
PAN-OS® 8.1 Release Notes
Release 8.1.3

paloaltonetworks.com/documentation
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal www.paloaltonetworks.com/documentation.
• To search for a specific topic, go to our search page www.paloaltonetworks.com/documentation/
document-search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
documentation@paloaltonetworks.com.

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2018-2018 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
August 23, 2018

2 PAN-OS® 8.1 RELEASE NOTES |


Table of Contents
PAN-OS 8.1 Release Information................................................................... 5
Features Introduced in PAN-OS 8.1...................................................................................................... 7
App-ID Features..............................................................................................................................7
Virtualization Features...................................................................................................................8
Decryption Features.................................................................................................................... 10
WildFire Features.........................................................................................................................11
Panorama Features...................................................................................................................... 11
Content Inspection Features..................................................................................................... 13
Authentication Features............................................................................................................. 14
GlobalProtect Features............................................................................................................... 15
Management Features................................................................................................................ 17
Networking Features...................................................................................................................18
User-ID Features.......................................................................................................................... 19
Certifications Features................................................................................................................ 20
New Hardware Introduced with PAN-OS 8.1...................................................................... 20
Changes to Default Behavior.................................................................................................................22
App-ID Changes in PAN-OS 8.1.............................................................................................. 22
Authentication Changes in PAN-OS 8.1................................................................................ 22
Content Inspection Changes in PAN-OS 8.1........................................................................ 23
GlobalProtect Changes in PAN-OS 8.1.................................................................................. 24
User-ID Changes in PAN-OS 8.1............................................................................................. 24
Panorama Changes in PAN-OS 8.1......................................................................................... 25
CLI and XML API Changes in PAN-OS 8.1........................................................................................ 26
Authentication CLI and XML API Changes............................................................................26
Content Inspection CLI and XML API Changes....................................................................28
Decryption CLI and XML API Changes.................................................................................. 28
GlobalProtect CLI and XML API Changes..............................................................................29
Management CLI and XML API Changes...............................................................................31
Panorama CLI and XML API Changes.....................................................................................32
User-ID CLI and XML API Changes.........................................................................................34
Associated Software and Content Versions.......................................................................................35
Limitations...................................................................................................................................................36
Known Issues............................................................................................................................................. 37
Known Issues Related to PAN-OS 8.1 Releases.................................................................. 37
Known Issues Specific to the WF-500 Appliance................................................................61

PAN-OS 8.1 Addressed Issues...................................................................... 63


PAN-OS 8.1.3 Addressed Issues...........................................................................................................65
PAN-OS 8.1.2 Addressed Issues...........................................................................................................76
PAN-OS 8.1.1 Addressed Issues...........................................................................................................85
PAN-OS 8.1.0 Addressed Issues...........................................................................................................95

Getting Help.......................................................................................................97
Related Documentation...........................................................................................................................99
Requesting Support................................................................................................................................100

PAN-OS 8.1 Release Information
Revision Date: August 23, 2018
Review important information about Palo Alto Networks PAN-OS® 8.1 software, including
new features introduced, workarounds for open issues, and issues that are addressed in PAN-
OS 8.1 releases. For installation, upgrade, and downgrade instructions, refer to the PAN-OS
8.1 New Features Guide.
To ensure that you are viewing the most current version of these release notes, always defer
to the web version; do not store or rely on PDFs to be current after you download them.

• Features Introduced in PAN-OS 8.1
• Changes to Default Behavior
• CLI and XML API Changes in PAN-OS 8.1
• Associated Software and Content Versions
• Limitations
• Known Issues
• PAN-OS 8.1.3 Addressed Issues
• PAN-OS 8.1.2 Addressed Issues
• PAN-OS 8.1.1 Addressed Issues
• PAN-OS 8.1.0 Addressed Issues
• Getting Help

Features Introduced in PAN-OS 8.1
The following topics describe the new features and new hardware introduced with the PAN-OS® 8.1
release, which requires content release version 769 or a later version. For upgrade and downgrade
considerations and for specific information about the upgrade path for a firewall, refer to the Upgrade
section of the PAN-OS 8.1 New Features Guide. The new features guide also provides additional
information about how to use the new features in this release.
• App-ID Features
• Virtualization Features
• Decryption Features
• WildFire Features
• Panorama Features
• Content Inspection Features
• Authentication Features
• GlobalProtect Features
• Management Features
• Networking Features
• User-ID Features
• Certifications Features
• New Hardware Introduced with PAN-OS 8.1

App-ID Features

SaaS Application Hosting Characteristics
By leveraging the enhanced SaaS Application Hosting Characteristics in App-ID, you can now identify and control SaaS applications that could pose a risk to your organization due to unfavorable hosting characteristics. To help you understand the enterprise readiness of a SaaS application, five new characteristics have been added: certifications achieved, past data breaches, support for IP-based access restrictions, financial viability, and terms of service. Using these characteristics, you can identify and explore the extent of high-risk application usage from the Application Command Center (ACC). The SaaS Application Usage report is also enhanced to incorporate this context, with a summary page covering risky SaaS applications and the characteristics highlighted on the detailed pages. For a more tailored view, you can use the characteristics when building custom reports. Armed with the usage data and the detailed risk profile, you can make informed decisions about which SaaS applications should be allowed in your environment and create policy to enforce this.

Simplified App-ID
Palo Alto Networks releases new App-IDs on a monthly basis that your security policy can begin to enforce without any additional configuration. While this enables the firewall to dynamically control application traffic with ever-increasing precision, it can also impact the availability of the mission-critical applications on which your organization relies.
Together, these new App-ID features enable you to equip the firewall with the latest application knowledge and ensure availability for mission-critical applications at the same time. Plus, they make it easier to move to and maintain an application-based security policy:
• New App-ID Threshold—Install content updates that include new App-IDs on a separate schedule from those that don’t; this gives you more time to update your security policy to account for any changes in enforcement.
• New App-ID Characteristic—Allow new App-IDs that might affect availability for critical enterprise applications (like software development or authentication App-IDs) and get visibility into new App-ID activity, so that you can best refine your security policy.
• Extended Policy Impact Review for Content Releases—In addition to new App-IDs, get insight into how modified App-IDs affect security policy enforcement.
• Coverage Change Details for Modified App-IDs—Get details on how coverage for a modified App-ID is expanded or made more precise.

SaaS Application Access Control using HTTP Header Insertion
Unsanctioned usage of SaaS applications can be a way for your users to transmit sensitive information outside of your network. This kind of SaaS usage usually means that the user is accessing a consumer version of the application. At the same time, you may have found that usage of the enterprise version of these applications by specific individuals or organizations is both desirable and necessary. You can now disallow SaaS consumer accounts while allowing usage of a specific enterprise account by managing HTTP header information. Many SaaS applications allow or disallow application access based on information contained in specific HTTP headers. This feature provides predefined header insertion rules for popular SaaS applications such as G Suite and Microsoft Office 365. You can also create your own custom header insertion rules for SaaS applications for which Palo Alto Networks has not provided predefined header insertion rules, but that also use HTTP headers to limit service access.

Easy Custom Timeouts for Applications and Services
You want to migrate from your legacy firewall to a Palo Alto Networks next-generation firewall so that you can safely and comprehensively enable the applications you need to do business, but you also need to maintain any custom timeouts configured for your mission-critical applications. Now, you can configure custom timeouts for legacy applications in two quick and easy steps, where previously, to maintain custom timeouts during the move to an application-based policy, you might have overridden App-ID (losing application visibility) or created a custom App-ID (expending a lot of time and research).

Virtualization Features

VM-50 Lite
The VM-50 Lite is a resource-optimized mode of the VM-50 firewall with a smaller memory footprint. This mode allows you to deploy the VM-Series firewall in environments where resources are limited while providing the same performance and features as the standard VM-50 firewall.

Integration with Azure Security Center
You can now deploy the VM-Series firewall directly from the Azure Security Center, which provides a consolidated view of the security posture of your Microsoft Azure workloads. This integration enables you to forward URL Filtering, Threat, and WildFire logs of high and critical severity that are generated on the firewall to Azure Security Center so that you can monitor security events from a single management console. When the firewall prevents an attack on your internet-facing web server and generates a threat log for a known vulnerability on an inbound request, for example, it forwards this log to Azure Security Center, where you can directly review the security incident.

Bootstrapping Enhancements for VM-Series Firewall on Azure
When bootstrapping the VM-Series firewall on Azure, you can now use Azure file storage (instead of a data disk) to store the bootstrap files. This change improves the bootstrapping workflow because it enables multiple virtual machines to simultaneously access the same bootstrap package.

Support for Azure Application Insights
To enable monitoring and alerts on the health and performance of the VM-Series firewall, you can now natively publish firewall metrics to Azure Application Insights. The integration with Azure Application Insights allows you to monitor custom PAN-OS metrics, such as the total number of active sessions or dataplane CPU utilization, in order to set alarms or trigger automation events.

VM Monitoring for Azure
VM Monitoring of Microsoft® Azure® resources enables you to dynamically update security policy rules to consistently enforce security policy across all assets deployed within your Azure subscription. VM Monitoring on Azure uses a VM Monitoring script that runs on a virtual machine within the Azure public cloud. This script collects the IP address-to-tag mapping for all your Azure assets and uses the API to push the VM information to your Palo Alto Networks® firewall(s).

VM-Series Firewall on Google Cloud Platform
To secure your workloads on the Google Cloud Platform, you can now deploy the VM-Series firewall from the Google Cloud Platform Marketplace. To scale security with your workloads, deploy one or more instances of the VM-Series firewall behind Google Cloud load balancers and bootstrap the firewall with a complete configuration that includes security policies at launch.
The VM-Series firewall can also natively publish metrics to Google Stackdriver to monitor and trigger alerts for firewall health and performance. And, to create security policy rules that automatically adapt to changes to your workloads—adds, moves, or deletions of virtual machines in a Google Cloud Platform Project VPC—you can enable VM Monitoring for instances running on Google Cloud Platform on any hardware or VM-Series firewall running PAN-OS 8.1.

Performance Enhancements for the VM-Series Firewall on NSX
The VM-Series firewall for VMware NSX can now provide higher per-host traffic throughput. In addition to PAN-OS 8.1, you must also be running VMware NSX Manager 6.3.1 or higher. NSX Manager 6.3.1 introduced NetX APIs that support multiple device channels and multi-process I/O, allowing the VM-Series firewall to use these device channels to improve performance. NSX allocates device channels equal to the number of dataplane cores assigned to the firewall. When you upgrade to 8.1, your VM-Series firewall deployed in an NSX 6.3.1 or higher environment takes full advantage of the maximum number of effective cores assigned to the dataplane.

FQDN Refresh Time Enhancement
In PAN-OS 8.1, VM-Series firewalls support a larger range for the FQDN Refresh Time than in prior releases. The range is now 60-14,399 seconds, which allows VM-Series firewalls to refresh the IP addresses for an FQDN at shorter intervals. A shorter refresh time is helpful for VM-Series firewalls in cloud deployments where IP addresses for FQDNs change frequently. The shorter refresh time, along with the support for using the FQDN of a load balancer in Destination NAT policy (Dynamic IP Address Support for Destination NAT), makes it easier for you to deploy the Amazon ELB service and any other FQDN-based load balancer to distribute sessions evenly across more than one IP address.
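The VM Monitoring rows above (Azure and Google Cloud Platform) describe a script that collects IP address-to-tag mappings and pushes them to the firewall through the API so that policy follows adds, moves, and deletions of instances. The following added example (not Palo Alto Networks' own VM Monitoring script) shows the core of that step in Python: it diffs two constructed inventory snapshots and builds the PAN-OS User-ID XML API register/unregister message. The cloud tag names and addresses are constructed sample data, and the HTTPS call to the firewall's /api/ endpoint is left as a comment.

```python
"""Build PAN-OS User-ID XML API payloads from IP address-to-tag snapshots.

Added example, not Palo Alto Networks code. The <uid-message> /
<register> / <unregister> structure is the PAN-OS User-ID XML API used for
IP-to-tag registration (which feeds dynamic address groups). The inventory
data below is constructed sample data.
"""
import xml.etree.ElementTree as ET

# Constructed snapshots: IP address -> set of tags derived from cloud VM
# metadata. The "key.value" tag convention is an assumption of this example.
SNAPSHOT_BEFORE = {
    "10.1.0.4": {"azure.role.web", "azure.env.prod"},
    "10.1.0.5": {"azure.role.db", "azure.env.prod"},
    "10.1.0.6": {"azure.role.web", "azure.env.dev"},
}
SNAPSHOT_NOW = {
    "10.1.0.4": {"azure.role.web", "azure.env.prod"},     # unchanged
    "10.1.0.5": {"azure.role.db", "azure.env.staging"},   # tag moved
    "10.1.0.7": {"azure.role.web", "azure.env.dev"},      # added; 10.1.0.6 deleted
}


def diff_mappings(previous, current):
    """Return (to_register, to_unregister) as {ip: sorted tag list}.

    Only the delta is sent: tags that appeared are registered, tags that
    disappeared (including every tag of a deleted VM) are unregistered.
    """
    register, unregister = {}, {}
    for ip in set(previous) | set(current):
        old_tags = previous.get(ip, set())
        new_tags = current.get(ip, set())
        added = new_tags - old_tags
        removed = old_tags - new_tags
        if added:
            register[ip] = sorted(added)
        if removed:
            unregister[ip] = sorted(removed)
    return register, unregister


def build_uid_message(register, unregister):
    """Serialize a <uid-message> of type update with register/unregister
    sections; sections with no entries are omitted."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for action, mapping in (("register", register), ("unregister", unregister)):
        if not mapping:
            continue
        section = ET.SubElement(payload, action)
        for ip in sorted(mapping):
            entry = ET.SubElement(section, "entry", ip=ip)
            tag = ET.SubElement(entry, "tag")
            for name in mapping[ip]:
                ET.SubElement(tag, "member").text = name
    return ET.tostring(root, encoding="unicode")


def parse_uid_message(xml_text):
    """Parse a message back into {action: {ip: [tags]}}.

    Useful as a self-check before the payload leaves the script.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for section in root.find("payload"):
        result[section.tag] = {
            entry.get("ip"): [m.text for m in entry.iter("member")]
            for entry in section
        }
    return result


if __name__ == "__main__":
    reg, unreg = diff_mappings(SNAPSHOT_BEFORE, SNAPSHOT_NOW)
    message = build_uid_message(reg, unreg)
    print(message)
    # To push it, the script would send the XML as the cmd parameter of the
    # User-ID API call: https://<firewall>/api/?type=user-id&key=<API key>&cmd=<xml>
    # (firewall address and API key are deployment-specific placeholders).
```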

Decryption Features

Decryption Broker
Offload SSL decryption to the Palo Alto Networks firewall and decrypt traffic only once. A firewall enabled as a decryption broker forwards clear-text traffic to security chains (sets of inline, third-party appliances) for additional enforcement. This allows you to consolidate security functions on the firewall, optimize network performance, and reduce the number of devices in your security infrastructure.

Automatic SAN Support for SSL Decryption
Browsers like Google Chrome and Mozilla Firefox require server certificates to use a Subject Alternative Name (SAN), instead of a Common Name (CN), to specify the domains the certificate protects. In order to continue to decrypt SSL sessions where a server certificate contains only a CN, the firewall can now add a SAN to the impersonation certificate it uses to establish itself as a trusted third party to the SSL session. The firewall populates the SAN in the impersonation certificate based on the server certificate CN.

HSM Client Upgrade and SafeNet HSM Cluster Support
When you use a firewall as a hardware security module (HSM) client to manage your digital keys, that firewall HSM client now supports SafeNet client versions 5.4.2 and 6.2.2 and Thales nShield version 12.30 to provide compatibility with HSM server versions.
Additionally, SafeNet HSM server high availability is enhanced from supporting an HA pair of HSMs to supporting an HA cluster of up to 16 HSMs.
The HSM client upgrades and SafeNet HSM high availability clusters are supported on Panorama and all firewall models except for PA-800 Series, PA-500, PA-220, and PA-200 firewalls.

ECDSA Certificate Support for SSL Decryption with HSMs
You can now securely store your elliptic curve private keys on a third-party network HSM when you use Elliptic Curve Digital Signature Algorithm (ECDSA) certificates for SSL decryption. The firewall can get the ECDSA key from the HSM to decrypt traffic between a client and server. HSM support for ECDSA certificates applies to SSL decryption in both forward proxy and inbound inspection modes.

ECDHE/DHE Cipher Support on HSMs
HSM integration now supports Diffie-Hellman Exchange (DHE) and Elliptic Curve DHE (ECDHE) ciphers for SSL decryption when your keys are stored on a network HSM.

Decryption Port Mirroring Support Extension
Decryption port mirroring is now supported on all hardware-based and VM-Series firewalls. This feature enables the firewall to create a copy of decrypted traffic and send it to a traffic collection tool for archiving and analysis.
This feature is not supported on VMware NSX, Citrix SDX, or public cloud hypervisors (AWS, Azure, and Google Cloud Platform).

WildFire Features

Static Analysis Detection Enhancements
The WildFire® appliance static analysis environment now includes improved malware detection logic that is delivered through content releases. Previously, updates to the WildFire appliance detection engines were limited to PAN-OS® software releases. This feature enables the WildFire appliance to enhance the accuracy of threat detection by providing regular scheduled updates that can be installed to combat zero-day threats.
Download and install the latest content updates daily to stay up to date with the static analysis enhancements.

WildFire Forwarding Support for Linux and Archive Files
You can now configure the Palo Alto Networks firewall to automatically forward archive (RAR and 7-Zip) and Linux (ELF) file types for WildFire analysis.

Encrypted Appliance-to-Appliance Communications
You can now enable encryption in WildFire appliance clusters to maintain the confidentiality of transmitted content, including user samples. This feature allows you to configure custom and predefined client/server certificates so that appliances can establish encrypted appliance-to-appliance communication. Additionally, WildFire appliances in a cluster are now supported in FIPS-CC compliant mode when you configure this feature using FIPS-CC compliant certificates.

Panorama Features


Device Monitoring on Panorama
Monitoring resource utilization on firewalls helps you assess the impact of substantial policy changes and operational activities, benchmark across locations with similar traffic profiles, and proactively track device component health. The data needed to conduct these analyses is often aggregated in separate tools that firewall administrators cannot access. With Device Monitoring on Panorama you can now track resource utilization, environmental conditions, and other key operational metrics over time and in bulk across large deployments. With this new ability, Panorama can highlight devices operating outside their normal ranges and provide the data you need to accelerate investigation and make informed decisions.

Configuration Reusability for Templates and Template Stacks
Deploying firewalls with few differences in networking/device-level configuration often requires duplication of templates on Panorama. Such duplication increases operational overhead and the chances of configuration errors. PAN-OS 8.1 introduces variables for device-specific IP values, which enable you to use the same templates in a template stack for multiple appliances that have unique configurations, so that you can minimize template duplication and reduce inconsistencies between appliances.

Support for Panorama Virtual Appliance in New Environments
The Panorama virtual appliance is now supported on AWS, AWS GovCloud, Azure, Google™ Cloud Platform, KVM, and Hyper-V to provide more flexibility. The functionality and features on the Panorama virtual appliance match the hardware-based M-Series appliances, so you have the option of deploying the entire Panorama environment on the newly supported hypervisors or on a mix of both physical and virtual appliances and reducing your physical footprint.

Dedicated Log Collectors in Virtual Environments
You can now deploy Dedicated Log Collectors in virtual environments to align with your business strategy and reduce capital costs. Because the virtual Dedicated Log Collectors on AWS, AWS GovCloud, Azure, Google™ Cloud Platform, KVM, Hyper-V, and VMware ESXi provide the same functionality as hardware-based M-Series appliances, you now have the flexibility to scale your log collection infrastructure without the challenges associated with physically deploying hardware.

Management Only Mode
Panorama in Management Only mode is now available for you to offload logging to the Logging Service and/or your on-premise distributed Log Collectors. In this mode you can continue to use Panorama for centralized configuration, device management, and deployment of your managed firewalls, Log Collectors, and WildFire clusters, and have a single pane for monitoring network and threat activity on the ACC and for generating reports. On a Panorama virtual appliance this mode provides a smaller memory footprint, and on a hardware-based Panorama appliance it frees up resources required for log collection functions. Because the log-related capabilities are not enabled in this mode, the configuration management capability on Panorama is more efficient and results in faster commit times, speedier configuration pushes, and faster deployment of software and content updates.

Device Management License Enforcement for Panorama
In PAN-OS 8.1, Panorama validates that a valid device management license and associated support licenses exist for the firewalls you plan to manage on Panorama. New and existing Panorama virtual appliances running PAN-OS 8.1 have a 180-day grace period from deployment or upgrade to download and install the device management license if you don’t already have one installed.

Content Update Revert from Panorama
Revert content updates on one or more managed firewalls, Log Collectors, or WildFire appliances from Panorama without the need to log in to each managed appliance to revert the content version individually. This capability reduces the time required to restore your environment when a content update negatively impacts your network operations.

Direct Query of PA-7000 Series Firewalls from Panorama
Because the PA-7000 Series firewall can now forward logs to Panorama, Panorama no longer treats the PA-7000 Series firewalls it manages as Log Collectors. If you have not configured your managed PA-7000 Series firewalls to forward logs to Panorama, by default you can only view the logs from the local firewall and not from Panorama. If you do not yet have a log forwarding infrastructure capable of handling the logging rate and volume from your PA-7000 Series firewalls, you can now enable Panorama to directly query managed PA-7000 Series firewalls so that you can view the logs directly from Panorama.

Content Inspection Features



SCTP Security
In mobile network operator environments, you can now enforce multilayer security on Stream Control Transmission Protocol (SCTP) traffic to prevent information from leaking and prevent attackers from causing denial of service, network congestion, and outages that disrupt data and voice services for mobile subscribers.
In addition to enabling stateful inspection with multi-homing support, multi-chunk inspection, and protocol validation of SCTP, this feature enables you to filter SCTP traffic based on payload protocol IDs (PPIDs) and to filter Diameter and SS7 traffic over SCTP.
SCTP security is supported only on PA-5200 Series and VM-Series firewalls and requires content release version 785 or a later version.

Rapid Deployment of the Latest Threat Prevention Updates
When thinking about how best to deploy the latest application and threat updates, you might previously have had to choose between a mission-critical approach—where you delay content installation until you can assess impact to application availability—and a security-first approach—where you prioritize immediate threat protection over possible impact to application availability. Now, you don’t need to choose. The following features enable a blend of both approaches, so that you can quickly deploy the latest threat prevention updates while ensuring application availability:
• Installation Threshold for New App-IDs—Fine-tune content update thresholds to install threat updates and application updates separately based on your network security and availability requirements.
• Streamlined Panorama Deployment for Content Releases—Use Panorama to more easily configure dynamic update schedules for multiple firewalls, and stagger updates across your network (for example, deploy updates to locations with less business risk first, like satellite offices).

Tools to Avoid or Mitigate Content Update Issues
Palo Alto Networks application and threat content releases undergo rigorous performance and quality assurance; however, because there are so many possible variables in a customer environment, there are rare occasions where a content release might impact a network in an unexpected way. The following features are now available to help you avoid or mitigate an issue with a content release, so that there is as little impact to your network as possible:
• Content Release Validation Check—The firewall now validates that a previously downloaded content release is still Palo Alto Networks-recommended at the time of installation.
• Enhanced Telemetry—The threat intelligence telemetry data that the firewall sends to Palo Alto Networks now includes information that Palo Alto Networks can use to identify and troubleshoot issues with content updates.
• Critical Content Alerts—Palo Alto Networks can now directly alert you to a critical content release issue; we’ll give you the information you need to understand if and how the issue affects you, along with steps to move forward. (If needed, you can also now use Panorama to easily revert managed firewalls to the latest content update version. See Panorama Features.)

SMB Improvements with WildFire Support
Firewall SMB support now includes SMBv3 (3.0, 3.0.2, and 3.1.1) and has additional threat detection and file identification capabilities, performance, and reliability across all versions of SMB. These improvements provide an additional layer of security for networks, such as data center deployments, network segments, and internal networks, by allowing files transmitted using SMB to be forwarded to WildFire for analysis. Because of the way that SMBv3 multi-channel works in splitting up files, customers should disable the use of multi-channel file transfer for maximum protection and inspection of files. As a result, Palo Alto Networks recommends disabling SMB multi-channel through Windows PowerShell. For more information on this task, please refer to: https://technet.microsoft.com/en-us/library/dn610980(v=ws.11).aspx

Authentication Features
New Authentication Description
Feature

EAP Support for To securely transport credentials between the firewall and the RADIUS
RADIUS server without having to create IPSec tunnels, you can now use one of three
Extensible Authentication Protocol (EAP) methods: PEAP-MSCHAPv2,
PEAP with GTC, and EAP-TTLS with PAP. You can use this feature for

GlobalProtect and Captive Portal authentication and for administrative
access to the firewall and Panorama. For more information, refer to the New
Features Guide.

Authentication Using Custom Certificates for WildFire and PAN-DB
You can now deploy custom certificates to replace the predefined certificates shipped on Palo Alto Networks appliances for management connections between WildFire or PAN-DB appliances and other products in the Palo Alto Networks next-gen security platform. By generating and deploying custom certificates for each appliance, you can establish a unique chain of trust between WildFire and PAN-DB and connected Palo Alto Networks appliances. You can generate these custom certificates locally or import them from an existing enterprise public key infrastructure (PKI).

GlobalProtect Features

New GlobalProtect Feature / Description
Optimized Split Tunneling for GlobalProtect
In addition to route-based split tunnel policy, GlobalProtect™ now supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application. This feature works on Windows and macOS endpoints and enables you to:
• Tunnel enterprise SaaS and public cloud applications for comprehensive SaaS application visibility and control, to avoid risks associated with Shadow-IT in environments where tunneling all traffic is not feasible.
• Send latency-sensitive traffic, such as VoIP, outside the tunnel, while all other traffic goes through the tunnel for inspection and policy enforcement by the GlobalProtect gateway.
• Exclude HTTP/HTTPS video streaming traffic from the tunnel. Video streaming applications, such as YouTube and Netflix, consume large amounts of bandwidth. By excluding lower risk video streaming traffic from the tunnel, you can decrease bandwidth consumption on the gateway.

Kerberos Authentication Support for macOS
GlobalProtect endpoints running macOS 10.10 and later releases now support Kerberos V5 single sign-on (SSO) for GlobalProtect portal and gateway authentication. Kerberos SSO, which is primarily intended for internal gateway deployments, provides accurate User-ID™ information without user interaction and helps enforce user and HIP policies.

SAML SSO for GlobalProtect on Chromebooks
GlobalProtect now supports SAML single sign-on (SSO) for Chrome OS. If you configure SAML as the authentication standard for Chromebooks, users can authenticate to GlobalProtect by leveraging the same login they use to access the Chromebook applications. This allows users to connect to GlobalProtect without having to re-enter their credentials in the GlobalProtect app. With SSO enabled (default), Google acts as the SAML service provider while the GlobalProtect app authenticates users directly to your organization’s SAML identity provider.
GlobalProtect currently supports only the SAML HTTP POST binding method.

GlobalProtect Credential Provider Pre-Logon Connection Status
The GlobalProtect credential provider logon screen on Windows 7 and Windows 10 endpoints now displays the pre-logon connection status when you configure pre-logon for remote users. The pre-logon connection status indicates the state of the pre-logon VPN connection prior to user logon. By providing more visibility into the pre-logon connection status, this feature allows end users to determine whether they will be able to access network resources upon logon, which prevents them from logging in prematurely before the connection is established and network resources become available. If the GlobalProtect app determines that an endpoint is internal (connected to the corporate network), the logon screen displays the GlobalProtect connection status as Internal. If the GlobalProtect app determines that an endpoint is external (connected to a remote network), the logon screen displays the GlobalProtect connection status as Connected or Not Connected.

Active Directory Password Change Using the GlobalProtect Credential Provider
End users can now change their Active Directory (AD) password using the GlobalProtect credential provider on Windows 10 endpoints. This enhancement improves the single sign-on (SSO) experience by allowing users to update their AD password and access resources that are secured by GlobalProtect using the GlobalProtect credential provider. Users can change their AD password using the GlobalProtect credential provider only when their AD password expires or an administrator requires a password change at the next login.

Expired Active Directory Password Change for Remote Users
Remote users can now change their RADIUS or Active Directory (AD) password through the GlobalProtect app when their password expires or a RADIUS/AD administrator requires a password change at the next login. With this feature, users can change their RADIUS or AD password when they are unable to access the corporate network locally and their only option is to connect remotely using RADIUS authentication. This feature is enabled only when the user authenticates with a RADIUS server using the Protected Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2).

OPSWAT SDK V4 Support
GlobalProtect is now integrated with OPSWAT SDK V4 to detect and assess the endpoint state and the third-party security applications running on the endpoint. OPSWAT is a security tool leveraged by the Host Information Profile (HIP) to collect information about the security status of your endpoints. GlobalProtect uses this information for policy enforcement on the GlobalProtect gateway.
This integration follows the end-of-life (EoL) announcement for OPSWAT SDK V3, which is the OPSWAT SDK version supported by GlobalProtect in PAN-OS 8.0 and earlier releases.

GlobalProtect App for Linux
The new GlobalProtect app for Linux now extends User-ID and security policy enforcement to users on Linux endpoints. The GlobalProtect app provides a command-line interface and functions as an SSL or IPSec VPN client. The GlobalProtect app supports common GlobalProtect features and authentication methods, including certificate and two-factor authentication and both user-logon and on-demand connect methods. The app can also perform internal host detection to determine whether the Linux endpoint is on the internal network, and it collects host information (such as operating system and operating system version, domain, hostname, host ID, and network interface). Using this information, you can allow or deny access to a specific Linux endpoint based on the adherence of that endpoint to the host policies you define.
The GlobalProtect app for Linux is available for Ubuntu 14.04, RHEL 7.0, and CentOS 7.0 (and later releases of each) and requires a GlobalProtect subscription.

Management Features

New Management Feature / Description

Rule Usage Tracking
Obsolete or outdated firewall rules introduce unnecessary security risks that an attacker can exploit to execute a successful cyber attack. With rule usage tracking, you can readily identify unused rules, validate additions to the rulebase, and evaluate whether the policy implementation matches your enforcement needs. This capability gives you a way to identify obsolete rules to aid in the transition from port-based rules to App-ID based rules. The statistics for monitoring rule use include a timestamp for the most recent rule match, a timestamp for the first rule match, and a rule hit counter.
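As an added illustration (not Palo Alto Networks code, and using constructed sample statistics rather than the firewall's own export format) of how the hit counter and the first/last match timestamps can drive a rule review: it separates truly unused rules from rules that were added too recently to have matched, flags stale rules, and lists the port-based rules that are candidates for the App-ID migration.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample of per-rule statistics. PAN-OS 8.1 rule usage tracking exposes a hit
# counter plus first-match and last-match timestamps; rules that have never matched have
# neither timestamp. "application"/"service" are simplified stand-ins for the rule's
# App-ID and service match conditions, not the firewall's export format.
RULE_USAGE = [
    {"name": "allow-web-appid", "created": "2018-05-01", "application": "web-browsing",
     "service": "application-default", "hits": 48213,
     "first_hit": "2018-05-01T09:12:00", "last_hit": "2018-08-22T17:45:00"},
    {"name": "legacy-port-80", "created": "2016-02-10", "application": "any",
     "service": "tcp/80", "hits": 102,
     "first_hit": "2016-02-11T08:00:00", "last_hit": "2018-01-04T11:30:00"},
    {"name": "temp-vendor-access", "created": "2017-11-20", "application": "any",
     "service": "tcp/3389", "hits": 0, "first_hit": None, "last_hit": None},
    {"name": "new-dns-allow", "created": "2018-08-20", "application": "dns",
     "service": "application-default", "hits": 0, "first_hit": None, "last_hit": None},
]


def classify_rules(rules: List[dict], as_of: str,
                   stale_days: int = 90, grace_days: int = 30) -> Dict[str, List[str]]:
    """Bucket rules by usage so removal candidates can be reviewed before any change.

    unused: never matched and older than the grace period   -> candidate for removal
    new:    never matched but created within the grace period -> too early to judge
            (validating an addition to the rulebase needs time for traffic to hit it)
    stale:  has matched, but not within `stale_days`        -> review before removal
    active: matched within `stale_days`
    """
    now = datetime.fromisoformat(as_of)
    stale_after, grace = timedelta(days=stale_days), timedelta(days=grace_days)
    buckets: Dict[str, List[str]] = {"unused": [], "new": [], "stale": [], "active": []}
    for rule in rules:
        created = datetime.fromisoformat(rule["created"])
        if rule["hits"] == 0 or rule["last_hit"] is None:
            bucket = "new" if now - created < grace else "unused"
        else:
            last_hit = datetime.fromisoformat(rule["last_hit"])
            bucket = "stale" if now - last_hit > stale_after else "active"
        buckets[bucket].append(rule["name"])
    return buckets


def port_based_rules(rules: List[dict]) -> List[str]:
    """Rules that match on ports rather than App-ID (application "any" with an explicit
    service): the candidates for the port-based to App-ID migration the notes mention."""
    return [r["name"] for r in rules
            if r["application"] == "any" and r["service"] != "application-default"]


if __name__ == "__main__":
    report = classify_rules(RULE_USAGE, as_of="2018-08-23")
    for bucket, names in report.items():
        print(f"{bucket:7}: {', '.join(names) or '-'}")
    print("port-based:", ", ".join(port_based_rules(RULE_USAGE)))
```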

Configuration Table Export
Auditors often require snapshots of Panorama and firewall configuration in order to track and validate changes over time or to demonstrate compliance with industry standards. You can now export the configuration table of your rulebases and objects into PDF or CSV format directly from the web interface, which gives the auditor an easy way to read and manipulate the data for analysis.

Reporting Engine Enhancements
Correlate system events with user activity to investigate network and platform behavior, and use these correlations to create policies that guard against security risks and patterns you observe on your network. When a network event occurs, you can now overlay system logs on top of available activity logs in the ACC and use the newly added User Activity Report filters to include or exclude specific users, applications, IP addresses, or URL categories. Then, use the results of these reporting engine enhancements to reduce or prevent future risky behavior in your network.

Enhanced Application Logging
Enable the firewall to collect data that increases network visibility for Palo Alto Networks applications. For example, this increased network visibility enables Palo Alto Networks Magnifier to better categorize and establish a baseline for normal network activity, in order to detect unusual behavior that might indicate an attack. Enhanced Application Logging requires a Logging Service license, and you cannot view enhanced application logs; they are designed to be consumed only by Palo Alto Networks applications and services.

Software Integrity Check
Starting with PAN-OS 8.1.1, firewalls and Panorama perform software integrity checks for tamper detection and software corruption. The software integrity check validates that the operating system and data file structure are intact and as delivered by Palo Alto Networks. When the check is successful, a System log of informational severity is generated. If the check detects software corruption or possible appliance tampering, it generates a System log of critical severity on PAN-OS 8.1.1 and 8.1.2. Starting with PAN-OS 8.1.3, the appliance goes into maintenance mode when the check fails. For more details on how the software integrity check works, see the PAN-OS 8.1.1 Software Integrity Check article.
If you're using Panorama with GlobalProtect Cloud Service or the Logging Service, you must install Cloud Services plugin 1.0.3 before you upgrade Panorama to PAN-OS 8.1.1. If you attempt to upgrade Panorama to 8.1.1 with a Cloud Services plugin version earlier than 1.0.3, the Panorama upgrade will fail.

Networking Features

New Networking Feature / Description

Tunnel Content Inspection Logging
Tunnel Content Inspection is enhanced so that you can separate logs for outer tunnel traffic from logs for inside traffic, which is subject to security policy rules. This separation provides more reporting options and enhanced ACC statistics, and makes troubleshooting long-lived sessions, such as GRE, easier. For example, using only the default logging for a security policy rule (which logs at session end) might not provide any logs, but now you can log tunnel sessions at the start and end of a session, allowing you to view all GRE traffic. You can also now forward tunnel inspection logs to one or more servers or to Panorama, which makes it more convenient to access log data. Additionally, when you view a detailed tunnel inspection log, it includes the name of the tunnel inspection rule applied to the session captured in the log, which makes it easier to track information about non-encrypted tunnel traffic.

Dynamic IP Address Support for Destination NAT
You can now configure destination NAT to a translated destination host that has a DHCP-assigned IP address (not just to a host with a static IP address) because the translated address can now be an FQDN. This means that when the DHCP server assigns a new address to the host, you don’t have to manually update the FQDN, the DNS server, or the NAT policy rule—nor do you need to use a separate external component to update the DNS server with the latest FQDN-to-IP address mapping.
With this capability, if the FQDN resolves to more than one address, the firewall automatically distributes sessions among those addresses (based on a round-robin algorithm) to provide more evenly distributed session loading. Also, in a single NAT rule, you can translate multiple pre-NAT destination IP addresses to multiple post-NAT destination IP addresses to support a many-to-many destination NAT translation.

FQDN Support for IKE Gateway Peer Address
When you configure an IPSec tunnel with an IKE gateway peer, the peer’s IP address can now be an FQDN or an address object that uses an FQDN, which helps you avoid the need to reconfigure changed IP addresses for IKE endpoints. For example, if you have several satellite offices with multiple hub locations and VPN connectivity between firewalls at the satellites and hub gateway, you can now configure the firewall in each satellite office with the IKE peer address of the hub as an FQDN. So if one hub goes down, the DNS server for that FQDN automatically resolves the FQDN to the IP address for the second hub and you don’t have to manually reconfigure the IKE peer to use the IP address of the second hub.

Configuration Capacity Improvements
To help you scale your deployment and ease the migration to Palo Alto Networks firewalls, there are several configuration capacity improvements. Depending on the model, firewalls running PAN-OS 8.1 now support more address groups, service groups, service entries per service group, address objects, service objects, FQDN address objects, zones, tunnel zones, security rules, and tunnel inspection rules. Additionally, all firewalls running PAN-OS 8.1 support 63 characters per rule name.

Refresh of Default Trusted CAs
The certificate authorities (CAs) that the firewall trusts by default are updated in PAN-OS 8.1; new CAs are added and expired CAs are removed. The pre-installed list of CAs includes the most common and trusted certificate providers responsible for issuing the certificates the firewall requires to secure the connections to the internet. Because these CAs are trusted by default, you need to add only those additional trusted enterprise CAs that are required by your organization.

ARP Cache Timeout
The fixed 1800-second timeout of ARP cache entries (mappings of IP addresses to hardware addresses) set on the firewall might not have suited your environment. You can now change the ARP cache timeout to a value in the range of 60 to 65,535 seconds.

Logging of Packet-Based Attack Protection Events
(PAN-OS 8.1.2 or later releases) You now have a way to generate a Threat log when the firewall receives certain types of packets, so that you can more easily analyze these occurrences and also fulfill audit and compliance requirements. If you enable the following types of Packet-Based Attack Protection in a Zone Protection profile, you can generate a Threat log when the firewall receives and drops such packets:
• Fragmented IP packets
• IP address spoofing
• ICMP packets larger than 1024 bytes
• Packets containing ICMP fragments
• ICMP packets embedded with an error message
• First packets for a TCP session that are not SYN packets
You can also generate Threat logs on the following events (which don’t require Packet-Based Attack Protection):
• Teardrop attack
• DoS attack using ping of death

User-ID Features
The Windows-based User-ID™ Agent 8.1 release includes the following new feature.

New User-ID Feature / Description

Support for Multiple Username Formats
When a user logs on to multiple services with different usernames, User-ID™ sources send these usernames in multiple formats (for example, jane.doe@domain.com, DOMAIN\jdoe, and jdoe). In this case, it can be difficult to uniquely identify the user. To help you identify and consistently enforce policy for these users, you can now configure the firewall to fetch multiple attributes from an LDAP-compliant directory.
For more information, refer to the PAN-OS® 8.1 New Features Guide.

Certifications Features

New Certifications Feature / Description

FIPS Scrub Option
If you need to decommission or send in a FIPS-enabled Palo Alto Networks firewall or appliance for repair, you can now scrub the swap memory to remove all cryptographic security parameter (CSP) information from the swap partition(s). Beginning with PAN-OS 8.1.2, you can add the scrub option to the shutdown or restart CLI command as follows:
> request [restart | shutdown] system with-swap-scrub [dod | nnsa]
After the scrub completes, a System log is generated that indicates the status of the scrub.

New Hardware Introduced with PAN-OS 8.1

New Hardware / Description
PA-220R Firewall
The PA-220R firewall is designed and certified for deployments in harsh industrial environments while continuing to provide the same next-generation security features as our other firewall models. The PA-220R firewall includes the following main features:
• An operating temperature range from -40°F to 158°F
• Six 10/100/1000Mbps RJ-45 ports with built-in surge protection
• Passive cooling (no fans) to reduce noise and power consumption and to increase reliability (no moving parts)
• Two direct 12-24VDC power inputs to provide redundant DC power
• Supports active/passive and active/active high availability (HA) configurations
For more information on the PA-220R firewall, refer to the PA-220R Hardware Reference.

PA-3200 Series Firewalls
The PA-3200 Series includes the PA-3220, PA-3250, and PA-3260 firewalls, which are designed to deliver high-performance internet edge deployments. These firewalls include the following main features:
• Interface speeds up to 40Gbps
• Up to five times the overall performance of the PA-3000 Series firewalls
• Decryption performance increased by up to seven times and decryption session capacity increased by up to twenty times compared to the PA-3000 Series firewalls
For more information on the hardware, refer to the PA-3200 Series Hardware Reference.

PA-5280 Firewall
The newest PA-5200 Series firewall, the PA-5280, comes with double the memory of the PA-5260 firewall. The PA-5280 firewall uses nearly the same hardware as the PA-5260 except that it doubles the session capacity from 32 million to 64 million sessions.
For more information on the hardware, refer to the PA-5200 Series Hardware Reference.


M-200 and M-600 Appliances
These new M-Series models are multi-functional appliances that you can configure to run in Panorama™ Management mode, Panorama Management-only mode, Panorama Log Collector mode, or PAN-DB Private Cloud mode. These models include the following main features when compared to the M-100 and M-500 appliances:
• Improved responsiveness with faster CPU and more memory
• Increased log ingestion rate
• Improved serviceability by providing dual power supplies and the ability to replace the operating system drive if a failure occurs
For more information on the hardware, refer to the M-200 and M-600 Appliance Hardware Reference.

Changes to Default Behavior
The following topics describe changes to default behavior in PAN-OS® and Panorama™ 8.1:
• App-ID Changes in PAN-OS 8.1
• Authentication Changes in PAN-OS 8.1
• Content Inspection Changes in PAN-OS 8.1
• GlobalProtect Changes in PAN-OS 8.1
• User-ID Changes in PAN-OS 8.1
• Panorama Changes in PAN-OS 8.1

App-ID Changes in PAN-OS 8.1

PAN-OS® 8.1 has the following changes in default behavior for App-ID features:

Feature / Change

App-ID cache for SSL applications
The default setting of the App-ID cache for SSL applications has changed:
• PAN-OS 8.0 and earlier releases—The App-ID cache for SSL applications is enabled by default. If a cloud service provider serves multiple applications from the same IP address and you notice the firewall misidentifying these applications, you can disable the cache in PAN-OS 8.0.8 and later releases. For details, see PAN-84445 in the Addressed Issues of the PAN-OS 8.0 Release Notes.
• PAN-OS 8.1 release—The App-ID cache for SSL applications is disabled by default. Firewalls running PAN-OS 8.1 do not populate the cache when they can identify applications from the Server Name Indication (SNI). If in rare cases the firewall misidentifies applications, you can manually enable the cache.
To change the default setting in PAN-OS 8.1 or in PAN-OS 8.0.8 or a later 8.0 release, run the following CLI command:
> set application use-appid-cache-ssl-sni {no | yes}

Authentication Changes in PAN-OS 8.1

PAN-OS 8.1 has the following change in default behavior for Authentication features:

Feature / Change

Extensible Authentication Protocol (EAP) Support for RADIUS
All new RADIUS server profiles use PEAP-MSCHAPv2 as the default Authentication Protocol, and the Make Outer Identity Anonymous option is enabled by default.
The Auto option for the Authentication Protocol has been deprecated. With this deprecation, after you upgrade a firewall that was previously configured to use Auto, the firewall will use CHAP or PAP based on the protocol that was in use before the upgrade; a firewall that was not configured to use RADIUS authentication before the upgrade will default to CHAP.
After you upgrade, Panorama templates use CHAP as the default authentication protocol.
When you downgrade a firewall that was configured to use PEAP-MSCHAPv2, PEAP with GTC, or EAP-TTLS with PAP, the firewall will default to CHAP.

Content Inspection Changes in PAN-OS 8.1

PAN-OS® 8.1 has the following changes in default behavior for Content Inspection features:

Feature / Change

Enhanced Application Logging
As of PAN-OS 8.1.2, the Enhanced Application Log type that records non-SYN TCP traffic is disabled by default. There aren't any Palo Alto Networks® cloud services or apps that currently leverage non-SYN TCP logs; however, if you enable enhanced application logging and want to capture non-SYN TCP logs, consult your SE or contact Palo Alto Networks Customer Support for assistance.

Critical Content Update Alerts
As of PAN-OS 8.1.2, Palo Alto Networks critical content update alerts are logged as system log entries with the Type dynamic-updates and the Event palo-alto-networks-message. You can use the following filter to view or set up log forwarding for these types of log entries:
(subtype eq dynamic-updates) and (eventid eq palo-alto-networks-message)
In PAN-OS 8.1.0 and PAN-OS 8.1.1, critical content alerts are logged with the Type general and the Event palo-alto-networks-message:
(subtype eq general) and (eventid eq palo-alto-networks-message)
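An added example (not Palo Alto Networks code) that evaluates both filter forms over constructed system log records, using a minimal evaluator for the filter syntax (the eq/neq, and/or and parentheses subset; the record field names are assumptions). It shows why a log forwarding rule or SIEM query keyed only on the pre-8.1.2 filter silently misses critical content alerts once a firewall is upgraded.

```python
import re
from typing import Dict, List, Sequence

# Filters quoted in the release notes: PAN-OS 8.1.2 and later, then PAN-OS 8.1.0/8.1.1.
FILTER_8_1_2_PLUS = "(subtype eq dynamic-updates) and (eventid eq palo-alto-networks-message)"
FILTER_8_1_0_AND_8_1_1 = "(subtype eq general) and (eventid eq palo-alto-networks-message)"


class _FilterParser:
    """Recursive-descent evaluator for a small subset of the PAN-OS log filter syntax:
    <field> eq|neq <value>, combined with and/or and parentheses ('and' binds tighter).
    Values containing spaces or parentheses are not supported by this simplified version."""

    def __init__(self, expr: str, record: Dict[str, str]):
        self.tokens = re.findall(r"\(|\)|[^\s()]+", expr)
        self.pos = 0
        self.record = record

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self):
        token = self._peek()
        if token is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return token

    def evaluate(self) -> bool:
        result = self._or_expr()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return result

    def _or_expr(self) -> bool:
        value = self._and_expr()
        while self._peek() == "or":
            self._take()
            rhs = self._and_expr()   # always parse the right side, never short-circuit
            value = value or rhs
        return value

    def _and_expr(self) -> bool:
        value = self._atom()
        while self._peek() == "and":
            self._take()
            rhs = self._atom()
            value = value and rhs
        return value

    def _atom(self) -> bool:
        token = self._take()
        if token == "(":
            value = self._or_expr()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return value
        op, operand = self._take(), self._take()
        if op not in ("eq", "neq"):
            raise ValueError(f"unsupported operator {op!r}")
        actual = self.record.get(token)   # a missing field never equals anything
        return (actual == operand) if op == "eq" else (actual != operand)


def matches(filter_expr: str, record: Dict[str, str]) -> bool:
    return _FilterParser(filter_expr, record).evaluate()


def critical_content_alerts(records: Sequence[Dict[str, str]],
                            filters: Sequence[str] = (FILTER_8_1_2_PLUS, FILTER_8_1_0_AND_8_1_1)
                            ) -> List[str]:
    """Return the ids of records matching any of the filters. Keeping both filters in the
    rule makes it correct on either side of the 8.1.1 to 8.1.2 upgrade."""
    return [r["id"] for r in records if any(matches(f, r) for f in filters)]


# Constructed sample system log records; only the fields the filters use are modelled,
# and the "content-install-ok" event id is made up for the non-matching case.
SAMPLE_SYSTEM_LOGS = [
    {"id": "s1", "panos": "8.1.1", "subtype": "general", "eventid": "palo-alto-networks-message"},
    {"id": "s2", "panos": "8.1.3", "subtype": "dynamic-updates", "eventid": "palo-alto-networks-message"},
    {"id": "s3", "panos": "8.1.3", "subtype": "dynamic-updates", "eventid": "content-install-ok"},
    {"id": "s4", "panos": "8.1.3", "subtype": "general", "eventid": "general"},
]

if __name__ == "__main__":
    print("both filters:   ", critical_content_alerts(SAMPLE_SYSTEM_LOGS))
    print("old filter only:", critical_content_alerts(SAMPLE_SYSTEM_LOGS, [FILTER_8_1_0_AND_8_1_1]))
```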

SMB Improvements with WildFire Support
If you previously enabled WildFire® forwarding on your firewall using the default WildFire analysis Security Profiles setting, the firewall now forwards files that have been transmitted using the SMB network protocol.

GlobalProtect Changes in PAN-OS 8.1
PAN-OS® 8.1 has the following changes in default behavior for GlobalProtect™ features:

Feature / Change

GlobalProtect gateway agent
The Client Settings > Split Tunnel tab has been split into two separate tabs: Access Route and Domain and Application. Use the Access Route tab to include or exclude specific destination IP subnet traffic from the VPN tunnel. Use the Domain and Application tab to include or exclude software as a service (SaaS) or public cloud applications from the VPN tunnel.
You can now add up to 100 DNS suffixes to the GlobalProtect gateway configuration (Network > GlobalProtect > Gateways > <gateway-config> > Agent > Network Services > DNS Suffix).

HIP categories
The Antivirus and Anti-Spyware HIP categories are now deprecated and superseded by the Anti-Malware HIP category in PAN-OS® 8.1. The Anti-Malware category enables HIP matching based on both the antivirus and anti-spyware coverage on GlobalProtect endpoints.

User-ID Changes in PAN-OS 8.1

PAN-OS 8.1 has the following change in default behavior for User-ID features:

Feature / Change

Support for Multiple Username Formats
• Since multiple username attributes are supported, you must select the primary username attribute that you want to use.
• Previously, the firewall normalized usernames received from User-ID sources (such as an LDAP directory) to the domain\username format. In PAN-OS 8.1, when the Primary Username is in UPN format, it will not be normalized as in previous PAN-OS versions. As a result, usernames are displayed on the web interface in their original format (for example, username@domain).
• If you use a Certificate Profile for authentication and the username is Subject Alt, the firewall does not drop the domain name from the email or Principal Name.
• To support multiple username formats, some web interface options were moved (refer to the callouts in the following screenshots):
  • (1) The Device > User Identification > Group Mapping Settings > Server Profile > User Objects > User Name option has been moved to Device > User Identification > Group Mapping Settings > User and Group Attributes > User Attributes.
  • (3) The Device > User Identification > Group Mapping Settings > Server Profile > Group Objects > Group Name and Group Member options have been moved to Device > User Identification > Group Mapping Settings > User and Group Attributes > Group Attributes.
  • (2) The Mail Domains section previously configured in Device > User Identification > Group Mapping Settings > Server Profile was moved to the User Attributes and Group Attributes settings in Device > User Identification > Group Mapping Settings > User and Group Attributes.

[Screenshot: Previous Group Mapping Settings]

[Screenshot: Current Group Mapping Settings]
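As an added illustration of the username-format problem described in the User-ID Features section and in the change above (example code, not the firewall's implementation; the directory entries and attribute names are constructed), this resolver maps logons observed in UPN, DOMAIN\user and bare-name formats to a chosen primary username attribute, and refuses to guess when a bare name exists in more than one domain.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class DirectoryUser:
    """Constructed sample of the attributes fetched from an LDAP-compliant directory."""
    sam_account_name: str       # e.g. "jdoe"
    user_principal_name: str    # e.g. "jane.doe@domain.com" (UPN)
    mail: str                   # e.g. "jane.doe@domain.com"
    netbios_domain: str         # e.g. "DOMAIN"


class UsernameResolver:
    """Map a username seen in any format to the configured primary username attribute.

    Keys are lower-cased because AD logon names are case-insensitive. A bare name such
    as "jdoe" that exists in more than one domain is recorded as ambiguous rather than
    guessed; that is the case the multiple-attribute lookup is meant to resolve.
    """

    def __init__(self, users: Iterable[DirectoryUser],
                 primary_attribute: str = "user_principal_name"):
        self.primary_attribute = primary_attribute
        self._index: Dict[str, DirectoryUser] = {}
        self._ambiguous: set = set()
        for user in users:
            qualified_keys = (
                user.user_principal_name,
                user.mail,
                f"{user.netbios_domain}\\{user.sam_account_name}",
            )
            for key in qualified_keys:
                if key:
                    self._index[key.lower()] = user
            bare = user.sam_account_name.lower()
            if bare in self._index and self._index[bare] is not user:
                self._ambiguous.add(bare)
            else:
                self._index.setdefault(bare, user)

    def resolve(self, observed: str) -> Optional[str]:
        """Return the primary username for an observed logon name, or None when the
        user is unknown or a bare name cannot be attributed to a single domain."""
        key = observed.strip().lower()
        if "/" in key and "\\" not in key:      # some sources send DOMAIN/user
            key = key.replace("/", "\\", 1)
        if key in self._ambiguous:
            return None
        user = self._index.get(key)
        if user is None:
            return None
        # Returned in the attribute's original format: with a UPN primary attribute,
        # PAN-OS 8.1 no longer normalizes the name to domain\username.
        return getattr(user, self.primary_attribute)


# Constructed sample directory: "jdoe" exists in two domains on purpose.
SAMPLE_DIRECTORY = [
    DirectoryUser("jdoe", "jane.doe@domain.com", "jane.doe@domain.com", "DOMAIN"),
    DirectoryUser("jdoe", "john.doe@partner.example", "john.doe@partner.example", "PARTNER"),
    DirectoryUser("asmith", "alice.smith@domain.com", "alice@domain.com", "DOMAIN"),
]


def resolve_observed_logins(observed: Iterable[str],
                            primary_attribute: str = "user_principal_name"
                            ) -> Dict[str, Optional[str]]:
    resolver = UsernameResolver(SAMPLE_DIRECTORY, primary_attribute)
    return {name: resolver.resolve(name) for name in observed}


if __name__ == "__main__":
    logins = ["jane.doe@domain.com", "DOMAIN\\jdoe", "jdoe", "asmith", "Alice@Domain.com"]
    for name, primary in resolve_observed_logins(logins).items():
        print(f"{name:22} -> {primary}")
```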

Panorama Changes in PAN-OS 8.1

Feature / Change

Templates and Template Stacks
You must assign managed devices to a template stack instead of a template.

Templates and Template Stacks
A maximum of 8 templates can be assigned to a template stack.

Device Groups
You can only view the template configuration for a device group if the devices in the device group, and the template, are associated with the same template stack.

CLI and XML API Changes in PAN-OS 8.1
PAN-OS® 8.1 has changes to existing CLI commands, which also affect corresponding PAN-OS XML API
requests. If you have a script or application that uses these requests, run the corresponding CLI commands
in debug mode to view the XML API syntax. A greater-than sign (>) precedes operational commands, while
a hash (#) precedes configuration commands. An asterisk (*) indicates that related commands in the same
hierarchy have also changed.
• Authentication CLI and XML API Changes
• Content Inspection CLI and XML API Changes
• Decryption CLI and XML API Changes
• GlobalProtect CLI and XML API Changes
• Management CLI and XML API Changes
• Panorama CLI and XML API Changes
• User-ID CLI and XML API Changes

Authentication CLI and XML API Changes

PAN-OS 8.1 has the following CLI and XML API changes for Authentication features:

Feature / Change

CLI access over SSH
The minimum and maximum have changed for the amount of data transmitted over the Management (MGT) interface before PAN-OS regenerates the SSH keys that administrators use to access the firewall CLI:
• PAN-OS 8.0 and earlier releases:
  # set deviceconfig system ssh session-rekey mgmt data {1-32 | default}
• PAN-OS 8.1 release:
  # set deviceconfig system ssh session-rekey mgmt data {10-4000 | default}

LDAP authentication
The minimum value has changed for the interval (in seconds) after which PAN-OS tries to connect to an LDAP server after a previous failed attempt:
• PAN-OS 8.0 and earlier releases:
  # set [shared] server-profile ldap <name> retry-interval <1-3600>
  # set [vsys <name>] server-profile ldap <name> retry-interval <1-3600>
• PAN-OS 8.1 release:
  # set [shared] server-profile ldap <name> retry-interval <60-3600>
  # set [vsys <name>] server-profile ldap <name> retry-interval <60-3600>

RADIUS authentication
PAN-OS no longer provides the option to fall back to Password Authentication Protocol (PAP) when a RADIUS server doesn’t respond to Challenge-Handshake Authentication Protocol (CHAP) requests:
• PAN-OS 8.0 and earlier releases:
  # set [shared] server-profile radius <name> protocol {CHAP | PAP | Auto}
  # set [vsys <name>] server-profile radius <name> protocol {CHAP | PAP | Auto}
• PAN-OS 8.1 release:
  # set [shared] server-profile radius <name> protocol {EAP-TTLS-with-PAP | PEAP-MSCHAPv2 | PEAP-with-GTC | CHAP | PAP}
  # set [vsys <name>] server-profile radius <name> protocol {EAP-TTLS-with-PAP | PEAP-MSCHAPv2 | PEAP-with-GTC | CHAP | PAP}

TACACS+ authentication
PAN-OS no longer provides the option to fall back to Password Authentication Protocol (PAP) when a TACACS+ server doesn’t respond to Challenge-Handshake Authentication Protocol (CHAP) requests:
• PAN-OS 8.0 and earlier releases:
  # set [shared] server-profile tacplus <name> protocol {CHAP | PAP | Auto}
  # set [vsys <name>] server-profile tacplus <name> protocol {CHAP | PAP | Auto}
• PAN-OS 8.1 release:
  # set [shared] server-profile tacplus <name> protocol {CHAP | PAP}
  # set [vsys <name>] server-profile tacplus <name> protocol {CHAP | PAP}

Content Inspection CLI and XML API Changes

PAN-OS 8.1 has the following CLI and XML API changes for content inspection features:

Feature / Change

Allow HTTP partial response
The command to enable or disable the option for clients to fetch only part of a file has changed:
• PAN-OS 8.0 and earlier releases:
  # set deviceconfig setting ctd skip-block-http-range {yes | no}
• PAN-OS 8.1 release:
  # set deviceconfig setting ctd allow-http-range {yes | no}

Decryption CLI and XML API Changes

PAN-OS 8.1 has the following CLI and XML API changes for decryption features:

Feature / Change

Decryption profiles
The CLI command to set administrative role privileges for Decryption profiles has changed in PAN-OS 8.1.
• PAN-OS 8.0 and earlier releases:
  # set shared admin-role <name> role {device | vsys} webui objects decryption-profile {enable | read-only | disable}
• PAN-OS 8.1 release:
  # set shared admin-role <name> role {device | vsys} webui objects decryption decryption-profile {disable | enable | read-only}

GlobalProtect CLI and XML API Changes

PAN-OS® 8.1 has the following CLI and XML API changes for GlobalProtect™ features:

Feature / Change

Host information profiles (HIP) for antivirus and anti-spyware
The commands for displaying and configuring antivirus and anti-spyware matching criteria are now consolidated under anti-malware matching criteria:
• PAN-OS 8.0 and earlier releases:
  # show [shared] profiles hip-objects <name> [antivirus | anti-spyware] *
  # show [vsys <name>] profiles hip-objects <name> [antivirus | anti-spyware] *
  # set [shared] profiles hip-objects <name> [antivirus | anti-spyware] *
  # set [vsys <name>] profiles hip-objects <name> [antivirus | anti-spyware] *
• PAN-OS 8.1 release:
  # show [shared] profiles hip-objects <name> anti-malware *
  # show [vsys <name>] profiles hip-objects <name> anti-malware *
  # set [shared] profiles hip-objects <name> anti-malware *
  # set [vsys <name>] profiles hip-objects <name> anti-malware *

Host information profiles (HIP) for disk encryption The commands for configuring disk encryption
matching criteria changed:
PAN-OS 8.0

# set [shared] profiles hip-


objects <name> disk-encryption
criteria
encrypted-locations <name>
encryption-state {is | is-not}
{full | none | not-available |
partial}

# set [vsys <name>] profiles hip-


objects <name> disk-encryption
criteria
encrypted-locations <name>
encryption-state {is | is-not}
{full | none | not-available |
partial}

PAN-OS 8.1

# set [shared] profiles hip-


objects <name> disk-encryption
criteria
encrypted-locations <name>
encryption-state {is | is-not}
{encrypted | partial | unencrypted
| unknown}

# set [vsys <name>] profiles hip-


objects <name> disk-encryption
criteria
encrypted-locations <name>
encryption-state {is | is-not}

30 PAN-OS® 8.1 RELEASE NOTES | PAN-OS 8.1 Release Information


© 2018 Palo Alto Networks, Inc.
Feature Change
{encrypted | partial | unencrypted
| unknown}

GlobalProtect satellites Subnet masks were never applicable to


GlobalProtect satellite gateways and therefore
the option to enter a subnet mask is deprecated in
PAN-OS 8.1:
• PAN-OS 8.0 and earlier releases:

# set [vsys <name>] global-


protect global-protect-
portal <name> satellite-config
configs <name> gateways <name>
ip [ipv4 | ipv6] <ip/netmask>
• PAN-OS 8.1 release:

# set [vsys <name>] global-


protect global-protect-
portal <name> satellite-config
configs <name> gateways <name>
ip [ipv4 | ipv6] <value>

Management CLI and XML API Changes

PAN-OS 8.1 has the following CLI and XML API changes for firewall management features:

Feature: High availability (HA) settings
Change: The syntax to set the HA group ID changed in PAN-OS 8.1. To set the group ID, you now enter group group-id followed by the group ID number (1-63).
  • PAN-OS 8.0 and earlier releases:
    # set deviceconfig high-availability group <name>
  • PAN-OS 8.1 release:
    # set deviceconfig high-availability group group-id <1-63>

Feature: Core logs (PA-200 and PA-220 firewalls only)
Change: The CLI command to allocate logdb storage for large core files now allocates 128MB instead of 4GB. This changed because allocating 4GB caused a commit error on these models.
    # set deviceconfig setting management large-core

Feature: Rule use
Change: The CLI command to view used and unused rules changed. In PAN-OS 8.1, you must add the highlight option.
  • PAN-OS 8.0 and earlier releases:
    > show running rule-use vsys <value> rule-base
  • PAN-OS 8.1 release:
    > show running rule-use highlight vsys <value> rule-base
Panorama CLI and XML API Changes

PAN-OS 8.1 has the following CLI and XML API changes for Panorama features:

Feature: Deploying content updates
Change: The CLI commands to set and display thresholds for the Antivirus updates and Applications and Threats updates that the Panorama management server deploys to firewalls and Log Collectors have changed in PAN-OS 8.1. The threshold (in hours) is now a per-schedule configuration-mode setting instead of a global operational-mode setting, and its upper bound changed from 120 to 336.
  • PAN-OS 8.0.6 and later 8.0 releases have the following operational mode commands (which were unavailable in earlier releases):
    > request batch {content | anti-virus} threshold set <1-120>
    > request batch {content | anti-virus} threshold show
  • PAN-OS 8.1 release:
    # set deviceconfig system deployment-update-schedule <schedule_name> <update_type> recurring threshold <1-336>
    # show deviceconfig system deployment-update-schedule <schedule_name>

Feature: Request get-template-stack
Change: The following command to view the template stack-level configuration is deprecated in PAN-OS 8.1:
    > request get-template-stack template-stack <value> xpath <value> transform <value> sortby <value> order <value> nrec <value> skip <value> dir <value> anchor <value> emptyok <value> shallow <value> xpaths
    > request get-template-stack template-stack <value> xpath <value> transform <value> sortby <value> order <value> nrec <value> skip <value> dir <value> anchor <value> emptyok <value> shallow <value> xpaths entry
  In PAN-OS 8.1, run the following command to view the stack-level configuration:
    > show template-stack <name>
  To view the merged configuration of a stack and all inherited templates, run the following command:
    > show template <name>

Feature: Managed devices privileges
Change: The CLI command to set administrative role privileges for managed devices has changed in PAN-OS 8.1; the privilege is now set separately for the Summary and Health views.
  • PAN-OS 8.0 release:
    # set shared admin-role <name> role panorama webui panorama managed-devices
  • PAN-OS 8.1 release:
    # set shared admin-role <name> role panorama webui panorama managed-devices {summary | health} {enable | read-only | disable}

Feature: Context switch privileges
Change: The CLI command to set context switch privileges for managed devices has changed in PAN-OS 8.1. You can now configure the privilege for a decryption profile and for a decryption forwarding profile.
  • PAN-OS 8.0 release:
    # set shared admin-role <name> role panorama contextswitch objects decryption-profile {enable | read-only | disable}
  • PAN-OS 8.1 release:
    # set shared admin-role <name> role panorama contextswitch objects decryption {decryption-profile | decryption-forwarding-profile} {enable | read-only | disable}
User-ID CLI and XML API Changes

PAN-OS 8.1 has the following CLI and XML API changes for User-ID features:

Feature: Username-to-group mapping
Change:
  • The command to configure the user email attribute in group mapping configurations has changed in PAN-OS 8.1:
    • PAN-OS 8.0 and earlier releases:
      # set [vsys <name>] group-mapping <name> email {<email1> <email2> <email3>...}
    • PAN-OS 8.1 release:
      # set [vsys <name>] group-mapping <name> user-email {<email1> <email2> <email3>}
  • The following command to configure the email domain list in group mapping configurations is deprecated in PAN-OS 8.1:
      # set [vsys <name>] group-mapping <name> mail-domain-list {<mail-domain-list1> <mail-domain-list2> <mail-domain-list3>...}
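The CLI change tables above are the kind of thing that breaks scripted configuration pushes (set-format exports, Ansible templates, XML API wrappers) after an upgrade. The following script, an added example that is not Palo Alto Networks code, rewrites PAN-OS 8.0 set-format lines to the 8.1 syntax for the renames the tables document (allow-http-range, the decryption node in admin roles, the anti-malware HIP node, the disk-encryption state values, user-email), drops the deprecated mail-domain-list command, and flags the HA group ID and managed-devices privilege commands, whose shape changed, for manual review. Two things in it are the author's inferences rather than statements from these release notes: the mapping of disk-encryption state values (full to encrypted, none to unencrypted, not-available to unknown) and the assumption that allow-http-range keeps the yes/no polarity of skip-block-http-range. The sample input is constructed, not a real device export.

```python
"""Rewrite PAN-OS 8.0 set-format configuration lines to PAN-OS 8.1 CLI syntax.

Added example for the CLI change tables above; not Palo Alto Networks code.
Only the renames those tables document are automated. Two points are the
author's inferences, not statements from the release notes:
  * disk-encryption state values: full -> encrypted, none -> unencrypted,
    not-available -> unknown (partial is unchanged)
  * allow-http-range keeps the yes/no polarity of skip-block-http-range
Structural changes (HA group ID, managed-devices privileges) are only flagged.
"""
import re

# Straight renames: (compiled pattern, replacement template, optional note).
RENAMES = [
    # Content-ID: allow HTTP partial response
    (re.compile(r"^(set deviceconfig setting ctd )skip-block-http-range (yes|no)$"),
     r"\g<1>allow-http-range \g<2>",
     "ASSUMPTION: allow-http-range uses the same yes/no polarity"),
    # Admin-role privileges: decryption-profile moved under a new 'decryption' node
    (re.compile(r"^(set shared admin-role \S+ role (?:device|vsys) webui objects )"
                r"decryption-profile (enable|read-only|disable)$"),
     r"\g<1>decryption decryption-profile \g<2>", None),
    (re.compile(r"^(set shared admin-role \S+ role panorama contextswitch objects )"
                r"decryption-profile (enable|read-only|disable)$"),
     r"\g<1>decryption decryption-profile \g<2>", None),
    # HIP: antivirus and anti-spyware criteria consolidated under anti-malware
    (re.compile(r"^(set (?:shared |vsys \S+ )profiles hip-objects \S+ )"
                r"(?:antivirus|anti-spyware)\b(.*)$"),
     r"\g<1>anti-malware\g<2>",
     "antivirus/anti-spyware merged into anti-malware; check for conflicting criteria"),
    # User-ID group mapping: email -> user-email
    (re.compile(r"^(set (?:vsys \S+ )?group-mapping \S+ )email (.+)$"),
     r"\g<1>user-email \g<2>", None),
]

# HIP disk-encryption state values (the mapping is an assumption, see docstring).
DISK_STATE = {"full": "encrypted", "none": "unencrypted", "not-available": "unknown"}
DISK_STATE_RE = re.compile(
    r"^(set (?:shared |vsys \S+ )profiles hip-objects \S+ disk-encryption criteria "
    r"encrypted-locations \S+ encryption-state (?:is|is-not) )(full|none|not-available)$")

# Commands removed in 8.1: drop the line and say so.
DEPRECATED = [
    (re.compile(r"^set (?:vsys \S+ )?group-mapping \S+ mail-domain-list\b"),
     "mail-domain-list is deprecated in PAN-OS 8.1; line dropped"),
]

# Commands whose shape changed: keep the line, flag it for a human.
REVIEW = [
    (re.compile(r"^set deviceconfig high-availability group\b"),
     "HA group ID is now 'group group-id <1-63>'; review manually"),
    (re.compile(r"^set shared admin-role \S+ role panorama webui panorama managed-devices\b"),
     "managed-devices privilege now takes {summary | health}; review manually"),
]


def migrate_line(line):
    """Return (new_line, note); new_line is None when the line is dropped."""
    s = line.strip()
    for pat, note in DEPRECATED:
        if pat.match(s):
            return None, note
    for pat, note in REVIEW:
        if pat.match(s):
            return s, note
    m = DISK_STATE_RE.match(s)
    if m:
        return m.group(1) + DISK_STATE[m.group(2)], "ASSUMPTION: encryption-state value mapping"
    for pat, repl, note in RENAMES:
        if pat.match(s):
            return pat.sub(repl, s), note
    return s, None


def migrate(lines):
    """Migrate a list of set commands; returns (new_lines, notes).

    Lines that become identical after a rename (antivirus and anti-spyware
    criteria that collapse onto one anti-malware node) are emitted once.
    """
    out, seen, notes = [], set(), []
    for n, line in enumerate(lines, 1):
        new, note = migrate_line(line)
        if note:
            notes.append(f"line {n}: {note}")
        if new is not None and new not in seen:
            seen.add(new)
            out.append(new)
    return out, notes


# Constructed PAN-OS 8.0 sample input (not a real device export).
SAMPLE_80_CONFIG = [
    "set deviceconfig setting ctd skip-block-http-range yes",
    "set shared admin-role sec-ops role device webui objects decryption-profile read-only",
    "set shared profiles hip-objects corp-av antivirus criteria is-installed yes",
    "set shared profiles hip-objects corp-av anti-spyware criteria is-installed yes",
    "set shared profiles hip-objects corp-fde disk-encryption criteria "
    "encrypted-locations C: encryption-state is full",
    "set vsys vsys1 group-mapping ad-groups email [ mail userPrincipalName ]",
    "set vsys vsys1 group-mapping ad-groups mail-domain-list [ example.com ]",
    "set deviceconfig high-availability group 7",
    "set deviceconfig system hostname fw01",
]

if __name__ == "__main__":
    migrated, review_notes = migrate(SAMPLE_80_CONFIG)
    print("\n".join(migrated))
    print("\n".join(review_notes))
```

Run it against a `set`-format export taken before the upgrade and diff the output against what the upgraded device shows in `set cli config-output-format set` / `show` mode; anything in the notes list is a line you should check by hand rather than push blindly.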

Associated Software and Content Versions
The following minimum software and content release versions are compatible with PAN-OS 8.1. To see a list of the next-generation firewall models that support PAN-OS 8.1, see the Palo Alto Networks® Compatibility Matrix.

Palo Alto Networks Software or Content Release Version   Minimum Compatible Version with PAN-OS 8.1
Panorama                                                   8.1
User-ID Agent                                              8.1
Terminal Services (TS) Agent                               8.1
GlobalProtect App                                          4.0
Applications and Threat Content Release Version            769
Antivirus Content Release Version                          2137
VMware NSX Plugin Version                                  2.0.1

Limitations
The following are limitations associated with PAN-OS 8.1 releases.

Issue ID Description

— Beginning in PAN-OS 8.1.3, firewalls and appliances perform a software integrity check periodically while they are running and when they reboot. If you simultaneously boot up multiple instances of a VM-Series firewall on a host, or you enable CPU over-subscription on a VM-Series firewall, the firewall boots into maintenance mode when a processing delay causes a response timeout during the integrity check. If your firewall goes into maintenance mode, check the errors and warnings in the fips.log file.
  A reboot always occurs during an upgrade, so if you enabled CPU over-subscription on your VM-Series firewall, consider upgrading the firewall during a maintenance window.

PAN-85036 If you use the Panorama management server to manage the configuration of an active/active firewall HA pair, you must set the Device ID for each firewall HA peer before upgrading Panorama to 8.1. If you upgrade without setting the Device IDs, which determine which peer will be active-primary, you cannot commit configuration changes to Panorama.

PAN-81719 You cannot form an HA pair of Panorama management servers on AWS instances when the management interface on one HA peer is assigned an Elastic Public IP address or when the HA peers are in different Virtual Private Clouds (VPCs).

PAN-79669 The firewall blocks an HTTPS session when the hardware security module (HSM) is down and a Decryption policy for inbound inspection uses the default decryption profile for an ECDSA certificate.

Known Issues
The following topics describe known issues in PAN-OS® 8.1 releases.

For recent updates to known issues for a given PAN-OS release, refer to https://live.paloaltonetworks.com/t5/Articles/Critical-Issues-Addressed-in-PAN-OS-Releases/ta-p/52882.

• Known Issues Related to PAN-OS 8.1 Releases
• Known Issues Specific to the WF-500 Appliance
• Known Issues Related to the Logging Service

Known Issues Related to PAN-OS 8.1 Releases

The following list includes known issues specific to PAN-OS® 8.1 releases, which includes known issues specific to Panorama™ and GlobalProtect™, as well as known issues that apply more generally or that are not identified by an issue ID. See also the Known Issues Specific to the WF-500 Appliance.

Issue ID Description

— Upgrading a PA-200 or PA-500 firewall to PAN-OS 8.1 can take 30 to 60 minutes to complete. Ensure uninterrupted power to your firewall throughout the upgrade process.

— PAN-OS 8.1.1 introduces a new software integrity check; a failed check results in a critical system log, while a passed check generates an informational system log.
  To check for a software integrity check failure, select Monitor > Logs > System and enter the filter: (severity eq critical) and (eventid eq fips-selftest-integ).
  Contact Palo Alto Networks Support if a device fails a software integrity check.
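A failed integrity check is exactly the event a security operations team wants paged on rather than discovered in the web interface, and the Limitations section above shows that VM-Series firewalls can also drop into maintenance mode over the same check. The following script, an added example that is not Palo Alto Networks code, applies the release notes' filter (severity eq critical and eventid eq fips-selftest-integ) to system log lines forwarded over syslog, so it can run in a SIEM pipeline or a cron job. The field positions follow the PAN-OS 8.1 system log CSV field order as the author recalls it (type at index 3, event ID at 8, severity at 13, description at 14) and are an assumption to verify against your own forwarding format; the sample lines, serial numbers and the unrelated HA event are constructed.

```python
"""Flag software integrity check failures in PAN-OS system logs.

Added example; not Palo Alto Networks code. It reproduces the web-interface
filter (severity eq critical) and (eventid eq fips-selftest-integ) over
syslog-forwarded system log lines. ASSUMPTION: field positions below follow
the PAN-OS 8.1 system log CSV field order; adjust FIELDS if yours differ.
"""
import csv
import io

# Zero-based CSV field positions for the PAN-OS 8.1 system log (assumption).
FIELDS = {"receive_time": 1, "serial": 2, "type": 3, "subtype": 4,
          "eventid": 8, "severity": 13, "description": 14}

INTEGRITY_EVENT = "fips-selftest-integ"


def parse_system_log(line):
    """Parse one forwarded log line into a dict, or None if it is not a SYSTEM log.

    A syslog header ("<pri>Mon DD HH:MM:SS host ") may precede the CSV body,
    which always starts with the FUTURE_USE field "1,".
    """
    body = line if line.startswith("1,") else line.split(None, 4)[-1]
    row = next(csv.reader(io.StringIO(body)))
    if len(row) <= FIELDS["description"] or row[FIELDS["type"]] != "SYSTEM":
        return None
    return {name: row[idx] for name, idx in FIELDS.items()}


def is_integrity_failure(rec):
    """The release-notes filter: critical severity on the integrity self-test event."""
    return rec["severity"] == "critical" and rec["eventid"] == INTEGRITY_EVENT


def find_integrity_failures(lines):
    """Return (serial, receive_time, description) for every failed integrity check."""
    hits = []
    for line in lines:
        rec = parse_system_log(line)
        if rec and is_integrity_failure(rec):
            hits.append((rec["serial"], rec["receive_time"], rec["description"]))
    return hits


# Constructed sample feed: one passed check, one failed check, one unrelated
# critical event, and a traffic log that shares the syslog destination.
SAMPLE_LOGS = [
    '<14>Aug 23 10:00:01 fw01 1,2018/08/23 10:00:01,001801012345,SYSTEM,general,0,'
    '2018/08/23 10:00:01,,fips-selftest-integ,,0,0,general,informational,'
    '"Software integrity check passed",12345,0x0,0,0,0,0,,fw01',
    '<10>Aug 23 10:05:07 fw02 1,2018/08/23 10:05:07,001801067890,SYSTEM,general,0,'
    '2018/08/23 10:05:07,,fips-selftest-integ,,0,0,general,critical,'
    '"Software integrity check failed",12346,0x0,0,0,0,0,,fw02',
    '<10>Aug 23 10:06:00 fw02 1,2018/08/23 10:06:00,001801067890,SYSTEM,ha,0,'
    '2018/08/23 10:06:00,,ha-peer-down,,0,0,ha,critical,'
    '"HA peer connection down",12347,0x0,0,0,0,0,,fw02',
    '<14>Aug 23 10:06:05 fw02 1,2018/08/23 10:06:05,001801067890,TRAFFIC,end,0,'
    '2018/08/23 10:06:05,10.1.1.5,93.184.216.34,0.0.0.0,0.0.0.0,allow-web',
]

if __name__ == "__main__":
    for serial, when, text in find_integrity_failures(SAMPLE_LOGS):
        print(f"ALERT {when} serial={serial}: {text}")
```

Pair the alert with the fips.log check from the Limitations section: a device that fails the check and reboots into maintenance mode will stop forwarding logs, so absence of the informational "passed" event after a scheduled reboot is itself worth a detection.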

GPC-2742 If you configure GlobalProtect portals and gateways to use client certificates and LDAP as two factors of authentication, Chromebook endpoints that run Chrome OS 47 or later versions encounter excessive prompts to select a client certificate.
  Workaround: To prevent excessive prompts, configure a policy to specify the client certificate in the Google Admin console and deploy that policy to your managed Chromebooks:
  1. Log in to the Google Admin console and select Device management > Chrome management > User settings.
  2. In the Client Certificates section, enter the following URL pattern to Automatically Select Client Certificate for These Sites:
     {"pattern": "https://[*.]", "filter":{}}
  3. Click Save. The Google Admin console deploys the policy to all devices within a few minutes.


PAN-103276 Adding a disk to a Panorama 8.1 virtual appliance on VMware ESXi 6.5 update 1 causes the Panorama virtual appliance and host web client to become unresponsive.
  Workaround: Upgrade the ESXi host to ESXi 6.5 update 2 and add the disk again.

PAN-102828 (Panorama plugins) When you use the AND/OR boolean operators to define the match criteria for Dynamic Address Groups on Panorama, the boolean operators do not function properly. The member IP addresses are not included in the address group as expected.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
  Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all

PAN-100686 An invalid public key is intermittently applied to the administrator account when deploying a VM-Series firewall in Google Cloud using the Google web interface.
  Workaround: The administrator must log in to the firewall via SSH with a valid private key using the ssh -i private-key-file admin@VM command. Then, from the CLI, remove the invalid public key and set a password for the admin account using the following configuration commands to enable successful commits:
    # delete mgt-config users admin public-key
    # set mgt-config users admin password
    # commit

PAN-100154 In PAN-OS 8.1.3 (and later releases), the default static route always becomes the active route and takes precedence over a DHCP auto-created default route that points to the same gateway, regardless of the metrics or order of installation. Thus, when the system has both a DHCP auto-created default route and a manually configured default static route pointing to the same gateway, the firewall always installs the default static route in the FIB.

PAN-99084 (HA configurations running PAN-OS 8.0.9 or a later PAN-OS 8.0 release) If you disable the high availability (HA) configuration sync option (enabled by default), User-ID data is not synced as expected between HA peers.
  Workaround: Re-enable Config Sync (Device > High Availability > General > Setup settings).


PAN-98735 Upgrading a Panorama management server on Microsoft Azure from PAN-OS 8.1.0 to PAN-OS 8.1.1 or PAN-OS 8.1.2 results in an autocommit failure. (This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.)
  Workaround: Before you upgrade to PAN-OS 8.1.1 or PAN-OS 8.1.2, export your Panorama 8.1.0 configuration. Then upgrade the Panorama management server and, when finished, import your exported configuration.
  Alternatively, you can export the Panorama 8.1.0 configuration, deploy a new instance of Panorama using the 8.1.2 image on the Azure marketplace, and then import and reload the exported configuration.
  If you decide to launch a new Panorama 8.1.2 VM through the Azure marketplace, the web interface will display the image as PAN-OS 8.1.2-h4.

PAN-97848 Panorama on KVM deploys in Legacy mode instead of Management Only mode even when the minimum resource requirements for Management Only mode are met.
  Workaround: Once you successfully deploy Panorama on KVM, change to Management Only mode.

PAN-97757 GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
  Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.

PAN-97561 Panorama appliances running PAN-OS 8.1.2 cannot connect to the Logging Service. (This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.)
  • When you deploy a Panorama 8.1.2 virtual appliance, Panorama is unable to connect to the Logging Service and firewalls are unable to forward logs to the Logging Service.
  • If you upgrade a Panorama virtual appliance with Logging Service enabled to PAN-OS 8.1.2, both Panorama and the firewalls continue to connect to the Logging Service but do not display information about Logging Service instances when you run the request logging-service-forwarding customerinfo fetch CLI command.

PAN-96985 The request shutdown system command does not shut down the Panorama management server.

PAN-96960 You cannot restart or shut down a Panorama on KVM from the virt-manager console or the virsh CLI.


PAN-96813 The GlobalProtect gateway ignores the Enable X-Auth Support setting when you enable or disable it through the firewall web interface (Network > GlobalProtect > Gateways > <gateway> > Agent > Tunnel Settings).
  Workaround: Enable or disable X-Auth support by running the set network tunnel global-protect-gateway <gateway> ipsec third-party-client rekey-noauth {yes | no} configuration mode CLI command.

PAN-96446 A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.

PAN-96113 In a deployment where the firewall connects to a Border Gateway Protocol (BGP) peer that advertises a route for which the next hop is not in the same subnetwork as the BGP peer interface, the show routing protocol bgp rib-out CLI command does not display advertised routes that the firewall sent to the BGP peer. (This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.)
  Workaround: Move the next hop to the same subnetwork as the BGP peer interface.

PAN-95999 Firewalls in an active/active high availability (HA) deployment, with a default session setup and owner configuration, drop packets in a GlobalProtect VPN tunnel that uses a floating IP address.

PAN-95895 Firewalls that collect port-to-username mappings from Terminal Services agents don't enforce user-based policies correctly because the dataplane has incorrect primary-to-alternative-username mappings even after you clear the User-ID cache. (This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.)

PAN-95773 On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
  Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.

PAN-95717 After 30,000 or more end users log in to the GlobalProtect gateway within a two- to three-hour period, the firewall web interface responds slowly, commits take longer than expected or intermittently fail, and Tech Support File generation times out and fails.

PAN-95602 In a deployment where a Log Collector connects to Panorama management servers in a high availability (HA) configuration, after you switch the Log Collector appliance to Panorama mode, commit operations fail on the appliance.
  Workaround: Remove the following node from the running-config.xml file on the Log Collector before switching it to Panorama mode: devices/entry[@name='localhost.localdomain']/deviceconfig/system/panorama-server-2
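Editing a running-config.xml by hand is where a stray character turns a mode switch into a failed load, so the PAN-95602 workaround is better done with an XML parser that removes only the named node and leaves everything else byte-for-byte equivalent. The following script, an added example that is not Palo Alto Networks code, removes the node at the XPath the release notes give from an exported configuration and reports whether it was present. The XML skeleton in the sample is a constructed minimal stand-in for a real running-config.xml, not an actual export.

```python
"""Remove the secondary Panorama server node from a Log Collector's running-config.xml.

Added example for the PAN-95602 workaround; not Palo Alto Networks code.
The XPath is the one given in the release notes; the sample document is a
constructed minimal stand-in for a real running-config.xml export.
"""
import xml.etree.ElementTree as ET

# XPath from the release notes, relative to the <config> root element.
NODE_XPATH = "devices/entry[@name='localhost.localdomain']/deviceconfig/system/panorama-server-2"


def remove_secondary_panorama(xml_text):
    """Return (new_xml_text, removed).

    removed is False when the parent path or the node itself is absent, in
    which case the input is returned unchanged rather than re-serialised.
    """
    root = ET.fromstring(xml_text)
    parent_path, _, leaf = NODE_XPATH.rpartition("/")
    # ElementTree's find() understands the [@name='...'] predicate in the path.
    parent = root.find(parent_path)
    if parent is None:
        return xml_text, False
    node = parent.find(leaf)
    if node is None:
        return xml_text, False
    parent.remove(node)
    return ET.tostring(root, encoding="unicode"), True


def secondary_panorama_present(xml_text):
    """Post-condition check: True if the node is still in the document."""
    return ET.fromstring(xml_text).find(NODE_XPATH) is not None


# Constructed sample (not a real export); only the relevant subtree is shown.
SAMPLE_RUNNING_CONFIG = """<config version="8.1.0" urldb="paloaltonetworks">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <hostname>logcollector-1</hostname>
          <panorama-server>10.0.0.10</panorama-server>
          <panorama-server-2>10.0.0.11</panorama-server-2>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""

if __name__ == "__main__":
    cleaned, removed = remove_secondary_panorama(SAMPLE_RUNNING_CONFIG)
    print("removed panorama-server-2:", removed)
    print(cleaned)
```

Run it over an exported copy of the configuration, confirm `secondary_panorama_present` returns False on the output, and only then import the result back onto the Log Collector; keep the original export so the node can be restored after the appliance is in Panorama mode.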

PAN-95511 The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.

PAN-95445 VM-Series firewalls for NSX and firewalls in an NSX notify group (Panorama > VMware NSX > Notify Group) briefly drop traffic while receiving dynamic address updates after the primary Panorama in an HA configuration fails over.

PAN-95443 A VM-Series firewall on KVM in DPDK mode doesn't receive traffic after you configure it to use the i40e single-root input/output virtualization (SR-IOV) virtual function (VF). (This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.)

PAN-95197 Mobile endpoints that use GPRS Tunneling Protocol (GTP) lose traffic and have to reconnect because the firewall drops the response message that a Gateway GPRS support node (GGSN) sends for a second Packet Data Protocol (PDP) context update. (This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.)

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)

PAN-94864 A firewall receiving IP addresses via DHCP fails to resolve FQDN objects to an IP address. (This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.)

PAN-94853 Mobile endpoints that use GPRS Tunneling Protocol (GTP) lose GTP-U traffic because the firewall drops all GTP-U packets as packets without sessions after receiving two GTP requests with the same tunnel endpoint identifiers (TEIDs) and IP addresses. (This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.)

PAN-94846 When DPDK is enabled on the VM-Series firewall with the i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.

PAN-94777 A 500 Internal Server error occurs for traffic that matches a Security policy rule with a URL Filtering profile that specifies a Continue action (Objects > Security Profiles > URL Filtering) because the firewall does not treat the API keys as binary strings. (This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.)
  Workaround: Reboot the firewall.


PAN-94452 The firewall records GPRS Tunneling Protocol (GTP) packets multiple times in firewall-stage packet captures (PCAPs). (This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.)

PAN-94402 Upgrading firewalls from PAN-OS 8.0 to 8.1 causes the loss of user mapping information and therefore disrupts user-based policies in the following high availability (HA) configurations:
  • Active/active (in this example, the primary/secondary peers are firewall1/firewall2): During the period after you upgrade firewall1 to PAN-OS 8.1 but before you upgrade firewall2, firewall1 loses user mapping information. When you finish upgrading both firewalls to PAN-OS 8.1, HA synchronization restores the lost mapping information on firewall1.
  • Active/passive (in this example, the active/passive peers are firewall1/firewall2): After you upgrade firewall2 to PAN-OS 8.1 but before you upgrade firewall1, firewall2 loses user mapping information but does not enforce policies because it is still in a passive state. However, after you trigger failover by suspending firewall1 (in anticipation of upgrading it), firewall2 becomes the active peer and fails to enforce user-based policies because its mapping information is still missing. After you then upgrade firewall1 and trigger failback, firewall1 resumes enforcing policy and HA synchronization ensures the mapping information is complete on both firewalls.
  In both configurations, whichever firewall is missing user mapping information also cannot collect new user mappings through the PAN-OS XML API until you finish upgrading both HA peers. Plan for a window in which user-based rules do not match on the affected peer (traffic falls through to rules that do not depend on user mapping), and schedule the upgrade accordingly.

PAN-94135 Device monitoring does not work on the Panorama management server. (This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.)
  Workaround: To enable Panorama to receive device monitoring information from firewalls running PAN-OS 8.1, run the monitoring cfg-send device <device_serial_number> CLI command on Panorama.

PAN-93937 The management server process (mgmtsrvr) on the firewall restarts whenever you push configurations from the Panorama management server. (This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.)

PAN-93930 When you enable SSL decryption on a firewall, decryption errors cause a process (all_pktproc) to stop responding and cause the dataplane to restart. (This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.)

PAN-93865 The GlobalProtect agent can't split tunnel applications based on the destination domain because the Include Domain and Exclude Domain lists are not pushed to the agent after the user establishes the GlobalProtect connection (Network > GlobalProtect > Gateways > <gateway-config> > Agent > Client Settings > <client-setting-config> > Split Tunnel > Domain and Application). (This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.)
  In addition, the GlobalProtect agent can't include applications in the VPN tunnel based on the application process name because the Include Client Application Process Name list is not pushed to the agent after the user establishes the GlobalProtect connection.

PAN-93864 The password field does not display in the GlobalProtect portal login dialog if you attach the certificate profile to the portal configuration. (This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.)
  Workaround: Remove the certificate profile from the portal configuration or set the username field to None in the certificate profile.

PAN-93842 The logging status of a Panorama Log Collector deployed on AWS or Azure displays as disconnected when you configure the ethernet1/1 to ethernet1/5 interfaces for log collection (Panorama > Managed Collectors > Interfaces). This results in firewalls not sending logs to the Log Collector.
  Workaround: Configure the management (MGT) interface for log collection.

PAN-93753 High log rates cause disk space on PA-200 firewalls to reach maximum capacity.

PAN-93705 Configuring additional interfaces (such as ethernet1/1 or ethernet1/2) on the Panorama management server in Management Only mode causes an attempt to create a local Log Collector when you commit the configuration (Panorama > Setup > Interfaces). This causes the commit to fail because a local Log Collector is not supported on a Panorama management server in Management Only mode. (This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.)

PAN-93640 On firewalls, the Log Collector preference list displays the IP address of a Panorama Log Collector deployed on AWS as unknown if the interface (ethernet1/1 to ethernet1/5) used for sending logs does not have a public IP address configured and you push configurations to the Collector Group. (This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.)
  Workaround: Configure the management (MGT) interface for log collection.

PAN-93607 When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn't list the SCTP Protection profile in its drop-down list of available profiles.
  Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 8.1 as a Thales HSM client, the web interface on the firewall displays the Thales server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).

PAN-93522 On firewalls in a high availability (HA) configuration, traffic is disrupted because the dataplane restarts unexpectedly when the firewall concurrently processes HA messages and packets for the same session. This issue applies to all firewall models except the PA-200 and VM-50 firewalls. (This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.)

PAN-93318 Firewall CPU usage reaches 100 percent due to SNMP polling for logical interfaces based on updates to the Link Layer Discovery Protocol (LLDP) MIB (LLDP-V2-MIB.my). (This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.)
  Workaround: Restart the snmpd process by running the debug software restart process snmp CLI command. Note that restarting snmpd reduces the CPU usage to allow other operations, but does not prevent the issue from recurring the next time SNMP polling occurs for the LLDP-V2-MIB.my MIB.

PAN-93233 PA-7000 Series firewalls cause slow traffic over IPSec VPN tunnels when the tunnel session and inner traffic session are on different dataplanes because the firewalls reorder TCP segments during IPSec encryption. (This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.)
  Workaround: Keep the tunnel session and inner traffic session on the same dataplane. To determine which dataplane the tunnel session uses, first run the show vpn tunnel name <tunnel_name> CLI command to see the tunnel identifier, and then run the show vpn flow tunnel-id <tunnel_id> command to display the dataplane (owner cpuid). To force the inner traffic session onto the same dataplane, run the set session distribution-policy fixed <dataplane> command.

PAN-93207 The firewall reports the incorrect hostname when responding to SNMP get requests. (This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.)

PAN-93193 The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
  Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall. Use the Task Manager to verify that you are not performing memory-intensive tasks, such as installing dynamic updates, committing changes, or generating reports, at the same time on the firewall.

PAN-93184 (VM-50 Lite firewalls only) There are intermittent instances of wildfire-auth failed due to ssl error 58 in the system log due to management plane out-of-memory errors when the varrcvr process attempts to register to the cloud. (This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.)


PAN-93091 When adding a logging disk to a live Panorama management server on


Azure, the Azure Portal notification tab will display Updating virtual
machinedisk even after the logging disk has been successfully added.
Workaround: Power off the Panorama management server on Azure, add
the virtual logging disk, and power the Panorama management server back
on.

PAN-93090 When configuring a Google Cloud Platform (GCP) instance to assign an


L3 DHCP interface to ethernet1/2, the GCP DHCP Server takes 30-50
This issue is now
seconds to respond to the DHCP discover request. This delay causes DHCP
resolved. SeePAN-OS
IP assignments to fail.
8.1.1 Addressed Issues.
Workaround: To bypass the need to wait for the DHCP response, set the
firewall interface to match the static IP address that GCP assigned to the
network interface at creation. In the GCP console, this address is in the
“Primary internal IP” column.

PAN-93072 For hardware firewalls that are decrypting SSL traffic, multiple commits in
a short period of time can cause the firewall to become unresponsive. This
This issue is now
issue applies only to a hardware firewall with SSL decryption enabled; it
resolved. See PAN-OS
does not apply to virtual firewalls.
8.1.1 Addressed Issues.

PAN-93005 The firewall generates System logs with high severity for Dataplane
under severe load conditions that do not affect traffic.
This issue is now
resolved. See PAN-OS
8.1.3 Addressed Issues.

PAN-92892 (VM-50 Lite firewalls only) There are intermittent instances of Failed
to back up PAN-DB in the system log due to management plane out-
This issue is now
of-memory errors when the devsrvr process attempts to run an md5
resolved. See PAN-OS
checksum.
8.1.2 Addressed Issues.

PAN-92858 The Panorama management server cannot generate reports, and the ACC
page intermittently becomes unresponsive when too many heartbeats are
This issue is now
missed because report IDs greater than 65535 are never cleared.
resolved. See PAN-OS
8.1.1 Addressed Issues.

PAN-92808 On a Panorama management server in Panorama mode, the configd process intermittently becomes unresponsive during a Panorama commit.

PAN-92678 On Panorama management servers in a high availability (HA) configuration, after failover causes the secondary HA peer to become active, it fails to deploy scheduled dynamic updates to Log Collectors and firewalls.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
Workaround: Manually deploy the dynamic updates (Panorama > Device Deployment > Dynamic Updates).

PAN-92604 A Panorama Collector Group does not forward logs to some external servers after you configure multiple server profiles (Panorama > Collector Groups > <Collector_Group> > Collector Log Forwarding).
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-92564 A small percentage of writable third-party SFP transceivers (not purchased from Palo Alto Networks®) can stop working or experience other issues after you upgrade the firewall to which the SFPs are connected to a PAN-OS 8.0 or PAN-OS 8.1 release. If your firewall uses third-party SFPs, Palo Alto Networks recommends that you do not upgrade to a PAN-OS 8.0 or PAN-OS 8.1 release until we release maintenance releases that address this issue. Additionally, after we provide releases with this fix and you begin the upgrade process, you must not reboot the firewall after you download and install the PAN-OS 8.0 or PAN-OS 8.1 base image until after you download and install a maintenance release with this fix.
For additional details, upgrade considerations, and instructions for upgrading your firewalls, refer to the PAN-OS 8.0 upgrade information or the PAN-OS 8.1 upgrade information, as appropriate.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-92487 Enabling jumbo frames (Device > Setup > Session) reduces throughput because:
• The firewalls hardcode the maximum segment size (TCP MSS) within TCP SYN packets and in server-to-client traffic at 1,460 bytes when packets exceed that size.
• PA-7000 Series and PA-5200 Series firewalls hardcode the maximum transmission unit (MTU) at 1,500 bytes for the encapsulation stage when tunneled clear-text traffic and the originating tunnel session reside on different dataplanes.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-92366 PA-5200 Series firewalls in an active/passive HA configuration drop Bidirectional Forwarding Detection (BFD) sessions when the passive firewall is in an initialization state after you reboot it.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
Workaround: On the passive firewall, set the Passive Link State to Shutdown (Device > High Availability > General > Active/Passive Settings).

PAN-92155 You cannot configure an IP address using templates for HA2 (Device > High Availability > Data Link (HA2)) when set to IP or Ethernet for Panorama management servers in a high availability (HA) configuration.
Workaround: Configure HA2 in the CLI using the following commands:

> configure
# set template <template_name> config deviceconfig high-availability interface ha2 ip-address <IP_address>

PAN-92152 The firewall web interface displays a blank Device > Licenses page when the customer has 10 x 5 phone support.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-92149 On PA-3250 and PA-3260 firewalls, the hardware signature match engine is disabled and the PAN-OS software performs signature matching instead, resulting in a ten percent degradation in threat detection performance.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-92105 Panorama Log Collectors do not receive some firewall logs and take longer
than expected to receive all logs when the Collector Group has spaces in its
name.
Workaround: Configure Collector Group names without spaces.

PAN-92017 Panorama Log Collectors do not receive some firewall logs and take longer
than expected to receive all logs when the Collector Group has spaces in its
name.
Workaround: Configure Collector Group names without spaces.

PAN-91946 The Panorama management server intermittently does not refresh data about the health of managed firewalls (Panorama > Managed Devices > Health). This results in some session statistics being displayed as 0.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-91809 After you reboot the VM-Series firewall for Azure, some interfaces configured as DHCP clients intermittently do not receive DHCP-assigned IP addresses.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
Workaround: First, configure static IP addresses on the affected interfaces on the firewall and commit the change. Then enable DHCP on the same interfaces and commit again. When the commit finishes, the interfaces will receive DHCP-assigned IP addresses.

PAN-91802 The CLI command clear session all does not clear GTP sessions.

PAN-91776 End users cannot authenticate to GlobalProtect after you specify a User Domain with Microsoft-supported symbols such as the dollar symbol ($) in the authentication profile (Device > Authentication Profile).
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-91716 The GlobalProtect agent cannot connect to external gateways that are configured with a loopback interface due to a misbehavior by the connected Layer 2 interface. When this misbehavior occurs, the Address Resolution Protocol (ARP) request that the agent sends to the firewall (on which the gateway is configured) to determine the MAC address of the loopback interface leaks to multiple Layer 3 interfaces on the firewall. Each Layer 3 interface responds to the ARP request, which causes the agent to receive multiple ARP replies.
Workaround: Add static ARP entries on the endpoint.

PAN-91689 The Panorama management server removes address objects and, in the Network tab settings and NAT policy rules, uses the associated IP address values without reference to the address objects before pushing configurations to firewalls.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.

PAN-91236 The Panorama management server does not display new logs collected
on M-Series Log Collectors because the logging search engine does
not register during system startup when logging disk checks and RAID
mounting take longer than two hours to complete.

PAN-91142 After you upgrade the Panorama virtual appliance from a PAN-OS 7.1 or
earlier release to PAN-OS 8.1 and run the request logdb migrate CLI
command to migrate logs to the format required for the PAN-OS 8.1, the
migration does not progress because the RAID logging disks have read-only
permissions.

PAN-91088 On PA-7000 Series firewalls in a high availability (HA) configuration, the HA3 link does not come up after you upgrade to PAN-OS 8.0.6 or a later release.
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
Workaround: Unplug and replug the HSCI modules.

PAN-91059 GTP log query filters do not work when you filter based on a value of
unknown for the message type or GTP interface fields (Monitor > Logs >
GTP).

PAN-90947 The PA-5250 firewall stops responding when you configure 2,900 or more
DHCP relay agent interfaces.

PAN-90736 On the Panorama management server, you cannot compare the data plane
CPU usage with other metrics of managed firewalls (Panorama > Managed
Devices > Health).

PAN-90565 The firewall does not accept wildcards (*) as standalone characters to match
all IMSI identifiers when you configure IMSI Filtering in a GTP Protection
profile (Objects > Security Profiles > GTP Protection > Filtering Options >
IMSI Filtering).

PAN-90404 The Panorama management server intermittently displays the connections among Log Collectors as disconnected after pushing configurations to a Collector Group (Panorama > Managed Collectors).
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-90301 The firewall generates false positives during GTP-in-GTP checks because
it detects some DNS-in-GTP packets as GTP-in-GTP packets (Objects >
Security Profiles > GTP Protection > <GTP_Protection_profile> > GTP
Inspection > GTP-U).

PAN-90096 Threat logs record incorrect IMSI values for GTP packets after you enable Packet Capture in Vulnerability Protection profiles (Objects > Security Profiles > Vulnerability Protection > <Vulnerability_Protection_profile> > Rules).

PAN-89443 On PA-5200 Series firewalls, frequent changes in the fan speeds intermittently cause disk errors in the log drives. (In PAN-OS 8.1.2, the fix for PAN-93715 mitigates this issue but does not completely resolve it.)

PAN-89402 On PA-3200 Series firewalls, Ethernet ports 2, 3, 4, 6, 7, 8, and 10 function only at 1,000Mbps (1Gbps); you should not configure these ports to run at any other speed. (Ethernet ports 1, 5, 9, 11, and 12 function at 10Mbps, 100Mbps, or 1,000Mbps.)

PAN-88987 When you configure a PA-5220, PA-5250, PA-5260, or PA-5280 firewall with Dynamic IP and Port (DIPP) NAT, the number of translated IP addresses can't exceed 1800/2800/3600/3600 respectively; otherwise, the commit fails. There is no workaround.

PAN-88852 VM-Series firewalls stop displaying URL Filtering logs after you configure a URL Filtering profile with an alert action (Objects > Security Profiles > URL Filtering).
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-88649 After receiving machine account names in UPN format from a Windows-based User-ID agent, the firewall misidentifies them as user accounts and overrides usernames with machine names in IP address-to-username mappings.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-88487 The firewall stops enforcing policy after you manually refresh an External
Dynamic List (EDL) that has an invalid IP address or that resides on an
unreachable web server.
Workaround: Do not refresh EDLs that have invalid IP addresses or that
reside on unreachable web servers.

PAN-88048 A VM-Series firewall on KVM in MMAP mode doesn't receive traffic after you configure it to use the i40e single-root input/output virtualization (SR-IOV) virtual function (VF).
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.

PAN-87990 The WF-500 appliance becomes inaccessible over SSH and becomes stuck
in a boot loop after you upgrade from a release lower than PAN-OS 8.0.1
and try to upgrade to PAN-OS 8.0.5 or a later release.

PAN-87425 Policy rule hit count data intermittently do not display correctly for the
VM-50 firewall.

PAN-87309 When you configure a GlobalProtect gateway to exclude all video streaming traffic from the VPN tunnel, Hulu and Sling TV traffic cannot be redirected if you do not configure any security profiles (such as a File Blocking profile) for your firewall Security policy.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-86936 Logs are temporarily unavailable on Panorama Log Collectors because the
vldmgr process restarts.

PAN-86903 In rare cases, PA-800 Series firewalls shut themselves down due to a false
over-current measurement.

PAN-86028 (HA active/active configurations only) Traffic in a GlobalProtect VPN tunnel in SSL mode fails after Layer 7 processing is completed if asymmetric routing is involved.
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.

PAN-85691 Authentication policy rules based on multi-factor authentication (MFA) don't block connections to an MFA vendor when the MFA server profile specifies a Certificate Profile that has the wrong certificate authority (CA) certificate.

PAN-84488 On PA-7000 Series and PA-5200 Series firewalls, client systems can use
a translated IP address-and-port pair for only one connection even if you
configure the Dynamic IP and Port (DIPP) NAT Oversubscription Rate to
allow multiple connections (Device > Setup > Session > Session Settings >
NAT Oversubscription).

PAN-84199 After you disable the Skip Auth on IKE Rekey option in the GlobalProtect
gateway, the firewall still applies the option: end users with endpoints
that use Extended Authentication (X-Auth) don't have to re-authenticate
when the key used to establish the IPSec tunnel expires (Network >
GlobalProtect > Gateways > <gateway> > Agent > Tunnel Settings).

PAN-84045 VM-Series firewalls in an HA configuration with Data Plane Development Kit (DPDK) enabled experience HA path monitoring failures and (in active/passive deployments) HA failover.

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100 network processor)
that has session offload enabled (default) incorrectly resets the UDP
checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently
disable session offload for only UDP traffic using the set session udp-
offload no CLI command.

PAN-83598 VM-Series firewalls cannot monitor more than 500 virtual machine (VM)
information sources (Device > VM Information Sources).

PAN-83236 The VM-Series firewall on Google Compute Platform does not publish
firewall metrics to Google Stack Monitoring when you manually configure a
DNS server IP address (Device > Setup > Services).
Workaround: The VM-Series firewall on Google Cloud Platform must use
the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work when you
import the ECDSA private keys onto a Thales nShield hardware security
module (HSM).

PAN-83069 An M-100 appliance in Panorama mode cannot ingest Traps Endpoint
Security Manager (ESM) logs from ESM Server releases 4.0.0 to 4.0.2.
Workaround: Upgrade the ESM Server to release 4.0.3 or later to enable
log ingestion on Panorama.

PAN-82987 The web interface intermittently becomes unresponsive during ACC queries.

PAN-82278 Filtering does not work for Threat logs when you filter for threat names
that contain certain characters: single quotation (’), double quotation (”),
back slash (\), forward slash (/), backspace (\b), form feed (\f), new line
(\n), carriage return (\r), and tab (\t).

PAN-81521 Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.

PAN-79423 Panorama cannot push address group objects from device groups to
managed firewalls when zones specify the objects in the User Identification
ACL include or exclude lists (Network > Zones) and the Share Unused
Address and Service Objects with Devices option is disabled (Panorama >
Setup > Management > Panorama Settings).

PAN-79291 PA-3050, PA-3060, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls that support ZIP hardware offloading intermittently identify ZIP files as threats when they are sent over Simple Mail Transfer Protocol (SMTP).
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.
Workaround: Switch the firewall to software-based decompression by running the set deviceconfig setting zip mode sw configuration mode CLI command and then committing the change.

PAN-77125 PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured
in tap mode don’t close offloaded sessions after processing the associated
traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of
tap mode, or disable session offloading by running the set session
offload no CLI command.

PAN-75457 (PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error; the commit fails and the cluster becomes unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a Data
Filtering profile blocks files.

PAN-73401 (PAN-OS 8.0.1 and later releases) When you import a two-node WildFire
appliance cluster into the Panorama management server, the controller
nodes report their state as out-of-sync if either of the following conditions
exist:
• You did not configure a worker list to add at least one worker node
to the cluster. (In a two-node cluster, both nodes are controller nodes
configured as an HA pair. Adding a worker node would make the cluster
a three-node cluster.)
• You did not configure a service advertisement (either by enabling or not
enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller
nodes:
• After you import the two-node cluster into Panorama, push the
configuration from Panorama to the cluster. After the push succeeds,
Panorama reports that the controller nodes are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
• Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

or

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

Both commands result in Panorama reporting that the controller nodes are in sync.

PAN-72861 When you configure a PA-7000 Series or PA-5200 Series firewall to perform tunnel-in-tunnel inspection, which includes GRE keep-alive packets (Policies > Tunnel Inspection > <tunnel_inspection_rule> > Inspection > Inspect Options), and you run the clear session all CLI command while traffic is traversing a tunnel, the firewall temporarily drops tunneled packets.

PAN-71765 Deactivating a VM-Series firewall from Panorama completes successfully but the web interface does not update to indicate that deactivation finished.
Workaround: View deactivation status from Panorama > Managed Devices.

PAN-71329 Local users and user groups in the Shared location (all virtual systems)
are not available to be part of the user-to-application mapping for
GlobalProtect Clientless VPN applications (Network > GlobalProtect >
Portals > <portal> > Clientless VPN > Applications).
Workaround: Create users and user groups in specific virtual systems on
firewalls that have multiple virtual systems. For single virtual systems (like
VM-Series firewalls), users and user groups are created under Shared and
are not configurable for Clientless VPN applications.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are enabled on
the same IP address, then when a user logs out from the GlobalProtect
portal, the administrative user is logged out from the PAN-OS web
interface as well. This issue is compounded when the portal is configured
for GlobalProtect Clientless VPN because it can increase the number of
users who access the portal.
Workaround: Use the IP address to access the PAN-OS web interface and
an FQDN to access the GlobalProtect portal.

PAN-70023 Authentication using auto-filled credentials intermittently fails when you access an application using GlobalProtect Clientless VPN.
Workaround: Manually enter the credentials.

PAN-69505 When viewing an external dynamic list that requires client authentication
and you Test Source URL, the firewall fails to indicate whether it can reach
the external dynamic list server and returns a URL access error (Objects >
External Dynamic Lists).

PAN-62820 If you use the Apple Safari browser in Private Browsing mode to request
a service or application that requires multi-factor authentication (MFA),
the firewall does not redirect you to the service or application even after
authentication succeeds.

PAN-62453 Entering vSphere maintenance mode on a VM-Series firewall without first shutting down the Guest OS for the agent VMs causes the firewall to shut down abruptly, and results in issues after the firewall is powered on again. Refer to Issue 1332563 in the VMware Release Notes.
Workaround: VM-Series firewalls are Service Virtual Machines (SVMs) pinned to ESXi hosts and you should not migrate those firewalls. Before you enter vSphere maintenance mode, use the VMware tools to ensure a graceful shutdown of the VM-Series firewall.

PAN-58872 The automatic license deactivation workflow for firewalls with direct internet access does not work.
Workaround: Use the request license deactivate key features <name> mode manual CLI command to Deactivate a Feature License or Subscription Using the CLI. To Deactivate a VM-Series firewall, choose Complete Manually (instead of Continue) and follow the steps to manually deactivate the VM.

PAN-55825 Performing an AutoFocus remote search that is targeted to a firewall or Panorama management server does not work correctly when the search condition contains a single or double quotation mark.

PAN-55437 High availability (HA) for VM-Series firewalls does not work in AWS regions
that do not support the signature version 2 signing process for EC2 API
calls. Unsupported regions include AWS EU (Frankfurt) and Korea (Seoul).

PAN-55203 When you change the reporting period for a scheduled report, such as the
SaaS Application Usage PDF report, the report can have incomplete or no
data for the reporting period.
Workaround: If you need to change the reporting period for any scheduled
report, create a new report for the desired time period instead of modifying
the time period on an existing report.

PAN-54254 In Traffic logs, the following session end reasons for Captive Portal or a
GlobalProtect SSL VPN tunnel indicated the incorrect reason for session
termination: decrypt-cert-validation, decrypt-unsupport-param, or decrypt-
error.

PAN-53825 On the VM-Series for NSX firewall, when you add or modify an NSX service
profile zone on Panorama, you must perform a Panorama commit and then
push device group configurations with the Include Device and Network
Templates option selected (Commit > Commit and Push). To successfully
redirect traffic to the VM-Series for NSX firewall, you must push both
device group and template configurations when you modify the zone
configuration to ensure that the zones are available on the firewall.

PAN-53663 When you open the SaaS Application Usage report (Monitor > PDF Reports > SaaS Application Usage) on multiple tabs in a browser, each for a different virtual system (vsys), and you then attempt to export PDFs from each tab, only the first request is accurate; all successive attempts result in PDFs that are duplicates of the first report.
Workaround: Export only one PDF at a time and wait for that export process to finish before initiating the next export request.

PAN-51969 On the NSX Manager, when you unbind an NSX Security Group from an
NSX Security Policy rule, the dynamic tag and registered IP address are
updated on the Panorama management server but are not sent to the VM-
Series firewalls.
Workaround: To push the Dynamic Address Group updates to the VM-
Series firewalls, you must manually synchronize the configuration with the
NSX Manager (select Panorama > VMware Service Manager and select
NSX Config-Sync).

PAN-51952 If a security group overlap occurs in an NSX Security policy where the same
security group is weighted with a higher and a lower priority value, the
traffic may be redirected to the wrong service profile (VM-Series firewall
instance). This issue occurs because an NSX Security policy with a higher
weight does not always take precedence over a policy with a lower weight.
Workaround: Make sure that members that are assigned to a security
group are not overlapping with another Security group and that each
security group is assigned to a unique NSX Security policy rule. This allows
you to ensure that NSX Security policy does not redirect traffic to the
wrong service profile (VM-Series firewall).

PAN-51870 When using the CLI to configure the management interface as a DHCP client, the commit fails if you do not provide all four DHCP parameters in the command. For a successful commit when using the set deviceconfig system type dhcp-client configuration mode CLI command, you must include each of the following parameters: accept-dhcp-domain, accept-dhcp-hostname, send-client-id, and send-hostname.

PAN-51869 Canceling pending commits does not immediately remove them from the
commit queue. The commits remain in the queue until PAN-OS dequeues
them.

PAN-51673 BFD sessions are not established between two RIP peers when there are no
RIP advertisements.
Workaround: Enable RIP on another interface to provide RIP
advertisements from a remote peer.

PAN-51216 The NSX Manager fails to redirect traffic to the VM-Series firewall when you define new Service Profile zones for NSX on the Panorama management server. This issue occurs intermittently on the NSX Manager when you define security rules to redirect traffic to the new service profiles that are available for traffic introspection and results in the following error:
Firewall configuration is not in sync with NSX Manager. Conflict with ServiceProfile Oddhoston service (Palo Alto Networks NGFW) when binding to host <name>.

PAN-51181 A Palo Alto Networks firewall, M-100 appliance, or WF-500 appliance configured to use FIPS operational mode will fail to boot when rebooting after an upgrade to PAN-OS 7.0 or later releases.
Workaround: Enable FIPS and CC support on all Palo Alto Networks firewalls and appliances before you upgrade to a PAN-OS 7.0 or later release.

PAN-51122 For the VM-Series firewall, after you manually reset a heartbeat failure
alarm on the vCenter server to indicate that the VM-Series firewall is
healthy (change color to green), the vCenter server does not trigger a
heartbeat failure alarm again.

PAN-50038 When you enable jumbo frames on a VM-Series firewall in AWS using the
set deviceconfig setting jumbo-frame mtu configuration mode
CLI command, the maximum transmission unit (MTU) size on the interfaces
does not increase. The MTU on each interface remains at a maximum value
of 1,500 bytes.

PAN-48565 The VM-Series firewall on Citrix SDX does not support jumbo frames.

PAN-48456 IPv6-to-IPv6 Network Prefix Translation (NPTv6) is not supported when configured on a shared gateway.

PAN-46344 When you use a Mac OS Safari browser, client certificates will not work for
Captive Portal authentication.
Workaround: On a Mac OS system, instruct end users to use a different
browser (for example, Mozilla Firefox or Google Chrome).

PAN-45793 On a firewall with multiple virtual systems, when you add an authentication
profile to a virtual system and give the profile the same name as an
authentication sequence in Shared, reference errors occur. The same errors
occur if the profile is in Shared and the sequence with the same name is in a
virtual system.
Workaround: When creating authentication profiles and sequences, always
enter unique names, regardless of their location. For existing authentication
profiles and sequences with similar names, rename the ones that are
currently assigned to configurations (such as a GlobalProtect gateway) to
ensure uniqueness.

PAN-44400 The link on a 1Gbps SFP port on a VM-Series firewall deployed on a Citrix
SDX server does not come up when successive failovers are triggered. This
behavior is only observed in an active/active HA configuration.
Workaround: Use a 10Gbps SFP port instead of the 1Gbps SFP port on the
VM-Series firewall deployed on a Citrix SDX server.

PAN-43000 Vulnerability detection of SSLv3 fails when SSL decryption is enabled. This occurs when you attach a Vulnerability Protection profile (that detects SSLv3—CVE-2014-3566) to a Security policy rule and that Security policy rule and a Decryption policy rule are configured on the same virtual system in the same zone. After performing SSL decryption, the firewall sees decrypted data and no longer sees the SSL version number. In this case, the SSLv3 vulnerability is not identified.
Workaround: PAN-OS 7.0 introduced SSL Decryption Enhancements that enable you to prohibit the inherently weaker SSL/TLS versions, which are more vulnerable to attacks. For example, you can use a Decryption Profile to enforce a minimum protocol version of TLS 1.2 or select Block sessions with unsupported versions to disallow unsupported protocol versions (Objects > Decryption Profile > SSL Decryption > {SSL Forward Proxy | SSL Inbound Inspection}).

PAN-41558 When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as StrongSwan.
Workaround: Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.

PAN-40842 When you configure a firewall to retrieve a WildFire signature package, the System log displays unknown version for the package. For example, after a scheduled WildFire package update, the System log displays: WildFire package upgraded from version <unknown version> to 38978-45470. This is a cosmetic issue only and does not prevent the WildFire package from installing.

PAN-40130 In the WildFire Submissions logs, the email recipient address is not correctly
mapped to a username after you push LDAP group mappings to the firewall
from a Panorama template.

PAN-40079 The VM-Series firewall on KVM, for all supported Linux distributions,
does not support the Broadcom network adapters for PCI pass-through
functionality.

PAN-40075 The VM-Series firewall on KVM running on Ubuntu 12.04 LTS does not
support PCI pass-through functionality.

PAN-39728 The URL logging rate is reduced after you enable HTTP header logging
in the URL Filtering profile (Objects > Security Profiles > URL Filtering >
<URL_Filtering_profile> > Settings).

PAN-39636 Regardless of the Time Frame you specify for a scheduled custom report
on a Panorama M-Series appliance, the earliest possible start date for
the report data is effectively the date when you configured the report
(Monitor > Manage Custom Reports). For example, if you configure the
report on the 15th of the month and set the Time Frame to Last 30 Days,
the report that Panorama generates on the 16th will include only data from
the 15th onward. This issue applies only to scheduled reports; on-demand
reports include all data within the specified Time Frame.

Workaround: To generate an on-demand report, click Run Now when you
configure the custom report.

PAN-39501 The firewall does not clear unused NAT IP address pools after a single
commit, so a commit fails when the combined cache of unused pools,
existing used pools, and new pools exceeds the memory limit.
Workaround: Commit a second time, which clears the old pool allocation.

PAN-38255 When you perform a factory reset on a Panorama virtual appliance and
configure the serial number, logging does not work until you reboot
Panorama or execute the debug software restart process
management-server CLI command.

PAN-37511 Due to a limitation related to the Ethernet chip driving the SFP+ ports,
PA-5050 and PA-5060 firewalls will not perform link fault signaling as
standardized when a fiber in the fiber pair is cut or disconnected.

PAN-37177 After deploying the VM-Series firewall and it connects to the Panorama
management server, you must commit to Panorama (Commit > Commit to
Panorama) to ensure that Panorama recognizes the firewall as a managed
device. If you reboot Panorama without committing the changes, the
firewall does not reconnect with Panorama; although the device group
displays the list of firewalls, the firewall does not display in Panorama >
Managed Devices.
Furthermore, when Panorama has an HA configuration, the VM-Series
firewall is not added to the passive Panorama peer until the active
Panorama peer synchronizes the configuration. During this time, the
passive Panorama peer logs a critical message: vm-cfg: failed to
process registration from svm device. vm-state: active.
The passive peer logs this message until you commit the changes on
the active Panorama, which then initiates synchronization between the
Panorama HA peers and the VM-Series firewall is added to the passive
Panorama peer.
Workaround: To reconnect to the managed firewalls, commit your
changes to Panorama. In an HA deployment, the commit initiates the
synchronization of the running configuration between the Panorama HA
peers.

PAN-36730 When deleting the VM-Series deployment, all VMs are deleted successfully;
however, sometimes a few instances still remain in the datastore.
Workaround: Manually delete the VM-Series firewalls from the datastore.

PAN-36728 In some scenarios, traffic from newly added guests or virtual machines is
not steered to the VM-Series firewall even when the guests belong to a
Security Group and are attached to a Security Policy that redirects traffic to
the VM-Series firewall.
Workaround: Reapply the Security Policy on the NSX Manager.

PAN-36727 The VM-Series firewall fails to deploy and displays the following error
message: Invalid OVF Format in Agent Configuration.
Workaround: Use the following command to restart the ESX Agent
Manager process on the vCenter Server: /etc/init.d/vmware-vpxd
tomcat-restart.

PAN-36433 When HA failover occurs on Panorama at the time that the NSX Manager
is deploying the VM-Series NSX edition firewall, the licensing process fails
with the following error: vm-cfg: failed to process registration
from svm device. vm-state: active.
Workaround: Delete the unlicensed instance of the VM-Series firewall on
each ESXi host and then redeploy the Palo Alto Networks next-generation
firewall service from the NSX Manager.

PAN-36394 When the datastore is migrated for a guest, all current sessions are no
longer steered to the VM-Series firewall. However, all new sessions are
secured properly.

PAN-36393 When deploying the VM-Series firewall, the Task Console displays Error
while enabling agent. Cannot complete the operation. See
the event log for details. This error displays even on a successful
deployment. You can ignore the message if the VM-Series firewall is
successfully deployed.

PAN-36289 When you deploy the VM-Series firewall and assign it to a template, the
bootstrap file does not record the change.
Workaround: Delete the Palo Alto Networks NGFW Service on the NSX
Manager, verify that the template is specified in Panorama > VMware
Service Manager, register the service, and re-deploy the VM-Series firewall.

PAN-36088 When an ESXi host is rebooted or shut down, the functional status of the
guests is not updated. Because the IP address is not updated, the dynamic
tags do not accurately reflect the functional state of the guests that are
unavailable.

PAN-36049 The VMware vCenter Server/vmtools displays the IP address for a guest
incorrectly after VLAN tags are added to an Ethernet port. The display does
not accurately show the IP addresses associated with the tagged Ethernet
port and the untagged Ethernet port. This issue occurs on some Linux OS
versions such as Ubuntu.

PAN-35903 When you edit a traffic introspection rule (to steer traffic to the VM-
Series firewall) on the NSX Manager, an invalid (tcp) port number
error or invalid (udp) port number error displays when you
remove the destination (TCP or UDP) port.
Workaround: Delete the rule and add a new one.

PAN-35875 When defining traffic introspection rules (to steer traffic to the VM-Series
firewall) on the NSX Manager, either the source or the destination for the
rule must reference the name of a Security Group; you cannot create a rule
from any to any Security Group.
Workaround: To redirect all traffic to the VM-Series firewall, you must
create a Security Group that includes all the guests in the cluster. Then you
can define a security policy that redirects traffic from and to the cluster so
that the firewall can inspect and enforce policy on the east-west traffic.

PAN-35874 Duplicate packets are steered to the VM-Series firewall after you enable
distributed vSwitch for steering in promiscuous mode.
Workaround: Disable promiscuous mode.

PAN-34966 On a VM-Series NSX edition firewall, when adding or removing a Security
Group (Container) that is bound to a Security Policy, the Panorama
management server does not get a dynamic update of the added or
removed Security Group.
Workaround: Select Panorama > VMware Service Manager, and
Synchronize Dynamic Objects to initiate a manual synchronization to get
the latest update.

PAN-34855 On a VM-Series NSX edition firewall, Dynamic Tags (update) do not reflect
the actual IP address set on the guest. This issue occurs because the
vCenter Server cannot accurately view the IP address of the guest.

PAN-33316 Adding or removing ports on the SDX server after deploying the VM-Series
firewall can cause a configuration mismatch on the firewall. To avoid the
need to reconfigure the interfaces, consider the total number of data ports
that you require on the firewall and assign the relevant number of ports on
the SDX server when deploying the VM-Series firewall.
For example, if you assign ports 1/3 and 1/4 on the SDX server as data
interfaces on the VM-Series firewall, the ports are mapped to eth1 and
eth2. If you then add port 1/1 or 1/2 on the SDX server, eth1 will be
mapped to 1/1 or 1/2, eth2 will be mapped to 1/3 and eth3 to 1/4. If ports
1/3 and 1/4 were set up as a virtual wire, this remapping will require you to
reconfigure the network interfaces on the firewall.

PAN-31832 The following issues apply when configuring a firewall to use a hardware
security module (HSM):
• Thales nShield Connect—The firewall requires at least four minutes to
detect that an HSM was disconnected, causing SSL functionality to be
unavailable during the delay.
• SafeNet Network—When losing connectivity to either or both HSMs in
an HA configuration, the display of information from the
show high-availability state and show hsm info commands is blocked
for 20 seconds.

PAN-25046 Firewalls store SSH host keys used for SCP log exports in the known
hosts file. In an HA deployment, PAN-OS synchronizes the SCP log export
configuration between the firewall HA peers (Device > Scheduled Log
Export), but not the known host file. When a failover occurs, the SCP log
export fails.
Workaround: Log in to each peer in HA, select Device > Scheduled Log
Export > <log_export_configuration>, and Test SCP server connection to
confirm the host key so that SCP log forwarding continues to work after a
failover.

PAN-23732 After you use a Panorama template to push a log export schedule that
specifies an SCP server as the destination (Device > Scheduled Log Export),
you must log in to each firewall that receives the schedule and Test SCP
server connection. The connection is not established until the firewall
accepts the host key for the SCP server.
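PAN-25046 and PAN-23732 share one mechanism: Test SCP server connection accepts the SCP server's SSH host key on first use and records it in the firewall's known_hosts file, and because that file is not synchronized, the acceptance must be repeated on every firewall and on every HA peer. Since this is trust-on-first-use, compare the key being accepted against a fingerprint obtained out of band (from the SCP server's administrator, for example) rather than accepting whatever answers on the first connection. The following Python is an added example, not Palo Alto Networks code: it parses a known_hosts-format line, derives the OpenSSH SHA256 fingerprint of the key blob, and checks it against an expected fingerprint in constant time. The host names, the 32-byte ed25519 key material and the known_hosts line are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length, then data."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_known_hosts_line(hosts: str, raw_pubkey: bytes) -> str:
    """Build a known_hosts line for a constructed ed25519 key (example input only)."""
    if len(raw_pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)
    return f"{hosts} ssh-ed25519 {base64.b64encode(blob).decode()}"


def parse_known_hosts_line(line: str):
    """Split 'host[,host...] keytype base64blob [comment]' and decode the key blob.

    Hashed entries (|1|...) are not handled here; the plain host form is the
    one relevant to the release note.
    """
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("malformed known_hosts line")
    hosts, keytype, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)
    # The blob's leading SSH string must repeat the declared key type.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key type inside blob does not match declared type")
    return hosts.split(","), keytype, blob


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH 'SHA256:' fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_host_key(line: str, host: str, expected_fingerprint: str) -> bool:
    """True only if the entry covers `host` and its key matches the out-of-band fingerprint."""
    hosts, _, blob = parse_known_hosts_line(line)
    if host not in hosts:
        return False
    return hmac.compare_digest(sha256_fingerprint(blob), expected_fingerprint)


if __name__ == "__main__":
    # Constructed key material: a 32-byte stand-in, not a real server key.
    line = build_ed25519_known_hosts_line("scp.example.com", bytes(range(32)))
    _, _, blob = parse_known_hosts_line(line)
    print(line)
    print(sha256_fingerprint(blob))
```

The fingerprint produced here is the same form that ssh-keygen -lf prints for a key, so the value the SCP server's administrator reports can be compared directly with what each firewall and each HA peer stored after Test SCP server connection.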

Known Issues Specific to the WF-500 Appliance


The following list includes known issues specific to WildFire® 8.1 releases running on the WF-500
appliance. See also the specific and general Known Issues Related to PAN-OS 8.1 Releases.

Issue ID Description

— A Panorama™ management server running PAN-OS® 8.1 does not
currently support management of appliances running WildFire 7.1
or earlier releases. Even though these management options are
visible on the Panorama 8.1 web interface (Panorama > Managed
WildFire Clusters and Panorama > Managed WildFire Appliances),
making changes to these settings for appliances running WildFire
7.1 or an earlier release has no effect.

WF500-4200 The Create Date shown when using the show wildfire
global sample-status sha256 equal <hash> and show
wildfire global sample-analysis CLI commands is two
hours behind the actual time for WF-500 appliance samples.

WF500-3935 WildFire appliances build and release all untested signatures to the
connected firewalls every five minutes, which is the maximum time
that a signature remains untested (not released to firewalls). When
a WildFire appliance joins a cluster, if any untested (unreleased)
signatures are on the appliance, they may be lost instead of
migrating to the cluster, depending on when the last build of
untested signatures occurred.

PAN-OS 8.1 Addressed Issues
Review the issues that were addressed in each maintenance release of the PAN-OS® 8.1
release.
For new features, associated software versions, known issues, and changes in default behavior
in the PAN-OS 8.1 release, see PAN-OS 8.1 Release Information.

> PAN-OS 8.1.3 Addressed Issues
> PAN-OS 8.1.2 Addressed Issues
> PAN-OS 8.1.1 Addressed Issues
> PAN-OS 8.1.0 Addressed Issues

PAN-OS 8.1.3 Addressed Issues
Issue ID Description

WF500-4645 Fixed an issue where RAID rebuilding after disk replacement either failed or
took longer than expected.

PAN-101101 Fixed an issue with inconsistencies in the IP address-to-username mappings
after upgrading the User-ID agent to a User-ID agent 8.1 release.

PAN-100896 Fixed an issue where the dataplane restarted multiple times when multiple
processes stopped responding when accessing invalid memory.

PAN-100870 Fixed an issue where the GlobalProtect app incorrectly displayed a warning
(Password Warning: Password expires in 0 days) even though the
password had not yet expired.

PAN-100312 Fixed an intermittent issue where the dataplane restarted when processing
Clientless VPN traffic.

PAN-100015 Fixed an issue where a PA-7000 Series firewall with a 20GQ Network
Processing Card (NPC) failed to properly initiate all QSFP modules.

PAN-99968 Fixed an issue where the firewall incorrectly dropped GTPv2-C Modify Bearer
Response packets due to a sequence-number mismatch.

PAN-99896 Fixed an issue where the route (routed) process on a passive firewall in a high
availability (HA) cluster restarted when receiving an update from the active
peer for a multicast route destined for a multicast group that does not exist on
the firewall.

PAN-99624 Fixed an issue where emails were not sent using the configured email service
route as expected.

PAN-99585 Fixed an issue where a PA-3200 Series firewall in suspended mode still
processed traffic.

PAN-99584 Fixed an issue where a PA-5200 Series firewall in suspended mode still
processed traffic.

PAN-99380 Fixed an issue where the dataplane stopped responding when a tunnel
interface on the firewall received fragmented packets.

PAN-99362 Fixed an issue on a VM-Series firewall on Azure where a process (logrcvr)
stopped responding.

PAN-99316 Fixed an issue where the SAP Success Factor app failed to load because the
Cipher-cloud was configuring cookies with the at ( @ ) character in the cookie
name but Palo Alto Networks firewalls used the @ character as a separator for
storing cookies locally, which caused the firewall to misinterpret the cookies.


PAN-99263 Fixed an issue where NetFlow caused an invalid memory-access issue that
caused the pan_task process to stop responding.

PAN-99212 Fixed an issue where the firewall incorrectly dropped ARP packets and
increased the flow_arp_throttle counter.

PAN-99067 Fixed an issue where a firewall frequently flapped a BGP session when the
firewall did not receive any response from the BFD peer or when BFD was
configured only on the firewall.

PAN-99055 (PA-3200 Series firewalls only) Fixed an issue where the dataplane restarted
due to an internal-path monitor failure.

PAN-98735 Fixed an issue where upgrading a Panorama management server on Microsoft
Azure from PAN-OS 8.1.0 to PAN-OS 8.1.1 or PAN-OS 8.1.2 resulted in an
autocommit failure.

PAN-98624 Fixed an issue where an administrator who has all administrative rights is
unable to add a device to Panorama from the web interface.

PAN-98530 Fixed a memory leak associated with the logrcvr process when using custom
syslog filters in a syslog profile.

PAN-98470 Fixed an issue on a firewall with GTP stateful inspection enabled where the
firewall incorrectly identified GTP echo packets as GTP-U application packets.

PAN-98397 Fixed an issue on PA-3200 Series firewalls where the offload processor did not
process route-deletion update messages, which left behind stale route entries
and caused sessions to become unresponsive during the session-offload stage.

PAN-98329 (PA-3200 Series firewalls only) Fixed an issue where an SFP+ (10Gbps PAN-
SFP-PLUS-CU-5M) transceiver was incorrectly identified as an SFP (1Gbps)
transceiver.

PAN-98217 Fixed an issue where user-account group members in subgroups (n+1) were
unnecessarily queried when nested level was set to n.

PAN-98116 (PA-3000 Series firewalls only) Fixed an issue where firewalls passed file-
descriptors in a dataplane (pan_comm) process during content (apps and
threat) installation as well as FQDNRefresh job execution, which caused the
hardware Layer 7 engine to incorrectly identify applications.

PAN-98097 Fixed an issue on PA-3000 Series, PA-3200 Series, PA-5000 Series, PA-5200
Series, and PA-7000 Series firewalls where Captive Portal was inaccessible for
traffic on Secure HTTP (https) websites when SSL decryption was enabled and
users were behind a proxy server.

PAN-98088 Fixed an issue where an error (mail send: failed to get stat of
file) appeared in the System log due to an incorrect condition check even
though there were no issues with the firewall sending PDF reports.


PAN-97905 Fixed an issue where device-group operations were discarded when a
concurrent commit was triggered by a different administrator.

PAN-97810 Fixed an issue where, after upgrading to PAN-OS 8.1.1, User-ID usernames
were not populated in traffic logs as expected even though User-ID mappings
were present on the dataplane.

PAN-97724 Fixed an issue with the Japanese language mode where a firewall displayed
garbled characters when an administrator was logging in to the web interface.

PAN-97634 Fixed an issue where the firewall rebooted when the management (MGT)
interface was connected to a network that contained a network loop, which
caused excessive traffic flow on the interface. This issue was observed only on
a PA-220 firewall.

PAN-97594 Fixed an issue where administrators could not use the new colors that were
introduced in PAN-OS 8.1 for creating and modifying banners and messages;
these colors were unavailable from the CLI and, though available from the web
interface (Device > Setup > Management > Banners and Messages > Banners),
administrators received an Operation Failed error when attempting to use
them.

PAN-97561 Fixed an issue where a Panorama appliance running PAN-OS 8.1.2 was unable
to connect to the Logging Service.

PAN-97497 Fixed an issue where the default for newly added cloned security rules was
Move Top, which placed the new rule at the top of the list. With this fix, the
default is After Rule as it was in PAN-OS 8.0 and earlier releases.

PAN-97282 Fixed an issue where Inbound inspection failed when a cipher was cleared from
the TLS structure during session resumption.

PAN-97225 Fixed an issue where new Vendor names for the HIP check were not included
when Panorama pushed the configuration to firewalls.

PAN-97208 Fixed an issue where a firewall in a high availability (HA) active/active virtual
wire (vwire) configuration with SSL decryption enabled passed traffic through
the wrong firewall.

PAN-97084 Fixed a rare issue where the task manager failed to load in the web interface
when a pending job caused subsequent completed jobs to be inappropriately
held in memory.

PAN-97082 Fixed an issue where the firewall incorrectly blocked SSL sessions subjected
to Inbound decryption due to Unsupported Version when the Decryption
rule referenced a decryption profile with Min - Max TLS Version, even
though Block sessions with unsupported versions was disabled (Objects >
Decryption > Decryption Profile). With this fix, the firewall checks the TLS
version that the server accepted and compares it with the decryption profile
settings when evaluating whether to allow or bypass sessions based on
Decryption rules.
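The SSLv3 workaround at the start of this list and PAN-97082 both turn on the same detail: the version the firewall should compare against the Decryption Profile is the one the server accepted in its ServerHello, not the one the client offered. The following Python is an added example, not PAN-OS code. It extracts the negotiated version from a ServerHello record (honouring the supported_versions extension, since a TLS 1.3 server leaves legacy_version at 0x0303 and announces 0x0304 only in that extension) and then applies a simplified model of the profile check, in which a version inside the Min-Max range is decrypted, and a version outside it is blocked only when Block sessions with unsupported versions is enabled and is otherwise bypassed. The profile dictionary, the decision labels and the ServerHello bytes are constructed assumptions for the example and do not describe PAN-OS internals.

```python
import struct

# Version codes as they appear on the wire.
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B   # RFC 8446 supported_versions extension
CONTENT_HANDSHAKE = 0x16
HS_SERVER_HELLO = 0x02


def negotiated_version(record: bytes) -> int:
    """Return the protocol version the server selected, as its 16-bit wire code.

    A TLS 1.3 ServerHello keeps legacy_version = 0x0303 and carries the real
    choice in supported_versions, so that extension wins when present.
    """
    if len(record) < 5 or record[0] != CONTENT_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack(">H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != HS_SERVER_HELLO:
        raise ValueError("not a complete ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or len(hs) < 35:
        raise ValueError("truncated ServerHello")
    (legacy_version,) = struct.unpack(">H", hs[0:2])
    pos = 2 + 32                      # legacy_version + random
    pos += 1 + hs[pos]                # session_id
    pos += 2 + 1                      # cipher_suite + compression_method
    if pos > len(hs):
        raise ValueError("truncated ServerHello")
    if pos == len(hs):
        return legacy_version         # no extensions: pre-1.3 server
    (ext_total,) = struct.unpack(">H", hs[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    if end != len(hs):
        raise ValueError("bad extensions length")
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + elen]
        pos += elen
        if etype == EXT_SUPPORTED_VERSIONS:
            if elen != 2:
                raise ValueError("malformed supported_versions")
            return struct.unpack(">H", data)[0]
    return legacy_version


def build_server_hello(legacy_version: int, selected_version=None) -> bytes:
    """Construct a minimal ServerHello record for the example (not real server output)."""
    body = (struct.pack(">H", legacy_version) + bytes(32)   # version, random
            + b"\x00"                                       # empty session_id
            + b"\x13\x01"                                   # cipher_suite
            + b"\x00")                                      # null compression
    if selected_version is not None:
        ext = struct.pack(">HHH", EXT_SUPPORTED_VERSIONS, 2, selected_version)
        body += struct.pack(">H", len(ext)) + ext
    hs = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + struct.pack(">HH", legacy_version, len(hs)) + hs


def evaluate(profile: dict, version: int) -> str:
    """Simplified model of the profile check (an assumption, not PAN-OS internals).

    profile = {"min": code, "max": code, "block_unsupported": bool}
    """
    if profile["min"] <= version <= profile["max"]:
        return "decrypt"
    return "block" if profile["block_unsupported"] else "bypass"


if __name__ == "__main__":
    profile = {"min": 0x0303, "max": 0x0304, "block_unsupported": False}
    for hello in (build_server_hello(0x0303, 0x0304),   # TLS 1.3 server
                  build_server_hello(0x0303),           # TLS 1.2 server
                  build_server_hello(0x0300)):          # SSLv3 server
        v = negotiated_version(hello)
        print(TLS_VERSIONS[v], "->", evaluate(profile, v))
```

With Block sessions with unsupported versions left disabled, the SSLv3 case above is bypassed rather than blocked, which is the behaviour PAN-97082 restores; enabling it turns that same session into a block, which is the SSLv3 workaround described at the top of this list.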


PAN-97060 Fixed an issue where the User-ID (useridd) process stopped responding due to
an out-of-memory issue related to User-ID group mapping.

PAN-97045 Fixed an issue on PA-850 firewalls where the session rematch option failed
to execute when you added an IP address to the External Dynamic List (EDL)
block list.

PAN-96997 Fixed an intermittent issue where detecting an unreachable WF-500 node took
longer than expected.

PAN-96978 Fixed an issue where the GlobalProtect Clientless VPN and GlobalProtect
Data options did not display as expected on Panorama (Template > Device >
Dynamic Updates).

PAN-96918 Fixed an issue where an unreachable DNS server due to aggressive timers
increased the time of PPPoE negotiation and, in some cases, caused
negotiation to fail.

PAN-96909 A security-related fix was made to address a Denial of Service (DoS)
vulnerability that existed in the PAN-OS management web interface and
allowed an authenticated user to shut down all management sessions, which
caused the firewall to redirect all logged-in users to the login page
(CVE-2018-10140).

PAN-96889 Fixed an issue where administrators were required to perform a commit force
before pushing a partial or regular commit operation to managed appliances
when the management server (mgmtsrvr) or configuration (configd) process
encountered a virtual memory leak and restarted.

PAN-96779 Fixed an issue where using the XML API to retrieve Hit Count on a security
rule returned an error message: An error occurred. See dagger.log
for information.

PAN-96737 Fixed an issue with an incorrect policy match because google-docs-base was
incorrectly identified as SSL.

PAN-96388 Fixed an issue in a non-vsys configuration where a firewall dropped the Client
Hello packet from tunneled traffic when inbound decryption was enabled
because the firewall considered that packet to be an inter-vsys inbound
packet.

PAN-96326 Fixed an issue where endpoints could not authenticate to a GlobalProtect
portal or gateway through client certificate authentication due to an OCSP
status of Unknown when the portal or the gateway used a Certificate profile
that specified Online Certificate Status Protocol (OCSP) to validate certificates
(Network > GlobalProtect > Portals > <portal> > Authentication).

PAN-96200 Fixed an issue where PA-220 firewalls that were bootstrapped with a
configuration that enabled jumbo frames did not change the packet buffer size
as expected, which resulted in a dataplane restart.


PAN-96150 Fixed a memory corruption error that caused the dataplane to restart when
content decode length was zero.

PAN-96113 Fixed an issue where the show routing protocol bgp rib-out CLI
command did not display advertised routes that the firewall sent to the
BGP peer. This issue was observed only in a deployment where a firewall
is connected to a Border Gateway Protocol (BGP) peer that advertised a
route for which the next hop is not in the same subnetwork as the BGP peer
interface.

PAN-96003 Fixed an issue where the GTP Protection profile name did not appear in the
Global Find and Filter options in the Profile column of the security rule to
which the GTP profile was attached.

PAN-95996 Fixed an issue where Panorama virtual appliances converted from legacy mode
to Panorama mode did not properly purge logs, which caused low disk space
issues in the /opt/panlogs partition.

PAN-95993 Fixed an issue where the firewall did not properly identify the google-translate
application.

PAN-95955 Fixed an issue on PA-3200 Series firewalls where incorrect internal memory
allocation reduced the number of simultaneous SSL decryption sessions that
the firewall could support.

PAN-95884 Fixed an issue where routing FIB entries that were learned from a BGP peer
were not deleted when BGP Peering went down.

PAN-95854 Fixed an issue where the Filter drop-down did not display properly when you
keep the default Target for a Policy rule set to Any.

PAN-95766 Fixed an issue where Q-in-Q-tagged packets passed through a firewall without
inspection or session creation.

PAN-95740 Fixed an issue where multicast FIB entries were inconsistent across dataplanes,
which caused the firewall to intermittently drop multicast packets.

PAN-95730 Fixed an issue where a firewall dropped SIP-RTP packets flowing through a
GRE tunnel when a Tunnel Inspection Policy was configured with Security
Options (Tunnel Inspection zones).

PAN-95712 Fixed an issue where browsers failed to load custom response pages on
decrypted websites when those pages were larger than 8,191 bytes. With this
fix, the firewall supports decryption of custom response pages up to 17,999
bytes.

PAN-95509 Fixed an issue where the parent device group in the hierarchy did not
automatically acquire read-only access for a URL Profile as expected after you
assigned write access to a child device group of that parent.


PAN-95476 Fixed an issue where a certificate failed to load when the certificate public key
exceeded the supported number of characters (2,048).

PAN-95439 Fixed an issue where using the test nat-policy-match command from
the XML API did not return any matches when the matching policy was a
destination NAT policy.

PAN-95339 Fixed an issue where a firewall sent packets out of order when the sending
rate was too high.

PAN-95192 Fixed an issue where the SSL Certificate Error Notify page didn't display the
<certname/> <issuer/> variables in the SSL-cert-status-page.

PAN-95120 Fixed an issue where VM-Series firewall bootstrapping failed when you
transferred the bootstrap package using a base64 encoded user-data file.

PAN-95114 Fixed an issue where TACACS+ authorization responded with Illegal
packet version because the firewall incorrectly sent minor version 1, which
TACACS+ servers rejected, causing authorization to fail.

PAN-95113 Fixed an issue where non-local administrators using TACACS+ were
unable to log in to the CLI.

PAN-95090 Fixed an issue where imported custom applications did not display in Security
Policies that were created through the web interface.

PAN-95061 Fixed an issue on PA-220 firewalls where either a commit or an EDLRefresh
job failed with the following error message: failed to handle
CONFIG_UPDATE_START. This issue occurred after an increase in the number
of type URL entries in an external dynamic list.

PAN-95046 Fixed an issue where the dataplane restarted on a VM-Series firewall on KVM.

PAN-94920 Fixed an issue where PA-5200 Series firewalls in a high availability (HA) active/
active configuration experienced internal packet corruption that caused the
firewalls to stop passing traffic when the active member of a cluster came back
up as passive after being either suspended or rebooted (moving from tentative
to passive state).

PAN-94864 Fixed an issue where firewalls receiving IP addresses via DHCP failed to
resolve FQDN objects to an IP address.

PAN-94777 Fixed an issue where a 500 Internal Server error occurred for traffic
that matched a Security policy rule with a URL Filtering profile that specified
a continue action (Objects > Security Profiles > URL Filtering) because the
firewall did not treat the API keys as binary strings.

PAN-94698 Fixed an issue on PA-5000 Series firewalls where a process (all_pktproc) on
the dataplane stopped responding if you enabled the send icmp unreachable
Action Setting (Policies > <rule> > Actions).


PAN-94646 Fixed an issue with firewalls in a high availability (HA) configuration where
an HA sync initiated from the active peer caused a race condition while the
peer was still processing the previous request.

PAN-94637 Fixed an issue where an XML API call to execute the request system
external-list show command did not escape the ampersand ( & )
character in the Source section of the XML output, which resulted in a parse
error.

PAN-94571 Fixed an issue on PA-800 Series, PA-3200 Series, and PA-5200 Series firewalls
where tunnel-bound traffic was incorrectly routed through an ECMP route
instead of a PBF route as expected.

PAN-94497 Fixed an issue where the default static route was not present in the routing
table after you removed the DHCP-provided default gateway when you
configured a default static route and DHCP provided the same default route.

PAN-94452 Fixed an issue where the firewall recorded GPRS Tunneling Protocol (GTP)
packets multiple times in firewall-stage packet captures (pcaps).

PAN-94447 Fixed an issue where deleting all FQDN objects that are no longer in use did
not remove them from the FQDN refresh table, which caused firewalls to
continue resolving these old objects per the schedule.

PAN-94409 Fixed an issue where FTP traffic failed and hit an incorrect security policy due
to missing predict sessions.

PAN-94385 Fixed an issue on Log Collectors where the show log-collector serial-
number <LC_serial_number> CLI command displayed log ages that
exceeded log expiration periods.

PAN-94291 Fixed an issue where a firewall failed to process packets when the previous
session was cleared (from either the CLI or the web interface), the client
reused the same source port, and the new session was installed on
dataplane1 (dp1).

PAN-94221 Fixed an issue where the dataplane restarted due to a packet-processing
failure when QoS was configured.

PAN-94124 Fixed an issue where a PA-800 Series firewall dropped UDP packets traversing
port 0.

PAN-94062 Fixed an issue where the dataplane stopped responding due to a failed packet
buffer initialization after the firewall rebooted.

PAN-94043 Fixed an issue where, when an administrator made and committed partial
changes, the address objects used in security policy were pushed from
Panorama and retained on the firewall as expected but were deleted when an
administrator performed a full commit from Panorama.


PAN-93990 Fixed an issue where a VM-Series firewall was unable to ping the gateway in
a multiple virtual router configuration when interfaces received IP address
through DHCP.

PAN-93973 Fixed an issue on an M-100 appliance where logging stopped when a process
(vldmgr) stopped responding.

PAN-93930 Fixed an issue on firewalls with SSL decryption configured where the
dataplane restarted because the all_pktproc process stopped responding after
decryption errors occurred.

PAN-93864 Fixed an issue where the password field did not display in the GlobalProtect
portal login dialog if you attached the certificate profile to the portal
configuration.

PAN-93811 Fixed an issue where the Panorama task manager view on the web interface
stopped responding after multiple appliances reported multiple errors and
warnings in commit job details.

PAN-93754 A security-related fix was made to address vulnerabilities related to some
SAML implementations (CVE-2018-0486 and CVE-2018-0489). Refer to
https://www.kb.cert.org/vuls/id/475445 for details.

PAN-93609 Fixed an issue where the firewall silently dropped the first packet of a session
when that packet was received as a fragmented packet (typically with UDP
traffic).

PAN-93457 Fixed an issue where continuous renewal for a session that went into
DISCARD state when the firewall reached its resource limit prevented the
creation of new sessions that matched that DISCARD session.

PAN-93331 Fixed an issue where the firewall applied the wrong checksum when a re-
transmitted packet in a NAT session had different TCP flags, which caused the
recipient to drop those packets.

PAN-93329 Fixed an issue where the non-session-owner firewall in a high availability (HA)
active/active configuration with asymmetric traffic flow dropped TCP traffic
when TCP reassembly failed.

PAN-93184 (VM-50 Lite firewalls only) Fixed an intermittent issue where the firewall
reported wild-fire-auth failed due to ssl error 58 errors in the
system log due to management plane out-of-memory errors when a process
(varrcvr) attempted to register to the cloud.

PAN-93152 Fixed an intermittent Panorama issue where, after upgrading to PAN-OS 8.0 or
a later release and when connected to a WF-500 appliance, commit validations
failed due to a mismatched threat ID range on the WildFire private cloud.

PAN-93005 Fixed an issue where the firewall generated System logs with high severity
for Dataplane under severe load conditions that did not affect traffic.
With this fix, the System logs have low severity for Dataplane under
severe load conditions that do not affect traffic.

PAN-92609 Fixed an issue where the firewall could not forward full information for a
Protocol-Independent Multicast (PIM) group to a peer PIM router when the
PIM bootstrap message was larger than the maximum transmission unit (MTU)
of the firewall interface.

PAN-92257 Fixed an issue where the firewall was intermittently sending incorrect bytes-
per-packet values for some flows to the NetFlow collector.

PAN-92033 Fixed an issue during the software download process that prevented some
firewalls and appliances from properly receiving these images.

PAN-91926 Fixed an issue where GlobalProtect users could not access some websites
decrypted by the firewall due to an issue with premature deletion of proxy
sessions.

PAN-91662 Fixed an issue where a certificate was loaded without a digital signature, which
caused the configuration (configd) daemon to stop responding.

PAN-91316 Fixed an issue where you couldn't unlock administrator accounts with expired
passwords because the firewall didn't display a lock icon for their accounts in
the Locked User column (Device > Administrators).

PAN-91259 Fixed an issue where the predict session for the rmi-iiop application was not
created correctly, which caused server-to-client initiated sessions to traverse
slow-path inspection and, eventually, policy rules denied the traffic associated
with these sessions.

PAN-91021 Fixed an issue where, in a multiple virtual system (vsys) configuration on
Panorama, you could not add a certificate defined in vsys to a certificate profile
in the same vsys unless the vsys was defined using the default name.

PAN-90952 Fixed an issue on PA-5000 Series firewalls where multicast traffic failed
because PAN-OS did not remove stale sessions from the hardware session
offload processor.

PAN-90752 Fixed an issue on Panorama where the Last Commit State column (Panorama >
Managed Devices) did not get updated after a Template-Only configuration
push to firewalls.

PAN-90535 Fixed an issue where the firewall unnecessarily sent an Authorize-only request
to the RADIUS server which was denied during the login process if you
disabled the Retrieve Framed-IP-Address attribute from authentication
server (Network > GlobalProtect > Gateways > <gateway> > Agent > Client
Settings > <clients_configuration> > IP Pools) in the GlobalProtect gateway
configuration.

PAN-89620 Fixed an intermittent issue where traffic stopped flowing through the IPSec
tunnel in a hub-and-spoke multiple-vendor configuration.

PAN-89346 Fixed an issue where an XML API call to execute the show system raid
detail command returned an error.

PAN-88473 Fixed an issue where the firewall was sending incorrect bytes-per-packet
values to the NetFlow collector when two servers were configured in the same
NetFlow profile.

PAN-88048 Fixed an issue where a VM-Series firewall on KVM in MMAP mode
didn't receive traffic after you enabled the i40e single-root input/output
virtualization (SR-IOV) virtual function (VF).

PAN-87855 Fixed an issue where some ICMP Type 4 traffic was not blocked as expected
after you created a deny Security policy rule with custom App-ID for ICMP
Type 4 traffic.

PAN-87166 Fixed a rare issue on PA-7000 Series firewalls where 20GQ NPC QSFP+ ports
didn't link up (during online insertion and removal (OIR), link-state change, or
boot up events) and became unrecoverable until the NPC was restarted.

PAN-86769 Fixed an issue where a firewall did not forward logs when using the category
eq command-and-control filter.

PAN-86630 Fixed an issue where the firewall dropped H.323 gatekeeper-assisted calls
after failing to perform NAT translation of third-party addresses in H.323
messages.

PAN-86327 Fixed an issue where the firewall rebooted into maintenance mode.

PAN-85522 Fixed an issue on PA-5200 Series firewalls where an SFP+ (10Gbps)
transceiver (PAN-SFP-PLUS-CU-5M) was incorrectly identified as an SFP
(1Gbps) transceiver.

PAN-80091 Fixed an issue where no results were returned for a Global Find request when
using the short name domain\group format.

PAN-79291 Fixed an issue where PA-3050, PA-3060, PA-5000 Series, PA-5200 Series, and
PA-7000 Series firewalls that supported ZIP hardware offloading intermittently
identified ZIP files as threats when they were sent over Simple Mail Transfer
Protocol (SMTP).

PAN-42036 Fixed a rare intermittent issue on PA-800 Series, PA-2000 Series, PA-3000
Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls where
the firewall unexpectedly rebooted due to memory page allocation failure,
which generated a non-maskable interrupt (NMI) watchdog error on the serial
console.

PAN-33746 Fixed an issue where the firewall dropped IKE traffic when another IKE
session was in the discard state on the firewall because the new session
matched the discard session. This issue persisted because the discard sessions
remained on the firewall longer than expected: the firewall refreshed
the discard-session timeout each time the 5-tuple on a new session matched
the 5-tuple on the discard session.

PAN-OS 8.1.2 Addressed Issues
Issue ID Description

WF500-4625 Fixed an issue where the WF-500 appliance provided no option to configure
the master key. With this fix, you can use the request master-key new-
master-key <key> lifetime <lifetime> CLI command to configure
the master key.

PAN-97531 Fixed an issue on PA-3200 Series firewalls where powering down a copper
interface disrupted the operations of other interfaces that were grouped with
it at the hardware level.

PAN-97283 Fixed an issue on PA-3200 Series firewalls where SFP/SFP+ ports
intermittently failed to come up after a reboot.

PAN-97003 Fixed an issue on offline VM-Series firewalls where the web interface and CLI
did not display license information after you activated licenses.

PAN-96938 Fixed an issue with dataplane restarts when the mix of network traffic included
a high ratio of RTP and RTP Control Protocol (RTCP) traffic.

PAN-96734 Fixed an issue where a process (configd) stopped responding during a partial
revert operation when reverting an interface configuration.

PAN-96622 Fixed an issue where the GlobalProtect™ portal landing page did not return the
HTTP Strict Transport Security (HSTS) header in the error response page when
sending the response to an endpoint.

PAN-96587 Fixed an issue where PA-7000 Series and PA-5200 Series firewalls
intermittently failed to forward logs to Log Collectors or the Logging Service
due to DNS resolution failure for the FQDNs of those log receivers.

PAN-96572 Fixed an issue where, after end users successfully authenticated to access a
service or application, their web browsers briefly displayed a page indicating
authentication completed before redirecting to an unknown URL, which the
user never specified.

PAN-96490 Fixed an issue where syslog servers misrepresented HIP Match,
Authentication, and User-ID™ logs received from the firewall because the
order changed in the first seven syslog fields for those log types. With this fix,
the first seven syslog fields are the same for all log types.

PAN-96102 Fixed an issue on the Panorama™ management server where partial revert
operations failed with the following error after you used the PAN-OS®
XML API to create template stacks: template-stack -> is missing
'settings' template-stack is invalid.

PAN-96088 Fixed an issue where the active firewall in a high availability (HA) configuration
did not synchronize the GlobalProtect data file to the passive firewall.

PAN-95895 Fixed an issue on firewalls that collect port-to-username mappings from
Terminal Services agents where the firewalls didn't enforce user-based policies
correctly because the dataplane had incorrect primary-to-alternative-username
mappings even after you cleared the User-ID cache.

PAN-95736 Fixed an issue where the mprelay process stopped responding when a commit
occurred while the firewall was identifying flows that needed a NetFlow
update.

PAN-95683 Fixed an issue where, after you upgraded the firewall to PAN-OS 8.1, a 500
Internal Server error occurred for traffic that matched a Security policy
rule with a URL Filtering profile that specified a continue action (Objects >
Security Profiles > URL Filtering) because the firewall did not correctly
apply AES encryption or synchronize the associated API key between the
management plane and dataplane.

PAN-95513 Fixed an issue on the Panorama management server where selecting additional
target firewalls for a shared policy rule cleared any existing firewall selections
for that rule (Panorama > Policies > <policy_type> > {Pre Rules | Post Rules |
Default Rules} > Target).

PAN-95486 Fixed an issue with VM-Series firewalls on Azure where dynamic updates failed
for the GlobalProtect Data File when you scheduled the updates using the
management interface.

PAN-95443 Fixed an issue where a VM-Series firewall on KVM in DPDK mode didn't
receive traffic after you configured it to use the i40e single-root input/output
virtualization (SR-IOV) virtual function (VF). This fix requires that you install
i40e driver version 2.1.16 or later, and that you set the VF to be trusted by
running the following CLI command on the KVM host:
ip link set dev eth0 vf 1 trust on

PAN-95197 Fixed an issue where mobile endpoints that used GPRS Tunneling Protocol
(GTP) lost traffic and had to reconnect because the firewall dropped the
response message that a Gateway GPRS support node (GGSN) sent for a
second Packet Data Protocol (PDP) context update.

PAN-95163 Fixed an issue where, after you added group mapping configurations, an
out-of-memory condition developed that intermittently caused the User-
ID process (useridd) to restart and temporarily prevented the firewall from
receiving updates to user mappings and group mappings.

PAN-95130 Fixed an issue on the firewall and Panorama management server where you
could not assign tags that contained a colon ( : ) to service or service group
objects.

PAN-95124 Fixed an issue where the firewall did not correctly modify the Configuration
XML file (by removing ctd skip-block-http-range) when you upgraded
from PAN-OS 8.0 to PAN-OS 8.1.

PAN-95056 Fixed an issue on the Panorama management server where the configd process
restarted when an external health monitoring script (such as GoldenGate)
executed against Panorama, which became unusable until configd finished
restarting.

PAN-94917 Fixed an issue on Panorama Log Collectors where the show system
masterkey-properties CLI command did not display the master key
lifetime and reminder settings.

PAN-94912 Fixed an issue where PA-5200 Series and PA-3200 Series firewalls in an
active/active high availability (HA) configuration sent packets in the wrong
direction in a virtual wire deployment.

PAN-94853 Fixed an issue where mobile endpoints that used GPRS Tunneling Protocol
(GTP) lost GTP-U traffic because the firewall dropped all GTP-U packets as
packets without sessions after receiving two GTP requests with the same
tunnel endpoint identifiers (TEIDs) and IP addresses.

PAN-94697 Fixed an issue where commit failures occurred after you configured a DHCP-
enabled subinterface as the local Interface for an IKE gateway configuration
(Network > Network Profiles > IKE Gateways > <IKE_gateway> > General).

PAN-94586 Fixed an issue where the Panorama management server exported reports
slowly or not at all due to DNS resolution failures.

PAN-94582 Fixed an issue where the firewall did not correctly re-learn a User-ID mapping
after that mapping was temporarily lost and recovered through successful
WMI probing.

PAN-94578 Fixed an issue where WildFire submissions with a filename that contained
%20n or a subject that contained %n caused the management server
(mgmtsrvr) process to stop responding.

PAN-94575 Fixed an issue where a Panorama management server running PAN-OS 8.1
failed to push host information profile (HIP) objects that specified Encrypted
Locations with State values to firewalls running PAN-OS 8.0 or an earlier
release (Objects > GlobalProtect > HIP Objects > <HIP_object> > Disk
Encryption > Criteria > <encrypted_location>).

PAN-94516 Fixed an issue on PA-500, PA-220, PA-220-R, and PA-200 firewalls where
commits failed after the Panorama management server pushed a Decryption
profile that you configured to Block sessions if HSM not available to firewalls
that did not support a hardware security module (HSM).

PAN-94510 Fixed an issue where the total log storage utilization that the firewall displayed
did not account for IP Tag storage that was set to less than two per cent
(Device > Setup > Management > Logging and Reporting Settings > Log
Storage).

PAN-94450 Fixed an issue where QSFP+ interfaces (13 and 14) on a PA-7000-20GQ-NPC
Network Processing Card (NPC) unexpectedly flapped when the card was
booting up.

PAN-94382 Fixed an issue on the Panorama management server where the Task Manager
displayed Completed status immediately after you initiated a push operation
to firewalls (Commit all job) even though the push operation was still in
progress.

PAN-94318 Fixed an issue where the VM-Series firewall for Azure intermittently failed to
resolve URLs and generated the following error because Azure prematurely
timed out the connection to the PAN-DB cloud after four minutes: Failed
to send Update Request to the Cloud.

PAN-94278 Fixed an issue where a Panorama Collector Group forwarded Threat and
WildFire® Submission logs to the wrong external server after you configured
match list profiles with the same name for both log types (Panorama >
Collector Groups > <Collector_Group> > Collector Log Forwarding > {Threat |
WildFire} > <match_list_profile>).

PAN-94239 Fixed an issue where the firewall routed Open Shortest Path First (OSPF)
unicast hello messages (P2MP non-broadcast) using a forwarding information
base (FIB) instead of sending the messages over the interface to which the
OSPF neighbor connected.

PAN-94187 Fixed an issue where the firewall did not apply tag-based matching rules
for dynamic address groups unless you enclosed the tag names with single
quotes ('<tag_name>') in the matching rules (Objects > Address Groups >
<address_group>).

PAN-94165 Fixed an issue where the firewall used an incorrect next hop in the Border
Gateway Protocol (BGP) route that it advertised to External BGP (eBGP) peers
in the BGP peer group.

PAN-94163 Fixed an issue on firewalls deployed in virtual wire mode where SSL decryption
failed due to a memory pool allocation failure.

PAN-94122 Fixed an issue where firewalls intermittently blocked SSL traffic due to a
certificate timeout error after you enabled SSL Forward Proxy decryption and
configured the firewall to Block sessions on certificate status check timeout
(Objects > Decryption > Decryption Profile > <Decryption_profile> > SSL
Decryption > SSL Forward Proxy).

PAN-94070 Fixed an issue where Bidirectional Forwarding Detection (BFD) sessions were
active in only one virtual router when two or more virtual routers had active
BGP sessions (with BFD enabled) using the same peer IP address.

PAN-94023 Fixed an issue where the request system external-list show type
ip name <EDL_name> CLI command did not display external dynamic list
entries after you restarted the management server (mgmtsrvr) process.

PAN-93937 Fixed an issue where the management server (mgmtsrvr) process on the
firewall restarted when you pushed configurations from the Panorama
management server.

PAN-93889 Fixed an issue where the Panorama management server generated high-
severity System logs with the Syslog connection established to
server message after you configured Traps log ingestion (Panorama >
Log Ingestion Profile) for forwarding to a syslog server (Panorama > Server
Profiles > Syslog) and committed configuration changes (Commit > Commit to
Panorama).

PAN-93755 Fixed an issue where SSL decrypted traffic failed after you configured the
firewall to Enforce Symmetric Return in Policy Based Forwarding (PBF) policy
rules (Policies > Policy Based Forwarding).

PAN-93722 Fixed an issue where the firewall failed to perform decryption because
endpoints tried to resume decrypted inbound perfect forward secrecy (PFS)
sessions.

PAN-93715 In certain customer environments, enhancements in PAN-OS 8.1.2 to change
fan speeds may help reduce rare cases of drive communication failure in
PA-5200 Series firewalls.

PAN-93705 Fixed an issue where configuring additional interfaces (such as ethernet1/1 or
ethernet1/2) on the Panorama management server in Management Only mode
caused an attempt to create a local Log Collector when you committed the
configuration (Panorama > Setup > Interfaces), which caused the commit to
fail because a local Log Collector is not supported on a Panorama management
server in Management Only mode.

PAN-93522 Fixed an issue on firewalls in a high availability (HA) configuration where traffic
was disrupted because the dataplane restarted unexpectedly when the firewall
concurrently processed HA messages and packets for the same session. This
issue occurred on all firewall models except the PA-200 and VM-50 firewalls.

PAN-93412 Fixed an issue where the Security policy rules pushed from Panorama to a
firewall did not display in the list of available rules in the global filters list in the
Application Command Center (ACC).

PAN-93411 Fixed an issue on VM-Series firewalls for KVM where applications that
relied on multicasting failed because the firewalls filtered multicast traffic by
the physical function (PF) after you configured them to use single root I/O
virtualization (SR-IOV) virtual function (VF) devices.

PAN-93410 Fixed an issue where PA-5200 Series firewalls sent logs to the passive or
suspended Panorama virtual appliance in Legacy mode in a high availability
(HA) configuration. With this fix, the firewalls send logs only to the active
Panorama.

PAN-93318 Fixed an issue where firewall CPU usage reached 100 per cent due to SNMP
polling for logical interfaces based on updates to the Link Layer Discovery
Protocol (LLDP) MIB (LLDP-V2-MIB.my).

PAN-93244 A security-related fix was made to prevent a Cross-Site Scripting (XSS) attack
through the PAN-OS session browser (CVE-2018-9335).

PAN-93242 A security-related fix was made to prevent a Cross-Site Scripting
(XSS) vulnerability in a PAN-OS web interface administration page
(CVE-2018-9337).

PAN-93233 Fixed an issue where PA-7000 Series firewalls caused slow traffic over IPSec
VPN tunnels because the firewalls reordered TCP segments during IPSec
encryption when the tunnel session and inner traffic session were on different
dataplanes.

PAN-93207 Fixed an issue where the firewall reported the incorrect hostname when
responding to SNMP get requests.

PAN-93046 Fixed an issue where administrators whose roles had the Privacy privilege
disabled (Device > Admin Roles > <role> > Web UI) could view details about
source IP addresses and usernames in the PDF reports exported from the
firewall.

PAN-92958 Fixed an issue where disk utilization increased unnecessarily because the
firewall did not archive and rotate the /var/on file, which therefore grew to
over 40MB.

PAN-92892 (VM-50 Lite firewalls only) Fixed an intermittent issue where Failed to
back up PAN-DB errors were reported in the system log due to management
plane out-of-memory errors when a process (devsrvr) attempted to run an md5
checksum.

PAN-92821 Fixed an issue where WildFire Submission logs did not correctly display the
subject fields of emails because the firewall did not remove white spaces
between encoded chunks in those fields.

PAN-92676 Fixed an issue where an administrator whose Admin Role profile had the
Command Line privileges set to superuser (Device > Admin Roles > <role> >
Command Line) could not request tech-support dump from the CLI.

PAN-92569 Fixed an issue where the firewall displayed a continue-and-override response
page when users tried to access a URL that the firewall incorrectly categorized
as unknown because it learned the URL field as an IP address.

PAN-92456 Fixed an issue on the Panorama management server where administrators
couldn't log in to the web interface because disk space utilization reached 100
per cent due to the continuous growth of cmserror log files.

PAN-92366 Fixed an issue where PA-5200 Series firewalls in an active/passive high
availability (HA) configuration dropped Bidirectional Forwarding Detection
(BFD) sessions when the passive firewall was in an initialization state after you
rebooted it.

PAN-92149 Fixed an issue on PA-3250 and PA-3260 firewalls where the hardware
signature match engine was disabled and the PAN-OS software performed
signature matching instead, resulting in a ten percent degradation in threat
detection performance.

PAN-91689 Fixed an issue where the Panorama management server removed address
objects and—in the Network tab settings and NAT policy rules—used the
associated IP address values without reference to the address objects before
pushing configurations to firewalls.

PAN-91421 Fixed an issue where the firewall dataplane restarted, causing temporary traffic
loss, when any process stopped responding while system resource usage was
high on the firewall.

PAN-91238 Fixed an issue where an aggregate Ethernet (AE) interface with Link
Aggregation Control Protocol (LACP) enabled on the firewall went down after
an LACP peer that was a cisco-nexus primary virtual port channel (vPC) switch
rebooted and came up.

PAN-91088 Fixed an issue on PA-7000 Series firewalls in a high availability (HA)
configuration where the HA3 link did not come up after you upgraded to PAN-
OS 8.1.0 or a later PAN-OS 8.1 release.

PAN-90920 Fixed an issue on PA-5200 Series firewalls where the dataplane restarted due
to an internal path monitoring failure.

PAN-90692 Fixed an issue where PA-5200 Series firewalls dropped offloaded traffic after
you enabled session offloading (enabled by default), configured subinterfaces
on the second aggregate Ethernet (AE) interface group (ae2), and configured
QoS on a non-AE interface.

PAN-90690 Fixed an issue where Panorama appliances ignored the time-zone offset in logs
sent from the Traps Endpoint Security Manager (ESM).

PAN-90623 Fixed an issue where the Panorama management server displayed template
configurations as Out of Sync for firewalls with multiple virtual systems
even though the template configurations were in sync.

PAN-90418 Fixed an issue where PA-7000 Series, PA-5200 Series, PA-5000 Series,
PA-3200 Series, and PA-3000 Series firewalls dropped packets because their
dataplanes restarted due to QoS queue corruption.

PAN-89988 Fixed an issue where the firewall dataplane intermittently restarted, causing
traffic loss, after you attached a NetFlow server profile to an interface for
which the firewall assigned an invalid identifier.

PAN-89794 Fixed an issue on PA-3050, PA-3060, PA-5000 Series, PA-5200 Series,
and PA-7000 Series firewalls in a high availability (HA) configuration where
multicast sessions intermittently stopped forwarding traffic after HA failover
on firewalls with hardware offloading enabled (default).

PAN-88674 Fixed an issue on the Panorama management server where administrators
with the superuser read-only role could view the Password Hash used to
access a Log Collector CLI after another superuser used browser developer
tools to modify the input type for that field (Panorama > Managed Collectors >
<Log_Collector> > Authentication).

PAN-88428 Fixed an issue where the VM-Series firewall incorrectly displayed network
interfaces as having a Link Speed of 1000 and a Link Duplex set to half
when the actual values were different (Network > Interfaces > <interface> >
Advanced).

PAN-87265 Fixed an issue where the Panorama management server displayed no output
for the User Activity Report (Monitor > PDF Reports > User Activity Report).

PAN-87079 (PA-3060, PA-3050, PA-5000 Series, PA-5200 Series, and PA-7000 Series
firewalls only) Fixed an issue where Threat logs displayed an Other IP
Flood message instead of identifying the threat name of the correct
protocol (such as TCP Flood) when traffic reached the configured SYN
flood max-rate threshold (Objects > Security Profiles > DoS Protection >
<DoS_Protection_profile> > Flood Protection > SYN Flood).

PAN-86672 Fixed an issue where in rare cases a commit caused the disk to become full
due to an incorrect disk quota size value, and as a result the firewall behaved
unpredictably (for example, the web interface and CLI became unresponsive).

PAN-86647 Fixed an issue on the Panorama management server where editing the
Description of a shared policy rule and clicking OK caused the Target setting
to revert to Any firewalls instead of the selected firewalls.

PAN-84647 Fixed an issue with scheduled log exports that prevented firewalls running in
FIPS-CC mode from successfully exporting the logs using Secure Copy (SCP).

PAN-84238 Fixed an issue where the Panorama management server failed to push
configurations to firewalls running a PAN-OS 7.1 release and displayed the
following error:
wins-server -> primary is invalid

PAN-80922 Fixed an issue where the firewall failed to parse the merged configuration file
after you changed the master key; it parsed only the running configuration file.
With this fix, the firewall parses both files as expected after you change the
master key.

PAN-68256 Fixed an issue on PA-7000 Series firewalls in a high availability (HA)
configuration where the HA data link (HSCI) interfaces intermittently failed to
initialize properly during bootup.

PAN-48553 Fixed an issue where, after pushing the high availability (HA) Group ID from
a Panorama management server to a firewall and overriding the value on the
firewall (Device > High Availability > General > Setup), the following error
displayed even though the value was within the permitted range:
deviceconfig -> high-availability -> group -> should be
equal to or between 1 and 63.

PAN-OS 8.1.1 Addressed Issues
Issue ID Description

WF500-4599 Fixed an issue on WF-500 appliance clusters where attempts to submit
samples for analysis through the WildFire XML API failed with a 499 or 502
error in the HTTP response when the local worker was fully loaded.

WF500-4535 Fixed an issue where the WF-500 appliance couldn’t forward logs over TCP or
SSL to a syslog server.

WF500-4473 Fixed an issue where the root partition on the WF-500 appliance reached
its maximum storage capacity because the following log files had no
size limit and grew continuously: appweb_access.log, trap-access.log,
wpc_build_detail.log, rsyncd.log, cluster-mgr.log, and cluster-script.log. With
this fix, the appweb_access.log, trap-access.log, and wpc_build_detail.log logs
have a limit of 10MB and the WF-500 appliance maintains one rotating backup
file for each of these logs to store old data when a log exceeds the limit. Also
with this fix, the rsyncd.log, cluster-mgr.log, and cluster-script.log logs have a
limit of 5MB and the WF-500 appliance maintains eight rotating backup files
for each of these logs.

WF500-4397 Fixed an issue in a WF-500 appliance cluster where the controller backup node
was stuck in global-db-service: WaitingforLeaderReady status
when you tried to add nodes to the cluster.

WF500-4363 Fixed an issue where firewalls and Panorama management servers couldn’t
retrieve reports from a WF-500 appliance due to an interruption in its data
migration after you upgraded the appliance from a PAN-OS 7.1 release to
a PAN-OS 8.0 or later release. With this fix, you can run the new debug
device data-migration show CLI command on the WF-500 appliance
after each upgrade to verify data migration finished successfully (output
is Migration in MySQL is successful). Don't perform additional
upgrades on the WF-500 appliance until the data migration finishes.

PAN-95536 Fixed an issue where Dedicated Log Collectors failed to forward logs to syslog
servers.

PAN-95504 Fixed an issue on the firewall and Panorama management server where the
web interface became unresponsive because the management server process
(mgmtsrvr) restarted after you set its debugging level to debug (through the
debug management-server on debug CLI command).

PAN-95288 Fixed an issue where the firewall web interface didn't display System logs
(Monitor > Logs > System) after you upgraded to PAN-OS 8.1 and then logged
in using an administrative account that existed before the upgrade.

PAN-94845 Fixed an issue where App-ID didn’t recognize GPRS Tunneling Protocol
User Plane (GTP-U) in GTP messages on port 2152 when only single-
direction message packets arrived (Traffic logs indicated application
insufficient-data).

PAN-94741 Fixed an issue on the Panorama management server where characters in the
Secret string of a TACACS+ server profile changed on the firewall after you
pushed the server profile configuration from a template stack (Device > Server
Profiles > TACACS+).

PAN-94700 Fixed an issue on the PA-200, PA-220, PA-220R, PA-500, and PA-800
Series firewalls where the GlobalProtect data file installation failed after you
upgraded the firewall to PAN-OS 8.1.

PAN-94661 Fixed an issue where the firewall and Panorama management server displayed
policy rules in a jumbled order when you scrolled the rule list in the Policies
tab. The firewall and Panorama also opened the wrong rule for editing when
you double-clicked one.

PAN-94640 Fixed an issue where System logs included the following debugging
information even though the firewall successfully resolved IP addresses:
Failed to resolve domain name:xxx.yyy.zz after trying
all attempts to name servers: A.B.C.D, W.X.Y.Z. With this fix,
daemon logs include that debugging information instead of System logs.

PAN-94633 Fixed an issue where, after upgrading the firewall to PAN-OS 8.1, LDAP
authentication failed if the associated authentication profile had an Allow List
with entries other than All (Device > Authentication Profile).

PAN-94569 Fixed an issue where GlobalProtect client authentication failed
after you entered domains in upper case characters in the Allow
List of an authentication profile (Device > Authentication Profile >
<authentication_profile> > Advanced).

PAN-94445 Fixed an issue where Server Message Block (SMB) sessions were in a discard
state with the session end reason resources-unavailable.

PAN-94387 Fixed an issue where the Check URL Category link in URL Filtering profiles
opened a page that displayed a page not found error instead of opening
the web page used to check the PAN-DB URL Filtering database for the URL
Filtering category of a URL (Objects > Security Profiles > URL Filtering).

PAN-94386 Fixed an issue where the firewall dropped packet data protocol (PDP) context
update and delete messages that had a tunnel endpoint identifier (TEID) of
zero in GPRS Tunneling Protocol (GTP) traffic, and the traffic failed when the
dropped messages were valid.

PAN-94379 Fixed an issue in a Panorama deployment with a Collector Group containing
multiple Log Collectors where the logging search engine restarted after you
changed the SSH keys used for high availability (HA). The disruption to the
search engine caused an out-of-memory condition and caused Panorama
to display logs and report data from only one Log Collector in the Collector
Group.

PAN-94317 Fixed the following LDAP authentication issues:
• Authentication failed for users who belonged to user groups for which you
specified LDAP short names instead of long names in the Allow List of an
authentication profile (Device > Authentication Profile).
• When performing LDAP lookups based on entries in the Allow List of
LDAP authentication profiles, the firewall treated unknown group names as
usernames.
• Authentication failed for users who belonged to multiple groups that you
entered in the Allow List of different LDAP authentication profiles.

PAN-94288 Fixed an issue where the default view and maximized view of the Application
Usage report (ACC > Network Activity) didn't display matching values when
you set the Time to Last 12 Hrs or a longer period.

PAN-94170 Fixed an issue where GTP traffic failed because the firewall dropped GTP-U
echo request packets.

PAN-94135 Fixed an issue where device monitoring did not work on the Panorama
management server.

PAN-93930 Fixed an issue on firewalls with SSL decryption configured where the
dataplane restarted because the all_pktproc process stopped responding after
decryption errors occurred.

PAN-93865 Fixed an issue where the GlobalProtect agent couldn't split tunnel applications
based on the destination domain because the Include Domain and Exclude
Domain lists were not pushed to the agent after the user established
the GlobalProtect connection (Network > GlobalProtect > Gateways >
<gateway> > Agent > Client Settings > <client_settings_configuration> > Split
Tunnel > Domain and Application). In addition, the GlobalProtect agent
couldn't include applications in the VPN tunnel based on the application
process name because the Include Client Application Process Name list
was not pushed to the agent after the user established the GlobalProtect
connection.

PAN-93854 Fixed an issue where the VM-Series firewall for NSX randomly disrupted traffic
due to high CPU usage by the pan_task process.

PAN-93640 Fixed an issue on firewalls where the Log Collector preference list displayed
the IP address as unknown for a Panorama Log Collector deployed on AWS if
the interface (ethernet1/1 to ethernet1/5) used for sending logs did not have
a public IP address configured and you pushed configurations to the Collector
Group.

PAN-93431 Fixed an issue where the Panorama management server failed to export Traffic
logs as a CSV file (Monitor > Logs > Traffic) after you set the Max Rows in
CSV Export to more than 500,000 rows (Panorama > Setup > Management >
Logging and Reporting Settings > Log Export and Reporting).

PAN-93430 Fixed an issue where the firewall web interface didn't display Host Information
Profile (HIP) information in HIP Match logs for end users who had
Microsoft-supported special characters in their domains or usernames.


PAN-93336 Fixed an issue where the firewall intermittently became unresponsive because
the management server process (mgmtsrvr) stopped responding during a
commit after you configured policy rules to use external dynamic lists (EDLs).

PAN-93106 Fixed an issue where the Google Chrome browser displayed certificate
warnings for self-signed ECDSA certificates that you generated on the firewall.

PAN-93090 Fixed an issue where the GCP DHCP Server took 30-50 seconds to respond to
a DHCP discover request, causing DHCP IP assignments to fail.

PAN-93089 A security-related fix was made to prevent denial of service (DoS) to the
management web interface (CVE-2018-8715).

PAN-93072 Fixed an issue on hardware firewalls that were decrypting SSL traffic where
multiple commits in a short period of time caused the firewalls to become
unresponsive.

PAN-93052 Fixed an issue where IPv6 BGP peering persisted (not all BGP routes were
withdrawn) after the associated firewall interface went down.

PAN-92950 Fixed an issue where a Panorama appliance experienced memory
depletion after allowing you to mistakenly enter the IP address of the
appliance when using the set deviceconfig system panorama-server
<IP_address> or set log-collector <Log_Collector> deviceconfig system
configuration mode CLI commands. These commands enable connectivity with
separate appliances. With this fix, the command displays an error message
when you specify the IP address of the appliance on which you run the
command instead of the appliance to which it must connect. The correct IP
address depends on the type of appliance on which you run the command:
• Panorama management server in an HA configuration—Specify the IP
address of the Panorama HA peer.
• Dedicated Log Collector—Specify the IP addresses of the Panorama
management servers, where panorama-server specifies the primary
HA Panorama (or the only Panorama in a non-HA configuration) and
panorama-server-2 specifies the secondary HA Panorama: set
log-collector <Log_Collector> deviceconfig system
{panorama-server | panorama-server-2} <IP_address>.

PAN-92944 Fixed an issue where the firewall assigned the wrong URL filtering category
to traffic that contained a malformed host header. With this fix, the firewall
enables the blocking of any traffic with a malformed URL.

PAN-92858 Fixed an issue where the Panorama management server could not generate
reports and the ACC page became unresponsive when too many heartbeats
were missed because Panorama never cleared reportIDs greater than 65535.

PAN-92445 Fixed an issue where the Panorama management server didn't display log data
in Monitor > Logs, the ACC tab, or reports when Panorama was in a different
timezone than the Dedicated Log Collectors because Panorama applied the
wrong time filter.


PAN-92082 Fixed an issue where the firewall didn't generate URL Filtering logs for user
credential submissions associated with a URL that was not a container page
after you selected Log container page only and set the User Credential
Submission action to alert for the URL category in a URL Filtering profile
(Objects > Security Profiles > URL Filtering > <URL_Filtering_profile>).
With this fix, the firewall generates URL Filtering logs for user credential
submissions regardless of whether you enable Log container page only in the
URL Filtering profile.

PAN-92789 Fixed an issue where VM-Series firewalls deleted logs by reinitializing the
logging disk when the periodic file system integrity check (FSCK) took over 30
minutes during bootup.

PAN-92788 Fixed an issue where the PAN-OS XML API returned the same job IDs for all
report jobs on the firewall. With this fix, the PAN-OS XML API returns the
correct job ID for each report job.

PAN-92738 Fixed an issue on the Panorama management server where administrators with
read-only privileges couldn’t view deployment Schedules for content updates
(Panorama > Device Deployment > Dynamic Updates).

PAN-92678 Fixed an issue on Panorama management servers in an HA configuration
where, after failover caused the secondary HA peer to become active, it failed
to deploy scheduled dynamic updates to Log Collectors and firewalls.

PAN-92604 Fixed an issue where a Panorama Collector Group didn’t forward logs to some
external servers after you configured multiple server profiles (Panorama >
Collector Groups > <Collector_Group> > Collector Log Forwarding).

PAN-92564 Fixed an issue where a small percentage of writable third-party SFP
transceivers (not purchased from Palo Alto Networks®) stopped working or
experienced other issues after you upgraded the firewall to which the SFPs
are connected to a PAN-OS 8.1 release. With this fix, you must not reboot
the firewall after you download and install the PAN-OS 8.1 base image until
after you download and install the PAN-OS 8.1.1 release. For additional details,
upgrade considerations, and instructions for upgrading your firewalls, refer to
the PAN-OS 8.1 upgrade information.

PAN-92560 Fixed an issue where SSL Forward Proxy decryption didn’t work after you
excluded every predefined Hostname from decryption (Device > Certificate
Management > SSL Decryption Exclusion).

PAN-92487 Fixed an issue where enabling jumbo frames (Device > Setup > Session)
reduced throughput because:
• The firewalls hardcoded the maximum segment size (TCP MSS) within TCP
SYN packets and in server-to-client traffic at 1,460 bytes when packets
exceed that size. With this fix, the firewalls no longer hardcode the TCP
MSS value for TCP sessions.
• PA-7000 Series and PA-5200 Series firewalls hardcoded the maximum
transmission unit (MTU) at 1,500 bytes for the encapsulation stage when
tunneled clear-text traffic and the originating tunnel session were on
different dataplanes. With this fix, the firewalls use the MTU configured
for the interface (Network > Interfaces > <interface> > Advanced > Other
Info) instead of hardcoding the MTU at 1,500 bytes.

PAN-92380 Fixed an issue where, when you tried to export a custom report, and your
Chrome or Firefox browser was configured to block popup windows, the
firewall instead downloaded a Tech Support File to your client system.

PAN-92256 Fixed an issue where the firewall didn't Block sessions with unsupported
cipher suites based on Decryption policy rules for SSL Inbound Inspection
when the rules referenced a Decryption Profile with a list of allowed ciphers
that didn't match the ciphers that the destination server specified (Objects >
Decryption > Decryption Profile). With this fix, the firewall checks the ciphers
of both the source client and destination server against the cipher list in
Decryption profiles when evaluating whether to allow sessions based on
Decryption policy.

PAN-92251 Fixed an issue where VM-Series firewalls used the incorrect MAC address
in DHCP messages initiated from a subinterface after you configured
that subinterface as a DHCP Client (Network > Interfaces > Ethernet >
<subinterface> > IPv4) and disabled the Use Hypervisor Assigned MAC
Address option (Device > Management > Setup).

PAN-92163 Fixed an issue where firewalls in an active/passive HA configuration took
longer than expected to fail over after you configured them to redistribute
routes between an interior gateway protocol (IGP) and Border Gateway
Protocol (BGP).

PAN-92152 Fixed an issue where the firewall web interface displayed a blank Device >
Licenses page when you had 10 x 5 phone support.

PAN-91946 Fixed an issue where the Panorama management server intermittently did not
refresh health data for managed firewalls (Panorama > Managed Devices >
Health) and therefore displayed 0 for session statistics.

PAN-91945 Fixed an issue where the firewall didn't generate a System log to indicate when
the reason that end users couldn’t authenticate to a GlobalProtect portal was
a DNS resolution failure for the FQDNs in a RADIUS server profile (Device >
Server Profiles > RADIUS).

PAN-91809 Fixed an issue on VM-Series firewalls for Azure where, after the firewall
rebooted, some interfaces configured as DHCP clients intermittently did not
receive DHCP-assigned IP addresses.

PAN-91776 Fixed an issue where endpoint users could not authenticate to GlobalProtect
when specifying a User Domain with Microsoft-supported symbols such as
the dollar symbol ($) in the authentication profile (Device > Authentication
Profile).

PAN-91597 As an enhancement to improve security for the firewall, the management
(MGT) interface now includes the following HTTP security headers:
X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy.


PAN-91591 Fixed an issue where the GlobalProtect agent failed to establish a TCP
connection with the GlobalProtect gateway when TCP SYN packets had
unsupported congestion notification flag bits set (ECN or CWR).

PAN-91564 A security-related fix was made to prevent a local privilege escalation
vulnerability that allowed administrators to access the password hashes of
local users (CVE-2018-9334).

PAN-91559 Fixed an issue where PA-5200 Series firewalls caused slow traffic over IPSec
VPN tunnels because the firewalls reordered TCP segments during IPSec
encryption.

PAN-91429 Fixed an issue where PA-5200 Series firewalls rebooted when you ran the
set ssh service-restart mgmt CLI command multiple times.

PAN-91370 Fixed an issue where the firewall dropped IPv6 traffic while enforcing IPv6
bidirectional NAT policy rules because the firewall incorrectly translated the
destination address for a host that resided on a directly attached network.

PAN-91360 Fixed an issue where, in rare cases, the firewall couldn't establish connections
with GlobalProtect agents because the rasmgr process stopped responding
when hundreds of end users logged in and out of GlobalProtect at the same
time.

PAN-91254 Fixed an issue where end user accounts were locked out after you configured
authentication based on a RADIUS server profile with multiple servers
(Device > Server Profiles > RADIUS) and enabled the gateway to Retrieve
Framed-IP-Address attribute from authentication server (Network >
GlobalProtect > Gateways > <gateway> > Agent > Client Settings >
<client_settings_configuration> > IP Pools). With this fix, instead of requesting
framed IP addresses from all the servers in a RADIUS server profile at the same
time, the firewall sends the request to only one server at a time until one of the
servers responds.

PAN-90824 An enhancement was made to improve compatibility for the HTTP log
forwarding feature so that you can specify the TLS version that the HTTP log
forwarding feature uses to connect to the HTTP server.
To specify the version, use the debug system https-settings tls-version
CLI command. (To view the version that is currently specified, use the
debug system https-settings command.)

PAN-90753 Fixed an issue where firewalls in an active/passive HA configuration didn’t
synchronize multicast sessions between the firewall HA peers.

PAN-90448 Fixed an issue where PA-7000 Series and PA-5200 Series firewalls didn't
properly Rematch all sessions on config policy change for offloaded sessions
(Device > Setup > Session).

PAN-90411 Fixed an issue where PA-5200 Series firewalls didn’t forward buffered logs
to Panorama Log Collectors after connectivity between the firewalls and Log
Collectors was disrupted and then restored.


PAN-90404 Fixed an issue where the Panorama management server intermittently
displayed the connections among Log Collectors as disconnected after pushing
configurations to a Collector Group (Panorama > Managed Collectors).

PAN-90347 Fixed an issue on a PA-5000 Series firewall configured to use an IPSec tunnel
containing multiple proxy IDs (Network > IPSec Tunnels > <tunnel> > Proxy
IDs) where the firewall dropped tunneled traffic after clear text sessions were
established on a different dataplane than the first dataplane (DP0).

PAN-90190 Fixed an issue on the Panorama virtual appliance on a VMware ESXi server
where VMware Tools failed to start after you upgraded to PAN-OS 8.1.

PAN-90143 Fixed an issue where administrators intermittently failed to log in to the
firewall because it intermittently restarted processes continuously due to an
out-of-memory condition.

PAN-90048 Fixed an issue where automatic commits failed after you configured Security
policy rules that referenced region objects for the source or destination and
then upgraded the PAN-OS software.

PAN-89992 Fixed an issue where the firewall didn’t efficiently handle traffic in which the
number of Address Resolution Protocol (ARP) packets exceeded the processing
capacity of the firewall. With this fix, the firewall handles ARP packets more
efficiently.

PAN-89748 Fixed an issue on the Panorama virtual appliance for Azure where commit
operations failed after you added administrator accounts other than the
default admin account, switched from Panorama mode to Log Collector mode,
made configuration changes, and then tried to commit your changes. With this
fix, Panorama removes all administrator accounts other than the default admin
account when you switch to Log Collector mode. Dedicated Log Collectors
support only the default admin account.

PAN-89715 Fixed an issue on PA-5200 Series firewalls in an active/passive HA
configuration where failover took a few seconds longer than expected when it
was triggered after the passive firewall rebooted.

PAN-89525 Fixed a configuration parsing issue where a default setup of the Authentication
Profile caused the firewall to reboot during commit. If the administrator
configured the Authentication Profile with any allowed values, including
the default values, the configuration committed successfully. The issue was
observed on a PA-500 firewall in FIPS-CC mode.

PAN-89171 Fixed an issue on firewalls in an HA configuration where an auto-commit
failed (the error message was Error: Duplicate user name) after you
connected a new suspended-secondary peer to an active-primary peer.

PAN-88852 Fixed an issue where VM-Series firewalls stopped displaying URL Filtering
logs after you configured a URL Filtering profile with an alert action (Objects >
Security Profiles > URL Filtering).


PAN-88752 Fixed an issue where User-ID agents configured to detect credential phishing
didn’t detect passwords that contained a blank space.

PAN-88649 Fixed an issue where, after receiving machine account names in UPN format
from a Windows-based User-ID agent, the firewall misidentified them as user
accounts and overrode usernames with machine names in
IP address-to-username mappings.

PAN-88428 Fixed an issue where the VM-Series firewall incorrectly displayed network
interfaces as having a Link Speed of 1000 and a Link Duplex set to half
when the actual values were different (Network > Interfaces > <interface> >
Advanced).

PAN-87964 Fixed an issue where the firewall couldn't render URL content for end users
after you configured GlobalProtect Clientless VPN with a Hostname set to a
Layer 3 subinterface or VLAN interface (Network > GlobalProtect > Portals >
<portal> > Clientless VPN > General).

PAN-87309 Fixed an issue where, after you configured a GlobalProtect gateway to exclude
all video streaming traffic from the VPN tunnel, Hulu and Sling TV traffic could
not be redirected if you did not configure any security profiles (such as a File
Blocking profile) for your firewall Security policies.

PAN-86934 Fixed an issue where the firewall applied case sensitivity to the names of
shared user groups that were defined in its local database and, as a result,
users who belonged to those groups couldn't access applications through
GlobalProtect Clientless VPN even after successful authentication. With this
fix, the firewall ignores character case when evaluating the names of user
groups in its local database.

PAN-86076 As an enhancement to improve security for GlobalProtect deployments, the
GlobalProtect portal now includes the following HTTP security headers in
responses to end user login requests: X-XSS-Protection,
X-Content-Type-Options, and Content-Security-Policy.

PAN-86028 Fixed an issue in an HA active/active configuration where traffic in a
GlobalProtect VPN tunnel in SSL mode failed after Layer 7 processing if
asymmetric routing was involved.

PAN-85308 Fixed an issue in the output for on-demand custom reports (select
Monitor > Manage Custom Reports > <report> and Run Now) where the
<column_heading> drop-down displayed a Columns option even though you
couldn't add or remove columns. With this fix, the <column_heading>
drop-down no longer displays a Columns option.

PAN-83001 Fixed an issue where the firewall dropped packets based on a QoS class even
though traffic didn’t exceed the maximum bandwidth for that class.

PAN-81495 Fixed an issue where connections that the firewall handles as an Application
Level Gateway (ALG) service were disconnected when destination NAT and
decryption were enabled.


PAN-80664 Fixed an issue where, after end users who haven't yet enrolled in Duo failed to
authenticate to a GlobalProtect portal that used a RADIUS server integrated
with Duo for multi-factor authentication, the portal login page displayed
Invalid username or password as the authentication error instead of
displaying a Duo enrollment URL so that the users could enroll.

PAN-OS 8.1.0 Addressed Issues
Issue ID Description

PAN-92268 Fixed an issue on PA-7000 Series, PA-5200 Series, and PA-3200 Series
firewalls where one or more dataplanes did not pass traffic when you ran
several operational commands (from any firewall user interface or from the
Panorama management server) while committing changes to device or network
settings or while installing a content update.

PAN-91774 Fixed an issue on Panorama virtual appliances for AWS in an HA configuration
where the primary peer did not synchronize template changes to the
secondary peer.

PAN-91429 Fixed an issue where PA-5200 Series firewalls rebooted when you ran the
set ssh service-restart mgmt CLI command multiple times.

PAN-90954 A security-related fix was made to prevent a local privilege escalation
vulnerability that could potentially result in the deletion of files
(CVE-2018-9242).

PAN-90842 Fixed an issue where commits failed after you changed the default Size Limit
to a custom value for MacOSX files that the firewall forwarded to WildFire
(Device > Setup > WildFire).

PAN-90835 A security-related fix was made to prevent a Cross-Site Scripting (XSS) attack
through the PAN-OS session browser (CVE-2018-7636).

PAN-90521 Fixed an issue on the Panorama management server where Device Group and
Template administrators could not display or edit the Device > Log Settings in
a template.

PAN-90168 Fixed an issue where, after you downgraded a firewall from PAN-OS 8.1 to a
previous PAN-OS release and then clicked Revert Content on the Panorama
management server (Panorama > Device Deployment > Dynamic Updates) the
Current Version column displayed the content release version of the firewall
when it ran PAN-OS 8.1 regardless of the content version currently installed
on the firewall.

PAN-89471 Fixed an issue where firewalls rebooted because the userid process restarted
too often due to a socket binding failure that caused a memory leak.

PAN-89030 Fixed an issue where the firewall could not authenticate to a hardware security
module (HSM) partition when the partition password contained special
characters.

PAN-88292 Fixed an issue on Panorama management servers in a high availability (HA)
configuration where the Log Collector that ran locally on the passive peer did
not forward logs to syslog servers.


PAN-88200 Fixed an issue where firewalls with multiple virtual systems did not import
external dynamic lists that you assigned to policy rules.

PAN-86873 Fixed an issue where the firewall advertised the OSPF not-so-stubby area
(NSSA) link-state advertisement (LSA) type 7 default route to NSSA neighbors
even when the OSPF backbone area was down.

PAN-84836 A security-related fix was made to address a Cross-Site Scripting (XSS)
vulnerability in the PAN-OS response to a GlobalProtect gateway
(CVE-2018-10139).

PAN-83900 Fixed an issue where the Panorama management server did not run ACC
reports or custom reports because the reportd process stopped responding
when an administrator tried to access a device group to which that
administrator did not have access.

PAN-82942 Fixed an issue where the firewall rebooted because the User-ID process
(useridd) restarted several times when endpoints, while requesting services
that could not process HTTP 302 responses (such as Microsoft update
services), authenticated to Captive Portal through NT LAN Manager (NTLM)
and immediately disconnected.

PAN-81521 Fixed an issue where endpoints failed to authenticate to GlobalProtect through
Kerberos when you specified the active directory (AD) FQDN instead of
the AD IP address in the Kerberos server profile (Device > Server Profiles >
Kerberos).

PAN-81417 Fixed an issue on the Panorama management server where, after an
administrator selected Force Template Values when editing Push Scope
selections (Commit > Push to Devices), the setting persisted as enabled for
that administrator in all subsequent push operations instead of defaulting
to disabled. With this fix, Force Template Values is disabled by default for
every push operation until, and only if, the administrator manually enables the
setting.

PAN-80569 Fixed an issue where firewalls could not connect to M-500 or M-600
appliances in PAN-DB mode due to certificate validation failures. With this fix,
the appliances add an IP address to the Subject Alternative Name (SAN) field
when generating the certificates used for firewall connections.

PAN-75775 Fixed an issue where SNMP managers indicated syntax errors in PAN-OS
MIBs, such as forward slash (/) characters not used within quotation marks
(“”). You can find the updated MIBs at https://www.paloaltonetworks.com/
documentation/misc/snmp-mibs.html.

Getting Help
The following topics provide information on where to find more about this release and how to
request support:

> Related Documentation
> Requesting Support

Related Documentation
Refer to the PAN-OS® 8.1 documentation on the Technical Documentation portal using the links below.
You can also search the documentation for more information on our products:
• PAN-OS 8.1 New Features Guide—Detailed information on configuring the features introduced in this
release.
• PAN-OS 8.1 Administrator’s Guide—Provides the concepts and solutions to get the most out of your
Palo Alto Networks® next-generation firewalls. This includes taking you through the initial configuration
and basic set up on your Palo Alto Networks firewalls.
• Panorama 8.1 Administrator’s Guide—Provides the basic framework to quickly set up the Panorama™
virtual appliance or an M-Series appliance for centralized administration of the Palo Alto Networks
firewalls.
• WildFire 8.1 Administrator’s Guide—Provides steps to set up a Palo Alto Networks firewall to forward
samples for WildFire® Analysis, to deploy the WF-500 appliance to host a WildFire private or hybrid
cloud, and to monitor WildFire activity.
• VM-Series 8.1 Deployment Guide—Provides details on deploying and licensing the VM-Series firewall on
all supported hypervisors. It includes examples of supported topologies on each hypervisor.
• GlobalProtect 8.1 Administrator’s Guide—Describes how to set up and manage GlobalProtect™.
• PAN-OS 8.1 Online Help System—Detailed, context-sensitive help system integrated with the firewall
web interface.
• Palo Alto Networks Compatibility Matrix—Provides operating system and other compatibility
information for Palo Alto Networks next-generation firewalls, appliances, and agents.
• Open Source Software (OSS) Listings—OSS licenses used with Palo Alto Networks products and
software:
• PAN-OS 8.1
• Panorama 8.1
• Wildfire 8.1

Requesting Support
For contacting support, for information on support programs, to manage your account or devices, or to
open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
You can also use the Palo Alto Networks® Contact Information as needed.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
https://www.paloaltonetworks.com/company/contact-support
Palo Alto Networks, Inc.
www.paloaltonetworks.com
