Sie sind auf Seite 1von 60

PAN-OS Release Notes

Version 4.1.11
This release note provides important information about Palo Alto Networks PAN-OS software. Please refer to the Addressed Issues section for details on what has been fixed in this release. Refer to the Known Issues section for a list of known unresolved bugs and also check the Revision History section for details on changes made to other sections of the release note.

Contents
PAN-OS 4.1 New Features .............................................................................................................................2 Changes to Default Behavior .........................................................................................................................7 Upgrade/Downgrade Procedures ..................................................................................................................8 Associated Software Versions ..................................................................................................................... 11 Addressed Issues ........................................................................................................................................ 12 Known Issues .............................................................................................................................................. 53 Documentation Errata ................................................................................................................................. 54 Related Documentation ............................................................................................................................... 58 Requesting Support ..................................................................................................................................... 58 Revision History .......................................................................................................................................... 59

PAN-OS Release Notes, version 4.1.11 rev A

PAN-OS 4.1 New Features


This section provides details about the features introduced in the PAN-OS 4.1.0 base release. Note: Maintenance releases (where only the third digit in the release number changes, e.g. 4.1.0 to 4.1.1) do not include any new features.

APPLICATION IDENTIFICATION FEATURES


H.323 ALG Enhancements The H.323 VoIP application-level gateway (ALG) has been enhanced to support dynamic prediction of media sessions (pinhole opening) based on the signaling data, as well as payload modification when performing address translation on the traffic allowing NAT/PAT traversal for H.323 VoIP traffic. URL Category in Match Criteria URL Categories can now be used as a matching criterion in the Security, QoS, and Captive Portal policies. This feature will simplify security policy creation when enforcing specific web-filtering policies by users and domain groups. QoS policies can be created to rate-limit traffic associated with specific URL categories. Captive Portal policies can be created to conditionally authenticate users based on the URL category of the website a user visits.

USER IDENTIFICATION FEATURES


User-ID Agent Consolidation The User-ID functionalities of User-ID Agent for Active Directory and User-ID Agent for LDAP have been consolidated into the new unified UserID Agent that incorporates support for Active Directory, eDirectory, and the XML-API. Active Directory Support Enhancements Several enhancements have been made to the User-ID capability relative to Active Directory environments: o Multi-domain/Forest support o Domain Controller auto discovery o PAN-OS-based group mapping configuration Exchange Server Event Log Monitoring The new User-ID Agent can be configured to monitor logon events on Microsoft Exchange Server associated with Microsoft Exchange compatible client applications. This will allow the mapping of users that potentially do not authenticate to a Domain Controller but are authenticating to Exchange. NTLM Authentication Enhancements Captive Portal NTLM authentication can now be configured to leverage multiple User-ID Agents to verify NTLM responses received from client browsers. In addition, if NTLM authentication fails, the user is now redirected to an explicit logon page instead of being presented with an error message. Agent Status in Web Interface A new Connected column has been added to the User-ID Agent and Terminal Server Agent tables to show the status of the connection to the agents.

PAN-OS Release Notes, version 4.1.11 rev A

[2]

CONTENT INSPECTION FEATURES


Rule-based Vulnerability Protection Profiles The anti-spyware and vulnerability protection profiles have been enhanced to allow granular rule creation for adding signatures to the profile. These rules will apply to all existing and new signatures when they are added via content updates. Instead of selecting between simple and custom profiles, rules will be used in conjunction with an exception list, which can change any individual signature behavior/action. WildFire The file blocking profile action list has been enhanced to include a "forward" action, which will copy and forward files matching the policy to the WildFire cloud-based malware detection service. WildFire currently supports Windows PE files (executable files), and will run submitted files in a cloud-based sandbox environment to analyze the sample for malicious behavior. An administrator can view reports of submitted samples through the WildFire web portal at wildfire.paloaltonetworks.com, and can configure automated email reports.

NETWORKING FEATURES
Multicast Routing Allows the firewall to route multicast streams using PIM Sparse Mode (PIM-SM) and PIM Source-Specific Multicast (PIM-SSM). The firewall can also act as an IGMP querier for hosts that are on the same network as the interface on which IGMP is configured. PIM and IGMP can be enabled on Layer 3 interfaces. IGMP v1, v2, and v3 are supported. DHCP Client Allows a Layer 3 interface to act as a DHCP client and receive a dynamically assigned IP address. DNS Setting Propagation Allows the firewall to propagate DNS server and other settings from a DHCP client or PPPoE client interface into a DHCP server configuration. These settings may also be propagated to GlobalProtect gateway configurations. NAT within Virtual Wire Allows the firewall to perform network address translation (NAT) when deployed in virtual wire mode. SHA-2 VPN Support Extends the list of supported authentication algorithms to include SHA-2. NAT-T NAT traversal is now supported for site-to-site tunnels on all Palo Alto Networks devices.

GLOBALPROTECT FEATURES
Worker-Threads and Redirect Two new commands have been added in 4.1.7 to help resolve bug 40669 related to GlobalProtect agent installation and updates. Configuration Command for Worker Threads set deviceconfig setting global-protect worker-threads
PAN-OS Release Notes, version 4.1.11 rev A [3]

Description- Increases the number of users that can simultaneously connect to the GlobalProtect Portal for authentication, HIP updates, and GlobalProtect Agent updates. The current default allows 10 users to connect and process services, such as downloading a new version of the GlobalProtect Agent. For example, in regards to the GlobalProtect Agent updates, 10 users can download the Agent updates at the same time and all other users will be queued and processed as other users complete the download. For large deployments, you may want to increase the number of connections to ensure that users are able to receive updates in a timely manner (default 10, range 10-100). Note This option is only available on PA-5000 Series devices. Operational Commands for Redirect set global-protect redirect <on|off> Description: Enables you to host the GlobalProtect Agent download files on a separate web server instead of using the GlobalProtect Portal. Enabling this option will reduce the connection load on the Portal for Agent updates. Use the set global-protect location command to define the web server URL that will be used. GlobalProtect Agent Filenames GlobalProtect.msi: 32-bit Windows GlobalProtect installation package GlobalProtect64.msi: GlobalProtect.pkg: 64-bit Windows GlobalProtect installation package 32-/64-bit Apple OS X GlobalProtect installation package

set global-protect location <URL> Description: Sets the location of the GlobalProtect Agent files located on a web server other than the GlobalProtect Portal. When GlobalProtect users connect to the Portal and a new GlobalProtect Agent is available, they will automatically be redirected to the defined web server for the Agent download. The set global-protect redirect option must be enabled for the redirection to occur. Example URL path: http://host/. Note- This option is available on all platforms. Unification of NetConnect and GlobalProtect The feature set of NetConnect has been integrated into GlobalProtect. GlobalProtect in its base functionality now replaces NetConnect. The advanced functionalities of GlobalProtect, such as Host Information Profiles (HIP) as well as multi-gateway support remain licensed features while single gateway configurations with no HIP capability will be available without a license. Mac OS X Support GlobalProtect is now available for Mac OS 10.6 and 10.7 on 32and 64-bit platforms. Apple iOS Support Apple iOS devices can now establish IPSec connections using the native iOS IPSec client to a GlobalProtect gateway.

PAN-OS Release Notes, version 4.1.11 rev A

[4]

Client Override Enhancements A challenge-response based feature has been added to allow for more flexible and controlled user overrides in GlobalProtect. Additionally, an administrator can specify the maximum number overrides a user can perform before a connection to a gateway is required. User/Group-based Portal Configurations The GlobalProtect Portal now supports multiple agent configurations on a per-user or user-group basis within one portal configuration. Gateway Selection Priority The mechanism the GlobalProtect Agent uses to select the best available gateway has been improved by adding a priority rating for each external Gateway. The Gateway priority, from 1-5 in which 1 is the highest priority, allows administrators to influence which Gateway will be chosen under normal operations. Response Page Enhancements New response pages have been added to GlobalProtect to allow administrators to define a custom welcome and help pages as well as rich pages in response to specific HIP object matches. Agent UI Control A new option has been added that allows administrators to change the visible UI options of GlobalProtect Agent.

NETCONNECT SSL-VPN FEATURES


NetConnect functionality has been merged with GlobalProtect. With PAN-OS 4.1, the NetConnect agent and Portal components are migrated to GlobalProtect. To cover the NetConnect functionality, basic GlobalProtect functionality is now available to all customers without a license. A GlobalProtect Portal license is still required for multiGateway deployments and a GlobalProtect Gateway subscription is required for host profiling capability. Refer to the GlobalProtect section for all new features related to NetConnect functionality.

MANAGEMENT FEATURES
Report Translation Capability to customize the language used in report headers. The supported languages are Chinese (Traditional and Simplified) and Japanese. Granular Commit Operations When performing a Commit operation, an admin now has the ability to specify which area of the configuration to commit. This allows an admin to commit policy related changes without committing in-process networking and device configuration changes. Additionally, in Panorama, the admin is now given a choice of whether to combine the Panorama configurations with the current running configuration on the device or with the candidate configuration on the device. Detailed Configuration Logging The configuration logs have been extended to include before and after fields to display the details of every configuration change. These details can also be included when forwarding logs to external systems.

PAN-OS Release Notes, version 4.1.11 rev A

[5]

Customizable Logos The various company logos in the web interface and reports can be customized. Log Database Enhancements Several performance and scalability improvements have been made to the log database including data compression, seamless format migration, indexing optimizations, and data summarization for query optimization. Web Interface Updates The interface update that began in PAN-OS 4.0 is now complete. All areas of the web interface now leverage the same dynamic framework. In addition, performance optimizations have been done to improve tab switching and content loading performance. NetFlow The system can generate and export NetFlow Version 9 records with unidirectional IP traffic flow information to an outside collector. NetFlow export can be enabled on any ingress interface in the system. Separate template records are defined for IPv4, IPv4 with NAT, and IPv6 traffic, and PAN-OS specific fields for App-ID and UserID can be optionally exported. This feature is available on all platforms except the PA-4000 Series. Structured SNMP Trap MIB A new MIB module has been added to define all SNMP traps generated by the system. Each system log in the system is now defined as an independent SNMP trap with an Object ID (OID) of its own, and individual fields in a log are defined as a variable binding (varbind) list. XML-based REST API Enhancements The REST API for both PAN-OS and Panorama has been expanded to support all operational commands, several new configuration commands, commit operations, and packet-capture (PCAP) exports. Examples of supported operational commands include setting, showing, or clearing runtime parameters, saving and loading configurations to disk, retrieving interface or system information, etc. The newly supported configuration commands include get, rename, clone, and move. SSH Key-based Authentication Key-based authentication of administrators for CLI access via SSH has been added. This will enable easy programmatic access to the device via automated scripts, without requiring a password to be entered. Each admin account contains an option to turn on public key authentication for SSH and to import a public key.

PAN-OS Release Notes, version 4.1.11 rev A

[6]

Changes to Default Behavior


The following are changes to the default behavior made in this release: DHCP Client and PPPoE are not supported on Layer 3 interfaces in an HA active/active configuration, but the configuration was allowed during a commit. As of release 4.1.7, an error will appear if you try to add this configuration. In the PAN-OS 4.1.7 release, the HA hello interval range and default value has changed on the PA-4000 Series to improve system stability. The range changed from 1000-60000 ms to 8000-60000 ms and the new default value is 8000 ms. If you have a value less than 8000 ms set, it will be ignored and 8000 ms will be used after upgrading to 4.1.7. In PAN-OS 4.0 and earlier, TCP window checking could be disabled using the following command: set deviceconfig settings tcp drop-out-of-wnd no. In PAN-OS 4.1, the configuration option has been changed to: set deviceconfig settings tcp asymmetric-path bypass. When upgrading to PAN-OS 4.1, this configuration option is not automatically migrated and is configured only through the CLI, so this option will be ignored after the upgrade. If this option is required, enter the new (PAN-OS 4.1) command and commit the configuration. User-ID Agent client probing now uses WMI as the default instead of NetBIOS. Panorama Administrator Access Control When managing administrator accounts in Panorama, granting role based access to a Device Group no longer implies permissions to each device and virtual system upon context switch. You can now set granular access to each device under Panorama management by going to the Administrators account and selecting the device and virtual system under the Device Context tab. When administrators log in, they will only be able to do a context switch to a device and virtual system to which they have access. This same functionality also applies to an Access Domain in which an external authentication server such as Radius can be used to control access. Current administrator accounts that have a defined list of device groups will be migrated to have the same permissions when switching context. You will now see those devices and virtual systems selected in the Device Context tab, which will allow you to apply more granular permissions if needed.

PAN-OS Release Notes, version 4.1.11 rev A

[7]

Upgrade/Downgrade Procedures
The following lists information related to the upgrade/downgrade procedures of the firewall as well as details related to how certain features are migrated. Upgrading PAN-OS Important In order to upgrade to PAN-OS 4.1, the device must be running PAN-OS 4.0.0 or later. Attempts to upgrade to PAN-OS 4.1 from earlier releases will be blocked.

Use the following steps to perform a software upgrade to this release: 1. Ensure the device is connected to a reliable power source as a loss of power during the upgrade could make the device unusable. 2. From the web interface, select Device > Setup > Operations and save a config backup by clicking Save named config snapshot. This backup can be used to restore the configuration in the event of a migration failure. Note: If you are upgrading from PAN-OS 4.1.x or later, a backup configuration is automatically saved. 3. Select Device > Software and click Refresh to retrieve the currently available releases that can be installed. 4. Locate the latest release and download it to the device by clicking the Download link in the row corresponding to that latest release. 5. After the download completes, click the Install link to perform the upgrade. The device must be running content update 257 or later in order to upgrade to PAN-OS 4.1. Use the following steps to perform a dynamic content update, which consists of App-ID updates as well as threat updates depending on subscription licenses. The device must be registered for the following steps to work. Please go to https://support.paloaltonetworks.com to register your device.
UH

Navigate to the Device tab in the web interface and click the Dynamic Updates link. Click Refresh to retrieve the currently available updates that can be installed. Download the latest update to the device by clicking the Download link in the row corresponding to the latest update. After the download completes, click the Install link to perform the update.

