Professional Documents
Culture Documents
0ReleaseNotes
Release7.0.15
RevisionDate:April28,2017
ReviewimportantinformationaboutPaloAltoNetworksPANOS7.0software,includingnewfeatures
introduced,workaroundsforopenissues,andissuesthatareaddressedinthePANOS7.0release.For
installation,upgrade,anddowngradeinstructions,refertothePANOS7.0NewFeaturesGuide.Forthe
latestversionofthesereleasenotes,refertothePaloAltoNetworkstechnicaldocumentationportal.
ThePanoramacertificateusedtoauthenticatePanoramatofirewallcommunicationexpiresonJune16,2017.
ReviewthemostcurrentinformationabouthowtomakesureyoucancontinueusingPanoramatomanage
firewallsandtoaggregatefirewalllogsonLogCollectorsafterJune16,2017:
https://live.paloaltonetworks.com/t5/GeneralTopics/PanoramaCertificateExpirationonJune162017/mp
/150948/threadid/50050.(Physicalandvirtualfirewalls,WF500appliances,andM500appliancesrunningin
PANDBmodedonotrequireanyaction.)
PANOS7.0ReleaseInformation ....................................... 3
FeaturesIntroducedinPANOS7.0 .................................................. 4
ManagementFeatures .......................................................... 5
PanoramaFeatures ............................................................. 7
WildFireFeatures............................................................... 8
ContentInspectionFeatures....................................................10
AuthenticationFeatures ........................................................11
DecryptionFeatures ...........................................................12
UserIDFeatures..............................................................12
VirtualizationFeatures .........................................................12
NetworkingFeatures...........................................................13
PolicyFeatures ................................................................15
VPNFeatures.................................................................15
GlobalProtectFeatures .........................................................16
LicensingFeatures .............................................................17
ChangestoDefaultBehavior .......................................................18
AuthenticationChanges........................................................18
GlobalProtectChanges.........................................................19
ManagementChanges..........................................................19
PanoramaChanges ............................................................20
ThreatPreventionChanges.....................................................20
WildFireChanges ..............................................................21
CLIChangesinPANOS7.0 ........................................................22
XMLAPIChangesinPANOS7.0 ...................................................25
AssociatedSoftwareVersions.......................................................26
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 1
TableofContents
KnownIssues ..................................................................... 27
PANOS7.0.15AddressedIssues......................................39
PANOS7.0.14AddressedIssues......................................41
PANOS7.0.13AddressedIssues......................................43
PANOS7.0.12AddressedIssues......................................45
PANOS7.0.11AddressedIssues......................................49
PANOS7.0.10AddressedIssues......................................53
PANOS7.0.9AddressedIssues .......................................57
PANOS7.0.8AddressedIssues .......................................63
PANOS7.0.7AddressedIssues .......................................67
PANOS7.0.6AddressedIssues .......................................71
PANOS7.0.5h2AddressedIssues....................................75
PANOS7.0.5AddressedIssues .......................................77
PANOS7.0.4AddressedIssues .......................................83
PANOS7.0.3AddressedIssues .......................................89
PANOS7.0.2AddressedIssues .......................................97
GettingHelp....................................................... 115
RelatedDocumentation........................................................115
RequestingSupport ...........................................................116
2 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0ReleaseInformation
FeaturesIntroducedinPANOS7.0
ChangestoDefaultBehavior
CLIChangesinPANOS7.0
XMLAPIChangesinPANOS7.0
AssociatedSoftwareVersions
ThePanoramacertificateusedtoauthenticatePanoramatofirewallcommunicationexpiresonJune16,2017.
ReviewthemostcurrentinformationabouthowtomakesureyoucancontinueusingPanoramatomanage
firewallsandtoaggregatefirewalllogsonLogCollectorsafterJune16,2017:
https://live.paloaltonetworks.com/t5/GeneralTopics/PanoramaCertificateExpirationonJune162017/mp
/150948/threadid/50050.(Physicalandvirtualfirewalls,WF500appliances,andM500appliancesrunningin
PANDBmodedonotrequireanyaction.)
KnownIssues
PANOS7.0.15AddressedIssues
PANOS7.0.14AddressedIssues
PANOS7.0.13AddressedIssues
PANOS7.0.12AddressedIssues
PANOS7.0.11AddressedIssues
PANOS7.0.10AddressedIssues
PANOS7.0.9AddressedIssues
PANOS7.0.8AddressedIssues
PANOS7.0.7AddressedIssues
PANOS7.0.6AddressedIssues
PANOS7.0.5h2AddressedIssues
PANOS7.0.5AddressedIssues
PANOS7.0.4AddressedIssues
PANOS7.0.3AddressedIssues
PANOS7.0.2AddressedIssues
PANOS7.0.1AddressedIssues
GettingHelp
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 3
FeaturesIntroducedinPANOS7.0 PANOS7.0ReleaseInformation
FeaturesIntroducedinPANOS7.0
ThefollowingtopicsdescribethenewfeaturesintroducedinPANOS7.0releases,whichrequirecontent
releaseversion497oralaterversion.Forupgradeanddowngradeconsiderationsandforspecific
informationabouttheupgradepathforafirewall,refertotheUpgradesectionofthePANOS7.0New
FeaturesGuide.Thenewfeaturesguidealsoprovidesadditionalinformationabouthowtousethenew
featuresinthisrelease.
ManagementFeatures
PanoramaFeatures
WildFireFeatures
ContentInspectionFeatures
AuthenticationFeatures
DecryptionFeatures
UserIDFeatures
VirtualizationFeatures
NetworkingFeatures
PolicyFeatures
VPNFeatures
GlobalProtectFeatures
LicensingFeatures
4 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0ReleaseInformation FeaturesIntroducedinPANOS7.0
ManagementFeatures
NewManagement Description
Feature
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 5
FeaturesIntroducedinPANOS7.0 PANOS7.0ReleaseInformation
NewManagement Description
Feature
6 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0ReleaseInformation FeaturesIntroducedinPANOS7.0
NewManagement Description
Feature
PanoramaFeatures
NewPanoramaFeature Description
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 7
FeaturesIntroducedinPANOS7.0 PANOS7.0ReleaseInformation
NewPanoramaFeature Description
WildFireFeatures
NewWildFireFeatures Description
8 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0ReleaseInformation FeaturesIntroducedinPANOS7.0
NewWildFireFeatures Description
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 9
FeaturesIntroducedinPANOS7.0 PANOS7.0ReleaseInformation
ContentInspectionFeatures
NewContentInspection Description
Features
10 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0ReleaseInformation FeaturesIntroducedinPANOS7.0
AuthenticationFeatures
NewAuthentication Description
Features
TACACS+ DevicesnowsupporttheTerminalAccessControllerAccessControlSystemPlus
Authentication (TACACS+)protocolforauthenticatingadministrativeusers.TACACS+providesgreater
securitythanRADIUSinsofarasitencryptsusernamesandpasswords(insteadofjust
passwords)andisalsomorereliable(usesTCPinsteadofUDP).
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 11
FeaturesIntroducedinPANOS7.0 PANOS7.0ReleaseInformation
DecryptionFeatures
NewDecryptionFeatures Description
UserIDFeatures
NewUserIDFeature Description
VirtualizationFeatures
NewVirtualization Description
Feature
12 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0ReleaseInformation FeaturesIntroducedinPANOS7.0
NewVirtualization Description
Feature
ForlicensingfeaturesontheVMSeriesfirewall,seeLicensingFeatures.
NetworkingFeatures
NewNetworkingFeature Description
ECMP ThefirewallnowsupportsEqualCostMultipath(ECMP).EnableECMPfortheforwarding
tabletohaveuptofourequalcostpathstoasingledestination,whichallowsyoutoload
balancetraffic,usemoreoftheavailablebandwidth,andhavetrafficdynamicallyshiftto
anotherECMPmemberifonepathfails.Youcanchooseoneofseveralloadbalancing
algorithmstodeterminewhichequalcostpathavirtualrouterusesforanewsessionto
thedestination.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 13
FeaturesIntroducedinPANOS7.0 PANOS7.0ReleaseInformation
NewNetworkingFeature Description
LLDP YoucannowconfigureLinkLayerDiscoveryProtocol(LLDP)toenablethefirewallto
automaticallydiscoverneighboringdevicesandtheircapabilitiesatthelinklayer.LLDP
allowsthefirewalltosendandreceiveEthernetframescontainingLLDPdataunitstoand
fromneighbors.ThereceivingdevicestorestheinformationinaMIB,whichcanbe
accessedbySNMP.LLDPenablesnetworkdevicestolearnthecapabilitiesofthe
connecteddevicesandcanbeusedtomapnetworktopology.Thismakestroubleshooting
easier,especiallyforvirtualwiredeploymentswherethefirewallwouldtypicallygo
undetectedbyapingortraceroute.
NPTv6 YoucannowenableIPv6toIPv6NetworkPrefixTranslation(NPTv6)onthefirewallto
performastateless,statictranslationofoneIPv6prefixtoanotherIPv6prefix(port
numbersarenotchanged).OnebenefitofNPTv6isthepreventionofasymmetrical
routingproblemsthatresultfromproviderindependentaddressesbeingadvertisedfrom
multipledatacenters.NPTv6allowsmorespecificroutestobeadvertisedsothatreturn
trafficarrivesatthesamefirewallthattransmittedthetraffic.Anotherbenefitisthe
independenceofprivateandpublicaddresses;youcanchangeonewithoutaffectingthe
other.AthirdbenefitofNPTv6istheabilitytotranslateuniquelocaladdresses(ULAs)to
globallyroutableaddresses.
14 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0ReleaseInformation FeaturesIntroducedinPANOS7.0
NewNetworkingFeature Description
PolicyFeatures
NewPolicyFeature Description
VPNFeatures
NewVPNFeature Description
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 15
FeaturesIntroducedinPANOS7.0 PANOS7.0ReleaseInformation
GlobalProtectFeatures
ForinformationaboutnewauthenticationfeaturessupportedonGlobalProtect(SuiteB
cryptographyandSSL/TLSserviceprofiles),seeAuthenticationFeatures.
NewGlobalProtect Description
Feature
16 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0ReleaseInformation FeaturesIntroducedinPANOS7.0
NewGlobalProtect Description
Feature
LicensingFeatures
NewLicensingFeature Description
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 17
ChangestoDefaultBehavior PANOS7.0ReleaseInformation
ChangestoDefaultBehavior
ThefollowingarechangestodefaultbehaviorinPANOS7.0:
YoucanalsoseeCLIChangesinPANOS7.0andXMLAPIChangesinPANOS7.0.
AuthenticationChanges
GlobalProtectChanges
ManagementChanges
PanoramaChanges
ThreatPreventionChanges
WildFireChanges
AuthenticationChanges
PANOS7.0hasthefollowingchangesindefaultbehaviorforauthenticationfeatures:
Feature Change
18 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0ReleaseInformation ChangestoDefaultBehavior
GlobalProtectChanges
PANOS7.0hasthefollowingchangesindefaultbehaviorforGlobalProtectfeatures:
Feature Change
ManagementChanges
PANOS7.0hasthefollowingchangesindefaultbehaviorformanagementfeatures:
Feature Change
Tags ThemaximumnumberoftagsthatthefirewallandPanoramasupportisnow
increasedfrom2,500to10,000.Thislimitisenforcedacrossthefirewall/Panorama
andisnotallocatedbyvirtualsystemordevicegroup.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 19
ChangestoDefaultBehavior PANOS7.0ReleaseInformation
Feature Change
PanoramaChanges
PANOS7.0hasthefollowingchangesindefaultbehaviorforPanoramafeatures:
Feature Change
ThreatPreventionChanges
PANOS7.0hasthefollowingchangesindefaultbehaviorforthreatpreventionfeatures:
Feature Change
20 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0ReleaseInformation ChangestoDefaultBehavior
WildFireChanges
PANOS7.0hasthefollowingchangesindefaultbehaviorforWildFirefeatures:
Feature Change
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 21
CLIChangesinPANOS7.0 PANOS7.0ReleaseInformation
CLIChangesinPANOS7.0
ThefollowingtablelistsCLIcommandsthatchangedbetweenPANOS6.1(orangetext)andPANOS7.0
(greentext).Thechangesincludecommandoptionsthataredeprecatedorhavenewnames,values,or
commandpathsinPANOS7.0.
PANOS6.1Commands PANOS7.0Commands
ConfigurationModeCommands
commit validate validate [full | partial]
set deviceconfig setting wildfire cloud-server set deviceconfig setting wildfire [public-cloud-server
| private-cloud-server]
set network ike crypto-profiles ike-crypto-profiles set network ike crypto-profiles ike-crypto-profiles
<name> lifetime days <value: 1-65535> <name> lifetime days <value: 1-365>
set network ike crypto-profiles ipsec-crypto-profiles set network ike crypto-profiles ipsec-crypto-profiles
<name> lifetime days <value: 1-65535> <name> lifetime days <value: 1-365>
set network tunnel global-protect-gateway <name> set vsys <name> global-protect global-protect-gateway
client ip-pool <name> remote-user-tunnel-configs <name> ip-pool
set network tunnel global-protect-gateway <name> set vsys <name> global-protect global-protect-gateway
client split-tunneling <name> remote-user-tunnel-configs <name>
split-tunneling
set network dhcp interface <name> server option set network dhcp interface <name> server option
ippool-subnet subnet-mask
set [shared | vsys <name>] profiles virus <name> set [shared | vsys <name>] profiles virus <name>
decoder <name> [action | wildfire-action] [block] decoder <name> [action | wildfire-action] [reset-both]
set [shared | vsys <name>] profiles virus <name> set [shared | vsys <name>] profiles virus <name>
application <name> action [block] application <name> action [reset-both]
set [shared | vsys <name>] profiles [spyware | set [shared | vsys <name>] profiles [spyware |
vulnerability] <name> rules action action [block] vulnerability] <name> rules action action [reset-both]
set [shared | vsys <name>] profiles file-blocking The forward and continue-and-forward optionsare
<name> rules <name> action [forward |
continue-and-forward] deprecated.ToforwardfilestoWildFire,youmustnow
configureaWildFireAnalysisprofile:
set profiles wildfire-analysis <name>
set reports <name> type url sortby user_agent The user_agent optionisdeprecated.
set reports <name> type wildfire sortby filetype The filetype optionisdeprecated.
set application-group <name> [<value1> | <value2> | ] set application-group <name> members [<value1> |
<value2> | ]
set scheduled <name> [non-recurring | recurring] set scheduled <name> schedule-type [non-recurring |
recurring]
set threats [spyware | vulnerability] <threat-id> set threats [spyware | vulnerability] <threat-id>
default-action drop-packets default-action drop
22 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0ReleaseInformation CLIChangesinPANOS7.0
PANOS6.1Commands PANOS7.0Commands
set [shared | vsys <name>] server-profile radius <name> set [shared | vsys <name>] authentication-profile
checkgroup <name> method radius checkgroup
set [shared | vsys <name>] server-profile radius <name> set [shared | vsys <name>] server-profile radius <name>
timeout <value: 1-30> timeout <value: 1-120>
set [shared | vsys <name>] server-profile radius <name> set [shared | vsys <name>] server-profile radius <name>
server <name> port <value: 0-65535> server <name> port <value: 1-65535>
set [shared | vsys <name>] server-profile kerberos set [shared | vsys <name>] authentication-profile
<name> domain <name> user-domain
set [shared | vsys <name>] server-profile kerberos set [shared | vsys <name>] authentication-profile
<name> realm <name> method kerberos realm
set [shared | vsys <name>] server-profile kerberos set [shared | vsys <name>] server-profile kerberos
<name> server <name> port 0-65535 <name> server <name> port 1-65535
set [vsys <name>] global-protect global-protect-portal set [vsys <name>] global-protect global-protect-portal
<name> portal-config server-certificate <name> portal-config ssl-tls-service-profile
OperationalModeCommands
clear session id <value> <value: 1-2147483648> clear session id <value> <value: 1-4294967295>
show session id <value> <value: 1-2147483648> show session id <value> <value: 1-4294967295>
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 23
CLIChangesinPANOS7.0 PANOS7.0ReleaseInformation
PANOS6.1Commands PANOS7.0Commands
show user ip-user-mapping all type [NTLM | SSL/VPN] The SSL/VPN and NTLM optionsaredeprecated.Thenew
SSO (singlesignon)optionisforbothNTLMandKerberos
SSO:
show user ip-user-mapping all type SSO
show user ip-user-mapping all option [count | detail] The SSL/VPN and NTLM optionsaredeprecated.Thenew
type [NTLM | SSL/VPN]
SSO (singlesignon)optionisforbothNTLMandKerberos
SSO:
show user ip-user-mapping all option [count | detail]
type SSO
show user ip-user-mapping-mp all option [count | The SSL/VPN and NTLM optionsaredeprecated.Thenew
detail] no-group-only [no | yes] type [NTLM | SSL/VPN]
SSO (singlesignon)optionisforbothNTLMandKerberos
SSO:
show user ip-user-mapping-mp all option [count |
detail] no-group-only [no | yes] type SSO
show log [threat | url | data] action [equal | show log [threat | url | data] action [equal |
not-equal] drop-all-packets not-equal] drop-all
debug software restart <process> debug software restart [core | process] <process>
24 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0ReleaseInformation XMLAPIChangesinPANOS7.0
XMLAPIChangesinPANOS7.0
ThePANOS7.0XMLAPIhasthefollowingchanges:
Feature Change
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 25
AssociatedSoftwareVersions PANOS7.0ReleaseInformation
AssociatedSoftwareVersions
ThefollowingminimumsoftwareversionsaresupportedwithPANOS7.0.Toseealistofthenextgen
firewallmodelsthatsupportPANOS7.0,seethePaloAltoNetworksCompatibilityMatrix.
PaloAltoNetworksSoftware MinimumSupportedVersionwithPANOS7.0
Panorama 7.0.1
NetConnect NotsupportedwithPANOS7.0
26 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0ReleaseInformation KnownIssues
KnownIssues
ThefollowinglistdescribesWildFireKnownIssues,GlobalProtectKnownIssues,andFirewallandPanorama
KnownIssuesinthePANOS7.0release:
StartingwithPANOS7.0.11,thesereleasenotesidentifyallunresolvedknownissuesusingnewissueIDs
thatincludeaproductspecificprefix.KnownissuesforearlierreleasesuseboththeirnewissueIDsandtheir
originalissueIDs(inparentheses).
ForrecentupdatestoknownissuesforagivenPANOSrelease,referto
https://live.paloaltonetworks.com/t5/Articles/CriticalIssuesAddressedinPANOSReleases/tap/52882.
IssueID Description
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 27
KnownIssues PANOS7.0ReleaseInformation
IssueID Description
PAN-76162 Panorama8.0failstoqueryPA7000SeriesfirewallsrunningaPANOS7.0release.
Donotusethedebug skip-condor-reports nocommandtoworkaroundthis
issueifyouusePanorama8.0tomanageaPA7000Seriesfirewallthatisrunning
aPANOS7.0release(knownissuePAN77237).
PAN-75881 EstablishingaTCPsession,theninstallingacontentupdate,andtheninstallingan
AntivirusorWildFireupdatecausesthefirewalltodiscard,usewrongcontent,orfailto
inspectandperformNATforthesession.
PAN-67072 InPANOS6.1and7.0,thefirewallappliesthewrongsecuritypolicyifauserattemptsto
downloadablockedfilebyselectingResumeintheblockedpagedialogpresentedbythe
browser,allowingtheusertodownloadtheblockedfile.Thisissueoccurswhenasecurity
policythatblocksdownloadshasalowerprioritythanasecuritypolicythatappliesan
actionsuchasURLfiltering(butdoesnotblockdownloads)onthesametraffic.Thisissue
isresolvedinPANOS7.1andlaterreleases.
Workaround:Changetheorderofthesecuritypoliciessothatthedownloadblocking
policyhasahigherprioritythantheURLfilteringpolicy.
PAN-61724 (101293) TheNetwork Monitorreport(Monitor > App Scope > Network Monitor)displaysonly
partialdatawhenyouselectSourceorDestinationforadatasetthatincludesalarge
numberofsourceordestinationIPaddressesandusernames.However,thereportdoes
displayalldataasexpectedwhenyouinsteadselectApplicationorApplication Category
foralargedataset.
28 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0ReleaseInformation KnownIssues
IssueID Description
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 29
KnownIssues PANOS7.0ReleaseInformation
IssueID Description
30 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0ReleaseInformation KnownIssues
IssueID Description
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 31
KnownIssues PANOS7.0ReleaseInformation
IssueID Description
32 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0ReleaseInformation KnownIssues
IssueID Description
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 33
KnownIssues PANOS7.0ReleaseInformation
IssueID Description
IfthepasswordfortheadministratorsaccountontheNSXManagercontainsspecial
PAN-42058 (70222) characters(suchas$),PanoramacannotcommunicatewiththeNSXManager.The
inabilitytocommunicatepreventscontextbasedinformation,suchasDynamicAddress
Groups,frombeingavailabletoPanorama.
Workaround:RemovespecialcharactersfromthepasswordontheNSXManager.
34 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0ReleaseInformation KnownIssues
IssueID Description
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 35
KnownIssues PANOS7.0ReleaseInformation
IssueID Description
36 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0ReleaseInformation KnownIssues
IssueID Description
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 37
KnownIssues PANOS7.0ReleaseInformation
38 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.15AddressedIssues
ThefollowingtablelistsissuesthatareaddressedinthePANOS7.0.15release.Foranoverviewofnew
featuresintroducedinPANOS7.0andotherreleaseinformation,includingthelistofknownissues,see
PANOS7.0ReleaseInformation.Beforeyouupgradeordowngradetothisrelease,reviewinformation
abouthowtoUpgradetoPANOS7.0.
StartingwithPANOS7.0.11,allunresolvedknownissuesandanynewlyaddressedissuesintheserelease
notesareidentifiedusingnewissueIDnumbersthatincludeaproductspecificprefix.Issuesaddressedin
earlierreleasesandanyassociatedknownissuedescriptionscontinuetousetheiroriginalissueID.
IssueID Description
PAN-74188 Fixedanissuewhereconflictingnexthopentriesintheegressroutingtablecaused
thefirewalltoincorrectlyroutetrafficthatmatchedPolicyBasedForwarding(PBF)
policyrulesconfiguredtoEnforce Symmetric Return.
PAN-73914 AsecurityrelatedfixwasmadetoaddressOpenSSLvulnerabilities
(CVE20173731).
PAN-73045 FixedanissuewhereHAfailoverandfailbackeventsterminatedsessionsthat
startedbeforethefailover.
PAN-72769 AsecurityrelatedfixwasmadetopreventbruteforceattacksontheGlobalProtect
externalinterface(CVE20177945).
PAN-70674 Asecurityrelatedfixwasmadetopreventcrosssitescripting(XSS)attacksthrough
theGlobalProtectexternalinterface(CVE20177409).
PAN-70541 Asecurityrelatedfixwasmadetoaddressaninformationdisclosureissuethatwas
causedbyafirewallthatdidnotproperlyvalidatecertainpermissionswhen
administratorsaccessedthewebinterfaceoverthemanagement(MGT)interface
(CVE20177644).
PAN-69801 FixedanissuewherefirewallsthathadanHAactive/activeconfigurationandwhere
theprimarypeerwasinatentativeHAstatedidnotsynchronizesessionupdate
messagesbetweenthepeers,whichresultedindroppedsessionpacketsaftera
sessionagedout(within30seconds).
PAN-62015 FixedanissueonPA7000Seriesfirewallswhere,whencreatingthekeyforaGRE
packet,thefirewalldidnotusethesamedefaultvaluesforthesourceanddestination
portsinthehardwareandsoftware,whichslowedthefirewallperformance.
PAN-60376 Fixedanissuewheretheauthenticationprocess(authd)stoppedrespondingand
causedthefirewalltorebootafterthefirewallreceivedastaleresponsetoan
authenticationrequestbeforeselectingCHAPorPAPastheprotocolfor
authenticatingtoaRADIUSserver.
PAN-58589 Fixedanissuewherethedataplanerestartedwhenanoutofmemorycondition
occurredonaprocess(pan_comm).
PAN-57520 FixedanissuewherefirewallsstoppedconnectingtoPanoramawhentherootCA
servercertificateonPanoramaexpired.Withthisfix,Panoramareplacestheoriginal
certificatewithanewcertificatethatexpiresin2024.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 39
PANOS7.0.15AddressedIssues
IssueID Description
PAN-53116 FixedanissueonfirewallswithLACPenabledwhereacommitorLACPflapping
causedamemoryleakinthedataplane.
FPGA-232 FixedanissueonPA5000SeriesfirewallswherepacketsbecamestuckintheFPGA,
whichresultedinpacketlossand,onHAfirewallswithpathmonitoringconfigured,
triggeredafailover.
40 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.14AddressedIssues
ThefollowingtableliststheissuesthatareaddressedinthePANOS7.0.14release.Foranoverviewof
newfeaturesintroducedinPANOS7.0andotherreleaseinformation,includingthelistofknownissues,see
PANOS7.0ReleaseInformation.Beforeyouupgradeordowngradetothisrelease,reviewtheinformation
inUpgradetoPANOS7.0.
StartingwithPANOS7.0.11,allunresolvedknownissuesandanynewlyaddressedissuesintheserelease
notesareidentifiedusingnewissueIDnumbersthatincludeaproductspecificprefix.Issuesaddressedin
earlierreleasesandanyassociatedknownissuedescriptionscontinuetousetheiroriginalissueID.
IssueID Description
PAN-71892 FixedanissuewhereanLDAPprofiledidnotusetheconfiguredport;theprofileused
thedefaultport,instead.
PAN-71073 FixedanissuewhereacommitassociatedwithadynamicupdatecausedanHA
failoverwhenthepathmonitoringtargetIPaddressagedoutorwhenthefirst
pathmonitoringhealthcheckfailed.
PAN-68431 FixedanissuewherefirewallsandPanoramafailedtosendSNMPv3trapsifyou
configuredtheserviceroutetoforwardthetrapsoveradataplaneinterface.
PAN-68074 AsecurityrelatedfixwasmadetoaddressCVE20165195(PANSA20170003).
PAN-67090 Fixedanissuewherethewebinterfacedisplayedanobsoleteflagforthenationof
Myanmar.
PAN-62319 FixedanissuewheremulticastentrieswerepointingtothewrongIPaddressfora
rendezvouspoint(RP)becausearecycledinterfaceIDallocatedforPIMregister
encapsulationretainedanoldtunnelinterfacethatpointedtothewrongRP.
PAN-59654 FixedanissuewherecommitsfailedonthefirewallafterupgradingfromaPANOS
6.1releaseduetoincorrectsettingsfortheHexaTechVPNapplicationonthe
firewall.Withthisfix,upgradingfromaPANOS6.1releasetoaPANOS7.0.14or
laterreleasedoesnotcausecommitfailuresrelatedtothesesettings.
