PANOS8.

0ReleaseNotes

Release8.0.1

RevisionDate:April5,2017

ReviewimportantinformationaboutPaloAltoNetworksPANOS8.0software,includingnewfeatures
introduced,workaroundsforopenissues,andissuesthatareaddressedinthePANOS8.0release.For
installation,upgrade,anddowngradeinstructions,refertothePANOS8.0NewFeaturesGuide.Forthe
latestversionofthesereleasenotes,refertothePaloAltoNetworkstechnicaldocumentationportal.

PANOS8.0ReleaseInformation ....................................... 3
FeaturesIntroducedinPANOS8.0 .................................................. 4
ManagementFeatures .......................................................... 5
PanoramaFeatures ............................................................. 6
ContentInspectionFeatures..................................................... 8
WildFireFeatures..............................................................10
AuthenticationFeatures ........................................................11
UserIDFeatures..............................................................12
AppIDFeatures ...............................................................13
DecryptionFeatures ...........................................................13
VirtualizationFeatures .........................................................14
NetworkingFeatures...........................................................16
GlobalProtectFeatures .........................................................18
ChangestoDefaultBehavior .......................................................20
ManagementChanges..........................................................20
AuthenticationChanges........................................................21
ContentInspectionChanges ....................................................21
PanoramaChanges ............................................................22
WildFireChanges ..............................................................22
VMSeriesFirewallChanges ....................................................22
GlobalProtectChanges.........................................................23
CLIandAPIChangesinPANOS8.0 .................................................24
AssociatedSoftwareandContentVersions ...........................................27
Limitations .......................................................................28
KnownIssues .....................................................................29
KnownIssuesRelatedtoPANOS8.0Releases ....................................29
KnownIssuesSpecifictotheWF500Appliance...................................44

PANOS8.0.1AddressedIssues....................................... 49

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 1
 TableofContents

PANOS8.0.0AddressedIssues .......................................53

GettingHelp.........................................................59
RelatedDocumentation......................................................... 59
RequestingSupport ............................................................ 60

2 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
 PANOS8.0ReleaseInformation
FeaturesIntroducedinPANOS8.0
ChangestoDefaultBehavior
CLIandAPIChangesinPANOS8.0
AssociatedSoftwareandContentVersions
Limitations
KnownIssues

PreviouslyknownissuescarriedoverfrompreviousreleasenotesandthatwereidentifiedusinglegacyIDnumbers
(5or6digitswithoutaprefix)arenowassignednewissueIDnumbersthatalsoincludeproductspecificprefixes.

PANOS8.0.1AddressedIssues
PANOS8.0.0AddressedIssues
GettingHelp

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 3
FeaturesIntroducedinPANOS8.0 PANOS8.0ReleaseInformation

FeaturesIntroducedinPANOS8.0

ThefollowingtopicsdescribethenewfeaturesintroducedinthePANOS8.0release,whichrequires
contentreleaseversion655oralaterversion.Forupgradeanddowngradeconsiderationsandforspecific
informationabouttheupgradepathforafirewall,refertotheUpgradesectionofthePANOS8.0New
FeaturesGuide.Thenewfeaturesguidealsoprovidesadditionalinformationabouthowtousethenew
featuresinthisrelease.
ManagementFeatures
PanoramaFeatures
ContentInspectionFeatures
WildFireFeatures
AuthenticationFeatures
UserIDFeatures
AppIDFeatures
DecryptionFeatures
VirtualizationFeatures
NetworkingFeatures
GlobalProtectFeatures

4 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS8.0ReleaseInformation FeaturesIntroducedinPANOS8.0

ManagementFeatures

NewManagement Description
Features

AdministratorLevel Youcannowcommit,validate,preview,save,andrevertchangesthatyoumadeina
CommitandRevert Panoramaorfirewallconfigurationindependentofchangesthatotheradministratorshave
made.Thissimplifiesyourconfigurationworkflowbecauseyoudon'thavetocoordinate
commitswithotheradministratorswhenyourchangesareunrelatedtotheirs,orworry
aboutrevertingchangesotheradministratorsmadethatweren'tready.

NetFlowSupportfor PA7000SeriesfirewallsnowhavethesameabilityasotherPaloAltoNetworksfirewalls
PA7000SeriesFirewalls toexportNetFlowrecordsforIPtrafficflowstoaNetFlowcollector.Thisgivesyoumore
comprehensivevisibilityintohowusersanddevicesareusingnetworkresources.

PA7000SeriesFirewall YoucannowforwardlogsfromPA7000SeriesfirewallstoPanoramaforimprovedlog
LogForwardingto retention,whichhelpsyoumeetregulatoryrequirementsforyourindustryaswellasyour
Panorama internallogarchivalrequirements.

SelectiveLogForwarding Toenableyourorganizationtoprocessandrespondtoincidentalertsmorequickly,you
BasedonLogAttributes cannowcreatecustomlogforwardingfiltersbasedonanylogattributes.Insteadof
forwardinglogsbasedonlyonseveritylevels,youcanforwardjusttheinformationthat
variousteamsinyourorganizationwanttomonitororacton.Forexample,asecurity
operationsanalystwhoinvestigatesmalwareincidentsmightbeinterestedonlyinThreat
logswiththetypeattributesettowildfirevirus.

ActionOrientedLog ThefirewallcannowdirectlyforwardlogsusingHTTP/HTTPSsothatyoucantriggeran
ForwardingusingHTTP automatedactionwhenaspecificeventoccurs.Thiscapabilityallowsthefirewallto
integratewithexternalsystemsthatprovideanHTTPbasedAPI.And,combinedwiththe
SelectiveLogForwardingBasedonLogAttributes,youcannowautomatesecurity
workflowmoreefficiently,applyingdynamicpolicy,andrespondingtosecurityincidents.
TriggeranactionoraworkflowonathirdpartyservicethatprovidesanHTTPbased
API:ThefirewallcannowsendanHTTPrequestasanAPIcall.YoucanselecttheHTTP
method,andcustomizetheheader,requestformat,andpayloadtotriggeranaction.
Forexample,onanHAfailoverevent,thefirewallcangenerateanHTTPrequesttoan
ITmanagementservicetoautomaticallycreateanincidentreportwiththedetailsinthe
systemlog.ThisautomatedworkflowcanhelptheITinfrastructureteamtoeasilytrack
andfollowupontheissue.
Enabledynamicpolicyandenforcement:TagthesourceordestinationIPaddressina
logentry,registerthetagstoconnectedUserIDagents,andtakeactiontoenforce
policyateverylocationonyournetwork.Forexample,whenaThreatlogindicatesthat
thefirewallhasdetectedmalware,youcantagthesourceordestinationIPaddressto
quarantinethemalwareinfecteddevice.Basedonthetag,theIPaddressassociated
withthedevicebecomesthememberofadynamicaddressgroup,andtheSecurity
policyruleinwhichthedynamicaddressgroupisreferencedlimitsaccesstocorporate
resourcesuntilITclearsthedeviceforuse.

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 5
FeaturesIntroducedinPANOS8.0 PANOS8.0ReleaseInformation

NewManagement Description
Features(Continued)

ExtendedSNMPSupport PANOSsupportforSimpleNetworkManagementProtocol(SNMP)nowincludesthe
followingfeatures:
LoggingstatisticsUsingSNMPtomonitorloggingstatisticsforfirewallsandLog
Collectorshelpsyouplanimprovementstoyourlogcollectionarchitecture,evaluate
thehealthoffirewallandPanoramaloggingfunctions,andtroubleshootissuessuchas
droppedlogs.Youcannowmonitorabroaderrangeofloggingstatistics,includinglog
rate,diskusage,retentionperiods,theforwardingstatusfromindividualfirewallsto
Panoramaandexternalservers,andthestatusoffirewalltoLogCollectorconnections.
HA2statisticsandtrapsMonitoringSNMPstatisticsandtrapsfortheinterfacesthat
firewallsuseforhighavailability(HA)synchronizationhelpsyoutroubleshootand
verifythehealthofHAfunctionssuchasstatechanges.YoucannowuseanSNMP
managertomonitorthededicatedHA2interfacesoffirewalls,inadditiontotheHA1,
HA2backup,andHA3interfaces.

IncreasedStorageon ToprovidelongerretentionperiodsforlogsonthePA7000Seriesfirewall,youcannow
PA7000SeriesFirewall increasethelogstoragecapacityto4TBbyinstalling2TBdisksinthetwoRAIDdiskpairs
(formerlyonly1TBdisksweresupported).Forlogstoragebeyond4TB,youcanenable
PA7000SeriesFirewallLogForwardingtoPanorama,whichsupportsupto24TBfor
eachM500applianceintheCollectorGroup.

PanoramaFeatures

NewPanorama Description
Features

LogQueryAcceleration Panoramahasanimprovedlogqueryandreportingenginetoenableasignificant
improvementinspeedwhengeneratingreportsandexecutingqueries.Alllogsgenerated
aftertheupgradetoPANOS8.0automaticallytakeadvantageoftheimprovedquery
processingarchitecture.Toextendtheperformanceimprovementsforolderlogs,youcan
migratethelogstothenewformat.

LoggingEnhancements YoucannowcreateaLogCollectorthatrunslocallyonthePanoramavirtualappliance.
onthePanoramaVirtual BecausethelocalLogCollectorsupportsmultiplevirtualloggingdisks,youcanincreaselog
Appliance storageasneededwhilepreservingexistinglogs.Youcanincreaselogstoragetoamaximum
of24TBforasinglePanoramaandupto48TBforahighavailabilitypair.UsingalocalLog
Collectoralsoenablesfasterreportgeneration(seeLogQueryAcceleration).

IncreasedLogStorage Toprovideadequatediskspaceforalongerlogretentionperiod,youcanincreasethelog
Capacity storagecapacityontheM500applianceandPanoramavirtualapplianceto24TB(formerly
8TB).TheM500appliancenowsupports2TBdisksandupto12RAIDdiskpairs(formerly
1TB*8RAIDdiskpairs).Inaddition,thePanoramavirtualappliancenowsupportsalocal
LogCollectorwithupto24TBofvirtualdiskspace(seeLoggingEnhancementsonthe
PanoramaVirtualAppliance).

6 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS8.0ReleaseInformation FeaturesIntroducedinPANOS8.0

NewPanoramaFeatures Description
(Continued)

TrapsLogsonPanorama PanoramacannowingestTrapslogssentbytheTrapsEndpointSecurityManagerusing
syslogoverUDP,TCP,orSSLsothatyoucanmonitorsecurityeventsrelatingtoprotected
processesandexecutablefilesonTrapsprotectedendpoints.Youcanfilteronanylog
attributeandanswerdaytodayoperationalquestionssuchas,Howmanydifferent
preventioneventsdidaspecificusertrigger?
TheabilitytoseeTrapslogsinthesamecontextasthefirewalllogsallowsyoutocorrelate
discreteactivityobservedonthenetworkandtheendpoints.Correlatedeventshelpyousee
theoverallpictureacrossyournetworkandtheendpointssothatyoucandetectanyrisks
thatevadedetectionortakeadvantageofblindspots,andstrengthenyoursecurityposture
wellbeforeanydamageoccurs.

ExtensiblePlugin Panoramanowsupportsapluginarchitecturetoenablenewthirdpartyintegrationsor
Architecture updatestoexistingintegrations(suchastheVMwareNSXintegration)outsideofanew
PANOSfeaturerelease.Panoramadisplaysonlytheinterfaceelementspertinenttothe
pluginsyouinstall.
ThefirstimplementationofthisarchitectureenablesVMSeriesNSXIntegration
ConfigurationthroughPanorama.

ExtendedSupportfor Tosupport thedemandsfornetworksegmentationandsecurityinlargescaledeployments,

MultiplePanorama youcannowseparatethemanagementfunctionsfromthedevicemanagementandlog
Interfaces collectionfunctionsonthePanoramaMSeriesappliances.Thekeyimprovementsare:
ForwardlogsfromthemanagedfirewallstoPanoramaandtheLogCollectorsonmultiple
interfaces,insteadofasingleinterface.Thischangereducesthetrafficloadonan
interfaceandprovidesflexibilityinloggingtoacommoninfrastructureacrossdifferent
subnetswithoutrequiringchangestothenetworkconfigurationandaccesscontrollists
inyourinfrastructure.
Managetheconfigurationforfirewallsandlogcollectorsusingmultipleinterfaceson
Panorama.Thiscapabilitysimplifiesthemanagementofdevicesthatbelongtodifferent
subnetsoraresegmentedforbettersecurity.
Deploysoftwareandcontentupdatestomanagedfirewallsandlogcollectorsusingan
interfaceofyourchoice.Youcancontinuetousethemanagementportorselecta
differentinterfacefordeployingupdatestomanagedfirewallsandlogcollectorsrunning
PANOS8.0.SeeStreamlinedDeploymentofSoftwareandContentUpdatesfrom
Panorama.
Theabilitytoseparatethesefunctionsacrossmultipleinterfacesreducesthetrafficonthe
dedicatedmanagement(MGT)port.Youcannowlockdownthemanagementportfor
administrativeaccesstoPanorama(HTTPSandSSH)andtheLogCollectors(SSH)only;by
defaultCollectorGroupcommunicationisenabledonthemanagementportbutyoucan
assignadifferentportforthistraffic.

DeviceGroup,Template, Panoramanowsupportsupto1,024devicegroupsand1,024templates(previously512
andTemplateStack each),and1,024templatestacks(previously128).Inlargescaledeployments,these
CapacityIncrease capacityimprovementsincreaseadministrativeeaseincentrallymanagingfromPanorama
andreducetheconfigurationexceptionsandoverridesthatyoumustmanagelocallyon
individualfirewalls.

Streamlined Youcannowdeploysoftwareandcontentupdatestomanageddevicesmorequickly.
DeploymentofSoftware Insteadofpushingtheupdatestoonedeviceatatime,Panoramanownotifiesfirewallsand
andContentUpdates LogCollectorswhenupdatesareavailableandthedevicesthenretrievetheupdatesin
fromPanorama parallel.
TheExtendedSupportforMultiplePanoramaInterfacesenablesyoutoconfigureaseparate
interface,insteadofusingthemanagement(MGT)interface,fordeployingcontentand
softwareupdatestomanageddevices.

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 7
FeaturesIntroducedinPANOS8.0 PANOS8.0ReleaseInformation

ContentInspectionFeatures

NewContentInspection Description
Features

CredentialPhishing Phishingsitesaresitesthatattackersdisguiseaslegitimatewebsiteswiththeaimtosteal
Prevention userinformation,especiallythepasswordsthatprovideaccesstoyournetwork.Youcan
nowidentifyandpreventinprogressphishingattacksbycontrollingsitestowhichusers
cansubmitcorporatecredentialsbasedonthesitesURLcategory.Thisfeatureintegrates
withUserID(groupmappingorusermapping,dependingonwhichmethodyouchoose
todetectcredentials)toenablethefirewalltodetectwhenusersareattemptingtosubmit
theircorporateusernameandorusernameandpasswordandblockthesubmission.

Telemetry Youcannowparticipateinacommunitydrivenapproachtothreatpreventionthrough
telemetry.Telemetryallowsyourfirewalltoperiodicallycollectandshareinformation
aboutapplications,threats,anddevicehealthwithPaloAltoNetworks.PaloAlto
Networksusesthethreatintelligencecollectedfromyouandothercustomerstoimprove
thequalityofintrusionpreventionsystem(IPS)andspywaresignaturesandthe
classificationofURLsinPANDB.Forexample,whenathreateventtriggersvulnerability
orspywaresignatures,thefirewallsharestheURLsassociatedwiththethreatwiththe
PaloAltoNetworksthreatresearchteam,sotheycanproperlyclassifytheURLsas
malicious.TelemetryalsoallowsPaloAltoNetworkstorapidlytestandevaluate
experimentalthreatsignatureswithnoimpacttoyournetwork,sothatcriticalthreat
preventionsignaturescanbereleasedtoallcustomersfaster.
Youhavefullcontroloverwhichdatathefirewallsharesthroughtelemetry,andsamples
ofthisdataareavailabletoviewthroughyourTelemetrysettings.PaloAltoNetworks
doesnotshareyourtelemetrydatawithothercustomersorthirdpartyorganizations.

PaloAltoNetworks PaloAltoNetworksnowprovidesmaliciousIPaddressfeedsthatyoucanusetohelp
MaliciousIPAddress secureyournetworkfromknownmalicioushostsontheInternet.OnefeedcontainsIP
Feeds addressesverifiedasmaliciousbyPaloAltoNetworks,andanotherfeedcontains
maliciousIPaddressesfromreputablethirdpartythreatadvisories.PaloAltoNetworks
maintainsbothfeeds,whichyoucanreferenceinSecuritypolicyrulestoalloworblock
traffic.Youcanalsocreateyourownexternaldynamiclistsbasedonthesefeedsand
customizethemasneeded.YoumusthaveanactiveThreatPreventionlicensetoviewand
usethePaloAltoNetworksmaliciousIPaddressfeeds.

EnhancedCoveragefor C2signaturessignaturesthatdetectwhereacompromisedsystemissurreptitiously
CommandandControl communicatingwithanattackersremoteserverarenowgeneratedautomatically.While
(C2)Traffic C2protectionisnotnew,previoussignatureslookedforanexactmatchtoadomainname
oraURLtoidentifyaC2host.Thenew,automaticallygeneratedC2signaturesdetect
certainpatternsinC2traffic,providingmoreaccurate,timely,androbustC2detection
evenwhentheC2hostisunknownorchangesrapidly.

DataFilteringSupportfor Datafilteringisenhancedtoworkwiththirdparty,endpointDLPsolutionsthatpopulate
DataLossPrevention filepropertiestoindicatesensitivecontent,enablingthefirewalltoenforceyourDLP
(DLP)Solutions policy.Tobettersecurethisconfidentialdata,youcannowcreateDataFilteringprofiles
thatidentifythefilepropertiesandvaluessetbyaDLPsolutionandthenlogorblockthe
filestheDataFilteringprofileidentifies.

8 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS8.0ReleaseInformation FeaturesIntroducedinPANOS8.0

NewContentInspection Description
Features(Continued)

ExternalDynamicList Newenhancementsprovidebettersecurity,flexibility,andeaseofusewhenworking
Enhancements withexternaldynamiclists.Theenhancementsincludetheoptionsto:
EnableAuthenticationforExternalDynamicListstovalidatetheidentityofalistsource
andtoforwardlogincredentialsforaccesstoexternaldynamicliststhatenforcebasic
HTTPauthentication.
UsenewPaloAltoNetworksMaliciousIPAddressFeedsinsecuritypolicyrulesto
blocktrafficfrommaliciousIPaddresses.
Viewthecontentsofanexternaldynamiclistdirectlyonthefirewall,withtheoptionto
excludeentriesorviewthreatintelligenceassociatedwithanentryinAutoFocus.

NewSchedulingOptions ThefirewallcannowcheckforthelatestAppID,vulnerabilityprotection,and
forApplicationandThreat antispywaresignaturesevery30minutesorhourly,inadditiontobeingabletocheckfor
ContentUpdates theseupdatesdailyandweekly.Thisfeatureenablesmoreimmediatecoveragefor
newlydiscoveredthreatsandstrengthenssafeenablementforupdatedand
newlydefinedapplications.

FiveMinuteUpdatesfor TheMalwareandPhishingURLcategoriesinPANDBarenowupdatedeveryfive
PANDBMalwareand minutes,basedonthelatestmaliciousandphishingsitesWildFireidentifies.Thesemore
PhishingURLCategories frequentupdatesensurethatthefirewallisequippedwiththeverylatestinformationto
detectandthenblockaccesstomaliciousandphishingsites.

GloballyUnique AllPaloAltoNetworksthreatsignaturesnowhavepermanent,globallyuniqueIDsthat
Threat IDs youcanusetolookupthreatsignatureinformationandcreatepermanentthreat
exceptions:
Changetheaction(forexample,blockoralert)thefirewallusestoenforceathreat
signaturethreatexceptionsareusefulifasignatureistriggeringfalsepositives.
Easilycheckifathreatsignatureisconfiguredasanexception.
UsethreatIDsintheThreatVaultandAutoFocustogaincontextforathreatsignature.

NewPredefinedFile TwonewpredefinedFileBlockingprofilesbasicfileblockingandstrictfileblocking
BlockingProfiles havebeenaddedviacontentreleaseversion653.Youcanusetheseprofilestoquicklyand
easilyapplythebestpracticefileblockingsettingstoyourSecuritypolicyallowrulesto
ensurethatusersarenotinadvertentlydownloadingmaliciouscontentintoyournetwork
orexfiltratingsensitivedataoutofyournetworkinlegitimateapplicationtraffic.

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 9
FeaturesIntroducedinPANOS8.0 PANOS8.0ReleaseInformation

WildFireFeatures

ThePANOS8.0.0releaseisnotavailableforWF500appliances.

NewWildFireFeatures Description

WildFireAnalysisof ThenewWildFireAnalysisofBlockedFilesenablesthefirewalltosubmitblockedfiles
BlockedFiles thatmatchexistingantivirussignaturesforWildFireanalysis,inadditiontounknownfiles,
sothatWildFirecanextractvaluableinformationfromnewmalwarevariants.Malware
signaturesoftenmatchmultiplevariantsofthesamemalwarefamily,andassuch,block
newmalwarevariantsthatthefirewallhasneverseenbefore.Sendingtheseblocked
malwaresamplesforWildFireanalysisallowsWildFiretoanalyzethemforadditional
URLs,domainnames,andIPaddressesthatmustbeblocked.SinceallWildFireanalysis
dataisalsoavailableonAutoFocus,youcannowuseWildFireandAutoFocustogetherto
getamorecompleteperspectiveofallthreatstargetingyournetwork,improvingthe
efficacyofyoursecurityoperations,incidentresponse,andthreatintelligencefunctions.

