PAN-OS 7.0.8 Release Notes

Revision Date: July 1, 2016

Review important information about Palo Alto Networks PAN-OS 7.0 software, including new features introduced in this release, workarounds for open issues, and resolved issues. For the latest version of these release notes, refer to the Palo Alto Networks technical documentation portal.

Table of Contents

PAN-OS 7.0 Release Information
  Features Introduced in PAN-OS 7.0
    Management Features
    Panorama Features
    WildFire Features
    Content Inspection Features
    Authentication Features
    Decryption Features
    User-ID Features
    Virtualization Features
    Networking Features
    Policy Features
    VPN Features
    GlobalProtect Features
    Licensing Features
  Changes to Default Behavior
  CLI Changes in PAN-OS 7.0
  Associated Software Versions
  Known Issues
PAN-OS 7.0.8 Addressed Issues
PAN-OS 7.0.7 Addressed Issues
PAN-OS 7.0.6 Addressed Issues
PAN-OS 7.0.5-h2 Addressed Issues
PAN-OS 7.0.5 Addressed Issues
PAN-OS 7.0.4 Addressed Issues
PAN-OS 7.0.3 Addressed Issues
PAN-OS 7.0.2 Addressed Issues
PAN-OS 7.0.1 Addressed Issues
Getting Help
  Related Documentation
  Requesting Support

Palo Alto Networks, Inc. PAN-OS 7.0 Release Notes

PAN-OS 7.0 Release Information

Features Introduced in PAN-OS 7.0
Changes to Default Behavior
CLI Changes in PAN-OS 7.0
Associated Software Versions
Known Issues
PAN-OS 7.0.8 Addressed Issues
PAN-OS 7.0.7 Addressed Issues

For WF-500 appliances, the PAN-OS 7.0.7 maintenance release addresses an issue that was introduced in PAN-OS 7.0.6 that causes frequent false positive verdicts for Microsoft Office documents. You are advised to upgrade WF-500 appliances to 7.0.7 or later releases and are advised not to install the 7.0.6 image.

PAN-OS 7.0.6 Addressed Issues
PAN-OS 7.0.5-h2 Addressed Issues
PAN-OS 7.0.5 Addressed Issues
PAN-OS 7.0.4 Addressed Issues
PAN-OS 7.0.3 Addressed Issues
PAN-OS 7.0.2 Addressed Issues
PAN-OS 7.0.1 Addressed Issues
Getting Help

Features Introduced in PAN-OS 7.0

The following topics describe the new features introduced in the PAN-OS 7.0 release. This release requires Content Release version 497 or later. For details on how to use the new features, refer to the PAN-OS 7.0 New Features Guide.

Management Features
Panorama Features
WildFire Features
Content Inspection Features
Authentication Features
Decryption Features
User-ID Features
Virtualization Features
Networking Features
Policy Features
VPN Features
GlobalProtect Features
Licensing Features

Management Features

New Management Feature | Description

All New Application Command Center (ACC)
The ACC is redesigned to provide improved visibility into network traffic and actionable information on threats. The new layout includes a tabbed view of network activity, threat activity, and blocked activity and each tab includes pertinent widgets for better visualization of traffic patterns on your network. For a personalized view of your network, you can also add a custom tab and include widgets that allow you to drill down into the information that is most important to you.

Automated Correlation Engine
The new automated correlation engine is an analytics tool that detects security events on your network. It collects isolated events across multiple log types on the firewall, queries the data for specific patterns, and correlates network events to identify actionable information such as host-based activities that indicate a compromised host.
The automated correlation engine includes correlation objects that are defined by the Palo Alto Networks Malware Research team. These objects identify suspicious traffic patterns or a sequence of events that indicate a malicious outcome; some correlation objects can identify dynamic patterns that have been observed from malware samples in WildFire. Correlation objects trigger correlation events when they match on traffic patterns and network artifacts that indicate a compromised host on your network. Thus, correlated events provide actionable intelligence that you can use to remediate incidents, mitigate risks, and secure your network. You can view the correlated event logs in the Monitor tab or see a graphical display in the Compromised Hosts widget on the Threat Activity tab of the ACC. The automated correlation engine is supported on PA-3000 Series, PA-5000 Series, PA-7000 Series platforms, and on Panorama.
New correlation objects will be delivered with the weekly content updates. To obtain new correlation objects, the firewall must have a Threat Prevention license; Panorama requires a support license for getting the correlation objects with the weekly content updates.

Global Find
To make the management of your Palo Alto Networks devices more efficient, a new global find feature is introduced to enable you to search the entire configuration of a PAN-OS or Panorama web interface for a particular string, such as an IP address, object name, policy name, threat ID, or application name. The search results are grouped by category and provide links to the configuration location in the web interface, so that you can quickly and easily find all of the places where the string is referenced. For example, if you temporarily denied an application that is defined in multiple security policy rules and you now want to allow that application, you can search on the application name and quickly locate all referenced policies to change the action back to allow.

Tag Browser
The tag browser introduces a way to view all the tags used within a rulebase. In rulebases with a large number of rules, the tag browser simplifies the display by presenting the tags, the color code, and the rule numbers in which the tags are used; it also allows you to group rules using the first tag applied to the rule. You can, for example, filter rules by the first tag applied, and view the rules grouped by a high-level function such as internet access or data center access. In this grouped rule view, if you identify gaps in coverage, the tag browser allows you to move rules or add new rules within the rulebase.

Configuration Validation Improvements
The option to validate a PAN-OS or Panorama candidate configuration before you commit (to determine whether your recent changes will commit successfully) is enhanced to do syntactic and semantic validation of the configuration. It then displays the same errors and warnings as would display for a full commit or virtual system commit, such as rule shadowing or application dependency warnings, or errors indicating an invalid route destination or a missing account/password to query a server.

Move and Clone Policies, Objects, and Templates
You can now move or clone policies and objects to a different device group or virtual system. This saves you the effort of deleting, recreating, or renaming these items when only a move or copy is needed. You can also clone templates and Template Stacks.

Extended SNMP Support
Extended SNMP support includes:
- Global counters for Denial of Service (DoS), IP fragmentation, TCP state, and dropped packets, by which to monitor the health and security of your devices and network. Previously, you had to use the CLI or XML API to monitor global counters.
- SNMP Interface MIB for Logical Interfaces: The PAN-OS implementation of the interfaces and IfMIB has been extended to support all logical interfaces on the firewall, including tunnels, aggregate groups, L2 subinterfaces, L3 subinterfaces, loopback interfaces, and VLAN interfaces. This is in addition to the SNMP Interface MIB support on physical interfaces. In addition, the VPN tunnel status can now be monitored.
- LLDP-V2-MIB: Information transmitted and received from neighbors using Link Layer Discovery Protocol (LLDP) is stored for SNMP access. All MIB objects under the standard LLDP MIB definitions are supported. Neighbor entries are aged out when their TTL value contained in the received LLDP message reaches zero.

SaaS Application Usage Report
A new predefined report is introduced to provide visibility into Software as a Service (SaaS) application usage, enabling you to assess and subsequently mitigate the risks to your enterprise's data when taking advantage of SaaS applications. The report will also help to assess risks to the security of your enterprise network, such as the delivery of malware through SaaS applications adopted by your users.

Policy Impact Review for New Content Releases
Before installing a new content release, you can now review the policy impact for new App-IDs and stage any necessary policy updates. This enables you to assess the treatment an application receives both before and after the new content is installed and then prepare policy updates to take effect at the same time that the content update is installed. This feature specifically includes the capability to modify existing security policies using the new App-IDs contained in a downloaded content release (prior to installing the new content). You can then simultaneously update your security policy rules and install new content, allowing for a seamless shift in policy enforcement. You can also choose to disable new App-IDs when installing a new content release version; this enables protection against the latest threats, while giving you the flexibility to enable the new App-IDs after you've had the chance to prepare any policy changes.

Security Profile and Address Objects Per Address Group Capacity Increase
The security profile capacities and number of address objects per address group have been increased as follows:
- Security Profile Capacity: Increased on all platforms by approximately 50% for the following security profiles: Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking, WildFire Analysis, Data Filtering, and Decryption. For example, the PA-7050 firewall supported 500 security profiles in PAN-OS 6.1, and now supports 750 profiles in PAN-OS 7.0.
- Address objects per address group: Increased from 500 to 2500 for all platforms.
For details on platform capacities, refer to
https://www.paloaltonetworks.com/products/productselection.html.

Virtual System/Device Name in Reports and Logs
You can now view or search logs or create a report based on a virtual system name or a device name, which are more user-friendly attributes to use than the virtual system ID or device serial number. Now you need not manually map a virtual system name to its ID, or map a device name to its serial number, in order to view or search logs or create reports. Virtual System Name and Device Name are added as available attributes to PAN-OS and Panorama reports and logs.

Time-Based Log and Report Deletion
You can now configure automatic deletion of logs and reports based on time instead of just on space quotas. This is useful in deployments where periodically deleting monitored data is desired or necessary. For example, deleting user data after a certain period might be mandatory in your organization for legal reasons.

Software Upload Improvements
Devices now display details about uploaded software updates that enable you to check, before installing an update, that it is the intended one. Installing uploaded software now involves fewer steps, which makes deployment easier when a device does not have external network access.

Panorama Features

New Panorama Feature | Description

Device Group Hierarchy
You can now create nested device groups in a tree hierarchy, with lower-level groups inheriting the settings of higher-level groups. This enables you to organize devices based on function and location without redundant configuration. For example, you could configure Shared settings that are global to all firewalls, configure device groups with function-specific settings at the first level, and configure device groups with location-specific settings at subsequent levels. Without a hierarchy, you would have to configure both function- and location-specific settings for every device group in a single level under Shared. Combined with the Role-Based Access Control Enhancements in this release, a hierarchy also enables you to control administrator access to data according to areas/levels of responsibility.

Template Stacks
You can now define a template stack, which is a combination of templates. By assigning firewalls to a stack, you can push all the necessary settings to them without the redundancy of adding every setting to every template. For example, you could assign the firewalls in a California data center to a stack that has one template with global settings, one template with California-specific settings, and one template with data center-specific settings. To manage firewalls in a California branch office, you could then re-use the global and California-specific templates by adding them to another stack that includes a template with branch-specific settings.

Role-Based Access Control Enhancements
You can now associate each access domain with an administrator role to enforce the separation of information among the functional or regional areas of your organization. You can assign multiple access domain/role pairs to an administrator (local or external), who can then filter the Panorama web interface to display only information that is relevant to a particular domain. For custom roles, you can also define feature-specific access to firewalls (through context switching) separately from Panorama access, and provide additional access to logs and reports, so that administrators can have a broader range of responsibilities.

Firewall Configuration Import into Panorama
You can now import firewall configurations into Panorama instead of recreating them. Panorama provides the option to import objects from Shared on the firewall into Shared in Panorama, and import other objects, policies, and settings into new device groups and templates. After the import, you can Move and Clone Policies, Objects, and Templates to different device groups.

Panorama Support for Larger Configuration Files
Panorama now supports much larger configuration files, which enable you to add more information and greater complexity to individual device groups, templates, and other configurations without affecting system performance or stability. Panorama also supports a higher number of concurrent, active administrators.

Log Redundancy Within a Collector Group
You can now enable log duplication for a Collector Group so that each log will have two copies and each copy will reside on a different Log Collector. This redundancy ensures that, if any one Log Collector becomes unavailable, no logs are lost: you can still display all the logs forwarded to the Collector Group and run reports for all the log data.

Firewall HA State in Panorama
The Panorama web interface now displays the high availability state of firewalls (for example, active or passive) in places where knowing that state is useful. For example, the Context drop-down now displays HA state so that you can switch context to the active-primary firewall when you need to change the firewall configuration.

Scheduled Updates for Antivirus, WildFire, and URL Filtering on Log Collectors
In PAN-OS 7.0.3 and later releases, you can schedule Antivirus, WildFire, and URL Filtering (BrightCloud only) updates for Log Collectors using the Panorama web interface (Panorama > Device Deployment > Dynamic Updates > Schedules) or the CLI. For reporting consistency, configure scheduled content updates for all log collectors to ensure they stay in sync.

WildFire Features

New WildFire Features | Description

Grayware Verdict
The WildFire grayware verdict is introduced to clearly identify executables that behave similarly to malware, but are not malicious in nature or intent. A grayware verdict might be assigned to executables that do not pose a direct security threat, but display otherwise obtrusive behavior (for example, installing unwanted software, changing various system settings, or reducing system performance). Examples of grayware software can typically include adware, spyware, and Browser Helper Objects (BHOs). The grayware verdict allows the security responder to quickly distinguish malicious files on the network from grayware, and to prioritize accordingly. While antivirus signatures are not generated for grayware, WildFire logs can continue to alert the security responder to endpoints downloading grayware, in order to assess if such events are concerning.

WildFire Hybrid Cloud
Enable a WildFire hybrid cloud deployment so that a single firewall can forward unknown samples (files or email links) to either a WF-500 appliance or the WildFire public cloud, depending on the sample. This feature allows the flexibility to analyze private documents inside the network, while files sourced from the internet can be analyzed by the WildFire public cloud. For example, Payment Card Industry (PCI) and Protected Health Information (PHI) data can be exclusively forwarded to the WF-500 appliance for private cloud analysis and less sensitive files, such as Portable Executables (PEs), can be forwarded to the WildFire public cloud. When possible, offloading files to the WildFire public cloud allows you to benefit from a prompt verdict for files that have been previously processed by the public cloud, and also frees up WF-500 appliance capacity to process sensitive content. Additionally, in a WildFire hybrid cloud deployment, you can use the WildFire public cloud to analyze file types that are not currently supported for WF-500 appliance analysis, such as Android Application Package (APK) files.
This feature also introduces the WildFire Analysis profile, to be used in place of the file blocking profile to forward samples for WildFire analysis. Existing File Blocking profile rules with the action set to forward or continue and forward are migrated to the new WildFire Analysis profile. For each WildFire analysis profile rule, define traffic to forward to either the WildFire private cloud or the WildFire public cloud based on file type, application, or file transfer direction (upload or download).

WildFire Appliance Support for Java Antivirus Signatures
The WildFire appliance can now locally generate antivirus signatures for malicious Java files (.jar and .class), so that malicious Java files detected by the WildFire appliance no longer have to be forwarded to the WildFire Cloud for signature generation.

WildFire Appliance Support for Email Link Analysis
The firewall can now extract HTTP/HTTPS links contained in SMTP and POP3 email messages and forward the links to the WildFire appliance for analysis (this feature was supported only for the WildFire public cloud in PAN-OS 6.1). Enable this functionality by configuring the firewall to forward the email-link file type (Objects > Security Profiles > WildFire Analysis). Note that the firewall only extracts links and associated session information (sender, recipient, and subject) from the email messages that traverse the firewall; it does not receive, store, forward, or view the email message.
After receiving an email link from a firewall, the WildFire appliance visits the links to determine if the corresponding web page hosts any exploits. If it detects malicious behavior on the page, it returns a malicious verdict and:
- Generates a detailed analysis report and logs it to the WildFire Submissions log on the firewall that forwarded the links.
- Categorizes the URL as malware and generates and distributes a signature to connected firewalls, to allow them to identify and block the malware.
If the link corresponds to a file download, the WildFire appliance does not analyze the file. However, the firewall will forward the corresponding file to the WildFire appliance for analysis if the end user clicks the link to download it as long as the corresponding file type is enabled for forwarding.
The WildFire appliance does not send a log to the firewall if it determines a link to be benign or grayware, even if you have enabled logging of benign or grayware files because of the large number of logs this would generate.

Content Inspection Features

New Content Inspection Features | Description

Configurable Drop Actions in Security Profiles
The Vulnerability Protection, Anti-Spyware, and Antivirus profiles include new actions to drop or reset connections. In addition to the allow/alert/block actions within the security profile, you can now granularly define how to drop or reset connections when the firewall detects a threat. For example, to secure the Microsoft web servers on your network, you can create a rule in the Vulnerability Protection profile with an action to either drop the traffic and send a reset only to the server, or drop the traffic and block the offending client IP address from creating new connections for a specified time interval.

Increased Inspection Depth for Multi-Level Compression and Encoding
The firewall now identifies and inspects files that have been encoded or compressed up to four times, where previously the firewall supported only two levels of decoding. Multiple levels of compression and encoding are frequently introduced to files based on the file format and the application used for file transfer. For example, a Microsoft Office Open XML file (.docx) that is compressed (.zip) and is sent as an email attachment has three levels of encoding: the OOXML format is one level of encoding, the compression of the file to the ZIP format is the second level of encoding, and the third level of encoding is added when the email attachment is embedded using Base64. In this case, the firewall now decodes the file, correctly identifies it as a Microsoft Word document, and performs policy enforcement including file blocking, threat inspection, and WildFire analysis.

Blocking of Encoded Content
A new file type classification, Multi-Level-Encoding, can now be used to log or block content that has been compressed or otherwise encoded to a high degree. As the firewall can now decode and inspect up to four levels of encoding (see Increased Inspection Depth for Multi-Level Compression and Encoding), the new classification can be used to block files that have been encoded five times or more. Multiple levels of encoding can be used as an evasion technique to circumvent security devices; using the Multi-Level-Encoding file type to perform file blocking ensures that unidentified files that have not been processed for threats are not passed through the firewall.

Negate Operator for Custom Threat Signatures
A new Negate operator is now available when creating custom vulnerability or spyware signatures. The Negate operator can be used to ensure that the vulnerability or spyware signature is not triggered under certain conditions. For example, create a custom signature to trigger when a Uniform Resource Identifier (URI) pattern is matched to traffic, but only when the HTTP referer field is not equal to a certain value. A custom signature must include at least one positive condition in order for a negated condition to be specified.

PAN-DB Private Cloud
If the security and compliance requirements in your enterprise prohibit the Palo Alto Networks next-generation firewalls from directly accessing the internet for performing URL lookups, you can deploy a PAN-DB private cloud. To protect users from malware and undesirable web content, the firewalls can query the PAN-DB private cloud deployed within your network instead of accessing the PAN-DB public cloud. The PAN-DB private cloud solution ensures information privacy and does not send any data or analytics to the public cloud.
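
The layer counting described under Increased Inspection Depth and Blocking of Encoded Content, as an added Python example (not PAN-OS code and not part of the release notes). The detection heuristics, the function names, and the constructed sample files are assumptions made for illustration.

```python
import base64
import binascii
import io
import zipfile

MAX_DEPTH = 4  # decoding depth the release notes state for PAN-OS 7.0


def detect(data):
    """Name the outermost wrapper of data, or return None if there is none.

    Simplified heuristics (an assumption for this example, not PAN-OS logic).
    """
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # An OOXML package is a ZIP container with a content-types part.
            return "ooxml" if "[Content_Types].xml" in zf.namelist() else "zip"
    compact = b"".join(data.split())  # drop the line breaks MIME encoders add
    if len(compact) >= 16 and len(compact) % 4 == 0:
        try:
            base64.b64decode(compact, validate=True)
            return "base64"
        except binascii.Error:
            pass
    return None


def unwrap(kind, data):
    """Remove one base64 or zip layer and return the inner bytes."""
    if kind == "base64":
        return base64.b64decode(b"".join(data.split()), validate=True)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Only single-member archives are followed in this example.
        return zf.read(names[0]) if len(names) == 1 else b""


def classify(data, max_depth=MAX_DEPTH):
    """Peel wrappers up to max_depth; return (layers_seen, file_type)."""
    layers = []
    while True:
        kind = detect(data)
        if kind is None:
            return layers, "unidentified"
        if len(layers) == max_depth:
            # Still wrapped after max_depth levels: stop decoding and
            # hand the file to policy as its own file type.
            return layers, "Multi-Level-Encoding"
        layers.append(kind)
        if kind == "ooxml":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                is_word = "word/document.xml" in zf.namelist()
            return layers, ("Microsoft Word document" if is_word
                            else "OOXML document")
        data = unwrap(kind, data)


def make_docx():
    """Constructed minimal stand-in for a .docx (two parts, no real content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def zip_wrap(name, payload):
    """Compress payload into a single-member ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def b64_wrap(payload):
    """Base64-encode with line breaks, as a MIME attachment would be."""
    return base64.encodebytes(payload)


if __name__ == "__main__":
    docx = make_docx()
    # The three-level case from the text: OOXML, then ZIP, then Base64.
    attachment = b64_wrap(zip_wrap("report.docx", docx))
    print(classify(attachment))
    # Five levels: decoding stops after four and the file type changes.
    deep = b64_wrap(b64_wrap(zip_wrap("a.zip", zip_wrap("report.docx", docx))))
    print(classify(deep))
```

A file blocking decision would key on the second element of the returned tuple; the first element shows which wrappers were removed before the decision was made.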

Authentication Features

New Authentication Features | Description

Authentication and Authorization Enhancements
The workflow to configure authentication servers and profiles is now more intuitive and consistent. You can also enable GlobalProtect clients to send RADIUS vendor-specific attributes to RADIUS servers so that RADIUS administrators can make policy decisions based on those attributes. For example, RADIUS administrators might use the client operating system attribute to define a policy that mandates regular password authentication for Microsoft Windows users and one-time password (OTP) authentication for Google Android users.

SSL/TLS Service Profiles
You can now assign SSL/TLS service profiles to device services that use SSL/TLS, including Captive Portal, management traffic access using the web interface or XML API, the URL Admin Override feature, the User-ID Syslog listening service, and to GlobalProtect portals and gateways. SSL/TLS service profiles specify a certificate and the allowed protocol version or range of versions (now including TLSv1.2). By defining the protocol versions, the profiles enable you to restrict the cipher suites that are available to secure communication with the clients requesting the services. This improves network security by enabling devices to avoid SSL/TLS versions that have known weaknesses.

TACACS+ Authentication
Devices now support Terminal Access Controller Access-Control System Plus (TACACS+) protocol for authenticating administrative users. TACACS+ provides greater security than RADIUS insofar as it encrypts usernames and passwords (instead of just passwords), and is also more reliable (it uses TCP instead of UDP).

Kerberos Single Sign-On
Devices now support Kerberos V5 single sign-on for administrator authentication and Captive Portal authentication. Single sign-on minimizes the number of logins requiring user input while ensuring security for web services.

Suite B Cryptography Support
You can now use Suite B ciphers to authenticate administrators and to secure site-to-site VPN, and GlobalProtect remote access and large-scale VPN (LSVPN). To secure the VPN tunnels between GlobalProtect LSVPN gateways and endpoint devices, the latter must run GlobalProtect client software 2.2 or later releases. The new GlobalProtect IPSec Crypto profile supports Suite B encryption algorithms (and other algorithms) for LSVPN. You can use elliptic curve (ECDSA) certificates for administrator and GlobalProtect authentication. Suite B support enables you to meet U.S. federal network security standards.

Authentication Server Connectivity Testing
You can now test an authentication profile to determine if your firewall or Panorama management server can communicate with a back-end authentication server and if the authentication request was successful. You can perform authentication tests on the candidate configuration, so that you know the configuration is correct before committing. Authentication server connectivity testing is supported for local database, RADIUS, TACACS+, LDAP, and Kerberos authentication.

Decryption Features

New Decryption Features | Description

SSL Decryption Enhancements
When using SSL decryption to inspect and enforce security rules for connections between clients and destination servers, enable the following new options as increased security measures:
- Enforce the use of strong cipher suites. This includes support to specifically enforce the use of AES-128-GCM and AES-256-GCM ciphers.
- Enforce the use of minimum and maximum protocol versions.
- Enforce certificate validation on a per-policy basis (where previously, certificate validation was performed at the device level).
- Define traffic that you want to be decrypted based on TCP port numbers. This enables you to apply different decryption policies to a single server's traffic; traffic being transmitted using different protocols can receive different treatment.
- Enforce valid certificates and trusted issuers for traffic that is not decrypted, with the options to terminate an SSL session if the server certificate is expired or if the server certificate issuer is untrusted.

User-ID Features

New User-ID Feature | Description

User Attribution Based on X-Forwarded-For Headers
You can now configure User-ID to read user IP addresses from the X-Forwarded-For (XFF) header in client requests for web services when the firewall is deployed between the internet and a proxy server that would otherwise hide the user IP addresses. User-ID matches the IP addresses with usernames that your policies reference so that those policies can control and log access for the associated users and groups.

Custom Groups Based on LDAP Filters
You can now define custom groups based on LDAP filters so that you can base firewall policies on user attributes that do not match existing user groups in an LDAP-based service such as Active Directory (AD). Defining custom groups can be quicker than creating new groups or changing existing ones on the LDAP server, and does not require an LDAP administrator to intervene.

Virtualization Features

New Virtualization Feature | Description

Support for High Availability on the VM-Series Firewall
The VM-Series firewall on ESXi, Xen (on SDX), and KVM now supports both Active/Passive HA and Active/Active HA with session synchronization. The VM-Series in Amazon Web Services (AWS) supports Active/Passive HA only.
In an HA configuration, you must deploy both peers on the same type of hypervisor, have identical hardware resources assigned to them, and have the same set of licenses/subscriptions.

Support for Jumbo Frames
The VM-Series firewall can now support jumbo frames, which are Ethernet packets larger than 1500 bytes. Like with the hardware-based firewalls, when you enable jumbo frames on the VM-Series firewall, the default Maximum Transmission Unit (MTU) size for all Layer 3 interfaces is set to 9192 bytes; the MTU can range between 512 and 9216 bytes. You can override the global MTU, and configure an explicit value between 512 and 9216 bytes on a per-interface basis.

Support for Hypervisor Assigned MAC Address
The VM-Series firewall supports the ability to detect the MAC address assigned to the physical interface by the host/hypervisor and use that MAC address on the interfaces assigned to the VM-Series firewall. In Layer 3 deployments, this capability allows a vSwitch to forward traffic to the correct interface on the firewall without requiring that promiscuous mode be enabled on the vSwitch. Hypervisor assigned MAC addresses are also supported on PCI passthrough and SR-IOV capable network adapters.

For licensing features on the VM-Series firewall, see Licensing Features.

Networking Features

New Networking Feature | Description

ECMP
The firewall now supports Equal Cost Multipath (ECMP). Enable ECMP for the forwarding table to have up to four equal-cost paths to a single destination, which allows you to load balance traffic, use more of the available bandwidth, and have traffic dynamically shift to another ECMP member if one path fails. You can choose one of several load-balancing algorithms to determine which equal-cost path a virtual router uses for a new session to the destination.

DHCP Options
A firewall configured as a DHCP server can now send a full range of DHCP options to clients, including vendor-specific and customized options that support a wide variety of office equipment, such as IP phones and wireless infrastructure devices. Each option code supports multiple values, which can be IP addresses, ASCII text, or hexadecimal values. With the enhanced DHCP option support enabled on the firewall, branch office administrators do not need to purchase and manage their own DHCP servers in order to provide vendor-specific and customized options to DHCP clients.

Granular Actions for Blocking Traffic in Security Policy
When you configure the firewall to block traffic, the firewall either resets the connection or silently drops packets. When the firewall silently drops packets, it causes some applications to break and appear unresponsive to the user. New actions to gracefully block traffic provide a better user experience. The new actions available are:
- Drop traffic silently, and optionally send an ICMP Unreachable response to the user.
- Block traffic, and automatically use the deny action predefined for the application. You can view the predefined deny action for an application in Applipedia.
- Reset the connection with a TCP reset on the client-side connection, on the server-side connection, or reset both sides of the connection.
These new actions will be logged in the Traffic logs and are available for log queries.

SessionBasedDSCP DifferentiatedServicesCodePoint(DSCP)isusedtoindicatethelevelofservice
Classification requestedfortraffic,suchashighpriorityorbesteffortdelivery.Setupsessionbased
DSCPclassificationtoenablethefirewalltohonortheserviceclassrequestedfortraffic
andtomarkasessiontoreceiveprioritytreatment.SessionbasedDSCPextendsthe
powerofQualityofService(QoS),whichpolicestrafficasitpassesthroughthefirewall,
byallowingallnetworkdevicesbetweenthefirewallandtheclienttoalsopolicetraffic
basedontheDSCPvaluefortraffic.Forexample,inboundreturntrafficfromanexternal
servercannowbetreatedwiththesameprioritythatthefirewallinitiallyenforcedforthe
outboundflow.Networkdevicesintermediatetothefirewallandenduserwillalsothen
enforcethesamepriorityforthereturntraffic.

QoS on Aggregate Ethernet (AE) Interfaces
You can now enable QoS on AE interfaces configured on PA-7000 Series, PA-5000 Series, PA-3000 Series, PA-2000 Series, and PA-500 platforms. An AE interface is two or more interfaces linked together for combined bandwidth and link redundancy. When using AE interfaces to scale your network, enable QoS on an AE interface to prioritize, allocate, and guarantee the increased bandwidth supported on the AE interface.
Support for QoS on AE interfaces on PA-7050 firewalls began in PAN-OS 6.0.

Improved Performance for a Single VPN Tunnel
In deployments where a single VPN tunnel is set up between a Palo Alto Networks firewall and another IPSec VPN device, and the tunnel supports multiple sessions, the firewall can now use multiple CPU cores (simultaneously) to decrypt traffic. When the volume of VPN traffic is high, this enhancement minimizes latency and improves performance.

Per-Virtual System Service Routes
The source interface and source IP address of service routes can now be configured for individual virtual systems, in addition to the global configuration of service routes. Per-virtual system service routes provide the flexibility to customize service routes for numerous tenants or departments on a single firewall. Any virtual system that does not have a service route configured to access a particular external service inherits the source interface and source IP address that are set globally for that service. The PA-7000 Series firewalls use Log Processing Card (LPC) subinterfaces to separate the logging services for each virtual system. Prior to PAN-OS 7.0, each service route to a service was configured globally and applied to the entire firewall.

LLDP
You can now configure Link Layer Discovery Protocol (LLDP) to enable the firewall to automatically discover neighboring devices and their capabilities at the link layer. LLDP allows the firewall to send and receive Ethernet frames containing LLDP data units to and from neighbors. The receiving device stores the information in a MIB, which can be accessed by SNMP. LLDP enables network devices to learn the capabilities of the connected devices, and can be used to map network topology. This makes troubleshooting easier, especially for virtual wire deployments where the firewall would typically go undetected by a ping or traceroute.

NPTv6
You can now enable IPv6-to-IPv6 Network Prefix Translation (NPTv6) on the firewall, to perform a stateless, static translation of one IPv6 prefix to another IPv6 prefix (port numbers are not changed). One benefit of NPTv6 is the prevention of asymmetrical routing problems that result from provider-independent addresses being advertised from multiple data centers. NPTv6 allows more specific routes to be advertised so that return traffic arrives at the same firewall that transmitted the traffic. Another benefit is the independence of private and public addresses; you can change one without affecting the other. A third benefit of NPTv6 is the ability to translate unique local addresses (ULAs) to globally routable addresses.

TCP Split Handshake Drop
Palo Alto Networks firewalls by default correctly secure TCP sessions, whether they use a well-known 3-way handshake or a variation, such as a 4-way or 5-way split handshake or a simultaneous open. The firewall now offers an additional option to simply drop a TCP session that tries to use such a variation because it is possibly malicious.

Policy Features

New Policy Feature    Description

DoS Protection Against Flooding of New Sessions
In PAN-OS 7.0.2 and later releases, you can configure DoS protection to better block IP addresses to handle high-volume single-session and multiple-session attacks more efficiently. For configuration details, see DoS Protection Against Flooding of New Sessions.

VPN Features

New VPN Feature    Description

IKEv2 Support for VPN Tunnels
Site-to-site IPSec VPN is enhanced to support Internet Key Exchange Version 2 (IKEv2), in addition to IKEv1 (GlobalProtect clients are not included in this feature support). IKEv2:
- Exchanges fewer messages than IKEv1 when setting up the tunnel endpoints.
- Can negotiate multiple sets of traffic selectors to control which traffic can access the tunnel.
- Provides a liveness check to determine if a peer gateway and tunnel are still up.
- Supports NAT Traversal.
- Supports the Hash and URL certificate exchange, which reduces fragmentation.
- Supports cookie validation of a connection if a threshold number of concurrent IKE SA sessions is exceeded, reducing the potential for DoS attacks.

IPv6 IPSec VPN Support
Site-to-site IPSec VPN now supports IPv6 site-to-site connections, allowing you to establish IKE and IPSec Security Associations (SAs) between IPv6 gateways.

IPSec VPN Enhancements
You can now use the web interface to enable, disable, restart, or refresh an IKE gateway or an IPSec VPN tunnel to simplify troubleshooting. This feature applies to IPv4 and IPv6.

GlobalProtect Features

For information about new authentication features supported on GlobalProtect (Suite B cryptography and SSL/TLS service profiles), see Authentication Features.

New GlobalProtect Feature    Description

Disable Direct Access to Local Networks
You can now disable direct access to local networks so that users cannot send traffic to proxies or local resources while connected to a GlobalProtect VPN. For example, if a user establishes a GlobalProtect VPN tunnel while connected to a public hotspot or hotel Wi-Fi, and this feature is enabled, all traffic is routed through the tunnel and is subject to policy enforcement by the firewall.

Static IP Address Allocation
An enhancement to the IP address allocation logic enables the GlobalProtect gateway to maintain an index of clients and IP addresses so that the endpoint automatically receives the same IP address for all subsequent GlobalProtect VPN connections. The gateway continues to issue IP addresses in a round-robin fashion until all IP addresses are exhausted. To ensure that an endpoint receives the same address and to avoid IP address conflicts, create an IP address pool large enough to accommodate the number of endpoints.
Alternatively, you can now configure a GlobalProtect gateway to assign fixed IP addresses using an external authentication server. This is useful when downstream resources such as printers, servers, and applications use a fixed source IP address/IP address pool to allow access for a specific user, user group, or OS. When enabled, the GlobalProtect gateway allocates the IP address to connecting devices using the Framed-IP attribute from the authentication server.

Apply a Gateway Configuration to Users, Groups, and/or Operating Systems
You can now specify one or more users or user groups and/or client operating systems to which to apply a remote user tunnel configuration. For example, by configuring different IP address pools and access routes for Windows-based clients or for users in user groups such as Engineering, you can ensure that each client receives the correct network settings.

Welcome Page Management
The GlobalProtect client configuration now includes a setting to force the Welcome Page to display each time a user initiates a connection. This prevents the user from dismissing important information such as terms and conditions that may be required by your organization to maintain compliance. Alternatively, you can provide the user the ability to dismiss seeing the Welcome page at subsequent logins.

Remote Desktop Connection to a Remote Client
The GlobalProtect VPN tunnel functionality has been enhanced to allow users, such as IT Help Desk, to RDP to a client device when connected over GlobalProtect VPN, enabling troubleshooting and support for remote Windows users.
Now, when IT Help Desk personnel log into a client device, the GlobalProtect app can detect a new login without bringing down the RDP tunnel. After the administrator logs into the remote machine and successfully authenticates with the gateway, the GlobalProtect app reassigns the RDP tunnel to the remote administrator. This security measure prevents unauthorized access to VPN resources because policy enforcement for traffic through the RDP tunnel is now enforced and logged based on the privileges of the RDP user.

Simplified GlobalProtect License Structure
You can now use GlobalProtect to provide a secure, remote access or virtual private network (VPN) solution via single or multiple external gateways, without any GlobalProtect licenses. The portal license, which was required to enable this functionality, has been deprecated. However, advanced features including Host Information Profile (HIP) checks and support for the GlobalProtect mobile app for iOS and Android still require a gateway subscription. To take advantage of the new license structure, you need to upgrade only the device running the GlobalProtect portal to a PAN-OS 7.0 or later release.

Licensing Features

New Licensing Feature    Description

Self-Service License & Subscription Management
The firewall and Panorama now provide the capability to unassign or deactivate the active licenses on a firewall and assign the licenses to another firewall. To release the active licenses attributed to a firewall, you now have two options:
- Deactivate a feature license or subscription on a firewall: If you accidentally installed a license/subscription on a firewall and need to reassign the license to another firewall, you can deactivate an individual license and reuse the same authorization code on another firewall without help from Technical Support. This capability is supported on the CLI of both the hardware-based firewalls and the VM-Series firewalls.
- Deactivate licenses on a VM-Series firewall: When you no longer need an instance of the VM-Series firewall, you can free up all active licenses (subscription licenses, VM-Capacity licenses, and support entitlements) using the web interface, CLI, or the XML API on the firewall or Panorama. The licenses are credited back to your account and you can use the same authorization codes on a different instance of the VM-Series firewall.

Support for Usage-Based Licensing in Amazon Web Services (AWS)
The VM-Series firewall in AWS now supports the usage-based pricing model, in addition to the Bring Your Own License (BYOL) model. This capability makes it easier to consolidate the billing of AWS resources and the usage fees for the VM-Series firewall.
The usage-based model in the AWS Marketplace is available in hourly and annual pricing bundles:
- VM-Series capacity license with the Threat Prevention license for each model (VM-100, VM-200, VM-300, or VM-1000-HV). It includes a premium support entitlement.
- VM-Series capacity license with the complete suite of licenses, which includes Threat Prevention, GlobalProtect, WildFire, and PAN-DB URL Filtering capabilities for each model (VM-100, VM-200, VM-300, or VM-1000-HV). It includes a premium support entitlement.
Usage-based subscriptions/licenses are handled automatically by AWS; these licenses cannot be activated on the firewall or managed from Panorama.

Term-Based Capacity Licenses on the VM-Series Firewall
A term-based license is a license that allows you to use the VM-Series firewall for a specified period of time. A term-based VM-Series capacity license will have an expiration date and the web interface will display renewal notifications before the license expires. If the capacity license expires, although the firewall will continue to operate at the licensed capacity, you cannot obtain software updates or content updates until you renew the capacity license.

Changes to Default Behavior

The following are changes to default behavior in PAN-OS 7.0:
- FIPS mode is no longer supported in PAN-OS 7.0.1 and later releases. If your firewall is running a PAN-OS 6.1 or earlier release and is in FIPS mode, you must Enable FIPS and Common Criteria Support before you upgrade to PAN-OS 7.0.1 or a later release. The PAN-OS 7.0 Upgrade/Downgrade Considerations topic provides more details.
- File Blocking profiles with the action set to forward or continue and forward are migrated to the new WildFire Analysis profile in PAN-OS 7.0. To edit the migrated profiles or to create new profiles to forward files and email links for WildFire analysis, select Objects > Security Profiles > WildFire Analysis. Additionally, samples forwarded by the firewall for WildFire analysis are no longer added as entries to the Data Filtering logs (Monitor > Data Filtering); instead, use the CLI to verify that the firewall is forwarding samples. See the WildFire Analysis Profile for full details on this enhanced WildFire workflow.
- The default actions for handling threats are now alert or reset-both (sides of the connection). In releases prior to PAN-OS 7.0, the defaults were alert or block. On upgrade, the block action will be converted to reset-both and the drop-packets option is now renamed as drop. On downgrade, all actions configured as drop or reset will be converted to block.
- Previously, to check for licensing changes to the managed firewalls, you had to manually click the Refresh button on the Panorama > Device Deployment > Licenses tab. Now, Panorama performs a daily check-in with the licensing server and retrieves license updates/renewals and pushes them to the managed firewalls. The daily check-in takes place between 1:00 am and 2:00 am, according to the Time Zone configured for Panorama (Panorama > Setup > Management).
- There is a change in the way virtual system reporting and server profiles make queries using DNS proxy. Previously, the firewall would send virtual system report queries and virtual system server profile queries to the DNS proxy that was specified for the firewall, even if there was a DNS proxy specified for the virtual system. Now, the virtual system report and virtual system server profile send their queries to the DNS server specified for the virtual system if there is one. If there is no DNS server specified for the virtual system, the DNS server specified for the firewall is queried. (The vsys-specific DNS server used is defined in Device > Virtual Systems > General > DNS Proxy.)
- Previously, when a user logged into a GlobalProtect gateway that was on the same firewall as the portal, the portal generated a short-lived gateway user authentication cookie (expires in 60 seconds). The gateway would use that cookie to authenticate the user without requiring the user to enter a second one-time password (OTP). This feature is now deprecated. To enable the same user experience, whereby the user is only required to enter an OTP once to connect to GlobalProtect, you must set the Authentication Modifier to Cookie authentication for config refresh when configuring the portal authentication behavior.
- The maximum number of tags that the firewall and Panorama support is now increased from 2,500 to 10,000. This limit is enforced across the firewall/Panorama and is not allocated by virtual system or device group.
- The GlobalProtect portal license is now deprecated. Now, you can use all GlobalProtect portal functionality that was previously available without installing an additional license. However, advanced features including Host Information Profile (HIP) checks and support for the GlobalProtect mobile app for iOS and Android still require a gateway subscription. To take advantage of the new license structure, you need to upgrade only the device running the GlobalProtect portal to a PAN-OS 7.0 or later release (the GlobalProtect gateway can run PAN-OS 7.0 and earlier releases).

- With the enhanced capability to validate your configuration before committing it on the firewall or on Panorama, the commit validate command is no longer available. Instead, you can fully or partially validate your configuration with validate full|partial.
  The change in the XML API syntax is as follows:
  PAN-OS 6.1 and earlier releases:
  /api/?type=op&cmd=<commit><validate></validate></commit>
  PAN-OS 7.0 and later releases:
  /api/?type=op&cmd=<validate><full></full></validate>, and
  /api/?type=op&cmd=<validate><partial></partial></validate>

- The XML document format to commit shared policies to device groups on Panorama using the PAN-OS XML API has changed in PAN-OS 7.0. This change is due to an enhancement to permit a commit to devices within the device group: the device group name is now an attribute node instead of a text node.
  The change in the XML API request is as follows:
  PAN-OS 6.1 and earlier releases:
  /api/?type=commit&action=all&cmd=<commit-all><shared-policy><device-group><name>DeviceGroupName</name></device-group></shared-policy></commit-all>
  PAN-OS 7.0 and later releases:
  /api/?type=commit&action=all&cmd=<commit-all><shared-policy><device-group><entry name='DeviceGroupName'/></device-group></shared-policy></commit-all>

- RADIUS administrators can now log in to the firewall CLI as SSH users without first logging in to the web interface.
- When sending authentication requests to a RADIUS server, PAN-OS and Panorama 7.0 and later releases always use the authentication profile name as the network access server (NAS) identifier, even if the profile is assigned to an authentication sequence. In pre-7.0 releases, the firewall and Panorama use the name of whichever authentication profile or sequence is configured for the service that initiates the authentication process (such as administrator authentication).
- When you clone an object or rule, the naming convention for the clone is now <original name>-<n>, where <original name> is the name of the original object or rule and <n> is a numeric suffix (starting at 1 for the first clone) that makes the clone name unique in its current scope (virtual system, device group, or Shared location). For example, if you twice clone a rule named IngressTraffic, the firewall names the first clone IngressTraffic-1 and names the second clone IngressTraffic-2.
- On PA-7000 Series firewalls and Panorama, API requests for custom reports no longer support the synchronous (asynch=no) option. API requests now provide a job ID, which you can use to retrieve the report. Additionally, API requests for reports (type=report) are now processed asynchronously by default on all firewall platforms.
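
The two XML API syntax changes listed above (commit validate, and the device-group name moving from a text node to an attribute node) affect any automation that still sends 6.1-style requests. The following Python helper is an added example, not part of the release notes or Palo Alto Networks code: it rewrites 6.1-style request paths into the 7.0 form. The function names and the default of full for the validation scope are assumptions of this example; the first two sample requests are the ones quoted above.

```python
"""Rewrite PAN-OS 6.1-style XML API request paths into the PAN-OS 7.0 syntax."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

# The two 6.1 request paths from the release notes, plus one already in 7.0 form.
SAMPLE_REQUESTS = [
    "/api/?type=op&cmd=<commit><validate></validate></commit>",
    "/api/?type=commit&action=all&cmd=<commit-all><shared-policy><device-group>"
    "<name>DeviceGroupName</name></device-group></shared-policy></commit-all>",
    "/api/?type=op&cmd=<validate><partial></partial></validate>",
]


def _dump(elem):
    # Write empty elements in long form (<full></full>), as the release notes do.
    return ET.tostring(elem, encoding="unicode", short_empty_elements=False)


def migrate_cmd(req_type, cmd_xml, validate_scope="full"):
    """Return (new_cmd_xml, changed) for one cmd document.

    validate_scope is an assumption of this example: the release notes offer
    both full and partial validation and do not say which one an existing
    'commit validate' call should become.
    """
    if validate_scope not in ("full", "partial"):
        raise ValueError("validate_scope must be 'full' or 'partial'")
    # Only parse cmd strings from your own scripts; ElementTree is not
    # hardened against hostile XML.
    root = ET.fromstring(cmd_xml)

    # 6.1: type=op, <commit><validate/></commit>
    # 7.0: type=op, <validate><full/></validate> or <validate><partial/></validate>
    if req_type == "op" and root.tag == "commit":
        children = list(root)
        if len(children) == 1 and children[0].tag == "validate":
            new_root = ET.Element("validate")
            ET.SubElement(new_root, validate_scope)
            return _dump(new_root), True

    # 6.1: <device-group><name>X</name></device-group>    (text node)
    # 7.0: <device-group><entry name='X'/></device-group> (attribute node)
    if req_type == "commit" and root.tag == "commit-all":
        changed = False
        for group in list(root.iter("device-group")):
            for pos, child in enumerate(list(group)):
                if child.tag == "name":
                    entry = ET.Element("entry", {"name": (child.text or "").strip()})
                    entry.tail = child.tail
                    group.remove(child)
                    group.insert(pos, entry)  # keep the original position
                    changed = True
        if changed:
            return _dump(root), True

    return cmd_xml, False


def migrate_request(path, validate_scope="full"):
    """Rewrite one '/api/?type=...&cmd=...' path; returns (path, changed)."""
    parts = urlsplit(path)
    params = parse_qs(parts.query, keep_blank_values=True)
    req_type = params.get("type", [""])[0]
    cmd = params.get("cmd", [""])[0]
    if not cmd:
        return path, False
    try:
        new_cmd, changed = migrate_cmd(req_type, cmd, validate_scope)
    except ET.ParseError:
        return path, False  # cmd is not well-formed XML: leave for manual review
    if not changed:
        return path, False
    params["cmd"] = [new_cmd]
    # urlencode percent-encodes the XML so the rewritten path is safe to send.
    query = urlencode({key: values[0] for key, values in params.items()})
    return f"{parts.path}?{query}", True


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        new_req, was_changed = migrate_request(req)
        print("REWRITE" if was_changed else "KEEP   ", new_req)
```

Requests already in the 7.0 form, and requests whose cmd does not parse as XML, are returned unchanged so they can be reviewed by hand.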

CLI Changes in PAN-OS 7.0

The following table lists CLI commands that changed between PAN-OS 6.1 (orange text) and PAN-OS 7.0 (green text). The changes include command options that are deprecated or have new names, values, or command paths in PAN-OS 7.0.

PAN-OS 6.1 Commands    PAN-OS 7.0 Commands

Configuration Mode Commands

PAN-OS 6.1: commit validate
PAN-OS 7.0: validate [full | partial]

PAN-OS 6.1: set deviceconfig setting wildfire cloud-server
PAN-OS 7.0: set deviceconfig setting wildfire [public-cloud-server | private-cloud-server]

PAN-OS 6.1: set deviceconfig setting ssl-decrypt [block-unknown-cert | block-timeout-cert]
PAN-OS 7.0: set profiles decryption <name> ssl-forward-proxy [block-unknown-cert | block-timeout-cert]

PAN-OS 6.1: set network ike crypto-profiles ike-crypto-profiles <name> lifetime days <value: 1-65535>
PAN-OS 7.0: set network ike crypto-profiles ike-crypto-profiles <name> lifetime days <value: 1-365>

PAN-OS 6.1: set network ike crypto-profiles ipsec-crypto-profiles <name> lifetime days <value: 1-65535>
PAN-OS 7.0: set network ike crypto-profiles ipsec-crypto-profiles <name> lifetime days <value: 1-365>

PAN-OS 6.1: set network tunnel global-protect-gateway <name> client ip-pool
PAN-OS 7.0: set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs <name> ip-pool

PAN-OS 6.1: set network tunnel global-protect-gateway <name> client split-tunneling
PAN-OS 7.0: set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs <name> split-tunneling

PAN-OS 6.1: set network dhcp interface <name> server option ippool-subnet
PAN-OS 7.0: set network dhcp interface <name> server option subnet-mask

PAN-OS 6.1: set [shared | vsys <name>] profiles virus <name> decoder <name> [action | wildfire-action] [block]
PAN-OS 7.0: set [shared | vsys <name>] profiles virus <name> decoder <name> [action | wildfire-action] [reset-both]

PAN-OS 6.1: set [shared | vsys <name>] profiles virus <name> application <name> action [block]
PAN-OS 7.0: set [shared | vsys <name>] profiles virus <name> application <name> action [reset-both]

PAN-OS 6.1: set [shared | vsys <name>] profiles [spyware | vulnerability] <name> rules action action [block]
PAN-OS 7.0: set [shared | vsys <name>] profiles [spyware | vulnerability] <name> rules action action [reset-both]

PAN-OS 6.1: set [shared | vsys <name>] profiles file-blocking <name> rules <name> action [forward | continue-and-forward]
PAN-OS 7.0: The forward and continue-and-forward options are deprecated. To forward files to WildFire, you must now configure a WildFire Analysis profile:
set profiles wildfire-analysis <name>

PAN-OS 6.1: set [shared | vsys <name>] profiles [spyware | vulnerability] <name> threat-exception <threat-id> action [drop | drop-all-packets]
PAN-OS 7.0: In PAN-OS 7.0, the drop option performs the same action as the drop-all-packets option does in PAN-OS 6.1:
set [shared | vsys <name>] profiles spyware <name> threat-exception <threat-id> action drop

PAN-OS 6.1: set reports <name> type url sortby user_agent
PAN-OS 7.0: The user_agent option is deprecated.

PAN-OS 6.1: set reports <name> type wildfire sortby filetype
PAN-OS 7.0: The filetype option is deprecated.

PAN-OS 6.1: set application-group <name> [<value1> | <value2> | ]
PAN-OS 7.0: set application-group <name> members [<value1> | <value2> | ]

PAN-OS 6.1: set scheduled <name> [non-recurring | recurring]
PAN-OS 7.0: set scheduled <name> schedule-type [non-recurring | recurring]

PAN-OS 6.1: set threats [spyware | vulnerability] <threat-id> default-action drop-packets
PAN-OS 7.0: set threats [spyware | vulnerability] <threat-id> default-action drop

PAN-OS 6.1: set [shared | vsys <name>] authentication-sequence <name> lockout [failed-attempts | lockout-time]
PAN-OS 7.0: The lockout options are deprecated for authentication sequences. You now set the failed login attempts limit and account lockout duration only for authentication profiles.

PAN-OS 6.1: set [shared | vsys <name>] server-profile [ldap | radius] <name> domain
PAN-OS 7.0: set [shared | vsys <name>] authentication-profile <name> user-domain

PAN-OS 6.1: set [shared | vsys <name>] server-profile radius <name> checkgroup
PAN-OS 7.0: set [shared | vsys <name>] authentication-profile <name> method radius checkgroup

PAN-OS 6.1: set [shared | vsys <name>] server-profile radius <name> timeout <value: 1-30>
PAN-OS 7.0: set [shared | vsys <name>] server-profile radius <name> timeout <value: 1-120>

PAN-OS 6.1: set [shared | vsys <name>] server-profile radius <name> server <name> port <value: 0-65535>
PAN-OS 7.0: set [shared | vsys <name>] server-profile radius <name> server <name> port <value: 1-65535>

PAN-OS 6.1: set [shared | vsys <name>] server-profile kerberos <name> domain
PAN-OS 7.0: set [shared | vsys <name>] authentication-profile <name> user-domain

PAN-OS 6.1: set [shared | vsys <name>] server-profile kerberos <name> realm
PAN-OS 7.0: set [shared | vsys <name>] authentication-profile <name> method kerberos realm

PAN-OS 6.1: set [shared | vsys <name>] server-profile kerberos <name> server <name> port 0-65535
PAN-OS 7.0: set [shared | vsys <name>] server-profile kerberos <name> server <name> port 1-65535

PAN-OS 6.1: set [shared | vsys <name>] certificate <name> [display-common-name | display-subject | display-issuer]
PAN-OS 7.0: The display-common-name, display-subject, and display-issuer options are deprecated. To generate certificates, always use the request certificate generate Operational command (instead of the set [shared | vsys <name>] certificate command).

PAN-OS 6.1: set [vsys <name>] captive-portal server-certificate
PAN-OS 7.0: set [vsys <name>] captive-portal ssl-tls-service-profile

PAN-OS 6.1: set [vsys <name>] url-admin-override server-certificate
PAN-OS 7.0: set [vsys <name>] url-admin-override ssl-tls-service-profile

PAN-OS 6.1: set [vsys <name>] global-protect global-protect-portal <name> portal-config server-certificate
PAN-OS 7.0: set [vsys <name>] global-protect global-protect-portal <name> portal-config ssl-tls-service-profile

PAN-OS 6.1: set [vsys <name>] global-protect global-protect-gateway <name> server-certificate
PAN-OS 7.0: set [vsys <name>] global-protect global-protect-gateway <name> ssl-tls-service-profile

Operational Mode Commands

PAN-OS 6.1: clear session id <value> <value: 1-2147483648>
PAN-OS 7.0: clear session id <value> <value: 1-4294967295>

PAN-OS 6.1: show session id <value> <value: 1-2147483648>
PAN-OS 7.0: show session id <value> <value: 1-4294967295>

PAN-OS 6.1: delete user-file
PAN-OS 7.0: delete authentication user-file

PAN-OS 6.1: delete software image
PAN-OS 7.0: The image option is deprecated. The version option is not new but performs the same function as the image option:
delete software version

PAN-OS 6.1: request system software install file
PAN-OS 7.0: The file option is deprecated. The version option is not new but performs the same function as the file option:
request system software install version

PAN-OS 6.1: request system software install load-config <value> file
PAN-OS 7.0: The file option is deprecated. The version option is not new but performs the same function as the file option:
request system software install load-config <value> version

PAN-OS 6.1: delete radius-user
PAN-OS 7.0: The radius-user option is deprecated.

PAN-OS 6.1: show user ip-user-mapping all type [NTLM | SSL/VPN]
PAN-OS 7.0: The SSL/VPN and NTLM options are deprecated. The new SSO (single sign-on) option is for both NTLM and Kerberos SSO:
show user ip-user-mapping all type SSO

PAN-OS 6.1: show user ip-user-mapping all option [count | detail] type [NTLM | SSL/VPN]
PAN-OS 7.0: The SSL/VPN and NTLM options are deprecated. The new SSO (single sign-on) option is for both NTLM and Kerberos SSO:
show user ip-user-mapping all option [count | detail] type SSO

PAN-OS 6.1: show user ip-user-mapping-mp all option [count | detail] no-group-only [no | yes] type [NTLM | SSL/VPN]
PAN-OS 7.0: The SSL/VPN and NTLM options are deprecated. The new SSO (single sign-on) option is for both NTLM and Kerberos SSO:
show user ip-user-mapping-mp all option [count | detail] no-group-only [no | yes] type SSO

PAN-OS 6.1: show user email-lookup [base | bind-dn | bind-password | domain | group-object | name-attribute | proxy-agent | proxy-agent-port | use-ssl | mail-attribute | server | server-port]
PAN-OS 7.0: All the email-lookup options are deprecated except the email option. The following command is not new but has similar options:
show user group-selection [base | bind-dn | bind-password | group-object | name-attribute | proxy-agent | proxy-agent-port | use-ssl | server | server-port]

PAN-OS 6.1: show log traffic session_end_reason
PAN-OS 7.0: show log traffic session-end-reason

PAN-OS 6.1: show log [threat | url | data] action [equal | not-equal] drop-all-packets
PAN-OS 7.0: show log [threat | url | data] action [equal | not-equal] drop-all

PAN-OS 6.1: debug software restart <process>
PAN-OS 7.0: debug software restart [core | process] <process>

PAN-OS 6.1: debug authd
PAN-OS 7.0: debug authentication

PAN-OS 6.1: debug authd [admin-db | use-domain]
PAN-OS 7.0: The admin-db and use-domain options are deprecated.

PAN-OS 6.1: debug device-server pan-url-db [cloud-static-list-enable | cloud-static-list-disable]
PAN-OS 7.0: The following Configure mode command replaces the cloud-static-list-enable and cloud-static-list-disable options:
set deviceconfig setting pan-url-db cloud-static-list

PAN-OS 6.1: debug dataplane packet-diag clear filter-marked-session id <value: 1-2147483648>
PAN-OS 7.0: debug dataplane packet-diag clear filter-marked-session id <value: 1-4294967295>

PAN-OS 6.1: debug user-id test ntlm-login
PAN-OS 7.0: The ntlm-login option is deprecated. The new sso-login (single sign-on) option is for both NTLM and Kerberos SSO:
debug user-id test sso-login

PAN-OS 6.1: set management-server unlock
PAN-OS 7.0: request authentication [unlock-admin | unlock-user]

request certificate generate nbits request certificate generate certificate-name <value>


<name> <value> algorithm [ECDSA | RSA] [ecdsa-nbits |
rca-nbits]

Associated Software Versions

The following minimum software versions are supported with PAN-OS 7.0:

Palo Alto Networks Software              Minimum Supported Version with PAN-OS 7.0

Panorama                                 7.0.1
User-ID Agent                            6.0.0
Terminal Server Agent                    6.0.0
NetConnect                               Not supported with PAN-OS 7.0
GlobalProtect Agent                      2.2.0
GlobalProtect Mobile Security Manager    6.1.0
Content Release Version                  497

Known Issues

The following list describes known issues in the PAN-OS 7.0 release:

For recent updates to known issues for a given PAN-OS release, refer to
https://live.paloaltonetworks.com/t5/Articles/Critical-Issues-Addressed-in-PAN-OS-Releases/ta-p/52882.

Issue ID    Description

98112
For a firewall in an HA active/active configuration, session timeouts for some traffic unexpectedly refresh after a commit or HA sync attempt.

97806
For firewalls running PAN-OS 7.0.7 in an HA active/active configuration, the peer that is not the session owner intermittently incorrectly ages out sessions, which results in the premature removal of those sessions from both peers.

97584
The automatic license deactivation workflow for firewalls with direct internet access does not work.
Workaround: Use the request license deactivate key features <name> mode manual CLI command to Deactivate a Feature License or Subscription Using the CLI. To Deactivate a VM, choose Complete Manually (instead of Continue) and follow the steps to manually deactivate the VM.

95611
There is a caching issue with the management plane that results in WildFire reports and alerts for files that are already uploaded at least once to the firewall and that are followed by a configuration change or threat content update on the firewall that specifically blocks those same files.

95260
The pan-comm option for restarting the dataplane communication process is not available in the debug software restart process operational CLI command.

91395
Simultaneous transfer of large files from two different SMB servers over a GlobalProtect connection from a Windows 8 client causes the connection to fail.
Workaround: In PAN-OS 7.0.8 and later releases, enable Heuristics on Windows 8 clients or set the tunnel interface MTU size to 1,300 to avoid this issue.

91075
This issue is now resolved. See PAN-OS 7.0.7 Addressed Issues.
If you configure LSVPN tunnel interfaces between a GlobalProtect LSVPN gateway and an LSVPN satellite, you cannot upgrade the LSVPN satellite to a PAN-OS 7.0 release while the LSVPN gateway continues to run a PAN-OS 6.1 or earlier release; if you do, the LSVPN tunnels no longer pass traffic as expected due to changes made to the encryption algorithm names when introducing Suite B ciphers in PAN-OS 7.0.
Workaround: Upgrade both firewalls to PAN-OS 7.0 or a later release. If you cannot upgrade the LSVPN gateway to PAN-OS 7.0 or a later release, then upgrade the LSVPN satellite to PAN-OS 7.0.7 or a later release (or to a PAN-OS 7.1 release) to avoid this issue.

90326
This issue is now resolved. See PAN-OS 7.0.8 Addressed Issues.
The botnet log cleanup job on a PA-7000 Series firewall runs two hours before the system-generated botnet reports are triggered, which results in empty or no botnet reports when no logs are collected between jobs.

90256
This issue is now resolved. See PAN-OS 7.0.8 Addressed Issues.
Decrypted SSH sessions are not mirrored to the decrypt mirror interface as expected.

89595
Attempts to Hide Panorama background header (Panorama > Setup > Operations > Custom Logos) result in an error (Edit breaks config validity).

89385
This issue is now resolved. See PAN-OS 7.0.7 Addressed Issues.
For a firewall in an HA active/active configuration, session timeouts for some traffic unexpectedly refresh after a commit or HA sync attempt.
This fix introduced a known issue: 97806.

88141
Login attempts on Panorama for administrators with an access domain name longer than 31 characters will fail with the following error: Login could not be completed. Please contact the administrator. This is because the Access Domain field allows up to 63 characters but login operations allow a maximum of only 31 characters.
Workaround: Ensure that the access domain name for all administrators is no longer than 31 characters or upgrade to a PAN-OS 7.1 release, which allows the longer access domain names (up to 63 characters).

88029
If you have a system-wide firewall proxy configuration (Device > Setup > Services) in a PAN-OS 6.1 or earlier release and then upgrade to PAN-OS 7.0, the upgrade process will not automatically extend the proxy configuration to the WildFire public cloud, which includes a separate proxy configuration (Device > Setup > WildFire) in PAN-OS 7.0.
Workaround: After you upgrade a firewall to PAN-OS 7.0, add the necessary proxy configuration for accessing the WildFire public cloud (Device > Setup > WildFire).

86623
This issue is now resolved. See PAN-OS 7.0.8 Addressed Issues.
A firewall in an HA active/passive configuration with an established FTP session drops FTP PORT command packets after a failover.

85397
A Palo Alto Networks firewall, M-100 appliance, or WF-500 appliance configured to use FIPS operational mode will fail to boot when rebooting after an upgrade to a PAN-OS 7.0 release.
Workaround: Enable FIPS and Common Criteria support on any Palo Alto Networks firewall or appliance before you upgrade to a PAN-OS 7.0 release.

83702
This issue is now resolved. See PAN-OS 7.0.6 Addressed Issues.
WildFire Analysis reports do not display as expected in the WildFire Analysis Report tab (Monitor > Logs > WildFire Submissions > Detailed Log View) on a PA-7000 Series firewall running PAN-OS 7.0.2 or later releases.
Workaround: Use the WildFire portal (https://wildfire.paloaltonetworks.com) or the WildFire API to retrieve WildFire Analysis reports.

82849
This issue is now resolved. See PAN-OS 7.0.6 Addressed Issues.
A Panorama virtual appliance using a Network File System (NFS) storage partition incorrectly fails the file system integrity check for the NFS directory when rebooting Panorama after an upgrade to a Panorama 7.0 release.

82605
This issue is now resolved. See PAN-OS 7.0.4 Addressed Issues.
Offloaded policy-based forwarding (PBF) sessions will fail to egress a firewall running PAN-OS 6.1.4 and later releases if you Enforce Symmetric Return (Policies > Policy Based Forwarding > pbf-rule > Forwarding).
Workaround: Disable Enforce Symmetric Return and create bidirectional PBF policies.

82470 In some environments, IPSec tunnel throughput performance is lower than expected due to incorrect hardware tagging.
This issue is now resolved. See PAN-OS 7.0.7 Addressed Issues.

82299 There is a critical security vulnerability affecting PAN-OS 7.0.0. This issue specifically affects devices running PAN-OS 7.0.0 that are configured to use LDAP authentication for Captive Portal or for device management, including Panorama. This issue does not affect devices configured to use RADIUS or local authentication instead of LDAP authentication, nor does it affect any PAN-OS release other than PAN-OS 7.0.0. Due to the critical nature of this vulnerability, we strongly advise all customers who have installed PAN-OS 7.0.0 to upgrade as soon as possible to PAN-OS 7.0.1. Alternatively, you can downgrade to an older version of PAN-OS, such as PAN-OS 6.1 or PAN-OS 6.0.
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.

81584 In Panorama 7.0, output from the show ntp command does not always display the correct NTP status. This primarily occurs when there is only one NTP server configured where, even when correctly connected to the NTP server, the show ntp status displays as rejected.
This issue is now resolved. See PAN-OS 7.0.3 Addressed Issues.

81373 When the firewall is configured to communicate with a WildFire cloud (public or private) through a proxy server, WildFire Analysis reports for samples analyzed in the WildFire public cloud are not displayed in the WildFire Submissions log (Monitor > WildFire Submissions).
Workaround: Use the WildFire portal (https://wildfire.paloaltonetworks.com) or the WildFire API to retrieve WildFire Analysis reports.
This issue is now resolved. See PAN-OS 7.0.2 Addressed Issues.

80903 A PA-7050 firewall running a PAN-OS 6.1 or earlier release and managed by Panorama running PAN-OS 7.0.0 cannot accurately handle queries from Panorama. This results in the inability to display data in the Application Command Center (ACC) widgets and prevents log data from the PA-7050 firewall from being included in reports generated on Panorama.
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.

80871 WildFire Analysis reports are not displayed for WildFire Submissions log entries when the firewall is configured to use a service route instead of the management interface to communicate with a WildFire cloud (public or private).
Workaround: For firewalls running PAN-OS 7.0.1, you can retrieve WildFire Analysis reports through the WildFire portal (wildfire.paloaltonetworks.com) or the WildFire API. Additionally, you can specifically configure wildfire.paloaltonetworks.com as the WildFire public cloud to view integrated reports from within the web interface:
Web interface: select Device > Setup > WildFire > General Settings.
CLI: use the set deviceconfig setting wildfire public-cloud-server wildfire.paloaltonetworks.com command in configuration mode.
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.

80799 Files and email links sent using Simple Mail Transfer Protocol (SMTP) or Post Office Protocol version 3 (POP3) are not forwarded to the WildFire public cloud for analysis unless the firewall is also configured to forward files to a WildFire private cloud. For firewalls connected to a WildFire Private Cloud, forwarding to both the WildFire public cloud and WildFire private cloud works correctly (Device > Setup > WildFire).
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.

80750 When specifying the device group and template for the VM-Series NSX edition firewall, you cannot select a template stack or a descendant device group defined in a device group hierarchy on Panorama. You can assign the firewalls to a template and a parent device group only.

80589 The VM-Series firewall on Citrix SDX does not support jumbo frames.

80561 Software forwarding of Layer 3 multicast traffic with Protocol Independent Multicast (PIM) does not function correctly.
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.

80398 If you configure the firewall to use client certificates to authenticate administrators when they access the web interface, and you enable Online Certificate Status Protocol (OCSP) verification, then the authentication will fail and administrators can't log in.
Workaround: Clear the Block session if certificate status is unknown and Block session if certificate status cannot be retrieved within timeout check boxes in the certificate profile that the firewall uses to authenticate administrators.
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.

80387 IPv6-to-IPv6 Network Prefix Translation (NPTv6) is not supported when configured on a shared gateway.

80373 The options to Clone objects or policies in a shared gateway location and to Move objects or policies from a virtual system to a shared gateway location do not work correctly.
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.

80323 On reboot, the link states for firewall interfaces do not come up. This issue occurs when you disable high availability (HA) on a firewall that was configured in HA and then reboot the firewall.
Workaround: Use the delete deviceconfig high-availability enabled CLI command in configuration mode to delete the high availability configuration node.
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.

80268 When switching to Common Criteria (CC) mode on a PA-7050 firewall running PAN-OS 7.0.0, the operation does not complete and shows the following error: Set CCEAL4 Mode Sysd Error. This issue occurs because the CC mode operation attempts to change the operational mode before the system process (sysd) is fully loaded. This operation sets the firewall to the factory default configuration without CC configuration changes.
Workaround: Change to CC mode while running a PAN-OS 6.1 release before upgrading to PAN-OS 7.0.0.
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.

80266 If you configure the PA-200, PA-500, or PA-2050 firewall to use a service route instead of the management (MGT) interface to connect to an LDAP server, the connection won't work and any firewall functions that rely on the connection will fail.
Workaround: If you configured a service route before upgrading to a PAN-OS 7.0 release, reconfigure it as a destination service route or set the Source Interface and Source Address fields of the service route (Device > Setup > Services > Global > Service Route Configuration > IPv4 or IPv6) to Use default.
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.

80177 The URL block page does not display as expected when proxied requests from the client use the CONNECT method.

79470 Panorama does not display WildFire Analysis reports correctly in the WildFire Submissions log.
Workaround: In the Context drop-down, select the firewall that forwarded the log and display the report in the firewall context.
This issue is now resolved. See PAN-OS 7.0.2 Addressed Issues.

79462 If you log in to Panorama as a Device Group and Template administrator and rename a device group, the Panorama > Device Groups page no longer displays any device groups.
Workaround: After you rename a device group, perform a commit, log out, and log back in; the page then displays the device groups with the updated values.

78803 In Panorama, template settings that are global to every virtual system (vsys) on a firewall (for example, System log settings) can't reference configuration elements (for example, an Email server profile) that you add to a specific vsys instead of to the Shared location. Only template and device group settings that Panorama can push to a specific vsys (for example, Log Forwarding profiles) can reference elements that you add to a specific vsys. To create an element that both global and vsys-specific settings can reference, you must set the template Mode to Multi VSYS enabled and, when adding the element, set its Location to Shared.
This issue is now resolved. See PAN-OS 7.0.2 Addressed Issues.

78646 Firewalls incorrectly replace multi-byte characters with a period character ( . ) when forwarding logs or event information to SNMP traps, to a syslog server, through email, or in scheduled log exports. This issue also occurs when exporting logs to CSV.
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.

77850 Web pages using the HTTP Strict Transport Security (HSTS) protocol sometimes do not display properly for end users.
Workaround: End users should import an appropriate forward-proxy certificate for their browsers.

77775 A validation error occurs when you try to move an object from its current device group to a destination device group that is lower in the hierarchy even if the policy rules or objects that reference the object are in the same destination or are in a device group that should inherit the object.
Workaround: Clone the object to the destination.
This issue is now resolved. See PAN-OS 7.0.2 Addressed Issues.

77299 When using a Firefox browser to access the firewall web interface, WildFire Analysis reports do not show the Coverage Status for the sample, even when a signature is generated to identify the sample (Monitor > Logs > WildFire Submissions > Detailed Log View > WildFire Analysis Report).
Workaround: To view the correct Coverage Status for a sample, use Chrome or Internet Explorer browsers to access WildFire Submissions logs on the firewall web interface.
This issue is now resolved. See PAN-OS 7.0.3 Addressed Issues.

76601 When you use a Mac OS Safari browser, client certificates will not work for Captive Portal authentication.
Workaround: On a Mac OS system, instruct end users to use a different browser (for example, Mozilla Firefox or Google Chrome).

75806 In a firewall with multiple virtual systems, if you add an authentication profile to a virtual system and give the profile the same name as an authentication sequence in Shared, reference errors occur. The same errors occur if the profile is in Shared and the sequence with the same name is in a virtual system.
Workaround: When creating authentication profiles and sequences, always enter unique names, regardless of their location. For existing authentication profiles and sequences with similar names, rename the ones that are currently assigned to configurations (for example, a GlobalProtect gateway) to ensure uniqueness.

74423 When fetching a dynamic block list, a firewall running PAN-OS 7.0.1 incorrectly uses the URL Updates service route instead of the service route that is attached to the Palo Alto Updates in the service route configuration (Device > Setup > Services > Global).
This issue is now resolved. See PAN-OS 7.0.2 Addressed Issues.

73997 On the ACC > Network Activity tab, if you add the label Unknown as a global filter, the filter gets added as A1 and query results display A1 instead of Unknown.

73674 The link on a 1Gbps SFP port on a VM-Series firewall deployed on a Citrix SDX server does not come up when successive failovers are triggered. This behavior is only observed in an HA active/active configuration.
Workaround: Use a 10Gbps SFP port instead of the 1Gbps SFP port on the VM-Series firewall deployed on a Citrix SDX server.

73518 WildFire Analysis reports cannot be viewed on firewalls running PAN-OS 6.1 release versions if connected to a WF-500 appliance in Common Criteria mode that is running a PAN-OS 7.0 release.

71624 Vulnerability detection of SSLv3 fails when SSL decryption is enabled. This can occur when you attach a Vulnerability Protection profile (that detects SSLv3 CVE-2014-3566) to a Security policy rule and that Security policy rule and an SSL Decryption policy rule are configured on the same virtual system in the same zone. After performing SSL decryption, the firewall sees decrypted data and no longer sees the SSL version number. In this case, the SSLv3 vulnerability is not identified.
Workaround: SSL Decryption Enhancements were introduced in PAN-OS 7.0 that enable you to prohibit the inherently weaker SSL/TLS versions, which are more vulnerable to attacks. For example, you can use a Decryption profile to enforce a minimum protocol version of TLS 1.2 or select Block sessions with unsupported versions to disallow unsupported protocol versions (Objects > Decryption Profile > SSL Decryption > SSL Forward Proxy and/or SSL Inbound Inspection).

70335 When a tunnel monitor is enabled for a large-scale VPN (LSVPN) and the tunnel monitor is in wait-recover mode, access routes from the GlobalProtect gateway cannot be installed on the GlobalProtect satellite.
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.

70222 If the password for the administrator account on the NSX Manager contains special characters, such as $, Panorama cannot communicate with the NSX Manager. The inability to communicate prevents context-based information, such as Dynamic Address Groups, from being available to Panorama.
Workaround: Remove special characters from the administrator password on the NSX Manager.

69458 When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as StrongSwan.
Workaround: Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.

68330 When you configure a firewall to retrieve a WildFire signature package, the System log shows unknown version for the package. For example, after a scheduled WildFire package update, the system log shows: Wildfire package upgraded from version <unknown version> to 38978-45470. This is a cosmetic issue only and does not prevent the WildFire package from installing.

68095 If you access Device > Log Settings on a device running a PAN-OS 7.0 or later release and then use the CLI to downgrade the device to PAN-OS 6.1 or an earlier release and reboot, an error message appears the next time you access Log Settings. This occurs because PAN-OS 7.0 and later releases display Log Settings in a single page whereas PAN-OS 6.1 and earlier releases display the settings in multiple sub-pages. To clear the message, navigate to another page and return to any Log Settings sub-page. The error will not recur in subsequent sessions.

67713 PAN-OS allows downgrade to content release versions (Applications and Threats) on the firewall to versions that the current PAN-OS release does not support. For example, if the firewall is running PAN-OS 7.0.1 and the minimum content release version is 497, the administrator should not be able to downgrade to a version earlier than 497.
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.

67624 When using a web browser to view a WildFire Analysis report from a firewall that is using a WF-500 appliance for file sample analysis, the report may not appear until the browser downloads the WF-500 certificate. This issue occurs after upgrading a firewall and the WF-500 appliance to a PAN-OS 6.1 or later release.
Workaround: Browse to the IP address or hostname of the WF-500 appliance, which will download the certificate into the browser. For example, if the IP address of the WF-500 appliance is 10.3.4.99, open a browser and enter https://10.3.4.99. You can then access the report from the firewall by selecting Monitor > WildFire Submissions, clicking the log details icon, and then clicking the WildFire Analysis Report tab.

67552 Firewalls running PAN-OS 6.0 and earlier releases send a NIL value (or en dash) to the syslog server when no domain or hostname value is configured on the firewall. In PAN-OS 6.1 and later releases, the firewall does not send any value when the domain and hostname fields are empty; instead, this field is left blank in syslog headers.

66976 In the WildFire Submission logs, the email recipient address is not correctly mapped to a username when configuring mapping with group mapping profiles that are pushed in a Panorama template.

66887 The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.

66879 The VM-Series firewall on KVM running on Ubuntu 12.04 LTS does not support PCI pass-through functionality.

66745 On managed mobile devices running iOS 8, unenrolling the device does not always remove the VPN profile and the Mobile Security Manager profile.

66233 The URL logging rate is reduced when HTTP header logging is enabled in the URL Filtering profile (Objects > Security Profiles > URL Filtering > <URL Filtering profile> > Settings).

66059 Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report. For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.

65824 Unused NAT IP address pools are not cleared after a single commit, so a commit fails if the total cache of unused pools, existing used pools, and new pools exceeds the memory limit.
Workaround: Commit a second time, which clears the old pool allocation.

63962 Configurations pushed from Panorama 6.1 and later releases to firewalls running PAN-OS 6.0.3 or earlier releases will fail to commit due to an unexpected Rule Type error. This issue is caused by the new Rule Type setting in security policy rules that was not included in the upgrade transform and, therefore, the new rule types are not recognized on devices running PAN-OS 6.0.3 or earlier releases.
Workaround: Only upgrade Panorama to version 6.1 or later releases if you are also planning to upgrade all managed firewalls to a PAN-OS 6.0.4 or later release before pushing configuration to firewalls.

63186 If you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart management-server CLI command.

61720 By default, the GlobalProtect app adds a route on iOS mobile devices that causes traffic to the GP-100 GlobalProtect Mobile Security Manager to bypass the VPN tunnel.
Workaround: To configure the GlobalProtect app on iOS mobile devices to route all traffic, including traffic to the GP-100 GlobalProtect Mobile Security Manager, to pass through the VPN tunnel, perform the following tasks on the firewall hosting the GlobalProtect gateway (Network > GlobalProtect > Gateways > Client Configuration > Network Settings > Access Route):
Add 0.0.0.0/0 as an access route.
Enter the IP address for the GlobalProtect Mobile Security Manager as an additional access route.

60851 Due to a limitation related to the Ethernet chip driving the SFP+ ports, PA-5050 and PA-5060 firewalls will not perform link fault signaling as standardized when a fiber in the fiber pair is cut or disconnected.

59856 After deploying the VM-Series firewall, when the firewall connects to Panorama, you must issue a Panorama commit to ensure that Panorama recognizes the firewall as a managed device. If you reboot Panorama without committing the changes, the firewall will not connect back to Panorama; although the device group will display the list of devices, the device will not display in Panorama > Managed Devices.
Further, if Panorama is configured in an HA configuration, the VM-Series firewall is not added to the passive Panorama peer until the active Panorama peer synchronizes the configuration. During this time, the passive Panorama peer will log a critical message:
vm-cfg: failed to process registration from svm device. vm-state: active.
This message is logged until you commit the changes on the active Panorama, which then initiates synchronization between the Panorama HA peers and the VM-Series firewall is added to the passive Panorama peer.
Workaround: To reestablish the connection to the managed devices, commit your changes to Panorama (click Commit and select Commit Type Panorama). In case of an HA setup, the commit will initiate the synchronization of the running configuration between the Panorama peers.

59573 Live migration of the VM-Series firewall is not supported when you enable SSL decryption using the SSL forward proxy method. Use SSL inbound inspection if you need support for live migration.

58839 When deleting the VM-Series deployment, all VMs are deleted successfully; however, sometimes a few instances still remain in the datastore.
Workaround: Manually delete the VM-Series firewalls from the datastore.

58260 If an HA failover occurs on Panorama at the time that the NSX Manager is deploying the VM-Series NSX edition firewall, the licensing process fails with the error: vm-cfg: failed to process registration from svm device. vm-state: active.
Workaround: Delete the unlicensed instance of the VM-Series firewall on each ESXi host and then redeploy the Palo Alto Networks next-generation firewall service from the NSX Manager.

58202 When viewing the Session Browser (Monitor > Session Browser), using the global refresh option (top right corner) to update the list of sessions causes the Filter menu to display incorrectly and clears any previously selected filters.
Workaround: To maintain and apply selected filters to an updated list of sessions, click the green arrow to the right of the Filters field instead of the global (or browser) refresh option.

49742 The following issues apply when configuring a firewall to use a hardware security module (HSM):
Thales nShield Connect: The firewall requires at least four minutes to detect that an HSM has been disconnected, causing SSL functionality to be unavailable during the delay.
SafeNet Network: When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show ha-status and show hsm info commands is blocked for 20 seconds.

49322 After you configure a Panorama M-Series appliance for HA and synchronize the configuration, the Log Collector of the passive peer cannot connect to the active peer until you reboot the passive peer.

45464 The Panorama virtual appliance does not write summary logs for traffic and threats as expected after you enter the clear log command.
Workaround: Reboot Panorama management server (Panorama > Setup > Operations) to enable summary logs.

40436 Firewalls running PAN-OS 6.1 and later releases do not update FQDN entries unless you enable the DNS proxy Cache option (Network > DNS Proxy > <DNS Proxy config> > Advanced).

PAN-OS 7.0.8 Addressed Issues
The following table lists the issues that are fixed in the PAN-OS 7.0.8 release. For an overview of new features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see PAN-OS 7.0 Release Information.

Issue ID Description

97313 Fixed an issue where the management plane of Panorama M-100 and M-500 appliances stopped responding when renaming objects or security policies due to memory corruption.

96792 Fixed an issue where commits failed due to a memory leak related to HA sync of the candidate configuration that caused the passive Panorama peer to stop responding.

94757 Fixed a rare issue on firewalls where Security policy rules included empty dynamic block lists (0.0.0.0/0) after a Commit from Panorama with Force Template Values enabled.

93729 Fixed an issue where SSH decryption caused a dataplane memory leak and restart.

93072 A security-related change was made to address an issue in the policy configuration dialog.

92763 Fixed an issue where commits failed due to a validation error that occurred when Panorama pushed Authentication Sequence profiles that included a virtual system that was not migrated properly during an upgrade from a Panorama 6.1 release to a Panorama 7.0 or later release.

92391 Fixed an issue where firewall Traffic logs displayed unusually large byte counts for sessions passing through proxy servers.

92293 A security-related fix was made to address CVE-2016-1712.

91900 Fixed an issue where a Panorama validate operation followed by an FQDN refresh caused the validate config to commit to the firewall.

91886 A security-related fix was made to address CVE-2015-7547.

91876 Fixed an issue where the passive firewall in a VM-Series ESXi configuration was processing and forwarding traffic.

91799 Fixed an issue where a PA-7050 firewall did not display logs as expected and caused a process (logrcvr) to stop responding.

91728 A security-related fix was made to address a Denial of Service condition related to the API.

91724 Fixed an issue where an autocommit of an incremental antivirus update failed after a reload due to a corrupt virus signatures file and a failed incremental installation. With this fix, incremental content installation has enhanced protections to prevent autocommit failures, and will log additional information to assist with troubleshooting.

91653 Fixed an issue where SSL decryption did not work as expected for resumed sessions.

91643 Fixed a rare issue where traffic that triggered an SSL decrypt URL proxy action caused a process (all_task) to restart.

91497 Fixed an issue where stale next-hop MAC entries persisted on the session offload processor after you modified a subinterface configuration, which caused SSH connections to fail. With this fix, the management plane cache no longer duplicates next-hop MAC entries, which prevents the stale entries that caused SSH connections to fail.

91336 Fixed an issue where the packet processor stopped responding when proxy packets were switched to the fast path group on the dataplane.

90982 Fixed an issue where upgrading from a PAN-OS 6.1 release to PAN-OS 7.0.3 or a later PAN-OS 7.0 release caused the GlobalProtect portal or gateway and SSL decryption processes to stop responding. This issue occurred because SSL/TLS Service Profiles (introduced in PAN-OS 7.0) were not created successfully if you did not enable multiple virtual system (multi-vsys) functionality on the firewall. With this fix, SSL/TLS Service profiles are now successfully created on non-multi-vsys platforms when upgrading to PAN-OS 7.0.8 or later releases or to PAN-OS 7.1 releases.

90857 Fixed an issue with a Panorama passive peer in an HA configuration where administrators were unable to configure the Dynamic Updates schedule for Applications and Threats updates.

90856 Fixed an issue where the dialog for creating certificates and the dialog for editing certificates had different character limits for the certificate name. With this fix, the certificate name field in both dialogs allows up to 63 characters.

90842 Fixed an issue where the firewall received an unencrypted empty ISAKMP packet in quick mode that caused a process (ikemgr) to stop responding.

90794 Fixed an issue where a log file (/var/log/wtmp) inflated and consumed the available disk space. With this fix, PAN-OS uses a log rotation function to prevent log files from consuming more disk space than necessary.

90680 Fixed an issue on PA-500 firewalls where certain processes (l3svc and sslvpn) stopped responding after the firewall attempted a dynamic update.

90635 A security-related fix was made to address a cross-site scripting condition in the Application Command Center (ACC).

90553 Fixed an issue where Data Filtering and WildFire Submissions logs for non-NAT sessions contained incorrect or invalid NAT information.

90326 Fixed an issue on PA-7000 Series firewalls where botnet reports were not created consistently due to a log cleanup job that ran just prior to when the botnet reports were generated, which on some days resulted in empty or no botnet reports. With this fix, the botnet log cleanup job takes place after the daily generation of botnet reports so that daily reports are created and populated as expected.

90256 Fixed an issue where decrypted SSH sessions were not mirrored to the decrypt mirror interface as expected.

90249 Fixed an issue where upgrading from a PAN-OS 6.1 or earlier release prevented administrators from overriding LDAP group mappings that were pushed from Panorama.

90044 Fixed an issue where log forwarding in Panorama failed when using syslog over TCP.

89979 Fixed an issue where the Aggregate Ethernet (AE) interface port in virtual wire mode with link state pass-through enabled came up after a commit, although its peer AE interface port was down. With this fix, the other AE interface port will come up after the commit and is then brought down in approximately 10 seconds. This causes both AE interfaces to stay down until the first AE interface recovers.

89917 Fixed an intermittent issue where one or more interfaces on a VM-Series firewall deployed in the Amazon Web Services (AWS) cloud could not obtain IP addresses from a DHCP server after booting up.

89910 Fixed an issue where all LLDP packets were sent with the source MAC address of the MGT interface instead of the dataplane interface from which they were transmitted. With this fix, LLDP packets are encapsulated with the source MAC address of the interface that transmitted the packet.

89743 Fixed an issue where commits failed due to processes (configd and mgmtsrvr) that stopped responding. This issue was caused by memory corruption related to the scheduling of WildFire dynamic updates.

89551 Fixed an issue where User Activity Reports delivered via the Email Scheduler did not include usernames that contained German characters.

88646 Fixed an issue where predicted FTP sessions were not established as expected from the parent FTP session.

88346 Fixed an issue where a firewall was sending BGP packets with the wrong MD5 authentication value.

88327 Fixed an issue where several valid country codes were missing in the Certificate Attributes section when generating a certificate from the web interface.

88157 Fixed an issue with reduced throughput for traffic originating on the firewall and traversing a VPN tunnel.

87851 Fixed an issue where high rates of fragmented packets caused the firewall to experience a spike in packet buffer, descriptor, and CPU usage.

87741 Fixed an issue on PA-3000 Series firewalls where the dataplane restarted after an upgrade.

87179 Fixed an issue where a virtual system (vsys) in a Panorama template was assigned duplicate vsys numbers during commit to the firewall.

86623 Fixed an issue where a firewall in an HA active/passive configuration dropped FTP PORT command packets after a failover.

86123 Fixed an issue where an M-100 appliance in an HA pair had a process (configd) repeatedly restart, causing HA sync to fail.

85160 Fixed an issue where a firewall lost members of a domain group after a failover from the primary to the secondary LDAP server when the last-modified timestamp for the group was not the same on both servers.

84115 Fixed an issue where virtual system administrators (full access or read-only) were unable to access settings under the Network tab (Panel for undefined not registered was displayed, instead).

83239 Fixed an issue where inbound SSL decryption did not work as expected when you enabled SYN cookies.

80953 Fixed an issue on firewalls in an HA active/active configuration that included virtual wire interfaces where packets did not adhere to virtual wire forwarding paths and caused MAC address flapping on neighbor.

77822 Fixed an issue on a VM-Series NSX edition firewall that sent Dynamic Address Group information only to the primary virtual system (VSYS 1) on the integrated physical firewall at the data center perimeter. With this fix, a VM-Series NSX edition firewall configured to Notify Device Group sends Dynamic Address Group updates to all virtual systems on a physical firewall running PAN-OS 7.0.8 or a later PAN-OS 7.0 release.

PAN-OS 7.0.7 Addressed Issues
The following table lists the issues that are fixed in the PAN-OS 7.0.7 release. For an overview of new features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see PAN-OS 7.0 Release Information.

Before you upgrade to PAN-OS 7.0.3 or a later PAN-OS 7.0 release, review the information about how to upgrade a firewall to PAN-OS 7.0. Additionally, if virtual system (vsys) configuration is not enabled on your firewall or appliance, you must reboot your firewall or appliance after you install PAN-OS 7.0.1 and before you upgrade to PAN-OS 7.0.3 or a later release.

Issue ID Description

94912 Fixed an issue in PAN-OS 7.0.6 where WF-500 appliances returned false-positive results primarily for Microsoft Word (.docx) files.

93775 Fixed an issue where packet diagnostics failed due to an unnecessarily large debug log related to HA3 packet forwarding.

93644 Fixed an issue on PA-3000 Series firewalls where processing jumbo frames that were larger than 7,000 bytes during a period of heavy traffic caused the FPGA to stop responding. With this fix, the FPGA thresholds are adjusted to correctly handle up to 9KB jumbo frames.

93612 A security-related fix was made to address a privilege escalation issue.

93228 Fixed an issue on PA-7050 firewalls in an HA active/active configuration where jumbo frames that included the DF (do not fragment) bit were dropped when crossing dedicated HA3 ports.

92413 A security-related change was made to address a boundary check that caused a service disruption of the captive portal.

91771 Fixed an issue where a firewall did not send TCP packets out during the transmit stage in the same order as those packets were received.

91443 Fixed an issue where a Panorama M-100 appliance purged logs due to an incorrect quota size.

91079 Fixed an issue on a VM-Series firewall where an ungraceful reboot caused Dynamic IP address information to get out of sync.

91075 Fixed an issue where the LSVPN tunnel interface failed to pass traffic after upgrading a GlobalProtect LSVPN satellite to a PAN-OS 7.0 release while the GlobalProtect LSVPN gateway was still running a PAN-OS 6.1 or earlier release. Additionally, the tunnel interface flapped if you enabled tunnel monitoring. These issues occurred due to changes to the encryption algorithm names when introducing Suite B ciphers in PAN-OS 7.0. With this fix, GlobalProtect LSVPN satellites running PAN-OS 7.0.7 (or PAN-OS 7.1) or later releases successfully recognize the old names used in PAN-OS 6.1 and earlier releases so that LSVPN tunnels are established and pass traffic as expected.

90433 Fixed an issue where overrides of the default rules in the Shared policy took precedence over the overrides of default rules in a device group. With this fix, override precedence now behaves as designed (overrides of default rules in the lowest-level device group take precedence over those settings in the higher-level device groups and Shared).

90194 Fixed an issue where firewalls without any WildFire public signatures (had never downloaded any or old signatures had been deleted) did not properly leverage WildFire private cloud signatures when monitoring traffic.

90158 Fixed an issue on PA-7000 Series firewalls where aggregate outbound traffic was incorrectly limited by the chassis switch fabric switching capacity.

90070 Fixed an issue where a memory leak associated with the authentication process (authd) caused intermittent access and authentication issues.

90029 Fixed an issue where a GlobalProtect gateway rejected the same routes learned from different LSVPN satellites when the routes were destined for a different virtual router.

89761 Fixed an issue where a scheduled log export failed to export the logs if the password in the configuration contained the dollar sign ("$") character.

89588 Fixed an issue where packets that had to be retransmitted during SSL decryption were not handled correctly, which resulted in a depleted software packet buffer.

89503 Fixed an issue where user group mappings were not properly populated into the dataplane after a firewall reboot.

89413 Fixed an issue where Panorama template commits failed when the names of several certificates in the Default Trusted Certificate Authorities list changed. This occurred when Panorama was running a PAN-OS 7.0 release and pushed a template to a firewall running a PAN-OS 6.1 or earlier release.

89385 Fixed an issue with firewalls in an HA active/active configuration where session timeouts for some traffic were unexpectedly refreshed after a commit or HA sync attempt.
This fix introduced a known issue: 97806.

89296 Fixed an issue where a commit failed after renaming a Panorama shared object that was already referenced in the rules on a local firewall.

89108 Fixed an issue where a firewall did not advertise prefixes to some BGP peers when expected.

88689 Fixed an issue where a memory leak associated with the authentication process (authd) caused commit attempts to fail.

88450 Fixed an issue where Layer 3 interfaces without defined IP addresses, zones, or virtual routers dropped LLDP packets, which prevented the firewall from obtaining and displaying neighbor information.

88421 Fixed an issue where WildFire reports were generated for files already blocked by the Antivirus profile SMTP decoder.

88325 Fixed an issue where a PA-500 firewall running a PAN-OS 7.0.1 or later release and with DNS Proxy enabled failed to connect to User-ID agents using FQDN.


88313 Fixed an issue where read-only device administrators were unable to view logs on the ACC tab.

87911 Fixed an issue where scheduled dynamic updates to managed firewalls stopped functioning after migrating the Panorama VM to an M-500 appliance.

87880 Fixed an issue where the XML API request to test Security policy was not properly targeted to a specified virtual system (vsys), which made the request applicable only to the default vsys. With this fix, the XML API request to test Security policy is able to retrieve results for any previously targeted vsys.

87833 Fixed an issue where WildFire updates caused the interface to flap.

87729 Fixed an issue where the dataplane on the passive firewall in a synced HA configuration restarted due to a Decryption profile that didn't have any associated Decryption policy rules, which resulted in SSL proxy sessions that were dropped on the passive firewall when the active firewall became suspended during a failover.

87594 Fixed an issue on M-Series appliances that caused the show ntp CLI command to time out.

87094 Fixed an issue where committing a policy on Panorama that contained interfaces that were manually defined generated the error: [interface name] is not an allowed keyword.

86977 Fixed an issue where LDAP sessions sourced from Panorama, a firewall, or an M-100 appliance were kept open and not actively refreshed, which caused sessions to time out when they traversed the peer firewall (or the dataplane on the same firewall) and, ultimately, caused authentication attempts to fail when requests could no longer reach the LDAP server. With this fix, a keepalive mechanism is added that is triggered after 15 minutes of session inactivity and that allows a maximum of five failed probes before dropping a connection (probes occur in 60-second intervals).

86821 Fixed an issue where the server process (devsrvr) stopped responding when attempting to access a URL with multiple nested children, which caused the dataplane to restart.

86686 Security-related fixes were made to address issues reported in the October 2015 NTP-4.2.8p4 Security Vulnerability Announcement.

86313 Fixed an issue where the failed to handle CONFIG_COMMIT error was displayed during a commit.

86202 Fixed an issue where the management plane stopped responding if you modified an object referenced in a large number of rules.

86189 Fixed an issue where the firewall did not send SNMPv3 traps that used an IPv6 server address.

86122 Fixed an issue where an LACP Aggregate Ethernet (AE) interface using SFP copper ports remained down after a dataplane restart.

85344 Fixed an issue where scheduled dynamic update installation caused the HA link to flap.

85265 Fixed an issue in the XML API that prevented a read-only superuser from downloading custom packet captures.

84997 Fixed an issue on PA-7000 Series firewalls where the first autocommit attempt failed.


84461 Fixed a Panorama issue where the virtual memory for a process (configd) exceeded its allocation, which caused commit and HA sync attempts to fail.

84146 Fixed an issue in PAN-OS 7.0 releases where the source and destination field was no longer included as expected in error messages that were triggered when requests to delete address objects failed. With this fix, the source and destination information is again included in the error message.

84027 Fixed an issue where a firewall allowed some HTTP GET packets to pass through even when the URL Filtering profile was configured to block packets in this URL category.

83564 Fixed an issue where a certificate Common Name (CN) containing UTF-8 characters caused commit requests to fail because the decoded CN string exceeded the 64-character limit.

82918 Fixed an issue where re-entering an LDAP bind password through the CLI using a hash value (instead of a regular password) was rejected for having too many characters.

82470 Fixed an issue with IPSec tunnel throughput performance caused by incorrect hardware tagging.

77460 Fixed an issue on a firewall with an expired BrightCloud license where the specified vendor was unexpectedly and automatically changed from BrightCloud to PAN-DB when any feature auth code was pushed from Panorama to the firewall.

76661 Fixed an issue where voltage alarms were triggered incorrectly (voltage was within the appropriate range).

74443 A security-related fix was made to address CVE-2015-0235.

73082 Fixed an issue where a firewall process (all_pktproc) stopped responding due to an issue with NAT pool allocation.

PAN-OS 7.0.6 Addressed Issues
The following table lists the issues that are fixed in the PAN-OS 7.0.6 release. For an overview of new features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see PAN-OS 7.0 Release Information.

Before you upgrade to PAN-OS 7.0.3 or a later PAN-OS 7.0 release, review the information about how to upgrade a firewall to PAN-OS 7.0. Additionally, if virtual system (vsys) configuration is not enabled on your firewall or appliance, you must reboot your firewall or appliance after you install PAN-OS 7.0.1 and before you upgrade to PAN-OS 7.0.3 or a later release.

For WF-500 appliances, the PAN-OS 7.0.7 maintenance release addresses an issue that was introduced in PAN-OS 7.0.6 that causes frequent false positive verdicts for Microsoft Office documents. You are advised to upgrade WF-500 appliances to 7.0.7 or later releases and are advised not to install the 7.0.6 image.

Issue ID Description

92671 Fixed an issue where traffic that was offloaded to hardware was not forwarded properly. This occurred on PA-3050 and PA-3060 firewalls and primarily with SSL traffic.

90992 Fixed an intermittent issue where the initial GlobalProtect client connection to a GlobalProtect portal or gateway failed with the error: Valid client certificate is required. This occurred when the certificate profile used CRL/OCSP to check certificate validity and was due to a problem with the certificate not being available in the dataplane cache. Subsequent connections worked because the certificate was added to the cache during the initial connection attempt.

90904 Fixed a packet drop issue on PA-7000 Series firewalls in HA configurations running a PAN-OS 7.0.3 through PAN-OS 7.0.5 release. This occurred due to a MAC address lookup issue on interfaces in an Aggregate Ethernet (AE) interface group that were part of a VLAN.

89881 Fixed an issue where the User-ID agent truncated NetBIOS names with more than 14 characters. As a result, users with domain names longer than 14 characters were not granted access.

89880 Added a new CLI operational command (set authentication radius-auth-type <auto|chap|pap>) for M-Series appliances in Panorama mode to address an incompatibility issue between PAN-OS and some RADIUS servers. With this fix, you can manually override the automatic selection mechanism and choose between CHAP and PAP.

89317 Fixed an issue where improper data pattern ordering occurred after an administrator deleted data patterns from an existing Data Filtering profile, which subsequently caused an error (rule is already in use) when attempting to add a new data pattern. With this fix, you can add or delete data patterns in any order.

88794 Fixed an issue where one-time password (OTP) RADIUS authentication failed when the domain selection field was used in the authentication profile.

88696 Fixed an issue where, under certain conditions, a process (mpreplay) frequently restarted due to excessive internal messaging.


88570 Fixed an issue where a Neighbor Solicitation (NS) packet used to refresh IPv6 neighbor tables was sent out through a VLAN interface without a VLAN tag. The NS packet was tagged correctly when the neighbor entry was initially created but the packet used to refresh the table was sent without the tag, which caused the table update to fail when the neighbor did not receive an appropriately tagged response.

88168 Fixed an issue where VM-Series firewalls running on an 8-core platform changed the passive firewall to active when a socket error occurred. The socket remained closed until an interface-related change was made.

88125 Fixed an issue where TCP segments for DNS queries were dropped when the segments were smaller than 12 bytes.

87482 A security-related change was made to management plane account restrictions to avoid service disruption.

87285 Fixed an issue where a User Activity Report PDF for the last 30 days generated an error when the report contained more than 100,000 lines.

87257 Fixed an issue that caused a dataplane restart when the firewall was configured as a DHCP relay and received DHCP requests from a third-party DHCP server or client that exceeded the payload length specified in RFC 2132.

87158 Fixed an issue where some packets were duplicated in the egress stage. This occurred on multi-dataplane firewalls when traffic flowed from virtual system to virtual system or from virtual system to a shared gateway. An update has been made to prevent packet duplication.

86980 Fixed an intermittent issue where commits failed due to invalid file permission warnings related to SSH authentication.

86970 Fixed an issue where decryption on the firewall did not function when using Chrome to browse certain websites because Chrome eliminated insecure fallback to TLS 1.0.

86916 Fixed an issue where traffic bursts entering a PA-3000 Series firewall caused short-term packet loss even though the overall dataplane utilization remained low. This issue was typically observed when two firewall interfaces on the same firewall were connected to each other. With this fix, internal thresholds were modified to prevent packet loss in these conditions.

86671 Fixed an issue where Panorama did not recognize threat IDs generated by a WF-500 appliance, which prevented you from configuring an exemption for these threats in Panorama that could be pushed to managed firewalls.

86633 Fixed an issue where the web interface indicated that a new DHCP relay configured in the CLI was enabled even though the relay was not yet enabled from the CLI.

86321 Fixed an issue where SSH decryption caused a dataplane memory leak and restart.

86251 Fixed an issue where an administrator was unable to retrieve log partition utilization using SNMP after adding additional virtual disk space on Panorama.

85913 Fixed an issue where an administrator was unable to add more than one X-Auth GlobalProtect gateway on the same interface.

85880 Enhanced the syslog variable list to include cef-number-of-severity.


85110 Fixed an issue where the firewall sent gratuitous ARP (GARP) packets for an interface IP address used in a destination NAT rule from all interfaces in the zone where that interface belonged. With this fix, the GARP packets are sent only from the interface that owns the IP address.

84949 Fixed an issue where M-100 appliances in an HA active/active configuration forwarded logs only to one syslog server, even though two syslog servers were defined. This issue occurred only on the primary-secondary appliance and was due to an HA sync issue.

84665 Fixed an issue where the Commit icon incorrectly indicated pending configuration changes after an Applications and Threats update.

84641 Fixed an issue where some DNS requests were forwarded to the wrong DNS server (the one previously but no longer configured on the firewall).

84339 Fixed an issue where a single session consumed the majority of the packet buffer resources. With this fix, you can use information in the output of the show running resource-monitor ingress-backlogs command to Identify Sessions That Use an Excessive Percentage of the Packet Buffer and then use the request session-discard CLI operational command to manually discard sessions as needed. These commands are only available on firewalls that support hardware offload.

84236 Fixed an issue where special characters in the SNMPv3 Users field caused encryption to fail and caused the firewall to restart.

83722 Fixed an issue where destination-based service routes did not work for RADIUS authentication servers.

83702 Fixed an issue on PA-7000 Series firewalls running PAN-OS 7.0.2 and later releases where WildFire Analysis reports did not display in the WildFire Analysis Report tab (Monitor > Logs > WildFire Submissions > Detailed Log View).

83361 Fixed an issue where the DoS classification counter stopped at an abnormally high value. This caused flood-type false positives in the Threat logs, causing the firewall to appear as if it reached maximum session capacity.

83135 Fixed an issue where the initial redirect failed for some SSL sites. (The error Bad Record MAC appeared after the user clicked continue but the user could then refresh the page to successfully enter the website.)

83100 Fixed an issue where Panorama HA synchronization failed when attempting to upgrade to a PAN-OS 7.0.1 through PAN-OS 7.0.5-h2 release.

82756 Fixed an issue where custom reports were not sent out by the Email Scheduler.

82443 Fixed an issue where unwanted characters were displayed on the login page after a failed login.

80721 Fixed an issue where the XML API command show dos-protection rule statistics (used to retrieve DoS protection statistics) returned an error: invalid command option.

80507 Fixed an issue in Panorama where Threat and Content names for certain threats did not appear in ACC reports, predefined reports, and spyware reports. This issue occurred only on PA-7000 Series firewalls managed by Panorama and only during an Antivirus update.


79729 Fixed an issue with firewalls in an HA configuration where a commit operation aborted for all daemons and then the DHCP daemon stopped responding. This occurred when the set deviceconfig high-availability group {group-name} configuration-synchronization enabled option was set to no.

78090 Fixed an issue where the User-ID process stopped responding on both peers in an HA active/passive configuration. This issue occurred after an upgrade and was due to a problem with the LDAP library.

74333 Fixed an issue where incremental updates for new and updated registered IP addresses were failing when registration events were occurring through the XML API. With this fix, integrating the updates for registered IP addresses no longer fails when using the XML API (on either standalone firewalls and appliances or those in HA configurations).

PAN-OS 7.0.5-h2 Addressed Issues
The following table lists the issues that are fixed in the PAN-OS 7.0.5-h2 release. For an overview of new features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see PAN-OS 7.0 Release Information.

Before you upgrade to PAN-OS 7.0.3 or a later PAN-OS 7.0 release, review the information about how to upgrade a firewall to PAN-OS 7.0. Additionally, if virtual system (vsys) configuration is not enabled on your firewall or appliance, you must reboot your firewall or appliance after you install PAN-OS 7.0.1 and before you upgrade to PAN-OS 7.0.3 or a later release.

Issue ID Description

89750 A security-related fix was made to address a stack underflow condition.

89706 A security-related fix was made to prevent some CLI commands from improperly executing code.

PAN-OS 7.0.5 Addressed Issues
The following table lists the issues that are fixed in the PAN-OS 7.0.5 release. For an overview of new features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see PAN-OS 7.0 Release Information.

Before you upgrade to PAN-OS 7.0.3 or a later PAN-OS 7.0 release, review the information about how to upgrade a firewall to PAN-OS 7.0. Additionally, if virtual system (vsys) configuration is not enabled on your firewall or appliance, you must reboot your firewall or appliance after you install PAN-OS 7.0.1 and before you upgrade to PAN-OS 7.0.3 or a later release.

Issue ID Description

89752 A security-related fix was made to address a buffer overflow condition.

89717 A security-related fix was made to ensure the appropriate response to special requests received through the API interface.

88550 Fixed an issue on firewalls running in Common Criteria (CC) mode where seeding using an OpenSSL deterministic random bit generator (DRBG) caused a process (cryptod) to stop responding and resulted in commit failures.

88439 Fixed an issue on a PA-3000 Series firewall where a dataplane constantly restarted due to a hardware content matching memory issue.

88382 Fixed an issue in a high availability (HA) active/active configuration with unexpectedly short (20-second) timeouts that occurred when an HA2 session sync message failed. This issue was due to an ARP problem between dataplanes in the HA configuration when the HA2 backup was in use and using either IP or UDP transport mode. With this fix, unexpectedly short session timeouts no longer occur due to this issue.

88191 A security-related fix was made to address information leakage in system logs that impacted the web interface.

87565 Fixed an issue where a firewall did not forward correlation events to the syslog server.

87170 Fixed an issue where a firewall did not filter groups using the filters applied in search parameters; instead, the firewall ignored filters and displayed all groups in search results.

86947 Fixed a rare issue where an active firewall in a high availability (HA) configuration incorrectly synced to the configuration from the passive firewall when a second commit was performed on the active firewall before a previous commit was completed.

86723 Fixed an issue where a dataplane restarted when client-to-server traffic exceeded 4GB and included HTTP GET or POST requests that had the source IP address in the Origin header.

86664 Fixed an issue with IKEv2 that caused a child security association (SA) to install incorrectly on a firewall when the tunnel was connected to third-party equipment using PFS.

86390 Fixed an issue where a virtual system (vsys) created in a Panorama template did not display where expected when the first two characters of the vsys name were "sg" (such as "sg01"). With this fix, Panorama no longer allows you to create a vsys with a name that begins with "sg" in a Panorama template.


86319 Fixed an issue where a process (routed) on the firewall stopped responding and resulted in high CPU usage when applying a BGP autonomous system (AS) path filter.

86312 Fixed an issue where the last update time never exceeded 1 second after making a change to the update interval of a group mapping service.

86193 Fixed an issue in a high availability (HA) configuration where LDAP group mappings did not properly refresh after a firewall became the active peer again after going through the passive state. This was due to a variable that was not initialized properly and was then used in an error case. With this fix, LDAP variables are properly initialized to avoid this LDAP group mapping issue.

86136 Fixed an issue where the GlobalProtect gateway sent an access request packet with malformed data inside the Framed-IP-Address field to the RADIUS server.

86126 Fixed an issue where a user with a custom role-based administrative account couldn't preview rules listed as Combined rules.

86091 Fixed an issue where a commit to configure a tunnel interface that used a string instead of an integer caused a process (routed) on the firewall to stop responding.

86075 Fixed an issue on a PA-3060 firewall where the size of the SML VM EmlInfo software pool was less than expected. With this fix, the size of the SML VM EmlInfo software pool is increased to the expected value.

85888 Fixed an issue where the firewall ignored the session timeout value and automatically refreshed administrators who were still logged in to the firewall even when those sessions were inactive for a period longer than the configured timeout.

85879 Fixed an issue where a firewall in a high availability (HA) configuration generated a false positive event (Running configuration not synchronized after retries) 75 seconds after each HA sync. With this fix, this error is returned only for commits that take longer than 45 minutes to complete.

85878 In response to an issue where DNS queries sometimes caused a Log Collector to run too slowly and caused delays in log processing, the debug management-server report-namelookup disable CLI command is added to disable DNS lookups for reporting purposes.

85863 Fixed an issue where multicast traffic sent over a virtual wire (vwire) with Multicast Firewalling disabled (Network > Virtual Wires > <vwire>) caused high CPU and packet buffer depletion.

85821 Fixed an issue where a dataplane stopped responding due to memory corruption.

85754 Fixed an issue where a VM-Series disk was corrupted and went into maintenance mode after processing mutated traffic from third-party signature detection software.

85687 Fixed an issue where the system log entries displayed logged in via Web from 127.0.0.1 for administrators who logged in via XML API. With this fix, the system log displays the correct IP address for administrators who logged in via XML API.

85675 Fixed an intermittent issue where a process (mprelay) restarted and, after multiple restarts, caused the firewall to restart. This issue was associated with the processing of add and delete events for IPv4 ARP and IPv6 neighbor updates. With this fix, IPv4 ARP and IPv6 neighbor updates no longer cause the mprelay process or firewall to restart.


85611 Fixed an issue where the number of fib entries for device FIB counter was inaccurate with ECMP enabled. With this fix, the firewall maintains an accurate count of entries in the FIB table for the number of fib entries for device FIB counter.

85484 Fixed an intermittent issue where the GlobalProtect portal used the cookie instead of the authentication information provided by the GlobalProtect client, which caused authentication to fail. With this fix, if a client connects using a cookie, the GlobalProtect portal ignores the cookie in favor of the authentication information provided by the GlobalProtect client so that authentication is successful.

85358 Fixed an issue where SSL decryption sessions were not cleared after executing the clear session all filter ssl-decrypt yes CLI command (or any other session-clearing command that used the ssl-decrypt yes filter). With this fix, SSL decrypt sessions are cleared as expected when executing session-clearing commands that include the ssl-decrypt yes filter.

85245 Fixed an issue where a virtual system (vsys) configuration remained in the firewall configuration even after the vsys was deleted. This caused commits to fail when attempting to add a new vsys using the same ID as the vsys that was not successfully deleted.

85193 Fixed an issue in a high availability (HA) configuration where multiple overlapping queries resulted in a race condition that caused HA sync jobs to fail.

84963 Fixed an issue in Panorama templates where administrators could mark a certificate as Forward Trust or Forward Untrust but forwarding did not take place as expected when the template was configured to apply only to one virtual system (single-vsys mode). With this fix, marking a certificate as Forward Trust or Forward Untrust works as expected even when the template is in single-vsys mode.

84908 Fixed an issue where the logged session end reason for decrypted SSL sessions always displayed as aged out regardless of whether that was the actual TCP session end reason. With this fix, the session end reason now displays correctly for decrypted SSL sessions.

84729 Fixed an issue on M-Series appliances and with PA-7000 Series Log Processing cards where output of the show system logdb-quota CLI command didn't match the values in Logging and Reporting Settings in the web interface (Device > Setup > Management > Logging and Reporting Settings > Log (Card) Storage) due to a discrepancy in space calculation. With this fix, the values in the web interface accurately reflect available storage space and match the output from the show system logdb-quota CLI command.

84552 Fixed an issue where the debug user-id reset ts-agent/user-id-agent CLI command did not work as expected.

84538 Fixed an issue where a dataplane restarted unexpectedly on a firewall with SSL decryption enabled. This occurred during the SSL handshake when the firewall received a Hello packet from the server that had a higher SSL protocol version than the Hello packet received from the client.

84496 Fixed an issue on PA-7000 Series firewalls where excessive or prolonged log queries caused a memory leak on the Log Processing Card (LPC).

84239 Fixed an issue where a read-only Superuser was able to perform a commit when using XML API (but not via the web interface). With this fix, read-only Superusers cannot use XML API to perform commits.

83764 Fixed an issue where using web interface certificate authentication caused login failures.


83731 Fixed an issue in a virtual wire configuration where a firewall incorrectly modified the MAC address for traffic when decryption was enabled. With this fix, the firewall no longer modifies the MAC address of traffic.

83454 Fixed an issue with IPv6 traffic that had an extension header and caused jitter when passing through a PA-7000 Series firewall in a high availability (HA) active/active configuration.

83362 Fixed an issue where a commit failed when a subinterface that was pushed from Panorama lost its reference to its associated VLAN after the subinterface configuration on the firewall was overridden and then reverted in the template. With this fix, after an interface is reverted, subinterfaces do not lose their mapping to VLANs.

83337 Fixed an issue where firewalls generated multiple core dumps after a reboot when incoming packets were forwarded to the dataplane while an autocommit was still processing. With this fix, packets are not forwarded to the dataplane until an in-process autocommit is complete.

83328 Fixed an issue where an M-100 appliance experienced a memory limit condition. With this fix, the virtual memory for the management server process is increased to avoid this issue.

83145 Fixed an issue on a PA-7000 Series firewall where an interface in tap mode unexpectedly transmitted traffic that was received on that interface.

82916 Fixed an issue where the trusted CA store on the firewall was missing the QuoVadis root CA 2 and root CA 3 G3 certificates. With this fix, both these QuoVadis certificates are included in the trusted CA list.

82873 Fixed an issue with missing fields and inconsistencies in the Syslog format for Correlated Events that were exported to a syslog server.

82862 Fixed an issue where the device server process (devsrvr) restarted unexpectedly when Panorama pushed a template that contained a certificate with a corrupt public key.

82667 Fixed an issue where the PAN-OS integrated User-ID agent failed to connect to a monitored server when the User-ID agent was configured to use the FQDN instead of the IP address for the server.

82358 Fixed an issue where, when using LDAP authentication, a GlobalProtect client incorrectly showed a Password expired message even when the password had not expired.

81812 Fixed an issue where a firewall did not accurately check certificate revocation status via OCSP because the OCSP request did not include the HOST header option. With this fix, the firewall uses the HOST header option as expected and successfully retrieves the revocation status of the certificate in response to OCSP requests.

81743 Fixed an issue where URL categorization failed for some URLs due to an issue with message buffer size.

81425 Fixed an issue where IPSec renegotiation was not initiated as expected after a PPPoE interface received a new IP address.

81424 Fixed an issue where the From column in the output of the show admins command was Console instead of the correct IP address when connected to the CLI via telnet or SSH.

81062 Fixed an issue where the email action for scheduled reports timed out due to reports that took too long to generate. With this fix, the email timeout is increased and report generation is enhanced to avoid this issue.


80415 Fixed an issue where a firewall was not presenting the Captive Portal response page to users. This occurred when the URL category was marked not-resolved, such as when cloud servers were unavailable.

79596 Fixed an intermittent issue on PA-5000 Series firewalls where the dataplane stopped responding. With this fix, there are additional sanity checks and logging to avoid this issue.

73177 Fixed an issue where redistributed Not-So-Stubby Area (NSSA) type 7 routes converted to NSSA type 5 routes were not flushed from the OSPF database quickly enough after the redistributing NSSA router went down. With this fix, the OSPF is flushed within the expected period of time so that routes that go down are not advertised as still available.

PAN-OS 7.0.4 Addressed Issues
The following table lists the issues that are fixed in the PAN-OS 7.0.4 release. For an overview of new features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see PAN-OS 7.0 Release Information.

Before you upgrade to PAN-OS 7.0.3 or a later PAN-OS 7.0 release, review the information about how to upgrade a firewall to PAN-OS 7.0. Additionally, if virtual system (vsys) configuration is not enabled on your firewall or appliance, you must reboot your firewall or appliance after you install PAN-OS 7.0.1 and before you upgrade to PAN-OS 7.0.3 or a later release.

Issue ID Description

88869 Fixed a performance degradation issue on a VM-Series firewall with 8 cores when threat scanning was enabled when attempting to process large transaction-specific SSL traffic types. Additionally, this fix addressed an intermittent issue where the GlobalProtect MSI file failed to download after a user authenticated to the portal page.

87422 Fixed an issue where multicast traffic was dropped when the source started sending group traffic because there was not yet a corresponding multicast route or FIB entry on the firewall. With this fix, the multicast route is updated more quickly and packets are enqueued instead of dropped while the firewall waits for the updated route information.

87410 Fixed an issue where an API call to add, delete, or modify a URL entry failed when the URL included a single (') or double (") quote character as an XML attribute. With this fix to comply with XML XPath 1.0, API instructions are completed successfully even when acting on a URL that includes a single or double quote used as an XML attribute.

87385 Fixed an issue where all the widgets on the ACC tab of a managed firewall (and when exported in a PDF file) displayed Report Error when you accessed the firewall through a context switch from Panorama (whether virtual or M-Series appliance).

87280 Fixed an issue where the number of SSL free memory chunks was depleted to 0, which caused a disruption in SSL decryption-related traffic.

87231 Fixed an issue where a PA-7000 Series firewall did not load balance egress traffic on Aggregate Ethernet (AE) interfaces as expected.

87078 Fixed an issue where the management server stopped responding when there was a high logging rate, which caused the Log Collector to disconnect from Panorama.

86938 The client certificate used by PAN-OS and Panorama to authenticate to the PAN-DB cloud service, the WildFire cloud service, and to WF-500 appliances expired on January 21, 2016. The expiration results in an outage of these services. To avoid an outage, either upgrade to content release version 550 (or a later version) or upgrade PAN-OS and Panorama instances running a PAN-OS or Panorama 7.0 release to PAN-OS (or Panorama) 7.0.4 or a later release.

86895 Fixed an issue on M-Series and WF-500 appliances where the Ethernet1/2 interface unexpectedly broadcasted DHCP discover packets with the internal BMC IPMI LAN MAC address as the source MAC address when the internal BMC IPMI LAN was configured to use DHCP as the source address.


86803 Fixed an intermittent issue where the idle timer for GlobalProtect IPSec tunnels either did not expire appropriately (such as when the tunnel was torn down) or expired at the configured idle time expiration even when a user was actively using the connection. With this fix, the GlobalProtect IPSec tunnel idle timer behaves as expected.

86467 Fixed an issue in PAN-OS 7.0.3 where firewalls did not check for superuser accounts that were pushed through a Panorama template, which caused an upgrade process error when all superuser accounts were pushed through a Panorama template (firewalls must have at least one superuser account in the configuration). With this fix, firewalls correctly recognize superuser accounts that are pushed through a Panorama template.

86212 Added a new CLI operational command (set authentication radius-auth-type <auto|chap|pap>) to address an incompatibility issue between PAN-OS and some RADIUS servers. With this fix, you can manually override the automatic selection mechanism introduced with Challenge-Handshake Authentication Protocol (CHAP) support in PAN-OS 7.0 to select either CHAP or Password Authentication Protocol (PAP) as needed.

85801 Fixed an issue where a firewall that was forwarding logs to multiple Panorama management servers and Log Collectors stopped forwarding logs to any appliance after an administrator suspended log forwarding on the active-primary Panorama server. With this fix, the firewall continues to forward logs to all Panorama management servers and Log Collectors except any appliance for which an administrator specifically suspends log forwarding.

85721 Fixed an issue where firewalls with a specific OCZ Deneva hard disk (model DENCSTE251M21) configured in a RAID and running PAN-OS 7.0.1 or later releases experienced RAID errors.

85514 Fixed an issue where a commit request failed due to processes (configd and mongod) with high memory usage.

85364 Fixed an issue where HTTP and HTTP Online Certificate Status Protocol (OCSP) management services were enabled only for the first IP address on an interface with multiple IP addresses. With this fix, when HTTP and HTTP OCSP management services are enabled on an interface, services are enabled for all IP addresses associated with that interface.

85285 Fixed an issue where output from the show ntp command did not always display the correct NTP status. Primarily, this issue occurred when there was only one NTP server configured and, even when correctly connected to the NTP server, the output of the show ntp status command displayed as rejected. With this fix, output from the show ntp command correctly displays NTP status as synchronized after the firewall successfully connects to an NTP server.

85166 Fixed an issue on a PA-7000 Series firewall where the first packet in a session was dropped when it arrived before the firewall freed up a previous session that used the same 5-tuple. With this fix, the firewall treats the previous session as an inactive flow and successfully creates the new session.

85091 Fixed an issue on a firewall where software packet buffers were being depleted. With this fix, the firewall will dynamically adjust the TCP receive window based on peer traffic to avoid software packet buffer depletion. Additionally, there is a fix for a memory leak in error handling of SSL Forward Proxy mode and the size of the software buffer pools is increased.

84851 Fixed an issue where the virtual system (vsys) ID on the firewall was computed incorrectly
when Panorama pushed a template with Force template value enabled and containing
virtual system information to the firewall.

84811 Fixed an issue on a VM-Series firewall (KVM on Centos 7/Redhat) where a process
(vmuuid) displayed as empty after boot. With this fix, the vmuuid process is displayed
correctly.

84678 Fixed an issue with the way the management plane performed updates through HTTP and
HTTPS calls, such as for block list and content updates.

84595 Fixed an issue with HTTP requests generated by the firewall when retrieving custom
Dynamic Block Lists.

84495 Fixed an issue where, in some cases, generating output for the show running url-cache
all CLI command caused a short delay in communication with the dataplane. With this
fix, to avoid this communication delay, the output of the show running url-cache all
command is no longer included when generating the tech support file.

84494 Fixed an issue where the session end reason for a single threat ID was reported differently
depending on which decoder was used. With this fix, only one session end reason (threat)
is reported for all blocked SMTP traffic regardless of which decoder is used.

84465 Fixed an issue where the external interface on an LSVPN satellite was unable to establish
an LSVPN connection to the active-primary firewall in an HA active/active configuration
that was acting as the GlobalProtect portal or gateway when the external interface of the
satellite was configured as a DHCP client. (This failure occurred even though an LSVPN
connection was successfully established with the active-secondary firewall.) With this fix,
the LSVPN satellite (with the external interface configured as a DHCP client) successfully
establishes an LSVPN connection to both firewalls (active-primary and active-secondary)
after a reboot.

84454 Fixed an issue where attempts to load a partial configuration for a device group from an
XML file resulted in an error message. With this fix, you can successfully load a partial
configuration for a device group and merge it with an existing device group.

84433 Fixed an issue where a web page would not load successfully without refreshing the
browser multiple times when Open Certificate Status Protocol (OCSP) validation was
enabled. This occurred when a block page message was presented within one second of
the attempt to load an HTTPS site while decryption was enabled on the firewall with the
OCSP validation timeout set to 60 seconds.

84167 Fixed an issue where a firewall incorrectly reordered certain TCP traffic during transmit
stage.

84008 Fixed an issue where an LSVPN IPSec tunnel went down when the hard key lifetime
expired during a rekey. With this fix, the soft key lifetime is adjusted so that the hard key
lifetime does not expire before the rekey finishes.

83907 Fixed an issue where administrators could not disable counters in system logs using the
debug dataplane packet-diag set log counter <counter-name> CLI command
when those counters had names longer than 31 characters.

83902 Fixed an issue where monitoring an SNMP OID (.1.3.6.1.2.1.25.2.3.1.5.41) for disk space
resulted in incorrect values on volumes over 2TB in size.

83898 Fixed an issue on Panorama M-Series and virtual appliances where exporting a report as
a comma-separated value (CSV) file (Monitor > Reports) failed and resulted in a web
interface error (Error enqueuing export job).

83889 Fixed an issue where a PA-7000 Series firewall incorrectly dropped non-TCP and
non-UDP fragmented traffic, such as EtherIP traffic.

83844 Fixed an issue where a memory leak caused a PA-200 firewall to reboot.

83657 Fixed an issue where Panorama did not properly push device or template configurations
for NTP, send hostname in syslog, or WildFire settings to a device.

83592 Fixed an issue where the User-ID process (useridd) went into a reboot loop and caused the
passive firewall in a high availability (HA) configuration to restart. This was due to bulk and
incremental updates of terminal services users.

83253 Fixed an issue where video calls failed when H.245 (open logical channel ack) packets
referenced a pre-NAT address.

82913 Fixed an issue where ToS headers were not set correctly in Encapsulating Security Payload
(ESP) packets across VPN tunnels.

82865 Fixed an issue with a PA-5000 Series firewall where sessions owned by dataplane 1 (DP1)
or DP2 did not display in the output when executing the show session command on
DP0.

82710 Fixed an issue where unexpected dataplane restarts occurred due to out-of-memory errors
and high resource usage on packet descriptors when SSL Forward Proxy was enabled. This
fix also addresses a dataplane process memory leak.

82621 Fixed an intermittent issue on a PA-7000 Series firewall where traffic was dropped when
the log interface and dataplane interfaces were both configured on the same Network
Processing Card (NPC).

82605 Fixed an issue where policy-based forwarding (PBF) with Enforce Symmetric Return
enabled (Policies > Policy Based Forwarding > pbfrule > Forwarding) caused offloaded
PBF sessions to fail when attempting to egress the firewall.

82424 Fixed an issue on a PA-5000 Series firewall where packets were dropped or the dataplane
stopped responding when receiving specific ingress or egress traffic associated with
offloaded sessions. With this fix, a field-programmable gate array (FPGA) change was
made to address these issues.

82138 Fixed an issue where WildFire reports were not displayed on the web interface when
proxy settings were configured for the management interface.

82118 Fixed an issue on the QoS Statistics panel (Network > QoS) where data was displayed only
on the bandwidth tab; all other tabs (Applications, Source Users, Destination Users,
Security Rules, and QoS Rules) were empty.

82095 Fixed an issue where a commit request did not finish processing due to a process (routed)
that stopped responding.

81996 Fixed an issue where a HIP Profile did not sync between the active and passive firewalls
in a high availability (HA) configuration, which caused the HIP Profile to no longer be in
effect after a failover. With this fix, the HIP Profile is correctly synced between the active
and passive firewalls and remains in effect after a failover.

81949 Fixed an issue where Dynamic Address Groups pushed from Panorama to a firewall were
not displayed in the output of CLI show commands.

81830 Fixed an issue where SSL Forward Proxy did not include the appropriate TLS 1.2 extension
(Signature Algorithms) in ClientHello messages, which prevented successful
interoperability with some Microsoft websites.

81333 Fixed an issue where managed firewalls and appliances were unable to connect to
Panorama using the master key after a factory reset (or RMA).

81241 Fixed a rare issue where NAT traffic was dropped after a failed commit attempt.

80631 Fixed an issue in a high availability (HA) configuration where the ports on the passive
firewall did not come up when the passive link state was set to auto (Device > High
Availability > General > Active Passive Settings).

79917 Fixed an issue on a PA-3000 Series firewall where the dataplane stopped responding
when receiving specific ingress or egress traffic associated with offloaded sessions. With
this fix, a field-programmable gate array (FPGA) change was made to address this issue.

79531 Fixed an issue where an error was displayed (No Data to Display) in the Threat Monitor
window (Monitor > App Scope > Threat Monitor) when selecting the Show Files filter.

78624 Fixed an issue where the active-secondary firewall in an HA active/active configuration
was incorrectly responding to ARP requests for the IP address used in the destination NAT
rule with binding to the active-primary firewall.

78482 Fixed an issue where VM Information Sources bypassed proxy settings.

78317 Fixed an issue where the management plane in an HA active/passive configuration
restarted due to a dataplane process (mprelay) that stopped responding when it
experienced memory corruption and encountered unexpected behavior from the FIB
pointer.

77236 Fixed an issue where importing a certificate more than once with different names caused
the dataplane to stop responding when the certificate was used for SSL Inbound
inspection.

76269 Fixed an issue where an active-primary M-100 appliance in an HA configuration was
unable to establish a connection with the passive-secondary or active-secondary HA peer
for log collection.

76197 Fixed an issue where firewall Traffic logs displayed unusually large byte counts for
http-proxy and httpy-video counters due to frequent application shifts between
those application type packets within a single proxy session.

76103 Fixed an issue where adding a threat exception to a Vulnerability Protection profile
(Objects > Security Profiles > Vulnerability Protection > profile > Exceptions) resulted in
an error (Schema node for Xpath was not found).

73187 Fixed an issue where the WildFire Analysis report (Monitor > WildFire Submissions >
Detailed Log View > WildFire Analysis Report) did not display on versions 9 or 10 of
Internet Explorer due to a script error.

70719 In response to an issue where a dataplane restarted due to an incorrect flow ID, PAN-OS
6.1.4 and later releases included additional checks to help prevent the dataplane from
restarting due to this issue. In PAN-OS 7.0.3, those PAN-OS 6.1.4 modifications were
further modified to provide a more complete solution that avoids inadvertently dropping
IPv4 traffic affected by this issue; in PAN-OS 7.0.4, the solution includes an additional fix
to avoid inadvertently dropping IPv6 traffic related to this issue.

66285 Fixed an issue where the web interface certificate did not properly sync between HA
peers, which led to a race condition that caused a commit request to fail.

PAN-OS 7.0.3 Addressed Issues
The following table lists the issues that are fixed in the PAN-OS 7.0.3 release. For an overview of new
features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see
PAN-OS 7.0 Release Information.

Before you upgrade to PAN-OS 7.0.3 or a later PAN-OS 7.0 release, review the information about how to upgrade a
firewall to PAN-OS 7.0. Additionally, if virtual system (vsys) configuration is not enabled on your firewall or appliance,
you must reboot your firewall or appliance after you install PAN-OS 7.0.1 and before you upgrade to PAN-OS 7.0.3
or a later release.

Issue ID Description

85065 Fixed a CLI input parsing issue that caused a process on the management plane to stop
responding when processing unexpected input.

84711 Fixed an intermittent issue where some packets incorrectly matched Security policy rules,
which resulted in App-ID policy lookup errors and discarding of packets.

84599 Fixed an issue in PAN-OS 7.0 releases where a process (dhcpd) did not correctly handle
DHCP padding Option 0 when receiving a DHCP request from the DHCP client. This
prevented the firewall that was acting as the DHCP server from allocating and committing
the offered IP address to the DHCP client, which caused the firewall to be stuck in offered
state. With this fix, the DHCP process correctly handles DHCP padding Option 0 and
successfully commits IP addresses offered to DHCP clients.

84246 Fixed an issue where a PA-7050 firewall running PAN-OS 7.0 assigned the same MAC
address to all interfaces on two different PA-7050 chassis when the chassis base MAC
addresses differed only in the 10th bit. With this fix in PAN-OS 7.0.3, two such different
PA-7050 chassis are assigned different interface MAC addresses as expected.

84094 Fixed an issue where a user activity report (Monitor > PDF Reports > User Activity Report)
contained no statistics for users with a domain+username string length that exceeded 32
characters.

84046 Fixed an issue where SSL decryption failed when a certificate was rejected due to a missing
or empty basicConstraints extension. With this fix, an exception is added to allow a missing
or empty basicConstraints extension for self-signed non-CA certificates.

84012 Fixed an issue where a process (ikemgr) stopped responding due to a missing IKE profile.

83907 Fixed an issue where the debug dataplane packet-diag set log counter
<counter-name> CLI command did not accept counter names longer than 31 characters,
which prevented administrators from adding such counters for logging in system logs.

83867 Fixed a rare issue where one of the internal databases was corrupted after an improper
shutdown (power off) of the firewall. When this happened, the firewall was unable to
automatically restart and would not start up properly thereafter.

83819 Fixed an issue on an M-100 appliance running Panorama 7.0 where a custom report failed
to run when setting the Database (Monitor > Manage Custom Reports) to Summary
Databases > Remote Device Data > Threat and selecting Severity from the list of Available
Columns when any remote firewall used for custom reporting was running a PAN-OS 6.1
or earlier release.

83637 Fixed an issue where packet processing on a VM-Series firewall caused the firewall to stop
forwarding traffic.

83574 Fixed a rare issue where, in some scenarios, such as when a firewall is restarted and IPSec
security associations (SAs) are not established when a remote VPN peer is unreachable,
the tunnel interface configured with IPSec tunnel monitoring is present in the routing table
and status is Up.

83519 A security-related fix was made to address CVE-2015-5600.

83293 Fixed an issue in Panorama where SNMPv3 settings were removed and could not be
updated when modifying an existing SNMPv3 device template.

83288 Fixed an issue where autocommit failed when the GlobalProtect gateway or Captive Portal
certificate was pushed through Panorama after upgrading a firewall from a PAN-OS 6.1
release to PAN-OS 7.0.2.

83256 Fixed an issue where the firewall did not block unsupported elliptic curve Diffie-Hellman
(ECDH) exchange cipher suites during SSL forward proxy even when Block sessions with
unsupported cipher suites was enabled (Objects > Decryption Profile > <decryptprofile>
> SSL Decryption > SSL Forward Proxy).

83149 Fixed an issue where a missing node (user) in the unlock command prevented
administrators from using the Panorama web interface to unlock a locked LDAP user.

83142 Fixed an issue where triggering a DHCP release did not clear the original settings for a
DHCP client that was in renew state.

83113 Fixed an issue where attempts to regenerate metadata caused a process
(update_vld_itvl_idx) to stop responding when encountering a corrupt log file (a log file that
contained invalid data). With this fix, the metadata regeneration process skips log files that
contain invalid data so that the regeneration task is successfully completed.

83102 Added functionality to allow commits to succeed even when there is no Network
Processing Card (NPC) installed yet, or when the NPC is not supported or recognized in the
current PAN-OS release. With this fix, you can install PA-7000 Series cards that are not
supported in the PAN-OS version shipped with or running on the firewall and then upgrade
to the appropriate PAN-OS version.

83041 Fixed an issue where adjustments to the width of columns in the web interface are not
saved, causing columns to revert to previous settings when you view a different tab. With
this fix, changes to the width of columns in the web interface are retained until changed
again.

83004 Fixed an issue where a Zone Protection profile with strict IP checking enabled resulted in
incorrectly dropped packets. These drops were caused by an improper check of whether
the source IP address was a broadcast address.

83001 Fixed an issue on an M-100 appliance where available disk size was reported as 0 bytes
during an upgrade. This incorrectly caused old logs to be purged from the other Log
Collectors in the group in an attempt to adhere to the configured log quota for the group.
Additionally, Panorama 6.1.8 and Panorama 7.0.3 (and later releases) on an M-100
appliance with zero disk space displays an error when attempting to commit to Collector
Group (Failed to commit collector config) or a warning when attempting to commit
to Panorama (Disk <disk-ID> on log collector <log-collector-id> in group
<group-ID> has a size of zero bytes).

82887 Fixed an issue where authentication attempts against a local authentication profile within
an authentication sequence failed when the local profile was not the first profile in the
sequence.

82853 Fixed an issue where role-based administrators were not allowed to perform API calls.

82849 Fixed an issue on a Panorama virtual appliance using a Network File System (NFS) storage
partition where the file system integrity check incorrectly failed for the NFS directory,
which caused the NFS mount to fail when rebooting Panorama after an upgrade to
Panorama 7.0.

82838 Fixed an issue where the User-ID process (useridd) stopped responding when reading
config messages from the Terminal Services (TS) agent.

82778 Fixed an issue where failed authentication attempts were not cleared when the
authentication attempt was eventually successful. With this fix, the failed authentication
attempt counter for a given user is reset as expected after every successful login.

82560 Fixed an issue where a passive VM-Series firewall in an HA pair with Use Hypervisor
Assigned MAC Address enabled (Device > Management > Setup) was sending GARP
requests without an established HA2 connection. With this fix, a passive VM-Series firewall
no longer sends these GARP requests when you enable Use Hypervisor Assigned MAC
Address without an HA2 connection.

82534 Fixed an issue where a firewall incorrectly injected SSL messages into traffic on port 443.

82533 Fixed an issue where the OCSP responder failed to check the validity of client certificates
and showed status as unknown when unable to locate the custom root CA used in the
certificate profile for the GlobalProtect portal configuration.

82377 Fixed an issue where, in a Large Scale VPN (LSVPN) configuration, a GlobalProtect gateway
incorrectly installed the previously allocated IP address for the GlobalProtect satellite as
the next hop for the routes advertised by satellites. With this fix, the GlobalProtect gateway
removes any old IP addresses allocated to the satellite and correctly installs the new IP
address allocated to the satellite as the next hop for the routes advertised by satellites.

82338 Fixed an issue where one-time password (OTP) RADIUS authentication failed when
configured in the same authentication sequence as the domain selection. This issue was
caused by the firewall incorrectly truncating the RADIUS challenge state. Also fixed OTP
RADIUS authentication issues where the backslash (\) character was incorrectly removed
from the username entry and where an incorrect password resulted in long delays before
returning a password error message.

82326 Fixed an issue where additional locked users are not displayed when you click More in the
web interface (Devices > Authentication-Sequence > Locked Users).

82136 Fixed an issue where packets that matched a policy-based forwarding (PBF) rule with
Action set to No PBF (Policies > Policy Based Forwarding > pbfrule > Forwarding) were
dropped when offloading was enabled. With this fix, offloaded sessions are passed as
expected even when the traffic matches a PBF rule with Forwarding set to No PBF.

82109 Fixed an issue on a PA-7000 Series firewall where passive FTPS with inbound decryption
failed after entering passive mode. This occurred when predict sessions did not merge as
expected due to the predict queue. With this fix, proxy ingress executes before the predict
queue so that all data sessions merge as expected and FTP transfer is successful over TLS.

82099 Fixed an issue where the remote host (From) IP address for the Panorama session displayed
in reverse order displayed the administrator IP address in the Logged in Admins widget
on the Dashboard.

81944 Fixed an issue where patch management for a GlobalProtect host information profile (HIP)
check failed to identify missing patches when the Check setting for patch management in
HIP Objects criteria was set to has-all, has-any, or has-none (Objects > GlobalProtect >
HIP Objects > Patch Management > Criteria).

81927 Fixed an issue where a firewall stopped submitting files to a WildFire cloud (public or
private) when a CPU process (varrcvr) stopped responding. This issue occurred when
receiving an email with a subject line containing more than 252 characters.

81868 Fixed an issue with a packet buffer (FPTCP) leak and resolved a few
dataplane-to-management-plane connection issues, as well.

81584 Fixed an issue in Panorama 7.0 where output from the show ntp command did not always
display the correct NTP status. Primarily, this issue occurred when there was only one NTP
server configured and, even when correctly connected to the NTP server, the show ntp
status displayed as rejected. With this fix, output from the show ntp command
correctly displays NTP status as synchronized.

81581 Fixed an issue where a process (useridd) was unable to accommodate a large number of HIP
reports during HA synchronization, which caused abnormally high CPU and memory
utilization on the firewall.

81522 Fixed an issue where a firewall allowed commits to succeed even when there were no
superuser administrator accounts included in the configuration. This would cause the
firewall to be inaccessible (except when the firewall was managed by Panorama, which
could still provide access to the firewall through Panorama context switching). With this fix,
a commit succeeds only if there is at least one local superuser account in the configuration;
if none exist, the commit fails.

81415 Fixed an issue on PA-7000 Series, PA-5000 Series, PA-3000 Series, and PA-500 firewalls
where an Aggregate Ethernet (AE) interface was unable to transmit an ARP request on a
tagged subinterface to the neighboring device.

81408 Fixed an issue where shared address objects that are not used in security policy rules were
pushed to firewalls even when Panorama Settings (Panorama > Setup > Management) was
configured to not Share Unused Address and Service Objects with Devices.

81383 Fixed an issue where the show routing route CLI command output was missing a comma
(","). With this fix, the output displays correctly.

81370 Fixed an issue where the firewall was unable to allocate a large memory block, which
caused sessions to fail. This fix ensures adequate resources are available for a large memory
block when needed.

81367 A security-related fix was made to address CVE-2015-4024.

81301 Fixed an issue on a firewall with decryption enabled where insufficient buffer space
resulted in discarded SSL sessions.

81170 Fixed an issue where the SNMP manager returned a warning (subtype-illegal) related to
panVsysEntry OBJECT-TYPE (panVsysName) when adding the PAN-COMMON-MIB.my
MIB file. With this fix, adding the current version of MIB files to the SNMP manager does
not trigger a subtype-illegal warning.

81079 Fixed an issue where, in a Dynamic Updates schedule popup (Device > Dynamic Updates
> <Schedule>), hovering over the override icons displayed incorrect values for the
Recurrence setting for antivirus and content updates when the Recurrence setting on the
firewall was overridden by a template push. With this fix, hovering over the Recurrence
value override icon for a Dynamic Update schedule displays the correct information even
when the Recurrence setting was pushed to the firewall through a template push.

81058 Fixed an issue on PA-7000 Series firewalls where NAT Dynamic IP fallback did not correctly
translate resources, which resulted in dropped packets.

80932 Fixed an issue where passwords for non-administrators entered in the GlobalProtect login
window were truncated to 40 characters when using RADIUS authentication.

80831 Fixed an issue where SSL decryption failed for some sites when the size of the certificate
was larger than 1.5KB.

80766 Fixed an issue where dataplane 0 (DP0) on the passive firewall in a high availability (HA)
configuration restarted after a session was established on the active firewall interface when
that same interface did not also exist on the passive firewall.

80753 Fixed an issue on a PA-3060 firewall where a network outage occurred when the number
of active sessions reached 100,000. With this fix, the maximum number of detector threats
(dthreats) is increased to avoid this issue.

80702 Fixed an issue in a high availability (HA) configuration where the ARP table synced with the
primary peer but was refreshed only on dataplane 0 (DP0) of the passive peer, which
caused ARP entries to expire prematurely on the passive firewall when their TTL reached 0.

80648 Fixed an issue where a device group commit failed when using the destination interface in
a NAT rule configured on Panorama.

80533 Fixed an issue where administrators could view addresses and usernames in the Application
Command Center (ACC) view even when the Show Full IP Addresses or Show User
Names In Logs And Reports option was disabled for the Admin Role profile associated with
those administrators (Device > Admin Roles > <AdminRoleProfile> > Web UI > Privacy
settings).

80463 Fixed an issue where a local commit on Panorama failed (invalid reference) on a
template or template stack when a Log Forwarding profile was configured to send logs to
syslog (Objects > Log Forwarding).

80397 Fixed an issue where you could create a new Monitor profile when creating a policy-based
forwarding (PBF) rule on Panorama even when the target template was unknown (the PBF
rule is part of a device group and the Monitor profile is part of a template configuration).
With this fix, you can no longer create a new Monitor profile when creating a PBF rule on
Panorama.

80389 Fixed an issue on a PA-5060 firewall where internal packet path monitoring failed when
under a heavy load. With this fix, internal packet path monitoring is forwarded using a
priority setting that prevents these failures even when experiencing high traffic conditions.

80086 Fixed an issue where a firewall displayed an incorrect location for the source or destination
on the Traffic Map.

79841 Fixed an issue where, in certain circumstances, there were discrepancies between a
scheduled report and that same report generated using the run now option (Monitor >
Manage Custom Reports > <CustomReport>).

79746 Fixed an issue on a PA-2000 Series firewall where an Aggregate Ethernet (AE) interface was
unable to transmit an ARP request on a tagged subinterface to the neighboring device.

79328 Fixed an issue where Applications and Security rules in QoS statistics view (Network >
QoS > <interface>) were not displayed when the ingress interface was configured to use L2
VLAN.

78848 Fixed a rare issue where a commit (such as an antivirus update or FQDN refresh) caused
the firewall to stop processing traffic. This issue occurred after a high availability (HA)
synchronization event when the autocommit triggered by the synchronization event was
ignored. With this fix, a force commit request is automatically and repeatedly generated
until successful.

78773 Fixed an issue where the debug dataplane flow-control enable port and debug
dataplane flow-control disable port CLI commands failed to modify flow control
settings as expected.

78426 Fixed an issue where a CPU process (pan_dhcpd) spiked when DHCP NAK packets were
received on the DHCP relay interface.

78210 Fixed an issue in a high availability (HA) active/passive configuration where the multicast
tree failed to converge non-offloaded multicast traffic as quickly as expected after a
failover. With this fix, the multicast tree convergence time is reduced for non-offloaded
multicast traffic after an HA active/passive failover.

78040 Fixed an issue where the output of the show zone-protection zone CLI command did
not correctly display zone protection information for a defined virtual system (VSYS).

77376 Fixed an issue where a gateway Config refresh on a satellite device (Network > IPSec
Tunnels > Gateway Info (for a gateway) > select <gateway> > Refresh GW Config) caused a
delay in tunnel installation and resulted in connectivity issues for the duration of the delay.

77299 Fixed an issue where WildFire analysis reports did not display Coverage Status for the
sample when using a Firefox browser even when a signature was generated to identify the
sample (Monitor > Logs > WildFire Submissions > Detailed Log View > WildFire Analysis
Report). With this fix, you can view the correct Coverage Status for a sample when using a
Firefox browser.

76981 Fixed an issue where a certificate containing a space character (" ") in the Common Name
field of the certificate failed to establish a secure syslog connection with the syslog server.
With this fix, certificates establish syslog connections as expected even when containing
space characters in the Common Name.

76811 Fixed an issue where packet loss could occur with asymmetric traffic when two PA-4060
firewalls were set up as peers in a high availability (HA) active/active configuration. This
issue occurred with VLAN-tagged traffic when jumbo frames processing was disabled and
large non-jumbo frames passed over the HA3 link and became jumbo frames.

76481 Fixed an intermittent issue where a Category for a session in the URL Filtering log did not
match the actual categorization of that session. With this fix, the logic for removing expired
or unresolved URL cache entries is improved so that a Category in the URL Filtering log
stays in sync with the actual categorization of a session.

72115 When the web interface was set to display in any language other than English, service
routes to specify how the firewall communicates with other servers or devices could not be
configured (Device > Setup > Services > Service Route Configuration). This issue has been
fixed so that service routes can be configured and work correctly when the web interface
is set to any language preference.

70719 In response to an issue where a dataplane restarted due to an incorrect flow ID, PAN-OS
6.1.4 and later releases included additional checks to help prevent the dataplane from
restarting due to this issue. With this fix in PAN-OS 7.0.3, those PAN-OS 6.1.4
modifications are further modified to provide a more complete solution that avoids
inadvertently dropping IPv4 traffic affected by this issue.

67254 Fixed an issue where an XML API call for system RAID failed with an attribute error for
raid_handler object.

66607 Fixed an issue on a PA-200 firewall where administrators could configure a firewall directly
or use Panorama to push external block lists (EBLs) with a total number of EBL lists or IP
addresses that exceeded limitations and did not receive an error message. (Low-end
platforms support a maximum of 10 lists and 50,000 IP addresses; high-end platforms
support a maximum of 30 lists and 150,000 IP addresses; there is no per-list maximum for
any platform.) With this fix, an error message is displayed as expected when configuring a
PA-200 firewall directly or through a push from Panorama (or PAN-OS release downgrade)
where the number of EBL lists or IP addresses exceeds the limitations of that firewall or of
the current PAN-OS release.

34340 Fixed an issue where a large number of informational logs for the key manager process
(keymgr) were included in reports when log setting for keymgr logs was set to normal. With
this fix, informational logs for keymgr are included only when you configure logging for
keymgr messages to the debug setting using the debug keymgr on debug CLI command.

PAN-OS 7.0.2 Addressed Issues
The following table lists the issues that are fixed in the PAN-OS 7.0.2 release. For an overview of new
features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see
PAN-OS 7.0 Release Information.

Issue ID Description

82724 Fixed an issue where old registered IP addresses in a Dynamic Address Group on a high
availability (HA) active/passive pair were deleted from the passive firewall when that
firewall switched from non-functional to passive state and received an incremental update
of registered IP addresses from the active firewall. This fix also addressed a related issue in
an HA active/active configuration where the active-secondary firewall retained old IP
addresses in the Dynamic Address Group after switching to a functional state when the
active-secondary firewall switched to non-functional state and all IP addresses in the
Dynamic Address Group became unregistered on the active-primary firewall.

82717 Fixed an issue where a dataplane stopped responding after a reboot due to an initialization
issue on SFP+ ports.

82675 Fixed an issue on an M-100 appliance where, after an upgrade to PAN-OS 7.0.1, an
authentication process (authd) stopped responding when the LDAP binding password
contained special characters.

82370 Fixed an intermittent issue where a dataplane process (mprelay) experienced a memory leak
that caused the virtual memory to increase until it triggered a dataplane restart.

82310 In response to a fragmentation issue, virus patterns are split into smaller chunks to reduce
the possibility of memory allocation failure.

82087 Fixed an issue where a firewall displayed an alert for low disk space. With this fix, the
/opt/content directory was removed to improve the disk cleanup process.

82009 Fixed an issue where a document file triggered an attempt to ping an IP address.

81981 Fixed an issue where the LLDP System Name field displayed the firewall model number and
could not be modified to differentiate from other similar firewalls. With this fix, the firewall
populates the LLDP System Name field using the configurable hostname value.

81970 Fixed an issue where some Active Directory (AD) servers were incorrectly displaying a
Password expires in x days message even after selecting Password never expires on
the AD server. With this fix, the AD server ignores the maximum password age
(maxPwdAge) value when the Password never expires option is selected.

81955 Fixed an issue on a firewall where files were not sent to WildFire as expected when the first
8 bytes of the file were split across different packets or decrypted buffers.

81941 Fixed an issue where a dataplane restarted when encountering resumed SSL sessions using
inbound SSL decryption.

81819 Fixed an issue where the System log reported that a firewall in a high availability (HA)
active/active configuration Received conflicting ARP for the floating IP address of its
HA peer. With this fix, duplicate IP address detection continues to log conflicts for
non-floating IP addresses, as well as duplicate addresses detected for a floating IP address
received from any other device that is not a member of the HA pair.

81816 Removed support for SSLv3 on Panorama for connections to managed devices.

81797 Fixed an issue where ASCII and special characters were not supported in the user activity
report username field.

81783 Fixed an issue where a firewall picked the wrong decryption cipher when configured with
multiple IPSec Crypto profiles for IKEv2 negotiation.

81676 Fixed an issue where a firewall allowed administrators to configure a subinterface using
invalid notation (such as ethernet1/1.1.1).

81577 Fixed an issue where custom URL categories associated with a Decryption policy did not
match traffic destined for a proxy server.

81572 Fixed an issue on a PA-7000 Series firewall that displayed incorrect timestamps in Traffic,
Threat, and URL Filtering logs.

81535 Fixed an issue where the group list was empty after pushing the group mapping
configuration from Panorama to a multi-vsys firewall during an attempt to configure users
in a Security policy rule even though the group mapping state was synchronized.

81510 Fixed an issue where Device Group and Template administrators were able to create and
modify Shared objects. With this fix, Device Group and Template administrators are
allowed to create and modify only objects specific to the device groups and templates to
which they have access, not Shared objects.

81500 Fixed an issue where a VM-Series firewall in a VMware NSX configuration running on an
ESXi server restarted when a process (all_task) stopped responding.

81485 Fixed an issue on PA-200 and VM-Series firewalls where local objects were not resolved in
the Traffic log after selecting the Resolve hostname option (bottom of the Monitor > Logs
> Traffic tab).

81452 Fixed an issue where switching context from the Panorama web interface to a managed
firewall did not indicate whether the administrator was logged in over an encrypted SSL
connection; the System log message was always User admin logged in via Panorama
from x.x.x.x using http regardless of whether the connection was encrypted. With this
fix, the System log now specifically reports User admin logged in via Panorama from
x.x.x.x using http over an SSL connection when the administrator is connected
through an encrypted SSL connection to differentiate from non-encrypted connections.

81389 Fixed an issue where the output of the show admins all command displayed all
administrator accounts on the firewall, including root accounts. With this fix, show admins
all command output displays only local and non-local administrator accounts.

81373 Fixed an issue where WildFire Analysis reports for samples analyzed in a WildFire cloud
(public or private) were not displayed in the WildFire Submissions log (Monitor > WildFire
Submissions) when the firewall was configured to communicate with the WildFire cloud
through a proxy server.

81312 Fixed an issue where firewall Device administrators were unable to run and view output on
a firewall for the show panorama-status CLI command. With this fix, Device
administrator, Device administrator (read-only), Superuser, and Superuser (read-only)
users (Device > Administrators > <administrator>) can run and view output for the show
panorama-status command from the firewall.

81271 Fixed an issue where the second attempt to access some websites over HTTPS failed when
SSL Forward Proxy was enabled.

81264 Fixed an issue where Threat logs were generated for Threat Name - IP fragment
overlap, ID - 8705 after upgrading to a PAN-OS 7.0 release.

81219 Fixed an issue with stability when adding Log Collectors to a Collector Group.

81115 Fixed an issue where administrators experienced long delays when executing log queries
consisting of multiple attributes.

81110 Fixed a session reuse issue where an incoming SYN/ACK packet for an established session
caused a failure in TCP reassembly, which resulted in a dropped packet even when the Reject
Non-SYN TCP option was disabled (Network > Network Profiles > Zone Protection >
<Zone Protection profile> > Packet Based Attack Protection > TCP Drop). With this fix,
initiating session reuse with a SYN/ACK packet is successful regardless of the Reject
Non-SYN TCP setting.

80993 Fixed an issue in PAN-OS 7.0 (as well as in Panorama 5.1 and later releases) where XML API
POST requests failed when including a QUERY_STRING but no content-length header.
With this fix (in both PAN-OS and Panorama 7.0.2 releases), POST requests with a
QUERY_STRING and a missing content-length header are successful.

80960 Fixed an issue where attempting to Test SCP server connection (Device > Scheduled Log
Export) created an unnecessary Config lock that prevented any additional changes to the
running configuration.

80933 Fixed a rare issue where a PA-7000 Series firewall experienced heartbeat failures on the
HA1 and HA1 backup links that caused split brain in a high availability (HA) configuration.

80924 Fixed an issue where a GlobalProtect Large Scale VPN (LSVPN) satellite configuration
caused the satellite firewall to Proxy ARP for the defined access route subnets on all logical
and physical interfaces.

80896 Fixed an issue where some actions that utilize the /opt/pancfg/ partition, such as dynamic
updates and commits, were failing when that partition ran out of space due to a large
number of HIP reports received from User-ID XML API. With this fix, HIP reports are no
longer saved in the /opt/pancfg/ partition of the firewall.

80840 Fixed an issue where the URL filter did not correctly parse the common name (CN) value
when a MAC address was specified as the CN value in the server certificate.

80839 Fixed an issue where error is displayed for Tor status in the CLI output for both the show
wildfire status and test wildfire tor CLI commands.

80767 In response to a very rare issue where the configured NAT pool or method was not utilized
as expected, an enhancement was made to Tech Support file generation that includes
additional data to help troubleshoot the issue.

80720 Fixed an issue where a firewall experienced a dataplane restart when the packet processing
daemon terminated due to a double free condition associated with a specific packet buffer
(fptcp).

80687 Fixed an issue on PA-7000 Series, PA-5000 Series, and PA-3000 Series firewalls where
software packet buffers were depleted (although eventually recovered) when receiving
TCP packets with large payloads. With this fix, modifications to processes for allocating
software buffers and handling TCP congestion ensure that software packet buffers do not
get depleted due to packets with large payloads.

80669 Fixed an issue on firewalls in CCEAL mode where the management server would restart
when the firewall attempted to send an SNMPv3 trap.

80624 Fixed an issue where administrators experienced delays accessing the firewall web
interface when the firewall reconnected to Panorama and had a large number of logs to
send.

80592 Fixed an issue where firewalls in a high availability (HA) active/passive configuration did not
sync the Dynamic Address Group when one of the firewalls stopped functioning and then
changed to a functional state.

80567 In response to an issue where race conditions affecting Block IP table operations
inadvertently caused some packets to be marked as drop ip block without any entry in
the Block IP table.

80532 Fixed an issue where files were not being forwarded as expected to the WildFire cloud
(public or private) due to a terminated process (varrcvr). This issue occurred when the
Subject field in forwarded emails contained non-ASCII characters.

80404 Fixed an issue where PA-2000 Series firewalls experienced connectivity issues when
auto-negotiating duplex and speed settings on the management interface connection to a
third-party device. With this fix, a new driver is added to ensure that the management
interface remains accessible and to provide a more reliable transition when speeds are
changed (such as from 1,000 Mbps over full duplex 1000/Full to 100/Full) when there is
little or no traffic flowing through the firewall. Use the following best practice
recommendations to ensure successful transitions:
• When possible, set both the PA-2000 Series firewall and the third-party device to
  auto-negotiate mode, where each side selects the highest possible common maximum
  speed and duplex setting.
• If you must manually configure the speed and duplex setting for either the firewall
  (Device > Setup > Management > Management Interface Settings) or the third-party
  device, you should manually configure the same speed and duplex settings on both sides
  so that they are in sync. If you do not manually configure the settings to be the same at
  both ends of the connection, traffic flow will be impacted because the PA-2000 Series
  firewall cannot determine the correct duplex mode and will default to half-duplex mode,
  which can cause a duplex mismatch.

If you manually configure both sides of the connection:
• Do not set the port on the third-party device to 1000 Mbps master mode, as this
  will completely stop traffic and the ports will not recover (both ports try to control
  the link and neither is successful).
• Do not attempt to change the speed or duplex setting while traffic is flowing
  through the connection: pause traffic, configure the two peer ports appropriately,
  make sure the ports are set to the same speed and duplex values, and then resume
  traffic flow.

80386 Fixed an issue where a configuration override failed when pushing system log settings to
firewalls from Panorama resulting in the following error: edit failed, may need to
override template object informational first.

80318 Fixed an intermittent issue on a PA-7000 Series firewall where some packets were dropped
during the initial session setup process. This issue occurred when two packets in the same
session were sent almost simultaneously, causing the second of the two packets to get
dropped.

80251 Fixed an issue on a firewall where a dataplane restarted with multiple core files (all_pktproc,
flow_ctrl, and flow_mgmt) after the firewall received percent-encoded HTTP requests from
a proxy server when both the parsing of X-Forwarded-For (XFF) attributes and stripping of
XFF from HTTP Headers were enabled (configured with the set system setting ctd
CLI command). With this fix, you can enable both XFF actions without causing the
dataplane to restart when the firewall receives percent-encoded HTTP requests from a
proxy server.

80187 Fixed an issue where the test authentication authentication-profile command
results in output that uses the management interface as the source regardless of whether you
configured a service route to provide a different source.

80063 Fixed an issue on an M-100 appliance where the configuration daemon (configd) stopped
responding when processing a null value.

79960 Fixed an issue where the firewall sent an extra carriage return line feed (CRLF) in HTTP/1.1
POST packets when requesting an update from the BrightCloud URL database. This issue
occurred when using a proxy server, which correctly rejects the packets and returns
HTTP/1.1 400 Bad Request messages due to the extra CRLF (per RFC 7230).

79929 Fixed an issue where a process (mprelay) stopped responding and did not receive a refresh
of the configuration when it restarted.

79925 Fixed an issue where virtual wire (vwire) path monitoring failed and the firewall stopped
sending ICMP packets over the vwire interface after a high availability (HA) failover.

79719 Fixed a rare issue where a dataplane restarted when multiple processes (flow_ctrl and
mprelay) stopped responding due to a software buffer leak.

79709 Fixed an intermittent issue where ZIP processing may cause the dataplane to restart.

79535 Fixed an issue in a high availability (HA) configuration where the monitored destination IP
address for Path Monitoring displayed as up even when unavailable, preventing the
firewall from displaying as tentative as expected. With this fix, the monitored destination
IP address correctly shows as down when unavailable, which results in the firewall correctly
changing status to tentative.

79504 Fixed an issue where a passive M-100 appliance in a high availability (HA) configuration lost
its device group and template configuration.

79470 Fixed an issue where Panorama did not display WildFire Analysis reports correctly in the
WildFire Submissions log for WF-500 appliances running PAN-OS 6.1 or earlier releases.
You can fetch these reports using a secure channel only for WF-500 appliances
running PAN-OS 7.0.2 or later releases; a secure channel is not used when fetching
reports from a WF-500 appliance running PAN-OS 7.0.1 or earlier releases.

79382 Fixed an issue where IP address registration through the XML API failed to populate the
Dynamic Address Group following an AddrObjRefresh job failure during a template
commit from Panorama when the Force Template Values option was checked, resulting in
an Error: Failed to parse security policy.

79347 Fixed an issue where a firewall stopped responding and triggered a dataplane restart when
receiving incomplete and insufficient parameters in API calls. With this fix, checks are in
place to prevent the dataplane restart when receiving API requests with invalid or
insufficient parameters.

79279 Fixed an issue that caused an error to be displayed (ntp-servers unexpected here.
Discarding.) when pushing a device group configuration through templates after a
Panorama upgrade.

79046 Fixed an issue on an M-Series appliance running in Log Collector mode where log
forwarding to an external syslog server stopped working after a Panorama commit when
forwarding logs through TCP port 514 (default) instead of UDP port 514 (Device > Server
Profiles > Syslog). With this fix, you no longer need to perform a Collector Group commit
to resume log forwarding after a Panorama commit when the syslog server is configured to
use TCP.

78891 Fixed an issue where the use of region-based objects in the Security policy caused
consistently high dataplane CPU utilization.

78803 Fixed an issue in Panorama where template settings that were global to every virtual
system (vsys) on a firewall (for example, System log settings) were unable to reference
configuration elements (for example, an Email server profile) when that element was added
to a specific vsys instead of to the Shared location. With this fix, Panorama can push
template and device group settings, even those that are not or can't be pushed to a specific
vsys, regardless of whether those settings refer to Shared elements or elements that are
specific to a vsys.

78571 Fixed an intermittent issue where a firewall received a Virtual Systems license that allowed
for a higher number of virtual systems than the maximum amount supported for the
platform. With this fix, the licensed virtual systems activated on a firewall cannot be higher
than the maximum amount of virtual systems supported on the firewall.

78568 Fixed an issue where PA-3000, PA-5000, and PA-7000 Series firewalls experienced a
memory leak associated with improper purging of old, replaced entries in the ARP/ND table
when the table reached capacity.

78511 Fixed an issue where the DHCP relay agent incorrectly set the gateway IP address (giaddr)
value to zero (instead of the IP address of the ingress interface as defined in RFC 1542)
when responding to DHCP requests.

78084 The output for the command show log collector serial number displayed different
log data when executed on a primary active Panorama than the output that was displayed
when the command was executed from the secondary passive Panorama. This issue is fixed
so that the output for the command show log collector serial number correctly
displays the latest log data for managed Log Collectors.

78064 Fixed an intermittent issue where authentication failed in a two-phase authentication
process when the login response contained customer data.

77816 Fixed an intermittent issue where some Windows 7 GlobalProtect clients using two-factor
authentication (LDAP and certificate) lost connection to the portal or gateway and could
not reconnect due to a failed authentication with the error Required client
certificate is not found even when the certificate was available.

77775 Fixed an issue where a validation error occurred when attempting to move an object from
its current device group to a destination device group that was lower in the hierarchy even
when the policy rules or objects that reference the object being moved were in the same
destination or in a device group that should inherit the object.

77103 Fixed an issue where a System log message (Failed to upgrade WildFire package to
version <unknown version>) displayed on the firewall even when no WildFire license
existed on the firewall.

76875 Fixed an issue where the dataplane rebooted when a process (brdagent) was terminated by
the firewall in response to an out-of-memory condition. With the fix, dataplane reboots are
no longer triggered by these out-of-memory events because the firewall no longer
considers the brdagent process for termination when attempting to address an
out-of-memory event.

76781 Fixed an issue where a firewall incorrectly calculated packet length and TCP sequence due
to a one-byte zero-window probe packet when that packet was sent from one vsys to
another.

76631 Fixed an issue on PA-7000 Series firewalls where the Log Processing Card (LPC) failed to
resolve the FQDN of the syslog server. With this fix, the firewall will reinitiate the DNS
lookup request until the lookup succeeds.

76561 Fixed an issue where the DHCP relay agent dropped DHCPDISCOVER packets that the
agent could not process due to multiple BOOTP flags. With this fix, the DHCP relay agent
recognizes the first BOOTP flag in a DHCPDISCOVER packet and ignores any additional
BOOTP flags that may exist (per RFC 1542) so that multiple BOOTP flags do not cause
DHCPDISCOVER packets to be dropped.

76238 A security-related fix was made to address CVE-2015-1873.

75803 Addressed an issue regarding how often password API keys are regenerated.

75344 Fixed an issue where a memory process restarted and caused an invalid memory reference;
the invalid memory reference resulted in a management plane restart.

74423 Fixed an issue where a firewall running PAN-OS 7.0.1 was incorrectly using the URL
Updates service route when fetching a Dynamic Block List instead of using the service
route attached to the Palo Alto Updates in the Service Route Configuration (Device > Setup
> Services > Global).

73443 Fixed an intermittent issue that resulted in corrupted forwarding entries on the offload
processor.

71331 Fixed an issue on a PA-500 firewall where the firewall assigned a DHCP address for the
management (MGT) interface even after the administrator configured a static IP address for
that port. With this fix, DHCP initiation for the MGT interface is disabled.

70887 Fixed an issue where clicking the More link to view the registered IP address under Object
> Address Groups resulted in an error if the name of a Dynamic Address Group included a
space. With this fix, spaces in Dynamic Address Group names no longer cause an error
when displaying the IP address.

70302 Fixed an issue where the autocommit process failed after upgrading a PA-7050 or PA-5000
Series firewall to a PAN-OS 6.1 or PAN-OS 7.0 release.

69132 Fixed an issue where occasional dataplane restarts occurred due to a kernel memory
allocation failure.

64602 In response to an issue where a firewall generated core files for a process (pktproc) when a
dataplane stopped responding, an additional check and associated error output is added to
help troubleshoot an issue where an FPGA running the Aho-Corasick algorithm returns a
session index mapped to a NULL pointer.

64531 Fixed an issue where a high availability (HA) failover occurred due to insufficient kernel
memory on a PA-5000 Series firewall. With this fix, PA-5000 Series firewalls include some
cache-flushing events and increased kernel memory to ensure sufficient kernel memory
remains available for ping requests and keep-alive messages to avoid these HA failovers.

64266 Fixed a rare issue where certain processes (l3svc and sslvpn) stopped responding when a
Content update and FQDN refresh occurred simultaneously.

PAN-OS 7.0.1 Addressed Issues
The following table lists the issues that are fixed in the PAN-OS 7.0.1 release. (As the base PAN-OS 7.0
image, this release and the list below also include all issues initially addressed for PAN-OS 7.0.0.) For an
overview of new features introduced in PAN-OS 7.0 and other release information, including the list of
known issues, see PAN-OS 7.0 Release Information.

Issue ID Description

82299 Fixed a critical security vulnerability for firewalls and Panorama running PAN-OS 7.0.0 that
were configured to use LDAP authentication for Captive Portal or for device management.
(This issue does not affect devices configured to use RADIUS or local authentication.)

81374 Fixed an issue on a PA-200 firewall where the MAC address configured for the
management interface was inadvertently changed after an upgrade to PAN-OS 7.0.0. With
this fix, the management interface MAC address configured before an upgrade remains the
same after the upgrade.

81174 Fixed an issue where an autocommit failed after an upgrade to PAN-OS 7.0.0 due to a failed
IKE Crypto profile verification when two IKE gateways were configured using a dynamic
peer in main mode on the same local interface.

81167 Fixed an issue where the Apps-only (no Threats) version of Content Updates failed to install
on a device registered with standard support.

81158 Fixed an issue where an IPSec tunnel failed to negotiate a new session and dropped packets
during an SA rekey in IKEv2 mode.

81024 Fixed an issue where Panorama 7.0.0 failed to properly push Device Group and Service
Group objects to devices running PAN-OS 6.1 or earlier releases. With this fix, Panorama
pushes Device Group and Service Group objects as expected to devices running any
supported PAN-OS release.

80903 Fixed an issue where PA-7050 firewalls running PAN-OS 6.1 or earlier releases did not
accurately handle queries from Panorama running PAN-OS 7.0.0, which resulted in the
inability to display data in the Application Command Center (ACC) widgets and prevented
log data from the PA-7050 firewall from being included in reports generated on Panorama.
With this fix, Panorama queries to PA-7050 firewalls are disabled by default so that ACC
widgets display correctly for all other devices you manage through Panorama.

80871 Fixed an issue where WildFire analysis reports were not displayed in Detailed Log View
(Monitor > WildFire Submissions > Detailed Log View > WildFire Analysis Report) for
WildFire Submissions log entries when the firewall was configured to use a service route
instead of the management interface to communicate either with a WildFire private cloud
or with the WildFire public cloud. However, for firewalls running PAN-OS 7.0.1, to view the
integrated reports from within the web interface on the firewall, you must first configure
wildfire.paloaltonetworks.com as the WildFire public cloud; either in the web
interface (Device > Setup > WildFire > General Settings) or using the set deviceconfig
setting wildfire public-cloud-server wildfire.paloaltonetworks.com CLI
command.

80849 Fixed an issue where IPv4 and IPv6 traffic forwarding failed when sent through an LACP
Aggregated Ethernet (AE) interface due to an incorrect system MAC address.

80799 Fixed an issue where files and email links sent using Simple Mail Transfer Protocol (SMTP)
or Post Office Protocol version 3 (POP3) were not forwarded to the WildFire public cloud
for analysis unless the firewall was also configured to forward files to a WildFire private
cloud. With this fix, firewalls connected only to the WildFire public cloud appropriately
forward to the WildFire public cloud all files and email links that are sent using SMTP or
POP3.

80607 Fixed an issue where a firewall rebooted when an unusually large number of fragmented
packets passed through the firewall when the NAT64 IPv6 Minimum Network MTU setting
was configured to a value other than 1500 (Device > Setup > Session > Session Settings),
which triggered a memory leak. With this fix, fragmented packets no longer cause a
memory leak. Additionally, a new counter was added to monitor whether resources are
available for fragmenting packets when needed.

80561 Fixed an issue where software forwarding of Layer 3 multicast traffic with Protocol
Independent Multicast (PIM) did not function properly.

80408 Fixed an issue where, in some environments, new content updates could no longer be
accommodated by the memory on the firewall that is allotted for these files due to a
continually increasing number of applications in the updates. With this fix, allocated
memory for content updates is increased so that continued growth of content updates will
not prevent successful download and installation of those updates.

80398 Fixed an issue where administrators were unable to log in through the web interface when
the firewall was configured to authenticate administrators using client certificates and was
configured with Online Certificate Status Protocol (OCSP) verification enabled.

80373 Fixed an issue where attempts to Clone objects or policies in a shared gateway location or
Move objects or policies from a virtual system to a shared gateway location did not work
correctly.

80323 Fixed an issue where the link states for firewall interfaces did not come up when rebooting
the firewall after disabling high availability (HA).

80286 Fixed an issue where a commit failed after an upgrade to PAN-OS 7.0.0 when Defaults for
an application was set to ICMP Type (Objects > Applications > application > Advanced).
With this fix, commits do not fail after an upgrade to PAN-OS 7.0.1 or later releases
regardless of this Defaults setting.

80268 Fixed an issue on a PA-7050 firewall running PAN-OS 7.0.0 where attempts to switch to
Common Criteria (CC) mode failed with the following error: Set CCEAL4 Mode Sysd
Error. This issue occurred because the CC mode operation attempted to change the
operational mode before the system process (sysd) was fully loaded. This operation resulted
in setting the firewall to the factory default configuration without CC configuration
changes.

80266 Fixed an issue where PA-200, PA-500, and PA-2050 firewalls running PAN-OS 7.0.0 and
configured to use a service route instead of the management (MGT) interface to connect
to an LDAP server were unable to establish a connection, which caused all firewall
functions that relied on that connection to fail. With this fix, firewalls successfully connect
through a configured service route to an LDAP server.

79854 Fixed an issue where Panorama was unable to display System and Config logs for PA-7000
Series firewalls.

79844 Fixed an issue where logs sent to a log collector group were not properly saved and could
not be displayed when that log collector group contained a space in the name. With this fix,
logs are saved and displayed correctly even when there is a space in the log collector group
name.

79522 Fixed an intermittent issue where a firewall with hardware offload enabled included an
incorrect IP checksum value in outgoing NAT packets, which caused some packets to be
dropped.

79511 Fixed an issue on Panorama where disabling the Share Unused Address and Service
Objects with Devices option (Panorama > Setup > Management > Panorama Settings)
when no Shared objects were configured caused a process to restart during a commit.

79478 Fixed an issue where the firewall connected directly to a directory server instead of the
User-ID agent configured as an LDAP proxy. With this fix, the firewall correctly uses the
User-ID agent when the agent is configured for use as an LDAP proxy.

79463 Fixed an issue where CPU memory on a PA-7050 firewall spiked when attempting to view
reports in the Application Command Center (ACC). This issue occurred when task creation
notifications were not processed properly and, as a result, the Log Collector did not
terminate failed requests as expected. With this fix, task creation notifications are
processed appropriately and failed tasks are properly terminated.

79443 Fixed an issue in the web interface where, in some cases, the PHP session cookie
(PHPSESSID) was not marked as secure.

79401 VM-1000-HV firewalls running on eight vCPUs did not save and display Traffic and Threat
logs. With this fix, VM-1000-HV firewalls properly save and display the logs. This issue did
not affect VM-Series firewalls running on two or four vCPUs.

79367 Fixed an issue in PAN-OS where GlobalProtect clients experienced delays and
intermittently failed to retrieve the gateway configuration for connecting to a
GlobalProtect gateway when the firewall was in a high availability (HA) configuration and
under a heavy load. This issue occurred due to an issue with the synchronization of HIP
reports between gateways on HA peers when there was a high number of
near-simultaneous GlobalProtect connection requests. With this fix, the sync process is
modified so that GlobalProtect clients are able to download the configuration and connect
to the network as expected even when multiple clients are attempting to connect at the
same time.

79335 Fixed an issue where attempting to filter System logs using the log filter Type equal
globalprotect did not work. A space was automatically added to the log filter, causing
an error to be displayed.

79291 Fixed an issue where the Bytes column results displayed when clicking Run Now for a
custom report (Monitor > Manage Custom Reports) did not match the results displayed in
that same report when emailed or exported out in PDF format.

79278 Fixed an issue where the active device in a high availability (HA) configuration failed to
generate tech support files due to a buffer limitation that could not accommodate the
output from some commands. With this fix, the commands that prevent generation of tech
support files have been removed so that reports are generated as expected.

79260 Fixed a rare issue on a WF-500 appliance where an ICMP packet containing a FIN+ACK
packet was incorrectly forwarded out through the management (MGT) interface. With this
fix, ICMP packets containing a FIN+ACK packet are dropped, instead.

79104 Fixed a rare issue on a PA-7000 Series firewall where the HA1 and HA1 backup links
experienced heartbeat failures that caused split brain in a high availability (HA)
configuration.

78652 Fixed a rare issue where a firewall dropped URL requests when the management plane (MP)
URL trie (data structure) reached 100% capacity. With this fix, when the MP URL trie
reaches 90% capacity, URLs in the cache are cleared until the MP URL trie utilizes only 50%
of capacity so that the trie cannot reach maximum capacity and cause requests to be
dropped.

78646 Fixed an issue where a firewall replaced multi-byte characters with a period character ( . )
when forwarding logs or event information to SNMP traps, to a syslog server, through
email, or in scheduled log exports. This issue also occurred when exporting logs to CSV.
With this fix, multi-byte characters are forwarded and exported correctly with one
exception: in PAN-OS 7.0.1, PA-7000 Series firewalls will still incorrectly replace multi-byte
characters with period characters when exporting logs to CSV.

78621 Fixed an issue that occurred when Chile adopted new official times and the official time for
Continental Chile became UTC-03:00. A PA-200 firewall configured to use the Chile
Continental time incorrectly continued to display the official time as UTC-04:00.

78556 Fixed an issue in Panorama where using the option to import a certificate when configuring
a GlobalProtect gateway or portal did not result in the imported certificate being added to
the drop-down. The imported certificate also did not display on the Templates > Device >
Certificates page. (However, the imported certificate did display correctly after a
Panorama commit.) With this fix, imported certificates are displayed immediately on the
web interface where expected.

78448 Fixed an issue where a custom response page containing an invalid substring caused the
process for communicating between the dataplane and management planes (mprelay) to
stop responding when attempting to commit configuration changes.

78436 Fixed an issue where the management plane stopped responding when more than one
process attempted to modify the device table during a configuration push from
Panorama. With this fix, the device table is locked and modifiable by only one process at
a time to avoid conflicting modifications.

78413 Fixed an issue on a PA-7000 Series firewall with multiple virtual systems where a memory
leak was observed related to the First Packet Processor (FPP) management plane process
when running the show session meter CLI command.

78343 Fixed an issue that occurred with decryption enabled, where some websites were not
decrypted due to an issue with certificate serial numbers.

78304 A security-related fix was made to address a cross-site request forgery (CSRF) issue in the
web interface.

78289 Fixed an issue where the receive errors interface counter displayed values larger than
the actual number of packets that should be counted as errors. This issue occurred because
some packets were counted twice. With this fix, the receive errors counter displays the
correct value.

78197 HIP reports for users can now be retrieved using the XML API (in addition to viewing HIP
reports using the CLI).

78187 Fixed an intermittent issue with a system process (all_task) that caused a device to restart
unexpectedly. This fix includes an adjustment to an internal timer to avoid these restarts.

78166 Fixed an issue where the VirusTotal link in the Coverage Status section of WildFire
Analysis reports did not correctly open the VirusTotal page.

78155 Addressed an issue where two DoS protection policy rules that were not overlapping
incorrectly resulted in a warning that one of the rules was shadowing the other rule.

77907 Fixed an issue where log forwarding to a Log Collector did not stop as expected when
executing the request log-fwd-ctrl device <s/n> action stop CLI command on
Panorama. With this fix, log forwarding to a Log Collector stops as expected when
executing the request log-fwd-ctrl device <s/n> action stop command so long as
both the firewall and Panorama are running PAN-OS 7.0.1 or later releases.

77784 Fixed an issue on Panorama where administrators were unable to filter Device Groups by
tags in the commit window.

77749 Fixed an issue where clicking More to view the registered IP address under Policies >
Security > Object > Address Groups resulted in an error.

77721 FixedanissueonaPA200firewallwhereareboottookmuchlongerthanexpected(more
than20minutes).ThisissueoccurredwhentheContentUpdatesdatabasewascorrupted
andupdatesdidnotstoporpauseasexpectedtoallowthereboottotakeplace.Withthis
fix,thefirewallreinitializesthedatabaseifitiscorruptedtoallowtheContentUpdateand
systemreboottoproceedasexpected.

77477 FixedanissuewhereauserwasnolongerabletoconnecttoaVMSeriesfirewall
configuredasaGlobalProtectgatewayanddeployedinAmazonWebServices(AWS)after
theuserhadbeenconnectedforseveralhoursandtheusercouldnotreconnectuntilthe
gatewaywasrestarted.Withthisfix,usersnolongerlosetheirconnectiontothe
GlobalProtectgatewayiftheystayconnectedforseveralhours.

77413 Fixed an issue where the authentication process failed to parse the base Distinguished
Name (DN) correctly when it contained a space (" ") character.

77342 When using the XML API to retrieve HA control link statistics, the statistics retrieved were
not the same as those displayed in the output for the CLI operational command show
high-availability and control-link statistics.

77307 Fixed an issue where the CLI seemed unresponsive after running the show config diff
command due to the extended period of time it took to process and return results for a diff
containing a large number of configuration changes. With this fix, the show config diff
command returns results without any significant delay.

77163 Fixed an issue where the /var/log/secure log file inflated and consumed available disk
space. With this fix, PAN-OS uses a log rotation function for this log file to avoid consuming
more disk space than is necessary.

77140 Fixed an issue where an error was displayed when using Panorama to change a password
for a managed firewall admin.

76847 Fixed an issue where IKE phase 2 rekey was happening too frequently for an IPSec
site-to-site VPN configured with tunnel monitoring on multiple Proxy IDs when QoS was
enabled.

76759 Fixed an issue where an SSL scan of a WF-500 appliance returned SSLv3 connections and
RC4 ciphers even though the WF-500 appliance no longer supports SSLv3. With this fix,
the WF-500 appliance returns only TLSv1 connections.


76729 Fixed an issue where the response returned by the request batch license info XML
API request was not wrapped with <response> <result>.

76688 Fixed an issue where the IPv6 source address was not displayed in the Host column for
Config logs. With this fix, the IPv6 source address is displayed in the Host column as
expected (instead of 0.0.0.0).

76575 Fixed an issue on a PA-5000 Series firewall where an occasional inconsistency in the IPv6
neighbor cache on different dataplanes caused IPv6 traffic sent to certain hosts to get
dropped. With this fix, the firewall keeps the IPv6 neighbor cache in sync between
dataplanes so that IPv6 packets are not dropped.

76489 Fixed an issue where threat updates did not install correctly after adding a Threat
Prevention license and installing an Applications and Threats content release version. This
occurred even though the output of the show system info CLI command verified that the
Threat Prevention license was installed.

76282 Fixed an issue where FQDN objects were not resolved when all the following conditions
were true:
• The FQDN object was being used as a tag in a Dynamic Address Group.
• The Dynamic Address Group was not a member of the same tag.
• The FQDN object was not attached to a security policy rule.
• The FQDN object was not included in a regular address group that was attached to a
  security policy rule.

76083 Fixed an issue where no System logs were generated for failed login attempts using the CLI
over an SSH connection. With this fix, additional System logs now provide visibility for
failed logins to the management interface even if those attempts come from a CLI over an
SSH connection.

76079 Fixed an issue on PA-7000 Series firewalls where Traffic logs on Advanced Mezzanine
Cards (AMCs) could not be recovered after installing the AMCs onto a new Log Processing
Card (LPC). With this fix, a new CLI command (request metadata-regenerate slot
<slotnum>) is available for retrieving logs from the old AMC disks after installing them in a
new LPC.
When you use this command, you should ensure the device is not processing traffic until
the regeneration request is complete. Additionally, you can ignore the erroneous error
message (Failure communicating with given slot) that displays 60 seconds after
running the request metadata-regenerate command: the regeneration process will
continue to run as expected and you will need to wait for it to finish before resuming traffic
flow. It can take up to two hours, or longer, to regenerate all metadata depending on the
number of logs recovered. To determine if regeneration is complete, use the following CLI
command to look for the Done generating metadata for LD:x message:
less s8lp-log vld-<amcslotnum>-0.log

75881 Fixed an issue on a PA-5000 Series firewall where the management plane and dataplane
restarted due to a race condition that occurred when the Enforce Symmetric Return
option was enabled in the policy-based forwarding (PBF) rules (Policies > Policy Based
Forwarding > Forwarding). This race condition caused inaccurate PBF return-mac ager
lists, which caused the restarts. With this fix, the firewall retrieves and checks return MAC
entries to avoid this race condition and associated restarts.


75825 Fixed a rare issue on a PA-5000 Series firewall where a race condition occurred between
dataplanes 1 and 2 (DP1 and DP2) and dataplane 0 (DP0) that incorrectly caused a reset of
the timeout value for parent sessions owned by DP1 and DP2 when creating predict
sessions, which caused those parent sessions to time out prematurely. With this fix, the
timeout for parent sessions is not changed when the predict sessions are created.

75758 Fixed an issue where the dataplane restarted on a PA-5000 Series firewall in a high
availability (HA) cluster due to corruption of ARP packets.

75744 Fixed an issue where a dataplane stopped responding after a commit that changed the
interface index when high availability (HA) session packets were referencing that interface
index using an interface pointer.

75677 Fixed a Panorama issue where clearing the setting Require SSL/TLS secured connection
for a vsys-specific LDAP server profile (Templates > Device > Server Profiles > LDAP)
displayed an error.

75404 Fixed an issue for the show log CLI command, where you could not filter the displayed logs
by username if the user/srcuser option used characters other than an alphanumeric
character, underscore, dash, dot, forward slash, or colon.

75003 Fixed an issue where only the first 15 characters of a zone name were displayed in logs.
Complete zone names are now displayed in logs.

74654 Fixed an issue on an M-100 device where an attempt to download Content Updates failed
due to a lack of disk space. This issue occurred when continuous XML API queries filled the
/opt/pancfg partition because STOP messages were getting dropped between Panorama
and the Log Collector and queries were not properly removed when no longer needed.
With this fix, STOP messages should not be dropped. Additionally, in case STOP messages
are dropped for any other reason, a timeout setting for queries is in place to ensure that
stale queries are removed from disk space before causing a storage space issue.

74609 Fixed an issue on a PA-5000 Series firewall where PREDICT sessions were handled by
dataplane 0 (DP0) but the SIP parent sessions were on a different dataplane. With this fix,
you can use the set session filter-ip-proc-cpu dest-ip <IPaddr> CLI command to
specify all destination SIP proxy IP addresses in a filter list on the firewall. You can then use
the list to configure the firewall so that DP0 receives and handles any inbound packet that
is destined for any of the specified SIP proxy IP addresses.

74600 A security-related fix was made to the OpenSSL package to address multiple vulnerabilities
impacting the OpenSSL libraries.

74489 Fixed an issue with regular expressions where using the vertical bar or pipe character (|)
caused errors.

74315 Fixed an issue where comments added to an Aggregate Ethernet (AE) interface were not
saved along with the AE interface configuration and the Comment field displayed as empty
after closing the configuration window.

73692 Updated an error message that originally noted that an Antivirus content download failed
because an Antivirus content download was in progress. The error message is updated to
correctly state that the failed Antivirus content download was due to a WildFire content
download being in progress.

73631 Fixed an issue where several NTP sync errors were displayed following a firewall software
upgrade.


73317 Fixed an issue where the System log displayed an IPv4 address for a firewall that was
connected to an Active Directory (AD) server through a management port using an IPv6
address. For example: ldap cfg <group_name> connected to server <IPv6 address>,
initiated by: <IPv4 address>. With this fix, the appropriate IP address and format is
displayed for the initiating device even when connected using an IPv6 address.

73158 The port range you can use to define ports for custom applications has been updated to be
from port 0-65535. The update matches the ports you can define for application override
policy rules (also 0-65535). Previously, you could not define port 0 for custom
applications.

73064 When a firewall was configured as a DHCP client, it failed to renew or release the
DHCP-assigned IP address when the firewall interface was then connected to a new DHCP
server.

73058 Fixed an issue where source and destination fields in SNMP traps were not populated for
traffic using IPv6 addresses. With this fix and Rev. B of the PAN-OS 6.1 Enterprise SNMP
MIB modules, new IP version-neutral fields were added (InetAddress and InetAddressType
in place of the IpAddress field) to fully support IPv6 addresses. (The IpAddress field is
retained for backward compatibility but is deprecated; administrators are expected to
transition to the new fields.)

72933 Fixed an issue where Panorama administrators were unable to view the Botnet report
option when switched to the firewall context.

72806 The GlobalProtect pre-logon connect method did not work when a certificate profile was
configured to use a subject alternative name (SAN) and the matching device certificate did
not contain the SAN.

72756 Fixed an intermittent issue where a race condition caused by multiple processes
asynchronously attempting to retrieve the last saved configuration file caused Captive
Portal or the FQDN refresh job to fail.

72719 Fixed an issue where the Tunnel Monitor Threshold value displayed for a GlobalProtect
satellite was incorrectly displayed as a unit of time (seconds). The Tunnel Monitor
Threshold actually specifies the number of heartbeats to wait for before the firewall takes
specified action, and is no longer displayed in seconds.

72544 A security-related fix was made to address CVE-2014-8730. For additional information,
refer to the PAN-SA-2014-0224 security advisory on the Palo Alto Networks Security
Advisories website at https://securityadvisories.paloaltonetworks.com.

72371 When a custom QoS profile was enabled on an interface, the QoS statistics for the custom
profile were instead displayed as the default QoS profile statistics. This issue has been
resolved so QoS statistics are displayed correctly with the corresponding QoS profile (and
for each class in the profile).

72153 Fixed an issue where the first SYN packet in a TCP connection that passed through two
virtual systems did not reach the destination server. This occurred when:
• The first virtual system was configured with DNAT.
• The second virtual system was configured with SNAT.
• Sessions were allocated on different dataplanes (DPs), with the first session on DP0.

72075 When the firewall was configured to access an LDAP server through a data interface, the
firewall could not connect to the LDAP server if it was also configured to access the
User-ID agent using a different data interface.


71860 Addressed an issue where configuration changes were not reflected in the configuration
logs after importing SSH keys.

71682 Fixed an issue on a PA-5000 Series device where a port that was in use was sometimes
reused when dynamic port translation was enabled with NAT and sessions were initiated
on different dataplanes. With this fix, Active FTP sessions succeed with a NAT policy setup.

71340 Fixed an issue where firewall administrators were unable to clone any of the three
predefined common criteria admin roles; attempting to do so resulted in an error.

71250 Fixed an issue where decryption policies with a destination address and a URL category
defined as matching criteria caused commit failures.

71049 Made an update to ensure that the CLI command request system shutdown can only be
executed by users with superuser access privileges.

70537 Added a new debug CLI command (debug dataplane internal pdt pci list) to provide
a dump of the peripheral component interconnect (PCI) when attempting to identify the
root cause for the data_plane_X: Startup Script Failure error.

70431 Fixed an issue where a custom URL category with the name any caused unexpected
results. With this fix, the name any is no longer allowed when creating a custom URL
category (Objects > Custom Objects > URL Category).

70335 Fixed an issue where access routes from the GlobalProtect gateway could not be installed
on a satellite when the tunnel monitor was enabled for a Large Scale VPN (LSVPN) and the
tunnel monitor was in wait recover mode.

69961 Fixed an issue where Panorama and a firewall running the same release version did not
display the same drop-down selections to add as matching criteria to a security policy rule.
Now, if Panorama and a firewall are running the same release version, the same objects are
displayed and can be added to a security policy rule, regardless of whether the rule is being
defined on Panorama or a firewall.

69752 Fixed an issue where the web interface did not display concurrently logged in
administrators if those administrators had not locally authenticated to the firewall.

69685 Updates were made to existing Russian time zones and new Russian time zones were added
to the available list of global time zones for a device, to accommodate the 2014 changes to
Russian time zones.

69419 Fixed an issue that was seen with predict sessions when traffic traversed a firewall in virtual
wire mode twice.

68508 Fixed an issue where the DHCP server sent DHCP lease offers on the wrong interface after
a high availability (HA) failover due to interface IDs being out of sync on the HA peers.

68484 If the Panorama setting to Share Unused Address and Service Objects with Devices was
enabled, committing changes to a device group did not correctly push objects to managed
firewalls.

68178 When configuring a threat exception for an Anti-Spyware or Vulnerability Protection
profile, adding an IP address exemption to the exception did not work if the input included
a subnet (for example, XXX.XXX.XXX.XXX/32). Only IP address exemptions entered without
a subnet were accepted by the firewall. This issue is fixed so that you can add an IP address
with a subnet as an exemption within a threat exception (Objects > Vulnerability
Protect/Anti-Spyware > Exceptions).


67713 An administrator was allowed to downgrade the content version (Applications and Threats)
on the firewall to a version that was not supported with the PAN-OS software release
version running on the firewall. For example, if the firewall was running PAN-OS 7.0 and
the minimum content version was 497, the administrator was incorrectly able to
downgrade to a version prior to 497.

66681 Resolved a dataplane restart issue due to race conditions.

65959 Added an enhancement to display predefined URL categories in addition to custom
URL categories in the Allow Categories column for URL Filtering profile rules (Objects >
Security Profiles > URL Filtering).

63652 Fixed an issue where some files forwarded to WildFire were not uploaded successfully due
to a CANCEL_OFFSET_NO_MATCH error. With this fix, the offset (caused by a buffer overload)
is no longer an issue.

63524 Fixed an issue that occurred when performing a template commit to a PA-200 firewall on
Panorama. The operation failed if you changed the vsys1 display name on the firewall using
the set display-name <name> CLI command.

62276 Fixed an issue where the Application Command Center (ACC) failed to load any widgets and
displayed the following error: The selected filters cannot be applied to any of
the acc reports. This issue occurred when navigating from Monitor > Reports > HTTP
Applications to the ACC.

61259 Removed whitespace preceding a response that was displayed when using the XML API to
submit a file for WildFire analysis.

Getting Help
The following topics provide information on where to find more about our products and how to request
support:
• Related Documentation
• Requesting Support

Related Documentation

Refer to the following documents on the Technical Documentation portal at
https://www.paloaltonetworks.com/documentation for more information on our products:
• New Features Guide: Detailed information on configuring the features introduced in this release.
• PAN-OS Administrator's Guide: Provides the concepts and solutions to get the most out of your Palo
  Alto Networks next-generation firewalls. This includes taking you through the initial configuration and
  basic setup on your Palo Alto Networks firewalls.
• Panorama Administrator's Guide: Provides the basic framework to quickly set up the Panorama virtual
  appliance or an M-Series appliance for centralized administration of the Palo Alto Networks firewalls.
• WildFire Administrator's Guide: Provides steps to set up a Palo Alto Networks firewall to forward
  samples for WildFire Analysis, to deploy the WF-500 appliance to host a WildFire private or hybrid
  cloud, and to monitor WildFire activity.
• VM-Series Deployment Guide: Provides details on deploying and licensing the VM-Series firewall on all
  supported hypervisors. It includes examples of supported topologies on each hypervisor.
• GlobalProtect Administrator's Guide: Takes you through the configuration and maintenance of your
  GlobalProtect infrastructure.
• Online Help System: Detailed, context-sensitive help system integrated with the firewall web interface.
• Open Source Software (OSS) Listings: OSS licenses used with Palo Alto Networks products and
  software:
    PAN-OS 7.0
    Panorama 7.0
    WildFire 7.0


Requesting Support

For contacting support, for information on support programs, to manage your account or devices, or to open
a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Contact Information

Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contactus

Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2015-2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of
our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks
mentioned herein may be trademarks of their respective companies.

Revision Date: July 1, 2016
