advertisement
▼
Scroll to page 2
of 48
® PAN-OS 8.0 Release Notes Version 8.0 Krome Technologies Ltd | 246 Station Road | Addlestone | Surrey | KT15 2PS | Tel: 01932 232345 | [email protected] | www.krome.co.uk Table of Contents PAN-OS® 8.0 Release Notes Revision Date: January 31, 2017 Review important information about Palo Alto Networks PAN-OS 8.0 software, including new features introduced, workarounds for open issues, and issues that are addressed in the PAN-OS 8.0 release. For installation, upgrade, and downgrade instructions, refer to the PAN-OS 8.0 New Features Guide. For the latest version of these release notes, refer to the Palo Alto Networks technical documentation portal. PAN-OS 8.0 Release Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Features Introduced in PAN-OS 8.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Management Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Panorama Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Content Inspection Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 WildFire Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Authentication Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 User-ID Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 App-ID Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Decryption Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Virtualization Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Networking Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 GlobalProtect Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Changes to Default Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 CLI and API Changes in PAN-OS 8.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Associated Software and Content Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 PAN-OS 8.0.0 Addressed Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Getting Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Requesting Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 2 • PAN-OS 8.0 Release Notes © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Information Features Introduced in PAN‐OS 8.0 Changes to Default Behavior CLI and API Changes in PAN‐OS 8.0 Associated Software and Content Versions Previously known issues carried over from previous release notes and that were identified using legacy ID numbers (6 digits without a prefix) are now assigned new issue ID numbers that also include product‐specific prefixes. Known Issues PAN‐OS 8.0.0 Addressed Issues Getting Help © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Notes • 3 Features Introduced in PAN‐OS 8.0 PAN‐OS 8.0 Release Information Features Introduced in PAN‐OS 8.0 The following topics describe the new features introduced in the PAN‐OS® 8.0 release. This release requires Content Release version 655 or later. For information about upgrading to PAN‐OS 8.0 and for details on how to use the new features, refer to the PAN‐OS 8.0 New Features Guide. Management Features Panorama Features Content Inspection Features WildFire Features Authentication Features User‐ID Features App‐ID Features Decryption Features Virtualization Features Networking Features GlobalProtect Features 4 • PAN‐OS 8.0 Release Notes © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Information Features Introduced in PAN‐OS 8.0 Management Features New Management Feature Description Administrator‐Level Commit and Revert You can now commit, validate, preview, save, and revert changes that you made in a Panorama or firewall configuration independent of changes that other administrators have made. This simplifies your configuration workflow because you don't have to coordinate commits with other administrators when your changes are unrelated to theirs, or worry about reverting changes other administrators made that weren't ready. NetFlow Support for PA‐7000 Series Firewalls PA‐7000 Series firewalls now have the same ability as other Palo Alto Networks firewalls to export NetFlow records for IP traffic flows to a NetFlow collector. This gives you more comprehensive visibility into how users and devices are using network resources. PA‐7000 Series Firewall Log Forwarding to Panorama You can now forward logs from PA‐7000 Series firewalls to Panorama for improved log retention, which helps you meet regulatory requirements for your industry as well as your internal log archival requirements. Selective Log Forwarding Based on Log Attributes To enable your organization to process and respond to incident alerts more quickly, you can now create custom log forwarding filters based on any log attributes. Instead of forwarding logs based only on severity levels, you can forward just the information that various teams in your organization want to monitor or act on. For example, a security operations analyst who investigates malware incidents might be interested only in Threat logs with the type attribute set to wildfire‐virus. Action‐Oriented Log Forwarding using HTTP The firewall can now directly forward logs using HTTP/HTTPS so that you can trigger an automated action when a specific event occurs. This capability allows the firewall to integrate with external systems that provide an HTTP‐based API. And, combined with the Selective Log Forwarding Based on Log Attributes, you can now automate security workflow more efficiently, applying dynamic policy, and responding to security incidents. • Trigger an action or a workflow on a third‐party service that provides an HTTP‐based API: The firewall can now send an HTTP request as an API call. You can select the HTTP method, and customize the header, request format, and payload to trigger an action. For example, on an HA failover event, the firewall can generate an HTTP request to an IT management service to automatically create an incident report with the details in the system log. This automated workflow can help the IT infrastructure team to easily track and follow up on the issue. • Enable dynamic policy and enforcement: Tag the source or destination IP address in a log entry, register the tags to connected User‐ID agents, and take action to enforce policy at every location on your network. For example, when a Threat log indicates that the firewall has detected malware, you can tag the source or destination IP address to quarantine the malware‐infected device. Based on the tag, the IP address associated with the device becomes the member of a dynamic address group, and the Security policy rule in which the dynamic address group is referenced limits access to corporate resources until IT clears the device for use. © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Notes • 5 Features Introduced in PAN‐OS 8.0 PAN‐OS 8.0 Release Information New Management Feature Description Extended SNMP Support PAN‐OS support for Simple Network Management Protocol (SNMP) now includes the following features: • Logging statistics—Using SNMP to monitor logging statistics for firewalls and Log Collectors helps you plan improvements to your log collection architecture, evaluate the health of firewall and Panorama logging functions, and troubleshoot issues such as dropped logs. You can now monitor a broader range of logging statistics, including log rate, disk usage, retention periods, the forwarding status from individual firewalls to Panorama and external servers, and the status of firewall‐to‐Log Collector connections. • HA2 statistics and traps—Monitoring SNMP statistics and traps for the interfaces that firewalls use for high availability (HA) synchronization helps you troubleshoot and verify the health of HA functions such as state changes. You can now use an SNMP manager to monitor the dedicated HA2 interfaces of firewalls, in addition to the HA1, HA2 backup, and HA3 interfaces. Increased Storage on PA‐7000 Series Firewall To provide longer retention periods for logs on the PA‐7000 Series firewall, you can now increase the log storage capacity to 4TB by installing 2TB disks in the two RAID disk pairs (formerly only 1TB disks were supported). For log storage beyond 4TB, you can enable PA‐7000 Series Firewall Log Forwarding to Panorama, which supports up to 24TB. Panorama Features New Panorama Feature Description Log Query Acceleration Panorama has an improved log query and reporting engine to enable a significant improvement in speed when generating reports and executing queries. All logs generated after the upgrade to PAN‐OS 8.0 automatically take advantage of the improved query processing architecture. To extend the performance improvements for older logs, you can migrate the logs to the new format. Logging Enhancements on You can now create a Log Collector that runs locally on the Panorama virtual appliance. the Panorama Virtual Because the local Log Collector supports multiple virtual logging disks, you can increase Appliance log storage as needed while preserving existing logs. You can increase log storage to a maximum of 24TB for a single Panorama and up to 48TB for a high availability pair. Using a local Log Collector also enables faster report generation (see Log Query Acceleration). Increased Log Storage Capacity To provide adequate disk space for a longer log retention period, you can increase the log storage capacity on the M‐500 appliance and Panorama virtual appliance to 24TB (formerly 8TB). The M‐500 appliance now supports 2TB disks and up to 12 RAID disk pairs (formerly 1TB * 8 RAID disk pairs). In addition, the Panorama virtual appliance now supports a local Log Collector with up to 24TB of virtual disk space (see Logging Enhancements on the Panorama Virtual Appliance). 6 • PAN‐OS 8.0 Release Notes © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Information Features Introduced in PAN‐OS 8.0 New Panorama Feature Description Traps Logs on Panorama Panorama can now ingest Traps logs sent by the Traps Endpoint Security Manager using syslog over UDP,TCP, or SSL so that you can monitor security events relating to protected processes and executable files on Traps protected endpoints. You can filter on any log attribute and answer day‐to‐day operational questions such as, “How many different prevention events did a specific user trigger?”. The ability to see Traps logs in the same context as the firewall logs allows you to correlate discrete activity observed on the network and the endpoints. Correlated events help you see the overall picture across your network and the endpoints so that you can detect any risks that evade detection or take advantage of blind spots, and strengthen your security posture well before any damage occurs. Extensible Plug‐in Architecture Panorama now supports a plug‐in architecture to enable new third‐party integrations or updates to existing integrations (such as the VMware NSX integration) outside of a new PAN‐OS feature release. Panorama displays only the interface elements pertinent to the plug‐ins you install. The first implementation of this architecture enables VM‐Series NSX Integration Configuration through Panorama. Extended Support for Multiple Panorama Interfaces To support the demands for network segmentation and security in large‐scale deployments, you can now separate the management functions from the device management and log collection functions on the Panorama M‐Series appliances. The key improvements are: • Forward logs from the managed firewalls to Panorama and the Log Collectors on multiple interfaces, instead of a single interface. This change reduces the traffic load on an interface and provides flexibility in logging to a common infrastructure across different subnets without requiring changes to the network configuration and access control lists in your infrastructure. • Manage the configuration for firewalls and log collectors using multiple interfaces on Panorama. This capability simplifies the management of devices that belong to different subnets or are segmented for better security. • Deploy software and content updates to managed firewalls and log collectors using an interface of your choice. You can continue to use the management port or select a different interface for deploying updates to managed firewalls and log collectors running PAN‐OS 8.0. See Streamlined Deployment of Software and Content Updates from Panorama. The ability to separate these functions across multiple interfaces reduces the traffic on the dedicated management (MGT) port. You can now lock down the management port for administrative access to Panorama (HTTPS and SSH) and the Log Collectors (SSH) only; by default Collector Group communication is enabled on the management port but you can assign a different port for this traffic. Device Group, Template, and Template Stack Capacity Increase Panorama now supports up to 1,024 device groups and 1,024 templates (previously 512 each), and 1,024 template stacks (previously 128). In large‐scale deployments, these capacity improvements increase administrative ease in centrally managing from Panorama and reduce the configuration exceptions and overrides that you must manage locally on individual firewalls. Streamlined Deployment of Software and Content Updates from Panorama You can now deploy software and content updates to managed devices more quickly. Instead of pushing the updates to one device at a time, Panorama now notifies firewalls and Log Collectors when updates are available and the devices then retrieve the updates in parallel. The Extended Support for Multiple Panorama Interfaces, allows you to configure a separate interface, instead of using the management (MGT) interface, for deploying content and software updates to managed devices. © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Notes • 7 Features Introduced in PAN‐OS 8.0 PAN‐OS 8.0 Release Information Content Inspection Features New Content Inspection Feature Description Credential Phishing Prevention Phishing sites are sites that attackers disguise as legitimate websites with the aim to steal user information, especially the passwords that provide access to your network. You can now identify and prevent in‐progress phishing attacks by controlling sites to which users can submit corporate credentials based on the site’s URL category. This feature integrates with User‐ID (group mapping or user mapping, depending on which method you choose to detect credentials) to enable the firewall to detect when users are attempting to submit their corporate username and or username and password and block the submission. Telemetry You can now participate in a community‐driven approach to threat prevention through telemetry. Telemetry allows your firewall to periodically collect and share information about applications, threats, and device health with Palo Alto Networks. Palo Alto Networks uses the threat intelligence collected from you and other customers to improve the quality of intrusion prevention system (IPS) and spyware signatures and the classification of URLs in PAN‐DB. For example, when a threat event triggers vulnerability or spyware signatures, the firewall shares the URLs associated with the threat with the Palo Alto Networks threat research team, so they can properly classify the URLs as malicious. Telemetry also allows Palo Alto Networks to rapidly test and evaluate experimental threat signatures with no impact to your network, so that critical threat prevention signatures can be released to all customers faster. You have full control over which data the firewall shares through telemetry, and samples of this data are available to view through your Telemetry settings. Palo Alto Networks does not share your telemetry data with other customers or third‐party organizations. Palo Alto Networks Malicious IP Address Feeds Palo Alto Networks now provides malicious IP address feeds that you can use to help secure your network from known malicious hosts on the Internet. One feed contains IP addresses verified as malicious by Palo Alto Networks, and another feed contains malicious IP addresses from reputable third‐party threat advisories. Palo Alto Networks maintains both feeds, which you can reference in Security policy rules to allow or block traffic. You can also create your own external dynamic lists based on these feeds and customize them as needed. You must have an active Threat Prevention license to view and use the Palo Alto Networks malicious IP address feeds. Enhanced Coverage for Command‐and‐Control (C2) Traffic C2 signatures—signatures that detect where a compromised system is surreptitiously communicating with an attacker’s remote server—are now generated automatically. While C2 protection is not new, previous signatures looked for an exact match to a domain name or a URL to identify a C2 host. The new, automatically‐generated C2 signatures detect certain patterns in C2 traffic, providing more accurate, timely, and robust C2 detection even when the C2 host is unknown or changes rapidly. Data Filtering Support for Data filtering is enhanced to work with third‐party, endpoint DLP solutions that populate Data Loss Prevention file properties to indicate sensitive content, enabling the firewall to enforce your DLP (DLP) Solutions policy. To better secure this confidential data, you can now create Data Filtering profiles that identify the file properties and values set by a DLP solution and then log or block the files the Data Filtering profile identifies. 