WildFirePhishingVerdict ThenewWildFirePhishingVerdictclassifiesphishinglinksdetectedinemailsseparately
fromotheremailedlinksfoundtobeexploitsormalware.ThefirewalllogsWildFire
submissionsthatarephishinglinkstoindicatethatsuchalinkhasbeendetectedinan
email.
WithbothaWildFirelicenseandaPANDBlicense,youcanblockaccesstophishingsites
within5minutesofinitialdiscovery.
TheWF500appliancedoesnotsupportthenewphishingverdict,andcontinuesto
classifysuspectedphishingsitesasmalicious.

10 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS8.0ReleaseInformation FeaturesIntroducedinPANOS8.0

AuthenticationFeatures

NewAuthentication Description
Features

SAML2.0Authentication ThefirewallandPanoramacannowfunctionasSecurityAssertionMarkupLanguage
(SAML)2.0serviceproviderstoenablesinglesignonandsinglelogoutforendusers(see
SAML2.0AuthenticationforGlobalProtect)andforadministrators.SAMLenhancesthe
userexperiencebyenablingasingle,interactivelogintoprovideautomaticaccessto
multipleauthenticatedservicesthatareinternalorexternaltoyourorganization.
Inadditiontoauthenticatingadministratoraccountsthatarelocaltothefirewalland
Panorama,youcanuseSAMLtoauthenticateandassignrolestoexternaladministrator
accountsintheidentityprovider(IdP)identitystore.

AuthenticationPolicyand Toprotectyournetworkresourcesfromattackers,youcanusethenewAuthentication
MultiFactor policytoensureallyourendusersauthenticatewhentheyaccessthoseresources.
Authentication AuthenticationpolicyisanimprovedreplacementforCaptivePortalpolicy,which
enforcedauthenticationonlyforsomeusers.Authenticationpolicyhastheadditional
benefitofenablingyoutochoosehowmanyauthenticationchallengesofdifferenttypes
(factors)usersmustrespondto.Usingmultiplefactorsofauthentication(MFA)is
particularlyusefulforprotectingyourmostsensitiveresources.Forexample,youcan
forceuserstoenteraloginpasswordandthenenteraverificationcodethattheyreceive
byphone.Thisapproachensuresattackerscantinvadeyournetworkandmovelaterally
throughitjustbystealingpasswords.Ifyouwanttospareusersthehassleofresponding
tomultiplechallengesforresourcesthatdontneedsuchahighdegreeofprotection,you
canalsohaveAuthenticationpolicyrulesthatenforceonlypasswordorcertificate
authentication.
ThefirewallmakesiteasytoimplementMFAinyournetworkbyintegratingdirectlywith
severalMFAplatforms(Duov2,OktaAdaptive,andPingID)andintegratingthrough
RADIUSwithallotherMFAplatforms.

TACACS+UserAccount TouseaTerminalAccessControllerAccessControlSystemPlus(TACACS+)serverfor
Management centrallymanagingalladministrativeaccounts,youcannowuseVendorSpecific
Attributes(VSAs)tomanagetheaccountsoffirewallandPanoramaadministrators.
TACACS+VSAsenableyoutoquicklyreassignadministratorrolesandaccessdomains
withoutreconfiguringsettingsonthefirewallandPanorama.

AuthenticationUsing Youcannowdeploycustomcertificatestoreplacethepredefinedcertificatesshippedon
CustomCertificates PaloAltoNetworksdevicesformanagementconnectionsbetweenPanorama,firewalls,
andLogCollectors.Bygeneratinganddeployinguniquecertificatesforeachdevice,you
canestablishauniquechainoftrustbetweenPanoramaandthemanageddevices.You
cangeneratethesecustomcertificateslocallyorimportthemfromanexistingenterprise
publickeyinfrastructure(PKI).Panoramacanmanagedevicesinenvironmentswithamix
ofpredefinedandcustomcertificates.
Youcanalsodeploycustomcertificatesformutualauthenticationbetweenthefirewall
andWindowsUserIDAgent.ThisallowsthefirewalltoconfirmtheWindowsUserID
Agent'sidentitybeforeacceptingUserIDinformationfromtheagent.Deployacustom
certificateontheWindowsUserIDAgentandacertificateprofileonthefirewall,
containingtheCAofthecertificate,toestablishauniquetrustchainbetweenthetwo
devices.

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 11
FeaturesIntroducedinPANOS8.0 PANOS8.0ReleaseInformation

NewAuthentication Description
Features(Continued)

Authenticationfor ThefirewallnowvalidatesthedigitalcertificatesofSSL/TLSserversthathostexternal
ExternalDynamicLists dynamiclists,and,iftheserversenforcebasicHTTPusername/passwordauthentication
(clientauthentication),thefirewallcanforwardlogincredentialstogainaccesstothelists.
Ifanexternaldynamiclistsourcefailsserverorclientauthentication,thefirewalldoesnot
retrievethelistandceasestoenforcepolicybasedonitscontents.Thesesecurity
enhancementshelpensurethatthefirewallretrievesIPaddresses,domains,orURLsfrom
avalidsourceoverasecure,privatechannel.

UserIDFeatures

NewUserIDFeatures Description

PanoramaandLog YoucannowleverageyourPanoramaanddistributedlogcollectioninfrastructureto
CollectorsasUserID redistributeUserIDmappingsinlargescaledeployments.Byusingtheexisting
RedistributionPoints connectionsfromfirewallstoLogCollectorstoPanorama,youcanaggregatethe
mappingswithoutsettingupandmanagingextraconnectionsbetweenfirewalls.

CentralizedDeployment YoucannowuseendpointmanagementsoftwaresuchasMicrosoftSCCMtoremotely
andManagementof install,configure,andupgrademultipleWindowsbasedUserIDagentsandTerminal
UserIDandTSAgents Services(TS)agentsinasingleoperation.Usingendpointmanagementsoftware
streamlinesyourworkflowbyenablingyoutodeployandconfigurenumerousUserID
andTSagentsthroughanautomatedprocessinsteadofusingamanualloginsessionfor
eachagent.

UserGroupsCapacity Toaccommodateenvironmentswhereaccesscontrolforeachresourceisbasedon
Increase membershipinausergroup,andwherethenumberofresourcesandgroupsisincreasing,
youcannowreferencemoregroupsinpolicy(thelimitvariesbyplatform).

UserIDSyslogMonitoring ThefollowingenhancementsimprovetheaccuracyofUserIDmappingsandsimplify
Enhancements monitoringsyslogserversformappinginformation:
AutomaticdeletionofusermappingsToimprovetheaccuracyofyouruserbased
policiesandreports,thefirewallcannowusesyslogmonitoringtodetectwhenusers
haveloggedoutandthendeletetheassociatedUserIDmappings.
MultiplesyslogformatsInenvironmentswithmultiplepointsofauthentication
sendingsyslogmessagesindifferentformats,itisnoweasiertomonitorloginand
logouteventsbecausethefirewallcaningestmultipleformatsfromasyslogserver
aggregatingfromvarioussources.

GroupBasedReportingin Panoramanowprovidesvisibilityintotheactivitiesofusergroupsinyournetwork
Panorama throughtheUserActivityreport,SaaSApplicationUsagereport(seeSaaSApplication
VisibilityforUserGroups),customreports,andtheACC.Panoramaaggregatesgroup
activityinformationfrommanagedfirewallssothatyoucanfilterlogsandgenerate
reportsforallgroups.

12 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS8.0ReleaseInformation FeaturesIntroducedinPANOS8.0

AppIDFeatures

NewAppIDFeatures Description

SaaSApplicationVisibility TohelpyoumonitortheassortmentofSaaSapplicationsthatservetheproductivityneeds
forUserGroups oftheusergroupsonyournetworkandensurethesecurityanddataintegritydemands
fortheorganization,theSaaSApplicationUsagePDFreportnowincludesdataonuser
groups.Thereporthighlightsthemostusedapplicationsbyusergroupsandpresentsthe
volumeofdataeachusergrouptransfersusingsanctionedandunsanctionedapplications.
Foramoregranularview,youcancustomizethereporttoshowapplicationusagefora
specificusergroup,applicationusageonaspecificsecurityzone,andreportonapplication
usagebymultipleusergroupswithinasecurityzone.
InadditiontotheenhancementsinthePDFreport,youcannowusetheACCtovisualize
SaaSactivitytrendsonyournetwork.TheACCincludesglobalfiltersforviewingSaaS
applicationusagebasedonriskratingorbythenumberofsanctionedandunsanctioned
applicationsinuseonyournetwork.

ALGSupportforIPv6 ThefirewallcannowsafelyenableSessionInitiationProtocol(SIP)andSkinnyClient
ControlProtocol(SCCP)forIPv6anddualstacknetworks.Youcansafelyallowthese
protocolswithoutopeningawiderangeofportstoallowthetraffic.

DecryptionFeatures

NewDecryptionFeatures Description

DecryptionforElliptical FirewallsenabledtodecryptSSLtrafficnowdecryptSSLtrafficfromwebsitesand
CurveCryptography(ECC) applicationsusingECCcertificates,includingEllipticalCurveDigitalSignatureAlgorithm
Certificates (ECDSA)certificates.AssomeorganizationstransitiontousingECCcertificatestotake
advantageofbenefitssuchasstrongkeysandsmallcertificatesize,thisfeatureensures
thatyoumaintainvisibilityintoandcansafelyenableECCsecuredapplicationand
websitetraffic.
DecryptionforwebsitesandapplicationsusingECCcertificatesisnotsupported
fortrafficthatismirroredtothefirewall;encryptedtrafficusingECCcertificates
mustpassthroughthefirewalldirectlyforthefirewalltodecryptit.

Managementfor Younowhaveincreasedflexibilitytomanagetrafficexcludedfromdecryption.New,
DecryptionExclusions centralizedSSLdecryptionexclusionmanagementenablesyoutobothcreateyourown
customdecryptionexclusions,andtoreviewPaloAltoNetworkspredefineddecryption
exclusionsinasingleplace:
Asimplifiedworkflowallowsyoutoeasilyexcludetrafficfromdecryptionbasedon
hostname.
Thefirewalldoesnotdecryptapplicationsthatareknowntobreakduringdecryption.
Now,youcanviewthesedecryptionexceptionsdirectlyonthefirewall.Updatesand
additionstothePaloAltoNetworkspredefineddecryptionexclusionsaredeliveredto
thefirewallincontentupdatesandareenabledbydefault.

PerfectForwardSecrecy PANOS7.1introducedPFSforSSLForwardProxydecryption;now,inPANOS8.0,PFS
(PFS)SupportwithSSL supportisextendedtoSSLInboundInspection.PFSensuresthatdatafromsessions
InboundInspection undergoingdecryptioncannotlaterberetrievedifserverprivatekeysarecompromised.
YoucanenforceDiffieHellmankeyexchangebasedPFS(DHE)andellipticcurve
DiffieHellman(ECDHE)basedPFSfordecryptedSSLtraffic.

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 13
FeaturesIntroducedinPANOS8.0 PANOS8.0ReleaseInformation

VirtualizationFeatures

NewVirtualization Description
Features

VMSeriesFirewall Thisfeatureintroducesimprovedperformance,capacity,andefficiencyforallVMSeries
Performance firewalls,includingthreenewVMSeriesmodels:VM50,VM500,andVM700.The
Enhancementsand VMSeriesmodellineupnowcoversawidevarietyoffirewallsfromsmalloptimized
ExpandedModelLine firewallsinresourceconstrainedenvironmentstolarge,highperformancefirewallsfor
deploymentinadiverserangeofNetworkFunctionVirtualization(NFV)usecases.You
canalsoleveragetheexpandedrangeofVMSeriesmodelscoupledwithflexibilityand
pertenantisolationofVMSeriesmodelstodeploymultitenantsolutions.
VM50FirewallAvirtualfirewallwithanoptimizedcomputeresourcefootprint.This
firewallisidealforuseinvirtualcustomerpremisesequipment(vCPE)andhighdensity
multitenancysolutionsformanagedsecurityserviceproviders(MSSP).
VM500andVM700FirewallsWhenutilizingalargercomputeresourcefootprint,
thesevirtualfirewallsprovidehighperformanceandcapacity.TheVM500and
VM700firewallsareidealinNFVusecasesforserviceproviderinfrastructureanddata
centerroles.
VM100,VM200,VM300,VM1000HVFirewallsExistingVMSeriesmodelsnow
featureincreasedperformance,capacity,andefficiencywhencomparedtothesame
computeresourcesinearlierreleaseversions.Thisreleasealsoconsolidatesthe
VM200withtheVM100andtheVM1000HVwiththeVM300,whichmeansthat
theVM100andVM200arenowfunctionallyidentical,asaretheVM300and
VM1000HV.
Inaddition,VMSeriesfirewallmodelsarenowdistinguishedbysessioncapacityandthe
numberofmaximumeffectivevCPUcores(insteadofonlysessioncapacity).

CloudWatchIntegration VMSeriesfirewallsonAWScannownativelysendPANOSmetricstoAWSCloudWatch
fortheVMSeriesFirewall foradvancedmonitoringandautoscalingpolicydecisions.TheCloudWatchintegration
onAWS enablesyoutomonitorthecapacity,healthstatus,andavailabilityofthefirewallswith
metricssuchastotalnumberofactivesessions,GlobalProtectgatewaytunnelutilization,
orSSLproxyutilization,sothatthesecuritytiercomprisingtheVMSeriesfirewallscan
scaledynamicallywhenyourEC2workloadsscaleinresponsetodemand.

SeamlessVMSeries ThisreleaseintroducesseamlesslicensecapacityupgradesoftheVMSeriesfirewall.Ifa
ModelUpgrade tenantsrequirementsincrease,youcanupgradethecapacitytoaccommodatethe
changeswithminimaltrafficandoperationdisruption.Additionally,VMSeriesfirewalls
nowsupportHAsynchronizationbetweenVMSeriesfirewallsofdifferentcapacities
duringtheupgradeprocess.

VMSeriesNSX ThenewPanoramaVMwareNSXpluginstreamlinestheprocessofdeployingVMSeries
IntegrationConfiguration firewallforNSXandeliminatestheduplicateeffortindefiningthesecurityrelated
throughPanorama configurationonbothPanoramaandtheNSXManagerorvCenterserver.Panoramanow
servesasthesinglepointofconfigurationthatprovidestheNSXManagerwiththe
contextualinformationrequiredtoredirecttrafficfromtheguestvirtualmachinestothe
VMSeriesfirewall.WhenyoucommittheNSXconfiguration,Panoramageneratesa
securitygroupintheNSXenvironmentforeachqualifieddynamicaddressgroupand
PanoramapusheseachsteeringrulegeneratesNSXManager.TheNSXManagerusesthe
steeringrulestoredirecttrafficfromthevirtualmachinesbelongingtothecorresponding
NSXsecuritygroup.

14 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS8.0ReleaseInformation FeaturesIntroducedinPANOS8.0

NewVirtualization Description
Features(Continued)

SupportforNSXSecurity TheVMSeriesfirewallcannowdynamicallytagaguestVMwithNSXsecuritytagsto
TagsontheVMSeries enableimmediateisolationofcompromisedorinfectedguests.Theuniversallyunique
NSXEditionFirewall identifierofaguestVMisnowpartoftheTrafficandThreatlogsonthefirewall.By
leveragingthreat,antivirus,andmalwaredetectionlogsontheVMSeriesfirewall,NSX
Managercanplaceguestsinaquarantinedsecuritygrouptopreventlateralmovementof
thethreatinthevirtualizeddatacenterenvironment.

NewSerialNumber TheserialnumberformatfortheVMSeriesfirewallnowdisplaysthenameofthe
FormatfortheVMSeries hypervisoronwhichthefirewallisdeployedsothatyoucanconsistentlyidentifythe
Firewall firewallsforlicensemanagement,andcontentandsoftwareupdates.Thenewformatis
15charactersinlength,numericforthebringyourownlicense(BYOL)model,and
alphanumericfortheMarketplacemodels(Bundle1orBundle2)availableinpubliccloud
environments.Aspartofthischange,VMSeriesfirewallsinAWSnowsupportlonger
instanceIDformats.

VMSeriesBootstrapping YoucannowbootstraptheVMSeriesfirewallinESXi,KVM,andHyperVusingblock
withBlockStorage storage.Thisoptionprovidesabootstrappingsolutionforenvironmentswheremounting
aCDROMisnotsupported.

VMSeriesLicense TodeactivateaVMSerieslicense,youmustfirstinstallalicensedeactivationAPIkeyon
DeactivationAPIKey yourfirewallorPanorama.ThedeactivationAPIkeyprovidesanadditionallayerof
securityforcommunicationsbetweenthePaloAltoNetworksUpdateServerand
VMSeriesfirewallsandPanorama.ThePANOSsoftwareusesthisAPIkeyto
authenticatewiththeupdateandlicensingservers.
TheAPIkeyisavailablethroughtheCustomerSupportPortaltoadministratorswith
superuserprivileges.

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 15
FeaturesIntroducedinPANOS8.0 PANOS8.0ReleaseInformation

NetworkingFeatures

NewNetworking Description
Features

TunnelContentInspection Thefirewallcannowinspectthetrafficcontentofcleartexttunnelprotocols:
GenericRoutingEncapsulation(GRE)
NonencryptedIPSectraffic(NULLEncryptionAlgorithmforIPSecandtransportmode
AHIPSec)
GeneralPacketRadioService(GPRS)TunnelingProtocolforUserData(GTPU)
ThisenablesyoutoenforceSecurity,DoSProtection,andQoSpoliciesontrafficinthese
typesoftunnelsandtrafficnestedwithinanothercleartexttunnel(forexample,Null
EncryptedIPSecinsideaGREtunnel).Youcanalsoviewtunnelinspectionlogsandtunnel
activityintheACCtoverifythattunneledtrafficcomplieswithcorporatesecurityand
usagepolicies.
ThefirewallsupportstunnelcontentinspectionofGREandnonencryptedIPSeconall
firewallmodels.ItsupportstunnelcontentinspectionofGTPUonPA5200Series
firewallsandVMSeriesfirewalls.ThefirewallisnotterminatingtheGRE,nonencrypted
IPSec,orGTPUtunnel.

MultiprotocolBGP ThefirewallnowsupportsMultiprotocolBGP(MPBGP)sothatafirewallenabledwith
BGPcanadvertiseIPv4multicastroutesandIPv6unicastroutes(inadditiontotheIPv4
unicastroutesitalreadysupports)inBGPUpdatemessages.Inthisway,MPBGPprovides
IPv6connectivityforyourBGPnetworksthatuseeithernativeIPv6ordualstackIPv4and
IPv6.Forexample,inaserviceproviderenvironment,youcanofferIPv6serviceto
customers.Inanenterpriseenvironment,youcanuseIPv6servicefromserviceproviders.
Youcanalsoseparateyourunicastandmulticasttrafficsotheytakedifferentpaths,in
caseyouneedmulticasttraffictoundergolesslatencyortakefewerhops.

StaticRouteRemoval Youcannowusepathmonitoringtodetermineifastaticordefaultrouteisdown.Ifpath
BasedonPathMonitoring monitoringtooneormoremonitoreddestinationsfails,thefirewallconsidersthestaticor
defaultroutedownandusesanalternativeroutesothatthetrafficisnotblackholed
(silentlydiscarded).Likewise,thefirewalladvertisesanalternativestaticroute(ratherthan
afailedroute)forrouteredistributionintoadynamicroutingprotocol.
Youcanenablepathmonitoringonstaticroutesbetweenrouters,onstaticrouteswhere
apeerdoesnotsupportBidirectionalForwardingDetection(BFD),andonstaticroutes
wherepolicybasedforwarding(PBF)pathmonitoringisinsufficientbecauseitdoesnot
replacefailedrouteswithalternativeroutes.

IPv6Router TomakeDNSresolutioneasierforyourIPv6hosts,thefirewallnowhasenhanced
AdvertisementforDNS NeighborDiscovery(ND)sothatyoucanprovisionIPv6hostsjoiningthenetworkwith
Configuration RecursiveDNSServer(RDNSS)andDNSSearchList(DNSSL)options,eliminatingthe
needforaseparateDHCPv6server.ThefirewallsendsIPv6RouterAdvertisementswith
theseoptions;thus,yourIPv6hostsareconfiguredwith:
TheaddressesofRDNSserversthatcanresolveDNSqueries.
Alistofthedomainnames(suffixes)thattheDNSclientappends(oneatatime)toan
unqualifieddomainnamebeforeenteringthedomainnameintoaDNSquery.

NDPMonitoringforFast YoucannowenableNeighborDiscoveryProtocol(NDP)monitoringforadataplane
DeviceLocation interfaceonthefirewallsothatyoucanviewtheIPv6addressesofdevicesonthelink
localnetwork,theircorrespondingMACaddress,andusernamefromUserID(iftheuser
ofthatdeviceusesthedirectoryservicetologin).Havingthesethreepiecesof
informationinoneplaceaboutadevicethatviolatesasecurityruleallowsyoutoquickly
trackthedevice.YoucanalsomonitorIPv6NDlogstomaketroubleshootingeasier.

16 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS8.0ReleaseInformation FeaturesIntroducedinPANOS8.0

NewNetworkingFeatures Description
(Continued)

ZoneProtectionfor YoucannowwhitelistorblacklistnonIPprotocolsbetweensecurityzonesorbetween
NonIPProtocolsona interfaceswithinasecurityzoneinaLayer2VLANoronavirtualwire.Thefirewall
Layer2VLANorVirtual normallypassesnonIPprotocolsbetweenLayer2zonesandbetweenvirtualwirezones;
Wire withthisfeature,youcannowcontrolnonIPprotocolsbetweenthesezones.For
example,ifyoudontwantlegacyWindowsXPhoststodiscoverotherNetBEUIenabled
hostsonanotherzone,youcanconfigureaZoneProtectionprofiletoblacklistNetBEUI
ontheingresszone.

