama nor the firewall generated a System log indicating a password change after you used a Panorama template to push an administrator password change to the firewall.

PAN-56287 Fixed an issue where the firewall discarded VoIP sessions that had multicast destinations.

PAN-46374 Fixed an issue on PA-7000 Series firewalls where you had to power cycle the Switch Management Card (SMC) when it failed to come up after a soft reboot (such as after upgrading the PAN-OS software).

PAN-OS 8.0.2 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS 8.0.2 release. For new features, associated software versions, known issues, and changes in default behavior in PAN-OS 8.0 releases, see PAN-OS 8.0 Release Information.

Issue ID Description

WF500-4218 Fixed an issue where, as part of and after upgrading a WildFire appliance to a PAN-OS 8.0 release, using the request cluster reboot-local-node CLI command to reboot a cluster node intermittently caused the node to go offline or fail to reboot.

WF500-4186 Fixed an issue in a three-node WildFire appliance cluster where, if you decommissioned the backup controller node or the worker node (request cluster decommission start) and then deleted the cluster-related configuration (high availability and cluster membership) from the decommissioned node, the cluster intermittently stopped functioning. Running the show cluster membership CLI command on the primary controller node showed the message: Service Summary: Cluster:offline, HA:peer-offline. In this state, the cluster did not function and did not accept new samples for processing.

WF500-4176 Fixed an issue where, after you removed a node from a cluster that stored sample information on the node, the node serial number appeared in the list of storage nodes when you displayed the sample status (show wildfire global sample-status sha256 equal <value>) even though the node no longer belonged to the cluster.

WF500-4173 Fixed an issue where integrated reports were not available for firewalls connected to a WF-500 appliance running in FIPS mode.

WF500-4158 Fixed an issue where selecting Reboot device after Install when upgrading WildFire appliance clusters from Panorama caused an ungraceful reboot that intermittently made the cluster unresponsive.

PAN-81061 Fixed an issue where PA-3000 Series firewalls dropped long-lived sessions that were active during a content update followed immediately by an Antivirus or WildFire update.

PAN-76517 Fixed an issue where Panorama did not automatically push the updated IP addresses of dynamic address groups from device groups to VM-Series firewalls for NSX.

PAN-76447 Fixed an issue where Panorama running PAN-OS 8.0 did not push aggregate BGP configurations in a template to firewalls running PAN-OS 7.1 or an earlier release.

PAN-76424 Fixed an issue where Security Lifecycle Review reports (Generate Stats Dump File under Device > Support) displayed incorrect subtype values due to Threat ID changes.

PAN-76402 Fixed an issue where the firewall generated System logs of critical severity with the message Could not connect to Cloud : SSL/TLS Authentication Failed even though the firewall had no connection failures.

PAN-76331 Fixed an issue where, after upgrading to PAN-OS 8.0.1, a Network > DNS Proxy object with ten or more Static Entries that mapped to the same IP address caused the firewall DNS daemon to restart, which prevented users from accessing applications that required DNS lookups.

PAN-76265 Fixed an issue where the firewall failed to retrieve user groups from an LDAP server because the server response did not have a page control value.

PAN-76258 Fixed an issue on PA-7000 Series and PA-5200 Series firewalls where users could not access applications and services through GlobalProtect when session distribution was set to round-robin (default).

PAN-76244 Fixed an issue where firewalls were missing a GlobalProtect satellite configuration pushed from a Panorama template.

PAN-76105 Fixed an issue where you had to configure a license deactivation API key to manually deactivate licenses for VM-Series firewalls.

PAN-76104 Fixed an issue where the firewall stopped receiving IP port-to-username mappings from a Terminal Services (TS) agent if you set its Host field to an FQDN instead of an IP address.

PAN-76092 Fixed an issue where reports delivered through the Email Scheduler (Monitor > PDF Reports > Email Scheduler) displayed data totals as bytes instead of kilobytes (K), megabytes (M), or gigabytes (G), which made the totals hard to read.

PAN-76069 Fixed an issue where the firewall could not decrypt SSL connections due to a cache issue, which prevented users from accessing SSL websites.

PAN-76054 Fixed an issue where you could not delete a tunnel interface from a Panorama template (Network > Interfaces > Tunnel).

PAN-76051 Fixed an issue where you could not push a Management (MGT) interface configuration from a Panorama template (Device > Setup > Interfaces) to firewalls unless you specified an IP Address for the interface.

PAN-76030 Fixed an issue on VM-Series firewalls where the dataplane restarted if jumbo frames were enabled on single root input/output virtualization (SR-IOV) interfaces.

PAN-75969 Fixed an issue where the routed process stopped responding after you checked the static route monitoring status through the web interface (Network > Virtual Routers > Routing > Static Route Monitoring) or CLI (show routing path-monitor).

PAN-75960 Fixed an issue where storing the master key on an HSM caused the firewall to enter maintenance mode after a reboot (which required a factory reset).

PAN-75914 Fixed an issue where the M-100 or M-500 appliance lost logs after upgrading from a PAN-OS 7.1 release to a PAN-OS 8.0 release.

PAN-75896 Fixed an issue where the firewall did not accept local IPv6 addresses that were longer than 31 characters when you configured IPv6 BGP peering.

PAN-75881 Fixed an issue where a regression introduced in PAN-OS 8.0.0 and 8.0.1 caused the firewall dataplane to restart in certain cases when combined with content updates. For details, including the relevance of content release version 709, refer to the associated Customer Advisory.

PAN-75863 Fixed an issue on HA Panorama M-100 appliances where the passive peer did not update the local VMware NSX manager plugin after you upgraded from a PAN-OS 7.1 release to a PAN-OS 8.0 release, which caused a plugin mismatch with the active peer.

