PAN-OS 7.0.2 Release Notes
Revision Date: August 27, 2015
Review important information about Palo Alto Networks PAN-OS 7.0 software, including new features
introduced in this release, workarounds for open issues, and resolved issues. For the latest version of this release
note, refer to the Palo Alto Networks technical documentation portal.
Management Features
All New Application Command Center (ACC)
The ACC is redesigned to provide improved visibility into network traffic and actionable information on threats. The new layout includes a tabbed view of network activity, threat activity, and blocked activity, and each tab includes pertinent widgets for better visualization of traffic patterns on your network. For a personalized view of your network, you can also add a custom tab and include widgets that allow you to drill down into the information that is most important to you.
Automated Correlation Engine
The new automated correlation engine is an analytics tool that detects security events on your network. It collects isolated events across multiple log types on the firewall, queries the data for specific patterns, and correlates network events to identify actionable information such as host-based activities that indicate a compromised host.
The automated correlation engine includes correlation objects that are defined by the Palo Alto Networks Malware Research team. These objects identify suspicious traffic patterns or a sequence of events that indicate a malicious outcome; some correlation objects can identify dynamic patterns that have been observed from malware samples in WildFire.
Correlation objects trigger correlation events when they match on traffic patterns and network artifacts that indicate a compromised host on your network. Thus, correlated events provide actionable intelligence that you can use to remediate incidents, mitigate risks, and secure your network. You can view the correlated event logs in the Monitor tab or see a graphical display in the Compromised Hosts widget on the Threat Activity tab of the ACC. The automated correlation engine is supported on PA-3000 Series, PA-5000 Series, and PA-7000 Series platforms, and on Panorama.
New correlation objects will be delivered with the weekly content updates. To obtain new correlation objects, the firewall must have a Threat Prevention license; Panorama requires a support license to receive the correlation objects with the weekly content updates.
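As an added illustration of what a correlation object does (example code written for this page, not Palo Alto Networks' engine or its correlation objects; the log format, field names, rule and sample hosts are all constructed assumptions), the following Python script orders events per host across two constructed log types and flags a host only when a malicious WildFire verdict is followed, within a time window, by a spyware signature hit:

```python
"""Toy correlation: a host is flagged when, within a window, it (1) downloads a
file that WildFire judged malicious and then (2) triggers a spyware signature.
Log lines, field names and the rule itself are constructed for this example."""
from datetime import datetime, timedelta

# Constructed sample logs, one event per line: time, log type, source host, key=value fields
SAMPLE_LOGS = """\
2015-08-27T09:00:01 wildfire 10.1.1.20 verdict=malicious file=invoice.exe
2015-08-27T09:03:12 threat   10.1.1.20 category=spyware name=Generic.C2.Beacon
2015-08-27T09:05:00 wildfire 10.1.1.21 verdict=benign file=report.pdf
2015-08-27T09:06:30 threat   10.1.1.21 category=spyware name=Generic.C2.Beacon
2015-08-27T11:30:00 threat   10.1.1.22 category=spyware name=Generic.C2.Beacon
2015-08-27T07:00:00 wildfire 10.1.1.22 verdict=malicious file=setup.exe
"""

def parse_logs(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, log_type, host, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({"time": datetime.fromisoformat(ts), "type": log_type,
                       "host": host, **fields})
    return events

# A constructed correlation object: two ordered conditions and a time window
CORRELATION_OBJECT = {
    "name": "malware-download-then-c2",
    "window": timedelta(hours=1),
    "first": lambda e: e["type"] == "wildfire" and e.get("verdict") == "malicious",
    "then": lambda e: e["type"] == "threat" and e.get("category") == "spyware",
}

def correlate(events, obj):
    """Return {host: (first_event, second_event)} for hosts that match obj in order."""
    by_host = {}
    for event in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(event["host"], []).append(event)
    hits = {}
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            if not obj["first"](first):
                continue
            for later in evs[i + 1:]:
                if later["time"] - first["time"] > obj["window"]:
                    break                       # outside the window: stop looking
                if obj["then"](later):
                    hits[host] = (first, later)
                    break
            if host in hits:
                break
    return hits

def compromised_hosts(text=SAMPLE_LOGS, obj=CORRELATION_OBJECT):
    """Sorted list of hosts the correlation object fired on."""
    return sorted(correlate(parse_logs(text), obj))

if __name__ == "__main__":
    for host, (a, b) in correlate(parse_logs(SAMPLE_LOGS), CORRELATION_OBJECT).items():
        print(f"{host}: {a['file']} judged malicious at {a['time']:%H:%M}, "
              f"spyware hit at {b['time']:%H:%M}")
```

Only 10.1.1.20 is flagged: 10.1.1.21 has the spyware hit but a benign verdict, and 10.1.1.22 has both events but more than an hour apart, so the sequence is not treated as one incident.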
Global Find
To make the management of your Palo Alto Networks devices more efficient, a new global find feature is introduced that enables you to search the entire configuration of a PAN-OS or Panorama web interface for a particular string, such as an IP address, object name, policy name, threat ID, or application name. The search results are grouped by category and provide links to the configuration location in the web interface, so that you can quickly and easily find all of the places where the string is referenced. For example, if you temporarily denied an application that is defined in multiple security policy rules and you now want to allow that application, you can search on the application name and quickly locate all referenced policies to change the action back to allow.
Tag Browser
The tag browser introduces a way to view all the tags used within a rulebase. In rulebases with a large number of rules, the tag browser simplifies the display by presenting the tags, the color code, and the rule numbers in which the tags are used; it also allows you to group rules using the first tag applied to the rule. You can, for example, filter rules by the first tag applied, and view the rules grouped by a high-level function such as Internet access or data center access. In this grouped-rule view, if you identify gaps in coverage, the tag browser allows you to move rules or add new rules within the rulebase.
Configuration Validation Improvements
The option to validate a PAN-OS or Panorama candidate configuration before you commit (to determine whether your recent changes will commit successfully) is enhanced to do syntactic and semantic validation of the configuration. It then displays the same errors and warnings as would display for a full commit or virtual system commit, such as rule shadowing or application dependency warnings, or errors indicating an invalid route destination or a missing account/password to query a server.
Move and Clone Policies, Objects, and Templates
You can now move or clone policies and objects to a different device group or virtual system. This saves you the effort of deleting, recreating, or renaming these items when only a move or copy is needed. You can also clone templates and template stacks.
Extended SNMP Support
Extended SNMP support includes:
- Global counters for Denial of Service (DoS), IP fragmentation, TCP state, and dropped packets, by which to monitor the health and security of your devices and network. Previously, you had to use the CLI or XML API to monitor global counters.
- SNMP Interface MIB for logical interfaces: The PAN-OS implementation of the interfaces and IfMIB has been extended to support all logical interfaces on the firewall, including tunnels, aggregate groups, L2 subinterfaces, L3 subinterfaces, loopback interfaces, and VLAN interfaces. This is in addition to the SNMP Interface MIB support on physical interfaces. In addition, the VPN tunnel status can now be monitored.
- LLDP-V2-MIB: Information transmitted and received from neighbors using Link Layer Discovery Protocol (LLDP) is stored for SNMP access. All MIB objects under the standard LLDP MIB definitions are supported. Neighbor entries are aged out when the TTL value contained in the received LLDP message reaches zero.
SaaS Application Usage Report
A new predefined report is introduced to provide visibility into Software as a Service (SaaS) application usage, enabling you to assess and subsequently mitigate the risks to your enterprise's data when taking advantage of SaaS applications. The report will also help to assess risks to the security of your enterprise network, such as the delivery of malware through SaaS applications adopted by your users.
Policy Impact Review for New Content Releases
Before installing a new content release, you can now review the policy impact for new App-IDs and stage any necessary policy updates. This enables you to assess the treatment an application receives both before and after the new content is installed and then prepare policy updates to take effect at the same time that the content update is installed. This feature specifically includes the capability to modify existing security policies using the new App-IDs contained in a downloaded content release (prior to installing the new content). You can then simultaneously update your security policy rules and install new content, allowing for a seamless shift in policy enforcement. You can also choose to disable new App-IDs when installing a new content release version; this enables protection against the latest threats, while giving you the flexibility to enable the new App-IDs after you've had the chance to prepare any policy changes.
Security Profile and Address Objects Per Address Group Capacity Increase
The security profile capacities and number of address objects per address group have been increased as follows:
- Security profiles: Capacity increased on all platforms by approximately 50% for the following security profiles: Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking, WildFire Analysis, Data Filtering, and Decryption. For example, the PA-7050 firewall supported 500 security profiles in PAN-OS 6.1, and now supports 750 profiles in PAN-OS 7.0.
- Address objects per address group: Increased from 500 to 2500 for all platforms.
For details on platform capacities, refer to https://www.paloaltonetworks.com/products/product-selection.html.
Virtual System/Device Name in Reports and Logs
You can now view or search logs or create a report based on a virtual system name or a device name, which are more user-friendly attributes to use than the virtual system ID or device serial number. You no longer need to manually map a virtual system name to its ID, or map a device name to its serial number, in order to view or search logs or create reports. Virtual System Name and Device Name are added as available attributes to PAN-OS and Panorama reports and logs.
Time-Based Log and Report Deletion
You can now configure automatic deletion of logs and reports based on time instead of just on space quotas. This is useful in deployments where periodically deleting monitored data is desired or necessary. For example, deleting user data after a certain period might be mandatory in your organization for legal reasons.
Software Upload Improvements
Devices now display details about uploaded software updates that enable you to check, before installing an update, that it is the intended one. Installing uploaded software now involves fewer steps, which makes deployment easier when a device does not have external network access.
Panorama Features
Device Group Hierarchy
You can now create nested device groups in a tree hierarchy, with lower-level groups inheriting the settings of higher-level groups. This enables you to organize devices based on function and location without redundant configuration. For example, you could configure Shared settings that are global to all firewalls, configure device groups with function-specific settings at the first level, and configure device groups with location-specific settings at subsequent levels. Without a hierarchy, you would have to configure both function- and location-specific settings for every device group in a single level under Shared. Combined with the Role-Based Access Control Enhancements in this release, a hierarchy also enables you to control administrator access to data according to areas/levels of responsibility.
Template Stacks
You can now define a template stack, which is a combination of templates. By assigning firewalls to a stack, you can push all the necessary settings to them without the redundancy of adding every setting to every template. For example, you could assign the firewalls in a California data center to a stack that has one template with global settings, one template with California-specific settings, and one template with data center-specific settings. To manage firewalls in a California branch office, you could then re-use the global and California-specific templates by adding them to another stack that includes a template with branch-specific settings.
Role-Based Access Control Enhancements
You can now associate each access domain with an administrator role to enforce the separation of information among the functional or regional areas of your organization. You can assign multiple access domain/role pairs to an administrator (local or external), who can then filter the Panorama web interface to display only information that is relevant to a particular domain. For custom roles, you can also define feature-specific access to firewalls (through context switching) separately from Panorama access, and provide additional access to logs and reports, so that administrators can have a broader range of responsibilities.
Firewall Configuration Import into Panorama
You can now import firewall configurations into Panorama instead of recreating them. Panorama provides the option to import objects from Shared on the firewall into Shared in Panorama, and import other objects, policies, and settings into new device groups and templates. After the import, you can Move and Clone Policies, Objects, and Templates to different device groups.
Panorama Support for Larger Configuration Files
Panorama now supports much larger configuration files, which enable you to add more information and greater complexity to individual device groups, templates, and other configurations without affecting system performance or stability. Panorama also supports a higher number of concurrent, active administrators.
Log Redundancy Within a Collector Group
You can now enable log duplication for a Collector Group so that each log will have two copies and each copy will reside on a different Log Collector. This redundancy ensures that, if any one Log Collector becomes unavailable, no logs are lost: you can still display all the logs forwarded to the Collector Group and run reports for all the log data.
Firewall HA State in Panorama
The Panorama web interface now displays the high availability state of firewalls (for example, active or passive) in places where knowing that state is useful. For example, the Context drop-down now displays HA state so that you can switch context to the active-primary firewall when you need to change the firewall configuration.
WildFire Features
Grayware Verdict
The WildFire grayware verdict is introduced to clearly identify executables that behave similarly to malware, but are not malicious in nature or intent. A grayware verdict might be assigned to executables that do not pose a direct security threat, but display otherwise obtrusive behavior (for example, installing unwanted software, changing various system settings, or reducing system performance). Examples of grayware software can typically include adware, spyware, and Browser Helper Objects (BHOs). The grayware verdict allows the security responder to quickly distinguish malicious files on the network from grayware, and to prioritize accordingly. While antivirus signatures are not generated for grayware, WildFire logs can continue to alert the security responder to endpoints downloading grayware, in order to assess if such events are concerning.
WildFire Hybrid Cloud
Enable a WildFire hybrid cloud deployment so that a single firewall can forward unknown samples (files or email links) to either a WF-500 appliance or the WildFire public cloud, depending on the sample. This feature allows the flexibility to analyze private documents inside the network, while files sourced from the Internet can be analyzed by the WildFire public cloud. For example, Payment Card Industry (PCI) and Protected Health Information (PHI) data can be exclusively forwarded to the WF-500 appliance for private cloud analysis, and less sensitive files, such as Portable Executables (PEs), can be forwarded to the WildFire public cloud. When possible, offloading files to the WildFire public cloud allows you to benefit from a prompt verdict for files that have been previously processed by the public cloud, and also frees up WF-500 appliance capacity to process sensitive content. Additionally, in a WildFire hybrid cloud deployment, you can use the WildFire public cloud to analyze file types that are not currently supported for WF-500 appliance analysis, such as Android Application Package (APK) files.
This feature also introduces the WildFire Analysis profile, to be used in place of the File Blocking profile to forward samples for WildFire analysis. Existing File Blocking profile rules with the action set to forward or continue-and-forward are migrated to the new WildFire Analysis profile. For each WildFire Analysis profile rule, define traffic to forward to either the WildFire private cloud or the WildFire public cloud based on file type, application, or file transfer direction (upload or download).
WildFire Appliance Support for Java Antivirus Signatures
The WildFire appliance can now locally generate antivirus signatures for malicious Java files (.jar and .class), so that malicious Java files detected by the WildFire appliance no longer have to be forwarded to the WildFire cloud for signature generation.
WildFire Appliance Support for Email Link Analysis
The firewall can now extract HTTP/HTTPS links contained in SMTP and POP3 email messages and forward the links to the WildFire appliance for analysis (this feature was supported only for the WildFire public cloud in PAN-OS 6.1). Enable this functionality by configuring the firewall to forward the email-link file type (Objects > Security Profiles > WildFire Analysis). Note that the firewall only extracts links and associated session information (sender, recipient, and subject) from the email messages that traverse the firewall; it does not receive, store, forward, or view the email message.
After receiving an email link from a firewall, the WildFire appliance visits the links to determine if the corresponding web page hosts any exploits. If it detects malicious behavior on the page, it returns a malicious verdict and:
- Generates a detailed analysis report and logs it to the WildFire Submissions log on the firewall that forwarded the links.
- Categorizes the URL as malware and generates and distributes a signature to connected firewalls, to allow them to identify and block the malware.
If the link corresponds to a file download, the WildFire appliance does not analyze the file. However, the firewall will forward the corresponding file to the WildFire appliance for analysis if the end user clicks the link to download it, as long as the corresponding file type is enabled for forwarding.
The WildFire appliance does not send a log to the firewall if it determines a link to be benign or grayware (even if you have enabled logging of benign or grayware files), because of the large number of logs this would generate.
Configurable Drop Actions in Security Profiles
The Vulnerability Protection, Anti-Spyware, and Antivirus profiles include new actions to drop or reset connections. In addition to the allow/alert/block actions within the security profile, you can now granularly define how to drop or reset connections when the firewall detects a threat. For example, to secure the Microsoft web servers on your network, you can create a rule in the Vulnerability Protection profile with an action to either drop the traffic and send a reset only to the server, or drop the traffic and block the offending client IP address from creating new connections for a specified time interval.
Increased Inspection Depth for Multi-Level Compression and Encoding
The firewall now identifies and inspects files that have been encoded or compressed up to four times, where previously the firewall supported only two levels of decoding. Multiple levels of compression and encoding are frequently introduced to files based on the file format and the application used for file transfer. For example, a Microsoft Office Open XML file (.docx) that is compressed (.zip) and is sent as an email attachment has three levels of encoding: the OOXML format is one level of encoding, the compression of the file to the ZIP format is the second level of encoding, and the third level of encoding is added when the email attachment is embedded using Base64. In this case, the firewall now decodes the file, correctly identifies it as a Microsoft Word document, and performs policy enforcement including file blocking, threat inspection, and WildFire analysis.
Blocking of Encoded Content
A new file type classification, Multi-Level-Encoding, can now be used to log or block content that has been compressed or otherwise encoded to a high degree. As the firewall can now decode and inspect up to four levels of encoding (see Increased Inspection Depth for Multi-Level Compression and Encoding), the new classification can be used to block files that have been encoded five times or more. Multiple levels of encoding can be used as an evasion technique to circumvent security devices; using the Multi-Level-Encoding file type to perform file blocking ensures that unidentified files that have not been processed for threats are not passed through the firewall.
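To make the inspection-depth and Multi-Level-Encoding behavior of the two entries above concrete, here is an added Python example (written for this page, not PAN-OS code; the layer detectors, the sample files and the type labels are constructed assumptions). It peels Base64, ZIP and gzip layers up to the four-level limit, identifies the payload by content, and classifies anything still wrapped after four levels as multi-level encoding to be blocked. The release note's .docx-in-ZIP-in-Base64 attachment is reproduced as the first sample; the OOXML container is counted here as the identified final type rather than as a peeled layer.

```python
"""Peel nested encodings up to a depth limit, identify the payload, and block
what is still wrapped beyond the limit. Sample files are constructed here."""
import base64, binascii, gzip, io, re, zipfile

MAX_LEVELS = 4    # inspection depth from the release note
# Base64 text: alphabet plus line breaks, optional padding, trailing whitespace
BASE64_RE = re.compile(rb"\A[A-Za-z0-9+/\r\n]+={0,2}\s*\Z")

def is_ooxml_word(blob):
    """A ZIP carrying the OOXML part names is treated as a Word document (a leaf)."""
    if not blob.startswith(b"PK\x03\x04"):
        return False
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
    return "[Content_Types].xml" in names and "word/document.xml" in names

def peel(blob):
    """Strip one layer; return (layer_name, inner_bytes), or None if blob is a leaf."""
    if blob.startswith(b"\x1f\x8b"):
        return "gzip", gzip.decompress(blob)
    if blob.startswith(b"PK\x03\x04") and not is_ooxml_word(blob):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return "zip", zf.read(zf.namelist()[0])   # constructed archives hold one member
    if BASE64_RE.match(blob):
        try:
            return "base64", base64.b64decode(re.sub(rb"\s", b"", blob), validate=True)
        except binascii.Error:
            return None
    return None

def identify(blob):
    """Content-based type of a leaf payload (constructed label set)."""
    if is_ooxml_word(blob):
        return "ms-office-word-docx"
    if blob.startswith(b"PK\x03\x04"):
        return "zip"
    if blob.startswith(b"%PDF-"):
        return "pdf"
    if blob.startswith(b"MZ"):
        return "pe"
    return "unknown"

def inspect(blob, max_levels=MAX_LEVELS):
    """Peel up to max_levels layers. Returns (layers_peeled, file_type, action)."""
    layers, cur = [], blob
    while len(layers) < max_levels:
        step = peel(cur)
        if step is None:
            break
        layer, cur = step
        layers.append(layer)
    if peel(cur) is not None:
        # Still encoded after the depth limit: the Multi-Level-Encoding classification
        return layers, "multi-level-encoding", "block"
    return layers, identify(cur), "inspect"

# ---- constructed samples -------------------------------------------------
def make_docx():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

def wrap_zip(payload, name):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def email_attachment():
    """The release note's case: .docx, zipped, then Base64 as a mail attachment."""
    return base64.encodebytes(wrap_zip(make_docx(), "invoice.docx"))

def over_encoded(levels):
    """Alternate gzip and Base64 around a .docx `levels` times."""
    blob = make_docx()
    for i in range(levels):
        blob = gzip.compress(blob) if i % 2 == 0 else base64.b64encode(blob)
    return blob

if __name__ == "__main__":
    print(inspect(email_attachment()))   # two layers peeled, Word document identified
    print(inspect(over_encoded(4)))      # four layers, still identified
    print(inspect(over_encoded(5)))      # fifth layer remains: blocked
```

Four wrapping layers around the document are still resolved to a Word file and go on to inspection; a fifth layer leaves the payload unidentified at the limit, and that unidentified state is exactly what the Multi-Level-Encoding file type lets a file-blocking rule act on.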
Negate Operator for Custom Threat Signatures
A new Negate operator is now available when creating custom vulnerability or spyware signatures. The Negate operator can be used to ensure that the vulnerability or spyware signature is not triggered under certain conditions. For example, create a custom signature to trigger when a Uniform Resource Identifier (URI) pattern is matched to traffic, but only when the HTTP referer field is not equal to a certain value. A custom signature must include at least one positive condition in order for a negated condition to be specified.
PAN-DB Private Cloud
If the security and compliance requirements in your enterprise prohibit the Palo Alto Networks next-generation firewalls from directly accessing the Internet for performing URL lookups, you can deploy a PAN-DB Private Cloud. To protect users from malware and undesirable web content, the firewalls can query the PAN-DB Private Cloud deployed within your network instead of accessing the PAN-DB public cloud. The PAN-DB Private Cloud solution ensures information privacy and does not send any data or analytics to the public cloud.
Authentication Features
Authentication and Authorization Enhancements
The workflow to configure authentication servers and profiles is now more intuitive and consistent. You can also enable GlobalProtect clients to send RADIUS vendor-specific attributes to RADIUS servers so that RADIUS administrators can make policy decisions based on those attributes. For example, RADIUS administrators might use the client operating system attribute to define a policy that mandates regular password authentication for Microsoft Windows users and one-time password (OTP) authentication for Google Android users.
SSL/TLS Service Profiles
You can now assign SSL/TLS service profiles to device services that use SSL/TLS, including Captive Portal, management traffic access using the web interface or XML API, the URL Admin Override feature, the User-ID Syslog listening service, and GlobalProtect portals and gateways. SSL/TLS service profiles specify a certificate and the allowed protocol version or range of versions (now including TLSv1.2). By defining the protocol versions, the profiles enable you to restrict the cipher suites that are available to secure communication with the clients requesting the services. This improves network security by enabling devices to avoid SSL/TLS versions that have known weaknesses.
TACACS+ Authentication
Devices now support the Terminal Access Controller Access-Control System Plus (TACACS+) protocol for authenticating administrative users. TACACS+ provides greater security than RADIUS insofar as it encrypts usernames and passwords (instead of just passwords), and is also more reliable (it uses TCP instead of UDP).
Kerberos Single Sign-on
Devices now support Kerberos V5 single sign-on for administrator authentication and Captive Portal authentication. Single sign-on minimizes the number of logins requiring user input while ensuring security for web services.
Suite B Cryptography Support
You can now use Suite B ciphers to authenticate administrators and to secure site-to-site VPN, and GlobalProtect remote access and large scale VPN (LSVPN). To secure the VPN tunnels between GlobalProtect gateways and endpoint devices, the latter must run GlobalProtect client software 2.2 or later releases. The new GlobalProtect IPSec Crypto profile supports Suite B encryption algorithms (and other algorithms) for LSVPN. You can use elliptic curve (ECDSA) certificates for administrator and GlobalProtect authentication. Suite B support enables you to meet U.S. federal network security standards.
Authentication Server Connectivity Testing
You can now test an authentication profile to determine if your firewall or Panorama management server can communicate with a backend authentication server and if the authentication request was successful. You can perform authentication tests on the candidate configuration, so that you know the configuration is correct before committing. Authentication server connectivity testing is supported for local database, RADIUS, TACACS+, LDAP, and Kerberos authentication.
Decryption Features
SSL Decryption Enhancements
When using SSL decryption to inspect and enforce security rules for connections between clients and destination servers, enable the following new options as increased security measures:
- Enforce the use of strong cipher suites. This includes support to specifically enforce the use of AES128-GCM and AES256-GCM ciphers.
- Enforce the use of minimum and maximum protocol versions.
- Enforce certificate validation on a per-policy basis (where previously, certificate validation was performed at the device level).
- Define traffic that you want to be decrypted based on TCP port numbers. This enables you to apply different decryption policies to a single server's traffic; traffic being transmitted using different protocols can receive different treatment.
- Enforce valid certificates and trusted issuers for traffic that is not decrypted, with the options to terminate an SSL session if the server certificate is expired or if the server certificate issuer is untrusted.
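The protocol-version and cipher-suite restrictions that both the SSL/TLS Service Profiles entry and the decryption enhancements above describe are shown below with Python's ssl module as an added example (not PAN-OS configuration or Palo Alto Networks code; the function names are constructed). The permissive context stands for the weak setting and the hardened one for the corrected setting: TLS 1.2 minimum, AES-GCM suites only, and certificate validation that fails the handshake on an expired certificate or an untrusted issuer.

```python
"""Weak versus hardened TLS policy expressed as Python ssl contexts.
Constructed for this page; not a PAN-OS profile."""
import ssl

def permissive_context():
    """'Before': any protocol version the OpenSSL build allows, no certificate checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_context():
    """'After': TLS 1.2 minimum, explicit maximum, AES-GCM suites only, certificate
    must chain to a trusted issuer and be inside its validity period."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = (ssl.TLSVersion.TLSv1_3 if ssl.HAS_TLSv1_3
                           else ssl.TLSVersion.MAXIMUM_SUPPORTED)
    # OpenSSL cipher-list syntax: ephemeral key exchange with AES-GCM, nothing unauthenticated
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL")
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED   # expired or untrusted-issuer certs fail the handshake
    ctx.load_default_certs()              # trusted issuers: the platform CA store
    return ctx

def policy_summary(ctx):
    """The facts an auditor would check on a context, as plain values."""
    tls12 = [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]
    return {
        "min_version": ctx.minimum_version.name,
        "cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "tls12_suites": tls12,
        "gcm_only": bool(tls12) and all("GCM" in name for name in tls12),
    }

if __name__ == "__main__":
    for label, ctx in (("permissive", permissive_context()), ("hardened", hardened_context())):
        summary = policy_summary(ctx)
        print(label, summary["min_version"], "cert_required=%s" % summary["cert_required"],
              "gcm_only=%s" % summary["gcm_only"], len(summary["tls12_suites"]), "TLS1.2 suites")
```

TLS 1.3 suites are fixed by the protocol and are listed separately by OpenSSL, which is why the summary checks the GCM restriction only over the TLS 1.2 suites that the cipher string actually governs.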
User-ID Features
User Attribution Based on X-Forwarded-For Headers
You can now configure User-ID to read user IP addresses from the X-Forwarded-For (XFF) header in client requests for web services when the firewall is deployed between the Internet and a proxy server that would otherwise hide the user IP addresses. User-ID matches the IP addresses with usernames that your policies reference so that those policies can control and log access for the associated users and groups.
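Because X-Forwarded-For is appended hop by hop and its leftmost entries are written by whoever sent the request, an attribution step has to decide which hop to believe. The added Python example below (not PAN-OS code; the trusted proxy range and the sample requests are constructed) walks the chain from the TCP peer backwards and believes only hops that a trusted proxy vouched for:

```python
"""Attribute a request to a client IP using X-Forwarded-For without trusting
client-supplied entries. Proxy range and sample requests are constructed."""
import ipaddress

# Constructed: the address range of the proxy tier that sits in front of the firewall
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

def _parse(ip):
    try:
        return ipaddress.ip_address(ip)
    except ValueError:
        return None

def _is_trusted_proxy(ip):
    addr = _parse(ip)
    return addr is not None and any(addr in net for net in TRUSTED_PROXIES)

def client_ip(remote_addr, xff_header):
    """Address to attribute the user to, or None when no safe choice exists.

    The TCP peer is the only hop known for certain. If it is one of our proxies, it
    appended the rightmost XFF entry, which is the address it saw; if that entry is
    another trusted proxy, repeat. The first hop that is not a trusted proxy is the
    client. Everything to its left was supplied by untrusted parties and is ignored."""
    if not _is_trusted_proxy(remote_addr):
        return remote_addr                       # no proxy of ours in front: peer is the client
    hops = [h.strip() for h in xff_header.split(",") if h.strip()] if xff_header else []
    for hop in reversed(hops):
        if _is_trusted_proxy(hop):
            continue
        addr = _parse(hop)
        return str(addr) if addr is not None else None   # malformed value: do not attribute
    return None                                  # chain consisted only of our proxies

# Constructed requests: (TCP peer address, X-Forwarded-For header value)
SAMPLE_REQUESTS = [
    ("10.0.0.5", "203.0.113.9"),                  # one proxy, one client
    ("10.0.0.5", "198.51.100.1, 203.0.113.9"),    # leftmost entry unverifiable, ignored
    ("10.0.0.5", "203.0.113.9, 10.0.0.7"),        # two of our proxies in the chain
    ("192.0.2.4", "203.0.113.9"),                 # peer is not our proxy: header ignored
    ("10.0.0.5", "not-an-ip"),                    # malformed: no attribution
    ("10.0.0.5", ""),                             # proxy sent no header: no attribution
]

def attribute_all(requests=SAMPLE_REQUESTS):
    return [client_ip(peer, xff) for peer, xff in requests]

if __name__ == "__main__":
    for (peer, xff), result in zip(SAMPLE_REQUESTS, attribute_all()):
        print(f"peer={peer:<10} xff={xff!r:<30} -> {result}")
```

The second request shows the trade-off: 198.51.100.1 may well be the real origin behind a third-party proxy, but nothing in the chain lets the firewall verify that, so only the hop our own proxy observed is used for user attribution and logging.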
Custom Groups Based on LDAP Filters
You can now define custom groups based on LDAP filters so that you can base firewall policies on user attributes that do not match existing user groups in an LDAP-based service such as Active Directory (AD). Defining custom groups can be quicker than creating new groups or changing existing ones on the LDAP server, and does not require an LDAP administrator to intervene.
Virtualization Features
Support for High Availability on the VM-Series Firewall
The VM-Series firewall on ESXi, Xen (on SDX), and KVM now supports both Active/Passive HA and Active/Active HA with session synchronization. The VM-Series in Amazon Web Services (AWS) supports Active/Passive HA only.
In an HA configuration, you must deploy both peers on the same type of hypervisor, have identical hardware resources assigned to them, and have the same set of licenses/subscriptions.
Support for Jumbo Frames
The VM-Series firewall can now support jumbo frames, which are Ethernet packets larger than 1500 bytes. As with the hardware-based firewalls, when you enable jumbo frames on the VM-Series firewall, the default Maximum Transmission Unit (MTU) size for all Layer 3 interfaces is set to 9192 bytes; the MTU can range between 512 and 9216 bytes. You can override the global MTU, and configure an explicit value between 512 and 9216 bytes on a per-interface basis.
Support for Hypervisor Assigned MAC Address
The VM-Series firewall supports the ability to detect the MAC address assigned to the physical interface by the host/hypervisor and use that MAC address on the interfaces assigned to the VM-Series firewall. In Layer 3 deployments, this capability allows a vSwitch to forward traffic to the correct interface on the firewall without requiring that promiscuous mode be enabled on the vSwitch. Hypervisor-assigned MAC addresses are also supported on PCI passthrough and SR-IOV capable network adapters.
Networking Features
ECMP
The firewall now supports Equal Cost Multipath (ECMP). Enable ECMP for the forwarding table to have up to four equal-cost paths to a single destination, which allows you to load balance traffic, use more of the available bandwidth, and have traffic dynamically shift to another ECMP member if one path fails. You can choose one of several load-balancing algorithms to determine which equal-cost path a virtual router uses for a new session to the destination.
DHCP Options
A firewall configured as a DHCP server can now send a full range of DHCP options to clients, including vendor-specific and customized options that support a wide variety of office equipment, such as IP phones and wireless infrastructure devices. Each option code supports multiple values, which can be IP addresses, ASCII text, or hexadecimal values. With the enhanced DHCP option support enabled on the firewall, branch office administrators do not need to purchase and manage their own DHCP servers in order to provide vendor-specific and customized options to DHCP clients.
Granular Actions for Blocking Traffic in Security Policy
When you configure the firewall to block traffic, the firewall either resets the connection or silently drops packets. When the firewall silently drops packets, it causes some applications to break and appear unresponsive to the user. New actions to gracefully block traffic provide a better user experience. The new actions available are:
- Drop traffic silently, and optionally send an ICMP Unreachable response to the user.
- Block traffic, and automatically use the deny action predefined for the application. You can view the predefined deny action for an application in Applipedia.
- Reset the connection with a TCP reset on the client-side connection, on the server-side connection, or on both sides of the connection.
These new actions will be logged in the Traffic logs and are available for log queries.
Session-Based DSCP Classification
Differentiated Services Code Point (DSCP) is used to indicate the level of service requested for traffic, such as high priority or best effort delivery. Set up session-based DSCP classification to enable the firewall to honor the service class requested for traffic and to mark a session to receive priority treatment. Session-based DSCP extends the power of Quality of Service (QoS), which polices traffic as it passes through the firewall, by allowing all network devices between the firewall and the client to also police traffic based on the DSCP value for traffic. For example, inbound return traffic from an external server can now be treated with the same priority that the firewall initially enforced for the outbound flow. Network devices intermediate to the firewall and end user will also then enforce the same priority for the return traffic.
QoS on Aggregate Ethernet (AE) Interfaces
You can now enable QoS on AE interfaces configured on PA-7000 Series, PA-5000 Series, PA-3000 Series, PA-2000 Series, and PA-500 platforms. An AE interface is two or more interfaces linked together for combined bandwidth and link redundancy. When using AE interfaces to scale your network, enable QoS on an AE interface to prioritize, allocate, and guarantee the increased bandwidth supported on the AE interface.
Support for QoS on AE interfaces on PA-7050 firewalls began in PAN-OS 6.0.0.
Improved Performance for a Single VPN Tunnel
In deployments where a single VPN tunnel is set up between a Palo Alto Networks firewall and another IPSec VPN device, and the tunnel supports multiple sessions, the firewall can now use multiple CPU cores (simultaneously) to decrypt traffic. When the volume of VPN traffic is high, this enhancement minimizes latency and improves performance.
Per-Virtual System Service Routes
The source interface and source IP address of service routes can now be configured for individual virtual systems, in addition to the global configuration of service routes. Per-virtual system service routes provide the flexibility to customize service routes for numerous tenants or departments on a single firewall. Any virtual system that does not have a service route configured to access a particular external service inherits the source interface and source IP address that are set globally for that service. The PA-7000 Series firewalls use Log Processing Card (LPC) subinterfaces to separate the logging services for each virtual system. Prior to PAN-OS 7.0, each service route to a service was configured globally and applied to the entire firewall.
LLDP You can now configure Link Layer Discovery Protocol (LLDP) to enable the firewall to
automatically discover neighboring devices and their capabilities at the link layer. LLDP
allows the firewall to send and receive Ethernet frames containing LLDP data units to and
from neighbors. The receiving device stores the information in a MIB, which can be
accessed by SNMP. LLDP enables network devices to learn the capabilities of the connected
devices, and can be used to map network topology. This makes troubleshooting easier,
especially for virtual wire deployments where the firewall would typically go undetected by
a ping or traceroute.
NPTv6 You can now enable IPv6-to-IPv6 Network Prefix Translation (NPTv6) on the firewall, to
perform a stateless, static translation of one IPv6 prefix to another IPv6 prefix (port
numbers are not changed). One benefit of NPTv6 is the prevention of asymmetrical routing
problems that result from provider-independent addresses being advertised from multiple
data centers. NPTv6 allows more specific routes to be advertised so that return traffic
arrives at the same firewall that transmitted the traffic. Another benefit is the independence
of private and public addresses; you can change one without affecting the other. A third
benefit of NPTv6 is the ability to translate unique local addresses (ULAs) to globally
routable addresses.
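Because the translation is stateless, NPTv6 has to be checksum-neutral: the one's-complement sum of the address must not change, or every TCP and UDP checksum that covers the IPv6 pseudo-header would have to be rewritten. The Python below is an added example written for this page (not Palo Alto Networks code) showing that mapping for the /64 case as specified in RFC 6296: the prefix is swapped and a 16-bit one's-complement adjustment is added to the first interface-identifier word that is not 0xFFFF. The prefixes fd00:1::/64 and 2001:db8:1::/64 and the sample addresses are constructed.

```python
import ipaddress


def _fold(total):
    """Fold a sum into a 16-bit one's-complement value (RFC 1071 style)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    packed = addr.packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def ones_complement_sum(addr):
    """One's-complement sum of an address: the quantity NPTv6 must preserve."""
    return _fold(sum(_words(ipaddress.IPv6Address(addr))))


def nptv6_translate(addr, from_prefix, to_prefix):
    """Rewrite addr from from_prefix to to_prefix without changing its checksum.

    Works in either direction: (inside, outside) on egress, (outside, inside)
    on ingress. Raises ValueError for input the translator cannot map, which a
    real NPTv6 device would drop and answer with an ICMPv6 error.
    """
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != 64 or dst.prefixlen != 64:
        raise ValueError("this example handles /64 prefixes only")
    ip = ipaddress.IPv6Address(addr)
    if ip not in src:
        raise ValueError(f"{ip} is not inside {src}")

    words = _words(ip)
    src_sum = _fold(sum(_words(src.network_address)[:4]))
    dst_sum = _fold(sum(_words(dst.network_address)[:4]))
    # adjust = src_sum - dst_sum in one's-complement arithmetic
    adjust = _fold(src_sum + (0xFFFF ^ dst_sum))

    # Swap the 64-bit prefix.
    words[:4] = _words(dst.network_address)[:4]

    # The adjustment goes into the first IID word that is not 0xFFFF; an IID
    # made entirely of 0xFFFF words cannot be translated (RFC 6296).
    for idx in range(4, 8):
        if words[idx] != 0xFFFF:
            break
    else:
        raise ValueError(f"{ip}: interface identifier is all 0xFFFF, untranslatable")

    new_word = _fold(words[idx] + adjust)
    if new_word == 0xFFFF:
        # 0xFFFF and 0x0000 are the same one's-complement value; storing 0x0000
        # keeps the word eligible for the reverse translation.
        new_word = 0
    words[idx] = new_word
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


INSIDE = "fd00:1::/64"       # constructed ULA prefix
OUTSIDE = "2001:db8:1::/64"  # constructed globally routable prefix

if __name__ == "__main__":
    inner = "fd00:1::1"
    outer = nptv6_translate(inner, INSIDE, OUTSIDE)
    back = nptv6_translate(outer, OUTSIDE, INSIDE)
    print(inner, "->", outer, "->", back)
    print("checksum neutral:",
          ones_complement_sum(inner) == ones_complement_sum(outer))
```

The round trip is what makes the mapping usable without a session table, and the equal sums are why no transport checksum has to be touched; both are checked in the test below.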
TCP Split Handshake Palo Alto Networks firewalls by default correctly secure TCP sessions, whether they use a
Drop well-known 3-way handshake or a variation, such as a 4-way or 5-way split handshake or a
simultaneous open. The firewall now offers an additional option to simply drop a TCP
session that tries to use such a variation because it is possibly malicious.
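To see what the new drop option acts on, the following Python is an added example (not Palo Alto Networks code) that classifies a TCP handshake from its flag sequence. Roles are fixed by the first bare SYN; a bare SYN sent by the responder marks a split or simultaneous-open variation, which the caller can allow (the default behavior described above) or drop. The packet traces are constructed and use the names "client" and "server" in place of addresses and ports.

```python
# Constructed handshake traces as (src, dst, flags). A real implementation
# would key flows on the 4-tuple and read the flags from the TCP header.
THREE_WAY = [
    ("client", "server", frozenset({"SYN"})),
    ("server", "client", frozenset({"SYN", "ACK"})),
    ("client", "server", frozenset({"ACK"})),
]
FOUR_WAY = [  # split handshake: the server answers the SYN with its own SYN
    ("client", "server", frozenset({"SYN"})),
    ("server", "client", frozenset({"SYN"})),
    ("client", "server", frozenset({"SYN", "ACK"})),
    ("server", "client", frozenset({"ACK"})),
]
FIVE_WAY = [  # split handshake with a separate ACK of the client's SYN first
    ("client", "server", frozenset({"SYN"})),
    ("server", "client", frozenset({"ACK"})),
    ("server", "client", frozenset({"SYN"})),
    ("client", "server", frozenset({"SYN", "ACK"})),
    ("server", "client", frozenset({"ACK"})),
]
SIMULTANEOUS_OPEN = [
    ("client", "server", frozenset({"SYN"})),
    ("server", "client", frozenset({"SYN"})),
    ("client", "server", frozenset({"SYN", "ACK"})),
    ("server", "client", frozenset({"SYN", "ACK"})),
]


def evaluate_handshake(packets, drop_split_handshake=False):
    """Classify a handshake; return (verdict, kind, initiator, responder).

    The initiator is whoever sent the first bare SYN, and stays the initiator
    even if the other side later sends a SYN of its own. That is the property
    policy enforcement depends on: a device that re-assigns roles on the
    responder's SYN would evaluate the session with client and server swapped.
    kind is "three-way", "split" or "simultaneous-open".
    """
    if not packets:
        raise ValueError("no packets")
    src, dst, flags = packets[0]
    if "SYN" not in flags or "ACK" in flags:
        raise ValueError("flow must start with a bare SYN")
    initiator, responder = src, dst

    responder_bare_syn = responder_synack = initiator_synack = False
    for src, dst, flags in packets[1:]:
        if {src, dst} != {initiator, responder}:
            raise ValueError("packet does not belong to this flow")
        if src == responder and "SYN" in flags:
            if "ACK" in flags:
                responder_synack = True
            else:
                responder_bare_syn = True
        elif src == initiator and flags >= {"SYN", "ACK"}:
            initiator_synack = True

    if not responder_bare_syn:
        kind = "three-way"
    elif responder_synack and initiator_synack:
        kind = "simultaneous-open"
    else:
        kind = "split"

    verdict = "drop" if (kind != "three-way" and drop_split_handshake) else "allow"
    return verdict, kind, initiator, responder


if __name__ == "__main__":
    for name, trace in [("3-way", THREE_WAY), ("4-way", FOUR_WAY),
                        ("5-way", FIVE_WAY), ("simultaneous", SIMULTANEOUS_OPEN)]:
        print(name, evaluate_handshake(trace, drop_split_handshake=True))
```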
Policy Features
DoS Protection Against In PAN-OS 7.0.2 and later releases, you can configure DoS protection to block offending
Flooding of New IP addresses, which handles high-volume single-session and multiple-session attacks more
Sessions efficiently. For configuration details, see DoS Protection Against Flooding of New Sessions.
VPN Features
IKEv2 Support for VPN Site-to-site IPSec VPN is enhanced to support Internet Key Exchange Version 2 (IKEv2),
Tunnels in addition to IKEv1 (GlobalProtect clients are not included in this feature support).
IKEv2:
Exchanges fewer messages than IKEv1 when setting up the tunnel endpoints.
Can negotiate multiple sets of traffic selectors to control which traffic can access the
tunnel.
Provides a liveness check to determine if a peer gateway and tunnel are still up.
Supports NAT Traversal.
Supports the Hash and URL certificate exchange, which reduces fragmentation.
Supports cookie validation of a connection if a threshold number of concurrent IKE SA
sessions is exceeded, reducing the potential for DoS attacks.
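The last item, cookie validation once a threshold of half-open IKE SAs is exceeded, is the IKEv2 defense against state exhaustion by spoofed IKE_SA_INIT floods. The Python class below is an added example written for this page, not Palo Alto Networks code; it follows the construction in RFC 7296 section 2.6, cookie = VersionIDofSecret | Hash(Ni | IPi | SPIi | secret), using HMAC-SHA256 as the hash. The threshold, the secret, and the nonce, SPI and address values in the demo are constructed.

```python
import hashlib
import hmac
import os


class Ikev2Responder:
    """Stateless anti-DoS cookie handling for IKE_SA_INIT (RFC 7296 s2.6).

    Above the half-open threshold the responder allocates no state for a new
    IKE_SA_INIT; it returns a COOKIE notification instead. The initiator must
    resend its request carrying that cookie. Because the cookie is recomputed
    from the request itself, checking it costs no memory, and a spoofed source
    never sees the cookie it would need to get past the check.
    """

    def __init__(self, threshold, secret=None):
        self.threshold = threshold
        self.half_open = 0   # IKE SAs created but not yet completed by IKE_AUTH
        self.version = 1     # <VersionIDofSecret>, bumped on every rotation
        self.secret = secret or os.urandom(32)

    def _cookie(self, ni, ip_i, spi_i):
        mac = hmac.new(self.secret, ni + ip_i.encode() + spi_i, hashlib.sha256).digest()
        return bytes([self.version]) + mac[:16]

    def rotate_secret(self):
        """Periodic rotation bounds how long a captured cookie stays valid."""
        self.version = (self.version + 1) & 0xFF
        self.secret = os.urandom(32)

    def handle_init(self, ni, ip_i, spi_i, cookie=None):
        """Process one IKE_SA_INIT request.

        Returns ("ACCEPT", None), ("COOKIE", cookie_to_send) or ("REJECT", why).
        """
        if cookie is not None:
            expected = self._cookie(ni, ip_i, spi_i)
            if cookie[0] != self.version:
                # Issued under a rotated secret: hand out a fresh one rather
                # than fail the initiator (example policy; the RFC allows either).
                return "COOKIE", expected
            if not hmac.compare_digest(cookie, expected):
                return "REJECT", "bad cookie"
            self.half_open += 1
            return "ACCEPT", None
        if self.half_open >= self.threshold:
            return "COOKIE", self._cookie(ni, ip_i, spi_i)
        self.half_open += 1
        return "ACCEPT", None


if __name__ == "__main__":
    # Constructed demo: threshold of 2 so the third initiator gets a cookie.
    r = Ikev2Responder(threshold=2, secret=b"k" * 32)
    print(r.handle_init(b"nonce-1", "192.0.2.10", b"\x01" * 8))
    print(r.handle_init(b"nonce-2", "192.0.2.11", b"\x02" * 8))
    status, cookie = r.handle_init(b"nonce-3", "192.0.2.12", b"\x03" * 8)
    print(status, cookie.hex())
    print(r.handle_init(b"nonce-3", "192.0.2.12", b"\x03" * 8, cookie=cookie))
```

Note that the responder only binds the cookie to nonce, source address and initiator SPI; a legitimate initiator that changes any of these on retry will get a fresh cookie rather than an SA.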
IPv6 IPSec VPN Support Site-to-site IPSec VPN now supports IPv6 site-to-site connections, allowing you to
establish IKE and IPSec Security Associations (SAs) between IPv6 gateways.
IPSec VPN You can now use the web interface to enable, disable, restart, or refresh an IKE gateway or
Enhancements an IPSec VPN tunnel to simplify troubleshooting. This feature applies to IPv4 and IPv6.
GlobalProtect Features
Disable Direct Access to You can now disable direct access to local networks so that users cannot send traffic to
Local Networks proxies or local resources while connected to a GlobalProtect VPN. For example, if a user
establishes a GlobalProtect VPN tunnel while connected to a public hotspot or hotel Wi-Fi,
and this feature is enabled, all traffic is routed through the tunnel and is subject to policy
enforcement by the firewall.
Static IP Address An enhancement to the IP address allocation logic enables the GlobalProtect gateway to
Allocation maintain an index of clients and IP addresses so that the endpoint automatically receives the
same IP address for all subsequent GlobalProtect VPN connections. The gateway continues
to issue IP addresses in a round-robin fashion until all IP addresses are exhausted. To ensure
that an endpoint receives the same address and to avoid IP address conflicts, create an IP
address pool large enough to accommodate the number of endpoints.
Alternatively, you can now configure a GlobalProtect gateway to assign fixed IP addresses
using an external authentication server. This is useful when downstream resources such as
printers, servers, and applications use a fixed source IP address/IP address pool to allow
access for a specific user, user group, or OS. When enabled, the GlobalProtect gateway
allocates the IP address to connecting devices using the Framed-IP-Address attribute from the
authentication server.
Apply a Gateway You can now specify one or more users or user groups and/or client operating systems to
Configuration to Users, which to apply a remote user tunnel configuration. For example, by configuring different IP
Groups, and/or address pools and access routes for Windows-based clients or for users in user groups such
Operating Systems as Engineering, you can ensure that each client receives the correct network settings.
Welcome Page The GlobalProtect client configuration now includes a setting to force the Welcome Page
Management to display each time a user initiates a connection. This prevents the user from dismissing
important information such as terms and conditions that may be required by your
organization to maintain compliance. Alternatively you can provide the user the ability to
dismiss seeing the Welcome page at subsequent logins.
Remote Desktop The GlobalProtect VPN tunnel functionality has been enhanced to allow users, such as IT
Connection to a Remote Help Desk, to RDP to a client device when connected over GlobalProtect VPN enabling
Client troubleshooting and support for remote Windows users.
Now, when IT Help Desk personnel log in to a client device, the GlobalProtect app can
detect a new login without bringing down the RDP tunnel. After the administrator logs into
the remote machine and successfully authenticates with the gateway, the GlobalProtect app
reassigns the RDP tunnel to the remote administrator. This security measure prevents
unauthorized access to VPN resources because policy enforcement for traffic through the
RDP tunnel is now enforced and logged based on the privileges of the RDP user.
Simplified GlobalProtect You can now use GlobalProtect to provide a secure, remote access or virtual private network
License Structure (VPN) solution via single or multiple external gateways, without any GlobalProtect licenses.
The portal license, which was required to enable this functionality, has been deprecated.
However, advanced features including Host Information Profile (HIP) checks and support
for the GlobalProtect mobile app for iOS and Android still require a gateway subscription.
To take advantage of the new license structure, you need to upgrade only the device running
the GlobalProtect portal to PAN-OS 7.0 or later.
Licensing Features
Self-Service License & The firewall and Panorama now provide the capability to unassign or deactivate the active
Subscription licenses on a firewall and assign the licenses to another firewall. To release the active licenses
Management attributed to a firewall, you now have two options:
Deactivate a feature license or subscription on a firewall: If you accidentally installed a
license/subscription on a firewall and need to reassign the license to another firewall, you
can deactivate an individual license and re-use the same authorization code on another
firewall without help from Technical Support. This capability is supported on the CLI of
both the hardware-based firewalls and the VM-Series firewalls.
Deactivate licenses on a VM-Series firewall: When you no longer need an instance of
the VM-Series firewall, you can free up all active licenses (subscription licenses,
VM-Capacity licenses, and support entitlements) using the web interface, CLI, or the
XML API on the firewall or Panorama. The licenses are credited back to your account
and you can use the same authorization codes on a different instance of the VM-Series
firewall.
Support for The VM-Series firewall in AWS now supports the usage-based pricing model, in addition to
Usage-Based Licensing the Bring Your Own License (BYOL) model. This capability makes it easier to consolidate
in Amazon Web Services the billing of AWS resources and the usage fees for the VM-Series firewall.
(AWS)
The usage-based model in the AWS Marketplace is available in hourly and annual pricing
bundles:
VM-Series capacity license with the Threat Prevention license for each model (VM-100,
VM-200, VM-300, or VM-1000-HV). It includes a premium support entitlement.
VM-Series capacity license with the complete suite of licenses, which includes Threat
Prevention, GlobalProtect, WildFire, and PAN-DB URL Filtering capabilities for each
model (VM-100, VM-200, VM-300, or VM-1000-HV). It includes a premium support
entitlement.
Usage-based subscriptions/licenses are handled automatically by AWS; these licenses
cannot be activated on the firewall or managed from Panorama.
Term-Based Capacity A term-based license is a license that allows you to use the VM-Series firewall for a specified
Licenses on the period of time. A term-based VM-Series capacity license will have an expiration date and the
VM-Series Firewall web interface will display renewal notifications before the license expires. If the capacity
license expires, although the firewall will continue to operate at the licensed capacity, you
cannot obtain software updates or content updates until you renew the capacity license.
File Blocking profile rules with the action set to forward or continue and forward are migrated to the new
WildFire Analysis profile in PAN-OS 7.0. To edit the migrated rules or to create new rules to forward files
and email links for WildFire Analysis, navigate to Objects > Security Profiles > WildFire Analysis. Additionally,
samples forwarded by the firewall for WildFire Analysis are no longer added as entries to the Data Filtering
logs (Monitor > Data Filtering). For details on this enhanced WildFire workflow, including new options to
verify that the firewall is forwarding samples for WildFire Analysis, refer to the WildFire Analysis profile
topic in the PAN-OS 7.0 New Features Guide.
The default actions for handling threats now are alert or reset-both (sides of the connection). In releases
prior to PAN-OS 7.0.0, the defaults were alert or block. On upgrade, the block action will be converted to
reset-both; and the drop-packets option is now renamed as drop.
On downgrade, all actions configured as drop or reset, will be converted to block.
Previously, to check for licensing changes to the managed firewalls, you had to manually click the Refresh
button on the Panorama > Device Deployment > Licenses tab. Now, Panorama performs a daily check-in with
the licensing server and retrieves license updates/renewals and pushes them to the managed firewalls. The
daily check-in takes place between 1:00 am and 2:00 am, according to the Time Zone configured for Panorama
(Panorama > Setup > Management).
There is a change in the way virtual system reporting and server profiles make queries using DNS Proxy.
Previously, the firewall would send virtual system report queries and virtual system server profile queries to
the DNS Proxy that was specified for the device, even if there was a DNS Proxy specified for the virtual
system. Now, the virtual system report and virtual system server profile send their queries to the DNS server
specified for the virtual system if there is one. If there is no DNS server specified for the virtual system, the
DNS server specified for the device is queried. (The DNS server used is defined in Device > Virtual Systems
> General > DNS Proxy.)
Previously, when a user logged in to a GlobalProtect gateway that was on the same firewall as the portal, the
portal generated a short-lived gateway user authentication cookie (expires in 60 seconds). The gateway would
use that cookie to authenticate the user without requiring the user to enter a second one-time password
(OTP). This feature is now deprecated. To enable the same user experience, whereby the user is only required
to enter an OTP once to connect to GlobalProtect, you must set the Authentication Modifier to Cookie
authentication for config refresh when configuring the portal authentication behavior.
The maximum number of tags that the firewall and Panorama support is now increased from 2,500 to
10,000. This limit is enforced across the firewall/Panorama and is not allocated by virtual system or device
group.
The GlobalProtect portal license is now deprecated. Now, you can use all GlobalProtect portal functionality
that was previously available without installing an additional license. However, advanced features including
Host Information Profile (HIP) checks and support for the GlobalProtect mobile app for iOS and Android
still require a gateway subscription. To take advantage of the new license structure, you need to upgrade only
the device running the GlobalProtect portal to PAN-OS 7.0 or later (the GlobalProtect gateway can run
PAN-OS 7.0 or earlier).
With the enhanced capability to validate your configuration before committing it on the firewall or on
Panorama, the commit validate command is no longer available. The ability to fully or partially validate your
configuration is now an operational mode command that allows you to validate full|partial. In the API,
the validate command is now of type=validate instead of type=commit. The change in the XML API syntax
is as follows:
Pre 7.0 Syntax: /api/?type=op&cmd=<commit><validate></validate></commit>
7.0 Syntax: /api/?type=op&cmd=<validate><full></full></validate>, and
/api/?type=op&cmd=<validate><partial></partial></validate>
Palo Alto Networks Software Minimum Supported Version with PAN-OS 7.0
Panorama 7.0.0
User-ID Agent 6.0.0
Terminal Server Agent 6.0.0
NetConnect Not supported with PAN-OS 7.0.0
GlobalProtect Agent 2.2.0
GlobalProtect Mobile Security Manager 6.1.0
Content Release Version 497
Known Issues
The following list describes known issues in the PAN-OS 7.0 release:
For recent updates to known issues for a given PAN-OS release, refer to
https://live.paloaltonetworks.com/t5/Articles/Critical-Issues-Addressed-in-PAN-OS-Releases/ta-p/52882.
Bug ID Description
83702 WildFire Analysis reports do not display as expected in the WildFire Analysis Report tab
(Monitor > Logs > WildFire Submissions > Detailed Log View) on PA-7000 Series firewall
running PAN-OS 7.0.2.
Workaround: Use the WildFire portal (https://wildfire.paloaltonetworks.com) or the
WildFire API to retrieve WildFire Analysis reports.
82299 There is a critical security vulnerability affecting PAN-OS 7.0.0. This issue specifically
affects devices running PAN-OS 7.0.0 that are configured to use LDAP authentication for
Captive Portal or for device management, including Panorama. This issue does not affect
devices configured to use RADIUS or local authentication instead of LDAP authentication,
nor does it affect any PAN-OS release other than PAN-OS 7.0.0. Due to the critical nature
of this vulnerability, we strongly advise all customers who have installed PAN-OS 7.0.0 to
upgrade as soon as possible to PAN-OS 7.0.1. Alternatively, you can revert to an older
version of PAN-OS, such as PAN-OS 6.1 or PAN-OS 6.0.
Status: This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.
81373 When the firewall is configured to communicate with a WildFire cloud (public or private)
through a proxy server, WildFire Analysis reports for samples analyzed in the WildFire
public cloud are not displayed in the WildFire Submissions log (Monitor > WildFire
Submissions).
Status: This issue is now resolved. See PAN-OS 7.0.2 Addressed Issues.
Workaround: Use the WildFire portal (https://wildfire.paloaltonetworks.com) or the
WildFire API to retrieve WildFire Analysis reports.
80903 A PA-7050 firewall running a PAN-OS 6.1 or earlier release and managed by Panorama
running PAN-OS 7.0.0 cannot accurately handle queries from Panorama. This results in the
inability to display data in the Application Command Center (ACC) widgets and prevents
log data from the PA-7050 firewall from being included in reports generated on Panorama.
Status: This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.
80871 WildFire Analysis reports are not displayed for WildFire Submissions log entries when the
firewall is configured to use a service route instead of the management interface to
communicate with the WildFire public cloud and/or the WildFire private cloud.
Status: This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.
Workaround: For firewalls running PAN-OS 7.0.0 or 7.0.1, you can retrieve WildFire
Analysis reports through the WildFire portal (wildfire.paloaltonetworks.com) or the
WildFire API. Additionally, for firewalls running PAN-OS 7.0.1, you can specifically
configure wildfire.paloaltonetworks.com as the WildFire public cloud to view
integrated reports from within the web interface:
Web interface: navigate to Device > Setup > WildFire > General Settings.
CLI: use the set deviceconfig setting wildfire public-cloud-server
wildfire.paloaltonetworks.com command in configuration mode.
80799 Files and email links sent using Simple Mail Transfer Protocol (SMTP) or Post Office
Protocol version 3 (POP3) are not forwarded to the WildFire public cloud for analysis
unless the firewall is also configured to forward files to a WildFire private cloud. For
firewalls connected to a WildFire Private Cloud, forwarding to both the WildFire public
cloud and WildFire private cloud works correctly (Device > Setup > WildFire).
Status: This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.
80750 When specifying the device group and template for the VM-Series NSX edition firewall, you
cannot select a template stack or a descendant device group defined in a device group
hierarchy on Panorama. You can assign the firewalls to a template and a parent device group
only.
80589 The VM-Series firewall on Citrix SDX does not support jumbo frames.
80561 Software forwarding of Layer 3 multicast traffic with Protocol Independent Multicast (PIM)
does not function correctly.
Status: This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.
80398 If you configure the firewall to use client certificates to authenticate administrators when
they access the web interface, and you enable Online Certificate Status Protocol (OCSP)
verification, then the authentication will fail and administrators can't log in.
Status: This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.
Workaround: Clear the Block session if certificate status is unknown and Block session
if certificate status cannot be retrieved within timeout check boxes in the certificate
profile that the firewall uses to authenticate administrators. Note that with these check
boxes cleared, an administrator certificate whose revocation status cannot be determined is
accepted; re-enable them after upgrading to a release in which this issue is addressed.
80387 IPv6-to-IPv6 Network Prefix Translation (NPTv6) is not supported when configured on a
shared gateway.
80373 The options to Clone objects or policies in a shared gateway location and to Move objects
or policies from a virtual system to a shared gateway location do not work correctly.
Status: This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.
80323 On reboot, the link states for firewall interfaces do not come up. This issue occurs when you
disable high availability (HA) on a firewall that was configured in HA and then reboot the
firewall.
Status: This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.
Workaround: Use the delete deviceconfig high-availability enabled CLI
command in configuration mode to delete the high availability configuration node.
80268 When switching to Common Criteria (CC) mode on a PA-7050 firewall running PAN-OS
7.0.0, the operation does not complete and shows the following error: Set CCEAL4 Mode
Sysd Error. This issue occurs because the CC mode operation attempts to change the
operational mode before the system process (sysd) is fully loaded. This operation sets the
firewall to the factory default configuration without CC configuration changes.
Status: This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.
Workaround: Change to CC mode while running a PAN-OS 6.1 release before upgrading to
PAN-OS 7.0.0.
80266 If you configure the PA-200, PA-500, or PA-2050 firewall to use a service route instead of
the management (MGT) interface to connect to an LDAP server, the connection won't
work and any firewall functions that rely on the connection will fail.
Status: This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.
Workaround: If you configured a service route before upgrading to PAN-OS 7.0.0,
reconfigure it as a destination service route or set the Source Interface and Source
Address fields of the service route (Device > Setup > Services > Global > Service Route
Configuration > IPv4 or IPv6) to Use default.
79470 Panorama does not display WildFire Analysis reports correctly in the WildFire Submissions
log.
Status: This issue is now resolved. See PAN-OS 7.0.2 Addressed Issues.
Workaround: In the Context drop-down, select the firewall that forwarded the log and
display the report in the firewall context.
79462 If you log in to Panorama as a Device Group and Template administrator and rename a
device group, the Panorama > Device Groups page no longer displays any device groups.
Workaround: After you rename a device group, perform a commit, log out, and log back in;
the page then displays the device groups with the updated values.
78803 In Panorama, template settings that are global to every virtual system (vsys) on a firewall (for
example, System log settings) can't reference configuration elements (for example, an Email
server profile) that you add to a specific vsys instead of to the Shared location. Only
template and device group settings that Panorama can push to a specific vsys (for example,
log forwarding profiles) can reference elements that you add to a specific vsys. To create an
element that both global and vsys-specific settings can reference, you must set the template
Mode to Multi VSYS enabled and, when adding the element, set its Location to Shared.
Status: This issue is now resolved. See PAN-OS 7.0.2 Addressed Issues.
78646 Firewalls incorrectly replace multibyte characters with a period character ( . ) when
forwarding logs or event information to SNMP traps, to a syslog server, through email, or
in scheduled log exports. This issue also occurs when exporting logs to CSV.
Status: This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.
77850 Web pages might not be displayed for end users. This is related to issues with the use of
HTTP Strict Transport Security (HSTS) protocol.
Workaround: Import the forward-proxy-certificate to end user browsers. If the
forward-proxy-certificate was issued by a certificate authority (CA), you must also import
the CA as a trusted certificate issuer.
77775 A validation error occurs when you try to move an object from its current device group to
a destination device group that is lower in the hierarchy even if the policy rules or objects
that reference the object are in the same destination or are in a device group that should
inherit the object.
Status: This issue is now resolved. See PAN-OS 7.0.2 Addressed Issues.
Workaround: Clone the object to the destination.
77299 When using a Firefox browser to access the firewall web interface, WildFire Analysis reports
do not show the Coverage Status for the sample, even when a signature was generated to
identify the sample (Monitor > Logs > WildFire Submissions > Detailed Log View >
WildFire Analysis Report).
Workaround: To view the correct Coverage Status for a sample, use Chrome or Internet
Explorer browsers to access WildFire Submissions logs on the firewall web interface.
76601 When you use a Mac OS Safari browser, client certificates will not work for Captive Portal
authentication.
Workaround: On a Mac OS system, use a different browser (for example, Mozilla Firefox
or Google Chrome).
75806 In a firewall with multiple virtual systems, if you add an authentication profile to a virtual
system and give the profile the same name as an authentication sequence in Shared,
reference errors might occur. The same errors are possible if the profile is in Shared and the
sequence with the same name is in a virtual system.
Workaround: When creating authentication profiles and sequences, always enter unique
names, regardless of their location. For existing authentication profiles and sequences with
similar names, rename the ones that are currently assigned to configurations (for example,
a GlobalProtect gateway) to ensure uniqueness.
74423 When fetching a Dynamic Block List, a firewall running PAN-OS 7.0.1 incorrectly uses the
URL Updates service route instead of the service route that is attached to the Palo Alto
Updates in the Service Route Configuration (Device > Setup > Services > Global).
Status: This issue is now resolved. See PAN-OS 7.0.2 Addressed Issues.
73997 On the ACC > Network Activity tab, if you add the label Unknown as a global filter, the filter
gets added as A1 and query results display A1 instead of Unknown.
73674 The link on a 1Gbps SFP port on a VM-Series firewall deployed on a Citrix SDX server
does not come up when successive failovers are triggered. This behavior is only observed in
a high availability (HA) active/active configuration.
Workaround: Use a 10Gbps SFP port instead of the 1Gbps SFP port on the VM-Series
firewall deployed on a Citrix SDX server.
73518 WildFire Analysis reports cannot be viewed on firewalls running PAN-OS 6.1 release
versions if connected to a WF-500 appliance in Common Criteria mode that is running a
PAN-OS 7.0 release.
71624 Vulnerability detection of SSLv3 fails when SSL decryption is enabled. This can occur when
a security policy rule configured to detect SSLv3 vulnerabilities and an SSL decryption
policy rule are configured on the same virtual system and same zone. After performing SSL
decryption, the firewall sees decrypted data and cannot see the SSL version number in the
SSL handshake hello packets. In this case, the SSLv3 vulnerability is not identified.
Workaround: SSL Decryption Enhancements are introduced in PAN-OS 7.0 that allow you
to prohibit the weaker SSL/TLS versions which are more vulnerable to attacks. For
example, you can use a decryption profile to enforce a minimum protocol version of TLS
1.2 or select Block sessions with unsupported versions to disallow unsupported protocol
versions (Objects > Decryption Profile > SSL Decryption > SSL Forward Proxy and/or SSL
Inbound Inspection).
70335 When a tunnel monitor is enabled for a large scale VPN (LSVPN) and the tunnel monitor
is in wait recover mode, access routes from the GlobalProtect gateway cannot be installed
on the GlobalProtect satellite.
Status: This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.
70222 If the password for the administrator's account on the NSX Manager contains special
characters, such as $, Panorama cannot communicate with the NSX Manager. The
inability to communicate prevents context-based information, such as Dynamic
Address Groups, from being available to Panorama.
Workaround: Remove special characters from the password on the NSX Manager.
69458 When a loopback interface is used as a GlobalProtect gateway, traffic for third-party IPSec
clients is not routed correctly.
Workaround: Use a physical interface instead of a loopback interface as the GlobalProtect
gateway for third-party IPSec clients. Alternatively, configure the loopback interface that is
used as the GlobalProtect gateway to be in the same zone as the physical ingress interface
for third-party IPSec traffic.
68330 When a WF-500 appliance is configured to generate content updates and a PAN-OS firewall
is retrieving incremental content updates from the appliance, the system log shows unknown
version for the update. For example, after an auto update, the system log shows: Wildfire
package upgraded from version <unknown version> to 38978-45470. This is a
cosmetic issue only and does not prevent content updates from installing.
68153 On a firewall with numerous interfaces, the scheduled and unscheduled (on demand)
reports might display discrepancies in the byte counts for traffic logs and the repeat counts
for threat and data filtering logs.
68095 If you access the Log Settings page in the web interface of a device running PAN-OS 7.0,
and then use the CLI to downgrade the device to PAN-OS 6.1 and reboot, an error message
appears the next time you access the Log Settings page. This occurs because PAN-OS 7.0
displays log settings in a single page whereas PAN-OS 6.1 displays the settings in multiple
sub-pages. To clear the message, navigate to another page and return to any Log Settings
subpage. The error will not recur in subsequent sessions.
67624 When using a web browser to view a WildFire Analysis report from a firewall that is using
a WF-500 appliance for file sample analysis, the report may not appear until the browser
downloads the WF-500 certificate. This issue occurs after upgrading a firewall and the
WF-500 appliance to a PAN-OS 6.1 or later release.
Workaround: Browse to the IP address or hostname of the WF-500 appliance, which will
temporarily download the certificate into the browser. For example, if the IP address of the
WF-500 is 10.3.4.99, open a browser and enter https://10.3.4.99. You can then access
the report from the firewall by selecting Monitor > WildFire Submissions, click the log
details icon and then click the WildFire Analysis Report tab.
66976 In the WildFire Submissions logs, the email recipient address is not correctly mapped to a
username when the mapping is done using group mapping profiles pushed in a Panorama
template.
66887 The VM-Series firewall on KVM, for all supported Linux distributions, does not support
the Broadcom network adapters for PCI pass-through functionality.
66879 The VM-Series firewall on KVM running on Ubuntu 12.04 LTS does not support PCI
pass-through functionality.
66745 On managed mobile devices running iOS 8, unenrolling the device does not always remove
the VPN profile and the Mobile Security Manager profile.
66233 The URL logging rate is reduced when HTTP header logging is enabled in the URL
Filtering profile (Objects > Security Profiles > URL Filtering > URL Filtering profile >
Settings).
66059 Regardless of the Time Frame you specify for a scheduled custom report on a Panorama
M-Series appliance, the earliest possible start date for the report data is effectively the date
when you configured the report. For example, if you configure the report on the 15th of the
month and set the Time Frame to Last 30 Days, the report that Panorama generates on the
16th will include only data from the 15th onward. This issue applies only to scheduled
reports; on-demand reports include all data within the specified Time Frame.
Workaround: To generate an on-demand report, click Run Now when you configure the
custom report.
65824 Unused NAT IP address pools are not cleared after a single commit, so a commit might
possibly fail if the cache of unused pools, existing used pools, and the new pools together
exceed the memory limit.
Workaround: Commit a second time, which clears the old pool allocation.
63962 Configurations pushed from Panorama 6.1 and later releases to firewalls running PAN-OS
6.0.3 or earlier releases will fail to commit due to an unexpected Rule Type error. This
issue is caused by the new Rule Type setting in security policy rules that was not included in
the upgrade transform and, therefore, the new rule types are not recognized on devices
running PAN-OS 6.0.3 or earlier releases.
Workaround: Only upgrade Panorama to version 6.1 or later releases if you are also planning
to upgrade all managed firewalls to a PAN-OS 6.0.4 or later release before pushing
configuration to the devices.
63186 If you perform a factory reset on a Panorama virtual appliance and configure the serial
number, logging does not work until you reboot Panorama or execute the debug software
restart management-server CLI command.
61720 For iOS devices, an access route for traffic to the GlobalProtect Mobile Security Manager
server is automatically added. This access route works correctly; however, it excludes Mobile
Security Manager traffic from the VPN tunnel established between the GlobalProtect agent
and the GlobalProtect gateway.
Workaround: If you want to ensure that Mobile Security Manager traffic is routed through
GlobalProtect, perform the following for iOS devices: Enter 0.0.0.0/0 as an access
route and then enter the IP address for the Mobile Security Manager server as an additional
access route (Network > GlobalProtect > Gateways > Client Configuration > Network
Settings > Access Route). The new access route for the Mobile Security Manager server
takes precedence over the automatically-added access route and ensures that traffic to the
Mobile Security Manager server is sent through the VPN tunnel.
59573 Live migration of the VM-Series firewall is not supported when you enable SSL decryption
using the forward proxy method. Use SSL inbound inspection if you need support for live
migration.
58260 If a high availability (HA) failover occurs on Panorama at the time that the NSX Manager is
deploying the NSX edition firewall, the licensing process fails with the error: vm-cfg:
failed to process registration from svm device. vm-state: active.
Workaround: Delete the unlicensed instance of the VM-Series firewall on each ESXi host
and then redeploy the Palo Alto Networks next-generation firewall service from the NSX
Manager.
49742 The following issues apply when deploying a firewall with these specific hardware security
modules (HSMs):
Thales nShield Connect: The firewall requires at least four minutes to detect that an
HSM has been disconnected. SSL functionality that depends on the HSM can be unavailable
during that four-minute delay.
SafeNet Luna SA: When connectivity to one or both HSMs is down in a high availability
(HA) configuration, the output of the show ha-status and show hsm info commands is
blocked for 20 seconds.
49322 After you configure Panorama for high availability and synchronize the configuration, the
Log Collector of the passive peer cannot connect to the active peer until you reboot the
passive peer.
82724 Fixed an issue where old registered IP addresses in a Dynamic Address Group on a
high availability (HA) active/passive pair were deleted from the passive firewall when
that firewall switched from non-functional to passive state and received an incremental
update of registered IP addresses from the active firewall. This fix also addressed a
related issue in an HA active/active configuration where the active-secondary firewall
retained old IP addresses in the Dynamic Address Group after switching to a
functional state when the active-secondary firewall switched to non-functional state
and all IP addresses in the Dynamic Address Group became unregistered on the
active-primary firewall.
82717 Fixed an issue where a dataplane stopped responding after a reboot due to an
initialization issue on SFP+ ports.
82675 Fixed an issue on an M-100 appliance where, after an upgrade to PAN-OS 7.0.1, an
authentication process (authd) stopped responding when the LDAP binding password
contained special characters.
82370 Fixed an intermittent issue where a dataplane process (mprelay) experienced a memory
leak that caused the virtual memory to increase until it triggered a dataplane restart.
82310 In response to a fragmentation issue, virus patterns are split into smaller chunks to
reduce the possibility of memory allocation failure.
82087 Fixed an issue where a firewall displayed an alert for low disk space. With this fix, the
/opt/content directory was removed to improve the disk cleanup process.
82009 Fixed an issue where a document file triggered an attempt to ping an IP address.
81981 Fixed an issue where the LLDP System Name field displayed the firewall model
number and could not be modified to differentiate from other similar firewalls. With
this fix, the firewall populates the LLDP System Name field using the configurable
hostname value.
81970 Fixed an issue where some Active Directory (AD) servers were incorrectly displaying
a Password expires in x days message even after selecting Password never
expires on the AD server. With this fix, the AD server ignores the maximum password
age (maxPwdAge) value when the Password never expires option is selected.
81955 Fixed an issue on a firewall where files were not sent to WildFire as expected when the
first 8 bytes of the file were split across different packets or decrypted buffers.
81941 Fixed an issue where a dataplane restarted when encountering resumed SSL sessions
using inbound SSL decryption.
81819 Fixed an issue where the System log reported that a firewall in a high availability (HA)
active/active configuration Received conflicting ARP for the floating IP address
of its HA peer. With this fix, duplicate IP address detection continues to log conflicts
for non-floating IP addresses, as well as duplicate addresses detected for a floating IP
address received from any other device that is not a member of the HA pair.
81816 Removed support for SSLv3 on Panorama for connections to managed devices.
81797 Fixed an issue where ASCII and special characters were not supported in the user
activity report username field.
81783 Fixed an issue where a firewall picked the wrong decryption cipher when configured
with multiple IPSec Crypto profiles for IKEv2 negotiation.
81676 Fixed an issue where a firewall allowed administrators to configure a subinterface
using invalid notation (such as ethernet1/1.1.1).
81577 Fixed an issue where custom URL categories associated with a Decryption policy did
not match traffic destined for a proxy server.
81572 Fixed an issue on a PA-7000 Series firewall that displayed incorrect timestamps in
Traffic, Threat, and URL logs.
81535 Fixed an issue where the group list was empty after pushing the group mapping
configuration from Panorama to a multi-vsys firewall during an attempt to configure
users in a Security policy rule even though the group mapping state was synchronized.
81510 Fixed an issue where Device Group and Template administrators were able to create
and modify Shared objects. With this fix, Device Group and Template administrators
are allowed to create and modify only objects specific to the Device Groups and
Templates to which they have access, not Shared objects.
81500 Fixed an issue where a VM-Series firewall in a VMware NSX configuration running on
an ESXi server restarted when a process (all_task) stopped responding.
81485 Fixed an issue on PA-200 and VM-Series firewalls where local objects were not
resolved in the Traffic log after selecting the Resolve hostname option (bottom of the
Monitor > Logs > Traffic tab).
81452 Fixed an issue where switching context from the Panorama web interface to a managed
firewall did not indicate whether the administrator was logged in over an encrypted
SSL connection; the System log message was always User admin logged in via
Panorama from x.x.x.x using http regardless of whether the connection was
encrypted. With this fix, the System log reports User admin logged in via
Panorama from x.x.x.x using http over an SSL connection when the
administrator is connected through an encrypted SSL connection, so that encrypted
sessions can be distinguished from non-encrypted ones.
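Because the fixed log message is the only signal that distinguishes an encrypted context switch from a cleartext one, a log pipeline can now alert on administrator sessions that are still unencrypted. The following is an added example (not Palo Alto Networks code) that parses both message shapes over constructed sample System log lines and returns the cleartext logins; the sample lines, user names and addresses are invented for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample System log messages in the two shapes described in the
# release note (pre-fix and post-fix); these are not real device logs.
SAMPLE_LOGS = [
    "User admin logged in via Panorama from 10.0.0.5 using http",
    "User admin logged in via Panorama from 10.0.0.5 using http over an SSL connection",
    "User auditor logged in via Panorama from 192.0.2.10 using http",
    "User admin logged in from 10.0.0.7 using https",
    "Unrelated system log line that must be ignored",
]

# "via Panorama" is optional so direct web-interface logins match as well.
LOGIN_RE = re.compile(
    r"^User (?P<user>\S+) logged in(?: via (?P<via>\S+))? from (?P<src>\S+) "
    r"using (?P<proto>https?)(?P<ssl> over an SSL connection)?$"
)


@dataclass(frozen=True)
class Login:
    user: str
    via: Optional[str]
    src: str
    encrypted: bool


def parse_login(line: str) -> Optional[Login]:
    """Parse one System log message; return None for lines that are not logins."""
    m = LOGIN_RE.match(line.strip())
    if not m:
        return None
    # A session is encrypted if it is plain https, or http carried over the
    # SSL channel that the fixed message now reports explicitly.
    encrypted = m.group("proto") == "https" or m.group("ssl") is not None
    return Login(m.group("user"), m.group("via"), m.group("src"), encrypted)


def cleartext_logins(lines: List[str]) -> List[Login]:
    """Return every administrator login that was not protected by SSL."""
    parsed = (parse_login(line) for line in lines)
    return [login for login in parsed if login is not None and not login.encrypted]


if __name__ == "__main__":
    for login in cleartext_logins(SAMPLE_LOGS):
        print(f"ALERT cleartext admin session: {login.user} from {login.src} via {login.via}")
```

Pre-fix devices emit only the first message shape, so on a mixed fleet a match on the first shape is ambiguous until every device runs 7.0.2 or later.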
81389 Fixed an issue where the output of the show admins all command displayed all
administrator accounts on the firewall, including root accounts. With this fix, show
admins all command output displays only local and non-local administrator
accounts.
81373 Fixed an issue where WildFire Analysis reports for samples analyzed in a WildFire
cloud (public or private) were not displayed in the WildFire Submissions log (Monitor
> WildFire Submissions) when the firewall was configured to communicate with the
WildFire cloud through a proxy server.
81312 Fixed an issue where firewall Device administrators were unable to run and view
output on a firewall for the show panorama-status CLI command. With this fix,
Device administrator, Device administrator (read-only), Superuser, and
Superuser (read-only) users (Device > Administrators > <administrator>) can run
and view output for the show panorama-status command from the firewall.
81271 Fixed an issue where the second attempt to access some websites over HTTPS failed
when SSL Forward Proxy was enabled.
81264 Fixed an issue where Threat logs were generated for Threat Name - IP fragment
overlap, ID - 8705 after upgrading to a PAN-OS 7.0 release.
81219 Fixed an issue with stability when adding Log Collectors to a Collector Group.
81115 Fixed an issue where administrators experienced long delays when executing log
queries consisting of multiple attributes.
81110 Fixed a session reuse issue where an incoming SYN/ACK packet for an established
session caused a failure in TCP reassembly, which resulted in a dropped packet even
when the Reject Non-SYN TCP option was disabled (Network > Network Profiles > Zone
Protection > <Zone Protection profile> > Packet Based Attack Protection > TCP Drop).
With this fix, initiating session reuse with a SYN/ACK packet is successful regardless
of the Reject Non-SYN TCP setting.
80993 Fixed an issue in PAN-OS 7.0 (as well as in Panorama 5.1 and later releases) where
XML API POST requests failed when including a QUERY_STRING but no
content-length header. With this fix (in both PAN-OS and Panorama 7.0.2 releases),
POST requests with a QUERY_STRING and a missing content-length header are
successful.
80960 Fixed an issue where attempting to Test SCP server connection (Device > Scheduled
Log Export) created an unnecessary Config lock that prevented any additional changes
to the running configuration.
80933 Fixed a rare issue where a PA-7000 Series firewall experienced heartbeat failures on the
HA1 and HA1 backup links that caused split brain in a high availability (HA)
configuration.
80924 Fixed an issue where a GlobalProtect Large Scale VPN (LSVPN) satellite
configuration caused the satellite firewall to Proxy ARP for the defined access route
subnets on all logical and physical interfaces.
80896 Fixed an issue where some actions that utilize the /opt/pancfg/ partition, such as
dynamic updates and commits, were failing when that partition ran out of space due to
a large number of HIP reports received from User-ID XML API. With this fix, HIP
reports are no longer saved in the /opt/pancfg/ partition of the firewall.
80840 Fixed an issue where the URL filter did not correctly parse the common name (CN)
value when a MAC address was specified as the CN value in the server certificate.
80767 In response to a very rare issue where the configured NAT pool or method was not
utilized as expected, an enhancement was made to Tech Support file generation that
includes additional data to help troubleshoot the issue.
80720 Fixed an issue where a firewall experienced a dataplane restart when the packet
processing daemon terminated due to a double free condition associated with a specific
packet buffer (fptcp).
80687 Fixed an issue on PA-7000 Series, PA-5000 Series, and PA-3000 Series firewalls where
software packet buffers were depleted (although eventually recovered) when receiving
TCP packets with large payloads. With this fix, modifications to processes for
allocating software buffers and handling TCP congestion ensure that software packet
buffers do not get depleted due to packets with large payloads.
80669 Fixed an issue on firewalls in CCEAL mode where the management server would
restart when the firewall attempted to send an SNMPv3 trap.
80624 Fixed an issue where administrators experienced delays accessing the firewall web
interface when the firewall reconnected to Panorama and had a large number of logs
to send.
80592 Fixed an issue where firewalls in a high availability (HA) active/passive configuration
did not sync the Dynamic Address Group when one of the firewalls stopped
functioning and then changed to a functional state.
80567 Addressed race conditions affecting block IP table operations that inadvertently
caused some packets to be marked as drop ip block without any corresponding entry
in the Block IP Table.
80532 Fixed an issue where files were not being forwarded as expected to the Wildfire cloud
due to a terminated process (varrcvr). This issue occurred when the Subject field in
forwarded emails contained non-ASCII characters.
80469 In response to a rare and intermittent issue where some packets were dropped in a high
availability (HA) configuration, additional debugging log messages are added to help
identify root causes for dropped packets.
80404 Fixed an issue where PA-2000 Series firewalls experienced connectivity issues when
auto-negotiating duplex and speed settings on the management interface connection
to a third-party device. With this fix, a new driver is added to ensure that the
management interface remains accessible and to provide a more reliable transition
when speeds are changed (such as from 1000 Mbps full duplex, 1000/Full, to 100/Full)
when there is little or no traffic flowing through the firewall. Use the
following best practice recommendations to ensure successful transitions:
- When possible, set both the PA-2000 Series firewall and the third-party device to
auto-negotiate mode, where each side selects the highest possible common
maximum speed and duplex setting.
- If you must manually configure the speed and duplex setting for either the firewall
(Device > Setup > Management > Management Interface Settings) or the
third-party device, you should manually configure the same speed and duplex
settings on both sides so that they are in sync. If you do not manually configure the
settings to be the same at both ends of the connection, traffic flow will be impacted
because the PA-2000 Series firewall cannot determine the correct duplex mode and
will default to half-duplex mode, which can cause a duplex mismatch.
- Do not set the port on the third-party device to 1000 Mbps master mode, as
this will completely stop traffic and the ports will not recover (both ports try
to control the link and neither is successful).
- Do not attempt to change the speed or duplex setting while traffic is flowing
through the connection: pause traffic, configure the two peer ports
appropriately, make sure the ports are set to the same speed and duplex
values, and then resume traffic flow.
80386 Fixed an issue where a configuration override failed when pushing system log settings
to firewalls from Panorama resulting in the following error: edit failed, may need
to override template object informational first.
80318 Fixed an intermittent issue on a PA-7000 Series firewall where some packets were
dropped during the initial session setup process. This issue occurred when two packets
in the same session were sent almost simultaneously, causing the second of the two
packets to get dropped.
80251 Fixed an issue on a firewall with X-Forward-For (XFF) enabled where a dataplane
restarted with multiple core files (all_pktproc, flow_ctrl, and flow_mgmt) when the
firewall received percent-encoded HTTP requests from a proxy server.
80187 Fixed an issue where the test authentication authentication-profile
command produced output that used the management interface as the source regardless
of whether you had configured a service route to provide a different source.
80063 Fixed an issue on an M-100 appliance where the configuration daemon (configd)
stopped responding when processing a null value.
79960 Fixed an issue where the firewall sent an extra carriage return line feed (CRLF) in
HTTP/1.1 POST packets when requesting an update from the BrightCloud URL
database. This issue occurred when using a proxy server, which correctly rejects the
packets and returns HTTP/1.1 400 Bad Request messages due to the extra CRLF (per
RFC 7230).
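Issues 80993 (XML API POST requests with a QUERY_STRING but no Content-Length header) and 79960 (an extra CRLF in HTTP/1.1 POST requests rejected by a proxy with 400 Bad Request) are both request-framing defects under RFC 7230. The block below is an added example, not Palo Alto Networks code, that builds a correctly framed POST and then checks raw requests for exactly those two defects so a proxy or API client can be validated offline. The host name, API path and parameters are invented for illustration; the checker flags a POST whose body is not delimited by Content-Length or chunked Transfer-Encoding, and any bytes (such as a stray CRLF) left over after the declared body.

```python
from typing import Dict, List
from urllib.parse import urlencode


def build_post(host: str, path: str, query: Dict[str, str], body: bytes) -> bytes:
    """Build a well-framed HTTP/1.1 POST: query string on the request line,
    Content-Length always present, and exactly one CRLF CRLF before the body."""
    target = path + ("?" + urlencode(query) if query else "")
    head = [
        f"POST {target} HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
        "Connection: close",
    ]
    return ("\r\n".join(head) + "\r\n\r\n").encode("ascii") + body


def check_framing(raw: bytes) -> List[str]:
    """Return the RFC 7230 framing problems found in one raw request (empty if clean)."""
    problems: List[str] = []
    if raw.startswith(b"\r\n"):
        problems.append("stray CRLF before the request line")
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        problems.append("header section is not terminated by CRLF CRLF")
        return problems
    header_lines = head.lstrip(b"\r\n").split(b"\r\n")
    parts = header_lines[0].split(b" ")
    if len(parts) != 3 or parts[2] != b"HTTP/1.1":
        problems.append("malformed request line")
        return problems
    headers: Dict[bytes, bytes] = {}
    for line in header_lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    method = parts[0]
    chunked = headers.get(b"transfer-encoding", b"").lower() == b"chunked"
    if b"content-length" in headers:
        try:
            declared = int(headers[b"content-length"])
        except ValueError:
            return problems + ["Content-Length is not an integer"]
        if len(body) < declared:
            problems.append("body shorter than Content-Length")
        elif len(body) > declared:
            extra = body[declared:]
            what = "stray CRLF" if extra == b"\r\n" else repr(extra)
            problems.append(f"extra bytes after the declared body: {what}")
    elif not chunked and body:
        # RFC 7230 section 3.3.3: with neither header the body length is zero,
        # so the bytes that follow the headers are not part of this request.
        problems.append(f"{method.decode()} body with no Content-Length or chunked Transfer-Encoding")
    return problems


if __name__ == "__main__":
    # Constructed request against an invented host; credentials stay in the
    # body rather than the query string, which proxies and servers log.
    good = build_post("firewall.example", "/api/", {"type": "keygen"}, b"user=admin&password=secret")
    print(check_framing(good))            # []
    print(check_framing(good + b"\r\n"))  # the extra CRLF from issue 79960
```

Keep credentials such as the keygen password in the request body; the query string that issue 80993 concerns is recorded in proxy and server logs.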
79929 Fixed an issue where a process (mprelay) stopped responding and did not receive a
refresh of the configuration when it restarted.
79925 Fixed an issue where virtual wire (vwire) path monitoring failed and the firewall
stopped sending ICMP packets over the vwire interface after a high availability (HA)
failover.
79719 Fixed a rare issue where a dataplane restarted when multiple processes (flow_ctrl and
mprelay) stopped responding due to a software buffer leak.
79709 Fixed an intermittent issue where ZIP processing caused the dataplane to stop
responding when software ZIP processing was enabled.
79535 Fixed an issue in a high availability (HA) configuration where the monitored
destination IP address for Path Monitoring displayed as up even when unavailable,
preventing the firewall from displaying as tentative as expected. With this fix, the
monitored destination IP address correctly shows as down when unavailable, which
results in the firewall correctly changing status to tentative.
79504 Fixed an issue where a passive M-100 appliance in a high availability (HA)
configuration lost its Device Group and Template configuration.
79470 Fixed an issue where Panorama did not display WildFire Analysis reports correctly in
the WildFire Submissions log for WF-500 appliances running PAN-OS 6.1 or earlier
releases.
You can fetch these reports using a secure channel only for WF-500 appliances
running PAN-OS 7.0.2 or later releases; a secure channel is not used when
fetching reports from a WF-500 appliance running PAN-OS 7.0.1 or earlier
releases.
79382 Fixed an issue where IP address registration through the XML API failed to populate
the Dynamic Address Group following an AddrObjRefresh job failure during a
template commit from Panorama when the Force Template Values option was
checked, resulting in an Error: Failed to parse security policy.
79347 Fixed an issue where a firewall stopped responding and triggered a dataplane restart
when receiving incomplete and insufficient parameters in API calls. With this fix,
checks are in place to prevent the dataplane restart when receiving API requests with
invalid or insufficient parameters.
79279 Fixed an issue that caused an error to be displayed (ntp-servers unexpected here.
Discarding.) after a Panorama upgrade when pushing templates with a Device
Group configuration.
79046 Fixed an issue on an M-Series appliance running Panorama and running in Log
Collector mode where log forwarding to an external syslog server stopped working
after a Panorama commit when forwarding logs through TCP port 514 (default)
instead of UDP port 514 (Device > Server Profiles > Syslog). With this fix, the
administrator no longer needs to perform a Collector Group commit to resume log
forwarding after a Panorama commit when the syslog server is configured to use TCP.
78891 Fixed an issue where the use of region-based objects in the Security policy caused
consistently high dataplane CPU utilization.
78803 Fixed an issue in Panorama where template settings that were global to every virtual
system (vsys) on a firewall (for example, System log settings) were unable to reference
configuration elements (for example, an Email server profile) when that element was
added to a specific vsys instead of to the Shared location. With this fix, Panorama can
push template and device group settings, even those that are not or cannot be pushed
to a specific vsys, regardless of whether those settings refer to Shared elements or
elements that are specific to a vsys.
78571 Fixed an intermittent issue where a firewall received a Virtual Systems license that
allowed for a higher number of virtual systems than the maximum amount supported
for the platform. With this fix, the licensed virtual systems activated on a firewall
cannot be higher than the maximum amount of virtual systems supported on the
firewall.
78568 Fixed an issue where PA-3000, PA-5000, and PA-7000 Series firewalls experienced a
memory leak associated with improper purging of old, replaced entries in the
ARP/ND table when the table reached capacity.
78511 Fixed an issue where the DHCP relay agent incorrectly set the gateway IP address
(giaddr) value to zero (instead of the IP address of the ingress interface as defined in
RFC 1542) when responding to DHCP requests.
78084 The output for the command show log collector serial number displayed
different log data when executed on a primary-active Panorama than the output that
was displayed when the command was executed from the secondary-passive
Panorama. This issue is fixed so that the output for the command show log
collector serial number correctly displays the latest log data for managed Log
Collectors.
78064 Fixed an intermittent issue where authentication failed in a two-phase authentication
process when the login response contained customer data.
77816 Fixed an intermittent issue where some Windows 7 GlobalProtect clients using
two-factor authentication (LDAP and certificate) lost connection to the portal or
gateway and could not reconnect due to a failed authentication with the error
Required client certificate is not found even when the certificate was
available.
77775 Fixed an issue where a validation error occurred when an administrator attempted to
move an object from its current device group to a destination device group that was
lower in the hierarchy even when the policy rules or objects that reference the object
being moved were in the same destination or in a device group that should inherit the
object.
77103 Fixed an issue where a System log message (Failed to upgrade WildFire package
to version <unknown version>) displayed on the firewall even when no WildFire
license existed on the firewall.
76875 Fixed an issue where the dataplane rebooted when a process (brdagent) was terminated
by the firewall in response to an out of memory condition. With the fix, dataplane
reboots are no longer triggered by these out-of-memory events because the firewall no
longer considers the brdagent process for termination when attempting to address an
out-of-memory event.
76781 Fixed an issue where a firewall incorrectly calculated packet length and TCP sequence
due to a one-byte zero-window-probe packet when that packet was sent from one vsys
to another.
76631 Fixed an issue on PA-7000 Series firewalls where the Log Processing Card (LPC) failed
to resolve the FQDN of the syslog server. With this fix, the firewall will re-initiate the
DNS lookup request until the lookup succeeds.
76561 Fixed an issue where the DHCP relay agent dropped DHCPDISCOVER packets that
the agent could not process due to multiple BOOTP flags. With this fix, the DHCP
relay agent recognizes the first BOOTP flag in a DHCPDISCOVER packet and
ignores any additional BOOTP flags that may exist (per RFC 1542) so that multiple
BOOTP flags do not cause DHCPDISCOVER packets to be dropped.
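Issues 78511 and 76561 are both about the relay-agent rules in RFC 1542: a relay must fill giaddr with the address of the ingress interface only when the client left it zero (and must not touch a nonzero giaddr), and it must act only on the broadcast bit of the flags field, ignoring the reserved bits rather than dropping the packet. The block below is an added example, not Palo Alto Networks code, that parses the fixed BOOTP header, builds a constructed DHCPDISCOVER, and applies those relay rules; the hop limit of 4, the sample MAC and the interface addresses are assumptions for illustration.

```python
import ipaddress
import struct
from typing import Dict, Optional, Tuple

# Fixed-length BOOTP header (RFC 951 / RFC 1542), 236 bytes before the options.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)
BOOTREQUEST, BOOTREPLY = 1, 2
BROADCAST_FLAG = 0x8000          # only defined bit of 'flags'; the rest are reserved
MAGIC_COOKIE = b"\x63\x82\x53\x63"
ZERO_IP = ipaddress.IPv4Address("0.0.0.0")


def parse_bootp(pkt: bytes) -> Dict[str, object]:
    """Decode the fixed BOOTP header into named fields."""
    if len(pkt) < BOOTP_LEN:
        raise ValueError("packet shorter than the BOOTP header")
    (op, htype, hlen, hops, xid, secs, flags,
     ci, yi, si, gi, chaddr, _sname, _file) = struct.unpack(BOOTP_FMT, pkt[:BOOTP_LEN])
    return {
        "op": op, "htype": htype, "hlen": hlen, "hops": hops, "xid": xid,
        "secs": secs, "flags": flags,
        "ciaddr": ipaddress.IPv4Address(ci), "yiaddr": ipaddress.IPv4Address(yi),
        "siaddr": ipaddress.IPv4Address(si), "giaddr": ipaddress.IPv4Address(gi),
        "chaddr": chaddr[:hlen],
    }


def build_discover(xid: int, mac: bytes, flags: int = BROADCAST_FLAG,
                   giaddr: str = "0.0.0.0") -> bytes:
    """Constructed DHCPDISCOVER (option 53 = 1) for testing; not a captured packet."""
    header = struct.pack(
        BOOTP_FMT, BOOTREQUEST, 1, 6, 0, xid, 0, flags,
        ZERO_IP.packed, ZERO_IP.packed, ZERO_IP.packed,
        ipaddress.IPv4Address(giaddr).packed,
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    return header + MAGIC_COOKIE + bytes([53, 1, 1, 255])


def relay_to_server(pkt: bytes, ingress_ip: str, max_hops: int = 4
                    ) -> Optional[Tuple[bytes, bool]]:
    """Apply the RFC 1542 section 4.1.1 client-to-server relay rules.

    Returns the packet to forward plus whether the client asked for a broadcast
    reply, or None when the request must be discarded."""
    f = parse_bootp(pkt)
    if f["op"] != BOOTREQUEST:
        return None                                   # relays only forward requests here
    if f["hops"] >= max_hops:                         # hop limit (assumed default 4)
        return None
    # Reserved flag bits are ignored, never a reason to drop the request.
    wants_broadcast = bool(f["flags"] & BROADCAST_FLAG)
    # giaddr: set to the ingress interface only if the client left it zero.
    if f["giaddr"] == ZERO_IP:
        giaddr = ipaddress.IPv4Address(ingress_ip)
    else:
        giaddr = f["giaddr"]                          # MUST NOT be modified
    out = bytearray(pkt)
    out[3] = f["hops"] + 1                            # hops is byte 3
    out[24:28] = giaddr.packed                        # giaddr occupies bytes 24..27
    return bytes(out), wants_broadcast


if __name__ == "__main__":
    pkt = build_discover(0x1234, bytes.fromhex("aabbccddeeff"), flags=0x8001)
    forwarded, broadcast = relay_to_server(pkt, "10.1.1.1")
    print(parse_bootp(forwarded)["giaddr"], broadcast)   # 10.1.1.1 True
```

The reserved bits in 0x8001 are what issue 76561 describes as "multiple BOOTP flags"; the relay above forwards the request anyway, and a server replying through it uses the nonzero giaddr to reach the client's subnet, which is why a giaddr of zero (issue 78511) breaks relayed replies.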
76238 A security update was made to address CVE-2015-1873.
75803 Addressed an issue regarding how often password API keys are regenerated.
75344 Fixed an issue where a memory process restarted and caused an invalid memory
reference; the invalid memory reference resulted in a management plane restart.
74423 Fixed an issue where a firewall running PAN-OS 7.0.1 incorrectly used the URL
Updates service route when fetching a Dynamic Block List instead of the service
route assigned to Palo Alto Updates in the Service Route Configuration (Device >
Setup > Services > Global).
73443 Fixed an intermittent issue that resulted in corrupted forwarding entries on the offload
processor.
71331 Fixed an issue on a PA-500 firewall where the firewall assigned a DHCP address for
the management (MGT) interface even after the administrator configured a static IP
address for that port. With this fix, DHCP initiation for the MGT interface is disabled.
70887 Fixed an issue where clicking the More link to view the registered IP address under
Object > Address Groups resulted in an error if the name of a Dynamic Address
Group included a space. With this fix, spaces in Dynamic Address Group names no
longer cause an error when displaying the IP address.
70302 Fixed an issue where the autocommit process failed after upgrading a PA-7050 or
PA-5000 Series firewall to a PAN-OS 6.1 or PAN-OS 7.0 release.
69132 Fixed an issue where occasional dataplane restarts occurred due to a kernel memory
allocation failure.
64602 In response to an issue where a firewall generated core files for a process (pktproc) when
a dataplane stopped responding, an additional check and associated error output is
added to help troubleshoot an issue where an FPGA running the Aho-Corasick
algorithm returns a session index mapped to a NULL pointer.
64531 Fixed an issue where a high availability (HA) failover occurred due to insufficient
kernel memory on a PA-5000 Series firewall that was attempting to handle unusually
heavy network and system traffic. With this fix, PA-5000 Series firewalls include some
cache-flushing events and increased kernel memory to ensure sufficient kernel
memory remains available for ping requests and keep-alive messages even when under
an unusually heavy load.
64266 Fixed a rare issue where certain processes (l3svc and sslvpn) stopped responding when a
Content update and FQDN refresh occurred simultaneously.
82299 Fixed a critical security vulnerability for firewalls and Panorama running PAN-OS 7.0.0
that were configured to use LDAP authentication for Captive Portal or for device
management. (This issue does not affect devices configured to use RADIUS or local
authentication.)
81374 Fixed an issue on a PA-200 firewall where the MAC address configured for the
management interface was inadvertently changed after an upgrade to PAN-OS 7.0.0.
With this fix, the management interface MAC address configured before an upgrade
remains the same after the upgrade.
81174 Fixed an issue where an autocommit failed after an upgrade to PAN-OS 7.0.0 due to a
failed IKE Crypto profile verification when two IKE gateways were configured using
a dynamic peer in main mode on the same local interface.
81167 Fixed an issue where the Apps-only (no Threats) version of Content Updates failed to
install on a device registered with standard support.
81158 Fixed an issue where an IPSec tunnel failed to negotiate a new session and dropped
packets during an SA re-key in IKEv2 mode.
81024 Fixed an issue where Panorama 7.0.0 failed to properly push Device Group and
Service Group objects to devices running PAN-OS 6.1 or earlier releases. With this fix,
Panorama pushes Device Group and Service Group objects as expected to devices
running any supported PAN-OS release.
80903 Fixed an issue where PA-7050 firewalls running PAN-OS 6.1 or earlier releases did not
accurately handle queries from Panorama running PAN-OS 7.0.0, which resulted in the
inability to display data in the Application Command Center (ACC) widgets and
prevented log data from the PA-7050 firewall from being included in reports generated
on Panorama. With this fix, Panorama queries to PA-7050 firewalls are disabled by
default so that ACC widgets display correctly for all other devices you manage through
Panorama.
80871 Fixed an issue where WildFire analysis reports were not displayed in Detailed Log
View (Monitor > WildFire Submissions > Detailed Log View > WildFire Analysis
Report) for WildFire Submissions log entries when the firewall was configured to use
a service route instead of the management interface to communicate either with a
WildFire private cloud or with the WildFire public cloud. However, for firewalls
running PAN-OS 7.0.1, to view the integrated reports from within the web interface
on the firewall, you must first configure wildfire.paloaltonetworks.com as the
WildFire public cloud; either in the web interface (Device > Setup > WildFire >
General Settings) or using the set deviceconfig setting wildfire
public-cloud-server wildfire.paloaltonetworks.com CLI command.
80849 Fixed an issue where IPv4 and IPv6 traffic forwarding failed when sent through an
LACP Aggregated Ethernet (AE) interface due to an incorrect system MAC address.
80799 Fixed an issue where files and email links sent using Simple Mail Transfer Protocol
(SMTP) or Post Office Protocol version 3 (POP3) were not forwarded to the WildFire
public cloud for analysis unless the firewall was also configured to forward files to a
WildFire private cloud. With this fix, firewalls connected only to the WildFire public
cloud appropriately forward to the WildFire public cloud all files and email links that
are sent using SMTP or POP3.
80607 Fixed an issue where a firewall rebooted when an unusually large number of
fragmented packets passed through the firewall when the NAT64 IPv6 Minimum
Network MTU setting was configured to a value other than 1500 (Device > Setup >
Session > Session Settings), which triggered a memory leak. With this fix, fragmented
packets no longer cause a memory leak. Additionally, a new counter was added to monitor
whether resources are available for fragmenting packets when needed.
80561 Fixed an issue where software forwarding of Layer 3 multicast traffic with Protocol
Independent Multicast (PIM) did not function properly.
80408 Fixed an issue where, in some environments, new content updates could no longer be
accommodated by the memory on the firewall that is allotted for these files due to a
continually increasing number of applications in the updates. With this fix, allocated
memory for content updates is increased so that continued growth of content updates
will not prevent successful download and installation of those updates.
80398 Fixed an issue where administrators were unable to log in through the web interface
when the firewall was configured to authenticate administrators using client certificates
and was configured with Online Certificate Status Protocol (OCSP) verification
enabled.
80373 Fixed an issue where attempts to Clone objects or policies in a shared gateway location
or Move objects or policies from a virtual system to a shared gateway location did not
work correctly.
80323 Fixed an issue where the link states for firewall interfaces did not come up when
rebooting the firewall after disabling high availability (HA).
80286 Fixed an issue where a commit failed after an upgrade to PAN-OS 7.0.0 when Defaults
for an application was set to ICMP Type (Objects > Applications > application >
Advanced). With this fix, commits do not fail after an upgrade to PAN-OS 7.0.1 or
later releases regardless of this Defaults setting.
80268 Fixed an issue on a PA-7050 firewall running PAN-OS 7.0.0 where attempts to switch
to Common Criteria (CC) mode failed with the following error: Set CCEAL4 Mode
Sysd Error. This issue occurred because the CC mode operation attempted to
change the operational mode before the system process (sysd) was fully loaded. This
operation resulted in setting the firewall to the factory default configuration without
CC configuration changes.
80266 Fixed an issue where PA-200, PA-500, and PA-2050 firewalls running PAN-OS 7.0.0
and configured to use a service route instead of the management (MGT) interface to
connect to an LDAP server were unable to establish a connection, which caused all
firewall functions that relied on that connection to fail. With this fix, firewalls
successfully connect through a configured service route to an LDAP server.
79854 Fixed an issue where Panorama was unable to display System and Config logs for
PA-7000 Series firewalls.
79844 Fixed an issue where logs sent to a log collector group were not properly saved and
could not be displayed when that log collector group contained a space in the name.
With this fix, logs are saved and displayed correctly even when there is a space in the
log collector group name.
79522 Fixed an intermittent issue where a firewall with hardware offload enabled included an
incorrect IP checksum value in outgoing NAT packets, which caused some packets to
be dropped.
79511 Fixed an issue on Panorama where disabling the Share Unused Address and Service
Objects with Devices option (Panorama > Setup > Management > Panorama
Settings) when no Shared objects were configured caused a process to restart during
a commit.
79478 Fixed an issue where the firewall connected directly to a directory server instead of the
User-ID agent configured as an LDAP proxy. With this fix, the firewall correctly uses
the User-ID agent when the agent is configured for use as an LDAP proxy.
79463 Fixed an issue where CPU memory on a PA-7050 firewall spiked when attempting to
view reports in the Application Command Center (ACC). This issue occurred when
task creation notifications were not processed properly and, as a result, the Log
Collector did not terminate failed requests as expected. With this fix, task creation
notifications are processed appropriately and failed tasks are properly terminated.
79443 Fixed an issue in the web interface where, in some cases, the PHP session cookie
(PHPSESSID) was not marked as secure.
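The fix above concerns a session cookie issued without the Secure attribute. As an added example (this is not code from the release notes or from PAN-OS), the following check parses raw Set-Cookie header values and reports session cookies that lack the Secure, HttpOnly or SameSite attributes; it is the kind of assertion to keep in a post-upgrade test against the management web interface. The two sample headers are constructed: the first is the weak form, the second the expected form.

```python
"""Audit Set-Cookie headers for missing session-cookie protections.

Added example, not Palo Alto Networks code. Input is a list of raw Set-Cookie
header values as captured from an HTTPS response; the samples are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie value (RFC 6265 shape) and list missing protections."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    secure = httponly = False
    samesite = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()          # attribute names are case-insensitive
        if key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        elif key == "samesite":
            samesite = value.strip() or None
    report = CookieReport(name, secure, httponly, samesite)
    if not secure:
        report.findings.append("missing Secure: cookie can be sent over cleartext HTTP")
    if not httponly:
        report.findings.append("missing HttpOnly: cookie readable by script (XSS theft)")
    if samesite is None:
        report.findings.append("missing SameSite: no browser-side CSRF mitigation")
    return report


def audit_headers(headers: List[str], session_names=("PHPSESSID",)) -> List[Tuple[str, List[str]]]:
    """Return (cookie name, findings) for every session cookie that has findings."""
    out = []
    for h in headers:
        r = parse_set_cookie(h)
        if r.name in session_names and r.findings:
            out.append((r.name, r.findings))
    return out


# Constructed samples: weak form first, hardened form second.
SAMPLE_HEADERS = [
    "PHPSESSID=8f3c0a1b; path=/",
    "PHPSESSID=8f3c0a1b; path=/; Secure; HttpOnly; SameSite=Strict",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h, "->", parse_set_cookie(h).findings or "ok")
```

Run it against the headers returned by the management interface after the upgrade; an empty audit result for the session cookie is the pass condition.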
79367 Fixed an issue in PAN-OS where GlobalProtect clients experienced delays and
intermittently failed to retrieve the gateway configuration for connecting to a
GlobalProtect gateway when the firewall was in a high availability (HA) configuration
and under a heavy load. This issue occurred due to an issue with the synchronization
of HIP reports between gateways on HA peers when there was a high number of
near-simultaneous GlobalProtect connection requests. With this fix, the sync process
is modified so that GlobalProtect clients are able to download the configuration and
connect to the network as expected even when multiple clients are attempting to
connect at the same time.
79335 Fixed an issue where attempting to filter System logs using the log filter Type equal
globalprotect did not work. A space was automatically added to the log filter,
causing an error to be displayed.
79291 Fixed an issue where the Bytes column results displayed when clicking Run Now for a
custom report (Monitor > Manage Custom Reports) did not match the results
displayed in that same report when emailed or exported out in PDF format.
79278 Fixed an issue where the active device in a high availability (HA) configuration failed
to generate tech support files due to a buffer limitation that could not accommodate
the output from some commands. With this fix, the commands that prevent generation
of tech support files have been removed so that reports are generated as expected.
79260 Fixed a rare issue on a WF-500 appliance where an ICMP packet containing a
FIN+ACK packet was incorrectly forwarded out through the management (MGT)
interface. With this fix, ICMP packets containing a FIN+ACK packet are dropped,
instead.
79104 Fixed a rare issue on a PA-7000 Series firewall where the HA1 and HA1 backup links
experienced heartbeat failures that caused split brain in a high availability (HA)
configuration.
78646 Fixed an issue where a firewall replaced multibyte characters with a period character
( . ) when forwarding logs or event information to SNMP traps, to a syslog server,
through email, or in scheduled log exports. This issue also occurred when exporting
logs to CSV. With this fix, multibyte characters are forwarded and exported correctly
with one exception: in PAN-OS 7.0.1, PA-7000 Series firewalls will still incorrectly
replace multibyte characters with period characters when exporting logs to CSV.
78621 Fixed an issue that occurred when Chile adopted new official times and the official
time for Continental Chile became UTC-03:00. A PA-200 firewall configured to use the
Chile Continental time incorrectly continued to display the official time as UTC-04:00.
78556 Fixed an issue in Panorama where using the option to import a certificate when
configuring a GlobalProtect gateway or portal did not result in the imported certificate
being added to the drop-down. The imported certificate also did not display on the
Templates > Device > Certificates page. (However, the imported certificate did
display correctly after a Panorama commit.) With this fix, imported certificates are
displayed immediately on the web interface where expected.
78448 Fixed an issue where a custom response page containing an invalid substring caused
the process for communicating between the dataplane and management planes
(mprelay) to stop responding when attempting to commit configuration changes.
78343 Fixed an issue that occurred with decryption enabled, where some websites were not
decrypted due to an issue with certificate serial numbers.
78289 Fixed an issue where the receive errors interface counter displayed values larger
than the actual number of packets that should be counted as errors. This issue occurred
because some packets were counted twice. With this fix, the receive errors counter
displays the correct value.
78187 Fixed an intermittent issue with a system process (all_task) that caused a device to
restart unexpectedly. This fix includes an adjustment to an internal timer to avoid these
restarts.
78155 Addressed an issue where two DoS protection policy rules that were not overlapping
incorrectly resulted in a warning that one of the rules was shadowing the other rule.
77907 Fixed an issue where log forwarding to a Log Collector did not stop as expected when
executing the request log-fwd-ctrl device <s/n> action stop CLI command
on Panorama. With this fix, log forwarding to a Log Collector stops as expected when
executing the request log-fwd-ctrl device <s/n> action stop command so
long as both the firewall and Panorama are running PAN-OS 7.0.1 or later releases.
77784 Fixed an issue on Panorama where administrators were unable to filter Device Groups
by tags in the commit window.
77477 Fixed an issue where a user connected to a VM-Series firewall configured as a
GlobalProtect gateway and deployed in Amazon Web Services (AWS) lost the connection
after several hours and could not reconnect until the gateway was restarted. With this
fix, users no longer lose their connection to the GlobalProtect gateway when they stay
connected for several hours.
77307 Fixed an issue where the CLI seemed unresponsive after running the show config
diff command due to the extended period of time it took to process and return results
for a diff containing a large number of configuration changes. With this fix, the show
config diff command returns results without any significant delay.
76688 Fixed an issue where the IPv6 source address was not displayed in the Host column
for Config logs. With this fix, the IPv6 source address is displayed in the Host column
as expected (instead of 0.0.0.0).
76575 Fixed an issue on a PA-5000 Series firewall where an occasional inconsistency in the
IPv6 neighbor cache on different dataplanes caused IPv6 traffic sent to certain hosts
to get dropped. With this fix, the firewall keeps the IPv6 neighbor cache in sync
between dataplanes so that IPv6 packets are not dropped.
76282 Fixed an issue where FQDN objects were not resolved when all the following
conditions were true:
The FQDN object was being used as a tag in a Dynamic Address Group.
The Dynamic Address Group was not a member of the same tag.
The FQDN object was not attached to a security policy rule.
The FQDN object was not included in a regular address group that was attached to
a security policy rule.
76083 Fixed an issue where no System logs were generated for failed login attempts using the
CLI over an SSH connection. With this fix, additional System logs now provide
visibility for failed logins to the management interface even if those attempts come
from a CLI over an SSH connection.
76079 Fixed an issue on PA-7000 Series firewalls where Traffic logs on Advanced Mezzanine
Cards (AMCs) could not be recovered after installing the AMCs onto a new Log
Processing Card (LPC). With this fix, a new CLI command (request
metadata-regenerate slot <slotnum>) is available for retrieving logs from the old
AMC disks after installing them in a new LPC.
When you use this command, you should ensure the device is not processing traffic
until the regeneration request is complete. Additionally, you can ignore the spurious
error message (Failure communicating with given slot) that displays 60 seconds
after running the request metadata-regenerate command: the regeneration
process will continue to run as expected and you will need to wait for it to finish before
resuming traffic flow. It can take up to two hours, or longer, to regenerate all metadata
depending on the number of logs recovered. To determine if regeneration is complete,
use the following CLI command to look for the Done generating metadata for
LD:x message:
less s8lp-log vld-<amcslotnum>-0.log
75744 Fixed an issue where a dataplane stopped responding after a commit that changed the
interface index when high availability (HA) session packets were referencing that
interface index using an interface pointer.
74654 Fixed an issue on an M-100 device where an attempt to download Content Updates
failed due to a lack of disk space. This issue occurred when continuous XML API
queries filled the /opt/pancfg partition because STOP messages were getting
dropped between Panorama and the Log Collector and queries were not properly
removed when no longer needed. With this fix, STOP messages should not be
dropped. Additionally, in case STOP messages are dropped for any other reason, a
timeout setting for queries is in place to ensure that stale queries are removed from disk
space before causing a storage space issue.
73317 Fixed an issue where the System log displayed an IPv4 address for a firewall that was
connected to an Active Directory (AD) server through a management port using an
IPv6 address. For example: ldap cfg <group_name> connected to server <IPv6
address>, initiated by: <IPv4 address>. With this fix, the appropriate IP
address and format is displayed for the initiating device even when connected using an
IPv6 address.
73058 Fixed an issue where source and destination fields in SNMP traps were not populated
for traffic using IPv6 addresses. With this fix and Rev. B of the PAN-OS 6.1 Enterprise
SNMP MIB modules, new IP version-neutral fields were added (InetAddress and
InetAddressType in place of the IpAddress field) to fully support IPv6 addresses. (The
IpAddress field is retained for backward compatibility but is deprecated; administrators
are expected to transition to the new fields.)
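The version-neutral pair named above follows the RFC 4001 textual conventions: InetAddressType is an enumeration (ipv4 = 1, ipv6 = 2, ipv4z = 3, ipv6z = 4, dns = 16) and InetAddress is an octet string whose length is fixed by that type, which is why it can carry 16-byte IPv6 addresses where the legacy 4-octet IpAddress type cannot. As an added example (not Palo Alto Networks code, and the varbind object names it uses are hypothetical stand-ins rather than the real MIB names), the decoder below turns such pairs into printable addresses, rejects length mismatches instead of misreading them, and falls back to the deprecated field only when the new pair is absent. The trap varbinds are constructed.

```python
"""Decode RFC 4001 InetAddressType/InetAddress pairs from SNMP trap varbinds.

Added example, not Palo Alto Networks code. Enumeration values and octet
layouts are those of RFC 4001; varbind names and sample data are constructed.
"""
import ipaddress
import struct

INET_UNKNOWN, INET_IPV4, INET_IPV6, INET_IPV4Z, INET_IPV6Z, INET_DNS = 0, 1, 2, 3, 4, 16


def decode_inet_address(addr_type: int, octets: bytes) -> str:
    """Return a printable address for an (InetAddressType, InetAddress) pair.

    Raises ValueError when the octet length does not match the declared type,
    so a truncated or malformed payload is rejected rather than silently misread.
    """
    if addr_type == INET_IPV4:
        if len(octets) != 4:
            raise ValueError("ipv4 InetAddress must be 4 octets")
        return str(ipaddress.IPv4Address(octets))
    if addr_type == INET_IPV6:
        if len(octets) != 16:
            raise ValueError("ipv6 InetAddress must be 16 octets")
        return str(ipaddress.IPv6Address(octets))
    if addr_type == INET_IPV4Z:                      # address + 4-byte zone index
        if len(octets) != 8:
            raise ValueError("ipv4z InetAddress must be 8 octets")
        zone = struct.unpack("!I", octets[4:])[0]
        return f"{ipaddress.IPv4Address(octets[:4])}%{zone}"
    if addr_type == INET_IPV6Z:
        if len(octets) != 20:
            raise ValueError("ipv6z InetAddress must be 20 octets")
        zone = struct.unpack("!I", octets[16:])[0]
        return f"{ipaddress.IPv6Address(octets[:16])}%{zone}"
    if addr_type == INET_DNS:
        if not 1 <= len(octets) <= 255:
            raise ValueError("dns InetAddress must be 1..255 octets")
        return octets.decode("ascii")
    if addr_type == INET_UNKNOWN:
        return "unknown"
    raise ValueError(f"unsupported InetAddressType {addr_type}")


def decode_trap_endpoints(varbinds: dict) -> dict:
    """Extract source and destination from a decoded varbind mapping.

    Keys such as "srcInetAddressType" are hypothetical names for this example.
    The version-neutral pair is preferred; the legacy IpAddress field (IPv4 only)
    is used only as a fallback.
    """
    out = {}
    for side in ("src", "dst"):
        t = varbinds.get(f"{side}InetAddressType")
        a = varbinds.get(f"{side}InetAddress")
        if t is not None and a is not None:
            out[side] = decode_inet_address(t, a)
        elif f"{side}IpAddress" in varbinds:
            out[side] = str(ipaddress.IPv4Address(varbinds[f"{side}IpAddress"]))
        else:
            out[side] = None
    return out


# Constructed trap: IPv6 source via the new pair, destination via the legacy field.
SAMPLE_VARBINDS = {
    "srcInetAddressType": INET_IPV6,
    "srcInetAddress": ipaddress.IPv6Address("2001:db8::10").packed,
    "dstIpAddress": ipaddress.IPv4Address("192.0.2.25").packed,
}

if __name__ == "__main__":
    print(decode_trap_endpoints(SAMPLE_VARBINDS))
```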
72544 Addressed CVE-2014-8730. For additional information, refer to the
PAN-SA-2014-0224 security advisory on the Palo Alto Networks Security Advisories
web site at https://securityadvisories.paloaltonetworks.com.
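CVE-2014-8730 is the class of TLS bug in which a CBC-mode record is accepted after checking only the final padding-length byte, leaving the padding bytes themselves unverified; the POODLE technique then turns that leniency into a decryption oracle. As an added example (not Palo Alto Networks code and not a description of the PAN-OS fix itself), the block below places the lax check beside the RFC 5246 strict check, which requires every padding byte to equal padding_length, and shows that a record with garbage padding passes the lax path and fails the strict one. The records are constructed in their decrypted form so the example runs offline with no cipher involved.

```python
"""TLS 1.x CBC padding validation: lax (last byte only) versus strict (RFC 5246).

Added example, not Palo Alto Networks code. Records are constructed plaintext
(post-decryption) layouts: content || MAC || padding || padding_length.
"""
import hashlib
import hmac

MAC_LEN = hashlib.sha1().digest_size   # 20 bytes for HMAC-SHA1 cipher suites


def unpad_lax(plaintext: bytes) -> bytes:
    """Vulnerable: trusts the length byte and never inspects the padding bytes."""
    if not plaintext:
        raise ValueError("bad padding")
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        raise ValueError("bad padding")
    return plaintext[: -(pad_len + 1)]


def unpad_strict(plaintext: bytes) -> bytes:
    """RFC 5246 6.2.3.2: each padding byte must equal padding_length."""
    if not plaintext:
        raise ValueError("bad padding")
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        raise ValueError("bad padding")
    # Compare the whole tail in one constant-time call so the failure does not
    # reveal which padding byte was wrong.
    expected = bytes([pad_len]) * (pad_len + 1)
    if not hmac.compare_digest(plaintext[-(pad_len + 1):], expected):
        raise ValueError("bad padding")
    return plaintext[: -(pad_len + 1)]


def open_record(plaintext: bytes, mac_key: bytes, unpad) -> bytes:
    """Strip padding with the given policy, then verify the record MAC."""
    body = unpad(plaintext)
    if len(body) < MAC_LEN:
        raise ValueError("bad record mac")
    content, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, content, hashlib.sha1).digest(), tag):
        raise ValueError("bad record mac")
    return content


def build_record(content: bytes, mac_key: bytes, block: int = 16,
                 garbage_padding: bool = False) -> bytes:
    """Build the decrypted-form record; optionally corrupt the padding bytes."""
    tag = hmac.new(mac_key, content, hashlib.sha1).digest()
    body = content + tag
    pad_len = (block - (len(body) + 1) % block) % block
    if garbage_padding:
        # Any byte other than pad_len; a strict check must reject this.
        padding = bytes([(pad_len + 1) % 256]) * pad_len
    else:
        padding = bytes([pad_len]) * pad_len
    return body + padding + bytes([pad_len])


if __name__ == "__main__":
    key = b"constructed-mac-key"
    bad = build_record(b"GET / HTTP/1.1\r\n", key, garbage_padding=True)
    print("lax accepts:", open_record(bad, key, unpad_lax))
    try:
        open_record(bad, key, unpad_strict)
    except ValueError as e:
        print("strict rejects:", e)
```

In a real stack the padding and MAC failures must also be indistinguishable in timing and in the alert sent, which is why the strict path above uses a single comparison over the whole tail; the example isolates only the padding-content check that CVE-2014-8730 is about.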
72371 When a custom QoS profile was enabled on an interface, the QoS statistics for the
custom profile were instead displayed as the default QoS profile statistics. This issue
has been resolved so QoS statistics are displayed correctly with the corresponding QoS
profile (and for each class in the profile).
72153 Fixed an issue where the first SYN packet in a TCP connection that passed through
two virtual systems did not reach the destination server. This occurred when:
The first virtual system was configured with DNAT.
The second virtual system was configured with SNAT.
Sessions were allocated on different dataplanes (DPs), with the first session on DP0.
70537 Added a new debug CLI command (debug dataplane internal pdt pci list) to
provide a dump of the peripheral component interconnect (PCI) when attempting to
identify the root cause for the data_plane_X: Startup Script Failure error.
70431 Fixed an issue where a custom URL category with the name any caused unexpected
results. With this fix, the name any is no longer allowed when creating a custom URL
category (Objects > Custom Objects > URL Category).
70335 Fixed an issue where access routes from the GlobalProtect gateway could not be
installed on a satellite when the tunnel monitor was enabled for a Large Scale VPN
(LSVPN) and the tunnel monitor was in wait recover mode.
66681 Resolved a dataplane restart issue due to race conditions.
63652 Fixed an issue where some files forwarded to WildFire were not uploaded successfully
due to a CANCEL_OFFSET_NO_MATCH error. With this fix, the offset (caused by a buffer
overload) is no longer an issue.
79401 VM-1000-HV firewalls running on eight vCPUs did not save and display Traffic and
Threat logs. With this fix, VM-1000-HV firewalls properly save and display the logs.
This issue did not affect VM-Series firewalls running on two or four vCPUs.
78652 Fixed a rare issue where a firewall dropped URL requests when the management plane
(MP) URL trie (data structure) reached 100% capacity. With this fix, when the MP URL
trie reaches 90% capacity, URLs in the cache are cleared until the MP URL trie utilizes
only 50% of capacity so that the trie cannot reach maximum capacity and cause
requests to be dropped.
78436 Fixed an issue where the management plane stopped responding when more than one
process attempted to modify the device table during a configuration push from
Panorama. With this fix, the device table is locked and modifiable by only one
process at a time to avoid conflicting modifications.
78413 Fixed an issue on a PA-7000 Series firewall with multiple virtual systems where a
memory leak was observed related to the First Packet Processor (FPP) management
plane process when running the show session meter CLI command.
78304 A security update was made to address a cross-site request forgery (CSRF) issue in the
web interface.
78197 HIP reports for users can now be retrieved using the XML API (in addition to viewing
HIP reports using the CLI).
78166 Fixed an issue where the VirusTotal link in the Coverage Status section of WildFire
Analysis reports did not correctly open the VirusTotal page.
77749 Fixed an issue where clicking More to view the registered IP address under Policies >
Security > Object > Address Groups resulted in an error.
77721 Fixed an issue on a PA-200 firewall where a reboot took much longer than expected
(more than 20 minutes). This issue occurred when the Content Updates database was
corrupted and updates did not stop or pause as expected to allow the reboot to take
place. With this fix, the firewall reinitializes the database if it is corrupted to allow the
Content Update and system reboot to proceed as expected.
77413 Fixed an issue where the authentication process failed to parse the base Distinguished
Name (DN) correctly when it contained a space (" ") character.
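A base DN such as OU=Sales Team,DC=example,DC=com is valid: RFC 4514 allows spaces inside attribute values, requires only leading and trailing spaces to be escaped, and lets an implementation accept optional spaces around the comma and plus separators. As an added example (not Palo Alto Networks code and not the firewall's own parser), the DN parser below handles those rules, plus the \X and \HH escape forms, so that a value is never split or truncated at a space. The DNs in the usage are constructed.

```python
"""Parse an LDAP distinguished name (RFC 4514) without tripping on spaces.

Added example, not Palo Alto Networks code. Keeps spaces inside values, drops
only unescaped spaces around separators, decodes "\\X" and "\\HH" escapes.
"""
from typing import List, Tuple

RDN = List[Tuple[str, str]]
_HEX = "0123456789abcdefABCDEF"


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on `sep`, ignoring occurrences preceded by an escaping backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):     # keep the escape pair verbatim for now
            cur.append(s[i:i + 2])
            i += 2
            continue
        if c == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def _strip_unescaped_spaces(s: str) -> str:
    """Drop leading spaces and trailing spaces that are not escaped as "\\ "."""
    s = s.lstrip(" ")
    while s.endswith(" "):
        backslashes = len(s[:-1]) - len(s[:-1].rstrip("\\"))
        if backslashes % 2 == 1:             # odd run: the space is escaped, keep it
            break
        s = s[:-1]
    return s


def _unescape(value: str) -> str:
    """Decode "\\X" and "\\HH" escapes; hex pairs are raw UTF-8 bytes."""
    out, i = bytearray(), 0
    while i < len(value):
        c = value[i]
        if c != "\\":
            out += c.encode("utf-8")
            i += 1
            continue
        hexpair = value[i + 1:i + 3]
        if len(hexpair) == 2 and all(h in _HEX for h in hexpair):
            out.append(int(hexpair, 16))
            i += 3
        elif i + 1 < len(value):
            out += value[i + 1].encode("utf-8")
            i += 2
        else:
            raise ValueError("dangling backslash in DN value")
    return out.decode("utf-8")


def parse_dn(dn: str) -> List[RDN]:
    """Return the DN as a list of RDNs, each a list of (type, value) pairs."""
    if dn.strip(" ") == "":
        return []
    rdns: List[RDN] = []
    for rdn_text in _split_unescaped(dn, ","):
        rdn: RDN = []
        for ava in _split_unescaped(rdn_text, "+"):
            attr, eq, raw = ava.partition("=")
            if not eq:
                raise ValueError(f"RDN without '=': {ava!r}")
            attr = attr.strip(" ")
            if not attr:
                raise ValueError(f"empty attribute type in {ava!r}")
            rdn.append((attr, _unescape(_strip_unescaped_spaces(raw))))
        rdns.append(rdn)
    return rdns


def values_of(dn: str, attr_type: str) -> List[str]:
    """All values of one attribute type; type names compare case-insensitively."""
    return [v for rdn in parse_dn(dn) for t, v in rdn if t.lower() == attr_type.lower()]


if __name__ == "__main__":
    # Constructed DNs: a value with a space, an escaped comma, and optional separator spaces.
    print(parse_dn("OU=Sales Team,DC=example,DC=com"))
    print(parse_dn("CN=Smith\\, John, OU=Sales Team , DC=example"))
```

A quick self-check after configuring an LDAP server profile is to feed the base DN through a parser like this and confirm the OU value comes back whole; a parser that splits on whitespace would return "Sales" and the bind would search the wrong subtree.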
77342 When using the XML API to retrieve HA control-link statistics, the statistics retrieved
were not the same as those displayed in the output for the CLI operational command
show high-availability and control-link statistics.
77163 Fixed an issue where the /var/log/secure log file inflated and consumed available
disk space. With this fix, PAN-OS uses a log rotation function for this log file to avoid
consuming more disk space than is necessary.
77140 Fixed an issue where an error was displayed when using Panorama to change a
password for a managed firewall admin.
76847 Fixed an issue where IKE phase 2 re-key was happening too frequently for an IPSec
site-to-site VPN configured with tunnel monitoring on multiple Proxy IDs when QoS
was enabled.
76759 Fixed an issue where an SSL scan of a WF-500 appliance returned SSLv3 connections
and RC4 ciphers even though the WF-500 appliance no longer supports SSLv3. With
this fix, the WF-500 appliance returns only TLSv1 connections.
76729 Fixed an issue where the response returned by the request batch license info
XML API request was not wrapped with <response> <result>.
75881 Fixed an issue on a PA-5000 Series firewall where the management plane and dataplane
restarted due to a race condition that occurred when the Enforce Symmetric Return
option was enabled in the policy-based forwarding (PBF) rules (Policies > Policy
Based Forwarding > Forwarding). This race condition caused inaccurate PBF
return-mac ager lists, which caused the restarts. With this fix, the firewall retrieves
and checks return MAC entries to avoid this race condition and associated restarts.
75825 Fixed a rare issue on a PA-5000 Series firewall where a race condition occurred between
dataplanes 1 and 2 (DP1 and DP2) and dataplane 0 (DP0) that incorrectly caused a
reset of the timeout value for parent sessions owned by DP1 and DP2 when creating
predict sessions, which caused those parent sessions to time out prematurely. With this
fix, the timeout for parent sessions is not changed when the predict sessions are
created.
75758 Fixed an issue where the dataplane restarted on a PA-5000 Series firewall in a high
availability (HA) cluster due to corruption of ARP packets.
75677 Fixed a Panorama issue where clearing the setting Require SSL/TLS secured
connection for a vsys-specific LDAP server profile displayed an error (Templates >
Device > Server Profiles > LDAP).
75404 Fixed an issue for the show log CLI command, where you could not filter the
displayed logs by username if the user/srcuser option used characters other than an
alphanumeric character, underscore, dash, dot, forward slash, or colon.
75003 Fixed an issue where only the first 15 characters of a zone name were displayed in logs.
Complete zone names are now displayed in logs.
74609 Fixed an issue on a PA-5000 Series firewall where PREDICT sessions were handled by
dataplane 0 (DP0) but the SIP parent sessions were on a different dataplane. With this
fix, you can use the set session filter-ip-proc-cpu dest-ip <IPaddr> CLI
command to specify all destination SIP proxy IP addresses in a filter list on the firewall.
You can then use the list to configure the firewall so that DP0 receives and handles any
inbound packet that is destined for any of the specified SIP proxy IP addresses.
74600 A security update was made to the OpenSSL package to address multiple vulnerabilities
impacting the OpenSSL libraries.
74489 Fixed an issue with regular expressions where using the vertical bar character ( | ) caused
errors.
74315 Fixed an issue where comments added to an Aggregate Ethernet (AE) interface were
not saved along with the AE interface configuration and the Comment field displayed
as empty after closing the configuration window.
73692 Updated an error message that originally noted that an Antivirus content download
failed because an Antivirus content download was in progress. The error message is
updated to correctly state that the failed Antivirus content download was due to a
WildFire content download being in progress.
73631 Fixed an issue where several NTP sync errors were displayed following a firewall
software upgrade.
73158 The port range you can use to define ports for custom applications has been updated
to be from port 0 - 65535. The update matches the ports you can define for application
override policy rules (also 0 - 65535). Previously, you could not define port 0 for
custom applications.
73064 When a firewall was configured as a DHCP client, it failed to renew or release the
DHCP-assigned IP address when the firewall interface was then connected to a new
DHCP server.
72933 Fixed an issue where Panorama administrators were unable to view the Botnet report
option when switched to the firewall context.
72806 The GlobalProtect pre-logon connect method did not work when a certificate
profile was configured to use a subject alternative name (SAN) and the matching device
certificate did not contain the SAN.
72756 Fixed an intermittent issue where a race condition caused by multiple processes
asynchronously attempting to retrieve the last saved configuration file caused Captive
Portal or the FQDN refresh job to fail.
72719 Fixed an issue where the Tunnel Monitor Threshold value displayed for a
GlobalProtect satellite was incorrectly displayed as a unit of time (seconds). The
Tunnel Monitor Threshold actually specifies the number of heartbeats to wait for
before the firewall takes specified action, and is no longer displayed in seconds.
72075 When the firewall was configured to access an LDAP server through a data interface,
the firewall could not connect to the LDAP server if it was also configured to access
the User-ID agent using a different data interface.
71860 Addressed an issue where configuration changes were not reflected in the
configuration logs after importing SSH keys.
71682 Fixed an issue on a PA-5000 Series device where a port that was in use was sometimes
re-used when dynamic port translation was enabled with NAT and sessions were
initiated on different dataplanes. With this fix, Active FTP sessions succeed with a
NAT policy setup.
71340 Fixed an issue where firewall administrators were unable to clone any of the three
predefined common criteria admin roles; attempting to do so resulted in an error.
71250 Fixed an issue where decryption policies with a destination address and a URL category
defined as matching criteria caused commit failures.
71049 Made an update to ensure that the CLI command request system shutdown can
only be executed by users with superuser access privileges.
69961 Fixed an issue where Panorama and a firewall running the same release version did not
display the same drop-down selections to add as matching criteria to a security policy
rule. Now, if Panorama and a firewall are running the same release version, the same
objects are displayed and can be added to a security policy rule, regardless of whether
the rule is being defined on Panorama or a firewall.
69752 Fixed an issue where the web interface did not display concurrently logged-in
administrators if those administrators had not locally authenticated to the firewall.
69685 Updates were made to existing Russian time zones and new Russian time zones were
added to the available list of global time zones for a device, to accommodate the 2014
changes to Russian time zones.
69419 Fixed an issue that was seen with predict sessions when traffic traversed a firewall in
virtual wire mode twice.
68508 Fixed an issue where the DHCP server sent DHCP lease offers on the wrong interface
after a high availability (HA) failover due to interface IDs being out-of-sync on the HA
peers.
68484 If the Panorama setting to Share Unused Address and Service Objects with Devices
was enabled, committing changes to a device group did not correctly push objects to
managed firewalls.
68178 When configuring a threat exception for an Anti-Spyware or Vulnerability Protection
profile, adding an IP address exemption to the exception did not work if the input
included a subnet (for example, XXX.XXX.XXX.XXX/32). Only IP address exemptions
entered without a subnet were accepted by the firewall. This issue is fixed so that you
can add an IP address with a subnet as an exemption within a threat exception (Objects
> Vulnerability Protect/Anti-Spyware > Exceptions).
67713 An administrator was allowed to downgrade the content version (Applications and
Threats) on the firewall to a version that was not supported with the PAN-OS software
release version running on the firewall. For example, if the firewall was running
PAN-OS 6.1 and the minimum content version was 449, the administrator was
incorrectly able to downgrade to a version prior to 449.
65959 Added an enhancement to display predefined URL categories in addition to custom
URL-categories in the Allow Categories column for URL Filtering profile rules
(Objects > Security Profiles > URL Filtering).
63524 Fixed an issue that occurred when performing a template commit to a PA-200 firewall
on Panorama. The operation failed if you changed the vsys1 display name on the
firewall using the set display-name <name> CLI command.
62276 Fixed an issue where the Application Command Center (ACC) failed to load any
widgets and displayed the following error: The selected filters cannot be
applied to any of the acc reports. This issue occurred when navigating from
Monitor > Reports > HTTP Applications to the ACC.
61259 Removed white space preceding a response that was displayed when using the XML
API to submit a file for WildFire analysis.
Related Documentation
Refer to the following documents on the Technical Documentation portal at
https://www.paloaltonetworks.com/documentation for more information on our products:
New Feature Guide: Detailed information on configuring the features introduced in this release.
PAN-OS Administrator's Guide: Provides the concepts and solutions to get the most out of your Palo Alto
Networks next-generation firewalls. This includes taking you through the initial configuration and basic set
up on your Palo Alto Networks firewalls.
Panorama Administrator's Guide: Provides the basic framework to quickly set up the Panorama virtual
appliance or an M-Series appliance for centralized administration of the Palo Alto Networks firewalls.
WildFire Administrator's Guide: Provides steps to set up a Palo Alto Networks firewall to forward samples
for WildFire Analysis, to deploy the WF-500 appliance to host a WildFire private or hybrid cloud, and to
monitor WildFire activity.
VM-Series Deployment Guide: Provides details on deploying and licensing the VM-Series firewall on all
supported hypervisors. It includes examples of supported topologies on each hypervisor.
GlobalProtect Administrator's Guide: Takes you through the configuration and maintenance of your
GlobalProtect infrastructure.
Online Help System: Detailed, context-sensitive help system integrated with the firewall web interface.
Open Source Software (OSS) Listings: OSS licenses used with Palo Alto Networks products and software:
PAN-OS 7.0
Panorama 7.0
WildFire 7.0
Requesting Support
For technical support, call 1-866-898-9087 or send email to support@paloaltonetworks.com.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.
Contact Information
Corporate Headquarters:
www.paloaltonetworks.com/company/contact-us