PAN-OS Release Notes, version 4.1.11 rev A

[8]

NetConnect to GlobalProtect Migration When upgrading to PAN-OS 4.1 on a firewall that is configured with NetConnect, the feature set of NetConnect will be integrated into GlobalProtect. It is important that you carefully plan your rollout of the GlobalProtect Agent to existing NetConnect clients to ensure uninterrupted service for your remote users. Important: NetConnect clients will no longer be able to connect to a PAN-OS device after it is upgraded to PAN-OS 4.1. NetConnect customers should plan the migration to the GlobalProtect prior to upgrading from PAN-OS 4.0 to PAN-OS 4.1. Refer to the following Tech Note for migration information https://live.paloaltonetworks.com/docs/DOC-2017. You should be aware of the following changes after the upgrade: When upgrading your firewall to PAN-OS 4.1, NetConnect will be replaced by GlobalProtect and the NetConnect configuration will automatically migrate to a single portal/single gateway GlobalProtect configuration. In the web interface, the NetConnect side menu in the Network tab will be replaced with a GlobalProtect menu. GlobalProtect users will automatically be upgraded to the new GlobalProtect Agent when they connect to the upgraded portal. NetConnect clients that connect to the upgraded firewall will be upgraded to the GlobalProtect Agent and the NetConnect client will be removed. Note: In order for a NetConnect client to upgrade to GlobalProtect, users will need administrative privileges on their systems. You can choose to upgrade the client agent transparently, or you can prompt the user. If the Agent Configuration is set to prompt, the user will be prompted to select a 32-bit or 64-bit version of the client. After the GlobalProtect Agent installs, a VPN connection will be established using the new GlobalProtect Agent. To control the client install method, go to the web interface on your firewall, select Network > GlobalProtect, then click your portal name. In the Agent tab, you will see options for the Agent UI and under Agent Configuration you will see Client Upgrade with options for prompt or transparent. Basic GlobalProtect functionality does not require a license. For additional functionality, the portal license is required for multi-gateway deployment and the gateway subscription license is required for host profiling.

For more information, refer to the GlobalProtect Features section in this release note and the Palo Alto Networks Administrators Guide.

PAN-OS Release Notes, version 4.1.11 rev A

[9]

Downgrading PAN-OS In the event the device needs to be downgraded, use the following procedure: Important: In a feature release (where the first or second digit in the PAN-OS version changes, example PAN-OS 4.0 to PAN-OS 4.1), the configuration may be migrated to accommodate new features, so you should not downgrade unless you also restore the configuration for that release, as detailed in the following procedure. Maintenance releases, where the third digit in the release changes (PAN-OS 3.1.0 to PAN-OS 3.1.1), can be downgraded without having to restore the configuration. Unmatched software and configurations can result in failed downgrades or even force the system into maintenance mode. If you have a problem with a downgrade, you may need to enter maintenance mode and reset the device to factory default and then restore the configuration from the original config file that you exported prior to the upgrade. 1. Save a backup of the current configuration file by navigating to the Device > Setup > Operations tab and clicking Export named configuration snapshot, select runningconfig.xml and click OK to save the configuration file. You can use this backup to restore the configuration if you have problems with the downgrade and you need to do a factory reset. 2. Navigate to Device > Software and click Refresh. You will see the software page that lists all PAN-OS versions that can be downloaded, or that have already been downloaded. 3. To downgrade to an older maintenance release, click Install in the Action column for the desired release. If the version you want to use shows Download, click the Download link to retrieve the software package and then click Install. Note: If you are downgrading to an earlier major release, navigate to the page that shows that release. When you click the Install link, you will see a pop-up that shows an autosave configuration (as of PAN-OS 4.1). This saved configuration is created when you upgrade to a feature release and should be used when downgrading to restore PAN-OS to the configuration that was present before the upgrade to the feature release. For example, if you upgrade from PAN-OS 4.0 to PAN-OS 4.1, the autosave configuration is created and can be used to downgrade back to PAN-OS 4.0. If you upgrade from PAN-OS 3.1 to PAN-OS 4.0, the autosave configuration is not created, so you will need to do a factory reset and restore your configuration manually. 4. After PAN-OS has been downgraded, click OK to reboot the device to activate the new version.

PAN-OS Release Notes, version 4.1.11 rev A

[10]

Rule-based Vulnerability Protection Profiles Backward Compatibility When upgrading to Panorama or PAN-OS 4.1, simple style vulnerability protection and anti-spyware profiles are automatically converted to rules of equivalent meaning. Custom style profiles are converted to exceptions that specify signature-specific actions, with no rules required. User-ID Agent Upgrade After installing PAN-OS 4.1, you will need perform the following steps before upgrading to the new User-ID Agent: Note: The new PAN-OS 4.1.0 User-ID Agent replaces the old Pan Agent service and User-ID Agent. 1. Add your directory server information to the Device > Server Profiles > LDAP configuration. 2. In the Device > User Identification > Group Mappings Settings tab, add the LDAP server that you configured in the previous step. 3. Upgrade to the new User-ID Agent.

Associated Software Versions


Software Panorama User-ID Agent (AD) User-ID Agent (LDAP) Terminal Server Agent GlobalProtect Agent Minimum Supported Version with PAN-OS 4.1 4.1.0 3.1.0 3.1.0 3.0.0 1.0.0

PAN-OS Release Notes, version 4.1.11 rev A

[11]

Addressed Issues
This section contains addressed issues for this release and earlier maintenance releases.

ADDRESSED ISSUES 4.1.11


The following issues have been addressed in the 4.1.11 release: 47409 - OSPF issues occurring after a failover and then a recovery in an active/passive configuration with the Preemptive option set. Issue due to a problem where the passive device changed to active, but the router daemon still received route messages that had a different RTM generation ID. Update made to drop the route messages if the device is already active. 47397 - When viewing the Devices > Administrators page in the web interface, the Locked User column was not showing the lock icon for administrators that were currently locked out. This occurred when the Failed Attempts option was set in Authentication Settings and although the administrator failed to log in correctly more times than the set threshold, the lock icon did not appear for the given account. 47385 - On PA-4000 Series devices, asymmetric traffic was experiencing latency issues of approximately 10 microseconds with TCP traffic traversing the firewall that arrived on virtual wire 1 and returned on virtual wire 2. Issue due to a problem where the network processor was not properly handling traffic when the egress information is not the same. This caused the packets to be sent to the main CPU for forwarding instead of directly from the network processor. 47195 - When the App-ID cache feature was enabled in previous releases (enabled by default), it was possible to pollute the cache to allow some applications to pass through the firewall, even when a rule was set to block the application. If you are running an older version of PAN-OS, you can disable the application cache by running set deviceconfig setting application cache no until you can upgrade. With this update, the App-ID cache will not be used in security policies by default. The following new CLI command has also been introduced to control whether or not the App-ID cache is used: set deviceconfig setting application-use-cachefor-identification and is set to no by default. For more information, please refer to the Security Advisory PAN-SA-2013-0001 at https://securityadvisories.paloaltonetworks.com/. 46936 - In an active/active HA configuration, configuration sync was not occurring automatically and when a manual sync was performed, the HA link started to intermittently lose connectivity. Issue due to a problem where HA1-Backup was incorrectly determined to be down during a commit, but after a few seconds the pings continued and the interface was fine.

PAN-OS Release Notes, version 4.1.11 rev A

[12]

46922 - Dynamic update was ignoring the update threshold when a threshold was set for both Applications/Threats and Antivirus. For example, if you set an Application/Threat update to only download updates older than 120 hours and also set a threshold for Antivirus updates, the Application/Threat update would ignore the threshold and would update regardless of the age of the update package. 46832 - Fixed a policy lookup error that occurred when a custom URL category was used to define a URL pattern. With this fix, when performing a policy lookup, the firewall will first evaluate custom categories configured on the device before using the predefined categories included in the URL database. 46741 - The GlobalProtect login page no longer allows the user to enter a URL from which the GlobalProtect agent can be downloaded. Once installed, the agent will only connect to the portal IP address and gateway IP address defined on the firewall. 46547 - Fixed a dataplane restart in the URL filtering module after an HA failover was triggered. 46405 - The User-ID agent on a Windows 2008 server was intermittently failing to respond when the directory contained 50,000+ users, causing valid user to IP mapping information to be deleted on the firewall. This occurred when the session limit of the firewall was being reached. Issue was due to a buffer problem that occurred when trying to write the user to IP mapping to the firewall. In order for this fix to work properly, the User-ID agent must be at 5.0.1 or later. 46306 - Administrator observed that TCP packets were intermittently being re-ordered when they went through the firewall over a virtual wire. The issue caused problems with an external print server because the two hosts could not establish a proper handshake. Previous to this release, if an app override rule existed for a session, the session was not offloaded until after the first data packet. This caused a race condition and a re-ordering of packets when a FIN was received while the data packet was being processed by another PAN-OS task. The update made in this release will turn off the App-ID task that caused this issue on the final ACK of the 3-way handshake if PAN-OS determines the application for the session and there is no decoder for the protocol. 46197 - In an active/active HA configuration with virtual wire interfaces, traffic was not being processed properly. This issue is now resolved and the traffic flow is effectively managed on the firewall. 46157 - Very large web-browsing sessions (over 4GB) were causing the dataplane to restart. 46150 - Traffic log quotas were not being accurately adhered to in Panorama VM when the total log quota was reached in a 24 hour period or if the quota was set close to the total disk size. The issue was due to the management server process calculation being slightly off from the actual disk usage being consumed on the drive. Over time, this mismatch increased and could cause the disks to become full and manual purging did not resolve the issue.

PAN-OS Release Notes, version 4.1.11 rev A

[13]

45795 - When using a traffic generator to send multicast traffic through PA-5000 Series firewalls for testing hardware offload, some packets were being dropped. Issue due to a problem occurring when sessions exist on one dataplane and the remaining dataplanes are not refreshed, causing the multicast FIB to age out. 45649 - When using the Classified option in a DoS profile and then applying that profile to a DoS policy, threat logs were not generated when the Alarm rate was exceeded. Update made to properly handle the Classified option. 45556 - Administrator was not able to modify logging and reporting settings on the passive device in an HA active/passive Panorama configuration. This part of the configuration was not synced, so when the active device was updated, the change was not synced to the passive device. Update made to allow disk quota for logging and reporting settings to be configured on a passive device. 45425 - Fixed a discrepancy in the output generated using the traffic summary view in Panorama versus the output in a scheduled report. 45313 - Resolved a dataplane restart that occurred when SSL decryption was triggered on a security rule with a file blocking profile. 45219 - When an in-box failure occurred across one of two virtual wires being used for a network route, the SSL decrypt session information would not be persistent to the path that failed over. The decrypted session would fail and the users would have to re-establish the connection in order to access the requested content. This issue is now addressed; SSL decrypt information is being synced and the SSL session does not need to be requested again/reloaded, on failover. 45125 - In virtual-wire mode, when the security policy denied access to the application traffic, the firewall would send a bogus MAC address in the TCP reset packet. This bogus MAC address issue has been addressed. 44767 - Export of private keys was not generating a system log. This issue has been resolved so that the export of a private key from the web interface, CLI, or XML API now generates a Critical system log entry indicating which key was exported and which admin exported it. 44648 - Scheduled Config Export and log was not working properly due to incorrect permissions being set on the config output. This caused access issues with the cron.d job, which is used to perform scheduled tasks. 44626 - Received the error OSError: [Errno 28] in Panorama when trying to create a tech support file. Issue due to lack of space on the partition where the support files are stored (/dev/sda2) and was caused by a log rotation issue. A new cron job has been created for Panorama VM that will prevent this issue. 44250 - The Panorama management server stopped responding when doing a filter query from the traffic logs page. Issue due to the corruption of a log index file that occurred

PAN-OS Release Notes, version 4.1.11 rev A

[14]

when upgrading to a new PAN-OS feature release. Preventative measures put in place to prevent issues with the log conversion process that occurs when upgrading between feature releases. 43373 - Performance bottlenecks were causing the Panorama web server to stop responding. The cause of the bottlenecks has been identified and the issue has been resolved by releasing any locks as soon as possible. 42738 - When an administrative user switched the device context on Panorama to launch the web interface of a managed device, if the connection was idle for 600 seconds (10 minutes) the user was logged out of the device. With this fix, the timeout value for an idle connection from Panorama to the firewall has been changed from a fixed value of 600 seconds to the value configured on the device that is being accessed. The timeout value on the device is user-configurable. 42561 - Log export from Panorama was causing long response times and unresponsiveness from the web interface and CLI. 42035 - Although the PAN-TRAPS MIB file contained traps for management server system start (panGeneralSystemStartTrap) and system shutdown (panGeneralSystemShutdownTrap), these traps were not being triggered because they had not been implemented on the device. These events now trigger both syslog messages and SNMP traps. 41393 - When filtering sessions on a minimum number of bytes, the filter only compared against client to server sessions. This issue has been resolved so that the filter is now compared against both client to server and server to client sessions. 41353 - AV updates were triggering a full retrieval of the group mappings and, during the buffering process, group names using double-byte character sets were being inadvertently encoded and added to the Group Include List improperly. As a result, policy was not being enforced properly for members of the affected groups because the group name on the Group Include List no longer matched the actual group name. This issue has been resolved. 41277 - Enabling an IPv6 address on a VLAN interface causes the dataplane to restart due to an insufficient Maximum Response Delay setting issued by the multicast listener on the VLAN. 40584 - After establishment of peer-to-peer calls running through the firewall, call traffic was only running one way because NAT port translation was not occurring before forwarding. 40520 - Discrepancies seemed to be appearing when running two different reports that should produce identical outputs for a threat report and a threat summary report. In this case, the data being collected was correct, but due to the time intervals in which the report was being invoked, the reports seemed to be inconsistent. For example, when the report thread is invoked, it may not start exactly on the hour and may be offsite slightly

PAN-OS Release Notes, version 4.1.11 rev A

[15]

and will be written every 15 minutes. If the report starts 5 minutes past the hour, it will run at 5 minutes past the hour, at 20 minutes, 35 minutes, and then again at 50 minutes after the hour. Also, if summary logs for the last 15 minutes are written into the current 15 minute interval, the log may be written to the next time slot. For example, summary logs from 10:45 AM to 11 AM may be written to the 11:00AM to 11:15 AM time slot and may show the same receive time as when the summary timer was triggered. An update has been made to generate the summary reports at the 0, 15, 30, and 45 minute boundary.