PAN-75721 Fixed an issue where you could not set the authentication profile Type to None (Device > Authentication Profile) on a firewall in FIPS mode.

PAN-75684 Fixed an issue where a management server memory leak caused several tasks to fail, including commits, PAN-DB URL downloads, dynamic updates, and FQDN or External Dynamic List (EDL) refreshes.

PAN-75397 Fixed an issue where the Panorama management server restarted because the configd process stopped running after an upgrade.

PAN-75132 Fixed an issue where locally created certificates had duplicate serial numbers because the firewall did not check the serial numbers of existing certificates signed by the same CA when generating new certificates.

PAN-75048 Fixed an issue where the firewall used the default route (instead of the next best available route) when the eBGP next hop was unavailable, which resulted in dropped packets. Additionally with this fix, the default time-to-live (TTL) value for a single-hop eBGP peer is changed to 1 (instead of 2).

PAN-74877 Fixed an issue where Panorama took a long time to push configurations from multiple device groups to firewalls.

PAN-74655 Fixed an issue where users experienced slow network connectivity due to CPU utilization spikes in the firewall network processing cards (NPCs) when the URL cache exceeded one million entries.

PAN-74640 Fixed an issue where VM-Series firewalls failed to create predict sessions for RTP and RTCP, which disrupted H.323-based video conferencing traffic. Additionally, fixed an issue where all firewall models dropped RTP packets because policy matching failed for RTP traffic.

PAN-74613 Fixed an issue where the show running url-cache statistics CLI command did not display enough information to diagnose issues related to URL category resolution. With this fix, the error messages indicate what failed and the exact point of failure.

PAN-74575 Fixed an issue where the firewall did not release IP addresses assigned to interfaces after you changed the addressing Type from DHCP Client to Static.

PAN-74548 Fixed an issue where the Export Named Configuration dialog did not let you filter configuration snapshots by Name, which prevented you from selecting snapshots beyond the first 500. With this fix, you can now enter a filter string in the Name field to display any matching snapshots.

PAN-74412 Fixed an issue where, in Decryption policy rules with an Action set to No Decrypt, you could not use the web interface to set the decryption Type for matching traffic.

PAN-74403 Fixed an issue on Panorama where the web interface became unresponsive after you selected Export to CSV for a custom report, which forced you to log in to the CLI and reboot Panorama or restart the management server.

PAN-74368 Fixed an issue where commits failed due to configuration memory limits on firewalls that had numerous Security policy rules that referenced many address objects. With this fix, the number of address objects that a policy rule references does not impact configuration memory.

PAN-74236 Fixed an issue where the User-ID process (useridd) stopped responding when there were a lot of non-browser-based requests from clients, which resulted in too many pan_errors disk writes.

PAN-74188 Fixed an issue where conflicting next-hop entries in the egress routing table caused the firewall to incorrectly route traffic that matched Policy-Based Forwarding (PBF) policy rules configured to Enforce Symmetric Return.

PAN-74161 Fixed an issue on firewalls configured in a virtual wire deployment where Spanning Tree Protocol (STP) bridge protocol data unit (BPDU) packets were dropped.

PAN-74128 Fixed an issue where a session caused the dataplane to restart if the session was active during and after you installed a content update on the firewall and the update contained a decoder change.

PAN-73995 Fixed an issue where firewall management interfaces that were configured through DHCP released or renewed every time you pushed configurations from Panorama instead of releasing or renewing when the DHCP leases expired.

PAN-73993 Fixed an issue where App-ID signature matching did not work on the firewall, which caused it to misidentify applications.

PAN-73914 A security-related fix was made to address OpenSSL vulnerabilities (CVE-2017-3731).

PAN-73859 Fixed an issue where the VM-Series firewall on Azure supported only five interfaces (one management interface and four dataplane interfaces) instead of eight (one management interface and seven dataplane interfaces).

PAN-73783 Fixed an issue where cookie-based authentication for the GlobalProtect gateway failed with the following error: Invalid user name.

PAN-73710 Fixed an issue where the firewall did not commit changes to the NTP servers configuration (Device > Setup > Services) when the firewall connected to the servers through a service route and the management (MGT) interface was down.

PAN-73553 Fixed an issue where SSL Inbound Decryption failed when the private key was stored on a hardware security module (HSM).

PAN-73502 Fixed an issue where the firewall did not purge expired IP address-to-username mappings, which caused one of the root partitions to run out of free space.

PAN-73461 Fixed an issue where enabling encryption on the HA1 control link (Device > High Availability > General) and rebooting one HA firewall peer in an active/passive configuration caused split brain to occur.

PAN-73381 Fixed an issue on firewalls with multiple virtual systems where end users could not authenticate to a GlobalProtect portal or gateway that specified an authentication profile for which the Allow List referenced user groups instead of usernames.

PAN-73213 Fixed an issue where, when the GlobalProtect Portal Login Page was set to Disable (Network > GlobalProtect > Portals > General) and the user entered https://portal in the browser URL field, the browser redirected to https://portal/globalprotect/login.esp, which exposed that the firewall functioned as a GlobalProtect VPN. With this fix, the firewall now responds with a 502 Bad Gateway response and does not expose the function of the firewall.

PAN-73191 Fixed an issue where OSPF adjacency flapping occurred between the firewall and an OSPF peer due to a heavy processing load on the dataplane and queued OSPF hello packets.

PAN-73045 Fixed an issue where HA failover and failback events terminated sessions that started before the failover.

PAN-72871 Fixed an issue where the firewall displayed only part of the URL Filtering Continue and Override response page.

PAN-72769 A security-related fix was made to prevent brute-force attacks on the GlobalProtect external interface (CVE-2017-7945).

