PAN-OS Release Notes

PANOS7.
0ReleaseNotes
Release7.0.15
RevisionDate:April28,2017
ReviewimportantinformationaboutPaloAltoNetworksPANOS7.0software,includingnewfeatures
introduced,workaroundsforopenissues,andissuesthatareaddressedinthePANOS7.0release.For
installation,upgrade,anddowngradeinstructions,refertothePANOS7.0NewFeaturesGuide.Forthe
latestversionofthesereleasenotes,refertothePaloAltoNetworkstechnicaldocumentationportal.
ThePanoramacertificateusedtoauthenticatePanoramatofirewallcommunicationexpiresonJune16,2017.
ReviewthemostcurrentinformationabouthowtomakesureyoucancontinueusingPanoramatomanage
firewallsandtoaggregatefirewalllogsonLogCollectorsafterJune16,2017:
https://live.paloaltonetworks.com/t5/GeneralTopics/PanoramaCertificateExpirationonJune162017/mp
/150948/threadid/50050.(Physicalandvirtualfirewalls,WF500appliances,andM500appliancesrunningin
PANDBmodedonotrequireanyaction.)
PANOS7.0ReleaseInformation ....................................... 3
FeaturesIntroducedinPANOS7.0 .................................................. 4
ManagementFeatures .......................................................... 5
PanoramaFeatures ............................................................. 7
WildFireFeatures............................................................... 8
ContentInspectionFeatures....................................................10
AuthenticationFeatures ........................................................11
DecryptionFeatures ...........................................................12
UserIDFeatures..............................................................12
VirtualizationFeatures .........................................................12
NetworkingFeatures...........................................................13
PolicyFeatures ................................................................15
VPNFeatures.................................................................15
GlobalProtectFeatures .........................................................16
LicensingFeatures .............................................................17
ChangestoDefaultBehavior .......................................................18
AuthenticationChanges........................................................18
GlobalProtectChanges.........................................................19
ManagementChanges..........................................................19
PanoramaChanges ............................................................20
ThreatPreventionChanges.....................................................20
WildFireChanges ..............................................................21
CLIChangesinPANOS7.0 ........................................................22
XMLAPIChangesinPANOS7.0 ...................................................25
AssociatedSoftwareVersions.......................................................26
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 1
TableofContents
KnownIssues ..................................................................... 27
PANOS7.0.15AddressedIssues......................................39
PANOS7.0.9AddressedIssues .......................................57
PANOS7.0.5h2AddressedIssues....................................75
PANOS7.0.1AddressedIssues ..................................... 105
GettingHelp....................................................... 115
RelatedDocumentation........................................................115
RequestingSupport ...........................................................116
2 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0ReleaseInformation
FeaturesIntroducedinPANOS7.0
ChangestoDefaultBehavior
CLIChangesinPANOS7.0
XMLAPIChangesinPANOS7.0
AssociatedSoftwareVersions
ThePanoramacertificateusedtoauthenticatePanoramatofirewallcommunicationexpiresonJune16,2017.
ReviewthemostcurrentinformationabouthowtomakesureyoucancontinueusingPanoramatomanage
firewallsandtoaggregatefirewalllogsonLogCollectorsafterJune16,2017:
https://live.paloaltonetworks.com/t5/GeneralTopics/PanoramaCertificateExpirationonJune162017/mp
/150948/threadid/50050.(Physicalandvirtualfirewalls,WF500appliances,andM500appliancesrunningin
PANDBmodedonotrequireanyaction.)
KnownIssues
PANOS7.0.15AddressedIssues
PANOS7.0.5h2AddressedIssues
GettingHelp
FeaturesIntroducedinPANOS7.0 PANOS7.0ReleaseInformation
FeaturesIntroducedinPANOS7.0
ThefollowingtopicsdescribethenewfeaturesintroducedinPANOS7.0releases,whichrequirecontent
releaseversion497oralaterversion.Forupgradeanddowngradeconsiderationsandforspecific
informationabouttheupgradepathforafirewall,refertotheUpgradesectionofthePANOS7.0New
FeaturesGuide.Thenewfeaturesguidealsoprovidesadditionalinformationabouthowtousethenew
featuresinthisrelease.
ManagementFeatures
PanoramaFeatures
WildFireFeatures
ContentInspectionFeatures
AuthenticationFeatures
DecryptionFeatures
UserIDFeatures
VirtualizationFeatures
NetworkingFeatures
PolicyFeatures
VPNFeatures
GlobalProtectFeatures
LicensingFeatures
PANOS7.0ReleaseInformation FeaturesIntroducedinPANOS7.0
ManagementFeatures
NewManagement Description
Feature
All New Application TheACCisredesignedtoprovideimprovedvisibilityintonetworktrafficandactionable

Command Center (ACC) informationonthreats.Thenewlayoutincludesatabbedviewofnetworkactivity,threat
activity,andblockedactivityandeachtabincludespertinentwidgetsforbetter
visualizationoftrafficpatternsonyournetwork.Forapersonalizedviewofyournetwork,
youcanalsoaddacustomtabandincludewidgetsthatallowyoutodrilldownintothe
informationthatismostimportanttoyou.
Automated Correlation Thenewautomatedcorrelationengineisananalyticstoolthatdetectssecurityeventson

Engine yournetwork.Itcollectsisolatedeventsacrossmultiplelogtypesonthefirewall,queries
thedataforspecificpatterns,andcorrelatesnetworkeventstoidentifyactionable
informationsuchashostbasedactivitiesthatindicateacompromisedhost.
TheautomatedcorrelationengineincludescorrelationobjectsthataredefinedbythePalo
AltoNetworksMalwareResearchteam.Theseobjectsidentifysuspicioustrafficpatterns
orasequenceofeventsthatindicateamaliciousoutcome;somecorrelationobjectscan
identifydynamicpatternsthathavebeenobservedfrommalwaresamplesinWildFire.
Correlationobjectstriggercorrelationeventswhentheymatchontrafficpatternsand
networkartifactsthatindicateacompromisedhostonyournetwork.Thus,correlated
eventsprovideactionableintelligencethatyoucanusetoremediateincidents,mitigate
risks,andsecureyournetwork.YoucanviewthecorrelatedeventlogsintheMonitortab
orseeagraphicaldisplayintheCompromisedHostswidgetontheThreatActivitytabof
theACC.TheautomatedcorrelationengineissupportedonPA3000Series,PA5000
Series,PA7000Seriesplatforms,andonPanorama.
Newcorrelationobjectswillbedeliveredwiththeweeklycontentupdates.Toobtainnew
correlationobjects,thefirewallmusthaveaThreatPreventionlicense;Panoramarequires
asupportlicenseforgettingthecorrelationobjectswiththeweeklycontentupdates.
Global Find TomakethemanagementofyourPaloAltoNetworksdevicesmoreefficient,anewglobal

findfeatureisintroducedtoenableyoutosearchtheentireconfigurationofaPANOSor
Panoramawebinterfaceforaparticularstring,suchasanIPaddress,objectname,policy
name,threatID,orapplicationname.Thesearchresultsaregroupedbycategoryand
providelinkstotheconfigurationlocationinthewebinterface,sothatyoucanquicklyand
easilyfindalloftheplaceswherethestringisreferenced.Forexample,ifyoutemporarily
deniedanapplicationthatisdefinedinmultiplesecuritypolicyrulesandyounowwantto
allowthatapplication,youcansearchontheapplicationnameandquicklylocateall
referencedpolicestochangetheactionbacktoallow.
Tag Browser Thetagbrowserintroducesawaytoviewallthetagsusedwithinarulebase.Inrulebases

withalargenumberofrules,thetagbrowsersimplifiesthedisplaybypresentingthetags,
thecolorcode,andtherulenumbersinwhichthetagsareused;italsoallowsyoutogroup
rulesusingthefirsttagappliedtotherule.Youcan,forexample,filterrulesbythefirsttag
appliedandviewtherulesgroupedbyahighlevelfunctionsuchasinternetaccessordata
centeraccess.Inthisgroupedruleview,ifyouidentifygapsincoverage,thetagbrowser
allowsyoutomoverulesoraddnewruleswithintherulebase.
Configuration Validation TheoptiontovalidateaPANOSorPanoramacandidateconfigurationbeforeyoucommit

Improvements (todeterminewhetheryourrecentchangeswillcommitsuccessfully)isenhancedtodo
syntacticandsemanticvalidationoftheconfiguration.Itthendisplaysthesameerrorsand
warningsaswoulddisplayforafullcommitorvirtualsystemcommit,suchasrule
shadowingorapplicationdependencywarnings,orerrorsindicatinganinvalidroute
destinationoramissingaccount/passwordtoqueryaserver.
Feature
Move and Clone Youcannowmoveorclonepoliciesandobjectstoadifferentdevicegrouporvirtual

Policies, Objects, and system.Thissavesyoutheeffortofdeleting,recreating,orrenamingtheseitemswhen
Templates onlyamoveorcopyisneeded.YoucanalsoclonetemplatesandTemplateStacks.
Extended SNMP Support ExtendedSNMPsupportincludes:

GlobalcountersforDenialofService(DoS),IPfragmentation,TCPstate,anddropped
packets,bywhichtomonitorthehealthandsecurityofyourdevicesandnetwork.
Previously,youhadtousetheCLIorXMLAPItomonitorglobalcounters.
SNMPInterfaceMIBforLogicalInterfacesThePANOSimplementationofthe
interfacesandIfMIBhasbeenextendedtosupportalllogicalinterfacesonthefirewall,
includingtunnels,aggregategroups,L2subinterfaces,L3subinterfaces,loopback
interfaces,andVLANinterfaces.ThisisinadditiontotheSNMPInterfaceMIBsupport
onphysicalinterfaces.Inaddition,theVPNtunnelstatuscannowbemonitored.
LLDPV2MIBInformationtransmittedandreceivedfromneighborsusingLinkLayer
DiscoveryProtocol(LLDP)isstoredforSNMPaccess.AllMIBobjectsunderthe
standardLLDPMIBdefinitionsaresupported.Neighborentriesareagedoutwhentheir
TTLvaluecontainedinthereceivedLLDPmessagereacheszero.
SaaS Application Usage AnewpredefinedreportisintroducedtoprovidevisibilityintoSoftwareasaService

Report (SaaS)applicationusage,enablingyoutoassessandsubsequentlymitigatetherisksto
yourenterprise'sdatawhentakingadvantageofSaaSapplications.Thereportwillalso
helptoassessriskstothesecurityofyourenterprisenetwork,suchasthedeliveryof
malwarethroughSaaSapplicationsadoptedbyyourusers.
Policy Impact Review for Beforeinstallinganewcontentrelease,youcannowreviewthepolicyimpactfornew

New Content Releases AppIDsandstageanynecessarypolicyupdates.Thisenablesyoutoassessthe
treatmentanapplicationreceivesbothbeforeandafterthenewcontentisinstalledand
thenpreparepolicyupdatestotakeeffectatthesametimethatthecontentupdateis
installed.Thisfeaturespecificallyincludesthecapabilitytomodifyexistingsecurity
policiesusingthenewAppIDscontainedinadownloadedcontentrelease(priorto
installingthenewcontent).Youcanthensimultaneouslyupdateyoursecuritypolicyrules
andinstallnewcontent,allowingforaseamlessshiftinpolicyenforcement.Youcanalso
choosetodisablenewAppIDswheninstallinganewcontentreleaseversion;thisenables
protectionagainstthelatestthreats,whilegivingyoutheflexibilitytoenablethenew
AppIDsafteryou'vehadthechancetoprepareanypolicychanges.
Security Profile and Thesecurityprofilecapacitiesandnumberofaddressobjectsperaddressgrouphavebeen

Address Objects Per increasedasfollows:
Address Group Capacity SecurityProfileCapacityincreasedonallplatformsbyapproximately50%forthe
Increase followingsecurityprofiles:Antivirus,AntiSpyware,VulnerabilityProtection,URL
Filtering,FileBlocking,WildFireAnalysis,DataFiltering,andDecryption.Forexample,
thePA7050firewallsupported500securityprofilesinPANOS6.1,andnowsupports
750profilesinPANOS7.0.
AddressobjectsperaddressgroupIncreasedfrom500to2500forallplatforms.
Fordetailsonplatformcapacities,referto
https://www.paloaltonetworks.com/products/productselection.html.
Virtual System/Device Youcannowvieworsearchlogsorcreateareportbasedonvirtualsystemnamesand

Name in Reports and devicenames,whicharemoreuserfriendlyattributestousethanvirtualsystemIDsand
Logs deviceserialnumbers.Nowyoudonotneedtomanuallymapavirtualsystemnametoits
IDormapadevicenametoitsserialnumber,tovieworsearchlogsorcreatereports.
VirtualSystemNameandDeviceNameareaddedasavailableattributestoPANOSand
Panoramareportsandlogs.
Feature
Time-Based Log and Youcannowconfigureautomaticdeletionoflogsandreportsbasedontimeinsteadof

Report Deletion justonspacequotas.Thisisusefulindeploymentswhereperiodicallydeletingmonitored
dataisdesiredornecessary.Forexample,deletinguserdataafteracertainperiodmight
bemandatoryinyourorganizationforlegalreasons.
Software Upload Devicesnowdisplaydetailsaboutuploadedsoftwareupdatesthatenableyoutocheck,

Improvements beforeinstallinganupdate,thatitistheintendedone.Installinguploadedsoftwarenow
involvesfewersteps,whichmakesdeploymenteasierwhenadevicedoesnothave
externalnetworkaccess.
PanoramaFeatures
NewPanoramaFeature Description
Device Group Hierarchy Youcannowcreatenesteddevicegroupsinatreehierarchywithlowerlevelgroups

inheritingthesettingsofhigherlevelgroups.Thisenablesyoutoorganizedevicesbased
onfunctionandlocationwithoutredundantconfiguration.Forexample,youcould
configureSharedsettingsthatareglobaltoallfirewalls,configuredevicegroupswith
functionspecificsettingsatthefirstlevel,andconfiguredevicegroupswith
locationspecificsettingsatsubsequentlevels.Withoutahierarchy,youwouldhaveto
configurebothfunctionandlocationspecificsettingsforeverydevicegroupinasingle
levelunderShared.CombinedwiththeRoleBasedAccessControlEnhancementsinthis
release,ahierarchyalsoenablesyoutocontroladministratoraccesstodataaccordingto
areas/levelsofresponsibility.
Template Stacks Youcannowdefineatemplatestack,whichisacombinationoftemplates.Byassigning

firewallstoastack,youcanpushallthenecessarysettingstothemwithoutthe
redundancyofaddingeverysettingtoeverytemplate.Forexample,youcouldassignthe
firewallsinaCaliforniadatacentertoastackthathasonetemplatewithglobalsettings,
onetemplatewithCaliforniaspecificsettings,andonetemplatewithdatacenterspecific
settings.TomanagefirewallsinaCaliforniabranchoffice,youcouldthenreusetheglobal
andCaliforniaspecifictemplatesbyaddingthemtoanotherstackthatincludesatemplate
withbranchspecificsettings.
Role-Based Access Youcannowassociateeachaccessdomainwithanadministratorroletoenforcethe

Control Enhancements separationofinformationamongthefunctionalorregionalareasofyourorganization.You
canassignmultipleaccessdomain/rolepairstoanadministrator(localorexternal),who
canthenfilterthePanoramawebinterfacetodisplayonlyinformationthatisrelevantto
aparticulardomain.Forcustomroles,youcanalsodefinefeaturespecificaccessto
firewalls(throughcontextswitching)separatelyfromPanoramaaccess,andprovide
additionalaccesstologsandreports,sothatadministratorscanhaveabroaderrangeof
responsibilities.
Firewall Configuration YoucannowimportfirewallconfigurationsintoPanoramainsteadofrecreatingthem.

Import into Panorama PanoramaprovidestheoptiontoimportobjectsfromSharedonthefirewallintoShared
inPanorama,andimportotherobjects,policies,andsettingsintonewdevicegroupsand
templates.Aftertheimport,youcanMoveandClonePolicies,Objects,andTemplatesto
differentdevicegroups.
NewPanoramaFeature Description
Panorama Support for Panoramanowsupportsmuchlargerconfigurationfiles,whichenableyoutoaddmore

Larger Configuration informationandgreatercomplexitytoindividualdevicegroups,templates,andother
Files configurationswithoutaffectingsystemperformanceorstability.Panoramaalsosupports
ahighernumberofconcurrent,activeadministrators.
Log Redundancy Within YoucannowenablelogduplicationforaCollectorGroupsothateachlogwillhavetwo

a Collector Group copiesandeachcopywillresideonadifferentLogCollector.Thisredundancyensures
that,ifanyoneLogCollectorbecomesunavailable,nologsarelost:youcanstilldisplayall
thelogsforwardedtotheCollectorGroupandrunreportsforallthelogdata.
Firewall HA State in ThePanoramawebinterfacenowdisplaysthehighavailabilitystateoffirewalls(for

Panorama example,activeorpassive)inplaceswhereknowingthatstateisuseful.Forexample,the
ContextdropdownnowdisplaysHAstatesothatyoucanswitchcontexttothe
activeprimaryfirewallwhenyouneedtochangethefirewallconfiguration.
Scheduled Updates for InPANOS7.0.3andlaterreleases,youcanscheduleAntivirus,WildFire,andURL

Antivirus, WildFire, and Filtering(BrightCloudonly)updatesforLogCollectorsusingthePanoramawebinterface
URL Filtering on Log (Panorama > Device Deployment>Dynamic Updates>Schedules)ortheCLI.For
Collectors reportingconsistency,configurescheduledcontentupdatesforalllogcollectorstoensure
theystayinsync.
WildFireFeatures
NewWildFireFeatures Description
Grayware Verdict TheWildFiregraywareverdictisintroducedtoclearlyidentifyexecutablesthatbehave

similarlytomalwarebutarenotmaliciousinnatureorintent.Agraywareverdictmightbe
assignedtoexecutablesthatdonotposeadirectsecuritythreatbutdisplayotherwise
obtrusivebehavior(forexample,installingunwantedsoftware,changingvarioussystem
settings,orreducingsystemperformance).Examplesofgraywaresoftwaretypically
includeadware,spyware,andBrowserHelperObjects(BHOs).Thegraywareverdict
allowsthesecurityrespondertoquicklydistinguishmaliciousfilesonthenetworkfrom
graywareandtoprioritizeaccordingly.Whileantivirussignaturesarenotgeneratedfor
grayware,WildFirelogscancontinuetoalertthesecurityrespondertoendpoints
downloadinggraywaresotherespondercanassesswhethersucheventsareconcerning.
NewWildFireFeatures Description
WildFire Hybrid Cloud EnableaWildFirehybridclouddeploymentsothatasinglefirewallcanforwardunknown

samples(filesoremaillinks)toeitheraWF500applianceortheWildFirepubliccloud,
dependingonthesample.Thisfeatureallowstheflexibilitytoanalyzeprivatedocuments
insidethenetwork,whilefilessourcedfromtheinternetcanbeanalyzedbytheWildFire
publiccloud.Forexample,PaymentCardIndustry(PCI)andProtectedHealthInformation
(PHI)datacanbeexclusivelyforwardedtotheWF500applianceforprivatecloud
analysisandlesssensitivefiles,suchasPortableExecutables(PEs),canbeforwardedto
theWildFirepubliccloud.Whenpossible,offloadingfilestotheWildFirepubliccloud
allowsyoutobenefitfromapromptverdictforfilesthathavebeenpreviouslyprocessed
bythepubliccloudandalsofreesupWF500appliancecapacitytoprocesssensitive
content.Additionally,inaWildFirehybridclouddeployment,youcanusetheWildFire
publiccloudtoanalyzefiletypesthatarenotcurrentlysupportedforWF500appliance
analysis,suchasAndroidApplicationPackage(APK)files.
ThisfeaturealsointroducestheWildFireAnalysisprofile,tobeusedinplaceofthefile
blockingprofiletoforwardsamplesforWildFireanalysis.ExistingFileBlockingprofile
ruleswiththeactionsettoforwardorcontinue and forwardaremigratedtothenew
WildFireAnalysisprofile.ForeachWildFireanalysisprofilerule,definetraffictoforward
toeithertheWildFireprivatecloudortheWildFirepubliccloudbasedonfiletype,
application,orfiletransferdirection(uploadordownload).
WildFire Appliance TheWildFireappliancecannowlocallygenerateantivirussignaturesformaliciousJava

Support for Java files(.jarand.class),sothatmaliciousJavafilesdetectedbytheWildFireapplianceno
Antivirus Signatures longerhavetobeforwardedtotheWildFireCloudforsignaturegeneration.
WildFire Appliance ThefirewallcannowextractHTTP/HTTPSlinkscontainedinSMTPandPOP3email

Support for Email Link messagesandforwardthelinkstotheWildFireapplianceforanalysis(thisfeaturewas
Analysis supportedonlyfortheWildFirepubliccloudinPANOS6.1).Enablethisfunctionalityby
configuringthefirewalltoforwardtheemaillinkfiletype(Objects>Security Profiles>
WildFire Analysis).Notethatthefirewallonlyextractslinksandassociatedsession
information(sender,recipient,andsubject)fromtheemailmessagesthattraversethe
firewall;itdoesnotreceive,store,forward,orviewtheemailmessage.
Afterreceivinganemaillinkfromafirewall,theWildFireappliancevisitsthelinkto
determineifthecorrespondingwebpagehostsanyexploits.Ifitdetectsmalicious
behavioronthepage,itreturnsamaliciousverdictand:
GeneratesadetailedanalysisreportandlogsittotheWildFireSubmissionslogonthe
firewallthatforwardedthelinks.
CategorizestheURLasmalwareandgeneratesanddistributesasignaturetoconnected
firewallstoallowthemtoidentifyandblockthemalware.
Ifthelinkcorrespondstoafiledownload,theWildFireappliancedoesnotanalyzethefile.
However,thefirewallwillforwardthecorrespondingfiletotheWildFireappliancefor
analysisiftheenduserclicksthelinktodownloaditaslongasthecorrespondingfiletype
isenabledforforwarding.
TheWildFireappliancedoesnotsendalogtothefirewallifitdeterminesalinktobe
benignorgraywareevenifyouenabledloggingofbenignorgraywarefilesbecauseof
thelargenumberoflogsthiswouldgenerate.
ContentInspectionFeatures
NewContentInspection Description
Features
Configurable Drop TheVulnerabilityProtection,AntiSpyware,andAntivirusprofilesincludenewactionsto

Actions in Security droporresetconnections.Inadditiontotheallow/alert/blockactionswithinthesecurity
Profiles profile,youcannowgranularlydefinehowtodroporresetconnectionswhenthefirewall
detectsathreat.Forexample,tosecuretheMicrosoftwebserversonyournetwork,you
cancreatearuleintheVulnerabilityProtectionprofilewithanactiontoeitherdropthe
trafficandsendaresetonlytotheserverordropthetrafficandblocktheoffendingclient
IPaddressfromcreatingnewconnectionsforaspecifiedtimeinterval.
Increased Inspection Thefirewallnowidentifiesandinspectsfilesthathavebeenencodedorcompressedupto

Depth for Multi-Level fourtimes,wherepreviouslythefirewallsupportedonlytwolevelsofdecoding.Multiple
Compression and levelsofcompressionandencodingarefrequentlyintroducedtofilesbasedonthefile
Encoding formatandtheapplicationusedforfiletransfer.Forexample,aMicrosoftOfficeOpen
XMLfile(.docx)thatiscompressed(.zip)andissentasanemailattachmenthasthreelevels
ofencoding:theOOXMLformatisonelevelofencoding,thecompressionofthefileto
theZIPformatisthesecondlevelofencoding,andthethirdlevelofencodingisadded
whentheemailattachmentisembeddedusingBase64.Inthiscase,thefirewallnow
decodesthefile,correctlyidentifiesitasaMicrosoftWorddocument,andperforms
policyenforcementincludingfileblocking,threatinspection,andWildFireanalysis.
Blocking of Encoded Anewfiletypeclassification,MultiLevelEncoding,cannowbeusedtologorblock

Content contentthathasbeencompressedorotherwiseencodedtoahighdegree.Asthefirewall
cannowdecodeandinspectuptofourlevelsofencoding(seeIncreasedInspectionDepth
forMultiLevelCompressionandEncoding),thenewclassificationcanbeusedtoblock
filesthathavebeenencodedfivetimesormore.Multiplelevelsofencodingcanbeused
asanevasiontechniquetocircumventsecuritydevices;usingtheMultiLevelEncoding
filetypetoperformfileblockingensuresthatunidentifiedfilesthathavenotbeen
processedforthreatsarenotpassedthroughthefirewall.
Negate Operator for AnewNegateoperatorisnowavailablewhencreatingcustomvulnerabilityorspyware

Custom Threat signatures.TheNegateoperatorcanbeusedtoensurethatthevulnerabilityorspyware
Signatures signatureisnottriggeredundercertainconditions.Forexample,createacustomsignature
totriggerwhenaUniformResourceIdentifier(URI)patternismatchedtotrafficbutonly
whentheHTTPrefererfieldisnotequaltoacertainvalue.Acustomsignaturemust
includeatleastonepositiveconditionforanegatedconditiontobespecified.
PAN-DB Private Cloud IfthesecurityandcompliancerequirementsinyourenterpriseprohibitthePaloAlto

Networksnextgenerationfirewallsfromdirectlyaccessingtheinternetforperforming
URLlookups,youcandeployaPANDBprivatecloud.Toprotectusersfrommalwareand
undesirablewebcontent,thefirewallscanquerythePANDBprivateclouddeployed
withinyournetworkinsteadofaccessingthePANDBpubliccloud.ThePANDBprivate
cloudsolutionensuresinformationprivacyanddoesnotsendanydataoranalyticstothe
publiccloud.
AuthenticationFeatures
NewAuthentication Description
Features
Authentication and Theworkflowtoconfigureauthenticationserversandprofilesisnowmoreintuitiveand

Authorization consistent.YoucanalsoenableGlobalProtectclientstosendRADIUSvendorspecific
Enhancements attributestoRADIUSserverssothatRADIUSadministratorscanmakepolicydecisions
basedonthoseattributes.Forexample,RADIUSadministratorsmightusetheclient
operatingsystemattributetodefineapolicythatmandatesregularpassword
authenticationforMicrosoftWindowsusersandonetimepassword(OTP)authentication
forGoogleAndroidusers.
SSL/TLS Service Profiles YoucannowassignSSL/TLSserviceprofilestodeviceservicesthatuseSSL/TLS,including

CaptivePortal,managementtrafficaccessusingthewebinterfaceorXMLAPI,theURL
AdminOverridefeature,theUserIDSysloglisteningservice,andyoucanassignprofiles
toGlobalProtectportalsandgateways.SSL/TLSserviceprofilesspecifyacertificateand
theallowedprotocolversionorrangeofversions(nowincludingTLSv1.2).Bydefiningthe
protocolversions,theprofilesenableyoutorestricttheciphersuitesthatareavailableto
securecommunicationwithenpointsthatarerequestingtheservices.Thisimproves
networksecuritybyallowingyoutoconfigureendpointstoavoidSSL/TLSversionsthat
haveknownweaknesses.
TACACS+ DevicesnowsupporttheTerminalAccessControllerAccessControlSystemPlus
Authentication (TACACS+)protocolforauthenticatingadministrativeusers.TACACS+providesgreater
securitythanRADIUSinsofarasitencryptsusernamesandpasswords(insteadofjust
passwords)andisalsomorereliable(usesTCPinsteadofUDP).
Kerberos Single Sign-on DevicesnowsupportKerberosV5singlesignon(SSO)foradministratorauthentication

andCaptivePortalauthentication.Singlesignonminimizesthenumberofloginsrequiring
userinputwhileensuringsecurityforwebservices.
Suite B Cryptography YoucannowuseSuiteBcipherstoauthenticateadministrators,tosecuresitetosite

Support VPN,andtosecureGlobalProtectremoteaccessandlargescaleVPN(LSVPN).Tosecure
theVPNtunnelsbetweenGlobalProtectLSVPNgatewaysandendpointdevices,thelatter
mustrunGlobalProtectclientagent2.2oralaterrelease.ThenewGlobalProtectIPSec
CryptoprofilesupportsSuiteBencryptionalgorithms(andotheralgorithms)forLSVPN.
Youcanuseellipticcurve(ECDSA)certificatesforadministratorandGlobalProtect
authentication.SuiteBsupportenablesyoutomeetU.S.federalnetworksecurity
standards.
Authentication Server YoucannowtestanauthenticationprofiletodetermineifyourfirewallorPanorama

Connectivity Testing managementservercancommunicatewithabackendauthenticationserverandifthe
authenticationrequestwassuccessful.Youcanperformauthenticationtestsonthe
candidateconfiguration,sothatyouknowtheconfigurationiscorrectbeforecommitting.
Authenticationserverconnectivitytestingissupportedforlocaldatabase,RADIUS,
TACACS+,LDAP,andKerberosauthentication.
DecryptionFeatures
NewDecryptionFeatures Description
SSL Decryption WhenusingSSLdecryptiontoinspectandenforcesecurityrulesforconnections

Enhancements betweenclientsanddestinationservers,enablethefollowingnewoptionsas
increasedsecuritymeasures:
Enforcetheuseofstrongciphersuites.Thisincludessupporttospecifically
enforcetheuseofAES128GCMandAES256GCMciphers.
Enforcetheuseofminimumandmaximumprotocolversions.
Enforcecertificatevalidationonaperpolicybasis(wherepreviously,certificate
validationwasperformedatthedevicelevel).
DefinetrafficthatyouwanttobedecryptedbasedonTCPportnumbers.This
enablesyoutoapplydifferentdecryptionpoliciestoasingleserver'straffic;traffic
beingtransmittedusingdifferentprotocolscanreceivedifferenttreatment.
Enforcevalidcertificatesandtrustedissuesfortrafficthatisnotdecrypted,with
theoptionstoterminateanSSLsessioniftheservercertificateisexpiredorifthe
servercertificateissueisuntrusted.
UserIDFeatures
NewUserIDFeature Description
User Attribution Based YoucannowconfigureUserIDtoreaduserIPaddressesfromtheXForwardedFor(XFF)

on X-Forwarded-For headerinclientrequestsforwebserviceswhenthefirewallisdeployedbetweenthe
Headers internetandaproxyserverthatwouldotherwisehidetheuserIPaddresses.UserID
matchestheIPaddresseswithusernamesthatyourpoliciesreferencesothatthose
policiescancontrolandlogaccessfortheassociatedusersandgroups.
Custom Groups Based YoucannowdefinecustomgroupsbasedonLDAPfilterssothatyoucanbasefirewall

on LDAP Filters policiesonuserattributesthatdonotmatchexistingusergroupsinanLDAPbased
servicesuchasActiveDirectory(AD).Definingcustomgroupscanbequickerthan
creatingnewgroupsorchangingexistingonesontheLDAPserveranddoesnotrequire
anLDAPadministratortointervene.
VirtualizationFeatures
NewVirtualization Description
Feature
Support for High TheVMSeriesfirewallonESXi,Xen(onSDX),andKVMnowsupportsboth

Availability on the Active/PassiveHAandActive/ActiveHAwithsessionsynchronization.TheVMSeriesin
VM-Series Firewall AmazonWebServices(AWS)supportsActive/PassiveHAonly.
InanHAconfiguration,youmustdeploybothpeersonthesametypeofhypervisor,have
identicalhardwareresourcesassignedtothem,andhavethesamesetoflicensesand
subscriptions.
NewVirtualization Description
Feature
Support for Jumbo TheVMSeriesfirewallcannowsupportjumboframes,whichareEthernetpacketslarger

Frames than1,500bytes.Likewithhardwarebasedfirewalls,whenyouenablejumboframeson
aVMSeriesfirewall,thedefaultMaximumTransmissionUnit(MTU)sizeforallLayer 3
interfacesissetto9,192bytes;theMTUcanrangebetween512and9,216bytes.You
canoverridetheglobalMTUandconfigureanexplicitvaluebetween512and9,216bytes
onaperinterfacebasis.
Support for Hypervisor TheVMSeriesfirewallsupportstheabilitytodetecttheMACaddressassignedtothe

Assigned MAC Address physicalinterfacebythehost/hypervisorandusethatMACaddressontheinterfaces
assignedtotheVMSeriesfirewall. InLayer3deployments,thiscapabilityallowsa
vSwitchtoforwardtraffictothecorrectinterfaceonthefirewallwithoutrequiringthat
promiscuousmodebeenabledonthevSwitch.HypervisorassignedMACaddressesare
alsosupportedonPCIpassthroughandSRIOVcapablenetworkadapters.
ForlicensingfeaturesontheVMSeriesfirewall,seeLicensingFeatures.
NetworkingFeatures
NewNetworkingFeature Description
ECMP ThefirewallnowsupportsEqualCostMultipath(ECMP).EnableECMPfortheforwarding
tabletohaveuptofourequalcostpathstoasingledestination,whichallowsyoutoload
balancetraffic,usemoreoftheavailablebandwidth,andhavetrafficdynamicallyshiftto
anotherECMPmemberifonepathfails.Youcanchooseoneofseveralloadbalancing
algorithmstodeterminewhichequalcostpathavirtualrouterusesforanewsessionto
thedestination.
DHCP Options AfirewallconfiguredasaDHCPservercannowsendafullrangeofDHCPoptionsto

clients,includingvendorspecificandcustomizedoptionsthatsupportawidevarietyof
officeequipment,suchasIPphonesandwirelessinfrastructuredevices.Eachoptioncode
supportsmultiplevalues,whichcanbeIPaddresses,ASCIItext,orhexadecimalvalues.
WiththeenhancedDHCPoptionsupportenabledonthefirewall,branchoffice
administratorsdonotneedtopurchaseandmanagetheirownDHCPserverstoprovide
vendorspecificandcustomizedoptionstoDHCPclients.
Granular Actions for Whenyouconfigurethefirewalltoblocktraffic,thefirewalleitherresetstheconnection

Blocking Traffic in orsilentlydropspackets.Whenthefirewallsilentlydropspackets,itcausessome
Security Policy applicationstobreakandappearunresponsivetotheuser.Newactionstogracefullyblock
trafficprovideabetteruserexperience.Thenewactionsavailableare:
Droptrafficsilentlyand,optionally,sendanICMPUnreachableresponsetotheuser.
Blocktrafficand,automatically,usethedenyactionpredefinedfortheapplication.You
canviewthepredefineddenyactionforanapplicationinApplipedia.
ResettheconnectionwithaTCPresetontheclientsideconnection,ontheserverside
connection,orbothsidesoftheconnection.
ThesenewactionswillbeloggedintheTrafficlogsandareavailableforlogqueries.
Session-Based DSCP DifferentiatedServicesCodePoint(DSCP)classificationisusedtoindicatethelevelof

Classification servicerequestedfortraffic,suchashighpriorityorbesteffortdelivery.Setup
sessionbasedDSCPclassificationtoenablethefirewalltohonortheserviceclass
requestedfortrafficandtomarkasessiontoreceiveprioritytreatment.Sessionbased
DSCPextendsthepowerofQualityofService(QoS),whichpolicestrafficasitpasses
throughthefirewall,byallowingallnetworkdevicesbetweenthefirewallandtheclientto
alsopolicetrafficbasedontheDSCPvalueforthetraffic.Forexample,inboundreturn
trafficfromanexternalservercannowbetreatedwiththesameprioritythatthefirewall
initiallyenforcedfortheoutboundflow.Networkdevicesintermediatetothefirewalland
enduserwillalsothenenforcethesamepriorityforthereturntraffic.
QoS on Aggregate YoucannowenableQoSonAEinterfacesconfiguredonPA7000Series,PA5000Series,

Ethernet (AE) Interfaces PA3000Series,PA2000Series,andPA500platforms.AnAEinterfaceistwoormore
interfaceslinkedtogetherforcombinedbandwidthandlinkredundancy.WhenusingAE
interfacestoscaleyournetwork,enableQoSonanAEinterfacetoprioritize,allocate,and
guaranteetheincreasedbandwidthsupportedontheAEinterface.
SupportforQoSonAEinterfacesonPA7050firewallsbeganinPANOS6.0.
Improved Performance IndeploymentswhereasingleVPNtunnelissetupbetweenaPaloAltoNetworksfirewall

for a Single VPN Tunnel andanotherIPSecVPNdeviceandwherethattunnelsupportsmultiplesessions,the
firewallcannowusemultipleCPUcores(simultaneously)todecrypttraffic.Whenthe
volumeofVPNtrafficishigh,thisenhancementminimizeslatencyandimproves
performance.
Per-Virtual System ThesourceinterfaceandsourceIPaddressofserviceroutescannowbeconfiguredfor

Service Routes individualvirtualsystems,inadditiontotheglobalconfigurationofserviceroutes.
Pervirtualsystemserviceroutesprovidetheflexibilitytocustomizeserviceroutesfor
numeroustenantsordepartmentsonasinglefirewall.Anyvirtualsystemthatdoesnot
haveaservicerouteconfiguredtoaccessaparticularexternalserviceinheritsthesource
interfaceandsourceIPaddressthataresetgloballyforthatservice.ThePA7000Series
firewallsuseLogProcessingCard(LPC)subinterfacestoseparatetheloggingservicesfor
eachvirtualsystem.PriortoPANOS7.0,eachserviceroutetoaservicewasconfigured
globallyandappliedtotheentirefirewall.
LLDP YoucannowconfigureLinkLayerDiscoveryProtocol(LLDP)toenablethefirewallto
automaticallydiscoverneighboringdevicesandtheircapabilitiesatthelinklayer.LLDP
allowsthefirewalltosendandreceiveEthernetframescontainingLLDPdataunitstoand
fromneighbors.ThereceivingdevicestorestheinformationinaMIB,whichcanbe
accessedbySNMP.LLDPenablesnetworkdevicestolearnthecapabilitiesofthe
connecteddevicesandcanbeusedtomapnetworktopology.Thismakestroubleshooting
easier,especiallyforvirtualwiredeploymentswherethefirewallwouldtypicallygo
undetectedbyapingortraceroute.
NPTv6 YoucannowenableIPv6toIPv6NetworkPrefixTranslation(NPTv6)onthefirewallto
performastateless,statictranslationofoneIPv6prefixtoanotherIPv6prefix(port
numbersarenotchanged).OnebenefitofNPTv6isthepreventionofasymmetrical
routingproblemsthatresultfromproviderindependentaddressesbeingadvertisedfrom
multipledatacenters.NPTv6allowsmorespecificroutestobeadvertisedsothatreturn
trafficarrivesatthesamefirewallthattransmittedthetraffic.Anotherbenefitisthe
independenceofprivateandpublicaddresses;youcanchangeonewithoutaffectingthe
other.AthirdbenefitofNPTv6istheabilitytotranslateuniquelocaladdresses(ULAs)to
globallyroutableaddresses.
TCP Split Handshake PaloAltoNetworksfirewallsbydefaultcorrectlysecureTCPsessions,whethertheyuse

