PAN-OS 8.0 Release Notes
Release 8.0.4-h2
Revision Date: August 17, 2017
Review important information about Palo Alto Networks PAN-OS 8.0 software, including new features introduced, workarounds for open issues, and issues that are addressed in PAN-OS 8.0 releases. For installation, upgrade, and downgrade instructions, refer to the PAN-OS 8.0 New Features Guide. For the latest version of these release notes, refer to the Palo Alto Networks technical documentation portal.
HSM storage of the master key on firewalls running PAN-OS 8.0.0 or PAN-OS 8.0.1 is not supported. See the PAN-75960 known issue description for details.
Table of Contents
PAN-OS 8.0 Release Information
  Features Introduced in PAN-OS 8.0
    Management Features
    Panorama Features
    Content Inspection Features
    WildFire Features
    Authentication Features
    User-ID Features
    App-ID Features
    Decryption Features
    Virtualization Features
    Networking Features
    GlobalProtect Features
  Changes to Default Behavior
    Authentication Changes
    Content Inspection Changes
    GlobalProtect Changes
    Management Changes
    Panorama Changes
    VM-Series Firewall Changes
    WildFire Changes
  CLI and XML API Changes in PAN-OS 8.0
    Authentication CLI Changes
    Content Inspection CLI Changes
    GlobalProtect CLI Changes
    Management CLI Changes
    User-ID CLI Changes
  Associated Software and Content Versions
  Limitations
  Known Issues
    Known Issues Related to PAN-OS 8.0 Releases
    Known Issues Specific to the WF-500 Appliance
PAN-OS 8.0.4-h2 Addressed Issues
PAN-OS 8.0.4 Addressed Issues
PAN-OS 8.0.3-h4 Addressed Issues
PAN-OS 8.0.3 Addressed Issues
PAN-OS 8.0.2 Addressed Issues
PAN-OS 8.0.1 Addressed Issues
PAN-OS 8.0.0 Addressed Issues
Getting Help
  Related Documentation
  Requesting Support
Palo Alto Networks, Inc. PAN-OS 8.0 Release Notes
PAN-OS 8.0 Release Information
Features Introduced in PAN-OS 8.0
Changes to Default Behavior
CLI and XML API Changes in PAN-OS 8.0
Associated Software and Content Versions
Limitations
Known Issues
PAN-OS 8.0.4-h2 Addressed Issues
PAN-OS 8.0.4 Addressed Issues
PAN-OS 8.0.3-h4 Addressed Issues
PAN-OS 8.0.3 Addressed Issues
PAN-OS 8.0.2 Addressed Issues
PAN-OS 8.0.1 Addressed Issues
PAN-OS 8.0.0 Addressed Issues
Getting Help
Previously known issues carried over from previous release notes and that were identified using legacy ID numbers (5 or 6 digits without a prefix) are now assigned new issue ID numbers that also include product-specific prefixes.
Features Introduced in PAN-OS 8.0
The following topics describe the new features introduced in the PAN-OS 8.0 release, which requires content release version 655 or a later version. For upgrade and downgrade considerations and for specific information about the upgrade path for a firewall, refer to the Upgrade section of the PAN-OS 8.0 New Features Guide. The new features guide also provides additional information about how to use the new features in this release.
Management Features
Panorama Features
Content Inspection Features
WildFire Features
Authentication Features
User-ID Features
App-ID Features
Decryption Features
Virtualization Features
Networking Features
GlobalProtect Features
Management Features
New Management Features    Description
Administrator-Level Commit and Revert
You can now commit, validate, preview, save, and revert changes that you made in a Panorama or firewall configuration independent of changes that other administrators have made. This simplifies your configuration workflow because you don't have to coordinate commits with other administrators when your changes are unrelated to theirs, or worry about reverting changes other administrators made that weren't ready.
Panorama Features
New Panorama Features    Description
Logging Enhancements on the Panorama Virtual Appliance
You can now create a Log Collector that runs locally on the Panorama virtual appliance. Because the local Log Collector supports multiple virtual logging disks, you can increase log storage as needed while preserving existing logs. You can increase log storage to a maximum of 24TB for a single Panorama and up to 48TB for a high availability pair. Using a local Log Collector also enables faster report generation (see Log Query Acceleration).
Streamlined Deployment of Software and Content Updates from Panorama
You can now deploy software and content updates to managed devices more quickly. Instead of pushing the updates to one device at a time, Panorama now notifies firewalls and Log Collectors when updates are available and the devices then retrieve the updates in parallel.
The Extended Support for Multiple Panorama Interfaces enables you to configure a separate interface, instead of using the management (MGT) interface, for deploying content and software updates to managed devices.
Content Inspection Features
New Content Inspection Features    Description
Telemetry
You can now participate in a community-driven approach to threat prevention through telemetry. Telemetry allows your firewall to periodically collect and share information about applications, threats, and device health with Palo Alto Networks. Palo Alto Networks uses the threat intelligence collected from you and other customers to improve the quality of intrusion prevention system (IPS) and spyware signatures and the classification of URLs in PAN-DB. For example, when a threat event triggers vulnerability or spyware signatures, the firewall shares the URLs associated with the threat with the Palo Alto Networks threat research team, so they can properly classify the URLs as malicious. Telemetry also allows Palo Alto Networks to rapidly test and evaluate experimental threat signatures with no impact to your network, so that critical threat prevention signatures can be released to all customers faster.
You have full control over which data the firewall shares through telemetry, and samples of this data are available to view through your Telemetry settings. Palo Alto Networks does not share your telemetry data with other customers or third-party organizations.
WildFire Features
PAN-OS 8.0.1 is the base image for WF-500 appliances (not PAN-OS 8.0.0).
New WildFire Features    Description
Authentication Features
New Authentication Features    Description
User-ID Features
New User-ID Features    Description
App-ID Features
New App-ID Features    Description
Decryption Features
New Decryption Features    Description
Virtualization Features
New Virtualization Features    Description
VM-Series Bootstrapping with Block Storage
You can now bootstrap the VM-Series firewall in ESXi, KVM, and Hyper-V using block storage. This option provides a bootstrapping solution for environments where mounting a CD-ROM is not supported.
Networking Features
New Networking Features    Description
Reconnaissance Protection Source Address Exclusion
Zone protection's reconnaissance protection detects and takes action against host sweep and TCP and UDP port scans. This is useful against attackers searching for vulnerabilities. However, it can also negatively impact scanning activities, such as network security testing or fingerprinting. You can now whitelist source addresses to exclude them from reconnaissance protection. This allows you to protect your network from reconnaissance attacks while allowing legitimate monitoring tools.
GlobalProtect Features
New GlobalProtect Features    Description
Changes to Default Behavior
The following topics describe changes to default behavior in PAN-OS and Panorama 8.0:
Authentication Changes
Content Inspection Changes
GlobalProtect Changes
Management Changes
Panorama Changes
VM-Series Firewall Changes
WildFire Changes
Authentication Changes
PAN-OS 8.0 has the following changes in default behavior for authentication features:
Feature    Change
Logging
When an authentication event invokes a policy rule, the firewall now generates Authentication logs instead of System logs.
Content Inspection Changes
PAN-OS 8.0 has the following changes in default behavior for content inspection features:
Feature    Change
Content-ID
Forward segments exceeding TCP App-ID inspection queue (Device > Setup > Content-ID > Content-ID Settings) is now disabled by default. The corresponding CLI command, set deviceconfig setting application bypass-exceed-queue, is now set to no by default.
Decryption
The firewall does not support SSL decryption of RSA keys that exceed 8Kb in size. You can either block connections to servers that use certificates with RSA keys exceeding 8Kb or skip SSL decryption for such connections. To block such connections, select Objects > Decryption Profile, edit the profile, select SSL Decryption > SSL Forward Proxy, and in the Unsupported Mode Checks section select Block sessions with unsupported cipher suites. To skip decryption for such connections, clear Block sessions with unsupported cipher suites.
Data Pattern objects
Objects > Custom Objects > Data Patterns provides predefined patterns (Pattern Type > Predefined Pattern), such as social security numbers and credit card numbers, to check for in the incoming file types that you specify. The firewall no longer supports checking for these predefined patterns in GZIP and ZIP files.
GlobalProtect Changes
PAN-OS 8.0 has the following changes in default behavior for GlobalProtect features:
Feature    Change
Management Changes
PAN-OS 8.0 has the following changes in default behavior for firewall and Panorama management features:
Feature    Change
Panorama Changes
PAN-OS 8.0 has the following changes in default behavior for Panorama features:
Feature    Change
VM-Series Firewall Changes
PAN-OS 8.0 has the following changes in default behavior for VM-Series firewalls:
Feature    Change
Licensing
Beginning with PAN-OS 7.1.7, to deactivate a VM-Series license you must first install a license API key on your firewall or Panorama. For more information, see Virtualization Features.
WildFire Changes
PAN-OS 8.0 has the following changes in default behavior for WildFire features:
Feature    Change
Logging
If you previously enabled WildFire forwarding on your firewall, the firewall now forwards blocked files that match existing signatures, in addition to unknown files, for WildFire analysis. The WildFire Submissions log now includes log entries for blocked files.
The Action column in the WildFire Submissions log now indicates if the firewall action for a sample was allow or block. In PAN-OS 7.1 and earlier versions, the action displayed for all samples in the WildFire Submissions log was alert.
CLI and XML API Changes in PAN-OS 8.0
PAN-OS 8.0 has changes to existing CLI commands, which also affect corresponding PAN-OS XML API requests. If you have a script or application that uses these requests, run corresponding CLI commands in debug mode to view the corresponding XML API syntax.
Operational commands are preceded by a greater-than sign (>), while configuration commands are preceded by a hash (#). An asterisk (*) indicates that related commands in the same hierarchy have also changed.
Authentication CLI Changes
Content Inspection CLI Changes
GlobalProtect CLI Changes
Management CLI Changes
User-ID CLI Changes
Authentication CLI Changes
PAN-OS 8.0 has the following CLI and XML API changes for Authentication features:
Feature    Change
PAN-OS 8.0 release:
> show running authentication-policy
> test authentication-policy-match *
# show rulebase authentication *
# set import resource max-auth-rules <0-4000>
# set rulebase authentication rules *
# set shared admin-role <name> role device webui policies
authentication-rulebase <enable|read-only|disable>
# set import resource max-auth-rules <0-4000>
PAN-OS 8.0 release:
# set deviceconfig setting ssl-decrypt
fwd-proxy-server-cert-key-size-rsa <0|1024|2048>
# set deviceconfig setting ssl-decrypt
fwd-proxy-server-cert-key-size-ecdsa <0|256|384>
PAN-OS 8.0 release:
# show deviceconfig system hsm-settings provider safenet-network *
# set deviceconfig system hsm-settings provider safenet-network *
Content Inspection CLI Changes
PAN-OS 8.0 has the following CLI and XML API changes for content inspection features:
Feature    Change
PAN-OS 8.0 release:
# set external-list <name> type ip *
# set external-list <name> type predefined-ip *
# set external-list <name> type domain *
# set external-list <name> type url *
GlobalProtect CLI Changes
PAN-OS 8.0 has the following CLI and XML API changes for GlobalProtect features:
Feature    Change
PAN-OS 8.0 release:
# set global-protect global-protect-portal <name> portal-config
local-address ip ipv4 <value>
# set global-protect global-protect-portal <name> portal-config
local-address ip ipv6 <value>
PAN-OS 7.1 and earlier releases:
# set global-protect global-protect-portal <name> portal-config
local-address floating-ip <value>
PAN-OS 8.0 release:
# set global-protect global-protect-portal <name> portal-config
local-address floating-ip ipv4 <value>
# set global-protect global-protect-portal <name> portal-config
local-address floating-ip ipv6 <value>
Management CLI Changes
PAN-OS 8.0 has the following CLI and XML API changes for firewall and Panorama management features:
Feature    Change
PAN-OS 8.0 release:
# show shared log-settings system match-list *
# set shared log-settings system match-list *
# show shared log-settings config match-list *
# set shared log-settings config match-list *
# show shared log-settings hipmatch match-list *
# set shared log-settings hipmatch match-list *
# show shared log-settings profiles <name> match-list *
# set shared log-settings profiles <name> match-list *
User-ID CLI Changes
PAN-OS 8.0 has the following CLI and XML API changes for User-ID features:
Feature    Change
IP address-to-username mapping
The operational command to clear User-ID mappings for all IP addresses or a specific IP address has changed:
PAN-OS 7.1 and earlier releases:
> clear user-cache [all | ip]
PAN-OS 8.0 release:
> clear ipuser-cache [all | ip]
The User-ID commands to clear user mappings from the dataplane have changed:
PAN-OS 7.1 and earlier releases:
> clear uid-gids-cache uid <1-2147483647>
> clear uid-gids-cache all
PAN-OS 8.0 release:
> clear uid-cache uid <1-2147483647>
> clear uid-cache all
PAN-OS 8.0 release:
# set user-id-agent <name> host-port host <ip/netmask>|<value>
# set user-id-agent <name> host-port port <1-65535>
# set user-id-agent <name> host-port ntlm-auth <yes|no>
# set user-id-agent <name> host-port ldap-proxy <yes|no>
# set user-id-agent <name> host-port collectorname <value>
# set user-id-agent <name> host-port secret <value>
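The 7.1-to-8.0 command changes listed above, applied to an automation script so that a renamed User-ID clear command does not silently stop working after the upgrade. This is an added example, not code from Palo Alto Networks; the sample commands, the portal name gp-portal, the object name ha-float-addr and all addresses are constructed, and only the old/new pairs shown in the User-ID and GlobalProtect CLI Changes sections are covered.

```python
import ipaddress
import re

# Prompt markers used in the release notes: ">" operational, "#" configuration.
_PROMPT = re.compile(r"^\s*[>#]\s*")

# User-ID operational commands renamed in PAN-OS 8.0 (7.1 form -> 8.0 form).
_RENAMES = [
    (re.compile(r"^clear user-cache(?=\s|$)"), "clear ipuser-cache"),
    (re.compile(r"^clear uid-gids-cache(?=\s|$)"), "clear uid-cache"),
]

# 7.1 portal syntax is "floating-ip <value>"; 8.0 requires
# "floating-ip ipv4 <value>" or "floating-ip ipv6 <value>".
_FLOATING_IP = re.compile(
    r"^(set global-protect global-protect-portal \S+ portal-config "
    r"local-address floating-ip) (?!ipv4(?:\s|$)|ipv6(?:\s|$))(\S+)$"
)


def migrate_command(line):
    """Return (command, status); status is 'unchanged', 'rewritten' or 'review'."""
    cmd = " ".join(_PROMPT.sub("", line).split())
    for pattern, replacement in _RENAMES:
        if pattern.search(cmd):
            return pattern.sub(replacement, cmd, count=1), "rewritten"
    match = _FLOATING_IP.match(cmd)
    if match:
        prefix, value = match.groups()
        try:
            # Pick the address family from the value itself (mask allowed).
            version = ipaddress.ip_interface(value).version
        except ValueError:
            # Not a literal address (for example an object name): a person
            # has to choose ipv4 or ipv6, so flag it instead of guessing.
            return cmd, "review"
        return f"{prefix} ipv{version} {value}", "rewritten"
    return cmd, "unchanged"


def audit(script_text):
    """List (line number, status, suggested command) for every affected line."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        if not line.strip():
            continue
        new_cmd, status = migrate_command(line)
        if status != "unchanged":
            findings.append((lineno, status, new_cmd))
    return findings


_PORTAL = ("# set global-protect global-protect-portal gp-portal "
           "portal-config local-address floating-ip ")

# Constructed sample script written against PAN-OS 7.1 syntax.
SAMPLE = "\n".join([
    "> clear user-cache all",
    "> clear user-cache ip 10.1.1.23",
    "> clear uid-gids-cache uid 42",
    _PORTAL + "192.0.2.10",
    _PORTAL + "2001:db8::10",
    _PORTAL + "ha-float-addr",
    "> clear ipuser-cache all",                # already 8.0 syntax
    "> show running authentication-policy",    # new in 8.0, nothing to change
])

if __name__ == "__main__":
    for lineno, status, new_cmd in audit(SAMPLE):
        print(f"line {lineno}: {status}: {new_cmd}")
```
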
Associated Software and Content Versions
The following minimum software versions are supported with PAN-OS 8.0. To see a list of the Palo Alto Networks firewalls and appliances that support PAN-OS 8.0, see the Palo Alto Networks Compatibility Matrix.
Palo Alto Networks Software or Content Release Version    Minimum Supported Version with PAN-OS 8.0
Panorama    8.0.2
Limitations
The following table includes limitations associated with the PAN-OS 8.0.1 and later releases.
Issue ID    Description

PAN-68997
The WildFire appliance cluster membership list may not be accurate if cluster members are offline or the membership list is stale. You can import a configuration from any WildFire appliance or appliance cluster into Panorama, add any connected WildFire appliance to a cluster, and assign it a role in the cluster so that you have more flexibility when configuring and reconfiguring clusters.
After you import a cluster configuration, you can view the cluster members from the Panorama web interface (Panorama > Managed Wildfire Clusters). Check the cluster membership list to ensure that all listed members are nodes in the cluster. Add missing nodes to the cluster as needed.
If you import a WildFire appliance that is already part of a cluster or you import a WildFire appliance and later add it to a cluster using local configuration, the Panorama web interface displays it as a standalone appliance and shows it to be out of sync. To resolve this issue, add the node to the cluster, which syncs the configurations in Panorama.
To avoid an inaccurate membership list, before you add a node to a cluster, make sure that any WildFire appliance you add to the cluster is not a member of another cluster.
Controller and controller backup nodes perform critical cluster management tasks. If you change the controller or controller backup node, ensure that the replacement node is a cluster member. If you inadvertently add a node to more than one cluster, or if you specify a controller or controller backup node that does not belong to the cluster, the consequences vary depending on whether you push the changes to the clusters.
If you did not yet commit the changes on the Panorama appliance, or if you only committed the changes but did not push them yet, then first reconfigure the cluster and Commit to Panorama to avoid unintended consequences.
If you push a misconfiguration to clusters, cluster behavior is unpredictable and can affect more than one cluster if the pushed Panorama configuration includes nodes that are assigned to more than one cluster. If you inadvertently add a node to more than one cluster, make the appropriate change to correct the misconfiguration:
- If you have not committed the configuration on Panorama, remove the node from the cluster.
- If you have already committed the changes on Panorama, remove the node from the cluster and recommit the changes to Panorama.
- If you have already committed the changes on Panorama and pushed the changes to managed WildFire appliance clusters, remove the node from the cluster, and then recommit to Panorama and repush to the WildFire appliance clusters.
If you inadvertently specify a controller or controller backup node that is not a cluster member, make the appropriate change to correct the misconfiguration:
- If you have not committed the configuration on Panorama, specify a valid cluster node as the controller or controller backup node.
- If you have already committed the changes on Panorama, specify a valid cluster node as the controller or controller backup node and Commit to Panorama.
- If you have already committed the changes on Panorama and pushed the changes to managed WildFire appliance clusters, specify a valid cluster node as the controller or controller backup node, and then recommit to Panorama and repush to the WildFire appliance clusters.
Known Issues
The following topics describe known issues in PAN-OS 8.0 releases.
For recent updates to known issues for a given PAN-OS release, refer to
https://live.paloaltonetworks.com/t5/Articles/CriticalIssuesAddressedinPANOSReleases/tap/52882.
Known Issues Related to PAN-OS 8.0 Releases
Known Issues Specific to the WF-500 Appliance
Known Issues Related to PAN-OS 8.0 Releases
The following list includes known issues specific to PAN-OS 8.0 releases, which includes known issues specific to Panorama and GlobalProtect, as well as known issues that apply more generally or that are not identified by an issue ID. See also the Known Issues Specific to the WF-500 Appliance.
Issue ID    Description

Upgrading a PA-200 or PA-500 firewall to PAN-OS 8.0 can take 30 to 60 minutes to complete. Ensure uninterrupted power to your firewall throughout the upgrade process.

Panorama 8.0 does not currently support management of appliances running WildFire 7.1 or earlier releases. Even though these management options are visible on the Panorama 8.0 web interface (Panorama > Managed WildFire Clusters and Panorama > Managed WildFire Appliances), making changes to these settings for appliances running WildFire 7.1 or earlier releases has no effect.

GPC-2742
If you configure GlobalProtect portals and gateways to use client certificates and LDAP as two factors of authentication, Chromebook users that are running Chrome OS 47 or later versions can encounter excessive prompts to select a client certificate.
Workaround: To prevent excessive prompts, configure a policy to specify the client certificate in the Google Admin console and deploy that policy to your managed Chromebooks:
1. Log in to the Google Admin console (https://admin.google.com) and select Device management > Chrome management > User settings.
2. In the Client Certificates section, enter the following URL pattern to Automatically Select Client Certificate for These Sites:
{"pattern":"https://[*.]","filter":{}}
3. Click Save. The Google Admin console deploys the policy to all devices within a few minutes.
GPC-1737
By default, the GlobalProtect app adds a route on iOS mobile devices that causes traffic to the GP-100 GlobalProtect Mobile Security Manager to bypass the VPN tunnel.
Workaround: To configure the GlobalProtect app on iOS mobile devices to route all traffic, including traffic to the GP-100 GlobalProtect Mobile Security Manager, to pass through the VPN tunnel, perform the following tasks on the firewall hosting the GlobalProtect gateway (Network > GlobalProtect > Gateways > <gateway-config> > Agent > Client Settings > <client-settings-config> > Network Settings > Access Route):
- Add 0.0.0.0/0 as an access route.
- Enter the IP address for the GlobalProtect Mobile Security Manager as an additional access route.

GPC-1517
For the GlobalProtect app to access an MDM server through a Squid proxy, you must add the MDM server SSL access ports to the proxy server allow list. For example, if the SSL access port is 8443, add acl SSL_ports port 8443 to the allow list.

PAN-81125
(PAN-OS 8.0.3 and later releases) On a firewall configured to connect to Terminal Services (TS) agents, importing a configuration file (Device > Setup > Operations > Import named configuration snapshot) that does not define TS agent connections causes the User-ID service to stop responding.
Workaround: Add an empty TS agent node <tsagent/> under <devices><entry><vsys><entry> in the configuration file before importing it.

PAN-82251
Bootstrapping is not supported on the VM-Series firewall on AWS GovCloud.

PAN-81061
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.
PA-3000 Series firewalls intermittently drop long-lived sessions that are active during a content update if you immediately follow the update with an Antivirus or WildFire update.

PAN-80564
The mgmtsrvr process and other processes repeatedly restart due to abnormal system memory usage on a firewall that forwards logs to a syslog server.
Workaround: In PAN-OS 8.0.4 and later 8.0 releases, you can stop the continuous restarts by running the debug syslog-ng restart CLI command to restart the syslog-ng process.

PAN-79423
Panorama cannot push address group objects from device groups to managed firewalls if zones specify the objects in the User Identification ACL include or exclude lists (Network > Zones) and if the Share Unused Address and Service Objects with Devices option is disabled (Panorama > Setup > Management > Panorama Settings).

PAN-79365
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
Pushing Panorama template configurations to VM-Series firewalls for NSX removes those firewalls as managed devices on Panorama.
Workaround: Make minor configuration changes to Panorama and select Commit > Commit and Push. Panorama then displays the VM-Series firewalls for NSX as managed devices. You can then select Config > Revert Changes to revert the minor configuration changes to Panorama.

PAN-78224
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
The firewall truncates passwords to 40 characters when end users try to authenticate through RADIUS in the Captive Portal web form.
PAN-78034
The Threat logs that Zone Protection profiles trigger for scan and packet type events do not record IMSI and IMEI values.
Workaround: Select Monitor > Threat, click the spyglass icon for the Threat log to display additional details, and then double-click the related logs to see the IMSI and IMEI of the subscriber that triggered the Threat log.

PAN-77702
Dynamic address updates take several minutes to complete on Panorama in NSX deployments.

PAN-77671
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
The firewall identifies traffic to www.onlinetranslator.com as the translator5 application instead of as web browsing.

PAN-77595
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
PA-7000 Series and PA-5200 Series firewalls forward a SIP INVITE based on route lookup instead of Policy-Based Forwarding (PBF) policy.

PAN-77339
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
The SafeNet Client 6.2.2 does not support the necessary MAC algorithm (HMAC-SHA1) to work with Palo Alto Networks firewalls that run in FIPS-CC mode.

PAN-77213
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
Panorama does not forward logs to a syslog server over TCP.

PAN-77116
After bootup, the firewall displays error messages such as Error: sysd_construct_sync_importer(sysd_sync.c:328): sysd_sync_register() failed: (111) Unknown error code, even though the bootup is successful.
Workaround: Ignore the error messages; they do not affect the firewall operations.

PAN-77062
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
Administrators with a custom role cannot delete packet captures.

PAN-76779
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
On the PA-5020 firewall, the dataplane restarts continuously when a user accesses applications over a GlobalProtect clientless VPN.
PAN-76509
On firewalls with multiple virtual systems, custom spyware signatures work only on vsys1.

PAN-76270
This issue is now resolved. See PAN-OS 8.0.3 Addressed Issues.
Operations that require heavy memory usage on Log Collectors (such as ingesting logs at a high rate) cause some other processes to restart.

PAN-76162
This issue is now resolved. See PAN-OS 8.0.3 Addressed Issues.
Panorama 8.0 fails to query PA-7000 Series firewalls running a PAN-OS 7.0 or PAN-OS 7.1 release.
Workaround: Run the debug skip-condor-reports no command and then the debug software restart process reportd command on the Panorama management server so that it can successfully query PA-7000 Series firewalls running a PAN-OS 7.1 release.
Do not use this workaround if you use Panorama 8.0 to manage a PA-7000 Series firewall that is running a PAN-OS 7.0 release (known issue PAN-77237).

PAN-76058
This issue is now resolved (requires content release version 718 or later). See PAN-OS 8.0.4 Addressed Issues.
When migrating URL categories from BrightCloud to PAN-DB, Panorama does not apply the migration to pre-rules and post-rules.

PAN-75960
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.
You cannot store the master key on an HSM in PAN-OS 8.0. Doing so will cause the firewall to enter maintenance mode after a reboot, which will require a factory reset.

PAN-75908
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
Multicast packets with stale session IDs cause the firewall dataplane to restart.

PAN-75881
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.
A regression introduced in PAN-OS 8.0.0 and 8.0.1 causes the firewall dataplane to restart in certain cases when combined with content updates. For details, including the relevance of content release version 709, refer to the associated Customer Advisory.

PAN-75457
(PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, Panorama does not support changing node roles. For example, on Panorama, in a three-node cluster, you cannot configure the worker node as a controller node by adding the high availability and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error; the commit will fail and the cluster becomes unresponsive.

PAN-74886
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
Panorama does not push a shared address object to firewalls if the object is part of a dynamic address group that uses a tag.
PAN-74652 AfterafirewallsuccessfullyinstallsacontentupdatereceivedfromPanorama,Panorama
This issue is now resolved. displaysafailuremessageforthatupdatewhentheassociatedjobIDonthefirewallis
See PAN-OS 8.0.4 higherthan65536.
Addressed Issues.
PAN-74632 ThefirewalldoesnotclearIPaddresstousernamemappingsorusernametogroup
This issue is now resolved. mappingsafterreachingthelimitforthenumberofusergroups(100,000),whichcauses
See PAN-OS 8.0.4 commitfailureswiththefollowingerrors:user-id is not registerdandser-ID
manager was reset. Commit is required to reinitialize User-ID.
Addressed Issues.
PAN-74293 The firewall drops sessions after only 30 seconds of idle traffic instead of after the session timeout associated with the application.
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
PAN-74139 On the PA-500 firewall, insufficient memory allocation causes SSL decryption errors that result in SSL session failures, and Traffic logs display the Session End Reason as decrypt-error or decrypt-cert-validation.
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
PAN-73964 Do not upgrade VM-Series firewalls on AWS to PAN-OS 8.0.0 if they are deployed in a high availability (HA) configuration.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
PAN-73879 You cannot clone the strict file blocking profile in PAN-OS 8.0; however, cloning the basic file blocking profile (or any other Security Profile types) works as expected.
This issue is resolved with content release version 658 and later releases.
PAN-73877 You cannot use the firewall web interface to generate a SAML metadata file for Captive Portal or GlobalProtect if the firewall has multiple virtual systems; after you click the Metadata link associated with an authentication profile, no virtual systems are available to select.
Workaround: Access the firewall CLI, switch to the virtual system where you assigned the authentication profile (set system setting target-vsys <vsys-name>), and generate the metadata file (show sp-metadata [captive-portal | global-protect] vsys <value> authprofile <value> ip-hostname <value>).
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
PAN-73859 The VM-Series firewall on Azure supports only five interfaces (one management interface and four dataplane interfaces) instead of eight (one management interface and seven dataplane interfaces).
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.
PAN-73849 After you perform a factory reset or private data reset on a fresh installation of the Panorama virtual appliance, the Panorama > Plugins page does not display the preloaded VMware NSX plugin and therefore you cannot use the web interface to install the plugin.
Workarounds:
- Use the request plugins install vmware_nsx-<version> CLI command to install the plugin.
- Download the plugin from the Palo Alto Networks Support Portal and then upload the plugin to Panorama. The web interface then displays the plugin for you to install.
PAN-73579 After you upgrade a firewall to PAN-OS 8.0, the firewall does not apply updates to the predefined Palo Alto Networks malicious IP address feeds (delivered through the daily antivirus content updates) until you perform a commit on the firewall.
Workaround: Commit changes to the firewall daily to ensure you always have the latest version of the malicious IP address feeds.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
PAN-73545 When adding interfaces to a VM-300, VM-500, or VM-700 firewall, you must commit twice for traffic to pass normally.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
PAN-73530 The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
PAN-73401 (PAN-OS 8.0.1 and later releases) On a two-node WildFire appliance cluster, if you import the cluster into Panorama, the controller nodes report their state as out-of-sync if either of the following two conditions exists:
- You do not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as a high availability pair. Adding a worker node would make the cluster a three-node cluster.)
- You do not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
- After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
- Configure a worker list on the cluster controller:
  admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
  (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. Import the cluster to Panorama and Panorama reports that the controller nodes are in sync. If you want the cluster to have only two nodes, use a different workaround.
- Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is enabled, or that DNS is not enabled:
  admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
  or
  admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
  Both commands result in Panorama reporting that the controller nodes are in sync.
PAN-73316 When a GlobalProtect user first logs in with a RADIUS authentication profile, the Domain-UserName appears as user@domain (instead of domain\user) in the PAN-OS web interface.
Workaround: Once a HIP report is generated, the username format is normalized and updated to the correct format.
PAN-73291 If you set up client certificate authentication for GlobalProtect portals and gateways, you can specify a Certificate Profile with multiple certificate authority (CA) certificates that have the same common name. However, authentication fails for client certificates signed by a CA certificate that is not listed first in the Certificate Profile.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
PAN-73254 After you install the VMware NSX plugin on Panorama in a high availability (HA) deployment, Panorama does not automatically synchronize configuration changes between the HA peers unless you first update settings related to the NSX plugin.
Workaround: Configure the NSX settings and commit your changes to Panorama.
This issue is now resolved. See PAN-OS 8.0.3 Addressed Issues.
PAN-73207 If the firewall integrates with Okta Adaptive as the multi-factor authentication (MFA) vendor, you cannot use push notification as an authentication factor.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
PAN-73168 If the PAN-OS web interface and the GlobalProtect portal that hosts Clientless VPN applications are configured to share the same FQDN, you can get a 400 Bad Request error from your browser when you try to access the PAN-OS web interface.
Workaround: Best practice is to configure separate FQDNs for the PAN-OS web interface and the GlobalProtect portal that hosts Clientless VPN applications. As a short-term fix, clear the browser cache or close all browser windows and then open a separate browser window to log in to the PAN-OS web interface.
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.
PAN-73006 When logging rates are high, the App Scope Change Monitor and Network Monitor reports sometimes fail to display data when you filter by Source or Destination IP addresses. Additionally, the App Scope Summary report sometimes fails to display data for the Top 5 Bandwidth Consuming Source and Top 5 Threats when logging rates are high.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
PAN-72861 When you configure a PA-5200 Series or PA-7000 Series firewall to perform tunnel-in-tunnel inspection, which includes GRE keepalive packets (Policies > Tunnel Inspection > Inspection > Inspect Options), and you run the clear session all CLI command while traffic is traversing a tunnel, the firewall temporarily drops tunneled packets.
PAN-72843 If you commit a configuration that enables Clientless VPN on multiple GlobalProtect portals using different DNS proxies, the commit fails.
Workaround: Restart the firewall dataplane and repeat the configuration commit.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
PAN-72402 If you configure a BGP IPv6 aggregate address with an Advertise Filter that consists of both a prefix filter and a next-hop filter, the firewall advertises only the aggregate address and does not advertise the specific routes covered by the Advertise Filter.
Workaround: Remove the next-hop filter so that the firewall advertises both the aggregate address and the more specific routes. This applies only to routes learned from another BGP peer; the firewall advertises locally injected routes as expected without this workaround.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
PAN-72342 End users who ignore the Duo V2 authentication prompt until it times out can still authenticate successfully to a GlobalProtect portal configured for two-factor authentication.
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
PAN-71829 In some cases, when you make specific changes on a PA-5000 Series firewall related to certificates or SSL profiles for a GlobalProtect configuration, the dataplane restarts. Changes that result in a restart include configuring a new gateway, changing a certificate linked to GlobalProtect, or changing the minimum or maximum version of the TLS profile linked to GlobalProtect; other types of changes to GlobalProtect configurations do not trigger a dataplane restart.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
PAN-71765 Deactivating a VM-Series firewall from Panorama completes successfully but the web interface does not update to show that deactivation is complete.
Workaround: View deactivation status from Managed Devices (Panorama > Managed Devices).
PAN-71556 MAC address table entries with a time-to-live (TTL) value of 0 are not removed as expected in Layer 2 deployments, which results in a table that continually grows larger in size.
Workaround: Monitor the number of table entries and run the clear mac all CLI command or reboot as needed to clear the table.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
PAN-71334 On a PA-5200 Series firewall, when you set up a VoIP call using the Session Initiation Protocol (SIP), you can experience a delay of up to 10 seconds before the firewall transmits the audio/video stream.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
PAN-71329 Local users and user groups created under Shared (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Clientless VPN > Applications on the GlobalProtect Portal).
Workaround: Create users and user groups under vsys for multiple virtual systems. For single virtual systems (like VM), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
PAN-71271 If the log purging process starts running before log migration begins after an upgrade to PAN-OS 8.0, the log migration process fails and drops new logs.
You cannot work around this issue if the log purging process starts before you start migration. To determine whether log purging has begun, run the less mp-log es_purge.log CLI command, enter a forward slash ("/"), enter deleting, and check the output. If there are any matches, you cannot migrate; if there are no matches, then you can start log migration.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
PAN-71215 Deactivating a VM-Series firewall from Panorama fails when Panorama is configured to Verify Update Server Identity (Panorama > Setup > Services > Verify Update Server Identity) and this setting is disabled on the firewall (Device > Setup > Services); this failure causes the firewall to become unreachable.
Workaround: Ensure that you configure both Panorama and the VM-Series firewall to Verify Update Server Identity before you deactivate the firewall.
PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out from the GlobalProtect portal, the administrative user is logged out from the PAN-OS web interface as well. This issue is compounded when the portal is configured for GlobalProtect Clientless VPN because it can increase the number of users who access the portal.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
PAN-70353 Clientless VPN does not work if you configure the GlobalProtect portal that hosts the Clientless VPN on an interface with DHCP Client enabled.
Workaround: Configure the interface to use static IP addresses.
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.
PAN-70323 Firewalls running in FIPS-CC mode do not allow import of SHA-1 CA certificates even when the private key is not included; instead, firewalls display the following error: Import of <cert name> failed. Unsupported digest or keys used in FIPS-CC mode.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
PAN-70181 PA-7000 Series firewalls that run a large number of scheduled daily reports (near 1,000 or more) will eventually experience a memory issue that causes CLI commands to fail and ultimately causes SSH connection attempts to the management IP address to fail, as well.
Workaround: Monitor memory usage and restart the mgmtsrvr process when mgmtsrvr virtual memory exceeds 6GB or mgmtsrvr resident memory exceeds 4GB.
PAN-70046 A standard 404 browser error displays if you try to use GlobalProtect Clientless VPN without the correct content release version.
Workaround: Clientless VPN requires you to install a GlobalProtect subscription on the firewall that hosts the Clientless VPN from the GlobalProtect portal. Additionally, you need GlobalProtect Clientless VPN dynamic updates to use this feature.
PAN-70023 Authentication using auto-filled credentials intermittently fails when you access an application using GlobalProtect Clientless VPN.
Workaround: Manually enter the credentials.
PAN-69932 The Panorama web interface and CLI respond slowly when numerous NSX plugins are in progress.
PAN-69874 When the PAN-OS XML API sends user mappings with no timeout value to a firewall that has the Enable User Identification Timeout option disabled, the firewall assigns the mappings a timeout of 60 minutes instead of never.
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.
PAN-69505 When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error.
PAN-69367 The firewall incorrectly generates packet diagnostic logs and captures packets for sessions that are not part of a packet filter (Monitor > Packet Capture).
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
PAN-69340 When you use a license authorization code (capacity license or a bundle) to bootstrap a VM-Series firewall, the capacity license is not applied. This issue occurs because the firewall does not reboot after the license is applied.
Workaround: Use the request restart software CLI command or reboot the firewall manually to activate session capacity for a VM-Series firewall.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
PAN-69141 On PA-7000 Series firewalls and on Panorama log collectors, log collection processes consume excess memory and do not process logs as expected. This issue occurs when DNS response times are slow and scheduled reports contain fields that require DNS lookups.
Workaround: Use the debug management-server report-namelookup disable CLI command to disable DNS lookups for reporting purposes and then restart the log receiver by running debug software restart process log-receiver.
PAN-68974 On PA-3000 Series firewalls, you cannot configure a QoS Profile to have a maximum egress bandwidth (Egress Max) higher than 1Gbps for an aggregate group interface (Network > Network Profiles > QoS Profile).
PAN-67971 When you configure an endpoint running a GlobalProtect agent 3.x release to use a fully qualified domain name (FQDN) to connect to a dual-stack PAN-OS 8.0 gateway, the firewall incorrectly displays an IPv6 address instead of an IPv4 address for the connection.
Workaround: Use GlobalProtect agent 4.0 to connect to PAN-OS 8.0.
PAN-67544 Fixed an issue where, when a multicast forwarding information base (MFIB) timed out, the packet processing process (flow_ctrl) stopped responding, which intermittently caused the firewall dataplane to restart.
PAN-67422 (PAN-OS 8.0.1 and later releases) The firewall re-registers with WildFire every 15 days unless a connection failure occurs. If a firewall registered with a standalone WildFire appliance and then you configure the firewall to register with a WildFire appliance cluster, the firewall shows as registered both to the cluster and to the standalone appliance, which creates duplicate entries.
To verify that a firewall is connected to a WildFire appliance and a WildFire appliance cluster, run the following command on the WildFire cluster and standalone WildFire appliance to display all firewalls registered to that cluster and appliance:
  admin@Panorama> show wildfire-appliance last-device-registration all serial-number <value>
The <value> is the 12-digit serial number of the WildFire cluster controller node or the WildFire appliance. For example, to view all firewalls on a cluster whose controller node has the serial number 002001000099, run the following command:
  admin@Panorama> show wildfire-appliance last-device-registration all serial-number <002001000099>
Workaround: Run the show wildfire global devices-reporting-data command to show only firewalls that are reporting data to the WildFire appliance. If a firewall has not submitted a sample to the WildFire appliance during the past 24 hours, the firewall is not listed.
PAN-66997 On PA-7000 Series, PA-5200 Series, and PA-5000 Series firewalls, users who access applications over SSL VPN or IPSec tunnels through GlobalProtect experience one-directional traffic.
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.
PAN-66122 Tunnel content inspection is not supported in a virtual-system-to-virtual-system topology.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
PAN-66032 When you monitor Block IP List entries, an IP address blocked by a Vulnerability Protection profile or Anti-Spyware profile displays the Block Source to be the Threat ID (TID) and virtual system (if applicable), instead of the name of the threat that blocked the IP address. For example, the Block Source displays 41000:vsys1 (or 41000:* if there is no virtual system).
PAN-63905 Installing a content update or committing configuration changes on the firewall causes RTP sessions that were created from predict sessions to move from an active state to a discard state.
PAN-63274 When you configure tunnel content inspection for traffic in a shared gateway topology (the firewall has multiple virtual systems), inner flow sessions installed on dataplane 1 (DP1) will fail. Additionally, when networking devices behind the shared gateway initiate traffic, that traffic doesn't reach the networking devices behind the virtual systems.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
PAN-62820 If you use the Apple Safari browser in Private Browsing mode to request a service or application that requires multi-factor authentication (MFA), the firewall does not redirect you to the service or application even after authentication succeeds.
PAN-62453 Entering vSphere maintenance mode on a VM-Series firewall without first shutting down the Guest OS for the agent VMs causes the firewall to shut down abruptly and causes issues that persist after the firewall is powered on again. Refer to Issue 1332563 in the VMware release notes: https://www.vmware.com/support/pubs/nsx_pubs.html.
Workaround: VM-Series firewalls are Service Virtual Machines (SVMs) pinned to ESXi hosts and should not be migrated. Before you enter vSphere maintenance mode, use the VMware tools to ensure a graceful shutdown of the VM-Series firewall.
PAN-61834 The firewall captures packets of IP addresses that are not included in the packet filter (Monitor > Packet Capture).
PAN-58872 The automatic license deactivation workflow for firewalls with direct internet access does not work.
Workaround: Use the request license deactivate key features <name> mode manual CLI command to Deactivate a Feature License or Subscription Using the CLI. To Deactivate a VM, choose Complete Manually (instead of Continue) and follow the steps to manually deactivate the VM.
PAN-56217 You cannot configure multiple DNS proxy objects that specify for the firewall to listen for DNS requests on the same interface (Network > DNS Proxy > Interfaces). If multiple DNS proxy objects are configured with the same interface, only the first DNS proxy object settings are applied.
Workaround: If there are DNS proxy objects configured with the same interface, you must modify the DNS proxy objects so that each object specifies unique interfaces:
- To modify a DNS proxy object that specifies only one interface, delete the DNS proxy object and reconfigure the object with an interface that is not shared among any other objects.
- To modify a DNS proxy object configured with multiple interfaces, delete the interface that is shared with other DNS proxy objects, click OK to save the modified object, and then Commit.
PAN-55825 Performing an AutoFocus remote search that is targeted to a PAN-OS firewall or Panorama does not work correctly when the search condition contains a single or double quotation mark.
PAN-55437 High availability (HA) for VM-Series firewalls does not work in AWS regions that do not support the signature version 2 signing process for EC2 API calls. Unsupported regions include AWS EU (Frankfurt) and Korea (Seoul).
PAN-55203 When you change the reporting period for a scheduled report, such as the SaaS Application Usage PDF report, the report can have incomplete or no data for the reporting period.
Workaround: If you need to change the reporting period for any scheduled report, create a new report for the desired time period instead of modifying the time period on an existing report.
PAN-54531 The firewall stops writing new Traffic and Threat logs to storage because the Automated Correlation Engine uses disk space in a way that prevents the firewall from purging older logs.
PAN-54254 In Traffic logs, the following session end reasons for Captive Portal or a GlobalProtect SSL VPN tunnel indicated the incorrect reason for session termination: decrypt-cert-validation, decrypt-unsupport-param, or decrypt-error.
PAN-53825 For the VM-Series NSX edition firewall, when you add or modify an NSX service profile zone on Panorama, you must perform a Panorama commit and then perform a Device Group commit with the Include Device and Network Templates option selected. To successfully redirect traffic to the VM-Series NSX edition firewall, you must perform both a Template and a Device Group commit when you modify the zone configuration to ensure that the zones are available on the firewall.
PAN-53601 Panorama running on an M-500 appliance cannot connect to a SafeNet Network or Thales nShield Connect hardware security module (HSM).
PAN-51969 On the NSX Manager, when you unbind an NSX Security Group from an NSX Security Policy rule, the dynamic tag and registered IP address are updated on Panorama but are not sent to the VM-Series firewalls.
Workaround: To push the Dynamic Address Group updates to the VM-Series firewalls, you must manually synchronize the configuration with the NSX Manager (Panorama > VMware Service Manager and select NSX Config-Sync).
PAN-51952 If a security group overlap occurs in an NSX Security policy where the same security group is weighted with a higher and a lower priority value, the traffic may be redirected to the wrong service profile (VM-Series firewall instance). This issue occurs because an NSX Security policy with a higher weight does not always take precedence over a policy with a lower weight.
Workaround: Make sure that members that are assigned to a security group are not overlapping with another Security group and that each security group is assigned to a unique NSX Security policy rule. This allows you to ensure that NSX Security policy does not redirect traffic to the wrong service profile (VM-Series firewall).
PAN-51870 When using the CLI to configure the management interface as a DHCP client, the commit fails if you do not provide all four DHCP parameters in the command. For a successful commit when using the set deviceconfig system type dhcp-client command, you must include each of the following parameters: accept-dhcp-domain, accept-dhcp-hostname, send-client-id, and send-hostname.
PAN-51869 Canceling pending commits does not immediately remove them from the commit queue. The commits remain in the queue until PAN-OS dequeues them.
PAN-51673 BFD sessions are not established between two RIP peers when there are no RIP advertisements.
Workaround: Enable RIP on another interface to provide RIP advertisements from a remote peer.
PAN-51216 The NSX Manager fails to redirect traffic to the VM-Series firewall when you define new Service Profile zones for NSX on Panorama. This issue occurs intermittently on the NSX Manager when you define security rules to redirect traffic to the new service profiles that are available for traffic introspection and results in the following error: Firewall configuration is not in sync with NSX Manager. Conflict with Service Profile Oddhost on service (Palo Alto Networks NGFW) when binding to host<name>.
PAN-51181 A Palo Alto Networks firewall, M-100 appliance, or WF-500 appliance configured to use FIPS operational mode fails to boot when rebooting after an upgrade to PAN-OS 7.0 or later releases.
Workaround: Enable FIPS and Common Criteria support on all Palo Alto Networks firewalls and appliances before you upgrade to a PAN-OS 7.0 or later release.
PAN-51122 For the VM-Series firewall, if you manually reset a heartbeat failure alarm on the vCenter server to indicate that the VM-Series firewall is healthy (change color to green), the vCenter server does not trigger a heartbeat failure alarm again.
PAN-50651 On PA-7000 Series firewalls, one data port must be configured as a log card interface because the traffic and logging capabilities of this platform exceed the capabilities of the management port. A log card interface performs WildFire file-forwarding and log forwarding for syslog, email, and SNMP and these services require DNS support. If you set up a custom service route for the firewall to perform DNS queries, services using the log card interface might not be able to generate DNS requests. This is only an issue if you've configured the firewall to use a service route for DNS requests and, in this case, you must perform a workaround to enable communication between the firewall dataplane and the log card interface.
Workaround: Enable DNS Proxy on the firewall and do not specify an interface for the DNS proxy object to use (ensure that Network > DNS Proxy > Interface is not configured).
PAN-50641 Enabling or disabling BFD for BGP or changing a BFD profile that a BGP peer uses causes BGP to flap.
PAN-50038 When you enable jumbo frames from the CLI on a VM-Series firewall in AWS, the maximum transmission unit (MTU) size on the interfaces does not increase. The MTU on each interface remains at a maximum value of 1500 bytes.
PAN-48565 The VM-Series firewall on Citrix SDX does not support jumbo frames.
PAN-48456 IPv6-to-IPv6 Network Prefix Translation (NPTv6) is not supported when configured on a shared gateway.
PAN-47969 If you log in to Panorama as a Device Group and Template administrator and you rename a device group, the Panorama > Device Groups page no longer displays any device groups.
Workaround: After you rename a device group, perform a commit, log out, and log back in; the page then displays the device groups with the updated values.
PAN-47073 Web pages using the HTTP Strict Transport Security (HSTS) protocol do not always display properly for end users.
Workaround: End users must import an appropriate forward-proxy certificate for their browsers.
PAN-46344 When you use a Mac OS Safari browser, client certificates will not work for Captive Portal authentication.
Workaround: On a Mac OS system, instruct end users to use a different browser (for example, Mozilla Firefox or Google Chrome).
PAN-45793 On a firewall with multiple virtual systems, if you add an authentication profile to a virtual system and give the profile the same name as an authentication sequence in Shared, reference errors occur. The same errors occur if the profile is in Shared and the sequence with the same name is in a virtual system.
Workaround: When creating authentication profiles and sequences, always enter unique names, regardless of their location. For existing authentication profiles and sequences with similar names, rename the ones that are currently assigned to configurations (for example, a GlobalProtect gateway) to ensure uniqueness.
PAN-44400 The link on a 1Gbps SFP port on a VM-Series firewall deployed on a Citrix SDX server does not come up when successive failovers are triggered. This behavior is only observed in a high availability (HA) active/active configuration.
Workaround: Use a 10Gbps SFP port instead of the 1Gbps SFP port on the VM-Series firewall deployed on a Citrix SDX server.
PAN-44300 WildFire analysis reports cannot be viewed on firewalls running PAN-OS 6.1 release versions if connected to a WF-500 appliance in Common Criteria mode that is running PAN-OS 7.0 or later releases.
PAN-43000 Vulnerability detection of SSLv3 fails when SSL decryption is enabled. This occurs when you attach a Vulnerability Protection profile (that detects SSLv3, CVE-2014-3566) to a Security policy rule and that Security policy rule and an SSL Decryption policy rule are configured on the same virtual system in the same zone. After performing SSL decryption, the firewall sees decrypted data and no longer sees the SSL version number. In this case, the SSLv3 vulnerability is not identified.
Workaround: SSL Decryption Enhancements were introduced in PAN-OS 7.0 that enable you to prohibit the inherently weaker SSL/TLS versions, which are more vulnerable to attacks. For example, you can use a Decryption Profile to enforce a minimum protocol version of TLS 1.2 or you can Block sessions with unsupported versions to disallow unsupported protocol versions (Objects > Decryption Profile > SSL Decryption > SSL Forward Proxy and/or SSL Inbound Inspection).
PAN-41558 When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as StrongSwan.
Workaround: Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
PAN-40842 When you configure a firewall to retrieve a WildFire signature package, the System log shows unknown version for the package. For example, after a scheduled WildFire package update, the system log shows: WildFire package upgraded from version <unknown version> to 38978-45470. This is a cosmetic issue only and does not prevent the WildFire package from installing.
PAN-40130 In the WildFire Submissions logs, the email recipient address is not correctly mapped to a username when configuring LDAP group mappings that are pushed in a Panorama template.
PAN-40079 The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
PAN-40075 The VM-Series firewall on KVM running on Ubuntu 12.04 LTS does not support PCI pass-through functionality.
PAN-39728 The URL logging rate is reduced when HTTP header logging is enabled in the URL Filtering profile (Objects > Security Profiles > URL Filtering > URL Filtering profile > Settings).
PAN-39636 Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report. For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.
PAN-39501 Unused NAT IP address pools are not cleared after a single commit, so a commit fails if the combined cache of unused pools, existing used pools, and new pools exceeds the memory limit.
Workaround: Commit a second time, which clears the old pool allocation.
PAN-38584 Configurations pushed from Panorama 6.1 and later releases to firewalls running PAN-OS 6.0.3 or earlier PAN-OS 6.0 releases will fail to commit due to an unexpected Rule Type error. This issue is caused by the Rule Type setting in Security policy rules that was not included in the upgrade transform and, therefore, the new rule types are not recognized on devices running PAN-OS 6.0.3 or earlier releases.
Workaround: Only upgrade Panorama to version 6.1 or later releases if you are also planning to upgrade all managed firewalls running PAN-OS 6.0.3 or an earlier PAN-OS 6.0 release to a PAN-OS 6.0.4 or later release before pushing a configuration to the devices.
PAN-38255 If you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart management-server CLI command.
PAN-37511 Due to a limitation related to the Ethernet chip driving the SFP+ ports, PA-5050 and PA-5060 firewalls will not perform link fault signaling as standardized when a fiber in the fiber pair is cut or disconnected.
PAN-37177 After deploying the VM-Series firewall, when the firewall connects to Panorama, you must issue a Panorama commit to ensure that Panorama recognizes the firewall as a managed device. If you reboot Panorama without committing the changes, the firewall will not connect back to Panorama; although the device group will display the list of devices, the device will not display in Panorama > Managed Devices.
Further, if Panorama is configured in an HA configuration, the VM-Series firewall is not added to the passive Panorama peer until the active Panorama peer synchronizes the configuration. During this time, the passive Panorama peer will log a critical message: vm-cfg: failed to process registration from svm device. vm-state: active. This message is logged until you commit the changes on the active Panorama, which then initiates synchronization between the Panorama HA peers and the VM-Series firewall is added to the passive Panorama peer.
Workaround: To reestablish the connection to the managed devices, commit your changes to Panorama (click Commit and select Commit Type: Panorama). In case of an HA setup, the commit will initiate the synchronization of the running configuration between the Panorama peers.
PAN-37127 OnthePanoramawebinterface,thePolicies > Security > Post Rules > Combined Rules
Previewwindowdoesnotdisplaypostrulesandlocalrulesformanageddevices.
PAN-37044 LivemigrationoftheVMSeriesfirewallisnotsupportedwhenyouenableSSLdecryption
usingtheSSLforwardproxymethod.UseSSLinboundinspectionifyouneedsupportfor
livemigration.
PAN-36730 WhendeletingtheVMSeriesdeployment,allVMsaredeletedsuccessfully;however,
sometimesafewinstancesstillremaininthedatastore.
Workaround:ManuallydeletetheVMSeriesfirewallsfromthedatastore.
PAN-36728 Insomescenarios,trafficfromnewlyaddedguestsorvirtualmachinesisnotsteeredto
theVMSeriesfirewallevenwhentheguestsbelongtoaSecurityGroupandareattached
toaSecurityPolicythatredirectstraffictotheVMSeriesfirewall.
Workaround:ReapplytheSecurityPolicyontheNSXManager.
PAN-36433 Ifahighavailability(HA)failoveroccursonPanoramaatthetimethattheNSXManager
isdeployingtheVMSeriesNSXeditionfirewall,thelicensingprocessfailswiththeerror:
vm-cfg: failed to process registration from svm device. vm-state: active.
Workaround:DeletetheunlicensedinstanceoftheVMSeriesfirewalloneachESXihost
andthenredeploythePaloAltoNetworksnextgenerationfirewallservicefromtheNSX
Manager.
PAN-36394 Whenthedatastoreismigratedforaguest,allcurrentsessionsarenolongersteeredto
theVMSeriesfirewall.However,allnewsessionsaresecuredproperly.
PAN-36333 The Service dialog for adding or editing a service object in the web interface displays the incorrect port range for both source and destination ports: 1-65535. The correct port range is 0-65535 and specifying port number 0 for either a source or destination port is successful.
PAN-36289 If you deploy the VM-Series firewall and then assign the firewall to a template, the change is not recorded in the bootstrap file.
Workaround: Delete the Palo Alto Networks NGFW Service on the NSX Manager, and verify that the template is specified on Panorama > VMware Service Manager, register the service, and redeploy the VM-Series firewall.
PAN-36088 When an ESXi host is rebooted or shut down, the functional status of the guests is not updated. Because the IP address is not updated, the dynamic tags do not accurately reflect the functional state of the guests that are unavailable.
PAN-36049 The vCenter Server/vmtools displayed the IP Address for a guest incorrectly after vlan tags were added to an Ethernet port. The display did not accurately show the IP addresses associated with the tagged Ethernet port and the untagged Ethernet port. This issue was seen on some Linux OS versions such as Ubuntu.
PAN-35903 When you edit a traffic introspection rule (to steer traffic to the VM-Series firewall) on the NSX Manager, an invalid (tcp) port number error or invalid (udp) port number error displays when you remove the destination (TCP or UDP) port.
Workaround: Delete the rule and add a new one.
PAN-35875 When defining traffic introspection rules (to steer traffic to the VM-Series firewall) on the NSX Manager, either the source or the destination for the rule must reference the name of a Security Group; you cannot create a rule from any to any Security Group.
Workaround: To redirect all traffic to the VM-Series firewall, you must create a Security Group that includes all the guests in the cluster. Then you can define a security policy that redirects traffic from and to the cluster so that the firewall can inspect and enforce policy on the east-west traffic.
PAN-35874 Duplicate packets are being steered to the VM-Series firewall. This issue occurs if you enable distributed vSwitch for steering in promiscuous mode.
Workaround: Disable promiscuous mode.
PAN-34966 On a VM-Series NSX edition firewall, when adding or removing a Security Group (Container) that is bound to a Security Policy, Panorama does not get a dynamic update of the added or removed Security Group.
Workaround: On Panorama > VMware Service Manager, click Synchronize Dynamic Objects to initiate a manual synchronization to get the latest update.
PAN-34855 On a VM-Series NSX edition firewall, Dynamic Tags (update) do not reflect the actual IP address set on the guest. This issue occurs because the vCenter Server cannot accurately view the IP address of the guest.
PAN-33316 Adding or removing ports on the SDX server after deploying the VM-Series firewall can cause a configuration mismatch on the firewall. To avoid the need to reconfigure the interfaces, consider the total number of data ports that you require on the firewall and assign the relevant number of ports on the SDX server when deploying the VM-Series firewall.
For example, if you assign ports 1/3 and 1/4 on the SDX server as data interfaces on the VM-Series firewall, the ports are mapped to eth1 and eth2. If you then add port 1/1 or 1/2 on the SDX server, eth1 will be mapped to 1/1 or 1/2, eth2 will be mapped to 1/3 and eth3 to 1/4. If ports 1/3 and 1/4 were set up as a virtual wire, this remapping will require you to reconfigure the network interfaces on the firewall.
PAN-31832 The following issues apply when configuring a firewall to use a hardware security module (HSM):
• Thales nShield Connect: The firewall requires at least four minutes to detect that an HSM has been disconnected, causing SSL functionality to be unavailable during the delay.
• SafeNet Network: When losing connectivity to either or both HSMs in a high availability (HA) configuration, the display of information from the show ha-status or show hsm info command is blocked for 20 seconds.
PAN-31593 After you configure a Panorama M-Series appliance for HA and synchronize the configuration, the Log Collector of the passive peer cannot connect to the active peer until you reboot the passive peer.
PAN-29441 The Panorama virtual appliance does not write summary logs for traffic and threats as expected after you enter the clear log command.
Workaround: Reboot Panorama management server (Panorama > Setup > Operations) to enable summary logs.
PAN-29411 In some configurations, when you switch context from Panorama and access the web interface of a managed device, you are unable to upgrade the PAN-OS software image.
Workaround: Use the Panorama > Device Deployment > Software tab to deploy and install the software image on the managed device.
PAN-29385 You cannot configure the management IP address on an M-100 appliance while it is operating as the secondary passive peer in an HA pair.
Workaround: To set the IP address for the management interface, you must suspend the active Panorama peer, promote the passive peer to active state, change the configuration, and then reset the active peer to active state.
PAN-29053 By default, the hostname is not included in the IP header of syslog messages sent from the firewall. However, some syslog implementations require this field to be present.
Workaround: Enable the firewall to include the IP address of the firewall as the hostname in the syslog header by selecting Send Hostname in Syslog (Device > Setup).
PAN-28794 If a Panorama Log Collector MGT port is configured with an IPv4 address and you want to have only an IPv6 address configured, you can use the Panorama web interface to configure the new IPv6 address but you cannot use Panorama to remove the IPv4 address.
Workaround: Configure the MGT port with the new IPv6 address and then apply the configuration to the Log Collector and test connectivity using the IPv6 address to ensure that you do not lose access when you remove the IPv4 address. After you confirm the Log Collector is accessible using the IPv6 address, go to the CLI on the Log Collector and remove the IPv4 address (using the delete deviceconfig system ip-address command) and then commit your changes.
PAN-25101 If you add a Decryption policy rule that instructs the firewall to block SSL traffic that was not previously being blocked, the firewall will continue to forward the undecrypted traffic.
Workaround: Use the debug dataplane reset ssl-decrypt exclude-cache command to clear the SSL decrypt exclude cache.
PAN-25046 SSH host keys used for SCP log export are stored in the known hosts file on the firewall. In a high availability (HA) configuration, the SCP log export configuration is synchronized with the peer device, but the known host file is not synchronized. When a failover occurs, the SCP log export fails.
Workaround: Log in to each peer in HA and Test SCP server connection to confirm the host key so that SCP log forwarding continues to work after a failover.
PAN-20162 If a client PC uses RDP to connect to a server running remote desktop services and the user logs in to the remote server with a different username, when the User-ID agent queries the Active Directory server to gather user-to-IP mapping from the security logs, the second username will be retrieved. For example, if UserA logs in to a client PC and then logs in to the remote server using the username for UserB, the security log on the Active Directory server will record UserA, but will then be updated with UserB. The username UserB is then picked up by the User-ID agent for the user-to-IP mapping information, which is not the intended user mapping.
Known Issues Specific to the WF-500 Appliance
The following list includes known issues specific to WildFire 8.0 releases running on the WF-500 appliance. See also the specific and general Known Issues Related to PAN-OS 8.0 Releases.
Issue ID Description
WF500-4218 As part of and after upgrading a WildFire appliance to a PAN-OS 8.0 release, rebooting a cluster node (request cluster reboot-local-node) sometimes results in the node going offline or failing to reboot.
Workaround: Use the debug cluster agent restart-agent CLI command to bring the node back online and to restart the cluster agent as needed.
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.
WF500-4186 In a three-node WildFire appliance cluster, if you decommission the backup controller node or the worker node (request cluster decommission start) and then delete the cluster-related configuration (high availability and cluster membership) from the decommissioned node, in some cases, the cluster stops functioning. Running the show cluster membership command on the primary controller node shows:
Service Summary: Cluster:offline, HA:peer-offline
In this state, the cluster does not function and does not accept new samples for processing.
Workaround: Reboot the primary controller (run the request cluster reboot-local-node command on the primary controller's local CLI). After the primary controller reboots, the cluster functions again and accepts new samples for processing.
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.
WF500-4176 After you remove a node from a cluster, if the cluster was storing sample information on that node, the serial number of that node may appear in the list of storage nodes when you show the sample status (show wildfire global sample-status sha256 equal <value>) even though the node no longer belongs to the cluster.
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.
WF500-4173 Integrated reports are not available for firewalls connected to a WF-500 appliance running in FIPS mode.
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.
WF500-4166 In a WildFire appliance cluster with three or more nodes and with two controller nodes, if you try to configure a worker node as a controller node, the change should fail because a cluster can have only two controller nodes (primary and backup controller nodes). However, the commit operation on the worker node succeeds and causes the cluster to see the worker node as a third controller node that cannot be allowed in the cluster. This prevents the converted worker node from connecting to the cluster manager and the node is removed from the cluster. The result when running the show cluster task local command displays:
Server error: Cannot connect to cluster-mgr daemon, please check it is running.
Status Report: <node-ip-address>: reported leader <ip-address>, age 0.
<node-ip-address>: quit cluster due to too many controllers.
Workaround: Perform the following tasks to work around this issue:
1. Reconfigure the node to run in worker mode using the set deviceconfig cluster mode worker command.
2. Run the commit force command. (A standard commit operation fails and returns a message that the cluster manager is non-responsive.)
3. After the commit force operation succeeds, reboot the node using the request cluster reboot-local-node command. Until you reboot the node, the node's application services do not respond.
WF500-4132 If you remove a node from a two-node WildFire appliance cluster by deleting the high-availability configuration (delete deviceconfig high-availability) and the cluster configuration (delete deviceconfig cluster), the single remaining cluster node cannot process samples.
Workaround: Use either of the following workarounds to enable the remaining cluster node to process samples:
• Make the cluster node a standalone WildFire appliance: Delete the HA and cluster configurations on the remaining cluster node and reboot the node. The node comes back up as a standalone WildFire appliance.
• Recreate the cluster: Reconfigure the node you removed as a cluster node by adding the cluster and HA configurations using the following commands so that both nodes come back up as cluster nodes and can process samples:
admin@WF-500# set deviceconfig cluster cluster-name <name> interface <cluster-communication-interface> node controller
admin@WF-500# set deviceconfig high-availability enabled yes interface ha1 port <port> peer-ip-address <node-port-ip-address>
admin@WF-500# set deviceconfig high-availability election-option priority (primary | secondary)
admin@WF-500# set deviceconfig high-availability interface ha1-backup peer-ip-address <node-backup-ha-interface-ip-address>
WF500-4047 In a three-node WildFire appliance cluster, decommissioning the active (primary) controller node fails. Attempting to decommission the active controller node by running the request cluster decommission start command results in a suspension of services on the node. Use the show cluster membership command to verify that the node services (Service Summary and wildfire-apps-service) are suspended.
Workaround: Instead of using the request cluster decommission start command to decommission the active controller, fail over the active controller so that it becomes the passive (backup) controller first and then decommission the passive controller:
1. Ensure that preemption is not enabled (Preemptive: no) by running the show high-availability state command (preemption forces the active controller to resume its role as the active controller so that after a failover, when the active controller comes back up the active controller resumes its role as the active controller instead of becoming the passive backup controller).
If preemption is enabled, disable preemption on the active controller by running the set deviceconfig high-availability election-option preemptive no command and then commit the configuration.
2. Fail over the active controller so that it becomes the passive (backup) controller by running the request cluster reboot-local-node operational command on the active controller.
3. Wait for the former active controller to come up completely. Its new cluster role is the passive controller (as shown in the prompt).
4. When the node is in the passive controller state, remove the HA configuration (delete deviceconfig high-availability) and the cluster configuration (delete deviceconfig cluster) and then commit the configuration.
5. Decommission the node by running the request cluster decommission start command.
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
WF500-4044 Removing a node from a cluster using Panorama is not supported.
Workaround: Delete a node from a cluster using the local WildFire CLI.
WF500-4001 On Panorama, you can configure an authentication profile and Add groups or administrators to the Allow List in the profile (Panorama > Authentication Profile > <auth-profile> > Advanced). However, WildFire appliances and appliance clusters support only the all value for the groups in the allow list for an authentication profile. The analogous WildFire appliance CLI command is set shared authentication-profile <name> allow-list [all], with all as the only allowed parameter.
Attempting to push and commit a configuration that specifies a group or name other than all in the authentication profile from Panorama to a WildFire appliance or appliance cluster is not successful. However, Panorama shows that the commit succeeded as the Last Commit State even though the configuration was not pushed to the WildFire appliance or appliance cluster. Config Status displays cluster nodes as Out of Sync and when you click Last Commit State > commit succeeded, the Last Push State Details displays an error message.
For example, if you Add a group named abcd to an authentication profile named auth5 in Panorama and then attempt to push the configuration to a WildFire appliance cluster, Panorama returns the error authentication-profile auth5 allow-list abcd is not an allowed keyword. This is because WildFire appliances and appliance clusters see the allow list argument as a keyword, not as a variable, and the only keyword allowed is all.
WF500-3935 WildFire appliances build and release all untested signatures to the connected firewalls every five minutes, which is the maximum time that a signature remains untested (not released to firewalls). When a WildFire appliance joins a cluster, if any untested (unreleased) signatures are on the appliance, they may be lost instead of migrating to the cluster, depending on when the last build of untested signatures occurred.
WF500-3868 In a WildFire appliance cluster with two controller nodes in an HA configuration, under certain circumstances, synchronizing the controller node running configurations can cause a validation error that prevents the configuration from committing on the peer controller.
When you run the request high-availability sync-to-remote running-configuration command on one controller node, it overwrites the candidate configuration on the peer controller and commits the new (synchronized) configuration. However, if you then change the configuration on the peer controller and commit the change, the commit fails and returns a validation error:
Validation Error:
template unexpected here
Workaround: To avoid the validation error, on the controller node on which the commit failed, save the configuration to a file using the save config to <filename> operational command and then load the saved configuration using the load config from <filename> command.
WF500-1584 When using a web browser to view a WildFire Analysis Report from a firewall that is using a WF-500 appliance for file sample analysis, the report may not appear until the browser downloads the WF-500 certificate. This issue occurs after upgrading a firewall and the WF-500 appliance to a PAN-OS 6.1 or later release.
Workaround: Browse to the IP address or hostname of the WF-500 appliance, which will temporarily download the certificate into the browser. For example, if the IP address of the WF-500 is 10.3.4.99, open a browser and enter https://10.3.4.99. You can then access the report from the firewall by selecting Monitor > WildFire Submissions, clicking log details, and then clicking the WildFire Analysis Report tab.
PAN-OS 8.0.4-h2 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS 8.0.4-h2 release. For new features, associated software versions, known issues, and changes in default behavior in PAN-OS 8.0 releases, see PAN-OS 8.0 Release Information.
Issue ID Description
PAN-78869 As an enhancement to reduce the sensitivity of your log collection infrastructure to network latency, you can now use the debug log-collector inter-log-collector data-compression set on CLI command so that Log Collectors compress the log data they send to other Log Collectors within a Collector Group. You must run the command on all the Log Collectors within a Collector Group to enable log compression. By default, log compression is disabled.
PAN-OS 8.0.4 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS 8.0.4 release. For new features, associated software versions, known issues, and changes in default behavior in PAN-OS 8.0 releases, see PAN-OS 8.0 Release Information.
Issue ID Description
WF500-4314 Fixed an issue where the WF-500 appliance incorrectly assigned a malicious verdict to samples associated with Web Proxy Auto-Discovery Protocol (WPAD) DNS lookups.
PAN-81053 Fixed an issue where the Panorama virtual appliance did not migrate logs from NFS storage to the virtual disks on a local Log Collector after you switched from Legacy mode to Panorama mode.
PAN-80766 Fixed an issue where commits failed after upgrading a firewall to PAN-OS 8.0 if, before the upgrade, that firewall had a tunnel interface configured as the Source Interface for QoS cleartext traffic (Network > QoS > <QoS_interface> > Clear Text Traffic).
PAN-80445 Fixed an issue where the reportd process had a memory leak.
PAN-80077 Fixed an issue on PA-7000 Series and PA-5200 Series firewalls where users failed to authenticate when Captive Portal was configured in Redirect mode because the Captive Portal host session incorrectly timed out after 5 seconds.
PAN-80064 Fixed an issue where the firewall used an incorrect source MAC address for aggregate Ethernet (AE) interfaces, which caused traffic offload failures.
PAN-80062 Fixed an issue where firewalls running PAN-OS 8.0.3 displayed the error message Not authorized when administrators with local firewall accounts tried to log in using Kerberos single sign-on.
PAN-79935 Fixed an issue where the firewall dropped packets when GlobalProtect end users generated IPv6 traffic.
PAN-79833 Fixed an issue where the firewall randomly dropped packets for traffic that end users generated after connecting to GlobalProtect.
PAN-79780 Fixed an issue where the firewall could not delete old HA keys, which prevented the generation of new keys for HA1 encryption.
PAN-79779 Fixed an issue where firewall administrators that PAN-OS authenticated through RADIUS and authorized through RADIUS Vendor-Specific Attributes (VSAs) could not commit configuration changes on the firewall.
PAN-79436 Fixed an issue where PA-7000 Series firewalls did not apply changes to the Syslog server profile configuration until you restarted the syslog-ng process.
PAN-79365 Fixed an issue where pushing template configurations to VM-Series firewalls for NSX removed those firewalls as managed devices on Panorama.
PAN-79311 Fixed an issue on PA-220 firewalls where, after you modified Security policy, the firewalls did not rematch the policy against sessions involving file transfers that were in progress during the policy modification.
PAN-79084 Fixed an issue where fragmented packets in GlobalProtect traffic caused PA-5200 Series firewalls to stop responding.
PAN-79001 Fixed an issue on PA-5250 and PA-5260 firewalls where QSFP ports 21 to 24 did not come up when connecting over LR optic connections.
PAN-78932 Fixed an issue where loading definitions for 8.0 SNMP MIBs failed for the PAN-TRAPS.my MIB. With this fix, you can download the latest enterprise MIBs from https://www.paloaltonetworks.com/documentation/misc/snmpmibs.html.
PAN-78886 Fixed an issue where the firewall ignored Authentication policy rules for websites that you added to a custom URL category.
PAN-78456 As an enhancement to the firewall bootstrapping process, you can specify a template stack in the template parameter (tplname) of the bootstrapping configuration file (init-cfg.txt).
PAN-78390 Fixed an issue where PA-5200 Series firewalls became unresponsive in deployments with high-throughput traffic.
PAN-78342 Fixed an issue where Panorama failed to export a custom report if you set the Database to a Remote Device Data option (Monitor > Manage Custom Reports).
PAN-78256 Fixed an issue where the firewall stopped responding and processing traffic due to a packet buffer leak.
PAN-78224 Fixed an issue where the firewall truncated passwords to 40 characters when end users tried to authenticate through RADIUS in the Captive Portal web form.
PAN-77973 Fixed an issue where the passive firewall in an active/passive HA deployment lost HA session updates when the active peer had a heavy processing load.
PAN-77671 Fixed an issue where the firewall identified traffic to www.onlinetranslator.com as the translator5 application instead of as web-browsing.
PAN-77595 Fixed an issue where PA-7000 Series and PA-5200 Series firewalls forwarded a SIP INVITE based on route lookup instead of on Policy-Based Forwarding (PBF) policy.
PAN-77527 Fixed an issue where PA-5200 Series firewalls throttled packet-diagnostic logs even if log throttling was disabled.
PAN-77213 Fixed an issue where Panorama failed to forward logs to a syslog server over TCP.
PAN-77096 Fixed an issue where GlobalProtect endpoints configured to use the pre-logon Connection Method with cookie authentication failed to authenticate because they failed to retrieve framed (static) IP addresses.
PAN-77062 Fixed an issue where administrators with a custom role could not delete packet captures.
PAN-77012 Fixed an issue where the firewall evaluated URL filtering-based Security policy rules without evaluating application-based rules that were higher in the rule evaluation order.
PAN-76831 Fixed an issue on PA-7000 Series firewalls where committing configuration changes caused the management server to stop responding and made the web interface and CLI inaccessible.
PAN-76779 Fixed an issue on a PA-5020 firewall where the dataplane restarted continuously when a user accessed applications over a GlobalProtect clientless VPN.
PAN-76160 Fixed an issue where a memory leak caused the firewall to create hundreds of LDAP connections, which resulted in commit failures.
PAN-76130 A security-related fix was made to address OpenSSL vulnerabilities relating to the Network Time Protocol (NTP) library (CVE-2016-9042/CVE-2017-6460).
PAN-76058 Fixed an issue where Panorama failed to migrate URL categories from BrightCloud to PAN-DB in policy pre-rules and post-rules; this fix requires content release version 718 or a later version.
PAN-76042 Fixed an issue where PAN-OS XML API calls for retrieving all threat details associated with a threat ID returned only threat names.
PAN-75908 Fixed an issue where multicast packets with stale session IDs caused the firewall dataplane to restart.
PAN-75769 Fixed an issue where the firewall enabled new applications associated with Applications updates received from Panorama even when you chose to Disable new apps in content update (Panorama > Device Deployment > Dynamic Updates).
PAN-75571 Fixed an issue where the web interface did not display the full list of IPSec tunnels (Network > IPSec Tunnels) after upgrading the firewall.
PAN-75505 Fixed an issue where the firewall failed to export a report to PDF, XML, or CSV format if the report job ID was higher than 65535.
PAN-75045 Fixed an issue where the firewall rejected the default route advertised by an OSPFv3 neighbor with the link-local address fe80::1.
PAN-74959 Fixed an issue where the firewall or Panorama web server stopped responding, which made the web interface inaccessible until you rebooted.
PAN-74954 Fixed an issue where firewalls did not take template settings from Panorama when you pushed a template stack that had multiple templates with a Default VSYS (Panorama > Templates > <template_configuration>).
PAN-74886 Fixed an issue where Panorama failed to push a shared address object to firewalls when the object was part of a dynamic address group that used a tag.
PAN-74652 Fixed an issue where, after a firewall successfully installed a content update received from Panorama, Panorama displayed a failure message for that update when the associated job ID on the firewall was higher than 65536.
PAN-74632 Fixed an issue where the firewall did not clear IP address-to-username mappings or username-to-group mappings after reaching the maximum supported number of user groups, which caused commit failures with the following errors: user-id is not registerd and ldmgr manager was reset. Commit is required to reinitialize User-ID.
PAN-74411 Fixed an issue where PAN-OS warned you too late during the firewall bootstrapping process of an error that would cause the process to abort. The late warning occurred when the error was an init-cfg.txt file that specified an IPv6 address without a corresponding IPv4 address. With this fix, PAN-OS warns you of this error much earlier in the bootstrapping process (during the sanity check phase).
PAN-74293 Fixed an issue where the firewall dropped application sessions after only 30 seconds of idle traffic instead of after the session timeout associated with the application.
PAN-74139 Fixed an issue on the PA-500 firewall where insufficient memory allocation caused SSL decryption errors that resulted in SSL session failures, and Traffic logs displayed the Session End Reason as decrypt-error or decrypt-cert-validation.
PAN-74110 Fixed an issue where administrators could not log in to the firewall using LDAP credentials after a PAN-OS upgrade.
PAN-73270 Fixed an issue where the firewall rebooted if a Syslog Parse profile with the Type set to Regex Identifier (Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Syslog Filters) matched a null character in a syslog message.
PAN-73053 Fixed an issue where incremental updates failed for registered IP addresses if the firewall retrieved the updates through VM information sources (Device > VM Information Sources).
PAN-72831 Fixed an issue where rebooting the firewall caused it to generate a false critical alarm that indicated LDAP servers were down.
PAN-72698 Fixed an issue where the web interface did not display the character limit (2,048) when users tried to save log filters. With this fix, the firewall displays more information in error messages relating to saving log filters.
PAN-72342 Fixed an issue where end users ignored the Duo V2 authentication prompt until it timed out but still authenticated successfully to a GlobalProtect portal configured for two-factor authentication.
PAN-71931 Fixed an issue where Panorama allowed you to add multiple entries for the same firewall to a Log Forwarding Preferences list while configuring a Collector Group (Panorama > Collector Groups > <Collector_Group_configuration> > Device Log Forwarding), which caused a commit failure. With this fix, Panorama prevents you from adding multiple entries for the same firewall while configuring a Collector Group.
PAN-71226 Fixed an issue where the firewall dataplane restarted because the processes that perform packet processing stopped responding for HTTP traffic involving URL percent-encoding.
PAN-69367 Fixed an issue where the firewall incorrectly generated packet-diagnostic logs and captured packets for sessions that were not part of a packet filter (Monitor > Packet Capture).
PAN-68974 Fixed an issue on PA-3000 Series firewalls where you could not configure a QoS Profile to have a maximum egress bandwidth (Egress Max) higher than 1 Gbps for an aggregate group interface (Network > Network Profiles > QoS Profile).
PAN-67618 Fixed an issue where the Panorama XML API request to show all dynamic address groups did not respond with XML:
http://firewall/api/?type=op&cmd=<show><object><dynamic-address-group><all></all></dynamic-address-group></object></show>
PAN-67544 Fixed an issue where, when a multicast forwarding information base (FIB) timed out, the process for packet processing (flow_ctrl) stopped responding, which intermittently caused the firewall dataplane to restart.
PAN-63905 Fixed an issue where RTP sessions that were created from predict sessions went from an active state to a discard state after you installed a content update or committed configuration changes on the firewall.
PAN-61834 Fixed an issue where the firewall captured packets of IP addresses not included in the packet filter (Monitor > Packet Capture).
PAN-60535 Fixed an issue on PA-7000 Series firewalls where NPC slots went down due to missing heartbeats.
PAN-57490 Fixed an issue where Panorama displayed an error message when you configured an access domain with 512 or more device groups. With this fix, you can configure up to 1,024 device groups in a single access domain.
PAN-54531 Fixed an issue where the firewall stopped writing new Traffic and Threat logs to storage because the Automated Correlation Engine used disk space in a way that prevented the firewall from purging older logs.
PAN-OS 8.0.3-h4 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS 8.0.3-h4 release. For new features, associated software versions, known issues, and changes in default behavior in PAN-OS 8.0 releases, see PAN-OS 8.0 Release Information.
Issue ID Description
PAN-79424 Fixed an issue where the firewall dropped packets when GlobalProtect end users generated traffic with large packets.
PAN-79051 Fixed an issue where the firewall could not process packets that had base64 chaffing applied.
PAN-78934 Fixed an issue where the firewall did not apply policy rules to HTTP traffic that matched security profile signatures when the traffic was chunked and had a small chunk size.
PAN-OS 8.0.3 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS 8.0.3 release. For new features, associated software versions, known issues, and changes in default behavior in PAN-OS 8.0 releases, see PAN-OS 8.0 Release Information.
Issue ID Description
WF500-4291 Fixed an issue where the WF-500 appliance returned false positives for known, benign Portable Executable (PE) files.
PAN-78448 Fixed an issue where the firewall dropped some logs that it was configured to forward to syslog servers.
PAN-77849 Fixed an issue where the Captive Portal web form did not display to end users after you pushed device group configurations from a Panorama management server running Panorama 8.0 to a firewall running PAN-OS 7.1.
PAN-77802 Fixed an issue where every commit cleared tunnel flow sessions such as GRE and IPSec ESP/AH sessions.
PAN-77595 Fixed an issue where PA-7000 Series and PA-5200 Series firewalls forwarded a SIP INVITE based on route lookup instead of Policy-Based Forwarding (PBF) policy.
PAN-77520 Fixed an issue on PA-7000 Series firewalls with AMC hard drives, model ST1000NX0423, where the firewalls rebuilt Disk Pair B in the LPC card after a reboot.
PAN-77516 A security-related fix was made to address a Remote Code Execution (RCE) vulnerability when the PAN-OS DNS Proxy service resolved FQDNs (CVE-2017-8390).
PAN-77400 Fixed an issue on a firewall running PAN-OS 8.0.1 or 8.0.2 where you could not log in to the web interface after performing a private data reset.
PAN-77339 SafeNet Client 6.2.2 did not support the necessary MAC algorithm (HMAC-SHA1) to work with Palo Alto Networks firewalls running in FIPS-CC mode.
PAN-77250 Fixed an issue where the firewall lost offloaded sessions on a subinterface that belonged to an aggregate interface group and that had QoS enabled.
PAN-77173 A security-related fix was made to prevent remote code execution within the Linux kernel that the firewall management plane uses (CVE-2016-10229).
PAN-77127 Fixed an issue where the firewall reduced the range of local and remote IKEv2 traffic selectors in a way that disrupted traffic in a VPN tunnel that a Cisco Adaptive Security Appliance (ASA) initiated.
PAN-77033 Fixed an issue where using a Panorama management server running PAN-OS 8.0 to generate a report that queried an unsupported log field from a PA-7050 firewall running PAN-OS 7.1 slowed the performance of Panorama because the mgmtsrvr process stopped responding.
PAN-76964 Fixed an issue where interfaces went down due to packet buffers being overwhelmed after the firewall tried to close the connection to a rogue client that ignored the URL Filtering block page.
PAN-76890 Fixed an issue where traffic that included a ZIP file caused the all_task process to restart and the firewall dropped packets while waiting for that process to resume.
PAN-76746 Fixed an issue on the PA-7080 firewall where authentication traffic from a wireless controller to a RADIUS server failed due to buffer depletion on the firewall.
PAN-76651 Fixed an issue where VM-Series firewalls dropped multicast traffic if you enabled Data Plane Development Kit (DPDK) on VMXNET3 interfaces.
PAN-76650 Fixed an issue where renaming a shared object on Panorama that Panorama has pushed to firewalls caused a commit failure if the firewalls referenced that object in local policies.
PAN-76565 Fixed an issue where dynamic content updates failed on the firewall when DNS response times were slow.
PAN-76454 Fixed an issue on PA-7000 Series and PA-5200 Series firewalls where Generic Routing Encapsulation (GRE) session creation failed when the firewalls received GRE packets with a Point-to-Point Protocol (PPP) payload.
PAN-76330 Fixed an issue where the pan_task process stopped, which caused a loss of service and interruption to OSPF.
PAN-76271 Fixed an issue where you could not access the Panorama web interface or CLI because the configd process stopped after a Preview Changes operation (Commit > Commit to Panorama).
PAN-76270 Fixed an issue where operations that required heavy memory usage on Log Collectors (such as ingesting logs at a high rate) caused some other processes to restart. With this fix, you can free up memory for processes other than logging and reporting by running the new debug logdb show-heap-size [4-32] CLI command and setting the memory heap to a lower size than the default 8GB.
PAN-76162 Fixed an issue where Panorama 8.0 did not display logs from PA-7000 Series firewalls running PAN-OS 7.0 or PAN-OS 7.1.
PAN-76158 Fixed an issue where the firewall allowed Psiphon application sessions to continue without applying policy rules to them after the firewall ran out of resources (such as while processing heavy traffic). With this fix, the firewall drops Psiphon sessions after running out of resources.
PAN-76153 Fixed an issue where PA-5000 Series firewalls dropped traffic because predict sessions incorrectly matched Policy-Based Forwarding (PBF) policy rules for non-related sessions.
PAN-76144 Fixed an issue where throughput was reduced on PA-5000 Series firewalls that used a single UDP session on one dataplane to process high rates of tunneled traffic. With this fix, you can use the set session filter-ip-proc-cpu CLI command to use multiple dataplanes to process traffic for up to 32 destination server IP addresses. This setting persists after reboots and upgrades.
PAN-76032 Fixed an issue where the firewall web interface displayed a misspelling in the tooltip that opened when you hovered over Commit when no configuration changes were pending.
PAN-75977 Fixed an issue where users failed to authenticate through a Ucopia LDAP server.
PAN-75617 Fixed an issue where the firewall performed the default signature action for threat vulnerability exceptions instead of performing the Action you set in the Vulnerability Protection profile (Objects > Security Profiles > Vulnerability Protection > Exceptions).
PAN-75580 Fixed an issue where a PAN-OS XML API query to fetch all dynamic address groups failed with an Opening and ending tag mismatch error due to a command buffer limitation.
PAN-75512 Fixed an issue where the firewall failed to decrypt VPN traffic for packets of certain sizes if you set the Encryption algorithm to aes-256-gcm in the IPSec Crypto profile used for the VPN tunnel (Network > Network Profiles > IPSec Crypto).
PAN-75413 Fixed an issue where DHCP servers did not assign IP addresses to new end users (DHCP clients) because the firewall failed to process and relay DHCP messages between the servers and clients after you configured a firewall interface as a DHCP relay agent.
PAN-75372 Fixed an issue where Panorama dropped all administrative users because the management server process restarted.
PAN-75337 Fixed an issue where CPU usage spiked on the firewall during Diffie-Hellman (DHE) or elliptical curve Diffie-Hellman (ECDHE) key exchange for SSL decryption. With this fix, the firewall has enhanced performance for DHE and ECDHE key exchange.
PAN-75304 Fixed an issue where the firewall populated default values for IPSec Crypto profiles that did not have an IPSec Protocol (ESP or AH) defined (Network > Network Profiles > IPSec Crypto); the default values caused an IKE configuration parsing error that prevented IPSec VPN tunnels from coming up.
PAN-75215 Fixed an issue where the active firewall in an HA deployment kept sessions active for an hour instead of discarding them after 90 seconds when the sessions matched the URL category in a policy rule that was set to deny.
PAN-75158 Fixed an issue with network outages on firewalls in a virtual wire HA configuration with HA Preemptive failback enabled (Device > High Availability > General > Election Settings) due to Layer 2 looping after failover events while the firewalls processed broadcast traffic.
PAN-75118 Fixed an issue where commits failed after you added an IPv6 peer group to a virtual router that had Border Gateway Protocol (BGP) enabled (Network > Virtual Routers > BGP > Peer Group) and that had import, export and aggregate rules configured.
PAN-75029 Fixed an issue where the PA-5060 firewall randomly dropped packets and displayed the reason in Traffic logs as resources unavailable.
PAN-74938 Fixed an issue on PA-3000 Series firewalls where SSL sessions failed due to memory depletion in the proxy memory pool; Traffic logs displayed the reason decrypt-error.
PAN-74865 Fixed an issue where Panorama could not push address objects to managed firewalls when zones specified the objects in the User Identification ACL include or exclude lists (Network > Zones) and you configured Panorama to not Share Unused Address and Service Objects with Devices (Panorama > Setup > Management > Panorama Settings).
PAN-74639 Fixed an issue where the root partition on the firewall was low on disk space (requiring you to run the debug dataplane packet-diag clear log log CLI command to free disk space) because the pan_task process generated logs for H.225 sessions.
PAN-74601 Fixed an issue on Panorama where Device Group and Template administrators who had access domains assigned to their accounts could not edit shared security profiles (Objects > Security Profiles) after committing those profiles.
PAN-74440 Fixed an issue where the firewall generated System logs indicating the l3svc process stopped repeatedly because the cryptod daemon deleted a certificate key associated with an SSL/TLS Service Profile that was used for the URL Admin Override feature (Device > Setup > Content ID) or for Captive Portal (Device > User Identification > Captive Portal Settings).
PAN-74243 Fixed an issue where, after you used a Panorama template to push DNS server IP addresses (Device > Setup > Services) to a bootstrapped VM-Series firewall, the firewall failed to resolve FQDNs.
PAN-73919 Fixed an issue where you could not use the web interface or CLI to configure a multicast IP address as the Source or Destination in packet filters (Monitor > Packet Capture).
PAN-73916 Fixed an issue where, after you logged in to the firewall with an administrator account that does not have a superuser role and you then tried to Disable an application (Objects > Applications > <application-name>), the firewall displayed an error message that did not indicate the need for superuser privileges.
PAN-73631 Fixed an issue where end user clients failed on their first attempt to authenticate when you configured Captive Portal for certificate-based authentication and the client certificates exceeded 2,000 bytes.
PAN-73556 Fixed an issue where the firewall did not delete multicast forwarding information base (FIB) entries for multicast groups that stopped receiving traffic.
PAN-73484 Fixed an issue where the firewall server process (devsrvr) restarted during URL updates.
PAN-73281 Fixed an issue where the firewall dropped multicast traffic on an egress VLAN interface when the traffic was offloaded.
PAN-73254 Fixed an issue where, after you installed the VMware NSX plugin on Panorama in a high availability (HA) configuration, Panorama did not automatically synchronize configuration changes between the HA peers unless you first updated settings related to the NSX plugin.
PAN-73184 Fixed an issue where successive HTTP GET requests in a single session failed if you configured SSL Decryption with the Strip X-Forwarded-For option enabled (Device > Setup > Content-ID).
PAN-72863 Fixed an issue where the User-ID agent (PAN-OS integrated or Windows-based) stopped responding because the firewall sent numerous queries.
PAN-72753 Fixed an issue where you could not configure the 0.0.0.0/1 subnet as a Proxy ID for IPSec VPN tunnels.
PAN-72433 Fixed an issue where the PA-7050 firewall displayed incorrect information for the packet counts and number of bytes associated with traffic on subinterfaces. With this fix, the firewall displays the correct information in the show interface CLI command output and in other sources of information for subinterfaces (such as SNMP statistics and NetFlow record exports).
PAN-71922 Fixed an issue where the firewall did not generate Threat logs for classified DOS protection profiles that had an Action set to SYN Cookies (Objects > Security Profiles > DoS Protection > Flood Protection > SYN Flood).
PAN-71133 Fixed an issue where the dataplane rebooted after multiple dataplane processes restarted due to memory corruption.
PAN-69449 Fixed an issue where, after a clock change on the firewall (such as for Daylight Savings Time), the ACC did not display information for time periods before the change.
PAN-68808 Fixed an issue on the PA-7050 firewall where the mprelay process experienced a memory leak and stopped responding, which caused slot failures and HA failover.
PAN-68580 Fixed an issue where HA VM-Series firewalls displayed the wrong link state after a link-monitoring failure.
PAN-66076 Fixed an issue where the GlobalProtect portal prompted end users to enter a one-time password (OTP) even after the users entered the OTP for the GlobalProtect gateway and Authentication Override is enabled (Network > GlobalProtect > Portals > <portal-configuration> Agent <agent-configuration> Authentication).
PAN-64639 Fixed an issue where HA firewalls failed to synchronize the PAN-DB URL database.
PAN-62159 Fixed an issue where the firewall did not generate WildFire Submission logs when the number of cached logs exceeded storage resources on the firewall.
PAN-59372 Fixed an issue where neither Panorama nor the firewall generated a System log indicating a password change after you used a Panorama template to push an administrator password change to the firewall.
PAN-56287 Fixed an issue where the firewall discarded VoIP sessions that had multicast destinations.
PAN-46374 Fixed an issue on PA-7000 Series firewalls where you had to power cycle the Switch Management Card (SMC) when it failed to come up after a soft reboot (such as after upgrading the PAN-OS software).
PAN-OS 8.0.2 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS 8.0.2 release. For new features, associated software versions, known issues, and changes in default behavior in PAN-OS 8.0 releases, see PAN-OS 8.0 Release Information.
Issue ID Description
WF500-4218 Fixed an issue where, as part of and after upgrading a WildFire appliance to a PAN-OS 8.0 release, using the request cluster reboot-local-node CLI command to reboot a cluster node intermittently caused the node to go offline or fail to reboot.
WF500-4186 Fixed an issue in a three-node WildFire appliance cluster where, if you decommissioned the backup controller node or the worker node (request cluster decommission start) and then deleted the cluster-related configuration (high availability and cluster membership) from the decommissioned node, the cluster intermittently stopped functioning. Running the show cluster membership CLI command on the primary controller node showed the message: Service Summary: Cluster:offline, HA:peer-offline. In this state, the cluster did not function and did not accept new samples for processing.
WF500-4176 Fixed an issue where, after you removed a node from a cluster that stored sample information on the node, the node serial number appeared in the list of storage nodes when you displayed the sample status (show wildfire global sample-status sha256 equal <value>) even though the node no longer belonged to the cluster.
WF500-4173 Fixed an issue where integrated reports were not available for firewalls connected to a WF-500 appliance running in FIPS mode.
PAN-81061 Fixed an issue where PA-3000 Series firewalls dropped long-lived sessions that were active during a content update followed immediately by an Antivirus or WildFire update.
PAN-76517 Fixed an issue where Panorama did not automatically push the updated IP addresses of dynamic address groups from device groups to VM-Series firewalls for NSX.
PAN-76447 Fixed an issue where Panorama running PAN-OS 8.0 did not push aggregate BGP configurations in a template to firewalls running PAN-OS 7.1 or an earlier release.
PAN-76402 Fixed an issue where the firewall generated System logs of critical severity with the message Could not connect to Cloud : SSL/TLS Authentication Failed even though the firewall had no connection failures.
PAN-76265 Fixed an issue where the firewall failed to retrieve user groups from an LDAP server because the server response did not have a page control value.
PAN-76258 Fixed an issue on PA-7000 Series and PA-5200 Series firewalls where users could not access applications and services through GlobalProtect when session distribution was set to round-robin (default).
PAN-76244 Fixed an issue where firewalls were missing a GlobalProtect satellite configuration pushed from a Panorama template.
PAN-76105 Fixed an issue where you had to configure a license deactivation API key to manually deactivate licenses for VM-Series firewalls.
PAN-76104 Fixed an issue where the firewall stopped receiving IP port-to-username mappings from a Terminal Services (TS) agent if you set its Host field to an FQDN instead of an IP address.
PAN-76069 Fixed an issue where the firewall could not decrypt SSL connections due to a cache issue, which prevented users from accessing SSL websites.
PAN-76054 Fixed an issue where you could not delete a tunnel interface from a Panorama template (Network > Interfaces > Tunnel).
PAN-76051 Fixed an issue where you could not push a Management (MGT) interface configuration from a Panorama template (Device > Setup > Interfaces) to firewalls unless you specified an IP Address for the interface.
PAN-76030 Fixed an issue on VM-Series firewalls where the dataplane restarted if jumbo frames were enabled on single root input/output virtualization (SR-IOV) interfaces.
PAN-75969 Fixed an issue where the routed process stopped responding after you checked the static route monitoring status through the web interface (Network > Virtual Routers > Routing > Static Route Monitoring) or CLI (show routing path-monitor).
PAN-75960 Fixed an issue where storing the master key on an HSM caused the firewall to enter maintenance mode after a reboot (which required a factory reset).
PAN-75914 Fixed an issue where the M-100 or M-500 appliance lost logs after upgrading from a PAN-OS 7.1 release to a PAN-OS 8.0 release.
PAN-75896 Fixed an issue where the firewall did not accept local IPv6 addresses that were longer than 31 characters when you configured IPv6 BGP peering.
PAN-75881 Fixed an issue where a regression introduced in PAN-OS 8.0.0 and 8.0.1 caused the firewall dataplane to restart in certain cases when combined with content updates. For details, including the relevance of content release version 709, refer to the associated Customer Advisory.
PAN-75863 Fixed an issue on HA Panorama M-100 appliances where the passive peer did not update the local VMware NSX manager plugin after you upgraded from a PAN-OS 7.1 release to a PAN-OS 8.0 release, which caused a plugin mismatch with the active peer.
PAN-75684 Fixed an issue where a management server memory leak caused several tasks to fail, including commits, PAN-DB URL downloads, dynamic updates, and FQDN or External Dynamic List (EDL) refreshes.
PAN-75397 Fixed an issue where the Panorama management server restarted because the configd process stopped running after an upgrade.
PAN-75132 Fixed an issue where locally created certificates had duplicate serial numbers because the firewall did not check the serial numbers of existing certificates signed by the same CA when generating new certificates.
PAN-75048 Fixed an issue where the firewall used the default route (instead of the next best available route) when the eBGP next hop was unavailable, which resulted in dropped packets. Additionally with this fix, the default time-to-live (TTL) value for a single-hop eBGP peer is changed to 1 (instead of 2).
PAN-74877 Fixed an issue where Panorama took a long time to push configurations from multiple device groups to firewalls.
PAN-74655 Fixed an issue where users experienced slow network connectivity due to CPU utilization spikes in the firewall network processing cards (NPCs) when the URL cache exceeded one million entries.
PAN-74640 Fixed an issue where VM-Series firewalls failed to create predict sessions for RTP and RTCP, which disrupted H.323-based video conferencing traffic. Additionally, fixed an issue where all firewall models dropped RTP packets because policy matching failed for RTP traffic.
PAN-74575 Fixed an issue where the firewall did not release IP addresses assigned to interfaces after you changed the addressing Type from DHCP Client to Static.
PAN-74548 Fixed an issue where the Export Named Configuration dialog did not let you filter configuration snapshots by Name, which prevented you from selecting snapshots beyond the first 500. With this fix, you can now enter a filter string in the Name field to display any matching snapshots.
PAN-74403 Fixed an issue on Panorama where the web interface became unresponsive after you selected Export to CSV for a custom report, which forced you to log in to the CLI and reboot Panorama or restart the management server.
PAN-74368 Fixed an issue where commits failed due to configuration memory limits on firewalls that had numerous Security policy rules that referenced many address objects. With this fix, the number of address objects that a policy rule references does not impact configuration memory.
PAN-74236 Fixed an issue where the User-ID process (useridd) stopped responding when there were a lot of non-browser-based requests from clients, which resulted in too many pan_errors disk writes.
PAN-74188 Fixed an issue where conflicting next-hop entries in the egress routing table caused the firewall to incorrectly route traffic that matched Policy-Based Forwarding (PBF) policy rules configured to Enforce Symmetric Return.
PAN-74161 Fixed an issue on firewalls configured in a virtual wire deployment where Spanning Tree Protocol (STP) bridge protocol data unit (BPDU) packets were dropped.
PAN-74128 Fixed an issue where a session caused the dataplane to restart if the session was active during and after you installed a content update on the firewall and the update contained a decoder change.
PAN-73995 Fixed an issue where firewall management interfaces that were configured through DHCP released or renewed every time you pushed configurations from Panorama instead of releasing or renewing when the DHCP leases expired.
PAN-73993 Fixed an issue where App-ID signature matching did not work on the firewall, which caused it to misidentify applications.
PAN-73914 A security-related fix was made to address OpenSSL vulnerabilities (CVE-2017-3731).
PAN-73859 Fixed an issue where the VM-Series firewall on Azure supported only five interfaces (one management interface and four dataplane interfaces) instead of eight (one management interface and seven dataplane interfaces).
PAN-73783 Fixed an issue where cookie-based authentication for the GlobalProtect gateway failed with the following error: Invalid user name.
PAN-73710 Fixed an issue where the firewall did not commit changes to the NTP servers configuration (Device > Setup > Services) when the firewall connected to the servers through a service route and the management (MGT) interface was down.
PAN-73553 Fixed an issue where SSL Inbound Decryption failed when the private key was stored on a hardware security module (HSM).
PAN-73502 Fixed an issue where the firewall did not purge expired IP address-to-username mappings, which caused one of the root partitions to run out of free space.
PAN-73381 Fixed an issue on firewalls with multiple virtual systems where end users could not authenticate to a GlobalProtect portal or gateway that specified an authentication profile for which the Allow List referenced user groups instead of usernames.
PAN-73191 Fixed an issue where OSPF adjacency flapping occurred between the firewall and an OSPF peer due to a heavy processing load on the dataplane and queued OSPF hello packets.
PAN-73045 Fixed an issue where HA failover and failback events terminated sessions that started before the failover.
PAN-72769 A security-related fix was made to prevent brute-force attacks on the GlobalProtect external interface (CVE-2017-7945).
PAN-72697 Fixed an issue where, after a DoS attack ended, the firewall continued generating Threat logs and incrementing the session drop counter.
PAN-72350 Fixed an issue where high-volume SSL traffic intermittently added latency to SSL sessions.
PAN-72149 Fixed an issue where URL values did not display for the top websites in URL Filtering reports (Monitor > PDF Reports > Manage PDF Summary).
PAN-71627 Fixed an issue where the firewall failed to authenticate to a SafeNet hardware security module (HSM). With this fix, the firewall supports multiple SafeNet HSM client versions; you can use the request hsm client-version CLI command to select the version that is compatible with your SafeNet HSM server.
PAN-71612 Fixed an issue where the logs that the firewall forwarded to a syslog server had syslog header timestamps that did not match the times when the firewall generated the logs.
PAN-71484 Fixed an issue where the firewall discarded long-lived SIP sessions after a content update, which disrupted SIP traffic.
PAN-71455 Fixed an issue where users could not access a secure website if the certificate authority that signed the web server certificate also signed multiple certificates with the same subject name in the Default Trusted Certificate Authorities list on the firewall.
PAN-71319 Updated PAN-OS to address NTP issues (CVE-2016-7433).
PAN-70731 Fixed an issue where the firewall failed to authenticate to a SafeNet hardware security module (HSM) if the Administrator Password (under Device > Setup > HSM) contained special characters.
PAN-70353 Fixed an issue where Clientless VPN did not work if its host was a GlobalProtect portal that you configured on an interface with DHCP Client enabled.
PAN-70345 Fixed an issue where the M-Series appliances did not forward logs to a syslog server over TCP ports.
PAN-69882 Fixed an issue where firewalls that had multiple virtual systems and that were deployed in an HA active/active configuration dropped TCP sessions.
PAN-69874 Fixed an issue where, when the PAN-OS XML API sent IP address-to-username mappings with no timeout value to a firewall that had the Enable User Identification Timeout option disabled, the firewall assigned the mappings a timeout of 60 minutes instead of never.
PAN-68763 Fixed an issue where path monitoring failures did not produce enough information for troubleshooting. With this fix, PAN-OS supports additional debug commands and the tech support file (click Generate Tech Support File under Device > Support) includes additional registry values to troubleshoot path monitoring failures.
PAN-67412 Fixed an issue on firewalls in an HA configuration where, when an end user accessed applications over a GlobalProtect clientless VPN, the web browser became unresponsive for about 30 seconds after a failover.
PAN-67029 Fixed an issue where the firewall stopped forwarding logs to external services (such as a syslog server) after the firewall management server restarted unexpectedly.
PAN-66997 Fixed an issue on PA-7000 Series, PA-5200 Series, and PA-5000 Series firewalls where end users who accessed applications over SSL VPN or IPSec tunnels through GlobalProtect experienced one-directional traffic.
PAN-65969 Fixed an issue on PA-7000 Series firewalls where the Switch Management Card (SMC) restarted due to false positive conditions (ATA errors) detected during a disk check.
PAN-63205 Fixed an issue on VM-Series firewalls where commit operations failed after you configured HA with the HA2 and HA3 interfaces.
PAN-62791 Fixed an issue where the firewall could not use the certificates in its certificate store (Device > Certificate Management > Certificates > Device Certificates) after a manual or automatic commit, which caused certificate authentication to fail.
PAN-62074 Fixed an issue where the User-ID agent incorrectly read the IP address in the security logs for Kerberos login events.
PAN-61409 Fixed an issue where the firewall failed to connect to an HTTP server using the HTTPS protocol when the CA certificate that validated the firewall certificate was in a specific virtual system instead of the Shared location.
PAN-60555 Fixed an issue on VM-Series firewalls for NSX where the web interface let users specify a Tag Allowed value for virtual wire interfaces (Network > Virtual Wires), which caused a commit error because the option is not configurable on that firewall model. With this fix, the Tag Allowed value has a read-only value of 0-4094 on VM-Series firewalls for NSX.
PAN-55619 Fixed an issue where new users that you added to an Active Directory (AD) user group intermittently failed to authenticate to the GlobalProtect portal.
PAN-48901 Fixed an issue on HA firewalls where, if you enabled application-level gateway (ALG) for the Unistim application, VoIP calls that used the UNIStim protocol had only one-way audio after an HA failover event.
FPGA-343 Fixed an issue on PA-7000 Series firewalls in a Layer 2 deployment where multicast sessions (such as HSRP) failed because PAN-OS did not reassign the sessions to an alternative Network Processing Card (NPC) if the original NPC was shut down.
PAN-OS 8.0.1 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS 8.0.1 release. For new features, associated software versions, known issues, and changes in default behavior in PAN-OS 8.0 releases, see PAN-OS 8.0 Release Information.
Issue ID Description
PAN-74932 Fixed an issue where the direction (dir) parameter used in type=log XML API requests was incorrectly made a required parameter, which caused applications that use the type=log request to fail when the dir argument was not included in the request. With this fix, the direction parameter is again optional.
PAN-74829 Fixed an issue where Authentication policy incorrectly matched traffic coming from known users, those included in the Terminal Services (TS) agent user mapping, and displayed the captive portal page. With this fix, only unknown users are directed to the captive portal page.
PAN-74367 Fixed an issue where some platforms did not connect to BrightCloud after you upgraded to PAN-OS 8.0.
PAN-74264 Fixed an issue where new fields in Threat and HIP Match logs were inserted between existing fields, which disrupted some third-party integrations. With this fix, the new fields are appended at the end of all pre-existing fields.
PAN-73977 Fixed an issue where firewalls and Panorama did not forward logs as expected when the local machine time was not set to current local time and was set to a time between current UTC time and current UTC time plus <n>, where <n> is the UTC+<n> value for the current time zone.
PAN-73964 Fixed an issue where you could not upgrade VM-Series firewalls on AWS in an HA configuration to PAN-OS 8.0. With this fix, you can upgrade VM-Series firewalls on AWS in an HA configuration to PAN-OS 8.0.1 or a later PAN-OS 8.0 release.
PAN-73877 Fixed an issue where you were unable to generate a SAML metadata file for Captive Portal or GlobalProtect when the firewall had multiple virtual systems because there were no virtual systems available for you to select when you clicked the Metadata link associated with an authentication profile.
PAN-73579 Fixed an issue where, after you upgraded a firewall to PAN-OS 8.0, the firewall didn't apply updates to the predefined Palo Alto Networks malicious IP address feeds (delivered through the daily antivirus content updates) until after you performed a commit on the firewall. With this fix, changes to the predefined malicious IP address feeds are automatically applied when delivered to the firewall.
PAN-73545 Fixed an issue on VM-300, VM-500, and VM-700 firewalls where you were required to commit changes a second time after adding an interface before traffic would pass normally.
PAN-73360 Fixed an issue where the passive Panorama peer in an HA configuration showed shared policy to be out of sync even when the device group commit from the active peer was successful.
PAN-73291 Fixed an issue where authentication failed for client certificates signed by a CA certificate that was not listed first in the Certificate Profile configured with client certificate authentication for GlobalProtect portals and gateways.
PAN-73207 Fixed an issue where you could not push notifications as an authentication factor if the firewall was integrated with Okta Adaptive as the multi-factor authentication (MFA) vendor.
PAN-73006 Fixed an issue where the App Scope Change Monitor and Network Monitor reports failed to display data if you filtered by Source or Destination IP addresses when logging rates were high. This fix also addresses an issue where the App Scope Summary report failed to display data for the Top 5 Bandwidth Consuming Sources and Top 5 Threats when logging rates were high.
PAN-72952 Improved file-type identification for Office Open XML (OOXML) files, which improves the ability for WildFire to accurately classify OOXML files as benign or malicious.
PAN-72849 Fixed an issue in Panorama HA active/passive configurations where Elasticsearch parameters were not pushed to the passive peer.
PAN-72843 Fixed an issue where commits failed for configurations that enabled clientless VPN on multiple GlobalProtect portals using different DNS proxies.
PAN-72726 Fixed an issue where the firewall was unable to mark BFD packets with appropriate DSCP values.
PAN-72667 Fixed an issue where the firewall web interface displayed incorrect values for the log storage quota settings.
PAN-72402 Fixed an issue where the firewall advertised only the aggregate address and did not advertise the specific routes covered by the Advertise Filter when you configured a BGP IPv6 aggregate address with an Advertise Filter that consisted of both a prefix filter and a next-hop filter.
PAN-72246 Fixed an issue where the firewall generated an ECDSA certificate signing request (CSR) using the SHA-1 algorithm instead of the selected algorithm.
PAN-71829 Fixed an issue on PA-5000 Series firewalls where the dataplane restarted due to specific changes related to certificates or SSL profiles in a GlobalProtect configuration; specifically, configuring a new gateway, changing a certificate linked to GlobalProtect, or changing the minimum or maximum version of the TLS profile linked to GlobalProtect.
PAN-71556 Fixed an issue where MAC address table entries with a time-to-live (TTL) value of 0 were not removed as expected, which caused the table to continually increase in size.
PAN-71530 Fixed an issue where LDAP authentication failed intermittently due to a race condition.
PAN-71334 Fixed an issue with delays of up to 10 seconds before the firewall transmitted the audio/video stream when you set up a VoIP call on a PA-5200 Series firewall using the Session Initiation Protocol (SIP).
PAN-71312 Fixed an issue where custom reports did not display results for queries that specified the Negate option, Contains operator, and a Value that included a period (.) character preceding a filename extension.
PAN-71271 Fixed an issue where new logs were lost if the log purging process started running before you started log migration after an upgrade to PAN-OS 8.0.
PAN-70366 Fixed an issue where SMTP email servers did not receive PDF reports from the firewall because the report emails had line separators that used bare LF instead of CRLF.
PAN-70323 Fixed an issue where firewalls running in FIPS-CC mode did not allow import of SHA-1 CA certificates even when the private key was not included; instead, firewalls displayed the following error: Import of <cert name> failed. Unsupported digest or keys used in FIPS-CC mode.
PAN-69622 Fixed an issue where the firewall did not properly close a session after receiving a reset (RST) message from the server if the SYN Cookies action was triggered.
PAN-69585 Fixed an issue where the URL link included in the email for a SaaS Application Usage report (so that you could retrieve the report from the firewall web interface) triggered third-party spam filters deployed in your network.
PAN-69340 Fixed an issue where PAN-OS did not apply the capacity license when you used a license authorization code (capacity license or a bundle) to bootstrap a VM-Series firewall because the firewall did not reboot after the license was applied.
PAN-68795 Fixed an issue where the SaaS Application Usage report displayed upload and download bandwidth usage numbers incorrectly in the Data Transfer by Application section.
PAN-68185 Fixed an issue where the 7.1 SNMP traps MIB (PAN-TRAPS.my) had an incorrect description for the panHostname attribute.
PAN-67629 Fixed an issue where existing users were removed from user-group mapping when the Active Directory (AD) did not return an LDAP Page Control in response to an LDAP refresh, which resulted in the following User-ID (useridd) logs:
debug: pan_ldap_search(pan_ldap.c:602): ldap_parse_result error code: 4
Error: pan_ldap_search(pan_ldap.c:637): Page Control NOT found
PAN-66122 Fixed an issue where tunnel content inspection was not supported in a virtual system-to-virtual system topology.
PAN-64725 Fixed an issue where Panorama did not maintain its connections to firewalls if it received logs at a high rate and the logs matched queries and other settings in scheduled reports.
PAN-64164 Fixed an issue on Panorama virtual appliances in an HA configuration where, if you enabled log forwarding to syslog, both the active and passive peers sent logs. With this fix, only the active peer sends logs when you enable log forwarding to syslog.
PAN-63274 Fixed an issue on firewalls with multiple virtual systems where inner flow sessions installed on dataplane 1 (DP1) failed if you configured tunnel content inspection for traffic in a shared gateway topology. Additionally with this fix, when networking devices behind the shared gateway initiate traffic, that traffic can now reach the networking devices behind the virtual systems.
PAN-60101 Fixed an issue on the M-500 and M-100 appliances in Panorama mode where emailed
custom reports contained no data if you configured a report query that used an Operator
set to contains (Monitor > Manage Custom Reports).
PAN-58979 Fixed an issue where the dataplane restarted due to a memory leak in a process (mprelay)
that occurred if you did not disable LLDP when you disabled an interface with LLDP
enabled (Network > Interfaces > <interface> > Advanced > LLDP).
PAN-57553 Fixed an issue where a QoS profile failed to work as expected when applied to a clear text
node configured with an Aggregate Ethernet (AE) source interface that included AE
subinterfaces.
PAN-57142 Fixed an issue on PA-7000 Series firewalls in an HA active/passive configuration where
QoS limits were not correctly enforced on Aggregate Ethernet (AE) subinterfaces.
PAN-OS 8.0.0 Addressed Issues
The following tables list the issues that are addressed in the PAN-OS 8.0.0 release. For new features,
associated software versions, known issues, and changes in default behavior in PAN-OS 8.0 releases, see
PAN-OS 8.0 Release Information.
Issue ID Description
PAN-76702 Fixed an issue where several dataplane processes stopped responding when the firewall
processed VPN traffic with IP packet chains, which were usually triggered by IP
fragmentation or SSL decryption operations.
PAN-72346 Fixed an issue where exporting botnet reports failed with the following error: Missing
report job id.
PAN-72242 Fixed an issue where configuring a source address exclusion in the Reconnaissance Protection
tab under the zone protection profile was not allowed.
PAN-71892 Fixed an issue where an LDAP profile did not use the configured port; the profile used the
default port, instead.
PAN-71615 Fixed an issue where the intrazone block rule shadowed the universal rule that has
different source and destination zones.
PAN-71400 Fixed an issue where the DNS Proxy feature did not work because the associated process
(dnsproxy) stopped running on a firewall that had an address object (Objects > Address)
with the same FQDN as one of the Static Entries in a DNS proxy configuration (Network
> DNS Proxy).
PAN-71384 Fixed an issue with the passive firewall in a high availability (HA) configuration that had
LACP pre-negotiation enabled where the firewall stopped correctly processing LACP
BPDU packets through an interface that had previously physically flapped.
PAN-71311 Fixed an issue where, if you configured a User-ID agent with an FQDN instead of an IP
address (Device > User Identification > User-ID Agents), the firewall generated a System
log with the wrong severity level (informational instead of high) after losing the
connection to the User-ID agent.
PAN-71192 Fixed an issue where performing a log query or log export with a specific number of logs
caused the management server to stop responding. This occurred only when the number
of logs was a multiple of 64 plus 63. For example, 128 is a multiple of 64 and if you add 63
to 128 that equals 191 logs. In this case, if you performed a log query or export and there
were 191 logs, the management server stopped responding.
PAN-70541 A security-related fix was made to address an information disclosure issue that was caused
by a firewall that did not properly validate certain permissions when administrators
accessed the web interface over the management (MGT) interface (CVE-2017-7644).
PAN-70483 Fixed an issue on an M-Series appliance in Panorama mode where shared service groups
did not populate in the service pull-down when attempting to add a new item to a security
policy. The issue occurred when the drop-down contained 5,000 or more entries.
PAN-70428 A security-related fix was made to prevent inappropriate information disclosure to
authenticated users (CVE-2017-5583).
PAN-70323 Fixed an issue where firewalls running in FIPS-CC mode did not allow import of SHA1 CA
certificates even when the private key was not included; instead, firewalls displayed the
following error: Import of <cert name> failed. Unsupported digest or keys used
in FIPS-CC mode.
PAN-70057 Fixed an issue where running the validate option on a candidate configuration in Panorama
caused changes to the running configuration on the managed device. The configuration
change occurred after a subsequent FQDN refresh occurred.
PAN-69951 Fixed an issue where the firewall failed to forward system logs to Panorama when the
dataplane was under severe load.
PAN-69235 Fixed an issue where committing a configuration with several thousand Layer 3
subinterfaces caused the dataplane to stop responding.
PAN-69194 Fixed an issue where performing a device group commit from a Panorama server running
version 7.1 to managed firewalls running PAN-OS 6.1 failed to commit when the custom
spyware profile action was set to Drop. With this fix, Panorama translates the action from
Drop to Drop packets for firewalls running PAN-OS 6.1, which allows the device group
commit to succeed.
PAN-68873 Fixed an issue where customizing the block duration for threat ID 40015 in a Vulnerability
Protection profile did not adhere to the defined block interval. For example, if you set
Number of Hits (SSH hello messages) to 3 and per seconds to 60, after three consecutive
SSH hello messages from the client, the firewall failed to block the client for the full 60
seconds.
PAN-68823 Fixed an issue where custom threat reports failed to generate data when you specified
Threat Category for either the Group By or Selected Column setting.
PAN-68766 Fixed an issue where navigating to the IPSec tunnel configuration in a Panorama template
caused the Panorama management web interface to stop responding and displayed a 502
Bad Gateway error.
PAN-68658 Fixed an issue where handling out-of-order TCP FIN packets resulted in dropped packets
due to TCP reassembly that was out of sync.
PAN-68654 Fixed an issue where the firewall did not populate User-ID mappings based on the defined
Syslog Parse profiles (Device > User Identification > User Mapping > Palo Alto Networks
User-ID Agent Setup > Syslog Filters).
PAN-68074 A security-related fix was made to address CVE-2016-5195.
PAN-67987 Fixed an issue where the GlobalProtect agent failed to connect using a client certificate if
the intermediate CA is signed using the ECDSA hash algorithm.
PAN-67944 Fixed an issue where a process (all_pktproc) stopped responding because a race condition
occurred when closing sessions.
PAN-67599 In PAN-OS 7.0 and 7.1 releases, a restriction was added to prevent an administrator from
configuring OSPF router ID 0.0.0.0. This restriction is removed in PAN-OS 8.0.
PAN-67224 Fixed an issue where the firewall displayed a validation error after Panorama imported the
firewall configuration and then pushed the configuration back to the firewall so it could be
managed by Panorama. This issue occurred because log forwarding profiles were not
replaced with the profiles configured in Panorama. With this fix, Panorama will properly
remove the existing configuration on the managed firewall before applying the pushed
configuration.
PAN-67090 Fixed an issue where the web interface displayed an obsolete flag for the nation of
Myanmar.
PAN-67079 Fixed an issue in PAN-OS 7.1.6 where SSL sessions were discarded if the server certificate
chain size exceeded 23KB.
PAN-66873 Fixed an issue where PAN-OS deleted critical content files when the management plane
ran out of memory, which caused commit failures until you updated or reinstalled the
content.
PAN-66838 A security-related fix was made to address a Cross-Site Scripting (XSS) vulnerability on the
management web interface (CVE-2017-5584).
PAN-66675 Fixed an issue where extended packet captures were consuming an excessive amount of
storage space in /opt/panlogs.
PAN-66654 Fixed an issue where the status of a tunnel interface remained down even after disabling
the tunnel monitoring option for IPSec tunnels.
PAN-66531 Fixed an issue where the Commit Scope column in the Commit window was empty after
manually uploading and installing a content update and then committing. Although the
content update was not listed under Commit Scope, the commit continued and showed
100% complete.
PAN-66104 Fixed an issue where vsys-specific custom response pages (Captive portal, URL continue,
and URL override) did not display; they were replaced by shared response pages, instead.
PAN-65918 Fixed an issue on the Panorama virtual appliance where the third-party backup software
Backup Exec failed to back up a quiesced snapshot of Panorama (Panorama in a temporary
state where all write operations are flushed). With this fix, the VMware Tools bundled with
Panorama supports the quiescing option.
PAN-64981 Fixed an issue where an internal buffer could be overwritten, causing the management
plane to stop responding.
PAN-64884 Fixed an issue where firewalls in an HA configuration did not synchronize the Layer 2 MAC
table; after failover, the MAC table was rebuilt only on the peer that became active, which
caused excessive packet flooding.
PAN-64638 Fixed an issue where the firewall failed to send a RADIUS access request after changing
the IP address of the management interface.
PAN-64579 Error message is now displayed when installing apps package manually from file on passive
Panorama.
PAN-64525 Fixed an issue where User-ID failed to update the allow list for a group name that was
larger than 128 bytes.
PAN-64520 Fixed an issue where H.323-based video calls failed when using source NAT (dynamic or
static) due to incorrect translation of the destCallSignalAddress payload in the
H.225 call setup.
PAN-64436 Fixed an issue where creation of IGMP sessions failed due to a timeout issue.
PAN-64419 Fixed an issue where firewall displays inconsistent shadow rule warnings during a commit
for QOS policies.
PAN-64081 Fixed an issue on PA-5000 Series firewalls where the dataplane stopped responding due
to a race condition during hardware offload.
PAN-63969 Fixed an issue on PA-7000 Series firewalls in an HA configuration where the NPC 40Gbps
(QSFP) Ethernet interfaces on the passive peer displayed link activity on a neighboring
device (such as a switch) to which they connected even though the interfaces were down
on the passive peer.
PAN-63925 Fixed an issue where a firewall did not generate a log when a content update failed or was
interrupted.
PAN-63908 Fixed an issue where SSH sessions were incorrectly subjected to a URL category lookup
even when SSH decryption was disabled. With this fix, SSH traffic is not subject to a URL
category lookup when SSH decryption is disabled.
PAN-63612 Fixed an issue where User activity reports on Panorama did not include any entries when
there was a space in the Device Group name.
PAN-63520 Fixed an issue where the wrong source zone was used when logging vsys-to-vsys sessions.
PAN-63207 Fixed an issue on PA-7000 Series firewalls where group mappings did not populate when
the group include list was pushed from Panorama.
PAN-63054 Fixed an issue on VM-Series firewalls where enabling software QoS resulted in dropped
packets under heavy traffic conditions. With this fix, VM-Series firewalls no longer drop
packets due to heavy loads with software QoS enabled and software QoS performance in
general is improved for all Palo Alto Networks firewalls.
PAN-63013 Fixed an issue where a commit validation error displayed when pushing a template
configuration with a modified WildFire file size setting. With this fix, commit validation
takes place on the managed firewall that tries to commit new template values.
PAN-62937 Fixed an issue where establishing an LDAP connection over a slow or unstable connection
caused commits to fail when you enabled TLS. With this fix, if you enable TLS, the firewall
does not attempt to establish LDAP connections when you perform a commit.
PAN-62797 Fixed an issue where a process (cdb) intermittently restarted, which prevented jobs from
completing successfully.
PAN-62513 Fixed an issue on PA-7000 Series firewalls in an HA active/passive configuration where
the show high-availability path-monitoring command always showed the NPC as
slot 1 even though the path monitoring IP address was assigned to an interface in a
different NPC slot. This occurred only when the path monitoring IP address was assigned
to an interface in an Aggregate Ethernet (AE) interface group and the interface group was
in a slot other than slot 1.
PAN-62057 Fixed an issue where the GlobalProtect agent failed to authenticate using a client
certificate that had a signature algorithm that was not SHA1/SHA256. With this fix, the
firewall provides support for the SHA384 signature algorithm for client-based
authentication.
PAN-61871 Fixed an issue where the firewall matched traffic to a URL category and on first lookup,
which caused some traffic to be matched to the wrong security profile. With this fix, the
firewall matches traffic to URL categories a second time to ensure that traffic is matched
to the correct security profile.
PAN-61837 Fixed an issue on PA-3000 Series and PA-5000 Series firewalls where the dataplane
stopped responding when a session crossed vsys boundaries and could not find the correct
egress port. This issue occurred when zone protection was enabled with a SYN Cookies
action (Network > Zone Protection > Flood Protection).
PAN-61813 Fixed an issue on Panorama where a custom scheduled report configured for a device
group was empty when exported.
PAN-61797 Fixed an issue on the passive peer in an HA configuration where LACP flapped when the
link state was set to shutdown/auto and pre-negotiation was disabled.
PAN-61682 Fixed an issue where end users either did not see the Captive Portal web form or saw a
page displaying raw HTML code after requesting an application through a web proxy
because the HTTP body content length exceeded the specified size in the HTTP Header
Content-Length.
PAN-61284 Fixed an issue where User-ID consumed a large amount of memory when the firewall
experienced a high rate of incoming IP address-to-username mapping data and there were
more than ten redistribution client firewalls at the same time.
PAN-61252 Fixed an issue on firewalls in an HA active/active configuration where the floating IP
address was not active on the secondary firewall after the link went down on the primary
firewall.
PAN-60797 Fixed an issue where read-only superusers were able to view threat packet captures
(pcaps) on the firewall but received an error (File not found) when they attempted to
export certain types of pcap files (threat, threatextpcap, app, and filtering).
PAN-60753 Fixed an issue where changing the RSA key from a 2,048-bit key to a 1,024-bit key forced
the encryption algorithm to change from SHA256 to SHA1 for SSL forward proxy
decryption.
PAN-60581 Added a check to not include all the applications in the Application filter if no application
category is selected by the user. Users have to explicitly add all the categories to create an
application filter with all the applications.
PAN-60577 Fixed an issue where an application filter with no selected categories caused the firewall
to perform slowly because the filter defaulted to include all categories (Objects >
Application Filters). With this fix, you cannot configure an application filter without
selecting one or more categories.
PAN-60556 Added support in the certificate profile to also configure a non-CA certificate as an
additional certificate to verify the OCSP response received for certificate status validation.
The OCSP Verify CA field in the certificate profile has been changed to OCSP Verify
Certificate.
PAN-60402 Fixed an issue where renaming an address object caused the commit to a Device Group to
fail.
PAN-60340 Fixed an issue where the Panorama application database did not display all applications in
the browser.
PAN-60035 Enhanced dynamic IP NAT translation to prevent conflicts between different packet
processors and improve dynamic IP NAT pool utilization.
PAN-59676 Fixed an issue where firewall administrators with custom roles (Admin Role profiles) could
not download content or software updates.
PAN-59654 Fixed an issue where commits failed on the firewall after upgrading from a PAN-OS 6.1
release due to incorrect settings for the HexaTech VPN application on the firewall. With
this fix, upgrading from a PAN-OS 6.1 release to PAN-OS 8.0.0 (or a later release) does not
cause commit failures related to these settings.
PAN-59614 Fixed an issue where administrators were unable to fully utilize the maximum of 64
address objects per FQDN due to the 512B DNS server response packet size; specified
addresses that were not included in the first 512B were dropped and not resolved. With
this fix, the size of the DNS server response packet is increased to 4,096B, which fully
supports the maximum 64 combined address objects per FQDN (up to 32 each IPv4 and
IPv6 addresses).
PAN-58636 Fixed an issue where configuring too many applications and individual ports in a security
rule caused the firewall to stop responding. With this fix, the firewall continues responding
and sends the following error message:
Error: Security Policy '58636_rule' is exceeding maximum number of
combinations supported for service ports(51) and applications(2291). To fix
this, please convert this Security Policy into multiple policies by either
splitting applications or service ports.
Error: Failed to parse security policy
(Module: device)
Commit failed
PAN-58496 Fixed an issue where custom reports using threat summary were not populated.
PAN-58382 Fixed an issue where users were matched to the incorrect security policies.
PAN-57529 Fixed an issue where the firewall acted as a DHCP relay and wireless devices on a VLAN
did not receive a DHCP address (all other devices on the VLAN did receive a DHCP
address). With this fix, all devices on a VLAN receive a DHCP address when the firewall
acts as a DHCP relay.
PAN-57440 Fixed an issue where OSPFv3 link-state updates were sent with the incorrect OSPF
checksum when the OSPF packet needed to advertise more link-state advertisements
(LSAs) than fit into a 1,500-byte packet. With this fix, the firewall sends the correct OSPF
checksum to neighboring switches and routers even when the number of LSAs doesn't fit
into a 1,500-byte packet.
PAN-57215 Fixed an issue where an HTTP 416 error appeared when trying to download updates to a
client from an IBM BigFix update server.
PAN-56700 Fixed an issue where the SNMP OID ifHCOutOctets did not contain the expected data.
PAN-56684 Fixed an issue where DNS proxy static entries stopped working when there were duplicate
entries in the configuration.
PAN-53659 Fixed an issue where the sum of all link aggregation group (LAG) interfaces was greater
than the value of the Aggregate Ethernet (AE) interface.
PAN-50973 Fixed an issue for VM-Series firewalls on Microsoft Hyper-V where, although the FIPS-CC
mode option was visible in the maintenance mode menu, you could not enable it. With this
fix, FIPS-CC mode is supported for and can be enabled from the maintenance mode menu
in VM-Series firewalls on Microsoft Hyper-V.
PAN-48095 Fixed an issue on PA-200 firewalls where the Panorama dynamic update schedule ignored
the currently installed dynamic update version and installed unnecessary dynamic
updates.
Getting Help
The following topics provide information on where to find more about this release and how to request
support:
Related Documentation
Requesting Support
Related Documentation
Refer to the following PAN-OS 8.0 documentation on the Technical Documentation portal or search the
documentation for more information on our products:
New Features Guide: Detailed information on configuring the features introduced in this release.
PAN-OS Administrator's Guide: Provides the concepts and solutions to get the most out of your Palo
Alto Networks next-generation firewalls. This includes taking you through the initial configuration and
basic setup on your Palo Alto Networks firewalls.
Panorama Administrator's Guide: Provides the basic framework to quickly set up the Panorama virtual
appliance or an M-Series appliance for centralized administration of the Palo Alto Networks firewalls.
WildFire Administrator's Guide: Provides steps to set up a Palo Alto Networks firewall to forward
samples for WildFire Analysis, to deploy the WF-500 appliance to host a WildFire private or hybrid
cloud, and to monitor WildFire activity.
VM-Series Deployment Guide: Provides details on deploying and licensing the VM-Series firewall on all
supported hypervisors. It includes examples of supported topologies on each hypervisor.
GlobalProtect Administrator's Guide: Describes how to set up and manage GlobalProtect.
Online Help System: Detailed, context-sensitive help system integrated with the firewall web interface.
Palo Alto Networks Compatibility Matrix: Provides operating system and other compatibility
information for Palo Alto Networks next-generation firewalls, appliances, and agents.
Open Source Software (OSS) Listings: OSS licenses used with Palo Alto Networks products and
software:
PAN-OS 8.0
Panorama 8.0
Wildfire 8.0
Requesting Support
For contacting support, for information on support programs, to manage your account or devices, or to open
a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
https://www.paloaltonetworks.com/company/contactsupport
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our
trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks
mentioned herein may be trademarks of their respective companies.
Revision Date: August 17, 2017