PAN-72697 Fixed an issue where, after a DoS attack ended, the firewall continued generating Threat logs and incrementing the session drop counter.

PAN-72350 Fixed an issue where high-volume SSL traffic intermittently added latency to SSL sessions.

PAN-72149 Fixed an issue where URL values did not display for the top websites in URL Filtering reports (Monitor > PDF Reports > Manage PDF Summary).

PAN-71627 Fixed an issue where the firewall failed to authenticate to a SafeNet hardware security module (HSM). With this fix, the firewall supports multiple SafeNet HSM client versions; you can use the request hsm client-version CLI command to select the version that is compatible with your SafeNet HSM server.

PAN-71612 Fixed an issue where the logs that the firewall forwarded to a syslog server had syslog header timestamps that did not match the times when the firewall generated the logs.

PAN-71484 Fixed an issue where the firewall discarded long-lived SIP sessions after a content update, which disrupted SIP traffic.

PAN-71455 Fixed an issue where users could not access a secure website if the certificate authority that signed the web server certificate also signed multiple certificates with the same subject name in the Default Trusted Certificate Authorities list on the firewall.

PAN-71319 Updated PAN-OS to address NTP issues (CVE-2016-7433).

PAN-70731 Fixed an issue where the firewall failed to authenticate to a SafeNet hardware security module (HSM) if the Administrator Password (under Device > Setup > HSM) contained special characters.

PAN-70353 Fixed an issue where Clientless VPN did not work if its host was a GlobalProtect portal that you configured on an interface with DHCP Client enabled.

PAN-70345 Fixed an issue where the M-Series appliances did not forward logs to a syslog server over TCP ports.

PAN-69882 Fixed an issue where firewalls that had multiple virtual systems and that were deployed in an HA active/active configuration dropped TCP sessions.

PAN-69874 Fixed an issue where, when the PAN-OS XML API sent IP address-to-username mappings with no timeout value to a firewall that had the Enable User Identification Timeout option disabled, the firewall assigned the mappings a timeout of 60 minutes instead of never.

PAN-68763 Fixed an issue where path monitoring failures did not produce enough information for troubleshooting. With this fix, PAN-OS supports additional debug commands and the tech support file (click Generate Tech Support File under Device > Support) includes additional registry values to troubleshoot path monitoring failures.

PAN-67412 Fixed an issue on firewalls in an HA configuration where, when an end user accessed applications over a GlobalProtect clientless VPN, the web browser became unresponsive for about 30 seconds after a failover.

PAN-67029 Fixed an issue where the firewall stopped forwarding logs to external services (such as a syslog server) after the firewall management server restarted unexpectedly.

PAN-66997 Fixed an issue on PA-7000 Series, PA-5200 Series, and PA-5000 Series firewalls where end users who accessed applications over SSL VPN or IPSec tunnels through GlobalProtect experienced one-directional traffic.

PAN-65969 Fixed an issue on PA-7000 Series firewalls where the Switch Management Card (SMC) restarted due to false positive conditions (ATA errors) detected during a disk check.

PAN-63720 Fixed an issue where Monitor > App Scope > Network Monitor displayed incorrect byte totals and hourly distribution when you filtered the report by Source User/Address or Destination User/Address instead of by Application.

PAN-63205 Fixed an issue on VM-Series firewalls where commit operations failed after you configured HA with the HA2 and HA3 interfaces.

PAN-62791 Fixed an issue where the firewall could not use the certificates in its certificate store (Device > Certificate Management > Certificates > Device Certificates) after a manual or automatic commit, which caused certificate authentication to fail.

PAN-62074 Fixed an issue where the User-ID agent incorrectly read the IP address in the security logs for Kerberos login events.

PAN-61644 Fixed an issue where Panorama displayed the Invalid term(device-group eq) error when you tried to display the logs for a specific device group.

PAN-61409 Fixed an issue where the firewall failed to connect to an HTTP server using the HTTPS protocol when the CA certificate that validated the firewall certificate was in a specific virtual system instead of the Shared location.

PAN-60555 Fixed an issue on VM-Series firewalls for NSX where the web interface let users specify a Tag Allowed value for virtual wire interfaces (Network > Virtual Wires), which caused a commit error because the option is not configurable on that firewall model. With this fix, the Tag Allowed value has a read-only value of 0-4094 on VM-Series firewalls for NSX.

PAN-55619 Fixed an issue where new users that you added to an Active Directory (AD) user group intermittently failed to authenticate to the GlobalProtect portal.

PAN-48901 Fixed an issue on HA firewalls where, if you enabled application-level gateway (ALG) for the Unistim application, VoIP calls that used the UNIStim protocol had only one-way audio after an HA failover event.

FPGA-343 Fixed an issue on PA-7000 Series firewalls in a Layer 2 deployment where multicast sessions (such as HSRP) failed because PAN-OS did not reassign the sessions to an alternative Network Processing Card (NPC) if the original NPC was shut down.

PAN-OS 8.0.1 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS 8.0.1 release. For new features, associated software versions, known issues, and changes in default behavior in PAN-OS 8.0 releases, see PAN-OS 8.0 Release Information.

Issue ID Description

PAN-74932 Fixed an issue where the direction (dir) parameter used in type=log XML API requests was incorrectly made a required parameter, which caused applications that use the type=log request to fail when the dir argument was not included in the request. With this fix, the direction parameter is again optional.

PAN-74829 Fixed an issue where Authentication policy incorrectly matched traffic coming from known users, those included in the Terminal Services (TS) agent user mapping, and displayed the captive portal page. With this fix, only unknown users are directed to the captive portal page.

PAN-74367 Fixed an issue where some platforms did not connect to BrightCloud after you upgraded to PAN-OS 8.0.

