
PAN-OS® Release Notes

Version 8.1.12

paloaltonetworks.com/documentation
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical Documentation portal www.paloaltonetworks.com/documentation.
• To search for a specific topic, go to our search page www.paloaltonetworks.com/documentation/document-search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at documentation@paloaltonetworks.com.

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2018-2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
January 15, 2020



Table of Contents

PAN-OS 8.1 Release Information
  Features Introduced in PAN-OS 8.1
    App-ID Features
    Virtualization Features
    Decryption Features
    WildFire Features
    Panorama Features
    Content Inspection Features
    Authentication Features
    GlobalProtect Features
    Management Features
    Networking Features
    User-ID Features
    Certifications Features
    New Hardware Introduced with PAN-OS 8.1
  Changes to Default Behavior
    App-ID Changes in PAN-OS 8.1
    Authentication Changes in PAN-OS 8.1
    Content Inspection Changes in PAN-OS 8.1
    GlobalProtect Changes in PAN-OS 8.1
    User-ID Changes in PAN-OS 8.1
    Panorama Changes in PAN-OS 8.1
    Networking Changes in PAN-OS 8.1
    Virtualization Changes in PAN-OS 8.1
    Appliance Changes in PAN-OS 8.1
  CLI and XML API Changes in PAN-OS 8.1
    Authentication CLI and XML API Changes
    Content Inspection CLI and XML API Changes
    Decryption CLI and XML API Changes
    GlobalProtect CLI and XML API Changes
    Management CLI and XML API Changes
    Panorama CLI and XML API Changes
    User-ID CLI and XML API Changes
  Associated Software and Content Versions
  Limitations
  Known Issues
    Known Issues Related to PAN-OS 8.1 Releases
    Known Issues Specific to the WF-500 Appliance

PAN-OS 8.1 Addressed Issues
  PAN-OS 8.1.12 Addressed Issues
  PAN-OS 8.1.11 Addressed Issues
  PAN-OS 8.1.10 Addressed Issues
  PAN-OS 8.1.9-h4 Addressed Issues
  PAN-OS 8.1.9 Addressed Issues
  PAN-OS 8.1.8-h5 Addressed Issues
  PAN-OS 8.1.8 Addressed Issues
  PAN-OS 8.1.7 Addressed Issues
  PAN-OS 8.1.6-h2 Addressed Issues
  PAN-OS 8.1.6 Addressed Issues
  PAN-OS 8.1.5 Addressed Issues
  PAN-OS 8.1.4-h2 Addressed Issues
  PAN-OS 8.1.4 Addressed Issues
  PAN-OS 8.1.3 Addressed Issues
  PAN-OS 8.1.2 Addressed Issues
  PAN-OS 8.1.1 Addressed Issues
  PAN-OS 8.1.0 Addressed Issues

Getting Help
  Related Documentation
  Requesting Support

PAN-OS 8.1 Release Information
Revision Date: December 31, 2019
Review important information about Palo Alto Networks PAN-OS® 8.1 software, including new features introduced, workarounds for open issues, and issues that are addressed in PAN-OS 8.1 releases. For installation, upgrade, and downgrade instructions, refer to the PAN-OS 8.1 New Features Guide.
To ensure that you are viewing the most current version of these release notes, always defer to the web version; do not store or rely on PDF files to be current after you download them.

> Features Introduced in PAN-OS 8.1


> Changes to Default Behavior
> CLI and XML API Changes in PAN-OS 8.1
> Associated Software and Content Versions
> Limitations
> Known Issues
> PAN-OS 8.1.12 Addressed Issues
> PAN-OS 8.1.11 Addressed Issues
> PAN-OS 8.1.10 Addressed Issues
> PAN-OS 8.1.9-h4 Addressed Issues
> PAN-OS 8.1.9 Addressed Issues
> PAN-OS 8.1.8-h5 Addressed Issues
> PAN-OS 8.1.8 Addressed Issues
> PAN-OS 8.1.7 Addressed Issues
> PAN-OS 8.1.6-h2 Addressed Issues
> PAN-OS 8.1.6 Addressed Issues
> PAN-OS 8.1.5 Addressed Issues
> PAN-OS 8.1.4-h2 Addressed Issues
> PAN-OS 8.1.4 Addressed Issues
> PAN-OS 8.1.3 Addressed Issues
> PAN-OS 8.1.2 Addressed Issues
> PAN-OS 8.1.1 Addressed Issues
> PAN-OS 8.1.0 Addressed Issues
> Getting Help

Features Introduced in PAN-OS 8.1
The following topics describe the new features and new hardware introduced with the PAN-OS® 8.1
release, which requires content release version 769 or a later version. For upgrade and downgrade
considerations and for specific information about the upgrade path for a firewall, refer to the Upgrade
section of the PAN-OS 8.1 New Features Guide. The new features guide also provides additional
information about how to use the new features in this release.
• App-ID Features
• Virtualization Features
• Decryption Features
• WildFire Features
• Panorama Features
• Content Inspection Features
• Authentication Features
• GlobalProtect Features
• Management Features
• Networking Features
• User-ID Features
• Certifications Features
• New Hardware Introduced with PAN-OS 8.1

App-ID Features
New App-ID Feature: SaaS Application Hosting Characteristics
Description: By leveraging the enhanced SaaS Application Hosting Characteristics in App-ID, you can now identify and control SaaS applications that could pose a risk to your organization due to unfavorable hosting characteristics. To help you understand the enterprise readiness of a SaaS application, five new characteristics have been added: certifications achieved, past data breaches, support for IP-based access restrictions, financial viability, and terms of service. Using these characteristics, you can identify and explore the extent of high-risk application usage from the Application Command Center (ACC). The SaaS Application Usage report is also enhanced to incorporate this context, with a summary page covering risky SaaS applications and the characteristics highlighted on the detailed pages. For a more tailored view, you can use the characteristics when building custom reports. Armed with the usage and the detailed risk profile, you can make informed decisions about which SaaS applications should be allowed in your environment and create policy to enforce this.

New App-ID Feature: Simplified App-ID
Description: Palo Alto Networks releases new App-IDs on a monthly basis that your security policy can begin to enforce without any additional configuration. While this enables the firewall to dynamically control application traffic with ever-increasing precision, it can also impact the availability of the mission-critical applications on which your organization relies.
Together, these new App-ID features enable you to equip the firewall with the latest application knowledge and ensure availability for mission-critical applications at the same time. Plus, they make it easier to move to and maintain an application-based security policy:
• New App-ID Threshold—Install content updates that include new App-IDs on a separate schedule from those that don’t; this gives you more time to update your security policy to account for any changes in enforcement.
• New App-ID Characteristic—Allow new App-IDs that might affect availability for critical enterprise applications (like software development or authentication App-IDs) and get visibility into new App-ID activity, so that you can best refine your security policy.
• Extended Policy Impact Review for Content Releases—In addition to new App-IDs, get insight into how modified App-IDs affect security policy enforcement.
• Coverage Change Details for Modified App-IDs—Get details on how coverage for a modified App-ID is expanded or more precise.

New App-ID Feature: SaaS Application Access Control using HTTP Header Insertion
Description: Unsanctioned usage of SaaS applications can be a way for your users to transmit sensitive information outside of your network. This kind of SaaS usage usually means that the user is accessing a consumer version of the application. At the same time, you may have found that usage of the enterprise version of these applications by specific individuals or organizations is both desirable and necessary. You can now disallow SaaS consumer accounts while allowing usage of a specific enterprise account by managing HTTP header information. Many SaaS applications allow or disallow application access based on information contained in specific HTTP headers. This feature provides predefined header insertion rules for popular SaaS applications such as G Suite and Microsoft Office 365. You can also create your own custom header insertion rules for SaaS applications for which predefined header insertion rules have not been provided by Palo Alto Networks, but that also use HTTP headers to limit service access.
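
The header-insertion idea described above, modelled as an added Python example; this is not PAN-OS code or a Palo Alto Networks rule format. The rule table, function names, and all domain, tenant and directory values are constructed assumptions; `X-GoogApps-Allowed-Domains`, `Restrict-Access-To-Tenants` and `Restrict-Access-Context` are the headers Google and Microsoft document for limiting sign-in to named enterprise accounts.

```python
"""Model of proxy-side HTTP header insertion for SaaS access control.

Illustrative only, not PAN-OS code. The rule table and every domain,
tenant and directory value below are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InsertionRule:
    name: str
    host_suffixes: tuple  # hosts the rule applies to (exact host or subdomain)
    headers: tuple        # (header name, enforced value) pairs


RULES = (
    InsertionRule(
        name="gsuite-enterprise-only",
        host_suffixes=("google.com",),
        headers=(("X-GoogApps-Allowed-Domains", "example.com"),),
    ),
    InsertionRule(
        name="o365-tenant-restriction",
        host_suffixes=(
            "login.microsoftonline.com",
            "login.microsoft.com",
            "login.windows.net",
        ),
        headers=(
            ("Restrict-Access-To-Tenants", "example.onmicrosoft.com"),
            ("Restrict-Access-Context", "00000000-0000-0000-0000-000000000000"),
        ),
    ),
)


def normalize_host(host_header):
    """Lower-case the Host value and drop any port and trailing dot."""
    host = host_header.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal: never matches a rule
        return host
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        host = name
    return host.rstrip(".")


def host_matches(host, suffix):
    """Match the exact host or a true subdomain, not a look-alike suffix."""
    return host == suffix or host.endswith("." + suffix)


def apply_header_insertion(host_header, headers, rules=RULES):
    """Return (headers after insertion, names of the rules that applied).

    `headers` is a list of (name, value) pairs from the decrypted request.
    """
    host = normalize_host(host_header)
    out = list(headers)
    applied = []
    for rule in rules:
        if not any(host_matches(host, s) for s in rule.host_suffixes):
            continue
        managed = {name.lower() for name, _ in rule.headers}
        # Remove every client-supplied copy first (header names are
        # case-insensitive), so the enforced value is the only one the
        # SaaS provider sees.
        out = [(n, v) for n, v in out if n.lower() not in managed]
        out.extend(rule.headers)
        applied.append(rule.name)
    return out, applied


if __name__ == "__main__":
    # Constructed request: the client already carries its own copy of the header.
    request = [
        ("Host", "accounts.google.com:443"),
        ("x-googapps-allowed-domains", "personal.example"),
        ("User-Agent", "demo"),
    ]
    new_headers, applied = apply_header_insertion("accounts.google.com:443", request)
    print(applied)
    for name, value in new_headers:
        print(f"{name}: {value}")
```

Headers inside HTTPS are visible to an inline device only after decryption, so a rule of this kind has no effect on sessions that are not decrypted.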

New App-ID Feature: Easy Custom Timeouts for Applications and Services
Description: You want to migrate from your legacy firewall to a Palo Alto Networks next-generation firewall so that you can safely and comprehensively enable the applications you need to do business, but you also need to maintain any custom timeouts configured for your mission-critical applications. Now, you can configure custom timeouts for legacy applications in two quick and easy steps, where previously to maintain custom timeouts during the move to an application-based policy, you might have overridden App-ID (losing application visibility) or created a custom App-ID (expending a lot of time and research).

Virtualization Features
New Virtualization Feature: VM-50 Lite
Description: The VM-50 Lite is a resource-optimized mode of the VM-50 firewall with a smaller memory footprint. This mode allows you to deploy the VM-Series firewall in environments where resources are limited while providing the same performance and features as the standard VM-50 firewall.

New Virtualization Feature: Integration with Azure Security Center
Description: You can now deploy the VM-Series firewall directly from the Azure Security Center, which provides a consolidated view of the security posture of your Microsoft Azure workloads. This integration enables you to forward URL Filtering, Threat, and WildFire logs of high and critical severity that are generated on the firewall to Azure Security Center so that you can monitor security events from a single management console. When the firewall prevents an attack on your internet-facing web server and generates a threat log for a known vulnerability on an inbound request, for example, it forwards this log to Azure Security Center where you can directly review the security incident.

New Virtualization Feature: Bootstrapping Enhancements for VM-Series firewall on Azure
Description: When bootstrapping the VM-Series firewall on Azure, you can now use Azure file storage (instead of a data disk) to store the bootstrap files. This change improves the bootstrapping workflow because it enables multiple virtual machines to simultaneously access the same bootstrap package.

New Virtualization Feature: Support for Azure Application Insights
Description: To enable monitoring and alerts on the health and performance of the VM-Series firewall, you can now natively publish firewall metrics to Azure Application Insights. The integration with Azure Application Insights allows you to monitor custom PAN-OS metrics such as total number of active sessions or dataplane CPU utilization, in order to set alarms or trigger automation events.

New Virtualization Feature: VM Monitoring for Azure
Description: VM Monitoring of Microsoft® Azure® resources enables you to dynamically update security policy rules to consistently enforce Security policy across all assets deployed within your Azure subscription. VM Monitoring on Azure uses a VM Monitoring script that runs on a virtual machine within the Azure public cloud. This script collects the IP address-to-tag mapping for all your Azure assets and uses the API to push the VM information to your Palo Alto Networks® firewall(s).

New Virtualization Feature: VM-Series Firewall on Google Cloud Platform
Description: To secure your workloads on the Google Cloud Platform, you can now deploy the VM-Series firewall from the Google Cloud Platform Marketplace. To scale security with your workloads, deploy one or more instances of the VM-Series firewall behind Google Cloud load balancers and bootstrap the firewall with a complete configuration that includes security policies at launch.
The VM-Series firewall can also natively publish metrics to the Google Stackdriver to monitor and trigger alerts for firewall health and performance. And, to create security policy rules that automatically adapt to changes to your workloads—adds, moves, or deletions of virtual machines in a Google Cloud Platform Project VPC—you can enable VM Monitoring for instances running on Google Cloud Platform on any hardware or VM-Series firewall running PAN-OS 8.1.

New Virtualization Feature: Performance Enhancements for the VM-Series Firewall on NSX
Description: The VM-Series firewall for VMware NSX can now provide higher per-host traffic throughput. In addition to PAN-OS 8.1, you must also be running VMware NSX Manager 6.3.1 or higher. NSX Manager 6.3.1 introduced NetX APIs that support multiple device channels and multi-process I/O, allowing the VM-Series firewall to use these device channels to improve performance. NSX allocates device channels equal to the number of dataplane cores assigned to the firewall. When you upgrade to 8.1, your VM-Series firewall deployed in an NSX 6.3.1 or higher environment takes full advantage of the number of maximum effective cores assigned to the dataplane.

New Virtualization Feature: FQDN Refresh Time Enhancement
Description: In PAN-OS 8.1, VM-Series firewalls support a larger range for the FQDN Refresh Time than in prior releases. The range is now 60-14,399 seconds, which allows VM-Series firewalls to refresh the IP addresses for an FQDN at shorter intervals. A shorter refresh time is helpful for VM-Series firewalls in cloud deployments where IP addresses for FQDNs change frequently.
The shorter refresh time along with the support for using the FQDN of a load balancer in Destination NAT policy (Dynamic IP Address Support for Destination NAT) makes it easier for you to deploy the Amazon ELB service and any other FQDN-based load balancer to distribute sessions evenly across more than one IP address.

Decryption Features
New Decryption Feature: Decryption Broker
Description: Offload SSL decryption to the Palo Alto Networks firewall and decrypt traffic only once. A firewall enabled as a decryption broker forwards clear text traffic to security chains (sets of inline, third-party appliances) for additional enforcement. This allows you to consolidate security functions on the firewall, optimize network performance, and reduce the number of devices in your security infrastructure.

New Decryption Feature: Automatic SAN Support for SSL Decryption
Description: Browsers like Google Chrome and Mozilla Firefox require server certificates to use a Subject Alternative Name (SAN), instead of a Common Name (CN), to specify the domains the certificate protects. In order to continue to decrypt SSL sessions where a server certificate contains only a CN, the firewall can now add a SAN to the impersonation certificate it uses to establish itself as a trusted third-party to the SSL session. The firewall populates the SAN in the impersonation certificate based on the server certificate CN.

New Decryption Feature: HSM Client Upgrade and SafeNet HSM Cluster Support
Description: When you use a firewall as a hardware security module (HSM) client to manage your digital keys, that firewall HSM client now supports SafeNet client versions 5.4.2 and 6.2.2 and Thales nShield version 12.30 to provide compatibility with HSM server versions.
Additionally, SafeNet HSM server high availability is enhanced from supporting an HA pair of HSMs to supporting an HA cluster of up to 16 HSMs.
The HSM client upgrades and SafeNet HSM high availability clusters are supported on Panorama and all firewall models except for PA-800 Series, PA-500, PA-220, and PA-200 firewalls.

New Decryption Feature: ECDSA Certificate Support for SSL Decryption with HSMs
Description: You can now securely store your elliptic curve private keys on a third-party network HSM when you use Elliptic Curve Digital Signature Algorithm (ECDSA) certificates for SSL decryption. The firewall can get the ECDSA key from the HSM to decrypt traffic between a client and server. HSM support for ECDSA certificates applies to SSL decryption in both forward proxy and inbound inspection modes.

New Decryption Feature: ECDHE/DHE Cipher Support on HSMs
Description: HSM integration now supports Diffie-Hellman Exchange (DHE) and Elliptic Curve DHE (ECDHE) ciphers for SSL decryption when your keys are stored on a network HSM.


New Decryption Feature: Decryption Port Mirroring Support Extension
Description: Decryption port mirroring is now supported on all hardware-based and VM-Series firewalls. This feature enables the firewall to create a copy of decrypted traffic and send it to a traffic collection tool for archiving and analysis.
This feature is not supported on VMware NSX, Citrix SDX, or public cloud hypervisors (AWS, Azure, and Google Cloud Platform).

WildFire Features
New WildFire Feature: Static Analysis Detection Enhancements
Description: The WildFire® appliance static analysis environment now includes improved malware detection logic that is delivered through content releases. Previously, updates to the WildFire appliance detection engines were limited to PAN-OS® software releases. This feature enables the WildFire appliance to enhance the accuracy of threat detection by providing regularly scheduled updates that can be installed to combat zero-day threats.
Note: Download and install the latest content updates daily to stay up-to-date with the static analysis enhancements.

New WildFire Feature: WildFire Forwarding Support for Linux and Archive Files
Description: You can now configure the Palo Alto Networks firewall to automatically forward archive (RAR and 7-Zip) and Linux (ELF) file types for WildFire analysis.

New WildFire Feature: Encrypted Appliance-to-Appliance Communications
Description: You can now enable encryption in WildFire appliance clusters to maintain the confidentiality of transmitted content, including user samples. This feature allows you to configure custom and predefined client/server certificates so that appliances can establish encrypted appliance-to-appliance communication. Additionally, WildFire appliances in a cluster are now supported in FIPS-CC compliant mode when you configure this feature using FIPS-CC compliant certificates.

Panorama Features

New Panorama Feature: Device Monitoring on Panorama
Description: Monitoring resource utilization on firewalls helps you assess the impact of substantial policy changes and operational activities, benchmark across locations with similar traffic profiles, and proactively track device component health. The data needed to conduct these analyses is often aggregated in separate tools that firewall administrators cannot access. With Device Monitoring on Panorama you can now track resource utilization, environmental conditions, and other key operational metrics over time and in bulk across large deployments. With this new ability, Panorama can highlight devices operating outside their normal ranges and provide the data you need to accelerate investigation and make informed decisions.

New Panorama Feature: Configuration Reusability for Templates and Template Stacks
Description: Deploying firewalls with few differences in networking/device level configuration often requires duplication of templates on Panorama. Such duplication increases operational overhead and the chances of configuration errors. PAN-OS 8.1 introduces variables for device-specific IP values, which enable you to use the same templates in a template stack for multiple appliances that have unique configurations so that you can minimize template duplication and reduce inconsistencies between appliances.

New Panorama Feature: Support for Panorama Virtual Appliance in New Environments
Description: The Panorama virtual appliance is now supported on AWS, AWS GovCloud, Azure, Google™ Cloud Platform, KVM, and Hyper-V to provide more flexibility. The functionality and features on the Panorama virtual appliance match the hardware-based M-Series appliances so you have the option of deploying the entire Panorama environment on the newly supported hypervisors or on a mix of both physical and virtual appliances and reduce your physical footprint.

New Panorama Feature: Dedicated Log Collectors in Virtual Environments
Description: You can now deploy Dedicated Log Collectors in virtual environments to align with your business strategy and reduce capital costs. Because the virtual Dedicated Log Collectors on AWS, AWS GovCloud, Azure, Google™ Cloud Platform, KVM, Hyper-V, and VMware ESXi provide the same functionality as hardware-based M-series appliances, you now have the flexibility to scale your log collection infrastructure without the challenges associated with physically deploying hardware.

New Panorama Feature: Management Only Mode
Description: Panorama in Management Only mode is now available for you to offload logging to the Logging Service and/or your on-premises distributed Log Collectors. In this mode you can continue to use Panorama for centralized configuration, device management, and deployment of your managed firewalls, Log Collectors and WildFire clusters, and have a single pane for monitoring network and threat activity on the ACC and for generating reports. On a Panorama virtual appliance this mode provides a smaller memory footprint, and on a hardware-based Panorama appliance it frees up resources required for log collection functions. Because the log-related capabilities are not enabled in this mode, the configuration management capability on Panorama is more efficient and results in faster commit times, speedier configuration pushes, and deployment of software and content updates.

New Panorama Feature: Device Management License Enforcement for Panorama
Description: In PAN-OS 8.1, Panorama validates that valid device management and associated support licenses exist for the firewalls you plan to manage on Panorama. New and existing Panorama virtual appliances running PAN-OS 8.1 have a 180-day grace period from deployment or upgrade to download and install the device management license if you don’t already have one installed.

New Panorama Feature: Content Update Revert from Panorama
Description: Revert content updates on one or more managed firewalls, Log Collectors, or WildFire appliances from Panorama without the need to log in to each managed appliance to revert the content version for each appliance individually. This capability reduces the time required to restore your environment when a content update negatively impacts your network operations.


New Panorama Feature: Direct Query of PA-7000 Series Firewalls from Panorama
Description: Because the PA-7000 Series firewall can now forward logs to Panorama, Panorama no longer treats the PA-7000 Series firewalls it manages as Log Collectors. If you have not configured your managed PA-7000 Series firewalls to forward logs to Panorama, by default you can only view the logs from the local firewall and not from Panorama. If you do not yet have a log forwarding infrastructure capable of handling the logging rate and volume from your PA-7000 Series firewalls, you can now enable Panorama to directly query managed PA-7000 Series firewalls so that you can view the logs directly from Panorama.

Content Inspection Features


New Content Inspection Feature: SCTP Security
Description: In mobile network operator environments, you can now enforce multilayer security on Stream Control Transmission Protocol (SCTP) traffic to prevent information from leaking and prevent attackers from causing denial of service, network congestion, and outages that disrupt data and voice services for mobile subscribers.
In addition to enabling stateful inspection with multi-homing support, multi-chunk inspection and protocol validation of SCTP, this feature enables you to filter SCTP traffic based on payload protocol IDs (PPIDs) and to filter Diameter and SS7 traffic over SCTP.
SCTP security is supported only on PA-5200 Series and VM-Series firewalls and requires content release version 785 or a later version.

New Content Inspection Feature: Rapid Deployment of the Latest Threat Prevention Updates
Description: When thinking about how best to deploy the latest application and threat updates, you might have had to previously choose between a mission-critical approach—where you delay content installation until you can assess impact to application availability—and a security-first approach—where you prioritize immediate threat protection over possible impact to application availability. Now, you don’t need to choose. The following features enable a blend of both approaches, so that you can quickly deploy the latest threat prevention updates while ensuring application availability:
• Installation Threshold for New-App-IDs—Fine tune content update thresholds to install threat updates and application updates separately based on your network security and availability requirements.
• Streamlined Panorama Deployment for Content Releases—Use Panorama to more easily configure dynamic updates schedules for multiple firewalls, and stagger updates across your network (for example, deploy updates to locations with less business risk first, like satellite offices).

Tools to Avoid or Palo Alto Networks application and threat content releases undergo rigorous
Mitigate Content performance and quality assurance; however, because there are so many
Update Issues possible variables in a customer environment, there are rare occasions
where a content release might impact a network in an unexpected way. The
following features are now available to help you to avoid or mitigate an issue
with a content release, so that there is as little impact to your network as
possible:

• Content Release Validation Check—The firewall now validates that
a previously-downloaded content release is still Palo Alto Networks-
recommended at the time of installation.
• Enhanced Telemetry—The threat intelligence telemetry data that the
firewall sends to Palo Alto Networks now includes information that Palo
Alto Networks can use to identify and troubleshoot issues with content
updates.
• Critical Content Alerts—Palo Alto Networks can now directly alert you
to a critical content release issue; we’ll give you the information you
need to understand if and how the issue affects you, along with steps to
move forward. (If needed, you can also now use Panorama to easily revert
managed firewalls to the latest content update version. See Panorama
Features).

SMB Improvements Firewall SMB support now includes SMBv3 (3.0, 3.0.2, and 3.1.1) and has
with WildFire Support additional threat detection and file identification capabilities, performance,
and reliability across all versions of SMB. These improvements provide an
additional layer of security for networks, such as data center deployments,
network segments, and internal networks by allowing files transmitted
using SMB to be forwarded to WildFire for analysis. Because of the way
that SMBv3 multi-channel works in splitting up files, customers should
disable the use of multi-channel file transfer for maximum protection
and inspection of files. As a result, Palo Alto Networks recommends
disabling SMB multi-channel through the Windows PowerShell. For more
information on this task, please refer to: technet.microsoft.com/en-us/library/
dn610980(v=ws.11).aspx

Option to Hold Web (PAN-OS 8.1.10 and later releases) You can now decide whether to hold or
Requests During URL allow web requests while the firewall performs a URL category lookup. By
Category Lookup default, the firewall allows requests to be made while it looks up uncached
URLs in PAN-DB. Now, you can hold requests during this lookup, which can
improve third-party security ratings.

Graceful Enablement (PAN-OS 8.1.9 and later releases) You can now enable GTP stateful
of GTP Stateful inspection in the firewall gracefully with minimal disruption to GTP traffic.
Inspection You can allow GTPv2, GTPv1-C, and GTP-U packets that fail GTP stateful
inspection to pass through a firewall. Although the firewall drops such packets
by default after GTP stateful inspection is enabled, allowing them to pass
minimizes disruption when you deploy a new firewall or when you migrate
GTP traffic.

Graceful Enablement (PAN-OS 8.1.10 and later releases) You can now enable SCTP stateful
of SCTP Stateful inspection in the firewall gracefully with minimal disruption to SCTP traffic.
Inspection You can allow SCTP packets that fail SCTP stateful inspection to pass through
a firewall. Although the firewall drops such packets by default after SCTP
stateful inspection is enabled, allowing them to pass minimizes disruption
when you deploy a new firewall or when you migrate SCTP traffic.

Authentication Features
New Authentication Description
Feature

EAP Support for To securely transport credentials between the firewall and the RADIUS
RADIUS server without having to create IPSec tunnels, you can now use one of three
Extensible Authentication Protocol (EAP) methods: PEAP-MSCHAPv2,
PEAP with GTC, and EAP-TTLS with PAP. You can use this feature for
GlobalProtect and Captive Portal authentication and for administrative
access to the firewall and Panorama. For more information, refer to the New
Features Guide.

Authentication Using You can now deploy custom certificates to replace the predefined certificates
Custom Certificates for shipped on Palo Alto Networks appliances for management connections
WildFire and PAN-DB between WildFire or PAN-DB appliances and other products in the Palo
Alto Networks next-gen security platform. By generating and deploying
custom certificates for each appliance, you can establish a unique chain of
trust between WildFire and PAN-DB and connected Palo Alto Networks
appliances. You can generate these custom certificates locally or import them
from an existing enterprise public key infrastructure (PKI).

GlobalProtect Features

New GlobalProtect Description
Feature

Optimized Split In addition to route-based split tunnel policy, GlobalProtect™ now supports
Tunneling for split tunneling based on destination domain, client process, and HTTP/HTTPS
GlobalProtect video streaming application. This feature works on Windows and macOS
endpoints and enables you to:
• Tunnel enterprise SaaS and public cloud applications for comprehensive
SaaS application visibility and control to avoid risks associated with
Shadow-IT in environments where tunneling all traffic is not feasible.
• Send latency-sensitive traffic, such as VoIP, outside the tunnel, while
all other traffic goes through the tunnel for inspection and policy
enforcement by the GlobalProtect gateway.
• Exclude HTTP/HTTPS video streaming traffic from the tunnel. Video
streaming applications, such as YouTube and Netflix, consume large
amounts of bandwidth. By excluding lower risk video streaming traffic
from the tunnel, you can decrease bandwidth consumption on the
gateway.

Kerberos GlobalProtect endpoints running macOS 10.10 and later releases now
Authentication Support support Kerberos V5 single sign-on (SSO) for GlobalProtect portal and
for macOS gateway authentication. Kerberos SSO, which is primarily intended for
internal gateway deployments, provides accurate User-ID™ information
without user interaction and helps enforce user and HIP policies.


SAML SSO for GlobalProtect now supports SAML single sign-on (SSO) for Chrome OS. If you
GlobalProtect on configure SAML as the authentication standard for Chromebooks, users can
Chromebooks authenticate to GlobalProtect by leveraging the same login they use to access
the Chromebook applications. This allows users to connect to GlobalProtect
without having to re-enter their credentials in the GlobalProtect app. With
SSO enabled (default), Google acts as the SAML service provider while the
GlobalProtect app authenticates users directly to your organization’s SAML
identity provider.

GlobalProtect currently supports only the Post SAML HTTP binding method.

GlobalProtect The GlobalProtect credential provider logon screen on Windows 7 and
Credential Provider Windows 10 endpoints now displays the pre-logon connection status when
Pre-Logon Connection you configure pre-logon for remote users. The pre-logon connection status
Status indicates the state of the pre-logon VPN connection prior to user logon. By
providing more visibility on the pre-logon connection status, this feature
allows end-users to determine whether they will be able to access network
resources upon logon, which prevents them from logging in prematurely
before the connection establishes and network resources become available.
If the GlobalProtect app determines that an endpoint is internal (connected
to the corporate network), the logon screen displays the GlobalProtect
connection status as Internal. If the GlobalProtect app determines that
an endpoint is external (connected to a remote network), the logon
screen displays the GlobalProtect connection status as Connected or Not
Connected.

Active Directory End users can now change their Active Directory (AD) password using
Password the GlobalProtect credential provider on Windows 10 endpoints. This
Change Using the enhancement improves the single sign-on (SSO) experience by allowing
GlobalProtect users to update their AD password and access resources that are secured by
Credential Provider GlobalProtect using the GlobalProtect credential provider. Users can change
their AD password using the GlobalProtect credential provider only when
their AD password expires or an administrator requires a password change at
the next login.

Expired Active Remote users can now change their RADIUS or Active Directory (AD)
Directory Password password through the GlobalProtect app when their password expires or
Change for Remote a RADIUS/AD administrator requires a password change at the next login.
Users With this feature, users can change their RADIUS or AD password when
they are unable to access the corporate network locally and their only
option is to connect remotely using RADIUS authentication. This feature is
enabled only when the user authenticates with a RADIUS server using the
Protected Extensible Authentication Protocol Microsoft Challenge Handshake
Authentication Protocol version 2 (PEAP-MSCHAPv2).

OPSWAT SDK V4 GlobalProtect is now integrated with OPSWAT SDK V4 to detect and assess
Support the endpoint state and the third-party security applications running on the
endpoint. OPSWAT is a security tool leveraged by the Host Information
Profile (HIP) to collect information about the security status of your
endpoints. GlobalProtect uses this information for policy enforcement on the
GlobalProtect gateway.
This integration follows the end-of-life (EoL) announcement for OPSWAT
SDK V3, which is the OPSWAT SDK version supported by GlobalProtect in
PAN-OS 8.0 and earlier releases.

GlobalProtect App for The new GlobalProtect app for Linux now extends User-ID and security
Linux policy enforcement to users on Linux endpoints. The GlobalProtect app
provides a command-line interface and functions as an SSL or IPSec VPN
client. The GlobalProtect app supports common GlobalProtect features and
authentication methods, including certificate and two-factor authentication
and both user-logon and on-demand connect methods. The app can also
perform internal host detection to determine whether the Linux endpoint
is on the internal network and collects host information (such as operating
system and operating system version, domain, hostname, host ID, and
network interface). Using this information, you can allow or deny access to a
specific Linux endpoint based on the adherence of that endpoint to the host
policies you define.
The GlobalProtect app for Linux is available for the Linux distribution of
Ubuntu 14.04, RHEL 7.0, and CentOS 7.0 (and later releases of each) and
requires a GlobalProtect subscription.

GlobalProtect Tunnel You can now configure GlobalProtect to preserve the existing VPN tunnel
Preservation On User when users log out of their endpoint. With this enhancement, you can specify
Logout the amount of time for which the GlobalProtect session remains active during
user logout.

Automatic Launching You can now configure GlobalProtect to launch your default web browser
of Web Browser automatically upon captive portal detection so that users can log in to the
in Captive Portal captive portal seamlessly. With this enhancement, you can specify the URL
Environment of the website that you want to use for the initial connection attempt that
initiates web traffic when the default web browser launches. The captive
portal then intercepts this website connection attempt and redirects the
default web browser to the captive portal login page.

Management Features
New Management Description
Feature

Rule Usage Tracking Obsolete or outdated firewall rules introduce unnecessary security risks that
can be exploited by an attacker to execute a successful cyber attack. With
rule usage tracking, you can readily identify unused rules, validate additions
to the rulebase, and evaluate whether the policy implementation matches
your enforcement needs. This capability gives you a way to identify obsolete
rules to aid in the transition from port-based rules to App-ID based rules. The
statistics for monitoring rule use include a timestamp for the most recent rule
match, a timestamp for the first rule match, and a rule hit counter.


Configuration Table Auditors often require snapshots of Panorama and firewall configuration in
Export order to track and validate changes over time or to demonstrate compliance
with industry standards. You can now export the configuration table of
your rulebases and objects into a PDF or CSV format directly from the web
interface, and provide the auditor an easy way to read and manipulate the
data for analysis.

Reporting Engine Correlate system events with user activity to investigate network and
Enhancements platform behavior and use these correlations to create policies that guard
against security risks and patterns you observe on your network. When a
network event occurs, you can now overlay system logs on top of available
activity logs in the ACC and use the newly added User Activity Report
filters to include or exclude specific users, applications, IP addresses, or URL
categories. Then, use the results of these reporting engine enhancements to
reduce or prevent future risky behavior in your network.

Enhanced Application Enable the firewall to collect data that increases network visibility for Palo
Logging Alto Networks applications. For example, this increased network visibility
enables Palo Alto Networks Magnifier to better categorize and establish a
baseline for normal network activity, in order to detect unusual behavior that
might indicate an attack. Enhanced Application Logging requires a Logging
Service license, and you cannot view enhanced application logs; they are
designed to be consumed only by Palo Alto Networks applications and
services.

Software Integrity Starting with PAN-OS 8.1.1, firewalls and Panorama perform software
Check integrity checks for tamper detection and software corruption. The software
integrity check validates that the operating system and data file structure are
intact and as delivered by Palo Alto Networks. When the check is successful,
a System log of informational severity is generated. If the check detects a
software corruption or possible appliance tampering, it generates a System
log of critical severity on PAN-OS 8.1.1 and 8.1.2. Starting with PAN-OS 8.1.3, the
appliance goes into maintenance mode when the check fails. For more details
on how the software integrity check works, see the PAN-OS 8.1.1 Software
Integrity Check article.
If you're using Panorama with GlobalProtect Cloud Service or the Logging
Service, you must install Cloud Services plugin 1.0.3 before you upgrade
Panorama to PAN-OS 8.1.1. If you attempt to upgrade Panorama to 8.1.1
with a Cloud Services plugin version earlier than 1.0.3, the Panorama
upgrade will fail.

Networking Features
New Networking Description
Feature

Tunnel Content Tunnel Content Inspection is enhanced so that you can separate logs for
Inspection Logging outer tunnel traffic from logs for inside traffic, which is subject to security
policy rules. This separation provides more reporting options, enhanced ACC
statistics, and makes troubleshooting long-lived sessions, such as GRE, easier.
For example, using only the default logging for a security policy rule (which
logs at session end) might not provide any logs, but now you can log tunnel
sessions at the start and end of a session, allowing you to view all GRE traffic.
You can also now forward tunnel inspection logs to one or more servers or to
Panorama, which makes it more convenient to access log data. Additionally,
when you view a detailed tunnel inspection log, it includes the name of the
tunnel inspection rule applied to a session that was captured in the log, which
makes it easier to track information about non-encrypted tunnel traffic.

Dynamic IP Address You can now configure destination NAT to a translated destination host that
Support for Destination has a DHCP-assigned IP address (not just to a host with a static IP address)
NAT because the translated address can now be an FQDN. This means that
when the DHCP server assigns a new address to the host, you don’t have to
manually update the FQDN, the DNS server, or the NAT policy rule—nor do
you need to use a separate external component to update the DNS server
with the latest FQDN-to-IP address mapping.
With this capability, if the FQDN resolves to more than one address, the
firewall automatically distributes sessions among those addresses (based on
a round-robin algorithm) to provide more evenly distributed session loading.
Also, in a single NAT rule, you can translate multiple pre-NAT destination IP
addresses to multiple post-NAT destination IP addresses to support a many-
to-many destination NAT translation.

FQDN Support for When you configure an IPSec tunnel with an IKE gateway peer, the peer’s
IKE Gateway Peer IP address can now be an FQDN or an address object that uses an FQDN,
Address which helps you avoid the need to reconfigure changed IP addresses for IKE
endpoints. For example, if you have several satellite offices with multiple hub
locations and VPN connectivity between firewalls at the satellites and hub
gateway, you can now configure the firewall in each satellite office with the
IKE peer address of the hub as an FQDN. So if one hub goes down, the DNS
server for that FQDN automatically resolves the FQDN to the IP address for
the second hub and you don’t have to manually reconfigure the IKE peer to
use the IP address of the second hub.

Configuration Capacity To help you scale your deployment and ease the migration to Palo Alto
Improvements Networks firewalls, there are several configuration capacity improvements.
Depending on the model, firewalls running PAN-OS 8.1 now support more
address groups, service groups, service entries per service group, address
objects, service objects, FQDN address objects, zones, tunnel zones, security
rules, and tunnel inspection rules. Additionally, all firewalls running PAN-OS
8.1 support 63 characters per rule name.

Refresh of Default The certificate authorities (CAs) that the firewall trusts by default are
Trusted CAs updated in PAN-OS 8.1; new CAs are added and expired CAs are removed.
The pre-installed list of CAs includes the most common and trusted certificate
providers responsible for issuing the certificates the firewall requires to
secure the connections to the internet. Because these CAs are trusted by
default, you need to add only those additional trusted enterprise CAs that are
required by your organization.


ARP Cache Timeout The fixed 1800-second timeout of ARP cache entries (mappings of IP
addresses to hardware addresses) set on the firewall might not have suited
your environment. You can now change the ARP cache timeout to a value in
the range of 60 to 65,535 seconds.

Logging of Packet- (PAN-OS 8.1.2 or later releases) You now have a way to generate a Threat
Based Attack log when the firewall receives certain types of packets, so that you can
Protection Events more easily analyze these occurrences and also fulfill audit and compliance
requirements. If you enable the following types of Packet-Based Attack
Protection in a Zone Protection profile, you can generate a Threat log when
the firewall receives and drops such packets:
• Fragmented IP packets
• IP address spoofing
• ICMP packets larger than 1024 bytes
• Packets containing ICMP fragments
• ICMP packets embedded with an error message
• First packets for a TCP session that are not SYN packets
You can also generate Threat logs on the following events (which don’t
require Packet-Based Attack Protection):
• Teardrop attack
• DoS attack using ping of death
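What the packet-level conditions in the first list look like on the wire, as an added example (not firewall code or Palo Alto Networks logic): a Python check over constructed IPv4 packets for four of the six listed conditions. It assumes the 1024-byte ICMP limit applies to the ICMP message length and treats only a packet with SYN set and ACK clear as a SYN; IP address spoofing (which needs routing context) and ICMP embedded errors are left out, and all function names and finding labels are this example's own.

```python
import socket
import struct

ICMP_MAX_BYTES = 1024  # limit named in the release note; applied to the ICMP message (assumption)
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10


def ipv4(proto, payload, src, dst, flags_frag=0):
    """Build a minimal IPv4 packet for the samples (checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def tcp(sport, dport, flags):
    """Build a 20-byte TCP header with the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 8192, 0, 0)


def icmp_echo(size):
    """Build an ICMP echo request whose whole message is `size` bytes."""
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"\x00" * (size - 8)


def check_packet(pkt, sessions):
    """Return the listed conditions one packet matches; `sessions` holds known TCP flows."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["malformed"]
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        return ["malformed"]
    proto, src, dst = pkt[9], pkt[12:16], pkt[16:20]
    frag_offset = flags_frag & 0x1FFF
    fragmented = bool(flags_frag & 0x2000) or frag_offset > 0  # MF bit or non-zero offset
    l4 = pkt[ihl:total_len]

    findings = []
    if fragmented:
        findings.append("fragmented-ip")
    if proto == PROTO_ICMP:
        if fragmented:
            findings.append("icmp-fragment")
        if len(l4) > ICMP_MAX_BYTES:
            findings.append("icmp-large")
    elif proto == PROTO_TCP and frag_offset == 0 and len(l4) >= 14:
        sport, dport = struct.unpack("!HH", l4[:4])
        flow = frozenset({(src, sport), (dst, dport)})  # same key for both directions
        if flow not in sessions:
            if l4[13] & (TCP_SYN | TCP_ACK) == TCP_SYN:
                sessions.add(flow)  # a plain SYN opens the session
            else:
                findings.append("tcp-non-syn-first")
    return findings


def scan(packets):
    """Check packets in order, sharing one session table across them."""
    sessions = set()
    return [check_packet(p, sessions) for p in packets]


# Constructed sample traffic (documentation address ranges).
A, B = "192.0.2.10", "198.51.100.5"
SAMPLES = [
    ipv4(PROTO_TCP, tcp(40000, 443, TCP_SYN), A, B),            # opens a session
    ipv4(PROTO_TCP, tcp(443, 40000, TCP_SYN | TCP_ACK), B, A),  # reply in that session
    ipv4(PROTO_TCP, tcp(40001, 443, TCP_ACK), A, B),            # ACK with no session
    ipv4(PROTO_ICMP, icmp_echo(1200), A, B),                    # oversized ICMP
    ipv4(PROTO_ICMP, icmp_echo(64), A, B, flags_frag=0x2000),   # ICMP with MF set
    ipv4(PROTO_UDP, b"\x00" * 32, A, B, flags_frag=185),        # later UDP fragment
]

if __name__ == "__main__":
    for number, findings in enumerate(scan(SAMPLES), 1):
        print(number, findings or "clean")
```
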

User-ID Features
The Windows-based User-ID™ Agent 8.1 release includes the following new feature.

New User-ID Feature Description

Support for Multiple When a user logs on to multiple services with different usernames, User-
Username Formats ID™ sources send these usernames in multiple formats (for example,
jane.doe@domain.com, DOMAIN\jdoe, and jdoe). In this case, it can be
difficult to uniquely identify the user. To help you identify and consistently
enforce policy for these users, you can now configure the firewall to fetch
multiple attributes from an LDAP-compliant directory.
For more information, refer to the PAN-OS® 8.1 New Features Guide.
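Why more than one directory attribute is needed, as an added example (not Palo Alto Networks code and not the firewall's own matching logic): the Python sketch below resolves the three username formats named above to one primary username by indexing several attributes of each directory entry. The directory entries, the attribute names (sAMAccountName, userPrincipalName, mail), the NetBIOS domain set and the choice of primary attribute are constructed assumptions.

```python
# Constructed directory entries standing in for LDAP search results.
DIRECTORY = [
    {"sAMAccountName": "jdoe",
     "userPrincipalName": "jane.doe@domain.com",
     "mail": "jane.doe@domain.com"},
    {"sAMAccountName": "asmith",
     "userPrincipalName": "asmith@domain.com",
     "mail": "alice.smith@domain.com"},
]
KNOWN_NETBIOS_DOMAINS = {"DOMAIN"}  # assumed NetBIOS name of domain.com


def classify(username):
    """Name the format a User-ID source used for this username."""
    if "\\" in username:
        return "domain\\user"
    if "@" in username:
        return "user@domain"
    return "bare"


def build_index(directory, attributes):
    """Map each lower-cased attribute value to its entry.

    A value claimed by two different entries is stored as None so that it
    never resolves to the wrong user.
    """
    index = {}
    for entry in directory:
        for attr in attributes:
            value = entry.get(attr)
            if not value:
                continue
            key = value.lower()
            if key not in index:
                index[key] = entry
            elif index[key] is not entry:
                index[key] = None  # ambiguous: shared by two users
    return index


def resolve(username, index, primary_attr="userPrincipalName"):
    """Return the primary username for any supported format, or None."""
    lookup = username
    if classify(username) == "domain\\user":
        domain, _, lookup = username.partition("\\")
        if domain.upper() not in KNOWN_NETBIOS_DOMAINS:
            return None  # unknown domain: do not guess
    entry = index.get(lookup.lower())
    return entry.get(primary_attr) if entry else None


def resolve_all(usernames, attributes):
    """Resolve a batch of usernames using only the given attributes."""
    index = build_index(DIRECTORY, attributes)
    return {name: resolve(name, index) for name in usernames}


# The three formats from the text, all belonging to the same person.
SEEN = ["jane.doe@domain.com", "DOMAIN\\jdoe", "jdoe"]

if __name__ == "__main__":
    print("one attribute:   ", resolve_all(SEEN, ("sAMAccountName",)))
    print("three attributes:", resolve_all(
        SEEN, ("sAMAccountName", "userPrincipalName", "mail")))
```

With only one attribute indexed, the e-mail style name stays unmapped, so policy written for the user would not apply to sessions reported in that format.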

Certifications Features
New Certifications Feature Description

FIPS Scrub Option If you need to decommission or send in a FIPS-enabled Palo Alto Networks
firewall or appliance for repair, you can now scrub the swap memory to remove
all cryptographic security parameter (CSP) information from the swap partition(s).
Beginning with PAN-OS 8.1.2, you can add the scrub option to the shutdown or
restart CLI command as follows:
> request [restart | shutdown] system with-swap-scrub [dod | nnsa]

After the scrub completes, a System log is generated that indicates the status of
the scrub.

New Hardware Introduced with PAN-OS 8.1


New Hardware Description

PA-220R Firewall The PA-220R firewall is designed and certified for deployments in harsh
industrial environments while continuing to provide the same next-generation
security features as our other firewall models. The PA-220R firewall includes
the following main features:
• An operating temperature range from -40°F to 158°F
• Six 10/100/1000Mbps RJ-45 ports with built-in surge protection
• Passive cooling (no fans) to reduce noise, power consumption, and to
increase reliability (no moving parts)
• Two direct 12-24VDC power inputs to provide redundant DC power
• Supports active/passive and active/active high availability (HA)
configurations
For more information on the PA-220R firewall, refer to the PA-220R
Hardware Reference.

PA-3200 Series The PA-3200 Series includes the PA-3220, PA-3250, and PA-3260 firewalls,
Firewalls which are designed to deliver high-performance internet edge deployments.
These firewalls include the following main features:
• Interface speeds up to 40Gbps
• Up to five times the overall performance of the PA-3000 Series firewalls
• Decryption performance is increased by up to seven times and decryption
session capacity is increased up to twenty times compared to the PA-3000
Series firewalls
For more information on the hardware, refer to the PA-3200 Series Hardware
Reference.

PA-5280 Firewall The newest PA-5200 Series PA-5280 firewall comes with double the memory
of the PA-5260 firewall. The PA-5280 firewall uses nearly the same hardware
as the PA-5260 except that it doubles the session capacity from 32 million to
64 million sessions.
For more information on the hardware, refer to the PA-5200 Series Hardware
Reference.

M-200 and M-600 These new M-Series models are multi-functional appliances that you can
Appliances configure to run in Panorama™ Management mode, Panorama Management-
only mode, Panorama Log Collector mode, or PAN-DB Private Cloud mode.
These models include the following main features when compared to the
M-100 and M-500 appliances:
• Improved responsiveness with faster CPU and more memory
• Increased log ingestion rate
• Improved serviceability by providing dual power supplies and the ability to
replace the operating system drive if a failure occurs
For more information on the hardware, refer to the M-200 and M-600
Appliance Hardware Reference.

Changes to Default Behavior
The following topics describe changes to default behavior in PAN-OS® and Panorama™ 8.1:
• App-ID Changes in PAN-OS 8.1
• Authentication Changes in PAN-OS 8.1
• Content Inspection Changes in PAN-OS 8.1
• GlobalProtect Changes in PAN-OS 8.1
• User-ID Changes in PAN-OS 8.1
• Panorama Changes in PAN-OS 8.1
• Networking Changes in PAN-OS 8.1
• Virtualization Changes in PAN-OS 8.1
• Appliance Changes in PAN-OS 8.1

App-ID Changes in PAN-OS 8.1


PAN-OS® 8.1 has the following changes in default behavior for App-ID features:

Feature Change

App-ID cache for SSL applications The default setting of the App-ID cache for SSL
applications has changed:
• PAN-OS 8.0 and earlier releases—The App-ID
cache for SSL applications is enabled by default.
If a cloud service provider serves multiple
applications from the same IP address and
you notice the firewall misidentifying these
applications, you can disable the cache in PAN-OS
8.0.8 and later releases. For details, see
PAN-84445 in the Addressed Issues of the
PAN-OS 8.0 Release Notes.
• PAN-OS 8.1 release—The App-ID cache for
SSL applications is disabled by default. Firewalls
running PAN-OS 8.1 do not populate the cache
when they can identify applications from the
Server Name Indication (SNI). If in rare cases
the firewall misidentifies applications, you can
manually enable the cache.
To change the default setting in PAN-OS 8.1 or
in PAN-OS 8.0.8 or a later 8.0 release, run the
following CLI command:

> set application use-appid-cache-ssl-sni {no | yes}

Authentication Changes in PAN-OS 8.1


PAN-OS 8.1 has the following change in default behavior for Authentication features:

Feature Change

Extensible Authentication Protocol (EAP) Support All new RADIUS server profiles use PEAP-
for RADIUS MSCHAPv2 as the default Authentication
Protocol, and the Make Outer Identity
Anonymous option is enabled by default.
The Auto option for the Authentication Protocol
has been deprecated. With this deprecation,
after you upgrade a firewall that was previously
configured to use Auto, the firewall will use
CHAP or PAP based on the protocol that was in
use before the upgrade; a firewall that was not
configured to use RADIUS authentication before
upgrade will default to CHAP.
After you upgrade, Panorama templates use CHAP
as the default authentication protocol.
When you downgrade a firewall that was
configured to use PEAP-MSCHAPv2, PEAP with
GTC, or EAP-TTLS with PAP, the firewall will
default to CHAP.

Content Inspection Changes in PAN-OS 8.1


PAN-OS® 8.1 has the following change in default behavior for Content Inspection features:

Feature Change

Enhanced Application Logging As of PAN-OS 8.1.2, the Enhanced Application Log type that records
non-SYN TCP traffic is disabled by default. There aren't any Palo Alto
Networks® cloud services or apps that currently leverage non-SYN
TCP logs; however, if you enable enhanced application logging and
want to capture non-SYN TCP logs, consult your SE or contact Palo
Alto Networks Customer Support for assistance.

Critical Content Update Alerts As of PAN-OS 8.1.2, Palo Alto Networks critical content update
alerts are logged as system log entries with the Type dynamic-
updates and the Event palo-alto-networks-message. You can use the
following filter to view or set up log forwarding for these types of log
entries: (subtype eq dynamic-updates) and (eventid eq palo-alto-networks-message).
In PAN-OS 8.1.0 and PAN-OS 8.1.1, critical content alerts are logged
with the Type general and the Event palo-alto-networks-message:
(subtype eq general) and (eventid eq palo-alto-networks-message).
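The two filters differ only in the subtype, so forwarding or alerting rules for a fleet that mixes PAN-OS 8.1.0/8.1.1 and 8.1.2 or later firewalls have to match both. The following is an added example, not Palo Alto Networks code: a small Python evaluator for the `(field eq value)` filter syntax quoted above, run over constructed system log records. The record layout (dictionaries keyed by `subtype` and `eventid`), the host names, the combined `or` filter and the support for `neq` are assumptions of this example.

```python
import re

# The two filters quoted in the release note.
FILTER_812_PLUS = "(subtype eq dynamic-updates) and (eventid eq palo-alto-networks-message)"
FILTER_810_811 = "(subtype eq general) and (eventid eq palo-alto-networks-message)"
# Combined form for a mixed-version fleet (the composition is this example's).
FILTER_MIXED_FLEET = f"({FILTER_812_PLUS}) or ({FILTER_810_811})"

_TOKEN = re.compile(r"\s*(\(|\)|[^\s()]+)")


def tokenize(expr):
    """Split a filter into '(', ')' and bare words."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        match = _TOKEN.match(expr, pos)
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


def compile_filter(expr):
    """Turn a filter string into a predicate over a log record (dict)."""
    tokens, pos = tokenize(expr), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take(expected=None):
        nonlocal pos
        tok = peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'!r}, got {tok!r}")
        pos += 1
        return tok

    def atom():
        take("(")
        if peek() == "(":                      # parenthesised sub-expression
            pred = or_expr()
        else:                                  # (field eq|neq value)
            field, op, value = take(), take(), take()
            if op not in ("eq", "neq"):
                raise ValueError(f"unsupported operator {op!r}")
            pred = lambda rec, f=field, v=value, w=(op == "eq"): (rec.get(f) == v) == w
        take(")")
        return pred

    def and_expr():
        left = atom()
        while peek() == "and":
            take()
            left = (lambda l, r: lambda rec: l(rec) and r(rec))(left, atom())
        return left

    def or_expr():
        left = and_expr()
        while peek() == "or":
            take()
            left = (lambda l, r: lambda rec: l(rec) or r(rec))(left, and_expr())
        return left

    pred = or_expr()
    if peek() is not None:
        raise ValueError(f"unexpected trailing token {peek()!r}")
    return pred


# Constructed system log records; host names and the non-alert event are made up.
SAMPLE_LOGS = [
    {"host": "fw-a", "subtype": "dynamic-updates", "eventid": "palo-alto-networks-message"},
    {"host": "fw-b", "subtype": "general", "eventid": "palo-alto-networks-message"},
    {"host": "fw-c", "subtype": "dynamic-updates", "eventid": "constructed-other-event"},
    {"host": "fw-d", "subtype": "general", "eventid": "constructed-other-event"},
]


def matching_hosts(filter_expr, logs):
    """Return the hosts whose records satisfy the filter, in input order."""
    pred = compile_filter(filter_expr)
    return [rec["host"] for rec in logs if pred(rec)]


if __name__ == "__main__":
    for name in ("FILTER_812_PLUS", "FILTER_810_811", "FILTER_MIXED_FLEET"):
        print(name, matching_hosts(globals()[name], SAMPLE_LOGS))
```
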

SMB Improvements with WildFire If you previously enabled WildFire® forwarding on your firewall
Support using the default WildFire analysis Security Profiles setting, the
firewall now forwards files that have been transmitted using the SMB
network protocol.

GlobalProtect Changes in PAN-OS 8.1
PAN-OS® 8.1 has the following changes in default behavior for GlobalProtect™ features:

Feature Change

GlobalProtect gateway The Client Settings > Split Tunnel tab has been split into two separate tabs: Access
agent Route and Domain and Application. Use the Access Route tab to include or
exclude specific destination IP subnet traffic from the VPN tunnel. Use the Domain
and Application tab to include or exclude software as a service (SaaS) or public
cloud applications from the VPN tunnel.

You can now add up to 100 DNS suffixes to the GlobalProtect gateway
configuration (Network > GlobalProtect > Gateways > <gateway-config> >
Agent > Network Services > DNS Suffix).

HIP categories The Antivirus and Anti-Spyware HIP categories are now deprecated and
superseded by the Anti-Malware HIP category in PAN-OS® 8.1. The Anti-Malware
category enables HIP matching based on both the antivirus and anti-spyware
coverage on GlobalProtect endpoints.

User-ID Changes in PAN-OS 8.1


PAN-OS 8.1 has the following change in default behavior for User-ID features:

Feature Change

Support for • Since multiple username attributes are supported, you must select the primary
Multiple username attribute that you want to use.
Username • Previously, the firewall normalized usernames received from User-ID sources
Formats (such as an LDAP directory) to the domain\username format. In PAN-OS 8.1,
when the Primary Username is in UPN format, it will not be normalized as in
previous PAN-OS versions. As a result, usernames are displayed on the web
interface in their original format (for example, username@domain).
• If you use a Certificate Profile for authentication and the username is Subject Alt,
the firewall does not drop the domain name from the email or Principal Name.
• To support multiple username formats, some web interface options were moved
(refer to the callouts in the following screenshots):
• (1) The Device > User Identification > Group Mapping Settings > Server
Profile > User Objects > User Name option has been moved to Device > User
Identification > Group Mapping Settings > User and Group Attributes > User
Attributes.
• (3) The Device > User Identification > Group Mapping Settings > Server
Profile > Group Objects > Group Name and Group Member options have
been moved to Device > User Identification > Group Mapping Settings >
User and Group Attributes > Group Attributes.
• (2) The Mail Domains section previously configured in Device > User
Identification > Group Mapping Settings > Server Profile was moved
to the User Attributes and Group Attributes settings in Device > User
Identification > Group Mapping Settings > User and Group Attributes.


Previous Group Mapping Settings

Current Group Mapping Settings

Panorama Changes in PAN-OS 8.1

Feature Change

Templates and Template Stacks You must assign managed devices to a template
stack instead of a template.

Templates and Template Stacks A maximum of 8 templates can be assigned to a
template stack.

Device Groups You can only view the template configuration
for a device group if devices in the device group,
and the template, are associated with the same
template stack.

Networking Changes in PAN-OS 8.1


PAN-OS 8.1 has the following change in default behavior for a networking feature:

Feature Change

DNS Proxy In releases prior to PAN-OS 8.1, when the Device
uses a DNS Proxy Object for the DNS Server setting
(instead of using the DNS Server’s address), internal
DNS queries do not use the DNS Service Route
Configuration if the service route is configured to
use the management interface; instead, internal DNS
queries use the address of the dataplane interface if
a dataplane interface is configured on the DNS proxy
object. This also occurs for a virtual system when the
virtual system is configured with a DNS Proxy Object
instead of defaulting to the global Device DNS Server
settings.
Beginning with PAN-OS 8.1, when the Device uses a
DNS Proxy Object for the DNS Server setting, internal
DNS queries act according to the service route
configuration to use the management interface or
the explicitly configured dataplane interface address,
whichever is configured.

External Dynamic List Service Routes When an External Dynamic List service route is
configured to use default values, a user-defined Palo
Alto Networks service route configuration takes
precedence (introduced in PAN-OS 8.0). The EDL
service route takes precedence only when it has
been explicitly configured. If both service routes are
configured to use defaults, the management port is
used to retrieve EDL updates.

Virtualization Changes in PAN-OS 8.1


PAN-OS® 8.1 has the following changes in default behavior for Virtualization features:

Feature Change

VM-50 and VM-50 Lite Firewalls (8.1.8 and later)
• PAN-OS 8.1.7 and earlier releases—Pre-defined and custom reports on Panorama
using a remote database were automatically generated and pushed to firewalls
every hour and local pre-defined reports were generated on firewalls every
24 hours.
• PAN-OS 8.1.8 and later PAN-OS 8.1 releases—Daily generation of local
pre-defined reports and hourly generation of scheduled reports pushed from
Panorama are disabled by default.
To enable daily generation of the pre-defined reports, go to the Logging and
Reporting settings on the web interface (Device > Setup > Management > Logging
and Reporting settings) and select the appropriate reports and then, on a
firewall, use the debug predefined-default enable CLI command or, on Panorama,
use the debug run-panorama-predefined-report yes CLI command.
To enable hourly generation of Panorama-pushed scheduled reports, on the
firewall, use the debug run-panorama-predefined-report yes CLI command.

Appliance Changes in PAN-OS 8.1


PAN-OS 8.1 has the following changes to default behavior specific to hardware and virtual appliances:

Appliance Change

PA-200 firewalls • PAN-OS 8.1.8 and earlier releases—The session
capacity was 64,000 sessions.
• PAN-OS 8.1.9 and later PAN-OS 8.1 releases—
The session capacity is 32,000 sessions.

PA-200 firewalls • PAN-OS 8.1.8 and earlier releases—Pre-defined
and custom reports on Panorama using a remote
database were automatically generated and
pushed to firewalls every hour and local pre-
defined reports were generated on firewalls every
24 hours.
• PAN-OS 8.1.9 and later PAN-OS 8.1 releases—
Daily generation of local pre-defined reports and
hourly generation of scheduled reports pushed
from Panorama are disabled by default.
To enable daily generation of the pre-defined
reports, go to the Logging and Reporting
settings on the web interface (Device > Setup >
Management > Logging and Reporting settings)
and select the appropriate reports and then, on a
firewall, use the debug predefined-default
enable CLI command or, on Panorama, use the
debug run-panorama-predefined-report
yes CLI command.
To enable hourly generation of Panorama-pushed
scheduled reports, on the firewall, use the debug
run-panorama-predefined-report yes CLI
command.

CLI and XML API Changes in PAN-OS 8.1
PAN-OS® 8.1 has changes to existing CLI commands, which also affect corresponding PAN-OS XML API
requests. If you have a script or application that uses these requests, run the corresponding CLI commands
in debug mode to view the XML API syntax. A greater-than sign (>) precedes operational commands, while
a hash (#) precedes configuration commands. An asterisk (*) indicates that related commands in the same
hierarchy have also changed.
• Authentication CLI and XML API Changes
• Content Inspection CLI and XML API Changes
• Decryption CLI and XML API Changes
• GlobalProtect CLI and XML API Changes
• Management CLI and XML API Changes
• Panorama CLI and XML API Changes
• User-ID CLI and XML API Changes

Authentication CLI and XML API Changes


PAN-OS 8.1 has the following CLI and XML API changes for Authentication features:

Feature Change

CLI access over SSH The minimum and maximum have changed for the
amount of data transmitted over the Management
(MGT) interface before PAN-OS regenerates the
SSH keys that administrators use to access the
firewall CLI:
• PAN-OS 8.0 and earlier releases:

# set deviceconfig system ssh session-rekey mgmt data {1-32 | default}
• PAN-OS 8.1 release:

# set deviceconfig system ssh session-rekey mgmt data {10-4000 | default}

LDAP authentication The minimum value has changed for the interval (in
seconds) after which PAN-OS tries to connect to
an LDAP server after a previous failed attempt:
• PAN-OS 8.0 and earlier releases:

# set [shared] server-profile ldap <name> retry-interval <1-3600>

# set [vsys <name>] server-profile ldap <name> retry-interval <1-3600>
• PAN-OS 8.1 release:

# set [shared] server-profile ldap <name> retry-interval <60-3600>

# set [vsys <name>] server-profile ldap <name> retry-interval <60-3600>

RADIUS authentication PAN-OS no longer provides the option to fall back
to Password Authentication Protocol (PAP) when a RADIUS server doesn’t
respond to Challenge-Handshake Authentication Protocol (CHAP) requests:
• PAN-OS 8.0 and earlier releases:

# set [shared] server-profile radius <name> protocol {CHAP | PAP | Auto}

# set [vsys <name>] server-profile radius <name> protocol {CHAP | PAP | Auto}
• PAN-OS 8.1 release:

# set [shared] server-profile radius <name> protocol {EAP-TTLS-with-PAP | PEAP-MSCHAPv2 | PEAP-with-GTC | CHAP | PAP}

# set [vsys <name>] server-profile radius <name> protocol {EAP-TTLS-with-PAP | PEAP-MSCHAPv2 | PEAP-with-GTC | CHAP | PAP}

TACACS+ authentication PAN-OS no longer provides the option to fall back
to Password Authentication Protocol (PAP) when a TACACS+ server doesn’t
respond to Challenge-Handshake Authentication Protocol (CHAP) requests:
• PAN-OS 8.0 and earlier releases:

# set [shared] server-profile tacplus <name> protocol {CHAP | PAP | Auto}

# set [vsys <name>] server-profile tacplus <name> protocol {CHAP | PAP | Auto}
• PAN-OS 8.1 release:

# set [shared] server-profile tacplus <name> protocol {CHAP | PAP}

# set [vsys <name>] server-profile tacplus <name> protocol {CHAP | PAP}

Content Inspection CLI and XML API Changes


PAN-OS 8.1 has the following CLI and XML API changes for content inspection features:

Feature Change

Allow HTTP partial response The command to enable or disable the option for
clients to fetch only part of a file has changed:
• PAN-OS 8.0 and earlier releases:

# set deviceconfig setting ctd skip-block-http-range {yes | no}
• PAN-OS 8.1 release:

# set deviceconfig setting ctd allow-http-range {yes | no}

Decryption CLI and XML API Changes


PAN-OS 8.1 has the following CLI and XML API changes for decryption features:

Feature Change

Decryption profiles The CLI command to set administrative role
privileges for Decryption profiles has changed in
PAN-OS 8.1.
• PAN-OS 8.0 and earlier releases:

# set shared admin-role <name> role {device | vsys} webui objects decryption-profile {enable | read-only | disable}
• PAN-OS 8.1 release:

# set shared admin-role <name> role {device | vsys} webui objects decryption decryption-profile {disable | enable | read-only}

GlobalProtect CLI and XML API Changes


PAN-OS® 8.1 has the following CLI and XML API changes for GlobalProtect™ features:

Feature Change

Host information profiles (HIP) for antivirus and The commands for displaying and configuring
anti-spyware antivirus and anti-spyware matching criteria are
now consolidated under anti-malware matching
criteria:
• PAN-OS 8.0 and earlier releases:

# show [shared] profiles hip-objects <name> [antivirus | anti-spyware] *

# show [vsys <name>] profiles hip-objects <name> [antivirus | anti-spyware] *

# set [shared] profiles hip-objects <name> [antivirus | anti-spyware] *

# set [vsys <name>] profiles hip-objects <name> [antivirus | anti-spyware] *
• PAN-OS 8.1 release:

# show [shared] profiles hip-objects <name> anti-malware *

# show [vsys <name>] profiles hip-objects <name> anti-malware *

# set [shared] profiles hip-objects <name> anti-malware *

# set [vsys <name>] profiles hip-objects <name> anti-malware *

Host information profiles (HIP) for disk encryption The commands for configuring disk encryption
matching criteria changed:
PAN-OS 8.0

# set [shared] profiles hip-objects <name> disk-encryption criteria encrypted-locations <name> encryption-state {is | is-not} {full | none | not-available | partial}

# set [vsys <name>] profiles hip-objects <name> disk-encryption criteria encrypted-locations <name> encryption-state {is | is-not} {full | none | not-available | partial}

PAN-OS 8.1

# set [shared] profiles hip-objects <name> disk-encryption criteria encrypted-locations <name> encryption-state {is | is-not} {encrypted | partial | unencrypted | unknown}

# set [vsys <name>] profiles hip-objects <name> disk-encryption criteria encrypted-locations <name> encryption-state {is | is-not} {encrypted | partial | unencrypted | unknown}


GlobalProtect satellites Subnet masks were never applicable to
GlobalProtect satellite gateways and therefore
the option to enter a subnet mask is deprecated in
PAN-OS 8.1:
• PAN-OS 8.0 and earlier releases:

# set [vsys <name>] global-protect global-protect-portal <name> satellite-config configs <name> gateways <name> ip [ipv4 | ipv6] <ip/netmask>
• PAN-OS 8.1 release:

# set [vsys <name>] global-protect global-protect-portal <name> satellite-config configs <name> gateways <name> ip [ipv4 | ipv6] <value>

Management CLI and XML API Changes


PAN-OS 8.1 has the following CLI and XML API changes for firewall management features:

Feature Change

High availability (HA) settings The syntax to set the HA group ID changed in
PAN-OS 8.1. To set the group ID, you now enter
group group-id followed by the group ID
number.
• PAN-OS 8.0 and earlier releases:

# set deviceconfig high-availability group <name>
• PAN-OS 8.1 release:

# set deviceconfig high-availability group group-id <1-63>

Core logs (PA-200 and PA-220 firewalls only) The CLI command to allocate logdb storage for
large core files now allocates 128MB instead of
4GB. This changed because allocating 4GB caused
a commit error on these models.

# set deviceconfig setting management large-core

Rule use The CLI command to view used and unused
rules changed. In PAN-OS 8.1, you must add the
highlight option.
• PAN-OS 8.0 and earlier releases:

> show running rule-use vsys <value> rule-base
• PAN-OS 8.1 release:

> show running rule-use highlight vsys <value> rule-base

Panorama CLI and XML API Changes


PAN-OS 8.1 has the following CLI and XML API changes for Panorama features:

Feature Change

Deploying content updates The CLI commands to set and display thresholds
for the Antivirus updates and Applications and
Threats updates that the Panorama management
server deploys to firewalls and Log Collectors have
changed in PAN-OS 8.1.
• PAN-OS 8.0.6 and later PAN-OS 8.0 releases
have the following operational mode
commands (which were unavailable in earlier
releases):

> request batch {content | anti-virus} threshold set <1-120>

> request batch {content | anti-virus} threshold show
• PAN-OS 8.1 release:

# set deviceconfig system deployment-update-schedule <schedule_name> <update_type> recurring threshold <1-336>

# show deviceconfig system deployment-update-schedule <schedule_name>

Request get-template-stack The following command to view the template
stack-level configuration is deprecated in PAN-OS
8.1:

> request get-template-stack template-stack <value> xpath <value> transform
<value> sortby <value> order <value> nrec <value> skip <value> dir <value>
anchor <value> emptyok <value> shallow <value> xpaths request
get-template-stack template-stack <value> xpath <value> transform <value>
sortby <value> order <value> nrec <value> skip <value> dir <value>
anchor <value> emptyok <value> shallow <value> xpaths entry

In PAN-OS 8.1, run the following command to
view the stack-level configuration:

> show template-stack <name>

To view the merged configuration of a stack
and all inherited templates, run the following
command:

> show template <name>

Managed devices privileges The CLI command to set administrative role
privileges for managed devices has changed in
PAN-OS 8.1.
• PAN-OS 8.0 release:

# set shared admin-role <name> role panorama webui panorama managed-devices
• PAN-OS 8.1 release:

# set shared admin-role <name> role panorama webui panorama managed-devices {summary | health} {enable | read-only | disable}

Context switch privileges The CLI command to set context switch privileges
for managed devices has changed in PAN-OS
8.1. You can configure a decryption profile and a
decryption forwarding profile.
• PAN-OS 8.0 release:

# set shared admin-role <name> role panorama contextswitch objects decryption-profile {enable | read-only | disable}
• PAN-OS 8.1 release:

# set shared admin-role <name> role panorama contextswitch objects decryption {decryption-profile | decryption-forwarding-profile} {enable | read-only | disable}

User-ID CLI and XML API Changes


PAN-OS 8.1 has the following CLI and XML API changes for User-ID features:

Feature Change

Username-to-group mapping • The command to configure the user email
attribute in group mapping configurations has
changed in PAN-OS 8.1:
• PAN-OS 8.0 and earlier releases:

# set [vsys <name>] group-mapping <name> email {<email> <email2> <email3>...}
• PAN-OS 8.1 release:

# set [vsys <name>] group-mapping <name> user-email {<email1> <email2> <email3>}
• The following command to configure the email
domain list in group mapping configurations is
deprecated in PAN-OS 8.1:

# set [vsys <name>] group-mapping <name> mail-domain-list {<mail-domain-list1> <mail-domain-list2> <mail-domain-list3>...}
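
Saved `set` commands written for PAN-OS 8.0 can be checked against the syntax changes in the tables above before they are replayed on 8.1, which matters most for the authentication settings (the removed `Auto` protocol value and the narrower numeric ranges). The following Python linter is an added example, not Palo Alto Networks code; the rule labels, profile names and sample commands are constructed for illustration, and only the keywords and ranges come from this page.

```python
import re
from typing import Callable, List, NamedTuple, Optional

# Keyword sets accepted by PAN-OS 8.1, copied from the tables on this page.
RADIUS_81 = {"EAP-TTLS-with-PAP", "PEAP-MSCHAPv2", "PEAP-with-GTC", "CHAP", "PAP"}
TACPLUS_81 = {"CHAP", "PAP"}
DISK_STATE_81 = {"encrypted", "partial", "unencrypted", "unknown"}


class Rule(NamedTuple):
    rule_id: str  # hypothetical label, not a PAN-OS identifier
    pattern: re.Pattern
    check: Callable[[re.Match], Optional[str]]


class Finding(NamedTuple):
    line_no: int
    rule_id: str
    message: str


def int_range(lo: int, hi: int, what: str, allow_default: bool = False):
    """Checker: value must be an integer in [lo, hi], or 'default' if allowed."""
    def check(m):
        val = m.group("val")
        if (allow_default and val == "default") or (val.isdigit() and lo <= int(val) <= hi):
            return None
        return f"{what} {val!r} is outside the 8.1 range {lo}-{hi}"
    return check


def one_of(allowed: set, what: str):
    """Checker: value must be a keyword that 8.1 still accepts."""
    def check(m):
        val = m.group("val")
        if val in allowed:
            return None
        return f"{what} {val!r} is not accepted in 8.1; use one of {sorted(allowed)}"
    return check


def always(message: str):
    """Checker for renamed or deprecated keywords: any match is a finding."""
    return lambda m: message


RULES = [
    Rule("ssh-rekey-data", re.compile(r"\bssh session-rekey mgmt data (?P<val>\S+)"),
         int_range(10, 4000, "SSH rekey data value", allow_default=True)),
    Rule("ldap-retry-interval", re.compile(r"\bserver-profile ldap \S+ retry-interval (?P<val>\S+)"),
         int_range(60, 3600, "LDAP retry-interval")),
    Rule("radius-protocol", re.compile(r"\bserver-profile radius \S+ protocol (?P<val>\S+)"),
         one_of(RADIUS_81, "RADIUS protocol")),
    Rule("tacplus-protocol", re.compile(r"\bserver-profile tacplus \S+ protocol (?P<val>\S+)"),
         one_of(TACPLUS_81, "TACACS+ protocol")),
    Rule("http-range-rename", re.compile(r"\bctd skip-block-http-range\b"),
         always("renamed to 'ctd allow-http-range' in 8.1; review the yes/no value")),
    Rule("hip-anti-malware", re.compile(r"\bhip-objects \S+ (?:antivirus|anti-spyware)\b"),
         always("antivirus/anti-spyware criteria are consolidated under 'anti-malware' in 8.1")),
    Rule("hip-disk-state", re.compile(r"\bencryption-state (?:is-not|is) (?P<val>\S+)"),
         one_of(DISK_STATE_81, "disk encryption-state")),
    Rule("group-mapping-email", re.compile(r"\bgroup-mapping \S+ email\b"),
         always("'email' is now 'user-email' in 8.1")),
    Rule("group-mapping-mail-domain", re.compile(r"\bgroup-mapping \S+ mail-domain-list\b"),
         always("'mail-domain-list' is deprecated in 8.1")),
]


def lint_config(text: str) -> List[Finding]:
    """Return one Finding per 8.0-style `set` command that 8.1 would reject or ignore."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        # Collapse whitespace and drop a leading CLI prompt character (# or >).
        line = " ".join(raw.split()).lstrip("#> ")
        if not line.startswith("set "):
            continue
        for rule in RULES:
            match = rule.pattern.search(line)
            message = rule.check(match) if match else None
            if message:
                findings.append(Finding(line_no, rule.rule_id, message))
    return findings


# Constructed sample of 8.0-era commands; trailing HIP arguments are omitted.
SAMPLE_80 = """\
set deviceconfig system ssh session-rekey mgmt data 8
set shared server-profile ldap corp-ldap retry-interval 30
set shared server-profile radius corp-radius protocol Auto
set vsys vsys1 server-profile tacplus corp-tac protocol CHAP
set deviceconfig setting ctd skip-block-http-range yes
set shared profiles hip-objects laptops antivirus
set shared profiles hip-objects laptops disk-encryption criteria encrypted-locations root encryption-state is full
set vsys vsys1 group-mapping corp-groups user-email mail
set deviceconfig system ssh session-rekey mgmt data default
"""

if __name__ == "__main__":
    for finding in lint_config(SAMPLE_80):
        print(f"line {finding.line_no}: [{finding.rule_id}] {finding.message}")
```

The linter only flags commands; it does not rewrite them, because the page gives no mapping from the old disk-encryption states or the old `skip-block-http-range` value to their 8.1 equivalents.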

Associated Software and Content Versions
The following minimum software and content release versions are compatible with PAN-OS 8.1. To see
a list of the next-generation firewall models that support PAN-OS 8.1, see the Palo Alto Networks®
Compatibility Matrix.

Palo Alto Networks Software or Content Release Version Minimum Compatible Version with PAN-OS 8.1

Panorama 8.1

User-ID Agent 8.1

Terminal Services (TS) Agent 8.1

GlobalProtect App 4.0

Applications and Threats Content Release Version 769

Antivirus Content Release Version 2137

VMware NSX Plugin Version 2.0.1

Limitations
The following are limitations associated with PAN-OS 8.1 releases.

Issue ID Description

— Beginning in PAN-OS 8.1.3, firewalls and appliances perform a software
integrity check periodically when they are running and when they reboot. If
you simultaneously boot up multiple instances of a VM-Series firewall on a
host or you enable CPU over-subscription on a VM-Series firewall, the firewall
boots into maintenance mode when a processing delay results in a response
timeout during the integrity check. If your firewall goes into maintenance
mode, check the errors and warnings in the fips.log file.
A reboot always occurs during an upgrade, so if you enabled CPU
over-subscription on your VM-Series firewall, consider upgrading your firewall
during a maintenance window.

PAN-85036 If you use the Panorama management server to manage the configuration of
an active/active firewall HA pair, you must set the Device ID for each firewall
HA peer before upgrading Panorama to PAN-OS 8.1. If you upgrade without
setting the Device IDs, which determine which peer will be active-primary, you
cannot commit configuration changes to Panorama.

PAN-81719 You cannot form an HA pair of Panorama management servers on AWS
instances when the management interface on one HA peer is assigned an
Elastic Public IP address or when the HA peers are in different Virtual Private
Clouds (VPCs).

PAN-79669 The firewall blocks an HTTPS session when the hardware security module
(HSM) is down and a Decryption policy for inbound inspection uses the default
decryption profile for an ECDSA certificate.

Known Issues
The following topics describe known issues in PAN-OS® 8.1 releases.

For recent updates to known issues for a given PAN-OS release, refer to
https://live.paloaltonetworks.com/t5/Articles/Critical-Issues-Addressed-in-PAN-OS-Releases/ta-p/52882.

• Known Issues Related to PAN-OS 8.1 Releases
• Known Issues Specific to the WF-500 Appliance
• Known Issues Related to Cortex Data Lake

Known Issues Related to PAN-OS 8.1 Releases

The following list includes known issues specific to PAN-OS® 8.1 releases, which includes known issues
specific to Panorama™ and GlobalProtect™, as well as known issues that apply more generally or that are
not identified by an issue ID. See also the Known Issues Specific to the WF-500 Appliance.

Issue ID Description

— Upgrading a PA-200 or PA-500 firewall to PAN-OS 8.1 can take 30 to
60 minutes to complete. Ensure uninterrupted power to your firewall
throughout the upgrade process.

— PAN-OS 8.1.1 introduces a new software integrity check; a failed
check results in a critical system log, while a passed check generates an
informational system log.
To check for a software integrity check failure, select Monitor > Logs and
enter the filter: (severity eq critical) and (eventid eq fips-selftest-integ).
Please contact Palo Alto Networks Support if a device fails a software
integrity check.

GPC-2742 If you configure GlobalProtect portals and gateways to use client
certificates and LDAP as two factors of authentication, Chromebook
endpoints that run Chrome OS 47 or later versions encounter excessive
prompts to select a client certificate.
Workaround: To prevent excessive prompts, configure a policy to specify
the client certificate in the Google Admin console and deploy that policy to
your managed Chromebooks:
1. Log in to the Google Admin console and select Device management >
Chrome management > User settings.
2. In the Client Certificates section, enter the following URL pattern to
Automatically Select Client Certificate for These Sites:
{"pattern": "https://[*.]", "filter":{}}
3. Click Save. The Google Admin console deploys the policy to all devices
within a few minutes.


PLUG-380 When you rename a device group, template, or template stack in Panorama
that is part of a VMware NSX service definition, the new name is not
reflected in NSX Manager. Therefore, any ESXi hosts that you add to
a vSphere cluster are not added to the correct device group, template,
or template stack and your Security policy is not pushed to VM-Series
firewalls that you deploy after you rename those objects. There is no
impact to existing VM-Series firewalls.

PAN-135260 (PA-7000 Series firewalls running PAN-OS 8.1.12 only) There is an
intermittent issue where the dataplane process (all_pktproc_X) on a
Network Processing Card (NPC) restarts unexpectedly when processing
IPSec tunnel traffic. This issue can occur on any NPC card in any slot.

PAN-131915 There is an issue when you implement a new firewall bootstrap with a USB
drive where the bootstrap fails and displays the following error message: no
USB device found.
Workaround: Perform a factory reset or run the request system
private-data-reset CLI command and then proceed with
bootstrapping.

PAN-130550 (PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series
firewalls) For traffic between virtual systems (inter-vsys traffic), the firewall
cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port (DIPP) translation
on inter-vsys traffic.

PAN-128269 (PA-5250, PA-5260, and PA-5280 firewalls with 100GB AOC cables only)
When you upgrade the first peer in a high availability (HA) configuration to
PAN-OS 8.1.9-h4 or a later PAN-OS 8.1 release, the High Speed Chassis
Interconnect (HSCI) port does not come up due to an FEC mismatch until
after you finish upgrading the second peer.
This issue is now resolved. See PAN-OS 8.1.12 Addressed Issues.

PAN-124956 There is an issue where VM-Series firewalls do not support packet buffer
protection.

PAN-123322 (PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls running
PAN-OS 8.1.11 only) There is an intermittent issue where a process
(all_pktproc) stops responding due to a Work Query Entry (WQE)
corruption that is caused by duplicate child sessions.
This issue is now resolved. See PAN-OS 8.1.12 Addressed Issues.

PAN-122804 There is an issue on Panorama M-Series and virtual appliances where the
firewall stops forwarding logs to Cortex Data Lake after you upgrade the
cloud services plugin to 1.4.
This issue is now resolved. See PAN-OS 8.1.12 Addressed Issues.

PAN-120662 (PA-7000 Series firewalls using PA-7000-20G-NPC cards only) There is an
intermittent issue where an out-of-memory (OOM) condition causes the
dataplane or internal path monitoring to stop responding.
This issue is now resolved. See PAN-OS 8.1.11 Addressed Issues.


PAN-120440 There is an issue on M-500 Panorama management servers
where any ethernet interface with an IPv6 address having Private
PAN-DB-URL connectivity only supports the following format:
2001:DB9:85A3:0:0:8A2E:370:2.

PAN-120303 There is an issue where the firewall remains connected to the PAN-DB-URL
server through the old management IP address on the M-500 Panorama
management server, even when you configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one
of the methods below.
• Modify the PAN-DB Server IP address on the managed firewall.
1. On the web interface, delete the PAN-DB Server IP address
(Device > Setup > Content ID > URL Filtering settings).
2. Commit your changes.
3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
4. Commit your changes.
• Restart the firewall (devsrvr) process.
1. Log in to the firewall CLI.
2. Restart the devsrvr process: debug software restartprocess device-server

PAN-119862 (PA-5050 firewalls only) There is an intermittent issue where an
out-of-memory (OOM) condition causes the dataplane or internal path monitoring
to stop responding.
This issue is now resolved. See PAN-OS 8.1.11 Addressed Issues.

PAN-118065 (M-Series Panorama management servers in Management Only mode)
When you delete the local Log Collector (Panorama > Managed Collectors),
it disables the 1/1 Ethernet interface in the Panorama configuration as
expected but the interface still displays as Up when you execute the show
interface all command in the CLI after you commit.
Workaround: Disable the 1/1 Ethernet interface before you delete the local
log collector and then commit the configuration change.

PAN-117729 There is an issue where the firewall incorrectly displays application
dependency warnings (Policies > Security) after you initiate a commit.
This issue is now resolved. See PAN-OS 8.1.9 Addressed Issues.

PAN-116436 (Panorama™ virtual appliances only) There is a disk space calculation error
that eventually leads to an erroneous opt/panlogs/ partition full condition
and causes a process (CDB) to stop responding.
This issue is now resolved. See PAN-OS 8.1.8 Addressed Issues;
see PAN-94475.

PAN-116084 (PAN-OS 8.1.7 only) VM-Series firewalls on Microsoft Azure deployed
using MMAP drop traffic when the firewall experiences heavy traffic.
This issue is now resolved. See PAN-OS 8.1.8 Addressed Issues.

PAN-116069 (PA-200 firewalls only) There is a rare out-of-memory (OOM) condition.
This issue is now resolved. See PAN-OS 8.1.9 Addressed Issues.

PAN-114041 (Panorama M-Series and virtual appliances only) There is a rare issue where,
as a result of known issue PAN-107636, new Elasticsearch (ES) indices are
empty, which prevents the web interface from displaying logs for the days
associated with those indices. The root cause of this issue is addressed in
PAN-OS 8.1.7; however, if you cannot see logs for a given day, contact
your Support team to get help recovering them.

PAN-113614 There is an issue with a memory leak associated with commits on
Panorama appliances that eventually causes an unexpected restart of the
configuration (configd) process.
This issue is now resolved. See PAN-OS 8.1.9 Addressed Issues.

PAN-113501 The Panorama management server returns a Secure Copy (SCP) server
connection error after you create an SCP Scheduled Config Export profile
(Panorama > Scheduled Config Export) due to the SCP server password
exceeding 15 characters in length.
This issue is now resolved. See PAN-OS 8.1.10 Addressed Issues.

PAN-113340 (PA-200 firewalls only) There is an issue where the management plane
memory is lower than expected, which causes the management plane to
restart.
This issue is now resolved. See PAN-OS 8.1.9 Addressed Issues.

PAN-112814 (PAN-OS 8.1.6 and later releases only) H.323-based calls lose audio when
the predicted H.245 session cannot convert to Active status, which causes
the firewall to incorrectly drop H.245 traffic.
This issue is now resolved. See PAN-OS 8.1.8 Addressed Issues.

PAN-112428 If you use Panorama running PAN-OS 8.1.6 to manage a WildFire
appliance that is running PAN-OS 8.1.5 or an earlier PAN-OS 8.1 release,
autocommits will intermittently fail and Panorama will stop displaying
device groups.
Workaround: If you use Panorama to manage any WildFire appliances
running a PAN-OS 8.1 release, upgrade those WildFire appliances to
PAN-OS 8.1.6 before you upgrade Panorama to PAN-OS 8.1.6. If you
already upgraded Panorama to PAN-OS 8.1.6, then upgrade all PAN-OS 8.1
WildFire appliances to PAN-OS 8.1.6, as well, and then reboot Panorama.
This issue is now resolved. See PAN-OS 8.1.7 Addressed Issues.

PAN-111928 Invalid configuration errors are not displayed as expected when you revert
a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit
(Commit > Commit to Panorama) the reverted configuration to display the
invalid configuration errors.

PAN-111866 The push scope selection on the Panorama web interface displays
incorrectly even though the commit scope displays as expected. This issue
occurs when one administrator makes configuration changes to separate
device groups or templates that affect multiple firewalls and a different
administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a Push to Devices
operation for the modified device group and template configurations.
• Manually select the devices that belong to the modified device group
and template configurations.
This issue is now resolved. See PAN-OS 8.1.7 Addressed Issues.

PAN-111844 (VM-50 and VM-50 Lite firewalls only) There is a rare out-of-memory
(OOM) condition.
This issue is now resolved. See PAN-OS 8.1.8 Addressed Issues.

PAN-111729 If you disable DPDK mode and enable it again, you must reboot the firewall
immediately.

PAN-111708 (PA-3200 Series firewalls only) There is a rare issue where a software issue
causes the dataplane to restart unexpectedly.
This issue is now resolved. See PAN-OS 8.1.9 Addressed Issues.

PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV adapter.

PAN-111553 On the Panorama management server, the Include Device and Network
Templates setting is disabled by default when you attempt to push changes
to managed devices, which causes your push to fail.
Workaround: Before you commit and push the configuration changes from
Panorama to your managed devices, edit the push scope (Commit > Push to
Devices > Edit Selections or Commit > Commit and Push > Edit Selections)
to Include Device and Network Templates.
This issue is now resolved. See PAN-OS 8.1.9 Addressed Issues.

PAN-109759 The firewall does not generate a notification for the GlobalProtect
client when the firewall denies an unencrypted TLS session due to an
authentication policy match.
This issue is now resolved. See PAN-OS 8.1.8 Addressed Issues.

PAN-109594 (HA configurations only) The dataplane restarts when an IPsec rekey event
occurs and causes a tunnel process (tund) failure when one—but not both—
HA peers is running PAN-OS 8.0.14 or PAN-OS 8.1.5.
Workaround: Temporarily modify the IKE phase 2 lifetime for both peers
(Network > Network Profiles > IPsec Crypto) to increase the interval
between rekey events (default is one hour) to avoid a rekey event before
you complete the upgrade on the second peer. Alternatively, remove
the HA configuration, upgrade both firewalls, and then restore the HA
configuration.
This issue is now resolved. See PAN-OS 8.1.6 Addressed Issues.

PAN-109526 The system log does not display the URL for CRL files correctly, the URLs
are displayed with encoded characters.

PAN-108805 (PA-3250 and PA-3260 firewalls only) There is a rare issue with
deterministic finite automaton (DFA) signature matching in PAN-OS 8.1.2
This issue is now
and later releases that causes the firewall to stop responding when using
resolved. See PAN-OS
hardware-based DFA scanning (default).
8.1.5 Addressed Issues.
Workaround: In PAN-OS 8.1.5, you can use the following CLI commands to
switch to software-based DFA scanning:
• set system setting dfa-mode [hw-dfa|sw-dfa]—Switch
between DFA scanning options (persistent across restarts and does not
require a reboot).
• set system setting dfa-mode-default—Restore the default
DFA setting.
• show system setting dfa-mode—Show the current DFA scanning
configuration.

PAN-108165 Memory issues on Palo Alto Networks hardware and virtual appliances
cause intermittent management plane instability.
This issue is now
resolved. See PAN-OS
8.1.6 Addressed Issues.

PAN-107636 (Panorama M-Series and virtual appliances only) There is a rare issue where
the purge script does not remove the oldest Elasticsearch (ES) indices
to make room for new ones as expected when the appliance reaches
maximum capacity. This prevents the web interface from displaying any
logs for the days associated with those new ES indices (see known issue
PAN-114041) because those indices are empty (the appliances cannot read
or write to them). If you experience this issue, contact your Support team
for assistance.
This issue is now resolved. See PAN-OS 8.1.7 Addressed Issues.

PAN-107449 (PAN-OS 8.1.4 only) Firewalls fail to establish IKE phase 1 or phase 2 when
you specify Diffie-Hellman (DH) group1.
This issue is now resolved. See PAN-OS 8.1.5 Addressed Issues.
Workaround: Specify a DH group other than group1.

PAN-107271 (PA-3200 Series firewalls running PAN-OS 8.1.4 in an HA configuration
only) The physical link for the HA1-B (backup) port does not function
as expected, which means you cannot use this port as an HA1 backup
interface when running PAN-OS 8.1.4.
This issue is now resolved. See PAN-OS 8.1.4-h2 Addressed Issues.

PAN-106989 There is a display-only issue on Panorama that results in a commit
failed status for Template Last Commit State (Panorama > Managed
Devices > Summary).
Workaround: Push templates to managed devices.

PAN-106675 After upgrading the Panorama management server to PAN-OS 8.1 or a later
release, predefined reports do not display a list of top attackers.
Workaround: Create new threat summary reports (Monitor > PDF
Reports > Manage PDF Summary) containing the top attackers to mimic
the predefined reports.

PAN-105737 (PAN-OS 8.1.7 and PAN-OS 8.1.8 only) If you use the AUX 1 or AUX
2 interface and you do not configure an IP address, network mask, and
default gateway for the interface, the interface will not come up when
you upgrade the firewall to PAN-OS 8.1.7. The most common use of AUX
interfaces is to configure AUX ports as HA1 and HA1 Backup interfaces for
fiber connections on PA-5200 Series firewalls in an HA configuration.
This issue is now resolved. See PAN-OS 8.1.9 Addressed Issues.
Workaround: To avoid a split-brain scenario in HA configurations as a
result of this issue, configure a default gateway on at least one of the AUX
interfaces.

PAN-105210 (Panorama in FIPS mode only when managing non-FIPS firewalls) You
cannot configure a GlobalProtect portal on Panorama in FIPS mode when
managing a non-FIPS firewall. If you attempt to do so, you will receive the
following error message: agent-user-override-key unexpected
here Portal_fips.

PAN-104808 There is an issue where scheduled SaaS reports generate and email empty
PDF reports.
This issue is now resolved. See PAN-OS 8.1.10 Addressed Issues.
Workaround: Manually generate the report from the Panorama web
interface.

PAN-103276 Adding a disk to a Panorama 8.1 virtual appliance on VMware ESXi 6.5
update1 causes the Panorama virtual appliance and host web client to
become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk
again.

PAN-102828 (Panorama plugins) When you use the AND/OR boolean operators to
define the match criteria for Dynamic Address Groups on Panorama, the
boolean operators do not function properly. The member IP addresses are
not included in the address group as expected.

PAN-102140 Extended Authentication (X-Auth) clients intermittently fail to establish an
IPSec tunnel to GlobalProtect gateways.
This issue is now resolved. See PAN-OS 8.1.4 Addressed Issues.

PAN-101819 The Panorama Controller does not display all commit-all jobs for
Panorama Nodes (Panorama > Interconnect > Tasks) and the Panorama
Controller does not push those missing jobs when you Push to Devices if
the associated Panorama Node is running a PAN-OS 8.1 release.
This issue is now resolved. See PAN-OS 8.1.5 Addressed Issues.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping information registered
on a firewall or virtual system is not deleted when you remove the firewall
or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following
command to unregister the IP address-to-tag mappings: debug object
registered-ip clear all.

PAN-100686 An invalid public key is intermittently applied to the administrator account
when deploying a VM-Series firewall in Google Cloud using the Google web
interface.
Workaround: The administrator must log in to the firewall via SSH with
a valid private key using the ssh -i private-key-file admin@VM
command. Then, from the CLI, remove the invalid public key and add a
password for the admin profile using the following configuration commands
to enable successful commits:

# delete mgt-config users admin public-key
# set mgt-config users admin password
# commit

PAN-100244 There is a rare issue where a failed commit or commit validation followed
by a non-user-committed event (such as an FQDN refresh, an external
dynamic list refresh, or an antivirus update) results in an unexpected change
to the configuration that causes the firewall to drop traffic.
This issue is now resolved. See PAN-OS 8.1.5 Addressed Issues.
Workaround: Perform a successful commit immediately after you
experience this issue. Alternatively, reload an earlier successfully-
committed configuration and manually refresh the FQDN list.

PAN-100154 (PAN-OS 8.1.3 and later PAN-OS 8.1 releases only) The default static route
always becomes the active route and takes precedence over a DHCP auto-
created default route that is pointing to the same gateway regardless of the
metrics or order of installation. Thus, when the system has both a DHCP
auto-created default route and a manually configured default static route
pointing to the same gateway, the firewall always installs the default static
route in the FIB.
Workaround: Set the Default Route Metric in the web interface DHCP
Client configuration (Network > Interfaces > {Ethernet | VLAN} >
<interface> > IPv4).

PAN-99924 Fixed an issue where the Panorama management server web and command
line interface (CLI) stopped responding after a partial configuration load
(Panorama > Setup > Operations).
This issue is now resolved. See PAN-OS 8.1.6 Addressed Issues.

PAN-99084 (HA configurations running PAN-OS 8.0.9 or a later PAN-OS release) If you
disable the HA configuration sync option (enabled by default), User-ID data
does not sync as expected between HA peers.
Workaround: Re-Enable Config Sync (Device > High Availability >
General > Setup settings).

PAN-98735 Upgrading a Panorama management server on Microsoft Azure from
PAN-OS 8.1.0 to PAN-OS 8.1.1 or PAN-OS 8.1.2 results in an autocommit
failure.
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.
Workaround: Before you upgrade to PAN-OS 8.1.1 or PAN-OS
8.1.2, export your Panorama 8.1.0 configuration. Then upgrade the
Panorama management server and, when finished, import your exported
configuration.
Alternatively, you can export the Panorama 8.1.0 configuration, deploy a
new instance of Panorama using the 8.1.2 image on the Azure marketplace,
and then import and reload the exported configuration.

If you decide to launch a new Panorama 8.1.2 VM through
the Azure marketplace, the web interface will display the
image as PAN-OS8.1.2-h4.

PAN-97848 Panorama on KVM deploys in Legacy mode instead of Management
Only mode even when meeting the minimum resource requirements for
Management Only mode.
Workaround: After you successfully deploy Panorama on KVM, change to
Management Only mode.

PAN-97757 GlobalProtect authentication fails with an Invalid username/password
error (because the user is not found in Allow List) after you
enable GlobalProtect authentication cookies and add a RADIUS group
to the Allow List of the authentication profile used to authenticate to
GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively,
disable (clear) Retrieve user group from RADIUS in the authentication
profile and configure group mapping from Active Directory (AD) through
LDAP.

PAN-97561 Panorama appliances running PAN-OS 8.1.2 cannot connect to the Logging
Service:
• When you deploy a Panorama 8.1.2 virtual appliance, Panorama is
unable to connect to the Logging Service and firewalls are unable to
forward logs to the Logging Service.
• If you upgrade a Panorama virtual appliance with Logging Service
enabled to PAN-OS 8.1.2, both Panorama and the firewalls will continue
to connect to the Logging Service but will not display information about
Logging Services instances when you run the request
logging-service-forwarding customer info fetch CLI command.
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.

PAN-97524 (Panorama management server only) The Security Zone and Virtual System
columns (Network tab) display None after a Device Group and Template
administrator with read-only privileges performs a context switch.

PAN-96985 The request shutdown system command does not shut down the
Panorama management server.

PAN-96960 You cannot restart or shut down a Panorama on KVM from the
Virtual-manager console or virsh CLI.

PAN-96813 The GlobalProtect gateway ignores the Enable X-Auth Support setting
when you enable or disable it through the firewall web interface
(Network > GlobalProtect > Gateways > <gateway> > Agent > Tunnel
Settings).
Workaround: Enable or disable X-Auth support by running the set
network tunnel global-protect-gateway <gateway> ipsec
third-party-client rekey-noauth {yes | no} configuration
mode CLI command.

PAN-96734 The configuration daemon (configd) stops responding during a partial revert
operation when reverting an interface configuration.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-96587 PA-7000 Series and PA-5200 Series firewalls intermittently fail to forward
logs to Log Collectors or the Logging Service due to DNS resolution failure
for the FQDNs of those log receivers.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
Workaround: On the firewall, commit a configuration change or run the
debug software restart process log-receiver CLI command.

PAN-96572 After end users successfully authenticate for access to a service or
application, their web browsers briefly display a page indicating that
authentication completed and then they are redirected to an unknown URL
that the user did not specify.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-96446 A firewall that is not included in a Collector Group fails to generate a
system log if logs are dropped when forwarded to a Panorama management
server that is running in Management Only mode.

PAN-96113 In a deployment where the firewall connects to a Border Gateway Protocol
(BGP) peer that advertises a route for which the next hop is not in the same
subnetwork as the BGP peer interface, the show routing protocol
bgp rib-out CLI command does not display advertised routes that the
firewall sent to the BGP peer.
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.
Workaround: Move the next hop to the same subnetwork as the BGP peer
interface.

PAN-95999 Firewalls in an HA active/active configuration with a default session setup
and owner configuration drop packets in a GlobalProtect VPN tunnel that
uses a floating IP address.
This issue is now resolved. See PAN-OS 8.1.4 Addressed Issues.

PAN-95895 Firewalls that collect port-to-username mappings from Terminal Services
agents don't enforce user-based policies correctly because the dataplane
has incorrect primary-to-alternative-username mappings even after you
clear the User-ID cache.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-95773 On VM-Series firewalls that have Data Plane Development Kit (DPDK)
enabled and that use the i40e network interface card (NIC), the show
session info CLI command displays an inaccurate throughput and
packet rate.
Workaround: Disable DPDK by running the set system setting
dpdk-pkt-io off CLI command.

PAN-95736 The mprelay process stops responding when a commit occurs while the
firewall is identifying flows that need a NetFlow update.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-95717 After 30,000 or more end users log in to the GlobalProtect gateway within
a two- to three-hour period, the firewall web interface responds slowly,
commits take longer than expected or intermittently fail, and Tech Support
File generation times out and fails.

PAN-95602 In a deployment where a Log Collector connects to Panorama management
servers in an HA configuration, after you switch the Log Collector appliance
to Panorama mode, commit operations fail on the appliance.
Workaround: Remove the following node from the running-config.xml file
on the Log Collector before switching it to Panorama mode: devices/
entry[@name='localhost.localdomain']/deviceconfig/
system/panorama-server-2.

PAN-95513 On the Panorama management server, selecting additional target firewalls
for a shared policy rule clears any existing firewall selections for that rule
(Panorama > Policies > <policy_type> > {Pre Rules | Post Rules | Default
Rules} > Target).
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues;
fix requires the VMware NSX 2.0.4 or later plugin.

PAN-95511 The name for an address object, address group, or an external dynamic list
must be unique. Duplicate names for these objects can result in unexpected
behavior when you reference the object in a policy rule.

PAN-95445 VM-Series firewalls for NSX and firewalls in an NSX notify group
(Panorama > VMware NSX > Notify Group) briefly drop traffic while
receiving dynamic address updates after the primary Panorama in an HA
configuration fails over.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues;
fix requires the VMware NSX 2.0.4 or later plugin.

PAN-95443 A VM-Series firewall on KVM in DPDK mode doesn't receive traffic after
you configure it to use the i40e single-root input/output virtualization
(SR-IOV) virtual function (VF).
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-95197 Mobile endpoints that use GPRS Tunneling Protocol (GTP) lose traffic and
have to reconnect because the firewall drops the response message that
a Gateway GPRS support node (GGSN) sends for a second Packet Data
Protocol (PDP) context update.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8 and
earlier releases, the firewall does not apply password profile settings
(Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9
or a later release and then only after you modify the account passwords.
(Administrator accounts that you create in PAN-OS 8.0.9 or a later release
do not require you to change the passwords to apply password profile
settings.)

PAN-94966 After you delete disconnected and connected Terminal Server (TS) agents
in the same operation, the firewall still displays the IP address-to-port-
user mappings (show user ip-port-user-mapping CLI command) for
the disconnected TS agents you deleted (Device > User Identification >
Terminal Services Agents).
Workaround: Do not delete both disconnected and connected TS agents in
the same operation.

PAN-94917 On Panorama Log Collectors, the show system masterkey-properties
CLI command does not display the master key lifetime and
reminder settings.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-94864 A firewall receiving IP addresses via DHCP fails to resolve FQDN objects to
an IP address.
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.

PAN-94853 Mobile endpoints that use GPRS Tunneling Protocol (GTP) lose GTP-U
traffic because the firewall drops all GTP-U packets as packets without
sessions after receiving two GTP requests with the same tunnel endpoint
identifiers (TEIDs) and IP addresses.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-94846 When DPDK is enabled on the VM-Series firewall with i40e virtual function
(VF) driver, the VF does not detect the link status of the physical link. The
VF link status remains up, regardless of changes to the physical link state.

PAN-94777 A 500 Internal Server error occurs for traffic that matches a Security
policy rule with a URL Filtering profile that specifies a Continue action
(Objects > Security Profiles > URL Filtering) because the firewall does not
treat the API keys as binary strings.
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.
Workaround: Reboot the firewall.

PAN-94452 The firewall records GPRS Tunneling Protocol (GTP) packets multiple times
in firewall-stage packet captures (PCAPs).
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.

PAN-94402 Upgrading firewalls from PAN-OS 8.0 to 8.1 causes the loss of user
mapping information and therefore disrupts user-based policies in the
following HA configurations:
• Active/active (in this example, the primary/secondary peers are
firewall1/firewall2)—During the period after you upgrade firewall1
to PAN-OS 8.1 but before you upgrade firewall2, firewall1 loses user
mapping information. When you finish upgrading both firewalls to PAN-
OS 8.1, HA synchronization restores the lost mapping information on
firewall1.
• Active/passive (in this example, the active/passive peers are firewall1/
firewall2)—After you upgrade firewall2 to PAN-OS 8.1 but before you
upgrade firewall1, firewall2 loses user mapping information but does
not enforce policies because it is still in a passive state. However, after
you trigger failover by suspending firewall1 (in anticipation of upgrading
it), firewall2 becomes the active peer and fails to enforce user-based
policies because its mapping information is still missing. After you then
upgrade firewall1 and trigger failback, firewall1 resumes enforcing policy
and HA synchronization ensures the mapping information is complete
on both firewalls.
In both configurations, whichever firewall is missing user mapping
information also cannot collect new user mappings through the PAN-OS
XML API until you finish upgrading both HA peers.

PAN-94382 On the Panorama management server, the Task Manager displays
Completed status immediately after you initiate a push operation to
firewalls (Commit all) even though the push operation is still in progress.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-94290 (HA active/active configuration only) Fragmented packets are dropped
when traversing a firewall.
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.

PAN-94278 A Panorama Collector Group forwards Threat and WildFire Submission
logs to the wrong external server after you configure match list profiles
with the same name for both log types (Panorama > Collector Groups >
<Collector_Group> > Collector Log Forwarding > {Threat | WildFire} >
<match_list_profile>).
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
Workaround: Configure match list profiles with different names for Threat
and WildFire Submission logs.

PAN-94236 When the file-forwarding queue limit is reached, additional files fail to
upload to the WildFire cloud. However, these files are included in the
WildFire log with a status of offset mismatch.
This issue is now resolved. See PAN-OS 8.1.4 Addressed Issues.

PAN-94187 The firewall does not apply tag-based matching rules for dynamic address
groups unless you enclose the tag names with single quotes ('<tag_name>')
in the matching rules (Objects > Address Groups > <address_group>).
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-94167 Firewalls randomly retain IP address-to-username mappings even after
receiving information via User-ID Redistribution that the mapping was
deleted or expired.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-94135 Device monitoring does not work on the Panorama management server.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
Workaround: To enable Panorama to receive device monitoring
information from firewalls running PAN-OS 8.1, run the monitoring
cfg-send device <device_serial_number> CLI command on
Panorama.

PAN-94023 The request system external-list show type ip name
<EDL_name> CLI command does not display external dynamic list entries
after you restart the management server (mgmtsrvr) process.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-93968 The firewall and Panorama web interfaces display vulnerability threat IDs
that are not available in PAN-OS 8.1 releases (Objects > Security Profiles >
Vulnerability Protection > <profile> > Exceptions). To confirm whether a
particular threat ID is available in your release, monitor the release notes
for each new Applications and Threats content update or check the Palo
Alto Networks Threat Vault to see the minimum PAN-OS release version
for a threat signature.

PAN-93937 The management server process (mgmtsrvr) on the firewall restarts
whenever you push configurations from the Panorama management server.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-93930 When you enable SSL decryption on a firewall, decryption errors cause
a process (all_pktproc) to stop responding and cause the dataplane to
restart.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-93889 The Panorama management server generates high-severity System logs
with the message Syslog connection established to server after
you configure Traps log ingestion (Panorama > Log Ingestion Profile) for
forwarding to a syslog server (Panorama > Server Profiles > Syslog) and
commit configuration changes (Commit > Commit to Panorama).
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
Workaround: Disable Traps log ingestion.

PAN-93865 The GlobalProtect agent can't split tunnel applications based on the
destination domain because the Include Domain and Exclude Domain lists
are not pushed to the agent after the user establishes the GlobalProtect
connection (Network > GlobalProtect > Gateways > <gateway-config> >
Agent > Client Settings > <client-setting-config> > Split Tunnel > Domain
and Application).
In addition, the GlobalProtect agent can't include applications in the VPN
tunnel based on the application process name because the Include Client
Application Process Name list is not pushed to the agent after the user
establishes the GlobalProtect connection.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-93864 The password field does not display in the GlobalProtect portal login dialog
if you attach the certificate profile to the portal configuration.
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.
Workaround: Remove the certificate profile from the portal configuration
or set the username field to None in the certificate profile.

PAN-93842 The logging status of a Panorama Log Collector deployed on AWS or
Azure displays as disconnected when you configure the ethernet1/1
to ethernet1/5 interfaces for log collection (Panorama > Managed
Collectors > Interfaces). This results in firewalls not sending logs to the Log
Collector.
Workaround: Configure the management (MGT) interface for log collection.

PAN-93755 SSL decrypted traffic fails after you Enforce Symmetric Return in Policy
Based Forwarding (PBF) policy rules (Policies > Policy Based Forwarding).
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-93753 High log rates cause disk space on PA-200 firewalls to reach maximum
capacity.
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.

PAN-93705 Configuring additional interfaces (such as ethernet1/1 or ethernet1/2) on
the Panorama management server in Management Only mode causes an
attempt to create a local Log Collector when you commit the configuration
(Panorama > Setup > Interfaces). This will cause the commit to fail because
a local Log Collector is not supported on a Panorama management server in
Management Only mode.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-93640 On firewalls, the Log Collector preference list displays the IP address of
a Panorama Log Collector deployed on AWS as unknown if the interface
(ethernet1/1 to ethernet1/5) used for sending logs does not have a public
IP address configured and you push configurations to the Collector Group.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
Workaround: Configure the management (MGT) interface for log collection.

PAN-93607 When you configure a VM-500 firewall with an SCTP Protection profile
(Objects > Security Profiles > SCTP Protection) and you try to add the
profile to an existing Security Profile Group (Objects > Security Profile
Groups), the Security Profile Group doesn’t list the SCTP Protection profile
in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP
Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 8.1 as a Thales HSM client,
the web interface on the firewall displays the Thales server status as Not
Authenticated, even though the HSM state is up (Device > Setup > HSM).

PAN-93522 On firewalls in an HA configuration, traffic is disrupted because the
dataplane restarts unexpectedly when the firewall concurrently processes
HA messages and packets for the same session. This issue applies to all
firewall models except the PA-200 and VM-50 firewalls.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-93430 The firewall web interface doesn't display Host Information Profile (HIP)
information in HIP Match logs for end users who have Microsoft-supported
special characters in their domains or usernames.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-93410 PA-5200 Series firewalls send logs to the passive or suspended Panorama
virtual appliance in Legacy mode in an HA configuration.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
Workaround: On the active Panorama, run the request log-fwd-ctrl
device <firewall_serial_number> action start CLI command,
where <firewall_serial_number> is the serial number of the firewall from
which you want to send logs to Panorama.

PAN-93318 Firewall CPU usage reaches 100 percent due to SNMP polling for logical
interfaces based on updates to the Link Layer Discovery Protocol (LLDP)
MIB (LLDP-V2-MIB.my).
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
Workaround: Restart the snmpd process by running the debug software
restart process snmp CLI command. Note that restarting snmpd
reduces the CPU usage to allow other operations, but does not prevent the
issue from recurring the next time SNMP polling occurs for the
LLDP-V2-MIB.my MIB.

PAN-93233 PA-7000 Series firewalls cause slow traffic over IPSec VPN tunnels when
the tunnel session and inner traffic session are on different dataplanes
because the firewalls reorder TCP segments during IPSec encryption.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
Workaround: Keep the tunnel session and inner traffic session on the same
dataplane. To determine which dataplane the tunnel session uses, first
run the show vpn tunnel name <tunnel_name> CLI command to
see the tunnel identifier, and then run the show vpn flow tunnel-id
<tunnel_id> command to display the dataplane (owner cpuid).
To force the inner traffic session onto the same dataplane, run the set
session distribution-policy fixed <dataplane> command.

PAN-93207 The firewall reports the incorrect hostname when responding to SNMP get
requests.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-93193 The memory-optimized VM-50 Lite intermittently performs slowly and
stops processing traffic when memory utilization is critically high. To
prevent this issue, make sure that you do not:
• Switch to the firewall Context on the Panorama management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being installed.
• Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical
System log for memory utilization, wait for 5 minutes and then manually
reboot the firewall.
Use the Task Manager to verify that you are not performing memory
intensive tasks such as installing dynamic updates, committing changes or
generating reports, at the same time, on the firewall.

PAN-93184 (VM-50 Lite firewalls only) There are intermittent instances of
wild-fire-auth-failed due to ssl error 58 in the system log due
to management plane out-of-memory errors when the varcvr process
attempts to register to the cloud.
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.

PAN-93090 When configuring a Google Cloud Platform (GCP) instance to assign an
L3 DHCP interface to ethernet1/2, the GCP DHCP Server takes 30-50
seconds to respond to the DHCP discover request. This delay causes DHCP
IP assignments to fail.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
Workaround: To bypass the need to wait for the DHCP response, set the
firewall interface to match the static IP address that GCP assigned to the
network interface at creation. In the GCP console, this address is in the
“Primary internal IP” column.

PAN-93072 For hardware firewalls that are decrypting SSL traffic, multiple commits in
a short period of time can cause the firewall to become unresponsive. This
issue applies only to a hardware firewall with SSL decryption enabled; it
does not apply to virtual firewalls.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-93005 The firewall generates System logs with high severity for Dataplane
under severe load conditions that do not affect traffic.
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.

PAN-92892 (VM-50 Lite firewalls only) There are intermittent instances of Failed
to back up PAN-DB in the system log due to management plane
out-of-memory errors when the devsrvr process attempts to run an md5
checksum.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-92858 The Panorama management server cannot generate reports, and the ACC
page intermittently becomes unresponsive when too many heartbeats are
missed because report IDs greater than 65535 are never cleared.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-92678 On Panorama management servers in an HA configuration, after failover
causes the secondary HA peer to become active, it fails to deploy scheduled
dynamic updates to Log Collectors and firewalls.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
Workaround: Manually deploy the dynamic updates (Panorama > Device
Deployment > Dynamic Updates).

PAN-92604 A Panorama Collector Group does not forward logs to some external
servers after you configure multiple server profiles (Panorama > Collector
Groups > <Collector_Group> > Collector Log Forwarding).
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-92564 A small percentage of writable third-party SFP transceivers (not purchased
from Palo Alto Networks®) can stop working or experience other issues
after you upgrade the firewall to which the SFPs are connected to a
PAN-OS 8.0 or PAN-OS 8.1 release. If your firewall uses third-party SFPs, Palo
Alto Networks recommends that you do not upgrade to a PAN-OS 8.0 or
PAN-OS 8.1 release until we release maintenance releases that address this
issue. Additionally, after we provide releases with this fix and you begin the
upgrade process, you must not reboot the firewall after you download and
install the PAN-OS 8.0 or PAN-OS 8.1 base image until after you download
and install a maintenance release with this fix.
For additional details, upgrade considerations, and instructions for
upgrading your firewalls, refer to the PAN-OS 8.0 upgrade information or
the PAN-OS 8.1 upgrade information, as appropriate.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-92487 Enabling jumbo frames (Device > Setup > Session) reduces throughput
because:
• The firewalls hardcode the maximum segment size (TCP MSS) within
TCP SYN packets and in server-to-client traffic at 1,460 bytes when
packets exceed that size.
• PA-7000 Series and PA-5200 Series firewalls hardcode the maximum
transmission unit (MTU) at 1,500 bytes for the encapsulation stage
when tunneled clear-text traffic and the originating tunnel session reside
on different dataplanes.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-92366 PA-5200 Series firewalls in an active/passive HA configuration drop
Bidirectional Forwarding Detection (BFD) sessions when the passive
firewall is in an initialization state after you reboot it.
Workaround: On the passive firewall, set the Passive Link State to
Shutdown (Device > High Availability > General > Active/Passive Settings).
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-92334 (PAN-OS 8.1.1 through PAN-OS 8.1.3 only) The firewall fails to forward
correlation events if you do not first configure a log forwarding profile for
correlated events.
Workaround: Configure log forwarding for correlated events (Device > Log
Settings > Correlation).
This issue is now resolved. See PAN-OS 8.1.4 Addressed Issues.

PAN-92163 Firewalls in an active/passive HA configuration take longer than expected
to fail over after you configure them to redistribute routes between an
interior gateway protocol (IGP) and Border Gateway Protocol (BGP).
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-92155 You cannot configure an IP address using templates for HA2 (Device > High
Availability > Data Link (HA2)) when set to IP or Ethernet for Panorama
management servers in an HA configuration.
Workaround: Configure HA2 in the CLI using the following commands:

> configure

# set template <template_name> config deviceconfig high-availability interface ha2 ip-address <IP_address>

This issue is now resolved. See PAN-OS 8.1.8 Addressed Issues.

PAN-92152 The firewall web interface displays a blank Device > Licenses page when
the customer has 10 x 5 phone support.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-92149 On PA-3250 and PA-3260 firewalls, the hardware signature match engine
is disabled and the PAN-OS software performs signature matching instead,
resulting in a ten percent degradation in threat detection performance.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-92105 Panorama Log Collectors do not receive some firewall logs and take longer
than expected to receive all logs when the Collector Group has spaces in its
name.
Workaround: Configure Collector Group names without spaces.
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.

PAN-92017 Log Collectors that belong to a collector group with a space in its name
fail to fully connect to one another, which affects log visibility and logging
performance.
Workaround: Configure Collector Group names without spaces.
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.

PAN-91946 The Panorama management server intermittently does not refresh data
about the health of managed firewalls (Panorama > Managed Devices >
Health). This results in some session statistics being displayed as 0.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-91809 After you reboot the VM-Series firewall for Azure, some interfaces
configured as DHCP clients intermittently do not receive DHCP-assigned IP
addresses.
Workaround: First, configure static IP addresses on the affected interfaces
on the firewall and commit the change. Then enable DHCP on the same
interfaces and commit again. When the commit finishes, the interfaces will
receive DHCP-assigned IP addresses.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-91802 On a VM-Series firewall, the clear session all CLI command does not clear
GTP sessions.

PAN-91776 End users cannot authenticate to GlobalProtect after you specify a User
Domain with Microsoft-supported symbols such as the dollar symbol ($) in
the authentication profile (Device > Authentication Profile).
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-91689 The Panorama management server removes address objects and, in
the Network tab settings and NAT policy rules, uses the associated IP
address values without reference to the address objects before pushing
configurations to firewalls.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-91421 The firewall dataplane restarts and results in temporary traffic loss when
any process stops responding while system resource usage is running high.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-91370 The firewall drops IPv6 traffic while enforcing IPv6 bidirectional NAT policy
rules because the firewall incorrectly translates the destination address for
a host that resides on a directly attached network.
Workaround: Above the bidirectional rule in your NAT policy, add an
NPTv6 rule that specifies no translation and matches the IPv6 address
configured on the interface that the firewall uses for traffic to the directly
attached network.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-91238 An Aggregate Ethernet (AE) interface with Link Aggregation Control
Protocol (LACP) enabled on the firewall goes down after a cisco-nexus
primary virtual port channel (vPC) switch LACP peer reboots and comes
back up.
Workaround: Set a hold time on the AE interface by running the debug
l2ctrld lacp set hold-time CLI command. The hold time (default is
15 seconds) specifies the delay before the firewall processes LACP protocol
data units (PDUs) after LACP-enabled interfaces come up.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-91236 The Panorama management server does not display new logs collected
on M-Series Log Collectors because the logging search engine does
not register during system startup when logging disk checks and RAID
mounting take longer than two hours to complete.

PAN-91088 On PA-7000 Series firewalls in an HA configuration, the HA3 link does not
come up after you upgrade to PAN-OS 8.0.6 or a later release.
Workaround: Unplug and replug the HSCI modules.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-91059 GTP log query filters do not work when you filter based on a value of
unknown for the message type or GTP interface fields (Monitor > Logs >
GTP).
This issue is now resolved. See PAN-OS 8.1.6 Addressed Issues.

PAN-90947 The PA-5250 firewall stops responding when you configure 2,900 or more
DHCP relay agent interfaces.

PAN-90565 The firewall does not accept wildcards (*) as standalone characters to match
all IMSI identifiers when you configure IMSI Filtering in a GTP Protection
profile (Objects > Security Profiles > GTP Protection > Filtering Options >
IMSI Filtering).

PAN-90404 The Panorama management server intermittently displays the connections
among Log Collectors as disconnected after pushing configurations to a
Collector Group (Panorama > Managed Collectors).
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-90347 On a PA-5000 Series firewall configured to use an IPSec tunnel containing
multiple proxy IDs (Network > IPSec Tunnels > <tunnel> > Proxy IDs), the
firewall drops tunneled traffic after clear text sessions are established on a
dataplane other than the first dataplane (DP0).
Workaround: Use Palo Alto Networks firewalls on both ends of the IPSec
tunnel, or use one proxy ID per tunnel, or use only DP0 for establishing
clear text sessions (run the set session processing-cpu dp0 CLI
command).
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-90301 The firewall generates false positives during GTP-in-GTP checks because
it detects some DNS-in-GTP packets as GTP-in-GTP packets (Objects >
Security Profiles > GTP Protection > <GTP_Protection_profile> > GTP
Inspection > GTP-U).

PAN-90096 Threat logs record incorrect IMSI values for GTP packets after you enable
Packet Capture in Vulnerability Protection profiles (Objects > Security
Profiles > Vulnerability Protection > <Vulnerability_Protection_profile> >
Rules).
This issue is now resolved. See PAN-OS 8.1.6 Addressed Issues.

PAN-89794 (PA-3050, PA-3060, PA-5000 Series, PA-5200 Series, and PA-7000 Series
firewalls only in an HA configuration) Multicast sessions intermittently stop
forwarding traffic after HA failover on firewalls with hardware offloading
enabled (default).
Workaround: Disable hardware offloading by running the set session
offload no CLI command and clear any multicast sessions that are
already offloaded after failover by running the clear session CLI
command.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-89402 On PA-3200 Series firewalls, Ethernet ports 2, 3, 4, 6, 7, 8, and 10 function
only at 1,000Mbps (1Gbps); you should not configure these ports to run
at any other speed. (Ethernet ports 1, 5, 9, 11, and 12 function at 10Mbps,
100Mbps, or 1,000Mbps.)
This issue is now resolved. See PAN-OS 8.1.4 Addressed Issues.

PAN-88987 When you configure a PA-5220 firewall with Dynamic IP and Port
(DIPP) NAT, the number of translated IP addresses cannot exceed 3,000;
otherwise, the commit fails.
This issue is now resolved. See PAN-OS 8.1.9 Addressed Issues.

PAN-88852 VM-Series firewalls stop displaying URL Filtering logs after you configure a
URL Filtering profile with an alert action (Objects > Security Profiles > URL
Filtering).
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-88649 After receiving machine account names in UPN format from a
Windows-based User-ID agent, the firewall misidentifies them as user accounts
and overrides usernames with machine names in IP address-to-username
mappings.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-88487 The firewall stops enforcing policy after you manually refresh an External
Dynamic List (EDL) that has an invalid IP address or that resides on an
unreachable web server.
Workaround: Do not refresh EDLs that have invalid IP addresses or that
reside on unreachable web servers.
This issue is now resolved. See PAN-OS 8.1.9 Addressed Issues.

PAN-88048 A VM-Series firewall on KVM in MMAP mode doesn't receive traffic after
you configure it to use the i40e single-root input/output virtualization
(SR-IOV) virtual function (VF).
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.

PAN-87990 The WF-500 appliance becomes inaccessible over SSH and becomes stuck
in a boot loop after you upgrade from a release lower than PAN-OS 8.0.1
and try to upgrade to PAN-OS 8.0.5 or a later release.

PAN-87309 When you configure a GlobalProtect gateway to exclude all video
streaming traffic from the VPN tunnel, Hulu and Sling TV traffic cannot
be redirected if you do not configure any security profiles (such as a File
Blocking profile) for your firewall Security policy.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-86936 Logs are temporarily unavailable on Panorama Log Collectors because the
vldmgr process restarts.

PAN-86903 In rare cases, PA-800 Series firewalls shut themselves down due to a false
over-current measurement.

PAN-86028 (HA active/active configurations only) Traffic in a GlobalProtect VPN tunnel
in SSL mode fails after Layer 7 processing is completed if asymmetric
routing is involved.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-85691 Authentication policy rules based on multi-factor authentication (MFA)
don't block connections to an MFA vendor when the MFA server profile
specifies a Certificate Profile that has the wrong certificate authority (CA)
certificate.

PAN-84670 When you disable decryption for HTTPS traffic, end users who don't
have valid authentication timestamps can access HTTPS services and
applications regardless of Authentication policy.
Workaround: Create a Security policy rule that blocks HTTPS traffic that is
not decrypted.
This issue is now resolved. See PAN-OS 8.1.7 Addressed Issues.

PAN-84488 On PA-7000 Series and PA-5200 Series firewalls, client systems can use
a translated IP address-and-port pair for only one connection even if you
configure the Dynamic IP and Port (DIPP) NAT Oversubscription Rate to
allow multiple connections (Device > Setup > Session > Session Settings >
NAT Oversubscription).

PAN-84199 After you disable the Skip Auth on IKE Rekey option in the GlobalProtect
gateway, the firewall still applies the option: end users with endpoints
that use Extended Authentication (X-Auth) don't have to re-authenticate
when the key used to establish the IPSec tunnel expires (Network >
GlobalProtect > Gateways > <gateway> > Agent > Tunnel Settings).
This issue is now resolved. See PAN-OS 8.1.4 Addressed Issues.

PAN-84045 VM-Series firewalls in an HA configuration with Data Plane Development
Kit (DPDK) enabled experience HA path monitoring failures and (in
active/passive deployments) HA failover.
This issue is now resolved. See PAN-OS 8.1.0 Addressed Issues.

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100 network processor)
that has session offload enabled (default) incorrectly resets the UDP
checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently
disable session offload for only UDP traffic using the set session
udp-offload no CLI command.

PAN-83598 VM-Series firewalls cannot monitor more than 500 virtual machine (VM)
information sources (Device > VM Information Sources).

PAN-83236 The VM-Series firewall on Google Compute Platform does not publish
firewall metrics to Google Stack Monitoring when you manually configure a
DNS server IP address (Device > Setup > Services).
Workaround: The VM-Series firewall on Google Cloud Platform must use
the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work when you
import the ECDSA private keys onto a Thales nShield hardware security
module (HSM).

PAN-83047 The firewall displays the following commit warning when you configure a
GlobalProtect gateway with a Tunnel Interface set to the default tunnel
interface (Network > GlobalProtect > Gateways > <gateway> > General)
even after you enable IPv6: Warning: tunnel tunnel ipv6 is not
enabled. IPv6 address will be ignored!
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.

PAN-82987 The web interface intermittently becomes unresponsive during ACC
queries.
This issue is now resolved. See PAN-OS 8.1.4 Addressed Issues.

PAN-82278 Filtering does not work for Threat logs when you filter for threat names
that contain certain characters: single quotation (’), double quotation (”),
back slash (\), forward slash (/), backspace (\b), form feed (\f), new line
(\n), carriage return (\r), and tab (\t).

PAN-81521 Endpoints fail to authenticate to GlobalProtect through Kerberos when
you specify an FQDN instead of an IP address in the Kerberos server profile
(Device > Server Profiles > Kerberos).
Workaround: Replace the FQDN with the IP address in the Kerberos server
profile.
This issue is now resolved. See PAN-OS 8.1.0 Addressed Issues.

PAN-79423 Panorama cannot push address group objects from device groups to
managed firewalls when zones specify the objects in the User Identification
ACL include or exclude lists (Network > Zones) and the Share Unused
Address and Service Objects with Devices option is disabled (Panorama >
Setup > Management > Panorama Settings).

PAN-79291 An intermittent issue occurs with ZIP hardware offloading (hardware-based
decompression) where firewalls identify ZIP files as threats when they are
sent over Simple Mail Transfer Protocol (SMTP).
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.

PAN-79090 There is an issue where HIP-related objects are missing transformation
logic for OPSWAT when using a Panorama 8.1 release to manage firewalls
running a PAN-OS 8.0.15 or earlier release.
Workaround: Ensure all firewalls are running a PAN-OS 8.0.16 or later
release.

PAN-77125 PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured
in tap mode don’t close offloaded sessions after processing the associated
traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of
tap mode, or disable session offloading by running the set session
offload no CLI command.

PAN-75457 (PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have
three or more nodes, the Panorama management server does not support
changing node roles. In a three-node cluster for example, you cannot use
Panorama to configure the worker node as a controller node by adding the
HA and cluster controller configurations, configure an existing controller
node as a worker node by removing the HA configuration, and then commit
and push the configuration. Attempts to change cluster node roles from
Panorama result in a validation error—the commit fails and the cluster
becomes unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a Data
Filtering profile blocks files.

PAN-73401 (PAN-OS 8.0.1 and later releases) When you import a two-node WildFire
appliance cluster into the Panorama management server, the controller
nodes report their state as out-of-sync if either of the following conditions
exist:
• You did not configure a worker list to add at least one worker node
to the cluster. (In a two-node cluster, both nodes are controller nodes
configured as an HA pair. Adding a worker node would make the cluster
a three-node cluster.)
• You did not configure a service advertisement (either by enabling or not
enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller
nodes:
• After you import the two-node cluster into Panorama, push the
configuration from Panorama to the cluster. After the push succeeds,
Panorama reports that the controller nodes are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker node you
are adding to the cluster.) This creates a three-node cluster. After you
import the cluster into Panorama, Panorama reports that the controller
nodes are in sync. When you want the cluster to have only two nodes,
use a different workaround.
• Configure service advertisement on the local CLI of the cluster
controller and then import the configuration into Panorama. The service
advertisement can advertise that DNS is or is not enabled.

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

or

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

Both commands result in Panorama reporting that the controller nodes
are in sync.

PAN-72861 When you configure a PA-7000 Series or PA-5200 Series firewall to
perform tunnel-in-tunnel inspection, which includes GRE keep-alive packets
(Policies > Tunnel Inspection > <tunnel_inspection_rule> > Inspection >
Inspect Options), and you run the clear session all CLI command
while traffic is traversing a tunnel, the firewall temporarily drops tunneled
packets.

PAN-71765 Deactivating a VM-Series firewall from Panorama completes successfully
but the web interface does not update to indicate that deactivation
finished.
Workaround: View deactivation status from Panorama > Managed
Devices.

PAN-71329 Local users and user groups in the Shared location (all virtual systems)
are not available to be part of the user-to-application mapping for
GlobalProtect Clientless VPN applications (Network > GlobalProtect >
Portals > <portal> > Clientless VPN > Applications).
Workaround: Create users and user groups in specific virtual systems on
firewalls that have multiple virtual systems. For single virtual systems (like
VM-Series firewalls), users and user groups are created under Shared and
are not configurable for Clientless VPN applications.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are enabled on
the same IP address, then when a user logs out of the GlobalProtect portal,
the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and
an FQDN to access the GlobalProtect portal.

PAN-70023 Authentication using auto-filled credentials intermittently fails when you
access an application using GlobalProtect Clientless VPN.
Workaround: Manually enter the credentials.

PAN-69505 When you view an external dynamic list that requires client authentication
and you Test Source URL, the firewall fails to indicate whether it can reach
the external dynamic list server and returns a URL access error (Objects >
External Dynamic Lists).

PAN-62453 Entering vSphere maintenance mode on a VM-Series firewall without first
shutting down the Guest OS for the agent VMs causes the firewall to shut
down abruptly, and results in issues after the firewall is powered on again.
Refer to Issue 1332563 in the VMware Release Notes.
Workaround: VM-Series firewalls are Service Virtual Machines (SVMs)
pinned to ESXi hosts and you should not migrate those firewalls. Before
you enter vSphere maintenance mode, use the VMware tools to ensure a
graceful shutdown of the VM-Series firewall.

PAN-58872 The automatic license deactivation workflow for firewalls with direct
internet access does not work.
Workaround: Use the request license deactivate key
features <name> mode manual CLI command to Deactivate a Feature
License or Subscription Using the CLI. To Deactivate a VM-Series
firewall, choose Complete Manually (instead of Continue) and follow the
steps to manually deactivate the VM.

PAN-55825 Performing an AutoFocus remote search that is targeted to a firewall or
Panorama management server does not work correctly when the search
condition contains a single or double quotation mark.

PAN-55437 HA for VM-Series firewalls does not work in AWS regions that do
not support the signature version 2 signing process for EC2 API calls.
Unsupported regions include AWS EU (Frankfurt) and Korea (Seoul).

PAN-55203 When you change the reporting period for a scheduled report, such as the
SaaS Application Usage PDF report, the report can have incomplete or no
data for the reporting period.
Workaround: If you need to change the reporting period for any scheduled
report, create a new report for the desired time period instead of modifying
the time period on an existing report.

PAN-54254 In Traffic logs, the following session end reasons for Captive Portal or a
GlobalProtect SSL VPN tunnel indicated the incorrect reason for session
termination: decrypt-cert-validation, decrypt-unsupport-param, or
decrypt-error.

PAN-53825 On the VM-Series for NSX firewall, when you add or modify an NSX service
profile zone on Panorama, you must perform a Panorama commit and then
push device group configurations with the Include Device and Network
Templates option selected (Commit > Commit and Push). To successfully
redirect traffic to the VM-Series for NSX firewall, you must push both
device group and template configurations when you modify the zone
configuration to ensure that the zones are available on the firewall.

PAN-53663 When you open the SaaS Application Usage report (Monitor > PDF
Reports > SaaS Application Usage) on multiple tabs in a browser, each for
a different virtual system (vsys), and you then attempt to export PDFs from
each tab, only the first request is accurate; all successive attempts result in
PDFs that are duplicates of the first report.
Workaround: Export only one PDF at a time and wait for that export
process to finish before initiating the next export request.

PAN-51969 On the NSX Manager, when you unbind an NSX Security Group from an
NSX Security Policy rule, the dynamic tag and registered IP address are
updated on the Panorama management server but are not sent to the VM-
Series firewalls.
Workaround: To push the Dynamic Address Group updates to the VM-
Series firewalls, you must manually synchronize the configuration with the
NSX Manager (select Panorama > VMware Service Manager and select
NSX Config-Sync).

PAN-51952 If a security group overlap occurs in an NSX Security policy where the same
security group is weighted with a higher and a lower priority value, the
traffic may be redirected to the wrong service profile (VM-Series firewall
instance). This issue occurs because an NSX Security policy with a higher
weight does not always take precedence over a policy with a lower weight.
Workaround: Make sure that members that are assigned to a security
group are not overlapping with another Security group and that each
security group is assigned to a unique NSX Security policy rule. This allows
you to ensure that NSX Security policy does not redirect traffic to the
wrong service profile (VM-Series firewall).

PAN-51870 When using the CLI to configure the management interface as a
DHCP client, the commit fails if you do not provide all four DHCP
parameters in the command. For a successful commit when using the set
deviceconfig system type dhcp-client configuration mode CLI
command, you must include each of the following parameters:
accept-dhcp-domain, accept-dhcp-hostname, send-client-id, and
send-hostname.

PAN-51869 Canceling pending commits does not immediately remove them from the
commit queue. The commits remain in the queue until PAN-OS dequeues
them.

PAN-51673 BFD sessions are not established between two RIP peers when there are no
RIP advertisements.
Workaround: Enable RIP on another interface to provide RIP
advertisements from a remote peer.

PAN-51216 The NSX Manager fails to redirect traffic to the VM-Series firewall
when you define new Service Profile zones for NSX on the Panorama
management server. This issue occurs intermittently on the NSX Manager
when you define security rules to redirect traffic to the new service profiles
that are available for traffic introspection and results in the following error:
Firewall configuration is not in sync with NSX Manager.
Conflict with Service Profile Odd hoston service(Palo
Alto Networks NGFW) when binding to host<name>.

PAN-51122 For the VM-Series firewall, after you manually reset a heartbeat failure
alarm on the vCenter server to indicate that the VM-Series firewall is
healthy (change color to green), the vCenter server does not trigger a
heartbeat failure alarm again.

PAN-48456 IPv6-to-IPv6 Network Prefix Translation (NPTv6) is not supported when
configured on a shared gateway.

PAN-46344 When you use a Mac OS Safari browser, client certificates will not work for
Captive Portal authentication.
Workaround: On a Mac OS system, instruct end users to use a different
browser (for example, Mozilla Firefox or Google Chrome).

PAN-45793 On a firewall with multiple virtual systems, when you add an authentication
profile to a virtual system and give the profile the same name as an
authentication sequence in Shared, reference errors occur. The same errors
occur if the profile is in Shared and the sequence with the same name is in a
virtual system.
Workaround: When creating authentication profiles and sequences, always
enter unique names, regardless of their location. For existing authentication
profiles and sequences with similar names, rename the ones that are
currently assigned to configurations (such as a GlobalProtect gateway) to
ensure uniqueness.

PAN-43000 Vulnerability detection of SSLv3 fails when SSL decryption is enabled. This
occurs when you attach a Vulnerability Protection profile (that detects
SSLv3—CVE-2014-3566) to a Security policy rule and that Security policy
rule and a Decryption policy rule are configured on the same virtual system
in the same zone. After performing SSL decryption, the firewall sees
decrypted data and no longer sees the SSL version number. In this case, the
SSLv3 vulnerability is not identified.
Workaround: PAN-OS 7.0 introduced enhancements to SSL Decryption
that enable you to prohibit the inherently weaker SSL/TLS versions, which
are more vulnerable to attacks. For example, you can use a Decryption
Profile to enforce a minimum protocol version of TLS 1.2 or select Block
sessions with unsupported versions to disallow unsupported protocol
versions (Objects > Decryption Profile > SSL Decryption > {SSL Forward
Proxy | SSL Inbound Inspection}).

PAN-41558 When you use a firewall loopback interface as a GlobalProtect gateway
interface, traffic is not routed correctly for third-party IPSec clients, such as
StrongSwan.
Workaround: Use a physical firewall interface instead of a loopback firewall
interface as the GlobalProtect gateway interface for third-party IPSec
clients. Alternatively, configure the loopback interface that is used as the
GlobalProtect gateway to be in the same zone as the physical ingress
interface for third-party IPSec traffic.

PAN-40130 In the WildFire Submissions logs, the email recipient address is not correctly
mapped to a username after you push LDAP group mappings to the firewall
from a Panorama template.

PAN-40079 The VM-Series firewall on KVM, for all supported Linux distributions,
does not support the Broadcom network adapters for PCI pass-through
functionality.

PAN-40075 The VM-Series firewall on KVM running on Ubuntu 12.04 LTS does not
support PCI pass-through functionality.

PAN-39728 The URL logging rate is reduced after you enable HTTP header logging
in the URL Filtering profile (Objects > Security Profiles > URL Filtering >
<URL_Filtering_profile> > Settings).

PAN-39636 Regardless of the Time Frame you specify for a scheduled custom report
on a Panorama M-Series appliance, the earliest possible start date for
the report data is effectively the date when you configured the report
(Monitor > Manage Custom Reports). For example, if you configure the
report on the 15th of the month and set the Time Frame to Last 30 Days,
the report that Panorama generates on the 16th will include only data from
the 15th onward. This issue applies only to scheduled reports; on-demand
reports include all data within the specified Time Frame.
Workaround: To generate an on-demand report, click Run Now when you
configure the custom report.

PAN-39501 The firewall does not clear unused NAT IP address pools after a single
commit, so a commit fails when the combined cache of unused pools,
existing used pools, and new pools exceeds the memory limit.
Workaround: Commit a second time, which clears the old pool allocation.

PAN-38255 When you perform a factory reset on a Panorama virtual appliance and
configure the serial number, logging does not work until you reboot
Panorama or execute the debug software restart process
management-server CLI command.


PAN-37511 Due to a limitation related to the Ethernet chip driving the SFP+ ports,
PA-5050 and PA-5060 firewalls will not perform link fault signaling as
standardized when a fiber in the fiber pair is cut or disconnected.

PAN-37177 After you deploy the VM-Series firewall and it connects to the Panorama
management server, you must commit to Panorama (Commit > Commit to
Panorama) to ensure that Panorama recognizes the firewall as a managed
device. If you reboot Panorama without committing the changes, the
firewall does not reconnect with Panorama; although the device group
displays the list of firewalls, the firewall does not display in Panorama >
Managed Devices.
Furthermore, when Panorama has an HA configuration, the VM-Series
firewall is not added to the passive Panorama peer until the active
Panorama peer synchronizes the configuration. During this time, the
passive Panorama peer logs a critical message: vm-cfg: failed to
process registration from svm device.vm-state: active.
The passive peer logs this message until you commit the changes on
the active Panorama, which then initiates synchronization between the
Panorama HA peers and the VM-Series firewall is added to the passive
Panorama peer.
Workaround: To reconnect to the managed firewalls, commit your
changes to Panorama. In an HA deployment, the commit initiates the
synchronization of the running configuration between the Panorama HA
peers.

PAN-36730 When deleting the VM-Series deployment, all VMs are deleted successfully;
however, sometimes a few instances still remain in the datastore.
Workaround: Manually delete the VM-Series firewalls from the datastore.

PAN-36728 (VM-Series for NSX firewalls only) In some scenarios, traffic from newly
added guests or virtual machines is not steered to the VM-Series firewall
even when the guests belong to a Security Group and are attached to a
Security Policy that redirects traffic to the VM-Series firewall.
Workaround: Reapply the Security Policy on the NSX Manager.

PAN-36727 The VM-Series firewall fails to deploy and displays the following error
message: Invalid OVF Format in Agent Configuration.
Workaround: Use the following command to restart the ESX Agent
Manager process on the vCenter Server: /etc/init.d/vmware-vpxd
tomcat-restart.

PAN-36433 When HA failover occurs on Panorama at the time that the NSX Manager
is deploying the VM-Series NSX edition firewall, the licensing process fails
with the following error: vm-cfg:failed to process registration
from svm device. vm-state: active.
Workaround: Delete the unlicensed instance of the VM-Series firewall on
each ESXi host and then redeploy the Palo Alto Networks next-generation
firewall service from the NSX Manager.


PAN-36394 (VM-Series for NSX firewalls only) When the datastore is migrated for a
guest, all current sessions are no longer steered to the VM-Series firewall.
However, all new sessions are secured properly.

PAN-36393 When deploying the VM-Series firewall, the Task Console displays Error
while enabling agent. Cannot complete the operation.
See the event log for details. This error displays even on a
successful deployment. You can ignore the message if the VM-Series
firewall is successfully deployed.

PAN-36088 When an ESXi host is rebooted or shut down, the functional status of the
guests is not updated. Because the IP address is not updated, the dynamic
tags do not accurately reflect the functional state of the guests that are
unavailable.

PAN-36049 The VMware vCenter Server/vmtools displays the IP address for a guest
incorrectly after VLAN tags are added to an Ethernet port. The display does
not accurately show the IP addresses associated with the tagged Ethernet
port and the untagged Ethernet port. This issue occurs on some Linux OS
versions such as Ubuntu.

PAN-35903 When you edit a traffic introspection rule (to steer traffic to the
VM-Series firewall) on the NSX Manager, an invalid (tcp) port number
error or invalid (udp) port number error displays when you
remove the destination (TCP or UDP) port.
Workaround: Delete the rule and add a new one.

PAN-35875 When defining traffic introspection rules (to steer traffic to the VM-Series
firewall) on the NSX Manager, either the source or the destination for the
rule must reference the name of a Security Group; you cannot create a rule
from any to any Security Group.
Workaround: To redirect all traffic to the VM-Series firewall, you must
create a Security Group that includes all the guests in the cluster. Then you
can define a security policy that redirects traffic from and to the cluster so
that the firewall can inspect and enforce policy on the east-west traffic.

PAN-35874 Duplicate packets are steered to the VM-Series firewall after you enable
distributed vSwitch for steering in promiscuous mode.
Workaround: Disable promiscuous mode.

PAN-34966 On a VM-Series NSX edition firewall, when adding or removing a Security
Group (Container) that is bound to a Security Policy, the Panorama
management server does not get a dynamic update of the added or
removed Security Group.
Workaround: Select Panorama > VMware Service Manager, and
Synchronize Dynamic Objects to initiate a manual synchronization to get
the latest update.


PAN-34855 On a VM-Series NSX edition firewall, Dynamic Tags (update) do not reflect
the actual IP address set on the guest. This issue occurs because the
vCenter Server cannot accurately view the IP address of the guest.

PAN-31832 The following issues apply when configuring a firewall to use a hardware
security module (HSM):
• Thales nShield Connect—The firewall requires at least four minutes to
detect that an HSM was disconnected, causing SSL functionality to be
unavailable during the delay.
• SafeNet Network—When losing connectivity to either or both HSMs in
an HA configuration, the display of information from the show
high-availability state and show hsm info commands is blocked
for 20 seconds.

PAN-25046 Firewalls store SSH host keys used for SCP log exports in the known
hosts file. In an HA deployment, PAN-OS synchronizes the SCP log export
configuration between the firewall HA peers (Device > Scheduled Log
Export), but not the known hosts file. When a failover occurs, the SCP log
export fails.
Workaround: Log in to each peer in HA, select Device > Scheduled Log
Export > <log_export_configuration>, and Test SCP server connection to
confirm the host key so that SCP log forwarding continues to work after a
failover.

PAN-23732 After you use a Panorama template to push a log export schedule that
specifies an SCP server as the destination (Device > Scheduled Log Export),
you must log in to each firewall that receives the schedule and Test SCP
server connection. The connection is not established until the firewall
accepts the host key for the SCP server.

Known Issues Specific to the WF-500 Appliance


The following list includes known issues specific to WildFire® 8.1 releases running on the WF-500
appliance. See also the specific and general Known Issues Related to PAN-OS 8.1 Releases.

Issue ID Description

— A Panorama™ management server running PAN-OS® 8.1 does not
currently support management of appliances running WildFire 7.1
or earlier releases. Even though these management options are
visible on the Panorama 8.1 web interface (Panorama > Managed
WildFire Clusters and Panorama > Managed WildFire Appliances),
making changes to these settings for appliances running WildFire
7.1 or an earlier release has no effect.

WF500-4893 (RADIUS server profile configurations only) You cannot send a
commit from a Panorama appliance running a PAN-OS 8.1 release
to a WF-500 appliance running a PAN-OS 8.0 release because the
RADIUS authentication protocol is incorrectly changed to CHAP
authentication.
This issue is now resolved. See PAN-OS 8.1.6 Addressed Issues.

WF500-4636 In rare cases when you upgrade a WF-500 appliance from a
PAN-OS 7.1 release to a PAN-OS 8.0 release, the disk partition becomes
full due to the amount of data on the drive. When you try deleting
the backup database to free up space, the debug wildfire
reset backup-database-for-old-samples CLI command
fails and displays the following error: Server error : Client
wf_devsrvr not ready.
This issue is now resolved. See PAN-OS 8.1.6 Addressed Issues.

WF500-4200 The Create Date shown when using the show wildfire
global sample-status sha256 equal <hash> and show
wildfire global sample-analysis CLI commands is two
hours behind the actual time for WF-500 appliance samples.

WF500-3935 WildFire appliances build and release all untested signatures to the
connected firewalls every five minutes, which is the maximum time
that a signature remains untested (not released to firewalls). When
a WildFire appliance joins a cluster, if any untested (unreleased)
signatures are on the appliance, they may be lost instead of
migrating to the cluster, depending on when the last build of
untested signatures occurred.

PAN-OS 8.1 Addressed Issues
Review the issues that were addressed in each maintenance release of the PAN-OS® 8.1
release.
For new features, associated software versions, known issues, and changes in default behavior
in the PAN-OS 8.1 release, see PAN-OS 8.1 Release Information.

> PAN-OS 8.1.12 Addressed Issues
> PAN-OS 8.1.11 Addressed Issues
> PAN-OS 8.1.10 Addressed Issues
> PAN-OS 8.1.9-h4 Addressed Issues
> PAN-OS 8.1.9 Addressed Issues
> PAN-OS 8.1.8-h5 Addressed Issues
> PAN-OS 8.1.8 Addressed Issues
> PAN-OS 8.1.7 Addressed Issues
> PAN-OS 8.1.6-h2 Addressed Issues
> PAN-OS 8.1.6 Addressed Issues
> PAN-OS 8.1.5 Addressed Issues
> PAN-OS 8.1.4-h2 Addressed Issues
> PAN-OS 8.1.4 Addressed Issues
> PAN-OS 8.1.3 Addressed Issues
> PAN-OS 8.1.2 Addressed Issues
> PAN-OS 8.1.1 Addressed Issues
> PAN-OS 8.1.0 Addressed Issues

PAN-OS 8.1.12 Addressed Issues
Issue ID Description

PAN-133443 Fixed an issue where an XML API call incorrectly masked the response, which
prevented role-based administrators from running the response.

PAN-132501 Fixed an issue where after you switched the Context from Panorama™ to a
firewall, the DESTINATION ZONE (Policies > Security > <policy-name> >
Destination) incorrectly displayed none.

PAN-132104 Fixed an issue on Panorama M-Series and virtual appliances where the
<show><object><registered-ip></registered-ip></object></
show> XML API call did not retrieve more than 500 entries.

PAN-131054 Fixed an issue where the DNS packet parser incorrectly processed DNS packet
headers when the QD count was 0. With this fix, the DNS packet parser aborts
processing when QD != 1.

PAN-130073 Fixed an issue where a large number (65,000) of GlobalProtect™ user
connections caused a process (sslvpn) to stop responding after you upgraded
from PAN-OS® 8.1.10 to PAN-OS 8.1.11.

PAN-129504 Fixed an issue where an incorrect commit job in the queue caused the FQDN
to display Not resolved after you performed a commit.

PAN-128324 (PA-7000 Series firewalls only) Fixed an issue where internal path monitoring
failures occurred due to either a buffer leak or buffer corruption.

PAN-128269 (PA-5250, PA-5260, and PA-5280 firewalls with 100GB AOC cables only)
Fixed an issue where after you upgraded the first peer in a high availability
(HA) configuration to PAN-OS 8.1.9-h4 or a later release, the High Speed
Chassis Interconnect (HSCI) port did not come up due to an FEC mismatch
until after you finished upgrading the second peer.

PAN-127649 Fixed an issue where a purge script stopped responding as expected, which
caused a process (logrcvr) to discard incoming logs.

PAN-127089 Fixed an intermittent issue where the default route did not redistribute to an
OSPF Not-So-Stubby Area (NSSA).

PAN-127055 Fixed an issue on a VM-Series firewall deployed in Microsoft Azure where the
CPU ID and serial number changed after you upgraded from PAN-OS 8.0.13 to
PAN-OS 8.1.9-h4.

PAN-126627 Fixed an issue where a process (all_pktproc) stopped responding due to a
NULL pointer exception while cleaning up SSL proxy sessions previously
configured for GlobalProtect.

PAN-126534 (PAN-OS 8.1.10 and later releases only) Fixed an issue where the data from
Security policies did not export as expected.


PAN-126283 Fixed an intermittent issue where after you configured Cache EDNS
Responses (Network > DNS Proxy > <DNS Proxy-name> > Advanced) a
process (dnsproxy) stopped responding.

PAN-126159 Fixed an issue where the firewall did not match the Security policy when you
configured the match condition to a shared local group.

PAN-125898 Fixed an issue where a process (openssl) caused higher than expected
management CPU usage due to the incompletion of the Online Certificate
Status Protocol (OCSP) during the logging service certificate validation.

PAN-125833 Fixed an issue on a firewall in an HA active/passive configuration where a
daemon (routed) did not receive the updated interface status after an HA
failover, which caused routes to remain in the routing and FIB tables.

PAN-125793 Fixed an issue where multiple No valid URL filtering license
warning messages were generated during a commit due to an expired URL
filtering license. With this fix, the warning messages are grouped into a single
message per virtual system (vsys).

PAN-125746 Fixed an issue where commits failed and displayed the following error
message: priority is invalid when you configured the GlobalProtect
priority to None.

PAN-125515 Fixed an issue on VM-Series firewalls where the firewall dropped all traffic
traversing from the dataplane to the management plane.

PAN-125478 Fixed an issue on a firewall in an HA active/passive configuration where the
route to the passive firewall dropped during a failover.

PAN-125302 Fixed an issue where after the replacement of the real-time clock (RTC)
battery, the new battery's voltage incorrectly triggered alerts in the system log.

PAN-125018 Fixed an issue on Panorama M-Series and virtual appliances where, after you
configured the firewall with an API call, commits took longer than expected.

PAN-124890 Fixed a configuration lock issue where you were unable to log in after you
upgraded from PAN-OS 8.1.6 to PAN-OS 8.1.9.

PAN-124882 Fixed an issue where traffic logs that contained incorrect Security policies
were generated during an active commit process when the Security policies
were being added or removed.

PAN-124630 Fixed an issue where new logs were not ingested due to a buffer exhaustion
condition caused by invalid messages incorrectly handled by elastic search.

PAN-124435 Fixed an issue where the firewall dropped per-VLAN spanning tree (PVST+)
packets from the virtual wire interface when you executed the set session
rewrite-pvst-pvid yes CLI command.

PAN-123322 (PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls running
PAN-OS 8.1.11 only) Fixed an intermittent issue where a process (all_pktproc)
stopped responding due to a Work Query Entry (WQE) corruption that was
caused by duplicate child sessions.

PAN-123306 Fixed an issue where the Dashboard did not display the release dates for
Application Version, Threat Version, and Antivirus Version.

PAN-123220 Fixed an issue on a firewall running snmpwalk where 100GB interfaces were
incorrectly displayed as 1GB.

PAN-123190 Fixed an issue on a firewall in an HA active/passive configuration where a
process (useridd) restarted multiple times and caused the firewall to reboot.

PAN-123167 Fixed an issue where a process (mprelay) stopped responding.

PAN-122804 Fixed an issue on Panorama M-Series and virtual appliances where the firewall
stopped forwarding logs to Cortex Data Lake after you upgraded the cloud
services plugin to 1.4.

PAN-122788 Fixed an issue where the firewall incorrectly logged target filenames when an
antivirus signature was triggered over a Server Message Block (SMB) protocol.

PAN-122779 Fixed an issue where the firewall did not respond to TCP DNS requests when
the firewall acted as a DNS proxy.

PAN-122455 Fixed an issue where the DHCP server incorrectly processed bootp unicast flag
requests.

PAN-122311 (PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only) Fixed an
issue where parent sessions were dropped while installing a duplicate predict
session.

PAN-122181 (PA-3200 Series and PA-5200 Series firewalls only) Fixed an issue where the
firewall did not capture inbound Encapsulating Security Payload (ESP) protocol
50 packets at the receive stage.

PAN-121917 (PA-800 Series and PA-220 firewalls only) Fixed an issue where the
hrProcessorLoad.2 OID displayed incorrect values.

PAN-121609 (PA-7000 Series firewalls using PA-7000-20G-NPC cards only) Fixed an issue
where the firewall restarted due to an internal path monitoring heartbeat
failure during periods of more than expected traffic load.

PAN-121484 (PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only) Fixed
an issue where the dataplane sent positive acknowledgments to predict-
status checks from FPP when the corresponding predict was deleted, which
caused SIP and RTSP applications to perform less than the expected achievable
performance.

PAN-121481 Fixed an issue where downloading the GlobalProtect app software on your
GlobalProtect portal took longer than expected.


PAN-121472 Fixed an intermittent issue where the dataplane stopped responding when
processing compressed traffic.

PAN-120986 Fixed an issue where a process (routed) stopped responding when
deployments include multiple OSPF virtual interfaces.

PAN-120965 Fixed an issue where certificate revocation list (CRL) and Online Certificate
Status Protocol (OCSP) checks did not respond as expected when you
configured Block session if certificate status is unknown.

PAN-120900 Fixed an issue on a firewall in an HA active/passive configuration where after
you submitted a host information profile (HIP) report a duplicate User-ID™ log
was generated on the passive firewall.

PAN-120893 Fixed an issue where the Security Parameter Index (SPI) size was incorrectly
set in the IKE Phase 2 packet when you configured commit-bit on the
neighboring device, which caused IKE negotiations to fail on the neighboring
device.

PAN-120701 Fixed an issue where the URL filtering blocked web traffic by a Security policy
when you did not enable URL filtering.

PAN-120545 Fixed an issue on VM-Series firewalls where the ager ran faster than expected,
which prematurely caused the master key to expire.

PAN-120351 Fixed an issue where the firewall caused unnecessary fragmentation when
traffic and tunnel were content inspected, which caused retransmission and
slowed response time.

PAN-120300 Fixed an issue where you were unable to view DHCP leases from the web
interface or through the show dhcp server lease interface all CLI
command due to the request taking longer than expected, which resulted in a
time out.

PAN-120106 Fixed an issue where Panorama did not send correlation events and logs to the
syslog server after you upgraded the firewall from PAN-OS 8.0.9 to PAN-OS
8.1.7.

PAN-120005 Fixed an issue where the firewall incorrectly forwarded incomplete and
corrupted files through the Server Message Block (SMB) protocol to WildFire.

PAN-119950 Fixed an issue on a firewall in a high availability (HA) active/passive
configuration where a process (flow_ctrl) received and restarted due to a
malformed ICMPv6 neighbor advertisement packet.

PAN-119822 Fixed an issue where you were not redirected to the application URL after
authentication.

PAN-119820 Fixed an issue where the firewall incorrectly calculated the TCP segment size
when performing forward proxy decryption.


PAN-119819 Fixed an issue where Discover (Device > User Identification > User Mapping >
Server Monitoring) stopped responding after you configured a DNS proxy.

PAN-119818 Fixed an issue where corrupt logs caused buffered log forwarding to stop
responding.

PAN-119550 Fixed an issue on Panorama M-Series and virtual appliances where
communication between two processes (mgmtsrvr and logd) stopped
responding.

PAN-119452 An enhancement was made to improve subsequent loading times of device
groups after the first load.

PAN-119349 Fixed an issue on Panorama M-Series and virtual appliances where custom
reports from the User-ID log displayed the incorrect receive date.

PAN-119343 Fixed an issue where a daemon (dnsproxy) incorrectly handled TCP requests,
which caused the daemon to stop responding.

PAN-119185 Fixed an issue where a process (panio) caused more than expected CPU
consumption.

PAN-119047 Fixed an issue where local user group names that contained upper case
characters were not converted to lower case characters prior to encoding,
which caused the firewall not to load user group names with upper case
characters.

PAN-118851 Fixed an issue where the BGP Conditional Advertisement suppress condition
was not met, which caused the Conditional Adv (Network > Virtual Routers >
<router-name> > BGP) not to apply the NEXT HOPS prefix range.

PAN-118777 Fixed an issue on a firewall in an HA active/active configuration where larger
than expected packet sizes were silently dropped when traversing through an
HA3 link in an asymmetric network.

PAN-118762 Fixed an issue where the GlobalProtect portal used an outdated jQuery library.

PAN-118436 (PA-5200 Series firewalls only) Fixed an issue where applications using the
GlobalProtect Clientless VPN did not respond when the Clientless VPN used a
VLAN interface.

PAN-118430 Fixed an issue where pushed template configurations were overridden when
you made a configuration change in the Master Key Lifetime (Device > Master
Key and Diagnostic > Edit) field.

PAN-118413 (PA-5200 Series firewalls only) Fixed an issue where the show system
logd-quota CLI command did not display the Session log storage Quotas as
expected.


PAN-118259 Fixed an issue where you were unable to generate WildFire analysis reports
in the WildFire Submissions log when you configured Proxy Server (Device >
Setup > Services > Global).

PAN-118249 Fixed an issue where traffic logs and URL Filtering logs did not display the URL
for decrypted traffic.

PAN-118207 Fixed an issue where the Security Assertion Markup Language (SAML) for
GlobalProtect did not respond as expected when you configured the IdP
certificate as None on the SAML IdP server profile.

PAN-118108 Fixed an issue where an API call against a Panorama management server,
which triggered the request analyze-shared-policy command caused
Panorama to reboot after you executed the command.

PAN-118090 Fixed an issue on Panorama M-Series and virtual appliances where User
Activity Report (Monitor > PDF Reports) did not generate reports as expected.

PAN-118050 Fixed an issue where some packets had incorrect timestamps in the transmit
stage during packet capture.

PAN-117987 Fixed an issue where the firewall did not exclude video traffic from the
GlobalProtect tunnel when you configured Exclude video traffic from the
tunnel (Windows and macOS only) (Network > GlobalProtect > Gateways >
<gateway-name> > Agent > Video Traffic).

PAN-117969 An enhancement was made to enable administrators to select signature and
digest algorithms for outgoing Security Assertion Markup Language (SAML)
messages through a CLI command.

PAN-117774 Fixed an issue where the dataplane stopped responding due to an incorrect
parsing of cookies for GlobalProtect Clientless VPN applications.

PAN-117736 Fixed an issue on a firewall in an HA active/active configuration where virtual
MAC addresses pushed from Panorama were overridden on the local firewall.

PAN-117463 Fixed an issue where the firewall did not release the default DHCP route when
a new IP address was obtained on a DHCP configured interface.

PAN-117446 Fixed an issue where GlobalProtect authentication failed when you used the
domain in the group mapping and a User Principal Name (UPN) format for
authentication.

PAN-117276 Fixed an issue on a firewall in an HA active/active configuration where the
names of the virtual routers were pushed from the active-primary firewall to
the active-secondary firewall when you synced the configuration, which caused
schema verification to stop responding when you did a local commit on the
active-secondary firewall.

PAN-117251 Fixed an issue where vsysadmins were unable to view the locks on all the
virtual systems they were assigned to. To view the locks in the CLI, run the
new show commit-locks vsys and show config-locks vsys CLI
commands.

PAN-117167 Fixed an issue where a process (configd) exceeded the memory limit and
stopped responding.

PAN-117068 Fixed an issue on Panorama M-Series and virtual appliances where memory
utilization increased more than expected when you deleted several rules with
an XML API delete command.

PAN-116889 Fixed an issue where you were unable to establish an SSH session through a
CLI command using a Diffie-Hellman (DH) algorithm.

PAN-116634 Fixed an issue where the date in the GlobalProtect HTTP header was
incorrectly set to a random date instead of a zero (0), which negatively and
falsely impacted security scorecard ratings.

PAN-116615 Fixed an issue where authentication failed for newly added groups in the
authentication profile Allow List.

PAN-116355 (PA-5200 Series firewalls only) Fixed an issue on a firewall in an HA
active/passive configuration where an HA1 heartbeat backup connection flap
occurred and displayed the following error message: ha_ping_send/No
buffer space available.

PAN-116173 (PA-7000 Series firewalls using PA-7000-20G-NPC or PA-7000-20GQ-NPC
cards only) Fixed an intermittent issue on a firewall in an HA active/passive
configuration where traffic interruptions occurred until you triggered a manual
failover.

PAN-116100 Fixed an issue where a process (mprelay) stopped responding and invoked
an out-of-memory (OOM) killer condition and displayed the following error
messages: tcam full and pan_plfm_fe_cp_arp_delete.

PAN-116061 Fixed an issue where traffic traversing through an IPSec tunnel did not use the
default maximum interface bandwidth, which caused the traffic to traverse
through the IPSec tunnel with latency.

PAN-115505 Fixed an issue where more than expected re-connection attempts to Cortex
Data Lake caused the management plane CPU to spike and caused a process
(mgmtsrvr) to stop responding.

PAN-115238 Fixed an issue where SSL renegotiation sessions incorrectly identified URL
categories.

PAN-115110 An enhancement was made to enable you to configure syslog parameters
through the CLI debug command. To view the available parameters and change
the configurations, run the debug syslogng-params settings CLI
command and perform a commit force to apply the edits.


PAN-115018 Fixed an issue where the firewall was unable to access the CPU information
and caused the CPU frequency to be set to 0, which resulted in a divide by zero
error and caused a process (devsrvr) to stop responding.

PAN-114438 Fixed an issue where the system log incorrectly reported intermittent
certificate revocation list (CRL) fetches as successful even though the fetches
were not successful.

PAN-112145 Fixed an intermittent issue where a process (useridd) incorrectly reported
successful Ops commands and did not download Dynamic Address Group
updates, which prevented virtual machines from updating Dynamic Address
Groups.

PAN-111650 Fixed an issue where a process (mgmtsrvr) stopped responding when another
process (masterd) sent a signal interruption after you upgraded from a PAN-OS
8.0 release to a PAN-OS 8.1 release.

PAN-111135 Fixed an issue where Panorama displayed incorrect device monitoring values
(Panorama > Managed Devices > Health) for the firewall.

PAN-109406 Fixed an issue where the firewall restarted when you unplugged the QSFP+
module from the High Speed Chassis Interconnect (HSCI) port.

PAN-108373 Fixed an issue where an application dependency warning incorrectly displayed
when you configured negate-source yes on a security rule to deny an
application.

PAN-108012 Fixed an issue on Panorama M-Series and virtual appliances where you could
not add and generate a certificate as expected.

PAN-107864 Fixed an issue where the Online Certificate Status Protocol (OCSP) check
stopped responding when the leaf certificate was sent twice in the OCSP
request.

PAN-106029 Fixed an issue where the firewall tried to resolve deleted FQDN address
objects after an FQDN refresh.

PAN-105866 Fixed an issue on a firewall in an HA active/active configuration where ARP
entries were removed from a floating IP address on an Ethernet interface when
you deleted another floating IP address on the same Ethernet interface.

PAN-105763 An enhancement was made to enable you to set the signing algorithm to
sha-1 or sha-256 in the Security Assertion Markup Language (SAML)
message on the firewall.

PAN-100946 Fixed an issue where VM-Series firewalls were unable to support the maximum
number of tunnel interfaces due to less than expected memory allocation.

PAN-98603 Fixed an issue on Panorama M-Series and virtual appliances where logs sent by
the Endpoint Security Manager (ESM) server were incorrectly ingested.

PAN-OS 8.1.11 Addressed Issues
Issue ID Description

WF500-5137 Fixed an issue where the show wildfire global last-device-registration
all CLI command incorrectly returned an error message: Failed, even when you
registered the firewall correctly.

PAN-126547 Fixed an issue where a process (configd) stopped responding when an XML API
call with type=config&action=get triggered during a commit.

PAN-126354 Fixed an issue where logins and commits took longer than expected when you
used XML API calls to create new address objects.

PAN-125517 An enhancement was made to improve firewall performance for stream control
transmission protocol (SCTP) flows. To enable this enhancement, run the set
sctp fast-sack yes CLI command.

PAN-125346 An enhancement was made to enable you to configure IPv6 in the web
interface and through a CLI command when you added IPv6 virtual addresses
to a firewall in a high availability (HA) active/active configuration.

PAN-125069 An enhancement was made to enable you to delete the GTP-C tunnel with all
GTP-U tunnel sessions after the firewall received a Delete Bearer Response
message where default bearer ID=5. To enable this enhancement, run the set
gtp ebi5-del-gtpc [yes/no] CLI command.

PAN-124996 Fixed an issue where a GlobalProtect™ daemon (rasmgr) stopped responding
when you connected with an overlapping IPv6 address, which caused
subsequent GlobalProtect connections to fail.

PAN-124658 Fixed an issue where the timer system call activated more frequently than
expected, which caused higher than expected CPU usage.

PAN-124299 Fixed an issue on VM-Series firewalls in an HA active/passive configuration
where the active firewall leaked packet buffers when links were disconnected
from the hypervisor.

PAN-123850 (PA-5200 and PA-7000 Series firewalls only) Fixed an issue where conflicting
GTP sessions were installed in a short interval, which caused the firewall to
queue GTP packets and deplete packet buffers.

PAN-123446 Fixed an issue where an administrator with a Superuser role could not reset
administrator credentials.

PAN-123371 Fixed an issue where the Wildfire Analysis Report incorrectly displayed the
following error message: You are not authorized to access this
page on the web interface.

PAN-123030 Fixed an issue with a memory leak associated with a process (mgmtsrvr) when
you pushed a commit.


PAN-122662 (PA-5260 firewalls only) Fixed an issue where a process (mpreplay) stopped
responding after a commit when you configured the firewall with more than
200 virtual systems (vsys) running on PAN-OS® 8.1.9.

PAN-122601 Fixed a memory leak issue with a process (configd) when you performed device
group related operations.

PAN-122550 Fixed an issue where VM-Series firewalls on Microsoft Azure experienced
traffic latency due to an incompatible driver.

PAN-121911 Fixed an issue where a process (logrcvr) restarted during commits.

PAN-121523 Fixed an issue where an API call triggered memory errors, which caused a
process (configd) to stop responding and triggered SIGABRT logs.

PAN-121447 Fixed an issue where the BGP did not remove the IPv6 default route from the
forwarding table after the route was withdrawn.

PAN-121133 Fixed an issue on Panorama M-Series and virtual appliances where a validation
job triggered a memory leak in a process (configd), which caused context
switching between Panorama and the web interface to respond slower than
expected.

PAN-121001 Fixed an issue where the firewall only reported a maximum of two logs when
you configured more than two hardware security modules (HSM).

PAN-120901 Fixed an issue on Panorama M-Series and virtual appliances where partial
commits did not apply configuration changes as expected.

PAN-120662 (PA-7000 Series firewalls using PA-7000-20G-NPC cards only) Fixed an
intermittent issue where an out-of-memory (OOM) condition caused the
dataplane or internal path monitoring to stop responding.

PAN-120361 Fixed an issue on Panorama M-Series and virtual appliances where objects
were not compressed, which caused higher than expected CPU and memory
usage.

PAN-120287 Fixed a JavaScript error due to an incorrect HTTP response, which prevented
GlobalProtect Clientless VPN applications from loading.

PAN-120151 Fixed an issue where the DNS packet parser incorrectly processed DNS
packet headers when the QD count is 0, which caused the DNS server to stop
responding.

PAN-119862 (PA-5050 firewalls only) Fixed an intermittent issue where an out-of-memory
(OOM) condition caused the dataplane or internal path monitoring to stop
responding. With this fix, session capacity is reduced by 400,000.

PAN-119765 Fixed an intermittent issue where the firewall dropped sessions that used a
large number of predict sessions.


PAN-119680 Fixed a rare issue where the show running CLI commands for policy
addresses caused file descriptor leaks.

PAN-119647 Fixed an issue where a process (mgmtsrvr) stopped responding due to an
out-of-memory (OOM) condition.

PAN-119225 Fixed an issue where an inaccurate sequence number check for an RST packet
caused the packet to drop.

PAN-119172 Fixed an issue where the firewall incorrectly enforced URL category policies
and erroneously triggered alert instead of block.

PAN-118985 Fixed an issue on Panorama M-Series and virtual appliances where a process
(configd) experienced high memory utilization and a memory leak condition,
which caused slower than expected performance.

PAN-118720 Fixed an issue on a firewall in an HA active/active configuration
where Oracle traffic SYN packets dropped intermittently with the
flow_fpp_owner_err_no_predict counter.

PAN-118583 Fixed a memory allocation issue that prevented URL filtering logs from
displaying the full URL.

PAN-118509 Fixed an issue on Panorama M-Series and virtual appliances where shared
policies were out of sync due to an empty stream control transmission protocol
(SCTP) after you upgraded the firewall from PAN-OS 8.0.16 to PAN-OS 8.1.8.

PAN-118180 Fixed an issue on firewalls configured with authentication policies where UDP
and ICMP packets matching an authentication policy did not generate traffic
logs as defined in the Security policy when sessions were redirected or denied.

PAN-118057 Fixed an issue on a firewall in an HA active/passive configuration where a
process (all_pkts) stopped responding and the dataplane restarted due to an
internal path monitoring failure and an HA failover event.

PAN-118055 Fixed an issue where administrators were unable to export Security Assertion
Markup Language (SAML) metadata files from virtual system (vsys) specific
authentication profiles.

PAN-117959 Fixed an issue where LDAP authentication failed when you configured the
authentication server with an FQDN.

PAN-117900 Fixed an issue where commits failed when you moved an object referenced in
a policy to a shared group.

PAN-117888 Fixed an issue where the firewall was unable to detect the hardware security
module (HSM), which caused the firewall to drop SSL traffic.

PAN-117738 (PA-3050 and PA-3060 firewalls only) Fixed an issue where a higher than
expected number of flow_fpga_flow_update messages occurred when
you configured QoS.


PAN-117727 Fixed an issue where job threads were deadlocked, which prevented log in
attempts and displayed the following error message: CONFIG_LOCK: write
lock TIMEDOUT for cmd.

PAN-117303 Fixed an issue where the BGP aggregate prefix, which is advertised to multiple
BGP peers, was removed from RIB OUT when you disabled one of the BGP
peers.

PAN-117120 Fixed an issue on Panorama M-Series and virtual appliances where a process
(configd) restarted due to virtual memory issues.

PAN-117086 Fixed an issue where community attributes to BGP routes had a character limit
of 31 characters, which caused expressions to take longer than expected to
process.

PAN-117026 Fixed an issue where eBGP peers connected by a VPN tunnel failed to come
up when you configured eBGP Multi Hop to 0.

PAN-116949 Fixed a memory leak issue with a process (mprelay), which caused the
dataplane to restart.

PAN-116903 Fixed an issue on Panorama M-Series and virtual appliances where you were
unable to configure Enable X-Auth Support (Network > GlobalProtect >
Gateways > Template > <Template-stack> > Agent > Tunnel Settings) at the
Template-stack level.

PAN-116772 Fixed an issue where the firewall sent empty attributes in the LDAP query
when you did not configure Alternate Username 1 - 3 (Device > User
Identification > Group Mapping Settings > <group-name> > User and Group
Attributes) in the User Attributes web interface.

PAN-116729 Fixed an issue where you were unable to deploy bootstrapped content in
offline environments due to content validity checks.

PAN-116611 Fixed an issue where an API call for correlated events did not return any
events.

PAN-116473 Fixed an issue where the firewall logged URL categories configured for Allow
in the URL filtering logs.

PAN-116384 An enhancement was made to enable firewalls, Panorama management
servers, and log collectors running a PAN-OS 8.1 release to receive new
App-ID™ signatures in the new ID signature range (7,020,001 to 7,040,000). To
enable this enhancement, you must reinstall the current content update or
install a later content update.

PAN-116334 Fixed an issue where a process (mgmtsrvr) leaked memory caused by SNMP
traps.


PAN-116286 Fixed an issue where commits failed after you upgraded from PAN-OS 8.0.16
to PAN-OS 8.1.6 due to an invalid encryption state for a host information
profile (HIP) object.

PAN-116274 Fixed an issue where the firewall was unable to authenticate when you pushed
a public key from Panorama.

PAN-116123 Fixed an issue where a process (devsrvr) stopped responding when you
performed a commit or a configuration validation when the proxy ID contained
24 or more characters.

PAN-115990 Fixed an issue where the FQDN address object (Policy > Security > <address-
object> > Value) displayed the following unrelated error: <FQDN-name> Not
used.

PAN-115959 Fixed an issue where DNS names with more than 63 characters did not resolve
FQDN address objects during an FQDN refresh.

PAN-115890 Fixed an issue where the show system info CLI command incorrectly
displayed VMware ESXi as VMWare ESXi.

PAN-115879 Fixed an issue on a firewall where a bypass switch sent heartbeat messages to
the firewall, which triggered non-stop link status change interrupts through a
Marvell switch.

PAN-115738 Fixed an issue where data logs were generated but the firewall did not forward
the logs to the syslog server.

PAN-115697 Fixed CVE-2019-17437, see PAN-SA-2019-0038 for details.

PAN-115549 Fixed an issue where predict sessions were incorrectly created with a
captive-portal zone, which caused the firewall to drop RTP traffic.

PAN-115349 Fixed an issue where an incorrect predict session was created when a
policy-based forwarding (PBF) policy was used without a NAT in the parent session,
which caused the firewall to drop RTP and RTCP packets.

PAN-115344 Fixed an issue where the Username Modifier %USERDOMAIN%\%USERINPUT%
enabled you to log in to a locked out user account.

PAN-115287 Fixed an issue where commits failed and displayed the following error
message: Commit job was not queued. All daemons are not
available.

PAN-115282 Fixed an issue where temporary download files were deleted before a
download job was completed, which caused the progress bar to remain at 0%
and prevented a timeout when downloads fail.

PAN-115281 Fixed an issue where the firewall did not resolve an external dynamic list server
address when the DNS proxy configured it as a static entry.


PAN-115108 Fixed an issue on Panorama M-Series and virtual appliances where scheduled
uploading and installation of WildFire® content meta files to WF-500
appliances failed and displayed the following error message: device not
supported.

PAN-114880 Fixed an issue where the debug management-server summary-logs
flush-options max-keys CLI command did not persist through a system
reboot.

PAN-114771 Fixed an issue on Panorama M-Series and virtual appliances where Decrypt
Mirror (Objects > Decryption > Decryption Profile > <Device Group-name>)
did not appear in the Interface drop-down menu when you tried to configure a
Decryption Profile.

PAN-114667 Fixed an issue on a firewall in an HA active/passive configuration where a
split-brain condition occurred after you upgraded from PAN-OS 8.1.3 to PAN-OS
8.1.6.

PAN-114628 Fixed an issue where Panorama was unable to query logs forwarded from the
firewall to the log collector.

PAN-114540 Fixed an issue where renaming a template stack did not change the value and
reset to the original value after you committed the change.

PAN-114456 Fixed an issue where extended packet capture (pcap) for threat logs caused a
process (mgmtsrvr) to stop responding.

PAN-114427 Fixed an issue where an empty host name in the HTTP header caused a web
server process (websrvr) to stop responding when you accessed the captive
portal redirect page.

PAN-114270 Fixed an issue where the firewall dropped TCP trace route traffic after you
upgraded to PAN-OS 8.1.5. To leverage this fix, run the set session
tcp-reject-diff-syn no CLI command.

PAN-114247 Fixed an issue where a larger than expected number of Could not find
entry for interface ethernet1/<interface>.<subinterface>
in CPS table filled the snmpd.log, which caused the log file to rotate more
frequently than expected.

PAN-113610 Fixed an issue where Panorama incorrectly deleted valid device group
directories and was unable to generate reports.

PAN-113606 Fixed an issue where the Throughput column (Panorama > Managed Devices >
Health) was incorrectly labeled.

PAN-113261 (PA-5200 Series firewalls only) Fixed an issue where the total entries for
the URL filtering allow list, block list, and custom categories was incorrectly
changed to a 100,000 entries limit.


PAN-112661 Fixed an issue where you were unable to access a firewall due to a defective
small form-factor pluggable (SFP)/SFP+ module inserted into the firewall.

PAN-112321 Fixed an issue where a daemon (sslmgr) caused an out-of-memory condition.

PAN-111850 Fixed an issue where the firewall did not capture the number of packets in
the threat packet capture (pcap) as configured in the extended packet capture
length setting.

PAN-111544 Fixed an issue on Panorama M-Series and virtual appliances configured as log
collectors where SSH did not respond after you enabled SSH on ethernet1/1.

PAN-110685 Fixed a rare issue where an incorrect User-ID™ match to the respective LDAP
group caused a security policy mismatch.

PAN-110098 Fixed an issue on a firewall in an HA active/passive configuration where you
were unable to synchronize configurations or dynamic updates between HA
pairs.

PAN-109874 Fixed a memory leak issue on a firewall during a commit, which prevented the
firewall from generating GlobalProtect client configurations.

PAN-108876 Fixed an issue where the firewall dropped Session Initiation Protocol (SIP)
registration packets, which caused SIP sessions to fail.

PAN-108488 Fixed an issue where a typo in the MIB definition file caused an error message:
ERROR: Cannot find symbol panSctpDIamAvpCode when you loaded
a PAN-TRAPS.my file.

PAN-108234 Fixed an issue on a firewall configured with a GlobalProtect gateway where
after you upgraded from a PAN-OS 7.1 release to a PAN-OS 8.0 or later
release and committed the configuration, the following error message
displayed: SSLVPN: Invalid access-routess (null) in tunnel
GPgateway-N.

PAN-107330 Fixed an issue where, when you configured the URL Filtering Profile
(Objects > URL Filtering > <filter-name> > Categories) to Shared, all custom
URL categories pushed displayed on the web interface and returned the
following error message: test -> credential-enforcement -> allow
'Blocked-Category-Exceptions' is not valid reference test
-> credential-enforcement -> allow is invalid.

PAN-107207 Fixed an issue where the VPN tunnel operational status incorrectly displayed
“up” even though the VPN tunnel is down.

PAN-106889 Fixed a rare issue on a firewall in an HA active/passive configuration running in
FIPS-CC mode where the passive firewall rebooted into maintenance mode.

PAN-106434 Fixed an issue where a process (keymgr) stopped responding due to missed
heartbeats, which caused IPSec tunnels to stop responding.


PAN-105806 Fixed an issue where the firewall did not detect duplicate Destination/Source
IP Addresses entered into the Security Policy Rule.

PAN-105437 Fixed an issue where a process (useridd) ran out of file descriptors and stopped
responding due to the rate of concurrent Security Assertion Markup Language
(SAML) requests initiated by Authentication policy rules.

PAN-104178 Fixed an issue on Panorama M-Series and virtual appliances where CLI
commands returned the following error message: Error: Timed out
while getting config lock. Please try again when a commit job
was not pending.

PAN-103500 An enhancement was made to enable the firewalls and Panorama M-Series and
virtual appliances to set the SameSite attribute to Strict and the GlobalProtect
portal to set the SameSite attribute to Lax.

PAN-102195 Fixed an issue where the firewall did not detect all threat sessions while the
App and Threat content installation was processed.

PAN-100977 (VM-Series NSX edition firewalls only) Fixed an issue where the existing logs
for dynamic address updates had insufficient information to debug the root
cause of a bug and where the dynamic address update logs were larger than
expected, which caused the file to roll over every five minutes and did not
provide a sufficient log history to debug issues.

PAN-98584 (PA-5200 Series and PA-3200 Series firewalls only) Fixed a rare issue where
invalid packets caused the firewall to stop responding as expected when you
configured the dataplane port to traverse HA3 traffic.

PAN-97784 Fixed an issue on a firewall where repeated failed validation errors were
reported for validated configurations due to a race condition.

PAN-97232 Fixed an issue on a firewall in an HA active/passive configuration where a
process (pan_comm) stopped responding when you configured an external
dynamic list, which caused commits to fail and displayed the following error
message: failed to handle CONFIG_UPDATE_START.

PAN-95230 Fixed an issue where the Security Assertion Markup Language (SAML) schema
size limit (100,000 characters) prevented the SAML Identity Provider Server
Profile Import (Device > Server Profiles > SAML Identity Provider > Import)
from importing SAML metadata.

PAN-90738 Fixed an issue where a process (configd) exceeded the virtual memory usage
limit and caused the firewall to restart. With this fix, you must run the debug
management-server system globalfind disable-db-lookup
and debug management-server system appweb-thread-count
enhance commands.

PAN-89649 Fixed an issue where Panorama did not send the preference list to managed
firewalls, which caused logs to be forwarded to the CMS instead of the log
collector.

PAN-OS 8.1.10 Addressed Issues
Issue ID Description

PAN-120548 Fixed an issue where the Captive Portal request limit was ignored when
you configured the Captive Portal authentication method to
browser-challenge.

PAN-120409 (PA-7000 Series firewalls only) Fixed an issue where firewalls running a 20G
Network Processing Card (NPC) or a 20GQ NPC dropped stream control
transmission protocol (SCTP) connections due to incorrect session handling.

PAN-119257 Fixed an issue where the firewall could not establish an IKEv2 connection with
SHA256 certificates.

PAN-119030 Fixed an issue on Panorama™ M-Series and virtual appliances where
bootstrapped managed firewalls were disconnected after you performed a
partial revert if you did not first perform a manual commit. With this fix, the
manual commit is not required.

PAN-118656 Fixed an issue where the ifAdminStatus object identifier (OID) for
dedicated high availability (HA) interfaces incorrectly displayed as up when
interfaces were not used in an HA configuration.

PAN-118423 Fixed an intermittent issue with local HA status changes where the mprelay
process failed to commit changes to the HA state.

PAN-118411 Fixed an issue where ARP entries took longer than expected to age out in a
single run.

PAN-118351 (PAN-OS 8.1.7, 8.1.8, and 8.1.9 only) Fixed an issue where log forwarding
stopped responding when you configured a second log collector to the
collector group.

PAN-117921 Fixed an issue where you were unable to create GTP inner sessions, which
caused the firewall to drop GTP-U data packets when the firewall was
deployed on S1-U and S-11 interfaces.

PAN-117916 Fixed an issue where the dataplane stopped responding when you pushed
permitted IP addresses from Panorama to managed firewalls.

PAN-117818 (PA-5200 Series firewalls only) Fixed a rare issue where an initialization delay
with a process (brdagent) caused the dataplane to stop responding.

PAN-116969 Fixed an issue where authentication failed when you configured a User
Principal Name (UPN) and included a group in the profile.

PAN-116807 (PA-7000, PA-5200, and PA-3200 Series firewalls only) Fixed an issue where
the firewall dropped ICMP error messages when the security policy was
configured to allow ICMP.


PAN-116218 Fixed an issue where the test routing bgp virtual-router default
restart peer <peer-ID> CLI command did not execute the operational
request and returned the following error message: op command for
client routed timed out as client is not available.

PAN-115856 Fixed an issue where Dynamic IP and Port (DIPP) NAT pools did not release
used ports after all sessions were removed.

PAN-115852 Fixed an issue on VM-Series firewalls on AWS where you could not change
maximum transmission unit (MTU) values from the web interface and the
following error message displayed: Malformed Request.

PAN-115812 Fixed an issue where the child session did not inherit policy-based forwarding
information when the parent session is allocated to separate dataplanes.

PAN-115748 Fixed an intermittent issue on Panorama M-Series and virtual appliances where
a memory issue caused the firewall to reboot.

PAN-115695 Fixed an intermittent issue where a large number of packets were received
before acknowledgments were complete, which depleted descriptor queue
entries and resulted in high latency during data transfers even though CPU
usage looked normal.

PAN-115354 Fixed an issue on Panorama M-Series and virtual appliances where renaming
a device group followed by a partial commit did not change the device group
hierarchy as expected.

PAN-115219 Fixed an issue on Panorama M-Series and virtual appliances where Global Find
caused the web interface to stop responding when you searched for common
English words.

PAN-115186 Fixed an issue where SaaS reports were not generated due to report
definitions not getting pushed to the log collector.

PAN-115160 Fixed an issue where a UDP packet without a payload did not trigger the
multi-factor authentication (MFA) and was not discarded based on the
authentication policy.

PAN-115012 Fixed an issue where a process (appweb) stopped responding, which caused
the web interface to stop responding.

PAN-114958 Fixed an issue where the User-ID™ (useridd) process consumed more CPU
cycles than expected when you configured User-ID redistribution.

PAN-114855 Fixed an issue where the firewall dropped syslog packets after you upgraded
to PAN-OS® 8.1.6.

PAN-114844 Fixed an issue on Panorama M-Series and virtual appliances where malformed
API calls caused the appliance to reboot.


PAN-114779 Fixed an issue where log purging took longer than expected, which prevented
the firewall from capturing traffic logs.

PAN-114695 Fixed an issue where a daemon (authd) stopped responding when you
configured a GlobalProtect™ portal and gateway with Security Assertion
Markup Language (SAML) authentication.

PAN-114567 Fixed an issue where a system query (Eventideq
globalprotectportal-config-succ) caused the management server (mgmtsrvr)
process to stop responding.

PAN-114533 Fixed an issue where traffic was blocked by safe search enforcement before
matching the intended allow rule.

PAN-114526 Fixed an issue where a larger than expected number of packets sent over a
GTP-U tunnel caused packet captures to fill the files faster than expected. With
this fix, you can run the debug dataplane packet-diag set capture
gtpu-lvl[1-30] command to ensure GTP-U traffic is captured.

PAN-114475 Fixed an issue where Panorama in FIPS mode defaulted to FIPS-CC mode
instead of Normal mode.

PAN-114395 Fixed an issue on a VM-Series firewall where a process (all_task) stopped
responding, which caused the firewall to reboot.

PAN-114264 Fixed an issue where sessions were offloaded as the application identification
was performed when you configured a custom application with Continue
scanning for other application.

PAN-114222 Fixed an issue where the firewall dropped traffic logs due to a negative log
counter reading.

PAN-114160 Fixed an issue where you were unable to download ZIP files greater than 3GB
through a GlobalProtect Clientless VPN application.

PAN-114105 Fixed an issue on a Panorama M-Series appliance where the Summary
(Panorama > Managed Devices > Summary) web interface refreshed every 10
seconds when set to manually refresh.

PAN-114090 Fixed an issue on a Panorama virtual appliance in Legacy mode and in an HA
active/passive configuration where logs were forwarded only to the active HA
peer.

PAN-114002 Fixed an issue where you were unable to import variable CSV files when
variable names contained a character space.

PAN-113930 Fixed an issue on VM-Series firewalls where CPU loads were uneven across
cores when more than 8 cores were allocated to the dataplane.

PAN-113912 Fixed an issue where a process (ikemgr) stopped responding and caused the
firewall to reboot.


PAN-113887 Fixed an issue where loading custom app tags did not complete successfully,
which prevented subsequent requests (such as commits, content installs, and
FQDN refreshes) from executing as expected.

PAN-113870 Fixed an issue where Security policies were not evaluated in sequential order
when the policy was based on URL categories.

PAN-113796 Fixed an issue where GlobalProtect configured with the pre-logon then
on-demand connect method was unable to authenticate during pre-logon when
you configured the portal and gateway with an Authentication Override and
without a certification profile.

PAN-113767 Fixed an issue where the firewall silently dropped packets when Security
profiles were attached and FPGA enabled AHO and DFA.

PAN-113501 Fixed an issue where the Panorama management server returned a Security
Copy (SCP) server connection error after you created an SCP Scheduled Config
Export profile (Panorama > Scheduled Config Export) due to the SCP server
password exceeding 15 characters in length.

PAN-113356 Fixed an issue where the web interface did not populate the Virtual System
Name column (Monitor > Manage Custom Reports > <monitor-name> > Run
Now) when you generated reports from the application statistics database.

PAN-113229 Fixed an issue on Panorama M-Series and virtual appliances in an HA
active/passive configuration where the passive HA peer displayed an out-of-sync
shared policy status when you edited the Device Group.

PAN-113185 Fixed an issue where the passive firewall in an HA active/passive configuration
was processing traffic.

PAN-113096 Fixed an issue where incorrect serial numbers were generated when you
created VM-Series firewalls on AWS and swapped the interface with the
mgmt-interface-swap=enable CLI command.

PAN-112988 Fixed an issue where a process (useridd) leaked memory, which caused the
firewall to drop traffic and display the following error message:
Out-of-memory condition detected, kill process.

PAN-112972 Fixed an issue where scheduled reports were not generated as expected when
you added groups in a query builder.

PAN-112566 Fixed an issue where the GlobalProtect Client was unable to download files
from a web interface and sessions went into DISCARD state and displayed the
following message: Packet dropped, control plane service not
allowed.

PAN-112529 Fixed an issue on a firewall in an HA active/passive configuration where the
passive firewall incorrectly received several alerts.


PAN-112467 Fixed an issue where obsolete IPv6 Neighbor Discovery (ND) entries did
not clear as expected, which caused the IPv6 table to reach full capacity and
caused new IPv6 ND entries to fail.

PAN-112308 Fixed an issue where hardware security module (HSM) accounts were locked
out after three attempts when you ran the show hsm ha-status CLI
command.

PAN-112293 Fixed an issue where the connection between the firewall and Log Collector
flapped.

PAN-112016 Fixed an issue on VM-Series firewalls where the physical port counters on the
dataplane interfaces did not increase on KVM when you disabled DPDK.

PAN-111660 Fixed an issue where an incorrect SSH key initialization caused a process
(pan_comm) to stop responding every 15 minutes when you configured an
SSH proxy on the firewall.

PAN-111380 (PA-3200, PA-5200, and PA-7000 Series firewalls with 100Gbps cards only)
Fixed an issue where the show qos interface ae1 throughput 0 CLI
command incorrectly displayed the active data stream only and QoS was not
working as expected on the first subinterface.

PAN-110990 Fixed an issue where a logical operation not configured with receive_time
in the traffic log filter did not respond as expected.

PAN-110960 Fixed an issue on Panorama M-Series and virtual appliances where commits
failed when you configured an address group object in the Include List
(Network > Zone > <zone-name> > Include List).

PAN-110839 Fixed a rare issue where a commit pushed from Panorama failed, which caused
a process (routed) to stop responding.

PAN-110304 Fixed an issue where the dataplane restarted due to a callback function, which
caused a deadlock condition.

PAN-110234 Fixed an issue where administrators with a Superuser (read-only) role were able
to initiate a commit through the CLI.

PAN-109861 Fixed an issue where BGP route attributes were processed from BGP updates,
which caused the firewall to stop responding.

PAN-109457 Fixed an issue where the firewall duplicated address objects when you
imported a configuration to Panorama.

PAN-109270 Fixed an issue on a firewall in an HA active/passive configuration where the
passive firewall processed a high rate of packets.

PAN-107786 Fixed an issue where you were unable to import variable CSV files when the
external gateway was configured with a source region of Any.

PAN-107779 Fixed an issue where WildFire® signature version information was no longer
displayed after you activated a GlobalProtect client.

PAN-106628 Fixed an issue where the firewall did not generate a system log when the
firewall detected a RAM issue.

PAN-106449 Fixed an issue where, when you connected to an internal GlobalProtect gateway
on a firewall in an HA active/passive configuration and authenticated with
multi-factor authentication (MFA) to access a resource, the first and second
authentication factors succeeded but you were not redirected to the
actual resource.

PAN-105286 Fixed an issue where the firewall did not record email header information in
Data Filtering logs when you triggered a test mail that contained a data leak
prevention (DLP) pattern.

PAN-104808 Fixed an issue where scheduled SaaS reports generated and emailed empty
PDF reports.

PAN-104454 Fixed a memory leak issue with the User-ID (useridd) process when you
enabled VM Monitoring.

PAN-103865 Fixed an issue where the firewall did not detect user credentials when the
number of users exceeded 60,000. To leverage this fix, you must upgrade
Windows agents to User-ID agent 8.1.11 or a later User-ID agent 8.1 release.

PAN-104251 Fixed an issue where the syslog server TCP keep-alive parameter caused the
connection to unexpectedly age out.

PAN-101613 (PA-800 Series firewalls only) Fixed an intermittent congestion condition
caused by paused frames on firewalls where flow control was enabled on
adjacent firewalls. To leverage this fix, run the set system setting hol-
system enable CLI command to enable head-of-line (HOL) system mode.

PAN-98974 Fixed an issue where the export function (Panorama > Managed Devices >
Summary > Manage) was not available for managed devices.

PAN-50031 Fixed an issue where the show wildfire local statistics CLI
command incorrectly returned samples pending analysis when there were no
actual samples pending.

PAN-OS 8.1.9-h4 Addressed Issues
Issue ID Description

PAN-123700 A security-related fix was made to prevent a memory corruption vulnerability
in PAN-OS® software (PAN-SA-2019-0023 / CVE-2019-1582).

PAN-123603 A security-related fix was made to prevent a memory corruption vulnerability
in PAN-OS software (PAN-SA-2019-0021 / CVE-2019-1580).

PAN-123564 Fixed CVE-2019-1581, see PAN-SA-2019-0022 for details.

PAN-123371 Fixed an issue where the WildFire Analysis Report incorrectly displayed
the following error message: You are not authorized to access
this page on the web interface.

PAN-120194 (Virtual and M-Series Panorama appliances and Log Collectors only) Fixed an
issue where closed Elasticsearch (ES) indices were continuing to receive and
re-queue logs, which resulted in high CPU usage.

PAN-118640 Fixed an issue where the GTP-U session did not match the correct policy,
which caused the IMSI and IMEI not to display in the inner session traffic and
threat logs.

PAN-117720 (GlobalProtect™ Clientless VPN environments only) Fixed an issue where a
process (all_pktproc) stopped responding and caused the firewall to restart
unexpectedly when processing GlobalProtect Clientless VPN traffic. To
leverage this fix, you must first upgrade (Devices > Dynamic Updates) to
GlobalProtect Clientless VPN content release 79 or a later release.

PAN-114642 Fixed an issue where firewall logs incorrectly included the end-user IP address
in GTP message logs when you configured PAA IE with IPv4 and IPv6 dual
stack in the Create Session Response message.

PAN-114275 Fixed an issue where the firewall dropped GTPv1 DELETE PDP response
packets that had a termination endpoint ID (TEID) value of 0.

PAN-105412 Fixed an issue where forward error correction (FEC) was disabled by default
for AOC modules, which caused QSFP ports to flap or remain in the DOWN
state. With this fix, FEC is enabled by default for AOC modules.

PAN-105091 Fixed an issue on a firewall where stateful inspection failed, which caused the
firewall to drop GTPv2-C Modify Bearer Request packets.

PAN-99447 (Virtual and M-Series Panorama appliances and Log Collectors only) Fixed an
issue where a Log Collector received logs destined for closed ES indices, which
caused indices to return failure messages and, when the issue persisted for
more than a few hours, caused Log Collectors to disconnect and reconnect
repeatedly when attempting (and failing) to process the re-queued logs.

PAN-98005 Fixed an issue where adding more than eight Log Collectors to a collector
group caused the configuration (configd) process to stop responding.

PAN-OS 8.1.9 Addressed Issues
Issue ID Description

WF500-4995 Fixed an issue on Panorama™ M-Series and WF-500 appliances where
administrators were unable to run the debug software disk-usage
aggressive-cleaning enable CLI command, which resulted in the following
error message: Server error : Failed to execute op command.

PAN-118949 Fixed an issue where, after you changed the filter configuration in the
user.src notin 'cns\proxy full profile, the firewall displayed the
following error message: Unknown user group cns\Proxy Full.

PAN-118407 Fixed an issue where an internal path monitoring failure due to a buffer leak
caused the firewall to reboot.

PAN-117729 Fixed an issue where the firewall incorrectly displayed application dependency
warnings (Policies > Security) after you initiated a commit.

PAN-117149 Fixed an issue on firewalls configured with authentication policies where
sessions matching an authentication policy did not generate traffic logs as
defined in the security policy when sessions were redirected or denied.

PAN-116851 Fixed an issue where users were unable to open an app in their browser after
they logged in to GlobalProtect™ Clientless VPN until they closed any and all
tabs associated with that app and then opened the app a second time. This
issue occurred only when an administrator configured a Source User for the
Clientless VPN Security policy rule (Policies > Security > <GP-VPN-Security-
policy-rule> > User).

PAN-116848 Fixed an issue where multiple device group administrators simultaneously
enabling configuration locks caused a race condition.

PAN-116828 Fixed an issue on Panorama M-Series and virtual appliances where the
management server and a process (configd) used higher than expected CPU
and memory when you added or deleted a larger than expected number of
Security policy rules with an XML API.

PAN-116613 Fixed an issue on a VM-Series firewall deployed in Microsoft Azure where
packets dropped silently due to a kernel error.

PAN-116579 Fixed an issue where the firewall sent truncated URLs to the Captive Portal
Redirect message when HTTPS traffic sent through a proxy server was
subjected to decryption.

PAN-116069 (PA-200 firewalls only) Fixed an issue where the report generation default
configuration caused an out-of-memory condition.

PAN-116022 Fixed an issue where the NSX Manager passed a blank string to Panorama,
which caused a null entry into the configuration and commits to fail.

PAN-115526 Fixed an issue where a dataplane process (all_pktproc) stopped responding due to
a packet buffer protection feature.

PAN-115494 Fixed an issue where the "/opt/pancfg/" partition became full due to a
configuration preview operation not responding.

PAN-115450 Fixed a rare issue where a race condition occurred between daemons during
a tunnel re-key, which caused BGP sessions to drop from Large Scale VPN
tunnels. To leverage this fix, you must run the debug rasmgr delay-nh-
update CLI command.

PAN-115415 Fixed an issue where a session created from a predict session went into
DISCARD state.

PAN-115379 Fixed an issue where you were unable to create a custom log forwarding
profile when you configured a filter with the "in" and "not in" configurations
(Objects > Log Forwarding > Add > Add > Filter > Filter Builder), which resulted
in the following error message: Invalid filter <Log Forwarding
profile name> match-list -> <match list profile-name> ->
filter is invalid.

PAN-115339 Fixed a rare issue where a commit caused the firewall to stop responding when
you enabled flow debug and configured a NAT policy.

PAN-114743 Fixed an issue on Panorama M-Series and virtual appliances where, after you
upgraded the firewall to PAN-OS® 8.1, commits failed when Panorama was
configured to manage shared gateway objects for managed firewalls.

PAN-114607 Fixed an issue where all the log collectors did not get queued when you
configured more than 32 collector groups.

PAN-114548 Fixed an issue where the firewall discarded external dynamic lists after the list
was downloaded and a server authentication attempt failure occurred.

PAN-114437 Fixed an issue on Panorama M-Series and virtual appliances where, after you
upgraded the firewall from PAN-OS 8.0.8 to PAN-OS 8.1.4, commits took
longer than expected when you configured the Device Group with large group
hierarchies.

PAN-114434 Fixed an issue where the firewall created incorrect predict sessions, which
caused flow sessions to fail for applications.

PAN-113971 (PA-7000 Series firewalls only) Fixed an issue where the High Speed Chassis
Interconnect (HSCI) link flapped after you rebooted the firewall.

PAN-113795 Fixed an issue on a firewall configured with GlobalProtect Clientless VPN
where a process (all_pkts) stopped responding, which caused the dataplane to
restart.

PAN-113775 Fixed an issue where the firewall dropped UpdatePDPContext response
packets and displayed the following GTP log event: 122113.

PAN-113631 A security-related fix was made to address a use-after-free (UAF) vulnerability
in the Linux kernel (PAN-SA-2019-0017 / CVE-2019-8912).

PAN-113619 Fixed an issue where the GlobalProtect gateway did not assign an IP address
when the local IP address was a supernet of the GlobalProtect pool.

PAN-113614 Fixed an issue with a memory leak on Panorama appliances associated with
commits that eventually caused an unexpected restart of the configuration
(configd) process.

PAN-113340 (PA-200 firewalls only) Fixed an issue where the management plane (MP)
memory was lower than expected, which caused the MP to restart.

PAN-113189 A security-related fix was made to correct log file string-conversion errors
that caused parsing issues, which caused the User-ID (useridd) process to stop
running.

PAN-113046 (PA-5200 Series firewalls only) Fixed an issue where a process (brdagent)
stopped responding, which caused the management plane to stop responding.

PAN-112674 Fixed an issue where an escape ( \ ) character was added to HTTP logs when a
log contained a comma.

PAN-112577 Fixed an issue on a VM-Series firewall in a high availability (HA) active/passive
configuration where the HA1 port flapped and caused a split-brain condition.

PAN-112446 Fixed an issue where a predefined report (blocked credential
post) generated reports using the incorrect query builder (flags has
credential-builder), which caused the report to incorrectly display logs
for alerts.

PAN-112319 Fixed an issue where a race condition caused a process (mgmtsrvr) to restart
with an error message: Connecting to management server failed.

PAN-112274 Fixed an issue on Panorama M-Series and virtual appliances where a process
(configd) stopped responding when a role-based user with privacy settings
disabled viewed a scheduled report that required data anonymization.

PAN-112167 Fixed an issue where IPv4 BGP routes were missing from the routing table and
FIB after a failover event.

PAN-111976 Fixed an issue where you were unable to generate user activity reports when
the username included the colon ( : ), ampersand ( & ), and single parenthesis
( ' ) characters.

PAN-111930 (PA-3200 Series firewall only) Fixed an issue on a firewall in an HA active/active
configuration where packets looped due to a higher than expected CPU
rate.

PAN-111708 (PA-3200 Series firewalls only) Fixed a rare software issue that caused the
dataplane to restart unexpectedly. To leverage this fix, you must run the
debug dataplane set pow no-desched yes CLI command (increases
CPU utilization).

PAN-111553 Fixed an issue on the Panorama management server where the Include Device
and Network Templates setting (Commit > Push to Devices > Edit Selections
or Commit > Commit and Push > Edit Selections) was disabled by default and
caused your push attempts to fail. With this fix, your push will Include Device
and Network Templates by default.

PAN-111540 Fixed an issue on PA-5200 Series firewalls where the dataplane stopped
responding when the session table was full.

PAN-111468 Fixed an issue where you were unable to save host information profile (HIP)
reports due to a folder permission error.

PAN-111308 Fixed an issue in Panorama where you were able to push and commit the log
forwarding configuration to firewalls that did not support it.

PAN-111286 Fixed an issue where you were unable to generate a custom report (Monitor >
Manage Custom Report > <device-name> > Report Setting).

PAN-111084 Fixed an issue where an out-of-memory condition caused all IPSec tunnels
(which includes IKEv1, IKEv2, and NAT-T) to stop responding.

PAN-110962 Fixed an issue where a process (all_pktproc) stopped responding when SSH
decryption was enabled, which caused the dataplane to restart.

PAN-110638 Fixed an issue where you were unable to establish a GlobalProtect connection
on IPv6 and displayed the following error message: Packet too big due
to the firewall MTU value set lower than normal on the
neighboring firewall.

PAN-110548 Fixed an intermittent issue where heartbeats failed on the management
plane (MP), which caused the dataplane to stop responding and displayed the
following error message: Dataplane is down: controlplane exit
failure.

PAN-110168 Fixed an issue where the firewall and Panorama web interface did not present
HSTS headers to your web browser.

PAN-109926 Fixed an issue where the firewall dropped HTTPS connections to
GlobalProtect and did not send an HTTPS redirect, which caused the web
browser to time out.

PAN-109853 Fixed an issue where a log collector settings preference list without an IPv4
address defined configured an unknown entry and caused connections
between log collectors to intermittently bounce.

PAN-109746 Fixed an issue on Panorama M-Series and virtual appliances where the Device
Group Syslog server profile template allowed a space between the IP address
and URL, which caused pushes to firewalls to fail.

PAN-109701 Fixed an issue on Panorama M-Series and virtual appliances where the Task
Manager web interface did not sort the list of firewalls by name.

PAN-109672 Fixed an issue on a VM-Series firewall in an HA active/passive configuration
where the passive firewall received buffered packets while in an idle state
when the data plane development kit (DPDK) was enabled.

PAN-109663 Fixed an intermittent issue where the firewall dropped packets when the policy
rule was set to allow during a commit or high availability (HA) sync.

PAN-109551 Fixed an issue where group-based policy match stopped responding after a
process (useridd) restarted.

PAN-109186 Fixed an issue where the dataplane stopped responding and caused a failover
event.

PAN-109024 Fixed an issue where, after you upgraded the firewall from PAN-OS 8.0 to
PAN-OS 8.1, firewalls configured with the User-ID™ agent and group mapping
incorrectly mapped users to groups.

PAN-107677 Fixed an issue on GlobalProtect where Security Assertion Markup Language
(SAML) authentication failed when you used a macOS operating system.

PAN-107143 Fixed an issue on Panorama M-Series and virtual appliances where a partial
commit to the running configuration was successful but did not get applied to
the configuration when you added a new address object to an existing address
group.

PAN-107117 Fixed an issue where device administrators were unable to manually upload
signature files (Device > Dynamic Updates) and the firewall displayed the
following error message: You need superuser privileges to do
that.

PAN-106914 Fixed an issue on a firewall in a high availability (HA) active/passive
configuration where HA1 and HA2 links stopped passing packets, which
caused a split-brain condition after an automatic configuration sync.

PAN-106543 Fixed an issue on a firewall in an HA active/active configuration where the
show vpn ipsec-sa CLI command incorrectly returned an error message:
Server error: An error occurred. See dagger.log for
information. when you ran the command on the active secondary firewall.

PAN-106141 Fixed an issue where a firewall was unable to establish an SSH session to
a private cloud if you used the M-500 appliance interface configuration
ethernet1/1 port.

PAN-106019 Fixed an issue where a process (routed) stopped responding when an
incomplete command ran in the XML API.

PAN-105737 (PAN-OS 8.1.7 & 8.1.8 only) Fixed an issue where AUX ports remained in
Down state after you upgraded to PAN-OS 8.1.7.

PAN-104909 Fixed an issue where the firewall incorrectly forwarded traffic when you
configured the ingress interface with a QoS policy and the egress interface as a
tunnel.

PAN-104515 Fixed an issue where the Panorama web interface took longer than expected
to update the Managed Collectors (Panorama > Managed Collectors) status.

PAN-104144 Fixed an intermittent issue where the management plane (MP) CPU on
Panorama and the managed firewall experienced higher than expected usage due
to the redistribution of User-ID™ and when more than one user was mapped
to a single IP address.

PAN-103847 Fixed a memory buffer allocation issue that caused the Session Initiation
Protocol (SIP) traffic NAT to stop responding.

PAN-103656 Fixed an issue on Panorama M-Series and virtual appliances where you were
unable to export threat pcaps generated from Prisma™ Access and the firewall
displayed the following error message: File not found.

PAN-101598 (Japanese language only) Fixed an issue where the Interface Mgmt (Network >
Network Profiles > Interface Mgmt) and Management Interface Settings
(Device > Setup > Interfaces > Management) web interfaces incorrectly
displayed Telnet as Temperature.

PAN-101215 Fixed an issue where you were unable to connect to a syslog server over SSL
due to a certificate validation error.

PAN-100773 (PA-7000 Series firewalls only) Fixed an issue where the Quad Small Form-
factor Pluggable (QSFP) port on a 20GQ NPC card unexpectedly entered low
power mode and did not link up.

PAN-99958 Fixed an issue where the dataplane did not receive enough keep-alive packets
as expected, which caused the Syslog server connection to age-out.

PAN-99134 Fixed an issue where temporary files generated during preview changes did
not get cleared, which caused disk space issues.

PAN-99016 A security-related fix was made to address the LazyFP state restore
vulnerability (PAN-SA-2019-0017 / CVE-2018-3665).

PAN-96827 Fixed an issue where BGP command output formats did not display
consistently across different PAN-OS releases.

PAN-96790 Fixed an issue where the FTP data connection was incorrectly matched to the
predict session for IPv6 addresses.

PAN-96707 (PA-5200 Series firewalls only) Fixed an intermittent issue where CRC errors
caused traffic issues.

PAN-96371 Fixed an issue where you were unable to connect to GlobalProtect when a
certificate did not have a common name.

PAN-95534 Fixed an issue where the firewall could not send syslogs to the syslog server.

PAN-95072 Fixed a log forwarding filter issue where the firewall incorrectly sent logs for
policies that were not configured with log forwarding to the syslog server.

PAN-94279 Fixed an issue where a commit with an authentication sequence configured
was pushed from Panorama to a firewall and caused the firewall's management
server to stop responding.

PAN-94059 Fixed an issue where the firewall did not send a complete certificate chain
when you configured the Windows User-ID Agent as a Syslog Listener.

PAN-91442 Fixed an issue where an external dynamic list with an invalid IPv6 address
range caused commits to fail.

PAN-89820 Fixed an intermittent issue where the Data Filtering (Monitor > Data Filtering)
and Threat Log (Monitor > Threat) did not display file names when you
transferred multiple files into a single session.

PAN-88987 Fixed an issue on the PA-5220 firewall with Dynamic IP and Port (DIPP) NAT
where the number of translated IP addresses could not exceed 3,000 or it
caused commits to fail.

PAN-88487 Fixed an issue where the firewall stopped enforcing policy after you manually
refreshed an External Dynamic List (EDL) that had an invalid IP address or that
resided on an unreachable web server.

PAN-OS 8.1.8-h5 Addressed Issues
Issue ID Description

PAN-119745 A security-related fix was made to address the Netflix
Linux kernel TCP SACK vulnerability (PAN-SA-2019-0013 /
CVE-2019-11477, CVE-2019-11478, CVE-2019-11479, and CVE-2019-5599).

PAN-118869 A security-related fix was made to address an issue where the php-
debug log incorrectly displayed non-sanitized data (PAN-SA-2019-0019 /
CVE-2019-1575).

PAN-107239 A security-related fix was made to address cleartext passwords and keys
that were visible in the logs for XML API calls (PAN-SA-2019-0019 /
CVE-2019-1575).

PAN-OS 8.1.8 Addressed Issues
Issue ID Description

WF500-5023 Fixed an issue on WF-500 appliances where the cluster service took longer
than expected to start due to a large number of queued sample data.

WF500-4974 Fixed an issue on WF-500 appliances where the static analysis results
displayed in the PDF report but did not display in the WildFire® analysis
summary of the web interface.

WF500-4844 Fixed an issue on WildFire appliance clusters where the passive-controller
responded with the incorrect Common Name (CN) in the certificate, which
caused the registration to fail.

WF500-4838 Fixed an intermittent issue on a WF-500 appliance where WildFire reports
took longer than expected to generate, which caused the task to automatically
time out.

WF500-4785 Fixed a rare issue on WF-500 appliances where the firewall did not respond
after you upgraded the appliance from a PAN-OS® 8.0.1 release to a PAN-OS
8.0.10 or later release. With this fix, you can run the new debug software
raid fixup auto CLI command to recover the RAID controller.

WF500-4784 Fixed an issue on a WF-500 appliance where during a reboot, the following
error message displayed: FATAL: module nbd not found.

WF500-4743 Fixed an intermittent issue on a WF-500 appliance where the CLI command
debug wildfire reset global-database fix stopped responding.

PAN-116316 Fixed an issue where RTP and RTCP predict sessions failed, which caused
RTSP based video streaming to stop processing.

PAN-116084 Fixed a file descriptor issue that caused an interface on a VM-Series firewall on
Azure to stop receiving traffic.

PAN-114984 Fixed OpenSSL vulnerability CVE-2019-1559, see PAN-SA-2019-0039 for
details.

PAN-114403 Fixed an issue on Panorama™ M-Series and virtual appliances where serial
numbers for deployed firewalls did not display in the web interface with the
exception of GlobalProtect™ cloud service firewalls.

PAN-114181 Fixed an issue where the firewall incorrectly triggered Reverse Path
Forwarding (RPF), which caused packet leaks.

PAN-113692 Fixed an intermittent issue on a firewall in a high availability (HA) active/passive
configuration where five minutes after a failover test IP routes
disappeared, which caused traffic interruptions.

PAN-113446 Fixed an issue where the firewall unintentionally generated the following
system log: Installed content package WildFire is newer
than available package, skipping, when you checked for WildFire
updates.

PAN-112815 Fixed an issue on a firewall in an HA active/passive configuration where a
process (useridd) did not respond to the alternate user attribute (Device > User
Identification > Group Mapping Settings > <group mapping-name> > User and
Group Attributes) on the passive firewall during a restart.

PAN-112814 Fixed an issue where H.323-based calls lost audio because the predicted
H.245 session was not converted to Active status, which caused the firewall to
drop the H.245 traffic.

PAN-112729 Fixed an issue on Panorama M-Series and virtual appliances where Decrypted
Sessions Info (Panorama > Managed Devices > Health > All Devices >
<device-name> > Sessions) did not display as expected for VM-Series
firewalls.

PAN-112445 Fixed an issue on a firewall in an HA active/passive configuration where a race
condition caused the firewall to stop responding after an HA1 link flap.

PAN-112194 Fixed an issue where packet buffers did not release GlobalProtect clientless
VPN packets, which caused the firewall to stop responding.

PAN-112187 Fixed an issue where a process (report_gen) ran out-of-memory, which caused
the dataplane to restart.

PAN-111897 Fixed an issue where the tags were not set on OSPFv3 routes redistributed to
BGP-3.

PAN-111844 (VM-50 and VM-50 Lite firewalls only) Fixed a rare out-of-memory (OOM)
condition.

PAN-111822 (PA-3200, PA-5200, and PA-7000 Series firewalls only) Fixed an intermittent
issue on a firewall configured with policy-based forwarding (PBF) and
symmetric return, where traffic dropped because the ARP table did not get
updated.

PAN-111679 Fixed an issue where URL filtering profiles were being incorrectly applied to
security policies during a commit.

PAN-111653 Fixed an issue on PA-7000 Series firewalls where an internal packet buffer leak
caused heartbeat failures.

PAN-111052 Fixed an issue where a firewall silently dropped TCP packets when you
enabled the Antivirus profile while the software deterministic finite automaton
(DFA) option was disabled (DFA is disabled by default).

PAN-111048 Fixed an issue where the show object dynamic address group XML
API command returned an invalid error message: You must specify a
valid Device Group.

PAN-110996 Fixed an issue where the dataplane stopped responding due to an incorrectly
calculated offset when you configured Exclude video traffic from the tunnel
(Network > GlobalProtect > Gateways > <gateway-name> > Agent > Video
Traffic).

PAN-110873 Fixed an issue where member interfaces of the aggregate interface did not
display on web interface (Panorama > Managed Devices > Health > All
Devices > <device-name> > Interfaces).

PAN-110796 Fixed an issue on PA-3200 and PA-5200 Series firewalls where an erroneous
dataplane error (power status is bad, shutting system down)
caused the firewall to shut down.

PAN-110758 Fixed an issue on Panorama M-Series and virtual appliances where you were
unable to configure the firewall to disable the portal log-in page.

PAN-110628 Fixed an issue where user groups were deleted from the Group Include List
(Device > User identification > Group Mapping Settings > <group-name> >
Group Include List) if you changed the LDAP server profile account password.

PAN-110441 (PA-5200 Series firewall only) Fixed an intermittent issue where the internal
path monitoring failed, which caused the firewall to unexpectedly restart.

PAN-110390 Fixed an issue on PA-7000 Series firewalls where invalid filters caused the
device management server to stop responding when you generated a database
(DB) report from a remote firewall.

PAN-110336 (PA-3000, PA-3200, PA-5000, PA-5200, and PA-7000 Series firewalls
only) Fixed an issue where a process (mpreplay) restarted and caused the
offload traffic to drop.

PAN-110273 Fixed an issue where you were unable to establish OSPF neighborship when
an OSPF routing protocol was configured with MD5 authentication and one of
the firewalls was restarted.

PAN-109966 Fixed an issue where the content update threshold downloaded and installed
an older content version after you manually installed a newer content version.

PAN-109954 Fixed an issue where a commit failed with an error message: cluster
is missing 'encryption' when HA Traffic Encryption (Panorama >
Managed WildFire Clusters > <appliance-name> > Communication) was not
configured and after upgrading from PAN-OS 8.0.12 to PAN-OS 8.1.4.

PAN-109944 Fixed an intermittent issue where a process (configd) restarted due to a race
condition when generating custom reports.

PAN-109837 Fixed an issue where a race condition occurred when a configuration push
and Netflow update occurred simultaneously, which caused the dataplane to
restart.

PAN-109803 Fixed an issue where credential phishing prevention did not detect user or
password phishing when passwords that contained two discontiguous
character spaces were used.

PAN-109759 Fixed an issue where the firewall did not generate a notification for the
GlobalProtect client when the firewall denied unencrypted TLS sessions due to
an authentication policy match.

PAN-109757 Fixed an issue on Panorama M-Series and virtual appliances where the
management server stopped responding when the log collector disconnected
and reconnected to Panorama.

PAN-109665 Fixed an issue where you were unable to disable the Graceful Restart
(Network > Virtual Routers > <router-name> > BGP > Advanced)
configuration.

PAN-109619 Fixed an issue where a physical or Aggregate Ethernet (AE) Layer 3
configuration edit (Network > Interfaces > <interface-name>) removed the
DHCP Client setting when it was configured in the subinterface.

PAN-109575 Fixed an issue where you were unable to configure more than one device
certificate (Device > Certificate Management > Certificates > <device
certificate-name>) with Trusted Root CA.

PAN-109344 Fixed an issue where service objects did not import into Panorama when you
configured them identically but with different names.

PAN-109101 Fixed an issue where you were unable to override IKE Gateway configurations
(Network > IKE Gateways > <template-name>) in the template stack.
However, with this fix, you still cannot override template stacks when
you configure any value with "none." Additionally, to override the Local
Identification, select Authentication in the pop-up dialogue.

PAN-108878 Fixed an issue where host traffic ICMP packets larger than 9,180 bytes
dropped when you configured a jumbo frame with a maximum MTU value of
9,216 bytes and with the DF option enabled.

PAN-108846 Fixed an issue where a higher than expected rate of tunnel resolution packets
occurred due to an internal loop, which caused a spike in dataplane CPU usage
for firewalls that support distributed tunnel ownership.

PAN-108715 Fixed an issue where the firewall did not update the dataplane DNS cache
after the management plane (MP) DNS entries expired, which caused evasion
signatures to erroneously trigger a Suspicious TLS/HTTP Evasion
Found event.

PAN-108620 Fixed an issue where Traps ESM (Monitor > Traps ESM) logs were sent to the
Log Collector but did not display in the web interface.

PAN-108459 Fixed an issue where Network Activity (ACC > Network Activity) incorrectly
displayed no session activity at random time points.

PAN-108409 Fixed an issue on a firewall in an HA active/passive configuration where
scheduled dynamic updates pushed from Panorama to the managed firewalls
failed.

PAN-108215 Fixed an issue where the test security-policy-match CLI command
ignored source-user when matching security policies.

PAN-108164 Fixed an issue where a process (tund) caused the dataplane to restart during a
commit.

PAN-107998 Fixed an issue where you could not log in to GlobalProtect and the attempt
resulted in the following error message: The client certificate is invalid.
Please contact your IT administrator.

PAN-107662 Fixed an issue on a firewall in an HA active/active configuration where
client-bound DHCPv6 packets dropped when you configured the firewall as a
DHCPv6 relay agent.

PAN-107370 Fixed an issue where IPv6 traffic throughput reduced more than expected
after you updated a static ND entry (Network > Interfaces > <interface-
name> > Advanced > ND Entries) by moving the interface to a different virtual
router.

PAN-107126 Fixed an issue where an SSL inbound session cache corruption caused a
process (all_pktproc) to stop responding.

PAN-106950 Fixed an intermittent issue where authd CPU usage was higher than expected
during RADIUS authentication.

PAN-106861 Fixed an issue where stale route entries remained in the FIB after the routes
were removed from the routing table when you used a redistribution rule
without a profile.

PAN-106783 Fixed an issue where, after a SAML authentication, an incorrect query was
sent to the web browser.

PAN-106746 Fixed an issue where VoIP traffic dropped when policy-based forwarding (PBF)
was configured as a rule.

PAN-106735 Fixed an issue where the firewall incorrectly set the FPGA, which caused the
dataplane to stop responding.

PAN-106695 Fixed an issue on a firewall in an HA active/passive configuration where the
Panorama management server enabled the administrator to clone a rule on the
passive firewall.

PAN-106433 Fixed an issue where after you configured Packet Buffer Protection on a
firewall, a process (all_pktproc) stopped responding.

PAN-106259 Fixed an issue on a firewall in an HA active/passive configuration where the
passive firewall reported a higher number of GlobalProtect user accounts than
the active firewall.

PAN-106249 (PA-200, PA-220, and PA-800 Series firewalls only) Fixed an issue where the
Block IP List option, which is not supported, displayed in the administrator role
profile (Device > Admin Role > Web UI).

PAN-106069 Fixed an issue on a firewall in an HA active/active configuration where the
iBGP peer default route did not get added to the routing table after a reboot of
either firewall.

PAN-105925 Fixed an issue where the GlobalProtect Gateway web interface did not display
the list of previous users.

PAN-105466 Fixed an issue where the Allow matching usernames without domain
(Device > User Identification > User-ID Agent Setup > Cache) configuration
did not respond without a domain when you used the PAN-OS XML API.

PAN-105397 Fixed an issue where a firewall incorrectly processed path monitoring, which
originated from a NAT firewall on the same network segment.

PAN-105252 Fixed an intermittent issue on a firewall where dataplane CPU spikes occurred,
which caused an LACP flap.

PAN-105086 Fixed an issue where the firewall incorrectly calculated the password expiry
time for admin accounts, which caused Panorama to push locked user
accounts.

PAN-104578 (PA-800 Series firewalls only) Fixed an issue on a firewall in an HA
active/passive configuration where the HA failover took longer than expected.

PAN-104568 Fixed an issue where the firewall did not send emails when you configured the
email gateway with an FQDN.

PAN-104274 Addressed an issue where in a slow network environment the firewall
displayed an error message: error on line 1 at column 1: document
is empty when you used an API call to fetch a license even when the auth
code was successfully applied. Extremely slow networks may still see this issue.

PAN-104264 Fixed an issue where the Panorama management server stopped responding
when you upgraded from PAN-OS 8.0.9 to PAN-OS 8.1.3.

PAN-104007 Fixed an issue where the WildFire signatures sent Windows Server Update
Services (WSUS) traffic when the virus identification was incorrectly enabled in
the ms-sms app definition.

PAN-103863 Fixed an issue where the IPSec tunnel restart (Network > IPSec Tunnels > IKE
Info) did not display properly on the web interface.

PAN-103844 Fixed an issue where Global Find incorrectly returned the query when more
than one user or group was listed in the security rule.

PAN-103367 Fixed an issue where Detailed Log View (Monitor > Traffic > Detailed Log
View) did not display the file blocking logs as expected.

PAN-103061 Fixed an issue where special characters contained in the comment field
of the Ethernet Interface web interface caused a process (devsrvr) to stop
responding.

PAN-102979 Fixed an issue where Dynamic Updates did not display expired threat
prevention licenses when you tried to install an application from Panorama.

PAN-102595 Fixed an intermittent issue on a firewall in an HA active/active configuration
where fragmented ICMP and UDP packets dropped from the packet
transmission.

PAN-102532 Fixed an issue where the firewall used an expired certificate, which caused
connecting to Cortex Data Lake to fail.

PAN-102327 Fixed an issue on PA-3200 Series firewalls in an HA active/passive
configuration where the copper ports of the passive firewall were active when
the passive link state was set to shutdown.

PAN-102145 Fixed an issue where the API keys did not update after you changed the
master key.

PAN-102029 Fixed an issue on a firewall where DNS resolution that was routed through
the dataplane and configured with a service route stopped responding when the
management interface was not configured.

PAN-101764 Fixed an issue where a process (slmgr) stopped responding during an auto-
commit.

PAN-101391 Fixed an issue where the scheduled nightly custom report was not generated
or emailed as expected.

PAN-101379 Fixed an issue where an invalid Captive Portal authentication policy was
successfully pushed to managed firewalls, which caused autocommits to fail.

PAN-100832 Fixed an issue where, when you performed a Commit from Panorama to bring
a firewall back to sync, the rule order displayed a random distribution instead
of reflecting the order configured in Panorama.

PAN-100742 Fixed an issue on Panorama M-Series and virtual appliances where scheduled
reports generated more than one DNS lookup, which caused inconsistent
name resolutions for DNS deployments.

PAN-100693 Fixed an issue where you were unable to process Address Group match criteria
when the match name included the double quotation ( " ) character.

PAN-99976 Fixed an issue where a process (pan_threatvault_reports) caused the elastic
search script and another process (configd) to stop responding.

PAN-99707 Fixed an issue where the command-line interface (CLI) displayed an error
message when you used a parenthesis character in a Global Protect External
Gateway name.

PAN-99640 A security-related fix was made to address a denial of service (DoS)
vulnerability in PAN-OS Linux Kernel (CVE-2017-8890).

PAN-99478 Fixed an issue where a daemon (authd) took longer than expected to fetch
group mapping, which caused commits to take longer than expected.

PAN-99354 Fixed an issue where the firewall incorrectly denied URL access when the URL
filtering profile was configured to alert.

PAN-98746 Fixed an issue where GlobalProtect clientless VPN did not get redirected to
the application URL when you used Internet Explorer as a web browser.

PAN-98386 Fixed an issue where a security rule with an "Any" destination address did not
shadow rules with IPv6 destination addresses when you performed a commit
or configuration validation.

PAN-98107 Fixed an issue on PA-7000 Series firewalls where Encapsulating Security
Payload (ESP) sequence numbers were reused when multiple proxy IDs were
in use, which caused ESP traffic to drop while you conducted an ESP sequence
check.

PAN-97953 Fixed an issue where Threats (Monitor > Reports > Threat Reports > Threats)
did not display resolved Threat IDs to Threat/Content Names for disabled
signatures as expected.

PAN-97862 Fixed an issue where an administrator with a custom configuration role could
not export custom reports and received the following error message: Error
enqueuing export job.

PAN-97700 Fixed an issue where administrators could not view the Managed Collectors
(Panorama > Managed Collectors) web interface.

PAN-97488 Fixed an issue on Panorama M-Series and virtual appliances where the commit
preview did not display as expected.

PAN-97288 Fixed an issue on GlobalProtect Clientless VPN where the URL was truncated
when you excluded the domain from the rewrite exclude domain list.

PAN-97187 Fixed an issue on VM-Series firewalls where a configuration commit failed
due to a reversed bootstrapping process where the configuration was applied
before the auth code.

PAN-96036 Fixed an issue on Panorama M-Series and virtual appliances where the Group
Include List (Device > User Identification > <group-name> > Group Include
List) search function did not respond as expected.

PAN-95644 Fixed an issue on a firewall where the web interface did not display traffic and
unified logs due to a race condition.

PAN-94475 (Panorama virtual appliances only) Improved a condition where a disk
calculation error resulted in an erroneous opt/panlogs/ partition full condition
and caused a process (CDB) to stop responding.

PAN-94161 Fixed an issue where the log collector mode did not display logs as expected
after you rebooted Panorama.

PAN-92872 Fixed an intermittent issue where the firewall sent packets incorrectly to an
outgoing interface.

PAN-92161 Fixed an issue where an internal power status reported as abnormal caused
the firewall to shut down.

PAN-92155 Fixed an issue where administrators were unable to configure an IP address
using templates for HA2 (Device > High Availability > Data Link (HA2)) after
setting the configuration to IP or Ethernet for Panorama management servers
in an HA configuration.

PAN-81778 Fixed an issue where scheduled reports did not generate as expected due to a
race condition.

PAN-79640 Fixed an issue where the firewall intermittently logged incorrect actions for
WildFire submissions and reports.

PAN-OS 8.1.7 Addressed Issues
Issue ID Description

WF500-4093 Fixed an issue on a WF-500 appliance cluster where a firewall failed to join the
cluster with a large data set of previously processed files.

PAN-113536 Fixed an issue where the automatic refresh of external dynamic lists (EDLs) did
not update the URL or Domain EDLs.

PAN-112540 Fixed an issue on a VM-Series firewall where traffic stopped processing and
resumed processing only after the firewall was restarted.

PAN-112428 (Panorama™ running PAN-OS® 8.1.6 only) Fixed an intermittent issue where
autocommits failed and Panorama stopped displaying device groups when
managing a WildFire® appliance running PAN-OS 8.1.5 or an earlier PAN-OS
8.1 release.

PAN-112305 Fixed an issue where source URLs (Objects > External Dynamic Lists >
<EDL-name> > Create List > Source URL) that contained double escape characters
caused external dynamic list entries to display incorrect values in the policies.

PAN-112098 Fixed an intermittent issue on a firewall where outbound traffic failed with
an error message: (proxy decrypt failure) when configured with
HTTP Header Insertion (Objects > Security Profiles > URL Filtering > <Filter-
name> > HTTP Header Insertion).

PAN-111866 Fixed an issue where the push scope selection on the Panorama web interface
displayed incorrectly even though the commit scope displayed as expected.
This issue occurred when one administrator made configuration changes to
separate device groups or templates that affected multiple firewalls and a
different administrator attempted to push those changes.

PAN-111817 Fixed an intermittent issue on Panorama M-Series and virtual appliances where
elastic search queries to Cortex Data Lake did not display logs.

PAN-111638 Fixed an issue where the external dynamic list did not update after a scheduled
refresh of the list.

PAN-111593 (PA-3200 Series and PA-5200 Series firewalls only) Fixed an issue where a
firewall dropped generic routing encapsulation (GRE) version 1 traffic.

PAN-110526 Fixed an issue where Captive Portal authentication required two log-
in attempts when the authentication sequence was configured as an
authentication profile.

PAN-110341 Fixed an issue where the firewall sent RIP updates more frequently than
expected.

PAN-110293 Fixed an issue where GTP-U traffic dropped when the GTP tunnel endpoint ID
(TEID) was not updated correctly during a GTP-C update.

PAN-110262 Fixed an issue on VM-Series firewalls where Dynamic Address Groups did not
display all the tags and labels for registered IPs.

PAN-109668 A security-related fix was made to limit the amount of information returned
from an API call error message.

PAN-109506 Fixed an issue where a process (useridd) stopped responding when the firewall
received excessive Security Assertion Markup Language (SAML) requests.

PAN-109336 (PA-500 and PA-800 Series firewalls only) Fixed an issue where commits failed
after you imported a device state from Panorama and the template configuration
referenced Bidirectional Forwarding Detection (BFD).

PAN-109187 Fixed an issue where an administrator with a custom configuration role could
not export reports.

PAN-109096 Fixed an issue where the firewall did not remove the 4-Byte AS Format
number when Remove Private AS was enabled.

PAN-109003 Fixed an issue on Panorama M-Series and virtual appliances where a process
(configd) stopped responding during a local commit.

PAN-108990 Fixed an intermittent issue on a firewall where configuring Force Template
Values (Network > Interfaces > Commit > Push to Devices > Templates)
deleted the zone assigned to an interface.

PAN-108642 Fixed an issue where P2MP OSPF static neighbor did not display in the run-
time neighbor table.

PAN-108542 Fixed an issue where the DHCP client interface was configured with an
incorrect subnet mask value instead of the value provided by DHCP option 1.

PAN-108374 Fixed an issue on GlobalProtect™ where you were unable to authenticate
when the domain name included the ampersand ( & ) character.

PAN-108123 Fixed an issue where applications took longer than expected to load when
accessed through a Clientless VPN.

PAN-107989 Fixed an issue where the Strict IP Address Check incorrectly triggered when
you enabled ECMP (Network > Virtual Routers > Add > Router settings >
ECMP).

PAN-107922 Fixed an issue on a VM-Series firewall where packet sizes more than 1,500
bytes caused the firewall to stop transmitting and receiving packets.

PAN-107848 Fixed an issue where commits failed after a BGP aggregate route configuration
modification.

PAN-107729 Fixed an issue on a VM-Series firewall where the PCI-PT interface did not
receive VLAN tagged traffic after a system boot up.

PAN-107659 (PA-5000 Series firewalls only) Fixed an issue where extra padding bytes
(1 to 7) were appended to the initial SYN and UDP packets, which caused the
server to stop responding.

PAN-107636 (Panorama M-Series and virtual appliances only) Fixed a rare issue where the
web interface did not display new logs as expected because Elasticsearch (ES)
stopped working when the RAID drives reached maximum capacity and the
purge script to remove old ES indices failed to execute and make room for new
indices. However, this issue also resulted in creation of new ES indices that
were empty because the appliance could not read or write to them. With this
fix, old indices are purged as expected; however, empty ES indices created
before you upgraded to this release with this fix are not removed as expected
(see known issue PAN-114041).

PAN-107607 Fixed an issue where the test security-policy-match XML API
command returned invalid XML responses.

PAN-107240 Fixed an issue where you were unable to retrieve the external dynamic list for
URLs that included the ampersand ( & ) character in the URL string.

PAN-107120 Fixed an intermittent issue on a firewall where a process (all_pktproc)
stopped responding and caused the dataplane to restart.

PAN-107006 Fixed an issue where you were unable to search for service objects by
destination port numbers.

PAN-106963 Fixed an issue where the firewall did not display the full URL information in the
URL Filtering log (Monitor > URL Filtering) after a return character ('\r').

PAN-106922 A security-related fix was made to address a denial of service (DoS)
vulnerability in PAN-OS SNMP (CVE-2018-18065 / PAN-SA-2019-0007).

PAN-106865 Fixed an issue where DNS proxy memory leaks occurred during the FQDN
refresh process.

PAN-106857 Fixed an issue where the dataplane restarted due to an internal path
monitoring failure caused by large SSL decrypted file transfer sessions.

PAN-106724 Fixed an intermittent issue on a firewall where the log receiver leaked memory
after 24 hours of runtime, which caused the firewall to stop responding.

PAN-106548 Fixed an issue where MIB attributes caused MIB compilation failures when
using a third-party compiler.

PAN-106426 Fixed an issue where GlobalProtect did not authenticate and displayed the
following error message: search failed 32.

PAN-106356 Fixed an issue where you could not log in to GlobalProtect from a mobile
device when the mobile ID contained a hyphen (-) character in the mobile ID
string.

PAN-106274 Fixed an issue on a firewall where a Layer 2 interface that contained a VLAN
sub-interface in conjunction with policy based forwarding (PBF) caused the
firewall to forward the return traffic to the incorrect web interface.

PAN-105966 A security-related fix was made to address the Linux Kernel Local Privilege
Escalation vulnerability (CVE-2018-14634 / PAN-SA-2019-0006).

PAN-105849 A security-related fix was made to address an issue with the wf_curl.log
file in WF-500 appliances (WildFire).

PAN-105792 Fixed an issue where NetFlow server profile traffic did not route over IPSec
tunnels when the service route was configured to use the dataplane interface.

PAN-105747 Fixed an issue where correlated events forwarded as email alerts displayed the
incorrect date and time.

PAN-105684 Fixed an issue on a firewall in a high availability (HA) active/passive
configuration where OSPF and BGP running on an Aggregate Ethernet (AE)
interface with LACP enabled took longer than expected to restart after a
failover.

PAN-104866 Fixed an issue on a VM-Series firewall where the dataplane interface
continuously flapped when PCI passthrough was enabled with DPDK.

PAN-104738 Fixed an intermittent issue where octet values were incorrect for random flows
in the NetFlow traffic.

PAN-104466 Fixed an issue on a VM-50 firewall where an out-of-memory event caused the
firewall to restart.

PAN-104354 Fixed an issue in an HA active/passive configuration where the passive firewall
ran a configuration out-of-sync after a restart.

PAN-104263 Fixed an issue where the real-time clock (RTC) battery voltage exceeded the
maximum threshold value.

PAN-104078 Fixed an issue where BGP conditional advertisements did not respond; the
BGP conditional advertisements did not match the suppress condition policy
even when the prefix in the non-exist filter condition matched.

PAN-103857 Fixed an issue in an HA active/passive configuration where a suspended
firewall processed traffic.

PAN-103497 Fixed an issue on PA-3200 Series firewalls where an SNMP OID (sysObjectID)
reported the incorrect model (for example, PA-2020 instead of PA-3260).

PAN-103285 Fixed an issue where an API call (show system disk details)
responded with the following error message: An error occurred. See
dagger.log for information.

PAN-103225 Fixed an issue on Panorama M-Series and virtual appliances where the Task
Manager did not display progress after you pushed a configuration to a
firewall.

PAN-103140 Fixed an issue where a newly deployed VM-Series firewall in the VMware
NSX environment did not display on the summary web interface (Panorama >
Summary) after a partial commit.

PAN-103023 Fixed an intermittent issue where a job type (content) caused a firewall
configuration failure and the firewall to stop responding.

PAN-102745 Fixed an intermittent issue on a firewall where a commit and FQDN refresh
took longer than expected.

PAN-102526 Fixed an issue on Panorama M-Series and virtual appliances where disk quota
edits failed and resulted in the following error message: quota-settings ->
disk-quota is invalid.

PAN-101527 Fixed an issue on a PA-5200 Series firewall where enhanced small form-
factor pluggable (SFP+) ports were unable to detect link-fault events on the
transmission side.

PAN-101451 Fixed an issue where SNMP queries displayed incorrect values.

PAN-101365 Fixed an intermittent issue where the session ID did not clear when the session
ID was set to 0.

PAN-101341 Fixed an issue where administrators configured with Device Group and
Template Admin type were unable to perform a global search and received the
following message: Unauthorized request.

PAN-101224 Fixed an intermittent issue on VM-Series firewalls in an AWS environment
where packets were dropped due to a longer than expected delay in
transmission.

PAN-101068 Fixed an issue where the object identifier (OID) ifAdminStatus incorrectly
displayed "up" when it was configured to be "down."

PAN-100761 A security-related fix was made to address a development configuration file
issue.

PAN-100408 Fixed an issue where the IPv6 flow label was set to 0 when decryption was
configured, which caused the firewall to drop IPv6 traffic during the SSL
handshake.

PAN-98420 Fixed an issue on Panorama M-Series and virtual appliances where TCP port
28 was accessible on management plane.

PAN-98128 Fixed an issue where SYN-ACK packets with low time-to-live (TTL) values
were sent, which caused a connection failure.

PAN-97385 An enhancement was made to enable you to monitor connections between a
firewall and Cortex Data Lake on the web interface.

PAN-96344 Fixed an issue on a firewall where TCP reset packets were sent even after you
set the vulnerability profile action to drop the packets.

PAN-96038 (PA-200 <N/A in 9.0>, PA-220, and PA-220R firewalls only) Fixed an issue
with the Ethernet driver that caused the firewall to reboot when experiencing
heavy broadcast traffic on the management interface.

PAN-95034 Fixed an issue where a firewall stopped responding when a NAT Dynamic IP
and Port (DIPP) was configured as a NAT dynamic IP fallback.

PAN-94342 Fixed an issue where the GlobalProtect Gateway host information profile (HIP)
notification operation failed to execute and returned the following message:
GP-EX-GW-21 -> hip-notification - > win-fw-is-not-enable
-> not-match-message -> message is invalid.

PAN-84670 Fixed an issue where firewalls that were not configured to decrypt HTTPS
services and applications traffic allowed users without valid authentication
timestamps to access those resources regardless of Authentication Policy
settings. To prevent such access, either configure the firewall to decrypt traffic
or run the debug device-server cp-deny-encrypted on command
and perform a force commit (this command will persist across reboots).

PAN-82421 Fixed an issue where the new connection did not get established after you
changed the IP address of a log collector.

PAN-OS 8.1.6-h2 Addressed Issues
Issue ID Description

PAN-112148 An enhancement was made to pattern-matching capabilities to accommodate
additional signatures.

PAN-OS 8.1.6 Addressed Issues
Issue ID Description

WF500-4901 Fixed an issue where files sent by Traps™ to WildFire® were referenced for
trusted signers in the incorrect database, which resulted in a malicious file
verdict and caused conflicting post detection events.

WF500-4893 (RADIUS server profile configurations only) Fixed an issue where the RADIUS
authentication protocol was incorrectly changed to CHAP authentication when
you pushed a commit from a Panorama™ appliance running a PAN-OS® 8.1
release to a WF-500 appliance running a PAN-OS 8.0 release.

WF500-4869 Fixed an issue on a WF-500 appliance where the sample analysis failed when
using FIPS-CC mode.

WF500-4815 Fixed an intermittent issue on WF-500 appliances where the Redis command
line interface (CLI) failed to execute during master node re-balancing.

WF500-4747 Fixed an issue on a WF-500 appliance where the Panorama™ management
server ran unrelated Logging Service threads.

WF500-4636 (WF-500 Appliances only) Fixed a rare issue that occurred after upgrading
from a PAN-OS 8.0 release to a PAN-OS 8.1 release where the disk partition
became full due to the amount of data on the drive and, when you tried to
delete the backup database to free up space, the debug wildfire reset
backup-database-for-old-samples CLI command failed and resulted in
the following error: Server error : Client wf_devsrvr not ready.

PAN-111305 Fixed an issue where you were unable to reference certificate profiles from the
External Dynamic Lists (Objects > External Dynamic Lists > Add > Create List)
but instead, you had to type in the certificate profile.

PAN-110448 Fixed an issue on PA-3200 Series firewalls where the dataplane took longer
than expected to respond or intermittently stopped responding after a firewall
reboot.

PAN-109594 Fixed an issue where the dataplane restarted when an IPsec rekey event
occurred and caused a tunnel process (tund) failure when one, but not both,
of the HA peers was running PAN-OS 8.0.14 or PAN-OS 8.1.5.

PAN-109124 A security-related fix was made to address an issue where you were unable to
retrieve GlobalProtect™ cloud service threat packet captures from the Logging
Service on Panorama M-Series and virtual appliances.

PAN-108785 Fixed an intermittent issue on a firewall in an HA active/passive configuration
where a ping test stopped responding on Ethernet 1/1, 1/2, and 1/4 due to
input errors on the corresponding switch port after an HA failover.

PAN-108241 Fixed an issue on a PA-3200 Series firewall where multiple dataplane
processes (all_pktproc, flow_mgmt, flow_ctrl, and pktlog_forwarding) stopped
responding when overloaded with traffic.

PAN-108165 Fixed memory issues on Palo Alto Networks hardware and virtual appliances
that caused intermittent management plane instability.

PAN-108161 Fixed an issue on an HA active/passive configuration where GTP sessions did
not properly sync to the passive firewall, which caused a failure on the passive
firewall during a failover.

PAN-107895 Fixed an issue where a PDP Delete Response packet did not match the
GTPv1-C tunnel session, which caused the generated GTP log to display incorrect
session data.

PAN-107893 Fixed an issue where a Delete PDP Context Response (Monitor > Logs > GTP)
did not correlate with a Delete PDP Context Request and appeared as a new
session.

PAN-107790 Fixed an issue where Application incorrectly displayed as unknown-udp
instead of gtp-c for the GTPv1-C tunnel management message GTP Event
Type.

PAN-107734 Fixed an intermittent issue where IPSec Tunnels failed due to a race condition
between the (pan_task) process and (tund) process.

PAN-107694 Fixed an issue on Panorama M-Series and virtual appliances where, after you
selected Allow with Ticket (Networks > GlobalProtect > Portals >
<Portal-Name> > App), Generate Ticket did not display on the web interface.

PAN-107290 Fixed an issue where a single API call failed to locate a Device Group node and
create a device node for the Device Group when necessary.

PAN-107262 A security-related fix was made to prevent cross-site scripting (XSS) attacks
through the PAN-OS Management Web Interface (CVE-2019-1566).

PAN-106947 Fixed an intermittent issue where a large number of out-of-order TCP packets
caused packet buffer depletion.

PAN-106776 A security-related fix was made to prevent a cross-site scripting (XSS)
vulnerability in PAN-OS External Dynamic Lists (CVE-2019-1565).

PAN-106759 Fixed an issue in an HA active/passive configuration where a process (configd)
restarted due to a memory error.

PAN-106253 Fixed an issue where the GTP Message Type Modify Bearer Response and
GTP Event Code 124223 were denied due to failed stateful inspections.

PAN-106251 Fixed an issue where the list of Panorama Managed Devices did not display
(Panorama > Device > Deployment > Licenses).

PAN-105928 Fixed an issue on a firewall where server side data packets dropped after a
terminated challenge ACK session was reused.

PAN-105759 Fixed an issue on PA-3200 Series and PA-5200 Series firewalls in an HA
active/active configuration where the SNMP notification did not report the HA
interfaces.

PAN-105570 (PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only) Fixed
an issue where the QoS profile rule did not match non-offloaded traffic as
expected.

PAN-105567 Fixed an intermittent issue on Panorama M-Series and virtual appliances where
a cloned security or NAT policy used the incorrect Rule order.

PAN-105348 Fixed an issue on Panorama M-Series and virtual appliances where Dynamic
Updates (Device > Dynamic Updates) did not allow local overrides on an
existing template.

PAN-105281 (PAN-OS 8.1.6 and later) Fixed an issue where a SAML-based GlobalProtect
re-authentication portal displayed an authentication error after you had
previously logged in.

PAN-105157 Fixed an intermittent issue on Panorama M-Series and virtual appliances where
logs did not display due to a file descriptor limit on the process (Elasticsearch).

PAN-105103 Fixed an intermittent issue where GTP logs did not display because GTP packets
with an APN > 14 bytes caused the traffic log to reach the limit and stop
generating logs.

PAN-105012 Fixed an issue on Panorama M-Series and virtual appliances where a log
migration from an old-disk pair to a new-disk pair failed with the following
error message: Error restoring disks from RMAed device, which
caused the (configd) process to fail.

PAN-104463 Fixed an intermittent issue where the DNS resolution stopped responding
when the firewall acted as a DNS proxy and the DNS request volume was
higher than expected.

PAN-104361 Fixed an issue on a firewall in an HA active/passive configuration where a
process (all_task) failed due to a (bad_gtp_header) code on the passive
firewall after upgrading from PAN-OS 8.0.12.

PAN-104300 Fixed an issue on a firewall where a process (mprelay) stopped responding
while the (> debug dataplane internal pdt) command was processed.

PAN-104165 Fixed an issue where a VM-Series firewall configured to use the i40e single-root
input/output virtualization (SR-IOV) virtual function (VF) with VLAN tagging
dropped Ethernet frames exceeding 1496 bytes.

PAN-104077 Fixed an intermittent issue where User-ID™ stopped responding, which caused
the user IP mapping to not display.

PAN-104042 Fixed an issue where directly connected IPv4 routes did not display in the
routing table after the firewall was restarted.

PAN-104041 Fixed an issue where the web interface management session failed to time out
as expected when you set the Idle Timeout (Device > Setup > Management >
Authentication Settings > Edit) to more than five minutes.

PAN-103665 Fixed an issue on an HA active/active configuration where the active primary
LLDP profile could not be copied to the active secondary firewall.

PAN-103224 Fixed an issue on a VM-Series firewall where the initialization buffer caused
the firewall to stop responding when five or more interfaces were active.

PAN-102954 A security-related fix was made to address a code parameter in the clientless
VPN portal.

PAN-102625 Fixed an issue on a firewall where traffic stopped passing due to higher than
normal duplicate TCP ACK packets sent from the client side, which caused a
spike in packet buffers and packet descriptor usage.

PAN-102338 Fixed an issue where you were unable to configure Maximum Egress
(Network > QoS) to 10000 Mbps on a 10000 Mbps port.

PAN-101990 Fixed an issue on Panorama M-Series and virtual appliances in an HA active/passive
configuration where you were unable to edit the template variables
(Panorama > Summary).

PAN-101973 Fixed an issue where you were unable to configure IPv6 variables (Network >
Virtual Routers > Add > Static > Routes > IPv6).

PAN-101882 Fixed an issue on Panorama M-Series and virtual appliances where a partial
Commit and Push for one or more administrators incorrectly set the Push
scope to all relevant firewalls as if a full Commit and Push was performed.

PAN-101851 Fixed an intermittent issue on PAN-OS 8.1.3 and later releases, where
downloading files from email services was allowed when the file blocking
profile was configured to block email service file downloads.

PAN-101800 Fixed an issue where the parent session stopped responding during a file
transfer using a decryption enabled FTP server with the following error
message: Lost connection.

PAN-101692 Fixed an issue where the (show session all filter nat-rule)
command did not respond with destination NAT rules.

PAN-101684 Fixed an issue on Panorama M-Series and virtual appliances where adding a
threat exception for a child Device Group caused existing rules to be removed
from the Global Device Group.

PAN-101614 Fixed an issue on a firewall where SSL/TLS Service Profile (Device > SSL/TLS
Service Profile) values failed to change after an override.

PAN-101607 Fixed an issue where template administrators with the required permission
made configuration changes on shared objects and the Commit failed with the
following error message: No pending change to commit.

PAN-101401 Fixed an issue where a DNS App-ID™ security policy allowed non-DNS traffic
to flow through.

PAN-101202 Fixed an issue on a firewall where the TFC padding parameter was set to null
when negotiating with a peer device capable of TFC padding during IKEv2
negotiations.

PAN-101185 Fixed an issue on Panorama M-Series and virtual appliances where the Decrypt
Mirror (Network > Interfaces > Ethernet > Interface Type) template setting did
not Push to a firewall.

PAN-101031 Fixed an issue where you were unable to select existing certificates after you
created an IKE gateway on a template stack and changed Authentication to
Certificate.

PAN-101029 Fixed an issue where routing traffic dropped due to increased activity in the
global counter (flow_fpga_rcv_egr_L3_NH_NF) when an interface was
moved from one virtual router to another.

PAN-100962 Fixed an issue on Panorama M-Series and virtual appliances where the disk
quota configuration exceeded a combined total of 100 percent when a Push
was performed from Panorama due to value discrepancies between Panorama
and the firewall.

PAN-100717 Fixed an issue where the (configd) process depleted memory when you deleted
multiple security rules with an XML API call.

PAN-100623 Fixed an issue on a firewall in an HA active/passive configuration where a
higher than normal rate of HA session update messages caused higher than
normal CPU usage on both active and passive nodes.

PAN-100381 Fixed an issue on a firewall in an HA configuration where a path monitoring
variable was not available for Destination IP (Device > High Availability > Link
and Path Monitoring > Add Virtual Router Path).

PAN-100173 Fixed an issue where H.323 based calls had audio issues due to the predicted
RTP session not following the policy-based forwarding (PBF) rules that send
traffic from the client to servers, which caused RTP traffic to be forwarded
incorrectly by route.

PAN-99924 Fixed an issue where the Panorama management server web and CLI stopped
responding after a partial configuration load (Panorama > Setup > Operations).

PAN-99764 Fixed an issue on VM-Series firewalls where CPU calculations for additional
vCPUs in the dataplane did not display correctly.

PAN-99742 Fixed an issue on a PA-500 Series firewall where SSL Forward Proxy was
denied due to insufficient shared memory.

PAN-99621 Fixed an issue on a firewall where Captive Portal sessions matched incorrect
policies and were incorrectly logged in the traffic log.

PAN-99504 Fixed an issue on a firewall where Group Mapping (Device > User
Identification > Group Mapping Settings) did not display the list of LDAP
server profile users when a Domino server with an empty distinguished name
(DN) was used.

PAN-99079 Fixed an issue on Panorama M-Series and virtual appliances where, when Logging
Service was enabled, traffic log filters with a variable length subnet mask did
not display any logs.

PAN-99058 Fixed an issue where threat log messages (SCAN: UDP Port Scan) appeared
when the UDP port scan traffic rate was less than the Reconnaissance
Protection UDP port scan threshold.

PAN-99002 Fixed a rare issue where XML files with random file sizes failed to upload
through API calls.

PAN-99000 Fixed an issue where the packet capture option did not display (Monitor >
Traffic) when administrators switched context from Panorama to a managed
firewall.

PAN-98861 Fixed an issue where shadowed rule warnings did not display during commits.

PAN-98811 Fixed an issue on Panorama M-Series and virtual appliances where Group
Mapping Settings (Object > Security Profile > URL Filtering > User Credential
Detection) did not display profile names.

PAN-98786 Fixed an issue where websites were not accessible when you configured a
decryption policy Action to No Decrypt and enabled Block sessions with
expired certificates.

PAN-98625 Fixed an issue where the Threat Category (Monitor > Threat) did not display as
expected on Panorama M-Series and virtual appliances when it received logs
from PA-200, PA-220, PA-500, and PA-800 Series firewalls.

PAN-97898 Fixed a rare issue where the traffic log did not generate data due to a negative
log counter reading.

PAN-97743 Fixed an issue where the firewall did not recognize the small form-factor
pluggable (SFP) port, which caused the dataplane to restart when the path
monitor process stopped responding.

To ensure a successful upgrade to PAN-OS 8.1.6 for this fix,
re-seat all connected SFP transceivers and then follow the
upgrade path described in the PAN-OS 8.1 upgrade procedure
(PAN-OS 8.1 New Features Guide).

PAN-97672 Fixed an issue where polled SNMP object identifiers (OID) stopped responding
after the firewall was restarted.

PAN-97670 Fixed an issue on a VM-Series firewall in an HA active/passive configuration
where after a reboot, the passive firewall sent ARP packets during the
initialization state, which caused a traffic conflict with the active firewall.

PAN-97496 Fixed an issue on a firewall where the (show running resource-monitor
ingress-backlogs) CLI command displayed invalid session IDs.

PAN-97298 (PAN-OS 8.1.1 and later releases only) Fixed an issue where Address Groups
(Objects > Address Groups) search results were cleared from the web interface
when you switched between tabs.

PAN-97223 Fixed an issue where an administrator with superuser access was unable to
remove a configuration lock from a logged out administrator whose username
contained a backslash (" \ ").

PAN-97139 Fixed an issue where the GlobalProtect Data File (Device > Dynamic
Updates > GlobalProtect data File) version did not update after a PAN-OS 8.1
upgrade.

PAN-95975 Fixed an issue on a firewall in an HA active/passive configuration where the
scheduled antivirus content update failed due to a process (mgmtsrvr) failure.

PAN-95121 Fixed an issue where applications got disabled after you enabled them during
the install or revert of application and threat signatures.

PAN-93112 Fixed an issue on a PA-5200 Series firewall where small form-factor pluggable
(SFP) ports only linked in auto negotiation mode.

PAN-91059 Fixed an issue where GTP log query filters did not work when you filtered
based on a value of unknown for the message type or GTP interface fields
(Monitor > Logs > GTP).

PAN-90096 Fixed an issue where Threat logs recorded incorrect IMSI values for GTP
packets when you enabled Packet Capture in Vulnerability Protection
profiles (Objects > Security Profiles > Vulnerability Protection >
<vulnerability_protection_profile> > Rules).

PAN-88461 Fixed an issue on PA-3050 and PA-3060 firewalls in an HA active/passive
configuration with link state pass-through enabled in virtual wire (vwire) where
the Aggregate Ethernet (AE) interface communication failed during an HA
failover event.

PAN-84292 Fixed an issue on a firewall where the (show system state browser)
command window displayed live traffic values that toggled between zero and other
incorrect values.

PAN-OS 8.1.5 Addressed Issues
Issue ID Description

WF500-4811 Fixed an issue where WF-500 appliances displayed the wrong WildFire®
content version (show system info) after a WildFire content update.

PAN-108805 Fixed an intermittent issue on PA-3200 Series firewalls where a process
(all_pktproc_11) failed, which caused an out of memory condition and the
dataplane to restart.

PAN-107791 Fixed an issue where after upgrading from PAN-OS® 8.1.3 to 8.1.4 the CLI
two-factor administrator authentication failed.

PAN-107449 Fixed an issue where firewalls failed to establish IKE phase 1 or phase 2 when
you specified Diffie-Hellman (DH) group1.

PAN-107365 Fixed an issue on Panorama™ M-Series and virtual appliances where after you
make a change to a template and attempt to push to a target device, the device
does not appear in the Push Scope Selection list (Commit > Push to Devices >
Edit Selections > Device Groups).

PAN-107005 Fixed an issue on PA-3200 Series firewalls where packets dropped when a
VSS-Monitoring Ethernet trailer was being appended by an external device.

PAN-106936 Fixed an issue where PA-800 Series firewalls intermittently restarted due to a
kernel error.

PAN-106829 Fixed an issue on a PA-3200 Series firewall where the dataplane failed due to
an internal path monitoring failure.

PAN-106502 Fixed an issue where hardware packet buffers gradually depleted when LLDP
packets created locally were sent to a down interface within an Aggregate
Ethernet (AE) interface.

PAN-106231 Fixed an intermittent issue where newly created IPSec Tunnels (Network >
IPSec Tunnels > Add) did not activate.

PAN-106016 Fixed an issue on PA-800 Series firewalls where a kernel memory spike caused
the firewall to restart.

PAN-105926 Fixed an intermittent issue on Panorama M-Series and virtual appliances where
an address object referenced in the address group was allowed to be deleted
without a reference error which caused commits to fail.

PAN-105921 Fixed an issue with Panorama where administrators were unable to use the
web interface to acquire a commit or configuration lock for device groups.

PAN-105842 Fixed an issue on Panorama M-Series and virtual appliances where the
Dynamic Address Group lists did not display and displayed the following error
message: Command failed with no output.

PAN-105695 Fixed an intermittent issue where the dataplane restarted while processing
SMTP traffic.

PAN-104876 Fixed an issue on Panorama managed devices where the green Template
Values Exist indicator incorrectly displayed after you closed any interface
settings (Device > Setup > Interfaces) even when you did not make any
changes.

PAN-104771 Fixed an issue where the HTTP header insertion entries caused the dataplane
to restart.

PAN-104764 Fixed an issue on Panorama management server when using Microsoft Azure
or Amazon AWS where the management interface settings (Device > Setup >
Interface > Management) were disabled.

PAN-104668 Fixed an issue where a GTP PDP update did not update the GTP-U session
which caused subsequent GTP traffic to drop.

PAN-104524 Fixed an issue where the firewall logged data in the packet-diag log for IP
addresses that you did not specify in the packet-capture filters when you
enabled the tunnel:flow log feature.

PAN-104406 Fixed an intermittent issue where the replace device CLI command caused
the configuration lock to stop responding.

PAN-104163 Fixed an issue where the show config audit base-version command
continuously increased the number of file descriptors and caused the
management server (mgmtsrvr) to exit and restart.

PAN-104073 Fixed an issue where the replace device old <serial number> new
<serial number> command caused the configuration process (configd) to
stop responding.

PAN-103820 Fixed an issue where the template stack retained the dynamic update schedule
information after you removed it.

PAN-103383 Fixed an issue where a firewall blocked SMTP traffic when processing ZIP files
due to too many packet-process loops.

PAN-103346 Fixed an issue where the LDAP Service Route Configuration (Device > Setup >
Services > Service Route Configuration) did not respond when Customize was
selected and non-management interfaces were enabled.

PAN-103248 Fixed an issue where the process (routed) infinitely looped due to a corrupt
internal OSPF database (DB) which caused OSPF adjacencies to be dropped.

PAN-103132 A security-related fix was made to address the FragmentSmack vulnerability
(CVE-2018-5391 / PAN-SA-2018-0012).

PAN-102975 Fixed an issue where SSL enabled applications accessed through a
GlobalProtect™ Clientless VPN caused buffer leaks.

PAN-102743 (PA-5250, PA-5260, “PA-5280-8.1-only”, PA-5000 Series, and PA-7000 Series
firewalls only) Fixed an intermittent issue where GlobalProtect SSL sessions
that were enforcing client certificate authentication failed to resume and
caused an authentication failure.

PAN-102337 Fixed an issue on Panorama virtual appliances in a high availability (HA)
configuration where the elastic search script failed to identify the master node
due to case sensitivity in the serial number that caused log-replication failures
when you enabled log redundancy.

PAN-101981 Fixed an issue where installing path monitoring for static route on a satellite in
a Large Scale VPN (LSVPN) infrastructure failed.

PAN-101819 Fixed an issue where the Panorama Controller did not display all
commit-all jobs for Panorama Nodes (Panorama > Interconnect > Tasks) and the
Panorama Controller did not push those missing jobs during a Push to Devices
action when the associated Panorama Node was running a PAN-OS 8.1
release.

PAN-101604 Fixed an issue where the firewall did not correctly process OSPF link-state
updates which caused the firewall to send incorrect updates externally, which
resulted in ARP broadcasts that contained incorrect source MAC and source IP
addresses.

PAN-101585 (The following PA-7000 Series NPCs only: PA-7000-20G-NPC,
PA-7000-20GQ-NPC, PA-7000-20GXM-NPC, PA-7000-20GQXM-NPC) Fixed
an issue where an egress buffer overflow that impacted internal packet path
monitoring caused a high availability (HA) failover. Additionally, enhancements
were made to flow control communication between the traffic manager and
flow engine components to improve system stability during periods of heavy
traffic.

PAN-101525 Fixed an issue where the EDL and FQDN address objects in the security and
NAT policies displayed 0.0.0.0, which caused traffic to fail to match the policy.

PAN-101492 Fixed an issue on Panorama M-Series and virtual appliances where after you
configured the Authentication fields (Panorama > Authentication Profile >
Add > Authentication) for the GlobalProtect gateway template stack, the
saved configuration did not get applied.

PAN-101425 Fixed an issue where after a redistribution profile was added, the OSPF
configured with an authentication profile flapped.

PAN-101378 Fixed an issue with firewalls in a high availability (HA) active/passive
configuration where the firewall processed traffic in a suspended state.

PAN-101368 Fixed an issue where SNMP polling displayed incorrect values, which caused
authentication failures each time you restarted the firewall.

PAN-101328 Fixed an intermittent issue where SSL decryption caused Content-ID™ to block
files received over SMTP.

PAN-101124 Fixed an issue where User Principal Names (UPN) which begin with the
"at" ( @ ) character caused User-ID™ to fail.

PAN-100862 Fixed an intermittent issue where a commit error occurred when an Aggregate
Ethernet (AE) sub-interface was configured as the destination interface in a
QoS policy rule.

PAN-100719 Fixed an issue where Dynamic Updates pushed from Panorama to the Firewall
displayed an incorrect None scheduled value.

PAN-100613 Fixed an issue on a PA-5200 Series firewall in a high availability (HA) active/
active configuration with a virtual wire (vwire) subinterface where session
setup packets sent to peer firewalls were sent back as HA2/HA3 race
conditions, which caused an increase in packet descriptors and traffic to stop
responding.

PAN-100538 Fixed an issue where exporting a device state (Device > Setup > Operations)
from Panorama failed to import to the firewall.

PAN-100448 Fixed an issue where a scheduled external dynamic list refresh displayed
incorrect update values.

PAN-100447 (VM-Series firewalls in a high availability (HA) configuration only) Fixed an
issue when the management interface used DHCP Client-IP assignment where
the automatic commits failed after multiple PAN-OS upgrade and downgrade
cycles.

PAN-100443 Fixed an issue on Panorama M-Series and virtual appliances in a high
availability (HA) active/passive configuration where the passive firewall failed
to connect to a newly deployed firewall with the following error message:
vm-cfg: failed to process registration from svm device.
vm-state: active.

PAN-100395 Fixed an intermittent issue on a firewall where Dead Peer Detection
(DPD) (Network > IKE Gateways > Add) was enabled and failed during IKE
negotiations.

PAN-100256 Fixed an issue on a firewall where, when a Device Group was selected, the App
Scope Network Monitor report (Monitor > App Scope > Network Monitor)
failed to display data.

PAN-100244 Fixed an issue where a failed commit or commit validation followed by a
non-user-committed event (such as an FQDN refresh, an external dynamic
list refresh, or an antivirus update) resulted in an unexpected change to the
configuration that caused the firewall to drop traffic.

PAN-100238 Fixed an issue where obsolete IPv6 host entries were not purged and remained
in a REACHABLE state, which caused new entries to fail.

PAN-100228 Fixed an intermittent issue on a PA-7000 Series firewall where auto-commits
prematurely executed before all Network Processing Cards (NPCs) were
detected and ready.

PAN-100144 Fixed an issue on PA-7000 Series firewalls in a high availability (HA) active/
active configuration where after an HA failover event the IP address rule list
continuously duplicated entries and resulted in slow response times from
the firewall and, eventually, caused the Network Processing Cards (NPCs) to
restart.

PAN-100049 Fixed an issue on Panorama M-Series and virtual appliances where Push Scope
Selection (Commit > Push to Devices) selected firewalls not in the hierarchy of
the firewall you selected.

PAN-99966 Fixed an issue where Commit and Push (Commit > Commit and Push) failed
and displayed the following validation error: log-settings profiles
match-list send-email is not a valid reference when you
attempted to import a firewall configuration to Panorama.

PAN-99965 Fixed an issue where SNMP Object identifier queries for
hrStorageAllocationUnits returned negative values.

PAN-99861 Fixed an issue where SaaS application usage reports were empty when you
used special characters in naming zones.

PAN-99860 Fixed an issue on a PA-7000 Series firewall where the Network Processing
Card (NPC) rebooted due to a memory allocation issue.

PAN-99643 Fixed an issue where a change in user-mapping information prevented the host
information profile (HIP) from updating.

PAN-99582 Fixed an issue where a firewall in a high availability (HA) active/passive
configuration did not send the Bidirectional Forwarding Detection (BFD)
administrator down status after a manual failover.

PAN-99525 Fixed an issue where the destination NAT (DNAT) using a dynamic IP address
caused the dataplane to fail.

PAN-99483 Fixed an issue on PA-5200 Series and PA-3200 Series firewalls where after the
first session, subsequent Point-to-Point Tunneling Protocol (PPTP) sessions
using Generic Routing Encapsulation (GRE) over DIPP NAT failed.

PAN-99211 Fixed an issue in a high availability (HA) active/passive configuration where the
hardware offload feature attempted to reinstall IPSec sessions for individual
packets, which caused additional dataplane CPU loads on both the active and
passive firewalls.

PAN-99204 Fixed an issue on Panorama M-Series and virtual appliances where a qualifier
configured for a custom application signature displayed the following error
message: Unauthorized request.

PAN-99161 Fixed an issue where the Captive Portal configured with RADIUS
authentication failed when a username contained the "at" ( @ ) character.

PAN-99085 Fixed an issue where firewalls did not purge files automatically as expected,
which caused WildFire updates to fail.

PAN-98978 Fixed an intermittent issue on Panorama M-Series and virtual appliances where
GlobalProtect Gateway Configuration (Network > GlobalProtect > Gateways >
Authentication) responded with the following message: Malformed
Request.

PAN-98683 Fixed an issue where the firewall dropped IPv6 ping packets, which caused
high availability (HA) path monitoring to fail.

PAN-98475 Fixed an issue on a firewall configured with RADIUS where the default timeout
setting failed after an administrator entered credentials through the web
interface.

PAN-98375 Fixed an issue where, when you configured service objects (Objects > Services), a
process (all_pktproc) failed and caused the dataplane to restart.

PAN-98332 Fixed an issue where the firewall incorrectly forwarded packets to upstream
devices when it had no ARP entry for the destination IP address, which
resulted in traffic outages caused by source MAC addresses that did not get
updated as expected.

PAN-98263 Fixed an issue on a PA-5000 Series firewall where SNMP values for received
and transmitted bytes for Aggregate Ethernet (AE) subinterfaces returned
incorrect values.

PAN-98249 Fixed an issue where General Information (Dashboard) did not display the date
information for Application Version, Threat Version, and Antivirus Version line
items.

PAN-98115 Fixed an issue on Panorama M-Series and virtual appliances in a high
availability (HA) active/passive configuration where after you delete a plugin
from both firewalls the configuration synchronization failed.

PAN-98110 (PAN-OS 8.0.8 and later releases only) Fixed an issue where administrator
setting did not change when appropriate after you imported a configuration.

PAN-97928 Fixed an issue where you could not set the Captive Portal session timeout
(Device > Setup > Session) to 60 seconds or longer without causing a browser
redirect.

PAN-97879 Fixed an issue on Panorama management server in a high availability
(HA) active/passive configuration where a Commit (Commit > Commit to
Panorama) caused the firewalls to restart.

PAN-97853 Fixed an issue on Panorama M-Series and virtual appliances where enabling the
characteristic Data Breaches (Objects > Application Filters) caused all
Device Groups entries not to display.

PAN-97698 Fixed an issue where the firewall took longer than expected to update a URL
category.

PAN-97495 Fixed an issue on a PA-5000 Series firewall in a QoS configuration where the
setting did not re-apply after the dataplane restarted.

PAN-97199 A security-related fix was made to the way the Linux kernel handles exceptions
associated with MOV to SS and POP to SS instructions (CVE-2018-8897).

PAN-96877 Fixed an issue where license keys with special characters caused rebooting to
fail.

PAN-96696 A security-related fix was made to prevent modification of attributes in a
SAML Response packet.

PAN-96548 Fixed an issue where the command delete report custom scope
shared report-name <report name> file-name did not delete the
files in the directory and displayed the following error message: Server
error : unable to remove directory for <report-name>.

PAN-96522 Fixed an intermittent issue where the firewall did not rotate error logs
correctly, which caused disk space issues.

PAN-96462 Fixed an intermittent issue where a null pointer exception caused the
configuration (configd) process to stop responding.

PAN-96440 Fixed an issue where the static route was not reinstalled if you modified the
path-monitoring hold time while the timer was active.

PAN-96391 Fixed an issue on Panorama M-Series and virtual appliances where one
template is selected to display a list of templates displayed.

PAN-96299 Fixed an issue on VM-Series firewalls where the bootstrap in GCP failed when
a software image was provided, which caused GCP to time out before media
availability was provided.

PAN-96283 Fixed an issue where administrators with predefined roles and permission to
save configuration changes were not able to save their changes.

PAN-95935 Fixed an intermittent issue on a PA-7000 Series firewall where the
GlobalProtect LSVPN tunnel monitoring failed during re-key, which caused
satellites to disconnect.

PAN-95819 Fixed an issue where a firewall did not apply the configured NAT policy during
a predicted RTSP session.

PAN-95613 Fixed an issue where Commits failed when custom role-based administrators
made changes to Managed Collectors (Panorama).

PAN-95454 Fixed an intermittent issue on a VM-Series firewall in a VMware NSX
environment where the firewall stopped passing traffic.

PAN-95131 Fixed an issue where administrators with Device Group and Template access
were not able to modify the QoS interface (Network > QoS).

PAN-95024 Fixed an issue on Panorama M-Series and virtual appliances where, after firewalls
were redeployed to an NSX environment, the Device State (Panorama > Managed
Devices > Summary) displayed a Deactivated status because the firewalls
were deployed with previously assigned authorization codes.

A firewall gets the same serial number after it is redeployed in an NSX
environment, so Panorama still considers the newly deployed firewall
deactivated because its serial number was used in the past.

PAN-94532 Fixed an issue where a memory leak caused an out-of-memory (OOM) error.

PAN-93456 Fixed an intermittent issue where VPN tunnels terminated due to IKE manager
failures.

PAN-92694 Fixed an intermittent issue where the threat log displayed unrelated URLs in
the file name column.

PAN-87152 Fixed an issue where the show running ippool command stopped
responding due to a conflict with packet processing and caused the Aggregate
Ethernet (AE) interface to flap.

PAN-86426 A security-related fix was made to SAML authentication.

PAN-OS 8.1.4-h2 Addressed Issues
Issue ID Description

PAN-107271 Fixed an issue on a PA-3200 Series firewall running PAN-OS 8.1.4 in an HA
configuration where the HA1-B (backup) port did not come up as expected.

PAN-OS 8.1.4 Addressed Issues
Issue ID Description

WF500-4739 Fixed an issue where WF-500 appliances failed to analyze Excel files because
the files contained links and required a manual response to a popup dialog
about whether to update those links before opening the file.

WF500-4738 Fixed an issue where the WF-500 appliance factory reset failed.

WF500-4737 Fixed an issue on a WF-500 appliance where, in maintenance mode, network
activity did not occur.

WF500-4690 Fixed an issue where the WF-500 appliance reported incorrect memory
utilization values through SNMP (hrStorageUsed).

WF500-4664 Fixed an issue where the WF-500 appliance SNMP notifications did not
provide information for the eth2 and eth3 interfaces.

WF500-4466 Fixed an issue on WF-500 passive cluster members where file forwarding
was incorrectly disabled, which prevented the passive firewall from uploading
samples.

WF500-4362 Fixed an issue on WF-500 appliances that caused a compliance scan to
incorrectly report two vulnerabilities: SSL Server Supports DES Ciphers
(Sweet32 Exposure) and NGINX Log Escape Sequence Injection Vulnerability.

PAN-105724 Fixed an issue where the firewall did not generate a new random value in
the TLS Server Hello message, which breaks TLSv1.3 connections when SSL
Forward Proxy decryption is enabled.

PAN-104920 Fixed an issue where administrators were not able to create a WF-500 cluster
unless they first configured an HA1 backup.

PAN-104293 Fixed a rare issue where PA-3200 Series firewalls started dropping offloaded
traffic.

PAN-104131 Fixed an issue with the Panorama Interconnect plugin where Panorama Node
child jobs were not displayed under Panorama Controller Tasks (Panorama >
Interconnect > Tasks) as expected when you tried to Push Common Config
(Panorama > Interconnect > Panorama Nodes).

PAN-104116 Fixed an issue where a hardware packet buffer leak caused firewall
performance to degrade.

PAN-103921 Fixed an issue on a PA-3200 Series firewall where the dataplane failed due to
an internal path monitoring failure.

PAN-103442 Fixed an intermittent issue on a PA-3200 Series firewall where the forwarding
information base (FIB) did not update correctly, which prevented successful
forwarding of offloaded traffic.

PAN-102943 Fixed an issue where a process (mgmtsrvr) failed on EDL refresh when
configured over a Secure Sockets Layer (SSL) connection.

PAN-102750 Fixed an issue on a PA-5000 Series firewall where the dataplane restarted when
multicast traffic matched a stale session on the offload processor that was not
cleared as expected.

PAN-102664 Fixed an issue where a process (rasmgr) restarted when a satellite
tunnel tear down command and a get user config command
occurred simultaneously.

PAN-102631 Fixed an issue where a process (rasmgr) restarted multiple times, which caused
the firewall to reboot.

PAN-102168 Fixed an issue where a PA-5200 Series firewall processed the tunnel-
monitoring with profile-failover as having the tunnel status up and peers as
down during initial configuration.

PAN-102140 Fixed an issue where Extended Authentication (X-Auth) clients intermittently
failed to establish an IPSec tunnel to GlobalProtect™ gateways.

PAN-101955 Fixed an issue on an M-100 appliance in a high availability (HA) configuration
where administrators could not reestablish access to the appliance after a
session ended unexpectedly.

PAN-101704 Fixed an issue where a configured Layer 3 interface erroneously opened ports
28869/tcp and 28870/tcp on the IP address assigned to that Layer 3 interface.

PAN-101289 Fixed an issue where simultaneous management access allowed only one user
to log in at a time.

PAN-101182 Fixed an issue where a system failure occurred due to packet size exceeding
the hardware limit.

PAN-100985 Fixed an issue with PA-5000 Series, PA-5200 Series, and PA-7000 Series
firewalls where the firewall fails to clear cache for refreshing the FQDN
list, which periodically results in an out of memory condition that forces the
firewall to reboot.

PAN-100794 Fixed an issue where SNMP fan trays did not initialize as expected and
prevented the SNMP manager from receiving fan tray information.

PAN-100715 Fixed an issue on VM-Series firewalls where the dataplane stops processing
traffic when attempting to transmit packets larger than the firewall maximum
transmission unit (MTU).

PAN-100345 (PA-200, PA-220, PA-220R, PA-500, and PA-800 Series firewall only) Fixed an
issue where a large number of group mappings caused the firewall to display
out-of-memory (OOM) errors and restart.

PAN-100031 Fixed an issue where the content rewriter module failed to properly handle
simultaneous chunked and zipped responses, and did not send end of
response.

PAN-99964 Fixed an issue on an M-100 appliance where a bulk set of commands timed
out causing config locks and, while running any subsequent show commands,
responded with the following message: Server error: Timed out
while getting config lock. Please try again.

PAN-99936 Fixed an issue where access to Panorama™ accounts failed due to the removal
of IPv4 address and exclusive use of IPv6 on the management (MGT) port.

PAN-99897 Fixed an issue where a configuration change commit was accepted when only
one virtual wire (vwire) interface was defined in a vwire pair. With this fix, a
commit for a change where only one vwire interface is defined for a vwire pair
is rejected and an error message is displayed.

PAN-99830 A security-related fix was made to address a cross-site scripting (XSS)
vulnerability in the GlobalProtect Portal login page.

PAN-99780 Fixed an issue where the second virtual system (vsys) dropped TCP traffic
that was out-of-order when that second vsys controlled the proxy session in a
multi-vsys configuration.

PAN-99590 Fixed an issue where the firewall did not return Captive Portal response pages
as expected due to depletion of file descriptors.

PAN-99392 Fixed an issue where RADIUS VSA administrators were able to log in for one
hour after their VSA administrator role was removed on the RADIUS server.

PAN-99310 Fixed an issue where the firewall attempted to reconnect to the LDAP server
when an empty Distinguished Name (DN) returned for an invalid user.

PAN-99260 Fixed an issue where the firewall dataplane restarted due to missing SIP parent
information after an HA failover event.

PAN-99141 Fixed an issue in an HA active/active virtual wire configuration where a race
condition caused the firewall to intermittently drop First SYN packets when
they traversed the HA3 link.

PAN-99110 Fixed an issue where a library (libpam_pan.so) did not handle incorrect
passwords as expected.

PAN-99095 Fixed an issue in Panorama where a commit failed message appeared in
the Template Last Commit column in the device management summary after a
Panorama reboot or upgrade.

PAN-99060 Fixed an issue where searching through pcaps from a Log Collector in a
configuration with multiple Log Collectors took longer than expected.

PAN-98976 Fixed an intermittent issue where Captive Portal multi-factor authentication
(MFA) failed and discarded new MFA requests.

PAN-98949 Fixed an issue on Panorama where generating a threat pcap from the web
interface (Monitor tab) took longer than expected and caused the web
interface and CLI to become inaccessible.

PAN-98885 Fixed an issue where high elastic search memory load caused the firewall to
not display logs and to reboot.

PAN-98694 Fixed an issue on a PA-5200 Series firewall in an HA active/passive
configuration where the firewall dropped TCP-FIN packets after a failover.

PAN-98635 Fixed an issue on the Panorama centralized management server where the logs
related to the clear-log system were not forwarded to the Syslog server.

PAN-98632 Fixed an issue on VM-Series firewalls where administrators could not log in to
a firewall with an AMI image created from a virtual machine (VM).

PAN-98504 A security-related fix was made to address three OpenSSL vulnerabilities:
CVE-2018-0732, CVE-2018-0737, and CVE-2018-0739.

PAN-98479 Fixed an issue where Panorama displayed a File not found error when you
attempted to view or download Threat pcaps from the Monitor tab.

PAN-98392 Fixed an issue where the commit failed and the device server log displayed the
following message: failed to handle CONFIG_UPDATE_START.

PAN-98320 Fixed an issue where, after you exited a process, a fixed amount of memory
was not released, which caused memory leaks.

PAN-98195 Fixed an issue on a PA-220 firewall in an HA active/passive configuration and
with jumbo frames enabled (Device > Setup > Session) where configuration
and dynamic updates failed to synchronize.

PAN-98189 Fixed an issue where the firewall overrode the configuration to not validate
the first ASN, which resulted in multi-lateral BGP connection flaps when
peering over an internet exchange.

PAN-98101 Fixed an issue where a log record in the JSON query caused a process (reportd)
to fail.

PAN-97881 Fixed an issue where an administrator with the CLI Device Read privilege was
able to discard a session that was revoked.

PAN-97832 Fixed an issue on VM-Series firewalls where the virtual machine (VM)
information source made incorrect calls in FIPS-CC mode.

PAN-97831 Fixed an issue where the set ssh service-restart mgmt CLI command
did not respond correctly.

PAN-97572 Fixed an issue in an HA active/passive configuration where URL request
messages were not prioritized from the dataplane to the management plane
and where a high rate of log generation in the dataplane caused inconsistent
URL categorization.

PAN-97547 Fixed an issue where the login banner did not display properly when
configured as a single long line.

PAN-97358 Fixed an issue in an HA active/passive configuration where an HA sync job
executed while a commit all job was processing.

PAN-97355 Fixed an issue where the GlobalProtect connection failed with the following
dataplane ICMPv6 message: Packet too big due to the firewall MTU value
set lower than normal.

PAN-97324 Fixed an issue where values were missing in the URL field in the Data Filtering
logs.

PAN-97315 Fixed an issue on Panorama M-Series and virtual appliances where the
configuration (configd) process stopped responding after you entered a filter
string and tried to Add Match Criteria for any Dynamic address group type
(Objects > Address Groups).

PAN-97296 Fixed an issue where the Panorama web interface Group Mapping Setting
took longer to load than expected when there were multiple device groups and
each group reported to a different master device.

PAN-97253 Fixed an issue where audio failed for long-lived Session Initiation Protocol (SIP)
sessions subjected to six content updates.

PAN-97084 Fixed a rare issue where the task manager failed to load in the web interface
when a pending job caused subsequent completed jobs to be inappropriately
held in memory.

PAN-97077 Fixed an issue on Panorama M-Series and virtual appliances where the report-
generation process stopped responding due to a corrupt log record in the
JSON query.

PAN-96796 Fixed an intermittent issue where session BIND messages were dropped in a
Dynamic IP configuration.

PAN-96780 Fixed an issue on a PA-3220 firewall where the external dynamic list refresh
and commit failed after an increase in the number of external dynamic list
objects in the firewall.

PAN-96678 Fixed an issue on PA-800 Series firewalls where the web interface did not
display or allow you to configure the bandwidth setting any higher than 1Gbps.

PAN-96645 Fixed an issue where generation of extraneous data filtering logs for SMB
protocol traffic occurred without data filtering or file blocking security rules
in place.

PAN-96579 Fixed an issue where the Syslog server received an incorrect vsys/port log
message when multiple vsys systems, with the same profile name and different
port numbers, are connected to a single syslog server.

PAN-96565 Fixed an issue where the DNS proxy process failed due to a DNS response
packet containing a TXT resource record with length = 0.

PAN-96477 Fixed an issue where PA-5000 Series firewalls did not send an IGMP query
immediately after an HA failover.

PAN-96461 Fixed an issue where software deployment from Panorama to a managed
firewall failed.

PAN-96431 A security-related fix was made to prevent HTTP Header Injection in the
Captive Portal.

PAN-96316 Fixed an issue during a decrypted session on an L3 Aggregate Ethernet (AE)
interface, where an incorrectly formatted threat packet capture (pcap) caused
malformed packet captures during an inspection.

PAN-96231 Fixed an issue where a commit took significantly longer than expected
when cloning a rule compared to when configuring a new rule when the
configuration contained a large number of rules.

PAN-96183 Fixed an issue on Panorama M-Series and virtual appliances where logs failed
to purge from the log-disks when /opt/pancfg partition usage reached
100%.

PAN-96109 Fixed an issue where a Panorama appliance returned the following error:
mgmtsrvr: User restart reason - Virtual memory limit
exceeded (8204808 > 8192000).

PAN-95999 Fixed an issue where firewalls in an HA active/active configuration with
a default session setup and owner configuration dropped packets in a
GlobalProtect VPN tunnel that used a floating IP address.

PAN-95970 Fixed an issue on a PA-500 firewall where the dataplane tunnel content
pointer entered a NULL state and caused dataplane processes (pan_comm and
tund) to stop responding, which caused the dataplane to restart.

PAN-95958 Fixed an issue where a PA-220 firewall did not recognize the
panDeviceLogging SNMP object identifier.

PAN-95931 Fixed an issue where some fields did not populate the template when logs are
forwarded to the HTTP Server.

PAN-95902 Fixed an issue where the header captions you configured for PDF Summary
Reports or for Custom Reports were not used for the report name as expected.

PAN-95815 Fixed an issue where the firewall returns an empty response for the API call
show user ip-user-mapping.

PAN-95765 Fixed an issue on Panorama where Collector Groups and WildFire Appliances
and Clusters (Commit > Push to Devices > Edit Selections) that were already
in sync with the current configuration were incorrectly selected and, thus,
included when you attempted to push a configuration only to appliances that
were not in sync.

PAN-95698 Fixed an issue where the firewall revealed part of a password in cleartext on
the command-line interface (CLI) and management server (mgmtsrvr) log when
an administrator attempted to set a password that exceeded the maximum
number of characters (31) using the CLI. With this fix, the firewall reports an
error when an administrator attempts to set a password that contains more
than 31 characters without revealing any part of the actual password.

PAN-95438 Fixed an issue where Panorama M-Series and virtual appliances did not resolve
the FQDN list because a bootstrap setting (cfg.product.bootstrap) was set to
factory_reset.

PAN-95407 Fixed an issue where an API call resulted in an incorrect response.

PAN-95331 Fixed an issue where a temporary flap on configured Aggregate Ethernet (AE)
interfaces cleared the dataplane debug logs.

PAN-95265 Fixed an issue on a PA-220 firewall where exporting the device state from
Panorama command-line interface (CLI) included the default bidirectional
forwarding detection (BFD) configuration, which caused a commit to fail on the
firewall when uploading the device state.

PAN-95200 Fixed an issue on an M-100 appliance where reports did not generate in user
groups.

PAN-95119 Fixed an issue where TCP segments with large sequence numbers caused the
dataplane to fail while large file sizes are transferred.

PAN-95054 Fixed an issue where temporary files not properly cleaned caused disk space
issues.

PAN-95045 Fixed an issue where the syslog messages that terminated with 0 prevented
the firewall from identifying matching patterns in the message.

PAN-94559 Fixed an issue on an M-500 appliance where a bootstrapped firewall
automatically added to Panorama did not commit the changes.

PAN-94385 Fixed an issue on Log Collectors where the show log-collector serial-
number <LC_serial_number> CLI command displayed log ages that
exceeded log expiration periods.

PAN-94236 Fixed an issue where files failed to upload to the WildFire cloud when file-
forwarding queue limit was reached on the dataplane. When this occurred, the
WildFire upload log included the file with a status of offset mismatch.

PAN-93847 Fixed an issue where a null-pointer exception caused the device server (devsrv)
process on the management plane to restart.

PAN-93127 Fixed an intermittent issue where NAT traffic was dropped when NAT
parameters were introduced or changed in the path between the LSVPN
GlobalProtect gateway and the GlobalProtect satellite. To leverage this fix in
your network, you must also enable Tunnel Monitoring on the GlobalProtect
Gateway (Network > GlobalProtect > Gateways > <gp-gateway> > Satellite >
Tunnel Settings).

PAN-92955 Fixed an issue on PA-5200 Series firewalls in an HA active/active configuration
where session timeouts occurred when TCP timers did not update as expected
for asymmetric flows.

PAN-92596 Fixed an issue where the output of the show neighbor ndp-monitor
all command-line interface (CLI) command was missing a space between the
Interface and IPv6 address columns, which decreased readability.

PAN-92334 Fixed an issue where the process (cord) stopped responding when trying to
forward correlation events if there was no log forwarding profile configured
for correlated events.

PAN-91874 Fixed an issue where the log receiver failed due to the logging certificate
server name indication (SNI) value.

PAN-91835 Fixed an issue where PA-7000 Series firewalls did not send logs to Panorama.

PAN-91715 (PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only) Fixed an
issue where the destination interface configured for a QoS profile rule did not
match traffic as expected.

PAN-90967 Fixed an intermittent issue where the Bidirectional Forwarding Detection
(BFD) up time displayed negative values.

PAN-89849 Fixed an issue where the antivirus/anti-spyware block page did not display.

PAN-89402 Fixed an issue on PA-3200 Series firewalls where Ethernet ports 2, 3, 4, 6, 7, 8,
and 10 were functioning only at 1,000Mbps (1Gbps).

PAN-87867 Fixed an issue on an M-100 appliance where, when the interface and
snapshot length (snaplen) options were enabled, the tcpdump command
failed to execute with the following message: Unsupported number of
arguments.

PAN-86759 Fixed an issue where the URL session information WildFire® report displayed
Unknown for sample files uploaded from firewalls running a PAN-OS 8.0
release.

PAN-84199 Fixed an issue where, after you disabled the Skip Auth on IKE Rekey option
in the GlobalProtect gateway, the firewall still applied the option: end users
with endpoints that used Extended Authentication (X-Auth) did not have
to re-authenticate when the key for establishing the IPSec tunnel expired
(Network > GlobalProtect > Gateways > <gateway> > Agent > > Tunnel
Settings).

PAN-83946 Fixed an issue where the default QoS profile limited the available bandwidth
to 10Gbps when you specifically applied the profile to the ae2 interface; this
issue occurred regardless of the bandwidth setting you configured specifically
for that profile.

PAN-82987 Fixed an issue where the Panorama web interface intermittently became
unresponsive during ACC queries.

PAN-81553 Fixed an issue where the M-100 appliance used the default value of 1,000
because the maximum number of user groups was not defined in the system
configuration.

PAN-OS 8.1.3 Addressed Issues
Issue ID Description

WF500-4645 Fixed an issue where RAID rebuilding after disk replacement either failed or
took longer than expected.

PAN-101101 Fixed an issue with inconsistencies in the IP address-to-username mappings
after upgrading the User-ID agent to a User-ID agent 8.1 release.

PAN-100896 Fixed an issue where the dataplane restarted multiple times when multiple
processes stopped responding when accessing invalid memory.

PAN-100870 Fixed an issue where the GlobalProtect app incorrectly displayed a warning
(Password Warning:Password expires in 0 days) even though the
password had not yet expired.

PAN-100312 Fixed an intermittent issue where the dataplane restarted when processing
Clientless VPN traffic.

PAN-100015 Fixed an issue where a PA-7000 Series firewall with a 20GQ Network
Processing Card (NPC) failed to properly initiate all QSFP modules.

PAN-99968 Fixed an issue where the firewall incorrectly dropped GTPv2-C Modify Bearer
Response packets due to a sequence-number mismatch.

PAN-99896 Fixed an issue where the route (routed) process on a passive firewall in a high
availability (HA) cluster restarted when receiving an update from the active
peer for a multicast route destined for a multicast group that does not exist on
the firewall.

PAN-99624 Fixed an issue where emails were not sent using the configured email service
route as expected.

PAN-99585 Fixed an issue where a PA-3200 Series firewall processed traffic that was in
suspended mode.

PAN-99584 Fixed an issue where a PA-5200 Series firewall processed traffic that was in
suspended mode.

PAN-99380 Fixed an issue where the dataplane stopped responding when a tunnel
interface on the firewall received fragmented packets.

PAN-99362 Fixed an issue on a VM-Series firewall on Azure where a process (logrcvr)
stopped responding.

PAN-99316 Fixed an issue where the SAP Success Factor app failed to load because the
Cipher-cloud was configuring cookies with the at ( @ ) character in the cookie
name but Palo Alto Networks firewalls used the @ character as a separator for
storing cookies locally, which caused the firewall to misinterpret the cookies.

PAN-99263 Fixed an issue where NetFlow caused an invalid memory-access issue that
caused the pan_task process to stop responding.

PAN-99212 Fixed an issue where the firewall incorrectly dropped ARP packets and
increased the flow_arp_throttle counter.

PAN-99067 Fixed an issue where a firewall frequently flapped a BGP session when the
firewall did not receive any response from the BFD peer or when BFD was
configured only on the firewall.

PAN-98735 Fixed an issue where upgrading a Panorama management server on Microsoft
Azure from PAN-OS 8.1.0 to PAN-OS 8.1.1 or PAN-OS 8.1.2 resulted in an
autocommit failure.

PAN-98624 Fixed an issue where an administrator who has all administrative rights is
unable to add a device to Panorama from the web interface.

PAN-98530 Fixed a memory leak associated with the logrcvr process when using custom
syslog filters in a syslog profile.

PAN-98470 Fixed an issue on a firewall with GTP stateful inspection enabled where the
firewall incorrectly identified GTP echo packets as GTP-U application packets.

PAN-98397 Fixed an issue on PA-3200 Series firewalls where the offload processor did not
process route-deletion update messages, which left behind stale route entries
and caused sessions to become unresponsive during the session-offload stage.

PAN-98329 (PA-3200 Series firewalls only) Fixed an issue where an SFP+ (10Gbps PAN-
SFP-PLUS-CU-5M) transceiver was incorrectly identified as an SFP (1Gbps)
transceiver.

PAN-98217 Fixed an issue where user-account group members in subgroups (n+1) were
unnecessarily queried when nested level was set to n.

PAN-98116 Fixed an issue where PA-3000 Series firewalls passed file descriptors in a
dataplane process (pan_comm) during content (apps and threats) installation
and FQDNRefresh job execution, which caused the hardware Layer 7 engine
to identify applications incorrectly.

PAN-98097 Fixed an issue on PA-3000 Series, PA-3200 Series, PA-5000 Series, PA-5200
Series, and PA-7000 Series firewalls where Captive Portal was inaccessible for
traffic on Secure HTTP (https) websites when SSL decryption was enabled and
users were behind a proxy server.

PAN-98088 Fixed an issue where an error (mailsend: failed to get stat of
file) appeared in the System log due to an incorrect condition check even
though there were no issues with the firewall sending PDF reports.

PAN-97905 Fixed an issue where device-group operations were discarded when a
concurrent commit was triggered by a different administrator.

PAN-97810 Fixed an issue where, after upgrading to PAN-OS 8.1.1, User-ID usernames
were not populated in traffic logs as expected even though User-ID mappings
were present on the dataplane.

PAN-97724 Fixed an issue with the Japanese language mode where a firewall displayed
garbled characters when an administrator was logging in to the web interface.

PAN-97634 Fixed an issue where the firewall rebooted when the management (MGT)
interface was connected to a network that contained a network loop, which
caused excessive traffic flow on the interface. This issue was observed only on
a PA-220 firewall.

PAN-97594 Fixed an issue where administrators could not use the new colors that were
introduced in PAN-OS 8.1 for creating and modifying banners and messages;
these colors were unavailable from the CLI and, though available from the web
interface (Device > Setup > Management > Banners and Messages > Banners),
administrators received an Operation Failed error when attempting to use
them.

PAN-97561 Fixed an issue where a Panorama appliance running PAN-OS 8.1.2 was unable
to connect to the Logging Service.

PAN-97497 Fixed an issue where the default for newly added cloned security rules was
Move Top, which placed the new rule at the top of the list. With this fix, the
default is After Rule as it was in PAN-OS 8.0 and earlier releases.

PAN-97282 Fixed an issue where Inbound inspection failed when a cipher was cleared from
the TLS structure during session resumption.

PAN-97225 Fixed an issue where new Vendor names for the HIP check were not included
when Panorama pushed the configuration to firewalls.

PAN-97208 Fixed an issue where a firewall in a high availability (HA) active/active virtual
wire (vwire) configuration with SSL decryption enabled passed traffic through
the wrong firewall.

PAN-97082 Fixed an issue where the firewall incorrectly blocked SSL sessions subjected
to Inbound decryption due to UnsupportedVersion when the Decryption
rule referenced a decryption profile with Min - Max TLS Version, even
though Block sessions with unsupported versions was disabled (Objects >
Decryption > Decryption Profile). With this fix, the firewall checks the TLS
version that the server accepted and compares it with the decryption profile
settings when evaluating whether to allow or bypass sessions based on
Decryption rules.

PAN-97060 Fixed an issue where the User-ID (useridd) process stopped responding due to
an out-of-memory issue related to User-ID group mapping.

PAN-97045 Fixed an issue on PA-850 firewalls where the session rematch option failed
to execute when you added an IP address to the External Dynamic List (EDL)
block list.

PAN-96997 Fixed an intermittent issue where detecting an unreachable WF-500 node took
longer than expected.

PAN-96978 Fixed an issue where the GlobalProtect Clientless VPN and GlobalProtect
Data options did not display as expected on Panorama (Template > Device >
Dynamic Updates).

PAN-96918 Fixed an issue where an unreachable DNS server due to aggressive timers
increased the time of PPPoE negotiation and, in some cases, caused
negotiation to fail.

PAN-96909 A security-related fix was made to address a Denial of Service (DoS)
that existed in the PAN-OS management web interface and allowed an
authenticated user to shut down all management sessions, which causes the
firewall to redirect all logged-in users to the login page (CVE-2018-10140).

PAN-96889 Fixed an issue where administrators were required to perform a commit force
before pushing a partial or regular commit operation to managed appliances
when the management server (mgmtsrvr) or configuration (configd) process
encountered a virtual memory leak and restarted.

PAN-96779 Fixed an issue where using the XML API to retrieve Hit Count on a security
rule returned an error message: An error occurred. See dagger.log
for information.

PAN-96737 Fixed an issue with an incorrect policy match because google-docs-base was
incorrectly identified as SSL.

PAN-96388 Fixed an issue in a non-vsys configuration where a firewall dropped the Client
Hello packet from tunneled traffic when inbound decryption was enabled
because the firewall considered that packet to be an inter-vsys inbound
packet.

PAN-96326 Fixed an issue where endpoints could not authenticate to a GlobalProtect
portal or gateway through client certificate authentication due to an OCSP
status of Unknown when the portal or the gateway used a Certificate profile
that specified Online Certificate Status Protocol (OCSP) to validate certificates
(Network > GlobalProtect > Portals > <portal> > Authentication).

PAN-96200 Fixed an issue where PA-220 firewalls that were bootstrapped with a
configuration that enabled jumbo frames did not change the packet buffer size
as expected, which resulted in a dataplane restart.

PAN-96150 Fixed a memory corruption error that caused the dataplane to restart when
content decode length was zero.

PAN-96113 Fixed an issue where the show routing protocol bgp rib-out CLI
command did not display advertised routes that the firewall sent to the
BGP peer. This issue was observed only in a deployment where a firewall
is connected to a Border Gateway Protocol (BGP) peer that advertised a
route for which the next hop is not in the same subnetwork as the BGP peer
interface.

PAN-96003 Fixed an issue where the GTP Protection profile name did not appear in the
Global Find and Filter options in the Profile column of the security rule to
which the GTP profile was attached.

PAN-95996 Fixed an issue where Panorama virtual appliances converted from legacy mode
to Panorama mode did not properly purge logs, which caused low disk space
issues in /opt/panlogs partition.

PAN-95993 Fixed an issue where the firewall did not properly identify the google-translate
application.

PAN-95955 Fixed an issue on PA-3200 Series firewalls where incorrect internal memory
allocation reduced the number of simultaneous SSL decryption sessions that
the firewall could support.

PAN-95884 Fixed an issue where routing FIB entries that were learned from a BGP peer
were not deleted when BGP Peering went down.

PAN-95854 Fixed an issue where the Filter drop-down did not display properly when you
keep the default Target for a Policy rule set to Any.

PAN-95766 Fixed an issue where Q-in-Q-tagged packets passed through a firewall without
inspection or session creation.

PAN-95740 Fixed an issue where multicast FIB entries were inconsistent across dataplanes,
which caused the firewall to intermittently drop multicast packets.

PAN-95730 Fixed an issue where a firewall dropped SIP-RTP packets flowing through a
GRE tunnel when a Tunnel Inspection Policy was configured with Security
Options (Tunnel Inspection zones).

PAN-95712 Fixed an issue where browsers failed to load custom response pages on
decrypted websites when those pages were larger than 8,191 bytes. With this
fix, the firewall supports decryption of custom response pages up to 17,999
bytes.

PAN-95509 Fixed an issue where the parent device group in the hierarchy did not
automatically acquire read-only access for a URL Profile as expected after you
assigned write access to a child device group of that parent.

PAN-95476 Fixed an issue where a certificate failed to load when the certificate public key
exceeded the supported number of characters (2,048).

PAN-95439 Fixed an issue where using the test nat-policy-match command from
the XML API does not result in any matches when the matching policy is a
destination NAT policy.

PAN-95339 Fixed an issue where a firewall sent packets out of order when the sending
rate was too high.

PAN-95192 Fixed an issue where the SSL Certificate Error Notify page didn't display the
<certname/> <issuer/> variables in the SSL-cert-status-page.

PAN-95120 Fixed an issue where VM-Series firewall bootstrapping failed when you
transferred the bootstrap package using a base64 encoded user-data file.

PAN-95114 Fixed an issue where TACACS+ authorization responded with Illegal
packet version because a firewall was incorrectly sending minor
version 1, which impacts TACACS+ servers and causes a failed
authorization.

PAN-95113 Fixed an issue where non-local administrators using TACACS were
unable to log in to the CLI.

PAN-95090 Fixed an issue where imported custom applications did not display in Security
Policies that were created through the web interface.

PAN-95061 Fixed an issue on PA-220 firewalls where either a commit or an EDLRefresh
job failed with the following error message: failed to handle
CONFIG_UPDATE_START. This issue occurred after an increase in the number
of type URL entries in an external dynamic list.

PAN-95046 Fixed an issue where the dataplane restarted on a VM-Series firewall on KVM.

PAN-94920 Fixed an issue where PA-5200 Series firewalls in a high availability (HA)
active/active configuration experienced internal packet corruption that caused
the firewalls to stop passing traffic when the active member of a cluster came back
up as passive after being either suspended or rebooted (moving from tentative
to passive state).

PAN-94864 Fixed an issue where firewalls receiving IP addresses via DHCP failed to
resolve FQDN objects to an IP address.

PAN-94777 Fixed an issue where a 500 Internal Server error occurred for traffic
that matched a Security policy rule with a URL Filtering profile that specified
a continue action (Objects > Security Profiles > URL Filtering) because the
firewall did not treat the API keys as binary strings.

PAN-94698 Fixed an issue on PA-5000 Series firewalls where a process (all_pktproc) on
the dataplane stopped responding if you enabled the send icmp unreachable
Action Setting (Policies > <rule> > Actions).

PAN-94646 Fixed an issue with firewalls in a high availability (HA) configuration where
an HA sync initiated from the active peer caused a race condition while
processing the previous request.

PAN-94637 Fixed an issue where an XML API call to execute the request system
external-list show command did not escape the ampersand ( & )
character in the Source section of the XML output, which resulted in a parse
error.

PAN-94571 Fixed an issue on PA-800 Series, PA-3200 Series, and PA-5200 Series firewalls
where tunnel-bound traffic was incorrectly routed through an ECMP route
instead of a PBF route as expected.

PAN-94497 Fixed an issue where the default static route was not present in the routing
table after you removed the DHCP-provided default gateway when you
configured a default static route and DHCP provided the same default route.

PAN-94452 Fixed an issue where the firewall recorded GPRS Tunneling Protocol (GTP)
packets multiple times in firewall-stage packet captures (pcaps).

PAN-94447 Fixed an issue where deleting all FQDN objects that are no longer in use did
not remove them from the FQDN refresh table, which caused firewalls to
continue resolving these old objects per the schedule.

PAN-94409 Fixed an issue where FTP traffic failed and hit an incorrect security policy due
to missing predict sessions.

PAN-94291 Fixed an issue where a firewall failed to process packets if the previous session
was cleared (either from the CLI or web interface), the client used the same
source port, and the new session was installed on dataplane1 (dp1).

PAN-94290 Fixed an issue where fragmented packets were dropped when traversing a
firewall in an HA active/active configuration.

PAN-94221 Fixed an issue when QoS was configured where the dataplane restarted due to
a packet process failure.

PAN-94124 Fixed an issue where a PA-800 Series firewall dropped UDP packets traversing
port 0.

PAN-94062 Fixed an issue where the dataplane stopped responding due to a failed packet
buffer initialization after the firewall rebooted.

PAN-94043 Fixed an issue where, when an administrator made and committed partial
changes, the disabled address objects used in a disabled security policy were
pushed from Panorama and retained on the firewall but were deleted when an
administrator performed a full commit from Panorama.

PAN-93990 Fixed an issue where a VM-Series firewall was unable to ping the gateway in
a multiple virtual router configuration when interfaces received IP address
through DHCP.

PAN-93973 Fixed an issue on an M-100 appliance where logging stopped when a process
(vldmgr) stopped responding.

PAN-93864 Fixed an issue where the password field did not display in the GlobalProtect
portal login dialog if you attached the certificate profile to the portal
configuration.

PAN-93811 Fixed an issue where the Panorama task manager view on the web interface
stopped responding after multiple appliances reported multiple errors and
warnings in commit job details.

PAN-93754 A security-related fix was made to address vulnerabilities related to some
SAML implementations (CVE-2018-0486 and CVE-2018-0489). Refer to
www.kb.cert.org/vuls/id/475445 for details.

PAN-93753 Fixed an issue on PA-200 firewalls where disk space usage was constantly
running high and often reaching maximum capacity. With this fix, the PA-200
firewall purges logs more quickly and it no longer requires as much space for
monitor daemons.

PAN-93609 Fixed an issue where the firewall silently dropped the first packet of a session
when that packet was received as a fragmented packet (typically with UDP
traffic).

PAN-93457 Fixed an issue where continuous renewal for a session that went into
DISCARD state when the firewall reached its resource limit prevented the
creation of new sessions that matched that DISCARD session.

PAN-93331 Fixed an issue where the firewall applied the wrong checksum when a
re-transmitted packet in a NAT session had different TCP flags, which caused the
recipient to drop those packets.

PAN-93329 Fixed an issue where the non-session-owner firewall in a high availability (HA)
active/active configuration with asymmetric traffic flow dropped TCP traffic
when TCP reassembly failed.

PAN-93184 (VM-50 Lite firewalls only) Fixed an intermittent issue where the firewall
reported wild-fire-auth failed due to ssl error 58 errors in the
system log due to management plane out-of-memory errors when a process
(varrcvr) attempted to register to the cloud.

PAN-93152 Fixed an intermittent Panorama issue where, after upgrading to PAN-OS 8.0 or
a later release and when connected to a WF-500 appliance, commit validations
failed due to a mismatched threat ID range on the WildFire private cloud.

PAN-93005 Fixed an issue where the firewall generated System logs with high severity for
Dataplane under severe load conditions that did not affect traffic. With
this fix, the System logs have low severity for Dataplane under severe
load conditions that do not affect traffic.

PAN-92745 Fixed an issue where the Vulnerability Protection profile exceptions view
included threat IDs that were disabled or not supported for the PAN-OS
release version. Now, only IDs for signatures that are included in the
currently-installed content package are displayed.

PAN-92740 Fixed an issue in an NSX environment where the Panorama management
server displayed an incorrect number of tags under Dynamic Address Groups
when you configured a static tag in one or more address groups.

PAN-92609 Fixed an issue where the firewall could not forward full information for a
Protocol-Independent Multicast (PIM) group to a peer PIM router when the
PIM bootstrap message was larger than the maximum transmission unit (MTU)
of the firewall interface.

PAN-92548 Fixed an intermittent issue where a race condition caused the Logging Service
or WF-500 appliances to disconnect from or become unresponsive to firewalls
or the Panorama management server.

PAN-92257 Fixed an issue where the firewall was intermittently sending incorrect
bytes-per-packet values for some flows to the NetFlow collector.

PAN-92105 Fixed an issue where the Panorama Log Collectors did not receive some
firewall logs and took longer than expected to receive all logs when a Collector
Group had spaces in its name.

PAN-92033 Fixed an issue during the software download process that prevented some
firewalls and appliances from properly receiving these images.

PAN-92017 Fixed an issue where Log Collectors that belonged to a collector group with
a space in its name failed to fully connect to one another, which affected log
visibility and logging performance.

PAN-91926 Fixed an issue where GlobalProtect users could not access some websites
decrypted by the firewall due to an issue with premature deletion of proxy
sessions.

PAN-91662 Fixed an issue where a certificate was loaded without a digital signature, which
caused the configuration (configd) daemon to stop responding.

PAN-91316 Fixed an issue where you couldn't unlock administrator accounts with expired
passwords because the firewall didn't display a lock icon for their accounts in
the Locked User column (Device > Administrators).

PAN-91259 Fixed an issue where the predict session for the rmi-iiop application was not
created correctly, which caused server-to-client initiated sessions to traverse
slow-path inspection and, eventually, policy rules denied the traffic associated
with these sessions.

PAN-91021 Fixed an issue where, in a multiple virtual system (vsys) configuration on
Panorama, you could not add a certificate defined in vsys to a certificate profile
in the same vsys unless the vsys was defined using the default name.

PAN-90952 Fixed an issue on PA-5000 Series firewalls where multicast traffic failed
because PAN-OS did not remove stale sessions from the hardware session
offload processor.

PAN-90752 Fixed an issue on Panorama where the Last Commit State column (Panorama >
Managed Devices) did not get updated after a Template-Only configuration
push to firewalls.

PAN-90535 Fixed an issue where the firewall unnecessarily sent an Authorize-only request
to the RADIUS server which was denied during the login process if you
disabled the Retrieve Framed-IP-Address attribute from authentication
server (Network > GlobalProtect > Gateways > <gateway> > Agent > Client
Settings > <clients_configuration> > IP Pools) in the GlobalProtect gateway
configuration.

PAN-89620 Fixed an intermittent issue where traffic stopped flowing through the IPSec
tunnel in a hub-and-spoke multiple-vendor configuration.

PAN-89346 Fixed an issue where an XML API call to execute the show system raid
detail command returned an error.

PAN-88473 Fixed an issue where the firewall was sending incorrect bytes-per-packet
values to the NetFlow collector when two servers were configured in the same
NetFlow profile.

PAN-88048 Fixed an issue where a VM-Series firewall on KVM in MMAP mode
didn't receive traffic after you enabled the i40e single-root input/output
virtualization (SR-IOV) virtual function (VF).

PAN-87855 Fixed an issue where some ICMP Type 4 traffic was not blocked as expected
after you created a deny Security policy rule with custom App-ID for ICMP
Type 4 traffic.

PAN-87166 Fixed a rare issue on PA-7000 Series firewalls where 20GQ NPC QSFP+ ports
didn't link up (during online insertion and removal (OIR), link-state change, or
boot up events) and became unrecoverable until the NPC was restarted.

PAN-86769 Fixed an issue where a firewall did not forward logs when using the category
eq command-and-control filter.

PAN-86630 Fixed an issue where the firewall dropped H.323 gatekeeper-assisted calls
after failing to perform NAT translation of third-party addresses in H.323
messages.

PAN-86327 Fixed an issue where the firewall rebooted into maintenance mode.

PAN-85522 Fixed an issue on PA-5200 Series firewalls where an SFP+ (10Gbps)
transceiver (PAN-SFP-PLUS-CU-5M) was incorrectly identified as an SFP
(1Gbps) transceiver.

PAN-83153 Fixed an issue where a Panorama virtual appliance in Legacy mode that
was deployed in a high availability (HA) configuration did not receive logs
forwarded from PA-7000 Series and PA-5200 Series firewalls.

PAN-83047 Fixed an issue where the firewall displayed the following commit warning
when you configured a GlobalProtect gateway with a Tunnel Interface set
to the default tunnel interface (Network > GlobalProtect > Gateways >
<gateway> > General) even after you enabled IPv6: Warning: tunnel
tunnel ipv6 is not enabled. IPv6 address will be ignored!

PAN-80091 Fixed an issue where no results were returned for a Global Find request when
using the short name domain\group format.

PAN-79291 Fixed an intermittent issue with ZIP hardware offloading where firewalls
identified ZIP files as threats when they were sent over Simple Mail Transfer
Protocol (SMTP).

PAN-42036 Fixed a rare intermittent issue on PA-800 Series, PA-2000 Series, PA-3000
Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls where
the firewall unexpectedly rebooted due to memory page allocation failure,
which generated a non-maskable interrupt (NMI) watchdog error on the serial
console.

PAN-33746 Fixed an issue where the firewall dropped IKE traffic when another IKE
session was in the discard state on the firewall because the new session
matched the discard session. This issue persisted because the discard sessions
remained on the firewall longer than expected because the firewall refreshed
the discard-session timeout each time the 5-tuple on a new session matched
the 5-tuple on the discard session.

PAN-OS 8.1.2 Addressed Issues
Issue ID Description

WF500-4625 Fixed an issue where the WF-500 appliance provided no option to configure
the master key. With this fix, you can use the
request master-key new-master-key <key> lifetime <lifetime> CLI command to
configure the master key.

PAN-97531 Fixed an issue on PA-3200 Series firewalls where powering down a copper
interface disrupted the operations of other interfaces that were grouped with
it at the hardware level.

PAN-97283 Fixed an issue on PA-3200 Series firewalls where SFP/SFP+ ports
intermittently failed to come up after a reboot.

PAN-97003 Fixed an issue on offline VM-Series firewalls where the web interface and CLI
did not display license information after you activated licenses.

PAN-96938 Fixed an issue with dataplane restarts when the mix of network traffic included
a high ratio of RTP and RTP Control Protocol (RTCP) traffic.

PAN-96734 Fixed an issue where a process (configd) stopped responding during a partial
revert operation when reverting an interface configuration.

PAN-96622 Fixed an issue where the GlobalProtect™ portal landing page did not return the
HTTP Strict Transport Security (HSTS) header in the error response page when
sending the response to an endpoint.

PAN-96587 Fixed an issue where PA-7000 Series and PA-5200 Series firewalls
intermittently failed to forward logs to Log Collectors or the Logging Service
due to DNS resolution failure for the FQDNs of those log receivers.

PAN-96572 Fixed an issue where, after end users successfully authenticated for access to
a service or application, their web browsers briefly displayed a page indicating
authentication completed and then they were redirected to an unknown URL
that the user did not specify.

PAN-96490 Fixed an issue where syslog servers misrepresented HIP Match,
Authentication, and User-ID™ logs received from the firewall because the
order changed in the first seven syslog fields for those log types. With this fix,
the first seven syslog fields are the same for all log types.

PAN-96102 Fixed an issue on the Panorama™ management server where partial revert
operations failed with the following error after you used the PAN-OS®
XML API to create template stacks: template-stack-> is missing
'settings' template-stack is invalid.

PAN-96088 Fixed an issue where the active firewall in a high availability (HA) configuration
did not synchronize the GlobalProtect data file to the passive firewall.

PAN-95895 Fixed an issue on firewalls that collect port-to-username mappings from
Terminal Services agents where the firewalls didn't enforce user-based policies
correctly because the dataplane had incorrect primary-to-alternative-username
mappings even after you cleared the User-ID cache.

PAN-95736 Fixed an issue where the mprelay process stopped responding when a commit
occurred while the firewall was identifying flows that needed a NetFlow
update.

PAN-95683 Fixed an issue where, after you upgraded the firewall to PAN-OS 8.1, a 500
Internal Server error occurred for traffic that matched a Security policy
rule with a URL Filtering profile that specified a continue action (Objects >
Security Profiles > URL Filtering) because the firewall did not correctly
apply AES encryption or synchronize the associated API key between the
management plane and dataplane.

PAN-95513 Fixed an issue on the Panorama management server where selecting additional
target firewalls for a shared policy rule cleared any existing firewall selections
for that rule (Panorama > Policies > <policy_type> > {Pre Rules | Post Rules |
Default Rules} > Target).

PAN-95486 Fixed an issue with VM-Series firewalls on Azure where dynamic updates failed
for the GlobalProtect Data File when you scheduled the updates using the
management interface.

PAN-95445 Fixed an issue where VM-Series firewalls for NSX and firewalls in an NSX
notify group (Panorama > VMware NSX > Notify Group) briefly dropped
traffic while receiving dynamic address updates after the primary Panorama in
a high availability (HA) configuration failed over. This fix requires the
VMware NSX 2.0.4 or a later plugin.

PAN-95443 Fixed an issue where a VM-Series firewall on KVM in DPDK mode didn't
receive traffic after you configured it to use the i40e single-root input/output
virtualization (SR-IOV) virtual function (VF). This fix requires that you install
i40e driver version 2.1.16 or later, and that you set the VF to be trusted by
running the following CLI command on the KVM host:
ip link set dev eth0 vf 1 trust on

PAN-95197 Fixed an issue where mobile endpoints that used GPRS Tunneling Protocol
(GTP) lost traffic and had to reconnect because the firewall dropped the
response message that a Gateway GPRS support node (GGSN) sent for a
second Packet Data Protocol (PDP) context update.

PAN-95163 Fixed an issue where, after you added group mapping configurations, an
out-of-memory condition developed that intermittently caused the User-ID
process (useridd) to restart and temporarily prevented the firewall from
receiving updates to user mappings and group mappings.

PAN-95130 Fixed an issue on the firewall and Panorama management server where you
could not assign tags that contained a colon ( : ) to service or service group
objects.

PAN-95124 Fixed an issue where the firewall did not correctly modify the Configuration
XML file (by removing ctd skip-block-http-range) when you upgraded
from PAN-OS 8.0 to PAN-OS 8.1.

PAN-95056 Fixed an issue on the Panorama management server where the configd process
restarted when an external health monitoring script (such as GoldenGate)
executed against Panorama, which became unusable until configd finished
restarting.

PAN-94917 Fixed an issue on Panorama Log Collectors where the show system
masterkey-properties CLI command did not display the master key
lifetime and reminder settings.

PAN-94912 Fixed an issue where PA-5200 Series and PA-3200 Series firewalls in an
active/active high availability (HA) configuration sent packets in the wrong
direction in a virtual wire deployment.

PAN-94853 Fixed an issue where mobile endpoints that use GPRS Tunneling Protocol
(GTP) lost GTP-U traffic because the firewall dropped all GTP-U packets as
packets without sessions after receiving two GTP requests with the same
tunnel endpoint identifiers (TEIDs) and IP addresses.

PAN-94697 Fixed an issue where commit failures occurred after you configured a
DHCP-enabled subinterface as the local Interface for an IKE gateway configuration
(Network > Network Profiles > IKE Gateways > <IKE_gateway> > General).

PAN-94586 Fixed an issue where the Panorama management server exported reports
slowly or not at all due to DNS resolution failures.

PAN-94582 Fixed an issue where the firewall did not correctly re-learn a User-ID mapping
after that mapping was temporarily lost and recovered through successful
WMI probing.

PAN-94578 Fixed an issue where WildFire submissions with a filename that contained
%20n or a subject that contained %n caused the management server
(mgmtsrvr) process to stop responding.

PAN-94575 Fixed an issue where a Panorama management server running PAN-OS 8.1
failed to push host information profile (HIP) objects that specified Encrypted
Locations with State values to firewalls running PAN-OS 8.0 or an earlier
release (Objects > GlobalProtect > HIP Objects > <HIP_object> > Disk
Encryption > Criteria > <encrypted_location>).

PAN-94516 Fixed an issue on PA-500, PA-220, PA-220-R, and PA-200 firewalls where
commits failed after the Panorama management server pushed a Decryption
profile that you configured to Block sessions if HSM not available to firewalls
that did not support a hardware security module (HSM).

PAN-94510 Fixed an issue where the total log storage utilization that the firewall displayed
did not account for IP Tag storage that was set to less than two per cent
(Device > Setup > Management > Logging and Reporting Settings > Log
Storage).

PAN-94450 Fixed an issue where QSFP+ interfaces (13 and 14) on a PA-7000-20GQ-NPC
Network Processing Card (NPC) unexpectedly flapped when the card was
booting up.

PAN-94413 Fixed an issue on Panorama M-Series and virtual appliances where the hash of
the shared policy was incorrectly calculated, which caused an in-sync shared
policy status to display as out-of-sync.

PAN-94382 Fixed an issue on the Panorama management server where the Task Manager
displayed Completed status immediately after you initiated a push operation
to firewalls (Commit all job) even though the push operation was still in
progress.

PAN-94318 Fixed an issue where the VM-Series firewall for Azure intermittently failed to
resolve URLs and generated the following error because Azure prematurely
timed out the connection to the PAN-DB cloud after four minutes: Failed
to send Update Request to the Cloud.

PAN-94278 Fixed an issue where a Panorama Collector Group forwarded Threat and
WildFire® Submission logs to the wrong external server after you configured
match list profiles with the same name for both log types (Panorama >
Collector Groups > <Collector_Group> > Collector Log Forwarding > {Threat |
WildFire} > <match_list_profile>).

PAN-94239 Fixed an issue where the firewall routed Open Shortest Path First (OSPF)
unicast hello messages (P2MP non-broadcast) using a forwarding information
base (FIB) instead of sending the messages over the interface to which the
OSPF neighbor connected.

PAN-94187 Fixed an issue where the firewall did not apply tag-based matching rules
for dynamic address groups unless you enclosed the tag names with single
quotes ('<tag_name>') in the matching rules (Objects > Address Groups >
<address_group>).

PAN-94167 Fixed an issue where a firewall forwarded a deleted or expired IP
address-to-username mapping to another firewall through User-ID Redistribution but
the receiving firewall still displayed the mapping as an active IP
address-to-username mapping.

PAN-94165 Fixed an issue where the firewall used an incorrect next hop in the Border
Gateway Protocol (BGP) route that it advertised to External BGP (eBGP) peers
in the BGP peer group.

PAN-94163 Fixed an issue on firewalls deployed in virtual wire mode where SSL decryption
failed due to a memory pool allocation failure.

PAN-94122 Fixed an issue where firewalls intermittently blocked SSL traffic due to a
certificate timeout error after you enabled SSL Forward Proxy decryption and
configured the firewall to Block sessions on certificate status check timeout
(Objects > Decryption > Decryption Profile > <Decryption_profile> > SSL
Decryption > SSL Forward Proxy).

PAN-94070 Fixed an issue where Bidirectional Forwarding Detection (BFD) sessions were
active in only one virtual router when two or more virtual routers had active
BGP sessions (with BFD enabled) using the same peer IP address.

PAN-94058 (GlobalProtect configurations only) Fixed an issue where a configured Layer
3 interface erroneously opened ports 28869/tcp and 28870/tcp on the IP
address assigned to that Layer 3 interface.

PAN-94023 Fixed an issue where the request system external-list show type
ip name <EDL_name> CLI command did not display external dynamic list
entries after you restarted the management server (mgmtsrvr) process.

PAN-93937 Fixed an issue where the management server (mgmtsrvr) process on the
firewall restarted when you pushed configurations from the Panorama
management server.

PAN-93889 Fixed an issue where the Panorama management server generated
high-severity System logs with the Syslog connection established to
server message after you configured Traps log ingestion (Panorama >
Log Ingestion Profile) for forwarding to a syslog server (Panorama > Server
Profiles > Syslog) and committed configuration changes (Commit > Commit to
Panorama).

PAN-93755 Fixed an issue where SSL decrypted traffic failed after you configured the
firewall to Enforce Symmetric Return in Policy Based Forwarding (PBF) policy
rules (Policies > Policy Based Forwarding).

PAN-93722 Fixed an issue where the firewall failed to perform decryption because
endpoints tried to resume decrypted inbound perfect forward secrecy (PFS)
sessions.

PAN-93715 In certain customer environments, enhancements in PAN-OS 8.1.2 to change
fan speeds may help reduce rare cases of drive communication failure in
PA-5200 Series firewalls.

PAN-93705 Fixed an issue where configuring additional interfaces (such as ethernet1/1 or
ethernet1/2) on the Panorama management server in Management Only mode
caused an attempt to create a local Log Collector when you committed the
configuration (Panorama > Setup > Interfaces), which caused the commit to
fail because a local Log Collector is not supported on a Panorama management
server in Management Only mode.

PAN-93522 Fixed an issue on firewalls in a high availability (HA) configuration where traffic
was disrupted because the dataplane restarted unexpectedly when the firewall
concurrently processed HA messages and packets for the same session. This
issue occurred on all firewall models except the PA-200 and VM-50 firewalls.

PAN-93412 Fixed an issue where the Security policy rules pushed from Panorama to a
firewall did not display in the list of available rules in the global filters list in the
Application Command Center (ACC).

PAN-93411 Fixed an issue on VM-Series firewalls for KVM where applications that
relied on multicasting failed because the firewalls filtered multicast traffic by
the physical function (PF) after you configured them to use single root I/O
virtualization (SR-IOV) virtual function (VF) devices.

PAN-93410 Fixed an issue where PA-5200 Series firewalls sent logs to the passive or
suspended Panorama virtual appliance in Legacy mode in a high availability
(HA) configuration. With this fix, the firewalls send logs only to the active
Panorama.

PAN-93318 Fixed an issue where firewall CPU usage reached 100 per cent due to SNMP
polling for logical interfaces based on updates to the Link Layer Discovery
Protocol (LLDP) MIB (LLDP-V2-MIB.my).

PAN-93244 A security-related fix was made to prevent a Cross-Site Scripting (XSS) attack
through the PAN-OS session browser (CVE-2018-9335).

PAN-93242 A security-related fix was made to prevent a Cross-Site Scripting
(XSS) vulnerability in a PAN-OS web interface administration page
(CVE-2018-9337).

PAN-93233 Fixed an issue where PA-7000 Series firewalls caused slow traffic over IPSec
VPN tunnels because the firewalls reordered TCP segments during IPSec
encryption when the tunnel session and inner traffic session were on different
dataplanes.

PAN-93207 Fixed an issue where the firewall reported the incorrect hostname when
responding to SNMP get requests.

PAN-93046 Fixed an issue where administrators whose roles have the Privacy privilege
disabled (Device > Admin Roles > <role> > Web UI) can view details about
source IP addresses and usernames in the PDF reports exported from the
firewall.

PAN-92958 Fixed an issue where disk utilization increased unnecessarily because the
firewall did not archive and rotate the /var/on file, which therefore grew to
over 40MB.

PAN-92892 (VM-50 Lite firewalls only) Fixed an intermittent issue where Failed to
back up PAN-DB errors were reported in the system log due to management
plane out-of-memory errors when a process (devsrvr) attempted to run an md5
checksum.

PAN-92821 Fixed an issue where WildFire Submission logs did not correctly display the
subject fields of emails because the firewall did not remove white spaces
between encoded chunks in those fields.

PAN-92676 Fixed an issue where an administrator whose Admin Role profile had the
Command Line privileges set to superuser (Device > Admin Roles > <role> >
Command Line) could not request tech-support dump from the CLI.

PAN-92569 Fixed an issue where the firewall displayed a continue-and-override response
page when users tried to access a URL that the firewall incorrectly categorized
as unknown because it learned the URL field as an IP address.

PAN-92456 Fixed an issue on the Panorama management server where administrators
couldn't log in to the web interface because disk space utilization reached 100
per cent due to the continuous growth of cmserror log files.

PAN-92366 Fixed an issue where PA-5200 Series firewalls in an active/passive high
availability (HA) configuration dropped Bidirectional Forwarding Detection
(BFD) sessions when the passive firewall was in an initialization state after you
rebooted it.

PAN-92149 Fixed an issue on PA-3250 and PA-3260 firewalls where the hardware
signature match engine was disabled and the PAN-OS software performed
signature matching instead, resulting in a ten percent degradation in threat
detection performance.

PAN-91689 Fixed an issue where the Panorama management server removed address
objects and—in the Network tab settings and NAT policy rules—used the
associated IP address values without reference to the address objects before
pushing configurations to firewalls.

PAN-91421 Fixed an issue where the firewall dataplane restarted and resulted in
temporary traffic loss when any process stopped responding while system
resource usage was running high.

PAN-91238 Fixed an issue where an Aggregate Ethernet (AE) interface with Link
Aggregation Control Protocol (LACP) enabled on the firewall went down after
a Cisco Nexus primary virtual port channel (vPC) switch LACP peer rebooted
and came back up.

PAN-91088 Fixed an issue on PA-7000 Series firewalls in a high availability (HA)
configuration where the HA3 link did not come up after you upgraded to
PAN-OS 8.1.0 or a later PAN-OS 8.1 release.

PAN-90920 Fixed an issue on PA-5200 Series firewalls where the dataplane restarted due
to an internal path monitoring failure.

PAN-90692 Fixed an issue where PA-5200 Series firewalls dropped offloaded traffic after
you enabled session offloading (enabled by default), configured subinterfaces
on the second aggregate Ethernet (AE) interface group (ae2), and configured
QoS on a non-AE interface.

PAN-90690 Fixed an issue where Panorama appliances ignored the time-zone offset in logs
sent from the Traps Endpoint Security Manager (ESM).


PAN-90623 Fixed an issue where the Panorama management server displayed template
configurations as Out of Sync for firewalls with multiple virtual systems
even though the template configurations were in sync.

PAN-90418 Fixed an issue where PA-7000 Series, PA-5200 Series, PA-5000 Series,
PA-3200 Series, and PA-3000 Series firewalls dropped packets because their
dataplanes restarted due to QoS queue corruption.

PAN-89988 Fixed an issue where the firewall dataplane intermittently restarted, causing
traffic loss, after you attached a NetFlow server profile to an interface for
which the firewall assigned an invalid identifier.

PAN-89794 Fixed an issue on PA-3050, PA-3060, PA-5000 Series, PA-5200 Series,
and PA-7000 Series firewalls in a high availability (HA) configuration where
multicast sessions intermittently stopped forwarding traffic after HA failover
on firewalls with hardware offloading enabled (default).

PAN-88674 Fixed an issue on the Panorama management server where administrators
with the superuser read-only role could view the Password Hash used to
access a Log Collector CLI after another superuser used browser developer
tools to modify the input type for that field (Panorama > Managed Collectors >
<Log_Collector> > Authentication).

PAN-88428 Fixed an issue where the VM-Series firewall incorrectly displayed network
interfaces as having a Link Speed of 1000 and a Link Duplex set to half
when the actual values were different (Network > Interfaces > <interface> >
Advanced).

PAN-87265 Fixed an issue where the Panorama management server displayed no output
for the User Activity Report (Monitor > PDF Reports > User Activity Report).

PAN-87079 (PA-3060, PA-3050, PA-5000 Series, PA-5200 Series, and PA-7000 Series
firewalls only) Fixed an issue where Threat logs displayed an Other IP
Flood message instead of identifying the threat name of the correct
protocol (such as TCP Flood) when traffic reached the configured SYN
flood max-rate threshold (Objects > Security Profiles > DoS Protection >
<DoS_Protection_profile> > Flood Protection > SYN Flood).

PAN-86672 Fixed an issue where in rare cases a commit caused the disk to become full
due to an incorrect disk quota size value, and as a result the firewall behaved
unpredictably (for example, the web interface and CLI became unresponsive).

PAN-86647 Fixed an issue on the Panorama management server where editing the
Description of a shared policy rule and clicking OK caused the Target setting
to revert to Any firewalls instead of the selected firewalls.

PAN-84647 Fixed an issue with scheduled log exports that prevented firewalls running in
FIPS-CC mode from successfully exporting the logs using Secure Copy (SCP).

PAN-84238 Fixed an issue where the Panorama management server failed to push
configurations to firewalls running a PAN-OS 7.1 release and displayed the
following error:

wins-server-> primary is invalid

PAN-80922 Fixed an issue where the firewall failed to parse the merged configuration file
after you changed the master key; it parsed only the running configuration file.
With this fix, the firewall parses both files as expected after you change the
master key.

PAN-68256 Fixed an issue on PA-7000 Series firewalls in a high availability (HA)
configuration where the HA data link (HSCI) interfaces intermittently failed to
initialize properly during bootup.

PAN-48553 Fixed an issue where, after pushing the high availability (HA) Group ID from
a Panorama management server to a firewall and overriding the value on the
firewall (Device > High Availability > General > Setup), the following error
displayed even though the value was within the permitted range:
deviceconfig -> high-availability-> group -> should be
equal to or between 1 and 63.

PAN-OS 8.1.1 Addressed Issues
Issue ID Description

WF500-4599 Fixed an issue on WF-500 appliance clusters where attempts to submit
samples for analysis through the WildFire XML API failed with a 499 or 502
error in the HTTP response when the local worker was fully loaded.

WF500-4535 Fixed an issue where the WF-500 appliance couldn’t forward logs over TCP or
SSL to a syslog server.

WF500-4473 Fixed an issue where the root partition on the WF-500 appliance reached
its maximum storage capacity because the following log files had no
size limit and grew continuously: appweb_access.log, trap-access.log,
wpc_build_detail.log, rsyncd.log, cluster-mgr.log, and cluster-script.log. With
this fix, the appweb_access.log, trap-access.log, and wpc_build_detail.log logs
have a limit of 10MB and the WF-500 appliance maintains one rotating backup
file for each of these logs to store old data when a log exceeds the limit. Also
with this fix, the rsyncd.log, cluster-mgr.log, and cluster-script.log logs have a
limit of 5MB and the WF-500 appliance maintains eight rotating backup files
for each of these logs.

WF500-4397 Fixed an issue in a WF-500 appliance cluster where the controller backup node
was stuck in global-db-service: WaitingforLeaderReady status
when you tried to add nodes to the cluster.

WF500-4363 Fixed an issue where firewalls and Panorama management servers couldn’t
retrieve reports from a WF-500 appliance due to an interruption in its data
migration after you upgraded the appliance from a PAN-OS 7.1 release to
a PAN-OS 8.0 or later release. With this fix, you can run the new debug
device data-migration show CLI command on the WF-500 appliance
after each upgrade to verify data migration finished successfully (output is
Migration in MySQL is successful). Don't perform additional upgrades
on the WF-500 appliance until the data migration finishes.

PAN-95536 Fixed an issue where Dedicated Log Collectors failed to forward logs to syslog
servers.

PAN-95504 Fixed an issue on the firewall and Panorama management server where the
web interface became unresponsive because the management server process
(mgmtsrvr) restarted after you set its debugging level to debug (through the
debug management-server on debug CLI command).

PAN-95288 Fixed an issue where the firewall web interface didn't display System logs
(Monitor > Logs > System) after you upgraded to PAN-OS 8.1 and then logged
in using an administrative account that existed before the upgrade.

PAN-94845 Fixed an issue where App-ID didn’t recognize GPRS Tunneling Protocol
User Plane (GTP-U) in GTP messages on port 2152 when only single-
direction message packets arrived (Traffic logs indicated application
insufficient-data).


PAN-94741 Fixed an issue on the Panorama management server where characters in the
Secret string of a TACACS+ server profile changed on the firewall after you
pushed the server profile configuration from a template stack (Device > Server
Profiles > TACACS+).

PAN-94700 Fixed an issue on the PA-200, PA-220, PA-220R, PA-500, and PA-800
Series firewalls where the GlobalProtect data file installation failed after you
upgraded the firewall to PAN-OS 8.1.

PAN-94661 Fixed an issue where the firewall and Panorama management server displayed
policy rules in a jumbled order when you scrolled the rule list in the Policies
tab. The firewall and Panorama also opened the wrong rule for editing when
you double-clicked one.

PAN-94640 Fixed an issue where System logs included the following debugging
information even though the firewall successfully resolved IP addresses:
Failed to resolve domain name:xxx.yyy.zz after trying all
attempts to name servers: A.B.C.D, W.X.Y.Z. With this fix,
daemon logs include that debugging information instead of System logs.

PAN-94633 Fixed an issue where, after upgrading the firewall to PAN-OS 8.1, LDAP
authentication failed if the associated authentication profile had an Allow List
with entries other than All (Device > Authentication Profile).

PAN-94569 Fixed an issue where GlobalProtect client authentication failed
after you entered domains in upper case characters in the Allow
List of an authentication profile (Device > Authentication Profile >
<authentication_profile> > Advanced).

PAN-94445 Fixed an issue where Server Message Block (SMB) sessions were in a discard
state with the session end reason resources-unavailable.

PAN-94387 Fixed an issue where the Check URL Category link in URL Filtering profiles
opened a page that displayed a page not found error instead of opening
the web page used to check the PAN-DB URL Filtering database for the URL
Filtering category of a URL (Objects > Security Profiles > URL Filtering).

PAN-94386 Fixed an issue where the firewall dropped packet data protocol (PDP) context
update and delete messages that had a tunnel endpoint identifier (TEID) of
zero in GPRS Tunneling Protocol (GTP) traffic, and the traffic failed when the
dropped messages were valid.

PAN-94379 Fixed an issue in a Panorama deployment with a Collector Group containing
multiple Log Collectors where the logging search engine restarted after you
changed the SSH keys used for high availability (HA). The disruption to the
search engine caused an out-of-memory condition and caused Panorama
to display logs and report data from only one Log Collector in the Collector
Group.

PAN-94317 Fixed the following LDAP authentication issues:

• Authentication failed for users who belonged to user groups for which you
specified LDAP short names instead of long names in the Allow List of an
authentication profile (Device > Authentication Profile).
• When performing LDAP lookups based on entries in the Allow List of
LDAP authentication profiles, the firewall treated unknown group names as
usernames.
• Authentication failed for users who belonged to multiple groups that you
entered in the Allow List of different LDAP authentication profiles.

PAN-94288 Fixed an issue where the default view and maximized view of the Application
Usage report (ACC > Network Activity) didn't display matching values when
you set the Time to Last 12 Hrs or a longer period.

PAN-94170 Fixed an issue where GTP traffic failed because the firewall dropped GTP-U
echo request packets.

PAN-94135 Fixed an issue where device monitoring did not work on the Panorama
management server.

PAN-93930 Fixed an issue on firewalls with SSL decryption configured where the
dataplane restarted because the all_pktproc process stopped responding after
decryption errors occurred.

PAN-93865 Fixed an issue where the GlobalProtect agent couldn't split tunnel applications
based on the destination domain because the Include Domain and Exclude
Domain lists were not pushed to the agent after the user established
the GlobalProtect connection (Network > GlobalProtect > Gateways >
<gateway> > Agent > Client Settings > <client_settings_configuration> > Split
Tunnel > Domain and Application). In addition, the GlobalProtect agent
couldn't include applications in the VPN tunnel based on the application
process name because the Include Client Application Process Name list
was not pushed to the agent after the user established the GlobalProtect
connection.

PAN-93854 Fixed an issue where the VM-Series firewall for NSX randomly disrupted traffic
due to high CPU usage by the pan_task process.

PAN-93640 Fixed an issue on firewalls where the Log Collector preference list displayed
the IP address as unknown for a Panorama Log Collector deployed on AWS if
the interface (ethernet1/1 to ethernet1/5) used for sending logs did not have
a public IP address configured and you pushed configurations to the Collector
Group.

PAN-93431 Fixed an issue where the Panorama management server failed to export Traffic
logs as a CSV file (Monitor > Logs > Traffic) after you set the Max Rows in
CSV Export to more than 500,000 rows (Panorama > Setup > Management >
Logging and Reporting Settings > Log Export and Reporting).

PAN-93430 Fixed an issue where the firewall web interface didn't display Host Information
Profile (HIP) information in HIP Match logs for end users who had Microsoft-
supported special characters in their domains or usernames.


PAN-93336 Fixed an issue where the firewall intermittently became unresponsive because
the management server process (mgmtsrvr) stopped responding during a
commit after you configured policy rules to use external dynamic lists (EDLs).

PAN-93106 Fixed an issue where the Google Chrome browser displayed certificate
warnings for self-signed ECDSA certificates that you generated on the firewall.

PAN-93090 Fixed an issue where the GCP DHCP Server took 30-50 seconds to respond to
a DHCP discover request, causing DHCP IP assignments to fail.

PAN-93089 A security-related fix was made to prevent denial of service (DoS) to the
management web interface (CVE-2018-8715).

PAN-93072 Fixed an issue on hardware firewalls that were decrypting SSL traffic where
multiple commits in a short period of time caused the firewalls to become
unresponsive.

PAN-93052 Fixed an issue where IPv6 BGP peering persisted (not all BGP routes were
withdrawn) after the associated firewall interface went down.

PAN-92950 Fixed an issue where a Panorama appliance experienced memory
depletion after allowing you to mistakenly enter the IP address of the
appliance when using the set deviceconfig system panorama-server
<IP_address> or set log-collector <Log_Collector>
deviceconfig system configuration mode CLI commands. These
commands enable connectivity with separate appliances. With this fix, the
command displays an error message when you specify the IP address of the
appliance on which you run the command instead of the appliance to which
it must connect. The correct IP address depends on the type of appliance on
which you run the command:
• Panorama management server in an HA configuration—Specify the IP
address of the Panorama HA peer.
• Dedicated Log Collector—Specify the IP addresses of the Panorama
management servers, where panorama-server specifies the primary
HA Panorama (or the only Panorama in a non-HA configuration) and
panorama-server-2 specifies the secondary HA Panorama: set
log-collector <Log_Collector> deviceconfig system
{panorama-server | panorama-server-2} <IP_address>.

PAN-92944 Fixed an issue where the firewall assigned the wrong URL filtering category
to traffic that contained a malformed host header. With this fix, the firewall
enables the blocking of any traffic with a malformed URL.

PAN-92916 Fixed an issue where firewalls configured for User-ID redistribution failed to
redistribute IP address-to-username mappings due to a memory leak.

PAN-92858 Fixed an issue where the Panorama management server could not generate
reports and the ACC page became unresponsive when too many heartbeats
were missed because Panorama never cleared reportIDs greater than 65535.


PAN-92789 Fixed an issue where VM-Series firewalls deleted logs by reinitializing the
logging disk when the periodic file system integrity check (FSCK) took over 30
minutes during bootup.

PAN-92788 Fixed an issue where the PAN-OS XML API returned the same job IDs for all
report jobs on the firewall. With this fix, the PAN-OS XML API returns the
correct job ID for each report job.

PAN-92738 Fixed an issue on the Panorama management server where administrators with
read-only privileges couldn’t view deployment Schedules for content updates
(Panorama > Device Deployment > Dynamic Updates).

PAN-92678 Fixed an issue on Panorama management servers in an HA configuration
where, after failover caused the secondary HA peer to become active, it failed
to deploy scheduled dynamic updates to Log Collectors and firewalls.

PAN-92604 Fixed an issue where a Panorama Collector Group didn’t forward logs to some
external servers after you configured multiple server profiles (Panorama >
Collector Groups > <Collector_Group> > Collector Log Forwarding).

PAN-92564 Fixed an issue where a small percentage of writable third-party SFP
transceivers (not purchased from Palo Alto Networks®) stopped working or
experienced other issues after you upgraded the firewall to which the SFPs
are connected to a PAN-OS 8.1 release. With this fix, you must not reboot
the firewall after you download and install the PAN-OS 8.1 base image until
after you download and install the PAN-OS 8.1.1 release. For additional details,
upgrade considerations, and instructions for upgrading your firewalls, refer to
the PAN-OS 8.1 upgrade information.

PAN-92560 Fixed an issue where SSL Forward Proxy decryption didn’t work after you
excluded every predefined Hostname from decryption (Device > Certificate
Management > SSL Decryption Exclusion).

PAN-92487 Fixed an issue where enabling jumbo frames (Device > Setup > Session)
reduced throughput because:
• The firewalls hardcoded the maximum segment size (TCP MSS) within TCP
SYN packets and in server-to-client traffic at 1,460 bytes when packets
exceed that size. With this fix, the firewalls no longer hardcode the TCP
MSS value for TCP sessions.
• PA-7000 Series and PA-5200 Series firewalls hardcoded the maximum
transmission unit (MTU) at 1,500 bytes for the encapsulation stage when
tunneled clear-text traffic and the originating tunnel session were on
different dataplanes. With this fix, the firewalls use the MTU configured
for the interface (Network > Interfaces > <interface> > Advanced > Other
Info) instead of hardcoding the MTU at 1,500 bytes.

PAN-92445 Fixed an issue where the Panorama management server didn't display log data
in Monitor > Logs, the ACC tab, or reports when Panorama was in a different
timezone than the Dedicated Log Collectors because Panorama applied the
wrong time filter.


PAN-92380 Fixed an issue where, when you tried to export a custom report, and your
Chrome or Firefox browser was configured to block popup windows, the
firewall instead downloaded a Tech Support File to your client system.

PAN-92256 Fixed an issue where the firewall didn't Block sessions with unsupported
cipher suites based on Decryption policy rules for SSL Inbound Inspection
when the rules referenced a Decryption Profile with a list of allowed ciphers
that didn't match the ciphers that the destination server specified (Objects >
Decryption > Decryption Profile). With this fix, the firewall checks the ciphers
of both the source client and destination server against the cipher list in
Decryption profiles when evaluating whether to allow sessions based on
Decryption policy.

PAN-92251 Fixed an issue where VM-Series firewalls used the incorrect MAC address
in DHCP messages initiated from a subinterface after you configured
that subinterface as a DHCP Client (Network > Interfaces > Ethernet >
<subinterface> > IPv4) and disabled the Use Hypervisor Assigned MAC
Address option (Device > Management > Setup).

PAN-92163 Fixed an issue where firewalls in an active/passive HA configuration took
longer than expected to fail over after you configured them to redistribute
routes between an interior gateway protocol (IGP) and Border Gateway
Protocol (BGP).

PAN-92152 Fixed an issue where the firewall web interface displayed a blank Device >
Licenses page when you had 10 x 5 phone support.

PAN-92082 Fixed an issue where the firewall didn't generate URL Filtering logs for user
credential submissions associated with a URL that was not a container page
after you selected Log container page only and set the User Credential
Submission action to alert for the URL category in a URL Filtering profile
(Objects > Security Profiles > URL Filtering > <URL_Filtering_profile>).
With this fix, the firewall generates URL Filtering logs for user credential
submissions regardless of whether you enable Log container page only in the
URL Filtering profile.

PAN-91946 Fixed an issue where the Panorama management server intermittently did not
refresh health data for managed firewalls (Panorama > Managed Devices >
Health) and therefore displayed 0 for session statistics.

PAN-91945 Fixed an issue where the firewall didn't generate a System log to indicate when
the reason that end users couldn’t authenticate to a GlobalProtect portal was
a DNS resolution failure for the FQDNs in a RADIUS server profile (Device >
Server Profiles > RADIUS).

PAN-91809 Fixed an issue on VM-Series firewalls for Azure where, after the firewall
rebooted, some interfaces configured as DHCP clients intermittently did not
receive DHCP-assigned IP addresses.

PAN-91776 Fixed an issue where endpoint users could not authenticate to GlobalProtect
when specifying a User Domain with Microsoft-supported symbols such as
the dollar symbol ($) in the authentication profile (Device > Authentication
Profile).

PAN-91597 As an enhancement to improve security for the firewall, the management
(MGT) interface now includes the following HTTP security headers:
X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy.

PAN-91591 Fixed an issue where the GlobalProtect agent failed to establish a TCP
connection with the GlobalProtect gateway when TCP SYN packets had
unsupported congestion notification flag bits set (ECN or CWR).

PAN-91564 A security-related fix was made to prevent a local privilege escalation
vulnerability that allowed administrators to access the password hashes of
local users (CVE-2018-9334).

PAN-91559 Fixed an issue where PA-5200 Series firewalls caused slow traffic over IPSec
VPN tunnels because the firewalls reordered TCP segments during IPSec
encryption.

PAN-91370 Fixed an issue where the firewall dropped IPv6 traffic while enforcing IPv6
bidirectional NAT policy rules because the firewall incorrectly translated the
destination address for a host that resided on a directly attached network.

PAN-91360 Fixed an issue where, in rare cases, the firewall couldn't establish connections
with GlobalProtect agents because the rasmgr process stopped responding
when hundreds of end users logged in and out of GlobalProtect at the same
time.

PAN-91254 Fixed an issue where end user accounts were locked out after you configured
authentication based on a RADIUS server profile with multiple servers
(Device > Server Profiles > RADIUS) and enabled the gateway to Retrieve
Framed-IP-Address attribute from authentication server (Network >
GlobalProtect > Gateways > <gateway> > Agent > Client Settings >
<client_settings_configuration> > IP Pools). With this fix, instead of requesting
framed IP addresses from all the servers in a RADIUS server profile at the same
time, the firewall sends the request to only one server at a time until one of the
servers responds.

PAN-90824 An enhancement was made to improve compatibility for the HTTP log
forwarding feature so that you can specify the TLS version that the HTTP log
forwarding feature uses to connect to the HTTP server.
To specify the version, use the debug system https-settings tls-version
CLI command. (To view the version that is currently specified, use
the debug system https-settings command.)

PAN-90753 Fixed an issue where firewalls in an active/passive HA configuration didn’t
synchronize multicast sessions between the firewall HA peers.

PAN-90448 Fixed an issue where PA-7000 Series and PA-5200 Series firewalls didn't
properly Rematch all sessions on config policy change for offloaded sessions
(Device > Setup > Session).


PAN-90411 Fixed an issue where PA-5200 Series firewalls didn’t forward buffered logs
to Panorama Log Collectors after connectivity between the firewalls and Log
Collectors was disrupted and then restored.

PAN-90404 Fixed an issue where the Panorama management server intermittently
displayed the connections among Log Collectors as disconnected after pushing
configurations to a Collector Group (Panorama > Managed Collectors).

PAN-90347 Fixed an issue on a PA-5000 Series firewall configured to use an IPSec tunnel
containing multiple proxy IDs (Network > IPSec Tunnels > <tunnel> > Proxy
IDs) where the firewall dropped tunneled traffic after clear text sessions were
established on a different dataplane than the first dataplane (DP0).

PAN-90190 Fixed an issue on the Panorama virtual appliance on a VMware ESXi server
where VMware Tools failed to start after you upgraded to PAN-OS 8.1.

PAN-90143 Fixed an issue where administrators intermittently failed to log in to the
firewall because it intermittently restarted processes continuously due to an
out-of-memory condition.

PAN-90048 Fixed an issue where automatic commits failed after you configured Security
policy rules that referenced region objects for the source or destination and
then upgraded the PAN-OS software.

PAN-89992 Fixed an issue where the firewall didn’t efficiently handle traffic in which the
number of Address Resolution Protocol (ARP) packets exceeded the processing
capacity of the firewall. With this fix, the firewall handles ARP packets more
efficiently.

PAN-89748 Fixed an issue on the Panorama virtual appliance for Azure where commit
operations failed after you added administrator accounts other than the
default admin account, switched from Panorama mode to Log Collector mode,
made configuration changes, and then tried to commit your changes. With this
fix, Panorama removes all administrator accounts other than the default admin
account when you switch to Log Collector mode. Dedicated Log Collectors
support only the default admin account.

PAN-89715 Fixed an issue on PA-5200 Series firewalls in an active/passive HA
configuration where failover took a few seconds longer than expected when it
was triggered after the passive firewall rebooted.

PAN-89525 Fixed a configuration parsing issue where a default setup of the Authentication
Profile caused the firewall to reboot during commit. If the administrator
configured the Authentication Profile with any allowed values, including
the default values, the configuration committed successfully. The issue was
observed on a PA-500 firewall in FIPS-CC mode.

PAN-89171 Fixed an issue on firewalls in an HA configuration where an auto-commit
failed (the error message was Error:Duplicate user name) after you
connected a new suspended-secondary peer to an active-primary peer.


PAN-88852 Fixed an issue where VM-Series firewalls stopped displaying URL Filtering
logs after you configured a URL Filtering profile with an alert action (Objects >
Security Profiles > URL Filtering).

PAN-88752 Fixed an issue where User-ID agents configured to detect credential phishing
didn’t detect passwords that contained a blank space.

PAN-88649 Fixed an issue where, after receiving machine account names in UPN format
from a Windows-based User-ID agent, the firewall misidentified them as user
accounts and overrode usernames with machine names in IP address-to-
username mappings.

PAN-87964 Fixed an issue where the firewall couldn't render URL content for end users
after you configured GlobalProtect Clientless VPN with a Hostname set to a
Layer 3 subinterface or VLAN interface (Network > GlobalProtect > Portals >
<portal> > Clientless VPN > General).

PAN-87309 Fixed an issue where, after you configured a GlobalProtect gateway to exclude
all video streaming traffic from the VPN tunnel, Hulu and Sling TV traffic could
not be redirected if you did not configure any security profiles (such as a File
Blocking profile) for your firewall Security policies.

PAN-86934 Fixed an issue where the firewall applied case sensitivity to the names of
shared user groups that were defined in its local database and, as a result,
users who belonged to those groups couldn't access applications through
GlobalProtect Clientless VPN even after successful authentication. With this
fix, the firewall ignores character case when evaluating the names of user
groups in its local database.

PAN-86076 As an enhancement to improve security for GlobalProtect deployments, the
GlobalProtect portal now includes the following HTTP security headers in
responses to end user login requests: X-XSS-Protection,
X-Content-Type-Options, and Content-Security-Policy.

PAN-86028 Fixed an issue in an HA active/active configuration where traffic in a
GlobalProtect VPN tunnel in SSL mode failed after Layer 7 processing if
asymmetric routing was involved.

PAN-85308 Fixed an issue in the output for on-demand custom reports (select
Monitor > Manage Custom Reports > <report> and Run Now) where the
<column_heading> drop-down displayed a Columns option even though you
couldn't add or remove columns. With this fix, the <column_heading>
drop-down no longer displays a Columns option.

PAN-83001 Fixed an issue where the firewall dropped packets based on a QoS class even
though traffic didn’t exceed the maximum bandwidth for that class.

PAN-81495 Fixed an issue where connections that the firewall handles as an Application
Level Gateway (ALG) service were disconnected when destination NAT and
decryption were enabled.


PAN-80664 Fixed an issue where, after end users who haven't yet enrolled in Duo failed to
authenticate to a GlobalProtect portal that used a RADIUS server integrated
with Duo for multi-factor authentication, the portal login page displayed
Invalid username or password as the authentication error instead of
displaying a Duo enrollment URL so that the users could enroll.

PAN-OS 8.1.0 Addressed Issues
Issue ID Description

PAN-92893 Fixed an issue that occurred during the reboot process and caused some
firewalls to go into maintenance mode.

PAN-92268 (PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls only) Fixed
an issue where one or more dataplanes did not pass traffic when you ran
several operational commands (from any firewall user interface or from the
Panorama™ management server) while committing changes to device or
network settings or while installing a content update.

PAN-91774 Fixed an issue on Panorama virtual appliances for AWS in a high availability
(HA) configuration where the primary peer did not synchronize template
changes to the secondary peer.

PAN-91429 Fixed an issue where PA-5200 Series firewalls rebooted when you ran the set
ssh service-restart mgmt CLI command multiple times.

PAN-91361 Fixed an issue where client connections initiated with HTTP/2 failed during
SSL Inbound Inspection decryption because the firewall removed the
Application-Layer Protocol Negotiation (ALPN) extension within the server
hello packet instead of forwarding the extension to the client.

PAN-90954 A security-related fix was made to prevent a local privilege escalation
vulnerability that could potentially result in the deletion of files
(CVE-2018-9242).

PAN-90842 Fixed an issue where commits failed after you changed the default Size Limit
to a custom value for MacOSX files that the firewall forwarded to WildFire®
(Device > Setup > WildFire).

PAN-90835 A security-related fix was made to prevent a Cross-Site Scripting (XSS) attack
through the PAN-OS® session browser (CVE-2018-7636).

PAN-90521 Fixed an issue on the Panorama management server where Device Group and
Template administrators could not display or edit the Device > Log Settings in
a template.

PAN-90168 Fixed an issue where, after you downgraded a firewall from PAN-OS 8.1 to a
previous PAN-OS release and then clicked Revert Content on the Panorama
management server (Panorama > Device Deployment > Dynamic Updates), the
Current Version column displayed the content release version of the firewall
when it ran PAN-OS 8.1 regardless of the content version currently installed
on the firewall.

PAN-89471 Fixed an issue where firewalls rebooted because the userid process restarted
too often due to a socket binding failure that caused a memory leak.


PAN-89030 Fixed an issue where the firewall could not authenticate to a hardware security
module (HSM) partition when the partition password contained special
characters.

PAN-88292 Fixed an issue on Panorama management servers in an HA configuration
where the Log Collector that ran locally on the passive peer did not forward
logs to syslog servers.

PAN-88200 Fixed an issue where firewalls with multiple virtual systems did not import
external dynamic lists that you assigned to policy rules.

PAN-86873 Fixed an issue where the firewall advertised the OSPF not-so-stubby area
(NSSA) link-state advertisement (LSA) type 7 default route to NSSA neighbors
even when the OSPF backbone area was down.

PAN-85410 Fixed two issues on a firewall configured for GlobalProtect™ Clientless VPN:
• The firewall dataplane restarted when client cookies contained a path that
did not start with a forward slash (/).
• The firewall did not properly reinitialize client cookies that had a missing
path and domain and instead used values from previously received cookies.

PAN-84836 A security-related fix was made to address a Cross-Site Scripting (XSS)
vulnerability in the PAN-OS response to a GlobalProtect gateway
(CVE-2018-10139).

PAN-84045 Fixed an issue where VM-Series firewalls in a high availability (HA)
configuration with Data Plane Development Kit (DPDK) enabled experienced
HA path monitoring failures and (in active/passive deployments) HA failover.

PAN-83900 Fixed an issue where the Panorama management server did not run ACC
reports or custom reports because the reportd process stopped responding
when an administrator tried to access a device group to which that
administrator did not have access.

PAN-82942 Fixed an issue where the firewall rebooted because the User-ID™ process
(useridd) restarted several times when endpoints, while requesting services
that could not process HTTP 302 responses (such as Microsoft update
services), authenticated to Captive Portal through NT LAN Manager (NTLM)
and immediately disconnected.

PAN-81521 Fixed an issue where endpoints failed to authenticate to GlobalProtect through
Kerberos when you specified the active directory (AD) FQDN instead of
the AD IP address in the Kerberos server profile (Device > Server Profiles >
Kerberos).

PAN-81417 Fixed an issue on the Panorama management server where, after an
administrator selected Force Template Values when editing Push Scope
selections (Commit > Push to Devices), the setting persisted as enabled for
that administrator in all subsequent push operations instead of defaulting
to disabled. With this fix, Force Template Values is disabled by default for
every push operation until, and only if, the administrator manually enables the
setting.

PAN-80794 A protocol-related fix was made to address a bug in the OSPF protocol.

PAN-80569 Fixed an issue where firewalls could not connect to M-500 or M-600
appliances in PAN-DB mode due to certificate validation failures. With this fix,
the appliances add an IP address to the Subject Alternative Name (SAN) field
when generating the certificates used for firewall connections.

PAN-80505 Fixed an issue where a firewall was able to connect to Panorama using an expired
certificate.

PAN-75775 Fixed an issue where SNMP managers indicated syntax errors in PAN-OS
MIBs, such as forward slash (/) characters not used within quotation marks (“”).
You can find the updated MIBs at https://docs.paloaltonetworks.com/misc/
snmp-mibs.html.

PAN-73316 Fixed an issue where, when a GlobalProtect user first logged in with a RADIUS
authentication profile, the Domain-UserName appeared as user@domain
(instead of domain\user) in the PAN-OS web interface.

PAN-73154 Fixed an issue on the Panorama management server where commit operations
stopped progressing after reaching 99 per cent completion.



Getting Help
The following topics provide information on where to find more about this release and how to
request support:

> Related Documentation
> Requesting Support

Related Documentation
Refer to the PAN-OS® 8.1 documentation on the Technical Documentation portal using the links below.
You can also search the documentation for more information on our products:
• PAN-OS 8.1 New Features Guide—Detailed information on configuring the features introduced in this
release.
• PAN-OS 8.1 Administrator’s Guide—Provides the concepts and solutions to get the most out of your
Palo Alto Networks® next-generation firewalls. This includes taking you through the initial configuration
and basic setup on your Palo Alto Networks firewalls.
• Panorama 8.1 Administrator’s Guide—Provides the basic framework to quickly set up the Panorama™
virtual appliance or an M-Series appliance for centralized administration of the Palo Alto Networks
firewalls.
• WildFire 8.1 Administrator’s Guide—Provides steps to set up a Palo Alto Networks firewall to forward
samples for WildFire® Analysis, to deploy the WF-500 appliance to host a WildFire private or hybrid
cloud, and to monitor WildFire activity.
• VM-Series 8.1 Deployment Guide—Provides details on deploying and licensing the VM-Series firewall on
all supported hypervisors. It includes examples of supported topologies on each hypervisor.
• GlobalProtect 8.1 Administrator’s Guide—Describes how to set up and manage GlobalProtect™ features.
• PAN-OS 8.1 Online Help System—Detailed, context-sensitive help system integrated with the firewall
web interface.
• Palo Alto Networks Compatibility Matrix—Provides operating system and other compatibility
information for Palo Alto Networks next-generation firewalls, appliances, and agents.
• Open Source Software (OSS) Listings—OSS licenses used with Palo Alto Networks products and
software:
• PAN-OS 8.1
• Panorama 8.1
• WildFire 8.1

Requesting Support
To contact support, get information on support programs, manage your account or devices, or
open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
You can also use the Palo Alto Networks® Contact Information as needed.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
https://www.paloaltonetworks.com/company/contact-support
Palo Alto Networks, Inc.
www.paloaltonetworks.com