GlobalandZone YoucannowenableordisableMultipathTCP(MPTCP)globallyorforeachnetworkzone.
ProtectionforMultipath MPTCPisanextensionofTCPthatallowsaclienttosimultaneouslyusemultiplepaths
TCP(MPTCP)Evasions (insteadofasinglepath)toconnectwithadestinationhost.MPTCPespeciallybenefits
mobileusers,enablingthemtomaintaindualconnectionstobothWiFiandcellular
networksastheymovethisimprovesboththeresilienceandqualityofthemobile
connectionandenhancestheuserexperience.However,MPTCPcanalsopotentiallybe
leveragedbyattackersaspartofanevasiontechnique.Thisfeatureprovidestheflexibility
toenableordisableMPTCPforallfirewalltrafficorforindividualnetworkzones,based
onthevisibility,performance,andsecurityrequirementsforeachnetworkzone.

ZoneProtectionforSYN YoucannowdropTCPSYNandSYNACKpacketsthatcontaindatainthepayloadduring
DataPayloads athreewayhandshake.Incasethepayloadismaliciousforexampleifitcontains
commandandcontroltrafficoritisbeingusedtoexfiltratedatadroppingsuchpackets
canpreventsuccessfulattacks.
TheTCPFastOpenoptionpreservesthespeedofaconnectionsetupbyincludingdatain
thepayloadofSYNandSYNACKpackets.TheZoneProtectionprofiletreatsTCP
handshakesthatusetheFastOpenoptionseparatelyfromotherSYNandSYNACK
packets;theprofileissettoallowthehandshakepacketsiftheycontainavalidFastOpen
cookie.

HardwareIPAddress WhenyouconfigurethefirewallwithaDoSProtectionpolicyorVulnerabilityProtection
Blocking profiletoblockpacketsfromspecificIPv4addresses,thefirewallnowautomatically
blocksthattrafficinhardwarebeforethosepacketsuseCPUorpacketbufferresources.
BlockingtrafficbydefaultinhardwareallowsthefirewalltostopDoSattacksevenfaster
thanblockingtrafficinsoftware.Iftheamountofattacktrafficexceedsthehardware
blockcapacity,IPblockingmechanismsinsoftwareblocktheexcesstraffic.Thisfeatureis
supportedonPA3060firewalls,PA3050firewalls,PA5000Series,PA5200Series,and
PA7000Seriesfirewallmodels.

PacketBufferProtection Packetbufferprotectionallowsyoutoprotectthefirewallfrombeingimpactedbysingle
sourcedenialofservice(DoS)attacks.TheseattackscomefromsessionsorIPaddresses
thatarenotblockedbySecuritypolicy.Afterasessionispermittedbythefirewall,itcan
generatesuchahighvolumeoftrafficthatitoverwhelmsthefirewallpacketbufferand
causesthefirewalltoappeartohangasbothattackandlegitimatetrafficaredropped.The
firewalltracksthetoppacketbufferconsumersandgivesyoutheabilitytoconfigure
globalthresholdsthatspecifywhenactionistakenagainstthesesessions.After
identifyingasessionasabusive,thefirewallusesRandomEarlyDrop(RED)asafirstline
ofdefensetothrottletheoffendingsessionandthendiscardsthesessioniftheabuse
continues.IfaparticularIPaddresscreatesmanysessionsthatarediscarded,thefirewall
blocksit.

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 17
FeaturesIntroducedinPANOS8.0 PANOS8.0ReleaseInformation

NewNetworkingFeatures Description
(Continued)

Reconnaissance Zoneprotectionsreconnaissanceprotectiondetectsandtakesactionagainsthostsweep
ProtectionSourceAddress andTCPandUDPportscans.Thisisusefulagainstattackerssearchingforvulnerabilities.
Exclusion However,itcanalsonegativelyimpactscanningactivities,suchasnetworksecurity
testingorfingerprinting.Youcannowwhitelistsourceaddressestoexcludethemfrom
reconnaissanceprotection.Thisallowsyoutoprotectyournetworkfromreconnaissance
attackswhileallowinglegitimatemonitoringtools.

IKEPeerandIPSecTunnel ThePA7000Series,PA5000Series,andPA3000SeriesmodelsnowsupportmoreIKE
CapacityIncreases peersandIPSectunnelsthaninpriorreleases.Thisisabenefitinserviceproviderandlarge
enterpriseenvironmentswhereyouneedtosupportmanysitetositeVPNpeersand
IPSecVPNconnectionsbetweenremotesites.

GlobalProtectFeatures

NewGlobalProtect Description
Features

IPv6forGlobalProtect GlobalProtectclientsandsatellitescannowconnecttoportalsandgatewaysusingIPv6.
ThisfeatureallowsconnectionsfromclientsthatareinIPv6onlyenvironments,IPv4only
environments,ordualstack(IPv4andIPv6)environments.YoucantunnelIPv4traffic
overanIPv6tunnelandtheIPaddresspoolcanassignbothIPv4andIPv6addresses.To
usethisfeature,youmustinstallaGlobalProtectsubscriptiononeachgatewaythat
supportsGlobalProtectclientsthatuseIPv6addresses.

ClientlessSSLVPN ClientlessVPN,whichprovidessecureremoteaccesstocommonenterpriseweb
applications thatuseHTML,HTML5,andJavaScripttechnologies,isnowavailablein
publicbeta.UsershavetheadvantageofsecureaccessfromSSLenabledweb
browsers withoutinstallingGlobalProtectclientsoftware.Thisisusefulwhenyouneedto
enablepartnerorcontractoraccesstoapplications,andtosafelyenableunmanaged
assets,includingpersonaldevices.Youcan configuretheGlobalProtectportallanding
pagetoprovideaccesstowebapplicationsbasedonusersandusergroupsandalso allow
singlesignontoSAMLenabledapplications.SupportedoperatingsystemsareWindows,
Mac,iOS,Android,Chrome,andLinux.SupportedbrowsersareChrome,Internet
Explorer,Safari,andFirefox.ThisfeaturerequiresyoutoinstallaGlobalProtect
subscriptiononthefirewallthathoststheClientlessVPNfromtheGlobalProtectportal.

DefineSplitTunnelsby YoucannowexcludespecificdestinationIPsubnetstrafficfrombeingsentovertheVPN
ExcludingAccessRoutes tunnel.Withthisfeature,youcansendlatencysensitiveorhighbandwidthconsuming
trafficoutsideoftheVPNtunnelwhileallothertrafficisroutedthroughtheVPNfor
inspectionandpolicyenforcementbytheGlobalProtectgateway.

ExternalGatewayPriority GlobalProtectcannowusethegeographicregionoftheGlobalProtectclienttodetermine
bySourceRegion thebestexternalgateway.includingsourceregionaspartofexternalgatewayselection
logic,youcanensurethatusersconnecttogatewaysthatarepreferredfortheircurrent
region.Thiscanhelpavoiddistantconnectionswhentherearemomentaryfluctuationsof
networklatency.Thiscanalsobeusedtoensureallconnectionsstaywithinaregionif
desired.

18 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS8.0ReleaseInformation FeaturesIntroducedinPANOS8.0

NewGlobalProtect Description
Features(Continued)

InternalGateway GlobalProtectcannowrestrictinternalgatewayconnectionchoicesbasedonthesource
SelectionbySourceIP IPaddressoftheclient.Inadistributedenterprise,thisfeaturesallowsyoutohaveusers
Address fromabranchtoauthenticateandsendHIPreportstothefirewallconfiguredasthe
internalgatewayforthatbranchasopposedtoauthenticatingandsendingHIPreportsto
allbranches.

GlobalProtectAgentLogin TosimplifyGlobalProtectagentsandpreventunnecessaryloginpromptswhena
Enhancement usernameandpasswordarenotrequired,thepanelthatshowedportal,username,and
passwordisnowsplitintotwoscreens(onescreenfortheportaladdressandanother
screenforusernameandpassword).TheGlobalProtectagentnowdisplaysloginprompts
forusernameandpasswordonlyifthisinformationisrequired.GlobalProtect
automaticallyhidestheusernameandpasswordscreenforauthenticationtypessuchas
cookieorclientcertificateauthenticationthatdonotrequireausernameandpassword.

AuthenticationPolicyand YoucanleveragethenewAuthenticationPolicyandMultiFactorAuthentication
MultiFactor enhancementswithinGlobalProtecttosupportaccesstononHTTPapplicationsthat
Authenticationfor requiremultifactorauthentication.GlobalProtectcannownotifyandprompttheuserto
GlobalProtect performthetimely,multifactorauthenticationneededtoaccesssensitivenetwork
resources.

SAML2.0Authentication GlobalProtectportals,gateways,andclientsnowsupportSAML2.0Authentication.Ifyou
forGlobalProtect havechosenSAMLasyourauthenticationstandard,GlobalProtectportalsandgateways
canactasSecurityAssertionMarkupLanguage(SAML)2.0serviceprovidersand
GlobalProtectclientscanauthenticateusersdirectlytotheSAMLidentityprovider.

RestrictTransparent YoucannowcontrolwhentransparentupgradesoccurforaGlobalProtectclient.With
AgentUpgradesto thisconfiguration,iftheuserconnectsfromoutsidethecorporatenetwork,theupgrade
InternalNetwork ispostponed.Later,whentheuserconnectsfromwithinthecorporatenetwork,the
Connections upgradeisactivated.Thisfeatureallowsyoutoholdtheupdatesuntiluserscantake
advantageofgoodnetworkavailabilityandhighbandwidthfromwithinthecorporate
network.Theupgradeswillnothinderuserswhentheytraveltoenvironmentswithlow
bandwidth.

AirWatchMDM ThePANOSWindowsUserIDagenthasbeenextendedtosupportanewAirWatch
Integration MDMIntegrationservice.ThisserviceactsareplacementfortheGlobalProtectMobile
SecurityManagerandenablesGlobalProtecttousethehostinformationcollectedbythe
servicetoenforceHIPbasedpoliciesondevicesmanagedbyVMwareAirWatch.Running
aspartofthePANOSWindowsUserIDagent,theAirWatchMDMintegrationservice
usestheAirWatchAPItocollectinformationfrommobiledevices(includingAndroidand
iOS)thataremanagedbyAirWatchandtranslatethisdataintohostinformation.

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 19
ChangestoDefaultBehavior PANOS8.0ReleaseInformation

ChangestoDefaultBehavior

ThefollowingtopicsdescribechangestodefaultbehaviorinPANOSandPanorama8.0:
ManagementChanges
AuthenticationChanges
ContentInspectionChanges
PanoramaChanges
WildFireChanges
VMSeriesFirewallChanges
GlobalProtectChanges

ManagementChanges

Bydefault,thefirewallandPanoramanolongerallowmanagementaccessoverTLSv1.0connections.If
youacceptthisdefault,anyscriptsthatrequiremanagementaccess(suchasAPIscripts)mustsupport
TLSv1.1orlaterTLSversions.Toovercomethedefaultrestriction,youcanconfigureanSSL/TLSservice
profilethatallowsTLSv1.0andassigntheprofiletotheinterfaceusedtoaccessthefirewallorPanorama.
Toconfigurethemanagement(MGT)interfaceonthefirewall,younowselectDevice > Setup > Interfaces
insteadofDevice > Setup > Management.
Tocreateasnapshotfileforthecandidateconfiguration,youmustnowselectConfig > Save Changes
insteadofSaveatthetoprightofthewebinterface.
Externaldynamiclistchanges:
WhenretrievinganexternaldynamiclistfromasourcewithanHTTPSURL,thefirewallnow
authenticatesthedigitalcertificatesofthelistsource.Youmustconfigureacertificateprofileto
authenticatethesource.Ifthesourceauthenticationfails,thefirewallstopsenforcingpolicybased
onthelistcontents.
InPANOS7.1,thefirewallsupportedamaximumof30uniquesourcesforexternaldynamiclists
andenforcedthemaximumnumbereveniftheexternaldynamiclistwasnotusedinpolicy.
BeginninginPANOS8.0,onlythelistsyouusetoenforcepolicywillcounttowardthemaximum
numberallowed.
Entriesinanexternaldynamiclist(IPaddresses,domains,andURLs)nowonlycounttowardthe
maximumnumberthatthefirewallsupportsifasecuritypolicyrulereferencestheexternaldynamic
list.
InPANOS7.1andearlierreleases,passiveDNSmonitoringwasasettingyoucouldenableinan
AntiSpywareProfile.YoucouldattachtheAntiSpywareProfiletoapolicyruleandthensessionsthat
matchthatrulewilltriggerpassiveDNSmonitoring.BeginninginPANOS8.0,passiveDNSmonitoring
isaglobalsettingthatyoucanenablethroughtheTelemetryandThreatIntelligencefeature,andwhen
enabled,thefirewallactsasapassiveDNSsensorforalltrafficthatpassesthroughthefirewall.
ThefirewallnowusesthenewserviceroutePalo Alto Networks Servicestoaccessexternalservicesthat
itaccessedviatheserviceroutesPalo Alto UpdatesandWildFire PublicpriortoPANOS8.0.
BeginningwithPANOS8.0,theVerify Update Server Identityglobalservicessettingforinstallingcontent
andsoftwareupdatesisenabledbydefault(Device > Setup > Services > Global).

20 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS8.0ReleaseInformation ChangestoDefaultBehavior

AuthenticationChanges

AuthenticationpolicyreplacesCaptivePortalpolicy.
Whenanauthenticationeventinvokesapolicyrule,thefirewallnowgeneratesAuthenticationlogs
insteadofSystemlogs.
YounowusethewebinterfaceinsteadofaCLIcommandtosettheauthenticationprotocoltoCHAPor
PAPforTACACS+andRADIUSserverprofiles.

ContentInspectionChanges

ThedefaultsforthefollowingTCPSettings(Device > Setup > Session > TCP Settings)havebeenchangedin

8.0:
Drop segments without flagisnowenabledbydefault.ThecorrespondingCLIcommand,set
deviceconfig setting tcp drop-zero-flagisnowsettoyesbydefault.
Drop segments with null timestamp option isnowenabledbydefault.ThecorrespondingCLIcommand,
set deviceconfig setting tcp check-timestamp-optionisnowsettoyesbydefault.
Forward segments exceeding TCP out-of-order queue isnowdisabledbydefault.ThecorrespondingCLI
command,set deviceconfig setting bypass-exceed-op-queueisnowsettonobydefault.
Forward segments exceeding TCP App-ID inspection queue(Device > Setup > Content-ID > Content-ID Settings)
isnowdisabledbydefault.ThecorrespondingCLIcommand,set deviceconfig setting application
bypass-exceed-queue isnowsettonobydefault.

InaZoneProtectionprofileforPacketBasedAttackProtection,thedefaultsettingisnowtodropTCP
SYNandSYNACKpacketsthatcontaindatainthepayloadduringathreewayhandshake.(Inprior
PANOSreleases,firewallallowedsuchpackets.)Bydefault,aZoneProtectionprofileissettoallowTCP
handshakepacketsthatusetheTCPFastOpenoptioniftheycontainavalidFastOpencookie.Ifyou
haveexistingZoneProtectionprofilesinplacewhenyouupgradetoPANOS8.0,thethreedefault
settingswillapplytoeachprofileandthefirewallwillactaccordingly.
ThefirewalldoesnotsupportSSLdecryptionofRSAkeysthatarelargerthan8Kbinsize.Youcaneither
blockconnectionstoserverswiththeRSAkeysizegreaterthan8kbinthecertificateorskipSSL
decryptionforsuchconnectionsinObjects > Decryption Profile.Toblocksuchconnections,checkSSL
Forward Proxy > Unsupported Mode Checks > Block sessions with unsupported cipher suites.LeaveBlock
sessions with unsupported cipher suitesuncheckedtoskipdecryptingsuchconnections.
WhenafirewallrunningPANOS8.0connectswithPANDB(publicorprivatecloud),itvalidatesthe
CommonNameontheservercertificatebeforeestablishinganSSLconnection.Ifthevalidationfails,the
connectionisrefusedandthefirewallgeneratesasystemlog.
Objects > Custom Objects > Data Patternsprovidespredefinedpatterns(Pattern Type > Predefined Pattern),such
associalsecuritynumbersandcreditcardnumbers,tocheckforintheincomingfiletypesthatyouspecify.The
firewallnolongersupportscheckingforthesepredefinedpatternsinGZIPandZIPfiles.

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 21
ChangestoDefaultBehavior PANOS8.0ReleaseInformation

PanoramaChanges

ToconfigureinterfacesonPanorama,younowlocatedunderPanorama > Setup > Interfaces(insteadof

Panorama > Setup > Management).
WhenaddingoreditingaLogCollector(Panorama > Managed Collectors),younowconfigureinterfacesin
theInterfacestab,whichreplacestheManagement,Eth1,andEth2tabsintheCollectordialog.
WhenthePanoramavirtualapplianceisinPanoramamodeandisdeployedinahighavailability(HA)
configuration,youcanconfigurebothHApeerstocollectlogs,notjusttheactivepeer.
WhenpushingconfigurationstomanagedfirewallsorLogCollectors,Panoramanowpushestherunning
configurationinsteadofthecandidateconfiguration.Therefore,youmustcommitchangestoPanorama
beforepushingthechangestofirewallsorLogCollectors.
FirewallsandLogCollectorsnowretrievesoftwareandcontentupdatesfromPanoramaoverport28443
insteadofPanoramapushingtheupdatesoverport3978.

WildFireChanges

IfyoupreviouslyenabledWildFireforwardingonyourfirewall,thefirewallnowforwardsblockedfiles
thatmatchexistingsignatures,inadditiontounknownfiles,forWildFireanalysis.TheWildFire
Submissionslognowincludeslogentriesforblockedfiles.
TheActioncolumnintheWildFireSubmissionslognowindicatesifthefirewallactionforasamplewas
alloworblock.InPANOS7.1andearlierversions,theactiondisplayedforallsamplesintheWildFire
Submissionslogwasalert.
WhenyouuseaClassifiedDoSProtectionprofileforfloodprotectionoraVulnerabilityProtectionprofile
thatisconfiguredtoBlockIPaddresses,thefirewallwillnowblockIPaddressesinhardwarefirst,and
theninsoftwareifthehardwareblocklisthasreacheditscapacity.

VMSeriesFirewallChanges

InPANOS8.0,theuseofhypervisorassignedMACaddressesandDHCPonmanagementinterfacesare
enabledonnewVMSeriesfirewallinstallations.Theseoptionsarenotenabledautomaticallywhen
upgradingaVMSeriesfirewalltoPANOS8.0fromPANOS7.1orearlierreleases.
BeginningwithPANOS7.1.7,todeactivateaVMSerieslicenseyoumustfirstinstallalicenseAPIkey
onyourfirewallorPanorama.Formoreinformation,seeVirtualizationFeatures.
LargeReceiveOffload(LRO)isenablebedefaultonthenewdeploymentsoftheVMSeriesfirewallfor
NSXordeploymentsupgradedto8.0.
SupportforDataPlaneDevelopmentKit(DPDK)isenabledbydefaultontheVMSeriesforKVMand
ESXi.However,totakeadvantageofDPDK,youmustinstalltherequiredNICdriveronyourhypervisor.
DPDKsupportisdisabledbydefaultontheVMSeriesforAWS.

22 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS8.0ReleaseInformation ChangestoDefaultBehavior

GlobalProtectChanges

TheAgent > GatewaystabforGlobalProtectportalconfigurationsissplitintotwoseparatetabs:Internal

andExternal.UsetheInternaltabtospecifyinternalgatewaysettingsforGlobalProtectagentsandapps.
UsetheExternaltabtospecifyexternalgatewaysettingsforGlobalProtectagentsandapps.Theseare
layoutchangesonlyyourexistingPANOS7.1configurationispreserved.
TheAgent > Client Settings> Network SettingstabforGlobalProtectgatewayconfigurationsisreplaced
withtwoseparatetabs:IP PoolsandSplit Tunnel.ThesearelayoutchangesonlyyourexistingPANOS
7.1configurationispreserved.
TheDisable login pagecheckboxontheGeneraltabforGlobalProtectportalconfigurationsisnowa
DisablecommandinthePortal Login Page.ThisisalayoutchangeonlyyourexistingPANOS7.1
configurationispreserved.
InPANOS7.1andearlierreleases,topreventpotentialIPaddressconflicts,theGlobalProtectgateway
didnotassignanIPaddressifthelocalnetworkIPaddresssentfromtheendpointwasinthesamesubnet
astheIPaddresspool.UsershadtoconfigureasecondIPaddresspoolthatcontainedaddressesfroma
separatesubnet.BeginninginPANOS8.0,whenyouconfigureonlyoneIPaddresspool,GlobalProtect
assignsanIPaddressregardlessofsubnetoverlap.Thischangemaycausewarningmessageson
Windowsendpoints.Ifyouareconcernedaboutthewarningmessage,configureasecondIPaddress
pool.
GlobalProtecthasafewminorchangestomenuandcheckboxlabels(refertothetablebelow).These
arechangestowordingonlyyourexistingPANOS7.1configurationispreserved.