PAN-74264 Fixed an issue where new fields in Threat and HIP Match logs were inserted between existing fields, which disrupted some third-party integrations. With this fix, the new fields are appended at the end of all pre-existing fields.

PAN-73977 Fixed an issue where firewalls and Panorama did not forward logs as expected when the local machine time was not set to current local time and was set to a time between current UTC time and current UTC time plus <n>, where <n> is the UTC+<n> value for the current time zone.

PAN-73964 Fixed an issue where you could not upgrade VM-Series firewalls on AWS in an HA configuration to PAN-OS 8.0. With this fix, you can upgrade VM-Series firewalls on AWS in an HA configuration to PAN-OS 8.0.1 or a later PAN-OS 8.0 release.

PAN-73877 Fixed an issue where you were unable to generate a SAML metadata file for Captive Portal or GlobalProtect when the firewall had multiple virtual systems because there were no virtual systems available for you to select when you clicked the Metadata link associated with an authentication profile.

PAN-73579 Fixed an issue where, after you upgraded a firewall to PAN-OS 8.0, the firewall didn't apply updates to the predefined Palo Alto Networks malicious IP address feeds (delivered through the daily antivirus content updates) until after you performed a commit on the firewall. With this fix, changes to the predefined malicious IP address feeds are automatically applied when delivered to the firewall.

PAN-73545 Fixed an issue on VM-300, VM-500, and VM-700 firewalls where you were required to commit changes a second time after adding an interface before traffic would pass normally.

PAN-73360 Fixed an issue where the passive Panorama peer in an HA configuration showed shared policy to be out of sync even when the device group commit from the active peer was successful.

PAN-73291 Fixed an issue where authentication failed for client certificates signed by a CA certificate that was not listed first in the Certificate Profile configured with client certificate authentication for GlobalProtect portals and gateways.

PAN-73207 Fixed an issue where you could not push notifications as an authentication factor if the firewall was integrated with Okta Adaptive as the multi-factor authentication (MFA) vendor.

PAN-73168 Fixed an issue where your web browser displayed the error message 400 Bad Request when you tried to access a PAN-OS web interface that shared the same FQDN as the GlobalProtect portal that hosted Clientless VPN applications.

PAN-73006 Fixed an issue where the App Scope Change Monitor and Network Monitor reports failed to display data if you filtered by Source or Destination IP addresses when logging rates were high. This fix also addresses an issue where the App Scope Summary report failed to display data for the Top 5 Bandwidth Consuming Sources and Top 5 Threats when logging rates were high.

PAN-72952 Improved file-type identification for Office Open XML (OOXML) files, which improves the ability for WildFire to accurately classify OOXML files as benign or malicious.

PAN-72875 Fixed an issue where the severity level of the Failed to sync PAN-DB to peer: Peer user failure syslog message was too high. With this fix, the message severity level is info instead of medium.

PAN-72849 Fixed an issue in Panorama HA active/passive configurations where Elasticsearch parameters were not pushed to the passive peer.

PAN-72843 Fixed an issue where commits failed for configurations that enabled clientless VPN on multiple GlobalProtect portals using different DNS proxies.

PAN-72726 Fixed an issue where the firewall was unable to mark BFD packets with appropriate DSCP values.

PAN-72667 Fixed an issue where the firewall web interface displayed incorrect values for the log storage quota settings.

PAN-72547 Fixed an issue where running the clear session all CLI command on a PA-5200 Series firewall in a high availability (HA) configuration caused the firewall to fail over due to an issue with path monitoring.

PAN-72402 Fixed an issue where the firewall advertised only the aggregate address and did not advertise the specific routes covered by the Advertise Filter when you configured a BGP IPv6 aggregate address with an Advertise Filter that consisted of both a prefix filter and a next-hop filter.

PAN-72246 Fixed an issue where the firewall generated an ECDSA certificate signing request (CSR) using the SHA1 algorithm instead of the selected algorithm.

PAN-71833 Fixed an issue where the output of the test authentication authentication-profile CLI command intermittently displayed authentication/authorization failed for user for TACACS+ authentication profiles even though the administrator could successfully log in to the web interface or CLI using the same credentials as were specified in the test command.

PAN-71829 Fixed an issue on PA-5000 Series firewalls where the dataplane restarted due to specific changes related to certificates or SSL profiles in a GlobalProtect configuration; specifically, configuring a new gateway, changing a certificate linked to GlobalProtect, or changing the minimum or maximum version of the TLS profile linked to GlobalProtect.

PAN-71556 Fixed an issue where MAC address table entries with a time-to-live (TTL) value of 0 were not removed as expected, which caused the table to continually increase in size.

PAN-71530 Fixed an issue where LDAP authentication failed intermittently due to a race condition.

PAN-71334 Fixed an issue with delays of up to 10 seconds before the firewall transmitted the audio/video stream when you set up a VoIP call on a PA-5200 Series firewall using the Session Initiation Protocol (SIP).

PAN-71312 Fixed an issue where custom reports did not display results for queries that specified the Negate option, Contains operator, and a Value that included a period (.) character preceding a filename extension.

PAN-71271 Fixed an issue where new logs were lost if the log purging process started running before you started log migration after an upgrade to PAN-OS 8.0.

PAN-70366 Fixed an issue where SMTP email servers did not receive PDF reports from the firewall because the report emails had line separators that used bare LF instead of CRLF.

PAN-70323 Fixed an issue where firewalls running in FIPS-CC mode did not allow import of SHA1 CA certificates even when the private key was not included; instead, firewalls displayed the following error: Import of <cert name> failed. Unsupported digest or keys used in FIPS-CC mode.

PAN-69622 Fixed an issue where the firewall did not properly close a session after receiving a reset (RST) message from the server if the SYN Cookies action was triggered.

