
PAN-OS® Release Notes

Version 9.0.5

paloaltonetworks.com/documentation
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal www.paloaltonetworks.com/documentation.
• To search for a specific topic, go to our search page www.paloaltonetworks.com/documentation/
document-search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
documentation@paloaltonetworks.com.

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2019-2019 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
November 14, 2019

2 PAN-OS® RELEASE NOTES |


Table of Contents
PAN-OS 9.0 Release Information................................................................... 5
Features Introduced in PAN-OS 9.0...................................................................................................... 7
App-ID Features..............................................................................................................................7
Virtualization Features...................................................................................................................8
Panorama Features.........................................................................................................................9
Content Inspection Features..................................................................................................... 10
GlobalProtect Features............................................................................................................... 12
Management Features................................................................................................................ 15
Networking Features...................................................................................................................17
User-ID Features.......................................................................................................................... 19
WildFire Features.........................................................................................................................20
New Hardware Introduced with PAN-OS 9.0...................................................................... 20
Changes to Default Behavior.................................................................................................................22
Associated Software and Content Versions.......................................................................................26
Limitations...................................................................................................................................................27
Known Issues............................................................................................................................................. 29
Known Issues Related to PAN-OS 9.0................................................................................... 29
Known Issues Specific to the WildFire Appliance............................................................. 130

PAN-OS 9.0 Addressed Issues....................................................................131


PAN-OS 9.0.5 Addressed Issues........................................................................................................ 133
PAN-OS 9.0.4 Addressed Issues........................................................................................................ 143
PAN-OS 9.0.3-h3 Addressed Issues.................................................................................................. 153
PAN-OS 9.0.3-h2 Addressed Issues.................................................................................................. 154
PAN-OS 9.0.3 Addressed Issues........................................................................................................ 155
PAN-OS 9.0.2-h4 Addressed Issues.................................................................................................. 165
PAN-OS 9.0.2 Addressed Issues........................................................................................................ 166
PAN-OS 9.0.1 Addressed Issues........................................................................................................ 170
PAN-OS 9.0.0 Addressed Issues........................................................................................................ 174

Getting Help.................................................................................................... 179


Related Documentation........................................................................................................................ 181
Requesting Support................................................................................................................................182

TABLE OF CONTENTS iii


PAN-OS 9.0 Release Information
Revision Date: November 14, 2019
Review important information about Palo Alto Networks PAN-OS® 9.0 software, including
new features introduced and a list of known issues, workarounds for open issues, and issues
that are addressed in the PAN-OS 9.0 release. For installation, upgrade, and downgrade
instructions, refer to the PAN-OS 9.0 New Features Guide.

> Features Introduced in PAN-OS 9.0
> Changes to Default Behavior
> Associated Software and Content Versions
> Limitations
> Known Issues
> PAN-OS 9.0.5 Addressed Issues
> PAN-OS 9.0.4 Addressed Issues
> PAN-OS 9.0.3-h3 Addressed Issues
> PAN-OS 9.0.3-h2 Addressed Issues
> PAN-OS 9.0.3 Addressed Issues
> PAN-OS 9.0.2-h4 Addressed Issues
> PAN-OS 9.0.2 Addressed Issues
> PAN-OS 9.0.1 Addressed Issues
> PAN-OS 9.0.0 Addressed Issues
> Getting Help

© 2019 Palo Alto Networks, Inc.
Features Introduced in PAN-OS 9.0
The following topics describe the new features and new hardware introduced with the PAN-OS® 9.0
release, which requires content release version 8103 or a later version. For upgrade and downgrade
considerations and for specific information about the upgrade path for a firewall, refer to the PAN-OS 9.0
New Features Guide. The new features guide also provides additional information about how to use the
new features in this release.
• App-ID Features
• Virtualization Features
• Panorama Features
• Content Inspection Features
• GlobalProtect Features
• Management Features
• Networking Features
• User-ID Features
• WildFire Features
• Hardware Features

App-ID Features
New App-ID Feature Description

Policy Optimizer
Policy Optimizer identifies all applications seen on any legacy Security policy rule and provides an easy workflow for selecting the applications you want to allow on that rule. Additionally, it helps you remove unused applications from overprovisioned application-based rules. This simplified workflow allows you to migrate a legacy rule gradually and natively to an application-based rule so you can safely enable applications in your environment and improve your security posture.
(Beginning with PAN-OS 9.0.2) Policy Optimizer also gives you the option to select applications in a legacy Security policy rule and add applications to an existing rule so that you can leverage pre-existing App-ID based rules and eliminate the need to continually create new rules. You can also now choose between container app and specific apps seen so that the web interface clearly displays which applications have been seen on a rule and which ones were added as part of the container but that have not yet been seen on that rule.

HTTP/2 Inspection
You can now safely enable applications running over HTTP/2, without any additional configuration on the firewall. As more websites continue to adopt HTTP/2, the firewall can enforce security policy and detect and prevent threats on a per-stream basis. This visibility into HTTP/2 traffic enables you to secure web servers that provide services over HTTP/2, and allow your users to benefit from the speed and resource efficiency gains that HTTP/2 provides.


Strict Default Ports for Decrypted Applications
Application-default—which enables you to allow applications only on their most commonly-used ports—now enforces strict standard port usage for certain applications that use a different default port when they are encrypted: web-browsing, SMTP, FTP, LDAP, POP3, and IMAP. For example, with SSL decryption turned on, application-default differentiates between cleartext and encrypted web-browsing traffic and strictly enforces:
• cleartext web-browsing traffic (HTTP) on port 80
• and encrypted web-browsing traffic (HTTPS) on port 443.

Application-default is a best practice for application-based security policies—it reduces administrative overhead, and closes security gaps that port-based policy introduces.

Virtualization Features
New Virtualization Features Description

VM-Series firewall on KVM—VLAN Access Mode with SR-IOV (Available starting with PAN-OS 9.0.4)
In VLAN access mode with SR-IOV, when you deploy the VM-Series firewall as a Virtual Network Function (VNF) on the KVM hypervisor, it can send and receive packets from SR-IOV virtual functions (VFs) without VLAN tags. This capability enables you to apply QoS policies on the access interface and provide differentiated treatment of traffic in a multi-tenant deployment.

VM-Series on AWS—Support for C5 and M5 Instance Types with ENA
The VM-Series firewall on AWS adds support for the C5 and M5 instance types that use the Elastic Network Adapter (ENA). With the support for these instance types, you can deploy the VM-Series firewall in all regions that support C5/M5 instance types including new AWS regions, such as AWS Paris that exclusively use newer instance types.

VM-Series Plugin
The VM-Series firewalls now support a plugin architecture that enables Palo Alto Networks to deliver cloud features and updates, including integrations with new cloud platforms or hypervisors, independent of a PAN-OS release. This VM-Series plugin manages interactions between the VM-Series firewalls and the supported public and private cloud deployments. The plugin is digitally signed by Palo Alto Networks and built-in to all models of the VM-Series firewalls. You can update the installed plugin version just like software or content updates—locally on the firewall, using bootstrapping, or centrally from Panorama.

Support for HA for VM-Series on Azure
The VM-Series firewall on Azure now supports an active/passive HA configuration. This capability is delivered using the VM-Series plugin (see above).

Higher Performance for VM-Series on Azure using Azure Accelerated Networking (SR-IOV)
To support higher throughput, VM-Series firewalls deployed on D/DSv2 and D/DSv3 class of Azure VMs include support for Accelerated Networking (SR-IOV). You can now deploy this higher performance firewall as an active/passive HA pair or in a scale-out deployment with Azure load balancers.

The following Networking Features are also relevant for VM-Series deployments in
private or public cloud environments:
• Security Group Tag (SGT) EtherType Support
• FQDN Refresh Enhancement
• FQDN Support for Static Route Next Hop, PBF Next Hop, and BGP Peer
• Dynamic DNS Support for Firewall Interfaces
• Advanced Session Distribution Algorithms for Destination NAT
• VXLAN Tunnel Content Inspection

Panorama Features

New Panorama Feature Description

Master Key Deployment from Panorama
When you need to change the default master key used to encrypt sensitive elements in the configuration, you can now deploy a master key to firewalls, Log Collectors, and WildFire appliances from Panorama. In a large-scale deployment, managing the master key centrally from Panorama ensures a uniform master key deployment and provides visibility into the status of the operation.

Device Management Capacity Enhancement
Scale up all your Panorama capabilities to manage up to 5,000 firewalls, using M-600 appliances or similarly resourced Panorama virtual appliances. This enhancement allows you to leverage all the benefits of centralization while utilizing the logging, reporting, device health monitoring, device deployment, and configuration management capabilities of Panorama for a larger number of firewalls. For example, if you are managing 3,500 firewalls using four Panorama appliances, you can now consolidate to a single Panorama appliance for managing your firewalls to ease the operational burden and reduce your management footprint.

Granular Configuration Management of Device Groups and Templates
In order to troubleshoot configuration errors, you can now perform operations such as export, revert, save, import, and load at a device group and template level. For example, this granularity allows you to independently revert or load the configuration of the firewalls within your access domain without impacting changes other administrators have made.

Streamlined Device Onboarding
Panorama enables simplified onboarding of new firewalls by allowing you to assign them to device groups, templates, collector groups, or Log Collectors during the initial deployment. You can also elect to automatically push the configuration to firewalls when the firewalls initially connect to Panorama. Using this onboarding workflow, you can ensure that new firewalls are immediately configured and ready to secure your network.

VM-Series Plugin
The VM-Series plugin manages integration with public and private clouds, allowing Palo Alto Networks to release bug fixes, new features, or new cloud integrations, independent of a PAN-OS release.
Panorama 9.0 supports the VM-Series plugin and supplies the compatible version, but does not install it automatically. Install the plugin if you have VM-Series cloud integrations and you want to use Panorama to manage them centrally.

Content Inspection Features


New Content Inspection Feature Description

DNS Security
The firewall can now access the full database of Palo Alto Networks DNS signatures through a new DNS Security service. The DNS Security service also performs pro-active analysis of DNS data to predict new malicious domains and to detect C2 evasion techniques—like domain generation algorithms and DNS tunneling—that aim to bypass common protections.

New Security-Focused URL Categories
New security-focused URL categories enable you to implement simple security and decryption policies based on website safety, without requiring you to decide (or even know) what website is likely to expose you to web-based threats:
• High risk, medium risk, and low risk—These categories indicate the level of suspicious activity a site displays. All URLs—except those that are confirmed malware, C2, or phishing sites—now include this risk rating.
• Newly-registered domains—This category identifies sites that have been registered within the last 32 days. New domains are frequently used as tools in malicious campaigns.
These new categories can help you to reduce your attack surface by providing targeted decryption and enforcement for sites that pose varying levels of risk, but are not confirmed malicious. Websites are classified with a security-related category only so long as they meet the criteria for that category; as site content changes, policy enforcement dynamically adapts.

Multi-Category URL Filtering
PAN-DB, the Palo Alto Networks URL database, now assigns multiple categories to URLs that classify a site's content, purpose, and safety. Every URL now has up to four categories, including a risk rating that indicates how likely it is that the page will expose you to threats. More granular URL categorizations mean that you can move beyond a basic block-or-allow approach to web access. Instead, control how your users interact with content, especially websites that, while necessary for business, are more likely to be used as part of a cyberattack (like blogs or cloud storage services). For example, allow your users to visit high-risk websites, but enforce read-only access to questionable content by blocking obfuscated JavaScript and preventing dangerous file downloads.

Built-In External Dynamic List for Bulletproof Hosts
Because bulletproof hosting providers place few, if any, restrictions on content, attackers frequently use these services to host and distribute malicious, illegal, and unethical material. The Threat Prevention subscription now includes a new built-in external dynamic list (EDL) that you can use to block IP addresses associated with bulletproof hosting providers.

EDL Capacity Increases
External dynamic list (EDL) capacities are increased to better accommodate the use of third-party intelligence feeds, significantly expanding the number of threat indicators you can leverage within your network security policies. Additionally, you can now prioritize EDLs to make sure lists containing critical threat indicators are committed before capacity limits are reached.

Support for New Predefined Data Filtering Patterns
To identify and protect sensitive information from leaving your network, the firewall provides 19 new predefined data filtering patterns that identify specific (regulated) information from different countries of the world, such as INSEE Identification (France) and New Zealand Internal Revenue Department Identification Number. PAN-OS also performs a checksum validation for all patterns to eliminate false positives.

Cellular IoT Security
As your business moves to cellular IoT (CIoT) and the network adopts 3GPP CIoT technologies, you need to secure CIoT traffic to protect your network and CIoT from attacks. Cellular IoT security allows you to secure CIoT traffic and gain visibility into CIoT and device-to-device communication over your network. If you are a mobile network operator (MNO) or a mobile virtual network operator (MVNO), for example, a utility company focused on oil, gas, or energy operating as MVNO, you can now secure CIoT traffic. CIoT security also allows you to protect MNO infrastructure and CIoT devices from DoS attacks on both Signaling/Control and Data layers, attacks from infected CIoTs, and spying attacks; and it allows you to detect and prevent malware, ransomware, and vulnerabilities. Additionally, the firewall now supports Narrowband IoT (NB-IoT) radio access technology (RAT), 3GPP TS 29.274 for GTPv2-C up to Release 15.2.0, and 3GPP TS 29.060 for GTPv1-C up to Release 15.1.0. CIoT security is supported on VM-Series firewalls, PA-5200 Series firewalls, and PA-7000 Series firewalls that have all new cards, including new 100G NPC, new second-generation SMCs, and new Log Forwarding Card (LFC).

GTP Event Packet Capture
Firewalls now support packet capture for a GTP event to make troubleshooting easier. GTP packet capture is supported for events such as GTP-in-GTP, end user IP address spoofing, and abnormal GTPv1-C, GTPv2-C, and GTP-U messages that have missing mandatory information elements (IE), invalid IE, invalid header, out-of-order IE, or unsupported message type. GTP event packet capture is supported on VM-Series firewalls, PA-5200 Series firewalls, and PA-7000 Series firewalls that have all new cards, including new 100G NPC, new second-generation SMCs, and new Log Forwarding Card (LFC).

Graceful Enablement of GTP Stateful Inspection
(PAN-OS 9.0.3 and later releases) You can now enable GTP stateful inspection in the firewall gracefully with minimal disruption to GTP traffic. You can allow GTPv2, GTPv1-C, and GTP-U packets that fail GTP stateful inspection to pass through a firewall. Although the firewall drops such packets by default after GTP stateful inspection is enabled, allowing them to pass minimizes disruption when you deploy a new firewall or when you migrate GTP traffic.

Graceful Enablement of SCTP Stateful Inspection
(PAN-OS 9.0.4 and later releases) You can now enable SCTP stateful inspection in the firewall gracefully with minimal disruption to SCTP traffic. You can allow SCTP packets that fail SCTP stateful inspection to pass through a firewall. Although the firewall drops such packets by default after SCTP stateful inspection is enabled, allowing them to pass minimizes disruption when you deploy a new firewall or when you migrate SCTP traffic.

One of the new App-ID Features, HTTP/2 Inspection, enables you to enforce threat
prevention on a per-stream basis.

GlobalProtect Features
The following table describes new GlobalProtect features introduced in PAN-OS 9.0. For features related to
the GlobalProtect app, see the GlobalProtect App 5.0 Release Notes.

New GlobalProtect Feature Description

Simplified Deployment for GlobalProtect Portals and Gateways
You can now reduce the number of GlobalProtect portals and gateways you need to deploy and manage for GlobalProtect use cases by configuring the following features on a single firewall:
• Endpoint Tunnel Configurations Based on Source Region or IP Address—You can now assign tunnel configurations to users based on their source IP address or region from a particular GlobalProtect gateway. For example, you can configure a gateway to allow all traffic for local network printing to bypass the VPN tunnel when end users connect from a branch office but require all traffic to route through the VPN tunnel when users connect remotely from an unknown or untrusted network (such as a coffee shop or library).
• Portal Configuration Assignment and HIP-Based Access Control Using New Endpoint Attributes—You can now deploy different configurations and enforce access control for managed (corporate-owned) endpoints and unmanaged endpoints (such as in a BYOD environment) from a particular GlobalProtect portal or gateway. To identify the managed status of an endpoint, GlobalProtect portals and gateways can now use the following new endpoint attributes: machine certificate and serial number.
• DNS Configuration Assignment Based on Users or User Groups—From a particular gateway you can now assign different DNS servers and DNS suffixes to endpoints based on the user or user group. This allows you to leverage your distributed DNS infrastructure for users connecting with GlobalProtect.
• Mixed Authentication Method Support for Certificates or User Credentials—You can now assign multiple combinations of authentication methods with user credentials and/or client certificates from a particular portal or gateway. For example, when connecting to the same portal or gateway, users connecting from corporate mobile devices can authenticate using a certificate while users connecting from personal devices can authenticate using their AD credentials.

HIP Report Redistribution
In data center environments, you can now use HIP report redistribution to ensure consistent policy enforcement across all endpoints and to simplify policy configuration and management across internal and external gateways. With HIP report redistribution, you use the same mechanism as User-ID redistribution to enable the GlobalProtect gateways to send the HIP reports to a Dedicated Log Collector (DLC), firewall, or Panorama. HIP report redistribution eliminates the need for exception policies for external gateways or internal gateways, thereby simplifying HIP setup and configuration time for your gateways and firewalls.

Tunnel Restoration and Authentication Cookie Usage Restrictions
You can now enforce additional restrictions for enhanced security:
• You can now choose to enable automatic restoration of VPN tunnels at the gateway level. For example, you can enable automatic restoration of VPN tunnels for all gateways in the enterprise except for specific gateways that you want to require authentication before a tunnel is established.
• You can now choose whether to accept an authentication cookie when the IP address attributes (IP address or IP address range) of the endpoint change. If you choose to reject an authentication cookie when the endpoint IP address attribute differs from the original value associated with the authentication cookie, the user must authenticate again to receive a new authentication cookie.
These settings provide a more restricted user connection experience.

Pre-Logon Followed By Two-Factor and SAML Authentication
The GlobalProtect app for Windows and Mac endpoints now supports pre-logon followed by two-factor or SAML authentication for user login. After the pre-logon tunnel is established, the user can log in to the endpoint and authenticate using the configured authentication method. If authentication is successful on Windows endpoints, the pre-logon tunnel is seamlessly renamed to User tunnel and the GlobalProtect connection is established. If authentication is successful on macOS endpoints, a new tunnel is created and the GlobalProtect connection is established.

GlobalProtect Gateway and Portal Location Configuration
To help users identify the geographic location of GlobalProtect gateways, you can now configure a label for the physical location. By separating the location into a dedicated label, you can also use location-independent names when you configure your gateways.
The GlobalProtect app displays the label for the location of the gateway to which a user is connected and the Clientless VPN portal landing page displays the label for the location of the portal to which a Clientless VPN user is logged in.
When end users experience unusual behavior, such as poor network performance, they can provide this location information to their support or Help Desk professionals to assist with troubleshooting. They can also use this location information to determine their proximity to the Clientless VPN portal or gateway. Based on their proximity, they can evaluate whether they need to switch to a closer portal or gateway. However, auto-selected gateways are still preferred.
Refer to the GlobalProtect App 5.0 Release Notes for more information on gateway and portal location visibility for end users.

User Location Visibility on GlobalProtect Gateways and Portals
For enhanced reporting and user activity analysis, you can now view the source region of users that connect (or have previously connected) to GlobalProtect portals and gateways. You can identify the source region of the Clientless VPN users in the Remote Users section of the Portal configuration and the source region of GlobalProtect users in the Remote Users section of the Gateway configuration.

Concurrent Support for IPv4 and IPv6 DNS Servers
You can now assign up to ten IPv4 and IPv6 DNS servers in the client settings provided to the endpoint by the GlobalProtect gateway. This enhancement enables you to simultaneously assign multiple IPv4 and IPv6 DNS servers to the endpoints that connect to the gateway.

Support for IPv6-Only GlobalProtect Deployments
GlobalProtect now supports IPv6-only deployments. With this enhancement, you can define an IP address pool that uses only IPv6 addresses when you configure GlobalProtect gateways.

When you configure IPv6 pools, you must also enable split tunneling to route any IPv4 traffic from the endpoint to the internet.

Management Features
New Management Description
Feature

Cortex Data Lake Palo Alto Networks Cortex Data Lake provides cloud-based, centralized log
Logging for Firewalls storage and aggregation for firewalls and services. With Cortex Data Lake,
without Panorama Palo Alto Networks takes care of the ongoing maintenance and monitoring of
your logging infrastructure so that you can focus on your business.
Until PAN-OS 9.0.3, Panorama was required to onboard firewalls to Cortex
Data Lake and to view logs stored in Cortex Data Lake. Now, with PAN-OS
9.0.3 and later releases, you can enable non-Panorama managed firewalls to
securely connect and send logs to Cortex Data Lake.

Enforcement of As your team creates and modifies rules, the rationale for creating or
Description, Tag and modifying rules are lost over time. To capture the reason for rule creation and
Audit Comment modification, you can now require a description, tag, or audit comment to
maintain rule revision history for auditing. For example, if you are creating a
new app-based security policy rule to replace a port-based rule, enforce these
rule creation elements to ensure that the rule is appropriately grouped, and
that the administrator describes the purpose of the rule.

Rule Changes Archive When you create or modify policy rules, you now have revision history to
audit changes. To track and analyze how your policy rules have evolved over
time, you can review the audit comment history and see differences between
two rule versions. Combined with the new Enforcement of Rule Description,
Tag and Audit Comment (see above), you can enforce audit comments with
every rule creation and modification to ensure that the audit comment history
is maintained for your policy rulebases.

Tag Based Rule Groups Visually group related rules using a new group tag to efficiently manage
large sets of related rules within any policy rulebase. You can use any tag
as a group tag to organize related rules so that you can easily move, clone,
or delete the rules in the selected group. This allows you to visually see the
organizational changes that are happening to your rulebase, and increase the
efficiency of managing large sets of rules.

Policy Match and Validate policy configuration changes of one or more firewalls directly from
Connectivity Tests the web interface to ensure network traffic matches the policy rules as
from the Web Interface expected. In addition to validating policy, you can also test that firewalls can
reach network resources. With the ability to run test commands on the web
interface, you can avoid over-provisioning administrator roles with CLI access
while still giving administrators a way to determine firewalls are configured
correctly.

Rule Usage Filtering When auditing your rulebase, you can now filter and quickly identify
unused rules to manage policy rules. Removing unused rules improves your
security posture by reducing the proliferation of rules. For example, when
transitioning from port-based rules to App-ID based rules, this information
enables you to assess whether your App-ID based rules are matched instead
of your port-based rules so that you can remove the unused rules.

PAN-OS® RELEASE NOTES | PAN-OS 9.0 Release Information 15


© 2019 Palo Alto Networks, Inc.
New Management Description
Feature

Objects Capacity Improvements on the PA-5220 and the PA-3200 Series Firewalls: To help you scale your deployment and ease the migration to Palo Alto Networks firewalls, the PA-5220 and the PA-3200 Series firewalls have increased capacities for several objects, including increases in the number of address objects, address groups, service groups, service objects, zones, and policy rules.

API Key Lifetime: If you are using the firewall or Panorama APIs to enable programmatic access, you can now specify the API key lifetime to match the automation task duration and control the validity period for an authenticated and secure connection between the firewall/Panorama and the automation program or service. Because each API call requires the API key, using a key with a limited lifetime allows you to enforce key rotation at a regular cadence to safeguard your network and adhere to compliance standards. You can also expire all API keys simultaneously if you suspect accidental exposure or a leak.

PAN-OS REST API for a Simplified Automation/Integration Experience: In addition to the existing XML API, the firewalls and Panorama now support a REST API for simpler API integration. With the REST API, the firewall is represented as a set of resources with URIs on which you can perform operations, which lets you easily map firewall tasks to the API interface. For example, Security policy is represented as a REST resource with URI /restapi/9.0/Policies/SecurityRules and has a list of operations that includes list, create, edit, delete, move, and rename. The REST API provides the flexibility to use JSON and XML data formats in API requests and responses, and supports versioning for backward compatibility with future PAN-OS releases. The initial release of this API allows you to manage the configuration of policies and objects on the firewall and Panorama and provides reference documentation that is built in to the product.

Universally Unique Identifiers for Policy Rules: To simplify auditing, searching, reporting, and tracking of configuration changes to rules, universally unique identifiers (UUIDs) are created for all policy rulebases that you create on the firewall or push from Panorama. If you rename or delete the rule, the UUID ensures that the rule's history of changes is maintained. The UUID can pinpoint the rule across multiple rulebases containing thousands of rules that may have similar or identical names, and simplifies automation and integration of rules into third-party systems (such as ticketing or orchestration) that do not support names.

Temporary Master Key Expiration Extension: You can now extend the lifetime of the master key directly from the firewall or from Panorama until your next available maintenance window. If the master key is due to expire before your planned maintenance window, the key extension allows the firewall to remain operational and continue securing your network.

Real-Time Enforcement and Expanded Capacities for Dynamic Address Groups: To enforce security policy for entities such as IoT devices, virtual workloads, and containers that have bursts of traffic or short lifecycles, the firewalls can now update the list of registered IP addresses within a dynamic address group in real time. This enhancement enables the firewall to register IP addresses that match the tags you have defined in dynamic address groups and instantly apply policy as soon as the endpoint is online, and then unregister the IP addresses automatically based on a time limit that you configure. To make it easier for you to monitor and troubleshoot these registered IP addresses, Panorama and the firewall now include a new IP-Tag log. Lastly, to handle a larger volume of entities, select firewall models now have up to five times more capacity for registered IP addresses.

Networking Features
New Networking Feature Description

Security Group Tag (SGT) EtherType Support: If you're using Security Group Tags (SGTs) in a Cisco TrustSec network, inline firewalls in Layer 2 or Virtual Wire mode can now inspect and enforce the tagged traffic. Layer 3 firewalls in a Cisco TrustSec network can also inspect and enforce SGT traffic when deployed between two SGT Exchange Protocol (SXP) peers.
Processing of SGT traffic works by default and without any configuration changes. Because the firewall does not use SGTs as match criteria for security policy enforcement, you should continue to define SGT-based policy in the same way you do today.

FQDN Refresh Enhancement: With cloud applications requiring frequent FQDN refresh rates to ensure nonstop service, the FQDN refresh feature now supports refreshing cached entries based on the DNS TTL value. You can set a minimum FQDN refresh time to limit how frequently the firewall refreshes the FQDN cache entries (to avoid refreshing too often), and state how long the firewall continues to use cached FQDN entries in the event of a network failure where the DNS server is unreachable.

GRE Tunneling Support: The firewall can now be a GRE tunnel endpoint, so you can send traffic through a GRE tunnel to a point-to-point tunneling peer, and the firewall will inspect and enforce policies as it does for non-tunneled traffic. Cloud services and partner networks often use GRE tunnels for point-to-point connectivity to customer networks. The firewall also supports GRE over IPSec to interoperate with other vendors' implementations in deployments that encrypt GRE within IPSec.

Wildcard Address Support in Security Policy Rules: When you define private IPv4 addresses for internal devices, you may use an IP addressing pattern that assigns special meaning to certain bits in the IP address; for example, the first three bits in the third octet of an IP address signify the device type. This structure helps you easily identify device type, location, and so on, based on the device's IP address. You may also want to use the same address structure in Security policy rules on the firewall for easier deployment. You can now build Security policy rules based on sources and destinations that use a wildcard address and use only specific bits in an IP address as a match. Thus, you won't have to manage an unnecessarily large number of address objects to cover all the matching IP addresses, or use less restrictive Security policy rules than you need due to IP address capacity constraints. For example, a rule using a single wildcard address can allow all cash registers in the northeastern region of the U.S. to access a specific application. This makes your security deployment easier in an environment that uses a discontiguous addressing scheme.
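The following Python is an added example and not part of the release notes; it assumes the wildcard is written as address/wildcard-mask, where a 0 mask bit means the address bit must match and a 1 mask bit means "don't care". Using the device-type scenario above (fixed first octet, device type in the top three bits of the third octet, constructed sample addresses), it tests whether an address matches and expands the wildcard into the CIDR address objects that the single wildcard replaces.

```python
import ipaddress
from itertools import product
from typing import List, Tuple


def parse_wildcard(spec: str) -> Tuple[int, int]:
    """Split 'address/wildcard-mask' into two 32-bit integers."""
    addr, mask = spec.split("/")
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(mask))


def wildcard_match(spec: str, ip: str) -> bool:
    """True when every 'must match' bit (mask bit 0) of ip equals the spec bit.

    Assumed convention: 0 in the wildcard mask = must match, 1 = don't care.
    """
    addr, mask = parse_wildcard(spec)
    must = ~mask & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) ^ addr) & must == 0


def wildcard_to_cidrs(spec: str) -> List[ipaddress.IPv4Network]:
    """Expand a wildcard into the CIDR blocks that cover exactly the same hosts.

    Every don't-care bit that sits above the lowest must-match bit cannot be
    expressed by one prefix, so each combination of those bits becomes its own
    CIDR block; this is the number of address objects the wildcard replaces.
    """
    addr, mask = parse_wildcard(spec)
    must = ~mask & 0xFFFFFFFF
    if must == 0:
        return [ipaddress.IPv4Network("0.0.0.0/0")]
    lowest_must = (must & -must).bit_length() - 1      # bit index (from LSB)
    prefix_len = 32 - lowest_must
    wild_bits = [b for b in range(lowest_must + 1, 32) if (mask >> b) & 1]
    base = addr & must                                 # must bits fixed, rest 0
    nets = []
    for combo in product((0, 1), repeat=len(wild_bits)):
        net = base
        for bit, value in zip(wild_bits, combo):
            net |= value << bit
        nets.append(ipaddress.IPv4Network((net, prefix_len)))
    return sorted(nets)


# Constructed sample matching the scenario in the text: first octet fixed at 10,
# device type 0b101 (160 decimal) in the top three bits of the third octet,
# second and fourth octets don't care.
CASH_REGISTER_WILDCARD = "10.0.160.0/0.255.31.255"

if __name__ == "__main__":
    for ip in ("10.57.170.9", "10.57.140.9", "11.57.170.9"):
        print(ip, "matches" if wildcard_match(CASH_REGISTER_WILDCARD, ip) else "no match")
    cidrs = wildcard_to_cidrs(CASH_REGISTER_WILDCARD)
    print(f"one wildcard object replaces {len(cidrs)} CIDR objects, e.g. {cidrs[0]}")
```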

Hostname Option Support for DHCP Clients: When your firewall interface is a DHCP client (a DHCP server assigns a dynamic IPv4 address to the interface), you can now assign a hostname to the interface and send the hostname (Option 12) to the DHCP server. The DHCP server can register the hostname with the DNS server, which can automatically manage hostname-to-dynamic-IP-address resolution.

FQDN Support for Static Route Next Hop, PBF Next Hop, and BGP Peer: You can now use an FQDN or FQDN address object as a static route next hop, a PBF next hop, and a BGP peer address. Use of FQDNs reduces configuration and management overhead. Also, to simplify provisioning, you can use an FQDN (instead of statically assigning IP addresses to these functions) whose resolution can change from location to location. You can map the FQDN to the IP address based on the location and deployment requirements. For example, if you are a service provider, you can provide FQDNs for accessing the services and resolve these to the IP address of the closest server for the client (based on the client's geo-location), so that the same FQDN can be used globally for the service connection.

Dynamic DNS Support for Firewall Interfaces: When you have services hosted behind the firewall or you need to provide remote access to the firewall, you can now automatically register IPv4 and IPv6 address changes with a Dynamic DNS (DDNS) provider whenever the IP address on the firewall interface changes (for example, if the interface is a DHCP client). The firewall registers the change with the DDNS service, which automatically updates the DNS record (IP address-to-hostname mappings). DDNS support helps avoid using external mechanisms to keep the DNS records up to date. The firewall currently supports five DDNS providers: DuckDNS, DynDNS, FreeDNS Afraid.org, FreeDNS Afraid.org Dynamic API, and No-IP.

HA1 SSH Key Refresh: When you need to change your SSH key pairs to secure HA1 communications, you can now refresh the keys without needing to restart the firewalls.

Advanced Session Distribution Algorithms for Destination NAT: In destination NAT, translation to a pool of IP addresses or an FQDN that resolves to multiple IP addresses can be distributed among the addresses based on one of four additional session distribution methods (or the existing round-robin method). The additional distribution methods are source IP hash, IP modulo, IP hash, and least sessions. You can use the distribution method that best suits your destination NAT use case.


VXLAN Tunnel Content Inspection: If you use VXLAN as a transport overlay, you can use Tunnel Content Inspection policy to natively scan traffic within the VXLAN tunnel. For example, if you use VXLAN as a transport overlay to connect your geographically dispersed data centers, you can scan and control the individual flows within the tunnel. With support for the VXLAN protocol in Tunnel Content Inspection policy, you have visibility into VXLAN traffic and can enforce Security policy rules on this traffic without terminating the tunnel or implementing network changes.

LACP and LLDP Pre-Negotiation on an HA Passive Firewall: An HA passive firewall can negotiate LACP and LLDP before it becomes active. This pre-negotiation reduces failover times by eliminating the delays incurred by LACP or LLDP negotiations. This functionality, previously supported on several firewall models, now extends to PA-220, PA-220R, PA-820, PA-850, PA-3200 Series, and PA-5280 firewalls.

DNS Rewrite for Destination NAT: (Requires Applications and Threats content update 8147 or a later version) Beginning with PAN-OS 9.0.2 and later 9.0 releases, you can configure a destination NAT policy rule for a static translation of an IPv4 address to also translate the IPv4 address in a DNS response that matches the rule. This DNS rewrite (translation) prevents the DNS server on one side of the firewall from providing an internal IP address to its client on the external side of the firewall, or vice versa. Thus, the IPv4 address in the DNS response undergoes NAT and the firewall forwards the appropriate IPv4 address to the client to reach the destination service.

User-ID Features
New User-ID Feature Description

WinRM Support for Server Monitoring: To create User-ID mappings, the PAN-OS integrated User-ID agent can now connect to Microsoft Active Directory and Exchange servers using the lightweight Windows Remote Management (WinRM) protocol. The WinRM protocol greatly improves the speed and efficiency of collecting User-ID mappings.

Shared User-ID Mappings Across Virtual Systems: To easily enforce user-based policy in a multi-vsys environment, you can assign a virtual system as the User-ID hub to share mappings with other virtual systems. This reduces configuration complexity and maximizes the number of mappings available to each virtual system.

User-ID Support for Large Numbers of Terminal Servers: To consistently enforce user-based security policy in environments with a large number of terminal servers, you can now monitor an increased number of terminal servers per firewall. This reduces the complexity of network design and firewall configuration, resulting in centralized visibility and policy enforcement for all terminal server users.

WildFire Features
New WildFire Feature Description

WildFire Forwarding Support for Script Files: You can now configure the Palo Alto Networks firewall to automatically forward scripts (JScript, VBScript, and PowerShell Script) for WildFire analysis.

WildFire Appliance Monitoring Enhancements: The WildFire appliance now features new CLI commands and logs additional system events so that you can better monitor and manage your appliance performance and resources, and it provides additional assistance when troubleshooting various issues.

Increased WildFire File Forwarding Capacity: The quantity and maximum size of files that a firewall can forward to WildFire is increased to provide greater visibility and detection of uncommonly large malicious samples.

WildFire Appliance Archive Support: The WildFire appliance can now analyze and classify RAR and 7-Zip archives, which an adversary can use to covertly deliver malicious payloads to users. When the WildFire appliance determines that the file contents of an archive are malicious, it generates a signature for the entire archive. The appliance then provides the signature to all connected firewalls to prevent future attacks.

New Hardware Introduced with PAN-OS 9.0

New Hardware Description

PA-7000 100G Network Processing Card (NPC): The new 100G NPC provides more session capacity than previous NPCs and improved performance. This new NPC provides the following main features:
• App-ID throughput (AppMix) of 72Gbps
• Threat throughput (AppMix) of 35Gbps
• Session capacity up to 32 million
• Four QSFP+/QSFP28 (40Gbps/100Gbps) ports
• Eight SFP/SFP+ (1Gbps/10Gbps) ports
• A new service LED that allows a remote administrator to illuminate the SVC LED on a specific front-slot card so an on-site technician can locate the card.

PA-7000 Switch Management Cards (SMC-B): The new second-generation SMCs (PA-7050-SMC-B and PA-7080-SMC-B) provide the following main features:
• Higher performance
• Redundant solid-state drives (SSDs) for PAN-OS and management log storage
• MGT-A, MGT-B, HA1-A, and HA1-B support 1G SFP or 10G SFP+ transceivers
• Micro USB management port


PA-7000 Log Forwarding Card (LFC): The new Log Forwarding Card (LFC) implements the high-speed log forwarding feature introduced in PAN-OS 8.0. The LFC includes the following main features:
• High-speed log forwarding of all dataplane logs to an external log collector (for example, Panorama or syslog servers)
• Supports up to 350,000 logs per second to Panorama
• QSFP/QSFP+ ports (port 1 at 10Gbps and port 9 at 40Gbps)

PA-7050 FANTRAY-L/R-A: The new second-generation fan trays for the PA-7050 provide more cooling capacity than the first-generation fan trays and are required when you install the second-generation hardware in a PA-7050 firewall.

PA-7080 EMI Filter: This new EMI filter for existing PA-7080 firewalls reduces electromagnetic interference and is required when you install the second-generation hardware in a PA-7080 firewall. New chassis have this filter pre-installed.

Changes to Default Behavior
The following table details the changes in default behavior upon upgrade to PAN-OS 9.0. You may also
want to review the CLI Changes in PAN-OS 9.0 and the Upgrade/Downgrade Considerations before
upgrading to this release.

Feature Change

API Key Lifetime: When you generate a new API key, the key metadata includes a timestamp of the creation date, which makes the key larger than keys generated with PAN-OS versions earlier than 9.0.

Default Administrator Password Requirements: Starting with PAN-OS 9.0.4, you must change the default administrator password (admin/admin) on the first admin account login on a device. The new password must be a minimum of eight characters and include at least one lowercase and one uppercase character, as well as one number or special character. On a new installation, password complexity is enabled with a minimum password length of eight characters. This change does not affect other administrative users on upgrades.

HTTP/2 Inspection: The firewall now processes and inspects HTTP/2 traffic by default.
If you want to disable HTTP/2 inspection, you can specify that the firewall remove any value contained in the Application-Layer Protocol Negotiation (ALPN) TLS extension: select Objects > Decryption > Decryption Profile > SSL Decryption > SSL Forward Proxy and then select Strip ALPN. ALPN is used to secure HTTP/2 connections; when there is no value specified for this TLS extension, the firewall either downgrades HTTP/2 traffic to HTTP/1.1 or classifies it as unknown TCP traffic.

Strict Default Ports for Decrypted Applications, Including Web-Browsing: Application default (which enables you to allow applications only on their most commonly used ports) now enforces standard port usage for certain applications that use a different default port when encrypted: web-browsing, SMTP, FTP, LDAP, IMAP, and POP3.
This means that, if you're decrypting SSL traffic, a security policy that allows web-browsing on the application-default ports now strictly enforces web-browsing on port 80 and SSL-tunneled web-browsing on port 443.
To enhance security, if you currently have a security policy rule configured to allow web-browsing on service-HTTP and service-HTTPS, you might consider updating the rule to instead allow web-browsing on the application-default ports.

Network Processing Card Session Capacity Change (PA-7000-20G-NPC and PA-7000-20GQ-NPC): The session capacity for these two 20Gbps Network Processing Cards changed from 4 million sessions per NPC to 3.2 million sessions per NPC on firewalls running a PAN-OS 9.0 or later release.

Refresh of Default Trusted CAs: The certificate authorities (CAs) that the firewall trusts by default are updated; new trusted root CAs are added and expired CAs are removed. To view and manage the list of CAs that the firewall trusts by default, select Device > Certificate Management > Certificates > Default Trusted Certificate Authorities.

VM-50 and VM-50 Lite Firewalls: The minimum memory requirement has changed from 4GB to 4.5GB for the VM-50 Lite and from 4.5GB to 5.5GB for the VM-50 in PAN-OS 9.0. You cannot upgrade the VM-50 Lite without allocating additional memory. If you upgrade the VM-50 with less than 5.5GB of memory, it defaults to the system capacities (number of sessions, rules, security zones, address objects, and so on) associated with the VM-50 Lite. See Upgrade/Downgrade Considerations for more information.

VM-Series Plugin: Beginning with PAN-OS 9.0, the built-in VM-Series plugin manages interactions between the VM-Series firewalls and the supported public and private cloud platforms. Also, the bootstrap package now has an optional /plugins folder for upgrading a plugin. To configure plugin integrations, select Device > VM-Series. In Panorama 9.0 the VM-Series plugin is available in Panorama > Plugins but must be manually installed.

VXLAN Tunnel Content Inspection: In PAN-OS 8.1 and earlier releases, the firewall used the UDP Session key to create UDP sessions for all tunnel content inspection protocols. It is a six-tuple key (zone, source IP, destination IP, protocol, source port, and destination port), and it remains in use.
PAN-OS 9.0 introduces the VNI Session key specifically for VXLAN tunnel content inspection. The VNI Session key is a five-tuple key incorporating the zone, source IP, destination IP, protocol, and the VXLAN Network Identifier (VNI).
By default, VXLAN tunnels now automatically use the VNI Session key to create a VNI Session, which is visible in logs.
If you prefer to use the UDP Session key for VXLAN (as you did in previous releases), you can define a custom application for VXLAN and use an application override policy to invoke your custom application.
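As an added example that is not part of the release notes, the following Python builds both session keys from constructed VXLAN packets (the zone name, outer header values, VNIs and inner frames are all constructed sample data) and shows why the two keys group tunnel traffic differently: VXLAN encapsulators derive the outer UDP source port from a hash of the inner frame (RFC 7348), so the six-tuple key splits one tunnel into several sessions while the VNI key yields one session per VNI.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, Tuple

VXLAN_UDP_PORT = 4789       # IANA-assigned VXLAN destination port (RFC 7348)
IPPROTO_UDP = 17
VXLAN_FLAG_I = 0x08         # "I" flag: the VNI field is valid


@dataclass(frozen=True)
class OuterHeaders:
    """Outer IP/UDP fields of one encapsulated packet (constructed sample data)."""
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: int
    dst_port: int


def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags, 3 reserved bytes, 24-bit VNI, 1 reserved byte."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def parse_vxlan_vni(udp_payload: bytes) -> int:
    """Extract the VNI, rejecting payloads that are not valid VXLAN headers."""
    if len(udp_payload) < 8:
        raise ValueError("VXLAN header truncated")
    flags, vni_field = struct.unpack("!B3xI", udp_payload[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI field is not valid")
    return vni_field >> 8


def is_valid_vxlan(udp_payload: bytes) -> bool:
    """Convenience wrapper: True when parse_vxlan_vni() accepts the payload."""
    try:
        parse_vxlan_vni(udp_payload)
        return True
    except ValueError:
        return False


def udp_session_key(zone: str, outer: OuterHeaders) -> Tuple:
    """Six-tuple key used for all tunnel content inspection in PAN-OS 8.1 and earlier."""
    return (zone, outer.src_ip, outer.dst_ip, outer.protocol,
            outer.src_port, outer.dst_port)


def vni_session_key(zone: str, outer: OuterHeaders, udp_payload: bytes) -> Tuple:
    """Five-tuple key introduced in PAN-OS 9.0 for VXLAN: the ports are replaced by the VNI."""
    if outer.protocol != IPPROTO_UDP or outer.dst_port != VXLAN_UDP_PORT:
        raise ValueError("not a VXLAN packet")
    return (zone, outer.src_ip, outer.dst_ip, outer.protocol, parse_vxlan_vni(udp_payload))


def count_tunnel_sessions(zone: str, packets: Iterable[Tuple[OuterHeaders, bytes]],
                          use_vni_key: bool) -> int:
    """Number of distinct tunnel sessions the chosen key would create for these packets."""
    keys = set()
    for outer, payload in packets:
        keys.add(vni_session_key(zone, outer, payload) if use_vni_key
                 else udp_session_key(zone, outer))
    return len(keys)


# Constructed sample: one VTEP pair carrying two VNIs. The encapsulator varies the
# outer UDP source port per inner flow, so the same tunnel appears with three ports.
VTEP_A, VTEP_B = "10.1.1.1", "10.2.2.2"
SAMPLE_PACKETS = [
    (OuterHeaders(VTEP_A, VTEP_B, IPPROTO_UDP, 49152, VXLAN_UDP_PORT), build_vxlan_header(5001) + b"inner frame 1"),
    (OuterHeaders(VTEP_A, VTEP_B, IPPROTO_UDP, 51234, VXLAN_UDP_PORT), build_vxlan_header(5001) + b"inner frame 2"),
    (OuterHeaders(VTEP_A, VTEP_B, IPPROTO_UDP, 49152, VXLAN_UDP_PORT), build_vxlan_header(5002) + b"inner frame 3"),
    (OuterHeaders(VTEP_A, VTEP_B, IPPROTO_UDP, 60000, VXLAN_UDP_PORT), build_vxlan_header(5002) + b"inner frame 4"),
]

if __name__ == "__main__":
    print("UDP Session key (6-tuple):", count_tunnel_sessions("dmz", SAMPLE_PACKETS, False), "sessions")
    print("VNI Session key (5-tuple):", count_tunnel_sessions("dmz", SAMPLE_PACKETS, True), "sessions")
```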

Panorama Commit and push operations:
• Commit is unavailable (grayed out) when you have no pending changes on Panorama and all managed firewalls and Log Collectors are in sync with Panorama (which means that you have successfully pushed all changes you made on Panorama to all managed firewalls and appliances).
• Commit displays as a green downward arrow when you have pending changes on Panorama that must be committed and pushed to managed devices.
• Commit displays as a yellow sideways arrow when managed firewalls and Log Collectors are out of sync and you must push the committed Panorama configuration.
• When you Commit and Push your configuration changes on Panorama, you must Edit Selections to specify the Push Scope to managed devices.

Security Group Tag (SGT) Ethertype Support: If you're using Security Group Tags (SGTs) to control user and device access in a Cisco TrustSec network, inline firewalls in Layer 2 or Virtual Wire mode now inspect and provide threat prevention for the tagged traffic by default. Before PAN-OS 9.0, a firewall in Layer 2 or virtual wire mode could allow SGT traffic but did not process and inspect it.
The firewall does not enforce security policy based on SGTs.

Authentication Policy: In PAN-OS 8.1 and earlier, administrators needed to add a rule to decrypt TLS sessions to apply authentication policy. In PAN-OS 9.0, the firewall applies the authentication policy without needing to decrypt the session.

IP Address Registration and Dynamic Address Groups: In PAN-OS 8.1 and earlier, it could take up to 60 seconds to register an IP address and its associated tags and update the membership information for a dynamic address group (DAG). In PAN-OS 9.0, IP address registration occurs in real time. Any policy matches for updates on a registered IP address (IP-tag mapping) are reflected only in new sessions. Existing sessions are reevaluated for a policy match when you perform a commit or the App-ID on the session changes.

URL Filtering Overrides: In earlier release versions, URL Filtering overrides had priority enforcement ahead of custom URL categories. As part of the upgrade to PAN-OS 9.0, URL category overrides are converted to custom URL categories and no longer receive priority enforcement over other custom URL categories. Instead of the action you defined for the category override in previous release versions, the new custom URL category is enforced by the security policy rule with the strictest URL Filtering profile action. From most strict to least strict, the possible URL Filtering profile actions are: block, override, continue, alert, and allow. This means that, if you had URL category overrides with the action allow, the overrides might be blocked after they are converted to custom URL categories in PAN-OS 9.0.
Workaround:
1. Create a URL Filtering profile that defines site access for a custom URL category. Select Objects > Security Profiles > URL Filtering > Categories, and set the Site Access (such as allow or block) for the Custom URL Categories that you want to exclude from a URL category.
2. Create a new security policy rule to prioritize enforcement for URL category exceptions. Attach the URL Filtering profile you just created to that rule (Policies > Security > Actions > Profile Setting > Profiles). Because the firewall evaluates rules from top to bottom, make sure that this rule appears at the top of your security policy (Policies > Security).
The Overrides tab objects are removed and Custom URL Category objects are created for firewalls running PAN-OS 8.1 or earlier releases when they are managed by a Panorama management server that is upgraded to PAN-OS 9.0.
For more details, review PAN-OS 9.0 Upgrade and Downgrade Considerations.

CLI Commands for the Option to Hold Web Requests During URL Category Lookup (PAN-OS 9.0.4 or later): The CLI commands for this feature are now the following:
1. Enter configure to access Configuration Mode.
2. Enter set deviceconfig setting ctd hold-client-request yes to enable the feature.
3. Commit your changes.

Associated Software and Content Versions
The following minimum software and content release versions are compatible with PAN-OS 9.0. To see
a list of the next-generation firewall models that support PAN-OS 9.0, see the Palo Alto Networks®
Compatibility Matrix.

Palo Alto Networks Software or Content Release Version: Minimum Compatible Version with PAN-OS 9.0

Panorama: 9.0
User-ID Agent: 9.0
Terminal Services (TS) Agent: 9.0
GlobalProtect App: 4.1
Applications and Threats Content Release Version: 8103
Antivirus Content Release Version: 2874
VMware NSX Plugin Version: 2.0.3

Limitations
The following are limitations associated with PAN-OS 9.0 releases.

Issue ID Description

— Firewalls and appliances perform a software integrity check periodically when they are running and when they reboot. If you simultaneously boot up multiple instances of a VM-Series firewall on a host or you enable CPU oversubscription on a VM-Series firewall, the firewall boots into maintenance mode when a processing delay results in a response timeout during the integrity check. If your firewall goes into maintenance mode, check the errors and warnings in the fips.log file.
A reboot always occurs during an upgrade, so if you enabled CPU oversubscription on your VM-Series firewall, consider upgrading your firewall during a maintenance window.

PAN-107142: After adding a new virtual system from the CLI, you must log out and log back in to see the new virtual system within the CLI.

PAN-102264: On Panorama, the number of Apps Seen on a Security policy rule depends on whether you created the rule in the Shared context or in the context of a particular device group.
For rules created in the Shared context, Apps Seen displays the total number of unique applications seen on the rule across all of the device groups in the Shared context, so a Shared context that includes two device groups (DG1 and DG2) displays the combined number of unique applications seen on the rule in both groups. For example, if DG1 saw two unique applications on the rule and DG2 saw eight unique applications on the rule, Apps Seen shows ten applications seen on the rule, which is the aggregate number of unique applications seen in both device groups; it does not show the number of unique applications in each individual group.
For rules created in a specific device group context, Apps Seen displays the total number of unique applications seen on the rule in that particular device group. For example, if DG2 saw eight unique applications on a rule, Apps Seen shows eight applications seen on the rule.
To get an accurate count of the Apps Seen on a rule for a device group, change the context to the device group in which you created the rule.

PAN-99845: After an HA firewall fails over to its HA peer, sessions established before the failover might not undergo the following actions reliably:
• SIP call modifications (for example, resuming a call that was on hold, transferring a call, and picking up a parked call).
• Call tear-down.

PAN-97821: The commit all job is executed from Panorama to the firewall only if the newly added firewall is running PAN-OS 8.1 or a later release with Auto Push on 1st Connect enabled.


PAN-92719: When performing destination NAT to a translated address that is Dynamic IP (with session distribution), the firewall does not remove duplicate IP addresses from the list of destination IP addresses before it distributes sessions. The firewall distributes sessions to the duplicate addresses in the same way it distributes sessions to non-duplicate addresses.

PAN-85036: If you use the Panorama management server to manage the configuration of firewalls in an HA active/active configuration, you must set the Device ID for each firewall in the HA pair before you upgrade Panorama. If you upgrade without setting the Device IDs (which determine which peer is the active-primary peer), you cannot commit configuration changes to Panorama.

PAN-81719: You cannot form an HA pair of Panorama management servers on AWS instances when the management interface on one HA peer is assigned an Elastic Public IP address or when the HA peers are in different Virtual Private Clouds (VPCs).

PAN-79669: The firewall blocks an HTTPS session when the hardware security module (HSM) is down and a Decryption policy for inbound inspection uses the default decryption profile for an ECDSA certificate.

Known Issues
The following topics describe known issues in PAN-OS® 9.0 releases.

For recent updates to known issues for a given PAN-OS release, refer to https://live.paloaltonetworks.com/t5/Articles/Critical-Issues-Addressed-in-PAN-OS-Releases/ta-p/52882.

• Known Issues Related to PAN-OS 9.0 Releases
• Known Issues Related to Cortex Data Lake

Known Issues Related to PAN-OS 9.0

The Consolidated List of PAN-OS 9.0 Known Issues includes all known issues that impact a PAN-OS®
9.0 release. This list includes both outstanding issues and issues that are addressed in Panorama™,
GlobalProtect™, VM-Series plugins, and WildFire®, as well as known issues that apply more generally or
that are not identified by a specific issue ID.
To review the subset of outstanding known issues for a specific PAN-OS 9.0 maintenance release, see the
following lists:
• PAN-OS 9.0.5 Known Issues
• PAN-OS 9.0.4 Known Issues
• PAN-OS 9.0.3 (and 9.0.3-h2 and 9.0.3-h3) Known Issues
• PAN-OS 9.0.2 (and 9.0.2-h4) Known Issues
• PAN-OS 9.0.1 Known Issues

Consolidated List of PAN-OS 9.0 Known Issues

Issue ID PAN-OS 9.0 Known Issue Description

— Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.

— A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
• When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
• If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it defaults to the capacity associated with the VM-50.
The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.

WF500-4200: The Create Date shown when using the show wildfire global sample-status sha256 equal <hash> or show wildfire global sample-analysis CLI command is two hours behind the actual time for WF-500 appliance samples.

PLUG-1854 (PAN-OS 9.0.2 and later releases on AWS and GCP only) You
cannot swap the management interface.
This issue is resolved after you
upgrade to VM-Series plugin 1.0.3 and
reboot the firewall.

PLUG-1827 (Microsoft Azure only) The firewall drops packets due to larger
than expected packet sizes when Accelerated networking is
This issue is resolved after you
enabled on the firewall (Settings > Networking).
upgrade to VM-Series plugin 1.0.3 and
reboot the firewall.

PLUG-1709 (Microsoft Azure only) There is an intermittent issue where


the secondary IP address becomes associated with the passive
This issue is resolved with VM-Series
firewall after multiple failovers.
plugin 1.0.3.
Workaround: Reassign IP addresses to the active and passive
firewalls in Azure as needed.

PLUG-1694 (PAYG licenses only) Your pay-as-you-go (PAYG) license is not


retained when you upgrade from a PAN-OS 8.1 release to a
PAN-OS 9.0 release.
Workaround: Upgrade to VM-Series plugin 1.0.2 (or later)
after you upgrade to a PAN-OS 9.0 release and then reboot
the firewall to recover your PAYG license.

PLUG-1681 If you bootstrap a PAN-OS 9.0.1 image while using VM-Series


plugin 1.0.0, the firewall will not apply the capacity license. To
downgrade the VM-Series plugin from version 1.0.2 to 1.0.0,
first bootstrap the PAN-OS 9.0.1 image and then downgrade
the plugin.

PLUG-1642 After a high availability (HA) failover, the dataplane interface


on a VM-Series firewall on Azure with Accelerated Networking
This issue is resolved with VM-Series
(SR-IOV) becomes disabled when, as a result of the failover,
plugin 1.0.2.
the secondary IP address is detached from or attached to the
firewall and moved to its HA peer.

PLUG-1503 When a VM-Series firewall on AWS running on a C5 or M5


instance experiences a high availability (HA) failover, the

30 PAN-OS® RELEASE NOTES | PAN-OS 9.0 Release Information


© 2019 Palo Alto Networks, Inc.
Issue ID PAN-OS 9.0 Known Issue Description
This issue is resolved with VM-Series dataplane interfaces from the previously active firewall are not
plugin 1.0.3. moved to the newly active (previously passive) peer.
Workaround: Check for the latest VM-Series plugin version
and install the VM-Series plugin 9.0.0 version; the built-in
version is 9.0.0-c29.

PLUG-1074 On the VM-Series firewall on AWS, when you change the


instance type, the firewall no longer has a serial number
or a license. Additionally, if you manage this firewall using
Panorama, it is no longer connected to Panorama.

PLUG-380 When you rename a device group, template, or template stack


in Panorama that is part of a VMware NSX service definition,
the new name is not reflected in NSX Manager. Therefore, any
ESXi hosts that you add to a vSphere cluster are not added to
the correct device group, template, or template stack and your
Security policy is not pushed to VM-Series firewalls that you
deploy after you rename those objects. There is no impact to
existing VM-Series firewalls.

PAN-128269 (PA-5250, PA-5260, and PA-5280 firewalls with 100GB


AOC cables only) When you upgrade the first peer in a high
availability (HA) configuration to PAN-OS 9.0.3 or a later PAN-
OS 9.0 release, the High Speed Chassis Interconnect (HSCI)
port does not come up due to an FEC mismatch until after you
finish upgrading the second peer.

PAN-125775 There is an issue where Panorama management servers


deployed using the C5 or M5 instance types on Amazon
This issue is now resolved. See PAN-
Web Services (AWS) cause the Panorama instance to stop
OS 9.0.5 Addressed Issues.
responding in regions that support these instance types.

PAN-125121 (VM-Series firewalls on AWS only) There is an issue where


custom images do not function as expected for PAN-OS 9.0.
This issue is now resolved. See PAN-
OS 9.0.5 Addressed Issues. Workaround: Use PAN-OS 8.1 for creating custom images.

PAN-124956 There is an issue where VM-Series firewalls do not support


packet buffer protection.

PAN-121449 (PAN-OS 9.0.3 and later releases only) The Remove Config
button on Panorama > Plugins does not remove the
This issue is now resolved. See PAN-
configuration for any plugins you have set up on Panorama.
OS 9.0.4 Addressed Issues.
Workaround: Manually remove the plugin configuration.
Manually delete the plugin configuration. Select your plugin
on Panorama, clear the values from all fields and Commit your
changes.

PAN-120662 (PA-7000 series firewalls using PA-7000-20G-NPC cards only)


There is an intermittent issue where an out-of-memory (OOM)
This issue is now resolved. See PAN-
OS 9.0.4 Addressed Issues.

PAN-OS® RELEASE NOTES | PAN-OS 9.0 Release Information 31


© 2019 Palo Alto Networks, Inc.
Issue ID PAN-OS 9.0 Known Issue Description
condition causes dataplane or internal path monitoring to stop
responding.

PAN-120440 There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2.

PAN-120303 There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
• Modify the PAN-DB Server IP address on the managed firewall.
1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
2. Commit your changes.
3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
4. Commit your changes.
• Restart the firewall (devsrvr) process.
1. Log in to the firewall CLI.
2. Restart the devsrvr process: debug software restart process device-server

PAN-118628 There is an issue where after you deploy Panorama in Azure, you cannot log in to Panorama with the username and password that was provided during the deployment process.
This issue is now resolved. See PAN-OS 9.0.5 Addressed Issues.

PAN-118525 (PA-5250, PA-5260, PA-5280, and PA-7000 Series firewalls only) There is an issue where the QSFP28 port does not come up with the TR-FC13L-N00 version of the PAN-QSFP28-100GBASE-LR4 optical transceiver on firewalls running a PAN-OS 9.0 release. For assistance, please contact Support.

PAN-118414 (PAN-OS 9.0.2 and later releases only) There is an intermittent issue where a Panorama management server managing Prisma Access or Cortex Data Lake fails to authorize one-time-password (OTP) submissions during the onboarding process.
Workaround: Downgrade to PAN-OS 9.0.1.

PAN-118108 There is an issue where an API call against a Panorama management server that triggers the request analyze-shared-policy command causes Panorama to reboot after you execute the command.

PAN-118065 (M-Series Panorama management servers in Management Only mode) When you delete the local Log Collector (Panorama > Managed Collectors), it disables the 1/1 ethernet interface in the Panorama configuration as expected, but the interface still displays as Up when you execute the show interface all command in the CLI after you commit.
Workaround: Disable the 1/1 ethernet interface before you delete the local log collector and then commit the configuration change.

PAN-117918 The logs are not visible after you upgrade a Panorama management server in an HA configuration from PAN-OS 8.1 to PAN-OS 9.0.
Workaround: After you complete the upgrade, log in to the web interface of the primary Panorama HA peer and perform a Collector Group push (Commit > Push to Devices > Edit Selections) or log in to the CLI of the primary Panorama HA peer and commit force the local configuration.

PAN-117424 Cortex Data Lake without Panorama—where we removed Panorama as a requirement to send logs to Cortex Data Lake—was introduced in PAN-OS 9.0.2, and was not initially supported for PA-220 and PA-800 Series firewalls. This issue details an update we made to support this feature across all firewall platforms. If you successfully onboarded the firewall to Cortex Data Lake before PAN-OS 9.0.3 released, this issue does not impact you. But following the release of PAN-OS 9.0.3, this feature is no longer supported in PAN-OS 9.0.2. If this is a feature you would like to implement, you’ll need to upgrade to PAN-OS 9.0.3. Here’s how you can get started with Cortex Data Lake now.
This issue is now resolved. See PAN-OS 9.0.3 Addressed Issues.

PAN-117043 There is an issue on the Panorama management server and all supported firewalls where special characters contained in the tag names of the Security policy rules return the following error message: group-tag is invalid when you commit or push a configuration.
Workaround: Modify the tags and group tags (Objects > Tags) to exclude special characters.

PAN-116436 (Panorama virtual appliances only) There is a disk space calculation error that eventually leads to an erroneous opt/panlogs/ partition full condition and causes a process (CDB) to stop responding.
This issue is now resolved. See PAN-OS 9.0.4 Addressed Issues.

PAN-116084 VM-Series firewalls on Microsoft Azure deployed using MMAP drop traffic when the firewall experiences heavy traffic.
This issue is now resolved. See PAN-OS 9.0.2 Addressed Issues.

PAN-116069 (PA-200 firewalls only) There is a rare out-of-memory (OOM) condition.
This issue is now resolved. See PAN-OS 9.0.3 Addressed Issues.

PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add the DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.

PAN-115816 (Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.

PAN-115733 (PAN-OS firewalls in an HA configuration only) There is a rare issue where data interfaces do not come up after you reboot the firewall when running a C5 or M5 instance type in AWS.
Workaround: Reboot the firewall.

PAN-114495 Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets. Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.

PAN-113614 There is an issue with a memory leak associated with commits on Panorama appliances that eventually causes an unexpected restart of the configuration (configd) process.
This issue is now resolved. See PAN-OS 9.0.3 Addressed Issues.

PAN-113501 The Panorama management server returns a Secure Copy (SCP) server connection error after you create an SCP Scheduled Config Export profile (Panorama > Scheduled Config Export) due to the SCP server password exceeding 15 characters in length.
This issue is now resolved. See PAN-OS 9.0.4 Addressed Issues.

PAN-113340 (PA-200 firewalls only) There is an issue where the management plane memory is lower than expected, which causes the management plane to restart.
This issue is now resolved. See PAN-OS 9.0.3 Addressed Issues.

PAN-113117 A newly launched firewall does not get its configuration from Panorama when it first connects if you installed the VM-Series plugin on Panorama. When a newly launched firewall that is bootstrapped connects to Panorama, a process restart occurs on Panorama. Upon restart, you are logged out of the user interface and you need to log in and push the device group and template configuration to the newly connected firewall.
This issue is now resolved. See PAN-OS 9.0.3 Addressed Issues.

PAN-113098 In the firewall web interface, you can temporarily submit change requests for the following URL categories: insufficient-content, high-risk, medium-risk, low-risk, and newly-registered-domains. However, Palo Alto Networks does not support or process change requests for these categories.

PAN-112983 (Firewalls with multiple virtual systems only; no impact to Panorama) If you select any Location other than Shared when you generate or import a new CA Certificate in a Certificate Profile (Device > Certificate Management > Certificate Profile), the firewall adds the newly generated or imported certificate to vsys1. For example, if you specify vsys3 as the Location, Add a CA Certificate, and then Generate a new certificate, the firewall adds the certificate to vsys1 instead of vsys3. When you click OK to configure the Certificate Profile, the firewall returns an Operation Failed error message because it sees a certificate for vsys1 added to vsys3.
Workaround 1:
1. Generate or import the new certificate in a Certificate Profile (Device > Certificate Management > Certificates > Device Certificates) and select the appropriate vsys Location when you generate or import the certificate.
2. When you create or edit the Certificate Profile, specify the vsys Location and Add the certificate that you generated (or imported) from the list of existing certificates.
Workaround 2: When you generate or import a new certificate while you configure a Certificate Profile for a vsys other than vsys1, specify the Location as Shared.

PAN-112814 H.323-based calls lose audio when the predicted H.245 session cannot convert to Active status, which causes the firewall to incorrectly drop H.245 traffic.
This issue is now resolved. See PAN-OS 9.0.2 Addressed Issues.

PAN-112700 (PA-7000 Series firewalls in an HA configuration only) After you upgrade to PAN-OS 9.0, some logs may display a different rule name than the rule name associated with the universally unique identifier (UUID).
This issue is now resolved. See PAN-OS 9.0.1 Addressed Issues.
Workaround: If you are using Panorama, make a policy change (such as cloning a rule) in the corresponding device group, commit the change, and push the updated policy to managed devices. If you are not using Panorama to manage your firewalls, make a policy change (such as cloning a rule) on the firewall and commit the change.

PAN-112699 (VM-Series firewall on AWS running on a C5 or M5 instance only) You cannot use the mgmt-interface-swap command to swap the interfaces for deploying a VM-Series firewall behind a web load balancer (such as AWS ALB or Classic ELB).
This issue is now resolved. See PAN-OS 9.0.2 Addressed Issues.
Workaround: Check for the latest VM-Series plugin version and install the VM-Series plugin 9.0.0 version; the built-in version is 9.0.0-c29.

PAN-112694 (Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.

PAN-112626 When you upgrade to PAN-OS 9.0 with a PAYG Bundle 2 license, the new DNS Security subscription is not available on your VM-Series firewall. This subscription is included with the BYOL and VM-Series ELA when you upgrade.
This issue is now resolved. See PAN-OS 9.0.2 Addressed Issues.

PAN-112562 The Log Forwarding Card (LFC) subinterface incorrectly uses the interface IP address instead of the subinterface IP address for all services that forward logs (such as syslog, email, and SNMP) for selected virtual systems.

PAN-112456 You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories, so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.

PAN-112340 If you enable URL Filtering without enabling Threat Prevention and your environment processes a large number (thousands) of URL look-ups per second per dataplane, you are likely to experience performance issues, including high CPU usage.
This issue is now resolved. See PAN-OS 9.0.2 Addressed Issues.

PAN-111928 Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.

PAN-111866 The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
• Manually select the devices that belong to the modified device group and template configurations.

PAN-111729 If you disable DPDK mode and enable it again, you must immediately reboot the firewall.

PAN-111708 (PA-3200 Series firewalls only) There is a rare issue where a software issue causes the dataplane to restart unexpectedly.
This issue is now resolved. See PAN-OS 9.0.3 Addressed Issues.

PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV adapter.

PAN-111553 On the Panorama management server, the Include Device and Network Templates setting is disabled by default when you attempt to push changes to managed devices, which causes your push to fail.
This issue is now resolved. See PAN-OS 9.0.2 Addressed Issues.
Workaround: Before you commit and push the configuration changes from Panorama to your managed devices, edit the push scope (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections) to Include Device and Network Templates.

PAN-111251 Using the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule has no effect.
This issue is now resolved. See PAN-OS 9.0.2 Addressed Issues.

PAN-110794 DGA-based threats shown in the firewall threat log display the same name for all such instances.

PAN-110603 In some cases, when a port on a PA-7000 Series 100Gbps Network Processor Card (NPC) has an SFP+ transceiver inserted but no cable is connected, the system detects a signal and attempts to tune and link with that port. As a result, if the device at the other end of the connection is rebooted or has an HA failover event, the link is sometimes held down for an extended period of time while the interface attempts to tune itself.
Workaround: Connect a cable to the installed SFP+ transceiver to allow the system to tune and link. Then, when you disconnect the cable, the system will correctly detect that the link is down. Alternatively, remove the SFP+ transceiver from the port.

PAN-109759 The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
This issue is now resolved. See PAN-OS 9.0.4 Addressed Issues.

PAN-109526 The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.

PAN-108113 If you configure a firewall to use a static route whose next hop is an FQDN and you configure Bidirectional Forwarding Detection (BFD) for that static route, BFD is non-operational for that static route.
This issue is now resolved. See PAN-OS 9.0.1 Addressed Issues.

PAN-108111 If you configure a firewall with a BGP peer that is identified by an FQDN and you configure Bidirectional Forwarding Detection (BFD) for that BGP peer, then BFD is non-operational for that BGP peer.
This issue is now resolved. See PAN-OS 9.0.1 Addressed Issues.

PAN-106989 (PAN-OS 9.0.1 and later PAN-OS 9.0 releases) There is a display-only issue on Panorama that results in a commit failed status for Template Last Commit State (Panorama > Managed Devices > Summary).
Workaround: Push templates to managed devices.

PAN-106675 After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround: Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.

PAN-105210 (Panorama in FIPS mode only when managing non-FIPS firewalls) You cannot configure a GlobalProtect portal on Panorama in FIPS mode when managing a non-FIPS firewall. If you attempt to do so, you will receive the following error message: agent-user-override-key unexpected here Portal_fips.

PAN-104808 There is an issue where scheduled SaaS reports generate and email empty PDF reports.
This issue is now resolved. See PAN-OS 9.0.4 Addressed Issues.
Workaround: Manually generate the report from the Panorama web interface.

PAN-104780 If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints. Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.

PAN-103336 (HA configurations only) When you downgrade a VM-Series firewall on Azure from PAN-OS 9.0 to an earlier release, you do not receive warnings. Do not downgrade your firewall without saving and exporting your current configuration.
Workaround: Because HA is not supported in earlier versions of VM-Series firewalls on Azure, to prevent the loss of your configuration:
• Save and export the configuration before you downgrade.
• After you downgrade, load the saved configuration and commit your changes. The firewall will resume operation without the HA configuration.

PAN-103276 Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.

PAN-103018 (Panorama plugins) When you use the AND/OR boolean operators to define the match criteria for Dynamic Address Groups on Panorama, the boolean operators do not function properly. The member IP addresses are not included in the address group as expected.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all.

PAN-101537 After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal ‘vsys eq <vsys-name>’ <dst> | <src> in <object-name>

PAN-99084 (HA configurations running PAN-OS 8.0.9 or a later PAN-OS release) If you disable the high availability (HA) configuration sync option (enabled by default), User-ID data does not sync as expected between HA peers.
Workaround: Re-enable Config Sync (Device > High Availability > General > Setup settings).

PAN-98803 If you configure the Panorama plugin to monitor virtual machines or endpoints in your AWS, Azure, or Cisco ACI environment without installing the NSX plugin, the IP-address-to-tag mappings for Dynamic Address Groups are not displayed on Panorama.
Workaround: Install the NSX plugin (you do not need to use the NSX plugin for the installation to resolve this display issue).

PAN-98520 When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.

PAN-97757 GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.

PAN-97524 (Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.

PAN-96985 The request shutdown system command does not shut down the Panorama management server.

PAN-96960 You cannot restart or shut down a Panorama on KVM from the Virtual-manager console or the virsh CLI.

PAN-96446 A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.

PAN-95773 On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.

PAN-95717 After 30,000 or more end users log in to the GlobalProtect gateway within a two- to three-hour period, the firewall web interface responds slowly, commits take longer than expected or intermittently fail, and Tech Support File generation times out and fails.

PAN-95602 In a deployment where a Log Collector connects to Panorama management servers in a high availability (HA) configuration, after you switch the Log Collector appliance to Panorama mode, commit operations fail on the appliance.
Workaround: Remove the following node from the running-config.xml file on the Log Collector before switching it to Panorama mode: devices/entry[@name='localhost.localdomain']/deviceconfig/system/panorama-server-2
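The PAN-95602 workaround asks you to strip one node out of an exported running-config.xml before the mode switch. The script below, an added example that is not Palo Alto Networks code, does that removal with the path quoted in the note and checks that nothing else in the file was touched; the <config> root, the surrounding elements and the IP addresses in the sample document are constructed and only approximate the real file layout.

```python
"""Remove the panorama-server-2 node from a PAN-OS running-config.xml (PAN-95602).

Added example, not Palo Alto Networks code. The sample document below is
constructed: the <config> root element and its attributes are assumed, and only
the devices/entry[@name='localhost.localdomain']/deviceconfig/system path comes
from the release note.
"""
import xml.etree.ElementTree as ET
from typing import Tuple

# Constructed sample that mirrors the part of running-config.xml the note refers to.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<config version="9.0.0">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <hostname>log-collector-1</hostname>
          <panorama-server>192.0.2.10</panorama-server>
          <panorama-server-2>192.0.2.11</panorama-server-2>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""

# Parent path from the release note, relative to the document root, plus the node name.
SYSTEM_PATH = "devices/entry[@name='localhost.localdomain']/deviceconfig/system"
NODE_NAME = "panorama-server-2"


def has_secondary_panorama(xml_text: str) -> bool:
    """True if the secondary Panorama server node is still present."""
    root = ET.fromstring(xml_text)
    return root.find(f"{SYSTEM_PATH}/{NODE_NAME}") is not None


def remove_secondary_panorama(xml_text: str) -> Tuple[str, int]:
    """Return the updated XML text and the number of nodes removed.

    Only the exact node under the quoted path is removed; the primary
    panorama-server setting and everything else is left untouched. A
    configuration that has no such node is returned unchanged with count 0,
    so running the script twice is safe.
    """
    root = ET.fromstring(xml_text)
    removed = 0
    for system in root.findall(SYSTEM_PATH):
        for node in system.findall(NODE_NAME):
            system.remove(node)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def primary_panorama(xml_text: str) -> str:
    """Return the primary panorama-server value, used to verify it survived."""
    root = ET.fromstring(xml_text)
    node = root.find(f"{SYSTEM_PATH}/panorama-server")
    return node.text if node is not None and node.text else ""


if __name__ == "__main__":
    updated, count = remove_secondary_panorama(SAMPLE_CONFIG)
    print(f"removed {count} node(s); primary server still {primary_panorama(updated)}")
    print(updated)
```

Run it against a copy of the exported file rather than the live configuration, and keep the original export so the Log Collector can be returned to its previous state if the commit still fails.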

PAN-95511 The name for an address object, address group, or an external


dynamic list must be unique. Duplicate names for these
objects can result in unexpected behavior when you reference
the object in a policy rule.

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8


and earlier releases, the firewall does not apply password
profile settings (Device > Password Profiles) until after you
upgrade to PAN-OS 8.0.9 or a later release and then only after
you modify the account passwords. (Administrator accounts
that you create in PAN-OS 8.0.9 or a later release do not
require you to change the passwords to apply password profile
settings.)

PAN-94966 After you delete disconnected and connected Terminal Server


(TS) agents in the same operation, the firewall still displays
the IP address-to-port-user mappings (show user ip-
port-user-mapping CLI command) for the disconnected TS
agents you deleted (Device > User Identification > Terminal
Services Agents).
Workaround: Do not delete both disconnected and connected
TS agents in the same operation.

PAN-OS® RELEASE NOTES | PAN-OS 9.0 Release Information 41


© 2019 Palo Alto Networks, Inc.
Issue ID PAN-OS 9.0 Known Issue Description

PAN-94846 When DPDK is enabled on the VM-Series firewall with i40e


virtual function (VF) driver, the VF does not detect the link
status of the physical link. The VF link status remains up,
regardless of changes to the physical link state.

PAN-94402 Upgrading firewalls from PAN-OS 8.1 to PAN-OS 9.0 causes


the loss of user mapping information and therefore disrupts
user-based policies in the following HA configurations:
• Active/active (in this example, the primary/secondary
peers are firewall1/firewall2)—During the period after you
upgrade firewall1 to PAN-OS 9.0 but before you upgrade
firewall2, firewall1 loses user mapping information. When
you finish upgrading both firewalls to PAN-OS 9.0, HA
synchronization restores the lost mapping information on
firewall1.
• Active/passive (in this example, the active/passive peers
are firewall1/firewall2)—After you upgrade firewall2 to
PAN-OS 9.0 but before you upgrade firewall1, firewall2
loses user mapping information but does not enforce
policies because it is still in a passive state. However, after
you trigger failover by suspending firewall1 (in anticipation
of upgrading it), firewall2 becomes the active peer and
fails to enforce user-based policies because its mapping
information is still missing. After you then upgrade firewall1
and trigger failback, firewall1 resumes enforcing policy and
HA synchronization ensures the mapping information is
complete on both firewalls.
In both configurations, whichever firewall is missing user
mapping information also cannot collect new user mappings
through the PAN-OS XML API until you finish upgrading both
HA peers.

PAN-94093 HTTP Header Insertion does not work when jumbo frames are
received out of order.

PAN-93968 The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.

PAN-93842 The logging status of a Panorama Log Collector deployed on AWS or Azure displays as disconnected when you configure the ethernet1/1 to ethernet1/5 interfaces for log collection (Panorama > Managed Collectors > Interfaces). This results in firewalls not sending logs to the Log Collector.
Workaround: Configure the management (MGT) interface for log collection.

PAN-93607 When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn't list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 9.0 as a Thales HSM client, the web interface on the firewall displays the Thales server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).

PAN-93193 The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
• Switch to the firewall Context on the Panorama management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being installed.
• Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall. Use the Task Manager to verify that you are not performing memory-intensive tasks, such as installing dynamic updates, committing changes, or generating reports, at the same time on the firewall.

PAN-92155 You cannot configure an IP address using templates for HA2 (Device > High Availability > Data Link (HA2)) when set to IP or Ethernet for Panorama management servers in a high availability (HA) configuration. This issue is now resolved. See PAN-OS 9.0.1 Addressed Issues.
Workaround: Configure HA2 in the CLI using the following commands:

> configure
# set template <template_name> config deviceconfig high-availability interface ha2 ip-address <IP_address>


PAN-91802 On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.

PAN-91236 The Panorama management server does not display new logs collected on M-Series Log Collectors because the logging search engine does not register during system startup when logging disk checks and RAID mounting take longer than two hours to complete.

PAN-88987 When you configure a PA-5220 firewall with Dynamic IP and Port (DIPP) NAT, the number of translated IP addresses cannot exceed 3,000; otherwise, the commit fails. This issue is now resolved. See PAN-OS 9.0.3 Addressed Issues.

PAN-86903 In rare cases, PA-800 Series firewalls shut themselves down due to a false over-current measurement.

PAN-85691 Authentication policy rules based on multi-factor authentication (MFA) don't block connections to an MFA vendor when the MFA server profile specifies a Certificate Profile that has the wrong certificate authority (CA) certificate. This issue is now resolved. See PAN-OS 9.0.1 Addressed Issues.

PAN-84670 When you disable decryption for HTTPS traffic, end users who don't have valid authentication timestamps can access HTTPS services and applications regardless of Authentication policy. This issue is now resolved. See PAN-OS 9.0.4 Addressed Issues.
Workaround: Create a Security policy rule that blocks HTTPS traffic that is not decrypted.

PAN-84488 On PA-7000 Series and PA-5200 Series firewalls, client systems can use a translated IP address-and-port pair for only one connection even if you configure the Dynamic IP and Port (DIPP) NAT Oversubscription Rate to allow multiple connections (Device > Setup > Session > Session Settings > NAT Oversubscription).

PAN-84045 VM-Series firewalls in an HA configuration with Data Plane Development Kit (DPDK) enabled experience HA path monitoring failures and (in active/passive deployments) HA failover.

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.

PAN-83598 VM-Series firewalls cannot monitor more than 500 virtual machine (VM) information sources (Device > VM Information Sources).


PAN-83236 The VM-Series firewall on Google Compute Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto a Thales nShield hardware security module (HSM).

PAN-81521 Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.

PAN-79423 Panorama cannot push address group objects from device groups to managed firewalls when zones specify the objects in the User Identification ACL include or exclude lists (Network > Zones) and the Share Unused Address and Service Objects with Devices option is disabled (Panorama > Setup > Management > Panorama Settings).

PAN-77125 PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don't close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.

PAN-75457 (PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error—the commit fails and the cluster becomes unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.

PAN-73401 (PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
• You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
• You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
• After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
• Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

or

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

Both commands result in Panorama reporting that the controller nodes are in sync.


PAN-71329 Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround: Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).

PAN-41558 When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround: Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.

PAN-40079 The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.


PAN-38255 When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.

PAN-31832 The following issues apply when configuring a firewall to use a hardware security module (HSM):
• Thales nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
• SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.

PAN-25046 Firewalls store SSH host keys used for SCP log exports in the known hosts file. In an HA deployment, PAN-OS synchronizes the SCP log export configuration between the firewall HA peers (Device > Scheduled Log Export), but not the known hosts file. When a failover occurs, the SCP log export fails.
Workaround: Log in to each peer in HA, select Device > Scheduled Log Export > <log_export_configuration>, and Test SCP server connection to confirm the host key so that SCP log forwarding continues to work after a failover.

PAN-OS 9.0.5 Known Issues

The following list includes only outstanding known issues specific to the PAN-OS 9.0.5 maintenance and hotfix releases. This list includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well as known issues that apply more generally or that are not identified by an issue ID. For a complete list of existing and addressed known issues in all PAN-OS 9.0 releases, see the Consolidated List of PAN-OS 9.0 Known Issues.

Issue ID Description

— Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.

— A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
• When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
• If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50. The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for licensed capacity for the firewall model.

— A Panorama™ management server running PAN-OS® 9.0 does not currently support management of appliances running WildFire 7.1 or earlier releases. Even though these management options are visible on the Panorama 9.0 web interface (Panorama > Managed WildFire Clusters and Panorama > Managed WildFire Appliances), making changes to these settings for appliances running WildFire 7.1 or an earlier release has no effect.

WF500-4200 The Create Date shown when using the show wildfire global sample-status sha256 equal <hash> or show wildfire global sample-analysis CLI command is two hours behind the actual time for WF-500 appliance samples.

PLUG-1854 (PAN-OS 9.0.2 and later releases on AWS and GCP only) You cannot swap the management interface. This issue is resolved with VM-Series plugin 1.0.3.

PLUG-1827 (Microsoft Azure only) The firewall drops packets due to larger than expected packet sizes when Accelerated networking is enabled on the firewall (Settings > Networking). This issue is resolved after you upgrade to VM-Series plugin 1.0.3 and reboot the firewall.

PLUG-1709 (Microsoft Azure only) There is an intermittent issue where the secondary IP address becomes associated with the passive firewall after multiple failovers. This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Reassign IP addresses to the active and passive firewalls in Azure as needed.

PLUG-1694 (PAYG licenses only) Your pay-as-you-go (PAYG) license is not retained when you upgrade from a PAN-OS 8.1 release to a PAN-OS 9.0 release.
Workaround: Upgrade to VM-Series plugin 1.0.2 (or later) after you upgrade to a PAN-OS 9.0 release and then reboot the firewall to recover your PAYG license.


PLUG-1681 If you bootstrap a PAN-OS 9.0.1 image while using VM-Series plugin 1.0.0, the firewall will not apply the capacity license. To downgrade the VM-Series plugin from version 1.0.2 to 1.0.0, first bootstrap the PAN-OS 9.0.1 image and then downgrade the plugin.

PLUG-1642 After a high availability (HA) failover, the dataplane interface on a VM-Series firewall on Azure with Accelerated Networking (SR-IOV) becomes disabled when, as a result of the failover, the secondary IP address is detached from or attached to the firewall and moved to its HA peer. This issue is resolved with VM-Series plugin 1.0.2.

PLUG-1503 When a VM-Series firewall on AWS running on a C5 or M5 instance experiences a high availability (HA) failover, the dataplane interfaces from the previously active firewall are not moved to the newly active (previously passive) peer. This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Check for the latest VM-Series plugin version and install the VM-Series plugin 9.0.0 version; the built-in version is 9.0.0-c29.

PLUG-1074 On the VM-Series firewall on AWS, when you change the instance type, the firewall no longer has a serial number or a license. Additionally, if you manage this firewall using Panorama, it is no longer connected to Panorama.

PLUG-380 When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.

PAN-128269 (PA-5250, PA-5260, and PA-5280 firewalls with 100GB AOC cables only) When you upgrade the first peer in a high availability (HA) configuration to PAN-OS 9.0.3 or a later PAN-OS 9.0 release, the High Speed Chassis Interconnect (HSCI) port does not come up due to an FEC mismatch until after you finish upgrading the second peer.

PAN-124956 There is an issue where VM-Series firewalls do not support packet buffer protection.

PAN-120440 There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2.

PAN-120303 There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
• Modify the PAN-DB Server IP address on the managed firewall.
1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
2. Commit your changes.
3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
4. Commit your changes.
• Restart the firewall (devsrvr) process.
1. Log in to the firewall CLI.
2. Restart the devsrvr process: debug software restart process device-server

PAN-118525 (PA-5250, PA-5260, PA-5280, and PA-7000 Series firewalls only) There is an issue where the QSFP28 port does not come up with the TR-FC13L-N00 version of the PAN-QSFP28-100GBASE-LR4 optical transceiver on firewalls running a PAN-OS 9.0 release. For assistance, please contact Support.

PAN-118414 (PAN-OS 9.0.2 and later releases only) There is an intermittent issue where a Panorama management server managing Prisma Access or Cortex Data Lake fails to authorize one-time-password (OTP) submissions during the onboarding process.
Workaround: Downgrade to PAN-OS 9.0.1.

PAN-118108 There is an issue where an API call against a Panorama management server that triggers the request analyze-shared-policy command causes Panorama to reboot after you execute the command.

PAN-117043 There is an issue on the Panorama management server and all supported firewalls where special characters contained in the tag names of Security policy rules return the following error message when you commit or push a configuration: group-tag is invalid.
Workaround: Modify the tags and group tags (Objects > Tags) to exclude special characters.

PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add the DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.


PAN-115816 (Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.

PAN-115733 (PAN-OS firewalls in an HA configuration only) There is a rare issue where data interfaces do not come up after you reboot the firewall when running a C5 or M5 instance type in AWS.
Workaround: Reboot the firewall.

PAN-114495 Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets. Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.

PAN-113117 A newly launched firewall does not get its configuration from Panorama when it first connects if you installed the VM-Series plugin on Panorama. When a newly launched firewall that is bootstrapped connects to Panorama, a process restart occurs on Panorama. Upon restart, you are logged out of the user interface and you need to log in and push the device group and template configuration to the newly connected firewall.

PAN-113098 In the firewall web interface, you can temporarily submit change requests for the following URL categories: insufficient-content, high-risk, medium-risk, low-risk, and newly-registered-domains. However, Palo Alto Networks does not support or process change requests for these categories.

PAN-112983 (Firewalls with multiple virtual systems only; no impact to Panorama) If you select any Location other than Shared when you generate or import a new CA Certificate in a Certificate Profile (Device > Certificate Management > Certificate Profile), the firewall adds the newly generated or imported certificate to vsys1. For example, if you specify vsys3 as the Location, Add a CA Certificate, and then Generate a new certificate, the firewall adds the certificate to vsys1 instead of vsys3. When you click OK to configure the Certificate Profile, the firewall returns an Operation Failed error message because it sees a certificate for vsys1 added to vsys3.
Workaround 1:
1. Generate or import the new certificate in a Certificate Profile (Device > Certificate Management > Certificates > Device Certificates) and select the appropriate vsys Location when you generate or import the certificate.
2. When you create or edit the Certificate Profile, specify the vsys Location and Add the certificate that you generated (or imported) from the list of existing certificates.
Workaround 2: When you generate or import a new certificate when you configure a Certificate Profile for a vsys other than vsys1, specify the Location as Shared.

PAN-112694 (Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.

PAN-112626 When you upgrade to PAN-OS 9.0 with a PAYG Bundle 2 license, the new DNS Security subscription is not available on your VM-Series firewall. This subscription is included with the BYOL and VM-Series ELA when you upgrade.

PAN-112562 The Log Forwarding Card (LFC) subinterface incorrectly uses the interface IP address instead of the subinterface IP address for all services that forward logs (such as syslog, email, and SNMP) for selected virtual systems.

PAN-112456 You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories, so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.

PAN-111928 Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.

PAN-111866 The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
• Manually select the devices that belong to the modified device group and template configurations.

PAN-111729 If you disable DPDK mode and enable it again, you must immediately reboot the firewall.

PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV adapter.

PAN-110794 DGA-based threats shown in the firewall threat log display the same name for all such instances.

PAN-110603 In some cases, when a port on a PA-7000 Series 100Gbps Network Processor Card (NPC) has an SFP+ transceiver inserted but no cable is connected, the system detects a signal and attempts to tune and link with that port. As a result, if the device at the other end of the connection is rebooted or has an HA failover event, the link is sometimes held down for an extended period of time while the interface attempts to tune itself.
Workaround: Connect a cable to the installed SFP+ transceiver to allow the system to tune and link. Then, when you disconnect the cable, the system will correctly detect that the link is down. Alternatively, remove the SFP+ transceiver from the port.

PAN-109526 The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.

PAN-106989 There is a display-only issue on Panorama that results in a commit failed status for Template Last Commit State (Panorama > Managed Devices > Summary).
Workaround: Push templates to managed devices.

PAN-106675 After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround: Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.

PAN-105210 (Panorama in FIPS mode only when managing non-FIPS firewalls) You cannot configure a GlobalProtect portal on Panorama in FIPS mode when managing a non-FIPS firewall. If you attempt to do so, you will receive the following error message: agent-user-override-key unexpected here Portal_fips.

PAN-104780 If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints. Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.

PAN-103336 (HA configurations only) When you downgrade a VM-Series firewall on Azure from PAN-OS 9.0 to an earlier release, you do not receive warnings. Do not downgrade your firewall without saving and exporting your current configuration.
Workaround: Because HA is not supported in earlier versions of VM-Series firewalls on Azure, to prevent the loss of your configuration:
• Save and export the configuration before you downgrade.
• After you downgrade, load the saved configuration and commit your changes. The firewall will resume operation without the HA configuration.

PAN-103276 Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.

PAN-103018 (Panorama plugins) When you use the AND/OR boolean operators to define the match criteria for Dynamic Address Groups on Panorama, the boolean operators do not function properly. The member IP addresses are not included in the address group as expected.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all.


PAN-101537 After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround: Specify the vsys in the query string:

admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> | <src> in <object-name>

PAN-99084 (HA configurations running PAN-OS 8.0.9 or a later PAN-OS
release) If you disable the high availability (HA) configuration
sync option (enabled by default), User-ID data does not sync
as expected between HA peers.
Workaround: Re-enable Config Sync (Device > High
Availability > General > Setup settings).

PAN-98803 If you configure the Panorama plugin to monitor virtual
machines or endpoints in your AWS, Azure, or Cisco ACI
environment without installing the NSX plugin, the IP-
address-to-tag mappings for Dynamic Address Groups are not
displayed on Panorama.
Workaround: Install the NSX plugin (you do not need to use
the NSX plugin for the installation to resolve this display issue).

PAN-98520 When booting or rebooting a PA-7000 Series Firewall with the
SMC-B installed, the BIOS console output displays attempts to
connect to the card's controller in the System Memory Speed
section. These messages are harmless and can be ignored.

PAN-97757 GlobalProtect authentication fails with an Invalid
username/password error (because the user is not found
in Allow List) after you enable GlobalProtect authentication
cookies and add a RADIUS group to the Allow List of the
authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies.
Alternatively, disable (clear) Retrieve user group from RADIUS
in the authentication profile and configure group mapping
from Active Directory (AD) through LDAP.

PAN-97524 (Panorama management server only) The Security Zone and
Virtual System columns (Network tab) display None after a
Device Group and Template administrator with read-only
privileges performs a context switch.

PAN-96985 The request shutdown system command does not shut
down the Panorama management server.

PAN-96960 You cannot restart or shut down a Panorama on KVM from the
virt-manager console or the virsh CLI.

PAN-96446 A firewall that is not included in a Collector Group fails to
generate a system log if logs are dropped when forwarded to a
Panorama management server that is running in Management
Only mode.

PAN-95773 On VM-Series firewalls that have Data Plane Development Kit
(DPDK) enabled and that use the i40e network interface card
(NIC), the show session info CLI command displays an
inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system
setting dpdk-pkt-io off CLI command.

PAN-95717 After 30,000 or more end users log in to the GlobalProtect
gateway within a two- to three-hour period, the firewall web
interface responds slowly, commits take longer than expected
or intermittently fail, and Tech Support File generation times
out and fails.

PAN-95602 In a deployment where a Log Collector connects to Panorama
management servers in a high availability (HA) configuration,
after you switch the Log Collector appliance to Panorama
mode, commit operations fail on the appliance.
Workaround: Remove the following node from
the running-config.xml file on the Log Collector
before switching it to Panorama mode:
devices/entry[@name='localhost.localdomain']/deviceconfig/system/panorama-server-2

PAN-95511 The name for an address object, address group, or an external
dynamic list must be unique. Duplicate names for these
objects can result in unexpected behavior when you reference
the object in a policy rule.
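Both PAN-95602 and PAN-95511 come down to inspecting an exported PAN-OS configuration XML before you commit or import it: the first needs the panorama-server-2 node removed from a Log Collector's running-config.xml, the second warns that address objects, address groups and external dynamic lists draw their names from one pool. The following Python script is an added example, not Palo Alto Networks code and not part of these release notes. It assumes you have an exported copy of the configuration on your workstation and re-import the edited file with your usual procedure; the embedded configuration fragment is constructed for illustration, and the object paths it walks (devices/entry/vsys/entry/address, address-group and external-list) are the firewall-side layout, which differs from Panorama device-group XML.

```python
"""Pre-import lint for an exported PAN-OS configuration XML (added example)."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample, not a real device export: a Log Collector that still
# references a second Panorama HA peer (PAN-95602) and a vsys in which an
# address object and an address group share the name "web-srv" (PAN-95511).
SAMPLE_CONFIG = """\
<config version="9.0.0">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <hostname>lc-01</hostname>
          <panorama-server>10.0.0.10</panorama-server>
          <panorama-server-2>10.0.0.11</panorama-server-2>
        </system>
      </deviceconfig>
      <vsys>
        <entry name="vsys1">
          <address>
            <entry name="web-srv"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
            <entry name="db-srv"><ip-netmask>10.1.1.20/32</ip-netmask></entry>
          </address>
          <address-group>
            <entry name="web-srv"><static><member>db-srv</member></static></entry>
          </address-group>
          <external-list>
            <entry name="blocklist"><type><ip><url>http://edl.example.invalid/ips.txt</url></ip></type></entry>
          </external-list>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
"""

# Path quoted in PAN-95602, minus the trailing node, so the child can be
# removed from its parent (ElementTree cannot delete an element by itself).
SYSTEM_PATH = "devices/entry[@name='localhost.localdomain']/deviceconfig/system"

# Object containers whose entry names share one namespace per vsys
# (PAN-95511). Assumed firewall-side layout; Panorama device groups differ.
OBJECT_CONTAINERS = ("address", "address-group", "external-list")


def remove_secondary_panorama(config_xml: str) -> tuple[str, bool]:
    """Drop the panorama-server-2 node if present.

    Returns (xml, removed) so the caller can tell a no-op from an edit
    instead of blindly re-importing an unchanged file.
    """
    root = ET.fromstring(config_xml)
    system = root.find(SYSTEM_PATH)
    node = system.find("panorama-server-2") if system is not None else None
    if node is None:
        return config_xml, False
    system.remove(node)
    return ET.tostring(root, encoding="unicode"), True


def find_duplicate_object_names(config_xml: str) -> dict[str, dict[str, list[str]]]:
    """Report names reused across address, address-group and external-list
    entries in each vsys. Result: {vsys: {name: [container, ...]}} holding
    only the collisions; an empty dict means the config is clean.
    """
    root = ET.fromstring(config_xml)
    report: dict[str, dict[str, list[str]]] = {}
    for vsys in root.findall("devices/entry/vsys/entry"):
        seen: dict[str, list[str]] = defaultdict(list)
        for container in OBJECT_CONTAINERS:
            for entry in vsys.findall(f"{container}/entry"):
                seen[entry.get("name", "")].append(container)
        dupes = {name: where for name, where in seen.items() if len(where) > 1}
        if dupes:
            report[vsys.get("name", "")] = dupes
    return report


if __name__ == "__main__":
    cleaned, removed = remove_secondary_panorama(SAMPLE_CONFIG)
    print("panorama-server-2 removed:", removed)  # True
    print("name collisions:", find_duplicate_object_names(cleaned))
```

Run it against the exported file instead of SAMPLE_CONFIG and treat a non-empty collision report as a reason to rename objects before you push the configuration; the removal function reports False when the node is already absent, which is the normal state on a Log Collector that was never pointed at an HA pair.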

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8
and earlier releases, the firewall does not apply password
profile settings (Device > Password Profiles) until after you
upgrade to PAN-OS 8.0.9 or a later release and then only after
you modify the account passwords. (Administrator accounts
that you create in PAN-OS 8.0.9 or a later release do not
require you to change the passwords to apply password profile
settings.)

PAN-94966 After you delete disconnected and connected Terminal Server
(TS) agents in the same operation, the firewall still displays
the IP address-to-port-user mappings (show user ip-port-user-mapping
CLI command) for the disconnected TS agents you deleted
(Device > User Identification > Terminal Services Agents).
Workaround: Do not delete both disconnected and connected
TS agents in the same operation.

PAN-94846 When DPDK is enabled on the VM-Series firewall with i40e
virtual function (VF) driver, the VF does not detect the link
status of the physical link. The VF link status remains up,
regardless of changes to the physical link state.

PAN-94402 Upgrading firewalls from PAN-OS 8.1 to PAN-OS 9.0 causes
the loss of user mapping information and therefore disrupts
user-based policies in the following HA configurations:
• Active/active (in this example, the primary/secondary
peers are firewall1/firewall2)—During the period after you
upgrade firewall1 to PAN-OS 9.0 but before you upgrade
firewall2, firewall1 loses user mapping information. When
you finish upgrading both firewalls to PAN-OS 9.0, HA
synchronization restores the lost mapping information on
firewall1.
• Active/passive (in this example, the active/passive peers
are firewall1/firewall2)—After you upgrade firewall2 to
PAN-OS 9.0 but before you upgrade firewall1, firewall2
loses user mapping information but does not enforce
policies because it is still in a passive state. However, after
you trigger failover by suspending firewall1 (in anticipation
of upgrading it), firewall2 becomes the active peer and
fails to enforce user-based policies because its mapping
information is still missing. After you then upgrade firewall1
and trigger failback, firewall1 resumes enforcing policy and
HA synchronization ensures the mapping information is
complete on both firewalls.
In both configurations, whichever firewall is missing user
mapping information also cannot collect new user mappings
through the PAN-OS XML API until you finish upgrading both
HA peers.

PAN-94093 HTTP Header Insertion does not work when jumbo frames are
received out of order.

PAN-93968 The firewall and Panorama web interfaces display vulnerability
threat IDs that are not available in PAN-OS 9.0 releases
(Objects > Security Profiles > Vulnerability Protection >
<profile> > Exceptions). To confirm whether a particular threat
ID is available in your release, monitor the release notes for
each new Applications and Threats content update or check
the Palo Alto Networks Threat Vault to see the minimum PAN-
OS release version for a threat signature.

PAN-93842 The logging status of a Panorama Log Collector deployed on
AWS or Azure displays as disconnected when you configure
the ethernet1/1 to ethernet1/5 interfaces for log collection
(Panorama > Managed Collectors > Interfaces). This results in
firewalls not sending logs to the Log Collector.
Workaround: Configure the management (MGT) interface for
log collection.

PAN-93607 When you configure a VM-500 firewall with an SCTP
Protection profile (Objects > Security Profiles > SCTP
Protection) and you try to add the profile to an existing
Security Profile Group (Objects > Security Profile Groups), the
Security Profile Group doesn’t list the SCTP Protection profile
in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select
the SCTP Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 9.0 as a Thales
HSM client, the web interface on the firewall displays the
Thales server status as Not Authenticated, even though the
HSM state is up (Device > Setup > HSM).

PAN-93193 The memory-optimized VM-50 Lite intermittently performs
slowly and stops processing traffic when memory utilization
is critically high. To prevent this issue, make sure that you do
not:
• Switch to the firewall Context on the Panorama
management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being
installed.
• Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see
a critical System log for memory utilization, wait for 5 minutes
and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing
memory intensive tasks such as installing dynamic updates,
committing changes or generating reports, at the same time,
on the firewall.

PAN-91802 On a VM-Series firewall, the clear session all CLI command
does not clear GTP sessions.

PAN-91236 The Panorama management server does not display new logs
collected on M-Series Log Collectors because the logging
search engine does not register during system startup when
logging disk checks and RAID mounting take longer than two
hours to complete.

PAN-86903 In rare cases, PA-800 Series firewalls shut themselves down
due to a false over-current measurement.

PAN-84488 On PA-7000 Series and PA-5200 Series firewalls, client
systems can use a translated IP address-and-port pair for
only one connection even if you configure the Dynamic IP
and Port (DIPP) NAT Oversubscription Rate to allow multiple
connections (Device > Setup > Session > Session Settings >
NAT Oversubscription).

PAN-84045 VM-Series firewalls in an HA configuration with Data Plane
Development Kit (DPDK) enabled experience HA path
monitoring failures and (in active/passive deployments) HA
failover.

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100
network processor) that has session offload enabled (default)
incorrectly resets the UDP checksum of outgoing UDP
packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can
persistently disable session offload for UDP traffic only by
using the set session udp-offload no CLI command.

PAN-83598 VM-Series firewalls cannot monitor more than 500 virtual
machine (VM) information sources (Device > VM Information
Sources).

PAN-83236 The VM-Series firewall on Google Cloud Platform does not
publish firewall metrics to Google Stackdriver Monitoring when
you manually configure a DNS server IP address (Device >
Setup > Services).
Workaround: The VM-Series firewall on Google Cloud
Platform must use the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work
when you import the ECDSA private keys onto a Thales
nShield hardware security module (HSM).

PAN-81521 Endpoints fail to authenticate to GlobalProtect through
Kerberos when you specify an FQDN instead of an IP address
in the Kerberos server profile (Device > Server Profiles >
Kerberos).
Workaround: Replace the FQDN with the IP address in the
Kerberos server profile.

PAN-79423 Panorama cannot push address group objects from device
groups to managed firewalls when zones specify the objects in
the User Identification ACL include or exclude lists (Network >
Zones) and the Share Unused Address and Service Objects
with Devices option is disabled (Panorama > Setup >
Management > Panorama Settings).

PAN-77125 PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls
configured in tap mode do not close offloaded sessions after
processing the associated traffic; the sessions remain open
until they time out.
Workaround: Configure the firewalls in virtual wire mode
instead of tap mode, or disable session offloading by running
the set session offload no CLI command.

PAN-75457 (PAN-OS 8.0.1 and later releases) In WildFire appliance
clusters that have three or more nodes, the Panorama
management server does not support changing node roles. In
a three-node cluster, for example, you cannot use Panorama
to configure the worker node as a controller node (by adding
the HA and cluster controller configurations) or configure an
existing controller node as a worker node (by removing the HA
configuration) and then commit and push the configuration.
Attempts to change cluster node roles from Panorama result
in a validation error: the commit fails and the cluster becomes
unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a
Data Filtering profile blocks files.

PAN-73401 (PAN-OS 8.0.1 and later releases) When you import a
two-node WildFire appliance cluster into the Panorama
management server, the controller nodes report their state as
out-of-sync if either of the following conditions exists:
• You did not configure a worker list to add at least one
worker node to the cluster. (In a two-node cluster, both
nodes are controller nodes configured as an HA pair.
Adding a worker node would make the cluster a three-node
cluster.)
• You did not configure a service advertisement (that is, you
neither explicitly enabled nor explicitly disabled DNS service
advertisement on the controller nodes).
Workaround: There are three possible workarounds to sync
the controller nodes:
• After you import the two-node cluster into Panorama, push
the configuration from Panorama to the cluster. After the
push succeeds, Panorama reports that the controller nodes
are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker
node you are adding to the cluster.) This creates a three-
node cluster. After you import the cluster into Panorama,
Panorama reports that the controller nodes are in sync.
When you want the cluster to have only two nodes, use a
different workaround.
• Configure service advertisement on the local CLI of the
cluster controller and then import the configuration into
Panorama. The service advertisement can advertise that
DNS is either enabled or not enabled:

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

or

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

Both commands result in Panorama reporting that the
controller nodes are in sync.

PAN-71329 Local users and user groups in the Shared location (all virtual
systems) are not available to be part of the user-to-application
mapping for GlobalProtect Clientless VPN applications
(Network > GlobalProtect > Portals > <portal> > Clientless
VPN > Applications).
Workaround: Create users and user groups in specific virtual
systems on firewalls that have multiple virtual systems. For
single virtual systems (like VM-Series firewalls), users and user
groups are created under Shared and are not configurable for
Clientless VPN applications.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are
enabled on the same IP address, then when a user logs out of
the GlobalProtect portal, the administrative user is also logged
out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web
interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When viewing an external dynamic list that requires client
authentication and you Test Source URL, the firewall fails to
indicate whether it can reach the external dynamic list server
and returns a URL access error (Objects > External Dynamic
Lists).

PAN-41558 When you use a firewall loopback interface as a GlobalProtect
gateway interface, traffic is not routed correctly for third-party
IPSec clients, such as strongSwan.
Workaround: Use a physical firewall interface instead of a
loopback firewall interface as the GlobalProtect gateway
interface for third-party IPSec clients. Alternatively, configure
the loopback interface that is used as the GlobalProtect
gateway to be in the same zone as the physical ingress
interface for third-party IPSec traffic.

PAN-40079 The VM-Series firewall on KVM, for all supported Linux
distributions, does not support the Broadcom network
adapters for PCI pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled
custom report on a Panorama M-Series appliance, the earliest
possible start date for the report data is effectively the date
when you configured the report (Monitor > Manage Custom
Reports). For example, if you configure the report on the
15th of the month and set the Time Frame to Last 30 Days,
the report that Panorama generates on the 16th will include
only data from the 15th onward. This issue applies only to
scheduled reports; on-demand reports include all data within
the specified Time Frame.
Workaround: To generate an on-demand report, click Run
Now when you configure the custom report.

PAN-38255 When you perform a factory reset on a Panorama virtual
appliance and configure the serial number, logging does
not work until you reboot Panorama or execute the debug
software restart process management-server CLI
command.

PAN-31832 The following issues apply when configuring a firewall to use a
hardware security module (HSM):
• Thales nShield Connect—The firewall requires at least four
minutes to detect that an HSM was disconnected, causing
SSL functionality to be unavailable during the delay.
• SafeNet Network—When losing connectivity to either
or both HSMs in an HA configuration, the output of the
show high-availability state and show hsm info
commands is blocked for 20 seconds.

PAN-25046 Firewalls store the SSH host keys used for SCP log exports in the
known hosts file. In an HA deployment, PAN-OS synchronizes
the SCP log export configuration between the firewall HA
peers (Device > Scheduled Log Export), but not the known
hosts file. When a failover occurs, the SCP log export fails.
Workaround: Log in to each peer in the HA pair, select Device >
Scheduled Log Export > <log_export_configuration>, and Test
SCP server connection to confirm the host key so that SCP log
forwarding continues to work after a failover.

PAN-OS 9.0.4 Known Issues

The following list includes only outstanding known issues specific to the PAN-OS 9.0.4 maintenance and
hotfix releases. This list includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and
WildFire®, as well as known issues that apply more generally or that are not identified by an issue ID. For a
complete list of existing and addressed known issues in all PAN-OS 9.0 releases, see the Consolidated List
of PAN-OS 9.0 Known Issues.

Issue ID Description

— Upgrading Panorama with a local Log Collector and Dedicated
Log Collectors to PAN-OS 8.1 or a later PAN-OS release
can take up to six hours to complete due to significant
infrastructure changes. Ensure uninterrupted power to all
appliances throughout the upgrade process.

— A critical System log is generated on the VM-Series firewall
if the minimum memory requirement for the model is not
available.
• When the memory allocated is less than 4.5GB, you
cannot upgrade the firewall. The following error message
displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
• If the memory allocation is more than 4.5GB but less than
the licensed capacity requirement for the model, the firewall
defaults to the capacity associated with the VM-50.
The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license
indicates that you must allocate the additional memory
required for the licensed capacity of the firewall model.

— A Panorama™ management server running PAN-OS® 9.0
does not currently support management of appliances
running WildFire 7.1 or earlier releases. Even though these
management options are visible on the Panorama 9.0 web
interface (Panorama > Managed WildFire Clusters and
Panorama > Managed WildFire Appliances), making changes
to these settings for appliances running WildFire 7.1 or an
earlier release has no effect.

WF500-4200 The Create Date shown when using the show wildfire
global sample-status sha256 equal <hash> or show
wildfire global sample-analysis CLI command
is two hours behind the actual time for WF-500 appliance
samples.

PLUG-1854 (PAN-OS 9.0.2 and later releases on AWS and GCP only) You
cannot swap the management interface.
This issue is resolved with VM-Series plugin 1.0.3.

PLUG-1827 (Microsoft Azure only) The firewall drops packets due to larger
than expected packet sizes when Accelerated networking is
enabled on the firewall (Settings > Networking).
This issue is resolved after you upgrade to VM-Series plugin
1.0.3 and reboot the firewall.

PLUG-1709 (Microsoft Azure only) There is an intermittent issue where
the secondary IP address becomes associated with the passive
firewall after multiple failovers.
This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Reassign IP addresses to the active and passive
firewalls in Azure as needed.

PLUG-1694 (PAYG licenses only) Your pay-as-you-go (PAYG) license is not
retained when you upgrade from a PAN-OS 8.1 release to a
PAN-OS 9.0 release.
Workaround: Upgrade to VM-Series plugin 1.0.2 (or later)
after you upgrade to a PAN-OS 9.0 release and then reboot
the firewall to recover your PAYG license.

PLUG-1681 If you bootstrap a PAN-OS 9.0.1 image while using VM-Series
plugin 1.0.0, the firewall will not apply the capacity license. To
downgrade the VM-Series plugin from version 1.0.2 to 1.0.0,
first bootstrap the PAN-OS 9.0.1 image and then downgrade
the plugin.

PLUG-1642 After a high availability (HA) failover, the dataplane interface
on a VM-Series firewall on Azure with Accelerated Networking
(SR-IOV) becomes disabled when, as a result of the failover,
the secondary IP address is detached from or attached to the
firewall and moved to its HA peer.
This issue is resolved with VM-Series plugin 1.0.2.

PLUG-1503 When a VM-Series firewall on AWS running on a C5 or M5
instance experiences a high availability (HA) failover, the
dataplane interfaces from the previously active firewall are not
moved to the newly active (previously passive) peer.
This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Check for the latest VM-Series plugin version
and install the VM-Series plugin 9.0.0 version; the built-in
version is 9.0.0-c29.

PLUG-1074 On the VM-Series firewall on AWS, when you change the
instance type, the firewall no longer has a serial number
or a license. Additionally, if you manage this firewall using
Panorama, it is no longer connected to Panorama.

PLUG-380 When you rename a device group, template, or template stack
in Panorama that is part of a VMware NSX service definition,
the new name is not reflected in NSX Manager. Therefore, any
ESXi hosts that you add to a vSphere cluster are not added to
the correct device group, template, or template stack and your
Security policy is not pushed to VM-Series firewalls that you
deploy after you rename those objects. There is no impact to
existing VM-Series firewalls.

PAN-128269 (PA-5250, PA-5260, and PA-5280 firewalls with 100GB
AOC cables only) When you upgrade the first peer in a high
availability (HA) configuration to PAN-OS 9.0.3 or a later PAN-
OS 9.0 release, the High Speed Chassis Interconnect (HSCI)
port does not come up due to an FEC mismatch until after you
finish upgrading the second peer.

PAN-125775 Panorama management servers deployed on the C5 or M5
instance types on Amazon Web Services (AWS) stop
responding in regions that support these instance types.

PAN-125121 (VM-Series firewalls on AWS only) There is an issue where
custom images do not function as expected for PAN-OS 9.0.
Workaround: Use PAN-OS 8.1 for creating custom images.

PAN-124956 VM-Series firewalls do not support packet buffer protection.

PAN-120440 On M-500 Panorama management servers, an Ethernet
interface that uses an IPv6 address for Private PAN-DB-URL
connectivity accepts the address only in the form of the
following example: 2001:DB9:85A3:0:0:8A2E:370:2.

PAN-120303 The firewall remains connected to the PAN-DB-URL server
through the old management IP address of the M-500
Panorama management server, even after you configure the
Eth1/1 interface for that service.
Workaround: Update the PAN-DB-URL IP address on the
firewall using one of the following methods.
• Modify the PAN-DB Server IP address on the managed
firewall:
1. On the web interface, delete the PAN-DB Server IP
address (Device > Setup > Content ID > URL Filtering
settings).
2. Commit your changes.
3. Add the new M-500 Eth1/1 IP address as the PAN-DB
Server IP address.
4. Commit your changes.
• Restart the device-server (devsrvr) process on the firewall:
1. Log in to the firewall CLI.
2. Restart the process: debug software restart process device-server

PAN-118628 There is an issue where after you deploy Panorama in Azure,
you cannot log in to Panorama with the username and
password that was provided during the deployment process.

PAN-118525 (PA-5250, PA-5260, PA-5280, and PA-7000 Series firewalls
only) The QSFP28 port does not come up with the
TR-FC13L-N00 version of the PAN-QSFP28-100GBASE-LR4
optical transceiver on firewalls running a PAN-OS 9.0 release.
For assistance, contact Support.

PAN-118414 (PAN-OS 9.0.2 and later releases only) There is an intermittent
issue where a Panorama management server that manages
Prisma Access or Cortex Data Lake fails to authorize one-time-
password (OTP) submissions during the onboarding process.
Workaround: Downgrade to PAN-OS 9.0.1.

PAN-118108 An API call against a Panorama management server that
triggers the request analyze-shared-policy command
causes Panorama to reboot after the command executes.

PAN-117043 On the Panorama management server and all supported
firewalls, special characters in the tag names of Security
policy rules cause the following error message when you
commit or push a configuration: group-tag is invalid.
Workaround: Modify the tags and group tags (Objects > Tags)
so that they do not contain special characters.

PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not
accept the DNS value from the initial configuration (init-cfg)
file when you bootstrap the firewall.
Workaround: Add the DNS value to the bootstrap.xml file in
the bootstrap folder and then complete the bootstrap process.

PAN-115816 (Microsoft Azure only) There is an intermittent issue where
an Ethernet (eth1) interface does not come up when you first
boot up the firewall.
Workaround: Reboot the firewall.

PAN-115733 (PAN-OS firewalls in an HA configuration only) In rare cases,
data interfaces do not come up after you reboot a firewall
that runs on a C5 or M5 instance type in AWS.
Workaround: Reboot the firewall.

PAN-114495 Alibaba Cloud runs on a KVM hypervisor and supports two
Virtio modes: DPDK (default) and MMAP. If you deploy a VM-
Series firewall running PAN-OS 9.0 in DPDK packet mode
and you then switch to MMAP packet mode, the VM-Series
firewall duplicates packets that originate from or terminate
on the firewall. As an example, if a load balancer or a server
behind the firewall pings the VM-Series firewall after you
switch from DPDK packet mode to MMAP packet mode, the
firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-
Series firewall using MMAP packet mode.

PAN-113117 A newly launched firewall does not get its configuration from
Panorama when it first connects if you installed the VM-Series
plugin on Panorama. When a newly launched firewall that is
bootstrapped connects to Panorama, a process restart occurs
on Panorama. Upon restart, you are logged out of the user
interface and you need to log in and push the device group
and template configuration to the newly connected firewall.

PAN-113098 In the firewall web interface, you can temporarily submit
change requests for the following URL categories: insufficient-
content, high-risk, medium-risk, low-risk, and newly-
registered-domains. However, Palo Alto Networks does not
support or process change requests for these categories.

PAN-112983 (Firewalls with multiple virtual systems only; no impact to
Panorama) If you select any Location other than Shared when
you generate or import a new CA Certificate in a Certificate
Profile (Device > Certificate Management > Certificate
Profile), the firewall adds the newly generated or imported
certificate to vsys1. For example, if you specify vsys3 as the
Location, Add a CA Certificate, and then Generate a new
certificate, the firewall adds the certificate to vsys1 instead of
vsys3. When you click OK to configure the Certificate Profile,
the firewall returns an Operation Failed error message
because it sees a certificate for vsys1 added to vsys3.
Workaround 1:
1. Generate or import the new certificate in a Certificate
Profile (Device > Certificate Management > Certificates >
Device Certificates) and select the appropriate vsys
Location when you generate or import the certificate.
2. When you create or edit the Certificate Profile, specify the
vsys Location and Add the certificate that you generated
(or imported) from the list of existing certificates.
Workaround 2: When you generate or import a new
certificate when you configure a Certificate Profile for a vsys
other than vsys1, specify the Location as Shared.

PAN-112694 (Firewalls with multiple virtual systems only) If you configure
dynamic DNS (DDNS) on a new interface (associated with
vsys1 or another virtual system) and you then create a
New Certificate Profile from the drop-down, you must set
the location for the Certificate Profile to Shared. If you
configure DDNS on an existing interface and then create a
new Certificate Profile, we also recommend that you choose
the Shared location instead of a specific virtual system.
Alternatively, you can select a preexisting certificate profile
instead of creating a new one.

PAN-112626 When you upgrade to PAN-OS 9.0 with a PAYG Bundle 2
license, the new DNS Security subscription is not available on
your VM-Series firewall.
This subscription is included with the BYOL and VM-Series
ELA when you upgrade.

PAN-112562 The Log Forwarding Card (LFC) subinterface incorrectly uses
the interface IP address instead of the subinterface IP address
for all services that forward logs (such as syslog, email, and
SNMP) for selected virtual systems.

PAN-112456 You can temporarily submit a change request for a URL


Category with more than two suggested categories. However,
we support only two suggested categories so add no more
than two suggested categories to a change request until we
address this issue. If you submit more than two suggested
categories, we will use only the first two categories you enter.

PAN-111928 Invalid configuration errors are not displayed as expected


when you revert a Panorama management server
configuration.
Workaround: After you revert the Panorama configuration,
Commit (Commit > Commit to Panorama) the reverted
configuration to display the invalid configuration errors.

PAN-111866 The push scope selection on the Panorama web interface


displays incorrectly even though the commit scope displays
as expected. This issue occurs when one administrator makes
configuration changes to separate device groups or templates
that affect multiple firewalls and a different administrator
attempts to push those changes.

PAN-OS® RELEASE NOTES | PAN-OS 9.0 Release Information 69


© 2019 Palo Alto Networks, Inc.
Issue ID Description
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a
Push to Devices operation for the modified device group
and template configurations.
• Manually select the devices that belong to the modified
device group and template configurations.

PAN-111729 If you disable DPDK mode and enable it again, you must immediately reboot the firewall.

PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV adapter.

PAN-110794 DGA-based threats shown in the firewall threat log display the same name for all such instances.

PAN-110603 In some cases, when a port on a PA-7000 Series 100Gbps Network Processor Card (NPC) has an SFP+ transceiver inserted but no cable is connected, the system detects a signal and attempts to tune and link with that port. As a result, if the device at the other end of the connection is rebooted or has an HA failover event, the link is sometimes held down for an extended period of time while the interface attempts to tune itself.
Workaround: Connect a cable to the installed SFP+ transceiver to allow the system to tune and link. Then, when you disconnect the cable, the system will correctly detect that the link is down. Alternatively, remove the SFP+ transceiver from the port.

PAN-109526 The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.

PAN-106989 There is a display-only issue on Panorama that results in a commit failed status for Template Last Commit State (Panorama > Managed Devices > Summary).
Workaround: Push templates to managed devices.

PAN-106675 After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround: Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.

PAN-105210 (Panorama in FIPS mode only when managing non-FIPS firewalls) You cannot configure a GlobalProtect portal on Panorama in FIPS mode when managing a non-FIPS firewall. If you attempt to do so, you will receive the following error message: agent-user-override-key unexpected here Portal_fips.

PAN-104780 If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints. Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.

PAN-103336 (HA configurations only) When you downgrade a VM-Series firewall on Azure from PAN-OS 9.0 to an earlier release, you do not receive warnings. Do not downgrade your firewall without saving and exporting your current configuration.
Workaround: Because HA is not supported in earlier versions of VM-Series firewalls on Azure, to prevent the loss of your configuration:
• Save and export the configuration before you downgrade.
• After you downgrade, load the saved configuration and commit your changes. The firewall will resume operation without the HA configuration.

PAN-103276 Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.

PAN-103018 (Panorama plugins) When you use the AND/OR boolean operators to define the match criteria for Dynamic Address Groups on Panorama, the boolean operators do not function properly. The member IP addresses are not included in the address group as expected.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all.

PAN-101537 After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> | <src> in <object-name>

PAN-99084 (HA configurations running PAN-OS 8.0.9 or a later PAN-OS release) If you disable the high availability (HA) configuration sync option (enabled by default), User-ID data does not sync as expected between HA peers.
Workaround: Re-Enable Config Sync (Device > High Availability > General > Setup settings).

PAN-98803 If you configure the Panorama plugin to monitor virtual machines or endpoints in your AWS, Azure, or Cisco ACI environment without installing the NSX plugin, the IP-address-to-tag mappings for Dynamic Address Groups are not displayed on Panorama.
Workaround: Install the NSX plugin (you do not need to use the NSX plugin for the installation to resolve this display issue).

PAN-98520 When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.

PAN-97757 GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.

PAN-97524 (Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.

PAN-96985 The request shutdown system command does not shut down the Panorama management server.

PAN-96960 You cannot restart or shutdown a Panorama on KVM from the Virtual-manager console or virsh CLI.

PAN-96446 A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.

PAN-95773 On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.

PAN-95717 After 30,000 or more end users log in to the GlobalProtect gateway within a two- to three-hour period, the firewall web interface responds slowly, commits take longer than expected or intermittently fail, and Tech Support File generation times out and fails.

PAN-95602 In a deployment where a Log Collector connects to Panorama management servers in a high availability (HA) configuration, after you switch the Log Collector appliance to Panorama mode, commit operations fail on the appliance.
Workaround: Remove the following node from the running-config.xml file on the Log Collector before switching it to Panorama mode: devices/entry[@name='localhost.localdomain']/deviceconfig/system/panorama-server-2

PAN-95511 The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)

PAN-94966 After you delete disconnected and connected Terminal Server (TS) agents in the same operation, the firewall still displays the IP address-to-port-user mappings (show user ip-port-user-mapping CLI command) for the disconnected TS agents you deleted (Device > User Identification > Terminal Services Agents).
Workaround: Do not delete both disconnected and connected TS agents in the same operation.

PAN-94846 When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.

PAN-94402 Upgrading firewalls from PAN-OS 8.1 to PAN-OS 9.0 causes the loss of user mapping information and therefore disrupts user-based policies in the following HA configurations:
• Active/active (in this example, the primary/secondary peers are firewall1/firewall2)—During the period after you upgrade firewall1 to PAN-OS 9.0 but before you upgrade firewall2, firewall1 loses user mapping information. When you finish upgrading both firewalls to PAN-OS 9.0, HA synchronization restores the lost mapping information on firewall1.
• Active/passive (in this example, the active/passive peers are firewall1/firewall2)—After you upgrade firewall2 to PAN-OS 9.0 but before you upgrade firewall1, firewall2 loses user mapping information but does not enforce policies because it is still in a passive state. However, after you trigger failover by suspending firewall1 (in anticipation of upgrading it), firewall2 becomes the active peer and fails to enforce user-based policies because its mapping information is still missing. After you then upgrade firewall1 and trigger failback, firewall1 resumes enforcing policy and HA synchronization ensures the mapping information is complete on both firewalls.
In both configurations, whichever firewall is missing user mapping information also cannot collect new user mappings through the PAN-OS XML API until you finish upgrading both HA peers.

PAN-94093 HTTP Header Insertion does not work when jumbo frames are received out of order.

PAN-93968 The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.


PAN-93842 The logging status of a Panorama Log Collector deployed on AWS or Azure displays as disconnected when you configure the ethernet1/1 to ethernet1/5 interfaces for log collection (Panorama > Managed Collectors > Interfaces). This results in firewalls not sending logs to the Log Collector.
Workaround: Configure the management (MGT) interface for log collection.

PAN-93607 When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn't list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 9.0 as a Thales HSM client, the web interface on the firewall displays the Thales server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).

PAN-93193 The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
• Switch to the firewall Context on the Panorama management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being installed.
• Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall. Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.

PAN-91802 On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.

PAN-91236 The Panorama management server does not display new logs collected on M-Series Log Collectors because the logging search engine does not register during system startup when logging disk checks and RAID mounting take longer than two hours to complete.


PAN-86903 In rare cases, PA-800 Series firewalls shut themselves down due to a false over-current measurement.

PAN-84488 On PA-7000 Series and PA-5200 Series firewalls, client systems can use a translated IP address-and-port pair for only one connection even if you configure the Dynamic IP and Port (DIPP) NAT Oversubscription Rate to allow multiple connections (Device > Setup > Session > Session Settings > NAT Oversubscription).

PAN-84045 VM-Series firewalls in an HA configuration with Data Plane Development Kit (DPDK) enabled experience HA path monitoring failures and (in active/passive deployments) HA failover.

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.

PAN-83598 VM-Series firewalls cannot monitor more than 500 virtual machine (VM) information sources (Device > VM Information Sources).

PAN-83236 The VM-Series firewall on Google Compute Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto a Thales nShield hardware security module (HSM).

PAN-81521 Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.

PAN-79423 Panorama cannot push address group objects from device groups to managed firewalls when zones specify the objects in the User Identification ACL include or exclude lists (Network > Zones) and the Share Unused Address and Service Objects with Devices option is disabled (Panorama > Setup > Management > Panorama Settings).

PAN-77125 PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don't close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.

PAN-75457 (PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error—the commit fails and the cluster becomes unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.

PAN-73401 (PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
• You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
• You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
• After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
• Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

or

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

Both commands result in Panorama reporting that the controller nodes are in sync.

PAN-71329 Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround: Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).

PAN-41558 When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround: Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.

PAN-40079 The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.

PAN-38255 When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.

PAN-31832 The following issues apply when configuring a firewall to use a hardware security module (HSM):
• Thales nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
• SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.

PAN-25046 Firewalls store SSH host keys used for SCP log exports in the known hosts file. In an HA deployment, PAN-OS synchronizes the SCP log export configuration between the firewall HA peers (Device > Scheduled Log Export), but not the known host file. When a failover occurs, the SCP log export fails.
Workaround: Log in to each peer in HA, select Device > Scheduled Log Export > <log_export_configuration>, and Test SCP server connection to confirm the host key so that SCP log forwarding continues to work after a failover.

PAN-OS 9.0.3 (and 9.0.3-h2 and 9.0.3-h3) Known Issues

The following list includes only outstanding known issues specific to the PAN-OS 9.0.3 maintenance and hotfix releases. This list includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well as known issues that apply more generally or that are not identified by an issue ID. For a complete list of existing and addressed known issues in all PAN-OS 9.0 releases, see the Known Issues Related to PAN-OS 9.0.

Issue ID Description

— Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.

— A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
• When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
• If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50. The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for licensed capacity for the firewall model.

— A Panorama™ management server running PAN-OS® 9.0 does not currently support management of appliances running WildFire 7.1 or earlier releases. Even though these management options are visible on the Panorama 9.0 web interface (Panorama > Managed WildFire Clusters and Panorama > Managed WildFire Appliances), making changes to these settings for appliances running WildFire 7.1 or an earlier release has no effect.

WF500-4200 The Create Date shown when using the show wildfire global sample-status sha256 equal <hash> or show wildfire global sample-analysis CLI command is two hours behind the actual time for WF-500 appliance samples.

PLUG-1854 (PAN-OS 9.0.2 and later releases on AWS and GCP only) You cannot swap the management interface.
This issue is resolved with VM-Series plugin 1.0.3.

PLUG-1827 (Microsoft Azure only) The firewall drops packets due to larger than expected packet sizes when Accelerated networking is enabled on the firewall (Settings > Networking).
This issue is resolved after you upgrade to VM-Series plugin 1.0.3 and reboot the firewall.

PLUG-1709 (Microsoft Azure only) There is an intermittent issue where the secondary IP address becomes associated with the passive firewall after multiple failovers.
This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Reassign IP addresses to the active and passive firewalls in Azure as needed.

PLUG-1694 (PAYG licenses only) Your pay-as-you-go (PAYG) license is not retained when you upgrade from a PAN-OS 8.1 release to a PAN-OS 9.0 release.
Workaround: Upgrade to VM-Series plugin 1.0.2 (or later) after you upgrade to a PAN-OS 9.0 release and then reboot the firewall to recover your PAYG license.

PLUG-1681 If you bootstrap a PAN-OS 9.0.1 image while using VM-Series plugin 1.0.0, the firewall will not apply the capacity license. To downgrade the VM-Series plugin from version 1.0.2 to 1.0.0, first bootstrap the PAN-OS 9.0.1 image and then downgrade the plugin.

PLUG-1642 After a high availability (HA) failover, the dataplane interface on a VM-Series firewall on Azure with Accelerated Networking (SR-IOV) becomes disabled when, as a result of the failover, the secondary IP address is detached from or attached to the firewall and moved to its HA peer.
This issue is resolved with VM-Series plugin 1.0.2.

PLUG-1503 When a VM-Series firewall on AWS running on a C5 or M5 instance experiences a high availability (HA) failover, the dataplane interfaces from the previously active firewall are not moved to the newly active (previously passive) peer.
This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Check for the latest VM-Series plugin version and install the VM-Series plugin 9.0.0 version; the built-in version is 9.0.0-c29.

PLUG-1074 On the VM-Series firewall on AWS, when you change the instance type, the firewall no longer has a serial number or a license. Additionally, if you manage this firewall using Panorama, it is no longer connected to Panorama.

PLUG-380 When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.

PAN-128269 (PA-5250, PA-5260, and PA-5280 firewalls with 100GB AOC cables only) When you upgrade the first peer in a high availability (HA) configuration to PAN-OS 9.0.3 or a later PAN-OS 9.0 release, the High Speed Chassis Interconnect (HSCI) port does not come up due to an FEC mismatch until after you finish upgrading the second peer.

PAN-125775 There is an issue where Panorama management servers deployed using the C5 or M5 instance types on Amazon Web Services (AWS) cause the Panorama instance to stop responding in regions that support these instance types.

PAN-125121 (VM-Series firewalls on AWS only) There is an issue where custom images do not function as expected for PAN-OS 9.0.
Workaround: Use PAN-OS 8.1 for creating custom images.

PAN-124956 There is an issue where VM-Series firewalls do not support packet buffer protection.

PAN-121449 The Remove Config button on Panorama > Plugins does not remove the configuration for any plugins you have set up on Panorama.
Workaround: Manually delete the plugin configuration. Select your plugin on Panorama, clear the values from all fields and Commit your changes.

PAN-120662 (PA-7000 series firewalls using PA-7000-20G-NPC cards only) There is an intermittent issue where an out-of-memory (OOM) condition causes dataplane or internal path monitoring to stop responding.


PAN-120440 There is an issue on M-500 Panorama management servers


where any ethernet interface with an IPv6 address having
Private PAN-DB-URL connectivity only supports the following
format: 2001:DB9:85A3:0:0:8A2E:370:2.

PAN-120303 There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
• Modify the PAN-DB Server IP address on the managed firewall.
1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
2. Commit your changes.
3. Add the new M-500 Eth1/1 IP address as the PAN-DB Server IP address.
4. Commit your changes.
• Restart the firewall (devsrvr) process.
1. Log in to the firewall CLI.
2. Restart the devsrvr process: debug software restart process device-server

PAN-118628 There is an issue where after you deploy Panorama in Azure, you cannot log in to Panorama with the username and password that was provided during the deployment process.

PAN-118525 (PA-5250, PA-5260, PA-5280, and PA-7000 Series firewalls only) There is an issue where the QSFP28 port does not come up with the TR-FC13L-N00 version of the PAN-QSFP28-100GBASE-LR4 optical transceiver on firewalls running a PAN-OS 9.0 release. For assistance, please contact Support.

PAN-118414 (PAN-OS 9.0.2 and later releases only) There is an intermittent issue where a Panorama management server managing Prisma Access or Cortex Data Lake fails to authorize one-time-password (OTP) submissions during the onboarding process.
Workaround: Downgrade to PAN-OS 9.0.1.

PAN-118108 There is an issue where an API call against a Panorama management server that triggers the request analyze-shared-policy command causes Panorama to reboot after you execute the command.

PAN-117424 PA-220 and PA-800 Series firewalls do not support Cortex Data Lake logging without Panorama—for these firewalls, continue to use Panorama to enable Cortex Data Lake logging.

PAN-117043 There is an issue on the Panorama management server and all supported firewalls where special characters in the tag names of Security policy rules return the following error message when you commit or push a configuration: group-tag is invalid
Workaround: Modify the tags and group tags (Objects > Tags) to exclude special characters.
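A pre-commit check for this issue, added here as an example and not taken from the release notes or from PAN-OS itself: a Python script that walks an exported Panorama configuration, collects every tag definition, every tag reference on a rule and every group-tag value, and reports the names that contain characters outside a conservative set. The release note does not state which characters the commit validator treats as special, so the allowed set (letters, digits, space, period, hyphen, underscore) is an assumption of the example; the configuration fragment and the tag names in it are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Conservative character set assumed for this check: the release note does not
# list which characters the commit validator rejects, so anything outside
# letters, digits, space, period, hyphen and underscore is reported for review.
SAFE_TAG_NAME = re.compile(r"^[A-Za-z0-9 ._-]+$")

# Constructed Panorama configuration fragment (not a real export). It defines
# two shared tags and one post-rule that references a tag and sets a group tag.
SAMPLE_CONFIG = """<config version="9.0.0">
  <shared>
    <tag>
      <entry name="prod-web"><color>color1</color></entry>
      <entry name="dmz/east"><color>color2</color></entry>
    </tag>
  </shared>
  <devices>
    <entry name="localhost.localdomain">
      <device-group>
        <entry name="branch-dg">
          <post-rulebase>
            <security>
              <rules>
                <entry name="allow-web">
                  <tag><member>prod-web</member></tag>
                  <group-tag>web&amp;api</group-tag>
                </entry>
              </rules>
            </security>
          </post-rulebase>
        </entry>
      </device-group>
    </entry>
  </devices>
</config>
"""


def collect_tag_names(xml_text):
    """Yield (kind, name) for every tag definition, tag reference and group tag.

    Tag definitions are <tag><entry name="..."/></tag> containers anywhere in
    the tree (shared, vsys or device group); references are <tag><member>
    elements on rules; group tags are <group-tag> text on rules.
    """
    root = ET.fromstring(xml_text)
    for tag_container in root.iter("tag"):
        for entry in tag_container.findall("entry"):
            yield "tag-definition", entry.get("name", "")
        for member in tag_container.findall("member"):
            yield "tag-reference", member.text or ""
    for group_tag in root.iter("group-tag"):
        yield "group-tag", group_tag.text or ""


def find_tags_with_special_chars(xml_text):
    """Return a sorted, de-duplicated list of (kind, name) that fail the check."""
    flagged = {
        (kind, name)
        for kind, name in collect_tag_names(xml_text)
        if not SAFE_TAG_NAME.match(name)
    }
    return sorted(flagged)


if __name__ == "__main__":
    # Point this at a saved configuration export to lint it before a push.
    for kind, name in find_tags_with_special_chars(SAMPLE_CONFIG):
        print("%-15s %r" % (kind, name))
```

Run against the constructed fragment, the check reports the shared tag `dmz/east` and the group tag `web&api`; `prod-web` passes both as a definition and as a rule reference. Names flagged this way are candidates to rename under Objects > Tags before the next commit or push.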

PAN-116436 (Panorama virtual appliances only) There is a disk space calculation error that eventually leads to an erroneous opt/panlogs/ partition full condition and causes a process (CDB) to stop responding.

PAN-116069 (PA-200 firewalls only) There is a rare out-of-memory (OOM) condition.

PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add the DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.

PAN-115816 (Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.

PAN-115733 (PAN-OS firewalls in an HA configuration only) There is a rare issue where data interfaces do not come up after you reboot the firewall when running a C5 or M5 instance type in AWS.
Workaround: Reboot the firewall.

PAN-114495 Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.

PAN-113501 The Panorama management server returns a Secure Copy (SCP) server connection error after you create an SCP Scheduled Config Export profile (Panorama > Scheduled Config Export) due to the SCP server password exceeding 15 characters in length.

PAN-113098 In the firewall web interface, you can temporarily submit change requests for the following URL categories: insufficient-content, high-risk, medium-risk, low-risk, and newly-registered-domains. However, Palo Alto Networks does not support or process change requests for these categories.

PAN-112983 (Firewalls with multiple virtual systems only; no impact to Panorama) If you select any Location other than Shared when you generate or import a new CA Certificate in a Certificate Profile (Device > Certificate Management > Certificate Profile), the firewall adds the newly generated or imported certificate to vsys1. For example, if you specify vsys3 as the Location, Add a CA Certificate, and then Generate a new certificate, the firewall adds the certificate to vsys1 instead of vsys3. When you click OK to configure the Certificate Profile, the firewall returns an Operation Failed error message because it sees a certificate for vsys1 added to vsys3.
Workaround 1:
1. Generate or import the new certificate in a Certificate Profile (Device > Certificate Management > Certificates > Device Certificates) and select the appropriate vsys Location when you generate or import the certificate.
2. When you create or edit the Certificate Profile, specify the vsys Location and Add the certificate that you generated (or imported) from the list of existing certificates.
Workaround 2: When you generate or import a new certificate when you configure a Certificate Profile for a vsys other than vsys1, specify the Location as Shared.

PAN-112694 (Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.

PAN-112626 When you upgrade to PAN-OS 9.0 with a PAYG Bundle 2 license, the new DNS Security subscription is not available on your VM-Series firewall. This subscription is included with the BYOL and VM-Series ELA when you upgrade.

PAN-112562 The Log Forwarding Card (LFC) subinterface incorrectly uses the interface IP address instead of the subinterface IP address for all services that forward logs (such as syslog, email, and SNMP) for selected virtual systems.

PAN-112456 You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories, so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.

PAN-112340 If you enable URL Filtering without enabling Threat Prevention and your environment processes a large number (thousands) of URL look-ups per second per dataplane, you are likely to experience performance issues, including high CPU usage.

PAN-111928 Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.

PAN-111866 The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
• Manually select the devices that belong to the modified device group and template configurations.

PAN-111729 If you disable DPDK mode and enable it again, you must immediately reboot the firewall.

PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV adapter.

PAN-110794 DGA-based threats shown in the firewall threat log display the same name for all such instances.

PAN-110603 In some cases, when a port on a PA-7000 Series 100Gbps Network Processor Card (NPC) has an SFP+ transceiver inserted but no cable is connected, the system detects a signal and attempts to tune and link with that port. As a result, if the device at the other end of the connection is rebooted or has an HA failover event, the link is sometimes held down for an extended period of time while the interface attempts to tune itself.
Workaround: Connect a cable to the installed SFP+ transceiver to allow the system to tune and link. Then, when you disconnect the cable, the system will correctly detect that the link is down. Alternatively, remove the SFP+ transceiver from the port.

PAN-109526 The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.

PAN-106989 There is a display-only issue on Panorama that results in a commit failed status for Template Last Commit State (Panorama > Managed Devices > Summary).
Workaround: Push templates to managed devices.

PAN-106675 After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround: Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.

PAN-105210 (Panorama in FIPS mode only when managing non-FIPS firewalls) You cannot configure a GlobalProtect portal on Panorama in FIPS mode when managing a non-FIPS firewall. If you attempt to do so, you will receive the following error message: agent-user-override-key unexpected here Portal_fips.

PAN-104808 There is an issue where scheduled SaaS reports generate and email empty PDF reports.
Workaround: Manually generate the report from the Panorama web interface.

PAN-104780 If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints. Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.

PAN-103336 (HA configurations only) When you downgrade a VM-Series firewall on Azure from PAN-OS 9.0 to an earlier release, you do not receive warnings. Do not downgrade your firewall without saving and exporting your current configuration.
Workaround: Because HA is not supported in earlier versions of VM-Series firewalls on Azure, to prevent the loss of your configuration:
• Save and export the configuration before you downgrade.
• After you downgrade, load the saved configuration and commit your changes. The firewall will resume operation without the HA configuration.

PAN-103276 Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.

PAN-103018 (Panorama plugins) When you use the AND/OR boolean operators to define the match criteria for Dynamic Address Groups on Panorama, the boolean operators do not function properly. The member IP addresses are not included in the address group as expected.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all.

PAN-101537 After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> | <src> in <object-name>

PAN-99084 (HA configurations running PAN-OS 8.0.9 or a later PAN-OS release) If you disable the high availability (HA) configuration sync option (enabled by default), User-ID data does not sync as expected between HA peers.
Workaround: Re-Enable Config Sync (Device > High Availability > General > Setup settings).

PAN-98803 If you configure the Panorama plugin to monitor virtual machines or endpoints in your AWS, Azure, or Cisco ACI environment without installing the NSX plugin, the IP-address-to-tag mappings for Dynamic Address Groups are not displayed on Panorama.
Workaround: Install the NSX plugin (you do not need to use the NSX plugin for the installation to resolve this display issue).

PAN-98520 When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.

PAN-97757 GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.

PAN-97524 (Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.

PAN-96985 The request shutdown system command does not shut down the Panorama management server.

PAN-96960 You cannot restart or shut down a Panorama on KVM from the Virtual-manager console or the virsh CLI.

PAN-96446 A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.

PAN-95773 On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.

PAN-95717 After 30,000 or more end users log in to the GlobalProtect gateway within a two- to three-hour period, the firewall web interface responds slowly, commits take longer than expected or intermittently fail, and Tech Support File generation times out and fails.

PAN-95602 In a deployment where a Log Collector connects to Panorama management servers in a high availability (HA) configuration, after you switch the Log Collector appliance to Panorama mode, commit operations fail on the appliance.
Workaround: Remove the following node from the running-config.xml file on the Log Collector before switching it to Panorama mode: devices/entry[@name='localhost.localdomain']/deviceconfig/system/panorama-server-2
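The node removal in this workaround, added here as an example and not taken from the release notes or from PAN-OS itself: a Python script that loads a running-config.xml, deletes the panorama-server-2 node at the path named above, and writes the result back. The configuration embedded below is constructed for the example and contains only the nodes the script touches; the hostname and the 192.0.2.x addresses are placeholders, not values from a real deployment.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of a Log Collector running-config.xml.
# Only the nodes this example touches are included; the hostname and the
# 192.0.2.x addresses are placeholders, not values from a real deployment.
SAMPLE_RUNNING_CONFIG = """<?xml version="1.0"?>
<config version="9.0.0">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <hostname>lc-01</hostname>
          <panorama-server>192.0.2.10</panorama-server>
          <panorama-server-2>192.0.2.11</panorama-server-2>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""

# Path from the workaround, relative to the <config> root element.
SYSTEM_PATH = "devices/entry[@name='localhost.localdomain']/deviceconfig/system"
NODE_NAME = "panorama-server-2"


def secondary_panorama_servers(xml_text):
    """Return the text of every panorama-server-2 node at the workaround path."""
    root = ET.fromstring(xml_text)
    return [node.text for node in root.findall(SYSTEM_PATH + "/" + NODE_NAME)]


def remove_secondary_panorama(xml_text):
    """Delete panorama-server-2 under the workaround path.

    Returns (new_xml_text, removed_count). The primary panorama-server node
    and everything else in the document are left untouched, so running this
    twice is harmless: the second run removes nothing.
    """
    root = ET.fromstring(xml_text)
    removed = 0
    # ElementTree removes a child through its parent, so locate <system> first.
    for system in root.findall(SYSTEM_PATH):
        for node in system.findall(NODE_NAME):
            system.remove(node)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def main(argv):
    """Usage: python script.py running-config.xml  (rewrites the file in place).

    Without an argument the script runs against the constructed sample.
    """
    if len(argv) != 2:
        new_xml, removed = remove_secondary_panorama(SAMPLE_RUNNING_CONFIG)
        print("demo on constructed sample: removed %d node(s)" % removed)
        print(new_xml)
        return 0
    path = argv[1]
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    new_xml, removed = remove_secondary_panorama(original)
    if removed == 0:
        print("no %s node found; file left unchanged" % NODE_NAME)
        return 1
    with open(path, "w", encoding="utf-8") as fh:
        # ET.tostring(encoding="unicode") drops the XML declaration; restore it.
        fh.write('<?xml version="1.0"?>\n' + new_xml)
    print("removed %d node(s) from %s" % (removed, path))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keep a copy of the original file before rewriting it, and check that the primary panorama-server node is still present afterwards; the script only ever touches the secondary node at the exact path the workaround names.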

PAN-95511 The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)

PAN-94966 After you delete disconnected and connected Terminal Server (TS) agents in the same operation, the firewall still displays the IP address-to-port-user mappings (show user ip-port-user-mapping CLI command) for the disconnected TS agents you deleted (Device > User Identification > Terminal Services Agents).
Workaround: Do not delete both disconnected and connected TS agents in the same operation.

PAN-94846 When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.

PAN-94402 Upgrading firewalls from PAN-OS 8.1 to PAN-OS 9.0 causes the loss of user mapping information and therefore disrupts user-based policies in the following HA configurations:
• Active/active (in this example, the primary/secondary peers are firewall1/firewall2)—During the period after you upgrade firewall1 to PAN-OS 9.0 but before you upgrade firewall2, firewall1 loses user mapping information. When you finish upgrading both firewalls to PAN-OS 9.0, HA synchronization restores the lost mapping information on firewall1.
• Active/passive (in this example, the active/passive peers are firewall1/firewall2)—After you upgrade firewall2 to PAN-OS 9.0 but before you upgrade firewall1, firewall2 loses user mapping information but does not enforce policies because it is still in a passive state. However, after you trigger failover by suspending firewall1 (in anticipation of upgrading it), firewall2 becomes the active peer and fails to enforce user-based policies because its mapping information is still missing. After you then upgrade firewall1 and trigger failback, firewall1 resumes enforcing policy and HA synchronization ensures the mapping information is complete on both firewalls.
In both configurations, whichever firewall is missing user mapping information also cannot collect new user mappings through the PAN-OS XML API until you finish upgrading both HA peers.

PAN-94093 HTTP Header Insertion does not work when jumbo frames are received out of order.

PAN-93968 The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.

PAN-93842 The logging status of a Panorama Log Collector deployed on AWS or Azure displays as disconnected when you configure the ethernet1/1 to ethernet1/5 interfaces for log collection (Panorama > Managed Collectors > Interfaces). This results in firewalls not sending logs to the Log Collector.
Workaround: Configure the management (MGT) interface for log collection.

PAN-93607 When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn't list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 9.0 as a Thales HSM client, the web interface on the firewall displays the Thales server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).

PAN-93193 The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
• Switch to the firewall Context on the Panorama management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being installed.
• Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.

PAN-91802 On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.

PAN-91236 The Panorama management server does not display new logs collected on M-Series Log Collectors because the logging search engine does not register during system startup when logging disk checks and RAID mounting take longer than two hours to complete.

PAN-86903 In rare cases, PA-800 Series firewalls shut themselves down due to a false over-current measurement.

PAN-84670 When you disable decryption for HTTPS traffic, end users who don't have valid authentication timestamps can access HTTPS services and applications regardless of Authentication policy.
Workaround: Create a Security policy rule that blocks HTTPS traffic that is not decrypted.

PAN-84488 On PA-7000 Series and PA-5200 Series firewalls, client systems can use a translated IP address-and-port pair for only one connection even if you configure the Dynamic IP and Port (DIPP) NAT Oversubscription Rate to allow multiple connections (Device > Setup > Session > Session Settings > NAT Oversubscription).

PAN-84045 VM-Series firewalls in an HA configuration with Data Plane Development Kit (DPDK) enabled experience HA path monitoring failures and (in active/passive deployments) HA failover.

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.

PAN-83598 VM-Series firewalls cannot monitor more than 500 virtual machine (VM) information sources (Device > VM Information Sources).

PAN-83236 The VM-Series firewall on Google Compute Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto a Thales nShield hardware security module (HSM).

PAN-81521 Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.

PAN-79423 Panorama cannot push address group objects from device groups to managed firewalls when zones specify the objects in the User Identification ACL include or exclude lists (Network > Zones) and the Share Unused Address and Service Objects with Devices option is disabled (Panorama > Setup > Management > Panorama Settings).

PAN-77125 PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don't close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.

PAN-75457 (PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error—the commit fails and the cluster becomes unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.

PAN-73401 (PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
• You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
• You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
• After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
• Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

or

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

Both commands result in Panorama reporting that the controller nodes are in sync.

PAN-71329 Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround: Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).

PAN-41558 When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround: Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.

PAN-40079 The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.

PAN-38255 When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.

PAN-31832 The following issues apply when configuring a firewall to use a hardware security module (HSM):
• Thales nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
• SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.

PAN-25046 Firewalls store SSH host keys used for SCP log exports in the known hosts file. In an HA deployment, PAN-OS synchronizes the SCP log export configuration between the firewall HA peers (Device > Scheduled Log Export), but not the known host file. When a failover occurs, the SCP log export fails.
Workaround: Log in to each peer in HA, select Device > Scheduled Log Export > <log_export_configuration>, and Test SCP server connection to confirm the host key so that SCP log forwarding continues to work after a failover.

PAN-OS 9.0.2 (and 9.0.2-h4) Known Issues
The following list includes only outstanding known issues specific to PAN-OS 9.0.2 (and PAN-OS 9.0.2-h4).
This list includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins, and WildFire®, as well
as known issues that apply more generally or that are not identified by an issue ID. For a complete list of
existing and addressed known issues in all PAN-OS 9.0 releases, see the Known Issues Related to PAN-OS
9.0.

Issue ID Description

— Upgrading Panorama with a local Log Collector and Dedicated
Log Collectors to PAN-OS 8.1 or a later PAN-OS release
can take up to six hours to complete due to significant
infrastructure changes. Ensure uninterrupted power to all
appliances throughout the upgrade process.

— A critical System log is generated on the VM-Series firewall
if the minimum memory requirement for the model is not
available.
• When the memory allocated is less than 4.5GB, you
cannot upgrade the firewall. The following error message
displays: Failed to install 9.0.0 with the
following error: VM-50 in 9.0.0 requires
5.5GB memory, VM-50 Lite requires 4.5GB
memory.Please configure this VM with enough
memory before upgrading.
• If the memory allocation is more than 4.5GB but less than
the licensed capacity requirement for the model, it will
default to the capacity associated with the VM-50.
The System log message System capacity adjusted
to VM-50 capacity due to insufficient
memory for VM-<xxx> license indicates that you
must allocate the additional memory required for licensed
capacity for the firewall model.

— A Panorama™ management server running PAN-OS® 9.0
does not currently support management of appliances
running WildFire 7.1 or earlier releases. Even though these
management options are visible on the Panorama 9.0 web
interface (Panorama > Managed WildFire Clusters and
Panorama > Managed WildFire Appliances), making changes
to these settings for appliances running WildFire 7.1 or an
earlier release has no effect.

WF500-4200 The Create Date shown when using the
show wildfire global sample-status sha256 equal <hash>
or show wildfire global sample-analysis CLI command is
two hours behind the actual time for WF-500 appliance samples.

PLUG-1854 (PAN-OS 9.0.2 and later releases on AWS and GCP only) You
cannot swap the management interface.
This issue is resolved with VM-Series plugin 1.0.3.

PLUG-1827 (Microsoft Azure only) The firewall drops packets due to larger
than expected packet sizes when Accelerated networking is
enabled on the firewall (Settings > Networking).
This issue is resolved after you upgrade to VM-Series plugin 1.0.3 and
reboot the firewall.

PLUG-1709 (Microsoft Azure only) There is an intermittent issue where
the secondary IP address becomes associated with the passive
firewall after multiple failovers.
This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Reassign IP addresses to the active and passive
firewalls in Azure as needed.

PLUG-1694 (PAYG licenses only) Your pay-as-you-go (PAYG) license is not
retained when you upgrade from a PAN-OS 8.1 release to a
PAN-OS 9.0 release.
Workaround: Upgrade to VM-Series plugin 1.0.2 (or later)
after you upgrade to a PAN-OS 9.0 release and then reboot
the firewall to recover your PAYG license.

PLUG-1681 If you bootstrap a PAN-OS 9.0.1 image while using VM-Series
plugin 1.0.0, the firewall will not apply the capacity license. To
downgrade the VM-Series plugin from version 1.0.2 to 1.0.0,
first bootstrap the PAN-OS 9.0.1 image and then downgrade
the plugin.

PLUG-1642 After a high availability (HA) failover, the dataplane interface
on a VM-Series firewall on Azure with Accelerated Networking
(SR-IOV) becomes disabled when, as a result of the failover,
the secondary IP address is detached from or attached to the
firewall and moved to its HA peer.
This issue is resolved with VM-Series plugin 1.0.2.

PLUG-1503 When a VM-Series firewall on AWS running on a C5 or M5
instance experiences a high availability (HA) failover, the
dataplane interfaces from the previously active firewall are not
moved to the newly active (previously passive) peer.
This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Check for the latest VM-Series plugin version
and install the VM-Series plugin 9.0.0 version; the built-in
version is 9.0.0-c29.

PLUG-1074 On the VM-Series firewall on AWS, when you change the
instance type, the firewall no longer has a serial number
or a license. Additionally, if you manage this firewall using
Panorama, it is no longer connected to Panorama.

PLUG-380 When you rename a device group, template, or template stack
in Panorama that is part of a VMware NSX service definition,
the new name is not reflected in NSX Manager. Therefore, any
ESXi hosts that you add to a vSphere cluster are not added to
the correct device group, template, or template stack and your
Security policy is not pushed to VM-Series firewalls that you
deploy after you rename those objects. There is no impact to
existing VM-Series firewalls.

PAN-125775 There is an issue where Panorama management servers
deployed using the C5 or M5 instance types on Amazon
Web Services (AWS) cause the Panorama instance to stop
responding in regions that support these instance types.

PAN-125121 (VM-Series firewalls on AWS only) There is an issue where
custom images do not function as expected for PAN-OS 9.0.
Workaround: Use PAN-OS 8.1 for creating custom images.

PAN-124956 There is an issue where VM-Series firewalls do not support
packet buffer protection.

PAN-120662 (PA-7000 series firewalls using PA-7000-20G-NPC cards only)
There is an intermittent issue where an out-of-memory (OOM)
condition causes dataplane or internal path monitoring to stop
responding.

PAN-120440 There is an issue on M-500 Panorama management servers
where any ethernet interface with an IPv6 address having
Private PAN-DB-URL connectivity only supports the following
format: 2001:DB9:85A3:0:0:8A2E:370:2.

PAN-120303 There is an issue where the firewall remains connected to the
PAN-DB-URL server through the old management IP address
on the M-500 Panorama management server, even when you
configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the
firewall using one of the methods below.
• Modify the PAN-DB Server IP address on the managed
firewall.
1. On the web interface, delete the PAN-DB Server IP
address (Device > Setup > Content ID > URL Filtering
settings).
2. Commit your changes.
3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
4. Commit your changes.
• Restart the firewall (devsrvr) process.
1. Log in to the firewall CLI.
2. Restart the devsrvr process: debug software
restart process device-server

PAN-118628 There is an issue where after you deploy Panorama in Azure,
you cannot log in to Panorama with the username and
password that was provided during the deployment process.

PAN-118525 (PA-5250, PA-5260, PA-5280, and PA-7000 Series firewalls
only) There is an issue where the QSFP28 port does not
come up with the TR-FC13L-N00 version of the PAN-
QSFP28-100GBASE-LR4 optical transceiver on firewalls
running a PAN-OS 9.0 release. For assistance, please contact
Support.

PAN-118414 (PAN-OS 9.0.2 and later releases only) There is an intermittent
issue where a Panorama management server managing
Prisma Access or Cortex Data Lake fails to authorize one-time-
password (OTP) submissions during the onboarding process.
Workaround: Downgrade to PAN-OS 9.0.1.

PAN-118108 There is an issue where an API call against a Panorama
management server that triggers the request analyze-
shared-policy command causes Panorama to reboot after
you execute the command.

PAN-117424 Cortex Data Lake without Panorama—where we removed
Panorama as a requirement to send logs to Cortex Data
Lake—was introduced in PAN-OS 9.0.2, and was not initially
supported for PA-220 and PA-800 Series firewalls. This issue
details an update we made to support this feature across all
firewall platforms. If you successfully onboarded the firewall
to Cortex Data Lake before PAN-OS 9.0.3 released, this issue
does not impact you. But following the release of PAN-OS
9.0.3, this feature is no longer supported in PAN-OS 9.0.2. If
this is a feature you would like to implement, you’ll need to
upgrade to PAN-OS 9.0.3. Here’s how you can get started
with Cortex Data Lake now.
This issue is now resolved. See PAN-OS 9.0.3 Addressed Issues.

PAN-117043 There is an issue on the Panorama management server and all
supported firewalls where special characters contained in the
tag names of the Security policy rules return the following
error message: group-tag is invalid when you commit
or push a configuration.
Workaround: Modify the tags and group tags (Objects > Tags)
to exclude special characters.

PAN-116436 (Panorama virtual appliances only) There is a disk space
calculation error that eventually leads to an erroneous opt/
panlogs/ partition full condition and causes a process (CDB) to
stop responding.

PAN-116069 (PA-200 firewalls only) There is a rare out-of-memory (OOM)
condition.

PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not
accept the DNS value from the initial configuration (init-cfg)
file when you bootstrap the firewall.
Workaround: Add the DNS value as part of the bootstrap.xml in
the bootstrap folder and complete the bootstrap process.

PAN-115816 (Microsoft Azure only) There is an intermittent issue where
an Ethernet (eth1) interface does not come up when you first
boot up the firewall.
Workaround: Reboot the firewall.

PAN-115733 (PAN-OS firewalls in an HA configuration only) There is a rare
issue where data interfaces do not come up after you reboot
the firewall when running a C5 or M5 instance type in AWS.
Workaround: Reboot the firewall.

PAN-114495 Alibaba Cloud runs on a KVM hypervisor and supports two
Virtio modes: DPDK (default) and MMAP. If you deploy a VM-
Series firewall running PAN-OS 9.0 in DPDK packet mode
and you then switch to MMAP packet mode, the VM-Series
firewall duplicates packets that originate from or terminate
on the firewall. As an example, if a load balancer or a server
behind the firewall pings the VM-Series firewall after you
switch from DPDK packet mode to MMAP packet mode, the
firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-
Series firewall using MMAP packet mode.

PAN-113501 The Panorama management server returns a Secure Copy
(SCP) server connection error after you create an SCP
Scheduled Config Export profile (Panorama > Scheduled
Config Export) due to the SCP server password exceeding 15
characters in length.

PAN-113117 A newly launched firewall does not get its configuration from
Panorama when it first connects if you installed the VM-Series
plugin on Panorama. When a newly launched firewall that is
bootstrapped connects to Panorama, a process restart occurs
on Panorama. Upon restart, you are logged out of the user
interface and you need to log in and push the device group
and template configuration to the newly connected firewall.

PAN-113098 In the firewall web interface, you can temporarily submit
change requests for the following URL categories: insufficient-
content, high-risk, medium-risk, low-risk, and newly-
registered-domains. However, Palo Alto Networks does not
support or process change requests for these categories.

PAN-112983 (Firewalls with multiple virtual systems only; no impact to
Panorama) If you select any Location other than Shared when
you generate or import a new CA Certificate in a Certificate
Profile (Device > Certificate Management > Certificate
Profile), the firewall adds the newly generated or imported
certificate to vsys1. For example, if you specify vsys3 as the
Location, Add a CA Certificate, and then Generate a new
certificate, the firewall adds the certificate to vsys1 instead of
vsys3. When you click OK to configure the Certificate Profile,
the firewall returns an Operation Failed error message
because it sees a certificate for vsys1 added to vsys3.
Workaround 1:
1. Generate or import the new certificate in a Certificate
Profile (Device > Certificate Management > Certificates >
Device Certificates) and select the appropriate vsys
Location when you generate or import the certificate.
2. When you create or edit the Certificate Profile, specify the
vsys Location and Add the certificate that you generated
(or imported) from the list of existing certificates.
Workaround 2: When you generate or import a new
certificate when you configure a Certificate Profile for a vsys
other than vsys1, specify the Location as Shared.

PAN-112694 (Firewalls with multiple virtual systems only) If you configure
dynamic DNS (DDNS) on a new interface (associated with
vsys1 or another virtual system) and you then create a
New Certificate Profile from the drop-down, you must set
the location for the Certificate Profile to Shared. If you
configure DDNS on an existing interface and then create a
new Certificate Profile, we also recommend that you choose
the Shared location instead of a specific virtual system.
Alternatively, you can select a preexisting certificate profile
instead of creating a new one.

PAN-112562 The Log Forwarding Card (LFC) subinterface incorrectly uses
the interface IP address instead of the subinterface IP address
for all services that forward logs (such as syslog, email, and
SNMP) for selected virtual systems.

PAN-112456 You can temporarily submit a change request for a URL
Category with more than two suggested categories. However,
we support only two suggested categories, so add no more
than two suggested categories to a change request until we
address this issue. If you submit more than two suggested
categories, we will use only the first two categories you enter.

PAN-112340 If you enable URL Filtering without enabling Threat Prevention
and your environment processes a large number (thousands)
of URL look-ups per second per dataplane, you are likely to
experience performance issues, including high CPU usage.

PAN-111928 Invalid configuration errors are not displayed as expected
when you revert a Panorama management server
configuration.
Workaround: After you revert the Panorama configuration,
Commit (Commit > Commit to Panorama) the reverted
configuration to display the invalid configuration errors.

PAN-111866 The push scope selection on the Panorama web interface
displays incorrectly even though the commit scope displays
as expected. This issue occurs when one administrator makes
configuration changes to separate device groups or templates
that affect multiple firewalls and a different administrator
attempts to push those changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a
Push to Devices operation for the modified device group
and template configurations.
• Manually select the devices that belong to the modified
device group and template configurations.

PAN-111729 If you disable DPDK mode and enable it again, you must
immediately reboot the firewall.

PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV
adapter.

PAN-110794 DGA-based threats shown in the firewall threat log display the
same name for all such instances.

PAN-110603 In some cases, when a port on a PA-7000 Series 100Gbps
Network Processor Card (NPC) has an SFP+ transceiver
inserted but no cable is connected, the system detects a signal
and attempts to tune and link with that port. As a result, if the
device at the other end of the connection is rebooted or has
an HA failover event, the link is sometimes held down for an
extended period of time while the interface attempts to tune
itself.
Workaround: Connect a cable to the installed SFP+
transceiver to allow the system to tune and link. Then, when
you disconnect the cable, the system will correctly detect that
the link is down. Alternatively, remove the SFP+ transceiver
from the port.

PAN-109526 The system log does not correctly display the URL for CRL
files; instead, the URLs are displayed with encoded characters.

PAN-106989 There is a display-only issue on Panorama that results in a
commit failed status for Template Last Commit State
(Panorama > Managed Devices > Summary).
Workaround: Push templates to managed devices.

PAN-106675 After upgrading the Panorama management server to PAN-OS
8.1 or a later release, predefined reports do not display a list of
top attackers.
Workaround: Create new threat summary reports (Monitor >
PDF Reports > Manage PDF Summary) containing the top
attackers to mimic the predefined reports.

PAN-105210 (Panorama in FIPS mode only when managing non-FIPS
firewalls) You cannot configure a GlobalProtect portal on
Panorama in FIPS mode when managing a non-FIPS firewall.
If you attempt to do so, you will receive the following error
message: agent-user-override-key unexpected
here Portal_fips.

PAN-104808 There is an issue where scheduled SaaS reports generate and
email empty PDF reports.
Workaround: Manually generate the report from the
Panorama web interface.

PAN-104780 If you configure a HIP object to match only when a connecting
endpoint is managed (Objects > GlobalProtect > HIP
Objects > <hip-object> > General > Managed), iOS and
Android endpoints that are managed by AirWatch are unable
to successfully match the HIP object and the HIP report
incorrectly indicates that these endpoints are not managed.
This issue occurs because GlobalProtect gateways cannot
correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch
are unable to match HIP objects based on the endpoint serial
number because GlobalProtect gateways cannot identify the
serial numbers of these endpoints; these serial numbers do not
appear in the HIP report.

PAN-103336 (HA configurations only) When you downgrade a VM-Series
firewall on Azure from PAN-OS 9.0 to an earlier release, you
do not receive warnings. Do not downgrade your firewall
without saving and exporting your current configuration.
Workaround: Because HA is not supported in earlier versions
of VM-Series firewalls on Azure, to prevent the loss of your
configuration:
• Save and export the configuration before you downgrade.
• After you downgrade, load the saved configuration and
commit your changes. The firewall will resume operation
without the HA configuration.

PAN-103276 Adding a disk to a virtual appliance running Panorama 8.1
or a later release on VMware ESXi 6.5 update1 causes the
Panorama virtual appliance and host web client to become
unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and
add the disk again.

PAN-103018 (Panorama plugins) When you use the AND/OR boolean
operators to define the match criteria for Dynamic Address
Groups on Panorama, the boolean operators do not function
properly. The member IP addresses are not included in the
address group as expected.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping information
registered on a firewall or virtual system is not deleted when
you remove the firewall or virtual system from a Device
Group.
Workaround: Log in to the CLI on the firewall and enter
the following command to unregister the IP address-to-tag
mappings: debug object registered-ip clear all.

PAN-101537 After you configure and push address and address group
objects in Shared and vsys-specific device groups from
the Panorama management server to managed firewalls,
executing the show log <log-type> direction equal
<direction> <dst> | <src> in <object-name>
command on a managed firewall only returns address and
address group objects pushed from the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal
<direction> query equal 'vsys eq <vsys-name>'
<dst> | <src> in <object-name>

PAN-99084 (HA configurations running PAN-OS 8.0.9 or a later PAN-OS
release) If you disable the high availability (HA) configuration
sync option (enabled by default), User-ID data does not sync
as expected between HA peers.
Workaround: Re-enable Config Sync (Device > High
Availability > General > Setup settings).

PAN-98803 If you configure the Panorama plugin to monitor virtual
machines or endpoints in your AWS, Azure, or Cisco ACI
environment without installing the NSX plugin, the IP-
address-to-tag mappings for Dynamic Address Groups are not
displayed on Panorama.
Workaround: Install the NSX plugin (you do not need to use
the NSX plugin for the installation to resolve this display issue).

PAN-98520 When booting or rebooting a PA-7000 Series Firewall with the
SMC-B installed, the BIOS console output displays attempts to
connect to the card's controller in the System Memory Speed
section. The messages can be ignored.

PAN-97757 GlobalProtect authentication fails with an Invalid
username/password error (because the user is not found
in Allow List) after you enable GlobalProtect authentication
cookies and add a RADIUS group to the Allow List of the
authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies.
Alternatively, disable (clear) Retrieve user group from RADIUS
in the authentication profile and configure group mapping
from Active Directory (AD) through LDAP.

PAN-97524 (Panorama management server only) The Security Zone and
Virtual System columns (Network tab) display None after a
Device Group and Template administrator with read-only
privileges performs a context switch.

PAN-96985 The request shutdown system command does not shut
down the Panorama management server.

PAN-96960 You cannot restart or shut down a Panorama on KVM from the
virt-manager console or virsh CLI.

PAN-96446 A firewall that is not included in a Collector Group fails to
generate a system log if logs are dropped when forwarded to a
Panorama management server that is running in Management
Only mode.

PAN-95773 On VM-Series firewalls that have Data Plane Development Kit
(DPDK) enabled and that use the i40e network interface card
(NIC), the show session info CLI command displays an
inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system
setting dpdk-pkt-io off CLI command.

PAN-95717 After 30,000 or more end users log in to the GlobalProtect
gateway within a two- to three-hour period, the firewall web
interface responds slowly, commits take longer than expected
or intermittently fail, and Tech Support File generation times
out and fails.

PAN-95602 In a deployment where a Log Collector connects to Panorama
management servers in a high availability (HA) configuration,
after you switch the Log Collector appliance to Panorama
mode, commit operations fail on the appliance.
Workaround: Remove the following node from
the running-config.xml file on the Log Collector
before switching it to Panorama mode: devices/
entry[@name='localhost.localdomain']/
deviceconfig/system/panorama-server-2
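As an added example that is not part of these release notes, the following Python removes the node named in the PAN-95602 workaround from a constructed running-config.xml fragment; everything in the sample other than the XPath itself (hostname, addresses, sibling elements) is an assumption.

```python
from typing import Tuple
import xml.etree.ElementTree as ET

# Constructed sample of the part of a Log Collector running-config.xml that the
# PAN-95602 workaround touches. Hostname and addresses are made-up placeholders;
# the <panorama-server-2> node is the one the workaround says to remove.
SAMPLE_RUNNING_CONFIG = """<config version="9.0.0">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <hostname>log-collector-1</hostname>
          <panorama-server>198.51.100.10</panorama-server>
          <panorama-server-2>198.51.100.11</panorama-server-2>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""

# XPath given in the PAN-95602 workaround, relative to the <config> root element.
PANORAMA_SERVER_2_XPATH = (
    "devices/entry[@name='localhost.localdomain']"
    "/deviceconfig/system/panorama-server-2"
)


def has_panorama_server_2(config_xml: str) -> bool:
    """Return True if the secondary Panorama server node is still present."""
    return ET.fromstring(config_xml).find(PANORAMA_SERVER_2_XPATH) is not None


def remove_panorama_server_2(config_xml: str) -> Tuple[str, bool]:
    """Return (updated_xml, removed).

    ElementTree cannot delete an element by XPath directly, so locate the parent
    <system> node with the XPath minus its last step, then remove the child.
    The primary <panorama-server> node is left untouched.
    """
    root = ET.fromstring(config_xml)
    parent_xpath, child_tag = PANORAMA_SERVER_2_XPATH.rsplit("/", 1)
    parent = root.find(parent_xpath)
    if parent is None:
        return config_xml, False
    node = parent.find(child_tag)
    if node is None:
        return config_xml, False
    parent.remove(node)
    return ET.tostring(root, encoding="unicode"), True


if __name__ == "__main__":
    updated, removed = remove_panorama_server_2(SAMPLE_RUNNING_CONFIG)
    print("removed:", removed)
    print("still present:", has_panorama_server_2(updated))
```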

PAN-95511 The name for an address object, address group, or an external
dynamic list must be unique. Duplicate names for these
objects can result in unexpected behavior when you reference
the object in a policy rule.

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8
and earlier releases, the firewall does not apply password
profile settings (Device > Password Profiles) until after you
upgrade to PAN-OS 8.0.9 or a later release and then only after
you modify the account passwords. (Administrator accounts
that you create in PAN-OS 8.0.9 or a later release do not
require you to change the passwords to apply password profile
settings.)

PAN-94966 After you delete disconnected and connected Terminal Server
(TS) agents in the same operation, the firewall still displays
the IP address-to-port-user mappings (show user ip-
port-user-mapping CLI command) for the disconnected TS
agents you deleted (Device > User Identification > Terminal
Services Agents).
Workaround: Do not delete both disconnected and connected
TS agents in the same operation.

PAN-94846 When DPDK is enabled on the VM-Series firewall with i40e
virtual function (VF) driver, the VF does not detect the link
status of the physical link. The VF link status remains up,
regardless of changes to the physical link state.

PAN-94402 Upgrading firewalls from PAN-OS 8.1 to PAN-OS 9.0 causes
the loss of user mapping information and therefore disrupts
user-based policies in the following HA configurations:
• Active/active (in this example, the primary/secondary
peers are firewall1/firewall2)—During the period after you
upgrade firewall1 to PAN-OS 9.0 but before you upgrade
firewall2, firewall1 loses user mapping information. When
you finish upgrading both firewalls to PAN-OS 9.0, HA
synchronization restores the lost mapping information on
firewall1.
• Active/passive (in this example, the active/passive peers
are firewall1/firewall2)—After you upgrade firewall2 to
PAN-OS 9.0 but before you upgrade firewall1, firewall2
loses user mapping information but does not enforce
policies because it is still in a passive state. However, after
you trigger failover by suspending firewall1 (in anticipation
of upgrading it), firewall2 becomes the active peer and
fails to enforce user-based policies because its mapping
information is still missing. After you then upgrade firewall1
and trigger failback, firewall1 resumes enforcing policy and
HA synchronization ensures the mapping information is
complete on both firewalls.

In both configurations, whichever firewall is missing user
mapping information also cannot collect new user mappings
through the PAN-OS XML API until you finish upgrading both
HA peers.

PAN-94093 HTTP Header Insertion does not work when jumbo frames are
received out of order.

PAN-93968 The firewall and Panorama web interfaces display vulnerability
threat IDs that are not available in PAN-OS 9.0 releases
(Objects > Security Profiles > Vulnerability Protection >
<profile> > Exceptions). To confirm whether a particular threat
ID is available in your release, monitor the release notes for
each new Applications and Threats content update or check
the Palo Alto Networks Threat Vault to see the minimum
PAN-OS release version for a threat signature.

PAN-93842 The logging status of a Panorama Log Collector deployed on
AWS or Azure displays as disconnected when you configure
the ethernet1/1 to ethernet1/5 interfaces for log collection
(Panorama > Managed Collectors > Interfaces). This results in
firewalls not sending logs to the Log Collector.
Workaround: Configure the management (MGT) interface for
log collection.

PAN-93607 When you configure a VM-500 firewall with an SCTP
Protection profile (Objects > Security Profiles > SCTP
Protection) and you try to add the profile to an existing
Security Profile Group (Objects > Security Profile Groups), the
Security Profile Group doesn’t list the SCTP Protection profile
in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select
the SCTP Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 9.0 as a Thales
HSM client, the web interface on the firewall displays the
Thales server status as Not Authenticated, even though the
HSM state is up (Device > Setup > HSM).

PAN-93193 The memory-optimized VM-50 Lite intermittently performs
slowly and stops processing traffic when memory utilization
is critically high. To prevent this issue, make sure that you do
not:
• Switch to the firewall Context on the Panorama
management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being
installed.
• Generate custom reports during a commit.

Workaround: When the firewall performs slowly, or you see
a critical System log for memory utilization, wait for 5 minutes
and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing
memory intensive tasks such as installing dynamic updates,
committing changes or generating reports, at the same time,
on the firewall.

PAN-91802 On a VM-Series firewall, the clear session all CLI command
does not clear GTP sessions.

PAN-91236 The Panorama management server does not display new logs
collected on M-Series Log Collectors because the logging
search engine does not register during system startup when
logging disk checks and RAID mounting take longer than two
hours to complete.

PAN-86903 In rare cases, PA-800 Series firewalls shut themselves down
due to a false over-current measurement.

PAN-84670 When you disable decryption for HTTPS traffic, end users who
don't have valid authentication timestamps can access HTTPS
services and applications regardless of Authentication policy.
Workaround: Create a Security policy rule that blocks HTTPS
traffic that is not decrypted.

PAN-84488 On PA-7000 Series and PA-5200 Series firewalls, client
systems can use a translated IP address-and-port pair for
only one connection even if you configure the Dynamic IP
and Port (DIPP) NAT Oversubscription Rate to allow multiple
connections (Device > Setup > Session > Session Settings >
NAT Oversubscription).

PAN-84045 VM-Series firewalls in an HA configuration with Data Plane
Development Kit (DPDK) enabled experience HA path
monitoring failures and (in active/passive deployments) HA
failover.

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100
network processor) that has session offload enabled (default)
incorrectly resets the UDP checksum of outgoing UDP
packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can
persistently disable session offload for only UDP traffic using
the set session udp-offload no CLI command.

PAN-83598 VM-Series firewalls cannot monitor more than 500 virtual
machine (VM) information sources (Device > VM Information
Sources).


PAN-83236 The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stackdriver Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto a Thales nShield hardware security module (HSM).

PAN-81521 Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.

PAN-79423 Panorama cannot push address group objects from device groups to managed firewalls when zones specify the objects in the User Identification ACL include or exclude lists (Network > Zones) and the Share Unused Address and Service Objects with Devices option is disabled (Panorama > Setup > Management > Panorama Settings).

PAN-77125 PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don't close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.

PAN-75457 (PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error: the commit fails and the cluster becomes unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a
Data Filtering profile blocks files.

PAN-73401 (PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
• You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
• You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
• After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
• Configure a worker list on the cluster controller:

  admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

  (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
• Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.

  admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

  or

  admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

  Both commands result in Panorama reporting that the controller nodes are in sync.

PAN-71329 Local users and user groups in the Shared location (all virtual
systems) are not available to be part of the user-to-application
mapping for GlobalProtect Clientless VPN applications
(Network > GlobalProtect > Portals > <portal> > Clientless
VPN > Applications).
Workaround: Create users and user groups in specific virtual
systems on firewalls that have multiple virtual systems. For
single virtual systems (like VM-Series firewalls), users and user
groups are created under Shared and are not configurable for
Clientless VPN applications.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are
enabled on the same IP address, then when a user logs out of
the GlobalProtect portal, the administrative user is also logged
out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web
interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).

PAN-41558 When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround: Use a physical firewall interface instead of a loopback interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.

PAN-40079 The VM-Series firewall on KVM, for all supported Linux distributions, does not support Broadcom network adapters for PCI pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.


PAN-38255 When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.

PAN-31832 The following issues apply when configuring a firewall to use a hardware security module (HSM):
• Thales nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
• SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.

PAN-25046 Firewalls store SSH host keys used for SCP log exports in the
known hosts file. In an HA deployment, PAN-OS synchronizes
the SCP log export configuration between the firewall HA
peers (Device > Scheduled Log Export), but not the known
host file. When a failover occurs, the SCP log export fails.
Workaround: Log in to each peer in HA, select Device >
Scheduled Log Export > <log_export_configuration>, and Test
SCP server connection to confirm the host key so that SCP log
forwarding continues to work after a failover.
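The practical check behind the PAN-25046 workaround is "does the passive peer already trust the SCP server's host key, and is it the same key the active peer trusts?" The script below is an added example (not Palo Alto Networks code) that answers that question from the text of each peer's OpenSSH known_hosts file, however you obtain it. It understands plain, comma-separated and hashed (|1|salt|hmac) host fields, skips @revoked entries, and reports the key types the active peer trusts for the SCP server that the passive peer lacks or has pinned to a different key. The key blobs and known_hosts lines are constructed for the example and are not real keys or real firewall files.

```python
"""Compare the SSH host keys two HA peers trust for an SCP log-export server.

Added example for the PAN-25046 note; not Palo Alto Networks code. It reads the
text of each peer's OpenSSH known_hosts file and reports the key types the
active peer trusts that the passive peer does not, which is exactly the state in
which an SCP export fails after a failover.
"""
import base64
import hashlib
import hmac


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Build an OpenSSH hashed host field: |1|<b64 salt>|<b64 HMAC-SHA1(salt, host)>."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_matches(hosts_field: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain, comma-separated or hashed) names hostname.
    Pass "[host]:port" for servers on a non-default SSH port, as OpenSSH does."""
    if hosts_field.startswith("|1|"):
        _, _, salt_b64, _ = hosts_field.split("|", 3)
        expected = hash_hostname(hostname, base64.b64decode(salt_b64))
        return hmac.compare_digest(expected, hosts_field)
    return hostname in hosts_field.split(",")


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def trusted_keys(known_hosts: str, hostname: str) -> dict:
    """Map key type -> fingerprint for every non-revoked key the file trusts for hostname."""
    found = {}
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):            # @revoked / @cert-authority markers
            marker, line = line.split(None, 1)
        parts = line.split()
        if len(parts) < 3 or marker == "@revoked":
            continue
        hosts, key_type, key_b64 = parts[0], parts[1], parts[2]
        if host_matches(hosts, hostname):
            found[key_type] = fingerprint(key_b64)
    return found


def failover_gap(active_known_hosts: str, passive_known_hosts: str, scp_server: str) -> dict:
    """Key types (with fingerprints) the active peer trusts for scp_server that the
    passive peer either lacks or has pinned to a different key."""
    active = trusted_keys(active_known_hosts, scp_server)
    passive = trusted_keys(passive_known_hosts, scp_server)
    return {t: fp for t, fp in active.items() if passive.get(t) != fp}


# Constructed sample data: not real keys and not real firewall files.
KEY_A = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))).decode()
KEY_B = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + bytes(64)).decode()
ACTIVE_KNOWN_HOSTS = "\n".join([
    "# known_hosts of the active peer (constructed)",
    "192.0.2.50 ssh-ed25519 " + KEY_A,
    hash_hostname("logs.example.net", b"\x01" * 20) + " ssh-rsa " + KEY_B,
])
PASSIVE_KNOWN_HOSTS = "\n".join([
    "# known_hosts of the passive peer (constructed): logs.example.net was never tested here",
    "192.0.2.50 ssh-ed25519 " + KEY_A,
])

if __name__ == "__main__":
    for server in ("192.0.2.50", "logs.example.net"):
        gap = failover_gap(ACTIVE_KNOWN_HOSTS, PASSIVE_KNOWN_HOSTS, server)
        print(server, "OK" if not gap else "passive peer missing: %s" % gap)
```

An empty result from failover_gap for your SCP server on both peers is the state the workaround is trying to reach; any key type listed means that peer still needs Test SCP server connection run against the export profile.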

PAN-OS 9.0.1 Known Issues


The following list includes only outstanding known issues specific to the first PAN-OS® 9.0 maintenance
release—PAN-OS 9.0.1. This list includes issues specific to Panorama™, GlobalProtect™, VM-Series plugins,
and WildFire®, as well as known issues that apply more generally or that are not identified by an issue ID.
For a complete list of existing and addressed known issues in all PAN-OS 9.0 releases, see the Known Issues
Related to PAN-OS 9.0.

Issue ID Description

— Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.

— A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
• When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
• If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, the firewall defaults to the capacity associated with the VM-50. The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM-<xxx> license indicates that you must allocate the additional memory required for the licensed capacity of the firewall model.

— A Panorama™ management server running PAN-OS® 9.0 does not currently support management of appliances running WildFire 7.1 or earlier releases. Even though these management options are visible on the Panorama 9.0 web interface (Panorama > Managed WildFire Clusters and Panorama > Managed WildFire Appliances), making changes to these settings for appliances running WildFire 7.1 or an earlier release has no effect.

WF500-4200 The Create Date shown when using the show wildfire global sample-status sha256 equal <hash> or show wildfire global sample-analysis CLI command is two hours behind the actual time for WF-500 appliance samples.

PLUG-1827 (Microsoft Azure only) The firewall drops packets due to larger than expected packet sizes when Accelerated networking is enabled on the firewall (Settings > Networking). This issue is resolved after you upgrade to VM-Series plugin 1.0.3 and reboot the firewall.

PLUG-1709 (Microsoft Azure only) There is an intermittent issue where the secondary IP address becomes associated with the passive firewall after multiple failovers. This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Reassign IP addresses to the active and passive firewalls in Azure as needed.

PLUG-1694 (PAYG licenses only) Your pay-as-you-go (PAYG) license is not retained when you upgrade from a PAN-OS 8.1 release to a PAN-OS 9.0 release.
Workaround: Upgrade to VM-Series plugin 1.0.2 (or later) after you upgrade to a PAN-OS 9.0 release and then reboot the firewall to recover your PAYG license.

PLUG-1681 If you bootstrap a PAN-OS 9.0.1 image while using VM-Series plugin 1.0.0, the firewall will not apply the capacity license. To downgrade the VM-Series plugin from version 1.0.2 to 1.0.0, first bootstrap the PAN-OS 9.0.1 image and then downgrade the plugin.

PLUG-1642 After a high availability (HA) failover, the dataplane interface on a VM-Series firewall on Azure with Accelerated Networking (SR-IOV) becomes disabled when, as a result of the failover, the secondary IP address is detached from or attached to the firewall and moved to its HA peer. This issue is resolved with VM-Series plugin 1.0.2.

PLUG-1503 When a VM-Series firewall on AWS running on a C5 or M5 instance experiences a high availability (HA) failover, the dataplane interfaces from the previously active firewall are not moved to the newly active (previously passive) peer. This issue is resolved with VM-Series plugin 1.0.3.
Workaround: Check for the latest VM-Series plugin version and install the VM-Series plugin 9.0.0 version; the built-in version is 9.0.0-c29.

PLUG-1074 On the VM-Series firewall on AWS, when you change the instance type, the firewall no longer has a serial number or a license. Additionally, if you manage this firewall using Panorama, it is no longer connected to Panorama.

PLUG-380 When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.

PAN-125775 There is an issue where Panorama management servers deployed using the C5 or M5 instance types on Amazon Web Services (AWS) stop responding in regions that support these instance types.

PAN-125121 (VM-Series firewalls on AWS only) There is an issue where custom images do not function as expected for PAN-OS 9.0.
Workaround: Use PAN-OS 8.1 for creating custom images.

PAN-124956 There is an issue where VM-Series firewalls do not support packet buffer protection.

PAN-120662 (PA-7000 Series firewalls using PA-7000-20G-NPC cards only) There is an intermittent issue where an out-of-memory (OOM) condition causes dataplane or internal path monitoring to stop responding.

PAN-120440 There is an issue on M-500 Panorama management servers where an Ethernet interface with an IPv6 address that is used for private PAN-DB-URL connectivity accepts the address only in the following format: 2001:DB9:85A3:0:0:8A2E:370:2.
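The PAN-120440 note gives one accepted value and does not state the rule behind it. The added example below (not Palo Alto Networks code) assumes the rule is "eight colon-separated groups, no :: compression, no leading zeros, uppercase hex", which is the shape of the documented value; whatever the real constraint is, an address emitted in that shape is identical in form to the one the note says works, so normalizing through it before entering the address is a safe check.

```python
"""Render IPv6 addresses in the one form the PAN-120440 note shows as accepted.

Added example, not Palo Alto Networks code. The assumed rule (eight groups, no
:: compression, no leading zeros, uppercase hex) is inferred from the single
documented value 2001:DB9:85A3:0:0:8A2E:370:2.
"""
import ipaddress


def to_m500_pandb_format(addr: str) -> str:
    """Expand any valid IPv6 spelling into the assumed accepted shape."""
    ip = ipaddress.IPv6Address(addr)          # raises ValueError on a malformed address
    groups = ip.exploded.split(":")           # eight zero-padded, lowercase groups
    return ":".join("%X" % int(group, 16) for group in groups)


def is_accepted_format(addr: str) -> bool:
    """True only when the string is already written in the assumed accepted shape."""
    try:
        return to_m500_pandb_format(addr) == addr
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("2001:db9:85a3::8a2e:370:2", "2001:DB9:85A3::8A2E:370:2", "::1"):
        print("%-30s accepted=%-5s use=%s" % (
            candidate, is_accepted_format(candidate), to_m500_pandb_format(candidate)))
```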

PAN-120303 There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address of the M-500 Panorama management server, even after you configure the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
• Modify the PAN-DB Server IP address on the managed firewall.
1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content ID > URL Filtering settings).
2. Commit your changes.
3. Add the new M-500 Eth1/1 IP address as the PAN-DB Server IP address.
4. Commit your changes.
• Restart the firewall device server (devsrvr) process.
1. Log in to the firewall CLI.
2. Restart the devsrvr process: debug software restart process device-server

PAN-118628 There is an issue where, after you deploy Panorama in Azure, you cannot log in to Panorama with the username and password that was provided during the deployment process.

PAN-118525 (PA-5250, PA-5260, PA-5280, and PA-7000 Series firewalls only) There is an issue where the QSFP28 port does not come up with the TR-FC13L-N00 version of the PAN-QSFP28-100GBASE-LR4 optical transceiver on firewalls running a PAN-OS 9.0 release. For assistance, please contact Support.

PAN-118108 There is an issue where an API call against a Panorama management server that triggers the request analyze-shared-policy command causes Panorama to reboot after the command executes.

PAN-118065 (M-Series Panorama management servers in Management Only mode) When you delete the local Log Collector (Panorama > Managed Collectors), it disables the 1/1 ethernet interface in the Panorama configuration as expected but the interface still displays as Up when you execute the show interface all command in the CLI after you commit.
Workaround: Disable the 1/1 ethernet interface before you delete the local log collector and then commit the configuration change.


PAN-117043 There is an issue on the Panorama management server and all supported firewalls where special characters contained in the tag names of Security policy rules return the following error message when you commit or push a configuration: group-tag is invalid.
Workaround: Modify the tags and group tags (Objects > Tags) to exclude special characters.

PAN-116436 (Panorama virtual appliances only) There is a disk space calculation error that eventually leads to an erroneous opt/panlogs/ partition full condition and causes a process (CDB) to stop responding.

PAN-116084 VM-Series firewalls on Microsoft Azure deployed using MMAP drop traffic when the firewall experiences heavy traffic.

PAN-116069 (PA-200 firewalls only) There is a rare out-of-memory (OOM) condition.

PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not
accept the DNS value from the initial configuration (init-cfg)
file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in
the bootstrap folder and complete the bootstrap process.

PAN-115816 (Microsoft Azure only) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.

PAN-115733 (PAN-OS firewalls in an HA configuration only) There is a rare issue where data interfaces do not come up after you reboot the firewall when running a C5 or M5 instance type in AWS.
Workaround: Reboot the firewall.

PAN-114495 Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets. Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.

PAN-113501 The Panorama management server returns a Secure Copy (SCP) server connection error after you create an SCP Scheduled Config Export profile (Panorama > Scheduled Config Export) due to the SCP server password exceeding 15 characters in length.

PAN-113117 A newly launched firewall does not get its configuration from
Panorama when it first connects if you installed the VM-Series
plugin on Panorama. When a newly launched firewall that is
bootstrapped connects to Panorama, a process restart occurs
on Panorama. Upon restart, you are logged out of the user
interface and you need to log in and push the device group
and template configuration to the newly connected firewall.

PAN-113098 In the firewall web interface, you can temporarily submit change requests for the following URL categories: insufficient-content, high-risk, medium-risk, low-risk, and newly-registered-domains. However, Palo Alto Networks does not support or process change requests for these categories.

PAN-112983 (Firewalls with multiple virtual systems only; no impact to Panorama) If you select any Location other than Shared when you generate or import a new CA Certificate in a Certificate Profile (Device > Certificate Management > Certificate Profile), the firewall adds the newly generated or imported certificate to vsys1. For example, if you specify vsys3 as the Location, Add a CA Certificate, and then Generate a new certificate, the firewall adds the certificate to vsys1 instead of vsys3. When you click OK to configure the Certificate Profile, the firewall returns an Operation Failed error message because it sees a certificate for vsys1 added to vsys3.
Workaround 1:
1. Generate or import the new certificate in a Certificate Profile (Device > Certificate Management > Certificates > Device Certificates) and select the appropriate vsys Location when you generate or import the certificate.
2. When you create or edit the Certificate Profile, specify the vsys Location and Add the certificate that you generated (or imported) from the list of existing certificates.
Workaround 2: When you generate or import a new certificate when you configure a Certificate Profile for a vsys other than vsys1, specify the Location as Shared.

PAN-112814 H.323-based calls lose audio when the predicted H.245 session cannot convert to Active status, which causes the firewall to incorrectly drop H.245 traffic.

PAN-112699 (VM-Series firewall on AWS running on a C5 or M5 instance only) You cannot use the mgmt-interface-swap command to swap the interfaces for deploying a VM-Series firewall behind a web load balancer (such as AWS ALB or Classic ELB).
Workaround: Check for the latest VM-Series plugin version and install the VM-Series plugin 9.0.0 version; the built-in version is 9.0.0-c29.

PAN-112694 (Firewalls with multiple virtual systems only) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.

PAN-112626 When you upgrade to PAN-OS 9.0 with a PAYG Bundle 2 license, the new DNS Security subscription is not available on your VM-Series firewall. This subscription is included with the BYOL and VM-Series ELA when you upgrade.

PAN-112562 The Log Forwarding Card (LFC) subinterface incorrectly uses the interface IP address instead of the subinterface IP address for all services that forward logs (such as syslog, email, and SNMP) for selected virtual systems.

PAN-112456 You can temporarily submit a change request for a URL Category with more than two suggested categories. However, we support only two suggested categories, so add no more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, we will use only the first two categories you enter.

PAN-112340 If you enable URL Filtering without enabling Threat Prevention and your environment processes a large number (thousands) of URL look-ups per second per dataplane, you are likely to experience performance issues, including high CPU usage.

PAN-111928 Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.

PAN-111866 The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
• Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
• Manually select the devices that belong to the modified device group and template configurations.

PAN-111729 If you disable DPDK mode and enable it again, you must
immediately reboot the firewall.

PAN-111670 Tagged VLAN traffic fails when sent through an SR-IOV adapter.

PAN-111553 On the Panorama management server, the Include Device and Network Templates setting is disabled by default when you attempt to push changes to managed devices, which causes your push to fail.
Workaround: Before you commit and push the configuration changes from Panorama to your managed devices, edit the push scope (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections) to Include Device and Network Templates.

PAN-111251 Using the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule has no effect.

PAN-110794 DGA-based threats shown in the firewall threat log display the
same name for all such instances.

PAN-110603 In some cases, when a port on a PA-7000 Series 100Gbps Network Processor Card (NPC) has an SFP+ transceiver inserted but no cable is connected, the system detects a signal and attempts to tune and link with that port. As a result, if the device at the other end of the connection is rebooted or has an HA failover event, the link is sometimes held down for an extended period of time while the interface attempts to tune itself.
Workaround: Connect a cable to the installed SFP+ transceiver to allow the system to tune and link. Then, when you disconnect the cable, the system will correctly detect that the link is down. Alternatively, remove the SFP+ transceiver from the port.

PAN-109526 The system log does not correctly display the URL for CRL
files; instead, the URLs are displayed with encoded characters.

PAN-106989 There is a display-only issue on Panorama that results in a commit failed status for Template Last Commit State (Panorama > Managed Devices > Summary).
Workaround: Push templates to managed devices.


PAN-106675 After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround: Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.

PAN-105210 (Panorama in FIPS mode only when managing non-FIPS firewalls) You cannot configure a GlobalProtect portal on Panorama in FIPS mode when managing a non-FIPS firewall. If you attempt to do so, you will receive the following error message: agent-user-override-key unexpected here Portal_fips.

PAN-104808 There is an issue where scheduled SaaS reports generate and email empty PDF reports.
Workaround: Manually generate the report from the Panorama web interface.

PAN-104780 If you configure a HIP object to match only when a connecting endpoint is managed (Objects > GlobalProtect > HIP Objects > <hip-object> > General > Managed), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints. Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.

PAN-103336 (HA configurations only) When you downgrade a VM-Series firewall on Azure from PAN-OS 9.0 to an earlier release, you do not receive warnings. Do not downgrade your firewall without saving and exporting your current configuration.
Workaround: Because HA is not supported in earlier versions of VM-Series firewalls on Azure, to prevent the loss of your configuration:
• Save and export the configuration before you downgrade.
• After you downgrade, load the saved configuration and commit your changes. The firewall will resume operation without the HA configuration.

PAN-103276 Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.

PAN-103018 (Panorama plugins) When you use the AND/OR boolean operators to define the match criteria for Dynamic Address Groups on Panorama, the boolean operators do not function properly. The member IP addresses are not included in the address group as expected.

PAN-101688 (Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all.

PAN-101537 After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall returns only the address and address group objects pushed from the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal ‘vsys eq <vsys-name>’ <dst> | <src> in <object-name>

PAN-99084 (HA configurations running PAN-OS 8.0.9 or a later PAN-OS release) If you disable the high availability (HA) configuration sync option (enabled by default), User-ID data does not sync as expected between HA peers.
Workaround: Re-Enable Config Sync (Device > High Availability > General > Setup settings).

PAN-98803 If you configure the Panorama plugin to monitor virtual machines or endpoints in your AWS, Azure, or Cisco ACI environment without installing the NSX plugin, the IP-address-to-tag mappings for Dynamic Address Groups are not displayed on Panorama.
Workaround: Install the NSX plugin (you do not need to use the NSX plugin for the installation to resolve this display issue).

PAN-98520 When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.


PAN-97757 GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.

PAN-97524 (Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.

PAN-96985 The request shutdown system command does not shut down the Panorama management server.

PAN-96960 You cannot restart or shut down a Panorama on KVM from the Virtual Machine Manager console or the virsh CLI.

PAN-96446 A firewall that is not included in a Collector Group fails to


generate a system log if logs are dropped when forwarded to a
Panorama management server that is running in Management
Only mode.

PAN-95773 On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.

PAN-95717 After 30,000 or more end users log in to the GlobalProtect gateway within a two- to three-hour period, the firewall web interface responds slowly, commits take longer than expected or intermittently fail, and Tech Support File generation times out and fails.

PAN-95602 In a deployment where a Log Collector connects to Panorama management servers in a high availability (HA) configuration, after you switch the Log Collector appliance to Panorama mode, commit operations fail on the appliance.
Workaround: Remove the following node from the running-config.xml file on the Log Collector before switching it to Panorama mode: devices/entry[@name='localhost.localdomain']/deviceconfig/system/panorama-server-2
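As an added example (not Palo Alto Networks code) of applying the PAN-95602 workaround to an exported copy of the configuration: the script locates the node at the path the workaround names and removes it with Python's standard xml.etree module, returning how many nodes it removed so a second run is a harmless no-op. The sample configuration below is constructed for the example and uses documentation IP addresses; a real running-config.xml is far larger, and the function names and the .bak convention are this example's own.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed minimal running-config.xml (placeholder values, not an appliance export).
SAMPLE_CONFIG = """<config version="9.0.0">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <panorama-server>192.0.2.10</panorama-server>
          <panorama-server-2>192.0.2.11</panorama-server-2>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>"""

# Parent of the node the workaround removes, relative to the <config> root.
PARENT_PATH = "devices/entry[@name='localhost.localdomain']/deviceconfig/system"
NODE_NAME = "panorama-server-2"


def remove_secondary_panorama(xml_text: str):
    """Return (updated_xml, removed_count).

    Raises ValueError if the expected parent path is absent, so a config that
    does not look like a Log Collector export is left untouched rather than
    silently 'fixed'.
    """
    root = ET.fromstring(xml_text)
    parent = root.find(PARENT_PATH)
    if parent is None:
        raise ValueError("path not found in configuration: " + PARENT_PATH)
    removed = 0
    for node in parent.findall(NODE_NAME):  # findall: tolerate a duplicated node
        parent.remove(node)
        removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def rewrite_config_file(path: str) -> int:
    """Rewrite the file in place, keeping a .bak copy of the original; returns nodes removed."""
    with open(path, "r", encoding="utf-8") as fh:
        original = fh.read()
    updated, removed = remove_secondary_panorama(original)
    if removed:
        with open(path + ".bak", "w", encoding="utf-8") as fh:
            fh.write(original)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(updated)
    return removed


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print("removed", rewrite_config_file(sys.argv[1]), "node(s)")
    else:
        updated, removed = remove_secondary_panorama(SAMPLE_CONFIG)
        print("removed", removed, "node(s)")
        print(updated)
```

ElementTree drops the XML declaration and may normalise whitespace and attribute quoting when it serialises, so diff the rewritten file against the .bak copy before loading it on the appliance; the only intended change is the single removed element.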


PAN-95511 The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.

PAN-95028 For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)

PAN-94966 After you delete disconnected and connected Terminal Server (TS) agents in the same operation, the firewall still displays the IP address-to-port-user mappings (show user ip-port-user-mapping CLI command) for the disconnected TS agents you deleted (Device > User Identification > Terminal Services Agents).
Workaround: Do not delete both disconnected and connected TS agents in the same operation.

PAN-94846 When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.

PAN-94402 Upgrading firewalls from PAN-OS 8.1 to PAN-OS 9.0 causes the loss of user mapping information and therefore disrupts user-based policies in the following HA configurations:
• Active/active (in this example, the primary/secondary peers are firewall1/firewall2)—During the period after you upgrade firewall1 to PAN-OS 9.0 but before you upgrade firewall2, firewall1 loses user mapping information. When you finish upgrading both firewalls to PAN-OS 9.0, HA synchronization restores the lost mapping information on firewall1.
• Active/passive (in this example, the active/passive peers are firewall1/firewall2)—After you upgrade firewall2 to PAN-OS 9.0 but before you upgrade firewall1, firewall2 loses user mapping information but does not enforce policies because it is still in a passive state. However, after you trigger failover by suspending firewall1 (in anticipation of upgrading it), firewall2 becomes the active peer and fails to enforce user-based policies because its mapping information is still missing. After you then upgrade firewall1 and trigger failback, firewall1 resumes enforcing policy and HA synchronization ensures the mapping information is complete on both firewalls.
In both configurations, whichever firewall is missing user mapping information also cannot collect new user mappings through the PAN-OS XML API until you finish upgrading both HA peers.

PAN-94093 HTTP Header Insertion does not work when jumbo frames are
received out of order.

PAN-93968 The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.

PAN-93842 The logging status of a Panorama Log Collector deployed on AWS or Azure displays as disconnected when you configure the ethernet1/1 to ethernet1/5 interfaces for log collection (Panorama > Managed Collectors > Interfaces). This results in firewalls not sending logs to the Log Collector.
Workaround: Configure the management (MGT) interface for log collection.

PAN-93607 When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn't list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.

PAN-93532 When you configure a firewall running PAN-OS 9.0 as a Thales HSM client, the web interface on the firewall displays the Thales server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).

PAN-93193 The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
• Switch to the firewall Context on the Panorama management server.
• Commit changes when a dynamic update is being installed.
• Generate a custom report when a dynamic update is being installed.
• Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory-intensive tasks, such as installing dynamic updates, committing changes, or generating reports, at the same time on the firewall.

PAN-91802 On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.

PAN-91236 The Panorama management server does not display new logs
collected on M-Series Log Collectors because the logging
search engine does not register during system startup when
logging disk checks and RAID mounting take longer than two
hours to complete.

PAN-86903 In rare cases, PA-800 Series firewalls shut themselves down due to a false over-current measurement.

PAN-84670 When you disable decryption for HTTPS traffic, end users who
don't have valid authentication timestamps can access HTTPS
services and applications regardless of Authentication policy.
Workaround: Create a Security policy rule that blocks HTTPS
traffic that is not decrypted.

PAN-84488 On PA-7000 Series and PA-5200 Series firewalls, client systems can use a translated IP address-and-port pair for only one connection even if you configure the Dynamic IP and Port (DIPP) NAT Oversubscription Rate to allow multiple connections (Device > Setup > Session > Session Settings > NAT Oversubscription).

PAN-84045 VM-Series firewalls in an HA configuration with Data Plane Development Kit (DPDK) enabled experience HA path monitoring failures and (in active/passive deployments) HA failover.

PAN-83610 In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.

PAN-83598 VM-Series firewalls cannot monitor more than 500 virtual machine (VM) information sources (Device > VM Information Sources).


PAN-83236 The VM-Series firewall on Google Compute Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.

PAN-83215 SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto a Thales nShield hardware security module (HSM).

PAN-81521 Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.

PAN-79423 Panorama cannot push address group objects from device groups to managed firewalls when zones specify the objects in the User Identification ACL include or exclude lists (Network > Zones) and the Share Unused Address and Service Objects with Devices option is disabled (Panorama > Setup > Management > Panorama Settings).

PAN-77125 PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don't close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.

PAN-75457 (PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error—the commit fails and the cluster becomes unresponsive.

PAN-73530 The firewall does not generate a packet capture (pcap) when a
Data Filtering profile blocks files.

PAN-73401 (PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
• You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
• You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
• After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
• Configure a worker list on the cluster controller:

admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>

(<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
• Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes

or

admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no

Both commands result in Panorama reporting that the controller nodes are in sync.


PAN-71329 Local users and user groups in the Shared location (all virtual
systems) are not available to be part of the user-to-application
mapping for GlobalProtect Clientless VPN applications
(Network > GlobalProtect > Portals > <portal> > Clientless
VPN > Applications).
Workaround: Create users and user groups in specific virtual
systems on firewalls that have multiple virtual systems. For
single virtual systems (like VM-Series firewalls), users and user
groups are created under Shared and are not configurable for
Clientless VPN applications.

PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are
enabled on the same IP address, then when a user logs out of
the GlobalProtect portal, the administrative user is also logged
out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web
interface and an FQDN to access the GlobalProtect portal.

PAN-69505 When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).

PAN-41558 When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan.
Workaround: Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.

PAN-40079 The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.

PAN-39636 Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.


PAN-38255 When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.

PAN-31832 The following issues apply when configuring a firewall to use a hardware security module (HSM):
• Thales nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
• SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.

PAN-25046 Firewalls store SSH host keys used for SCP log exports in the
known hosts file. In an HA deployment, PAN-OS synchronizes
the SCP log export configuration between the firewall HA
peers (Device > Scheduled Log Export), but not the known
host file. When a failover occurs, the SCP log export fails.
Workaround: Log in to each peer in HA, select Device >
Scheduled Log Export > <log_export_configuration>, and Test
SCP server connection to confirm the host key so that SCP log
forwarding continues to work after a failover.

Known Issues Specific to the WildFire Appliance

Beginning with the PAN-OS 9.0.1 release, known issues specific to WildFire® 9.0 releases running on the WF-500 appliance are included with the Known Issues Related to PAN-OS 9.0.


PAN-OS 9.0 Addressed Issues
Review the issues that were addressed in each maintenance release of the PAN-OS® 9.0
release.
For new features, associated software versions, known issues, and changes in default behavior
in the PAN-OS 9.0 release, see the PAN-OS 9.0 Release Information.

> PAN-OS 9.0.5 Addressed Issues
> PAN-OS 9.0.4 Addressed Issues
> PAN-OS 9.0.3-h3 Addressed Issues
> PAN-OS 9.0.3-h2 Addressed Issues
> PAN-OS 9.0.3 Addressed Issues
> PAN-OS 9.0.2-h4 Addressed Issues
> PAN-OS 9.0.2 Addressed Issues
> PAN-OS 9.0.1 Addressed Issues
> PAN-OS 9.0.0 Addressed Issues

PAN-OS 9.0.5 Addressed Issues
Issue ID Description

WF500-5137 Fixed an issue where the show wildfire global last-device-registration all CLI command incorrectly returned an error message: Failed, even when you registered the firewall correctly.

PAN-128561 Fixed an issue where a process (all_pktproc) stopped responding after you upgraded the firewall to PAN-OS® 9.0.4.

PAN-128324 Fixed an issue on PA-7000 Series firewalls with at least one PA-7000-100G-NPC card where heartbeat failures on all slots caused the firewall to reboot.

PAN-127807 Fixed an issue on Panorama™ M-Series and virtual appliances where a process (configd) stopped responding when you performed a commit to a large number of firewalls.

PAN-126697 Fixed an HTTPD issue with PHP where it leaked memory.

PAN-126547 Fixed an issue where a process (configd) stopped responding when an XML API call with type=config&action=get triggered during a commit.

PAN-126534 (PAN-OS 8.1.10 and later releases only) Fixed an issue where
the data from Security policies did not export as expected.

PAN-126354 Fixed an issue where log in and commits took longer than
expected when you used XML API calls to create new address
objects.

PAN-125933 Fixed an issue where the receiving firewall deleted the host
information profile (HIP) report due to the report containing the
same IPv4 address in the IP and IP2 fields and caused a process
(useridd) to stop responding.

PAN-125833 Fixed an issue on a firewall in a high availability (HA) active/passive configuration where a daemon (routed) did not receive the updated interface status after an HA failover, which caused routes to remain in the routing and FIB tables.

PAN-125775 Fixed an issue where Panorama management servers deployed using the C5 or M5 instance types on Amazon Web Services (AWS) caused the Panorama instance to stop responding in regions that supported these instance types.

PAN-125517 An enhancement was made to improve firewall performance for stream control transmission protocol (SCTP) flows. To enable this enhancement, run the set sctp fast-sack yes CLI command.

PAN-125515 Fixed an issue on VM-Series firewalls where the firewall dropped all traffic traversing from the dataplane to the management plane.

PAN-125478 Fixed an issue on a firewall in an HA active/passive configuration where the route to the passive firewall dropped during a failover.

PAN-125452 Fixed an issue where the firewall did not list registered
addresses from the Dynamic Address Group when the same IP-
tag information was received from two sources, which caused
the traffic flow to stop responding as expected.

PAN-125346 An enhancement was made to enable you to configure IPv6 in the web interface and through a CLI command when you added IPv6 virtual addresses to a firewall in an HA active/active configuration.

PAN-125121 (VM-Series firewalls on AWS only) Fixed an issue where custom images did not function as expected for PAN-OS 9.0.

PAN-125069 An enhancement was made to enable you to delete the GTP-C tunnel with all GTP-U tunnel sessions after the firewall received a Delete Bearer Response message where default bearer ID=5. To enable this enhancement, run the set gtp ebi5-del-gtpc [yes/no] CLI command.

PAN-124996 Fixed an issue where a GlobalProtect™ daemon (rasmgr) stopped responding when you connected with an overlapping IPv6 address, which caused subsequent GlobalProtect connections to fail.

PAN-124890 Fixed a configuration lock issue where you were unable to log
in after you upgraded from PAN-OS 8.1.6 to PAN-OS 8.1.9.

PAN-124630 Fixed an issue where new logs were not ingested due to
a buffer exhaustion condition caused by invalid messages
incorrectly handled by elastic search.

PAN-124481 Fixed an issue where the dataplane stopped responding when SMTP sessions were used.

PAN-124299 Fixed an issue on VM-Series firewalls in an HA active/passive configuration where the active firewall leaked packet buffers when links were disconnected from the hypervisor.

PAN-123850 (PA-5200 and PA-7000 Series firewalls only) Fixed an issue where conflicting GTP sessions were installed in a short interval, which caused the firewall to queue GTP packets and deplete packet buffers.

PAN-123600 Fixed an issue where the firewall was unable to establish a connection to the DNS Security feature domain (dns.service.paloaltonetworks.com) when the firewall could not connect with the primary DNS server but could connect with the secondary DNS server.

PAN-123446 Fixed an issue where an administrator with a Superuser role could not reset administrator credentials.

PAN-123362 Fixed an issue where the firewall used more than expected
virtual memory when you decreased the maximum elastic
search heap size.

PAN-123190 Fixed an issue on a firewall in an HA active/passive configuration where a process (useridd) restarted multiple times and caused the firewall to reboot.

PAN-123030 Fixed an issue with a memory leak associated with a process (mgmtsrvr) when you pushed a commit.

PAN-122662 (PA-5260 firewalls only) Fixed an issue where a process (mpreplay) stopped responding after a commit when you configured the firewall with more than 200 virtual systems (vsys) running on PAN-OS 8.1.9.

PAN-122601 Fixed a memory leak issue with a process (configd) when you
performed device group related operations.

PAN-122550 Fixed an issue where VM-Series firewalls on Microsoft Azure experienced traffic latency due to an incompatible driver.

PAN-121945 Fixed an issue on Panorama M-Series and virtual appliances where after you deployed the firewall in Google Cloud the Panorama serial console stopped responding.

PAN-121911 Fixed an issue where a process (logrcvr) restarted during commits.

PAN-121667 Fixed an issue where traffic incorrectly matched Security policies when configured static address groups and FQDN IP addresses on Security policies overlapped.

PAN-121523 Fixed an issue where an API call triggered memory errors, which
caused a process (configd) to stop responding and triggered
SIGABRT logs.

PAN-121447 Fixed an issue where BGP did not remove the IPv6 default route from the forwarding table after the route was withdrawn.

PAN-121133 Fixed an issue on Panorama M-Series and virtual appliances where a validation job triggered a memory leak in a process (configd), which caused context switching between Panorama and the web interface to respond slower than expected.

PAN-121001 Fixed an issue where the firewall only reported a maximum of two logs when you configured more than two hardware security modules (HSM).

PAN-120901 Fixed an issue on Panorama M-Series and virtual appliances where partial commits did not apply configuration changes as expected.

PAN-120361 Fixed an issue on Panorama M-Series and virtual appliances where objects were not compressed, which caused higher than expected CPU and memory usage.

PAN-120287 Fixed a JavaScript error due to an incorrect HTTP response, which prevented GlobalProtect Clientless VPN applications from loading.

PAN-120151 Fixed an issue where the DNS packet parser incorrectly processed DNS packet headers when the QD count is 0. With this fix, the DNS packet parser aborts further processing when QD != 1.
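As an added illustration (not PAN-OS code) of the header check PAN-120151 describes: a minimal DNS query parser that reads the 12-byte RFC 1035 header and refuses to go further unless QDCOUNT is exactly 1, with every label and field length bounds-checked so a short or mislabelled packet cannot drive reads past the buffer. A small builder produces constructed packets whose header claims an arbitrary QDCOUNT so the rejection path can be exercised; the function names and sample packets are this example's own.

```python
import struct

# ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT: the fixed 12-byte header (RFC 1035 4.1.1)
DNS_HEADER = struct.Struct("!HHHHHH")


def encode_qname(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid: int, qdcount: int, name: str, qtype: int = 1, qclass: int = 1) -> bytes:
    """Build a query whose header claims an arbitrary QDCOUNT (constructed test input).

    A well-formed query passes qdcount=1; passing 0 or 2 produces the kind of
    inconsistent header that the fixed parser must refuse.
    """
    header = DNS_HEADER.pack(txid, 0x0100, qdcount, 0, 0, 0)  # flags 0x0100 = standard query, RD set
    return header + encode_qname(name) + struct.pack("!HH", qtype, qclass)


def parse_query(packet: bytes):
    """Parse the header and the single question of a DNS query.

    Returns a dict on success, or None when the packet must not be processed
    further. Stopping as soon as QDCOUNT != 1, instead of trusting the count
    and interpreting whatever follows as records, is the behaviour the
    PAN-120151 fix describes.
    """
    if len(packet) < DNS_HEADER.size:
        return None
    txid, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(packet, 0)
    if qd != 1:
        return None  # QDCOUNT 0 (or >1) in a query: abort rather than guess the layout
    offset = DNS_HEADER.size
    labels = []
    while True:
        if offset >= len(packet):
            return None  # name runs off the end of the packet
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            return None  # this example accepts plain labels only, no compression pointers
        if offset + length > len(packet):
            return None  # label longer than the remaining bytes
        labels.append(packet[offset:offset + length].decode("ascii", errors="replace"))
        offset += length
    if offset + 4 > len(packet):
        return None  # QTYPE/QCLASS missing
    qtype, qclass = struct.unpack_from("!HH", packet, offset)
    return {
        "id": txid,
        "flags": flags,
        "qname": ".".join(labels),
        "qtype": qtype,
        "qclass": qclass,
        "counts": (qd, an, ns, ar),
    }


if __name__ == "__main__":
    good = build_query(0x1234, 1, "example.com")
    print(parse_query(good))
    print(parse_query(build_query(0x1234, 0, "example.com")))  # None: QDCOUNT 0 rejected
```

The same shape applies to any length-prefixed protocol parser: validate the counts in the fixed header against what the packet can actually hold before using them to drive loops, and make every failure path return the same "stop processing" result instead of partial data.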

PAN-119765 Fixed an intermittent issue where the firewall dropped sessions that used a large number of predict sessions.

PAN-119680 Fixed a rare issue where the show running CLI commands for
policy addresses caused file descriptor leaks.

PAN-119289 Fixed an issue on Panorama M-Series and virtual appliances where you were unable to query Cortex Data Lake by the serial number filter.

PAN-119225 Fixed an issue where an inaccurate sequence number check for an RST packet caused the packet to drop.

PAN-119185 Fixed an issue where a process (panio) caused more than expected CPU consumption.

PAN-119172 Fixed an issue where the firewall incorrectly enforced URL category policies and erroneously triggered alert instead of block.

PAN-118985 Fixed an issue on Panorama M-Series and virtual appliances where a process (configd) experienced high memory utilization and a memory leak condition, which caused slower than expected performance.

PAN-118881 Fixed an issue where the user domain information was missing
from the user IP mapping entry when you configured Allow
Authentication with User Credentials or Client Certificate
to Yes while using a client certificate for GlobalProtect
authentication.

PAN-118783 Fixed an intermittent issue where a daemon (dnsproxy) stopped responding when you configured an HTTP proxy on the firewall.

PAN-118762 Fixed an issue where the GlobalProtect portal used an outdated jQuery library.

PAN-118720 Fixed an issue on a firewall in an HA active/active configuration where Oracle traffic SYN packets dropped intermittently with the flow_fpp_owner_err_no_predict counter.

PAN-118628 Fixed an issue where after you deployed Panorama in Azure, you were unable to log in to Panorama with the username and password that was provided during the deployment process.

PAN-118583 Fixed a memory allocation issue that prevented URL filtering logs from displaying the full URL.

PAN-118430 Fixed an issue where pushed template configurations were overridden when you made a configuration change in the Master Key Lifetime (Device > Master Key and Diagnostic > Edit) field.

PAN-118370 Fixed an issue where the firewall displayed incorrect application dependency warnings during commits when a Security policy used a wildcard address.

PAN-118277 Fixed an issue where the firewall stopped responding due to a race condition.

PAN-118256 Fixed an issue where a DNS Security signature response from a cloud service caused a daemon (dnsproxyd) to stop responding.

PAN-118183 Fixed an issue where a process (dnsproxyd) stopped responding due to higher than expected CPU usage.

PAN-118180 Fixed an issue on firewalls configured with authentication policies where UDP and ICMP packets matching an authentication policy did not generate traffic logs as defined in the Security policy when sessions were redirected or denied.

PAN-118057 Fixed an issue on a firewall in an HA active/passive configuration where a process (all_pktproc) stopped responding and the dataplane restarted, which caused an internal path monitoring failure and an HA failover event.

PAN-118055 Fixed an issue where administrators were unable to export Security Assertion Markup Language (SAML) metadata files from virtual system (vsys) specific authentication profiles.

PAN-117959 Fixed an issue where LDAP authentication failed when you configured the authentication server with an FQDN.

PAN-117907 Fixed an issue where the date and time provided for a request
license information output did not match the show clock output
provided by the NTP server.

PAN-117900 Fixed an issue where commits failed when you moved an object
referenced in a policy to a shared group.

PAN-117888 Fixed an issue where the firewall was unable to detect the
hardware security module (HSM), which caused the firewall to
drop SSL traffic.

PAN-117878 Fixed an issue where you were unable to add a service definition to the NSX manager and the following error message displayed: Failed to create object service-definition. Ret code is 400.

PAN-117835 Fixed an intermittent issue where a process (all_pktproc) stopped responding, which caused a heartbeat failure and the firewall to drop LACP and OSPF connections.

PAN-117738 (PA-3050 and PA-3060 firewalls only) Fixed an issue where a higher than expected number of flow_fpga_flow_update messages occurred when you configured QoS.

PAN-117727 Fixed an issue where job threads were deadlocked, which prevented log in attempts and displayed the following error message: CONFIG_LOCK: write lock TIMEDOUT for cmd.

PAN-117384 Fixed an issue on Panorama M-Series and virtual appliances where the connection between Panorama and managed firewalls timed out when you upgraded PAN-OS 9.0.0 to PAN-OS 9.0.1 and displayed the following error message: Error - time out sending/receiving message.

PAN-117303 Fixed an issue where the BGP aggregate prefix, which is advertised to multiple BGP peers, was removed from RIB OUT when you disabled one of the BGP peers.

PAN-117120 Fixed an issue on Panorama M-Series and virtual appliances where a process (configd) restarted due to virtual memory issues.

PAN-117086 Fixed an issue where community attributes to BGP routes had a character limit of 31 characters, which caused expressions to take longer than expected to process.

PAN-117068 Fixed an issue on Panorama M-Series and virtual appliances where memory utilization increased more than expected when you deleted several rules with an XML API delete command.

PAN-116977 Fixed an issue on VM-Series firewalls where you could not upgrade to PAN-OS 9.0.1 or a later release with a pre-licensed firewall.

PAN-116949 Fixed a memory leak issue with a process (mprelay), which caused the dataplane to restart.

PAN-116903 Fixed an issue on Panorama M-Series and virtual appliances where you were unable to configure Enable X-Auth Support (Network > GlobalProtect > Gateways > Template > <Template-stack> > Agent > Tunnel Settings) at the Template-stack level.

PAN-116772 Fixed an issue where the firewall sent empty attributes in the
LDAP query when you did not configure Alternate Username 1
- 3 (Device > User Identification > Group Mapping Settings >
<group-name> > User and Group Attributes) in the User
Attributes web interface.

PAN-116708 Fixed an issue where administrators were unable to export


policies and objects in PDF format.

PAN-116611 Fixed an issue where an API call for correlated events did not
return any events.

PAN-116473 Fixed an issue where the firewall logged URL categories


configured for Allow in the URL filtering logs.

PAN-116334 Fixed an issue where a process (mgmtsrvr) leaked memory


caused by SNMP traps.

PAN-116286 Fixed an issue where commits failed after you upgraded from
PAN-OS 8.0.16 to PAN-OS 8.1.6 due to an invalid encryption
state for a host information profile (HIP) object.

PAN-116274 Fixed an issue where the firewall was unable to authenticate


when you pushed a public key from Panorama.

PAN-116189 Fixed an issue where Session Initiation Protocol (SIP) calls failed
and displayed the following error message: end-reason:
resources-unavailable.


PAN-115990 Fixed an issue where the FQDN address object (Policy > Security > <address-object> > Value) displayed the following unrelated error: <FQDN-name> Not used.

PAN-115959 Fixed an issue where DNS names with more than 63 characters did not resolve FQDN address objects during an FQDN refresh.

PAN-115890 Fixed an issue where the show system info CLI command incorrectly displayed VMware ESXi as VMWare ESXi.

PAN-115879 Fixed an issue on a firewall where a bypass switch sent heartbeat messages to the firewall, which triggered non-stop link status change interrupts through a Marvell switch.

PAN-115549 Fixed an issue where predict sessions were incorrectly created with a captive-portal zone, which caused the firewall to drop RTP traffic.

PAN-115349 Fixed an issue where an incorrect predict session was created when a policy-based forwarding (PBF) policy was used without a NAT in the parent session, which caused the firewall to drop RTP and RTCP packets.

PAN-115344 Fixed an issue where the Username Modifier %USERDOMAIN%\%USERINPUT% enabled you to log in to a locked out user account.

PAN-115340 Fixed an issue on a firewall in an HA active/passive configuration where the passive firewall experienced higher than expected dataplane CPU usage caused by HA IPSec messages bouncing between dataplanes.

PAN-115282 Fixed an issue where temporary download files were deleted before a download job was completed, which caused the progress bar to remain at 0% and prevented a timeout when downloads failed.

PAN-115281 Fixed an issue where the firewall did not resolve an external dynamic list server address when the DNS proxy configured it as a static entry.

PAN-115110 An enhancement was made to enable you to configure syslog parameters through the CLI debug command. To view the available parameters and change the configurations, run the debug syslogng-params settings CLI command and perform a commit force to apply the edits.

PAN-115108 Fixed an issue on Panorama M-Series and virtual appliances where scheduled uploading and installation of WildFire® content meta files to WF-500 appliances failed and displayed the following error message: device not supported.


PAN-114880 Fixed an issue where the debug management-server summary-logs flush-options max-keys CLI command did not persist through a system reboot.

PAN-114771 Fixed an issue on Panorama M-Series and virtual appliances where Decrypt Mirror (Objects > Decryption > Decryption Profile > <Device Group-name>) did not appear in the Interface drop-down menu when you tried to configure a Decryption Profile.

PAN-114667 Fixed an issue on a firewall in an HA active/passive configuration where a split-brain condition occurred after you upgraded from PAN-OS 8.1.3 to PAN-OS 8.1.6.

PAN-114628 Fixed an issue where Panorama was unable to query logs forwarded from the firewall to the log collector.

PAN-114540 Fixed an issue where renaming a template stack did not change the value, which reset to the original value after you committed the change.

PAN-114456 Fixed an issue where extended packet capture (pcap) for threat logs caused a process (mgmtsrvr) to stop responding.

PAN-114270 Fixed an issue where the firewall dropped TCP trace route traffic after you upgraded to PAN-OS 8.1.5. To leverage this fix, run the set session tcp-reject-diff-syn no CLI command.

PAN-114247 Fixed an issue where a larger than expected number of Could not find entry for interface ethernet1/<interface>.<subinterface> in CPS table messages filled the snmpd.log, which caused the log file to rotate more frequently than expected.

PAN-113610 Fixed an issue where Panorama incorrectly deleted valid device group directories and was unable to generate reports.

PAN-113606 Fixed an issue where the Throughput column (Panorama > Managed Devices > Health) was incorrectly labeled.

PAN-113261 (PA-5200 Series firewalls only) Fixed an issue where the total entries for the URL filtering allow list, block list, and custom categories were incorrectly set to an entry limit value other than 100,000.

PAN-113162 Fixed an issue where you were unable to create shared URL filtering profiles from the Panorama web interface.


PAN-112661 Fixed an issue where you were unable to access a firewall due to a defective small form-factor pluggable (SFP)/SFP+ module inserted into the firewall.

PAN-111544 Fixed an issue on Panorama M-Series and virtual appliances configured as log collectors where SSH did not respond after you enabled SSH on ethernet1/1.

PAN-110685 Fixed a rare issue where an incorrect User-ID™ match to the respective LDAP group caused a security policy mismatch.

PAN-110098 Fixed an issue on a firewall in an HA active/passive configuration where you were unable to synchronize configurations or dynamic updates between HA pairs.

PAN-109874 Fixed a memory leak issue on a firewall during a commit, which prevented the firewall from generating GlobalProtect client configurations.

PAN-108876 Fixed an issue where the firewall dropped Session Initiation Protocol (SIP) registration packets, which caused SIP sessions to fail.

PAN-108373 Fixed an issue where an application dependency warning incorrectly displayed when you configured negate-source yes on a security rule to deny an application.

PAN-108012 Fixed an issue on Panorama M-Series and virtual appliances where you could not add and generate a certificate as expected.

PAN-106434 Fixed an issue where a process (keymgr) stopped responding due to missed heartbeats, which caused IPSec tunnels to stop responding.

PAN-102195 Fixed an issue where the firewall did not detect all threat sessions while the App and Threat content installation was processed.

PAN-100977 (VM-Series NSX edition firewalls only) Fixed an issue where the existing logs for dynamic address updates had insufficient information to debug the root cause of an issue and where the dynamic address update logs were larger than expected, which caused the file to roll over every five minutes and did not provide a sufficient log history to debug issues.

PAN-OS 9.0.4 Addressed Issues
Issue ID Description

- (Microsoft Azure only) Updates to support changes in Azure Accelerated Networking (AN).

WF500-4785 Fixed a rare issue on WF-500 appliances where the firewall did not respond after you upgraded the appliance from a PAN-OS® 8.0.1 release to a PAN-OS 8.0.10 or later release. With this fix, you can run the new debug software raid fixup auto CLI command to recover the RAID controller.

PAN-124658 Fixed an issue where the timer system call activated more frequently than expected, which caused higher than expected CPU usage.

PAN-123371 Fixed an issue where the WildFire Analysis Report incorrectly displayed the following error message: You are not authorized to access this page on the web interface.

PAN-123079 Fixed an intermittent issue where, after a configuration change, a commit caused the dataplane to stop responding.

PAN-122804 Fixed an issue on Panorama™ M-Series and virtual appliances where the firewall stopped forwarding logs to Cortex Data Lake after you upgraded the cloud services plugin to 1.4.

PAN-122489 (Microsoft Azure only) Fixed an issue where VM-Series firewalls incorrectly renamed (to eth) interfaces connected to Mellanox appliances when Accelerated Networking was enabled on the firewall.

PAN-122004 (PA-5200 Series firewalls only) Fixed an issue where the Quad Small Form-factor Pluggable (QSFP) 28 ports 21 and 22 did not respond when plugged in with a Finisar 100G AOC cable.

PAN-121449 Fixed an issue where Remove Config (Panorama > Plugins) did not remove the configuration for any plugins you have set up on Panorama.

PAN-121185 Fixed an intermittent issue where domains were not normalized, which caused an incorrect verdict response.

PAN-120662 (PA-7000 Series firewalls using PA-7000-20G-NPC cards only) Fixed an intermittent issue where an out-of-memory (OOM) condition caused the dataplane or internal path monitoring to stop responding.


PAN-120548 Fixed an issue where the Captive Portal request limit was ignored when you configured the Captive Portal authentication method to browser-challenge.

PAN-120409 (PA-7000 Series firewalls only) Fixed an issue where firewalls running a 20G Network Processing Card (NPC) or a 20GQ NPC dropped stream control transmission protocol (SCTP) connections due to incorrect session handling.

PAN-120342 Fixed an intermittent issue where the dataplane stopped responding when processing a UDP packet that passed through an IPSec tunnel.

PAN-120194 (Virtual and M-Series Panorama appliances and Log Collectors only) Fixed an issue where closed Elasticsearch (ES) indices were continuing to receive and re-queue logs, which resulted in high CPU usage.

PAN-119257 Fixed an issue where the firewall could not establish an IKEv2 connection with SHA256 certificates.

PAN-119187 (Panorama only) Fixed an issue where a file lock was released before the lock was taken, which triggered an erroneous maximum connection timeout that prevented administrators from logging in to and executing commands from the command-line interface (CLI).

PAN-119030 Fixed an issue on Panorama M-Series and virtual appliances where bootstrapped managed firewalls were disconnected after you performed a partial revert if you did not first perform a manual commit. With this fix, the manual commit is not required.

PAN-118964 Fixed an issue on VM-Series firewalls where single root I/O virtualization (SR-IOV) did not support packet mmap in access mode and DPDK mode.

PAN-118784 Fixed an intermittent issue where the firewall dropped a message: Update PDP Context Response and did not update the General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U).

PAN-118509 Fixed an issue on Panorama M-Series and virtual appliances where shared policies were out of sync due to an empty stream control transmission protocol (SCTP) after you upgraded the firewall from PAN-OS 8.0.16 to PAN-OS 8.1.8.

PAN-118423 Fixed an intermittent issue with local high availability (HA) status changes where a process (mprelay) failed to commit changes to the HA state.


PAN-118411 Fixed an issue where ARP entries took longer than expected to age out in a single run.

PAN-118407 Fixed an issue where an internal path monitoring failure due to a buffer leak caused the firewall to reboot.

PAN-117923 Fixed an issue where the management server stopped responding when an incorrect filter was used to filter traffic logs instead of displaying an error message.

PAN-117921 Fixed an issue where you were unable to create GTP inner sessions, which caused the firewall to drop GTP-U data packets when the firewall was deployed on S1-U and S-11 interfaces.

PAN-117916 Fixed an issue where the dataplane stopped responding when you pushed permitted IP addresses from Panorama to managed firewalls.

PAN-117720 (GlobalProtect™ Clientless VPN environments only) Fixed an issue where a process (all_pktproc) stopped responding and caused the firewall to restart unexpectedly when processing GlobalProtect Clientless VPN traffic. To leverage this fix, you must first upgrade (Devices > Dynamic Updates) to GlobalProtect Clientless VPN content release 79 or a later release.

PAN-116807 (PA-7000, PA-5200, and PA-3200 Series firewalls only) Fixed an issue where the firewall dropped ICMP error messages when the security policy was configured to allow ICMP.

PAN-116798 Fixed an issue on Panorama M-Series and virtual appliances where the progress bar for a commit all job incorrectly remained at 0% after a job was completed.

PAN-116769 Fixed an issue where a process (pan_comm) stopped responding due to a memory allocation error.

PAN-116729 Fixed an issue where you were unable to deploy bootstrapped content in offline environments due to content validity checks.

PAN-116634 Fixed an issue where the date in the GlobalProtect HTTP header was incorrectly set to a random date instead of a zero (0), which negatively and falsely impacted security scorecard ratings.

PAN-116613 Fixed an issue on a VM-Series firewall deployed in Microsoft Azure where packets dropped silently due to a kernel error.

PAN-116513 Fixed an issue where VM-Series firewalls did not bootstrap successfully when you included the software version in the software folder of the bootstrap package.


PAN-116436 (Panorama virtual appliances only) Fixed an issue where a disk calculation error resulted in an erroneous opt/panlogs/ partition full condition and caused a process (CDB) to stop responding.

PAN-116416 Fixed an issue on Panorama M-Series and virtual appliances where a process (configd) stopped responding when you performed a commit to a large number of firewalls.

PAN-116383 Fixed an issue with Panorama on Azure where the configuration of an HA pair became out of sync due to different plugin versions being detected even though the same versions were installed on both peers.

PAN-116280 Fixed an issue where the firewall displayed a static route warning when the next hop IP address was not included in the subnet of the outgoing interface.

PAN-116227 Fixed an issue on Panorama M-Series and virtual appliances where traffic logs did not display data when the IPv6 address filter was based on a netmask.

PAN-116218 Fixed an issue where the test routing bgp virtual-router default restart peer Peer-v6 CLI command did not execute the operational request and returned the following error message: op command for client routed timed out as client is not available.

PAN-116128 Fixed an issue where a process (logrcvr) stopped responding when packet captures (pcap) were generated for HTTP2 traffic.

PAN-116123 Fixed an issue where a process (devsrvr) stopped responding when you performed a commit or a configuration validation when the proxy ID contained 24 or more characters.

PAN-115856 Fixed an issue where Dynamic IP and Port (DIPP) NAT pools did not release used ports after all sessions were removed.

PAN-115852 Fixed an issue on VM-Series firewalls on AWS where you could not change maximum transmission unit (MTU) values from the web interface, which displayed the following error message: Malformed Request.

PAN-115794 Fixed an issue where, after you upgraded the firewall from PAN-OS 8.1.5 to PAN-OS 9.0.0, the firewall displayed the following validation error: plugins 'read-only' is not an allowed keyword.

PAN-115792 Fixed an issue where, after a refresh of the external dynamic list, values from the previous list were not retained, which caused the list values to display 0.0.0.0 and displayed the following error message: HTTP/1.1 500 Internal Server Error.


PAN-115748 Fixed an intermittent issue on Panorama M-Series and virtual appliances where a memory issue caused the firewall to reboot.

PAN-115738 Fixed an issue where data logs were generated but the firewall did not forward the logs to the syslog server.

PAN-115695 Fixed an intermittent issue where a large number of packets were received before acknowledgments were complete, which depleted descriptor queue entries and resulted in high latency during data transfers even though CPU usage looked normal.

PAN-115450 Fixed a rare issue where a race condition occurred between daemons during a tunnel re-key, which caused BGP sessions to drop from Large Scale VPN tunnels. To leverage this fix, you must run the debug rasmgr delay-nh-update CLI command.

PAN-115354 Fixed an issue on Panorama M-Series and virtual appliances where renaming a device group followed by a partial commit did not change the device group hierarchy as expected.

PAN-115287 Fixed an issue where commits failed and displayed the following error message: Commit job was not queued. All daemons are not available.

PAN-115219 Fixed an issue on Panorama M-Series and virtual appliances where Global Find caused the web interface to stop responding when you searched for common English words.

PAN-115186 Fixed an issue where SaaS reports were not generated because report definitions were not pushed to the log collector.

PAN-114958 Fixed an issue where the User-ID™ (useridd) process consumed more CPU cycles than expected when you configured User-ID redistribution.

PAN-114889 Fixed an issue where a Panorama template push to a firewall running a PAN-OS 8.1 release or earlier resulted in the deletion of split tunnel configurations when any address objects or address groups were included. With this fix, you still must remove all address groups before pushing templates to a PAN-OS 8.1 or earlier release.

PAN-114867 Fixed an issue where GlobalProtect gateway client configuration generation failed when a matching rule existed.

PAN-114844 Fixed an issue on Panorama M-Series and virtual appliances where malformed API calls caused the firewall to reboot.

PAN-114779 Fixed an issue where log purging took longer than expected, which prevented the firewall from capturing traffic logs.


PAN-114567 Fixed an issue where the Eventid eq globalprotectportal-config-succ system query caused the management server (mgmtsrvr) process to stop responding.

PAN-114566 Fixed an issue where, after a commit, the firewall displayed the following error message: No Valid DNS Security License even when the license was valid and successfully applied.

PAN-114533 Fixed an issue where traffic was blocked by safe search enforcement instead of the intended allow rule.

PAN-114526 Fixed an issue where a larger than expected number of packets sent over a GTP-U tunnel caused packet captures to fill the files faster than expected. With this fix, you can run the debug dataplane packet-diag set capture gtpu-lvl [1-30] command to ensure GTP-U traffic is captured.

PAN-114475 Fixed an issue where Panorama in FIPS mode defaulted to FIPS-CC mode instead of Normal mode.

PAN-114427 Fixed an issue where an empty host name in the HTTP header caused a web server process (websrvr) to stop responding when you accessed the captive portal redirect page.

PAN-114264 Fixed an issue where sessions were offloaded as the application identification was performed when you configured a custom application with Continue scanning for other application.

PAN-114160 Fixed an issue where you were unable to download ZIP files greater than 3GB through a GlobalProtect Clientless VPN application.

PAN-114105 Fixed an issue on a Panorama M-Series appliance where the Summary (Panorama > Managed Devices > Summary) web interface refreshed every 10 seconds when set to refresh manually.

PAN-114090 Fixed an issue on a Panorama virtual appliance in Legacy mode and in an HA active/passive configuration where logs were forwarded only to the active firewall.

PAN-114002 Fixed an issue where you were unable to import variable CSV files when variable names contained a character space.

PAN-113971 (PA-7000 Series firewalls only) Fixed an issue where the High Speed Chassis Interconnect (HSCI) link flapped after you rebooted the firewall.


PAN-113930 Fixed an issue on VM-Series firewalls where CPU loads were uneven across cores when more than 8 cores were allocated to the dataplane.

PAN-113912 Fixed an issue where a process (ikemgr) stopped responding and caused the firewall to reboot.

PAN-113887 Fixed an issue where loading custom app tags did not complete successfully, which prevented subsequent requests (such as commits, content installs, and FQDN refreshes) from executing as expected.

PAN-113870 Fixed an issue where Security policies were not evaluated in sequential order when the policy was based on URL categories.

PAN-113796 Fixed an issue where GlobalProtect configured with the pre-logon then on-demand connect method was unable to authenticate during pre-logon when you configured the portal and gateway with an Authentication Override and without a certificate profile.

PAN-113767 Fixed an issue where the firewall silently dropped packets when security profiles were attached and the FPGA enabled AHO and DFA.

PAN-113619 Fixed an issue where the GlobalProtect gateway did not assign an IP address when the local IP address was a supernet of the GlobalProtect pool.

PAN-113501 Fixed an issue where the Panorama management server returned a Secure Copy (SCP) server connection error after you created an SCP Scheduled Config Export profile (Panorama > Scheduled Config Export) because the SCP server password exceeded 15 characters in length.

PAN-113229 Fixed an issue on Panorama M-Series and virtual appliances in an HA active/passive configuration where the passive firewall displayed an out-of-sync shared policy status when you edited the Device Group.

PAN-113185 Fixed an issue where the passive firewall in an HA active/passive configuration was processing traffic.

PAN-112988 Fixed an issue where a process (useridd) leaked memory, which caused the firewall to drop traffic and display the following error message: Out-of-memory condition detected, kill process.

PAN-112972 Fixed an issue where scheduled reports were not generated as expected when you added groups in a query builder.


PAN-112566 Fixed an issue where the GlobalProtect Client was unable to download files from a web interface, sessions went into DISCARD state, and the firewall displayed the following message: Packet dropped, control plane service not allowed.

PAN-112529 Fixed an issue where the firewall incorrectly sent several benign critical content alerts daily.

PAN-112467 Fixed an issue where obsolete IPv6 Neighbor Discovery (ND) entries did not clear as expected, which caused the IPv6 table to reach full capacity and caused new IPv6 ND entries to fail.

PAN-112308 Fixed an issue where hardware security module (HSM) accounts were locked out after three attempts when you ran the show hsm ha-status CLI command.

PAN-112016 Fixed an issue on VM-Series firewalls where the physical port counters on the dataplane interfaces did not increase on KVM when you disabled DPDK.

PAN-111698 Fixed an issue where administrators were unable to log in when character spaces were used in usernames.

PAN-111660 Fixed an issue where an incorrect SSH key initialization caused a process (pan_comm) to stop responding every 15 minutes when you configured an SSH proxy on the firewall.

PAN-110990 Fixed an issue where a logical operation not configured with receive_time in the traffic log filter did not respond as expected.

PAN-110960 Fixed an issue on Panorama M-Series and virtual appliances where commits failed when you configured an address group object in the Include List (Network > Zone > <zone-name> > Include List).

PAN-110839 Fixed a rare issue where a dataplane restart or a commit triggered a large number of route updates, which caused a process (routed) to stop responding.

PAN-110628 Fixed an issue where user groups were deleted from the Group Include List (Device > User Identification > Group Mapping Settings > <group-name> > Group Include List) if you changed the LDAP server profile account password.

PAN-110234 Fixed an issue where administrators with a Superuser (read-only) role were able to initiate a commit through the CLI.

PAN-110168 Fixed an issue where the firewall and Panorama web interface did not present HSTS headers to your web browser.


PAN-109803 Fixed an issue where credential phishing prevention did not detect user or password phishing when passwords that contained two discontiguous character spaces were used.

PAN-109759 Fixed an issue where the firewall did not generate a notification for the GlobalProtect client when the firewall denied unencrypted TLS sessions due to an authentication policy match.

PAN-107207 Fixed an issue where the VPN tunnel operational status incorrectly displayed up even though the VPN tunnel was down.

PAN-106889 Fixed a rare issue on a firewall in an HA active/passive configuration running in FIPS-CC mode where the passive firewall rebooted into maintenance mode.

PAN-106628 Fixed an issue where the firewall did not generate a system log when the firewall detected a RAM issue.

PAN-106449 Fixed an issue where, when you connected to an internal GlobalProtect gateway on a firewall in an HA active/passive configuration and authenticated with multi-factor authentication (MFA) to access a resource, the first and second authentication factors succeeded but you were not redirected to the actual resource.

PAN-106100 (PA-3200 Series firewalls only) Fixed an issue on a firewall in an HA active/active configuration where SSL traffic through the GlobalProtect VPN (in SSL mode) tunnel stopped responding after Layer 7 processing completed and when asymmetric routing occurred.

PAN-105286 Fixed an issue where the firewall did not record email header information in Data Filtering logs when you triggered a test mail that contained a data leak prevention (DLP) pattern.

PAN-104909 Fixed an issue where the firewall incorrectly forwarded traffic when you configured the ingress interface with a QoS policy and the egress interface as a tunnel.

PAN-104808 Fixed an issue where scheduled SaaS reports generated and emailed empty PDF reports.

PAN-104251 Fixed an issue where the syslog server TCP keep-alive parameter caused the connection to unexpectedly age out.

PAN-103865 Fixed an issue where the firewall did not detect user credentials when the number of users exceeded 60,000.

PAN-103847 Fixed a memory buffer allocation issue that caused the Session Initiation Protocol (SIP) traffic NAT to stop responding.


PAN-101613 (PA-800 Series firewalls only) Fixed an intermittent issue where a congestion condition occurred during periods of low traffic. With this fix, run the set system setting hol-system enable CLI command to enable the HOL system mode.

PAN-84670 Fixed an issue where firewalls that were not configured to decrypt HTTPS services and applications traffic allowed users without valid authentication timestamps to access those resources regardless of Authentication Policy settings. To prevent such access, either configure the firewall to decrypt traffic or run the debug device-server cp-deny-encrypted on command and perform a force commit (this command will persist across reboots).

PAN-OS 9.0.3-h3 Addressed Issues
Issue ID Description

PAN-123700 A security-related fix was made to prevent a memory corruption vulnerability in PAN-OS® software (PAN-SA-2019-0023 / CVE-2019-1582).

PAN-123603 A security-related fix was made to prevent a memory corruption vulnerability in PAN-OS® software (PAN-SA-2019-0021 / CVE-2019-1580).

PAN-123564 A security-related fix was made to prevent a mitigation bypass that led to a remote code execution (RCE) vulnerability in PAN-OS® software (PAN-SA-2019-0022 / CVE-2019-1581).

PAN-121814 Fixed an issue where the threat log incorrectly displayed informational severity-level threats with a high severity level.

PAN-OS 9.0.3-h2 Addressed Issues
Issue ID Description

PAN-120745 An enhancement was made to the IP Options field in the TCP/IP header for zone protection profiles.

PAN-OS 9.0.3 Addressed Issues
Issue ID Description

WF500-4995 Fixed an issue on Panorama™ M-Series and WF-500 appliances where administrators were unable to run the debug software disk-usage aggressive-cleaning enable CLI command, which resulted in the following error message: Server error: Failed to execute op command.

PAN-118949 Fixed an issue where, after you changed the filter configuration in the user.src notin 'cns\proxy full profile, the firewall displayed the following error message: Unknown user group cns\Proxy Full.

PAN-118640 Fixed an issue where the GTP-U session did not match the correct policy, which caused the IMSI and IMEI not to display in the inner session traffic and threat logs.

PAN-117424 Cortex Data Lake without Panorama, which removes Panorama as a requirement to send logs to Cortex Data Lake, was introduced in PAN-OS 9.0.2 and was not initially supported for PA-220 and PA-800 Series firewalls. This issue details a change we've made in PAN-OS 9.0.3 to support this feature across all firewall platforms. Here's how you can get started with Cortex Data Lake now.

PAN-117359 (Firewalls with an AutoFocus license only) Fixed an issue where AutoFocus™ threat intelligence did not display when hovering over source and destination addresses in the logs when you configured a service route or proxy.

PAN-117249 Fixed an issue where end users who did not have REST API authentication roles were able to list and edit configuration rules.

PAN-117149 Fixed an issue on firewalls configured with authentication policies where sessions matching an authentication policy did not generate traffic logs as defined in the security policy when sessions were redirected or denied.

PAN-116969 Fixed an issue where authentication failed when you configured a User Principal Name (UPN) and included a group in the profile.

PAN-116848 Fixed an issue where multiple device group administrators simultaneously enabling configuration locks caused a race condition.


PAN-116828 Fixed an issue on Panorama M-Series and virtual appliances where the management server and a process (configd) used higher than expected CPU and memory.

PAN-116069 (PA-200 firewalls only) Fixed a rare out-of-memory (OOM) condition.

PAN-116579 Fixed an issue where the firewall sent truncated URLs to the
Captive Portal Redirect message when HTTPS traffic sent
through a proxy server was subjected to decryption.

PAN-116188 Fixed an issue where communication between tunnel interfaces did not respond when you configured a generic routing encapsulation (GRE) tunnel.

PAN-116022 Fixed an issue where the NSX Manager passed a blank string to
Panorama, which added a null entry into the configuration and
caused commits to fail.

PAN-115930 Fixed an intermittent issue where, after a configuration change, a commit caused the dataplane to stop responding.

PAN-115526 Fixed an issue where a dataplane process (all_pktproc) stopped responding due to the packet buffer protection feature.

PAN-115494 Fixed an issue where the /opt/pancfg/ partition became full due to a configuration preview operation not responding.

PAN-115415 Fixed an issue where a session created from a predict session went into DISCARD state.

PAN-115379 Fixed an issue where you were unable to create a custom log forwarding profile when you configured a filter with the "in" and "not in" operators (Objects > Log Forwarding > Add > Add > Filter > Filter Builder), which resulted in the following error message: Invalid filter policy-logging-cf-ent -> match-list -> ITS_url_logs -> filter is invalid.

PAN-115339 Fixed a rare issue where a commit caused the firewall to stop
responding when you enabled flow debug and configured a
NAT policy.

PAN-115035 Fixed a rare issue where Threat log and URL log stopped
generating.

PAN-115012 Fixed an issue where a process (appweb) stopped responding, which caused the web interface to stop responding.

PAN-114867 Fixed an issue where GlobalProtect gateway client configuration generation failed when a matching rule existed.


PAN-114743 Fixed an issue on Panorama M-Series and virtual appliances where, after you upgraded the firewall to PAN-OS® 8.1, commits failed when Panorama was configured to manage shared gateway objects for managed firewalls.

PAN-114695 Fixed an issue where a daemon (authd) stopped responding when you configured a GlobalProtect portal and gateway with Security Assertion Markup Language (SAML) authentication.

PAN-114642 Fixed an issue where firewall logs incorrectly included the end-
user IP address in GTP message logs when you configured PAA
IE with IPv4 and IPv6 dual stack in the Create Session Response
message.

PAN-114607 Fixed an issue where all the log collectors did not get queued
when you configured more than 32 collector groups.

PAN-114593 Fixed an issue where the set system setting layer4-checksum disable CLI command did not disable the Layer 4 checksum check as expected.

PAN-114577 Fixed an issue on Panorama M-Series and virtual appliances where you were unable to authenticate when the authentication profile contained a server profile that used the FQDN of the server.

PAN-114437 Fixed an issue on Panorama M-Series and virtual appliances where, after you upgraded the firewall from PAN-OS 8.0.8 to PAN-OS 8.1.4, commits took longer than expected when you configured the Device Group with large group hierarchies.

PAN-114435 Fixed an issue where multiple dataplanes stopped responding and caused traffic outages after you enabled IPSec tunnels.

PAN-114434 Fixed an issue where the firewall created incorrect predict sessions, which caused flow sessions to fail for applications.

PAN-114403 Fixed an issue on Panorama M-Series and virtual appliances where serial numbers for deployed firewalls did not display in the web interface, with the exception of GlobalProtect cloud service firewalls.

PAN-114395 Fixed an issue on a VM-Series firewall where a process (all_task) stopped responding, which caused the firewall to reboot.

PAN-114275 Fixed an issue where the firewall dropped GTPv1 DELETE PDP response packets that had a tunnel endpoint ID (TEID) value of 0.


PAN-114181 Fixed an issue where the firewall incorrectly triggered Reverse Path Forwarding (RPF), which caused packet leaks.

PAN-113795 Fixed an issue on a firewall configured with GlobalProtect Clientless VPN where a process (all_pkts) stopped responding, which caused the dataplane to restart.

PAN-113775 Fixed an issue where the firewall dropped UpdatePDPContext response packets and displayed the following GTP log event: 122113.

PAN-113631 A security-related fix was made to address a use-after-free (UAF) vulnerability in the Linux kernel (PAN-SA-2019-0017 / CVE-2019-8912).

PAN-113614 Fixed an issue with a memory leak on Panorama appliances associated with commits that eventually caused an unexpected restart of the configuration (configd) process.

PAN-113340 (PA-200 firewalls only) Fixed an issue where the management plane (MP) memory was lower than expected, which caused the MP to restart.

PAN-113189 A security-related fix was made to correct log file string-conversion errors that caused parsing issues, which caused the User-ID (useridd) process to stop running.

PAN-113117 Fixed an issue on Panorama VM-Series firewalls where you were logged out of the web interface and had to log back in to push a device group and template configuration from a newly launched bootstrapped firewall.

PAN-113046 (PA-5200 Series firewalls only) Fixed an issue where a process (brdagent) stopped responding, which caused the management plane to stop responding.

PAN-112674 Fixed an issue where an escape ( "\" ) character was added to HTTP logs when a log contained a comma.

PAN-112577 Fixed an issue on a VM-Series firewall in an HA active/passive configuration where the HA1 port flapped and caused a split-brain condition.

PAN-112446 Fixed an issue where a predefined report (blocked credential post) generated reports using the incorrect query builder (flags has credential-builder), which caused the report to incorrectly display logs for alerts.

PAN-112293 Fixed an issue where the connection between the firewall and
Log Collector flapped.


PAN-112167 Fixed an issue where IPv4 BGP routes were missing from the
routing table and FIB after a failover event.

PAN-112106 Fixed an issue where the firewall was unable to add IPv6
loopback IP address ::1 to the external dynamic list and
displayed the following error message: Invalid ips: ::1.

PAN-111976 Fixed an issue where you were unable to generate user activity reports when the username included a colon ( : ), ampersand ( & ), or single quotation mark ( ' ) character.

PAN-111872 A security-related fix was made to address a command injection vulnerability (PAN-SA-2019-0018 / CVE-2019-1576).

PAN-111708 (PA-3200 Series firewalls only) Fixed a rare software issue that caused the dataplane to restart unexpectedly. To leverage this fix, you must run the debug dataplane set pow no-desched yes CLI command.

PAN-111380 (PA-5200, PA-3200, and PA-7000 Series firewalls with 100Gbps cards only) Fixed an issue where the show qos interface ae1 throughput 0 CLI command incorrectly displayed the active data stream only and QoS was not working as expected on the first subinterface.

PAN-111286 Fixed an issue where you were unable to generate a custom report (Monitor > Manage Custom Report > <device-name> > Report Setting).

PAN-110996 Fixed an issue where the dataplane stopped responding due to an incorrectly calculated offset when you configured Exclude video traffic from the tunnel (Network > GlobalProtect > Gateways > <gateway-name> > Agent > Video Traffic).

PAN-110962 Fixed an issue where a process (all_pktproc) stopped responding when SSH decryption was enabled, which caused the dataplane to restart.

PAN-110883 Fixed an issue on a VM-Series firewall where all jobs did not execute and returned the following error message: Error- time out sending/receiving message.

PAN-110873 Fixed an issue where member interfaces of the aggregate interface did not display on the web interface (Panorama > Managed Devices > Health > All Devices > <device-name> > Interfaces).

PAN-110758 Fixed an issue on Panorama M-Series and virtual appliances where you were unable to configure the firewall to disable the portal login page.


PAN-110638 Fixed an issue where you were unable to establish a GlobalProtect connection over IPv6 and the firewall displayed the following error message: Packet too big, because the firewall MTU value was set lower than normal on the neighboring firewall.

PAN-110548 Fixed an intermittent issue where heartbeats failed on the management plane (MP), which caused the dataplane to stop responding and displayed the following error message: Dataplane is down: controlplane exit failure.

PAN-110526 Fixed an issue where Captive Portal authentication required two log-in attempts when the authentication sequence was configured as an authentication profile.

PAN-110293 Fixed an issue where GTP-U traffic dropped when the GTP tunnel endpoint ID (TEID) was not updated correctly during a GTP-C update.

PAN-109966 Fixed an issue where the content update threshold downloaded and installed an older content version after you manually installed a newer content version.

PAN-109954 Fixed an issue where a commit failed with the error message cluster is missing 'encryption' when HA Traffic Encryption (Panorama > Managed WildFire Clusters > <appliance-name> > Communication) was not configured and after upgrading from PAN-OS 8.0.12 to PAN-OS 8.1.4.

PAN-109944 Fixed an intermittent issue where a process (configd) restarted due to a race condition when generating custom reports.

PAN-109663 Fixed an intermittent issue where the firewall dropped packets during a commit or high availability (HA) sync even though the matching policy rule was set to allow.

PAN-109837 Fixed an issue where a race condition occurred when a configuration push and a NetFlow update occurred simultaneously, which caused the dataplane to restart.

PAN-109575 Fixed an issue where you were unable to configure more than one device certificate (Device > Certificate Management > Certificates > <device certificate-name>) with Trusted Root CA.

PAN-109336 (PA-500 and PA-800 Series firewalls only) Fixed an issue where commits failed after you imported a device state from Panorama and the template configuration referenced Bidirectional Forwarding Detection (BFD).


PAN-109186 Fixed an issue where the dataplane stopped responding and caused a failover event.

PAN-109101 Fixed an issue where you were unable to override IKE Gateway
configurations (Network > IKE Gateways > <template-name>)
in the template stack. However, with this fix, you still cannot
override template stacks when you configure any value with
none. Additionally, to override the Local Identification, select
Authentication in the pop-up dialogue.

PAN-109024 Fixed an issue where, after you upgrade the firewall from PAN-
OS 8.0 to PAN-OS 8.1, firewalls configured with the User-ID™
agent and group mapping incorrectly mapped users to groups.

PAN-108990 Fixed an intermittent issue on a firewall where configuring Force Template Values (Network > Interfaces > Commit > Push to Devices > Templates) deleted the zone assigned to an interface.

PAN-108878 Fixed an issue where host traffic ICMP packets larger than
9,180 bytes dropped when you configured a jumbo frame with
a maximum MTU value of 9,216 bytes and with the DF option
enabled.

PAN-108846 Fixed an issue where a higher than expected rate of tunnel resolution packets occurred due to an internal loop, which caused a spike in dataplane CPU usage for firewalls that support distributed tunnel ownership.

PAN-108785 Fixed an intermittent issue on a firewall in an HA active/passive configuration where a ping test stopped responding on Ethernet 1/1, 1/2, and 1/4 due to input errors on the corresponding switch port after an HA failover.

PAN-108715 Fixed an issue where the firewall did not update the dataplane DNS cache after the management plane (MP) DNS entries expired, which caused evasion signatures to erroneously trigger a Suspicious TLS/HTTP(S) Evasion Found event.

PAN-108164 Fixed an issue where a process (tund) caused the dataplane to restart during a commit.

PAN-107989 Fixed an issue where the Strict IP Address Check incorrectly triggered when you enabled ECMP (Network > Virtual Routers > Add > Router settings > ECMP).

PAN-107662 Fixed an issue on a firewall in an HA active/active configuration where client-bound DHCPv6 packets dropped when you configured the firewall as a DHCPv6 relay agent.

PAN-107370 Fixed an issue where IPv6 traffic throughput reduced more than expected after you updated a static ND entry (Network > Interfaces > <interface-name> > Advanced > ND Entries) by moving the interface to a different virtual router.

PAN-107126 Fixed an issue where an SSL inbound session cache corruption caused a process (all_pktproc) to stop responding.

PAN-106861 Fixed an issue where stale route entries remained in the FIB after the routes were removed from the routing table when you used a redistribution rule without a profile.

PAN-106857 Fixed an issue where the dataplane restarted due to an internal path monitoring failure caused by large SSL decrypted file transfer sessions.

PAN-106543 Fixed an issue on a firewall in an HA active/active configuration where the show vpn ipsec-sa CLI command incorrectly returned the error message Server error: An error occurred. See dagger.log for information when you ran the command on the active-secondary firewall.

PAN-106344 Fixed an issue where the log collectors within a collector group retained varying numbers of detailed firewall logs when you enabled log redundancy.

PAN-106274 Fixed an issue on a firewall where a Layer 2 interface that contained a VLAN subinterface, in conjunction with policy-based forwarding (PBF), caused the firewall to forward the return traffic to the incorrect interface.

PAN-106259 Fixed an issue on a firewall in an HA active/passive configuration where the passive firewall reported a higher number of GlobalProtect user accounts than the active firewall.

PAN-105925 Fixed an issue where the GlobalProtect™ Gateway web interface did not display the list of previous users.

PAN-105412 Fixed an issue where forward error correction (FEC) was disabled by default for AOC modules, which caused QSFP ports to flap or remain in the DOWN state. With this fix, FEC is enabled by default for AOC modules.

PAN-105397 Fixed an issue where a firewall incorrectly processed path monitoring that originated from a NAT firewall on the same network segment.

PAN-105091 Fixed an issue on a firewall where stateful inspection failed, which caused the firewall to drop GTPv2-C Modify Bearer Request packets.

PAN-104568 Fixed an issue where the firewall did not send emails when you
configured the email gateway with an FQDN.


PAN-104274 Addressed an issue where, in a slow network environment, the firewall displayed the error message error on line 1 at column 1: document is empty when you used an API call to fetch a license, even though the auth code was successfully applied. Extremely slow networks may still see this issue.

PAN-103285 Fixed an issue where an API call (show system disk details) responded with the following error message: An error occurred. See dagger.log for information.

PAN-103225 Fixed an issue on Panorama M-Series and virtual appliances where the Task Manager did not display progress after you pushed a configuration to a firewall.

PAN-102979 Fixed an issue where Dynamic Updates did not display expired Threat Prevention licenses when you tried to install an application from Panorama.

PAN-102745 Fixed an intermittent issue on a firewall where a commit and FQDN refresh took longer than expected.

PAN-101970 Fixed an issue where the decode filter was unable to detect the end characters of a file name, which caused the firewall to bypass the file blocking profile.

PAN-101764 Fixed an issue where a process (slmgr) stopped responding during an auto-commit.

PAN-101379 Fixed an issue where an invalid Captive Portal authentication policy was successfully pushed to managed firewalls, which caused auto-commits to fail.

PAN-101052 Fixed an issue on Panorama M-Series and virtual appliances where Panorama unnecessarily checked and updated licenses for VM-Series firewalls on AWS after every commit, which resulted in new log entries. With this fix, Panorama no longer checks licenses after every commit.

PAN-100773 (PA-7000 Series firewalls only) Fixed an issue where the Quad Small Form-factor Pluggable (QSFP) port on a 20GQ NPC card took longer than expected to respond.

PAN-100742 Fixed an issue on Panorama M-Series and virtual appliances where scheduled reports generated more than one DNS lookup, which caused inconsistent name resolution for DNS deployments.

PAN-100693 Fixed an issue where you were unable to process Address Group match criteria when the match name included the double quotation ( " ) character.


PAN-99354 Fixed an issue where the firewall incorrectly denied URL access
when the URL filtering profile was configured to alert.

PAN-99134 Fixed an issue where temporary files generated during preview changes did not get cleared, which caused disk space issues.

PAN-98746 Fixed an issue where GlobalProtect Clientless VPN did not get redirected to the application URL when you used Internet Explorer as the web browser.

PAN-97288 Fixed an issue on GlobalProtect Clientless VPN where the URL was truncated when you excluded the domain in the Rewrite Exclude Domain List (Network > GlobalProtect > Portals > <portal-name> > Clientless VPN > Advanced Settings).

PAN-92872 Fixed an intermittent issue where the firewall sent packets incorrectly to an outgoing interface.

PAN-89820 Fixed an intermittent issue where the Data Filtering log (Monitor > Data Filtering) and Threat log (Monitor > Threat) did not display file names when you transferred multiple files in a single session.

PAN-81778 Fixed an issue where scheduled reports did not generate as expected due to a race condition.

PAN-OS 9.0.2-h4 Addressed Issues
Issue ID Description

PAN-119745 A security-related fix was made to address the Netflix-reported Linux kernel TCP SACK vulnerabilities (PAN-SA-2019-0013 / CVE-2019-11477, CVE-2019-11478, CVE-2019-11479, and CVE-2019-5599).

PAN-118869 A security-related fix was made to address an issue where the php-debug log incorrectly displayed non-sanitized data (PAN-SA-2019-0019 / CVE-2019-1575).

PAN-107239 A security-related fix was made to address cleartext passwords and keys that were visible in the logs for XML API calls (PAN-SA-2019-0019 / CVE-2019-1575).
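The question a practitioner asks of these tables is whether the release running on a device already carries a given security fix. The Python block below is an added example, not Palo Alto Networks code and not part of the original release notes. It parses PAN-OS version strings in the form this page uses (major.minor.maintenance with an optional -hN hotfix suffix, for example 9.0.2-h4) and orders them so that 9.0.2 < 9.0.2-h4 < 9.0.3, which is the order that matters when a security fix ships in a hotfix. The advisory-to-release table is limited to the advisories whose fixed-in release is stated on this page (PAN-SA-2019-0013 and PAN-SA-2019-0019 in 9.0.2-h4, PAN-SA-2019-0005 in 9.0.1) and is valid only for the 9.0 train, so a version from another train is rejected rather than compared; the device names in the usage block are constructed.

```python
import re
from typing import Dict, List, NamedTuple


class PanOsVersion(NamedTuple):
    """A PAN-OS release: 9.0.2-h4 -> (9, 0, 2, 4); 9.0.2 -> (9, 0, 2, 0)."""
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when the version carries no -hN suffix


# Accepts "9.0.5" and "9.0.2-h4"; rejects anything else (e.g. "9.0" or "9.0.2h4").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> PanOsVersion:
    """Parse a PAN-OS version string into a comparable tuple.

    Plain tuple comparison yields the order used in these release notes:
    the hotfix 9.0.2-h4 sorts after 9.0.2 and before 9.0.3.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return PanOsVersion(int(major), int(minor), int(maint), int(hotfix or 0))


# Advisory -> first 9.0.x release that carries the fix, as stated in the
# 9.0.2-h4 and 9.0.1 Addressed Issues tables on this page. 9.0 train only.
FIXED_IN_9_0: Dict[str, str] = {
    "PAN-SA-2019-0013": "9.0.2-h4",  # Linux kernel TCP SACK (CVE-2019-11477/-11478/-11479, CVE-2019-5599)
    "PAN-SA-2019-0019": "9.0.2-h4",  # CVE-2019-1575: cleartext passwords/keys and unsanitized data in logs
    "PAN-SA-2019-0005": "9.0.1",     # CVE-2019-1572: management web interface authentication bypass
}


def is_fixed(running: str, fixed_in: str) -> bool:
    """True when the running release is the fixed-in release or a later one."""
    return parse_version(running) >= parse_version(fixed_in)


def missing_fixes(running: str, table: Dict[str, str] = FIXED_IN_9_0) -> List[str]:
    """Advisories in `table` whose fix the running 9.0.x release does not carry.

    Raises ValueError for a version outside the 9.0 train: a fix landing in
    9.0.2-h4 says nothing about when (or whether) it landed in another train.
    """
    current = parse_version(running)
    if (current.major, current.minor) != (9, 0):
        raise ValueError(f"{running} is not a 9.0.x release; this table does not apply")
    return sorted(adv for adv, fixed in table.items() if not is_fixed(running, fixed))


if __name__ == "__main__":
    # Constructed sample inventory; these are not real devices.
    inventory = [("fw-edge-1", "9.0.2"), ("fw-edge-2", "9.0.2-h4"), ("fw-dc-1", "9.0.5")]
    for device, version in inventory:
        gaps = missing_fixes(version)
        status = "up to date" if not gaps else "missing " + ", ".join(gaps)
        print(f"{device} ({version}): {status}")
```

Note that the hotfix is treated as a fourth ordering component rather than a string suffix: a naive string or float comparison would either ignore the -h4 or sort "9.0.2-h4" ahead of "9.0.2", and in both cases a device on plain 9.0.2 would be reported as carrying the 9.0.2-h4 kernel fix it does not have.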

PAN-OS 9.0.2 Addressed Issues
Issue ID Description

WF500-5023 Fixed an issue on WF-500 appliances where the cluster service took longer than expected to start due to a large amount of queued sample data.

WF500-5022 Removed a non-functioning CLI command from WF-500 appliances.

WF500-4974 Fixed an issue on a WF-500 appliance where the static analysis results displayed in the PDF report but did not display in the WildFire® analysis summary of the web interface.

WF500-4844 Fixed an issue on WildFire appliance clusters where the passive controller responded with the incorrect Common Name (CN) in the certificate, which caused the registration to fail.

WF500-4838 Fixed an intermittent issue on a WF-500 appliance where WildFire reports took longer than expected to generate, which caused the task to automatically time out.

WF500-4784 Fixed an issue on a WF-500 appliance where, during a reboot, the following error message displayed: FATAL: module nbd not found.

WF500-4743 Fixed an intermittent issue on a WF-500 appliance where the CLI command debug wildfire reset global-database fix became unresponsive.

PAN-118065 (M-Series Panorama management servers in Management Only mode) When you delete the local Log Collector (Panorama > Managed Collectors), it disables the 1/1 ethernet interface in the Panorama configuration as expected, but the interface still displays as Up when you execute the show interface all command in the CLI after you commit.
Workaround: Disable the 1/1 ethernet interface before you delete the local Log Collector and then commit the configuration change.

PAN-116919 (Microsoft Azure only) Fixed an issue where the firewall dropped packets passing through IPSec tunnels if you enabled jumbo frames (Device > Setup > Session > Session Settings).

PAN-116658 Fixed a rare issue where the firewall sent HTTP/2 DATA
frames with incorrect padding byte lengths, which caused
software buffer corruption and a process (all_pktproc) to stop
responding.


PAN-116316 Fixed an issue where RTP and RTCP predict sessions failed,
which caused the firewall to stop processing RTSP-based video
streaming.

PAN-116084 Fixed an issue where a VM-Series firewall on Microsoft Azure deployed using MMAP dropped traffic when the firewall was experiencing heavy traffic.

PAN-115592 Fixed an issue where the firewall rebooted due to a plugin memory leak.

PAN-115591 Fixed an issue where the snmpd process leaked memory when polling for global counters.

PAN-114893 Fixed an issue where a context switch from Panorama™ to a firewall did not respond as expected when a web browser was used.

PAN-114804 Fixed an issue where a configuration change reset to "default" when you conducted a search in the Categories (Objects > URL Filtering > Categories) web interface.

PAN-114601 Fixed an issue where the Allow List (Device > Setup > Authentication Setting > <authentication profile-name> > Authentication) did not update after you added new users to a group in Active Directory.

PAN-114255 Fixed an issue where Bidirectional Forwarding Detection (BFD) went down temporarily during a commit or EDL refresh if you configured a large value for the BFD Hold Time.

PAN-114003 Fixed an issue on a Panorama management server running PAN-OS 9.0 where a context switch to firewalls did not respond.

PAN-113829 Fixed an issue where, after you upgraded the firewall to PAN-OS® 9.0, a custom URL category action changed from "none" to "allow" reverted to "none" after a commit.

PAN-113692 Fixed an intermittent issue on a firewall in a high availability (HA) active/passive configuration where, five minutes after a failover test, IP routes disappeared, which caused traffic interruptions.

PAN-113608 Fixed an issue on a firewall with packet capture (pcap) enabled where the log receiver stopped responding when larger than expected packets were received.

PAN-113414 Fixed an issue where the User-ID (useridd) process stopped responding.


PAN-112815 Fixed an issue on a firewall in an HA active/passive configuration where a process (useridd) did not respond to the alternate user attribute (Device > User Identification > Group Mapping Settings > <group mapping-name> > User and Group Attributes) on the passive firewall during a restart.

PAN-112814 Fixed an issue where H.323-based calls lost audio because the predicted H.245 session was not converted to Active status, which caused the firewall to drop the H.245 traffic.

PAN-112729 Fixed an issue on Panorama M-Series and virtual appliances where Decrypted Sessions Info (Panorama > Managed Devices > Health > All Devices > <device-name> > Sessions) did not display as expected for VM-Series firewalls.

PAN-112699 (VM-Series firewall on AWS running on a C5 or M5 instance only) Fixed an issue where you were unable to use the mgmt-interface-swap command to swap the interfaces for deploying a VM-Series firewall behind a web load balancer (such as AWS ALB or Classic ELB).

PAN-112626 Fixed an issue where a new DNS Security subscription was not available on your VM-Series firewall after you upgraded to a PAN-OS 9.0 release with a PAYG Bundle 2 license.

PAN-112445 Fixed an issue on a firewall in an HA active/passive configuration where a race condition caused the firewall to stop responding after an HA1 link flap.

PAN-112340 Fixed a performance issue, including high CPU usage, that occurred when you enabled URL Filtering without enabling Threat Prevention in an environment that processes a large number (thousands) of URL look-ups per second per dataplane.

PAN-112194 Fixed an issue where packet buffers did not release GlobalProtect™ Clientless VPN packets, which caused the firewall to stop responding.

PAN-111679 Fixed an issue where URL Filtering profiles were incorrectly applied to security policies during a commit.

PAN-111553 Fixed an issue on the Panorama management server where the Include Device and Network Templates setting (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections) was disabled by default and caused your push attempts to fail. With this fix, your push will Include Device and Network Templates by default.

PAN-111540 Fixed an issue on PA-5200 Series firewalls where the dataplane stopped responding when the session table was full.


PAN-111251 Fixed an issue where administrators were unable to use the CLI to enable or disable DNS Rewrite under a Destination NAT policy rule (they were able to execute the command, but the firewall did not implement the change).

PAN-110390 Fixed an issue on PA-7000 Series firewalls where invalid filters caused the device management server to stop responding when you generated a database (DB) report from a remote firewall.

PAN-110273 Fixed an issue where you were unable to establish OSPF neighborship when the OSPF routing protocol was configured with MD5 authentication and one of the firewalls was restarted.

PAN-109672 Fixed an issue on a VM-Series firewall in an HA active/passive configuration where the passive firewall received buffered packets while in an idle state when the Data Plane Development Kit (DPDK) was enabled.

PAN-109344 Fixed an issue where service objects did not import into Panorama when you configured them identically but with different names.

PAN-108374 Fixed an issue on GlobalProtect where you were unable to authenticate when the domain name included the ampersand ( "&" ) character.

PAN-106518 Fixed an issue on Panorama M-Series and virtual appliances where predefined DHCP options did not accept template variables when you configured a DHCP server for a template.

PAN-101341 Fixed an issue where administrators configured with the Device Group and Template Admin type were unable to perform a global search and received the following message: Unauthorized request.

PAN-OS 9.0.1 Addressed Issues
Issue ID Description

PAN-113911 Fixed an issue on PA-5200 Series firewalls where the dataplane stopped responding due to a deadlock when you accessed the stream session table.

PAN-113845 Fixed an issue where content installation failed and displayed the following error message: Error: failed to handle TDB_UPDATE_BLOCK, after you upgraded to PAN-OS 9.0.

PAN-113771 A security-related fix was made to allow Online Certificate Status Protocol (OCSP) checks while disallowing HTTP calls.

PAN-113682 Fixed an issue where the dataplane restarted when processing HTTP/2 traffic with padded DATA frames.

PAN-113675 A security-related fix was made to address an authentication bypass vulnerability in the PAN-OS Management Web Interface (CVE-2019-1572 / PAN-SA-2019-0005).

PAN-113512 Fixed an issue where an XML API response for an external dynamic list did not return invalid or ignored members after you upgraded to PAN-OS® 9.0.

PAN-113446 Fixed an issue where the firewall unintentionally generated the following system log: Installed content package WildFire is newer than available package, skipping, when you checked for WildFire® updates.

PAN-113302 Fixed an issue where commits to the Panorama™ configuration after you upgraded to PAN-OS 9.0 failed with the following error message: statistics-service is invalid.

PAN-112700 (PA-7000 Series firewalls in an HA configuration only) Fixed an issue that occurred after you upgraded to PAN-OS 9.0 where some logs displayed a different rule name than the rule name associated with the universally unique identifier (UUID).

PAN-112592 Fixed an issue on a firewall where the system log did not generate an alert for AutoFocus™ license expiry.

PAN-112458 Fixed an issue on a firewall where the management server stopped responding when debugs were configured and you exported traffic logs (Monitor > Traffic <traffic-name> > Export to CSV).

PAN-112428 Fixed an intermittent issue where autocommits failed and Panorama stopped displaying device groups when managing a WildFire appliance that was running an earlier maintenance release of the same feature release (such as using Panorama running PAN-OS 8.1.6 to manage a WF-500 appliance that was running PAN-OS 8.1.3).

PAN-112305 Fixed an issue where source (Object > Dynamic Lists <list-
name> > Create List) URLs, which contained double escape
characters caused external dynamic list entries to display
incorrect values in the policies.

PAN-112274 Fixed an issue on Panorama M-Series and virtual appliances


where a process (configd) stopped responding when a role-
based user with privacy settings disabled, viewed a scheduled
report that required data anonymization.

PAN-112098 Fixed an intermittent issue on a firewall where outbound traffic


failed with an error message: (proxy decrypt failure)
when configured with HTTP Header Insertion (Objects >
Security Profiles > URL Filtering <filter-name> > HTTP Header
Insertion).

PAN-111897 Fixed an issue where the tags were not set on OSPFv3 routes
redistributed to BGP-3.

PAN-111850 Fixed an issue where the firewall did not capture the number of
packets in the threat packet capture (pcap) as configured in the
extended packet capture length setting.

PAN-111822 (PA-3200, PA-5200, and PA-7000 Series firewalls only) Fixed


an intermittent issue on a firewall configured with policy-based
forwarding (PBF) and symmetric return, where traffic dropped
because the ARP table did not get updated.

PAN-111638 Fixed an issue where the external dynamic list did not update
after a scheduled refresh of the list.

PAN-111052 Fixed an issue where a firewall in a virtual wire (vwire)
deployment silently dropped TCP packets when the antivirus
profile was enabled.

PAN-110441 (PA-5200 Series firewall only) Fixed an intermittent issue where
the internal path monitoring failed, which caused the firewall to
unexpectedly restart.

PAN-110341 Fixed an issue where the firewall sent RIP updates more
frequently than expected.

PAN-110336 (PA-3000, PA-3200, PA-5000, PA-5200, and PA-7000 Series
firewalls only) Fixed an issue where a process (mpreplay)
restarted and caused the offload traffic to drop.

PAN-108620 Fixed an issue where Traps ESM logs were sent to the Log
Collector but did not display in the web interface (Monitor >
Traps ESM).

PAN-108575 Fixed an issue where a process (configd) stopped responding
and displayed the following error message: configd is down.

PAN-108409 Fixed an issue on a firewall in a high availability (HA) active/
passive configuration where scheduled dynamic updates
pushed from Panorama to the managed firewalls failed.

PAN-108113 Fixed an issue where Bidirectional Forwarding Detection (BFD)
did not function on a static route for which the next hop for
that route was an FQDN (instead of an IP address).

PAN-108111 Fixed an issue where Bidirectional Forwarding Detection (BFD)
did not function on a BGP peer that was identified using an
FQDN (instead of an IP address).

PAN-107677 Fixed an issue on GlobalProtect™ where Security Assertion
Markup Language (SAML) authentication failed when you used
a macOS operating system.

PAN-107006 Fixed an issue where you were unable to search for service
objects by destination port numbers.

PAN-106963 Fixed an issue where the firewall did not display the full URL
information in the URL Filtering log (Monitor > URL Filtering)
after a ( '\r' ) return character.

PAN-106249 (PA-200, PA-220, and PA-800 Series firewalls only) Fixed
an issue where the Block IP List option, which is not
supported, displayed in the administrator role profile (Device >
Admin Role > Web UI).

PAN-104263 Fixed an issue where the RTC battery reading exceeded the
maximum threshold value.

PAN-103023 Fixed an intermittent issue where a job type (content) caused
a firewall configuration failure and the firewall to stop
responding.

PAN-96827 Fixed an issue where BGP command output formats did not
display consistently across different PAN-OS releases.

PAN-92155 Fixed an issue where administrators were unable to configure
an IP address using templates for HA2 (Device > High
Availability > Data Link (HA2)) after setting the configuration
to IP or Ethernet for Panorama management servers in HA
configuration.

PAN-85691 Fixed an issue where Authentication policy rules that were
based on multi-factor authentication (MFA) did not block
connections to an MFA vendor when the MFA server profile
specified a Certificate Profile that had the wrong certificate
authority (CA) certificate.

PAN-OS 9.0.0 Addressed Issues
Issue ID Description

WF500-4811 Fixed an issue where WF-500 appliances displayed the wrong
WildFire® content version (show system info) after a
WildFire content update.

PAN-109668 A security-related fix was made to limit the amount of
information returned from an API call error message.

PAN-109124 A security-related fix was made to address an issue where you
were unable to retrieve GlobalProtect™ cloud service threat
packet captures from the Logging Service on Panorama M-
Series and virtual appliances.

PAN-109096 Fixed an issue where the firewall did not remove the 4 Byte AS
Format number when Remove Private AS is enabled.

PAN-109003 Fixed an issue on Panorama™ M-Series and virtual appliances
where a process (configd) stopped responding during a local
commit.

PAN-107887 Fixed an issue where an API call did not return the details of the
security policy when you added a service group.

PAN-107779 Fixed an issue where WildFire signature version information
was no longer displayed after you activated a GlobalProtect
client.

PAN-107117 Fixed an issue where device administrators were unable to
manually upload signature files (Device > Dynamic Updates)
and the firewall displayed the following error message:
You need superuser privileges to do that.

PAN-106784 Fixed an issue where the firewall revealed password hashes in
the web interface when changing administrator passwords.

PAN-106721 Fixed an intermittent issue where a processor cache memory
corruption caused a reload when the firewall freed packets
from the buffer.

PAN-106695 Fixed an issue on a firewall in a high availability (HA) active/
passive configuration where the Panorama management server
enabled the administrator to clone a rule on the passive firewall.

PAN-106181 Fixed an issue where the Cancel option was removed to
prevent access when you Require Password Change on First
Login (Device > Setup > Management).

PAN-106019 Fixed an issue where a process (routed) stopped responding
when an incomplete command ran in the XML API.

PAN-105849 A security-related fix was made to address an issue with the
wf_curl.log file in WF-500 appliances (WildFire).

PAN-105737 Fixed an issue where AUX ports remained in Down state after
you upgraded to PAN-OS 8.1.7.

PAN-105684 Fixed an issue on a firewall in an HA active/passive
configuration where OSPF and BGP running on an Aggregate
Ethernet (AE) interface with LACP enabled took longer than
expected after a failover.

PAN-105040 Fixed an issue where the dataplane processor caused memory
loss in the packet buffer pool.

PAN-104623 Fixed an issue where a process (brdagent) printed QoS
information messages in the brdagent.log file, which caused a
missed heartbeat and the firewall to restart.

PAN-104616 Fixed an issue where certificate imports failed when you used a
backslash ( \ ) character in a password to export certificates.

PAN-104578 (PA-800 Series firewalls only) Fixed an issue on a firewall in an
HA active/passive configuration where the HA failover took
longer than expected.

PAN-104572 Fixed an issue on Panorama M-Series and virtual appliances
where the configd.log file displayed schema error messages
after you created an administrator role with context switch UI
permissions enabled.

PAN-104354 Fixed an issue on a firewall in an HA active/passive
configuration where the passive firewall ran a configuration out
of sync after a restart.

PAN-104078 Fixed an issue where administrators could not successfully
add conditional advertisements (Network > Virtual Routers >
<virtual-router> > BGP > Conditional Adv) for BGP routing
tables (changes were lost after commit).

PAN-103863 Fixed an issue where the IPSec tunnel restart (Network >
IPSec Tunnels > IKE Info) did not display properly on the web
interface.

PAN-103857 Fixed an issue on a firewall in an HA active/passive
configuration where the suspended firewall processed traffic.

PAN-103615 Fixed an issue where scheduled log exports failed on
nonstandard ports.

PAN-103192 Fixed an issue on a firewall where the Global Find for IPSec
tunnels displayed incorrect search results.

PAN-103061 Fixed an issue where special characters contained in the CLI
comment field caused the process (devsrvr) to stop responding.

PAN-103055 Fixed an issue where you were unable to filter Address Groups
(Objects > Address Groups) by an address object name.

PAN-102779 Fixed an issue on a PA-3000 Series firewall where multiple
(all_pktproc) processes failed and caused the dataplane to stop
responding.

PAN-102526 Fixed an issue on Panorama M-Series and virtual appliances
where disk quota edits failed and displayed the following error
message: quota-settings -> disk-quota is invalid.

PAN-102029 Fixed an issue on a firewall where the DNS resolution routed
through the dataplane and configured with a service route
stopped responding when the management interface was not
configured.

PAN-101821 Fixed an issue where Referer was spelled incorrectly in the
HTTP Headers section of the Detailed Log View (Monitor >
URL Filtering).

PAN-101451 Fixed an issue where SNMP queries displayed incorrect values.

PAN-101391 Fixed an issue where the scheduled nightly custom report was
not generated or emailed as expected.

PAN-101365 Fixed an intermittent issue where the session ID did not clear
when the session ID is set to 0.

PAN-101294 Fixed an issue where administrators were allowed to create
tunnel interfaces from the template stack.

PAN-101068 Fixed an issue where the object identifier (OID) ifAdminStatus
incorrectly displayed up when configured to down.

PAN-100656 Fixed an issue on Panorama M-Series and virtual appliances where
duplicate entries in BGP redistribution configurations were not
verified, which caused commits to fail.

PAN-100464 Fixed an issue where the sub-interfaces and the configurations
were deleted when you tried to override the subinterface of a
template stack.

PAN-100154 Fixed an issue where the default static route always became the
active route and took precedence over a DHCP auto-created
default route that was pointing to the same gateway regardless
of the metrics or order of installation. With this fix, the firewall
no longer installs the default static route in the FIB when the
system has both a DHCP auto-created default route and a
manually configured default static route pointing to the same
gateway.

PAN-100049 Fixed an issue on Panorama M-Series and virtual appliances
where Push Scope Selection (Commit > Push to Devices)
selected firewalls not in the hierarchy of the firewall you
selected.

PAN-99945 Fixed an issue on Panorama where the progress bar in the web
interface stopped responding and did not display any status
after sending a commit or activating an auth code even though
the task completed successfully.

PAN-99640 A security-related fix was made to address a denial of service
(DoS) vulnerability in PAN-OS Linux Kernel (CVE-2017-8890).

PAN-99551 Fixed an issue on a firewall in an HA active/passive
configuration where the User-ID™ process stopped responding
on the passive firewall when the system was managing a high
number of (more than 30,000) active users.

PAN-99447 (Virtual and M-Series Panorama appliances and Log Collectors
only) Fixed an issue where a Log Collector received logs
destined for closed Elasticsearch (ES) indices, which caused
indices to return failure messages and, when the issue persisted
for more than a few hours, caused Log Collectors to disconnect
and reconnect repeatedly when attempting (and failing) to
process the re-queued logs.

PAN-98130 Fixed an intermittent issue where the firewall allowed traffic
based on an unmatched rule after a session rematch was
triggered.

PAN-98005 Fixed an issue where adding more than eight Log Collectors to
a collector group caused the configuration (configd) process to
stop responding.

PAN-97848 Fixed an issue where if you deployed Panorama on KVM, it
deployed in Legacy mode instead of Management Only mode
even when meeting the minimum resource requirements for
Management Only mode.

PAN-97417 Fixed an issue where the loopback IP address redistributed to
the Local RIB table instead of the Adj-RIBs-out table.

PAN-96344 Fixed an issue on a firewall where TCP reset packets were sent
even after you set the vulnerability profile action to drop the
packets.


PAN-96297 Fixed an issue where a process (useridd) stopped responding
due to the syslog server messages not parsing with field
identifiers.

PAN-95445 Fixed an issue where VM-Series firewalls for NSX and firewalls
in an NSX notify group (Panorama > VMware NSX > Notify
Group) briefly dropped traffic while receiving dynamic address
updates after the primary Panorama in a high availability (HA)
configuration failed over. This fix requires the VMware NSX
plugin 2.0.4 or a later version.

PAN-94486 Fixed an issue where the dataplane did not get a dynamic IP
address assigned because the process (routed) did not release it.

PAN-92725 Fixed an issue on the firewall and Panorama management
server where the web interface became unresponsive because
the (cord) process restarted after you configured multiple
log forwarding destinations in a single forwarding rule for
Correlation logs (Device > Log Settings).

PAN-92485 Fixed an issue on Panorama M-Series and virtual appliances
where you were unable to set the MTU (Network >
Interfaces > Ethernet > <Interface> > Ethernet Interface >
Advanced > Other Info) value to more than 1460 bytes with
Jumbo Frames enabled.

PAN-91930 Fixed an issue on Panorama M-Series and virtual appliances
where you were unable to type in tunnel zone names in the
Tunnel Source Zone (Policies > > Pre Rules > > <rule-name> >
Inspection > Security Options) field.

PAN-91499 Fixed an issue on a firewall where an address object FQDN
resolution returned the IPv6 DNS record but did not return all
associated (IPv4 and IPv6) DNS records.

PAN-91442 Fixed an issue where an external dynamic list with an invalid
IPv6 address range caused commits to fail.

PAN-82278 Fixed an issue where filtering did not work for Threat logs
when you filtered for threat names that contained certain
characters: single quotation (’), double quotation (”), back slash
(\), forward slash (/), backspace (\b), form feed (\f), new line
(\n), carriage return (\r), and tab (\t).
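PAN-106963 (a URL log cut off at a carriage return) and PAN-82278 (Threat log filters failing on quote, slash, backslash and control characters) are two faces of one problem: log fields that are written raw and filtered raw. The Python below is an added example, not PAN-OS code and not its log format or filter syntax. It shows a field value containing CR LF splitting a naive single-line record into two, the same value kept on one line when each field is stored as a JSON string literal (the escape set named in PAN-82278 is exactly the one JSON defines), and a filter that compares decoded values so a name containing those characters matches as typed. The sample records and the `key="value"` record format are constructed for the example.

```python
import json
import re

# Constructed sample values, not real log data. The threat name contains
# every character listed in PAN-82278; the URL carries an embedded CR LF
# followed by text that would read as a second field.
THREAT_NAME = "Test 'name' \"quoted\" \\back /fwd \b\f\n\r\t end"
INJECTED_URL = 'http://example.com/login?next=/\r\nurl="http://attacker.example/"'


def naive_record(fields):
    """A logger that writes values raw: a CR or LF inside a value ends the
    line early and whatever follows reads as a separate record (PAN-106963)."""
    return " ".join(f"{k}={v}" for k, v in fields.items())


def encode_field(value):
    """Store a field as a JSON string literal. json.dumps escapes \\b \\f
    \\n \\r \\t \\" and \\\\, so the value stays on one line; '/' needs no
    escape here and is only a problem for a parser that splits on it."""
    return json.dumps(value, ensure_ascii=False)


def format_record(fields):
    """One record per line, each value JSON-quoted (hypothetical format)."""
    return " ".join(f"{k}={encode_field(v)}" for k, v in fields.items())


# key="..." where the quoted part is a JSON string: every backslash escape
# is consumed as a pair, so an escaped quote cannot end the field early.
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*")')


def parse_record(line):
    """Inverse of format_record: decode every JSON-quoted field."""
    return {m.group(1): json.loads(m.group(2)) for m in _FIELD.finditer(line)}


def filter_lines(lines, field, wanted):
    """Filter on decoded values, so a name containing quotes, slashes or
    control characters matches exactly as the user typed it (PAN-82278)."""
    return [rec for rec in map(parse_record, lines) if rec.get(field) == wanted]


SAMPLE_LINES = [
    format_record({"type": "THREAT", "threat_name": THREAT_NAME,
                   "url": "http://example.com/"}),
    format_record({"type": "URL", "threat_name": "", "url": INJECTED_URL}),
    format_record({"type": "THREAT", "threat_name": "Benign",
                   "url": "http://example.com/x"}),
]

if __name__ == "__main__":
    print(repr(naive_record({"type": "URL", "url": INJECTED_URL})))  # raw CR LF inside
    for line in SAMPLE_LINES:
        print(line)  # one physical line each, control characters escaped
    print(filter_lines(SAMPLE_LINES, "threat_name", THREAT_NAME)[0]["type"])
```

The design point is that escaping happens once, at the storage boundary, and the filter works on decoded values; a filter that instead had to reproduce the storage escaping by hand is exactly where a backslash or quote in a threat name stops matching.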

PAN-72861 Fixed an issue where when you configured a PA-5200 Series or
PA-7000 Series firewall to perform tunnel-in-tunnel inspection,
which includes GRE keep-alive packets (Policies > Tunnel
Inspection > <tunnel_inspection_rule> > Inspection > Inspect
Options), and ran the clear session all CLI command
while traffic was traversing a tunnel, the firewall temporarily
dropped tunneled packets.

Getting Help
The following topics provide information on where to find more about this release and how to
request support:

> Related Documentation
> Requesting Support

Related Documentation
Refer to the PAN-OS® 9.0 documentation on the Technical Documentation portal for general information
on how to configure and use already-released features.
• PAN-OS 9.0 New Features Guide—Detailed information on configuring the features introduced in this
release.
• PAN-OS 9.0 Administrator’s Guide—Provides the concepts and solutions to get the most out of your
Palo Alto Networks next-generation firewalls. This includes taking you through the initial configuration
and basic set up on your Palo Alto Networks firewalls.
• Panorama 9.0 Administrator’s Guide—Provides the basic framework to quickly set up the Panorama™
virtual appliance or an M-Series appliance for centralized administration of the Palo Alto Networks
firewalls.
• WildFire 9.0 Administrator’s Guide—Provides steps to set up a Palo Alto Networks firewall to forward
samples for WildFire® Analysis, to deploy the WF-500 appliance to host a WildFire private or hybrid
cloud, and to monitor WildFire activity.
• VM-Series 9.0 Deployment Guide—Provides details on deploying and licensing the VM-Series firewall on
all supported hypervisors. It includes examples of supported topologies on each hypervisor.
• GlobalProtect 9.0 Administrator’s Guide—Describes how to set up and manage GlobalProtect™ features.
• PAN-OS 9.0 Web Interface Help—Detailed, context-sensitive help system integrated with the firewall
and Panorama web interface.
• Palo Alto Networks Compatibility Matrix—Provides operating system and other compatibility
information for Palo Alto Networks next-generation firewalls, appliances, and agents.
• Open Source (OSS) Listings—OSS licenses used with Palo Alto Networks products and software:
• PAN-OS 9.0
• Panorama 9.0
• Wildfire 9.0

Requesting Support
For contacting support, for information on support programs, to manage your account or devices, or to
open a support case, go to https://support.paloaltonetworks.com.
You can also use the Palo Alto Networks® Contact Information as needed.
To provide feedback on the documentation, please write to us at: .

Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
Palo Alto Networks, Inc.
www.paloaltonetworks.com