8 • PAN‐OS 8.0 Release Notes © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Information Features Introduced in PAN‐OS 8.0 New Content Inspection Feature Description External Dynamic List Enhancements New enhancements provide better security, flexibility, and ease‐of‐use when working with external dynamic lists. The enhancements include the options to: • Enable Authentication for External Dynamic Lists to validate the identity of a list source and to forward login credentials for access to external dynamic lists that enforce basic HTTP authentication. • Use new Palo Alto Networks Malicious IP Address Feeds in security policy rules to block traffic from malicious IP addresses. • View the contents of an external dynamic list directly on the firewall, with the option to exclude entries or view threat intelligence associated with an entry in AutoFocus. New Scheduling Options The firewall can now check for the latest App‐ID, vulnerability protection, and for Application and Threat anti‐spyware signatures every 30 minutes or hourly, in addition to being able to check for Content Updates these updates daily and weekly. This feature enables more immediate coverage for newly‐discovered threats and strengthens safe enablement for updated and newly‐defined applications. Five‐Minute Updates for PAN‐DB Malware and Phishing URL Categories The Malware and Phishing URL categories in PAN‐DB are now updated every five minutes, based on the latest malicious and phishing sites WildFire identifies. These more frequent updates ensure that the firewall is equipped with the very latest information to detect and then block access to malicious and phishing sites. Globally Unique Threat IDs All Palo Alto Networks threat signatures now have permanent, globally unique IDs that you can use to look up threat signature information and create permanent threat exceptions: • Change the action (for example, block or alert) the firewall uses to enforce a threat signature—threat exceptions are useful if a signature is triggering false positives. • Easily check if a threat signature is configured as an exception. • Use threat IDs in the Threat Vault and AutoFocus to gain context for a threat signature. New Predefined File Blocking Profiles Two new predefined File Blocking profiles—basic file blocking and strict file blocking— have been added via content release version 653. You can use these profiles to quickly and easily apply the best practice file blocking settings to your Security policy allow rules to ensure that users are not inadvertently downloading malicious content into your network or exfiltrating sensitive data out of your network in legitimate application traffic. © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Notes • 9 Features Introduced in PAN‐OS 8.0 PAN‐OS 8.0 Release Information WildFire Features The PAN‐OS 8.0.0 release is not available for WF‐500 appliances. New WildFire Feature Description WildFire Analysis of Blocked Files The firewall now submits blocked files that match existing antivirus signatures for WildFire analysis, in addition to unknown files, so that WildFire can extract valuable information from new malware variants. Malware signatures often match multiple variants of the same malware family, and as such, block new malware variants that the firewall has never seen before. Sending these blocked malware samples for WildFire analysis allows WildFire to analyze them for additional URLs, domain names, and IP addresses that must be blocked. Since all WildFire analysis data is also available on AutoFocus, you can now use WildFire and AutoFocus together to get a more complete perspective of all threats targeting your network, improving the efficacy of your security operations, incident response, and threat intelligence functions. WildFire Phishing Verdict The new WildFire phishing verdict classifies phishing links detected in emails separately from other emailed links found to be exploits or malware. The firewall logs WildFire submissions that are phishing links to indicate that such a link has been detected in an email. With both a WildFire license and a PAN‐DB license, you can block access to phishing sites within 5 minutes of initial discovery. The WF‐500 appliance does not support the new phishing verdict, and continues to classify suspected phishing sites as malicious. 10 • PAN‐OS 8.0 Release Notes © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Information Features Introduced in PAN‐OS 8.0 Authentication Features New Authentication Feature Description SAML 2.0 Authentication The firewall and Panorama can now function as Security Assertion Markup Language (SAML) 2.0 service providers to enable single sign‐on and single logout for end users (see SAML 2.0 Authentication for GlobalProtect) and for administrators. SAML enhances the user experience by enabling a single, interactive login to provide automatic access to multiple authenticated services that are internal or external to your organization. In addition to authenticating administrator accounts that are local to the firewall and Panorama, you can use SAML to authenticate and assign roles to external administrator accounts in the identity provider (IdP) identity store. Authentication Policy and To protect your network resources from attackers, you can use the new Authentication Multi‐Factor policy to ensure all your end users authenticate when they access those resources. Authentication Authentication policy is an improved replacement for Captive Portal policy, which enforced authentication only for some users. Authentication policy has the additional benefit of enabling you to choose how many authentication challenges of different types (factors) users must respond to. Using multiple factors of authentication (MFA) is particularly useful for protecting your most sensitive resources. For example, you can force users to enter a login password and then enter a verification code that they receive by phone. This approach ensures attackers can’t invade your network and move laterally through it just by stealing passwords. If you want to spare users the hassle of responding to multiple challenges for resources that don’t need such a high degree of protection, you can also have Authentication policy rules that enforce only password or certificate authentication. The firewall makes it easy to implement MFA in your network by integrating directly with several MFA platforms (Duo v2, Okta Adaptive, and PingID) and integrating through RADIUS with all other MFA platforms. TACACS+ User Account Management To use a Terminal Access Controller Access‐Control System Plus (TACACS+) server for centrally managing all administrative accounts, you can now use Vendor‐Specific Attributes (VSAs) to manage the accounts of firewall and Panorama administrators. TACACS+ VSAs enable you to quickly reassign administrator roles and access domains without reconfiguring settings on the firewall and Panorama. Authentication Using Custom Certificates You can now deploy custom certificates to replace the predefined certificates shipped on Palo Alto Networks devices for management connections between Panorama, firewalls, and Log Collectors. By generating and deploying unique certificates for each device, you can establish a unique chain of trust between Panorama and the managed devices. You can generate these custom certificates locally or import them from an existing enterprise public key infrastructure (PKI). Panorama can manage devices in environments with a mix of predefined and custom certificates. You can also deploy custom certificates for mutual authentication between the firewall and Windows User‐ID Agent. This allows the firewall to confirm the Windows User‐ID Agent's identity before accepting User‐ID information from the agent. Deploy a custom certificate on the Windows User‐ID Agent and a certificate profile on the firewall, containing the CA of the certificate, to establish a unique trust chain between the two devices. © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Notes • 11 Features Introduced in PAN‐OS 8.0 PAN‐OS 8.0 Release Information New Authentication Feature Description Authentication for External Dynamic Lists The firewall now validates the digital certificates of SSL/TLS servers that host external dynamic lists, and, if the servers enforce basic HTTP username/password authentication (client authentication), the firewall can forward login credentials to gain access to the lists. If an external dynamic list source fails server or client authentication, the firewall does not retrieve the list and ceases to enforce policy based on its contents. These security enhancements help ensure that the firewall retrieves IP addresses, domains, or URLs from a valid source over a secure, private channel. User‐ID Features New User‐ID Feature Description Panorama and Log Collectors as User‐ID Redistribution Points You can now leverage your Panorama and distributed log collection infrastructure to redistribute User‐ID mappings in large‐scale deployments. By using the existing connections from firewalls to Log Collectors to Panorama, you can aggregate the mappings without setting up and managing extra connections between firewalls. Centralized Deployment and Management of User‐ID and TS Agents You can now use endpoint management software such as Microsoft SCCM to remotely install, configure, and upgrade multiple Windows‐based User‐ID agents and Terminal Services (TS) agents in a single operation. Using endpoint management software streamlines your workflow by enabling you to deploy and configure numerous User‐ID and TS agents through an automated process instead of using a manual login session for each agent. User Groups Capacity Increase To accommodate environments where access control for each resource is based on membership in a user group, and where the number of resources and groups is increasing, you can now reference more groups in policy (the limit varies by platform). User‐ID Syslog Monitoring The following enhancements improve the accuracy of User‐ID mappings and simplify Enhancements monitoring syslog servers for mapping information: • Automatic deletion of user mappings—To improve the accuracy of your user‐based policies and reports, the firewall can now use syslog monitoring to detect when users have logged out and then delete the associated User‐ID mappings. • Multiple syslog formats—In environments with multiple points of authentication sending syslog messages in different formats, it is now easier to monitor login and logout events because the firewall can ingest multiple formats from a syslog server aggregating from various sources. Group‐Based Reporting in Panorama now provides visibility into the activities of user groups in your network Panorama through the User Activity report, SaaS Application Usage report (see SaaS Application Visibility for User Groups), custom reports, and the ACC. Panorama aggregates group activity information from managed firewalls so that you can filter logs and generate reports for all groups. 12 • PAN‐OS 8.0 Release Notes © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Information Features Introduced in PAN‐OS 8.0 App‐ID Features New App‐ID Feature Description SaaS Application Visibility To help you monitor the assortment of SaaS applications that serve the productivity needs for User Groups of the user groups on your network and ensure the security and data integrity demands for the organization, the SaaS Application Usage PDF report now includes data on user groups. The report highlights the most used applications by user groups and presents the volume of data each user group transfers using sanctioned and unsanctioned applications. For a more granular view, you can customize the report to show application usage for a specific user group, application usage on a specific security zone, and report on application usage by multiple user groups within a security zone. In addition to the enhancements in the PDF report, you can now use the ACC to visualize SaaS activity trends on your network. The ACC includes global filters for viewing SaaS application usage based on risk rating or by the number of sanctioned and unsanctioned applications in use on your network. ALG Support for IPv6 The firewall can now safely enable Session Initiation Protocol (SIP) and Skinny Client Control Protocol (SCCP) for IPv6 and dual‐stack networks. You can safely allow these protocols without opening a wide range of ports to allow the traffic. Decryption Features New Decryption Feature Description Decryption for Elliptical Firewalls enabled to decrypt SSL traffic now decrypt SSL traffic from websites and Curve Cryptography (ECC) applications using ECC certificates, including Elliptical Curve Digital Signature Algorithm Certificates (ECDSA) certificates. As some organizations transition to using ECC certificates to take advantage of benefits such as strong keys and small certificate size, this feature ensures that you maintain visibility into and can safely enable ECC‐secured application and website traffic. Decryption for websites and applications using ECC certificates is not supported for traffic that is mirrored to the firewall; encrypted traffic using ECC certificates must pass through the firewall directly for the firewall to decrypt it. Management for Decryption Exclusions You now have increased flexibility to manage traffic excluded from decryption. New, centralized SSL decryption exclusion management enables you to both create your own custom decryption exclusions, and to review Palo Alto Networks predefined decryption exclusions in a single place: • A simplified workflow allows you to easily exclude traffic from decryption based on hostname. • The firewall does not decrypt applications that are known to break during decryption. Now, you can view these decryption exceptions directly on the firewall. Updates and additions to the Palo Alto Networks predefined decryption exclusions are delivered to the firewall in content updates and are enabled by default. Perfect Forward Secrecy (PFS) Support with SSL Inbound Inspection PAN‐OS 7.1 introduced PFS for SSL Forward Proxy decryption; now, in PAN‐OS 8.0, PFS support is extended to SSL Inbound Inspection. PFS ensures that data from sessions undergoing decryption cannot later be retrieved if server private keys are compromised. You can enforce Diffie‐Hellman key exchange‐based PFS (DHE) and elliptic curve Diffie‐Hellman (ECDHE)‐based PFS for decrypted SSL traffic. © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Notes • 13 Features Introduced in PAN‐OS 8.0 PAN‐OS 8.0 Release Information Virtualization Features New Virtualization Feature Description VM‐Series Firewall Performance Enhancements and Expanded Model Line This feature introduces improved performance, capacity, and efficiency for all VM‐Series