PAN-69585 Fixed an issue where the URL link included in the email for a SaaS Application Usage report (so that you could retrieve the report from the firewall web interface) triggered third-party spam filters deployed in your network.

PAN-69340 Fixed an issue where PAN-OS did not apply the capacity license when you used a license authorization code (capacity license or a bundle) to bootstrap a VM-Series firewall because the firewall did not reboot after the license was applied.

PAN-68795 Fixed an issue where the SaaS Application Usage report displayed upload and download bandwidth usage numbers incorrectly in the Data Transfer by Application section.

PAN-68185 Fixed an issue where the 7.1 SNMP traps MIB (PAN-TRAPS.my) had an incorrect description for the panHostname attribute.

PAN-67629 Fixed an issue where existing users were removed from user group mapping when the Active Directory (AD) did not return an LDAP Page Control in response to an LDAP refresh, which resulted in the following User-ID (useridd) logs:
debug: pan_ldap_search(pan_ldap.c:602): ldap_parse_result error code: 4
Error: pan_ldap_search(pan_ldap.c:637): Page Control NOT found

PAN-66122 Fixed an issue where tunnel content inspection was not supported in a virtual system-to-virtual system topology.

PAN-64725 Fixed an issue where Panorama did not maintain its connections to firewalls if it received logs at a high rate and the logs matched queries and other settings in scheduled reports.

PAN-64164 Fixed an issue on Panorama virtual appliances in an HA configuration where, if you enabled log forwarding to syslog, both the active and passive peers sent logs. With this fix, only the active peer sends logs when you enable log forwarding to syslog.

PAN-63274 Fixed an issue on firewalls with multiple virtual systems where inner flow sessions installed on dataplane 1 (DP1) failed if you configured tunnel content inspection for traffic in a shared gateway topology. Additionally, with this fix, when networking devices behind the shared gateway initiate traffic, that traffic can now reach the networking devices behind the virtual systems.

PAN-61840 Fixed an issue where the show global-protect-portal statistics CLI command was not supported.

PAN-60101 Fixed an issue on the M-500 and M-100 appliances in Panorama mode where emailed custom reports contained no data if you configured a report query that used an Operator set to contains (Monitor > Manage Custom Reports).

PAN-58979 Fixed an issue where the dataplane restarted due to a memory leak in a process (mprelay) that occurred if you did not disable LLDP when you disabled an interface with LLDP enabled (Network > Interfaces > <interface> > Advanced > LLDP).

PAN-57553 Fixed an issue where a QoS profile failed to work as expected when applied to a clear text node configured with an Aggregate Ethernet (AE) source interface that included AE subinterfaces.

PAN-57142 Fixed an issue on PA-7000 Series firewalls in an HA active/passive configuration where QoS limits were not correctly enforced on Aggregate Ethernet (AE) subinterfaces.

PAN-OS 8.0.0 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS 8.0.0 release. For new features, associated software versions, known issues, and changes in default behavior in PAN-OS 8.0 releases, see PAN-OS 8.0 Release Information.

Issue ID Description

PAN-76702 Fixed an issue where several dataplane processes stopped responding when the firewall processed VPN traffic with IP packet chains, which were usually triggered by IP fragmentation or SSL decryption operations.

PAN-72346 Fixed an issue where exporting botnet reports failed with the following error: Missing reportjobid.

PAN-72242 Fixed an issue where configuring a source address exclusion in the Reconnaissance Protection tab under a zone protection profile was not allowed.

PAN-71892 Fixed an issue where an LDAP profile did not use the configured port; the profile used the default port, instead.

PAN-71615 Fixed an issue where the intrazone block rule shadowed the universal rule that has different source and destination zones.

PAN-71400 Fixed an issue where the DNS Proxy feature did not work because the associated process (dnsproxy) stopped running on a firewall that had an address object (Objects > Address) with the same FQDN as one of the Static Entries in a DNS proxy configuration (Network > DNS Proxy).

PAN-71384 Fixed an issue with the passive firewall in a high availability (HA) configuration that had LACP pre-negotiation enabled where the firewall stopped correctly processing LACP BPDU packets through an interface that had previously physically flapped.

PAN-71311 Fixed an issue where, if you configured a User-ID agent with an FQDN instead of an IP address (Device > User Identification > User-ID Agents), the firewall generated a System log with the wrong severity level (informational instead of high) after losing the connection to the User-ID agent.

PAN-71307 Fixed an issue where the scp stats-dump report did not run correctly because source (src) and destination (dst) options were determined to be invalid arguments.

PAN-71192 Fixed an issue where performing a log query or log export with a specific number of logs caused the management server to stop responding. This occurred only when the number of logs was a multiple of 64 plus 63. For example, 128 is a multiple of 64 and if you add 63 to 128 that equals 191 logs. In this case, if you performed a log query or export and there were 191 logs, the management server stopped responding.

PAN-70969 Fixed an issue on a virtual wire where, if you enabled Link State Pass Through (Network > Virtual Wires), there were significant delays in link state propagation or even instances where an interface stayed down permanently even when ports were re-enabled on the neighbor device.

PAN-70541 A security-related fix was made to address an information disclosure issue that was caused by a firewall that did not properly validate certain permissions when administrators accessed the web interface over the management (MGT) interface (CVE-2017-7644).

PAN-70483 Fixed an issue on an M-Series appliance in Panorama mode where shared service groups did not populate in the service pull-down when attempting to add a new item to a security policy. The issue occurred when the drop-down contained 5,000 or more entries.

PAN-70428 A security-related fix was made to prevent inappropriate information disclosure to authenticated users (CVE-2017-5583).