PAN-58496 Fixedanissuewherecustomreportsusingthreatsummarywerenotpopulated.
PAN-56684 FixedanissuewhereDNSproxystaticentriesstoppedworkingwhentherewere
duplicateentriesintheconfiguration.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 41
PANOS7.0.14AddressedIssues
42 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.13AddressedIssues
ThefollowingtableliststheissuesthatareaddressedinthePANOS7.0.13release.Foranoverviewof
newfeaturesintroducedinPANOS7.0andotherreleaseinformation,includingthelistofknownissues,see
PANOS7.0ReleaseInformation.Beforeyouupgradeordowngradetothisrelease,reviewtheinformation
inUpgradetoPANOS7.0.
StartingwithPANOS7.0.11,allunresolvedknownissuesandanynewlyaddressedissuesintheserelease
notesareidentifiedusingnewissueIDnumbersthatincludeaproductspecificprefix.Issuesaddressedin
earlierreleasesandanyassociatedknownissuedescriptionscontinuetousetheiroriginalissueID.
IssueID Description
PAN-72616 FixedanissueonPA7000Seriesfirewallswheresessionsweredroppedwiththe
flow_bind_pending_fullmessagewhenusingEthernetIP(etherip)protocol97,
whichresultedinunstableconnectionsanddelayedresponses.
PAN-70428 Asecurityrelatedfixwasmadetopreventinappropriateinformationdisclosureto
authenticatedusers(CVE20175583/PANSA20170005).
PAN-70312 Fixedanissuewhereattemptstodownloadthreatpacketcaptures(pcaps)fromthe
threatlogsfailedwiththeerrorFile not found,duetoamissingTimeGenerated
column.
PAN-68072 FixedanissueonVMSeriesfirewallswhererebootingorconfiguringanewL3
interfacecausedtheIPrangeconfiguredonadisabledinterfacetobeincorrectly
installedintheFIBandroutingtableifyoudisabledtheinterfacefromthevSwitch.
PAN-68062 Fixedanissuewherethefirewallfailedtoapplythecorrectactionifthevulnerability
profilehadaverylonglistofCVEs.Withthisfix,thefirewallisabletosupportupto
64CVEspervulnerabilityrule.IfthenumberofCVEsintheruleismorethan64,the
firewallprovidesawarningonconfigurationcommit.
PAN-67944 Fixedanissuewhereaprocess(all_pktproc)stoppedrespondingbecausearace
conditionoccurredwhenclosingsessions.
PAN-66838 AsecurityrelatedfixwasmadetoaddressaCrossSiteScripting(XSS)vulnerability
onthemanagementwebinterface(CVE20175584/PANSA20170004).
PAN-64638 FixedanissuewherethefirewallfailedtosendaRADIUSaccessrequestafter
changingthemanagementinterfacesIPaddress.
PAN-63204 FixedanissuewherethefirewallincorrectlyassignedanexpiredUserIDIPmapping
for30secondsaftertheoriginalmappinghadexpired.
PAN-62822 FixedanissuewherethefirewalldroppedRTPtrafficmatchingapredictsession
whenavideocallinitiatedfromtheexternalsideofasharedgateway.Withthisfix,
whenapredictsessiongoesacrossadifferentvsysorasharedgateway,thefirewall
usestheegressinterface'svsystolookupthedestinationzoneinsteadofthe
session'svsys.
PAN-62074 FixedanissuewheretheUserIDagentincorrectlyreadtheIPaddressinthesecurity
logsforKerberosloginevents.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 43
PANOS7.0.13AddressedIssues
IssueID Description
PAN-61837 FixedanissueonPA3000SeriesandPA5000Seriesfirewallswherethedataplane
stoppedrespondingwhenasessioncrossedvsysboundariesandcouldnotfindthe
correctegressport.Thisissueoccurredwhenzoneprotectionwasenabledwitha
SYN Cookiesaction(Network > Zone Protection > Flood Protection).
PAN-60662 Fixedanissueondeviceswherecommitsfailedduetoissueswithaprocess(authd).
PAN-60591 Fixedanissuewhereacustomroleadministratorwithcommitprivilegescouldnot
commitconfigurationsusingtheXMLAPI.
PAN-59204 FixedanissuewherethefirewalldidnotcreateanIPSecNATTsessionafteratunnel
rekeyuntilitoriginatedatunnelkeepalive.Whenthisissueoccurred,thefirewall
droppedNATTtrafficpackets.
PAN-57338 Fixedanissuewhereaslowfiledescriptorleakbetweentwoprocesses(mgmtsrvrand
pan_log_receiver)causedthelogreceivertostoprespondinganddegraded
managementserverperformance.Thisissueoccurredafteralongdeviceuptimeof
morethan380days.
PAN-56839 Fixedanissuewherethedataplanestoppedrespondingwhenachangetothe
aggregateEthernet(AE)linkconfigurationwascommitted,resultinginanunexpected
pathmonitoringcondition.
PAN-56700 FixedanissuewheretheSNMPOIDifHCOutOctetsdidnotcontaintheexpected
data.
PAN-48095 FixedanissuewherethePanoramadynamicupdatescheduleignoredthecurrently
installeddynamicupdateversion,andinstalledunnecessarydynamicupdates.
44 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.12AddressedIssues
ThefollowingtableliststheissuesthatareaddressedinthePANOS7.0.12release.Foranoverviewof
newfeaturesintroducedinPANOS7.0andotherreleaseinformation,includingthelistofknownissues,see
PANOS7.0ReleaseInformation.Beforeyouupgradeordowngradetothisrelease,reviewtheinformation
inUpgradetoPANOS7.0.
StartingwithPANOS7.0.11,allunresolvedknownissuesandanynewlyaddressedissuesintheserelease
notesareidentifiedusingnewissueIDnumbersthatincludeaproductspecificprefix.Issuesaddressedin
earlierreleasesandanyassociatedknownissuedescriptionscontinuetousetheiroriginalissueID.
IssueID Description
PAN-69485 FixedanissuewhereUserIDgroupmappingdidnotretaingroupsretrievedfrom
ActiveDirectory(AD)serversiftherewereanyinvalidgroupsinthegroupmapping
includelist.
PAN-68045 FixedanissueonPA7000SeriesfirewallswhereforwardingtoWildFirefaileddue
toanincorrectcalculationoffilesize.
PAN-67986 FixedanissuewherethedataplanerestartedduetoacorruptionintheQoSqueue
pointer.
PAN-67587 Fixedarareconditionwhereadataplaneprocess(all_pktproc)stoppedresponding.
PAN-67231 FixedanissueonPA5000SeriesandPA3000Seriesfirewallswherethedataplane
restartedwhenprocessingtrafficthathadanincorrectlysetIPv4Reservedflag.
PAN-66540 FixedanissuewherethemanagementinterfaceandHAinterfacesflappedduring
installationofasoftwareupgrade,whichcausedHAfailoverorsplitbrain.
PAN-64662 Fixedanissuewherelatencyintermittentlyspikedover3msforIPsectraffic.With
thisfix,theconditionsthatcontributedtolatencyspikesareaddressed.
PAN-64368 FixedanissueonPA7000SeriesfirewallswhereapplyingaQualityofService(QoS)
profiletoanAggregatedEthernet(AE)interfacecausedthereportedmaximum
egressfortheAEinterfacetodifferfromthesumoftheegressvaluesofthe
individualinterfacesintheaggregate.Withthisfix,QoSstatisticscorrectlyreportthe
configuredQoSvalueofanAEinterface.
PAN-64263 Fixedanissuewhereforwardproxydecryptionfailediftheservercertificaterecord
sizeexceeded16KB.
PAN-63796 FixedanissueonPA7000Seriesfirewallswhereinternalloopingoftunnelcreation
packetscausedhighdataplaneCPUusage.
PAN-63142 FixedanissueonfirewallswherethedataplanerestartedwhenprocessingIPv6
trafficthatmatchedapredictsession.
PAN-61534 FixedanissueonthewebinterfacewhereattemptingtoaddmultipleIPaddressesto
securitypolicies(Policies > Security)failedwiththeerrorrange separator(-)
not found -> Destination is invalid.
PAN-61367 FixedanissuewherethefirewallfailedtosendaTCPreset(RST)totheclientside
andserversidedeviceswhenanapplicationhadaReset bothdenyactioninits
securitypolicy.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 45
PANOS7.0.12AddressedIssues
IssueID Description
PAN-61146 FixedanissuewherechangingorrefreshinganFQDNconfigurationwithalarge
numberofIPaddressentries(morethan32IPv4andIPv6entries)inasingleFQDN
objectcausedthefirewallorPanoramatostopresponding.
PAN-60751 FixedanissuewherecommitfailedwhenanIKEv2dynamicpeerhadthesame
proposalasanIKEv2staticpeerwiththesametunnelsourceinterface.Withthisfix,
auserisallowedtocreateonedynamicIKEv2peerwiththesameproposalasastatic
peer,withbothpeerssharingthesametunnelinterface.
PAN-60681 FixedanissuewherePanoramadidnotcorrectlyverifyDevicegroupobjectswhen
pushingconfigurationswithalargenumberofobjectstofirewalls,whichcaused
commitfailureswithobjectvalidationerrors.
PAN-60222 FixedanissuewherePanoramaallowedyoutoconfigureadecryptiontypeonNo
Decryptpolicies.WhenPanoramapushedthesepoliciestofirewalls,itsetthe
decryptiontypetothedefaultvalueSSL Forward Proxy.Withthisfix,whenyou
selectNo Decryptasapolicyruleaction,Panoramadisablesconfigurationofthe
decryptiontype.
PAN-60182 InresponsetoanissuewhereLACPflappedintermittentlyduetonegotiation
failures,priorityforLACPprocessingisenhancedtomitigateflapping,andadditional
debugoptionsareaddedtohelpisolatenegotiationfailures.
PAN-59411 Fixedanissueonfirewallswhereaprocess(logrcvr)stoppedresponding.Withthisfix,
theprocessusesthecorrectbuffersizetopreventthefault.
PAN-58516 FixedanissueonPA500andPA2000Seriesfirewallswherecorruptionofan
instructioncachecausedthefirewalltorestart.Thisissueoccurredafterthefirewall
wasincontinuousoperationwithoutarestartforhundredsofdays.
PAN-58341 FixedanissuewherePanoramachangedLDAPgroupmappingsto<ssl>no</ssl>,
whichpreventedendusersfromconnectingwhenthesemappingswerepushedto
devices.ThisissueoccurredwhenupgradingfromaPANOS6.1releasetoa
PANOS7.0release.
PAN-57946 FixedanissueontheM100appliancewhereaconfigurationforasubnetinthe
permittedIPaddressesofinterfaceEth1orEth2failedtotakeeffect.
PAN-57819 FixedanissuewheredisablingandimportinglocalcopiesofPanoramapoliciesand
objectsresultedinexclusionofLogForwardingprofileimportsonmultiplevirtual
systems(multivsys).
PAN-57787 FixedanissueonPanoramawhere,ifyouusedtheCLIreplacecommandtoreplace
adeviceserialnumber,Panoramaupdatedthemanageddeviceserialnumberbutdid
notupdatetheserialnumberinthedeploymentscheduleandincustomreports.
PAN-57715 Fixedanissuewherethefirewalldidnotsendallofthesupportedalgorithmsinthe
signaturealgorithmextensionofclient hellowhennegotiatingconnectionswith
someSSLsitesaccessedfromversion50oftheChromebrowser,whichcausedthose
connectionattemptstofail.
PAN-57593 FixedanissuewhereadecryptionpolicystoppeddecryptingSSLtrafficifyou
enabledWait for URLonSSLdecryption.
46 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.12AddressedIssues
IssueID Description
PAN-57145 Fixedanissuewhere,ifthefirewallperformedIPandportNATinthepathofa
GlobaProtectLargeScaleVPN(LSVPN)IPSectunnel,arekeycausedthefirewall
sidetotemporarilychangebacktothedefaultportnumberforthenewtunnel,and
theintermediateNATdevicedroppedtrafficuntiltheoldtunneltimedoutorwas
deletedmanually.Withthisfix,whenarekeyhappens,thefirewallsearchesand
appliesthecorrectportnumbertothenewtunnelimmediatelytopreventtraffic
drops.
PAN-57121 FixedanissuewhereaVMSeriesfirewallthatwasinFIPSCCmodecouldnot
connecttoaPanoramaserverthatwasinnormalmode.
PAN-56918 Fixedanissuewherefirewallsdidnotrecognizemalwarethathadbeen
Base64encodedinazippedRTFfileduringanSMTPsession.
PAN-56569 FixedanissuewherethetophalfoftextlinesfailedtodisplaycorrectlyinthePDF
versionoftheAppScopeThreatMonitorReport(Monitor > App Scope > Threat
Monitor).
PAN-56009 FixedanissueonfirewallsinstalledinanHAactive/activeconfigurationwhere
outoforderjumbopacketscausedthedataplanetorestart,whichresultedina
failover.
PAN-55958 FixedanissuewherethefirewalldidnotproperlyprocessactiveFTPdatasessionsif
theFTPclientreusedwithinashortperiodoftimethedestinationportnumber
thatwasnegotiatedintheFTPcontrolsession.
PAN-55881 FixedanissueonPA5000Seriesfirewallswherethedataplanerestartedinresponse
toanoutofmemorycondition.Thisissueoccurredwhenadataplaneprocess
stoppedresponding,andtheinformationcollectionprocedurethatfollowsaprocess
failurerequiredmorememorythanwhatwasavailable.Withthisfix,theinformation
collectionproceduredoesnotrunwhenalowmemoryconditionispresent.
PAN-55737 FixedanissueonPA200firewallswhere,afterthefirewallrebootedandbeforeNTP
synchronizationoccurred,thefirewallreportedareboottimewithoutatimezone
calculationtoPanorama.
PAN-55243 Fixedanissuewhereanadministratorwithreadonlyprivilegewasunabletoexport
CorrelatedEventslogsinCSVformat.
PAN-55190 FixedanissuewherefirewallsfailedtoresolvedURLsonthedataplane.Thisissue
occurredwhenanoutofmemoryerrorcausedfaultsintheURLcache.Withthisfix,
firewallshandleoutofmemoryerrorscorrectly,allowingproperresolutionofURLs.
PAN-55045 FixedanissuewhereaddingobjectssuchastagstoPanoramausingtheXMLAPI
resultedinthoseobjectsnotbeingvisibleunderPolicies,Addresses,orServices.
PAN-54423 FixedanissuewherethefirewallfailedtomaketheCLIconfigurationset
authentication radius-vsa-on client-source-ippersistentacrosssystemrestart.
PAN-54279 FixedanissuewheretheFTPfiletransferofalargenumberofsmallfilesfailed
becausethefirewalldidnotinstalltheFTPdatachannelsessioninatimelymanner.
PAN-53885 Fixedanissuewherenonsuperuseradministratorscouldnotseeexemptprofilesand
securitypolicyruleswhenviewingthreatdetailsinathreatlog.
PAN-52274 FixedanissuewheretheUserIDprocess(useridd)stoppedrespondingduetoan
issueinaninternallibrary,whichcausedthefirewalltoreboot
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 47
PANOS7.0.12AddressedIssues
IssueID Description
PAN-52177 FixedanissueonPA7000Seriesfirewallswhereanewlyinstalledandenabled
NetworkProcessingCard(NPC)didnothaveacorrectlyprogrammedforwarding
table,whichcausedthefirewalltodroppacketsuntiltheforwardingtablewas
manuallyflushed.Withthefix,thefirewallcorrectlyprogramstheforwardingtable
uponslotstartup.
PAN-52007 FixedanissuewhereQoSstatisticsforaspecificinterfacewereemptyafteradevice
reboot.
PAN-49890 FixedanissuewhereexportingcustomreportstoCSV,XML,andPDFfailed.
48 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.11AddressedIssues
ThefollowingtableliststheissuesthatareaddressedinthePANOS7.0.11release.Foranoverviewof
newfeaturesintroducedinPANOS7.0andotherreleaseinformation,includingthelistofknownissues,see
PANOS7.0ReleaseInformation.Beforeyouupgradeordowngradetothisrelease,reviewtheinformation
inUpgradetoPANOS7.0.
StartingwithPANOS7.0.11,allunresolvedknownissuesandanynewlyaddressedissuesintheserelease
notesareidentifiedusingnewissueIDnumbersthatincludeaproductspecificprefix.Issuesaddressedin
earlierreleasesandanyassociatedknownissuedescriptionscontinuetousetheiroriginalissueID.
IssueID Description
PAN-66677 FixedanissueonPA5000Seriesfirewallswheretrafficloopedinfinitelybetween
dataplanes,whichcausedalossoftheaffectedtrafficandaspikeinCPU
consumption.
PAN-66250 Fixedanissueonlogcollectorswhereadeadlockoccurredforinterlogcollector
connections,whichcausedconnectivityissuesbetweenlogcollectorsandfrom
firewallstologcollectors.Thisissuealsocausedlocalbufferingoflogsonthefirewall.
Withthisfix,logcollectorconnectionprocessinghasbeenmodifiedtoeliminatethis
deadlock.
PAN-66210 Fixedanissuewhereadataplaneprocessfailedtorestartduetoamissingorcorrupt
file,whichcausedthenetworkprocessingcard(NPC)torestart.
PAN-64360 Fixedanissuewherethefirewallfailedtopopulatetheemailsender,recipientand
subjectinformationforWildFirereports.
PAN-63073 Securityrelatedfixesweremadetopreventdenialofserviceattacksagainsttheweb
managementinterface(PANSA20160035).
PAN-62782 Fixedanissuewhere,ifanLDAPrefreshqueryterminatedbeforecompletion,the
firewalldeletedusersbelongingtothedomainusergroupintheactivedirectory(AD).
PAN-62385 Fixedanissuewhere,ifthefirewalllostconnectivitywithanLDAPserverorifyou
appliedaninvalidqueryfilter,andthesedisruptionsoccurredduringaUserIDgroup
mappingupdate,thefirewalldeletedexistingusergroupmappings.Withthisfix,
disruptionsduringaUserIDgroupmappingupdatewillcausethefirewalltostop
addingnewusergroupmappings,andthefirewallwillnotdeleteexistingusergroup
mappings.
PAN-61815 FixedarareissuewhereVMSeriesfirewallsstoppedgeneratingtraffic,threatorURL
logs,orlosttheabilitytoresolvetheURLcategory.
PAN-61554 Fixedanissueonfirewallswhereamemoryleakinaprocess(authd)causedall
authenticationstothefirewalltofail.
PAN-61468 AsecurityrelatedfixwasmadetoaddressCVE20166210(PANSA20160036).
PAN-61104 Asecurityrelatedfixwasmadetoaddressalocalprivilegeescalationissue
(PANSA20160034).
PAN-61046 Asecurityrelatedfixwasmadetoaddressacrosssiterequestforgeryissue
(PANSA20160032).s
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 49
PANOS7.0.11AddressedIssues
IssueID Description
PAN-58673 FixedanissuewherethefirewalldidnotuseasecondLDAPserverforauthentication
ifthefirstLDAPserverwasunreachable.
PAN-58418 FixedanissuewherePanoramacouldnotsynctotheNSXmanagerafterarebootor
afailover,whichcausedaserviceoutage.Withthisfix,syncworksasexpected.
PAN-58410 FixedanissueonVMSeriesfirewallsinanHAconfigurationwhere,afterafailover
occurred,aninterfaceontheactivefirewalldisplayeditsstatusas
ukn/ukn/down(autoneg).
PAN-58086 Fixedanissueonfirewallswhereaprocess(devsrvr)restartedifyoucommitteda
configurationthatusedmorethan64vendorIDsinasinglevulnerabilityprotection
rule.Withthisfix,ifyoucommitaconfigurationwithmorethen64vendorIDsina
singlerule,youreceiveawarningthatyouhaveexceededthemaximumnumberof
IDs,andtheprocessrestartdoesnotoccur.
PAN-57855 Fixedanissuewherethefirewallstoppedforwardinglogsanddiscardedlogseven
whentheincomingloggingratewaslow.Withthisfix,theprocessingoflogsis
optimizedtoincreaseprematching,andCPUloadisreducedtopreventthequeue
frombecomingfullanddiscardinglogs.
PAN-57323 FixedanissuewhereVPNtrafficwentintoadiscardstatebecausethefirewall
allowedpacketstobesentthroughthetunnelpriortothecompletionoftheIKE
Phase2rekeyprocess.
PAN-57055 FixedanissueonVMSeriesfirewallswheretrafficprocessingsloweddownfortwo
tothreeminutesafterthefirewallreceivedaburstofpacketsontheHA2datalink.
PAN-56978 FixedanissuewhereaVMwareNSXeditionfirewallhadincorrectaddressgroup
objectspushedviaPanoramaupdates.
PAN-56973 Fixedanissueonfirewallswhereemailsconfiguredtousethepervirtualsystem
(vsys)SMTPservicerouteweresentusingtheglobalSMTPserviceroutesettings.
Withthisfix,emailsusetheconfiguredvirtualsystemSMTPserviceroute.
PAN-56775 Fixedanissueonfirewallswhere,ifyouconfiguredthefirewalltoperformamonthly
updateoftheexternalblocklist(EBL),thefirewallincorrectlyinitiatedanEBLrefresh
jobeverysecond.
PAN-56650 Fixedanissuewherealogcollectorfailedtosendthesystemlogtotheactive
PanoramapeerinanHAactive/passivePanoramaconfigurationaftertheactivepeer
restarted.
PAN-56616 Fixedanissuewherethefirewalltruncatedusergroupnameswhenthename
exceeded150characters.Withthisfix,thefirewallpreservesthecompletegroup
nameeveniftheusergroupnameexceeds150characters,uptoamaximumof255
characters.
PAN-56438 FixedanissueonfirewallswheretheinternalvalueforblocktimeintheDenialof
Service(DoS)tableexceededtheconfiguredblocktime.Thisissueoccurredon
firewallsinstalledinanHAconfiguration.
PAN-56332 FixedanissuewherecommitsonPanoramafailedbecauseaprocess(cord)stopped
responding.
50 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.11AddressedIssues
IssueID Description
PAN-56280 Fixedanissuewherethefirewalldisplayedthestatusofa10GSFP+virtualwire
interfaceas10000/full/upwhentheconfiguredstateoftheinterfacewas
auto/auto/down.ThisissueoccurredwhenLink State Pass ThroughinNetwork>
Virtual Wireswasenabled.
PAN-56221 Asecurityrelatedfixwasmadetoaddressacrosssitescripting(XSS)conditioninthe
webinterface(PANSA20160033).
PAN-56200 Fixedanissuewherethefirewallallowedaccesstothesearchengine'scached
versionofawebpageeventhoughthepagebelongedtoaURLcategoryblockedby
apolicy.
PAN-56034 FixedanissuewhereWildFireplatformsexperiencednonresponsiveprocessesand
suddenrestartsundercertainclientstrafficconditions.
PAN-55651 Fixedanissueonfirewallswhere,regardlessoftheconfiguredmetric,OSPF
preferredType2externalmetricsoverType1externalmetrics.
PAN-55560 Fixedanissueonfirewallswhereamemoryconditioncausedthedataplanetorestart
withthemessageDataplane is down: too many dataplane processes exited.
PAN-55237 AsecurityrelatedfixwasmadetoaddressanXPathinjectionvulnerabilityintheweb
interface(PANSA20160037).
PAN-55199 Fixedanissuewhere,ifyouusedSNMPtocheckthestatusofatunnelinterface,the
firewallprovidedincorrectinformation.
PAN-54696 Fixedanissueonfirewallswhereincorrecthandlingofselectiveacknowledgment
(SACK)packetscausedadecreaseindownloadspeedsonSSLdecryptedtraffic.
PAN-53039 FixedanissueonfirewallswheretheSNMPifOperStatusOIDdidnotreflectstate
changesoftheaggregateEthernet(AE)interfacesinanLACPtrunkconfiguration.
PAN-52901 Fixedanissuewherethedataplanerestartedanddataplaneprocessesstopped
respondingwhenpassingSSHtrafficusingSSHdecryption.
PAN-52379 AsecurityrelatedfixwasmadetoaddressCVE20155364and20155366
(PANSA20160025).
PAN-52183 FixedanissuewherePanoramamanagementserversrunningPANOS7.0oralater
PANOSreleasefailedtodisplayordownloadreportsreceivedfromfirewallsrunning
PANOS6.1orearlierreleases.
PAN-52164 FixedanissuewhereTrafficlogsreportedcumulativebytesforsessionswithTCP
portreuse,whichcausedcustomreportstoincorrectlyreportthebytecount.
PAN-49397 Fixedanissueonfirewallswhereaprocess(varrcvr)stoppedrespondingwhenyou
requestedWildFirestatisticsafterreceivinganunexpectedresponsecodefromthe
WildFireCloud,suchasanerrorresponsecodeduringqueryorupload.
PAN-48508 FixedanissuewherethepassivePanoramaserverinanHAconfigurationdidnot
displayapplicationdataintheApplicationCommandCenter(ACC)orinAppScope.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 51
PANOS7.0.11AddressedIssues
52 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.10AddressedIssues
ThefollowingtableliststheissuesthatareaddressedinthePANOS7.0.10release.Foranoverviewof
newfeaturesintroducedinPANOS7.0andotherreleaseinformation,includingthelistofknownissues,see
PANOS7.0ReleaseInformation.Beforeyouupgradeordowngradetothisrelease,reviewtheinformation
inUpgradetoPANOS7.0.
IssueID Description
102600 Fixedanissueonfirewallswhere,ifyouconfiguredGlobalProtecttouse
certificatebasedauthentication,usersonChromebookendpointsreceivedprompts
tologonusingusernameandpassword.
101406 FixedanissueonfirewallswhereCPUutilizationonthedataplanewashigherthan
expected.
101089 FixedanissuewhereafirewallincorrectlyappliedSSLdecryptiontotrafficina
customURLcategory.Thisissueoccurredwhenthefirewallinspectedtraffic
betweentheclientandanexplicitHTTPproxy,andtheclienthellomessagedidnot
containservernameinformation(SNI).
100129 FixedanissueonfirewallsinanHAactivepassivepairwhereHAconfigurationsync
failed.Thisissueoccurredwhenconfigurationsyncfromtheactivefirewallhappened
whilethepassivefirewallwasinastatewherealocalcommitfailed.Withthisfix,
configurationsyncfromtheactivefirewalloverwritestheconfigurationonthe
passivefirewall,andconfigurationsyncsucceeds.
100115 Fixedanissueonfirewallswherethedataplanerestartedwhileprocessingachainof
tunnelpackets.
99918 Fixedanissueonfirewallswhereaprocess(devsrvr)restartedrepeatedlyduetoa
problemwiththeinternalURLcachestructure.
99818 Fixedanissuewherethefirewalldidnotprovideablockedpageresponseifyou
accessedablockedapplicationoverHTTPS.