ADDRESSED ISSUES 4.1.10


The following issues have been addressed in the 4.1.10 release: 46712 The management plane stopped responding when processing abnormal GlobalProtect requests due to an issue verifying user input. Also, the User-ID process failed during HIP rematch when the number of reports exceeded the maximum entries in the HIP cache due to a race condition. 46699 The GlobalProtect login page was failing PCI scanning because autocomplete was enabled. 46678 Improved validation of user data on the firewall's web interface. 46655 Jobs were getting stuck in the pending state when batches of scheduled reports were suspended without successfully resuming. 46538 In an HA lite configuration on a PA-200 device, if the passive link state was set to auto the device would send empty HELLO messages, causing flapping neighbor adjacencies. 46477 The DHCP client on the firewall was sending an invalid option (option 54) in its renewal requests, causing the DHCP server to ignore the requests. This issue has been resolved. 46329 Active device in an HA configuration went to non-functional on PA-5000 Series firewalls due to a segmentation fault. 46136 After enabling GlobalProtect on the firewall, agents connecting to the portal or gateway would sometimes receive an error code stating that a specific path could not be found on the firewall. The response page has been changed so that it now only shows an HTTP 404 Not Found error, rather than revealing the path.

PAN-OS Release Notes, version 4.1.11 rev A

[16]

46059 Session timeout settings were not in effect when set to the maximum value. 46014 Policy rules with schedule settings that rolled over into a second day (for example, 13:00-01:00 instead of 13:00-23:59 00:00-01:00) were not being enforced. 45994 Actions in the web interface, such as saving an object or performing a commit, were causing the firewall to be unresponsive in cases where the locked users list was very large (over 18,000 entries). 45943 Fixed a firewall restart issue that occurred when a URL database update was triggered at the same time that a top-URLs report was being run. The database update process will now be on hold until the report is finished generating. 45942 In active/active HA deployments, active sessions would sometimes break during failover if the HA3 link failure notification was received before the HA1 link failure notification. To resolve this issue, the HA3 link down timeout has been increased. 45815 Fixed an SSH connection failure that occurred on multi vsys and shared gateway deployments that had enabled zone protection profiles with SYN cookies. 45604 PA-200 device was experiencing latency issues and the device utilization was over 89% when an L2 sub-interface was configured on an L3 VLAN interface. Issue due to a packet buffer leak caused by an invalid port being set on the packets traversing the VLAN interface. 45463 When a large number of groups (between 136 and the maximum of 640) were associated with security policies, the security policy would randomly lose groups and users associated with that security policy would fall through to the default policy. With this fix, the device accurately displays the groups that the user belongs to and applies the best match policy defined for the user group. 45458 Zone-protection profiles were not displayed in the CLI output. Now, the CLI output for the 'show zone-protection zone <zone_name> command accurately displays the zone protection profile attached to a specific target vsys or all vsys that use the same zone name. 45338 When using Chrome and IE for web browsing, IPv6 traffic was identified incorrectly as "Unknown TCP" traffic. This issue is now resolved. 45294 NetFlow export was not working properly when more than one interface was set

PAN-OS Release Notes, version 4.1.11 rev A

[17]

up for export. 44805 When a user entered incorrect login credentials and was locked out of the firewall, you could not unlock the user account using the web interface when an authentication sequence or an authentication profile was defined for the user. This issue is now resolved, the web interface permits you to unlock the user account. 44678 If Policy-Based Forwarding rules were configured with multiple next hop addresses, on occasion, forwarded traffic would fail because the hardware next-hop table was written incorrectly. This issue is now resolved and traffic is forwarded properly. 44647 When the firewall was configured to redistribute BGP sourced routes into a NSSA OSPF area, it transmitted the NSSA External LSA without setting the NP flag or PBit. This caused routing issues because the ABR did not convert and redistribute a type 7 route to area 0. This issue is now fixed. 44366 The Panorama ACC page was not properly updating the virtual system information for managed devices when viewing threat information for these devices. This was noticed when viewing the Top Ingress Zones and Top Egress Zones in the ACC and both managed devices displayed the same virtual system name, when they should have displayed two different virtual system names. The issue was due to a problem where the serial number information for each managed devices was not properly sent to the ACC. 44184 Custom vulnerability profile was not saved after upgrading the firewall to a newer release and had to be re-created. The issue was caused by a problem with the upgrade migration script related to vulnerability profiles, specifically when upgrading from 4.0.11 to 4.1.7. 44067 Certain NetFlow analyzers unable to parse packets from the firewall due to a non-standard SNMP interface index. 44022 PA-200 firewall intermittently restarted when a sub-interface was configured with DHCP and no DHCP server was defined to issue addresses. In this case, a Policy Based Forwarding (PBF) rule was also configured on the interface and when outbound traffic hit the PBF rule on the sub-interface, the firewall would eventually restart. Issue due to a memory problem that occurred with this configuration. 43838 When URL filtering was enabled with an admin override for certain categories, when IE clients accessed a site that is in the defined category and invalid credentials are submitted three times, the site should be blocked and the client should not receive another login prompt. With this issue, no matter how many failed logins occurred, the user was

PAN-OS Release Notes, version 4.1.11 rev A

[18]

continually prompted to log in and the site was not blocked. Update made to block the sites after three failed logins when using the enter key to submit credentials. 43760 NetFlow export on traffic with bi-directional NAT enabled was showing incorrect IP information in the server to client fields, but client to server traffic showed all of the correct addresses. In this case, the server to client source address was correct, but the destination address was not showing the translated address. Update made to ensure that addresses are always set according to direction and NAT. 43665 Admin was not able to unlock another admin account that was locked after failed login attempts when an authentication sequence was configured to check the LDAP profile and then the local profile. 42322 PA-5000 Series devices in an HA active/active configuration were experiencing failures with the packet processing engine, which caused failovers to occur. Issue due to problems with packets that were passed over the HA ports, which may have been caused by the intermediate device connecting the two the firewalls. 41439 The route daemon on the firewall in an HA configuration was consuming a large amount of memory and causing system daemon problems when large numbers of routes were received from BGP peers. Improvements implemented to better handle route distribution between the management and dataplane to reduce memory consumption. 40625 When authenticating to an LDAP server that is not a Microsoft Active Directory server, authentication issues occurred because the modify timestamp option was included in the LDAP query to the LDAP server. To resolve this issue, a new configuration option use-modify-timestamp has been added in the CLI. This setting allows the user to configure whether or not the timestamp is sent in the LDAP query to the server. 40137 The firewall was not able to renew its DCHP settings with certain ISP network connections. In this case, a Verizon FiOS connection was in place and during a DHCP refresh that occurred every hour, the request timed out. Issue was due to an interoperability problem between the firewalls DHCP client and the DHCP services on the ISP network, which has been resolved in this release. 33914 In the Network tab under Global Protect > Portals/Gateways config windows, there is an IP Address field used for the IP address of the interface for the device. You can populate this field by using the drop down for a statically assigned interface, or leave it blank for a dynamically assigned interface. In the web interface you could not click OK to save the config if the IP Address field is blank. Workaround Use the CLI.

PAN-OS Release Notes, version 4.1.11 rev A

[19]

ADDRESSED ISSUES 4.1.9


The following issues have been addressed in the 4.1.9 release: 45623 The log password field was not being handled properly when administrators log in to the firewall using client certificate authentication. 45563 On PA-200 devices, the Chassis Master Alarm: Power alarm was being triggered, even though no issues were occurring at the time. Issue due to the threshold being set to aggressively. Alert threshold has been changed from 11.4 volts to 11.1 volts in order to eliminate false alarms. 45531 When removing a group in Active Directory, the User-ID group mapping on the firewall was being updated, but other groups were inadvertently being removed. 45530 The first Encapsulated Security Payload (ESP) packet was being dropped after an HA failover occurred causing issues with IP Phones on one side of the firewall attempting to communicate with a call server on the other side of the firewall. The first ESP packet was dropped, but remaining packets were received, the drop in the first packet caused the IP phones to reboot. Issue due to a hard-coded Security Parameter Index (SPI) that the firewall uses for pass-through IPSec. 45518 This bug resolves the remaining issues that were found in bug 45340, where a 1% packet drop was still observed after the fix. Description for bug 45340: On PA-5000 Series devices, packet drops were occurring with IPv6 traffic due to issues broadcasting IPv6 packets to the dataplanes. 45349 PA-5050 with multiple virtual systems configured restarted after configuring a new LDAP server for User-ID. The restart occurred when expanding the groups in the User Identification group-mapping page. Issue occurred because an LDAP server profile was not configured. Update made to not allow group expansion unless an LDAP server profile is created in Device > Server Profiles > LDAP. 45340 On PA-5000 Series devices, packet drops were occurring with IPv6 traffic due to issues broadcasting IPv6 packets to the dataplanes. 45205 User-ID agent on the domain controller configured with WMI probing with the default probing interval of 2 minutes and the Enable Security Log Monitor set to no could not retrieve user to IP mapping data for roaming users after changes were made to the agent, such as modifying the probing interval. Issue due to a stale flag that remained in the agent for the roaming user, so further attempts to probe for mapping information was not occurring. 45143 Automatic configuration synchronization was not occurring between peers in an HA configuration after a policy change. Status of the synchronization was not correct, the device that the config change was made on showed sync was complete, but the peer device showed it was in progress.

PAN-OS Release Notes, version 4.1.11 rev A

[20]

45000 Network latency was occurring on the firewall that was in FIPS mode with aggregate interfaces. The firewall was also configured to forward PE files to WildFire. Issue due to a problem with memory pool depletion with this configuration. 44889 Performing set commands on the firewall using the REST API was causing the firewalls management server to stop responding. 44792 Unexpected input in the management web interface was causing the management server to stop responding. 44760 Certificate Revocation List (CRL) checks were not able to reach the intended host to perform the certificate checks when a Bluecoat proxy was between the firewall and the host. 44758 Captive Portal authentication through a web proxy was failing due to an issue where Captive Portal was adding the proxy port (8080) to the URL after authentication. This caused an issue when trying to redirect the user to the intended website. 44449 Resolved the issue that caused the inability to form an IPSEC VPN tunnel, which led to a failure in processing traffic. 44444 HA active-primary device in an active/active configuration was having issues with dataplane restarts. Restarts occurred because of flapping on the firewall interface configured in virtual wire mode receiving asymmetric traffic from the neighbor router. Issue due to problems with HA session ownership handling. 44416 An IOS 6 device behind a NAT device failed to connect to Global Protect and displayed the error Negotiation with the VPN server failed. This issue is now fixed and IOS 6 devices can successfully connect to Global Protect. 44408 Improved the time to commit and responsiveness in the Web UI and the CLI on a firewall that constitutes a large number of multi virtual systems. 44330 Addressed a management plane restart issue that occurred on a configuration commit. 44247 The URL category information on an HTTPS request was not displayed in the response page that displayed when the SSL Decryption Opt-out option was enabled. This issue is now fixed; the URL category is included in the response page. 44113 Fixed an HA failover issue that was caused by missed heartbeats, from the management plane, during initialization. 44003 The virtual memory limit for Panorama was insufficient. This fix provides the Panorama superuser and admin-role with the commands debug software no-virtlimit and debug software virt-limit commands that previously only existed on PAN-OS firewalls. You can now adjust the virtual memory from 0-4294967295 (4GB)
[21]

PAN-OS Release Notes, version 4.1.11 rev A

using the virt-limit <value> option. 43872 The block page for SSL traffic was not displayed when a policy match occurred for a URL filtering profile configured with a block action. With this fix, the SSL block page displays. 43681 If you use Panorama pre and/or post rules to manage your devices and configure an address object that doesn't exist on Panorama, the attempt to commit the rules would fail even if the address object was valid on the PANOS device. With this fix, the debug skip-policy-address-check yes command was added to Panorama to skip the address object checking on Panorama and the validation of the object occurs on the device. 43656 Botnet reports were inaccurate when the Browsing IP Domains option was disabled in the Monitor > Botnet > Configure tab. This issue is resolved and URLs for IP domains that are disabled are now excluded from the Botnet report. 43399 For devices managed using Panorama, the Global Protect Portal license was displayed as License Expired in the Panorama > Deployment > Licenses tab. With this fix, the validity of the license is displayed accurately. 43323 In an active-active HA configuration, a Global Protect Gateway configured with a floating ip and configured for external authentication, failed to bind to the server; Cannot assign requested address message was logged in the system logs of the on the active-secondary device. This issue has been resolved. 42968 Addressed an issue that caused a delay when downloading compressed zip files. 42575 The hardware table on the firewall occasionally retained information on stale sessions. This issue is now fixed and the entries in the hardware table only match active sessions on the device. 41966 If the Global Protect Portal or Gateway were configured in a zone with a zone protection profile configured for syn-cookies, then Global Protect clients were unable to connect to the Portal or Gateway over SSL. This issue is now resolved, and a Global Protect client can now make an SSL connection to a zone configured with syn-cookie protection. 41929 Added performance improvements in Panorama to address the responsiveness issues when switching device context. 41910 Added XML support for the show system services command. The API now displays the XML results for the request. 41670 Resolved the issue that caused a spike in interface utilization traffic on the monitored interfaces, when SNMP was enabled.