PAN-70323 Fixed an issue where firewalls running in FIPS-CC mode did not allow import of SHA1 CA certificates even when the private key was not included; instead, firewalls displayed the following error: Import of <cert name> failed. Unsupported digest or keys used in FIPS-CC mode.

PAN-70057 Fixed an issue where running the validate option on a candidate configuration in Panorama caused changes to the running configuration on the managed device. The configuration change occurred after a subsequent FQDN refresh occurred.

PAN-69951 Fixed an issue where the firewall failed to forward system logs to Panorama when the dataplane was under severe load.

PAN-69235 Fixed an issue where committing a configuration with several thousand Layer 3 subinterfaces caused the dataplane to stop responding.

PAN-69194 Fixed an issue where performing a device group commit from a Panorama server running version 7.1 to a managed firewall running PAN-OS 6.1 failed to commit when the custom spyware profile action was set to Drop. With this fix, Panorama translates the action from Drop to Drop packets for firewalls running PAN-OS 6.1, which allows the device group commit to succeed.

PAN-69146 Fixed an issue where the Remote Users link for a gateway (Network > GlobalProtect > Gateways) became inactive and prevented you from reopening the User Information dialog if you closed the dialog using the Esc key instead of clicking Close.

PAN-68873 Fixed an issue where customizing the block duration for threat ID 40015 in a Vulnerability Protection profile did not adhere to the defined block interval. For example, if you set Number of Hits (SSH hello messages) to 3 and per seconds to 60, after three consecutive SSH hello messages from the client, the firewall failed to block the client for the full 60 seconds.

PAN-68831 Fixed an issue where CSV exports for Unified logs (Monitor > Logs > Unified) had no log entries if you limited the effective queries to one log type.

PAN-68823 Fixed an issue where custom threat reports failed to generate data when you specified Threat Category for either the Group By or Selected Column setting.

PAN-68766 Fixed an issue where navigating to the IPSec tunnel configuration in a Panorama template caused the Panorama management web interface to stop responding and displayed a 502 Bad Gateway error.

PAN-68658 Fixed an issue where handling out-of-order TCP FIN packets resulted in dropped packets due to TCP reassembly that was out of sync.

PAN-68654 Fixed an issue where the firewall did not populate User-ID mappings based on the defined Syslog Parse profiles (Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Syslog Filters).

PAN-68074 A security-related fix was made to address CVE-2016-5195.

PAN-68034 The show netstat CLI command was removed in the 7.1 release for Panorama, Panorama log collector, and WildFire. With this fix, the show netstat command is reintroduced.

PAN-67987 Fixed an issue where the GlobalProtect agent failed to connect using a client certificate if the intermediate CA is signed using the ECDSA hash algorithm.

PAN-67944 Fixed an issue where a process (all_pktproc) stopped responding because a race condition occurred when closing sessions.

PAN-67639 Fixed an issue where Auth Password and Priv Password for the SNMPv3 server profile were not properly masked when viewing the configuration change in the configuration log.

PAN-67599 In PAN-OS 7.0 and 7.1 releases, a restriction was added to prevent an administrator from configuring OSPF router ID 0.0.0.0. This restriction is removed in PAN-OS 8.0.

PAN-67224 Fixed an issue where the firewall displayed a validation error after Panorama imported the firewall configuration and then pushed the configuration back to the firewall so it could be managed by Panorama. This issue occurred because log forwarding profiles were not replaced with the profiles configured in Panorama. With this fix, Panorama will properly remove the existing configuration on the managed firewall before applying the pushed configuration.

PAN-67090 Fixed an issue where the web interface displayed an obsolete flag for the nation of Myanmar.

PAN-67079 Fixed an issue in PAN-OS 7.1.6 where SSL sessions were discarded if the server certificate chain size exceeded 23KB.

PAN-66873 Fixed an issue where PAN-OS deleted critical content files when the management plane ran out of memory, which caused commit failures until you updated or reinstalled the content.

PAN-66838 A security-related fix was made to address a Cross-Site Scripting (XSS) vulnerability on the management web interface (CVE-2017-5584).

PAN-66675 Fixed an issue where extended packet captures were consuming an excessive amount of storage space in /opt/panlogs.

PAN-66654 Fixed an issue where the status of a tunnel interface remained down even after disabling the tunnel monitoring option for IPSec tunnels.

PAN-66531 Fixed an issue where the Commit Scope column in the Commit window was empty after manually uploading and installing a content update and then committing. Although the content update was not listed under Commit Scope, the commit continued and showed 100% complete.

PAN-66104 Fixed an issue where vsys-specific custom response pages (Captive portal, URL continue, and URL override) did not display; they were replaced by shared response pages, instead.

PAN-65918 Fixed an issue on the Panorama virtual appliance where the third-party backup software Backup Exec failed to back up a quiesced snapshot of Panorama (Panorama in a temporary state where all write operations are flushed). With this fix, the VMware Tools bundled with Panorama supports the quiescing option.

PAN-64981 Fixed an issue where an internal buffer could be overwritten, causing the management plane to stop responding.

PAN-64884 Fixed an issue where firewalls in an HA configuration did not synchronize the Layer 2 MAC table; after failover, the MAC table was rebuilt only on the peer that became active, which caused excessive packet flooding.

PAN-64870 Fixed an issue where a zone with the Type set to Virtual Wire (Network > Zones) dropped all incoming traffic when you configured the Zone Protection profile for that zone with a Strict IP Address Check (Network > Network Profiles > Zone Protection > Packet Based Attack Protection > IP Drop).

PAN-64723 Fixed an issue where the test authentication CLI command was incorrectly sending vsys-specific information to the User-ID process for a group mapping query, which allowed the authentication test to succeed when it should have failed.

PAN-64638 Fixed an issue where the firewall failed to send a RADIUS access request after changing the IP address of the management interface.