Drop awellknown3wayhandshakeoravariation,suchasa4wayor5waysplithandshake
orasimultaneousopen.ThefirewallnowoffersanadditionaloptiontosimplydropaTCP
sessionthattriestousesuchavariationbecauseitispossiblymalicious.
Increased Address InprePANOS7.0releases,youcanresolveamaximumof10IPv4addressesand10IPv6

Resolution per FQDN addresses(foratotalmaximumof20addressobjects)perFQDN.InPANOS7.0andlater
releases,youcannowresolveamaximumof64addresses(32ofeach)perFQDNaddress
object.
ThereisaKnownIssue(PAN59614(98576))wherethenumberofaddressesyou
cansuccessfullyresolveislimitedtoacombinationofaddresstypes(IPv4and
IPv6)thatdoesnotexceedatotalof512B(thecurrentDNSserverresponse
packetsize).
PolicyFeatures
NewPolicyFeature Description
DoS Protection Against InPANOS7.0.2andlaterreleases,youcanconfigureDoSprotectiontobetterblockIP

Flooding of New addressestohandlehighvolumesinglesessionandmultiplesessionattacksmore
Sessions efficiently.Forconfigurationdetails,seeDoSProtectionAgainstFloodingofNew
Sessions.
VPNFeatures
NewVPNFeature Description
IKEv2 Support for VPN SitetositeIPSecVPNisenhancedtosupportinternetKeyExchangeVersion2(IKEv2),

Tunnels inadditiontoIKEv1(theGlobalProtectagentisnotincludedinthisfeaturesupport).
IKEv2:
ExchangesfewermessagesthanIKEv1whensettingupthetunnelendpoints.
Cannegotiatemultiplesetsoftrafficselectorstocontrolwhichtrafficcanaccessthe
tunnel.
Providesalivenesschecktodetermineifapeergatewayandtunnelarestillup.
SupportsNATTraversal.
SupportstheHashandURLcertificateexchange,whichreducesfragmentation.
SupportscookievalidationofaconnectionifathresholdnumberofconcurrentIKESA
sessionsisexceeded,reducingthepotentialforDoSattacks.
IPv6 IPSec VPN Support SitetositeIPSecVPNnowsupportsIPv6sitetositeconnections,whichallowsyouto

establishIKEandIPSecSecurityAssociations(SAs)betweenIPv6gateways.
IPSec VPN Youcannowusethewebinterfacetoenable,disable,restart,orrefreshanIKEgateway

Enhancements oranIPSecVPNtunneltosimplifytroubleshooting.ThisfeatureappliestoIPv4andIPv6
tunnels.
GlobalProtectFeatures
ForinformationaboutnewauthenticationfeaturessupportedonGlobalProtect(SuiteB
cryptographyandSSL/TLSserviceprofiles),seeAuthenticationFeatures.
NewGlobalProtect Description
Feature
Disable Direct Access to Youcannowdisabledirectaccesstolocalnetworkssothatuserscannotsendtrafficto

Local Networks proxiesorlocalresourceswhileconnectedtoaGlobalProtectVPN.Forexample,ifauser
establishesaGlobalProtectVPNtunnelwhileconnectedtoapublichotspotorhotelWiFi
andthisfeatureisenabled,alltrafficisroutedthroughthetunnelandissubjecttopolicy
enforcementbythefirewall.
Static IP Address AnenhancementtotheIPaddressallocationlogicenablestheGlobalProtectgatewayto

Allocation maintainanindexofclientsandIPaddressessothattheendpointautomaticallyreceives
thesameIPaddressforallsubsequentGlobalProtectVPNconnections.Thegateway
continuestoissueIPaddressesinaroundrobinfashionuntilallIPaddressesare
exhausted.ToensurethatanendpointreceivesthesameaddressandtoavoidIPaddress
conflicts,createanIPaddresspoollargeenoughtoaccommodatethenumberof
endpoints.
Alternatively,youcannowconfigureaGlobalProtectgatewaytoassignfixedIPaddresses
usinganexternalauthenticationserver.Thisisusefulwhendownstreamresources,such
asprinters,servers,andapplications,useafixedsourceIPaddress/IPaddresspoolto
allowaccessforaspecificuser,usergroup,orOS.Whenenabled,theGlobalProtect
gatewayallocatestheIPaddresstoconnectingdevicesusingtheFramedIPattribute
fromtheauthenticationserver.
Apply a Gateway Youcannowspecifyoneormoreusersorusergroupsand/orclientoperatingsystemsto

Configuration to Users, whichtoapplyaremoteusertunnelconfiguration.Forexample,byconfiguringdifferent
Groups, and/or IPaddresspoolsandaccessroutesforWindowsbasedclientsorforusersinusergroups
Operating Systems suchasEngineering,youcanensurethateachclientreceivesthecorrectnetworksettings.
Welcome Page TheGlobalProtectclientconfigurationnowincludesasettingtoforcetheWelcomePage

Management todisplayeachtimeauserinitiatesaconnection.Thispreventstheuserfromdismissing
importantinformationsuchastermsandconditionsthatmayberequiredbyyour
organizationtomaintaincompliance.Alternativelyyoucanprovidetheusertheabilityto
dismissseeingtheWelcomepageatsubsequentlogins.
Remote Desktop TheGlobalProtectVPNtunnelfunctionalityhasbeenenhancedtoallowusers,suchasIT

Connection to a Remote HelpDesk,toRDPtoaclientdevicewhenconnectedoverGlobalProtectVPNenabling
Client troubleshootingandsupportforremoteWindowsusers.
Now,whenITHelpDeskpersonnellogintoaclientdevice,theGlobalProtectappcan
detectanewloginwithoutbringingdowntheRDPtunnel.Aftertheadministratorlogs
intotheremotemachineandsuccessfullyauthenticateswiththegateway,the
GlobalProtectappreassignstheRDPtunneltotheremoteadministrator.Thissecurity
measurepreventsunauthorizedaccesstoVPNresourcesbecausepolicyenforcementfor
trafficthroughtheRDPtunnelisnowenforcedandloggedbasedontheprivilegesofthe
RDPuser.
NewGlobalProtect Description
Feature
Simplified GlobalProtect YoucannowuseGlobalProtecttoprovideasecure,remoteaccessorvirtualprivate

License Structure network(VPN)solutionviasingleormultipleexternalgateways,withoutany
GlobalProtectlicenses.Theportallicense,whichwasrequiredtoenablethisfunctionality,
hasbeendeprecated.However,advancedfeaturesthatincludeHostInformationProfile
(HIP)checksandsupportfortheGlobalProtectmobileappforiOSandAndroidstillrequire
agatewaysubscription.Totakeadvantageofthenewlicensestructure,youneedto
upgradeonlythedevicerunningtheGlobalProtectportaltoaPANOS7.0orlaterrelease.
LicensingFeatures
NewLicensingFeature Description
Self-Service License & ThefirewallandPanoramanowprovidethecapabilitytounassignordeactivatetheactive

Subscription licensesonafirewallandassignthelicensestoanotherfirewall.Toreleasetheactive
Management licensesattributedtoafirewall,younowhavetwooptions:
DeactivateafeaturelicenseorsubscriptiononafirewallIfyouaccidentallyinstalleda
license/subscriptiononafirewallandneedtoreassignthelicensetoanotherfirewall,
youcandeactivateanindividuallicenseandreusethesameauthorizationcodeon
anotherfirewallwithouthelpfromTechnicalSupport.Thiscapabilityissupportedon
theCLIofboththehardwarebasedfirewallsandtheVMSeriesfirewalls.
DeactivatelicensesonaVMSeriesfirewallWhenyounolongerneedaninstanceof
theVMSeriesfirewall,youcanfreeupallactivelicensessubscriptionlicenses,
VMCapacitylicenses,andsupportentitlementsusingthewebinterfaceorCLIonthe
firewallorPanorama.Thelicensesarecreditedbacktoyouraccountandyoucanuse
thesameauthorizationcodesonadifferentinstanceoftheVMSeriesfirewall.
Support for TheVMSeriesfirewallinAWSnowsupportstheusagebasedpricingmodel,inaddition

Usage-Based Licensing totheBringYourOwnLicense(BYOL)model.Thiscapabilitymakesiteasiertoconsolidate
in Amazon Web Services thebillingofAWSresourcesandtheusagefeesfortheVMSeriesfirewall.
(AWS) TheusagebasedmodelintheAWSMarketplaceisavailableinhourlyandannualpricing
bundles:
VMSeriescapacitylicensewiththeThreatPreventionlicenseforeachmodel
VM100,VM200,VM300,orVM1000HV.Itincludesapremiumsupport
entitlement.
VMSeriescapacitylicensewiththecompletesuiteoflicenses,whichincludesThreat
Prevention,GlobalProtect,WildFire,andPANDBURLFilteringcapabilitiesforeach
modelVM100,VM200,VM300,orVM1000HV.Itincludesapremiumsupport
entitlement.
Usagebasedsubscriptions/licensesarehandledautomaticallybyAWS;theselicenses
cannotbeactivatedonthefirewallormanagedfromPanorama.
Term-Based Capacity AtermbasedlicenseisalicensethatallowsyoutousetheVMSeriesfirewallfora

Licenses on the specifiedperiodoftime.AtermbasedVMSeriescapacitylicensewillhaveanexpiration
VM-Series Firewall dateandthewebinterfacewilldisplayrenewalnotificationsbeforethelicenseexpires.If
thecapacitylicenseexpires,althoughthefirewallwillcontinuetooperateatthelicensed
capacity,youcannotobtainsoftwareupdatesorcontentupdatesuntilyourenewthe
capacitylicense.
ChangestoDefaultBehavior PANOS7.0ReleaseInformation
ChangestoDefaultBehavior
ThefollowingarechangestodefaultbehaviorinPANOS7.0:
YoucanalsoseeCLIChangesinPANOS7.0andXMLAPIChangesinPANOS7.0.
AuthenticationChanges
GlobalProtectChanges
ManagementChanges
PanoramaChanges
ThreatPreventionChanges
WildFireChanges
AuthenticationChanges
PANOS7.0hasthefollowingchangesindefaultbehaviorforauthenticationfeatures:
Feature Change
RADIUS authentication RADIUSadministratorscannowlogintothefirewallCLIasSSHuserswithoutfirst

loggingintothewebinterface.
WhensendingauthenticationrequeststoaRADIUSserver,PANOSandPanorama
7.0andlaterreleasesalwaysusetheauthenticationprofilenameasthenetwork
accessserver(NAS)identifier,eveniftheprofileisassignedtoanauthentication
sequence.Inpre7.0releases,thefirewallandPanoramausethenameof
whicheverauthenticationprofileorsequenceisconfiguredfortheservicethat
initiatestheauthenticationprocess(suchasadministratorauthentication).
PANOS7.0ReleaseInformation ChangestoDefaultBehavior
GlobalProtectChanges
PANOS7.0hasthefollowingchangesindefaultbehaviorforGlobalProtectfeatures:
Feature Change
OTP Authentication Previously,whenauserloggedintoaGlobalProtectgatewaythatwasonthesame

firewallastheportal,theportalgeneratedashortlivedgatewayuserauthentication
cookie(expiredin60seconds).Thegatewaywouldusethatcookietoauthenticate
theuserwithoutrequiringtheusertoenterasecondonetimepassword(OTP).This
featureisnowdeprecated.Toenablethesameuserexperience,wherebytheuseris
onlyrequiredtoenteranOTPoncetoconnecttoGlobalProtect,youmustsetthe
Authentication ModifiertoCookie authentication for config refreshwhen
configuringtheportalauthenticationbehavior.
Portal licenses TheGlobalProtectportallicenseisnowdeprecated.StartingwiththePANOS7.0

release,youcanuseallGlobalProtectportalfunctionality(whichwaspreviously
available)withoutinstallinganadditionallicense.However,advancedfeatures
includingHostInformationProfile(HIP)checksandsupportfortheGlobalProtect
mobileappforiOSandAndroidstillrequireagatewaysubscription.Totake
advantageofthenewlicensestructure,youneedtoupgradeonlythedevicerunning
theGlobalProtectportaltoaPANOS7.0orlaterrelease(thedevicerunningthe
GlobalProtectgatewaycanrunPANOS7.0andearlierreleases).
ManagementChanges
PANOS7.0hasthefollowingchangesindefaultbehaviorformanagementfeatures:
Feature Change
Operational modes FIPSmodeisnolongersupportedinPANOS7.0andlaterreleases.Ifyourfirewall

isrunningaPANOS6.1orearlierreleaseandisinFIPSmode,youmustEnableFIPS
andCommonCriteriaSupportbeforeyouupgradetoaPANOS7.0orlaterrelease.
RefertothePANOS7.0Upgrade/DowngradeConsiderationsformoredetails.
DNS proxy Thereisachangeinthewayvirtualsystemreportingandserverprofilesmakequeries

usingDNSproxy.Previously,thefirewallwouldsendvirtualsystemreportqueries
andvirtualsystemserverprofilequeriestotheDNSproxythatwasspecifiedforthe
firewall,eveniftherewasaDNSproxyspecifiedforthevirtualsystem.Now,the
virtualsystemreportandvirtualsystemserverprofilesendtheirqueriestotheDNS
serverspecifiedforthevirtualsystemifthereisone.IfthereisnoDNSserver
specifiedforthevirtualsystem,theDNSserverspecifiedforthefirewallisqueried.
(ThevsysspecificDNSserverusedisdefinedinDevice>Virtual Systems>General
>DNS Proxy.)
Tags ThemaximumnumberoftagsthatthefirewallandPanoramasupportisnow
increasedfrom2,500to10,000.Thislimitisenforcedacrossthefirewall/Panorama
andisnotallocatedbyvirtualsystemordevicegroup.
ChangestoDefaultBehavior PANOS7.0ReleaseInformation
Feature Change
Policy objects Whenyoucloneanobjectorrule,thenamingconventionforthecloneisnow

<original-name>-<n>,where<original-name>isthenameoftheoriginalobject
orruleand<n>isanumericsuffix(startingat1forthefirstclone)thatmakesthe
clonenameuniqueinitscurrentscope(virtualsystem,devicegroup,orShared
location).Forexample,ifyoutwiceclonearulenamedIngressTraffic,thefirewall
namesthefirstcloneIngressTraffic1andnamesthesecondcloneIngressTraffic2.
PanoramaChanges
PANOS7.0hasthefollowingchangesindefaultbehaviorforPanoramafeatures:
Feature Change
Firewall licenses Previously,tocheckforlicensingchangestothemanagedfirewalls,youhadto

manuallyclicktheRefreshbuttononthePanorama>Device Deployment>
Licensestab.Now,Panoramaperformsadailycheckinwiththelicensingserverand
retrieveslicenseupdates/renewalsandpushesthemtothemanagedfirewalls.The
dailycheckintakesplacebetween1:00amand2:00am,accordingtotheTime Zone
configuredforPanorama(Panorama>Setup>Management).
ThreatPreventionChanges
PANOS7.0hasthefollowingchangesindefaultbehaviorforthreatpreventionfeatures:
Feature Change
Security profiles Thedefaultactionsforhandlingthreatsarenowalertorreset-both(sidesofthe

connection).InreleasespriortoPANOS7.0,thedefaultswerealertorblock.On
upgrade,theblockactionwillbeconvertedtoreset-bothandthedrop-packets
optionisnowrenamedasdrop.
Ondowngrade,allactionsconfiguredasdroporresetwillbeconvertedtoblock.
PANOS7.0ReleaseInformation ChangestoDefaultBehavior
WildFireChanges
PANOS7.0hasthefollowingchangesindefaultbehaviorforWildFirefeatures:
Feature Change
WildFire Analysis profile FileBlockingprofileswiththeactionsettoforwardorcontinue and forwardare

migratedtothenewWildFireAnalysisprofileinPANOS7.0.Toeditthemigrated
profilesortocreatenewprofilestoforwardfilesandemaillinksforWildFireanalysis,
selectObjects>Security Profiles>WildFire Analysis.Additionally,samples
forwardedbythefirewallforWildFireanalysisarenolongeraddedasentriestothe
DataFilteringlogs(Monitor>Data Filtering);instead,usetheCLItoverifythatthe
firewallisforwardingsamples.SeetheWildFireAnalysisProfileforfulldetailsonthis
enhancedWildFireworkflow.
CLIChangesinPANOS7.0 PANOS7.0ReleaseInformation
CLIChangesinPANOS7.0
ThefollowingtablelistsCLIcommandsthatchangedbetweenPANOS6.1(orangetext)andPANOS7.0
(greentext).Thechangesincludecommandoptionsthataredeprecatedorhavenewnames,values,or
commandpathsinPANOS7.0.
PANOS6.1Commands PANOS7.0Commands
ConfigurationModeCommands
commit validate validate [full | partial]
set deviceconfig setting wildfire cloud-server set deviceconfig setting wildfire [public-cloud-server
| private-cloud-server]
set deviceconfig setting ssl-decrypt set profiles decryption <name> ssl-forward-proxy

[block-unknown-cert | block-timeout-cert] [block-unknown-cert | block-timeout-cert]
set network ike crypto-profiles ike-crypto-profiles set network ike crypto-profiles ike-crypto-profiles
<name> lifetime days <value: 1-65535> <name> lifetime days <value: 1-365>
set network ike crypto-profiles ipsec-crypto-profiles set network ike crypto-profiles ipsec-crypto-profiles
<name> lifetime days <value: 1-65535> <name> lifetime days <value: 1-365>
set network tunnel global-protect-gateway <name> set vsys <name> global-protect global-protect-gateway
client ip-pool <name> remote-user-tunnel-configs <name> ip-pool
set network tunnel global-protect-gateway <name> set vsys <name> global-protect global-protect-gateway
client split-tunneling <name> remote-user-tunnel-configs <name>
split-tunneling
set network dhcp interface <name> server option set network dhcp interface <name> server option
ippool-subnet subnet-mask
set [shared | vsys <name>] profiles virus <name> set [shared | vsys <name>] profiles virus <name>
decoder <name> [action | wildfire-action] [block] decoder <name> [action | wildfire-action] [reset-both]
set [shared | vsys <name>] profiles virus <name> set [shared | vsys <name>] profiles virus <name>
application <name> action [block] application <name> action [reset-both]
set [shared | vsys <name>] profiles [spyware | set [shared | vsys <name>] profiles [spyware |
vulnerability] <name> rules action action [block] vulnerability] <name> rules action action [reset-both]
set [shared | vsys <name>] profiles file-blocking The forward and continue-and-forward optionsare
<name> rules <name> action [forward |
continue-and-forward] deprecated.ToforwardfilestoWildFire,youmustnow
configureaWildFireAnalysisprofile:
set profiles wildfire-analysis <name>
set [shared | vsys <name>] profiles [spyware | InPANOS7.0,thedropoptionperformsthesameaction

vulnerability] <name> threat-exception <threat-id>
action [drop | drop-all-packets] asthe drop-all-packets optiondoesinPANOS6.1:
set [shared | vsys <name>] profiles spyware <name>
threat-exception <threat-id> action drop
set reports <name> type url sortby user_agent The user_agent optionisdeprecated.
set reports <name> type wildfire sortby filetype The filetype optionisdeprecated.
set application-group <name> [<value1> | <value2> | ] set application-group <name> members [<value1> |
<value2> | ]
set scheduled <name> [non-recurring | recurring] set scheduled <name> schedule-type [non-recurring |
recurring]
set threats [spyware | vulnerability] <threat-id> set threats [spyware | vulnerability] <threat-id>
default-action drop-packets default-action drop
PANOS7.0ReleaseInformation CLIChangesinPANOS7.0
set [shared | vsys <name>] authentication-sequence The lockout optionsaredeprecatedforauthentication

<name> lockout [failed-attempts | lockout-time]
sequences.Younowsetthefailedloginattemptslimitand
accountlockoutdurationonlyforauthenticationprofiles.
set [shared | vsys <name>] server-profile [ldap | set [shared | vsys <name>] authentication-profile
radius] <name> domain <name> user-domain
set [shared | vsys <name>] server-profile radius <name> set [shared | vsys <name>] authentication-profile
checkgroup <name> method radius checkgroup
set [shared | vsys <name>] server-profile radius <name> set [shared | vsys <name>] server-profile radius <name>
timeout <value: 1-30> timeout <value: 1-120>
set [shared | vsys <name>] server-profile radius <name> set [shared | vsys <name>] server-profile radius <name>
server <name> port <value: 0-65535> server <name> port <value: 1-65535>
set [shared | vsys <name>] server-profile kerberos set [shared | vsys <name>] authentication-profile
<name> domain <name> user-domain
set [shared | vsys <name>] server-profile kerberos set [shared | vsys <name>] authentication-profile
<name> realm <name> method kerberos realm
set [shared | vsys <name>] server-profile kerberos set [shared | vsys <name>] server-profile kerberos
<name> server <name> port 0-65535 <name> server <name> port 1-65535
set [shared | vsys <name>] certificate <name> The display-common-name, display-subject,and

[display-common-name | display-subject |
display-issuer] display-issuer optionsaredeprecated.
Togeneratecertificates,alwaysusethe request
certificate generateoperationalcommand
(insteadoftheset [shared | vsys <name>]
certificatecommand).
set [vsys <name>] captive-portal server-certificate set [vsys <name>] captive-portal

ssl-tls-service-profile
set [vsys <name>] url-admin-override set [vsys <name>] url-admin-override

server-certificate ssl-tls-service-profile
set [vsys <name>] global-protect global-protect-portal set [vsys <name>] global-protect global-protect-portal
<name> portal-config server-certificate <name> portal-config ssl-tls-service-profile
set [vsys <name>] global-protect set [vsys <name>] global-protect

global-protect-gateway <name> server-certificate global-protect-gateway <name> ssl-tls-service-profile
OperationalModeCommands
clear session id <value> <value: 1-2147483648> clear session id <value> <value: 1-4294967295>
show session id <value> <value: 1-2147483648> show session id <value> <value: 1-4294967295>
delete user-file delete authentication user-file
delete software image Theimageoptionisdeprecated.Theversionoptionisnot

newbutperformsthesamefunctionastheimageoption:
delete software version
request system software install file Thefileoptionisdeprecated.Theversionoptionisnot

newbutperformsthesamefunctionasthefileoption:
request system software install version
request system software install load-config <value> Thefileoptionisdeprecated.Theversionoptionisnot

file
newbutperformsthesamefunctionasthefileoption:
request system software install load-config <value>
version
delete radius-user Theradius-useroptionisdeprecated.
CLIChangesinPANOS7.0 PANOS7.0ReleaseInformation
show user ip-user-mapping all type [NTLM | SSL/VPN] The SSL/VPN and NTLM optionsaredeprecated.Thenew
SSO (singlesignon)optionisforbothNTLMandKerberos
SSO:
show user ip-user-mapping all type SSO
show user ip-user-mapping all option [count | detail] The SSL/VPN and NTLM optionsaredeprecated.Thenew
type [NTLM | SSL/VPN]
SSO:
show user ip-user-mapping all option [count | detail]
type SSO
show user ip-user-mapping-mp all option [count | The SSL/VPN and NTLM optionsaredeprecated.Thenew
detail] no-group-only [no | yes] type [NTLM | SSL/VPN]
SSO:
show user ip-user-mapping-mp all option [count |
detail] no-group-only [no | yes] type SSO
show user email-lookup [base | bind-dn | bind-password Allthe email-lookup optionsaredeprecatedexceptthe

| domain | group-object | name-attribute | proxy-agent
| proxy-agent-port | use-ssl | mail-attribute | server email option.Thefollowingcommandisnotnewbuthas
| server-port] similaroptions:
show user group-selection [base | bind-dn |
bind-password | group-object | name-attribute |
proxy-agent | proxy-agent-port | use-ssl | server |
server-port]
show log traffic session_end_reason show log traffic session-end-reason
show log [threat | url | data] action [equal | show log [threat | url | data] action [equal |
not-equal] drop-all-packets not-equal] drop-all
debug software restart <process> debug software restart [core | process] <process>
debug authd debug authentication
debug authd [admin-db | use-domain] The admin-db and use-domain optionsaredeprecated.

debug device-server pan-url-db Thefollowingconfiguremodecommandreplacesthe
[cloud-static-list-enable | cloud-static-list-disable]
cloud-static-list-enable and
cloud-static-list-disable options:
set deviceconfig setting pan-url-db cloud-static-list
debug dataplane packet-diag clear debug dataplane packet-diag clear

filter-marked-session id <value: 1-2147483648> filter-marked-session id <value: 1-4294967295>
debug user-id test ntlm-login The ntlm-login optionisdeprecated.Thenew

sso-login (singlesignon)optionisforbothNTLMand
KerberosSSO:
debug user-id test sso-login
set management-server unlock request authentication [unlock-admin | unlock-user]
request certificate generate nbits request certificate generate certificate-name <value>

<name> <value> algorithm [ECDSA | RSA] [ecdsa-nbits |
rca-nbits]
PANOS7.0ReleaseInformation XMLAPIChangesinPANOS7.0
XMLAPIChangesinPANOS7.0
ThePANOS7.0XMLAPIhasthefollowingchanges:
Feature Change
Custom reports OnPA7000SeriesfirewallsandPanorama,APIrequestsforcustomreportsno

longersupportthesynchronous(asynch=no)option.APIrequestsnowprovideajob
ID,whichyoucanusetoretrievethereport.Additionally,APIrequestsforreports
(type=report)arenowprocessedasynchronouslybydefaultonallfirewall
platforms.
Commits and validation Youcannowfullyorpartiallyvalidateyourconfigurationonthefirewallor

Panorama.ThechangeintheXMLAPIsyntaxisasfollows:
PANOS6.1andearlierreleases:
/api/?type=op&cmd=<commit><validate></validate></commit>
PANOS7.0andlaterreleases:
/api/?type=op&cmd=<validate><full></full></validate>, and
/api/?type=op&cmd=<validate><partial></partial></validate>
TheXMLdocumentformattocommitsharedpoliciestodevicegroupson
PanoramausingthePANOSXMLAPIhaschangedinPANOS7.0.Thischangeis
duetoanenhancementtopermitacommittodeviceswithinthedevicegroup:the
devicegroupnameisnowanattributenodeinsteadofatextnode.
ThechangeintheXMLAPIrequestisasfollows:
PANOS6.1andearlierreleases:
/api/?type=commit&action=all&cmd=<commit-all><shared-policy><dev
ice-group>
<name>DeviceGroupName</name></device-group></shared-policy></commit-a
ll>
PANOS7.0andlaterreleases:
/api/?type=commit&action=all&cmd=<commit-all><shared-policy><dev
ice-group>
<entryname='DeviceGroupName'/></device-group></shared-policy></commit
-all>
AssociatedSoftwareVersions PANOS7.0ReleaseInformation
AssociatedSoftwareVersions
ThefollowingminimumsoftwareversionsaresupportedwithPANOS7.0.Toseealistofthenextgen
firewallmodelsthatsupportPANOS7.0,seethePaloAltoNetworksCompatibilityMatrix.
PaloAltoNetworksSoftware MinimumSupportedVersionwithPANOS7.0
Panorama 7.0.1
User-ID Agent 6.0.0
Terminal Server Agent 6.0.0
NetConnect NotsupportedwithPANOS7.0
GlobalProtect Agent 2.2.0
GlobalProtect Mobile Security Manager 6.1.0
Content Release Version 497
PANOS7.0ReleaseInformation KnownIssues
KnownIssues
ThefollowinglistdescribesWildFireKnownIssues,GlobalProtectKnownIssues,andFirewallandPanorama
KnownIssuesinthePANOS7.0release:
StartingwithPANOS7.0.11,thesereleasenotesidentifyallunresolvedknownissuesusingnewissueIDs
thatincludeaproductspecificprefix.KnownissuesforearlierreleasesuseboththeirnewissueIDsandtheir
originalissueIDs(inparentheses).
ForrecentupdatestoknownissuesforagivenPANOSrelease,referto
https://live.paloaltonetworks.com/t5/Articles/CriticalIssuesAddressedinPANOSReleases/tap/52882.
IssueID Description
WildFire Known Issues
WF500-1907 (77299) WhenusingaFirefoxbrowsertoaccessthefirewallwebinterface,WildFireAnalysis

This issue is now resolved. reportsdonotshowtheCoverageStatusforthesample,evenwhenasignatureis
See PAN-OS 7.0.3 generatedtoidentifythesample(Monitor>Logs>WildFire Submissions>Detailed Log
Addressed Issues. View>WildFire Analysis Report).
Workaround:ToviewthecorrectCoverageStatusforasample,useChromeorinternet
ExplorerbrowserstoaccessWildFire Submissions logsonthefirewallwebinterface.
WF500-1584 (67624) WhenusingawebbrowsertoviewaWildFireAnalysisReportfromafirewallthatisusing

aWF500applianceforfilesampleanalysis,thereportmaynotappearuntilthebrowser
downloadstheWF500certificate.Thisissueoccursafterupgradingafirewallandthe
WF500appliancetoaPANOS6.1orlaterrelease.
Workaround:BrowsetotheIPaddressorhostnameoftheWF500appliance,whichwill
temporarilydownloadthecertificateintothebrowser.Forexample,iftheIPaddressof
theWF500applianceis10.3.4.99,openabrowserandenterhttps://10.3.4.99.You
canthenaccessthereportfromthefirewallbyselectingMonitor>WildFire Submissions,
clickingthelogdetailsicon,andthenselectingtheWildFire Analysis Reporttab.
GlobalProtect Known Issues
GPC-1941 (66745) OnmanagedmobiledevicesrunningiOS8,unenrollingthedevicedoesnotalwaysremove

theVPNprofileandtheMobileSecurityManagerprofile.
GPC-1737 (61720) Bydefault,theGlobalProtectappaddsarouteoniOSmobiledevicesthatcausestraffic

totheGP100GlobalProtectMobileSecurityManagertobypasstheVPNtunnel.
Workaround:ToconfiguretheGlobalProtectapponiOSmobiledevicestorouteall
trafficincludingtraffictotheGP100GlobalProtectMobileSecurityManagertopass
throughtheVPNtunnel,performthefollowingtasksonthefirewallhostingthe
GlobalProtectgateway(Network>GlobalProtect>Gateways>Client Configuration>
Network Settings > Access Route):
Add 0.0.0.0/0 asanaccessroute.
EntertheIPaddressfortheGlobalProtectMobileSecurityManagerasanadditional
accessroute.
Firewall and Panorama Known Issues
PAN-77237 Usingthedebug skip-condor-reports noCLIcommandtoforcePanorama8.0toquery

PA7000SeriesfirewallscausesPA7000SeriesfirewallsrunningaPANOS7.0release
toreboot.DonotusethiscommandifyouusePanorama8.0tomanageaPA7000Series
firewallthatisrunningaPANOS7.0release.
KnownIssues PANOS7.0ReleaseInformation
IssueID Description
PAN-76162 Panorama8.0failstoqueryPA7000SeriesfirewallsrunningaPANOS7.0release.
Donotusethedebug skip-condor-reports nocommandtoworkaroundthis
issueifyouusePanorama8.0tomanageaPA7000Seriesfirewallthatisrunning
aPANOS7.0release(knownissuePAN77237).
PAN-75881 EstablishingaTCPsession,theninstallingacontentupdate,andtheninstallingan
AntivirusorWildFireupdatecausesthefirewalltodiscard,usewrongcontent,orfailto
inspectandperformNATforthesession.
PAN-67072 InPANOS6.1and7.0,thefirewallappliesthewrongsecuritypolicyifauserattemptsto
downloadablockedfilebyselectingResumeintheblockedpagedialogpresentedbythe
browser,allowingtheusertodownloadtheblockedfile.Thisissueoccurswhenasecurity
policythatblocksdownloadshasalowerprioritythanasecuritypolicythatappliesan
actionsuchasURLfiltering(butdoesnotblockdownloads)onthesametraffic.Thisissue
isresolvedinPANOS7.1andlaterreleases.
Workaround:Changetheorderofthesecuritypoliciessothatthedownloadblocking
policyhasahigherprioritythantheURLfilteringpolicy.
PAN-62453 (102159) EnteringvSpheremaintenancemodeonaVMSeriesfirewallwithoutfirstshuttingdown

theGuestOSfortheagentVMscausesthefirewalltoshutdownabruptly,andresultsin
issuesafterthefirewallispoweredonagain.RefertoIssue1332563intheVMware
releasenotes:www.vmware.com/support/pubs/nsx_pubs.html
Workaround:VMSeriesfirewallsareServiceVirtualMachines(SVMs)pinnedtoESXi
hostsandshouldnotbemigrated.BeforeyouentervSpheremaintenancemode,usethe
VMwaretoolstoensureagracefulshutdownoftheVMSeriesfirewall.
PAN-61724 (101293) TheNetwork Monitorreport(Monitor > App Scope > Network Monitor)displaysonly
partialdatawhenyouselectSourceorDestinationforadatasetthatincludesalarge
numberofsourceordestinationIPaddressesandusernames.However,thereportdoes
displayalldataasexpectedwhenyouinsteadselectApplicationorApplication Category
foralargedataset.
PAN-61267 (100700) IfyouplantoconfiguretheGlobalProtectportalonaninterfaceassignedtoavirtual

routerthatispartofavirtualrouterchaininthesamezone,youmustconfiguretheportal
onthefirstingressinterfaceintheVRchain.Thisisbecausethesessionisestablished
whenthepacketingressestheinterfaceonthefirstvirtualrouter.Whenitingressesthe
secondvirtualrouter,becauseitisinthesamezoneanditmatchesanexistingsession,a
secondsecuritylookupisnotperformedandthepacketisthereforenotroutedtothe
properportontheportalinterface.
PAN-59636 (98602) ThePanoramamanagementserverhasamemoryincreaseduetosyncingofWildFire

This issue is now resolved. reportsfromPanoramatologcollectors.
See PAN-OS 7.0.10
Addressed Issues.
PAN-59614 (98576) InPANOS7.0andlaterreleases,themaximumnumberofaddressobjectsyoucan

resolveforanFQDNisincreasedfrom10ofeachaddresstype(IPv4andIPv6)toa
maximumof32each.However,thecombinationofIPv4andIPv6addressescannot
exceed512B;ifitdoes,addressesthatarenotincludedinthefirst512Baredroppedand
notresolved.
PAN-59258 (98112) ForafirewallinanHAactive/activeconfiguration,sessiontimeoutsforsometraffic

This issue is now resolved. unexpectedlyrefreshafteracommitorHAsyncattempt.
See PAN-OS 7.0.9
Addressed Issues.
IssueID Description
PAN-59037 (97806) ForfirewallsrunningPANOS7.0.7inanHAactive/activeconfiguration,thepeerthatis

notthesessionownerintermittentlyincorrectlyagesoutsessions,whichresultsinthe
prematureremovalofthosesessionsfrombothpeers.
PAN-58872 (97584) Theautomaticlicensedeactivationworkflowforfirewallswithdirectinternetaccessdoes

notwork.
Workaround:Usethe request license deactivate key features <name> mode
manual CLIcommandtoDeactivateaFeatureLicenseorSubscriptionUsingtheCLI.To
DeactivateaVM,chooseComplete Manually(insteadofContinue)andfollowthesteps
tomanuallydeactivatetheVM.
PAN-57471 (95611) ThereisacachingissuewiththemanagementplanethatresultsinWildFirereportsand

alertsforfilesthatarealreadyuploadedatleastoncetothefirewallandthatarefollowed
byaconfigurationchangeorthreatcontentupdateonthefirewallthatspecificallyblocks
thosesamefiles.
PAN-57218 (95260) The pan-comm optionforrestartingthedataplanecommunicationprocessisnotavailable

inthe debug software restart process operationalCLIcommand.
PAN-55437 (92423) Highavailability(HA)forVMSeriesfirewallsdoesnotworkinAWSregionsthatdonot

supportthesignatureversion2signingprocessforEC2APIcalls.Unsupportedregions
includeAWSEU(Frankfurt)andKorea(Seoul).
PAN-54806 (91395) SimultaneoustransferoflargefilesfromtwodifferentSMBserversoveraGlobalProtect

connectionfromaWindows8endpointcausestheconnectiontofail.
Workaround:InPANOS7.0.8andlaterreleases,enableHeuristicsonWindows8
endpointsorsetthetunnelinterfaceMTUsizeto1,300toavoidthisissue.
PAN-54611 (91086) ThereisanissuewherethefirewallexperiencesBGPdisconnectionsbecausethefirewall

This issue is now resolved. failstosendkeepalivemessagestoneighborswithinspecifiedtimers.
See PAN-OS 7.0.10
Addressed Issues.
PAN-54604 (91075) IfyouconfigureLSVPNtunnelinterfacesbetweenaGlobalProtectLSVPNgatewayand

This issue is now resolved. anLSVPNsatellite,youcannotupgradetheLSVPNsatellitetoaPANOS7.0releasewhile
See PAN-OS 7.0.7 theLSVPNgatewaycontinuestorunaPANOS6.1orearlierrelease;ifyoudo,theLSVPN
Addressed Issues. tunnelsnolongerpasstrafficasexpectedduetochangesmadetotheencryption
algorithmnameswhenintroducingSuiteBciphersinPANOS7.0.
Workaround:UpgradebothfirewallstoPANOS7.0oralaterrelease.Ifyoucannot
upgradetheLSVPNgatewaytoPANOS7.0oralaterrelease,thenupgradetheLSVPN
satellitetoPANOS7.0.7oralaterrelease(ortoaPANOS7.1release)toavoidthisissue.
PAN-54153 (90326) ThebotnetlogcleanupjobonaPA7000Seriesfirewallrunstwohoursbeforethe

This issue is now resolved. systemgeneratedbotnetreportsaretriggered,whichresultsinemptyornobotnet
See PAN-OS 7.0.8 reportswhennologsarecollectedbetweenjobs.
Addressed Issues.
PAN-54100 (90256) DecryptedSSHsessionsarenotmirroredtothedecryptmirrorinterfaceasexpected.