Location PANOS7.1Label PANOS8.0Label

TheGeneraltabforGlobalProtect CustomLoginPage PortalLoginPage

portalconfigurations

TheGeneraltabforGlobalProtect CustomHelpPage AppHelpPage

portalconfigurations

TheAgent > External> Add > IfthisGlobalProtectgatewaycanbe Manual(theusercanmanuallyselect

External GatewayforGlobalProtect manuallyselected thisgateway)
portalconfigurations

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 23
CLIandAPIChangesinPANOS8.0 PANOS8.0ReleaseInformation

CLIandAPIChangesinPANOS8.0

PANOS8.0haschangestoexistingCLIcommands,whichalsoaffectcorrespondingPANOSXMLAPI
requests.Ifyouhaveascriptorapplicationthatusestheserequests,runcorrespondingCLIcommandsin
debugmodetoviewthecorrespondingXMLAPIsyntax.
Operationalcommandsareprecededbyagreaterthansign(>),whileconfigurationcommandsarepreceded
byahash(#).Anasterisk(*)indicatesthatrelatedcommandsinthesamehierarchyhavealsochanged.

TheoperationalcommandtoclearUserIDmappingsforallIPaddressesoraspecificIPaddresshas
changed:

PANOS7.1andearlierreleases:
> clear user-cache [all | ip]

PANOS8.0release:
> clear ipuser-cache [all | ip]

WithAuthenticationpolicyreplacingCaptivePortalpolicy,relatedCLIcommandshavechanged:

PANOS7.1andearlierreleases:
> show running captive-portal-policy
> test cp-policy-match *
# show rulebase captive-portal *
# set import resource max-cp-rules <0-4000>
# set rulebase captive-portal *
# set shared admin-role <name> role device webui policies captive-portal-rulebase
<enable|read-only|disable>
# set import resource max-cp-rules <0-4000>

PANOS8.0release:
> show running authentication-policy
> test authentication-policy-match *
# show rulebase authentication *
# set import resource max-auth-rules <0-4000>
# set rulebase authentication rules *
# set shared admin-role <name> role device webui policies authentication-rulebase
<enable|read-only|disable>
# set import resource max-auth-rules <0-4000>

TheUserIDcommandstoclearusermappingsfromthedataplanehavechanged:

PANOS7.1andearlierreleases:
> clear uid-gids-cache uid <1-2147483647>
> clear uid-gids-cache all

PANOS8.0release:
> clear uid-cache uid <1-2147483647>
> clear uid-cache all

24 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS8.0ReleaseInformation CLIandAPIChangesinPANOS8.0

WiththeintroductionofdecryptionforEllipticalCurveCryptography(ECC)Certificates,thefollowing
CLIcommandhasbeenreplacedwithtwoalgorithmspecificcommands:

PANOS7.1andearlierreleases:
# set deviceconfig setting ssl-decrypt fwd-proxy-server-cert-key-size <0|1024|2048>

PANOS8.0release:
# set deviceconfig setting ssl-decrypt fwd-proxy-server-cert-key-size-rsa <0|1024|2048>
# set deviceconfig setting ssl-decrypt fwd-proxy-server-cert-key-size-ecdsa <0|256|384>

WiththeintroductionofIPv6supportinGlobalProtect,thefollowingCLIcommandshavebeenreplaced
withtwoprotocolspecificcommands:

PANOS7.1andearlierreleases:
# set global-protect global-protect-portal <name> portal-config local-address ip <value>

PANOS8.0release:
# set global-protect global-protect-portal <name> portal-config local-address ip ipv4
<value>
# set global-protect global-protect-portal <name> portal-config local-address ip ipv6
<value>

PANOS7.1andearlierreleases:
# set global-protect global-protect-portal <name> portal-config local-address floating-ip
<value>

PANOS8.0release:
# set global-protect global-protect-portal <name> portal-config local-address floating-ip
ipv4 <value>
# set global-protect global-protect-portal <name> portal-config local-address floating-ip
ipv6 <value>

WithnewsupportformaliciousIPaddressfeeds,relatedCLIcommandshavechangedtosupportIP
addresses,URLs,anddomains:

PANOS7.1andearlierreleases:
# set external-list <name> *

PANOS8.0release:
# set external-list <name> type ip *
# set external-list <name> type predefined-ip *
# set external-list <name> type domain *
# set external-list <name> type url *

CLIcommandsrelatedtoSafeNetNetworkHSM(formerlyLunaSA)nowreflectthenewname:

PANOS7.1andearlierreleases:
# show deviceconfig system hsm-settings provider safenet-luna-sa *
# set deviceconfig system hsm-settings provider safenet-luna-sa *

PANOS8.0release:
# show deviceconfig system hsm-settings provider safenet-network *
# set deviceconfig system hsm-settings provider safenet-network *

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 25
CLIandAPIChangesinPANOS8.0 PANOS8.0ReleaseInformation

Withtheintroductionofselectivelogforwardingbasedonlogattributes,youmustnowspecifythename
ofacustomfiltermatchlistinrelatedCLIcommands:

PANOS7.1andearlierreleases:
# show shared log-settings system *
# set shared log-settings system *
# show shared log-settings config *
# set shared log-settings config *
# show shared log-settings hipmatch *
# set shared log-settings hipmatch *
# show shared log-settings profiles <name> *
# set shared log-settings profiles <name> *

PANOS8.0release:
# show shared log-settings system match-list *
# set shared log-settings system match-list *
# show shared log-settings config match-list *
# set shared log-settings config match-list *
# show shared log-settings hipmatch match-list *
# set shared log-settings hipmatch match-list *
# show shared log-settings profiles <name> match-list *
# set shared log-settings profiles <name> match-list *

CLIcommandsrelatedtoconfiguringtheUserIDagentmustnowincludehostport:

PANOS7.1andearlierreleases:
# set user-id-agent <name> host <ip/netmask>|<value>
# set user-id-agent <name> port <1-65535>
# set user-id-agent <name> ntlm-auth <yes|no>
# set user-id-agent <name> ldap-proxy <yes|no>
# set user-id-agent <name> collectorname <value>
# set user-id-agent <name> secret <value>

PANOS8.0release:
# set user-id-agent <name> host-port host <ip/netmask>|<value>
# set user-id-agent <name> host-port port <1-65535>
# set user-id-agent <name> host-port ntlm-auth <yes|no>
# set user-id-agent <name> host-port ldap-proxy <yes|no>
# set user-id-agent <name> host-port collectorname <value>
# set user-id-agent <name> host-port secret <value>

26 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS8.0ReleaseInformation AssociatedSoftwareandContentVersions

AssociatedSoftwareandContentVersions

ThefollowingminimumsoftwareversionsaresupportedwithPANOS8.0.Toseealistofthenextgen
firewallmodelsthatsupportPANOS8.0,seethePaloAltoNetworksCompatibilityMatrix.

PaloAltoNetworksSoftwareor MinimumSupportedVersionwithPANOS8.0
ContentReleaseVersion

Panorama 8.0

UserIDAgent 8.0

TerminalServices(TS)Agent 8.0

GlobalProtectAgent 4.0

ApplicationsandThreatContent 655
ReleaseVersion

AntivirusContentReleaseVersion 2137

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 27
Limitations PANOS8.0ReleaseInformation

Limitations

ThefollowingtableincludeslimitationsassociatedwiththePANOS8.0release.

IssueID Description

PAN68997 TheWildFireapplianceclustermembershiplistmaynotbeaccurateifclustermembersare
offlineorthemembershiplistisstale.YoucanimportaconfigurationfromanyWildFire
applianceorapplianceclusterintoPanorama,addanyconnectedWildFireappliancetoa
cluster,andassignitaroleintheclustersothatyouhavemoreflexibilitywhenconfiguring
andreconfiguringclusters.
Afteryouimportaclusterconfiguration,youcanviewtheclustermembersfromthe
Panoramawebinterface(Panorama > Managed Wildfire Clusters).Checkthecluster
membershiplisttoensurethatalllistedmembersarenodesinthecluster.Addmissing
nodestotheclusterasneeded.
IfyouimportaWildFireappliancethatisalreadypartofaclusteroryouimportaWildFire
applianceandlateraddittoaclusterusinglocalconfiguration,thePanoramaweb
interfacedisplaysitasastandaloneapplianceandshowsittobeoutofsync.Toresolve
thisissue,addthenodetothecluster,whichsyncstheconfigurationsinPanorama.
Toavoidaninaccuratemembershiplist,beforeyouaddanodetoacluster,makesurethat
anyWildFireapplianceyouaddtotheclusterisnotamemberofanothercluster.
Controllerandcontrollerbackupnodesperformcriticalclustermanagementtasks.
Ifyouchangethecontrollerorcontrollerbackupnode,ensurethatthe
replacementnodeisaclustermember.Ifyouinadvertentlyaddanodetomore
thanonecluster,orifyouspecifyacontrollerorcontrollerbackupnodethatdoes
notbelongtothecluster,theconsequencesvarydependingonwhetheryoupush
thechangestotheclusters.
IfyoudidnotyetcommitthechangesonthePanoramaappliance,orifyouonly
committedthechangesbutdidnotpushthemyet,thenfirstreconfigurethe
clusterandCommittoPanoramatoavoidunintendedconsequences.
Ifyoupushamisconfigurationtoclusters,clusterbehaviorisunpredictableandcanaffect
morethanoneclusterifthepushedPanoramaconfigurationincludesnodesthatare
assignedtomorethanonecluster.Ifyouinadvertentlyaddanodetomorethanone
cluster,maketheappropriatechangetocorrectthemisconfiguration:
IfyouhavenotcommittedtheconfigurationonPanorama,removethenodefromthe
cluster.
IfyouhavealreadycommittedthechangesonPanorama,removethenodefromthe
clusterandrecommitthechangestoPanorama.
IfyouhavealreadycommittedthechangesonPanoramaandpushedthechangesto
managedWildFireapplianceclusters,removethenodefromthecluster,andthen
recommittoPanoramaandrepushtotheWildFireapplianceclusters.
Ifyouinadvertentlyspecifyacontrollerorcontrollerbackupnodethatisnotacluster
member,maketheappropriatechangetocorrectthemisconfiguration:
IfyouhavenotcommittedtheconfigurationonPanorama,specifyavalidclusternode
asthecontrollerorcontrollerbackupnode.
IfyouhavealreadycommittedthechangesonPanorama,specifyavalidclusternode
asthecontrollerorcontrollerbackupnodeandCommit to Panorama.
IfyouhavealreadycommittedthechangesonPanoramaandpushedthechangesto
managedWildFireapplianceclusters,specifyavalidclusternodeasthecontrolleror
controllerbackupnode,andthenrecommittoPanoramaandrepushtotheWildFire
applianceclusters.

28 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS8.0ReleaseInformation KnownIssues

KnownIssues

ThefollowingtopicsdescribeknownissuesinPANOS8.0releases.

ForrecentupdatestoknownissuesforagivenPANOSrelease,referto
https://live.paloaltonetworks.com/t5/Articles/CriticalIssuesAddressedinPANOSReleases/tap/52882.

KnownIssuesRelatedtoPANOS8.0Releases
KnownIssuesSpecifictotheWF500Appliance

KnownIssuesRelatedtoPANOS8.0Releases

ThefollowinglistincludesknownissuesspecifictoPANOS8.0releases,whichincludesknownissues
specifictoPanoramaandGlobalProtect,aswellasknownissuesthatapplymoregenerallyorthatarenot
identifiedbyanissueID.SeealsotheKnownIssuesSpecifictotheWF500Appliance.

IssueID Description

UpgradingaPA200orPA500firewalltoPANOS8.0cantake3060minutesto
complete.Ensureuninterruptedpowertoyourfirewallthroughouttheupgradeprocess.

GPC2742 IfyouconfigureGlobalProtectportalsandgatewaystouseclientcertificatesandLDAPas
twofactorsofauthentication,ChromebookusersthatarerunningChromeOS47orlater
versionscanencounterexcessivepromptstoselectaclientcertificate.
Workaround:Topreventexcessiveprompts,configureapolicytospecifytheclient
certificateintheGoogleAdminconsoleanddeploythatpolicytoyourmanaged
Chromebooks:
1. LogintotheGoogleAdminconsole(https://admin.google.com)andselectDevice
management > Chrome management > User settings.
2. IntheClientCertificatessection,enterthefollowingURLpatterntoAutomatically
Select Client Certificate for These Sites:
{""pattern"":""https://[*.]"",""filter"":{}}
3. ClickSave.TheGoogleAdminconsoledeploysthepolicytoalldeviceswithinafew
minutes.

GPC1737 Bydefault,theGlobalProtectappaddsarouteoniOSmobiledevicesthatcausestraffic
totheGP100GlobalProtectMobileSecurityManagertobypasstheVPNtunnel.
Workaround:ToconfiguretheGlobalProtectapponiOSmobiledevicestorouteall
trafficincludingtraffictotheGP100GlobalProtectMobileSecurityManagertopass
throughtheVPNtunnel,performthefollowingtasksonthefirewallhostingthe
GlobalProtectgateway(Network > GlobalProtect > Gateways > <gateway-config> >
Agent > Client Settings > <client-settings-config> > Network Settings > Access Route):
Add""0.0.0.0/0""asanaccessroute.
EntertheIPaddressfortheGlobalProtectMobileSecurityManagerasanadditional
accessroute.

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 29
KnownIssues PANOS8.0ReleaseInformation

IssueID Description

GPC1517 FortheGlobalProtectapptoaccessanMDMserverthroughaSquidproxy,youmustadd
theMDMserverSSLaccessportstotheproxyserverallowlist.Forexample,iftheSSL
accessportis8443,addacl SSL_ports port 8443totheallowlist.

PAN76162 LogsforPA7000seriesfirewallsrunningPANOS7.0cannotbeseeninPanorama8.0.
Workaround:AccessthePanoramaCLIandchangethePanoramaskipquery/report
requesttono(debug skip-condor-reports no)andthenrestartthereportdprocessin
orderforthecommandtotakeeffect(debug software restart process reportd).
OncethePA7000seriesfirewallhasbeenupgradedtoPANOS8.0,accessthePanorama
CLItochangethePanoramaskipquery/reportrequestbacktoyes(debug
skip-condor-reports yes),andthenrestartthereportdprocessinorderforthe
commandtotakeeffect(debug software restart process reportd).

PAN75457 InWildFireapplianceclustersthathavethreeormorenodes,Panoramadoesnotsupport
changingnoderoles.Forexample,onPanorama,inathreenodecluster,youcannot
configuretheworkernodeasacontrollernodebyaddingthehighavailabilityandcluster
controllerconfigurations,configureanexistingcontrollernodeasaworkernodeby
removingtheHAconfiguration,andthencommitandpushtheconfiguration.Attemptsto
changeclusternoderolesfromPanoramaresultsinavalidationerrorthecommitwillfail
andtheclusterbecomesunresponsive.

PAN74934 DonotupgradeM500privatecloudappliancestoPANOS8.0.1.QueriedURLsdonot
resolvetoacategorywhentheyareabestmatchtoanentryintheurldatabasethathas
manysubdomainsandpathlevels.

PAN73964 DonotupgradeVMSeriesfirewallsonAWStoPANOS8.0.0iftheyaredeployedina
Thisissueisnowresolved. highavailability(HA)configuration.
SeePANOS8.0.1
AddressedIssues.

PAN73879 YoucannotclonethestrictfileblockingprofileinPANOS8.0;however,cloningthebasic
Thisissueisresolvedwith fileblockingprofile(oranyotherSecurityProfiletypes)worksasexpected.
contentreleaseversion
658andlaterreleases.

PAN73877 YoucannotusethefirewallwebinterfacetogenerateaSAMLmetadatafileforCaptive
Thisissueisnowresolved. PortalorGlobalProtectifthefirewallhasmultiplevirtualsystems;afteryouclickthe
SeePANOS8.0.1 Metadatalinkassociatedwithanauthenticationprofile,novirtualsystemsareavailableto
AddressedIssues. select.
Workaround:AccessthefirewallCLI,switchtothevirtualsystemwhereyouassignedthe
authenticationprofile(set system setting target-vsys <vsys-name>),andgenerate
themetadatafile(show sp-metadata [captive-portal | global-protect] vsys
<value> authprofile <value> ip-hostname <value>).

PAN73859 TheVMSeriesfirewallonAzuresupportsamaximumof5interfaces(onemanagement
interfaceandfourdataplaneinterfaces).

30 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS8.0ReleaseInformation KnownIssues

IssueID Description

PAN73849 Afteryouperformafactoryresetorprivatedataresetonafreshinstallationofthe
Panoramavirtualappliance,thePanorama > Pluginspagedoesnotdisplaythepreloaded
VMwareNSXpluginandthereforeyoucannotusethewebinterfacetoinstalltheplugin.
Workarounds:
Usetherequest plugins install vmware_nsx-<version>CLIcommandtoinstall
theplugin.
RebootthePanoramavirtualappliance;afterthereboot,thewebinterfacedisplaysthe
pluginforyoutoinstall.
DownloadthepluginfromthePaloAltoNetworksSupportPortalandthenuploadthe
plugintoPanorama.Thewebinterfacethendisplaysthepluginforyoutoinstall.

PAN73579 AfteryouupgradeafirewalltoPANOS8.0,thefirewalldoesnotapplyupdatestothe
Thisissueisnowresolved. predefinedPaloAltoNetworksmaliciousIPaddressfeeds(deliveredthroughthedaily
SeePANOS8.0.1 antiviruscontentupdates)untilyouperformacommitonthefirewall.
AddressedIssues. Workaround:Commitchangestothefirewalldailytoensureyoualwayshavethelatest
versionofthemaliciousIPaddressfeeds.

PAN73545 WhenaddinginterfacestoaVM300,VM500,orVM700firewall,youmustcommit
Thisissueisnowresolved. twicefortraffictopassnormally.
SeePANOS8.0.1
AddressedIssues.

PAN73401 OnatwonodeWildFireappliancecluster,ifyouimporttheclusterintoPanorama,the
controllernodesreporttheirstateasoutofsyncifeitherofthefollowingtwoconditions
exist:
Youdonotconfigureaworkerlisttoaddatleastoneworkernodetothecluster.(Ina
twonodecluster,bothnodesarecontrollernodesconfiguredasahighavailabilitypair.
Addingaworkernodewouldmaketheclusterathreenodecluster.)
Youdonotconfigureaserviceadvertisement(eitherbyenablingornotenabling
advertisingDNSserviceonthecontrollernodes).
Workaround:Therearethreepossibleworkaroundstosyncthecontrollernodes:
AfteryouimportthetwonodeclusterintoPanorama,pushtheconfigurationfrom
Panoramatothecluster.Afterthepushsucceeds,Panoramareportsthatthecontroller
nodesareinsync.
Configureaworkerlistontheclustercontroller:
admin@wf500(active-controller)# set deviceconfig cluster mode
controller worker-list <worker-ip-address>
(<workeripaddress>istheIPaddressoftheworkernodeyouareaddingto
thecluster.)Thiscreatesathreenodecluster.ImporttheclustertoPanorama
andPanoramareportsthatthecontrollernodesareinsync.Ifyouwantthe
clustertohaveonlytwonodes,useadifferentworkaround.
ConfigureserviceadvertisementonthelocalCLIoftheclustercontrollerandthen
importtheconfigurationintoPanorama.Theserviceadvertisementcanadvertisethat
DNSisenabled,orthatDNSisnotenabled:
admin@wf500(active-controller)# set deviceconfig cluster mode
controller service-advertisement dns-service enabled yes
or
admin@wf500(active-controller)# set deviceconfig cluster mode
controller service-advertisement dns-service enabled no
BothcommandsresultinPanoramareportingthatthecontrollernodesarein
sync.

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 31
KnownIssues PANOS8.0ReleaseInformation

IssueID Description

PAN73363 Afteryouenablereportingandfilteringongroups,Panoramastilldoesnotdisplayresults
Thisissueisnowresolved. whenyoufilterlogsorgeneratereportsbasedonusergroups.
SeePANOS8.0.1 Workaround:AccessthePanoramaCLIandrunthedebug software restart process
AddressedIssues. reportdoperationalcommand.

PAN73316 WhenaGlobalProtectuserfirstlogsinwithaRADIUSauthenticationprofile,the
Domain-UserNameappearsasuser@domain(insteadofdomain\user)inthePANOS
webinterface.
Workaround:OnceaHIPreportisgenerated,theusernameformatisnormalizedand
updatedtothecorrectformat.

PAN73307 WhenyouusetheACCtabtoviewTunnelActivityandyouJump to Logs,theTunnel

Inspectionlogsdisplaytunnelasthetunneltype.
Workaround:Removetunneltypefromthequeryintunnellogs.

PAN73291 IfyousetupclientcertificateauthenticationforGlobalProtectportalsandgateways,you
Thisissueisnowresolved. canspecifyaCertificateProfilewithmultiplecertificateauthority(CA)certificatesthat
SeePANOS8.0.1 havethesamecommonname.However,authenticationfailsforclientcertificatessigned
AddressedIssues. byaCAcertificatethatisnotlistedfirstintheCertificateProfile.

PAN73254 AfteryouinstalltheVMwareNSXpluginonPanoramainahighavailability(HA)
deployment,Panoramadoesnotautomaticallysynchronizeconfigurationchanges
betweentheHApeersunlessyoufirstupdatesettingsrelatedtotheNSXplugin.
Workaround:ConfiguretheNSXsettingsandcommityourchangestoPanorama.

PAN73207 IfthefirewallintegrateswithOktaAdaptiveasthemultifactorauthentication(MFA)
Thisissueisnowresolved. vendor,youcannotusepushnotificationasanauthenticationfactor.
SeePANOS8.0.1
AddressedIssues.

PAN73168 IfthePANOSwebinterfaceandtheGlobalProtectportalthathostsClientlessVPN
applicationsareconfiguredtosharethesameFQDN,youcangeta400 Bad Request
errorfromyourbrowserwhenyoutrytoaccessthePANOSwebinterface.
Workaround:BestpracticeistoconfigureseparateFQDNsforthePANOSwebinterface
andtheGlobalProtectportalthathostsClientlessVPNapplications.Asashorttermfix,
clearthebrowsercacheorcloseallbrowserwindowsandthenopenaseparatebrowser
windowtologintothePANOSwebinterface.

