PAN-OS 8.0 Release Notes
Revision Date: January 31, 2017

Review important information about Palo Alto Networks PAN-OS 8.0 software, including new features introduced, workarounds for open issues, and issues that are addressed in the PAN-OS 8.0 release. For installation, upgrade, and downgrade instructions, refer to the PAN-OS 8.0 New Features Guide. For the latest version of these release notes, refer to the Palo Alto Networks technical documentation portal.

Table of Contents

PAN-OS 8.0 Release Information
  Features Introduced in PAN-OS 8.0
    Management Features
    Panorama Features
    Content Inspection Features
    WildFire Features
    Authentication Features
    User-ID Features
    App-ID Features
    Decryption Features
    Virtualization Features
    Networking Features
    GlobalProtect Features
  Changes to Default Behavior
  CLI and API Changes in PAN-OS 8.0
  Associated Software and Content Versions
  Known Issues
PAN-OS 8.0.0 Addressed Issues
Getting Help
  Related Documentation
  Requesting Support

PAN-OS 8.0 Release Information

Features Introduced in PAN-OS 8.0
Changes to Default Behavior
CLI and API Changes in PAN-OS 8.0
Associated Software and Content Versions

Previously known issues carried over from previous release notes and that were identified using legacy ID numbers (6 digits without a prefix) are now assigned new issue ID numbers that also include product-specific prefixes.

Known Issues
PAN-OS 8.0.0 Addressed Issues
Getting Help

Features Introduced in PAN-OS 8.0

The following topics describe the new features introduced in the PAN-OS 8.0 release. This release requires Content Release version 655 or later. For information about upgrading to PAN-OS 8.0 and for details on how to use the new features, refer to the PAN-OS 8.0 New Features Guide.

Management Features
Panorama Features
Content Inspection Features
WildFire Features
Authentication Features
User-ID Features
App-ID Features
Decryption Features
Virtualization Features
Networking Features
GlobalProtect Features

Management Features

New Management Feature: Administrator-Level Commit and Revert
Description: You can now commit, validate, preview, save, and revert changes that you made in a Panorama or firewall configuration independent of changes that other administrators have made. This simplifies your configuration workflow because you don't have to coordinate commits with other administrators when your changes are unrelated to theirs, or worry about reverting changes other administrators made that weren't ready.

New Management Feature: NetFlow Support for PA-7000 Series Firewalls
Description: PA-7000 Series firewalls now have the same ability as other Palo Alto Networks firewalls to export NetFlow records for IP traffic flows to a NetFlow collector. This gives you more comprehensive visibility into how users and devices are using network resources.

New Management Feature: PA-7000 Series Firewall Log Forwarding to Panorama
Description: You can now forward logs from PA-7000 Series firewalls to Panorama for improved log retention, which helps you meet regulatory requirements for your industry as well as your internal log archival requirements.

New Management Feature: Selective Log Forwarding Based on Log Attributes
Description: To enable your organization to process and respond to incident alerts more quickly, you can now create custom log forwarding filters based on any log attributes. Instead of forwarding logs based only on severity levels, you can forward just the information that various teams in your organization want to monitor or act on. For example, a security operations analyst who investigates malware incidents might be interested only in Threat logs with the type attribute set to wildfire-virus.

New Management Feature: Action-Oriented Log Forwarding using HTTP
Description: The firewall can now directly forward logs using HTTP/HTTPS so that you can trigger an automated action when a specific event occurs. This capability allows the firewall to integrate with external systems that provide an HTTP-based API. And, combined with the Selective Log Forwarding Based on Log Attributes, you can now automate security workflow more efficiently, applying dynamic policy, and responding to security incidents.
- Trigger an action or a workflow on a third-party service that provides an HTTP-based API: The firewall can now send an HTTP request as an API call. You can select the HTTP method, and customize the header, request format, and payload to trigger an action. For example, on an HA failover event, the firewall can generate an HTTP request to an IT management service to automatically create an incident report with the details in the system log. This automated workflow can help the IT infrastructure team to easily track and follow up on the issue.
- Enable dynamic policy and enforcement: Tag the source or destination IP address in a log entry, register the tags to connected User-ID agents, and take action to enforce policy at every location on your network. For example, when a Threat log indicates that the firewall has detected malware, you can tag the source or destination IP address to quarantine the malware-infected device. Based on the tag, the IP address associated with the device becomes the member of a dynamic address group, and the Security policy rule in which the dynamic address group is referenced limits access to corporate resources until IT clears the device for use.

New Management Feature: Extended SNMP Support
Description: PAN-OS support for Simple Network Management Protocol (SNMP) now includes the following features:
- Logging statistics: Using SNMP to monitor logging statistics for firewalls and Log Collectors helps you plan improvements to your log collection architecture, evaluate the health of firewall and Panorama logging functions, and troubleshoot issues such as dropped logs. You can now monitor a broader range of logging statistics, including log rate, disk usage, retention periods, the forwarding status from individual firewalls to Panorama and external servers, and the status of firewall-to-Log Collector connections.
- HA2 statistics and traps: Monitoring SNMP statistics and traps for the interfaces that firewalls use for high availability (HA) synchronization helps you troubleshoot and verify the health of HA functions such as state changes. You can now use an SNMP manager to monitor the dedicated HA2 interfaces of firewalls, in addition to the HA1, HA2 backup, and HA3 interfaces.

New Management Feature: Increased Storage on PA-7000 Series Firewall
Description: To provide longer retention periods for logs on the PA-7000 Series firewall, you can now increase the log storage capacity to 4TB by installing 2TB disks in the two RAID disk pairs (formerly only 1TB disks were supported). For log storage beyond 4TB, you can enable PA-7000 Series Firewall Log Forwarding to Panorama, which supports up to 24TB.

Panorama Features

New Panorama Feature: Log Query Acceleration
Description: Panorama has an improved log query and reporting engine to enable a significant improvement in speed when generating reports and executing queries. All logs generated after the upgrade to PAN-OS 8.0 automatically take advantage of the improved query processing architecture. To extend the performance improvements for older logs, you can migrate the logs to the new format.

New Panorama Feature: Logging Enhancements on the Panorama Virtual Appliance
Description: You can now create a Log Collector that runs locally on the Panorama virtual appliance. Because the local Log Collector supports multiple virtual logging disks, you can increase log storage as needed while preserving existing logs. You can increase log storage to a maximum of 24TB for a single Panorama and up to 48TB for a high availability pair. Using a local Log Collector also enables faster report generation (see Log Query Acceleration).

New Panorama Feature: Increased Log Storage Capacity
Description: To provide adequate disk space for a longer log retention period, you can increase the log storage capacity on the M-500 appliance and Panorama virtual appliance to 24TB (formerly 8TB). The M-500 appliance now supports 2TB disks and up to 12 RAID disk pairs (formerly 1TB * 8 RAID disk pairs). In addition, the Panorama virtual appliance now supports a local Log Collector with up to 24TB of virtual disk space (see Logging Enhancements on the Panorama Virtual Appliance).

New Panorama Feature: Traps Logs on Panorama
Description: Panorama can now ingest Traps logs sent by the Traps Endpoint Security Manager using syslog over UDP, TCP, or SSL so that you can monitor security events relating to protected processes and executable files on Traps-protected endpoints. You can filter on any log attribute and answer day-to-day operational questions such as, "How many different prevention events did a specific user trigger?"
The ability to see Traps logs in the same context as the firewall logs allows you to correlate discrete activity observed on the network and the endpoints. Correlated events help you see the overall picture across your network and the endpoints so that you can detect any risks that evade detection or take advantage of blind spots, and strengthen your security posture well before any damage occurs.

New Panorama Feature: Extensible Plugin Architecture
Description: Panorama now supports a plugin architecture to enable new third-party integrations or updates to existing integrations (such as the VMware NSX integration) outside of a new PAN-OS feature release. Panorama displays only the interface elements pertinent to the plugins you install.
The first implementation of this architecture enables VM-Series NSX Integration Configuration through Panorama.

New Panorama Feature: Device Group, Template, and Template Stack Capacity Increase
Description: Panorama now supports up to 1,024 device groups and 1,024 templates (previously 512 each), and 1,024 template stacks (previously 128). In large-scale deployments, these capacity improvements increase administrative ease in centrally managing from Panorama and reduce the configuration exceptions and overrides that you must manage locally on individual firewalls.

New Panorama Feature: Streamlined Deployment of Software and Content Updates from Panorama
Description: You can now deploy software and content updates to managed devices more quickly. Instead of pushing the updates to one device at a time, Panorama now notifies firewalls and Log Collectors when updates are available and the devices then retrieve the updates in parallel.
The Extended Support for Multiple Panorama Interfaces allows you to configure a separate interface, instead of using the management (MGT) interface, for deploying content and software updates to managed devices.

Content Inspection Features

New Content Inspection Feature: Credential Phishing Prevention
Description: Phishing sites are sites that attackers disguise as legitimate websites with the aim to steal user information, especially the passwords that provide access to your network. You can now identify and prevent in-progress phishing attacks by controlling sites to which users can submit corporate credentials based on the site's URL category. This feature integrates with User-ID (group mapping or user mapping, depending on which method you choose to detect credentials) to enable the firewall to detect when users are attempting to submit their corporate username, or username and password, and block the submission.

New Content Inspection Feature: Telemetry
Description: You can now participate in a community-driven approach to threat prevention through telemetry. Telemetry allows your firewall to periodically collect and share information about applications, threats, and device health with Palo Alto Networks. Palo Alto Networks uses the threat intelligence collected from you and other customers to improve the quality of intrusion prevention system (IPS) and spyware signatures and the classification of URLs in PAN-DB. For example, when a threat event triggers vulnerability or spyware signatures, the firewall shares the URLs associated with the threat with the Palo Alto Networks threat research team, so they can properly classify the URLs as malicious. Telemetry also allows Palo Alto Networks to rapidly test and evaluate experimental threat signatures with no impact to your network, so that critical threat prevention signatures can be released to all customers faster.
You have full control over which data the firewall shares through telemetry, and samples of this data are available to view through your Telemetry settings. Palo Alto Networks does not share your telemetry data with other customers or third-party organizations.

New Content Inspection Feature: Palo Alto Networks Malicious IP Address Feeds
Description: Palo Alto Networks now provides malicious IP address feeds that you can use to help secure your network from known malicious hosts on the Internet. One feed contains IP addresses verified as malicious by Palo Alto Networks, and another feed contains malicious IP addresses from reputable third-party threat advisories. Palo Alto Networks maintains both feeds, which you can reference in Security policy rules to allow or block traffic. You can also create your own external dynamic lists based on these feeds and customize them as needed. You must have an active Threat Prevention license to view and use the Palo Alto Networks malicious IP address feeds.

New Content Inspection Feature: Enhanced Coverage for Command and Control (C2) Traffic
Description: C2 signatures (signatures that detect where a compromised system is surreptitiously communicating with an attacker's remote server) are now generated automatically. While C2 protection is not new, previous signatures looked for an exact match to a domain name or a URL to identify a C2 host. The new, automatically generated C2 signatures detect certain patterns in C2 traffic, providing more accurate, timely, and robust C2 detection even when the C2 host is unknown or changes rapidly.

New Content Inspection Feature: Data Filtering Support for Data Loss Prevention (DLP) Solutions
Description: Data filtering is enhanced to work with third-party, endpoint DLP solutions that populate file properties to indicate sensitive content, enabling the firewall to enforce your DLP policy. To better secure this confidential data, you can now create Data Filtering profiles that identify the file properties and values set by a DLP solution and then log or block the files the Data Filtering profile identifies.

New Content Inspection Feature: External Dynamic List Enhancements
Description: New enhancements provide better security, flexibility, and ease of use when working with external dynamic lists. The enhancements include the options to:
- Enable Authentication for External Dynamic Lists to validate the identity of a list source and to forward login credentials for access to external dynamic lists that enforce basic HTTP authentication.
- Use new Palo Alto Networks Malicious IP Address Feeds in security policy rules to block traffic from malicious IP addresses.
- View the contents of an external dynamic list directly on the firewall, with the option to exclude entries or view threat intelligence associated with an entry in AutoFocus.

New Content Inspection Feature: New Scheduling Options for Application and Threat Content Updates
Description: The firewall can now check for the latest App-ID, vulnerability protection, and anti-spyware signatures every 30 minutes or hourly, in addition to being able to check for these updates daily and weekly. This feature enables more immediate coverage for newly-discovered threats and strengthens safe enablement for updated and newly-defined applications.

New Content Inspection Feature: Five-Minute Updates for PAN-DB Malware and Phishing URL Categories
Description: The Malware and Phishing URL categories in PAN-DB are now updated every five minutes, based on the latest malicious and phishing sites WildFire identifies. These more frequent updates ensure that the firewall is equipped with the very latest information to detect and then block access to malicious and phishing sites.

New Content Inspection Feature: Globally Unique Threat IDs
Description: All Palo Alto Networks threat signatures now have permanent, globally unique IDs that you can use to look up threat signature information and create permanent threat exceptions:
- Change the action (for example, block or alert) the firewall uses to enforce a threat signature (threat exceptions are useful if a signature is triggering false positives).
- Easily check if a threat signature is configured as an exception.
- Use threat IDs in the Threat Vault and AutoFocus to gain context for a threat signature.

New Content Inspection Feature: New Predefined File Blocking Profiles
Description: Two new predefined File Blocking profiles (basic file blocking and strict file blocking) have been added via content release version 653. You can use these profiles to quickly and easily apply the best practice file blocking settings to your Security policy allow rules to ensure that users are not inadvertently downloading malicious content into your network or exfiltrating sensitive data out of your network in legitimate application traffic.

WildFire Features

The PAN-OS 8.0.0 release is not available for WF-500 appliances.

New WildFire Feature: WildFire Analysis of Blocked Files
Description: The firewall now submits blocked files that match existing antivirus signatures for WildFire analysis, in addition to unknown files, so that WildFire can extract valuable information from new malware variants. Malware signatures often match multiple variants of the same malware family, and as such, block new malware variants that the firewall has never seen before. Sending these blocked malware samples for WildFire analysis allows WildFire to analyze them for additional URLs, domain names, and IP addresses that must be blocked. Since all WildFire analysis data is also available on AutoFocus, you can now use WildFire and AutoFocus together to get a more complete perspective of all threats targeting your network, improving the efficacy of your security operations, incident response, and threat intelligence functions.

New WildFire Feature: WildFire Phishing Verdict
Description: The new WildFire phishing verdict classifies phishing links detected in emails separately from other emailed links found to be exploits or malware. The firewall logs WildFire submissions that are phishing links to indicate that such a link has been detected in an email.
With both a WildFire license and a PAN-DB license, you can block access to phishing sites within 5 minutes of initial discovery.
The WF-500 appliance does not support the new phishing verdict, and continues to classify suspected phishing sites as malicious.

Authentication Features

New Authentication Feature: SAML 2.0 Authentication
Description: The firewall and Panorama can now function as Security Assertion Markup Language (SAML) 2.0 service providers to enable single sign-on and single logout for end users (see SAML 2.0 Authentication for GlobalProtect) and for administrators. SAML enhances the user experience by enabling a single, interactive login to provide automatic access to multiple authenticated services that are internal or external to your organization.
In addition to authenticating administrator accounts that are local to the firewall and Panorama, you can use SAML to authenticate and assign roles to external administrator accounts in the identity provider (IdP) identity store.

New Authentication Feature: Authentication Policy and Multi-Factor Authentication
Description: To protect your network resources from attackers, you can use the new Authentication policy to ensure all your end users authenticate when they access those resources. Authentication policy is an improved replacement for Captive Portal policy, which enforced authentication only for some users. Authentication policy has the additional benefit of enabling you to choose how many authentication challenges of different types (factors) users must respond to. Using multiple factors of authentication (MFA) is particularly useful for protecting your most sensitive resources. For example, you can force users to enter a login password and then enter a verification code that they receive by phone. This approach ensures attackers can't invade your network and move laterally through it just by stealing passwords. If you want to spare users the hassle of responding to multiple challenges for resources that don't need such a high degree of protection, you can also have Authentication policy rules that enforce only password or certificate authentication.
The firewall makes it easy to implement MFA in your network by integrating directly with several MFA platforms (Duo v2, Okta Adaptive, and PingID) and integrating through RADIUS with all other MFA platforms.

New Authentication Feature: TACACS+ User Account Management
Description: To use a Terminal Access Controller Access-Control System Plus (TACACS+) server for centrally managing all administrative accounts, you can now use Vendor-Specific Attributes (VSAs) to manage the accounts of firewall and Panorama administrators. TACACS+ VSAs enable you to quickly reassign administrator roles and access domains without reconfiguring settings on the firewall and Panorama.

New Authentication Feature: Authentication Using Custom Certificates
Description: You can now deploy custom certificates to replace the predefined certificates shipped on Palo Alto Networks devices for management connections between Panorama, firewalls, and Log Collectors. By generating and deploying unique certificates for each device, you can establish a unique chain of trust between Panorama and the managed devices. You can generate these custom certificates locally or import them from an existing enterprise public key infrastructure (PKI). Panorama can manage devices in environments with a mix of predefined and custom certificates.
You can also deploy custom certificates for mutual authentication between the firewall and Windows User-ID Agent. This allows the firewall to confirm the Windows User-ID Agent's identity before accepting User-ID information from the agent. Deploy a custom certificate on the Windows User-ID Agent and a certificate profile on the firewall, containing the CA of the certificate, to establish a unique trust chain between the two devices.

New Authentication Feature: Authentication for External Dynamic Lists
Description: The firewall now validates the digital certificates of SSL/TLS servers that host external dynamic lists, and, if the servers enforce basic HTTP username/password authentication (client authentication), the firewall can forward login credentials to gain access to the lists. If an external dynamic list source fails server or client authentication, the firewall does not retrieve the list and ceases to enforce policy based on its contents. These security enhancements help ensure that the firewall retrieves IP addresses, domains, or URLs from a valid source over a secure, private channel.

User-ID Features

New User-ID Feature: Panorama and Log Collectors as User-ID Redistribution Points
Description: You can now leverage your Panorama and distributed log collection infrastructure to redistribute User-ID mappings in large-scale deployments. By using the existing connections from firewalls to Log Collectors to Panorama, you can aggregate the mappings without setting up and managing extra connections between firewalls.

New User-ID Feature: Centralized Deployment and Management of User-ID and TS Agents
Description: You can now use endpoint management software such as Microsoft SCCM to remotely install, configure, and upgrade multiple Windows-based User-ID agents and Terminal Services (TS) agents in a single operation. Using endpoint management software streamlines your workflow by enabling you to deploy and configure numerous User-ID and TS agents through an automated process instead of using a manual login session for each agent.

New User-ID Feature: User Groups Capacity Increase
Description: To accommodate environments where access control for each resource is based on membership in a user group, and where the number of resources and groups is increasing, you can now reference more groups in policy (the limit varies by platform).

New User-ID Feature: User-ID Syslog Monitoring Enhancements
Description: The following enhancements improve the accuracy of User-ID mappings and simplify monitoring syslog servers for mapping information:
- Automatic deletion of user mappings: To improve the accuracy of your user-based policies and reports, the firewall can now use syslog monitoring to detect when users have logged out and then delete the associated User-ID mappings.
- Multiple syslog formats: In environments with multiple points of authentication sending syslog messages in different formats, it is now easier to monitor login and logout events because the firewall can ingest multiple formats from a syslog server aggregating from various sources.

New User-ID Feature: Group-Based Reporting in Panorama
Description: Panorama now provides visibility into the activities of user groups in your network through the User Activity report, SaaS Application Usage report (see SaaS Application Visibility for User Groups), custom reports, and the ACC. Panorama aggregates group activity information from managed firewalls so that you can filter logs and generate reports for all groups.
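
The syslog monitoring behavior described under User-ID Syslog Monitoring Enhancements, shown as an added example (it is not Palo Alto Networks code and does not reproduce any PAN-OS parse profile): a mapping table that ingests login and logout events in two formats from one aggregated syslog stream and deletes a mapping on logout. The two message formats, the source names and the sample lines are constructed for illustration, and the handling of stale logouts is an assumption of this sketch.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed parse profiles for two hypothetical authentication sources.
# The message formats are invented for this example; they are not PAN-OS
# defaults. Every pattern exposes the named groups "user" and "ip".
PROFILES = {
    "vpn-concentrator": {
        "login": re.compile(r"VPN session started user=(?P<user>\S+) addr=(?P<ip>\S+)"),
        "logout": re.compile(r"VPN session ended user=(?P<user>\S+) addr=(?P<ip>\S+)"),
    },
    "wifi-controller": {
        "login": re.compile(r"AUTH-OK: (?P<ip>\S+) authenticated as '(?P<user>[^']+)'"),
        "logout": re.compile(r"DEAUTH: (?P<ip>\S+) released by '(?P<user>[^']+)'"),
    },
}


@dataclass
class MappingTable:
    mappings: dict = field(default_factory=dict)   # IP address -> username
    rejected: list = field(default_factory=list)   # matched a profile, bad IP
    unmatched: list = field(default_factory=list)  # matched no profile

    def ingest(self, line):
        """Apply one syslog line; return (event, user, ip, profile) or None."""
        for profile, patterns in PROFILES.items():
            for kind, pattern in patterns.items():
                match = pattern.search(line)
                if match is None:
                    continue
                try:
                    # Syslog is untrusted input: accept only a real address.
                    ip = str(ipaddress.ip_address(match.group("ip")))
                except ValueError:
                    self.rejected.append(line)
                    return None
                user = match.group("user").lower()
                if kind == "login":
                    self.mappings[ip] = user
                elif self.mappings.get(ip) == user:
                    del self.mappings[ip]
                else:
                    # Assumption of this example: a logout for a user who no
                    # longer owns the address must not remove the new owner.
                    kind = "stale-logout"
                return (kind, user, ip, profile)
        self.unmatched.append(line)
        return None


# Constructed sample: one aggregated stream carrying both formats.
SAMPLE_LINES = [
    "<134>Jan 31 09:00:01 vpn01 VPN session started user=ACME\\alice addr=10.1.1.20",
    "<134>Jan 31 09:00:05 wlc02 AUTH-OK: 10.1.2.33 authenticated as 'bob'",
    "<134>Jan 31 09:05:00 wlc02 AUTH-OK: 10.1.2.33 authenticated as 'carol'",
    "<134>Jan 31 09:05:02 wlc02 DEAUTH: 10.1.2.33 released by 'bob'",
    "<134>Jan 31 09:30:00 vpn01 VPN session ended user=ACME\\alice addr=10.1.1.20",
    "<134>Jan 31 09:31:00 vpn01 VPN session started user=mallory addr=not-an-ip",
    "<134>Jan 31 09:32:00 core-sw1 link up on ge-0/0/1",
]


def replay(lines):
    """Feed lines through a fresh table; return the table and parsed events."""
    table = MappingTable()
    events = [event for event in map(table.ingest, lines) if event is not None]
    return table, events


if __name__ == "__main__":
    table, events = replay(SAMPLE_LINES)
    for event in events:
        print(event)
    print("active mappings:", table.mappings)
```

Stale mappings matter because user-based policy keeps applying the previous user's access to whoever holds the address next; the rejected and unmatched lists are worth monitoring for parse profiles that have drifted from what the sources actually send.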

App-ID Features

New App-ID Feature: SaaS Application Visibility for User Groups
Description: To help you monitor the assortment of SaaS applications that serve the productivity needs of the user groups on your network and ensure the security and data integrity demands for the organization, the SaaS Application Usage PDF report now includes data on user groups. The report highlights the most used applications by user groups and presents the volume of data each user group transfers using sanctioned and unsanctioned applications. For a more granular view, you can customize the report to show application usage for a specific user group, application usage on a specific security zone, and report on application usage by multiple user groups within a security zone.
In addition to the enhancements in the PDF report, you can now use the ACC to visualize SaaS activity trends on your network. The ACC includes global filters for viewing SaaS application usage based on risk rating or by the number of sanctioned and unsanctioned applications in use on your network.

New App-ID Feature: ALG Support for IPv6
Description: The firewall can now safely enable Session Initiation Protocol (SIP) and Skinny Client Control Protocol (SCCP) for IPv6 and dual-stack networks. You can safely allow these protocols without opening a wide range of ports to allow the traffic.

Decryption Features

New Decryption Feature: Decryption for Elliptical Curve Cryptography (ECC) Certificates
Description: Firewalls enabled to decrypt SSL traffic now decrypt SSL traffic from websites and applications using ECC certificates, including Elliptical Curve Digital Signature Algorithm (ECDSA) certificates. As some organizations transition to using ECC certificates to take advantage of benefits such as strong keys and small certificate size, this feature ensures that you maintain visibility into and can safely enable ECC-secured application and website traffic.
Decryption for websites and applications using ECC certificates is not supported for traffic that is mirrored to the firewall; encrypted traffic using ECC certificates must pass through the firewall directly for the firewall to decrypt it.

New Decryption Feature: Management for Decryption Exclusions
Description: You now have increased flexibility to manage traffic excluded from decryption. New, centralized SSL decryption exclusion management enables you to both create your own custom decryption exclusions, and to review Palo Alto Networks predefined decryption exclusions in a single place:
- A simplified workflow allows you to easily exclude traffic from decryption based on hostname.
- The firewall does not decrypt applications that are known to break during decryption. Now, you can view these decryption exceptions directly on the firewall. Updates and additions to the Palo Alto Networks predefined decryption exclusions are delivered to the firewall in content updates and are enabled by default.

New Decryption Feature: Perfect Forward Secrecy (PFS) Support with SSL Inbound Inspection
Description: PAN-OS 7.1 introduced PFS for SSL Forward Proxy decryption; now, in PAN-OS 8.0, PFS support is extended to SSL Inbound Inspection. PFS ensures that data from sessions undergoing decryption cannot later be retrieved if server private keys are compromised. You can enforce Diffie-Hellman key exchange-based PFS (DHE) and elliptic curve Diffie-Hellman (ECDHE)-based PFS for decrypted SSL traffic.

Virtualization Features

New Virtualization Feature: VM-Series Firewall Performance Enhancements and Expanded Model Line
Description: This feature introduces improved performance, capacity, and efficiency for all VM-Series firewalls, including three new VM-Series models: VM-50, VM-500, and VM-700. The VM-Series model lineup now covers a wide variety of firewalls from small optimized firewalls in resource-constrained environments to large, high-performance firewalls for deployment in a diverse range of Network Function Virtualization (NFV) use cases. You can also leverage the expanded range of VM-Series models coupled with flexibility and per-tenant isolation of VM-Series models to deploy multi-tenant solutions.
- VM-50 Firewall: A virtual firewall with an optimized compute resource footprint. This firewall is ideal for use in virtual customer premises equipment (vCPE) and high-density multi-tenancy solutions for managed security service providers (MSSP).
- VM-500 and VM-700 Firewalls: When utilizing a larger compute resource footprint, these virtual firewalls provide high performance and capacity. The VM-500 and VM-700 firewalls are ideal in NFV use cases for service provider infrastructure and data center roles.
- VM-100, VM-200, VM-300, VM-1000-HV Firewalls: Existing VM-Series models now feature increased performance, capacity, and efficiency when compared to the same compute resources in earlier release versions. This release also consolidates the VM-200 with the VM-100 and the VM-1000-HV with the VM-300, which means that the VM-100 and VM-200 are now functionally identical, as are the VM-300 and VM-1000-HV.
In addition, VM-Series firewall models are now distinguished by session capacity and the number of maximum effective vCPU cores (instead of only session capacity).

New Virtualization Feature: CloudWatch Integration for the VM-Series Firewall on AWS
Description: VM-Series firewalls on AWS can now natively send PAN-OS metrics to AWS CloudWatch for advanced monitoring and auto-scaling policy decisions. The CloudWatch integration enables you to monitor the capacity, health status, and availability of the firewalls with metrics such as total number of active sessions, GlobalProtect gateway tunnel utilization, or SSL proxy utilization, so that the security tier comprising the VM-Series firewalls can scale dynamically when your EC2 workloads scale in response to demand.

New Virtualization Feature: Seamless VM-Series Model Upgrade
Description: This release introduces seamless license capacity upgrades of the VM-Series firewall. If a tenant's requirements increase, you can upgrade the capacity to accommodate the changes with minimal traffic and operation disruption. Additionally, VM-Series firewalls now support HA synchronization between VM-Series firewalls of different capacities during the upgrade process.

New Virtualization Feature: VM-Series NSX Integration Configuration through Panorama
Description: The new Panorama VMware NSX plugin streamlines the process of deploying VM-Series NSX edition firewalls and eliminates the duplicate effort in defining the security-related configuration on both Panorama and the NSX Manager or vCenter server. Panorama now serves as the single point of configuration that provides the NSX Manager with the contextual information required to redirect traffic from the guest virtual machines to the VM-Series firewall. When you commit the NSX configuration, Panorama generates a security group in the NSX environment for each qualified dynamic address group and pushes each steering rule it generates to the NSX Manager. The NSX Manager uses the steering rules to redirect traffic from the virtual machines belonging to the corresponding NSX security group.

New Virtualization Feature: Support for NSX Security Tags on the VM-Series NSX Edition Firewall
Description: The VM-Series firewall can now dynamically tag a guest VM with NSX security tags to enable immediate isolation of compromised or infected guests. The universally unique identifier of a guest VM is now part of the Traffic and Threat logs on the firewall. By leveraging threat, antivirus, and malware detection logs on the VM-Series firewall, NSX Manager can place guests in a quarantined security group to prevent lateral movement of the threat in the virtualized data center environment.

New Virtualization Feature: New Serial Number Format for the VM-Series Firewall
Description: The serial number format for the VM-Series firewall now displays the name of the hypervisor on which the firewall is deployed so that you can consistently identify the firewalls for license management, and content and software updates. The new format is 15 characters in length, numeric for the bring-your-own-license (BYOL) model, and alphanumeric for the Marketplace models (Bundle 1 or Bundle 2) available in public cloud environments. As part of this change, VM-Series firewalls in AWS now support longer instance ID formats.

New Virtualization Feature: VM-Series Bootstrapping with Block Storage
Description: You can now bootstrap the VM-Series firewall in ESXi, KVM, and Hyper-V using block storage. This option provides a bootstrapping solution for environments where mounting a CD-ROM is not supported.

New Virtualization Feature: VM-Series License Deactivation API Key
Description: To deactivate a VM-Series license, you must first install a license API key on your firewall or Panorama. The deactivation API key provides an additional layer of security for communications between the Palo Alto Networks Update Server and VM-Series firewalls and Panorama. The PAN-OS software uses this API key to authenticate with the update and licensing servers.
The API key is available through the Customer Support Portal to administrators with superuser privileges.
Networking Features

New Networking Feature: Description

Tunnel Content Inspection: The firewall can now inspect the traffic content of cleartext tunnel protocols:
- Generic Routing Encapsulation (GRE)
- Non-encrypted IPSec traffic (NULL Encryption Algorithm for IPSec and transport mode AH IPSec)
- General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U)
This enables you to enforce Security, DoS Protection, and QoS policies on traffic in these types of tunnels and traffic nested within another cleartext tunnel (for example, Null Encrypted IPSec inside a GRE tunnel). You can also view tunnel inspection logs and tunnel activity in the ACC to verify that tunneled traffic complies with corporate security and usage policies.
The firewall supports tunnel content inspection of GRE and non-encrypted IPSec on all firewall models. It supports tunnel content inspection of GTP-U on VM-Series firewalls. The firewall does not terminate the GRE, non-encrypted IPSec, or GTP-U tunnel.

Multiprotocol BGP: The firewall now supports Multiprotocol BGP (MP-BGP) so that a firewall enabled with BGP can advertise IPv4 multicast routes and IPv6 unicast routes (in addition to the IPv4 unicast routes it already supports) in BGP Update messages. In this way, MP-BGP provides IPv6 connectivity for your BGP networks that use either native IPv6 or dual stack IPv4 and IPv6. For example, in a service provider environment, you can offer IPv6 service to customers. In an enterprise environment, you can use IPv6 service from service providers. You can also separate your unicast and multicast traffic so they take different paths, in case you need multicast traffic to undergo less latency or take fewer hops.

Static Route Removal Based on Path Monitoring: You can now use path monitoring to determine if a static or default route is down. If path monitoring to one or more monitored destinations fails, the firewall considers the static or default route down and uses an alternative route so that the traffic is not black-holed (silently discarded). Likewise, the firewall advertises an alternative static route (rather than a failed route) for route redistribution into a dynamic routing protocol.
You can enable path monitoring on static routes between routers, on static routes where a peer does not support Bidirectional Forwarding Detection (BFD), and on static routes where policy-based forwarding (PBF) path monitoring is insufficient because it does not replace failed routes with alternative routes.

IPv6 Router Advertisement for DNS Configuration: To make DNS resolution easier for your IPv6 hosts, the firewall now has enhanced Neighbor Discovery (ND) so that you can provision IPv6 hosts joining the network with Recursive DNS Server (RDNSS) and DNS Search List (DNSSL) options, eliminating the need for a separate DHCPv6 server. The firewall sends IPv6 Router Advertisements with these options; thus, your IPv6 hosts are configured with:
- The addresses of RDNS servers that can resolve DNS queries.
- A list of the domain names (suffixes) that the DNS client appends (one at a time) to an unqualified domain name before entering the domain name into a DNS query.

NDP Monitoring for Fast Device Location: You can now enable Neighbor Discovery Protocol (NDP) monitoring for a dataplane interface on the firewall so that you can view the IPv6 addresses of devices on the link local network, their corresponding MAC address, and username from User-ID (if the user of that device uses the directory service to log in). Having these three pieces of information in one place about a device that violates a security rule allows you to quickly track the device. You can also monitor IPv6 ND logs to make troubleshooting easier.
Zone Protection for Non-IP Protocols on a Layer 2 VLAN or Virtual Wire: You can now whitelist or blacklist non-IP protocols between security zones or between interfaces within a security zone in a Layer 2 VLAN or on a virtual wire. The firewall normally passes non-IP protocols between Layer 2 zones and between virtual wire zones; with this feature, you can now control non-IP protocols between these zones. For example, if you don't want legacy Windows XP hosts to discover other NetBEUI-enabled hosts on another zone, you can configure a Zone Protection profile to blacklist NetBEUI on the ingress zone.

Global and Zone Protection for Multipath TCP (MPTCP) Evasions: You can now enable or disable Multipath TCP (MPTCP) globally or for each network zone. MPTCP is an extension of TCP that allows a client to simultaneously use multiple paths (instead of a single path) to connect with a destination host. MPTCP especially benefits mobile users, enabling them to maintain dual connections to both Wi-Fi and cellular networks as they move; this improves both the resilience and quality of the mobile connection and enhances the user experience. However, MPTCP can also potentially be leveraged by attackers as part of an evasion technique. This feature provides the flexibility to enable or disable MPTCP for all firewall traffic or for individual network zones, based on the visibility, performance, and security requirements for each network zone.

Zone Protection for SYN Data Payloads: You can now drop TCP SYN and SYN-ACK packets that contain data in the payload during a three-way handshake. In case the payload is malicious (for example, if it contains command and control traffic or it is being used to exfiltrate data), dropping such packets can prevent successful attacks.
The TCP Fast Open option preserves the speed of a connection setup by including data in the payload of SYN and SYN-ACK packets. The Zone Protection profile treats TCP handshakes that use the Fast Open option separately from other SYN and SYN-ACK packets; the profile is set to allow the handshake packets if they contain a valid Fast Open cookie.
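
The drop rule described for SYN data payloads, written out as an added example (it is not Palo Alto Networks code): it parses a raw TCP segment and returns the verdict the text above describes. The function names, verdict strings and sample segments are constructed for illustration, and a Fast Open cookie is accepted here on its RFC 7413 length alone, because checking that it is valid needs the server's secret.

```python
import struct

TCP_SYN = 0x02
OPT_EOL, OPT_NOP, OPT_FASTOPEN = 0, 1, 34  # option kind 34 is TCP Fast Open (RFC 7413)


def parse_tcp(segment: bytes):
    """Split a raw TCP segment into (flags, {option kind: value}, payload)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (off_flags,) = struct.unpack("!H", segment[12:14])
    header_len = (off_flags >> 12) * 4          # data offset is in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("data offset outside segment")
    options, i = {}, 20
    while i < header_len:
        kind = segment[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= header_len:
            raise ValueError("option without length byte")
        length = segment[i + 1]
        if length < 2 or i + length > header_len:
            raise ValueError("option length outside header")
        options[kind] = segment[i + 2:i + length]
        i += length
    return off_flags & 0x1FF, options, segment[header_len:]


def well_formed_tfo_cookie(cookie) -> bool:
    """RFC 7413: a cookie is 4 to 16 bytes long and of even length."""
    return cookie is not None and 4 <= len(cookie) <= 16 and len(cookie) % 2 == 0


def handshake_verdict(segment: bytes) -> str:
    """Stateless, per-packet verdict; it does not track the rest of the handshake."""
    try:
        flags, options, payload = parse_tcp(segment)
    except ValueError:
        return "drop-malformed"      # assumption of this example, not stated in the notes
    if not flags & TCP_SYN:
        return "not-handshake"       # the rule only covers SYN and SYN-ACK packets
    if not payload:
        return "allow"               # ordinary handshake packet, nothing to inspect
    if well_formed_tfo_cookie(options.get(OPT_FASTOPEN)):
        return "allow-fast-open"     # data is expected when a cookie is presented
    return "drop-syn-data"           # data in SYN/SYN-ACK without a Fast Open cookie


def build_tcp(flags: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Constructed test segment: fixed ports and sequence numbers, checksum left at 0."""
    options += bytes([OPT_NOP]) * (-len(options) % 4)   # pad options to a 4-byte multiple
    offset_words = (20 + len(options)) // 4
    header = struct.pack("!HHIIHHHH", 40000, 443, 1, 0,
                         (offset_words << 12) | flags, 65535, 0, 0)
    return header + options + payload


def tfo_option(cookie: bytes) -> bytes:
    return bytes([OPT_FASTOPEN, 2 + len(cookie)]) + cookie


SYN, SYN_ACK, ACK = 0x02, 0x12, 0x10
DATA = b"GET / HTTP/1.1\r\n\r\n"
SAMPLES = {  # all constructed
    "plain SYN": build_tcp(SYN),
    "SYN with data": build_tcp(SYN, payload=DATA),
    "SYN-ACK with data": build_tcp(SYN_ACK, payload=DATA),
    "SYN with data and cookie": build_tcp(SYN, tfo_option(bytes(range(8))), DATA),
    "SYN with data and empty cookie": build_tcp(SYN, tfo_option(b""), DATA),
    "ACK with data": build_tcp(ACK, payload=DATA),
}

if __name__ == "__main__":
    for name, segment in SAMPLES.items():
        print(f"{name:32} {handshake_verdict(segment)}")
```
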
Hardware IP Address Blocking: When you configure the firewall with a DoS Protection policy or Vulnerability Protection profile to block packets from specific IPv4 addresses, the firewall now automatically blocks that traffic in hardware before those packets use CPU or packet buffer resources. Blocking traffic by default in hardware allows the firewall to stop DoS attacks even faster than blocking traffic in software. If the amount of attack traffic exceeds the hardware block capacity, IP blocking mechanisms in software block the excess traffic. This feature is supported on PA-3060 firewalls, PA-3050 firewalls, PA-5000 Series, and PA-7000 Series firewall models.

Packet Buffer Protection: Packet buffer protection allows you to protect the firewall from being impacted by single-source denial of service (DoS) attacks. These attacks come from sessions or IP addresses that are not blocked by Security policy. After a session is permitted by the firewall, it can generate such a high volume of traffic that it overwhelms the firewall packet buffer and causes the firewall to appear to hang as both attack and legitimate traffic are dropped. The firewall tracks the top packet buffer consumers and gives you the ability to configure global thresholds that specify when action is taken against these sessions. After identifying a session as abusive, the firewall uses Random Early Drop (RED) as a first line of defense to throttle the offending session and then discards the session if the abuse continues. If a particular IP address creates many sessions that are discarded, the firewall blocks it.

Reconnaissance Protection Source Address Exclusion: Zone protection's reconnaissance protection detects and takes action against host sweep and TCP and UDP port scans. This is useful against attackers searching for vulnerabilities. However, it can also negatively impact scanning activities, such as network security testing or fingerprinting. You can now whitelist source addresses to exclude them from reconnaissance protection. This allows you to protect your network from reconnaissance attacks while allowing legitimate monitoring tools.

IKE Peer and IPSec Tunnel Capacity Increases: The PA-7000 Series, PA-5000 Series, and PA-3000 Series models now support more IKE peers and IPSec tunnels than in prior releases. This is a benefit in service provider and large enterprise environments where you need to support many site-to-site VPN peers and IPSec VPN connections between remote sites.

GlobalProtect Features

New GlobalProtect Feature: Description

IPv6 for GlobalProtect: GlobalProtect clients and satellites can now connect to portals and gateways using IPv6. This feature allows connections from clients that are in IPv6-only environments, IPv4-only environments, or dual-stack (IPv4 and IPv6) environments. You can tunnel IPv4 traffic over an IPv6 tunnel and the IP address pool can assign both IPv4 and IPv6 addresses. To use this feature, you must install a GlobalProtect subscription on each gateway that supports GlobalProtect clients that use IPv6 addresses.

Clientless SSL VPN: Clientless VPN, which provides secure remote access to common enterprise web applications that use HTML, HTML5, and JavaScript technologies, is now available in public beta. Users have the advantage of secure access from SSL-enabled web browsers without installing GlobalProtect client software. This is useful when you need to enable partner or contractor access to applications, and to safely enable unmanaged assets, including personal devices. You can configure the GlobalProtect portal landing page to provide access to web applications based on users and user groups and also allow single sign-on to SAML-enabled applications. Supported operating systems are Windows, Mac, iOS, Android, Chrome, and Linux. Supported browsers are Chrome, Internet Explorer, Safari, and Firefox. This feature requires you to install a GlobalProtect subscription on the firewall that hosts the Clientless VPN from the GlobalProtect portal.

Define Split Tunnels by Excluding Access Routes: You can now exclude traffic to specific destination IP subnets from being sent over the VPN tunnel. With this feature, you can send latency-sensitive or high-bandwidth-consuming traffic outside of the VPN tunnel while all other traffic is routed through the VPN for inspection and policy enforcement by the GlobalProtect gateway.

External Gateway Priority by Source Region: GlobalProtect can now use the geographic region of the GlobalProtect client to determine the best external gateway. By including source region as part of external gateway selection logic, you can ensure that users connect to gateways that are preferred for their current region. This can help avoid distant connections when there are momentary fluctuations of network latency. This can also be used to ensure all connections stay within a region if desired.

Internal Gateway Selection by Source IP Address: GlobalProtect can now restrict internal gateway connection choices based on the source IP address of the client. In a distributed enterprise, this feature allows you to have users from a branch authenticate and send HIP reports to the firewall configured as the internal gateway for that branch, as opposed to authenticating and sending HIP reports to all branches.

GlobalProtect Agent Login Enhancement: To simplify GlobalProtect agents and prevent unnecessary login prompts when a username and password are not required, the panel that showed portal, username, and password is now split into two screens (one screen for the portal address and another screen for username and password). The GlobalProtect agent now displays login prompts for username and password only if this information is required. GlobalProtect automatically hides the username and password screen for authentication types, such as cookie or client certificate authentication, that do not require a username and password.

Authentication Policy and Multi-Factor Authentication for GlobalProtect: You can leverage the new Authentication Policy and Multi-Factor Authentication enhancements within GlobalProtect to support access to non-HTTP applications that require multi-factor authentication. GlobalProtect can now notify and prompt the user to perform the timely, multi-factor authentication needed to access sensitive network resources.

SAML 2.0 Authentication for GlobalProtect: GlobalProtect portals, gateways, and clients now support SAML 2.0 Authentication. If you have chosen SAML as your authentication standard, GlobalProtect portals and gateways can act as Security Assertion Markup Language (SAML) 2.0 service providers and GlobalProtect clients can authenticate users directly to the SAML identity provider.

Restrict Transparent Agent Upgrades to Internal Network Connections: You can now control when transparent upgrades occur for a GlobalProtect client. With this configuration, if the user connects from outside the corporate network, the upgrade is postponed. Later, when the user connects from within the corporate network, the upgrade is activated. This feature allows you to hold the updates until users can take advantage of good network availability and high bandwidth from within the corporate network. The upgrades will not hinder users when they travel to environments with low bandwidth.

Changes to Default Behavior

PAN-OS and Panorama 8.0 have the following changes in default behavior:
- The defaults for the following TCP Settings (Device > Setup > Session > TCP Settings) have been changed in 8.0:
  - Drop segments without flag is now enabled by default. The corresponding CLI command, set deviceconfig setting tcp drop-zero-flag, is now set to yes by default.
  - Drop segments with null timestamp option is now enabled by default. The corresponding CLI command, set deviceconfig setting tcp check-timestamp-option, is now set to yes by default.
  - Forward segments exceeding TCP out-of-order queue is now disabled by default. The corresponding CLI command, set deviceconfig setting bypass-exceed-op-queue, is now set to no by default.
- The Device > Setup > Content-ID > Content-ID Settings option to Forward segments exceeding TCP App-ID inspection queue is now disabled by default. The corresponding CLI command, set deviceconfig setting application bypass-exceed-queue, is now set to no by default.
- By default, the firewall and Panorama no longer allow management access over TLSv1.0 connections. If you accept this default, any scripts that require management access (such as API scripts) must support TLSv1.1 or later TLS versions. To overcome the default restriction, you can configure an SSL/TLS service profile that allows TLSv1.0 and assign the profile to the interface used to access the firewall or Panorama.
- Authentication policy replaces Captive Portal policy.
- When an authentication event invokes a policy rule, the firewall now generates Authentication logs instead of Security logs.
- You now use the web interface instead of a CLI command to set the authentication protocol to CHAP or PAP for TACACS+ and RADIUS server profiles.
- To configure the management (MGT) interface on the firewall, you now select Device > Setup > Interfaces instead of Device > Setup > Management.
- To configure interfaces on Panorama, you now select Panorama > Setup > Interfaces instead of Panorama > Setup > Management.
- When adding or editing a Log Collector (Panorama > Managed Collectors), you now configure interfaces in the Interfaces tab, which replaces the Management, Eth1, and Eth2 tabs in the Collector dialog.
- When the Panorama virtual appliance is in Panorama mode and is deployed in a high availability (HA) configuration, you can configure both HA peers to collect logs, not just the active peer.
- When pushing configurations to managed firewalls or Log Collectors, Panorama now pushes the running configuration instead of the candidate configuration. Therefore, you must commit changes to Panorama before pushing the changes to firewalls or Log Collectors.
- Firewalls and Log Collectors now retrieve software and content updates from Panorama over port 28443 instead of Panorama pushing the updates over port 3978.
- To create a snapshot file for the candidate configuration, you must now select Config > Save Changes instead of Save at the top right of the web interface.
- The login page for the web interface displays a new Single Sign-On link. The link applies only to administrators whom you configured to authenticate through a SAML identity provider.
- External dynamic list changes:
  - When retrieving an external dynamic list from a source with an HTTPS URL, the firewall now authenticates the digital certificates of the list source. You must configure a certificate profile to authenticate the source. If the source authentication fails, the firewall stops enforcing policy based on the list contents.
  - In PAN-OS 7.1, the firewall supported a maximum of 30 unique sources for external dynamic lists and enforced the maximum number even if the external dynamic list was not used in policy. Beginning in PAN-OS 8.0, only the lists you use to enforce policy will count toward the maximum number allowed.
  - Entries in an external dynamic list (IP addresses, domains, and URLs) now only count toward the maximum number that the firewall supports if a security policy rule references the external dynamic list.
- If you previously enabled WildFire forwarding on your firewall, the firewall now forwards blocked files that match existing signatures, in addition to unknown files, for WildFire analysis. The WildFire Submissions log now includes log entries for blocked files.
- The Action column in the WildFire Submissions log now indicates if the firewall action for a sample was allow or block. In PAN-OS 7.1 and earlier versions, the action displayed for all samples in the WildFire Submissions log was alert.
- In PAN-OS 7.1 and earlier releases, passive DNS monitoring was a setting you could enable in an Anti-Spyware Profile. You could attach the Anti-Spyware Profile to a policy rule, and sessions that matched that rule then triggered passive DNS monitoring. Beginning in PAN-OS 8.0, passive DNS monitoring is a global setting that you can enable through the Telemetry and Threat Intelligence feature, and when enabled, the firewall acts as a passive DNS sensor for all traffic that passes through the firewall.
- The firewall now uses the new service route Palo Alto Networks Services to access external services that it accessed via the service routes Palo Alto Updates and WildFire Public prior to PAN-OS 8.0.
- In a Zone Protection profile for Packet-Based Attack Protection, the default setting is now to drop TCP SYN and SYN-ACK packets that contain data in the payload during a three-way handshake. (In prior PAN-OS releases, the firewall allowed such packets.) By default, a Zone Protection profile is set to allow TCP handshake packets that use the TCP Fast Open option if they contain a valid Fast Open cookie. If you have existing Zone Protection profiles in place when you upgrade to PAN-OS 8.0, the three default settings will apply to each profile and the firewall will act accordingly.
- When you use a Classified DoS Protection profile for flood protection or a Vulnerability Protection profile that is configured to Block IP addresses, the firewall will now block IP addresses in hardware first, and then in software if the hardware block list has reached its capacity.
- In PAN-OS 8.0, the use of hypervisor-assigned MAC addresses and DHCP on management interfaces is enabled on new VM-Series firewall installations. These options are not enabled automatically when upgrading a VM-Series firewall to PAN-OS 8.0 from PAN-OS 7.1 or earlier releases.
- The Agent > Gateways tab for GlobalProtect portal configurations is split into two separate tabs: Internal and External. Use the Internal tab to specify internal gateway settings for GlobalProtect agents and apps. Use the External tab to specify external gateway settings for GlobalProtect agents and apps. These are layout changes only; your existing PAN-OS 7.1 configuration is preserved.
- The Agent > Client Settings > Network Settings tab for GlobalProtect gateway configurations is replaced with two separate tabs: IP Pools and Split Tunnel. These are layout changes only; your existing PAN-OS 7.1 configuration is preserved.
- The Disable login page check box on the General tab for GlobalProtect portal configurations is now a Disable command in the Portal Login Page. This is a layout change only; your existing PAN-OS 7.1 configuration is preserved.
- GlobalProtect has a few minor changes to menu and check box labels (refer to the table below). These are changes to wording only; your existing PAN-OS 7.1 configuration is preserved.
- In PAN-OS 7.1 and earlier releases, to prevent potential IP address conflicts, the GlobalProtect gateway did not assign an IP address if the local network IP address sent from the endpoint was in the same subnet as the IP address pool. Users had to configure a second IP address pool that contained addresses from a separate subnet. Beginning in PAN-OS 8.0, when you configure only one IP address pool, GlobalProtect assigns an IP address regardless of subnet overlap. This change may cause warning messages on Windows endpoints. If you are concerned about the warning message, configure a second IP address pool.
- Beginning with PAN-OS 8.0, the Verify Update Server Identity global services setting for installing content and software updates is enabled by default (Device > Setup > Services > Global).
- Beginning with PAN-OS 7.1.7, to deactivate a VM-Series license you must first install a license API key on your firewall or Panorama. For more information, see Virtualization Features.
- Large Receive Offload (LRO) is enabled by default on new deployments of the VM-Series firewall for NSX or deployments upgraded to 8.0.
- Support for Data Plane Development Kit (DPDK) is enabled by default on the VM-Series for KVM and ESXi. However, to take advantage of DPDK, you must install the required NIC driver on your hypervisor. DPDK support is disabled by default on the VM-Series for AWS.
- The firewall does not support SSL decryption of RSA keys that are larger than 8Kb in size. You can either block connections to servers with the RSA key size greater than 8kb in the certificate or skip SSL decryption for such connections in Objects > Decryption Profile. To block such connections, check SSL Forward Proxy > Unsupported Mode Checks > Block sessions with unsupported cipher suites. Leave Block sessions with unsupported cipher suites unchecked to skip decrypting such connections.

CLI and API Changes in PAN-OS 8.0

PAN-OS 8.0 has changes to existing CLI commands, which also affect corresponding PAN-OS XML API requests. If you have a script or application that uses these requests, run corresponding CLI commands in debug mode to view the corresponding XML API syntax.
Operational commands are preceded by a greater-than sign (>), while configuration commands are preceded by a hash (#). An asterisk (*) indicates that related commands in the same hierarchy have also changed.

- The operational command to clear User-ID mappings for all IP addresses or a specific IP address has changed:
  PAN-OS 7.1 and earlier releases:
      > clear user-cache [all | ip]
  PAN-OS 8.0 release:
      > clear ipuser-cache [all | ip]

- With Authentication policy replacing Captive Portal policy, related CLI commands have changed:
  PAN-OS 7.1 and earlier releases:
      > show running captive-portal-policy
      > test cp-policy-match *
      # show rulebase captive-portal *
      # set import resource max-cp-rules <0-4000>
      # set rulebase captive-portal *
      # set shared admin-role <name> role device webui policies captive-portal-rulebase <enable|read-only|disable>
      # set import resource max-cp-rules <0-4000>
  PAN-OS 8.0 release:
      > show running authentication-policy
      > test authentication-policy-match *
      # show rulebase authentication *
      # set import resource max-auth-rules <0-4000>
      # set rulebase authentication rules *
      # set shared admin-role <name> role device webui policies authentication-rulebase <enable|read-only|disable>
      # set import resource max-auth-rules <0-4000>

- The User-ID commands to clear user mappings from the dataplane have changed:
  PAN-OS 7.1 and earlier releases:
      > clear uid-gids-cache uid <1-2147483647>
      > clear uid-gids-cache all
  PAN-OS 8.0 release:
      > clear uid-cache uid <1-2147483647>
      > clear uid-cache all

- With the introduction of decryption for Elliptical Curve Cryptography (ECC) Certificates, the following CLI command has been replaced with two algorithm-specific commands:
  PAN-OS 7.1 and earlier releases:
      # set deviceconfig setting ssl-decrypt fwd-proxy-server-cert-key-size <0|1024|2048>
  PAN-OS 8.0 release:
      # set deviceconfig setting ssl-decrypt fwd-proxy-server-cert-key-size-rsa <0|1024|2048>
      # set deviceconfig setting ssl-decrypt fwd-proxy-server-cert-key-size-ecdsa <0|256|384>

- With the introduction of IPv6 support in GlobalProtect, the following CLI commands have been replaced with two protocol-specific commands:
  PAN-OS 7.1 and earlier releases:
      # set global-protect global-protect-portal <name> portal-config local-address ip <value>
  PAN-OS 8.0 release:
      # set global-protect global-protect-portal <name> portal-config local-address ip ipv4 <value>
      # set global-protect global-protect-portal <name> portal-config local-address ip ipv6 <value>
  PAN-OS 7.1 and earlier releases:
      # set global-protect global-protect-portal <name> portal-config local-address floating-ip <value>
  PAN-OS 8.0 release:
      # set global-protect global-protect-portal <name> portal-config local-address floating-ip ipv4 <value>
      # set global-protect global-protect-portal <name> portal-config local-address floating-ip ipv6 <value>

- With new support for malicious IP address feeds, related CLI commands have changed to support IP addresses, URLs, and domains:
  PAN-OS 7.1 and earlier releases:
      # set external-list <name> *
  PAN-OS 8.0 release:
      # set external-list <name> type ip *
      # set external-list <name> type predefined-ip *
      # set external-list <name> type domain *
      # set external-list <name> type url *

- CLI commands related to SafeNet Network HSM (formerly Luna SA) now reflect the new name:
  PAN-OS 7.1 and earlier releases:
      # show deviceconfig system hsm-settings provider safenet-luna-sa *
      # set deviceconfig system hsm-settings provider safenet-luna-sa *
  PAN-OS 8.0 release:
      # show deviceconfig system hsm-settings provider safenet-network *
      # set deviceconfig system hsm-settings provider safenet-network *

- With the introduction of selective log forwarding based on log attributes, you must now specify the name of a custom-filter match list in related CLI commands:
  PAN-OS 7.1 and earlier releases:
      # show shared log-settings system *
      # set shared log-settings system *
      # show shared log-settings config *
      # set shared log-settings config *
      # show shared log-settings hipmatch *
      # set shared log-settings hipmatch *
      # show shared log-settings profiles <name> *
      # set shared log-settings profiles <name> *
  PAN-OS 8.0 release:
      # show shared log-settings system match-list *
      # set shared log-settings system match-list *
      # show shared log-settings config match-list *
      # set shared log-settings config match-list *
      # show shared log-settings hipmatch match-list *
      # set shared log-settings hipmatch match-list *
      # show shared log-settings profiles <name> match-list *
      # set shared log-settings profiles <name> match-list *

- CLI commands related to configuring the User-ID agent must now include host-port:
  PAN-OS 7.1 and earlier releases:
      # set user-id-agent <name> host <ip/netmask>|<value>
      # set user-id-agent <name> port <1-65535>
      # set user-id-agent <name> ntlm-auth <yes|no>
      # set user-id-agent <name> ldap-proxy <yes|no>
      # set user-id-agent <name> collectorname <value>
      # set user-id-agent <name> secret <value>
  PAN-OS 8.0 release:
      # set user-id-agent <name> host-port host <ip/netmask>|<value>
      # set user-id-agent <name> host-port port <1-65535>
      # set user-id-agent <name> host-port ntlm-auth <yes|no>
      # set user-id-agent <name> host-port ldap-proxy <yes|no>
      # set user-id-agent <name> host-port collectorname <value>
      # set user-id-agent <name> host-port secret <value>
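
A migration check built from the command changes listed in this section, as an added example rather than Palo Alto Networks tooling: it scans CLI lines for the PAN-OS 7.1 forms, rewrites the ones the notes rename one-to-one, and flags the ones where a new argument has to be chosen by hand. The rule table, the function name and the sample lines (including their argument values) are constructed here.

```python
import re

END = r"(?![\w-])"  # keyword must end here, so "...-key-size-rsa" is not "...-key-size"
AUTH = "Authentication policy replaces Captive Portal policy"

# (regex for the PAN-OS 7.1 form, 8.0 replacement or None, what changed).
# None marks a change with no one-to-one rewrite in the notes: someone has to pick
# the new argument (ipv4 or ipv6, rsa or ecdsa, a list type, a match-list name).
RULES = [
    (r"^clear user-cache" + END, "clear ipuser-cache", "User-ID mapping clear command renamed"),
    (r"^clear uid-gids-cache" + END, "clear uid-cache", "dataplane user mapping clear command renamed"),
    (r"^show running captive-portal-policy" + END, "show running authentication-policy", AUTH),
    (r"^test cp-policy-match" + END, "test authentication-policy-match", AUTH),
    (r"^show rulebase captive-portal" + END, "show rulebase authentication", AUTH),
    (r"^set rulebase captive-portal" + END, None,
     AUTH + "; rules are now under 'set rulebase authentication rules'"),
    (r"\bmax-cp-rules" + END, "max-auth-rules", AUTH),
    (r"\bcaptive-portal-rulebase" + END, "authentication-rulebase", AUTH),
    (r"\bprovider safenet-luna-sa" + END, "provider safenet-network", "HSM provider renamed"),
    (r"^(set user-id-agent \S+) (?=(?:host|port|ntlm-auth|ldap-proxy|collectorname|secret)\s)",
     r"\1 host-port ", "User-ID agent settings moved under host-port"),
    (r"\bfwd-proxy-server-cert-key-size" + END, None,
     "split into ...-key-size-rsa and ...-key-size-ecdsa"),
    (r"^set global-protect global-protect-portal \S+ portal-config local-address "
     r"(?:floating-ip|ip) (?!ipv[46]\s)", None, "insert ipv4 or ipv6 before the address"),
    (r"^set external-list \S+ (?!type\s)", None,
     "add 'type ip', 'type predefined-ip', 'type domain' or 'type url'"),
    (r"^(?:show|set) shared log-settings (?:system|config|hipmatch|profiles \S+)"
     r"(?!\s+match-list" + END + ")" + END, None, "name a match-list"),
]
COMPILED = [(re.compile(p), repl, note) for p, repl, note in RULES]


def lint(lines):
    """Return one finding per line that still uses a PAN-OS 7.1 command form."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        # Drop the "> " or "# " prompt marker the release notes put before commands.
        cmd = re.sub(r"^\s*[>#]\s+", "", raw).strip()
        new, notes, manual = cmd, [], False
        for pattern, repl, note in COMPILED:
            if pattern.search(new):
                notes.append(note)
                if repl is None:
                    manual = True
                else:
                    new = pattern.sub(repl, new, count=1)
        if notes:
            findings.append({"line": lineno, "old": cmd,
                             "new": None if manual else new, "notes": notes})
    return findings


# Constructed sample: names, addresses and values are placeholders.
SAMPLE = """\
> clear user-cache all
> show system info
# set user-id-agent agent1 host 192.0.2.10
# set user-id-agent agent1 host-port port 5007
# set deviceconfig setting ssl-decrypt fwd-proxy-server-cert-key-size 2048
# set shared admin-role auditor role device webui policies captive-portal-rulebase read-only
# set external-list edl1 type ip url https://edl.example.com/ip.txt
# set global-protect global-protect-portal gp1 portal-config local-address ip 203.0.113.5
"""

if __name__ == "__main__":
    for f in lint(SAMPLE.splitlines()):
        action = f["new"] if f["new"] is not None else "MANUAL: " + "; ".join(f["notes"])
        print(f"line {f['line']}: {f['old']}\n    -> {action}")
```
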

Associated Software and Content Versions

The following minimum software and content versions are supported with PAN-OS 8.0 releases:

Palo Alto Networks Software or Content Release Version | Minimum Supported Version with PAN-OS 8.0
Panorama | 8.0.0
User-ID Agent | 8.0.0
Terminal Services (TS) Agent | 8.0.0
GlobalProtect Agent | 4.0
Applications and Threat Content Release Version | 655
Antivirus Content Release Version | 2137

Known Issues

The following table describes known issues in the PAN-OS 8.0 release.
For recent updates to known issues for a given PAN-OS release, refer to
https://live.paloaltonetworks.com/t5/Articles/CriticalIssuesAddressedinPANOSReleases/tap/52882.

Issue ID: Description

Upgrading a PA-200 or PA-500 firewall to PAN-OS 8.0 can take 30-60 minutes to complete. Ensure uninterrupted power to your firewall throughout the upgrade process.

Panorama 8.0 does not currently support management of appliances running WildFire 7.1 or earlier releases. Even though these management options are visible on the Panorama 8.0 web interface (Panorama > Managed WildFire Clusters and Panorama > Managed WildFire Appliances), making changes to these settings for appliances running WildFire 7.1 or earlier releases has no effect.

ATF-2661: If you launch an AutoFocus search for an artifact on the firewall through the AutoFocus Intelligence Summary and your preferred scope setting in AutoFocus is set to Public Samples, AutoFocus incorrectly displays no search results.
Workaround: In the AutoFocus window you just launched, view the search results for All Samples, and then switch back to My Samples. The My Samples tab then displays the correct search results.

GPC-2742: If you configure GlobalProtect portals and gateways to use client certificates and LDAP as two factors of authentication, Chromebook users that are running Chrome OS 47 or later versions can encounter excessive prompts to select a client certificate.
Workaround: To prevent excessive prompts, configure a policy to specify the client certificate in the Google Admin console and deploy that policy to your managed Chromebooks:
1. Log in to the Google Admin console (https://admin.google.com) and select Device management > Chrome management > User settings.
2. In the Client Certificates section, enter the following URL pattern to Automatically Select Client Certificate for These Sites:
    {"pattern":"https://[*.]","filter":{}}
3. Click Save. The Google Admin console deploys the policy to all devices within a few minutes.

GPC-1737: By default, the GlobalProtect app adds a route on iOS mobile devices that causes traffic to the GP-100 GlobalProtect Mobile Security Manager to bypass the VPN tunnel.
Workaround: To configure the GlobalProtect app on iOS mobile devices to route all traffic, including traffic to the GP-100 GlobalProtect Mobile Security Manager, to pass through the VPN tunnel, perform the following tasks on the firewall hosting the GlobalProtect gateway (Network > GlobalProtect > Gateways > <gateway-config> > Agent > Client Settings > <client-settings-config> > Network Settings > Access Route):
- Add "0.0.0.0/0" as an access route.
- Enter the IP address for the GlobalProtect Mobile Security Manager as an additional access route.

GPC-1517: For the GlobalProtect app to access an MDM server through a Squid proxy, you must add the MDM server SSL access ports to the proxy server allow list. For example, if the SSL access port is 8443, add acl SSL_ports port 8443 to the allow list.

WF500-1584: When using a web browser to view a WildFire Analysis Report from a firewall that is using a WF-500 appliance for file sample analysis, the report may not appear until the browser downloads the WF-500 certificate. This issue occurs after upgrading a firewall and the WF-500 appliance to a PAN-OS 6.1 or later release.
Workaround: Browse to the IP address or hostname of the WF-500 appliance, which will temporarily download the certificate into the browser. For example, if the IP address of the WF-500 is 10.3.4.99, open a browser and enter https://10.3.4.99. You can then access the report from the firewall by selecting Monitor > WildFire Submissions, clicking log details, and then clicking the WildFire Analysis Report tab.

PAN-73879: You cannot clone the strict file blocking profile in PAN-OS 8.0; however, cloning the basic file blocking profile (or any other Security Profile types) works as expected.

PAN-73363: After you enable reporting and filtering on groups, Panorama still displays no results when you filter logs or generate reports based on user groups. The workaround is to access the Panorama CLI and run the debug software restart process reportd operational command.

PAN-73316: When a GlobalProtect user first logs in with a RADIUS authentication profile, the Domain-UserName appears as user@domain (instead of domain\user) in the PAN-OS web interface.
Workaround: Once a HIP report is generated, the username format is normalized and updated to the correct format.

PAN-73254: After you install the VMware NSX plugin on Panorama in a high availability (HA) deployment, Panorama does not automatically synchronize configuration changes between the HA peers unless you first update settings related to the NSX plugin.
Workaround: Configure the NSX settings and commit your changes to Panorama.

PAN-73207: If the firewall integrates with Okta Adaptive as the multi-factor authentication (MFA) vendor, you cannot use push notification as an authentication factor.

PAN-73168: If the PAN-OS Web Interface and the GlobalProtect portal that hosts clientless VPN applications are configured to share the same FQDN, you can get a 400 Bad Request error message from your browser when you try to access the PAN-OS Web Interface.
Workaround: Best practice is to configure separate FQDNs for the PAN-OS Web Interface and the GlobalProtect portal that hosts clientless VPN applications. As a short-term fix, clear the browser cache or close all browser windows and then open a separate browser window to log in to the PAN-OS web interface.

PAN-73006: When logging rates are high, the App Scope Change Monitor and Network Monitor reports sometimes display no data when you filter by Source or Destination IP addresses. The App Scope Summary report also might not display data for the Top 5 Bandwidth Consuming Source and Top 5 Threats when logging rates are high.
PAN-72861 When you configure a PA-7000 Series firewall to perform tunnel-in-tunnel inspection, which includes GRE keepalive packets (Policies > Tunnel Inspection > Inspection > Inspect Options), and you run the clear session all CLI command while traffic is traversing a tunnel, the firewall temporarily drops tunneled packets.
PAN-72843 If you commit a configuration that enables clientless VPN on multiple GlobalProtect portals using different DNS proxies, the commit fails.
Workaround: Restart the firewall dataplane and repeat the configuration commit.
PAN-72402 If you configure a BGP IPv6 aggregate address with an Advertise Filter consisting of both a prefix filter and a next-hop filter, the firewall advertises only the aggregate address and not the specific routes covered by the Advertise Filter. The workaround is to remove the next-hop filter; then the firewall advertises both the aggregate address and the more specific routes. This issue applies only to routes learned from another BGP peer; the behavior is as expected for locally injected routes.
PAN-71765 Deactivating a VM-Series firewall from Panorama completes successfully but the web interface does not update to show that deactivation is complete.
Workaround: View deactivation status from Managed Devices (Panorama > Managed Devices).
PAN-71556 MAC address table entries with a time-to-live (TTL) value of 0 are not removed as expected, which results in a table that continually grows larger in size.
PAN-71329 Local users and user groups created under Shared (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Clientless VPN > Applications on the GlobalProtect Portal).
Workaround: Create users and user groups under Vsys for multiple virtual systems. For single virtual systems (like VM), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
PAN-71271 During the process of migrating logs to the new log storage format in PAN-OS 8.0 (using the CLI command request logdb migrate lc serial-number <serial_number> start), older existing logs might be lost if the logging disks on a Log Collector are close to maximum capacity.
PAN-71215 Deactivating a VM-Series firewall from Panorama fails when Panorama is configured to Verify Update Server Identity (Panorama > Setup > Services > Verify Update Server Identity) and this setting is disabled on the firewall (Device > Setup > Services); this failure causes the firewall to become unreachable.
Workaround: Ensure that you configure both Panorama and the VM-Series firewall to Verify Update Server Identity before you deactivate the firewall.
PAN-70906 If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out from the GlobalProtect portal, the administrative user is logged out from the PAN-OS web interface as well. This issue is compounded when the portal is configured for GlobalProtect Clientless VPN because it can increase the number of users who access the portal.
Workaround: Use the IP address to access the PAN-OS web interface and a FQDN to access the GlobalProtect portal.
PAN-70353 Clientless VPN does not work if you configure the GlobalProtect portal that hosts the Clientless VPN on an interface configured to use the DHCP Client.
Workaround: Configure the interface to use static IP addresses.
PAN-70323 Firewalls running in FIPS-CC mode do not allow import of SHA-1 CA certificates even when the private key is not included; instead, firewalls display the following error: Import of <cert name> failed. Unsupported digest or keys used in FIPS-CC mode.
PAN-70046 A standard browser 404 error displays when you try to use GlobalProtect Clientless VPN without the correct content update.
Workaround: Clientless VPN requires you to install a GlobalProtect subscription on the firewall that hosts the Clientless VPN from the GlobalProtect portal. You also need the GlobalProtect Clientless VPN dynamic updates to use this feature.
PAN-70023 Authentication using auto-filled credentials intermittently fails when you access an application using GlobalProtect Clientless VPN.
Workaround: Manually enter the credentials.
PAN-69505 When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error.
PAN-69340 When you use a license authorization code (capacity license or a bundle) to bootstrap a VM-Series firewall, the capacity license is not applied. This issue occurs because the firewall does not reboot after the license is applied.
Workaround: Use the request restart software CLI command or reboot the firewall manually to activate session capacity for a VM-Series firewall.
PAN-69141 On PA-7000 Series firewalls and on Panorama log collectors, log collection processes consume excess memory and do not process logs as expected. This issue occurs when DNS response times are slow and scheduled reports contain fields that require DNS lookups.
Workaround: Use the debug management-server report-namelookup disable CLI command to disable DNS lookups for reporting purposes.
PAN-67987 The GlobalProtect agent fails to connect using a client cert if the intermediate CA is signed using the ECDSA hash algorithm.
PAN-67971 When you configure an endpoint running a GlobalProtect agent 3.x release to use a fully qualified domain name (FQDN) to connect to a dual-stack PAN-OS 8.0 gateway, the firewall incorrectly displays an IPv6 address instead of an IPv4 address for the connection.
Workaround: Use GlobalProtect agent 4.0 to connect to PAN-OS 8.0.
PAN-66531 Fixed an issue where the Commit Scope column in the Commit window was empty after manually uploading and installing a content update and then committing. Although the content update was not listed under Commit Scope, the commit continued and showed 100% complete.
PAN-66122 Tunnel content inspection is not supported in a virtual-system-to-virtual-system topology.
PAN-63611 On Panorama, when you generate a custom report or the SaaS Application Usage report on demand (Run Now), the report may be incomplete if you have a large data set. To generate the report successfully, try the following workarounds.
Workaround
Option 1: Reduce the scope of the report. You can either limit the time period or the data set (volume of logs) for the report. For example, in the SaaS Application Usage report, clear the Include detailed application category information in report check box or generate the report for a selected user group or zone instead of on all users and zones.
Option 2: Increase the timeout for generating reports. Use the following CLI command on Panorama and each Log Collector in your DLC architecture:
set reportd timeout <value in seconds>
The default timeout is 1200 seconds but you can increase it to a maximum of 5 hrs (18000 seconds).
PAN-63274 When tunnel content inspection is configured for traffic in a shared gateway topology (the firewall has multiple virtual systems), inner flow sessions installed on DP1 fail. Also, when networking devices behind the shared gateway initiate traffic, that traffic doesn't reach the networking devices behind the virtual systems.
PAN-63207 Fixed an issue on PA-7000 Series firewalls where group mappings did not populate when the group include list was pushed from Panorama.
PAN-62820 If you use the Apple Safari browser in Private Browsing mode to request a service or application that requires multi-factor authentication (MFA), the firewall does not redirect you to the service or application even after authentication succeeds.
PAN-62513 Fixed an issue on PA-7000 Series firewalls in an active/passive HA configuration where the "show high-availability path-monitoring" command always shows NPC slot 1; even though the path monitoring IP address was assigned to an interface in a different NPC slot. This occurred only when the path monitoring IP address was assigned to an interface in an aggregate interface group and the interface group was in a slot other than slot 1.
PAN-62453 Entering vSphere maintenance mode on a VM-Series firewall without first shutting down the Guest OS for the agent VMs causes the firewall to shut down abruptly and causes issues that persist after the firewall is powered on again. Refer to Issue 1332563 in the VMware release notes: https://www.vmware.com/support/pubs/nsx_pubs.html.
Workaround: VM-Series firewalls are Service Virtual Machines (SVMs) pinned to ESXi hosts and should not be migrated. Before you enter vSphere maintenance mode, use the VMware tools to ensure a graceful shutdown of the VM-Series firewall.
PAN-61284 Fixed an issue where User-ID consumed a large amount of memory when the firewall experienced a high rate of incoming IP address-to-username mapping data and there were more than ten redistribution client firewalls at the same time.
PAN-59124 Objects > Custom Objects > Data Patterns provides predefined patterns (Pattern Type > Predefined Pattern), such as social security numbers and credit card numbers, to check for in the incoming file types that you specify. The firewall no longer supports checking for these predefined patterns in GZIP and ZIP files.
PAN-58872 The automatic license deactivation workflow for firewalls with direct internet access does not work.
Workaround: Use the request license deactivate key features <name> mode manual CLI command to Deactivate a Feature License or Subscription Using the CLI. To Deactivate a VM, choose Complete Manually (instead of Continue) and follow the steps to manually deactivate the VM.
PAN-57215 Fixed an issue where an HTTP 416 error appeared when trying to download updates to a client from an IBM BigFix update server.
PAN-56217 You cannot configure multiple DNS proxy objects that specify for the firewall to listen for DNS requests on the same interface (Network > DNS Proxy > Interfaces). If multiple DNS proxy objects are configured with the same interface, only the first DNS proxy object settings are applied.
Workaround: If there are DNS proxy objects configured with the same interface, you must modify the DNS proxy objects so that each object specifies unique interfaces:
To modify a DNS proxy object that specifies only one interface, delete the DNS proxy object and reconfigure the object with an interface that is not shared among any other objects.
To modify a DNS proxy object configured with multiple interfaces, delete the interface that is shared with other DNS proxy objects, click OK to save the modified object, and then Commit.
PAN-55825 Performing an AutoFocus remote search that is targeted to a PAN-OS firewall or Panorama does not work correctly when the search condition contains a single or double quotation mark.
PAN-55437 High availability (HA) for VM-Series firewalls does not work in AWS regions that do not support the signature version 2 signing process for EC2 API calls. Unsupported regions include AWS EU (Frankfurt) and Korea (Seoul).
PAN-55203 When you change the reporting period for a scheduled report, such as the SaaS Application Usage PDF report, the report can have incomplete or no data for the reporting period.
Workaround: If you need to change the reporting period for any scheduled report, create a new report for the desired time period instead of modifying the time period on an existing report.
PAN-54254 In Traffic logs, the following session end reasons for Captive Portal or a GlobalProtect SSL VPN tunnel indicated the incorrect reason for session termination: decrypt-cert-validation, decrypt-unsupport-param, or decrypt-error.
PAN-53825 For the VM-Series NSX edition firewall, when you add or modify an NSX service profile zone on Panorama, you must perform a Panorama commit and then perform a Device Group commit with the Include Device and Network Templates option selected. To successfully redirect traffic to the VM-Series NSX edition firewall, you must perform both a Template and a Device Group commit when you modify the zone configuration to ensure that the zones are available on the firewall.
PAN-53601 Panorama running on an M-500 appliance cannot connect to a SafeNet Network or Thales Nshield Connect hardware security module (HSM).
PAN-51969 On the NSX Manager, when you unbind an NSX Security Group from an NSX Security Policy rule, the dynamic tag and registered IP address are updated on Panorama but are not sent to the VM-Series firewalls.
Workaround: To push the Dynamic Address Group updates to the VM-Series firewalls, you must manually synchronize the configuration with the NSX Manager (Panorama > VMware Service Manager and select NSX Config-Sync).
PAN-51952 If a security group overlap occurs in an NSX Security policy where the same security group is weighted with a higher and a lower priority value, the traffic may be redirected to the wrong service profile (VM-Series firewall instance). This issue occurs because an NSX Security policy with a higher weight does not always take precedence over a policy with a lower weight.
Workaround: Make sure that members that are assigned to a security group are not overlapping with another Security group and that each security group is assigned to a unique NSX Security policy rule. This allows you to ensure that NSX Security policy does not redirect traffic to the wrong service profile (VM-Series firewall).
PAN-51870 When using the CLI to configure the management interface as a DHCP client, the commit fails if you do not provide all four DHCP parameters in the command. For a successful commit when using the set deviceconfig system type dhcp-client command, you must include each of the following parameters: accept-dhcp-domain, accept-dhcp-hostname, send-client-id, and send-hostname.
PAN-51869 Canceling pending commits does not immediately remove them from the commit queue. The commits remain in the queue until PAN-OS dequeues them.
PAN-51673 BFD sessions are not established between two RIP peers when there are no RIP advertisements.
Workaround: Enable RIP on another interface to provide RIP advertisements from a remote peer.
PAN-51216 The NSX Manager fails to redirect traffic to the VM-Series firewall when you define new Service Profile zones for NSX on Panorama. This issue occurs intermittently on the NSX Manager when you define security rules to redirect traffic to the new service profiles that are available for traffic introspection and results in the following error: Firewall configuration is not in sync with NSX Manager. Conflict with Service Profile Oddhost on service (Palo Alto Networks NGFW) when binding to host<name>.
PAN-51181 A Palo Alto Networks firewall, M-100 appliance, or WF-500 appliance configured to use FIPS operational mode fails to boot when rebooting after an upgrade to PAN-OS 7.0 or later releases.
Workaround: Enable FIPS and Common Criteria support on all Palo Alto Networks firewalls and appliances before you upgrade to a PAN-OS 7.0 or later release.
PAN-51122 For the VM-Series firewall, if you manually reset a heartbeat failure alarm on the vCenter server to indicate that the VM-Series firewall is healthy (change color to green), the vCenter server does not trigger a heartbeat failure alarm again.
PAN-50651 On PA-7000 Series firewalls, one data port must be configured as a log card interface because the traffic and logging capabilities of this platform exceed the capabilities of the management port. A log card interface performs WildFire file-forwarding and log forwarding for syslog, email, and SNMP and these services require DNS support. If you set up a custom service route for the firewall to perform DNS queries, services using the log card interface might not be able to generate DNS requests. This is only an issue if you've configured the firewall to use a service route for DNS requests and, in this case, you must perform a workaround to enable communication between the firewall dataplane and the log card interface.
Workaround: Enable DNS Proxy on the firewall and do not specify an interface for the DNS proxy object to use (ensure that Network > DNS Proxy > Interface is not configured).
PAN-50641 Enabling or disabling BFD for BGP or changing a BFD profile that a BGP peer uses causes BGP to flap.
PAN-50038 When you enable jumbo frames from the CLI on a VM-Series firewall in AWS, the maximum transmission unit (MTU) size on the interfaces does not increase. The MTU on each interface remains at a maximum value of 1500 bytes.
PAN-48565 The VM-Series firewall on Citrix SDX does not support jumbo frames.
PAN-48456 IPv6-to-IPv6 Network Prefix Translation (NPTv6) is not supported when configured on a shared gateway.
PAN-47969 If you log in to Panorama as a Device Group and Template administrator and you rename a device group, the Panorama > Device Groups page no longer displays any device groups.
Workaround: After you rename a device group, perform a commit, log out, and log back in; the page then displays the device groups with the updated values.
PAN-47073 Web pages using the HTTP Strict Transport Security (HSTS) protocol do not always display properly for end users.
Workaround: End users must import an appropriate forward-proxy certificate for their browsers.
PAN-46344 When you use a Mac OS Safari browser, client certificates will not work for Captive Portal authentication.
Workaround: On a Mac OS system, instruct end users to use a different browser (for example, Mozilla Firefox or Google Chrome).
PAN-45793 On a firewall with multiple virtual systems, if you add an authentication profile to a virtual system and give the profile the same name as an authentication sequence in Shared, reference errors occur. The same errors occur if the profile is in Shared and the sequence with the same name is in a virtual system.
Workaround: When creating authentication profiles and sequences, always enter unique names, regardless of their location. For existing authentication profiles and sequences with similar names, rename the ones that are currently assigned to configurations (for example, a GlobalProtect gateway) to ensure uniqueness.
PAN-44400 The link on a 1Gbps SFP port on a VM-Series firewall deployed on a Citrix SDX server does not come up when successive failovers are triggered. This behavior is only observed in a high availability (HA) active/active configuration.
Workaround: Use a 10Gbps SFP port instead of the 1Gbps SFP port on the VM-Series firewall deployed on a Citrix SDX server.
PAN-44300 WildFire analysis reports cannot be viewed on firewalls running PAN-OS 6.1 release versions if connected to a WF-500 appliance in Common Criteria mode that is running PAN-OS 7.0 or later releases.
PAN-43000 Vulnerability detection of SSLv3 fails when SSL decryption is enabled. This occurs when you attach a Vulnerability Protection profile (that detects SSLv3 CVE-2014-3566) to a Security policy rule and that Security policy rule and an SSL Decryption policy rule are configured on the same virtual system in the same zone. After performing SSL decryption, the firewall sees decrypted data and no longer sees the SSL version number. In this case, the SSLv3 vulnerability is not identified.
Workaround: SSL Decryption Enhancements were introduced in PAN-OS 7.0 that enable you to prohibit the inherently weaker SSL/TLS versions, which are more vulnerable to attacks. For example, you can use a Decryption Profile to enforce a minimum protocol version of TLS 1.2 or you can Block sessions with unsupported versions to disallow unsupported protocol versions (Objects > Decryption Profile > SSL Decryption > SSL Forward Proxy and/or SSL Inbound Inspection).
PAN-41558 When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as StrongSwan.
Workaround: Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
PAN-40842 When you configure a firewall to retrieve a WildFire signature package, the System log shows unknown version for the package. For example, after a scheduled WildFire package update, the system log shows: WildFire package upgraded from version <unknown version> to 38978-45470. This is a cosmetic issue only and does not prevent the WildFire package from installing.
PAN-40130 In the WildFire Submissions logs, the email recipient address is not correctly mapped to a username when configuring LDAP group mappings that are pushed in a Panorama template.
PAN-40079 The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
PAN-40075 The VM-Series firewall on KVM running on Ubuntu 12.04 LTS does not support PCI pass-through functionality.
PAN-39728 The URL logging rate is reduced when HTTP header logging is enabled in the URL Filtering profile (Objects > Security Profiles > URL Filtering > URL Filtering profile > Settings).
PAN-39636 Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report. For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.
PAN-39501 Unused NAT IP address pools are not cleared after a single commit, so a commit fails if the combined cache of unused pools, existing used pools, and new pools exceeds the memory limit.
Workaround: Commit a second time, which clears the old pool allocation.
PAN-38584 Configurations pushed from Panorama 6.1 and later releases to firewalls running PAN-OS 6.0.3 or earlier PAN-OS 6.0 releases will fail to commit due to an unexpected Rule Type error. This issue is caused by the Rule Type setting in Security policy rules that was not included in the upgrade transform and, therefore, the new rule types are not recognized on devices running PAN-OS 6.0.3 or earlier releases.
Workaround: Only upgrade Panorama to version 6.1 or later releases if you are also planning to upgrade all managed firewalls running PAN-OS 6.0.3 or an earlier PAN-OS 6.0 release to a PAN-OS 6.0.4 or later release before pushing a configuration to the devices.
PAN-38255 If you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart management-server CLI command.
PAN-37511 Due to a limitation related to the Ethernet chip driving the SFP+ ports, PA-5050 and PA-5060 firewalls will not perform link fault signaling as standardized when a fiber in the fiber pair is cut or disconnected.
PAN-37177 After deploying the VM-Series firewall, when the firewall connects to Panorama, you must issue a Panorama commit to ensure that Panorama recognizes the firewall as a managed device. If you reboot Panorama without committing the changes, the firewall will not connect back to Panorama; although the device group will display the list of devices, the device will not display in Panorama > Managed Devices.
Further, if Panorama is configured in an HA configuration, the VM-Series firewall is not added to the passive Panorama peer until the active Panorama peer synchronizes the configuration. During this time, the passive Panorama peer will log a critical message: vm-cfg: failed to process registration from svm device. vm-state: active. This message is logged until you commit the changes on the active Panorama, which then initiates synchronization between the Panorama HA peers and the VM-Series firewall is added to the passive Panorama peer.
Workaround: To reestablish the connection to the managed devices, commit your changes to Panorama (click Commit and select Commit Type: Panorama). In case of an HA setup, the commit will initiate the synchronization of the running configuration between the Panorama peers.
PAN-37127 On the Panorama web interface, the Policies > Security > Post Rules > Combined Rules Preview window does not display post rules and local rules for managed devices.
PAN-37044 Live migration of the VM-Series firewall is not supported when you enable SSL decryption using the SSL forward proxy method. Use SSL inbound inspection if you need support for live migration.
PAN-36730 When deleting the VM-Series deployment, all VMs are deleted successfully; however, sometimes a few instances still remain in the datastore.
Workaround: Manually delete the VM-Series firewalls from the datastore.
PAN-36728 In some scenarios, traffic from newly added guests or virtual machines is not steered to the VM-Series firewall even when the guests belong to a Security Group and are attached to a Security Policy that redirects traffic to the VM-Series firewall.
Workaround: Reapply the Security Policy on the NSX Manager.
PAN-36433 If a high availability (HA) failover occurs on Panorama at the time that the NSX Manager is deploying the VM-Series NSX edition firewall, the licensing process fails with the error: vm-cfg: failed to process registration from svm device. vm-state: active.
Workaround: Delete the unlicensed instance of the VM-Series firewall on each ESXi host and then redeploy the Palo Alto Networks next-generation firewall service from the NSX Manager.
PAN-36394 When the datastore is migrated for a guest, all current sessions are no longer steered to the VM-Series firewall. However, all new sessions are secured properly.
PAN-36333 The Service dialog for adding or editing a service object in the web interface displays the incorrect port range for both source and destination ports: 1-65535. The correct port range is 0-65535 and specifying port number 0 for either a source or destination port is successful.
PAN-36289 If you deploy the VM-Series firewall and then assign the firewall to a template, the change is not recorded in the bootstrap file.
Workaround: Delete the Palo Alto Networks NGFW Service on the NSX Manager, and verify that the template is specified on Panorama > VMware Service Manager, register the service, and redeploy the VM-Series firewall.
PAN-36088 When an ESXi host is rebooted or shut down, the functional status of the guests is not updated. Because the IP address is not updated, the dynamic tags do not accurately reflect the functional state of the guests that are unavailable.
PAN-36049 The vCenter Server/vmtools displayed the IP Address for a guest incorrectly after vlan tags were added to an Ethernet port. The display did not accurately show the IP addresses associated with the tagged Ethernet port and the untagged Ethernet port. This issue was seen on some Linux OS versions such as Ubuntu.
PAN-35903 When you edit a traffic introspection rule (to steer traffic to the VM-Series firewall) on the NSX Manager, an invalid (tcp) port number error or invalid (udp) port number error displays when you remove the destination (TCP or UDP) port.
Workaround: Delete the rule and add a new one.
PAN-35875 When defining traffic introspection rules (to steer traffic to the VM-Series firewall) on the NSX Manager, either the source or the destination for the rule must reference the name of a Security Group; you cannot create a rule from any to any Security Group.
Workaround: To redirect all traffic to the VM-Series firewall, you must create a Security Group that includes all the guests in the cluster. Then you can define a security policy that redirects traffic from and to the cluster so that the firewall can inspect and enforce policy on the east-west traffic.
PAN-35874 Duplicate packets are being steered to the VM-Series firewall. This issue occurs if you enable distributed vSwitch for steering in promiscuous mode.
Workaround: Disable promiscuous mode.
PAN-34966 On a VM-Series NSX edition firewall, when adding or removing a Security Group (Container) that is bound to a Security Policy, Panorama does not get a dynamic update of the added or removed Security Group.
Workaround: On Panorama > VMware Service Manager, click Synchronize Dynamic Objects to initiate a manual synchronization to get the latest update.
PAN-34855 On a VM-Series NSX edition firewall, Dynamic Tags (update) do not reflect the actual IP address set on the guest. This issue occurs because the vCenter Server cannot accurately view the IP address of the guest.
PAN-33316 Adding or removing ports on the SDX server after deploying the VM-Series firewall can cause a configuration mismatch on the firewall. To avoid the need to reconfigure the interfaces, consider the total number of data ports that you require on the firewall and assign the relevant number of ports on the SDX server when deploying the VM-Series firewall.
For example, if you assign ports 1/3 and 1/4 on the SDX server as data interfaces on the VM-Series firewall, the ports are mapped to eth1 and eth2. If you then add port 1/1 or 1/2 on the SDX server, eth1 will be mapped to 1/1 or 1/2, eth2 will be mapped to 1/3 and eth3 to 1/4. If ports 1/3 and 1/4 were set up as a virtual wire, this remapping will require you to reconfigure the network interfaces on the firewall.
PAN-31832 The following issues apply when configuring a firewall to use a hardware security module (HSM):
Thales nShield Connect: The firewall requires at least four minutes to detect that an HSM has been disconnected, causing SSL functionality to be unavailable during the delay.
SafeNet Network: When losing connectivity to either or both HSMs in a high availability (HA) configuration, the display of information from the show ha-status or show hsm info command is blocked for 20 seconds.
PAN-31593 After you configure a Panorama M-Series appliance for HA and synchronize the configuration, the Log Collector of the passive peer cannot connect to the active peer until you reboot the passive peer.
PAN-29441 The Panorama virtual appliance does not write summary logs for traffic and threats as expected after you enter the "clear log" command.
Workaround: Reboot Panorama management server (Panorama > Setup > Operations) to enable summary logs.
PAN-29411 In some configurations, when you switch context from Panorama and access the web interface of a managed device, you are unable to upgrade the PAN-OS software image.
Workaround: Use the Panorama > Device Deployment > Software tab to deploy and install the software image on the managed device.
PAN-29385 You cannot configure the management IP address on an M-100 appliance while it is operating as the secondary passive peer in an HA pair.
Workaround: To set the IP address for the management interface, you must suspend the active Panorama peer, promote the passive peer to active state, change the configuration, and then reset the active peer to active state.
PAN-29053 By default, the hostname is not included in the IP header of syslog messages sent from the firewall. However, some syslog implementations require this field to be present.
Workaround: Enable the firewall to include the IP address of the firewall as the hostname in the syslog header by selecting Send Hostname in Syslog (Device > Setup).
PAN-28794 If a Panorama Log Collector MGT port is configured with an IPv4 address and you want to have only an IPv6 address configured, you can use the Panorama web interface to configure the new IPv6 address but you cannot use Panorama to remove the IPv4 address.
Workaround: Configure the MGT port with the new IPv6 address and then apply the configuration to the Log Collector and test connectivity using the IPv6 address to ensure that you do not lose access when you remove the IPv4 address. After you confirm the Log Collector is accessible using the IPv6 address, go to the CLI on the Log Collector and remove the IPv4 address (using the delete deviceconfig system ip-address command) and then commit your changes.
PAN-25101 If you add a Decryption policy rule that instructs the firewall to block SSL traffic that was not previously being blocked, the firewall will continue to forward the undecrypted traffic.
Workaround: Use the debug dataplane reset ssl-decrypt exclude-cache command to clear the SSL decrypt exclude cache.
PAN-25046 SSH host keys used for SCP log export are stored in the known hosts file on the firewall. In a high availability (HA) configuration, the SCP log export configuration is synchronized with the peer device, but the known host file is not synchronized. When a failover occurs, the SCP log export fails.
Workaround: Log in to each peer in HA and Test SCP server connection to confirm the host key so that SCP log forwarding continues to work after a failover.
PAN-20162 If a client PC uses RDP to connect to a server running remote desktop services and the user logs in to the remote server with a different username, when the User-ID agent queries the Active Directory server to gather user-to-IP mapping from the security logs, the second username will be retrieved. For example, if UserA logs in to a client PC and then logs in to the remote server using the username for UserB, the security log on the Active Directory server will record UserA, but will then be updated with UserB. The username UserB is then picked up by the User-ID agent for the user-to-IP mapping information, which is not the intended user mapping.
PAN-OS 8.0.0 Addressed Issues
The following table lists the issues that are fixed in the PAN-OS 8.0.0 release. For new features, associated software versions, known issues, and changes in default behavior in PAN-OS 8.0 releases, see PAN-OS 8.0 Release Information.
Issue ID Description
PAN-72346 Fixed an issue where exporting botnet reports failed with the following error: Missing report job id.
PAN-72242 Fixed an issue where configuring a source address exclusion in the Reconnaissance Protection tab under a zone protection profile was not allowed.
PAN-71892 Fixed an issue where an LDAP profile did not use the configured port; the profile used the default port, instead.
PAN-71615 Fixed an issue where the intrazone block rule shadowed the universal rule that has different source and destination zones.
PAN-71192 Fixed an issue where performing a log query or log export with a specific number of logs caused the management server to stop responding. This occurred only when the number of logs was a multiple of 64 plus 63. For example, 128 is a multiple of 64 and if you add 63 to 128 that equals 191 logs. In this case, if you performed a log query or export and there were 191 logs, the management server would stop responding.
PAN-70483 Fixed an issue on an M-Series appliance in Panorama mode where shared service groups did not populate in the service pull-down when attempting to add a new item to a security policy. The issue occurred when the drop-down contained 5,000 or more entries.
PAN-70323 Fixed an issue where firewalls running in FIPS-CC mode did not allow import of SHA-1 CA certificates even when the private key was not included; instead, firewalls displayed the following error: Import of <cert name> failed. Unsupported digest or keys used in FIPS-CC mode.
PAN-70057 Fixed an issue where running the validate option on a candidate configuration in Panorama caused changes to the running configuration on the managed device. The configuration change occurred after a subsequent FQDN refresh occurred.
PAN-69951 Fixed an issue where the firewall failed to forward system logs to Panorama when the dataplane was under severe load.
PAN-69235 Fixed an issue where committing a configuration with a large number of layer 3 subinterfaces (4,000 in this case) caused the dataplane to stop responding.
PAN-69194 Fixed an issue where performing a device group commit from a Panorama server running version 7.1 to managed firewalls running PAN-OS 6.1 failed to commit when the custom spyware profile action was set to Drop. With this fix, Panorama translates the action from Drop to Drop packets for firewalls running PAN-OS 6.1, which allows the device group commit to succeed.
PAN-68873 Fixed an issue where customizing the block duration for threat ID 40015 in a Vulnerability Protection profile did not adhere to the defined block interval. For example, if you set Number of Hits (SSH hello messages) to 3 and per seconds to 60, after three consecutive SSH hello messages from the client, the firewall failed to block the client for the full 60 seconds.
PAN-68766 Fixed an issue where navigating to the IPSec tunnel configuration in a Panorama template caused the Panorama management web interface to stop responding and displayed a "502 Bad Gateway" error.
PAN-68658 Fixed an issue where handling out-of-order TCP FIN packets resulted in dropped packets due to TCP reassembly that was out of sync.
PAN-68654 Fixed an issue where the firewall was not populating User-ID mappings based on the defined syslog filters.
PAN-67987 Fixed an issue where the GlobalProtect agent failed to connect using a client certificate if the intermediate CA is signed using the ECDSA hash algorithm.
PAN-67944 Fixed an issue where a process (all_pktproc) stopped responding because a race condition occurred when closing sessions.
PAN-67599 In PAN-OS 7.0 and 7.1, a restriction was added to prevent an administrator from configuring OSPF router ID 0.0.0.0. This restriction is removed in PAN-OS 8.0.
PAN-67224 Fixed an issue where the firewall displayed a validation error after Panorama imported the firewall configuration and then pushed the configuration back to the firewall so it could be managed by Panorama. This issue occurred because log forwarding profiles were not replaced with the profiles configured in Panorama. With this fix, Panorama will properly remove the existing configuration on the managed firewall before applying the pushed configuration.
PAN-67090 Fixed an issue where the web interface displayed an obsolete flag for the nation of Myanmar.
PAN-66675 Fixed an issue where extended packet captures were consuming an excessive amount of storage space in /opt/panlogs.
PAN-66104 Fixed an issue where vsys-specific custom response pages (Captive portal, URL continue, and URL override) did not display; they were replaced by shared response pages, instead.
PAN-64981 Fixed an issue where an internal buffer could be overwritten, causing the management plane to stop responding.
PAN-64638 Fixed an issue where the firewall failed to send a RADIUS access request after changing the IP address of the management interface.
PAN-64579 An error message is now displayed when installing an apps package manually from a file on a passive Panorama.
PAN-64520 Fixed an issue where H.323-based video calls failed when using source NAT (dynamic or static) due to incorrect translation of the destCallSignalAddress payload in the H.225 call setup.
PAN-64436 Fixed an issue where creation of IGMP sessions failed due to a timeout issue.
PAN-64419 Fixed an issue where the firewall displayed inconsistent shadow rule warnings during a commit for QoS policies.
PAN-64081 Fixed an issue on PA-5000 Series firewalls where the dataplane stopped responding due to a race condition during hardware offload.
PAN-63969 Fixed an issue where an SSH session running on a non-standard port was categorized by URL filtering as unknown, causing the firewall to block the traffic. With this fix, the firewall will no longer perform a URL lookup on SSH traffic that is not decrypted.
PAN-63925 Fixed an issue where the firewall did not generate a log when a content update failed or was interrupted.
PAN-63908 Fixed an issue where SSH sessions subject to URL category lookup were handled incorrectly even though SSH decryption was not enabled. With this fix, SSH traffic is not subject to URL category lookup when SSH decryption is disabled.
PAN-63612 Fixed an issue where User activity reports on Panorama did not include any entries when there was a space in the Device Group name.
PAN-63520 Fixed an issue where the wrong source zone was used when logging vsys-to-vsys sessions.
PAN-63054 Fixed an issue on VM-Series firewalls where enabling software QoS resulted in dropped packets under heavy traffic conditions. With this fix, VM-Series firewalls no longer drop packets due to heavy loads with software QoS enabled and software QoS performance in general is improved for all Palo Alto Networks firewalls.
PAN-63013 Fixed an issue where a commit validation error displayed when pushing a template configuration with a modified WildFire file size setting. With this fix, commit validation takes place on the managed firewall that tries to commit new template values.
PAN-62937 Fixed an issue where, when TLS was enabled, establishing an LDAP connection over a slow or unstable connection caused commits to fail. With this fix, if TLS is enabled, the firewall does not attempt to establish LDAP connections when you perform a commit; it waits until after the commit is complete.
PAN-62797 Fixed an issue where a process (cdb) intermittently restarted, which prevented jobs from completing successfully.
PAN-62057 Fixed an issue where the GlobalProtect agent failed to authenticate using a client certificate that had a signature algorithm that was not SHA1/SHA256. With this fix, the firewall provides support for the SHA384 signature algorithm for client-based authentication.
PAN-61871 Fixed an issue where the firewall matched traffic to a URL category on first lookup, which caused some traffic to be matched to the wrong security profile. With this fix, the firewall matches traffic to URL categories a second time to ensure that traffic is matched to the correct security profile.
PAN-61837 Fixed an issue on PA-3000 Series and PA-5000 Series firewalls where the dataplane stopped responding when a session crossed vsys boundaries and could not find the correct egress port. This issue occurred when zone protection was enabled with a SYN Cookies action (Network > Zone Protection > Flood Protection).
PAN-61813 Fixed an issue where a custom scheduled report configured per device was empty when exported.
PAN-61797 Fixed an issue on the passive peer in an HA configuration where LACP flapped when the link state was set to shutdown/auto and pre-negotiation was disabled.
PAN-61252 Fixed an issue on firewalls in an HA active/active configuration where the floating IP address was not active on the secondary firewall after the link went down on the primary firewall.
PAN-60753 Fixed an issue where changing the RSA key from a 2,048-bit key to a 1,024-bit key forced the encryption algorithm to change from SHA256 to SHA1 for SSL forward proxy decryption.
PAN-60581 Added a check to not include all the applications in the Application filter if no application category is selected by the user. Users have to explicitly add all the categories to create an application filter with all the applications.
PAN-60577 Added a check in the Application Filter UI to not allow the user to create or save an application filter without any application category selected by the user.
PAN-60556 Added support in the certificate profile to also configure a non-CA certificate as an additional certificate to verify the OCSP response received for certificate status validation. The OCSP Verify CA field in the certificate profile has been changed to OCSP Verify Certificate.
PAN-60402 Fixed an issue where renaming an address object caused the commit to a Device Group to fail.
PAN-60340 Fixed an issue where the Panorama application database did not display all applications in the browser.
PAN-60035 An enhancement to alleviate Dynamic IP NAT translation conflict between different Packet Processors (PP) and thus to improve DIP NAT pool utilization.
PAN-59676 Fixed an issue where a custom admin role user was unable to download dynamic updates/software releases.
PAN-59654 Fixed an issue where commits failed on the firewall after upgrading from one release (such as PAN-OS 6.1) to another (such as PAN-OS 7.0) due to a problem with cached files on the firewall. With this fix, upgrading from PAN-OS 7.1 (or earlier releases) to PAN-OS 8.0 replaces the cached files with new files that do not cause commit failures.
PAN-58636 Fixed an issue where the Device Server on the Firewall stopped responding.
PAN-58496 Fixed an issue where custom reports using threat summary were not populated.
PAN-58382 Fixed an issue where users were matched to the incorrect security policies.
PAN-57529 Fixed an issue where the firewall acted as a DHCP relay and wireless devices on a VLAN did not receive a DHCP address (all other devices on the VLAN did receive a DHCP address). With this fix, all devices on a VLAN receive a DHCP address when the firewall acts as a DHCP relay.
PAN-57440 Fixed an issue where OSPFv3 link state updates were sent with the incorrect OSPF checksum when the OSPF packet needed to advertise more link state advertisements (LSAs) than fit into a 1,500-byte packet. With this fix, the firewall sends the correct OSPF checksum to neighboring switches and routers even when the number of LSAs doesn't fit into a 1,500-byte packet.
PAN-56700 Fixed an issue where the SNMP OID "ifHCOutOctets" did not contain the expected data.
PAN-50973 Fixed an issue for VM-Series firewalls on Microsoft Hyper-V where, although the FIPS-CC mode option was visible in the maintenance mode menu, you could not enable it. With this fix, FIPS-CC mode is supported for and can be enabled from the maintenance mode menu in VM-Series firewalls on Microsoft Hyper-V.
Getting Help
The following topics provide information on where to find more about this release and how to request support:
Related Documentation
Requesting Support
Related Documentation
Refer to the following PAN-OS 8.0 documentation on the Technical Documentation portal or search the documentation for more information on our products:
New Features Guide: Detailed information on configuring the features introduced in this release.
PAN-OS Administrator's Guide: Provides the concepts and solutions to get the most out of your Palo Alto Networks next-generation firewalls. This includes taking you through the initial configuration and basic setup on your Palo Alto Networks firewalls.
Panorama Administrator's Guide: Provides the basic framework to quickly set up the Panorama virtual appliance or an M-Series appliance for centralized administration of the Palo Alto Networks firewalls.
WildFire Administrator's Guide: Provides steps to set up a Palo Alto Networks firewall to forward samples for WildFire Analysis, to deploy the WF-500 appliance to host a WildFire private or hybrid cloud, and to monitor WildFire activity.
VM-Series Deployment Guide: Provides details on deploying and licensing the VM-Series firewall on all supported hypervisors. It includes examples of supported topologies on each hypervisor.
GlobalProtect Administrator's Guide: Describes how to set up and manage GlobalProtect.
Online Help System: Detailed, context-sensitive help system integrated with the firewall web interface.
Open Source Software (OSS) Listings: OSS licenses used with Palo Alto Networks products and software:
PAN-OS 8.0
Panorama 8.0
WildFire 8.0
Requesting Support
For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.
Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
https://www.paloaltonetworks.com/company/contactsupport
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Revision Date: January 31, 2017