This issue is now resolved.
See PAN-OS 7.0.8
Addressed Issues.
PAN-53686 (89595) AttemptstoHide Panorama background header(Panorama>Setup>Operations>

Custom Logos)resultinanerror(Edit breaks config validity).
IssueID Description
PAN-53550 (89385) ForafirewallinanHAactive/activeconfiguration,sessiontimeoutsforsometraffic

This issue is now resolved. unexpectedlyrefreshafteracommitorHAsyncattempt.
See PAN-OS 7.0.7 Thefixforthisissueintroducedaknownissue:PAN59037(97806).
Addressed Issues.
PAN-52812 (88141) LoginattemptsonPanoramaforadministratorswithanaccessdomainnamelongerthan

31characterswillfailwiththefollowingerror: Login could not be completed. Please
contact the administrator. ThisisbecausetheAccessDomainfieldallowsupto63
charactersbutloginoperationsallowamaximumofonly31characters.
Workaround:Ensurethattheaccessdomainnameforalladministratorsisnolongerthan
31charactersorupgradetoaPANOS7.1release,whichallowsthelongeraccessdomain
names(upto63characters).
PAN-52743 (88029) Ifyouhaveasystemwidefirewallproxyconfiguration(Device>Setup>Services)ina

PANOS6.1orearlierreleaseandthenupgradetoPANOS7.0,theupgradeprocesswill
notautomaticallyextendtheproxyconfigurationtotheWildFirepubliccloud,which
includesaseparateproxyconfiguration(Device>Setup>WildFire)inPANOS7.0.
Workaround:AfteryouupgradeafirewalltoPANOS7.0,addthenecessaryproxy
configurationforaccessingtheWildFirepubliccloud(Device>Setup>WildFire).
PAN-51943 (86623) AfirewallinanHAactive/passiveconfigurationwithanestablishedFTPsessiondrops

This issue is now resolved. FTPPORTcommandpacketsafterafailover.
See PAN-OS 7.0.8
Addressed Issues.
PAN-51181 (85397) APaloAltoNetworksfirewall,M100appliance,orWF500applianceconfiguredtouse

FIPSoperationalmodewillfailtobootwhenrebootingafteranupgradetoaPANOS7.0
release.
Workaround:EnableFIPSandCommonCriteriasupportonanyPaloAltoNetworks
firewallorappliancebeforeyouupgradetoaPANOS7.0release.
PAN-50651 (84594) OnPA7000Seriesfirewalls,onedataportmustbeconfiguredasalogcardinterface

becausethetrafficandloggingcapabilitiesofthisplatformexceedthecapabilitiesofthe
managementport.AlogcardinterfaceperformsWildFirefileforwardingandlog
forwardingforsyslog,email,andSNMPandtheseservicesrequireDNSsupport.Ifyou
havesetupacustomservicerouteforthefirewalltousetoperformDNSqueries,services
usingthelogcardinterfacemightnotbeabletogenerateDNSrequests.Thisisonlyan
issueifyouveconfiguredthefirewalltouseaservicerouteforDNSrequests,andinthis
case,youmustperformthefollowingworkaroundtoenablecommunicationbetweenthe
firewalldataplaneandthelogcardinterface.
Workaround:EnabletheDNSProxyonthefirewall,anddonotspecifyaninterfacefor
theDNSproxyobject(leavethefieldNetwork>DNS Proxy>Interfaceclear).Seethe
stepstoenableDNSproxyorusetheCLIcommandset deviceconfig system
dns-setting dns-proxy-object.
PAN-50186 (83702) WildFireAnalysisreportsdonotdisplayasexpectedintheWildFire Analysis Reporttab

This issue is now resolved. (Monitor > Logs > WildFire Submissions > Detailed Log View)onaPA7000Series
See PAN-OS 7.0.6 firewallrunningPANOS7.0.2orlaterreleases.
Addressed Issues. Workaround:UsetheWildFireportal(https://wildfire.paloaltonetworks.com)orthe
WildFireAPItoretrieveWildFireAnalysisreports.
IssueID Description
PAN-49708 (82849) APanoramavirtualapplianceusingaNetworkFileSystem(NFS)storagepartition

This issue is now resolved. incorrectlyfailsthefilesystemintegritycheckfortheNFSdirectorywhenrebooting
See PAN-OS 7.0.6 PanoramaafteranupgradetoaPanorama7.0release.
Addressed Issues.
PAN-49577 (82605) Offloadedpolicybasedforwarding(PBF)sessionswillfailtoegressafirewallrunning

This issue is now resolved. PANOS6.1.4andlaterreleasesifyouEnforce Symmetric Return(Policies>Policy
See PAN-OS 7.0.4 Based Forwarding><pbfrule>>Forwarding).
Addressed Issues. Workaround:DisableEnforce Symmetric ReturnandcreatebidirectionalPBFpolicies.
PAN-49399 (82299) ThereisacriticalsecurityvulnerabilityaffectingPANOS7.0.0.Thisissuespecifically

This issue is now resolved. affectsdevicesrunningPANOS7.0.0thatareconfiguredtouseLDAPauthenticationfor
See PAN-OS 7.0.1 CaptivePortalorfordevicemanagement,includingPanorama.Thisissuedoesnotaffect
Addressed Issues. devicesconfiguredtouseRADIUSorlocalauthenticationinsteadofLDAPauthentication,
nordoesitaffectanyPANOSreleaseotherthanPANOS7.0.0.Duetothecriticalnature
ofthisvulnerability,westronglyadviseallcustomerswhohaveinstalledPANOS7.0.0to
upgradeassoonaspossibletoPANOS7.0.1.Alternatively,youcandowngradetoan
olderversionofPANOS,suchasPANOS6.1orPANOS6.0.
PAN-49044 (81584) InPanorama7.0,outputfromthe show ntp commanddoesnotalwaysdisplaythecorrect

This issue is now resolved. NTPstatus.ThisprimarilyoccurswhenthereisonlyoneNTPserverconfiguredwhere,
See PAN-OS 7.0.3 evenwhencorrectlyconnectedtotheNTPserver,the show ntp status displaysas
Addressed Issues. rejected.
PAN-48933 (81373) WhenthefirewallisconfiguredtocommunicatewithaWildFirecloud(publicorprivate)

This issue is now resolved. throughaproxyserver,WildFireAnalysisreportsforsamplesanalyzedintheWildFire
See PAN-OS 7.0.2 publiccloudarenotdisplayedintheWildFireSubmissionslog(Monitor>WildFire
Addressed Issues. Submissions).
Workaround:UsetheWildFireportal(https://wildfire.paloaltonetworks.com)orthe
WildFireAPItoretrieveWildFireAnalysisreports.
PAN-48719 (80903) APA7050firewallrunningaPANOS6.1orearlierreleaseandmanagedbyPanorama

This issue is now resolved. runningPANOS7.0.0cannotaccuratelyhandlequeriesfromPanorama.Thisresultsin
See PAN-OS 7.0.1 theinabilitytodisplaydataintheApplicationCommandCenter(ACC)widgetsand
Addressed Issues. preventslogdatafromthePA7050firewallfrombeingincludedinreportsgeneratedon
Panorama.
PAN-48702 (80871) WildFireAnalysisreportsarenotdisplayedforWildFire Submissionslogentrieswhen

This issue is now resolved. thefirewallisconfiguredtouseaservicerouteinsteadofthemanagementinterfaceto
See PAN-OS 7.0.1 communicatewithaWildFirecloud(publicorprivate).
Addressed Issues. Workaround:ForfirewallsrunningPANOS7.0.1,youcanretrieveWildFireAnalysis
reportsthroughtheWildFireportal(wildfire.paloaltonetworks.com)ortheWildFireAPI.
Additionally,youcanspecificallyconfigurewildfire.paloaltonetworks.comasthe
WildFirepubliccloudtoviewintegratedreportsfromwithinthewebinterface:
Webinterface:selectDevice>Setup>WildFire>General Settings.
CLI:usetheset deviceconfig setting wildfire public-cloud-server
wildfire.paloaltonetworks.comcommandinconfigurationmode.
PAN-48667 (80799) FilesandemaillinkssentusingSimpleMailTransferProtocol(SMTP)orPostOffice

This issue is now resolved. Protocolversion3(POP3)arenotforwardedtotheWildFirepubliccloudforanalysis
See PAN-OS 7.0.1 unlessthefirewallisalsoconfiguredtoforwardfilestoaWildFireprivatecloud.For
Addressed Issues. firewallsconnectedtoaWildFire Private Cloud,forwardingtoboththeWildFirepublic
cloudandWildFireprivatecloudworkscorrectly(Device>Setup>WildFire).
IssueID Description
PAN-48647 (80750) WhenspecifyingthedevicegroupandtemplatefortheVMSeriesNSXeditionfirewall,

youcannotselectatemplatestackoradescendantdevicegroupdefinedinadevicegroup
hierarchyonPanorama.Youcanassignthefirewallstoatemplateandaparentdevice
grouponly.
PAN-48565 (80589) TheVMSeriesfirewallonCitrixSDXdoesnotsupportjumboframes.
PAN-48550 (80561) SoftwareforwardingofLayer3multicasttrafficwithProtocolIndependentMulticast

This issue is now resolved. (PIM)doesnotfunctioncorrectly.
See PAN-OS 7.0.1
Addressed Issues.
PAN-48463 (80398) Ifyouconfigurethefirewalltouseclientcertificatestoauthenticateadministratorswhen

This issue is now resolved. theyaccessthewebinterfaceandyouenableOnlineCertificateStatusProtocol(OCSP)
See PAN-OS 7.0.1 verification,thentheauthenticationwillfailandadministratorscan'tlogin.
Addressed Issues. Workaround:CleartheBlock session if certificate status is unknownandBlock session
if certificate status cannot be retrieved within timeoutcheckboxesinthecertificate
profilethatthefirewallusestoauthenticateadministrators.
PAN-48456 (80387) IPv6toIPv6NetworkPrefixTranslation(NPTv6)isnotsupportedwhenconfiguredona

sharedgateway.
PAN-48446 (80373) TheoptionstoCloneobjectsorpoliciesinasharedgatewaylocationandtoMoveobjects

This issue is now resolved. orpoliciesfromavirtualsystemtoasharedgatewaylocationdonotworkcorrectly.
See PAN-OS 7.0.1
Addressed Issues.
PAN-48421 (80323) Onreboot,thelinkstatesforfirewallinterfacesdonotcomeup.Thisissueoccurswhen

This issue is now resolved. youdisablehighavailability(HA)onafirewallthatwasconfiguredinHAandthenreboot
See PAN-OS 7.0.1 thefirewall.
Addressed Issues. Workaround:Usethedelete deviceconfig high-availability enabledCLI
commandinconfigurationmodetodeletethehighavailabilityconfigurationnode.
PAN-48394 (80268) WhenswitchingtoCommonCriteria(CC)modeonaPA7050firewallrunningPANOS

This issue is now resolved. 7.0.0,theoperationdoesnotcompleteandshowsthefollowingerror:Set CCEAL4 Mode
See PAN-OS 7.0.1 Sysd Error.ThisissueoccursbecausetheCCmodeoperationattemptstochangethe
Addressed Issues. operationalmodebeforethesystemprocess(sysd)isfullyloaded.Thisoperationsetsthe
firewalltothefactorydefaultconfigurationwithoutCCconfigurationchanges.
Workaround:ChangetoCCmodewhilerunningaPANOS6.1releasebeforeupgrading
toPANOS7.0.0.
PAN-48392 (80266) IfyouconfigurethePA200,PA500,orPA2050firewalltouseaservicerouteinstead

This issue is now resolved. ofthemanagement(MGT)interfacetoconnecttoanLDAPserver,theconnectionwont
See PAN-OS 7.0.1 workandanyfirewallfunctionsthatrelyontheconnectionwillfail.
Addressed Issues. Workaround:IfyouconfiguredaserviceroutebeforeupgradingtoaPANOS7.0release,
reconfigureitasadestinationservicerouteortosettheSource InterfaceandSource
Addressfieldsoftheserviceroute(Device>Setup>Services>Global>Service Route
Configuration>IPv4orIPv6)toUse default.
PAN-48346 (80177) TheURLblockpagedoesnotdisplayasexpectedwhenproxiedrequestsfromclientuse

CONNECTmethod.
IssueID Description
PAN-47976 (79470 PanoramadoesnotdisplayWildFireAnalysisreportscorrectlyintheWildFire

This issue is now resolved. Submissionslog.
See PAN-OS 7.0.2 Workaround:IntheContextdropdown,selectthefirewallthatforwardedthelogand
Addressed Issues. displaythereportinthefirewallcontext.
PAN-47969 (79462) IfyoulogintoPanoramaasaDeviceGroupandTemplateadministratorandrenamea

devicegroup,thePanorama>Device Groupspagenolongerdisplaysanydevicegroups.
Workaround:Afteryourenameadevicegroup,performacommit,logout,andlogback
in;thepagethendisplaysthedevicegroupswiththeupdatedvalues.
PAN-47611 (78803) InPanorama,templatesettingsthatareglobaltoeveryvirtualsystem(vsys)onafirewall

This issue is now resolved. (forexample,Systemlogsettings)cantreferenceconfigurationelements(forexample,an
See PAN-OS 7.0.2 Emailserverprofile)thatyouaddtoaspecificvsysinsteadoftotheSharedlocation.Only
Addressed Issues. templateanddevicegroupsettingsthatPanoramacanpushtoaspecificvsys(for
example,LogForwardingprofiles)canreferenceelementsthatyouaddtoaspecificvsys.
Tocreateanelementthatbothglobalandvsysspecificsettingscanreference,youmust
setthetemplateModetoMulti VSYSenabledand,whenaddingtheelement,setits
LocationtoShared.
PAN-47518 (78646) Firewallsincorrectlyreplacemultibytecharacterswithaperiodcharacter( . )when

This issue is now resolved. forwardinglogsoreventinformationtoSNMPtraps,toasyslogserver,throughemail,or
See PAN-OS 7.0.1 inscheduledlogexports.ThisissuealsooccurswhenexportinglogstoCSV.
Addressed Issues.
PAN-47073 (77850) WebpagesusingtheHTTPStrictTransportSecurity(HSTS)protocolsometimesdonot

displayproperlyforendusers.
Workaround:Endusersshouldimportanappropriateforwardproxycertificatefortheir
browsers.
PAN-47038 (77775) Avalidationerroroccurswhenyoutrytomoveanobjectfromitscurrentdevicegroupto

This issue is now resolved. adestinationdevicegroupthatislowerinthehierarchyevenifthepolicyrulesorobjects
See PAN-OS 7.0.2 thatreferencetheobjectareinthesamedestinationorareinadevicegroupthatshould
Addressed Issues. inherittheobject.
Workaround:Clonetheobjecttothedestination.
PAN-46344 (76601) WhenyouuseaMacOSSafaribrowser,clientcertificateswillnotworkforCaptivePortal

authentication.
Workaround:OnaMacOSsystem,instructenduserstouseadifferentbrowser(for
example,MozillaFirefoxorGoogleChrome).
PAN-45793 (75806) Inafirewallwithmultiplevirtualsystems,ifyouaddanauthenticationprofiletoavirtual

systemandgivetheprofilethesamenameasanauthenticationsequenceinShared,
referenceerrorsoccur.ThesameerrorsoccuriftheprofileisinSharedandthesequence
withthesamenameisinavirtualsystem.
Workaround:Whencreatingauthenticationprofilesandsequences,alwaysenterunique
names,regardlessoftheirlocation.Forexistingauthenticationprofilesandsequences
withsimilarnames,renametheonesthatarecurrentlyassignedtoconfigurations(for
example,aGlobalProtectgateway)toensureuniqueness.
PAN-44901 (74423) Whenfetchingadynamicblocklist,afirewallrunningPANOS7.0.1incorrectlyusesthe

This issue is now resolved. URLUpdatesservicerouteinsteadoftheserviceroutethatisattachedtothePaloAlto
See PAN-OS 7.0.2 Updatesintheservicerouteconfiguration(Device>Setup>Services>Global).
Addressed Issues.
IssueID Description
PAN-44616 (73997) OntheACC>Network Activity tab,ifyouaddthelabelUnknownasaglobalfilter,the

filtergetsaddedasA1andqueryresultsdisplayA1insteadofUnknown.
PAN-44400 (73674) Thelinkona1GbpsSFPportonaVMSeriesfirewalldeployedonaCitrixSDXserverdoes

notcomeupwhensuccessivefailoversaretriggered.Thisbehaviorisonlyobservedinan
HAactive/activeconfiguration.
Workaround:Usea10GbpsSFPportinsteadofthe1GbpsSFPportontheVMSeries
firewalldeployedonaCitrixSDXserver.
PAN-44300 (73518) WildFireAnalysisreportscannotbeviewedonfirewallsrunningPANOS6.1release

versionsifconnectedtoaWF500applianceinCommonCriteriamodethatisrunninga
PANOS7.0release.
PAN-43000 (71624) VulnerabilitydetectionofSSLv3failswhenSSLdecryptionisenabled.Thiscanoccur

whenyouattachaVulnerabilityProtectionprofile(thatdetectsSSLv3CVE20143566)
toaSecuritypolicyruleandthatSecuritypolicyruleandanSSLDecryptionpolicyruleare
configuredonthesamevirtualsysteminthesamezone.AfterperformingSSLdecryption,
thefirewallseesdecrypteddataandnolongerseestheSSLversionnumber.Inthiscase,
theSSLv3vulnerabilityisnotidentified.
Workaround:SSLDecryptionEnhancementswereintroducedinPANOS7.0thatenable
youtoprohibittheinherentlyweakerSSL/TLSversions,whicharemorevulnerableto
attacks.Forexample,youcanuseaDecryptionprofiletoenforceaminimumprotocol
versionofTLS1.2orselectBlock sessions with unsupported versionstodisallow
unsupportedprotocolversions(Objects>Decryption Profile>SSL Decryption>SSL
Forward Proxyand/orSSL Inbound Inspection).
PAN-42141 (70335) WhenatunnelmonitorisenabledforalargescaleVPN(LSVPN)andthetunnelmonitor

This issue is now resolved. isinwaitrecovermode,accessroutesfromtheGlobalProtectgatewaycannotbeinstalled
See PAN-OS 7.0.1 ontheGlobalProtectsatellite.
Addressed Issues.
IfthepasswordfortheadministratorsaccountontheNSXManagercontainsspecial
PAN-42058 (70222) characters(suchas$),PanoramacannotcommunicatewiththeNSXManager.The
inabilitytocommunicatepreventscontextbasedinformation,suchasDynamicAddress
Groups,frombeingavailabletoPanorama.
Workaround:RemovespecialcharactersfromthepasswordontheNSXManager.
PAN-41558 (69458) WhenyouuseafirewallloopbackinterfaceasaGlobalProtectgatewayinterface,traffic

isnotroutedcorrectlyforthirdpartyIPSecclients,suchasStrongSwan.
Workaround:Useaphysicalfirewallinterfaceinsteadofaloopbackfirewallinterfaceas
theGlobalProtectgatewayinterfaceforthirdpartyIPSecclients.Alternatively,configure
theloopbackinterfacethatisusedastheGlobalProtectgatewaytobeinthesamezone
asthephysicalingressinterfaceforthirdpartyIPSectraffic.
PAN-40842 (68330) WhenyouconfigureafirewalltoretrieveaWildFiresignaturepackage,theSystemlog

shows unknown version forthepackage.Forexample,afterascheduledWildFire
packageupdate,thesystemlogshows: Wildfire package upgraded from version
<unknown version> to 38978-45470. Thisisacosmeticissueonlyanddoesnotprevent
theWildFirepackagefrominstalling.
IssueID Description
PAN-40714 (68095) IfyouaccessDevice>Log SettingsonadevicerunningaPANOS7.0orlaterreleaseand

thenusetheCLItodowngradethedevicetoPANOS6.1oranearlierreleaseandreboot,
anerrormessageappearsthenexttimeyouaccessLog Settings.Thisoccursbecause
PANOS7.0andlaterreleasesdisplayLog SettingsinasinglepagewhereasPANOS6.1
andearlierreleasesdisplaythesettingsinmultiplesubpages.Toclearthemessage,
navigatetoanotherpageandreturntoanyLog Settings subpage.Theerrorwillnotrecur
insubsequentsessions.
PAN-40501 (67713) PANOSallowsdowngradetocontentreleaseversions(ApplicationsandThreats)onthe

This issue is now resolved. firewalltoversionsthatthecurrentPANOSreleasedoesnotsupport.Forexample,ifthe
See PAN-OS 7.0.1 firewallisrunningPANOS7.0.1andtheminimumcontentreleaseversionis497,the
Addressed Issues. administratorshouldnotbeabletodowngradetoaversionearlierthan497.
PAN-40429 (67552) FirewallsrunningPANOS6.0andearlierreleasessendaNILvalue(orendash)tothe

syslogserverwhennodomainorhostnamevalueisconfiguredonthefirewall.InPANOS
6.1andlaterreleases,thefirewalldoesnotsendanyvaluewhenthedomainand
hostnamefieldsareempty;instead,thisfieldisleftblankinsyslogheaders.
PAN-40130 (66976) IntheWildFireSubmissionsLogs,theemailrecipientaddressisnotcorrectlymappedtoa

usernamewhenconfiguringmappingwithgroupmappingprofilesthatarepushedina
Panoramatemplate.
PAN-40079 (66887) TheVMSeriesfirewallonKVM,forallsupportedLinuxdistributions,doesnotsupportthe

BroadcomnetworkadaptersforPCIpassthroughfunctionality.
PAN-40075 (66879) TheVMSeriesfirewallonKVMrunningonUbuntu12.04LTSdoesnotsupportPCI

passthroughfunctionality.
PAN-39728 (66233) TheURLloggingrateisreducedwhenHTTPheaderloggingisenabledintheURLFiltering

profile(Objects>Security Profiles>URL Filtering>URL Filtering profile>Settings).
PAN-39636 (66059) RegardlessoftheTime FrameyouspecifyforascheduledcustomreportonaPanorama

MSeriesappliance,theearliestpossiblestartdateforthereportdataiseffectivelythe
datewhenyouconfiguredthereport.Forexample,ifyouconfigurethereportonthe15th
ofthemonthandsettheTime FrametoLast 30 Days,thereportthatPanoramagenerates
onthe16thwillincludeonlydatafromthe15thonward.Thisissueappliesonlyto
scheduledreports;ondemandreportsincludealldatawithinthespecifiedTime Frame.
Workaround:Togenerateanondemandreport,clickRun Nowwhenyouconfigurethe
customreport.
PAN-39501 (65824) UnusedNATIPaddresspoolsarenotclearedafterasinglecommit,soacommitfailsifthe

totalcacheofunusedpools,existingusedpools,andnewpoolsexceedthememorylimit.
Workaround:Commitasecondtime,whichclearstheoldpoolallocation.
PAN-38584 (63962) ConfigurationspushedfromPanorama6.1andlaterreleasestofirewallsrunningPANOS

6.0.3orearlierreleaseswillfailtocommitduetoanunexpectedRule Typeerror.This
issueiscausedbythenewRule Typesettinginsecuritypolicyrulesthatwasnotincluded
intheupgradetransformand,therefore,thenewruletypesarenotrecognizedondevices
runningPANOS6.0.3orearlierreleases.
Workaround:OnlyupgradePanoramatoversion6.1orlaterreleasesifyouarealso
planningtoupgradeallmanagedfirewallstoaPANOS6.0.4orlaterreleasebefore
pushingconfigurationtofirewalls.
PAN-38255 (63186) IfyouperformafactoryresetonaPanoramavirtualapplianceandconfiguretheserial

number,loggingdoesnotworkuntilyourebootPanoramaorexecutethedebug
software restart management-serverCLIcommand.
IssueID Description
PAN-37511 (60851) DuetoalimitationrelatedtotheEthernetchipdrivingtheSFP+ports,PA5050and

PA5060firewallswillnotperformlinkfaultsignalingasstandardizedwhenafiberinthe
fiberpairiscutordisconnected.
PAN-37177 (59856) AfterdeployingtheVMSeriesfirewall,whenthefirewallconnectstoPanorama,youmust

issueaPanoramacommittoensurethatPanoramarecognizesthefirewallasamanaged
device.IfyourebootPanoramawithoutcommittingthechanges,thefirewallwillnot
connectbacktoPanorama;althoughthedevicegroupwilldisplaythelistofdevices,the
devicewillnotdisplayinPanorama>Managed Devices.
Further,ifPanoramaisconfiguredinanHAconfiguration,theVMSeriesfirewallisnot
addedtothepassivePanoramapeeruntiltheactivePanoramapeersynchronizesthe
configuration.Duringthistime,thepassivePanoramapeerwilllogacriticalmessage:
vm-cfg: failed to process registration from svm device. vm-state: active.
ThismessageisloggeduntilyoucommitthechangesontheactivePanorama,whichthen
initiatessynchronizationbetweenthePanoramaHApeersandtheVMSeriesfirewallis
addedtothepassivePanoramapeer.
Workaround:Toreestablishtheconnectiontothemanageddevices,commityour
changestoPanorama(clickCommitandselectCommitTypePanorama).IncaseofanHA
setup,thecommitwillinitiatethesynchronizationoftherunningconfigurationbetween
thePanoramapeers.
PAN-37044 (59573) LivemigrationoftheVMSeriesfirewallisnotsupportedwhenyouenableSSLdecryption

usingtheSSLforwardproxymethod.UseSSLinboundinspectionifyouneedsupportfor
livemigration.
PAN-36730 (58839) WhendeletingtheVMSeriesdeployment,allVMsaredeletedsuccessfully;however,

sometimesafewinstancesstillremaininthedatastore.
Workaround:ManuallydeletetheVMSeriesfirewallsfromthedatastore.
PAN-36433 (58260) IfanHAfailoveroccursonPanoramaatthetimethattheNSXManagerisdeployingthe

VMSeriesNSXeditionfirewall,thelicensingprocessfailswiththeerror:vm-cfg: failed
to process registration from svm device. vm-state: active.
Workaround:DeletetheunlicensedinstanceoftheVMSeriesfirewalloneachESXihost
andthenredeploythePaloAltoNetworksnextgenerationfirewallservicefromtheNSX
Manager.
PAN-36409 (58202) WhenviewingtheSessionBrowser(Monitor>Session Browser),usingtheglobalrefresh

option(toprightcorner)toupdatethelistofsessionscausestheFiltermenutodisplay
incorrectlyandclearsanypreviouslyselectedfilters.
Workaround:Tomaintainandapplyselectedfilterstoanupdatedlistofsessions,clickthe
greenarrowtotherightoftheFiltersfieldinsteadoftheglobal(orbrowser)refresh
option.
PAN-31832 (49742) Thefollowingissuesapplywhenconfiguringafirewalltouseahardwaresecuritymodule

(HSM):
ThalesnShieldConnectThefirewallrequiresatleastfourminutestodetectthatan
HSMhasbeendisconnected,causingSSLfunctionalitytobeunavailableduringthe
delay.
SafeNetNetworkWhenlosingconnectivitytoeitherorbothHSMsinanHA
configuration,thedisplayofinformationfromthe show ha-statusandshow hsm info
commandsisblockedfor20seconds.
PAN-31593 (49322) AfteryouconfigureaPanoramaMSeriesapplianceforHAandsynchronizethe

configuration,theLogCollectorofthepassivepeercannotconnecttotheactivepeeruntil
yourebootthepassivepeer.
IssueID Description
PAN-29441 (45464) ThePanoramavirtualappliancedoesnotwritesummarylogsfortrafficandthreatsas

expectedafteryouenterthe clear log command.
Workaround:Reboot Panoramamanagementserver(Panorama>Setup>Operations)
toenablesummarylogs.
PAN-25743 (40436) FirewallsrunningPANOS6.1andlaterreleasesdonotupdateFQDNentriesunlessyou