PAN73006 Whenloggingratesarehigh,theAppScopeChangeMonitorandNetworkMonitor
Thisissueisnowresolved. reportssometimesfailtodisplaydatawhenyoufilterbySourceorDestinationIP
SeePANOS8.0.1 addresses.Additionally,theAppScopeSummaryreportsometimesfailstodisplaydatafor
AddressedIssues. theTop5BandwidthConsumingSourceandTop5Threatswhenloggingratesarehigh.

PAN72861 WhenyouconfigureaPA5200SeriesorPA7000Seriesfirewalltoperform
tunnelintunnelinspection,whichincludesGREkeepalivepackets(Policies > Tunnel
Inspection > Inspection > Inspect Options),andyouruntheclear session allCLI
commandwhiletrafficistraversingatunnel,thefirewalltemporarilydropstunneled
packets.

PAN72843 IfyoucommitaconfigurationthatenablesclientlessVPNonmultipleGlobalProtect
portalsusingdifferentDNSproxies,thecommitfails.
Workaround:Restartthefirewalldataplaneandrepeattheconfigurationcommit.

32 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS8.0ReleaseInformation KnownIssues

IssueID Description

PAN72402 IfyouconfigureaBGPIPv6aggregateaddresswithanAdvertiseFilterthatconsistsof
Thisissueisnowresolved. bothaprefixfilterandanexthopfilter,thefirewalladvertisesonlytheaggregateaddress
SeePANOS8.0.1 anddoesnotadvertisethespecificroutescoveredbytheAdvertiseFilter.
AddressedIssues. Workaround:Removethenexthopfiltersothatthefirewalladvertisesboththe
aggregateaddressandthemorespecificroutes.Thisappliesonlytorouteslearnedfrom
anotherBGPpeer;thefirewalladvertiseslocallyinjectedroutesasexpectedwithoutthis
workaround.

PAN71833 ForaTACACS+authenticationprofile,theoutputofthetest authentication

authentication-profileCLIcommandintermittentlydisplays
authentication/authorization failed for usereventhoughtheadministratorcan
successfullylogintothewebinterfaceorCLIusingthesamecredentialsaswerespecified
inthetestcommand.

PAN71829 Insomecases,whenyoumakespecificchangesonaPA5000Seriesfirewallrelatedto
Thisissueisnowresolved. certificatesorSSLprofilesforaGlobalProtectconfiguration,thedataplanerestarts.
SeePANOS8.0.1 Changesthatresultinarestartincludeconfiguringanewgateway,changingacertificate
AddressedIssues. linkedtoGlobalProtect,orchangingtheminimumormaximumversionoftheTLSprofile
linkedtoGlobalProtect;othertypesofchangestoGlobalProtectconfigurationsdonot
triggeradataplanerestart.

PAN71765 DeactivatingaVMSeriesfirewallfromPanoramacompletessuccessfullybuttheweb
interfacedoesnotupdatetoshowthatdeactivationiscomplete.
Workaround:ViewdeactivationstatusfromManagedDevices(Panorama > Managed
Devices).

PAN71556 MACaddresstableentrieswithatimetolive(TTL)valueof0arenotremovedas
Thisissueisnowresolved. expectedinLayer2deployments,whichresultsinatablethatcontinuallygrowslargerin
SeePANOS8.0.1 size.
AddressedIssues. Workaround:Monitorthenumberoftableentriesandruntheclear mac allCLI
commandorrebootasneededtoclearthetable.

PAN71334 OnaPA5200Seriesfirewall,whenyousetupaVoIPcallusingtheSessionInitiation
Thisissueisnowresolved. Protocol(SIP),youcanexperienceadelayofupto10secondsbeforethefirewall
SeePANOS8.0.1 transmitstheaudio/videostream.
AddressedIssues.

PAN71329 LocalusersandusergroupscreatedunderShared(allvirtualsystems)arenotavailableto
bepartoftheusertoapplicationmappingforGlobalProtectClientlessVPNapplications
(Clientless VPN > ApplicationsontheGlobalProtectPortal).
Workaround:Createusersandusergroupsundervsysformultiplevirtualsystems.For
singlevirtualsystems(likeVM),usersandusergroupsarecreatedunderSharedandare
notconfigurableforClientlessVPNapplications.

PAN71271 Ifthelogpurgingprocessstartsrunningbeforelogmigrationbeginsafteranupgradeto
Thisissueisnowresolved. PANOS8.0,thelogmigrationprocessfailsanddropsnewlogs.
SeePANOS8.0.1 Youcannotworkaroundthisissueifthelogpurgingprocessstartsbeforeyoustart
AddressedIssues. migration.Todeterminewhetherlogpurginghasbegun,runtheless mp-log
es_purge.logCLIcommand,enteraforwardslash("/"),enterdeleting,andcheckthe
output.Ifthereareanymatches,youcannotmigrate;iftherearenomatches,thenyou
canstartlogmigration.

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 33
KnownIssues PANOS8.0ReleaseInformation

IssueID Description

PAN71215 DeactivatingaVMSeriesfirewallfromPanoramafailswhenPanoramaisconfiguredto
Verify Update Server Identity(Panorama > Setup > Services > Verify Update Server
Identity)andthissettingisdisabledonthefirewall(Device > Setup > Services);thisfailure
causesthefirewalltobecomeunreachable.
Workaround:EnsurethatyouconfigurebothPanoramaandtheVMSeriesfirewallto
Verify Update Server Identitybeforeyoudeactivatethefirewall.

PAN70906 IfthePANOSwebinterfaceandtheGlobalProtectportalareenabledonthesameIP
address,thenwhenauserlogsoutfromtheGlobalProtectportal,theadministrativeuser
isloggedoutfromthePANOSwebinterfaceaswell.Thisissueiscompoundedwhenthe
portalisconfiguredforGlobalProtectClientlessVPNbecauseitcanincreasethenumber
ofuserswhoaccesstheportal.
Workaround:UsetheIPaddresstoaccessthePANOSwebinterfaceandanFQDNto
accesstheGlobalProtectportal.

PAN70353 ClientlessVPNdoesnotworkifyouconfiguretheGlobalProtectportalthathoststhe
ClientlessVPNonaninterfacewithDHCP Clientenabled.
Workaround:ConfiguretheinterfacetousestaticIPaddresses.

PAN70323 FirewallsrunninginFIPSCCmodedonotallowimportofSHA1CAcertificateseven
Thisissueisnowresolved. whentheprivatekeyisnotincluded;instead,firewallsdisplaythefollowingerror:Import
of <cert name> failed. Unsupported digest or keys used in FIPS-CC mode.
SeePANOS8.0.1
AddressedIssues.

PAN70181 PA7000Seriesfirewallsthatrunalargenumberofscheduleddailyreports(near1,000or
more)willeventuallyexperienceamemoryissuethatcausesCLIcommandstofailand
ultimatelycausesSSHconnectionattemptstothemanagementIPaddresstofail,aswell.
Workaround:Monitormemoryusageandrestartthemgmtsrvrprocesswhenmgmtsrvr
virtualmemoryexceeds6GBormgmtsrvrresidentmemoryexceeds4GB.

PAN70046 Astandard404browsererrordisplaysifyoutrytouseGlobalProtectClientlessVPN
withoutthecorrectcontentreleaseversion.
Workaround:ClientlessVPNrequiresyoutoinstallaGlobalProtectsubscriptiononthe
firewallthathoststheClientlessVPNfromtheGlobalProtectportal.Additionally,you
needGlobalProtectClientlessVPNdynamicupdatestousethisfeature.

PAN70027(PLUG216) Theoutputoftheshow object registered-IP allcommanddoesnotincludethe

Thisissueisresolvedwith SourceofIPtag(serviceprofilenameandID).
theVMwareNSX1.0.1
plugin.

PAN70023 Authenticationusingautofilledcredentialsintermittentlyfailswhenyouaccessan
applicationusingGlobalProtectClientlessVPN.
Workaround:Manuallyenterthecredentials.

PAN69874 WhenthePANOSXMLAPIsendsusermappingswithnotimeoutvaluetoafirewallthat
hastheEnable User Identification Timeoutoptiondisabled,thefirewallassignsthe
mappingsatimeoutof60minutesinsteadofnever.

PAN69505 WhenviewinganexternaldynamiclistthatrequiresclientauthenticationandyouTest
Source URL,thefirewallfailstoindicatewhetheritcanreachtheexternaldynamiclist
serverandreturnsaURLaccesserror.

34 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS8.0ReleaseInformation KnownIssues

IssueID Description

PAN69340 Whenyouusealicenseauthorizationcode(capacitylicenseorabundle)tobootstrapa
VMSeriesfirewall,thecapacitylicenseisnotapplied.Thisissueoccursbecausethe
firewalldoesnotrebootafterthelicenseisapplied.
Workaround:Usetherequest restart softwareCLIcommandorrebootthefirewall
manuallytoactivatesessioncapacityforaVMSeriesfirewall.

PAN69141 OnPA7000SeriesfirewallsandonPanoramalogcollectors,logcollectionprocesses
consumeexcessmemoryanddonotprocesslogsasexpected.Thisissueoccurswhen
DNSresponsetimesareslowandscheduledreportscontainfieldsthatrequireDNS
lookups.
Workaround:Usethedebug management-server report-namelookup disableCLI
commandtodisableDNSlookupsforreportingpurposesandthenrestartthelogreceiver
byrunningdebug software restart process log-receiver.

PAN67987 TheGlobalProtectagentfailstoconnectusingaclientcertiftheintermediateCAissigned
usingtheECDSAhashalgorithm.

PAN67971 WhenyouconfigureanendpointrunningaGlobalProtectagent3.xreleasetousea
fullyqualifieddomainname(FQDN)toconnecttoadualstackPANOS8.0gateway,the
firewallincorrectlydisplaysanIPv6addressinsteadofanIPv4addressfortheconnection.
Workaround:UseGlobalProtectagent4.0toconnecttoPANOS8.0.

PAN67422 TheFirewallreregisterswithWildFireevery15daysunlessaconnectionfailureoccurs.
IfafirewallregisteredwithastandaloneWildFireapplianceandthenyouconfigurethe
firewalltoregisterwithaWildFireappliancecluster,thefirewallshowsasregisteredboth
totheclusterandtothestandaloneappliance,whichcreatesduplicateentries.
ToverifythatafirewallisconnectedtoaWildFireapplianceandaWildFireappliance
cluster,runthefollowingcommandontheWildFireclusterandstandaloneWildFire
appliancetodisplayallfirewallsregisteredtothatclusterandappliance:
admin@Panorama> show wildfire-appliance last-device-registration all
serial-number <value>"
The<value>isthe12digitserialnumberoftheWildFireclustercontrollernodeorthe
WildFireappliance.Forexample,toviewallfirewallsonaclusterwhosecontrollernode
hastheserialnumber002001000099,runthefollowingcommand:
admin@Panorama> show wildfire-appliance last-device-registration all
serial-number <002001000099>
Workaround:Runtheshow wildfire global devices-reporting-datacommandto
showonlyfirewallsthatarereportingdatatotheWildFireappliance.Ifafirewallhasnot
submittedasampletotheWildFireapplianceduringthepast24hours,thefirewallisnot
listed.

PAN66122 Tunnelcontentinspectionisnotsupportedinavirtualsystemtovirtualsystemtopology.
Thisissueisnowresolved.
SeePANOS8.0.1
AddressedIssues.

PAN66032 WhenyoumonitorBlockIPListentries,anIPaddressblockedbyaVulnerability
ProtectionprofileorAntiSpywareprofiledisplaystheBlockSourcetobetheThreatID
(TID)andvirtualsystem(ifapplicable),insteadofthenameofthethreatthatblockedthe
IPaddress.Forexample,theBlockSourcedisplays41000:vsys1(or41000:*ifthereisno
virtualsystem).

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 35
KnownIssues PANOS8.0ReleaseInformation

IssueID Description

PAN63274 Whenyouconfiguretunnelcontentinspectionfortrafficinasharedgatewaytopology
Thisissueisnowresolved. (thefirewallhasmultiplevirtualsystems),innerflowsessionsinstalledondataplane1
SeePANOS8.0.1 (DP1)willfail.Additionally,whennetworkingdevicesbehindthesharedgatewayinitiate
AddressedIssues. traffic,thattrafficdoesn'treachthenetworkingdevicesbehindthevirtualsystems.

PAN62820 IfyouusetheAppleSafaribrowserinPrivateBrowsingmodetorequestaserviceor
applicationthatrequiresmultifactorauthentication(MFA),thefirewalldoesnotredirect
youtotheserviceorapplicationevenafterauthenticationsucceeds.

PAN62453 EnteringvSpheremaintenancemodeonaVMSeriesfirewallwithoutfirstshuttingdown
theGuestOSfortheagentVMscausesthefirewalltoshutdownabruptlyandcauses
issuesthatpersistafterthefirewallispoweredonagain.RefertoIssue1332563inthe
VMwarereleasenotes:https://www.vmware.com/support/pubs/nsx_pubs.html.
Workaround:VMSeriesfirewallsareServiceVirtualMachines(SVMs)pinnedtoESXi
hostsandshouldnotbemigrated.BeforeyouentervSpheremaintenancemode,usethe
VMwaretoolstoensureagracefulshutdownoftheVMSeriesfirewall.

PAN61840 Theshow global-protect-portal statisticsCLIcommandisnotsupported.

Thisissueisnowresolved.
SeePANOS8.0.1
AddressedIssues.

PAN58872 Theautomaticlicensedeactivationworkflowforfirewallswithdirectinternetaccessdoes
notwork.
Workaround:Usetherequest license deactivate key features <name> mode
manualCLIcommandtoDeactivateaFeatureLicenseorSubscriptionUsingtheCLI.To
DeactivateaVM,chooseComplete Manually(insteadofContinue)andfollowthesteps
tomanuallydeactivatetheVM.

PAN56217 YoucannotconfiguremultipleDNSproxyobjectsthatspecifyforthefirewalltolistenfor
DNSrequestsonthesameinterface(Network > DNS Proxy > Interfaces).IfmultipleDNS
proxyobjectsareconfiguredwiththesameinterface,onlythefirstDNSproxyobject
settingsareapplied.
Workaround:IfthereareDNSproxyobjectsconfiguredwiththesameinterface,youmust
modifytheDNSproxyobjectssothateachobjectspecifiesuniqueinterfaces:
TomodifyaDNSproxyobjectthatspecifiesonlyoneinterface,deletetheDNSproxy
objectandreconfiguretheobjectwithaninterfacethatisnotsharedamonganyother
objects.
TomodifyaDNSproxyobjectconfiguredwithmultipleinterfaces,deletetheinterface
thatissharedwithotherDNSproxyobjects,clickOKtosavethemodifiedobject,and
thenCommit.

PAN55825 PerforminganAutoFocusremotesearchthatistargetedtoaPANOSfirewallor
Panoramadoesnotworkcorrectlywhenthesearchconditioncontainsasingleordouble
quotationmark.

PAN55437 Highavailability(HA)forVMSeriesfirewallsdoesnotworkinAWSregionsthatdonot
supportthesignatureversion2signingprocessforEC2APIcalls.Unsupportedregions
includeAWSEU(Frankfurt)andKorea(Seoul).

36 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS8.0ReleaseInformation KnownIssues

IssueID Description

PAN55203 Whenyouchangethereportingperiodforascheduledreport,suchastheSaaS
ApplicationUsagePDFreport,thereportcanhaveincompleteornodataforthereporting
period.
Workaround:Ifyouneedtochangethereportingperiodforanyscheduledreport,create
anewreportforthedesiredtimeperiodinsteadofmodifyingthetimeperiodonan
existingreport.

PAN54254 InTrafficlogs,thefollowingsessionendreasonsforCaptivePortaloraGlobalProtectSSL
VPNtunnelindicatedtheincorrectreasonforsessiontermination:
decrypt-cert-validation,decrypt-unsupport-param,ordecrypt-error.

PAN53825 FortheVMSeriesNSXeditionfirewall,whenyouaddormodifyanNSXserviceprofile
zoneonPanorama,youmustperformaPanoramacommitandthenperformaDevice
GroupcommitwiththeIncludeDeviceandNetworkTemplatesoptionselected.To
successfullyredirecttraffictotheVMSeriesNSXeditionfirewall,youmustperformboth
aTemplateandaDevice Groupcommitwhenyoumodifythezoneconfigurationto
ensurethatthezonesareavailableonthefirewall.

PAN53663 WhenyouopentheSaaSApplicationUsagereport(Monitor > PDF Reports > SaaS

Application Usage)onmultipletabsinabrowser,eachforadifferentvirtualsystem(vsys),
andyouthenattempttoexportPDFsfromeachtab,onlythefirstrequestisaccurate;all
successiveattemptswillresultinPDFsthatareduplicatesofthefirstreport.
Workaround:ExportonlyonePDFatatimeandwaitforthatexportprocesstofinish
beforeyoutriggerthenextexportrequest.

PAN53601 PanoramarunningonanM500appliancecannotconnecttoaSafeNetNetworkorThales
NshieldConnecthardwaresecuritymodule(HSM).

PAN51969 OntheNSXManager,whenyouunbindanNSXSecurityGroupfromanNSXSecurity
Policyrule,thedynamictagandregisteredIPaddressareupdatedonPanoramabutare
notsenttotheVMSeriesfirewalls.
Workaround:TopushtheDynamicAddressGroupupdatestotheVMSeriesfirewalls,
youmustmanuallysynchronizetheconfigurationwiththeNSXManager(Panorama >
VMware Service ManagerandselectNSX Config-Sync).

PAN51952 IfasecuritygroupoverlapoccursinanNSXSecuritypolicywherethesamesecuritygroup
isweightedwithahigherandalowerpriorityvalue,thetrafficmayberedirectedtothe
wrongserviceprofile(VMSeriesfirewallinstance).ThisissueoccursbecauseanNSX
Securitypolicywithahigherweightdoesnotalwaystakeprecedenceoverapolicywitha
lowerweight.
Workaround:Makesurethatmembersthatareassignedtoasecuritygrouparenot
overlappingwithanotherSecuritygroupandthateachsecuritygroupisassignedtoa
uniqueNSXSecuritypolicyrule.ThisallowsyoutoensurethatNSXSecuritypolicydoes
notredirecttraffictothewrongserviceprofile(VMSeriesfirewall).

PAN51870 WhenusingtheCLItoconfigurethemanagementinterfaceasaDHCPclient,thecommit
failsifyoudonotprovideallfourDHCPparametersinthecommand.Forasuccessful
commitwhenusingtheset deviceconfig system type dhcp-clientcommand,you
mustincludeeachofthefollowingparameters:accept-dhcp-domain,
accept-dhcp-hostname,send-client-id,andsend-hostname.

PAN51869 Cancelingpendingcommitsdoesnotimmediatelyremovethemfromthecommitqueue.
ThecommitsremaininthequeueuntilPANOSdequeuesthem.

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 37
KnownIssues PANOS8.0ReleaseInformation

IssueID Description

PAN51673 BFDsessionsarenotestablishedbetweentwoRIPpeerswhentherearenoRIP
advertisements.
Workaround:EnableRIPonanotherinterfacetoprovideRIPadvertisementsfroma
remotepeer.

PAN51216 TheNSXManagerfailstoredirecttraffictotheVMSeriesfirewallwhenyoudefinenew
ServiceProfilezonesforNSXonPanorama.ThisissueoccursintermittentlyontheNSX
Managerwhenyoudefinesecurityrulestoredirecttraffictothenewserviceprofilesthat
areavailablefortrafficintrospectionandresultsinthefollowingerror:Firewall
configuration is not in sync with NSX Manager. Conflict with Service
Profile Oddhost on service (Palo Alto Networks NGFW) when binding to
host<name>.

PAN51181 APaloAltoNetworksfirewall,M100appliance,orWF500applianceconfiguredtouse
FIPSoperationalmodefailstobootwhenrebootingafteranupgradetoPANOS7.0or
laterreleases.
Workaround:EnableFIPSandCommonCriteriasupportonallPaloAltoNetworks
firewallsandappliancesbeforeyouupgradetoaPANOS7.0orlaterrelease.

PAN51122 FortheVMSeriesfirewall,ifyoumanuallyresetaheartbeatfailurealarmonthevCenter
servertoindicatethattheVMSeriesfirewallishealthy(changecolortogreen),the
vCenterserverdoesnottriggeraheartbeatfailurealarmagain.

PAN50651 OnPA7000Seriesfirewalls,onedataportmustbeconfiguredasalogcardinterface
becausethetrafficandloggingcapabilitiesofthisplatformexceedthecapabilitiesofthe
managementport.AlogcardinterfaceperformsWildFirefileforwardingandlog
forwardingforsyslog,email,andSNMPandtheseservicesrequireDNSsupport.Ifyouset
upacustomservicerouteforthefirewalltoperformDNSqueries,servicesusingthelog
cardinterfacemightnotbeabletogenerateDNSrequests.Thisisonlyanissueifyouve
configuredthefirewalltouseaservicerouteforDNSrequestsand,inthiscase,youmust
performaworkaroundtoenablecommunicationbetweenthefirewalldataplaneandthe
logcardinterface.
Workaround:EnableDNSProxyonthefirewallanddonotspecifyaninterfaceforthe
DNSproxyobjecttouse(ensurethatNetwork > DNS Proxy > Interfaceisnotconfigured).

PAN50641 EnablingordisablingBFDforBGPorchangingaBFDprofilethataBGPpeerusescauses
BGPtoflap.

PAN50038 WhenyouenablejumboframesfromtheCLIonaVMSeriesfirewallinAWS,the
maximumtransmissionunit(MTU)sizeontheinterfacesdoesnotincrease.TheMTUon
eachinterfaceremainsatamaximumvalueof1500bytes.