PAN-64579 An error message is now displayed when installing an apps package manually from a file on a passive Panorama.

PAN-64525 Fixed an issue where User-ID failed to update the allow list for a group name that was larger than 128 bytes.

PAN-64520 Fixed an issue where H.323-based video calls failed when using source NAT (dynamic or static) due to incorrect translation of the destCallSignalAddress payload in the H.225 call setup.

PAN-64436 Fixed an issue where creation of IGMP sessions failed due to a timeout issue.

PAN-64419 Fixed an issue where the firewall displayed inconsistent shadow rule warnings during a commit for QoS policies.

PAN-64081 Fixed an issue on PA-5000 Series firewalls where the dataplane stopped responding due to a race condition during hardware offload.

PAN-63969 Fixed an issue on PA-7000 Series firewalls in an HA configuration where the NPC 40Gbps (QSFP) Ethernet interfaces on the passive peer displayed link activity on a neighboring device (such as a switch) to which they connected even though the interfaces were down on the passive peer.

PAN-63925 Fixed an issue where a firewall did not generate a log when a content update failed or was interrupted.

PAN-63908 Fixed an issue where SSH sessions were incorrectly subjected to a URL category lookup even when SSH decryption was disabled. With this fix, SSH traffic is not subject to a URL category lookup when SSH decryption is disabled.

PAN-63612 Fixed an issue where User activity reports on Panorama did not include any entries when there was a space in the Device Group name.

PAN-63520 Fixed an issue where the wrong source zone was used when logging vsys-to-vsys sessions.

PAN-63207 Fixed an issue on PA-7000 Series firewalls where group mappings did not populate when the group include list was pushed from Panorama.

PAN-63054 Fixed an issue on VM-Series firewalls where enabling software QoS resulted in dropped packets under heavy traffic conditions. With this fix, VM-Series firewalls no longer drop packets due to heavy loads with software QoS enabled and software QoS performance in general is improved for all Palo Alto Networks firewalls.

PAN-63013 Fixed an issue where a commit validation error displayed when pushing a template configuration with a modified WildFire file size setting. With this fix, commit validation takes place on the managed firewall that tries to commit new template values.

PAN-62937 Fixed an issue where establishing an LDAP connection over a slow or unstable connection caused commits to fail when you enabled TLS. With this fix, if you enable TLS, the firewall does not attempt to establish LDAP connections when you perform a commit.

PAN-62797 Fixed an issue where a process (cdb) intermittently restarted, which prevented jobs from completing successfully.

PAN-62513 Fixed an issue on PA-7000 Series firewalls in an HA active/passive configuration where the show high-availability path-monitoring command always showed the NPC as slot 1 even though the path monitoring IP address was assigned to an interface in a different NPC slot. This occurred only when the path monitoring IP address was assigned to an interface in an Aggregate Ethernet (AE) interface group and the interface group was in a slot other than slot 1.

PAN-62057 Fixed an issue where the GlobalProtect agent failed to authenticate using a client certificate that had a signature algorithm that was not SHA1/SHA256. With this fix, the firewall provides support for the SHA384 signature algorithm for client-based authentication.

PAN-61877 Fixed an issue where Authentication Override in the GlobalProtect portal configuration didn't work when the certificate used for encrypting and decrypting cookies was generated using RSA 4,096-bit keys.

PAN-61871 Fixed an issue where the firewall matched traffic to a URL category and on first lookup, which caused some traffic to be matched to the wrong security profile. With this fix, the firewall matches traffic to URL categories a second time to ensure that traffic is matched to the correct security profile.

PAN-61837 Fixed an issue on PA-3000 Series and PA-5000 Series firewalls where the dataplane stopped responding when a session crossed vsys boundaries and could not find the correct egress port. This issue occurred when zone protection was enabled with a SYN Cookies action (Network > Zone Protection > Flood Protection).

PAN-61813 Fixed an issue on Panorama where a custom scheduled report configured for a device group was empty when exported.

PAN-61797 Fixed an issue on the passive peer in an HA configuration where LACP flapped when the link state was set to shutdown/auto and pre-negotiation was disabled.

PAN-61682 Fixed an issue where end users either did not see the Captive Portal web form or saw a page displaying raw HTML code after requesting an application through a web proxy because the HTTP body content length exceeded the specified size in the HTTP Header Content-Length.

PAN-61465 Fixed an issue where the web interface (Objects > Decryption Profile > SSL Decryption > SSL Protocol Settings > Encryption Algorithms) still displayed the 3DES encryption algorithm as enabled even after you disabled it.

PAN-61365 Fixed an issue where data filtering logs (Monitor > Logs > Data Filtering) did not take into account the file direction (upload or download) so it was not possible to differentiate uploaded files from downloaded files in the logs. With this fix, you configure the file direction (upload, download, or both) in Objects > Security Profiles > Data Filtering and select the Direction column in Monitor > Logs > Data Filtering to view the file direction in the logs.

PAN-61284 Fixed an issue where User-ID consumed a large amount of memory when the firewall experienced a high rate of incoming IP address-to-username mapping data and there were more than ten redistribution client firewalls at the same time.

PAN-61252 Fixed an issue on firewalls in an HA active/active configuration where the floating IP address was not active on the secondary firewall after the link went down on the primary firewall.

PAN-60797 Fixed an issue where read-only superusers were able to view threat packet captures (pcaps) on the firewall but received an error (File not found) when they attempted to export certain types of pcap files (threat, threatextpcap, app, and filtering).

PAN-60753 Fixed an issue where changing the RSA key from a 2,048-bit key to a 1,024-bit key forced the encryption algorithm to change from SHA256 to SHA1 for SSL forward proxy decryption.