enabletheDNSproxyCacheoption(Network>DNS Proxy><DNSProxyconfig>>
Advanced).
ThefollowingtablelistsissuesthatareaddressedinthePANOS7.0.15release.Foranoverviewofnew
featuresintroducedinPANOS7.0andotherreleaseinformation,includingthelistofknownissues,see
PANOS7.0ReleaseInformation.Beforeyouupgradeordowngradetothisrelease,reviewinformation
abouthowtoUpgradetoPANOS7.0.
StartingwithPANOS7.0.11,allunresolvedknownissuesandanynewlyaddressedissuesintheserelease
notesareidentifiedusingnewissueIDnumbersthatincludeaproductspecificprefix.Issuesaddressedin
earlierreleasesandanyassociatedknownissuedescriptionscontinuetousetheiroriginalissueID.
IssueID Description
PAN-74188 Fixedanissuewhereconflictingnexthopentriesintheegressroutingtablecaused
thefirewalltoincorrectlyroutetrafficthatmatchedPolicyBasedForwarding(PBF)
policyrulesconfiguredtoEnforce Symmetric Return.
PAN-73914 AsecurityrelatedfixwasmadetoaddressOpenSSLvulnerabilities
(CVE20173731).
PAN-73045 FixedanissuewhereHAfailoverandfailbackeventsterminatedsessionsthat
startedbeforethefailover.
PAN-72769 AsecurityrelatedfixwasmadetopreventbruteforceattacksontheGlobalProtect
externalinterface(CVE20177945).
PAN-70674 Asecurityrelatedfixwasmadetopreventcrosssitescripting(XSS)attacksthrough
theGlobalProtectexternalinterface(CVE20177409).
PAN-70541 Asecurityrelatedfixwasmadetoaddressaninformationdisclosureissuethatwas
causedbyafirewallthatdidnotproperlyvalidatecertainpermissionswhen
administratorsaccessedthewebinterfaceoverthemanagement(MGT)interface
(CVE20177644).
PAN-69801 FixedanissuewherefirewallsthathadanHAactive/activeconfigurationandwhere
theprimarypeerwasinatentativeHAstatedidnotsynchronizesessionupdate
messagesbetweenthepeers,whichresultedindroppedsessionpacketsaftera
sessionagedout(within30seconds).
PAN-62015 FixedanissueonPA7000Seriesfirewallswhere,whencreatingthekeyforaGRE
packet,thefirewalldidnotusethesamedefaultvaluesforthesourceanddestination
portsinthehardwareandsoftware,whichslowedthefirewallperformance.
PAN-60376 Fixedanissuewheretheauthenticationprocess(authd)stoppedrespondingand
causedthefirewalltorebootafterthefirewallreceivedastaleresponsetoan
authenticationrequestbeforeselectingCHAPorPAPastheprotocolfor
authenticatingtoaRADIUSserver.
PAN-58589 Fixedanissuewherethedataplanerestartedwhenanoutofmemorycondition
occurredonaprocess(pan_comm).
PAN-57520 FixedanissuewherefirewallsstoppedconnectingtoPanoramawhentherootCA
servercertificateonPanoramaexpired.Withthisfix,Panoramareplacestheoriginal
certificatewithanewcertificatethatexpiresin2024.
IssueID Description
PAN-53116 FixedanissueonfirewallswithLACPenabledwhereacommitorLACPflapping
causedamemoryleakinthedataplane.
FPGA-232 FixedanissueonPA5000SeriesfirewallswherepacketsbecamestuckintheFPGA,
whichresultedinpacketlossand,onHAfirewallswithpathmonitoringconfigured,
triggeredafailover.
ThefollowingtableliststheissuesthatareaddressedinthePANOS7.0.14release.Foranoverviewof
newfeaturesintroducedinPANOS7.0andotherreleaseinformation,includingthelistofknownissues,see
PANOS7.0ReleaseInformation.Beforeyouupgradeordowngradetothisrelease,reviewtheinformation
inUpgradetoPANOS7.0.
IssueID Description
PAN-71892 FixedanissuewhereanLDAPprofiledidnotusetheconfiguredport;theprofileused
thedefaultport,instead.
PAN-71073 FixedanissuewhereacommitassociatedwithadynamicupdatecausedanHA
failoverwhenthepathmonitoringtargetIPaddressagedoutorwhenthefirst
pathmonitoringhealthcheckfailed.
PAN-68431 FixedanissuewherefirewallsandPanoramafailedtosendSNMPv3trapsifyou
configuredtheserviceroutetoforwardthetrapsoveradataplaneinterface.
PAN-68074 AsecurityrelatedfixwasmadetoaddressCVE20165195(PANSA20170003).
PAN-67090 Fixedanissuewherethewebinterfacedisplayedanobsoleteflagforthenationof
Myanmar.
PAN-62319 FixedanissuewheremulticastentrieswerepointingtothewrongIPaddressfora
rendezvouspoint(RP)becausearecycledinterfaceIDallocatedforPIMregister
encapsulationretainedanoldtunnelinterfacethatpointedtothewrongRP.
PAN-59654 FixedanissuewherecommitsfailedonthefirewallafterupgradingfromaPANOS
6.1releaseduetoincorrectsettingsfortheHexaTechVPNapplicationonthe
firewall.Withthisfix,upgradingfromaPANOS6.1releasetoaPANOS7.0.14or
laterreleasedoesnotcausecommitfailuresrelatedtothesesettings.
PAN-58496 Fixedanissuewherecustomreportsusingthreatsummarywerenotpopulated.
PAN-56684 FixedanissuewhereDNSproxystaticentriesstoppedworkingwhentherewere
duplicateentriesintheconfiguration.
IssueID Description
PAN-72616 FixedanissueonPA7000Seriesfirewallswheresessionsweredroppedwiththe
flow_bind_pending_fullmessagewhenusingEthernetIP(etherip)protocol97,
whichresultedinunstableconnectionsanddelayedresponses.
PAN-70428 Asecurityrelatedfixwasmadetopreventinappropriateinformationdisclosureto
authenticatedusers(CVE20175583/PANSA20170005).
PAN-70312 Fixedanissuewhereattemptstodownloadthreatpacketcaptures(pcaps)fromthe
threatlogsfailedwiththeerrorFile not found,duetoamissingTimeGenerated
column.
PAN-68072 FixedanissueonVMSeriesfirewallswhererebootingorconfiguringanewL3
interfacecausedtheIPrangeconfiguredonadisabledinterfacetobeincorrectly
installedintheFIBandroutingtableifyoudisabledtheinterfacefromthevSwitch.
PAN-68062 Fixedanissuewherethefirewallfailedtoapplythecorrectactionifthevulnerability
profilehadaverylonglistofCVEs.Withthisfix,thefirewallisabletosupportupto
64CVEspervulnerabilityrule.IfthenumberofCVEsintheruleismorethan64,the
firewallprovidesawarningonconfigurationcommit.
PAN-67944 Fixedanissuewhereaprocess(all_pktproc)stoppedrespondingbecausearace
conditionoccurredwhenclosingsessions.
PAN-66838 AsecurityrelatedfixwasmadetoaddressaCrossSiteScripting(XSS)vulnerability
onthemanagementwebinterface(CVE20175584/PANSA20170004).
PAN-64638 FixedanissuewherethefirewallfailedtosendaRADIUSaccessrequestafter
changingthemanagementinterfacesIPaddress.
PAN-63204 FixedanissuewherethefirewallincorrectlyassignedanexpiredUserIDIPmapping
for30secondsaftertheoriginalmappinghadexpired.
PAN-62822 FixedanissuewherethefirewalldroppedRTPtrafficmatchingapredictsession
whenavideocallinitiatedfromtheexternalsideofasharedgateway.Withthisfix,
whenapredictsessiongoesacrossadifferentvsysorasharedgateway,thefirewall
usestheegressinterface'svsystolookupthedestinationzoneinsteadofthe
session'svsys.
PAN-62074 FixedanissuewheretheUserIDagentincorrectlyreadtheIPaddressinthesecurity
logsforKerberosloginevents.
IssueID Description
PAN-61837 FixedanissueonPA3000SeriesandPA5000Seriesfirewallswherethedataplane
stoppedrespondingwhenasessioncrossedvsysboundariesandcouldnotfindthe
correctegressport.Thisissueoccurredwhenzoneprotectionwasenabledwitha
SYN Cookiesaction(Network > Zone Protection > Flood Protection).
PAN-60662 Fixedanissueondeviceswherecommitsfailedduetoissueswithaprocess(authd).
PAN-60591 Fixedanissuewhereacustomroleadministratorwithcommitprivilegescouldnot
commitconfigurationsusingtheXMLAPI.
PAN-59204 FixedanissuewherethefirewalldidnotcreateanIPSecNATTsessionafteratunnel
rekeyuntilitoriginatedatunnelkeepalive.Whenthisissueoccurred,thefirewall
droppedNATTtrafficpackets.
PAN-57338 Fixedanissuewhereaslowfiledescriptorleakbetweentwoprocesses(mgmtsrvrand
pan_log_receiver)causedthelogreceivertostoprespondinganddegraded
managementserverperformance.Thisissueoccurredafteralongdeviceuptimeof
morethan380days.
PAN-56839 Fixedanissuewherethedataplanestoppedrespondingwhenachangetothe
aggregateEthernet(AE)linkconfigurationwascommitted,resultinginanunexpected
pathmonitoringcondition.
PAN-56700 FixedanissuewheretheSNMPOIDifHCOutOctetsdidnotcontaintheexpected
data.
PAN-48095 FixedanissuewherethePanoramadynamicupdatescheduleignoredthecurrently
installeddynamicupdateversion,andinstalledunnecessarydynamicupdates.
IssueID Description
PAN-69485 FixedanissuewhereUserIDgroupmappingdidnotretaingroupsretrievedfrom
ActiveDirectory(AD)serversiftherewereanyinvalidgroupsinthegroupmapping
includelist.
PAN-68045 FixedanissueonPA7000SeriesfirewallswhereforwardingtoWildFirefaileddue
toanincorrectcalculationoffilesize.
PAN-67986 FixedanissuewherethedataplanerestartedduetoacorruptionintheQoSqueue
pointer.
PAN-67587 Fixedarareconditionwhereadataplaneprocess(all_pktproc)stoppedresponding.
PAN-67231 FixedanissueonPA5000SeriesandPA3000Seriesfirewallswherethedataplane
restartedwhenprocessingtrafficthathadanincorrectlysetIPv4Reservedflag.
PAN-66540 FixedanissuewherethemanagementinterfaceandHAinterfacesflappedduring
installationofasoftwareupgrade,whichcausedHAfailoverorsplitbrain.
PAN-64662 Fixedanissuewherelatencyintermittentlyspikedover3msforIPsectraffic.With
thisfix,theconditionsthatcontributedtolatencyspikesareaddressed.
PAN-64368 FixedanissueonPA7000SeriesfirewallswhereapplyingaQualityofService(QoS)
profiletoanAggregatedEthernet(AE)interfacecausedthereportedmaximum
egressfortheAEinterfacetodifferfromthesumoftheegressvaluesofthe
individualinterfacesintheaggregate.Withthisfix,QoSstatisticscorrectlyreportthe
configuredQoSvalueofanAEinterface.
PAN-64263 Fixedanissuewhereforwardproxydecryptionfailediftheservercertificaterecord
sizeexceeded16KB.
PAN-63796 FixedanissueonPA7000Seriesfirewallswhereinternalloopingoftunnelcreation
packetscausedhighdataplaneCPUusage.
PAN-63142 FixedanissueonfirewallswherethedataplanerestartedwhenprocessingIPv6
trafficthatmatchedapredictsession.
PAN-61534 FixedanissueonthewebinterfacewhereattemptingtoaddmultipleIPaddressesto
securitypolicies(Policies > Security)failedwiththeerrorrange separator(-)
not found -> Destination is invalid.
PAN-61367 FixedanissuewherethefirewallfailedtosendaTCPreset(RST)totheclientside
andserversidedeviceswhenanapplicationhadaReset bothdenyactioninits
securitypolicy.
IssueID Description
PAN-61146 FixedanissuewherechangingorrefreshinganFQDNconfigurationwithalarge
numberofIPaddressentries(morethan32IPv4andIPv6entries)inasingleFQDN
objectcausedthefirewallorPanoramatostopresponding.
PAN-60751 FixedanissuewherecommitfailedwhenanIKEv2dynamicpeerhadthesame
proposalasanIKEv2staticpeerwiththesametunnelsourceinterface.Withthisfix,
auserisallowedtocreateonedynamicIKEv2peerwiththesameproposalasastatic
peer,withbothpeerssharingthesametunnelinterface.
PAN-60681 FixedanissuewherePanoramadidnotcorrectlyverifyDevicegroupobjectswhen
pushingconfigurationswithalargenumberofobjectstofirewalls,whichcaused
commitfailureswithobjectvalidationerrors.
PAN-60222 FixedanissuewherePanoramaallowedyoutoconfigureadecryptiontypeonNo
Decryptpolicies.WhenPanoramapushedthesepoliciestofirewalls,itsetthe
decryptiontypetothedefaultvalueSSL Forward Proxy.Withthisfix,whenyou
selectNo Decryptasapolicyruleaction,Panoramadisablesconfigurationofthe
decryptiontype.
PAN-60182 InresponsetoanissuewhereLACPflappedintermittentlyduetonegotiation
failures,priorityforLACPprocessingisenhancedtomitigateflapping,andadditional
debugoptionsareaddedtohelpisolatenegotiationfailures.
PAN-59411 Fixedanissueonfirewallswhereaprocess(logrcvr)stoppedresponding.Withthisfix,
theprocessusesthecorrectbuffersizetopreventthefault.
PAN-58516 FixedanissueonPA500andPA2000Seriesfirewallswherecorruptionofan
instructioncachecausedthefirewalltorestart.Thisissueoccurredafterthefirewall
wasincontinuousoperationwithoutarestartforhundredsofdays.
PAN-58341 FixedanissuewherePanoramachangedLDAPgroupmappingsto<ssl>no</ssl>,
whichpreventedendusersfromconnectingwhenthesemappingswerepushedto
devices.ThisissueoccurredwhenupgradingfromaPANOS6.1releasetoa
PANOS7.0release.
PAN-57946 FixedanissueontheM100appliancewhereaconfigurationforasubnetinthe
permittedIPaddressesofinterfaceEth1orEth2failedtotakeeffect.
PAN-57819 FixedanissuewheredisablingandimportinglocalcopiesofPanoramapoliciesand
objectsresultedinexclusionofLogForwardingprofileimportsonmultiplevirtual
systems(multivsys).
PAN-57787 FixedanissueonPanoramawhere,ifyouusedtheCLIreplacecommandtoreplace
adeviceserialnumber,Panoramaupdatedthemanageddeviceserialnumberbutdid
notupdatetheserialnumberinthedeploymentscheduleandincustomreports.
PAN-57715 Fixedanissuewherethefirewalldidnotsendallofthesupportedalgorithmsinthe
signaturealgorithmextensionofclient hellowhennegotiatingconnectionswith
someSSLsitesaccessedfromversion50oftheChromebrowser,whichcausedthose
connectionattemptstofail.
PAN-57593 FixedanissuewhereadecryptionpolicystoppeddecryptingSSLtrafficifyou
enabledWait for URLonSSLdecryption.
IssueID Description
PAN-57145 Fixedanissuewhere,ifthefirewallperformedIPandportNATinthepathofa
GlobaProtectLargeScaleVPN(LSVPN)IPSectunnel,arekeycausedthefirewall
sidetotemporarilychangebacktothedefaultportnumberforthenewtunnel,and
theintermediateNATdevicedroppedtrafficuntiltheoldtunneltimedoutorwas
deletedmanually.Withthisfix,whenarekeyhappens,thefirewallsearchesand
appliesthecorrectportnumbertothenewtunnelimmediatelytopreventtraffic
drops.
PAN-57121 FixedanissuewhereaVMSeriesfirewallthatwasinFIPSCCmodecouldnot
connecttoaPanoramaserverthatwasinnormalmode.
PAN-56918 Fixedanissuewherefirewallsdidnotrecognizemalwarethathadbeen
Base64encodedinazippedRTFfileduringanSMTPsession.
PAN-56569 FixedanissuewherethetophalfoftextlinesfailedtodisplaycorrectlyinthePDF
versionoftheAppScopeThreatMonitorReport(Monitor > App Scope > Threat
Monitor).
PAN-56009 FixedanissueonfirewallsinstalledinanHAactive/activeconfigurationwhere
outoforderjumbopacketscausedthedataplanetorestart,whichresultedina
failover.
PAN-55958 FixedanissuewherethefirewalldidnotproperlyprocessactiveFTPdatasessionsif
theFTPclientreusedwithinashortperiodoftimethedestinationportnumber
thatwasnegotiatedintheFTPcontrolsession.
PAN-55881 FixedanissueonPA5000Seriesfirewallswherethedataplanerestartedinresponse
toanoutofmemorycondition.Thisissueoccurredwhenadataplaneprocess
stoppedresponding,andtheinformationcollectionprocedurethatfollowsaprocess
failurerequiredmorememorythanwhatwasavailable.Withthisfix,theinformation
collectionproceduredoesnotrunwhenalowmemoryconditionispresent.
PAN-55737 FixedanissueonPA200firewallswhere,afterthefirewallrebootedandbeforeNTP
synchronizationoccurred,thefirewallreportedareboottimewithoutatimezone
calculationtoPanorama.
PAN-55243 Fixedanissuewhereanadministratorwithreadonlyprivilegewasunabletoexport
CorrelatedEventslogsinCSVformat.
PAN-55190 FixedanissuewherefirewallsfailedtoresolvedURLsonthedataplane.Thisissue
occurredwhenanoutofmemoryerrorcausedfaultsintheURLcache.Withthisfix,
firewallshandleoutofmemoryerrorscorrectly,allowingproperresolutionofURLs.
PAN-55045 FixedanissuewhereaddingobjectssuchastagstoPanoramausingtheXMLAPI
resultedinthoseobjectsnotbeingvisibleunderPolicies,Addresses,orServices.
PAN-54423 FixedanissuewherethefirewallfailedtomaketheCLIconfigurationset
authentication radius-vsa-on client-source-ippersistentacrosssystemrestart.
PAN-54279 FixedanissuewheretheFTPfiletransferofalargenumberofsmallfilesfailed
becausethefirewalldidnotinstalltheFTPdatachannelsessioninatimelymanner.
PAN-53885 Fixedanissuewherenonsuperuseradministratorscouldnotseeexemptprofilesand
securitypolicyruleswhenviewingthreatdetailsinathreatlog.
PAN-52274 FixedanissuewheretheUserIDprocess(useridd)stoppedrespondingduetoan
issueinaninternallibrary,whichcausedthefirewalltoreboot
IssueID Description
PAN-52177 FixedanissueonPA7000Seriesfirewallswhereanewlyinstalledandenabled
NetworkProcessingCard(NPC)didnothaveacorrectlyprogrammedforwarding
table,whichcausedthefirewalltodroppacketsuntiltheforwardingtablewas
manuallyflushed.Withthefix,thefirewallcorrectlyprogramstheforwardingtable
uponslotstartup.
PAN-52007 FixedanissuewhereQoSstatisticsforaspecificinterfacewereemptyafteradevice
reboot.
PAN-49890 FixedanissuewhereexportingcustomreportstoCSV,XML,andPDFfailed.
IssueID Description
PAN-66677 FixedanissueonPA5000Seriesfirewallswheretrafficloopedinfinitelybetween
dataplanes,whichcausedalossoftheaffectedtrafficandaspikeinCPU
consumption.
PAN-66250 Fixedanissueonlogcollectorswhereadeadlockoccurredforinterlogcollector
connections,whichcausedconnectivityissuesbetweenlogcollectorsandfrom
firewallstologcollectors.Thisissuealsocausedlocalbufferingoflogsonthefirewall.
Withthisfix,logcollectorconnectionprocessinghasbeenmodifiedtoeliminatethis
deadlock.
PAN-66210 Fixedanissuewhereadataplaneprocessfailedtorestartduetoamissingorcorrupt
file,whichcausedthenetworkprocessingcard(NPC)torestart.
PAN-64360 Fixedanissuewherethefirewallfailedtopopulatetheemailsender,recipientand
subjectinformationforWildFirereports.
PAN-63073 Securityrelatedfixesweremadetopreventdenialofserviceattacksagainsttheweb
managementinterface(PANSA20160035).
PAN-62782 Fixedanissuewhere,ifanLDAPrefreshqueryterminatedbeforecompletion,the
firewalldeletedusersbelongingtothedomainusergroupintheactivedirectory(AD).
PAN-62385 Fixedanissuewhere,ifthefirewalllostconnectivitywithanLDAPserverorifyou
appliedaninvalidqueryfilter,andthesedisruptionsoccurredduringaUserIDgroup
mappingupdate,thefirewalldeletedexistingusergroupmappings.Withthisfix,
disruptionsduringaUserIDgroupmappingupdatewillcausethefirewalltostop
addingnewusergroupmappings,andthefirewallwillnotdeleteexistingusergroup
mappings.
PAN-61815 FixedarareissuewhereVMSeriesfirewallsstoppedgeneratingtraffic,threatorURL
logs,orlosttheabilitytoresolvetheURLcategory.
PAN-61554 Fixedanissueonfirewallswhereamemoryleakinaprocess(authd)causedall
authenticationstothefirewalltofail.
PAN-61104 Asecurityrelatedfixwasmadetoaddressalocalprivilegeescalationissue
(PANSA20160034).
PAN-61046 Asecurityrelatedfixwasmadetoaddressacrosssiterequestforgeryissue
(PANSA20160032).s
IssueID Description
PAN-58673 FixedanissuewherethefirewalldidnotuseasecondLDAPserverforauthentication
ifthefirstLDAPserverwasunreachable.
PAN-58418 FixedanissuewherePanoramacouldnotsynctotheNSXmanagerafterarebootor
afailover,whichcausedaserviceoutage.Withthisfix,syncworksasexpected.
PAN-58410 FixedanissueonVMSeriesfirewallsinanHAconfigurationwhere,afterafailover
occurred,aninterfaceontheactivefirewalldisplayeditsstatusas
ukn/ukn/down(autoneg).
PAN-58086 Fixedanissueonfirewallswhereaprocess(devsrvr)restartedifyoucommitteda
configurationthatusedmorethan64vendorIDsinasinglevulnerabilityprotection
rule.Withthisfix,ifyoucommitaconfigurationwithmorethen64vendorIDsina
singlerule,youreceiveawarningthatyouhaveexceededthemaximumnumberof
IDs,andtheprocessrestartdoesnotoccur.
PAN-57855 Fixedanissuewherethefirewallstoppedforwardinglogsanddiscardedlogseven
whentheincomingloggingratewaslow.Withthisfix,theprocessingoflogsis
optimizedtoincreaseprematching,andCPUloadisreducedtopreventthequeue
frombecomingfullanddiscardinglogs.
PAN-57323 FixedanissuewhereVPNtrafficwentintoadiscardstatebecausethefirewall
allowedpacketstobesentthroughthetunnelpriortothecompletionoftheIKE
Phase2rekeyprocess.
PAN-57055 FixedanissueonVMSeriesfirewallswheretrafficprocessingsloweddownfortwo
tothreeminutesafterthefirewallreceivedaburstofpacketsontheHA2datalink.
PAN-56978 FixedanissuewhereaVMwareNSXeditionfirewallhadincorrectaddressgroup
objectspushedviaPanoramaupdates.
PAN-56973 Fixedanissueonfirewallswhereemailsconfiguredtousethepervirtualsystem
(vsys)SMTPservicerouteweresentusingtheglobalSMTPserviceroutesettings.
Withthisfix,emailsusetheconfiguredvirtualsystemSMTPserviceroute.
PAN-56775 Fixedanissueonfirewallswhere,ifyouconfiguredthefirewalltoperformamonthly
updateoftheexternalblocklist(EBL),thefirewallincorrectlyinitiatedanEBLrefresh
jobeverysecond.
PAN-56650 Fixedanissuewherealogcollectorfailedtosendthesystemlogtotheactive
PanoramapeerinanHAactive/passivePanoramaconfigurationaftertheactivepeer
restarted.
PAN-56616 Fixedanissuewherethefirewalltruncatedusergroupnameswhenthename
exceeded150characters.Withthisfix,thefirewallpreservesthecompletegroup
nameeveniftheusergroupnameexceeds150characters,uptoamaximumof255
characters.
PAN-56438 FixedanissueonfirewallswheretheinternalvalueforblocktimeintheDenialof
Service(DoS)tableexceededtheconfiguredblocktime.Thisissueoccurredon
firewallsinstalledinanHAconfiguration.
PAN-56332 FixedanissuewherecommitsonPanoramafailedbecauseaprocess(cord)stopped
responding.
IssueID Description
PAN-56280 Fixedanissuewherethefirewalldisplayedthestatusofa10GSFP+virtualwire
interfaceas10000/full/upwhentheconfiguredstateoftheinterfacewas
auto/auto/down.ThisissueoccurredwhenLink State Pass ThroughinNetwork>
Virtual Wireswasenabled.
PAN-56221 Asecurityrelatedfixwasmadetoaddressacrosssitescripting(XSS)conditioninthe
webinterface(PANSA20160033).
PAN-56200 Fixedanissuewherethefirewallallowedaccesstothesearchengine'scached
versionofawebpageeventhoughthepagebelongedtoaURLcategoryblockedby
apolicy.
PAN-56034 FixedanissuewhereWildFireplatformsexperiencednonresponsiveprocessesand
suddenrestartsundercertainclientstrafficconditions.
PAN-55651 Fixedanissueonfirewallswhere,regardlessoftheconfiguredmetric,OSPF
preferredType2externalmetricsoverType1externalmetrics.
PAN-55560 Fixedanissueonfirewallswhereamemoryconditioncausedthedataplanetorestart
withthemessageDataplane is down: too many dataplane processes exited.
PAN-55237 AsecurityrelatedfixwasmadetoaddressanXPathinjectionvulnerabilityintheweb
interface(PANSA20160037).
PAN-55199 Fixedanissuewhere,ifyouusedSNMPtocheckthestatusofatunnelinterface,the
firewallprovidedincorrectinformation.
PAN-54696 Fixedanissueonfirewallswhereincorrecthandlingofselectiveacknowledgment
(SACK)packetscausedadecreaseindownloadspeedsonSSLdecryptedtraffic.
PAN-53039 FixedanissueonfirewallswheretheSNMPifOperStatusOIDdidnotreflectstate
changesoftheaggregateEthernet(AE)interfacesinanLACPtrunkconfiguration.
PAN-52901 Fixedanissuewherethedataplanerestartedanddataplaneprocessesstopped
respondingwhenpassingSSHtrafficusingSSHdecryption.
PAN-52379 AsecurityrelatedfixwasmadetoaddressCVE20155364and20155366
(PANSA20160025).
PAN-52183 FixedanissuewherePanoramamanagementserversrunningPANOS7.0oralater
PANOSreleasefailedtodisplayordownloadreportsreceivedfromfirewallsrunning
PANOS6.1orearlierreleases.
PAN-52164 FixedanissuewhereTrafficlogsreportedcumulativebytesforsessionswithTCP
portreuse,whichcausedcustomreportstoincorrectlyreportthebytecount.
PAN-49397 Fixedanissueonfirewallswhereaprocess(varrcvr)stoppedrespondingwhenyou
requestedWildFirestatisticsafterreceivinganunexpectedresponsecodefromthe
WildFireCloud,suchasanerrorresponsecodeduringqueryorupload.
PAN-48508 FixedanissuewherethepassivePanoramaserverinanHAconfigurationdidnot
displayapplicationdataintheApplicationCommandCenter(ACC)orinAppScope.
IssueID Description
102600 Fixedanissueonfirewallswhere,ifyouconfiguredGlobalProtecttouse
certificatebasedauthentication,usersonChromebookendpointsreceivedprompts
tologonusingusernameandpassword.
101406 FixedanissueonfirewallswhereCPUutilizationonthedataplanewashigherthan
expected.
101089 FixedanissuewhereafirewallincorrectlyappliedSSLdecryptiontotrafficina
customURLcategory.Thisissueoccurredwhenthefirewallinspectedtraffic
betweentheclientandanexplicitHTTPproxy,andtheclienthellomessagedidnot
containservernameinformation(SNI).
100129 FixedanissueonfirewallsinanHAactivepassivepairwhereHAconfigurationsync
failed.Thisissueoccurredwhenconfigurationsyncfromtheactivefirewallhappened
whilethepassivefirewallwasinastatewherealocalcommitfailed.Withthisfix,
configurationsyncfromtheactivefirewalloverwritestheconfigurationonthe
passivefirewall,andconfigurationsyncsucceeds.
100115 Fixedanissueonfirewallswherethedataplanerestartedwhileprocessingachainof
tunnelpackets.
99918 Fixedanissueonfirewallswhereaprocess(devsrvr)restartedrepeatedlyduetoa
problemwiththeinternalURLcachestructure.
99818 Fixedanissuewherethefirewalldidnotprovideablockedpageresponseifyou
accessedablockedapplicationoverHTTPS.
PAN-60568 AsecurityrelatedchangewasmadetoaddressaversiondisclosureinGlobalProtect
99786 (PANSA20160026).
99057 Fixedanissueonfirewallswhere,ifyouconfiguredvirtualrouterswithOSPFType5
externalrouteswithnonzeroforwardaddresses,theroutingtablesofsomevirtual
routersdidnotcontaintheroutes.Withthisfix,OSPFType5externalroutesinstall
asexpectedinthevirtualrouters.
98684 FixedanissueonVMSeriesfirewallswhere,ifpathmonitoringforHAusedIPv6
addressing,thefirewallusedthewrongIPv6addressandpathmonitoringchecking
failed.
98602 FixedanissuewherethePanoramamanagementserverhadamemoryincreasedue
tosyncingofWildFirereportsfromPanoramatologcollectors.
98388 FixedanissuewherethefirewallbroughtdownatunnelthatterminatedatanIKE
gatewayconfiguredfordynamicIPaddressingwhentheIPaddressofthegateway
changed.Withthisfix,thefirewalldoesnotbringdownatunneliftheIKEgateway
dynamicIPaddresschanges.
IssueID Description
98188 FixedanissueonfirewallswhereHAfailoverdidnotoccurimmediatelyafterthe
controlplanefailedontheactivefirewall.
97466 FixedanissueonfirewallswhereaTCPreassemblyfailureforareusedTCPsession
preventedusersfromaccessingWindowsServer2012sitesandapplications.
97282 FixedanissueonPA7000Seriesfirewallswhereaslotstoppedrespondingduetoa
memorycondition.
97063 FixedanissueonfirewallswhereUserIDgroupmappingstoppedworkingduetoa
racecondition.
96800 Fixedanissueonfirewallswhere,ifyoumonitoredserverstatusfromtheuser
interface,theconnectionstateappearedtotogglebetweentheconnectedand
disconnectedstateseventhoughtheserverremainedconnected.Thisissueoccurred
forserverswithagentlessusermappingwhenyouselectedEnable SessioninDevice
>User Identification>User Mapping>Palo Alto Networks User-ID Agent Setup>
Server Monitor.
96155 FixedanissueonVMSeriesfirewallswherethepassivefirewallinterfaceinanHA
pairwentdown,evenwithPassiveLinkStatesettoautointheHAconfiguration.
96082 FixedanissuewherethefirewallrespondedtoMicrosoftnetworkloadbalancing
(MSNLB)multicastpacketsbyincorrectlysendingthemulticastaddressasthe
sourceaddress.
PAN-57659 Asecurityrelatedfixwasmadetoaddressacrosssitescriptingconditionintheweb
95895 interface(PANSA20160031).
95864 FixedanissuewheretheGlobalProtectportaldidnotnegotiateencryption
algorithmscorrectly,whichcausederrorsonrecentreleasesofbrowserswithnewly
availablestrictercheckingenabled.Afterthisfix,theportalnegotiatesthecorrect
algorithmstoeliminatebrowsererrors.
95797 FixedanissueonPanoramawhere,ifyouselectedGroup HA Peers,previously

selectedindividualfirewallsbecameunselected,leavingonlythemostrecently
selectedfirewallsaspartofthegroupingconfiguration.
95604 FixedanissuewherefirewallsconfiguredwithOSPFv3adjacencyandAH
authenticationheaderprofilesfailedtoestablishfulladjacencybecausethe
fragmentedOSPFv3packetsfailedtheAHauthenticationcheck.
95034 Fixedanissueonfirewallswhere,ifyouusedtheXMLAPItoredistributeUserID
mappinginformation,andthemappingusedatimeoutvalueofNEVER,thefirewall
incorrectlychangedthetimeoutvalueto3600.
94853 FixedanissuewherePanoramaincorrectlyremovedtheLDAPdomainfieldwhenit
pushedatemplateconfigurationtoafirewallrunningaPANOS6.xrelease.This
issueoccurredinaconfigurationwhenPanoramausedaPANOS7.xreleaseand
firewallsusedamixtureofPANOS6.xandPANOS7.xreleases.
94615 Fixedanissueon7000SeriesfirewallswherethedesignatedLogCardinterfacedid
nottransmitagratuitousARPuponfailover,whichcausedconnectivityissueswith
neighboringdevices.
94435 FixedanissuewhereafirewallfailedtolearnofOSPFneighborsthatwereon
interfacesconfiguredwithamaximumtransmissionunit(MTU)of9216becausethe
OSPFdatabaseexchangefailedforjumbopackets.
IssueID Description
94282 FixedanissueonPA7000SeriesfirewallsconfiguredasHApairswhere,afterthe
activefirewallfailedovertobecomethepassivefirewall,thenewlypassivefirewall
restartedwiththeerrormessage:internal packet path monitoring failure.
Withthisfix,thefirewallwillnotrestartafterbecomingpassive.
94166 Fixedanissueonfirewallswhere,ifyouconfiguredaNetflowprofileunderavirtual
system(vsys),youcouldnotassigntheNetflowprofiletoasubinterfacepartofsame
vsys.
94136 FixedanissuewhereaPA200firewallreportedanantivirusupdatejobassuccessful
whentheupdatedownloadedwithoutinstalling.Withthisfix,alargertimeoutvalue
allowstheinstallationtocomplete.
94115 Fixedanissueonfirewallswhere,ifyouimplementedanauthorizationprofilefor
OSPFwithMD5authenticationonafirewallconfiguredforFIPSCCmode,the
dataplanerestarted.
93770 FixedanissuewherethefirewallinterpretedatruncatedexternaldynamiclistIP
address(suchas8.8.8.8/)as0.0.0.0/0andblockedalltraffic.Withthisfix,thefirewall
ignoresincorrectlyformattedIPaddressentries.
93394 FixedanissueonfirewallswherethedataplanerestartedwhenprocessingSSL
packetswithanoversizedLayer2header.
92934 FixedanissuewhereafirewallconfiguredforDHCPrelay(withmultipleDHCPrelays
orincertainfirewallvirtualsystemconfigurations)rebroadcastaDHCPpacketonthe
sameinterfacethatreceivedthepacket,whichcausedabroadcaststorm.Withthis
fix,thefirewalldropsduplicatebroadcastsinsteadofretransmittingthem.
92912 FixedanissueonPanoramawhereanadministratorreceivedaFile not found

errorwhenattemptingtoviewathreatpacketcapture(pcap).
92701 FixedanissuewherePanoramadisplayedanunauthorized requestmessagetoa

devicegroupandtemplateadministratorwhentheadministratorattemptedtoview
shareddevicegrouppolicies.
92621 Fixedanissuewhereforwardedthreatlogsusedinconsistentformattingbetween
theRequestfieldandthePanOSRefererfield.Withthisfix,thePanOSRefererfield
usesdoublequotesforconsistencywiththeRequestfield.
92523 Fixedanissuewhere,forfirewallsinanHAactive/activeconfiguration,anOracle
redirectspredictsessionsynchronizedtothepeerdevicebecamestuckinthe
OpeningStatebecausetheparentsessionwasnotinstalledonthepeerdevice.
Withthisfix,thefirewallensurestheparentsessionisinstalledonthepeerdevice
andtheOracleredirectspredictsessiontransitionstoactivestatetoallowfor
successfulOracleclienttoservercommunication.
91474 FixedanissuethatpreventedafirewallinCommonCriteriaEvaluationAssurance
Level4(EAL4)modefromconnectingtoPanoramaHApairunitsinCommonCriteria
(CC)mode.
91086 FixedanissuewherethefirewallexperiencedBGPdisconnectionsbecausethe
firewallfailedtosendkeepalivemessagestoneighborswithinspecifiedtimers.
90596 FixedanissueonPA5000SeriesfirewallswheretheFPGAdidnotinitialize.With
thisfix,theFPGAisautomaticallyreprogrammedafteraninitializationfailuresothat
itcanattemptmultiplereinitializationsbeforetriggeringabootfailure.
IssueID Description
90508 SecurityrelatedfixesweremadetoaddressCVE20160777andCVE20160778
(PANSA20160011).
90145 FixedanissuewherethesystemloginPanoramadidnotcontaincompleteusername
andjobIDinformation.Withthisfix,PanoramadisplaystheusernameandjobID
correctly,butfirewallscontinuetoshowpanoramaastheusernameinsystemlogs
forcommitallconfigurations.
89891 FixedanissuewhereThreatlogsforwardedfromthefirewallhadanextracolon
whenusingTCPforthetransportprotocol.Withthisfix,theformatofforwardedlogs
overTCPandUDPisconsistent.
89284 FixedareportingissuewherethenonstandardportACCwidgetsdisplayed
inaccurateinfo.Thisissueoccurredwhentrafficonthefirewallranonstandardports
matchingcustomapplicationspushedbyPanorama.
88841 Fixedanissueonfirewallswhereaprocess(routed)stoppedresponding.
88651 Fixedanissuewhereaprocess(useridd)stoppedrespondingwhentherunningconfig
wasmissingtheportnumberassociationsfortheTerminalServices(TS)Agent.
88194 FixedanissuewherePanoramadidnotlogiftheForceTemplateValuesoptionwas
inthecheckedstatewhenapplyingaTemplateorDeviceGroupcommit.Withthis
fix,thePanoramalogswillindicateiftheForceTemplateValuesoptionisinthe
checkedstatewhendoingaTemplateorDeviceGroupcommit.
87870 FixedanissuewhereanOSPFroutewithaloweradministrativedistancethanthe
staticrouteshouldbecomethepreferredroutebutwasnotinstalledandusedas
expected;thefirewallcontinuedtousethestaticrouteinstead.
87727 Fixedanissuewhereavirtualsystemcustomroleadministratorcouldnotadd
usertoIPmappingsusingtheXMLAPI.
87052 FixedanissuewherefirewallscouldnotuseanEUregionAWSvirtualprivatecloud
asaVMinformationsource.Thisissueoccurredbecausethefirewallusedsignature
version2tosignAPIrequestswhiletheEUregionAmazonMachineImage(AMI)
usedsignatureversion4.Withthisfix,thefirewallusesthesupportedsignature
version.
85361 Fixedanissuewhere,ifyouusedtheCLItoinputmorethan126addressesinan
addressgroupor126URLsinanallowlist,thefirewalldidnotapplythe
configuration.
83569 FixedanissuewheremultipleQoSchangeswhileunderaheavyloadcausedthe
dataplanetorestart.
82165 FixedanissuewhereafirewallconfiguredtoblockURLcategoriesoverHTTPSdid
notsendaFIN/ACKtothebrowsertoclosetheconnectionaftersendingablock
page.ThisissueoccurredforfirewallsconfiguredtoperformNAT.
81451 FixedanissueonPanoramawheredevicegroupandtemplateadministratorswere
unabletochangetheirownpasswords.
81178 Fixedanissuewhere,ifyoufilteredtheURLlogs,thereturnedresultsdidnotinclude
expectedmatches.
79472 FixedanissuewherePanoramatruncatedsystemlogsto180characters.
ThefollowingtableliststheissuesthatareaddressedinthePANOS7.0.9release.Foranoverviewofnew
IssueID Description
99505 FixedanissueonfirewallswherelongclientIDscausedtheDHCPservicetostop
responding,leadingtoafirewallrestart.
98510 Fixedanissuewhereexportedlogfilesdidnotcorrectlyescapecertaincharacters,
suchascommas(,),backslashes(\),andequaltooperators(=).
98327 FixedanissueonfirewallswhereanFQDNrefreshoracontentupdatetriggeredan
unexpectedconfigurationcommitafteryouappliedaprecommitvalidation.With
thisfix,anFQDNrefreshoracontentupdatewillnottriggeraconfigurationcommit.
98112 FixedanissuewithfirewallsinanHAactive/activeconfigurationwheresession
timeoutsforsometrafficwereunexpectedlyrefreshedafteracommitorHAsync
attempt.
97763 FixedanissuewhereaPA200firewallfailedtodownloadaPANOSsoftware
updateduetoanincorrectdiskspacecalculation.
97571 Fixedanissueonfirewallswhereeusingpreviousportinformation(tcpreuse)for
newsessionscausedtrafficinthosesessionstobedropped.
97247 FixedanissuewhereaPA200firewallfailedtodownloadacontentupdatedueto
diskspaceissuesafterafailedantivirusupdateinstallation.Withthisfix,thefirewall
will,aspartoftheupdateinstallationprocess,cleanupalltemporaryfilesevenifthe
updateinstallationfails.
97099 Fixedanissuewhere,afterimportingtheconfigurationfromaPanoramaM100
devicetoaPanoramaM500device,theexistingsecurityprofilesandlogforwarding
profilescouldnotbeselected.
95622 SecurityrelatedfixesweremadetoaddressissuesidentifiedintheMay3,2016
OpenSSLsecurityadvisory(PANSA20160020).
95462 FixedanissueonPA5000andPA7000Seriesfirewallswherethedataplane
repeatedlystoppedresponding.
95133 Fixedanissuewherefirewallincorrectlyappliedpolicybasedforwarding(PBF)to
sessionscreatedviaprediction(suchasftpdatasessions).
94765 FixedanissuewhereNATtranslationdidnotworkasexpectedwhenthe
administratordeletedavirtualsystem(vsys)fromafirewallwithmultiplevirtual
systems(multivsys)andNATrulesconfiguredwithoutfirstdeletingNATrules
associatedwiththevsys.Withthisfix,whentheadministratordeletesavsys,the
firewallautomaticallydeletesNATrulesassociatedwiththatvsys.
94573 Fixedanissuewhere,underspecificconditions,afirewalldroppedincoming
PSH+ACKsegmentsfromtheserver.
IssueID Description
94569 FixedanissuewhereintegratedWildFirereportfromWF500didnotdisplay
correctlywhenusingInternetExplorer11.
94165 FixedanissuewherethefirewallgeneratedWildFireSubmissionslogswithan
incorrectemailsubjectandsenderinformationwhensendingmorethanoneemailto
arecipientinaPOP3session.
93961 Fixedanissuewhereaprocess(configdormgmtsrvr)restartedduetotheuseof
specialcharacters,suchasabracketcharacter[or]inasearchfield(for
example,intheAddresssection).
93865 FixedanissueonanM100applianceinLogCollectormodewherelocallycreated
proxyconfigurationswerelostwhenacommitwasperformedfromPanorama.With
thisfix,locallycreatedproxyconfigurationspersistafteraPanoramacommit.
93855 FixedanissuewheretheDNSproxytemplateobjectthatwaspushedfromPanorama
didnotoverridethatobjectonthefirewallasexpected.
93783 Fixedanissueonfirewallswhereautocommitfailedifanadministratorconfiguredan
IPSectunnelusingthemanualkeymethod.
93778 FixedarareissuewhereabindrequestfromthefirewalltotheLDAPserverfailed.
93667 FixedanissueonfirewallswheretheGlobalProtectendpointincorrectlyfailedthe
HostInformationProfile(HIP)evaluationwhenthereisanemptymissingpatchtag
intheHIPReportandtheChecksettingforpatchmanagementinHIPObjectscriteria
wassettohas-all(Objects>GlobalProtect>HIP Objects>Patch Management>
Criteria).
93540 Fixedanissuewhereareadonlysuperusercouldnotexportathreatpacketcapture
(PCAP)filefromtheGUI,whichdisplayedaFile not foundmessage.
93531 Fixedanissueonfirewallswhere,ifyouexportedtoCSVformatfromtwoormore
customscheduledreports,theexportprocessproducedthesamefileforboth
reports.
93508 Fixedanissuewhereaprocess(logrcvr)stoppedrespondingandrestartedrepeatedly
afteranupgradetocontentreleaseversion571,whichcausedthefirewalltoreboot.
Contentreleaseversion572mitigatedthisissuebutthisfixensuresthatfirewalls
runningPANOS7.0.9andlaterreleases(orPANOS7.1.2andlaterreleases)willnot
beaffectedbythisissue.
93449 FixedanissuewheretheAPIbrowserdisplayedtheincorrectXMLAPIsyntaxforthe
show arp allcommand.
92863 Fixedanissuewhereaprocess(mgmtsrvr)stoppedrespondingandcreatedcorefiles
duringfirewallstartup.
92752 FixedanissuewherePanoramaexportedanincompleteCSVfilebecauseacustom
reportnamecontainedaspace.
92684 Fixedanissueonfirewallswhereaprocess(l3svc)stoppedrespondingwhen
processingalargenumberofuserauthenticationrequests.
92677 FixedanissuewheretheComodoRSAcertificateauthority(CA)wasnotincludedin
thedefaulttrustedrootonthefirewall,whichcausedSSLdecryptiontofailonsites
usingthisastheirCA.
IssueID Description
92610 FixedanissueonPA200firewallswherethefirewallstalledduringbootupafteran
upgradefromPANOS6.1.12oranearlierPANOS6.1releasetoaPANOS7.0or
laterrelease.
92472 Fixedanissuewhere,duringtheconnectionofasatellitetotheGlobalProtect
gateway,theOnlineCertificateStatusProtocol(OCSP)verificationforthe
GlobalProtectcertificatefailedbecausetheOCSPresponsedidnotcontainthe
signaturecertificate.
92466 FixedanissueonPanoramawhereyoucouldnotenablethesettingremove tcp

timestampinazoneprotectionprofilepushedviaatemplatefromPanorama7.0.x
todevicesrunningaPANOS6.1release.Withthisfix,Panoramawillbeabletopush
theremove tcp timestampconfigurationtodevicesrunningaPANOS6.1release.
PAN-55259 AsecurityrelatedfixwasmadetoaddressmultipleNTPvulnerabilities
92106 (PANSA20160019).
91998 Fixedanissuewheretheset application dump on ruleCLIcommanddidnot

workforSecuritypolicyrulespushedtofirewallsfromPanorama.
91785 FixedanissuewhereaPanoramaprocess(configd)stoppedrespondingwhentrying
toaddtagstomultiplefirewalls(Panorama > Managed Devices)atthesametime.
91522 Fixedanissuewhereaclonedapplicationnamecouldnotbeeditedafteritwas
clonedfromaShared/DeviceGrouplocationtoaSharedlocation.Withthisfix,the
clonedapplicationnamesareeditable.
91379 Fixedanissuewhereanoutofsequencepacketwaspassedthroughthefirewall.
91269 Fixedanissuewherethefirewallrestartedthedataplaneafteraprocessstopped
responding.
91156 FixedanissueonPanoramawhereperforminglogqueriesandreportsresultedin
incorrectreportingofmultiplePanoramaloggedinadministratorsonPA7000Series
firewalls.
91034 FixedanissueontheWildFireplatformwhere,ifthesnmp.logfilewasover5MB,the
SNMPdaemon(snmpd)processclearedthelogfileandrestarted.
90933 Fixedanissuewherethefirewallgeneratedsuperfluouslogs(fortrafficthatdidnot
matchtheconfiguredfilters)afteryouenableddataplanedebugging.Withthisfix,
thefirewallwillcorrectlyfilterthelogs,butsomesuperfluouslogswillbeobserved.
90691 FixedanissueonfirewallsrunningaPANOS7.0orlaterreleasewheretheweb
interfacebecameinaccessible(502 bad gatewayerror)whensendingahighrate
ofconcurrentUserIDXMLAPIPOSTrequests.
90677 Fixedanissueonfirewallswheretheflow_mgmtprocessstoppedresponding,which
causedthedataplanetorestart.
90618 FixedanissueonPanoramawherecreatinganexemptionforathreatnamefromthe
Threatlogcausedthewebinterfacetodisplaytheexemptionmultipletimes
dependingonthenumberofsubdevicegroups.Afterthefix,theinterfacecorrectly
displaysonlyoneprofilename.
90252 FixedanissuewherefirewallsdeployedinanActive/Activeconfigurationdropped
DNStrafficpacketswithacorrespondingincrementinthesession_state_error
counter.
IssueID Description
90141 ImprovedoutputofthecommandrequestbatchlicenseinfoonPanoramatoinclude
licenseexpirationtimes.
90106 Fixedanissuewhereaprocessrestartedunexpectedlyduetothereuseofaprocess
ID(PID).ThePIDwasassociatedwithanoldSSHsessionthatthefirewallintended
toterminatebecausetheSSHsessionhadtimedoutbutwasneverclosedproperly,
whichinadvertentlyresultedinarestartoftheprocesscurrentlyassociatedwiththat
PID.
89984 Asecurityrelatedfixwasmadetoaddressastackoverflowcondition
(PANSA20160024).
89620 FixedanissuewhereSSLinbounddecryptionfailedwhenaclientsentaClientHello
withTLS1.2whiletheserversupportedonlyTLS1.0.
89264 FixedanissuewhereDNSresolutionfailedwhenmessagecompressionwasdisabled
ontheDNSserver,whichresultedincasemismatchbetweenCNAMEqueryand
answervaluesinDNSserverreplies.Withthisfix,thefirewallignorescaseinCNAME
valuessothatqueryandanswervaluesmatchandDNSrequestsresolvesuccessfully.
88585 FixedanissuewhereDNSproxyrulesdidn'tconsistentlymatchadomainnamewith
thecorrectprimaryIPaddresses.Withthisfix,matchinglogicfavorsresultsthatdo
notincludewildcards.
88225 FixedanissuewherethefirewallcouldnotregisterwiththeWildFirepubliccloud
duetoaproblemwiththelogcachesizebecomingtoolarge.Withthisfix,alimitation
mechanismisaddedtocontrolthelogcachesize.
87414 Fixedacosmeticissuewherethetrafficlogtypewasdisplayedintheseverity
columnoftheLogForwardingprofile.
87223 Fixedanissuewhereaprocess(mprelay)stoppedrespondingduetoaracecondition
relatedtotheageoutlogicforMFIBentries.
87154 FixedanissuewherefirewallsstoppedforwardingdatatotheWildFirecloud.With
thisfix,iftheconnectiontotheWildFirecloudfails,thefirewallattemptsto
reconnectaftertheinitialfailureandresumesforwardingwhensuccessfully
reconnected.
86990 Fixedanissueonafirewallwhereaprocess(sslvpn)repeatedlyrestartedduetoan
internalthreadsynchronizationissue.
86979 FixedanissuewhereanincompleteIPSectunnelconfiguration(onewithoutanIKE
gatewayspecified)causedthefirewallserverprocesstostopresponding.
85015 FixedanissuewheretheAPIdidnotlistCorrelated Eventsassupportedlog