PAN48565 TheVMSeriesfirewallonCitrixSDXdoesnotsupportjumboframes.

PAN48456 IPv6toIPv6NetworkPrefixTranslation(NPTv6)isnotsupportedwhenconfiguredona
sharedgateway.

PAN47969 IfyoulogintoPanoramaasaDeviceGroupandTemplateadministratorandyourename
adevicegroup,thePanorama > Device Groupspagenolongerdisplaysanydevicegroups.
Workaround:Afteryourenameadevicegroup,performacommit,logout,andlogback
in;thepagethendisplaysthedevicegroupswiththeupdatedvalues.

PAN47073 WebpagesusingtheHTTPStrictTransportSecurity(HSTS)protocoldonotalways
displayproperlyforendusers.
Workaround:Endusersmustimportanappropriateforwardproxycertificatefortheir
browsers.

38 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS8.0ReleaseInformation KnownIssues

IssueID Description

PAN46344 WhenyouuseaMacOSSafaribrowser,clientcertificateswillnotworkforCaptivePortal
authentication.
Workaround:OnaMacOSsystem,instructenduserstouseadifferentbrowser(for
example,MozillaFirefoxorGoogleChrome).

PAN45793 Onafirewallwithmultiplevirtualsystems,ifyouaddanauthenticationprofiletoavirtual
systemandgivetheprofilethesamenameasanauthenticationsequenceinShared,
referenceerrorsoccur.ThesameerrorsoccuriftheprofileisinSharedandthesequence
withthesamenameisinavirtualsystem.
Workaround:Whencreatingauthenticationprofilesandsequences,alwaysenterunique
names,regardlessoftheirlocation.Forexistingauthenticationprofilesandsequences
withsimilarnames,renametheonesthatarecurrentlyassignedtoconfigurations(for
example,aGlobalProtectgateway)toensureuniqueness.

PAN44616 OntheACC > Network Activitytab,ifyouaddthelabelUnknownasaglobalfilter,the

filtergetsaddedasA1andqueryresultsdisplayA1insteadofUnknown.

PAN44400 Thelinkona1GbpsSFPportonaVMSeriesfirewalldeployedonaCitrixSDXserverdoes
notcomeupwhensuccessivefailoversaretriggered.Thisbehaviorisonlyobservedina
highavailability(HA)active/activeconfiguration.
Workaround:Usea10GbpsSFPportinsteadofthe1GbpsSFPportontheVMSeries
firewalldeployedonaCitrixSDXserver.

PAN44300 WildFireanalysisreportscannotbeviewedonfirewallsrunningPANOS6.1release
versionsifconnectedtoaWF500applianceinCommonCriteriamodethatisrunning
PANOS7.0orlaterreleases.

PAN43000 VulnerabilitydetectionofSSLv3failswhenSSLdecryptionisenabled.Thisoccurswhen
youattachaVulnerabilityProtectionprofile(thatdetectsSSLv3CVE20143566)toa
SecuritypolicyruleandthatSecuritypolicyruleandanSSLDecryptionpolicyruleare
configuredonthesamevirtualsysteminthesamezone.AfterperformingSSLdecryption,
thefirewallseesdecrypteddataandnolongerseestheSSLversionnumber.Inthiscase,
theSSLv3vulnerabilityisnotidentified.
Workaround:SSLDecryptionEnhancementswereintroducedinPANOS7.0thatenable
youtoprohibittheinherentlyweakerSSL/TLSversions,whicharemorevulnerableto
attacks.Forexample,youcanuseaDecryptionProfiletoenforceaminimumprotocol
versionofTLS1.2oryoucanBlock sessions with unsupported versionstodisallow
unsupportedprotocolversions(Objects > Decryption Profile > SSL Decryption > SSL
Forward Proxyand/orSSL Inbound Inspection).

PAN41558 WhenyouuseafirewallloopbackinterfaceasaGlobalProtectgatewayinterface,traffic
isnotroutedcorrectlyforthirdpartyIPSecclients,suchasStrongSwan.
Workaround:Useaphysicalfirewallinterfaceinsteadofaloopbackfirewallinterfaceas
theGlobalProtectgatewayinterfaceforthirdpartyIPSecclients.Alternatively,configure
theloopbackinterfacethatisusedastheGlobalProtectgatewaytobeinthesamezone
asthephysicalingressinterfaceforthirdpartyIPSectraffic.

PAN40842 WhenyouconfigureafirewalltoretrieveaWildFiresignaturepackage,theSystemlog
showsunknown versionforthepackage.Forexample,afterascheduledWildFire
packageupdate,thesystemlogshows:WildFire package upgraded from version
<unknown version> to 38978-45470.Thisisacosmeticissueonlyanddoesnotprevent
theWildFirepackagefrominstalling.

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 39
KnownIssues PANOS8.0ReleaseInformation

IssueID Description

PAN40714 IfyouaccessDevice > Log SettingsonadevicerunningaPANOS7.0orlaterreleaseand

thenusetheCLItodowngradethedevicetoaPANOS6.1orearlierreleaseandreboot,
anerrormessageappearsthenexttimeyouaccessLog Settings.Thisoccursbecause
PANOS7.0andlaterreleasesdisplayLog SettingsinasinglepagewhereasPANOS6.1
andearlierreleasesdisplaythesettingsinmultiplesubpages.Toclearthemessage,
navigatetoanotherpageandreturntoanyLog Settingssubpage;theerrorwillnotrecur
insubsequentsessions.

PAN40130 IntheWildFireSubmissionslogs,theemailrecipientaddressisnotcorrectlymappedtoa
usernamewhenconfiguringLDAPgroupmappingsthatarepushedinaPanorama
template.

PAN40079 TheVMSeriesfirewallonKVM,forallsupportedLinuxdistributions,doesnotsupportthe
BroadcomnetworkadaptersforPCIpassthroughfunctionality.

PAN40075 TheVMSeriesfirewallonKVMrunningonUbuntu12.04LTSdoesnotsupportPCI
passthroughfunctionality.

PAN39728 TheURLloggingrateisreducedwhenHTTPheaderloggingisenabledintheURLFiltering
profile(Objects > Security Profiles > URL Filtering > URL Filtering profile > Settings).

PAN39636 RegardlessoftheTimeFrameyouspecifyforascheduledcustomreportonaPanorama
MSeriesappliance,theearliestpossiblestartdateforthereportdataiseffectivelythe
datewhenyouconfiguredthereport.Forexample,ifyouconfigurethereportonthe15th
ofthemonthandsettheTimeFrametoLast30Days,thereportthatPanoramagenerates
onthe16thwillincludeonlydatafromthe15thonward.Thisissueappliesonlyto
scheduledreports;ondemandreportsincludealldatawithinthespecifiedTimeFrame.
Workaround:Togenerateanondemandreport,clickRun Nowwhenyouconfigurethe
customreport.

PAN39501 UnusedNATIPaddresspoolsarenotclearedafterasinglecommit,soacommitfailsifthe
combinedcacheofunusedpools,existingusedpools,andnewpoolsexceedsthememory
limit.
Workaround:Commitasecondtime,whichclearstheoldpoolallocation.

PAN38584 ConfigurationspushedfromPanorama6.1andlaterreleasestofirewallsrunningPANOS
6.0.3orearlierPANOS6.0releaseswillfailtocommitduetoanunexpectedRuleType
error.ThisissueiscausedbytheRule TypesettinginSecuritypolicyrulesthatwasnot
includedintheupgradetransformand,therefore,thenewruletypesarenotrecognized
ondevicesrunningPANOS6.0.3orearlierreleases.
Workaround:OnlyupgradePanoramatoversion6.1orlaterreleasesifyouarealso
planningtoupgradeallmanagedfirewallsrunningPANOS6.0.3oranearlierPANOS6.0
releasetoaPANOS6.0.4orlaterreleasebeforepushingaconfigurationtothedevices.

PAN38255 IfyouperformafactoryresetonaPanoramavirtualapplianceandconfiguretheserial
number,loggingdoesnotworkuntilyourebootPanoramaorexecutethedebug
software restart management-serverCLIcommand.

PAN37511 DuetoalimitationrelatedtotheEthernetchipdrivingtheSFP+ports,PA5050and
PA5060firewallswillnotperformlinkfaultsignalingasstandardizedwhenafiberinthe
fiberpairiscutordisconnected.

40 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS8.0ReleaseInformation KnownIssues

IssueID Description

PAN37177 AfterdeployingtheVMSeriesfirewall,whenthefirewallconnectstoPanorama,youmust
issueaPanoramacommittoensurethatPanoramarecognizesthefirewallasamanaged
device.IfyourebootPanoramawithoutcommittingthechanges,thefirewallwillnot
connectbacktoPanorama;althoughthedevicegroupwilldisplaythelistofdevices,the
devicewillnotdisplayinPanorama > Managed Devices.
Further,ifPanoramaisconfiguredinanHAconfiguration,theVMSeriesfirewallisnot
addedtothepassivePanoramapeeruntiltheactivePanoramapeersynchronizesthe
configuration.Duringthistime,thepassivePanoramapeerwilllogacriticalmessage:
vm-cfg: failed to process registration from svm device. vm-state: active.
ThismessageisloggeduntilyoucommitthechangesontheactivePanorama,whichthen
initiatessynchronizationbetweenthePanoramaHApeersandtheVMSeriesfirewallis
addedtothepassivePanoramapeer.
Workaround:Toreestablishtheconnectiontothemanageddevices,commityour
changestoPanorama(clickCommitandselectCommitType:Panorama).IncaseofanHA
setup,thecommitwillinitiatethesynchronizationoftherunningconfigurationbetween
thePanoramapeers.

PAN37127 OnthePanoramawebinterface,thePolicies > Security > Post Rules > Combined Rules
Previewwindowdoesnotdisplaypostrulesandlocalrulesformanageddevices.

PAN37044 LivemigrationoftheVMSeriesfirewallisnotsupportedwhenyouenableSSLdecryption
usingtheSSLforwardproxymethod.UseSSLinboundinspectionifyouneedsupportfor
livemigration.

PAN36730 WhendeletingtheVMSeriesdeployment,allVMsaredeletedsuccessfully;however,
sometimesafewinstancesstillremaininthedatastore.
Workaround:ManuallydeletetheVMSeriesfirewallsfromthedatastore.

PAN36728 Insomescenarios,trafficfromnewlyaddedguestsorvirtualmachinesisnotsteeredto
theVMSeriesfirewallevenwhentheguestsbelongtoaSecurityGroupandareattached
toaSecurityPolicythatredirectstraffictotheVMSeriesfirewall.
Workaround:ReapplytheSecurityPolicyontheNSXManager.

PAN36727 TheVMSeriesfirewallfailstodeploywithanerrormessage:Invalid OVF Format in

Agent Configuration.
Workaround:UsethefollowingcommandtorestarttheESXAgentManagerprocesson
thevCenterServer:/etc/init.d/vmware-vpxd tomcat-restart.

PAN36433 Ifahighavailability(HA)failoveroccursonPanoramaatthetimethattheNSXManager
isdeployingtheVMSeriesNSXeditionfirewall,thelicensingprocessfailswiththeerror:
vm-cfg: failed to process registration from svm device. vm-state: active.
Workaround:DeletetheunlicensedinstanceoftheVMSeriesfirewalloneachESXihost
andthenredeploythePaloAltoNetworksnextgenerationfirewallservicefromtheNSX
Manager.

PAN36409 WhenviewingtheSessionBrowser(Monitor > Session Browser),usingtheglobalrefresh

option(toprightcorner)toupdatethelistofsessionscausestheFiltermenutodisplay
incorrectlyandclearsanypreviouslyselectedfilters.
Workaround:Tomaintainandapplyselectedfilterstoanupdatedlistofsessions,clickthe
greenarrowtotherightoftheFiltersfieldinsteadoftheglobal(orbrowser)refresh
option.

PAN36394 Whenthedatastoreismigratedforaguest,allcurrentsessionsarenolongersteeredto
theVMSeriesfirewall.However,allnewsessionsaresecuredproperly.

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 41
KnownIssues PANOS8.0ReleaseInformation

IssueID Description

PAN36393 WhendeployingtheVMSeriesfirewall,theTaskConsoledisplaysError while

enabling agent. Cannot complete the operation. See the event log for
details.Thiserrordisplaysevenonasuccessfuldeployment.Youcanignorethe
messageiftheVMSeriesfirewallissuccessfullydeployed.

PAN36333 TheServicedialogforaddingoreditingaserviceobjectinthewebinterfacedisplaysthe
incorrectportrangeforbothsourceanddestinationports:1-65535.Thecorrectport
rangeis0-65535andspecifyingportnumber0foreitherasourceordestinationportis
successful.

PAN36289 IfyoudeploytheVMSeriesfirewallandthenassignthefirewalltoatemplate,thechange
isnotrecordedinthebootstrapfile.
Workaround:DeletethePaloAltoNetworksNGFWServiceontheNSXManager,and
verifythatthetemplateisspecifiedonPanorama > VMware Service Manager,register
theservice,andredeploytheVMSeriesfirewall.

PAN36088 WhenanESXihostisrebootedorshutdown,thefunctionalstatusoftheguestsisnot
updated.BecausetheIPaddressisnotupdated,thedynamictagsdonotaccuratelyreflect
thefunctionalstateofthegueststhatareunavailable.

PAN36049 ThevCenterServer/vmtoolsdisplayedtheIPAddressforaguestincorrectlyaftervlan
tagswereaddedtoanEthernetport.ThedisplaydidnotaccuratelyshowtheIPaddresses
associatedwiththetaggedEthernetportandtheuntaggedEthernetport.Thisissuewas
seenonsomeLinuxOSversionssuchasUbuntu.

PAN35903 Whenyoueditatrafficintrospectionrule(tosteertraffictotheVMSeriesfirewall)onthe
NSXManager,aninvalid (tcp) port numbererrororinvalid (udp) port number
errordisplayswhenyouremovethedestination(TCPorUDP)port.
Workaround:Deletetheruleandaddanewone.

PAN35875 Whendefiningtrafficintrospectionrules(tosteertraffictotheVMSeriesfirewall)onthe
NSXManager,eitherthesourceorthedestinationfortherulemustreferencethename
ofaSecurityGroup;youcannotcreatearulefromanytoanySecurityGroup.
Workaround:ToredirectalltraffictotheVMSeriesfirewall,youmustcreateaSecurity
Groupthatincludesalltheguestsinthecluster.Thenyoucandefineasecuritypolicythat
redirectstrafficfromandtotheclustersothatthefirewallcaninspectandenforcepolicy
ontheeastwesttraffic.

PAN35874 DuplicatepacketsarebeingsteeredtotheVMSeriesfirewall.Thisissueoccursifyou
enabledistributedvSwitchforsteeringinpromiscuousmode.
Workaround:Disablepromiscuousmode.

PAN34966 OnaVMSeriesNSXeditionfirewall,whenaddingorremovingaSecurityGroup
(Container)thatisboundtoaSecurityPolicy,Panoramadoesnotgetadynamicupdateof
theaddedorremovedSecurityGroup.
Workaround:OnPanorama > VMware Service Manager,clickSynchronize Dynamic
Objectstoinitiateamanualsynchronizationtogetthelatestupdate.

PAN34855 OnaVMSeriesNSXeditionfirewall,DynamicTags(update)donotreflecttheactualIP
addresssetontheguest.ThisissueoccursbecausethevCenterServercannotaccurately
viewtheIPaddressoftheguest.

42 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS8.0ReleaseInformation KnownIssues

IssueID Description

PAN33316 AddingorremovingportsontheSDXserverafterdeployingtheVMSeriesfirewallcan
causeaconfigurationmismatchonthefirewall.Toavoidtheneedtoreconfigurethe
interfaces,considerthetotalnumberofdataportsthatyourequireonthefirewalland
assigntherelevantnumberofportsontheSDXserverwhendeployingtheVMSeries
firewall.
Forexample,ifyouassignports1/3and1/4ontheSDXserverasdatainterfacesonthe
VMSeriesfirewall,theportsaremappedtoeth1andeth2.Ifyouthenaddport1/1or1/2
ontheSDXserver,eth1willbemappedto1/1or1/2,eth2willbemappedto1/3and
eth3to1/4.Ifports1/3and1/4weresetupasavirtualwire,thisremappingwillrequire
youtoreconfigurethenetworkinterfacesonthefirewall.

PAN31832 Thefollowingissuesapplywhenconfiguringafirewalltouseahardwaresecuritymodule
(HSM):
ThalesnShieldConnectThefirewallrequiresatleastfourminutestodetectthatan
HSMhasbeendisconnected,causingSSLfunctionalitytobeunavailableduringthe
delay.
SafeNetNetworkWhenlosingconnectivitytoeitherorbothHSMsinahigh
availability(HA)configuration,thedisplayofinformationfromtheshow ha-statusor
show hsm infocommandisblockedfor20seconds.

PAN31593 AfteryouconfigureaPanoramaMSeriesapplianceforHAandsynchronizethe
configuration,theLogCollectorofthepassivepeercannotconnecttotheactivepeeruntil
yourebootthepassivepeer.

PAN29441 ThePanoramavirtualappliancedoesnotwritesummarylogsfortrafficandthreatsas
expectedafteryouenterthe""clearlog""command.
Workaround:Reboot Panoramamanagementserver(Panorama > Setup > Operations)to
enablesummarylogs.

PAN29411 Insomeconfigurations,whenyouswitchcontextfromPanoramaandaccesstheweb
interfaceofamanageddevice,youareunabletoupgradethePANOSsoftwareimage.
Workaround:UsethePanorama > Device Deployment > Softwaretabtodeployand
installthesoftwareimageonthemanageddevice.

PAN29385 YoucannotconfigurethemanagementIPaddressonanM100appliancewhileitis
operatingasthesecondarypassivepeerinanHApair.
Workaround:TosettheIPaddressforthemanagementinterface,youmustsuspendthe
activePanoramapeer,promotethepassivepeertoactivestate,changetheconfiguration,
andthenresettheactivepeertoactivestate.

PAN29053 Bydefault,thehostnameisnotincludedintheIPheaderofsyslogmessagessentfromthe
firewall.However,somesyslogimplementationsrequirethisfieldtobepresent.
Workaround:EnablethefirewalltoincludetheIPaddressofthefirewallasthehostname
inthesyslogheaderbyselectingSend Hostname in Syslog(Device > Setup).

PAN28794 IfaPanoramaLogCollectorMGTportisconfiguredwithanIPv4addressandyouwantto
haveonlyanIPv6addressconfigured,youcanusethePanoramawebinterfaceto
configurethenewIPv6addressbutyoucannotusePanoramatoremovetheIPv4address.
Workaround:ConfiguretheMGTportwiththenewIPv6addressandthenapplythe
configurationtotheLogCollectorandtestconnectivityusingtheIPv6addresstoensure
thatyoudonotloseaccesswhenyouremovetheIPv4address.AfteryouconfirmtheLog
CollectorisaccessibleusingtheIPv6address,gototheCLIontheLogCollectorand
removetheIPv4address(usingthedelete deviceconfig system ip-address
command)andthencommityourchanges.

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 43
KnownIssues PANOS8.0ReleaseInformation

IssueID Description

PAN25101 IfyouaddaDecryptionpolicyrulethatinstructsthefirewalltoblockSSLtrafficthatwas
notpreviouslybeingblocked,thefirewallwillcontinuetoforwardtheundecryptedtraffic.
Workaround:Usethedebug dataplane reset ssl-decrypt exclude-cachecommand
tocleartheSSLdecryptexcludecache.

PAN25046 SSHhostkeysusedforSCPlogexportarestoredintheknownhostsfileonthefirewall.
Inahighavailability(HA)configuration,theSCPlogexportconfigurationissynchronized
withthepeerdevice,buttheknownhostfileisnotsynchronized.Whenafailoveroccurs,
theSCPlogexportfails.
Workaround:LogintoeachpeerinHAandTest SCP server connectiontoconfirmthe
hostkeysothatSCPlogforwardingcontinuestoworkafterafailover.

PAN23732 WhenyouusePanoramatemplatestoschedulealogexport(Device > Scheduled Log

Export)toanSCPserver,youmustlogintoeachmanageddeviceandTest SCP server
connectionafterthetemplateispushed.Theconnectionisnotestablisheduntilthe
firewallacceptsthehostkeyfortheSCPserver.

PAN20656 Attemptstoresetthemasterkeyfromthewebinterface(Panorama > Master Key and

Diagnostics)ortheCLIonPanoramawillfail.However,thisshouldnotcauseaproblem
whenpushingaconfigurationfromPanoramatoadevicebecauseitisnotnecessaryfor
thekeystomatch.

PAN20162 IfaclientPCusesRDPtoconnecttoaserverrunningremotedesktopservicesandthe
userlogsintotheremoteserverwithadifferentusername,whentheUserIDagent
queriestheActiveDirectoryservertogatherusertoIPmappingfromthesecuritylogs,
thesecondusernamewillberetrieved.Forexample,ifUserAlogsintoaclientPCandthen
logsintotheremoteserverusingtheusernameforUserB,thesecuritylogontheActive
DirectoryserverwillrecordUserA,butwillthenbeupdatedwithUserB.Theusername
UserBisthenpickedupbytheUserIDagentfortheusertoIPmappinginformation,
whichisnottheintendedusermapping.

KnownIssuesSpecifictotheWF500Appliance

ThefollowinglistincludesknownissuesspecifictoWildFire8.0releasesrunningontheWF500appliance.
SeealsothespecificandgeneralKnownIssuesRelatedtoPANOS8.0Releases.