PAN-60568 AsecurityrelatedchangewasmadetoaddressaversiondisclosureinGlobalProtect
99786 (PANSA20160026).
99057 Fixedanissueonfirewallswhere,ifyouconfiguredvirtualrouterswithOSPFType5
externalrouteswithnonzeroforwardaddresses,theroutingtablesofsomevirtual
routersdidnotcontaintheroutes.Withthisfix,OSPFType5externalroutesinstall
asexpectedinthevirtualrouters.
98684 FixedanissueonVMSeriesfirewallswhere,ifpathmonitoringforHAusedIPv6
addressing,thefirewallusedthewrongIPv6addressandpathmonitoringchecking
failed.
98602 FixedanissuewherethePanoramamanagementserverhadamemoryincreasedue
tosyncingofWildFirereportsfromPanoramatologcollectors.
98388 FixedanissuewherethefirewallbroughtdownatunnelthatterminatedatanIKE
gatewayconfiguredfordynamicIPaddressingwhentheIPaddressofthegateway
changed.Withthisfix,thefirewalldoesnotbringdownatunneliftheIKEgateway
dynamicIPaddresschanges.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 53
PANOS7.0.10AddressedIssues
IssueID Description
98188 FixedanissueonfirewallswhereHAfailoverdidnotoccurimmediatelyafterthe
controlplanefailedontheactivefirewall.
97466 FixedanissueonfirewallswhereaTCPreassemblyfailureforareusedTCPsession
preventedusersfromaccessingWindowsServer2012sitesandapplications.
97282 FixedanissueonPA7000Seriesfirewallswhereaslotstoppedrespondingduetoa
memorycondition.
97063 FixedanissueonfirewallswhereUserIDgroupmappingstoppedworkingduetoa
racecondition.
96800 Fixedanissueonfirewallswhere,ifyoumonitoredserverstatusfromtheuser
interface,theconnectionstateappearedtotogglebetweentheconnectedand
disconnectedstateseventhoughtheserverremainedconnected.Thisissueoccurred
forserverswithagentlessusermappingwhenyouselectedEnable SessioninDevice
>User Identification>User Mapping>Palo Alto Networks User-ID Agent Setup>
Server Monitor.
96155 FixedanissueonVMSeriesfirewallswherethepassivefirewallinterfaceinanHA
pairwentdown,evenwithPassiveLinkStatesettoautointheHAconfiguration.
96082 FixedanissuewherethefirewallrespondedtoMicrosoftnetworkloadbalancing
(MSNLB)multicastpacketsbyincorrectlysendingthemulticastaddressasthe
sourceaddress.
PAN-57659 Asecurityrelatedfixwasmadetoaddressacrosssitescriptingconditionintheweb
95895 interface(PANSA20160031).
95864 FixedanissuewheretheGlobalProtectportaldidnotnegotiateencryption
algorithmscorrectly,whichcausederrorsonrecentreleasesofbrowserswithnewly
availablestrictercheckingenabled.Afterthisfix,theportalnegotiatesthecorrect
algorithmstoeliminatebrowsererrors.
95604 FixedanissuewherefirewallsconfiguredwithOSPFv3adjacencyandAH
authenticationheaderprofilesfailedtoestablishfulladjacencybecausethe
fragmentedOSPFv3packetsfailedtheAHauthenticationcheck.
95034 Fixedanissueonfirewallswhere,ifyouusedtheXMLAPItoredistributeUserID
mappinginformation,andthemappingusedatimeoutvalueofNEVER,thefirewall
incorrectlychangedthetimeoutvalueto3600.
94853 FixedanissuewherePanoramaincorrectlyremovedtheLDAPdomainfieldwhenit
pushedatemplateconfigurationtoafirewallrunningaPANOS6.xrelease.This
issueoccurredinaconfigurationwhenPanoramausedaPANOS7.xreleaseand
firewallsusedamixtureofPANOS6.xandPANOS7.xreleases.
94615 Fixedanissueon7000SeriesfirewallswherethedesignatedLogCardinterfacedid
nottransmitagratuitousARPuponfailover,whichcausedconnectivityissueswith
neighboringdevices.
94435 FixedanissuewhereafirewallfailedtolearnofOSPFneighborsthatwereon
interfacesconfiguredwithamaximumtransmissionunit(MTU)of9216becausethe
OSPFdatabaseexchangefailedforjumbopackets.
54 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.10AddressedIssues
IssueID Description
94282 FixedanissueonPA7000SeriesfirewallsconfiguredasHApairswhere,afterthe
activefirewallfailedovertobecomethepassivefirewall,thenewlypassivefirewall
restartedwiththeerrormessage:internal packet path monitoring failure.
Withthisfix,thefirewallwillnotrestartafterbecomingpassive.
94166 Fixedanissueonfirewallswhere,ifyouconfiguredaNetflowprofileunderavirtual
system(vsys),youcouldnotassigntheNetflowprofiletoasubinterfacepartofsame
vsys.
94136 FixedanissuewhereaPA200firewallreportedanantivirusupdatejobassuccessful
whentheupdatedownloadedwithoutinstalling.Withthisfix,alargertimeoutvalue
allowstheinstallationtocomplete.
94115 Fixedanissueonfirewallswhere,ifyouimplementedanauthorizationprofilefor
OSPFwithMD5authenticationonafirewallconfiguredforFIPSCCmode,the
dataplanerestarted.
93770 FixedanissuewherethefirewallinterpretedatruncatedexternaldynamiclistIP
address(suchas8.8.8.8/)as0.0.0.0/0andblockedalltraffic.Withthisfix,thefirewall
ignoresincorrectlyformattedIPaddressentries.
93394 FixedanissueonfirewallswherethedataplanerestartedwhenprocessingSSL
packetswithanoversizedLayer2header.
92934 FixedanissuewhereafirewallconfiguredforDHCPrelay(withmultipleDHCPrelays
orincertainfirewallvirtualsystemconfigurations)rebroadcastaDHCPpacketonthe
sameinterfacethatreceivedthepacket,whichcausedabroadcaststorm.Withthis
fix,thefirewalldropsduplicatebroadcastsinsteadofretransmittingthem.
92621 Fixedanissuewhereforwardedthreatlogsusedinconsistentformattingbetween
theRequestfieldandthePanOSRefererfield.Withthisfix,thePanOSRefererfield
usesdoublequotesforconsistencywiththeRequestfield.
92523 Fixedanissuewhere,forfirewallsinanHAactive/activeconfiguration,anOracle
redirectspredictsessionsynchronizedtothepeerdevicebecamestuckinthe
OpeningStatebecausetheparentsessionwasnotinstalledonthepeerdevice.
Withthisfix,thefirewallensurestheparentsessionisinstalledonthepeerdevice
andtheOracleredirectspredictsessiontransitionstoactivestatetoallowfor
successfulOracleclienttoservercommunication.
91474 FixedanissuethatpreventedafirewallinCommonCriteriaEvaluationAssurance
Level4(EAL4)modefromconnectingtoPanoramaHApairunitsinCommonCriteria
(CC)mode.
91086 FixedanissuewherethefirewallexperiencedBGPdisconnectionsbecausethe
firewallfailedtosendkeepalivemessagestoneighborswithinspecifiedtimers.
90596 FixedanissueonPA5000SeriesfirewallswheretheFPGAdidnotinitialize.With
thisfix,theFPGAisautomaticallyreprogrammedafteraninitializationfailuresothat
itcanattemptmultiplereinitializationsbeforetriggeringabootfailure.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 55
PANOS7.0.10AddressedIssues
IssueID Description
90508 SecurityrelatedfixesweremadetoaddressCVE20160777andCVE20160778
(PANSA20160011).
90145 FixedanissuewherethesystemloginPanoramadidnotcontaincompleteusername
andjobIDinformation.Withthisfix,PanoramadisplaystheusernameandjobID
correctly,butfirewallscontinuetoshowpanoramaastheusernameinsystemlogs
forcommitallconfigurations.
89891 FixedanissuewhereThreatlogsforwardedfromthefirewallhadanextracolon
whenusingTCPforthetransportprotocol.Withthisfix,theformatofforwardedlogs
overTCPandUDPisconsistent.
89284 FixedareportingissuewherethenonstandardportACCwidgetsdisplayed
inaccurateinfo.Thisissueoccurredwhentrafficonthefirewallranonstandardports
matchingcustomapplicationspushedbyPanorama.
88841 Fixedanissueonfirewallswhereaprocess(routed)stoppedresponding.
88651 Fixedanissuewhereaprocess(useridd)stoppedrespondingwhentherunningconfig
wasmissingtheportnumberassociationsfortheTerminalServices(TS)Agent.
88194 FixedanissuewherePanoramadidnotlogiftheForceTemplateValuesoptionwas
inthecheckedstatewhenapplyingaTemplateorDeviceGroupcommit.Withthis
fix,thePanoramalogswillindicateiftheForceTemplateValuesoptionisinthe
checkedstatewhendoingaTemplateorDeviceGroupcommit.
87870 FixedanissuewhereanOSPFroutewithaloweradministrativedistancethanthe
staticrouteshouldbecomethepreferredroutebutwasnotinstalledandusedas
expected;thefirewallcontinuedtousethestaticrouteinstead.
87727 Fixedanissuewhereavirtualsystemcustomroleadministratorcouldnotadd
usertoIPmappingsusingtheXMLAPI.
87052 FixedanissuewherefirewallscouldnotuseanEUregionAWSvirtualprivatecloud
asaVMinformationsource.Thisissueoccurredbecausethefirewallusedsignature
version2tosignAPIrequestswhiletheEUregionAmazonMachineImage(AMI)
usedsignatureversion4.Withthisfix,thefirewallusesthesupportedsignature
version.
85361 Fixedanissuewhere,ifyouusedtheCLItoinputmorethan126addressesinan
addressgroupor126URLsinanallowlist,thefirewalldidnotapplythe
configuration.
83569 FixedanissuewheremultipleQoSchangeswhileunderaheavyloadcausedthe
dataplanetorestart.
82165 FixedanissuewhereafirewallconfiguredtoblockURLcategoriesoverHTTPSdid
notsendaFIN/ACKtothebrowsertoclosetheconnectionaftersendingablock
page.ThisissueoccurredforfirewallsconfiguredtoperformNAT.
81451 FixedanissueonPanoramawheredevicegroupandtemplateadministratorswere
unabletochangetheirownpasswords.
81178 Fixedanissuewhere,ifyoufilteredtheURLlogs,thereturnedresultsdidnotinclude
expectedmatches.
79472 FixedanissuewherePanoramatruncatedsystemlogsto180characters.
56 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.9AddressedIssues
ThefollowingtableliststheissuesthatareaddressedinthePANOS7.0.9release.Foranoverviewofnew
featuresintroducedinPANOS7.0andotherreleaseinformation,includingthelistofknownissues,see
PANOS7.0ReleaseInformation.Beforeyouupgradeordowngradetothisrelease,reviewtheinformation
inUpgradetoPANOS7.0.
IssueID Description
99505 FixedanissueonfirewallswherelongclientIDscausedtheDHCPservicetostop
responding,leadingtoafirewallrestart.
98510 Fixedanissuewhereexportedlogfilesdidnotcorrectlyescapecertaincharacters,
suchascommas(,),backslashes(\),andequaltooperators(=).
98327 FixedanissueonfirewallswhereanFQDNrefreshoracontentupdatetriggeredan
unexpectedconfigurationcommitafteryouappliedaprecommitvalidation.With
thisfix,anFQDNrefreshoracontentupdatewillnottriggeraconfigurationcommit.
98112 FixedanissuewithfirewallsinanHAactive/activeconfigurationwheresession
timeoutsforsometrafficwereunexpectedlyrefreshedafteracommitorHAsync
attempt.
97763 FixedanissuewhereaPA200firewallfailedtodownloadaPANOSsoftware
updateduetoanincorrectdiskspacecalculation.
97571 Fixedanissueonfirewallswhereeusingpreviousportinformation(tcpreuse)for
newsessionscausedtrafficinthosesessionstobedropped.
97247 FixedanissuewhereaPA200firewallfailedtodownloadacontentupdatedueto
diskspaceissuesafterafailedantivirusupdateinstallation.Withthisfix,thefirewall
will,aspartoftheupdateinstallationprocess,cleanupalltemporaryfilesevenifthe
updateinstallationfails.
97099 Fixedanissuewhere,afterimportingtheconfigurationfromaPanoramaM100
devicetoaPanoramaM500device,theexistingsecurityprofilesandlogforwarding
profilescouldnotbeselected.
95622 SecurityrelatedfixesweremadetoaddressissuesidentifiedintheMay3,2016
OpenSSLsecurityadvisory(PANSA20160020).
95462 FixedanissueonPA5000andPA7000Seriesfirewallswherethedataplane
repeatedlystoppedresponding.
95133 Fixedanissuewherefirewallincorrectlyappliedpolicybasedforwarding(PBF)to
sessionscreatedviaprediction(suchasftpdatasessions).
94765 FixedanissuewhereNATtranslationdidnotworkasexpectedwhenthe
administratordeletedavirtualsystem(vsys)fromafirewallwithmultiplevirtual
systems(multivsys)andNATrulesconfiguredwithoutfirstdeletingNATrules
associatedwiththevsys.Withthisfix,whentheadministratordeletesavsys,the
firewallautomaticallydeletesNATrulesassociatedwiththatvsys.
94573 Fixedanissuewhere,underspecificconditions,afirewalldroppedincoming
PSH+ACKsegmentsfromtheserver.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 57
PANOS7.0.9AddressedIssues
IssueID Description
94569 FixedanissuewhereintegratedWildFirereportfromWF500didnotdisplay
correctlywhenusingInternetExplorer11.
94165 FixedanissuewherethefirewallgeneratedWildFireSubmissionslogswithan
incorrectemailsubjectandsenderinformationwhensendingmorethanoneemailto
arecipientinaPOP3session.
93961 Fixedanissuewhereaprocess(configdormgmtsrvr)restartedduetotheuseof
specialcharacters,suchasabracketcharacter[or]inasearchfield(for
example,intheAddresssection).
93865 FixedanissueonanM100applianceinLogCollectormodewherelocallycreated
proxyconfigurationswerelostwhenacommitwasperformedfromPanorama.With
thisfix,locallycreatedproxyconfigurationspersistafteraPanoramacommit.
93855 FixedanissuewheretheDNSproxytemplateobjectthatwaspushedfromPanorama
didnotoverridethatobjectonthefirewallasexpected.
93783 Fixedanissueonfirewallswhereautocommitfailedifanadministratorconfiguredan
IPSectunnelusingthemanualkeymethod.
93778 FixedarareissuewhereabindrequestfromthefirewalltotheLDAPserverfailed.
93667 FixedanissueonfirewallswheretheGlobalProtectendpointincorrectlyfailedthe
HostInformationProfile(HIP)evaluationwhenthereisanemptymissingpatchtag
intheHIPReportandtheChecksettingforpatchmanagementinHIPObjectscriteria
wassettohas-all(Objects>GlobalProtect>HIP Objects>Patch Management>
Criteria).
93540 Fixedanissuewhereareadonlysuperusercouldnotexportathreatpacketcapture
(PCAP)filefromtheGUI,whichdisplayedaFile not foundmessage.
93531 Fixedanissueonfirewallswhere,ifyouexportedtoCSVformatfromtwoormore
customscheduledreports,theexportprocessproducedthesamefileforboth
reports.
93508 Fixedanissuewhereaprocess(logrcvr)stoppedrespondingandrestartedrepeatedly
afteranupgradetocontentreleaseversion571,whichcausedthefirewalltoreboot.
Contentreleaseversion572mitigatedthisissuebutthisfixensuresthatfirewalls
runningPANOS7.0.9andlaterreleases(orPANOS7.1.2andlaterreleases)willnot
beaffectedbythisissue.
93449 FixedanissuewheretheAPIbrowserdisplayedtheincorrectXMLAPIsyntaxforthe
show arp allcommand.
92863 Fixedanissuewhereaprocess(mgmtsrvr)stoppedrespondingandcreatedcorefiles
duringfirewallstartup.
92752 FixedanissuewherePanoramaexportedanincompleteCSVfilebecauseacustom
reportnamecontainedaspace.
92684 Fixedanissueonfirewallswhereaprocess(l3svc)stoppedrespondingwhen
processingalargenumberofuserauthenticationrequests.
92677 FixedanissuewheretheComodoRSAcertificateauthority(CA)wasnotincludedin
thedefaulttrustedrootonthefirewall,whichcausedSSLdecryptiontofailonsites
usingthisastheirCA.
58 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.9AddressedIssues
IssueID Description
92610 FixedanissueonPA200firewallswherethefirewallstalledduringbootupafteran
upgradefromPANOS6.1.12oranearlierPANOS6.1releasetoaPANOS7.0or
laterrelease.
92472 Fixedanissuewhere,duringtheconnectionofasatellitetotheGlobalProtect
gateway,theOnlineCertificateStatusProtocol(OCSP)verificationforthe
GlobalProtectcertificatefailedbecausetheOCSPresponsedidnotcontainthe
signaturecertificate.
PAN-55259 AsecurityrelatedfixwasmadetoaddressmultipleNTPvulnerabilities
92106 (PANSA20160019).
91785 FixedanissuewhereaPanoramaprocess(configd)stoppedrespondingwhentrying
toaddtagstomultiplefirewalls(Panorama > Managed Devices)atthesametime.
91522 Fixedanissuewhereaclonedapplicationnamecouldnotbeeditedafteritwas
clonedfromaShared/DeviceGrouplocationtoaSharedlocation.Withthisfix,the
clonedapplicationnamesareeditable.
91379 Fixedanissuewhereanoutofsequencepacketwaspassedthroughthefirewall.
91269 Fixedanissuewherethefirewallrestartedthedataplaneafteraprocessstopped
responding.
91156 FixedanissueonPanoramawhereperforminglogqueriesandreportsresultedin
incorrectreportingofmultiplePanoramaloggedinadministratorsonPA7000Series
firewalls.
91034 FixedanissueontheWildFireplatformwhere,ifthesnmp.logfilewasover5MB,the
SNMPdaemon(snmpd)processclearedthelogfileandrestarted.
90933 Fixedanissuewherethefirewallgeneratedsuperfluouslogs(fortrafficthatdidnot
matchtheconfiguredfilters)afteryouenableddataplanedebugging.Withthisfix,
thefirewallwillcorrectlyfilterthelogs,butsomesuperfluouslogswillbeobserved.
90691 FixedanissueonfirewallsrunningaPANOS7.0orlaterreleasewheretheweb
interfacebecameinaccessible(502 bad gatewayerror)whensendingahighrate
ofconcurrentUserIDXMLAPIPOSTrequests.
90677 Fixedanissueonfirewallswheretheflow_mgmtprocessstoppedresponding,which
causedthedataplanetorestart.
90618 FixedanissueonPanoramawherecreatinganexemptionforathreatnamefromthe
Threatlogcausedthewebinterfacetodisplaytheexemptionmultipletimes
dependingonthenumberofsubdevicegroups.Afterthefix,theinterfacecorrectly
displaysonlyoneprofilename.
90252 FixedanissuewherefirewallsdeployedinanActive/Activeconfigurationdropped
DNStrafficpacketswithacorrespondingincrementinthesession_state_error
counter.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 59
PANOS7.0.9AddressedIssues
IssueID Description
90141 ImprovedoutputofthecommandrequestbatchlicenseinfoonPanoramatoinclude
licenseexpirationtimes.
90106 Fixedanissuewhereaprocessrestartedunexpectedlyduetothereuseofaprocess
ID(PID).ThePIDwasassociatedwithanoldSSHsessionthatthefirewallintended
toterminatebecausetheSSHsessionhadtimedoutbutwasneverclosedproperly,
whichinadvertentlyresultedinarestartoftheprocesscurrentlyassociatedwiththat
PID.
89984 Asecurityrelatedfixwasmadetoaddressastackoverflowcondition
(PANSA20160024).
89620 FixedanissuewhereSSLinbounddecryptionfailedwhenaclientsentaClientHello
withTLS1.2whiletheserversupportedonlyTLS1.0.
89264 FixedanissuewhereDNSresolutionfailedwhenmessagecompressionwasdisabled
ontheDNSserver,whichresultedincasemismatchbetweenCNAMEqueryand
answervaluesinDNSserverreplies.Withthisfix,thefirewallignorescaseinCNAME
valuessothatqueryandanswervaluesmatchandDNSrequestsresolvesuccessfully.
88585 FixedanissuewhereDNSproxyrulesdidn'tconsistentlymatchadomainnamewith
thecorrectprimaryIPaddresses.Withthisfix,matchinglogicfavorsresultsthatdo
notincludewildcards.
88225 FixedanissuewherethefirewallcouldnotregisterwiththeWildFirepubliccloud
duetoaproblemwiththelogcachesizebecomingtoolarge.Withthisfix,alimitation
mechanismisaddedtocontrolthelogcachesize.
87414 Fixedacosmeticissuewherethetrafficlogtypewasdisplayedintheseverity
columnoftheLogForwardingprofile.
87223 Fixedanissuewhereaprocess(mprelay)stoppedrespondingduetoaracecondition
relatedtotheageoutlogicforMFIBentries.
87154 FixedanissuewherefirewallsstoppedforwardingdatatotheWildFirecloud.With
thisfix,iftheconnectiontotheWildFirecloudfails,thefirewallattemptsto
reconnectaftertheinitialfailureandresumesforwardingwhensuccessfully
reconnected.
86990 Fixedanissueonafirewallwhereaprocess(sslvpn)repeatedlyrestartedduetoan
internalthreadsynchronizationissue.
86979 FixedanissuewhereanincompleteIPSectunnelconfiguration(onewithoutanIKE
gatewayspecified)causedthefirewallserverprocesstostopresponding.
83008 FixedanissuewhereVMSeriesfirewallsexperiencedpacketloss.Withthisfix,an
internalbufferisincreasedinsizetopreventthepacketloss.
60 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.9AddressedIssues
IssueID Description
82613 FixedanissuewherefirewallsdownloadedmultipleCertificateRevocationLists
(CRLs)becausetheCRLverificationprocessdidnotsupportcertainextensiontypes
inthelist.Withthisfix,ifthefirewallencountersaCRLwiththeextensionIssuing
Distribution PointitwillreturnthestatusofthecertificateasUnknown.
81750 FixedanissueonPA200firewallswherefilesinthe/tmppartitioncausedalowdisk
spacecondition.Withthisfix,somefilesin/tmparerelocatedtootherpartitionsto
improvediskspaceallocation.
80628 FixedanissuewhereWildFirecontentupdatesshowedtimestampswithfuture
dates.
69900 FixesintroducedinPANOS7.0.0areenhancedinthisrelease.Withthisfixinthe
PANOS7.0.9release,thetechsupportfilecontainsafilteredversionofthe
php.debug.logfile,whichwasexcludedfromthepreviousfix.
44888 Fixedanissueonfirewallswhere,ifyouenabledSYNcookies,droppingtheoriginal
SYNpacketandsendingSYNACKbacktotheclientincorrectlytriggeredan
incrementintheflow_dos_rule_dropcounter.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 61
PANOS7.0.9AddressedIssues
62 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.8AddressedIssues
ThefollowingtableliststheissuesthatareaddressedinthePANOS7.0.8release.Foranoverviewofnew
featuresintroducedinPANOS7.0andotherreleaseinformation,includingthelistofknownissues,see
PANOS7.0ReleaseInformation.Beforeyouupgradeordowngradetothisrelease,reviewtheinformation
inUpgradetoPANOS7.0.
IssueID Description
97313 FixedanissuewherethemanagementplaneofPanoramaM100andM500
appliancesstoppedrespondingwhenrenamingobjectsorsecuritypoliciesdueto
memorycorruption.
96792 FixedanissuewherecommitsfailedduetoamemoryleakrelatedtoHAsyncofthe
candidateconfigurationthatcausedthepassivePanoramapeertostopresponding.
94757 FixedarareissueonfirewallswhereSecuritypolicyrulesincludedemptydynamic
blocklists(0.0.0.0/0)afteraCommitfromPanoramawithForce Template Values
enabled.
93729 FixedanissuewhereSSHdecryptioncausedadataplanememoryleakandrestart.
93072 Asecurityrelatedchangewasmadetoaddressanissueinthepolicyconfiguration
dialog(PANSA20160014).
92763 Fixedanissuewherecommitsfailedduetoavalidationerrorthatoccurredwhen
PanoramapushedAuthenticationSequenceprofilesthatincludedavirtualsystem
thatwasnotmigratedproperlyduringanupgradefromaPanorama6.1releasetoa
Panorama7.0orlaterrelease.
92391 FixedanissuewherefirewallTrafficlogsdisplayedunusuallylargebytecountsfor
sessionspassingthroughproxyservers.
92293 AsecurityrelatedfixwasmadetoaddressCVE20161712(PANSA20160012).
91900 FixedanissuewhereaPanoramavalidateoperationfollowedbyanFQDNrefresh
causedthevalidatedconfigurationchangetocommittothefirewall.
PAN-55122 AsecurityrelatedfixwasmadetoaddressCVE20157547(PANSA20160021).
91886
91876 FixedanissuewherethepassivefirewallinaVMSeriesESXiconfigurationwas
processingandforwardingtraffic.
91799 FixedanissuewereaPA7050firewalldidnotdisplaylogsasexpectedandcaused
aprocess(logrcvr)tostopresponding.
91728 AsecurityrelatedfixwasmadetoaddressaDenialofServiceconditionrelatedto
theAPI(PANSA20160008).
91724 Fixedanissuewhereanautocommitofanincrementalantivirusupdatefailedaftera
reloadduetoacorruptvirussignaturesfileandafailedincrementalinstallation.With
thisfix,incrementalcontentinstallationhasenhancedprotectionstoprevent
autocommitfailures,andwilllogadditionalinformationtoassistwith
troubleshooting.
91653 FixedanissuewhereSSLdecryptiondidnotworkasexpectedforresumedsessions.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 63
PANOS7.0.8AddressedIssues
IssueID Description
91643 FixedarareissuewheretrafficthattriggeredanSSLdecryptURLproxyaction
causedaprocess(all_task)torestart.
91497 FixedanissuewherestalenexthopMACentriespersistedonthesessionoffload
processorafteryoumodifiedasubinterfaceconfiguration,whichcausedSSH
connectionstofail.Withthisfix,themanagementplanecachenolongerduplicates
nexthopMACentries,whichpreventsthestaleentriesthatcausedSSHconnections
tofail.
91336 Fixedanissuewherethepacketprocessorstoppedrespondingwhenproxypackets
wereswitchedtothefastpathgrouponthedataplane.
