Version 9.0.5
paloaltonetworks.com/documentation
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support
Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2019-2019 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Last Revised
November 14, 2019
PAN-OS® RELEASE NOTES | PAN-OS 9.0 Release Information
Features Introduced in PAN-OS 9.0
The following topics describe the new features and new hardware introduced with the PAN-OS® 9.0 release, which requires content release version 8103 or a later version. For upgrade and downgrade considerations and for specific information about the upgrade path for a firewall, refer to the PAN-OS 9.0 New Features Guide. The new features guide also provides additional information about how to use the new features in this release.
• App-ID Features
• Virtualization Features
• Panorama Features
• Content Inspection Features
• GlobalProtect Features
• Management Features
• Networking Features
• User-ID Features
• WildFire Features
• Hardware Features
App-ID Features

New App-ID Feature | Description

Policy Optimizer
Policy Optimizer identifies all applications seen on any legacy Security policy rule and provides an easy workflow for selecting the applications you want to allow on that rule. Additionally, it helps you remove unused applications from overprovisioned application-based rules. This simplified workflow allows you to migrate a legacy rule gradually and natively to an application-based rule so you can safely enable applications in your environment and improve your security posture.
(Beginning with PAN-OS 9.0.2) Policy Optimizer also gives you the option to select applications in a legacy Security policy rule and add applications to an existing rule so that you can leverage pre-existing App-ID based rules and eliminate the need to continually create new rules. You can also now choose between the container app and the specific apps seen, so that the web interface clearly displays which applications have been seen on a rule and which ones were added as part of the container but have not yet been seen on that rule.

HTTP/2 Inspection
You can now safely enable applications running over HTTP/2 without any additional configuration on the firewall. As more websites continue to adopt HTTP/2, the firewall can enforce security policy and detect and prevent threats on a per-stream basis. This visibility into HTTP/2 traffic enables you to secure web servers that provide services over HTTP/2 and allows your users to benefit from the speed and resource efficiency gains that HTTP/2 provides.
Strict Default Ports for Decrypted Applications
Application-default—which enables you to allow applications only on their most commonly-used ports—now enforces strict standard port usage for certain applications that use a different default port when they are encrypted: web-browsing, SMTP, FTP, LDAP, POP3, and IMAP. For example, with SSL decryption turned on, application-default differentiates between cleartext and encrypted web-browsing traffic and strictly enforces:
• cleartext web-browsing traffic (HTTP) on port 80
• encrypted web-browsing traffic (HTTPS) on port 443
Virtualization Features

New Virtualization Feature | Description

VM-Series firewall on KVM—VLAN Access Mode with SR-IOV (available starting with PAN-OS 9.0.4)
In VLAN access mode with SR-IOV, when you deploy the VM-Series firewall as a Virtual Network Function (VNF) on the KVM hypervisor, it can send and receive packets from SR-IOV virtual functions (VFs) without VLAN tags. This capability enables you to apply QoS policies on the access interface and provide differentiated treatment of traffic in a multi-tenant deployment.

VM-Series on AWS—Support for C5 and M5 Instance Types with ENA
The VM-Series firewall on AWS adds support for the C5 and M5 instance types that use the Elastic Network Adapter (ENA). With the support for these instance types, you can deploy the VM-Series firewall in all regions that support C5/M5 instance types, including new AWS regions, such as AWS Paris, that exclusively use newer instance types.

Support for HA for VM-Series on Azure
The VM-Series firewall on Azure now supports an active/passive HA configuration. This capability is delivered using the VM-Series plugin (see the VM-Series Plugin feature).

Higher Performance for VM-Series on Azure using Azure Accelerated Networking (SR-IOV)
To support higher throughput, VM-Series firewalls deployed on the D/DSv2 and D/DSv3 classes of Azure VMs include support for Accelerated Networking (SR-IOV). You can now deploy this higher performance firewall as an active/passive HA pair or in a scale-out deployment with Azure load balancers.

The following Networking Features are also relevant for VM-Series deployments in private or public cloud environments:
• Security Group Tag (SGT) EtherType Support
• FQDN Refresh Enhancement
• FQDN Support for Static Route Next Hop, PBF Next Hop, and BGP Peer
• Dynamic DNS Support for Firewall Interfaces
• Advanced Session Distribution Algorithms for Destination NAT
• VXLAN Tunnel Content Inspection
Panorama Features

Master Key Deployment from Panorama
When you need to change the default master key used to encrypt sensitive elements in the configuration, you can now deploy a master key to firewalls, Log Collectors, and WildFire appliances from Panorama. In a large-scale deployment, managing the master key centrally from Panorama ensures a uniform master key deployment and provides visibility into the status of the operation.

Device Management Capacity Enhancement
Scale up all your Panorama capabilities to manage up to 5,000 firewalls, using M-600 appliances or similarly resourced Panorama virtual appliances. This enhancement allows you to leverage all the benefits of centralization while utilizing the logging, reporting, device health monitoring, device deployment, and configuration management capabilities of Panorama for a larger number of firewalls. For example, if you are managing 3,500 firewalls using four Panorama appliances, you can now consolidate to a single Panorama appliance for managing your firewalls to ease the operational burden and reduce your management footprint.

Granular Configuration Management of Device Groups and Templates
In order to troubleshoot configuration errors, you can now perform operations such as export, revert, save, import, and load at a device group and template level. For example, this granularity allows you to independently

Streamlined Device Onboarding
Panorama enables simplified onboarding of new firewalls by allowing you to assign them to device groups, templates, collector groups, or Log Collectors during the initial deployment. You can also elect to automatically push the configuration to firewalls when the firewalls initially connect to Panorama. Using this onboarding workflow, you can ensure that new firewalls are immediately configured and ready to secure your network.

VM-Series Plugin
The VM-Series plugin manages integration with public and private clouds, allowing Palo Alto Networks to release bug fixes, new features, or new cloud integrations independent of a PAN-OS release.
Panorama 9.0 supports the VM-Series plugin and supplies the compatible version, but does not install it automatically. Install the plugin if you have VM-Series cloud integrations and you want to use Panorama to manage them centrally.
Content Inspection Features

DNS Security
The firewall can now access the full database of Palo Alto Networks DNS signatures through a new DNS Security service. The DNS Security service also performs proactive analysis of DNS data to predict new malicious domains and to detect C2 evasion techniques—like domain generation algorithms and DNS tunneling—that aim to bypass common protections.

New Security-Focused URL Categories
New security-focused URL categories enable you to implement simple security and decryption policies based on website safety, without requiring you to decide (or even know) which websites are likely to expose you to web-based threats:
• High risk, medium risk, and low risk—These categories indicate the level of suspicious activity a site displays. All URLs—except those that are confirmed malware, C2, or phishing sites—now include this risk rating.
• Newly-registered domains—This category identifies sites that have been registered within the last 32 days. New domains are frequently used as tools in malicious campaigns.
These new categories can help you to reduce your attack surface by providing targeted decryption and enforcement for sites that pose varying levels of risk but are not confirmed malicious. Websites are classified with a security-related category only so long as they meet the criteria for that category; as site content changes, policy enforcement dynamically adapts.
Multi-Category URL Filtering
PAN-DB, the Palo Alto Networks URL database, now assigns multiple categories to URLs that classify a site's content,

Built-In External Dynamic List for Bulletproof Hosts
Because bulletproof hosting providers place few, if any, restrictions on content, attackers frequently use these services to host and distribute malicious, illegal, and unethical material. The Threat Prevention subscription now includes a new built-in external dynamic list (EDL) that you can use to block IP addresses associated with bulletproof hosting providers.

EDL Capacity Increases
External dynamic list (EDL) capacities are increased to better accommodate the use of third-party intelligence feeds, significantly expanding the number of threat indicators you can leverage within your network security policies. Additionally, you can now prioritize EDLs to make sure lists containing critical threat indicators are committed before capacity limits are reached.

Support for New Predefined Data Filtering Patterns
To identify and protect sensitive information from leaving your network, the firewall provides 19 new predefined data filtering patterns that identify specific (regulated) information from different countries of the world, such as INSEE Identification (France) and New Zealand Internal Revenue Department Identification Number. PAN-OS also performs a checksum validation for all patterns to eliminate false positives.
Cellular IoT Security
As your business moves to cellular IoT (CIoT) and the network adopts 3GPP CIoT technologies, you need to secure CIoT traffic to protect your network and CIoT from attacks. Cellular IoT security allows you to secure CIoT traffic and gain visibility into CIoT and device-to-device communication over your network. If you are a mobile network operator (MNO) or a mobile virtual network operator (MVNO), for example, a utility company focused on oil, gas, or energy operating as an MVNO, you can now secure CIoT traffic. CIoT security also allows you to protect MNO infrastructure and CIoT devices from DoS attacks on both the Signaling/Control and Data layers, attacks from infected CIoTs, and spying attacks; and it allows you to detect and prevent malware, ransomware, and vulnerabilities. Additionally, the firewall now supports Narrowband IoT (NB-IoT) radio access technology (RAT), 3GPP TS 29.274 for GTPv2-C up to Release 15.2.0, and 3GPP TS 29.060 for GTPv1-C up to Release 15.1.0.
CIoT security is supported on VM-Series firewalls, PA-5200 Series firewalls, and PA-7000 Series firewalls that have all new

GTP Event Packet Capture
Firewalls now support packet capture for a GTP event to make troubleshooting easier. GTP packet capture is supported for events such as GTP-in-GTP, end user IP address spoofing, and abnormal GTPv1-C, GTPv2-C, and GTP-U messages that have missing mandatory information elements (IEs), invalid IEs, an invalid header, out-of-order IEs, or an unsupported message type.
GTP event packet capture is supported on VM-Series firewalls, PA-5200 Series firewalls, and PA-7000 Series firewalls that have all new cards, including the new 100G NPC, new second-generation SMCs, and the new Log Forwarding Card (LFC).

Graceful Enablement of GTP Stateful Inspection
(PAN-OS 9.0.3 and later releases) You can now enable GTP stateful inspection in the firewall gracefully with minimal disruption to GTP traffic. You can allow GTPv2, GTPv1-C, and GTP-U packets that fail GTP stateful inspection to pass through a firewall. Although the firewall drops such packets by default after GTP stateful inspection is enabled, allowing them to pass minimizes disruption when you deploy a new firewall or when you migrate GTP traffic.

Graceful Enablement of SCTP Stateful Inspection
(PAN-OS 9.0.4 and later releases) You can now enable SCTP stateful inspection in the firewall gracefully with minimal disruption to SCTP traffic. You can allow SCTP packets that fail SCTP stateful inspection to pass through a firewall. Although the firewall drops such packets by default after SCTP stateful inspection is enabled, allowing them to pass minimizes disruption when you deploy a new firewall or when you migrate SCTP traffic.

One of the new App-ID Features, HTTP/2 Inspection, enables you to enforce threat prevention on a per-stream basis.
GlobalProtect Features

The following table describes new GlobalProtect features introduced in PAN-OS 9.0. For features related to the GlobalProtect app, see the GlobalProtect App 5.0 Release Notes.

Simplified Deployment for GlobalProtect Portals and Gateways
You can now reduce the number of GlobalProtect portals and gateways you need to deploy and manage for GlobalProtect use cases by configuring the following features on a single firewall:
• Endpoint Tunnel Configurations Based on Source Region or IP Address—You can now assign tunnel configurations to users based on their source IP address or region from a particular GlobalProtect gateway. For example,

HIP Report Redistribution
In data center environments, you can now use HIP report redistribution to ensure consistent policy enforcement across all endpoints and to simplify policy configuration and management across internal and external gateways. With HIP report redistribution, you use the same mechanism as User-ID redistribution to enable the GlobalProtect gateways to send the HIP reports to a Dedicated Log Collector (DLC), firewall, or Panorama. HIP report redistribution eliminates the need for exception policies for external gateways or internal gateways, thereby simplifying HIP setup and reducing configuration time for your gateways and firewalls.
Tunnel Restoration and Authentication Cookie Usage Restrictions
You can now enforce additional restrictions for enhanced security:
• You can now choose to enable automatic restoration of VPN tunnels at the gateway level. For example, you can enable automatic restoration of VPN tunnels for all gateways in the enterprise except for specific gateways that you want to require authentication before a tunnel is established.
• You can now choose whether to accept an authentication cookie when the IP address attributes (IP address or IP address range) of the endpoint change. If you choose to reject an authentication cookie when the endpoint IP address attribute differs from the original value associated with the authentication cookie, the user must authenticate again to receive a new authentication cookie.

Pre-Logon Followed By Two-Factor and SAML Authentication
The GlobalProtect app for Windows and Mac endpoints now supports pre-logon followed by two-factor or SAML authentication for user login. After the pre-logon tunnel is established, the user can log in to the endpoint and authenticate using the configured authentication method. If authentication is successful on Windows endpoints, the pre-logon tunnel is seamlessly renamed to User tunnel and the GlobalProtect connection is established. If authentication is successful on macOS endpoints, a new tunnel is created and the GlobalProtect connection is established.

GlobalProtect Gateway and Portal Location Configuration
To help users identify the geographic location of GlobalProtect gateways, you can now configure a label for the physical location. By separating the location into a dedicated label, you can also use location-independent names when you configure your gateways.
The GlobalProtect app displays the label for the location of the gateway to which a user is connected, and the Clientless VPN portal landing page displays the label for the location of the portal to which a Clientless VPN user is logged in.
When end users experience unusual behavior, such as poor network performance, they can provide this location information to their support or Help Desk professionals to assist with troubleshooting. They can also use this location information to determine their proximity to the Clientless VPN portal or gateway. Based on their proximity, they can evaluate whether they need to switch to a closer portal or gateway. However, auto-selected gateways are still preferred.
Refer to the GlobalProtect App 5.0 Release Notes for more information on gateway and portal location visibility for end users.
User Location Visibility on GlobalProtect Gateways and Portals
For enhanced reporting and user activity analysis, you can now view the source region of users that connect (or have previously connected) to GlobalProtect portals and gateways. You can identify the source region of the Clientless VPN users in the Remote Users section of the Portal configuration and the source region of GlobalProtect users in the Remote Users section of the Gateway configuration.

Concurrent Support for IPv4 and IPv6 DNS Servers
You can now assign up to ten IPv4 and IPv6 DNS servers in the client settings provided to the endpoint by the GlobalProtect gateway. This enhancement enables you to assign multiple IPv4 and IPv6 DNS servers simultaneously to the endpoints that connect to the gateway.

Support for IPv6-Only GlobalProtect Deployments
GlobalProtect now supports IPv6-only deployments. With this enhancement, you can define an IP address pool that uses only IPv6 addresses when you configure GlobalProtect gateways.
When you configure IPv6 pools, you must also enable split tunneling to route any IPv4 traffic from the endpoint to the internet.
Management Features

Cortex Data Lake Logging for Firewalls without Panorama
Palo Alto Networks Cortex Data Lake provides cloud-based, centralized log storage and aggregation for firewalls and services. With Cortex Data Lake, Palo Alto Networks takes care of the ongoing maintenance and monitoring of your logging infrastructure so that you can focus on your business.
Until PAN-OS 9.0.3, Panorama was required to onboard firewalls to Cortex Data Lake and to view logs stored in Cortex Data Lake. Now, with PAN-OS 9.0.3 and later releases, you can enable firewalls that are not managed by Panorama to securely connect and send logs to Cortex Data Lake.

Enforcement of Description, Tag and Audit Comment
As your team creates and modifies rules, the rationale for creating or modifying rules is lost over time. To capture the reason for rule creation and modification, you can now require a description, tag, or audit comment to maintain rule revision history for auditing. For example, if you are creating a new app-based security policy rule to replace a port-based rule, enforce these rule creation elements to ensure that the rule is appropriately grouped and that the administrator describes the purpose of the rule.

Rule Changes Archive
When you create or modify policy rules, you now have revision history to audit changes. To track and analyze how your policy rules have evolved over time, you can review the audit comment history and see differences between two rule versions. Combined with the new Enforcement of Rule Description, Tag and Audit Comment (see above), you can enforce audit comments with every rule creation and modification to ensure that the audit comment history is maintained for your policy rulebases.

Tag Based Rule Groups
Visually group related rules using a new group tag to efficiently manage large sets of related rules within any policy rulebase. You can use any tag as a group tag to organize related rules so that you can easily move, clone, or delete the rules in the selected group. This allows you to see the organizational changes that are happening to your rulebase and increases the efficiency of managing large sets of rules.

Policy Match and Connectivity Tests from the Web Interface
Validate policy configuration changes of one or more firewalls directly from the web interface to ensure network traffic matches the policy rules as expected. In addition to validating policy, you can also test that firewalls can reach network resources. With the ability to run test commands on the web interface, you can avoid over-provisioning administrator roles with CLI access while still giving administrators a way to determine whether firewalls are configured correctly.
Rule Usage Filtering
When auditing your rulebase, you can now filter and quickly identify unused rules to manage policy rules. Removing unused rules improves your security posture by reducing the proliferation of rules. For example, when transitioning from port-based rules to App-ID based rules, this information enables you to assess whether your App-ID based rules are matched instead of your port-based rules so that you can remove the unused rules.

Objects Capacity Improvements on the PA-5220 and the PA-3200 Series Firewalls
To help you scale your deployment and ease the migration to Palo Alto Networks firewalls, the PA-5220 and the PA-3200 Series firewalls have increased capacities for several objects, including increases in the number of address objects, address groups, service groups, service objects, zones, and policy rules.

API Key Lifetime
If you are using the firewall or Panorama APIs to enable programmatic access, you can now specify the API key lifetime to match the automation task duration and control the validity period for an authenticated and secure connection between the firewall/Panorama and the automation program or service. Because each API call requires the API key, using a key with a limited lifetime allows you to enforce key rotation at a regular cadence to safeguard your network and adhere to compliance standards. You can also expire all API keys simultaneously if you suspect accidental exposure or a leak.

PAN-OS REST API for a Simplified Automation/Integration Experience
In addition to the existing XML API, the firewalls and Panorama now support a REST API for a simpler API integration. With the REST API, the firewall is represented as a set of resources with URIs on which you can perform operations that allow you to easily map firewall tasks to the API interface. For example, Security policy is represented as a REST resource with URI /restapi/9.0/Policies/SecurityRules and has a list of operations that includes list, create, edit, delete, move, and rename. The REST API provides the flexibility to use JSON and XML data formats in API requests and responses, and supports versioning for backward compatibility with future PAN-OS releases. The initial release of this API allows you to manage the configuration of policies and objects on the firewall and Panorama and provides reference documentation that is built in to the product.
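The following Python client is added here as an illustration of the two features above and is not the product's own code. It shows how the Security policy resource maps to request methods (list, create, edit, delete, rename) and how a lifetime-bounded API key is refused once it expires, so an automation task cannot keep using a key past the lifetime chosen for it. The URI /restapi/9.0/Policies/SecurityRules and the operation names come from the release notes; the X-PAN-KEY header, the location/vsys/name query parameters, the :rename action with its newname parameter, and the request-body shape are assumptions of mine and should be checked against the reference documentation built in to the product. Nothing is sent on the network: each method returns the request parts for whichever HTTP client you use.

```python
"""Building PAN-OS 9.0 REST API requests with a lifetime-bounded API key.

Added illustration, not the product's own client. Only the resource URI and
operation names are from the release notes; the header name, query
parameters, ':rename' action and body shape are assumptions (see lead-in).
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional
from urllib.parse import urlencode


@dataclass(frozen=True)
class ApiKey:
    value: str
    issued_at: datetime
    lifetime: timedelta        # chosen to match the automation task's duration

    def valid_at(self, now: datetime) -> bool:
        return now < self.issued_at + self.lifetime


@dataclass(frozen=True)
class Request:
    method: str
    url: str
    headers: Dict[str, str]
    body: Optional[str]


class SecurityRulesClient:
    RESOURCE = "/restapi/9.0/Policies/SecurityRules"   # from the release notes

    def __init__(self, host: str, key: ApiKey, vsys: str = "vsys1"):
        self.host, self.key, self.vsys = host, key, vsys

    def _build(self, method: str, params: Dict[str, str], payload=None,
               action: Optional[str] = None, now: Optional[datetime] = None) -> Request:
        now = now or datetime.now(timezone.utc)
        if not self.key.valid_at(now):
            # An expired key is never sent; the task must obtain a fresh one.
            raise PermissionError("API key is past its lifetime; generate a new key")
        path = self.RESOURCE + (f":{action}" if action else "")    # assumed action syntax
        query = {"location": "vsys", "vsys": self.vsys, **params}  # assumed parameters
        headers = {"X-PAN-KEY": self.key.value, "Accept": "application/json"}  # assumed header
        body = None
        if payload is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(payload)
        return Request(method, f"https://{self.host}{path}?{urlencode(query)}", headers, body)

    def list(self, now=None) -> Request:
        return self._build("GET", {}, now=now)

    def create(self, name: str, rule: dict, now=None) -> Request:
        return self._build("POST", {"name": name}, payload=rule, now=now)

    def edit(self, name: str, rule: dict, now=None) -> Request:
        return self._build("PUT", {"name": name}, payload=rule, now=now)

    def delete(self, name: str, now=None) -> Request:
        return self._build("DELETE", {"name": name}, now=now)

    def rename(self, name: str, newname: str, now=None) -> Request:
        return self._build("POST", {"name": name, "newname": newname}, action="rename", now=now)


def demo() -> Dict[str, Request]:
    """Requests built at a fixed time inside a one-hour key lifetime (constructed values)."""
    key = ApiKey("API-KEY-PLACEHOLDER", datetime(2019, 11, 14, tzinfo=timezone.utc), timedelta(hours=1))
    client = SecurityRulesClient("firewall.example.com", key)
    at = datetime(2019, 11, 14, 0, 30, tzinfo=timezone.utc)
    rule = {"entry": {"@name": "allow-web", "action": "allow"}}   # body shape: see product docs
    return {
        "list": client.list(now=at),
        "create": client.create("allow-web", rule, now=at),
        "rename": client.rename("allow-web", "allow-web-app-id", now=at),
    }


def expired_key_rejected() -> bool:
    """True if a call two hours after issue (past the one-hour lifetime) is refused."""
    key = ApiKey("API-KEY-PLACEHOLDER", datetime(2019, 11, 14, tzinfo=timezone.utc), timedelta(hours=1))
    client = SecurityRulesClient("firewall.example.com", key)
    try:
        client.list(now=datetime(2019, 11, 14, 2, tzinfo=timezone.utc))
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for name, req in demo().items():
        print(name, req.method, req.url)
    print("expired key rejected:", expired_key_rejected())
```

Keeping the lifetime on the key object, rather than relying on the firewall to reject a stale key, means the automation fails closed at the client and the rotation cadence is visible in code review.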
Universally Unique Identifiers for Policy Rules
To simplify auditing, searching, reporting, and tracking for configuration changes to rules, universally unique identifiers (UUIDs) are created for all policy rulebases that you create on the firewall or push from Panorama. If you rename or delete the rule, the UUID ensures that the rule's history of changes is maintained. The UUID can pinpoint the rule across multiple rulebases containing thousands of rules that may have similar or identical names, and simplifies automation and integration for rules into third-party systems (such as ticketing or orchestration) that do not support names.

Temporary Master Key Expiration Extension
You can now extend the lifetime of the master key directly from the firewall or from Panorama until your next available maintenance window. If the master key is due to expire before your planned maintenance window, the key extension allows the firewall to remain operational and continue securing your network.

Real-Time Enforcement and Expanded Capacities for Dynamic Address Groups
To enforce security policy for entities such as IoT devices, virtual workloads, and containers that have bursts of traffic or short lifecycles, the firewalls can now update the list of registered IP addresses within a dynamic address group in real time. This enhancement enables the firewall to register IP addresses that match the tags you have defined in dynamic address groups and instantly apply policy as soon as the endpoint is online, and then unregister the IP addresses automatically based on a time limit that you configure. And to make it easier for you to monitor and troubleshoot these registered IP addresses, Panorama and the firewall now include a new IP-Tag log. Lastly, to handle a
Networking Features

New Networking Feature | Description

Security Group Tag (SGT) EtherType Support
If you're using Security Group Tags (SGTs) in a Cisco TrustSec network, inline firewalls in Layer 2 or Virtual Wire mode can now inspect and enforce the tagged traffic. Layer 3 firewalls in a Cisco TrustSec network can also inspect and enforce SGT traffic when deployed between two SGT exchange protocol (SXP) peers.
Processing of SGT traffic works by default and without any configuration changes. Because the firewall does not use SGTs as match criteria for security policy enforcement, you should continue to define SGT-based policy in the same way you do today.
FQDN Refresh Enhancement
With cloud applications requiring frequent FQDN refresh rates to ensure nonstop services, the FQDN refresh feature now supports the ability to refresh cached entries based on the DNS TTL value. You can set a minimum FQDN refresh time to limit how frequently the firewall will refresh the FQDN cache entries, to avoid refreshing too frequently, and state how long the firewall continues to use FQDN cached entries in the event of a network failure where the DNS server is unreachable.
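To make the three knobs in that description concrete, here is an added model of an FQDN cache (illustration only, not the firewall's implementation) that refreshes on the DNS TTL, never more often than a minimum refresh time, and keeps serving a stale entry for a bounded period when the DNS server is unreachable. The scheduling rules are assumptions of mine: the next refresh is due max(TTL, min_refresh) seconds after the last successful resolution, and a stale entry stays usable for stale_timeout seconds past that due time. The resolver and the timeline are constructed, and time is passed in explicitly so the sequence is reproducible.

```python
"""FQDN refresh cache driven by DNS TTL, with a minimum refresh interval
and a stale-entry allowance when the DNS server is unreachable.

Added illustration, not the firewall's code. Assumed rules: next refresh is
due max(TTL, min_refresh) s after the last successful resolution; a stale
entry remains usable for stale_timeout s past that due time.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], Tuple[List[str], int]]   # fqdn -> (addresses, ttl seconds)


@dataclass
class FqdnEntry:
    addresses: List[str]
    ttl: int
    resolved_at: float      # last successful resolution
    next_refresh: float     # when the firewall should re-query DNS


@dataclass
class FqdnCache:
    resolver: Resolver
    min_refresh: int = 30          # floor on how often a name is re-resolved
    stale_timeout: int = 1440      # how long stale answers stay usable after a failed refresh
    entries: Dict[str, FqdnEntry] = field(default_factory=dict)

    def refresh(self, fqdn: str, now: float) -> bool:
        """Re-resolve fqdn; return False (keeping any old entry) if DNS fails."""
        try:
            addresses, ttl = self.resolver(fqdn)
        except OSError:
            return False
        interval = max(ttl, self.min_refresh)    # honour the TTL, but not below the floor
        self.entries[fqdn] = FqdnEntry(addresses, ttl, now, now + interval)
        return True

    def lookup(self, fqdn: str, now: float) -> Optional[List[str]]:
        """Addresses a policy match would use at time `now`, or None."""
        entry = self.entries.get(fqdn)
        if entry is not None and now < entry.next_refresh:
            return entry.addresses                       # fresh: no DNS query
        if self.refresh(fqdn, now):
            return self.entries[fqdn].addresses
        if entry is None:
            return None                                  # never resolved, DNS down
        if now < entry.next_refresh + self.stale_timeout:
            return entry.addresses                       # DNS down: serve the stale entry
        del self.entries[fqdn]                           # stale too long: drop it
        return None


class ScriptedResolver:
    """Constructed stand-in for a DNS server: fixed answer, can be taken down."""

    def __init__(self, answer: List[str], ttl: int):
        self.answer, self.ttl = answer, ttl
        self.down = False
        self.queries = 0

    def __call__(self, fqdn: str) -> Tuple[List[str], int]:
        self.queries += 1
        if self.down:
            raise OSError("DNS server unreachable")
        return list(self.answer), self.ttl


def walkthrough() -> List[Tuple[float, Optional[List[str]], int]]:
    """Scripted timeline: a 5 s TTL below the 30 s floor, then a DNS outage.
    Returns (time, addresses served, DNS queries so far) for each step."""
    dns = ScriptedResolver(["203.0.113.10"], ttl=5)          # constructed answer
    cache = FqdnCache(dns, min_refresh=30, stale_timeout=60)
    log = []
    for t in (0, 10, 30):
        log.append((t, cache.lookup("app.example.com", t), dns.queries))
    dns.down = True
    for t in (70, 130):
        log.append((t, cache.lookup("app.example.com", t), dns.queries))
    return log


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

In the timeline, the 5-second TTL is clamped to the 30-second floor (no query at t=10), the entry is still served at t=70 during the outage, and it is dropped at t=130 once the stale allowance is exhausted, which is the point at which an FQDN-based rule would stop matching.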
GRE Tunneling Support
The firewall can now be a GRE tunnel endpoint, so you can send traffic through a GRE tunnel to a point-to-point tunneling peer, and the firewall will inspect and enforce policies as it does for non-tunneling traffic. Cloud services and partner networks often use GRE tunnels for point-to-point connectivity to customer networks. The firewall also supports GRE over IPSec to interoperate with other vendors' implementations in deployments that encrypt GRE within IPSec.
Wildcard Address Support in Security Policy Rules
When you define private IPv4 addresses for internal devices, you may use an IP addressing pattern that assigns special meaning to certain bits in the IP address; for example, the first three bits in the third octet of an IP address signify the device type. This structure helps you easily identify device type, location, and so on, based on the device's IP address. You may also want to use the same address structure in Security policy rules on the firewall for easier deployment. You can now build Security policy rules based on sources and destinations that use a wildcard address and use only specific bits in an IP address as a match. Thus, you won't have to manage an unnecessarily large number of address objects to cover all the matching IP addresses or use less restrictive Security policy
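The device-type example in that description can be worked through in code. The following is an added illustration and not the firewall's implementation; it assumes (my reading, not stated in the release notes) that a wildcard address is written as IP/WILDCARD-MASK, where a 0 bit in the mask fixes that bit to the value in the IP and a 1 bit means "any value". The rulebase at the bottom is constructed, and the firewall's own matching order and syntax should be checked in its documentation.

```python
"""Wildcard address matching for Security policy rules.

Added illustration, not the firewall's own code. Assumed notation:
IP/WILDCARD-MASK, where mask bit 0 = must match, mask bit 1 = don't care.
"""
from __future__ import annotations

import ipaddress
from typing import List, Optional, Tuple


def parse_wildcard(spec: str) -> Tuple[int, int]:
    """Split 'A.B.C.D/W.X.Y.Z' into (address, wildcard mask) as 32-bit ints."""
    addr_s, mask_s = spec.split("/")
    return int(ipaddress.IPv4Address(addr_s)), int(ipaddress.IPv4Address(mask_s))


def wildcard_matches(spec: str, ip: str) -> bool:
    """True if ip agrees with spec on every bit the mask marks as fixed (0)."""
    addr, mask = parse_wildcard(spec)
    fixed_bits = 0xFFFFFFFF & ~mask        # bits that must match exactly
    return (int(ipaddress.IPv4Address(ip)) & fixed_bits) == (addr & fixed_bits)


def device_type_wildcard(device_type: int) -> str:
    """Wildcard covering every 10.x.x.x address whose third octet starts with
    the three-bit device_type (0-7); all other bits are left unconstrained.

    Mask 0.255.31.255: octet 1 fixed, octet 2 free, octet 3 fixes only its
    top three bits (31 = 0b00011111), octet 4 free.
    """
    if not 0 <= device_type <= 7:
        raise ValueError("device type must fit in three bits")
    return f"10.0.{device_type << 5}.0/0.255.31.255"


def wildcard_size(spec: str) -> int:
    """Number of distinct addresses a wildcard covers (2 ** number of free bits).
    This is how many addresses one object replaces."""
    _, mask = parse_wildcard(spec)
    return 1 << bin(mask).count("1")


def first_matching_rule(rules: List[Tuple[str, str, str]], src_ip: str) -> Optional[Tuple[str, str]]:
    """Top-down evaluation of (rule name, source wildcard, action) triples;
    returns (rule name, action) of the first rule whose source matches."""
    for name, src_spec, action in rules:
        if wildcard_matches(src_spec, src_ip):
            return name, action
    return None


# Constructed rulebase: device type 3 (say, cameras) is allowed; any other
# 10/8 source falls through to an explicit deny.
SAMPLE_RULES = [
    ("cameras-allowed", device_type_wildcard(3), "allow"),
    ("deny-rest-of-10", "10.0.0.0/0.255.255.255", "deny"),
]


if __name__ == "__main__":
    for ip in ("10.17.100.7", "10.17.130.7", "192.168.96.1"):
        print(ip, first_matching_rule(SAMPLE_RULES, ip))
```

10.17.100.7 has third octet 100 = 0b01100100, whose top three bits are 011 = 3, so it matches the type-3 wildcard; 10.17.130.7 (130 = 0b10000010, type 4) falls through to the deny rule; 192.168.96.1 fails the fixed first octet and matches nothing. A single wildcard here stands in for 2^21 individual addresses, which is the object-count saving the feature description refers to.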
Hostname Option Support for DHCP Clients
When your firewall interface is a DHCP client (a DHCP server assigns a dynamic IPv4 address to the interface), you can now assign a hostname to the interface and send the hostname (Option 12) to the DHCP server. The DHCP server can register the hostname with the DNS server, which can automatically manage hostname-to-dynamic IP address resolutions.

FQDN Support for Static Route Next Hop, PBF Next Hop, and BGP Peer
You can now use an FQDN or FQDN address object in a static route next hop, a PBF next hop, and a BGP peer address. Use of FQDNs reduces configuration and management overhead. Also, in order to simplify provisioning, you can use an FQDN (instead of statically assigning IP addresses to these functions) and the FQDN resolution can change from location to location. You can map the FQDN to the IP address based on the location and deployment requirements. For example, if you are a service provider, you can provide FQDNs for accessing the services and resolve these to the IP address of the closest server for the client (based on the client's geo-location), so that the same FQDN can be used globally for the service connection.
Dynamic DNS Support for Firewall Interfaces
When you have services hosted behind the firewall or you need to provide remote access to the firewall, you can now automatically register IPv4 and IPv6 address changes to a Dynamic DNS (DDNS) provider whenever the IP address on the firewall interface changes (for example, if the interface is a DHCP client). The firewall registers the change with the DDNS service, which automatically updates the DNS record (IP address-to-hostname mappings). DDNS support helps avoid using external mechanisms to keep the DNS records up to date. The firewall currently supports five DDNS providers: DuckDNS, DynDNS, FreeDNS Afraid.org, FreeDNS Afraid.org Dynamic API, and No-IP.

HA1 SSH Key Refresh
When you need to change your SSH key pairs to secure HA1 communications, you can now refresh the keys without needing to restart the firewalls.

VXLAN Tunnel Content Inspection
If you use VXLAN as a transport overlay, you can use Tunnel Content Inspection Policy to natively scan traffic within the VXLAN tunnel. For example, if you use VXLAN as a transport overlay to connect your geographically dispersed data centers, you can scan and control the individual flows within the tunnel. With support for the VXLAN protocol in Tunnel Content Inspection Policy, you have visibility into VXLAN traffic and can enforce Security Policy rules on this traffic without terminating the tunnel or implementing network changes.

LACP and LLDP Pre-Negotiation on an HA Passive Firewall
An HA passive firewall can negotiate LACP and LLDP before it becomes active. This pre-negotiation reduces failover times by eliminating the delays incurred by LACP or LLDP negotiations. This functionality, previously supported on several firewall models, extends to PA-220, PA-220R, PA-820, PA-850, PA-3200 Series, and PA-5280 firewalls.

DNS Rewrite for Destination NAT
(Requires Applications and Threats content update 8147 or a later version) Beginning with PAN-OS 9.0.2 and later 9.0 releases, you can configure a destination NAT policy rule for a static translation of an IPv4 address to also translate the IPv4 address in a DNS response that matches the rule. This DNS rewrite (translation) prevents the DNS server on one side of the firewall from providing an internal IP address to its client on the external side of the firewall, or vice versa. Thus, the IPv4 address in the DNS response undergoes NAT and the firewall forwards the appropriate IPv4 address to the client to reach the destination service.
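The rewrite described above operates on the A records inside a DNS response, so the following added example (an illustration of mine, not the firewall's code) works on the wire format: it constructs a small RFC 1035 response, walks the question and answer sections, and swaps the IPv4 RDATA of any A record that matches one side of the NAT rule's static mapping. The scenario is constructed: the rule maps public 203.0.113.10 to internal 10.1.1.5, the internal DNS server answers with 10.1.1.5, and an external client must instead receive 203.0.113.10. The direction names "forward" and "reverse" are mine, and the sample data are not from the release notes.

```python
"""DNS rewrite for a static destination NAT rule, on a wire-format DNS response.

Added illustration, not the firewall's code. 'forward' replaces the rule's
original address with its translated address; 'reverse' does the opposite.
"""
from __future__ import annotations

import ipaddress
import struct
from typing import Iterator, List, Tuple

HEADER = struct.Struct("!HHHHHH")      # id, flags, qdcount, ancount, nscount, arcount
RR_FIXED = struct.Struct("!HHIH")      # type, class, ttl, rdlength (follows the owner name)


def _encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a domain name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:      # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def build_a_response(name: str, addresses: List[str], ttl: int = 300, txid: int = 0x1234) -> bytes:
    """Constructed DNS answer: standard response, one question, one A record per address."""
    header = HEADER.pack(txid, 0x8180, 1, len(addresses), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    answers = b"".join(
        b"\xC0\x0C"                                                   # pointer to the question name
        + RR_FIXED.pack(1, 1, ttl, 4)
        + ipaddress.IPv4Address(addr).packed
        for addr in addresses
    )
    return header + question + answers


def _answer_records(msg: bytes) -> Iterator[Tuple[int, int, int, int]]:
    """Yield (rdata offset, type, class, rdlength) for each answer record."""
    _, _, qdcount, ancount, _, _ = HEADER.unpack_from(msg, 0)
    off = HEADER.size
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4                                # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = RR_FIXED.unpack_from(msg, off)
        off += RR_FIXED.size
        yield off, rtype, rclass, rdlen
        off += rdlen


def a_records(msg: bytes) -> List[str]:
    """IPv4 addresses carried in the response's A records."""
    return [str(ipaddress.IPv4Address(msg[off:off + 4]))
            for off, rtype, rclass, rdlen in _answer_records(msg)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def rewrite_a_records(msg: bytes, original: str, translated: str, direction: str) -> Tuple[bytes, int]:
    """Apply the NAT rule's static mapping to matching A records.
    Returns the rewritten message (same length) and the number of records changed."""
    if direction == "forward":
        match, replacement = original, translated
    elif direction == "reverse":
        match, replacement = translated, original
    else:
        raise ValueError("direction must be 'forward' or 'reverse'")
    match_b = ipaddress.IPv4Address(match).packed
    repl_b = ipaddress.IPv4Address(replacement).packed
    out = bytearray(msg)
    changed = 0
    for off, rtype, rclass, rdlen in _answer_records(msg):
        if rtype == 1 and rclass == 1 and rdlen == 4 and msg[off:off + 4] == match_b:
            out[off:off + 4] = repl_b          # in-place: lengths and offsets are unchanged
            changed += 1
    return bytes(out), changed


if __name__ == "__main__":
    # Constructed scenario: NAT rule maps public 203.0.113.10 -> internal 10.1.1.5.
    reply = build_a_response("app.example.com", ["10.1.1.5", "10.1.1.6"])
    fixed, n = rewrite_a_records(reply, "203.0.113.10", "10.1.1.5", "reverse")
    print(a_records(reply), "->", a_records(fixed), f"({n} rewritten)")
```

Only records whose RDATA equals the rule's address are touched, so the second answer (10.1.1.6, outside the static mapping) is left alone; a static one-to-one translation is what makes the substitution well defined, which is why the feature is limited to static destination NAT.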
User-ID Features

New User-ID Feature | Description

WinRM Support for Server Monitoring
To create User-ID mappings, the PAN-OS integrated User-ID agent can now connect to Microsoft Active Directory and Exchange servers using the lightweight Windows Remote Management (WinRM) protocol. The WinRM protocol greatly improves the speed and efficiency of collecting User-ID mappings.

Shared User-ID Mappings Across Virtual Systems
To easily enforce user-based policy in a multi-vsys environment, you can assign a virtual system as the User-ID hub to share mappings with other virtual systems. This reduces configuration complexity and maximizes the number of mappings available to each virtual system.

User-ID Support for Large Numbers of Terminal Servers
To consistently enforce user-based security policy in environments with a large number of terminal servers, you can now monitor an increased number of terminal servers per firewall. This reduces the complexity of network design and firewall configuration, resulting in centralized visibility and policy enforcement for all terminal server users.
WildFire Forwarding Support for Script Files
You can now configure the Palo Alto Networks firewall to automatically forward scripts (JScript, VBScript, and PowerShell Script) for WildFire analysis.
WildFire Appliance Monitoring Enhancements
The WildFire appliance now features new CLI commands and logs additional system events so that you can better monitor and manage appliance performance and resources, and it provides additional assistance when troubleshooting various issues.
Increased WildFire File Forwarding Capacity
The quantity and maximum size of files that a firewall can forward to WildFire are increased to provide greater visibility into, and detection of, uncommonly large malicious samples.
WildFire Appliance Archive Support
The WildFire appliance can now analyze and classify RAR and 7-Zip archives, which an adversary can use to covertly deliver malicious payloads to users. When the WildFire appliance determines that the file contents of an archive are malicious, it generates a signature for the entire archive. The appliance then provides the signature to all connected firewalls to prevent future attacks.
PA-7000 100G Network Processing Card (NPC)
The new 100G NPC provides more session capacity than previous NPCs and improved performance. This new NPC provides the following main features:
• App-ID throughput (AppMix) of 72Gbps
• Threat throughput (AppMix) of 35Gbps
• Session capacity up to 32 million
• Four QSFP+/QSFP28 (40Gbps/100Gbps) ports
• Eight SFP/SFP+ (1Gbps/10Gbps) ports
• A new service LED that allows a remote administrator to illuminate the SVC LED on a specific front-slot card so an on-site technician can locate the card.
PA-7000 Log Forwarding Card (LFC)
The new Log Forwarding Card (LFC) implements the high-speed log forwarding feature introduced in PAN-OS 8.0. The LFC includes the following main features:
• High-speed log forwarding of all dataplane logs to an external log collector (for example, Panorama or syslog servers)
• Supports up to 350,000 logs per second to Panorama
• QSFP/QSFP+ ports (port 1 at 10Gbps and port 9 at 40Gbps)
PA-7050 FANTRAY-L/R-A
The new second-generation fan trays for the PA-7050 provide more cooling capacity than the first-generation fan trays and are required when you install the second-generation hardware in a PA-7050 firewall.
PA-7080 EMI Filter
This new EMI filter for existing PA-7080 firewalls reduces electromagnetic interference and is required when you install the second-generation hardware in a PA-7080 firewall. New chassis will have this new filter pre-installed.
Feature Change
API Key Lifetime
When you generate a new API key, the key metadata includes a timestamp of the creation date, which makes the key larger than keys generated with PAN-OS versions earlier than 9.0.
Default Administrator Password Requirements
Starting with PAN-OS 9.0.4, you must change the default administrator password (admin/admin) the first time you log in to the admin account on a device. The new password must be a minimum of eight characters and include at least one lowercase and one uppercase character, as well as one number or special character. On a new installation, password complexity is enabled with a minimum password length of eight characters. This change does not affect other administrative users on upgrades.
HTTP/2 Inspection
The firewall now processes and inspects HTTP/2 traffic by default.
If you want to disable HTTP/2 inspection, you can configure the firewall to remove any value contained in the Application-Layer Protocol Negotiation (ALPN) TLS extension: select Objects > Decryption > Decryption Profile > SSL Decryption > SSL Forward Proxy and then select Strip ALPN. ALPN is used to secure HTTP/2 connections; when there is no value specified for this TLS extension, the firewall either downgrades HTTP/2 traffic to HTTP/1.1 or classifies it as unknown TCP traffic.
Strict Default Ports for Decrypted Applications, Including Web-Browsing
Application default (which enables you to allow applications only on their most commonly used ports) now enforces standard port usage for certain applications that use a different default port when encrypted: web-browsing, SMTP, FTP, LDAP, IMAP, and POP3.
This means that, if you're decrypting SSL traffic, a security policy that allows web-browsing on the application default ports now strictly enforces web-browsing on port 80 and SSL-tunneled web-browsing on port 443.
To enhance security, if you currently have a security policy rule configured to allow web-browsing on service-HTTP and service-HTTPS, you might consider
Network Processing Card Session Capacity Change (PA-7000-20G-NPC and PA-7000-20GQ-NPC)
The session capacity for these two 20Gbps Network Processing Cards changed from 4 million sessions per NPC to 3.2 million sessions per NPC on firewalls running a PAN-OS 9.0 or later release.
Refresh of Default Trusted CAs
The certificate authorities (CAs) that the firewall trusts by default are updated: new trusted root CAs are added and expired CAs are removed. To view and manage the list of CAs that the firewall trusts by default, select Device > Certificate Management > Certificates > Default Trusted Certificate Authorities.
VM-50 and VM-50 Lite Firewalls
The minimum memory requirement has changed from 4GB to 4.5GB for the VM-50 Lite and from 4.5GB to 5.5GB for the VM-50 in PAN-OS 9.0. You cannot upgrade the VM-50 Lite without allocating additional memory. If you upgrade the VM-50 with less than 5.5GB of memory, it defaults to the system capacities (number of sessions, rules, security zones, address objects, and so on) associated with the VM-50 Lite.
See Upgrade/Downgrade Considerations for more information.
VXLAN Tunnel Content Inspection
In PAN-OS 8.1 and earlier releases, the firewall used the UDP Session key to create UDP sessions for all tunnel content inspection protocols. It is a six-tuple key (zone, source IP, destination IP, protocol, source port, and destination port), and it remains in use.
PAN-OS 9.0 introduces the VNI Session key specifically for VXLAN tunnel content inspection. The VNI Session key is a five-tuple key incorporating the zone, source IP, destination IP, protocol, and the VXLAN Network Identifier (VNI).
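To make the difference between the two keys concrete, here is an added Python example (not Palo Alto Networks code) that parses the VXLAN header to obtain the VNI and groups constructed packets under both keys; the zone name, VTEP addresses, ports and VNIs are assumptions chosen for the sample.

```python
import struct
from collections import Counter

# VXLAN header (RFC 7348): flags(1) reserved(3) VNI(3) reserved(1).
# The I flag (0x08) must be set for the VNI field to be valid.
VXLAN_HDR_LEN = 8
VXLAN_FLAG_I = 0x08
VXLAN_UDP_PORT = 4789


def parse_vni(udp_payload: bytes) -> int:
    """Extract the 24-bit VNI from a VXLAN UDP payload, rejecting malformed headers."""
    if len(udp_payload) < VXLAN_HDR_LEN:
        raise ValueError("payload shorter than a VXLAN header")
    if not udp_payload[0] & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear: VNI field is not valid")
    return int.from_bytes(udp_payload[4:7], "big")


def udp_session_key(pkt: dict) -> tuple:
    """Six-tuple that PAN-OS 8.1 and earlier used for every tunnel inspection UDP session."""
    return (pkt["zone"], pkt["src_ip"], pkt["dst_ip"], pkt["proto"],
            pkt["src_port"], pkt["dst_port"])


def vni_session_key(pkt: dict) -> tuple:
    """Five-tuple introduced in PAN-OS 9.0 for VXLAN: the ports are replaced by the VNI."""
    return (pkt["zone"], pkt["src_ip"], pkt["dst_ip"], pkt["proto"],
            parse_vni(pkt["payload"]))


def build_vxlan_payload(vni: int, inner_frame: bytes = b"") -> bytes:
    """Build a VXLAN header (I flag set) followed by the inner Ethernet frame."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00" + inner_frame


def count_sessions(packets, key_fn) -> Counter:
    """Group packets into tunnel sessions under the given key function (key -> packets)."""
    return Counter(key_fn(p) for p in packets)


def make_packet(src_port: int, vni: int) -> dict:
    # Constructed sample: one VTEP pair in zone "dc-interconnect" (assumed names),
    # UDP 4789, with the outer source port varied per inner flow for ECMP entropy.
    return {"zone": "dc-interconnect", "src_ip": "192.0.2.1", "dst_ip": "198.51.100.1",
            "proto": 17, "src_port": src_port, "dst_port": VXLAN_UDP_PORT,
            "payload": build_vxlan_payload(vni, b"\xde\xad")}


SAMPLE_PACKETS = [make_packet(40001, 100), make_packet(40002, 100),
                  make_packet(40003, 100), make_packet(40001, 200)]

if __name__ == "__main__":
    # Six-tuple: 3 sessions keyed by source port, and the port-40001 session mixes
    # VNI 100 and VNI 200 traffic. Five-tuple: 2 sessions, one per VNI.
    print(count_sessions(SAMPLE_PACKETS, udp_session_key))
    print(count_sessions(SAMPLE_PACKETS, vni_session_key))
```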
Panorama Commit and push operations
• Commit is unavailable (grayed out) when you have no pending changes on Panorama and all managed firewalls and Log Collectors are in sync with Panorama (which means that you have successfully pushed all changes you made on Panorama to all managed firewalls and appliances).
• Commit displays as a green downward arrow when you have pending changes on Panorama that must be committed and pushed to managed devices.
• Commit displays as a yellow sideways arrow when managed firewalls and Log Collectors are out of sync, and you must push the committed Panorama configuration.
• When you Commit and Push your configuration changes on Panorama, you must Edit Selections to specify the Push Scope to managed devices.
Security Group Tag (SGT) Ethertype Support
If you're using Security Group Tags (SGTs) to control user and device access in a Cisco TrustSec network, inline firewalls in Layer 2 or Virtual Wire mode now inspect and provide threat prevention for the tagged traffic by default. Before PAN-OS 9.0, a firewall in Layer 2 or virtual wire mode could allow SGT traffic but did not process and inspect it.
IP Address Registration and Dynamic Address Groups
In PAN-OS 8.1 and earlier, it could take up to 60 seconds to register an IP address and its associated tags, and to update the membership information for a dynamic address group (DAG). In PAN-OS 9.0, IP address registration occurs in real time. Any policy matches for updates on a registered IP address (IP-tag mapping) are reflected only in new sessions. Any existing sessions
URL Filtering Overrides
In earlier release versions, URL Filtering overrides had priority enforcement ahead of custom URL categories. As part of the upgrade to PAN-OS 9.0, URL category overrides are converted to custom URL categories and no longer receive priority enforcement over other custom URL categories. Instead of the action you defined for the category override in previous release versions, the new custom URL category is enforced by the security policy rule with the strictest URL Filtering profile action. From most strict to least strict, the possible URL Filtering profile actions are: block, override, continue, alert, and allow. This means that, if you had URL category overrides with the action allow, there is a possibility that the overrides might be blocked after they are converted to custom URL categories in PAN-OS 9.0.
Workaround:
1. Create a URL Filtering profile that defines site access for a custom URL category. Select Objects > Security Profiles > URL Filtering > Categories, and set the Site Access (such as allow or block) for the custom URL categories that you want to exclude from a URL category.
2. Create a new security policy rule to prioritize enforcement for URL category exceptions. Attach the URL Filtering profile you just created to that rule (Policies > Security > Actions > Profile Setting > Profiles). Because the firewall evaluates rules from top to bottom, make sure that this rule appears at the top of your security policy (Policies > Security).
CLI Commands for the Option to Hold Web Requests During URL Category Lookup (PAN-OS 9.0.4 or later)
The CLI commands for this feature are now the following:
1. Enter configure to access Configuration Mode.
2. Enter set deviceconfig setting ctd hold-client-request yes to enable the feature.
3. Commit your changes.
Palo Alto Networks Software or Content Release Version: Minimum Compatible Version with PAN-OS 9.0
Panorama: 9.0
Issue ID Description
PAN-107142 After adding a new virtual system from the CLI, you must log out and log back in to see the new virtual system within the CLI.
PAN-102264 On Panorama, the number of Apps Seen on a Security policy rule depends on whether you created the rule in a Shared context or in the context of a particular device group.
For rules created in the Shared context, Apps Seen displays the total number of unique applications seen on each rule in all of the device groups in the Shared context, so a Shared context that includes two device groups (DG1 and DG2) displays the combined number of unique applications seen on the rule in both groups. For example, if DG1 saw two unique applications on the rule and DG2 saw eight unique applications on the rule, Apps Seen shows ten applications seen on the rule, which is the aggregate number of unique applications seen in both device groups; it does not show the number of unique applications in each individual group.
For rules created in a specific device group context, Apps Seen displays the total number of unique applications seen on each rule in that particular device group. For example, if DG2 saw eight unique applications on a rule, Apps Seen shows eight applications seen on the rule.
To get an accurate count of the Apps Seen on a rule for a device group, change the context to the device group in which you created the rule.
PAN-99845 After an HA firewall fails over to its HA peer, sessions established before the failover might not undergo the following actions in a reliable manner:
• SIP call modifications (some examples include resuming a call that was on hold, transferring a call, and picking up a parked call).
• Call tear-down.
PAN-97821 The commit all job is executed from Panorama to the firewall only if the newly added firewall is running PAN-OS 8.1 or a later release with Auto Push on 1st Connect enabled.
PAN-85036 If you use the Panorama management server to manage the configuration of firewalls in an HA active/active configuration, you must set the Device ID for each firewall in the HA pair before you upgrade Panorama. If you upgrade without setting the Device IDs (which determine which peer is the active-primary peer), you cannot commit configuration changes to Panorama.
PAN-79669 The firewall blocks an HTTPS session when the hardware security module (HSM) is down and a Decryption policy for inbound inspection uses the default decryption profile for an ECDSA certificate.
For recent updates to known issues for a given PAN-OS release, refer to https://live.paloaltonetworks.com/t5/Articles/Critical-Issues-Addressed-in-PAN-OS-Releases/ta-p/52882.
PLUG-1854 (PAN-OS 9.0.2 and later releases on AWS and GCP only) You cannot swap the management interface. This issue is resolved after you upgrade to VM-Series plugin 1.0.3 and reboot the firewall.
PLUG-1827 (Microsoft Azure only) The firewall drops packets due to larger than expected packet sizes when Accelerated networking is enabled on the firewall (Settings > Networking). This issue is resolved after you upgrade to VM-Series plugin 1.0.3 and reboot the firewall.
PAN-121449 (PAN-OS 9.0.3 and later releases only) The Remove Config button on Panorama > Plugins does not remove the configuration for any plugins you have set up on Panorama. This issue is now resolved. See PAN-OS 9.0.4 Addressed Issues.
Workaround: Manually delete the plugin configuration. Select your plugin on Panorama, clear the values from all fields, and Commit your changes.
PAN-117918 The logs are not visible after you upgrade a Panorama management server in an HA configuration from PAN-OS 8.1 to PAN-OS 9.0.
Workaround: After you complete the upgrade, log in to the web interface of the primary Panorama HA peer and perform a Collector Group push (Commit > Push to Devices > Edit Selections), or log in to the CLI of the primary Panorama HA peer and commit force the local configuration.
PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add the DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
PAN-113117 A newly launched firewall does not get its configuration from Panorama when it first connects if you installed the VM-Series plugin on Panorama. When a newly launched firewall that is bootstrapped connects to Panorama, a process restart occurs on Panorama. Upon restart, you are logged out of the user interface and you need to log in and push the device group and template configuration to the newly connected firewall.
PAN-111729 If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
PAN-110794 DGA-based threats shown in the firewall threat log display the same name for all such instances.
PAN-109526 The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
PAN-101537 After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> | <src> in <object-name>
PAN-94093 HTTP Header Insertion does not work when jumbo frames are received out of order.
> configure
# set template <template_name> config deviceconfig high-availability interface ha2 ip-address <IP_address>
PAN-91236 The Panorama management server does not display new logs collected on M-Series Log Collectors because the logging search engine does not register during system startup when logging disk checks and RAID mounting take longer than two hours to complete.
PAN-84670 When you disable decryption for HTTPS traffic, end users who don't have valid authentication timestamps can access HTTPS services and applications regardless of Authentication policy. This issue is now resolved. See PAN-OS 9.0.4 Addressed Issues.
Workaround: Create a Security policy rule that blocks HTTPS traffic that is not decrypted.
PAN-73530 The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
or
admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
PAN-71329 Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround: Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
PAN-25046 Firewalls store SSH host keys used for SCP log exports in the known hosts file. In an HA deployment, PAN-OS synchronizes the SCP log export configuration between the firewall HA peers (Device > Scheduled Log Export), but not the known hosts file. When a failover occurs, the SCP log export fails.
Workaround: Log in to each peer in HA, select Device > Scheduled Log Export > <log_export_configuration>, and Test SCP server connection to confirm the host key so that SCP log forwarding continues to work after a failover.
Issue ID Description
WF500-4200 The Create Date shown when using the show wildfire global sample-status sha256 equal <hash> or show wildfire global sample-analysis CLI command is two hours behind the actual time for WF-500 appliance samples.
PLUG-1854 (PAN-OS 9.0.2 and later releases on AWS and GCP only) You cannot swap the management interface. This issue is resolved with VM-Series plugin 1.0.3.
PLUG-1827 (Microsoft Azure only) The firewall drops packets due to larger than expected packet sizes when Accelerated networking is enabled on the firewall (Settings > Networking). This issue is resolved after you upgrade to VM-Series plugin 1.0.3 and reboot the firewall.
PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add the DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
PAN-113117 A newly launched firewall does not get its configuration from Panorama when it first connects if you installed the VM-Series plugin on Panorama. When a newly launched firewall that is bootstrapped connects to Panorama, a process restart occurs on Panorama. Upon restart, you are logged out of the user interface and you need to log in and push the device group and template configuration to the newly connected firewall.
PAN-111729 If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
PAN-110794 DGA-based threats shown in the firewall threat log display the same name for all such instances.
PAN-109526 The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
PAN-101537 After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> | <src> in <object-name>
PAN-94093 HTTP Header Insertion does not work when jumbo frames are received out of order.
PAN-91236 The Panorama management server does not display new logs collected on M-Series Log Collectors because the logging search engine does not register during system startup when logging disk checks and RAID mounting take longer than two hours to complete.
PAN-73530 The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
or
admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
PAN-71329 Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround: Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
PAN-25046 Firewalls store SSH host keys used for SCP log exports in the known hosts file. In an HA deployment, PAN-OS synchronizes the SCP log export configuration between the firewall HA peers (Device > Scheduled Log Export), but not the known hosts file. When a failover occurs, the SCP log export fails.
Workaround: Log in to each peer in HA, select Device > Scheduled Log Export > <log_export_configuration>, and Test SCP server connection to confirm the host key so that SCP log forwarding continues to work after a failover.
Issue ID Description
PLUG-1854 (PAN-OS 9.0.2 and later releases on AWS and GCP only) You cannot swap the management interface. This issue is resolved with VM-Series plugin 1.0.3.
PLUG-1827 (Microsoft Azure only) The firewall drops packets due to larger than expected packet sizes when Accelerated networking is enabled on the firewall (Settings > Networking). This issue is resolved after you upgrade to VM-Series plugin 1.0.3 and reboot the firewall.
PAN-121449 The Remove Config button on Panorama > Plugins does not remove the configuration for any plugins you have set up on Panorama.
Workaround: Manually delete the plugin configuration. Select your plugin on Panorama, clear the values from all fields, and Commit your changes.
PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add the DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
PAN-111729 If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
PAN-110794 DGA-based threats shown in the firewall threat log display the same name for all such instances.
PAN-109526 The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
PAN-101537 After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed from the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> | <src> in <object-name>
PAN-94093 HTTP Header Insertion does not work when jumbo frames are received out of order.
PAN-91236 The Panorama management server does not display new logs collected on M-Series Log Collectors because the logging search engine does not register during system startup when logging disk checks and RAID mounting take longer than two hours to complete.
PAN-84670 When you disable decryption for HTTPS traffic, end users who don't have valid authentication timestamps can access HTTPS services and applications regardless of Authentication policy.
Workaround: Create a Security policy rule that blocks HTTPS traffic that is not decrypted.
PAN-73530 The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
or
admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
PAN-71329 Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround: Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
PAN-25046 Firewalls store SSH host keys used for SCP log exports in the known hosts file. In an HA deployment, PAN-OS synchronizes the SCP log export configuration between the firewall HA peers (Device > Scheduled Log Export), but not the known hosts file. When a failover occurs, the SCP log export fails.
Workaround: Log in to each peer in HA, select Device > Scheduled Log Export > <log_export_configuration>, and Test SCP server connection to confirm the host key so that SCP log forwarding continues to work after a failover.
Issue ID Description
PLUG-1854 (PAN-OS 9.0.2 and later releases on AWS and GCP only) You
cannot swap the management interface.
PLUG-1827 (Microsoft Azure only) The firewall drops packets due to larger
than expected packet sizes when Accelerated networking is
This issue is resolved after you
enabled on the firewall (Settings > Networking).
upgrade to VM-Series plugin 1.0.3 and
reboot the firewall.
PAN-116017 (Google Cloud Platform (GCP) only) The firewall does not
accept the DNS value from the initial configuration (init-cfg)
file when you bootstrap the firewall.
PAN-113117 A newly launched firewall does not get its configuration from
Panorama when it first connects if you installed the VM-Series
plugin on Panorama. When a newly launched firewall that is
bootstrapped connects to Panorama, a process restart occurs
on Panorama. Upon restart, you are logged out of the user
interface and you need to log in and push the device group
and template configuration to the newly connected firewall.
PAN-111729 If you disable DPDK mode and enable it again, you must
immediately reboot the firewall.
PAN-110794 DGA-based threats shown in the firewall threat log display the
same name for all such instances.
PAN-109526 The system log does not correctly display the URL for CRL
files; instead, the URLs are displayed with encoded characters.
PAN-101537 After you configure and push address and address group
objects in Shared and vsys-specific device groups from
the Panorama management server to managed firewalls,
executing the show log <log-type> direction equal
<direction> <dst> | <src> in <object-name>
command on a managed firewall only returns address and
address group objects pushed from the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal 'vsys eq <vsys-name>' <dst> | <src> in <object-name>
PAN-94093 HTTP Header Insertion does not work when jumbo frames are
received out of order.
PAN-91236 The Panorama management server does not display new logs
collected on M-Series Log Collectors because the logging
search engine does not register during system startup when
logging disk checks and RAID mounting take longer than two
hours to complete.
PAN-84670 When you disable decryption for HTTPS traffic, end users who
don't have valid authentication timestamps can access HTTPS
services and applications regardless of Authentication policy.
Workaround: Create a Security policy rule that blocks HTTPS
traffic that is not decrypted.
PAN-73530 The firewall does not generate a packet capture (pcap) when a
Data Filtering profile blocks files.
admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
or
admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
PAN-71329 Local users and user groups in the Shared location (all virtual
systems) are not available to be part of the user-to-application
mapping for GlobalProtect Clientless VPN applications
(Network > GlobalProtect > Portals > <portal> > Clientless
VPN > Applications).
Workaround: Create users and user groups in specific virtual
systems on firewalls that have multiple virtual systems. For
single virtual systems (like VM-Series firewalls), users and user
groups are created under Shared and are not configurable for
Clientless VPN applications.
PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are
enabled on the same IP address, then when a user logs out of
the GlobalProtect portal, the administrative user is also logged
out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web
interface and an FQDN to access the GlobalProtect portal.
PAN-25046 Firewalls store SSH host keys used for SCP log exports in the
known hosts file. In an HA deployment, PAN-OS synchronizes
the SCP log export configuration between the firewall HA
peers (Device > Scheduled Log Export), but not the known
host file. When a failover occurs, the SCP log export fails.
Workaround: Log in to each peer in HA, select Device >
Scheduled Log Export > <log_export_configuration>, and Test
SCP server connection to confirm the host key so that SCP log
forwarding continues to work after a failover.
PAN-OS 9.0.5 Addressed Issues
Issue ID Description
PAN-126534 (PAN-OS 8.1.10 and later releases only) Fixed an issue where
the data from Security policies did not export as expected.
PAN-126354 Fixed an issue where log in and commits took longer than
expected when you used XML API calls to create new address
objects.
PAN-125933 Fixed an issue where the receiving firewall deleted the host
information profile (HIP) report due to the report containing the
same IPv4 address in the IP and IP2 fields and caused a process
(useridd) to stop responding.
PAN-125452 Fixed an issue where the firewall did not list registered
addresses from the Dynamic Address Group when the same IP-
tag information was received from two sources, which caused
the traffic flow to stop responding as expected.
PAN-124890 Fixed a configuration lock issue where you were unable to log
in after you upgraded from PAN-OS 8.1.6 to PAN-OS 8.1.9.
PAN-124630 Fixed an issue where new logs were not ingested due to
a buffer exhaustion condition caused by invalid messages that
Elasticsearch handled incorrectly.
PAN-123362 Fixed an issue where the firewall used more virtual memory
than expected when you decreased the maximum Elasticsearch
heap size.
PAN-122601 Fixed a memory leak issue with a process (configd) when you
performed device group related operations.
PAN-121523 Fixed an issue where an API call triggered memory errors, which
caused a process (configd) to stop responding and triggered
SIGABRT logs.
PAN-121447 Fixed an issue where BGP did not remove the IPv6 default
route from the forwarding table after the route was withdrawn.
PAN-119680 Fixed a rare issue where the show running CLI commands for
policy addresses caused file descriptor leaks.
PAN-118881 Fixed an issue where the user domain information was missing
from the user IP mapping entry when you configured Allow
Authentication with User Credentials or Client Certificate
to Yes while using a client certificate for GlobalProtect
authentication.
PAN-117907 Fixed an issue where the date and time provided for a request
license information output did not match the show clock output
provided by the NTP server.
PAN-117900 Fixed an issue where commits failed when you moved an object
referenced in a policy to a shared group.
PAN-117888 Fixed an issue where the firewall was unable to detect the
hardware security module (HSM), which caused the firewall to
drop SSL traffic.
PAN-116772 Fixed an issue where the firewall sent empty attributes in the
LDAP query when you did not configure Alternate Username 1
- 3 (Device > User Identification > Group Mapping Settings >
<group-name> > User and Group Attributes) in the User
Attributes web interface.
PAN-116611 Fixed an issue where an API call for correlated events did not
return any events.
PAN-116286 Fixed an issue where commits failed after you upgraded from
PAN-OS 8.0.16 to PAN-OS 8.1.6 due to an invalid encryption
state for a host information profile (HIP) object.
PAN-116189 Fixed an issue where Session Initiation Protocol (SIP) calls failed
and displayed the following error message: end-reason:
resources-unavailable.
PAN-115990 Fixed an issue where the FQDN address object (Policy >
Security > <address-object> > Value) displayed the following
unrelated error: <FQDN-name> Not used.
PAN-115959 Fixed an issue where DNS names with more than 63 characters
did not resolve FQDN address objects during an FQDN refresh.
PAN-115890 Fixed an issue where the show system info CLI command
incorrectly displayed VMware ESXi as VMWare ESXi.
PAN-115281 Fixed an issue where the firewall did not resolve an external
dynamic list server address when that address was configured
as a static entry in the DNS proxy.
PAN-114540 Fixed an issue where renaming a template stack did not take
effect and the name reset to the original value after you
committed the change.
PAN-114456 Fixed an issue where extended packet capture (pcap) for threat
logs caused a process (mgmtsrvr) to stop responding.
PAN-114270 Fixed an issue where the firewall dropped TCP traceroute
traffic after you upgraded to PAN-OS 8.1.5. To leverage this
fix, run the set session tcp-reject-diff-syn no CLI
command.
PAN-113261 (PA-5200 Series firewalls only) Fixed an issue where the total
entries for the URL filtering allow list, block list, and custom
categories were incorrectly set to an entry limit value other
than 100,000.
PAN-113162 Fixed an issue where you were unable to create shared URL
filtering profiles from the Panorama web interface.
PAN-112661 Fixed an issue where you were unable to access a firewall due
to a defective small form-factor pluggable (SFP)/SFP+ module
inserted into the firewall.
PAN-102195 Fixed an issue where the firewall did not detect all threat
sessions while the App and Threat content installation was
processed.
WF500-4785 Fixed a rare issue on WF-500 appliances where the appliance did
not respond after you upgraded it from a PAN-OS® 8.0.1 release
to a PAN-OS 8.0.10 or later release. With this fix, you can run
the new debug software raid fixup auto CLI command to
recover the RAID controller.
PAN-124658 Fixed an issue where the timer system call activated more
frequently than expected, which caused higher than expected
CPU usage.
PAN-122004 (PA-5200 Series firewalls only) Fixed an issue where the
QSFP28 (Quad Small Form-factor Pluggable) ports 21 and 22 did not
respond when plugged in with a Finisar 100G AOC cable.
PAN-121449 Fixed an issue where Remove Config (Panorama > Plugins) did
not remove the configuration for any plugins you have set up
on Panorama.
PAN-120548 Fixed an issue where the Captive Portal request limit was
ignored when you configured the Captive Portal authentication
method to browser-challenge.
PAN-119257 Fixed an issue where the firewall could not establish an IKEv2
connection with SHA256 certificates.
PAN-119187 (Panorama only) Fixed an issue where a file lock was released
before the lock was taken, which triggered an erroneous
maximum connection timeout that prevented administrators
from logging in to and executing commands from the
command-line interface (CLI).
PAN-118411 Fixed an issue where ARP entries took longer than expected to
age out in a single run.
PAN-117921 Fixed an issue where you were unable to create GTP inner
sessions, which caused the firewall to drop GTP-U data packets
when the firewall was deployed on S1-U and S11 interfaces.
PAN-115856 Fixed an issue where Dynamic IP and Port (DIPP) NAT pools did
not release used ports after all sessions were removed.
PAN-115794 Fixed an issue where, after you upgraded the firewall from
PAN-OS 8.1.5 to PAN-OS 9.0.0, the firewall displayed the
following validation error: plugins 'read-only' is not
an allowed keyword.
PAN-115792 Fixed an issue where, after a refresh of an external dynamic
list, values from the previous list were not retained, which
caused the list values to display 0.0.0.0 and displayed the
following error message: HTTP/1.1 500 Internal Server Error.
PAN-115738 Fixed an issue where data logs were generated but the firewall
did not forward the logs to the syslog server.
PAN-115287 Fixed an issue where commits failed and displayed the following
error message: Commit job was not queued. All
daemons are not available.
PAN-115186 Fixed an issue where SaaS reports were not generated due to
report definitions not getting pushed to the log collector.
PAN-114779 Fixed an issue where log purging took longer than expected,
which prevented the firewall from capturing traffic logs.
PAN-114533 Fixed an issue where traffic was blocked by the safe search
enforcement instead of the intended allow rule.
PAN-114427 Fixed an issue where an empty host name in the HTTP header
caused a web server process (websrvr) to stop responding when
you accessed the captive portal redirect page.
PAN-114160 Fixed an issue where you were unable to download ZIP files
greater than 3GB through a GlobalProtect Clientless VPN
application.
PAN-114002 Fixed an issue where you were unable to import variable CSV
files when variable names contained a character space.
PAN-113971 (PA-7000 Series firewalls only) Fixed an issue where the High
Speed Chassis Interconnect (HSCI) link flapped after you
rebooted the firewall.
PAN-113887 Fixed an issue where loading custom app tags did not complete
successfully, which prevented subsequent requests (such as
commits, content installs, and FQDN refreshes) from executing
as expected.
PAN-113767 Fixed an issue where the firewall silently dropped packets when
security profiles were attached and FPGA enabled AHO and
DFA.
PAN-113619 Fixed an issue where the GlobalProtect gateway did not assign
an IP address when the local IP address was a supernet of the
GlobalProtect pool.
PAN-112529 Fixed an issue where the firewall incorrectly sent several benign
critical content alerts daily.
PAN-110628 Fixed an issue where user groups were deleted from the Group
Include List (Device > User Identification > Group Mapping
Settings > <group-name> > Group Include List) if you changed
the LDAP server profile account password.
PAN-110168 Fixed an issue where the firewall and Panorama web interface
did not present HSTS headers to your web browser.
PAN-109759 Fixed an issue where the firewall did not generate a notification
for the GlobalProtect client when the firewall denied TLS
sessions that it had not decrypted because of an Authentication
policy match.
PAN-106628 Fixed an issue where the firewall did not generate a system log
when the firewall detected a RAM issue.
PAN-105286 Fixed an issue where the firewall did not record email header
information in Data Filtering logs when you triggered a test mail
that contained a data leak prevention (DLP) pattern.
PAN-103865 Fixed an issue where the firewall did not detect user credentials
when the number of users exceeded 60,000.
PAN-103847 Fixed a memory buffer allocation issue that caused the Session
Initiation Protocol (SIP) traffic NAT to stop responding.
PAN-118949 Fixed an issue where, after you changed the filter configuration
to user.src notin 'cns\proxy full' in a profile, the
firewall displayed the following error message: Unknown user
group cns\Proxy Full.
PAN-118640 Fixed an issue where the GTP-U session did not match the
correct policy, which caused the IMSI and IMEI not to display in
the inner session traffic and threat logs.
PAN-117249 Fixed an issue where users who did not have a REST API
authentication role were nevertheless able to list and edit
configuration rules.
PAN-116579 Fixed an issue where the firewall sent truncated URLs to the
Captive Portal Redirect message when HTTPS traffic sent
through a proxy server was subjected to decryption.
PAN-116022 Fixed an issue where the NSX Manager passed a blank string to
Panorama, which added a null entry into the configuration and
caused commits to fail.
PAN-115379 Fixed an issue where you were unable to create a custom log
forwarding profile when you configured a filter with the "in"
and "not in" operators (Objects > Log Forwarding > Add >
Add > Filter > Filter Builder), which resulted in the following
error message: Invalid filter policy-logging-cf-ent ->
match-list -> ITS_url_logs -> filter is invalid.
PAN-115339 Fixed a rare issue where a commit caused the firewall to stop
responding when you enabled flow debug and configured a
NAT policy.
PAN-115035 Fixed a rare issue where Threat log and URL log stopped
generating.
PAN-114642 Fixed an issue where firewall logs incorrectly included the end-
user IP address in GTP message logs when you configured PAA
IE with IPv4 and IPv6 dual stack in the Create Session Response
message.
PAN-114607 Fixed an issue where all the log collectors did not get queued
when you configured more than 32 collector groups.
PAN-114275 Fixed an issue where the firewall dropped GTPv1 DELETE PDP
response packets that had a tunnel endpoint ID (TEID)
value of 0.
PAN-112293 Fixed an issue where the connection between the firewall and
Log Collector flapped.
PAN-112167 Fixed an issue where IPv4 BGP routes were missing from the
routing table and FIB after a failover event.
PAN-112106 Fixed an issue where the firewall was unable to add IPv6
loopback IP address ::1 to the external dynamic list and
displayed the following error message: Invalid ips: ::1.
PAN-111976 Fixed an issue where you were unable to generate user activity
reports when the username included a colon ( : ), ampersand
( & ), or single quotation mark ( ' ) character.
PAN-111708 (PA-3200 Series firewalls only) Fixed a rare software issue that
caused the dataplane to restart unexpectedly. To leverage this
fix, you must run the debug dataplane set pow no-desched yes
CLI command.
PAN-110883 Fixed an issue on a VM-Series firewall where all jobs did not
execute and returned the following error message: Error-
time out sending/receiving message.
PAN-110293 Fixed an issue where GTP-U traffic dropped when the GTP
tunnel endpoint ID (TEID) was not updated correctly during a
GTP-C update.
PAN-109575 Fixed an issue where you were unable to configure more than
one device certificate (Device > Certificate Management >
Certificates > <device certificate-name>) with Trusted Root
CA.
PAN-109101 Fixed an issue where you were unable to override IKE Gateway
configurations (Network > IKE Gateways > <template-name>)
in the template stack. With this fix, you still cannot override
a template stack value that is set to none. Additionally, to
override the Local Identification, select Authentication in the
pop-up dialog.
PAN-109024 Fixed an issue where, after you upgraded the firewall from PAN-
OS 8.0 to PAN-OS 8.1, firewalls configured with the User-ID™
agent and group mapping incorrectly mapped users to groups.
PAN-108878 Fixed an issue where host traffic ICMP packets larger than
9,180 bytes dropped when you configured a jumbo frame with
a maximum MTU value of 9,216 bytes and with the DF option
enabled.
PAN-108715 Fixed an issue where the firewall did not update the dataplane
DNS cache after the management plane (MP) DNS entries
expired, which caused evasion signatures to erroneously trigger
a Suspicious TLS/HTTP(S) Evasion Found event.
PAN-106861 Fixed an issue where stale route entries remained in the FIB
after the routes were removed from the routing table when you
used a redistribution rule without a profile.
PAN-106344 Fixed an issue where the log collector within a collector group
retained varying numbers of detailed firewall logs when you
enabled log redundancy.
PAN-104568 Fixed an issue where the firewall did not send emails when you
configured the email gateway with an FQDN.
PAN-101970 Fixed an issue where the decode filter was unable to detect
the end characters of a file name, which caused the firewall to
bypass the file blocking profile.
PAN-100773 (PA-7000 Series firewalls only) Fixed an issue where the Quad
Small Form-factor Pluggable (QSFP) port on a 20GQ NPC card
took longer than expected to respond.
PAN-99354 Fixed an issue where the firewall incorrectly denied URL access
when the URL filtering profile was configured to alert.
PAN-89820 Fixed an intermittent issue where the Data Filtering (Monitor >
Data Filtering) and Threat Log (Monitor > Threat) did not
display file names when you transferred multiple files into a
single session.
PAN-116658 Fixed a rare issue where the firewall sent HTTP/2 DATA
frames with incorrect padding byte lengths, which caused
software buffer corruption and a process (all_pktproc) to stop
responding.
PAN-116316 Fixed an issue where RTP and RTCP predict sessions failed,
which caused the firewall to stop processing RTSP-based video
streaming.
PAN-115591 Fixed an issue where the snmpd process was leaking memory
when polling for global counters.
PAN-114601 Fixed an issue where the Allow List (Device > Setup >
Authentication Setting > <authentication profile - name> >
Authentication) did not update after you added new users to a
group in the Active Directory.
PAN-113829 Fixed an issue where, after you upgraded the firewall to PAN-
OS® 9.0, a custom URL category action that you had changed from
"none" to "allow" reverted to "none" after a commit.
PAN-112814 Fixed an issue where H.323-based calls lost audio because the
predicted H.245 session was not converted to Active status,
which caused the firewall to drop the H.245 traffic.
PAN-112626 Fixed an issue where a new DNS Security subscription was not
available on your VM-Series firewall after you upgraded to a
PAN-OS 9.0 release with a PAYG Bundle 2 license.
PAN-109344 Fixed an issue where service objects did not import into
Panorama when you configured them identically but with
different names.
PAN-112592 Fixed an issue on a firewall where the system log did not
generate an alert for AutoFocus™ license expiry.
PAN-112305 Fixed an issue where source (Object > Dynamic Lists <list-
name> > Create List) URLs, which contained double escape
characters caused external dynamic list entries to display
incorrect values in the policies.
PAN-111897 Fixed an issue where the tags were not set on OSPFv3 routes
redistributed to BGP-3.
PAN-111850 Fixed an issue where the firewall did not capture the number of
packets in the threat packet capture (pcap) as configured in the
extended packet capture length setting.
PAN-111638 Fixed an issue where the external dynamic list did not update
after a scheduled refresh of the list.
PAN-110341 Fixed an issue where the firewall sent RIP updates more
frequently than expected.
PAN-108620 Fixed an issue where Traps ESM logs were sent to the Log
Collector but did not display in the web interface (Monitor >
Traps ESM).
PAN-107006 Fixed an issue where you were unable to search for service
objects by destination port numbers.
PAN-106963 Fixed an issue where the firewall did not display the full URL
information in the URL Filtering log (Monitor > URL Filtering)
after a ( '\r' ) return character.
PAN-104263 Fixed an issue where the RTC battery reading exceeded the
maximum threshold value.
PAN-96827 Fixed an issue where BGP command output formats did not
display consistently across different PAN-OS releases.
PAN-109096 Fixed an issue where the firewall did not remove the 4-byte AS
number when Remove Private AS was enabled.
PAN-107887 Fixed an issue where an API call did not return the details of the
security policy when you added a service group.
PAN-105737 Fixed an issue where AUX ports remained in Down state after
you upgraded to PAN-OS 8.1.7.
PAN-104616 Fixed an issue where certificate imports failed when you used a
backslash ( \ ) character in a password to export certificates.
PAN-103863 Fixed an issue where the IPSec tunnel restart (Network >
IPSec Tunnels > IKE Info) did not display properly on the web
interface.
PAN-103192 Fixed an issue on a firewall where the Global Find for IPSec
tunnels displayed incorrect search results.
PAN-103055 Fixed an issue where you were unable to filter Address Groups
(Objects > Address Groups) by an address object name.
PAN-101391 Fixed an issue where the scheduled nightly custom report was
not generated or emailed as expected.
PAN-101365 Fixed an intermittent issue where the session ID did not clear
when the session ID was set to 0.
PAN-100154 Fixed an issue where the default static route always became the
active route and took precedence over a DHCP auto-created
default route that was pointing to the same gateway regardless
of the metrics or order of installation. With this fix, the firewall
PAN-99945 Fixed an issue on Panorama where the progress bar in the web
interface stopped responding and did not display any status
after sending a commit or activating an auth code even though
the task completed successfully.
PAN-98005 Fixed an issue where adding more than eight Log Collectors to
a collector group caused the configuration (configd) process to
stop responding.
PAN-96344 Fixed an issue on a firewall where TCP reset packets were sent
even after you set the vulnerability profile action to drop the
packets.
PAN-95445 Fixed an issue where VM-Series firewalls for NSX and firewalls
in an NSX notify group (Panorama > VMware NSX > Notify
Group) briefly dropped traffic while receiving dynamic address
updates after the primary Panorama in a high availability (HA)
configuration failed over. This fix requires the VMware NSX
plugin 2.0.4 or a later version.
PAN-94486 Fixed an issue where the dataplane did not get a dynamic IP
address assigned because the process (routed) did not release it.
PAN-82278 Fixed an issue where filtering did not work for Threat logs
when you filtered for threat names that contained certain
characters: single quotation mark ('), double quotation mark ("),
backslash (\), forward slash (/), backspace (\b), form feed (\f),
new line (\n), carriage return (\r), and tab (\t).
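PAN-110168 above concerns the Strict-Transport-Security header that the firewall and Panorama web interfaces now send. After an upgrade, a practitioner will want to confirm that the header is actually emitted and sane rather than take the release note on trust. The following Python example is added here and is not Palo Alto Networks code: it parses an HSTS header value according to RFC 6797 and grades a response's headers. The three sample responses are constructed, and the one-year minimum max-age is this example's own choice, not a PAN-OS value.

```python
"""Grade the Strict-Transport-Security header of an HTTP response. Added
illustration, not Palo Alto Networks code; the sample responses are
constructed and the one-year minimum max-age is this example's choice."""
import re
from typing import Dict, List, Optional

# One directive: name, optional "=" value (token or quoted-string), RFC 6797 6.1.
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*("[^"]*"|[^;"]*))?\s*')


def parse_hsts(header_value: str) -> Dict[str, Optional[str]]:
    """Split an HSTS value into {directive-name: value}. Names are
    lower-cased (they are case-insensitive); a directive that appears
    twice makes the whole header invalid, so that raises ValueError."""
    directives: Dict[str, Optional[str]] = {}
    for token in header_value.split(";"):
        if not token.strip():
            continue
        match = _DIRECTIVE.fullmatch(token)
        if match is None:
            raise ValueError(f"malformed directive {token.strip()!r}")
        name = match.group(1).lower()
        value = match.group(2)
        if value is not None and value.startswith('"'):
            value = value[1:-1]  # unwrap quoted-string
        if name in directives:
            raise ValueError(f"repeated directive {name!r}")
        directives[name] = value
    return directives


def evaluate_hsts(headers: Dict[str, str],
                  min_max_age: int = 31536000) -> Dict[str, object]:
    """Return present/max_age/include_subdomains plus a list of findings
    for one response. Header names are matched case-insensitively."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    verdict: Dict[str, object] = {"present": value is not None,
                                  "max_age": None,
                                  "include_subdomains": False}
    findings: List[str] = []
    if value is None:
        findings.append("Strict-Transport-Security header missing")
        verdict["findings"] = findings
        return verdict
    try:
        directives = parse_hsts(value)
    except ValueError as exc:
        findings.append(f"invalid HSTS header: {exc}")
        verdict["findings"] = findings
        return verdict
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not an integer (header is ignored)")
    else:
        verdict["max_age"] = int(max_age)
        if int(max_age) == 0:
            findings.append("max-age=0 tells browsers to forget the policy")
        elif int(max_age) < min_max_age:
            findings.append(f"max-age {max_age} is below {min_max_age}")
    verdict["include_subdomains"] = "includesubdomains" in directives
    if not verdict["include_subdomains"]:
        findings.append("includeSubDomains not set")
    verdict["findings"] = findings
    return verdict


# Constructed responses: one without the header (the PAN-110168 symptom),
# one with a token max-age, and one that passes.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "missing": {"Content-Type": "text/html"},
    "weak": {"Strict-Transport-Security": "max-age=300"},
    "good": {"strict-transport-security":
             "max-age=31536000; includeSubDomains"},
}

if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        print(label, evaluate_hsts(headers))
```

Feed `evaluate_hsts` the header dictionary from whatever HTTP client you use against the management interface; an empty findings list is the pass condition. The parser deliberately rejects a repeated directive rather than taking the first or last value, because browsers ignore the entire header in that case and a check that silently picked one would report a policy the browser never applies.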
Getting Help
Related Documentation
Refer to the PAN-OS® 9.0 documentation on the Technical Documentation portal for general information
on how to configure and use already-released features.
• PAN-OS 9.0 New Features Guide—Detailed information on configuring the features introduced in this
release.
• PAN-OS 9.0 Administrator’s Guide—Provides the concepts and solutions to get the most out of your
Palo Alto Networks next-generation firewalls. This includes taking you through the initial configuration
and basic set up on your Palo Alto Networks firewalls.
• Panorama 9.0 Administrator’s Guide—Provides the basic framework to quickly set up the Panorama™
virtual appliance or an M-Series appliance for centralized administration of the Palo Alto Networks
firewalls.
• WildFire 9.0 Administrator’s Guide—Provides steps to set up a Palo Alto Networks firewall to forward
samples for WildFire® Analysis, to deploy the WF-500 appliance to host a WildFire private or hybrid
cloud, and to monitor WildFire activity.
• VM-Series 9.0 Deployment Guide—Provides details on deploying and licensing the VM-Series firewall on
all supported hypervisors. It includes examples of supported topologies on each hypervisor.
• GlobalProtect 9.0 Administrator’s Guide—Describes how to set up and manage GlobalProtect™ features.
• PAN-OS 9.0 Web Interface Help—Detailed, context-sensitive help system integrated with the firewall
and Panorama web interface.
• Palo Alto Networks Compatibility Matrix—Provides operating system and other compatibility
information for Palo Alto Networks next-generation firewalls, appliances, and agents.
• Open Source (OSS) Listings—OSS licenses used with Palo Alto Networks products and software:
• PAN-OS 9.0
• Panorama 9.0
• WildFire 9.0