PAN-OS Release Notes, version 4.1.11 rev A

[22]

41347 Packet capture filters were not filtering information accurately. The fix ensures that the pcap filters match the criteria defined on the device and accurately capture all relevant frames in the session. 40643 When remote users authenticate to the firewall using an RSA server that is configured to use User Principal Name (UPN) style login (user@domain.com), the firewall did not authenticate the user due to an issue interpreting the UPN format. 38822 Resolved the issue that caused a restart when the hardware offload chip entered a loop because of an error in the scan output. 35989 When using a custom log format, the information displayed in the report was inaccurate for multiple traffic log entries for different source users. The issue has been fixed and the report accurately reflects the data on traffic per user/ip.

ADDRESSED ISSUES 4.1.8


The following issues have been addressed in the 4.1.8 release: 44454 Corrected an issue in Panorama with the handling of session data in the web interface back end. 43803 After upgrading to PAN-OS 4.1.7, faulty disks caused RAID failure due to changes in disk error recovery processes. 43575 After upgrading to PAN-OS 4.1.7, the management interfaces (web interface and CLI) sometimes stopped responding due to a conflict between the authentication and logging processes. 43562 After upgrading to PAN-OS 4.1.7, Panorama commits were failing if the management configuration did not include a storage partition setting. 43550 Dataplane restarts were sometimes triggered because the device was improperly detecting a packet descriptor leak. This fix includes threshold changes that prevent this type of false leak detection. 43547 When editing the IP address in a NAT source translation rule, changes to the IP address were not displayed in the web interface, although the rule worked as expected. 43511 The clear user cache all command was not clearing all cached user data on devices with multiple dataplanes due to a logic error. 43492 When users browsed to HTTPS sites using Chrome version 21, SSL decryption was failing due to incompatibilities with TLS 1.1.

PAN-OS Release Notes, version 4.1.11 rev A

[23]

43372 Client sessions were timing out due to a TCP handshake error when requests were routed to the firewall through a proxy server in an active/active HA deployment if the device receiving the request was not the session owner. 43224 SSL VPN restarts were being triggered by NULL client passwords. This fix adds support for NULL values for parameters that are not included. 43040 When filtering the list of application or application group objects, the web interface did not always return proper results if the search term included the parent application. 43030 SSL decryption was failing in proxy/monitor sessions in which the browser was configured to use TLS 1.2 only due to version incompatibilities. 43027 On PA-5000 Series devices, traffic matching an explicit Deny All rule displayed incorrect source and destination zones and App-ID values in the logs because the device was using network order rather than host order to perform the ID-to-name mappings. 42758 Devices in FIPS mode would intermittently stop passing traffic because the device was inadvertently calling the FIPS function twice. 42757 The XML API was returning chunk encoded responses to HTTP/1.0 clients that do not support transfer encoding. 42720 Attempts to upgrade the device or restart the management plane during periods when the communication channel between the power supply and the CPU was locked would fail due to looping timeouts in the boot loader. 42711 User-ID group/user mappings failed to show in policy for some virtual systems because the VSYS IDs were corrupted. 42624 In the web interface, BGP import/export rules were showing that the exact match setting was enabled even when it wasnt due to an error rendering the settings within the web interface. 42447 The device was losing PIM neighbors during commit because the PIM allowed neighbors list was being re-installed unnecessarily. 42437 Attempts to clear groups on a single virtual system device using the debug user-id clear group command would fail because the default virtual system was not being set properly. 42409 The Panorama ACC Threat Prevention table was not being sorted properly because the remote devices were not sending session and count labels to the log collector. 42355 Panorama allows removal of a managed device even if the device is a member of a device group. With this fix, Panorama will now display an error message when you
[24]

PAN-OS Release Notes, version 4.1.11 rev A

attempt to remove a device that is the member of a group. 42327 Attempts to fetch group mapping information using the REST API resulted in an XML error. 42320 A Layer 3 link aggregated interface on occasion dropped 50% of the ICMP traffic when ports were disconnected and reconnected. With this fix, there is no loss in ICMP traffic on reconnections. 42159 The failure to export logs to an external storage server is resolved. 42106 Resolved the failure in delivering scheduled email notification reports. This issue was seen after upgrading to PAN-OS 4.1.5. 42103 With asymmetric traffic flows in an active/active HA configuration, TFTP traffic was erroneously classified as unknown UDP traffic and dropped. This fix enables the device to accurately identify the traffic as TFTP. 42018 Increased the global shared memory allocated on the device to fix the inability to commit profiles to multiple virtual systems. 41994 Fixed an issue regarding proper processing and validation of XSLT transforms. 41959 On PA-4000 Series firewalls, traffic in a load sharing group was not being evenly distributed across links in an Aggregate Ethernet interface due to an issue with the network processor load distribution logic. 41958 In an HA Active/Passive deployment, the dataplane on the passive device sometimes restarted upon receipt of invalid HA messages. 41937 Windows 7 DHCP clients were not receiving DHCP addresses from the firewall in a timely manner when they had previously received an IP address from a third party DHCP server. Issue due to a problem where the firewalls DHCP server was not sending a NAK to the client when the request was received. 41923 When using a third party tool designed to scan web servers for vulnerabilities through the firewall, the internal IP/port of the web server was exposed due to an issue with firewalls default redirect page. Although only the local host IP 127.0.0.1 was exposed, which is of no use to attackers, the port number should not have been exposed. 41908 When trying to view the NTP configuration using the API web browser on the firewall, an error occurred and the data was not displayed. 41850 When using the API to view fib-lookup with the following query: https://firewall-hostname/esp/restapi.esp?type=op&cmd=<test><routing><fiblookup><virtual-router>default</virtual-router><ip>10.5.60.1/32</ip> </fib-lookup></routing></test> when the subnet is appended to the IP address, an error
[25]

PAN-OS Release Notes, version 4.1.11 rev A

occurs. When using the CLI, a different error appeared. Update made to allow subnet information in this type of query, for example 192.168.2.5/24. 41849 Disabling jumbo frames from the web interface was not working properly, but the CLI worked fine. Update made to fix the web interface for this option. 41840 When configuring a vulnerability profile that specifies a brute force threat as an exception with a signature that has been customized with new interval, hit number, aggregate by, or different attributes options, the signature was ignored and the appropriate action was not taken. 41811 Not able to create a tech support file from the web interface on a firewall without access to the Palo Alto Networks external update server. Issue due to the fact that support license information needs to be pulled from the update server during this type of request. This issue only occurred in the web interface; the CLI was able to generate the support file. Update made to fix this functionality in the web interface. 41772 Email notifications stopped sending in an HA active/passive firewall configuration when using an email relay server. Issue due to a problem where an IPv4 and IPv6 address were returned from the DNS query and the firewall only used the IPv6 address to try and resolve the host, which failed. Update made to the email process to try both IP addresses in this scenario. 41753 When the firewall forwarded traffic and threat logs to a Panorama server that was in a different time zone, the App Scope threat monitor report graph for the last seven days showed two columns for Monday and Tuesday with no data. Issue due to problems with the process in Panorama that manages the conversion of dates and times from the devices local time to the date/time of the Panorama server. 41738 For ease of device administration, the Access Domain > Device Context widget in Panorama now allows you to select one or more virtual systems on a device, or to select the entire group of virtual systems on a multi-virtual system device. 41724 The error in the API response for the show high-availability state command is fixed. The response accurately depicts the HA configuration on the device. 41719 The error in the API response for displaying the top URLs, top 10 URLs or the category for the top URLs is resolved. The XML response now accurately displays the top-urls for the API request. 41715 Fixed an ARP table issue that caused returning packets to be sent to an incorrect MAC address. This behavior was observed sporadically on Layer 2 interfaces configured with Layer 3 forwarding. 41672 A Panorama administrative user with domain access to specified devices or device groups was unable to view traffic or threat logs. The administrator can now view

PAN-OS Release Notes, version 4.1.11 rev A

[26]

the logs, and the error message no longer displays. 41557 The Highlight Unused Rules option in the Policies > Application Override page highlighted all the rules configured on the device instead of only highlighting the rules that were not in use on the device. This display issue is resolved. 41547 FTP transfers from the firewall to an FTP server failed when an HA failover occurred. This issue was observed when the passive or active-secondary device transitioned from a suspended state to an active state. 41524 Resolved a failure that caused the device to boot into maintenance mode when FIPS mode was enabled. 41499 When a VPN tunnel name was created and a Proxy ID was defined for the tunnel, the show command to display the tunnel would result in an error when the combined tunnel name and Proxy ID string was more than 31 characters in length. The error occurred because of a 31 character limit for tunnel names. This error no longer occurs because the maximum length has been increased to allow 63 characters for the tunnel name, separating colon character, and the Proxy ID string. 41473 When using two LDAP server profiles for one domain to populate User-ID user/group mapping information and more than one group-mapping is pointing to the same domain and collecting the same group information, when one of the groupmappings is disabled or deleted the groups are deleted and the group information is lost. Update made to re-query remaining group-mappings when other group-mappings are disabled or deleted. 41419 GlobalProtect non-tunnel users being counted in the total user count, preventing users from connecting even though the actual user count has not been reached. 41261 If a virtual wire configuration exists with no interfaces and the configuration is committed, even though the commit fails, a revertible version of the configuration is saved. After an AV update occurs, the revertible config file is used and the running configuration is updated and the bad virtual wire configuration is present, which causes the firewall to restart and go into maintenance mode. Update made to remove the revertible configuration file if the commit fails. 41119 Panorama email profiles with a scheduler defined that are pushed down to managed devices were receiving the following error when the profile is tested on the managed device No gateway or recipient emails defined. 41006 When accessing certain websites through a GlobalProtect VPN to a firewall with SSL decryption enabled for forward and inbound proxy, the sites would not load. Issue due to a queuing problem when a large number of small packets were being processed for these sites.

PAN-OS Release Notes, version 4.1.11 rev A

[27]

40963 Firewalls with SSL decryption enabled with a blocking profile set with the action continue and forward for PE and zip files did not display the continue prompt in Internet Explorer versions 8 and 9, but worked in other browsers. 40881 When configuring a Scheduled Config Export from Panorama and using the FTP protocol, if the username contains the / notation (server/username), the / symbol is removed during authentication, which causes authentication to fail. Update made to allow this notation in FTP usernames. 40880 Race conditions occurring during heavy load on the firewall causing SSH connection issues due to ARP learning problems resulting in incomplete ARP entries. 40669 GlobalProtect VPN clients experienced slow response times from the GlobalProtect Portal when a large amount of GlobalProtect client update installs were occurring due to an issue with thread limits on the Portal. 40643 When remote users authenticate to the firewall using an RSA server that is configured to use User Principal Name (UPN) style login (user@domain.com), the firewall did not authenticate the user due to an issue interpreting the UPN format. Refer to the following link for more information on this bug: https://live.paloaltonetworks.com/docs/DOC-3860. 40378 Dataplane restarted after turning on the packet capture option without any filters defined. This is not recommended since all traffic will be captured, which can use excessive system resources. It is recommended that you use the snaplen option in the packet-capture debug command to limit the length of the packet capture. Update also made to try and prevent the device from becoming unresponsive in this scenario. 40074 When clicking the Commit confirmation window and holding until the commit progress window appears caused the cursor to stop responding and the admin could not move the cursor to interact with the web interface. 39671 User-ID group mapping information was not updating properly when users were removed from an Active Directory group. This caused issues with applying the correct policies for these users because the mapping information still had them as members of the given group. Update made to refresh group mapping information immediately after members are removed from a group. 39614 HA path monitoring on a VLAN interface not working properly due to an issue where the ARP packets for the path monitoring did not have the VLAN ID, causing one of the devices in the HA pair to go into non-functional state. 39358 Panorama role-based admins with support functions enabled could not perform the action Activate support using authorization code. There was also an issue where links were missing for role-based admins when viewing the Panorama > Support page.

PAN-OS Release Notes, version 4.1.11 rev A

[28]

39210 In Panorama with a large configuration, administrators are experiencing slow response times and are disconnected at times. The issue was due to the web server process being temporarily blocked while waiting for results of long running operational commands from the management server. This state was most apparent on a heavily utilized Panorama install with many concurrent admins connected and large configuration file commits occurring. Timeouts have been added so that long running operational commands do not block the web server from responding to heartbeats. To further improve this issue, in PAN-OS 4.1.8, long running operational command portion of commit was converted to utilize a job scheduling system. This bug is related to bug 36427.

38680 When you selected the Refresh or Check Now options to refresh the list of available software images for upgrading the software version, an Unknown action error displayed. With this fix, the software versions available for download display in the web interface. 38545 The option to enable the Multi Virtual System Capability has been removed from the Device > Setup > General Settings widget on the web interface. The option to enable multiple virtual systems now displays only after you install a valid multiple virtual systems license on devices that support this capability. 35558 When a shared object in Panorama was renamed with the same name as a local object on a device, the security rule defined for the local object was overwritten with the rule defined for the shared object. With this fix, when you use Panorama to push the configuration, a configuration check validates that two objects are not named similarly. If a conflict is detected, an error message displays. 31491 When a connection timeout to a valid NTP server occurred, the output of the show ntp command displayed a system error message instead of a timeout error. The fix now displays a timeout error message when a connection timeout occurs. 24940 When defining how the firewall communicates with other servers or services (on the Device > Setup > Services page) you could not enter a subnet as a service destination route; only an IP address was allowed. You can now enter a subnet, such as 192.168.254.0/24 as your service destination.