90982 FixedanissuewhereupgradingfromaPANOS6.1releasetoPANOS7.0.3ora
laterPANOS7.0releasecausedtheGlobalProtectportalorgatewayandSSL
decryptionprocessestostopresponding.ThisissueoccurredbecauseSSL/TLS
ServiceProfiles(introducedinPANOS7.0)werenotcreatedsuccessfullyifyoudid
notenablemultiplevirtualsystem(multivsys)functionalityonthefirewall.Withthis
fix,SSL/TLSServiceprofilesarenowsuccessfullycreatedonnonmultivsys
platformswhenupgradingtoPANOS7.0.8orlaterreleasesortoPANOS7.1
releases.
90857 FixedanissuewithaPanoramapassivepeerinanHAconfigurationwhere
administratorswereunabletoconfiguretheDynamicUpdatesschedulefor
ApplicationsandThreatsupdates.
90856 Fixedanissuewherethedialogforcreatingcertificatesandthedialogforediting
certificateshaddifferentcharacterlimitsforthecertificatename.Withthisfix,the
certificatenamefieldinbothdialogsallowsupto63characters.
90842 FixedanissuewherethefirewallreceivedanunencryptedemptyISAKMPpacketin
quickmodethatcausedaprocess(ikemgr)tostopresponding.
90794 Fixedanissuewherealogfile(/var/log/wtmp)inflatedandconsumedthe
availablediskspace.Withthisfix,PANOSsoftwareusesalogrotationfunctionto
preventlogfilesfromconsumingmorediskspacethannecessary.
90680 FixedanissueonPA500firewallswherecertainprocesses(l3svcandsslvpn)stopped
respondingafterthefirewallattemptedadynamicupdate.
90635 Asecurityrelatedfixwasmadetoaddressacrosssitescriptingconditioninthe
ApplicationCommandCenter(ACC)(PANSA20160009).
90553 FixedanissuewhereDataFilteringandWildFireSubmissionslogsfornonNAT
sessionscontainedincorrectorinvalidNATinformation.
90326 FixedanissueonPA7000Seriesfirewallswherebotnetreportswerenotcreated
consistentlyduetoalogcleanupjobthatranjustpriortowhenthebotnetreports
weregenerated,whichonsomedaysresultedinemptyornobotnetreports.With
thisfix,thebotnetlogcleanupjobtakesplaceafterthedailygenerationofbotnet
reportssothatdailyreportsarecreatedandpopulatedasexpected.
90256 FixedanissuewheredecryptedSSHsessionswerenotmirroredtothedecrypt
mirrorinterfaceasexpected.
90249 FixedanissuewhereupgradingfromaPANOS6.1orearlierreleaseprevented
administratorsfromoverridingLDAPgroupmappingsthatwerepushedfrom
Panorama.
64 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.8AddressedIssues
IssueID Description
90044 FixedanissuewherelogforwardinginPanoramafailedwhenusingsyslogoverTCP.
89979 FixedanissuewheretheAggregateEthernet(AE)interfaceportinvirtualwiremode
withlinkstatepassthroughenabledcameupafteracommit;althoughitspeerAE
interfaceportwasdown.Withthisfix,theotherAEinterfaceportwillcomeupafter
thecommitandisthenbroughtdowninapproximately10seconds.Thiscausesboth
AEinterfacestostaydownuntilthefirstAEinterfacerecovers.
89917 FixedanintermittentissuewhereoneormoreinterfacesonaVMSeriesfirewall
deployedintheAmazonWebServices(AWS)cloudcouldnotobtainIPaddresses
fromaDHCPserverafterbootingup.
89910 FixedanissuewhereallLLDPpacketsweresentwiththesourceMACaddressofthe
MGTinterfaceinsteadofthedataplaneinterfacefromwhichtheyweretransmitted.
Withthisfix,LLDPpacketsareencapsulatedwiththesourceMACaddressofthe
interfacethattransmittedthepacket.
89743 Fixedanissuewherecommitsfailedduetoprocesses(configdandmgmtsrvr)that
stoppedresponding.Thisissuewascausedbymemorycorruptionrelatedtothe
schedulingofWildFiredynamicupdates.
89551 FixedanissuewhereUserActivityReportsdeliveredviatheEmailSchedulerdidnot
includeusernamesthatcontainedGermancharacters.
88646 FixedanissuewherepredictedFTPsessionswerenotestablishedasexpectedfrom
theparentFTPsession.
88346 FixedanissuewhereafirewallwassendingBGPpacketswiththewrongMD5
authenticationvalue.
88327 FixedanissuewhereseveralvalidcountrycodesweremissingintheCertificate
Attributessectionwhengeneratingacertificatefromthewebinterface.
88157 Fixedanissuewithreducedthroughputfortrafficoriginatingonthefirewalland
traversingaVPNtunnel.
87851 Fixedanissuewherehighratesoffragmentedpacketscausedthefirewallto
experienceaspikeinpacketbuffer,descriptor,andCPUusage.
87741 FixedanissueonPA3000Seriesfirewallswherethedataplanerestartedafteran
upgrade.
87179 Fixedanissuewhereavirtualsystem(vsys)inaPanoramatemplatewasassigned
duplicatevsysnumbersduringcommittothefirewall.
PAN-52038 AsecurityrelatedfixwasmadetoaddressCVE20157547(PANSA20160029).
86767
86623 FixedanissuewhereafirewallinanHAactive/passiveconfigurationdroppedFTP
PORTcommandpacketsafterafailover.
86123 FixedanissuewhereanM100applianceinanHApairhadaprocess(configd)
repeatedlyrestart,causingHAsynctofail.
85160 Fixedanissuewhereafirewalllostmembersofadomaingroupafterafailoverfrom
theprimarytothesecondaryLDAPserverwhenthelastmodifiedtimestampforthe
groupwasnotthesameonbothservers.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 65
PANOS7.0.8AddressedIssues
IssueID Description
84115 Fixedanissuewherevirtualsystemadministrators(fullaccessorreadonly)were
unabletoaccesssettingsundertheNetworktab(Panel for undefined not
registeredwasdisplayed,instead).
83239 FixedanissuewhereinboundSSLdecryptiondidnotworkasexpectedwhenyou
enabledSYNcookies.
PAN-48954 SecurityrelatedfixesweremadetoaddressissuesidentifiedintheMarch19,2015
81411 andJune11,2015OpenSSLsecurityadvisories(PANSA20160028).
80953 FixedanissueonfirewallsinanHAactive/activeconfigurationthatincludedvirtual
wireinterfaceswherepacketsdidnotadheretovirtualwireforwardingpathsand
causedMACaddressflappingonneighbor.
77822 FixedanissueonaVMSeriesNSXeditionfirewallthatsentDynamicAddressGroup
informationonlytotheprimaryvirtualsystem(VSYS1)ontheintegratedphysical
firewallatthedatacenterperimeter.Withthisfix,aVMSeriesNSXeditionfirewall
configuredtoNotifyDeviceGroupsendsDynamicAddressGroupupdatestoall
virtualsystemsonaphysicalfirewallrunningPANOS7.0.8oralaterPANOS7.0
release.
66 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.7AddressedIssues
ThefollowingtableliststheissuesthatareaddressedinthePANOS7.0.7release.Foranoverviewofnew
featuresintroducedinPANOS7.0andotherreleaseinformation,includingthelistofknownissues,see
PANOS7.0ReleaseInformation.Beforeyouupgradeordowngradetothisrelease,reviewtheinformation
inUpgradetoPANOS7.0.
BeforeyouupgradetoPANOS7.0.3oralaterPANOS7.0release,reviewtheinformationabouthowtoupgradea
firewalltoPANOS7.0.Additionally,ifvirtualsystem(vsys)configurationisnotenabledonyourfirewallorappliance,
youmustrebootyourfirewallorapplianceafteryouinstallPANOS7.0.1andbeforeyouupgradetoPANOS7.0.3
oralaterrelease.
IssueID Description
94912 FixedanissueinPANOS7.0.6whereWF500appliancesreturnedfalsepositive
resultsprimarilyforMicrosoftWord(.docx)files.
93775 Fixedanissuewherepacketdiagnosticsfailedduetoanunnecessarilylargedebug
logrelatedtoHA3packetforwarding.
93644 FixedanissueonPA3000Seriesfirewallswhereprocessingjumboframesthatwere
largerthan7,000bytesduringaperiodofheavytrafficcausedtheFPGAtostop
responding.Withthisfix,theFPGAthresholdsareadjustedtocorrectlyhandleupto
9KBjumboframes.
93612 Asecurityrelatedfixwasmadetoaddressaprivilegeescalationissue
(PANSA20160015).
93228 FixedanissueonPA7050firewallsinanHAactive/activeconfigurationwhere
jumboframesthatincludedtheDF(donotfragment)bitweredroppedwhencrossing
dedicatedHA3ports.
92413 Asecurityrelatedchangewasmadetoaddressaboundarycheckthatcauseda
servicedisruptionofthecaptiveportal(PANSA20160013).
91771 FixedanissuewhereafirewalldidnotsendTCPpacketsoutduringthetransmit
stageinthesameorderasthosepacketswerereceived.
91443 FixedanissuewhereaPanoramaM100appliancepurgedlogsduetoanincorrect
quotasize.
91079 FixedanissueonaVMSeriesfirewallwhereanungracefulrebootcausedDynamic
IPaddressinformationtogetoutofsync.
91075 FixedanissuewheretheLSVPNtunnelinterfacefailedtopasstrafficafterupgrading
aGlobalProtectLSVPNsatellitetoaPANOS7.0releasewhiletheGlobalProtect
LSVPNgatewaywasstillrunningaPANOS6.1orearlierrelease.Additionally,the
tunnelinterfaceflappedifyouenabledtunnelmonitoring.Theseissuesoccurreddue
tochangestotheencryptionalgorithmnameswhenintroducingSuiteBciphersin
PANOS7.0.Withthisfix,GlobalProtectLSVPNsatellitesrunningPANOS7.0.7(or
PANOS7.1)orlaterreleasessuccessfullyrecognizetheoldnamesusedinPANOS
6.1andearlierreleasessothatLSVPNtunnelsareestablishedandpasstrafficas
expected.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 67
PANOS7.0.7AddressedIssues
IssueID Description
90433 FixedanissuewhereoverridesofthedefaultrulesintheSharedpolicytook
precedenceovertheoverridesofdefaultrulesinadevicegroup.Withthisfix,
overrideprecedencenowbehavesasdesigned(overridesofdefaultrulesinthe
lowestleveldevicegrouptakeprecedenceoverthosesettingsinthehigherlevel
devicegroupsandShared).
90194 FixedanissuewherefirewallswithoutanyWildFirepublicsignatures(hadnever
downloadedanyoroldsignatureshadbeendeleted)didnotproperlyleverage
WildFireprivatecloudsignatureswhenmonitoringtraffic.
90158 FixedanissueonPA7000Seriesfirewallswhereaggregateoutboundtrafficwas
incorrectlylimitedbythechassisswitchfabricswitchingcapacity.
90070 Fixedanissuewhereamemoryleakassociatedwiththeauthenticationprocess
(authd)causedintermittentaccessandauthenticationissues.
90029 FixedanissuewhereaGlobalProtectgatewayrejectedthesamerouteslearnedfrom
differentLSVPNsatelliteswhentheroutesweredestinedforadifferentvirtual
router.
89761 Fixedanissuewhereascheduledlogexportfailedtoexportthelogsifthepassword
intheconfigurationcontainedthedollarsign("$")character.
89588 FixedanissuewherepacketsthathadtoberetransmittedduringSSLdecryption
werenothandledcorrectly,whichresultedinadepletedsoftwarepacketbuffer.
89503 Fixedanissuewhereusergroupmappingswerenotproperlypopulatedintothe
dataplaneafterafirewallreboot.
89413 FixedanissuewherePanoramatemplatecommitsfailedwhenthenamesofseveral
certificatesintheDefaultTrustedCertificateAuthoritieslistchanged.Thisoccurred
whenPanoramawasrunningaPANOS7.0releaseandpushedatemplatetoa
firewallrunningaPANOS6.1orearlierrelease.
89385 FixedanissuewithfirewallsinanHAactive/activeconfigurationwheresession
timeoutsforsometrafficwereunexpectedlyrefreshedafteracommitorHAsync
attempt.
Thisfixintroducedaknownissue:PAN59037(97806).
89296 FixedanissuewhereacommitfailedafterrenamingaPanoramasharedobjectthat
wasalreadyreferencedintherulesonalocalfirewall.
89108 FixedanissuewhereafirewalldidnotadvertiseprefixestosomeBGPpeerswhen
expected.
88689 Fixedanissuewhereamemoryleakassociatedwiththeauthenticationprocess
(authd)causedcommitattemptstofail.
88450 FixedanissuewhereLayer3interfaceswithoutdefinedIPaddresses,zones,or
virtualroutersdroppedLLDPpackets,whichpreventedthefirewallfromobtaining
anddisplayingneighborinformation.
88421 FixedanissuewhereWildFirereportsweregeneratedforfilesalreadyblockedbythe
AntivirusprofileSMTPdecoder.
88325 FixedanissuewhereaPA500firewallrunningaPANOS7.0.1orlaterreleaseand
withDNSProxyenabledfailedtoconnecttoUserIDagentsusingFQDN.
68 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.7AddressedIssues
IssueID Description
88313 Fixedanissuewherereadonlydeviceadministratorswereunabletoviewlogsonthe
ACCtab.
87911 Fixedanissuewherescheduleddynamicupdatestomanagedfirewallsstopped
functioningaftermigratingthePanoramaVMtoanM500appliance.
87880 FixedanissuewheretheXMLAPIrequesttotestSecuritypolicywasnotproperly
targetedtoaspecifiedvirtualsystem(vsys),whichmadetherequestapplicableonly
tothedefaultvsys.Withthisfix,theXMLAPIrequesttotestSecuritypolicyisable
toretrieveresultsforanypreviouslytargetedvsys.
87833 FixedanissuewhereWildFireupdatescausedtheinterfacetoflap.
87729 FixedanissuewherethedataplaneonthepassivefirewallinasyncedHA
configurationrestartedduetoaDecryptionprofilethatdidn'thaveanyassociated
Decryptionpolicyrules,whichresultedinSSLproxysessionsthatweredroppedon
thepassivefirewallwhentheactivefirewallbecamesuspendedduringafailover.
87094 FixedanissuewherecommittingapolicyonPanoramathatcontainedinterfacesthat
weremanuallydefinedgeneratedtheerror: [interface name] is not an allowed
keyword.
86977 FixedanissuewhereLDAPsessionssourcedfromPanorama,afirewall,oranM100
appliancewerekeptopenandnotactivelyrefreshed,whichcausedsessionsto
timeoutwhentheytraversedthepeerfirewall(orthedataplaneonthesamefirewall)
and,ultimately,causedauthenticationattemptstofailwhenrequestscouldnolonger
reachtheLDAPserver.Withthisfix,akeepalivemechanismisaddedthatis
triggeredafter15minutesofsessioninactivityandthatallowsamaximumoffive
failedprobesbeforedroppingaconnection(probesoccurin60secondintervals).
86821 Fixedanissuewheretheserverprocess(devsrvr)stoppedrespondingwhen
attemptingtoaccessaURLwithmultiplenestedchildren,whichcausedthe
dataplanetorestart.
86686 SecurityrelatedfixesweremadetoaddressissuesreportedintheOctober2015
NTP4.2.8p4SecurityVulnerabilityAnnouncement.
86202 Fixedanissuewherethemanagementplanestoppedrespondingifyoumodifiedan
objectreferencedinalargenumberofrules.
86189 FixedanissuewherethefirewalldidnotsendSNMPv3trapsthatusedanIPv6server
address.
86122 FixedanissuewhereanLACPAggregateEthernet(AE)interfaceusingSFPcopper
portsremaineddownafteradataplanerestart.
85344 FixedanissuewherescheduleddynamicupdateinstallationcausedtheHAlinkto
flap.
85265 FixedanissueintheXMLAPIthatpreventedareadonlysuperuserfrom
downloadingcustompacketcaptures.
84997 FixedanissueonPA7000Seriesfirewallswherethefirstautocommitattemptfailed.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 69
PANOS7.0.7AddressedIssues
IssueID Description
84461 FixedaPanoramaissuewherethevirtualmemoryforaprocess(configd)exceededits
allocation,whichcausedcommitandHAsyncattemptstofail.
84146 FixedanissueinPANOS7.0releaseswherethesourceanddestinationfieldwasno
longerincludedasexpectedinerrormessagesthatweretriggeredwhenrequeststo
deleteaddressobjectsfailed.Withthisfix,thesourceanddestinationinformationis
againincludedintheerrormessage.
84027 FixedanissuewhereafirewallallowedsomeHTTPGETpacketstopassthrough
evenwhentheURLFilteringprofilewasconfiguredtoblockpacketsinthisURL
category.
83564 FixedanissuewhereacertificateCommonName(CN)containingUTF8characters
causedcommitrequeststofailbecausethedecodedCNstringexceededthe
64characterlimit.
82918 FixedanissuewherereenteringanLDAPbindpasswordthroughtheCLIusinga
hashvalue(insteadofaregularpassword)wasrejectedforhavingtoomany
characters.
77460 FixedanissueonafirewallwithanexpiredBrightCloudlicensewherethespecified
vendorwasunexpectedlyandautomaticallychangedfromBrightCloudtoPANDB
whenanyfeatureauthcodewaspushedfromPanoramatothefirewall.
76661 Fixedanissuewherevoltagealarmsweretriggeredincorrectly(voltagewaswithin
theappropriaterange).
74443 AsecurityrelatedfixwasmadetoaddressCVE20150235.
73082 Fixedanissuewhereafirewallprocess(all_pktproc)stoppedrespondingduetoan
issuewithNATpoolallocation.
70 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.6AddressedIssues
ThefollowingtableliststheissuesthatareaddressedinthePANOS7.0.6release.Foranoverviewofnew
featuresintroducedinPANOS7.0andotherreleaseinformation,includingthelistofknownissues,see
PANOS7.0ReleaseInformation.Beforeyouupgradeordowngradetothisrelease,reviewtheinformation
inUpgradetoPANOS7.0.
BeforeyouupgradetoPANOS7.0.3oralaterPANOS7.0release,reviewtheinformationabouthowto
upgradeafirewalltoPANOS7.0.Additionally,ifvirtualsystem(vsys)configurationisnotenabledonyour
firewallorappliance,youmustrebootyourfirewallorapplianceafteryouinstallPANOS7.0.1andbeforeyou
upgradetoPANOS7.0.3oralaterrelease.
ForWF500appliances,thePANOS7.0.7maintenancereleaseaddressesanissuethatwasintroducedin
PANOS7.0.6thatcausesfrequentfalsepositiveverdictsforMicrosoftOfficedocuments.Youareadvisedto
upgradeWF500appliancesto7.0.7orlaterreleasesandareadvisednottoinstallthe7.0.6image.
IssueID Description
92671 Fixedanissuewheretrafficthatwasoffloadedtohardwarewasnotforwarded
properly.ThisoccurredonPA3050andPA3060firewallsandprimarilywithSSL
traffic.
90992 FixedanintermittentissuewheretheinitialGlobalProtectclientconnectiontoa
GlobalProtectportalorgatewayfailedwiththeerror: Valid client certificate
is required.ThisoccurredwhenthecertificateprofileusedCRL/OCSPtocheck
certificatevalidityandwasduetoaproblemwiththecertificatenotbeingavailable
inthedataplanecache.Subsequentconnectionsworkedbecausethecertificatewas
addedtothecacheduringtheinitialconnectionattempt.
90904 FixedapacketdropissueonPA7000SeriesfirewallsinHAconfigurationsrunning
aPANOS7.0.3throughPANOS7.0.5release.ThisoccurredduetoaMACaddress
lookupissueoninterfacesinanAggregateEthernet(AE)interfacegroupthatwere
partofaVLAN.
89881 FixedanissuewheretheUserIDagenttruncatedNetBIOSnameswithmorethan
14characters.Asaresult,userswithdomainnameslongerthan14characterswere
notgrantedaccess.
89317 Fixedanissuewhereimproperdatapatternorderingoccurredafteranadministrator
deleteddatapatternsfromanexistingDataFilteringprofile,whichsubsequently
causedanerror(rule is already in use)whenattemptingtoaddanewdata
pattern.Withthisfix,youcanaddordeletedatapatternsinanyorder.
88794 Fixedanissuewhereonetimepassword(OTP)RADIUSauthenticationfailedwhen
thedomainselectionfieldwasusedintheauthenticationprofile.
88696 Fixedanissuewhere,undercertainconditions,aprocess(mpreplay)frequently
restartedduetoexcessiveinternalmessaging.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 71
PANOS7.0.6AddressedIssues
IssueID Description
88570 FixedanissuewhereaNeighborSolicitation(NS)packetusedtorefreshIPv6
neighbortableswassentoutthroughaVLANinterfacewithoutaVLANtag.TheNS
packetwastaggedcorrectlywhentheneighborentrywasinitiallycreatedbutthe
packetusedtorefreshthetablewassentwithoutthetag,whichcausedthetable
updatetofailwhentheneighbordidnotreceiveanappropriatelytaggedresponse.
88168 FixedanissuewhereVMSeriesfirewallsrunningonan8coreplatformchangedthe
passivefirewalltoactivewhenasocketerroroccurred.Thesocketremainedclosed
untilaninterfacerelatedchangewasmade.
88125 FixedanissuewhereTCPsegmentsforDNSqueriesweredroppedwhenthe
segmentsweresmallerthan12bytes.
87482 Asecurityrelatedchangewasmadetomanagementplaneaccountrestrictionsto
avoidservicedisruption.
87285 FixedanissuewhereaUserActivityReportPDFforthelast30daysgeneratedan
errorwhenthereportcontainedmorethan100,000lines.
87257 Fixedanissuethatcausedadataplanerestartwhenthefirewallwasconfiguredasa
DHCPrelayandreceivedDHCPrequestsfromathirdpartyDHCPserverorclient
thatexceededthepayloadlengthspecifiedinRFC2132.
87158 Fixedanissuewheresomepacketswereduplicatedintheegressstage.Thisoccurred
onmultidataplanefirewallswhentrafficflowedfromvirtualsystemtovirtualsystem
orfromvirtualsystemtoasharedgateway.Anupdatehasbeenmadetoprevent
packetduplication.
86980 Fixedanintermittentissuewherecommitsfailedduetoinvalidfilepermission
warningsrelatedtoSSHauthentication.
86970 FixedanissuewheredecryptiononthefirewalldidnotfunctionwhenusingChrome
tobrowsecertainwebsitesbecauseChromeeliminatedinsecurefallbacktoTLS1.0.
86916 FixedanissuewheretrafficburstsenteringaPA3000Seriesfirewallcaused
shorttermpacketlosseventhoughtheoveralldataplaneutilizationremainedlow.
Thisissuewastypicallyobservedwhentwofirewallinterfacesonthesamefirewall
wereconnectedtoeachother.Withthisfix,internalthresholdsweremodifiedto
preventpacketlossintheseconditions.
86671 FixedanissuewherePanoramadidnotrecognizethreatIDsgeneratedbyaWF500
appliance,whichpreventedyoufromconfiguringanexemptionforthesethreatsin
Panoramathatcouldbepushedtomanagedfirewalls.
86633 FixedanissuewherethewebinterfaceindicatedthatanewDHCPrelayconfigured
intheCLIwasenabledeventhoughtherelaywasnot,yet,enabledfromtheCLI.
86321 FixedanissuewhereSSHdecryptioncausedadataplanememoryleakandrestart.
86251 Fixedanissuewhereanadministratorwasunabletoretrievelogpartitionutilization
usingSNMPafteraddingadditionalvirtualdiskspaceonPanorama.
85913 FixedanissuewhereanadministratorwasunabletoaddmorethanoneXAuth
GlobalProtectgatewayonthesameinterface.
72 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.6AddressedIssues
IssueID Description
85110 FixedanissuewherethefirewallsentgratuitousARP(GARP)packetsforaninterface
IPaddressusedinadestinationNATrulefromallinterfacesinthezonewherethat
interfacebelonged.Withthisfix,theGARPpacketsaresentonlyfromtheinterface
thatownstheIPaddress.
84949 FixedanissuewhereM100appliancesinanHAactive/activeconfiguration
forwardedlogsonlytoonesyslogserver,eventhoughtwosyslogserverswere
defined.Thisissueoccurredonlyontheprimarysecondaryapplianceandwasdueto
anHAsyncissue.
84665 FixedanissuewheretheCommiticonincorrectlyindicatedpendingconfiguration
changesafteranApplicationsandThreatsupdate.
84641 FixedanissuewheresomeDNSrequestswereforwardedtothewrongDNSserver
theonepreviouslybutnolongerconfiguredonthefirewall.
84339 Fixedanissuewhereasinglesessionconsumedthemajorityofthepacketbuffer
resources.Withthisfix,youcanuseinformationintheoutputoftheshow running
resource-monitor ingress-backlogscommandtoIdentifySessionsThatUsean
ExcessivePercentageofthePacketBufferandthenusetherequest
session-discardCLIoperationalcommandtomanuallydiscardsessionsasneeded.
Thesecommandsareonlyavailableonfirewallsthatsupporthardwareoffload.
84236 FixedanissuewherespecialcharactersintheSNMPv3Usersfieldcausedencryption
tofailandcausedthefirewalltorestart.
83722 FixedanissuewheredestinationbasedserviceroutesdidnotworkforRADIUS
authenticationservers.
83702 FixedanissueonPA7000SeriesfirewallsrunningPANOS7.0.2andlaterreleases
whereWildFireAnalysisreportsdidnotdisplayintheWildFire Analysis Reporttab
(Monitor > Logs > WildFire Submissions > Detailed Log View).
83361 FixedanissuewheretheDoSclassificationcounterstoppedatanabnormallyhigh
value.ThiscausedfloodtypefalsepositivesintheThreatlogs,causingthefirewallto
appearasifitreachedmaximumsessioncapacity.
83135 FixedanissuewheretheinitialredirectfailedforsomeSSLsites.(TheerrorBad
Record MACappearedaftertheuserclickedcontinuebuttheusercouldthen
refreshthepagetosuccessfullyenterthewebsite.)
83100 FixedanissuewherePanoramaHAsynchronizationfailedwhenattemptingto
upgradetoaPANOS7.0.1throughPANOS7.0.5h2release.
82756 FixedanissuewherecustomreportswerenotsentoutbytheEmailScheduler.
82443 Fixedanissuewhereunwantedcharactersweredisplayedontheloginpageaftera
failedlogin.
80507 FixedanissueinPanoramawhereThreatandContentnamesforcertainthreatsdid
notappearinACCreports,predefinedreports,andspywarereports.Thisissue
occurredonlyonPA7000SeriesfirewallsmanagedbyPanoramaandonlyduringan
Antivirusupdate.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 73
PANOS7.0.6AddressedIssues
IssueID Description
79729 FixedanissuewithfirewallsinanHAconfigurationwhereacommitoperation
abortedforalldaemonsandthentheDHCPdaemonstoppedresponding.This
occurredwhenthe set deviceconfig high-availability group {group-name}
configuration-synchronization enabled option wassetto no.