types.Withthisfix,thetype=log parameterintheAPIincludeslog-type=corr,
log-type=corr-detail,andlog-type=corr-categassupportedlogtypes.
Formoreinformation,refertoRetrieveLogs(API).
83086 Fixedanissuewheretheoutputoftheshow dos-protection <zone-name>

blocked sourcecommanddidn'tdisplaythecorrectdatafortherequestedzone.
83008 FixedanissuewhereVMSeriesfirewallsexperiencedpacketloss.Withthisfix,an
internalbufferisincreasedinsizetopreventthepacketloss.
IssueID Description
82613 FixedanissuewherefirewallsdownloadedmultipleCertificateRevocationLists
(CRLs)becausetheCRLverificationprocessdidnotsupportcertainextensiontypes
inthelist.Withthisfix,ifthefirewallencountersaCRLwiththeextensionIssuing
Distribution PointitwillreturnthestatusofthecertificateasUnknown.
81750 FixedanissueonPA200firewallswherefilesinthe/tmppartitioncausedalowdisk
spacecondition.Withthisfix,somefilesin/tmparerelocatedtootherpartitionsto
improvediskspaceallocation.
80628 FixedanissuewhereWildFirecontentupdatesshowedtimestampswithfuture
dates.
69900 FixesintroducedinPANOS7.0.0areenhancedinthisrelease.Withthisfixinthe
PANOS7.0.9release,thetechsupportfilecontainsafilteredversionofthe
php.debug.logfile,whichwasexcludedfromthepreviousfix.
44888 Fixedanissueonfirewallswhere,ifyouenabledSYNcookies,droppingtheoriginal
SYNpacketandsendingSYNACKbacktotheclientincorrectlytriggeredan
incrementintheflow_dos_rule_dropcounter.
IssueID Description
97313 FixedanissuewherethemanagementplaneofPanoramaM100andM500
appliancesstoppedrespondingwhenrenamingobjectsorsecuritypoliciesdueto
memorycorruption.
96792 FixedanissuewherecommitsfailedduetoamemoryleakrelatedtoHAsyncofthe
candidateconfigurationthatcausedthepassivePanoramapeertostopresponding.
94757 FixedarareissueonfirewallswhereSecuritypolicyrulesincludedemptydynamic
blocklists(0.0.0.0/0)afteraCommitfromPanoramawithForce Template Values
enabled.
93729 FixedanissuewhereSSHdecryptioncausedadataplanememoryleakandrestart.
93072 Asecurityrelatedchangewasmadetoaddressanissueinthepolicyconfiguration
dialog(PANSA20160014).
92763 Fixedanissuewherecommitsfailedduetoavalidationerrorthatoccurredwhen
PanoramapushedAuthenticationSequenceprofilesthatincludedavirtualsystem
thatwasnotmigratedproperlyduringanupgradefromaPanorama6.1releasetoa
Panorama7.0orlaterrelease.
92391 FixedanissuewherefirewallTrafficlogsdisplayedunusuallylargebytecountsfor
sessionspassingthroughproxyservers.
92293 AsecurityrelatedfixwasmadetoaddressCVE20161712(PANSA20160012).
91900 FixedanissuewhereaPanoramavalidateoperationfollowedbyanFQDNrefresh
causedthevalidatedconfigurationchangetocommittothefirewall.
91886
91876 FixedanissuewherethepassivefirewallinaVMSeriesESXiconfigurationwas
processingandforwardingtraffic.
91799 FixedanissuewereaPA7050firewalldidnotdisplaylogsasexpectedandcaused
aprocess(logrcvr)tostopresponding.
91728 AsecurityrelatedfixwasmadetoaddressaDenialofServiceconditionrelatedto
theAPI(PANSA20160008).
91724 Fixedanissuewhereanautocommitofanincrementalantivirusupdatefailedaftera
reloadduetoacorruptvirussignaturesfileandafailedincrementalinstallation.With
thisfix,incrementalcontentinstallationhasenhancedprotectionstoprevent
autocommitfailures,andwilllogadditionalinformationtoassistwith
troubleshooting.
91653 FixedanissuewhereSSLdecryptiondidnotworkasexpectedforresumedsessions.
IssueID Description
91643 FixedarareissuewheretrafficthattriggeredanSSLdecryptURLproxyaction
causedaprocess(all_task)torestart.
91497 FixedanissuewherestalenexthopMACentriespersistedonthesessionoffload
processorafteryoumodifiedasubinterfaceconfiguration,whichcausedSSH
connectionstofail.Withthisfix,themanagementplanecachenolongerduplicates
nexthopMACentries,whichpreventsthestaleentriesthatcausedSSHconnections
tofail.
91336 Fixedanissuewherethepacketprocessorstoppedrespondingwhenproxypackets
wereswitchedtothefastpathgrouponthedataplane.
90982 FixedanissuewhereupgradingfromaPANOS6.1releasetoPANOS7.0.3ora
laterPANOS7.0releasecausedtheGlobalProtectportalorgatewayandSSL
decryptionprocessestostopresponding.ThisissueoccurredbecauseSSL/TLS
ServiceProfiles(introducedinPANOS7.0)werenotcreatedsuccessfullyifyoudid
notenablemultiplevirtualsystem(multivsys)functionalityonthefirewall.Withthis
fix,SSL/TLSServiceprofilesarenowsuccessfullycreatedonnonmultivsys
platformswhenupgradingtoPANOS7.0.8orlaterreleasesortoPANOS7.1
releases.
90857 FixedanissuewithaPanoramapassivepeerinanHAconfigurationwhere
administratorswereunabletoconfiguretheDynamicUpdatesschedulefor
ApplicationsandThreatsupdates.
90856 Fixedanissuewherethedialogforcreatingcertificatesandthedialogforediting
certificateshaddifferentcharacterlimitsforthecertificatename.Withthisfix,the
certificatenamefieldinbothdialogsallowsupto63characters.
90842 FixedanissuewherethefirewallreceivedanunencryptedemptyISAKMPpacketin
quickmodethatcausedaprocess(ikemgr)tostopresponding.
90794 Fixedanissuewherealogfile(/var/log/wtmp)inflatedandconsumedthe
availablediskspace.Withthisfix,PANOSsoftwareusesalogrotationfunctionto
preventlogfilesfromconsumingmorediskspacethannecessary.
90680 FixedanissueonPA500firewallswherecertainprocesses(l3svcandsslvpn)stopped
respondingafterthefirewallattemptedadynamicupdate.
90635 Asecurityrelatedfixwasmadetoaddressacrosssitescriptingconditioninthe
ApplicationCommandCenter(ACC)(PANSA20160009).
90553 FixedanissuewhereDataFilteringandWildFireSubmissionslogsfornonNAT
sessionscontainedincorrectorinvalidNATinformation.
90326 FixedanissueonPA7000Seriesfirewallswherebotnetreportswerenotcreated
consistentlyduetoalogcleanupjobthatranjustpriortowhenthebotnetreports
weregenerated,whichonsomedaysresultedinemptyornobotnetreports.With
thisfix,thebotnetlogcleanupjobtakesplaceafterthedailygenerationofbotnet
reportssothatdailyreportsarecreatedandpopulatedasexpected.
90256 FixedanissuewheredecryptedSSHsessionswerenotmirroredtothedecrypt
mirrorinterfaceasexpected.
90249 FixedanissuewhereupgradingfromaPANOS6.1orearlierreleaseprevented
administratorsfromoverridingLDAPgroupmappingsthatwerepushedfrom
Panorama.
IssueID Description
90044 FixedanissuewherelogforwardinginPanoramafailedwhenusingsyslogoverTCP.
89979 FixedanissuewheretheAggregateEthernet(AE)interfaceportinvirtualwiremode
withlinkstatepassthroughenabledcameupafteracommit;althoughitspeerAE
interfaceportwasdown.Withthisfix,theotherAEinterfaceportwillcomeupafter
thecommitandisthenbroughtdowninapproximately10seconds.Thiscausesboth
AEinterfacestostaydownuntilthefirstAEinterfacerecovers.
89917 FixedanintermittentissuewhereoneormoreinterfacesonaVMSeriesfirewall
deployedintheAmazonWebServices(AWS)cloudcouldnotobtainIPaddresses
fromaDHCPserverafterbootingup.
89910 FixedanissuewhereallLLDPpacketsweresentwiththesourceMACaddressofthe
MGTinterfaceinsteadofthedataplaneinterfacefromwhichtheyweretransmitted.
Withthisfix,LLDPpacketsareencapsulatedwiththesourceMACaddressofthe
interfacethattransmittedthepacket.
89743 Fixedanissuewherecommitsfailedduetoprocesses(configdandmgmtsrvr)that
stoppedresponding.Thisissuewascausedbymemorycorruptionrelatedtothe
schedulingofWildFiredynamicupdates.
89551 FixedanissuewhereUserActivityReportsdeliveredviatheEmailSchedulerdidnot
includeusernamesthatcontainedGermancharacters.
88646 FixedanissuewherepredictedFTPsessionswerenotestablishedasexpectedfrom
theparentFTPsession.
88346 FixedanissuewhereafirewallwassendingBGPpacketswiththewrongMD5
authenticationvalue.
88327 FixedanissuewhereseveralvalidcountrycodesweremissingintheCertificate
Attributessectionwhengeneratingacertificatefromthewebinterface.
88157 Fixedanissuewithreducedthroughputfortrafficoriginatingonthefirewalland
traversingaVPNtunnel.
87851 Fixedanissuewherehighratesoffragmentedpacketscausedthefirewallto
experienceaspikeinpacketbuffer,descriptor,andCPUusage.
87741 FixedanissueonPA3000Seriesfirewallswherethedataplanerestartedafteran
upgrade.
87179 Fixedanissuewhereavirtualsystem(vsys)inaPanoramatemplatewasassigned
duplicatevsysnumbersduringcommittothefirewall.
86767
86623 FixedanissuewhereafirewallinanHAactive/passiveconfigurationdroppedFTP
PORTcommandpacketsafterafailover.
86123 FixedanissuewhereanM100applianceinanHApairhadaprocess(configd)
repeatedlyrestart,causingHAsynctofail.
85160 Fixedanissuewhereafirewalllostmembersofadomaingroupafterafailoverfrom
theprimarytothesecondaryLDAPserverwhenthelastmodifiedtimestampforthe
groupwasnotthesameonbothservers.
IssueID Description
84115 Fixedanissuewherevirtualsystemadministrators(fullaccessorreadonly)were
unabletoaccesssettingsundertheNetworktab(Panel for undefined not
registeredwasdisplayed,instead).
83239 FixedanissuewhereinboundSSLdecryptiondidnotworkasexpectedwhenyou
enabledSYNcookies.
PAN-48954 SecurityrelatedfixesweremadetoaddressissuesidentifiedintheMarch19,2015
81411 andJune11,2015OpenSSLsecurityadvisories(PANSA20160028).
80953 FixedanissueonfirewallsinanHAactive/activeconfigurationthatincludedvirtual
wireinterfaceswherepacketsdidnotadheretovirtualwireforwardingpathsand
causedMACaddressflappingonneighbor.
77822 FixedanissueonaVMSeriesNSXeditionfirewallthatsentDynamicAddressGroup
informationonlytotheprimaryvirtualsystem(VSYS1)ontheintegratedphysical
firewallatthedatacenterperimeter.Withthisfix,aVMSeriesNSXeditionfirewall
configuredtoNotifyDeviceGroupsendsDynamicAddressGroupupdatestoall
virtualsystemsonaphysicalfirewallrunningPANOS7.0.8oralaterPANOS7.0
release.
BeforeyouupgradetoPANOS7.0.3oralaterPANOS7.0release,reviewtheinformationabouthowtoupgradea
firewalltoPANOS7.0.Additionally,ifvirtualsystem(vsys)configurationisnotenabledonyourfirewallorappliance,
youmustrebootyourfirewallorapplianceafteryouinstallPANOS7.0.1andbeforeyouupgradetoPANOS7.0.3
oralaterrelease.
IssueID Description
94912 FixedanissueinPANOS7.0.6whereWF500appliancesreturnedfalsepositive
resultsprimarilyforMicrosoftWord(.docx)files.
93775 Fixedanissuewherepacketdiagnosticsfailedduetoanunnecessarilylargedebug
logrelatedtoHA3packetforwarding.
93644 FixedanissueonPA3000Seriesfirewallswhereprocessingjumboframesthatwere
largerthan7,000bytesduringaperiodofheavytrafficcausedtheFPGAtostop
responding.Withthisfix,theFPGAthresholdsareadjustedtocorrectlyhandleupto
9KBjumboframes.
93612 Asecurityrelatedfixwasmadetoaddressaprivilegeescalationissue
(PANSA20160015).
93228 FixedanissueonPA7050firewallsinanHAactive/activeconfigurationwhere
jumboframesthatincludedtheDF(donotfragment)bitweredroppedwhencrossing
dedicatedHA3ports.
92413 Asecurityrelatedchangewasmadetoaddressaboundarycheckthatcauseda
servicedisruptionofthecaptiveportal(PANSA20160013).
91771 FixedanissuewhereafirewalldidnotsendTCPpacketsoutduringthetransmit
stageinthesameorderasthosepacketswerereceived.
91443 FixedanissuewhereaPanoramaM100appliancepurgedlogsduetoanincorrect
quotasize.
91079 FixedanissueonaVMSeriesfirewallwhereanungracefulrebootcausedDynamic
IPaddressinformationtogetoutofsync.
91075 FixedanissuewheretheLSVPNtunnelinterfacefailedtopasstrafficafterupgrading
aGlobalProtectLSVPNsatellitetoaPANOS7.0releasewhiletheGlobalProtect
LSVPNgatewaywasstillrunningaPANOS6.1orearlierrelease.Additionally,the
tunnelinterfaceflappedifyouenabledtunnelmonitoring.Theseissuesoccurreddue
tochangestotheencryptionalgorithmnameswhenintroducingSuiteBciphersin
PANOS7.0.Withthisfix,GlobalProtectLSVPNsatellitesrunningPANOS7.0.7(or
PANOS7.1)orlaterreleasessuccessfullyrecognizetheoldnamesusedinPANOS
6.1andearlierreleasessothatLSVPNtunnelsareestablishedandpasstrafficas
expected.
IssueID Description
90433 FixedanissuewhereoverridesofthedefaultrulesintheSharedpolicytook
precedenceovertheoverridesofdefaultrulesinadevicegroup.Withthisfix,
overrideprecedencenowbehavesasdesigned(overridesofdefaultrulesinthe
lowestleveldevicegrouptakeprecedenceoverthosesettingsinthehigherlevel
devicegroupsandShared).
90194 FixedanissuewherefirewallswithoutanyWildFirepublicsignatures(hadnever
downloadedanyoroldsignatureshadbeendeleted)didnotproperlyleverage
WildFireprivatecloudsignatureswhenmonitoringtraffic.
90158 FixedanissueonPA7000Seriesfirewallswhereaggregateoutboundtrafficwas
incorrectlylimitedbythechassisswitchfabricswitchingcapacity.
90070 Fixedanissuewhereamemoryleakassociatedwiththeauthenticationprocess
(authd)causedintermittentaccessandauthenticationissues.
90029 FixedanissuewhereaGlobalProtectgatewayrejectedthesamerouteslearnedfrom
differentLSVPNsatelliteswhentheroutesweredestinedforadifferentvirtual
router.
89761 Fixedanissuewhereascheduledlogexportfailedtoexportthelogsifthepassword
intheconfigurationcontainedthedollarsign("$")character.
89588 FixedanissuewherepacketsthathadtoberetransmittedduringSSLdecryption
werenothandledcorrectly,whichresultedinadepletedsoftwarepacketbuffer.
89503 Fixedanissuewhereusergroupmappingswerenotproperlypopulatedintothe
dataplaneafterafirewallreboot.
89413 FixedanissuewherePanoramatemplatecommitsfailedwhenthenamesofseveral
certificatesintheDefaultTrustedCertificateAuthoritieslistchanged.Thisoccurred
whenPanoramawasrunningaPANOS7.0releaseandpushedatemplatetoa
firewallrunningaPANOS6.1orearlierrelease.
89385 FixedanissuewithfirewallsinanHAactive/activeconfigurationwheresession
timeoutsforsometrafficwereunexpectedlyrefreshedafteracommitorHAsync
attempt.
Thisfixintroducedaknownissue:PAN59037(97806).
89296 FixedanissuewhereacommitfailedafterrenamingaPanoramasharedobjectthat
wasalreadyreferencedintherulesonalocalfirewall.
89108 FixedanissuewhereafirewalldidnotadvertiseprefixestosomeBGPpeerswhen
expected.
88689 Fixedanissuewhereamemoryleakassociatedwiththeauthenticationprocess
(authd)causedcommitattemptstofail.
88450 FixedanissuewhereLayer3interfaceswithoutdefinedIPaddresses,zones,or
virtualroutersdroppedLLDPpackets,whichpreventedthefirewallfromobtaining
anddisplayingneighborinformation.
88421 FixedanissuewhereWildFirereportsweregeneratedforfilesalreadyblockedbythe
AntivirusprofileSMTPdecoder.
88325 FixedanissuewhereaPA500firewallrunningaPANOS7.0.1orlaterreleaseand
withDNSProxyenabledfailedtoconnecttoUserIDagentsusingFQDN.
IssueID Description
88313 Fixedanissuewherereadonlydeviceadministratorswereunabletoviewlogsonthe
ACCtab.
87911 Fixedanissuewherescheduleddynamicupdatestomanagedfirewallsstopped
functioningaftermigratingthePanoramaVMtoanM500appliance.
87880 FixedanissuewheretheXMLAPIrequesttotestSecuritypolicywasnotproperly
targetedtoaspecifiedvirtualsystem(vsys),whichmadetherequestapplicableonly
tothedefaultvsys.Withthisfix,theXMLAPIrequesttotestSecuritypolicyisable
toretrieveresultsforanypreviouslytargetedvsys.
87833 FixedanissuewhereWildFireupdatescausedtheinterfacetoflap.
87729 FixedanissuewherethedataplaneonthepassivefirewallinasyncedHA
configurationrestartedduetoaDecryptionprofilethatdidn'thaveanyassociated
Decryptionpolicyrules,whichresultedinSSLproxysessionsthatweredroppedon
thepassivefirewallwhentheactivefirewallbecamesuspendedduringafailover.
87594 FixedanissueonMSeriesappliancesthatcausedthe show ntp CLIcommandto

timeout.
87094 FixedanissuewherecommittingapolicyonPanoramathatcontainedinterfacesthat
weremanuallydefinedgeneratedtheerror: [interface name] is not an allowed
keyword.
86977 FixedanissuewhereLDAPsessionssourcedfromPanorama,afirewall,oranM100
appliancewerekeptopenandnotactivelyrefreshed,whichcausedsessionsto
timeoutwhentheytraversedthepeerfirewall(orthedataplaneonthesamefirewall)
and,ultimately,causedauthenticationattemptstofailwhenrequestscouldnolonger
reachtheLDAPserver.Withthisfix,akeepalivemechanismisaddedthatis
triggeredafter15minutesofsessioninactivityandthatallowsamaximumoffive
failedprobesbeforedroppingaconnection(probesoccurin60secondintervals).
86821 Fixedanissuewheretheserverprocess(devsrvr)stoppedrespondingwhen
attemptingtoaccessaURLwithmultiplenestedchildren,whichcausedthe
dataplanetorestart.
86686 SecurityrelatedfixesweremadetoaddressissuesreportedintheOctober2015
NTP4.2.8p4SecurityVulnerabilityAnnouncement.
86313 Fixedanissuewherethe failed to handle CONFIG_COMMIT errorwasdisplayed

duringacommit.
86202 Fixedanissuewherethemanagementplanestoppedrespondingifyoumodifiedan
objectreferencedinalargenumberofrules.
86189 FixedanissuewherethefirewalldidnotsendSNMPv3trapsthatusedanIPv6server
address.
86122 FixedanissuewhereanLACPAggregateEthernet(AE)interfaceusingSFPcopper
portsremaineddownafteradataplanerestart.
85344 FixedanissuewherescheduleddynamicupdateinstallationcausedtheHAlinkto
flap.
85265 FixedanissueintheXMLAPIthatpreventedareadonlysuperuserfrom
downloadingcustompacketcaptures.
84997 FixedanissueonPA7000Seriesfirewallswherethefirstautocommitattemptfailed.
IssueID Description
84461 FixedaPanoramaissuewherethevirtualmemoryforaprocess(configd)exceededits
allocation,whichcausedcommitandHAsyncattemptstofail.
84146 FixedanissueinPANOS7.0releaseswherethesourceanddestinationfieldwasno
longerincludedasexpectedinerrormessagesthatweretriggeredwhenrequeststo
deleteaddressobjectsfailed.Withthisfix,thesourceanddestinationinformationis
againincludedintheerrormessage.
84027 FixedanissuewhereafirewallallowedsomeHTTPGETpacketstopassthrough
evenwhentheURLFilteringprofilewasconfiguredtoblockpacketsinthisURL
category.
83564 FixedanissuewhereacertificateCommonName(CN)containingUTF8characters
causedcommitrequeststofailbecausethedecodedCNstringexceededthe
64characterlimit.
82918 FixedanissuewherereenteringanLDAPbindpasswordthroughtheCLIusinga
hashvalue(insteadofaregularpassword)wasrejectedforhavingtoomany
characters.
77460 FixedanissueonafirewallwithanexpiredBrightCloudlicensewherethespecified
vendorwasunexpectedlyandautomaticallychangedfromBrightCloudtoPANDB
whenanyfeatureauthcodewaspushedfromPanoramatothefirewall.
76661 Fixedanissuewherevoltagealarmsweretriggeredincorrectly(voltagewaswithin
theappropriaterange).
74443 AsecurityrelatedfixwasmadetoaddressCVE20150235.
73082 Fixedanissuewhereafirewallprocess(all_pktproc)stoppedrespondingduetoan
issuewithNATpoolallocation.
BeforeyouupgradetoPANOS7.0.3oralaterPANOS7.0release,reviewtheinformationabouthowto
upgradeafirewalltoPANOS7.0.Additionally,ifvirtualsystem(vsys)configurationisnotenabledonyour
firewallorappliance,youmustrebootyourfirewallorapplianceafteryouinstallPANOS7.0.1andbeforeyou
upgradetoPANOS7.0.3oralaterrelease.
ForWF500appliances,thePANOS7.0.7maintenancereleaseaddressesanissuethatwasintroducedin
PANOS7.0.6thatcausesfrequentfalsepositiveverdictsforMicrosoftOfficedocuments.Youareadvisedto
upgradeWF500appliancesto7.0.7orlaterreleasesandareadvisednottoinstallthe7.0.6image.
IssueID Description
92671 Fixedanissuewheretrafficthatwasoffloadedtohardwarewasnotforwarded
properly.ThisoccurredonPA3050andPA3060firewallsandprimarilywithSSL
traffic.
90992 FixedanintermittentissuewheretheinitialGlobalProtectclientconnectiontoa
GlobalProtectportalorgatewayfailedwiththeerror: Valid client certificate
is required.ThisoccurredwhenthecertificateprofileusedCRL/OCSPtocheck
certificatevalidityandwasduetoaproblemwiththecertificatenotbeingavailable
inthedataplanecache.Subsequentconnectionsworkedbecausethecertificatewas
addedtothecacheduringtheinitialconnectionattempt.
90904 FixedapacketdropissueonPA7000SeriesfirewallsinHAconfigurationsrunning
aPANOS7.0.3throughPANOS7.0.5release.ThisoccurredduetoaMACaddress
lookupissueoninterfacesinanAggregateEthernet(AE)interfacegroupthatwere
partofaVLAN.
89881 FixedanissuewheretheUserIDagenttruncatedNetBIOSnameswithmorethan
14characters.Asaresult,userswithdomainnameslongerthan14characterswere
notgrantedaccess.
89880 AddedanewCLIoperationalcommand(set authentication radius-auth-type

<auto|chap|pap>)forMSeriesappliancesinPanoramamodetoaddressan
incompatibilityissuebetweenPANOSandsomeRADIUSservers.Withthisfix,you
canmanuallyoverridetheautomaticselectionmechanismandchoosebetween
CHAPandPAP.
89317 Fixedanissuewhereimproperdatapatternorderingoccurredafteranadministrator
deleteddatapatternsfromanexistingDataFilteringprofile,whichsubsequently
causedanerror(rule is already in use)whenattemptingtoaddanewdata
pattern.Withthisfix,youcanaddordeletedatapatternsinanyorder.
88794 Fixedanissuewhereonetimepassword(OTP)RADIUSauthenticationfailedwhen
thedomainselectionfieldwasusedintheauthenticationprofile.
88696 Fixedanissuewhere,undercertainconditions,aprocess(mpreplay)frequently
restartedduetoexcessiveinternalmessaging.
IssueID Description
88570 FixedanissuewhereaNeighborSolicitation(NS)packetusedtorefreshIPv6
neighbortableswassentoutthroughaVLANinterfacewithoutaVLANtag.TheNS
packetwastaggedcorrectlywhentheneighborentrywasinitiallycreatedbutthe
packetusedtorefreshthetablewassentwithoutthetag,whichcausedthetable
updatetofailwhentheneighbordidnotreceiveanappropriatelytaggedresponse.
88168 FixedanissuewhereVMSeriesfirewallsrunningonan8coreplatformchangedthe
passivefirewalltoactivewhenasocketerroroccurred.Thesocketremainedclosed
untilaninterfacerelatedchangewasmade.
88125 FixedanissuewhereTCPsegmentsforDNSqueriesweredroppedwhenthe
segmentsweresmallerthan12bytes.
87482 Asecurityrelatedchangewasmadetomanagementplaneaccountrestrictionsto
avoidservicedisruption.
87285 FixedanissuewhereaUserActivityReportPDFforthelast30daysgeneratedan
errorwhenthereportcontainedmorethan100,000lines.
87257 Fixedanissuethatcausedadataplanerestartwhenthefirewallwasconfiguredasa
DHCPrelayandreceivedDHCPrequestsfromathirdpartyDHCPserverorclient
thatexceededthepayloadlengthspecifiedinRFC2132.
87158 Fixedanissuewheresomepacketswereduplicatedintheegressstage.Thisoccurred
onmultidataplanefirewallswhentrafficflowedfromvirtualsystemtovirtualsystem
orfromvirtualsystemtoasharedgateway.Anupdatehasbeenmadetoprevent
packetduplication.
86980 Fixedanintermittentissuewherecommitsfailedduetoinvalidfilepermission
warningsrelatedtoSSHauthentication.
86970 FixedanissuewheredecryptiononthefirewalldidnotfunctionwhenusingChrome
tobrowsecertainwebsitesbecauseChromeeliminatedinsecurefallbacktoTLS1.0.
86916 FixedanissuewheretrafficburstsenteringaPA3000Seriesfirewallcaused
shorttermpacketlosseventhoughtheoveralldataplaneutilizationremainedlow.
Thisissuewastypicallyobservedwhentwofirewallinterfacesonthesamefirewall
wereconnectedtoeachother.Withthisfix,internalthresholdsweremodifiedto
preventpacketlossintheseconditions.
86671 FixedanissuewherePanoramadidnotrecognizethreatIDsgeneratedbyaWF500
appliance,whichpreventedyoufromconfiguringanexemptionforthesethreatsin
Panoramathatcouldbepushedtomanagedfirewalls.
86633 FixedanissuewherethewebinterfaceindicatedthatanewDHCPrelayconfigured
intheCLIwasenabledeventhoughtherelaywasnot,yet,enabledfromtheCLI.
86321 FixedanissuewhereSSHdecryptioncausedadataplanememoryleakandrestart.
86251 Fixedanissuewhereanadministratorwasunabletoretrievelogpartitionutilization
usingSNMPafteraddingadditionalvirtualdiskspaceonPanorama.
85913 FixedanissuewhereanadministratorwasunabletoaddmorethanoneXAuth
GlobalProtectgatewayonthesameinterface.
85880 Enhancedthesyslogvariablelisttoinclude cef-number-of-severity.
IssueID Description
85110 FixedanissuewherethefirewallsentgratuitousARP(GARP)packetsforaninterface
IPaddressusedinadestinationNATrulefromallinterfacesinthezonewherethat
interfacebelonged.Withthisfix,theGARPpacketsaresentonlyfromtheinterface
thatownstheIPaddress.
84949 FixedanissuewhereM100appliancesinanHAactive/activeconfiguration
forwardedlogsonlytoonesyslogserver,eventhoughtwosyslogserverswere
defined.Thisissueoccurredonlyontheprimarysecondaryapplianceandwasdueto
anHAsyncissue.
84665 FixedanissuewheretheCommiticonincorrectlyindicatedpendingconfiguration
changesafteranApplicationsandThreatsupdate.
84641 FixedanissuewheresomeDNSrequestswereforwardedtothewrongDNSserver
theonepreviouslybutnolongerconfiguredonthefirewall.
84339 Fixedanissuewhereasinglesessionconsumedthemajorityofthepacketbuffer
resources.Withthisfix,youcanuseinformationintheoutputoftheshow running
resource-monitor ingress-backlogscommandtoIdentifySessionsThatUsean
ExcessivePercentageofthePacketBufferandthenusetherequest
session-discardCLIoperationalcommandtomanuallydiscardsessionsasneeded.
Thesecommandsareonlyavailableonfirewallsthatsupporthardwareoffload.
84236 FixedanissuewherespecialcharactersintheSNMPv3Usersfieldcausedencryption
tofailandcausedthefirewalltorestart.
83722 FixedanissuewheredestinationbasedserviceroutesdidnotworkforRADIUS
authenticationservers.
83702 FixedanissueonPA7000SeriesfirewallsrunningPANOS7.0.2andlaterreleases
whereWildFireAnalysisreportsdidnotdisplayintheWildFire Analysis Reporttab
(Monitor > Logs > WildFire Submissions > Detailed Log View).
83361 FixedanissuewheretheDoSclassificationcounterstoppedatanabnormallyhigh
value.ThiscausedfloodtypefalsepositivesintheThreatlogs,causingthefirewallto
appearasifitreachedmaximumsessioncapacity.
83135 FixedanissuewheretheinitialredirectfailedforsomeSSLsites.(TheerrorBad
Record MACappearedaftertheuserclickedcontinuebuttheusercouldthen
refreshthepagetosuccessfullyenterthewebsite.)
83100 FixedanissuewherePanoramaHAsynchronizationfailedwhenattemptingto
upgradetoaPANOS7.0.1throughPANOS7.0.5h2release.
82756 FixedanissuewherecustomreportswerenotsentoutbytheEmailScheduler.
82443 Fixedanissuewhereunwantedcharactersweredisplayedontheloginpageaftera
failedlogin.
80721 FixedanissuewheretheXMLAPIcommand show dos-protection rule

statistics (usedtoretrieveDoSprotectionstatistics)returnedanerror:invalid
command option.
80507 FixedanissueinPanoramawhereThreatandContentnamesforcertainthreatsdid
notappearinACCreports,predefinedreports,andspywarereports.Thisissue
occurredonlyonPA7000SeriesfirewallsmanagedbyPanoramaandonlyduringan
Antivirusupdate.
IssueID Description
79729 FixedanissuewithfirewallsinanHAconfigurationwhereacommitoperation
abortedforalldaemonsandthentheDHCPdaemonstoppedresponding.This
occurredwhenthe set deviceconfig high-availability group {group-name}
configuration-synchronization enabled option wassetto no.
78090 FixedanissuewheretheUserIDprocessstoppedrespondingonbothpeersinanHA
active/passiveconfiguration.Thisissueoccurredafteranupgradeandwasduetoa
problemwiththeLDAPlibrary.
74333 FixedanissuewhereincrementalupdatesfornewandupdatedregisteredIP
addresseswerefailingwhenregistrationeventswereoccurringthroughtheXML
API.Withthisfix,integratingtheupdatesforregisteredIPaddressesnolongerfails
whenusingtheXMLAPI(oneitherstandalonefirewallsandappliancesorthosein
HAconfigurations).
ThefollowingtableliststheissuesthatareaddressedinthePANOS7.0.5h2release.Foranoverviewof
oralaterrelease.
IssueID Description
89750 Asecurityrelatedfixwasmadetoaddressastackunderflowcondition.
89706 AsecurityrelatedfixwasmadetopreventsomeCLIcommandsfromimproperly
executingcode.
oralaterrelease.
IssueID Description
89752 Asecurityrelatedfixwasmadetoaddressabufferoverflowcondition.
89717 Asecurityrelatedfixwasmadetoensuretheappropriateresponsetospecialrequests
receivedthroughtheAPIinterface.
88550 FixedanissueonfirewallsrunninginCommonCriteria(CC)modewhereseedingusingan
OpenSSLdeterministicrandombitgenerator(DRBG)causedaprocess(cryptod)tostop
respondingandresultedincommitfailures.
88439 FixedanissueonaPA3000Seriesfirewallwhereadataplaneconstantlyrestarteddueto
ahardwarecontentmatchingmemoryissue.
88382 Fixedanissueinahighavailability(HA)active/activeconfigurationwithunexpectedly
short(20second)timeoutsthatoccurredwhenanHA2sessionsyncmessagefailed.This
issuewasduetoanARPproblembetweendataplanesintheHAconfigurationwhenthe
HA2backupwasinuseandusingeitherIPorUDPtransportmode.Withthisfix,
unexpectedlyshortsessiontimeoutsnolongeroccurduetothisissue.
88191 Asecurityrelatedfixwasmadetoaddressinformationleakageinsystemslogthat
impactedthewebinterface(PANSA20160016).
87565 Fixedanissuewhereafirewalldidnotforwardcorrelationeventstothesyslogserver.
87170 Fixedanissuewhereafirewalldidnotfiltergroupsusingthefiltersappliedinsearch
parameters;instead,thefirewallignoredfiltersanddisplayedallgroupsinsearchresults.
86947 Fixedarareissuewhereanactivefirewallinahighavailability(HA)configuration
incorrectlysyncedtotheconfigurationfromthepassivefirewallwhenasecondcommit
wasperformedontheactivefirewallbeforeapreviouscommitwascompleted.
86723 Fixedanissuewhereadataplanerestartedwhenclienttoservertrafficexceeded4GB
andincludedHTTPGETorPOSTrequeststhathadthesourceIPaddressintheOrigin
header.
86664 FixedanissuewithIKEv2thatcausedachildsecurityassociation(SA)toinstallincorrectly
onafirewallwhenthetunnelwasconnectedtothirdpartyequipmentusingPFS.
86390 Fixedanissuewhereavirtualsystem(vsys)createdinaPanoramatemplatedidnotdisplay
whereexpectedwhenthefirsttwocharactersofthevsysnamewas"sg"(suchas"sg01").
Withthisfix,Panoramanolongerallowsyoutocreateavsyswithanamethatbeginswith
"sg"inaPanoramatemplate.
IssueID Description
86319 Fixedanissuewhereaprocess(routed)onthefirewallstoppedrespondingandresultedin
highCPUusagewhenapplyingaBGPautonomoussystem(AS)pathfilter.
86312 Fixedanissuewherethe last update timeneverexceeded1secondaftermakinga

changetotheupdateintervalofagroupmappingservice.
86193 Fixedanissueinahighavailability(HA)configurationwhereLDAPgroupmappingsdidnot
properlyrefreshafterafirewallbecametheactivepeeragainaftergoingthroughthe
passivestate.Thiswasduetoavariablethatwasnotinitializedproperlyandwasthenused
inanerrorcase.Withthisfix,LDAPvariablesareproperlyinitializedtoavoidthisLDAP
groupmappingissue.
86136 FixedanissuewheretheGlobalProtectgatewaysentanaccessrequestpacketwith
malformeddatainsidetheFramedIPAddressfieldtotheRADIUSserver.
86126 Fixedanissuewhereauserwithacustomrolebasedadministrativeaccountcouldn't
previewruleslistedasCombinedrules.
86091 Fixedanissuewhereacommittoconfigureatunnelinterfacethatusedastringinsteadof
anintegercausedaprocess(routed)onthefirewalltostopresponding.
86075 FixedanissueonaPA3060firewallwherethesizeoftheSMLVMEmlInfosoftwarepool
waslessthanexpected.Withthisfix,thesizeoftheSMLVMEmlInfosoftwarepoolis
increasedtotheexpectedvalue.
85888 FixedanissuewherePanoramaignoredthesessiontimeoutvalueandautomatically
refreshedadministratorswhowerestillloggedintothePanoramaapplianceevenwhen
thosesessionswereinactiveforaperiodlongerthantheconfiguredtimeout.
85879 Fixedanissuewhereafirewallinahighavailability(HA)configurationgeneratedafalse
positiveevent(Running configuration not synchronized after retries)75
secondsaftereachHAsync.Withthisfix,thiserrorisreturnedonlyforcommitsthattake
longerthan45minutestocomplete.
85878 InresponsetoanissuewhereDNSqueriessometimescausedaLogCollectortoruntoo
slowlyandcauseddelaysinlogprocessing,the debug management-server
report-namelookup disable CLIcommandisaddedtodisableDNSlookupsfor
reportingpurposes.
85863 Fixedanissuewheremulticasttrafficsentoveravirtualwire(vwire)withMulticast
Firewallingdisabled(Network > Virtual Wires > <vwire>)causedhighCPUandpacket
bufferdepletion.
85821 Fixedanissuewhereadataplanestoppedrespondingduetomemorycorruption.
85754 FixedanissuewhereaVMSeriesdiskwascorruptedandwentintomaintenancemode
afterprocessingmutatedtrafficfromthirdpartysignaturedetectionsoftware.
85687 Fixedanissuewherethesystemlogentriesdisplayed logged in via Web from