ADDRESSED ISSUES 4.1.7


The following issues have been addressed in the 4.1.7 release: 42446 Both Panorama instances in an HA configuration are restarting and going into maintenance mode due to a problem with corrupt logs being received from one of the managed devices.

PAN-OS Release Notes, version 4.1.11 rev A

[29]

42105 The Threat Monitor report does not show more time-granular data because it is using database tables with a less granular roll-up of data. 41963 Firewalls in an HA configuration stop responding and reboot due to a problem with the system kernel handling a script that accesses the firewalls via SSH and collects the results of a CLI output. 41791 Failure to re-establish OSPF adjacencies when fragmented LSAs dropped because of DoS protection policies. 41690 User-ID stops responding due to a corrupt HIP cache. 41656 DHCP clients in a shared gateway configuration not receiving DHCP relay requests because the session terminated on host flag was not being set properly. 41641 On platforms that contain multiple dataplanes, users may be prompted to click continue multiple times on a file blocking continue page before the file is downloaded because cookies are not synchronized between data planes. 41582 Certain NetFlow analyzers unable to parse packets from the firewall due to a non-standard SNMP interface index. 41511 Device groups created from the Panorama CLI cannot be viewed or edited from the Panorama web interface if the group does not contain any devices. 41466 When using an aggregate profile, such as a DoS protection profile, on a shared VSYS (VSYS 0), session statistics are not accurately displayed in CLI command output. 41447 When viewing log usage statistics with the command show system logdb-quota, incorrect information for log and index file sizes were displayed. Issue due to a problem where the .bdx files (used for index files only) were being counted in the log size calculation. An issue also occurred where deprecated logs and index files were included in the calculation that existed when a device was downgraded from 4.1 to 4.0. Note- This bug should have been reported in the 4.1.7 release note. 41427 On platforms that contain multiple data planes, aggregate DoS protection rules do not properly enforce block IP actions if the session is hosted by a dataplane other than dataplane zero. 41419 GlobalProtect non-tunnel users being counted in the total user count, preventing users from connecting even though the actual user count has not been reached. 41395 When editing a rule base containing a large number of rules, the web GUI may not refresh the list of rules properly after you perform an operation such as deleting a rule.

PAN-OS Release Notes, version 4.1.11 rev A

[30]

41377 Primary firewall in a PA-5060 pair failed due to link issues between the switch fabric and L4 forwarding hardware and a failure in the recovery processes that would normally resolve this type of issue. 41352 Not able to configure static ARP entries when specifying L2 aggregate Ethernet interfaces. The device was also allowing the configuration of a VLANs static ARP without specifying an interface, which should not have been allowed. 41331 On platforms that contain multiple dataplanes, block IP actions using custom vulnerability definitions are not enforced properly unless the session is being processed by dataplane zero. 41325 When logging into Panorama using RADIUS vendor-specific attributes (VSAs), users with the admin-role unable to perform some operations such as generating technical support files, creating Panorama shared objects, and viewing botnet reports due to role permissions issues with the VSA custom role user accounts. 41309 Device becomes unresponsive during debugging because all file logging is aggregated to a single file by default. 41297 When attempting to commit a request using the XML API, the management plane restarts if the request includes elements that should not be saved in the configuration file. 41283 Panorama stops acquiring threat logs after encountering a corrupted log file. 41277 Enabling an IPv6 address on a VLAN interface causes the dataplane to restart due to an insufficient Maximum Response Delay setting issued by the multicast listener on the VLAN. 41270 Traffic was not passing through the firewall on a PA-5000 series device after upgrading from 4.0.11 to 4.1.6 due to issues where MAC entries were being purged on only one dataplane after the commit. 41267 If you create a role-based administrative account in Panorama and assign device context rights for the account, the administrator will be logged out of the web interface when attempting to make interface changes after switching to a device context. 41264 If the regular expression (regex) configured for custom signature data patterns requires more memory than is available to compile the threat database, auto-commit will fail upon reload without displaying the reason for the error. 41224 Fragmented inter-VSYS traffic causes the dataplane to fail due to an internal debug check.

PAN-OS Release Notes, version 4.1.11 rev A

[31]

41157 Custom application is timing out through the firewall about every 30 minutes, causing the application to stop functioning for clients. In this case, when the client attempting to use the custom application sends a SYN that ingresses the firewall on one VLAN port, the packet is flooded to the other ports in the VLAN. When the server that is hosting the application responds, the server's MAC address has not been learned properly by the firewall, so the SYN/ACK are dropped instead of flooding it back out the other ports. The fix for this issue also resolved bug 41151. 41151 On a PA-5000 Series device, certain hosts with persistent TCP connections to the firewall are intermittently disconnecting/terminating due to issues clearing MAC addresses and MAC learning. 41095 When adding an additional prefix to an existing BGP export rule and then committing, all IBGP routes are getting advertised to adjacent routers until the routes are successfully withdrawn, causing routing problems. Issue due to a BGP route refresh occurring when BGP, interface, or route changes are committed. 41058 On a PA-5000 Series device, certain hosts with persistent TCP connections to the firewall are intermittently disconnecting/terminating due to issues clearing MAC addresses and MAC learning. 41023 Although the web interface allows configuration of DHCP-client and PPPoE in an Active-Active HA deployment, these configurations are not supported. 41020 Changing LDAP server settings and/or group mapping configurations unnecessarily triggers a refresh of user and group information, causing a drop in traffic processing. 41018 The control plane may restart after a disk failure even if there is another good disk in the RAID array because the firewall was expecting a response even though disk recovery operations were in progress. 41000 The firewall may sporadically lose connectivity with OSPF neighbors during periods when there is frequent disk access, such as during a commit, because of frequent IPS trace log updates. 40998 GlobalProtect Agent HIP reports that contain plist values rather than keys are not parsed properly by the GlobalProtect gateway even if the gateway configuration contains a corresponding plist HIP object. 40995 QoS rules applied on the inside interface can cause delays in traffic in asymmetric routing environments if packets are forwarded out of a different egress interface than expected by the QoS logic, causing a QoS mismatch. 40989 Active device in a PA-5000 Series HA pair failed over to the primary and then became non-functional due to a failure on the dataplane caused by too many missed

PAN-OS Release Notes, version 4.1.11 rev A

[32]

heartbeats. 40970 In rare cases, memory corruption may cause the dataplane to restart in an active/active HA deployment. 40926 The web interface does not allow you to delete a physical interface from an aggregate group. 40922 CRL checking for client certificates fails when the first entry is an LDAP URL due to a parsing error during CRL checking. 40908 Alert notifications are appearing when logging into the firewall web interface, even though no alerts are currently present. Issue due to a problem where acknowledged alarms are not cleared properly when the clear log alarm command is run. 40905 After upgrading to PAN-OS 4.1.x, erroneous Chassis Master Alarm messages regarding power supplies and fans are intermittently displayed in the system log due to an error in the bus retry logic. 40890 When pushing LDAP configuration changes from a Panorama 4.1.x server to a firewall running PAN-OS 4.0.8, the commit will fail if the LDAP server Type is set to other due to an error in the Panorama upgrade script. 40857 When monitoring VPN tunnels with multiple proxy ID pairs, flows for only one proxy are displayed even though the other proxies associated with the tunnel are actively passing traffic. 40829 When assigning a QoS policy to a custom URL category, other applications besides those that match the custom URL category may have the QoS policy enforced due to an error in the way that applications with URLs are looked up when used with QoS policies. 40828 In an active/active HA deployment, when an IP packet with a TTL of 1 is received, the session owner may transmit ICMP type 11 (time-to-live-exceeded) packets using the source MAC address of its peer instead of its own, causing neighbor switches to report MAC address flapping and consequently send frames out the wrong port. 40826 When creating a security policy, cloning a rule causes any filters that had previously been set to become inactive even though the filter text is still present. 40819 A race condition between packet processing and a new configuration commit occurred causing the dataplane to stop responding. 40780 When manually installing a Dynamic Update on a PA-200 device in HA mode, a pop-up message appears showing the error text [object Object]. The correct messages should show New content scheduled to be pushed via job x. Issue due to a problem printing the correct description to the pop-up window. This also appeared in the Threat
[33]

PAN-OS Release Notes, version 4.1.11 rev A

logs in the country field. 40777 When logging into the firewall using HTTPS and a log rotation has occurred for the access.log file, the log entries for new sessions were still writing to the rotated access.log.old file, instead of the newly created log file. 40771 One of the peers in a PA-5000 Series HA configuration rebooted due to memory issues that occurred because of a port in Tap mode that was flapping. 40706 When configuring firewall admin access via RADIUS and Active Directory, login problems occurred with usernames that contained spaces. RADIUS does allow spaces in usernames, but the firewall did not, so authentication failed. 40673 On a PA-5000 Series device in an HA active/passive configuration with NTLM being used for user to IP mapping, some users were not mapped due to an issue where mapping information sent through one of the dataplanes was being dropped. 40669 GlobalProtect VPN clients experienced slow response times from the GlobalProtect Portal when a large amount of GlobalProtect Agent update installs were occurring due to an issue with thread limits on the Portal. 40661 When creating an L3 subinterface as a DHCP client and the subinterface number is more than 3 digits, the number is truncated to 3 digits causing a commit error. Issue due to the interface field name not being long enough. 40599 In an HA configuration under heavy load, a failover occurred due to the masterd_core process failing after multiple missed heartbeats. 40572 HA active/passive pair failed due to the PAN-OS web server restarting multiple times. Update made to prevent web server failures from rebooting the firewall. 40513 On PA-5000 Series device under very heavy load, the error Masterd internal error; please contact support may appear. Issue caused by a critical system log alert that was put in place in an earlier release and since the related issue has been resolved, the alert is no longer needed and has been removed in this release. 40497 When pushing Dynamic Updates or Software from Panorama to managed devices, when you click install a pop-up will appear listing the available devices, but the menus at the bottom of the pop-up used to page through the available devices did not appear until the window was expanded. 40442 In an active/active HA configuration, traffic performance issues occurring for clients connecting through the firewall and then through a proxy server due to an issue where duplicate ACK packets were being forward by the firewall. 40438 URLs categorized as unknown by the URL web filtering feature are not being cleared from the dynamic URL filtering cache when a new BrightCloud URL database is
[34]

PAN-OS Release Notes, version 4.1.11 rev A

downloaded to the firewall. This causes the URL to remain as unknown, even though the new database has a new category for the URL. 40433 When configuring a NAT rule and there is a mismatch of the destination address translation range, no error appears when saving the rule, only at commit time. It was not possible to implement an error on saving, so the commit error message has been improved to make it easier to identify the issue. 40432 BrightCloud update checks received by the management port cannot be disabled even in environments without Internet access, causing the system logs to fill up with extraneous update errors. 40409 Palo Alto Networks firewall not able to setup an OSPF link when using P2P to a Cisco router with jumbo-frames enabled, but broadcast mode does work. Issue with to P2P mode only, which has been fixed. 40253 When registering WildFire and the SSL connection fails between the firewall and the WildFire system, the log still shows that the connection was successful. This issue was due to the fact that only the HTTP return code was used to verify the connection when HTTPS should be used. Also, the reason SSL failed in this case is because a proxy server was between the firewall and WildFire, so WildFire could not verify the client-side certificate on the firewall. 40246 Passive device intermittently failing over to the passive device due to web management server socket bind issues. 40219 When multiple virtual systems exist on a firewall and two admins put a commit lock on different virtual systems, if one of the admins attempts to commit a shared object, the following message appears Other administrators are holding commit locks. This should not occur, update made to allow this scenario. 40174 Panorama Superuser (read-only) admins are not able to read the configuration pushed by Panorama to managed devices. Running the command show config pushed on a device shows a permission error. Update made to allow this function for Superuser (read-only), Device Admin, and Device Admin (read-only). 40077 One of the peers in an HA configuration is intermittently restarting due to missed heartbeats that are occurring when the maximum number of sessions is being reached. 40047 In a DoS protection profile with the Classified option set, ICMP floods are not being logged when the defined alarm rate threshold is exceeded. The same rule worked fine when the Aggregate option was specified. 39924 Incorrectly formatted Link State Advertisement (LSA) messages sent from the Palo Alto Network firewall causing the adjacent router to be lost. The LSA format sent by

PAN-OS Release Notes, version 4.1.11 rev A

[35]

the firewall uses interface-ip/netmask and it should be subnet/netmask. 39906 When upgrading PAN-OS 4.0 to 4.1 with NetConnect configured, the NetConnect configuration is automatically converted to a GlobalProtect configuration, but the login-lifetime or inactivity-logout value is not converted properly if the value is less than 24 hours. The GlobalProtect login-lifetime value range is 24-720 hours, but the NetConnect range is 1-720 hours. If the NetConnect config has a value lower than 24 hours, as of PAN-OS 4.1.7, the upgrade conversion will now set this value to the GlobalProtect minimum of 24 hours. 39768 When selecting a VSYS from the Virtual System drop down from the Policies tab and the VSYS name uses the maximum of 31 characters, only the first 27 characters appear. Issue due to a web interface display problem. 39766 LDAP authentication profile failing to authenticate when the profile contains a space in the name due to an issue with the character that was used to replace the space in the config. 39755 Hardware buffer allocation issue on a PA-200 device intermittently caused the buffer pool to become exhausted and the device had to be rebooted to restore operation. 39727 VPN tunnel not passing traffic when the tunnel interface is in a different VSYS than the physical interface. 39664 DHCP lease start time was not being logged to the system log. 39609 The User-ID/log-receiver process causing high CPU on the firewall. This causes HA split-brain issues and the log process stops. Issue due to a problem with multiple User-ID agents trying to delete the same user mapping information that was not in the proper UTF format. 39607 Intermittent split-brain issues occurring in an HA configuration due to problems with the agent process that provided HA link status information to the peers. 39589 Administrators are able to create role-based admin accounts that already exist as pre-defined accounts due to an issue where case sensitivity for new account names were not being recognized properly. 39580 A race condition occurred when a local commit, HA sync, and diff-all occurred simultaneously, causing the management server to stop responding due to an issue with PAN-OS handling these functions in the correct order. 39578 PA-5050 device with multiple virtual systems enabled did not show VSYS specific attributes in the commit verification error messages when the All Vsys option is selected. This made it difficult to determine which VSYS contained configuration errors.