78090 FixedanissuewheretheUserIDprocessstoppedrespondingonbothpeersinanHA
active/passiveconfiguration.Thisissueoccurredafteranupgradeandwasduetoa
problemwiththeLDAPlibrary.
74333 FixedanissuewhereincrementalupdatesfornewandupdatedregisteredIP
addresseswerefailingwhenregistrationeventswereoccurringthroughtheXML
API.Withthisfix,integratingtheupdatesforregisteredIPaddressesnolongerfails
whenusingtheXMLAPI(oneitherstandalonefirewallsandappliancesorthosein
HAconfigurations).
74 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.5h2AddressedIssues
ThefollowingtableliststheissuesthatareaddressedinthePANOS7.0.5h2release.Foranoverviewof
newfeaturesintroducedinPANOS7.0andotherreleaseinformation,includingthelistofknownissues,see
PANOS7.0ReleaseInformation.Beforeyouupgradeordowngradetothisrelease,reviewtheinformation
inUpgradetoPANOS7.0.
BeforeyouupgradetoPANOS7.0.3oralaterPANOS7.0release,reviewtheinformationabouthowtoupgradea
firewalltoPANOS7.0.Additionally,ifvirtualsystem(vsys)configurationisnotenabledonyourfirewallorappliance,
youmustrebootyourfirewallorapplianceafteryouinstallPANOS7.0.1andbeforeyouupgradetoPANOS7.0.3
oralaterrelease.
IssueID Description
89750 Asecurityrelatedfixwasmadetoaddressastackunderflowcondition.
89706 AsecurityrelatedfixwasmadetopreventsomeCLIcommandsfromimproperly
executingcode.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 75
PANOS7.0.5h2AddressedIssues
76 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.5AddressedIssues
ThefollowingtableliststheissuesthatareaddressedinthePANOS7.0.5release.Foranoverviewofnew
featuresintroducedinPANOS7.0andotherreleaseinformation,includingthelistofknownissues,see
PANOS7.0ReleaseInformation.Beforeyouupgradeordowngradetothisrelease,reviewtheinformation
inUpgradetoPANOS7.0.
BeforeyouupgradetoPANOS7.0.3oralaterPANOS7.0release,reviewtheinformationabouthowtoupgradea
firewalltoPANOS7.0.Additionally,ifvirtualsystem(vsys)configurationisnotenabledonyourfirewallorappliance,
youmustrebootyourfirewallorapplianceafteryouinstallPANOS7.0.1andbeforeyouupgradetoPANOS7.0.3
oralaterrelease.
IssueID Description
89752 Asecurityrelatedfixwasmadetoaddressabufferoverflowcondition.
89717 Asecurityrelatedfixwasmadetoensuretheappropriateresponsetospecialrequests
receivedthroughtheAPIinterface.
88550 FixedanissueonfirewallsrunninginCommonCriteria(CC)modewhereseedingusingan
OpenSSLdeterministicrandombitgenerator(DRBG)causedaprocess(cryptod)tostop
respondingandresultedincommitfailures.
88439 FixedanissueonaPA3000Seriesfirewallwhereadataplaneconstantlyrestarteddueto
ahardwarecontentmatchingmemoryissue.
88382 Fixedanissueinahighavailability(HA)active/activeconfigurationwithunexpectedly
short(20second)timeoutsthatoccurredwhenanHA2sessionsyncmessagefailed.This
issuewasduetoanARPproblembetweendataplanesintheHAconfigurationwhenthe
HA2backupwasinuseandusingeitherIPorUDPtransportmode.Withthisfix,
unexpectedlyshortsessiontimeoutsnolongeroccurduetothisissue.
88191 Asecurityrelatedfixwasmadetoaddressinformationleakageinsystemslogthat
impactedthewebinterface(PANSA20160016).
87565 Fixedanissuewhereafirewalldidnotforwardcorrelationeventstothesyslogserver.
87170 Fixedanissuewhereafirewalldidnotfiltergroupsusingthefiltersappliedinsearch
parameters;instead,thefirewallignoredfiltersanddisplayedallgroupsinsearchresults.
86947 Fixedarareissuewhereanactivefirewallinahighavailability(HA)configuration
incorrectlysyncedtotheconfigurationfromthepassivefirewallwhenasecondcommit
wasperformedontheactivefirewallbeforeapreviouscommitwascompleted.
86723 Fixedanissuewhereadataplanerestartedwhenclienttoservertrafficexceeded4GB
andincludedHTTPGETorPOSTrequeststhathadthesourceIPaddressintheOrigin
header.
86664 FixedanissuewithIKEv2thatcausedachildsecurityassociation(SA)toinstallincorrectly
onafirewallwhenthetunnelwasconnectedtothirdpartyequipmentusingPFS.
86390 Fixedanissuewhereavirtualsystem(vsys)createdinaPanoramatemplatedidnotdisplay
whereexpectedwhenthefirsttwocharactersofthevsysnamewas"sg"(suchas"sg01").
Withthisfix,Panoramanolongerallowsyoutocreateavsyswithanamethatbeginswith
"sg"inaPanoramatemplate.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 77
PANOS7.0.5AddressedIssues
IssueID Description
86319 Fixedanissuewhereaprocess(routed)onthefirewallstoppedrespondingandresultedin
highCPUusagewhenapplyingaBGPautonomoussystem(AS)pathfilter.
86193 Fixedanissueinahighavailability(HA)configurationwhereLDAPgroupmappingsdidnot
properlyrefreshafterafirewallbecametheactivepeeragainaftergoingthroughthe
passivestate.Thiswasduetoavariablethatwasnotinitializedproperlyandwasthenused
inanerrorcase.Withthisfix,LDAPvariablesareproperlyinitializedtoavoidthisLDAP
groupmappingissue.
86136 FixedanissuewheretheGlobalProtectgatewaysentanaccessrequestpacketwith
malformeddatainsidetheFramedIPAddressfieldtotheRADIUSserver.
86126 Fixedanissuewhereauserwithacustomrolebasedadministrativeaccountcouldn't
previewruleslistedasCombinedrules.
86091 Fixedanissuewhereacommittoconfigureatunnelinterfacethatusedastringinsteadof
anintegercausedaprocess(routed)onthefirewalltostopresponding.
86075 FixedanissueonaPA3060firewallwherethesizeoftheSMLVMEmlInfosoftwarepool
waslessthanexpected.Withthisfix,thesizeoftheSMLVMEmlInfosoftwarepoolis
increasedtotheexpectedvalue.
85888 FixedanissuewherePanoramaignoredthesessiontimeoutvalueandautomatically
refreshedadministratorswhowerestillloggedintothePanoramaapplianceevenwhen
thosesessionswereinactiveforaperiodlongerthantheconfiguredtimeout.
85879 Fixedanissuewhereafirewallinahighavailability(HA)configurationgeneratedafalse
positiveevent(Running configuration not synchronized after retries)75
secondsaftereachHAsync.Withthisfix,thiserrorisreturnedonlyforcommitsthattake
longerthan45minutestocomplete.
85878 InresponsetoanissuewhereDNSqueriessometimescausedaLogCollectortoruntoo
slowlyandcauseddelaysinlogprocessing,the debug management-server
report-namelookup disable CLIcommandisaddedtodisableDNSlookupsfor
reportingpurposes.
85863 Fixedanissuewheremulticasttrafficsentoveravirtualwire(vwire)withMulticast
Firewallingdisabled(Network > Virtual Wires > <vwire>)causedhighCPUandpacket
bufferdepletion.
85821 Fixedanissuewhereadataplanestoppedrespondingduetomemorycorruption.
85754 FixedanissuewhereaVMSeriesdiskwascorruptedandwentintomaintenancemode
afterprocessingmutatedtrafficfromthirdpartysignaturedetectionsoftware.
85675 Fixedanintermittentissuewhereaprocess(mprelay)restartedand,aftermultiplerestarts,
causedthefirewalltorestart.Thisissuewasassociatedwiththeprocessingofaddand
deleteeventsforIPv4ARPandIPv6neighborupdates.Withthisfix,IPv4ARPandIPv6
neighborupdatesnolongercausethemprelayprocessorfirewalltorestart.
78 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.5AddressedIssues
IssueID Description
85484 FixedanintermittentissuewheretheGlobalProtectportalusedthecookieinsteadofthe
authenticationinformationprovidedbytheGlobalProtectclient,whichcaused
authenticationtofail.Withthisfix,ifaclientconnectsusingacookie,theGlobalProtect
portalignoresthecookieinfavoroftheauthenticationinformationprovidedbythe
GlobalProtectclientsothatauthenticationissuccessful.
85245 Fixedanissuewhereavirtualsystem(vsys)configurationremainedinthefirewall
configurationevenafterthevsyswasdeleted.Thiscausedcommitstofailwhen
attemptingtoaddanewvsysusingthesameIDasthevsysthatwasnotsuccessfully
deleted.
85193 Fixedanissueinahighavailability(HA)configurationwheremultipleoverlappingqueries
resultedinaraceconditionthatcausedHAsyncjobstofail.
84963 FixedanissueinPanoramatemplateswhereadministratorscouldmarkacertificateas
ForwardTrustorForwardUntrustbutforwardingdidnottakeplaceasexpectedwhenthe
templatewasconfiguredtoapplyonlytoonevirtualsystem(singlevsysmode).Withthis
fix,markingacertificateasForwardTrustorForwardUntrustworksasexpectedeven
whenthetemplateisinsinglevsysmode.
84908 FixedanissuewheretheloggedsessionendreasonfordecryptedSSLsessionsalways
displayedas aged out regardlesswhetherthatwastheactualTCPsessionendreason.
Withthisfix,thesessionendreasonnowdisplayscorrectlyfordecryptedSSLsessions.
84729 FixedanissueonMSeriesappliancesandwithPA7000SeriesLogProcessingcards
whereoutputofthe show system logdb-quota CLIcommanddidn'tmatchthevalues
inLoggingandReportingSettingsinthewebinterface(Device > Setup > Management >
Logging and Reporting Settings > Log (Card) Storage)duetoadiscrepancyinspace
calculation.Withthisfix,thevaluesinthewebinterfaceaccuratelyreflectavailable
storagespaceandmatchtheoutputfromthe show system logdb-quota CLIcommand.
84538 FixedanissuewhereadataplanerestartedunexpectedlyonafirewallwithSSLdecryption
enabled.ThisoccurredduringtheSSLhandshakewhenthefirewallreceivedaHello
packetfromtheserverthathadahigherSSLprotocolversionthantheHellopacket
receivedfromtheclient.
84496 FixedanissueonPA7000Seriesfirewallswhereexcessiveorprolongedlogqueries
causedamemoryleakontheLogProcessingCard(LPC).
84239 FixedanissuewhereareadonlySuperuserwasabletoperformacommitwhenusing
XMLAPI(butnotviathewebinterface).Withthisfix,readonlySuperuserscannotuse
XMLAPItoperformcommits.
83764 Fixedanissuewhereusingwebinterfacecertificateauthenticationcausedloginfailures.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 79
PANOS7.0.5AddressedIssues
IssueID Description
83731 FixedanissueinavirtualwireconfigurationwhereafirewallincorrectlymodifiedtheMAC
addressfortrafficwhendecryptionwasenabled.Withthisfix,thefirewallnolonger
modifiestheMACaddressoftraffic.
83454 FixedanissuewithIPv6trafficthathadanextensionheaderandcausedjitterwhen
passingthroughaPA7000Seriesfirewallinahighavailability(HA)active/active
configuration.
83362 FixedanissuewhereacommitfailedwhenasubinterfacethatwaspushedfromPanorama
lostitsreferencetoitsassociatedVLANafterthesubinterfaceconfigurationonthe
firewallwasoverriddenandthenrevertedinthetemplate.Withthisfix,afteraninterface
isreverted,subinterfacesdonotlosetheirmappingtoVLANs.
83337 Fixedanissuewherefirewallsgeneratedmultiplecoredumpsafterarebootwhen
incomingpacketswereforwardedtothedataplanewhileanautocommitwasstill
processing.Withthisfix,packetsarenotforwardedtothedataplaneuntilaninprocess
autocommitiscomplete.
83145 FixedanissueonaPA7000Seriesfirewallwhereaninterfaceintapmodeunexpectedly
transmittedtrafficthatwasreceivedonthatinterface.
82916 FixedanissuewherethetrustedCAstoreonthefirewallwasmissingtheQuoVadisroot
CA2androotCA3G3certificates.Withthisfix,boththeseQuoVadiscertificatesare
includedinthetrustedCAlist.
82873 FixedanissuewithmissingfieldsandinconsistenciesintheSyslogformatforCorrelated
Eventsthatwereexportedtoasyslogserver.
82862 Fixedanissuewherethedeviceserverprocess(devsrvr)restartedunexpectedlywhen
Panoramapushedatemplatethatcontainedacertificatewithacorruptpublickey.
82667 FixedanissuewherethePANOSintegratedUserIDagentfailedtoconnecttoa
monitoredserverwhentheUserIDagentwasconfiguredtousetheFQDNinsteadofthe
IPaddressfortheserver.
82358 Fixedanissuewhere,whenusingLDAPauthentication,aGlobalProtectclientincorrectly
showeda Password expired messageevenwhenthepasswordhadnotexpired.
81812 Fixedanissuewhereafirewalldidnotaccuratelycheckcertificaterevocationstatusvia
OCSPbecausetheOCSPrequestdidnotincludetheHOSTheaderoption.Withthisfix,
thefirewallusestheHOSTheaderoptionasexpectedandsuccessfullyretrievesthe
revocationstatusofthecertificateinresponsetoOCSPrequests.
81743 FixedanissuewhereURLcategorizationfailedforsomeURLsduetoanissuewith
messagebuffersize.
81425 FixedanissuewhereIPSecrenegotiationwasnotinitiatedasexpectedafteraPPPoE
interfacereceivedanewIPaddress.
81062 Fixedanissuewheretheemailactionforscheduledreportstimedoutduetoreportsthat
tooktoolongtogenerate.Withthisfix,theemailtimeoutisincreasedandreport
generationisenhancedtoavoidthisissue.
80 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.5AddressedIssues
IssueID Description
80415 FixedanissuewhereafirewallwasnotpresentingtheCaptivePortalresponsepageto
users.ThisoccurredwhentheURLcategorywasmarked not-resolved,suchaswhen
cloudserverswereunavailable.
79596 FixedanintermittentissueonPA5000Seriesfirewallswherethedataplanestopped
responding.Withthisfix,thereareadditionalsanitychecksandloggingtoavoidthisissue.
73177 FixedanissuewhereredistributedNotSoStubbyArea(NSSA)type7routesconverted
toNSSAtype5routeswerenotflushedfromtheOSPFdatabasequicklyenoughafterthe
redistributingNSSArouterwentdown.Withthisfix,theOSPFisflushedwithinthe
expectedperiodoftimesothatroutesthatgodownarenotadvertisedasstillavailable.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 81
PANOS7.0.5AddressedIssues
82 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.4AddressedIssues
ThefollowingtableliststheissuesthatareaddressedinthePANOS7.0.4release.Foranoverviewofnew
featuresintroducedinPANOS7.0andotherreleaseinformation,includingthelistofknownissues,see
PANOS7.0ReleaseInformation.Beforeyouupgradeordowngradetothisrelease,reviewtheinformation
inUpgradetoPANOS7.0.
BeforeyouupgradetoPANOS7.0.3oralaterPANOS7.0release,reviewtheinformationabouthowtoupgradea
firewalltoPANOS7.0.Additionally,ifvirtualsystem(vsys)configurationisnotenabledonyourfirewallorappliance,
youmustrebootyourfirewallorapplianceafteryouinstallPANOS7.0.1andbeforeyouupgradetoPANOS7.0.3
oralaterrelease.
IssueID Description
88869 FixedaperformancedegradationissueonaVMSeriesfirewallwith8coreswhenthreat
scanningwasenabledwhenattemptingtoprocesslargetransactionspecificSSLtraffic
types.Additionally,thisfixaddressedanintermittentissuewheretheGlobalProtectMSI
filefailedtodownloadafterauserauthenticatedtotheportalpage.
87422 Fixedanissuewheremulticasttrafficwasdroppedwhenthesourcestartedsendinggroup
trafficbecausetherewasnot,yet,acorrespondingmulticastrouteorFIBentryonthe
firewall.Withthisfix,themulticastrouteisupdatedmorequicklyandpacketsare
enqueuedinsteadofdroppedwhilethefirewallwaitsfortheupdatedrouteinformation.
87410 FixedanissuewhereanAPIcalltoadd,delete,ormodifyaURLentryfailedwhentheURL
includedasingle(')ordouble(")quotecharacterasanXMLattribute.Withthisfixto
complywithXMLXpath1.0,APIinstructionsarecompletedsuccessfullyevenwhen
actingonaURLthatincludesasingleordoublequoteusedasanXMLattribute.
87385 FixedanissuewhereallthewidgetsontheACCtabofamanagedfirewall(andwhen
exportedinaPDFfile)display Report Error whenyouaccessthefirewallthrougha
contextswitchfromPanorama(whethervirtualorMSeriesappliance).
87280 FixedanissuewherethenumberofSSLfreememorychunkswasdepletedto0,which
causedadisruptioninSSLdecryptionrelatedtraffic.
87231 FixedanissuewhereaPA7000Seriesfirewalldidnotloadbalanceegresstrafficon
AggregateEthernet(AE)interfacesasexpected.
87078 Fixedanissuewherethemanagementserverstoppedrespondingwheretherewasahigh
loggingrate,whichcausedtheLogCollectortodisconnectfromPanorama.
86938 TheclientcertificateusedbyPANOSandPanoramatoauthenticatetothePANDB
cloudservice,theWildFirecloudservice,andtoWF500appliancesexpiredonJanuary
21,2016.Theexpirationresultsinanoutageoftheseservices.Toavoidanoutage,either
upgradetocontentreleaseversion550(oralaterversion)orupgradePANOSand
PanoramainstancesrunningaPANOSorPanorama7.0releasetoPANOS(orPanorama)
7.0.4oralaterrelease.
86895 FixedanissueonMSeriesandWF500applianceswheretheEthernet1/2interface
unexpectedlybroadcastedDHCPdiscoverpacketswiththeinternalBMCIPMILANMAC
addressasthesourceMACaddresswhentheinternalBMCIPMILANwasconfiguredto
useDHCPasthesourceaddress.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 83
PANOS7.0.4AddressedIssues
IssueID Description
86803 FixedanintermittentissuewheretheidletimerforGlobalProtectIPSectunnelseitherdid
notexpireappropriately(suchaswhenthetunnelwastorndown)orexpiredatthe
configuredidletimeexpirationevenwhenauserwasactivelyusingtheconnection.With
thisfix,theGlobalProtectIPSectunnelidletimerbehavesasexpected.
86467 FixedanissueinPANOS7.0.3wherefirewallsdidnotcheckforsuperuseraccountsthat
werepushedthroughaPanoramatemplate,whichcausedanupgradeprocesserrorwhen
allsuperuseraccountswerepushedthroughaPanoramatemplate(firewallsmusthaveat
leastonesuperuseraccountintheconfiguration).Withthisfix,firewallscorrectly
recognizesuperuseraccountsthatarepushedthroughaPanoramatemplate.
85801 FixedanissuewhereafirewallthatwasforwardinglogstomultiplePanorama
managementserversandLogCollectorsstoppedforwardinglogstoanyapplianceafteran
administratorsuspendedlogforwardingontheactiveprimaryPanoramaserver.Withthis
fix,thefirewallcontinuestoforwardlogstoallPanoramamanagementserversandLog
Collectorsexceptanyapplianceforwhichanadministratorspecificallysuspendslog
forwarding.
85721 FixedanissuewherefirewallswithaspecificOCZDenevaharddisk(model
DENCSTE251M21)configuredinaRAIDandrunningPANOS7.0.1orlaterreleases
experiencedRAIDerrors.
85514 Fixedanissuewhereacommitrequestfailedduetoprocesses(configdandmongod)with
highmemoryusage.
85364 FixedanissuewhereHTTPandHTTPOnlineCertificateStatusProtocol(OCSP)
managementserviceswereenabledonlyforthefirstIPaddressonaninterfacewith
multipleIPaddresses.Withthisfix,whenHTTPandHTTPOCSPmanagementservices
areenabledonaninterface,servicesareenabledforallIPaddressesassociatedwiththat
interface.
85166 FixedanissueonaPA7000Seriesfirewallwherethefirstpacketinasessionwas
droppedwhenitarrivedbeforethefirewallfreedupaprevioussessionthatusedthesame
5tuple.Withthisfix,thefirewalltreatstheprevioussessionasaninactiveflowand
successfullycreatesthenewsession.
85091 Fixedanissueonafirewallwheresoftwarepacketbufferswerebeingdepleted.Withthis
fix,thefirewallwilldynamicallyadjusttheTCPreceivewindowbasedonpeertrafficto
avoidsoftwarepacketbufferdepletion.Additionally,thereisafixforamemoryleakin
errorhandlingofSSLForwardProxymodeandthesizeofthesoftwarebufferpoolsis
increased.
84 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.4AddressedIssues
IssueID Description
84851 Fixedanissuewherethevirtualsystem(vsys)IDonthefirewallwascomputedincorrectly
whenPanoramapushedatemplatewithForce template valueenabledandcontaining
virtualsysteminformationtothefirewall.
84811 FixedanissueonaVMSeriesfirewall(KVMonCentos7/Redhat)whereaprocess
(vmuuid)displayedasemptyafterboot.Withthisfix,thevmuuidprocessisdisplayed
correctly.
84678 FixedanissuewiththewaythemanagementplaneperformedupdatesthroughHTTPand
HTTPScalls,suchasforblocklistandcontentupdates.
84595 FixedanissuewithHTTPrequestsgeneratedbythefirewallwhenretrievingcustom
DynamicBlockLists.
84494 FixedanissuewherethesessionendreasonforasinglethreatIDwasreporteddifferently
dependingonwhichdecoderwasused.Withthisfix,onlyonesessionendreason(threat)
isreportedforallblockedSMTPtrafficregardlesswhichdecoderisused.
84465 FixedanissuewheretheexternalinterfaceonanLSVPNsatellitewasunabletoestablish
anLSVPNconnectiontotheactiveprimaryfirewallinanHAactive/activeconfiguration
thatwasactingastheGlobalProtectportalorgatewaywhentheexternalinterfaceofthe
satellitewasconfiguredasaDHCPclient.(ThisfailureoccurredeventhoughanLSVPN
connectionwassuccessfullyestablishedwiththeactivesecondaryfirewall.)Withthisfix,
theLSVPNsatellite(withtheexternalinterfaceconfiguredasaDHCPclient)successfully
establishesanLSVPNconnectiontobothfirewalls(activeprimaryandactivesecondary)
afterareboot.
84454 Fixedanissuewhereattemptstoloadapartialconfigurationforadevicegroupfroman
XMLfileresultedinanerrormessage.Withthisfix,youcansuccessfullyloadapartial
configurationforadevicegroupandmergeitwithanexistingdevicegroup.
84433 Fixedanissuewhereawebpagewouldnotloadsuccessfullywithoutrefreshingthe
browsermultipletimeswhenOpenCertificateStatusProtocol(OCSP)validationwas
enabled.Thisoccurredwhenablockpagemessagewaspresentedwithinonesecondof
theattempttoloadanHTTPSsitewhiledecryptionwasenabledonthefirewallwiththe
OCSPvalidationtimeoutsetto60seconds.
84167 FixedanissuewhereafirewallincorrectlyreorderedcertainTCPtrafficduringtransmit
stage.
84008 FixedanissuewhereanLSVPNIPSectunnelwentdownwhenthehardkeylifetime
expiredduringarekey.Withthisfix,thesoftkeylifetimeisadjustedsothatthehardkey
lifetimedoesnotexpirebeforetherekeyfinishes.
83907 Fixedanissuewhereadministratorscouldnotdisablecountersinsystemlogsusingthe
debug dataplane packet-diag set log counter <counter-name> CLIcommand
whenthosecountershadnameslongerthan31characters.
83902 FixedanissuewheremonitoringanSNMPOID(.1.3.6.1.2.1.25.2.3.1.5.41)fordiskspace
resultedinincorrectvaluesonvolumesover2TBinsize.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 85
PANOS7.0.4AddressedIssues
IssueID Description
83898 FixedanissueonPanoramaMSeriesandvirtualapplianceswhereexportingareportas
acommaseparatedvalue(CSV)file(Monitor > Reports)failedandresultedinaweb
interfaceerror(Error enqueuing export job).
83889 FixedanissuewhereaPA7000SeriesfirewallincorrectlydroppednonTCPand
nonUDPfragmentedtraffic,suchasEtherIPtraffic.
83844 FixedanissuewhereamemoryleakcausedaPA200firewalltoreboot.
83657 FixedanissuewherePanoramadidnotproperlypushdeviceortemplateconfigurations
forNTP,sendhostnameinsyslog,orWildFiresettingstoadevice.
83592 FixedanissuewheretheUserIDprocess(useridd)wentintoarebootloopandcausedthe
passivefirewallinahighavailability(HA)configurationtorestart.Thiswasduetobulkand
incrementalupdatesofterminalservicesusers.
83253 FixedanissuewherevideocallsfailedwhenH.245(openlogicalchannelack)packets
referencedapreNATaddress.
82913 FixedanissuewhereToSheaderswerenotsetcorrectlyinEncapsulatingSecurityPayload
(ESP)packetsacrossVPNtunnels.
82865 FixedanissuewithaPA5000Seriesfirewallwheresessionsownedbydataplane1(DP1)
orDP2didnotdisplayintheoutputwhenexecutingthe show session commandon
DP0.
82710 Fixedanissuewhereunexpecteddataplanerestartsoccurredduetooutofmemoryerrors
andhighresourceusageonpacketdescriptorswhenSSLForwardProxywasenabled.This
fixalsoaddressesadataplaneprocessmemoryleak.
82621 FixedanintermittentissueonaPA7000Seriesfirewallwheretrafficwasdroppedwhen
theloginterfaceanddataplaneinterfaceswerebothconfiguredonthesameNetwork
ProcessingCard(NPC).
82424 FixedanissueonaPA5000Seriesfirewallwherepacketsweredroppedorthedataplane
stoppedrespondingwhenreceivingspecificingressoregresstrafficassociatedwith
offloadedsessions.Withthisfix,afieldprogrammablegatearray(FPGA)changewas
madetoaddresstheseissues.
82138 FixedanissuewhereWildFirereportswerenotdisplayedonthewebinterfacewhen
proxysettingswereconfiguredforthemanagementinterface.
82095 Fixedanissuewhereacommitrequestdidnotfinishprocessingduetoaprocess(routed)
thatstoppedresponding.
81996 FixedanissuewhereaHIPProfiledidnotsyncbetweentheactiveandpassivefirewalls
inahighavailability(HA)configuration,whichcausedtheHIPProfiletonolongerbein
effectafterafailover.Withthisfix,theHIPProfileiscorrectlysyncedbetweentheactive
andpassivefirewallsandremainsineffectafterafailover.