127.0.0.1 foradministratorswhologgedinviaXMLAPI.Withthisfix,thesystemlog
displaysthecorrectIPaddressforadministratorswhologgedinviaXMLAPI.
85675 Fixedanintermittentissuewhereaprocess(mprelay)restartedand,aftermultiplerestarts,
causedthefirewalltorestart.Thisissuewasassociatedwiththeprocessingofaddand
deleteeventsforIPv4ARPandIPv6neighborupdates.Withthisfix,IPv4ARPandIPv6
neighborupdatesnolongercausethemprelayprocessorfirewalltorestart.
IssueID Description
85611 Fixedanissuewherethe number of fib entries for device FIBcounterwas

inaccuratewithECMPenabled.Withthisfix,thefirewallmaintainsanaccuratecountof
entriesintheFIBtableforthe number of fib entries for device FIBcounter.
85484 FixedanintermittentissuewheretheGlobalProtectportalusedthecookieinsteadofthe
authenticationinformationprovidedbytheGlobalProtectclient,whichcaused
authenticationtofail.Withthisfix,ifaclientconnectsusingacookie,theGlobalProtect
portalignoresthecookieinfavoroftheauthenticationinformationprovidedbythe
GlobalProtectclientsothatauthenticationissuccessful.
85358 FixedanissuewhereSSLdecryptionsessionswerenotclearedafterexecutingthe clear

session all filter ssl-decrypt yes CLIcommand(oranyothersessionclearing
commandthatusedthe ssl-decrypt yes filter).Withthisfix,SSLdecryptsessionsare
clearedasexpectedwhenexecutingsessionclearingcommandsthatincludethe
ssl-decrypt yes filter.
85245 Fixedanissuewhereavirtualsystem(vsys)configurationremainedinthefirewall
configurationevenafterthevsyswasdeleted.Thiscausedcommitstofailwhen
attemptingtoaddanewvsysusingthesameIDasthevsysthatwasnotsuccessfully
deleted.
85193 Fixedanissueinahighavailability(HA)configurationwheremultipleoverlappingqueries
resultedinaraceconditionthatcausedHAsyncjobstofail.
84963 FixedanissueinPanoramatemplateswhereadministratorscouldmarkacertificateas
ForwardTrustorForwardUntrustbutforwardingdidnottakeplaceasexpectedwhenthe
templatewasconfiguredtoapplyonlytoonevirtualsystem(singlevsysmode).Withthis
fix,markingacertificateasForwardTrustorForwardUntrustworksasexpectedeven
whenthetemplateisinsinglevsysmode.
84908 FixedanissuewheretheloggedsessionendreasonfordecryptedSSLsessionsalways
displayedas aged out regardlesswhetherthatwastheactualTCPsessionendreason.
Withthisfix,thesessionendreasonnowdisplayscorrectlyfordecryptedSSLsessions.
84729 FixedanissueonMSeriesappliancesandwithPA7000SeriesLogProcessingcards
whereoutputofthe show system logdb-quota CLIcommanddidn'tmatchthevalues
inLoggingandReportingSettingsinthewebinterface(Device > Setup > Management >
Logging and Reporting Settings > Log (Card) Storage)duetoadiscrepancyinspace
calculation.Withthisfix,thevaluesinthewebinterfaceaccuratelyreflectavailable
storagespaceandmatchtheoutputfromthe show system logdb-quota CLIcommand.
84552 Fixedanissuewherethe debug user-id reset ts-agent/user-id-agent CLI

commanddidnotworkasexpected.
84538 FixedanissuewhereadataplanerestartedunexpectedlyonafirewallwithSSLdecryption
enabled.ThisoccurredduringtheSSLhandshakewhenthefirewallreceivedaHello
packetfromtheserverthathadahigherSSLprotocolversionthantheHellopacket
receivedfromtheclient.
84496 FixedanissueonPA7000Seriesfirewallswhereexcessiveorprolongedlogqueries
causedamemoryleakontheLogProcessingCard(LPC).
84239 FixedanissuewhereareadonlySuperuserwasabletoperformacommitwhenusing
XMLAPI(butnotviathewebinterface).Withthisfix,readonlySuperuserscannotuse
XMLAPItoperformcommits.
83764 Fixedanissuewhereusingwebinterfacecertificateauthenticationcausedloginfailures.
IssueID Description
83731 FixedanissueinavirtualwireconfigurationwhereafirewallincorrectlymodifiedtheMAC
addressfortrafficwhendecryptionwasenabled.Withthisfix,thefirewallnolonger
modifiestheMACaddressoftraffic.
83454 FixedanissuewithIPv6trafficthathadanextensionheaderandcausedjitterwhen
passingthroughaPA7000Seriesfirewallinahighavailability(HA)active/active
configuration.
83362 FixedanissuewhereacommitfailedwhenasubinterfacethatwaspushedfromPanorama
lostitsreferencetoitsassociatedVLANafterthesubinterfaceconfigurationonthe
firewallwasoverriddenandthenrevertedinthetemplate.Withthisfix,afteraninterface
isreverted,subinterfacesdonotlosetheirmappingtoVLANs.
83337 Fixedanissuewherefirewallsgeneratedmultiplecoredumpsafterarebootwhen
incomingpacketswereforwardedtothedataplanewhileanautocommitwasstill
processing.Withthisfix,packetsarenotforwardedtothedataplaneuntilaninprocess
autocommitiscomplete.
83145 FixedanissueonaPA7000Seriesfirewallwhereaninterfaceintapmodeunexpectedly
transmittedtrafficthatwasreceivedonthatinterface.
82916 FixedanissuewherethetrustedCAstoreonthefirewallwasmissingtheQuoVadisroot
CA2androotCA3G3certificates.Withthisfix,boththeseQuoVadiscertificatesare
includedinthetrustedCAlist.
82873 FixedanissuewithmissingfieldsandinconsistenciesintheSyslogformatforCorrelated
Eventsthatwereexportedtoasyslogserver.
82862 Fixedanissuewherethedeviceserverprocess(devsrvr)restartedunexpectedlywhen
Panoramapushedatemplatethatcontainedacertificatewithacorruptpublickey.
82667 FixedanissuewherethePANOSintegratedUserIDagentfailedtoconnecttoa
monitoredserverwhentheUserIDagentwasconfiguredtousetheFQDNinsteadofthe
IPaddressfortheserver.
82358 Fixedanissuewhere,whenusingLDAPauthentication,aGlobalProtectclientincorrectly
showeda Password expired messageevenwhenthepasswordhadnotexpired.
81812 Fixedanissuewhereafirewalldidnotaccuratelycheckcertificaterevocationstatusvia
OCSPbecausetheOCSPrequestdidnotincludetheHOSTheaderoption.Withthisfix,
thefirewallusestheHOSTheaderoptionasexpectedandsuccessfullyretrievesthe
revocationstatusofthecertificateinresponsetoOCSPrequests.
81743 FixedanissuewhereURLcategorizationfailedforsomeURLsduetoanissuewith
messagebuffersize.
81425 FixedanissuewhereIPSecrenegotiationwasnotinitiatedasexpectedafteraPPPoE
interfacereceivedanewIPaddress.
81424 Fixedanissuewherethe From columnintheoutputofthe show admins commandwas

Console insteadofthecorrectIPaddresswhenconnectedtotheCLIviatelnetorSSH.
81062 Fixedanissuewheretheemailactionforscheduledreportstimedoutduetoreportsthat
tooktoolongtogenerate.Withthisfix,theemailtimeoutisincreasedandreport
generationisenhancedtoavoidthisissue.
IssueID Description
80415 FixedanissuewhereafirewallwasnotpresentingtheCaptivePortalresponsepageto
users.ThisoccurredwhentheURLcategorywasmarked not-resolved,suchaswhen
cloudserverswereunavailable.
79596 FixedanintermittentissueonPA5000Seriesfirewallswherethedataplanestopped
responding.Withthisfix,thereareadditionalsanitychecksandloggingtoavoidthisissue.
73177 FixedanissuewhereredistributedNotSoStubbyArea(NSSA)type7routesconverted
toNSSAtype5routeswerenotflushedfromtheOSPFdatabasequicklyenoughafterthe
redistributingNSSArouterwentdown.Withthisfix,theOSPFisflushedwithinthe
expectedperiodoftimesothatroutesthatgodownarenotadvertisedasstillavailable.
oralaterrelease.
IssueID Description
88869 FixedaperformancedegradationissueonaVMSeriesfirewallwith8coreswhenthreat
scanningwasenabledwhenattemptingtoprocesslargetransactionspecificSSLtraffic
types.Additionally,thisfixaddressedanintermittentissuewheretheGlobalProtectMSI
filefailedtodownloadafterauserauthenticatedtotheportalpage.
87422 Fixedanissuewheremulticasttrafficwasdroppedwhenthesourcestartedsendinggroup
trafficbecausetherewasnot,yet,acorrespondingmulticastrouteorFIBentryonthe
firewall.Withthisfix,themulticastrouteisupdatedmorequicklyandpacketsare
enqueuedinsteadofdroppedwhilethefirewallwaitsfortheupdatedrouteinformation.
87410 FixedanissuewhereanAPIcalltoadd,delete,ormodifyaURLentryfailedwhentheURL
includedasingle(')ordouble(")quotecharacterasanXMLattribute.Withthisfixto
complywithXMLXpath1.0,APIinstructionsarecompletedsuccessfullyevenwhen
actingonaURLthatincludesasingleordoublequoteusedasanXMLattribute.
87385 FixedanissuewhereallthewidgetsontheACCtabofamanagedfirewall(andwhen
exportedinaPDFfile)display Report Error whenyouaccessthefirewallthrougha
contextswitchfromPanorama(whethervirtualorMSeriesappliance).
87280 FixedanissuewherethenumberofSSLfreememorychunkswasdepletedto0,which
causedadisruptioninSSLdecryptionrelatedtraffic.
87231 FixedanissuewhereaPA7000Seriesfirewalldidnotloadbalanceegresstrafficon
AggregateEthernet(AE)interfacesasexpected.
87078 Fixedanissuewherethemanagementserverstoppedrespondingwheretherewasahigh
loggingrate,whichcausedtheLogCollectortodisconnectfromPanorama.
86938 TheclientcertificateusedbyPANOSandPanoramatoauthenticatetothePANDB
cloudservice,theWildFirecloudservice,andtoWF500appliancesexpiredonJanuary
21,2016.Theexpirationresultsinanoutageoftheseservices.Toavoidanoutage,either
upgradetocontentreleaseversion550(oralaterversion)orupgradePANOSand
PanoramainstancesrunningaPANOSorPanorama7.0releasetoPANOS(orPanorama)
7.0.4oralaterrelease.
86895 FixedanissueonMSeriesandWF500applianceswheretheEthernet1/2interface
unexpectedlybroadcastedDHCPdiscoverpacketswiththeinternalBMCIPMILANMAC
addressasthesourceMACaddresswhentheinternalBMCIPMILANwasconfiguredto
useDHCPasthesourceaddress.
IssueID Description
86803 FixedanintermittentissuewheretheidletimerforGlobalProtectIPSectunnelseitherdid
notexpireappropriately(suchaswhenthetunnelwastorndown)orexpiredatthe
configuredidletimeexpirationevenwhenauserwasactivelyusingtheconnection.With
thisfix,theGlobalProtectIPSectunnelidletimerbehavesasexpected.
86467 FixedanissueinPANOS7.0.3wherefirewallsdidnotcheckforsuperuseraccountsthat
werepushedthroughaPanoramatemplate,whichcausedanupgradeprocesserrorwhen
allsuperuseraccountswerepushedthroughaPanoramatemplate(firewallsmusthaveat
leastonesuperuseraccountintheconfiguration).Withthisfix,firewallscorrectly
recognizesuperuseraccountsthatarepushedthroughaPanoramatemplate.
86212 AddedanewCLIoperationalcommand(set authentication radius-auth-type

<auto|chap|pap>)toaddressanincompatibilityissuebetweenPANOSandsome
RADIUSservers.Withthisfix,youcanmanuallyoverridetheautomaticselection
mechanismintroducedwithChallengeHandshakeAuthenticationProtocol(CHAP)
supportinPANOS7.0toselecteitherCHAPorPasswordAuthenticationProtocol(PAP)
asneeded.
85801 FixedanissuewhereafirewallthatwasforwardinglogstomultiplePanorama
managementserversandLogCollectorsstoppedforwardinglogstoanyapplianceafteran
administratorsuspendedlogforwardingontheactiveprimaryPanoramaserver.Withthis
fix,thefirewallcontinuestoforwardlogstoallPanoramamanagementserversandLog
Collectorsexceptanyapplianceforwhichanadministratorspecificallysuspendslog
forwarding.
85721 FixedanissuewherefirewallswithaspecificOCZDenevaharddisk(model
DENCSTE251M21)configuredinaRAIDandrunningPANOS7.0.1orlaterreleases
experiencedRAIDerrors.
85514 Fixedanissuewhereacommitrequestfailedduetoprocesses(configdandmongod)with
highmemoryusage.
85364 FixedanissuewhereHTTPandHTTPOnlineCertificateStatusProtocol(OCSP)
managementserviceswereenabledonlyforthefirstIPaddressonaninterfacewith
multipleIPaddresses.Withthisfix,whenHTTPandHTTPOCSPmanagementservices
areenabledonaninterface,servicesareenabledforallIPaddressesassociatedwiththat
interface.
85285 Fixedanissuewhereoutputfromthe show ntp commanddidnotalwaysdisplaythe

correctNTPstatus.Primarily,thisissueoccurredwhentherewasonlyoneNTPserver
configuredand,evenwhencorrectlyconnectedtotheNTPserver,theoutputofthe show
ntp status commanddisplayedas rejected.Withthisfix,outputfromthe show ntp
commandcorrectlydisplaysNTPstatusas synchronized afterthefirewallsuccessfully
connectstoanNTPserver.
85166 FixedanissueonaPA7000Seriesfirewallwherethefirstpacketinasessionwas
droppedwhenitarrivedbeforethefirewallfreedupaprevioussessionthatusedthesame
5tuple.Withthisfix,thefirewalltreatstheprevioussessionasaninactiveflowand
successfullycreatesthenewsession.
85091 Fixedanissueonafirewallwheresoftwarepacketbufferswerebeingdepleted.Withthis
fix,thefirewallwilldynamicallyadjusttheTCPreceivewindowbasedonpeertrafficto
avoidsoftwarepacketbufferdepletion.Additionally,thereisafixforamemoryleakin
errorhandlingofSSLForwardProxymodeandthesizeofthesoftwarebufferpoolsis
increased.
IssueID Description
84851 Fixedanissuewherethevirtualsystem(vsys)IDonthefirewallwascomputedincorrectly
whenPanoramapushedatemplatewithForce template valueenabledandcontaining
virtualsysteminformationtothefirewall.
84811 FixedanissueonaVMSeriesfirewall(KVMonCentos7/Redhat)whereaprocess
(vmuuid)displayedasemptyafterboot.Withthisfix,thevmuuidprocessisdisplayed
correctly.
84678 FixedanissuewiththewaythemanagementplaneperformedupdatesthroughHTTPand
HTTPScalls,suchasforblocklistandcontentupdates.
84595 FixedanissuewithHTTPrequestsgeneratedbythefirewallwhenretrievingcustom
DynamicBlockLists.
84495 Fixedanissuewhere,insomecases,generatingoutputforthe show running url-cache

all CLIcommandcausedashortdelayincommunicationwiththedataplane.Withthis
fix,toavoidthiscommunicationdelay,theoutputofthe show running url-cache all
commandisnolongerincludedwhengeneratingthetechsupportfile.
84494 FixedanissuewherethesessionendreasonforasinglethreatIDwasreporteddifferently
dependingonwhichdecoderwasused.Withthisfix,onlyonesessionendreason(threat)
isreportedforallblockedSMTPtrafficregardlesswhichdecoderisused.
84465 FixedanissuewheretheexternalinterfaceonanLSVPNsatellitewasunabletoestablish
anLSVPNconnectiontotheactiveprimaryfirewallinanHAactive/activeconfiguration
thatwasactingastheGlobalProtectportalorgatewaywhentheexternalinterfaceofthe
satellitewasconfiguredasaDHCPclient.(ThisfailureoccurredeventhoughanLSVPN
connectionwassuccessfullyestablishedwiththeactivesecondaryfirewall.)Withthisfix,
theLSVPNsatellite(withtheexternalinterfaceconfiguredasaDHCPclient)successfully
establishesanLSVPNconnectiontobothfirewalls(activeprimaryandactivesecondary)
afterareboot.
84454 Fixedanissuewhereattemptstoloadapartialconfigurationforadevicegroupfroman
XMLfileresultedinanerrormessage.Withthisfix,youcansuccessfullyloadapartial
configurationforadevicegroupandmergeitwithanexistingdevicegroup.
84433 Fixedanissuewhereawebpagewouldnotloadsuccessfullywithoutrefreshingthe
browsermultipletimeswhenOpenCertificateStatusProtocol(OCSP)validationwas
enabled.Thisoccurredwhenablockpagemessagewaspresentedwithinonesecondof
theattempttoloadanHTTPSsitewhiledecryptionwasenabledonthefirewallwiththe
OCSPvalidationtimeoutsetto60seconds.
84167 FixedanissuewhereafirewallincorrectlyreorderedcertainTCPtrafficduringtransmit
stage.
84008 FixedanissuewhereanLSVPNIPSectunnelwentdownwhenthehardkeylifetime
expiredduringarekey.Withthisfix,thesoftkeylifetimeisadjustedsothatthehardkey
lifetimedoesnotexpirebeforetherekeyfinishes.
83907 Fixedanissuewhereadministratorscouldnotdisablecountersinsystemlogsusingthe
debug dataplane packet-diag set log counter <counter-name> CLIcommand
whenthosecountershadnameslongerthan31characters.
83902 FixedanissuewheremonitoringanSNMPOID(.1.3.6.1.2.1.25.2.3.1.5.41)fordiskspace
resultedinincorrectvaluesonvolumesover2TBinsize.
IssueID Description
83898 FixedanissueonPanoramaMSeriesandvirtualapplianceswhereexportingareportas
acommaseparatedvalue(CSV)file(Monitor > Reports)failedandresultedinaweb
interfaceerror(Error enqueuing export job).
83889 FixedanissuewhereaPA7000SeriesfirewallincorrectlydroppednonTCPand
nonUDPfragmentedtraffic,suchasEtherIPtraffic.
83844 FixedanissuewhereamemoryleakcausedaPA200firewalltoreboot.
83657 FixedanissuewherePanoramadidnotproperlypushdeviceortemplateconfigurations
forNTP,sendhostnameinsyslog,orWildFiresettingstoadevice.
83592 FixedanissuewheretheUserIDprocess(useridd)wentintoarebootloopandcausedthe
passivefirewallinahighavailability(HA)configurationtorestart.Thiswasduetobulkand
incrementalupdatesofterminalservicesusers.
83253 FixedanissuewherevideocallsfailedwhenH.245(openlogicalchannelack)packets
referencedapreNATaddress.
82913 FixedanissuewhereToSheaderswerenotsetcorrectlyinEncapsulatingSecurityPayload
(ESP)packetsacrossVPNtunnels.
82865 FixedanissuewithaPA5000Seriesfirewallwheresessionsownedbydataplane1(DP1)
orDP2didnotdisplayintheoutputwhenexecutingthe show session commandon
DP0.
82710 Fixedanissuewhereunexpecteddataplanerestartsoccurredduetooutofmemoryerrors
andhighresourceusageonpacketdescriptorswhenSSLForwardProxywasenabled.This
fixalsoaddressesadataplaneprocessmemoryleak.
82621 FixedanintermittentissueonaPA7000Seriesfirewallwheretrafficwasdroppedwhen
theloginterfaceanddataplaneinterfaceswerebothconfiguredonthesameNetwork
ProcessingCard(NPC).
82605 Fixedanissuewherepolicybasedforwarding(PBF)withEnforce Symmetric Return

enabled(Policies > Policy Based Forwarding > pbfrule > Forwarding)causedoffloaded
PBFsessionstofailwhenattemptingtoegressthefirewall.
82424 FixedanissueonaPA5000Seriesfirewallwherepacketsweredroppedorthedataplane
stoppedrespondingwhenreceivingspecificingressoregresstrafficassociatedwith
offloadedsessions.Withthisfix,afieldprogrammablegatearray(FPGA)changewas
madetoaddresstheseissues.
82138 FixedanissuewhereWildFirereportswerenotdisplayedonthewebinterfacewhen
proxysettingswereconfiguredforthemanagementinterface.
82118 FixedanissueontheQoS Statisticspanel(Network > QoS)wheredatawasdisplayedonly

onthebandwidthtab;allothertabs(Applications,Source Users,Destination Users,
Security Rules,andQoS Rules)wereempty.
82095 Fixedanissuewhereacommitrequestdidnotfinishprocessingduetoaprocess(routed)
thatstoppedresponding.
81996 FixedanissuewhereaHIPProfiledidnotsyncbetweentheactiveandpassivefirewalls
inahighavailability(HA)configuration,whichcausedtheHIPProfiletonolongerbein
effectafterafailover.Withthisfix,theHIPProfileiscorrectlysyncedbetweentheactive
andpassivefirewallsandremainsineffectafterafailover.
IssueID Description
81949 FixedanissuewhereDynamicAddressGroupspushedfromPanoramatoafirewallwere
notdisplayedintheoutputofCLI show commands.
81830 FixedanissuewhereSSLForwardProxydidnotincludetheappropriateTLS1.2extension
(SignatureAlgorithms)inClientHellomessages,whichpreventedsuccessful
interoperabilitywithsomeMicrosoftwebsites.
81333 Fixedanissuewheremanagedfirewallsandapplianceswereunabletoconnectto
Panoramausingthemasterkeyafterafactoryreset(orRMA).
81241 FixedarareissuewhereNATtrafficwasdroppedafterafailedcommitattempt.
80631 Fixedanissueinahighavailability(HA)configurationwheretheportsonthepassive
firewalldidnotcomeupwhenthepassivelinkstatewassettoauto(Device > High
Availability > General >ActivePassiveSettings).
79917 FixedanissueonaPA3000Seriesfirewallwherethedataplanestoppedresponding
whenreceivingspecificingressoregresstrafficassociatedwithoffloadedsessions.With
thisfix,afieldprogrammablegatearray(FPGA)changewasmadetoaddressthisissue.
79531 Fixedanissuewhereanerrorwasdisplayed(No Data to Display)intheThreatMonitor

window(Monitor > App Scope > Threat Monitor)whenselectingtheShow Filesfilter.
78624 FixedanissuewheretheactivesecondaryfirewallinanHAactive/activeconfiguration
wasincorrectlyrespondingtoARPrequestsfortheIPaddressusedinthedestinationNAT
rulewithbindingtotheactiveprimaryfirewall.
78482 FixedanissuewhereVMInformationSourcesbypassedproxysettings.
78317 FixedanissuewherethemanagementplaneinanHAactive/passiveconfiguration
restartedduetoadataplaneprocess(mprelay)thatstoppedrespondingwhenit
experiencedmemorycorruptionandencounteredunexpectedbehaviorfromtheFIB
pointer.
77236 Fixedanissuewhereimportingacertificatemorethanoncewithdifferentnamescaused
thedataplanetostoprespondingwhenthecertificatewasusedforSSLInbound
inspection.
76269 FixedanissuewhereanactiveprimaryM100applianceinanHAconfigurationwas
unabletoestablishaconnectionwiththepassivesecondaryoractivesecondaryHApeer
forlogcollection.
76197 FixedanissuewherefirewallTrafficlogsdisplayedunusuallylargebytecountsfor
http-proxy and httpy-video countersduetofrequentapplicationshiftsbetween
thoseapplicationtypepacketswithinasingleproxysession.
76103 FixedanissuewhereaddingathreatexceptiontoaVulnerabilityProtectionprofile
(Objects > Security Profiles > Vulnerability Protection >profile> Exceptions)resultedin
anerror(Schema node for Xpath was not found).
73187 FixedanissuewheretheWildFireAnalysisreport(Monitor > WildFire Submissions >

Detailed Log View > WildFire Analysis Report)didnotdisplayonversions9or10of
InternetExplorerduetoascripterror.
IssueID Description
70719 InresponsetoanissuewhereadataplanerestartedduetoanincorrectflowID,PANOS
6.1.4andlaterreleasesincludedadditionalcheckstohelppreventthedataplanefrom
restartingduetothisissue.InPANOS7.0.3,thosePANOS6.1.4modificationswere
furthermodifiedtoprovideamorecompletesolutionthatavoidsinadvertentlydropping
IPv4trafficaffectedbythisissue;inPANOS7.0.4,thesolutionincludesanadditionalfix
toavoidinadvertentlydroppingIPv6trafficrelatedtothisissue.
66285 FixedanissuewherethewebinterfacecertificatedidnotproperlysyncbetweenHA
peers,whichledtoaraceconditionthatcausedacommitrequesttofail.
oralaterrelease.
IssueID Description
85065 FixedaCLIinputparsingissuethatcausedaprocessonthemanagementplanetostop
respondingwhenprocessingunexpectedinput.
84711 FixedanintermittentissuewheresomepacketsincorrectlymatchedSecuritypolicyrules,
whichresultedinAppIDpolicylookuperrorsanddiscardingofpackets.
84599 FixedanissueinPANOS7.0releaseswhereaprocess(dhcpd)didnotcorrectlyhandle
DHCPpaddingOption0whenreceivingDHCPrequestfromtheDHCPclient.This
preventedthefirewallthatwasactingastheDHCPserverfromallocatingandcommitting
theofferedIPaddresstotheDHCPclient,whichcausedthefirewalltobestuckinoffered
state.Withthisfix,theDHCPprocesscorrectlyhandlesDHCPpaddingOption0and
successfullycommitsIPaddressesofferedtoDHCPclients.
84246 FixedanissuewhereaPA7050firewallrunningPANOS7.0assignedthesameMAC
addresstoallinterfacesontwodifferentPA7050chassiswhenthechassisbaseMAC
addressesdifferedonlyinthe10thbit.WiththisfixinPANOS7.0.3,twosuchdifferent
PA7050chassisareassigneddifferentinterfaceMACaddressesasexpected.
84094 Fixedanissuewhereauseractivityreport(Monitor > PDF Reports > User Activity Report)

containednostatisticsforuserswithadomain+usernamestringlengththatexceeded32
characters.
84046 FixedanissuewhereSSLdecryptionfailedwhenacertificatewasrejectedduetoamissing
oremptybasicConstraintsextension.Withthisfix,anexceptionisaddedtoallowa
missingoremptybasicConstraintsextensionforselfsignednonCAcertificates,and
thefollowingbehaviorswillbeappliedtoCAswithregardtobasicConstraints
extensions:
IftheCAhasanextensionbasicConstraints=CA:TRUE,thenallowtheCA.
IftheCAhasanextensionbasicConstraints=CA:FALSE,thenblocktheCA,but
allowdevicetrustedCAs,includingdefaultCAsandimportedCAs.
IftheCAhasdoesnothaveabasicConstraintsextension,thenblocktheCA,but
allowdevicetrustedCAs,includingdefaultCAsandimportedCAs,andallowselfsigned
CAs.
84012 Fixedanissuewhereaprocess(ikemgr)stoppedrespondingduetoamissingIKEprofile.
83907 Fixedanissuewherethe debug dataplane packet-diag set log counter

<counter-name> CLIcommanddidnotacceptcounternameslongerthan31characters,
whichpreventedadministratorsfromaddingsuchcountersforlogginginsystemlogs.
IssueID Description
83867 Fixedarareissuewhereoneoftheinternaldatabaseswascorruptedafteranimproper
shutdown(poweroff)ofthefirewall.Whenthishappened,thefirewallwasunableto
automaticallyrestartandwouldnotstartupproperlythereafter.
83819 FixedanissueonanM100appliancerunningPanorama7.0whereacustomreportfailed
torunwhensettingtheDatabase(Monitor > Manage Custom Reports)toSummary
Databases > Remote Device Data > ThreatandselectingSeverityfromthelistofAvailable
ColumnswhenanyremotefirewallusedforcustomreportingwasrunningaPANOS6.1
orearlierrelease.
83637 FixedanissuewherepacketprocessingonaVMSeriesfirewallcausedthefirewalltostop
forwardingtraffic.
83574 Fixedarareissuewhere,insomescenariossuchaswhenafirewallisrestartedandIPSec
securityassociations(SAs)arenotestablishedwhenaremoteVPNpeerisunreachable
thetunnelinterfaceconfiguredwithIPSectunnelmonitoringispresentintheroutingtable
andstatusis Up.
83293 FixedanissueinPanoramawhereSNMPv3settingswereremovedandcouldnotbe
updatedwhenmodifyinganexistingSNMPv3devicetemplate.
83288 FixedanissuewhereautocommitfailedwhentheGlobalProtectgatewayorCaptivePortal
certificatewaspushedthroughPanoramaafterupgradingafirewallfromaPANOS6.1
releasetoPANOS7.0.2.
83256 FixedanissuewherethefirewalldidnotblockunsupportedellipticcurveDiffieHellman
(ECDH)exchangeciphersuitesduringSSLforwardproxyevenwhenBlock sessions with
unsupported cipher suiteswasenabled(Objects > Decryption Profile > <decryptprofile>
> SSL Decryption > SSL Forward Proxy).
83149 Fixedanissuewhereamissingnode(user)intheunlockcommandprevented
administratorsfromusingthePanoramawebinterfacetounlockalockedLDAPuser.
83142 FixedanissuewheretriggeringaDHCPreleasedidnotcleartheoriginalsettingsfora
DHCPclientthatwasin renew state.
83113 Fixedanissuewhereattemptstoregeneratemetadatacausedaprocess
(update_vld_itvl_idx)tostoprespondingwhenencounteringacorruptlogfile(alogfilethat
containedinvaliddata).Withthisfix,themetadataregenerationprocessskipslogfilesthat
containinvaliddatasothatregenerationtaskissuccessfullycompleted.
83102 AddedfunctionalitytoallowcommitstosucceedevenwhenthereisnoNetwork
ProcessingCard(NPC)installed,yet,orwhentheNPCisnotsupportedorrecognizedinthe
currentPANOSrelease.Withthisfix,youcaninstallPA7000Seriescardsthatarenot
supportedinthePANOSversionshippedwithorrunningonthefirewallandthenupgrade
totheappropriatePANOSversion.
83041 Fixedanissuewhereadjustmentstothewidthofcolumnsinthewebinterfacearenot
saved,causingcolumnstoreverttoprevioussettingswhenyouviewadifferenttab.With
thisfix,changestothewidthofcolumnsinthewebinterfaceareretaineduntilchanged
again.
83004 FixedanissuewhereaZoneProtectionprofilewithstrictIPcheckingenabledresultedin
incorrectlydroppedpackets.Thesedropswerecausedbyanimpropercheckofwhether
thesourceIPaddresswasabroadcastaddress.
IssueID Description
83001 FixedanissueonanM100appliancewhereavailabledisksizewasreportedas0bytes
duringanupgrade.ThisincorrectlycausedoldlogstobepurgedfromtheotherLog
Collectorsinthegroupinanattempttoadheretotheconfiguredlogquotaforthegroup.
Additionally,Panorama6.1.8andPanorama7.0.3(andlaterreleases)onanM100
appliancewithzerodiskspacedisplaysanerrorwhenattemptingtocommittoCollector
Group(Failed to commit collector config)orawarningwhenattemptingtocommit
toPanorama(Disk <disk-ID> on log collector <log-collector-id> in group
<group-ID> has a size of zero bytes).
82887 Fixedanissuewhereauthenticationattemptsagainstalocalauthenticationprofilewithin
anauthenticationsequencefailedwhenthelocalprofilewasnotthefirstprofileinthe
sequence.
82853 FixedanissuewhererolebasedadministratorswerenotallowedtoperformAPIcalls.
82849 FixedanissueonaPanoramavirtualapplianceusingaNetworkFileSystem(NFS)storage
partitionwherethefilesystemintegritycheckincorrectlyfailedfortheNFSdirectory,
whichcausedtheNFSmounttofailwhenrebootingPanoramaafteranupgradeto
Panorama7.0.
82838 FixedanissuewheretheUserIDprocess(useridd)stoppedrespondingwhenreading
configmessagesfromtheTerminalServices(TS)agent.
82778 Fixedanissuewherefailedauthenticationattemptswerenotclearedwhenthe
authenticationattemptwaseventuallysuccessful.Withthisfix,thefailedauthentication
attemptcounterforagivenuserisresetasexpectedaftereverysuccessfullogin.
82560 FixedanissuewhereapassiveVMSeriesfirewallinanHApairwithUse Hypervisor

Assigned MAC Addressenabled(Device > Management > Setup)wassendingGARP
requestswithoutanestablishedHA2connection.Withthisfix,apassiveVMSeriesfirewall
nolongersendstheseGARPrequestswhenyouenableUse Hypervisor Assigned MAC
AddresswithoutanHA2connection.
82534 FixedanissuewhereafirewallincorrectlyinjectedSSLmessagesintotrafficonport443.
82533 FixedanissuewheretheOCSPresponderfailedtocheckthevalidityofclientcertificates
andshowedstatusas unknown whenunabletolocatethecustomrootCAusedinthe
certificateprofilefortheGlobalProtectportalconfiguration.
82377 Fixedanissuewhere,inaLargeScaleVPN(LSVPN)configuration,aGlobalProtectgateway
incorrectlyinstalledthepreviouslyallocatedIPaddressfortheGlobalProtectsatelliteas
thenexthopfortheroutesadvertisedbysatellites.Withthisfix,theGlobalProtectgateway
removesanyoldIPaddressesallocatedtothesatelliteandcorrectlyinstallsthenewIP
addressallocatedtothesatelliteasthenexthopfortheroutesadvertisedbysatellites.
82338 Fixedanissuewhereonetimepassword(OTP)RADIUSauthenticationfailedwhen
configuredinthesameauthenticationsequenceasthedomainselection.Thisissuewas
causedbythefirewallincorrectlytruncatingtheRADIUSchallengestate.AlsofixedOTP
RADIUSauthenticationissueswherethebackslash(\)characterwasincorrectlyremoved
fromtheusernameentryandwhereanincorrectpasswordresultedinlongdelaysbefore
returningapassworderrormessage.
82326 FixedanissuewhereadditionallockedusersarenotdisplayedwhenyouclickMoreinthe
webinterface(Devices > Authentication-Sequence > Locked Users).
IssueID Description
82136 Fixedanissuewherepacketsthatmatchedapolicybasedforwarding(PBF)rulewith
ActionsettoNo PBF(Policies > Policy Based Forwarding > pbfrule> Forwarding)were
droppedwhenoffloadingwasenabled.Withthisfix,offloadedsessionsarepassedas
expectedevenwhenthetrafficmatchesaPBFrulewithForwardingsettoNo PBF.
82109 FixedanissueonaPA7000SeriesfirewallwherepassiveFTPSwithinbounddecryption
failedafterenteringpassivemode.Thisoccurredwhenpredictsessionsdidnotmergeas
expectedduetothepredictqueue.Withthisfix,proxyingressexecutesbeforethepredict
queuesothatalldatasessionsmergeasexpectedandFTPtransferissuccessfuloverTLS.
82099 Fixedanissuewheretheremotehost(From)IPaddressforthePanoramasessiondisplayed
inreverseorderdisplayedtheadministratorIPaddressintheLoggedinAdminswidget
ontheDashboard.
81944 FixedanissuewherepatchmanagementforaGlobalProtecthostinformationprofile(HIP)
checkfailedtoidentifymissingpatcheswhentheChecksettingforpatchmanagementin
HIPObjectscriteriawassettohas-all,has-any,orhas-none(Objects > GlobalProtect >
HIP Objects > Patch Management > Criteria).
81927 FixedanissuewhereafirewallstoppedsubmittingfilestoaWildFirecloud(publicor
private)whenaCPUprocess(varrcvr)stoppedresponding.Thisissueoccurredwhen
receivinganemailwithasubjectlinecontainingmorethan252characters.
81868 Fixedanissuewithapacketbuffer(FPTCP)leakandresolvedafew
dataplanetomanagementplaneconnectionissues,aswell.
81584 FixedanissueinPanorama7.0whereoutputfromthe show ntp commanddidnotalways

displaythecorrectNTPstatus.Primarily,thisissueoccurredwhentherewasonlyoneNTP
serverconfiguredand,evenwhencorrectlyconnectedtotheNTPserver,the show ntp
status displayedas rejected.Withthisfix,outputfromthe show ntp command
correctlydisplaysNTPstatusas synchronized.
81581 Fixedanissuewhereaprocess(useridd)wasunabletoaccommodatealargenumberofHIP
reportsduringHAsynchronization,whichcausedabnormallyhighCPUandmemory
utilizationonthefirewall.
81522 Fixedanissuewhereafirewallallowedcommitstosucceedevenwhentherewereno
superuseradministratoraccountsincludedintheconfiguration.Thiswouldcausethe
firewalltobeinaccessible(exceptwhenthefirewallwasmanagedbyPanorama,which
couldstillprovideaccesstothefirewallthroughPanoramacontextswitching).Withthisfix,
acommitsucceedsonlyifthereisatleastonelocalsuperuseraccountintheconfiguration;
ifnoneexist,thecommitfails.
81415 FixedanissueonPA7000Series,PA5000Series,PA3000Series,andPA500firewalls
whereanAggregateEthernet(AE)interfacewasunabletotransmitanARPrequestona
taggedsubinterfacetotheneighboringdevice.
81408 Fixedanissuewheresharedaddressobjectsthatarenotusedinsecuritypolicyruleswere
pushedtofirewallsevenwhenPanoramaSettings(Panorama > Setup > Management)was
configuredtonotShare Unused Address and Service Objects with Devices.
81383 Fixedanissuewherethe show routing route CLIcommandoutputwasmissingacomma