IssueID Description

WF5004218 AspartofandafterupgradingaWildFireappliancetoaPANOS8.0release,rebooting
aclusternode(request cluster reboot-local-node)sometimesresultsinthenode
goingofflineorfailingtoreboot.
Workaround:Usethedebug cluster agent restart-agentCLIcommandtobringthe
nodebackonlineandtorestarttheclusteragentasneeded.

WF5004200 TheCreateDateshownwhenusingtheshow wildfire global sample-status

sha256 equal <hash>andshow wildfire global sample-analysiscommandsistwo
hoursbehindtheactualtimeforWF500appliancesamples.

44 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS8.0ReleaseInformation KnownIssues

IssueID Description

WF5004186 InathreenodeWildFireappliancecluster,ifyoudecommissionthebackupcontroller
nodeortheworkernode(request cluster decommission start)andthendeletethe
clusterrelatedconfiguration(highavailabilityandclustermembership)fromthe
decommissionednode,insomecases,theclusterstopsfunctioning.Runningtheshow
cluster membershipcommandontheprimarycontrollernodeshows:
Service Summary: Cluster:offline, HA:peer-offline
In this state, the cluster does not function and does not accept new samples for
processing.
Workaround:Reboottheprimarycontroller(runtherequest cluster
reboot-local-nodecommandontheprimarycontrollerslocalCLI).Aftertheprimary
controllerreboots,theclusterfunctionsagainandacceptsnewsamplesforprocessing.

WF5004176 Afteryouremoveanodefromacluster,iftheclusterwasstoringsampleinformationon
thatnode,thatserialnumberofthatnodemayappearinthelistofstoragenodeswhen
youshowthesamplestatus(show wildfire global sample-status sha256 equal
<value>)eventhoughthenodenolongerbelongstothecluster.

WF5004173 IntegratedreportsarenotavailableforfirewallsconnectedtoaWF500appliance
runninginFIPSmode.

WF5004166 InaWildFireapplianceclusterwiththreeormorenodesandwithtwocontrollernodes,
ifyoutrytoconfigureaworkernodeasacontrollernode,thechangeshouldfailbecause
aclustercanhaveonlytwocontrollernodes(primaryandbackupcontrollernodes).
However,thecommitoperationontheworkernodesucceedsandcausestheclusterto
seetheworkernodeasathirdcontrollernodethatcannotbeallowedinthecluster.This
preventstheconvertedworkernodefromconnectingtotheclustermanagerandthe
nodeisremovedfromthecluster.Theresultwhenrunningtheshow cluster task
localcommanddisplays:
Server error: Cannot connect to cluster-mgr daemon, please check it is running.
Status Report: <node-ip-address>: reported leader <ip-address>, age 0.
<node-ip-address>: quit cluster due to too many controllers.

Workaround:Performthefollowingtaskstoworkaroundthisissue:
1. Reconfigurethenodetoruninworkermodeusingtheset deviceconfig cluster
mode workercommand.
2. Runthecommit forcecommand.(Astandardcommitoperationfailsandreturnsa
messagethattheclustermanagerisnonresponsive.)
3. Afterthecommitforceoperationsucceeds,rebootthenodeusingtherequest
cluster reboot-local-nodecommand.Untilyourebootthenode,thenodes
applicationservicesdonotrespond.

WF5004158 WhenyouupgradeWildFireapplianceclustersfromPanorama,donotReboot device

after Install.RebootingtheclusterfromPanoramaresultsinanungracefulrebootthat
causestheclustertobecomeunresponsiveinsomecases.
Workaround:PushtheupgradefromPanoramawithRebootdeviceafterInstall
disabled.Afterthesoftwareupgradeiscomplete,rebooteachclusternodeindividually
usingtherequest cluster reboot-local-nodecommandoneachnodeslocalCLI.

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 45
KnownIssues PANOS8.0ReleaseInformation

IssueID Description

WF5004132 IfyouremoveanodefromatwonodeWildFireapplianceclusterbydeletingthe
highavailabilityconfiguration(delete deviceconfig high-availability)andthe
clusterconfiguration(delete deviceconfig cluster),thesingleremainingcluster
nodecannotprocesssamples.
Workaround:Useeitherofthefollowworkaroundstoenabletheremainingclusternode
toprocesssamples:
MaketheclusternodeastandaloneWildFireapplianceDeletetheHAandcluster
configurationsontheremainingclusternodeandrebootthenode.Thenodecomes
backupasastandaloneWildFireappliance.
RecreatetheclusterReconfigurethenodeyouremovedasaclusternodebyadding
theclusterandHAconfigurationsusingthefollowingcommandssothatbothnodes
comebackupasclusternodesandcanprocesssamples:
admin@WF-500# set deviceconfig cluster cluster-name
<name> interface <cluster-communication-interface> node
controller
admin@WF-500# set deviceconfig high-availability enabled
yes interface ha1 port <port> peer-ip-address
<node-port-ip-address>
admin@WF-500# set deviceconfig high-availability
election-option priority (primary | secondary)
admin@WF-500# set deviceconfig high-availability
interface ha1-backup peer-ip-address
<node-backup-ha-interface-ip-address>
WF5004047 InathreenodeWildFireappliancecluster,decommissioningtheactive(primary)
controllernodefails.Attemptingtodecommissiontheactivecontrollernodebyrunning
therequest cluster decommission startcommandresultsinasuspensionof
servicesonthenode.Usetheshow cluster membershipcommandtoverifythatthe
nodeservices(Service Summaryandwildfire-apps-service)aresuspended.
Workaround: Instead of using the request cluster decommission start command
to decommission the active controller, failover the active controller so that it becomes
the passive (backup) controller first and then decommission the passive controller:
1. Ensurethatpreemptionisnotenabled(Preemptive: no)byrunningtheshow
high-availability statecommand(preemptionforcestheactivecontrollerto
resumeitsroleastheactivecontrollersothatafterafailover,whentheactive
controllercomesbackuptheactivecontrollerresumesitsroleastheactive
controllerinsteadofbecomingthepassivebackupcontroller).
Ifpreemptionisenabled,disablepreemptionontheactivecontrollerbyrunningthe
set deviceconfig high-availability election-option preemptive no
commandandthencommittheconfiguration.
2. Failovertheactivecontrollersothatitbecomesthepassive(backup)controllerby
runningtherequest cluster reboot-local-nodeoperationalcommandonthe
activecontroller.
3. Waitfortheformeractivecontrollertocomeupcompletely.Itsnewclusterroleis
thepassivecontroller(asshownintheprompt).
4. Whenthenodeisinthepassivecontrollerstate,removetheHAconfiguration
(delete deviceconfig high-availability)andtheclusterconfiguration(delete
deviceconfig cluster)andthencommittheconfiguration.
5. Decommissionthenodebyrunningtherequest cluster decommission start
command.

46 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS8.0ReleaseInformation KnownIssues

IssueID Description

WF5004044 RemovinganodefromaclusterusingPanoramaisnotsupported.
Workaround:DeleteanodefromaclusterusingthelocalWildFireCLI.

WF5004001 OnPanorama,youcanconfigureanauthenticationprofileandAddgroupsor
administratorstotheAllow Listintheprofile(Panorama > Authentication Profile >
<auth-profile> > Advanced).However,WildFireappliancesandapplianceclusters
supportonlytheallvalueforthegroupsintheallowlistforanauthenticationprofile.
TheanalogousWildFireapplianceCLIcommandisset shared
authentication-profile <name> allow-list [all],withallastheonlyallowed
parameter.
Attemptingtopushandcommitaconfigurationthatspecifiesagroupornameotherthan
allintheauthenticationprofilefromPanoramatoaWildFireapplianceorappliance
clusterisnotsuccessful.However,Panoramashowsthatthecommitsucceededasthe
Last Commit StateeventhoughtheconfigurationwasnotpushedtotheWildFire
applianceorappliancecluster.ConfigStatusdisplaysclusternodesasOut of Syncand
whenyouclickLast Commit State > commit succeeded,theLast Push State Details
displaysanerrormessage.
Forexample,ifyouAddagroupnamedabcdtoanauthenticationprofilenamedauth5in
PanoramaandthenattempttopushtheconfigurationtoaWildFireappliancecluster,
Panoramareturnstheerrorauthentication-profile auth5 allow-list abcd is
not an allowed keyword.ThisisbecauseWildFireappliancesandapplianceclusters
seetheallowlistargumentasakeyword,notasavariable,andtheonlykeywordallowed
isall.

WF5003966 Therequest cluster join ip <ip-address>CLIcommandisnotfunctionaland

shouldnotbeused.

WF5003935 WildFireappliancesbuildandreleasealluntestedsignaturestotheconnectedfirewalls
everyfiveminutes,whichisthemaximumtimethatasignatureremainsuntested(not
releasedtofirewalls).WhenaWildFireappliancejoinsacluster,ifanyuntested
(unreleased)signaturesareontheappliance,theymaybelostinsteadofmigratingtothe
cluster,dependingonwhenthelastbuildofuntestedsignaturesoccurred.

WF5003892 Therequest cluster reboot-all-nodesCLIcommandisnotfunctionalandshould

notbeused.
Workaround:Torebootallnodesinacluster,rebooteachnodeindividuallyusingthe
request cluster reboot-local-nodecommandfromthenodeslocalCLI.

WF5003868 InaWildFireapplianceclusterwithtwocontrollernodesinanHAconfiguration,under
certaincircumstances,synchronizingthecontrollernoderunningconfigurationscan
causeavalidationerrorthatpreventstheconfigurationfromcommittingonthepeer
controller.
Whenyouruntherequest high-availability sync-to-remote
running-configurationcommandononecontrollernode,itoverwritesthecandidate
configurationonthepeercontrollerandcommitsthenew(synchronized)configuration.
However,ifyouthenchangetheconfigurationonthepeercontrollerandcommitthe
change,thecommitfailsandreturnsavalidationerror:
Validation Error:
template unexpected here
Workaround:Toavoidthevalidationerror,onthecontrollernodeonwhichthecommit
failed,savetheconfigurationtoafileusingthesave config to <filename>operational
commandandthenloadthesavedconfigurationusingtheload config from
<filename>command.

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 47
KnownIssues PANOS8.0ReleaseInformation

IssueID Description

WF5001584 WhenusingawebbrowsertoviewaWildFireAnalysisReportfromafirewallthatis
usingaWF500applianceforfilesampleanalysis,thereportmaynotappearuntilthe
browserdownloadstheWF500certificate.Thisissueoccursafterupgradingafirewall
andtheWF500appliancetoaPANOS6.1orlaterrelease.
Workaround:BrowsetotheIPaddressorhostnameoftheWF500appliance,whichwill
temporarilydownloadthecertificateintothebrowser.Forexample,iftheIPaddressof
theWF500is10.3.4.99,openabrowserandenterhttps://10.3.4.99.Youcan
thenaccessthereportfromthefirewallbyselectingMonitor > WildFire Submissions,
clickinglog details,andthenclickingtheWildFire Analysis Reporttab.

48 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
 PANOS8.0.1AddressedIssues
ThefollowingtablesliststheissuesthatareaddressedinthePANOS8.0.1release.Fornewfeatures,
associatedsoftwareversions,knownissues,andchangesindefaultbehaviorinPANOS8.0releases,see
PANOS8.0ReleaseInformation.

IssueID Description

PAN-74932 Fixedanissuewherethedirection(dir)parameterusedintype=logXMLAPIrequestswas
incorrectlymadearequiredparameter,whichcausedapplicationsthatusethetype=log
requesttofailwhenthedirargumentwasnotincludedintherequest.Withthisfix,the
directionparameterisagainoptional.

PAN-74829 FixedanissuewhereAuthenticationpolicyincorrectlymatchedtrafficcomingfrom
knownusersthoseincludedintheTerminalServices(TS)agentusermappingand
displayedthecaptiveportalpage.Withthisfix,onlyunknownusersaredirectedtothe
captiveportalpage.

PAN-74367 FixedanissuewheresomeplatformsdidnotconnecttoBrightCloudafteryouupgraded
toPANOS8.0.

PAN-74264 FixedanissuewherenewfieldsinThreatandHIPMatchlogswereinsertedbetween
existingfields,whichdisruptedsomethirdpartyintegrations.Withthisfix,thenewfields
areappendedattheendofallpreexistingfields.

PAN-73977 FixedanissuewherefirewallsandPanoramadidnotforwardlogsasexpectedwhenthe
localmachinetimewasnotsettocurrentlocaltimeandwassettoatimebetweencurrent
UTCtimeandcurrentUTCtimeplus<n>,where<n>istheUTC+<n>valueforthecurrent
timezone.

PAN-73964 FixedanissuewhereyoucouldnotupgradeVMSeriesfirewallsonAWSinanHA
configurationtoPANOS8.0.Withthisfix,youcanupgradeVMSeriesfirewallsonAWS
inanHAconfigurationtoPANOS8.0.1.

PAN-73877 FixedanissuewhereyouwereunabletogenerateaSAMLmetadatafileforCaptivePortal
orGlobalProtectwhenthefirewallhadmultiplevirtualsystemsbecausetherewereno
virtualsystemsavailableforyoutoselectwhenyouclickedtheMetadatalinkassociated
withanauthenticationprofile.

PAN-73579 Fixedanissuewhere,afteryouupgradedafirewalltoPANOS8.0,thefirewalldidn'tapply
updatestothepredefinedPaloAltoNetworksmaliciousIPaddressfeeds(delivered
throughthedailyantiviruscontentupdates)untilafteryouperformedacommitonthe
firewall.Withthisfix,changestothepredefinedmaliciousIPaddressfeedsare
automaticallyappliedwhendeliveredtothefirewall.

PAN-73545 FixedanissueonVM300,VM500,andVM700firewallswhereyouwererequiredto
commitchangesasecondtimeafteraddinganinterfacebeforetrafficwouldpass
normally.

PAN-73363 FixedanissuewherePanoramadidnotdisplayanyresultswhenyoufilteredlogsor
generatedreportsbasedonusergroupsevenafteryouenabledreportingandfilteringon
groups.

PAN-73360 FixedanissuewherethepassivePanoramapeerinanHAconfigurationshowedshared
policytobeoutofsyncevenwhenthedevicegroupcommitfromtheactivepeerwas
successful.

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 49
 PANOS8.0.1AddressedIssues

IssueID Description

PAN-73291 FixedanissuewhereauthenticationfailedforclientcertificatessignedbyaCAcertificate
thatwasnotlistedfirstintheCertificateProfileconfiguredwithclientcertificate
authenticationforGlobalProtectportalsandgateways.

PAN-73207 Fixedanissuewhereyoucouldnotpushnotificationsasanauthenticationfactorifthe
firewallwasintegratedwithOktaAdaptiveasthemultifactorauthentication(MFA)
vendor.

PAN-73006 FixedanissuewheretheAppScopeChangeMonitorandNetworkMonitorreportsfailed
todisplaydataifyoufilteredbySourceorDestinationIPaddresseswhenloggingrates
werehigh.ThisfixalsoaddressesanissuewheretheAppScopeSummaryreportfailedto
displaydatafortheTop5BandwidthConsumingSourcesandTop5Threatswhenlogging
rateswerehigh.

PAN-72952 ImprovedfiletypeidentificationforOfficeOpenXML(OOXML)files,whichimprovesthe
abilityforWildFiretoaccuratelyclassifyOOXMLfilesasbenignormalicious.

PAN-72849 FixedanissueinPanoramaHAactive/passiveconfigurationswhereElasticsearch
parameterswerenotpushedtothepassivepeer.

PAN-72726 FixedanissuewherethefirewallwasunabletomarkBFDpacketswithappropriateDSCP
values.

PAN-72667 Fixedanissuewherethefirewallwebinterfacedisplayedincorrectvaluesforthelog
storagequotasettings.

PAN-72547 Fixedanissuewhererunningtheclear session allCLIcommandonaPA5200Series

firewallinahighavailability(HA)configurationcausedthefirewalltofailoverduetoan
issuewithpathmonitoring.

PAN-72402 Fixedanissuewherethefirewalladvertisedonlytheaggregateaddressanddidnot
advertisethespecificroutescoveredbytheAdvertiseFilterwhenyouconfiguredaBGP
IPv6aggregateaddresswithanAdvertiseFilterthatconsistedofbothaprefixfilteranda
nexthopfilter.

PAN-72246 FixedanissuewherethefirewallgeneratedanECDSAcertificatesigningrequest(CSR)
usingtheSHA1algorithminsteadoftheselectedalgorithm.

PAN-71829 FixedanissueonPA5000Seriesfirewallswherethedataplanerestartedduetospecific
changesrelatedtocertificatesorSSLprofilesinaGlobalProtectconfiguration;specifically,
configuringanewgateway,changingacertificatelinkedtoGlobalProtect,orchangingthe
minimumormaximumversionoftheTLSprofilelinkedtoGlobalProtect.

PAN-71556 FixedanissuewhereMACaddresstableentrieswithatimetolive(TTL)valueof0were
notremovedasexpected,whichcausedthetabletocontinuallyincreaseinsize.

PAN-71530 *Fixedin7.1.9and8.0.1*FixedanissuewhereLDAPauthenticationfailed
intermittentlyduetoaracecondition.

PAN-71334 Fixedanissuewithdelaysofupto10secondsbeforethefirewalltransmittedthe
audio/videostreamwhenyousetupaVoIPcallonaPA5200Seriesfirewallusingthe
SessionInitiationProtocol(SIP).

PAN-71271 Fixedanissuewherenewlogswerelostifthelogpurgingprocessstartedrunningbefore
youstartedlogmigrationafteranupgradetoPANOS8.0.

50 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS8.0.1AddressedIssues

IssueID Description

PAN-70323 FixedanissuewherefirewallsrunninginFIPSCCmodedidnotallowimportofSHA1CA
certificatesevenwhentheprivatekeywasnotincluded;instead,firewallsdisplayedthe
followingerror:Import of <cert name> failed. Unsupported digest or keys used
in FIPS-CC mode.

PAN-69932 FixedanissuewherethePanoramawebinterfaceandCLIrespondslowlywhennumerous
NSXpluginsareinprogress.

PAN-69622 Fixedanissuewherethefirewalldidnotproperlycloseasessionafterreceivingareset
(RST)messagefromtheserveriftheSYNCookiesactionwastriggered.

PAN-68185 Fixedanissuewherethe7.1SNMPtrapsMIB(PANTRAPS.my)hadanincorrect
descriptionforthepanHostnameattribute.

PAN-67629 Fixedanissuewhereexistinguserswereremovedfromusergroupmappingwhenthe
ActiveDirectory(AD)didnotreturnanLDAPPageControlinresponsetoanLDAP
refresh,whichresultedinthefollowingUserID(useridd)logs:
debug: pan_ldap_search(pan_ldap.c:602): ldap_parse_result error code: 4
Error: pan_ldap_search(pan_ldap.c:637): Page Control NOT found

PAN-66122 Fixedanissuewheretunnelcontentinspectionwasnotsupportedinavirtual
systemtovirtualsystemtopology.

PAN-64164 FixedanissueonPanoramavirtualappliancesinanHAconfigurationwhere,ifyou
enabledlogforwardingtosyslog,boththeactiveandpassivepeerssentlogs.Withthisfix,
onlytheactivepeersendslogswhenyouenablelogforwardingtosyslog.

PAN-63274 Fixedanissueonfirewallswithmultiplevirtualsystemswhereinnerflowsessionsinstalled
ondataplane1(DP1)failedifyouconfiguredtunnelcontentinspectionfortrafficina
sharedgatewaytopology.Additionallywiththisfix,whennetworkingdevicesbehindthe
sharedgatewayinitiatetraffic,thattrafficcannowreachthenetworkingdevicesbehind
thevirtualsystems.

PAN-61840 Fixedanissuewheretheshow global-protect-portal statisticsCLIcommandwas

notsupported.

PAN-58979 Fixedanissuewherethedataplanerestartedduetoamemoryleak(mprelay)thatoccurred
ifyoudidnotdisableLLDPUforadisabledinterface.

PAN-57553 FixedanissuewhereaQoSprofilefailedtoworkasexpectedwhenappliedtoacleartext
nodeconfiguredwithanAggregateEthernet(AE)sourceinterfacethatincludedAE
subinterfaces.

PAN-57142 FixedanissueonPA7000SeriesfirewallsinanHAactive/passiveconfigurationwhere
QoSlimitswerenotcorrectlyenforcedonAggregateEthernet(AE)subinterfaces.

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 51
 PANOS8.0.1AddressedIssues

52 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
 PANOS8.0.0AddressedIssues
ThefollowingtablesliststheissuesthatareaddressedinthePANOS8.0.0release.Fornewfeatures,
associatedsoftwareversions,knownissues,andchangesindefaultbehaviorinPANOS8.0releases,see
PANOS8.0ReleaseInformation.

IssueID Description

PAN-72346 Fixedanissuewhereexportingbotnetreportsfailedwiththefollowingerror:Missing
reportjobid.

PAN-72242 FixedanissuewhereconfiguringasourceaddressexclusioninReconnaissanceProtection
tabunderzoneprotectionprofilewasnotallowed.

PAN-71892 FixedanissuewhereanLDAPprofiledidnotusetheconfiguredport;theprofileusedthe
defaultport,instead.

PAN-71615 Fixedanissuewheretheintrazoneblockruleshadowedtheuniversalrulethathas
differentsourceanddestinationzones.

PAN-71384 Fixedanissuewiththepassivefirewallinahighavailability(HA)configurationthathad
LACPprenegotiationenabledwherethefirewallstoppedcorrectlyprocessingLACP
BPDUpacketsthroughaninterfacethathadpreviouslyphysicallyflapped.

PAN-71307 Fixedanissuewherethescp stats-dumpreportdidnotruncorrectlybecausesource(src)

anddestination(dst)optionsweredeterminedtobeinvalidarguments.