86 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.4AddressedIssues
IssueID Description
81949 FixedanissuewhereDynamicAddressGroupspushedfromPanoramatoafirewallwere
notdisplayedintheoutputofCLI show commands.
81830 FixedanissuewhereSSLForwardProxydidnotincludetheappropriateTLS1.2extension
(SignatureAlgorithms)inClientHellomessages,whichpreventedsuccessful
interoperabilitywithsomeMicrosoftwebsites.
81333 Fixedanissuewheremanagedfirewallsandapplianceswereunabletoconnectto
Panoramausingthemasterkeyafterafactoryreset(orRMA).
81241 FixedarareissuewhereNATtrafficwasdroppedafterafailedcommitattempt.
80631 Fixedanissueinahighavailability(HA)configurationwheretheportsonthepassive
firewalldidnotcomeupwhenthepassivelinkstatewassettoauto(Device > High
Availability > General >ActivePassiveSettings).
79917 FixedanissueonaPA3000Seriesfirewallwherethedataplanestoppedresponding
whenreceivingspecificingressoregresstrafficassociatedwithoffloadedsessions.With
thisfix,afieldprogrammablegatearray(FPGA)changewasmadetoaddressthisissue.
78624 FixedanissuewheretheactivesecondaryfirewallinanHAactive/activeconfiguration
wasincorrectlyrespondingtoARPrequestsfortheIPaddressusedinthedestinationNAT
rulewithbindingtotheactiveprimaryfirewall.
78482 FixedanissuewhereVMInformationSourcesbypassedproxysettings.
78317 FixedanissuewherethemanagementplaneinanHAactive/passiveconfiguration
restartedduetoadataplaneprocess(mprelay)thatstoppedrespondingwhenit
experiencedmemorycorruptionandencounteredunexpectedbehaviorfromtheFIB
pointer.
77236 Fixedanissuewhereimportingacertificatemorethanoncewithdifferentnamescaused
thedataplanetostoprespondingwhenthecertificatewasusedforSSLInbound
inspection.
76269 FixedanissuewhereanactiveprimaryM100applianceinanHAconfigurationwas
unabletoestablishaconnectionwiththepassivesecondaryoractivesecondaryHApeer
forlogcollection.
76197 FixedanissuewherefirewallTrafficlogsdisplayedunusuallylargebytecountsfor
http-proxy and httpy-video countersduetofrequentapplicationshiftsbetween
thoseapplicationtypepacketswithinasingleproxysession.
76103 FixedanissuewhereaddingathreatexceptiontoaVulnerabilityProtectionprofile
(Objects > Security Profiles > Vulnerability Protection >profile> Exceptions)resultedin
anerror(Schema node for Xpath was not found).
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 87
PANOS7.0.4AddressedIssues
IssueID Description
70719 InresponsetoanissuewhereadataplanerestartedduetoanincorrectflowID,PANOS
6.1.4andlaterreleasesincludedadditionalcheckstohelppreventthedataplanefrom
restartingduetothisissue.InPANOS7.0.3,thosePANOS6.1.4modificationswere
furthermodifiedtoprovideamorecompletesolutionthatavoidsinadvertentlydropping
IPv4trafficaffectedbythisissue;inPANOS7.0.4,thesolutionincludesanadditionalfix
toavoidinadvertentlydroppingIPv6trafficrelatedtothisissue.
66285 FixedanissuewherethewebinterfacecertificatedidnotproperlysyncbetweenHA
peers,whichledtoaraceconditionthatcausedacommitrequesttofail.
88 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.3AddressedIssues
ThefollowingtableliststheissuesthatareaddressedinthePANOS7.0.3release.Foranoverviewofnew
featuresintroducedinPANOS7.0andotherreleaseinformation,includingthelistofknownissues,see
PANOS7.0ReleaseInformation.Beforeyouupgradeordowngradetothisrelease,reviewtheinformation
inUpgradetoPANOS7.0.
BeforeyouupgradetoPANOS7.0.3oralaterPANOS7.0release,reviewtheinformationabouthowtoupgradea
firewalltoPANOS7.0.Additionally,ifvirtualsystem(vsys)configurationisnotenabledonyourfirewallorappliance,
youmustrebootyourfirewallorapplianceafteryouinstallPANOS7.0.1andbeforeyouupgradetoPANOS7.0.3
oralaterrelease.
IssueID Description
85065 FixedaCLIinputparsingissuethatcausedaprocessonthemanagementplanetostop
respondingwhenprocessingunexpectedinput.
84711 FixedanintermittentissuewheresomepacketsincorrectlymatchedSecuritypolicyrules,
whichresultedinAppIDpolicylookuperrorsanddiscardingofpackets.
84599 FixedanissueinPANOS7.0releaseswhereaprocess(dhcpd)didnotcorrectlyhandle
DHCPpaddingOption0whenreceivingDHCPrequestfromtheDHCPclient.This
preventedthefirewallthatwasactingastheDHCPserverfromallocatingandcommitting
theofferedIPaddresstotheDHCPclient,whichcausedthefirewalltobestuckinoffered
state.Withthisfix,theDHCPprocesscorrectlyhandlesDHCPpaddingOption0and
successfullycommitsIPaddressesofferedtoDHCPclients.
84246 FixedanissuewhereaPA7050firewallrunningPANOS7.0assignedthesameMAC
addresstoallinterfacesontwodifferentPA7050chassiswhenthechassisbaseMAC
addressesdifferedonlyinthe10thbit.WiththisfixinPANOS7.0.3,twosuchdifferent
PA7050chassisareassigneddifferentinterfaceMACaddressesasexpected.
84046 FixedanissuewhereSSLdecryptionfailedwhenacertificatewasrejectedduetoamissing
oremptybasicConstraintsextension.Withthisfix,anexceptionisaddedtoallowa
missingoremptybasicConstraintsextensionforselfsignednonCAcertificates,and
thefollowingbehaviorswillbeappliedtoCAswithregardtobasicConstraints
extensions:
IftheCAhasanextensionbasicConstraints=CA:TRUE,thenallowtheCA.
IftheCAhasanextensionbasicConstraints=CA:FALSE,thenblocktheCA,but
allowdevicetrustedCAs,includingdefaultCAsandimportedCAs.
IftheCAhasdoesnothaveabasicConstraintsextension,thenblocktheCA,but
allowdevicetrustedCAs,includingdefaultCAsandimportedCAs,andallowselfsigned
CAs.
84012 Fixedanissuewhereaprocess(ikemgr)stoppedrespondingduetoamissingIKEprofile.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 89
PANOS7.0.3AddressedIssues
IssueID Description
83867 Fixedarareissuewhereoneoftheinternaldatabaseswascorruptedafteranimproper
shutdown(poweroff)ofthefirewall.Whenthishappened,thefirewallwasunableto
automaticallyrestartandwouldnotstartupproperlythereafter.
83819 FixedanissueonanM100appliancerunningPanorama7.0whereacustomreportfailed
torunwhensettingtheDatabase(Monitor > Manage Custom Reports)toSummary
Databases > Remote Device Data > ThreatandselectingSeverityfromthelistofAvailable
ColumnswhenanyremotefirewallusedforcustomreportingwasrunningaPANOS6.1
orearlierrelease.
83637 FixedanissuewherepacketprocessingonaVMSeriesfirewallcausedthefirewalltostop
forwardingtraffic.
83574 Fixedarareissuewhere,insomescenariossuchaswhenafirewallisrestartedandIPSec
securityassociations(SAs)arenotestablishedwhenaremoteVPNpeerisunreachable
thetunnelinterfaceconfiguredwithIPSectunnelmonitoringispresentintheroutingtable
andstatusis Up.
83519 AsecurityrelatedfixwasmadetoaddressCVE20155600.
83293 FixedanissueinPanoramawhereSNMPv3settingswereremovedandcouldnotbe
updatedwhenmodifyinganexistingSNMPv3devicetemplate.
83288 FixedanissuewhereautocommitfailedwhentheGlobalProtectgatewayorCaptivePortal
certificatewaspushedthroughPanoramaafterupgradingafirewallfromaPANOS6.1
releasetoPANOS7.0.2.
83256 FixedanissuewherethefirewalldidnotblockunsupportedellipticcurveDiffieHellman
(ECDH)exchangeciphersuitesduringSSLforwardproxyevenwhenBlock sessions with
unsupported cipher suiteswasenabled(Objects > Decryption Profile > <decryptprofile>
> SSL Decryption > SSL Forward Proxy).
83149 Fixedanissuewhereamissingnode(user)intheunlockcommandprevented
administratorsfromusingthePanoramawebinterfacetounlockalockedLDAPuser.
83142 FixedanissuewheretriggeringaDHCPreleasedidnotcleartheoriginalsettingsfora
DHCPclientthatwasin renew state.
83113 Fixedanissuewhereattemptstoregeneratemetadatacausedaprocess
(update_vld_itvl_idx)tostoprespondingwhenencounteringacorruptlogfile(alogfilethat
containedinvaliddata).Withthisfix,themetadataregenerationprocessskipslogfilesthat
containinvaliddatasothatregenerationtaskissuccessfullycompleted.
83102 AddedfunctionalitytoallowcommitstosucceedevenwhenthereisnoNetwork
ProcessingCard(NPC)installed,yet,orwhentheNPCisnotsupportedorrecognizedinthe
currentPANOSrelease.Withthisfix,youcaninstallPA7000Seriescardsthatarenot
supportedinthePANOSversionshippedwithorrunningonthefirewallandthenupgrade
totheappropriatePANOSversion.
83041 Fixedanissuewhereadjustmentstothewidthofcolumnsinthewebinterfacearenot
saved,causingcolumnstoreverttoprevioussettingswhenyouviewadifferenttab.With
thisfix,changestothewidthofcolumnsinthewebinterfaceareretaineduntilchanged
again.
83004 FixedanissuewhereaZoneProtectionprofilewithstrictIPcheckingenabledresultedin
incorrectlydroppedpackets.Thesedropswerecausedbyanimpropercheckofwhether
thesourceIPaddresswasabroadcastaddress.
90 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.3AddressedIssues
IssueID Description
83001 FixedanissueonanM100appliancewhereavailabledisksizewasreportedas0bytes
duringanupgrade.ThisincorrectlycausedoldlogstobepurgedfromtheotherLog
Collectorsinthegroupinanattempttoadheretotheconfiguredlogquotaforthegroup.
Additionally,Panorama6.1.8andPanorama7.0.3(andlaterreleases)onanM100
appliancewithzerodiskspacedisplaysanerrorwhenattemptingtocommittoCollector
Group(Failed to commit collector config)orawarningwhenattemptingtocommit
toPanorama(Disk <disk-ID> on log collector <log-collector-id> in group
<group-ID> has a size of zero bytes).
82887 Fixedanissuewhereauthenticationattemptsagainstalocalauthenticationprofilewithin
anauthenticationsequencefailedwhenthelocalprofilewasnotthefirstprofileinthe
sequence.
82853 FixedanissuewhererolebasedadministratorswerenotallowedtoperformAPIcalls.
82849 FixedanissueonaPanoramavirtualapplianceusingaNetworkFileSystem(NFS)storage
partitionwherethefilesystemintegritycheckincorrectlyfailedfortheNFSdirectory,
whichcausedtheNFSmounttofailwhenrebootingPanoramaafteranupgradeto
Panorama7.0.
82838 FixedanissuewheretheUserIDprocess(useridd)stoppedrespondingwhenreading
configmessagesfromtheTerminalServices(TS)agent.
82778 Fixedanissuewherefailedauthenticationattemptswerenotclearedwhenthe
authenticationattemptwaseventuallysuccessful.Withthisfix,thefailedauthentication
attemptcounterforagivenuserisresetasexpectedaftereverysuccessfullogin.
82534 FixedanissuewhereafirewallincorrectlyinjectedSSLmessagesintotrafficonport443.
82533 FixedanissuewheretheOCSPresponderfailedtocheckthevalidityofclientcertificates
andshowedstatusas unknown whenunabletolocatethecustomrootCAusedinthe
certificateprofilefortheGlobalProtectportalconfiguration.
82377 Fixedanissuewhere,inaLargeScaleVPN(LSVPN)configuration,aGlobalProtectgateway
incorrectlyinstalledthepreviouslyallocatedIPaddressfortheGlobalProtectsatelliteas
thenexthopfortheroutesadvertisedbysatellites.Withthisfix,theGlobalProtectgateway
removesanyoldIPaddressesallocatedtothesatelliteandcorrectlyinstallsthenewIP
addressallocatedtothesatelliteasthenexthopfortheroutesadvertisedbysatellites.
82338 Fixedanissuewhereonetimepassword(OTP)RADIUSauthenticationfailedwhen
configuredinthesameauthenticationsequenceasthedomainselection.Thisissuewas
causedbythefirewallincorrectlytruncatingtheRADIUSchallengestate.AlsofixedOTP
RADIUSauthenticationissueswherethebackslash(\)characterwasincorrectlyremoved
fromtheusernameentryandwhereanincorrectpasswordresultedinlongdelaysbefore
returningapassworderrormessage.
82326 FixedanissuewhereadditionallockedusersarenotdisplayedwhenyouclickMoreinthe
webinterface(Devices > Authentication-Sequence > Locked Users).
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 91
PANOS7.0.3AddressedIssues
IssueID Description
82136 Fixedanissuewherepacketsthatmatchedapolicybasedforwarding(PBF)rulewith
ActionsettoNo PBF(Policies > Policy Based Forwarding > pbfrule> Forwarding)were
droppedwhenoffloadingwasenabled.Withthisfix,offloadedsessionsarepassedas
expectedevenwhenthetrafficmatchesaPBFrulewithForwardingsettoNo PBF.
82109 FixedanissueonaPA7000SeriesfirewallwherepassiveFTPSwithinbounddecryption
failedafterenteringpassivemode.Thisoccurredwhenpredictsessionsdidnotmergeas
expectedduetothepredictqueue.Withthisfix,proxyingressexecutesbeforethepredict
queuesothatalldatasessionsmergeasexpectedandFTPtransferissuccessfuloverTLS.
82099 Fixedanissuewheretheremotehost(From)IPaddressforthePanoramasessiondisplayed
inreverseorderdisplayedtheadministratorIPaddressintheLoggedinAdminswidget
ontheDashboard.
81944 FixedanissuewherepatchmanagementforaGlobalProtecthostinformationprofile(HIP)
checkfailedtoidentifymissingpatcheswhentheChecksettingforpatchmanagementin
HIPObjectscriteriawassettohas-all,has-any,orhas-none(Objects > GlobalProtect >
HIP Objects > Patch Management > Criteria).
81927 FixedanissuewhereafirewallstoppedsubmittingfilestoaWildFirecloud(publicor
private)whenaCPUprocess(varrcvr)stoppedresponding.Thisissueoccurredwhen
receivinganemailwithasubjectlinecontainingmorethan252characters.
81868 Fixedanissuewithapacketbuffer(FPTCP)leakandresolvedafew
dataplanetomanagementplaneconnectionissues,aswell.
81581 Fixedanissuewhereaprocess(useridd)wasunabletoaccommodatealargenumberofHIP
reportsduringHAsynchronization,whichcausedabnormallyhighCPUandmemory
utilizationonthefirewall.
81522 Fixedanissuewhereafirewallallowedcommitstosucceedevenwhentherewereno
superuseradministratoraccountsincludedintheconfiguration.Thiswouldcausethe
firewalltobeinaccessible(exceptwhenthefirewallwasmanagedbyPanorama,which
couldstillprovideaccesstothefirewallthroughPanoramacontextswitching).Withthisfix,
acommitsucceedsonlyifthereisatleastonelocalsuperuseraccountintheconfiguration;
ifnoneexist,thecommitfails.
81415 FixedanissueonPA7000Series,PA5000Series,PA3000Series,andPA500firewalls
whereanAggregateEthernet(AE)interfacewasunabletotransmitanARPrequestona
taggedsubinterfacetotheneighboringdevice.
81408 Fixedanissuewheresharedaddressobjectsthatarenotusedinsecuritypolicyruleswere
pushedtofirewallsevenwhenPanoramaSettings(Panorama > Setup > Management)was
configuredtonotShare Unused Address and Service Objects with Devices.
81370 Fixedanissuewherethefirewallwasunabletoallocatealargememoryblock,which
causedsessionstofail.Thisfixensuresadequateresourcesareavailableforalargememory
blockwhenneeded.
92 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.3AddressedIssues
IssueID Description
81367 AsecurityrelatedfixwasmadetoaddressCVE20154024.
81301 Fixedanissueonafirewallwithdecryptionenabledwhereinsufficientbufferspace
resultedindiscardedSSLsessions.
81170 FixedanissuewheretheSNMPmanagerreturnedawarning(subtype-illegal)relatedto
panVsysEntryOBJECTTYPE(panVsysName)whenaddingthePANCOMMONMIB.my
MIBfile.Withthisfix,addingthecurrentversionofMIBfilestotheSNMPmanagerdoes
nottriggera subtype-illegal warning.
81058 FixedanissueonPA7000SeriesfirewallswhereNATDynamicIPfallbackdidnotcorrectly
translateresources,whichresultedindroppedpackets.
80932 FixedanissuewherepasswordsfornonadministratorsenteredintheGlobalProtectlogin
windowweretruncatedto40characterswhenusingRADIUSauthentication.
80831 FixedanissuewhereSSLdecryptionfailedforsomesiteswhenthesizeofthecertificate
waslargerthan1.5KB.
80766 Fixedanissuewheredataplane0(DP0)onthepassivefirewallinahighavailability(HA)
configurationrestartedafterasessionwasestablishedontheactivefirewallinterfacewhen
thatsameinterfacedidnotalsoexistonthepassivefirewall.
80753 FixedanissueonaPA3060firewallwhereanetworkoutageoccurredwhenthenumber
ofactivesessionsreached100,000.Withthisfix,themaximumnumberofdetectorthreats
(dthreats)isincreasedtoavoidthisissue.
80702 Fixedanissueinahighavailability(HA)configurationwheretheARPtablesyncedwiththe
primarypeerbutwasrefreshedonlyondataplane0(DP0)ofthepassivepeer,which
causedARPentriestoexpireprematurelyonthepassivefirewallwhentheirTTLreached0.
80648 Fixedanissuewhereadevicegroupcommitfailedwhenusingthedestinationinterfacein
aNATruleconfiguredonPanorama.
80533 FixedanissuewhereadministratorscouldviewaddressesandusernamesintheApplication
CommandCenter(ACC)viewevenwhentheShow Full IP AddressesorShow User
Names In Logs And ReportsoptionwasdisabledfortheAdminRoleprofileassociatedwith
thoseadministrators(Device > Admin Roles ><AdminRoleProfile>> Web UI >Privacy
settings).
80397 FixedanissuewhereyoucouldcreateanewMonitorprofilewhencreatingapolicybased
forwarding(PBF)ruleonPanoramaevenwhenthetargettemplatewasunknown(thePBF
ruleispartofadevicegroupandtheMonitorprofileispartofatemplateconfiguration).
Withthisfix,youcannolongercreateanewMonitorprofilewhencreatingaPBFruleon
Panorama.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 93
PANOS7.0.3AddressedIssues
IssueID Description
80389 FixedanissueonaPA5060firewallwhereinternalpacketpathmonitoringfailedwhen
underaheavyload.Withthisfix,internalpacketpathmonitoringisforwardedusinga
prioritysettingthatpreventsthesefailuresevenwhenexperiencinghightrafficconditions.
80086 Fixedanissuewereafirewalldisplayedanincorrectlocationforthesourceordestination
ontheTrafficMap.
79841 Fixedanissuewhere,incertaincircumstances,therewerediscrepanciesbetweena
scheduledreportandthatsamereportgeneratedusingtherun nowoption(Monitor >
Manage Custom Reports > <CustomReport>).
79746 FixedanissueonaPA2000SeriesfirewallwhereanAggregateEthernet(AE)interfacewas
unabletotransmitanARPrequestonataggedsubinterfacetotheneighboringdevice.
78848 Fixedarareissuewhereacommit(suchasanantivirusupdateorFQDNrefresh)caused
thefirewalltostopprocessingtraffic.Thisissueoccurredafterahighavailability(HA)
synchronizationeventwhentheautocommittriggeredbythesynchronizationeventwas
ignored.Withthisfix,aforcecommitrequestisautomaticallyandrepeatedlygenerated
untilsuccessful.
78426 FixedanissuewhereaCPUprocess(pan_dhcpd)spikedwhenDHCPNAKpacketswere
receivedontheDHCPrelayinterface.
78210 Fixedanissueinahighavailability(HA)active/passiveconfigurationwherethemulticast
treefailedtoconvergenonoffloadedmulticasttrafficasquicklyasexpectedaftera
failover.Withthisfix,themulticasttreeconvergencetimeisreducedfornonoffloaded
multicasttrafficafteranHAactive/passivefailover.
77299 FixedanissuewhereWildFireanalysisreportsdidnotdisplayCoverageStatusforthe
samplewhenusingaFirefoxbrowserevenwhenasignaturewasgeneratedtoidentifythe
sample(Monitor > Logs > WildFire Submissions > Detailed Log View > WildFire Analysis
Report).Withthisfix,youcanviewthecorrectCoverageStatusforasamplewhenusinga
Firefoxbrowser.
76811 FixedanissuewherepacketlosscouldoccurwithasymmetrictrafficwhentwoPA4060
firewallsweresetupaspeersinahighavailability(HA)active/activeconfiguration.This
issueoccurredwithVLANtaggedtrafficwhenjumboframesprocessingwasdisabledand
largenonjumboframespassedovertheHA3linkandbecamejumboframes.
94 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.3AddressedIssues
IssueID Description
76481 FixedanintermittentissuewhereaCategoryforasessionintheURLFilteringlogdidnot
matchtheactualcategorizationofthatsession.Withthisfix,thelogicforremovingexpired
orunresolvedURLcacheentriesisimprovedsothataCategoryintheURLFilteringlog
staysinsyncwiththeactualcategorizationofasession.
72115 WhenthewebinterfacewassettodisplayinanylanguageotherthanEnglish,service
routestospecifyhowthefirewallcommunicateswithotherserversordevicescouldnotbe
configured(Device > Setup > Services > Service Route Configuration).Thisissuehasbeen
fixedsothatserviceroutescanbeconfiguredandworkcorrectlywhenthewebinterface
issettoanylanguagepreference.
70719 InresponsetoanissuewhereadataplanerestartedduetoanincorrectflowID,PANOS
6.1.4andlaterreleasesincludedadditionalcheckstohelppreventthedataplanefrom
restartingduetothisissue.WiththisfixinPANOS7.0.3,thosePANOS6.1.4
modificationsarefurthermodifiedtoprovideamorecompletesolutionthatavoids
inadvertentlydroppingIPv4trafficaffectedbythisissue.
67254 FixedanissuewhereanXMLAPIcallforsystemRAIDfailedwithanattributeerrorfor
raid_handler object.
66607 FixedanissueonaPA200firewallwhereadministratorscouldconfigureafirewalldirectly
orusePanoramatopushexternalblocklists(EBLs)withatotalnumberofEBLlistsorIP
addressesthatexceededlimitationsanddidnotreceiveanerrormessage.(Lowend
platformssupportamaximumof10listsand50,000IPaddresses;highendplatforms
supportamaximumof30listsand150,000IPaddresses;thereisnoperlistmaximumfor
anyplatform.)Withthisfix,anerrormessageisdisplayedasexpectedwhenconfiguringa
PA200firewalldirectlyorthroughapushfromPanorama(orPANOSreleasedowngrade)
wherethenumberofEBLlistsorIPaddressesexceedsthelimitationsofthatfirewallorof
thecurrentPANOSrelease.
34340 Fixedanissuewherealargenumberofinformationallogsforthekeymanagerprocess
(keymgr)wereincludedinreportswhenlogsettingforkeymgrlogswassetto normal.With
thisfix,informationallogsforkeymgrareincludedonlywhenyouconfigureloggingfor
keymgrmessagestothedebugsettingusingthe debug keymgr on debug CLIcommand.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 95
PANOS7.0.3AddressedIssues
96 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.2AddressedIssues
ThefollowingtableliststheissuesthatareaddressedinthePANOS7.0.2release.Foranoverviewofnew
featuresintroducedinPANOS7.0andotherreleaseinformation,includingthelistofknownissues,see
PANOS7.0ReleaseInformation.Beforeyouupgradeordowngradetothisrelease,reviewtheinformation
inUpgradetoPANOS7.0.
IssueID Description
82724 FixedanissuewhereoldregisteredIPaddressesinaDynamicAddressGrouponahigh
availability(HA)active/passivepairweredeletedfromthepassivefirewallwhenthat
firewallswitchedfromnonfunctionaltopassivestateandreceivedanincrementalupdate
ofregisteredIPaddressesfromtheactivefirewall.Thisfixalsoaddressedarelatedissuein
anHAactive/activeconfigurationwheretheactivesecondaryfirewallretainedoldIP
addressesintheDynamicAddressGroupafterswitchingtoafunctionalstatewhenthe
activesecondaryfirewallswitchedtononfunctionalstateandallIPaddressesinthe
DynamicAddressGroupbecameunregisteredontheactiveprimaryfirewall.
82717 Fixedanissuewhereadataplanestoppedrespondingafterarebootduetoaninitialization
issueonSFP+ports.
82675 FixedanissueonanM100appliancewhere,afteranupgradetoPANOS7.0.1,an
authenticationprocess(authd)stoppedrespondingwhentheLDAPbindingpassword
containedspecialcharacters.
82370 Fixedanintermittentissuewhereadataplaneprocess(mprelay)experiencedamemoryleak
thatcausedthevirtualmemorytoincreaseuntilittriggeredadataplanerestart.
82310 Inresponsetoafragmentationissue,viruspatternsaresplitintosmallerchunkstoreduce
thepossibilityofmemoryallocationfailure.
82087 Fixedanissuewhereafirewalldisplayedanalertforlowdiskspace.Withthisfix,the
/opt/contentdirectorywasremovedtoimprovethediskcleanupprocess.
82009 FixedanissuewhereadocumentfiletriggeredanattempttopinganIPaddress.
81981 FixedanissuewheretheLLDPSystemNamefielddisplayedthefirewallmodelnumberand
couldnotbemodifiedtodifferentiatefromothersimilarfirewalls.Withthisfix,thefirewall
populatestheLLDPSystemNamefieldusingtheconfigurablehostnamevalue.
81970 FixedanissuewheresomeActiveDirectory(AD)serverswereincorrectlydisplayinga
Password expires in x daysmessageevenafterselectingPassword never expireson
theADserver.Withthisfix,theADserverignoresthemaximumpasswordage
(maxPwdAge)valuewhenthePassword never expiresoptionisselected.