PAN-OS Release Notes, version 4.1.11 rev A

[36]

39523 PA-500 having buffer issues related to the kernel, which caused an intermittent reboot of the device. 39516 When using the remember me option for GlobalProtect in OTP configurations (one time password), the GlobalProtect Agent was not properly handling this setting. With the option disabled, user credentials were still retained and the client was not prompted for login information. This caused an issue when a password change was required. Note- This bug should have been reported in the 4.1.7 release note. 39511 When trying to view objects in a security policy as an Admin that is part of a role-based profile with all permissions enabled, the web interface stopped responding and the value would not display. 39506 Dataplane stopped responding in an HA configuration during a commit failure that was performed after a content update. 39452 When QoS is configured on a 10GbE port, the Guaranteed and Maximum Egress (Mbps) information is not displayed when viewing QoS statistics for the interface due to an issue calculating egress statistics values. 39431 Firewall dropping RST ACK packets from certain servers causing delays in the authentication process when logging into an application on the server. Issue due to PANOS sending a SYN packet to a port that was not listening, which triggered a reset. 39334 When uploading a custom logo in Panorama with Firefox 11 over HTTPS, the upload does not complete due to a buffer size issue that occurred with larger image files. 39318 Log error SYSTEM ALERT : low :keyacquire, cannot find selector: gw occurring on firewalls with IPSec tunnels configured due to a new API command that was not available in the 4.1 release. 39275 User-ID process consumed 100% of the processors when User-ID is enabled on a zone with an interface in Tap mode, which also impacted logging. Issue due to a queuing problem that occurred when a very large number of mapping data existed. 39250 Dataplane stopped responding when the device was configured to forward .exe and .dll files to WildFire due to a buffer issue that occurred when forwarding a large amount of .exe files. 39243 On a PA-5000 Series device, the virtual memory was exceeded, causing the devsrvr service to restart due to issues where the virt-limit CLI command was not working properly. 39228 Same issue as 39089 where a . was at the end of the domain name, but in this case the symptom was that a new Group Mapping Settings profile could not be created

PAN-OS Release Notes, version 4.1.11 rev A

[37]

for User-ID. 39200 VSYS level commit failures due to incorrect REST management API syntax cause the management plane to stop responding. 39188 Applications not working properly after upgrading from 4.0.x to 4.1.x due to configuration migration errors. 39183 The firewall is attempting to connect to the BrightCloud servers, even though the device is not licensed for URL filtering. 39160 Several improvements made to resolve issues related to Panorama context switching and timeouts that occurred under heavy load. 39155 Panorama Device Group name field limited to 31 characters, even though the maximum field length should be 64 characters to accommodate the device name plus the virtual system name. 39149 Management server fails if you do a partial commit and a full commit at the same time. For example, if you make a change in the web interface and commit and then do a partial commit from the CLI, the management server will stop responding. 39132 Dataplane restart occurred in an HA pair due to an issue where fragmented packets traversing the SSL VPN tunnel were not properly reset by PAN-OS. 39089 When querying a user group in a security policy, the group mapping information is not displayed in the browser due to an issue where a . was at the end of the domain name causing the User-ID agent to obtain invalid mapping information. 39016 The ARP table on the PA-5000 Series firewalls was insufficient in many deployments, so it has been increased from 20480 entries to 32000 entries. 38942 When creating a local admin account in Panorama and then deleting that account and creating the same account name on a RADIUS server for authentication, the local account is not properly deleted, which causes a conflict between the local account and RADIUS account. 38929 The primary device in a Panorama HA configuration went into maintenance mode due to a problem with the system managing empty log files, which caused Panorama to misinterpret the available space on the log partition. 38917 Passive device on PA-5000 Series devices in HA mode experiencing dataplane issues when site-to-site IPSec tunnel is configured with NAT-T due to a problem with host tunnel sessions not being distributed correctly to the dataplane processors. 38859 Commit failing when pushing an Anti-spyware object action from Panorama to a managed device and both devices were recently upgraded from 4.0 to 4.1. Issue due to a
[38]

PAN-OS Release Notes, version 4.1.11 rev A

transform issue that occurs on the object where any block action was changed to drop, which is no longer supported in 4.0 and later. 38857 Role-based administrators that are granted permissions to modify the configuration, but not commit, are not able to lock the configuration when editing. 38852 When performing a configuration audit from the web interface and private keys exist in the config, the keys are not wrapping to reduce the column size making it difficult to read the audit information. 38702 GlobalProtect data files used for the HIP check process are not updating properly on a non-management port configured with as a service route. 38654 Certain routes are intermittently failing to be shared between the active device and the passive device in an HA configuration due to issues with the interface ID initialization process. 38537 Email notifications did not contain details when enabled in Device > Log Settings > Config due to an issue where the XML format of the configuration file was not converted properly for the email notification. 38503 The SSL decryption opt-out response page is not appearing for clients when browsing SSL sites due to an issue that occurs when the http header spans across multiple SSL records. This causes a timeout to occur before SSL is detected and a response page can be presented to the client. 38371 Safari web browser client not able to connect and authenticate through Captive Portal due to an issue where PAN-OS was not properly sending back an acknowledgement packet during negotiation. 38356 Intermittent issues accessing the CLI and web interface management due to a rare condition where the show system info command tried to access a download job that was invalid and caused a memory issue. 38335 Not able to delete packet capture filters defined in Monitor > Packet Capture > Managed Filters from the web interface, the filter could only be deleted from the CLI. 38324 On a pair of PA-2050 devices in HA mode, a large amount of ICMP error packets hitting the firewall caused packets to drop due to the packet forward rate not being sufficient. 38314 User-ID policy not working properly due to an issue mapping users to groups when querying the Active Directory group Domain Users. This group is a default group in AD and does not use the same attributes as other groups created by the domain administrator. If a user only belonged to the Domain Users group and were not part of another group or a sub group of Domain Users, they were not mapped properly.

PAN-OS Release Notes, version 4.1.11 rev A

[39]

38283 DHCP discover messages are being dropped by the firewall when the firewall is configured with a DHCP relay server. Issue due to a problem relaying requests from certain host types that contain unrecognized padding in the DHCP messages. 38280 Management web interface stopped responding due to memory issues during a Content update. 38232 On PA-5000 Series devices, intermittent traffic drop issues may occur for traffic which uses predict session due to a problem with the firewall determining the correct session start time and parent sessions. 38137 File blocking profile not blocking all file types correctly when the profile is configured to only allow file transfers in one direction. 38069 Problem viewing all details of application statistics from Panorama for a specific device with an admin role configured with full report permission only. Issue due to Panorama aggregating application stats for all devices, so application stats for an individual device could not be view unless the admin switched to the device context. 38059 Memory issues occurring when the firewall was configured to send logs to a syslog server and Panorama, causing system instability during a commit. 38037 WildFire configured with a service route on PA-200 and PA-500 devices caused resources to be depleted on the firewall, which eventually resulted in a reboot. 38025 When creating a custom report in Panorama, you can select Group by and select Device. After you click OK to save the report and then attempt to modify it, the Device option is no longer available due to a display issue. 38009 System stopped responding after receiving fragmented packets with reply TTL enabled in a zone with zone protection disabled due to issues resetting the fragmentation marker after the marker has been released. 38007 Slow response time when trying to display IPSec tunnels (250+) in the web interface due to problems with the changes made in PAN-OS 4.1 for listing tunnel details. 38001 PA-200 device intermittently restarting due to an issue with the processor that occurred under rare circumstances. 37970 When the & symbol is use in an Active Directory OU and the AD groups are picked up by the User-ID agent, when the group is expanded on the firewall, a malformed error appears. Update made to better handle special characters in the web interface for this type of operation. 37902 Hardware buffering issues causing the firewall to stop responding when inbound SSL forward proxy decryption is enabled.

PAN-OS Release Notes, version 4.1.11 rev A

[40]

37889 In an active/active HA configuration with session owner set to first-packet, issues with the load sharing process may result in high dataplane CPU utilization and slow network performance. 37881 LDAP authentication not working properly when clients attempt to login using GlobalProtect due to a problem where the username format that the firewall was sending was not correct. PAN-OS was sending domain_name\username and the Open LDAP server only accepts username@domain_name.com. 37880 Under certain situations, when the PAN-OS management server process is restarted and pending jobs are in progress, such as Content or Antivirus updates, the management server may not restart properly. Improved socket handling has been put in place to better handle the management server restart process. 37816 When configuring Aggregate Ethernet interfaces on an active device in an active/passive HA configuration, the configuration change was not properly detected for synchronization, so the passive device configuration was not properly synched with the active device. 37778 In an HA active/active configuration, SSL decryption was failing on asymmetric traffic when the set session offload option is set to yes. 37744 When configuring QoS for tunneled interfaces, each tunnel interface in the QoS profile must specify an individual or default QoS profile. When this was not done, a commit error occurred that was not identifying the issue properly. The error message for this type of issue has been updated to better identify the configuration problem. 37715 When adding a BGP policy with the aggregation commands, commit errors occur due to an issue with the aggregation table not being cleared. 37713 PA-200 with the untrust interface configured as a DHCP client intermittently failing to renew its DHCP address after the lease time expiration. Issue occurred when multiple DHCP servers existed on the same network segment and the PA-200 tries to renew its IP from a server other than the server in which it received its original lease, causing the renew to fail. 37612 VPN tunnels between Palo Alto Networks firewalls and firewalls by another vendor are losing connectivity due to memory issues causing a stale Security Association (SA). 37480 Antivirus and Content updates are being downloaded, but not installed in an HA configuration due to failed or slow commit times. Timeout increased to allow for the antivirus/content updates to complete during a slow commit. 37395 Denial of Service (DoS) protection policies causing dataplane issues when similar DoS policies exist in multiple virtual systems.

PAN-OS Release Notes, version 4.1.11 rev A

[41]

37200 Traffic is not being forwarded properly between interfaces in the same VLAN due to the NetBios name server L2 broadcast being blocked on the L3 VLAN. Update made to allow L2 broadcast to be forward in L3 mode. 36926 Custom regions were not appearing as a choice when configuring Security Policies in Panorama. Only the standard regions were displayed. 36896 When creating a custom Threat report in Panorama from Monitor > Manage Custom Reports, if you select an item in the Group By drop-down, you cannot save the report. Update made to allow the group by direction option for custom threat reports. 36805 BGP requests received by the firewall were being intermittently rejected from an adjacent router that was sending a large amount of routes. Issue due to buffering problems with the interface being used as the route to the next-hop. 36767 SMTP traffic using TLS is not being correctly identified for some sessions. 36641 Dataplane issues occurring when a larger number of L2 traffic flows were present on a PA-5000 Series firewall due to flow management memory issues. 36546 When clicking the Monitor tab in the PAN-OS web interface, the error XML Parsing Error: no element found occurred due to problems reading certain UTF-8 characters that appeared in the logs. 36504 After upgrading from Panorama 4.0 to 4.1, vulnerability profiles with the packet capture option enabled were not handled properly for devices running PAN-OS 4.0. After the profile is pushed to the 4.0 device, the packet capture option was enabled for the entire profile, instead of for individual rules. 36501 LED display issue on copper and fiber ports with virtual wire with link state pass through configured. The LED indicators on all fiber ports showed that they were down, even though only one copper port cable was removed. This was an LED issue only and the ports were not actually down. 36498 In Panorama, when an object is nested in a group and the object name is changed, the parent object did not recognize the change. 36427 In Panorama with a large configuration, administrators are experiencing slow responses times and are disconnected at times. The issue was due to the web server process being temporarily blocked while waiting for results of long running operational commands from the management server. This state was most apparent on a heavily utilized Panorama install with many concurrent admins connected and large configuration file commits occurring. Timeouts have been added so long running operational commands do not block the web server from responding to heartbeats. To further improve this issue, in PAN-OS 4.1.8, long running operational command portion of commit was converted to utilize a job scheduling system.

PAN-OS Release Notes, version 4.1.11 rev A

[42]

Note- This bug should have been reported in the 4.1.7 release note. 36257 Exported Netflow data shows incorrect values for some flows for fields such as octet and packet counts, TCP flags, interfaces, and direction. 36150 When viewing service objects, the order of objects for IP addresses and source ports were not being sorted in ascending order. 35250 SSL access to the Panorama web interface failed due to issues with the client certificates in Panorama not being copied to the correct directory after an upgrade. 35111 Non browser based HTTP clients causing issues with URL filtering when the Continue action is specified. 35103 After upgrading Panorama from 4.0 to 4.1, Panorama rebooted and entered maintenance mode due to the presence of corrupt log files. Additional log validation processes put in place to avoid this issue. 34882 When performing a commit from the CLI, the commit progress messages are not appearing when the job is pending. Update made to show 0% status, until the pending job proceeds with the commit. 34771 When creating a GlobalProtect gateway in a VSYS using the VSYS admin account, the gateway is not created after clicking OK. Issue occurs when configuring the SSL-VPN or tunnel-mode portions of the gateway configuration. This is due to the fact that the VSYS admin does not have permission to modify settings outside of the VSYS. Changes made so these options are not available to the VSYS admin. The device admin will need to perform the network portions of the gateway config before the VSYS admin can create the gateway. 34461 The source and destination address fields in NAT policies were not being validated properly. This allowed invalid IP address formats to be entered and no error was being generated on commit. 34368 When trying to manually install the Apps + Threats and Antivirus package to Panorama from a local PC (when Panorama does not have Internet access) the Antivirus packages could not be installed. Issue occurs because the SCP (secure copy) upload process used to copy the Antivirus package to Panorama causes encoding issues, so the installed file is no longer valid. 33889 The report title is missing on custom reports that are part of a report-group and do not contain data. 33520 All available options for the CLI command edit network interface Ethernet ethernet1/2 layer3 were not appearing.