(",").Withthisfix,theoutputdisplayscorrectly.
81370 Fixedanissuewherethefirewallwasunabletoallocatealargememoryblock,which
causedsessionstofail.Thisfixensuresadequateresourcesareavailableforalargememory
blockwhenneeded.
IssueID Description
81301 Fixedanissueonafirewallwithdecryptionenabledwhereinsufficientbufferspace
resultedindiscardedSSLsessions.
81170 FixedanissuewheretheSNMPmanagerreturnedawarning(subtype-illegal)relatedto
panVsysEntryOBJECTTYPE(panVsysName)whenaddingthePANCOMMONMIB.my
MIBfile.Withthisfix,addingthecurrentversionofMIBfilestotheSNMPmanagerdoes
nottriggera subtype-illegal warning.
81079 Fixedanissuewhere,inaDynamicUpdatesschedulepopup(Device > Dynamic Updates

><Schedule>),hoveringovertheoverrideiconsdisplayedincorrectvaluesforthe
RecurrencesettingforantivirusandcontentupdateswhentheRecurrencesettingonthe
firewallwasoverriddenbyatemplatepush.Withthisfix,hoveringovertheRecurrence
valueoverrideiconforaDynamicUpdatescheduledisplaysthecorrectinformationeven
whentheRecurrencesettingwaspushedtothefirewallthroughatemplatepush.
81058 FixedanissueonPA7000SeriesfirewallswhereNATDynamicIPfallbackdidnotcorrectly
translateresources,whichresultedindroppedpackets.
80932 FixedanissuewherepasswordsfornonadministratorsenteredintheGlobalProtectlogin
windowweretruncatedto40characterswhenusingRADIUSauthentication.
80831 FixedanissuewhereSSLdecryptionfailedforsomesiteswhenthesizeofthecertificate
waslargerthan1.5KB.
80766 Fixedanissuewheredataplane0(DP0)onthepassivefirewallinahighavailability(HA)
configurationrestartedafterasessionwasestablishedontheactivefirewallinterfacewhen
thatsameinterfacedidnotalsoexistonthepassivefirewall.
80753 FixedanissueonaPA3060firewallwhereanetworkoutageoccurredwhenthenumber
ofactivesessionsreached100,000.Withthisfix,themaximumnumberofdetectorthreats
(dthreats)isincreasedtoavoidthisissue.
80702 Fixedanissueinahighavailability(HA)configurationwheretheARPtablesyncedwiththe
primarypeerbutwasrefreshedonlyondataplane0(DP0)ofthepassivepeer,which
causedARPentriestoexpireprematurelyonthepassivefirewallwhentheirTTLreached0.
80648 Fixedanissuewhereadevicegroupcommitfailedwhenusingthedestinationinterfacein
aNATruleconfiguredonPanorama.
80533 FixedanissuewhereadministratorscouldviewaddressesandusernamesintheApplication
CommandCenter(ACC)viewevenwhentheShow Full IP AddressesorShow User
Names In Logs And ReportsoptionwasdisabledfortheAdminRoleprofileassociatedwith
thoseadministrators(Device > Admin Roles ><AdminRoleProfile>> Web UI >Privacy
settings).
80463 FixedanissuewherealocalcommitonPanoramafailed(invalid reference)ona

templateortemplatestackwhenaLogForwardingprofilewasconfiguredtosendlogsto
syslog(Objects > Log Forwarding).
80397 FixedanissuewhereyoucouldcreateanewMonitorprofilewhencreatingapolicybased
forwarding(PBF)ruleonPanoramaevenwhenthetargettemplatewasunknown(thePBF
ruleispartofadevicegroupandtheMonitorprofileispartofatemplateconfiguration).
Withthisfix,youcannolongercreateanewMonitorprofilewhencreatingaPBFruleon
Panorama.
IssueID Description
80389 FixedanissueonaPA5060firewallwhereinternalpacketpathmonitoringfailedwhen
underaheavyload.Withthisfix,internalpacketpathmonitoringisforwardedusinga
prioritysettingthatpreventsthesefailuresevenwhenexperiencinghightrafficconditions.
80086 Fixedanissuewereafirewalldisplayedanincorrectlocationforthesourceordestination
ontheTrafficMap.
79841 Fixedanissuewhere,incertaincircumstances,therewerediscrepanciesbetweena
scheduledreportandthatsamereportgeneratedusingtherun nowoption(Monitor >
Manage Custom Reports > <CustomReport>).
79746 FixedanissueonaPA2000SeriesfirewallwhereanAggregateEthernet(AE)interfacewas
unabletotransmitanARPrequestonataggedsubinterfacetotheneighboringdevice.
79328 FixedanissuewhereApplicationsandSecurityrulesinQoSstatisticsview(Network >

QoS > <interface>)werenotdisplayedwhentheingressinterfacewasconfiguredtouseL2
VLAN.
78848 Fixedarareissuewhereacommit(suchasanantivirusupdateorFQDNrefresh)caused
thefirewalltostopprocessingtraffic.Thisissueoccurredafterahighavailability(HA)
synchronizationeventwhentheautocommittriggeredbythesynchronizationeventwas
ignored.Withthisfix,aforcecommitrequestisautomaticallyandrepeatedlygenerated
untilsuccessful.
78773 Fixedanissuewherethe debug dataplane flow-control enable port and debug

dataplane flow-control disable port CLIcommandsfailedtomodifyflowcontrol
settingsasexpected.
78426 FixedanissuewhereaCPUprocess(pan_dhcpd)spikedwhenDHCPNAKpacketswere
receivedontheDHCPrelayinterface.
78210 Fixedanissueinahighavailability(HA)active/passiveconfigurationwherethemulticast
treefailedtoconvergenonoffloadedmulticasttrafficasquicklyasexpectedaftera
failover.Withthisfix,themulticasttreeconvergencetimeisreducedfornonoffloaded
multicasttrafficafteranHAactive/passivefailover.
78040 Fixedanissuewheretheoutputofthe show zone-protection zone CLIcommanddid

notcorrectlydisplayzoneprotectioninformationforadefinedvirtualsystem(VSYS).
77376 FixedanissuewhereagatewayConfigrefreshonasatellitedevice(Network > IPSec

Tunnels > Gateway Info(foragateway)> select<gateway> > Refresh GW Config)causeda
delayintunnelinstallationandresultedinconnectivityissuesforthedurationofthedelay.
77299 FixedanissuewhereWildFireanalysisreportsdidnotdisplayCoverageStatusforthe
samplewhenusingaFirefoxbrowserevenwhenasignaturewasgeneratedtoidentifythe
sample(Monitor > Logs > WildFire Submissions > Detailed Log View > WildFire Analysis
Report).Withthisfix,youcanviewthecorrectCoverageStatusforasamplewhenusinga
Firefoxbrowser.
76981 Fixedanissuewhereacertificatecontainingaspacecharacter(" ")intheCommonName

fieldofthecertificatefailedtoestablishasecuresyslogconnectionwiththesyslogserver.
Withthisfix,certificatesestablishsyslogconnectionsasexpectedevenwhencontaining
spacecharactersintheCommonName.
76811 FixedanissuewherepacketlosscouldoccurwithasymmetrictrafficwhentwoPA4060
firewallsweresetupaspeersinahighavailability(HA)active/activeconfiguration.This
issueoccurredwithVLANtaggedtrafficwhenjumboframesprocessingwasdisabledand
largenonjumboframespassedovertheHA3linkandbecamejumboframes.
IssueID Description
76481 FixedanintermittentissuewhereaCategoryforasessionintheURLFilteringlogdidnot
matchtheactualcategorizationofthatsession.Withthisfix,thelogicforremovingexpired
orunresolvedURLcacheentriesisimprovedsothataCategoryintheURLFilteringlog
staysinsyncwiththeactualcategorizationofasession.
72115 WhenthewebinterfacewassettodisplayinanylanguageotherthanEnglish,service
routestospecifyhowthefirewallcommunicateswithotherserversordevicescouldnotbe
configured(Device > Setup > Services > Service Route Configuration).Thisissuehasbeen
fixedsothatserviceroutescanbeconfiguredandworkcorrectlywhenthewebinterface
issettoanylanguagepreference.
70719 InresponsetoanissuewhereadataplanerestartedduetoanincorrectflowID,PANOS
6.1.4andlaterreleasesincludedadditionalcheckstohelppreventthedataplanefrom
restartingduetothisissue.WiththisfixinPANOS7.0.3,thosePANOS6.1.4
modificationsarefurthermodifiedtoprovideamorecompletesolutionthatavoids
inadvertentlydroppingIPv4trafficaffectedbythisissue.
67254 FixedanissuewhereanXMLAPIcallforsystemRAIDfailedwithanattributeerrorfor
raid_handler object.
66607 FixedanissueonaPA200firewallwhereadministratorscouldconfigureafirewalldirectly
orusePanoramatopushexternalblocklists(EBLs)withatotalnumberofEBLlistsorIP
addressesthatexceededlimitationsanddidnotreceiveanerrormessage.(Lowend
platformssupportamaximumof10listsand50,000IPaddresses;highendplatforms
supportamaximumof30listsand150,000IPaddresses;thereisnoperlistmaximumfor
anyplatform.)Withthisfix,anerrormessageisdisplayedasexpectedwhenconfiguringa
PA200firewalldirectlyorthroughapushfromPanorama(orPANOSreleasedowngrade)
wherethenumberofEBLlistsorIPaddressesexceedsthelimitationsofthatfirewallorof
thecurrentPANOSrelease.
34340 Fixedanissuewherealargenumberofinformationallogsforthekeymanagerprocess
(keymgr)wereincludedinreportswhenlogsettingforkeymgrlogswassetto normal.With
thisfix,informationallogsforkeymgrareincludedonlywhenyouconfigureloggingfor
keymgrmessagestothedebugsettingusingthe debug keymgr on debug CLIcommand.
IssueID Description
82724 FixedanissuewhereoldregisteredIPaddressesinaDynamicAddressGrouponahigh
availability(HA)active/passivepairweredeletedfromthepassivefirewallwhenthat
firewallswitchedfromnonfunctionaltopassivestateandreceivedanincrementalupdate
ofregisteredIPaddressesfromtheactivefirewall.Thisfixalsoaddressedarelatedissuein
anHAactive/activeconfigurationwheretheactivesecondaryfirewallretainedoldIP
addressesintheDynamicAddressGroupafterswitchingtoafunctionalstatewhenthe
activesecondaryfirewallswitchedtononfunctionalstateandallIPaddressesinthe
DynamicAddressGroupbecameunregisteredontheactiveprimaryfirewall.
82717 Fixedanissuewhereadataplanestoppedrespondingafterarebootduetoaninitialization
issueonSFP+ports.
82675 FixedanissueonanM100appliancewhere,afteranupgradetoPANOS7.0.1,an
authenticationprocess(authd)stoppedrespondingwhentheLDAPbindingpassword
containedspecialcharacters.
82370 Fixedanintermittentissuewhereadataplaneprocess(mprelay)experiencedamemoryleak
thatcausedthevirtualmemorytoincreaseuntilittriggeredadataplanerestart.
82310 Inresponsetoafragmentationissue,viruspatternsaresplitintosmallerchunkstoreduce
thepossibilityofmemoryallocationfailure.
82087 Fixedanissuewhereafirewalldisplayedanalertforlowdiskspace.Withthisfix,the
/opt/contentdirectorywasremovedtoimprovethediskcleanupprocess.
82009 FixedanissuewhereadocumentfiletriggeredanattempttopinganIPaddress.
81981 FixedanissuewheretheLLDPSystemNamefielddisplayedthefirewallmodelnumberand
couldnotbemodifiedtodifferentiatefromothersimilarfirewalls.Withthisfix,thefirewall
populatestheLLDPSystemNamefieldusingtheconfigurablehostnamevalue.
81970 FixedanissuewheresomeActiveDirectory(AD)serverswereincorrectlydisplayinga
Password expires in x daysmessageevenafterselectingPassword never expireson
theADserver.Withthisfix,theADserverignoresthemaximumpasswordage
(maxPwdAge)valuewhenthePassword never expiresoptionisselected.
81955 FixedanissueonafirewallwherefileswerenotsenttoWildFireasexpectedwhenthefirst
8bytesofthefileweresplitacrossdifferentpacketsordecryptedbuffers.
81941 FixedanissuewhereadataplanerestartedwhenencounteringresumedSSLsessionsusing
inboundSSLdecryption.
81819 FixedanissuewheretheSystemlogreportedthatafirewallinahighavailability(HA)
active/activeconfigurationReceived conflicting ARP forthefloatingIPaddressofits
HApeer.Withthisfix,duplicateIPaddressdetectioncontinuestologconflictsfor
nonfloatingIPaddresses,aswellasduplicateaddressesdetectedforafloatingIPaddress
receivedfromanyotherdevicethatisnotamemberoftheHApair.
IssueID Description
81816 RemovedsupportforSSLv3onPanoramaforconnectionstomanageddevices.
81797 FixedanissuewhereASCIIandspecialcharacterswerenotsupportedintheuseractivity
reportusernamefield.
81783 Fixedanissuewhereafirewallpickedthewrongdecryptioncipherwhenconfiguredwith
multipleIPSecCryptoprofilesforIKEv2negotiation.
81676 Fixedanissuewhereafirewallallowedadministratorstoconfiguresubinterfacewithusing
invalidnotation(suchasethernet1/1.1.1).
81577 FixedanissuewherecustomURLcategoriesassociatedwithaDecryptionpolicydidnot
matchtrafficdestinedforaproxyserver.
81572 FixedanissueonaPA7000SeriesfirewallthatdisplayedincorrecttimestampsinTraffic,
Threat,andURLFilteringlogs.
81535 Fixedanissuewherethegrouplistwasemptyafterpushingthegroupmapping
configurationfromPanoramatoamultivsysfirewallduringanattempttoconfigureusers
inaSecuritypolicyruleeventhoughthegroupmappingstatewassynchronized.
81510 FixedanissuewhereDeviceGroupandTemplateadministratorswereabletocreateand
modifySharedobjects.Withthisfix,DeviceGroupandTemplateadministratorsare
allowedtocreateandmodifyonlyobjectsspecifictothedevicegroupsandtemplatesto
whichtheyhaveaccessnotSharedobjects.
81500 FixedanissuewhereaVMSeriesfirewallinaVMwareNSXconfigurationrunningonan
ESXiserverrestartedwhenaprocess(all_task)stoppedresponding.
81485 FixedanissueonPA200andVMSeriesfirewallswherelocalobjectswerenotresolvedin
theTrafficlogafterselectingtheResolve hostnameoption(bottomoftheMonitor > Logs
> Traffictab).
81452 FixedanissuewhereswitchingcontextfromthePanoramawebinterfacetoamanaged
firewalldidnotindicatewhethertheadministratorwasloggedinoveranencryptedSSL
connection;theSystemlogmessagewasalwaysUser admin logged in via Panorama
from x.x.x.x using httpregardlesswhethertheconnectionwasencrypted.Withthis
fix,theSystemlognowspecificallyreportsUser admin logged in via Panorama from
x.x.x.x using http over an SSL connectionwhentheadministratorisconnected
throughanencryptedSSLconnectiontodifferentiatefromnonencryptedconnections.
81389 Fixedanissuewheretheoutputoftheshow admins allcommanddisplayedall

administratoraccountsonthefirewall,includingrootaccounts.Withthisfix,show admins
allcommandoutputdisplaysonlylocalandnonlocaladministratoraccounts.
81373 FixedanissuewhereWildFireAnalysisreportsforsamplesanalyzedinaWildFirecloud
(publicorprivate)werenotdisplayedintheWildFireSubmissionslog(Monitor > WildFire
Submissions)whenthefirewallwasconfiguredtocommunicatewiththeWildFirecloud
throughaproxyserver.
81312 FixedanissuewherefirewallDeviceadministratorswereunabletorunandviewoutputon
afirewallforthe show panorama-status CLIcommand.Withthisfix,Device
administrator,Deviceadministrator(readonly),Superuser,andSuperuser(readonly)
users(Device>Administrators><administrator>)canrunandviewoutputforthe show
panorama-status commandfromthefirewall.
81271 FixedanissuewherethesecondattempttoaccesssomewebsitesoverHTTPSfailedwhen
SSLForwardProxywasenabled.
IssueID Description
81264 FixedanissuewhereThreatlogsweregeneratedfor Threat Name - IP fragment

overlap, ID - 8705 afterupgradingtoaPANOS7.0release.
81219 FixedanissuewithstabilitywhenaddingLogCollectorstoaCollectorGroup.
81115 Fixedanissuewhereadministratorsexperiencedlongdelayswhenexecutinglogqueries
consistingofmultipleattributes.
81110 FixedasessionreuseissuewhereanincomingSYN/ACKpacketforanestablishedsession
causedafailureinTCPreassembly,whichresultedinadroppedpacketeventheReject
NonSYNTCPoptionwasdisabled(Network > Network Profiles > Zone Protection >
<ZoneProtectionprofile> > Packet Based Attack Protection > TCP Drop).Withthisfix,
initiatingsessionreusewithaSYN/ACKpacketissuccessfulregardlessoftheReject
NonSYNTCPsetting.
80993 FixedanissueinPANOS7.0(aswellasinPanorama5.1andlaterreleases)whereXMLAPI
POSTrequestsfailedwhenincludingaQUERY_STRINGbutnocontentlengthheader.
Withthisfix(inbothPANOSandPanorama7.0.2releases),POSTrequestswitha
QUERY_STRINGandamissingcontentlengthheaderaresuccessful.
80960 FixedanissuewhereattemptingtoTest SCP server connection(Device > Scheduled Log

Export)createdanunnecessaryConfiglockthatpreventedanyadditionalchangestothe
runningconfiguration.
80933 FixedarareissuewhereaPA7000Seriesfirewallexperiencedheartbeatfailuresonthe
HA1andHA1backuplinksthatcausedsplitbraininahighavailability(HA)configuration.
80924 FixedanissuewhereaGlobalProtectLargeScaleVPN(LSVPN)satelliteconfiguration
causedthesatellitefirewalltoProxyARPforthedefinedaccessroutesubnetsonalllogical
andphysicalinterfaces.
80896 Fixedanissuewheresomeactionsthatutilizethe/opt/pancfg/partition,suchasdynamic
updatesandcommits,werefailingwhenthatpartitionranoutofspaceduetoalarge
numberofHIPreportsreceivedfromUserIDXMLAPI.Withthisfix,HIPreportsareno
longersavedinthe/opt/pancfg/partitionofthefirewall.
80840 FixedanissuewheretheURLfilterdidnotcorrectlyparsethecommonname(CN)value
whenaMACaddresswasspecifiedastheCNvalueintheservercertificate.
80839 Fixedanissuewhere error isdisplayedforTorstatusintheCLIoutputforboththe show

wildfire status and test wildfire tor CLIcommands.
80767 InresponsetoaveryrareissuewheretheconfiguredNATpoolormethodwasnotutilized
asexpected,anenhancementwasmadetoTechSupportfilegenerationthatincludes
additionaldatatohelptroubleshoottheissue.
80720 Fixedanissuewhereafirewallexperiencedadataplanerestartwhenthepacketprocessing
daemonterminatedduetoadoublefreeconditionassociatedwithaspecificpacketbuffer
(fptcp).
80687 FixedanissueonPA7000Series,PA5000Series,andPA3000Seriesfirewallswhere
softwarepacketbuffersweredepleted(althougheventuallyrecovered)whenreceiving
TCPpacketswithlargepayloads.Withthisfix,modificationstoprocessesforallocating
softwarebuffersandhandlingTCPcongestionensurethatsoftwarepacketbuffersdonot
getdepletedduetopacketswithlargepayloads.
80669 FixedanissueonfirewallsinCCEALmodewherethemanagementserverwouldrestart
whenthefirewallattemptedtosendanSNMPv3trap.
IssueID Description
80624 Fixedanissuewhereadministratorsexperienceddelaysaccessingthefirewallweb
interfacewhenthefirewallreconnectedtoPanoramaandhadalargenumberoflogsto
send.
80592 Fixedanissuewherefirewallsinahighavailability(HA)active/passiveconfigurationdidnot
synctheDynamicAddressGroupwhenoneofthefirewallsstoppedfunctioningandthen
changedtoafunctionalstate.
80567 InresponsetoanissuewhereraceconditionsaffectingBlockIPtableoperations
inadvertentlycausedsomepacketstobemarkedas drop ip block withoutanyentryin
theBlockIPtable.
80532 FixedanissuewherefileswerenotbeingforwardedasexpectedtotheWildFirecloud
(publicorprivate)duetoaterminatedprocess(varrcvr).Thisissueoccurredwhenthe
SubjectfieldinforwardedemailscontainednonASCIIcharacters.
80404 FixedanissuewherePA2000Seriesfirewallsexperiencedconnectivityissueswhen
autonegotiatingduplexandspeedsettingsonthemanagementinterfaceconnectiontoa
thirdpartydevice.Withthisfix,anewdriverisaddedtoensurethatthemanagement
interfaceremainsaccessibleandtoprovideamorereliabletransitionwhenspeedsare
changed(suchasfrom1,000Mbpsoverfullduplex1000/Fullto100/Full)whenthereis
littleornotrafficflowingthroughthefirewall.Usethefollowingbestpractice
recommendationstoensuresuccessfultransitions:
Whenpossible,setboththePA2000Seriesfirewallandthethirdpartydeviceto
autonegotiatemode,whereeachsideselectsthehighestpossiblecommonmaximum
speedandduplexsetting.
Ifyoumustmanuallyconfigurethespeedandduplexsettingforeitherthefirewall
(Device > Setup > Management > Management Interface Settings)orthethirdparty
device,youshouldmanuallyconfigurethesamespeedandduplexsettingsonbothsides
sothattheyareinsync.Ifyoudonotmanuallyconfigurethesettingstobethesameat
bothendsoftheconnection,trafficflowwillbeimpactedbecausethePA2000Series
firewallcannotdeterminethecorrectduplexmodeandwilldefaulttohalfduplexmode,
whichcancauseaduplexmismatch.
Ifyoumanuallyconfigurebothsidesoftheconnection:
Donotsettheportonthethirdpartydeviceto1000Mbpsmastermode,asthis
willcompletelystoptrafficandtheportswillnotrecover(bothportstrytocontrol
thelinkandneitherissuccessful).
Donotattempttochangethespeedorduplexsettingwhiletrafficisflowing
throughtheconnection:pausetraffic,configurethetwopeerportsappropriately,
makesuretheportsaresettothesamespeedandduplexvalues,andthenresume
trafficflow.
80386 Fixedanissuewhereaconfigurationoverridefailedwhenpushingsystemlogsettingsto
firewallsfromPanoramaresultinginthefollowingerror: edit failed, may need to
override template object informational first.
80318 FixedanintermittentissueonaPA7000Seriesfirewallwheresomepacketsweredropped
duringtheinitialsessionsetupprocess.Thisissueoccurredwhentwopacketsinthesame
sessionweresentalmostsimultaneously,causingthesecondofthetwopacketstoget
dropped.

IssueID Description
80251 Fixedanissueonafirewallwhereadataplanerestartedwithmultiplecorefiles(all_pktproc,
flow_ctrl,andflow_mgmt)afterthefirewallreceivedpercentencodedHTTPrequestsfrom
aproxyserverwhenboththeparsingofXForwardedFor(XFF)attributesandstrippingof
XFFfromHTTPHeaderswereenabled(configuredwiththe set system setting ctd
CLIcommand).Withthisfix,youcanenablebothXFFactionswithoutcausingthe
dataplanetorestartwhenthefirewallreceivespercentencodedHTTPrequestfroma
proxyserver.
80187 Fixedanissuewherethe test authentication authentication-profile command

resultsinoutputthatusesthemanagementinterfaceasthesourceregardlesswhetheryou
configuredaserviceroutetoprovideadifferentsource.
80063 FixedanissueonanM100appliancewheretheconfigurationdaemon(configd)stopped
respondingwhenprocessinganullvalue.
79960 Fixedanissuewherethefirewallsentanextracarriagereturnlinefeed(CRLF)inHTTP/1.1
POSTpacketswhenrequestinganupdatefromtheBrightCloudURLdatabase.Thisissue
occurredwhenusingaproxyserver,whichcorrectlyrejectsthepacketsandreturns
HTTP/1.1400BadRequestmessagesduetotheextraCRLF(perRFC7230).
79929 Fixedanissuewhereaprocess(mprelay)stoppedrespondinganddidnotreceivearefresh
oftheconfigurationwhenitrestarted.
79925 Fixedanissuewherevirtualwire(vwire)pathmonitoringfailedandthefirewallstopped
sendingICMPpacketsoverthevwireinterfaceafterahighavailability(HA)failover.
79719 Fixedarareissuewhereadataplanerestartedwhenmultipleprocesses(flow_ctrland
mprelay)stoppedrespondingduetoasoftwarebufferleak.
79709 FixedanintermittentissuewhereZIPprocessingmaycausethedataplanetorestart.
79535 Fixedanissueinahighavailability(HA)configurationwherethemonitoreddestinationIP
addressforPathMonitoringdisplayedas up evenwhenunavailable,preventingthe
firewallfromdisplayingas tentative asexpected.Withthisfix,themonitoreddestination
IPaddresscorrectlyshowsas down whenunavailable,whichresultsinthefirewallcorrectly
changingstatusto tentative.
79504 FixedanissuewhereapassiveM100applianceinahighavailability(HA)configurationlost
itsdevicegroupandtemplateconfiguration.
79470 FixedanissuewherePanoramadidnotdisplayWildFireAnalysisreportscorrectlyinthe
WildFireSubmissionslogforWF500appliancesrunningPANOS6.1orearlierreleases.
YoucanfetchthesereportsusingasecurechannelonlyforWF500appliances
runningPANOS7.0.2orlaterreleases;asecurechannelisnotusedwhenfetching
reportsfromaWF500appliancerunningPANOS7.0.1orearlierreleases.
79382 FixedanissuewhereIPaddressregistrationthroughtheXMLAPIfailedtopopulatethe
DynamicAddressGroupfollowingan AddrObjRefresh jobfailureduringatemplate
commitfromPanoramawhentheForce Template Valuesoptionwaschecked,resultingin
an Error: Failed to parse security policy.
79347 Fixedanissuewhereafirewallstoppedrespondingandtriggeredadataplanerestartwhen
receivingincompleteandinsufficientparametersinAPIcalls.Withthisfix,checksarein
placetopreventthedataplanerestartwhenreceivingAPIrequestswithinvalidor
insufficientparameters.

IssueID Description
79279 Fixedanissuethatcausedanerrortobedisplayed(ntp-servers unexpected here.

Discarding.)whenpushingadevicegroupconfigurationthroughtemplatesaftera
Panoramaupgrade.
79046 FixedanissueonanMSeriesappliancerunninginLogCollectormodewherelog
forwardingtoanexternalsyslogserverstoppedworkingafteraPanoramacommitwhen
forwardinglogsthroughTCPport514(default)insteadofUDPport514(Device > Server
Profiles > Syslog).Withthisfix,younolongerneedtoperformaCollectorGroupcommit
toresumelogforwardingafteraPanoramacommitwhenthesyslogserverisconfiguredto
useTCP.
78891 FixedanissuewheretheuseofregionbasedobjectsintheSecuritypolicycaused
consistentlyhighdataplaneCPUutilization.
78803 FixedanissueinPanoramawheretemplatesettingsthatwereglobaltoeveryvirtual
system(vsys)onafirewall(forexample,Systemlogsettings)wereunabletoreference
configurationelements(forexample,anEmailserverprofile)whenthatelementwasadded
toaspecificvsysinsteadoftotheSharedlocation.Withthisfix,Panoramacanpush
templateanddevicegroupsettingseventhosethatarenotorcan'tbepushedtoaspecific
vsysregardlesswhetherthosesettingsrefertoSharedelementsorelementsthatare
specifictoavsys.
78571 FixedanintermittentissuewhereafirewallreceivedaVirtualSystemslicensethatallowed
forahighernumberofvirtualsystemsthanthemaximumamountsupportedforthe
platform.Withthisfix,thelicensedvirtualsystemsactivatedonafirewallcannotbehigher
thanthemaximumamountofvirtualsystemssupportedonthefirewall.
78568 FixedanissuewherePA3000,PA5000,andPA7000Seriesfirewallsexperienceda
memoryleakassociatedwithimproperpurgingofold,replacedentriesintheARP/NDtable
whenthetablereachedcapacity.
78511 FixedanissuewheretheDHCPrelayagentincorrectlysetthegatewayIPaddress(giaddr)
valuetozero(insteadoftheIPaddressoftheingressinterfaceasdefinedinRFC1542)
whenrespondingtoDHCPrequests.
78084 Theoutputforthecommand show log collector serial number displayeddifferent

logdatawhenexecutedonaprimaryactivePanoramathantheoutputthatwasdisplayed
whenthecommandwasexecutedfromthesecondarypassivePanorama.Thisissueisfixed
sothattheoutputforthecommand show log collector serial number correctly
displaysthelatestlogdataformanagedLogCollectors.
78064 Fixedanintermittentissuewhereauthenticationfailedinatwophaseauthentication
processwhentheloginresponsecontainedcustomerdata.
77816 FixedanintermittentissuewheresomeWindows7GlobalProtectclientsusingtwofactor
authentication(LDAPandcertificate)lostconnectiontotheportalorgatewayandcould
notreconnectduetoafailedauthenticationwiththeerror Required client
certificate is not found evenwhenthecertificatewasavailable.
77775 Fixedanissuewhereavalidationerroroccurredwhenattemptingtomoveanobjectfrom
itscurrentdevicegrouptoadestinationdevicegroupthatwaslowerinthehierarchyeven
whenthepolicyrulesorobjectsthatreferencetheobjectbeingmovedwereinthesame
destinationorinadevicegroupthatshouldinherittheobject.
77103 FixedanissuewhereaSystemlogmessage(Failed to upgrade WildFire package to

version <unknown version>)displayedonthefirewallevenwhennoWildFirelicense
existedonthefirewall.

IssueID Description
76875 Fixedanissuewherethedataplanerebootedwhenaprocess(brdagent)wasterminatedby
thefirewallinresponsetoanoutofmemorycondition.Withthefix,dataplanerebootsare
nolongertriggeredbytheseoutofmemoryeventsbecausethefirewallnolonger
considersthebrdagentprocessforterminationwhenattemptingtoaddressan
outofmemoryevent.
76781 FixedanissuewhereafirewallincorrectlycalculatedpacketlengthandTCPsequencedue
toaonebytezerowindowprobepacketwhenthatpacketwassentfromonevsysto
another.
76631 FixedanissueonPA7000SeriesfirewallswheretheLogProcessingCard(LPC)failedto
resolvetheFQDNofthesyslogserver.Withthisfix,thefirewallwillreinitiatetheDNS
lookuprequestuntilthelookupsucceeds.
76561 FixedanissuewheretheDHCPrelayagentdroppedDHCPDISCOVERpacketsthatthe
agentcouldnotprocessduetomultipleBOOTPflags.Withthisfix,theDHCPrelayagent
recognizesthefirstBOOTPflaginaDHCPDISCOVERpacketandignoresanyadditional
BOOTPflagsthatmayexist(perRFC1542)sothatmultipleBOOTPflagsdonotcause
DHCPDISCOVERpacketstobedropped.
75803 AddressedanissueregardinghowoftenpasswordAPIkeysareregenerated.
75344 Fixedanissuewhereamemoryprocessrestartedandcausedaninvalidmemoryreference;
theinvalidmemoryreferenceresultedinamanagementplanerestart.
74423 FixedanissuewhereafirewallrunningPANOS7.0.1wasincorrectlyusingtheURL
UpdatesserviceroutewhenfetchingaDynamicBlockListinsteadofusingtheservice
routeattachedtothePaloAltoUpdatesintheServiceRouteConfiguration(Device > Setup
> Services > Global).
73443 Fixedanintermittentissuethatresultedincorruptedforwardingentriesontheoffload
processor.
71331 FixedanissueonaPA500firewallwherethefirewallassignedaDHCPaddressforthe
management(MGT)interfaceevenaftertheadministratorconfiguredastaticIPaddressfor
thatport.Withthisfix,DHCPinitiationfortheMGTinterfaceisdisabled.
70887 FixedanissuewhereclickingtheMorelinktoviewtheregisteredIPaddressunderObject
> Address GroupsresultedinanerrorifthenameofaDynamicAddressGroupincludeda
space.Withthisfix,spacesinDynamicAddressGroupnamesnolongercauseanerror
whendisplayingtheIPaddress.
70302 FixedanissuewheretheautocommitprocessfailedafterupgradingaPA7050orPA5000
SeriesfirewalltoaPANOS6.1orPANOS7.0release.
69132 Fixedanissuewhereoccasionaldataplanerestartsoccurredduetoakernelmemory
allocationfailure.
64602 Inresponsetoanissuewhereafirewallgeneratedcorefilesforaprocess(pktproc)whena
dataplanestoppedresponding,anadditionalcheckandassociatederroroutputisaddedto
helptroubleshootanissuewhereanFPGArunningtheAhoCorasickalgorithmreturnsa
sessionindexmappedtoaNULLpointer.

IssueID Description
64531 Fixedanissuewhereahighavailability(HA)failoveroccurredduetoinsufficientkernel
memoryonaPA5000Seriesfirewall.Withthisfix,PA5000Seriesfirewallsincludesome
cacheflushingeventsandincreasedkernelmemorytoensuresufficientkernelmemory
remainsavailableforpingrequestsandkeepalivemessagestoavoidtheseHAfailovers.
64266 Fixedarareissuewherecertainprocesses(l3svcandsslvpn)stoppedrespondingwhena
ContentupdateandFQDNrefreshoccurredsimultaneously.

ThefollowingtableliststheissuesthatareaddressedinthePANOS7.0.1release.(AsthebasePANOS
7.0image,thisreleaseandthelistbelowalsoincludeallissuesinitiallyaddressedforPANOS7.0.0.)Foran
overviewofnewfeaturesintroducedinPANOS7.0andotherreleaseinformation,includingthelistof
knownissues,seePANOS7.0ReleaseInformation.Beforeyouupgradeordowngradetothisrelease,
reviewtheinformationinUpgradetoPANOS7.0.
IssueID Description
PAN-73605 FixedanissuewherethefirewalldidnotcorrectlyidentifytheURLcategoryofaweb
sessionwhentheHTTPheaderinformationwassplitacrossmultiplepacketsduetoa
sequenceofabnormallylargeHTTPcookies.
82299 FixedacriticalsecurityvulnerabilityforfirewallsandPanoramarunningPANOS7.0.0that
wereconfiguredtouseLDAPauthenticationforCaptivePortalorfordevicemanagement.
(ThisissuedoesnotaffectdevicesconfiguredtouseRADIUSorlocalauthentication.)
81374 FixedanissueonaPA200firewallwheretheMACaddressconfiguredforthe
managementinterfacewasinadvertentlychangedafteranupgradetoPANOS7.0.0.With
thisfix,themanagementinterfaceMACaddressconfiguredbeforeanupgraderemainsthe
sameaftertheupgrade.
81174 FixedanissuewhereanautocommitfailedafteranupgradetoPANOS7.0.0duetoafailed
IKECryptoprofileverificationwhentwoIKEgatewayswereconfiguredusingadynamic
peerinmainmodeonthesamelocalinterface.
81167 FixedanissuewheretheAppsonly(noThreats)versionofContentUpdatesfailedtoinstall
onadeviceregisteredwithstandardsupport.
81158 FixedanissuewhereanIPSectunnelfailedtonegotiateanewsessionanddroppedpackets
duringanSArekeyinIKEv2mode.
81024 FixedanissuewherePanorama7.0.0failedtoproperlypushDeviceGroupandService
GroupobjectstodevicesrunningPANOS6.1orearlierreleases.Withthisfix,Panorama
pushesDeviceGroupandServiceGroupobjectsasexpectedtodevicesrunningany
supportedPANOSrelease.
80903 FixedanissuewherePA7050firewallsrunningPANOS6.1orearlierreleasesdidnot
accuratelyhandlequeriesfromPanoramarunningPANOS7.0.0,whichresultedinthe
inabilitytodisplaydataintheApplicationCommandCenter(ACC)widgetsandprevented
logdatafromthePA7050firewallfrombeingincludedinreportsgeneratedonPanorama.
Withthisfix,PanoramaqueriestoPA7050firewallsaredisabledbydefaultsothatACC
widgetsdisplaycorrectlyforallotherdevicesyoumanagethroughPanorama.
80871 FixedanissuewhereWildFireanalysisreportswerenotdisplayedinDetailedLogView
(Monitor > WildFire Submissions > Detailed Log View > WildFire Analysis Report)for
WildFireSubmissionslogentrieswhenthefirewallwasconfiguredtouseaserviceroute
insteadofthemanagementinterfacetocommunicateeitherwithaWildFireprivatecloud
orwiththeWildFirepubliccloud.However,forfirewallsrunningPANOS7.0.1,toviewthe
integratedreportsfromwithinthewebinterfaceonthefirewall,youmustfirstconfigure
wildfire.paloaltonetworks.comastheWildFirepubliccloud;eitherintheweb
interface(Device > Setup > WildFire > General Settings)orusingtheset deviceconfig
setting wildfire public-cloud-server wildfire.paloaltonetworks.comCLI
command.