firewalls, including three new VM‐Series models: VM‐50, VM‐500, and VM‐700. The VM‐Series model lineup now covers a wide variety of firewalls—from small optimized firewalls in resource‐constrained environments to large, high performance firewalls for deployment in a diverse range of Network Function Virtualization (NFV) use cases. You can also leverage the expanded range of VM‐Series models coupled with flexibility and per‐tenant isolation of VM‐Series models to deploy multi‐tenant solutions. • VM‐50 Firewall—A virtual firewall with an optimized compute resource footprint. This firewall is ideal for use in virtual customer premises equipment (vCPE) and high density multi‐tenancy solutions for managed security service providers (MSSP). • VM‐500 and VM‐700 Firewalls—When utilizing a larger compute resource footprint, these virtual firewalls provide high performance and capacity. The VM‐500 and VM‐700 firewalls are ideal in NFV use cases for service provider infrastructure and data center roles. • VM‐100, VM‐200, VM‐300, VM‐1000‐HV Firewalls—Existing VM‐Series models now feature increased performance, capacity, and efficiency when compared to the same compute resources in earlier release versions. This release also consolidates the VM‐200 with the VM‐100 and the VM‐1000‐HV with the VM‐300, which means that the VM‐100 and VM‐200 are now functionally identical, as are the VM‐300 and VM‐1000‐HV. In addition, VM‐Series firewall models are now distinguished by session capacity and the number of maximum effective vCPU cores (instead of only session capacity). CloudWatch Integration VM‐Series firewalls on AWS can now natively send PAN‐OS metrics to AWS CloudWatch for the VM‐Series Firewall for advanced monitoring and auto‐scaling policy decisions. The CloudWatch integration enables you to monitor the capacity, health status, and availability of the firewalls with on AWS metrics such as total number of active sessions, GlobalProtect gateway tunnel utilization, or SSL proxy utilization, so that the security tier comprising the VM‐Series firewalls can scale dynamically when your EC2 workloads scale in response to demand. Seamless VM‐Series Model Upgrade This release introduces seamless license capacity upgrades of the VM‐Series firewall. If a tenant’s requirements increase, you can upgrade the capacity to accommodate the changes with minimal traffic and operation disruption. Additionally, VM‐Series firewalls now support HA synchronization between VM‐Series firewalls of different capacities during the upgrade process. VM‐Series NSX The new Panorama VMware NSX plug‐in streamlines the process of deploying VM‐Series Integration Configuration NSX edition firewalls and eliminates the duplicate effort in defining the security‐related through Panorama configuration on both Panorama and the NSX Manager or vCenter server. Panorama now serves as the single point of configuration that provides the NSX Manager with the contextual information required to redirect traffic from the guest virtual machines to the VM‐Series firewall. When you commit the NSX configuration, Panorama generates a security group in the NSX environment for each qualified dynamic address group and Panorama pushes each steering rule generates NSX Manager. The NSX Manager uses the steering rules to redirect traffic from the virtual machines belonging to the corresponding NSX security group. 14 • PAN‐OS 8.0 Release Notes © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Information Features Introduced in PAN‐OS 8.0 New Virtualization Feature Description Support for NSX Security Tags on the VM‐Series NSX Edition Firewall The VM‐Series firewall can now dynamically tag a guest VM with NSX security tags to enable immediate isolation of compromised or infected guests. The universally unique identifier of a guest VM is now part of the Traffic and Threat logs on the firewall. By leveraging threat, antivirus, and malware detection logs on the VM‐Series firewall, NSX Manager can place guests in a quarantined security group to prevent lateral movement of the threat in the virtualized data center environment. New Serial Number The serial number format for the VM‐Series firewall now displays the name of the Format for the VM‐Series hypervisor on which the firewall is deployed so that you can consistently identify the Firewall firewalls for license management, and content and software updates. The new format is 15 characters in length, numeric for the bring your own license (BYOL) model, and alphanumeric for the Marketplace models (Bundle 1 or Bundle 2) available in public cloud environments. As part of this change, VM‐Series firewalls in AWS now support longer instance ID formats. VM‐Series Bootstrapping with Block Storage You can now bootstrap the VM‐Series firewall in ESXi, KVM, and Hyper‐V using block storage. This option provides a bootstrapping solution for environments where mounting a CD‐ROM is not supported. VM‐Series License Deactivation API Key To deactivate a VM‐Series license, you must first install a license API key on your firewall or Panorama. The deactivation API key provides an additional layer of security for communications between the Palo Alto Networks Update Server and VM‐Series firewalls and Panorama. The PAN‐OS software uses this API key to authenticate with the update and licensing servers. The API key is available through the Customer Support Portal to administrators with superuser privileges. © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Notes • 15 Features Introduced in PAN‐OS 8.0 PAN‐OS 8.0 Release Information Networking Features New Networking Feature Description Tunnel Content Inspection The firewall can now inspect the traffic content of cleartext tunnel protocols: • Generic Routing Encapsulation (GRE) • Non‐encrypted IPSec traffic (NULL Encryption Algorithm for IPSec and transport mode AH IPSec) • General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP‐U) This enables you to enforce Security, DoS Protection, and QoS policies on traffic in these types of tunnels and traffic nested within another cleartext tunnel (for example, Null Encrypted IPSec inside a GRE tunnel). You can also view tunnel inspection logs and tunnel activity in the ACC to verify that tunneled traffic complies with corporate security and usage policies. The firewall supports tunnel content inspection of GRE and non‐encrypted IPSec on all firewall models. It supports tunnel content inspection of GTP‐U on VM‐Series firewalls. The firewall is not terminating the GRE, non‐encrypted IPSec, or GTP‐U tunnel. Multiprotocol BGP The firewall now supports Multiprotocol BGP (MP‐BGP) so that a firewall enabled with BGP can advertise IPv4 multicast routes and IPv6 unicast routes (in addition to the IPv4 unicast routes it already supports) in BGP Update messages. In this way, MP‐BGP provides IPv6 connectivity for your BGP networks that use either native IPv6 or dual stack IPv4 and IPv6. For example, in a service provider environment, you can offer IPv6 service to customers. In an enterprise environment, you can use IPv6 service from service providers. You can also separate your unicast and multicast traffic so they take different paths, in case you need multicast traffic to undergo less latency or take fewer hops. Static Route Removal You can now use path monitoring to determine if a static or default route is down. If path Based on Path Monitoring monitoring to one or more monitored destinations fails, the firewall considers the static or default route down and uses an alternative route so that the traffic is not black‐holed (silently discarded). Likewise, the firewall advertises an alternative static route (rather than a failed route) for route redistribution into a dynamic routing protocol. You can enable path monitoring on static routes between routers, on static routes where a peer does not support Bidirectional Forwarding Detection (BFD), and on static routes where policy‐based forwarding (PBF) path monitoring is insufficient because it does not replace failed routes with alternative routes. IPv6 Router Advertisement for DNS Configuration To make DNS resolution easier for your IPv6 hosts, the firewall now has enhanced Neighbor Discovery (ND) so that you can provision IPv6 hosts joining the network with Recursive DNS Server (RDNSS) and DNS Search List (DNSSL) options, eliminating the need for a separate DHCPv6 server. The firewall sends IPv6 Router Advertisements with these options; thus, your IPv6 hosts are configured with: • The addresses of RDNS servers that can resolve DNS queries. • A list of the domain names (suffixes) that the DNS client appends (one at a time) to an unqualified domain name before entering the domain name into a DNS query. NDP Monitoring for Fast Device Location You can now enable Neighbor Discovery Protocol (NDP) monitoring for a dataplane interface on the firewall so that you can view the IPv6 addresses of devices on the link local network, their corresponding MAC address, and username from User‐ID (if the user of that device uses the directory service to log in). Having these three pieces of information in one place about a device that violates a security rule allows you to quickly track the device. You can also monitor IPv6 ND logs to make troubleshooting easier. 16 • PAN‐OS 8.0 Release Notes © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Information Features Introduced in PAN‐OS 8.0 New Networking Feature Description Zone Protection for Non‐IP Protocols on a Layer 2 VLAN or Virtual Wire You can now whitelist or blacklist non‐IP protocols between security zones or between interfaces within a security zone in a Layer 2 VLAN or on a virtual wire. The firewall normally passes non‐IP protocols between Layer 2 zones and between virtual wire zones; with this feature, you can now control non‐IP protocols between these zones. For example, if you don’t want legacy Windows XP hosts to discover other NetBEUI‐enabled hosts on another zone, you can configure a Zone Protection profile to blacklist NetBEUI on the ingress zone. Global and Zone Protection for Multi‐path TCP (MPTCP) Evasions You can now enable or disable Multi‐path TCP (MPTCP) globally or for each network zone. MPTCP is an extension of TCP that allows a client to simultaneously use multiple paths (instead of a single path) to connect with a destination host. MPTCP especially benefits mobile users, enabling them to maintain dual connections to both Wi‐Fi and cellular networks as they move—this improves both the resilience and quality of the mobile connection and enhances the user experience. However, MPTCP can also potentially be leveraged by attackers as part of an evasion technique. This feature provides the flexibility to enable or disable MPTCP for all firewall traffic or for individual network zones, based on the visibility, performance, and security requirements for each network zone. Zone Protection for SYN Data Payloads You can now drop TCP SYN and SYN‐ACK packets that contain data in the payload during a three‐way handshake. In case the payload is malicious—for example if it contains command and control traffic or it is being used to exfiltrate data—dropping such packets can prevent successful attacks. The TCP Fast Open option preserves the speed of a connection setup by including data in the payload of SYN and SYN‐ACK packets. The Zone Protection profile treats TCP handshakes that use the Fast Open option separately from other SYN and SYN‐ACK packets; the profile is set to allow the handshake packets if they contain a valid Fast Open cookie. Hardware IP Address Blocking When you configure the firewall with a DoS Protection policy or Vulnerability Protection profile to block packets from specific IPv4 addresses, the firewall now automatically blocks that traffic in hardware before those packets use CPU or packet buffer resources. Blocking traffic by default in hardware allows the firewall to stop DoS attacks even faster than blocking traffic in software. If the amount of attack traffic exceeds the hardware block capacity, IP blocking mechanisms in software block the excess traffic. This feature is supported on PA‐3060 firewalls, PA‐3050 firewalls, PA‐5000 Series, and PA‐7000 Series firewall models. Packet Buffer Protection Packet buffer protection allows you to protect the firewall from being impacted by single source denial of service (DoS) attacks. These attacks come from sessions or IP addresses that are not blocked by Security policy. After a session is permitted by the firewall, it can generate such a high volume of traffic that it overwhelms the firewall packet buffer and causes the firewall to appear to hang as both attack and legitimate traffic are dropped. The firewall tracks the top packet buffer consumers and gives you the ability to configure global thresholds that specify when action is taken against these sessions. After identifying a session as abusive, the firewall uses Random Early Drop (RED) as a first line of defense to throttle the offending session and then discards the session if the abuse continues. If a particular IP address creates many sessions that are discarded, the firewall blocks it. Reconnaissance Zone protection’s reconnaissance protection detects and takes action against host sweep Protection Source Address and TCP and UDP port scans. This is useful against attackers searching for vulnerabilities. Exclusion However, it can also negatively impact scanning activities, such as network security testing or fingerprinting. You can now whitelist source addresses to exclude them from reconnaissance protection. This allows you to protect your network from reconnaissance attacks while allowing legitimate monitoring tools. © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Notes • 17 Features Introduced in PAN‐OS 8.0 New Networking Feature PAN‐OS 8.0 Release Information Description IKE Peer and IPSec Tunnel The PA‐7000 Series, PA‐5000 Series, and PA‐3000 Series models now support more IKE Capacity Increases peers and IPSec tunnels than in prior releases. This is a benefit in service provider and large enterprise environments where you need to support many site‐to‐site VPN peers and IPSec VPN connections between remote sites. GlobalProtect Features New GlobalProtect Feature Description IPv6 for GlobalProtect GlobalProtect clients and satellites can now connect to portals and gateways using IPv6. This feature allows connections from clients that are in IPv6‐only environments, IPv4 only environments, or dual‐stack (IPv4 and IPv6) environments. You can tunnel IPv4 traffic over an IPv6 tunnel and the IP address pool can assign both IPv4 and IPv6 addresses. To use this feature, you must install a GlobalProtect subscription on each gateway that supports GlobalProtect clients that use IPv6 addresses. Clientless SSL VPN Clientless VPN, which provides secure remote access to common enterprise web applications that use HTML, HTML5, and JavaScript technologies, is now available in public beta. Users have the advantage of secure access from SSL‐enabled web browsers without installing GlobalProtect client software. This is useful when you need to enable partner or contractor access to applications, and to safely enable unmanaged assets, including personal devices. You can configure the GlobalProtect portal landing page to provide access to web applications based on users and user groups and also allow single‐sign on to SAML‐enabled applications. Supported operating systems are Windows, Mac, iOS, Android, Chrome, and Linux. Supported browsers are Chrome, Internet Explorer, Safari, and Firefox. This feature requires you to install a GlobalProtect subscription on the firewall that hosts the Clientless VPN from the GlobalProtect portal. Define Split Tunnels by Excluding Access Routes You can now exclude specific destination IP subnets traffic from being sent over the VPN tunnel. With this feature, you can send latency‐sensitive or high‐bandwidth‐consuming traffic outside of the VPN tunnel while all other traffic is routed through the VPN for inspection and policy enforcement by the GlobalProtect gateway. External Gateway Priority GlobalProtect can now use the geographic region of the GlobalProtect client to determine by Source Region the best external gateway. By including source region as part of external gateway selection logic, you can ensure that users connect to gateways that are preferred for their current region. This can help avoid distant connections when there are momentary fluctuations of network latency. This can also be used to ensure all connections stay within a region if desired. Internal Gateway Selection by Source IP Address GlobalProtect can now restrict internal gateway connection choices based on the source IP address of the client. In a distributed enterprise, this features allows you to have users from a branch to authenticate and send HIP reports to the firewall configured as the internal gateway for that branch as opposed to authenticating and sending HIP reports to all branches. 