PAN-60581 Added a check to not include all the applications in the Application filter if no application category is selected by the user. Users have to explicitly add all the categories to create an application filter with all the applications.

PAN-60577 Fixed an issue where an application filter with no selected categories caused the firewall to perform slowly because the filter defaulted to include all categories (Objects > Application Filters). With this fix, you cannot configure an application filter without selecting one or more categories.

PAN-60556 Added support in the certificate profile to also configure a non-CA certificate as an additional certificate to verify the OCSP response received for certificate status validation. The OCSP Verify CA field in the certificate profile has been changed to OCSP Verify Certificate.

PAN-60402 Fixed an issue where renaming an address object caused the commit to a Device Group to fail.

PAN-60340 Fixed an issue where the Panorama application database did not display all applications in the browser.

PAN-60035 Enhanced dynamic IP NAT translation to prevent conflicts between different packet processors and improve dynamic IP NAT pool utilization.

PAN-59676 Fixed an issue where firewall administrators with custom roles (Admin Role profiles) could not download content or software updates.

PAN-59654 Fixed an issue where commits failed on the firewall after upgrading from a PAN-OS 6.1 release due to incorrect settings for the HexaTech VPN application on the firewall. With this fix, upgrading from a PAN-OS 6.1 release to PAN-OS 8.0.0 (or a later release) does not cause commit failures related to these settings.

PAN-59614 Fixed an issue where administrators were unable to fully utilize the maximum of 64 address objects per FQDN due to the 512B DNS server response packet size; specified addresses that were not included in the first 512B were dropped and not resolved. With this fix, the size of the DNS server response packet is increased to 4,096B, which fully supports the maximum 64 combined address objects per FQDN (up to 32 each IPv4 and IPv6 addresses).

PAN-58636 Fixed an issue where configuring too many applications and individual ports in a security rule caused the firewall to stop responding. With this fix, the firewall continues responding and sends the following error message:
Error: Security Policy '58636_rule' is exceeding maximum number of
combinations supported for service ports(51) and applications(2291). To fix
this, please convert this Security Policy into multiple policies by either
splitting applications or service ports.
Error: Failed to parse security policy
(Module: device)
Commit failed

PAN-58496 Fixed an issue where custom reports using threat summary were not populated.

PAN-58382 Fixed an issue where users were matched to the incorrect security policies.

PAN-58358 Fixed an issue where CSV exports for Unified logs (Monitor > Logs > Unified) displayed information in the wrong columns.

PAN-57529 Fixed an issue where the firewall acted as a DHCP relay and wireless devices on a VLAN did not receive a DHCP address (all other devices on the VLAN did receive a DHCP address). With this fix, all devices on a VLAN receive a DHCP address when the firewall acts as a DHCP relay.

PAN-57440 Fixed an issue where OSPFv3 link-state updates were sent with the incorrect OSPF checksum when the OSPF packet needed to advertise more link-state advertisements (LSAs) than fit into a 1,500-byte packet. With this fix, the firewall sends the correct OSPF checksum to neighboring switches and routers even when the number of LSAs doesn't fit into a 1,500-byte packet.

PAN-57215 Fixed an issue where an HTTP 416 error appeared when trying to download updates to a client from an IBM BigFix update server.

PAN-56700 Fixed an issue where the SNMP OID ifHCOutOctets did not contain the expected data.

PAN-56684 Fixed an issue where DNS proxy static entries stopped working when there were duplicate entries in the configuration.

PAN-53659 Fixed an issue where the sum of all link aggregation group (LAG) interfaces was greater than the value of the Aggregate Ethernet (AE) interface.

PAN-50973 Fixed an issue for VM-Series firewalls on Microsoft Hyper-V where, although the FIPS-CC mode option was visible in the maintenance mode menu, you could not enable it. With this fix, FIPS-CC mode is supported for and can be enabled from the maintenance mode menu in VM-Series firewalls on Microsoft Hyper-V.

PAN-48095 Fixed an issue on PA-200 firewalls where the Panorama dynamic update schedule ignored the currently installed dynamic update version and installed unnecessary dynamic updates.

Getting Help
The following topics provide information on where to find more about this release and how to request support:
Related Documentation
Requesting Support

Related Documentation
Refer to the following PAN-OS 8.0 documentation on the Technical Documentation portal or search the documentation for more information on our products:
New Features Guide: Detailed information on configuring the features introduced in this release.
PAN-OS Administrator's Guide: Provides the concepts and solutions to get the most out of your Palo Alto Networks next-generation firewalls. This includes taking you through the initial configuration and basic setup on your Palo Alto Networks firewalls.
Panorama Administrator's Guide: Provides the basic framework to quickly set up the Panorama virtual appliance or an M-Series appliance for centralized administration of the Palo Alto Networks firewalls.
WildFire Administrator's Guide: Provides steps to set up a Palo Alto Networks firewall to forward samples for WildFire Analysis, to deploy the WF-500 appliance to host a WildFire private or hybrid cloud, and to monitor WildFire activity.
VM-Series Deployment Guide: Provides details on deploying and licensing the VM-Series firewall on all supported hypervisors. It includes examples of supported topologies on each hypervisor.
GlobalProtect Administrator's Guide: Describes how to set up and manage GlobalProtect.
Online Help System: Detailed, context-sensitive help system integrated with the firewall web interface.
Palo Alto Networks Compatibility Matrix: Provides operating system and other compatibility information for Palo Alto Networks next-generation firewalls, appliances, and agents.
Open Source Software (OSS) Listings: OSS licenses used with Palo Alto Networks products and software:
PAN-OS 8.0
Panorama 8.0
WildFire 8.0

Requesting Support

For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Contact Information

Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
https://www.paloaltonetworks.com/company/contactsupport

Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Revision Date: August 17, 2017