PAN-OS Release Notes, version 4.1.11 rev A

[43]

33509 When creating App-ID policies from Panorama, custom applications are no longer distinguishable from the standard applications delivered by content updates. Custom applications should show a pencil icon next to them. 32869 In an HA active/passive configuration, some users were not able to authenticate through captive portal with LDAP configured on the firewall. Issue due to a problem with the authentication daemon failing when a large amount of requests were being made simultaneously when LDAP with SSL is enabled. 32142 When changing the Virtual System drop-down menu from All to a specific VSYS while on the Monitor tab, the Packet Capture option on the left menu is no longer available. This is by design since the Packet Capture option is only available for device admins, not VSYS admins. 31682 Unable to unlock a locked user account that is part of an Authentication Profile from the web interface when the username field is empty. 30661 A DoS protection profile with resource protection enabled does not log events when a hosts packets are dropped by the DoS profile. New threat log added for session limit protection. 30444 Exported Netflow data shows incorrect start time for some flows.

ADDRESSED ISSUES 4.1.6


The following issues have been addressed in the 4.1.6 release: 39853 GlobalProtect Agent installation file not being downloaded properly to remote access clients. Partial file download occurring, causing installation to fail when the client attempts to install. 39844 IPSec VPN tunnel not coming up when Palo Alto Networks firewall initiates a connection to a Cisco ASA device. 39769 Performance issues occurring in an active/active configuration due to an issue with session lookup when non UDP/TCP traffic goes to a closed state. 39721/39603 PA-5000 series devices with inter-VSYS, tunnel, or a shared gateway configured experiencing some traffic loss. 38755 Delayed failover occurring in an HA configuration with active 1GB and 10GB interfaces configured. When both interfaces send an interrupt simultaneously, the process is not handled properly and a delay occurs.

PAN-OS Release Notes, version 4.1.11 rev A

[44]

ADDRESSED ISSUES 4.1.5


The following issues have been addressed in the 4.1.5 release: 38598 Fragmented IPv6 frames causing dataplane issues due to buffer problems with this type of traffic. 38494 Performance issue occurring due to the log database becoming full and when space was cleared, traffic was not resumed properly. 38045 Custom report in Panorama that specifies a range of last 30 days looks ok when generated manually, but the schedule report sent via email is only showing one day. Issue with the web interface which allowed you to specify a day range, but day ranges were not supported in schedule reports. Update made to allow day ranges for this type of report generation. 38034 Intermittent commit errors occurring due to the firewall not using memory properly when calculating shadow rules when rules contain a large amount of addresses (2000+ in this case). 38010 LDAP bind error occurring in User-ID group mapping when a parenthesis ( is used in any part of the bindDN string due to this character not being supported. Update made to include all characters that can be used in bindDN in LDAP. 38002 GlobalProtect client configured on an iPad using the native VPN client and connecting to the firewall via IPSec VPN caused dataplane issues when the iPad did multiple successive connects and disconnects. 37970 When the & symbol is use in an Active Directory OU and the AD groups are picked up by the User-ID agent, when the group is expanded on the firewall, a malformed error appears. Update made to better handle special characters in the web interface for this type of operation. 37967 PA-4020 pair in HA active/passive mode experienced dataplane issues due to a problem handling oversize packets being sent from certain hosts. 37904 When a firewall managed by Panorama has more than seven virtual systems and you view shared policies for that device in Device Groups, you only see the first seven virtual systems. Update made to show all virtual systems without having to click a More link.

PAN-OS Release Notes, version 4.1.11 rev A

[45]

37903 Management server on the firewall stopped responding when a threat summary reports and ACC reports were being generated at the same time, causing issues with memory. 37890 Android device using the native VPN client to establish an IPSec VPN to the firewall using PSK auth is causing IKE manager problems because the firewall only supports IKE/XAuth. 37886 When doing a context switch from Panorama 4.1 to managed devices running 4.0, in some instances policies and objects are not appearing on the managed device. The issue is intermittent and logging off and back on resolved the problem. Updates made to prevent session key problems that were occurring. 37671 When an Android device uses its native VPN client to connect to a GlobalProtect gateway using X-Auth and the gateway is configured with a DNS suffix, the suffix is not being picked up when the device establishes a VPN. 37661 Inter-VLAN communication failing due to a problem with ARP not automatically picking up the MAC addresses on interfaces in different VLANs. 37646 The Chrome browser not being detected properly by Captive Portal with NTLM authentication configured. 37608 Threat logs not being forwarded to the syslog server, although other logs worked fine. Issue due to a problem with the log forwarding queue for threat logs. 37465 When upgrading from Panorama 4.0.7 to 4.1.2 and then pushing Anti-spyware and vulnerability profiles to 4.0.7 devices in device groups, the profiles lost the action settings. Issue due to changes made in the action field between the releases and the process to convert the fields did not work properly. 37449 User-ID process causing the management plane to spike due to a conflict with the port used in the User-ID agent XML API configuration. 37076 HA active/passive pair failed due to the PAN-OS web server restarting multiple times. Update put in place to improve visibility of failed processes and to log this type of error as critical. 37008 The display output of the show routing route destination address command is showing incorrect data due to an issue where only the first byte of the IP address was

PAN-OS Release Notes, version 4.1.11 rev A

[46]

being compared. 36910 Threat prevention stopped working after upgrading from 3.1 to 4.1.2 due to a problem handling profiles that contained exceptions, but no rules. 36844 Performance issues are occurring on hosts going through an HA active/active pair in virtual wire mode due to problems handling session synchronization particularly when the HA2 and HA3 ports were connected using different link speeds. 36831 On PA-5000 Series devices, the traffic log byte counts are showing up as doubled due to an issue with the Netflow counter. 36767 SMTP traffic being misidentified due to an issue with content update 289. 36730 After upgrading an HA active/passive pair from PAN-OS 4.1.1 to 4.1.2, the HA1 and HA2 ports started flapping due to an issue with multicast and layer 2 interfaces. 36663 Android device is able to connect to the GlobalProtect gateway, but when disconnected it cannot reconnect due to a problem with sessions not clearing properly 36588 Captive portal authentication failing after a commit due to an issue with the firewall not properly decrypting the LDAP bind password. 36423 When configuring a custom log format for Host Information Profile (HIP) match events, the default format is still used. Issue due to a problem with how the custom log configuration was being saved. 36265 When forwarding configuration logs from a device running PAN-OS 3.0 or 3.1 to a Panorama 4.1 device, traffic log file are corrupt due to an issue with compatibility between these releases. Issue was fixed in 4.0 and is now fixed in 4.1.5. 36186 Memory allocation issues caused problems with commits when high levels of SSL traffic traversed the device with SSL decryption enabled. 36148 Problem submitting a virtual router configuration with a large amount of static routes when using Firefox over HTTPS. Issue due to Firefox sending larger packet sizes than other browsers, which the firewall could not process because of a limited buffer size. 35812 The option to enable OSPF and RIP on untagged subinterface was being allowed in the web interface even though this configuration is not supported.

PAN-OS Release Notes, version 4.1.11 rev A

[47]

35001 On the PA-5000 Series devices, when viewing PDF summary reports the Risk Trend table is empty due to an issue with how this data is aggregated on devices with multiple dataplanes. 34183 Downed L3 aggregate interfaces are still populating routing tables, causing incorrect route updates to occur. Issue due to a problem were aggregated subinterfaces are remaining active. 21247 Slow response (up to 5 minutes) in Panorama when doing a context switch to a managed firewall that is under heavy load due to an issue caching static device files.

ADDRESSED ISSUES 4.1.4


The following issues have been addressed in this release: 37728 - In an HA active/passive configuration, the dataplane occasionally stopped responding for a few seconds when URL database downloads occurs and recategorization is performed to update the URL DB cache entries. Issued due to a problem with updating the passive device URL cache and an update has been made to only send diffs to the passive device after the DB update. 37563 - When viewing the User-ID Agent or Terminal Services Agent table from the Device > User Identification pages, if more than 40 agents exist, all agents past the 40th item shows as offline, even though they are connected. Issue due to a problem with displaying more than 40 agents from the web interface. 37529 - Problem logging the correct email send time for traffic from certain email clients because the + symbol is not used when calculating the time zone offset value. The + symbol has been added to the time zone offset value (example- UTC+09:00). The minus - symbol already existed. 37484 - Firewall experiencing intermittent packet loss with an L2 connected router using virtual MAC addresses. Issue due to a problem where the firewall used the physical MAC of the connected router interface, instead of the virtual MAC, which caused ARP issues. 37298 - TCP RST packets sent from servers are being dropped as they traverse the firewall when TCP SYN cookie protection is enabled in a zone protection profile. Update applied to forward TCP RST instead of dropping them with this configuration.

PAN-OS Release Notes, version 4.1.11 rev A

[48]

37180 - If a security policy name ends with a space, a commit error is generated for that policy. Updated applied to trim leading and trailing spaces in policy names. 37095 - When using the CLI command clear dhcp lease interface interface-name expiredonly is used to clear all expired DHCP leases, active leases were also being cleared. 37091 - In an active/active HA configuration, the active-secondary device is not emailing scheduled reports. Issue due to the fact that report generation and email delivery was not enabled for active-secondary devices in the firewall software. 37005 - When configuring SNMPv3 and entering the Auth Password and then the Priv Password for encryption, the information is not accepted when using the web interface, but the CLI works fine. Web interface updated to fix password verification issues for SNMPv3. 37001 - ARP table size on PA-5050 and PA-5060 devices was only about 20k entries when it should be 32k. Fixed applied to increases the table size to 32k. 36977 - Expired DHCP leases are not being cleared properly and when clearing expired leases manually, all leases are cleared. Updates applied to fix the clear expired lease command and improvements made for handling of automatic clearing of expired leases. 36932 - The test URL command test url-resolve-path URL is showing some sites as category unknown, but the test url URL command on the same site is fine. Update made so both commands use the Dynamic DB to look up site categorization. 36893 - Running the CLI operational command show unused rules is incorrectly identifying some QoS rules as unused when they are actually in use and configured properly. The CLI does show the correct information, so the issue only occurred when viewing unused rules from the web interface. 36837 - HTTP redirects not working properly when SSL decryption is enabled on the firewall. Issue due to a buffer problem with certificate signing. 36823 - In certain multipurpose sites, where part of a site may contain shopping or auction type information, and other sections of the site may contain adult content, URL filtering was not correctly categorizing the adult section. Issue due to cache problems where URL paths and URL directories were not being handled properly, so not all sections of a site was being categorized properly.

PAN-OS Release Notes, version 4.1.11 rev A

[49]

36772 - Panorama using admin roles with access domains defined to read attributes from Radius was not correctly restricting permissions to managed device groups. Issue due to a problem where the admin role permissions were not being applied when the remote admin did a context switch to specific devices. 36736 - Radius admin authentication problems occurred in a nested domain configuration because the domain name was not being passed to the Radius server. 36733 - WildFire not uploading files to the WildFire servers due to a corrupt file being stuck in the upload queue, which prevented other files from being uploaded. Update applied to handle corrupt files, so the queue will continue processing. 36728 - Problems occurring with the GlobalProtect configuration when a commit is performed and only the Include commit and Object configuration option is selected. Issue due to a problem handling this type of commit when GlobalProtect is configured. 36570 - On a PA-5000 Series device in HA mode, the HA2 data link interface was not working in UDP or IP mode due to an issue with the HA2 ARP resolution messages not being synched properly. 36538 - User-ID agent not able to connect to the firewall for several minutes during long commits due to issues building the application dependency hash table. 36378 - Custom anti-spyware and vulnerability profiles created in Panorama were not migrated properly after upgrading from 4.0 to 4.1. 36351 - Long commit times occurring (10+ minutes) due to an issue handling application groups when large numbers of categories and sub-categories exist in the configuration. 36298 - System log is showing unknown for the event commit installed, when it should show general. 36259 - When downloading files through the firewall from an SSL site and SSL decryption and forward proxy are enabled on the firewall, the traffic log is showing double the file size. Issue due to the system adding both the proxy packet byte count and packet count as the total file size. 36091 - Management plane not responding due to a problem with the email log forwarding process failing to deliver logs causing high memory issues.