81955 FixedanissueonafirewallwherefileswerenotsenttoWildFireasexpectedwhenthefirst
8bytesofthefileweresplitacrossdifferentpacketsordecryptedbuffers.
81941 FixedanissuewhereadataplanerestartedwhenencounteringresumedSSLsessionsusing
inboundSSLdecryption.
81819 FixedanissuewheretheSystemlogreportedthatafirewallinahighavailability(HA)
active/activeconfigurationReceived conflicting ARP forthefloatingIPaddressofits
HApeer.Withthisfix,duplicateIPaddressdetectioncontinuestologconflictsfor
nonfloatingIPaddresses,aswellasduplicateaddressesdetectedforafloatingIPaddress
receivedfromanyotherdevicethatisnotamemberoftheHApair.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 97
PANOS7.0.2AddressedIssues
IssueID Description
81816 RemovedsupportforSSLv3onPanoramaforconnectionstomanageddevices.
81797 FixedanissuewhereASCIIandspecialcharacterswerenotsupportedintheuseractivity
reportusernamefield.
81783 Fixedanissuewhereafirewallpickedthewrongdecryptioncipherwhenconfiguredwith
multipleIPSecCryptoprofilesforIKEv2negotiation.
81676 Fixedanissuewhereafirewallallowedadministratorstoconfiguresubinterfacewithusing
invalidnotation(suchasethernet1/1.1.1).
81577 FixedanissuewherecustomURLcategoriesassociatedwithaDecryptionpolicydidnot
matchtrafficdestinedforaproxyserver.
81572 FixedanissueonaPA7000SeriesfirewallthatdisplayedincorrecttimestampsinTraffic,
Threat,andURLFilteringlogs.
81535 Fixedanissuewherethegrouplistwasemptyafterpushingthegroupmapping
configurationfromPanoramatoamultivsysfirewallduringanattempttoconfigureusers
inaSecuritypolicyruleeventhoughthegroupmappingstatewassynchronized.
81510 FixedanissuewhereDeviceGroupandTemplateadministratorswereabletocreateand
modifySharedobjects.Withthisfix,DeviceGroupandTemplateadministratorsare
allowedtocreateandmodifyonlyobjectsspecifictothedevicegroupsandtemplatesto
whichtheyhaveaccessnotSharedobjects.
81500 FixedanissuewhereaVMSeriesfirewallinaVMwareNSXconfigurationrunningonan
ESXiserverrestartedwhenaprocess(all_task)stoppedresponding.
81485 FixedanissueonPA200andVMSeriesfirewallswherelocalobjectswerenotresolvedin
theTrafficlogafterselectingtheResolve hostnameoption(bottomoftheMonitor > Logs
> Traffictab).
81452 FixedanissuewhereswitchingcontextfromthePanoramawebinterfacetoamanaged
firewalldidnotindicatewhethertheadministratorwasloggedinoveranencryptedSSL
connection;theSystemlogmessagewasalwaysUser admin logged in via Panorama
from x.x.x.x using httpregardlesswhethertheconnectionwasencrypted.Withthis
fix,theSystemlognowspecificallyreportsUser admin logged in via Panorama from
x.x.x.x using http over an SSL connectionwhentheadministratorisconnected
throughanencryptedSSLconnectiontodifferentiatefromnonencryptedconnections.
81373 FixedanissuewhereWildFireAnalysisreportsforsamplesanalyzedinaWildFirecloud
(publicorprivate)werenotdisplayedintheWildFireSubmissionslog(Monitor > WildFire
Submissions)whenthefirewallwasconfiguredtocommunicatewiththeWildFirecloud
throughaproxyserver.
81312 FixedanissuewherefirewallDeviceadministratorswereunabletorunandviewoutputon
afirewallforthe show panorama-status CLIcommand.Withthisfix,Device
administrator,Deviceadministrator(readonly),Superuser,andSuperuser(readonly)
users(Device>Administrators><administrator>)canrunandviewoutputforthe show
panorama-status commandfromthefirewall.
81271 FixedanissuewherethesecondattempttoaccesssomewebsitesoverHTTPSfailedwhen
SSLForwardProxywasenabled.
98 PANOS7.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS7.0.2AddressedIssues
IssueID Description
81219 FixedanissuewithstabilitywhenaddingLogCollectorstoaCollectorGroup.
81115 Fixedanissuewhereadministratorsexperiencedlongdelayswhenexecutinglogqueries
consistingofmultipleattributes.
81110 FixedasessionreuseissuewhereanincomingSYN/ACKpacketforanestablishedsession
causedafailureinTCPreassembly,whichresultedinadroppedpacketeventheReject
NonSYNTCPoptionwasdisabled(Network > Network Profiles > Zone Protection >
<ZoneProtectionprofile> > Packet Based Attack Protection > TCP Drop).Withthisfix,
initiatingsessionreusewithaSYN/ACKpacketissuccessfulregardlessoftheReject
NonSYNTCPsetting.
80993 FixedanissueinPANOS7.0(aswellasinPanorama5.1andlaterreleases)whereXMLAPI
POSTrequestsfailedwhenincludingaQUERY_STRINGbutnocontentlengthheader.
Withthisfix(inbothPANOSandPanorama7.0.2releases),POSTrequestswitha
QUERY_STRINGandamissingcontentlengthheaderaresuccessful.
80933 FixedarareissuewhereaPA7000Seriesfirewallexperiencedheartbeatfailuresonthe
HA1andHA1backuplinksthatcausedsplitbraininahighavailability(HA)configuration.
80924 FixedanissuewhereaGlobalProtectLargeScaleVPN(LSVPN)satelliteconfiguration
causedthesatellitefirewalltoProxyARPforthedefinedaccessroutesubnetsonalllogical
andphysicalinterfaces.
80896 Fixedanissuewheresomeactionsthatutilizethe/opt/pancfg/partition,suchasdynamic
updatesandcommits,werefailingwhenthatpartitionranoutofspaceduetoalarge
numberofHIPreportsreceivedfromUserIDXMLAPI.Withthisfix,HIPreportsareno
longersavedinthe/opt/pancfg/partitionofthefirewall.
80840 FixedanissuewheretheURLfilterdidnotcorrectlyparsethecommonname(CN)value
whenaMACaddresswasspecifiedastheCNvalueintheservercertificate.
80767 InresponsetoaveryrareissuewheretheconfiguredNATpoolormethodwasnotutilized
asexpected,anenhancementwasmadetoTechSupportfilegenerationthatincludes
additionaldatatohelptroubleshoottheissue.
80720 Fixedanissuewhereafirewallexperiencedadataplanerestartwhenthepacketprocessing
daemonterminatedduetoadoublefreeconditionassociatedwithaspecificpacketbuffer
(fptcp).
80687 FixedanissueonPA7000Series,PA5000Series,andPA3000Seriesfirewallswhere
softwarepacketbuffersweredepleted(althougheventuallyrecovered)whenreceiving
TCPpacketswithlargepayloads.Withthisfix,modificationstoprocessesforallocating
softwarebuffersandhandlingTCPcongestionensurethatsoftwarepacketbuffersdonot
getdepletedduetopacketswithlargepayloads.
80669 FixedanissueonfirewallsinCCEALmodewherethemanagementserverwouldrestart
whenthefirewallattemptedtosendanSNMPv3trap.
PaloAltoNetworks,Inc. PANOS7.0ReleaseNotes 99
PANOS7.0.2AddressedIssues
IssueID Description
80624 Fixedanissuewhereadministratorsexperienceddelaysaccessingthefirewallweb
interfacewhenthefirewallreconnectedtoPanoramaandhadalargenumberoflogsto
send.
80592 Fixedanissuewherefirewallsinahighavailability(HA)active/passiveconfigurationdidnot
synctheDynamicAddressGroupwhenoneofthefirewallsstoppedfunctioningandthen
changedtoafunctionalstate.
80567 InresponsetoanissuewhereraceconditionsaffectingBlockIPtableoperations
inadvertentlycausedsomepacketstobemarkedas drop ip block withoutanyentryin
theBlockIPtable.
80532 FixedanissuewherefileswerenotbeingforwardedasexpectedtotheWildFirecloud
(publicorprivate)duetoaterminatedprocess(varrcvr).Thisissueoccurredwhenthe
SubjectfieldinforwardedemailscontainednonASCIIcharacters.
80404 FixedanissuewherePA2000Seriesfirewallsexperiencedconnectivityissueswhen
autonegotiatingduplexandspeedsettingsonthemanagementinterfaceconnectiontoa
thirdpartydevice.Withthisfix,anewdriverisaddedtoensurethatthemanagement
interfaceremainsaccessibleandtoprovideamorereliabletransitionwhenspeedsare
changed(suchasfrom1,000Mbpsoverfullduplex1000/Fullto100/Full)whenthereis
littleornotrafficflowingthroughthefirewall.Usethefollowingbestpractice
recommendationstoensuresuccessfultransitions:
Whenpossible,setboththePA2000Seriesfirewallandthethirdpartydeviceto
autonegotiatemode,whereeachsideselectsthehighestpossiblecommonmaximum
speedandduplexsetting.
Ifyoumustmanuallyconfigurethespeedandduplexsettingforeitherthefirewall
(Device > Setup > Management > Management Interface Settings)orthethirdparty
device,youshouldmanuallyconfigurethesamespeedandduplexsettingsonbothsides
sothattheyareinsync.Ifyoudonotmanuallyconfigurethesettingstobethesameat
bothendsoftheconnection,trafficflowwillbeimpactedbecausethePA2000Series
firewallcannotdeterminethecorrectduplexmodeandwilldefaulttohalfduplexmode,
whichcancauseaduplexmismatch.
Ifyoumanuallyconfigurebothsidesoftheconnection:
Donotsettheportonthethirdpartydeviceto1000Mbpsmastermode,asthis
willcompletelystoptrafficandtheportswillnotrecover(bothportstrytocontrol
thelinkandneitherissuccessful).
Donotattempttochangethespeedorduplexsettingwhiletrafficisflowing
throughtheconnection:pausetraffic,configurethetwopeerportsappropriately,
makesuretheportsaresettothesamespeedandduplexvalues,andthenresume
trafficflow.
80386 Fixedanissuewhereaconfigurationoverridefailedwhenpushingsystemlogsettingsto
firewallsfromPanoramaresultinginthefollowingerror: edit failed, may need to
override template object informational first.
80318 FixedanintermittentissueonaPA7000Seriesfirewallwheresomepacketsweredropped
duringtheinitialsessionsetupprocess.Thisissueoccurredwhentwopacketsinthesame
sessionweresentalmostsimultaneously,causingthesecondofthetwopacketstoget
dropped.
IssueID Description
80251 Fixedanissueonafirewallwhereadataplanerestartedwithmultiplecorefiles(all_pktproc,
flow_ctrl,andflow_mgmt)afterthefirewallreceivedpercentencodedHTTPrequestsfrom
aproxyserverwhenboththeparsingofXForwardedFor(XFF)attributesandstrippingof
XFFfromHTTPHeaderswereenabled(configuredwiththe set system setting ctd
CLIcommand).Withthisfix,youcanenablebothXFFactionswithoutcausingthe
dataplanetorestartwhenthefirewallreceivespercentencodedHTTPrequestfroma
proxyserver.
80063 FixedanissueonanM100appliancewheretheconfigurationdaemon(configd)stopped
respondingwhenprocessinganullvalue.
79960 Fixedanissuewherethefirewallsentanextracarriagereturnlinefeed(CRLF)inHTTP/1.1
POSTpacketswhenrequestinganupdatefromtheBrightCloudURLdatabase.Thisissue
occurredwhenusingaproxyserver,whichcorrectlyrejectsthepacketsandreturns
HTTP/1.1400BadRequestmessagesduetotheextraCRLF(perRFC7230).
79929 Fixedanissuewhereaprocess(mprelay)stoppedrespondinganddidnotreceivearefresh
oftheconfigurationwhenitrestarted.
79925 Fixedanissuewherevirtualwire(vwire)pathmonitoringfailedandthefirewallstopped
sendingICMPpacketsoverthevwireinterfaceafterahighavailability(HA)failover.
79719 Fixedarareissuewhereadataplanerestartedwhenmultipleprocesses(flow_ctrland
mprelay)stoppedrespondingduetoasoftwarebufferleak.
79709 FixedanintermittentissuewhereZIPprocessingmaycausethedataplanetorestart.
79535 Fixedanissueinahighavailability(HA)configurationwherethemonitoreddestinationIP
addressforPathMonitoringdisplayedas up evenwhenunavailable,preventingthe
firewallfromdisplayingas tentative asexpected.Withthisfix,themonitoreddestination
IPaddresscorrectlyshowsas down whenunavailable,whichresultsinthefirewallcorrectly
changingstatusto tentative.
79504 FixedanissuewhereapassiveM100applianceinahighavailability(HA)configurationlost
itsdevicegroupandtemplateconfiguration.
79470 FixedanissuewherePanoramadidnotdisplayWildFireAnalysisreportscorrectlyinthe
WildFireSubmissionslogforWF500appliancesrunningPANOS6.1orearlierreleases.
YoucanfetchthesereportsusingasecurechannelonlyforWF500appliances
runningPANOS7.0.2orlaterreleases;asecurechannelisnotusedwhenfetching
reportsfromaWF500appliancerunningPANOS7.0.1orearlierreleases.
79382 FixedanissuewhereIPaddressregistrationthroughtheXMLAPIfailedtopopulatethe
DynamicAddressGroupfollowingan AddrObjRefresh jobfailureduringatemplate
commitfromPanoramawhentheForce Template Valuesoptionwaschecked,resultingin
an Error: Failed to parse security policy.
79347 Fixedanissuewhereafirewallstoppedrespondingandtriggeredadataplanerestartwhen
receivingincompleteandinsufficientparametersinAPIcalls.Withthisfix,checksarein
placetopreventthedataplanerestartwhenreceivingAPIrequestswithinvalidor
insufficientparameters.
IssueID Description
79046 FixedanissueonanMSeriesappliancerunninginLogCollectormodewherelog
forwardingtoanexternalsyslogserverstoppedworkingafteraPanoramacommitwhen
forwardinglogsthroughTCPport514(default)insteadofUDPport514(Device > Server
Profiles > Syslog).Withthisfix,younolongerneedtoperformaCollectorGroupcommit
toresumelogforwardingafteraPanoramacommitwhenthesyslogserverisconfiguredto
useTCP.
78891 FixedanissuewheretheuseofregionbasedobjectsintheSecuritypolicycaused
consistentlyhighdataplaneCPUutilization.
78803 FixedanissueinPanoramawheretemplatesettingsthatwereglobaltoeveryvirtual
system(vsys)onafirewall(forexample,Systemlogsettings)wereunabletoreference
configurationelements(forexample,anEmailserverprofile)whenthatelementwasadded
toaspecificvsysinsteadoftotheSharedlocation.Withthisfix,Panoramacanpush
templateanddevicegroupsettingseventhosethatarenotorcan'tbepushedtoaspecific
vsysregardlesswhetherthosesettingsrefertoSharedelementsorelementsthatare
specifictoavsys.
78571 FixedanintermittentissuewhereafirewallreceivedaVirtualSystemslicensethatallowed
forahighernumberofvirtualsystemsthanthemaximumamountsupportedforthe
platform.Withthisfix,thelicensedvirtualsystemsactivatedonafirewallcannotbehigher
thanthemaximumamountofvirtualsystemssupportedonthefirewall.
78568 FixedanissuewherePA3000,PA5000,andPA7000Seriesfirewallsexperienceda
memoryleakassociatedwithimproperpurgingofold,replacedentriesintheARP/NDtable
whenthetablereachedcapacity.
78511 FixedanissuewheretheDHCPrelayagentincorrectlysetthegatewayIPaddress(giaddr)
valuetozero(insteadoftheIPaddressoftheingressinterfaceasdefinedinRFC1542)
whenrespondingtoDHCPrequests.
78064 Fixedanintermittentissuewhereauthenticationfailedinatwophaseauthentication
processwhentheloginresponsecontainedcustomerdata.
77816 FixedanintermittentissuewheresomeWindows7GlobalProtectclientsusingtwofactor
authentication(LDAPandcertificate)lostconnectiontotheportalorgatewayandcould
notreconnectduetoafailedauthenticationwiththeerror Required client
certificate is not found evenwhenthecertificatewasavailable.
77775 Fixedanissuewhereavalidationerroroccurredwhenattemptingtomoveanobjectfrom
itscurrentdevicegrouptoadestinationdevicegroupthatwaslowerinthehierarchyeven
whenthepolicyrulesorobjectsthatreferencetheobjectbeingmovedwereinthesame
destinationorinadevicegroupthatshouldinherittheobject.
IssueID Description
76875 Fixedanissuewherethedataplanerebootedwhenaprocess(brdagent)wasterminatedby
thefirewallinresponsetoanoutofmemorycondition.Withthefix,dataplanerebootsare
nolongertriggeredbytheseoutofmemoryeventsbecausethefirewallnolonger
considersthebrdagentprocessforterminationwhenattemptingtoaddressan
outofmemoryevent.
76781 FixedanissuewhereafirewallincorrectlycalculatedpacketlengthandTCPsequencedue
toaonebytezerowindowprobepacketwhenthatpacketwassentfromonevsysto
another.
76631 FixedanissueonPA7000SeriesfirewallswheretheLogProcessingCard(LPC)failedto
resolvetheFQDNofthesyslogserver.Withthisfix,thefirewallwillreinitiatetheDNS
lookuprequestuntilthelookupsucceeds.
76561 FixedanissuewheretheDHCPrelayagentdroppedDHCPDISCOVERpacketsthatthe
agentcouldnotprocessduetomultipleBOOTPflags.Withthisfix,theDHCPrelayagent
recognizesthefirstBOOTPflaginaDHCPDISCOVERpacketandignoresanyadditional
BOOTPflagsthatmayexist(perRFC1542)sothatmultipleBOOTPflagsdonotcause
DHCPDISCOVERpacketstobedropped.
76238 AsecurityrelatedfixwasmadetoaddressCVE20151873.
75803 AddressedanissueregardinghowoftenpasswordAPIkeysareregenerated.
75344 Fixedanissuewhereamemoryprocessrestartedandcausedaninvalidmemoryreference;
theinvalidmemoryreferenceresultedinamanagementplanerestart.
74423 FixedanissuewhereafirewallrunningPANOS7.0.1wasincorrectlyusingtheURL
UpdatesserviceroutewhenfetchingaDynamicBlockListinsteadofusingtheservice
routeattachedtothePaloAltoUpdatesintheServiceRouteConfiguration(Device > Setup
> Services > Global).
73443 Fixedanintermittentissuethatresultedincorruptedforwardingentriesontheoffload
processor.
71331 FixedanissueonaPA500firewallwherethefirewallassignedaDHCPaddressforthe
management(MGT)interfaceevenaftertheadministratorconfiguredastaticIPaddressfor
thatport.Withthisfix,DHCPinitiationfortheMGTinterfaceisdisabled.
70887 FixedanissuewhereclickingtheMorelinktoviewtheregisteredIPaddressunderObject
> Address GroupsresultedinanerrorifthenameofaDynamicAddressGroupincludeda
space.Withthisfix,spacesinDynamicAddressGroupnamesnolongercauseanerror
whendisplayingtheIPaddress.
70302 FixedanissuewheretheautocommitprocessfailedafterupgradingaPA7050orPA5000
SeriesfirewalltoaPANOS6.1orPANOS7.0release.
69132 Fixedanissuewhereoccasionaldataplanerestartsoccurredduetoakernelmemory
allocationfailure.
64602 Inresponsetoanissuewhereafirewallgeneratedcorefilesforaprocess(pktproc)whena
dataplanestoppedresponding,anadditionalcheckandassociatederroroutputisaddedto
helptroubleshootanissuewhereanFPGArunningtheAhoCorasickalgorithmreturnsa
sessionindexmappedtoaNULLpointer.
IssueID Description
64531 Fixedanissuewhereahighavailability(HA)failoveroccurredduetoinsufficientkernel
memoryonaPA5000Seriesfirewall.Withthisfix,PA5000Seriesfirewallsincludesome
cacheflushingeventsandincreasedkernelmemorytoensuresufficientkernelmemory
remainsavailableforpingrequestsandkeepalivemessagestoavoidtheseHAfailovers.
64266 Fixedarareissuewherecertainprocesses(l3svcandsslvpn)stoppedrespondingwhena
ContentupdateandFQDNrefreshoccurredsimultaneously.
IssueID Description
PAN-73605 FixedanissuewherethefirewalldidnotcorrectlyidentifytheURLcategoryofaweb
sessionwhentheHTTPheaderinformationwassplitacrossmultiplepacketsduetoa
sequenceofabnormallylargeHTTPcookies.
82299 FixedacriticalsecurityvulnerabilityforfirewallsandPanoramarunningPANOS7.0.0that
wereconfiguredtouseLDAPauthenticationforCaptivePortalorfordevicemanagement.
(ThisissuedoesnotaffectdevicesconfiguredtouseRADIUSorlocalauthentication.)
81374 FixedanissueonaPA200firewallwheretheMACaddressconfiguredforthe
managementinterfacewasinadvertentlychangedafteranupgradetoPANOS7.0.0.With
thisfix,themanagementinterfaceMACaddressconfiguredbeforeanupgraderemainsthe
sameaftertheupgrade.
81174 FixedanissuewhereanautocommitfailedafteranupgradetoPANOS7.0.0duetoafailed
IKECryptoprofileverificationwhentwoIKEgatewayswereconfiguredusingadynamic
peerinmainmodeonthesamelocalinterface.
81167 FixedanissuewheretheAppsonly(noThreats)versionofContentUpdatesfailedtoinstall
onadeviceregisteredwithstandardsupport.
81158 FixedanissuewhereanIPSectunnelfailedtonegotiateanewsessionanddroppedpackets
duringanSArekeyinIKEv2mode.
81024 FixedanissuewherePanorama7.0.0failedtoproperlypushDeviceGroupandService
GroupobjectstodevicesrunningPANOS6.1orearlierreleases.Withthisfix,Panorama
pushesDeviceGroupandServiceGroupobjectsasexpectedtodevicesrunningany
supportedPANOSrelease.
80903 FixedanissuewherePA7050firewallsrunningPANOS6.1orearlierreleasesdidnot
accuratelyhandlequeriesfromPanoramarunningPANOS7.0.0,whichresultedinthe
inabilitytodisplaydataintheApplicationCommandCenter(ACC)widgetsandprevented
logdatafromthePA7050firewallfrombeingincludedinreportsgeneratedonPanorama.
Withthisfix,PanoramaqueriestoPA7050firewallsaredisabledbydefaultsothatACC
widgetsdisplaycorrectlyforallotherdevicesyoumanagethroughPanorama.
80871 FixedanissuewhereWildFireanalysisreportswerenotdisplayedinDetailedLogView
(Monitor > WildFire Submissions > Detailed Log View > WildFire Analysis Report)for
WildFireSubmissionslogentrieswhenthefirewallwasconfiguredtouseaserviceroute
insteadofthemanagementinterfacetocommunicateeitherwithaWildFireprivatecloud
orwiththeWildFirepubliccloud.However,forfirewallsrunningPANOS7.0.1,toviewthe
integratedreportsfromwithinthewebinterfaceonthefirewall,youmustfirstconfigure
wildfire.paloaltonetworks.comastheWildFirepubliccloud;eitherintheweb
interface(Device > Setup > WildFire > General Settings)orusingtheset deviceconfig
setting wildfire public-cloud-server wildfire.paloaltonetworks.comCLI
command.
IssueID Description
80849 FixedanissuewhereIPv4andIPv6trafficforwardingfailedwhensentthroughanLACP
AggregatedEthernet(AE)interfaceduetoanincorrectsystemMACaddress.
80799 FixedanissuewherefilesandemaillinkssentusingSimpleMailTransferProtocol(SMTP)
orPostOfficeProtocolversion3(POP3)werenotforwardedtotheWildFirepubliccloud
foranalysisunlessthefirewallwasalsoconfiguredtoforwardfilestoaWildFireprivate
cloud.Withthisfix,firewallsconnectedonlytotheWildFirepubliccloudappropriately
forwardtotheWildFirepubliccloudallfilesandemaillinksthataresentusingSMTPor
POP3.
80607 Fixedanissuewhereafirewallrebootedwhenanunusuallylargenumberoffragmented
packetspassedthroughthefirewallwhentheNAT64 IPv6 Minimum Network MTUsetting
wasconfiguredtoavalueotherthan1500(Device > Setup > Session > Session Settings),
whichtriggeredamemoryleak.Withthisfix,fragmentedpacketsnolongercausea
memoryleak.Additionally,anewcounterwastomonitorwhetherresourcesareavailable
forfragmentingpacketswhenneeded.
80561 FixedanissuewheresoftwareforwardingofLayer3multicasttrafficwithProtocol
IndependentMulticast(PIM)didnotfunctionproperly.
80408 Fixedanissuewhere,insomeenvironments,newcontentupdatescouldnolongerbe
accommodatedbythememoryonthefirewallthatisallottedforthesefilesduetoa
continuallyincreasingnumberofapplicationsintheupdates.Withthisfix,allocated
memoryforcontentupdatesisincreasedsothatcontinuedgrowthofcontentupdateswill
notpreventsuccessfuldownloadandinstallationofthoseupdates.
80398 Fixedanissuewhereadministratorswereunabletologinthroughthewebinterfacewhen
thefirewallwasconfiguredtoauthenticateadministratorsusingclientcertificatesandwas
configuredwithOnlineCertificateStatusProtocol(OCSP)verificationenabled.
80373 FixedanissuewhereattemptstoCloneobjectsorpoliciesinasharedgatewaylocationor
Moveobjectsorpoliciesfromavirtualsystemtoasharedgatewaylocationdidnotwork
correctly.
80323 Fixedanissuewherethelinkstatesforfirewallinterfacesdidnotcomeupwhenrebooting
thefirewallafterdisablinghighavailability(HA).
80286 FixedanissuewhereacommitfailedafteranupgradetoPANOS7.0.0whenDefaultsfor
anapplicationwassettoICMP Type(Objects > Applications > application > Advanced).
Withthisfix,commitsdonotfailafteranupgradetoPANOS7.0.1orlaterreleases
regardlessofthisDefaultssetting.
80268 FixedanissueonaPA7050firewallrunningPANOS7.0.0whereattemptstoswitchto
CommonCriteria(CC)modefailedwiththefollowingerror:Set CCEAL4 Mode Sysd
Error.ThisissueoccurredbecausetheCCmodeoperationattemptedtochangethe
operationalmodebeforethesystemprocess(sysd)wasfullyloaded.Thisoperationresulted
insettingthefirewalltothefactorydefaultconfigurationwithoutCCconfiguration
changes.
80266 FixedanissuewherePA200,PA500,andPA2050firewallsrunningPANOS7.0.0and
configuredtouseaservicerouteinsteadofthemanagement(MGT)interfacetoconnect
toanLDAPserverwereunabletoestablishaconnection,whichcausedallfirewall
functionsthatreliedonthatconnectiontofail.Withthisfix,firewallssuccessfullyconnect
throughaconfiguredserviceroutetoanLDAPserver.