18 • PAN‐OS 8.0 Release Notes © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Information New GlobalProtect Feature Features Introduced in PAN‐OS 8.0 Description GlobalProtect Agent Login To simplify GlobalProtect agents and prevent unnecessary login prompts when a Enhancement username and password are not required, the panel that showed portal, username, and password is now split into two screens (one screen for the portal address and another screen for username and password). The GlobalProtect agent now displays login prompts for username and password only if this information is required. GlobalProtect automatically hides the username and password screen for authentication types—such as cookie or client certificate authentication—that do not require a username and password. Authentication Policy and Multi‐Factor Authentication for GlobalProtect You can leverage the new Authentication Policy and Multi‐Factor Authentication enhancements within GlobalProtect to support access to non‐HTTP applications that require multi‐factor authentication. GlobalProtect can now notify and prompt the user to perform the timely, multi‐factor authentication needed to access sensitive network resources. SAML 2.0 Authentication for GlobalProtect GlobalProtect portals, gateways, and clients now support SAML 2.0 Authentication. If you have chosen SAML as your authentication standard, GlobalProtect portals and gateways can act as Security Assertion Markup Language (SAML) 2.0 service providers and GlobalProtect clients can authenticate users directly to the SAML identity provider. Restrict Transparent Agent Upgrades to Internal Network Connections You can now control when transparent upgrades occur for a GlobalProtect client. With this configuration, if the user connects from outside the corporate network, the upgrade is postponed. Later, when the user connects from within the corporate network, the upgrade is activated. This feature allows you to hold the updates until users can take advantage of good network availability and high bandwidth from within the corporate network. The upgrades will not hinder users when they travel to environments with low bandwidth. © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Notes • 19 Changes to Default Behavior PAN‐OS 8.0 Release Information Changes to Default Behavior PAN‐OS and Panorama 8.0 have the following changes in default behavior: The defaults for the following TCP Settings (Device > Setup > Session > TCP Settings) have been changed in 8.0: – Drop segments without flag is now enabled by default. The corresponding CLI command, set deviceconfig setting tcp drop-zero-flag is now set to yes by default. – Drop segments with null timestamp option is now enabled by default. The corresponding CLI command, set deviceconfig setting tcp check-timestamp-option is now set to yes by default. – Forward segments exceeding TCP out-of-order queue is now disabled by default. The corresponding CLI command, set deviceconfig setting bypass-exceed-op-queue is now set to no by default. The Device > Setup > Content-ID > Content-ID Settings option to Forward segments exceeding TCP App-ID inspection queue is now disabled by default. The corresponding CLI command, set deviceconfig setting application bypass-exceed-queue is now set to no by default. By default, the firewall and Panorama no longer allow management access over TLSv1.0 connections. If you accept this default, any scripts that require management access (such as API scripts) must support TLSv1.1 or later TLS versions. To overcome the default restriction, you can configure an SSL/TLS service profile that allows TLSv1.0 and assign the profile to the interface used to access the firewall or Panorama. Authentication policy replaces Captive Portal policy. When an authentication event invokes a policy rule, the firewall now generates Authentication logs instead of Security logs. You now use the web interface instead of a CLI command to set the authentication protocol to CHAP or PAP for TACACS+ and RADIUS server profiles. To configure the management (MGT) interface on the firewall, you now select Device > Setup > Interfaces instead of Device > Setup > Management. To configure interfaces on Panorama, you now select Panorama > Setup > Interfaces instead of Panorama > Setup > Management. When adding or editing a Log Collector (Panorama > Managed Collectors), you now configure interfaces in the Interfaces tab, which replaces the Management, Eth1, and Eth2 tabs in the Collector dialog. When the Panorama virtual appliance is in Panorama mode and is deployed in a high availability (HA) configuration, you can configure both HA peers to collect logs, not just the active peer. When pushing configurations to managed firewalls or Log Collectors, Panorama now pushes the running configuration instead of the candidate configuration. Therefore, you must commit changes to Panorama before pushing the changes to firewalls or Log Collectors. Firewalls and Log Collectors now retrieve software and content updates from Panorama over port 28443 instead of Panorama pushing the updates over port 3978. To create a snapshot file for the candidate configuration, you must now select Config > Save Changes instead of Save at the top right of the web interface. The login page for the web interface displays a new Single Sign-On link. The link applies only to administrators whom you configured to authenticate through a SAML identity provider. External dynamic list changes: – When retrieving an external dynamic list from a source with an HTTPS URL, the firewall now authenticates the digital certificates of the list source. You must configure a certificate profile to authenticate the source. If the source authentication fails, the firewall stops enforcing policy based on the list contents. 20 • PAN‐OS 8.0 Release Notes © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Information – – Changes to Default Behavior In PAN‐OS 7.1, the firewall supported a maximum of 30 unique sources for external dynamic lists and enforced the maximum number even if the external dynamic list was not used in policy. Beginning in PAN‐OS 8.0, only the lists you use to enforce policy will count toward the maximum number allowed. Entries in an external dynamic list (IP addresses, domains, and URLs) now only count toward the maximum number that the firewall supports if a security policy rule references the external dynamic list. If you previously enabled WildFire forwarding on your firewall, the firewall now forwards blocked files that match existing signatures, in addition to unknown files, for WildFire analysis. The WildFire Submissions log now includes log entries for blocked files. The Action column in the WildFire Submissions log now indicates if the firewall action for a sample was allow or block. In PAN‐OS 7.1 and earlier versions, the action displayed for all samples in the WildFire Submissions log was alert. In PAN‐OS 7.1 and earlier releases, passive DNS monitoring was a setting you could enable in an Anti‐Spyware Profile. You could attach the Anti‐Spyware Profile to a policy rule and then sessions that match that rule will trigger passive DNS monitoring. Beginning in PAN‐OS 8.0, passive DNS monitoring is a global setting that you can enable through the Telemetry and Threat Intelligence feature, and when enabled, the firewall acts as a passive DNS sensor for all traffic that passes through the firewall. The firewall now uses the new service route Palo Alto Networks Services to access external services that it accessed via the service routes Palo Alto Updates and WildFire Public prior to PAN‐OS 8.0. In a Zone Protection profile for Packet Based Attack Protection, the default setting is now to drop TCP SYN and SYN‐ACK packets that contain data in the payload during a three‐way handshake. (In prior PAN‐OS releases, firewall allowed such packets.) By default, a Zone Protection profile is set to allow TCP handshake packets that use the TCP Fast Open option if they contain a valid Fast Open cookie. If you have existing Zone Protection profiles in place when you upgrade to PAN‐OS 8.0, the three default settings will apply to each profile and the firewall will act accordingly. When you use a Classified DoS Protection profile for flood protection or a Vulnerability Protection profile that is configured to Block IP addresses, the firewall will now block IP addresses in hardware first, and then in software if the hardware block list has reached its capacity. In PAN‐OS 8.0, the use of hypervisor‐assigned MAC addresses and DHCP on management interfaces are enabled on new VM‐Series firewall installations. These options are not enabled automatically when upgrading a VM‐Series firewall to PAN‐OS 8.0 from PAN‐OS 7.1 or earlier releases. The Agent > Gateways tab for GlobalProtect portal configurations is split into two separate tabs: Internal and External. Use the Internal tab to specify internal gateway settings for GlobalProtect agents and apps. Use the External tab to specify external gateway settings for GlobalProtect agents and apps. These are layout changes only—your existing PAN‐OS 7.1 configuration is preserved. The Agent > Client Settings> Network Settings tab for GlobalProtect gateway configurations is replaced with two separate tabs: IP Pools and Split Tunnel. These are layout changes only—your existing PAN‐OS 7.1 configuration is preserved. The Disable login page checkbox on the General tab for GlobalProtect portal configurations is now a Disable command in the Portal Login Page. This is a layout change only—your existing PAN‐OS 7.1 configuration is preserved. GlobalProtect has a few minor changes to menu and check box labels (refer to the table below). These are changes to wording only—your existing PAN‐OS 7.1 configuration is preserved. © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Notes • 21 Changes to Default Behavior PAN‐OS 8.0 Release Information Location PAN‐OS 7.1 Label PAN‐OS 8.0 Label The General tab for GlobalProtect portal configurations Custom Login Page Portal Login Page The General tab for GlobalProtect portal configurations Custom Help Page App Help Page The Agent > External > Add > External Gateway for GlobalProtect portal configurations If this GlobalProtect gateway can be manually selected Manual (the user can manually select this gateway) In PAN‐OS 7.1 and earlier releases, to prevent potential IP address conflicts, the GlobalProtect gateway did not assign an IP address if the local network IP address sent from the endpoint was in the same subnet as the IP address pool. Users had to configure a second IP address pool that contained addresses from a separate subnet. Beginning in PAN‐OS 8.0, when you configure only one IP address pool, GlobalProtect assigns an IP address regardless of subnet overlap. This change may cause warning messages on Windows endpoints. If you are concerned about the warning message, configure a second IP address pool. Beginning with PAN‐OS 8.0, the Verify Update Server Identity global services setting for installing content and software updates is enabled by default (Device > Setup > Services > Global). Beginning with PAN‐OS 7.1.7, to deactivate a VM‐Series license you must first install a license API key on your firewall or Panorama. For more information, see Virtualization Features. Large Receive Offload (LRO) is enable be default on the new deployments of the VM‐Series firewall for NSX or deployments upgraded to 8.0. Support for Data Plane Development Kit (DPDK) is enabled by default on the VM‐Series for KVM and ESXi. However, to take advantage of DPDK, you must install the required NIC driver on your hypervisor. DPDK support is disabled by default on the VM‐Series for AWS. The firewall does not support SSL decryption of RSA keys that are larger than 8Kb in size. You can either block connections to servers with the RSA key size greater than 8kb in the certificate or skip SSL decryption for such connections in Objects > Decryption Profile. To block such connections, check SSL Forward Proxy > Unsupported Mode Checks > Block sessions with unsupported cipher suites. Leave Block sessions with unsupported cipher suites unchecked to skip decrypting such connections. 22 • PAN‐OS 8.0 Release Notes © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Information CLI and API Changes in PAN‐OS 8.0 CLI and API Changes in PAN‐OS 8.0 PAN‐OS 8.0 has changes to existing CLI commands, which also affect corresponding PAN‐OS XML API requests. If you have a script or application that uses these requests, run corresponding CLI commands in debug mode to view the corresponding XML API syntax. Operational commands are preceded by a greater‐than sign (>), while configuration commands are preceded by a hash (#). An asterisk (*) indicates that related commands in the same hierarchy have also changed. The operational command to clear User‐ID mappings for all IP addresses or a specific IP address has changed: – PAN‐OS 7.1 and earlier releases: > clear user-cache [all | ip] – PAN‐OS 8.0 release: > clear ipuser-cache [all | ip] With Authentication policy replacing Captive Portal policy, related CLI commands have changed: – PAN‐OS 7.1 and earlier releases: > show running captive-portal-policy > test cp-policy-match * # show rulebase captive-portal * # set import resource max-cp-rules <0-4000> # set rulebase captive-portal * # set shared admin-role <name> role device webui policies captive-portal-rulebase <enable|read-only|disable> # set import resource max-cp-rules <0-4000> – PAN‐OS 8.0 release: > show running authentication-policy > test authentication-policy-match * # show rulebase authentication * # set import resource max-auth-rules <0-4000> # set rulebase authentication rules * # set shared admin-role <name> role device webui policies authentication-rulebase <enable|read-only|disable> # set import resource max-auth-rules <0-4000> The User‐ID commands to clear user mappings from the dataplane have changed: – PAN‐OS 7.1 and earlier releases: > clear uid-gids-cache uid <1-2147483647> > clear uid-gids-cache all – PAN‐OS 8.0 release: > clear uid-cache uid <1-2147483647> > clear uid-cache all © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Notes • 23 CLI and API Changes in PAN‐OS 8.0 PAN‐OS 8.0 Release Information With the introduction of decryption for Elliptical Curve Cryptography (ECC) Certificates, the following CLI command has been replaced with two algorithm‐specific commands: – PAN‐OS 7.1 and earlier releases: # set deviceconfig setting ssl-decrypt fwd-proxy-server-cert-key-size <0|1024|2048> – PAN‐OS 8.0 release: # set deviceconfig setting ssl-decrypt fwd-proxy-server-cert-key-size-rsa <0|1024|2048> # set deviceconfig setting ssl-decrypt fwd-proxy-server-cert-key-size-ecdsa <0|256|384> With the introduction of IPv6 support in GlobalProtect, the following CLI commands have been replaced with two protocol‐specific commands: – PAN‐OS 7.1 and earlier releases: # set global-protect global-protect-portal <name> portal-config local-address ip <value> – PAN‐OS 8.0 release: # set global-protect global-protect-portal <name> portal-config local-address ip ipv4 <value> # set global-protect