PAN-OS 8.0 Release Notes

Revision Date: January 31, 2017

Review important information about Palo Alto Networks PAN-OS 8.0 software, including new features introduced, workarounds for open issues, and issues that are addressed in the PAN-OS 8.0 release. For installation, upgrade, and downgrade instructions, refer to the PAN-OS 8.0 New Features Guide. For the latest version of these release notes, refer to the Palo Alto Networks technical documentation portal.

Table of Contents

PAN-OS 8.0 Release Information
  Features Introduced in PAN-OS 8.0
    Management Features
    Panorama Features
    Content Inspection Features
    WildFire Features
    Authentication Features
    User-ID Features
    App-ID Features
    Decryption Features
    Virtualization Features
    Networking Features
    GlobalProtect Features
  Changes to Default Behavior
  CLI and API Changes in PAN-OS 8.0
  Associated Software and Content Versions
  Known Issues

PAN-OS 8.0.0 Addressed Issues

Getting Help
  Related Documentation
  Requesting Support

Palo Alto Networks, Inc. PAN-OS 8.0 Release Notes
PAN-OS 8.0 Release Information

• Features Introduced in PAN-OS 8.0
• Changes to Default Behavior
• CLI and API Changes in PAN-OS 8.0
• Associated Software and Content Versions

Previously known issues carried over from previous release notes and that were identified using legacy ID numbers (6 digits without a prefix) are now assigned new issue ID numbers that also include product-specific prefixes.

• Known Issues
• PAN-OS 8.0.0 Addressed Issues
• Getting Help

Features Introduced in PAN-OS 8.0

The following topics describe the new features introduced in the PAN-OS 8.0 release. This release requires Content Release version 655 or later. For information about upgrading to PAN-OS 8.0 and for details on how to use the new features, refer to the PAN-OS 8.0 New Features Guide.

• Management Features
• Panorama Features
• Content Inspection Features
• WildFire Features
• Authentication Features
• User-ID Features
• App-ID Features
• Decryption Features
• Virtualization Features
• Networking Features
• GlobalProtect Features

Management Features

New Management Feature: Description

Administrator-Level Commit and Revert: You can now commit, validate, preview, save, and revert changes that you made in a Panorama or firewall configuration independent of changes that other administrators have made. This simplifies your configuration workflow because you don't have to coordinate commits with other administrators when your changes are unrelated to theirs, or worry about reverting changes other administrators made that weren't ready.

NetFlow Support for PA-7000 Series Firewalls: PA-7000 Series firewalls now have the same ability as other Palo Alto Networks firewalls to export NetFlow records for IP traffic flows to a NetFlow collector. This gives you more comprehensive visibility into how users and devices are using network resources.

PA-7000 Series Firewall Log Forwarding to Panorama: You can now forward logs from PA-7000 Series firewalls to Panorama for improved log retention, which helps you meet regulatory requirements for your industry as well as your internal log archival requirements.

Selective Log Forwarding Based on Log Attributes: To enable your organization to process and respond to incident alerts more quickly, you can now create custom log forwarding filters based on any log attributes. Instead of forwarding logs based only on severity levels, you can forward just the information that various teams in your organization want to monitor or act on. For example, a security operations analyst who investigates malware incidents might be interested only in Threat logs with the type attribute set to wildfire-virus.

Action-Oriented Log Forwarding using HTTP: The firewall can now directly forward logs using HTTP/HTTPS so that you can trigger an automated action when a specific event occurs. This capability allows the firewall to integrate with external systems that provide an HTTP-based API. And, combined with the Selective Log Forwarding Based on Log Attributes, you can now automate security workflow more efficiently, applying dynamic policy, and responding to security incidents.
• Trigger an action or a workflow on a third-party service that provides an HTTP-based API: The firewall can now send an HTTP request as an API call. You can select the HTTP method, and customize the header, request format, and payload to trigger an action. For example, on an HA failover event, the firewall can generate an HTTP request to an IT management service to automatically create an incident report with the details in the system log. This automated workflow can help the IT infrastructure team to easily track and follow up on the issue.
• Enable dynamic policy and enforcement: Tag the source or destination IP address in a log entry, register the tags to connected User-ID agents, and take action to enforce policy at every location on your network. For example, when a Threat log indicates that the firewall has detected malware, you can tag the source or destination IP address to quarantine the malware-infected device. Based on the tag, the IP address associated with the device becomes the member of a dynamic address group, and the Security policy rule in which the dynamic address group is referenced limits access to corporate resources until IT clears the device for use.

Extended SNMP Support: PAN-OS support for Simple Network Management Protocol (SNMP) now includes the following features:
• Logging statistics: Using SNMP to monitor logging statistics for firewalls and Log Collectors helps you plan improvements to your log collection architecture, evaluate the health of firewall and Panorama logging functions, and troubleshoot issues such as dropped logs. You can now monitor a broader range of logging statistics, including log rate, disk usage, retention periods, the forwarding status from individual firewalls to Panorama and external servers, and the status of firewall-to-Log Collector connections.
• HA2 statistics and traps: Monitoring SNMP statistics and traps for the interfaces that firewalls use for high availability (HA) synchronization helps you troubleshoot and verify the health of HA functions such as state changes. You can now use an SNMP manager to monitor the dedicated HA2 interfaces of firewalls, in addition to the HA1, HA2 backup, and HA3 interfaces.

Increased Storage on PA-7000 Series Firewall: To provide longer retention periods for logs on the PA-7000 Series firewall, you can now increase the log storage capacity to 4TB by installing 2TB disks in the two RAID disk pairs (formerly only 1TB disks were supported). For log storage beyond 4TB, you can enable PA-7000 Series Firewall Log Forwarding to Panorama, which supports up to 24TB.
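
The filter-then-tag workflow from the Selective Log Forwarding and Action-Oriented Log Forwarding entries above, modelled in Python as an added example (it is not Palo Alto Networks code). The log field names, the payload template, the `quarantine` tag and the ITSM URL are assumptions, and the log entries are constructed.

```python
import json

# Constructed sample log entries; field names are assumptions, not the PAN-OS log schema.
SAMPLE_LOGS = [
    {"log": "threat", "type": "wildfire-virus", "severity": "medium",
     "src": "10.1.20.15", "dst": "203.0.113.9"},
    {"log": "threat", "type": "vulnerability", "severity": "critical",
     "src": "10.1.20.77", "dst": "198.51.100.4"},
    {"log": "threat", "type": "wildfire-virus", "severity": "low",
     "src": "10.1.30.8", "dst": "203.0.113.9"},
    {"log": "traffic", "type": "end", "severity": "informational",
     "src": "10.1.20.15", "dst": "192.0.2.50"},
]


def select(logs, **attrs):
    """Keep the entries whose attributes all equal the requested values.

    A severity-only filter such as select(logs, severity="critical") would
    miss both wildfire-virus entries above; an attribute filter does not.
    """
    return [e for e in logs if all(e.get(k) == v for k, v in attrs.items())]


def render_request(entry, url, payload_template):
    """Build the HTTP request for one entry; "$name" values are filled from the log."""
    body = {key: entry[val[1:]] if val.startswith("$") else val
            for key, val in payload_template.items()}
    return {"method": "POST", "url": url,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body, sort_keys=True)}


class TagRegistry:
    """IP-to-tag registrations; a dynamic address group is a query over them."""

    def __init__(self):
        self._tags = {}

    def register(self, ip, tag):
        self._tags.setdefault(ip, set()).add(tag)

    def unregister(self, ip, tag):
        self._tags.get(ip, set()).discard(tag)

    def group_members(self, tag):
        return sorted(ip for ip, tags in self._tags.items() if tag in tags)


def quarantine_workflow(logs, registry,
                        url="https://itsm.example.internal/api/incidents"):
    """Filter on attributes, tag each source IP and return the outgoing requests."""
    template = {"summary": "malware detected", "host": "$src", "verdict": "$type"}
    requests = []
    for entry in select(logs, log="threat", type="wildfire-virus"):
        registry.register(entry["src"], "quarantine")
        requests.append(render_request(entry, url, template))
    return requests


def may_reach_corporate(ip, registry):
    """Rule referencing the group: members are denied until the tag is removed."""
    return ip not in registry.group_members("quarantine")
```

Because group membership is derived from the tag, clearing a device is a single `unregister` call and no policy rule has to be edited.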

Panorama Features

New Panorama Feature: Description

Log Query Acceleration: Panorama has an improved log query and reporting engine to enable a significant improvement in speed when generating reports and executing queries. All logs generated after the upgrade to PAN-OS 8.0 automatically take advantage of the improved query processing architecture. To extend the performance improvements for older logs, you can migrate the logs to the new format.

Logging Enhancements on the Panorama Virtual Appliance: You can now create a Log Collector that runs locally on the Panorama virtual appliance. Because the local Log Collector supports multiple virtual logging disks, you can increase log storage as needed while preserving existing logs. You can increase log storage to a maximum of 24TB for a single Panorama and up to 48TB for a high availability pair. Using a local Log Collector also enables faster report generation (see Log Query Acceleration).

Increased Log Storage Capacity: To provide adequate disk space for a longer log retention period, you can increase the log storage capacity on the M-500 appliance and Panorama virtual appliance to 24TB (formerly 8TB). The M-500 appliance now supports 2TB disks and up to 12 RAID disk pairs (formerly 1TB * 8 RAID disk pairs). In addition, the Panorama virtual appliance now supports a local Log Collector with up to 24TB of virtual disk space (see Logging Enhancements on the Panorama Virtual Appliance).

Traps Logs on Panorama: Panorama can now ingest Traps logs sent by the Traps Endpoint Security Manager using syslog over UDP, TCP, or SSL so that you can monitor security events relating to protected processes and executable files on Traps-protected endpoints. You can filter on any log attribute and answer day-to-day operational questions such as, "How many different prevention events did a specific user trigger?"
The ability to see Traps logs in the same context as the firewall logs allows you to correlate discrete activity observed on the network and the endpoints. Correlated events help you see the overall picture across your network and the endpoints so that you can detect any risks that evade detection or take advantage of blind spots, and strengthen your security posture well before any damage occurs.

Extensible Plugin Architecture: Panorama now supports a plugin architecture to enable new third-party integrations or updates to existing integrations (such as the VMware NSX integration) outside of a new PAN-OS feature release. Panorama displays only the interface elements pertinent to the plugins you install.
The first implementation of this architecture enables VM-Series NSX Integration Configuration through Panorama.

Extended Support for Multiple Panorama Interfaces: To support the demands for network segmentation and security in large-scale deployments, you can now separate the management functions from the device management and log collection functions on the Panorama M-Series appliances. The key improvements are:
• Forward logs from the managed firewalls to Panorama and the Log Collectors on multiple interfaces, instead of a single interface. This change reduces the traffic load on an interface and provides flexibility in logging to a common infrastructure across different subnets without requiring changes to the network configuration and access control lists in your infrastructure.
• Manage the configuration for firewalls and log collectors using multiple interfaces on Panorama. This capability simplifies the management of devices that belong to different subnets or are segmented for better security.
• Deploy software and content updates to managed firewalls and log collectors using an interface of your choice. You can continue to use the management port or select a different interface for deploying updates to managed firewalls and log collectors running PAN-OS 8.0. See Streamlined Deployment of Software and Content Updates from Panorama.
The ability to separate these functions across multiple interfaces reduces the traffic on the dedicated management (MGT) port. You can now lock down the management port for administrative access to Panorama (HTTPS and SSH) and the Log Collectors (SSH) only; by default Collector Group communication is enabled on the management port but you can assign a different port for this traffic.

Device Group, Template, and Template Stack Capacity Increase: Panorama now supports up to 1,024 device groups and 1,024 templates (previously 512 each), and 1,024 template stacks (previously 128). In large-scale deployments, these capacity improvements increase administrative ease in centrally managing from Panorama and reduce the configuration exceptions and overrides that you must manage locally on individual firewalls.

Streamlined Deployment of Software and Content Updates from Panorama: You can now deploy software and content updates to managed devices more quickly. Instead of pushing the updates to one device at a time, Panorama now notifies firewalls and Log Collectors when updates are available and the devices then retrieve the updates in parallel.
The Extended Support for Multiple Panorama Interfaces allows you to configure a separate interface, instead of using the management (MGT) interface, for deploying content and software updates to managed devices.

Content Inspection Features

New Content Inspection Feature: Description

Credential Phishing Prevention: Phishing sites are sites that attackers disguise as legitimate websites with the aim to steal user information, especially the passwords that provide access to your network. You can now identify and prevent in-progress phishing attacks by controlling sites to which users can submit corporate credentials based on the site's URL category. This feature integrates with User-ID (group mapping or user mapping, depending on which method you choose to detect credentials) to enable the firewall to detect when users are attempting to submit their corporate username or username and password and block the submission.

Telemetry: You can now participate in a community-driven approach to threat prevention through telemetry. Telemetry allows your firewall to periodically collect and share information about applications, threats, and device health with Palo Alto Networks. Palo Alto Networks uses the threat intelligence collected from you and other customers to improve the quality of intrusion prevention system (IPS) and spyware signatures and the classification of URLs in PAN-DB. For example, when a threat event triggers vulnerability or spyware signatures, the firewall shares the URLs associated with the threat with the Palo Alto Networks threat research team, so they can properly classify the URLs as malicious. Telemetry also allows Palo Alto Networks to rapidly test and evaluate experimental threat signatures with no impact to your network, so that critical threat prevention signatures can be released to all customers faster.
You have full control over which data the firewall shares through telemetry, and samples of this data are available to view through your Telemetry settings. Palo Alto Networks does not share your telemetry data with other customers or third-party organizations.

Palo Alto Networks Malicious IP Address Feeds: Palo Alto Networks now provides malicious IP address feeds that you can use to help secure your network from known malicious hosts on the Internet. One feed contains IP addresses verified as malicious by Palo Alto Networks, and another feed contains malicious IP addresses from reputable third-party threat advisories. Palo Alto Networks maintains both feeds, which you can reference in Security policy rules to allow or block traffic. You can also create your own external dynamic lists based on these feeds and customize them as needed. You must have an active Threat Prevention license to view and use the Palo Alto Networks malicious IP address feeds.

Enhanced Coverage for Command and Control (C2) Traffic: C2 signatures (signatures that detect where a compromised system is surreptitiously communicating with an attacker's remote server) are now generated automatically. While C2 protection is not new, previous signatures looked for an exact match to a domain name or a URL to identify a C2 host. The new, automatically generated C2 signatures detect certain patterns in C2 traffic, providing more accurate, timely, and robust C2 detection even when the C2 host is unknown or changes rapidly.

Data Filtering Support for Data Loss Prevention (DLP) Solutions: Data filtering is enhanced to work with third-party, endpoint DLP solutions that populate file properties to indicate sensitive content, enabling the firewall to enforce your DLP policy. To better secure this confidential data, you can now create Data Filtering profiles that identify the file properties and values set by a DLP solution and then log or block the files the Data Filtering profile identifies.

External Dynamic List Enhancements: New enhancements provide better security, flexibility, and ease of use when working with external dynamic lists. The enhancements include the options to:
• Enable Authentication for External Dynamic Lists to validate the identity of a list source and to forward login credentials for access to external dynamic lists that enforce basic HTTP authentication.
• Use new Palo Alto Networks Malicious IP Address Feeds in security policy rules to block traffic from malicious IP addresses.
• View the contents of an external dynamic list directly on the firewall, with the option to exclude entries or view threat intelligence associated with an entry in AutoFocus.

New Scheduling Options for Application and Threat Content Updates: The firewall can now check for the latest App-ID, vulnerability protection, and anti-spyware signatures every 30 minutes or hourly, in addition to being able to check for these updates daily and weekly. This feature enables more immediate coverage for newly discovered threats and strengthens safe enablement for updated and newly defined applications.

Five-Minute Updates for PAN-DB Malware and Phishing URL Categories: The Malware and Phishing URL categories in PAN-DB are now updated every five minutes, based on the latest malicious and phishing sites WildFire identifies. These more frequent updates ensure that the firewall is equipped with the very latest information to detect and then block access to malicious and phishing sites.

Globally Unique Threat IDs: All Palo Alto Networks threat signatures now have permanent, globally unique IDs that you can use to look up threat signature information and create permanent threat exceptions:
• Change the action (for example, block or alert) the firewall uses to enforce a threat signature; threat exceptions are useful if a signature is triggering false positives.
• Easily check if a threat signature is configured as an exception.
• Use threat IDs in the Threat Vault and AutoFocus to gain context for a threat signature.

New Predefined File Blocking Profiles: Two new predefined File Blocking profiles (basic file blocking and strict file blocking) have been added via content release version 653. You can use these profiles to quickly and easily apply the best practice file blocking settings to your Security policy allow rules to ensure that users are not inadvertently downloading malicious content into your network or exfiltrating sensitive data out of your network in legitimate application traffic.

WildFire Features

The PAN-OS 8.0.0 release is not available for WF-500 appliances.

New WildFire Feature: Description

WildFire Analysis of Blocked Files: The firewall now submits blocked files that match existing antivirus signatures for WildFire analysis, in addition to unknown files, so that WildFire can extract valuable information from new malware variants. Malware signatures often match multiple variants of the same malware family, and as such, block new malware variants that the firewall has never seen before. Sending these blocked malware samples for WildFire analysis allows WildFire to analyze them for additional URLs, domain names, and IP addresses that must be blocked. Since all WildFire analysis data is also available on AutoFocus, you can now use WildFire and AutoFocus together to get a more complete perspective of all threats targeting your network, improving the efficacy of your security operations, incident response, and threat intelligence functions.

WildFire Phishing Verdict: The new WildFire phishing verdict classifies phishing links detected in emails separately from other emailed links found to be exploits or malware. The firewall logs WildFire submissions that are phishing links to indicate that such a link has been detected in an email.
With both a WildFire license and a PAN-DB license, you can block access to phishing sites within 5 minutes of initial discovery.
The WF-500 appliance does not support the new phishing verdict, and continues to classify suspected phishing sites as malicious.

Authentication Features

New Authentication Feature: Description

SAML 2.0 Authentication: The firewall and Panorama can now function as Security Assertion Markup Language (SAML) 2.0 service providers to enable single sign-on and single logout for end users (see SAML 2.0 Authentication for GlobalProtect) and for administrators. SAML enhances the user experience by enabling a single, interactive login to provide automatic access to multiple authenticated services that are internal or external to your organization.
In addition to authenticating administrator accounts that are local to the firewall and Panorama, you can use SAML to authenticate and assign roles to external administrator accounts in the identity provider (IdP) identity store.

Authentication Policy and Multi-Factor Authentication: To protect your network resources from attackers, you can use the new Authentication policy to ensure all your end users authenticate when they access those resources. Authentication policy is an improved replacement for Captive Portal policy, which enforced authentication only for some users. Authentication policy has the additional benefit of enabling you to choose how many authentication challenges of different types (factors) users must respond to. Using multiple factors of authentication (MFA) is particularly useful for protecting your most sensitive resources. For example, you can force users to enter a login password and then enter a verification code that they receive by phone. This approach ensures attackers can't invade your network and move laterally through it just by stealing passwords. If you want to spare users the hassle of responding to multiple challenges for resources that don't need such a high degree of protection, you can also have Authentication policy rules that enforce only password or certificate authentication.
The firewall makes it easy to implement MFA in your network by integrating directly with several MFA platforms (Duo v2, Okta Adaptive, and PingID) and integrating through RADIUS with all other MFA platforms.

TACACS+ User Account Management: To use a Terminal Access Controller Access-Control System Plus (TACACS+) server for centrally managing all administrative accounts, you can now use Vendor-Specific Attributes (VSAs) to manage the accounts of firewall and Panorama administrators. TACACS+ VSAs enable you to quickly reassign administrator roles and access domains without reconfiguring settings on the firewall and Panorama.

Authentication Using Custom Certificates: You can now deploy custom certificates to replace the predefined certificates shipped on Palo Alto Networks devices for management connections between Panorama, firewalls, and Log Collectors. By generating and deploying unique certificates for each device, you can establish a unique chain of trust between Panorama and the managed devices. You can generate these custom certificates locally or import them from an existing enterprise public key infrastructure (PKI). Panorama can manage devices in environments with a mix of predefined and custom certificates.
You can also deploy custom certificates for mutual authentication between the firewall and Windows User-ID Agent. This allows the firewall to confirm the Windows User-ID Agent's identity before accepting User-ID information from the agent. Deploy a custom certificate on the Windows User-ID Agent and a certificate profile on the firewall, containing the CA of the certificate, to establish a unique trust chain between the two devices.

Authentication for External Dynamic Lists: The firewall now validates the digital certificates of SSL/TLS servers that host external dynamic lists, and, if the servers enforce basic HTTP username/password authentication (client authentication), the firewall can forward login credentials to gain access to the lists. If an external dynamic list source fails server or client authentication, the firewall does not retrieve the list and ceases to enforce policy based on its contents. These security enhancements help ensure that the firewall retrieves IP addresses, domains, or URLs from a valid source over a secure, private channel.

User-ID Features

New User-ID Feature: Description

Panorama and Log Collectors as User-ID Redistribution Points: You can now leverage your Panorama and distributed log collection infrastructure to redistribute User-ID mappings in large-scale deployments. By using the existing connections from firewalls to Log Collectors to Panorama, you can aggregate the mappings without setting up and managing extra connections between firewalls.

Centralized Deployment and Management of User-ID and TS Agents: You can now use endpoint management software such as Microsoft SCCM to remotely install, configure, and upgrade multiple Windows-based User-ID agents and Terminal Services (TS) agents in a single operation. Using endpoint management software streamlines your workflow by enabling you to deploy and configure numerous User-ID and TS agents through an automated process instead of using a manual login session for each agent.

User Groups Capacity Increase: To accommodate environments where access control for each resource is based on membership in a user group, and where the number of resources and groups is increasing, you can now reference more groups in policy (the limit varies by platform).

User-ID Syslog Monitoring Enhancements: The following enhancements improve the accuracy of User-ID mappings and simplify monitoring syslog servers for mapping information:
• Automatic deletion of user mappings: To improve the accuracy of your user-based policies and reports, the firewall can now use syslog monitoring to detect when users have logged out and then delete the associated User-ID mappings.
• Multiple syslog formats: In environments with multiple points of authentication sending syslog messages in different formats, it is now easier to monitor login and logout events because the firewall can ingest multiple formats from a syslog server aggregating from various sources.

Group-Based Reporting in Panorama: Panorama now provides visibility into the activities of user groups in your network through the User Activity report, SaaS Application Usage report (see SaaS Application Visibility for User Groups), custom reports, and the ACC. Panorama aggregates group activity information from managed firewalls so that you can filter logs and generate reports for all groups.
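
The two User-ID Syslog Monitoring enhancements above (several sender formats on one feed, and logout events deleting mappings), modelled in Python as an added example (it is not PAN-OS code). The two message formats, the regular expressions and the rule that a logout for a user who no longer holds the address is ignored are assumptions; the syslog lines are constructed.

```python
import ipaddress
import re

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical parse profiles: (event type, regex), one pair per sender format.
PROFILES = [
    ("login", re.compile(
        r"auth-gw: Authentication success User:(?P<user>\S+) Source:" + IP)),
    ("logout", re.compile(
        r"auth-gw: Session closed User:(?P<user>\S+) Source:" + IP)),
    ("login", re.compile(
        r"wlc\[\d+\]: assoc ok ip=" + IP + r' user="(?P<user>[^"]+)"')),
    ("logout", re.compile(
        r"wlc\[\d+\]: disassoc ip=" + IP + r' user="(?P<user>[^"]+)"')),
]

# Constructed lines, as an aggregating syslog server might relay them.
SAMPLE_LINES = [
    '<14>Jan 31 09:00:01 vpn1 auth-gw: Authentication success User:alice Source:10.0.5.21',
    '<14>Jan 31 09:00:07 wlc2 wlc[311]: assoc ok ip=10.0.9.40 user="Bob"',
    '<14>Jan 31 09:05:00 vpn1 auth-gw: Keepalive ok',
    '<14>Jan 31 09:30:12 wlc2 wlc[311]: disassoc ip=10.0.9.40 user="bob"',
    '<14>Jan 31 09:40:00 vpn1 auth-gw: Authentication success User:carol Source:10.0.5.21',
    '<14>Jan 31 09:41:00 vpn1 auth-gw: Session closed User:alice Source:10.0.5.21',
    '<14>Jan 31 09:42:00 vpn1 auth-gw: Authentication success User:dave Source:999.1.1.1',
]


def parse(line):
    """Return (event, ip, user) for the first matching profile, else None."""
    for event, pattern in PROFILES:
        match = pattern.search(line)
        if not match:
            continue
        try:
            ip = str(ipaddress.ip_address(match.group("ip")))
        except ValueError:
            return None  # right format, impossible address: never map it
        return event, ip, match.group("user").lower()
    return None


def apply_events(lines):
    """Replay the feed and return (current IP-to-user mappings, audit trail)."""
    mappings, audit = {}, []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        event, ip, user = parsed
        if event == "login":
            mappings[ip] = user
            audit.append(("map", ip, user))
        elif mappings.get(ip) == user:
            del mappings[ip]  # logout of the current holder removes the mapping
            audit.append(("unmap", ip, user))
        else:
            # The address was already reassigned; deleting here would strip
            # the new user's mapping, so the late logout is only recorded.
            audit.append(("stale-logout", ip, user))
    return mappings, audit
```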

App-ID Features

New App-ID Feature: Description

SaaS Application Visibility for User Groups: To help you monitor the assortment of SaaS applications that serve the productivity needs of the user groups on your network and ensure the security and data integrity demands for the organization, the SaaS Application Usage PDF report now includes data on user groups. The report highlights the most used applications by user groups and presents the volume of data each user group transfers using sanctioned and unsanctioned applications. For a more granular view, you can customize the report to show application usage for a specific user group, application usage on a specific security zone, and report on application usage by multiple user groups within a security zone.
In addition to the enhancements in the PDF report, you can now use the ACC to visualize SaaS activity trends on your network. The ACC includes global filters for viewing SaaS application usage based on risk rating or by the number of sanctioned and unsanctioned applications in use on your network.

ALG Support for IPv6: The firewall can now safely enable Session Initiation Protocol (SIP) and Skinny Client Control Protocol (SCCP) for IPv6 and dual-stack networks. You can safely allow these protocols without opening a wide range of ports to allow the traffic.

Decryption Features

New Decryption Feature: Description

Decryption for Elliptical Curve Cryptography (ECC) Certificates: Firewalls enabled to decrypt SSL traffic now decrypt SSL traffic from websites and applications using ECC certificates, including Elliptical Curve Digital Signature Algorithm (ECDSA) certificates. As some organizations transition to using ECC certificates to take advantage of benefits such as strong keys and small certificate size, this feature ensures that you maintain visibility into and can safely enable ECC-secured application and website traffic.
Decryption for websites and applications using ECC certificates is not supported for traffic that is mirrored to the firewall; encrypted traffic using ECC certificates must pass through the firewall directly for the firewall to decrypt it.

Management for Decryption Exclusions: You now have increased flexibility to manage traffic excluded from decryption. New, centralized SSL decryption exclusion management enables you to both create your own custom decryption exclusions, and to review Palo Alto Networks predefined decryption exclusions in a single place:
• A simplified workflow allows you to easily exclude traffic from decryption based on hostname.
• The firewall does not decrypt applications that are known to break during decryption. Now, you can view these decryption exceptions directly on the firewall. Updates and additions to the Palo Alto Networks predefined decryption exclusions are delivered to the firewall in content updates and are enabled by default.

Perfect Forward Secrecy (PFS) Support with SSL Inbound Inspection: PAN-OS 7.1 introduced PFS for SSL Forward Proxy decryption; now, in PAN-OS 8.0, PFS support is extended to SSL Inbound Inspection. PFS ensures that data from sessions undergoing decryption cannot later be retrieved if server private keys are compromised. You can enforce Diffie-Hellman key exchange-based PFS (DHE) and elliptic curve Diffie-Hellman (ECDHE)-based PFS for decrypted SSL traffic.

Virtualization Features

New Virtualization Feature: Description

VM-Series Firewall Performance Enhancements and Expanded Model Line: This feature introduces improved performance, capacity, and efficiency for all VM-Series firewalls, including three new VM-Series models: VM-50, VM-500, and VM-700. The VM-Series model lineup now covers a wide variety of firewalls from small optimized firewalls in resource-constrained environments to large, high-performance firewalls for deployment in a diverse range of Network Function Virtualization (NFV) use cases. You can also leverage the expanded range of VM-Series models coupled with flexibility and per-tenant isolation of VM-Series models to deploy multi-tenant solutions.
• VM-50 Firewall: A virtual firewall with an optimized compute resource footprint. This firewall is ideal for use in virtual customer premises equipment (vCPE) and high-density multi-tenancy solutions for managed security service providers (MSSP).
• VM-500 and VM-700 Firewalls: When utilizing a larger compute resource footprint, these virtual firewalls provide high performance and capacity. The VM-500 and VM-700 firewalls are ideal in NFV use cases for service provider infrastructure and data center roles.
• VM-100, VM-200, VM-300, VM-1000-HV Firewalls: Existing VM-Series models now feature increased performance, capacity, and efficiency when compared to the same compute resources in earlier release versions. This release also consolidates the VM-200 with the VM-100 and the VM-1000-HV with the VM-300, which means that the VM-100 and VM-200 are now functionally identical, as are the VM-300 and VM-1000-HV.
In addition, VM-Series firewall models are now distinguished by session capacity and the number of maximum effective vCPU cores (instead of only session capacity).

CloudWatch Integration for the VM-Series Firewall on AWS: VM-Series firewalls on AWS can now natively send PAN-OS metrics to AWS CloudWatch for advanced monitoring and auto-scaling policy decisions. The CloudWatch integration enables you to monitor the capacity, health status, and availability of the firewalls with metrics such as total number of active sessions, GlobalProtect gateway tunnel utilization, or SSL proxy utilization, so that the security tier comprising the VM-Series firewalls can scale dynamically when your EC2 workloads scale in response to demand.

Seamless VM-Series Model Upgrade: This release introduces seamless license capacity upgrades of the VM-Series firewall. If a tenant's requirements increase, you can upgrade the capacity to accommodate the changes with minimal traffic and operation disruption. Additionally, VM-Series firewalls now support HA synchronization between VM-Series firewalls of different capacities during the upgrade process.

VM-Series NSX Integration Configuration through Panorama: The new Panorama VMware NSX plugin streamlines the process of deploying VM-Series NSX edition firewalls and eliminates the duplicate effort in defining the security-related configuration on both Panorama and the NSX Manager or vCenter server. Panorama now serves as the single point of configuration that provides the NSX Manager with the contextual information required to redirect traffic from the guest virtual machines to the VM-Series firewall. When you commit the NSX configuration, Panorama generates a security group in the NSX environment for each qualified dynamic address group and pushes each steering rule it generates to the NSX Manager. The NSX Manager uses the steering rules to redirect traffic from the virtual machines belonging to the corresponding NSX security group.

SupportforNSXSecurity TheVMSeriesfirewallcannowdynamicallytagaguestVMwithNSXsecuritytagsto
TagsontheVMSeries enableimmediateisolationofcompromisedorinfectedguests.Theuniversallyunique
NSXEditionFirewall identifierofaguestVMisnowpartoftheTrafficandThreatlogsonthefirewall.By
leveragingthreat,antivirus,andmalwaredetectionlogsontheVMSeriesfirewall,NSX
Managercanplaceguestsinaquarantinedsecuritygrouptopreventlateralmovementof
thethreatinthevirtualizeddatacenterenvironment.

New Serial Number Format for the VM-Series Firewall
The serial number format for the VM-Series firewall now displays the name of the hypervisor on which the firewall is deployed so that you can consistently identify the firewalls for license management, and content and software updates. The new format is 15 characters in length, numeric for the bring your own license (BYOL) model, and alphanumeric for the Marketplace models (Bundle 1 or Bundle 2) available in public cloud environments. As part of this change, VM-Series firewalls in AWS now support longer instance ID formats.

VM-Series Bootstrapping with Block Storage
You can now bootstrap the VM-Series firewall in ESXi, KVM, and Hyper-V using block storage. This option provides a bootstrapping solution for environments where mounting a CD-ROM is not supported.

VM-Series License Deactivation API Key
To deactivate a VM-Series license, you must first install a license API key on your firewall or Panorama. The deactivation API key provides an additional layer of security for communications between the Palo Alto Networks Update Server and VM-Series firewalls and Panorama. The PAN-OS software uses this API key to authenticate with the update and licensing servers.
The API key is available through the Customer Support Portal to administrators with superuser privileges.

Networking Features

New Networking Feature    Description

Tunnel Content Inspection
The firewall can now inspect the traffic content of cleartext tunnel protocols:
• Generic Routing Encapsulation (GRE)
• Non-encrypted IPSec traffic (NULL Encryption Algorithm for IPSec and transport mode AH IPSec)
• General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U)
This enables you to enforce Security, DoS Protection, and QoS policies on traffic in these types of tunnels and traffic nested within another cleartext tunnel (for example, Null Encrypted IPSec inside a GRE tunnel). You can also view tunnel inspection logs and tunnel activity in the ACC to verify that tunneled traffic complies with corporate security and usage policies.
The firewall supports tunnel content inspection of GRE and non-encrypted IPSec on all firewall models. It supports tunnel content inspection of GTP-U on VM-Series firewalls. The firewall is not terminating the GRE, non-encrypted IPSec, or GTP-U tunnel.

Multiprotocol BGP
The firewall now supports Multiprotocol BGP (MP-BGP) so that a firewall enabled with BGP can advertise IPv4 multicast routes and IPv6 unicast routes (in addition to the IPv4 unicast routes it already supports) in BGP Update messages. In this way, MP-BGP provides IPv6 connectivity for your BGP networks that use either native IPv6 or dual-stack IPv4 and IPv6. For example, in a service provider environment, you can offer IPv6 service to customers. In an enterprise environment, you can use IPv6 service from service providers. You can also separate your unicast and multicast traffic so they take different paths, in case you need multicast traffic to undergo less latency or take fewer hops.

Static Route Removal Based on Path Monitoring
You can now use path monitoring to determine if a static or default route is down. If path monitoring to one or more monitored destinations fails, the firewall considers the static or default route down and uses an alternative route so that the traffic is not black-holed (silently discarded). Likewise, the firewall advertises an alternative static route (rather than a failed route) for route redistribution into a dynamic routing protocol.
You can enable path monitoring on static routes between routers, on static routes where a peer does not support Bidirectional Forwarding Detection (BFD), and on static routes where policy-based forwarding (PBF) path monitoring is insufficient because it does not replace failed routes with alternative routes.

IPv6 Router Advertisement for DNS Configuration
To make DNS resolution easier for your IPv6 hosts, the firewall now has enhanced Neighbor Discovery (ND) so that you can provision IPv6 hosts joining the network with Recursive DNS Server (RDNSS) and DNS Search List (DNSSL) options, eliminating the need for a separate DHCPv6 server. The firewall sends IPv6 Router Advertisements with these options; thus, your IPv6 hosts are configured with:
• The addresses of RDNS servers that can resolve DNS queries.
• A list of the domain names (suffixes) that the DNS client appends (one at a time) to an unqualified domain name before entering the domain name into a DNS query.

NDP Monitoring for Fast Device Location
You can now enable Neighbor Discovery Protocol (NDP) monitoring for a dataplane interface on the firewall so that you can view the IPv6 addresses of devices on the link-local network, their corresponding MAC address, and username from User-ID (if the user of that device uses the directory service to log in). Having these three pieces of information in one place about a device that violates a security rule allows you to quickly track the device. You can also monitor IPv6 ND logs to make troubleshooting easier.

Zone Protection for Non-IP Protocols on a Layer 2 VLAN or Virtual Wire
You can now whitelist or blacklist non-IP protocols between security zones or between interfaces within a security zone in a Layer 2 VLAN or on a virtual wire. The firewall normally passes non-IP protocols between Layer 2 zones and between virtual wire zones; with this feature, you can now control non-IP protocols between these zones. For example, if you don't want legacy Windows XP hosts to discover other NetBEUI-enabled hosts on another zone, you can configure a Zone Protection profile to blacklist NetBEUI on the ingress zone.

Global and Zone Protection for Multipath TCP (MPTCP) Evasions
You can now enable or disable Multipath TCP (MPTCP) globally or for each network zone. MPTCP is an extension of TCP that allows a client to simultaneously use multiple paths (instead of a single path) to connect with a destination host. MPTCP especially benefits mobile users, enabling them to maintain dual connections to both Wi-Fi and cellular networks as they move; this improves both the resilience and quality of the mobile connection and enhances the user experience. However, MPTCP can also potentially be leveraged by attackers as part of an evasion technique. This feature provides the flexibility to enable or disable MPTCP for all firewall traffic or for individual network zones, based on the visibility, performance, and security requirements for each network zone.

Zone Protection for SYN Data Payloads
You can now drop TCP SYN and SYN-ACK packets that contain data in the payload during a three-way handshake. In case the payload is malicious (for example, if it contains command-and-control traffic or it is being used to exfiltrate data), dropping such packets can prevent successful attacks.
The TCP Fast Open option preserves the speed of a connection setup by including data in the payload of SYN and SYN-ACK packets. The Zone Protection profile treats TCP handshakes that use the Fast Open option separately from other SYN and SYN-ACK packets; the profile is set to allow the handshake packets if they contain a valid Fast Open cookie.

Hardware IP Address Blocking
When you configure the firewall with a DoS Protection policy or Vulnerability Protection profile to block packets from specific IPv4 addresses, the firewall now automatically blocks that traffic in hardware before those packets use CPU or packet buffer resources. Blocking traffic by default in hardware allows the firewall to stop DoS attacks even faster than blocking traffic in software. If the amount of attack traffic exceeds the hardware block capacity, IP blocking mechanisms in software block the excess traffic. This feature is supported on PA-3060 firewalls, PA-3050 firewalls, PA-5000 Series, and PA-7000 Series firewall models.

Packet Buffer Protection
Packet buffer protection allows you to protect the firewall from being impacted by single source denial of service (DoS) attacks. These attacks come from sessions or IP addresses that are not blocked by Security policy. After a session is permitted by the firewall, it can generate such a high volume of traffic that it overwhelms the firewall packet buffer and causes the firewall to appear to hang as both attack and legitimate traffic are dropped. The firewall tracks the top packet buffer consumers and gives you the ability to configure global thresholds that specify when action is taken against these sessions. After identifying a session as abusive, the firewall uses Random Early Drop (RED) as a first line of defense to throttle the offending session and then discards the session if the abuse continues. If a particular IP address creates many sessions that are discarded, the firewall blocks it.

Reconnaissance Protection Source Address Exclusion
Zone protection's reconnaissance protection detects and takes action against host sweep and TCP and UDP port scans. This is useful against attackers searching for vulnerabilities. However, it can also negatively impact scanning activities, such as network security testing or fingerprinting. You can now whitelist source addresses to exclude them from reconnaissance protection. This allows you to protect your network from reconnaissance attacks while allowing legitimate monitoring tools.

IKE Peer and IPSec Tunnel Capacity Increases
The PA-7000 Series, PA-5000 Series, and PA-3000 Series models now support more IKE peers and IPSec tunnels than in prior releases. This is a benefit in service provider and large enterprise environments where you need to support many site-to-site VPN peers and IPSec VPN connections between remote sites.
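
A simplified model of the rule described in the Zone Protection for SYN Data Payloads entry above, as an added example that is not Palo Alto Networks code: it parses a raw TCP segment and decides whether a handshake packet carrying data would be dropped. Assumptions: a cookie is treated as valid when it is well formed per RFC 7413 (option kind 34, 4 to 16 bytes, even length), and the function names, verdict labels and sample segments are constructed for illustration.

```python
import struct

SYN, ACK = 0x02, 0x10
TFO_KIND = 34  # TCP Fast Open option kind (RFC 7413)


def build_segment(flags, options=b"", payload=b""):
    """Constructed sample input: a minimal TCP segment (checksum left at 0)."""
    options += b"\x01" * (-len(options) % 4)  # pad options to a 4-byte boundary with NOPs
    offset_words = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 49152, 443, 1000, 0,
                         offset_words << 4, flags, 65535, 0, 0)
    return header + options + payload


def parse_options(raw):
    """Yield (kind, value) pairs from the TCP options area; stop on malformed data."""
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:          # End of Option List
            return
        if kind == 1:          # No-Operation (padding)
            i += 1
            continue
        if i + 1 >= len(raw):
            return
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            return             # truncated or bogus length: ignore the rest
        yield kind, raw[i + 2:i + length]
        i += length


def has_wellformed_tfo_cookie(options):
    """True if a Fast Open option carries a cookie (not just a cookie request)."""
    for kind, value in parse_options(options):
        if kind == TFO_KIND:
            return 4 <= len(value) <= 16 and len(value) % 2 == 0
    return False


def classify(segment):
    """Return 'allow', 'allow-tfo', 'drop', 'not-handshake' or 'malformed'."""
    if len(segment) < 20:
        return "malformed"
    header_len = (segment[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        return "malformed"
    if not segment[13] & SYN:
        return "not-handshake"          # rule only concerns SYN and SYN-ACK
    if not segment[header_len:]:
        return "allow"                  # ordinary handshake packet, no data
    if has_wellformed_tfo_cookie(segment[20:header_len]):
        return "allow-tfo"              # data is permitted alongside a cookie
    return "drop"                       # data in SYN/SYN-ACK without a cookie


if __name__ == "__main__":
    cookie = bytes([TFO_KIND, 10]) + bytes(range(8))
    samples = {
        "plain SYN": build_segment(SYN),
        "SYN with data": build_segment(SYN, payload=b"GET / HTTP/1.1\r\n"),
        "SYN-ACK with data": build_segment(SYN | ACK, payload=b"beacon"),
        "SYN with TFO cookie and data": build_segment(SYN, cookie, b"GET /"),
        "SYN with TFO cookie request and data": build_segment(SYN, bytes([TFO_KIND, 2]), b"x"),
    }
    for name, seg in samples.items():
        print(f"{name:40s} {classify(seg)}")
```

A cookie request (an empty Fast Open option) does not authorise data, so that sample is dropped like any other SYN with a payload.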

GlobalProtect Features

New GlobalProtect Feature    Description

IPv6 for GlobalProtect
GlobalProtect clients and satellites can now connect to portals and gateways using IPv6. This feature allows connections from clients that are in IPv6-only environments, IPv4-only environments, or dual-stack (IPv4 and IPv6) environments. You can tunnel IPv4 traffic over an IPv6 tunnel and the IP address pool can assign both IPv4 and IPv6 addresses. To use this feature, you must install a GlobalProtect subscription on each gateway that supports GlobalProtect clients that use IPv6 addresses.

Clientless SSL VPN
Clientless VPN, which provides secure remote access to common enterprise web applications that use HTML, HTML5, and JavaScript technologies, is now available in public beta. Users have the advantage of secure access from SSL-enabled web browsers without installing GlobalProtect client software. This is useful when you need to enable partner or contractor access to applications, and to safely enable unmanaged assets, including personal devices. You can configure the GlobalProtect portal landing page to provide access to web applications based on users and user groups and also allow single sign-on to SAML-enabled applications. Supported operating systems are Windows, Mac, iOS, Android, Chrome, and Linux. Supported browsers are Chrome, Internet Explorer, Safari, and Firefox. This feature requires you to install a GlobalProtect subscription on the firewall that hosts the Clientless VPN from the GlobalProtect portal.

Define Split Tunnels by Excluding Access Routes
You can now exclude traffic to specific destination IP subnets from being sent over the VPN tunnel. With this feature, you can send latency-sensitive or high-bandwidth-consuming traffic outside of the VPN tunnel while all other traffic is routed through the VPN for inspection and policy enforcement by the GlobalProtect gateway.

External Gateway Priority by Source Region
GlobalProtect can now use the geographic region of the GlobalProtect client to determine the best external gateway. By including source region as part of external gateway selection logic, you can ensure that users connect to gateways that are preferred for their current region. This can help avoid distant connections when there are momentary fluctuations of network latency. This can also be used to ensure all connections stay within a region if desired.

Internal Gateway Selection by Source IP Address
GlobalProtect can now restrict internal gateway connection choices based on the source IP address of the client. In a distributed enterprise, this feature allows you to have users from a branch authenticate and send HIP reports to the firewall configured as the internal gateway for that branch as opposed to authenticating and sending HIP reports to all branches.

GlobalProtect Agent Login Enhancement
To simplify GlobalProtect agents and prevent unnecessary login prompts when a username and password are not required, the panel that showed portal, username, and password is now split into two screens (one screen for the portal address and another screen for username and password). The GlobalProtect agent now displays login prompts for username and password only if this information is required. GlobalProtect automatically hides the username and password screen for authentication types, such as cookie or client certificate authentication, that do not require a username and password.

Authentication Policy and Multi-Factor Authentication for GlobalProtect
You can leverage the new Authentication Policy and Multi-Factor Authentication enhancements within GlobalProtect to support access to non-HTTP applications that require multi-factor authentication. GlobalProtect can now notify and prompt the user to perform the timely, multi-factor authentication needed to access sensitive network resources.

SAML 2.0 Authentication for GlobalProtect
GlobalProtect portals, gateways, and clients now support SAML 2.0 Authentication. If you have chosen SAML as your authentication standard, GlobalProtect portals and gateways can act as Security Assertion Markup Language (SAML) 2.0 service providers and GlobalProtect clients can authenticate users directly to the SAML identity provider.

Restrict Transparent Agent Upgrades to Internal Network Connections
You can now control when transparent upgrades occur for a GlobalProtect client. With this configuration, if the user connects from outside the corporate network, the upgrade is postponed. Later, when the user connects from within the corporate network, the upgrade is activated. This feature allows you to hold the updates until users can take advantage of good network availability and high bandwidth from within the corporate network. The upgrades will not hinder users when they travel to environments with low bandwidth.

Changes to Default Behavior

PAN-OS and Panorama 8.0 have the following changes in default behavior:
• The defaults for the following TCP Settings (Device > Setup > Session > TCP Settings) have been changed in 8.0:
  - Drop segments without flag is now enabled by default. The corresponding CLI command, set deviceconfig setting tcp drop-zero-flag, is now set to yes by default.
  - Drop segments with null timestamp option is now enabled by default. The corresponding CLI command, set deviceconfig setting tcp check-timestamp-option, is now set to yes by default.
  - Forward segments exceeding TCP out-of-order queue is now disabled by default. The corresponding CLI command, set deviceconfig setting bypass-exceed-op-queue, is now set to no by default.
• The Device > Setup > Content-ID > Content-ID Settings option to Forward segments exceeding TCP App-ID inspection queue is now disabled by default. The corresponding CLI command, set deviceconfig setting application bypass-exceed-queue, is now set to no by default.
• By default, the firewall and Panorama no longer allow management access over TLSv1.0 connections. If you accept this default, any scripts that require management access (such as API scripts) must support TLSv1.1 or later TLS versions. To overcome the default restriction, you can configure an SSL/TLS service profile that allows TLSv1.0 and assign the profile to the interface used to access the firewall or Panorama.
• Authentication policy replaces Captive Portal policy.
• When an authentication event invokes a policy rule, the firewall now generates Authentication logs instead of Security logs.
• You now use the web interface instead of a CLI command to set the authentication protocol to CHAP or PAP for TACACS+ and RADIUS server profiles.
• To configure the management (MGT) interface on the firewall, you now select Device > Setup > Interfaces instead of Device > Setup > Management.
• To configure interfaces on Panorama, you now select Panorama > Setup > Interfaces instead of Panorama > Setup > Management.
• When adding or editing a Log Collector (Panorama > Managed Collectors), you now configure interfaces in the Interfaces tab, which replaces the Management, Eth1, and Eth2 tabs in the Collector dialog.
• When the Panorama virtual appliance is in Panorama mode and is deployed in a high availability (HA) configuration, you can configure both HA peers to collect logs, not just the active peer.
• When pushing configurations to managed firewalls or Log Collectors, Panorama now pushes the running configuration instead of the candidate configuration. Therefore, you must commit changes to Panorama before pushing the changes to firewalls or Log Collectors.
• Firewalls and Log Collectors now retrieve software and content updates from Panorama over port 28443 instead of Panorama pushing the updates over port 3978.
• To create a snapshot file for the candidate configuration, you must now select Config > Save Changes instead of Save at the top right of the web interface.
• The login page for the web interface displays a new Single Sign-On link. The link applies only to administrators whom you configured to authenticate through a SAML identity provider.
• External dynamic list changes:
  - When retrieving an external dynamic list from a source with an HTTPS URL, the firewall now authenticates the digital certificates of the list source. You must configure a certificate profile to authenticate the source. If the source authentication fails, the firewall stops enforcing policy based on the list contents.

  - In PAN-OS 7.1, the firewall supported a maximum of 30 unique sources for external dynamic lists and enforced the maximum number even if the external dynamic list was not used in policy. Beginning in PAN-OS 8.0, only the lists you use to enforce policy will count toward the maximum number allowed.
  - Entries in an external dynamic list (IP addresses, domains, and URLs) now only count toward the maximum number that the firewall supports if a security policy rule references the external dynamic list.
• If you previously enabled WildFire forwarding on your firewall, the firewall now forwards blocked files that match existing signatures, in addition to unknown files, for WildFire analysis. The WildFire Submissions log now includes log entries for blocked files.
• The Action column in the WildFire Submissions log now indicates if the firewall action for a sample was allow or block. In PAN-OS 7.1 and earlier versions, the action displayed for all samples in the WildFire Submissions log was alert.
• In PAN-OS 7.1 and earlier releases, passive DNS monitoring was a setting you could enable in an Anti-Spyware Profile. You could attach the Anti-Spyware Profile to a policy rule, and sessions that matched that rule would then trigger passive DNS monitoring. Beginning in PAN-OS 8.0, passive DNS monitoring is a global setting that you can enable through the Telemetry and Threat Intelligence feature, and when enabled, the firewall acts as a passive DNS sensor for all traffic that passes through the firewall.
• The firewall now uses the new service route Palo Alto Networks Services to access external services that it accessed via the service routes Palo Alto Updates and WildFire Public prior to PAN-OS 8.0.
• In a Zone Protection profile for Packet Based Attack Protection, the default setting is now to drop TCP SYN and SYN-ACK packets that contain data in the payload during a three-way handshake. (In prior PAN-OS releases, the firewall allowed such packets.) By default, a Zone Protection profile is set to allow TCP handshake packets that use the TCP Fast Open option if they contain a valid Fast Open cookie. If you have existing Zone Protection profiles in place when you upgrade to PAN-OS 8.0, the three default settings will apply to each profile and the firewall will act accordingly.
• When you use a Classified DoS Protection profile for flood protection or a Vulnerability Protection profile that is configured to Block IP addresses, the firewall will now block IP addresses in hardware first, and then in software if the hardware block list has reached its capacity.
• In PAN-OS 8.0, the use of hypervisor-assigned MAC addresses and DHCP on management interfaces are enabled on new VM-Series firewall installations. These options are not enabled automatically when upgrading a VM-Series firewall to PAN-OS 8.0 from PAN-OS 7.1 or earlier releases.
• The Agent > Gateways tab for GlobalProtect portal configurations is split into two separate tabs: Internal and External. Use the Internal tab to specify internal gateway settings for GlobalProtect agents and apps. Use the External tab to specify external gateway settings for GlobalProtect agents and apps. These are layout changes only; your existing PAN-OS 7.1 configuration is preserved.
• The Agent > Client Settings > Network Settings tab for GlobalProtect gateway configurations is replaced with two separate tabs: IP Pools and Split Tunnel. These are layout changes only; your existing PAN-OS 7.1 configuration is preserved.
• The Disable login page check box on the General tab for GlobalProtect portal configurations is now a Disable command in the Portal Login Page. This is a layout change only; your existing PAN-OS 7.1 configuration is preserved.
• GlobalProtect has a few minor changes to menu and check box labels (refer to the table below). These are changes to wording only; your existing PAN-OS 7.1 configuration is preserved.

Location | PAN-OS 7.1 Label | PAN-OS 8.0 Label
The General tab for GlobalProtect portal configurations | Custom Login Page | Portal Login Page
The General tab for GlobalProtect portal configurations | Custom Help Page | App Help Page
The Agent > External > Add > External Gateway for GlobalProtect portal configurations | If this GlobalProtect gateway can be manually selected | Manual (the user can manually select this gateway)

• In PAN-OS 7.1 and earlier releases, to prevent potential IP address conflicts, the GlobalProtect gateway did not assign an IP address if the local network IP address sent from the endpoint was in the same subnet as the IP address pool. Users had to configure a second IP address pool that contained addresses from a separate subnet. Beginning in PAN-OS 8.0, when you configure only one IP address pool, GlobalProtect assigns an IP address regardless of subnet overlap. This change may cause warning messages on Windows endpoints. If you are concerned about the warning message, configure a second IP address pool.
• Beginning with PAN-OS 8.0, the Verify Update Server Identity global services setting for installing content and software updates is enabled by default (Device > Setup > Services > Global).
• Beginning with PAN-OS 7.1.7, to deactivate a VM-Series license you must first install a license API key on your firewall or Panorama. For more information, see Virtualization Features.
• Large Receive Offload (LRO) is enabled by default on new deployments of the VM-Series firewall for NSX or deployments upgraded to 8.0.
• Support for Data Plane Development Kit (DPDK) is enabled by default on the VM-Series for KVM and ESXi. However, to take advantage of DPDK, you must install the required NIC driver on your hypervisor. DPDK support is disabled by default on the VM-Series for AWS.
• The firewall does not support SSL decryption of RSA keys that are larger than 8Kb in size. You can either block connections to servers with the RSA key size greater than 8kb in the certificate or skip SSL decryption for such connections in Objects > Decryption Profile. To block such connections, check SSL Forward Proxy > Unsupported Mode Checks > Block sessions with unsupported cipher suites. Leave Block sessions with unsupported cipher suites unchecked to skip decrypting such connections.

CLI and API Changes in PAN-OS 8.0

PAN-OS 8.0 has changes to existing CLI commands, which also affect corresponding PAN-OS XML API requests. If you have a script or application that uses these requests, run corresponding CLI commands in debug mode to view the corresponding XML API syntax.
Operational commands are preceded by a greater-than sign (>), while configuration commands are preceded by a hash (#). An asterisk (*) indicates that related commands in the same hierarchy have also changed.

The operational command to clear User-ID mappings for all IP addresses or a specific IP address has changed:

PAN-OS 7.1 and earlier releases:
> clear user-cache [all | ip]

PAN-OS 8.0 release:
> clear ipuser-cache [all | ip]

With Authentication policy replacing Captive Portal policy, related CLI commands have changed:

PAN-OS 7.1 and earlier releases:
> show running captive-portal-policy
> test cp-policy-match *
# show rulebase captive-portal *
# set import resource max-cp-rules <0-4000>
# set rulebase captive-portal *
# set shared admin-role <name> role device webui policies captive-portal-rulebase <enable|read-only|disable>
# set import resource max-cp-rules <0-4000>

PAN-OS 8.0 release:
> show running authentication-policy
> test authentication-policy-match *
# show rulebase authentication *
# set import resource max-auth-rules <0-4000>
# set rulebase authentication rules *
# set shared admin-role <name> role device webui policies authentication-rulebase <enable|read-only|disable>
# set import resource max-auth-rules <0-4000>

The User-ID commands to clear user mappings from the dataplane have changed:

PAN-OS 7.1 and earlier releases:
> clear uid-gids-cache uid <1-2147483647>
> clear uid-gids-cache all

PAN-OS 8.0 release:
> clear uid-cache uid <1-2147483647>
> clear uid-cache all

With the introduction of decryption for Elliptical Curve Cryptography (ECC) Certificates, the following CLI command has been replaced with two algorithm-specific commands:

PAN-OS 7.1 and earlier releases:
# set deviceconfig setting ssl-decrypt fwd-proxy-server-cert-key-size <0|1024|2048>

PAN-OS 8.0 release:
# set deviceconfig setting ssl-decrypt fwd-proxy-server-cert-key-size-rsa <0|1024|2048>
# set deviceconfig setting ssl-decrypt fwd-proxy-server-cert-key-size-ecdsa <0|256|384>

With the introduction of IPv6 support in GlobalProtect, the following CLI commands have been replaced with two protocol-specific commands:

PAN-OS 7.1 and earlier releases:
# set global-protect global-protect-portal <name> portal-config local-address ip <value>

PAN-OS 8.0 release:
# set global-protect global-protect-portal <name> portal-config local-address ip ipv4 <value>
# set global-protect global-protect-portal <name> portal-config local-address ip ipv6 <value>

PAN-OS 7.1 and earlier releases:
# set global-protect global-protect-portal <name> portal-config local-address floating-ip <value>

PAN-OS 8.0 release:
# set global-protect global-protect-portal <name> portal-config local-address floating-ip ipv4 <value>
# set global-protect global-protect-portal <name> portal-config local-address floating-ip ipv6 <value>

With new support for malicious IP address feeds, related CLI commands have changed to support IP addresses, URLs, and domains:

PAN-OS 7.1 and earlier releases:
# set external-list <name> *

PAN-OS 8.0 release:
# set external-list <name> type ip *
# set external-list <name> type predefined-ip *
# set external-list <name> type domain *
# set external-list <name> type url *

CLI commands related to SafeNet Network HSM (formerly Luna SA) now reflect the new name:

PAN-OS 7.1 and earlier releases:
# show deviceconfig system hsm-settings provider safenet-luna-sa *
# set deviceconfig system hsm-settings provider safenet-luna-sa *

PAN-OS 8.0 release:
# show deviceconfig system hsm-settings provider safenet-network *
# set deviceconfig system hsm-settings provider safenet-network *

With the introduction of selective log forwarding based on log attributes, you must now specify the name of a custom-filter match list in related CLI commands:

PAN-OS 7.1 and earlier releases:
# show shared log-settings system *
# set shared log-settings system *
# show shared log-settings config *
# set shared log-settings config *
# show shared log-settings hipmatch *
# set shared log-settings hipmatch *
# show shared log-settings profiles <name> *
# set shared log-settings profiles <name> *

PAN-OS 8.0 release:
# show shared log-settings system match-list *
# set shared log-settings system match-list *
# show shared log-settings config match-list *
# set shared log-settings config match-list *
# show shared log-settings hipmatch match-list *
# set shared log-settings hipmatch match-list *
# show shared log-settings profiles <name> match-list *
# set shared log-settings profiles <name> match-list *

CLI commands related to configuring the User-ID agent must now include host-port:

PAN-OS 7.1 and earlier releases:
# set user-id-agent <name> host <ip/netmask>|<value>
# set user-id-agent <name> port <1-65535>
# set user-id-agent <name> ntlm-auth <yes|no>
# set user-id-agent <name> ldap-proxy <yes|no>
# set user-id-agent <name> collectorname <value>
# set user-id-agent <name> secret <value>

PAN-OS 8.0 release:
# set user-id-agent <name> host-port host <ip/netmask>|<value>
# set user-id-agent <name> host-port port <1-65535>
# set user-id-agent <name> host-port ntlm-auth <yes|no>
# set user-id-agent <name> host-port ldap-proxy <yes|no>
# set user-id-agent <name> host-port collectorname <value>
# set user-id-agent <name> host-port secret <value>
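
One way to audit automation scripts against the CLI changes listed in this section, as an added example that is not a Palo Alto Networks tool: it rewrites commands the notes rename one-for-one and flags commands that were split into several alternatives for manual review instead of guessing. The function names, status labels and sample commands are constructed for illustration; commands are assumed to be stored without the > or # prompt.

```python
import ipaddress
import re

# Commands the release notes list as renamed one-for-one (PAN-OS 7.1 -> 8.0).
RENAMES = [
    (r"^clear user-cache\b", "clear ipuser-cache"),
    (r"^clear uid-gids-cache\b", "clear uid-cache"),
    (r"^show running captive-portal-policy\b", "show running authentication-policy"),
    (r"^test cp-policy-match\b", "test authentication-policy-match"),
    (r"^show rulebase captive-portal\b", "show rulebase authentication"),
    # Tolerates an existing "rules" keyword so it is not doubled (assumption).
    (r"^set rulebase captive-portal(?: rules)?\b", "set rulebase authentication rules"),
    (r"\bmax-cp-rules\b", "max-auth-rules"),
    (r"\bpolicies captive-portal-rulebase\b", "policies authentication-rulebase"),
    (r"\bhsm-settings provider safenet-luna-sa\b", "hsm-settings provider safenet-network"),
    # User-ID agent settings move under "host-port"; the lookahead skips 8.0 syntax.
    (r"^(set user-id-agent \S+) (?=(?:host|port|ntlm-auth|ldap-proxy|collectorname|secret)\s)",
     r"\1 host-port "),
]

# Commands split into several 8.0 forms: a person has to pick the right one.
MANUAL = [
    (r"\bfwd-proxy-server-cert-key-size(?=\s|$)",
     "use fwd-proxy-server-cert-key-size-rsa or -ecdsa"),
    (r"^set external-list \S+ (?!type\s)",
     "add 'type ip|predefined-ip|domain|url' after the list name"),
    (r"^(?:show|set) shared log-settings (?:system|config|hipmatch|profiles \S+)"
     r"(?=\s|$)(?!\s+match-list\b)",
     "add 'match-list' (and a match list name when setting)"),
]

# GlobalProtect portal addresses now need an explicit address family keyword.
ADDR = re.compile(r"^(set global-protect global-protect-portal \S+ portal-config "
                  r"local-address (?:ip|floating-ip)) (?!ipv[46]\s)(\S+)$")


def migrate(command):
    """Return (command, status, note); status is unchanged, rewritten or manual."""
    cmd = " ".join(command.split())  # normalise whitespace
    match = ADDR.match(cmd)
    if match:
        try:
            family = ipaddress.ip_interface(match.group(2)).version
        except ValueError:  # an object name, not a literal address
            return cmd, "manual", "insert 'ipv4' or 'ipv6' before the value"
        return f"{match.group(1)} ipv{family} {match.group(2)}", "rewritten", ""
    for pattern, note in MANUAL:
        if re.search(pattern, cmd):
            return cmd, "manual", note
    new = cmd
    for pattern, replacement in RENAMES:
        new = re.sub(pattern, replacement, new)
    return new, ("rewritten" if new != cmd else "unchanged"), ""


def audit(lines):
    """Return (line_no, old, new, status, note) for every line needing attention."""
    findings = []
    for number, line in enumerate(lines, 1):
        new, status, note = migrate(line)
        if status != "unchanged":
            findings.append((number, line, new, status, note))
    return findings


# Constructed sample: commands as they might appear in a PAN-OS 7.1 era script.
SAMPLE_SCRIPT = [
    "show running captive-portal-policy",
    "clear uid-gids-cache all",
    "set user-id-agent agent1 host 192.0.2.10",
    "set user-id-agent agent1 host-port port 5007",
    "set global-protect global-protect-portal gp1 portal-config local-address ip 2001:db8::1",
    "set deviceconfig setting ssl-decrypt fwd-proxy-server-cert-key-size 2048",
    "show shared log-settings system",
    "show system info",
]

if __name__ == "__main__":
    for number, old, new, status, note in audit(SAMPLE_SCRIPT):
        print(f"line {number}: {status}\n  7.1: {old}\n  8.0: {note or new}")
```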

Associated Software and Content Versions

The following minimum software and content versions are supported with PAN-OS 8.0 releases:

Palo Alto Networks Software or Content Release Version | Minimum Supported Version with PAN-OS 8.0
Panorama | 8.0.0
User-ID Agent | 8.0.0
Terminal Services (TS) Agent | 8.0.0
GlobalProtect Agent | 4.0
Applications and Threat Content Release Version | 655
Antivirus Content Release Version | 2137

Known Issues

The following table describes known issues in the PAN-OS 8.0 release.

For recent updates to known issues for a given PAN-OS release, refer to
https://live.paloaltonetworks.com/t5/Articles/CriticalIssuesAddressedinPANOSReleases/tap/52882.

Issue ID    Description

Upgrading a PA-200 or PA-500 firewall to PAN-OS 8.0 can take 30-60 minutes to complete. Ensure uninterrupted power to your firewall throughout the upgrade process.

Panorama 8.0 does not currently support management of appliances running WildFire 7.1 or earlier releases. Even though these management options are visible on the Panorama 8.0 web interface (Panorama > Managed WildFire Clusters and Panorama > Managed WildFire Appliances), making changes to these settings for appliances running WildFire 7.1 or earlier releases has no effect.

ATF-2661
If you launch an AutoFocus search for an artifact on the firewall through the AutoFocus Intelligence Summary and your preferred scope setting in AutoFocus is set to Public Samples, AutoFocus incorrectly displays no search results.
Workaround: In the AutoFocus window you just launched, view the search results for All Samples, and then switch back to My Samples. The My Samples tab then displays the correct search results.

GPC-2742
If you configure GlobalProtect portals and gateways to use client certificates and LDAP as two factors of authentication, Chromebook users that are running Chrome OS 47 or later versions can encounter excessive prompts to select a client certificate.
Workaround: To prevent excessive prompts, configure a policy to specify the client certificate in the Google Admin console and deploy that policy to your managed Chromebooks:
1. Log in to the Google Admin console (https://admin.google.com) and select Device management > Chrome management > User settings.
2. In the Client Certificates section, enter the following URL pattern to Automatically Select Client Certificate for These Sites:
{"pattern":"https://[*.]","filter":{}}
3. Click Save. The Google Admin console deploys the policy to all devices within a few minutes.

GPC-1737
By default, the GlobalProtect app adds a route on iOS mobile devices that causes traffic to the GP-100 GlobalProtect Mobile Security Manager to bypass the VPN tunnel.
Workaround: To configure the GlobalProtect app on iOS mobile devices to route all traffic (including traffic to the GP-100 GlobalProtect Mobile Security Manager) to pass through the VPN tunnel, perform the following tasks on the firewall hosting the GlobalProtect gateway (Network > GlobalProtect > Gateways > <gateway-config> > Agent > Client Settings > <client-settings-config> > Network Settings > Access Route):
• Add "0.0.0.0/0" as an access route.
• Enter the IP address for the GlobalProtect Mobile Security Manager as an additional access route.

GPC-1517
For the GlobalProtect app to access an MDM server through a Squid proxy, you must add the MDM server SSL access ports to the proxy server allow list. For example, if the SSL access port is 8443, add acl SSL_ports port 8443 to the allow list.

WF500-1584
When using a web browser to view a WildFire Analysis Report from a firewall that is using a WF-500 appliance for file sample analysis, the report may not appear until the browser downloads the WF-500 certificate. This issue occurs after upgrading a firewall and the WF-500 appliance to a PAN-OS 6.1 or later release.
Workaround: Browse to the IP address or hostname of the WF-500 appliance, which will temporarily download the certificate into the browser. For example, if the IP address of the WF-500 is 10.3.4.99, open a browser and enter https://10.3.4.99. You can then access the report from the firewall by selecting Monitor > WildFire Submissions, clicking log details, and then clicking the WildFire Analysis Report tab.

PAN-73879
You cannot clone the strict file blocking profile in PAN-OS 8.0; however, cloning the basic file blocking profile (or any other Security Profile types) works as expected.

PAN-73363
After you enable reporting and filtering on groups, Panorama still displays no results when you filter logs or generate reports based on user groups. The workaround is to access the Panorama CLI and run the debug software restart process reportd operational command.

PAN-73316
When a GlobalProtect user first logs in with a RADIUS authentication profile, the Domain-UserName appears as user@domain (instead of domain\user) in the PAN-OS web interface.
Workaround: Once a HIP report is generated, the username format is normalized and updated to the correct format.

PAN-73307
When you use the ACC tab to view Tunnel Activity and you Jump to Logs, the Tunnel Inspection logs display tunnel as the tunnel type.
Workaround: Remove tunnel type from the query in tunnel logs.

PAN73254 After you install the VMware NSX plugin on Panorama in a high availability (HA)
deployment, Panorama does not automatically synchronize configuration changes
between the HA peers unless you first update settings related to the NSX plugin.
Workaround: Configure the NSX settings and commit your changes to Panorama.

PAN73207 If the firewall integrates with Okta Adaptive as the multi-factor authentication (MFA)
vendor, you cannot use push notification as an authentication factor.

PAN73168 If the PAN-OS Web Interface and the GlobalProtect portal that hosts clientless VPN
applications are configured to share the same FQDN, you can get a 400 Bad Request
error message from your browser when you try to access the PAN-OS Web Interface.
Workaround: Best practice is to configure separate FQDNs for the PAN-OS Web
Interface and the GlobalProtect portal that hosts clientless VPN applications. As a
short-term fix, clear the browser cache or close all browser windows and then open a
separate browser window to log in to the PAN-OS web interface.

PAN73006 When logging rates are high, the App Scope Change Monitor and Network Monitor
reports sometimes display no data when you filter by Source or Destination IP addresses.
The App Scope Summary report also might not display data for the Top 5 Bandwidth
Consuming Source and Top 5 Threats when logging rates are high.

PAN72861 When you configure a PA-7000 Series firewall to perform tunnel-in-tunnel inspection,
which includes GRE keepalive packets (Policies > Tunnel Inspection > Inspection >
Inspect Options), and you run the clear session all CLI command while traffic is
traversing a tunnel, the firewall temporarily drops tunneled packets.

PAN72843 If you commit a configuration that enables clientless VPN on multiple GlobalProtect
portals using different DNS proxies, the commit fails.
Workaround: Restart the firewall dataplane and repeat the configuration commit.

PAN72402 If you configure a BGP IPv6 aggregate address with an Advertise Filter consisting of both
a prefix filter and a next-hop filter, the firewall advertises only the aggregate address and
not the specific routes covered by the Advertise Filter. The workaround is to remove the
next-hop filter; then the firewall advertises both the aggregate address and the more
specific routes. This issue applies only to routes learned from another BGP peer; the
behavior is as expected for locally injected routes.

PAN71833 For a TACACS+ authentication profile, the output of the test authentication
authentication-profile CLI command intermittently displays
authentication/authorization failed for user even though the administrator can
successfully log in to the web interface or CLI using the same credentials as were specified
in the test command.

PAN71765 Deactivating a VM-Series firewall from Panorama completes successfully but the web
interface does not update to show that deactivation is complete.
Workaround: View deactivation status from Managed Devices (Panorama > Managed
Devices).

PAN71556 MAC address table entries with a time-to-live (TTL) value of 0 are not removed as
expected, which results in a table that continually grows larger in size.

PAN71329 Local users and user groups created under Shared (all virtual systems) are not available to
be part of the user-to-application mapping for GlobalProtect Clientless VPN applications
(Clientless VPN > Applications on the GlobalProtect Portal).
Workaround: Create users and user groups under Vsys for multiple virtual systems. For
single virtual systems (like VM), users and user groups are created under Shared and are
not configurable for Clientless VPN applications.

PAN71271 During the process of migrating logs to the new log storage format in PAN-OS 8.0 (using
the CLI command request logdb migrate lc serial-number <serial_number>
start), older existing logs might be lost if the logging disks on a Log Collector are close to
maximum capacity.

PAN71215 Deactivating a VM-Series firewall from Panorama fails when Panorama is configured to
Verify Update Server Identity (Panorama > Setup > Services > Verify Update Server
Identity) and this setting is disabled on the firewall (Device > Setup > Services); this failure
causes the firewall to become unreachable.
Workaround: Ensure that you configure both Panorama and the VM-Series firewall to
Verify Update Server Identity before you deactivate the firewall.

PAN70906 If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP
address, then when a user logs out from the GlobalProtect portal, the administrative user
is logged out from the PAN-OS web interface as well. This issue is compounded when the
portal is configured for GlobalProtect Clientless VPN because it can increase the number
of users who access the portal.
Workaround: Use the IP address to access the PAN-OS web interface and a FQDN to
access the GlobalProtect portal.

PAN70353 Clientless VPN does not work if you configure the GlobalProtect portal that hosts the
Clientless VPN on an interface configured to use the DHCP Client.
Workaround: Configure the interface to use static IP addresses.

PAN70323 Firewalls running in FIPS-CC mode do not allow import of SHA-1 CA certificates even
when the private key is not included; instead, firewalls display the following error: Import
of <cert name> failed. Unsupported digest or keys used in FIPS-CC mode.

PAN70046 A standard browser 404 error displays when you try to use GlobalProtect Clientless VPN
without the correct content update.
Workaround: Clientless VPN requires you to install a GlobalProtect subscription on the
firewall that hosts the Clientless VPN from the GlobalProtect portal. You also need the
GlobalProtect Clientless VPN dynamic updates to use this feature.

PAN70027 The output of the show object registered-IP all command does not include the
Source of IP tag (service profile name and ID).

PAN70023 Authentication using auto-filled credentials intermittently fails when you access an
application using GlobalProtect Clientless VPN.
Workaround: Manually enter the credentials.

PAN69505 When viewing an external dynamic list that requires client authentication and you Test
Source URL, the firewall fails to indicate whether it can reach the external dynamic list
server and returns a URL access error.

PAN69340 When you use a license authorization code (capacity license or a bundle) to bootstrap a
VM-Series firewall, the capacity license is not applied. This issue occurs because the
firewall does not reboot after the license is applied.
Workaround: Use the request restart software CLI command or reboot the firewall
manually to activate session capacity for a VM-Series firewall.

PAN69141 On PA-7000 Series firewalls and on Panorama log collectors, log collection processes
consume excess memory and do not process logs as expected. This issue occurs when
DNS response times are slow and scheduled reports contain fields that require DNS
lookups.
Workaround: Use the debug management-server report-namelookup disable CLI
command to disable DNS lookups for reporting purposes.

PAN67987 The GlobalProtect agent fails to connect using a client cert if the intermediate CA is signed
using the ECDSA hash algorithm.

PAN67971 When you configure an endpoint running a GlobalProtect agent 3.x release to use a
fully qualified domain name (FQDN) to connect to a dual-stack PAN-OS 8.0 gateway, the
firewall incorrectly displays an IPv6 address instead of an IPv4 address for the connection.
Workaround: Use GlobalProtect agent 4.0 to connect to PAN-OS 8.0.

PAN66531 Fixed an issue where the Commit Scope column in the Commit window was empty after
manually uploading and installing a content update and then committing. Although the
content update was not listed under Commit Scope, the commit continued and showed
100% complete.

PAN66122 Tunnel content inspection is not supported in a virtual system to virtual system topology.

PAN63611 On Panorama, when you generate a custom report or the SaaS Application Usage report
on demand (Run Now), the report may be incomplete if you have a large dataset. To
generate the report successfully, try the following workarounds.
Workaround
Option 1: Reduce the scope of the report. You can either limit the time period or the
dataset (volume of logs) for the report. For example, in the SaaS Application Usage report,
clear the Include detailed application category information in report check box or
generate the report for a selected user group or zone instead of on all users and zones.
Option 2: Increase the timeout for generating reports. Use the following CLI command on
Panorama and each Log Collector in your DLC architecture:
set reportd timeout <value in seconds>
The default timeout is 1200 seconds but you can increase it to a maximum of 5 hrs (18000
seconds).

PAN63274 When tunnel content inspection is configured for traffic in a shared gateway topology (the
firewall has multiple virtual systems), inner flow sessions installed on DP1 fail. Also, when
networking devices behind the shared gateway initiate traffic, that traffic doesn't reach
the networking devices behind the virtual systems.

PAN63207 Fixed an issue on PA-7000 Series firewalls where group mappings did not populate when
the group include list was pushed from Panorama.

PAN62820 If you use the Apple Safari browser in Private Browsing mode to request a service or
application that requires multi-factor authentication (MFA), the firewall does not redirect
you to the service or application even after authentication succeeds.

PAN62513 Fixed an issue on PA-7000 Series firewalls in an active/passive HA configuration where
the "show high-availability path-monitoring" command always shows NPC slot 1, even
though the path monitoring IP address was assigned to an interface in a different NPC slot.
This occurred only when the path monitoring IP address was assigned to an interface in an
aggregate interface group and the interface group was in a slot other than slot 1.

PAN62453 Entering vSphere maintenance mode on a VM-Series firewall without first shutting down
the Guest OS for the agent VMs causes the firewall to shut down abruptly and causes
issues that persist after the firewall is powered on again. Refer to Issue 1332563 in the
VMware release notes: https://www.vmware.com/support/pubs/nsx_pubs.html.
Workaround: VM-Series firewalls are Service Virtual Machines (SVMs) pinned to ESXi
hosts and should not be migrated. Before you enter vSphere maintenance mode, use the
VMware tools to ensure a graceful shutdown of the VM-Series firewall.

PAN61840 The show global-protect-portal statistics CLI command is not supported.

PAN61284 Fixed an issue where User-ID consumed a large amount of memory when the firewall
experienced a high rate of incoming IP address-to-username mapping data and there were
more than ten redistribution client firewalls at the same time.

PAN59124 Objects > Custom Objects > Data Patterns provides predefined patterns (Pattern Type >
Predefined Pattern), such as social security numbers and credit card numbers, to check
for in the incoming file types that you specify. The firewall no longer supports checking for
these predefined patterns in GZIP and ZIP files.

PAN58872 The automatic license deactivation workflow for firewalls with direct internet access does
not work.
Workaround: Use the request license deactivate key features <name> mode
manual CLI command to Deactivate a Feature License or Subscription Using the CLI. To
Deactivate a VM, choose Complete Manually (instead of Continue) and follow the steps
to manually deactivate the VM.

PAN57215 Fixed an issue where an HTTP 416 error appeared when trying to download updates to a
client from an IBM BigFix update server.

PAN56217 You cannot configure multiple DNS proxy objects that specify for the firewall to listen for
DNS requests on the same interface (Network > DNS Proxy > Interfaces). If multiple DNS
proxy objects are configured with the same interface, only the first DNS proxy object
settings are applied.
Workaround: If there are DNS proxy objects configured with the same interface, you must
modify the DNS proxy objects so that each object specifies unique interfaces:
To modify a DNS proxy object that specifies only one interface, delete the DNS proxy
object and reconfigure the object with an interface that is not shared among any other
objects.
To modify a DNS proxy object configured with multiple interfaces, delete the interface
that is shared with other DNS proxy objects, click OK to save the modified object, and
then Commit.

PAN55825 Performing an AutoFocus remote search that is targeted to a PAN-OS firewall or
Panorama does not work correctly when the search condition contains a single or double
quotation mark.

PAN55437 High availability (HA) for VM-Series firewalls does not work in AWS regions that do not
support the signature version 2 signing process for EC2 API calls. Unsupported regions
include AWS EU (Frankfurt) and Korea (Seoul).

PAN55203 When you change the reporting period for a scheduled report, such as the SaaS
Application Usage PDF report, the report can have incomplete or no data for the reporting
period.
Workaround: If you need to change the reporting period for any scheduled report, create
a new report for the desired time period instead of modifying the time period on an
existing report.

PAN54254 In Traffic logs, the following session end reasons for Captive Portal or a GlobalProtect SSL
VPN tunnel indicated the incorrect reason for session termination:
decrypt-cert-validation, decrypt-unsupport-param, or decrypt-error.

PAN53825 For the VM-Series NSX edition firewall, when you add or modify an NSX service profile
zone on Panorama, you must perform a Panorama commit and then perform a Device
Group commit with the Include Device and Network Templates option selected. To
successfully redirect traffic to the VM-Series NSX edition firewall, you must perform both
a Template and a Device Group commit when you modify the zone configuration to
ensure that the zones are available on the firewall.

PAN53663 When you open the SaaS Application Usage report (Monitor > PDF Reports > SaaS
Application Usage) on multiple tabs in a browser, each for a different virtual system (vsys),
and you then attempt to export PDFs from each tab, only the first request is accurate; all
successive attempts will result in PDFs that are duplicates of the first report.
Workaround: Export only one PDF at a time and wait for that export process to finish
before you trigger the next export request.

PAN53601 Panorama running on an M-500 appliance cannot connect to a SafeNet Network or Thales
Nshield Connect hardware security module (HSM).

PAN51969 On the NSX Manager, when you unbind an NSX Security Group from an NSX Security
Policy rule, the dynamic tag and registered IP address are updated on Panorama but are
not sent to the VM-Series firewalls.
Workaround: To push the Dynamic Address Group updates to the VM-Series firewalls,
you must manually synchronize the configuration with the NSX Manager (Panorama >
VMware Service Manager and select NSX Config-Sync).

PAN51952 If a security group overlap occurs in an NSX Security policy where the same security group
is weighted with a higher and a lower priority value, the traffic may be redirected to the
wrong service profile (VM-Series firewall instance). This issue occurs because an NSX
Security policy with a higher weight does not always take precedence over a policy with a
lower weight.
Workaround: Make sure that members that are assigned to a security group are not
overlapping with another Security group and that each security group is assigned to a
unique NSX Security policy rule. This allows you to ensure that NSX Security policy does
not redirect traffic to the wrong service profile (VM-Series firewall).

PAN51870 When using the CLI to configure the management interface as a DHCP client, the commit
fails if you do not provide all four DHCP parameters in the command. For a successful
commit when using the set deviceconfig system type dhcp-client command, you
must include each of the following parameters: accept-dhcp-domain,
accept-dhcp-hostname, send-client-id, and send-hostname.

PAN51869 Canceling pending commits does not immediately remove them from the commit queue.
The commits remain in the queue until PAN-OS dequeues them.

PAN51673 BFD sessions are not established between two RIP peers when there are no RIP
advertisements.
Workaround: Enable RIP on another interface to provide RIP advertisements from a
remote peer.

PAN51216 The NSX Manager fails to redirect traffic to the VM-Series firewall when you define new
Service Profile zones for NSX on Panorama. This issue occurs intermittently on the NSX
Manager when you define security rules to redirect traffic to the new service profiles that
are available for traffic introspection and results in the following error: Firewall
configuration is not in sync with NSX Manager. Conflict with Service
Profile Oddhost on service (Palo Alto Networks NGFW) when binding to
host<name>.

PAN51181 A Palo Alto Networks firewall, M-100 appliance, or WF-500 appliance configured to use
FIPS operational mode fails to boot when rebooting after an upgrade to PAN-OS 7.0 or
later releases.
Workaround: Enable FIPS and Common Criteria support on all Palo Alto Networks
firewalls and appliances before you upgrade to a PAN-OS 7.0 or later release.

PAN51122 For the VM-Series firewall, if you manually reset a heartbeat failure alarm on the vCenter
server to indicate that the VM-Series firewall is healthy (change color to green), the
vCenter server does not trigger a heartbeat failure alarm again.

PAN50651 On PA-7000 Series firewalls, one data port must be configured as a log card interface
because the traffic and logging capabilities of this platform exceed the capabilities of the
management port. A log card interface performs WildFire file forwarding and log
forwarding for syslog, email, and SNMP and these services require DNS support. If you set
up a custom service route for the firewall to perform DNS queries, services using the log
card interface might not be able to generate DNS requests. This is only an issue if you've
configured the firewall to use a service route for DNS requests and, in this case, you must
perform a workaround to enable communication between the firewall dataplane and the
log card interface.
Workaround: Enable DNS Proxy on the firewall and do not specify an interface for the
DNS proxy object to use (ensure that Network > DNS Proxy > Interface is not configured).

PAN50641 Enabling or disabling BFD for BGP or changing a BFD profile that a BGP peer uses causes
BGP to flap.

PAN50038 When you enable jumbo frames from the CLI on a VM-Series firewall in AWS, the
maximum transmission unit (MTU) size on the interfaces does not increase. The MTU on
each interface remains at a maximum value of 1500 bytes.

PAN48565 The VM-Series firewall on Citrix SDX does not support jumbo frames.

PAN48456 IPv6-to-IPv6 Network Prefix Translation (NPTv6) is not supported when configured on a
shared gateway.

PAN47969 If you log in to Panorama as a Device Group and Template administrator and you rename
a device group, the Panorama > Device Groups page no longer displays any device groups.
Workaround: After you rename a device group, perform a commit, log out, and log back
in; the page then displays the device groups with the updated values.

PAN47073 Web pages using the HTTP Strict Transport Security (HSTS) protocol do not always
display properly for end users.
Workaround: End users must import an appropriate forward-proxy certificate for their
browsers.

PAN46344 When you use a Mac OS Safari browser, client certificates will not work for Captive Portal
authentication.
Workaround: On a Mac OS system, instruct end users to use a different browser (for
example, Mozilla Firefox or Google Chrome).

PAN45793 On a firewall with multiple virtual systems, if you add an authentication profile to a virtual
system and give the profile the same name as an authentication sequence in Shared,
reference errors occur. The same errors occur if the profile is in Shared and the sequence
with the same name is in a virtual system.
Workaround: When creating authentication profiles and sequences, always enter unique
names, regardless of their location. For existing authentication profiles and sequences
with similar names, rename the ones that are currently assigned to configurations (for
example, a GlobalProtect gateway) to ensure uniqueness.

PAN44616 On the ACC > Network Activity tab, if you add the label Unknown as a global filter, the
filter gets added as A1 and query results display A1 instead of Unknown.

PAN44400 The link on a 1Gbps SFP port on a VM-Series firewall deployed on a Citrix SDX server does
not come up when successive failovers are triggered. This behavior is only observed in a
high availability (HA) active/active configuration.
Workaround: Use a 10Gbps SFP port instead of the 1Gbps SFP port on the VM-Series
firewall deployed on a Citrix SDX server.

PAN44300 WildFire analysis reports cannot be viewed on firewalls running PAN-OS 6.1 release
versions if connected to a WF-500 appliance in Common Criteria mode that is running
PAN-OS 7.0 or later releases.

PAN43000 Vulnerability detection of SSLv3 fails when SSL decryption is enabled. This occurs when
you attach a Vulnerability Protection profile (that detects SSLv3 CVE-2014-3566) to a
Security policy rule and that Security policy rule and an SSL Decryption policy rule are
configured on the same virtual system in the same zone. After performing SSL decryption,
the firewall sees decrypted data and no longer sees the SSL version number. In this case,
the SSLv3 vulnerability is not identified.
Workaround: SSL Decryption Enhancements were introduced in PAN-OS 7.0 that enable
you to prohibit the inherently weaker SSL/TLS versions, which are more vulnerable to
attacks. For example, you can use a Decryption Profile to enforce a minimum protocol
version of TLS 1.2 or you can Block sessions with unsupported versions to disallow
unsupported protocol versions (Objects > Decryption Profile > SSL Decryption > SSL
Forward Proxy and/or SSL Inbound Inspection).

PAN41558 When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic
is not routed correctly for third-party IPSec clients, such as StrongSwan.
Workaround: Use a physical firewall interface instead of a loopback firewall interface as
the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure
the loopback interface that is used as the GlobalProtect gateway to be in the same zone
as the physical ingress interface for third-party IPSec traffic.

PAN40842 When you configure a firewall to retrieve a WildFire signature package, the System log
shows unknown version for the package. For example, after a scheduled WildFire
package update, the system log shows: WildFire package upgraded from version
<unknown version> to 38978-45470. This is a cosmetic issue only and does not prevent
the WildFire package from installing.

PAN40714 If you access Device > Log Settings on a device running a PAN-OS 7.0 or later release and
then use the CLI to downgrade the device to a PAN-OS 6.1 or earlier release and reboot,
an error message appears the next time you access Log Settings. This occurs because
PAN-OS 7.0 and later releases display Log Settings in a single page whereas PAN-OS 6.1
and earlier releases display the settings in multiple sub-pages. To clear the message,
navigate to another page and return to any Log Settings sub-page; the error will not recur
in subsequent sessions.

PAN40130 In the WildFire Submissions logs, the email recipient address is not correctly mapped to a
username when configuring LDAP group mappings that are pushed in a Panorama
template.

PAN40079 The VM-Series firewall on KVM, for all supported Linux distributions, does not support the
Broadcom network adapters for PCI pass-through functionality.

PAN40075 The VM-Series firewall on KVM running on Ubuntu 12.04 LTS does not support PCI
pass-through functionality.

PAN39728 The URL logging rate is reduced when HTTP header logging is enabled in the URL Filtering
profile (Objects > Security Profiles > URL Filtering > URL Filtering profile > Settings).

PAN39636 Regardless of the Time Frame you specify for a scheduled custom report on a Panorama
M-Series appliance, the earliest possible start date for the report data is effectively the
date when you configured the report. For example, if you configure the report on the 15th
of the month and set the Time Frame to Last 30 Days, the report that Panorama generates
on the 16th will include only data from the 15th onward. This issue applies only to
scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround: To generate an on-demand report, click Run Now when you configure the
custom report.

PAN39501 Unused NAT IP address pools are not cleared after a single commit, so a commit fails if the
combined cache of unused pools, existing used pools, and new pools exceeds the memory
limit.
Workaround: Commit a second time, which clears the old pool allocation.

PAN38584 Configurations pushed from Panorama 6.1 and later releases to firewalls running PAN-OS
6.0.3 or earlier PAN-OS 6.0 releases will fail to commit due to an unexpected Rule Type
error. This issue is caused by the Rule Type setting in Security policy rules that was not
included in the upgrade transform and, therefore, the new rule types are not recognized
on devices running PAN-OS 6.0.3 or earlier releases.
Workaround: Only upgrade Panorama to version 6.1 or later releases if you are also
planning to upgrade all managed firewalls running PAN-OS 6.0.3 or an earlier PAN-OS 6.0
release to a PAN-OS 6.0.4 or later release before pushing a configuration to the devices.

PAN38255 If you perform a factory reset on a Panorama virtual appliance and configure the serial
number, logging does not work until you reboot Panorama or execute the debug
software restart management-server CLI command.

PAN37511 Due to a limitation related to the Ethernet chip driving the SFP+ ports, PA-5050 and
PA-5060 firewalls will not perform link fault signaling as standardized when a fiber in the
fiber pair is cut or disconnected.

PAN37177 After deploying the VM-Series firewall, when the firewall connects to Panorama, you must
issue a Panorama commit to ensure that Panorama recognizes the firewall as a managed
device. If you reboot Panorama without committing the changes, the firewall will not
connect back to Panorama; although the device group will display the list of devices, the
device will not display in Panorama > Managed Devices.
Further, if Panorama is configured in an HA configuration, the VM-Series firewall is not
added to the passive Panorama peer until the active Panorama peer synchronizes the
configuration. During this time, the passive Panorama peer will log a critical message:
vm-cfg: failed to process registration from svm device. vm-state: active.
This message is logged until you commit the changes on the active Panorama, which then
initiates synchronization between the Panorama HA peers and the VM-Series firewall is
added to the passive Panorama peer.
Workaround: To reestablish the connection to the managed devices, commit your
changes to Panorama (click Commit and select Commit Type: Panorama). In case of an HA
setup, the commit will initiate the synchronization of the running configuration between
the Panorama peers.

PAN37127 On the Panorama web interface, the Policies > Security > Post Rules > Combined Rules
Preview window does not display post rules and local rules for managed devices.

PAN37044 Live migration of the VM-Series firewall is not supported when you enable SSL decryption
using the SSL forward proxy method. Use SSL inbound inspection if you need support for
live migration.

PAN36730 When deleting the VM-Series deployment, all VMs are deleted successfully; however,
sometimes a few instances still remain in the datastore.
Workaround: Manually delete the VM-Series firewalls from the datastore.

PAN36728 In some scenarios, traffic from newly added guests or virtual machines is not steered to
the VM-Series firewall even when the guests belong to a Security Group and are attached
to a Security Policy that redirects traffic to the VM-Series firewall.
Workaround: Reapply the Security Policy on the NSX Manager.

PAN36727 The VM-Series firewall fails to deploy with an error message: Invalid OVF Format in
Agent Configuration.
Workaround: Use the following command to restart the ESX Agent Manager process on
the vCenter Server: /etc/init.d/vmware-vpxd tomcat-restart.

PAN36433 If a high availability (HA) failover occurs on Panorama at the time that the NSX Manager
is deploying the VM-Series NSX edition firewall, the licensing process fails with the error:
vm-cfg: failed to process registration from svm device. vm-state: active.
Workaround: Delete the unlicensed instance of the VM-Series firewall on each ESXi host
and then redeploy the Palo Alto Networks next-generation firewall service from the NSX
Manager.

PAN36409 When viewing the Session Browser (Monitor > Session Browser), using the global refresh
option (top right corner) to update the list of sessions causes the Filter menu to display
incorrectly and clears any previously selected filters.
Workaround: To maintain and apply selected filters to an updated list of sessions, click the
green arrow to the right of the Filters field instead of the global (or browser) refresh
option.

PAN36394 When the datastore is migrated for a guest, all current sessions are no longer steered to
the VM-Series firewall. However, all new sessions are secured properly.

PAN36393 When deploying the VM-Series firewall, the Task Console displays Error while
enabling agent. Cannot complete the operation. See the event log for
details. This error displays even on a successful deployment. You can ignore the
message if the VM-Series firewall is successfully deployed.

PAN36333 The Service dialog for adding or editing a service object in the web interface displays the
incorrect port range for both source and destination ports: 1-65535. The correct port
range is 0-65535 and specifying port number 0 for either a source or destination port is
successful.

PAN36289 If you deploy the VM-Series firewall and then assign the firewall to a template, the change
is not recorded in the bootstrap file.
Workaround: Delete the Palo Alto Networks NGFW Service on the NSX Manager, and
verify that the template is specified on Panorama > VMware Service Manager, register
the service, and redeploy the VM-Series firewall.

PAN36088 When an ESXi host is rebooted or shut down, the functional status of the guests is not
updated. Because the IP address is not updated, the dynamic tags do not accurately reflect
the functional state of the guests that are unavailable.

PAN36049 The vCenter Server/vmtools displayed the IP Address for a guest incorrectly after vlan
tags were added to an Ethernet port. The display did not accurately show the IP addresses
associated with the tagged Ethernet port and the untagged Ethernet port. This issue was
seen on some Linux OS versions such as Ubuntu.

PAN35903 When you edit a traffic introspection rule (to steer traffic to the VM-Series firewall) on the
NSX Manager, an invalid (tcp) port number error or invalid (udp) port number
error displays when you remove the destination (TCP or UDP) port.
Workaround: Delete the rule and add a new one.

PAN35875 When defining traffic introspection rules (to steer traffic to the VM-Series firewall) on the
NSX Manager, either the source or the destination for the rule must reference the name
of a Security Group; you cannot create a rule from any to any Security Group.
Workaround: To redirect all traffic to the VM-Series firewall, you must create a Security
Group that includes all the guests in the cluster. Then you can define a security policy that
redirects traffic from and to the cluster so that the firewall can inspect and enforce policy
on the east-west traffic.

PAN35874 Duplicate packets are being steered to the VM-Series firewall. This issue occurs if you
enable distributed vSwitch for steering in promiscuous mode.
Workaround: Disable promiscuous mode.

PAN34966 On a VM-Series NSX edition firewall, when adding or removing a Security Group
(Container) that is bound to a Security Policy, Panorama does not get a dynamic update of
the added or removed Security Group.
Workaround: On Panorama > VMware Service Manager, click Synchronize Dynamic
Objects to initiate a manual synchronization to get the latest update.

PAN34855 On a VM-Series NSX edition firewall, Dynamic Tags (update) do not reflect the actual IP
address set on the guest. This issue occurs because the vCenter Server cannot accurately
view the IP address of the guest.

PAN33316 Adding or removing ports on the SDX server after deploying the VM-Series firewall can
cause a configuration mismatch on the firewall. To avoid the need to reconfigure the
interfaces, consider the total number of data ports that you require on the firewall and
assign the relevant number of ports on the SDX server when deploying the VM-Series
firewall.
For example, if you assign ports 1/3 and 1/4 on the SDX server as data interfaces on the
VM-Series firewall, the ports are mapped to eth1 and eth2. If you then add port 1/1 or 1/2
on the SDX server, eth1 will be mapped to 1/1 or 1/2, eth2 will be mapped to 1/3 and
eth3 to 1/4. If ports 1/3 and 1/4 were set up as a virtual wire, this remapping will require
you to reconfigure the network interfaces on the firewall.

PAN31832 The following issues apply when configuring a firewall to use a hardware security module
(HSM):
Thales nShield Connect: The firewall requires at least four minutes to detect that an
HSM has been disconnected, causing SSL functionality to be unavailable during the
delay.
SafeNet Network: When losing connectivity to either or both HSMs in a high
availability (HA) configuration, the display of information from the show ha-status or
show hsm info command is blocked for 20 seconds.

PAN31593 After you configure a Panorama M-Series appliance for HA and synchronize the
configuration, the Log Collector of the passive peer cannot connect to the active peer until
you reboot the passive peer.

PAN29441 The Panorama virtual appliance does not write summary logs for traffic and threats as
expected after you enter the "clear log" command.
Workaround: Reboot Panorama management server (Panorama > Setup > Operations) to
enable summary logs.

PAN29411 In some configurations, when you switch context from Panorama and access the web
interface of a managed device, you are unable to upgrade the PAN-OS software image.
Workaround: Use the Panorama > Device Deployment > Software tab to deploy and
install the software image on the managed device.

PAN29385 You cannot configure the management IP address on an M-100 appliance while it is
operating as the secondary passive peer in an HA pair.
Workaround: To set the IP address for the management interface, you must suspend the
active Panorama peer, promote the passive peer to active state, change the configuration,
and then reset the active peer to active state.

PAN29053 By default, the hostname is not included in the IP header of syslog messages sent from the
firewall. However, some syslog implementations require this field to be present.
Workaround: Enable the firewall to include the IP address of the firewall as the hostname
in the syslog header by selecting Send Hostname in Syslog (Device > Setup).

PAN28794 If a Panorama Log Collector MGT port is configured with an IPv4 address and you want to
have only an IPv6 address configured, you can use the Panorama web interface to
configure the new IPv6 address but you cannot use Panorama to remove the IPv4 address.
Workaround: Configure the MGT port with the new IPv6 address and then apply the
configuration to the Log Collector and test connectivity using the IPv6 address to ensure
that you do not lose access when you remove the IPv4 address. After you confirm the Log
Collector is accessible using the IPv6 address, go to the CLI on the Log Collector and
remove the IPv4 address (using the delete deviceconfig system ip-address
command) and then commit your changes.

PAN-25101 If you add a Decryption policy rule that instructs the firewall to block SSL traffic that was
not previously being blocked, the firewall will continue to forward the undecrypted traffic.
Workaround: Use the debug dataplane reset ssl-decrypt exclude-cache command
to clear the SSL decrypt exclude cache.

PAN-25046 SSH host keys used for SCP log export are stored in the known hosts file on the firewall.
In a high availability (HA) configuration, the SCP log export configuration is synchronized
with the peer device, but the known host file is not synchronized. When a failover occurs,
the SCP log export fails.
Workaround: Log in to each peer in HA and Test SCP server connection to confirm the
host key so that SCP log forwarding continues to work after a failover.

PAN-23732 When you use Panorama templates to schedule a log export (Device > Scheduled Log
Export) to an SCP server, you must log in to each managed device and Test SCP server
connection after the template is pushed. The connection is not established until the
firewall accepts the host key for the SCP server.

PAN-20656 Attempts to reset the master key from the web interface (Panorama > Master Key and
Diagnostics) or the CLI on Panorama will fail. However, this should not cause a problem
when pushing a configuration from Panorama to a device because it is not necessary for
the keys to match.

PAN-20162 If a client PC uses RDP to connect to a server running remote desktop services and the
user logs in to the remote server with a different username, when the User-ID agent
queries the Active Directory server to gather user-to-IP mapping from the security logs,
the second username will be retrieved. For example, if UserA logs in to a client PC and then
logs in to the remote server using the username for UserB, the security log on the Active
Directory server will record UserA, but will then be updated with UserB. The username
UserB is then picked up by the User-ID agent for the user-to-IP mapping information,
which is not the intended user mapping.

PAN-OS 8.0.0 Addressed Issues
The following tables list the issues that are fixed in the PAN-OS 8.0.0 release. For new features, associated
software versions, known issues, and changes in default behavior in PAN-OS 8.0 releases, see PAN-OS 8.0
Release Information.

Issue ID Description

PAN-72346 Fixed an issue where exporting botnet reports failed with the following error: Missing
report job id.

PAN-72242 Fixed an issue where configuring a source address exclusion in Reconnaissance Protection
tab under zone protection profile was not allowed.

PAN-71892 Fixed an issue where an LDAP profile did not use the configured port; the profile used the
default port, instead.

PAN-71615 Fixed an issue where the intrazone block rule shadowed the universal rule that has
different source and destination zones.

PAN-71307 Fixed an issue where the scp stats-dump report did not run correctly because source (src)
and destination (dst) options were determined to be invalid arguments.

PAN-71192 Fixed an issue where performing a log query or log export with a specific number of logs
caused the management server to stop responding. This occurred only when the number
of logs was a multiple of 64 plus 63. For example, 128 is a multiple of 64 and if you add 63
to 128 that equals 191 logs. In this case, if you performed a log query or export and there
were 191 logs, the management server would stop responding.

PAN-70483 Fixed an issue on an M-Series appliance in Panorama mode where shared service groups
did not populate in the service pulldown when attempting to add a new item to a security
policy. The issue occurred when the dropdown contained 5,000 or more entries.

PAN-70323 Fixed an issue where firewalls running in FIPS-CC mode did not allow import of SHA1 CA
certificates even when the private key was not included; instead, firewalls displayed the
following error: Import of <cert name> failed. Unsupported digest or keys used
in FIPS-CC mode.

PAN-70057 Fixed an issue where running the validate option on a candidate configuration in Panorama
caused changes to the running configuration on the managed device. The configuration
change occurred after a subsequent FQDN refresh occurred.

PAN-69951 Fixed an issue where the firewall failed to forward system logs to Panorama when the
dataplane was under severe load.

PAN-69235 Fixed an issue where committing a configuration with a large number of layer 3
subinterfaces (4,000 in this case) caused the dataplane to stop responding.

PAN-69194 Fixed an issue where performing a device group commit from a Panorama server running
version 7.1 to managed firewalls running PAN-OS 6.1 failed to commit when the custom
spyware profile action was set to Drop. With this fix, Panorama translates the action from
Drop to Drop packets for firewalls running PAN-OS 6.1, which allows the device group
commit to succeed.

PAN-68873 Fixed an issue where customizing the block duration for threat ID 40015 in a Vulnerability
Protection profile did not adhere to the defined block interval. For example, if you set
Number of Hits (SSH hello messages) to 3 and per seconds to 60, after three consecutive
SSH hello messages from the client, the firewall failed to block the client for the full 60
seconds.

PAN-68766 Fixed an issue where navigating to the IPSec tunnel configuration in a Panorama template
caused the Panorama management web interface to stop responding and displayed a "502
Bad Gateway" error.

PAN-68658 Fixed an issue where handling out-of-order TCP FIN packets resulted in dropped packets
due to TCP reassembly that was out of sync.

PAN-68654 Fixed an issue where the firewall was not populating User-ID mappings based on the
defined syslog filters.

PAN-68034 The show netstat CLI command was removed in the 7.1 release for Panorama, Panorama
log collector, and WildFire. With this fix, the show netstat command is reintroduced.

PAN-67987 Fixed an issue where the GlobalProtect agent failed to connect using a client certificate if
the intermediate CA is signed using the ECDSA hash algorithm.

PAN-67944 Fixed an issue where a process (all_pktproc) stopped responding because a race condition
occurred when closing sessions.

PAN-67639 Fixed an issue where Auth Password and Priv Password for the SNMPv3 server profile
were not properly masked when viewing the configuration change in the configuration log.

PAN-67599 In PAN-OS 7.0 and 7.1, a restriction was added to prevent an administrator from
configuring OSPF router ID 0.0.0.0. This restriction is removed in PAN-OS 8.0.

PAN-67224 Fixed an issue where the firewall displayed a validation error after Panorama imported the
firewall configuration and then pushed the configuration back to the firewall so it could be
managed by Panorama. This issue occurred because log forwarding profiles were not
replaced with the profiles configured in Panorama. With this fix, Panorama will properly
remove the existing configuration on the managed firewall before applying the pushed
configuration.

PAN-67090 Fixed an issue where the web interface displayed an obsolete flag for the nation of
Myanmar.

PAN-66675 Fixed an issue where extended packet captures were consuming an excessive amount of
storage space in /opt/panlogs.

PAN-66104 Fixed an issue where vsys-specific custom response pages (Captive portal, URL continue,
and URL override) did not display; they were replaced by shared response pages, instead.

PAN-64981 Fixed an issue where an internal buffer could be overwritten, causing the management
plane to stop responding.

PAN-64723 Fixed an issue where the test authentication CLI command was incorrectly sending
vsys-specific information to the User-ID process for group mapping query that allowed
the authentication test to succeed when it should have failed.

PAN-64638 Fixed an issue where the firewall failed to send a RADIUS access request after changing
the IP address of the management interface.

PAN-64579 Error message is now displayed when installing apps package manually from file on passive
Panorama.

PAN-64520 Fixed an issue where H.323-based video calls failed when using source NAT (dynamic or
static) due to incorrect translation of the destCallSignalAddress payload in the
H.225 call setup.

PAN-64436 Fixed an issue where creation of IGMP sessions failed due to a timeout issue.

PAN-64419 Fixed an issue where the firewall displayed inconsistent shadow rule warnings during a commit
for QOS policies.

PAN-64081 Fixed an issue on PA-5000 Series firewalls where the dataplane stopped responding due
to a race condition during hardware offload.

PAN-63969 Fixed an issue where an SSH session running on a nonstandard port was categorized by
URL filtering as unknown, causing the firewall to block the traffic. With this fix, the firewall
will no longer perform a URL lookup on SSH traffic that is not decrypted.

PAN-63925 Fixed an issue where the firewall did not generate a log when a content update failed or
was interrupted.

PAN-63908 Fixed an issue where SSH sessions subject to URL category lookup were handled
incorrectly even though SSH decryption was not enabled. With this fix, SSH traffic is not
subject to URL category lookup when SSH decryption is disabled.

PAN-63612 Fixed an issue where User activity reports on Panorama did not include any entries when
there was a space in the Device Group name.

PAN-63520 Fixed an issue where the wrong source zone was used when logging vsys-to-vsys sessions.

PAN-63054 Fixed an issue on VM-Series firewalls where enabling software QoS resulted in dropped
packets under heavy traffic conditions. With this fix, VM-Series firewalls no longer drop
packets due to heavy loads with software QoS enabled and software QoS performance in
general is improved for all Palo Alto Networks firewalls.

PAN-63013 Fixed an issue where a commit validation error displayed when pushing a template
configuration with a modified WildFire file size setting. With this fix, commit validation
takes place on the managed firewall that tries to commit new template values.

PAN-62937 Fixed an issue where, when TLS was enabled, establishing an LDAP connection over a slow
or unstable connection caused commits to fail. With this fix, if TLS is enabled, the firewall
does not attempt to establish LDAP connections when you perform a commit; it waits until
after the commit is complete.

PAN-62797 Fixed an issue where a process (cdb) intermittently restarted, which prevented jobs from
completing successfully.

PAN-62057 Fixed an issue where the GlobalProtect agent failed to authenticate using a client
certificate that had a signature algorithm that was not SHA1/SHA256. With this fix, the
firewall provides support for the SHA384 signature algorithm for client-based
authentication.

PAN-61877 Fixed an issue where Authentication Override in the GlobalProtect portal configuration
didn't work when the certificate used for encrypting and decrypting cookies was
generated using RSA 4,096-bit keys.

PAN-61871 Fixed an issue where the firewall matched traffic to a URL category and on first lookup,
which caused some traffic to be matched to the wrong security profile. With this fix, the
firewall matches traffic to URL categories a second time to ensure that traffic is matched
to the correct security profile.

PAN-61837 Fixed an issue on PA-3000 Series and PA-5000 Series firewalls where the dataplane
stopped responding when a session crossed vsys boundaries and could not find the correct
egress port. This issue occurred when zone protection was enabled with a SYN Cookies
action (Network > Zone Protection > Flood Protection).

PAN-61813 Fixed an issue where a custom scheduled report configured per device was empty when
exported.

PAN-61797 Fixed an issue on the passive peer in an HA configuration where LACP flapped when the
link state was set to shutdown/auto and prenegotiation was disabled.

PAN-61465 Fixed an issue where the web interface (Objects > Decryption Profile > SSL Decryption >
SSL Protocol Settings > Encryption Algorithms) still displayed the 3DES encryption
algorithm as enabled even after you disabled it.

PAN-61365 Fixed an issue where data filtering logs (Monitor > Logs > Data Filtering) did not take into
account the file direction (upload or download) so it was not possible to differentiate
uploaded files from downloaded files in the logs. With this fix, you configure the file
direction (upload, download, or both) in Objects > Security Profiles > Data Filtering and
select the Direction column in Monitor > Logs > Data Filtering to view the file direction in
the logs.

PAN-61252 Fixed an issue on firewalls in an HA active/active configuration where the floating IP
address was not active on the secondary firewall after the link went down on the primary
firewall.

PAN-60753 Fixed an issue where changing the RSA key from a 2,048-bit key to a 1,024-bit key forced
the encryption algorithm to change from SHA256 to SHA1 for SSL forward proxy
decryption.

PAN-60581 Added check to not include all the applications in the Application filter if no application
category is selected by the user. Users have to explicitly add all the categories to create an
application filter with all the applications.

PAN-60577 Added check in the Application Filter UI to not allow user to create or save an application
filter without any application category selected by the user.

PAN-60556 Added support in the certificate profile to also configure a non-CA certificate as an
additional certificate to verify the OCSP response received for certificate status validation.
The OCSP Verify CA field in the certificate profile has been changed to OCSP Verify
Certificate.

PAN-60402 Fixed an issue where renaming an address object caused the commit to a Device Group to
fail.

PAN-60340 Fixed an issue where the Panorama application database did not display all applications in
the browser.

PAN-60035 An enhancement to alleviate Dynamic IP NAT translation conflict between different
Packet Processors (PP) and thus to improve DIP NAT pool utilization.

PAN-59676 Fixed an issue where a custom admin role user was unable to download dynamic updates/
software releases.

PAN-59654 Fixed an issue where commits failed on the firewall after upgrading from one release (such
as PAN-OS 6.1) to another (such as PAN-OS 7.0) due to a problem with cached files on the
firewall. With this fix, upgrading from PAN-OS 7.1 (or earlier releases) to PAN-OS 8.0
replaces the cached files with new files that do not cause commit failures.

PAN-58636 Fixed an issue where the Device Server on the Firewall stopped responding.

PAN-58496 Fixed an issue where custom reports using threat summary were not populated.

PAN-58382 Fixed an issue where users were matched to the incorrect security policies.

PAN-57529 Fixed an issue where the firewall acted as a DHCP relay and wireless devices on a VLAN
did not receive a DHCP address (all other devices on the VLAN did receive a DHCP
address). With this fix, all devices on a VLAN receive a DHCP address when the firewall
acts as a DHCP relay.

PAN-57440 Fixed an issue where OSPFv3 link state updates were sent with the incorrect OSPF
checksum when the OSPF packet needed to advertise more link state advertisements
(LSAs) than fit into a 1,500-byte packet. With this fix, the firewall sends the correct OSPF
checksum to neighboring switches and routers even when the number of LSAs doesn't fit
into a 1,500-byte packet.

PAN-56700 Fixed an issue where the SNMP OID "ifHCOutOctets" did not contain the expected data.

PAN-50973 Fixed an issue for VM-Series firewalls on Microsoft Hyper-V where, although the FIPS-CC
mode option was visible in the maintenance mode menu, you could not enable it. With this
fix, FIPS-CC mode is supported for and can be enabled from the maintenance mode menu
in VM-Series firewalls on Microsoft Hyper-V.

Getting Help
The following topics provide information on where to find more about this release and how to request
support:
- Related Documentation
- Requesting Support

Related Documentation
Refer to the following PAN-OS 8.0 documentation on the Technical Documentation portal or search the
documentation for more information on our products:
- New Features Guide: Detailed information on configuring the features introduced in this release.
- PAN-OS Administrator's Guide: Provides the concepts and solutions to get the most out of your Palo
Alto Networks next-generation firewalls. This includes taking you through the initial configuration and
basic setup on your Palo Alto Networks firewalls.
- Panorama Administrator's Guide: Provides the basic framework to quickly set up the Panorama virtual
appliance or an M-Series appliance for centralized administration of the Palo Alto Networks firewalls.
- WildFire Administrator's Guide: Provides steps to set up a Palo Alto Networks firewall to forward
samples for WildFire Analysis, to deploy the WF-500 appliance to host a WildFire private or hybrid
cloud, and to monitor WildFire activity.
- VM-Series Deployment Guide: Provides details on deploying and licensing the VM-Series firewall on all
supported hypervisors. It includes examples of supported topologies on each hypervisor.
- GlobalProtect Administrator's Guide: Describes how to set up and manage GlobalProtect.
- Online Help System: Detailed, context-sensitive help system integrated with the firewall web interface.
- Open Source Software (OSS) Listings: OSS licenses used with Palo Alto Networks products and
software:
  - PAN-OS 8.0
  - Panorama 8.0
  - WildFire 8.0

Requesting Support

For contacting support, for information on support programs, to manage your account or devices, or to open
a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Contact Information

Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
https://www.paloaltonetworks.com/company/contactsupport

Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our
trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks
mentioned herein may be trademarks of their respective companies.

Revision Date: January 31, 2017