IssueID Description
80849 FixedanissuewhereIPv4andIPv6trafficforwardingfailedwhensentthroughanLACP
AggregatedEthernet(AE)interfaceduetoanincorrectsystemMACaddress.
80799 FixedanissuewherefilesandemaillinkssentusingSimpleMailTransferProtocol(SMTP)
orPostOfficeProtocolversion3(POP3)werenotforwardedtotheWildFirepubliccloud
foranalysisunlessthefirewallwasalsoconfiguredtoforwardfilestoaWildFireprivate
cloud.Withthisfix,firewallsconnectedonlytotheWildFirepubliccloudappropriately
forwardtotheWildFirepubliccloudallfilesandemaillinksthataresentusingSMTPor
POP3.
80607 Fixedanissuewhereafirewallrebootedwhenanunusuallylargenumberoffragmented
packetspassedthroughthefirewallwhentheNAT64 IPv6 Minimum Network MTUsetting
wasconfiguredtoavalueotherthan1500(Device > Setup > Session > Session Settings),
whichtriggeredamemoryleak.Withthisfix,fragmentedpacketsnolongercausea
memoryleak.Additionally,anewcounterwastomonitorwhetherresourcesareavailable
forfragmentingpacketswhenneeded.
80561 FixedanissuewheresoftwareforwardingofLayer3multicasttrafficwithProtocol
IndependentMulticast(PIM)didnotfunctionproperly.
80408 Fixedanissuewhere,insomeenvironments,newcontentupdatescouldnolongerbe
accommodatedbythememoryonthefirewallthatisallottedforthesefilesduetoa
continuallyincreasingnumberofapplicationsintheupdates.Withthisfix,allocated
memoryforcontentupdatesisincreasedsothatcontinuedgrowthofcontentupdateswill
notpreventsuccessfuldownloadandinstallationofthoseupdates.
80398 Fixedanissuewhereadministratorswereunabletologinthroughthewebinterfacewhen
thefirewallwasconfiguredtoauthenticateadministratorsusingclientcertificatesandwas
configuredwithOnlineCertificateStatusProtocol(OCSP)verificationenabled.
80373 FixedanissuewhereattemptstoCloneobjectsorpoliciesinasharedgatewaylocationor
Moveobjectsorpoliciesfromavirtualsystemtoasharedgatewaylocationdidnotwork
correctly.
80323 Fixedanissuewherethelinkstatesforfirewallinterfacesdidnotcomeupwhenrebooting
thefirewallafterdisablinghighavailability(HA).
80286 FixedanissuewhereacommitfailedafteranupgradetoPANOS7.0.0whenDefaultsfor
anapplicationwassettoICMP Type(Objects > Applications > application > Advanced).
Withthisfix,commitsdonotfailafteranupgradetoPANOS7.0.1orlaterreleases
regardlessofthisDefaultssetting.
80268 FixedanissueonaPA7050firewallrunningPANOS7.0.0whereattemptstoswitchto
CommonCriteria(CC)modefailedwiththefollowingerror:Set CCEAL4 Mode Sysd
Error.ThisissueoccurredbecausetheCCmodeoperationattemptedtochangethe
operationalmodebeforethesystemprocess(sysd)wasfullyloaded.Thisoperationresulted
insettingthefirewalltothefactorydefaultconfigurationwithoutCCconfiguration
changes.
80266 FixedanissuewherePA200,PA500,andPA2050firewallsrunningPANOS7.0.0and
configuredtouseaservicerouteinsteadofthemanagement(MGT)interfacetoconnect
toanLDAPserverwereunabletoestablishaconnection,whichcausedallfirewall
functionsthatreliedonthatconnectiontofail.Withthisfix,firewallssuccessfullyconnect
throughaconfiguredserviceroutetoanLDAPserver.
79854 FixedanissuewherePanoramawasunabletodisplaySystemandConfiglogsforPA7000
Seriesfirewalls.

IssueID Description
79844 Fixedanissuewherelogssenttoalogcollectorgroupwerenotproperlysavedandcould
notbedisplayedwhenthatlogcollectorgroupcontainedaspaceinthename.Withthisfix,
logsaresavedanddisplayedcorrectlyevenwhenthereisaspaceinthelogcollectorgroup
name.
79522 Fixedanintermittentissuewhereafirewallwithhardwareoffloadenabledincludedan
incorrectIPchecksumvalueinoutgoingNATpackets,whichcausedsomepacketstobe
dropped.
79511 FixedanissueonPanoramawheredisablingtheShare Unused Address and Service

Objects with Devicesoption(Panorama > Setup > Management > Panorama Settings)
whennoSharedobjectswereconfiguredcausedaprocesstorestartduringacommit.
79478 Fixedanissuewherethefirewallconnecteddirectlytoadirectoryserverinsteadofthe
UserIDagentconfiguredasanLDAPproxy.Withthisfix,thefirewallcorrectlyusesthe
UserIDagentwhentheagentisconfiguredforuseasanLDAPproxy.
79463 FixedanissuewhereCPUmemoryonaPA7050firewallspikedwhenattemptingtoview
reportsintheApplicationCommandCenter(ACC).Thisissueoccurredwhentaskcreation
notificationswerenotprocessedproperlyand,asaresult,theLogCollectordidnot
terminatefailedrequestsasexpected.Withthisfix,taskcreationnotificationsare
processedappropriatelyandfailedtasksareproperlyterminated.
79443 Fixedanissueinthewebinterfacewhere,insomecases,thePHPsessioncookie
(PHPSESSID)wasnotmarkedassecure.
79401 VM1000HVfirewallsrunningoneightvCPUsdidnotsaveanddisplayTrafficandThreat
logs.Withthisfix,VM1000HVfirewallsproperlysaveanddisplaythelogs.Thisissuedid
notaffectVMSeriesfirewallsrunningontwoorfourvCPUs.
79367 FixedanissueinPANOSwhereGlobalProtectclientsexperienceddelaysand
intermittentlyfailedtoretrievethegatewayconfigurationforconnectingtoa
GlobalProtectgatewaywhenthefirewallwasinahighavailability(HA)configurationand
underaheavyload.ThisissueoccurredduetoanissuewiththesynchronizationofHIP
reportsbetweengatewaysonHApeerswhentherewasahighnumberof
nearsimultaneousGlobalProtectconnectionrequests.Withthisfix,thesyncprocessis
modifiedsothatGlobalProtectclientsareabletodownloadtheconfigurationandconnect
tothenetworkasexpectedevenwhenmultipleclientsareattemptingtoconnectatthe
sametime.
79335 FixedanissuewhereattemptingtofilterSystemlogsusingthelogfilter Type equal

globalprotect didnotwork.Aspacewasautomaticallyaddedtothelogfilter,causing
anerrortobedisplayed.
79291 FixedanissuewheretheBytescolumnresultsdisplayedwhenclickingRun Nowfora

customreport(Monitor > Manage Custom Reports)didnotmatchtheresultsdisplayedin
thatsamereportwhenemailedorexportedoutinPDFformat.
79278 Fixedanissuewheretheactivedeviceinahighavailability(HA)configurationfailedto
generatetechsupportfilesduetoabufferlimitationthatcouldnotaccommodatethe
outputfromsomecommands.Withthisfix,thecommandsthatpreventgenerationoftech
supportfileshavebeenremovedsothatreportsaregeneratedasexpected.
79260 FixedarareissueonaWF500appliancewhereanICMPpacketcontainingaFIN+ACK
packetwasincorrectlyforwardedoutthroughthemanagement(MGT)interface.Withthis
fix,ICMPpacketscontainingaFIN+ACKpacketaredropped,instead.

IssueID Description
79104 FixedarareissueonaPA7000SeriesfirewallwheretheHA1andHA1backuplinks
experiencedheartbeatfailuresthatcausedsplitbraininahighavailability(HA)
configuration.
78798 FixedanissuewheretheURLfieldintheURLFilteringlogbecameblankorwaslogged
withoutahostname.
78652 FixedarareissuewhereafirewalldroppedURLrequestswhenthemanagementplane(MP)
URLtrie(datastructure)reached100%capacity.Withthisfix,whentheMPURLtrie
reaches90%capacity,URLsinthecachearecleareduntiltheMPURLtrieutilizesonly50%
ofcapacitysothatthetriecannotreachmaximumcapacityandcauserequeststobe
dropped.
78646 Fixedanissuewhereafirewallreplacedmultibytecharacterswithaperiodcharacter( . )
whenforwardinglogsoreventinformationtoSNMPtraps,toasyslogserver,through
email,orinscheduledlogexports.ThisissuealsooccurredwhenexportinglogstoCSV.
Withthisfix,multibytecharactersareforwardedandexportedcorrectlywithone
exception:inPANOS7.0.1,PA7000Seriesfirewallswillstillincorrectlyreplacemultibyte
characterswithperiodcharacterswhenexportinglogstoCSV.
78621 FixedanissuethatoccurredwhenChileadoptednewofficialtimesandtheofficialtimefor
ContinentalChilebecameUTC03:00.APA200firewallconfiguredtousetheChile
ContinentaltimeincorrectlycontinuedtodisplaytheofficialtimeasUTC04:00.
78556 FixedanissueinPanoramawhereusingtheoptiontoimportacertificatewhenconfiguring
aGlobalProtectgatewayorportaldidnotresultintheimportedcertificatebeingaddedto
thedropdown.TheimportedcertificatealsodidnotdisplayontheTemplates > Device >
Certificatespage.(However,theimportedcertificatediddisplaycorrectlyaftera
Panoramacommit.)Withthisfix,importedcertificatesaredisplayedimmediatelyonthe
webinterfacewhereexpected.
78448 Fixedanissuewhereacustomresponsepagecontaininganinvalidsubstringcausedthe
processforcommunicatingbetweenthedataplaneandmanagementplanes(mprelay)to
stoprespondingwhenattemptingtocommitconfigurationchanges.
78436 Fixedanissuewherethemanagementplanestoppedrespondingwhenmorethanone
processattemptedtomodifythedevicetableduringaconfigurationpushfrom
Panorama.Withthisfix,thedevicetableislockedandmodifiablebyonlyoneprocessat
atimetoavoidconflictingmodifications.
78413 FixedanissueonaPA7000Seriesfirewallwithmultiplevirtualsystemswhereamemory
leakwasobservedrelatedtotheFirstPacketProcessor(FPP)managementplaneprocess
whenrunningtheshow session meterCLIcommand.
78343 Fixedanissuethatoccurredwithdecryptionenabled,wheresomewebsiteswerenot
decryptedduetoanissuewithcertificateserialnumbers.
78304 Asecurityrelatedfixwasmadetoaddressacrosssiterequestforgery(CSRF)issueinthe
webinterface.
78289 Fixedanissuewherethereceive errorsinterfacecounterdisplayedvalueslargerthan

theactualnumberofpacketsthatshouldbecountedaserrors.Thisissueoccurredbecause
somepacketswerecountedtwice.Withthisfix,thereceive errorscounterdisplaysthe
correctvalue.
78197 HIPreportsforuserscannowberetrievedusingtheXMLAPI(inadditiontoviewingHIP
reportsusingtheCLI).

IssueID Description
78187 Fixedanintermittentissuewithasystemprocess(all_task)thatcausedadevicetorestart
unexpectedly.Thisfixincludesanadjustmenttoaninternaltimertoavoidtheserestarts.
78166 FixedanissuewheretheVirusTotallinkintheCoverageStatussectionofWildFire
AnalysisreportsdidnotcorrectlyopentheVirusTotalpage.
78155 AddressedanissuewheretwoDoSprotectionpolicyrulesthatwerenotoverlapping
incorrectlyresultedinawarningthatoneoftheruleswasshadowingtheotherrule.
77907 FixedanissuewherelogforwardingtoaLogCollectordidnotstopasexpectedwhen
executingtherequest log-fwd-ctrl device <s/n> action stopCLIcommandon
Panorama.Withthisfix,logforwardingtoaLogCollectorstopsasexpectedwhen
executingtherequest log-fwd-ctrl device <s/n> action stopcommandsolongas
boththefirewallandPanoramaarerunningPANOS7.0.1orlaterreleases.
77784 FixedanissueonPanoramawhereadministratorswereunabletofilterDeviceGroupsby
tagsinthecommitwindow.
77749 FixedanissuewhereclickingMoretoviewtheregisteredIPaddressunderPolicies >

Security > Object > Address Groupsresultedinanerror.
77721 FixedanissueonaPA200firewallwhereareboottookmuchlongerthanexpected(more
than20minutes).ThisissueoccurredwhentheContentUpdatesdatabasewascorrupted
andupdatesdidnotstoporpauseasexpectedtoallowthereboottotakeplace.Withthis
fix,thefirewallreinitializesthedatabaseifitiscorruptedtoallowtheContentUpdateand
systemreboottoproceedasexpected.
77477 FixedanissuewhereauserwasnolongerabletoconnecttoaVMSeriesfirewall
configuredasaGlobalProtectgatewayanddeployedinAmazonWebServices(AWS)after
theuserhadbeenconnectedforseveralhoursandtheusercouldnotreconnectuntilthe
gatewaywasrestarted.Withthisfix,usersnolongerlosetheirconnectiontothe
GlobalProtectgatewayiftheystayconnectedforseveralhours.
77413 FixedanissuewheretheauthenticationprocessfailedtoparsethebaseDistinguished
Name(DN)correctlywhenitcontainedaspace("")character.
77342 WhenusingtheXMLAPItoretrieveHAcontrollinkstatistics,thestatisticsretrievedwere
notthesameasthosedisplayedintheoutputfortheCLIoperationalcommandshow
high-availability and control-link statistics.
77307 FixedanissuewheretheCLIseemedunresponsiveafterrunningtheshow config diff

commandduetotheextendedperiodoftimeittooktoprocessandreturnresultsforadiff
containingalargenumberofconfigurationchanges.Withthisfix,theshow config diff
commandreturnsresultswithoutanysignificantdelay.
77163 Fixedanissuewherethe/var/log/securelogfileinflatedandconsumedavailabledisk
space.Withthisfix,PANOSusesalogrotationfunctionforthislogfiletoavoidconsuming
morediskspacethanisnecessary.
77140 FixedanissuewhereanerrorwasdisplayedwhenusingPanoramatochangeapassword
foramanagedfirewalladmin.
76847 FixedanissuewhereIKEphase2rekeywashappeningtoofrequentlyforanIPSec
sitetositeVPNconfiguredwithtunnelmonitoringonmultipleProxyIDswhenQoSwas
enabled.

IssueID Description
76759 FixedanissuewhereanSSLscanofaWF500appliancereturnedSSLv3connectionsand
RC4cipherseventhoughtheWF500appliancenolongersupportsSSLv3.Withthisfix,
theWF500appliancereturnsonlyTLSv1connections.
76729 Fixedanissuewheretheresponsereturnedbythe request batch license info XML

APIrequestwasnotwrappedwith<response> <result>.
76688 FixedanissuewheretheIPv6sourceaddresswasnotdisplayedintheHostcolumnfor
Configlogs.Withthisfix,theIPv6sourceaddressisdisplayedintheHostcolumnas
expected(insteadof0.0.0.0).
76575 FixedanissueonaPA5000SeriesfirewallwhereanoccasionalinconsistencyintheIPv6
neighborcacheondifferentdataplanescausedIPv6trafficsenttocertainhoststoget
dropped.Withthisfix,thefirewallkeepstheIPv6neighborcacheinsyncbetween
dataplanessothatIPv6packetsarenotdropped.
76489 FixedanissuewherethreatupdatesdidnotinstallcorrectlyafteraddingaThreat
PreventionlicenseandinstallinganApplicationsandThreatscontentreleaseversion.This
occurredeventhoughtheoutputoftheshow system infoCLIcommandverifiedthatthe
ThreatPreventionlicensewasinstalled.
76282 FixedanissuewhereFQDNobjectswerenotresolvedwhenallthefollowingconditions
weretrue:
TheFQDNobjectwasbeingusedasataginaDynamicAddressGroup.
TheDynamicAddressGroupwasnotamemberofthesametag.
TheFQDNobjectwasnotattachedtoasecuritypolicyrule.
TheFQDNobjectwasnotincludedinaregularaddressgroupthatwasattachedtoa
securitypolicyrule.
76083 FixedanissuewherenoSystemlogsweregeneratedforfailedloginattemptsusingtheCLI
overanSSHconnection.Withthisfix,additionalSystemlogsnowprovidevisibilityfor
failedloginstothemanagementinterfaceevenifthoseattemptscomefromaCLIoveran
SSHconnection.
76079 FixedanissueonPA7000SeriesfirewallswhereTrafficlogsonAdvancedMezzanine
Cards(AMCs)couldnotberecoveredafterinstallingtheAMCsontoanewLogProcessing
Card(LPC).Withthisfix,anewCLIcommand(request metadata-regenerate slot
<slotnum>)isavailableforretrievinglogsfromtheoldAMCdisksafterinstallingthemina
newLPC.
Whenyouusethiscommand,youshouldensurethedeviceisnotprocessingtrafficuntil
theregenerationrequestiscomplete.Additionally,youcanignoretheerroneouserror
message(Failure communicating with given slot)thatdisplays60secondsafter
runningtherequest metadata-regeneratecommand:theregenerationprocesswill
continuetorunasexpectedandyouwillneedtowaitforittofinishbeforeresumingtraffic
flow.Itcantakeuptotwohours,orlonger,toregenerateallmetadatadependingonthe
numberoflogsrecovered.Todetermineifregenerationiscomplete,usethefollowingCLI
commandtolookfortheDone generating metadata for LD:xmessage:
less s8lp-log vld-<amcslotnum>-0.log
75881 FixedanissueonaPA5000Seriesfirewallwherethemanagementplaneanddataplane
restartedduetoaraceconditionthatoccurredwhentheEnforce Symmetric Return
optionwasenabledinthepolicybasedforwarding(PBF)rules(Policies > Policy Based
Forwarding > Forwarding).ThisraceconditioncausedinaccuratePBFreturn-mac ager
lists,whichcausedtherestarts.Withthisfix,thefirewallretrievesandchecksreturnMAC
entriestoavoidthisraceconditionandassociatedrestarts.

IssueID Description
75825 FixedarareissueonaPA5000Seriesfirewallwherearaceconditionoccurredbetween
dataplanes1and2(DP1andDP2)anddataplane0(DP0)thatincorrectlycausedaresetof
thetimeoutvalueforparentsessionsownedbyDP1andDP2whencreatingpredict
sessions,whichcausedthoseparentsessionstotimeoutprematurely.Withthisfix,the
timeoutforparentsessionsisnotchangedwhenthepredictsessionsarecreated.
75758 FixedanissuewherethedataplanerestartedonaPA5000Seriesfirewallinahigh
availability(HA)clusterduetocorruptionofARPpackets.
75744 Fixedanissuewhereadataplanestoppedrespondingafteracommitthatchangedthe
interfaceindexwhenhighavailability(HA)sessionpacketswerereferencingthatinterface
indexusinganinterfacepointer.
75677 FixedaPanoramaissuewhereclearingthesettingRequire SSL/TLS secured connection

foravsysspecificLDAPserverprofile(Templates > Device > Server Profiles > LDAP)
displayedanerror.
75404 Fixedanissuefortheshow logCLIcommand,whereyoucouldnotfilterthedisplayedlogs

byusernameiftheuser/srcuseroptionusedcharactersotherthananalphanumeric
character,underscore,dash,dot,forwardslash,orcolon.
75003 Fixedanissuewhereonlythefirst15charactersofazonenamewasdisplayedinlogs.
Completezonenamesarenowdisplayedinlogs.
74654 FixedanissueonanM100devicewhereanattempttodownloadContentUpdatesfailed
duetoalackofdiskspace.ThisissueoccurredwhencontinuousXMLAPIqueriesfilledthe
/opt/pancfgpartitionbecauseSTOPmessagesweregettingdroppedbetweenPanorama
andtheLogCollectorandquerieswerenotproperlyremovedwhennolongerneeded.
Withthisfix,STOPmessagesshouldnotbedropped.Additionally,incaseSTOPmessages
aredroppedforanyotherreason,atimeoutsettingforqueriesisinplacetoensurethat
stalequeriesareremovedfromdiskspacebeforecausingastoragespaceissue.
74609 FixedanissueonaPA5000SeriesfirewallwherePREDICTsessionswerehandledby
dataplane0(DP0)buttheSIPparentsessionswereonadifferentdataplane.Withthisfix,
youcanusetheset session filter-ip-proc-cpu dest-ip <IPaddr>CLIcommandto
specifyalldestinationSIPproxyIPaddressesinafilterlistonthefirewall.Youcanthenuse
thelisttoconfigurethefirewallsothatDP0receivesandhandlesanyinboundpacketthat
isdestinedforanyofthespecifiedSIPproxyIPaddresses.
74600 AsecurityrelatedfixwasmadetotheOpenSSLpackagetoaddressmultiplevulnerabilities
impactingtheOpenSSLlibraries.
74489 Fixedanissuewithregularexpressionwhereusingtheverticalbarorpipecharacter(|)
causederrors.
74315 FixedanissuewherecommentsaddedtoanAggregateEthernet(AE)interfacewerenot
savedalongwiththeAEinterfaceconfigurationandtheCommentfielddisplayedasempty
afterclosingtheconfigurationwindow.
73692 UpdatedanerrormessagethatoriginallynotedthatanAntiviruscontentdownloadfailed
becauseanAntiviruscontentdownloadwasinprogress.Theerrormessageisupdatedto
correctlystatethatthefailedAntiviruscontentdownloadwasduetoaWildFirecontent
downloadbeinginprogress.
73631 FixedanissuewhereseveralNTPsyncerrorsweredisplayedfollowingafirewallsoftware
upgrade.

IssueID Description
73317 FixedanissuewheretheSystemlogdisplayedanIPv4addressforafirewallthatwas
connectedtoanActiveDirectory(AD)serverthroughamanagementportusinganIPv6
address.Forexample:ldap cfg <group_name> connected to server <IPv6 address>,
initiated by: <IPv4 address>.Withthisfix,theappropriateIPaddressandformatis
displayedfortheinitiatingdeviceevenwhenconnectedusinganIPv6address.
73158 Theportrangeyoucanusetodefineportsforcustomapplicationshasbeenupdatedtobe
fromport065535.Theupdatematchestheportsyoucandefineforapplicationoverride
policyrules(also065535).Previously,youcouldnotdefineport0forcustom
applications.
73064 WhenafirewallwasconfiguredasaDHCPclient,itfailedtoreneworreleasethe
DHCPassignedIPaddresswhenthefirewallinterfacewasthenconnectedtoanewDHCP
server.
73058 FixedanissuewheresourceanddestinationfieldsinSNMPtrapswerenotpopulatedfor
trafficusingIPv6addresses.WiththisfixandRev.BofthePANOS6.1EnterpriseSNMP
MIBmodules,newIPversionneutralfieldswereadded(InetAddressandInetAddressType
inplaceoftheIpAddressfield)tofullysupportIPv6addresses.(TheIpAddressfieldis
retainedforbackwardcompatibilitybutisdeprecated;administratorsareexpectedto
transitiontothenewfields.)
72933 FixedanissuewherePanoramaadministratorswereunabletoviewtheBotnetreport
optionwhenswitchedtothefirewallcontext.
72806 TheGlobalProtectprelogonconnectmethoddidnotworkwhenacertificateprofilewas
configuredtouseasubjectalternativename(SAN)andthematchingdevicecertificatedid
notcontaintheSAN.
72756 Fixedanintermittentissuewherearaceconditioncausedbymultipleprocesses
asynchronouslyattemptingtoretrievethelastsavedconfigurationfilecausedCaptive
PortalortheFQDNrefreshjobtofail.
72719 FixedanissuewheretheTunnelMonitorThresholdvaluedisplayedforaGlobalProtect
satellitewasincorrectlydisplayedasaunitoftime(seconds).TheTunnelMonitor
Thresholdactuallyspecifiesthenumberofheartbeatstowaitforbeforethefirewalltakes
specifiedaction,andisnolongerdisplayedinseconds.
72544 AsecurityrelatedfixwasmadetoaddressCVE20148730.Foradditionalinformation,
refertothePANSA20140224securityadvisoryonthePaloAltoNetworksSecurity
Advisorieswebsiteathttps://securityadvisories.paloaltonetworks.com.
72371 WhenacustomQoSprofilewasenabledonaninterface,theQoSstatisticsforthecustom
profilewereinsteaddisplayedasthedefaultQoSprofilestatistics.Thisissuehasbeen
resolvedsoQoSstatisticsaredisplayedcorrectlywiththecorrespondingQoSprofile(and
foreachclassintheprofile).
72153 FixedanissuewherethefirstSYNpacketinaTCPconnectionthatpassedthroughtwo
virtualsystemsdidnotreachthedestinationserver.Thisoccurredwhen:
ThefirstvirtualsystemwasconfiguredwithDNAT.
ThesecondvirtualsystemwasconfiguredwithSNAT.
Sessionswereallocatedondifferentdataplanes(DPs),withthefirstsessiononDP0.
72075 WhenthefirewallwasconfiguredtoaccessanLDAPserverthroughadatainterface,the
firewallcouldnotconnecttotheLDAPserverifitwasalsoconfiguredtoaccessthe
UserIDagentusingadifferentdatainterface.

IssueID Description
71860 Addressedanissuewhereconfigurationchangeswerenotreflectedintheconfiguration
logsafterimportingSSHkeys.
71682 FixedanissueonaPA5000Seriesdevicewhereaportthatwasinusewassometimes
reusedwhendynamicporttranslationwasenabledwithNATandsessionswereinitiated
ondifferentdataplanes.Withthisfix,ActiveFTPsessionssucceedwithaNATpolicysetup.
71340 Fixedanissuewherefirewalladministratorswereunabletocloneanyofthethree
predefinedcommoncriteriaadminroles;attemptingtodosoresultedinanerror.
71250 FixedanissuewheredecryptionpolicieswithadestinationaddressandaURLcategory
definedasmatchingcriteriacausedcommitfailures.
71049 MadeanupdatetoensurethattheCLIcommandrequest system shutdown canonlybe

executedbyuserswithsuperuseraccessprivileges.
70537 AddedanewdebugCLIcommand(debug dataplane internal pdt pci list)toprovide

adumpoftheperipheralcomponentinterconnect(PCI)whenattemptingtoidentifythe
rootcauseforthedata_plane_X: Startup Script Failureerror.
70431 FixedanissuewhereacustomURLcategorywiththenameanycausedunexpected
results.Withthisfix,thenameanyisnolongerallowedwhencreatingacustomURL
category(Objects > Custom Objects > URL Category).
70335 FixedanissuewhereaccessroutesfromtheGlobalProtectgatewaycouldnotbeinstalled
onasatellitewhenthetunnelmonitorwasenabledforaLargeScaleVPN(LSVPN)andthe
tunnelmonitorwasinwait recovermode.
69961 FixedanissuewherePanoramaandafirewallrunningthesamereleaseversion,didnot
displaythesamedropdownselectionstoaddasmatchingcriteriatoasecuritypolicyrule.
Now,ifPanoramaandafirewallarerunningthesamereleaseversion,thesameobjectsare
displayedandcanbeaddedtoasecuritypolicyrule,regardlessofwhethertheruleisbeing
definedonPanoramaorafirewall.
69752 Fixedanissuewherethewebinterfacedidnotdisplayconcurrentlyloggedin
administratorsifthoseadministratorshadnotlocallyauthenticatedtothefirewall.
69685 UpdatesweremadetoexistingRussiantimezonesandnewRussiantimezoneswereadded
totheavailablelistofglobaltimezonesforadevice,toaccommodatethe2014changesto
Russiantimezones.
69419 Fixedanissuethatwasseenwithpredictsessionswhentraffictraversedafirewallinvirtual
wiremodetwice.
68508 FixedanissuewheretheDHCPserversentDHCPleaseoffersonthewronginterfaceafter
ahighavailability(HA)failoverduetointerfaceIDsbeingoutofsyncontheHApeers.
68484 IfthePanoramasettingtoShare Unused Address and Service Objects with Deviceswas

enabled,committingchangestoadevicegroupdidnotcorrectlypushobjectstomanaged
firewalls.
68178 WhenconfiguringathreatexceptionforanAntiSpywareorVulnerabilityProtection
profile,addinganIPaddressexemptiontotheexceptiondidnotworkiftheinputincluded
asubnet(forexample,XXX.XXX.XXX.XXX/32).OnlyIPaddressexemptionsenteredwithout
asubnetwereacceptedbythefirewall.ThisissueisfixedsothatyoucanaddanIPaddress
withasubnetasanexemptionwithinathreatexception(Objects > Vulnerability
Protect/Anti-Spyware > Exceptions).

IssueID Description
67713 Anadministratorwasallowedtodowngradethecontentversion(ApplicationsandThreats)
onthefirewalltoaversionthatwasnotsupportedwiththePANOSsoftwarerelease
versionrunningonthefirewall.Forexample,ifthefirewallwasrunningPANOS7.0and
theminimumcontentversionwas497,theadministratorwasincorrectlyableto
downgradetoaversionpriorto497.
66681 Resolvedadataplanerestartissueduetoraceconditions.
65959 AddedanenhancementtodisplaypredefinedURLcategoriesinadditiontocustom
URLcategoriesintheAllowCategoriescolumnforURLFilteringprofilerules(Objects >
Security Profiles > URL Filtering).
63652 FixedanissuewheresomefilesforwardedtoWildFirewerenotuploadedsuccessfullydue
toaCANCEL_OFFSET_NO_MATCHerror.Withthisfix,theoffset(causedbyabufferoverload)
isnolongeranissue.
63524 FixedanissuethatoccurredwhenperformingatemplatecommittoaPA200firewallon
Panorama.Theoperationfailedifyouchangedthevsys1displaynameonthefirewallusing
theset display-name <name>CLIcommand.
62276 FixedanissuewheretheApplicationCommandCenter(ACC)failedtoloadanywidgetsand
displayedthefollowingerror:The selected filters cannot be applied to any of
the acc reports.ThisissueoccurredwhennavigatingfromMonitor > Reports > HTTP
ApplicationstotheACC.
61259 RemovedwhitespaceprecedingaresponsethatwasdisplayedwhenusingtheXMLAPIto
submitafileforWildFireanalysis.

GettingHelp
Thefollowingtopicsprovideinformationonwheretofindmoreaboutourproductsandhowtorequest
support:
RelatedDocumentation
RequestingSupport
RelatedDocumentation
RefertothefollowingdocumentsontheTechnicalDocumentationportalat
https://www.paloaltonetworks.com/documentationformoreinformationonourproducts:
NewFeaturesGuideDetailedinformationonconfiguringthefeaturesintroducedinthisrelease.
PANOSAdministrator'sGuideProvidestheconceptsandsolutionstogetthemostoutofyourPalo
AltoNetworksnextgenerationfirewalls.Thisincludestakingyouthroughtheinitialconfigurationand
basicsetuponyourPaloAltoNetworksfirewalls.
PanoramaAdministrator'sGuideProvidesthebasicframeworktoquicklysetupthePanoramavirtual
applianceoranMSeriesapplianceforcentralizedadministrationofthePaloAltoNetworksfirewalls.
WildFireAdministrator'sGuideProvidesstepstosetupaPaloAltoNetworksfirewalltoforward
samplesforWildFireAnalysis,todeploytheWF500appliancetohostaWildFireprivateorhybrid
cloud,andtomonitorWildFireactivity.
VMSeriesDeploymentGuideProvidesdetailsondeployingandlicensingtheVMSeriesfirewallonall
supportedhypervisors.Itincludesexampleofsupportedtopologiesoneachhypervisor.
GlobalProtectAdministrator'sGuideTakesyouthroughtheconfigurationandmaintenanceofyour
GlobalProtectinfrastructure.
OnlineHelpSystemDetailed,contextsensitivehelpsystemintegratedwiththefirewallwebinterface.
CompatibilityMatrixDetailedreferencetodeterminesupportforPaloAltoNetworksfirewalls,
appliances,agents,andOSreleases.
OpenSourceSoftware(OSS)ListingsOSSlicensesusedwithPaloAltoNetworksproductsand
software:
PANOS7.0
Panorama7.0
WildFire7.0

GettingHelp
RequestingSupport
Forcontactingsupport,forinformationonsupportprograms,tomanageyouraccountordevices,ortoopen
asupportcase,refertohttps://www.paloaltonetworks.com/support/tabs/overview.html.
Toprovidefeedbackonthedocumentation,pleasewritetousat:documentation@paloaltonetworks.com.
ContactInformation
CorporateHeadquarters:
PaloAltoNetworks
4401GreatAmericaParkway
SantaClara,CA95054
www.paloaltonetworks.com/company/contactsupport
PaloAltoNetworks,Inc.
www.paloaltonetworks.com
20152017PaloAltoNetworks,Inc.PaloAltoNetworksisaregisteredtrademarkofPaloAltoNetworks.Alistof
ourtrademarkscanbefoundathttps://www.paloaltonetworks.com/company/trademarks.html.Allothermarks
mentionedhereinmaybetrademarksoftheirrespectivecompanies.
RevisionDate:April28,2017

PAN-OS Release Notes

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

PAN-OS Release Notes

Uploaded by

Copyright:

Available Formats

PANOS7.

PANOS7.0.1AddressedIssues ..................................... 105

All New Application TheACCisredesignedtoprovideimprovedvisibilityintonetworktrafficandactionable

Automated Correlation Thenewautomatedcorrelationengineisananalyticstoolthatdetectssecurityeventson

Global Find TomakethemanagementofyourPaloAltoNetworksdevicesmoreefficient,anewglobal

Tag Browser Thetagbrowserintroducesawaytoviewallthetagsusedwithinarulebase.Inrulebases

Configuration Validation TheoptiontovalidateaPANOSorPanoramacandidateconfigurationbeforeyoucommit

Move and Clone Youcannowmoveorclonepoliciesandobjectstoadifferentdevicegrouporvirtual

Extended SNMP Support ExtendedSNMPsupportincludes:

SaaS Application Usage AnewpredefinedreportisintroducedtoprovidevisibilityintoSoftwareasaService

Policy Impact Review for Beforeinstallinganewcontentrelease,youcannowreviewthepolicyimpactfornew

Security Profile and Thesecurityprofilecapacitiesandnumberofaddressobjectsperaddressgrouphavebeen

Virtual System/Device Youcannowvieworsearchlogsorcreateareportbasedonvirtualsystemnamesand

Time-Based Log and Youcannowconfigureautomaticdeletionoflogsandreportsbasedontimeinsteadof

Software Upload Devicesnowdisplaydetailsaboutuploadedsoftwareupdatesthatenableyoutocheck,

Device Group Hierarchy Youcannowcreatenesteddevicegroupsinatreehierarchywithlowerlevelgroups

Template Stacks Youcannowdefineatemplatestack,whichisacombinationoftemplates.Byassigning

Role-Based Access Youcannowassociateeachaccessdomainwithanadministratorroletoenforcethe

Firewall Configuration YoucannowimportfirewallconfigurationsintoPanoramainsteadofrecreatingthem.

Panorama Support for Panoramanowsupportsmuchlargerconfigurationfiles,whichenableyoutoaddmore

Log Redundancy Within YoucannowenablelogduplicationforaCollectorGroupsothateachlogwillhavetwo

Firewall HA State in ThePanoramawebinterfacenowdisplaysthehighavailabilitystateoffirewalls(for

Scheduled Updates for InPANOS7.0.3andlaterreleases,youcanscheduleAntivirus,WildFire,andURL

Grayware Verdict TheWildFiregraywareverdictisintroducedtoclearlyidentifyexecutablesthatbehave

WildFire Hybrid Cloud EnableaWildFirehybridclouddeploymentsothatasinglefirewallcanforwardunknown

WildFire Appliance TheWildFireappliancecannowlocallygenerateantivirussignaturesformaliciousJava

WildFire Appliance ThefirewallcannowextractHTTP/HTTPSlinkscontainedinSMTPandPOP3email

Configurable Drop TheVulnerabilityProtection,AntiSpyware,andAntivirusprofilesincludenewactionsto

Increased Inspection Thefirewallnowidentifiesandinspectsfilesthathavebeenencodedorcompressedupto

Blocking of Encoded Anewfiletypeclassification,MultiLevelEncoding,cannowbeusedtologorblock

Negate Operator for AnewNegateoperatorisnowavailablewhencreatingcustomvulnerabilityorspyware

PAN-DB Private Cloud IfthesecurityandcompliancerequirementsinyourenterpriseprohibitthePaloAlto

Authentication and Theworkflowtoconfigureauthenticationserversandprofilesisnowmoreintuitiveand

SSL/TLS Service Profiles YoucannowassignSSL/TLSserviceprofilestodeviceservicesthatuseSSL/TLS,including

Kerberos Single Sign-on DevicesnowsupportKerberosV5singlesignon(SSO)foradministratorauthentication

Suite B Cryptography YoucannowuseSuiteBcipherstoauthenticateadministrators,tosecuresitetosite

Authentication Server YoucannowtestanauthenticationprofiletodetermineifyourfirewallorPanorama

SSL Decryption WhenusingSSLdecryptiontoinspectandenforcesecurityrulesforconnections

User Attribution Based YoucannowconfigureUserIDtoreaduserIPaddressesfromtheXForwardedFor(XFF)

Custom Groups Based YoucannowdefinecustomgroupsbasedonLDAPfilterssothatyoucanbasefirewall

Support for High TheVMSeriesfirewallonESXi,Xen(onSDX),andKVMnowsupportsboth

Support for Jumbo TheVMSeriesfirewallcannowsupportjumboframes,whichareEthernetpacketslarger

Support for Hypervisor TheVMSeriesfirewallsupportstheabilitytodetecttheMACaddressassignedtothe

DHCP Options AfirewallconfiguredasaDHCPservercannowsendafullrangeofDHCPoptionsto

Granular Actions for Whenyouconfigurethefirewalltoblocktraffic,thefirewalleitherresetstheconnection

Session-Based DSCP DifferentiatedServicesCodePoint(DSCP)classificationisusedtoindicatethelevelof

QoS on Aggregate YoucannowenableQoSonAEinterfacesconfiguredonPA7000Series,PA5000Series,

Improved Performance IndeploymentswhereasingleVPNtunnelissetupbetweenaPaloAltoNetworksfirewall

Per-Virtual System ThesourceinterfaceandsourceIPaddressofserviceroutescannowbeconfiguredfor

TCP Split Handshake PaloAltoNetworksfirewallsbydefaultcorrectlysecureTCPsessions,whethertheyuse

Increased Address InprePANOS7.0releases,youcanresolveamaximumof10IPv4addressesand10IPv6

DoS Protection Against InPANOS7.0.2andlaterreleases,youcanconfigureDoSprotectiontobetterblockIP

IKEv2 Support for VPN SitetositeIPSecVPNisenhancedtosupportinternetKeyExchangeVersion2(IKEv2),

IPv6 IPSec VPN Support SitetositeIPSecVPNnowsupportsIPv6sitetositeconnections,whichallowsyouto

IPSec VPN Youcannowusethewebinterfacetoenable,disable,restart,orrefreshanIKEgateway

Disable Direct Access to Youcannowdisabledirectaccesstolocalnetworkssothatuserscannotsendtrafficto

Static IP Address AnenhancementtotheIPaddressallocationlogicenablestheGlobalProtectgatewayto

Apply a Gateway Youcannowspecifyoneormoreusersorusergroupsand/orclientoperatingsystemsto

Welcome Page TheGlobalProtectclientconfigurationnowincludesasettingtoforcetheWelcomePage

Remote Desktop TheGlobalProtectVPNtunnelfunctionalityhasbeenenhancedtoallowusers,suchasIT

Simplified GlobalProtect YoucannowuseGlobalProtecttoprovideasecure,remoteaccessorvirtualprivate

Self-Service License & ThefirewallandPanoramanowprovidethecapabilitytounassignordeactivatetheactive

Support for TheVMSeriesfirewallinAWSnowsupportstheusagebasedpricingmodel,inaddition

Term-Based Capacity AtermbasedlicenseisalicensethatallowsyoutousetheVMSeriesfirewallfora