global-protect-portal <name> portal-config local-address ip ipv6 <value> – PAN‐OS 7.1 and earlier releases: # set global-protect global-protect-portal <name> portal-config local-address floating-ip <value> – PAN‐OS 8.0 release: # set global-protect global-protect-portal <name> portal-config local-address floating-ip ipv4 <value> # set global-protect global-protect-portal <name> portal-config local-address floating-ip ipv6 <value> With new support for malicious IP address feeds, related CLI commands have changed to support IP addresses, URLs, and domains: – PAN‐OS 7.1 and earlier releases: # set external-list <name> * – PAN‐OS 8.0 release: # # # # set set set set external-list external-list external-list external-list <name> <name> <name> <name> type type type type ip * predefined-ip * domain * url * CLI commands related to SafeNet Network HSM (formerly Luna SA) now reflect the new name: – PAN‐OS 7.1 and earlier releases: # show deviceconfig system hsm-settings provider safenet-luna-sa * # set deviceconfig system hsm-settings provider safenet-luna-sa * – PAN‐OS 8.0 release: # show deviceconfig system hsm-settings provider safenet-network * # set deviceconfig system hsm-settings provider safenet-network * 24 • PAN‐OS 8.0 Release Notes © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Information With the introduction of selective log forwarding based on log attributes, you must now specify the name of a custom‐filter match list in related CLI commands: – PAN‐OS 7.1 and earlier releases: # # # # # # # # – show shared log-settings system * set shared log-settings system * show shared log-settings config * set shared log-settings config * show shared log-settings hipmatch * set shared log-settings hipmatch * show shared log-settings profiles <name> * set shared log-settings profiles <name> * PAN‐OS 8.0 release: # # # # # # # # CLI and API Changes in PAN‐OS 8.0 show shared log-settings system match-list * set shared log-settings system match-list * show shared log-settings config match-list * set shared log-settings config match-list * show shared log-settings hipmatch match-list * set shared log-settings hipmatch match-list * show shared log-settings profiles <name> match-list * set shared log-settings profiles <name> match-list * CLI commands related to configuring the User‐ID agent must now include “host‐port”: – PAN‐OS 7.1 and earlier releases: # # # # # # – set set set set set set user-id-agent user-id-agent user-id-agent user-id-agent user-id-agent user-id-agent <name> <name> <name> <name> <name> <name> host <ip/netmask>|<value> port <1-65535> ntlm-auth <yes|no> ldap-proxy <yes|no> collectorname <value> secret <value> <name> <name> <name> <name> <name> <name> host-port host-port host-port host-port host-port host-port PAN‐OS 8.0 release: # # # # # # set set set set set set user-id-agent user-id-agent user-id-agent user-id-agent user-id-agent user-id-agent © Palo Alto Networks, Inc. host <ip/netmask>|<value> port <1-65535> ntlm-auth <yes|no> ldap-proxy <yes|no> collectorname <value> secret <value> PAN‐OS 8.0 Release Notes • 25 Associated Software and Content Versions PAN‐OS 8.0 Release Information Associated Software and Content Versions The following minimum software and content versions are supported with PAN‐OS 8.0 releases: Palo Alto Networks Software or Content Release Version Minimum Supported Version with PAN‐OS 8.0 Panorama 8.0.0 User‐ID Agent 8.0.0 Terminal Services (TS) Agent 8.0.0 GlobalProtect Agent 4.0 Applications and Threat Content Release Version 655 Antivirus Content Release Version 2137 26 • PAN‐OS 8.0 Release Notes © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Information Known Issues Known Issues The following table describes known issues in the PAN‐OS 8.0 release. For recent updates to known issues for a given PAN‐OS release, refer to https://live.paloaltonetworks.com/t5/Articles/Critical‐Issues‐Addressed‐in‐PAN‐OS‐Releases/ta‐p/52882. Issue ID Description — Upgrading a PA‐200 or PA‐500 firewall to PAN‐OS 8.0 can take 30‐60 minutes to complete. Ensure uninterrupted power to your firewall throughout the upgrade process. — Panorama 8.0 does not currently support management of appliances running WildFire 7.1 or earlier releases. Even though these management options are visible on the Panorama 8.0 web interface (Panorama > Managed WildFire Clusters and Panorama > Managed WildFire Appliances), making changes to these settings for appliances running WildFire 7.1 or earlier releases has no effect. ATF‐2661 If you launch an AutoFocus search for an artifact on the firewall through the AutoFocus Intelligence Summary and your preferred scope setting in AutoFocus is set to Public Samples, AutoFocus incorrectly displays no search results. Workaround: In the AutoFocus window you just launched, view the search results for All Samples, and then switch back to My Samples. The My Samples tab then displays the correct search results. GPC‐2742 If you configure GlobalProtect portals and gateways to use client certificates and LDAP as two factors of authentication, Chromebook users that are running Chrome OS 47 or later versions can encounter excessive prompts to select a client certificate. Workaround: To prevent excessive prompts, configure a policy to specify the client certificate in the Google Admin console and deploy that policy to your managed Chromebooks: GPC‐1737 © Palo Alto Networks, Inc. 1. Log in to the Google Admin console (https://admin.google.com) and select Device management > Chrome management > User settings. 2. In the Client Certificates section, enter the following URL pattern to Automatically Select Client Certificate for These Sites: {""pattern"": ""https://[*.]"", ""filter"":{}} 3. Click Save. The Google Admin console deploys the policy to all devices within a few minutes. By default, the GlobalProtect app adds a route on iOS mobile devices that causes traffic to the GP‐100 GlobalProtect Mobile Security Manager to bypass the VPN tunnel. Workaround: To configure the GlobalProtect app on iOS mobile devices to route all traffic—including traffic to the GP‐100 GlobalProtect Mobile Security Manager—to pass through the VPN tunnel, perform the following tasks on the firewall hosting the GlobalProtect gateway (Network > GlobalProtect > Gateways > <gateway-config> > Agent > Client Settings > <client-settings-config> > Network Settings > Access Route): • Add ""0.0.0.0/0"" as an access route. • Enter the IP address for the GlobalProtect Mobile Security Manager as an additional access route. PAN‐OS 8.0 Release Notes • 27 Known Issues PAN‐OS 8.0 Release Information Issue ID Description GPC‐1517 For the GlobalProtect app to access an MDM server through a Squid proxy, you must add the MDM server SSL access ports to the proxy server allow list. For example, if the SSL access port is 8443, add acl SSL_ports port 8443 to the allow list. WF500‐1584 When using a web browser to view a WildFire Analysis Report from a firewall that is using a WF‐500 appliance for file sample analysis, the report may not appear until the browser downloads the WF‐500 certificate. This issue occurs after upgrading a firewall and the WF‐500 appliance to a PAN‐OS 6.1 or later release. Workaround: Browse to the IP address or hostname of the WF‐500 appliance, which will temporarily download the certificate into the browser. For example, if the IP address of the WF‐500 is 10.3.4.99, open a browser and enter https://10.3.4.99. You can then access the report from the firewall by selecting Monitor > WildFire Submissions, clicking log details, and then clicking the WildFire Analysis Report tab. PAN‐73879 You cannot clone the strict file blocking profile in PAN‐OS 8.0; however, cloning the basic file blocking profile (or any other Security Profile types) works as expected. PAN‐73363 After you enable reporting and filtering on groups, Panorama still displays no results when you filter logs or generate reports based on user groups. The workaround is to access the Panorama CLI and run the debug software restart process reportd operational command. PAN‐73316 When a GlobalProtect user first logs in with a RADIUS authentication profile, the Domain-UserName appears as user@domain (instead of domain\user) in the PAN‐OS web interface. Workaround: Once a HIP report is generated, the username format is normalized and updated to the correct format. PAN‐73307 When you use the ACC tab to view Tunnel Activity and you Jump to Logs, the Tunnel Inspection logs display tunnel as the tunnel type. Workaround: Remove tunnel type from the query in tunnel logs. PAN‐73254 After you install the VMware NSX plugin on Panorama in a high availability (HA) deployment, Panorama does not automatically synchronize configuration changes between the HA peers unless you first update settings related to the NSX plugin. Workaround: Configure the NSX settings and commit your changes to Panorama. PAN‐73207 If the firewall integrates with Okta Adaptive as the multi‐factor authentication (MFA) vendor, you cannot use push notification as an authentication factor. PAN‐73168 If the PAN‐OS Web Interface and the GlobalProtect portal that hosts clientless VPN applications are configured to share the same FQDN, you can get a “400 Bad Request” error message from your browser when you try to access the PAN‐OS Web Interface. Workaround: Best practice is to configure separate FQDNs for the PAN‐OS Web Interface and the GlobalProtect portal that hosts clientless VPN applications. As a short‐term fix, clear the browser cache or close all browser windows and then open a separate browser window to log in to the PAN‐OS web interface. PAN‐73006 When logging rates are high, the App Scope Change Monitor and Network Monitor reports sometimes display no data when you filter by Source or Destination IP addresses. The App Scope Summary report also might not display data for the Top 5 Bandwidth Consuming Source and Top 5 Threats when logging rates are high. 28 • PAN‐OS 8.0 Release Notes © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Information Known Issues Issue ID Description PAN‐72861 When you configure a PA‐7000 Series firewall to perform tunnel‐in‐tunnel inspection, which includes GRE keep‐alive packets (Policies > Tunnel Inspection > Inspection > Inspect Options), and you run the clear session all CLI command while traffic is traversing a tunnel, the firewall temporarily drops tunneled packets. PAN‐72843 If you commit a configuration that enables clientless VPN on multiple GlobalProtect portals using different DNS proxies, the commit fails. Workaround: Restart the firewall data plane and repeat the configuration commit. PAN‐72402 If you configure a BGP IPv6 aggregate address with an Advertise Filter consisting of both a prefix filter and a next‐hop filter, the firewall advertises only the aggregate address and not the specific routes covered by the Advertise Filter. The workaround is to remove the next‐hop filter; then the firewall advertises both the aggregate address and the more specific routes. This issue applies only to routes learned from another BGP peer; the behavior is as expected for locally‐injected routes. PAN‐71833 For a TACACS+ authentication profile, the output of the test authentication authentication-profile CLI command intermittently displays authentication/authorization failed for user even though the administrator can successfully log in to the web interface or CLI using the same credentials as were specified in the test command. PAN‐71765 Deactivating a VM‐Series firewall from Panorama completes successfully but the web interface does not update to show that deactivation is complete. Workaround: View deactivation status from Managed Devices (Panorama > Managed Devices). PAN‐71556 MAC address table entries with a time‐to‐live (TTL) value of 0 are not removed as expected, which results in a table that continually grows larger in size. PAN‐71329 Local users and user groups created under Shared (all virtual systems) are not available to be part of the user‐to‐application mapping for GlobalProtect Clientless VPN applications (Clientless VPN > Applications on the GlobalProtect Portal). Workaround: Create users and user groups under Vsys for multiple virtual systems. For single virtual systems (like VM), users and user groups are created under Shared and are not configurable for Clientless VPN applications. PAN‐71271 During the process of migrating logs to the new log storage format in PAN‐OS 8.0 (using the CLI command request logdb migrate lc serial-number <serial_number> start), older existing logs might be lost if the logging disks on a Log Collector are close to maximum capacity. PAN‐71215 Deactivating a VM‐Series firewall from Panorama fails when Panorama is configured to Verify Update Server Identity (Panorama > Setup > Services > Verify Update Server Identity) and this setting is disabled on the firewall (Device > Setup > Services); this failure causes the firewall to become unreachable. Workaround: Ensure that you configure both Panorama and the VM‐Series firewall to Verify Update Server Identity before you deactivate the firewall. PAN‐70906 If the PAN‐OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out from the GlobalProtect portal, the administrative user is logged out from the PAN‐OS web interface as well. This issue is compounded when the portal is configured for GlobalProtect Clientless VPN because it can increase the number of users who access the portal. Workaround: Use the IP address to access the PAN‐OS web interface and a FQDN to access the GlobalProtect portal. © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Notes • 29 Known Issues PAN‐OS 8.0 Release Information Issue ID Description PAN‐70353 Clientless VPN does not work if you configure the GlobalProtect portal that hosts the Clientless VPN on an interface configured to use the DHCP Client. Workaround: Configure the interface to use static IP addresses. PAN‐70323 Firewalls running in FIPS‐CC mode do not allow import of SHA‐1 CA certificates even when the private key is not included; instead, firewalls display the following error: Import of <cert name> failed. Unsupported digest or keys used in FIPS-CC mode. PAN‐70046 A standard browser 404 error displays when you try to use GlobalProtect Clientless VPN without the correct content update. Workaround: Clientless VPN requires you to install a GlobalProtect subscription on the firewall that hosts the Clientless VPN from the GlobalProtect portal. You also need the GlobalProtect Clientless VPN dynamic updates to use this feature. PAN‐70027 The output of the show object registered-IP all command does not include the Source of IP tag (service profile name and ID). PAN‐70023 Authentication using auto‐filled credentials intermittently fails when you access an application using GlobalProtect Clientless VPN. Workaround: Manually enter the credentials. PAN‐69505 When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error. PAN‐69340 When you use a license authorization code (capacity license or a bundle) to bootstrap a VM‐Series firewall, the capacity license is not applied. This issue occurs because the firewall does not reboot after the license is applied. Workaround: Use the request restart software CLI command or reboot the firewall manually to activate session capacity for a VM‐Series firewall. PAN‐69141 On PA‐7000 Series firewalls and on Panorama log collectors, log collection processes consume excess memory and do not process logs as expected. This issue occurs when DNS response times are slow and scheduled reports contain fields that require DNS lookups. Workaround: Use the debug management-server report-namelookup disable CLI command to disable DNS lookups for reporting purposes. PAN‐67987 The GlobalProtect agent fails to connect using a client cert if the intermediate CA is signed using the ECDSA hash algorithm. PAN‐67971 When you configure an endpoint running a GlobalProtect agent 3.x release to use a fully‐qualified domain name (FQDN) to connect to a dual‐stack PAN‐OS 8.0 gateway, the firewall incorrectly displays an IPv6 address instead of an IPv4 address for the connection. Workaround: Use GlobalProtect agent 4.0 to connect to PAN‐OS 8.0. PAN‐66531 Fixed an issue where the Commit Scope column in the Commit window was empty after manually uploading and installing a content update and then committing. Although the content update was not listed under Commit Scope, the commit continued and showed 100% complete. PAN‐66122 Tunnel content inspection is not supported in a virtual‐system‐to‐virtual‐system topology. 