79854 FixedanissuewherePanoramawasunabletodisplaySystemandConfiglogsforPA7000
Seriesfirewalls.
IssueID Description
79844 Fixedanissuewherelogssenttoalogcollectorgroupwerenotproperlysavedandcould
notbedisplayedwhenthatlogcollectorgroupcontainedaspaceinthename.Withthisfix,
logsaresavedanddisplayedcorrectlyevenwhenthereisaspaceinthelogcollectorgroup
name.
79522 Fixedanintermittentissuewhereafirewallwithhardwareoffloadenabledincludedan
incorrectIPchecksumvalueinoutgoingNATpackets,whichcausedsomepacketstobe
dropped.
79478 Fixedanissuewherethefirewallconnecteddirectlytoadirectoryserverinsteadofthe
UserIDagentconfiguredasanLDAPproxy.Withthisfix,thefirewallcorrectlyusesthe
UserIDagentwhentheagentisconfiguredforuseasanLDAPproxy.
79463 FixedanissuewhereCPUmemoryonaPA7050firewallspikedwhenattemptingtoview
reportsintheApplicationCommandCenter(ACC).Thisissueoccurredwhentaskcreation
notificationswerenotprocessedproperlyand,asaresult,theLogCollectordidnot
terminatefailedrequestsasexpected.Withthisfix,taskcreationnotificationsare
processedappropriatelyandfailedtasksareproperlyterminated.
79443 Fixedanissueinthewebinterfacewhere,insomecases,thePHPsessioncookie
(PHPSESSID)wasnotmarkedassecure.
79401 VM1000HVfirewallsrunningoneightvCPUsdidnotsaveanddisplayTrafficandThreat
logs.Withthisfix,VM1000HVfirewallsproperlysaveanddisplaythelogs.Thisissuedid
notaffectVMSeriesfirewallsrunningontwoorfourvCPUs.
79367 FixedanissueinPANOSwhereGlobalProtectclientsexperienceddelaysand
intermittentlyfailedtoretrievethegatewayconfigurationforconnectingtoa
GlobalProtectgatewaywhenthefirewallwasinahighavailability(HA)configurationand
underaheavyload.ThisissueoccurredduetoanissuewiththesynchronizationofHIP
reportsbetweengatewaysonHApeerswhentherewasahighnumberof
nearsimultaneousGlobalProtectconnectionrequests.Withthisfix,thesyncprocessis
modifiedsothatGlobalProtectclientsareabletodownloadtheconfigurationandconnect
tothenetworkasexpectedevenwhenmultipleclientsareattemptingtoconnectatthe
sametime.
79278 Fixedanissuewheretheactivedeviceinahighavailability(HA)configurationfailedto
generatetechsupportfilesduetoabufferlimitationthatcouldnotaccommodatethe
outputfromsomecommands.Withthisfix,thecommandsthatpreventgenerationoftech
supportfileshavebeenremovedsothatreportsaregeneratedasexpected.
79260 FixedarareissueonaWF500appliancewhereanICMPpacketcontainingaFIN+ACK
packetwasincorrectlyforwardedoutthroughthemanagement(MGT)interface.Withthis
fix,ICMPpacketscontainingaFIN+ACKpacketaredropped,instead.
IssueID Description
79104 FixedarareissueonaPA7000SeriesfirewallwheretheHA1andHA1backuplinks
experiencedheartbeatfailuresthatcausedsplitbraininahighavailability(HA)
configuration.
78798 FixedanissuewheretheURLfieldintheURLFilteringlogbecameblankorwaslogged
withoutahostname.
78652 FixedarareissuewhereafirewalldroppedURLrequestswhenthemanagementplane(MP)
URLtrie(datastructure)reached100%capacity.Withthisfix,whentheMPURLtrie
reaches90%capacity,URLsinthecachearecleareduntiltheMPURLtrieutilizesonly50%
ofcapacitysothatthetriecannotreachmaximumcapacityandcauserequeststobe
dropped.
78646 Fixedanissuewhereafirewallreplacedmultibytecharacterswithaperiodcharacter( . )
whenforwardinglogsoreventinformationtoSNMPtraps,toasyslogserver,through
email,orinscheduledlogexports.ThisissuealsooccurredwhenexportinglogstoCSV.
Withthisfix,multibytecharactersareforwardedandexportedcorrectlywithone
exception:inPANOS7.0.1,PA7000Seriesfirewallswillstillincorrectlyreplacemultibyte
characterswithperiodcharacterswhenexportinglogstoCSV.
78621 FixedanissuethatoccurredwhenChileadoptednewofficialtimesandtheofficialtimefor
ContinentalChilebecameUTC03:00.APA200firewallconfiguredtousetheChile
ContinentaltimeincorrectlycontinuedtodisplaytheofficialtimeasUTC04:00.
78556 FixedanissueinPanoramawhereusingtheoptiontoimportacertificatewhenconfiguring
aGlobalProtectgatewayorportaldidnotresultintheimportedcertificatebeingaddedto
thedropdown.TheimportedcertificatealsodidnotdisplayontheTemplates > Device >
Certificatespage.(However,theimportedcertificatediddisplaycorrectlyaftera
Panoramacommit.)Withthisfix,importedcertificatesaredisplayedimmediatelyonthe
webinterfacewhereexpected.
78448 Fixedanissuewhereacustomresponsepagecontaininganinvalidsubstringcausedthe
processforcommunicatingbetweenthedataplaneandmanagementplanes(mprelay)to
stoprespondingwhenattemptingtocommitconfigurationchanges.
78436 Fixedanissuewherethemanagementplanestoppedrespondingwhenmorethanone
processattemptedtomodifythedevicetableduringaconfigurationpushfrom
Panorama.Withthisfix,thedevicetableislockedandmodifiablebyonlyoneprocessat
atimetoavoidconflictingmodifications.
78413 FixedanissueonaPA7000Seriesfirewallwithmultiplevirtualsystemswhereamemory
leakwasobservedrelatedtotheFirstPacketProcessor(FPP)managementplaneprocess
whenrunningtheshow session meterCLIcommand.
78343 Fixedanissuethatoccurredwithdecryptionenabled,wheresomewebsiteswerenot
decryptedduetoanissuewithcertificateserialnumbers.
78304 Asecurityrelatedfixwasmadetoaddressacrosssiterequestforgery(CSRF)issueinthe
webinterface.
78197 HIPreportsforuserscannowberetrievedusingtheXMLAPI(inadditiontoviewingHIP
reportsusingtheCLI).
IssueID Description
78187 Fixedanintermittentissuewithasystemprocess(all_task)thatcausedadevicetorestart
unexpectedly.Thisfixincludesanadjustmenttoaninternaltimertoavoidtheserestarts.
78166 FixedanissuewheretheVirusTotallinkintheCoverageStatussectionofWildFire
AnalysisreportsdidnotcorrectlyopentheVirusTotalpage.
78155 AddressedanissuewheretwoDoSprotectionpolicyrulesthatwerenotoverlapping
incorrectlyresultedinawarningthatoneoftheruleswasshadowingtheotherrule.
77907 FixedanissuewherelogforwardingtoaLogCollectordidnotstopasexpectedwhen
executingtherequest log-fwd-ctrl device <s/n> action stopCLIcommandon
Panorama.Withthisfix,logforwardingtoaLogCollectorstopsasexpectedwhen
executingtherequest log-fwd-ctrl device <s/n> action stopcommandsolongas
boththefirewallandPanoramaarerunningPANOS7.0.1orlaterreleases.
77784 FixedanissueonPanoramawhereadministratorswereunabletofilterDeviceGroupsby
tagsinthecommitwindow.
77721 FixedanissueonaPA200firewallwhereareboottookmuchlongerthanexpected(more
than20minutes).ThisissueoccurredwhentheContentUpdatesdatabasewascorrupted
andupdatesdidnotstoporpauseasexpectedtoallowthereboottotakeplace.Withthis
fix,thefirewallreinitializesthedatabaseifitiscorruptedtoallowtheContentUpdateand
systemreboottoproceedasexpected.
77477 FixedanissuewhereauserwasnolongerabletoconnecttoaVMSeriesfirewall
configuredasaGlobalProtectgatewayanddeployedinAmazonWebServices(AWS)after
theuserhadbeenconnectedforseveralhoursandtheusercouldnotreconnectuntilthe
gatewaywasrestarted.Withthisfix,usersnolongerlosetheirconnectiontothe
GlobalProtectgatewayiftheystayconnectedforseveralhours.
77413 FixedanissuewheretheauthenticationprocessfailedtoparsethebaseDistinguished
Name(DN)correctlywhenitcontainedaspace("")character.
77342 WhenusingtheXMLAPItoretrieveHAcontrollinkstatistics,thestatisticsretrievedwere
notthesameasthosedisplayedintheoutputfortheCLIoperationalcommandshow
high-availability and control-link statistics.
77163 Fixedanissuewherethe/var/log/securelogfileinflatedandconsumedavailabledisk
space.Withthisfix,PANOSusesalogrotationfunctionforthislogfiletoavoidconsuming
morediskspacethanisnecessary.
77140 FixedanissuewhereanerrorwasdisplayedwhenusingPanoramatochangeapassword
foramanagedfirewalladmin.
76847 FixedanissuewhereIKEphase2rekeywashappeningtoofrequentlyforanIPSec
sitetositeVPNconfiguredwithtunnelmonitoringonmultipleProxyIDswhenQoSwas
enabled.
IssueID Description
76759 FixedanissuewhereanSSLscanofaWF500appliancereturnedSSLv3connectionsand
RC4cipherseventhoughtheWF500appliancenolongersupportsSSLv3.Withthisfix,
theWF500appliancereturnsonlyTLSv1connections.
76688 FixedanissuewheretheIPv6sourceaddresswasnotdisplayedintheHostcolumnfor
Configlogs.Withthisfix,theIPv6sourceaddressisdisplayedintheHostcolumnas
expected(insteadof0.0.0.0).
76575 FixedanissueonaPA5000SeriesfirewallwhereanoccasionalinconsistencyintheIPv6
neighborcacheondifferentdataplanescausedIPv6trafficsenttocertainhoststoget
dropped.Withthisfix,thefirewallkeepstheIPv6neighborcacheinsyncbetween
dataplanessothatIPv6packetsarenotdropped.
76489 FixedanissuewherethreatupdatesdidnotinstallcorrectlyafteraddingaThreat
PreventionlicenseandinstallinganApplicationsandThreatscontentreleaseversion.This
occurredeventhoughtheoutputoftheshow system infoCLIcommandverifiedthatthe
ThreatPreventionlicensewasinstalled.
76282 FixedanissuewhereFQDNobjectswerenotresolvedwhenallthefollowingconditions
weretrue:
TheFQDNobjectwasbeingusedasataginaDynamicAddressGroup.
TheDynamicAddressGroupwasnotamemberofthesametag.
TheFQDNobjectwasnotattachedtoasecuritypolicyrule.
TheFQDNobjectwasnotincludedinaregularaddressgroupthatwasattachedtoa
securitypolicyrule.
76083 FixedanissuewherenoSystemlogsweregeneratedforfailedloginattemptsusingtheCLI
overanSSHconnection.Withthisfix,additionalSystemlogsnowprovidevisibilityfor
failedloginstothemanagementinterfaceevenifthoseattemptscomefromaCLIoveran
SSHconnection.
76079 FixedanissueonPA7000SeriesfirewallswhereTrafficlogsonAdvancedMezzanine
Cards(AMCs)couldnotberecoveredafterinstallingtheAMCsontoanewLogProcessing
Card(LPC).Withthisfix,anewCLIcommand(request metadata-regenerate slot
<slotnum>)isavailableforretrievinglogsfromtheoldAMCdisksafterinstallingthemina
newLPC.
Whenyouusethiscommand,youshouldensurethedeviceisnotprocessingtrafficuntil
theregenerationrequestiscomplete.Additionally,youcanignoretheerroneouserror
message(Failure communicating with given slot)thatdisplays60secondsafter
runningtherequest metadata-regeneratecommand:theregenerationprocesswill
continuetorunasexpectedandyouwillneedtowaitforittofinishbeforeresumingtraffic
flow.Itcantakeuptotwohours,orlonger,toregenerateallmetadatadependingonthe
numberoflogsrecovered.Todetermineifregenerationiscomplete,usethefollowingCLI
commandtolookfortheDone generating metadata for LD:xmessage:
less s8lp-log vld-<amcslotnum>-0.log
75881 FixedanissueonaPA5000Seriesfirewallwherethemanagementplaneanddataplane
restartedduetoaraceconditionthatoccurredwhentheEnforce Symmetric Return
optionwasenabledinthepolicybasedforwarding(PBF)rules(Policies > Policy Based
Forwarding > Forwarding).ThisraceconditioncausedinaccuratePBFreturn-mac ager
lists,whichcausedtherestarts.Withthisfix,thefirewallretrievesandchecksreturnMAC
entriestoavoidthisraceconditionandassociatedrestarts.
IssueID Description
75825 FixedarareissueonaPA5000Seriesfirewallwherearaceconditionoccurredbetween
dataplanes1and2(DP1andDP2)anddataplane0(DP0)thatincorrectlycausedaresetof
thetimeoutvalueforparentsessionsownedbyDP1andDP2whencreatingpredict
sessions,whichcausedthoseparentsessionstotimeoutprematurely.Withthisfix,the
timeoutforparentsessionsisnotchangedwhenthepredictsessionsarecreated.
75758 FixedanissuewherethedataplanerestartedonaPA5000Seriesfirewallinahigh
availability(HA)clusterduetocorruptionofARPpackets.
75744 Fixedanissuewhereadataplanestoppedrespondingafteracommitthatchangedthe
interfaceindexwhenhighavailability(HA)sessionpacketswerereferencingthatinterface
indexusinganinterfacepointer.
75003 Fixedanissuewhereonlythefirst15charactersofazonenamewasdisplayedinlogs.
Completezonenamesarenowdisplayedinlogs.
74654 FixedanissueonanM100devicewhereanattempttodownloadContentUpdatesfailed
duetoalackofdiskspace.ThisissueoccurredwhencontinuousXMLAPIqueriesfilledthe
/opt/pancfgpartitionbecauseSTOPmessagesweregettingdroppedbetweenPanorama
andtheLogCollectorandquerieswerenotproperlyremovedwhennolongerneeded.
Withthisfix,STOPmessagesshouldnotbedropped.Additionally,incaseSTOPmessages
aredroppedforanyotherreason,atimeoutsettingforqueriesisinplacetoensurethat
stalequeriesareremovedfromdiskspacebeforecausingastoragespaceissue.
74609 FixedanissueonaPA5000SeriesfirewallwherePREDICTsessionswerehandledby
dataplane0(DP0)buttheSIPparentsessionswereonadifferentdataplane.Withthisfix,
youcanusetheset session filter-ip-proc-cpu dest-ip <IPaddr>CLIcommandto
specifyalldestinationSIPproxyIPaddressesinafilterlistonthefirewall.Youcanthenuse
thelisttoconfigurethefirewallsothatDP0receivesandhandlesanyinboundpacketthat
isdestinedforanyofthespecifiedSIPproxyIPaddresses.
74600 AsecurityrelatedfixwasmadetotheOpenSSLpackagetoaddressmultiplevulnerabilities
impactingtheOpenSSLlibraries.
74489 Fixedanissuewithregularexpressionwhereusingtheverticalbarorpipecharacter(|)
causederrors.
74315 FixedanissuewherecommentsaddedtoanAggregateEthernet(AE)interfacewerenot
savedalongwiththeAEinterfaceconfigurationandtheCommentfielddisplayedasempty
afterclosingtheconfigurationwindow.
73692 UpdatedanerrormessagethatoriginallynotedthatanAntiviruscontentdownloadfailed
becauseanAntiviruscontentdownloadwasinprogress.Theerrormessageisupdatedto
correctlystatethatthefailedAntiviruscontentdownloadwasduetoaWildFirecontent
downloadbeinginprogress.
73631 FixedanissuewhereseveralNTPsyncerrorsweredisplayedfollowingafirewallsoftware
upgrade.
IssueID Description
73317 FixedanissuewheretheSystemlogdisplayedanIPv4addressforafirewallthatwas
connectedtoanActiveDirectory(AD)serverthroughamanagementportusinganIPv6
address.Forexample:ldap cfg <group_name> connected to server <IPv6 address>,
initiated by: <IPv4 address>.Withthisfix,theappropriateIPaddressandformatis
displayedfortheinitiatingdeviceevenwhenconnectedusinganIPv6address.
73158 Theportrangeyoucanusetodefineportsforcustomapplicationshasbeenupdatedtobe
fromport065535.Theupdatematchestheportsyoucandefineforapplicationoverride
policyrules(also065535).Previously,youcouldnotdefineport0forcustom
applications.
73064 WhenafirewallwasconfiguredasaDHCPclient,itfailedtoreneworreleasethe
DHCPassignedIPaddresswhenthefirewallinterfacewasthenconnectedtoanewDHCP
server.
73058 FixedanissuewheresourceanddestinationfieldsinSNMPtrapswerenotpopulatedfor
trafficusingIPv6addresses.WiththisfixandRev.BofthePANOS6.1EnterpriseSNMP
MIBmodules,newIPversionneutralfieldswereadded(InetAddressandInetAddressType
inplaceoftheIpAddressfield)tofullysupportIPv6addresses.(TheIpAddressfieldis
retainedforbackwardcompatibilitybutisdeprecated;administratorsareexpectedto
transitiontothenewfields.)
72933 FixedanissuewherePanoramaadministratorswereunabletoviewtheBotnetreport
optionwhenswitchedtothefirewallcontext.
72806 TheGlobalProtectprelogonconnectmethoddidnotworkwhenacertificateprofilewas
configuredtouseasubjectalternativename(SAN)andthematchingdevicecertificatedid
notcontaintheSAN.
72756 Fixedanintermittentissuewherearaceconditioncausedbymultipleprocesses
asynchronouslyattemptingtoretrievethelastsavedconfigurationfilecausedCaptive
PortalortheFQDNrefreshjobtofail.
72719 FixedanissuewheretheTunnelMonitorThresholdvaluedisplayedforaGlobalProtect
satellitewasincorrectlydisplayedasaunitoftime(seconds).TheTunnelMonitor
Thresholdactuallyspecifiesthenumberofheartbeatstowaitforbeforethefirewalltakes
specifiedaction,andisnolongerdisplayedinseconds.
72544 AsecurityrelatedfixwasmadetoaddressCVE20148730.Foradditionalinformation,
refertothePANSA20140224securityadvisoryonthePaloAltoNetworksSecurity
Advisorieswebsiteathttps://securityadvisories.paloaltonetworks.com.
72371 WhenacustomQoSprofilewasenabledonaninterface,theQoSstatisticsforthecustom
profilewereinsteaddisplayedasthedefaultQoSprofilestatistics.Thisissuehasbeen
resolvedsoQoSstatisticsaredisplayedcorrectlywiththecorrespondingQoSprofile(and
foreachclassintheprofile).
72153 FixedanissuewherethefirstSYNpacketinaTCPconnectionthatpassedthroughtwo
virtualsystemsdidnotreachthedestinationserver.Thisoccurredwhen:
ThefirstvirtualsystemwasconfiguredwithDNAT.
ThesecondvirtualsystemwasconfiguredwithSNAT.
Sessionswereallocatedondifferentdataplanes(DPs),withthefirstsessiononDP0.
72075 WhenthefirewallwasconfiguredtoaccessanLDAPserverthroughadatainterface,the
firewallcouldnotconnecttotheLDAPserverifitwasalsoconfiguredtoaccessthe
UserIDagentusingadifferentdatainterface.
IssueID Description
71860 Addressedanissuewhereconfigurationchangeswerenotreflectedintheconfiguration
logsafterimportingSSHkeys.
71682 FixedanissueonaPA5000Seriesdevicewhereaportthatwasinusewassometimes
reusedwhendynamicporttranslationwasenabledwithNATandsessionswereinitiated
ondifferentdataplanes.Withthisfix,ActiveFTPsessionssucceedwithaNATpolicysetup.
71340 Fixedanissuewherefirewalladministratorswereunabletocloneanyofthethree
predefinedcommoncriteriaadminroles;attemptingtodosoresultedinanerror.
71250 FixedanissuewheredecryptionpolicieswithadestinationaddressandaURLcategory
definedasmatchingcriteriacausedcommitfailures.
70431 FixedanissuewhereacustomURLcategorywiththenameanycausedunexpected
results.Withthisfix,thenameanyisnolongerallowedwhencreatingacustomURL
category(Objects > Custom Objects > URL Category).
70335 FixedanissuewhereaccessroutesfromtheGlobalProtectgatewaycouldnotbeinstalled
onasatellitewhenthetunnelmonitorwasenabledforaLargeScaleVPN(LSVPN)andthe
tunnelmonitorwasinwait recovermode.
69961 FixedanissuewherePanoramaandafirewallrunningthesamereleaseversion,didnot
displaythesamedropdownselectionstoaddasmatchingcriteriatoasecuritypolicyrule.
Now,ifPanoramaandafirewallarerunningthesamereleaseversion,thesameobjectsare
displayedandcanbeaddedtoasecuritypolicyrule,regardlessofwhethertheruleisbeing
definedonPanoramaorafirewall.
69752 Fixedanissuewherethewebinterfacedidnotdisplayconcurrentlyloggedin
administratorsifthoseadministratorshadnotlocallyauthenticatedtothefirewall.
69685 UpdatesweremadetoexistingRussiantimezonesandnewRussiantimezoneswereadded
totheavailablelistofglobaltimezonesforadevice,toaccommodatethe2014changesto
Russiantimezones.
69419 Fixedanissuethatwasseenwithpredictsessionswhentraffictraversedafirewallinvirtual
wiremodetwice.
68508 FixedanissuewheretheDHCPserversentDHCPleaseoffersonthewronginterfaceafter
ahighavailability(HA)failoverduetointerfaceIDsbeingoutofsyncontheHApeers.
68178 WhenconfiguringathreatexceptionforanAntiSpywareorVulnerabilityProtection
profile,addinganIPaddressexemptiontotheexceptiondidnotworkiftheinputincluded
asubnet(forexample,XXX.XXX.XXX.XXX/32).OnlyIPaddressexemptionsenteredwithout
asubnetwereacceptedbythefirewall.ThisissueisfixedsothatyoucanaddanIPaddress
withasubnetasanexemptionwithinathreatexception(Objects > Vulnerability
Protect/Anti-Spyware > Exceptions).
IssueID Description
67713 Anadministratorwasallowedtodowngradethecontentversion(ApplicationsandThreats)
onthefirewalltoaversionthatwasnotsupportedwiththePANOSsoftwarerelease
versionrunningonthefirewall.Forexample,ifthefirewallwasrunningPANOS7.0and
theminimumcontentversionwas497,theadministratorwasincorrectlyableto
downgradetoaversionpriorto497.
66681 Resolvedadataplanerestartissueduetoraceconditions.
65959 AddedanenhancementtodisplaypredefinedURLcategoriesinadditiontocustom
URLcategoriesintheAllowCategoriescolumnforURLFilteringprofilerules(Objects >
Security Profiles > URL Filtering).
63652 FixedanissuewheresomefilesforwardedtoWildFirewerenotuploadedsuccessfullydue
toaCANCEL_OFFSET_NO_MATCHerror.Withthisfix,theoffset(causedbyabufferoverload)
isnolongeranissue.
63524 FixedanissuethatoccurredwhenperformingatemplatecommittoaPA200firewallon
Panorama.Theoperationfailedifyouchangedthevsys1displaynameonthefirewallusing
theset display-name <name>CLIcommand.
62276 FixedanissuewheretheApplicationCommandCenter(ACC)failedtoloadanywidgetsand
displayedthefollowingerror:The selected filters cannot be applied to any of
the acc reports.ThisissueoccurredwhennavigatingfromMonitor > Reports > HTTP
ApplicationstotheACC.
61259 RemovedwhitespaceprecedingaresponsethatwasdisplayedwhenusingtheXMLAPIto
submitafileforWildFireanalysis.
RelatedDocumentation
RefertothefollowingdocumentsontheTechnicalDocumentationportalat
https://www.paloaltonetworks.com/documentationformoreinformationonourproducts:
NewFeaturesGuideDetailedinformationonconfiguringthefeaturesintroducedinthisrelease.
PANOSAdministrator'sGuideProvidestheconceptsandsolutionstogetthemostoutofyourPalo
AltoNetworksnextgenerationfirewalls.Thisincludestakingyouthroughtheinitialconfigurationand
basicsetuponyourPaloAltoNetworksfirewalls.
PanoramaAdministrator'sGuideProvidesthebasicframeworktoquicklysetupthePanoramavirtual
applianceoranMSeriesapplianceforcentralizedadministrationofthePaloAltoNetworksfirewalls.
WildFireAdministrator'sGuideProvidesstepstosetupaPaloAltoNetworksfirewalltoforward
samplesforWildFireAnalysis,todeploytheWF500appliancetohostaWildFireprivateorhybrid
cloud,andtomonitorWildFireactivity.
VMSeriesDeploymentGuideProvidesdetailsondeployingandlicensingtheVMSeriesfirewallonall
supportedhypervisors.Itincludesexampleofsupportedtopologiesoneachhypervisor.
GlobalProtectAdministrator'sGuideTakesyouthroughtheconfigurationandmaintenanceofyour
GlobalProtectinfrastructure.
OnlineHelpSystemDetailed,contextsensitivehelpsystemintegratedwiththefirewallwebinterface.
CompatibilityMatrixDetailedreferencetodeterminesupportforPaloAltoNetworksfirewalls,
appliances,agents,andOSreleases.
OpenSourceSoftware(OSS)ListingsOSSlicensesusedwithPaloAltoNetworksproductsand
software:
PANOS7.0
Panorama7.0
WildFire7.0
RequestingSupport
Forcontactingsupport,forinformationonsupportprograms,tomanageyouraccountordevices,ortoopen
asupportcase,refertohttps://www.paloaltonetworks.com/support/tabs/overview.html.
Toprovidefeedbackonthedocumentation,pleasewritetousat:documentation@paloaltonetworks.com.
ContactInformation
CorporateHeadquarters:
PaloAltoNetworks
4401GreatAmericaParkway
SantaClara,CA95054
www.paloaltonetworks.com/company/contactsupport
PaloAltoNetworks,Inc.
www.paloaltonetworks.com
20152017PaloAltoNetworks,Inc.PaloAltoNetworksisaregisteredtrademarkofPaloAltoNetworks.Alistof
ourtrademarkscanbefoundathttps://www.paloaltonetworks.com/company/trademarks.html.Allothermarks
mentionedhereinmaybetrademarksoftheirrespectivecompanies.
RevisionDate:April28,2017