PAN-OS® Release Notes

Version 9.0.10

paloaltonetworks.com/documentation
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation

• For the most recent version of this guide or for access to related documentation, visit the Technical Documentation portal www.paloaltonetworks.com/documentation.
• To search for a specific topic, go to our search page www.paloaltonetworks.com/documentation/document-search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at documentation@paloaltonetworks.com.

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2019-2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
August 27, 2020

2 PAN-OS® RELEASE NOTES |


Table of Contents
PAN-OS 9.0 Release Information................................................................... 5
Features Introduced in PAN-OS 9.0...................................................................................................... 7
App-ID Features..............................................................................................................................7
Virtualization Features...................................................................................................................8
Panorama Features.........................................................................................................................9
Content Inspection Features..................................................................................................... 10
GlobalProtect Features............................................................................................................... 12
Management Features................................................................................................................ 15
Networking Features...................................................................................................................17
User-ID Features.......................................................................................................................... 19
WildFire Features.........................................................................................................................20
New Hardware Introduced with PAN-OS 9.0...................................................................... 20
Changes to Default Behavior.................................................................................................................22
Associated Software and Content Versions.......................................................................................27
Limitations...................................................................................................................................................28
Known Issues............................................................................................................................................. 30
Known Issues Related to PAN-OS 9.0................................................................................... 30
Known Issues Specific to the WildFire Appliance............................................................. 206

PAN-OS 9.0 Addressed Issues....................................................................207


PAN-OS 9.0.10 Addressed Issues...................................................................................................... 209
PAN-OS 9.0.9-h1 Addressed Issues.................................................................................................. 217
PAN-OS 9.0.9 Addressed Issues........................................................................................................ 218
PAN-OS 9.0.8 Addressed Issues........................................................................................................ 225
PAN-OS 9.0.7 Addressed Issues........................................................................................................ 229
PAN-OS 9.0.6 Addressed Issues........................................................................................................ 237
PAN-OS 9.0.5-h3 Addressed Issues.................................................................................................. 248
PAN-OS 9.0.5 Addressed Issues........................................................................................................ 249
PAN-OS 9.0.4 Addressed Issues........................................................................................................ 260
PAN-OS 9.0.3-h3 Addressed Issues.................................................................................................. 270
PAN-OS 9.0.3-h2 Addressed Issues.................................................................................................. 271
PAN-OS 9.0.3 Addressed Issues........................................................................................................ 272
PAN-OS 9.0.2-h4 Addressed Issues.................................................................................................. 282
PAN-OS 9.0.2 Addressed Issues........................................................................................................ 283
PAN-OS 9.0.1 Addressed Issues........................................................................................................ 287
PAN-OS 9.0.0 Addressed Issues........................................................................................................ 291

Getting Help.................................................................................................... 297


Related Documentation........................................................................................................................ 299
Requesting Support................................................................................................................................300

PAN-OS 9.0 Release Information
Revision Date: August 27, 2020
Review important information about Palo Alto Networks PAN-OS® 9.0 software, including
new features introduced, a list of known issues, workarounds for open issues, and issues
that are addressed in the PAN-OS 9.0 release. For installation, upgrade, and downgrade
instructions, refer to the PAN-OS 9.0 New Features Guide.

> Features Introduced in PAN-OS 9.0
> Changes to Default Behavior
> Associated Software and Content Versions
> Limitations
> Known Issues
> PAN-OS 9.0.10 Addressed Issues
> PAN-OS 9.0.9-h1 Addressed Issues
> PAN-OS 9.0.9 Addressed Issues
> PAN-OS 9.0.8 Addressed Issues
> PAN-OS 9.0.7 Addressed Issues
> PAN-OS 9.0.6 Addressed Issues
> PAN-OS 9.0.5-h3 Addressed Issues
> PAN-OS 9.0.5 Addressed Issues
> PAN-OS 9.0.4 Addressed Issues
> PAN-OS 9.0.3-h3 Addressed Issues
> PAN-OS 9.0.3-h2 Addressed Issues
> PAN-OS 9.0.3 Addressed Issues
> PAN-OS 9.0.2-h4 Addressed Issues
> PAN-OS 9.0.2 Addressed Issues
> PAN-OS 9.0.1 Addressed Issues
> PAN-OS 9.0.0 Addressed Issues
> Getting Help

Features Introduced in PAN-OS 9.0
The following topics describe the new features and new hardware introduced with the PAN-OS® 9.0
release, which requires content release version 8103 or a later version. For upgrade and downgrade
considerations and for specific information about the upgrade path for a firewall, refer to the PAN-OS 9.0
New Features Guide. The new features guide also provides additional information about how to use the
new features in this release.
• App-ID Features
• Virtualization Features
• Panorama Features
• Content Inspection Features
• GlobalProtect Features
• Management Features
• Networking Features
• User-ID Features
• WildFire Features
• Hardware Features

App-ID Features

Policy Optimizer
Policy Optimizer identifies all applications seen on any legacy Security policy rule and provides an easy workflow for selecting the applications you want to allow on that rule. Additionally, it helps you remove unused applications from overprovisioned application-based rules. This simplified workflow allows you to migrate a legacy rule gradually and natively to an application-based rule so you can safely enable applications in your environment and improve your security posture.

(Beginning with PAN-OS® 9.0.2) Policy Optimizer also gives you the option to select applications in a legacy Security policy rule and add applications to an existing rule so that you can leverage pre-existing App-ID™ based rules and eliminate the need to continually create new rules. You can also now choose between container app and specific apps seen so that the web interface clearly displays which applications have been seen on a rule and which ones were added as part of the container but that have not yet been seen on that rule.

HTTP/2 Inspection
You can now safely enable applications running over HTTP/2, without any additional configuration on the firewall. As more websites continue to adopt HTTP/2, the firewall can enforce security policy and detect and prevent threats on a per-stream basis. This visibility into HTTP/2 traffic enables you to secure web servers that provide services over HTTP/2, and allow your users to benefit from the speed and resource efficiency gains that HTTP/2 provides.


Strict Default Ports for Decrypted Applications
Application-default—which enables you to allow applications only on their most commonly-used ports—now enforces strict standard port usage for certain applications that use a different default port when they are encrypted: web-browsing, SMTP, FTP, LDAP, POP3, and IMAP. For example, with SSL decryption turned on, application-default differentiates between cleartext and encrypted web-browsing traffic and strictly enforces:
• cleartext web-browsing traffic (HTTP) on port 80
• encrypted web-browsing traffic (HTTPS) on port 443

Application-default is a best practice for application-based Security policy rules—it reduces administrative overhead and closes security gaps that port-based policy introduces.

Virtualization Features

VM-Series firewall on KVM—VLAN Access Mode with SR-IOV (available starting with PAN-OS® 9.0.4)
In VLAN access mode with SR-IOV, when you deploy the VM-Series firewall as a Virtual Network Function (VNF) on the KVM hypervisor, it can send and receive packets from SR-IOV virtual functions (VFs) without VLAN tags. This capability enables you to apply QoS policies on the access interface and provide differentiated treatment of traffic in a multi-tenant deployment.

VM-Series on AWS—Support for C5 and M5 Instance Types with ENA
The VM-Series firewall on AWS adds support for the C5 and M5 instance types that use the Elastic Network Adapter (ENA). With the support for these instance types, you can deploy the VM-Series firewall in all regions that support C5/M5 instance types including new AWS regions, such as AWS Paris that exclusively use newer instance types.

VM-Series Plugin
The VM-Series firewalls now support a plugin architecture that enables Palo Alto Networks to deliver cloud features and updates, including integrations with new cloud platforms or hypervisors, independent of a PAN-OS release. This VM-Series plugin manages interactions between the VM-Series firewalls and the supported public and private cloud deployments. The plugin is digitally signed by Palo Alto Networks and built-in to all models of the VM-Series firewalls. You can update the installed plugin version just like software or content updates—locally on the firewall, using bootstrapping, or centrally from Panorama™.

Support for HA for VM-Series on Azure
The VM-Series firewall on Azure now supports an active/passive HA configuration. This capability is delivered using the VM-Series plugin (see above).

Higher Performance for VM-Series on Azure using Azure Accelerated Networking (SR-IOV)
To support higher throughput, VM-Series firewalls deployed on D/DSv2 and D/DSv3 class of Azure VMs include support for Accelerated Networking (SR-IOV). You can now deploy this higher performance firewall as an active/passive HA pair or in a scale-out deployment with Azure load balancers.

The following Networking Features are also relevant for VM-Series deployments in
private or public cloud environments:
• Security Group Tag (SGT) EtherType Support
• FQDN Refresh Enhancement
• FQDN Support for Static Route Next Hop, PBF Next Hop, and BGP Peer
• Dynamic DNS Support for Firewall Interfaces
• Advanced Session Distribution Algorithms for Destination NAT
• VXLAN Tunnel Content Inspection

Panorama Features

Master Key Deployment from Panorama™
When you need to change the default master key used to encrypt sensitive elements in the configuration, you can now deploy a master key to firewalls, Log Collectors, and WildFire appliances from Panorama. In a large-scale deployment, managing the master key centrally from Panorama ensures a uniform master key deployment and provides visibility into the status of the operation.

Device Management Capacity Enhancement
Scale up all your Panorama capabilities to manage up to 5,000 firewalls, using M-600 appliances or similarly resourced Panorama virtual appliances. This enhancement allows you to leverage all the benefits of centralization while utilizing the logging, reporting, device health monitoring, device deployment, and configuration management capabilities of Panorama for a larger number of firewalls. For example, if you are managing 3,500 firewalls using four Panorama appliances, you can now consolidate to a single Panorama appliance for managing your firewalls to ease the operational burden and reduce your management footprint.

Granular Configuration Management of Device Groups and Templates
In order to troubleshoot configuration errors, you can now perform operations such as export, revert, save, import, and load at a device group and template level. For example, this granularity allows you to independently revert or load the configuration of the firewalls within your access domain without impacting changes other administrators have made.

Streamlined Device Onboarding
Panorama enables simplified onboarding of new firewalls by allowing you to assign them to device groups, templates, collector groups, or Log Collectors during the initial deployment. You can also elect to automatically push the configuration to firewalls when the firewalls initially connect to Panorama. Using this onboarding workflow, you can ensure that new firewalls are immediately configured and ready to secure your network.

VM-Series Plugin
The VM-Series plugin manages integration with public and private clouds, allowing Palo Alto Networks to release bug fixes, new features, or new cloud integrations, independent of a PAN-OS® release. Panorama 9.0 supports the VM-Series plugin and supplies the compatible version, but does not install it automatically. Install the plugin if you have VM-Series cloud integrations and you want to use Panorama to manage them centrally.

Content Inspection Features

DNS Security
The firewall can now access the full database of Palo Alto Networks DNS signatures through a new DNS Security service. The DNS Security service also performs pro-active analysis of DNS data to predict new malicious domains and to detect C2 evasion techniques—like domain generation algorithms and DNS tunneling—that aim to bypass common protections.

New Security-Focused URL Categories
New Security-focused URL categories enable you to implement simple security and decryption policies based on website safety, without requiring you to decide (or even know) what website is likely to expose you to web-based threats:
• High risk, medium risk, and low risk—These categories indicate the level of suspicious activity that a site displays. All URLs—except those that are confirmed malware, C2, or phishing sites—now include this risk rating.
• Newly-registered domains—This category identifies sites that were registered within the last 32 days. New domains are frequently used as tools in malicious campaigns.
These new categories help you to reduce your attack surface by providing targeted decryption and enforcement for sites that pose varying levels of risk but are not confirmed malicious. Websites are classified with a Security-related category only when they meet the criteria for that category; as site content changes, policy enforcement dynamically adapts.

Multi-Category URL Filtering
PAN-DB, the Palo Alto Networks URL database, now assigns multiple categories to URLs that classify the content, purpose, and safety of a site. Every URL now has up to four categories, including a risk rating that indicates how likely it is that the page will expose you to threats. More granular URL categorizations mean that you can move beyond a basic block-or-allow approach to web access. Instead, control how your users interact with content, especially websites that, while necessary for business, are more likely to be used as part of a cyberattack (like blogs or cloud storage services). For example, allow your users to visit high-risk websites, but enforce read-only access to questionable content by blocking obfuscated JavaScript and preventing dangerous file downloads.

Built-In External Dynamic List for Bulletproof Hosts
Because bulletproof hosting providers place few, if any, restrictions on content, attackers frequently use these services to host and distribute malicious, illegal, and unethical material. The Threat Prevention subscription now includes a new built-in external dynamic list (EDL) that you can use to block IP addresses associated with bulletproof hosting providers.

EDL Capacity Increases
External dynamic list (EDL) capacities are increased to better accommodate the use of third-party intelligence feeds, significantly expanding the number of threat indicators you can leverage within your network Security policies. Additionally, you can now prioritize EDLs to make sure lists containing critical threat indicators are committed before capacity limits are reached.

Support for New Predefined Data Filtering Patterns
To identify and protect sensitive information from leaving your network, the firewall provides 19 new predefined data filtering patterns that identify specific (regulated) information from different countries of the world, such as INSEE Identification (France) and New Zealand Internal Revenue Department Identification Numbers. PAN-OS® software also performs a checksum validation for all patterns to eliminate false positives.

Cellular IoT Security
As your business moves to cellular IoT (CIoT) and the network adopts 3GPP CIoT technologies, you need to secure CIoT traffic to protect your network and CIoT from attacks. Cellular IoT Security allows you to secure CIoT traffic and gain visibility into CIoT and device-to-device communication over your network. If you are a mobile network operator (MNO) or a mobile virtual network operator (MVNO), such as a utility company focused on oil, gas, or energy operating as an MVNO, you can now secure CIoT traffic. CIoT security also allows you to protect MNO infrastructure and CIoT devices from DoS attacks on both Signaling/Control and Data layers, from attacks from infected CIoTs, and from spying attacks; and it allows you to detect and prevent malware, ransomware, and vulnerabilities. Additionally, the firewall now supports Narrowband IoT (NB-IoT) radio access technology (RAT), 3GPP TS 29.274 for GTPv2-C up to Release 15.2.0, and 3GPP TS 29.060 for GTPv1-C up to Release 15.1.0.
CIoT security is supported on VM-Series firewalls, PA-5200 Series firewalls, and PA-7000 Series firewalls that have all new cards, including new 100G NPC, new second-generation SMCs, and new Log Forwarding Card (LFC).

GTP Event Packet Capture
Firewalls now support packet capture for a GTP event to make troubleshooting easier. GTP packet capture is supported for events such as GTP-in-GTP, end user IP address spoofing, and abnormal GTPv1-C, GTPv2-C, and GTP-U messages that have missing mandatory information elements (IE), invalid IE, invalid header, out-of-order IE, or unsupported message type.
GTP event packet capture is supported on VM-Series firewalls, PA-5200 Series firewalls, and PA-7000 Series firewalls that have all new cards, including new 100G NPC, new second-generation SMCs, and new Log Forwarding Card (LFC).

Graceful Enablement of GTP Stateful Inspection
(PAN-OS 9.0.3 and later releases) You can now enable GTP stateful inspection in the firewall gracefully with minimal disruption to GTP traffic. You can allow GTPv2, GTPv1-C, and GTP-U packets that fail GTP stateful inspection to pass through a firewall. Although the firewall drops such packets by default after GTP stateful inspection is enabled, allowing them to pass minimizes disruption when you deploy a new firewall or when you migrate GTP traffic.

Graceful Enablement of SCTP Stateful Inspection
(PAN-OS 9.0.4 and later releases) You can now enable SCTP stateful inspection in the firewall gracefully with minimal disruption to SCTP traffic. You can allow SCTP packets that fail SCTP stateful inspection to pass through a firewall. Although the firewall drops such packets by default after SCTP stateful inspection is enabled, allowing them to pass minimizes disruption when you deploy a new firewall or when you migrate SCTP traffic.

One of the new App-ID Features, HTTP/2 Inspection, enables you to enforce threat prevention on a per-stream basis.

GlobalProtect Features
The following table describes new GlobalProtect™ features introduced in PAN-OS® 9.0. For features related to the GlobalProtect app, see the GlobalProtect App 5.0 Release Notes.

Simplified Deployment for GlobalProtect Portals and Gateways
You can now reduce the number of GlobalProtect portals and gateways you need to deploy and manage for GlobalProtect use cases by configuring the following features on a single firewall:
• Endpoint Tunnel Configurations Based on Source Region or IP Address—You can now assign tunnel configurations to users based on their source IP address or region from a particular GlobalProtect gateway. For example, you can configure a gateway to allow all traffic for local network printing to bypass the VPN tunnel when end users connect from a branch office but require all traffic to route through the VPN tunnel when users connect remotely from an unknown or untrusted network (such as a coffee shop or library).
• Portal Configuration Assignment and HIP-Based Access Control Using New Endpoint Attributes—You can now deploy different configurations and enforce access control for managed (corporate-owned) endpoints and unmanaged endpoints (such as in a BYOD environment) from a particular GlobalProtect portal or gateway. To identify the managed status of an endpoint, GlobalProtect portals and gateways can now use the following new endpoint attributes: machine certificate and serial number.
• DNS Configuration Assignment Based on Users or User Groups—From a particular gateway you can now assign different DNS servers and DNS suffixes to endpoints based on the user or user group. This allows you to leverage your distributed DNS infrastructure for users connecting with GlobalProtect.
• Mixed Authentication Method Support for Certificates or User Credentials—You can now assign multiple combinations of authentication methods with user credentials and/or client certificates from a particular portal or gateway. For example, when connecting to the same portal or gateway, users connecting from corporate mobile devices can authenticate using a certificate while users connecting from personal devices can authenticate using their AD credentials.

HIP Report Redistribution
In data center environments, you can now use HIP report redistribution to ensure consistent policy enforcement across all endpoints and to simplify policy configuration and management across internal and external gateways. With HIP report redistribution, you use the same mechanism as User-ID™ redistribution to enable the GlobalProtect gateways to send the HIP reports to a Dedicated Log Collector (DLC), firewall, or Panorama™. HIP report redistribution eliminates the need for exception policies for external gateways or internal gateways, thereby simplifying HIP setup and configuration time for your gateways and firewalls.

Tunnel Restoration and Authentication Cookie Usage Restrictions
You can now enforce additional restrictions for enhanced security:
• You can now choose to enable automatic restoration of VPN tunnels at the gateway level. For example, you can enable automatic restoration of VPN tunnels for all gateways in the enterprise except for specific gateways that you want to require authentication before a tunnel is established.
• You can now choose whether to accept an authentication cookie when the IP address attributes (IP address or IP address range) of the endpoint change. If you choose to reject an authentication cookie when the endpoint IP address attribute differs from the original value associated with the authentication cookie, the user must authenticate again to receive a new authentication cookie.
These settings provide a more restricted user connection experience.


Pre-Logon Followed By Two-Factor and SAML Authentication
The GlobalProtect app for Windows and Mac endpoints now supports pre-logon followed by two-factor or SAML authentication for user login. After the pre-logon tunnel is established, the user can log in to the endpoint and authenticate using the configured authentication method. If authentication is successful on Windows endpoints, the pre-logon tunnel is seamlessly renamed to User tunnel and the GlobalProtect connection is established. If authentication is successful on macOS endpoints, a new tunnel is created and the GlobalProtect connection is established.

GlobalProtect Gateway and Portal Location Configuration
To help users identify the geographic location of GlobalProtect gateways, you can now configure a label for the physical location. By separating the location into a dedicated label, you can also use location-independent names when you configure your gateways.
The GlobalProtect app displays the label for the location of the gateway to which a user is connected, and the Clientless VPN portal landing page displays the label for the location of the portal to which a Clientless VPN user is logged in.
When end users experience unusual behavior, such as poor network performance, they can provide this location information to their support or Help Desk professionals to assist with troubleshooting. They can also use this location information to determine their proximity to the Clientless VPN portal or gateway. Based on their proximity, they can evaluate whether they need to switch to a closer portal or gateway. However, auto-selected gateways are still preferred.
Refer to the GlobalProtect App 5.0 Release Notes for more information on gateway and portal location visibility for end users.

User Location Visibility on GlobalProtect Gateways and Portals
For enhanced reporting and user activity analysis, you can now view the source region of users that connect (or have previously connected) to GlobalProtect portals and gateways. You can identify the source region of the Clientless VPN users in the Remote Users section of the Portal configuration and the source region of GlobalProtect users in the Remote Users section of the Gateway configuration.

Concurrent Support for IPv4 and IPv6 DNS Servers
You can now assign up to ten IPv4 and IPv6 DNS servers in the client settings provided to the endpoint by the GlobalProtect gateway. This enhancement enables you to simultaneously assign multiple IPv4 and IPv6 DNS servers to the endpoints that connect to the gateway.

Support for IPv6-Only GlobalProtect Deployments
GlobalProtect now supports IPv6-only deployments. With this enhancement, you can define an IP address pool that uses only IPv6 addresses when you configure GlobalProtect gateways.

When you configure IPv6 pools, you must also enable split tunneling to route any IPv4 traffic from the endpoint to the internet.

Management Features

Cortex™ Data Lake Logging for Firewalls without Panorama™
Palo Alto Networks Cortex Data Lake provides cloud-based, centralized log storage and aggregation for firewalls and services. With Cortex Data Lake, Palo Alto Networks takes care of the ongoing maintenance and monitoring of your logging infrastructure so that you can focus on your business.
Until PAN-OS® 9.0.3, Panorama was required to onboard firewalls to Cortex Data Lake and to view logs stored in Cortex Data Lake. Now, with PAN-OS 9.0.3 and later releases, you can enable non-Panorama managed firewalls to securely connect and send logs to Cortex Data Lake.

Enforcement of Description, Tag and Audit Comment
As your team creates and modifies rules, the rationale for creating or modifying rules is lost over time. To capture the reason for rule creation and modification, you can now require a description, tag, or audit comment to maintain rule revision history for auditing. For example, if you are creating a new app-based security policy rule to replace a port-based rule, enforce these rule creation elements to ensure that the rule is appropriately grouped, and that the administrator describes the purpose of the rule.

Rule Changes Archive
When you create or modify policy rules, you now have revision history to audit changes. To track and analyze how your policy rules have evolved over time, you can review the audit comment history and see differences between two rule versions. Combined with the new Enforcement of Rule Description, Tag and Audit Comment (see above), you can enforce audit comments with every rule creation and modification to ensure that the audit comment history is maintained for your policy rulebases.

Tag Based Rule Groups
Visually group related rules using a new group tag to efficiently manage large sets of related rules within any policy rulebase. You can use any tag as a group tag to organize related rules so that you can easily move, clone, or delete the rules in the selected group. This allows you to visually see the organizational changes that are happening to your rulebase, and increase the efficiency of managing large sets of rules.

Policy Match and Connectivity Tests from the Web Interface
Validate policy configuration changes of one or more firewalls directly from the web interface to ensure network traffic matches the policy rules as expected. In addition to validating policy, you can also test that firewalls can reach network resources. With the ability to run test commands on the web interface, you can avoid over-provisioning administrator roles with CLI access while still giving administrators a way to determine that firewalls are configured correctly.

Rule Usage Filtering
When auditing your rulebase, you can now filter and quickly identify unused rules to manage policy rules. Removing unused rules improves your security posture by reducing the proliferation of rules. For example, when transitioning from port-based rules to App-ID™ based rules, this information enables you to assess whether your App-ID based rules are matched instead of your port-based rules so that you can remove the unused rules.

Object Capacity Improvements on the PA-5220 and the PA-3200 Series Firewalls
To help you scale your deployment and ease the migration to Palo Alto Networks firewalls, the PA-5220 and the PA-3200 Series firewalls have increased capacities for several objects, including increases in the number of address objects, address groups, service groups, service objects, zones, and policy rules.

API Key Lifetime
If you are using the firewall or Panorama APIs to enable programmatic access, you can now specify the API key lifetime to match the automation task duration and control the validity period for an authenticated and secure connection between the firewall/Panorama and the automation program or service. Because each API call requires the API key, using a key with a limited lifetime allows you to enforce key rotation at a regular cadence to safeguard your network and adhere to compliance standards. You can also expire all API keys simultaneously, if you suspect accidental exposure or a leak.

PAN-OS REST API for a Simplified Automation/Integration Experience
In addition to the existing XML API, the firewalls and Panorama now support a REST API for a simpler API integration. With the REST API, the firewall is represented as a set of resources with URIs on which you can perform operations that allow you to easily map firewall tasks to the API interface. For example, Security policy is represented as a REST resource with URI /restapi/9.0/Policies/SecurityRules and has a list of operations that includes list, create, edit, delete, move, and rename. The REST API provides the flexibility to use JSON and XML data formats in API requests and responses, and supports versioning for backward compatibility with future PAN-OS releases. The initial release of this API allows you to manage the configuration of policies and objects on the firewall and Panorama and provides reference documentation that is built in to the product.

Universally Unique Identifiers for Policy Rules
To simplify auditing, searching, reporting, and tracking for configuration changes to rules, universally unique identifiers (UUIDs) are created for all policy rulebases that you create on the firewall or push from Panorama. If you rename or delete the rule, the UUID ensures that the rule’s history of changes is maintained. The UUID can pinpoint the rule across multiple rulebases containing thousands of rules that may have similar or identical names, and simplifies automation and integration for rules into third-party systems (such as ticketing or orchestration) that do not support names.

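As an added illustration of the two items above (example code written for these notes, not code from Palo Alto Networks or from the release notes), the following Python builds a request against the Security rule resource URI given above and then tracks rules by UUID across two snapshots, so that a rename is recognized as a rename rather than as a delete plus an unrelated add. The X-PAN-KEY header, the location/vsys/name query parameters and the JSON response shape ("@status", "result", "entry", "@uuid", "@name") are assumptions about the API made for this example and should be checked against the built-in reference documentation; the two snapshots are constructed inline and no network call is made.

```python
import json
from urllib.parse import urlencode

API_VERSION = "9.0"
# Resource URI as given in the release notes for the Security rulebase.
SECURITY_RULES_PATH = f"/restapi/{API_VERSION}/Policies/SecurityRules"


def build_security_rules_request(host, api_key, location="vsys", vsys="vsys1", name=None):
    """Return (url, headers) for a GET that lists Security rules.

    The X-PAN-KEY header and the location/vsys/name query parameters are
    assumptions about the REST API made for this example; they are not
    stated in the release notes.
    """
    params = {"location": location}
    if location == "vsys":
        params["vsys"] = vsys
    if name is not None:
        params["name"] = name
    url = f"https://{host}{SECURITY_RULES_PATH}?{urlencode(params)}"
    headers = {"X-PAN-KEY": api_key, "Accept": "application/json"}
    return url, headers


def index_rules_by_uuid(body):
    """Map rule UUID -> rule name from a JSON list response.

    The '@status' / 'result' / 'entry' / '@uuid' / '@name' keys are an
    assumption about the response shape used for this example.
    """
    doc = json.loads(body)
    if doc.get("@status") != "success":
        raise ValueError(f"API call failed: {doc}")
    entries = doc.get("result", {}).get("entry", [])
    return {entry["@uuid"]: entry["@name"] for entry in entries}


def rule_changes(before, after):
    """Compare two UUID->name snapshots and report renamed, deleted and added rules.

    Because the UUID survives a rename, a name change shows up as 'renamed'
    instead of as one deletion plus one unrelated addition.
    """
    renamed = {u: (before[u], after[u]) for u in before.keys() & after.keys() if before[u] != after[u]}
    deleted = {u: before[u] for u in before.keys() - after.keys()}
    added = {u: after[u] for u in after.keys() - before.keys()}
    return {"renamed": renamed, "deleted": deleted, "added": added}


# Constructed sample responses (not real firewall output): the second
# snapshot renames one rule and deletes another.
SNAPSHOT_BEFORE = json.dumps({
    "@status": "success",
    "result": {"entry": [
        {"@name": "allow-web", "@uuid": "11111111-2222-4333-8444-555555555555"},
        {"@name": "allow-dns", "@uuid": "66666666-7777-4888-9999-aaaaaaaaaaaa"},
    ]},
})
SNAPSHOT_AFTER = json.dumps({
    "@status": "success",
    "result": {"entry": [
        {"@name": "allow-web-appid", "@uuid": "11111111-2222-4333-8444-555555555555"},
    ]},
})

if __name__ == "__main__":
    url, headers = build_security_rules_request("firewall.example.invalid", "<api-key-placeholder>")
    print(url)
    print(rule_changes(index_rules_by_uuid(SNAPSHOT_BEFORE), index_rules_by_uuid(SNAPSHOT_AFTER)))
```

Keying the audit trail on the UUID is what lets a ticketing or orchestration integration follow a rule through renames; a name-keyed comparison of the same two snapshots would report allow-web as deleted and allow-web-appid as new.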
Temporary Master Key Expiration Extension
You can now extend the lifetime of the master key directly from the firewall or from Panorama until your next available maintenance window. If the master key is due to expire before your planned maintenance window, the key extension allows the firewall to remain operational and continue securing your network.

Real-Time Enforcement and Expanded Capacities for Dynamic Address Groups
To enforce security policy for entities such as IoT devices, virtual workloads, and containers that have bursts of traffic or short lifecycles, the firewalls can now update the list of registered IP addresses within a dynamic address group in real time. This enhancement enables the firewall to register IP addresses that match the tags you have defined in dynamic address groups and instantly apply policy as soon as the endpoint is online, and then unregister the IP addresses automatically based on a time limit that you configure. And to make it easier for you to monitor and troubleshoot these registered IP addresses, Panorama and the firewall now include a new IP-Tag log. Lastly, to handle a larger volume of entities, select firewall models now have up to five-times more capacity for registered IP addresses.

Networking Features
New Networking Feature Description

Security Group Tag (SGT) EtherType Support
If you're using Security Group Tags (SGTs) in a Cisco TrustSec network, inline firewalls in Layer 2 or Virtual Wire mode can now inspect and enforce the tagged traffic. Layer 3 firewalls in a Cisco TrustSec network can also inspect and enforce SGT traffic when deployed between two SGT exchange protocol (SXP) peers.
Processing of SGT traffic works by default and without any configuration changes. Because the firewall does not use SGTs as match criteria for security policy enforcement, you should continue to define SGT-based policy in the same way you do today.

FQDN Refresh Enhancement
With cloud applications requiring frequent FQDN refresh rates to ensure nonstop services, the FQDN refresh feature now supports the ability to refresh cached entries based on the DNS TTL value. You can set a minimum FQDN refresh time to limit how frequently the firewall refreshes the FQDN cache entries, and state how long the firewall continues to use cached FQDN entries in the event of a network failure where the DNS server is unreachable.

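The refresh behaviour described above, modelled in Python as an added example (not PAN-OS code): an entry is refreshed when its DNS TTL expires but never more often than a configured minimum refresh time, and while the DNS server is unreachable the stale entry keeps being served for a configured timeout after the last successful resolution. How the firewall anchors that timeout is an assumption made here; the resolver is a scripted stand-in, and the hostname, addresses and timings are constructed.

```python
from dataclasses import dataclass


@dataclass
class FqdnEntry:
    name: str
    addresses: tuple
    ttl: int            # TTL returned by DNS, in seconds
    resolved_at: float  # time of the last successful resolution


class FqdnCache:
    """Illustrative model of TTL-driven FQDN refresh (not PAN-OS code).

    - An entry is refreshed when its TTL expires, but never more often than
      min_refresh seconds (the minimum refresh time).
    - If the resolver fails, the stale entry keeps being used for up to
      stale_timeout seconds after the last successful resolution, then it is
      dropped. Measuring from the last success is this example's assumption.
    """

    def __init__(self, resolver, min_refresh=30, stale_timeout=1800):
        self.resolver = resolver        # callable name -> (addresses, ttl); raises OSError on failure
        self.min_refresh = min_refresh
        self.stale_timeout = stale_timeout
        self.entries = {}

    def refresh_due_at(self, entry):
        return entry.resolved_at + max(entry.ttl, self.min_refresh)

    def lookup(self, name, now):
        """Return the addresses for name at time `now`, or None if unknown."""
        entry = self.entries.get(name)
        if entry is not None and now < self.refresh_due_at(entry):
            return entry.addresses      # still fresh: no DNS query
        try:
            addresses, ttl = self.resolver(name)
        except OSError:
            if entry is None:
                return None             # never resolved and DNS is down
            if now - entry.resolved_at >= self.stale_timeout:
                del self.entries[name]  # stale for too long: stop using it
                return None
            return entry.addresses      # serve the stale entry while DNS is unreachable
        entry = FqdnEntry(name, tuple(addresses), ttl, now)
        self.entries[name] = entry
        return entry.addresses


class ScriptedResolver:
    """Constructed resolver for the demonstration: returns queued answers in order;
    a queued None simulates an unreachable DNS server."""

    def __init__(self, answers):
        self.answers = list(answers)
        self.calls = 0

    def __call__(self, name):
        self.calls += 1
        answer = self.answers.pop(0)
        if answer is None:
            raise OSError("DNS server unreachable")
        return answer


def run_demo():
    """Walk one constructed FQDN through refresh, outage and stale expiry."""
    resolver = ScriptedResolver([
        (("203.0.113.10",), 5),   # t=0: TTL of 5 s, but min_refresh of 30 s wins
        (("203.0.113.11",), 60),  # t=30: refreshed, the address changed
        None,                     # t=100: DNS down, stale answer is served
        None,                     # t=2000: still down, stale timeout exceeded
    ])
    cache = FqdnCache(resolver, min_refresh=30, stale_timeout=1800)
    timeline = []
    for t in (0, 10, 30, 100, 2000):
        timeline.append((t, cache.lookup("app.example.invalid", t), resolver.calls))
    return timeline


if __name__ == "__main__":
    for t, addresses, calls in run_demo():
        print(f"t={t:5d}s  addresses={addresses}  dns_queries={calls}")
```

The two tunables pull in opposite directions: a low minimum refresh time follows short-TTL cloud records closely at the cost of more DNS queries, and a long stale timeout keeps policy working through a DNS outage at the cost of possibly matching an address the service has since abandoned.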
GRE Tunneling Support
The firewall can now be a GRE tunnel endpoint, so you can send traffic through a GRE tunnel to a point-to-point tunneling peer, and the firewall will inspect and enforce policies as it does for non-tunneling traffic. Cloud services and partner networks often use GRE tunnels for point-to-point connectivity to customer networks. The firewall also supports GRE over IPSec to interoperate with other vendors’ implementations in deployments that encrypt GRE within IPSec.

Wildcard Address Support in Security Policy Rules
When you define private IPv4 addresses for internal devices, you can use an IP addressing pattern that assigns special meaning to certain bits in the IP address. For example, the first three bits in the third octet of an IP address might signify the device type. This structure helps you easily identify device type, location, and other information, based on the IP address of the device. You can also use your same address structure in Security policy rules on the firewall for easier deployment. Additionally, you can now build Security policy rules based on sources and destinations that use a wildcard address and use only specific bits in an IP address as a match. This means you don’t need to manage an unnecessarily large number of address objects to cover all the matching IP addresses or use less restrictive Security policy rules than needed due to IP address capacity constraints. For example, a rule using a single wildcard address can allow all cash registers in the northeastern region of the U.S. to access a specific application. This helps make your Security deployment easier in an environment that uses a discontiguous addressing scheme.

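An added example, written for these notes rather than taken from the product: Python that matches an address against a wildcard specification and expands the specification into the CIDR networks it stands for, which shows why a single wildcard address replaces so many address objects. It assumes the common wildcard-mask convention (a 0 bit in the mask means the address bit must match, a 1 bit means it is ignored) and the address/mask spelling; check the exact syntax against your release's documentation. The device-type addressing scheme is constructed to mirror the third-octet example in the text.

```python
import ipaddress


def parse_wildcard(spec):
    """Split 'address/wildcard-mask' into two 32-bit integers.

    Convention assumed for this example: a 0 bit in the wildcard mask means the
    corresponding address bit must match, a 1 bit means the bit is ignored.
    """
    base, wild = spec.split("/")
    return int(ipaddress.IPv4Address(base)), int(ipaddress.IPv4Address(wild))


def wildcard_matches(spec, ip):
    """True if ip matches the wildcard address spec."""
    base, wild = parse_wildcard(spec)
    fixed = ~wild & 0xFFFFFFFF          # bits that must be equal
    return (int(ipaddress.IPv4Address(ip)) & fixed) == (base & fixed)


def wildcard_to_cidrs(spec):
    """Expand a wildcard address into the minimal list of CIDR networks it covers.

    The trailing run of wildcard bits becomes the host part (prefix length);
    every other wildcard bit has to be enumerated, so a discontiguous mask can
    expand to hundreds or thousands of networks. That count is the number of
    address objects a rule would need without wildcard support.
    """
    base, wild = parse_wildcard(spec)
    trailing = 0
    while trailing < 32 and (wild >> trailing) & 1:
        trailing += 1
    high_bits = [b for b in range(trailing, 32) if (wild >> b) & 1]
    fixed = ~wild & 0xFFFFFFFF
    networks = []
    for combo in range(1 << len(high_bits)):
        addr = base & fixed             # clears every wildcard bit
        for i, bit in enumerate(high_bits):
            if (combo >> i) & 1:
                addr |= 1 << bit
        networks.append(ipaddress.IPv4Network((addr, 32 - trailing)))
    return networks


# Constructed scheme: the top three bits of the third octet encode the device
# type; type 001 (cash registers, say) is 10.<site>.32-63.<host>. The mask
# 0.255.31.255 fixes the first octet and those three bits, ignoring the rest.
CASH_REGISTERS = "10.0.32.0/0.255.31.255"

if __name__ == "__main__":
    for ip in ("10.77.45.9", "10.77.96.9", "11.77.45.9"):
        print(ip, "matches" if wildcard_matches(CASH_REGISTERS, ip) else "no match")
    print(len(wildcard_to_cidrs(CASH_REGISTERS)), "equivalent /19 address objects")
```

When reviewing a rule that uses a wildcard address, expanding it this way is the quickest sanity check that the bits you believe to be fixed really are fixed, since a single misplaced 1 bit in the mask silently widens the match.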
Hostname Option Support for DHCP Clients
When your firewall interface is a DHCP client (a DHCP server assigns a dynamic IPv4 address to the interface), you can now assign a hostname to the interface and send the hostname (Option 12) to the DHCP server. The DHCP server can register the hostname with the DNS server, which can automatically manage hostname-to-dynamic IP address resolutions.

FQDN Support for Static Route Next Hop, PBF Next Hop, and BGP Peer
You can now use an FQDN or FQDN address object in a static route next hop, a PBF next hop, and a BGP peer address. Use of FQDNs reduces configuration and management overhead. Also, in order to simplify provisioning, you can use an FQDN (instead of statically assigning IP addresses to these functions) and the FQDN resolution can change from location to location. You can map the FQDN to the IP address based on the location and deployment requirements. For example, if you are a service provider, you can provide FQDNs for accessing the services and resolve these to the IP address of the closest server for the client (based on the client’s geo-location), so that the same FQDN can be used globally for the service connection.

Dynamic DNS Support for Firewall Interfaces
When you have services hosted behind the firewall or you need to provide remote access to the firewall, you can now automatically register IPv4 and IPv6 address changes to a Dynamic DNS (DDNS) provider whenever the IP address on the firewall interface changes (for example, if the interface is a DHCP client). The firewall registers the change with the DDNS service, which automatically updates the DNS record (IP address-to-hostname mappings). DDNS support helps avoid using external mechanisms to keep the DNS records up to date. The firewall currently supports five DDNS providers: DuckDNS, DynDNS, FreeDNS Afraid.org, FreeDNS Afraid.org Dynamic API, and No-IP.

HA1 SSH Key Refresh
When you need to change your SSH key pairs to secure HA1 communications, you can now refresh the keys without needing to restart the firewalls.

Advanced Session Distribution Algorithms for Destination NAT
In destination NAT, translation to a pool of IP addresses or an FQDN that resolves to multiple IP addresses can be distributed among the addresses based on one of four additional session distribution methods (or the existing round-robin method). The additional distribution methods are source IP hash, IP modulo, IP hash, and least sessions. You can use the distribution method that best suits your destination NAT use case.

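An added example (not the firewall's implementation) showing what each of the five distribution methods named above does to a pool of translated addresses; the pool, the client addresses and the hash function are this example's own choices. The behaviour to note is that source IP hash and IP modulo keep one client on one server, IP hash spreads individual flows, least sessions follows the open-session count, and round robin ignores both.

```python
import hashlib
import ipaddress
import itertools


def _stable_hash(*fields):
    """Deterministic hash over the given fields (Python's hash() is salted per process)."""
    data = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


class DnatDistributor:
    """Illustrative session distribution across a destination NAT pool.

    The five method names mirror the release notes; the hashing details are
    this example's own choices, not the firewall's implementation.
    """

    METHODS = ("round-robin", "source-ip-hash", "ip-modulo", "ip-hash", "least-sessions")

    def __init__(self, pool, method):
        if method not in self.METHODS:
            raise ValueError(f"unknown method {method!r}")
        self.pool = list(pool)
        self.method = method
        self._rr = itertools.cycle(range(len(self.pool)))
        self.active = {addr: 0 for addr in self.pool}   # open sessions per pool member

    def pick(self, src_ip, src_port, dst_ip, dst_port):
        """Choose the translated address for a new session and count it as open."""
        n = len(self.pool)
        if self.method == "round-robin":
            idx = next(self._rr)
        elif self.method == "source-ip-hash":          # same client -> same server
            idx = _stable_hash(src_ip) % n
        elif self.method == "ip-modulo":               # same client -> same server, no hashing
            idx = int(ipaddress.ip_address(src_ip)) % n
        elif self.method == "ip-hash":                 # per-flow spread over the pool
            idx = _stable_hash(src_ip, src_port, dst_ip, dst_port) % n
        else:                                          # least-sessions: lowest open count wins
            idx = min(range(n), key=lambda i: (self.active[self.pool[i]], i))
        chosen = self.pool[idx]
        self.active[chosen] += 1
        return chosen

    def end_session(self, addr):
        """Release a session so least-sessions sees the current load."""
        self.active[addr] -= 1


# Constructed pool of internal servers behind one public address.
POOL = ("10.1.1.10", "10.1.1.11", "10.1.1.12")

if __name__ == "__main__":
    for method in DnatDistributor.METHODS:
        d = DnatDistributor(POOL, method)
        picks = [d.pick("198.51.100.5", 40000 + i, "203.0.113.1", 443) for i in range(4)]
        print(f"{method:15s} {picks}")
```

Source IP hash and IP modulo give session persistence per client, which matters for services that keep per-client state on the server, while IP hash and least sessions spread load more evenly; that trade-off is the "use case" the text refers to.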
VXLAN Tunnel Content Inspection
If you use VXLAN as a transport overlay you can use Tunnel Content Inspection Policy to natively scan traffic within the VXLAN tunnel. For example, if you use VXLAN as a transport overlay to connect your geographically dispersed data centers you can scan and control the individual flows within the tunnel. With support for the VXLAN protocol in Tunnel Content Inspection Policy, you have visibility into VXLAN traffic and can enforce Security Policy rules on this traffic without terminating the tunnel or implementing network changes.

LACP and LLDP Pre-Negotiation on an HA Passive Firewall
An HA passive firewall can negotiate LACP and LLDP before it becomes active. This pre-negotiation reduces failover times by eliminating the delays incurred by LACP or LLDP negotiations. This functionality, previously supported on several firewall models, extends to PA-220, PA-220R, PA-820, PA-850, PA-3200 Series, and PA-5280 firewalls.

DNS Rewrite for Destination NAT (Available with PAN-OS 9.0.2 and later 9.0 releases)
(Requires Applications and Threats content release version 8147 or a later version) You can configure a destination NAT policy rule for a static translation of an IPv4 address to also translate the IPv4 address in a DNS response that matches the rule. This DNS rewrite (translation) prevents the DNS server on one side of the firewall from providing an internal IP address to its client on the external side of the firewall or vice versa. Thus, the IPv4 address in the DNS response undergoes NAT and the firewall forwards the appropriate IPv4 address to the client to reach the destination service.

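The rewrite described above, as an added Python example (not PAN-OS code): a minimal DNS response parser that walks the answer section and replaces any A record whose address is the NAT rule's translated (internal) address with the rule's original (public) address, so that a client on the outside never learns the internal address. The DNS message is constructed inline, the rule mapping is a placeholder, and only A records in the answer section are handled; the opposite direction is the same mapping inverted.

```python
import ipaddress
import struct


def _skip_name(msg, off):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def answer_a_records(msg):
    """Yield (rdata_offset, ipv4_string) for every A record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                                 # fixed 12-byte header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4       # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            yield off, str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
        off += rdlen


def rewrite_dns_response(msg, translation):
    """Return (rewritten_msg, count).

    translation maps the server's real (translated) address to the address the
    client should use (the rule's original destination). Rewriting in place
    keeps the message length, so no other offsets or pointers move.
    """
    out = bytearray(msg)
    count = 0
    for off, ip in answer_a_records(msg):
        if ip in translation:
            out[off:off + 4] = ipaddress.IPv4Address(translation[ip]).packed
            count += 1
    return bytes(out), count


def build_a_response(name, ip, ttl=300, txid=0x1234):
    """Constructed DNS response with one question and one A record answer."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # standard response, RD+RA set
    question = qname + struct.pack("!HH", 1, 1)                 # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


# Constructed NAT rule (placeholder values): public 203.0.113.20 is translated to
# internal 10.1.1.20. The DNS server on the inside answers with the internal
# address, which the firewall rewrites before the answer leaves.
DNS_REWRITE = {"10.1.1.20": "203.0.113.20"}

if __name__ == "__main__":
    response = build_a_response("www.example.com", "10.1.1.20")
    rewritten, n = rewrite_dns_response(response, DNS_REWRITE)
    print(n, "record(s) rewritten:", [ip for _, ip in answer_a_records(rewritten)])
```

Because the A record data is always exactly four bytes, the rewrite is length-preserving, which is what makes it safe to apply without re-encoding the whole message; the same property is why the feature is limited to static one-to-one translations.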
Ignore DF (don’t fragment) Bit (Available with PAN-OS 9.0.9 and later 9.0 releases)
You can configure the firewall globally to fragment IPv4 packets when the DF (don't fragment) bit is set for packets that exceed the egress interface maximum transmission unit (MTU). This feature is applied to Layer 3 and tunnel interfaces when enabled through the CLI.

User-ID Features
New User-ID Feature Description
WinRM Support for Server Monitoring
To create User-ID™ mappings, the PAN-OS integrated User-ID agent can now connect to Microsoft Active Directory and Exchange servers using the lightweight Windows Remote Management (WinRM) protocol. The WinRM protocol greatly improves the speed and efficiency of collecting User-ID mappings.

Shared User-ID Mappings Across Virtual Systems
To easily enforce user-based policy in a multi-vsys environment, you can assign a virtual system as the User-ID hub to share mappings with other virtual systems. This reduces configuration complexity and maximizes the number of mappings available to each virtual system.

User-ID Support for Large Numbers of Terminal Servers
To consistently enforce user-based Security policy in environments with a large number of terminal servers, you can now monitor an increased number of terminal servers per firewall. This simplifies the complexity of network design and firewall configuration, resulting in centralized visibility and policy enforcement for all terminal server users.

WildFire Features
New WildFire Feature Description
WildFire Forwarding Support for Script Files
You can now configure the Palo Alto Networks firewall to automatically forward scripts (JScript, VBScript, and PowerShell Script) for WildFire analysis.

WildFire Appliance Monitoring Enhancements
The WildFire appliance now features new CLI commands and logs additional system events for you to better monitor and manage your appliance performance and resources, as well as providing additional assistance when troubleshooting various issues.

Increased WildFire File Forwarding Capacity
The quantity and maximum size of files that a firewall can forward to WildFire is increased to provide greater visibility and detection of uncommonly large malicious samples.

WildFire Appliance Archive Support
The WildFire appliance can now analyze and classify RAR and 7-Zip archives, which can be used by an adversary to covertly deliver malicious payloads to users. When the WildFire appliance determines that the file contents of an archive are malicious, it generates a signature for the entire archive. The appliance then provides the signature to all connected firewalls to prevent future attacks.

New Hardware Introduced with PAN-OS 9.0


New Hardware Description

PA-7000 100G Network Processing Card (NPC)
The new 100G NPC provides more session capacity than in previous NPCs and improved performance. This new NPC provides the following main features:
• App-ID™ throughput (AppMix) of 72Gbps
• Threat throughput (AppMix) of 35Gbps
• Session capacity up to 32 million
• Four QSFP+/QSFP28 (40Gbps/100Gbps) ports
• Eight SFP/SFP+ (1Gbps/10Gbps) ports
• A new service LED that allows a remote administrator to illuminate the SVC LED on a specific front-slot card so an on-site technician can locate the card.

PA-7000 Switch Management Cards (SMC-B)
The new second-generation SMCs (PA-7050-SMC-B and PA-7080-SMC-B) provide the following main features:
• Higher performance
• Redundant solid-state drives (SSDs) for PAN-OS® and management log storage
• MGT-A, MGT-B, HA1-A, and HA1-B support 1G SFP or 10G SFP+ transceivers
• Micro USB management port

PA-7000 Log Forwarding Card (LFC)
The new Log Forwarding Card (LFC) implements the high speed log forwarding feature introduced in PAN-OS 8.0. The LFC includes the following main features:
• High-speed log forwarding of all dataplane logs to an external log collector (for example, Panorama™ or syslog servers)
• Supports up to 350,000 logs per second to Panorama
• QSFP/QSFP+ ports (port 1 at 10Gbps and port 9 at 40Gbps)

PA-7050 FANTRAY-L/R-A
The new second-generation fan trays for the PA-7050 provide more cooling capacity than the first-generation fan trays and are required when you install the second-generation hardware in a PA-7050 firewall.

PA-7080 EMI Filter
This new EMI filter for existing PA-7080 firewalls reduces electromagnetic interference and is required when you install the second-generation hardware in a PA-7080 firewall. New chassis will have this new filter pre-installed.

Changes to Default Behavior
The following table details the changes in default behavior upon upgrade to PAN-OS® 9.0. You may also want to review the CLI Changes in PAN-OS 9.0 and the Upgrade/Downgrade Considerations before upgrading to this release.

Feature Change

API Key Lifetime
When you generate a new API key, the key metadata includes a timestamp of the creation date, which makes the key larger than keys generated with PAN-OS versions earlier than 9.0.

Default Administrator Password Requirements (PAN-OS 9.0.4 and later 9.0 releases)
Starting with PAN-OS 9.0.4, the firewall enforces password complexity for the default admin account on the first log in. If the current password doesn't meet the complexity requirements, the device prompts you to change it.
The new password must have a minimum of eight characters and include a minimum of one lowercase and one uppercase character, as well as one number or special character. On a new installation, password complexity is enabled with a minimum password length of eight characters.
This change does not affect other administrative users.

HTTP/2 Inspection
The firewall now processes and inspects HTTP/2 traffic by default.
If you want to disable HTTP/2 inspection, you can specify for the firewall to remove any value contained in the Application-Layer Protocol Negotiation (ALPN) TLS extension: select Objects > Decryption > Decryption Profile > SSL Decryption > SSL Forward Proxy and then select Strip ALPN. ALPN is used to secure HTTP/2 connections—when there is no value specified for this TLS extension, the firewall either downgrades HTTP/2 traffic to HTTP/1.1 or classifies it as unknown TCP traffic.

Strict Default Ports for Decrypted Applications, Including Web-Browsing
Application default—which enables you to allow applications only on their most commonly-used ports—now enforces standard port usage for certain applications that use a different default port when encrypted: web-browsing, SMTP, FTP, LDAP, IMAP and POP3.
This means that, if you’re decrypting SSL traffic, a security policy that allows web-browsing on the application default ports now strictly enforces web-browsing on port 80 and SSL-tunneled web-browsing on port 443.
To enhance security, if you currently have a security policy rule configured to allow web-browsing on service-HTTP and service-HTTPS, you might consider updating the rule to instead allow web-browsing on the application-default ports.

Network Processing Card Session Capacity Change (PA-7000-20G-NPC and PA-7000-20GQ-NPC)
The session capacity for these two 20Gbps Network Processing Cards changed from 4 million sessions per NPC to 3.2 million sessions per NPC on firewalls running a PAN-OS 9.0 or later release.

PA-7000 Series Firewall Memory Limit for the Management Server
As of PAN-OS 9.0.10, the PA-7000 Series firewalls have new CLI commands to enable or disable resource control groups and new CLI commands to set an upper memory limit of 8G on a process (mgmtsrvr).
To enable resource-control groups, use:
  debug software resource-control enable
To disable resource-control groups, use:
  debug software resource-control disable
To set the memory limit, use:
  debug management-server limit-memory enable
To remove the memory limit, use:
  debug management-server limit-memory disable
Reboot the firewall to ensure the memory limit change takes effect.

Refresh of Default Trusted CAs
The certificate authorities (CAs) that the firewall trusts by default are updated; new trusted root CAs are added and expired CAs are removed. To view and manage the lists of CAs that the firewall trusts by default, select Device > Certificate Management > Certificates > Default Trusted Certificate Authorities.

VM-50 and VM-50 Lite Firewalls
The minimum memory requirement has changed from 4GB to 4.5GB for the VM-50 Lite and from 4.5GB to 5.5GB for the VM-50 in PAN-OS 9.0. You cannot upgrade the VM-50 Lite without allocating additional memory. If you upgrade the VM-50 with less than 5.5GB memory, it will default to the system capacities (number of sessions, rules, security zones, address objects, etc) associated with the VM-50 Lite.
See Upgrade/Downgrade Considerations for more information.

VM-Series Plugin
Beginning with PAN-OS 9.0, the built-in VM-Series plugin manages interactions between the VM-Series firewalls and the supported public and private cloud platforms. Also, the bootstrap package now has an optional /plugins folder for upgrading a plugin. To configure plugin integrations, select Device > VM-Series.
In Panorama™ 9.0 the VM-Series plugin is available in Panorama > Plugins but must be manually installed.

VXLAN Tunnel Content Inspection
In PAN-OS 8.1 and earlier releases, the firewall used the UDP Session key to create UDP sessions for all tunnel content inspection protocols. It is a six-tuple key (zone, source IP, destination IP, protocol, source port, and destination port), and it remains in use.
PAN-OS 9.0 introduces the VNI Session key specifically for VXLAN tunnel content inspection. The VNI Session key is a five-tuple key incorporating the zone, source IP, destination IP, protocol, and the VXLAN Network Identifier (VNI).
By default, VXLAN tunnels now automatically use the VNI Session key to create a VNI Session, which is visible in logs.
If you prefer to use the UDP Session key for VXLAN (as you did in previous releases), you can define a custom application for VXLAN and use an application override policy to invoke your custom application.

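An added example (not PAN-OS code) that makes the difference between the two keys concrete: it parses the 24-bit VNI out of a VXLAN header, builds both the six-tuple UDP Session key and the five-tuple VNI Session key for a set of constructed packets between two VTEPs, and counts the sessions each key produces. The zone name, VTEP addresses and port numbers are constructed; the VXLAN header layout follows RFC 7348.

```python
from collections import Counter

VXLAN_UDP_PORT = 4789
UDP = 17


def parse_vxlan_vni(header):
    """Extract the 24-bit VNI from an 8-byte VXLAN header (RFC 7348 layout:
    1 byte flags, 3 reserved, 3-byte VNI, 1 reserved)."""
    if len(header) < 8:
        raise ValueError("VXLAN header too short")
    if not header[0] & 0x08:                 # 'I' flag: the VNI field is valid
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    return int.from_bytes(header[4:7], "big")


def build_vxlan_header(vni):
    """Constructed VXLAN header for the demonstration."""
    return bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"


def udp_session_key(pkt):
    """Six-tuple UDP Session key used for tunnel content inspection before 9.0."""
    return (pkt["zone"], pkt["src"], pkt["dst"], UDP, pkt["sport"], pkt["dport"])


def vni_session_key(pkt):
    """Five-tuple VNI Session key introduced in PAN-OS 9.0 for VXLAN."""
    return (pkt["zone"], pkt["src"], pkt["dst"], UDP, parse_vxlan_vni(pkt["vxlan"]))


def session_table(packets, key_func):
    """Count packets per session for the given key function."""
    table = Counter()
    for pkt in packets:
        table[key_func(pkt)] += 1
    return table


def constructed_packets():
    """Constructed outer-header view of four VXLAN packets between two VTEPs.

    The outer UDP source port carries flow entropy (it changes per inner flow),
    while the VNI identifies the overlay segment the inner frame belongs to.
    """
    base = {"zone": "dc-transport", "src": "10.1.1.1", "dst": "10.2.2.2", "dport": VXLAN_UDP_PORT}
    flows = [(49152, 100), (49153, 100), (49154, 200), (49152, 200)]
    return [dict(base, sport=sport, vxlan=build_vxlan_header(vni)) for sport, vni in flows]


if __name__ == "__main__":
    pkts = constructed_packets()
    print("UDP Session key:", len(session_table(pkts, udp_session_key)), "sessions")
    print("VNI Session key:", len(session_table(pkts, vni_session_key)), "sessions")
```

With the UDP key, the entropy source port splits one overlay segment across several sessions and merges two segments that happen to reuse a port; with the VNI key, each tunnel session in the logs corresponds to one overlay segment between the two VTEPs, which is the view an analyst wants when tracing traffic to a particular tenant or network.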
Panorama Commit and Push Operations
• Commit is unavailable (grayed out) when you have no pending changes on Panorama and all managed firewalls and Log Collectors are in sync with Panorama (which means that you have successfully pushed all changes you made on Panorama to all managed firewalls and appliances).
• Commit displays as a green downward arrow when you have pending changes on Panorama that must be committed and pushed to managed devices.
• Commit displays as a yellow sideways arrow when managed firewalls and Log Collectors are out of sync, and you must push the committed Panorama configuration.
• When you Commit and Push your configuration changes on Panorama, you must Edit Selections to specify the Push Scope to managed devices.

Security Group Tag (SGT) Ethertype Support
If you're using Security Group Tags (SGTs) to control user and device access in a Cisco Trustsec network, inline firewalls in Layer 2 or Virtual Wire mode now inspect and provide threat prevention for the tagged traffic by default. Before PAN-OS 9.0, a firewall in Layer 2 or virtual wire mode could allow SGT traffic but did not process and inspect it.
The firewall does not enforce security policy based on SGTs.

Authentication Policy
In PAN-OS 8.1 and earlier, administrators needed to add a rule to decrypt TLS sessions to apply authentication policy. In PAN-OS 9.0, the firewall applies the authentication policy without needing to decrypt the session.

IP Address Registration and Dynamic Address Groups
In PAN-OS 8.1 and earlier, it could take up to 60 seconds to register an IP address, and the associated tags, and update the membership information for a dynamic address group (DAG). In PAN-OS 9.0, IP address registration occurs in real time. Any policy matches for updates on a registered IP address (IP-tag mapping) are reflected only in new sessions. Any existing sessions are reevaluated for a policy match when you perform a commit or the App-ID™ on the session changes.

URL Filtering Overrides
In earlier release versions, URL Filtering overrides had priority enforcement ahead of custom URL categories. As part of the upgrade to PAN-OS 9.0, URL category overrides are converted to custom URL categories, and no longer receive priority enforcement over other custom URL categories. Instead of the action you defined for the category override in previous release versions, the new custom URL category is enforced by the security policy rule with the strictest URL Filtering profile action. From most strict to least strict, possible URL Filtering profile actions are: block, override, continue, alert, and allow. This means that, if you had URL category overrides with the action allow, there’s a possibility the overrides might be blocked after they are converted to custom URL categories in PAN-OS 9.0.
Workaround:
1. Create a URL Filtering Profile that defines site access for a custom URL category. Select Objects > Security Profiles > URL Filtering > Categories, and set the Site Access (like allow or block) for Custom URL Categories that you want to exclude from a URL category.
2. Create a new security policy rule to prioritize enforcement for URL category exceptions. Attach the URL Filtering profile you just created to that rule (Policies > Security > Actions > Profile Setting > Profiles). Because the firewall evaluates rules from top to bottom, make sure that this rule appears at the top of your security policy (Policies > Security).
The Overrides tab objects are removed and Custom URL Category objects are created for firewalls running PAN-OS 8.1 or earlier releases when managed by a Panorama management server that is upgraded to PAN-OS 9.0.
For more details on this, review PAN-OS 9.0 Upgrade and Downgrade Considerations.

CLI Commands for the Option to Hold Web Requests During URL Category Lookup (PAN-OS 9.0.4 or later 9.0 releases)
The CLI commands for this feature are now the following:
1. Enter configure to access Configuration Mode.
2. Enter set deviceconfig setting ctd hold-client-request yes to enable the feature.
3. Commit your changes.

URL Filtering CLI Change
You no longer need to download a predefined set of URLs after activating a URL Filtering license, so the following commands associated with that operation have been removed:
• request url-filtering download paloaltonetworks region <region>
• request url-filtering download status vendor paloaltonetworks

SAML Authentication (PAN-OS 9.0.9 and later 9.0 releases)
To ensure your users can continue to authenticate successfully with SAML Authentication, you must:
• Ensure that you configure the signing certificate of your SAML Identity Provider as the Identity Provider Certificate on the SAML Identity Provider Server Profile.
• Ensure that your SAML IdP sends signed SAML Responses, Assertions, or both.

Associated Software and Content Versions
The following minimum software and content release versions are compatible with PAN-OS® 9.0. To see a list of the next-generation firewall models that support PAN-OS 9.0, see the Palo Alto Networks Compatibility Matrix.

Palo Alto Networks Software or Content Release Version    Minimum Compatible Version with PAN-OS 9.0

Panorama™                                                 9.0

User-ID™ Agent                                            9.0

Terminal Services (TS) Agent                              9.0

GlobalProtect™ App                                        4.1

Applications and Threats Content Release Version          8103

Antivirus Content Release Version                         2874

VMware NSX Plugin Version                                 2.0.3

Limitations
The following are limitations associated with PAN-OS 9.0 releases.

Issue ID Description

— Firewalls and appliances perform a software integrity check periodically when they are running and when they reboot. If you simultaneously boot up multiple instances of a VM-Series firewall on a host or you enable CPU over-subscription on a VM-Series firewall, the firewall boots into maintenance mode when a processing delay results in a response timeout during the integrity check. If your firewall goes into maintenance mode, check the errors and warnings in the fips.log file.
A reboot always occurs during an upgrade, so if you enabled CPU over-subscription on your VM-Series firewall, consider upgrading your firewall during a maintenance window.

PAN-137615 On the Panorama management server, scheduled content updates (Panorama > Device Deployment > Dynamic Updates) for managed VM-Series firewalls configured to Download Only cause commit failures for the VM-Series firewalls.
Workaround: Configure scheduled content updates for VM-Series firewalls to Download and Install.

PAN-128908 If an admin user password is changed but no commit is performed afterward, the new password does not persist after a reboot. Instead, the admin user can still use the old password to log in, and the calculation of expiry days, which is based on the password change timestamp in the database, is incorrect.

PAN-107142 After adding a new virtual system from the CLI, you must log out and log back
in to see the new virtual system within the CLI.

PAN-102264 On Panorama™, the number of Apps Seen on a Security policy rule depends on whether you created the rule in a Shared context or in the context of a particular device group.
For rules created in the Shared context, Apps Seen displays the total number of unique applications seen on each rule in all of the device groups in the Shared context, so a Shared context that includes two device groups—DG1 and DG2—displays the combined number of unique applications seen on the rule in both groups. For example, if DG1 saw two unique applications on the rule and DG2 saw eight unique applications on the rule, Apps Seen shows ten applications seen on the rule, which is the aggregate number of unique applications seen in both device groups; it does not show the number of unique applications in each individual group.
For rules created in a specific device group context, Apps Seen displays the total number of unique applications seen on each rule in that particular device group. For example, if DG2 saw eight unique applications on a rule, Apps Seen shows eight applications seen on the rule.
To get an accurate count of the Apps Seen on a rule for a device group, change the context to the device group in which you created the rule.

PAN-99845 After an HA firewall fails over to its HA peer, sessions established before the
failover might not undergo the following actions in a reliable manner:
• SIP call modifications (some examples include resuming a call that was on
hold, transferring a call, and picking up a parked call).
• Call tear-down.

PAN-99483 (Affects only PA-7000 Series firewalls that do not use second-generation PA-7050-SMC-B or PA-7080-SMC-B Switch Management Cards) When you deploy the firewall in a network that uses Dynamic IP and Port (DIPP) NAT translation with PPTP, client systems are limited to using a translated IP address-and-port pair for only one connection. This issue occurs because the PPTP protocol uses a TCP signaling (control) protocol that exchanges data using Generic Routing Encapsulation (GRE) version 1 and the hardware cannot correlate the call-id in the GRE version 1 header with the correct dataplane (the one that owns the predict session of GRE). This issue occurs even if you configure the Dynamic IP and Port (DIPP) NAT Oversubscription Rate to allow multiple connections (Device > Setup > Session > Session Settings > NAT Oversubscription).
This issue is now resolved. See PAN-OS 9.0.3 Addressed Issues.
Workaround: Upgrade to a second-generation SMC-B card.

PAN-97821 The commit all job is executed from Panorama to the firewall only if the
newly added firewall is running PAN-OS 8.1 or a later release with Auto Push
on 1st Connect enabled.

PAN-92719 When performing destination NAT to a translated address that is Dynamic IP (with session distribution), the firewall does not remove duplicate IP addresses from the list of destination IP addresses before the firewall distributes sessions. The firewall distributes sessions to the duplicate addresses in the same way it distributes sessions to non-duplicate addresses.

PAN-85036 If you use the Panorama management server to manage the configuration of
firewalls in an HA active/active configuration, you must set the Device ID for
each firewall in the HA pair before you upgrade Panorama. If you upgrade
without setting the Device IDs (which determine which peer is the active-
primary peer), you cannot commit configuration changes to Panorama.

PAN-81719 You cannot form an HA pair of Panorama management servers on AWS instances when the management interface on one HA peer is assigned an Elastic Public IP address or when the HA peers are in different Virtual Private Clouds (VPCs).

PAN-79669 The firewall blocks an HTTPS session when the hardware security module
(HSM) is down and a Decryption policy for inbound inspection uses the default
decryption profile for an ECDSA certificate.

Known Issues
The following topics describe known issues in PAN-OS® 9.0 releases.

For recent updates to known issues for a given PAN-OS release, refer to https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm68CAC.

• Known Issues Related to PAN-OS 9.0 Releases
• Known Issues Related to Cortex Data Lake

Known Issues Related to PAN-OS 9.0


The Consolidated List of PAN-OS 9.0 Known Issues includes all known issues that impact a PAN-OS
9.0 release. This list includes both outstanding issues and issues that are addressed in Panorama™,
GlobalProtect™, VM-Series plugins, and WildFire®, as well as known issues that apply more generally or
that are not identified by a specific issue ID.
To review the subset of outstanding known issues for a specific PAN-OS 9.0 maintenance release, see the
following lists:
• PAN-OS 9.0.10 Known Issues
• PAN-OS 9.0.9 Known Issues
• PAN-OS 9.0.8 Known Issues
• PAN-OS 9.0.7 Known Issues
• PAN-OS 9.0.6 Known Issues
• PAN-OS 9.0.5 (and 9.0.5-h3) Known Issues
• PAN-OS 9.0.4 Known Issues
• PAN-OS 9.0.3 (and 9.0.3-h2 and 9.0.3-h3) Known Issues
• PAN-OS 9.0.2 (and 9.0.2-h4) Known Issues
• PAN-OS 9.0.1 Known Issues

Consolidated List of PAN-OS 9.0 Known Issues

Issue ID PAN-OS 9.0 Known Issue Description

— Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.

— A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
• When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
• If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50. The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for licensed capacity for the firewall model.

WF500-4200 The Create Date shown when using the show wildfire global sample-status sha256 equal <hash> or show wildfire global sample-analysis CLI command is two hours behind the actual time for WF-500 appliance samples.

PLUG-1854 (PAN-OS 9.0.2 and later releases on AWS and GCP only) You cannot swap the management interface.
This issue is resolved after you upgrade to VM-Series plugin 1.0.3 and reboot the firewall.

PLUG-1827 (Microsoft Azure only) The firewall drops packets due to larger than expected packet sizes when Accelerated networking is enabled on the firewall (Settings > Networking).
This issue is resolved after you upgrade to VM-Series plugin 1.0.3 and reboot the firewall.

PLUG-1709 (Microsoft Azure only) There is an intermittent issue where the secondary IP address becomes associated with the passive firewall after multiple failovers.
This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Reassign IP addresses to the active and passive firewalls in Azure as needed.

PLUG-1694 (PAYG licenses only) Your pay-as-you-go (PAYG) license is not retained when you upgrade from a PAN-OS 8.1 release to a PAN-OS 9.0 release.
Workaround: Upgrade to VM-Series plugin 1.0.2 (or later) after you upgrade to a PAN-OS 9.0 release and then reboot the firewall to recover your PAYG license.

PLUG-1681 If you bootstrap a PAN-OS 9.0.1 image while using VM-Series plugin 1.0.0, the firewall will not apply the capacity license. To downgrade the VM-Series plugin from version 1.0.2 to 1.0.0, first bootstrap the PAN-OS 9.0.1 image and then downgrade the plugin.

PLUG-1642 After a high availability (HA) failover, the dataplane interface on a VM-Series firewall on Azure with Accelerated Networking (SR-IOV) becomes disabled when, as a result of the failover, the secondary IP address is detached from or attached to the firewall and moved to its HA peer.
This issue is resolved with VM-Series plugin 1.0.2.


PLUG-1503 When a VM-Series firewall on AWS running on a C5 or M5 instance experiences a high availability (HA) failover, the dataplane interfaces from the previously active firewall are not moved to the newly active (previously passive) peer.
This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Check for the latest VM-Series plugin version and install the VM-Series plugin 9.0.0 version; the built-in version is 9.0.0-c29.

PLUG-1074 On the VM-Series firewall on AWS, when you change the instance type, the firewall no longer has a serial number or a license. Additionally, if you manage this firewall using Panorama, it is no longer connected to Panorama.

PLUG-380 When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.

PAN-151909 On the Panorama management server, Preview Changes (Commit > Commit to Panorama) incorrectly displays an existing route as Added and the new route as an existing route in the Candidate Configuration when you configure a new virtual router route (Network > Virtual Router).

PAN-150172 Dataplane processes restart when attempting to access websites that have the NotBefore attribute less than or equal to Unix Epoch Time in the server certificate with forward proxy enabled.
This issue is now resolved. See PAN-OS 9.0.9-h1 Addressed Issues.

PAN-147331 (VM-Series firewalls only) Bootstrapping with .xfr images is not supported. When you use an image with the .xfr filename to bootstrap, it fails with the error No image found.

PAN-146573 PA-7000 Series firewalls configured with a large number of interfaces experience impacted performance and possible timeouts when performing SNMP queries.

PAN-140008 ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server, resulting in a delay in log query and ingestion.

PAN-136701 (PA-7000b Series firewalls only) Packets for new sessions drop when handling predict sessions.
Workaround: Use the following CLI command to bypass this issue:
• set session hwpredict disable yes
To enable hwpredict again, use set session hwpredict disable no.
To verify the current settings, use show session hwpredict status.

PAN-132598 The Panorama management server does not check for duplicate addresses in address groups (Objects > Address Groups) and duplicate services in service groups (Objects > Service Groups) when created from the CLI.

PAN-131915 There is an issue when you implement a new firewall bootstrap with a USB drive where the bootstrap fails and displays the following error message: no USB device found.
Workaround: Perform a factory reset or run the request system private-data-reset CLI command and then proceed with bootstrapping.

PAN-131792 The Name log filter (Monitor > Logs > Traffic) is not maintained when viewing the Log Viewer for a Security policy rule (Policies > Security) from the drop-down menu.
This issue is now resolved. See PAN-OS 9.0.9 Addressed Issues.

PAN-130550 (PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.

PAN-130069 There is an issue where the firewall incorrectly interprets an external dynamic list MineMeld instability error code as an empty external dynamic list.
This issue is now resolved. See PAN-OS 9.0.6 Addressed Issues.

PAN-128650 Selecting Preview Changes under a specific device group results in the following error message: Parameter device group missing.
This issue is now resolved. See PAN-OS 9.0.10 Addressed Issues.

PAN-128269 (PA-5250, PA-5260, and PA-5280 firewalls with 100GB AOC cables only) When you upgrade the first peer in a high availability (HA) configuration to PAN-OS 9.0.3 or a later PAN-OS 9.0 release, the High Speed Chassis Interconnect (HSCI) port does not come up due to an FEC mismatch until after you finish upgrading the second peer.
This issue is now resolved. See PAN-OS 9.0.6 Addressed Issues.

PAN-127189 (VM-Series firewalls only) The non-blocking pattern match setting is enabled by default, which results in CTD performance degradation.
This issue is now resolved. See PAN-OS 9.0.5 Addressed Issues.
Workaround: Manually disable the feature and improve performance by using the following CLI command: set system setting ctd nonblocking-pattern-match disable.

PAN-126921 (PA-7000 Series firewalls only) There is an issue where internal path monitoring fails when the firewall processes corrupt packets.
This issue is now resolved. See PAN-OS 9.0.5 Addressed Issues.

PAN-125775 There is an issue where Panorama management servers deployed using the C5 or M5 instance types on Amazon Web Services (AWS) cause the Panorama instance to stop responding in regions that support these instance types.
This issue is now resolved. See PAN-OS 9.0.5 Addressed Issues.

PAN-125121 (VM-Series firewalls only) There is an issue where custom images do not function as expected for PAN-OS 9.0.
This issue is now resolved. See PAN-OS 9.0.5 Addressed Issues.
Workaround: Use PAN-OS 8.1 for creating custom images.

PAN-124956 There is an issue where VM-Series firewalls do not support packet buffer protection.

PAN-123322 (PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls running PAN-OS 9.0.5 only) There is an intermittent issue where a process (all_pktproc) stops responding due to a Work Query Entry (WQE) corruption that is caused by duplicate child sessions.
This issue is now resolved. See PAN-OS 9.0.6 Addressed Issues.

PAN-121449 (PAN-OS 9.0.3 and later releases only) The Remove Config button on Panorama > Plugins does not remove the configuration for any plugins you have set up on Panorama.
This issue is now resolved. See PAN-OS 9.0.4 Addressed Issues.
Workaround: Manually delete the plugin configuration: select your plugin on Panorama, clear the values from all fields, and Commit your changes.

PAN-120662 (PA-7000 series firewalls using PA-7000-20G-NPC cards only) There is an intermittent issue where an out-of-memory (OOM) condition causes dataplane or internal path monitoring to stop responding.
This issue is now resolved. See PAN-OS 9.0.4 Addressed Issues.

PAN-120440 There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2.

PAN-120303 There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
• Modify the PAN-DB Server IP address on the managed firewall.
1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
2. Commit your changes.
3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
4. Commit your changes.
• Restart the firewall (devsrvr) process.
1. Log in to the firewall CLI.
2. Restart the devsrvr process: debug software restart process device-server

PAN-118628 There is an issue where after you deploy Panorama in Azure, you cannot log in to Panorama with the username and password that was provided during the deployment process.
This issue is now resolved. See PAN-OS 9.0.5 Addressed Issues.

PAN-118525 (PA-5250, PA-5260, PA-5280, and PA-7000 Series firewalls only) There is an issue where the QSFP28 port does not come up with the TR-FC13L-N00 version of the PAN-QSFP28-100GBASE-LR4 optical transceiver on firewalls running a PAN-OS 9.0 release. For assistance, please contact Support.

PAN-118414 (PAN-OS 9.0.2 and later releases only) There is an intermittent issue where a Panorama management server managing Prisma™ Access or Cortex™ Data Lake fails to authorize one-time-password (OTP) submissions during the onboarding process.
Workaround: Downgrade to PAN-OS 9.0.1.

PAN-118108 There is an issue where an API call against a Panorama management server, which triggers the request analyze-shared-policy command, causes Panorama to reboot after you execute the command.
This issue is now resolved. See PAN-OS 9.0.6 Addressed Issues.

PAN-118065 (M-Series Panorama management servers in Management Only mode) When you delete the local Log Collector (Panorama > Managed Collectors), it disables the 1/1 ethernet interface in the Panorama configuration as expected but the interface still displays as Up when you execute the show interface all command in the CLI after you commit.
Workaround: Disable the 1/1 ethernet interface before you delete the local log collector and then commit the configuration change.


PAN-117918 The logs are not visible after you upgrade a Panorama
management server in an HA configuration from PAN-OS 8.1
to PAN-OS 9.0.
Workaround: After you complete the upgrade, log in to the
web interface of the primary Panorama HA peer and perform
a Collector Group push (Commit > Push to Devices > Edit
Selections) or log in to the CLI of the primary Panorama HA
peer and commit force the local configuration.

PAN-117424 Cortex Data Lake without Panorama—where we removed Panorama as a requirement to send logs to Cortex Data Lake—was introduced in PAN-OS 9.0.2, and was not initially supported for PA-220 and PA-800 Series firewalls. This issue details an update we made to support this feature across all firewall platforms. If you successfully onboarded the firewall to Cortex Data Lake before PAN-OS 9.0.3 released, this issue does not impact you. But following the release of PAN-OS 9.0.3, this feature is no longer supported in PAN-OS 9.0.2. If this is a feature you would like to implement, you’ll need to upgrade to PAN-OS 9.0.3. Here’s how you can get started with Cortex Data Lake now.
This issue is now resolved. See PAN-OS 9.0.3 Addressed Issues.

PAN-117043 There is an issue on the Panorama management server and all supported firewalls where special characters contained in the tag names of the Security policy rules return the following error message when you commit or push a configuration: group-tag is invalid.
This issue is now resolved. See PAN-OS 9.0.7 Addressed Issues.
Workaround: Modify the tags and group tags (Objects > Tags) to exclude special characters.

PAN-116436 (Panorama virtual appliances only) There is a disk space calculation error that eventually leads to an erroneous opt/panlogs/ partition full condition and causes a process (CDB) to stop responding.
This issue is now resolved. See PAN-OS 9.0.4 Addressed Issues.

PAN-116084 VM-Series firewalls on Microsoft Azure deployed using MMAP drop traffic when the firewall experiences heavy traffic.
This issue is now resolved. See PAN-OS 9.0.2 Addressed Issues.

PAN-116069 (PA-200 firewalls only) There is a rare out-of-memory (OOM) condition.
This issue is now resolved. See PAN-OS 9.0.3 Addressed Issues.

PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not
accept the DNS value from the initial configuration (init-cfg)
file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in
the bootstrap folder and complete the bootstrap process.


PAN-115816 (Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.

PAN-115733 (PAN-OS firewalls in an HA configuration only) There is a rare issue where data interfaces do not come up after you reboot the firewall when running a C5 or M5 instance type in AWS.
Workaround: Reboot the firewall.

PAN-114495 Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.

PAN-113614 There is an issue with a memory leak associated with commits on Panorama appliances that eventually causes an unexpected restart of the configuration (configd) process.
This issue is now resolved. See PAN-OS 9.0.3 Addressed Issues.

PAN-113501 The Panorama management server returns a Secure Copy (SCP) server connection error after you create an SCP Scheduled Config Export profile (Panorama > Scheduled Config Export) due to the SCP server password exceeding 15 characters in length.
This issue is now resolved. See PAN-OS 9.0.4 Addressed Issues.

PAN-113340 (PA-200 firewalls only) There is an issue where the management plane memory is lower than expected, which causes the management plane to restart.
This issue is now resolved. See PAN-OS 9.0.3 Addressed Issues.

PAN-113117 A newly launched firewall does not get its configuration from Panorama when it first connects if you installed the VM-Series plugin on Panorama. When a newly launched firewall that is bootstrapped connects to Panorama, a process restart occurs on Panorama. Upon restart, you are logged out of the user interface and you need to log in and push the device group and template configuration to the newly connected firewall.
This issue is now resolved. See PAN-OS 9.0.3 Addressed Issues.

PAN-113098 In the firewall web interface, you can temporarily submit change requests for the following URL categories: insufficient-content, high-risk, medium-risk, low-risk, and newly-registered-domains. However, Palo Alto Networks does not support or process change requests for these categories.


PAN-112983 (Firewalls with multiple virtual systems only; no impact to Panorama) If you select any Location other than Shared when
you generate or import a new CA Certificate in a Certificate
Profile (Device > Certificate Management > Certificate
Profile), the firewall adds the newly generated or imported
certificate to vsys1. For example, if you specify vsys3 as the
Location, Add a CA Certificate, and then Generate a new
certificate, the firewall adds the certificate to vsys1 instead of
vsys3. When you click OK to configure the Certificate Profile,
the firewall returns an Operation Failed error message
because it sees a certificate for vsys1 added to vsys3.
Workaround 1:
1. Generate or import the new certificate in a Certificate
Profile (Device > Certificate Management > Certificates >
Device Certificates) and select the appropriate vsys
Location when you generate or import the certificate.
2. When you create or edit the Certificate Profile, specify the
vsys Location and Add the certificate that you generated
(or imported) from the list of existing certificates.
Workaround 2: When you generate or import a new
certificate when you configure a Certificate Profile for a vsys
other than vsys1, specify the Location as Shared.

PAN-112814 H.323-based calls lose audio when the predicted H.245 session cannot convert to Active status, which causes the firewall to incorrectly drop H.245 traffic.
This issue is now resolved. See PAN-OS 9.0.2 Addressed Issues.

PAN-112700 (PA-7000 Series firewalls in an HA configuration only) After you upgrade to PAN-OS 9.0, some logs may display a different rule name than the rule name associated with the universally unique identifier (UUID).
This issue is now resolved. See PAN-OS 9.0.1 Addressed Issues.
Workaround: If you are using Panorama, make a policy
change (such as cloning a rule) in the corresponding device
group, commit the change, and push the updated policy to
managed devices. If you are not using Panorama to manage
your firewalls, make a policy change (such as cloning a rule) on
the firewall and commit the change.

PAN-112699 (VM-Series firewall on AWS running on a C5 or M5 instance only) You cannot use the mgmt-interface-swap command to swap the interfaces for deploying a VM-Series firewall behind a web load balancer (such as AWS ALB or Classic ELB).
This issue is now resolved. See PAN-OS 9.0.2 Addressed Issues.
Workaround: Check for the latest VM-Series plugin version and install the VM-Series plugin 9.0.0 version; the built-in version is 9.0.0-c29.

PAN-112694 (Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.

PAN-112626 When you upgrade to PAN-OS 9.0 with a PAYG Bundle 2 license, the new DNS Security subscription is not available on your VM-Series firewall. This subscription is included with the BYOL and VM-Series ELA when you upgrade.
This issue is now resolved. See PAN-OS 9.0.2 Addressed Issues.

PAN-112562 The Log Forwarding Card (LFC) subinterface incorrectly uses the interface IP address instead of the subinterface IP address for all services that forward logs (such as syslog, email, and SNMP) for selected virtual systems.

PAN-112456 You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories, so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.

PAN-112340 If you enable URL Filtering without enabling Threat Prevention and your environment processes a large number (thousands) of URL look-ups per second per dataplane, you are likely to experience performance issues, including high CPU usage.
This issue is now resolved. See PAN-OS 9.0.2 Addressed Issues.

PAN-111928 Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration,
Commit (Commit > Commit to Panorama) the reverted
configuration to display the invalid configuration errors.

PAN-111866 The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a
Push to Devices operation for the modified device group
and template configurations.
• Manually select the devices that belong to the modified
device group and template configurations.


PAN-111729 If you disable DPDK mode and enable it again, you must
immediately reboot the firewall.

PAN-111708 (PA-3200 Series firewalls only) There is a rare issue where a software issue causes the dataplane to restart unexpectedly.
This issue is now resolved. See PAN-OS 9.0.3 Addressed Issues.

PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV adapter.

PAN-111553 On the Panorama management server, the Include Device and Network Templates setting is disabled by default when you attempt to push changes to managed devices, which causes your push to fail.
This issue is now resolved. See PAN-OS 9.0.2 Addressed Issues.
Workaround: Before you commit and push the configuration
changes from Panorama to your managed devices, edit the
push scope (Commit > Push to Devices > Edit Selections or
Commit > Commit and Push > Edit Selections) to Include
Device and Network Templates.

PAN-111251 Using the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule has no effect.
This issue is now resolved. See PAN-OS 9.0.2 Addressed Issues.

PAN-110794 DGA-based threats shown in the firewall threat log display the
same name for all such instances.

PAN-110603 In some cases, when a port on a PA-7000 Series 100Gbps Network Processor Card (NPC) has an SFP+ transceiver inserted but no cable is connected, the system detects a signal and attempts to tune and link with that port. As a result, if the device at the other end of the connection is rebooted or has an HA failover event, the link is sometimes held down for an extended period of time while the interface attempts to tune itself.
Workaround: Connect a cable to the installed SFP+
transceiver to allow the system to tune and link. Then, when
you disconnect the cable, the system will correctly detect that
the link is down. Alternatively, remove the SFP+ transceiver
from the port.

PAN-109759 The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
This issue is now resolved. See PAN-OS 9.0.4 Addressed Issues.

PAN-109526 The system log does not correctly display the URL for CRL
files; instead, the URLs are displayed with encoded characters.


PAN-108113 If you configure a firewall to use a static route whose next hop is an FQDN and you configure Bidirectional Forwarding Detection (BFD) for that static route, BFD is non-operational for that static route.
This issue is now resolved. See PAN-OS 9.0.1 Addressed Issues.

PAN-108111 If you configure a firewall with a BGP peer that is identified by an FQDN and you configure Bidirectional Forwarding Detection (BFD) for that BGP peer, then BFD is non-operational for that BGP peer.
This issue is now resolved. See PAN-OS 9.0.1 Addressed Issues.

PAN-106989 (PAN-OS 9.0.1 and later PAN-OS 9.0 releases) There is a display-only issue on Panorama that results in a commit failed status for Template Last Commit State (Panorama > Managed Devices > Summary).
Workaround: Push templates to managed devices.

PAN-106675 After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround: Create new threat summary reports (Monitor >
PDF Reports > Manage PDF Summary) containing the top
attackers to mimic the predefined reports.

PAN-105210 (Panorama in FIPS mode only when managing non-FIPS firewalls) You cannot configure a GlobalProtect portal on Panorama in FIPS mode when managing a non-FIPS firewall. If you attempt to do so, you will receive the following error message: agent-user-override-key unexpected here Portal_fips.

PAN-104808 There is an issue where scheduled SaaS reports generate and email empty PDF reports.
This issue is now resolved. See PAN-OS 9.0.4 Addressed Issues.
Workaround: Manually generate the report from the Panorama web interface.

PAN-104780 If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints. Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.


PAN-103336 (HA configurations only) When you downgrade a VM-Series firewall on Azure from PAN-OS 9.0 to an earlier release, you do not receive warnings. Do not downgrade your firewall without saving and exporting your current configuration.
Workaround: Because HA is not supported in earlier versions of VM-Series firewalls on Azure, to prevent the loss of your configuration:
• Save and export the configuration before you downgrade.
• After you downgrade, load the saved configuration and commit your changes. The firewall will resume operation without the HA configuration.

PAN-103276 Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.

PAN-103018 (Panorama plugins) When you use the AND/OR boolean operators to define the match criteria for Dynamic Address Groups on Panorama, the boolean operators do not function properly. The member IP addresses are not included in the address group as expected.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all.

PAN-101537 After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> | <src> in <object-name>

PAN-99483 (PA-5220, PA-5250, PA-5260, and PA-5280 firewalls only) When you deploy the firewall in a network that uses Dynamic IP and Port (DIPP) NAT translation with PPTP, client systems are limited to using a translated IP address-and-port pair for only one connection. This issue occurs because the PPTP protocol uses a TCP signaling (control) protocol that exchanges data using Generic Routing Encapsulation (GRE) version 1 and the hardware cannot correlate the call-id in the GRE version 1 header with the correct dataplane (the one that owns the predict session of GRE). This issue is now resolved for PA-5220 firewalls. See PAN-OS 9.0.3 Addressed Issues.

PAN-98803 If you configure the Panorama plugin to monitor virtual machines or endpoints in your AWS, Azure, or Cisco ACI environment without installing the NSX plugin, the IP-address-to-tag mappings for Dynamic Address Groups are not displayed on Panorama.
Workaround: Install the NSX plugin (you do not need to use the NSX plugin for the installation to resolve this display issue).

PAN-98520 When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.

PAN-97757 GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.

PAN-97524 (Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.

PAN-96985 The request shutdown system command does not shut down the Panorama management server.

PAN-96960 You cannot restart or shut down a Panorama on KVM from the Virtual-manager console or virsh CLI.

PAN-96446 A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.

PAN-95773 On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.

PAN-95717 After 30,000 or more end users log in to the GlobalProtect gateway within a two- to three-hour period, the firewall web interface responds slowly, commits take longer than expected or intermittently fail, and Tech Support File generation times out and fails.

PAN-95602 In a deployment where a Log Collector connects to Panorama management servers in a high availability (HA) configuration, after you switch the Log Collector appliance to Panorama mode, commit operations fail on the appliance.
Workaround: Remove the following node from the running-config.xml file on the Log Collector before switching it to Panorama mode: devices/entry[@name='localhost.localdomain']/deviceconfig/system/panorama-server-2

PAN-95511 The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)

PAN-94966 After you delete disconnected and connected Terminal Server (TS) agents in the same operation, the firewall still displays the IP address-to-port-user mappings (show user ip-port-user-mapping CLI command) for the disconnected TS agents you deleted (Device > User Identification > Terminal Services Agents).
Workaround: Do not delete both disconnected and connected TS agents in the same operation.

PAN-94846 When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.


PAN-94093 HTTP Header Insertion does not work when jumbo frames are
received out of order.

PAN-93968 The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.

PAN-93842 The logging status of a Panorama Log Collector deployed on AWS or Azure displays as disconnected when you configure the ethernet1/1 to ethernet1/5 interfaces for log collection (Panorama > Managed Collectors > Interfaces). This results in firewalls not sending logs to the Log Collector.
Workaround: Configure the management (MGT) interface for log collection.

PAN-93607 When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn't list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).

PAN-93193 The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
• Switch to the firewall Context on the Panorama management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being installed.
• Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall. Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.

PAN-92155 You cannot configure an IP address using templates for HA2 (Device > High Availability > Data Link (HA2)) when set to IP or Ethernet for Panorama management servers in a high availability (HA) configuration. This issue is now resolved. See PAN-OS 9.0.1 Addressed Issues.
Workaround: Configure HA2 in the CLI using the following commands:

> configure
# set template <template_name> config deviceconfig high-availability interface ha2 ip-address <IP_address>

PAN-91802 On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.

PAN-88987 When you configure a PA-5220 firewall with Dynamic IP and Port (DIPP) NAT, the number of translated IP addresses cannot exceed 3,000; otherwise, the commit fails. This issue is now resolved. See PAN-OS 9.0.3 Addressed Issues.

PAN-86903 In rare cases, PA-800 Series firewalls shut themselves down due to a false over-current measurement.

PAN-85691 Authentication policy rules based on multi-factor authentication (MFA) don't block connections to an MFA vendor when the MFA server profile specifies a Certificate Profile that has the wrong certificate authority (CA) certificate. This issue is now resolved. See PAN-OS 9.0.1 Addressed Issues.

PAN-84670 When you disable decryption for HTTPS traffic, end users who don't have valid authentication timestamps can access HTTPS services and applications regardless of Authentication policy. This issue is now resolved. See PAN-OS 9.0.4 Addressed Issues.
Workaround: Create a Security policy rule that blocks HTTPS traffic that is not decrypted.

PAN-84488 On PA-7000 Series and PA-5200 Series firewalls, client systems can use a translated IP address-and-port pair for only one connection even if you configure the Dynamic IP and Port (DIPP) NAT Oversubscription Rate to allow multiple connections (Device > Setup > Session > Session Settings > NAT Oversubscription).

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.

PAN-83598 VM-Series firewalls cannot monitor more than 500 virtual machine (VM) information sources (Device > VM Information Sources).

PAN-83236 The VM-Series firewall on Google Compute Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).

PAN-81521 Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.

PAN-79423 Panorama cannot push address group objects from device groups to managed firewalls when zones specify the objects in the User Identification ACL include or exclude lists (Network > Zones) and the Share Unused Address and Service Objects with Devices option is disabled (Panorama > Setup > Management > Panorama Settings).

PAN-77125 PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don't close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.

PAN-75457 (PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error: the commit fails and the cluster becomes unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a
Data Filtering profile blocks files.

PAN-73401 (PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
• You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
• You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
• After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
• Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

or

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

Both commands result in Panorama reporting that the controller nodes are in sync.

PAN-71329 Local users and user groups in the Shared location (all virtual
systems) are not available to be part of the user-to-application
mapping for GlobalProtect Clientless VPN applications
(Network > GlobalProtect > Portals > <portal> > Clientless
VPN > Applications).
Workaround: Create users and user groups in specific virtual
systems on firewalls that have multiple virtual systems. For
single virtual systems (like VM-Series firewalls), users and user
groups are created under Shared and are not configurable for
Clientless VPN applications.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are
enabled on the same IP address, then when a user logs out of
the GlobalProtect portal, the administrative user is also logged
out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web
interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).

PAN-41558 When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround: Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.

PAN-40079 The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.

PAN-38255 When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.

PAN-31832 The following issues apply when configuring a firewall to use a hardware security module (HSM):
• nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
• SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.

PAN-25046 Firewalls store SSH host keys used for SCP log exports in the
known hosts file. In an HA deployment, PAN-OS synchronizes
the SCP log export configuration between the firewall HA
peers (Device > Scheduled Log Export), but not the known
host file. When a failover occurs, the SCP log export fails.
Workaround: Log in to each peer in HA, select Device >
Scheduled Log Export > <log_export_configuration>, and Test
SCP server connection to confirm the host key so that SCP log
forwarding continues to work after a failover.

PAN-OS 9.0.10 Known Issues


The following list includes only outstanding known issues specific to the PAN-OS 9.0.10 maintenance
release. This list includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®,
as well as known issues that apply more generally or that are not identified by an issue ID. For a complete
list of existing and addressed known issues in all PAN-OS 9.0 releases, see the Consolidated List of PAN-OS
9.0 Known Issues.

Issue ID Description

— Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.

— A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
• When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
• If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50. The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for licensed capacity for the firewall model.

— A Panorama management server running PAN-OS 9.0 does not currently support management of appliances running WildFire 7.1 or earlier releases. Even though these management options are visible on the Panorama 9.0 web interface (Panorama > Managed WildFire Clusters and Panorama > Managed WildFire Appliances), making changes to these settings for appliances running WildFire 7.1 or an earlier release has no effect.

WF500-4200 The Create Date shown when using the show wildfire global sample-status sha256 equal <hash> or show wildfire global sample-analysis CLI command is two hours behind the actual time for WF-500 appliance samples.

PLUG-1854 (PAN-OS 9.0.2 and later releases on AWS and GCP only) You cannot swap the management interface. This issue is resolved with VM-Series plugin 1.0.3.

PLUG-1827 (Microsoft Azure only) The firewall drops packets due to larger than expected packet sizes when Accelerated networking is enabled on the firewall (Settings > Networking). This issue is resolved after you upgrade to VM-Series plugin 1.0.3 and reboot the firewall.

PLUG-1709 (Microsoft Azure only) There is an intermittent issue where the secondary IP address becomes associated with the passive firewall after multiple failovers. This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Reassign IP addresses to the active and passive firewalls in Azure as needed.

PLUG-1694 (PAYG licenses only) Your pay-as-you-go (PAYG) license is not retained when you upgrade from a PAN-OS 8.1 release to a PAN-OS 9.0 release.
Workaround: Upgrade to VM-Series plugin 1.0.2 (or later) after you upgrade to a PAN-OS 9.0 release and then reboot the firewall to recover your PAYG license.

PLUG-1681 If you bootstrap a PAN-OS 9.0.1 image while using VM-Series plugin 1.0.0, the firewall will not apply the capacity license. To downgrade the VM-Series plugin from version 1.0.2 to 1.0.0, first bootstrap the PAN-OS 9.0.1 image and then downgrade the plugin.

PLUG-1642 After a high availability (HA) failover, the dataplane interface on a VM-Series firewall on Azure with Accelerated Networking (SR-IOV) becomes disabled when, as a result of the failover, the secondary IP address is detached from or attached to the firewall and moved to its HA peer. This issue is resolved with VM-Series plugin 1.0.2.

PLUG-1503 When a VM-Series firewall on AWS running on a C5 or M5 instance experiences a high availability (HA) failover, the dataplane interfaces from the previously active firewall are not moved to the newly active (previously passive) peer. This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Check for the latest VM-Series plugin version and install the VM-Series plugin 9.0.0 version; the built-in version is 9.0.0-c29.

PLUG-1074 On the VM-Series firewall on AWS, when you change the instance type, the firewall no longer has a serial number or a license. Additionally, if you manage this firewall using Panorama, it is no longer connected to Panorama.

PLUG-380 When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.

PAN-151909 On the Panorama management server, Preview Changes (Commit > Commit to Panorama) incorrectly displays an existing route as Added and the new route as an existing route in the Candidate Configuration when you configure a new virtual router route (Network > Virtual Router).


PAN-150172 Dataplane processes restart when attempting to access websites that have the NotBefore attribute less than or equal to Unix Epoch Time in the server certificate with forward proxy enabled. This issue is now resolved. See PAN-OS 9.0.9-h1 Addressed Issues.

PAN-146573 PA-7000 Series firewalls configured with a large number of interfaces experience impacted performance and possible timeouts when performing SNMP queries.

PAN-136701 (PA-7000b Series firewalls only) Packets for new sessions drop when handling predict sessions.
Workaround: Use the following CLI command to bypass this issue:
• set session hwpredict disable yes
To enable hwpredict again, run set session hwpredict disable no. To verify the current setting, run show session hwpredict status.

PAN-131915 There is an issue when you implement a new firewall bootstrap with a USB drive where the bootstrap fails and displays the following error message: no USB device found.
Workaround: Perform a factory reset or run the request system private-data-reset CLI command and then proceed with bootstrapping.

PAN-124956 There is an issue where VM-Series firewalls do not support packet buffer protection.

PAN-120440 There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2.

PAN-120303 There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even after you configure the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
• Modify the PAN-DB Server IP address on the managed firewall.
1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
2. Commit your changes.
3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
4. Commit your changes.
• Restart the firewall (devsrvr) process.
1. Log in to the firewall CLI.
2. Restart the devsrvr process: debug software restart process device-server

PAN-118525 (PA-5250, PA-5260, PA-5280, and PA-7000 Series firewalls only) There is an issue where the QSFP28 port does not come up with the TR-FC13L-N00 version of the PAN-QSFP28-100GBASE-LR4 optical transceiver on firewalls running a PAN-OS 9.0 release. For assistance, please contact Support.

PAN-118414 (PAN-OS 9.0.2 and later releases only) There is an intermittent issue where a Panorama management server managing Prisma™ Access or Cortex™ Data Lake fails to authorize one-time-password (OTP) submissions during the onboarding process.
Workaround: Downgrade to PAN-OS 9.0.1.

PAN-117043 There is an issue on the Panorama management server and all supported firewalls where special characters contained in the tag names of the Security policy rules cause the following error message when you commit or push a configuration: group-tag is invalid.
Workaround: Modify the tags and group tags (Objects > Tags) to exclude special characters.

PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add the DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.

PAN-115816 (Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.

PAN-115733 (PAN-OS firewalls in an HA configuration only) There is a rare issue where data interfaces do not come up after you reboot the firewall when running a C5 or M5 instance type in AWS.
Workaround: Reboot the firewall.

PAN-114495 Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets. Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.

PAN-113117 A newly launched firewall does not get its configuration from
Panorama when it first connects if you installed the VM-Series
plugin on Panorama. When a newly launched firewall that is
bootstrapped connects to Panorama, a process restart occurs
on Panorama. Upon restart, you are logged out of the user
interface and you need to log in and push the device group
and template configuration to the newly connected firewall.

PAN-113098 In the firewall web interface, you can temporarily submit
change requests for the following URL categories: insufficient-content,
high-risk, medium-risk, low-risk, and newly-registered-domains.
However, Palo Alto Networks does not support or process change
requests for these categories.

PAN-112983 (Firewalls with multiple virtual systems only; no impact to
Panorama) If you select any Location other than Shared when you
generate or import a new CA Certificate in a Certificate Profile
(Device > Certificate Management > Certificate Profile), the firewall
adds the newly generated or imported certificate to vsys1. For
example, if you specify vsys3 as the Location, Add a CA Certificate,
and then Generate a new certificate, the firewall adds the certificate
to vsys1 instead of vsys3. When you click OK to configure the
Certificate Profile, the firewall returns an Operation Failed error
message because it sees a certificate for vsys1 added to vsys3.
Workaround 1:
1. Generate or import the new certificate outside the Certificate
Profile (Device > Certificate Management > Certificates > Device
Certificates) and select the appropriate vsys Location when you
generate or import the certificate.
2. When you create or edit the Certificate Profile, specify the vsys
Location and Add the certificate that you generated (or imported)
from the list of existing certificates.
Workaround 2: When you generate or import a new certificate while
configuring a Certificate Profile for a vsys other than vsys1, specify
the Location as Shared.

PAN-112694 (Firewalls with multiple virtual systems only) If you
configure dynamic DNS (DDNS) on a new interface (associated with vsys1
or another virtual system) and you then create a New Certificate
Profile from the drop-down, you must set the location for the
Certificate Profile to Shared. If you configure DDNS on an existing
interface and then create a new Certificate Profile, we also recommend
that you choose the Shared location instead of a specific virtual
system. Alternatively, you can select a preexisting certificate
profile instead of creating a new one.

PAN-112626 When you upgrade to PAN-OS 9.0 with a PAYG Bundle 2
license, the new DNS Security subscription is not available on your
VM-Series firewall. This subscription is included with the BYOL and
VM-Series ELA licenses when you upgrade.

PAN-112562 The Log Forwarding Card (LFC) subinterface incorrectly uses
the interface IP address instead of the subinterface IP address for
all services that forward logs (such as syslog, email, and SNMP) for
selected virtual systems.

PAN-112456 You can temporarily submit a change request for a URL
category with more than two suggested categories. However, we support
only two suggested categories, so add no more than two suggested
categories to a change request until we address this issue. If you
submit more than two suggested categories, we use only the first two
categories you enter.

PAN-111928 Invalid configuration errors are not displayed as expected
when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit
(Commit > Commit to Panorama) the reverted configuration to display
the invalid configuration errors.

PAN-111866 The push scope selection on the Panorama web interface
displays incorrectly even though the commit scope displays as
expected. This issue occurs when one administrator makes configuration
changes to separate device groups or templates that affect multiple
firewalls and a different administrator attempts to push those
changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a Push to
Devices operation for the modified device group and template
configurations.
• Manually select the devices that belong to the modified device
group and template configurations.

PAN-111729 If you disable DPDK mode and enable it again, you must
immediately reboot the firewall.

PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV
adapter.

PAN-110794 DGA-based threats shown in the firewall threat log display the
same name for all such instances.

PAN-110603 In some cases, when a port on a PA-7000 Series 100Gbps
Network Processor Card (NPC) has an SFP+ transceiver inserted but no
cable is connected, the system detects a signal and attempts to tune
and link with that port. As a result, if the device at the other end
of the connection is rebooted or has an HA failover event, the link is
sometimes held down for an extended period of time while the
interface attempts to tune itself.
Workaround: Connect a cable to the installed SFP+ transceiver to allow
the system to tune and link. Then, when you disconnect the cable, the
system correctly detects that the link is down. Alternatively, remove
the SFP+ transceiver from the port.

PAN-109526 The system log does not correctly display the URL for CRL
files; instead, the URLs are displayed with encoded characters.

PAN-106989 There is a display-only issue on Panorama that results in a
commit failed status for Template Last Commit State (Panorama >
Managed Devices > Summary).
Workaround: Push templates to managed devices.

PAN-106675 After upgrading the Panorama management server to PAN-OS
8.1 or a later release, predefined reports do not display a list of
top attackers.
Workaround: Create new threat summary reports (Monitor > PDF Reports >
Manage PDF Summary) containing the top attackers to mimic the
predefined reports.

PAN-105210 (Panorama in FIPS mode only when managing non-FIPS
firewalls) You cannot configure a GlobalProtect portal on Panorama in
FIPS mode when managing a non-FIPS firewall. If you attempt to do so,
you receive the following error message: agent-user-override-key
unexpected here Portal_fips.

PAN-104780 If you configure a HIP object to match only when a
connecting endpoint is managed (Objects > GlobalProtect > HIP Objects
> <hip-object> > General > Managed), iOS and Android endpoints that
are managed by AirWatch are unable to match the HIP object and the
HIP report incorrectly indicates that these endpoints are not managed.
This issue occurs because GlobalProtect gateways cannot correctly
identify the managed status of these endpoints. Additionally, iOS
endpoints that are managed by AirWatch are unable to match HIP
objects based on the endpoint serial number because GlobalProtect
gateways cannot identify the serial numbers of these endpoints; these
serial numbers do not appear in the HIP report.

PAN-103336 (HA configurations only) When you downgrade a VM-Series
firewall on Azure from PAN-OS 9.0 to an earlier release, you do not
receive warnings. Do not downgrade your firewall without saving and
exporting your current configuration.
Workaround: Because HA is not supported in earlier versions of
VM-Series firewalls on Azure, to prevent the loss of your
configuration:
• Save and export the configuration before you downgrade.
• After you downgrade, load the saved configuration and commit your
changes. The firewall resumes operation without the HA configuration.

PAN-103276 Adding a disk to a virtual appliance running Panorama 8.1
or a later release on VMware ESXi 6.5 Update 1 causes the Panorama
virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 Update 2 and add the
disk again.

PAN-103018 (Panorama plugins) When you use the AND/OR boolean
operators to define the match criteria for Dynamic Address Groups on
Panorama, the boolean operators do not function properly. The member
IP addresses are not included in the address group as expected.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping
information registered on a firewall or virtual system is not deleted
when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following
command to unregister the IP address-to-tag mappings:
debug object registered-ip clear all

PAN-101537 After you configure and push address and address group
objects in Shared and vsys-specific device groups from
the Panorama management server to managed firewalls,
executing the show log <log-type> direction equal
<direction> <dst> | <src> in <object-name>
command on a managed firewall only returns address and
address group objects pushed from the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal
<direction> query equal ‘vsys eq <vsys-name>’
<dst> | <src> in <object-name>

PAN-98803 If you configure the Panorama plugin to monitor virtual
machines or endpoints in your AWS, Azure, or Cisco ACI environment
without installing the NSX plugin, the IP address-to-tag mappings for
Dynamic Address Groups are not displayed on Panorama.
Workaround: Install the NSX plugin (you do not need to use the NSX
plugin; installing it is enough to resolve this display issue).

PAN-98520 When booting or rebooting a PA-7000 Series firewall with the
SMC-B installed, the BIOS console output displays attempts to connect
to the card's controller in the System Memory Speed section. You can
ignore these messages.

PAN-97757 GlobalProtect authentication fails with an Invalid
username/password error (because the user is not found in the Allow
List) after you enable GlobalProtect authentication cookies and add a
RADIUS group to the Allow List of the authentication profile used to
authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies.
Alternatively, disable (clear) Retrieve user group from RADIUS in the
authentication profile and configure group mapping from Active
Directory (AD) through LDAP.

PAN-97524 (Panorama management server only) The Security Zone and
Virtual System columns (Network tab) display None after a Device
Group and Template administrator with read-only privileges performs a
context switch.

PAN-96985 The request shutdown system command does not shut down the
Panorama management server.

PAN-96960 You cannot restart or shut down a Panorama virtual appliance
on KVM from the virt-manager console or the virsh CLI.

PAN-96446 A firewall that is not included in a Collector Group fails
to generate a system log if logs are dropped when forwarded to a
Panorama management server that is running in Management Only mode.

PAN-95773 On VM-Series firewalls that have Data Plane Development Kit
(DPDK) enabled and that use the i40e network interface card (NIC), the
show session info CLI command displays an inaccurate throughput and
packet rate.
Workaround: Disable DPDK by running the set system setting
dpdk-pkt-io off CLI command.

PAN-95717 After 30,000 or more end users log in to the GlobalProtect
gateway within a two- to three-hour period, the firewall web interface
responds slowly, commits take longer than expected or intermittently
fail, and Tech Support File generation times out and fails.

PAN-95602 In a deployment where a Log Collector connects to Panorama
management servers in a high availability (HA) configuration, after
you switch the Log Collector appliance to Panorama mode, commit
operations fail on the appliance.
Workaround: Remove the following node from the running-config.xml file
on the Log Collector before switching it to Panorama mode:
devices/entry[@name='localhost.localdomain']/deviceconfig/system/panorama-server-2
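
The workaround above is a manual edit of the Log Collector's exported running-config.xml. The following Python script is an added example (it is not part of the Palo Alto Networks documentation or tooling) that removes exactly that node with the standard library's ElementTree, leaving every other node untouched and reporting how many nodes it removed. The embedded configuration fragment is constructed for the example and contains only the nodes the workaround touches; the file names in the usage line are placeholders.

```python
"""Remove the panorama-server-2 node from a PAN-OS running-config.xml.

Added example. The sample XML below is constructed and only contains the
nodes the release-note workaround refers to.
"""
import sys
import xml.etree.ElementTree as ET
from typing import Tuple

# Constructed sample of the relevant part of a Log Collector running-config.xml.
SAMPLE_CONFIG = """<config version="9.0.0">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <hostname>lc-01</hostname>
          <panorama-server>192.0.2.10</panorama-server>
          <panorama-server-2>192.0.2.11</panorama-server-2>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""

# Path from the release note, minus the final node name, relative to <config>.
SYSTEM_XPATH = "devices/entry[@name='localhost.localdomain']/deviceconfig/system"
NODE_NAME = "panorama-server-2"


def remove_secondary_panorama(xml_text: str) -> Tuple[str, int]:
    """Return (new_xml, removed_count) with every panorama-server-2 node under
    the documented system path removed. Other nodes are left as they are."""
    root = ET.fromstring(xml_text)
    system = root.find(SYSTEM_XPATH)
    removed = 0
    if system is not None:
        for node in system.findall(NODE_NAME):
            system.remove(node)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def strip_file(src: str, dst: str) -> int:
    """Read src, write the cleaned XML to dst, return the number of removed nodes.
    Writing to a separate file keeps the original export as a fallback."""
    with open(src, encoding="utf-8") as fh:
        new_xml, removed = remove_secondary_panorama(fh.read())
    with open(dst, "w", encoding="utf-8") as fh:
        fh.write(new_xml)
    return removed


if __name__ == "__main__":
    # Usage (placeholder file names):
    #   python strip_panorama2.py running-config.xml running-config.clean.xml
    if len(sys.argv) == 3:
        print(f"removed {strip_file(sys.argv[1], sys.argv[2])} node(s)")
    else:
        _, count = remove_secondary_panorama(SAMPLE_CONFIG)
        print(f"removed {count} node(s) from the constructed sample")
```

Running the cleaned file through the script a second time removes nothing, which is a quick way to confirm the node is gone before you switch the appliance to Panorama mode.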

PAN-95511 The name for an address object, address group, or an
external dynamic list must be unique. Duplicate names for these
objects can result in unexpected behavior when you reference the
object in a policy rule.
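
Because a policy rule references these objects by name only, a name that resolves to two different objects is a policy-integrity problem, not just a cosmetic one. The following Python lint is an added example (not Palo Alto Networks code) that walks an exported firewall configuration and reports every address, address-group or external-list name that is defined more than once, whether the duplicates are of different object types or live in different locations (Shared versus a vsys). Treating a Shared/vsys collision as a duplicate is an assumption made to be conservative; the release note itself only says the names must be unique. The XML fragment is constructed for the example.

```python
"""Flag duplicate address / address-group / external dynamic list names in an
exported PAN-OS configuration. Added example; the XML fragment is constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Tuple

OBJECT_TYPES = ("address", "address-group", "external-list")

# Constructed sample: "web-srv" is defined in Shared and again in vsys1, and
# the name "blocklist" is used by an EDL in Shared and an address group in vsys1.
SAMPLE_CONFIG = """<config>
  <shared>
    <address>
      <entry name="web-srv"><ip-netmask>10.0.0.5/32</ip-netmask></entry>
    </address>
    <external-list>
      <entry name="blocklist"><type><ip><url>https://lists.example/ip.txt</url></ip></type></entry>
    </external-list>
  </shared>
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <address>
            <entry name="web-srv"><ip-netmask>10.1.0.5/32</ip-netmask></entry>
            <entry name="db-srv"><ip-netmask>10.1.0.6/32</ip-netmask></entry>
          </address>
          <address-group>
            <entry name="blocklist"><static><member>db-srv</member></static></entry>
          </address-group>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
"""

Location = Tuple[str, str]  # (location such as "shared" or "vsys1", object type)


def collect_object_names(xml_text: str) -> Dict[str, List[Location]]:
    """Map every object name to the (location, type) pairs that define it."""
    root = ET.fromstring(xml_text)
    seen: Dict[str, List[Location]] = defaultdict(list)
    for otype in OBJECT_TYPES:
        for entry in root.findall(f"shared/{otype}/entry"):
            seen[entry.get("name")].append(("shared", otype))
    for vsys in root.findall("devices/entry/vsys/entry"):
        for otype in OBJECT_TYPES:
            for entry in vsys.findall(f"{otype}/entry"):
                seen[entry.get("name")].append((vsys.get("name"), otype))
    return seen


def find_duplicate_names(xml_text: str) -> Dict[str, List[Location]]:
    """Names defined more than once, across object types or across locations."""
    return {name: locs for name, locs in collect_object_names(xml_text).items()
            if len(locs) > 1}


if __name__ == "__main__":
    for name, locations in sorted(find_duplicate_names(SAMPLE_CONFIG).items()):
        where = ", ".join(f"{loc}/{otype}" for loc, otype in locations)
        print(f"duplicate name {name!r}: {where}")
```

Run it against a full `running-config.xml` export before you push policy; on the constructed sample it reports `web-srv` and `blocklist` and stays silent on `db-srv`.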

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8
and earlier releases, the firewall does not apply password profile
settings (Device > Password Profiles) until after you upgrade to
PAN-OS 8.0.9 or a later release and then only after you modify the
account passwords. (Administrator accounts that you create in PAN-OS
8.0.9 or a later release do not require you to change the passwords
to apply password profile settings.)

PAN-94966 After you delete disconnected and connected Terminal Server
(TS) agents in the same operation, the firewall still displays the IP
address-to-port-user mappings (show user ip-port-user-mapping CLI
command) for the disconnected TS agents you deleted (Device > User
Identification > Terminal Services Agents).
Workaround: Do not delete both disconnected and connected TS agents
in the same operation.

PAN-94846 When DPDK is enabled on the VM-Series firewall with the i40e
virtual function (VF) driver, the VF does not detect the link status
of the physical link. The VF link status remains up, regardless of
changes to the physical link state.

PAN-94093 HTTP Header Insertion does not work when jumbo frames are
received out of order.

PAN-93968 The firewall and Panorama web interfaces display
vulnerability threat IDs that are not available in PAN-OS 9.0
releases (Objects > Security Profiles > Vulnerability Protection >
<profile> > Exceptions). To confirm whether a particular threat ID is
available in your release, monitor the release notes for each new
Applications and Threats content update or check the Palo Alto
Networks Threat Vault to see the minimum PAN-OS release version for a
threat signature.

PAN-93842 The logging status of a Panorama Log Collector deployed on
AWS or Azure displays as disconnected when you configure the
ethernet1/1 to ethernet1/5 interfaces for log collection (Panorama >
Managed Collectors > Interfaces). This results in firewalls not
sending logs to the Log Collector.
Workaround: Configure the management (MGT) interface for log
collection.

PAN-93607 When you configure a VM-500 firewall with an SCTP
Protection profile (Objects > Security Profiles > SCTP Protection)
and you try to add the profile to an existing Security Profile Group
(Objects > Security Profile Groups), the Security Profile Group
doesn't list the SCTP Protection profile in its drop-down list of
available profiles.
Workaround: Create a new Security Profile Group and select the SCTP
Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 9.0 as an
nCipher HSM client, the web interface on the firewall displays the
nCipher server status as Not Authenticated, even though the HSM state
is up (Device > Setup > HSM).

PAN-93193 The memory-optimized VM-50 Lite intermittently performs
slowly and stops processing traffic when memory utilization is
critically high. To prevent this issue, make sure that you do not:
• Switch to the firewall Context on the Panorama management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being installed.
• Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical
System log for memory utilization, wait for 5 minutes and then
manually reboot the firewall. Use the Task Manager to verify that you
are not performing memory-intensive tasks, such as installing dynamic
updates, committing changes, or generating reports, at the same time
on the firewall.

PAN-91802 On a VM-Series firewall, the clear session all CLI command
does not clear GTP sessions.

PAN-86903 In rare cases, PA-800 Series firewalls shut themselves down
due to a false over-current measurement.

PAN-84488 On PA-7000 Series and PA-5200 Series firewalls, client
systems can use a translated IP address-and-port pair for only one
connection even if you configure the Dynamic IP and Port (DIPP) NAT
Oversubscription Rate to allow multiple connections (Device > Setup >
Session > Session Settings > NAT Oversubscription).

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100
network processor) that has session offload enabled (default)
incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently
disable session offload for only UDP traffic using the set session
udp-offload no CLI command.

PAN-83598 VM-Series firewalls cannot monitor more than 500 virtual
machine (VM) information sources (Device > VM Information Sources).

PAN-83236 The VM-Series firewall on Google Cloud Platform does not
publish firewall metrics to Google Stackdriver Monitoring when you
manually configure a DNS server IP address (Device > Setup >
Services).
Workaround: The VM-Series firewall on Google Cloud Platform must use
the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work
when you import the ECDSA private keys onto an nCipher nShield
hardware security module (HSM).

PAN-81521 Endpoints fail to authenticate to GlobalProtect through
Kerberos when you specify an FQDN instead of an IP address in the
Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround: Replace the FQDN with the IP address in the Kerberos
server profile.

PAN-79423 Panorama cannot push address group objects from device
groups to managed firewalls when zones specify the objects in the
User Identification ACL include or exclude lists (Network > Zones)
and the Share Unused Address and Service Objects with Devices option
is disabled (Panorama > Setup > Management > Panorama Settings).

PAN-77125 PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls
configured in tap mode don't close offloaded sessions after
processing the associated traffic; the sessions remain open until
they time out.
Workaround: Configure the firewalls in virtual wire mode instead of
tap mode, or disable session offloading by running the set session
offload no CLI command.

PAN-75457 (PAN-OS 8.0.1 and later releases) In WildFire appliance
clusters that have three or more nodes, the Panorama management
server does not support changing node roles. In a three-node cluster,
for example, you cannot use Panorama to configure the worker node as
a controller node by adding the HA and cluster controller
configurations, configure an existing controller node as a worker
node by removing the HA configuration, and then commit and push the
configuration. Attempts to change cluster node roles from Panorama
result in a validation error: the commit fails and the cluster
becomes unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a
Data Filtering profile blocks files.

PAN-73401 (PAN-OS 8.0.1 and later releases) When you import a
two-node WildFire appliance cluster into the Panorama management
server, the controller nodes report their state as out-of-sync if
either of the following conditions exists:
• You did not configure a worker list to add at least one worker
node to the cluster. (In a two-node cluster, both nodes are
controller nodes configured as an HA pair. Adding a worker node
would make the cluster a three-node cluster.)
• You did not configure a service advertisement (either by enabling
or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the
controller nodes:
• After you import the two-node cluster into Panorama, push the
configuration from Panorama to the cluster. After the push succeeds,
Panorama reports that the controller nodes are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker node you are
adding to the cluster.) This creates a three-node cluster. After you
import the cluster into Panorama, Panorama reports that the
controller nodes are in sync. When you want the cluster to have only
two nodes, use a different workaround.
• Configure service advertisement on the local CLI of the cluster
controller and then import the configuration into Panorama. The
service advertisement can advertise that DNS is or is not enabled:

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

or

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

Both commands result in Panorama reporting that the controller nodes
are in sync.

PAN-71329 Local users and user groups in the Shared location (all virtual
systems) are not available to be part of the user-to-application
mapping for GlobalProtect Clientless VPN applications
(Network > GlobalProtect > Portals > <portal> > Clientless
VPN > Applications).
Workaround: Create users and user groups in specific virtual
systems on firewalls that have multiple virtual systems. For
single virtual systems (like VM-Series firewalls), users and user
groups are created under Shared and are not configurable for
Clientless VPN applications.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are
enabled on the same IP address, then when a user logs out of
the GlobalProtect portal, the administrative user is also logged
out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web
interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When you view an external dynamic list that requires client
authentication and Test Source URL, the firewall fails to indicate
whether it can reach the external dynamic list server and returns a
URL access error (Objects > External Dynamic Lists).

PAN-41558 When you use a firewall loopback interface as a
GlobalProtect gateway interface, traffic is not routed correctly for
third-party IPSec clients, such as strongSwan.
Workaround: Use a physical firewall interface instead of a loopback
interface as the GlobalProtect gateway interface for third-party
IPSec clients. Alternatively, configure the loopback interface that
is used as the GlobalProtect gateway to be in the same zone as the
physical ingress interface for third-party IPSec traffic.

PAN-40079 The VM-Series firewall on KVM, for all supported Linux
distributions, does not support Broadcom network adapters for PCI
pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled
custom report on a Panorama M-Series appliance, the earliest possible
start date for the report data is effectively the date when you
configured the report (Monitor > Manage Custom Reports). For example,
if you configure the report on the 15th of the month and set the Time
Frame to Last 30 Days, the report that Panorama generates on the 16th
includes only data from the 15th onward. This issue applies only to
scheduled reports; on-demand reports include all data within the
specified Time Frame.
Workaround: To generate an on-demand report, click Run Now when you
configure the custom report.

PAN-38255 When you perform a factory reset on a Panorama virtual
appliance and configure the serial number, logging does not work
until you reboot Panorama or execute the debug software restart
process management-server CLI command.

PAN-31832 The following issues apply when configuring a firewall to
use a hardware security module (HSM):
• nCipher nShield Connect: The firewall requires at least four
minutes to detect that an HSM was disconnected, causing SSL
functionality to be unavailable during the delay.
• SafeNet Network: When losing connectivity to either or both HSMs in
an HA configuration, the display of information from the show
high-availability state and show hsm info commands is blocked for 20
seconds.

PAN-25046 Firewalls store SSH host keys used for SCP log exports in the
known hosts file. In an HA deployment, PAN-OS synchronizes
the SCP log export configuration between the firewall HA
peers (Device > Scheduled Log Export), but not the known
host file. When a failover occurs, the SCP log export fails.
Workaround: Log in to each peer in HA, select Device >
Scheduled Log Export > <log_export_configuration>, and Test
SCP server connection to confirm the host key so that SCP log
forwarding continues to work after a failover.

PAN-OS® 9.0.9 Known Issues
The following list includes only outstanding known issues specific to the PAN-OS 9.0.9 maintenance
release. This list includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®,
as well as known issues that apply more generally or that are not identified by an issue ID. For a complete
list of existing and addressed known issues in all PAN-OS 9.0 releases, see the Consolidated List of PAN-OS
9.0 Known Issues.

Issue ID Description

— Upgrading Panorama with a local Log Collector and Dedicated Log
Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six
hours to complete due to significant infrastructure changes. Ensure
uninterrupted power to all appliances throughout the upgrade process.

— A critical System log is generated on the VM-Series firewall if the
minimum memory requirement for the model is not available.
• When the memory allocated is less than 4.5GB, you cannot upgrade
the firewall. The following error message displays: Failed to
install 9.0.0 with the following error: VM-50 in 9.0.0 requires
5.5GB memory, VM-50 Lite requires 4.5GB memory. Please configure
this VM with enough memory before upgrading.
• If the memory allocation is more than 4.5GB but less than the
licensed capacity requirement for the model, the firewall defaults
to the capacity associated with the VM-50. The System log message
System capacity adjusted to VM-50 capacity due to insufficient
memory for VM-<xxx> license indicates that you must allocate the
additional memory required for the licensed capacity of the firewall
model.

— A Panorama management server running PAN-OS 9.0 does not currently
support management of appliances running WildFire 7.1 or earlier
releases. Even though these management options are visible on the
Panorama 9.0 web interface (Panorama > Managed WildFire Clusters and
Panorama > Managed WildFire Appliances), making changes to these
settings for appliances running WildFire 7.1 or an earlier release
has no effect.

WF500-4200 The Create Date shown when using the show wildfire global
sample-status sha256 equal <hash> or show wildfire global
sample-analysis CLI command is two hours behind the actual time for
WF-500 appliance samples.

PLUG-1854 (PAN-OS 9.0.2 and later releases on AWS and GCP only) You
cannot swap the management interface.
This issue is resolved with VM-Series plugin 1.0.3.

PLUG-1827 (Microsoft Azure only) The firewall drops packets due to
larger than expected packet sizes when Accelerated networking is
enabled on the firewall (Settings > Networking).
This issue is resolved after you upgrade to VM-Series plugin 1.0.3
and reboot the firewall.

PLUG-1709 (Microsoft Azure only) There is an intermittent issue where
the secondary IP address becomes associated with the passive firewall
after multiple failovers.
This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Reassign IP addresses to the active and passive firewalls
in Azure as needed.

PLUG-1694 (PAYG licenses only) Your pay-as-you-go (PAYG) license is
not retained when you upgrade from a PAN-OS 8.1 release to a PAN-OS
9.0 release.
Workaround: Upgrade to VM-Series plugin 1.0.2 (or later) after you
upgrade to a PAN-OS 9.0 release and then reboot the firewall to
recover your PAYG license.

PLUG-1681 If you bootstrap a PAN-OS 9.0.1 image while using VM-Series
plugin 1.0.0, the firewall does not apply the capacity license. To
downgrade the VM-Series plugin from version 1.0.2 to 1.0.0, first
bootstrap the PAN-OS 9.0.1 image and then downgrade the plugin.

PLUG-1642 After a high availability (HA) failover, the dataplane
interface on a VM-Series firewall on Azure with Accelerated Networking
(SR-IOV) becomes disabled when, as a result of the failover, the
secondary IP address is detached from or attached to the firewall and
moved to its HA peer.
This issue is resolved with VM-Series plugin 1.0.2.

PLUG-1503 When a VM-Series firewall on AWS running on a C5 or M5
instance experiences a high availability (HA) failover, the dataplane
interfaces from the previously active firewall are not moved to the
newly active (previously passive) peer.
This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Check for the latest VM-Series plugin version and install
the VM-Series plugin 9.0.0 version; the built-in version is 9.0.0-c29.

PLUG-1074 On the VM-Series firewall on AWS, when you change the
instance type, the firewall no longer has a serial number or a
license. Additionally, if you manage this firewall using Panorama, it
is no longer connected to Panorama.

PLUG-380 When you rename a device group, template, or template stack
in Panorama that is part of a VMware NSX service definition, the new
name is not reflected in NSX Manager. Therefore, any ESXi hosts that
you add to a vSphere cluster are not added to the correct device
group, template, or template stack and your Security policy is not
pushed to VM-Series firewalls that you deploy after you rename those
objects. There is no impact to existing VM-Series firewalls.

PAN-151909 On the Panorama management server, Preview Changes (Commit
> Commit to Panorama) incorrectly displays an existing route as Added
and the new route as an existing route in the Candidate Configuration
when you configure a new virtual router route (Network > Virtual
Router).

PAN-150172 Dataplane processes restart when attempting to access
websites that have the NotBefore attribute less than or equal to Unix
Epoch Time in the server certificate with forward proxy enabled.
This issue is now resolved. See PAN-OS 9.0.9-h1 Addressed Issues.

PAN-146573 PA-7000 Series firewalls configured with a large number of
interfaces experience degraded performance and possible timeouts when
performing SNMP queries.

PAN-136701 (PA-7000b Series firewalls only) Packets for new sessions
drop when handling predict sessions.
Workaround: Use the following CLI command to bypass this issue:
• set session hwpredict disable yes
To enable hwpredict again, run set session hwpredict disable no. To
verify the current setting, run show session hwpredict status.

PAN-131915 There is an issue when you bootstrap a new firewall with a
USB drive where the bootstrap fails and displays the following error
message: no USB device found.
Workaround: Perform a factory reset or run the request system
private-data-reset CLI command and then proceed with bootstrapping.

PAN-128650 Selecting Preview Changes under a specific device group
results in the following error message: Parameter device
group missing.
This issue is now resolved. See PAN-OS 9.0.10 Addressed Issues.

PAN-124956 There is an issue where VM-Series firewalls do not support
packet buffer protection.

PAN-120440 There is an issue on M-500 Panorama management servers
where Private PAN-DB-URL connectivity over an ethernet interface
with an IPv6 address supports only the following address format:
2001:DB9:85A3:0:0:8A2E:370:2.

PAN-120303 There is an issue where the firewall remains connected to the
PAN-DB-URL server through the old management IP address
on the M-500 Panorama management server, even when you
configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the
firewall using one of the methods below.
• Modify the PAN-DB Server IP address on the managed
firewall.
1. On the web interface, delete the PAN-DB Server IP
address (Device > Setup > Content ID > URL Filtering
settings).
2. Commit your changes.
3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
4. Commit your changes.
• Restart the firewall (devsrvr) process.
1. Log in to the firewall CLI.
2. Restart the devsrvr process: debug software
restart process device-server

PAN-118525 (PA-5250, PA-5260, PA-5280, and PA-7000 Series firewalls
only) There is an issue where the QSFP28 port does not
come up with the TR-FC13L-N00 version of the PAN-
QSFP28-100GBASE-LR4 optical transceiver on firewalls
running a PAN-OS 9.0 release. For assistance, please contact
Support.

PAN-118414 (PAN-OS 9.0.2 and later releases only) There is an intermittent
issue where a Panorama management server managing
Prisma™ Access or Cortex™ Data Lake fails to authorize
one-time-password (OTP) submissions during the onboarding
process.
Workaround: Downgrade to PAN-OS 9.0.1.

PAN-117043 There is an issue on the Panorama management server and all
supported firewalls where special characters contained in the
tag names of the Security policy rules return the following
error message: group-tag is invalid when you commit
or push a configuration.
Workaround: Modify the tags and group tags (Objects > Tags)
to exclude special characters.

PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not
accept the DNS value from the initial configuration (init-cfg)
file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in
the bootstrap folder and complete the bootstrap process.

PAN-115816 (Microsoft Azure only) There is an intermittent issue where
an Ethernet (eth1) interface does not come up when you first
boot up the firewall.
Workaround: Reboot the firewall.

PAN-115733 (PAN-OS firewalls in an HA configuration only) There is a rare
issue where data interfaces do not come up after you reboot
the firewall when running a C5 or M5 instance type in AWS.
Workaround: Reboot the firewall.

PAN-114495 Alibaba Cloud runs on a KVM hypervisor and supports two
Virtio modes: DPDK (default) and MMAP. If you deploy a VM-
Series firewall running PAN-OS 9.0 in DPDK packet mode
and you then switch to MMAP packet mode, the VM-Series
firewall duplicates packets that originate from or terminate
on the firewall. As an example, if a load balancer or a server
behind the firewall pings the VM-Series firewall after you
switch from DPDK packet mode to MMAP packet mode, the
firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-
Series firewall using MMAP packet mode.

PAN-113117 A newly launched firewall does not get its configuration from
Panorama when it first connects if you installed the VM-Series
plugin on Panorama. When a newly launched firewall that is
bootstrapped connects to Panorama, a process restart occurs
on Panorama. Upon restart, you are logged out of the user
interface and you need to log in and push the device group
and template configuration to the newly connected firewall.

PAN-113098 In the firewall web interface, you can temporarily submit
change requests for the following URL categories: insufficient-
content, high-risk, medium-risk, low-risk, and newly-
registered-domains. However, Palo Alto Networks does not
support or process change requests for these categories.

PAN-112983 (Firewalls with multiple virtual systems only; no impact to
Panorama) If you select any Location other than Shared when
you generate or import a new CA Certificate in a Certificate
Profile (Device > Certificate Management > Certificate
Profile), the firewall adds the newly generated or imported
certificate to vsys1. For example, if you specify vsys3 as the
Location, Add a CA Certificate, and then Generate a new
certificate, the firewall adds the certificate to vsys1 instead of
vsys3. When you click OK to configure the Certificate Profile,
the firewall returns an Operation Failed error message
because it sees a certificate for vsys1 added to vsys3.
Workaround 1:
1. Generate or import the new certificate in a Certificate
Profile (Device > Certificate Management > Certificates >
Device Certificates) and select the appropriate vsys
Location when you generate or import the certificate.
2. When you create or edit the Certificate Profile, specify the
vsys Location and Add the certificate that you generated
(or imported) from the list of existing certificates.
Workaround 2: When you generate or import a new
certificate when you configure a Certificate Profile for a vsys
other than vsys1, specify the Location as Shared.

PAN-112694 (Firewalls with multiple virtual systems only) If you configure
dynamic DNS (DDNS) on a new interface (associated with
vsys1 or another virtual system) and you then create a
New Certificate Profile from the drop-down, you must set
the location for the Certificate Profile to Shared. If you
configure DDNS on an existing interface and then create a
new Certificate Profile, we also recommend that you choose
the Shared location instead of a specific virtual system.
Alternatively, you can select a preexisting certificate profile
instead of creating a new one.

PAN-112626 When you upgrade to PAN-OS 9.0 with a PAYG Bundle 2
license, the new DNS Security subscription is not available on
your VM-Series firewall.
This subscription is included with the BYOL and VM-Series
ELA when you upgrade.

PAN-112562 The Log Forwarding Card (LFC) subinterface incorrectly uses
the interface IP address instead of the subinterface IP address
for all services that forward logs (such as syslog, email, and
SNMP) for selected virtual systems.

PAN-112456 You can temporarily submit a change request for a URL
Category with more than two suggested categories. However,
we support only two suggested categories so add no more
than two suggested categories to a change request until we
address this issue. If you submit more than two suggested
categories, we will use only the first two categories you enter.

PAN-111928 Invalid configuration errors are not displayed as expected
when you revert a Panorama management server
configuration.
Workaround: After you revert the Panorama configuration,
Commit (Commit > Commit to Panorama) the reverted
configuration to display the invalid configuration errors.

PAN-111866 The push scope selection on the Panorama web interface
displays incorrectly even though the commit scope displays
as expected. This issue occurs when one administrator makes
configuration changes to separate device groups or templates
that affect multiple firewalls and a different administrator
attempts to push those changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a
Push to Devices operation for the modified device group
and template configurations.
• Manually select the devices that belong to the modified
device group and template configurations.

PAN-111729 If you disable DPDK mode and enable it again, you must
immediately reboot the firewall.

PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV
adapter.

PAN-110794 DGA-based threats shown in the firewall threat log display the
same name for all such instances.

PAN-110603 In some cases, when a port on a PA-7000 Series 100Gbps
Network Processor Card (NPC) has an SFP+ transceiver
inserted but no cable is connected, the system detects a signal
and attempts to tune and link with that port. As a result, if the
device at the other end of the connection is rebooted or has
an HA failover event, the link is sometimes held down for an
extended period of time while the interface attempts to tune
itself.
Workaround: Connect a cable to the installed SFP+
transceiver to allow the system to tune and link. Then, when
you disconnect the cable, the system will correctly detect that
the link is down. Alternatively, remove the SFP+ transceiver
from the port.

PAN-109526 The system log does not correctly display the URL for CRL
files; instead, the URLs are displayed with encoded characters.

PAN-106989 There is a display-only issue on Panorama that results in a
commit failed status for Template Last Commit State
(Panorama > Managed Devices > Summary).
Workaround: Push templates to managed devices.

PAN-106675 After upgrading the Panorama management server to PAN-OS
8.1 or a later release, predefined reports do not display a list of
top attackers.
Workaround: Create new threat summary reports (Monitor >
PDF Reports > Manage PDF Summary) containing the top
attackers to mimic the predefined reports.

PAN-105210 (Panorama in FIPS mode only when managing non-FIPS
firewalls) You cannot configure a GlobalProtect portal on
Panorama in FIPS mode when managing a non-FIPS firewall.
If you attempt to do so, you will receive the following error
message: agent-user-override-key unexpected
here Portal_fips.

PAN-104780 If you configure a HIP object to match only when a connecting
endpoint is managed (Objects > GlobalProtect > HIP
Objects > <hip-object> > General > Managed), iOS and
Android endpoints that are managed by AirWatch are unable
to successfully match the HIP object and the HIP report
incorrectly indicates that these endpoints are not managed.
This issue occurs because GlobalProtect gateways cannot
correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch
are unable to match HIP objects based on the endpoint serial
number because GlobalProtect gateways cannot identify the
serial numbers of these endpoints; these serial numbers do not
appear in the HIP report.

PAN-103336 (HA configurations only) When you downgrade a VM-Series
firewall on Azure from PAN-OS 9.0 to an earlier release, you
do not receive warnings. Do not downgrade your firewall
without saving and exporting your current configuration.
Workaround: Because HA is not supported in earlier versions
of VM-Series firewalls on Azure, to prevent the loss of your
configuration:
• Save and export the configuration before you downgrade.
• After you downgrade, load the saved configuration and
commit your changes. The firewall will resume operation
without the HA configuration.

PAN-103276 Adding a disk to a virtual appliance running Panorama 8.1
or a later release on VMware ESXi 6.5 update1 causes the
Panorama virtual appliance and host web client to become
unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and
add the disk again.

PAN-103018 (Panorama plugins) When you use the AND/OR boolean
operators to define the match criteria for Dynamic Address
Groups on Panorama, the boolean operators do not function
properly. The member IP addresses are not included in the
address group as expected.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping information
registered on a firewall or virtual system is not deleted when
you remove the firewall or virtual system from a Device
Group.
Workaround: Log in to the CLI on the firewall and enter
the following command to unregister the IP address-to-tag
mappings: debug object registered-ip clear all.

PAN-101537 After you configure and push address and address group
objects in Shared and vsys-specific device groups from
the Panorama management server to managed firewalls,
executing the show log <log-type> direction equal
<direction> <dst> | <src> in <object-name>
command on a managed firewall only returns address and
address group objects pushed from the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> | <src> in <object-name>

PAN-98803 If you configure the Panorama plugin to monitor virtual
machines or endpoints in your AWS, Azure, or Cisco ACI
environment without installing the NSX plugin, the IP-
address-to-tag mappings for Dynamic Address Groups are not
displayed on Panorama.
Workaround: Install the NSX plugin (you do not need to use
the NSX plugin for the installation to resolve this display issue).

PAN-98520 When booting or rebooting a PA-7000 Series Firewall with the
SMC-B installed, the BIOS console output displays attempts to
connect to the card's controller in the System Memory Speed
section. The messages can be ignored.

PAN-97757 GlobalProtect authentication fails with an Invalid
username/password error (because the user is not found
in Allow List) after you enable GlobalProtect authentication
cookies and add a RADIUS group to the Allow List of the
authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies.
Alternatively, disable (clear) Retrieve user group from RADIUS
in the authentication profile and configure group mapping
from Active Directory (AD) through LDAP.

PAN-97524 (Panorama management server only) The Security Zone and
Virtual System columns (Network tab) display None after a
Device Group and Template administrator with read-only
privileges performs a context switch.

PAN-96985 The request shutdown system command does not shut
down the Panorama management server.

PAN-96960 You cannot restart or shut down a Panorama on KVM from the
Virtual-manager console or virsh CLI.

PAN-96446 A firewall that is not included in a Collector Group fails to
generate a system log if logs are dropped when forwarded to a
Panorama management server that is running in Management
Only mode.

PAN-95773 On VM-Series firewalls that have Data Plane Development Kit
(DPDK) enabled and that use the i40e network interface card
(NIC), the show session info CLI command displays an
inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system
setting dpdk-pkt-io off CLI command.

PAN-95717 After 30,000 or more end users log in to the GlobalProtect
gateway within a two- to three-hour period, the firewall web
interface responds slowly, commits take longer than expected
or intermittently fail, and Tech Support File generation times
out and fails.

PAN-95602 In a deployment where a Log Collector connects to Panorama
management servers in a high availability (HA) configuration,
after you switch the Log Collector appliance to Panorama
mode, commit operations fail on the appliance.
Workaround: Remove the following node from
the running-config.xml file on the Log Collector
before switching it to Panorama mode: devices/
entry[@name='localhost.localdomain']/
deviceconfig/system/panorama-server-2
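
The PAN-95602 workaround above edits running-config.xml by hand. As an added example (not Palo Alto Networks code), the Python below removes exactly that node from a constructed, cut-down stand-in for running-config.xml, touches nothing else in the document, and is safe to re-run once the node is already gone.

```python
"""Remove the panorama-server-2 node named in the PAN-95602 workaround.

Added example, not Palo Alto Networks code. SAMPLE_CONFIG is a constructed,
minimal stand-in for a Log Collector's running-config.xml; only the path
under <config> matches what the release note describes.
"""
import xml.etree.ElementTree as ET
from typing import Tuple

# Path from the release note, relative to the <config> root element.
PANORAMA_SERVER_2_PATH = (
    "devices/entry[@name='localhost.localdomain']"
    "/deviceconfig/system/panorama-server-2"
)

# Constructed sample: both Panorama HA peers configured on the collector.
SAMPLE_CONFIG = """<config version="9.0.0" urldb="paloaltonetworks">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <hostname>lc-01</hostname>
          <panorama-server>198.51.100.10</panorama-server>
          <panorama-server-2>198.51.100.11</panorama-server-2>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""


def has_panorama_server_2(config_xml: str) -> bool:
    """True when the secondary Panorama server node is still present."""
    root = ET.fromstring(config_xml)
    # ElementTree supports the [@attr='value'] predicate used in the path.
    return root.find(PANORAMA_SERVER_2_PATH) is not None


def remove_panorama_server_2(config_xml: str) -> Tuple[str, bool]:
    """Return (new_xml, removed).

    removed is False when the node (or its parent) is absent, so running
    this twice is harmless. Nothing else in the document is modified.
    """
    root = ET.fromstring(config_xml)
    parent_path, leaf = PANORAMA_SERVER_2_PATH.rsplit("/", 1)
    parent = root.find(parent_path)
    if parent is None:
        return config_xml, False
    node = parent.find(leaf)
    if node is None:
        return config_xml, False
    parent.remove(node)
    return ET.tostring(root, encoding="unicode"), True


if __name__ == "__main__":
    cleaned, removed = remove_panorama_server_2(SAMPLE_CONFIG)
    print("removed:", removed)
    print("still present:", has_panorama_server_2(cleaned))
```

Run it against a copy of the exported running-config.xml, then import the cleaned file before switching the appliance to Panorama mode.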

PAN-95511 The name for an address object, address group, or an external
dynamic list must be unique. Duplicate names for these
objects can result in unexpected behavior when you reference
the object in a policy rule.

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8
and earlier releases, the firewall does not apply password
profile settings (Device > Password Profiles) until after you
upgrade to PAN-OS 8.0.9 or a later release and then only after
you modify the account passwords. (Administrator accounts
that you create in PAN-OS 8.0.9 or a later release do not
require you to change the passwords to apply password profile
settings.)

PAN-94966 After you delete disconnected and connected Terminal Server
(TS) agents in the same operation, the firewall still displays
the IP address-to-port-user mappings (show user ip-
port-user-mapping CLI command) for the disconnected TS
agents you deleted (Device > User Identification > Terminal
Services Agents).
Workaround: Do not delete both disconnected and connected
TS agents in the same operation.

PAN-94846 When DPDK is enabled on the VM-Series firewall with i40e
virtual function (VF) driver, the VF does not detect the link
status of the physical link. The VF link status remains up,
regardless of changes to the physical link state.

PAN-94093 HTTP Header Insertion does not work when jumbo frames are
received out of order.

PAN-93968 The firewall and Panorama web interfaces display vulnerability
threat IDs that are not available in PAN-OS 9.0 releases
(Objects > Security Profiles > Vulnerability Protection >
<profile> > Exceptions). To confirm whether a particular threat
ID is available in your release, monitor the release notes for
each new Applications and Threats content update or check
the Palo Alto Networks Threat Vault to see the minimum PAN-
OS release version for a threat signature.

PAN-93842 The logging status of a Panorama Log Collector deployed on
AWS or Azure displays as disconnected when you configure
the ethernet1/1 to ethernet1/5 interfaces for log collection
(Panorama > Managed Collectors > Interfaces). This results in
firewalls not sending logs to the Log Collector.
Workaround: Configure the management (MGT) interface for
log collection.

PAN-93607 When you configure a VM-500 firewall with an SCTP
Protection profile (Objects > Security Profiles > SCTP
Protection) and you try to add the profile to an existing
Security Profile Group (Objects > Security Profile Groups), the
Security Profile Group doesn’t list the SCTP Protection profile
in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select
the SCTP Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 9.0 as an
nCipher HSM client, the web interface on the firewall displays
the nCipher server status as Not Authenticated, even though
the HSM state is up (Device > Setup > HSM).

PAN-93193 The memory-optimized VM-50 Lite intermittently performs
slowly and stops processing traffic when memory utilization
is critically high. To prevent this issue, make sure that you do
not:
• Switch to the firewall Context on the Panorama
management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being
installed.
• Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see
a critical System log for memory utilization, wait for 5 minutes
and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing
memory intensive tasks such as installing dynamic updates,
committing changes or generating reports, at the same time,
on the firewall.

PAN-91802 On a VM-Series firewall, the clear session all CLI command
does not clear GTP sessions.

PAN-86903 In rare cases, PA-800 Series firewalls shut themselves down
due to a false over-current measurement.

PAN-84488 On PA-7000 Series and PA-5200 Series firewalls, client
systems can use a translated IP address-and-port pair for
only one connection even if you configure the Dynamic IP
and Port (DIPP) NAT Oversubscription Rate to allow multiple
connections (Device > Setup > Session > Session Settings >
NAT Oversubscription).

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100
network processor) that has session offload enabled (default)
incorrectly resets the UDP checksum of outgoing UDP
packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can
persistently disable session offload for only UDP traffic using
the set session udp-offload no CLI command.

PAN-83598 VM-Series firewalls cannot monitor more than 500 virtual
machine (VM) information sources (Device > VM Information
Sources).

PAN-83236 The VM-Series firewall on Google Compute Platform does not
publish firewall metrics to Google Stack Monitoring when you
manually configure a DNS server IP address (Device > Setup >
Services).
Workaround: The VM-Series firewall on Google Cloud
Platform must use the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work
when you import the ECDSA private keys onto an nCipher
nShield hardware security module (HSM).

PAN-81521 Endpoints fail to authenticate to GlobalProtect through
Kerberos when you specify an FQDN instead of an IP address
in the Kerberos server profile (Device > Server Profiles >
Kerberos).
Workaround: Replace the FQDN with the IP address in the
Kerberos server profile.

PAN-79423 Panorama cannot push address group objects from device
groups to managed firewalls when zones specify the objects in
the User Identification ACL include or exclude lists (Network >
Zones) and the Share Unused Address and Service Objects
with Devices option is disabled (Panorama > Setup >
Management > Panorama Settings).

PAN-77125 PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls
configured in tap mode don't close offloaded sessions after
processing the associated traffic; the sessions remain open
until they time out.
Workaround: Configure the firewalls in virtual wire mode
instead of tap mode, or disable session offloading by running
the set session offload no CLI command.

PAN-75457 (PAN-OS 8.0.1 and later releases) In WildFire appliance
clusters that have three or more nodes, the Panorama
management server does not support changing node roles. In
a three-node cluster, for example, you cannot use Panorama
to configure the worker node as a controller node by adding
the HA and cluster controller configurations, configure an
existing controller node as a worker node by removing the HA
configuration, and then commit and push the configuration.
Attempts to change cluster node roles from Panorama result
in a validation error: the commit fails and the cluster becomes
unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a
Data Filtering profile blocks files.

PAN-73401 (PAN-OS 8.0.1 and later releases) When you import a
two-node WildFire appliance cluster into the Panorama
management server, the controller nodes report their state as
out-of-sync if either of the following conditions exist:
• You did not configure a worker list to add at least one
worker node to the cluster. (In a two-node cluster, both
nodes are controller nodes configured as an HA pair.
Adding a worker node would make the cluster a three-node
cluster.)
• You did not configure a service advertisement (either by
enabling or not enabling advertising DNS service on the
controller nodes).
Workaround: There are three possible workarounds to sync
the controller nodes:
• After you import the two-node cluster into Panorama, push
the configuration from Panorama to the cluster. After the
push succeeds, Panorama reports that the controller nodes
are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker
node you are adding to the cluster.) This creates a three-node
cluster. After you import the cluster into Panorama,
Panorama reports that the controller nodes are in sync.
When you want the cluster to have only two nodes, use a
different workaround.
• Configure service advertisement on the local CLI of the
cluster controller and then import the configuration into
Panorama. The service advertisement can advertise that
DNS is or is not enabled.

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

or

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

Both commands result in Panorama reporting that the
controller nodes are in sync.

PAN-71329 Local users and user groups in the Shared location (all virtual
systems) are not available to be part of the user-to-application
mapping for GlobalProtect Clientless VPN applications
(Network > GlobalProtect > Portals > <portal> > Clientless
VPN > Applications).
Workaround: Create users and user groups in specific virtual
systems on firewalls that have multiple virtual systems. For
single virtual systems (like VM-Series firewalls), users and user
groups are created under Shared and are not configurable for
Clientless VPN applications.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are
enabled on the same IP address, then when a user logs out of
the GlobalProtect portal, the administrative user is also logged
out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web
interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When viewing an external dynamic list that requires client
authentication and you Test Source URL, the firewall fails to
indicate whether it can reach the external dynamic list server
and returns a URL access error (Objects > External Dynamic
Lists).

PAN-41558 When you use a firewall loopback interface as a GlobalProtect
gateway interface, traffic is not routed correctly for third-party
IPSec clients, such as strongSwan.
Workaround: Use a physical firewall interface instead of a
loopback firewall interface as the GlobalProtect gateway
interface for third-party IPSec clients. Alternatively, configure
the loopback interface that is used as the GlobalProtect
gateway to be in the same zone as the physical ingress
interface for third-party IPSec traffic.

PAN-40079 The VM-Series firewall on KVM, for all supported Linux
distributions, does not support the Broadcom network
adapters for PCI pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled
custom report on a Panorama M-Series appliance, the earliest
possible start date for the report data is effectively the date
when you configured the report (Monitor > Manage Custom
Reports). For example, if you configure the report on the
15th of the month and set the Time Frame to Last 30 Days,
the report that Panorama generates on the 16th will include
only data from the 15th onward. This issue applies only to
scheduled reports; on-demand reports include all data within
the specified Time Frame.
Workaround: To generate an on-demand report, click Run
Now when you configure the custom report.

PAN-38255 When you perform a factory reset on a Panorama virtual
appliance and configure the serial number, logging does
not work until you reboot Panorama or execute the debug
software restart process management-server CLI
command.

PAN-31832 The following issues apply when configuring a firewall to use a
hardware security module (HSM):
• nCipher nShield Connect—The firewall requires at least
four minutes to detect that an HSM was disconnected,
causing SSL functionality to be unavailable during the delay.
• SafeNet Network—When losing connectivity to either
or both HSMs in an HA configuration, the display of
information from the show high-availability
state and show hsm info commands are blocked for
20 seconds.

PAN-25046 Firewalls store SSH host keys used for SCP log exports in the
known hosts file. In an HA deployment, PAN-OS synchronizes
the SCP log export configuration between the firewall HA
peers (Device > Scheduled Log Export), but not the known
host file. When a failover occurs, the SCP log export fails.
Workaround: Log in to each peer in HA, select Device >
Scheduled Log Export > <log_export_configuration>, and Test
SCP server connection to confirm the host key so that SCP log
forwarding continues to work after a failover.

PAN-OS 9.0.8 Known Issues

The following list includes only outstanding known issues specific to the PAN-OS 9.0.8 maintenance
release. This list includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®,
as well as known issues that apply more generally or that are not identified by an issue ID. For a complete
list of existing and addressed known issues in all PAN-OS 9.0 releases, see the Consolidated List of PAN-OS
9.0 Known Issues.

Issue ID Description

— Upgrading Panorama with a local Log Collector and Dedicated
Log Collectors to PAN-OS 8.1 or a later PAN-OS release
can take up to six hours to complete due to significant
infrastructure changes. Ensure uninterrupted power to all
appliances throughout the upgrade process.

— A critical System log is generated on the VM-Series firewall
if the minimum memory requirement for the model is not
available.
• When the memory allocated is less than 4.5GB, you
cannot upgrade the firewall. The following error message
displays: Failed to install 9.0.0 with the
following error: VM-50 in 9.0.0 requires
5.5GB memory, VM-50 Lite requires 4.5GB
memory.Please configure this VM with enough
memory before upgrading.
• If the memory allocation is more than 4.5GB but less than
the licensed capacity requirement for the model, it will
default to the capacity associated with the VM-50.
The System log message System capacity adjusted
to VM-50 capacity due to insufficient
memory for VM-<xxx> license, indicates that you
must allocate the additional memory required for licensed
capacity for the firewall model.

— A Panorama management server running PAN-OS 9.0
does not currently support management of appliances
running WildFire 7.1 or earlier releases. Even though these
management options are visible on the Panorama 9.0 web
interface (Panorama > Managed WildFire Clusters and
Panorama > Managed WildFire Appliances), making changes
to these settings for appliances running WildFire 7.1 or an
earlier release has no effect.

WF500-4200 The Create Date shown when using the show wildfire
global sample-status sha256 equal <hash> or show
wildfire global sample-analysis CLI command
is two hours behind the actual time for WF-500 appliance
samples.

PLUG-1854  (PAN-OS 9.0.2 and later releases on AWS and GCP only) You cannot swap the management interface. This issue is resolved with VM-Series plugin 1.0.3.

PLUG-1827  (Microsoft Azure only) The firewall drops packets due to larger than expected packet sizes when Accelerated networking is enabled on the firewall (Settings > Networking). This issue is resolved after you upgrade to VM-Series plugin 1.0.3 and reboot the firewall.

PLUG-1709  (Microsoft Azure only) There is an intermittent issue where the secondary IP address becomes associated with the passive firewall after multiple failovers. This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Reassign IP addresses to the active and passive firewalls in Azure as needed.

PLUG-1694  (PAYG licenses only) Your pay-as-you-go (PAYG) license is not retained when you upgrade from a PAN-OS 8.1 release to a PAN-OS 9.0 release.
Workaround: Upgrade to VM-Series plugin 1.0.2 (or later) after you upgrade to a PAN-OS 9.0 release and then reboot the firewall to recover your PAYG license.

PLUG-1681  If you bootstrap a PAN-OS 9.0.1 image while using VM-Series plugin 1.0.0, the firewall will not apply the capacity license. To downgrade the VM-Series plugin from version 1.0.2 to 1.0.0, first bootstrap the PAN-OS 9.0.1 image and then downgrade the plugin.

PLUG-1642  After a high availability (HA) failover, the dataplane interface on a VM-Series firewall on Azure with Accelerated Networking (SR-IOV) becomes disabled when, as a result of the failover, the secondary IP address is detached from or attached to the firewall and moved to its HA peer. This issue is resolved with VM-Series plugin 1.0.2.

PLUG-1503  When a VM-Series firewall on AWS running on a C5 or M5 instance experiences a high availability (HA) failover, the dataplane interfaces from the previously active firewall are not moved to the newly active (previously passive) peer. This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Check for the latest VM-Series plugin version and install the VM-Series plugin 9.0.0 version; the built-in version is 9.0.0-c29.

PLUG-1074  On the VM-Series firewall on AWS, when you change the instance type, the firewall no longer has a serial number or a license. Additionally, if you manage this firewall using Panorama, it is no longer connected to Panorama.

PLUG-380  When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.

PAN-151909  On the Panorama management server, Preview Changes (Commit > Commit to Panorama) incorrectly displays an existing route as Added and the new route as an existing route in the Candidate Configuration when you configure a new virtual router route (Network > Virtual Router).

PAN-136701  (PA-7000 Series firewalls only) Packets for new sessions drop when handling predict sessions.
Workaround: Use the following CLI command to bypass this issue:
• set session hwpredict disable yes
To enable hwpredict again, run set session hwpredict disable no. To verify the current settings, run show session hwpredict status.

PAN-131915  There is an issue when you implement a new firewall bootstrap with a USB drive where the bootstrap fails and displays the following error message: no USB device found.
Workaround: Perform a factory reset or run the request system private-data-reset CLI command and then proceed with bootstrapping.

PAN-131792  The Name log filter (Monitor > Logs > Traffic) is not maintained when viewing the Log Viewer for a Security policy rule (Policies > Security) from the drop-down menu. This issue is now resolved. See PAN-OS 9.0.9 Addressed Issues.

PAN-124956  There is an issue where VM-Series firewalls do not support packet buffer protection.

PAN-120440  There is an issue on M-500 Panorama management servers where the IPv6 address of any Ethernet interface used for Private PAN-DB-URL connectivity is supported only in the following format: 2001:DB9:85A3:0:0:8A2E:370:2.
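
PAN-120440 gives a single sample value for the address format the M-500's Private PAN-DB-URL connectivity accepts, but no rule. The helper below is an added example (not Palo Alto Networks code) that normalizes an IPv6 address to that shape before you configure it, and reports whether an address is already in it. It assumes, from the sample alone and not from anything else on the page, that the accepted form is eight colon-separated hextets, no :: compression, no leading zeros within a hextet, and uppercase hex digits.

```python
"""Normalize IPv6 addresses to the format shown in PAN-120440.

Added example for the M-500 Private PAN-DB-URL known issue; this is not
Palo Alto Networks code and the format rule below is an assumption drawn
from the one sample value on the page (2001:DB9:85A3:0:0:8A2E:370:2).
"""
import ipaddress
import re

# Assumed accepted form: eight hextets, no "::" compression, no leading zeros
# in a hextet, uppercase hex digits. Lowercase, compressed, or zero-padded
# addresses are treated as "not in the accepted form".
_PANDB_FORM = re.compile(r"^(?:[0-9A-F]{1,4}:){7}[0-9A-F]{1,4}$")


def to_pandb_form(addr: str) -> str:
    """Return addr rewritten in the assumed accepted form.

    Raises ValueError for anything that is not a valid IPv6 address, so a
    typo is caught here rather than after a failed commit.
    """
    ip = ipaddress.IPv6Address(addr)  # validates and parses any RFC 4291 form
    # .exploded yields eight zero-padded lowercase hextets, e.g. 2001:0db9:...
    hextets = ip.exploded.split(":")
    # Strip leading zeros, but keep a single "0" for an all-zero hextet.
    return ":".join(h.lstrip("0") or "0" for h in hextets).upper()


def is_pandb_form(addr: str) -> bool:
    """True only if addr is already in the assumed accepted form."""
    if not _PANDB_FORM.match(addr):
        return False
    try:
        # Round-trip catches values that match the shape but carry leading
        # zeros (e.g. 2001:0DB9:...), which the regex alone would accept.
        return to_pandb_form(addr) == addr
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("2001:db9:85a3::8a2e:370:2", "::1", "fe80::1"):
        print(f"{candidate:>28} -> {to_pandb_form(candidate)}")
```

The round-trip check in is_pandb_form is what makes the validator strict: a zero-padded address such as 2001:0DB9:85A3:0:0:8A2E:370:2 matches the regex but is rejected because its normalized form differs from the input.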

PAN-120303  There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
• Modify the PAN-DB Server IP address on the managed firewall.
1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
2. Commit your changes.
3. Add the new M-500 Eth1/1 IP address as the PAN-DB Server IP address.
4. Commit your changes.
• Restart the firewall device server (devsrvr) process.
1. Log in to the firewall CLI.
2. Restart the devsrvr process: debug software restart process device-server

PAN-118525  (PA-5250, PA-5260, PA-5280, and PA-7000 Series firewalls only) There is an issue where the QSFP28 port does not come up with the TR-FC13L-N00 version of the PAN-QSFP28-100GBASE-LR4 optical transceiver on firewalls running a PAN-OS 9.0 release. For assistance, please contact Support.

PAN-118414  (PAN-OS 9.0.2 and later releases only) There is an intermittent issue where a Panorama management server managing Prisma™ Access or Cortex™ Data Lake fails to authorize one-time-password (OTP) submissions during the onboarding process.
Workaround: Downgrade to PAN-OS 9.0.1.

PAN-117043  There is an issue on the Panorama management server and all supported firewalls where special characters contained in the tag names of Security policy rules return the following error message when you commit or push a configuration: group-tag is invalid.
Workaround: Modify the tags and group tags (Objects > Tags) to exclude special characters.

PAN-116017  (Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add the DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.

PAN-115816  (Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.

PAN-115733  (PAN-OS firewalls in an HA configuration only) There is a rare issue where data interfaces do not come up after you reboot the firewall when running a C5 or M5 instance type in AWS.
Workaround: Reboot the firewall.

PAN-114495  Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets. Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.

PAN-113117  A newly launched firewall does not get its configuration from Panorama when it first connects if you installed the VM-Series plugin on Panorama. When a newly launched firewall that is bootstrapped connects to Panorama, a process restart occurs on Panorama. Upon restart, you are logged out of the user interface and you need to log in and push the device group and template configuration to the newly connected firewall.

PAN-113098  In the firewall web interface, you can temporarily submit change requests for the following URL categories: insufficient-content, high-risk, medium-risk, low-risk, and newly-registered-domains. However, Palo Alto Networks does not support or process change requests for these categories.

PAN-112983  (Firewalls with multiple virtual systems only; no impact to Panorama) If you select any Location other than Shared when you generate or import a new CA Certificate in a Certificate Profile (Device > Certificate Management > Certificate Profile), the firewall adds the newly generated or imported certificate to vsys1. For example, if you specify vsys3 as the Location, Add a CA Certificate, and then Generate a new certificate, the firewall adds the certificate to vsys1 instead of vsys3. When you click OK to configure the Certificate Profile, the firewall returns an Operation Failed error message because it sees a certificate for vsys1 added to vsys3.
Workaround 1:
1. Generate or import the new certificate in a Certificate Profile (Device > Certificate Management > Certificates > Device Certificates) and select the appropriate vsys Location when you generate or import the certificate.
2. When you create or edit the Certificate Profile, specify the vsys Location and Add the certificate that you generated (or imported) from the list of existing certificates.
Workaround 2: When you generate or import a new certificate while you configure a Certificate Profile for a vsys other than vsys1, specify the Location as Shared.

PAN-112694  (Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.

PAN-112626  When you upgrade to PAN-OS 9.0 with a PAYG Bundle 2 license, the new DNS Security subscription is not available on your VM-Series firewall. This subscription is included with the BYOL and VM-Series ELA when you upgrade.

PAN-112562  The Log Forwarding Card (LFC) subinterface incorrectly uses the interface IP address instead of the subinterface IP address for all services that forward logs (such as syslog, email, and SNMP) for selected virtual systems.

PAN-112456  You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories, so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.

PAN-111928  Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.

PAN-111866  The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
• Manually select the devices that belong to the modified device group and template configurations.

PAN-111729  If you disable DPDK mode and enable it again, you must immediately reboot the firewall.

PAN-111670  Tagged VLAN traffic fails when sent through an SR-IOV adapter.

PAN-110794  DGA-based threats shown in the firewall threat log display the same name for all such instances.

PAN-110603  In some cases, when a port on a PA-7000 Series 100Gbps Network Processor Card (NPC) has an SFP+ transceiver inserted but no cable is connected, the system detects a signal and attempts to tune and link with that port. As a result, if the device at the other end of the connection is rebooted or has an HA failover event, the link is sometimes held down for an extended period of time while the interface attempts to tune itself.
Workaround: Connect a cable to the installed SFP+ transceiver to allow the system to tune and link. Then, when you disconnect the cable, the system will correctly detect that the link is down. Alternatively, remove the SFP+ transceiver from the port.

PAN-109526  The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.

PAN-106989  There is a display-only issue on Panorama that results in a commit failed status for Template Last Commit State (Panorama > Managed Devices > Summary).
Workaround: Push templates to managed devices.

PAN-106675  After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround: Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.

PAN-105210  (Panorama in FIPS mode only when managing non-FIPS firewalls) You cannot configure a GlobalProtect portal on Panorama in FIPS mode when managing a non-FIPS firewall. If you attempt to do so, you will receive the following error message: agent-user-override-key unexpected here Portal_fips.

PAN-104780  If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints. Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.

PAN-103336  (HA configurations only) When you downgrade a VM-Series firewall on Azure from PAN-OS 9.0 to an earlier release, you do not receive warnings. Do not downgrade your firewall without saving and exporting your current configuration.
Workaround: Because HA is not supported in earlier versions of VM-Series firewalls on Azure, to prevent the loss of your configuration:
• Save and export the configuration before you downgrade.
• After you downgrade, load the saved configuration and commit your changes. The firewall will resume operation without the HA configuration.

PAN-103276  Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.

PAN-103018  (Panorama plugins) When you use the AND/OR boolean operators to define the match criteria for Dynamic Address Groups on Panorama, the boolean operators do not function properly. The member IP addresses are not included in the address group as expected.

PAN-101688  (Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all.

PAN-101537  After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> | <src> in <object-name>

PAN-98803  If you configure the Panorama plugin to monitor virtual machines or endpoints in your AWS, Azure, or Cisco ACI environment without installing the NSX plugin, the IP-address-to-tag mappings for Dynamic Address Groups are not displayed on Panorama.
Workaround: Install the NSX plugin (you do not need to use the NSX plugin for the installation to resolve this display issue).

PAN-98520  When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.

PAN-97757  GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.

PAN-97524  (Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.

PAN-96985  The request shutdown system command does not shut down the Panorama management server.

PAN-96960  You cannot restart or shut down a Panorama on KVM from the Virtual-manager console or the virsh CLI.

PAN-96446  A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.

PAN-95773  On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.

PAN-95717  After 30,000 or more end users log in to the GlobalProtect gateway within a two- to three-hour period, the firewall web interface responds slowly, commits take longer than expected or intermittently fail, and Tech Support File generation times out and fails.

PAN-95602  In a deployment where a Log Collector connects to Panorama management servers in a high availability (HA) configuration, after you switch the Log Collector appliance to Panorama mode, commit operations fail on the appliance.
Workaround: Remove the following node from the running-config.xml file on the Log Collector before switching it to Panorama mode: devices/entry[@name='localhost.localdomain']/deviceconfig/system/panorama-server-2

PAN-95511  The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.
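
PAN-95602 names the node to delete and PAN-95511 names the objects whose names must be unique, but neither says how to check an exported configuration for either condition before you commit. The Python below is an added example (not Palo Alto Networks code) that does both against a constructed configuration snippet. The XPath for the panorama-server-2 node is taken from PAN-95602 and read relative to the <config> root, and the element layout of the sample (config, devices, deviceconfig, system, vsys, address, address-group, external-list) is my understanding of the PAN-OS config format; treat both as assumptions and compare against your own export first. The uniqueness check is scoped per vsys, which is also an assumption, since the page does not say whether the same name may be reused across virtual systems.

```python
"""Two checks against an exported PAN-OS running-config.xml.

Added example for PAN-95602 (remove the panorama-server-2 node on a Log
Collector before switching it to Panorama mode) and PAN-95511 (address,
address-group and external dynamic list names must be unique). This is
not Palo Alto Networks code; the element layout is an assumption.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed sample, not a real export. Only the subtrees this example
# touches are present; "web-srv" is deliberately used twice (PAN-95511).
SAMPLE_CONFIG = """\
<config version="9.0.0">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <hostname>lc-01</hostname>
          <panorama-server>192.0.2.10</panorama-server>
          <panorama-server-2>192.0.2.11</panorama-server-2>
        </system>
      </deviceconfig>
      <vsys>
        <entry name="vsys1">
          <address>
            <entry name="web-srv"><ip-netmask>10.0.0.5/32</ip-netmask></entry>
            <entry name="dns-srv"><ip-netmask>10.0.0.53/32</ip-netmask></entry>
          </address>
          <address-group>
            <entry name="web-srv"><static><member>dns-srv</member></static></entry>
          </address-group>
          <external-list>
            <entry name="blocklist"><type><ip><url>https://example.com/edl.txt</url></ip></type></entry>
          </external-list>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
"""

# The node PAN-95602 says to remove, read relative to the <config> root
# (assumption: the page gives the path without the root element).
SYSTEM_PATH = "devices/entry[@name='localhost.localdomain']/deviceconfig/system"
# The three object types PAN-95511 says may not share a name.
OBJECT_TYPES = ("address", "address-group", "external-list")


def remove_second_panorama_server(config_xml: str) -> tuple[str, bool]:
    """Return (new_xml, removed) with the panorama-server-2 node deleted.

    removed is False when the node was already absent, so a caller can
    tell a no-op from a real cleanup instead of assuming success.
    """
    root = ET.fromstring(config_xml)
    system = root.find(SYSTEM_PATH)
    if system is None:
        raise ValueError("no deviceconfig/system node under localhost.localdomain")
    node = system.find("panorama-server-2")
    if node is None:
        return ET.tostring(root, encoding="unicode"), False
    system.remove(node)
    return ET.tostring(root, encoding="unicode"), True


def duplicate_object_names(config_xml: str) -> dict[str, list[str]]:
    """Map "vsys/name" to the object types that reuse that name in that vsys.

    Only names used by more than one of address, address-group and
    external-list are returned; an empty dict means PAN-95511 is satisfied.
    """
    root = ET.fromstring(config_xml)
    seen: dict[str, list[str]] = {}
    for vsys in root.iterfind("devices/entry/vsys/entry"):
        for obj_type in OBJECT_TYPES:
            for entry in vsys.iterfind(f"{obj_type}/entry"):
                key = f"{vsys.get('name')}/{entry.get('name', '')}"
                seen.setdefault(key, []).append(obj_type)
    return {key: types for key, types in seen.items() if len(types) > 1}


if __name__ == "__main__":
    cleaned, removed = remove_second_panorama_server(SAMPLE_CONFIG)
    print("panorama-server-2 removed:", removed)
    print("duplicate names:", duplicate_object_names(SAMPLE_CONFIG))
```

Run the uniqueness check on a config exported from the firewall before you push it; the duplicate it reports for the sample ("vsys1/web-srv" used by both an address and an address-group) is exactly the situation PAN-95511 warns produces unexpected policy behavior.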

PAN-95028  For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)

PAN-94966  After you delete disconnected and connected Terminal Server (TS) agents in the same operation, the firewall still displays the IP address-to-port-user mappings (show user ip-port-user-mapping CLI command) for the disconnected TS agents you deleted (Device > User Identification > Terminal Services Agents).
Workaround: Do not delete both disconnected and connected TS agents in the same operation.

PAN-94846  When DPDK is enabled on the VM-Series firewall with the i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.

PAN-94093  HTTP Header Insertion does not work when jumbo frames are received out of order.

PAN-93968  The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.

PAN-93842  The logging status of a Panorama Log Collector deployed on AWS or Azure displays as disconnected when you configure the ethernet1/1 to ethernet1/5 interfaces for log collection (Panorama > Managed Collectors > Interfaces). This results in firewalls not sending logs to the Log Collector.
Workaround: Configure the management (MGT) interface for log collection.

PAN-93607  When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn't list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.

PAN-93532  When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).

PAN-93193  The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
• Switch to the firewall Context on the Panorama management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being installed.
• Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall. Use the Task Manager to verify that you are not performing memory-intensive tasks, such as installing dynamic updates, committing changes, or generating reports, at the same time on the firewall.

PAN-91802  On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.

PAN-86903  In rare cases, PA-800 Series firewalls shut themselves down due to a false over-current measurement.

PAN-84488  On PA-7000 Series and PA-5200 Series firewalls, client systems can use a translated IP address-and-port pair for only one connection even if you configure the Dynamic IP and Port (DIPP) NAT Oversubscription Rate to allow multiple connections (Device > Setup > Session > Session Settings > NAT Oversubscription).

PAN-83610  In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.

PAN-83598  VM-Series firewalls cannot monitor more than 500 virtual machine (VM) information sources (Device > VM Information Sources).

PAN-83236  The VM-Series firewall on Google Compute Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.

PAN-83215  SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).

PAN-81521  Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.

PAN-79423  Panorama cannot push address group objects from device groups to managed firewalls when zones specify the objects in the User Identification ACL include or exclude lists (Network > Zones) and the Share Unused Address and Service Objects with Devices option is disabled (Panorama > Setup > Management > Panorama Settings).

PAN-77125  PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don't close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.

PAN-75457  (PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error: the commit fails and the cluster becomes unresponsive.

PAN-73530  The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.

PAN-73401  (PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
• You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
• You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
• After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
• Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

or

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

Both commands result in Panorama reporting that the controller nodes are in sync.

PAN-71329  Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround: Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are
enabled on the same IP address, then when a user logs out of
the GlobalProtect portal, the administrative user is also logged
out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web
interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When viewing an external dynamic list that requires client


authentication and you Test Source URL, the firewall fails to
indicate whether it can reach the external dynamic list server
and returns a URL access error (Objects > External Dynamic
Lists).

PAN-41558 When you use a firewall loopback interface as a GlobalProtect


gateway interface, traffic is not routed correctly for third-party
IPSec clients, such as strongSwan.
Workaround: Use a physical firewall interface instead of a
loopback firewall interface as the GlobalProtect gateway
interface for third-party IPSec clients. Alternatively, configure
the loopback interface that is used as the GlobalProtect
gateway to be in the same zone as the physical ingress
interface for third-party IPSec traffic.

PAN-40079 The VM-Series firewall on KVM, for all supported Linux


distributions, does not support the Broadcom network
adapters for PCI pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled


custom report on a Panorama M-Series appliance, the earliest
possible start date for the report data is effectively the date
when you configured the report (Monitor > Manage Custom
Reports). For example, if you configure the report on the
15th of the month and set the Time Frame to Last 30 Days,
the report that Panorama generates on the 16th will include
only data from the 15th onward. This issue applies only to
scheduled reports; on-demand reports include all data within
the specified Time Frame.
Workaround: To generate an on-demand report, click Run
Now when you configure the custom report.

PAN-38255 When you perform a factory reset on a Panorama virtual
appliance and configure the serial number, logging does
not work until you reboot Panorama or execute the debug
software restart process management-server CLI
command.

PAN-31832 The following issues apply when configuring a firewall to use a
hardware security module (HSM):
• nCipher nShield Connect—The firewall requires at least
four minutes to detect that an HSM was disconnected,
causing SSL functionality to be unavailable during the delay.
• SafeNet Network—When losing connectivity to either
or both HSMs in an HA configuration, the display of
information from the show high-availability
state and show hsm info commands is blocked for
20 seconds.

PAN-25046 Firewalls store SSH host keys used for SCP log exports in the
known hosts file. In an HA deployment, PAN-OS synchronizes
the SCP log export configuration between the firewall HA
peers (Device > Scheduled Log Export), but not the known
host file. When a failover occurs, the SCP log export fails.
Workaround: Log in to each peer in HA, select Device >
Scheduled Log Export > <log_export_configuration>, and Test
SCP server connection to confirm the host key so that SCP log
forwarding continues to work after a failover.

PAN-OS 9.0.7 Known Issues


The following list includes only outstanding known issues specific to the PAN-OS 9.0.7 maintenance
release. This list includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®,
as well as known issues that apply more generally or that are not identified by an issue ID. For a complete
list of existing and addressed known issues in all PAN-OS 9.0 releases, see the Consolidated List of PAN-OS
9.0 Known Issues.

Issue ID Description

— Upgrading Panorama with a local Log Collector and Dedicated
Log Collectors to PAN-OS 8.1 or a later PAN-OS release
can take up to six hours to complete due to significant
infrastructure changes. Ensure uninterrupted power to all
appliances throughout the upgrade process.

— A critical System log is generated on the VM-Series firewall
if the minimum memory requirement for the model is not
available.
• When the memory allocated is less than 4.5GB, you
cannot upgrade the firewall. The following error message
displays: Failed to install 9.0.0 with the
following error: VM-50 in 9.0.0 requires
5.5GB memory, VM-50 Lite requires 4.5GB
memory.Please configure this VM with enough
memory before upgrading.
• If the memory allocation is more than 4.5GB but less than
the licensed capacity requirement for the model, it will
default to the capacity associated with the VM-50.
The System log message System capacity adjusted
to VM-50 capacity due to insufficient
memory for VM-<xxx> license, indicates that you
must allocate the additional memory required for licensed
capacity for the firewall model.

— A Panorama management server running PAN-OS 9.0
does not currently support management of appliances
running WildFire 7.1 or earlier releases. Even though these
management options are visible on the Panorama 9.0 web
interface (Panorama > Managed WildFire Clusters and
Panorama > Managed WildFire Appliances), making changes
to these settings for appliances running WildFire 7.1 or an
earlier release has no effect.

WF500-4200 The Create Date shown when using the show wildfire
global sample-status sha256 equal <hash> or show
wildfire global sample-analysis CLI command
is two hours behind the actual time for WF-500 appliance
samples.

PLUG-1854 (PAN-OS 9.0.2 and later releases on AWS and GCP only) You
cannot swap the management interface.
This issue is resolved with VM-Series plugin 1.0.3.

PLUG-1827 (Microsoft Azure only) The firewall drops packets due to larger
than expected packet sizes when Accelerated networking is
enabled on the firewall (Settings > Networking).
This issue is resolved after you upgrade to VM-Series plugin 1.0.3 and
reboot the firewall.

PLUG-1709 (Microsoft Azure only) There is an intermittent issue where
the secondary IP address becomes associated with the passive
firewall after multiple failovers.
This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Reassign IP addresses to the active and passive
firewalls in Azure as needed.

PLUG-1694 (PAYG licenses only) Your pay-as-you-go (PAYG) license is not
retained when you upgrade from a PAN-OS 8.1 release to a
PAN-OS 9.0 release.
Workaround: Upgrade to VM-Series plugin 1.0.2 (or later)
after you upgrade to a PAN-OS 9.0 release and then reboot
the firewall to recover your PAYG license.

PLUG-1681 If you bootstrap a PAN-OS 9.0.1 image while using VM-Series
plugin 1.0.0, the firewall will not apply the capacity license. To
downgrade the VM-Series plugin from version 1.0.2 to 1.0.0,
first bootstrap the PAN-OS 9.0.1 image and then downgrade
the plugin.

PLUG-1642 After a high availability (HA) failover, the dataplane interface
on a VM-Series firewall on Azure with Accelerated Networking
(SR-IOV) becomes disabled when, as a result of the failover,
the secondary IP address is detached from or attached to the
firewall and moved to its HA peer.
This issue is resolved with VM-Series plugin 1.0.2.

PLUG-1503 When a VM-Series firewall on AWS running on a C5 or M5
instance experiences a high availability (HA) failover, the
dataplane interfaces from the previously active firewall are not
moved to the newly active (previously passive) peer.
This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Check for the latest VM-Series plugin version
and install the VM-Series plugin 9.0.0 version; the built-in
version is 9.0.0-c29.

PLUG-1074 On the VM-Series firewall on AWS, when you change the
instance type, the firewall no longer has a serial number
or a license. Additionally, if you manage this firewall using
Panorama, it is no longer connected to Panorama.

PLUG-380 When you rename a device group, template, or template stack
in Panorama that is part of a VMware NSX service definition,
the new name is not reflected in NSX Manager. Therefore, any
ESXi hosts that you add to a vSphere cluster are not added to
the correct device group, template, or template stack and your
Security policy is not pushed to VM-Series firewalls that you
deploy after you rename those objects. There is no impact to
existing VM-Series firewalls.

PAN-151909 On the Panorama management server, Preview Changes
(Commit > Commit to Panorama) incorrectly displays an
existing route as Added and the new route as an existing route
in the Candidate Configuration when you configure a new
virtual router route (Network > Virtual Router).

PAN-131915 There is an issue when you implement a new firewall
bootstrap with a USB drive where the bootstrap fails and
displays the following error message: no USB device
found.
Workaround: Perform a factory reset or run the request
system private-data-reset CLI command and then
proceed with bootstrapping.

PAN-131792 The Name log filter (Monitor > Logs > Traffic) is not
maintained when viewing the Log Viewer for a Security policy
rule (Policies > Security) from the drop-down menu.
This issue is now resolved. See PAN-OS 9.0.9 Addressed Issues.

PAN-124956 There is an issue where VM-Series firewalls do not support
packet buffer protection.

PAN-120440 There is an issue on M-500 Panorama management servers
where an Ethernet interface configured with an IPv6 address
for Private PAN-DB-URL connectivity supports only the following
address format: 2001:DB9:85A3:0:0:8A2E:370:2.

PAN-120303 There is an issue where the firewall remains connected to the
PAN-DB-URL server through the old management IP address
on the M-500 Panorama management server even after you
configure the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the
firewall using one of the methods below.
• Modify the PAN-DB Server IP address on the managed
firewall.
1. On the web interface, delete the PAN-DB Server IP
address (Device > Setup > Content ID > URL Filtering
settings).
2. Commit your changes.
3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
4. Commit your changes.
• Restart the firewall (devsrvr) process.
1. Log in to the firewall CLI.
2. Restart the devsrvr process: debug software
restart process device-server

PAN-118525 (PA-5250, PA-5260, PA-5280, and PA-7000 Series firewalls
only) There is an issue where the QSFP28 port does not
come up with the TR-FC13L-N00 version of the
PAN-QSFP28-100GBASE-LR4 optical transceiver on firewalls
running a PAN-OS 9.0 release. For assistance, please contact
Support.

PAN-118414 (PAN-OS 9.0.2 and later releases only) There is an intermittent
issue where a Panorama management server managing
Prisma™ Access or Cortex™ Data Lake fails to authorize
one-time password (OTP) submissions during the onboarding
process.
Workaround: Downgrade to PAN-OS 9.0.1.

PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not
accept the DNS value from the initial configuration (init-cfg)
file when you bootstrap the firewall.
Workaround: Add the DNS value as part of the bootstrap.xml in
the bootstrap folder and complete the bootstrap process.

PAN-115816 (Microsoft Azure only) There is an intermittent issue where
an Ethernet (eth1) interface does not come up when you first
boot up the firewall.
Workaround: Reboot the firewall.

PAN-115733 (PAN-OS firewalls in an HA configuration only) There is a rare
issue where data interfaces do not come up after you reboot
the firewall when running a C5 or M5 instance type in AWS.
Workaround: Reboot the firewall.

PAN-1114914 (PA-7000 Series firewalls only) If you replace the small
form-factor pluggable (SFP) module with the PAN-SFP-
PLUS-10GBASE-T module, a system reboot is required.

PAN-114495 Alibaba Cloud runs on a KVM hypervisor and supports two
Virtio modes: DPDK (default) and MMAP. If you deploy a VM-
Series firewall running PAN-OS 9.0 in DPDK packet mode
and you then switch to MMAP packet mode, the VM-Series
firewall duplicates packets that originate from or terminate
on the firewall. As an example, if a load balancer or a server
behind the firewall pings the VM-Series firewall after you
switch from DPDK packet mode to MMAP packet mode, the
firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-
Series firewall using MMAP packet mode.

PAN-113117 A newly launched firewall does not get its configuration from
Panorama when it first connects if you installed the VM-Series
plugin on Panorama. When a newly launched firewall that is
bootstrapped connects to Panorama, a process restart occurs
on Panorama. Upon restart, you are logged out of the user
interface and you need to log in and push the device group
and template configuration to the newly connected firewall.

PAN-113098 In the firewall web interface, you can temporarily submit
change requests for the following URL categories: insufficient-
content, high-risk, medium-risk, low-risk, and newly-
registered-domains. However, Palo Alto Networks does not
support or process change requests for these categories.

PAN-112983 (Firewalls with multiple virtual systems only; no impact to
Panorama) If you select any Location other than Shared when
you generate or import a new CA Certificate in a Certificate
Profile (Device > Certificate Management > Certificate
Profile), the firewall adds the newly generated or imported
certificate to vsys1. For example, if you specify vsys3 as the
Location, Add a CA Certificate, and then Generate a new
certificate, the firewall adds the certificate to vsys1 instead of
vsys3. When you click OK to configure the Certificate Profile,
the firewall returns an Operation Failed error message
because it sees a certificate for vsys1 added to vsys3.
Workaround 1:
1. Generate or import the new certificate in a Certificate
Profile (Device > Certificate Management > Certificates >
Device Certificates) and select the appropriate vsys
Location when you generate or import the certificate.
2. When you create or edit the Certificate Profile, specify the
vsys Location and Add the certificate that you generated
(or imported) from the list of existing certificates.
Workaround 2: When you generate or import a new
certificate when you configure a Certificate Profile for a vsys
other than vsys1, specify the Location as Shared.

PAN-112694 (Firewalls with multiple virtual systems only) If you configure
dynamic DNS (DDNS) on a new interface (associated with
vsys1 or another virtual system) and you then create a
New Certificate Profile from the drop-down, you must set
the location for the Certificate Profile to Shared. If you
configure DDNS on an existing interface and then create a
new Certificate Profile, we also recommend that you choose
the Shared location instead of a specific virtual system.
Alternatively, you can select a preexisting certificate profile
instead of creating a new one.

PAN-112626 When you upgrade to PAN-OS 9.0 with a PAYG Bundle 2
license, the new DNS Security subscription is not available on
your VM-Series firewall.
This subscription is included with the BYOL and VM-Series
ELA when you upgrade.

PAN-112562 The Log Forwarding Card (LFC) subinterface incorrectly uses
the interface IP address instead of the subinterface IP address
for all services that forward logs (such as syslog, email, and
SNMP) for selected virtual systems.

PAN-112456 You can temporarily submit a change request for a URL
Category with more than two suggested categories. However,
we support only two suggested categories so add no more
than two suggested categories to a change request until we
address this issue. If you submit more than two suggested
categories, we will use only the first two categories you enter.

PAN-111928 Invalid configuration errors are not displayed as expected
when you revert a Panorama management server
configuration.
Workaround: After you revert the Panorama configuration,
Commit (Commit > Commit to Panorama) the reverted
configuration to display the invalid configuration errors.

PAN-111866 The push scope selection on the Panorama web interface
displays incorrectly even though the commit scope displays
as expected. This issue occurs when one administrator makes
configuration changes to separate device groups or templates
that affect multiple firewalls and a different administrator
attempts to push those changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a
Push to Devices operation for the modified device group
and template configurations.
• Manually select the devices that belong to the modified
device group and template configurations.

PAN-111729 If you disable DPDK mode and enable it again, you must
immediately reboot the firewall.

PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV
adapter.

PAN-110794 DGA-based threats shown in the firewall threat log display the
same name for all such instances.

PAN-110603 In some cases, when a port on a PA-7000 Series 100Gbps
Network Processor Card (NPC) has an SFP+ transceiver
inserted but no cable is connected, the system detects a signal
and attempts to tune and link with that port. As a result, if the
device at the other end of the connection is rebooted or has
an HA failover event, the link is sometimes held down for an
extended period of time while the interface attempts to tune
itself.
Workaround: Connect a cable to the installed SFP+
transceiver to allow the system to tune and link. Then, when
you disconnect the cable, the system will correctly detect that
the link is down. Alternatively, remove the SFP+ transceiver
from the port.

PAN-109526 The system log does not correctly display the URL for CRL
files; instead, the URLs are displayed with encoded characters.

PAN-106989 There is a display-only issue on Panorama that results in a
commit failed status for Template Last Commit State
(Panorama > Managed Devices > Summary).
Workaround: Push templates to managed devices.

PAN-106675 After upgrading the Panorama management server to PAN-OS
8.1 or a later release, predefined reports do not display a list of
top attackers.
Workaround: Create new threat summary reports (Monitor >
PDF Reports > Manage PDF Summary) containing the top
attackers to mimic the predefined reports.

PAN-105210 (Panorama in FIPS mode only when managing non-FIPS
firewalls) You cannot configure a GlobalProtect portal on
Panorama in FIPS mode when managing a non-FIPS firewall.
If you attempt to do so, you will receive the following error
message: agent-user-override-key unexpected
here Portal_fips.

PAN-104780 If you configure a HIP object to match only when a connecting
endpoint is managed (Objects > GlobalProtect > HIP
Objects > <hip-object> > General > Managed), iOS and
Android endpoints that are managed by AirWatch are unable
to successfully match the HIP object and the HIP report
incorrectly indicates that these endpoints are not managed.
This issue occurs because GlobalProtect gateways cannot
correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch
are unable to match HIP objects based on the endpoint serial
number because GlobalProtect gateways cannot identify the
serial numbers of these endpoints; these serial numbers do not
appear in the HIP report.

PAN-103336 (HA configurations only) When you downgrade a VM-Series
firewall on Azure from PAN-OS 9.0 to an earlier release, you
do not receive warnings. Do not downgrade your firewall
without saving and exporting your current configuration.
Workaround: Because HA is not supported in earlier versions
of VM-Series firewalls on Azure, to prevent the loss of your
configuration:
• Save and export the configuration before you downgrade.
• After you downgrade, load the saved configuration and
commit your changes. The firewall will resume operation
without the HA configuration.

PAN-103276 Adding a disk to a virtual appliance running Panorama 8.1
or a later release on VMware ESXi 6.5 update1 causes the
Panorama virtual appliance and host web client to become
unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and
add the disk again.

PAN-103018 (Panorama plugins) When you use the AND/OR boolean
operators to define the match criteria for Dynamic Address
Groups on Panorama, the boolean operators do not function
properly. The member IP addresses are not included in the
address group as expected.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping information
registered on a firewall or virtual system is not deleted when
you remove the firewall or virtual system from a Device
Group.
Workaround: Log in to the CLI on the firewall and enter
the following command to unregister the IP address-to-tag
mappings: debug object registered-ip clear all.

PAN-101537 After you configure and push address and address group
objects in Shared and vsys-specific device groups from
the Panorama management server to managed firewalls,
executing the show log <log-type> direction equal
<direction> <dst> | <src> in <object-name>
command on a managed firewall only returns address and
address group objects pushed from the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal
<direction> query equal ‘vsys eq <vsys-name>’
<dst> | <src> in <object-name>

PAN-98803 If you configure the Panorama plugin to monitor virtual
machines or endpoints in your AWS, Azure, or Cisco ACI
environment without installing the NSX plugin, the IP-
address-to-tag mappings for Dynamic Address Groups are not
displayed on Panorama.
Workaround: Install the NSX plugin (you do not need to use
the NSX plugin for the installation to resolve this display issue).

PAN-98520 When booting or rebooting a PA-7000 Series Firewall with the
SMC-B installed, the BIOS console output displays attempts to
connect to the card's controller in the System Memory Speed
section. The messages can be ignored.

PAN-97757 GlobalProtect authentication fails with an Invalid
username/password error (because the user is not found
in Allow List) after you enable GlobalProtect authentication
cookies and add a RADIUS group to the Allow List of the
authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies.
Alternatively, disable (clear) Retrieve user group from RADIUS
in the authentication profile and configure group mapping
from Active Directory (AD) through LDAP.

PAN-97524 (Panorama management server only) The Security Zone and
Virtual System columns (Network tab) display None after a
Device Group and Template administrator with read-only
privileges performs a context switch.

PAN-96985 The request shutdown system command does not shut
down the Panorama management server.

PAN-96960 You cannot restart or shut down a Panorama on KVM from the
Virtual-manager console or virsh CLI.

PAN-96446 A firewall that is not included in a Collector Group fails to
generate a system log if logs are dropped when forwarded to a
Panorama management server that is running in Management
Only mode.

PAN-95773 On VM-Series firewalls that have Data Plane Development Kit
(DPDK) enabled and that use the i40e network interface card
(NIC), the show session info CLI command displays an
inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system
setting dpdk-pkt-io off CLI command.

PAN-95717 After 30,000 or more end users log in to the GlobalProtect
gateway within a two- to three-hour period, the firewall web
interface responds slowly, commits take longer than expected
or intermittently fail, and Tech Support File generation times
out and fails.

PAN-95602 In a deployment where a Log Collector connects to Panorama
management servers in a high availability (HA) configuration,
after you switch the Log Collector appliance to Panorama
mode, commit operations fail on the appliance.
Workaround: Remove the following node from
the running-config.xml file on the Log Collector
before switching it to Panorama mode: devices/
entry[@name='localhost.localdomain']/
deviceconfig/system/panorama-server-2
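One way to strip that node from an exported copy of the configuration offline, as an added example that is not Palo Alto Networks code: it parses a constructed running-config.xml skeleton and removes every panorama-server-2 element at the path named in the workaround. The sample XML, hostname and server addresses are constructed for the example.

```python
"""Remove the panorama-server-2 node from an exported PAN-OS config.

Added example, not Palo Alto Networks code. Mirrors the PAN-95602
workaround path:
devices/entry[@name='localhost.localdomain']/deviceconfig/system/panorama-server-2
"""
import xml.etree.ElementTree as ET

# Constructed sample: a minimal running-config.xml skeleton with a primary
# and a secondary Panorama server under the localhost.localdomain entry.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<config version="9.0.0">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <hostname>log-collector-1</hostname>
          <panorama-server>192.0.2.10</panorama-server>
          <panorama-server-2>192.0.2.11</panorama-server-2>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""

# Path from the workaround, relative to the <config> root element.
TARGET_PATH = "devices/entry[@name='localhost.localdomain']/deviceconfig/system"
TARGET_NODE = "panorama-server-2"


def remove_panorama_server_2(xml_text):
    """Return (new_xml_text, removed_count).

    Only panorama-server-2 elements directly under the target <system>
    node are removed; the primary panorama-server and everything else
    in the document are left untouched.
    """
    root = ET.fromstring(xml_text)
    removed = 0
    for system in root.findall(TARGET_PATH):
        # Copy the list first: removing while iterating skips siblings.
        for node in list(system.findall(TARGET_NODE)):
            system.remove(node)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def has_panorama_server_2(xml_text):
    """True if the secondary Panorama server node is still present."""
    root = ET.fromstring(xml_text)
    return root.find(f"{TARGET_PATH}/{TARGET_NODE}") is not None


if __name__ == "__main__":
    new_xml, count = remove_panorama_server_2(SAMPLE_CONFIG)
    print(f"removed {count} panorama-server-2 node(s)")
    print(new_xml)
```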

PAN-95511 The name for an address object, address group, or an external
dynamic list must be unique. Duplicate names for these
objects can result in unexpected behavior when you reference
the object in a policy rule.

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8
and earlier releases, the firewall does not apply password
profile settings (Device > Password Profiles) until after you
upgrade to PAN-OS 8.0.9 or a later release and then only after
you modify the account passwords. (Administrator accounts
that you create in PAN-OS 8.0.9 or a later release do not
require you to change the passwords to apply password profile
settings.)

PAN-94966 After you delete disconnected and connected Terminal Server
(TS) agents in the same operation, the firewall still displays
the IP address-to-port-user mappings (show user ip-
port-user-mapping CLI command) for the disconnected TS
agents you deleted (Device > User Identification > Terminal
Services Agents).
Workaround: Do not delete both disconnected and connected
TS agents in the same operation.

PAN-94846 When DPDK is enabled on the VM-Series firewall with i40e
virtual function (VF) driver, the VF does not detect the link
status of the physical link. The VF link status remains up,
regardless of changes to the physical link state.

PAN-94093 HTTP Header Insertion does not work when jumbo frames are
received out of order.

PAN-93968 The firewall and Panorama web interfaces display vulnerability
threat IDs that are not available in PAN-OS 9.0 releases
(Objects > Security Profiles > Vulnerability Protection >
<profile> > Exceptions). To confirm whether a particular threat
ID is available in your release, monitor the release notes for
each new Applications and Threats content update or check
the Palo Alto Networks Threat Vault to see the minimum PAN-
OS release version for a threat signature.

PAN-93842 The logging status of a Panorama Log Collector deployed on
AWS or Azure displays as disconnected when you configure
the ethernet1/1 to ethernet1/5 interfaces for log collection
(Panorama > Managed Collectors > Interfaces). This results in
firewalls not sending logs to the Log Collector.
Workaround: Configure the management (MGT) interface for
log collection.

PAN-93607 When you configure a VM-500 firewall with an SCTP
Protection profile (Objects > Security Profiles > SCTP
Protection) and you try to add the profile to an existing
Security Profile Group (Objects > Security Profile Groups), the
Security Profile Group doesn’t list the SCTP Protection profile
in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select
the SCTP Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 9.0 as an
nCipher HSM client, the web interface on the firewall displays
the nCipher server status as Not Authenticated, even though
the HSM state is up (Device > Setup > HSM).

PAN-93193 The memory-optimized VM-50 Lite intermittently performs
slowly and stops processing traffic when memory utilization
is critically high. To prevent this issue, make sure that you do
not:
• Switch to the firewall Context on the Panorama
management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being
installed.
• Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see
a critical System log for memory utilization, wait for 5 minutes
and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing
memory intensive tasks such as installing dynamic updates,
committing changes or generating reports, at the same time,
on the firewall.

PAN-91802 On a VM-Series firewall, the clear session all CLI command
does not clear GTP sessions.

PAN-86903 In rare cases, PA-800 Series firewalls shut themselves down
due to a false over-current measurement.

PAN-84488 On PA-7000 Series and PA-5200 Series firewalls, client
systems can use a translated IP address-and-port pair for
only one connection even if you configure the Dynamic IP
and Port (DIPP) NAT Oversubscription Rate to allow multiple
connections (Device > Setup > Session > Session Settings >
NAT Oversubscription).

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100
network processor) that has session offload enabled (default)
incorrectly resets the UDP checksum of outgoing UDP
packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can
persistently disable session offload for only UDP traffic using
the set session udp-offload no CLI command.

PAN-83598 VM-Series firewalls cannot monitor more than 500 virtual
machine (VM) information sources (Device > VM Information
Sources).

PAN-83236 The VM-Series firewall on Google Compute Platform does not
publish firewall metrics to Google Stack Monitoring when you
manually configure a DNS server IP address (Device > Setup >
Services).
Workaround: The VM-Series firewall on Google Cloud
Platform must use the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work
when you import the ECDSA private keys onto an nCipher
nShield hardware security module (HSM).

PAN-81521 Endpoints fail to authenticate to GlobalProtect through
Kerberos when you specify an FQDN instead of an IP address
in the Kerberos server profile (Device > Server Profiles >
Kerberos).
Workaround: Replace the FQDN with the IP address in the
Kerberos server profile.

PAN-79423 Panorama cannot push address group objects from device
groups to managed firewalls when zones specify the objects in
the User Identification ACL include or exclude lists (Network >
Zones) and the Share Unused Address and Service Objects
with Devices option is disabled (Panorama > Setup >
Management > Panorama Settings).

PAN-77125 PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls
configured in tap mode don’t close offloaded sessions after
processing the associated traffic; the sessions remain open
until they time out.
Workaround: Configure the firewalls in virtual wire mode
instead of tap mode, or disable session offloading by running
the set session offload no CLI command.

PAN-75457 (PAN-OS 8.0.1 and later releases) In WildFire appliance
clusters that have three or more nodes, the Panorama
management server does not support changing node roles. In
a three-node cluster for example, you cannot use Panorama
to configure the worker node as a controller node by adding
the HA and cluster controller configurations, configure an
existing controller node as a worker node by removing the HA
configuration, and then commit and push the configuration.
Attempts to change cluster node roles from Panorama result
in a validation error—the commit fails and the cluster becomes
unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a
Data Filtering profile blocks files.

PAN-73401 (PAN-OS 8.0.1 and later releases) When you import a
two-node WildFire appliance cluster into the Panorama
management server, the controller nodes report their state as
out-of-sync if either of the following conditions exist:
• You did not configure a worker list to add at least one
worker node to the cluster. (In a two-node cluster, both
nodes are controller nodes configured as an HA pair.
Adding a worker node would make the cluster a three-node
cluster.)
• You did not configure a service advertisement (either by
enabling or not enabling advertising DNS service on the
controller nodes).
Workaround: There are three possible workarounds to sync
the controller nodes:
• After you import the two-node cluster into Panorama, push
the configuration from Panorama to the cluster. After the
push succeeds, Panorama reports that the controller nodes
are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set
deviceconfig cluster mode controller
worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker
node you are adding to the cluster.) This creates a three-
node cluster. After you import the cluster into Panorama,
Panorama reports that the controller nodes are in sync.
When you want the cluster to have only two nodes, use a
different workaround.
• Configure service advertisement on the local CLI of the
cluster controller and then import the configuration into
Panorama. The service advertisement can advertise that
DNS is or is not enabled.

admin@wf500(active-controller)# set
deviceconfig cluster mode controller
service-advertisement dns-service
enabled
yes

or

admin@wf500(active-controller)# set
deviceconfig cluster mode controller
service-advertisement dns-service
enabled
no

Both commands result in Panorama reporting that the


controller nodes are in sync.

PAN-71329 Local users and user groups in the Shared location (all virtual
systems) are not available to be part of the user-to-application
mapping for GlobalProtect Clientless VPN applications
(Network > GlobalProtect > Portals > <portal> > Clientless
VPN > Applications).
Workaround: Create users and user groups in specific virtual
systems on firewalls that have multiple virtual systems. For
single virtual systems (like VM-Series firewalls), users and user
groups are created under Shared and are not configurable for
Clientless VPN applications.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are
enabled on the same IP address, then when a user logs out of
the GlobalProtect portal, the administrative user is also logged
out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web
interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When viewing an external dynamic list that requires client
authentication and you Test Source URL, the firewall fails to indicate
whether it can reach the external dynamic list server and returns a URL
access error (Objects > External Dynamic Lists).

PAN-41558 When you use a firewall loopback interface as a GlobalProtect
gateway interface, traffic is not routed correctly for third-party IPSec
clients, such as strongSwan.
Workaround: Use a physical firewall interface instead of a loopback
firewall interface as the GlobalProtect gateway interface for third-party
IPSec clients. Alternatively, configure the loopback interface that is
used as the GlobalProtect gateway to be in the same zone as the physical
ingress interface for third-party IPSec traffic.

PAN-40079 The VM-Series firewall on KVM, for all supported Linux
distributions, does not support the Broadcom network adapters for PCI
pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled custom
report on a Panorama M-Series appliance, the earliest possible start date
for the report data is effectively the date when you configured the
report (Monitor > Manage Custom Reports). For example, if you configure
the report on the 15th of the month and set the Time Frame to Last 30
Days, the report that Panorama generates on the 16th will include only
data from the 15th onward. This issue applies only to scheduled reports;
on-demand reports include all data within the specified Time Frame.
Workaround: To generate an on-demand report, click Run Now when you
configure the custom report.

PAN-38255 When you perform a factory reset on a Panorama virtual appliance
and configure the serial number, logging does not work until you reboot
Panorama or execute the debug software restart process management-server
CLI command.

PAN-31832 The following issues apply when configuring a firewall to use a
hardware security module (HSM):
• nCipher nShield Connect—The firewall requires at least four minutes to
detect that an HSM was disconnected, causing SSL functionality to be
unavailable during the delay.
• SafeNet Network—When losing connectivity to either or both HSMs in an
HA configuration, the display of information from the show
high-availability state and show hsm info commands is blocked for 20
seconds.

PAN-25046 Firewalls store SSH host keys used for SCP log exports in the
known hosts file. In an HA deployment, PAN-OS synchronizes the SCP log
export configuration between the firewall HA peers (Device > Scheduled
Log Export), but not the known hosts file. When a failover occurs, the
SCP log export fails.
Workaround: Log in to each peer in HA, select Device > Scheduled Log
Export > <log_export_configuration>, and Test SCP server connection to
confirm the host key so that SCP log forwarding continues to work after a
failover.

PAN-OS 9.0.6 Known Issues

The following list includes only outstanding known issues specific to the PAN-OS® 9.0.6 maintenance
release. This list includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®,
as well as known issues that apply more generally or that are not identified by an issue ID. For a complete
list of existing and addressed known issues in all PAN-OS 9.0 releases, see the Consolidated List of PAN-OS
9.0 Known Issues.

Issue ID Description

— Upgrading Panorama with a local Log Collector and Dedicated Log
Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six
hours to complete due to significant infrastructure changes. Ensure
uninterrupted power to all appliances throughout the upgrade process.

— A critical System log is generated on the VM-Series firewall if the
minimum memory requirement for the model is not available.
• When the memory allocated is less than 4.5GB, you cannot upgrade the
firewall. The following error message displays: Failed to install 9.0.0
with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50
Lite requires 4.5GB memory.Please configure this VM with enough memory
before upgrading.
• If the memory allocation is more than 4.5GB but less than the licensed
capacity requirement for the model, it will default to the capacity
associated with the VM-50. The System log message System capacity
adjusted to VM-50 capacity due to insufficient memory for VM-<xxx>
license indicates that you must allocate the additional memory required
for licensed capacity for the firewall model.

— A Panorama management server running PAN-OS 9.0 does not currently
support management of appliances running WildFire 7.1 or earlier
releases. Even though these management options are visible on the
Panorama 9.0 web interface (Panorama > Managed WildFire Clusters and
Panorama > Managed WildFire Appliances), making changes to these
settings for appliances running WildFire 7.1 or an earlier release has
no effect.

WF500-4200 The Create Date shown when using the show wildfire global
sample-status sha256 equal <hash> or show wildfire global
sample-analysis CLI command is two hours behind the actual time for
WF-500 appliance samples.

PLUG-1854 (PAN-OS 9.0.2 and later releases on AWS and GCP only) You cannot
swap the management interface.
This issue is resolved with VM-Series plugin 1.0.3.

PLUG-1827 (Microsoft Azure only) The firewall drops packets due to larger
than expected packet sizes when Accelerated networking is enabled on the
firewall (Settings > Networking).
This issue is resolved after you upgrade to VM-Series plugin 1.0.3 and
reboot the firewall.

PLUG-1709 (Microsoft Azure only) There is an intermittent issue where the
secondary IP address becomes associated with the passive firewall after
multiple failovers.
This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Reassign IP addresses to the active and passive firewalls in
Azure as needed.

PLUG-1694 (PAYG licenses only) Your pay-as-you-go (PAYG) license is not
retained when you upgrade from a PAN-OS 8.1 release to a PAN-OS 9.0
release.
Workaround: Upgrade to VM-Series plugin 1.0.2 (or later) after you
upgrade to a PAN-OS 9.0 release and then reboot the firewall to recover
your PAYG license.

PLUG-1681 If you bootstrap a PAN-OS 9.0.1 image while using VM-Series
plugin 1.0.0, the firewall will not apply the capacity license. To
downgrade the VM-Series plugin from version 1.0.2 to 1.0.0, first
bootstrap the PAN-OS 9.0.1 image and then downgrade the plugin.

PLUG-1642 After a high availability (HA) failover, the dataplane
interface on a VM-Series firewall on Azure with Accelerated Networking
(SR-IOV) becomes disabled when, as a result of the failover, the
secondary IP address is detached from or attached to the firewall and
moved to its HA peer.
This issue is resolved with VM-Series plugin 1.0.2.

PLUG-1503 When a VM-Series firewall on AWS running on a C5 or M5 instance
experiences a high availability (HA) failover, the dataplane interfaces
from the previously active firewall are not moved to the newly active
(previously passive) peer.
This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Check for the latest VM-Series plugin version and install the
VM-Series plugin 9.0.0 version; the built-in version is 9.0.0-c29.

PLUG-1074 On the VM-Series firewall on AWS, when you change the instance
type, the firewall no longer has a serial number or a license.
Additionally, if you manage this firewall using Panorama, it is no longer
connected to Panorama.

PLUG-380 When you rename a device group, template, or template stack in
Panorama that is part of a VMware NSX service definition, the new name is
not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a
vSphere cluster are not added to the correct device group, template, or
template stack and your Security policy is not pushed to VM-Series
firewalls that you deploy after you rename those objects. There is no
impact to existing VM-Series firewalls.

PAN-151909 On the Panorama management server, Preview Changes (Commit >
Commit to Panorama) incorrectly displays an existing route as Added and
the new route as an existing route in the Candidate Configuration when
you configure a new virtual router route (Network > Virtual Router).

PAN-131915 There is an issue when you implement a new firewall bootstrap
with a USB drive where the bootstrap fails and displays the following
error message: no USB device found.
Workaround: Perform a factory reset or run the request system
private-data-reset CLI command and then proceed with bootstrapping.

PAN-131792 The Name log filter (Monitor > Logs > Traffic) is not
maintained when viewing the Log Viewer for a Security policy rule
(Policies > Security) from the drop-down menu.
This issue is now resolved. See PAN-OS 9.0.9 Addressed Issues.

PAN-124956 There is an issue where VM-Series firewalls do not support
packet buffer protection.

PAN-120440 There is an issue on M-500 Panorama management servers where
any ethernet interface with an IPv6 address having Private PAN-DB-URL
connectivity only supports the following format:
2001:DB9:85A3:0:0:8A2E:370:2.
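As an added check for the PAN-120440 restriction (example code written here, not Palo Alto Networks code), the helper below rewrites any valid IPv6 address into the form the note shows, so an address can be verified before it is configured on the M-500 interface. It assumes that form means all eight groups written out with no :: compression, leading zeros dropped from each group, and uppercase hex digits; the sample addresses other than the one from the note are constructed.

```python
"""Normalize IPv6 addresses to the PAN-DB-URL form given in PAN-120440.

Added example, not Palo Alto Networks code. Assumption: the format shown
in the note (2001:DB9:85A3:0:0:8A2E:370:2) means eight explicit groups,
no "::" compression, no leading zeros in a group, uppercase hex digits.
"""
import ipaddress


def pan_db_ipv6_format(addr: str) -> str:
    """Return addr rewritten in the assumed PAN-DB-URL form.

    An optional /prefix length is preserved. Raises ValueError when the
    input is not a valid IPv6 address.
    """
    iface = ipaddress.IPv6Interface(addr)
    # .exploded yields eight zero-padded groups; drop the padding per group,
    # keeping a single "0" for all-zero groups instead of an empty string.
    groups = [g.lstrip("0") or "0" for g in iface.ip.exploded.split(":")]
    text = ":".join(groups).upper()
    if "/" in addr:
        text += f"/{iface.network.prefixlen}"
    return text


def is_pan_db_ipv6_format(addr: str) -> bool:
    """True when addr is already written exactly in the assumed form."""
    try:
        return pan_db_ipv6_format(addr) == addr
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples; the second one is the address from the release note.
    for sample in ("2001:db9:85a3::8a2e:370:2",
                   "2001:DB9:85A3:0:0:8A2E:370:2",
                   "fd00::1/64"):
        print(f"{sample:32} -> {pan_db_ipv6_format(sample)} "
              f"(already conforming: {is_pan_db_ipv6_format(sample)})")
```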

PAN-120303 There is an issue where the firewall remains connected to the
PAN-DB-URL server through the old management IP address on the M-500
Panorama management server, even when you configured the Eth1/1
interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of
the methods below.
• Modify the PAN-DB Server IP address on the managed firewall.
1. On the web interface, delete the PAN-DB Server IP address (Device >
Setup > Content ID > URL Filtering settings).
2. Commit your changes.
3. Add the new M-500 Eth1/1 IP address as the PAN-DB Server IP address.
4. Commit your changes.
• Restart the firewall (devsrvr) process.
1. Log in to the firewall CLI.
2. Restart the devsrvr process: debug software restart process
device-server

PAN-118525 (PA-5250, PA-5260, PA-5280, and PA-7000 Series firewalls only)
There is an issue where the QSFP28 port does not come up with the
TR-FC13L-N00 version of the PAN-QSFP28-100GBASE-LR4 optical transceiver
on firewalls running a PAN-OS 9.0 release. For assistance, please contact
Support.

PAN-118414 (PAN-OS 9.0.2 and later releases only) There is an
intermittent issue where a Panorama management server managing Prisma™
Access or Cortex™ Data Lake fails to authorize one-time-password (OTP)
submissions during the onboarding process.
Workaround: Downgrade to PAN-OS 9.0.1.

PAN-117043 There is an issue on the Panorama management server and all
supported firewalls where special characters contained in the tag names
of the Security policy rules return the following error message:
group-tag is invalid when you commit or push a configuration.
Workaround: Modify the tags and group tags (Objects > Tags) to exclude
special characters.

PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not accept
the DNS value from the initial configuration (init-cfg) file when you
bootstrap the firewall.
Workaround: Add the DNS value as part of the bootstrap.xml in the
bootstrap folder and complete the bootstrap process.

PAN-115816 (Microsoft Azure only) There is an intermittent issue where an
Ethernet (eth1) interface does not come up when you first boot up the
firewall.
Workaround: Reboot the firewall.

PAN-115733 (PAN-OS firewalls in an HA configuration only) There is a rare
issue where data interfaces do not come up after you reboot the firewall
when running a C5 or M5 instance type in AWS.
Workaround: Reboot the firewall.

PAN-114495 Alibaba Cloud runs on a KVM hypervisor and supports two Virtio
modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running
PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode,
the VM-Series firewall duplicates packets that originate from or
terminate on the firewall. As an example, if a load balancer or a server
behind the firewall pings the VM-Series firewall after you switch from
DPDK packet mode to MMAP packet mode, the firewall duplicates the ping
packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall
using MMAP packet mode.

PAN-113117 A newly launched firewall does not get its configuration from
Panorama when it first connects if you installed the VM-Series
plugin on Panorama. When a newly launched firewall that is
bootstrapped connects to Panorama, a process restart occurs
on Panorama. Upon restart, you are logged out of the user
interface and you need to log in and push the device group
and template configuration to the newly connected firewall.

PAN-113098 In the firewall web interface, you can temporarily submit
change requests for the following URL categories: insufficient-content,
high-risk, medium-risk, low-risk, and newly-registered-domains. However,
Palo Alto Networks does not support or process change requests for these
categories.

PAN-112983 (Firewalls with multiple virtual systems only; no impact to
Panorama) If you select any Location other than Shared when you generate
or import a new CA Certificate in a Certificate Profile (Device >
Certificate Management > Certificate Profile), the firewall adds the
newly generated or imported certificate to vsys1. For example, if you
specify vsys3 as the Location, Add a CA Certificate, and then Generate a
new certificate, the firewall adds the certificate to vsys1 instead of
vsys3. When you click OK to configure the Certificate Profile, the
firewall returns an Operation Failed error message because it sees a
certificate for vsys1 added to vsys3.
Workaround 1:
1. Generate or import the new certificate in a Certificate Profile
(Device > Certificate Management > Certificates > Device Certificates)
and select the appropriate vsys Location when you generate or import the
certificate.
2. When you create or edit the Certificate Profile, specify the vsys
Location and Add the certificate that you generated (or imported) from
the list of existing certificates.
Workaround 2: When you generate or import a new certificate when you
configure a Certificate Profile for a vsys other than vsys1, specify the
Location as Shared.

PAN-112694 (Firewalls with multiple virtual systems only) If you configure
dynamic DNS (DDNS) on a new interface (associated with vsys1 or another
virtual system) and you then create a New Certificate Profile from the
drop-down, you must set the location for the Certificate Profile to
Shared. If you configure DDNS on an existing interface and then create a
new Certificate Profile, we also recommend that you choose the Shared
location instead of a specific virtual system. Alternatively, you can
select a preexisting certificate profile instead of creating a new one.

PAN-112626 When you upgrade to PAN-OS 9.0 with a PAYG Bundle 2 license,
the new DNS Security subscription is not available on your VM-Series
firewall.
This subscription is included with the BYOL and VM-Series ELA when you
upgrade.

PAN-112562 The Log Forwarding Card (LFC) subinterface incorrectly uses
the interface IP address instead of the subinterface IP address for all
services that forward logs (such as syslog, email, and SNMP) for selected
virtual systems.

PAN-112456 You can temporarily submit a change request for a URL Category
with more than two suggested categories. However, we support only two
suggested categories, so add no more than two suggested categories to a
change request until we address this issue. If you submit more than two
suggested categories, we will use only the first two categories you
enter.

PAN-111928 Invalid configuration errors are not displayed as expected
when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit (Commit >
Commit to Panorama) the reverted configuration to display the invalid
configuration errors.

PAN-111866 The push scope selection on the Panorama web interface
displays incorrectly even though the commit scope displays as expected.
This issue occurs when one administrator makes configuration changes to
separate device groups or templates that affect multiple firewalls and a
different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a Push to Devices
operation for the modified device group and template configurations.
• Manually select the devices that belong to the modified device group
and template configurations.

PAN-111729 If you disable DPDK mode and enable it again, you must
immediately reboot the firewall.

PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV adapter.

PAN-110794 DGA-based threats shown in the firewall threat log display the
same name for all such instances.

PAN-110603 In some cases, when a port on a PA-7000 Series 100Gbps Network
Processor Card (NPC) has an SFP+ transceiver inserted but no cable is
connected, the system detects a signal and attempts to tune and link with
that port. As a result, if the device at the other end of the connection
is rebooted or has an HA failover event, the link is sometimes held down
for an extended period of time while the interface attempts to tune
itself.
Workaround: Connect a cable to the installed SFP+ transceiver to allow
the system to tune and link. Then, when you disconnect the cable, the
system will correctly detect that the link is down. Alternatively, remove
the SFP+ transceiver from the port.

PAN-109526 The system log does not correctly display the URL for CRL
files; instead, the URLs are displayed with encoded characters.

PAN-106989 There is a display-only issue on Panorama that results in a
commit failed status for Template Last Commit State (Panorama > Managed
Devices > Summary).
Workaround: Push templates to managed devices.

PAN-106675 After upgrading the Panorama management server to PAN-OS 8.1
or a later release, predefined reports do not display a list of top
attackers.
Workaround: Create new threat summary reports (Monitor > PDF Reports >
Manage PDF Summary) containing the top attackers to mimic the predefined
reports.

PAN-105210 (Panorama in FIPS mode only when managing non-FIPS firewalls)
You cannot configure a GlobalProtect portal on Panorama in FIPS mode when
managing a non-FIPS firewall. If you attempt to do so, you will receive
the following error message: agent-user-override-key unexpected here
Portal_fips.

PAN-104780 If you configure a HIP object to match only when a connecting
endpoint is managed (Objects > GlobalProtect > HIP Objects >
<hip-object> > General > Managed), iOS and Android endpoints that are
managed by AirWatch are unable to successfully match the HIP object and
the HIP report incorrectly indicates that these endpoints are not
managed. This issue occurs because GlobalProtect gateways cannot
correctly identify the managed status of these endpoints. Additionally,
iOS endpoints that are managed by AirWatch are unable to match HIP
objects based on the endpoint serial number because GlobalProtect
gateways cannot identify the serial numbers of these endpoints; these
serial numbers do not appear in the HIP report.

PAN-103336 (HA configurations only) When you downgrade a VM-Series
firewall on Azure from PAN-OS 9.0 to an earlier release, you do not
receive warnings. Do not downgrade your firewall without saving and
exporting your current configuration.
Workaround: Because HA is not supported in earlier versions of VM-Series
firewalls on Azure, to prevent the loss of your configuration:
• Save and export the configuration before you downgrade.
• After you downgrade, load the saved configuration and commit your
changes. The firewall will resume operation without the HA
configuration.

PAN-103276 Adding a disk to a virtual appliance running Panorama 8.1 or a
later release on VMware ESXi 6.5 update1 causes the Panorama virtual
appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk
again.

PAN-103018 (Panorama plugins) When you use the AND/OR boolean operators
to define the match criteria for Dynamic Address Groups on Panorama, the
boolean operators do not function properly. The member IP addresses are
not included in the address group as expected.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping information
registered on a firewall or virtual system is not deleted when you remove
the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following
command to unregister the IP address-to-tag mappings: debug object
registered-ip clear all.

PAN-101537 After you configure and push address and address group objects
in Shared and vsys-specific device groups from the Panorama management
server to managed firewalls, executing the show log <log-type> direction
equal <direction> <dst> | <src> in <object-name> command on a managed
firewall only returns address and address group objects pushed from the
Shared device group.
Workaround: Specify the vsys in the query string:

admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> | <src> in <object-name>

PAN-98803 If you configure the Panorama plugin to monitor virtual
machines or endpoints in your AWS, Azure, or Cisco ACI environment
without installing the NSX plugin, the IP-address-to-tag mappings for
Dynamic Address Groups are not displayed on Panorama.
Workaround: Install the NSX plugin (you do not need to use the NSX plugin
for the installation to resolve this display issue).

PAN-98520 When booting or rebooting a PA-7000 Series Firewall with the
SMC-B installed, the BIOS console output displays attempts to connect to
the card's controller in the System Memory Speed section. The messages
can be ignored.

PAN-97757 GlobalProtect authentication fails with an Invalid
username/password error (because the user is not found in Allow List)
after you enable GlobalProtect authentication cookies and add a RADIUS
group to the Allow List of the authentication profile used to
authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively,
disable (clear) Retrieve user group from RADIUS in the authentication
profile and configure group mapping from Active Directory (AD) through
LDAP.

PAN-97524 (Panorama management server only) The Security Zone and Virtual
System columns (Network tab) display None after a Device Group and
Template administrator with read-only privileges performs a context
switch.

PAN-96985 The request shutdown system command does not shut down the
Panorama management server.

PAN-96960 You cannot restart or shut down a Panorama on KVM from the
Virtual-manager console or virsh CLI.

PAN-96446 A firewall that is not included in a Collector Group fails to
generate a system log if logs are dropped when forwarded to a Panorama
management server that is running in Management Only mode.

PAN-95773 On VM-Series firewalls that have Data Plane Development Kit
(DPDK) enabled and that use the i40e network interface card (NIC), the
show session info CLI command displays an inaccurate throughput and
packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io
off CLI command.

PAN-95717 After 30,000 or more end users log in to the GlobalProtect
gateway within a two- to three-hour period, the firewall web interface
responds slowly, commits take longer than expected or intermittently
fail, and Tech Support File generation times out and fails.

PAN-95602 In a deployment where a Log Collector connects to Panorama
management servers in a high availability (HA) configuration, after you
switch the Log Collector appliance to Panorama mode, commit operations
fail on the appliance.
Workaround: Remove the following node from the running-config.xml file
on the Log Collector before switching it to Panorama mode:
devices/entry[@name='localhost.localdomain']/deviceconfig/system/panorama-server-2
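To apply the PAN-95602 workaround without hand-editing the file, here is an added example (not Palo Alto Networks code) that locates the node at the path the note gives in an exported running-config.xml and removes it, leaving the primary panorama-server entry untouched. The embedded sample configuration is constructed for illustration; its hostname and addresses are placeholders, and only the elements on the note's path are assumed to be present.

```python
"""Drop the panorama-server-2 node from a PAN-OS running-config.xml.

Added example for the PAN-95602 workaround; not Palo Alto Networks code.
The XPath is the one given in the release note, taken relative to the
<config> root element. The sample XML is constructed, not a real export.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Path from the note, minus the trailing node name, relative to <config>.
SYSTEM_PATH = "devices/entry[@name='localhost.localdomain']/deviceconfig/system"
NODE_NAME = "panorama-server-2"

# Constructed sample: a trimmed running-config.xml with both Panorama peers.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<config version="9.0.0">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <hostname>log-collector-1</hostname>
          <panorama-server>192.0.2.10</panorama-server>
          <panorama-server-2>192.0.2.11</panorama-server-2>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""


def _drop_secondary(root: ET.Element) -> bool:
    """Remove <panorama-server-2> under SYSTEM_PATH; True if it was present."""
    system = root.find(SYSTEM_PATH)
    if system is None:
        raise ValueError(f"no <system> node at {SYSTEM_PATH}")
    node = system.find(NODE_NAME)
    if node is None:
        return False          # already absent: running twice is harmless
    system.remove(node)
    return True


def remove_secondary_panorama(xml_text: str) -> Tuple[str, bool]:
    """Return (new_xml, removed) for a configuration held as a string."""
    root = ET.fromstring(xml_text)
    removed = _drop_secondary(root)
    new_xml = ET.tostring(root, encoding="unicode") if removed else xml_text
    return new_xml, removed


def remove_secondary_panorama_file(path: str) -> bool:
    """Apply the workaround in place to an exported running-config.xml."""
    tree = ET.parse(path)
    removed = _drop_secondary(tree.getroot())
    if removed:
        tree.write(path, encoding="utf-8", xml_declaration=True)
    return removed


def secondary_panorama(xml_text: str) -> Optional[str]:
    """Return the configured secondary Panorama address, or None."""
    node = ET.fromstring(xml_text).find(f"{SYSTEM_PATH}/{NODE_NAME}")
    return None if node is None else node.text


if __name__ == "__main__":
    new_xml, removed = remove_secondary_panorama(SAMPLE_CONFIG)
    print("removed secondary:", removed)
    print(new_xml)
```

Back up the exported file before running remove_secondary_panorama_file on it; ElementTree rewrites the whole document rather than patching it textually.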

PAN-95511 The name for an address object, address group, or an external
dynamic list must be unique. Duplicate names for these objects can result
in unexpected behavior when you reference the object in a policy rule.

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8 and
earlier releases, the firewall does not apply password profile settings
(Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a
later release and then only after you modify the account passwords.
(Administrator accounts that you create in PAN-OS 8.0.9 or a later
release do not require you to change the passwords to apply password
profile settings.)

PAN-94966 After you delete disconnected and connected Terminal Server (TS)
agents in the same operation, the firewall still displays the IP
address-to-port-user mappings (show user ip-port-user-mapping CLI
command) for the disconnected TS agents you deleted (Device > User
Identification > Terminal Services Agents).
Workaround: Do not delete both disconnected and connected TS agents in
the same operation.

PAN-94846 When DPDK is enabled on the VM-Series firewall with the i40e
virtual function (VF) driver, the VF does not detect the link status of
the physical link. The VF link status remains up, regardless of changes
to the physical link state.

PAN-94093 HTTP Header Insertion does not work when jumbo frames are
received out of order.

PAN-93968 The firewall and Panorama web interfaces display vulnerability
threat IDs that are not available in PAN-OS 9.0 releases (Objects >
Security Profiles > Vulnerability Protection > <profile> > Exceptions).
To confirm whether a particular threat ID is available in your release,
monitor the release notes for each new Applications and Threats content
update or check the Palo Alto Networks Threat Vault to see the minimum
PAN-OS release version for a threat signature.

PAN-93842 The logging status of a Panorama Log Collector deployed on AWS
or Azure displays as disconnected when you configure the ethernet1/1 to
ethernet1/5 interfaces for log collection (Panorama > Managed Collectors
> Interfaces). This results in firewalls not sending logs to the Log
Collector.
Workaround: Configure the management (MGT) interface for log collection.

PAN-93607 When you configure a VM-500 firewall with an SCTP Protection
profile (Objects > Security Profiles > SCTP Protection) and you try to
add the profile to an existing Security Profile Group (Objects > Security
Profile Groups), the Security Profile Group doesn’t list the SCTP
Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP
Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 9.0 as an nCipher
HSM client, the web interface on the firewall displays the nCipher server
status as Not Authenticated, even though the HSM state is up (Device >
Setup > HSM).

PAN-93193 The memory-optimized VM-50 Lite intermittently performs slowly
and stops processing traffic when memory utilization is critically high.
To prevent this issue, make sure that you do not:
• Switch to the firewall Context on the Panorama management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being installed.
• Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical
System log for memory utilization, wait for 5 minutes and then manually
reboot the firewall.
Use the Task Manager to verify that you are not performing
memory-intensive tasks, such as installing dynamic updates, committing
changes, or generating reports, at the same time on the firewall.

PAN-OS® RELEASE NOTES | PAN-OS 9.0 Release Information 121


© 2020 Palo Alto Networks, Inc.
Issue ID Description

PAN-91802 On a VM-Series firewall, the clear session all CLI command


does not clear GTP sessions.

PAN-86903 In rare cases, PA-800 Series firewalls shut themselves down


due to a false over-current measurement.

PAN-84488 On PA-7000 Series and PA-5200 Series firewalls, client


systems can use a translated IP address-and-port pair for
only one connection even if you configure the Dynamic IP
and Port (DIPP) NAT Oversubscription Rate to allow multiple
connections (Device > Setup > Session > Session Settings >
NAT Oversubscription).

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100


network processor) that has session offload enabled (default)
incorrectly resets the UDP checksum of outgoing UDP
packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can
persistently disable session off load for only UDP traffic using
the set session udp-off load no CLI command.

PAN-83598 VM-Series firewalls cannot monitor more than 500 virtual


machine (VM) information sources (Device > VM Information
Sources).

PAN-83236 The VM-Series firewall on Google Compute Platform does not


publish firewall metrics to Google Stack Monitoring when you
manually configure a DNS server IP address (Device > Setup >
Services).
Workaround: The VM-Series firewall on Google Cloud
Platform must use the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work
when you import the ECDSA private keys onto an nCipher
nShield hardware security module (HSM).

PAN-81521 Endpoints fail to authenticate to GlobalProtect through
Kerberos when you specify an FQDN instead of an IP address
in the Kerberos server profile (Device > Server Profiles >
Kerberos).
Workaround: Replace the FQDN with the IP address in the
Kerberos server profile.

PAN-79423 Panorama cannot push address group objects from device
groups to managed firewalls when zones specify the objects in
the User Identification ACL include or exclude lists (Network >
Zones) and the Share Unused Address and Service Objects
with Devices option is disabled (Panorama > Setup >
Management > Panorama Settings).

PAN-77125 PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls
configured in tap mode don’t close offloaded sessions after
processing the associated traffic; the sessions remain open
until they time out.
Workaround: Configure the firewalls in virtual wire mode
instead of tap mode, or disable session offloading by running
the set session offload no CLI command.

PAN-75457 (PAN-OS 8.0.1 and later releases) In WildFire appliance
clusters that have three or more nodes, the Panorama
management server does not support changing node roles. In
a three-node cluster for example, you cannot use Panorama
to configure the worker node as a controller node by adding
the HA and cluster controller configurations, configure an
existing controller node as a worker node by removing the HA
configuration, and then commit and push the configuration.
Attempts to change cluster node roles from Panorama result
in a validation error—the commit fails and the cluster becomes
unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a
Data Filtering profile blocks files.

PAN-73401 (PAN-OS 8.0.1 and later releases) When you import a
two-node WildFire appliance cluster into the Panorama
management server, the controller nodes report their state as
out-of-sync if either of the following conditions exist:
• You did not configure a worker list to add at least one
worker node to the cluster. (In a two-node cluster, both
nodes are controller nodes configured as an HA pair.
Adding a worker node would make the cluster a three-node
cluster.)
• You did not configure a service advertisement (either by
enabling or not enabling advertising DNS service on the
controller nodes).
Workaround: There are three possible workarounds to sync
the controller nodes:
• After you import the two-node cluster into Panorama, push
the configuration from Panorama to the cluster. After the
push succeeds, Panorama reports that the controller nodes
are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker
node you are adding to the cluster.) This creates a three-node
cluster. After you import the cluster into Panorama,
Panorama reports that the controller nodes are in sync.
When you want the cluster to have only two nodes, use a
different workaround.
• Configure service advertisement on the local CLI of the
cluster controller and then import the configuration into
Panorama. The service advertisement can advertise that
DNS is or is not enabled.

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

or

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

Both commands result in Panorama reporting that the
controller nodes are in sync.

PAN-71329 Local users and user groups in the Shared location (all virtual
systems) are not available to be part of the user-to-application
mapping for GlobalProtect Clientless VPN applications
(Network > GlobalProtect > Portals > <portal> > Clientless
VPN > Applications).
Workaround: Create users and user groups in specific virtual
systems on firewalls that have multiple virtual systems. For
single virtual systems (like VM-Series firewalls), users and user
groups are created under Shared and are not configurable for
Clientless VPN applications.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are
enabled on the same IP address, then when a user logs out of
the GlobalProtect portal, the administrative user is also logged
out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web
interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When viewing an external dynamic list that requires client
authentication and you Test Source URL, the firewall fails to
indicate whether it can reach the external dynamic list server
and returns a URL access error (Objects > External Dynamic
Lists).

PAN-41558 When you use a firewall loopback interface as a GlobalProtect
gateway interface, traffic is not routed correctly for third-party
IPSec clients, such as strongSwan.
Workaround: Use a physical firewall interface instead of a
loopback firewall interface as the GlobalProtect gateway
interface for third-party IPSec clients. Alternatively, configure
the loopback interface that is used as the GlobalProtect
gateway to be in the same zone as the physical ingress
interface for third-party IPSec traffic.

PAN-40079 The VM-Series firewall on KVM, for all supported Linux
distributions, does not support the Broadcom network
adapters for PCI pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled
custom report on a Panorama M-Series appliance, the earliest
possible start date for the report data is effectively the date
when you configured the report (Monitor > Manage Custom
Reports). For example, if you configure the report on the
15th of the month and set the Time Frame to Last 30 Days,
the report that Panorama generates on the 16th will include
only data from the 15th onward. This issue applies only to
scheduled reports; on-demand reports include all data within
the specified Time Frame.
Workaround: To generate an on-demand report, click Run
Now when you configure the custom report.

PAN-38255 When you perform a factory reset on a Panorama virtual
appliance and configure the serial number, logging does
not work until you reboot Panorama or execute the debug
software restart process management-server CLI
command.

PAN-31832 The following issues apply when configuring a firewall to use a
hardware security module (HSM):
• nCipher nShield Connect—The firewall requires at least
four minutes to detect that an HSM was disconnected,
causing SSL functionality to be unavailable during the delay.
• SafeNet Network—When losing connectivity to either
or both HSMs in an HA configuration, the display of
information from the show high-availability
state and show hsm info commands is blocked for
20 seconds.

PAN-25046 Firewalls store SSH host keys used for SCP log exports in the
known hosts file. In an HA deployment, PAN-OS synchronizes
the SCP log export configuration between the firewall HA
peers (Device > Scheduled Log Export), but not the known
host file. When a failover occurs, the SCP log export fails.
Workaround: Log in to each peer in HA, select Device >
Scheduled Log Export > <log_export_configuration>, and Test
SCP server connection to confirm the host key so that SCP log
forwarding continues to work after a failover.

PAN-OS 9.0.5 (and 9.0.5-h3) Known Issues

The following list includes only outstanding known issues specific to the PAN-OS 9.0.5 maintenance and
hotfix releases. This list includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and
WildFire®, as well as known issues that apply more generally or that are not identified by an issue ID. For a
complete list of existing and addressed known issues in all PAN-OS 9.0 releases, see the Consolidated List
of PAN-OS 9.0 Known Issues.

Issue ID Description

— Upgrading Panorama with a local Log Collector and Dedicated
Log Collectors to PAN-OS 8.1 or a later PAN-OS release
can take up to six hours to complete due to significant
infrastructure changes. Ensure uninterrupted power to all
appliances throughout the upgrade process.

— A critical System log is generated on the VM-Series firewall
if the minimum memory requirement for the model is not
available.
• When the memory allocated is less than 4.5GB, you
cannot upgrade the firewall. The following error message
displays: Failed to install 9.0.0 with the
following error: VM-50 in 9.0.0 requires
5.5GB memory, VM-50 Lite requires 4.5GB
memory. Please configure this VM with enough
memory before upgrading.
• If the memory allocation is more than 4.5GB but less than
the licensed capacity requirement for the model, it will
default to the capacity associated with the VM-50.
The System log message System capacity adjusted
to VM-50 capacity due to insufficient
memory for VM-<xxx> license indicates that you
must allocate the additional memory required for licensed
capacity for the firewall model.

— A Panorama management server running PAN-OS 9.0
does not currently support management of appliances
running WildFire 7.1 or earlier releases. Even though these
management options are visible on the Panorama 9.0 web
interface (Panorama > Managed WildFire Clusters and
Panorama > Managed WildFire Appliances), making changes
to these settings for appliances running WildFire 7.1 or an
earlier release has no effect.

WF500-4200 The Create Date shown when using the show wildfire
global sample-status sha256 equal <hash> or show
wildfire global sample-analysis CLI command
is two hours behind the actual time for WF-500 appliance
samples.

PLUG-1854 (PAN-OS 9.0.2 and later releases on AWS and GCP only) You
cannot swap the management interface.
This issue is resolved with VM-Series plugin 1.0.3.

PLUG-1827 (Microsoft Azure only) The firewall drops packets due to larger
than expected packet sizes when Accelerated networking is
enabled on the firewall (Settings > Networking).
This issue is resolved after you upgrade to VM-Series plugin 1.0.3 and
reboot the firewall.

PLUG-1709 (Microsoft Azure only) There is an intermittent issue where
the secondary IP address becomes associated with the passive
firewall after multiple failovers.
This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Reassign IP addresses to the active and passive
firewalls in Azure as needed.

PLUG-1694 (PAYG licenses only) Your pay-as-you-go (PAYG) license is not
retained when you upgrade from a PAN-OS 8.1 release to a
PAN-OS 9.0 release.
Workaround: Upgrade to VM-Series plugin 1.0.2 (or later)
after you upgrade to a PAN-OS 9.0 release and then reboot
the firewall to recover your PAYG license.

PLUG-1681 If you bootstrap a PAN-OS 9.0.1 image while using VM-Series
plugin 1.0.0, the firewall will not apply the capacity license. To
downgrade the VM-Series plugin from version 1.0.2 to 1.0.0,
first bootstrap the PAN-OS 9.0.1 image and then downgrade
the plugin.

PLUG-1642 After a high availability (HA) failover, the dataplane interface
on a VM-Series firewall on Azure with Accelerated Networking
(SR-IOV) becomes disabled when, as a result of the failover,
the secondary IP address is detached from or attached to the
firewall and moved to its HA peer.
This issue is resolved with VM-Series plugin 1.0.2.

PLUG-1503 When a VM-Series firewall on AWS running on a C5 or M5
instance experiences a high availability (HA) failover, the
dataplane interfaces from the previously active firewall are not
moved to the newly active (previously passive) peer.
This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Check for the latest VM-Series plugin version
and install the VM-Series plugin 9.0.0 version; the built-in
version is 9.0.0-c29.

PLUG-1074 On the VM-Series firewall on AWS, when you change the
instance type, the firewall no longer has a serial number
or a license. Additionally, if you manage this firewall using
Panorama, it is no longer connected to Panorama.

PLUG-380 When you rename a device group, template, or template stack
in Panorama that is part of a VMware NSX service definition,
the new name is not reflected in NSX Manager. Therefore, any
ESXi hosts that you add to a vSphere cluster are not added to
the correct device group, template, or template stack and your
Security policy is not pushed to VM-Series firewalls that you
deploy after you rename those objects. There is no impact to
existing VM-Series firewalls.

PAN-131915 There is an issue when you implement a new firewall
bootstrap with a USB drive where the bootstrap fails and
displays the following error message: no USB device
found.
Workaround: Perform a factory reset or run the request
system private-data-reset CLI command and then
proceed with bootstrapping.

PAN-131792 The Name log filter (Monitor > Logs > Traffic) is not
maintained when viewing the Log Viewer for a Security policy
rule (Policies > Security) from the drop-down menu.
This issue is now resolved. See PAN-OS 9.0.9 Addressed Issues.

PAN-130069 There is an issue where the firewall incorrectly interprets an
external dynamic list MineMeld instability error code as an
empty external dynamic list.

PAN-128269 (PA-5250, PA-5260, and PA-5280 firewalls with 100GB
AOC cables only) When you upgrade the first peer in a high
availability (HA) configuration to PAN-OS 9.0.3 or a later PAN-
OS 9.0 release, the High Speed Chassis Interconnect (HSCI)
port did not come up due to an FEC mismatch until after you
finished upgrading the second peer.

PAN-124956 There is an issue where VM-Series firewalls do not support
packet buffer protection.

PAN-123322 (PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls
running PAN-OS 9.0.5 only) There is an intermittent issue
where a process (all_pktproc) stops responding due to a Work
Query Entry (WQE) corruption that is caused by duplicate
child sessions.

PAN-120440 There is an issue on M-500 Panorama management servers
where any ethernet interface with an IPv6 address having
Private PAN-DB-URL connectivity only supports the following
format: 2001:DB9:85A3:0:0:8A2E:370:2.

PAN-120303 There is an issue where the firewall remains connected to the
PAN-DB-URL server through the old management IP address
on the M-500 Panorama management server, even when you
configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the
firewall using one of the methods below.
• Modify the PAN-DB Server IP address on the managed
firewall.
1. On the web interface, delete the PAN-DB Server IP
address (Device > Setup > Content ID > URL Filtering
settings).
2. Commit your changes.
3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
4. Commit your changes.
• Restart the firewall (devsrvr) process.
1. Log in to the firewall CLI.
2. Restart the devsrvr process: debug software
restart process device-server

PAN-118525 (PA-5250, PA-5260, PA-5280, and PA-7000 Series firewalls
only) There is an issue where the QSFP28 port does not
come up with the TR-FC13L-N00 version of the PAN-
QSFP28-100GBASE-LR4 optical transceiver on firewalls
running a PAN-OS 9.0 release. For assistance, please contact
Support.

PAN-118414 (PAN-OS 9.0.2 and later releases only) There is an intermittent
issue where a Panorama management server managing
Prisma™ Access or Cortex™ Data Lake fails to authorize one-
time-password (OTP) submissions during the onboarding
process.
Workaround: Downgrade to PAN-OS 9.0.1.

PAN-118108 There is an issue where an API call against a Panorama
management server that triggers the request analyze-
shared-policy command causes Panorama to reboot after
you execute the command.

PAN-117043 There is an issue on the Panorama management server and all
supported firewalls where special characters contained in the
tag names of Security policy rules return the following
error message: group-tag is invalid when you commit
or push a configuration.
Workaround: Modify the tags and group tags (Objects > Tags)
to exclude special characters.

PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not
accept the DNS value from the initial configuration (init-cfg)
file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in
the bootstrap folder and complete the bootstrap process.

PAN-115816 (Microsoft Azure only) There is an intermittent issue where
an Ethernet (eth1) interface does not come up when you first
boot up the firewall.
Workaround: Reboot the firewall.

PAN-115733 (PAN-OS firewalls in an HA configuration only) There is a rare
issue where data interfaces do not come up after you reboot
the firewall when running a C5 or M5 instance type in AWS.
Workaround: Reboot the firewall.

PAN-114495 Alibaba Cloud runs on a KVM hypervisor and supports two
Virtio modes: DPDK (default) and MMAP. If you deploy a VM-
Series firewall running PAN-OS 9.0 in DPDK packet mode
and you then switch to MMAP packet mode, the VM-Series
firewall duplicates packets that originate from or terminate
on the firewall. As an example, if a load balancer or a server
behind the firewall pings the VM-Series firewall after you
switch from DPDK packet mode to MMAP packet mode, the
firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-
Series firewall using MMAP packet mode.

PAN-113117 A newly launched firewall does not get its configuration from
Panorama when it first connects if you installed the VM-Series
plugin on Panorama. When a newly launched firewall that is
bootstrapped connects to Panorama, a process restart occurs
on Panorama. Upon restart, you are logged out of the user
interface and you need to log in and push the device group
and template configuration to the newly connected firewall.

PAN-113098 In the firewall web interface, you can temporarily submit
change requests for the following URL categories: insufficient-
content, high-risk, medium-risk, low-risk, and newly-
registered-domains. However, Palo Alto Networks does not
support or process change requests for these categories.

PAN-112983 (Firewalls with multiple virtual systems only; no impact to
Panorama) If you select any Location other than Shared when
you generate or import a new CA Certificate in a Certificate
Profile (Device > Certificate Management > Certificate
Profile), the firewall adds the newly generated or imported
certificate to vsys1. For example, if you specify vsys3 as the
Location, Add a CA Certificate, and then Generate a new
certificate, the firewall adds the certificate to vsys1 instead of
vsys3. When you click OK to configure the Certificate Profile,
the firewall returns an Operation Failed error message
because it sees a certificate for vsys1 added to vsys3.
Workaround 1:
1. Generate or import the new certificate in a Certificate
Profile (Device > Certificate Management > Certificates >
Device Certificates) and select the appropriate vsys
Location when you generate or import the certificate.
2. When you create or edit the Certificate Profile, specify the
vsys Location and Add the certificate that you generated
(or imported) from the list of existing certificates.
Workaround 2: When you generate or import a new
certificate when you configure a Certificate Profile for a vsys
other than vsys1, specify the Location as Shared.

PAN-112694 (Firewalls with multiple virtual systems only) If you configure
dynamic DNS (DDNS) on a new interface (associated with
vsys1 or another virtual system) and you then create a
New Certificate Profile from the drop-down, you must set
the location for the Certificate Profile to Shared. If you
configure DDNS on an existing interface and then create a
new Certificate Profile, we also recommend that you choose
the Shared location instead of a specific virtual system.
Alternatively, you can select a preexisting certificate profile
instead of creating a new one.

PAN-112626 When you upgrade to PAN-OS 9.0 with a PAYG Bundle 2
license, the new DNS Security subscription is not available on
your VM-Series firewall.
This subscription is included with the BYOL and VM-Series
ELA when you upgrade.

PAN-112562 The Log Forwarding Card (LFC) subinterface incorrectly uses
the interface IP address instead of the subinterface IP address
for all services that forward logs (such as syslog, email, and
SNMP) for selected virtual systems.

PAN-112456 You can temporarily submit a change request for a URL
Category with more than two suggested categories. However,
we support only two suggested categories so add no more
than two suggested categories to a change request until we
address this issue. If you submit more than two suggested
categories, we will use only the first two categories you enter.

PAN-111928 Invalid configuration errors are not displayed as expected
when you revert a Panorama management server
configuration.
Workaround: After you revert the Panorama configuration,
Commit (Commit > Commit to Panorama) the reverted
configuration to display the invalid configuration errors.

PAN-111866 The push scope selection on the Panorama web interface
displays incorrectly even though the commit scope displays
as expected. This issue occurs when one administrator makes
configuration changes to separate device groups or templates
that affect multiple firewalls and a different administrator
attempts to push those changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a
Push to Devices operation for the modified device group
and template configurations.
• Manually select the devices that belong to the modified
device group and template configurations.

PAN-111729 If you disable DPDK mode and enable it again, you must
immediately reboot the firewall.

PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV
adapter.

PAN-110794 DGA-based threats shown in the firewall threat log display the
same name for all such instances.

PAN-110603 In some cases, when a port on a PA-7000 Series 100Gbps
Network Processor Card (NPC) has an SFP+ transceiver
inserted but no cable is connected, the system detects a signal
and attempts to tune and link with that port. As a result, if the
device at the other end of the connection is rebooted or has
an HA failover event, the link is sometimes held down for an
extended period of time while the interface attempts to tune
itself.
Workaround: Connect a cable to the installed SFP+
transceiver to allow the system to tune and link. Then, when
you disconnect the cable, the system will correctly detect that
the link is down. Alternatively, remove the SFP+ transceiver
from the port.

PAN-109526 The system log does not correctly display the URL for CRL
files; instead, the URLs are displayed with encoded characters.

PAN-106989 There is a display-only issue on Panorama that results in a
commit failed status for Template Last Commit State
(Panorama > Managed Devices > Summary).
Workaround: Push templates to managed devices.

PAN-106675 After upgrading the Panorama management server to PAN-OS
8.1 or a later release, predefined reports do not display a list of
top attackers.
Workaround: Create new threat summary reports (Monitor >
PDF Reports > Manage PDF Summary) containing the top
attackers to mimic the predefined reports.

PAN-105210 (Panorama in FIPS mode only when managing non-FIPS
firewalls) You cannot configure a GlobalProtect portal on
Panorama in FIPS mode when managing a non-FIPS firewall.
If you attempt to do so, you will receive the following error
message: agent-user-override-key unexpected
here Portal_fips.

PAN-104780 If you configure a HIP object to match only when a connecting
endpoint is managed (Objects > GlobalProtect > HIP
Objects > <hip-object> > General > Managed), iOS and
Android endpoints that are managed by AirWatch are unable
to successfully match the HIP object and the HIP report
incorrectly indicates that these endpoints are not managed.
This issue occurs because GlobalProtect gateways cannot
correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch
are unable to match HIP objects based on the endpoint serial
number because GlobalProtect gateways cannot identify the
serial numbers of these endpoints; these serial numbers do not
appear in the HIP report.

PAN-103336 (HA configurations only) When you downgrade a VM-Series
firewall on Azure from PAN-OS 9.0 to an earlier release, you
do not receive warnings. Do not downgrade your firewall
without saving and exporting your current configuration.
Workaround: Because HA is not supported in earlier versions
of VM-Series firewalls on Azure, to prevent the loss of your
configuration:
• Save and export the configuration before you downgrade.
• After you downgrade, load the saved configuration and
commit your changes. The firewall will resume operation
without the HA configuration.

PAN-103276 Adding a disk to a virtual appliance running Panorama 8.1
or a later release on VMware ESXi 6.5 update1 causes the
Panorama virtual appliance and host web client to become
unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and
add the disk again.

PAN-103018 (Panorama plugins) When you use the AND/OR boolean
operators to define the match criteria for Dynamic Address
Groups on Panorama, the boolean operators do not function
properly. The member IP addresses are not included in the
address group as expected.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping information
registered on a firewall or virtual system is not deleted when
you remove the firewall or virtual system from a Device
Group.
Workaround: Log in to the CLI on the firewall and enter
the following command to unregister the IP address-to-tag
mappings: debug object registered-ip clear all.

PAN-101537 After you configure and push address and address group
objects in Shared and vsys-specific device groups from
the Panorama management server to managed firewalls,
executing the show log <log-type> direction equal
<direction> <dst> | <src> in <object-name>
command on a managed firewall only returns address and
address group objects pushed from the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal ‘vsys eq <vsys-name>’ <dst> | <src> in <object-name>

PAN-98803 If you configure the Panorama plugin to monitor virtual
machines or endpoints in your AWS, Azure, or Cisco ACI
environment without installing the NSX plugin, the IP-
address-to-tag mappings for Dynamic Address Groups are not
displayed on Panorama.
Workaround: Install the NSX plugin (you do not need to use
the NSX plugin for the installation to resolve this display issue).

PAN-98520 When booting or rebooting a PA-7000 Series Firewall with the
SMC-B installed, the BIOS console output displays attempts to
connect to the card's controller in the System Memory Speed
section. The messages can be ignored.

PAN-97757 GlobalProtect authentication fails with an Invalid
username/password error (because the user is not found
in Allow List) after you enable GlobalProtect authentication
cookies and add a RADIUS group to the Allow List of the
authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies.
Alternatively, disable (clear) Retrieve user group from RADIUS
in the authentication profile and configure group mapping
from Active Directory (AD) through LDAP.

PAN-97524 (Panorama management server only) The Security Zone and
Virtual System columns (Network tab) display None after a
Device Group and Template administrator with read-only
privileges performs a context switch.

PAN-96985 The request shutdown system command does not shut
down the Panorama management server.

PAN-96960 You cannot restart or shut down a Panorama on KVM from the
Virtual-manager console or virsh CLI.

PAN-96446 A firewall that is not included in a Collector Group fails to
generate a system log if logs are dropped when forwarded to a
Panorama management server that is running in Management
Only mode.

PAN-95773 On VM-Series firewalls that have Data Plane Development Kit
(DPDK) enabled and that use the i40e network interface card
(NIC), the show session info CLI command displays an
inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system
setting dpdk-pkt-io off CLI command.

PAN-95717 After 30,000 or more end users log in to the GlobalProtect
gateway within a two- to three-hour period, the firewall web
interface responds slowly, commits take longer than expected
or intermittently fail, and Tech Support File generation times
out and fails.

PAN-95602 In a deployment where a Log Collector connects to Panorama
management servers in a high availability (HA) configuration,
after you switch the Log Collector appliance to Panorama
mode, commit operations fail on the appliance.
Workaround: Remove the following node from
the running-config.xml file on the Log Collector
before switching it to Panorama mode:
devices/entry[@name='localhost.localdomain']/deviceconfig/system/panorama-server-2

PAN-95511 The name for an address object, address group, or an external
dynamic list must be unique. Duplicate names for these
objects can result in unexpected behavior when you reference
the object in a policy rule.

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8
and earlier releases, the firewall does not apply password
profile settings (Device > Password Profiles) until after you
upgrade to PAN-OS 8.0.9 or a later release and then only after
you modify the account passwords. (Administrator accounts
that you create in PAN-OS 8.0.9 or a later release do not
require you to change the passwords to apply password profile
settings.)

PAN-94966 After you delete disconnected and connected Terminal Server
(TS) agents in the same operation, the firewall still displays
the IP address-to-port-user mappings (show user ip-
port-user-mapping CLI command) for the disconnected TS
agents you deleted (Device > User Identification > Terminal
Services Agents).
Workaround: Do not delete both disconnected and connected
TS agents in the same operation.

PAN-94846 When DPDK is enabled on the VM-Series firewall with the i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.

PAN-94093 HTTP Header Insertion does not work when jumbo frames are
received out of order.

PAN-93968 The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.

PAN-93842 The logging status of a Panorama Log Collector deployed on AWS or Azure displays as disconnected when you configure the ethernet1/1 to ethernet1/5 interfaces for log collection (Panorama > Managed Collectors > Interfaces). This results in firewalls not sending logs to the Log Collector.
Workaround: Configure the management (MGT) interface for log collection.

PAN-93607 When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).

PAN-93193 The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
• Switch to the firewall Context on the Panorama management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being installed.
• Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory-intensive tasks, such as installing dynamic updates, committing changes, or generating reports, at the same time on the firewall.

PAN-91802 On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.

PAN-86903 In rare cases, PA-800 Series firewalls shut themselves down due to a false over-current measurement.

PAN-84488 On PA-7000 Series and PA-5200 Series firewalls, client systems can use a translated IP address-and-port pair for only one connection even if you configure the Dynamic IP and Port (DIPP) NAT Oversubscription Rate to allow multiple connections (Device > Setup > Session > Session Settings > NAT Oversubscription).

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.

PAN-83598 VM-Series firewalls cannot monitor more than 500 virtual machine (VM) information sources (Device > VM Information Sources).

PAN-83236 The VM-Series firewall on Google Compute Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.


PAN-83215 SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).

PAN-81521 Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.

PAN-79423 Panorama cannot push address group objects from device groups to managed firewalls when zones specify the objects in the User Identification ACL include or exclude lists (Network > Zones) and the Share Unused Address and Service Objects with Devices option is disabled (Panorama > Setup > Management > Panorama Settings).

PAN-77125 PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.

PAN-75457 (PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error—the commit fails and the cluster becomes unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a
Data Filtering profile blocks files.

PAN-73401 (PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
• You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
• You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
• After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
• Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

or

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

Both commands result in Panorama reporting that the controller nodes are in sync.

PAN-71329 Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround: Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are
enabled on the same IP address, then when a user logs out of
the GlobalProtect portal, the administrative user is also logged
out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web
interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).

PAN-41558 When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround: Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.

PAN-40079 The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.

PAN-38255 When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.

PAN-31832 The following issues apply when configuring a firewall to use a hardware security module (HSM):
• nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
• SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.

PAN-25046 Firewalls store SSH host keys used for SCP log exports in the
known hosts file. In an HA deployment, PAN-OS synchronizes
the SCP log export configuration between the firewall HA
peers (Device > Scheduled Log Export), but not the known
host file. When a failover occurs, the SCP log export fails.
Workaround: Log in to each peer in HA, select Device >
Scheduled Log Export > <log_export_configuration>, and Test
SCP server connection to confirm the host key so that SCP log
forwarding continues to work after a failover.

PAN-OS® 9.0.4 Known Issues

The following list includes only outstanding known issues specific to the PAN-OS 9.0.4 maintenance release. This list includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well as known issues that apply more generally or that are not identified by an issue ID. For a complete list of existing and addressed known issues in all PAN-OS 9.0 releases, see the Consolidated List of PAN-OS 9.0 Known Issues.

Issue ID Description

— Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.

— A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
• When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
• If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50. The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for licensed capacity for the firewall model.

— A Panorama management server running PAN-OS 9.0 does not currently support management of appliances running WildFire 7.1 or earlier releases. Even though these management options are visible on the Panorama 9.0 web interface (Panorama > Managed WildFire Clusters and Panorama > Managed WildFire Appliances), making changes to these settings for appliances running WildFire 7.1 or an earlier release has no effect.

WF500-4200 The Create Date shown when using the show wildfire global sample-status sha256 equal <hash> or show wildfire global sample-analysis CLI command is two hours behind the actual time for WF-500 appliance samples.

PLUG-1854 (PAN-OS 9.0.2 and later releases on AWS and GCP only) You cannot swap the management interface.
This issue is resolved with VM-Series plugin 1.0.3.

PLUG-1827 (Microsoft Azure only) The firewall drops packets due to larger than expected packet sizes when Accelerated networking is enabled on the firewall (Settings > Networking).
This issue is resolved after you upgrade to VM-Series plugin 1.0.3 and reboot the firewall.

PLUG-1709 (Microsoft Azure only) There is an intermittent issue where the secondary IP address becomes associated with the passive firewall after multiple failovers.
This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Reassign IP addresses to the active and passive firewalls in Azure as needed.

PLUG-1694 (PAYG licenses only) Your pay-as-you-go (PAYG) license is not retained when you upgrade from a PAN-OS 8.1 release to a PAN-OS 9.0 release.
Workaround: Upgrade to VM-Series plugin 1.0.2 (or later) after you upgrade to a PAN-OS 9.0 release and then reboot the firewall to recover your PAYG license.

PLUG-1681 If you bootstrap a PAN-OS 9.0.1 image while using VM-Series plugin 1.0.0, the firewall will not apply the capacity license. To downgrade the VM-Series plugin from version 1.0.2 to 1.0.0, first bootstrap the PAN-OS 9.0.1 image and then downgrade the plugin.


PLUG-1642 After a high availability (HA) failover, the dataplane interface on a VM-Series firewall on Azure with Accelerated Networking (SR-IOV) becomes disabled when, as a result of the failover, the secondary IP address is detached from or attached to the firewall and moved to its HA peer.
This issue is resolved with VM-Series plugin 1.0.2.

PLUG-1503 When a VM-Series firewall on AWS running on a C5 or M5 instance experiences a high availability (HA) failover, the dataplane interfaces from the previously active firewall are not moved to the newly active (previously passive) peer.
This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Check for the latest VM-Series plugin version and install the VM-Series plugin 9.0.0 version; the built-in version is 9.0.0-c29.

PLUG-1074 On the VM-Series firewall on AWS, when you change the instance type, the firewall no longer has a serial number or a license. Additionally, if you manage this firewall using Panorama, it is no longer connected to Panorama.

PLUG-380 When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.

PAN-131915 There is an issue when you implement a new firewall bootstrap with a USB drive where the bootstrap fails and displays the following error message: no USB device found.
Workaround: Perform a factory reset or run the request system private-data-reset CLI command and then proceed with bootstrapping.

PAN-131792 The Name log filter (Monitor > Logs > Traffic) is not maintained when viewing the Log Viewer for a Security policy rule (Policies > Security) from the drop-down menu.
This issue is now resolved. See PAN-OS 9.0.9 Addressed Issues.

PAN-130069 There is an issue where the firewall incorrectly interprets an external dynamic list MineMeld instability error code as an empty external dynamic list.

PAN-128269 (PA-5250, PA-5260, and PA-5280 firewalls with 100GB AOC cables only) When you upgrade the first peer in a high availability (HA) configuration to PAN-OS 9.0.3 or a later PAN-OS 9.0 release, the High Speed Chassis Interconnect (HSCI) port does not come up, due to an FEC mismatch, until after you finish upgrading the second peer.


PAN-127189 (VM-Series firewalls only) The non-blocking pattern match setting is enabled by default, which results in CTD performance degradation.
This issue is now resolved. See PAN-OS 9.0.5 Addressed Issues.
Workaround: Manually disable the feature and improve performance by using the following CLI command: set system setting ctd nonblocking-pattern-match disable.

PAN-126921 (PA-7000 Series firewalls only) There is an issue where internal path monitoring fails when the firewall processes corrupt packets.

PAN-125775 There is an issue where Panorama management servers deployed using the C5 or M5 instance types on Amazon Web Services (AWS) cause the Panorama instance to stop responding in regions that support these instance types.

PAN-125121 (VM-Series firewalls only) There is an issue where custom images do not function as expected for PAN-OS 9.0.
Workaround: Use PAN-OS 8.1 for creating custom images.

PAN-124956 There is an issue where VM-Series firewalls do not support packet buffer protection.

PAN-120440 There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2.

PAN-120303 There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
• Modify the PAN-DB Server IP address on the managed firewall.
1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
2. Commit your changes.
3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
4. Commit your changes.
• Restart the firewall (devsrvr) process.
1. Log in to the firewall CLI.
2. Restart the devsrvr process: debug software restart process device-server


PAN-118628 There is an issue where, after you deploy Panorama in Azure, you cannot log in to Panorama with the username and password that were provided during the deployment process.

PAN-118525 (PA-5250, PA-5260, PA-5280, and PA-7000 Series firewalls only) There is an issue where the QSFP28 port does not come up with the TR-FC13L-N00 version of the PAN-QSFP28-100GBASE-LR4 optical transceiver on firewalls running a PAN-OS 9.0 release. For assistance, please contact Support.

PAN-118414 (PAN-OS 9.0.2 and later releases only) There is an intermittent issue where a Panorama management server managing Prisma™ Access or Cortex™ Data Lake fails to authorize one-time-password (OTP) submissions during the onboarding process.
Workaround: Downgrade to PAN-OS 9.0.1.

PAN-118108 There is an issue where an API call against a Panorama management server that triggers the request analyze-shared-policy command causes Panorama to reboot after you execute the command.

PAN-117043 There is an issue on the Panorama management server and all supported firewalls where special characters contained in the tag names of the Security policy rules return the following error message when you commit or push a configuration: group-tag is invalid.
Workaround: Modify the tags and group tags (Objects > Tags) to exclude special characters.

PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add the DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.

PAN-115816 (Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.

PAN-115733 (PAN-OS firewalls in an HA configuration only) There is a rare issue where data interfaces do not come up after you reboot the firewall when running a C5 or M5 instance type in AWS.
Workaround: Reboot the firewall.

PAN-114495 Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.

PAN-113117 A newly launched firewall does not get its configuration from
Panorama when it first connects if you installed the VM-Series
plugin on Panorama. When a newly launched firewall that is
bootstrapped connects to Panorama, a process restart occurs
on Panorama. Upon restart, you are logged out of the user
interface and you need to log in and push the device group
and template configuration to the newly connected firewall.

PAN-113098 In the firewall web interface, you can temporarily submit change requests for the following URL categories: insufficient-content, high-risk, medium-risk, low-risk, and newly-registered-domains. However, Palo Alto Networks does not support or process change requests for these categories.

PAN-112983 (Firewalls with multiple virtual systems only; no impact to Panorama) If you select any Location other than Shared when you generate or import a new CA Certificate in a Certificate Profile (Device > Certificate Management > Certificate Profile), the firewall adds the newly generated or imported certificate to vsys1. For example, if you specify vsys3 as the Location, Add a CA Certificate, and then Generate a new certificate, the firewall adds the certificate to vsys1 instead of vsys3. When you click OK to configure the Certificate Profile, the firewall returns an Operation Failed error message because it sees a certificate for vsys1 added to vsys3.
Workaround 1:
1. Generate or import the new certificate in a Certificate Profile (Device > Certificate Management > Certificates > Device Certificates) and select the appropriate vsys Location when you generate or import the certificate.
2. When you create or edit the Certificate Profile, specify the vsys Location and Add the certificate that you generated (or imported) from the list of existing certificates.
Workaround 2: When you generate or import a new certificate when you configure a Certificate Profile for a vsys other than vsys1, specify the Location as Shared.

PAN-112694 (Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.

PAN-112626 When you upgrade to PAN-OS 9.0 with a PAYG Bundle 2 license, the new DNS Security subscription is not available on your VM-Series firewall.
This subscription is included with the BYOL and VM-Series ELA when you upgrade.

PAN-112562 The Log Forwarding Card (LFC) subinterface incorrectly uses the interface IP address instead of the subinterface IP address for all services that forward logs (such as syslog, email, and SNMP) for selected virtual systems.

PAN-112456 You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories, so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.

PAN-111928 Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.

PAN-111866 The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
• Manually select the devices that belong to the modified device group and template configurations.

PAN-111729 If you disable DPDK mode and enable it again, you must
immediately reboot the firewall.

PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV adapter.


PAN-110794 DGA-based threats shown in the firewall threat log display the
same name for all such instances.

PAN-110603 In some cases, when a port on a PA-7000 Series 100Gbps Network Processor Card (NPC) has an SFP+ transceiver inserted but no cable is connected, the system detects a signal and attempts to tune and link with that port. As a result, if the device at the other end of the connection is rebooted or has an HA failover event, the link is sometimes held down for an extended period of time while the interface attempts to tune itself.
Workaround: Connect a cable to the installed SFP+ transceiver to allow the system to tune and link. Then, when you disconnect the cable, the system will correctly detect that the link is down. Alternatively, remove the SFP+ transceiver from the port.

PAN-109526 The system log does not correctly display the URL for CRL
files; instead, the URLs are displayed with encoded characters.

PAN-106989 There is a display-only issue on Panorama that results in a commit failed status for Template Last Commit State (Panorama > Managed Devices > Summary).
Workaround: Push templates to managed devices.

PAN-106675 After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround: Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.

PAN-105210 (Panorama in FIPS mode only when managing non-FIPS firewalls) You cannot configure a GlobalProtect portal on Panorama in FIPS mode when managing a non-FIPS firewall. If you attempt to do so, you will receive the following error message: agent-user-override-key unexpected here Portal_fips.

PAN-104780 If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints. Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.

PAN-103336 (HA configurations only) When you downgrade a VM-Series firewall on Azure from PAN-OS 9.0 to an earlier release, you do not receive warnings. Do not downgrade your firewall without saving and exporting your current configuration.
Workaround: Because HA is not supported in earlier versions of VM-Series firewalls on Azure, to prevent the loss of your configuration:
• Save and export the configuration before you downgrade.
• After you downgrade, load the saved configuration and commit your changes. The firewall will resume operation without the HA configuration.

PAN-103276 Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.

PAN-103018 (Panorama plugins) When you use the AND/OR boolean operators to define the match criteria for Dynamic Address Groups on Panorama, the boolean operators do not function properly. The member IP addresses are not included in the address group as expected.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping information


registered on a firewall or virtual system is not deleted when
you remove the firewall or virtual system from a Device
Group.
Workaround: Log in to the CLI on the firewall and enter
the following command to unregister the IP address-to-tag
mappings: debug object registered-ip clear all.

PAN-101537 After you configure and push address and address group
objects in Shared and vsys-specific device groups from
the Panorama management server to managed firewalls,
executing the show log <log-type> direction equal
<direction> <dst> | <src> in <object-name>
command on a managed firewall only returns address and
address group objects pushed form the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal
<direction> query equal ‘vsys eq <vsys-name>’
<dst> | <src> in <object-name>


PAN-98803 If you configure the Panorama plugin to monitor virtual machines or endpoints in your AWS, Azure, or Cisco ACI environment without installing the NSX plugin, the IP-address-to-tag mappings for Dynamic Address Groups are not displayed on Panorama.
Workaround: Install the NSX plugin (you do not need to use the NSX plugin for the installation to resolve this display issue).

PAN-98520 When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.

PAN-97757 GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.

PAN-97524 (Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.

PAN-96985 The request shutdown system command does not shut down the Panorama management server.

PAN-96960 You cannot restart or shut down a Panorama on KVM from the Virtual-manager console or virsh CLI.

PAN-96446 A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.

PAN-95773 On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.

PAN-95717 After 30,000 or more end users log in to the GlobalProtect gateway within a two- to three-hour period, the firewall web interface responds slowly, commits take longer than expected or intermittently fail, and Tech Support File generation times out and fails.

PAN-95602 In a deployment where a Log Collector connects to Panorama management servers in a high availability (HA) configuration, after you switch the Log Collector appliance to Panorama mode, commit operations fail on the appliance.
Workaround: Remove the following node from the running-config.xml file on the Log Collector before switching it to Panorama mode: devices/entry[@name='localhost.localdomain']/deviceconfig/system/panorama-server-2
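The workaround for PAN-95602 asks you to delete one node from an exported running-config.xml by its path. The script below is an added example of doing that with the Python standard library; it is not Palo Alto Networks code, and the embedded XML is a constructed, trimmed stand-in for a real running-config.xml (only the elements the workaround touches are present, with documentation-range IP addresses). The path it deletes is the one quoted in the release note; the primary panorama-server node is left intact.

```python
"""Remove the secondary Panorama server node (panorama-server-2) from a
Log Collector's exported running-config.xml before switching the appliance
to Panorama mode (workaround for PAN-95602).

Added example, not Palo Alto Networks code. SAMPLE_CONFIG is a constructed,
minimal stand-in for a real running-config.xml.
"""
import xml.etree.ElementTree as ET

# Path from the release note, relative to the <config> root element.
PANORAMA_SERVER_2_PATH = (
    "devices/entry[@name='localhost.localdomain']"
    "/deviceconfig/system/panorama-server-2"
)

# Constructed sample: a trimmed config with a primary and a secondary
# Panorama server (192.0.2.0/24 is a documentation-only address range).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<config version="9.0.0" urldb="paloaltonetworks">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <hostname>log-collector-1</hostname>
          <panorama-server>192.0.2.10</panorama-server>
          <panorama-server-2>192.0.2.11</panorama-server-2>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""


def remove_panorama_server_2(config_xml: str) -> tuple[str, int]:
    """Return (new_xml, removed_count).

    Removes every panorama-server-2 element found under the documented
    <system> path. ElementTree has no parent pointers, so we locate the
    <system> parent first and delete the child in place.
    """
    root = ET.fromstring(config_xml)
    removed = 0
    for system in root.findall(
        "devices/entry[@name='localhost.localdomain']/deviceconfig/system"
    ):
        for node in system.findall("panorama-server-2"):
            system.remove(node)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def has_node(config_xml: str, path: str = PANORAMA_SERVER_2_PATH) -> bool:
    """True when an element exists at `path` below the <config> root."""
    return ET.fromstring(config_xml).find(path) is not None


if __name__ == "__main__":
    new_xml, count = remove_panorama_server_2(SAMPLE_CONFIG)
    print(f"removed {count} panorama-server-2 node(s)")
    print(new_xml)
```

On a real appliance you would export the configuration, run the function over the file contents, and re-import the result; note that ET.tostring drops the XML declaration, so re-add it (or write the tree with ET.ElementTree(root).write(path, xml_declaration=True)) if your import tool requires one, and diff the before and after files so the only change is the removed node.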

PAN-95511 The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)

PAN-94966 After you delete disconnected and connected Terminal Server (TS) agents in the same operation, the firewall still displays the IP address-to-port-user mappings (show user ip-port-user-mapping CLI command) for the disconnected TS agents you deleted (Device > User Identification > Terminal Services Agents).
Workaround: Do not delete both disconnected and connected TS agents in the same operation.

PAN-94846 When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.

PAN-94093 HTTP Header Insertion does not work when jumbo frames are received out of order.

PAN-93968 The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.

PAN-93842 The logging status of a Panorama Log Collector deployed on AWS or Azure displays as disconnected when you configure the ethernet1/1 to ethernet1/5 interfaces for log collection (Panorama > Managed Collectors > Interfaces). This results in firewalls not sending logs to the Log Collector.
Workaround: Configure the management (MGT) interface for log collection.

PAN-93607 When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn't list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).

PAN-93193 The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
• Switch to the firewall Context on the Panorama management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being installed.
• Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall. Use the Task Manager to verify that you are not performing memory-intensive tasks (installing dynamic updates, committing changes, or generating reports) at the same time on the firewall.

PAN-91802 On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.

PAN-86903 In rare cases, PA-800 Series firewalls shut themselves down due to a false over-current measurement.

PAN-84488 On PA-7000 Series and PA-5200 Series firewalls, client systems can use a translated IP address-and-port pair for only one connection even if you configure the Dynamic IP and Port (DIPP) NAT Oversubscription Rate to allow multiple connections (Device > Setup > Session > Session Settings > NAT Oversubscription).

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.

PAN-83598 VM-Series firewalls cannot monitor more than 500 virtual machine (VM) information sources (Device > VM Information Sources).

PAN-83236 The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).

PAN-81521 Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.

PAN-79423 Panorama cannot push address group objects from device groups to managed firewalls when zones specify the objects in the User Identification ACL include or exclude lists (Network > Zones) and the Share Unused Address and Service Objects with Devices option is disabled (Panorama > Setup > Management > Panorama Settings).

PAN-77125 PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don't close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.

PAN-75457 (PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error—the commit fails and the cluster becomes unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.

PAN-73401 (PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
• You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
• You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
• After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
• Configure a worker list on the cluster controller:
admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
(<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
• Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
or
admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
Both commands result in Panorama reporting that the controller nodes are in sync.

PAN-71329 Local users and user groups in the Shared location (all virtual
systems) are not available to be part of the user-to-application
mapping for GlobalProtect Clientless VPN applications
(Network > GlobalProtect > Portals > <portal> > Clientless
VPN > Applications).
Workaround: Create users and user groups in specific virtual
systems on firewalls that have multiple virtual systems. For
single virtual systems (like VM-Series firewalls), users and user
groups are created under Shared and are not configurable for
Clientless VPN applications.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are
enabled on the same IP address, then when a user logs out of
the GlobalProtect portal, the administrative user is also logged
out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web
interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).

PAN-41558 When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround: Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.

PAN-40079 The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.

PAN-38255 When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.

PAN-31832 The following issues apply when configuring a firewall to use a hardware security module (HSM):
• nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
• SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.

PAN-25046 Firewalls store SSH host keys used for SCP log exports in the
known hosts file. In an HA deployment, PAN-OS synchronizes
the SCP log export configuration between the firewall HA
peers (Device > Scheduled Log Export), but not the known
host file. When a failover occurs, the SCP log export fails.
Workaround: Log in to each peer in HA, select Device >
Scheduled Log Export > <log_export_configuration>, and Test
SCP server connection to confirm the host key so that SCP log
forwarding continues to work after a failover.

PAN-OS® 9.0.3 (and 9.0.3-h2 and 9.0.3-h3) Known Issues
The following list includes only outstanding known issues specific to the PAN-OS 9.0.3 maintenance and
hotfix releases. This list includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and
WildFire®, as well as known issues that apply more generally or that are not identified by an issue ID. For
a complete list of existing and addressed known issues in all PAN-OS 9.0 releases, see the Known Issues
Related to PAN-OS 9.0.

Issue ID Description

— Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.

— A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
• When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
• If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50. The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for licensed capacity for the firewall model.

— A Panorama management server running PAN-OS 9.0 does not currently support management of appliances running WildFire 7.1 or earlier releases. Even though these management options are visible on the Panorama 9.0 web interface (Panorama > Managed WildFire Clusters and Panorama > Managed WildFire Appliances), making changes to these settings for appliances running WildFire 7.1 or an earlier release has no effect.

WF500-4200 The Create Date shown when using the show wildfire global sample-status sha256 equal <hash> or show wildfire global sample-analysis CLI command is two hours behind the actual time for WF-500 appliance samples.

PLUG-1854 (PAN-OS 9.0.2 and later releases on AWS and GCP only) You cannot swap the management interface. This issue is resolved with VM-Series plugin 1.0.3.

PLUG-1827 (Microsoft Azure only) The firewall drops packets due to larger than expected packet sizes when Accelerated networking is enabled on the firewall (Settings > Networking). This issue is resolved after you upgrade to VM-Series plugin 1.0.3 and reboot the firewall.

PLUG-1709 (Microsoft Azure only) There is an intermittent issue where the secondary IP address becomes associated with the passive firewall after multiple failovers. This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Reassign IP addresses to the active and passive firewalls in Azure as needed.

PLUG-1694 (PAYG licenses only) Your pay-as-you-go (PAYG) license is not retained when you upgrade from a PAN-OS 8.1 release to a PAN-OS 9.0 release.
Workaround: Upgrade to VM-Series plugin 1.0.2 (or later) after you upgrade to a PAN-OS 9.0 release and then reboot the firewall to recover your PAYG license.

PLUG-1681 If you bootstrap a PAN-OS 9.0.1 image while using VM-Series plugin 1.0.0, the firewall will not apply the capacity license. To downgrade the VM-Series plugin from version 1.0.2 to 1.0.0, first bootstrap the PAN-OS 9.0.1 image and then downgrade the plugin.

PLUG-1642 After a high availability (HA) failover, the dataplane interface on a VM-Series firewall on Azure with Accelerated Networking (SR-IOV) becomes disabled when, as a result of the failover, the secondary IP address is detached from or attached to the firewall and moved to its HA peer. This issue is resolved with VM-Series plugin 1.0.2.

PLUG-1503 When a VM-Series firewall on AWS running on a C5 or M5 instance experiences a high availability (HA) failover, the dataplane interfaces from the previously active firewall are not moved to the newly active (previously passive) peer. This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Check for the latest VM-Series plugin version and install the VM-Series plugin 9.0.0 version; the built-in version is 9.0.0-c29.

PLUG-1074 On the VM-Series firewall on AWS, when you change the instance type, the firewall no longer has a serial number or a license. Additionally, if you manage this firewall using Panorama, it is no longer connected to Panorama.

PLUG-380 When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.

PAN-131915 There is an issue when you implement a new firewall bootstrap with a USB drive where the bootstrap fails and displays the following error message: no USB device found.
Workaround: Perform a factory reset or run the request system private-data-reset CLI command and then proceed with bootstrapping.

PAN-131792 The Name log filter (Monitor > Logs > Traffic) is not maintained when viewing the Log Viewer for a Security policy rule (Policies > Security) from the drop-down menu. This issue is now resolved. See PAN-OS 9.0.9 Addressed Issues.

PAN-130069 There is an issue where the firewall incorrectly interprets an external dynamic list MineMeld instability error code as an empty external dynamic list.

PAN-128269 (PA-5250, PA-5260, and PA-5280 firewalls with 100GB AOC cables only) When you upgrade the first peer in a high availability (HA) configuration to PAN-OS 9.0.3 or a later PAN-OS 9.0 release, the High Speed Chassis Interconnect (HSCI) port does not come up due to an FEC mismatch until after you finish upgrading the second peer.

PAN-126921 (PA-7000 Series firewalls only) There is an issue where internal path monitoring fails when the firewall processes corrupt packets.

PAN-125775 There is an issue where Panorama management servers deployed using the C5 or M5 instance types on Amazon Web Services (AWS) cause the Panorama instance to stop responding in regions that support these instance types.

PAN-125121 (VM-Series firewalls only) There is an issue where custom images do not function as expected for PAN-OS 9.0.
Workaround: Use PAN-OS 8.1 for creating custom images.

PAN-124956 There is an issue where VM-Series firewalls do not support packet buffer protection.

PAN-121449 The Remove Config button on Panorama > Plugins does not remove the configuration for any plugins you have set up on Panorama.
Workaround: Manually delete the plugin configuration: select your plugin on Panorama, clear the values from all fields, and Commit your changes.

PAN-120662 (PA-7000 series firewalls using PA-7000-20G-NPC cards only) There is an intermittent issue where an out-of-memory (OOM) condition causes dataplane or internal path monitoring to stop responding.

PAN-120440 There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2.

PAN-120303 There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
• Modify the PAN-DB Server IP address on the managed firewall.
1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
2. Commit your changes.
3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
4. Commit your changes.
• Restart the firewall (devsrvr) process.
1. Log in to the firewall CLI.
2. Restart the devsrvr process: debug software restart process device-server

PAN-118628 There is an issue where after you deploy Panorama in Azure, you cannot log in to Panorama with the username and password that was provided during the deployment process.

PAN-118525 (PA-5250, PA-5260, PA-5280, and PA-7000 Series firewalls only) There is an issue where the QSFP28 port does not come up with the TR-FC13L-N00 version of the PAN-QSFP28-100GBASE-LR4 optical transceiver on firewalls running a PAN-OS 9.0 release. For assistance, please contact Support.

PAN-118414 (PAN-OS 9.0.2 and later releases only) There is an intermittent issue where a Panorama management server managing Prisma™ Access or Cortex™ Data Lake fails to authorize one-time-password (OTP) submissions during the onboarding process.
Workaround: Downgrade to PAN-OS 9.0.1.

PAN-118108 There is an issue where an API call against a Panorama management server that triggers the request analyze-shared-policy command causes Panorama to reboot after you execute the command.

PAN-117424 PA-220 and PA-800 Series firewalls do not support Cortex Data Lake logging without Panorama—for these firewalls, continue to use Panorama to enable Cortex Data Lake logging.

PAN-117043 There is an issue on the Panorama management server and all supported firewalls where special characters contained in the tag names of the Security policy rules return the following error message: group-tag is invalid when you commit or push a configuration.
Workaround: Modify the tags and group tags (Objects > Tags) to exclude special characters.

PAN-116436 (Panorama virtual appliances only) There is a disk space calculation error that eventually leads to an erroneous opt/panlogs/ partition full condition and causes a process (CDB) to stop responding.

PAN-116069 (PA-200 firewalls only) There is a rare out-of-memory (OOM) condition.

PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add the DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.

PAN-115816 (Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.

PAN-115733 (PAN-OS firewalls in an HA configuration only) There is a rare issue where data interfaces do not come up after you reboot the firewall when running a C5 or M5 instance type in AWS.
Workaround: Reboot the firewall.

PAN-114495 Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets. Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.

PAN-113501 The Panorama management server returns a Secure Copy (SCP) server connection error after you create an SCP Scheduled Config Export profile (Panorama > Scheduled Config Export) due to the SCP server password exceeding 15 characters in length.

PAN-113098 In the firewall web interface, you can temporarily submit change requests for the following URL categories: insufficient-content, high-risk, medium-risk, low-risk, and newly-registered-domains. However, Palo Alto Networks does not support or process change requests for these categories.

PAN-112983 (Firewalls with multiple virtual systems only; no impact to Panorama) If you select any Location other than Shared when you generate or import a new CA Certificate in a Certificate Profile (Device > Certificate Management > Certificate Profile), the firewall adds the newly generated or imported certificate to vsys1. For example, if you specify vsys3 as the Location, Add a CA Certificate, and then Generate a new certificate, the firewall adds the certificate to vsys1 instead of vsys3. When you click OK to configure the Certificate Profile, the firewall returns an Operation Failed error message because it sees a certificate for vsys1 added to vsys3.
Workaround 1:
1. Generate or import the new certificate in a Certificate Profile (Device > Certificate Management > Certificates > Device Certificates) and select the appropriate vsys Location when you generate or import the certificate.
2. When you create or edit the Certificate Profile, specify the vsys Location and Add the certificate that you generated (or imported) from the list of existing certificates.
Workaround 2: When you generate or import a new certificate when you configure a Certificate Profile for a vsys other than vsys1, specify the Location as Shared.

PAN-112694 (Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.

PAN-112626 When you upgrade to PAN-OS 9.0 with a PAYG Bundle 2 license, the new DNS Security subscription is not available on your VM-Series firewall. This subscription is included with the BYOL and VM-Series ELA when you upgrade.

PAN-112562 The Log Forwarding Card (LFC) subinterface incorrectly uses the interface IP address instead of the subinterface IP address for all services that forward logs (such as syslog, email, and SNMP) for selected virtual systems.

PAN-112456 You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories, so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.

PAN-112340 If you enable URL Filtering without enabling Threat Prevention and your environment processes a large number (thousands) of URL look-ups per second per dataplane, you are likely to experience performance issues, including high CPU usage.

PAN-111928 Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.

PAN-111866 The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
• Manually select the devices that belong to the modified device group and template configurations.

PAN-111729 If you disable DPDK mode and enable it again, you must
immediately reboot the firewall.

PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV


adapter.

PAN-OS® RELEASE NOTES | PAN-OS 9.0 Release Information 163


© 2020 Palo Alto Networks, Inc.
Issue ID Description

PAN-110794 DGA-based threats shown in the firewall threat log display the same name for all such instances.

PAN-110603 In some cases, when a port on a PA-7000 Series 100Gbps Network Processor Card (NPC) has an SFP+ transceiver inserted but no cable is connected, the system detects a signal and attempts to tune and link with that port. As a result, if the device at the other end of the connection is rebooted or has an HA failover event, the link is sometimes held down for an extended period of time while the interface attempts to tune itself.
Workaround: Connect a cable to the installed SFP+ transceiver to allow the system to tune and link. Then, when you disconnect the cable, the system will correctly detect that the link is down. Alternatively, remove the SFP+ transceiver from the port.

PAN-109526 The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.

PAN-106989 There is a display-only issue on Panorama that results in a commit failed status for Template Last Commit State (Panorama > Managed Devices > Summary).
Workaround: Push templates to managed devices.

PAN-106675 After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround: Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.

PAN-105210 (Panorama in FIPS mode only when managing non-FIPS firewalls) You cannot configure a GlobalProtect portal on Panorama in FIPS mode when managing a non-FIPS firewall. If you attempt to do so, you will receive the following error message: agent-user-override-key unexpected here Portal_fips.

PAN-104808 There is an issue where scheduled SaaS reports generate and email empty PDF reports.
Workaround: Manually generate the report from the Panorama web interface.

PAN-104780 If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed.
This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints. Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.

PAN-103336 (HA configurations only) When you downgrade a VM-Series firewall on Azure from PAN-OS 9.0 to an earlier release, you do not receive warnings. Do not downgrade your firewall without saving and exporting your current configuration.
Workaround: Because HA is not supported in earlier versions of VM-Series firewalls on Azure, to prevent the loss of your configuration:
• Save and export the configuration before you downgrade.
• After you downgrade, load the saved configuration and commit your changes. The firewall will resume operation without the HA configuration.

PAN-103276 Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.

PAN-103018 (Panorama plugins) When you use the AND/OR boolean operators to define the match criteria for Dynamic Address Groups on Panorama, the boolean operators do not function properly. The member IP addresses are not included in the address group as expected.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all.

PAN-101537 After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> | <src> in <object-name>

PAN-99483 (PA-5220, PA-5250, PA-5260, and PA-5280 firewalls only) When you deploy the firewall in a network that uses Dynamic IP and Port (DIPP) NAT translation with PPTP, client systems are limited to using a translated IP address-and-port pair for only one connection. This issue occurs because the PPTP protocol uses a TCP signaling (control) protocol that exchanges data using Generic Routing Encapsulation (GRE) version 1 and the hardware cannot correlate the call-id in the GRE version 1 header with the correct dataplane (the one that owns the predict session of GRE).
This issue is now resolved for PA-5220 firewalls. See PAN-OS 9.0.3 Addressed Issues.

PAN-98803 If you configure the Panorama plugin to monitor virtual machines or endpoints in your AWS, Azure, or Cisco ACI environment without installing the NSX plugin, the IP-address-to-tag mappings for Dynamic Address Groups are not displayed on Panorama.
Workaround: Install the NSX plugin (you do not need to use the NSX plugin for the installation to resolve this display issue).

PAN-98520 When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.

PAN-97757 GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.

PAN-97524 (Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.

PAN-96985 The request shutdown system command does not shut down the Panorama management server.

PAN-96960 You cannot restart or shut down a Panorama on KVM from the Virtual-manager console or virsh CLI.

PAN-96446 A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.

PAN-95773 On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.

PAN-95717 After 30,000 or more end users log in to the GlobalProtect gateway within a two- to three-hour period, the firewall web interface responds slowly, commits take longer than expected or intermittently fail, and Tech Support File generation times out and fails.

PAN-95602 In a deployment where a Log Collector connects to Panorama management servers in a high availability (HA) configuration, after you switch the Log Collector appliance to Panorama mode, commit operations fail on the appliance.
Workaround: Remove the following node from the running-config.xml file on the Log Collector before switching it to Panorama mode: devices/entry[@name='localhost.localdomain']/deviceconfig/system/panorama-server-2

PAN-95511 The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)

PAN-94966 After you delete disconnected and connected Terminal Server (TS) agents in the same operation, the firewall still displays the IP address-to-port-user mappings (show user ip-port-user-mapping CLI command) for the disconnected TS agents you deleted (Device > User Identification > Terminal Services Agents).
Workaround: Do not delete both disconnected and connected TS agents in the same operation.

PAN-94846 When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.

PAN-94093 HTTP Header Insertion does not work when jumbo frames are received out of order.

PAN-93968 The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.

PAN-93842 The logging status of a Panorama Log Collector deployed on AWS or Azure displays as disconnected when you configure the ethernet1/1 to ethernet1/5 interfaces for log collection (Panorama > Managed Collectors > Interfaces). This results in firewalls not sending logs to the Log Collector.
Workaround: Configure the management (MGT) interface for log collection.

PAN-93607 When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn't list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).

PAN-93193 The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
• Switch to the firewall Context on the Panorama management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being installed.
• Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall. Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.

PAN-91802 On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.

PAN-86903 In rare cases, PA-800 Series firewalls shut themselves down due to a false over-current measurement.

PAN-84670 When you disable decryption for HTTPS traffic, end users who don't have valid authentication timestamps can access HTTPS services and applications regardless of Authentication policy.
Workaround: Create a Security policy rule that blocks HTTPS traffic that is not decrypted.

PAN-84488 On PA-7000 Series and PA-5200 Series firewalls, client systems can use a translated IP address-and-port pair for only one connection even if you configure the Dynamic IP and Port (DIPP) NAT Oversubscription Rate to allow multiple connections (Device > Setup > Session > Session Settings > NAT Oversubscription).

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.

PAN-83598 VM-Series firewalls cannot monitor more than 500 virtual machine (VM) information sources (Device > VM Information Sources).

PAN-83236 The VM-Series firewall on Google Compute Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).

PAN-81521 Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.

PAN-79423 Panorama cannot push address group objects from device groups to managed firewalls when zones specify the objects in the User Identification ACL include or exclude lists (Network > Zones) and the Share Unused Address and Service Objects with Devices option is disabled (Panorama > Setup > Management > Panorama Settings).

PAN-77125 PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don't close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.

PAN-75457 (PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error—the commit fails and the cluster becomes unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.

PAN-73401 (PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
• You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
• You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
• After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
• Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

or

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

Both commands result in Panorama reporting that the controller nodes are in sync.

PAN-71329 Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround: Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).

PAN-41558 When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround: Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.

PAN-40079 The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.

PAN-38255 When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.

PAN-31832 The following issues apply when configuring a firewall to use a hardware security module (HSM):
• nCipher nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
• SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.

PAN-25046 Firewalls store SSH host keys used for SCP log exports in the known hosts file. In an HA deployment, PAN-OS synchronizes the SCP log export configuration between the firewall HA peers (Device > Scheduled Log Export), but not the known hosts file. When a failover occurs, the SCP log export fails.
Workaround: Log in to each peer in HA, select Device > Scheduled Log Export > <log_export_configuration>, and Test SCP server connection to confirm the host key so that SCP log forwarding continues to work after a failover.

PAN-OS 9.0.2 (and 9.0.2-h4) Known Issues

The following list includes only outstanding known issues specific to PAN-OS 9.0.2 (and PAN-OS 9.0.2-h4). This list includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well as known issues that apply more generally or that are not identified by an issue ID. For a complete list of existing and addressed known issues in all PAN-OS 9.0 releases, see the Known Issues Related to PAN-OS 9.0.

Issue ID Description

— Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.

— A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
• When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
• If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license, indicates that you must allocate the additional memory required for licensed capacity for the firewall model.

— A Panorama management server running PAN-OS 9.0 does not currently support management of appliances running WildFire 7.1 or earlier releases. Even though these management options are visible on the Panorama 9.0 web interface (Panorama > Managed WildFire Clusters and Panorama > Managed WildFire Appliances), making changes to these settings for appliances running WildFire 7.1 or an earlier release has no effect.

WF500-4200 The Create Date shown when using the show wildfire global sample-status sha256 equal <hash> or show wildfire global sample-analysis CLI command is two hours behind the actual time for WF-500 appliance samples.

PLUG-1854 (PAN-OS 9.0.2 and later releases on AWS and GCP only) You cannot swap the management interface.
This issue is resolved with VM-Series plugin 1.0.3.

PLUG-1827 (Microsoft Azure only) The firewall drops packets due to larger than expected packet sizes when Accelerated networking is enabled on the firewall (Settings > Networking).
This issue is resolved after you upgrade to VM-Series plugin 1.0.3 and reboot the firewall.

PLUG-1709 (Microsoft Azure only) There is an intermittent issue where the secondary IP address becomes associated with the passive firewall after multiple failovers.
This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Reassign IP addresses to the active and passive firewalls in Azure as needed.

PLUG-1694 (PAYG licenses only) Your pay-as-you-go (PAYG) license is not retained when you upgrade from a PAN-OS 8.1 release to a PAN-OS 9.0 release.
Workaround: Upgrade to VM-Series plugin 1.0.2 (or later) after you upgrade to a PAN-OS 9.0 release and then reboot the firewall to recover your PAYG license.

PLUG-1681 If you bootstrap a PAN-OS 9.0.1 image while using VM-Series plugin 1.0.0, the firewall will not apply the capacity license. To downgrade the VM-Series plugin from version 1.0.2 to 1.0.0, first bootstrap the PAN-OS 9.0.1 image and then downgrade the plugin.

PLUG-1642 After a high availability (HA) failover, the dataplane interface on a VM-Series firewall on Azure with Accelerated Networking (SR-IOV) becomes disabled when, as a result of the failover, the secondary IP address is detached from or attached to the firewall and moved to its HA peer.
This issue is resolved with VM-Series plugin 1.0.2.

PLUG-1503 When a VM-Series firewall on AWS running on a C5 or M5 instance experiences a high availability (HA) failover, the dataplane interfaces from the previously active firewall are not moved to the newly active (previously passive) peer.
This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Check for the latest VM-Series plugin version and install the VM-Series plugin 9.0.0 version; the built-in version is 9.0.0-c29.

PLUG-1074 On the VM-Series firewall on AWS, when you change the instance type, the firewall no longer has a serial number or a license. Additionally, if you manage this firewall using Panorama, it is no longer connected to Panorama.

PLUG-380 When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.

PAN-131915 There is an issue when you implement a new firewall bootstrap with a USB drive where the bootstrap fails and displays the following error message: no USB device found.
Workaround: Perform a factory reset or run the request system private-data-reset CLI command and then proceed with bootstrapping.

PAN-131792 The Name log filter (Monitor > Logs > Traffic) is not maintained when viewing the Log Viewer for a Security policy rule (Policies > Security) from the drop-down menu.
This issue is now resolved. See PAN-OS 9.0.9 Addressed Issues.

PAN-130069 There is an issue where the firewall incorrectly interprets an external dynamic list MineMeld instability error code as an empty external dynamic list.

PAN-126921 (PA-7000 Series firewalls only) There is an issue where internal path monitoring fails when the firewall processes corrupt packets.

PAN-125775 There is an issue where Panorama management servers deployed using the C5 or M5 instance types on Amazon
Web Services (AWS) cause the Panorama instance to stop
responding in regions that support these instance types.

PAN-125121 (VM-Series firewalls only) There is an issue where custom


images do not function as expected for PAN-OS 9.0.
Workaround: Use PAN-OS 8.1 for creating custom images.

PAN-124956 There is an issue where VM-Series firewalls do not support


packet buffer protection.

PAN-120662 (PA-7000 series firewalls using PA-7000-20G-NPC cards only)


There is an intermittent issue where an out-of-memory (OOM)
condition causes dataplane or internal path monitoring to stop
responding.

PAN-120440 There is an issue on M-500 Panorama management servers


where any ethernet interface with an IPv6 address having
Private PAN-DB-URL connectivity only supports the following
format: 2001:DB9:85A3:0:0:8A2E:370:2.

PAN-120303 There is an issue where the firewall remains connected to the


PAN-DB-URL server through the old management IP address
on the M-500 Panorama management server, even when you
configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the
firewall using one of the methods below.
• Modify the PAN-DB Server IP address on the managed
firewall.
1. On the web interface, delete the PAN-DB Server IP
address (Device > Setup > Content ID > URL Filtering
settings).
2. Commit your changes.
3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
4. Commit your changes.
• Restart the firewall (devsrvr) process.
1. Log in to the firewall CLI.
2. Restart the devsrvr process: debug software
restart process device-server

PAN-118628 There is an issue where after you deploy Panorama in Azure,
you cannot log in to Panorama with the username and
password that was provided during the deployment process.

PAN-118525 (PA-5250, PA-5260, PA-5280, and PA-7000 Series firewalls
only) There is an issue where the QSFP28 port does not
come up with the TR-FC13L-N00 version of the PAN-
QSFP28-100GBASE-LR4 optical transceiver on firewalls
running a PAN-OS 9.0 release. For assistance, please contact
Support.

PAN-118414 (PAN-OS 9.0.2 and later releases only) There is an intermittent
issue where a Panorama management server managing
Prisma™ Access or Cortex™ Data Lake fails to authorize one-
time-password (OTP) submissions during the onboarding
process.
Workaround: Downgrade to PAN-OS 9.0.1.

PAN-118108 There is an issue where an API call against a Panorama
management server that triggers the request analyze-
shared-policy command causes Panorama to reboot after
you execute the command.

PAN-117424 Cortex Data Lake without Panorama—where we removed
Panorama as a requirement to send logs to Cortex Data
Lake—was introduced in PAN-OS 9.0.2, and was not initially
supported for PA-220 and PA-800 Series firewalls. This issue
details an update we made to support this feature across all
firewall platforms. If you successfully onboarded the firewall
to Cortex Data Lake before PAN-OS 9.0.3 released, this issue
does not impact you. But following the release of PAN-OS
9.0.3, this feature is no longer supported in PAN-OS 9.0.2. If
this is a feature you would like to implement, you’ll need to
upgrade to PAN-OS 9.0.3. Here’s how you can get started
with Cortex Data Lake now.
This issue is now resolved. See PAN-OS 9.0.3 Addressed Issues.

PAN-117043 There is an issue on the Panorama management server and all
supported firewalls where special characters contained in the
tag names of the Security policy rules return the following
error message: group-tag is invalid when you commit
or push a configuration.
Workaround: Modify the tags and group tags (Objects > Tags)
to exclude special characters.

PAN-116436 (Panorama virtual appliances only) There is a disk space
calculation error that eventually leads to an erroneous
opt/panlogs/ partition full condition and causes a process (CDB) to
stop responding.

PAN-116069 (PA-200 firewalls only) There is a rare out-of-memory (OOM)
condition.

PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not
accept the DNS value from the initial configuration (init-cfg)
file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in
the bootstrap folder and complete the bootstrap process.

PAN-115816 (Microsoft Azure only) There is an intermittent issue where
an Ethernet (eth1) interface does not come up when you first
boot up the firewall.
Workaround: Reboot the firewall.

PAN-115733 (PAN-OS firewalls in an HA configuration only) There is a rare
issue where data interfaces do not come up after you reboot
the firewall when running a C5 or M5 instance type in AWS.
Workaround: Reboot the firewall.

PAN-114495 Alibaba Cloud runs on a KVM hypervisor and supports two
Virtio modes: DPDK (default) and MMAP. If you deploy a VM-
Series firewall running PAN-OS 9.0 in DPDK packet mode
and you then switch to MMAP packet mode, the VM-Series
firewall duplicates packets that originate from or terminate
on the firewall. As an example, if a load balancer or a server
behind the firewall pings the VM-Series firewall after you
switch from DPDK packet mode to MMAP packet mode, the
firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-
Series firewall using MMAP packet mode.

PAN-113501 The Panorama management server returns a Secure Copy
(SCP) server connection error after you create an SCP
Scheduled Config Export profile (Panorama > Scheduled
Config Export) due to the SCP server password exceeding 15
characters in length.

PAN-113117 A newly launched firewall does not get its configuration from
Panorama when it first connects if you installed the VM-Series
plugin on Panorama. When a newly launched firewall that is
bootstrapped connects to Panorama, a process restart occurs
on Panorama. Upon restart, you are logged out of the user
interface and you need to log in and push the device group
and template configuration to the newly connected firewall.

PAN-113098 In the firewall web interface, you can temporarily submit
change requests for the following URL categories: insufficient-
content, high-risk, medium-risk, low-risk, and newly-
registered-domains. However, Palo Alto Networks does not
support or process change requests for these categories.

PAN-112983 (Firewalls with multiple virtual systems only; no impact to
Panorama) If you select any Location other than Shared when
you generate or import a new CA Certificate in a Certificate
Profile (Device > Certificate Management > Certificate
Profile), the firewall adds the newly generated or imported
certificate to vsys1. For example, if you specify vsys3 as the
Location, Add a CA Certificate, and then Generate a new
certificate, the firewall adds the certificate to vsys1 instead of
vsys3. When you click OK to configure the Certificate Profile,
the firewall returns an Operation Failed error message
because it sees a certificate for vsys1 added to vsys3.
Workaround 1:
1. Generate or import the new certificate in a Certificate
Profile (Device > Certificate Management > Certificates >
Device Certificates) and select the appropriate vsys
Location when you generate or import the certificate.
2. When you create or edit the Certificate Profile, specify the
vsys Location and Add the certificate that you generated
(or imported) from the list of existing certificates.
Workaround 2: When you generate or import a new
certificate when you configure a Certificate Profile for a vsys
other than vsys1, specify the Location as Shared.

PAN-112694 (Firewalls with multiple virtual systems only) If you configure
dynamic DNS (DDNS) on a new interface (associated with
vsys1 or another virtual system) and you then create a
New Certificate Profile from the drop-down, you must set
the location for the Certificate Profile to Shared. If you
configure DDNS on an existing interface and then create a
new Certificate Profile, we also recommend that you choose
the Shared location instead of a specific virtual system.
Alternatively, you can select a preexisting certificate profile
instead of creating a new one.

PAN-112562 The Log Forwarding Card (LFC) subinterface incorrectly uses
the interface IP address instead of the subinterface IP address
for all services that forward logs (such as syslog, email, and
SNMP) for selected virtual systems.

PAN-112456 You can temporarily submit a change request for a URL
Category with more than two suggested categories. However,
we support only two suggested categories so add no more
than two suggested categories to a change request until we
address this issue. If you submit more than two suggested
categories, we will use only the first two categories you enter.

PAN-112340 If you enable URL Filtering without enabling Threat Prevention
and your environment processes a large number (thousands)
of URL look-ups per second per dataplane, you are likely to
experience performance issues, including high CPU usage.

PAN-111928 Invalid configuration errors are not displayed as expected
when you revert a Panorama management server
configuration.
Workaround: After you revert the Panorama configuration,
Commit (Commit > Commit to Panorama) the reverted
configuration to display the invalid configuration errors.

PAN-111866 The push scope selection on the Panorama web interface
displays incorrectly even though the commit scope displays
as expected. This issue occurs when one administrator makes
configuration changes to separate device groups or templates
that affect multiple firewalls and a different administrator
attempts to push those changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a
Push to Devices operation for the modified device group
and template configurations.
• Manually select the devices that belong to the modified
device group and template configurations.

PAN-111729 If you disable DPDK mode and enable it again, you must
immediately reboot the firewall.

PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV
adapter.

PAN-110794 DGA-based threats shown in the firewall threat log display the
same name for all such instances.

PAN-110603 In some cases, when a port on a PA-7000 Series 100Gbps
Network Processor Card (NPC) has an SFP+ transceiver
inserted but no cable is connected, the system detects a signal
and attempts to tune and link with that port. As a result, if the
device at the other end of the connection is rebooted or has
an HA failover event, the link is sometimes held down for an
extended period of time while the interface attempts to tune
itself.
Workaround: Connect a cable to the installed SFP+
transceiver to allow the system to tune and link. Then, when
you disconnect the cable, the system will correctly detect that
the link is down. Alternatively, remove the SFP+ transceiver
from the port.

PAN-109526 The system log does not correctly display the URL for CRL
files; instead, the URLs are displayed with encoded characters.

PAN-106989 There is a display-only issue on Panorama that results in a
commit failed status for Template Last Commit State
(Panorama > Managed Devices > Summary).
Workaround: Push templates to managed devices.

PAN-106675 After upgrading the Panorama management server to PAN-OS
8.1 or a later release, predefined reports do not display a list of
top attackers.
Workaround: Create new threat summary reports (Monitor >
PDF Reports > Manage PDF Summary) containing the top
attackers to mimic the predefined reports.

PAN-105210 (Panorama in FIPS mode only when managing non-FIPS
firewalls) You cannot configure a GlobalProtect portal on
Panorama in FIPS mode when managing a non-FIPS firewall.
If you attempt to do so, you will receive the following error
message: agent-user-override-key unexpected
here Portal_fips.

PAN-104808 There is an issue where scheduled SaaS reports generate and
email empty PDF reports.
Workaround: Manually generate the report from the
Panorama web interface.

PAN-104780 If you configure a HIP object to match only when a connecting
endpoint is managed (Objects > GlobalProtect > HIP
Objects > <hip-object> > General > Managed), iOS and
Android endpoints that are managed by AirWatch are unable
to successfully match the HIP object and the HIP report
incorrectly indicates that these endpoints are not managed.
This issue occurs because GlobalProtect gateways cannot
correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch
are unable to match HIP objects based on the endpoint serial
number because GlobalProtect gateways cannot identify the
serial numbers of these endpoints; these serial numbers do not
appear in the HIP report.

PAN-103336 (HA configurations only) When you downgrade a VM-Series
firewall on Azure from PAN-OS 9.0 to an earlier release, you
do not receive warnings. Do not downgrade your firewall
without saving and exporting your current configuration.
Workaround: Because HA is not supported in earlier versions
of VM-Series firewalls on Azure, to prevent the loss of your
configuration:
• Save and export the configuration before you downgrade.
• After you downgrade, load the saved configuration and
commit your changes. The firewall will resume operation
without the HA configuration.

PAN-103276 Adding a disk to a virtual appliance running Panorama 8.1
or a later release on VMware ESXi 6.5 update1 causes the
Panorama virtual appliance and host web client to become
unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and
add the disk again.

PAN-103018 (Panorama plugins) When you use the AND/OR boolean
operators to define the match criteria for Dynamic Address
Groups on Panorama, the boolean operators do not function
properly. The member IP addresses are not included in the
address group as expected.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping information
registered on a firewall or virtual system is not deleted when
you remove the firewall or virtual system from a Device
Group.
Workaround: Log in to the CLI on the firewall and enter
the following command to unregister the IP address-to-tag
mappings: debug object registered-ip clear all.

PAN-101537 After you configure and push address and address group
objects in Shared and vsys-specific device groups from
the Panorama management server to managed firewalls,
executing the show log <log-type> direction equal
<direction> <dst> | <src> in <object-name>
command on a managed firewall only returns address and
address group objects pushed from the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> | <src> in <object-name>

PAN-99483 (PA-5250, PA-5260, and PA-5280 firewalls only) When you
deploy the firewall in a network that uses Dynamic IP and
Port (DIPP) NAT translation with PPTP, client systems are
limited to using a translated IP address-and-port pair for only
one connection. This issue occurs because the PPTP protocol
uses a TCP signaling (control) protocol that exchanges data
using Generic Routing Encapsulation (GRE) version 1 and the
hardware cannot correlate the call-id in the GRE version 1
header with the correct dataplane (the one that owns the
predict session of GRE).

PAN-98803 If you configure the Panorama plugin to monitor virtual
machines or endpoints in your AWS, Azure, or Cisco ACI
environment without installing the NSX plugin, the IP-
address-to-tag mappings for Dynamic Address Groups are not
displayed on Panorama.
Workaround: Install the NSX plugin (you do not need to use
the NSX plugin for the installation to resolve this display issue).

PAN-98520 When booting or rebooting a PA-7000 Series Firewall with the
SMC-B installed, the BIOS console output displays attempts to
connect to the card's controller in the System Memory Speed
section. The messages can be ignored.

PAN-97757 GlobalProtect authentication fails with an Invalid
username/password error (because the user is not found
in Allow List) after you enable GlobalProtect authentication
cookies and add a RADIUS group to the Allow List of the
authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies.
Alternatively, disable (clear) Retrieve user group from RADIUS
in the authentication profile and configure group mapping
from Active Directory (AD) through LDAP.

PAN-97524 (Panorama management server only) The Security Zone and
Virtual System columns (Network tab) display None after a
Device Group and Template administrator with read-only
privileges performs a context switch.

PAN-96985 The request shutdown system command does not shut
down the Panorama management server.

PAN-96960 You cannot restart or shut down a Panorama on KVM from the
Virtual-manager console or virsh CLI.

PAN-96446 A firewall that is not included in a Collector Group fails to
generate a system log if logs are dropped when forwarded to a
Panorama management server that is running in Management
Only mode.

PAN-95773 On VM-Series firewalls that have Data Plane Development Kit
(DPDK) enabled and that use the i40e network interface card
(NIC), the show session info CLI command displays an
inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system
setting dpdk-pkt-io off CLI command.

PAN-95717 After 30,000 or more end users log in to the GlobalProtect
gateway within a two- to three-hour period, the firewall web
interface responds slowly, commits take longer than expected
or intermittently fail, and Tech Support File generation times
out and fails.

PAN-95602 In a deployment where a Log Collector connects to Panorama
management servers in a high availability (HA) configuration,
after you switch the Log Collector appliance to Panorama
mode, commit operations fail on the appliance.
Workaround: Remove the following node from
the running-config.xml file on the Log Collector
before switching it to Panorama mode:
devices/entry[@name='localhost.localdomain']/deviceconfig/system/panorama-server-2

PAN-95511 The name for an address object, address group, or an external
dynamic list must be unique. Duplicate names for these
objects can result in unexpected behavior when you reference
the object in a policy rule.

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8
and earlier releases, the firewall does not apply password
profile settings (Device > Password Profiles) until after you
upgrade to PAN-OS 8.0.9 or a later release and then only after
you modify the account passwords. (Administrator accounts
that you create in PAN-OS 8.0.9 or a later release do not
require you to change the passwords to apply password profile
settings.)

PAN-94966 After you delete disconnected and connected Terminal Server
(TS) agents in the same operation, the firewall still displays
the IP address-to-port-user mappings (show user ip-
port-user-mapping CLI command) for the disconnected TS
agents you deleted (Device > User Identification > Terminal
Services Agents).
Workaround: Do not delete both disconnected and connected
TS agents in the same operation.

PAN-94846 When DPDK is enabled on the VM-Series firewall with i40e
virtual function (VF) driver, the VF does not detect the link
status of the physical link. The VF link status remains up,
regardless of changes to the physical link state.

PAN-94093 HTTP Header Insertion does not work when jumbo frames are
received out of order.

PAN-93968 The firewall and Panorama web interfaces display vulnerability
threat IDs that are not available in PAN-OS 9.0 releases
(Objects > Security Profiles > Vulnerability Protection >
<profile> > Exceptions). To confirm whether a particular threat
ID is available in your release, monitor the release notes for
each new Applications and Threats content update or check
the Palo Alto Networks Threat Vault to see the minimum PAN-
OS release version for a threat signature.

PAN-93842 The logging status of a Panorama Log Collector deployed on
AWS or Azure displays as disconnected when you configure
the ethernet1/1 to ethernet1/5 interfaces for log collection
(Panorama > Managed Collectors > Interfaces). This results in
firewalls not sending logs to the Log Collector.
Workaround: Configure the management (MGT) interface for
log collection.

PAN-93607 When you configure a VM-500 firewall with an SCTP
Protection profile (Objects > Security Profiles > SCTP
Protection) and you try to add the profile to an existing
Security Profile Group (Objects > Security Profile Groups), the
Security Profile Group doesn’t list the SCTP Protection profile
in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select
the SCTP Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 9.0 as an
nCipher HSM client, the web interface on the firewall displays
the nCipher server status as Not Authenticated, even though
the HSM state is up (Device > Setup > HSM).

PAN-93193 The memory-optimized VM-50 Lite intermittently performs
slowly and stops processing traffic when memory utilization
is critically high. To prevent this issue, make sure that you do
not:
• Switch to the firewall Context on the Panorama
management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being
installed.
• Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see
a critical System log for memory utilization, wait for 5 minutes
and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing
memory intensive tasks such as installing dynamic updates,
committing changes or generating reports, at the same time,
on the firewall.

PAN-91802 On a VM-Series firewall, the clear session all CLI command
does not clear GTP sessions.

PAN-86903 In rare cases, PA-800 Series firewalls shut themselves down
due to a false over-current measurement.

PAN-84670 When you disable decryption for HTTPS traffic, end users who
don't have valid authentication timestamps can access HTTPS
services and applications regardless of Authentication policy.
Workaround: Create a Security policy rule that blocks HTTPS
traffic that is not decrypted.

PAN-84488 On PA-7000 Series and PA-5200 Series firewalls, client
systems can use a translated IP address-and-port pair for
only one connection even if you configure the Dynamic IP
and Port (DIPP) NAT Oversubscription Rate to allow multiple
connections (Device > Setup > Session > Session Settings >
NAT Oversubscription).

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100
network processor) that has session offload enabled (default)
incorrectly resets the UDP checksum of outgoing UDP
packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can
persistently disable session offload for only UDP traffic using
the set session udp-offload no CLI command.

PAN-83598 VM-Series firewalls cannot monitor more than 500 virtual
machine (VM) information sources (Device > VM Information
Sources).

PAN-83236 The VM-Series firewall on Google Compute Platform does not
publish firewall metrics to Google Stack Monitoring when you
manually configure a DNS server IP address (Device > Setup >
Services).
Workaround: The VM-Series firewall on Google Cloud
Platform must use the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work
when you import the ECDSA private keys onto an nCipher
nShield hardware security module (HSM).

PAN-81521 Endpoints fail to authenticate to GlobalProtect through
Kerberos when you specify an FQDN instead of an IP address
in the Kerberos server profile (Device > Server Profiles >
Kerberos).
Workaround: Replace the FQDN with the IP address in the
Kerberos server profile.

PAN-79423 Panorama cannot push address group objects from device
groups to managed firewalls when zones specify the objects in
the User Identification ACL include or exclude lists (Network >
Zones) and the Share Unused Address and Service Objects
with Devices option is disabled (Panorama > Setup >
Management > Panorama Settings).

PAN-77125 PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls
configured in tap mode don’t close offloaded sessions after
processing the associated traffic; the sessions remain open
until they time out.
Workaround: Configure the firewalls in virtual wire mode
instead of tap mode, or disable session offloading by running
the set session offload no CLI command.

PAN-75457 (PAN-OS 8.0.1 and later releases) In WildFire appliance
clusters that have three or more nodes, the Panorama
management server does not support changing node roles. In
a three-node cluster for example, you cannot use Panorama
to configure the worker node as a controller node by adding
the HA and cluster controller configurations, configure an
existing controller node as a worker node by removing the HA
configuration, and then commit and push the configuration.
Attempts to change cluster node roles from Panorama result
in a validation error—the commit fails and the cluster becomes
unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a
Data Filtering profile blocks files.

PAN-73401 (PAN-OS 8.0.1 and later releases) When you import a
two-node WildFire appliance cluster into the Panorama
management server, the controller nodes report their state as
out-of-sync if either of the following conditions exist:
• You did not configure a worker list to add at least one
worker node to the cluster. (In a two-node cluster, both
nodes are controller nodes configured as an HA pair.
Adding a worker node would make the cluster a three-node
cluster.)
• You did not configure a service advertisement (either by
enabling or not enabling advertising DNS service on the
controller nodes).
Workaround: There are three possible workarounds to sync
the controller nodes:
• After you import the two-node cluster into Panorama, push
the configuration from Panorama to the cluster. After the
push succeeds, Panorama reports that the controller nodes
are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker
node you are adding to the cluster.) This creates a three-
node cluster. After you import the cluster into Panorama,
Panorama reports that the controller nodes are in sync.
When you want the cluster to have only two nodes, use a
different workaround.
• Configure service advertisement on the local CLI of the
cluster controller and then import the configuration into
Panorama. The service advertisement can advertise that
DNS is or is not enabled.

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

or

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

Both commands result in Panorama reporting that the
controller nodes are in sync.

PAN-71329 Local users and user groups in the Shared location (all virtual
systems) are not available to be part of the user-to-application
mapping for GlobalProtect Clientless VPN applications
(Network > GlobalProtect > Portals > <portal> > Clientless
VPN > Applications).
Workaround: Create users and user groups in specific virtual
systems on firewalls that have multiple virtual systems. For
single virtual systems (like VM-Series firewalls), users and user
groups are created under Shared and are not configurable for
Clientless VPN applications.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are
enabled on the same IP address, then when a user logs out of
the GlobalProtect portal, the administrative user is also logged
out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web
interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When viewing an external dynamic list that requires client
authentication and you Test Source URL, the firewall fails to
indicate whether it can reach the external dynamic list server
and returns a URL access error (Objects > External Dynamic
Lists).

PAN-41558 When you use a firewall loopback interface as a GlobalProtect
gateway interface, traffic is not routed correctly for third-party
IPSec clients, such as strongSwan.
Workaround: Use a physical firewall interface instead of a
loopback firewall interface as the GlobalProtect gateway
interface for third-party IPSec clients. Alternatively, configure
the loopback interface that is used as the GlobalProtect
gateway to be in the same zone as the physical ingress
interface for third-party IPSec traffic.

PAN-40079 The VM-Series firewall on KVM, for all supported Linux
distributions, does not support the Broadcom network
adapters for PCI pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled
custom report on a Panorama M-Series appliance, the earliest
possible start date for the report data is effectively the date
when you configured the report (Monitor > Manage Custom
Reports). For example, if you configure the report on the
15th of the month and set the Time Frame to Last 30 Days,
the report that Panorama generates on the 16th will include
only data from the 15th onward. This issue applies only to
scheduled reports; on-demand reports include all data within
the specified Time Frame.
Workaround: To generate an on-demand report, click Run
Now when you configure the custom report.

PAN-38255 When you perform a factory reset on a Panorama virtual
appliance and configure the serial number, logging does
not work until you reboot Panorama or execute the debug
software restart process management-server CLI
command.

PAN-31832 The following issues apply when configuring a firewall to use a
hardware security module (HSM):
• nCipher nShield Connect—The firewall requires at least
four minutes to detect that an HSM was disconnected,
causing SSL functionality to be unavailable during the delay.
• SafeNet Network—When losing connectivity to either
or both HSMs in an HA configuration, the display of
information from the show high-availability
state and show hsm info commands is blocked for
20 seconds.

PAN-25046 Firewalls store SSH host keys used for SCP log exports in the
known hosts file. In an HA deployment, PAN-OS synchronizes
the SCP log export configuration between the firewall HA
peers (Device > Scheduled Log Export), but not the known
hosts file. When a failover occurs, the SCP log export fails.
Workaround: Log in to each peer in HA, select Device >
Scheduled Log Export > <log_export_configuration>, and Test
SCP server connection to confirm the host key so that SCP log
forwarding continues to work after a failover.

PAN-OS 9.0.1 Known Issues


The following list includes only outstanding known issues specific to the first PAN-OS® 9.0 maintenance
release—PAN-OS 9.0.1. This list includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins,
and WildFire®, as well as known issues that apply more generally or that are not identified by an issue ID.
For a complete list of existing and addressed known issues in all PAN-OS 9.0 releases, see the Known Issues
Related to PAN-OS 9.0.

Issue ID Description

— Upgrading Panorama with a local Log Collector and Dedicated
Log Collectors to PAN-OS 8.1 or a later PAN-OS release
can take up to six hours to complete due to significant
infrastructure changes. Ensure uninterrupted power to all
appliances throughout the upgrade process.

PAN-OS® RELEASE NOTES | PAN-OS 9.0 Release Information 189


© 2020 Palo Alto Networks, Inc.

— A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
• When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
• If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, the firewall defaults to the capacity associated with the VM-50. The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.

— A Panorama management server running PAN-OS 9.0 does not currently support management of appliances running WildFire 7.1 or earlier releases. Even though these management options are visible on the Panorama 9.0 web interface (Panorama > Managed WildFire Clusters and Panorama > Managed WildFire Appliances), making changes to these settings for appliances running WildFire 7.1 or an earlier release has no effect.

WF500-4200 The Create Date shown when using the show wildfire global sample-status sha256 equal <hash> or show wildfire global sample-analysis CLI command is two hours behind the actual time for WF-500 appliance samples.

PLUG-1827 (Microsoft Azure only) The firewall drops packets due to larger than expected packet sizes when Accelerated networking is enabled on the firewall (Settings > Networking). This issue is resolved after you upgrade to VM-Series plugin 1.0.3 and reboot the firewall.

PLUG-1709 (Microsoft Azure only) There is an intermittent issue where the secondary IP address becomes associated with the passive firewall after multiple failovers. This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Reassign IP addresses to the active and passive firewalls in Azure as needed.

PLUG-1694 (PAYG licenses only) Your pay-as-you-go (PAYG) license is not retained when you upgrade from a PAN-OS 8.1 release to a PAN-OS 9.0 release.
Workaround: Upgrade to VM-Series plugin 1.0.2 (or later) after you upgrade to a PAN-OS 9.0 release and then reboot the firewall to recover your PAYG license.

PLUG-1681 If you bootstrap a PAN-OS 9.0.1 image while using VM-Series plugin 1.0.0, the firewall will not apply the capacity license. To downgrade the VM-Series plugin from version 1.0.2 to 1.0.0, first bootstrap the PAN-OS 9.0.1 image and then downgrade the plugin.

PLUG-1642 After a high availability (HA) failover, the dataplane interface on a VM-Series firewall on Azure with Accelerated Networking (SR-IOV) becomes disabled when, as a result of the failover, the secondary IP address is detached from or attached to the firewall and moved to its HA peer. This issue is resolved with VM-Series plugin 1.0.2.

PLUG-1503 When a VM-Series firewall on AWS running on a C5 or M5 instance experiences a high availability (HA) failover, the dataplane interfaces from the previously active firewall are not moved to the newly active (previously passive) peer. This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Check for the latest VM-Series plugin version and install the VM-Series plugin 9.0.0 version; the built-in version is 9.0.0-c29.

PLUG-1074 On the VM-Series firewall on AWS, when you change the instance type, the firewall no longer has a serial number or a license. Additionally, if you manage this firewall using Panorama, it is no longer connected to Panorama.

PLUG-380 When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.

PAN-131915 There is an issue when you implement a new firewall bootstrap with a USB drive where the bootstrap fails and displays the following error message: no USB device found.
Workaround: Perform a factory reset or run the request system private-data-reset CLI command and then proceed with bootstrapping.

PAN-131792 The Name log filter (Monitor > Logs > Traffic) is not maintained when viewing the Log Viewer for a Security policy rule (Policies > Security) from the drop-down menu. This issue is now resolved. See PAN-OS 9.0.9 Addressed Issues.


PAN-130069 There is an issue where the firewall incorrectly interprets an external dynamic list MineMeld instability error code as an empty external dynamic list.

PAN-126921 (PA-7000 Series firewalls only) There is an issue where internal path monitoring fails when the firewall processes corrupt packets.

PAN-125775 There is an issue where Panorama management servers deployed using the C5 or M5 instance types on Amazon Web Services (AWS) cause the Panorama instance to stop responding in regions that support these instance types.

PAN-125121 (VM-Series firewalls only) There is an issue where custom images do not function as expected for PAN-OS 9.0.
Workaround: Use PAN-OS 8.1 for creating custom images.

PAN-124956 There is an issue where VM-Series firewalls do not support packet buffer protection.

PAN-120662 (PA-7000 Series firewalls using PA-7000-20G-NPC cards only) There is an intermittent issue where an out-of-memory (OOM) condition causes dataplane or internal path monitoring to stop responding.

PAN-120440 There is an issue on M-500 Panorama management servers where an Ethernet interface with an IPv6 address that provides private PAN-DB-URL connectivity supports only the following address format: 2001:DB9:85A3:0:0:8A2E:370:2.
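The PAN-120440 note gives 2001:DB9:85A3:0:0:8A2E:370:2 as the only accepted form. As an added example that is not part of the release notes or of any Palo Alto Networks tooling, the following Python rewrites any valid IPv6 address into that form and checks whether a configured address already conforms; it assumes the supported format means all eight groups written explicitly (no :: compression), leading zeros dropped within each group, and uppercase hex, which is inferred only from the page's single example.

```python
import ipaddress
from typing import Dict, Iterable, Optional

# Format assumed from the page's one example, 2001:DB9:85A3:0:0:8A2E:370:2:
# eight explicit groups, no "::" zero compression, no leading zeros, uppercase.


def to_pandb_ipv6_format(addr: str) -> str:
    """Rewrite a valid IPv6 address into the assumed PAN-DB-URL form.

    Raises ValueError (from the ipaddress module) if `addr` is not a valid
    IPv6 address, so a typo is reported rather than silently rewritten.
    """
    ip = ipaddress.IPv6Address(addr)
    # .exploded yields eight zero-padded groups, e.g. 2001:0db9:85a3:0000:...
    groups = ip.exploded.split(":")
    # Drop leading zeros per group but keep a single "0" for all-zero groups.
    return ":".join(g.lstrip("0") or "0" for g in groups).upper()


def is_pandb_ipv6_format(addr: str) -> bool:
    """True only if `addr` is a valid IPv6 address already written in the assumed form."""
    try:
        return addr == to_pandb_ipv6_format(addr)
    except ValueError:
        return False


def check_interface_addresses(addrs: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each configured address to its normalized form, or None if it is not valid IPv6.

    Useful for reviewing a list of interface addresses before a commit: any
    entry whose value differs from its key would not match the supported form.
    """
    result: Dict[str, Optional[str]] = {}
    for a in addrs:
        try:
            result[a] = to_pandb_ipv6_format(a)
        except ValueError:
            result[a] = None
    return result


if __name__ == "__main__":
    # Constructed sample input: a compressed address, an already-conforming one, and a typo.
    for addr, norm in check_interface_addresses(
        ["2001:db9:85a3::8a2e:370:2", "2001:DB9:85A3:0:0:8A2E:370:2", "2001:db9::zz"]
    ).items():
        print(f"{addr:32} -> {norm}")
```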

PAN-120303 There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even after you configure the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the following methods.
• Modify the PAN-DB Server IP address on the managed firewall.
1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
2. Commit your changes.
3. Add the new M-500 Eth1/1 IP address as the PAN-DB Server IP address.
4. Commit your changes.
• Restart the firewall device server (devsrvr) process.
1. Log in to the firewall CLI.
2. Restart the devsrvr process: debug software restart process device-server


PAN-118628 There is an issue where, after you deploy Panorama in Azure, you cannot log in to Panorama with the username and password that was provided during the deployment process.

PAN-118525 (PA-5250, PA-5260, PA-5280, and PA-7000 Series firewalls only) There is an issue where the QSFP28 port does not come up with the TR-FC13L-N00 version of the PAN-QSFP28-100GBASE-LR4 optical transceiver on firewalls running a PAN-OS 9.0 release. For assistance, please contact Support.

PAN-118108 There is an issue where an API call against a Panorama management server that triggers the request analyze-shared-policy command causes Panorama to reboot after the command executes.

PAN-118065 (M-Series Panorama management servers in Management Only mode) When you delete the local Log Collector (Panorama > Managed Collectors), it disables the 1/1 ethernet interface in the Panorama configuration as expected, but the interface still displays as Up when you execute the show interface all command in the CLI after you commit.
Workaround: Disable the 1/1 ethernet interface before you delete the local log collector and then commit the configuration change.

PAN-117043 There is an issue on the Panorama management server and all supported firewalls where special characters in the tag names of Security policy rules return the following error message when you commit or push a configuration: group-tag is invalid.
Workaround: Modify the tags and group tags (Objects > Tags) to exclude special characters.

PAN-116436 (Panorama virtual appliances only) There is a disk space calculation error that eventually leads to an erroneous opt/panlogs/ partition full condition and causes a process (CDB) to stop responding.

PAN-116084 VM-Series firewalls on Microsoft Azure deployed using MMAP drop traffic when the firewall experiences heavy traffic.

PAN-116069 (PA-200 firewalls only) There is a rare out-of-memory (OOM) condition.

PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add the DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.


PAN-115816 (Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.

PAN-115733 (PAN-OS firewalls in an HA configuration only) There is a rare issue where data interfaces do not come up after you reboot the firewall when running a C5 or M5 instance type in AWS.
Workaround: Reboot the firewall.

PAN-114495 Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.

PAN-113501 The Panorama management server returns a Secure Copy (SCP) server connection error after you create an SCP Scheduled Config Export profile (Panorama > Scheduled Config Export) due to the SCP server password exceeding 15 characters in length.

PAN-113117 A newly launched firewall does not get its configuration from
Panorama when it first connects if you installed the VM-Series
plugin on Panorama. When a newly launched firewall that is
bootstrapped connects to Panorama, a process restart occurs
on Panorama. Upon restart, you are logged out of the user
interface and you need to log in and push the device group
and template configuration to the newly connected firewall.

PAN-113098 In the firewall web interface, you can temporarily submit change requests for the following URL categories: insufficient-content, high-risk, medium-risk, low-risk, and newly-registered-domains. However, Palo Alto Networks does not support or process change requests for these categories.

PAN-112983 (Firewalls with multiple virtual systems only; no impact to Panorama) If you select any Location other than Shared when you generate or import a new CA Certificate in a Certificate Profile (Device > Certificate Management > Certificate Profile), the firewall adds the newly generated or imported certificate to vsys1. For example, if you specify vsys3 as the Location, Add a CA Certificate, and then Generate a new certificate, the firewall adds the certificate to vsys1 instead of vsys3. When you click OK to configure the Certificate Profile, the firewall returns an Operation Failed error message because it sees a certificate for vsys1 added to vsys3.
Workaround 1:
1. Generate or import the new certificate in a Certificate Profile (Device > Certificate Management > Certificates > Device Certificates) and select the appropriate vsys Location when you generate or import the certificate.
2. When you create or edit the Certificate Profile, specify the vsys Location and Add the certificate that you generated (or imported) from the list of existing certificates.
Workaround 2: When you generate or import a new certificate while you configure a Certificate Profile for a vsys other than vsys1, specify the Location as Shared.

PAN-112814 H.323-based calls lose audio when the predicted H.245 session cannot convert to Active status, which causes the firewall to incorrectly drop H.245 traffic.

PAN-112699 (VM-Series firewall on AWS running on a C5 or M5 instance only) You cannot use the mgmt-interface-swap command to swap the interfaces for deploying a VM-Series firewall behind a web load balancer (such as AWS ALB or Classic ELB).
Workaround: Check for the latest VM-Series plugin version and install the VM-Series plugin 9.0.0 version; the built-in version is 9.0.0-c29.

PAN-112694 (Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.

PAN-112626 When you upgrade to PAN-OS 9.0 with a PAYG Bundle 2 license, the new DNS Security subscription is not available on your VM-Series firewall.
This subscription is included with the BYOL and VM-Series ELA when you upgrade.

PAN-112562 The Log Forwarding Card (LFC) subinterface incorrectly uses the interface IP address instead of the subinterface IP address for all services that forward logs (such as syslog, email, and SNMP) for selected virtual systems.

PAN-112456 You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories, so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.

PAN-112340 If you enable URL Filtering without enabling Threat Prevention and your environment processes a large number (thousands) of URL look-ups per second per dataplane, you are likely to experience performance issues, including high CPU usage.

PAN-111928 Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.

PAN-111866 The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
• Manually select the devices that belong to the modified device group and template configurations.

PAN-111729 If you disable DPDK mode and enable it again, you must
immediately reboot the firewall.

PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV adapter.

PAN-111553 On the Panorama management server, the Include Device and Network Templates setting is disabled by default when you attempt to push changes to managed devices, which causes your push to fail.
Workaround: Before you commit and push the configuration changes from Panorama to your managed devices, edit the push scope (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections) to Include Device and Network Templates.

PAN-111251 Using the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule has no effect.

PAN-110794 DGA-based threats shown in the firewall threat log display the
same name for all such instances.

PAN-110603 In some cases, when a port on a PA-7000 Series 100Gbps Network Processor Card (NPC) has an SFP+ transceiver inserted but no cable is connected, the system detects a signal and attempts to tune and link with that port. As a result, if the device at the other end of the connection is rebooted or has an HA failover event, the link is sometimes held down for an extended period of time while the interface attempts to tune itself.
Workaround: Connect a cable to the installed SFP+ transceiver to allow the system to tune and link. Then, when you disconnect the cable, the system will correctly detect that the link is down. Alternatively, remove the SFP+ transceiver from the port.

PAN-109526 The system log does not correctly display the URL for CRL
files; instead, the URLs are displayed with encoded characters.

PAN-106989 There is a display-only issue on Panorama that results in a commit failed status for Template Last Commit State (Panorama > Managed Devices > Summary).
Workaround: Push templates to managed devices.

PAN-106675 After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround: Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.

PAN-105210 (Panorama in FIPS mode only when managing non-FIPS firewalls) You cannot configure a GlobalProtect portal on Panorama in FIPS mode when managing a non-FIPS firewall. If you attempt to do so, you will receive the following error message: agent-user-override-key unexpected here Portal_fips.

PAN-104808 There is an issue where scheduled SaaS reports generate and email empty PDF reports.
Workaround: Manually generate the report from the Panorama web interface.

PAN-104780 If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints. Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.

PAN-103336 (HA configurations only) When you downgrade a VM-Series firewall on Azure from PAN-OS 9.0 to an earlier release, you do not receive warnings. Do not downgrade your firewall without saving and exporting your current configuration.
Workaround: Because HA is not supported in earlier versions of VM-Series firewalls on Azure, to prevent the loss of your configuration:
• Save and export the configuration before you downgrade.
• After you downgrade, load the saved configuration and commit your changes. The firewall will resume operation without the HA configuration.

PAN-103276 Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.

PAN-103018 (Panorama plugins) When you use the AND/OR boolean operators to define the match criteria for Dynamic Address Groups on Panorama, the boolean operators do not function properly. The member IP addresses are not included in the address group as expected.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all.

PAN-101537 After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall returns only address and address group objects pushed from the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> | <src> in <object-name>

PAN-99483 (PA-5250, PA-5260, and PA-5280 firewalls only) When you deploy the firewall in a network that uses Dynamic IP and Port (DIPP) NAT translation with PPTP, client systems are limited to using a translated IP address-and-port pair for only one connection. This issue occurs because the PPTP protocol uses a TCP signaling (control) protocol that exchanges data using Generic Routing Encapsulation (GRE) version 1 and the hardware cannot correlate the call-id in the GRE version 1 header with the correct dataplane (the one that owns the predict session of GRE).

PAN-98803 If you configure the Panorama plugin to monitor virtual machines or endpoints in your AWS, Azure, or Cisco ACI environment without installing the NSX plugin, the IP-address-to-tag mappings for Dynamic Address Groups are not displayed on Panorama.
Workaround: Install the NSX plugin (you do not need to use the NSX plugin for the installation to resolve this display issue).

PAN-98520 When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.

PAN-97757 GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.

PAN-97524 (Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.

PAN-96985 The request shutdown system command does not shut down the Panorama management server.

PAN-96960 You cannot restart or shut down a Panorama on KVM from the Virtual-manager console or the virsh CLI.

PAN-96446 A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.

PAN-95773 On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.

PAN-95717 After 30,000 or more end users log in to the GlobalProtect gateway within a two- to three-hour period, the firewall web interface responds slowly, commits take longer than expected or intermittently fail, and Tech Support File generation times out and fails.

PAN-95602 In a deployment where a Log Collector connects to Panorama management servers in a high availability (HA) configuration, after you switch the Log Collector appliance to Panorama mode, commit operations fail on the appliance.
Workaround: Remove the following node from the running-config.xml file on the Log Collector before switching it to Panorama mode: devices/entry[@name='localhost.localdomain']/deviceconfig/system/panorama-server-2
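The PAN-95602 workaround removes one node from the Log Collector's running-config.xml. As an added example that is not part of the release notes or of any Palo Alto Networks tooling, the following Python removes exactly that node from a constructed, minimal stand-in for the exported configuration and reports whether the node was found, so the edit can be verified before the file is put back; the sample XML layout is an assumption built only from the node path the note gives.

```python
import xml.etree.ElementTree as ET
from typing import Tuple

# Node the PAN-95602 workaround tells you to remove before switching the
# Log Collector to Panorama mode (path quoted from the release note).
NODE_PATH = "devices/entry[@name='localhost.localdomain']/deviceconfig/system/panorama-server-2"

# Constructed, minimal stand-in for an exported running-config.xml. Only the
# elements on NODE_PATH are assumed; a real export contains far more than this.
SAMPLE_CONFIG = """<config version="9.0.0">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <hostname>log-collector-1</hostname>
          <panorama-server>192.0.2.10</panorama-server>
          <panorama-server-2>192.0.2.11</panorama-server-2>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""


def has_node(xml_text: str, path: str = NODE_PATH) -> bool:
    """Return True if at least one element matches `path` under the <config> root."""
    return ET.fromstring(xml_text).find(path) is not None


def remove_node(xml_text: str, path: str = NODE_PATH) -> Tuple[str, int]:
    """Remove every element matching `path` and return (new_xml, removed_count).

    ElementTree can locate an element but not its parent, so the path is split
    into the parent path and the leaf tag, and the leaf is removed from each
    matching parent. A count of 0 means the node was already absent, which is
    worth knowing before you switch modes expecting the commit failure to be gone.
    """
    root = ET.fromstring(xml_text)
    parent_path, _, leaf = path.rpartition("/")
    removed = 0
    for parent in root.findall(parent_path):
        for child in parent.findall(leaf):
            parent.remove(child)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    cleaned, count = remove_node(SAMPLE_CONFIG)
    print(f"removed {count} node(s); panorama-server-2 still present: {has_node(cleaned)}")
    print(cleaned)
```

On a real export, read the file into xml_text, write the returned string back to running-config.xml, and confirm the count is 1 before switching the appliance to Panorama mode.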

PAN-95511 The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)

PAN-94966 After you delete disconnected and connected Terminal Server (TS) agents in the same operation, the firewall still displays the IP address-to-port-user mappings (show user ip-port-user-mapping CLI command) for the disconnected TS agents you deleted (Device > User Identification > Terminal Services Agents).
Workaround: Do not delete both disconnected and connected TS agents in the same operation.

PAN-94846 When DPDK is enabled on the VM-Series firewall with the i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.

PAN-94093 HTTP Header Insertion does not work when jumbo frames are
received out of order.

PAN-93968 The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.

PAN-93842 The logging status of a Panorama Log Collector deployed on AWS or Azure displays as disconnected when you configure the ethernet1/1 to ethernet1/5 interfaces for log collection (Panorama > Managed Collectors > Interfaces). This results in firewalls not sending logs to the Log Collector.
Workaround: Configure the management (MGT) interface for log collection.

PAN-93607 When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).

PAN-93193 The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
• Switch to the firewall Context on the Panorama management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being installed.
• Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory-intensive tasks, such as installing dynamic updates, committing changes, or generating reports, at the same time on the firewall.

PAN-91802 On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.

PAN-86903 In rare cases, PA-800 Series firewalls shut themselves down due to a false over-current measurement.

PAN-84670 When you disable decryption for HTTPS traffic, end users who
don't have valid authentication timestamps can access HTTPS
services and applications regardless of Authentication policy.
Workaround: Create a Security policy rule that blocks HTTPS
traffic that is not decrypted.

PAN-84488 On PA-7000 Series and PA-5200 Series firewalls, client systems can use a translated IP address-and-port pair for only one connection even if you configure the Dynamic IP and Port (DIPP) NAT Oversubscription Rate to allow multiple connections (Device > Setup > Session > Session Settings > NAT Oversubscription).

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.

PAN-83598 VM-Series firewalls cannot monitor more than 500 virtual machine (VM) information sources (Device > VM Information Sources).

PAN-83236 The VM-Series firewall on Google Compute Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).

PAN-81521 Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.

PAN-79423 Panorama cannot push address group objects from device groups to managed firewalls when zones specify the objects in the User Identification ACL include or exclude lists (Network > Zones) and the Share Unused Address and Service Objects with Devices option is disabled (Panorama > Setup > Management > Panorama Settings).

PAN-77125 PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.

PAN-75457 (PAN-OS 8.0.1 and later releases) In WildFire appliance
clusters that have three or more nodes, the Panorama
management server does not support changing node roles. In
a three-node cluster, for example, you cannot use Panorama
to configure the worker node as a controller node by adding
the HA and cluster controller configurations, configure an
existing controller node as a worker node by removing the HA
configuration, and then commit and push the configuration.
Attempts to change cluster node roles from Panorama result
in a validation error—the commit fails and the cluster becomes
unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a
Data Filtering profile blocks files.

PAN-73401 (PAN-OS 8.0.1 and later releases) When you import a
two-node WildFire appliance cluster into the Panorama
management server, the controller nodes report their state as
out-of-sync if either of the following conditions exists:
• You did not configure a worker list to add at least one
worker node to the cluster. (In a two-node cluster, both
nodes are controller nodes configured as an HA pair.
Adding a worker node would make the cluster a three-node
cluster.)
• You did not configure a service advertisement (either by
enabling or not enabling advertising DNS service on the
controller nodes).
Workaround: There are three possible workarounds to sync
the controller nodes:
• After you import the two-node cluster into Panorama, push
the configuration from Panorama to the cluster. After the
push succeeds, Panorama reports that the controller nodes
are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker
node you are adding to the cluster.) This creates a three-node
cluster. After you import the cluster into Panorama,
Panorama reports that the controller nodes are in sync.
When you want the cluster to have only two nodes, use a
different workaround.
• Configure service advertisement on the local CLI of the
cluster controller and then import the configuration into
Panorama. The service advertisement can advertise that
DNS is or is not enabled.

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

or

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

Both commands result in Panorama reporting that the
controller nodes are in sync.

PAN-71329 Local users and user groups in the Shared location (all virtual
systems) are not available to be part of the user-to-application
mapping for GlobalProtect Clientless VPN applications
(Network > GlobalProtect > Portals > <portal> > Clientless
VPN > Applications).
Workaround: Create users and user groups in specific virtual
systems on firewalls that have multiple virtual systems. For
single virtual systems (like VM-Series firewalls), users and user
groups are created under Shared and are not configurable for
Clientless VPN applications.


PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are
enabled on the same IP address, then when a user logs out of
the GlobalProtect portal, the administrative user is also logged
out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web
interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When viewing an external dynamic list that requires client
authentication and you Test Source URL, the firewall fails to
indicate whether it can reach the external dynamic list server
and returns a URL access error (Objects > External Dynamic
Lists).

PAN-41558 When you use a firewall loopback interface as a GlobalProtect
gateway interface, traffic is not routed correctly for third-party
IPSec clients, such as strongSwan.
Workaround: Use a physical firewall interface instead of a
loopback firewall interface as the GlobalProtect gateway
interface for third-party IPSec clients. Alternatively, configure
the loopback interface that is used as the GlobalProtect
gateway to be in the same zone as the physical ingress
interface for third-party IPSec traffic.

PAN-40079 The VM-Series firewall on KVM, for all supported Linux
distributions, does not support the Broadcom network
adapters for PCI pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled
custom report on a Panorama M-Series appliance, the earliest
possible start date for the report data is effectively the date
when you configured the report (Monitor > Manage Custom
Reports). For example, if you configure the report on the
15th of the month and set the Time Frame to Last 30 Days,
the report that Panorama generates on the 16th will include
only data from the 15th onward. This issue applies only to
scheduled reports; on-demand reports include all data within
the specified Time Frame.
Workaround: To generate an on-demand report, click Run
Now when you configure the custom report.

PAN-38255 When you perform a factory reset on a Panorama virtual
appliance and configure the serial number, logging does
not work until you reboot Panorama or execute the debug
software restart process management-server CLI
command.

PAN-31832 The following issues apply when configuring a firewall to use a
hardware security module (HSM):
• nCipher nShield Connect—The firewall requires at least
four minutes to detect that an HSM was disconnected,
causing SSL functionality to be unavailable during the delay.
• SafeNet Network—When losing connectivity to either
or both HSMs in an HA configuration, the display of
information from the show high-availability
state and show hsm info commands is blocked for
20 seconds.

PAN-25046 Firewalls store SSH host keys used for SCP log exports in the
known hosts file. In an HA deployment, PAN-OS synchronizes
the SCP log export configuration between the firewall HA
peers (Device > Scheduled Log Export), but not the known
host file. When a failover occurs, the SCP log export fails.
Workaround: Log in to each peer in HA, select Device >
Scheduled Log Export > <log_export_configuration>, and Test
SCP server connection to confirm the host key so that SCP log
forwarding continues to work after a failover.

Known Issues Specific to the WildFire Appliance

Beginning with the PAN-OS 9.0.1 release, known issues specific to WildFire® 9.0 releases running on the
WF-500 appliance are included with the Known Issues Related to PAN-OS 9.0.

PAN-OS 9.0 Addressed Issues
Review the issues that were addressed in each maintenance release of the PAN-OS® 9.0
release.
For new features, associated software versions, known issues, and changes in default behavior
in the PAN-OS 9.0 release, see the PAN-OS 9.0 Release Information.

> PAN-OS 9.0.10 Addressed Issues
> PAN-OS 9.0.9-h1 Addressed Issues
> PAN-OS 9.0.9 Addressed Issues
> PAN-OS 9.0.8 Addressed Issues
> PAN-OS 9.0.7 Addressed Issues
> PAN-OS 9.0.6 Addressed Issues
> PAN-OS 9.0.5-h3 Addressed Issues
> PAN-OS 9.0.5 Addressed Issues
> PAN-OS 9.0.4 Addressed Issues
> PAN-OS 9.0.3-h3 Addressed Issues
> PAN-OS 9.0.3-h2 Addressed Issues
> PAN-OS 9.0.3 Addressed Issues
> PAN-OS 9.0.2-h4 Addressed Issues
> PAN-OS 9.0.2 Addressed Issues
> PAN-OS 9.0.1 Addressed Issues
> PAN-OS 9.0.0 Addressed Issues

PAN-OS 9.0.10 Addressed Issues
Issue ID Description

PAN-152699 Fixed an issue where the firewall added a redundant 0\r\n packet while
processing Clientless VPN traffic.

PAN-151197 Fixed an issue where a process (authd) restarted when an administrator
authenticated to the firewall with an Active Directory (AD) account. This
issue occurred when LDAP was configured with FQDN, used DHCP instead
of a static management IP address, and used the management interface to
connect to the LDAP server.

PAN-150172 Fixed an issue where dataplane processes restarted when attempting to
access websites that had the NotBefore attribute less than or equal to Unix
Epoch Time in the server certificate with forward proxy enabled.

PAN-149839 (PA-7000 Series firewalls only) Added CLI commands to enable/disable
resource-control groups and CLI commands to set an upper memory limit of
8G on a process (mgmtsrvr). To enable resource-control groups, use debug
software resource-control enable and to disable them, use debug
software resource-control disable. To set the memory limit, use
debug management-server limit-memory enable, and to remove
the limit, use debug management-server limit-memory disable. For
the memory limit change to take effect, the firewall must be rebooted.

PAN-149813 Fixed an issue where the reply to an XML API call from Panorama was in a
different format after upgrading to PAN-OS 8.1.14-h1 and later releases,
which caused automated systems to fail the API call.

PAN-149325 Fixed an issue on Panorama where the web interface took more time than
expected to load changes when the virtual router was large or when there
was a large configuration change request from the web interface.

PAN-149005 Fixed an issue where XML API failed to fetch logs larger than 10MB.

PAN-148676 Fixed an issue where the panlogs directory reached 100% utilization on the
firewall due to early calculation of the .size file.

PAN-148522 Fixed an issue for PAN-DB where certain situations caused performance
issues.

PAN-147996 (PA-7000b Series firewalls only) Fixed a buffer overflow issue.

PAN-147424 Fixed an issue with internal buffer and file sizes where logs were discarded
due to slow log purging when the incoming log rate was high.

PAN-147399 Fixed an issue where Panorama in Legacy mode rebooted due to multiple
process (reportd) restarts.


PAN-147258 Fixed an issue with one-way audio for inbound voice calls due to incorrect
source port translation.

PAN-147203 Fixed an issue where API calls did not return the output for the operational
command for running configurations.

PAN-146624 Fixed an issue where exporting logs from the web interface did not generate a
system log entry.

PAN-145942 After upgrading to certain PAN-OS 8.1 and 9.0 versions, for certain
configurations using dynamic routing without graceful restart and with
Bidirectional Forwarding Detection (BFD) enabled, there was a longer traffic
hit after a high availability (HA) failover compared to previous versions. This
was due to BFD incorrectly timing admin-down messages for the failover
event.

PAN-145929 Fixed an issue where, after upgrading the passive firewall, the stream control
transmission protocol (SCTP) sessions synced from the active firewall did not
retain the rule information, and, after failover, SCTP stateful inspection did
not work.

PAN-145507 Fixed an issue on the firewalls where traffic originating from a GlobalProtect
user did not match host information profile (HIP) based Security policies using
the cached HIP report. Instead, the traffic was denied until the GlobalProtect
agent submitted a new HIP report about 20 seconds later.

PAN-145422 Fixed an issue where a process (all_pktproc) restarted while processing SSL
VPN sessions.

PAN-145305 Fixed an issue where an inconsistent PAN-DB cloud connection caused the
firewall to negotiate the incorrect version and decode the cloud responses
with the incorrect format.

PAN-145302 Fixed an issue where the HA peer device did not preserve its import
configuration when the mode was active/active and VR sync was disabled.

PAN-145142 Fixed an issue where Panorama running 9.0.8 allowed a user with the admin
role Device Group and Template to create templates and template stacks.

PAN-145041 Fixed an issue on the firewalls where a process (all_task) stopped responding.

PAN-144804 Fixed an issue where the firewall generated GPRS tunneling protocol
(GTP) logs for invalid GTP packets. This fix also implements a counter,
flow_gtp_invalid_ver, where the invalid packets are counted.

PAN-144670 Fixed an issue where the multi-factor authentication (MFA) timestamp was
not redistributed across the virtual system (vsys) when the IP address-to-user
mapping type was UIA.


PAN-144613 Fixed an issue where, when previewing device group configurations from
Panorama, the following error message was returned: Parameter device
group missing.

PAN-144492 Fixed an issue where traffic matched an incorrect URL filtering profile due to
a similarity in the MD5 hashes between the URL filtering profiles.

PAN-144232 Fixed an issue where, when any change was made to an authentication
profile, the LDAP server or local user database in a shared context removed
the user group mapping information from the firewall.

PAN-143686 Fixed an issue where a firewall running in FIPS mode was unable to download
the GlobalProtect datafile even when a GlobalProtect license was installed
and valid.

PAN-143644 Fixed an issue in multi-vsys firewalls where traffic did not match an FQDN
address group based policy.

PAN-143493 Fixed a memory issue associated with a process (mgmtsrvr) due to a large
number of ACK packets in logs on Panorama or the log collector.

PAN-143442 Fixed an issue where Amazon Web Services (AWS) Nitro System based VM-
Series firewalls unexpectedly rebooted due to input/output (I/O) errors
caused by improper NVMe I/O timeout settings.

PAN-142927 Fixed an issue where the locked users list grew too large, which caused 100%
CPU usage on a process (authd). With this fix, locked users will be purged
hourly if the lockout time for that user has expired.

PAN-142853 Fixed an issue on Panorama where commits failed, referring to a portion of
the configuration that was not changed.

PAN-142674 Fixed an issue where a process (brdagent) failed in an HA configuration using
High Speed Chassis Interconnect (HSCI) ports due to a memory leak.

PAN-142363 Fixed an issue where a process (*mprelay*) stopped responding and invoked
an out-of-memory (OOM) killer condition and displayed the following error
messages: `tcam full` and `pan_plfm_fe_cp_arp_delete`.

PAN-142302 Fixed an issue where the firewalls faced connection issues with Cortex Data
Lake.

PAN-142089 Fixed an internal logging issue for a daemon (authd).

PAN-141844 Fixed an issue where promiscuous VLAN mode did not work with the
new host drivers being used on the ESXi and single-root input/output
virtualization (SR-IOV) with VLAN tagging did not work as expected. Both
Data Plane Development Kit and packet mmap mode did not work.

PAN-141239 Fixed an issue where dataplane free memory was depleted, which affected
new GlobalProtect connections to the firewall.


PAN-141221 Fixed an issue where a commit or content update operation with an error was
not prevented from executing in the dataplane, which caused corruption in
the dataplane policy cache.

PAN-141099 Fixed an issue where the HTTP/2 stream method was no longer valid after
overloading the same pointer to point to either the HTTP/2 stream or the
proxy flow.

PAN-140982 (PA-7000 Series firewalls only) Fixed an issue where a process (mprelay) on
the control plane was restarted due to an internal heartbeat miss.

PAN-140747 Fixed an issue where the firewall failed to establish SFTP firewall-server
connections when SSH decryption was enabled.

PAN-140389 Fixed an issue on Panorama in Legacy mode where configuring Network File
System (NFS) log storage (Device > Setup > Operations) caused all plugin
installations to fail.

PAN-140375 Fixed an issue where a process (logrcvr) exited due to a race condition.

PAN-139365 (PA-7000 Series firewalls only) Enhanced latency-sensitive protocols
processing. With this fix, the following latency-sensitive control traffic will be
prioritized: BGP, BFD, LACP, OSPF, OSPFv3, Protocol Independent Multicast
(PIM), and Internet Group Management Protocol (IGMP).

PAN-139264 Fixed an issue where the Elasticsearch cluster status displayed in yellow due
to a missing replica serial number.

PAN-139172 Fixed an issue where response pages generated from the firewall used the
SMAC and DMAC addresses from the original packet, which caused a MAC
flap on connected switches.

PAN-138584 Fixed an issue that prevented the addition of a secondary logging disk for a
VM-Series firewall deployed on AWS using Nitro server instance types.

PAN-138037 Fixed an issue where the host information profile (HIP) match message was
automatically enabled when modifying the GlobalProtect Agent settings.

PAN-138034 Fixed an issue where virtual machine (VM) information source Dynamic
Address Groups overrode static address groups, which caused traffic to hit
the wrong Security policy rule.

PAN-137885 (VM-Series firewalls in Microsoft Azure environment only) Fixed an issue
where a firewall with accelerated networking enabled was unable to process
packets efficiently because of underlying Microsoft drivers. To leverage this
fix, you must upgrade to VM-Series Plugin 1.0.12.

PAN-137656 Fixed an issue where the show config diff CLI command did not work
correctly and produced unexpected output.


PAN-136957 Fixed an issue where access was denied if a password contained more than
63 characters.

PAN-136950 Fixed an issue where, on a firewall managed by Panorama, the XML API based
IP tags were lost after a firewall reboot or process (useridd) restart.

PAN-136844 Fixed an issue for S11 traffic where if the Modify Bearer Request message
came after 30 seconds of Create Session Response message, the firewall
dropped the Modify Bearer Request packet. This fix increases this time to 90
seconds.

PAN-136726 Fixed an issue on the firewall where the dataplane pan-task process
(all_pktproc) stopped responding while inspecting Server Message Block
(SMB) traffic.

PAN-136623 Fixed an issue where a process (useridd) failed due to internal user groups
that were loading from the disk taking over the lock.

PAN-136304 Fixed an issue where clientless VPN rewrite failed due to incorrect parsing of
the HTML webpage.

PAN-135946 Fixed an intermittent issue where Panorama was unable to query logs from
the log collector due to large file sizes in es_cache_cron.log.

PAN-135547 Fixed an issue on Panorama where administrators were unable to delete a
shared address object even when it was not referenced in the configuration.

PAN-135418 Fixed an issue on the firewall where configuring uppercase User Domain
values in authentication profiles led to a failure in GlobalProtect Agent
configuration selection based on the domain user match condition.

PAN-135356 Fixed an issue where policies that contained objects did not display correctly
when exported to CSV or PDF format.

PAN-135354 Fixed an issue where the paths between the control plane and the dataplanes
in network processing cards (NPCs) stalled in the dataplane-to-control plane
direction due to the Ring Descriptor entries becoming out of sync on each
side. This produced unrecoverable data path monitoring failures, which
caused the chassis to become nonfunctional.

PAN-135321 Fixed an issue where all NAT rules using the same FQDN entries as translated
IP addresses were not updated when the IP addresses changed for those
FQDNs.

PAN-135158 Fixed an issue where setting an IPv6 destination filter for the packet-diag
option returned an error regarding a character limit.

PAN-135134 Fixed an issue where using a session_proxy() without checking that it
actually is a proxy led to a dataplane process restart.


PAN-134981 Fixed an issue with a memory leak in a process (user-id) due to failed LDAP
over SSL (LDAPS) requests.

PAN-134810 Fixed an issue where Resolve (Objects > Addresses > <Name>) in the
web interface did not work for FQDN address objects with more than 63
characters.

PAN-134799 Fixed an issue where packets of the same session were forwarded through a
different member of an Aggregate Ethernet (AE) group once the session was
offloaded.

PAN-134714 Fixed an issue where Safe Search was not enabled after an application
change.

PAN-134624 (VM-Series firewalls only) Fixed an issue where the VLAN interface failed to
obtain the MAC address when the interface was used as a DHCP relay agent.

PAN-134488 Fixed an issue where a process (all_pktproc) restarted while processing
Clientless VPN traffic.

PAN-134038 Fixed an issue where custom signatures did not properly detect the User-
Agent header when the Origin header was above the User-Agent header.

PAN-133915 Fixed an issue on Panorama where configuring a BGP import rule from
the CLI failed with the following error message: Server error :
permission denied for the command set.

PAN-133912 Fixed an issue where querying traffic logs based on address objects and
address groups did not work.

PAN-133880 Fixed an issue where RADIUS authentication failed due to an FQDN
resolution failure after the VM-Series firewall rebooted.

PAN-133673 Fixed an issue that caused a process (ikemgr) to exit when site-to-site VPNs
experienced connectivity interruptions.

PAN-133609 Fixed an issue where the Authentication Portal did not work due to a large
number of HTTP requests with unsupported Authorization headers.

PAN-133285 Fixed an issue on the firewalls where configuring a default Online Certificate
Status Protocol (OCSP) URL in front of an intermediate certificate authority
(CA) in a certificate profile did not override the OCSP URL during the
validation of client certificates issued by the intermediate CA.

PAN-132922 Fixed an issue where service objects were unable to be deleted if they were
configured to exceed firewall limits.

PAN-132715 Fixed an issue where a child dynamic address group was not added as a
member of the parent group.


PAN-132697 Fixed an issue where the GlobalProtect portal did not generate certificate
signing requests (CSRs) due to failed Simple Certificate Enrollment Protocol
(SCEP) authentication cookie validation.

PAN-131973 Fixed an issue where both firewalls in an HA active/passive configuration
stopped responding at the same time.

PAN-131814 Fixed an issue where the firewall did not recognize a device when the DHCP
contained a hostname with a trailing NULL.

PAN-131491 Fixed an issue where the ACC risk meter displayed as zero for long time
periods with a large amount of logs.

PAN-131045 Fixed an issue where a rare cleartext HTTP/2 application behavior caused
a resource leak. If jumbo frames were enabled, this leak caused the App-ID
queue to fill up quickly, which led to legitimate sessions being discarded.

PAN-130564 Fixed an issue where the session ID did not display correctly in the debug logs
related to the hardware security module (HSM).

PAN-130562 Fixed an issue where, in VM-Series firewalls deployed using init-cfg.txt in the
bootstrap process and set in an HA configuration, the configuration did not
display as synchronized due to the initcfg configuration.

PAN-130168 Fixed an issue where a process (pan_comm) stopped responding due to
operation commands run during a commit.

PAN-129474 Fixed an issue where a process (mgmtsrvr) restarted due to race conditions
initialized by the mutex.

PAN-129461 Fixed an issue where excessive next hop FPGA exceptions occurred when an
ARP request or response was lost in the network in an ECMP configuration,
which blocked subsequent ARP learning due to a full queue.

PAN-129294 Fixed an issue on Panorama where the Policy Optimizer showed invalid data
for Rule Usage.

PAN-129277 Enhanced a daemon (dnsproxy) to support DNS compression for query
strings.

PAN-128650 Fixed an issue where selecting Preview Changes under a specific device
group resulted in the following error message: Parameter device group
missing.

PAN-128042 Fixed an issue where the dynamic address group failed due to a process
(devsrvr) not being synced with another process (useridd).

PAN-127691 Fixed an issue where the dataplane maintained the old category for the URL
even after changing or deleting that category from PAN-DB.

PAN-126938 Fixed an issue where multiple daemons restarted due to MP ARP overflow.


PAN-126353 Fixed an issue where the XML API used to retrieve hardware status
periodically failed with a 200 OK message and no data.

PAN-120530 Fixed an issue where a Panorama appliance running PAN-OS 10.0.0 observed
restarts in a process (reportd) while running a custom report when the log
collector or remote device was running a software version earlier than the
current version on Panorama.

PAN-120249 Fixed an issue where Elasticsearch failed to properly start up, which caused
issues with logging on Panorama or the Log Collector.

PAN-118468 (VM-Series firewalls on VMware ESXi only) Fixed an issue where the firewall
stays in a boot loop and enters maintenance mode after adding a 60GB disk.

PAN-118416 (Japanese language only) Fixed an issue where the WildFire Update Schedule
incorrectly displayed At as Atlantic.

PAN-116843 Fixed an issue on Panorama where, when navigating through Policies, the
following error message displayed: show rule hit count op-command
failed.

PAN-115954 Fixed an issue where commits failed with the following error: Error
unserializing profile objects failed to handle
CONFIG_UPDATE_START.

PAN-113523 Fixed an intermittent issue where configuration audit stopped showing
commit history and revisions.

PAN-112539 Fixed an issue where the firewall stopped forwarding logs to the log collector
from the Log Processing Card (LPC) after a commit push from Panorama due
to a race condition.

PAN-112246 Fixed an issue on the firewalls where a process (mgmtsrvr) restarted after the
Panorama connection flapped.

PAN-OS 9.0.9-h1 Addressed Issues
Issue ID Description

PAN-150172 Fixed an issue where dataplane processes restarted when attempting to
access websites that had the NotBefore attribute less than or equal to Unix
Epoch Time in the server certificate with forward proxy enabled.

PAN-OS 9.0.9 Addressed Issues
Issue ID Description

WF500-5320 Fixed an issue where the WF-500 cluster did not synchronize verdicts after
successful verdict recheck queries with the WildFire global cloud.

PAN-148988 A fix was made to address a Security Assertion Markup Language (SAML)
authentication issue (CVE-2020-2021).

PAN-148068 Fixed an issue where SSL connections were blocked if you enabled decryption
with the option to block sessions that have expired certificates. This issue
included servers that sent an expired AddTrust certificate authority (CA) in
the certificate chain.

PAN-145026 Fixed an issue where Cortex Data Lake certificates on the firewall were not
automatically renewed after the certificates expired.

PAN-144882 Fixed an issue where the firewall generated critical system logs: Fsck
failed for Logging Raid Disk Pair after downgrading from PAN-
OS 9.0 to PAN-OS 8.1.

PAN-144782 Fixed an issue where a configuration audit created a large number of
opresult.out files, which filled up the session/pan/user_tmp directory in opt/
pancfg. This caused a slow Panorama response until a device restart was
performed or the files were manually deleted from the root of the device.

PAN-144646 Fixed an issue where a process (varrcvr) stopped responding on the PA-7000
Series Log Forwarding Card (LFC) when it received a verdict from the
WildFire cloud.

PAN-143957 Fixed an issue where, after loading a saved configuration snapshot by API, a
custom role-based administrator required Superuser privileges to perform a
full commit.

PAN-143648 (VM-Series firewalls in Azure environment only) Fixed an issue where a kernel
panic in a Linux Integration Services (LIS) driver caused the firewall to reboot
by itself.

PAN-141563 Fixed an issue where Slot 8 path monitoring failure occurred due to a memory
buildup in a process (logrcvr) that was caused by slow communication and
connection between log forwarding and Cortex Data Lake.

PAN-140846 Fixed an issue where the dataplane restarted during a commit when Netflow
was enabled.

PAN-140494 Added a mechanism to detect corrupted or incorrectly formatted packets
received on the dataplane CPU. Such packets are dropped, and a counter,
pkt_recv_bad_group, is incremented.


PAN-140465 (VM-Series firewalls only) Fixed connection issues between IPv6 peers when
the IPv6 neighbor cache was synchronized in an HA cluster where, after
failover, the newly active firewall did not send multicast neighbor solicitation
from its global unicast address.

PAN-140386 Fixed an intermittent issue where the firewall used IP addresses instead of
domain names for URL category lookup after upgrading to 9.0.6.

PAN-139935 Fixed an issue in the URL process where a process (devsrvr) stopped
responding.

PAN-139764 Fixed an issue where an out-of-memory (OOM) condition occurred due to a
memory leak, which caused a process (configd) to restart.

PAN-139718 Fixed an issue where the firewall failed stateful inspection for GTP forward
relocation requests greater than 1,500 bytes and could not parse Access
Point Name (APN) information in forward relocation requests.

PAN-139587 (PA-5200 Series and PA-7000 Series firewalls only) Fixed an issue where
high and continuous CPU utilization was seen on dataplanes after IPSec
Encapsulating Security Payload (ESP) rekeying occurred for multiple tunnels.

PAN-139391 Fixed an issue where unique GlobalProtect portal profiles were not selected
in the correct order.

PAN-138870 Fixed an issue where a process (configd) restarted and administrators received
one of the following error messages: Timed out while getting config
lock. Please try again or Please wait while the server
reboots... due to a database error.

PAN-138813 Fixed a performance drop issue seen when using API to configure larger sets
of objects (more than 25 objects).

PAN-138739 Fixed an issue where, in a high availability (HA) active/active configuration in
a virtual wire deployment with asymmetric traffic, decryption did not work for
some sites.

PAN-138476 Fixed an intermittent issue where logs were delayed or missing when
querying for logs by applying filters. To leverage this fix, you must upgrade
Panorama to 9.0.9 and the Cloud Services plugin to 1.6.0-h1.

PAN-137966 Fixed a configuration lock issue where Panorama timed out due to a process
(configd) being unable to read another process (mongod).

PAN-137902 (PA-7000 Series firewalls only) Fixed an issue where hot swapping a PA-7000
100G NPC with a PA-7000 20G NPC caused packet buffer leak and slot
restarts.

PAN-137867 (PA-7000 Series firewalls only, running with both a PA-7000 100G NPC and
a PA-7000 20G NPC) Fixed an issue where IPSec traffic caused dataplane
restarts.

PAN-OS® RELEASE NOTES | PAN-OS 9.0 Addressed Issues 219


© 2020 Palo Alto Networks, Inc.
Issue ID Description

PAN-137387 Fixed an issue where URL filtering used the IP address instead of the
hostname, which led to incorrect URL categorization.

PAN-137138 Fixed an issue where a process (configd) consistently restarted with
the following error message: virtual memory limit exceeded,
restarting. The restarts were triggered by a dynamic updates push from
Panorama to multiple firewalls.

PAN-136703 (PA-3000 Series and PA-800 Series firewalls only) Fixed an issue with
insufficient memory allocation for configurations to accommodate the PAN-
OS 9.0 Dynamic Address Group feature.

PAN-136649 Fixed an issue where PA-7000 20GXM and PA-7000 20GQXM Network
Processing Cards (NPCs) failed to process some sessions for Layer 7
inspection due to internal maximum threshold value that was not set.

PAN-136608 Fixed an issue in Panorama where the Security policy Target displayed the
serial number of the targeted device instead of the hostname.

PAN-136390 (PA-7000 Series with 100G NPC only) Fixed an issue during firewall bootup
where the following error message: Bootloader upgrade failed, ret
255 appeared when small form-factor pluggable (SFP) modules were installed.

PAN-135865 Fixed an issue that prevented Panorama from being switched out of
management-only mode when deployed in Amazon Web Services (AWS)
instance types M5 and C5.

PAN-135684 Fixed an issue with log collectors on Panorama where large index sizes caused
higher CPU usage than expected when disk space usage was high.

PAN-135587 Fixed an issue where the GlobalProtect gateway was unable to parse a large
list of IP addresses assigned on a local machine.

PAN-135039 Fixed an issue in Panorama where a memory leak occurred during an HA sync
commit.

PAN-134309 Fixed an issue where a process (devsrvr) restarted when it hit the limit of the
number of custom patterns available in the allocated memory.

PAN-133731 Fixed an issue on the Panorama Virtual Appliance where the show
interface all CLI command did not list any output.

PAN-133727 Fixed an issue where Session Initiation Protocol (SIP) messages were not
parsed correctly when the packet was received in separate segments, which
caused the receiver to receive corrupted messages.

PAN-133614 Fixed an issue on the Panorama Virtual Appliance where SNMP Object IDs
(OIDs) were missing for interfaces other than the Management interface.

PAN-133495 Fixed an issue where the Terminal Server (TS) Agent disconnected on the
firewall after a failover or reboot.

PAN-133411 Fixed an issue where after making configuration changes and selecting
Preview Changes, a 500 Internal Server Error message displayed due to a
memory leak.

PAN-133211 Fixed an issue where the policy order was not maintained when moved to a
different device group.

PAN-132995 (PA-7000 Series and PA-3200 Series firewalls only) Fixed an issue where
when jumbo frames were enabled, the maximum transmission unit (MTU) size
limit was lower than expected.

PAN-132766 Fixed an issue in Panorama where custom region objects were not visible in
the GlobalProtect Portal External Gateway drop-down.

PAN-132712 Fixed an issue where scheduled reports did not run on a PA-7000 Series
firewall not managed by Panorama after upgrade to 8.1.10 or 9.0.4 and later
versions.

PAN-132476 Made improvements to the log storage for VM-Series for NSX Panorama.

PAN-131945 Fixed an issue where Device > VM-Series on the firewall web interface
showed a blank screen.

PAN-131792 Fixed an issue where the Name log filter (Monitor > Logs > Traffic) was not
maintained when viewing the Log Viewer for a Security policy rule (Policies >
Security) from the drop-down.

PAN-131501 Fixed an issue when configuring Clientless VPN and executing the portal-
getconfig CLI command where user groups were retrieved but were not
freed, which caused a memory leak on a process (sslvpn).

PAN-131290 Fixed an issue where reports from Panorama displayed the following
messages: Please wait... and Warning: Some of the devices
are in High Speed Log Forwarding Mode.

PAN-131038 Fixed an issue on the firewalls where the FIB lookup routing test did not
display all available paths on the web interface.

PAN-130870 Fixed an issue where the management plane CPU on the firewall was high
due to index generation on summary logs.

PAN-130776 Fixed an issue on Panorama where Applications and Threats content update
deployment failed due to the content version date check.

PAN-130558 Fixed an issue on the firewalls where SNMP queries for panZoneTable listed
details for only one zone when there were two zones with same names under
different virtual systems.

PAN-130121 Fixed an issue in Amazon Web Services (AWS) where Ethernet1/1 failed
DHCP renewal after the hour.

PAN-129281 Fixed an issue where a process (useridd) restarted due to a buffer overflow
when the time-to-live (TTL) and Idle Timeout values were set to Never, a
timing issue between user group context and a process (sysd) callback, and a
group mapping issue when multiple group mappings fetched the same groups
with different override domains.

PAN-128879 Fixed an issue where the PAN-OS XML API inject was not working for IP
address to user mappings or for the import of software, content, and plugins.

PAN-128393 Fixed an issue where User-ID running on port 5007 responded with the
default certificate and participated in mutual authentication after upgrading
to PAN-OS 9.0, which exposed the default certificate on the firewall to third-
party vulnerability scanners.

PAN-128155 Fixed an issue where system log entries misspelled "client version" as "lient
version", which made it difficult for syslog servers to find these entries.

PAN-128078 Fixed an issue where a process (mgmtsrvr) stopped responding and was
inaccessible through SSH or HTTPS until the firewall was power cycled.

PAN-127434 Fixed an issue where reports for URLs were not generating the correct data
output.

PAN-127375 Fixed an issue where a process (rasmgr) restarted multiple times, which
caused the firewall to reboot.

PAN-127260 Fixed an issue where the /opt/pancfg partition became full due to a large
amount of botnet reports that were not automatically deleted.

PAN-125524 Fixed an issue where the dataplane restarted when many NAT rules were
followed by successive commits.

PAN-125501 Fixed an issue where URL information in a URL Custom Report was blank
when the report contained flexible size fields (such as URL Category List).

PAN-125466 Fixed an issue where, during Antivirus or Threat Content update downloads
or install, some show commands in the CLI, API calls, and web interface pages
gave information output with significant delay (15-60 seconds).

PAN-124916 Added two ciphers for GlobalProtect Portal TLS connections.

PAN-123279 Fixed an issue where a process (configd) stopped responding after upgrading
Panorama to 8.1.9 from 8.0.16 due to 8.0 WildFire appliance register
requests.

PAN-123090 (PA-3000 Series firewalls only) Fixed an issue where a configuration commit
failed due to a memory allocation failure on the dataplane.

PAN-122226 Fixed an issue where traffic failed to match Security policies using wildcard
address objects.

PAN-121602 Fixed an issue on Panorama where a query (after-change-preview
contains) did not return the expected results for configuration logs.

PAN-120830 Fixed an issue in Panorama where certificate import failed with the following
error message: Certificate chain cannot be validated,
required CAs not found.

PAN-120614 Fixed an issue where a commit from a Panorama appliance running PAN-
OS 9.1 to a managed firewall running PAN-OS 9.0 or earlier failed with the
following error message in ms.log: error generating tranform ike-
pre-transform.xsl.

PAN-120454 Fixed an issue where the firewall did not fail over to the secondary LDAP
server when the primary LDAP server was not reachable and the configured
LDAP bind timeout was not properly honored when SSL protocol was used.

PAN-120113 Fixed an issue where the to, from, and subject fields did not populate in the
threat logs if the fields were out of order.

PAN-120105 Fixed an issue where email header information intermittently was not present
in threat logs.

PAN-119645 Fixed an issue where a process (panio) used unnecessary memory and caused
an out-of-memory (OOM) condition on the dataplane if the dataplane was
already low on memory.

PAN-119170 Fixed an issue where Panorama did not display managed devices when
selecting Revert Content (Panorama > Device Deployment > Dynamic
Updates).

PAN-119159 Fixed an issue where if one invalid FQDN object was configured, FQDN
resolution failed for all FQDN objects.

PAN-118098 Fixed an issue where a process (useridd) restarted while updating user groups.
This issue occurred when multiple group mapping profiles were used to fetch
the same group information while using different domain override settings.

PAN-117606 Fixed an issue where a process (configd) crashed while making configuration
changes on Panorama.

PAN-117487 Fixed an issue where a process (mgmtsrvr) stopped responding due to a
memory corruption issue when acquiring a configuration lock.

PAN-117075 Fixed an issue where the firewall did not process the TLS record in SSL
Inbound Inspection as expected, which introduced out-of-order packets in
the transmit stage packet capture and affected client performance while
accessing HTTP video applications.

PAN-116835 Fixed an issue with log reading performance when using WMI for server
monitoring with PAN-OS integrated User-ID agent.

PAN-115914 Fixed an issue where Static, Connected, and Host routes were missing on the
FIB table of the firewall in a passive state after 300 seconds of switch over.

PAN-112120 Fixed an issue where threat Name field of a threat Custom Report displayed
the threat ID instead of the threat name.

PAN-111379 Fixed an issue on the firewall where the Application Command Center (ACC)
Network Activity tab displayed the message In Progress and stopped
responding.

PAN-110457 Fixed an issue where Panorama ran out of memory due to high memory usage
on a process (configd).

PAN-106763 Fixed an issue where the dataplane crashed while freeing up memory due to a
corrupted or long certificate field in the handshake.

PAN-102202 Fixed an issue where the OSPF summary Link State Advertisement (LSA) for
the default 0.0.0.0/0 route were not advertised by the Area Border Router
(ABR).

PAN-98933 Fixed an issue on M-Series appliances in a high availability (HA) active/
passive configuration where the schedules (Device > Dynamic Updates) were
unresponsive after a failover or restart of Panorama.

PAN-98694 Fixed an issue on a PA-5200 Series firewall in an HA active/passive
configuration where the firewall dropped TCP-FIN packets after a failover.

PAN-OS 9.0.8 Addressed Issues
Issue ID Description

PAN-140575 Fixed an issue where a process (masterd) did not restart another process
(logrcvr) on the Log Forwarding Card (LFC) after the process (logrcvr) crashed.

PAN-140509 Fixed an issue where performing private data resets during custom Amazon
Machine Image (AMI) creation removed CloudWatch directories and caused
the CloudWatch plugin to fail.

PAN-140270 Added additional debugging to periodically collect the debug dataplane
internal pdt bcm counters graphical CLI command's output in the
Tech Support File (TSF).

PAN-140043 (PA-7050 firewalls running on PA-7000 100G NPCs only) Fixed an issue
where the PA-7000 100G NPC Native Implemented Function (NIF)
initialization took longer than expected, which caused internal path
monitoring failure and sent the firewall into a non-functional state while
rebooting.

PAN-139555 Fixed an issue where after upgrading the passive firewall, the outer UDP
sessions synced from the active firewall did not retain the rule information
and after failover, GPRS tunneling protocol (GTP) inspection did not work.

PAN-137673 Fixed an issue where a memory leak associated with a process (devsrvr)
caused an out-of-memory (OOM) condition on the firewall.

PAN-136765 Fixed an issue where an FQDN update that resolved to the same IP address
of another FQDN across different policies caused the other FQDN to be
deleted due to missing FQDN aggregation.
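
PAN-119159 above (one unresolvable FQDN object breaking resolution for all FQDN objects) and PAN-136765 (a refresh of one FQDN deleting an address that another FQDN still resolves to) are both failures of FQDN aggregation. The Python below is an added example, not PAN-OS code and not a description of how PAN-OS implements FQDN objects: it models the aggregation with per-address reference counting and per-FQDN failure isolation over a constructed dictionary resolver (no DNS is queried). Every class, function and hostname in it is hypothetical.

```python
"""FQDN address aggregation with per-FQDN failure isolation.

Added example, not PAN-OS code. Addresses are tracked per FQDN and
reference-counted per address, so an address stays installed while any
FQDN still resolves to it, and a resolution failure for one FQDN leaves
every other FQDN's addresses untouched. The resolver is a constructed
dictionary lookup standing in for DNS.
"""
import ipaddress


class ResolveError(Exception):
    """Raised when an FQDN cannot be resolved (stands in for NXDOMAIN/timeout)."""


def dict_resolver(answers):
    """Builds a resolver over a constructed {fqdn: {ip string, ...}} table."""
    def resolve(fqdn):
        if fqdn not in answers:
            raise ResolveError(fqdn)
        return set(answers[fqdn])
    return resolve


class FqdnAddressTable:
    def __init__(self, resolve):
        self._resolve = resolve
        self._per_fqdn = {}   # fqdn -> set of ip_address objects it resolved to
        self._owners = {}     # ip_address -> set of fqdns still resolving to it
        self.failed = set()   # fqdns whose most recent refresh failed

    def _install(self, fqdn, addrs):
        """Replaces fqdn's addresses, releasing only addresses no FQDN still owns."""
        old = self._per_fqdn.get(fqdn, set())
        for addr in old - addrs:
            owners = self._owners[addr]
            owners.discard(fqdn)
            if not owners:            # last owner gone: safe to uninstall
                del self._owners[addr]
        for addr in addrs:
            self._owners.setdefault(addr, set()).add(fqdn)
        self._per_fqdn[fqdn] = set(addrs)

    def refresh(self, fqdns):
        """Re-resolves each FQDN; a failure is isolated to that FQDN only."""
        for fqdn in fqdns:
            try:
                raw = self._resolve(fqdn)
            except ResolveError:
                # Keep this FQDN's last-known-good addresses and continue.
                self.failed.add(fqdn)
                continue
            self.failed.discard(fqdn)
            self._install(fqdn, {ipaddress.ip_address(a) for a in raw})

    def remove(self, fqdn):
        """Deletes an FQDN object; shared addresses survive if another FQDN owns them."""
        self._install(fqdn, set())
        del self._per_fqdn[fqdn]
        self.failed.discard(fqdn)

    def addresses(self):
        """Union of addresses across all FQDNs, i.e. what policy would match on."""
        return {str(a) for a in self._owners}

    def addresses_for(self, fqdn):
        return {str(a) for a in self._per_fqdn.get(fqdn, set())}


if __name__ == "__main__":
    # Constructed answers: api shares 203.0.113.10 with app; bogus never resolves.
    answers = {"app.example.test": {"203.0.113.10", "203.0.113.11"},
               "api.example.test": {"203.0.113.10"}}
    table = FqdnAddressTable(dict_resolver(answers))
    table.refresh(["app.example.test", "api.example.test", "bogus.invalid"])
    print("failed:", table.failed, "installed:", sorted(table.addresses()))
```

The two properties worth checking in any implementation are the ones the entries describe as broken: an address shared by two FQDNs must survive a refresh or deletion of one of them, and a failing FQDN must leave the others resolvable while retaining its own last-known-good set rather than emptying it.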

PAN-136612 Fixed an issue where fragmented packets leaked, which caused the depletion
of Work Query Entry (WQE) pools.

PAN-136470 Fixed an issue where a process (all_pktproc) restarted while processing
packets with 0.0.0.0 and destination protocol 251 that internally mapped to
GTP-C traffic, which caused the dataplane to restart.

PAN-136173 Fixed an issue where dataplane interfaces remained down after active firewall
bootup or a high availability (HA) failover.

PAN-135909 Fixed an issue where connections to the web interface
were abruptly interrupted due to a double free condition
(gPanUiPhpGlobal_secure_config_reset), which led to unexpected process
restarts.

PAN-134571 Fixed an issue where DNS security incorrectly set bits to zero on compressed
DNS packets, which caused DNS malformation.

PAN-134547 Fixed an issue where the passive firewall in an active/passive HA
configuration deleted BGP-learned routes synchronized from the active
firewall if the BGP configuration included the redistribution of the learned
routes.

PAN-134546 Fixed a rare issue on the firewall where a process (flow_mgmt) restarted due
to an invalid packet received through the GlobalProtect agent or clientless
VPN.

PAN-134431 Fixed an issue with Security Assertion Markup Language (SAML)
authentication where the firewall used old authd_id values, which resulted
in failed authentication.

PAN-133289 Fixed an issue where improper parsing of the URL database caused high
device-server CPU usage.

PAN-132898 Fixed an intermittent issue where logs were missing with log_index debug
messages due to merging of the index.

PAN-132651 Fixed an issue where packet buffer use was at 99% and tunnel monitoring
failed, which caused tunnel flaps and LDAP authentication failures.

PAN-131922 Fixed an issue where the certificate was not automatically pushed to the
firewall until you manually fetched the certificate from the firewall.

PAN-131517 Fixed an issue with a memory corruption error that caused a process
(all_pktproc) to restart.

PAN-130750 Fixed an issue where commit failed on the firewall after disabling Pre-Defined
Reports from Panorama.

PAN-129328 Fixed an issue where packet descriptor (on-chip) usage reached 100% even
though buffers, throughput, and session counts were not elevated.

PAN-129289 Fixed an issue where export failed for a large running-config.xml file using the
XML API.

PAN-128568 Fixed a rare issue on the firewalls where a process (pan_task) restarted due to
NULL pointer exception.

PAN-128330 Fixed an issue where the response for the XML API call for the show
object registered-ip all operational CLI command included extra
appended content.

PAN-128195 Fixed an issue on Panorama where processes (vld) ran on high CPU when the
incoming system log rate was 0.

PAN-127614 Fixed an issue where SNMPv3 monitoring of the firewall failed from the
Zabbix server after a firewall reboot or SNMP daemon restart on the firewall.

PAN-127358 Fixed an issue with a memory leak in a process (configd) where virtual
memory exceeded the limit, which caused the process to restart.

PAN-127318 Fixed an issue where the firewall intermittently dropped DNS A or AAAA
queries received over IPSec tunnels due to a session installation failure.

PAN-127004 Fixed an issue where a process (sysd) restarted due to missing heartbeats.

PAN-126205 Fixed an issue where role-based administrators were unable to import
certificate private keys onto firewalls.

PAN-126069 Fixed an issue in Panorama where logs couldn't be viewed when an additional
log collector was configured in the existing log collector group.

PAN-125934 Fixed an issue on Panorama where a commit failed when bootstrapping a
firewall to a configuration with a serial number of "unknown." The commit
failed with the following error message: mgt-config -> devices ->
unknown unknown is invalid.

PAN-125794 Fixed an issue where a role-based administrator with CLI access was not able
to successfully execute the commit-partial CLI command to commit only
changes made by themselves.

PAN-125730 Fixed an issue where packets tagged with IP protocol 252 were incorrectly
treated as GPRS tunneling protocol (GTP) traffic, which caused the packet
processor to terminate.

PAN-125534 (PA-5200 Series and PA-7000 Series firewalls only) Fixed an issue where
firewalls experienced high packet descriptor (on-chip) usage during uploads to
the WildFire Cloud or WF-500 appliance.

PAN-125410 Fixed an issue where a new GPRS tunneling protocol version 2 control plane
(GTPv2-C) session reused GTP-C tunnel parameters within two seconds
after deleting the old GTP-C session, which caused a session conflict on the
firewall.

PAN-124893 Fixed an issue where a race condition caused the FIB entry list to form a
circle, which in turn caused a process (mprelay) to infinitely loop.

PAN-124039 A fix was made to address an issue where the GlobalProtect Portal feature
in PAN-OS did not set a new session identifier after a successful user login
(CVE-2020-1993).
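
The defect behind CVE-2020-1993 is the session-fixation pattern: a session identifier issued before authentication remains valid after it, so whoever chose that identifier holds an authenticated session. The Python below is an added example, not Palo Alto Networks code, and does not describe how the GlobalProtect portal implements sessions: it models a login handler in the vulnerable form and the fixed form beside it, with a check that tells them apart. The session store, user table and function names are hypothetical.

```python
"""Does login issue a fresh session identifier?

Added example, not PAN-OS or GlobalProtect code. login_vulnerable keeps the
session id chosen before authentication (session fixation); login_fixed
destroys the pre-auth session and issues a new id. rotates_session_on_login
is the check a reviewer would apply to either.
"""
import hmac
import secrets


class SessionStore:
    """In-memory session table: session id -> attributes."""

    def __init__(self):
        self._sessions = {}

    def create(self, attrs=None):
        sid = secrets.token_urlsafe(32)       # 256 bits from the OS CSPRNG
        self._sessions[sid] = dict(attrs or {})
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


# Constructed credential table for the demo only; real systems store hashes.
USERS = {"alice": "correct horse battery staple"}


def _password_ok(user, password):
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def login_vulnerable(store, sid, user, password):
    """Authenticates but keeps the caller-supplied session id.

    If an attacker planted `sid` in the victim's browser before login,
    that same id is now an authenticated session the attacker also holds.
    """
    if not _password_ok(user, password):
        return None
    session = store.get(sid)
    if session is None:
        sid = store.create()
        session = store.get(sid)
    session["user"] = user
    return sid


def login_fixed(store, sid, user, password):
    """Authenticates, destroys the pre-auth session and issues a new id."""
    if not _password_ok(user, password):
        return None
    store.destroy(sid)   # whoever chose the pre-auth id, it is worthless now
    return store.create({"user": user})


def rotates_session_on_login(login, store):
    """True if a successful login yields a new id and invalidates the old one.

    pre_sid plays the part of the id an attacker would plant before login.
    """
    pre_sid = store.create()
    post_sid = login(store, pre_sid, "alice", USERS["alice"])
    if post_sid is None:
        raise RuntimeError("login failed; the check cannot conclude")
    return post_sid != pre_sid and store.get(pre_sid) is None


if __name__ == "__main__":
    for name, handler in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        print(name, "rotates session:", rotates_session_on_login(handler, SessionStore()))
```

Against a live portal the same check is two HTTPS requests: record the session cookie set before login, compare it with the cookie set after a successful login, and confirm the pre-login cookie is rejected afterward. Both halves matter; a new cookie that leaves the old one valid is still fixation.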

PAN-123637 (PA-3200 Series firewalls only) Fixed an issue where configuring 1G small
form-factor pluggable (SFP) ports on a firewall with forced speed mode (of
1G) enabled made the link unusable when forced speed mode (of 1G) was
also enabled on the peer firewall.

PAN-122408 (PA-7000 Series firewalls with LFC cards only) Fixed an issue where the
system logs would continuously report a failure to connect to the proxy for
WildFire even when the connectivity was working properly.

PAN-119806 Fixed an issue in an HA configuration where the dataplane restarted due to
internal packet path monitoring failure on the passive firewall.

PAN-116480 Fixed an issue in Panorama where the show system search-engine-
quota CLI command, the show log-collector serial-number
<log-collector_SN> CLI command, and Statistics (Panorama > Managed
Collectors > Statistics) showed incorrect log retention data.

PAN-111611 Fixed an issue where the connection between the firewall and Cortex Data
Lake flapped if connections decreased.

PAN-88136 Fixed a rare issue where a URL update caused the dataplane to restart.

PAN-OS 9.0.7 Addressed Issues
Issue ID Description

WF500-5185 (WF-500 Series only) Fixed an issue where high disk use was observed due to
an inadequate rotation of log files.

PAN-140090 Fixed an issue where HA links were down in VLAN access mode for KVM.
This fix is only applicable for KVM deployments that are configured in VLAN
access mode with SR-IOV.

PAN-137458 Fixed an issue where system logs with new event IDs caused a memory leak
in a process (mgmtsrvr).

PAN-136698 Fixed an issue where a process (all_pktproc) stopped responding and the
dataplane restarted when the firewall processed a malformed GPRS tunneling
protocol (GTP) packet.

PAN-136696 Fixed an issue where the dataplane restarted due to excessive logs from the
pan_comm process.

PAN-135703 (PA-7000 Series firewalls only) Fixed an issue where the switch ports
connected to Quad Small Form-factor Pluggable (QSFP+) interfaces were up
while Network Processing Cards (NPCs) were still rebooting.

PAN-135260 (PA-7000 Series firewalls running PAN-OS® 8.1.12 only) Fixed an intermittent
issue where the dataplane process (all_pktproc_X) on a Network Processing
Card (NPC) restarted when processing IPSec tunnel traffic.

PAN-135103 A fix was made to address a format string vulnerability on PA-7000 Series
firewalls with a Log Forwarding Card (LFC) (CVE-2020-1992).

PAN-135089 Fixed an issue where the CPU for a process (ikemgr) spiked when third-party
VPN clients connected to the GlobalProtect gateway with more than three
DNS servers configured.

PAN-134678 (PA-5200 Series firewalls only) Fixed an issue where the QSFP28 ports 21
and 22 did not respond when plugged in with a Finisar 100G AOC cable.

PAN-134370 Fixed an issue where a process (mp-relay) restarted due to missing routes or
next hops.

PAN-134244 Fixed an issue where connections proxied by the firewall (such as SSL
Decryption, GlobalProtect portal and gateway connections, and SIP over TCP)
failed due to insufficient buffer allocation. Some connections failed with the
following error message: proxy decrypt failure.

PAN-133582 Fixed an issue in the firewalls where some Dynamic Address Groups pushed
from Panorama were missing member IP addresses.

PAN-133440 Fixed an issue where fragmented traffic caused high dataplane use and
firewall performance issues.

PAN-133378 Fixed an issue in Panorama where a process (configd) restarted while doing a
commit using a RADIUS super admin role.

PAN-133048 (PA-5200 and PA-7000 Series firewalls only) Fixed an issue where firewalls
processed traffic asymmetrically when using Internet Protocol (IP) classifiers
on virtual wire (vwire) subinterfaces.

PAN-133042 (PA-5200 and PA-7000 Series firewalls only) Fixed an issue where firewalls
dropped certain GPRS tunneling protocol (GTP) traffic even when gtp
nodrop was enabled.

PAN-133040 Fixed an issue on a WF-500 appliance where a VM-Series firewall controller
stopped responding, which caused the appliance to stop file analysis.

PAN-131993 Fixed an issue where a process (reportd) would crash while running a log
query.

PAN-131907 Fixed an issue where GPRS tunneling protocol (GTP) version 2 handling
was unable to handle fully qualified tunnel endpoint IDs (FTEID) received
in reverse order, which resulted in GTP-C and GTP-U flows with incorrect
IP addresses and tunnel endpoint IDs (TEID). This caused a GTP stateful
inspection failure for subsequent packets on the respective flows.

PAN-131486 Fixed an issue where autocommits failed due to invalid access routes after an
upgrade.

PAN-131193 Fixed an issue where firewalls dropped generic routing encapsulation (GRE)
packets with the following error message: Packet dropped, prepend
failure.

PAN-130573 Fixed an issue where the software pool for Regex results was depleted and
caused connection failures.

PAN-130447 Fixed an issue where the firewall dropped offloaded traffic every time there
was an explicit commit (Commit on the firewall locally or Commit All Changes
in Panorama) or an implicit commit (such as an Antivirus update, Dynamic
Update, or WildFire® update) on the firewall.

PAN-130361 A fix was made to address an external control of filename vulnerability in the
SD-WAN component of Palo Alto Networks Panorama (CVE-2020-2009).

PAN-130345 Fixed an issue where the Panorama VM rebooted while filtering for
configuration logs when the query value was not one of the predefined string
results.

PAN-130290 Fixed an issue in the web interface where traffic logs did not display the
destination zone (Monitor > Logs > Traffic > To Zone) for multicast sessions.

PAN-130262 Fixed an issue where firewalls dropped HTTP 200 OK messages during the
offload of traffic for App-ID™ inspection.

PAN-130229 Fixed an issue on Panorama appliances where you could not change maximum
transmission unit (MTU) values from the web interface; attempting to do so
caused the appliance to display the following error message: Malformed
Request.

PAN-129518 Fixed an issue where the firewall restarted due to an out-of-memory (OOM)
condition caused by a leak in a process (ikemgr).

PAN-129490 Fixed an issue where CRL/OCSP verifications failed due to requests routing
through the management interface even when service route was configured.

PAN-128908 Fixed an issue where, if a user password was changed but no commit was
performed afterward, the new password did not persist after a reboot: the
user could still log in with the old password, and the calculation of expiry
days was incorrect because it was based on the password change timestamp in
the database.

PAN-128717 Fixed an issue in Panorama where, after switching context to a managed
device, the session idle timeout was not updated, and the web session timed
out even while the administrator was actively working in the interface.

PAN-127616 Fixed an issue where you could not push FQDN Minimum Refresh Time from
Panorama to managed firewalls.

PAN-127438 Fixed an issue where GlobalProtect portal configuration selection based on
certificate template OID failed.

PAN-127219 Fixed an issue where you could not select existing certificates when creating
an authentication profile by using the Security Assertion Markup Language
(SAML) method on the template stack.

PAN-127118 A fix was made to address an OS command line injection vulnerability in the
PAN-OS management server where authenticated users were able to inject
arbitrary shell commands with root privileges (CVE-2020-2014).

PAN-127087 Fixed an issue where a push operation (Commit All Changes) from Panorama
failed on passive firewalls when pushing a large number of new Security
policy rules to both firewalls in a high availability (HA) pair.

PAN-126944 Fixed an issue where the Panorama Template did not allow for Ethernet
Interface Link Speed configurations greater than 1,000 Mbps.

PAN-126817 Fixed an issue where Security Assertion Markup Language (SAML) response
validation failed with a certificate mismatch error even if the firewall had the
same certificate on IdP.

PAN-126775 (PA-800 and PA-220 Series only) Fixed an issue where NTP sync failures
occurred when using NTP servers configured with IPv6.

PAN-126573 Fixed an issue on Panorama where, after overriding a Layer 3 Aggregate
Group subinterface, all subinterfaces in the stack template disappeared.

PAN-126412 Fixed an issue where hardware security model (HSM) authentication from the
web interface failed if the password contained an ampersand (&).

PAN-126362 A fix was made to address a command injection vulnerability in the PAN-
OS management interface where an authenticated administrator was able to
execute arbitrary OS commands with root privileges (CVE-2020-2010).

PAN-126278 Fixed an issue where a burst of VLAN-tagged packets in a congested system
caused an overflow and locked up the firewall. With this fix, the threshold is
increased.

PAN-126202 Fixed an issue where a process (routed) stopped responding when users
accessed the web interface to view the OSPF interface data (Network >
Virtual Routers > More Runtime Stats > OSPF > Interface) if OSPF MD5 was
configured in the OSPF Auth profile.

PAN-126017 Fixed an issue where the set application dump on rule CLI command
did not accept rule names with more than 32 characters despite a stated
limit of 63 characters.

PAN-126014 Fixed an issue for GlobalProtect gateways where the Login At and Logout At
time fields in the Previous User PDF/CSV report for User Information used
the Epoch standard for displaying time.

PAN-125889 (PA-7000 Series firewalls only) Fixed an issue where auto-tagging in log
forwarding didn't work.

PAN-125804 A fix was made to address an issue where an OS command injection
vulnerability in the PAN-OS management server allowed authenticated
administrators to execute arbitrary OS commands with root privileges when
uploading a new certificate in FIPS-CC mode (CVE-2020-2028).

PAN-125546 Fixed an issue where a process failed to restart even when the system
logs displayed the following message: virtual memory exceeded,
restarting.

PAN-125527 Fixed an issue where a multilayer ZIP file inspection caused software buffer
corruption and the all_pktproc process to restart.

PAN-125306 Fixed an issue where a Transmission Control Protocol (TCP) connection reuse
was incorrectly handled by an HA active/active cluster with asymmetric
flows.

PAN-125194 Fixed an issue where system startup failed when the collector group was
configured with an incorrect serial number of invalid length.

PAN-125032 Fixed an issue where, when Minimum Password Complexity was Enabled
for all local administrators, the setting was also applied to plugin users.
This caused API calls from plugin users to fail (HTTP Error code 502)
because the required password change was never made for those users, so
their authentication failed.

PAN-124857 Fixed an issue where a Microsoft Access Database (MDB) file stopped and a
process (mgmtsrvr) stopped responding at the epoll_wait() system call
after the Panorama Virtual Appliance was stopped and started from Azure.

PAN-124802 Fixed an issue where LACP connectivity issues were observed due to high
CPU utilization when multiple dataplanes were used.

PAN-124628 Fixed an issue where REST API queries were unable to pull shared region
objects on Panorama.

PAN-124495 Fixed an issue on Panorama where the task manager showed locally executed
jobs but did not show tasks or jobs pushed to managed firewalls.

PAN-124087 Fixed an issue where GPRS tunneling protocol (GTP) v2 protocol handling
failed to handle the secondary Modify Bearer Request/Response in the GTP-
C session.

PAN-123858 Fixed an issue on firewalls where a process (userid) restarted while processing
incorrect IP address-to-username mappings that contained blank usernames
from User-ID agents.

PAN-123830 Fixed an issue where the GlobalProtect™ portal used an outdated
getbootstrap version.

PAN-123736 Fixed an issue where a Create Session Request message looped internally,
which caused continuous packet inspection that consumed firewall resources.

PAN-123724 Fixed an issue in Panorama where shared address objects were not
configurable as a destination in a static route configuration.

PAN-123391 A fix was made to address a predictable temporary file vulnerability in PAN-
OS (CVE-2020-1994).

PAN-123295 Fixed an issue where the dataplane restarted due to a race condition when a
configuration push and a Netflow update occurred simultaneously.

PAN-123135 Fixed an issue where user group membership lookup failed if the username
source (for example, Security Assertion Markup Language identity provider
(SAML IdP)) did not provide the user domain information. The issue occurred
even if you configured the firewall to Allow matching usernames without
domains (Device > User Identification > User Mapping > Palo Alto Networks
User-ID Agent Setup).

PAN-122909 Fixed an issue where enabling SSL Forward Proxy using the hardware
security module (HSM) led to intermittent failures when loading random
secure websites and displayed the following message: ERR_CERT_INVALID.
This issue was most closely associated with servers presenting ECDSA
certificates.

PAN-OS® RELEASE NOTES | PAN-OS 9.0 Addressed Issues 233


© 2020 Palo Alto Networks, Inc.
Issue ID Description

PAN-122872 Fixed an issue where the Aggregate Ethernet (AE) subinterface showed a
different status from the AE parent interface.

PAN-122147 Fixed an issue where the firewall dropped IPv6 Bidirectional Forwarding
Detection (BFD) packets due to a race condition with the Neighbor Discovery
Protocol (NDP).

PAN-121822 Fixed an issue with certificate authentication where only the topmost
certificate was used to validate the client certificate.

PAN-121654 (PA-3000 Series firewalls only) Fixed an issue where decrypting HTTP/2
traffic caused performance issues due to low memory conditions.

PAN-121626 (PA-3200 Series firewalls only) Fixed an intermittent issue where firewalls
dropped packets, which caused issues such as traffic latency, slow file
transfers, reduced throughput, internal path monitoring failures, and
application failures.

PAN-121598 Fixed an issue where the PAN-OS XML API packet capture (pcap) export
failed with the following error message: Missing value for parameter
device_name. Now, device_name and sessionid are no longer required
parameters.

PAN-121596 Fixed an issue where the OSPF protocol didn't choose the correct loopback
address for the forwarding address in the Not-So-Stubby Area (NSSA).

PAN-121483 Fixed an issue where Data Filtering profiles did not generate a packet capture
(pcap) for Server Message Block (SMB) when action was set to Alert.

PAN-121395 Fixed an issue where the bidirectional static NAT policy rule hit count did not
increase even when the policy was used.

PAN-121371 Fixed an issue where autocommit stopped at 99% if the firewall had an invalid
customer ID.

PAN-121319 A fix was made to address a stack-based buffer overflow vulnerability in the
management server component of PAN-OS (CVE-2020-1990).

PAN-121258 Fixed an issue where some SSLv3 session traffic logs showed an Allow action
even when the security rule policy had a Deny action when url-proxy was
enabled.

PAN-120726 Fixed an issue where the firewall incorrectly populated the username after
the user was served an Anti-Phishing Continue page due to credential
phishing detection.

PAN-120640 Fixed an issue where show routing bfd related commands triggered a
memory leak in a process (routed).

PAN-120350 Fixed an issue where an Address Resolution Protocol (ARP) broadcast storm
overloaded the Log Processing Card (LPC) and caused the device to reboot.


PAN-119810 A fix was made to address the improper restriction of the XML external entity
(XXE) vulnerability in the Palo Alto Networks Panorama management server
(CVE-2020-2012).

PAN-119625 Fixed an issue where configuring GlobalProtect certificate enrollment using
Simple Certificate Enrollment Protocol (SCEP) with a dynamic SCEP challenge
caused the firewall to initiate a TLS 1.0 based connection for challenge
authentication.

PAN-119442 Fixed an issue where Panorama did not display the drop-down for part of a
custom report after using Pick up Later (Monitor > Manage Custom Reports).

PAN-119173 (PA-5000 and PA-3000 Series firewalls only) Fixed an issue where the passive
device in a high availability (HA) pair started processing traffic, which resulted
in a packet buffer leak.

PAN-118226 A fix was made to address an improper input validation vulnerability in the
configuration daemon of Palo Alto Networks Panorama (CVE-2020-2011).

PAN-117480 A fix was made to upgrade Nginx software included with PAN-OS
(PAN-SA-2020-0006 / CVE-2016-4450 and CVE-2013-0337).

PAN-117108 Fixed an issue where user mappings populated by the XML API were lost
after a reboot.

PAN-117043 Fixed an issue where using special characters in the tag names of the Security
policy rules returned the following error message when committing or
pushing a configuration: group-tag is invalid.

PAN-116842 Fixed an issue where, after enabling a Cortex Data Lake license, the
management plane memory utilization would increase unexpectedly when
some connections between the firewall and Customer Support Portal server
were blocked, leading to multiple process restarts due to an out-of-memory
(OOM) condition.

PAN-116231 Fixed an issue where invalid packet header content drop counters
were seen in global counters when packets from the network or HA3
were hitting a stale flow. The following flow state verify error was seen:
flow_fpga_rcv_key_err - Packets dropped.

PAN-116061 Fixed an issue where traffic traversing an IPSec tunnel did not use the
default maximum interface bandwidth, which caused latency for traffic
traversing the IPSec tunnel.

PAN-116002 Fixed an issue where an incorrect optimization could cause IP address-to-user
mapping to not update within 60 seconds.

PAN-115562 Fixed an issue where superuser CLI permissions for role-based administrators
did not match superuser privileges.


PAN-115093 Fixed an issue where the firewall generated excessive logs for content
decoder (CTD) errors.

PAN-114648 (PA-3200 Series firewalls only) Fixed an issue where the HA1 heartbeat
backup connection flapped due to ping failures caused by unavailable buffer
space when Heartbeat Backup was configured (Device > High Availability >
Election Settings).

PAN-111636 A fix was made to address OpenSSH issues (PAN-SA-2020-0002 /
CVE-2018-20685, CVE-2019-6109, and CVE-2019-6111).

PAN-102682 A fix was made to address an OS command injection vulnerability in
the management component of PAN-OS where an authenticated user
was able to potentially execute arbitrary commands with root privileges
(CVE-2020-2007).

PAN-100734 A fix was made to address a buffer overflow vulnerability in the PAN-OS
management interface where authenticated users were able to crash system
processes or execute arbitrary code with root privileges (CVE-2020-2015).

PAN-100415 A fix was made to address an external control of filename vulnerability in the
command processing of PAN-OS (CVE-2020-2003).

PAN-74442 Fixed an issue where, after enabling debugging on the dataplane, the debug
logs contained information about unrelated traffic.

PAN-OS 9.0.6 Addressed Issues
Issue ID Description

WF500-5343 Fixed an issue on WF-500 that caused cloud queries to fail when the cloud
verdict did not match the local verdict.

PAN-135141 Fixed an issue where the Log Processing Card (LPC) did not come up
intermittently in a fully loaded PA-7000 Series.

PAN-134242 (PA-7000b Series firewalls with Log Forwarding Cards (LFC) only) A
security fix was made to restrict improper communications to the LFC
(CVE-2019-17440/PAN-SA-2019-0040).

PAN-133883 Fixed an issue where a race condition caused pan_task and pan_com to exit
unexpectedly.

PAN-133491 Fixed an issue where Internet Protocol (IP) to user mappings were not synced
from the HUB virtual system (vsys) to the non-hub vsys.

PAN-133448 Fixed an issue where the mprelay process could crash during commit if the
devsrvr process was restarted before or during the commit.

PAN-133443 Fixed an issue where an XML API call incorrectly masked the response, which
prevented role-based administrators from running the response.

PAN-132501 Fixed an issue where after you switched the Context from Panorama™ to
a firewall, the DESTINATION ZONE (Policies > Security > <policy-name> >
Destination) incorrectly displayed none.

PAN-132104 Fixed an issue on Panorama M-Series and virtual appliances where the
<show><object><registered-ip></registered-ip></object></show>
XML API call did not retrieve more than 500 entries.

PAN-131939 Fixed an issue where DP crashed during file transfer due to one or more
content updates being installed.

PAN-130640 Fixed an issue where the management plane CPU on the firewall was high
due to index generation on summary logs.

PAN-130465 Fixed an issue where required fields were masked incorrectly in an XML API
call, which hid the response.

PAN-130073 Fixed an issue where a large number (65,000) of GlobalProtect™ user
connections caused a process (sslvpn) to stop responding after you upgraded
from PAN-OS® 8.1.10 to PAN-OS 8.1.11.

PAN-130069 Fixed an issue where the firewall incorrectly interpreted an external dynamic
list MineMeld instability error code as an empty external dynamic list.


PAN-129668 Fixed an issue on the firewalls where the dataplane restarted unexpectedly
when processing HTTP/2 traffic if packet-diag debugs were enabled.

PAN-129658 Fixed an issue where GTP inspection stopped functioning after unrelated
changes in policy and a commit followed by a high availability (HA) failover.
PAN-129441 Fixed an issue where the concurrent file limitation for WildFire® submissions
didn't work when the firewall had many files waiting to be uploaded, which
caused /opt/panlogs/wildfire/tmpfile to become full and destabilize
the firewall (for example, the process crashed or system logs were not
written).

PAN-129327 Fixed a rare timing window that caused an Internal packet path monitoring
failure.

PAN-129127 Fixed an issue where log export from maintenance mode failed with the
following error message: no ip address configured, can't export
logs even though the management interface Internet Protocol (IP) address
was configured.

PAN-128856 Fixed an issue where the disk usage calculation was getting corrupted and
purging logs.

PAN-128269 (PA-5250, PA-5260, and PA-5280 firewalls with 100GB AOC cables only)
Fixed an issue where after you upgraded the first peer in a high availability
(HA) configuration to a PAN-OS 9.0 release, the High Speed Chassis
Interconnect (HSCI) port did not come up due to an FEC mismatch until after
you finished upgrading the second peer.

PAN-128248 A fix was made to address a vulnerability with a race condition due
to an insecure creation of a file in a temporary directory in PAN-OS
(CVE-2020-2016).

PAN-127649 Fixed an issue where a purge script stopped responding, which caused a
process (logrcvr) to discard incoming logs.

PAN-127089 Fixed an intermittent issue where the default route did not redistribute to an
OSPF Not-So-Stubby Area (NSSA).

PAN-126882 A security fix was made to address an OpenSSL vulnerability


(CVE-2019-1547/CVE-2019-1563).

PAN-126627 Fixed an issue where a process (all_pktproc) stopped responding due to a


NULL pointer exception while cleaning up SSL proxy sessions previously
configured for GlobalProtect.

PAN-126283 Fixed an intermittent issue where after you configured Cache EDNS
Responses (Network > DNS Proxy > <DNS Proxy-name> > Advanced) a
process (dnsproxy) stopped responding.


PAN-126159 Fixed an issue where the firewall did not match the Security policy when you
configured the match condition to a shared local group.

PAN-125996 Fixed an issue on Panorama M-Series and VM-Series where the configd
process would crash.

PAN-125898 Fixed an issue where a process (openssl) caused higher than expected
management CPU usage due to the incompletion of the Online Certificate
Status Protocol (OCSP) during the logging service certificate validation.

PAN-125793 Fixed an issue where multiple No valid URL filtering license
warning messages were generated during a commit due to an expired URL
filtering license. With this fix, the warning messages are grouped into a single
message per virtual system (vsys).

PAN-125594 Fixed an issue where the configd process on a Panorama appliance had a
memory leak during commit operations.

PAN-125302 Fixed an issue where the real-time clock (RTC) battery voltage exceeded the
maximum threshold and triggered alerts in the system log.

PAN-125157 Fixed an issue on the firewalls where the rasmgr process restarted
unexpectedly when using third-party VPN clients to connect to
GlobalProtect.

PAN-125122 A fix was made to address a cleartext transmission of sensitive information
vulnerability in Palo Alto Networks PAN-OS and Panorama that disclosed
an authenticated PAN-OS administrator's PAN-OS session cookie
(CVE-2020-2013).

PAN-125018 Fixed an issue on Panorama M-Series and virtual appliances where, after you
configured the firewall with an API call, commits took longer than expected.

PAN-125017 (PA-7000b Series firewalls only) Fixed an issue where logs were unexpectedly
discarded.

PAN-124948 Fixed an issue where a null pointer (policy) dereference caused a crash.

PAN-124882 Fixed an issue where traffic logs that contained incorrect Security policies
were generated during an active commit process when the Security policies
were being added or removed.

PAN-124858 Fixed an issue on PA-220, PA-820, and PA-850 firewalls where Custom
Signatures caused the CTD memory depletion (OOM), which led to a
dataplane crash.

PAN-124781 Fixed an issue in Panorama where the Policies > Security web interface
flashed and the selected security rule did not stay selected when you made a
change to a rule that was part of a device group that included more than 200
rules.


PAN-124593 A fix was made to address a missing XML validation vulnerability in the
PAN-OS web interface (CVE-2020-1975).

PAN-124565 Fixed an issue where an out of memory condition caused commits to fail with
the following error: Error unserializing profile objects failed
to handle CONFIG_UPDATE_START.

PAN-124435 Fixed an issue where the firewall dropped pre-VLAN spanning tree (PVST+)
packets from the virtual wire interface when you executed the set session
rewrite-pvst-pvid yes CLI command.

PAN-124428 Fixed an issue where Address Resolution Protocol (ARP) randomly failed on
one of the interfaces for a firewall deployed in the KVM/GCP/ESXi clouds.

PAN-123857 Fixed an issue where HTTP/2 traffic inspection caused a software buffer leak
over time and affected decryption traffic.

PAN-123843 Fixed an issue for Cloud/VM platforms where the tunnels between the log
collectors did not come up when a public IP was used for the log collectors
in an environment with a Panorama management server and two or more log
collectors.

PAN-123747 Fixed an issue where App-ID™ signatures failed to match when there were
more than 12 partial App-ID matches within the same session.

PAN-123667 Fixed an issue where the snmpd process was crashing when polling for global
counters.

PAN-123661 A fix was made to address an authentication bypass vulnerability in the
Panorama context switching feature (CVE-2020-2018).

PAN-123322 (PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls running
PAN-OS 9.0.5 only) Fixed an intermittent issue where a process (all_pktproc)
stopped responding due to a Work Query Entry (WQE) corruption that was
caused by duplicate child sessions.

PAN-123306 Fixed an issue where the Dashboard did not display the release dates for
Application Version, Threat Version, and Antivirus Version.

PAN-123167 Fixed an issue where a process (mprelay) stopped responding.

PAN-122788 Fixed an issue where the firewall incorrectly logged target filenames when
an antivirus signature was triggered over a Server Message Block (SMB)
protocol.

PAN-122779 Fixed an issue where the firewall did not respond to TCP DNS requests when
the firewall acted as a DNS proxy.

PAN-122778 Fixed an issue where the routing daemon restarted due to a deadlock on the
path monitoring heartbeat processing, leading to a SIGABRT.


PAN-122565 Fixed an issue where a log collector with a dynamically assigned IP address
could not establish communication between other log collectors.

PAN-122455 Fixed an issue where the DHCP server incorrectly processed bootp unicast
flag requests.

PAN-122311 Fixed an issue where parent sessions were dropped when you installed a
duplicate predict session.

PAN-122181 (PA-3200 Series and PA-5200 Series firewalls only) Fixed an issue where
the firewall did not capture inbound Encapsulating Security Payload (ESP)
protocol 50 packets at the receive stage.

PAN-121917 (PA-800 Series and PA-220 firewalls only) Fixed an issue where the
hrProcessorLoad.2 OID displayed incorrect values.

PAN-121827 Fixed an issue where allow lists and auth profiles in multi-vsys systems would
not allow a user to be identified in user groups. Users would show as Not in
allow list because the multi-vsys (vsys1) was shown as vsys0.

PAN-121609 (PA-7000 Series firewalls using PA-7000-20G-NPC cards only) Fixed an issue
where the firewall restarted due to an internal path monitoring heartbeat
failure during periods of more than expected traffic load.

PAN-121484 (PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only) Fixed an
issue where the dataplane sent positive acknowledgments to predict-status
checks from FPP when the corresponding predict was deleted, which caused
SIP and RTSP applications to perform less than the expected achievable
performance.

PAN-121481 Fixed an issue where downloading the GlobalProtect app software on your
GlobalProtect portal took longer than expected.

PAN-121472 Fixed an intermittent issue where the dataplane stopped responding when
processing compressed traffic.

PAN-121374 Fixed an issue where Internet Protocol (IP) tags with timeouts generated alert
messages.

PAN-121184 Fixed an issue where the varrcvr process crashed due to memory corruption
issues.

PAN-121058 A fix was made to address a DOM-based cross site scripting vulnerability in
the PAN-OS and Panorama management web interfaces (CVE-2020-2017).

PAN-121022 Fixed an issue involving unexpected behavior within the GlobalProtect app
where the Active viewed Template does not populate when clicking the
hyperlink to trigger a redirect to the Template area and list.

PAN-120986 Fixed an issue where a process (routed) stopped responding when you
configured virtual interfaces.


PAN-120965 Fixed an issue where certificate revocation list (CRL) and Online Certificate
Status Protocol (OCSP) checks did not respond as expected when you
configured Block session if certificate status is unknown.

PAN-120909 Fixed an issue to improve the validation of certain field inputs in the web
interface.

PAN-120900 Fixed an issue on a firewall in a high availability (HA) active/passive
configuration where after you submitted a host information profile (HIP)
report a duplicate User-ID™ log was generated on the passive firewall.

PAN-120893 Fixed an issue where the Security Parameter Index (SPI) size was incorrectly
set in the IKE Phase 2 packet when you configured commit-bit on the
neighboring device, which caused IKE negotiations to fail on the neighboring
device.

PAN-120730 Fixed an issue where pushing a config bundle from Panorama M-Series to a
firewall failed with the following error: log-card -> iptag unexpected
here.

PAN-120701 Fixed an issue where URL filtering blocked web traffic by the security policy
that did not have URL filtering enabled.

PAN-120665 (PA-800 Series) Fixed an issue where the deployment of the Master Key
through the web interface failed.

PAN-120545 Fixed an issue on VM-Series firewalls where the ager ran faster than
expected, which prematurely caused the master key to expire.

PAN-120420 Fixed an issue in Panorama where you could not see Certificate Profile in the
drop-down when adding an HTTP Server Profile.

PAN-120397 A fix was made to address an external control of path and data vulnerability in
the Palo Alto Networks Panorama XSLT processing logic (CVE-2020-2001).

PAN-120351 Fixed an issue where the firewall caused unnecessary fragmentation when
traffic and tunnel were content inspected, which caused retransmission and
slowed response time.

PAN-120300 Fixed an issue where you were unable to view DHCP leases from the web
interface or through the show dhcp server lease interface all CLI
command due to the request taking longer than expected, which resulted in a
time out.

PAN-120157 Fixed an issue where temporary files created on a firewall during an API call
execution were not properly cleaned up, leading to increased disk space
usage.

PAN-120106 Fixed an issue where Panorama did not send correlation events and logs to
the syslog server after you upgraded the firewall from PAN-OS 8.0.9 to
PAN-OS 8.1.7.


PAN-120005 Fixed an issue where the firewall incorrectly forwarded incomplete and
corrupted files through the Server Message Block (SMB) protocol to WildFire.
This fix requires content release version 8219 or a later version.

PAN-119950 Fixed an issue on a firewall in a high availability (HA) active/passive
configuration where a process (flow_ctrl) restarted after receiving a
malformed ICMPv6 neighbor advertisement packet.

PAN-119922 Fixed an issue in Panorama where the show config diff command was
not working correctly and produced unexpected output.

PAN-119822 Fixed an issue where you were not redirected to the application URL after
authentication.

PAN-119820 Fixed an issue where the firewall incorrectly calculated the TCP segment size
when performing forward proxy decryption.

PAN-119819 Fixed an issue where Discover (Device > User Identification > User Mapping
> Server Monitoring) stopped responding after you configured a DNS proxy.

PAN-119818 Fixed an issue where corrupt logs caused buffered log forwarding to stop
responding.

PAN-119801 Fixed an issue where the firewall web interface did not display the BGP MED
attribute value in the BGP Rib-Out tab (Virtual Routers > More Runtime
Stats).

PAN-119550 Fixed an issue on Panorama M-Series and virtual appliances where
communication between two processes (mgmtsrvr and logd) stopped
responding.

PAN-119545 Fixed an issue where updates (including WildFire, antivirus, and so on) were
intermittently failing.

PAN-119452 An enhancement was made to improve subsequent loading times of device
groups after the first load.

PAN-119349 Fixed an issue on Panorama M-Series and virtual appliances where custom
reports from the User-ID log displayed the incorrect receive date.

PAN-119343 Fixed an issue where a daemon (dnsproxy) incorrectly handled TCP requests,
which caused the daemon (dnsproxy) to stop responding.

PAN-119047 Fixed an issue where local user group names that contained upper case
characters were not converted to lower case characters prior to encoding,
which caused the firewall not to load user groups names with upper case
characters.

PAN-119046 Fixed an issue where moving multiple rules in Panorama using the Move All
rules in Group and Move rules in group to different rule base group actions
caused the rules to move in a reversed order.


PAN-118991 Fixed an issue in Panorama where on a high availability (HA) pair working
in legacy mode, the following error message displayed in the system log:
Panorama has lost connection to its peer, no log will be
forwarded.

PAN-118957 A fix was made to address an authentication bypass spoofing vulnerability in
the authentication daemon and User-ID components of Palo Alto Networks
PAN-OS (CVE-2020-2002).

PAN-118851 Fixed an issue where the BGP Conditional Advertisement suppress condition
was not met, which caused the Conditional Adv (Network > Virtual Routers >
<router-name> > BGP) not to apply the NEXT HOPS prefix range.

PAN-118777 Fixed an issue on a firewall in a high availability (HA) active/active
configuration where larger than expected packet sizes were silently dropped
when traversing through an HA3 link in an asymmetric network.

PAN-118436 (PA-5200 Series firewalls only) Fixed an issue where applications using the
GlobalProtect Clientless VPN did not respond when the Clientless VPN used
a VLAN interface.

PAN-118413 (PA-5200 Series firewalls only) Fixed an issue where the show system
logd-quota CLI command did not display the Session log storage Quotas as
expected.

PAN-118259 Fixed an issue where you were unable to generate WildFire analysis reports
in the WildFire Submissions log when you configured Proxy Server (Device >
Setup > Services > Global).

PAN-118249 Fixed an issue where traffic logs and URL Filtering logs did not display the
URL for decrypted traffic.

PAN-118207 Fixed an issue where the Security Assertion Markup Language (SAML) for
GlobalProtect did not respond as expected when you configured the IdP
certificate as None on the SAML IdP server profile.

PAN-118108 Fixed an issue where an API call against a Panorama management server,
which triggered the request analyze-shared-policy command,
caused Panorama to reboot after you executed the command.

PAN-118091 Fixed an issue where application dependency warnings were displayed after
a commit when the policy rules containing the dependent applications used
different sources (one used user and the other used groups).

PAN-118090 Fixed an issue on Panorama M-Series and virtual appliances where User
Activity Report (Monitor > PDF Reports) did not generate reports as
expected.

PAN-118075 Fixed an issue where the BGP conditional advertisement did not respond as
expected, which caused the prefix in the Advertise Filters (Network > Virtual
Router > BGP > Conditional Adv) to be incorrectly advertised.


PAN-118050 Fixed an issue where some packets had incorrect timestamps in the transmit
stage during packet capture.

PAN-117987 Fixed an issue where the firewall did not exclude video traffic from the
GlobalProtect tunnel when you configured Exclude video traffic from the
tunnel (Windows and macOS only) (Network > GlobalProtect > Gateways >
<gateway-name> > Agent > Video Traffic).

PAN-117969 An enhancement was made to enable administrators to select signature and
digest algorithms for outgoing Security Assertion Markup Language (SAML)
messages through a CLI command.

PAN-117774 Fixed an issue where the dataplane stopped responding due to incorrect
parsing of cookies for GlobalProtect Clientless VPN applications.

PAN-117736 Fixed an issue on a firewall in a high availability (HA) active/active
configuration where virtual MAC addresses pushed from Panorama were
overridden on the local firewall.

PAN-117561 Fixed an issue in Panorama where Packet Capture was enabled with
extended-capture (Objects > Security Profiles > Anti-Spyware) for DNS
signatures, but the setting was not pushed to firewalls running PAN-OS 8.1.

PAN-117479 A fix was made to address a vulnerability with the Nginx web server included
with PAN-OS (CVE-2017-7529).

PAN-117463 Fixed an issue where the firewall did not release the default DHCP route
when a new IP address was obtained on a DHCP configured interface.

PAN-117446 Fixed an issue where GlobalProtect authentication failed when you used the
domain in the group mapping and a User Principal Name (UPN) format for
authentication.

PAN-117276 Fixed an issue on a firewall in a high availability (HA) active/active
configuration where the names of the virtual routers were pushed from the
active-primary firewall to the active-secondary firewall when you synced the
configuration, which caused schema verification to stop responding when you
did a local commit on the active-secondary firewall.

PAN-117251 Fixed an issue where vsysadmins were unable to view the locks on all the
virtual systems they were assigned to. To view the locks in CLI run the
new show commit-locks vsys and show config-locks vsys CLI
commands.

PAN-117167 Fixed an issue where a process (configd) exceeded the memory limit and
stopped responding.

PAN-116889 Fixed an issue where you were unable to establish an SSH session through a
CLI command using a Diffie-Hellman (DH) algorithm.


PAN-116841 Fixed an issue where commits failed when address objects were used in static
route configurations.

PAN-116615 Fixed an issue where authentication failed for newly added groups in the
authentication profile Allow List.

PAN-116383 Fixed an issue with Panorama on AWS where the configuration of the high
availability (HA) pair became out of sync due to different plugin versions
being detected even though the same versions were installed on both peers.

PAN-116355 (PA-5200 Series firewalls only) Fixed an issue on a firewall in a high
availability (HA) active/passive configuration where an HA1 heartbeat
backup connection flap occurred and displayed the following error message:
ha_ping_send/No buffer space available.

PAN-116173 Fixed an intermittent issue on a firewall in a high availability (HA) active/
passive configuration where traffic interruptions occurred until you triggered
a manual failover.

PAN-116100 Fixed an issue where a process (mprelay) stopped responding and invoked
an out-of-memory (OOM) killer condition and displayed the following error
messages: tcam full and pan_plfm_fe_cp_arp_delete.

PAN-115875 Fixed an issue where a PA-7080b HA pair rebooted when large sized packet
traffic impacted the front panel ports of the Log Forwarding Card (LFC).

PAN-115238 Fixed an issue where SSL renegotiation sessions incorrectly identified URL
categories.

PAN-115018 Fixed an issue where the firewall was unable to access the CPU information
and caused the CPU frequency to set to 0, which resulted in a divide by zero
error and caused a process (devsrvr) to stop responding.

PAN-114966 Fixed an issue where trunk interfaces were not working on Hyper-V.

PAN-114784 Fixed an issue where a process (devsrvr) stopped responding after you
pushed a configuration from Panorama to a firewall.

PAN-114438 Fixed an issue where the system log incorrectly reported intermittent
certificate revocation list (CRL) fetches as successful even though the fetches
were not successful.

PAN-114197 Fixed an issue where a configured certificate profile was not visible from
the web interface in Network > Network Profiles > IKE Gateways > Add >
General > Certificate Profile.

PAN-113144 Fixed an issue where BGP peers were not enabled when transitioning from
Active/Passive to Active/Active or Active/Active to Active/Passive config on
both IPv4 and IPv6 peer groups.

PAN-112145 Fixed an intermittent issue where a process (useridd) incorrectly reported
successful Ops commands and did not download Dynamic Address Group
updates, which prevented virtual machines from updating Dynamic Address
Groups.

PAN-111650 Fixed an issue where a process (mgmtsrvr) stopped responding when another
process (masterd) sent a signal interruption after you upgraded from a
PAN-OS 9.0 release to a PAN-OS 9.1 release.

PAN-111333 An enhancement was made to increase the pattern match limit to recognize
applications and threats accurately.

PAN-111135 Fixed an issue where Panorama displayed incorrect device monitoring values
(Panorama > Managed Devices > Health) for the firewall.

PAN-109528 Fixed an issue where an old GPRS tunneling protocol (GTP) event was
unexpectedly freed when an update message arrived, causing a crash.

PAN-109406 Fixed an issue where the firewall restarted when you unplugged the QSFP+
module from the High Speed Chassis Interconnect (HSCI) port.

PAN-108992 A fix was made to address an improper authorization vulnerability in PAN-OS
(CVE-2020-1998).

PAN-107358 Fixed an issue where a firewall had a race condition in the error handling code
in the write thread, causing memory corruption in the sslmgr session cache
ring buffer.

PAN-105763 An enhancement was made to enable you to set the signing algorithm to
sha-1 or sha-256 in the Security Assertion Markup Language (SAML) message
on the firewall.

PAN-100946 Fixed an issue where VM-Series firewalls were unable to support the
maximum number of tunnel interfaces due to less than expected memory
allocation.

PAN-95651 (PA-3200 Series firewalls only) Fixed an issue where incomplete core dump
files were generated during dataplane process crashes, making the crash
analysis difficult.

PAN-71148 Fixed an issue on Panorama where the ACC tab would not show data for the
period before the daylight saving time (DST) change.

PAN-OS 9.0.5-h3 Addressed Issues
Palo Alto Networks made this PAN-OS® 9.0.5-h3 release available specifically for PA-7000
Series (PA-7000b with SMC-B) firewall customers who have the Log Forwarding Card (LFC)
installed.

Issue ID Description

PAN-134242 (PA-7000 Series (PA-7000b with SMC-B) firewalls with Log
Forwarding Cards (LFC) only) Fixed an issue related to incorrect
restrictions on communications to the LFC.

PAN-114784 Fixed an issue where a process (devsrvr) stopped responding
after you pushed a configuration from Panorama™ to a firewall.

PAN-111333 An enhancement was made to increase the pattern match limit
to recognize applications and threats accurately.

PAN-OS 9.0.5 Addressed Issues
Issue ID Description

WF500-5137 Fixed an issue where the show wildfire global last-device-registration
all CLI command incorrectly returned an error message: Failed, even when
you registered the firewall correctly.

PAN-128561 Fixed an issue where a process (all_pktproc) stopped
responding after you upgraded the firewall to PAN-OS® 9.0.4.

PAN-128324 (PA-7000 Series firewalls only) Fixed an issue where internal
path monitoring failures occurred due to either a buffer leak or
buffer corruption.

PAN-127932 Fixed an issue where the REST API reference did not display
the web browser documentation, which resulted in an error
when running a PAN-OS 9.0.4 release.

PAN-127807 Fixed an issue on Panorama™ M-Series and virtual appliances
where a process (configd) stopped responding when you
performed a commit to a large number of firewalls.

PAN-127189 Fixed an issue where images displayed through the Clientless
VPN were corrupted.

PAN-126921 (PA-7000 Series firewalls only) Fixed an issue where internal
path monitoring failed when the firewall processed corrupt
packets.

PAN-126697 Fixed an HTTPD issue with PHP where it leaked memory.

PAN-126547 Fixed an issue where a process (configd) stopped responding
when an XML API call with type=config&action=get
triggered during a commit.

PAN-126534 (PAN-OS 8.1.10 and later releases only) Fixed an issue where
the data from Security policies did not export as expected.

PAN-126354 Fixed an issue where log in and commits took longer than
expected when you used XML API calls to create new address
objects.

PAN-125933 Fixed an issue where the receiving firewall deleted the host
information profile (HIP) report due to the report containing the
same IPv4 address in the IP and IP2 fields and caused a process
(useridd) to stop responding.

PAN-125833 Fixed an issue on a firewall in a high availability (HA) active/passive
configuration where a daemon (routed) did not receive the updated interface
status after an HA failover, which caused routes to remain in the routing and
FIB tables.

PAN-125775 Fixed an issue where Panorama management servers deployed
using the C5 or M5 instance types on Amazon Web Services
(AWS) caused the Panorama instance to stop responding in
regions that supported these instance types.

PAN-125517 An enhancement was made to improve firewall performance for
stream control transmission protocol (SCTP) flows. To enable
this enhancement, run the set sctp fast-sack yes CLI
command.

PAN-125515 Fixed an issue on VM-Series firewalls where the firewall
dropped all traffic traversing from the dataplane to the
management plane.

PAN-125478 Fixed an issue on a firewall in an HA active/passive
configuration where the route to the passive firewall dropped
during a failover.

PAN-125452 Fixed an issue where the firewall did not list registered
addresses from the Dynamic Address Group when the same IP-
tag information was received from two sources, which caused
the traffic flow to stop responding as expected.

PAN-125346 An enhancement was made to enable you to configure IPv6
in the web interface and through a CLI command when you
added IPv6 virtual addresses to a firewall in an HA active/active
configuration.

PAN-125121 (VM-Series firewalls only) Fixed an issue where custom images
did not function as expected for PAN-OS 9.0.

PAN-125069 An enhancement was made to enable you to delete the GTP-C
tunnel with all GTP-U tunnel sessions after the firewall received
a Delete Bearer Response message where default bearer ID=5.
To enable this enhancement, run the set gtp ebi5-del-gtpc [yes/no] CLI
command.

PAN-124996 Fixed an issue where a GlobalProtect™ daemon (rasmgr)
stopped responding when you connected with an overlapping
IPv6 address, which caused subsequent GlobalProtect
connections to fail.

PAN-124890 Fixed a configuration lock issue where you were unable to log
in after you upgraded from PAN-OS 8.1.6 to PAN-OS 8.1.9.

PAN-124630 Fixed an issue where new logs were not ingested due to
a buffer exhaustion condition caused by invalid messages
incorrectly handled by elastic search.


PAN-124481 Fixed an issue where the dataplane stopped responding when
SMTP sessions were used.

PAN-124299 Fixed an issue on VM-Series firewalls in an HA active/passive
configuration where the active firewall leaked packet buffers
when links were disconnected from the hypervisor.

PAN-123850 (PA-5200 and PA-7000 Series firewalls only) Fixed an issue
where conflicting GTP sessions were installed in a short interval,
which caused the firewall to queue GTP packets and deplete
packet buffers.

PAN-123600 Fixed an issue where the firewall was unable to establish
a connection to the DNS Security feature domain
(dns.service.paloaltonetworks.com) when the firewall could not
connect with the primary DNS server but could connect with
the secondary DNS server.

PAN-123446 Fixed an issue where an administrator with a Superuser role
could not reset administrator credentials.

PAN-123362 Fixed an issue where the firewall used more than expected
virtual memory when you decreased the maximum elastic
search heap size.

PAN-123190 Fixed an issue on a firewall in an HA active/passive
configuration where a process (useridd) restarted multiple times
and caused the firewall to reboot.

PAN-123030 Fixed an issue with a memory leak associated with a process
(mgmtsrvr) when you pushed a commit.

PAN-122662 (PA-5260 firewalls only) Fixed an issue where a process
(mpreplay) stopped responding after a commit when you
configured the firewall with more than 200 virtual systems
(vsys) running on PAN-OS 8.1.9.

PAN-122601 Fixed a memory leak issue with a process (configd) when you
performed device group related operations.

PAN-122550 Fixed an issue where VM-Series firewalls on Microsoft Azure
experienced traffic latency due to an incompatible driver.

PAN-121945 Fixed an issue on Panorama M-Series and virtual appliances
where after you deployed the firewall in Google Cloud the
Panorama serial console stopped responding.

PAN-121911 Fixed an issue where a process (logrcvr) restarted during
commits.


PAN-121667 Fixed an issue where traffic incorrectly matched Security
policies when configured static address groups and FQDN IP
addresses on Security policies overlapped.

PAN-121523 Fixed an issue where an API call triggered memory errors, which
caused a process (configd) to stop responding and triggered
SIGABRT logs.

PAN-121447 Fixed an issue where the BGP did not remove the IPv6 default
route from the forwarding table after the route was withdrawn.

PAN-121133 Fixed an issue on Panorama M-Series and virtual appliances
where a validation job triggered a memory leak in a process
(configd), which caused context switching between Panorama
and the web interface to respond slower than expected.

PAN-121001 Fixed an issue where the firewall only reported a maximum
of two logs when you configured more than two hardware
security modules (HSM).

PAN-120901 Fixed an issue on Panorama M-Series and virtual appliances
where partial commits did not apply configuration changes as
expected.

PAN-120361 Fixed an issue on Panorama M-Series and virtual appliances
where objects were not compressed, which caused higher than
expected CPU and memory usage.

PAN-120287 Fixed a JavaScript error due to an incorrect HTTP response,
which prevented GlobalProtect Clientless VPN applications from
loading.

PAN-120151 Fixed an issue where the DNS packet parser incorrectly
processed DNS packet headers when the QD count is 0. With
this fix, the DNS packet parser aborts further processing when
QD != 1.

PAN-119765 Fixed an intermittent issue where the firewall dropped sessions
that used a large number of predict sessions.

PAN-119680 Fixed a rare issue where the show running CLI commands for
policy addresses caused file descriptor leaks.

PAN-119289 Fixed an issue on Panorama M-Series and virtual appliances
where you were unable to query Cortex™ Data Lake by the
serial number filter.

PAN-119225 Fixed an issue where an inaccurate sequence number check for
an RST packet caused the packet to drop.


PAN-119185 Fixed an issue where a process (panio) caused more than
expected CPU consumption.

PAN-119172 Fixed an issue where the firewall incorrectly enforced URL
category policies and erroneously triggered alert instead of
block.

PAN-118985 Fixed an issue on Panorama M-Series and virtual appliances
where a process (configd) experienced high memory utilization
and a memory leak condition, which caused slower than
expected performance.

PAN-118881 Fixed an issue where the user domain information was missing
from the user IP mapping entry when you configured Allow
Authentication with User Credentials or Client Certificate
to Yes while using a client certificate for GlobalProtect
authentication.

PAN-118783 Fixed an intermittent issue where a daemon (dnsproxy) stopped
responding when you configured an HTTP proxy on the
firewall.

PAN-118762 Fixed an issue where the GlobalProtect portal used an outdated
jQuery library.

PAN-118720 Fixed an issue on a firewall in an HA active/active configuration
where Oracle traffic SYN packets dropped intermittently with
the flow_fpp_owner_err_no_predict counter.

PAN-118628 Fixed an issue where after you deployed Panorama in Azure,
you were unable to log in to Panorama with the username and
password that was provided during the deployment process.

PAN-118583 Fixed a memory allocation issue that prevented URL filtering
logs from displaying the full URL.

PAN-118430 Fixed an issue where pushed template configurations were
overridden when you made a configuration change in the
Master Key Lifetime (Device > Master Key and Diagnostic >
Edit) field.

PAN-118370 Fixed an issue where the firewall displayed incorrect application
dependency warnings during commits when a Security policy
used a wildcard address.

PAN-118277 Fixed an issue where the firewall stopped responding due to a
race condition.

PAN-118256 Fixed an issue where a DNS Security signature response from a
cloud service caused a daemon (dnsproxyd) to stop responding.


PAN-118183 Fixed an issue where a process (dnsproxyd) stopped responding
due to higher than expected CPU usage.

PAN-118180 Fixed an issue on firewalls configured with authentication
policies where UDP and ICMP packets matching an
authentication policy did not generate traffic logs as defined in
the Security policy when sessions were redirected or denied.

PAN-118057 Fixed an issue on a firewall in an HA active/passive
configuration where a process (all_pktproc) stopped responding
and the dataplane restarted, which caused an internal path
monitoring failure and an HA failover event.

PAN-118055 Fixed an issue where administrators were unable to export
Security Assertion Markup Language (SAML) metadata files
from virtual system (vsys) specific authentication profiles.

PAN-117959 Fixed an issue where LDAP authentication failed when you
configured the authentication server with an FQDN.

PAN-117907 Fixed an issue where the date and time provided for a request
license information output did not match the show clock output
provided by the NTP server.

PAN-117900 Fixed an issue where commits failed when you moved an object
referenced in a policy to a shared group.

PAN-117888 Fixed an issue where the firewall was unable to detect the
hardware security module (HSM), which caused the firewall to
drop SSL traffic.

PAN-117878 Fixed an issue where you were unable to add a service
definition to the NSX manager and the following error message
displayed: Failed to create object service-definition. Ret code
is 400.

PAN-117835 Fixed an intermittent issue where a process (all_pktproc)
stopped responding, which caused a heartbeat failure and the
firewall to drop LACP and OSPF connections.

PAN-117738 (PA-3050 and PA-3060 firewalls only) Fixed an issue where a
higher than expected number of flow_fpga_flow_update
messages occurred when you configured QoS.

PAN-117727 Fixed an issue where job threads were deadlocked, which
prevented log in attempts and displayed the following error
message: CONFIG_LOCK: write lock TIMEDOUT for
cmd.

PAN-117384 Fixed an issue on Panorama M-Series and virtual appliances
where the connection between Panorama and managed
firewalls timed out when you upgraded PAN-OS 9.0.0 to PAN-OS 9.0.1
and displayed the following error message: Error -
time out sending/receiving message.

PAN-117303 Fixed an issue where the BGP aggregate prefix, which is
advertised to multiple BGP peers, was removed from RIB OUT
when you disabled one of the BGP peers.

PAN-117120 Fixed an issue on Panorama M-Series and virtual appliances
where a process (configd) restarted due to virtual memory
issues.

PAN-117086 Fixed an issue where community attributes to BGP routes had
a character limit of 31 characters, which caused expressions to
take longer than expected to process.

PAN-117068 Fixed an issue on Panorama M-Series and virtual appliances
where memory utilization increased more than expected when
you deleted several rules with an XML API delete command.

PAN-116977 Fixed an issue on VM-Series firewalls where you could not
upgrade to PAN-OS 9.0.1 or a later release with a pre-licensed
firewall.

PAN-116949 Fixed a memory leak issue with a process (mprelay), which
caused the dataplane to restart.

PAN-116903 Fixed an issue on Panorama M-Series and virtual appliances
where you were unable to configure Enable X-Auth Support
(Network > GlobalProtect > Gateways > Template >
<Template-stack> > Agent > Tunnel Settings) at the Template-
stack level.

PAN-116772 Fixed an issue where the firewall sent empty attributes in the
LDAP query when you did not configure Alternate Username 1
- 3 (Device > User Identification > Group Mapping Settings >
<group-name> > User and Group Attributes) in the User
Attributes web interface.

PAN-116708 Fixed an issue where administrators were unable to export
policies and objects in PDF format.

PAN-116611 Fixed an issue where an API call for correlated events did not
return any events.

PAN-116473 Fixed an issue where the firewall logged URL categories
configured for Allow in the URL filtering logs.

PAN-116334 Fixed an issue where a process (mgmtsrvr) leaked memory
caused by SNMP traps.


PAN-116286 Fixed an issue where commits failed after you upgraded from
PAN-OS 8.0.16 to PAN-OS 8.1.6 due to an invalid encryption
state for a host information profile (HIP) object.

PAN-116274 Fixed an issue where the firewall was unable to authenticate
when you pushed a public key from Panorama.

PAN-116189 Fixed an issue where Session Initiation Protocol (SIP) calls failed
and displayed the following error message: end-reason:
resources-unavailable.

PAN-115990 Fixed an issue where the FQDN address object (Policy >
Security > <address-object> > Value) displayed the following
unrelated error: <FQDN-name> Not used.

PAN-115959 Fixed an issue where DNS names with more than 63 characters
did not resolve FQDN address objects during an FQDN refresh.
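Two of the entries above, PAN-120151 (the DNS packet parser now aborts when QD != 1) and PAN-115959 (DNS names longer than 63 characters failed to resolve), turn on details of the DNS wire format that are easy to get wrong: RFC 1035 limits each label to 63 octets and the whole encoded name to 255 octets, and the header's QDCOUNT only promises a question section when it is 1. The following Python is an added illustration written for this page, not Palo Alto Networks' code and not the firewall's parser; it encodes names with the correct per-label limit and parses a header with the strict QDCOUNT check the release note describes. All function and class names are the example's own, and the sample messages are constructed inline.

```python
import struct

DNS_HEADER_LEN = 12
MAX_LABEL_LEN = 63   # RFC 1035: each label is at most 63 octets
MAX_NAME_LEN = 255   # RFC 1035: a whole wire-format name is at most 255 octets


class DnsParseError(ValueError):
    """Raised when a message is rejected before any further processing."""


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS wire format, applying the RFC 1035 limits.

    The 63-octet limit applies per label, not to the whole name: a 133-character
    hostname made of short labels is valid, which is the distinction a resolver
    that refuses names longer than 63 characters (PAN-115959) gets wrong.
    """
    stripped = name.rstrip(".")
    labels = stripped.split(".") if stripped else []
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= MAX_LABEL_LEN:
            raise DnsParseError(f"label {label!r} is not 1..{MAX_LABEL_LEN} octets")
        out.append(len(raw))
        out += raw
    out.append(0)  # the zero-length root label terminates the name
    if len(out) > MAX_NAME_LEN:
        raise DnsParseError(f"encoded name exceeds {MAX_NAME_LEN} octets")
    return bytes(out)


def name_is_encodable(name: str) -> bool:
    """True when encode_name accepts the name."""
    try:
        encode_name(name)
        return True
    except DnsParseError:
        return False


def parse_header(msg: bytes) -> dict:
    """Parse the 12-octet header and stop unless QDCOUNT is exactly 1.

    This mirrors the post-fix rule stated for PAN-120151: a header whose QDCOUNT
    is 0 (or anything other than 1) is rejected instead of being walked as if a
    question section followed it.
    """
    if len(msg) < DNS_HEADER_LEN:
        raise DnsParseError("truncated header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:DNS_HEADER_LEN])
    if qd != 1:
        raise DnsParseError(f"QDCOUNT={qd}, expected 1; aborting parse")
    return {"id": ident, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def parse_question(msg: bytes) -> tuple:
    """Return (qname, qtype, qclass) for the single question the header promised."""
    parse_header(msg)  # raises before any question bytes are touched
    pos = DNS_HEADER_LEN
    labels = []
    while True:
        if pos >= len(msg):
            raise DnsParseError("truncated question name")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length > MAX_LABEL_LEN:
            # 0xC0.. would be a compression pointer; this example does not
            # accept pointers inside the question name
            raise DnsParseError(f"label length {length} exceeds {MAX_LABEL_LEN}")
        if pos + length > len(msg):
            raise DnsParseError("label runs past end of message")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(msg):
        raise DnsParseError("truncated qtype/qclass")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def message_is_acceptable(msg: bytes) -> bool:
    """True when the header and question section pass every check above."""
    try:
        parse_question(msg)
        return True
    except DnsParseError:
        return False


def build_query(name: str, qtype: int = 1, ident: int = 0x1234, qdcount: int = 1) -> bytes:
    """Build a query (constructed sample input; qdcount is overridable to forge a bad header)."""
    header = struct.pack("!6H", ident, 0x0100, qdcount, 0, 0, 0)  # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


if __name__ == "__main__":
    long_name = "a" * 60 + "." + "b" * 60 + ".example.com"  # 133 chars, every label <= 63
    print(parse_question(build_query(long_name)))
    print(message_is_acceptable(build_query("example.com", qdcount=0)))  # False
```

The strict QDCOUNT == 1 rule is the firewall's stance as the note states it; a general-purpose resolver would need to tolerate other values in some message types, so treat the check as an inspection-path rule rather than a protocol rule.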

PAN-115890 Fixed an issue where the show system info CLI command
incorrectly displayed VMware ESXi as VMWare ESXi.

PAN-115879 Fixed an issue on a firewall where a bypass switch sent
heartbeat messages to the firewall, which triggered non-stop
link status change interrupts through a Marvell switch.

PAN-115697 Fixed CVE-2019-17437, see PAN-SA-2019-0038 for details.

PAN-115549 Fixed an issue where predict sessions were incorrectly created
with a captive-portal zone, which caused the firewall to
drop RTP traffic.

PAN-115349 Fixed an issue where an incorrect predict session was created
when a policy-based forwarding (PBF) policy was used without
a NAT in the parent session, which caused the firewall to drop
RTP and RTCP packets.

PAN-115344 Fixed an issue where the Username Modifier %USERDOMAIN%\%USERINPUT%
enabled you to log in to a locked out user account.

PAN-115340 Fixed an issue on a firewall in an HA active/passive
configuration where the passive firewall experienced higher
than expected dataplane CPU usage caused by HA IPSec
messages bouncing between dataplanes.

PAN-115282 Fixed an issue where temporary download files were deleted
before a download job was completed, which caused the
progress bar to remain at 0% and prevented a timeout when
downloads fail.


PAN-115281 Fixed an issue where the firewall did not resolve an external
dynamic list server address when that address was configured as a
static entry in the DNS proxy.

PAN-115110 An enhancement was made to enable you to configure syslog
parameters through the CLI debug command. To view the
available parameters and change the configurations, run the
debug syslogng-params settings CLI command and
perform a commit force to apply the edits.

PAN-115108 Fixed an issue on Panorama M-Series and virtual appliances
where scheduled uploading and installation of WildFire®
content meta files to WF-500 appliances failed and displayed
the following error message: device not supported.

PAN-114880 Fixed an issue where the debug management-server
summary-logs flush-options max-keys CLI command
did not persist through a system reboot.

PAN-114771 Fixed an issue on Panorama M-Series and virtual appliances
where Decrypt Mirror (Objects > Decryption > Decryption
Profile > <Device Group-name>) did not appear in the Interface
drop-down menu when you tried to configure a Decryption
Profile.

PAN-114667 Fixed an issue on a firewall in an HA active/passive
configuration where a split-brain condition occurred after you
upgraded from PAN-OS 8.1.3 to PAN-OS 8.1.6.

PAN-114628 Fixed an issue where Panorama was unable to query logs
forwarded from the firewall to the log collector.

PAN-114540 Fixed an issue where renaming a template stack did not take
effect and the name reverted to its original value after you committed
the change.

PAN-114456 Fixed an issue where extended packet capture (pcap) for threat
logs caused a process (mgmtsrvr) to stop responding.

PAN-114270 Fixed an issue where the firewall dropped TCP trace route
traffic after you upgraded to PAN-OS 8.1.5. To leverage this
fix, run the set session tcp-reject-diff-syn no CLI
command.

PAN-114247 Fixed an issue where a larger than expected number of
Could not find entry for interface ethernet1/
<interface>.<subinterface> in CPS table messages filled the
snmpd.log, which caused the log file to rotate more frequently
than expected.


PAN-113610 Fixed an issue where Panorama incorrectly deleted valid device
group directories and was unable to generate reports.

PAN-113606 Fixed an issue where the Throughput column (Panorama >
Managed Devices > Health) was incorrectly labeled.

PAN-113261 (PA-5200 Series firewalls only) Fixed an issue where the total
entries for the URL filtering allow list, block list, and custom
categories were incorrectly set to an entry limit value other
than 100,000.

PAN-113162 Fixed an issue where you were unable to create shared URL
filtering profiles from the Panorama web interface.

PAN-112661 Fixed an issue where you were unable to access a firewall due
to a defective small form-factor pluggable (SFP)/SFP+ module
inserted into the firewall.

PAN-111544 Fixed an issue on Panorama M-Series and virtual appliances
configured as log collectors where SSH did not respond after
you enabled SSH on ethernet1/1.

PAN-110685 Fixed a rare issue where an incorrect User-ID™ match to the
respective LDAP group caused a security policy mismatch.

PAN-110098 Fixed an issue on a firewall in an HA active/passive
configuration where you were unable to synchronize
configurations or dynamic updates between HA pairs.

PAN-109874 Fixed a memory leak issue on a firewall during a commit, which
prevented the firewall from generating GlobalProtect client
configurations.

PAN-108876 Fixed an issue where the firewall dropped Session Initiation
Protocol (SIP) registration packets, which caused SIP sessions to
fail.

PAN-108373 Fixed an issue where an application dependency warning
incorrectly displayed when you configured negate-source
yes on a security rule to deny an application.

PAN-108012 Fixed an issue on Panorama M-Series and virtual appliances
where you could not add and generate a certificate as expected.

PAN-106434 Fixed an issue where a process (keymgr) stopped responding
due to missed heartbeats, which caused IPSec tunnels to stop
responding.

PAN-102195 Fixed an issue where the firewall did not detect all threat
sessions while the App and Threat content installation was
processed.


PAN-100977 (VM-Series NSX edition firewalls only) Fixed an issue where
the existing logs for dynamic address updates had insufficient
information to debug the root cause of an issue and where
the dynamic address update logs were larger than expected,
which caused the file to roll over every five minutes and did not
provide a sufficient log history to debug issues.

PAN-OS 9.0.4 Addressed Issues
Issue ID Description

- (Microsoft Azure only) Updates to support changes in Azure
Accelerated Networking (AN).

WF500-4785 Fixed a rare issue on WF-500 appliances where the firewall did
not respond after you upgraded the appliance from a PAN-OS®
8.0.1 release to a PAN-OS 8.0.10 or later release. With this fix,
you can run the new debug software raid fixup auto
CLI command to recover the RAID controller.

PAN-124658 Fixed an issue where the timer system call activated more
frequently than expected, which caused higher than expected
CPU usage.

PAN-123371 Fixed an issue where the WildFire® Analysis Report incorrectly
displayed the following error message: You are not
authorized to access this page on the web
interface.

PAN-123079 Fixed an intermittent issue where after a configuration change,
a commit caused the dataplane to stop responding.

PAN-122804 Fixed an issue on Panorama™ M-Series and virtual appliances
where the firewall stopped forwarding logs to Cortex™ Data
Lake after you upgraded the cloud services plugin to 1.4.

PAN-122489 (Microsoft Azure only) Fixed an issue where VM-Series firewalls
incorrectly renamed (to eth) interfaces connected to Mellanox
appliances when Accelerated Networking was enabled on the
firewall.

PAN-122004 (PA-5200 Series firewalls only) Fixed an issue where the Quad
Small Form-factor Pluggable (QSFP) 28 ports 21 and 22 did not
respond when plugged in with a Finisar 100G AOC cable.

PAN-121449 Fixed an issue where Remove Config (Panorama > Plugins) did
not remove the configuration for any plugins you have set up
on Panorama.

PAN-121185 Fixed an intermittent issue where domains were not
normalized, which caused an incorrect verdict response.

PAN-120662 (PA-7000 Series firewalls using PA-7000-20G-NPC cards only)
Fixed an intermittent issue where an out-of-memory (OOM)
condition caused the dataplane or internal path monitoring to
stop responding.


PAN-120548 Fixed an issue where the Captive Portal request limit was
ignored when you configured the Captive Portal authentication
method to browser-challenge.

PAN-120409 (PA-7000 Series firewalls only) Fixed an issue where firewalls
running a 20G Network Processing Card (NPC) or a 20GQ
NPC dropped stream control transmission protocol (SCTP)
connections due to incorrect session handling.

PAN-120342 Fixed an intermittent issue where the dataplane stopped
responding when processing a UDP packet that passed through
an IPSec tunnel.

PAN-120194 (Virtual and M-Series Panorama appliances and Log Collectors
only) Fixed an issue where closed Elasticsearch (ES) indices
were continuing to receive and re-queue logs, which resulted in
high CPU usage.

PAN-119257 Fixed an issue where the firewall could not establish an IKEv2
connection with SHA256 certificates.

PAN-119187 (Panorama only) Fixed an issue where a file lock was released
before the lock was taken, which triggered an erroneous
maximum connection timeout that prevented administrators
from logging in to and executing commands from the
command-line interface (CLI).

PAN-119030 Fixed an issue on Panorama M-Series and virtual appliances
where bootstrapped managed firewalls were disconnected
after you performed a partial revert if you did not first perform
a manual commit. With this fix, the manual commit is not
required.

PAN-118964 Fixed an issue on VM-Series firewalls where single root I/O
virtualization (SR-IOV) did not support packet mmap in access
mode and DPDK mode.

PAN-118784 Fixed an intermittent issue where the firewall dropped a
message: Update PDP Context Response and did not
update the General Packet Radio Service (GPRS) Tunneling
Protocol for User Data (GTP-U).

PAN-118509 Fixed an issue on Panorama M-Series and virtual appliances
where shared policies were out of sync due to an empty stream
control transmission protocol (SCTP) after you upgraded the
firewall from PAN-OS 8.0.16 to PAN-OS 8.1.8.

PAN-118423 Fixed an intermittent issue with local high availability (HA)
status changes where a process (mprelay) failed to commit
changes to the HA state.


PAN-118411 Fixed an issue where ARP entries took longer than expected to
age out in a single run.

PAN-118407 Fixed an issue where an internal path monitoring failure due to
a buffer leak caused the firewall to reboot.

PAN-117923 Fixed an issue where the management server stopped
responding when an incorrect filter was used to filter traffic
logs instead of displaying an error message.

PAN-117921 Fixed an issue where you were unable to create GTP inner
sessions, which caused the firewall to drop GTP-U data packets
when the firewall was deployed on S1-U and S-11 interfaces.

PAN-117916 Fixed an issue where the dataplane stopped responding when
you pushed permitted IP addresses from Panorama to managed
firewalls.

PAN-117720 (GlobalProtect™ Clientless VPN environments only) Fixed an
issue where a process (all_pktproc) stopped responding and
caused the firewall to restart unexpectedly when processing
GlobalProtect Clientless VPN traffic. To leverage this fix,
you must first upgrade (Devices > Dynamic Updates) to
GlobalProtect Clientless VPN content release 79 or a later
release.

PAN-116807 (PA-7000, PA-5200, and PA-3200 Series firewalls only) Fixed
an issue where the firewall dropped ICMP error messages when
the security policy was configured to allow ICMP.

PAN-116798 Fixed an issue on Panorama M-Series and virtual appliances
where the progress bar for a commit all job incorrectly
remained at 0% after a job was completed.

PAN-116769 Fixed an issue where a process (pan_comm) stopped
responding due to a memory allocation error.

PAN-116729 Fixed an issue where you were unable to deploy bootstrapped
content in offline environments due to content validity checks.

PAN-116634 Fixed an issue where the date in the GlobalProtect HTTP
header was incorrectly set to a random date instead of a zero
(0), which negatively and falsely impacted security scorecard
ratings.

PAN-116613 Fixed an issue on a VM-Series firewall deployed in Microsoft
Azure where packets dropped silently due to a kernel error.

PAN-116513 Fixed an issue where VM-Series firewalls did not bootstrap
successfully when you included the software version in the
software folder of the bootstrap package.


PAN-116436 (Panorama virtual appliances only) Fixed an issue where a disk
calculation error resulted in an erroneous opt/panlogs/ partition
full condition and caused a process (CDB) to stop responding.

PAN-116416 Fixed an issue on Panorama M-Series and virtual appliances
where a process (configd) stopped responding when you
performed a commit to a large number of firewalls.

PAN-116383 Fixed an issue with Panorama on Azure where the configuration
of an HA pair became out of sync due to different plugin
versions being detected even though the same versions were
installed on both peers.

PAN-116280 Fixed an issue where the firewall displayed a static route
warning when the next hop IP address was not included in the
subnet of the outgoing interface.

PAN-116227 Fixed an issue on Panorama M-Series and virtual appliances
where traffic logs did not display data when the IPv6 address
filter is based on netmask.

PAN-116218 Fixed an issue where the test routing bgp virtual-


router default restart peer Peer-v6 CLI command
did not execute the operational request and returned the
following error message: op command for client routed
timed out as client is not available.

PAN-116128 Fixed an issue where a process (logrcvr) stopped responding


when packet captures (pcap) were generated for HTTP2 traffic.

PAN-116123 Fixed an issue where a process (devsrvr) stopped responding


when you performed a commit or a configuration validation
when the proxy ID contained 24 or more characters.

PAN-115856 Fixed an issue where Dynamic IP and Port (DIPP) NAT pools did
not release used ports after all sessions were removed.

PAN-115852 Fixed an issue on VM-Series firewalls on AWS where you could


not change maximum transmission unit (MTU) values from
the web interface and displayed the following error message:
Malformed Request.

PAN-115794 Fixed an issue where, after you upgraded the firewall from
PAN-OS 8.1.5 to PAN-OS 9.0.0, the firewall displayed the
following validation error: plugins 'read-only' is not
an allowed keyword.

PAN-115792 Fixed an issue where after a refresh of the external dynamic list
values from the previous list were not retained, which caused
the list values to display 0.0.0.0 and displayed the following
error message: HTTP/1.1 500 Internal Server Error.


PAN-115748 Fixed an intermittent issue on Panorama M-Series and virtual appliances where a memory issue caused the firewall to reboot.

PAN-115738 Fixed an issue where data logs were generated but the firewall did not forward the logs to the syslog server.

PAN-115695 Fixed an intermittent issue where a large number of packets were received before acknowledgments were complete, which depleted descriptor queue entries and resulted in high latency during data transfers even though CPU usage looked normal.

PAN-115450 Fixed a rare issue where a race condition occurred between daemons during a tunnel re-key, which caused BGP sessions to drop from Large Scale VPN tunnels. To leverage this fix, you must run the debug rasmgr delay-nh-update CLI command.

PAN-115354 Fixed an issue on Panorama M-Series and virtual appliances where renaming a device group followed by a partial commit did not change the device group hierarchy as expected.

PAN-115287 Fixed an issue where commits failed and displayed the following error message: Commit job was not queued. All daemons are not available.

PAN-115219 Fixed an issue on Panorama M-Series and virtual appliances where Global Find caused the web interface to stop responding when you searched for common English words.

PAN-115186 Fixed an issue where SaaS reports were not generated because report definitions were not pushed to the log collector.

PAN-114958 Fixed an issue where the User-ID™ (useridd) process consumed more CPU cycles than expected when you configured User-ID redistribution.

PAN-114889 Fixed an issue where a Panorama template push to a firewall running a PAN-OS 8.1 release or earlier resulted in the deletion of split tunnel configurations when any address objects or address groups were included. With this fix, you still must remove all address groups before pushing templates to a PAN-OS 8.1 or earlier release.

PAN-114867 Fixed an issue where GlobalProtect gateway client configuration generation failed when a matching rule existed.

PAN-114844 Fixed an issue on Panorama M-Series and virtual appliances where malformed API calls caused the firewall to reboot.

PAN-114779 Fixed an issue where log purging took longer than expected, which prevented the firewall from capturing traffic logs.


PAN-114567 Fixed an issue where the Eventid eq globalprotectportal-config-succ system query caused the management server (mgmtsrvr) process to stop responding.

PAN-114566 Fixed an issue where, after a commit, the firewall displayed the following error message: No Valid DNS Security License even when the license was valid and successfully applied.

PAN-114533 Fixed an issue where traffic was blocked by safe search enforcement instead of being allowed by the intended allow rule.

PAN-114526 Fixed an issue where a larger than expected number of packets sent over a GTP-U tunnel caused packet captures to fill the files faster than expected. With this fix, you can run the debug dataplane packet-diag set capture gtpu-lvl [1-30] command to ensure that GTP-U traffic is captured.

PAN-114475 Fixed an issue where Panorama in FIPS mode defaulted to FIPS-CC mode instead of Normal mode.

PAN-114427 Fixed an issue where an empty host name in the HTTP header caused a web server process (websrvr) to stop responding when you accessed the captive portal redirect page.

PAN-114264 Fixed an issue where sessions were offloaded while application identification was still being performed when you configured a custom application with Continue scanning for other application.

PAN-114160 Fixed an issue where you were unable to download ZIP files greater than 3GB through a GlobalProtect Clientless VPN application.

PAN-114105 Fixed an issue on a Panorama M-Series appliance where the Summary web interface (Panorama > Managed Devices > Summary) refreshed every 10 seconds even when set to refresh manually.

PAN-114090 Fixed an issue on a Panorama virtual appliance in Legacy mode and in an HA active/passive configuration where logs were forwarded only to the active firewall.

PAN-114002 Fixed an issue where you were unable to import variable CSV files when variable names contained a space character.

PAN-113971 (PA-7000 Series firewalls only) Fixed an issue where the High Speed Chassis Interconnect (HSCI) link flapped after you rebooted the firewall.


PAN-113930 Fixed an issue on VM-Series firewalls where CPU loads were uneven across cores when more than 8 cores were allocated to the dataplane.

PAN-113912 Fixed an issue where a process (ikemgr) stopped responding and caused the firewall to reboot.

PAN-113887 Fixed an issue where loading custom app tags did not complete successfully, which prevented subsequent requests (such as commits, content installs, and FQDN refreshes) from executing as expected.

PAN-113870 Fixed an issue where Security policies were not evaluated in sequential order when the policy was based on URL categories.

PAN-113796 Fixed an issue where GlobalProtect configured with the pre-logon then on-demand connect method was unable to authenticate during pre-logon when you configured the portal and gateway with an Authentication Override and without a certificate profile.

PAN-113767 Fixed an issue where the firewall silently dropped packets when security profiles were attached and the FPGA had AHO and DFA enabled.

PAN-113619 Fixed an issue where the GlobalProtect gateway did not assign an IP address when the local IP address was a supernet of the GlobalProtect pool.

PAN-113501 Fixed an issue where the Panorama management server returned a Secure Copy (SCP) server connection error after you created an SCP Scheduled Config Export profile (Panorama > Scheduled Config Export) because the SCP server password exceeded 15 characters in length.

PAN-113229 Fixed an issue on Panorama M-Series and virtual appliances in an HA active/passive configuration where the passive firewall displayed an out-of-sync shared policy status when you edited the Device Group.

PAN-113185 Fixed an issue where the passive firewall in an HA active/passive configuration was processing traffic.

PAN-112988 Fixed an issue where a process (useridd) leaked memory, which caused the firewall to drop traffic and display the following error message: Out-of-memory condition detected, kill process.

PAN-112972 Fixed an issue where scheduled reports were not generated as expected when you added groups in a query builder.


PAN-112566 Fixed an issue where the GlobalProtect Client was unable to download files from a web interface; sessions went into DISCARD state and displayed the following message: Packet dropped, control plane service not allowed.

PAN-112529 Fixed an issue where the firewall incorrectly sent several benign critical content alerts daily.

PAN-112467 Fixed an issue where obsolete IPv6 Neighbor Discovery (ND) entries did not clear as expected, which caused the IPv6 table to reach full capacity and caused new IPv6 ND entries to fail.

PAN-112308 Fixed an issue where hardware security module (HSM) accounts were locked out after three attempts when you ran the show hsm ha-status CLI command.

PAN-112016 Fixed an issue on VM-Series firewalls where the physical port counters on the dataplane interfaces did not increase on KVM when you disabled DPDK.

PAN-111698 Fixed an issue where administrators were unable to log in when space characters were used in usernames.

PAN-111660 Fixed an issue where an incorrect SSH key initialization caused a process (pan_comm) to stop responding every 15 minutes when you configured an SSH proxy on the firewall.

PAN-110990 Fixed an issue where a logical operation not configured with receive_time in the traffic log filter did not respond as expected.

PAN-110960 Fixed an issue on Panorama M-Series and virtual appliances where commits failed when you configured an address group object in the Include List (Network > Zone > <zone-name> > Include List).

PAN-110839 Fixed a rare issue where a commit pushed from Panorama failed, which caused a process (routed) to stop responding.

PAN-110628 Fixed an issue where user groups were deleted from the Group Include List (Device > User Identification > Group Mapping Settings > <group-name> > Group Include List) if you changed the LDAP server profile account password.

PAN-110234 Fixed an issue where administrators with a Superuser (read-only) role were able to initiate a commit through the CLI.

PAN-110168 Fixed an issue where the firewall and Panorama web interface did not present HSTS headers to your web browser.


PAN-109803 Fixed an issue where credential phishing prevention did not detect user or password phishing when passwords that contained two discontiguous space characters were used.

PAN-109759 Fixed an issue where the firewall did not generate a notification for the GlobalProtect client when the firewall denied unencrypted TLS sessions due to an authentication policy match.

PAN-107207 Fixed an issue where the VPN tunnel operational status incorrectly displayed up even though the VPN tunnel was down.

PAN-106889 Fixed a rare issue on a firewall in an HA active/passive configuration running in FIPS-CC mode where the passive firewall rebooted into maintenance mode.

PAN-106628 Fixed an issue where the firewall did not generate a system log when the firewall detected a RAM issue.

PAN-106449 Fixed an issue where, when you connected to an internal GlobalProtect gateway on a firewall in an HA active/passive configuration and authenticated with multi-factor authentication (MFA) to access a resource, the first and second authentication factors succeeded but you were not redirected to the actual resource.

PAN-106100 (PA-3200 Series firewalls only) Fixed an issue on a firewall in an HA active/active configuration where SSL traffic through the GlobalProtect VPN (in SSL mode) tunnel stopped responding after Layer 7 processing completed and when asymmetric routing occurred.

PAN-105286 Fixed an issue where the firewall did not record email header information in Data Filtering logs when you triggered a test mail that contained a data leak prevention (DLP) pattern.

PAN-104909 Fixed an issue where the firewall incorrectly forwarded traffic when you configured the ingress interface with a QoS policy and the egress interface as a tunnel.

PAN-104808 Fixed an issue where scheduled SaaS reports generated and emailed empty PDF reports.

PAN-104251 Fixed an issue where the syslog server TCP keep-alive parameter caused the connection to unexpectedly age out.

PAN-103865 Fixed an issue where the firewall did not detect user credentials when the number of users exceeded 60,000.

PAN-103847 Fixed a memory buffer allocation issue that caused the Session Initiation Protocol (SIP) traffic NAT to stop responding.


PAN-101613 (PA-800 Series firewalls only) Fixed an intermittent issue where a congestion condition occurred during periods of low traffic. With this fix, run the set system setting hol-system enable CLI command to enable the HOL system mode.

PAN-84670 Fixed an issue where firewalls that were not configured to decrypt HTTPS services and applications traffic allowed users without valid authentication timestamps to access those resources regardless of Authentication Policy settings. To prevent such access, either configure the firewall to decrypt traffic or run the debug device-server cp-deny-encrypted on command and execute a commit force CLI command (this command will persist across reboots).

PAN-OS 9.0.3-h3 Addressed Issues
Issue ID Description

PAN-123700 A security-related fix was made to prevent a memory corruption vulnerability in PAN-OS® software (PAN-SA-2019-0023 / CVE-2019-1582).

PAN-123603 A security-related fix was made to prevent a memory corruption vulnerability in PAN-OS software (PAN-SA-2019-0021 / CVE-2019-1580).

PAN-123564 Fixed CVE-2019-1581; see PAN-SA-2019-0022 for details.

PAN-121814 Fixed an issue where the threat log incorrectly displayed informational severity-level threats with a high severity level.

PAN-OS 9.0.3-h2 Addressed Issues
Issue ID Description

PAN-120745 An enhancement was made to the IP Options field in the TCP/IP header for zone protection profiles.

PAN-OS 9.0.3 Addressed Issues
Issue ID Description

WF500-4995 Fixed an issue on Panorama™ M-Series and WF-500 appliances where administrators were unable to run the debug software disk-usage aggressive-cleaning enable CLI command, which resulted in the following error message: Server error: Failed to execute op command.

PAN-118949 Fixed an issue where, after you changed the filter configuration in the user.src notin 'cns\proxy full' profile, the firewall displayed the following error message: Unknown user group cns\Proxy Full.

PAN-118640 Fixed an issue where the GTP-U session did not match the correct policy, which caused the IMSI and IMEI not to display in the inner session traffic and threat logs.

PAN-117424 Cortex Data Lake without Panorama—where we removed Panorama as a requirement to send logs to Cortex Data Lake®—was introduced in PAN-OS 9.0.2, and was not initially supported for PA-220 and PA-800 Series firewalls. This issue details a change we've made in PAN-OS 9.0.3 to support this feature across all firewall platforms. Here's how you can get started with Cortex Data Lake now.

PAN-117359 (Firewalls with an AutoFocus license only) Fixed an issue where AutoFocus™ threat intelligence did not display when hovering over source and destination addresses in the logs when you configured a service route or proxy.

PAN-117249 Fixed an issue where end users who did not have REST API authentication roles were able to list and edit configuration rules.

PAN-117149 Fixed an issue on firewalls configured with authentication policies where sessions matching an authentication policy did not generate traffic logs as defined in the security policy when sessions were redirected or denied.

PAN-116969 Fixed an issue where authentication failed when you configured a User Principal Name (UPN) and included a group in the profile.

PAN-116848 Fixed an issue where multiple device group administrators simultaneously enabling configuration locks caused a race condition.


PAN-116828 Fixed an issue on Panorama M-Series and virtual appliances where the management server and a process (configd) used more CPU and memory than expected.

PAN-116069 (PA-200 firewalls only) Fixed a rare out-of-memory (OOM) condition.

PAN-116579 Fixed an issue where the firewall sent truncated URLs to the Captive Portal Redirect message when HTTPS traffic sent through a proxy server was subjected to decryption.

PAN-116188 Fixed an issue where communication between tunnel interfaces did not respond when you configured a generic routing encapsulation (GRE) tunnel.

PAN-116022 Fixed an issue where the NSX Manager passed a blank string to Panorama, which added a null entry into the configuration and caused commits to fail.

PAN-115930 Fixed an intermittent issue where, after a configuration change, a commit caused the dataplane to stop responding.

PAN-115526 Fixed an issue where a dataplane process (all_pktproc) stopped responding due to a packet buffer protection feature.

PAN-115494 Fixed an issue where the /opt/pancfg/ partition became full due to a configuration preview operation not responding.

PAN-115415 Fixed an issue where a session created from a predict session went into DISCARD state.

PAN-115379 Fixed an issue where you were unable to create a custom log forwarding profile when you configured a filter with the "in" and "not in" configurations (Objects > Log Forwarding > Add > Add > Filter > Filter Builder), which resulted in the following error message: Invalid filter policy-logging-cf-ent -> match-list -> ITS_url_logs -> filter is invalid.

PAN-115339 Fixed a rare issue where a commit caused the firewall to stop responding when you enabled flow debug and configured a NAT policy.

PAN-115035 Fixed a rare issue where the Threat log and URL log stopped generating.

PAN-115012 Fixed an issue where a process (appweb) stopped responding, which caused the web interface to stop responding.

PAN-114867 Fixed an issue where GlobalProtect™ gateway client configuration generation failed when a matching rule existed.


PAN-114743 Fixed an issue on Panorama M-Series and virtual appliances where, after you upgraded the firewall to PAN-OS 8.1, commits failed when Panorama was configured to manage shared gateway objects for managed firewalls.

PAN-114695 Fixed an issue where a daemon (authd) stopped responding when you configured a GlobalProtect portal and gateway with Security Assertion Markup Language (SAML) authentication.

PAN-114642 Fixed an issue where firewall logs incorrectly included the end-user IP address in GTP message logs when you configured the PAA IE with IPv4 and IPv6 dual stack in the Create Session Response message.

PAN-114607 Fixed an issue where all the log collectors did not get queued when you configured more than 32 collector groups.

PAN-114593 Fixed an issue where the set system setting layer4-checksum disable CLI command did not disable the Layer 4 checksum check as expected.

PAN-114577 Fixed an issue on Panorama M-Series and virtual appliances where you were unable to authenticate when the authentication profile contained a server profile that used the FQDN of the server.

PAN-114437 Fixed an issue on Panorama M-Series and virtual appliances where, after you upgraded the firewall from PAN-OS 8.0.8 to PAN-OS 8.1.4, commits took longer than expected when you configured the Device Group with large group hierarchies.

PAN-114435 Fixed an issue where multiple dataplanes stopped responding and caused traffic outages after you enabled IPSec tunnels.

PAN-114434 Fixed an issue where the firewall created incorrect predict sessions, which caused flow sessions to fail for applications.

PAN-114403 Fixed an issue on Panorama M-Series and virtual appliances where serial numbers for deployed firewalls did not display in the web interface, with the exception of GlobalProtect cloud service firewalls.

PAN-114395 Fixed an issue on a VM-Series firewall where a process (all_task) stopped responding, which caused the firewall to reboot.

PAN-114275 Fixed an issue where the firewall dropped GTPv1 DELETE PDP response packets that had a tunnel endpoint ID (TEID) value of 0.


PAN-114181 Fixed an issue where the firewall incorrectly triggered Reverse Path Forwarding (RPF), which caused packet leaks.

PAN-113795 Fixed an issue on a firewall configured with GlobalProtect Clientless VPN where a process (all_pkts) stopped responding, which caused the dataplane to restart.

PAN-113775 Fixed an issue where the firewall dropped UpdatePDPContext response packets and displayed the following GTP log event: 122113.

PAN-113631 A security-related fix was made to address a use-after-free (UAF) vulnerability in the Linux kernel (PAN-SA-2019-0017 / CVE-2019-8912).

PAN-113614 Fixed an issue with a memory leak on Panorama appliances associated with commits that eventually caused an unexpected restart of the configuration (configd) process.

PAN-113340 (PA-200 firewalls only) Fixed an issue where the management plane (MP) memory was lower than expected, which caused the MP to restart.

PAN-113189 A security-related fix was made to correct log file string-conversion errors that caused parsing issues, which caused the User-ID™ (useridd) process to stop running.

PAN-113117 Fixed an issue on Panorama VM-Series firewalls where you were logged out of the web interface and had to log back in to push a device group and template configuration from a newly launched bootstrapped firewall.

PAN-113046 (PA-5200 Series firewalls only) Fixed an issue where a process (brdagent) stopped responding, which caused the management plane to stop responding.

PAN-112674 Fixed an issue where an escape ( “\” ) character was added to HTTP logs when a log contained a comma.

PAN-112577 Fixed an issue on a VM-Series firewall in an HA active/passive configuration where the HA1 port flapped and caused a split-brain condition.

PAN-112446 Fixed an issue where a predefined report (blocked credential post) generated reports using the incorrect query builder (flags has credential-builder), which caused the report to incorrectly display logs for alerts.

PAN-112293 Fixed an issue where the connection between the firewall and Log Collector flapped.


PAN-112167 Fixed an issue where IPv4 BGP routes were missing from the routing table and FIB after a failover event.

PAN-112106 Fixed an issue where the firewall was unable to add the IPv6 loopback IP address ::1 to an external dynamic list and displayed the following error message: Invalid ips: ::1.

PAN-111976 Fixed an issue where you were unable to generate user activity reports when the username included a colon ( : ), ampersand ( & ), or single quote ( ' ) character.

PAN-111872 A security-related fix was made to address a command injection vulnerability (PAN-SA-2019-0018 / CVE-2019-1576).

PAN-111708 (PA-3200 Series firewalls only) Fixed a rare software issue that caused the dataplane to restart unexpectedly. To leverage this fix, you must run the debug dataplane set pow no-desched yes CLI command.

PAN-111380 (PA-5200, PA-3200, and PA-7000 Series firewalls with 100Gbps cards only) Fixed an issue where the show qos interface ae1 throughput 0 CLI command incorrectly displayed only the active data stream and QoS was not working as expected on the first subinterface.

PAN-111286 Fixed an issue where you were unable to generate a custom report (Monitor > Manage Custom Report > <device-name> > Report Setting).

PAN-110996 Fixed an issue where the dataplane stopped responding due to an incorrectly calculated offset when you configured Exclude video traffic from the tunnel (Network > GlobalProtect > Gateways > <gateway-name> > Agent > Video Traffic).

PAN-110962 Fixed an issue where a process (all_pktproc) stopped responding when SSH decryption was enabled, which caused the dataplane to restart.

PAN-110883 Fixed an issue on a VM-Series firewall where all jobs did not execute and returned the following error message: Error- time out sending/receiving message.

PAN-110873 Fixed an issue where member interfaces of the aggregate interface did not display in the web interface (Panorama > Managed Devices > Health > All Devices > <device-name> > Interfaces).

PAN-110758 Fixed an issue on Panorama M-Series and virtual appliances where you were unable to configure the firewall to disable the portal login page.


PAN-110638 Fixed an issue where you were unable to establish a GlobalProtect connection on IPv6 and the firewall displayed the following error message: Packet too big because the firewall MTU value was set lower than normal on the neighboring firewall.

PAN-110548 Fixed an intermittent issue where heartbeats failed on the management plane (MP), which caused the dataplane to stop responding and displayed the following error message: Dataplane is down: controlplane exit failure.

PAN-110526 Fixed an issue where Captive Portal authentication required two log-in attempts when the authentication sequence was configured as an authentication profile.

PAN-110293 Fixed an issue where GTP-U traffic dropped when the GTP tunnel endpoint ID (TEID) was not updated correctly during a GTP-C update.

PAN-109966 Fixed an issue where the content update threshold downloaded and installed an older content version after you manually installed a newer content version.

PAN-109954 Fixed an issue where a commit failed with the error message cluster is missing 'encryption' when HA Traffic Encryption (Panorama > Managed WildFire Clusters > <appliance-name> > Communication) was not configured after upgrading from PAN-OS 8.0.12 to PAN-OS 8.1.4.

PAN-109944 Fixed an intermittent issue where a process (configd) restarted due to a race condition when generating custom reports.

PAN-109663 Fixed an intermittent issue where the firewall dropped packets when the policy rule was set to allow but denied the packets during a commit or high availability (HA) sync.

PAN-109837 Fixed an issue where a race condition occurred when a configuration push and a NetFlow update occurred simultaneously, which caused the dataplane to restart.

PAN-109575 Fixed an issue where you were unable to configure more than one device certificate (Device > Certificate Management > Certificates > <device certificate-name>) with Trusted Root CA.

PAN-109336 (PA-500 and PA-800 Series firewalls only) Fixed an issue where commits failed after you imported a device state from Panorama when the template configuration referenced Bidirectional Forwarding Detection (BFD).


PAN-109186 Fixed an issue where the dataplane stopped responding and caused a failover event.

PAN-109101 Fixed an issue where you were unable to override IKE Gateway configurations (Network > IKE Gateways > <template-name>) in the template stack. However, with this fix, you still cannot override template stacks when you configure any value with none. Additionally, to override the Local Identification, select Authentication in the pop-up dialog.

PAN-109024 Fixed an issue where, after you upgraded the firewall from PAN-OS 8.0 to PAN-OS 8.1, firewalls configured with the User-ID agent and group mapping incorrectly mapped users to groups.

PAN-108990 Fixed an intermittent issue on a firewall where configuring Force Template Values (Network > Interfaces > Commit > Push to Devices > Templates) deleted the zone assigned to an interface.

PAN-108878 Fixed an issue where host traffic ICMP packets larger than 9,180 bytes dropped when you configured a jumbo frame with a maximum MTU value of 9,216 bytes and with the DF option enabled.

PAN-108846 Fixed an issue where a higher than expected rate of tunnel resolution packets occurred due to an internal loop, which caused a spike in dataplane CPU usage for firewalls that support distributed tunnel ownership.

PAN-108785 Fixed an intermittent issue on a firewall in an HA active/passive configuration where a ping test stopped responding on Ethernet 1/1, 1/2, and 1/4 due to input errors on the corresponding switch port after an HA failover.

PAN-108715 Fixed an issue where the firewall did not update the dataplane DNS cache after the management plane (MP) DNS entries expired, which caused evasion signatures to erroneously trigger a Suspicious TLS/HTTP(S) Evasion Found event.

PAN-108164 Fixed an issue where a process (tund) caused the dataplane to restart during a commit.

PAN-107989 Fixed an issue where the Strict IP Address Check incorrectly triggered when you enabled ECMP (Network > Virtual Routers > Add > Router settings > ECMP).

PAN-107662 Fixed an issue on a firewall in an HA active/active configuration where client-bound DHCPv6 packets dropped when you configured the firewall as a DHCPv6 relay agent.

PAN-107370 Fixed an issue where IPv6 traffic throughput was reduced more than expected after you updated a static ND entry (Network > Interfaces > <interface-name> > Advanced > ND Entries) by moving the interface to a different virtual router.

PAN-107126 Fixed an issue where an SSL inbound session cache corruption caused a process (all_pktproc) to stop responding.

PAN-106861 Fixed an issue where stale route entries remained in the FIB after the routes were removed from the routing table when you used a redistribution rule without a profile.

PAN-106857 Fixed an issue where the dataplane restarted due to an internal path monitoring failure caused by large SSL decrypted file transfer sessions.

PAN-106543 Fixed an issue on a firewall in an HA active/active configuration where the show vpn ipsec-sa CLI command incorrectly returned an error message (Server error: An error occurred. See dagger.log for information) when you ran the command on the active-secondary firewall.

PAN-106344 Fixed an issue where the log collector within a collector group retained varying numbers of detailed firewall logs when you enabled log redundancy.

PAN-106274 Fixed an issue on a firewall where a Layer 2 interface that contained a VLAN sub-interface in conjunction with policy based forwarding (PBF) caused the firewall to forward the return traffic to the incorrect web interface.

PAN-106259 Fixed an issue on a firewall in an HA active/passive configuration where the passive firewall reported a higher number of GlobalProtect user accounts than the active firewall.

PAN-105925 Fixed an issue where the GlobalProtect Gateway web interface did not display the list of previous users.

PAN-105412 Fixed an issue where forward error correction (FEC) was disabled by default for AOC modules, which caused QSFP ports to flap or remain in the DOWN state. With this fix, FEC is enabled by default for AOC modules.

PAN-105397 Fixed an issue where a firewall incorrectly processed path monitoring that originated from a NAT firewall on the same network segment.

PAN-105091 Fixed an issue on a firewall where stateful inspection failed, which caused the firewall to drop GTPv2-C Modify Bearer Request packets.

PAN-104568 Fixed an issue where the firewall did not send emails when you configured the email gateway with an FQDN.

PAN-OS® RELEASE NOTES | PAN-OS 9.0 Addressed Issues 279


© 2020 Palo Alto Networks, Inc.
Issue ID Description

PAN-104274 Addressed an issue where in a slow network environment the firewall displayed an error message: error online 1 at column 1: document is empty when you used an API call to fetch a license even when the auth code was successfully applied. Extremely slow networks may still see this issue.

PAN-103285 Fixed an issue where an API call (show system disk details) responded with the following error message: An error occurred. See dagger.log for information.

PAN-103225 Fixed an issue on Panorama M-Series and virtual appliances where the Task Manager did not display progress after you pushed a configuration to a firewall.

PAN-102979 Fixed an issue where Dynamic Updates did not display expired threat prevention licenses when you tried to install an application from Panorama.

PAN-102745 Fixed an intermittent issue on a firewall where a commit and FQDN refresh took longer than expected.

PAN-101970 Fixed an issue where the decode filter was unable to detect the end characters of a file name, which caused the firewall to bypass the file blocking profile.

PAN-101764 Fixed an issue where a process (slmgr) stopped responding during an auto-commit.

PAN-101379 Fixed an issue where an invalid Captive Portal authentication policy was successfully pushed to managed firewalls, which caused auto-commits to fail.

PAN-101052 Fixed an issue on Panorama M-Series and virtual appliances where Panorama unnecessarily checked and updated licenses for VM-Series firewalls on AWS after every commit, which resulted in new log entries. With this fix, Panorama no longer checks licenses after every commit.

PAN-100773 (PA-7000 Series firewalls only) Fixed an issue where the Quad Small Form-factor Pluggable (QSFP) port on a 20GQ NPC card took longer than expected to respond.

PAN-100742 Fixed an issue on Panorama M-Series and virtual appliances where scheduled reports generated more than one DNS lookup, which caused inconsistent name resolutions for DNS deployments.

PAN-100693 Fixed an issue where you were unable to process Address Group match criteria when the match name included the double quotation ( " ) character.

PAN-99483 (PA-5220 firewalls only) Fixed an issue where, when you deployed the firewall in a network that uses Dynamic IP and Port (DIPP) NAT translation with PPTP, client systems were limited to using a translated IP address-and-port pair for only one connection.

See Limitations for PA-7000 Series firewalls that do not use second-generation PA-7050-SMC-B or PA-7080-SMC-B Switch Management Cards.

PAN-99354 Fixed an issue where the firewall incorrectly denied URL access when the URL filtering profile was configured to alert.

PAN-99134 Fixed an issue where temporary files generated during preview changes did not get cleared, which caused disk space issues.

PAN-98746 Fixed an issue where GlobalProtect clientless VPN did not get redirected to the application URL when you used Internet Explorer as a web browser.

PAN-97288 Fixed an issue on GlobalProtect Clientless VPN where the URL gets truncated when you exclude the domain from the Rewrite Exclude Domain List (Network > GlobalProtect > Portals > <portal-name> > Clientless VPN > Advanced Settings).

PAN-92872 Fixed an intermittent issue where the firewall sent packets incorrectly to an outgoing interface.

PAN-89820 Fixed an intermittent issue where the Data Filtering (Monitor > Data Filtering) and Threat Log (Monitor > Threat) did not display file names when you transferred multiple files into a single session.

PAN-81778 Fixed an issue where scheduled reports did not generate as expected due to a race condition.

PAN-OS 9.0.2-h4 Addressed Issues
Issue ID Description

PAN-119745 A security-related fix was made to address the Netflix Linux kernel TCP SACK vulnerability (PAN-SA-2019-0013 / CVE-2019-11477, CVE-2019-11478, CVE-2019-11479, and CVE-2019-5599).

PAN-118869 A security-related fix was made to address an issue where the php-debug log incorrectly displayed non-sanitized data (PAN-SA-2019-0019 / CVE-2019-1575).

PAN-107239 A security-related fix was made to address cleartext passwords and keys that were visible in the logs for XML API calls (PAN-SA-2019-0019 / CVE-2019-1575).

PAN-OS 9.0.2 Addressed Issues
Issue ID Description

WF500-5023 Fixed an issue on WF-500 appliances where the cluster service took longer than expected to start due to a large number of queued sample data.

WF500-5022 Fixed an issue where a non-functioning CLI command was removed from WF-500 appliances.

WF500-4974 Fixed an issue on a WF-500 appliance where the static analysis results displayed in the PDF report but did not display in the WildFire® analysis summary of the web interface.

WF500-4844 Fixed an issue on WildFire appliance clusters where the passive-controller responded with the incorrect Common Name (CN) in the certificate, which caused the registration to fail.

WF500-4838 Fixed an intermittent issue on a WF-500 appliance where WildFire reports took longer than expected to generate, which caused the task to automatically timeout.

WF500-4784 Fixed an issue on a WF-500 appliance where during a reboot, the following error message displayed: FATAL: module nbd not found.

WF500-4743 Fixed an intermittent issue on a WF-500 appliance where the CLI command debug wildfire reset global-database fix became unresponsive.

PAN-118065 (M-Series Panorama™ management servers in Management Only mode) When you delete the local Log Collector (Panorama > Managed Collectors), it disables the 1/1 ethernet interface in the Panorama configuration as expected but the interface still displays as Up when you execute the show interface all command in the CLI after you commit. Workaround: Disable the 1/1 ethernet interface before you delete the local log collector and then commit the configuration change.

PAN-116919 (Microsoft Azure only) Fixed an issue where the firewall dropped packets passing through IPSec tunnels if you enabled jumbo frames (Device > Setup > Session > Session Settings).

PAN-116658 Fixed a rare issue where the firewall sent HTTP/2 DATA frames with incorrect padding byte lengths, which caused software buffer corruption and a process (all_pktproc) to stop responding.

PAN-116316 Fixed an issue where RTP and RTCP predict sessions failed,
which caused the firewall to stop processing RTSP-based video
streaming.

PAN-116084 Fixed an issue where a VM-Series firewall on Microsoft Azure deployed using MMAP dropped traffic when the firewall was experiencing heavy traffic.

PAN-115592 Fixed an issue where the firewall rebooted due to a plugin memory leak.

PAN-115591 Fixed an issue where the snmpd process was leaking memory when polling for global counters.

PAN-114984 Fixed OpenSSL vulnerability CVE-2019-1559, see PAN-SA-2019-0039 for details.

PAN-114893 Fixed an issue where a context switch from Panorama to a firewall did not respond as expected when a web browser was used.

PAN-114804 Fixed an issue where a configuration change resets to "default" when you conducted a search in the Categories (Objects > URL Filtering > Categories) web interface.

PAN-114601 Fixed an issue where the Allow List (Device > Setup > Authentication Setting > <authentication profile - name> > Authentication) did not update after you added new users to a group in the Active Directory.

PAN-114255 Fixed an issue where Bidirectional Forwarding Detection (BFD) went down temporarily during a commit or EDL refresh if you configured a large value for the BFD Hold Time.

PAN-114003 Fixed an issue on a Panorama management server running PAN-OS 9.0 where a context switch to firewalls did not respond.

PAN-113829 Fixed an issue where, after you upgraded the firewall to PAN-OS® 9.0, a firewall configured from "none" to "allow" in the custom URL category reverted to "none" after a commit.

PAN-113692 Fixed an intermittent issue on a firewall in a high availability (HA) active/passive configuration where five minutes after a failover test IP routes disappeared, which caused traffic interruptions.

PAN-113608 Fixed an issue on a firewall with packet capture (pcap) enabled where the log receiver stopped responding when larger than expected packets were received.

PAN-113414 Fixed an issue where the User-ID™ (useridd) process stopped responding.

PAN-112815 Fixed an issue on a firewall in an HA active/passive configuration where a process (useridd) did not respond to the alternate user attribute (Device > User Identification > Group Mapping Settings > <group mapping-name> > User and Group Attributes) on the passive firewall during a restart.

PAN-112814 Fixed an issue where H.323-based calls lost audio because the predicted H.245 session was not converted to Active status, which caused the firewall to drop the H.245 traffic.

PAN-112729 Fixed an issue on Panorama M-Series and virtual appliances where Decrypted Sessions Info (Panorama > Managed Devices > Health > All Devices > <device-name> > Sessions) did not display as expected for VM-Series firewalls.

PAN-112699 (VM-Series firewall on AWS running on a C5 or M5 instance only) Fixed an issue where you were unable to use the mgmt-interface-swap command to swap the interfaces for deploying a VM-Series firewall behind a web load balancer (such as AWS ALB or Classic ELB).

PAN-112626 Fixed an issue where a new DNS Security subscription was not available on your VM-Series firewall after you upgraded to a PAN-OS® 9.0 release with a PAYG Bundle 2 license.

PAN-112445 Fixed an issue on a firewall in an HA active/passive configuration where a race condition caused the firewall to stop responding after an HA1 link flap.

PAN-112340 Fixed an issue with performance, including high CPU usage, that occurred when you enabled URL Filtering without enabling Threat Prevention in an environment that processes a large number (thousands) of URL look-ups per second per dataplane.

PAN-112194 Fixed an issue where packet buffers did not release GlobalProtect™ clientless VPN packets, which caused the firewall to stop responding.

PAN-111679 Fixed an issue where URL filtering profiles were being incorrectly applied to security policies during a commit.

PAN-111553 Fixed an issue on the Panorama management server where the Include Device and Network Templates setting (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections) was disabled by default and caused your push attempts to fail. With this fix, your push will Include Device and Network Templates by default.

PAN-111540 Fixed an issue on PA-5200 Series firewalls where the dataplane stopped responding when the session table was full.

PAN-111251 Fixed an issue where administrators were unable to use the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule (they were able to execute the command but the firewall did not implement the change).

PAN-110390 Fixed an issue on PA-7000 Series firewalls where invalid filters caused the device management server to stop responding when you generated a database (DB) report from a remote firewall.

PAN-110273 Fixed an issue where you were unable to establish OSPF neighborship when an OSPF routing protocol was configured with MD5 authentication and one of the firewalls was restarted.

PAN-109672 Fixed an issue on a VM-Series firewall in an HA active/passive configuration where the passive firewall received buffered packets while in an idle state when the data plane development kit (DPDK) is enabled.

PAN-109344 Fixed an issue where service objects did not import into Panorama when you configured them identically but with different names.

PAN-108374 Fixed an issue on GlobalProtect where you were unable to authenticate when the domain name included the ampersand ( "&" ) character.

PAN-106518 Fixed an issue on Panorama M-Series and virtual appliances where predefined DHCP options did not accept template variables when you configured a DHCP server for a template.

PAN-101341 Fixed an issue where administrators configured with Device Group and Template Admin type were unable to perform a global search and returned the following message: Unauthorized request.

PAN-OS 9.0.1 Addressed Issues
Issue ID Description

PAN-113911 Fixed an issue on PA-5200 Series firewalls where the dataplane stopped responding due to a deadlock when you accessed the stream session table.

PAN-113845 Fixed an issue where content installation failed and displayed the following error message: Error: failed to handle TDB_UPDATE_BLOCK, after you upgraded to PAN-OS® 9.0.

PAN-113771 A security-related fix was made to allow Online Certificate Status Protocol (OCSP) checks while disallowing HTTP calls.

PAN-113682 Fixed an issue where the dataplane restarted when processing HTTP/2 traffic with padded DATA frames.

PAN-113675 A security-related fix was made to address an authentication bypass vulnerability in PAN-OS Management Web Interface (CVE-2019-1572/PAN-SA-2019-0005).

PAN-113512 Fixed an issue where an XML API response for an external dynamic list did not return invalid or ignored members after you upgraded to PAN-OS 9.0.

PAN-113446 Fixed an issue where the firewall unintentionally generated the following system log: Installed content package WildFire is newer than available package, skipping, when you checked for WildFire® updates.

PAN-113302 Fixed an issue where commits to the Panorama™ configuration after you upgraded to PAN-OS 9.0 failed with the following error message: statistics-service is invalid.

PAN-112700 (PA-7000 Series firewalls in an HA configuration only) Fixed an issue that occurred after you upgraded to PAN-OS 9.0 where some logs displayed a different rule name than the rule name associated with the universally unique identifier (UUID).

PAN-112592 Fixed an issue on a firewall where the system log did not generate an alert for AutoFocus™ license expiry.

PAN-112458 Fixed an issue on a firewall where the management server stopped responding when debugs were configured and you exported traffic logs (Monitor > Traffic <traffic-name> > Export to CSV).

PAN-112428 Fixed an intermittent issue where autocommits failed and Panorama stopped displaying device groups when managing a WildFire appliance that was running an earlier maintenance release of the same feature release (such as using Panorama running PAN-OS 8.1.6 to manage a WF-500 appliance that was running PAN-OS 8.1.3).

PAN-112305 Fixed an issue where source (Object > Dynamic Lists <list-name> > Create List) URLs that contained double escape characters caused external dynamic list entries to display incorrect values in the policies.

PAN-112274 Fixed an issue on Panorama M-Series and virtual appliances where a process (configd) stopped responding when a role-based user with privacy settings disabled viewed a scheduled report that required data anonymization.

PAN-112098 Fixed an intermittent issue on a firewall where outbound traffic failed with an error message: (proxy decrypt failure) when configured with HTTP Header Insertion (Objects > Security Profiles > URL Filtering <filter-name> > HTTP Header Insertion).

PAN-111897 Fixed an issue where the tags were not set on OSPFv3 routes redistributed to BGP-3.

PAN-111850 Fixed an issue where the firewall did not capture the number of packets in the threat packet capture (pcap) as configured in the extended packet capture length setting.

PAN-111822 (PA-3200, PA-5200, and PA-7000 Series firewalls only) Fixed an intermittent issue on a firewall configured with policy-based forwarding (PBF) and symmetric return, where traffic dropped because the ARP table did not get updated.

PAN-111638 Fixed an issue where the external dynamic list did not update after a scheduled refresh of the list.

PAN-111061 A fix was made to upgrade OpenSSH software included with PAN-OS (PAN-SA-2020-0005 / CVE-2016-10012).

PAN-111052 Fixed an issue where a firewall in a virtual wire (vwire) deployment silently dropped TCP packets when the antivirus profile was enabled.

PAN-110441 (PA-5200 Series firewall only) Fixed an intermittent issue where the internal path monitoring failed, which caused the firewall to unexpectedly restart.

PAN-110341 Fixed an issue where the firewall sent RIP updates more frequently than expected.

PAN-110336 (PA-3000, PA-3200, PA-5000, PA-5200, and PA-7000 Series firewalls only) Fixed an issue where a process (mpreplay) restarted and caused the offload traffic to drop.

PAN-108620 Fixed an issue where Traps ESM logs were sent to the Log
Collector but did not display in the web interface (Monitor >
Traps ESM).

PAN-108575 Fixed an issue where a process (configd) stopped responding and displayed the following error message: configd is down.

PAN-108409 Fixed an issue on a firewall in a high availability (HA) active/passive configuration where scheduled dynamic updates pushed from Panorama to the managed firewalls failed.

PAN-108113 Fixed an issue where Bidirectional Forwarding Detection (BFD) did not function on a static route for which the next hop for that route was an FQDN (instead of an IP address).

PAN-108111 Fixed an issue where Bidirectional Forwarding Detection (BFD) did not function on a BGP peer that was identified using an FQDN (instead of an IP address).

PAN-107677 Fixed an issue on GlobalProtect™ where Security Assertion Markup Language (SAML) authentication failed when you used a macOS operating system.

PAN-107006 Fixed an issue where you were unable to search for service objects by destination port numbers.

PAN-106963 Fixed an issue where the firewall did not display the full URL information in the URL Filtering log (Monitor > URL Filtering) after a ( '\r' ) return character.

PAN-106249 (PA-200, PA-220, and PA-800 Series firewalls only) Fixed an issue where the Block IP List option, which is not supported, displayed in the administrator role profile (Device > Admin Role > Web UI).

PAN-104263 Fixed an issue where the RTC battery reading exceeded the maximum threshold value.

PAN-103023 Fixed an intermittent issue where a job type (content) caused a firewall configuration failure and the firewall to stop responding.

PAN-96827 Fixed an issue where BGP command output formats did not display consistently across different PAN-OS releases.

PAN-92155 Fixed an issue where administrators were unable to configure an IP address using templates for HA2 (Device > High Availability > Data Link (HA2)) after setting the configuration to IP or Ethernet for Panorama management servers in HA configuration.

PAN-85691 Fixed an issue where Authentication policy rules that were based on multi-factor authentication (MFA) didn't block connections to an MFA vendor when the MFA server profile specified a Certificate Profile that had the wrong certificate authority (CA) certificate.

PAN-OS 9.0.0 Addressed Issues
Issue ID Description

WF500-4811 Fixed an issue where WF-500 appliances displayed the wrong WildFire® content version (show system info) after a WildFire content update.

PAN-109668 A security-related fix was made to limit the amount of information returned from an API call error message.

PAN-109124 A security-related fix was made to address an issue where you were unable to retrieve GlobalProtect™ cloud service threat packet captures from the Logging Service on Panorama™ M-Series and virtual appliances.

PAN-109096 Fixed an issue where the firewall did not remove the 4 Byte AS Format number when Remove Private AS is enabled.

PAN-109003 Fixed an issue on Panorama M-Series and virtual appliances where a process (configd) stopped responding during a local commit.

PAN-107887 Fixed an issue where an API call did not return the details of the security policy when you added a service group.

PAN-107779 Fixed an issue where Wildfire signature version information was no longer displayed after you activated a GlobalProtect client.

PAN-107117 Fixed an issue where device administrators were unable to manually upload signature files (Device > Dynamic Updates) and the firewall displayed the following error message: You need superuser privileges to do that.

PAN-106784 Fixed an issue where the firewall revealed password hashes in the web interface when changing administrator passwords.

PAN-106721 Fixed an intermittent issue where a processor cache memory corruption caused a reload when the firewall freed packets from the buffer.

PAN-106695 Fixed an issue on a firewall in a high availability (HA) active/passive configuration where the Panorama management server enabled the administrator to clone a rule on the passive firewall.

PAN-106181 Fixed an issue where the Cancel option was removed to prevent access when you Require Password Change on First Login (Device > Setup > Management).

PAN-106019 Fixed an issue where a process (routed) stopped responding when an incomplete command ran in the XML API.

PAN-105849 A security-related fix was made to address an issue with the wf_curl.log file in WF-500 appliances (WildFire).

PAN-105737 Fixed an issue where AUX ports remained in Down state after you upgraded to PAN-OS® 8.1.7.

PAN-105684 Fixed an issue on a firewall in an HA active/passive configuration where OSPF and BGP running on an Aggregate Ethernet (AE) with LACP enabled took longer than expected after a failover.

PAN-105040 Fixed an issue where the dataplane processor caused memory loss in the packet buffer pool.

PAN-104623 Fixed an issue where a process (brdagent) printed QoS information messages in the brdagent.log file, which caused a missed heartbeat and the firewall to restart.

PAN-104616 Fixed an issue where certificate imports failed when you used a backslash ( \ ) character in a password to export certificates.

PAN-104578 (PA-800 Series firewalls only) Fixed an issue on a firewall in an HA active/passive configuration where the HA failover took longer than expected.

PAN-104572 Fixed an issue on Panorama M-Series and virtual appliances where the configd.log file displayed schema error messages after you created an administrator role with context switch UI permissions enabled.

PAN-104354 Fixed an issue on a firewall in an HA active/passive configuration where the passive firewall ran a configuration out of sync after a restart.

PAN-104078 Fixed an issue where administrators could not successfully add conditional advertisements (Network > Virtual Routers > <virtual-router> > BGP > Conditional Adv) for BGP routing tables (changes were lost after commit).

PAN-103863 Fixed an issue where the IPSec tunnel restart (Network > IPSec Tunnels > IKE Info) did not display properly on the web interface.

PAN-103857 Fixed an issue on a firewall in an HA active/passive configuration where the suspended firewall processed traffic.

PAN-103615 Fixed an issue where scheduled log exports failed on nonstandard ports.

PAN-103192 Fixed an issue on a firewall where the Global Find for IPSec
tunnels displayed incorrect search results.

PAN-103061 Fixed an issue where special characters contained in the CLI comment field caused the process (devsrvr) to stop responding.

PAN-103055 Fixed an issue where you were unable to filter Address Groups (Objects > Address Groups) by an address object name.

PAN-102779 Fixed an issue on a PA-3000 Series firewall where multiple (all_pktproc) processes failed and caused the dataplane to stop responding.

PAN-102526 Fixed an issue on Panorama M-Series and virtual appliances where disk quota edits failed and displayed the following error message: quota-settings -> disk-quota is invalid.

PAN-102029 Fixed an issue on a firewall where the DNS resolution routed through the dataplane and configured with a service route stopped responding when the management interface was not configured.

PAN-101821 Fixed an issue where Referer was spelled incorrectly in the HTTP Headers section of the Detailed Log View (Monitor > URL Filtering).

PAN-101451 Fixed an issue where SNMP queries displayed incorrect values.

PAN-101391 Fixed an issue where the scheduled nightly custom report was not generated or emailed as expected.

PAN-101365 Fixed an intermittent issue where the session ID did not clear when the session ID is set to 0.

PAN-101294 Fixed an issue where administrators were allowed to create tunnel interfaces from the template stack.

PAN-101068 Fixed an issue where the object identifier (OID) ifAdminStatus incorrectly displayed up when configured to down.

PAN-100656 Fixed an issue on Panorama M-Series and virtual appliances where duplicate entries in BGP redistribution configurations were not verified, which caused commits to fail.

PAN-100464 Fixed an issue where the sub-interfaces and the configurations were deleted when you tried to override the subinterface of a template stack.

PAN-100154 Fixed an issue where the default static route always became the active route and took precedence over a DHCP auto-created default route that was pointing to the same gateway regardless of the metrics or order of installation. With this fix, the firewall no longer installs the default static route in the FIB when the system has both a DHCP auto-created default route and a manually configured default static route pointing to the same gateway.

PAN-100049 Fixed an issue on Panorama M-Series and virtual appliances where Push Scope Selection (Commit > Push to Devices) selected firewalls not in the hierarchy of the firewall you selected.

PAN-99945 Fixed an issue on Panorama where the progress bar in the web interface stopped responding and did not display any status after sending a commit or activating an auth code even though the task completed successfully.

PAN-99640 A security-related fix was made to address a denial of service (DoS) vulnerability in PAN-OS Linux Kernel (CVE-2017-8890).

PAN-99551 Fixed an issue on a firewall in an HA active/passive configuration where the User-ID™ process stopped responding on the passive firewall when the system was managing a high number of (more than 30,000) active users.

PAN-99447 (Virtual and M-Series Panorama appliances and Log Collectors only) Fixed an issue where a Log Collector received logs destined for closed Elasticsearch (ES) indices, which caused indices to return failure messages and, when the issue persisted for more than a few hours, caused Log Collectors to disconnect and reconnect repeatedly when attempting (and failing) to process the re-queued logs.

PAN-98130 Fixed an intermittent issue where the firewall allowed traffic based on an unmatched rule after a session rematch is triggered.

PAN-98005 Fixed an issue where adding more than eight Log Collectors to a collector group caused the configuration (configd) process to stop responding.

PAN-97848 Fixed an issue where if you deployed Panorama on KVM, it deployed in Legacy mode instead of Management Only mode even when meeting the minimum resource requirements for Management Only mode.

PAN-97417 Fixed an issue where the loopback IP address redistributed to the Local RIB table instead of the Adj-RIBs-out table.

PAN-96344 Fixed an issue on a firewall where TCP reset packets were sent even after you set the vulnerability profile action to drop the packets.

PAN-96297 Fixed an issue where a process (useridd) stopped responding due to the syslog server messages not parsing with field identifiers.

PAN-95445 Fixed an issue where VM-Series firewalls for NSX and firewalls in an NSX notify group (Panorama > VMware NSX > Notify Group) briefly dropped traffic while receiving dynamic address updates after the primary Panorama in a high availability (HA) configuration failed over. This fix requires the VMware NSX 2.0.4 or a later plugin.

PAN-94486 Fixed an issue where the dataplane did not get a dynamic IP address assigned because the process (routed) did not release it.

PAN-92725 Fixed an issue on the firewall and Panorama management server where the web interface became unresponsive because the (cord) process restarted after you configured multiple log forwarding destinations in a single forwarding rule for Correlation logs (Device > Log Settings).

PAN-92485 Fixed an issue on Panorama M-Series and virtual appliances where you were unable to set the MTU (Network > Interfaces > Ethernet > <Interface> > Ethernet Interface > Advanced > Other Info) value to more than 1460 bytes with Jumbo Frames enabled.

PAN-91930 Fixed an issue on Panorama M-Series and virtual appliances where you were unable to type in tunnel zone names in the Tunnel Source Zone (Policies > Pre Rules > <rule-name> > Inspection > Security Options) field.

PAN-91499 Fixed an issue on a firewall where an address object FQDN resolution returned the IPv6 DNS record but did not return all associated (IPv4 and IPv6) DNS records.

PAN-91442 Fixed an issue where an external dynamic list with an invalid IPv6 address range caused commits to fail.

PAN-82278 Fixed an issue where filtering did not work for Threat logs when you filtered for threat names that contained certain characters: single quotation (’), double quotation (”), back slash (\), forward slash (/), backspace (\b), form feed (\f), new line (\n), carriage return (\r), and tab (\t).

PAN-72861 Fixed an issue where when you configured a PA-5200 Series or PA-7000 Series firewall to perform tunnel-in-tunnel inspection, which includes GRE keep-alive packets (Policies > Tunnel Inspection > <tunnel_inspection_rule> > Inspection > Inspect Options), and ran the clear session all CLI command while traffic was traversing a tunnel, the firewall temporarily dropped tunneled packets.

Getting Help
The following topics provide information on where to find more about this release and how to
request support:

> Related Documentation
> Requesting Support

Related Documentation
Refer to the PAN-OS® 9.0 documentation on the Technical Documentation portal for general information
on how to configure and use already-released features.
• PAN-OS 9.0 New Features Guide—Detailed information on configuring the features introduced in this
release.
• PAN-OS 9.0 Administrator’s Guide—Provides the concepts and solutions to get the most out of your
Palo Alto Networks next-generation firewalls. This includes taking you through the initial configuration
and basic setup of your Palo Alto Networks firewalls.
• Panorama 9.0 Administrator’s Guide—Provides the basic framework to quickly set up the Panorama™
virtual appliance or an M-Series appliance for centralized administration of the Palo Alto Networks
firewalls.
• WildFire 9.0 Administrator’s Guide—Provides steps to set up a Palo Alto Networks firewall to forward
samples for WildFire® Analysis, to deploy the WF-500 appliance to host a WildFire private or hybrid
cloud, and to monitor WildFire activity.
• VM-Series 9.0 Deployment Guide—Provides details on deploying and licensing the VM-Series firewall on
all supported hypervisors. It includes examples of supported topologies on each hypervisor.
• GlobalProtect 9.0 Administrator’s Guide—Describes how to set up and manage GlobalProtect™ features.
• PAN-OS 9.0 Web Interface Help—Detailed, context-sensitive help system integrated with the firewall
and Panorama web interface.
• Palo Alto Networks Compatibility Matrix—Provides operating system and other compatibility
information for Palo Alto Networks next-generation firewalls, appliances, and agents.
• Open Source (OSS) Listings—OSS licenses used with Palo Alto Networks products and software:
  • PAN-OS 9.0
  • Panorama 9.0
  • WildFire 9.0

Requesting Support
To contact support, get information on support programs, manage your account or devices, or
open a support case, go to https://support.paloaltonetworks.com.
You can also use the Palo Alto Networks® Contact Information as needed.
To provide feedback on the documentation, please write to us at documentation@paloaltonetworks.com.

Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
Palo Alto Networks, Inc.
www.paloaltonetworks.com