30 • PAN‐OS 8.0 Release Notes © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Information Known Issues Issue ID Description PAN‐63611 On Panorama, when you generate a custom report or the SaaS Application Usage report on demand (Run Now), the report may be incomplete if you have a large dataset. To generate the report successfully, try the following workarounds. Workaround Option 1: Reduce the scope of the report. You can either limit the time period or the dataset (volume of logs) for the report. For example, in the SaaS Application Usage report, clear the Include detailed application category information in report check box or generate the report for a selected user group or zone instead of on all users and zones. Option 2: Increase the timeout for generating reports. Use the following CLI command on Panorama and each Log Collector in your DLC architecture: set reportd timeout <value in seconds> The default timeout is 1200 seconds but you can increase it to a maximum of 5 hrs (18000 seconds). PAN‐63274 When tunnel content inspection is configured for traffic in a shared gateway topology (the firewall has multiple virtual systems), inner flow sessions installed on DP1 fail. Also, when networking devices behind the shared gateway initiate traffic, that traffic doesn't reach the networking devices behind the virtual systems. PAN‐63207 Fixed an issue on PA‐7000 Series firewalls where group mappings did not populate when the group include list was pushed from Panorama. PAN‐62820 If you use the Apple Safari browser in Private Browsing mode to request a service or application that requires multi‐factor authentication (MFA), the firewall does not redirect you to the service or application even after authentication succeeds. PAN‐62513 Fixed an issue on PA‐7000 Series firewalls in an active/passive HA configuration where the "show high‐availability path‐monitoring" command always shows NPC slot 1; even though the path monitoring IP address was assigned to an interface in a different NPC slot. This occurred only when the path monitoring IP address was assigned to an interface in an aggregate interface group and the interface group was in a slot other than slot 1. PAN‐62453 Entering vSphere maintenance mode on a VM‐Series firewall without first shutting down the Guest OS for the agent VMs causes the firewall to shut down abruptly and causes issues that persist after the firewall is powered on again. Refer to Issue 1332563 in the VMware release notes: https://www.vmware.com/support/pubs/nsx_pubs.html. Workaround: VM‐Series firewalls are Service Virtual Machines (SVMs) pinned to ESXi hosts and should not be migrated. Before you enter vSphere maintenance mode, use the VMware tools to ensure a graceful shutdown of the VM‐Series firewall. PAN‐61840 The show global-protect-portal statistics CLI command is not supported. PAN‐61284 Fixed an issue where User‐ID consumed a large amount of memory when the firewall experienced a high rate of incoming IP address‐to‐username mapping data and there were more than ten redistribution client firewalls at the same time. PAN‐59124 Objects > Custom Objects > Data Patterns provides predefined patterns (Pattern Type > Predefined Pattern), such as social security numbers and credit card numbers, to check for in the incoming file types that you specify. The firewall no longer supports checking for these predefined patterns in GZIP and ZIP files. © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Notes • 31 Known Issues PAN‐OS 8.0 Release Information Issue ID Description PAN‐58872 The automatic license deactivation workflow for firewalls with direct internet access does not work. Workaround: Use the request license deactivate key features <name> mode manual CLI command to Deactivate a Feature License or Subscription Using the CLI. To Deactivate a VM, choose Complete Manually (instead of Continue) and follow the steps to manually deactivate the VM. PAN‐57215 Fixed an issue where an HTTP 416 error appeared when trying to download updates to a client from an IBM BigFix update server. PAN‐56217 You cannot configure multiple DNS proxy objects that specify for the firewall to listen for DNS requests on the same interface (Network > DNS Proxy > Interfaces). If multiple DNS proxy objects are configured with the same interface, only the first DNS proxy object settings are applied. Workaround: If there are DNS proxy objects configured with the same interface, you must modify the DNS proxy objects so that each object specifies unique interfaces: • To modify a DNS proxy object that specifies only one interface, delete the DNS proxy object and reconfigure the object with an interface that is not shared among any other objects. • To modify a DNS proxy object configured with multiple interfaces, delete the interface that is shared with other DNS proxy objects, click OK to save the modified object, and then Commit. PAN‐55825 Performing an AutoFocus remote search that is targeted to a PAN‐OS firewall or Panorama does not work correctly when the search condition contains a single or double quotation mark. PAN‐55437 High availability (HA) for VM‐Series firewalls does not work in AWS regions that do not support the signature version 2 signing process for EC2 API calls. Unsupported regions include AWS EU (Frankfurt) and Korea (Seoul). PAN‐55203 When you change the reporting period for a scheduled report, such as the SaaS Application Usage PDF report, the report can have incomplete or no data for the reporting period. Workaround: If you need to change the reporting period for any scheduled report, create a new report for the desired time period instead of modifying the time period on an existing report. PAN‐54254 In Traffic logs, the following session end reasons for Captive Portal or a GlobalProtect SSL VPN tunnel indicated the incorrect reason for session termination: decrypt-cert-validation, decrypt-unsupport-param, or decrypt-error. PAN‐53825 For the VM‐Series NSX edition firewall, when you add or modify an NSX service profile zone on Panorama, you must perform a Panorama commit and then perform a Device Group commit with the Include Device and Network Templates option selected. To successfully redirect traffic to the VM‐Series NSX edition firewall, you must perform both a Template and a Device Group commit when you modify the zone configuration to ensure that the zones are available on the firewall. PAN‐53663 When you open the SaaS Application Usage report (Monitor > PDF Reports > SaaS Application Usage) on multiple tabs in a browser, each for a different virtual system (vsys), and you then attempt to export PDFs from each tab, only the first request is accurate; all successive attempts will result in PDFs that are duplicates of the first report. Workaround: Export only one PDF at a time and wait for that export process to finish before you trigger the next export request. 32 • PAN‐OS 8.0 Release Notes © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Information Known Issues Issue ID Description PAN‐53601 Panorama running on an M‐500 appliance cannot connect to a SafeNet Network or Thales Nshield Connect hardware security module (HSM). PAN‐51969 On the NSX Manager, when you unbind an NSX Security Group from an NSX Security Policy rule, the dynamic tag and registered IP address are updated on Panorama but are not sent to the VM‐Series firewalls. Workaround: To push the Dynamic Address Group updates to the VM‐Series firewalls, you must manually synchronize the configuration with the NSX Manager (Panorama > VMware Service Manager and select NSX Config-Sync). PAN‐51952 If a security group overlap occurs in an NSX Security policy where the same security group is weighted with a higher and a lower priority value, the traffic may be redirected to the wrong service profile (VM‐Series firewall instance). This issue occurs because an NSX Security policy with a higher weight does not always take precedence over a policy with a lower weight. Workaround: Make sure that members that are assigned to a security group are not overlapping with another Security group and that each security group is assigned to a unique NSX Security policy rule. This allows you to ensure that NSX Security policy does not redirect traffic to the wrong service profile (VM‐Series firewall). PAN‐51870 When using the CLI to configure the management interface as a DHCP client, the commit fails if you do not provide all four DHCP parameters in the command. For a successful commit when using the set deviceconfig system type dhcp-client command, you must include each of the following parameters: accept-dhcp-domain, accept-dhcp-hostname, send-client-id, and send-hostname. PAN‐51869 Canceling pending commits does not immediately remove them from the commit queue. The commits remain in the queue until PAN‐OS dequeues them. PAN‐51673 BFD sessions are not established between two RIP peers when there are no RIP advertisements. Workaround: Enable RIP on another interface to provide RIP advertisements from a remote peer. PAN‐51216 The NSX Manager fails to redirect traffic to the VM‐Series firewall when you define new Service Profile zones for NSX on Panorama. This issue occurs intermittently on the NSX Manager when you define security rules to redirect traffic to the new service profiles that are available for traffic introspection and results in the following error: Firewall configuration is not in sync with NSX Manager. Conflict with Service Profile Oddhost on service (Palo Alto Networks NGFW) when binding to host<name>. PAN‐51181 A Palo Alto Networks firewall, M‐100 appliance, or WF‐500 appliance configured to use FIPS operational mode fails to boot when rebooting after an upgrade to PAN‐OS 7.0 or later releases. Workaround: Enable FIPS and Common Criteria support on all Palo Alto Networks firewalls and appliances before you upgrade to a PAN‐OS 7.0 or later release. PAN‐51122 For the VM‐Series firewall, if you manually reset a heartbeat failure alarm on the vCenter server to indicate that the VM‐Series firewall is healthy (change color to green), the vCenter server does not trigger a heartbeat failure alarm again. © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Notes • 33 Known Issues PAN‐OS 8.0 Release Information Issue ID Description PAN‐50651 On PA‐7000 Series firewalls, one data port must be configured as a log card interface because the traffic and logging capabilities of this platform exceed the capabilities of the management port. A log card interface performs WildFire file‐forwarding and log forwarding for syslog, email, and SNMP and these services require DNS support. If you set up a custom service route for the firewall to perform DNS queries, services using the log card interface might not be able to generate DNS requests. This is only an issue if you’ve configured the firewall to use a service route for DNS requests and, in this case, you must perform a workaround to enable communication between the firewall dataplane and the log card interface. Workaround: Enable DNS Proxy on the firewall and do not specify an interface for the DNS proxy object to use (ensure that Network > DNS Proxy > Interface is not configured). PAN‐50641 Enabling or disabling BFD for BGP or changing a BFD profile that a BGP peer uses causes BGP to flap. PAN‐50038 When you enable jumbo frames from the CLI on a VM‐Series firewall in AWS, the maximum transmission unit (MTU) size on the interfaces does not increase. The MTU on each interface remains at a maximum value of 1500 bytes. PAN‐48565 The VM‐Series firewall on Citrix SDX does not support jumbo frames. PAN‐48456 IPv6‐to‐IPv6 Network Prefix Translation (NPTv6) is not supported when configured on a shared gateway. PAN‐47969 If you log in to Panorama as a Device Group and Template administrator and you rename a device group, the Panorama > Device Groups page no longer displays any device groups. Workaround: After you rename a device group, perform a commit, log out, and log back in; the page then displays the device groups with the updated values. PAN‐47073 Web pages using the HTTP Strict Transport Security (HSTS) protocol do not always display properly for end users. Workaround: End users must import an appropriate forward‐proxy‐certificate for their browsers. PAN‐46344 When you use a Mac OS Safari browser, client certificates will not work for Captive Portal authentication. Workaround: On a Mac OS system, instruct end users to use a different browser (for example, Mozilla Firefox or Google Chrome). PAN‐45793 On a firewall with multiple virtual systems, if you add an authentication profile to a virtual system and give the profile the same name as an authentication sequence in Shared, reference errors occur. The same errors occur if the profile is in Shared and the sequence with the same name is in a virtual system. Workaround: When creating authentication profiles and sequences, always enter unique names, regardless of their location. For existing authentication profiles and sequences with similar names, rename the ones that are currently assigned to configurations (for example, a GlobalProtect gateway) to ensure uniqueness. PAN‐44616 On the ACC > Network Activity tab, if you add the label Unknown as a global filter, the filter gets added as A1 and query results display A1 instead of Unknown. PAN‐44400 The link on a 1Gbps SFP port on a VM‐Series firewall deployed on a Citrix SDX server does not come up when successive failovers are triggered. This behavior is only observed in a high availability (HA) active/active configuration. Workaround: Use a 10Gbps SFP port instead of the 1Gbps SFP port on the VM‐Series firewall deployed on a Citrix SDX server. 