PAN-71192 Fixedanissuewhereperformingalogqueryorlogexportwithaspecificnumberoflogs
causedthemanagementservertostopresponding.Thisoccurredonlywhenthenumber
oflogswasamultipleof64plus63.Forexample,128isamultipleof64andifyouadd63
to128thatequals191logs.Inthiscase,ifyouperformedalogqueryorexportandthere
were191logs,themanagementserverwouldstopresponding.

PAN-70969 Fixedanissueonavirtualwirewhere,ifyouenabledLinkStatePassThrough(Network >

Virtual Wires),thereweresignificantdelaysinlinkstatepropagationoreveninstances
whereaninterfacestayeddownpermanentlyevenwhenportswerereenabledonthe
neighbordevice.

PAN-70483 FixedanissueonanMSeriesapplianceinPanoramamodewheresharedservicegroups
didnotpopulateintheservicepulldownwhenattemptingtoaddanewitemtoasecurity
policy.Theissueoccurredwhenthedropdowncontained5,000ormoreentries.

PAN-70428 Asecurityrelatedfixwasmadetopreventinappropriateinformationdisclosureto
authenticatedusers(CVE20175583/PANSA20170005).

PAN-70323 FixedanissuewherefirewallsrunninginFIPSCCmodedidnotallowimportofSHA1CA
certificatesevenwhentheprivatekeywasnotincluded;instead,firewallsdisplayedthe
followingerror:Import of <cert name> failed. Unsupported digest or keys used
in FIPS-CC mode.

PAN-70057 FixedanissuewhererunningthevalidateoptiononacandidateconfigurationinPanorama
causedchangestotherunningconfigurationonthemanageddevice.Theconfiguration
changeoccurredafterasubsequentFQDNrefreshoccurred.

PAN-69951 FixedanissuewherethefirewallfailedtoforwardsystemlogstoPanoramawhenthe
dataplanewasundersevereload.

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 53
 PANOS8.0.0AddressedIssues

IssueID Description

PAN-69235 Fixedanissuewherecommittingaconfigurationwithalargenumberoflayer3
subinterfaces(4,000inthiscase)causedthedataplanetostopresponding.

PAN-69194 FixedanissuewhereperformingadevicegroupcommitfromaPanoramaserverrunning
version7.1toamanagedfirewallsrunningPANOS6.1failedtocommitwhenthecustom
spywareprofileactionwassettoDrop.Withthisfix,Panoramatranslatestheactionfrom
DroptoDrop packetsforfirewallsrunningPANOS6.1,whichallowsthedevicegroup
committosucceed.

PAN-69146 FixedanissuewheretheRemoteUserslinkforagateway(Network > GlobalProtect >

Gateways)becameinactiveandpreventedyoufromreopeningtheUserInformation
dialogifyouclosedthedialogusingtheEsckeyinsteadofclickingClose.

PAN-68873 FixedanissuewherecustomizingtheblockdurationforthreatID40015inaVulnerability
Protectionprofiledidnotadheretothedefinedblockinterval.Forexample,ifyouset
Number of Hits(SSHhellomessages)to3andpersecondsto60,afterthreeconsecutive
SSHhellomessagesfromtheclient,thefirewallfailedtoblocktheclientforthefull60
seconds.

PAN-68823 Fixedanissuewherecustomthreatreportsfailedtogeneratedatawhenyouspecified
ThreatCategoryforeithertheGroupByorSelectedColumnsetting.

PAN-68766 FixedanissuewherenavigatingtotheIPSectunnelconfigurationinaPanoramatemplate
causedthePanoramamanagementwebinterfacetostoprespondinganddisplayeda"502
BadGateway"error.

PAN-68658 FixedanissuewherehandlingoutoforderTCPFINpacketsresultedindroppedpackets
duetoTCPreassemblythatwasoutofsync.

PAN-68654 FixedanissuewherethefirewallwasnotpopulatingUserIDmappingsbasedonthe
definedsyslogfilters.

PAN-68074 AsecurityrelatedfixwasmadetoaddressCVE20165195(PANSA20170003).

PAN-68034 Theshow netstatCLIcommandwasremovedinthe7.1releaseforPanorama,Panorama

logcollector,andWildFire.Withthisfix,theshow netstatcommandisreintroduced.

PAN-67987 FixedanissuewheretheGlobalProtectagentfailedtoconnectusingaclientcertificateif
theintermediateCAissignedusingtheECDSAhashalgorithm.

PAN-67944 Fixedanissuewhereaprocess(all_pktproc)stoppedrespondingbecausearacecondition
occurredwhenclosingsessions.

PAN-67639 FixedanissuewhereAuth PasswordandPriv PasswordfortheSNMPv3serverprofile

werenotproperlymaskedwhenviewingtheconfigurationchangeintheconfigurationlog.

PAN-67599 InPANOS7.0and7.1releases,arestrictionwasaddedtopreventanadministratorfrom
configuringOSPFrouterID0.0.0.0.ThisrestrictionisremovedinPANOS8.0.

PAN-67224 FixedanissuewherethefirewalldisplayedavalidationerrorafterPanoramaimportedthe
firewallconfigurationandthenpushedtheconfigurationbacktothefirewallsoitcouldbe
managedbyPanorama.Thisissueoccurredbecauselogforwardingprofileswerenot
replacedwiththeprofilesconfiguredinPanorama.Withthisfix,Panoramawillproperly
removetheexistingconfigurationonthemanagedfirewallbeforeapplyingthepushed
configuration.

PAN-67090 Fixedanissuewherethewebinterfacedisplayedanobsoleteflagforthenationof
Myanmar.

54 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS8.0.0AddressedIssues

IssueID Description

PAN-67079 FixedanissueinPANOS7.1.6whereSSLsessionswerediscardediftheservercertificate
chainsizeexceeded23KB.

PAN-66838 AsecurityrelatedfixwasmadetoaddressaCrossSiteScripting(XSS)vulnerabilityonthe
managementwebinterface(CVE20175584/PANSA20170004).

PAN-66675 Fixedanissuewhereextendedpacketcaptureswereconsuminganexcessiveamountof
storagespacein/opt/panlogs.

PAN-66654 Fixedanissuewherethestatusofatunnelinterfaceremaineddownevenafterdisabling
thetunnelmonitoringoptionforIPSectunnels.

PAN-66531 FixedanissuewheretheCommitScopecolumnintheCommitwindowwasemptyafter
manuallyuploadingandinstallingacontentupdateandthencommitting.Althoughthe
contentupdatewasnotlistedunderCommitScope,thecommitcontinuedandshowed
100%complete.

PAN-66104 Fixedanissuewherevsysspecificcustomresponsepages(Captiveportal,URLcontinue,
andURLoverride)didnotdisplay;theywerereplacedbysharedresponsepages,instead.

PAN-64981 Fixedanissuewhereaninternalbuffercouldbeoverwritten,causingthemanagement
planetostopresponding.

PAN-64723 Fixedanissuewherethetest authenticationCLIcommandwasincorrectlysending

vsysspecificinformationtotheUserIDprocessforgroupmappingquerythatallowed
theauthenticationtesttosucceedwhenitshouldhavefailed.

PAN-64638 FixedanissuewherethefirewallfailedtosendaRADIUSaccessrequestafterchanging
theIPaddressofthemanagementinterface.

PAN-64579 Errormessageisnowdisplayedwheninstallingappspackagemanuallyfromfileonpassive
Panorama.

PAN-64525 FixedanissuewhereUserIDfailedtoupdatetheallowlistforagroupnamethatwas
largerthan128bytes.

PAN-64520 FixedanissuewhereH.323basedvideocallsfailedwhenusingsourceNAT(dynamicor
static)duetoincorrecttranslationofthedestCallSignalAddresspayloadinthe
H.225callsetup.

PAN-64436 FixedanissuewherecreationofIGMPsessionsfailedduetoatimeoutissue.

PAN-64419 Fixedanissuewherefirewalldisplaysinconsistentshadowrulewarningsduringacommit
forQOSpolicies.

PAN-64081 FixedanissueonPA5000Seriesfirewallswherethedataplanestoppedrespondingdue
toaraceconditionduringhardwareoffload.

PAN-63969 FixedanissuewhereanSSHsessionsrunningonanonstandardportwascategorizedby
URLfilteringasunknown,causingthefirewalltoblockthetraffic.Withthisfix,thefirewall
willnolongerperformaURLlookuponSSHtrafficthatisnotdecrypted.

PAN-63925 Fixedanissuewherethefirewalldidnotgeneratealogwhenacontentupdatefailedor
wasinterrupted.

PAN-63908 FixedanissuewhereSSHsessionswereincorrectlysubjectedtoaURLcategorylookup
evenwhenSSHdecryptionwasdisabled.Withthisfix,SSHtrafficisnotsubjecttoaURL
categorylookupwhenSSHdecryptionisdisabled.

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 55
 PANOS8.0.0AddressedIssues

IssueID Description

PAN-63612 FixedanissuewhereUseractivityreportsonPanoramadidnotincludeanyentrieswhen
therewasaspaceintheDeviceGroupname.

PAN-63520 Fixedanissuewherethewrongsourcezonewasusedwhenloggingvsystovsyssessions.

PAN-63207 FixedanissueonPA7000Seriesfirewallswheregroupmappingsdidnotpopulatewhen
thegroupincludelistwaspushedfromPanorama.

PAN-63054 FixedanissueonVMSeriesfirewallswhereenablingsoftwareQoSresultedindropped
packetsunderheavytrafficconditions.Withthisfix,VMSeriesfirewallsnolongerdrop
packetsduetoheavyloadswithsoftwareQoSenabledandsoftwareQoSperformancein
generalisimprovedforallPaloAltoNetworksfirewalls.

PAN-63013 Fixedanissuewhereacommitvalidationerrordisplayedwhenpushingatemplate
configurationwithamodifiedWildFirefilesizesetting.Withthisfix,commitvalidation
takesplaceonthemanagedfirewallthattriestocommitnewtemplatevalues.

PAN-62937 Fixedanissuewhere,whenTLSwasenabled,establishinganLDAPconnectionoveraslow
orunstableconnectioncausedcommitstofail.Withthisfix,ifTLSisenabled,thefirewall
doesnotattempttoestablishLDAPconnectionswhenyouperformacommit;itwaitsuntil
afterthecommitiscomplete.

PAN-62797 Fixedanissuewhereaprocess(cdb)intermittentlyrestarted,whichpreventedjobsfrom
completingsuccessfully.

PAN-62513 FixedanissueonPA7000SeriesfirewallsinanHAactive/passiveconfigurationwhere
theshow high-availability path-monitoringcommandalwaysshowedtheNPCas
slot 1eventhoughthepathmonitoringIPaddresswasassignedtoaninterfaceina
differentNPCslot.ThisoccurredonlywhenthepathmonitoringIPaddresswasassigned
toaninterfaceinanAggregateEthernet(AE)interfacegroupandtheinterfacegroupwas
inaslototherthanslot1.

PAN-62057 FixedanissuewheretheGlobalProtectagentfailedtoauthenticateusingaclient
certificatethathadasignaturealgorithmthatwasnotSHA1/SHA256.Withthisfix,the
firewallprovidessupportfortheSHA384signaturealgorithmforclientbased
authentication.

PAN-61877 FixedanissuewhereAuthentication OverrideintheGlobalProtectportalconfiguration

didn'tworkwhenthecertificateusedforencryptinganddecryptingcookieswas
generatedusingRSA4,096bitkeys.

PAN-61871 FixedanissuewherethefirewallmatchedtraffictoaURLcategoryandonfirstlookup,
whichcausedsometraffictobematchedtothewrongsecurityprofile.Withthisfix,the
firewallmatchestraffictoURLcategoriesasecondtimetoensurethattrafficismatched
tothecorrectsecurityprofile.

PAN-61837 FixedanissueonPA3000SeriesandPA5000Seriesfirewallswherethedataplane
stoppedrespondingwhenasessioncrossedvsysboundariesandcouldnotfindthecorrect
egressport.ThisissueoccurredwhenzoneprotectionwasenabledwithaSYN Cookies
action(Network > Zone Protection > Flood Protection).

PAN-61813 Fixedanissuewhereacustomscheduledreportconfiguredperdevicewasemptywhen
exported.

PAN-61797 FixedanissueonthepassivepeerinanHAconfigurationwhereLACPflappedwhenthe
linkstatewassettoshutdown/autoandprenegotiationwasdisabled.

56 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
PANOS8.0.0AddressedIssues

IssueID Description

PAN-61465 Fixedanissuewherethewebinterface(Objects > Decryption Profile > SSL Decryption >

SSL Protocol Settings > Encryption Algorithms)stilldisplayedthe3DESencryption
algorithmasenabledevenafteryoudisabledit.

PAN-61365 Fixedanissuewheredatafilteringlogs(Monitor > Logs > Data Filtering)donottakeinto

accountthefiledirection(uploadordownload)soitwasnotpossibletodifferentiate
uploadedfilesfromdownloadedfilesinthelogs.Withthisfix,youconfigurethefile
direction(upload,download,orboth)inObjects > Security Profiles > Data Filteringand
selecttheDirectioncolumninMonitor > Logs > Data Filteringtoviewthefiledirectionin
thelogs.

PAN-61284 FixedanissuewhereUserIDconsumedalargeamountofmemorywhenthefirewall
experiencedahighrateofincomingIPaddresstousernamemappingdataandtherewere
morethantenredistributionclientfirewallsatthesametime.

PAN-61252 FixedanissueonfirewallsinanHAactive/activeconfigurationwherethefloatingIP
addresswasnotactiveonthesecondaryfirewallafterthelinkwentdownontheprimary
firewall.

PAN-60797 Fixedanissuewherereadonlysuperuserswereabletoviewthreatpacketcaptures
(pcaps)onthefirewallbutreceivedanerror(File not found)whentheyattemptedto
exportcertaintypesofpcapfiles(threat,threatextpcap,app,andfiltering).

PAN-60753 FixedanissuewherechangingtheRSAkeyfroma2,048bitkeytoa1,024bitkeyforced
theencryptionalgorithmtochangefromSHA256toSHA1forSSLforwardproxy
decryption.

PAN-60581 AddedchecktonotincludealltheapplicationsintheApplicationfilterifnoapplication
categoryisselectedbytheuser.Userhavetoexplicitlyaddallthecategoriestocreatean
applicationfilterwithalltheapplications.

PAN-60577 AddedcheckintheApplicationFilterUItonotallowusertocreateorsaveanapplication
filterwithoutanyapplicationcategoryselectedbytheuser.

PAN-60556 AddedsupportinthecertificateprofiletoalsoconfigureanonCAcertificateasan
additionalcertificatetoverifytheOCSPresponsereceivedforcertificatestatusvalidation.
TheOCSPVerifyCAfieldinthecertificateprofilehasbeenchangedtoOCSPVerify
Certificate.

PAN-60402 FixedanissuewhererenaminganaddressobjectcausedthecommittoaDeviceGroupto
fail.

PAN-60340 FixedanissuewherethePanoramaapplicationdatabasedidnotdisplayallapplicationsin
thebrowser.

PAN-60035 EnhanceddynamicIPNATtranslationtopreventconflictsbetweendifferentpacket
processorsandimprovedynamicIPNATpoolutilization.

PAN-59676 Fixedanissuewherecustomadminroleuserisunabletodownloaddynamicupdates/
softwarereleases

PAN-59654 FixedanissuewherecommitsfailedonthefirewallafterupgradingfromaPANOS6.1
releaseduetoincorrectsettingsfortheHexaTechVPNapplicationonthefirewall.With
thisfix,upgradingfromaPANOS6.1releasetoaPANOS8.0.0orlaterreleasedoesnot
causecommitfailuresrelatedtothesesettings.

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 57
 PANOS8.0.0AddressedIssues

IssueID Description

PAN-59614 Fixedanissuewhereadministratorswereunabletofullyutilizethemaximumof64
addressobjectsperFQDNduetothe512BDNSserverresponsepacketsize;specified
addressesthatwerenotincludedinthefirst512Bweredroppedandnotresolved.With
thisfix,thesizeoftheDNSserverresponsepacketisincreasedto4,096B,whichfully
supportsthemaximum64combinedaddressobjectsperFQDN(upto32eachIPv4and
IPv6addresses).

PAN-58636 Fixedanissuewhereconfiguringtoomanyapplicationsandindividualportsinasecurity
rulecausedthefirewalltostopresponding.Withthisfix,thefirewallcontinuesresponding
andsendsthefollowingerrormessage:
Error: Security Policy '58636_rule' is exceeding maximum number of
combinations supported for service ports(51) and applications(2291). To fix
this, please convert this Security Policy into multiple policies by either
splitting applications or service ports.
Error: Failed to parse security policy
(Module: device)
Commit failed

PAN-58496 Fixedanissuewherecustomreportsusingthreatsummarywerenotpopulated.

PAN-58382 Fixedanissuewhereuserswerematchedtotheincorrectsecuritypolicies.

PAN-57529 FixedanissuewherethefirewallactedasaDHCPrelayandwirelessdevicesonaVLAN
didnotreceiveaDHCPaddress(allotherdevicesontheVLANdidreceiveaDHCP
address).Withthisfix,alldevicesonaVLANreceiveaDHCPaddresswhenthefirewall
actsasaDHCPrelay.

PAN-57440 FixedanissuewhereOSPFv3linkstateupdatesweresentwiththeincorrectOSPF
checksumwhentheOSPFpacketneededtoadvertisemorelinkstateadvertisements
(LSAs)thanfitintoa1,500bytepacket.Withthisfix,thefirewallsendsthecorrectOSPF
checksumtoneighboringswitchesandroutersevenwhenthenumberofLSAsdoesntfit
intoa1,500bytepacket.

PAN-57215 FixedanissuewhereanHTTP416errorappearedwhentryingtodownloadupdatestoa
clientfromanIBMBigFixupdateserver.

PAN-56700 FixedanissuewheretheSNMPOID"ifHCOutOctets"didnotcontaintheexpecteddata.

PAN-56684 FixedanissuewhereDNSproxystaticentriesstoppedworkingwhentherewereduplicate
entriesintheconfiguration.

PAN-53659 Fixedanissuewherethesumofalllinkaggregationgroup(LAG)interfaceswasgreater
thanthevalueoftheAggregateEthernet(AE)interface.

PAN-50973 FixedanissueforVMSeriesfirewallsonMicrosoftHyperVwhere,althoughtheFIPSCC
modeoptionwasvisibleinthemaintenancemodemenu,youcouldnotenableit.Withthis
fix,FIPSCCmodeissupportedforandcanbeenabledfromthemaintenancemodemenu
inVMSeriesfirewallsonMicrosoftHyperV.

PAN-48095 FixedanissueonPA200firewallswherethePanoramadynamicupdatescheduleignored
thecurrentlyinstalleddynamicupdateversionandinstalledunnecessarydynamic
updates.

58 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.
 GettingHelp
Thefollowingtopicsprovideinformationonwheretofindmoreaboutthisreleaseandhowtorequest
support:
RelatedDocumentation
RequestingSupport

RelatedDocumentation
RefertothefollowingPANOS8.0documentationontheTechnicalDocumentationportalorsearchthe
documentationformoreinformationonourproducts:
NewFeaturesGuideDetailedinformationonconfiguringthefeaturesintroducedinthisrelease.
PANOSAdministrator'sGuideProvidestheconceptsandsolutionstogetthemostoutofyourPalo
AltoNetworksnextgenerationfirewalls.Thisincludestakingyouthroughtheinitialconfigurationand
basicsetuponyourPaloAltoNetworksfirewalls.
PanoramaAdministrator'sGuideProvidesthebasicframeworktoquicklysetupthePanoramavirtual
applianceoranMSeriesapplianceforcentralizedadministrationofthePaloAltoNetworksfirewalls.
WildFireAdministrator'sGuideProvidesstepstosetupaPaloAltoNetworksfirewalltoforward
samplesforWildFireAnalysis,todeploytheWF500appliancetohostaWildFireprivateorhybrid
cloud,andtomonitorWildFireactivity.
VMSeriesDeploymentGuideProvidesdetailsondeployingandlicensingtheVMSeriesfirewallonall
supportedhypervisors.Itincludesexampleofsupportedtopologiesoneachhypervisor.
GlobalProtectAdministrator'sGuideDescribeshowtosetupandmanageGlobalProtect.
OnlineHelpSystemDetailed,contextsensitivehelpsystemintegratedwiththefirewallwebinterface.
PaloAltoNetworksCompatibilityMatrixProvidesoperatingsystemandothercompatibility
informationforPaloAltoNetworksnextgenerationfirewalls,appliances,andagents.
OpenSourceSoftware(OSS)ListingsOSSlicensesusedwithPaloAltoNetworksproductsand
software:
PANOS8.0
Panorama8.0
WildFire8.0

PaloAltoNetworks,Inc. PANOS8.0ReleaseNotes 59
 GettingHelp

RequestingSupport

Forcontactingsupport,forinformationonsupportprograms,tomanageyouraccountordevices,ortoopen
asupportcase,refertohttps://www.paloaltonetworks.com/support/tabs/overview.html.
Toprovidefeedbackonthedocumentation,pleasewritetousat:documentation@paloaltonetworks.com.

ContactInformation

CorporateHeadquarters:
PaloAltoNetworks
4401GreatAmericaParkway
SantaClara,CA95054
https://www.paloaltonetworks.com/company/contactsupport

PaloAltoNetworks,Inc.
www.paloaltonetworks.com
2017PaloAltoNetworks,Inc.PaloAltoNetworksisaregisteredtrademarkofPaloAltoNetworks.Alistofour
trademarkscanbefoundathttps://www.paloaltonetworks.com/company/trademarks.html.Allothermarks
mentionedhereinmaybetrademarksoftheirrespectivecompanies.

RevisionDate:April5,2017

60 PANOS8.0ReleaseNotes PaloAltoNetworks,Inc.