PAN-OS Release Notes, version 4.1.11 rev A

[50]

36041 - Unable to commit the configuration due to issues with the authentication daemon trying to process group membership updates from the User-ID agent when an authentication profile uses all in the allow list. 35984 - On an HA active/passive configuration, the log indexer was being triggered for regular traffic and threat logs, causing too much memory to be used and then causing a reboot. Updates made to better control the log indexer during heavy traffic loads. 35982 - Not able to commit the configuration due to high memory issues, which is causing the commit to timeout before it can complete. Issued caused by the firewall not properly handling a 10GbE port that was flapping. 35889 - User-ID not responding due to an issue where the domain name was not being included when the system checked the state of the User-ID agent. 35745 - Receiving a commit error after importing certificates when the expiration date of the certificate is more than 20 years from the current date. 35716 - Receiving shadow rule warning when adding the service udp-1024-65535 to a group due to an issue where security policy parsing is recognizing this as a conflict with all lower rules using UDP and TCP ports. 35667 - PA-5050 with a DC power supply could not commit properly due to issues with the I2c bus. 35656 - Traffic logs were not being collected during heavy loads due to a problem that occurred when threat log forwarding was failing. 35601 - Issue completing downloads of some large applications from an Android device on a wireless network behind a firewall due to issues handling FIN and ACK responses properly. 35352 - On a PA-5000 Series device, sub-interfaces, tunnel, and VLAN interfaces were available for QoS source matching, but these types of interfaces cannot be used in this configuration; only physical Ethernet and aggregate interfaces are allowed. 35258 - When a user account in Active Directory has a different value for the userPrincipleName (UPN) name and the sAMAccountName, group mapping is not working correctly because the user to IP mapping process uses the sAMAccountName and user to group mapping process uses the UPN name. Update made so both processes use

PAN-OS Release Notes, version 4.1.11 rev A

[51]

the sAMAccountName. 34826 - SSL decryption not working after upgrading from 3.1.6 to 4.0.7 due to an issue where traffic was being decrypted that should not have been decrypted, causing the proxy cache to fill up and cause memory issues. 34710 - On a PA-5000 Series device, host connections between a host on the L3 interface and a host on an L2 interface are dropping after a commit is initiated. Issue due to MAC ARP entries not updating properly between dataplanes. 33540 - Not able to select the interface IP address to be used as a floating IP in an HA active/active configuration when the interface IP is behind NAT. Only the translated IP address could be selected. Issue fixed to allow the interface address to be selected. 33502 - When viewing the traffic log from the Monitor tab and setting a refresh of every 10 seconds, then setting to manual and then to a new refresh interval, the new interval does not work. Issue due to a log monitor refresh problem.
32781 - Sending a traceroute to a firewall over a tunnel interface returns 0.0.0.0 when the

destination interface does not have an IP address assigned. Issue due to the firewall incorrectly returning ICMP/ICMP6 error messages when an interface address is not assigned to a tunnel interface on the remote side.

PAN-OS Release Notes, version 4.1.11 rev A

[52]

Known Issues
The following lists known unresolved bugs in this release: For recent updates to known issues for a given PAN-OS release, refer to https://live.paloaltonetworks.com/docs/DOC-1982. 42343 Image files that contain alpha channel information are not supported in PDF reports. For example, when adding a custom logo in Device > Setup > Operations > Miscellaneous > Custom Logos, the supported file type is png, gif, and jpg, but they cannot contain alpha channel information. If the image file contains alpha channels, the PDF report will not be generated properly. This issue occurs when adding a custom logo to PDF Report Title Page or PDF Report Footer. 32908 If a client PC uses RDP to connect to a server running remote desktop services and the user logs in to the remote server with a different username, when the User-ID agent queries the Active Directory server to gather user-to-IP mapping from the security logs, the second user name will be retrieved. For example, if "UserA" logs in to a client PC and then logs in to the remote server with "UserB" as the username, the security log on the Active Directory server will record UserA, but will then be updated with UserB. The username UserB is then picked up by the User-ID agent for the user-to-IP mapping information, which is not the intended user mapping. 21601 NetConnect may not upgrade properly from 1.1.x to 1.2 without clearing the Java cache. 21489 NetConnect will not install with Java 1.5 or earlier. Java 1.6 or later is required. 13391 In some environments, the threat count on the top level of ACC did not match the counts on the lower levels. 10800 Connecting the PA-2000 Series management port to a device that is hard set to full duplex will cause unpredictable behavior on the management port. Always set the port connected to the PA-2000 Series management port to auto-negotiate. 7495 The CLI allows the import of more keys than the system can use. 5145 Requesting an App-Scope graph for Source or Destination on a system with a very large number of sources or destinations can take 5-10 minutes to complete. 1475 Some non-browser based applications that use SSL were not functioning properly with SSL decryption. 908 LLC SNAP/802.2 packets do not pass through the device.

PAN-OS Release Notes, version 4.1.11 rev A

[53]

Documentation Errata
The following lists outstanding issues related to the PAN-OS documentation. In the 4.1 Palo Alto Networks Administrators Guide in the DNS Proxy table, the description for Static Entries is incorrect. It stated that the FQDN field is for the DNS server. The correct description follows: Static Entries - Provide static FQDN to IP address mappings that will be delivered in response to DNS queries made by hosts. Click Add and specify the following information: NameEnter a name for the Static Entry. FQDNEnter the Fully Qualified Domain Name (FQDN) that will be mapped to the static IP addresses defined in the Address field. AddressClick Add and enter the IP addresses that map to this domain. Repeat to add additional addresses. To delete an address, select the address and click Delete. The following bugs were fixed, but were not reported in the 4.1.9 release note. 43708 (associated bugs: 46406 (fixed in 4.1.10), 43700, 42566) Bug description: When sending threat and traffic logs to an external syslog server and to Panorama, some of the threat logs were being discarded and did not appear on both log servers. Issue was due to bind errors that occurred on the firewall during heavy log traffic. The Change to Default Behavior section has been updated based on bug 40643 that was addressed in release 4.1.8. Please refer to that section for more information on this bug. In the Palo Alto Networks Administrators Guide, the Captive Portal Settings table for Idle Timer states that the default value is 5 minutes. The correct default value is 15 minutes. In the Palo Alto Networks Administrators Guide in the Virtual Routers Settings OSPF table the Type description spells out ABR as Available Bit Rate. The correct term is Area Border Router. The following bugs should have been listed in the 4.1.7 release notes: 36427, 39516 and 41447. Bug descriptions added to the Addressed Issues section for 4.1.7. Also, bug 30444, which was a known issue in previous releases was fixed in 4.1.7, but was listed in the 4.1.6 addressed issues section. In the Palo Alto Networks Administrators Guide in the Captive Portal Settings Tab table, the description of Timer is incorrect. The correct field name for this option is Expiration and the range is 1-1440 minutes, default 60 minutes. Also, the correct numbers for Idle

PAN-OS Release Notes, version 4.1.11 rev A

[54]

Timer is 1-1440 minutes, default 15 minutes, not 5-1440 minutes, default 5 minutes. In the PAN-OS 4.1 Command Line Interface Reference Guide, the help text for the command set network ike gateway name protocol protocol-common states IKE Protocol settings common to IKEv1 and IKEv2. However, IKEv2 is not supported in this release. When configuring an LDAP Server Profile for authentication from Device > Server Profiles > LDAP, the Domain field should use the NETBIOS name of your domain, not the FQDN. This information has been added to this field description in the next release of the Palo Alto Networks Administrators Guide. In the Palo Alto Networks Administrators Guide in the Dashboard Charts table, the Resource Information should be named System Resources. The description for this widget is also incorrect; the widget shows the interface ports being used, the Management CPU usage, Data Plane Usages, and the Session Count, which displays the number of sessions established through the firewall. In the Palo Alto Networks Administrators Guide in the HA Settings table in the Control Link (HA1) field descriptions theres a description for Control Link Monitor Hold Time (ms) and a description for Monitor Hold Time (ms). There should only be one field description named Monitor Hold Time (ms) and the correct description for this field is as follows: Enter the length of time (milliseconds) that the system will wait before acting on the control link failure (1000-60000 ms, default 3000 ms). Configure this setting for the primary HA1 interface. In the Palo Alto Networks Administrators Guide in the Upgrading the PAN-OS Software section, the third bullet states the following: you must have 4.1.0 downloaded (not installed) before you can upgrade your 3.1.9 device to 4.1.4. This is partially true, you first need to install 4.0.1 (base image for 4.0), then download (not install) the 4.1.0 base image, and then you can upgrade to the 4.1.4 maintenance release. This is due to the fact that you cannot skip a feature release when upgrading. Also, when going from 4.0.1 to 4.1.4, you must have the 4.1.0 base images file downloaded (not installed) because the 4.1.4 maintenance release only contains software that has changed since the 4.1 release and the base image is used to complete the install. In the Palo Alto Networks Administrators Guide in the URL Filtering Profile section the Block List and Allow List field descriptions it states the following: you can omit the http[s]:// portion of the URLs. This should say you must omit the http and https portion of the URLs. If you put http or https in the URL for the allow or block list, the

PAN-OS Release Notes, version 4.1.11 rev A

[55]

action will not function properly. The Federal Information Processing Standards Support (FIPS) appendix in the Palo Alto Networks Administrators Guide does not mention that a factory reset is performed when the firewall is changed to FIPS mode, so the configuration will be cleared. The admin password is also reset to paloalto. See the appendix for more information on FIPS and the default configuration options that will be set. The Palo Alto Networks Administrators Guide states that a security zone name can be up to 31 characters, but the correct character limit is 15. In the PAN-OS Command Line Interface Reference Guide, the syntax for set allowforward-decrypted-content command is not correct. It should be set setting ssl-decrypt allow-forwarded-decrypted-content. In the PAN-OS Command Line Interface Reference Guide, the definition for the strip-x-fwd-for command states the following: Set whether to strip x-forwardedfor in the http header. To clarify, only the x-forwarded-for value is stripped. The firewall zeroes out the header value before forwarding the request, and the forwarded packets do not contain internal source IP information. In the Palo Alto Networks Administrators Guide in the Panorama Overview section it states the following: You can install Panorama on VMware Server or VMware ESX(i) 4.x or 3.5. This should state that you can install Panorama on VMware Server or VMware ESX(i) 3.5 or later. In the Palo Alto Networks Administrators Guide on page 214 under Captive Portals, it states the following Captive portal rules work only for HTTP web traffic. As of this release (4.1), Captive Portal supports HTTP and HTTPS web traffic. In the Palo Alto Networks Administrators Guide, the definition of Preemption Hold Time incorrectly states that the value that can be set is 1-60000 ms; the correct value range is 1-60 minutes and the default is 1 minute. In the File Blocking Profiles table in the Palo Alto Networks Administrators Guide, it states the following: The rules are processed in sequence. To change the position of a rule, select the rule and click Move Up or Move Down. This is not the case; the file blocking rules are not processed sequentially, so you can no longer change the order. This statement was removed in rev B of the guide. The following debug commands are no longer available in this release and should have been removed from the Command Line Interface Reference Guide: o debug device-server dump ts-agent o debug device-server dump user-group

PAN-OS Release Notes, version 4.1.11 rev A

[56]

o debug device-server dump userid-agent In the PAN-OS Command Line Interface Reference Guide for release 4.1, the request tech-support command states that the Required Privilege Level is superuser, vsysadmin, deviceadmin. It should only state that a superuser can perform this operation. This is not an error in documentation, but rather provides additional information related to OSPF that should have been mentioned in the Administrators Guide. PAN-OS uses a classification mechanism that assigns all multicast and broadcast packets to the base interface, so these packets cannot be assigned to a subinterface. Due to this process and the fact that OSPF uses multicast, OSPF is not supported on untagged subinterfaces.

PAN-OS Release Notes, version 4.1.11 rev A

[57]

Related Documentation
The following additional documentation is provided: Administrators GuideDescribes how to administer the Palo Alto Networks firewall using the devices web interface. The guide is intended for system administrators responsible for deploying, operating, and maintaining the firewall. PAN-OS Command Line Interface Reference GuideDetailed reference explaining how to access and use the command line interface (CLI) on the firewall. Hardware Reference GuidesDetailed reference containing the specifics of the various hardware platforms, including specifications, LED behaviors, and installation procedures. Online Help SystemDetailed, context-sensitive help system integrated with the firewalls web interface.

Requesting Support
For technical support, call 1-866-898-9087 or send email to support@paloaltonetworks.com.

PAN-OS Release Notes, version 4.1.11 rev A

[58]

Revision History
Date January 30, 2013 Revision PAN-OS 4.1.11 Comment In 4.1.10, several bugs were incorrectly moved from the Known Issues section to the 4.1.10 Addressed Issues section. Updates follow: 35352 This bug was addressed in 4.1.4, so it has been moved to that list in 4.1.11. 34703 This bug was addressed in 4.1.1 h1 and 4.1.2. The history of this doc does not go back to 4.1.2, so this bug has been removed from the Addressed Issues list. 33914 This bug was addressed in 4.1.2. The history of this doc does not go back to 4.1.2, so this bug has been removed from the Addressed Issues list. 13397 Moved back to Known Issues. 1985 This bug was addressed in 3.0.0. The main issue that was addressed was to support link settings on HA interfaces. Original description of the bug: Using a straight

cable between HA2 ports with high traffic load was causing packet loss.
December 17, 2012 PAN-OS 4.1.10 1475 This is still an issue, so its been moved back to Known Issues. Some older bugs that were listed in the Known Issues section of this release were fixed in past 4.1.x releases, but were not moved to the Addressed Issues sections. This includes the following bugs: 35352, 34703, 33914, 13391, 1985, and 1475.

October 30, 2012 PAN-OS 4.1.9

section.

Bug 42343 added to the known issues

Additional information related to bug 40643 that was addressed in 4.1.8 has been added to the Changes to Default Behavior section. UPDATE November 5, 2012 This bug is no longer an issue as of 4.1.8 and 4.1.9.

PAN-OS Release Notes, version 4.1.11 rev A

[59]

Date September 19, 2012

Revision PAN-OS 4.1.8

Comment Two new commands were added in the 4.1.7 release to help resolve bug 40669, but was not mentioned in the 4.1.7 release note. See the GlobalProtect Features section under PAN-OS 4.1 New Features for details related to the redirect and work-threads commands. FIPS information added to the Documentation Errata section. New change in default behavior added for DHCP Client and PPPoE on Layer 3 interfaces in an HA active/active configuration. This configuration is not supported, so an error will now appear if these options are configured. New change in default behavior added for the HA hello interval. Documentation Errata Updates: o o Security zone name field length. Upgrading the PAN-OS Software section in the Administrators Guide.

July 31, 2012

PAN-OS 4.1.7 release

Administrator Guide issue related to the Dashboard Resource information description.


Updated the NetConnect to GlobalProtect Migration section with a reference to the migration Tech Note.

2012, Palo Alto Networks. All rights reserved. PAN-OS, Palo Alto Networks are either trademarks or trade names of Palo Alto Networks. All other trademarks are the property of their respective owners.

PAN-OS Release Notes, version 4.1.11 rev A

[60]