34 • PAN‐OS 8.0 Release Notes © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Information Known Issues Issue ID Description PAN‐44300 WildFire analysis reports cannot be viewed on firewalls running PAN‐OS 6.1 release versions if connected to a WF‐500 appliance in Common Criteria mode that is running PAN‐OS 7.0 or later releases. PAN‐43000 Vulnerability detection of SSLv3 fails when SSL decryption is enabled. This occurs when you attach a Vulnerability Protection profile (that detects SSLv3—CVE‐2014‐3566) to a Security policy rule and that Security policy rule and an SSL Decryption policy rule are configured on the same virtual system in the same zone. After performing SSL decryption, the firewall sees decrypted data and no longer sees the SSL version number. In this case, the SSLv3 vulnerability is not identified. Workaround: SSL Decryption Enhancements were introduced in PAN‐OS 7.0 that enable you to prohibit the inherently weaker SSL/TLS versions, which are more vulnerable to attacks. For example, you can use a Decryption Profile to enforce a minimum protocol version of TLS 1.2 or you can Block sessions with unsupported versions to disallow unsupported protocol versions (Objects > Decryption Profile > SSL Decryption > SSL Forward Proxy and/or SSL Inbound Inspection). PAN‐41558 When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third‐party IPSec clients, such as StrongSwan. Workaround: Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third‐party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third‐party IPSec traffic. PAN‐40842 When you configure a firewall to retrieve a WildFire signature package, the System log shows unknown version for the package. For example, after a scheduled WildFire package update, the system log shows: WildFire package upgraded from version <unknown version> to 38978-45470. This is a cosmetic issue only and does not prevent the WildFire package from installing. PAN‐40714 If you access Device > Log Settings on a device running a PAN‐OS 7.0 or later release and then use the CLI to downgrade the device to a PAN‐OS 6.1 or earlier release and reboot, an error message appears the next time you access Log Settings. This occurs because PAN‐OS 7.0 and later releases display Log Settings in a single page whereas PAN‐OS 6.1 and earlier releases display the settings in multiple sub‐pages. To clear the message, navigate to another page and return to any Log Settings sub‐page; the error will not recur in subsequent sessions. PAN‐40130 In the WildFire Submissions logs, the email recipient address is not correctly mapped to a username when configuring LDAP group mappings that are pushed in a Panorama template. PAN‐40079 The VM‐Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass‐through functionality. PAN‐40075 The VM‐Series firewall on KVM running on Ubuntu 12.04 LTS does not support PCI pass‐through functionality. PAN‐39728 The URL logging rate is reduced when HTTP header logging is enabled in the URL Filtering profile (Objects > Security Profiles > URL Filtering > URL Filtering profile > Settings). © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Notes • 35 Known Issues PAN‐OS 8.0 Release Information Issue ID Description PAN‐39636 Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M‐Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report. For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on‐demand reports include all data within the specified Time Frame. Workaround: To generate an on‐demand report, click Run Now when you configure the custom report. PAN‐39501 Unused NAT IP address pools are not cleared after a single commit, so a commit fails if the combined cache of unused pools, existing used pools, and new pools exceeds the memory limit. Workaround: Commit a second time, which clears the old pool allocation. PAN‐38584 Configurations pushed from Panorama 6.1 and later releases to firewalls running PAN‐OS 6.0.3 or earlier PAN‐OS 6.0 releases will fail to commit due to an unexpected Rule Type error. This issue is caused by the Rule Type setting in Security policy rules that was not included in the upgrade transform and, therefore, the new rule types are not recognized on devices running PAN‐OS 6.0.3 or earlier releases. Workaround: Only upgrade Panorama to version 6.1 or later releases if you are also planning to upgrade all managed firewalls running PAN‐OS 6.0.3 or an earlier PAN‐OS 6.0 release to a PAN‐OS 6.0.4 or later release before pushing a configuration to the devices. PAN‐38255 If you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart management-server CLI command. PAN‐37511 Due to a limitation related to the Ethernet chip driving the SFP+ ports, PA‐5050 and PA‐5060 firewalls will not perform link fault signaling as standardized when a fiber in the fiber pair is cut or disconnected. PAN‐37177 After deploying the VM‐Series firewall, when the firewall connects to Panorama, you must issue a Panorama commit to ensure that Panorama recognizes the firewall as a managed device. If you reboot Panorama without committing the changes, the firewall will not connect back to Panorama; although the device group will display the list of devices, the device will not display in Panorama > Managed Devices. Further, if Panorama is configured in an HA configuration, the VM‐Series firewall is not added to the passive Panorama peer until the active Panorama peer synchronizes the configuration. During this time, the passive Panorama peer will log a critical message: vm-cfg: failed to process registration from svm device. vm-state: active. This message is logged until you commit the changes on the active Panorama, which then initiates synchronization between the Panorama HA peers and the VM‐Series firewall is added to the passive Panorama peer. Workaround: To reestablish the connection to the managed devices, commit your changes to Panorama (click Commit and select Commit Type: Panorama). In case of an HA setup, the commit will initiate the synchronization of the running configuration between the Panorama peers. PAN‐37127 On the Panorama web interface, the Policies > Security > Post Rules > Combined Rules Preview window does not display post rules and local rules for managed devices. PAN‐37044 Live migration of the VM‐Series firewall is not supported when you enable SSL decryption using the SSL forward proxy method. Use SSL inbound inspection if you need support for live migration. 36 • PAN‐OS 8.0 Release Notes © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Information Known Issues Issue ID Description PAN‐36730 When deleting the VM‐Series deployment, all VMs are deleted successfully; however, sometimes a few instances still remain in the datastore. Workaround: Manually delete the VM‐Series firewalls from the datastore. PAN‐36728 In some scenarios, traffic from newly added guests or virtual machines is not steered to the VM‐Series firewall even when the guests belong to a Security Group and are attached to a Security Policy that redirects traffic to the VM‐Series firewall. Workaround: Reapply the Security Policy on the NSX Manager. PAN‐36727 The VM‐Series firewall fails to deploy with an error message: Invalid OVF Format in Agent Configuration. Workaround: Use the following command to restart the ESX Agent Manager process on the vCenter Server: /etc/init.d/vmware-vpxd tomcat-restart. PAN‐36433 If a high availability (HA) failover occurs on Panorama at the time that the NSX Manager is deploying the VM‐Series NSX edition firewall, the licensing process fails with the error: vm-cfg: failed to process registration from svm device. vm-state: active. Workaround: Delete the unlicensed instance of the VM‐Series firewall on each ESXi host and then redeploy the Palo Alto Networks next‐generation firewall service from the NSX Manager. PAN‐36409 When viewing the Session Browser (Monitor > Session Browser), using the global refresh option (top right corner) to update the list of sessions causes the Filter menu to display incorrectly and clears any previously selected filters. Workaround: To maintain and apply selected filters to an updated list of sessions, click the green arrow to the right of the Filters field instead of the global (or browser) refresh option. PAN‐36394 When the datastore is migrated for a guest, all current sessions are no longer steered to the VM‐Series firewall. However, all new sessions are secured properly. PAN‐36393 When deploying the VM‐Series firewall, the Task Console displays Error while enabling agent. Cannot complete the operation. See the event log for details. This error displays even on a successful deployment. You can ignore the message if the VM‐Series firewall is successfully deployed. PAN‐36333 The Service dialog for adding or editing a service object in the web interface displays the incorrect port range for both source and destination ports: 1-65535. The correct port range is 0-65535 and specifying port number 0 for either a source or destination port is successful. PAN‐36289 If you deploy the VM‐Series firewall and then assign the firewall to a template, the change is not recorded in the bootstrap file. Workaround: Delete the Palo Alto Networks NGFW Service on the NSX Manager, and verify that the template is specified on Panorama > VMware Service Manager, register the service, and re‐deploy the VM‐Series firewall. PAN‐36088 When an ESXi host is rebooted or shut down, the functional status of the guests is not updated. Because the IP address is not updated, the dynamic tags do not accurately reflect the functional state of the guests that are unavailable. PAN‐36049 The vCenter Server/vmtools displayed the IP Address for a guest incorrectly after vlan tags were added to an Ethernet port. The display did not accurately show the IP addresses associated with the tagged Ethernet port and the untagged Ethernet port. This issue was seen on some Linux OS versions such as Ubuntu. © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Notes • 37 Known Issues PAN‐OS 8.0 Release Information Issue ID Description PAN‐35903 When you edit a traffic introspection rule (to steer traffic to the VM‐Series firewall) on the NSX Manager, an invalid (tcp) port number error—or invalid (udp) port number error—displays when you remove the destination (TCP or UDP) port. Workaround: Delete the rule and add a new one. PAN‐35875 When defining traffic introspection rules (to steer traffic to the VM‐Series firewall) on the NSX Manager, either the source or the destination for the rule must reference the name of a Security Group; you cannot create a rule from any to any Security Group. Workaround: To redirect all traffic to the VM‐Series firewall, you must create a Security Group that includes all the guests in the cluster. Then you can define a security policy that redirects traffic from and to the cluster so that the firewall can inspect and enforce policy on the east‐west traffic. PAN‐35874 Duplicate packets are being steered to the VM‐Series firewall. This issue occurs if you enable distributed vSwitch for steering in promiscuous mode. Workaround: Disable promiscuous mode. PAN‐34966 On a VM‐Series NSX edition firewall, when adding or removing a Security Group (Container) that is bound to a Security Policy, Panorama does not get a dynamic update of the added or removed Security Group. Workaround: On Panorama > VMware Service Manager, click Synchronize Dynamic Objects to initiate a manual synchronization to get the latest update. PAN‐34855 On a VM‐Series NSX edition firewall, Dynamic Tags (update) do not reflect the actual IP address set on the guest. This issue occurs because the vCenter Server cannot accurately view the IP address of the guest. PAN‐33316 Adding or removing ports on the SDX server after deploying the VM‐Series firewall can cause a configuration mismatch on the firewall. To avoid the need to reconfigure the interfaces, consider the total number of data ports that you require on the firewall and assign the relevant number of ports on the SDX server when deploying the VM‐Series firewall. For example, if you assign ports 1/3 and 1/4 on the SDX server as data interfaces on the VM‐Series firewall, the ports are mapped to eth1 and eth2. If you then add port 1/1 or 1/2 on the SDX server, eth1 will be mapped to 1/1 or 1/2, eth2 will be mapped to 1/3 and eth3 to1/4. If ports 1/3 and 1/4 were set up as a virtual wire, this remapping will require you to reconfigure the network interfaces on the firewall. PAN‐31832 The following issues apply when configuring a firewall to use a hardware security module (HSM): • Thales nShield Connect—The firewall requires at least four minutes to detect that an HSM has been disconnected, causing SSL functionality to be unavailable during the delay. • SafeNet Network—When losing connectivity to either or both HSMs in a high availability (HA) configuration, the display of information from the show ha-status or show hsm info command is blocked for 20 seconds. PAN‐31593 After you configure a Panorama M‐Series appliance for HA and synchronize the configuration, the Log Collector of the passive peer cannot connect to the active peer until you reboot the passive peer. PAN‐29441 The Panorama virtual appliance does not write summary logs for traffic and threats as expected after you enter the ""clear log"" command. Workaround: Reboot Panorama management server (Panorama > Setup > Operations) to enable summary logs. 38 • PAN‐OS 8.0 Release Notes © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Information Known Issues Issue ID Description PAN‐29411 In some configurations, when you switch context from Panorama and access the web interface of a managed device, you are unable to upgrade the PAN‐OS software image. Workaround: Use the Panorama > Device Deployment > Software tab to deploy and install the software image on the managed device. PAN‐29385 You cannot configure the management IP address on an M‐100 appliance while it is operating as the secondary passive peer in an HA pair. Workaround: To set the IP address for the management interface, you must suspend the active Panorama peer, promote the passive peer to active state, change the configuration, and then reset the active peer to active state. PAN‐29053 By default, the hostname is not included in the IP header of syslog messages sent from the firewall. However, some syslog implementations require this field to be present. Workaround: Enable the firewall to include the IP address of the firewall as the hostname in the syslog header by selecting Send Hostname in Syslog (Device > Setup). PAN‐28794 If a Panorama Log Collector MGT port is configured with an IPv4 address and you want to have only an IPv6 address configured, you can use the Panorama web interface to configure the new IPv6 address but you cannot use Panorama to remove the IPv4 address. Workaround: Configure the MGT port with the new IPv6 address and then apply the configuration to the Log Collector and test connectivity using the IPv6 address to ensure that you do not lose access when you remove the IPv4 address. After you confirm the Log Collector is accessible using the IPv6 address, go to the CLI on the Log Collector and remove the IPv4 address (using the delete deviceconfig system ip-address command) and then commit your changes. PAN‐25101 If you add a Decryption policy rule that instructs the firewall to block SSL traffic that was not previously being blocked, the firewall will continue to forward the undecrypted traffic. Workaround: Use the debug dataplane reset ssl-decrypt exclude-cache command to clear the SSL decrypt exclude cache. PAN‐25046 SSH host keys used for SCP log export are stored in the known hosts file on the firewall. In a high availability (HA) configuration, the SCP log export configuration is synchronized with the peer device, but the known host file is not synchronized. When a failover occurs, the SCP log export fails. Workaround: Log in to each peer in HA and Test SCP server connection to confirm the host key so that SCP log forwarding continues to work after a failover. PAN‐23732 When you use Panorama templates to schedule a log export (Device > Scheduled Log Export) to an SCP server, you must log in to each managed device and Test SCP server connection after the template is pushed. The connection is not established until the firewall accepts the host key for the SCP server. PAN‐20656 Attempts to reset the master key from the web interface (Panorama > Master Key and Diagnostics) or the CLI on Panorama will fail. However, this should not cause a problem when pushing a configuration from Panorama to a device because it is not necessary for the keys to match. © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Notes • 39 Known Issues PAN‐OS 8.0 Release Information Issue ID Description PAN‐20162 If a client PC uses RDP to connect to a server running remote desktop services and the user logs in to the remote server with a different username, when the User‐ID agent queries the Active Directory server to gather user to IP mapping from the security logs, the second username will be retrieved. For example, if UserA logs in to a client PC and then logs in to the remote server using the username for UserB, the security log on the Active Directory server will record UserA, but will then be updated with UserB. The username UserB is then picked up by the User‐ID agent for the user to IP mapping information, which is not the intended user mapping. 40 • PAN‐OS 8.0 Release Notes © Palo Alto Networks, Inc. PAN‐OS 8.0.0 Addressed Issues The following tables lists the issues that are fixed in the PAN‐OS® 8.0.0 release. For new features, associated software versions, known issues, and changes in default behavior in PAN‐OS 8.0 releases, see PAN‐OS 8.0 Release Information. Issue ID Description PAN‐72346 Fixed an issue where exporting botnet reports failed with the following error: “Missing report job id. PAN‐72242 Fixed an issue where configuring a source address exclusion in Reconnaissance Protection tab under zone protection profile was not allowed. PAN‐71892 Fixed an issue where an LDAP profile did not use the configured port; the profile used the default port, instead. PAN‐71615 Fixed an issue where the intrazone block rule shadowed the universal rule that has different source and destination zones. PAN‐71307 Fixed an issue where the scp stats-dump report did not run correctly because source (src) and destination (dst) options were determined to be invalid arguments. PAN‐71192 Fixed an issue where performing a log query or log export with a specific number of logs caused the management server to stop responding. This occurred only when the number of logs was a multiple of 64 plus 63. For example, 128 is a multiple of 64 and if you add 63 to 128 that equals 191 logs. In this case, if you performed a log query or export and there were 191 logs, the management server would stop responding. PAN‐70483 Fixed an issue on an M‐Series appliance in Panorama mode where shared service groups did not populate in the service pull down when attempting to add a new item to a security policy. The issue occurred when the drop down contained 5,000 or more entries. PAN‐70323 Fixed an issue where firewalls running in FIPS‐CC mode did not allow import of SHA‐1 CA certificates even when the private key was not included; instead, firewalls displayed the following error: Import of <cert name> failed. Unsupported digest or keys used in FIPS-CC mode. PAN‐70057 Fixed an issue where running the validate option on a candidate configuration in Panorama caused changes to the running configuration on the managed device. The configuration change occurred after a subsequent FQDN refresh occurred. PAN‐69951 Fixed an issue where the firewall failed to forward system logs to Panorama when the dataplane was under severe load. PAN‐69235 Fixed an issue where committing a configuration with a large number of layer 3 subinterfaces (4,000 in this case) caused the dataplane to stop responding. PAN‐69194 Fixed an issue where performing a device group commit from a Panorama server running version 7.1 to a managed firewalls running PAN‐OS 6.1 failed to commit when the custom spyware profile action was set to Drop. With this fix, Panorama translates the action from Drop to Drop packets for firewalls running PAN‐OS 6.1, which allows the device group commit to succeed. © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Notes • 41 PAN‐OS 8.0.0 Addressed Issues Issue ID Description PAN‐68873 Fixed an issue where customizing the block duration for threat ID 40015 in a Vulnerability Protection profile did not adhere to the defined block interval. For example, if you set Number of Hits (SSH hello messages) to 3 and per seconds to 60, after three consecutive SSH hello messages from the client, the firewall failed to block the client for the full 60 seconds. PAN‐68766 Fixed an issue where navigating to the IPSec tunnel configuration in a Panorama template caused the Panorama management web interface to stop responding and displayed a "502 Bad Gateway" error. PAN‐68658 Fixed an issue where handling out‐of‐order TCP FIN packets resulted in dropped packets due to TCP reassembly that was out‐of‐sync. PAN‐68654 Fixed an issue where the firewall was not populating User‐ID mappings based on the defined syslog filters. PAN‐68034 The show netstat CLI command was removed in the 7.1 release for Panorama, Panorama log collector, and WildFire. With this fix, the show netstat command is reintroduced. PAN‐67987 Fixed an issue where the GlobalProtect agent failed to connect using a client certificate if the intermediate CA is signed using the ECDSA hash algorithm. PAN‐67944 Fixed an issue where a process (all_pktproc) stopped responding because a race condition occurred when closing sessions. PAN‐67639 Fixed an issue where Auth Password and Priv Password for the SNMPv3 server profile were not properly masked when viewing the configuration change in the configuration log. PAN‐67599 In PAN‐OS 7.0 and 7.1, a restriction was added to prevent an administrator from configuring OSPF router ID 0.0.0.0. This restriction is removed in PAN‐OS 8.0. PAN‐67224 Fixed an issue where the firewall displayed a validation error after Panorama imported the firewall configuration and then pushed the configuration back to the firewall so it could be managed by Panorama. This issue occurred because log forwarding profiles were not replaced with the profiles configured in Panorama. With this fix, Panorama will properly remove the existing configuration on the managed firewall before applying the pushed configuration. PAN‐67090 Fixed an issue where the web interface displayed an obsolete flag for the nation of Myanmar. PAN‐66675 Fixed an issue where extended packet captures were consuming an excessive amount of storage space in /opt/panlogs. PAN‐66104 Fixed an issue where vsys‐specific custom response pages (Captive portal, URL continue, and URL override) did not display; they were replaced by shared response pages, instead. PAN‐64981 Fixed an issue where an internal buffer could be overwritten, causing the management plane to stop responding. PAN‐64723 Fixed an issue where the test authentication CLI command was incorrectly sending vsys‐specific information to the User‐ID process for group‐mapping query that allowed the authentication test to succeed when it should have failed. PAN‐64638 Fixed an issue where the firewall failed to send a RADIUS access request after changing the IP address of the management interface. PAN‐64579 Error message is now displayed when installing apps package manually from file on passive Panorama. 42 • PAN‐OS 8.0 Release Notes © Palo Alto Networks, Inc. PAN‐OS 8.0.0 Addressed Issues Issue ID Description PAN‐64520 Fixed an issue where H.323‐based video calls failed when using source NAT (dynamic or static) due to incorrect translation of the destCallSignalAddress payload in the H.225 call setup. PAN‐64436 Fixed an issue where creation of IGMP sessions failed due to a timeout issue. PAN‐64419 Fixed an issue where firewall displays inconsistent shadow rule warnings during a commit for QOS policies. PAN‐64081 Fixed an issue on PA‐5000 Series firewalls where the dataplane stopped responding due to a race condition during hardware offload. PAN‐63969 Fixed an issue where an SSH sessions running on a non‐standard port was categorized by URL filtering as unknown, causing the firewall to block the traffic. With this fix, the firewall will no longer perform a URL lookup on SSH traffic that is not decrypted. PAN‐63925 Fixed an issue where the firewall did not generate a log when a content update failed or was interrupted. PAN‐63908 Fixed an issue where SSH sessions subject to URL category lookup were handled incorrectly even though SSH decryption was not enabled. With this fix, SSH traffic is not subject to URL category lookup when SSH decryption is disabled. PAN‐63612 Fixed an issue where User activity reports on Panorama did not include any entries when there was a space in the Device Group name. PAN‐63520 Fixed an issue where the wrong source zone was used when logging vsys‐to‐vsys sessions. PAN‐63054 Fixed an issue on VM‐Series firewalls where enabling software QoS resulted in dropped packets under heavy traffic conditions. With this fix, VM‐Series firewalls no longer drop packets due to heavy loads with software QoS enabled and software QoS performance in general is improved for all Palo Alto Networks firewalls. PAN‐63013 Fixed an issue where a commit validation error displayed when pushing a template configuration with a modified WildFire file‐size setting. With this fix, commit validation takes place on the managed firewall that tries to commit new template values. PAN‐62937 Fixed an issue where, when TLS was enabled, establishing an LDAP connection over a slow or unstable connection caused commits to fail. With this fix, if TLS is enabled, the firewall does not attempt to establish LDAP connections when you perform a commit; it waits until after the commit is complete. PAN‐62797 Fixed an issue where a process (cdb) intermittently restarted, which prevented jobs from completing successfully. PAN‐62057 Fixed an issue where the GlobalProtect agent failed to authenticate using a client certificate that had a signature algorithm that was not SHA1/SHA256. With this fix, the firewall provides support for the SHA384 signature algorithm for client‐based authentication. PAN‐61877 Fixed an issue where Authentication Override in the GlobalProtect portal configuration didn't work when the certificate used for encrypting and decrypting cookies was generated using RSA 4,096 bit keys. PAN‐61871 Fixed an issue where the firewall matched traffic to a URL category and on first lookup, which caused some traffic to be matched to the wrong security profile. With this fix, the firewall matches traffic to URL categories a second time to ensure that traffic is matched to the correct security profile. © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Notes • 43 PAN‐OS 8.0.0 Addressed Issues Issue ID Description PAN‐61837 Fixed an issue on PA‐3000 Series and PA‐5000 Series firewalls where the dataplane stopped responding when a session crossed vsys boundaries and could not find the correct egress port. This issue occurred when zone protection was enabled with a SYN Cookies action (Network > Zone Protection > Flood Protection). PAN‐61813 Fixed an issue where a custom scheduled report configured per device was empty when exported. PAN‐61797 Fixed an issue on the passive peer in an HA configuration where LACP flapped when the link state was set to shutdown/auto and pre‐negotiation was disabled. PAN‐61465 Fixed an issue where the web interface (Objects > Decryption Profile > SSL Decryption > SSL Protocol Settings > Encryption Algorithms) still displayed the 3DES encryption algorithm as enabled even after you disabled it. PAN‐61365 Fixed an issue where data filtering logs (Monitor > Logs > Data Filtering) do not take into account the file direction (upload or download) so it was not possible to differentiate uploaded files from downloaded files in the logs. With this fix, you configure the file direction (upload, download, or both) in Objects > Security Profiles > Data Filtering and select the Direction column in Monitor > Logs > Data Filtering to view the file direction in the logs. PAN‐61252 Fixed an issue on firewalls in an HA active/active configuration where the floating IP address was not active on the secondary firewall after the link went down on the primary firewall. PAN‐60753 Fixed an issue where changing the RSA key from a 2,048‐bit key to a 1,024‐bit key forced the encryption algorithm to change from SHA256 to SHA1 for SSL forward proxy decryption. PAN‐60581 Added check to not include all the applications in the Application filter if no application category is selected by the user. User have to explicitly add all the categories to create an application filter with all the applications. PAN‐60577 Added check in the Application Filter UI to not allow user to create or save an application filter without any application category selected by the user. PAN‐60556 Added support in the certificate profile to also configure a non CA certificate as an additional certificate to verify the OCSP response received for certificate status validation. The OCSP Verify CA field in the certificate profile has been changed to OCSP Verify Certificate. PAN‐60402 Fixed an issue where renaming an address object caused the commit to a Device Group to fail. PAN‐60340 Fixed an issue where the Panorama application database did not display all applications in the browser. PAN‐60035 An enhancement to alleviate Dynamic IP NAT translation conflict between different Packet Processors (PP) and thus to improve DIP NAT pool utilization. PAN‐59676 Fixed an issue where custom admin role user is unable to download dynamic updates / software releases PAN‐59654 Fixed an issue where commits failed on the firewall after upgrading from one release (such as PAN‐OS 6.1) to another (such as PAN‐OS 7.0) due to a problem with cached files on the firewall. With this fix, upgrading from PAN‐OS 7.1 (or earlier releases) to PAN‐OS 8.0 replaces the cached files with new files that do not cause commit failures. 44 • PAN‐OS 8.0 Release Notes © Palo Alto Networks, Inc. PAN‐OS 8.0.0 Addressed Issues Issue ID Description PAN‐58636 Fixed an issue where the Device Server on the Firewall stopped responding. PAN‐58496 Fixed an issue where custom reports using threat summary were not populated. PAN‐58382 Fixed an issue where users were matched to the incorrect security policies. PAN‐57529 Fixed an issue where the firewall acted as a DHCP relay and wireless devices on a VLAN did not receive a DHCP address (all other devices on the VLAN did receive a DHCP address). With this fix, all devices on a VLAN receive a DHCP address when the firewall acts as a DHCP relay. PAN‐57440 Fixed an issue where OSPFv3 link‐state updates were sent with the incorrect OSPF checksum when the OSPF packet needed to advertise more link‐state advertisements (LSAs) than fit into a 1,500‐byte packet. With this fix, the firewall sends the correct OSPF checksum to neighboring switches and routers even when the number of LSAs doesn’t fit into a 1,500‐byte packet. PAN‐56700 Fixed an issue where the SNMP OID "ifHCOutOctets" did not contain the expected data. PAN‐50973 Fixed an issue for VM‐Series firewalls on Microsoft Hyper‐V where, although the FIPS‐CC mode option was visible in the maintenance mode menu, you could not enable it. With this fix, FIPS‐CC mode is supported for and can be enabled from the maintenance mode menu in VM‐Series firewalls on Microsoft Hyper‐V. © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Notes • 45 PAN‐OS 8.0.0 Addressed Issues 46 • PAN‐OS 8.0 Release Notes © Palo Alto Networks, Inc. Getting Help The following topics provide information on where to find more about this release and how to request support: Related Documentation Requesting Support Related Documentation Refer to the following PAN‐OS 8.0 documentation on the Technical Documentation portal or search the documentation for more information on our products: New Features Guide—Detailed information on configuring the features introduced in this release. PAN‐OS Administrator's Guide—Provides the concepts and solutions to get the most out of your Palo Alto Networks next‐generation firewalls. This includes taking you through the initial configuration and basic set up on your Palo Alto Networks firewalls. Panorama Administrator's Guide—Provides the basic framework to quickly set up the Panorama™ virtual appliance or an M‐Series appliance for centralized administration of the Palo Alto Networks firewalls. WildFire Administrator's Guide—Provides steps to set up a Palo Alto Networks firewall to forward samples for WildFire™ Analysis, to deploy the WF‐500 appliance to host a WildFire private or hybrid cloud, and to monitor WildFire activity. VM‐Series Deployment Guide—Provides details on deploying and licensing the VM‐Series firewall on all supported hypervisors. It includes example of supported topologies on each hypervisor. GlobalProtect Administrator's Guide—Describes how to set up and manage GlobalProtect™. Online Help System—Detailed, context‐sensitive help system integrated with the firewall web interface. Open Source Software (OSS) Listings—OSS licenses used with Palo Alto Networks products and software: – PAN‐OS 8.0 – Panorama 8.0 – WildFire 8.0 © Palo Alto Networks, Inc. PAN‐OS 8.0 Release Notes • 47 Getting Help Requesting Support For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html. To provide feedback on the documentation, please write to us at: [email protected]. Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 https://www.paloaltonetworks.com/company/contact‐support Palo Alto Networks, Inc. www.paloaltonetworks.com © 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. Revision Date: January 31, 2017 48 • PAN‐OS 8.0 Release Notes © Palo Alto Networks, Inc.
advertisement
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download PDF
advertisement