
PAN-OS Release Notes

PAN OS 7.0 RN Feature Details


PAN-OS 7.0 Release Notes

Release 7.0.15

Revision Date: April 28, 2017

Review important information about Palo Alto Networks PAN-OS 7.0 software, including new features introduced, workarounds for open issues, and issues that are addressed in the PAN-OS 7.0 release. For installation, upgrade, and downgrade instructions, refer to the PAN-OS 7.0 New Features Guide. For the latest version of these release notes, refer to the Palo Alto Networks technical documentation portal.

The Panorama certificate used to authenticate Panorama-to-firewall communication expires on June 16, 2017. Review the most current information about how to make sure you can continue using Panorama to manage firewalls and to aggregate firewall logs on Log Collectors after June 16, 2017: https://live.paloaltonetworks.com/t5/GeneralTopics/PanoramaCertificateExpirationonJune162017/mp/150948/threadid/50050. (Physical and virtual firewalls, WF-500 appliances, and M-500 appliances running in PAN-DB mode do not require any action.)

Table of Contents

PAN-OS 7.0 Release Information
  Features Introduced in PAN-OS 7.0
    Management Features
    Panorama Features
    WildFire Features
    Content Inspection Features
    Authentication Features
    Decryption Features
    User-ID Features
    Virtualization Features
    Networking Features
    Policy Features
    VPN Features
    GlobalProtect Features
    Licensing Features
  Changes to Default Behavior
    Authentication Changes
    GlobalProtect Changes
    Management Changes
    Panorama Changes
    Threat Prevention Changes
    WildFire Changes
  CLI Changes in PAN-OS 7.0
  XML API Changes in PAN-OS 7.0
  Associated Software Versions
  Known Issues
PAN-OS 7.0.15 Addressed Issues
PAN-OS 7.0.14 Addressed Issues
PAN-OS 7.0.13 Addressed Issues
PAN-OS 7.0.12 Addressed Issues
PAN-OS 7.0.11 Addressed Issues
PAN-OS 7.0.10 Addressed Issues
PAN-OS 7.0.9 Addressed Issues
PAN-OS 7.0.8 Addressed Issues
PAN-OS 7.0.7 Addressed Issues
PAN-OS 7.0.6 Addressed Issues
PAN-OS 7.0.5-h2 Addressed Issues
PAN-OS 7.0.5 Addressed Issues
PAN-OS 7.0.4 Addressed Issues
PAN-OS 7.0.3 Addressed Issues
PAN-OS 7.0.2 Addressed Issues
PAN-OS 7.0.1 Addressed Issues
Getting Help
  Related Documentation
  Requesting Support

Palo Alto Networks, Inc. PAN-OS 7.0 Release Notes
PAN-OS 7.0 Release Information

• Features Introduced in PAN-OS 7.0
• Changes to Default Behavior
• CLI Changes in PAN-OS 7.0
• XML API Changes in PAN-OS 7.0
• Associated Software Versions
• Known Issues
• PAN-OS 7.0.15 Addressed Issues
• PAN-OS 7.0.14 Addressed Issues
• PAN-OS 7.0.13 Addressed Issues
• PAN-OS 7.0.12 Addressed Issues
• PAN-OS 7.0.11 Addressed Issues
• PAN-OS 7.0.10 Addressed Issues
• PAN-OS 7.0.9 Addressed Issues
• PAN-OS 7.0.8 Addressed Issues
• PAN-OS 7.0.7 Addressed Issues
• PAN-OS 7.0.6 Addressed Issues
• PAN-OS 7.0.5-h2 Addressed Issues
• PAN-OS 7.0.5 Addressed Issues
• PAN-OS 7.0.4 Addressed Issues
• PAN-OS 7.0.3 Addressed Issues
• PAN-OS 7.0.2 Addressed Issues
• PAN-OS 7.0.1 Addressed Issues
• Getting Help
Features Introduced in PAN-OS 7.0

The following topics describe the new features introduced in PAN-OS 7.0 releases, which require content release version 497 or a later version. For upgrade and downgrade considerations and for specific information about the upgrade path for a firewall, refer to the Upgrade section of the PAN-OS 7.0 New Features Guide. The new features guide also provides additional information about how to use the new features in this release.

• Management Features
• Panorama Features
• WildFire Features
• Content Inspection Features
• Authentication Features
• Decryption Features
• User-ID Features
• Virtualization Features
• Networking Features
• Policy Features
• VPN Features
• GlobalProtect Features
• Licensing Features

Management Features

New Management Feature: Description

All New Application Command Center (ACC): The ACC is redesigned to provide improved visibility into network traffic and actionable information on threats. The new layout includes a tabbed view of network activity, threat activity, and blocked activity and each tab includes pertinent widgets for better visualization of traffic patterns on your network. For a personalized view of your network, you can also add a custom tab and include widgets that allow you to drill down into the information that is most important to you.

Automated Correlation Engine: The new automated correlation engine is an analytics tool that detects security events on your network. It collects isolated events across multiple log types on the firewall, queries the data for specific patterns, and correlates network events to identify actionable information such as host-based activities that indicate a compromised host.
The automated correlation engine includes correlation objects that are defined by the Palo Alto Networks Malware Research team. These objects identify suspicious traffic patterns or a sequence of events that indicate a malicious outcome; some correlation objects can identify dynamic patterns that have been observed from malware samples in WildFire. Correlation objects trigger correlation events when they match on traffic patterns and network artifacts that indicate a compromised host on your network. Thus, correlated events provide actionable intelligence that you can use to remediate incidents, mitigate risks, and secure your network. You can view the correlated event logs in the Monitor tab or see a graphical display in the Compromised Hosts widget on the Threat Activity tab of the ACC. The automated correlation engine is supported on PA-3000 Series, PA-5000 Series, PA-7000 Series platforms, and on Panorama.
New correlation objects will be delivered with the weekly content updates. To obtain new correlation objects, the firewall must have a Threat Prevention license; Panorama requires a support license for getting the correlation objects with the weekly content updates.

Global Find: To make the management of your Palo Alto Networks devices more efficient, a new global find feature is introduced to enable you to search the entire configuration of a PAN-OS or Panorama web interface for a particular string, such as an IP address, object name, policy name, threat ID, or application name. The search results are grouped by category and provide links to the configuration location in the web interface, so that you can quickly and easily find all of the places where the string is referenced. For example, if you temporarily denied an application that is defined in multiple security policy rules and you now want to allow that application, you can search on the application name and quickly locate all referenced policies to change the action back to allow.

Tag Browser: The tag browser introduces a way to view all the tags used within a rulebase. In rulebases with a large number of rules, the tag browser simplifies the display by presenting the tags, the color code, and the rule numbers in which the tags are used; it also allows you to group rules using the first tag applied to the rule. You can, for example, filter rules by the first tag applied and view the rules grouped by a high-level function such as internet access or data center access. In this grouped rule view, if you identify gaps in coverage, the tag browser allows you to move rules or add new rules within the rulebase.

Configuration Validation Improvements: The option to validate a PAN-OS or Panorama candidate configuration before you commit (to determine whether your recent changes will commit successfully) is enhanced to do syntactic and semantic validation of the configuration. It then displays the same errors and warnings as would display for a full commit or virtual system commit, such as rule shadowing or application dependency warnings, or errors indicating an invalid route destination or a missing account/password to query a server.

Move and Clone Policies, Objects, and Templates: You can now move or clone policies and objects to a different device group or virtual system. This saves you the effort of deleting, recreating, or renaming these items when only a move or copy is needed. You can also clone templates and Template Stacks.

Extended SNMP Support: Extended SNMP support includes:
• Global counters for Denial of Service (DoS), IP fragmentation, TCP state, and dropped packets, by which to monitor the health and security of your devices and network. Previously, you had to use the CLI or XML API to monitor global counters.
• SNMP Interface MIB for Logical Interfaces: The PAN-OS implementation of the interfaces and IfMIB has been extended to support all logical interfaces on the firewall, including tunnels, aggregate groups, L2 subinterfaces, L3 subinterfaces, loopback interfaces, and VLAN interfaces. This is in addition to the SNMP Interface MIB support on physical interfaces. In addition, the VPN tunnel status can now be monitored.
• LLDP-V2-MIB: Information transmitted and received from neighbors using Link Layer Discovery Protocol (LLDP) is stored for SNMP access. All MIB objects under the standard LLDP MIB definitions are supported. Neighbor entries are aged out when their TTL value contained in the received LLDP message reaches zero.

SaaS Application Usage Report: A new predefined report is introduced to provide visibility into Software as a Service (SaaS) application usage, enabling you to assess and subsequently mitigate the risks to your enterprise's data when taking advantage of SaaS applications. The report will also help to assess risks to the security of your enterprise network, such as the delivery of malware through SaaS applications adopted by your users.

Policy Impact Review for New Content Releases: Before installing a new content release, you can now review the policy impact for new App-IDs and stage any necessary policy updates. This enables you to assess the treatment an application receives both before and after the new content is installed and then prepare policy updates to take effect at the same time that the content update is installed. This feature specifically includes the capability to modify existing security policies using the new App-IDs contained in a downloaded content release (prior to installing the new content). You can then simultaneously update your security policy rules and install new content, allowing for a seamless shift in policy enforcement. You can also choose to disable new App-IDs when installing a new content release version; this enables protection against the latest threats, while giving you the flexibility to enable the new App-IDs after you've had the chance to prepare any policy changes.

Security Profile and Address Objects Per Address Group Capacity Increase: The security profile capacities and number of address objects per address group have been increased as follows:
• Security Profile Capacity: increased on all platforms by approximately 50% for the following security profiles: Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking, WildFire Analysis, Data Filtering, and Decryption. For example, the PA-7050 firewall supported 500 security profiles in PAN-OS 6.1, and now supports 750 profiles in PAN-OS 7.0.
• Address objects per address group: Increased from 500 to 2500 for all platforms.
For details on platform capacities, refer to https://www.paloaltonetworks.com/products/productselection.html.

Virtual System/Device Name in Reports and Logs: You can now view or search logs or create a report based on virtual system names and device names, which are more user-friendly attributes to use than virtual system IDs and device serial numbers. Now you do not need to manually map a virtual system name to its ID or map a device name to its serial number, to view or search logs or create reports. Virtual System Name and Device Name are added as available attributes to PAN-OS and Panorama reports and logs.

Time-Based Log and Report Deletion: You can now configure automatic deletion of logs and reports based on time instead of just on space quotas. This is useful in deployments where periodically deleting monitored data is desired or necessary. For example, deleting user data after a certain period might be mandatory in your organization for legal reasons.

Software Upload Improvements: Devices now display details about uploaded software updates that enable you to check, before installing an update, that it is the intended one. Installing uploaded software now involves fewer steps, which makes deployment easier when a device does not have external network access.

Panorama Features

New Panorama Feature: Description

Device Group Hierarchy: You can now create nested device groups in a tree hierarchy with lower-level groups inheriting the settings of higher-level groups. This enables you to organize devices based on function and location without redundant configuration. For example, you could configure Shared settings that are global to all firewalls, configure device groups with function-specific settings at the first level, and configure device groups with location-specific settings at subsequent levels. Without a hierarchy, you would have to configure both function- and location-specific settings for every device group in a single level under Shared. Combined with the Role-Based Access Control Enhancements in this release, a hierarchy also enables you to control administrator access to data according to areas/levels of responsibility.

Template Stacks: You can now define a template stack, which is a combination of templates. By assigning firewalls to a stack, you can push all the necessary settings to them without the redundancy of adding every setting to every template. For example, you could assign the firewalls in a California data center to a stack that has one template with global settings, one template with California-specific settings, and one template with data center-specific settings. To manage firewalls in a California branch office, you could then reuse the global and California-specific templates by adding them to another stack that includes a template with branch-specific settings.

Role-Based Access Control Enhancements: You can now associate each access domain with an administrator role to enforce the separation of information among the functional or regional areas of your organization. You can assign multiple access domain/role pairs to an administrator (local or external), who can then filter the Panorama web interface to display only information that is relevant to a particular domain. For custom roles, you can also define feature-specific access to firewalls (through context switching) separately from Panorama access, and provide additional access to logs and reports, so that administrators can have a broader range of responsibilities.

Firewall Configuration Import into Panorama: You can now import firewall configurations into Panorama instead of recreating them. Panorama provides the option to import objects from Shared on the firewall into Shared in Panorama, and import other objects, policies, and settings into new device groups and templates. After the import, you can Move and Clone Policies, Objects, and Templates to different device groups.

Panorama Support for Larger Configuration Files: Panorama now supports much larger configuration files, which enable you to add more information and greater complexity to individual device groups, templates, and other configurations without affecting system performance or stability. Panorama also supports a higher number of concurrent, active administrators.

Log Redundancy Within a Collector Group: You can now enable log duplication for a Collector Group so that each log will have two copies and each copy will reside on a different Log Collector. This redundancy ensures that, if any one Log Collector becomes unavailable, no logs are lost: you can still display all the logs forwarded to the Collector Group and run reports for all the log data.

Firewall HA State in Panorama: The Panorama web interface now displays the high availability state of firewalls (for example, active or passive) in places where knowing that state is useful. For example, the Context drop-down now displays HA state so that you can switch context to the active-primary firewall when you need to change the firewall configuration.

Scheduled Updates for Antivirus, WildFire, and URL Filtering on Log Collectors: In PAN-OS 7.0.3 and later releases, you can schedule Antivirus, WildFire, and URL Filtering (BrightCloud only) updates for Log Collectors using the Panorama web interface (Panorama > Device Deployment > Dynamic Updates > Schedules) or the CLI. For reporting consistency, configure scheduled content updates for all log collectors to ensure they stay in sync.

WildFire Features

New WildFire Features: Description

Grayware Verdict: The WildFire grayware verdict is introduced to clearly identify executables that behave similarly to malware but are not malicious in nature or intent. A grayware verdict might be assigned to executables that do not pose a direct security threat but display otherwise obtrusive behavior (for example, installing unwanted software, changing various system settings, or reducing system performance). Examples of grayware software typically include adware, spyware, and Browser Helper Objects (BHOs). The grayware verdict allows the security responder to quickly distinguish malicious files on the network from grayware and to prioritize accordingly. While antivirus signatures are not generated for grayware, WildFire logs can continue to alert the security responder to endpoints downloading grayware so the responder can assess whether such events are concerning.

WildFire Hybrid Cloud: Enable a WildFire hybrid cloud deployment so that a single firewall can forward unknown samples (files or email links) to either a WF-500 appliance or the WildFire public cloud, depending on the sample. This feature allows the flexibility to analyze private documents inside the network, while files sourced from the internet can be analyzed by the WildFire public cloud. For example, Payment Card Industry (PCI) and Protected Health Information (PHI) data can be exclusively forwarded to the WF-500 appliance for private cloud analysis and less sensitive files, such as Portable Executables (PEs), can be forwarded to the WildFire public cloud. When possible, offloading files to the WildFire public cloud allows you to benefit from a prompt verdict for files that have been previously processed by the public cloud and also frees up WF-500 appliance capacity to process sensitive content. Additionally, in a WildFire hybrid cloud deployment, you can use the WildFire public cloud to analyze file types that are not currently supported for WF-500 appliance analysis, such as Android Application Package (APK) files.
This feature also introduces the WildFire Analysis profile, to be used in place of the file blocking profile to forward samples for WildFire analysis. Existing File Blocking profile rules with the action set to forward or continue and forward are migrated to the new WildFire Analysis profile. For each WildFire analysis profile rule, define traffic to forward to either the WildFire private cloud or the WildFire public cloud based on file type, application, or file transfer direction (upload or download).

WildFire Appliance Support for Java Antivirus Signatures: The WildFire appliance can now locally generate antivirus signatures for malicious Java files (.jar and .class), so that malicious Java files detected by the WildFire appliance no longer have to be forwarded to the WildFire Cloud for signature generation.

WildFire Appliance Support for Email Link Analysis: The firewall can now extract HTTP/HTTPS links contained in SMTP and POP3 email messages and forward the links to the WildFire appliance for analysis (this feature was supported only for the WildFire public cloud in PAN-OS 6.1). Enable this functionality by configuring the firewall to forward the email-link file type (Objects > Security Profiles > WildFire Analysis). Note that the firewall only extracts links and associated session information (sender, recipient, and subject) from the email messages that traverse the firewall; it does not receive, store, forward, or view the email message.
After receiving an email link from a firewall, the WildFire appliance visits the link to determine if the corresponding web page hosts any exploits. If it detects malicious behavior on the page, it returns a malicious verdict and:
• Generates a detailed analysis report and logs it to the WildFire Submissions log on the firewall that forwarded the links.
• Categorizes the URL as malware and generates and distributes a signature to connected firewalls to allow them to identify and block the malware.
If the link corresponds to a file download, the WildFire appliance does not analyze the file. However, the firewall will forward the corresponding file to the WildFire appliance for analysis if the end user clicks the link to download it as long as the corresponding file type is enabled for forwarding.
The WildFire appliance does not send a log to the firewall if it determines a link to be benign or grayware, even if you enabled logging of benign or grayware files, because of the large number of logs this would generate.

Content Inspection Features

New Content Inspection Features: Description

Configurable Drop Actions in Security Profiles: The Vulnerability Protection, Anti-Spyware, and Antivirus profiles include new actions to drop or reset connections. In addition to the allow/alert/block actions within the security profile, you can now granularly define how to drop or reset connections when the firewall detects a threat. For example, to secure the Microsoft web servers on your network, you can create a rule in the Vulnerability Protection profile with an action to either drop the traffic and send a reset only to the server or drop the traffic and block the offending client IP address from creating new connections for a specified time interval.

Increased Inspection Depth for Multi-Level Compression and Encoding: The firewall now identifies and inspects files that have been encoded or compressed up to four times, where previously the firewall supported only two levels of decoding. Multiple levels of compression and encoding are frequently introduced to files based on the file format and the application used for file transfer. For example, a Microsoft Office Open XML file (.docx) that is compressed (.zip) and is sent as an email attachment has three levels of encoding: the OOXML format is one level of encoding, the compression of the file to the ZIP format is the second level of encoding, and the third level of encoding is added when the email attachment is embedded using Base64. In this case, the firewall now decodes the file, correctly identifies it as a Microsoft Word document, and performs policy enforcement including file blocking, threat inspection, and WildFire analysis.

Blocking of Encoded Content: A new file type classification, Multi-Level-Encoding, can now be used to log or block content that has been compressed or otherwise encoded to a high degree. As the firewall can now decode and inspect up to four levels of encoding (see Increased Inspection Depth for Multi-Level Compression and Encoding), the new classification can be used to block files that have been encoded five times or more. Multiple levels of encoding can be used as an evasion technique to circumvent security devices; using the Multi-Level-Encoding file type to perform file blocking ensures that unidentified files that have not been processed for threats are not passed through the firewall.

Negate Operator for Custom Threat Signatures: A new Negate operator is now available when creating custom vulnerability or spyware signatures. The Negate operator can be used to ensure that the vulnerability or spyware signature is not triggered under certain conditions. For example, create a custom signature to trigger when a Uniform Resource Identifier (URI) pattern is matched to traffic but only when the HTTP referer field is not equal to a certain value. A custom signature must include at least one positive condition for a negated condition to be specified.

PAN-DB Private Cloud: If the security and compliance requirements in your enterprise prohibit the Palo Alto Networks next-generation firewalls from directly accessing the internet for performing URL lookups, you can deploy a PAN-DB private cloud. To protect users from malware and undesirable web content, the firewalls can query the PAN-DB private cloud deployed within your network instead of accessing the PAN-DB public cloud. The PAN-DB private cloud solution ensures information privacy and does not send any data or analytics to the public cloud.

Authentication Features

New Authentication Features: Description

Authentication and Authorization Enhancements: The workflow to configure authentication servers and profiles is now more intuitive and consistent. You can also enable GlobalProtect clients to send RADIUS vendor-specific attributes to RADIUS servers so that RADIUS administrators can make policy decisions based on those attributes. For example, RADIUS administrators might use the client operating system attribute to define a policy that mandates regular password authentication for Microsoft Windows users and one-time password (OTP) authentication for Google Android users.

SSL/TLS Service Profiles: You can now assign SSL/TLS service profiles to device services that use SSL/TLS, including Captive Portal, management traffic access using the web interface or XML API, the URL Admin Override feature, the User-ID Syslog listening service, and you can assign profiles to GlobalProtect portals and gateways. SSL/TLS service profiles specify a certificate and the allowed protocol version or range of versions (now including TLSv1.2). By defining the protocol versions, the profiles enable you to restrict the cipher suites that are available to secure communication with endpoints that are requesting the services. This improves network security by allowing you to configure endpoints to avoid SSL/TLS versions that have known weaknesses.

TACACS+ Authentication: Devices now support the Terminal Access Controller Access-Control System Plus (TACACS+) protocol for authenticating administrative users. TACACS+ provides greater security than RADIUS insofar as it encrypts usernames and passwords (instead of just passwords) and is also more reliable (uses TCP instead of UDP).

Kerberos Single Sign-on: Devices now support Kerberos V5 single sign-on (SSO) for administrator authentication and Captive Portal authentication. Single sign-on minimizes the number of logins requiring user input while ensuring security for web services.

Suite B Cryptography Support: You can now use Suite B ciphers to authenticate administrators, to secure site-to-site VPN, and to secure GlobalProtect remote access and large-scale VPN (LSVPN). To secure the VPN tunnels between GlobalProtect LSVPN gateways and endpoint devices, the latter must run GlobalProtect client agent 2.2 or a later release. The new GlobalProtect IPSec Crypto profile supports Suite B encryption algorithms (and other algorithms) for LSVPN. You can use elliptic curve (ECDSA) certificates for administrator and GlobalProtect authentication. Suite B support enables you to meet U.S. federal network security standards.

Authentication Server Connectivity Testing: You can now test an authentication profile to determine if your firewall or Panorama management server can communicate with a back-end authentication server and if the authentication request was successful. You can perform authentication tests on the candidate configuration, so that you know the configuration is correct before committing. Authentication server connectivity testing is supported for local database, RADIUS, TACACS+, LDAP, and Kerberos authentication.

Decryption Features

New Decryption Features: Description

SSL Decryption Enhancements: When using SSL decryption to inspect and enforce security rules for connections between clients and destination servers, enable the following new options as increased security measures:
• Enforce the use of strong cipher suites. This includes support to specifically enforce the use of AES-128-GCM and AES-256-GCM ciphers.
• Enforce the use of minimum and maximum protocol versions.
• Enforce certificate validation on a per-policy basis (where previously, certificate validation was performed at the device level).
• Define traffic that you want to be decrypted based on TCP port numbers. This enables you to apply different decryption policies to a single server's traffic; traffic being transmitted using different protocols can receive different treatment.
• Enforce valid certificates and trusted issuers for traffic that is not decrypted, with the options to terminate an SSL session if the server certificate is expired or if the server certificate issuer is untrusted.

User-ID Features

New User-ID Feature: Description

User Attribution Based on X-Forwarded-For Headers: You can now configure User-ID to read user IP addresses from the X-Forwarded-For (XFF) header in client requests for web services when the firewall is deployed between the internet and a proxy server that would otherwise hide the user IP addresses. User-ID matches the IP addresses with usernames that your policies reference so that those policies can control and log access for the associated users and groups.

Custom Groups Based on LDAP Filters: You can now define custom groups based on LDAP filters so that you can base firewall policies on user attributes that do not match existing user groups in an LDAP-based service such as Active Directory (AD). Defining custom groups can be quicker than creating new groups or changing existing ones on the LDAP server and does not require an LDAP administrator to intervene.

Virtualization Features

New Virtualization Feature: Description

Support for High Availability on the VM-Series Firewall: The VM-Series firewall on ESXi, Xen (on SDX), and KVM now supports both Active/Passive HA and Active/Active HA with session synchronization. The VM-Series in Amazon Web Services (AWS) supports Active/Passive HA only.
In an HA configuration, you must deploy both peers on the same type of hypervisor, have identical hardware resources assigned to them, and have the same set of licenses and subscriptions.

Support for Jumbo Frames: The VM-Series firewall can now support jumbo frames, which are Ethernet packets larger than 1,500 bytes. Like with hardware-based firewalls, when you enable jumbo frames on a VM-Series firewall, the default Maximum Transmission Unit (MTU) size for all Layer 3 interfaces is set to 9,192 bytes; the MTU can range between 512 and 9,216 bytes. You can override the global MTU and configure an explicit value between 512 and 9,216 bytes on a per-interface basis.

Support for Hypervisor Assigned MAC Address: The VM-Series firewall supports the ability to detect the MAC address assigned to the physical interface by the host/hypervisor and use that MAC address on the interfaces assigned to the VM-Series firewall. In Layer 3 deployments, this capability allows a vSwitch to forward traffic to the correct interface on the firewall without requiring that promiscuous mode be enabled on the vSwitch. Hypervisor-assigned MAC addresses are also supported on PCI-passthrough and SR-IOV capable network adapters.

For licensing features on the VM-Series firewall, see Licensing Features.

Networking Features

New Networking Feature: Description

ECMP: The firewall now supports Equal Cost Multipath (ECMP). Enable ECMP for the forwarding table to have up to four equal-cost paths to a single destination, which allows you to load balance traffic, use more of the available bandwidth, and have traffic dynamically shift to another ECMP member if one path fails. You can choose one of several load-balancing algorithms to determine which equal-cost path a virtual router uses for a new session to the destination.

DHCP Options: A firewall configured as a DHCP server can now send a full range of DHCP options to clients, including vendor-specific and customized options that support a wide variety of office equipment, such as IP phones and wireless infrastructure devices. Each option code supports multiple values, which can be IP addresses, ASCII text, or hexadecimal values. With the enhanced DHCP option support enabled on the firewall, branch office administrators do not need to purchase and manage their own DHCP servers to provide vendor-specific and customized options to DHCP clients.

Granular Actions for Blocking Traffic in Security Policy: When you configure the firewall to block traffic, the firewall either resets the connection or silently drops packets. When the firewall silently drops packets, it causes some applications to break and appear unresponsive to the user. New actions to gracefully block traffic provide a better user experience. The new actions available are:
- Drop traffic silently and, optionally, send an ICMP Unreachable response to the user.
- Block traffic and, automatically, use the deny action predefined for the application. You can view the predefined deny action for an application in Applipedia.
- Reset the connection with a TCP reset on the client-side connection, on the server-side connection, or both sides of the connection.
These new actions will be logged in the Traffic logs and are available for log queries.


Session-Based DSCP Classification: Differentiated Services Code Point (DSCP) classification is used to indicate the level of service requested for traffic, such as high priority or best effort delivery. Set up session-based DSCP classification to enable the firewall to honor the service class requested for traffic and to mark a session to receive priority treatment. Session-based DSCP extends the power of Quality of Service (QoS), which polices traffic as it passes through the firewall, by allowing all network devices between the firewall and the client to also police traffic based on the DSCP value for the traffic. For example, inbound return traffic from an external server can now be treated with the same priority that the firewall initially enforced for the outbound flow. Network devices intermediate to the firewall and end user will also then enforce the same priority for the return traffic.

QoS on Aggregate Ethernet (AE) Interfaces: You can now enable QoS on AE interfaces configured on PA-7000 Series, PA-5000 Series, PA-3000 Series, PA-2000 Series, and PA-500 platforms. An AE interface is two or more interfaces linked together for combined bandwidth and link redundancy. When using AE interfaces to scale your network, enable QoS on an AE interface to prioritize, allocate, and guarantee the increased bandwidth supported on the AE interface.
Support for QoS on AE interfaces on PA-7050 firewalls began in PAN-OS 6.0.

Improved Performance for a Single VPN Tunnel: In deployments where a single VPN tunnel is set up between a Palo Alto Networks firewall and another IPSec VPN device and where that tunnel supports multiple sessions, the firewall can now use multiple CPU cores (simultaneously) to decrypt traffic. When the volume of VPN traffic is high, this enhancement minimizes latency and improves performance.

Per-Virtual System Service Routes: The source interface and source IP address of service routes can now be configured for individual virtual systems, in addition to the global configuration of service routes. Per-virtual system service routes provide the flexibility to customize service routes for numerous tenants or departments on a single firewall. Any virtual system that does not have a service route configured to access a particular external service inherits the source interface and source IP address that are set globally for that service. The PA-7000 Series firewalls use Log Processing Card (LPC) subinterfaces to separate the logging services for each virtual system. Prior to PAN-OS 7.0, each service route to a service was configured globally and applied to the entire firewall.

LLDP: You can now configure Link Layer Discovery Protocol (LLDP) to enable the firewall to automatically discover neighboring devices and their capabilities at the link layer. LLDP allows the firewall to send and receive Ethernet frames containing LLDP data units to and from neighbors. The receiving device stores the information in a MIB, which can be accessed by SNMP. LLDP enables network devices to learn the capabilities of the connected devices and can be used to map network topology. This makes troubleshooting easier, especially for virtual wire deployments where the firewall would typically go undetected by a ping or traceroute.

NPTv6: You can now enable IPv6-to-IPv6 Network Prefix Translation (NPTv6) on the firewall to perform a stateless, static translation of one IPv6 prefix to another IPv6 prefix (port numbers are not changed). One benefit of NPTv6 is the prevention of asymmetrical routing problems that result from provider-independent addresses being advertised from multiple data centers. NPTv6 allows more specific routes to be advertised so that return traffic arrives at the same firewall that transmitted the traffic. Another benefit is the independence of private and public addresses; you can change one without affecting the other. A third benefit of NPTv6 is the ability to translate unique local addresses (ULAs) to globally routable addresses.


TCP Split Handshake Drop: Palo Alto Networks firewalls by default correctly secure TCP sessions, whether they use a well-known 3-way handshake or a variation, such as a 4-way or 5-way split handshake or a simultaneous open. The firewall now offers an additional option to simply drop a TCP session that tries to use such a variation because it is possibly malicious.

Increased Address Resolution per FQDN: In pre-PAN-OS 7.0 releases, you can resolve a maximum of 10 IPv4 addresses and 10 IPv6 addresses (for a total maximum of 20 address objects) per FQDN. In PAN-OS 7.0 and later releases, you can now resolve a maximum of 64 addresses (32 of each) per FQDN address object.
There is a Known Issue (PAN-59614 (98576)) where the number of addresses you can successfully resolve is limited to a combination of address types (IPv4 and IPv6) that does not exceed a total of 512B (the current DNS server response packet size).

Policy Features

New Policy Feature: Description

DoS Protection Against Flooding of New Sessions: In PAN-OS 7.0.2 and later releases, you can configure DoS protection to better block IP addresses to handle high-volume single-session and multiple-session attacks more efficiently. For configuration details, see DoS Protection Against Flooding of New Sessions.

VPN Features

New VPN Feature: Description

IKEv2 Support for VPN Tunnels: Site-to-site IPSec VPN is enhanced to support Internet Key Exchange Version 2 (IKEv2), in addition to IKEv1 (the GlobalProtect agent is not included in this feature support). IKEv2:
- Exchanges fewer messages than IKEv1 when setting up the tunnel endpoints.
- Can negotiate multiple sets of traffic selectors to control which traffic can access the tunnel.
- Provides a liveness check to determine if a peer gateway and tunnel are still up.
- Supports NAT Traversal.
- Supports the Hash and URL certificate exchange, which reduces fragmentation.
- Supports cookie validation of a connection if a threshold number of concurrent IKE SA sessions is exceeded, reducing the potential for DoS attacks.

IPv6 IPSec VPN Support: Site-to-site IPSec VPN now supports IPv6 site-to-site connections, which allows you to establish IKE and IPSec Security Associations (SAs) between IPv6 gateways.

IPSec VPN Enhancements: You can now use the web interface to enable, disable, restart, or refresh an IKE gateway or an IPSec VPN tunnel to simplify troubleshooting. This feature applies to IPv4 and IPv6 tunnels.


GlobalProtect Features

For information about new authentication features supported on GlobalProtect (Suite B cryptography and SSL/TLS service profiles), see Authentication Features.

New GlobalProtect Feature: Description

Disable Direct Access to Local Networks: You can now disable direct access to local networks so that users cannot send traffic to proxies or local resources while connected to a GlobalProtect VPN. For example, if a user establishes a GlobalProtect VPN tunnel while connected to a public hotspot or hotel Wi-Fi and this feature is enabled, all traffic is routed through the tunnel and is subject to policy enforcement by the firewall.

Static IP Address Allocation: An enhancement to the IP address allocation logic enables the GlobalProtect gateway to maintain an index of clients and IP addresses so that the endpoint automatically receives the same IP address for all subsequent GlobalProtect VPN connections. The gateway continues to issue IP addresses in a round-robin fashion until all IP addresses are exhausted. To ensure that an endpoint receives the same address and to avoid IP address conflicts, create an IP address pool large enough to accommodate the number of endpoints.
Alternatively, you can now configure a GlobalProtect gateway to assign fixed IP addresses using an external authentication server. This is useful when downstream resources, such as printers, servers, and applications, use a fixed source IP address/IP address pool to allow access for a specific user, user group, or OS. When enabled, the GlobalProtect gateway allocates the IP address to connecting devices using the Framed-IP attribute from the authentication server.

Apply a Gateway Configuration to Users, Groups, and/or Operating Systems: You can now specify one or more users or user groups and/or client operating systems to which to apply a remote user tunnel configuration. For example, by configuring different IP address pools and access routes for Windows-based clients or for users in user groups such as Engineering, you can ensure that each client receives the correct network settings.

Welcome Page Management: The GlobalProtect client configuration now includes a setting to force the Welcome Page to display each time a user initiates a connection. This prevents the user from dismissing important information such as terms and conditions that may be required by your organization to maintain compliance. Alternatively, you can provide the user the ability to dismiss seeing the Welcome page at subsequent logins.

Remote Desktop Connection to a Remote Client: The GlobalProtect VPN tunnel functionality has been enhanced to allow users, such as IT Help Desk, to RDP to a client device when connected over GlobalProtect VPN, enabling troubleshooting and support for remote Windows users.
Now, when IT Help Desk personnel log in to a client device, the GlobalProtect app can detect a new login without bringing down the RDP tunnel. After the administrator logs in to the remote machine and successfully authenticates with the gateway, the GlobalProtect app reassigns the RDP tunnel to the remote administrator. This security measure prevents unauthorized access to VPN resources because policy enforcement for traffic through the RDP tunnel is now enforced and logged based on the privileges of the RDP user.


Simplified GlobalProtect License Structure: You can now use GlobalProtect to provide a secure, remote access or virtual private network (VPN) solution via single or multiple external gateways, without any GlobalProtect licenses. The portal license, which was required to enable this functionality, has been deprecated. However, advanced features that include Host Information Profile (HIP) checks and support for the GlobalProtect mobile app for iOS and Android still require a gateway subscription. To take advantage of the new license structure, you need to upgrade only the device running the GlobalProtect portal to a PAN-OS 7.0 or later release.

Licensing Features

New Licensing Feature: Description

Self-Service License & Subscription Management: The firewall and Panorama now provide the capability to unassign or deactivate the active licenses on a firewall and assign the licenses to another firewall. To release the active licenses attributed to a firewall, you now have two options:
- Deactivate a feature license or subscription on a firewall: If you accidentally installed a license/subscription on a firewall and need to reassign the license to another firewall, you can deactivate an individual license and reuse the same authorization code on another firewall without help from Technical Support. This capability is supported on the CLI of both the hardware-based firewalls and the VM-Series firewalls.
- Deactivate licenses on a VM-Series firewall: When you no longer need an instance of the VM-Series firewall, you can free up all active licenses (subscription licenses, VM-Capacity licenses, and support entitlements) using the web interface or CLI on the firewall or Panorama. The licenses are credited back to your account and you can use the same authorization codes on a different instance of the VM-Series firewall.

Support for Usage-Based Licensing in Amazon Web Services (AWS): The VM-Series firewall in AWS now supports the usage-based pricing model, in addition to the Bring Your Own License (BYOL) model. This capability makes it easier to consolidate the billing of AWS resources and the usage fees for the VM-Series firewall.
The usage-based model in the AWS Marketplace is available in hourly and annual pricing bundles:
- VM-Series capacity license with the Threat Prevention license for each model: VM-100, VM-200, VM-300, or VM-1000-HV. It includes a premium support entitlement.
- VM-Series capacity license with the complete suite of licenses, which includes Threat Prevention, GlobalProtect, WildFire, and PAN-DB URL Filtering capabilities for each model: VM-100, VM-200, VM-300, or VM-1000-HV. It includes a premium support entitlement.
Usage-based subscriptions/licenses are handled automatically by AWS; these licenses cannot be activated on the firewall or managed from Panorama.

Term-Based Capacity Licenses on the VM-Series Firewall: A term-based license is a license that allows you to use the VM-Series firewall for a specified period of time. A term-based VM-Series capacity license will have an expiration date and the web interface will display renewal notifications before the license expires. If the capacity license expires, although the firewall will continue to operate at the licensed capacity, you cannot obtain software updates or content updates until you renew the capacity license.


Changes to Default Behavior

The following are changes to default behavior in PAN-OS 7.0:

You can also see CLI Changes in PAN-OS 7.0 and XML API Changes in PAN-OS 7.0.

- Authentication Changes
- GlobalProtect Changes
- Management Changes
- Panorama Changes
- Threat Prevention Changes
- WildFire Changes

Authentication Changes

PAN-OS 7.0 has the following changes in default behavior for authentication features:

Feature: Change

RADIUS authentication:
- RADIUS administrators can now log in to the firewall CLI as SSH users without first logging in to the web interface.
- When sending authentication requests to a RADIUS server, PAN-OS and Panorama 7.0 and later releases always use the authentication profile name as the network access server (NAS) identifier, even if the profile is assigned to an authentication sequence. In pre-7.0 releases, the firewall and Panorama use the name of whichever authentication profile or sequence is configured for the service that initiates the authentication process (such as administrator authentication).


GlobalProtect Changes

PAN-OS 7.0 has the following changes in default behavior for GlobalProtect features:

Feature: Change

OTP Authentication: Previously, when a user logged in to a GlobalProtect gateway that was on the same firewall as the portal, the portal generated a short-lived gateway user authentication cookie (expired in 60 seconds). The gateway would use that cookie to authenticate the user without requiring the user to enter a second one-time password (OTP). This feature is now deprecated. To enable the same user experience, whereby the user is only required to enter an OTP once to connect to GlobalProtect, you must set the Authentication Modifier to Cookie authentication for config refresh when configuring the portal authentication behavior.

Portal licenses: The GlobalProtect portal license is now deprecated. Starting with the PAN-OS 7.0 release, you can use all GlobalProtect portal functionality (which was previously available) without installing an additional license. However, advanced features including Host Information Profile (HIP) checks and support for the GlobalProtect mobile app for iOS and Android still require a gateway subscription. To take advantage of the new license structure, you need to upgrade only the device running the GlobalProtect portal to a PAN-OS 7.0 or later release (the device running the GlobalProtect gateway can run PAN-OS 7.0 and earlier releases).

Management Changes

PAN-OS 7.0 has the following changes in default behavior for management features:

Feature: Change

Operational modes: FIPS mode is no longer supported in PAN-OS 7.0 and later releases. If your firewall is running a PAN-OS 6.1 or earlier release and is in FIPS mode, you must Enable FIPS and Common Criteria Support before you upgrade to a PAN-OS 7.0 or later release. Refer to the PAN-OS 7.0 Upgrade/Downgrade Considerations for more details.

DNS proxy: There is a change in the way virtual system reporting and server profiles make queries using DNS proxy. Previously, the firewall would send virtual system report queries and virtual system server profile queries to the DNS proxy that was specified for the firewall, even if there was a DNS proxy specified for the virtual system. Now, the virtual system report and virtual system server profile send their queries to the DNS server specified for the virtual system if there is one. If there is no DNS server specified for the virtual system, the DNS server specified for the firewall is queried. (The vsys-specific DNS server used is defined in Device > Virtual Systems > General > DNS Proxy.)

Tags: The maximum number of tags that the firewall and Panorama support is now increased from 2,500 to 10,000. This limit is enforced across the firewall/Panorama and is not allocated by virtual system or device group.


Policy objects: When you clone an object or rule, the naming convention for the clone is now <original-name>-<n>, where <original-name> is the name of the original object or rule and <n> is a numeric suffix (starting at 1 for the first clone) that makes the clone name unique in its current scope (virtual system, device group, or Shared location). For example, if you twice clone a rule named IngressTraffic, the firewall names the first clone IngressTraffic-1 and names the second clone IngressTraffic-2.

Panorama Changes

PAN-OS 7.0 has the following changes in default behavior for Panorama features:

Feature: Change

Firewall licenses: Previously, to check for licensing changes to the managed firewalls, you had to manually click the Refresh button on the Panorama > Device Deployment > Licenses tab. Now, Panorama performs a daily check-in with the licensing server and retrieves license updates/renewals and pushes them to the managed firewalls. The daily check-in takes place between 1:00 am and 2:00 am, according to the Time Zone configured for Panorama (Panorama > Setup > Management).

Threat Prevention Changes

PAN-OS 7.0 has the following changes in default behavior for threat prevention features:

Feature: Change

Security profiles: The default actions for handling threats are now alert or reset-both (sides of the connection). In releases prior to PAN-OS 7.0, the defaults were alert or block. On upgrade, the block action will be converted to reset-both and the drop-packets option is now renamed as drop.
On downgrade, all actions configured as drop or reset will be converted to block.


WildFire Changes

PAN-OS 7.0 has the following changes in default behavior for WildFire features:

Feature: Change

WildFire Analysis profile: File Blocking profiles with the action set to forward or continue and forward are migrated to the new WildFire Analysis profile in PAN-OS 7.0. To edit the migrated profiles or to create new profiles to forward files and email links for WildFire analysis, select Objects > Security Profiles > WildFire Analysis. Additionally, samples forwarded by the firewall for WildFire analysis are no longer added as entries to the Data Filtering logs (Monitor > Data Filtering); instead, use the CLI to verify that the firewall is forwarding samples. See the WildFire Analysis Profile for full details on this enhanced WildFire workflow.


CLI Changes in PAN-OS 7.0

The following table lists CLI commands that changed between PAN-OS 6.1 (orange text) and PAN-OS 7.0 (green text). The changes include command options that are deprecated or have new names, values, or command paths in PAN-OS 7.0.

Configuration Mode Commands

PAN-OS 6.1: commit validate
PAN-OS 7.0: validate [full | partial]

PAN-OS 6.1: set deviceconfig setting wildfire cloud-server
PAN-OS 7.0: set deviceconfig setting wildfire [public-cloud-server | private-cloud-server]

PAN-OS 6.1: set deviceconfig setting ssl-decrypt [block-unknown-cert | block-timeout-cert]
PAN-OS 7.0: set profiles decryption <name> ssl-forward-proxy [block-unknown-cert | block-timeout-cert]

PAN-OS 6.1: set network ike crypto-profiles ike-crypto-profiles <name> lifetime days <value: 1-65535>
PAN-OS 7.0: set network ike crypto-profiles ike-crypto-profiles <name> lifetime days <value: 1-365>

PAN-OS 6.1: set network ike crypto-profiles ipsec-crypto-profiles <name> lifetime days <value: 1-65535>
PAN-OS 7.0: set network ike crypto-profiles ipsec-crypto-profiles <name> lifetime days <value: 1-365>

PAN-OS 6.1: set network tunnel global-protect-gateway <name> client ip-pool
PAN-OS 7.0: set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs <name> ip-pool

PAN-OS 6.1: set network tunnel global-protect-gateway <name> client split-tunneling
PAN-OS 7.0: set vsys <name> global-protect global-protect-gateway <name> remote-user-tunnel-configs <name> split-tunneling

PAN-OS 6.1: set network dhcp interface <name> server option ippool-subnet
PAN-OS 7.0: set network dhcp interface <name> server option subnet-mask

PAN-OS 6.1: set [shared | vsys <name>] profiles virus <name> decoder <name> [action | wildfire-action] [block]
PAN-OS 7.0: set [shared | vsys <name>] profiles virus <name> decoder <name> [action | wildfire-action] [reset-both]

PAN-OS 6.1: set [shared | vsys <name>] profiles virus <name> application <name> action [block]
PAN-OS 7.0: set [shared | vsys <name>] profiles virus <name> application <name> action [reset-both]

PAN-OS 6.1: set [shared | vsys <name>] profiles [spyware | vulnerability] <name> rules action action [block]
PAN-OS 7.0: set [shared | vsys <name>] profiles [spyware | vulnerability] <name> rules action action [reset-both]

PAN-OS 6.1: set [shared | vsys <name>] profiles file-blocking <name> rules <name> action [forward | continue-and-forward]
PAN-OS 7.0: The forward and continue-and-forward options are deprecated. To forward files to WildFire, you must now configure a WildFire Analysis profile:
set profiles wildfire-analysis <name>

PAN-OS 6.1: set [shared | vsys <name>] profiles [spyware | vulnerability] <name> threat-exception <threat-id> action [drop | drop-all-packets]
PAN-OS 7.0: In PAN-OS 7.0, the drop option performs the same action as the drop-all-packets option does in PAN-OS 6.1:
set [shared | vsys <name>] profiles spyware <name> threat-exception <threat-id> action drop

PAN-OS 6.1: set reports <name> type url sortby user_agent
PAN-OS 7.0: The user_agent option is deprecated.

PAN-OS 6.1: set reports <name> type wildfire sortby filetype
PAN-OS 7.0: The filetype option is deprecated.

PAN-OS 6.1: set application-group <name> [<value1> | <value2> | ]
PAN-OS 7.0: set application-group <name> members [<value1> | <value2> | ]

PAN-OS 6.1: set scheduled <name> [non-recurring | recurring]
PAN-OS 7.0: set scheduled <name> schedule-type [non-recurring | recurring]

PAN-OS 6.1: set threats [spyware | vulnerability] <threat-id> default-action drop-packets
PAN-OS 7.0: set threats [spyware | vulnerability] <threat-id> default-action drop


PAN-OS 6.1: set [shared | vsys <name>] authentication-sequence <name> lockout [failed-attempts | lockout-time]
PAN-OS 7.0: The lockout options are deprecated for authentication sequences. You now set the failed login attempts limit and account lockout duration only for authentication profiles.

PAN-OS 6.1: set [shared | vsys <name>] server-profile [ldap | radius] <name> domain
PAN-OS 7.0: set [shared | vsys <name>] authentication-profile <name> user-domain

PAN-OS 6.1: set [shared | vsys <name>] server-profile radius <name> checkgroup
PAN-OS 7.0: set [shared | vsys <name>] authentication-profile <name> method radius checkgroup

PAN-OS 6.1: set [shared | vsys <name>] server-profile radius <name> timeout <value: 1-30>
PAN-OS 7.0: set [shared | vsys <name>] server-profile radius <name> timeout <value: 1-120>

PAN-OS 6.1: set [shared | vsys <name>] server-profile radius <name> server <name> port <value: 0-65535>
PAN-OS 7.0: set [shared | vsys <name>] server-profile radius <name> server <name> port <value: 1-65535>

PAN-OS 6.1: set [shared | vsys <name>] server-profile kerberos <name> domain
PAN-OS 7.0: set [shared | vsys <name>] authentication-profile <name> user-domain

PAN-OS 6.1: set [shared | vsys <name>] server-profile kerberos <name> realm
PAN-OS 7.0: set [shared | vsys <name>] authentication-profile <name> method kerberos realm

PAN-OS 6.1: set [shared | vsys <name>] server-profile kerberos <name> server <name> port 0-65535
PAN-OS 7.0: set [shared | vsys <name>] server-profile kerberos <name> server <name> port 1-65535

PAN-OS 6.1: set [shared | vsys <name>] certificate <name> [display-common-name | display-subject | display-issuer]
PAN-OS 7.0: The display-common-name, display-subject, and display-issuer options are deprecated. To generate certificates, always use the request certificate generate operational command (instead of the set [shared | vsys <name>] certificate command).

PAN-OS 6.1: set [vsys <name>] captive-portal server-certificate
PAN-OS 7.0: set [vsys <name>] captive-portal ssl-tls-service-profile

PAN-OS 6.1: set [vsys <name>] url-admin-override server-certificate
PAN-OS 7.0: set [vsys <name>] url-admin-override ssl-tls-service-profile

PAN-OS 6.1: set [vsys <name>] global-protect global-protect-portal <name> portal-config server-certificate
PAN-OS 7.0: set [vsys <name>] global-protect global-protect-portal <name> portal-config ssl-tls-service-profile

PAN-OS 6.1: set [vsys <name>] global-protect global-protect-gateway <name> server-certificate
PAN-OS 7.0: set [vsys <name>] global-protect global-protect-gateway <name> ssl-tls-service-profile

Operational Mode Commands

PAN-OS 6.1: clear session id <value> <value: 1-2147483648>
PAN-OS 7.0: clear session id <value> <value: 1-4294967295>

PAN-OS 6.1: show session id <value> <value: 1-2147483648>
PAN-OS 7.0: show session id <value> <value: 1-4294967295>

PAN-OS 6.1: delete user-file
PAN-OS 7.0: delete authentication user-file

PAN-OS 6.1: delete software image
PAN-OS 7.0: The image option is deprecated. The version option is not new but performs the same function as the image option:
delete software version

PAN-OS 6.1: request system software install file
PAN-OS 7.0: The file option is deprecated. The version option is not new but performs the same function as the file option:
request system software install version

PAN-OS 6.1: request system software install load-config <value> file
PAN-OS 7.0: The file option is deprecated. The version option is not new but performs the same function as the file option:
request system software install load-config <value> version

PAN-OS 6.1: delete radius-user
PAN-OS 7.0: The radius-user option is deprecated.


PAN-OS 6.1: show user ip-user-mapping all type [NTLM | SSL/VPN]
PAN-OS 7.0: The SSL/VPN and NTLM options are deprecated. The new SSO (single sign-on) option is for both NTLM and Kerberos SSO:
show user ip-user-mapping all type SSO

PAN-OS 6.1: show user ip-user-mapping all option [count | detail] type [NTLM | SSL/VPN]
PAN-OS 7.0: The SSL/VPN and NTLM options are deprecated. The new SSO (single sign-on) option is for both NTLM and Kerberos SSO:
show user ip-user-mapping all option [count | detail] type SSO

PAN-OS 6.1: show user ip-user-mapping-mp all option [count | detail] no-group-only [no | yes] type [NTLM | SSL/VPN]
PAN-OS 7.0: The SSL/VPN and NTLM options are deprecated. The new SSO (single sign-on) option is for both NTLM and Kerberos SSO:
show user ip-user-mapping-mp all option [count | detail] no-group-only [no | yes] type SSO

PAN-OS 6.1: show user email-lookup [base | bind-dn | bind-password | domain | group-object | name-attribute | proxy-agent | proxy-agent-port | use-ssl | mail-attribute | server | server-port]
PAN-OS 7.0: All the email-lookup options are deprecated except the email option. The following command is not new but has similar options:
show user group-selection [base | bind-dn | bind-password | group-object | name-attribute | proxy-agent | proxy-agent-port | use-ssl | server | server-port]

PAN-OS 6.1: show log traffic session_end_reason
PAN-OS 7.0: show log traffic session-end-reason

PAN-OS 6.1: show log [threat | url | data] action [equal | not-equal] drop-all-packets
PAN-OS 7.0: show log [threat | url | data] action [equal | not-equal] drop-all

PAN-OS 6.1: debug software restart <process>
PAN-OS 7.0: debug software restart [core | process] <process>

PAN-OS 6.1: debug authd
PAN-OS 7.0: debug authentication

PAN-OS 6.1: debug authd [admin-db | use-domain]
PAN-OS 7.0: The admin-db and use-domain options are deprecated.

PAN-OS 6.1: debug device-server pan-url-db [cloud-static-list-enable | cloud-static-list-disable]
PAN-OS 7.0: The following configure mode command replaces the cloud-static-list-enable and cloud-static-list-disable options:
set deviceconfig setting pan-url-db cloud-static-list

PAN-OS 6.1: debug dataplane packet-diag clear filter-marked-session id <value: 1-2147483648>
PAN-OS 7.0: debug dataplane packet-diag clear filter-marked-session id <value: 1-4294967295>

PAN-OS 6.1: debug user-id test ntlm-login
PAN-OS 7.0: The ntlm-login option is deprecated. The new sso-login (single sign-on) option is for both NTLM and Kerberos SSO:
debug user-id test sso-login

PAN-OS 6.1: set management-server unlock
PAN-OS 7.0: request authentication [unlock-admin | unlock-user]

PAN-OS 6.1: request certificate generate nbits <name> <value>
PAN-OS 7.0: request certificate generate certificate-name <value> algorithm [ECDSA | RSA] [ecdsa-nbits | rca-nbits]
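The CLI changes listed above matter most for saved set-command scripts and templates that are replayed against firewalls after the upgrade. The following pre-upgrade check is an added example, not Palo Alto Networks code: it encodes a subset of the rows above as rules and flags PAN-OS 6.1 lines that need attention. The sample lines, object names, and threat ID are constructed, and the rules assume object names without whitespace.

```python
import re
from typing import NamedTuple, Optional


class Finding(NamedTuple):
    lineno: int
    line: str
    note: str
    suggestion: Optional[str]  # rewritten command, or None when a manual decision is needed


SCOPE = r"set (?:shared|vsys \S+) "  # assumption: names contain no whitespace


def renamed(old, new):
    """Handler for a trailing keyword that has a new name in PAN-OS 7.0."""
    def handler(m):
        line = m.group(0)
        return f"{old} is now {new}", line[: -len(old)] + new
    return handler


def deprecated(note):
    """Handler for an option with no one-to-one replacement."""
    return lambda m: (note, None)


def max_value(group, limit, what):
    """Handler that flags a numeric argument above the 7.0 upper bound."""
    def handler(m):
        value = int(m.group(group))
        if value > limit:
            return f"{what} {value} is outside the 7.0 range 1-{limit}", None
        return None
    return handler


def radius_port(m):
    """Port 0 was accepted in 6.1; the 7.0 range starts at 1."""
    if int(m.group("port")) == 0:
        return "port 0 is outside the 7.0 range 1-65535", None
    return None


# Each rule mirrors one row of the CLI changes table.
RULES = [
    (re.compile(SCOPE + r"profiles virus \S+ (?:decoder|application) \S+ "
                r"(?:action|wildfire-action) block$"), renamed("block", "reset-both")),
    (re.compile(r"set threats (?:spyware|vulnerability) \S+ default-action drop-packets$"),
     renamed("drop-packets", "drop")),
    (re.compile(r"set network ike crypto-profiles (?:ike|ipsec)-crypto-profiles \S+ "
                r"lifetime days (?P<days>\d+)$"), max_value("days", 365, "lifetime days")),
    (re.compile(SCOPE + r"profiles file-blocking \S+ rules \S+ action "
                r"(?:forward|continue-and-forward)$"),
     deprecated("forward actions are deprecated; configure a WildFire Analysis profile")),
    (re.compile(SCOPE + r"authentication-sequence \S+ lockout "
                r"(?:failed-attempts|lockout-time)\b"),
     deprecated("lockout is set only on authentication profiles in 7.0")),
    (re.compile(SCOPE + r"server-profile radius \S+ server \S+ port (?P<port>\d+)$"),
     radius_port),
    (re.compile(r"set deviceconfig setting wildfire cloud-server\b"),
     deprecated("use public-cloud-server or private-cloud-server")),
]


def check(lines):
    """Return a Finding for every 6.1 command that changed in PAN-OS 7.0."""
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        line = " ".join(raw.split())  # normalise whitespace
        for pattern, handler in RULES:
            m = pattern.match(line)
            if not m:
                continue
            result = handler(m)
            if result:
                findings.append(Finding(lineno, line, *result))
    return findings


# Constructed sample of a saved PAN-OS 6.1 set-command script.
SAMPLE_6_1 = """\
set shared profiles virus AV-strict decoder smtp action block
set shared profiles virus AV-strict decoder http action alert
set threats vulnerability 30001 default-action drop-packets
set network ike crypto-profiles ike-crypto-profiles site-a lifetime days 730
set network ike crypto-profiles ipsec-crypto-profiles site-a lifetime days 30
set vsys vsys1 profiles file-blocking fb-1 rules exe action forward
set vsys vsys1 authentication-sequence seq-1 lockout failed-attempts 5
set shared server-profile radius rad-1 server r1 port 1812
set deviceconfig setting wildfire cloud-server wf.example.test
""".splitlines()

if __name__ == "__main__":
    for f in check(SAMPLE_6_1):
        print(f"line {f.lineno}: {f.note}")
        if f.suggestion:
            print(f"    7.0 form: {f.suggestion}")
```

Findings with no suggestion (an out-of-range lifetime, a deprecated lockout or forward action) need a design decision before the script is reused, because PAN-OS 7.0 has no one-to-one replacement for them.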


XML API Changes in PAN-OS 7.0

The PAN-OS 7.0 XML API has the following changes:

Feature: Change

Custom reports: On PA-7000 Series firewalls and Panorama, API requests for custom reports no longer support the synchronous (asynch=no) option. API requests now provide a job ID, which you can use to retrieve the report. Additionally, API requests for reports (type=report) are now processed asynchronously by default on all firewall platforms.

Commits and validation:
- You can now fully or partially validate your configuration on the firewall or Panorama. The change in the XML API syntax is as follows:
  PAN-OS 6.1 and earlier releases:
  /api/?type=op&cmd=<commit><validate></validate></commit>
  PAN-OS 7.0 and later releases:
  /api/?type=op&cmd=<validate><full></full></validate>, and
  /api/?type=op&cmd=<validate><partial></partial></validate>
- The XML document format to commit shared policies to device groups on Panorama using the PAN-OS XML API has changed in PAN-OS 7.0. This change is due to an enhancement to permit a commit to devices within the device group: the device group name is now an attribute node instead of a text node.
  The change in the XML API request is as follows:
  PAN-OS 6.1 and earlier releases:
  /api/?type=commit&action=all&cmd=<commit-all><shared-policy><device-group><name>DeviceGroupName</name></device-group></shared-policy></commit-all>
  PAN-OS 7.0 and later releases:
  /api/?type=commit&action=all&cmd=<commit-all><shared-policy><device-group><entry name='DeviceGroupName'/></device-group></shared-policy></commit-all>
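Automation written against the 6.1 request shapes above has to be updated before it talks to a 7.0 device. The following sketch is an added example, not Palo Alto Networks code: it builds the 7.0 `cmd` documents with an XML library so that device group names are escaped correctly, converts 6.1-style documents to the 7.0 form, and URL-encodes the result. The function names are hypothetical, and the authentication key parameter is omitted, as it is in the request examples above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode


def _dump(elem):
    # Long-form empty elements, matching the release notes (<full></full>).
    return ET.tostring(elem, encoding="unicode", short_empty_elements=False)


def validate_cmd(scope="full"):
    """PAN-OS 7.0 validation command: <validate><full|partial/></validate>."""
    if scope not in ("full", "partial"):
        raise ValueError("scope must be 'full' or 'partial'")
    root = ET.Element("validate")
    ET.SubElement(root, scope)
    return _dump(root)


def commit_all_cmd(device_group):
    """PAN-OS 7.0 commit-all: the device group name is an attribute of <entry>."""
    root = ET.Element("commit-all")
    dg = ET.SubElement(ET.SubElement(root, "shared-policy"), "device-group")
    # ElementTree escapes quotes, ampersands and angle brackets in the value.
    ET.SubElement(dg, "entry", {"name": device_group})
    return _dump(root)


def upgrade_cmd(cmd_xml, scope="full"):
    """Convert a 6.1-style cmd document to its 7.0 form; others pass through."""
    root = ET.fromstring(cmd_xml)
    if root.tag == "commit" and root.find("validate") is not None:
        return validate_cmd(scope)
    if root.tag == "commit-all":
        for dg in list(root.iter("device-group")):
            name = dg.find("name")
            if name is not None:
                # Text node (6.1) becomes an attribute node (7.0).
                dg.remove(name)
                ET.SubElement(dg, "entry", {"name": (name.text or "").strip()})
    return _dump(root)


def api_path(req_type, cmd, action=None):
    """Build the request path and query string with cmd percent-encoded."""
    params = {"type": req_type}
    if action:
        params["action"] = action
    params["cmd"] = cmd
    return "/api/?" + urlencode(params)


if __name__ == "__main__":
    # Constructed 6.1-style request body for a device group named "DG & Branch".
    old = ("<commit-all><shared-policy><device-group><name>DG &amp; Branch</name>"
           "</device-group></shared-policy></commit-all>")
    new = upgrade_cmd(old)
    print(new)
    print(api_path("commit", new, action="all"))
    print(api_path("op", upgrade_cmd("<commit><validate></validate></commit>")))
```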


Associated Software Versions

The following minimum software versions are supported with PAN-OS 7.0. To see a list of the next-gen firewall models that support PAN-OS 7.0, see the Palo Alto Networks Compatibility Matrix.

Palo Alto Networks Software: Minimum Supported Version with PAN-OS 7.0

Panorama: 7.0.1
User-ID Agent: 6.0.0
Terminal Server Agent: 6.0.0
NetConnect: Not supported with PAN-OS 7.0
GlobalProtect Agent: 2.2.0
GlobalProtect Mobile Security Manager: 6.1.0
Content Release Version: 497


KnownIssues

ThefollowinglistdescribesWildFireKnownIssues,GlobalProtectKnownIssues,andFirewallandPanorama
KnownIssuesinthePANOS7.0release:

StartingwithPANOS7.0.11,thesereleasenotesidentifyallunresolvedknownissuesusingnewissueIDs
thatincludeaproductspecificprefix.KnownissuesforearlierreleasesuseboththeirnewissueIDsandtheir
originalissueIDs(inparentheses).
ForrecentupdatestoknownissuesforagivenPANOSrelease,referto
https://live.paloaltonetworks.com/t5/Articles/CriticalIssuesAddressedinPANOSReleases/tap/52882.

IssueID Description

WildFire Known Issues

WF500-1907 (77299) WhenusingaFirefoxbrowsertoaccessthefirewallwebinterface,WildFireAnalysis


This issue is now resolved. reportsdonotshowtheCoverageStatusforthesample,evenwhenasignatureis
See PAN-OS 7.0.3 generatedtoidentifythesample(Monitor>Logs>WildFire Submissions>Detailed Log
Addressed Issues. View>WildFire Analysis Report).
Workaround:ToviewthecorrectCoverageStatusforasample,useChromeorinternet
ExplorerbrowserstoaccessWildFire Submissions logsonthefirewallwebinterface.

WF500-1584 (67624) When using a web browser to view a WildFire Analysis Report from a firewall that is using
a WF-500 appliance for file sample analysis, the report may not appear until the browser
downloads the WF-500 certificate. This issue occurs after upgrading a firewall and the
WF-500 appliance to a PAN-OS 6.1 or later release.
Workaround: Browse to the IP address or hostname of the WF-500 appliance, which will
temporarily download the certificate into the browser. For example, if the IP address of
the WF-500 appliance is 10.3.4.99, open a browser and enter https://10.3.4.99. You
can then access the report from the firewall by selecting Monitor > WildFire Submissions,
clicking the log details icon, and then selecting the WildFire Analysis Report tab.

GlobalProtect Known Issues

GPC-1941 (66745) On managed mobile devices running iOS 8, unenrolling the device does not always remove
the VPN profile and the Mobile Security Manager profile.

GPC-1737 (61720) By default, the GlobalProtect app adds a route on iOS mobile devices that causes traffic
to the GP-100 GlobalProtect Mobile Security Manager to bypass the VPN tunnel.
Workaround: To configure the GlobalProtect app on iOS mobile devices to route all
traffic, including traffic to the GP-100 GlobalProtect Mobile Security Manager, to pass
through the VPN tunnel, perform the following tasks on the firewall hosting the
GlobalProtect gateway (Network > GlobalProtect > Gateways > Client Configuration >
Network Settings > Access Route):
Add 0.0.0.0/0 as an access route.
Enter the IP address for the GlobalProtect Mobile Security Manager as an additional
access route.

Firewall and Panorama Known Issues

PAN-77237 Using the debug skip-condor-reports no CLI command to force Panorama 8.0 to query
PA-7000 Series firewalls causes PA-7000 Series firewalls running a PAN-OS 7.0 release
to reboot. Do not use this command if you use Panorama 8.0 to manage a PA-7000 Series
firewall that is running a PAN-OS 7.0 release.

PAN-76162 Panorama 8.0 fails to query PA-7000 Series firewalls running a PAN-OS 7.0 release.
Do not use the debug skip-condor-reports no command to work around this
issue if you use Panorama 8.0 to manage a PA-7000 Series firewall that is running
a PAN-OS 7.0 release (known issue PAN-77237).

PAN-75881 Establishing a TCP session, then installing a content update, and then installing an
Antivirus or WildFire update causes the firewall to discard, use wrong content, or fail to
inspect and perform NAT for the session.

PAN-67072 In PAN-OS 6.1 and 7.0, the firewall applies the wrong security policy if a user attempts to
download a blocked file by selecting Resume in the blocked page dialog presented by the
browser, allowing the user to download the blocked file. This issue occurs when a security
policy that blocks downloads has a lower priority than a security policy that applies an
action such as URL filtering (but does not block downloads) on the same traffic. This issue
is resolved in PAN-OS 7.1 and later releases.
Workaround: Change the order of the security policies so that the download-blocking
policy has a higher priority than the URL filtering policy.

PAN-62453 (102159) Entering vSphere maintenance mode on a VM-Series firewall without first shutting down
the Guest OS for the agent VMs causes the firewall to shut down abruptly, and results in
issues after the firewall is powered on again. Refer to Issue 1332563 in the VMware
release notes: www.vmware.com/support/pubs/nsx_pubs.html
Workaround: VM-Series firewalls are Service Virtual Machines (SVMs) pinned to ESXi
hosts and should not be migrated. Before you enter vSphere maintenance mode, use the
VMware tools to ensure a graceful shutdown of the VM-Series firewall.

PAN-61724 (101293) The Network Monitor report (Monitor > App Scope > Network Monitor) displays only
partial data when you select Source or Destination for a data set that includes a large
number of source or destination IP addresses and usernames. However, the report does
display all data as expected when you instead select Application or Application Category
for a large data set.

PAN-61267 (100700) If you plan to configure the GlobalProtect portal on an interface assigned to a virtual
router that is part of a virtual router chain in the same zone, you must configure the portal
on the first ingress interface in the VR chain. This is because the session is established
when the packet ingresses the interface on the first virtual router. When it ingresses the
second virtual router, because it is in the same zone and it matches an existing session, a
second security lookup is not performed and the packet is therefore not routed to the
proper port on the portal interface.

PAN-59636 (98602) The Panorama management server has a memory increase due to syncing of WildFire
reports from Panorama to log collectors.
This issue is now resolved. See PAN-OS 7.0.10 Addressed Issues.

PAN-59614 (98576) In PAN-OS 7.0 and later releases, the maximum number of address objects you can
resolve for an FQDN is increased from 10 of each address type (IPv4 and IPv6) to a
maximum of 32 each. However, the combination of IPv4 and IPv6 addresses cannot
exceed 512B; if it does, addresses that are not included in the first 512B are dropped and
not resolved.

PAN-59258 (98112) For a firewall in an HA active/active configuration, session timeouts for some traffic
unexpectedly refresh after a commit or HA sync attempt.
This issue is now resolved. See PAN-OS 7.0.9 Addressed Issues.

PAN-59037 (97806) For firewalls running PAN-OS 7.0.7 in an HA active/active configuration, the peer that is
not the session owner intermittently incorrectly ages out sessions, which results in the
premature removal of those sessions from both peers.

PAN-58872 (97584) The automatic license deactivation workflow for firewalls with direct internet access does
not work.
Workaround: Use the request license deactivate key features <name> mode
manual CLI command to Deactivate a Feature License or Subscription Using the CLI. To
Deactivate a VM, choose Complete Manually (instead of Continue) and follow the steps
to manually deactivate the VM.

PAN-57471 (95611) There is a caching issue with the management plane that results in WildFire reports and
alerts for files that are already uploaded at least once to the firewall and that are followed
by a configuration change or threat content update on the firewall that specifically blocks
those same files.

PAN-57218 (95260) The pan-comm option for restarting the dataplane communication process is not available
in the debug software restart process operational CLI command.

PAN-55437 (92423) High availability (HA) for VM-Series firewalls does not work in AWS regions that do not
support the signature version 2 signing process for EC2 API calls. Unsupported regions
include AWS EU (Frankfurt) and Korea (Seoul).

PAN-54806 (91395) Simultaneous transfer of large files from two different SMB servers over a GlobalProtect
connection from a Windows 8 endpoint causes the connection to fail.
Workaround: In PAN-OS 7.0.8 and later releases, enable Heuristics on Windows 8
endpoints or set the tunnel interface MTU size to 1,300 to avoid this issue.

PAN-54611 (91086) There is an issue where the firewall experiences BGP disconnections because the firewall
fails to send keepalive messages to neighbors within specified timers.
This issue is now resolved. See PAN-OS 7.0.10 Addressed Issues.

PAN-54604 (91075) If you configure LSVPN tunnel interfaces between a GlobalProtect LSVPN gateway and
an LSVPN satellite, you cannot upgrade the LSVPN satellite to a PAN-OS 7.0 release while
the LSVPN gateway continues to run a PAN-OS 6.1 or earlier release; if you do, the LSVPN
tunnels no longer pass traffic as expected due to changes made to the encryption
algorithm names when introducing Suite B ciphers in PAN-OS 7.0.
Workaround: Upgrade both firewalls to PAN-OS 7.0 or a later release. If you cannot
upgrade the LSVPN gateway to PAN-OS 7.0 or a later release, then upgrade the LSVPN
satellite to PAN-OS 7.0.7 or a later release (or to a PAN-OS 7.1 release) to avoid this issue.
This issue is now resolved. See PAN-OS 7.0.7 Addressed Issues.

PAN-54153 (90326) The botnet log cleanup job on a PA-7000 Series firewall runs two hours before the
system-generated botnet reports are triggered, which results in empty or no botnet
reports when no logs are collected between jobs.
This issue is now resolved. See PAN-OS 7.0.8 Addressed Issues.

PAN-54100 (90256) Decrypted SSH sessions are not mirrored to the decrypt mirror interface as expected.
This issue is now resolved. See PAN-OS 7.0.8 Addressed Issues.

PAN-53686 (89595) Attempts to Hide Panorama background header (Panorama > Setup > Operations >
Custom Logos) result in an error (Edit breaks config validity).

PAN-53550 (89385) For a firewall in an HA active/active configuration, session timeouts for some traffic
unexpectedly refresh after a commit or HA sync attempt.
The fix for this issue introduced a known issue: PAN-59037 (97806).
This issue is now resolved. See PAN-OS 7.0.7 Addressed Issues.

PAN-52812 (88141) Login attempts on Panorama for administrators with an access domain name longer than
31 characters will fail with the following error: Login could not be completed. Please
contact the administrator. This is because the Access Domain field allows up to 63
characters but login operations allow a maximum of only 31 characters.
Workaround: Ensure that the access domain name for all administrators is no longer than
31 characters or upgrade to a PAN-OS 7.1 release, which allows the longer access domain
names (up to 63 characters).

PAN-52743 (88029) If you have a system-wide firewall proxy configuration (Device > Setup > Services) in a
PAN-OS 6.1 or earlier release and then upgrade to PAN-OS 7.0, the upgrade process will
not automatically extend the proxy configuration to the WildFire public cloud, which
includes a separate proxy configuration (Device > Setup > WildFire) in PAN-OS 7.0.
Workaround: After you upgrade a firewall to PAN-OS 7.0, add the necessary proxy
configuration for accessing the WildFire public cloud (Device > Setup > WildFire).

PAN-51943 (86623) A firewall in an HA active/passive configuration with an established FTP session drops
FTP PORT command packets after a failover.
This issue is now resolved. See PAN-OS 7.0.8 Addressed Issues.

PAN-51181 (85397) A Palo Alto Networks firewall, M-100 appliance, or WF-500 appliance configured to use
FIPS operational mode will fail to boot when rebooting after an upgrade to a PAN-OS 7.0
release.
Workaround: Enable FIPS and Common Criteria support on any Palo Alto Networks
firewall or appliance before you upgrade to a PAN-OS 7.0 release.

PAN-50651 (84594) On PA-7000 Series firewalls, one data port must be configured as a log card interface
because the traffic and logging capabilities of this platform exceed the capabilities of the
management port. A log card interface performs WildFire file-forwarding and log
forwarding for syslog, email, and SNMP and these services require DNS support. If you
have set up a custom service route for the firewall to use to perform DNS queries, services
using the log card interface might not be able to generate DNS requests. This is only an
issue if you've configured the firewall to use a service route for DNS requests, and in this
case, you must perform the following workaround to enable communication between the
firewall dataplane and the log card interface.
Workaround: Enable the DNS Proxy on the firewall, and do not specify an interface for
the DNS proxy object (leave the field Network > DNS Proxy > Interface clear). See the
steps to enable DNS proxy or use the CLI command set deviceconfig system
dns-setting dns-proxy-object.

PAN-50186 (83702) WildFire Analysis reports do not display as expected in the WildFire Analysis Report tab
(Monitor > Logs > WildFire Submissions > Detailed Log View) on a PA-7000 Series
firewall running PAN-OS 7.0.2 or later releases.
Workaround: Use the WildFire portal (https://wildfire.paloaltonetworks.com) or the
WildFire API to retrieve WildFire Analysis reports.
This issue is now resolved. See PAN-OS 7.0.6 Addressed Issues.

PAN-49708 (82849) A Panorama virtual appliance using a Network File System (NFS) storage partition
incorrectly fails the file system integrity check for the NFS directory when rebooting
Panorama after an upgrade to a Panorama 7.0 release.
This issue is now resolved. See PAN-OS 7.0.6 Addressed Issues.

PAN-49577 (82605) Offloaded policy-based forwarding (PBF) sessions will fail to egress a firewall running
PAN-OS 6.1.4 and later releases if you Enforce Symmetric Return (Policies > Policy
Based Forwarding > <pbfrule> > Forwarding).
Workaround: Disable Enforce Symmetric Return and create bidirectional PBF policies.
This issue is now resolved. See PAN-OS 7.0.4 Addressed Issues.

PAN-49399 (82299) There is a critical security vulnerability affecting PAN-OS 7.0.0. This issue specifically
affects devices running PAN-OS 7.0.0 that are configured to use LDAP authentication for
Captive Portal or for device management, including Panorama. This issue does not affect
devices configured to use RADIUS or local authentication instead of LDAP authentication,
nor does it affect any PAN-OS release other than PAN-OS 7.0.0. Due to the critical nature
of this vulnerability, we strongly advise all customers who have installed PAN-OS 7.0.0 to
upgrade as soon as possible to PAN-OS 7.0.1. Alternatively, you can downgrade to an
older version of PAN-OS, such as PAN-OS 6.1 or PAN-OS 6.0.
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.

PAN-49044 (81584) In Panorama 7.0, output from the show ntp command does not always display the correct
NTP status. This primarily occurs when there is only one NTP server configured where,
even when correctly connected to the NTP server, the show ntp status displays as
rejected.
This issue is now resolved. See PAN-OS 7.0.3 Addressed Issues.

PAN-48933 (81373) When the firewall is configured to communicate with a WildFire cloud (public or private)
through a proxy server, WildFire Analysis reports for samples analyzed in the WildFire
public cloud are not displayed in the WildFire Submissions log (Monitor > WildFire
Submissions).
Workaround: Use the WildFire portal (https://wildfire.paloaltonetworks.com) or the
WildFire API to retrieve WildFire Analysis reports.
This issue is now resolved. See PAN-OS 7.0.2 Addressed Issues.

PAN-48719 (80903) A PA-7050 firewall running a PAN-OS 6.1 or earlier release and managed by Panorama
running PAN-OS 7.0.0 cannot accurately handle queries from Panorama. This results in
the inability to display data in the Application Command Center (ACC) widgets and
prevents log data from the PA-7050 firewall from being included in reports generated on
Panorama.
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.

PAN-48702 (80871) WildFire Analysis reports are not displayed for WildFire Submissions log entries when
the firewall is configured to use a service route instead of the management interface to
communicate with a WildFire cloud (public or private).
Workaround: For firewalls running PAN-OS 7.0.1, you can retrieve WildFire Analysis
reports through the WildFire portal (wildfire.paloaltonetworks.com) or the WildFire API.
Additionally, you can specifically configure wildfire.paloaltonetworks.com as the
WildFire public cloud to view integrated reports from within the web interface:
Web interface: select Device > Setup > WildFire > General Settings.
CLI: use the set deviceconfig setting wildfire public-cloud-server
wildfire.paloaltonetworks.com command in configuration mode.
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.

PAN-48667 (80799) Files and email links sent using Simple Mail Transfer Protocol (SMTP) or Post Office
Protocol version 3 (POP3) are not forwarded to the WildFire public cloud for analysis
unless the firewall is also configured to forward files to a WildFire private cloud. For
firewalls connected to a WildFire Private Cloud, forwarding to both the WildFire public
cloud and WildFire private cloud works correctly (Device > Setup > WildFire).
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.

PAN-48647 (80750) When specifying the device group and template for the VM-Series NSX edition firewall,
you cannot select a template stack or a descendant device group defined in a device group
hierarchy on Panorama. You can assign the firewalls to a template and a parent device
group only.

PAN-48565 (80589) The VM-Series firewall on Citrix SDX does not support jumbo frames.

PAN-48550 (80561) Software forwarding of Layer 3 multicast traffic with Protocol Independent Multicast
(PIM) does not function correctly.
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.

PAN-48463 (80398) If you configure the firewall to use client certificates to authenticate administrators when
they access the web interface and you enable Online Certificate Status Protocol (OCSP)
verification, then the authentication will fail and administrators can't log in.
Workaround: Clear the Block session if certificate status is unknown and Block session
if certificate status cannot be retrieved within timeout check boxes in the certificate
profile that the firewall uses to authenticate administrators.
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.

PAN-48456 (80387) IPv6-to-IPv6 Network Prefix Translation (NPTv6) is not supported when configured on a
shared gateway.

PAN-48446 (80373) The options to Clone objects or policies in a shared gateway location and to Move objects
or policies from a virtual system to a shared gateway location do not work correctly.
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.

PAN-48421 (80323) On reboot, the link states for firewall interfaces do not come up. This issue occurs when
you disable high availability (HA) on a firewall that was configured in HA and then reboot
the firewall.
Workaround: Use the delete deviceconfig high-availability enabled CLI
command in configuration mode to delete the high availability configuration node.
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.

PAN-48394 (80268) When switching to Common Criteria (CC) mode on a PA-7050 firewall running PAN-OS
7.0.0, the operation does not complete and shows the following error: Set CCEAL4 Mode
Sysd Error. This issue occurs because the CC mode operation attempts to change the
operational mode before the system process (sysd) is fully loaded. This operation sets the
firewall to the factory default configuration without CC configuration changes.
Workaround: Change to CC mode while running a PAN-OS 6.1 release before upgrading
to PAN-OS 7.0.0.
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.

PAN-48392 (80266) If you configure the PA-200, PA-500, or PA-2050 firewall to use a service route instead
of the management (MGT) interface to connect to an LDAP server, the connection won't
work and any firewall functions that rely on the connection will fail.
Workaround: If you configured a service route before upgrading to a PAN-OS 7.0 release,
reconfigure it as a destination service route or set the Source Interface and Source
Address fields of the service route (Device > Setup > Services > Global > Service Route
Configuration > IPv4 or IPv6) to Use default.
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.

PAN-48346 (80177) The URL block page does not display as expected when proxied requests from the client use
the CONNECT method.

PAN-47976 (79470) Panorama does not display WildFire Analysis reports correctly in the WildFire
Submissions log.
Workaround: In the Context drop-down, select the firewall that forwarded the log and
display the report in the firewall context.
This issue is now resolved. See PAN-OS 7.0.2 Addressed Issues.

PAN-47969 (79462) If you log in to Panorama as a Device Group and Template administrator and rename a
device group, the Panorama > Device Groups page no longer displays any device groups.
Workaround: After you rename a device group, perform a commit, log out, and log back
in; the page then displays the device groups with the updated values.

PAN-47611 (78803) In Panorama, template settings that are global to every virtual system (vsys) on a firewall
(for example, System log settings) can't reference configuration elements (for example, an
Email server profile) that you add to a specific vsys instead of to the Shared location. Only
template and device group settings that Panorama can push to a specific vsys (for
example, Log Forwarding profiles) can reference elements that you add to a specific vsys.
To create an element that both global and vsys-specific settings can reference, you must
set the template Mode to Multi VSYS enabled and, when adding the element, set its
Location to Shared.
This issue is now resolved. See PAN-OS 7.0.2 Addressed Issues.

PAN-47518 (78646) Firewalls incorrectly replace multibyte characters with a period character ( . ) when
forwarding logs or event information to SNMP traps, to a syslog server, through email, or
in scheduled log exports. This issue also occurs when exporting logs to CSV.
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.

PAN-47073 (77850) Web pages using the HTTP Strict Transport Security (HSTS) protocol sometimes do not
display properly for end users.
Workaround: End users should import an appropriate forward-proxy certificate for their
browsers.

PAN-47038 (77775) A validation error occurs when you try to move an object from its current device group to
a destination device group that is lower in the hierarchy even if the policy rules or objects
that reference the object are in the same destination or are in a device group that should
inherit the object.
Workaround: Clone the object to the destination.
This issue is now resolved. See PAN-OS 7.0.2 Addressed Issues.

PAN-46344 (76601) When you use a Mac OS Safari browser, client certificates will not work for Captive Portal
authentication.
Workaround: On a Mac OS system, instruct end users to use a different browser (for
example, Mozilla Firefox or Google Chrome).

PAN-45793 (75806) In a firewall with multiple virtual systems, if you add an authentication profile to a virtual
system and give the profile the same name as an authentication sequence in Shared,
reference errors occur. The same errors occur if the profile is in Shared and the sequence
with the same name is in a virtual system.
Workaround: When creating authentication profiles and sequences, always enter unique
names, regardless of their location. For existing authentication profiles and sequences
with similar names, rename the ones that are currently assigned to configurations (for
example, a GlobalProtect gateway) to ensure uniqueness.

PAN-44901 (74423) When fetching a dynamic block list, a firewall running PAN-OS 7.0.1 incorrectly uses the
URL Updates service route instead of the service route that is attached to the Palo Alto
Updates in the service route configuration (Device > Setup > Services > Global).
This issue is now resolved. See PAN-OS 7.0.2 Addressed Issues.

PAN-44616 (73997) On the ACC > Network Activity tab, if you add the label Unknown as a global filter, the
filter gets added as A1 and query results display A1 instead of Unknown.

PAN-44400 (73674) The link on a 1Gbps SFP port on a VM-Series firewall deployed on a Citrix SDX server does
not come up when successive failovers are triggered. This behavior is only observed in an
HA active/active configuration.
Workaround: Use a 10Gbps SFP port instead of the 1Gbps SFP port on the VM-Series
firewall deployed on a Citrix SDX server.

PAN-44300 (73518) WildFire Analysis reports cannot be viewed on firewalls running PAN-OS 6.1 release
versions if connected to a WF-500 appliance in Common Criteria mode that is running a
PAN-OS 7.0 release.

PAN-43000 (71624) Vulnerability detection of SSLv3 fails when SSL decryption is enabled. This can occur
when you attach a Vulnerability Protection profile (that detects SSLv3 CVE-2014-3566)
to a Security policy rule and that Security policy rule and an SSL Decryption policy rule are
configured on the same virtual system in the same zone. After performing SSL decryption,
the firewall sees decrypted data and no longer sees the SSL version number. In this case,
the SSLv3 vulnerability is not identified.
Workaround: SSL Decryption Enhancements were introduced in PAN-OS 7.0 that enable
you to prohibit the inherently weaker SSL/TLS versions, which are more vulnerable to
attacks. For example, you can use a Decryption profile to enforce a minimum protocol
version of TLS 1.2 or select Block sessions with unsupported versions to disallow
unsupported protocol versions (Objects > Decryption Profile > SSL Decryption > SSL
Forward Proxy and/or SSL Inbound Inspection).

PAN-42141 (70335) When a tunnel monitor is enabled for a large-scale VPN (LSVPN) and the tunnel monitor
is in wait-recover mode, access routes from the GlobalProtect gateway cannot be installed
on the GlobalProtect satellite.
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.

PAN-42058 (70222) If the password for the administrator's account on the NSX Manager contains special
characters (such as $), Panorama cannot communicate with the NSX Manager. The
inability to communicate prevents context-based information, such as Dynamic Address
Groups, from being available to Panorama.
Workaround: Remove special characters from the password on the NSX Manager.

PAN-41558 (69458) When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic
is not routed correctly for third-party IPSec clients, such as StrongSwan.
Workaround: Use a physical firewall interface instead of a loopback firewall interface as
the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure
the loopback interface that is used as the GlobalProtect gateway to be in the same zone
as the physical ingress interface for third-party IPSec traffic.

PAN-40842 (68330) When you configure a firewall to retrieve a WildFire signature package, the System log
shows unknown version for the package. For example, after a scheduled WildFire
package update, the system log shows: Wildfire package upgraded from version
<unknown version> to 38978-45470. This is a cosmetic issue only and does not prevent
the WildFire package from installing.

PAN-40714 (68095) If you access Device > Log Settings on a device running a PAN-OS 7.0 or later release and
then use the CLI to downgrade the device to PAN-OS 6.1 or an earlier release and reboot,
an error message appears the next time you access Log Settings. This occurs because
PAN-OS 7.0 and later releases display Log Settings in a single page whereas PAN-OS 6.1
and earlier releases display the settings in multiple sub-pages. To clear the message,
navigate to another page and return to any Log Settings sub-page. The error will not recur
in subsequent sessions.

PAN-40501 (67713) PAN-OS allows downgrade to content release versions (Applications and Threats) on the
firewall to versions that the current PAN-OS release does not support. For example, if the
firewall is running PAN-OS 7.0.1 and the minimum content release version is 497, the
administrator should not be able to downgrade to a version earlier than 497.
This issue is now resolved. See PAN-OS 7.0.1 Addressed Issues.

PAN-40429 (67552) Firewalls running PAN-OS 6.0 and earlier releases send a NIL value (or en dash) to the
syslog server when no domain or hostname value is configured on the firewall. In PAN-OS
6.1 and later releases, the firewall does not send any value when the domain and
hostname fields are empty; instead, this field is left blank in syslog headers.

PAN-40130 (66976) In the WildFire Submissions Logs, the email recipient address is not correctly mapped to a
username when configuring mapping with group mapping profiles that are pushed in a
Panorama template.

PAN-40079 (66887) The VM-Series firewall on KVM, for all supported Linux distributions, does not support the
Broadcom network adapters for PCI passthrough functionality.

PAN-40075 (66879) The VM-Series firewall on KVM running on Ubuntu 12.04 LTS does not support PCI
passthrough functionality.

PAN-39728 (66233) The URL logging rate is reduced when HTTP header logging is enabled in the URL Filtering
profile (Objects > Security Profiles > URL Filtering > URL Filtering profile > Settings).

PAN-39636 (66059) Regardless of the Time Frame you specify for a scheduled custom report on a Panorama
M-Series appliance, the earliest possible start date for the report data is effectively the
date when you configured the report. For example, if you configure the report on the 15th
of the month and set the Time Frame to Last 30 Days, the report that Panorama generates
on the 16th will include only data from the 15th onward. This issue applies only to
scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround: To generate an on-demand report, click Run Now when you configure the
custom report.

PAN-39501 (65824) Unused NAT IP address pools are not cleared after a single commit, so a commit fails if the
total cache of unused pools, existing used pools, and new pools exceed the memory limit.
Workaround: Commit a second time, which clears the old pool allocation.

PAN-38584 (63962) Configurations pushed from Panorama 6.1 and later releases to firewalls running PAN-OS
6.0.3 or earlier releases will fail to commit due to an unexpected Rule Type error. This
issue is caused by the new Rule Type setting in security policy rules that was not included
in the upgrade transform and, therefore, the new rule types are not recognized on devices
running PAN-OS 6.0.3 or earlier releases.
Workaround: Only upgrade Panorama to version 6.1 or later releases if you are also
planning to upgrade all managed firewalls to a PAN-OS 6.0.4 or later release before
pushing configuration to firewalls.

PAN-38255 (63186) If you perform a factory reset on a Panorama virtual appliance and configure the serial
number, logging does not work until you reboot Panorama or execute the debug
software restart management-server CLI command.

PAN-37511 (60851) Due to a limitation related to the Ethernet chip driving the SFP+ ports, PA-5050 and
PA-5060 firewalls will not perform link fault signaling as standardized when a fiber in the
fiber pair is cut or disconnected.

PAN-37177 (59856) After deploying the VM-Series firewall, when the firewall connects to Panorama, you must
issue a Panorama commit to ensure that Panorama recognizes the firewall as a managed
device. If you reboot Panorama without committing the changes, the firewall will not
connect back to Panorama; although the device group will display the list of devices, the
device will not display in Panorama > Managed Devices.
Further, if Panorama is configured in an HA configuration, the VM-Series firewall is not
added to the passive Panorama peer until the active Panorama peer synchronizes the
configuration. During this time, the passive Panorama peer will log a critical message:
vm-cfg: failed to process registration from svm device. vm-state: active.
This message is logged until you commit the changes on the active Panorama, which then
initiates synchronization between the Panorama HA peers and the VM-Series firewall is
added to the passive Panorama peer.
Workaround: To re-establish the connection to the managed devices, commit your
changes to Panorama (click Commit and select Commit Type Panorama). In case of an HA
setup, the commit will initiate the synchronization of the running configuration between
the Panorama peers.

PAN-37044 (59573) Live migration of the VM-Series firewall is not supported when you enable SSL decryption
using the SSL forward proxy method. Use SSL inbound inspection if you need support for
live migration.

PAN-36730 (58839) When deleting the VM-Series deployment, all VMs are deleted successfully; however,
sometimes a few instances still remain in the datastore.
Workaround: Manually delete the VM-Series firewalls from the datastore.

PAN-36433 (58260) If an HA failover occurs on Panorama at the time that the NSX Manager is deploying the
VM-Series NSX edition firewall, the licensing process fails with the error: vm-cfg: failed
to process registration from svm device. vm-state: active.
Workaround: Delete the unlicensed instance of the VM-Series firewall on each ESXi host
and then redeploy the Palo Alto Networks next-generation firewall service from the NSX
Manager.

PAN-36409 (58202) When viewing the Session Browser (Monitor > Session Browser), using the global refresh
option (top right corner) to update the list of sessions causes the Filter menu to display
incorrectly and clears any previously selected filters.
Workaround: To maintain and apply selected filters to an updated list of sessions, click the
green arrow to the right of the Filters field instead of the global (or browser) refresh
option.

PAN-31832 (49742) The following issues apply when configuring a firewall to use a hardware security module
(HSM):
Thales nShield Connect: The firewall requires at least four minutes to detect that an
HSM has been disconnected, causing SSL functionality to be unavailable during the
delay.
SafeNet Network: When losing connectivity to either or both HSMs in an HA
configuration, the display of information from the show ha-status and show hsm info
commands is blocked for 20 seconds.

PAN-31593 (49322) After you configure a Panorama M-Series appliance for HA and synchronize the
configuration, the Log Collector of the passive peer cannot connect to the active peer until
you reboot the passive peer.

PAN-29441 (45464) The Panorama virtual appliance does not write summary logs for traffic and threats as
expected after you enter the clear log command.
Workaround: Reboot Panorama management server (Panorama > Setup > Operations)
to enable summary logs.

PAN-25743 (40436) Firewalls running PAN-OS 6.1 and later releases do not update FQDN entries unless you
enable the DNS proxy Cache option (Network > DNS Proxy > <DNSProxyconfig> >
Advanced).

PAN-OS 7.0.15 Addressed Issues

The following table lists issues that are addressed in the PAN-OS 7.0.15 release. For an overview of new
features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see
PAN-OS 7.0 Release Information. Before you upgrade or downgrade to this release, review information
about how to Upgrade to PAN-OS 7.0.

Starting with PAN-OS 7.0.11, all unresolved known issues and any newly addressed issues in these release
notes are identified using new issue ID numbers that include a product-specific prefix. Issues addressed in
earlier releases and any associated known issue descriptions continue to use their original issue ID.

Issue ID    Description

PAN-74188 Fixed an issue where conflicting next-hop entries in the egress routing table caused
the firewall to incorrectly route traffic that matched Policy-Based Forwarding (PBF)
policy rules configured to Enforce Symmetric Return.

PAN-73914 A security-related fix was made to address OpenSSL vulnerabilities
(CVE-2017-3731).

PAN-73045 Fixed an issue where HA failover and fail-back events terminated sessions that
started before the failover.

PAN-72769 A security-related fix was made to prevent brute-force attacks on the GlobalProtect
external interface (CVE-2017-7945).

PAN-70674 A security-related fix was made to prevent cross-site scripting (XSS) attacks through
the GlobalProtect external interface (CVE-2017-7409).

PAN-70541 A security-related fix was made to address an information disclosure issue that was
caused by a firewall that did not properly validate certain permissions when
administrators accessed the web interface over the management (MGT) interface
(CVE-2017-7644).

PAN-69801 Fixed an issue where firewalls that had an HA active/active configuration and where
the primary peer was in a tentative HA state did not synchronize session update
messages between the peers, which resulted in dropped session packets after a
session aged out (within 30 seconds).

PAN-62015 Fixed an issue on PA-7000 Series firewalls where, when creating the key for a GRE
packet, the firewall did not use the same default values for the source and destination
ports in the hardware and software, which slowed the firewall performance.

PAN-60376 Fixed an issue where the authentication process (authd) stopped responding and
caused the firewall to reboot after the firewall received a stale response to an
authentication request before selecting CHAP or PAP as the protocol for
authenticating to a RADIUS server.

PAN-58589 Fixed an issue where the dataplane restarted when an out-of-memory condition
occurred on a process (pan_comm).

PAN-57520 Fixed an issue where firewalls stopped connecting to Panorama when the root CA
server certificate on Panorama expired. With this fix, Panorama replaces the original
certificate with a new certificate that expires in 2024.


PAN-53116 Fixed an issue on firewalls with LACP enabled where a commit or LACP flapping
caused a memory leak in the dataplane.

FPGA-232 Fixed an issue on PA-5000 Series firewalls where packets became stuck in the FPGA,
which resulted in packet loss and, on HA firewalls with path monitoring configured,
triggered a failover.

PAN-OS 7.0.14 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS 7.0.14 release. For an overview of
new features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see
PAN-OS 7.0 Release Information. Before you upgrade or downgrade to this release, review the information
in Upgrade to PAN-OS 7.0.

Starting with PAN-OS 7.0.11, all unresolved known issues and any newly addressed issues in these release
notes are identified using new issue ID numbers that include a product-specific prefix. Issues addressed in
earlier releases and any associated known issue descriptions continue to use their original issue ID.

Issue ID Description

PAN-71892 Fixed an issue where an LDAP profile did not use the configured port; the profile used
the default port, instead.

PAN-71073 Fixed an issue where a commit associated with a dynamic update caused an HA
failover when the path monitoring target IP address aged out or when the first
path monitoring health check failed.

PAN-68431 Fixed an issue where firewalls and Panorama failed to send SNMPv3 traps if you
configured the service route to forward the traps over a dataplane interface.

PAN-68074 A security-related fix was made to address CVE-2016-5195 (PAN-SA-2017-0003).

PAN-67090 Fixed an issue where the web interface displayed an obsolete flag for the nation of
Myanmar.

PAN-62319 Fixed an issue where multicast entries were pointing to the wrong IP address for a
rendezvous point (RP) because a recycled interface ID allocated for PIM register
encapsulation retained an old tunnel interface that pointed to the wrong RP.

PAN-59654 Fixed an issue where commits failed on the firewall after upgrading from a PAN-OS
6.1 release due to incorrect settings for the HexaTech VPN application on the
firewall. With this fix, upgrading from a PAN-OS 6.1 release to a PAN-OS 7.0.14 or
later release does not cause commit failures related to these settings.

PAN-58496 Fixed an issue where custom reports using threat summary were not populated.

PAN-56684 Fixed an issue where DNS proxy static entries stopped working when there were
duplicate entries in the configuration.

PAN-OS 7.0.13 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS 7.0.13 release. For an overview of
new features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see
PAN-OS 7.0 Release Information. Before you upgrade or downgrade to this release, review the information
in Upgrade to PAN-OS 7.0.

Starting with PAN-OS 7.0.11, all unresolved known issues and any newly addressed issues in these release
notes are identified using new issue ID numbers that include a product-specific prefix. Issues addressed in
earlier releases and any associated known issue descriptions continue to use their original issue ID.

Issue ID Description

PAN-72616 Fixed an issue on PA-7000 Series firewalls where sessions were dropped with the
flow_bind_pending_full message when using Ethernet IP (etherip) protocol 97,
which resulted in unstable connections and delayed responses.

PAN-70428 A security-related fix was made to prevent inappropriate information disclosure to
authenticated users (CVE-2017-5583 / PAN-SA-2017-0005).

PAN-70312 Fixed an issue where attempts to download threat packet captures (pcaps) from the
threat logs failed with the error File not found, due to a missing Time Generated
column.

PAN-68072 Fixed an issue on VM-Series firewalls where rebooting or configuring a new L3
interface caused the IP range configured on a disabled interface to be incorrectly
installed in the FIB and routing table if you disabled the interface from the vSwitch.

PAN-68062 Fixed an issue where the firewall failed to apply the correct action if the vulnerability
profile had a very long list of CVEs. With this fix, the firewall is able to support up to
64 CVEs per vulnerability rule. If the number of CVEs in the rule is more than 64, the
firewall provides a warning on configuration commit.

PAN-67944 Fixed an issue where a process (all_pktproc) stopped responding because a race
condition occurred when closing sessions.

PAN-66838 A security-related fix was made to address a Cross-Site Scripting (XSS) vulnerability
on the management web interface (CVE-2017-5584 / PAN-SA-2017-0004).

PAN-64638 Fixed an issue where the firewall failed to send a RADIUS access request after
changing the management interface's IP address.

PAN-63204 Fixed an issue where the firewall incorrectly assigned an expired User-ID IP mapping
for 30 seconds after the original mapping had expired.

PAN-62822 Fixed an issue where the firewall dropped RTP traffic matching a predict session
when a video call initiated from the external side of a shared gateway. With this fix,
when a predict session goes across a different vsys or a shared gateway, the firewall
uses the egress interface's vsys to look up the destination zone instead of the
session's vsys.

PAN-62074 Fixed an issue where the User-ID agent incorrectly read the IP address in the security
logs for Kerberos login events.


PAN-61837 Fixed an issue on PA-3000 Series and PA-5000 Series firewalls where the dataplane
stopped responding when a session crossed vsys boundaries and could not find the
correct egress port. This issue occurred when zone protection was enabled with a
SYN Cookies action (Network > Zone Protection > Flood Protection).

PAN-60662 Fixed an issue on devices where commits failed due to issues with a process (authd).

PAN-60591 Fixed an issue where a custom role administrator with commit privileges could not
commit configurations using the XML API.

PAN-59204 Fixed an issue where the firewall did not create an IPSec NAT-T session after a tunnel
re-key until it originated a tunnel keep-alive. When this issue occurred, the firewall
dropped NAT-T traffic packets.

PAN-57338 Fixed an issue where a slow file descriptor leak between two processes (mgmtsrvr and
pan_log_receiver) caused the log receiver to stop responding and degraded
management server performance. This issue occurred after a long device uptime of
more than 380 days.

PAN-56839 Fixed an issue where the dataplane stopped responding when a change to the
aggregate Ethernet (AE) link configuration was committed, resulting in an unexpected
path monitoring condition.

PAN-56700 Fixed an issue where the SNMP OID ifHCOutOctets did not contain the expected
data.

PAN-48095 Fixed an issue where the Panorama dynamic update schedule ignored the currently
installed dynamic update version, and installed unnecessary dynamic updates.

PAN-OS 7.0.12 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS 7.0.12 release. For an overview of
new features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see
PAN-OS 7.0 Release Information. Before you upgrade or downgrade to this release, review the information
in Upgrade to PAN-OS 7.0.

Starting with PAN-OS 7.0.11, all unresolved known issues and any newly addressed issues in these release
notes are identified using new issue ID numbers that include a product-specific prefix. Issues addressed in
earlier releases and any associated known issue descriptions continue to use their original issue ID.

Issue ID Description

PAN-69485 Fixed an issue where User-ID group mapping did not retain groups retrieved from
Active Directory (AD) servers if there were any invalid groups in the group mapping
include list.

PAN-68045 Fixed an issue on PA-7000 Series firewalls where forwarding to WildFire failed due
to an incorrect calculation of file size.

PAN-67986 Fixed an issue where the dataplane restarted due to a corruption in the QoS queue
pointer.

PAN-67587 Fixed a rare condition where a dataplane process (all_pktproc) stopped responding.

PAN-67231 Fixed an issue on PA-5000 Series and PA-3000 Series firewalls where the dataplane
restarted when processing traffic that had an incorrectly set IPv4 Reserved flag.

PAN-66540 Fixed an issue where the management interface and HA interfaces flapped during
installation of a software upgrade, which caused HA failover or split brain.

PAN-64662 Fixed an issue where latency intermittently spiked over 3ms for IPsec traffic. With
this fix, the conditions that contributed to latency spikes are addressed.

PAN-64368 Fixed an issue on PA-7000 Series firewalls where applying a Quality of Service (QoS)
profile to an Aggregated Ethernet (AE) interface caused the reported maximum
egress for the AE interface to differ from the sum of the egress values of the
individual interfaces in the aggregate. With this fix, QoS statistics correctly report the
configured QoS value of an AE interface.

PAN-64263 Fixed an issue where forward proxy decryption failed if the server certificate record
size exceeded 16KB.

PAN-63796 Fixed an issue on PA-7000 Series firewalls where internal looping of tunnel creation
packets caused high dataplane CPU usage.

PAN-63142 Fixed an issue on firewalls where the dataplane restarted when processing IPv6
traffic that matched a predict session.

PAN-61534 Fixed an issue on the web interface where attempting to add multiple IP addresses to
security policies (Policies > Security) failed with the error range separator(-)
not found -> Destination is invalid.

PAN-61367 Fixed an issue where the firewall failed to send a TCP reset (RST) to the client-side
and server-side devices when an application had a Reset both deny action in its
security policy.


PAN-61146 Fixed an issue where changing or refreshing an FQDN configuration with a large
number of IP address entries (more than 32 IPv4 and IPv6 entries) in a single FQDN
object caused the firewall or Panorama to stop responding.

PAN-60751 Fixed an issue where commit failed when an IKEv2 dynamic peer had the same
proposal as an IKEv2 static peer with the same tunnel source interface. With this fix,
a user is allowed to create one dynamic IKEv2 peer with the same proposal as a static
peer, with both peers sharing the same tunnel interface.

PAN-60681 Fixed an issue where Panorama did not correctly verify Device group objects when
pushing configurations with a large number of objects to firewalls, which caused
commit failures with object validation errors.

PAN-60222 Fixed an issue where Panorama allowed you to configure a decryption type on No
Decrypt policies. When Panorama pushed these policies to firewalls, it set the
decryption type to the default value SSL Forward Proxy. With this fix, when you
select No Decrypt as a policy rule action, Panorama disables configuration of the
decryption type.

PAN-60182 In response to an issue where LACP flapped intermittently due to negotiation
failures, priority for LACP processing is enhanced to mitigate flapping, and additional
debug options are added to help isolate negotiation failures.

PAN-59411 Fixed an issue on firewalls where a process (logrcvr) stopped responding. With this fix,
the process uses the correct buffer size to prevent the fault.

PAN-58516 Fixed an issue on PA-500 and PA-2000 Series firewalls where corruption of an
instruction cache caused the firewall to restart. This issue occurred after the firewall
was in continuous operation without a restart for hundreds of days.

PAN-58341 Fixed an issue where Panorama changed LDAP group mappings to <ssl>no</ssl>,
which prevented end users from connecting when these mappings were pushed to
devices. This issue occurred when upgrading from a PAN-OS 6.1 release to a
PAN-OS 7.0 release.

PAN-57946 Fixed an issue on the M-100 appliance where a configuration for a subnet in the
permitted IP addresses of interface Eth1 or Eth2 failed to take effect.

PAN-57819 Fixed an issue where disabling and importing local copies of Panorama policies and
objects resulted in exclusion of Log Forwarding profile imports on multiple virtual
systems (multi-vsys).

PAN-57787 Fixed an issue on Panorama where, if you used the CLI replace command to replace
a device serial number, Panorama updated the managed device serial number but did
not update the serial number in the deployment schedule and in custom reports.

PAN-57715 Fixed an issue where the firewall did not send all of the supported algorithms in the
signature algorithm extension of client hello when negotiating connections with
some SSL sites accessed from version 50 of the Chrome browser, which caused those
connection attempts to fail.

PAN-57593 Fixed an issue where a decryption policy stopped decrypting SSL traffic if you
enabled Wait for URL on SSL decryption.


PAN-57145 Fixed an issue where, if the firewall performed IP and port NAT in the path of a
GlobalProtect Large Scale VPN (LSVPN) IPSec tunnel, a re-key caused the firewall
side to temporarily change back to the default port number for the new tunnel, and
the intermediate NAT device dropped traffic until the old tunnel timed out or was
deleted manually. With this fix, when a re-key happens, the firewall searches and
applies the correct port number to the new tunnel immediately to prevent traffic
drops.

PAN-57121 Fixed an issue where a VM-Series firewall that was in FIPS-CC mode could not
connect to a Panorama server that was in normal mode.

PAN-56918 Fixed an issue where firewalls did not recognize malware that had been
Base64-encoded in a zipped RTF file during an SMTP session.

PAN-56569 Fixed an issue where the top half of text lines failed to display correctly in the PDF
version of the App Scope Threat Monitor Report (Monitor > App Scope > Threat
Monitor).

PAN-56009 Fixed an issue on firewalls installed in an HA active/active configuration where
out-of-order jumbo packets caused the dataplane to restart, which resulted in a
failover.

PAN-55958 Fixed an issue where the firewall did not properly process active FTP data sessions if
the FTP client reused, within a short period of time, the destination port number
that was negotiated in the FTP control session.

PAN-55881 Fixed an issue on PA-5000 Series firewalls where the dataplane restarted in response
to an out-of-memory condition. This issue occurred when a dataplane process
stopped responding, and the information collection procedure that follows a process
failure required more memory than what was available. With this fix, the information
collection procedure does not run when a low-memory condition is present.

PAN-55737 Fixed an issue on PA-200 firewalls where, after the firewall rebooted and before NTP
synchronization occurred, the firewall reported a reboot time without a time zone
calculation to Panorama.

PAN-55243 Fixed an issue where an administrator with read-only privilege was unable to export
Correlated Events logs in CSV format.

PAN-55190 Fixed an issue where firewalls failed to resolve URLs on the dataplane. This issue
occurred when an out-of-memory error caused faults in the URL cache. With this fix,
firewalls handle out-of-memory errors correctly, allowing proper resolution of URLs.

PAN-55045 Fixed an issue where adding objects such as tags to Panorama using the XML API
resulted in those objects not being visible under Policies, Addresses, or Services.

PAN-54423 Fixed an issue where the firewall failed to make the CLI configuration set
authentication radius-vsa-on client-source-ip persistent across system restart.

PAN-54279 Fixed an issue where the FTP file transfer of a large number of small files failed
because the firewall did not install the FTP data channel session in a timely manner.

PAN-53885 Fixed an issue where non-superuser administrators could not see exempt profiles and
security policy rules when viewing threat details in a threat log.

PAN-52274 Fixed an issue where the User-ID process (useridd) stopped responding due to an
issue in an internal library, which caused the firewall to reboot.


PAN-52177 Fixed an issue on PA-7000 Series firewalls where a newly installed and enabled
Network Processing Card (NPC) did not have a correctly programmed forwarding
table, which caused the firewall to drop packets until the forwarding table was
manually flushed. With the fix, the firewall correctly programs the forwarding table
upon slot startup.

PAN-52007 Fixed an issue where QoS statistics for a specific interface were empty after a device
reboot.

PAN-49890 Fixed an issue where exporting custom reports to CSV, XML, and PDF failed.

PAN-OS 7.0.11 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS 7.0.11 release. For an overview of
new features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see
PAN-OS 7.0 Release Information. Before you upgrade or downgrade to this release, review the information
in Upgrade to PAN-OS 7.0.

Starting with PAN-OS 7.0.11, all unresolved known issues and any newly addressed issues in these release
notes are identified using new issue ID numbers that include a product-specific prefix. Issues addressed in
earlier releases and any associated known issue descriptions continue to use their original issue ID.

Issue ID Description

PAN-66677 Fixed an issue on PA-5000 Series firewalls where traffic looped infinitely between
dataplanes, which caused a loss of the affected traffic and a spike in CPU
consumption.

PAN-66250 Fixed an issue on log collectors where a deadlock occurred for inter-log-collector
connections, which caused connectivity issues between log collectors and from
firewalls to log collectors. This issue also caused local buffering of logs on the firewall.
With this fix, log collector connection processing has been modified to eliminate this
deadlock.

PAN-66210 Fixed an issue where a dataplane process failed to restart due to a missing or corrupt
file, which caused the network processing card (NPC) to restart.

PAN-64360 Fixed an issue where the firewall failed to populate the email sender, recipient and
subject information for WildFire reports.

PAN-63073 Security-related fixes were made to prevent denial of service attacks against the web
management interface (PAN-SA-2016-0035).

PAN-62782 Fixed an issue where, if an LDAP refresh query terminated before completion, the
firewall deleted users belonging to the domain user group in the active directory (AD).

PAN-62385 Fixed an issue where, if the firewall lost connectivity with an LDAP server or if you
applied an invalid query filter, and these disruptions occurred during a User-ID group
mapping update, the firewall deleted existing user-group mappings. With this fix,
disruptions during a User-ID group mapping update will cause the firewall to stop
adding new user-group mappings, and the firewall will not delete existing user-group
mappings.

PAN-61815 Fixed a rare issue where VM-Series firewalls stopped generating traffic, threat or URL
logs, or lost the ability to resolve the URL category.

PAN-61554 Fixed an issue on firewalls where a memory leak in a process (authd) caused all
authentications to the firewall to fail.

PAN-61468 A security-related fix was made to address CVE-2016-6210 (PAN-SA-2016-0036).

PAN-61104 A security-related fix was made to address a local privilege escalation issue
(PAN-SA-2016-0034).

PAN-61046 A security-related fix was made to address a cross-site request forgery issue
(PAN-SA-2016-0032).


PAN-58673 Fixed an issue where the firewall did not use a second LDAP server for authentication
if the first LDAP server was unreachable.

PAN-58418 Fixed an issue where Panorama could not sync to the NSX manager after a reboot or
a failover, which caused a service outage. With this fix, sync works as expected.

PAN-58410 Fixed an issue on VM-Series firewalls in an HA configuration where, after a failover
occurred, an interface on the active firewall displayed its status as
ukn/ukn/down(autoneg).

PAN-58086 Fixed an issue on firewalls where a process (devsrvr) restarted if you committed a
configuration that used more than 64 vendor IDs in a single vulnerability protection
rule. With this fix, if you commit a configuration with more than 64 vendor IDs in a
single rule, you receive a warning that you have exceeded the maximum number of
IDs, and the process restart does not occur.

PAN-57855 Fixed an issue where the firewall stopped forwarding logs and discarded logs even
when the incoming logging rate was low. With this fix, the processing of logs is
optimized to increase pre-matching, and CPU load is reduced to prevent the queue
from becoming full and discarding logs.

PAN-57323 Fixed an issue where VPN traffic went into a discard state because the firewall
allowed packets to be sent through the tunnel prior to the completion of the IKE
Phase 2 re-key process.

PAN-57055 Fixed an issue on VM-Series firewalls where traffic processing slowed down for two
to three minutes after the firewall received a burst of packets on the HA2 data link.

PAN-56978 Fixed an issue where a VMware NSX edition firewall had incorrect address group
objects pushed via Panorama updates.

PAN-56973 Fixed an issue on firewalls where emails configured to use the per-virtual system
(vsys) SMTP service route were sent using the global SMTP service route settings.
With this fix, emails use the configured virtual system SMTP service route.

PAN-56775 Fixed an issue on firewalls where, if you configured the firewall to perform a monthly
update of the external block list (EBL), the firewall incorrectly initiated an EBL refresh
job every second.

PAN-56650 Fixed an issue where a log collector failed to send the system log to the active
Panorama peer in an HA active/passive Panorama configuration after the active peer
restarted.

PAN-56616 Fixed an issue where the firewall truncated user group names when the name
exceeded 150 characters. With this fix, the firewall preserves the complete group
name even if the user group name exceeds 150 characters, up to a maximum of 255
characters.

PAN-56438 Fixed an issue on firewalls where the internal value for block time in the Denial of
Service (DoS) table exceeded the configured block time. This issue occurred on
firewalls installed in an HA configuration.

PAN-56332 Fixed an issue where commits on Panorama failed because a process (cord) stopped
responding.


PAN-56280 Fixed an issue where the firewall displayed the status of a 10G SFP+ virtual wire
interface as 10000/full/up when the configured state of the interface was
auto/auto/down. This issue occurred when Link State Pass Through in Network >
Virtual Wires was enabled.

PAN-56221 A security-related fix was made to address a cross-site scripting (XSS) condition in the
web interface (PAN-SA-2016-0033).

PAN-56200 Fixed an issue where the firewall allowed access to the search engine's cached
version of a web page even though the page belonged to a URL category blocked by
a policy.

PAN-56034 Fixed an issue where WildFire platforms experienced non-responsive processes and
sudden restarts under certain clients traffic conditions.

PAN-55651 Fixed an issue on firewalls where, regardless of the configured metric, OSPF
preferred Type-2 external metrics over Type-1 external metrics.

PAN-55560 Fixed an issue on firewalls where a memory condition caused the dataplane to restart
with the message Dataplane is down: too many dataplane processes exited.

PAN-55237 A security-related fix was made to address an XPath injection vulnerability in the web
interface (PAN-SA-2016-0037).

PAN-55199 Fixed an issue where, if you used SNMP to check the status of a tunnel interface, the
firewall provided incorrect information.

PAN-54696 Fixed an issue on firewalls where incorrect handling of selective acknowledgment
(SACK) packets caused a decrease in download speeds on SSL-decrypted traffic.

PAN-53039 Fixed an issue on firewalls where the SNMP ifOperStatus OID did not reflect state
changes of the aggregate Ethernet (AE) interfaces in an LACP trunk configuration.

PAN-52901 Fixed an issue where the dataplane restarted and dataplane processes stopped
responding when passing SSH traffic using SSH decryption.

PAN-52379 A security-related fix was made to address CVE-2015-5364 and 2015-5366
(PAN-SA-2016-0025).

PAN-52183 Fixed an issue where Panorama management servers running PAN-OS 7.0 or a later
PAN-OS release failed to display or download reports received from firewalls running
PAN-OS 6.1 or earlier releases.

PAN-52164 Fixed an issue where Traffic logs reported cumulative bytes for sessions with TCP
port reuse, which caused custom reports to incorrectly report the byte count.

PAN-49397 Fixed an issue on firewalls where a process (varrcvr) stopped responding when you
requested WildFire statistics after receiving an unexpected response code from the
WildFire Cloud, such as an error response code during query or upload.

PAN-48508 Fixed an issue where the passive Panorama server in an HA configuration did not
display application data in the Application Command Center (ACC) or in App Scope.

PAN-OS 7.0.10 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS 7.0.10 release. For an overview of
new features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see
PAN-OS 7.0 Release Information. Before you upgrade or downgrade to this release, review the information
in Upgrade to PAN-OS 7.0.

Issue ID Description

102600 Fixed an issue on firewalls where, if you configured GlobalProtect to use
certificate-based authentication, users on Chromebook endpoints received prompts
to log on using username and password.

101406 Fixed an issue on firewalls where CPU utilization on the dataplane was higher than
expected.

101089 Fixed an issue where a firewall incorrectly applied SSL decryption to traffic in a
custom URL category. This issue occurred when the firewall inspected traffic
between the client and an explicit HTTP proxy, and the client hello message did not
contain server name information (SNI).

100129 Fixed an issue on firewalls in an HA active-passive pair where HA configuration sync
failed. This issue occurred when configuration sync from the active firewall happened
while the passive firewall was in a state where a local commit failed. With this fix,
configuration sync from the active firewall overwrites the configuration on the
passive firewall, and configuration sync succeeds.

100115 Fixed an issue on firewalls where the dataplane restarted while processing a chain of
tunnel packets.

99918 Fixed an issue on firewalls where a process (devsrvr) restarted repeatedly due to a
problem with the internal URL cache structure.

99818 Fixed an issue where the firewall did not provide a blocked page response if you
accessed a blocked application over HTTPS.

PAN-60568 (99786) A security-related change was made to address a version disclosure in GlobalProtect
(PAN-SA-2016-0026).

99057 Fixed an issue on firewalls where, if you configured virtual routers with OSPF Type-5
external routes with non-zero forward addresses, the routing tables of some virtual
routers did not contain the routes. With this fix, OSPF Type-5 external routes install
as expected in the virtual routers.

98684 Fixed an issue on VM-Series firewalls where, if path monitoring for HA used IPv6
addressing, the firewall used the wrong IPv6 address and path monitoring checking
failed.

98602 Fixed an issue where the Panorama management server had a memory increase due
to syncing of WildFire reports from Panorama to log collectors.

98388 Fixed an issue where the firewall brought down a tunnel that terminated at an IKE
gateway configured for dynamic IP addressing when the IP address of the gateway
changed. With this fix, the firewall does not bring down a tunnel if the IKE gateway
dynamic IP address changes.


98188 Fixed an issue on firewalls where HA failover did not occur immediately after the
control plane failed on the active firewall.

97466 Fixed an issue on firewalls where a TCP reassembly failure for a reused TCP session
prevented users from accessing Windows Server 2012 sites and applications.

97282 Fixed an issue on PA-7000 Series firewalls where a slot stopped responding due to a
memory condition.

97063 Fixed an issue on firewalls where User-ID group mapping stopped working due to a
race condition.

96800 Fixed an issue on firewalls where, if you monitored server status from the user
interface, the connection state appeared to toggle between the connected and
disconnected states even though the server remained connected. This issue occurred
for servers with agentless user mapping when you selected Enable Session in Device
> User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup >
Server Monitor.

96155 Fixed an issue on VM-Series firewalls where the passive firewall interface in an HA
pair went down, even with Passive Link State set to auto in the HA configuration.

96082 Fixed an issue where the firewall responded to Microsoft network load balancing
(MS-NLB) multicast packets by incorrectly sending the multicast address as the
source address.

PAN-57659 (95895) A security-related fix was made to address a cross-site scripting condition in the web
interface (PAN-SA-2016-0031).

95864 Fixed an issue where the GlobalProtect portal did not negotiate encryption
algorithms correctly, which caused errors on recent releases of browsers with newly
available stricter checking enabled. After this fix, the portal negotiates the correct
algorithms to eliminate browser errors.

95797 Fixed an issue on Panorama where, if you selected Group HA Peers, previously
selected individual firewalls became unselected, leaving only the most recently
selected firewalls as part of the grouping configuration.

95604 Fixed an issue where firewalls configured with OSPFv3 adjacency and AH
authentication header profiles failed to establish full adjacency because the
fragmented OSPFv3 packets failed the AH authentication check.

95034 Fixed an issue on firewalls where, if you used the XML API to redistribute User-ID
mapping information, and the mapping used a timeout value of NEVER, the firewall
incorrectly changed the timeout value to 3600.

94853 Fixed an issue where Panorama incorrectly removed the LDAP domain field when it
pushed a template configuration to a firewall running a PAN-OS 6.x release. This
issue occurred in a configuration when Panorama used a PAN-OS 7.x release and
firewalls used a mixture of PAN-OS 6.x and PAN-OS 7.x releases.

94615 Fixed an issue on 7000 Series firewalls where the designated Log Card interface did
not transmit a gratuitous ARP upon failover, which caused connectivity issues with
neighboring devices.

94435 Fixed an issue where a firewall failed to learn of OSPF neighbors that were on
interfaces configured with a maximum transmission unit (MTU) of 9216 because the
OSPF database exchange failed for jumbo packets.


94282 Fixed an issue on PA-7000 Series firewalls configured as HA pairs where, after the
active firewall failed over to become the passive firewall, the newly passive firewall
restarted with the error message: internal packet path monitoring failure.
With this fix, the firewall will not restart after becoming passive.

94166 Fixed an issue on firewalls where, if you configured a Netflow profile under a virtual
system (vsys), you could not assign the Netflow profile to a subinterface that is part
of the same vsys.

94136 Fixed an issue where a PA-200 firewall reported an antivirus update job as successful
when the update downloaded without installing. With this fix, a larger timeout value
allows the installation to complete.

94115 Fixed an issue on firewalls where, if you implemented an authorization profile for
OSPF with MD5 authentication on a firewall configured for FIPS-CC mode, the
dataplane restarted.

93770 Fixed an issue where the firewall interpreted a truncated external dynamic list IP
address (such as 8.8.8.8/) as 0.0.0.0/0 and blocked all traffic. With this fix, the firewall
ignores incorrectly formatted IP address entries.

93394 Fixed an issue on firewalls where the dataplane restarted when processing SSL
packets with an oversized Layer 2 header.

92934 Fixed an issue where a firewall configured for DHCP relay (with multiple DHCP relays
or in certain firewall virtual system configurations) rebroadcast a DHCP packet on the
same interface that received the packet, which caused a broadcast storm. With this
fix, the firewall drops duplicate broadcasts instead of retransmitting them.

92912 Fixed an issue on Panorama where an administrator received a File not found
error when attempting to view a threat packet capture (pcap).

92701 Fixed an issue where Panorama displayed an unauthorized request message to a
device group and template administrator when the administrator attempted to view
shared device group policies.

92621 Fixed an issue where forwarded threat logs used inconsistent formatting between
the Request field and the PanOSReferer field. With this fix, the PanOSReferer field
uses double quotes for consistency with the Request field.

92523 Fixed an issue where, for firewalls in an HA active/active configuration, an Oracle
redirects predict session synchronized to the peer device became stuck in the
Opening State because the parent session was not installed on the peer device.
With this fix, the firewall ensures the parent session is installed on the peer device
and the Oracle redirects predict session transitions to active state to allow for
successful Oracle client-to-server communication.

91474 Fixed an issue that prevented a firewall in Common Criteria Evaluation Assurance
Level 4 (EAL4) mode from connecting to Panorama HA pair units in Common Criteria
(CC) mode.

91086 Fixed an issue where the firewall experienced BGP disconnections because the
firewall failed to send keep-alive messages to neighbors within specified timers.

90596 Fixed an issue on PA-5000 Series firewalls where the FPGA did not initialize. With
this fix, the FPGA is automatically reprogrammed after an initialization failure so that
it can attempt multiple re-initializations before triggering a boot failure.


90508 Security-related fixes were made to address CVE-2016-0777 and CVE-2016-0778
(PAN-SA-2016-0011).

90145 Fixed an issue where the system log in Panorama did not contain complete username
and job ID information. With this fix, Panorama displays the username and job ID
correctly, but firewalls continue to show panorama as the username in system logs
for commit-all configurations.

89891 Fixed an issue where Threat logs forwarded from the firewall had an extra colon
when using TCP for the transport protocol. With this fix, the format of forwarded logs
over TCP and UDP is consistent.

89284 Fixed a reporting issue where the non-standard port ACC widgets displayed
inaccurate info. This issue occurred when traffic on the firewall ran on standard ports
matching custom applications pushed by Panorama.

88841 Fixed an issue on firewalls where a process (routed) stopped responding.

88651 Fixed an issue where a process (useridd) stopped responding when the running config
was missing the port number associations for the Terminal Services (TS) Agent.

88194 Fixed an issue where Panorama did not log if the Force Template Values option was
in the checked state when applying a Template or Device Group commit. With this
fix, the Panorama logs will indicate if the Force Template Values option is in the
checked state when doing a Template or Device Group commit.

87870 Fixed an issue where an OSPF route with a lower administrative distance than the
static route should become the preferred route but was not installed and used as
expected; the firewall continued to use the static route instead.

87727 Fixed an issue where a virtual system custom role administrator could not add
user-to-IP mappings using the XML API.

87052 Fixed an issue where firewalls could not use an EU region AWS virtual private cloud
as a VM information source. This issue occurred because the firewall used signature
version 2 to sign API requests while the EU region Amazon Machine Image (AMI)
used signature version 4. With this fix, the firewall uses the supported signature
version.

85361 Fixed an issue where, if you used the CLI to input more than 126 addresses in an
address group or 126 URLs in an allow list, the firewall did not apply the
configuration.

83569 Fixed an issue where multiple QoS changes while under a heavy load caused the
dataplane to restart.

82165 Fixed an issue where a firewall configured to block URL categories over HTTPS did
not send a FIN/ACK to the browser to close the connection after sending a block
page. This issue occurred for firewalls configured to perform NAT.

81451 Fixed an issue on Panorama where device group and template administrators were
unable to change their own passwords.

81178 Fixed an issue where, if you filtered the URL logs, the returned results did not include
expected matches.

79472 Fixed an issue where Panorama truncated system logs to 180 characters.

PAN-OS 7.0.9 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS 7.0.9 release. For an overview of new
features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see
PAN-OS 7.0 Release Information. Before you upgrade or downgrade to this release, review the information
in Upgrade to PAN-OS 7.0.

Issue ID Description

99505 Fixed an issue on firewalls where long client IDs caused the DHCP service to stop
responding, leading to a firewall restart.

98510 Fixed an issue where exported log files did not correctly escape certain characters,
such as commas (,), backslashes (\), and equal-to operators (=).

98327 Fixed an issue on firewalls where an FQDN refresh or a content update triggered an
unexpected configuration commit after you applied a pre-commit validation. With
this fix, an FQDN refresh or a content update will not trigger a configuration commit.

98112 Fixed an issue with firewalls in an HA active/active configuration where session
timeouts for some traffic were unexpectedly refreshed after a commit or HA sync
attempt.

97763 Fixed an issue where a PA-200 firewall failed to download a PAN-OS software
update due to an incorrect disk space calculation.

97571 Fixed an issue on firewalls where reusing previous port information (tcp-reuse) for
new sessions caused traffic in those sessions to be dropped.

97247 Fixed an issue where a PA-200 firewall failed to download a content update due to
disk space issues after a failed antivirus update installation. With this fix, the firewall
will, as part of the update installation process, clean up all temporary files even if the
update installation fails.

97099 Fixed an issue where, after importing the configuration from a Panorama M-100
device to a Panorama M-500 device, the existing security profiles and log forwarding
profiles could not be selected.

95622 Security-related fixes were made to address issues identified in the May 3, 2016
OpenSSL security advisory (PAN-SA-2016-0020).

95462 Fixed an issue on PA-5000 and PA-7000 Series firewalls where the dataplane
repeatedly stopped responding.

95133 Fixed an issue where the firewall incorrectly applied policy-based forwarding (PBF) to
sessions created via prediction (such as ftp-data sessions).

94765 Fixed an issue where NAT translation did not work as expected when the
administrator deleted a virtual system (vsys) from a firewall with multiple virtual
systems (multi-vsys) and NAT rules configured without first deleting NAT rules
associated with the vsys. With this fix, when the administrator deletes a vsys, the
firewall automatically deletes NAT rules associated with that vsys.

94573 Fixed an issue where, under specific conditions, a firewall dropped incoming
PSH+ACK segments from the server.


94569 Fixed an issue where integrated WildFire report from WF-500 did not display
correctly when using Internet Explorer 11.

94165 Fixed an issue where the firewall generated WildFire Submissions logs with an
incorrect email subject and sender information when sending more than one email to
a recipient in a POP3 session.

93961 Fixed an issue where a process (configd or mgmtsrvr) restarted due to the use of
special characters, such as a bracket character [ or ] in a search field (for
example, in the Address section).

93865 Fixed an issue on an M-100 appliance in Log Collector mode where locally created
proxy configurations were lost when a commit was performed from Panorama. With
this fix, locally created proxy configurations persist after a Panorama commit.

93855 Fixed an issue where the DNS proxy template object that was pushed from Panorama
did not override that object on the firewall as expected.

93783 Fixed an issue on firewalls where autocommit failed if an administrator configured an
IPSec tunnel using the manual key method.

93778 Fixed a rare issue where a bind request from the firewall to the LDAP server failed.

93667 Fixed an issue on firewalls where the GlobalProtect endpoint incorrectly failed the
Host Information Profile (HIP) evaluation when there is an empty missing-patch tag
in the HIP Report and the Check setting for patch management in HIP Objects criteria
was set to has-all (Objects > GlobalProtect > HIP Objects > Patch Management >
Criteria).

93540 Fixed an issue where a read-only superuser could not export a threat packet capture
(PCAP) file from the GUI, which displayed a File not found message.

93531 Fixed an issue on firewalls where, if you exported to CSV format from two or more
custom scheduled reports, the export process produced the same file for both
reports.

93508 Fixed an issue where a process (logrcvr) stopped responding and restarted repeatedly
after an upgrade to content release version 571, which caused the firewall to reboot.
Content release version 572 mitigated this issue but this fix ensures that firewalls
running PAN-OS 7.0.9 and later releases (or PAN-OS 7.1.2 and later releases) will not
be affected by this issue.

93449 Fixed an issue where the API browser displayed the incorrect XML API syntax for the
show arp all command.

92863 Fixed an issue where a process (mgmtsrvr) stopped responding and created core files
during firewall startup.

92752 Fixed an issue where Panorama exported an incomplete CSV file because a custom
report name contained a space.

92684 Fixed an issue on firewalls where a process (l3svc) stopped responding when
processing a large number of user authentication requests.

92677 Fixed an issue where the Comodo RSA certificate authority (CA) was not included in
the default trusted root on the firewall, which caused SSL decryption to fail on sites
using this as their CA.


92610 Fixed an issue on PA-200 firewalls where the firewall stalled during bootup after an
upgrade from PAN-OS 6.1.12 or an earlier PAN-OS 6.1 release to a PAN-OS 7.0 or
later release.

92472 Fixed an issue where, during the connection of a satellite to the GlobalProtect
gateway, the Online Certificate Status Protocol (OCSP) verification for the
GlobalProtect certificate failed because the OCSP response did not contain the
signature certificate.

92466 Fixed an issue on Panorama where you could not enable the setting remove tcp
timestamp in a zone protection profile pushed via a template from Panorama 7.0.x
to devices running a PAN-OS 6.1 release. With this fix, Panorama will be able to push
the remove tcp timestamp configuration to devices running a PAN-OS 6.1 release.

PAN-55259 (92106) A security-related fix was made to address multiple NTP vulnerabilities
(PAN-SA-2016-0019).

91998 Fixed an issue where the set application dump on rule CLI command did not
work for Security policy rules pushed to firewalls from Panorama.

91785 Fixed an issue where a Panorama process (configd) stopped responding when trying
to add tags to multiple firewalls (Panorama > Managed Devices) at the same time.

91522 Fixed an issue where a cloned application name could not be edited after it was
cloned from a Shared/Device Group location to a Shared location. With this fix, the
cloned application names are editable.

91379 Fixed an issue where an out-of-sequence packet was passed through the firewall.

91269 Fixed an issue where the firewall restarted the dataplane after a process stopped
responding.

91156 Fixed an issue on Panorama where performing log queries and reports resulted in
incorrect reporting of multiple Panorama logged-in administrators on PA-7000 Series
firewalls.

91034 Fixed an issue on the WildFire platform where, if the snmp.log file was over 5MB, the
SNMP daemon (snmpd) process cleared the log file and restarted.

90933 Fixed an issue where the firewall generated superfluous logs (for traffic that did not
match the configured filters) after you enabled dataplane debugging. With this fix,
the firewall will correctly filter the logs, but some superfluous logs will be observed.

90691 Fixed an issue on firewalls running a PAN-OS 7.0 or later release where the web
interface became inaccessible (502 bad gateway error) when sending a high rate
of concurrent User-ID XML API POST requests.

90677 Fixed an issue on firewalls where the flow_mgmt process stopped responding, which
caused the dataplane to restart.

90618 Fixed an issue on Panorama where creating an exemption for a threat name from the
Threat log caused the web interface to display the exemption multiple times
depending on the number of sub-device groups. After the fix, the interface correctly
displays only one profile name.

90252 Fixed an issue where firewalls deployed in an Active/Active configuration dropped
DNS traffic packets with a corresponding increment in the session_state_error
counter.


90141 Improved output of the command request batch license info on Panorama to include
license expiration times.

90106 Fixed an issue where a process restarted unexpectedly due to the reuse of a process
ID (PID). The PID was associated with an old SSH session that the firewall intended
to terminate because the SSH session had timed out but was never closed properly,
which inadvertently resulted in a restart of the process currently associated with that
PID.

89984 A security-related fix was made to address a stack overflow condition
(PAN-SA-2016-0024).

89620 Fixed an issue where SSL inbound decryption failed when a client sent a Client Hello
with TLS 1.2 while the server supported only TLS 1.0.

89264 Fixed an issue where DNS resolution failed when message compression was disabled
on the DNS server, which resulted in case mismatch between CNAME query and
answer values in DNS server replies. With this fix, the firewall ignores case in CNAME
values so that query and answer values match and DNS requests resolve successfully.

88585 Fixed an issue where DNS proxy rules didn't consistently match a domain name with
the correct primary IP addresses. With this fix, matching logic favors results that do
not include wildcards.

88225 Fixed an issue where the firewall could not register with the WildFire public cloud
due to a problem with the log cache size becoming too large. With this fix, a limitation
mechanism is added to control the log cache size.

87414 Fixed a cosmetic issue where the traffic log type was displayed in the severity
column of the Log Forwarding profile.

87223 Fixed an issue where a process (mprelay) stopped responding due to a race condition
related to the age-out logic for MFIB entries.

87154 Fixed an issue where firewalls stopped forwarding data to the WildFire cloud. With
this fix, if the connection to the WildFire cloud fails, the firewall attempts to
reconnect after the initial failure and resumes forwarding when successfully
reconnected.

86990 Fixed an issue on a firewall where a process (sslvpn) repeatedly restarted due to an
internal thread synchronization issue.

86979 Fixed an issue where an incomplete IPSec tunnel configuration (one without an IKE
gateway specified) caused the firewall server process to stop responding.

85015 Fixed an issue where the API did not list Correlated Events as supported log
types. With this fix, the type=log parameter in the API includes log-type=corr,
log-type=corr-detail, and log-type=corr-categ as supported log types.
For more information, refer to Retrieve Logs (API).

83086 Fixed an issue where the output of the show dos-protection <zone-name>
blocked source command didn't display the correct data for the requested zone.

83008 Fixed an issue where VM-Series firewalls experienced packet loss. With this fix, an
internal buffer is increased in size to prevent the packet loss.


82613 Fixed an issue where firewalls downloaded multiple Certificate Revocation Lists
(CRLs) because the CRL verification process did not support certain extension types
in the list. With this fix, if the firewall encounters a CRL with the extension Issuing
Distribution Point it will return the status of the certificate as Unknown.

81750 Fixed an issue on PA-200 firewalls where files in the /tmp partition caused a low disk
space condition. With this fix, some files in /tmp are relocated to other partitions to
improve disk space allocation.

80628 Fixed an issue where WildFire content updates showed timestamps with future
dates.

69900 Fixes introduced in PAN-OS 7.0.0 are enhanced in this release. With this fix in the
PAN-OS 7.0.9 release, the tech support file contains a filtered version of the
php.debug.log file, which was excluded from the previous fix.

44888 Fixed an issue on firewalls where, if you enabled SYN cookies, dropping the original
SYN packet and sending SYN-ACK back to the client incorrectly triggered an
increment in the flow_dos_rule_drop counter.

PAN-OS 7.0.8 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS 7.0.8 release. For an overview of new
features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see
PAN-OS 7.0 Release Information. Before you upgrade or downgrade to this release, review the information
in Upgrade to PAN-OS 7.0.

Issue ID Description

97313 Fixed an issue where the management plane of Panorama M-100 and M-500
appliances stopped responding when renaming objects or security policies due to
memory corruption.

96792 Fixed an issue where commits failed due to a memory leak related to HA sync of the
candidate configuration that caused the passive Panorama peer to stop responding.

94757 Fixed a rare issue on firewalls where Security policy rules included empty dynamic
block lists (0.0.0.0/0) after a Commit from Panorama with Force Template Values
enabled.

93729 Fixed an issue where SSH decryption caused a dataplane memory leak and restart.

93072 A security-related change was made to address an issue in the policy configuration
dialog (PAN-SA-2016-0014).

92763 Fixed an issue where commits failed due to a validation error that occurred when
Panorama pushed Authentication Sequence profiles that included a virtual system
that was not migrated properly during an upgrade from a Panorama 6.1 release to a
Panorama 7.0 or later release.

92391 Fixed an issue where firewall Traffic logs displayed unusually large byte counts for
sessions passing through proxy servers.

92293 A security-related fix was made to address CVE-2016-1712 (PAN-SA-2016-0012).

91900 Fixed an issue where a Panorama validate operation followed by an FQDN refresh
caused the validated configuration change to commit to the firewall.

PAN-55122 (91886) A security-related fix was made to address CVE-2015-7547 (PAN-SA-2016-0021).

91876 Fixed an issue where the passive firewall in a VM-Series ESXi configuration was
processing and forwarding traffic.

91799 Fixed an issue where a PA-7050 firewall did not display logs as expected and caused
a process (logrcvr) to stop responding.

91728 A security-related fix was made to address a Denial of Service condition related to
the API (PAN-SA-2016-0008).

91724 Fixed an issue where an autocommit of an incremental antivirus update failed after a
reload due to a corrupt virus signatures file and a failed incremental installation. With
this fix, incremental content installation has enhanced protections to prevent
autocommit failures, and will log additional information to assist with
troubleshooting.

91653 Fixed an issue where SSL decryption did not work as expected for resumed sessions.


91643 Fixed a rare issue where traffic that triggered an SSL decrypt URL proxy action
caused a process (all_task) to restart.

91497 Fixed an issue where stale next-hop MAC entries persisted on the session offload
processor after you modified a subinterface configuration, which caused SSH
connections to fail. With this fix, the management plane cache no longer duplicates
next-hop MAC entries, which prevents the stale entries that caused SSH connections
to fail.

91336 Fixed an issue where the packet processor stopped responding when proxy packets
were switched to the fastpath group on the dataplane.

90982 Fixed an issue where upgrading from a PAN-OS 6.1 release to PAN-OS 7.0.3 or a
later PAN-OS 7.0 release caused the GlobalProtect portal or gateway and SSL
decryption processes to stop responding. This issue occurred because SSL/TLS
Service Profiles (introduced in PAN-OS 7.0) were not created successfully if you did
not enable multiple virtual system (multi-vsys) functionality on the firewall. With this
fix, SSL/TLS Service profiles are now successfully created on non-multi-vsys
platforms when upgrading to PAN-OS 7.0.8 or later releases or to PAN-OS 7.1
releases.

90857 Fixed an issue with a Panorama passive peer in an HA configuration where
administrators were unable to configure the Dynamic Updates schedule for
Applications and Threats updates.

90856 Fixed an issue where the dialog for creating certificates and the dialog for editing
certificates had different character limits for the certificate name. With this fix, the
certificate name field in both dialogs allows up to 63 characters.

90842 Fixed an issue where the firewall received an unencrypted empty ISAKMP packet in
quick mode that caused a process (ikemgr) to stop responding.

90794 Fixed an issue where a log file (/var/log/wtmp) inflated and consumed the
available disk space. With this fix, PAN-OS software uses a log rotation function to
prevent log files from consuming more disk space than necessary.

90680 Fixed an issue on PA-500 firewalls where certain processes (l3svc and sslvpn) stopped
responding after the firewall attempted a dynamic update.

90635 A security-related fix was made to address a cross-site scripting condition in the
Application Command Center (ACC) (PAN-SA-2016-0009).

90553 Fixed an issue where Data Filtering and WildFire Submissions logs for non-NAT
sessions contained incorrect or invalid NAT information.

90326 Fixed an issue on PA-7000 Series firewalls where botnet reports were not created
consistently due to a log cleanup job that ran just prior to when the botnet reports
were generated, which on some days resulted in empty or no botnet reports. With
this fix, the botnet log cleanup job takes place after the daily generation of botnet
reports so that daily reports are created and populated as expected.

90256 Fixed an issue where decrypted SSH sessions were not mirrored to the decrypt
mirror interface as expected.

90249 Fixed an issue where upgrading from a PAN-OS 6.1 or earlier release prevented
administrators from overriding LDAP group mappings that were pushed from
Panorama.


90044 Fixed an issue where log forwarding in Panorama failed when using syslog over TCP.

89979 Fixed an issue where the Aggregate Ethernet (AE) interface port in virtual wire mode
with link state pass through enabled came up after a commit; although its peer AE
interface port was down. With this fix, the other AE interface port will come up after
the commit and is then brought down in approximately 10 seconds. This causes both
AE interfaces to stay down until the first AE interface recovers.

89917 Fixed an intermittent issue where one or more interfaces on a VM-Series firewall
deployed in the Amazon Web Services (AWS) cloud could not obtain IP addresses
from a DHCP server after booting up.

89910 Fixed an issue where all LLDP packets were sent with the source MAC address of the
MGT interface instead of the dataplane interface from which they were transmitted.
With this fix, LLDP packets are encapsulated with the source MAC address of the
interface that transmitted the packet.

89743 Fixed an issue where commits failed due to processes (configd and mgmtsrvr) that
stopped responding. This issue was caused by memory corruption related to the
scheduling of WildFire dynamic updates.

89551 Fixed an issue where User Activity Reports delivered via the Email Scheduler did not
include usernames that contained German characters.

88646 Fixed an issue where predicted FTP sessions were not established as expected from
the parent FTP session.

88346 Fixed an issue where a firewall was sending BGP packets with the wrong MD5
authentication value.

88327 Fixed an issue where several valid country codes were missing in the Certificate
Attributes section when generating a certificate from the web interface.

88157 Fixed an issue with reduced throughput for traffic originating on the firewall and
traversing a VPN tunnel.

87851 Fixed an issue where high rates of fragmented packets caused the firewall to
experience a spike in packet buffer, descriptor, and CPU usage.

87741 Fixed an issue on PA-3000 Series firewalls where the dataplane restarted after an
upgrade.

87179 Fixed an issue where a virtual system (vsys) in a Panorama template was assigned
duplicate vsys numbers during commit to the firewall.

PAN-52038 (86767) A security-related fix was made to address CVE-2015-7547 (PAN-SA-2016-0029).

86623 Fixed an issue where a firewall in an HA active/passive configuration dropped FTP
PORT command packets after a failover.

86123 Fixed an issue where an M-100 appliance in an HA pair had a process (configd)
repeatedly restart, causing HA sync to fail.

85160 Fixed an issue where a firewall lost members of a domain group after a failover from
the primary to the secondary LDAP server when the last modified timestamp for the
group was not the same on both servers.


84115 Fixed an issue where virtual system administrators (full access or read-only) were
unable to access settings under the Network tab (Panel for undefined not
registered was displayed, instead).

83239 Fixed an issue where inbound SSL decryption did not work as expected when you
enabled SYN cookies.

PAN-48954 (81411) Security-related fixes were made to address issues identified in the March 19, 2015
and June 11, 2015 OpenSSL security advisories (PAN-SA-2016-0028).

80953 Fixed an issue on firewalls in an HA active/active configuration that included virtual
wire interfaces where packets did not adhere to virtual wire forwarding paths and
caused MAC address flapping on neighbor.

77822 Fixed an issue on a VM-Series NSX edition firewall that sent Dynamic Address Group
information only to the primary virtual system (VSYS1) on the integrated physical
firewall at the data center perimeter. With this fix, a VM-Series NSX edition firewall
configured to Notify Device Group sends Dynamic Address Group updates to all
virtual systems on a physical firewall running PAN-OS 7.0.8 or a later PAN-OS 7.0
release.

PAN-OS 7.0.7 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS 7.0.7 release. For an overview of new
features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see
PAN-OS 7.0 Release Information. Before you upgrade or downgrade to this release, review the information
in Upgrade to PAN-OS 7.0.

Before you upgrade to PAN-OS 7.0.3 or a later PAN-OS 7.0 release, review the information about how to upgrade a
firewall to PAN-OS 7.0. Additionally, if virtual system (vsys) configuration is not enabled on your firewall or appliance,
you must reboot your firewall or appliance after you install PAN-OS 7.0.1 and before you upgrade to PAN-OS 7.0.3
or a later release.

Issue ID Description

94912 Fixed an issue in PAN-OS 7.0.6 where WF-500 appliances returned false positive
results primarily for Microsoft Word (.docx) files.

93775 Fixed an issue where packet diagnostics failed due to an unnecessarily large debug
log related to HA3 packet forwarding.

93644 Fixed an issue on PA-3000 Series firewalls where processing jumbo frames that were
larger than 7,000 bytes during a period of heavy traffic caused the FPGA to stop
responding. With this fix, the FPGA thresholds are adjusted to correctly handle up to
9KB jumbo frames.

93612 A security-related fix was made to address a privilege escalation issue
(PAN-SA-2016-0015).

93228 Fixed an issue on PA-7050 firewalls in an HA active/active configuration where
jumbo frames that included the DF (do not fragment) bit were dropped when crossing
dedicated HA3 ports.

92413 A security-related change was made to address a boundary check that caused a
service disruption of the captive portal (PAN-SA-2016-0013).

91771 Fixed an issue where a firewall did not send TCP packets out during the transmit
stage in the same order as those packets were received.

91443 Fixed an issue where a Panorama M-100 appliance purged logs due to an incorrect
quota size.

91079 Fixed an issue on a VM-Series firewall where an ungraceful reboot caused Dynamic
IP address information to get out of sync.

91075 Fixed an issue where the LSVPN tunnel interface failed to pass traffic after upgrading
a GlobalProtect LSVPN satellite to a PAN-OS 7.0 release while the GlobalProtect
LSVPN gateway was still running a PAN-OS 6.1 or earlier release. Additionally, the
tunnel interface flapped if you enabled tunnel monitoring. These issues occurred due
to changes to the encryption algorithm names when introducing Suite B ciphers in
PAN-OS 7.0. With this fix, GlobalProtect LSVPN satellites running PAN-OS 7.0.7 (or
PAN-OS 7.1) or later releases successfully recognize the old names used in PAN-OS
6.1 and earlier releases so that LSVPN tunnels are established and pass traffic as
expected.


90433 Fixed an issue where overrides of the default rules in the Shared policy took
precedence over the overrides of default rules in a device group. With this fix,
override precedence now behaves as designed (overrides of default rules in the
lowest level device group take precedence over those settings in the higher level
device groups and Shared).

90194 Fixed an issue where firewalls without any WildFire public signatures (had never
downloaded any or old signatures had been deleted) did not properly leverage
WildFire private cloud signatures when monitoring traffic.

90158 Fixed an issue on PA-7000 Series firewalls where aggregate outbound traffic was
incorrectly limited by the chassis switch fabric switching capacity.

90070 Fixed an issue where a memory leak associated with the authentication process
(authd) caused intermittent access and authentication issues.

90029 Fixed an issue where a GlobalProtect gateway rejected the same routes learned from
different LSVPN satellites when the routes were destined for a different virtual
router.

89761 Fixed an issue where a scheduled log export failed to export the logs if the password
in the configuration contained the dollar sign ("$") character.

89588 Fixed an issue where packets that had to be retransmitted during SSL decryption
were not handled correctly, which resulted in a depleted software packet buffer.

89503 Fixed an issue where user group mappings were not properly populated into the
dataplane after a firewall reboot.

89413 Fixed an issue where Panorama template commits failed when the names of several
certificates in the Default Trusted Certificate Authorities list changed. This occurred
when Panorama was running a PAN-OS 7.0 release and pushed a template to a
firewall running a PAN-OS 6.1 or earlier release.

89385 Fixed an issue with firewalls in an HA active/active configuration where session
timeouts for some traffic were unexpectedly refreshed after a commit or HA sync
attempt.
This fix introduced a known issue: PAN-59037 (97806).

89296 Fixed an issue where a commit failed after renaming a Panorama shared object that
was already referenced in the rules on a local firewall.

89108 Fixed an issue where a firewall did not advertise prefixes to some BGP peers when
expected.

88689 Fixed an issue where a memory leak associated with the authentication process
(authd) caused commit attempts to fail.

88450 Fixed an issue where Layer 3 interfaces without defined IP addresses, zones, or
virtual routers dropped LLDP packets, which prevented the firewall from obtaining
and displaying neighbor information.

88421 Fixed an issue where WildFire reports were generated for files already blocked by the
Antivirus profile SMTP decoder.

88325 Fixed an issue where a PA-500 firewall running a PAN-OS 7.0.1 or later release and
with DNS Proxy enabled failed to connect to User-ID agents using FQDN.


88313 Fixed an issue where read-only device administrators were unable to view logs on the
ACC tab.

87911 Fixed an issue where scheduled dynamic updates to managed firewalls stopped
functioning after migrating the Panorama VM to an M-500 appliance.

87880 Fixed an issue where the XML API request to test Security policy was not properly
targeted to a specified virtual system (vsys), which made the request applicable only
to the default vsys. With this fix, the XML API request to test Security policy is able
to retrieve results for any previously targeted vsys.

87833 Fixed an issue where WildFire updates caused the interface to flap.

87729 Fixed an issue where the dataplane on the passive firewall in a synced HA
configuration restarted due to a Decryption profile that didn't have any associated
Decryption policy rules, which resulted in SSL proxy sessions that were dropped on
the passive firewall when the active firewall became suspended during a failover.

87594 Fixed an issue on M-Series appliances that caused the show ntp CLI command to
time out.

87094 Fixed an issue where committing a policy on Panorama that contained interfaces that
were manually defined generated the error: [interface name] is not an allowed
keyword.

86977 Fixed an issue where LDAP sessions sourced from Panorama, a firewall, or an M-100
appliance were kept open and not actively refreshed, which caused sessions to
time out when they traversed the peer firewall (or the dataplane on the same firewall)
and, ultimately, caused authentication attempts to fail when requests could no longer
reach the LDAP server. With this fix, a keepalive mechanism is added that is
triggered after 15 minutes of session inactivity and that allows a maximum of five
failed probes before dropping a connection (probes occur in 60-second intervals).

86821 Fixed an issue where the server process (devsrvr) stopped responding when
attempting to access a URL with multiple nested children, which caused the
dataplane to restart.

86686 Security-related fixes were made to address issues reported in the October 2015
NTP-4.2.8p4 Security Vulnerability Announcement.

86313 Fixed an issue where the failed to handle CONFIG_COMMIT error was displayed
during a commit.

86202 Fixed an issue where the management plane stopped responding if you modified an
object referenced in a large number of rules.

86189 Fixed an issue where the firewall did not send SNMPv3 traps that used an IPv6 server
address.

86122 Fixed an issue where an LACP Aggregate Ethernet (AE) interface using SFP copper
ports remained down after a dataplane restart.

85344 Fixed an issue where scheduled dynamic update installation caused the HA link to
flap.

85265 Fixed an issue in the XML API that prevented a read-only superuser from
downloading custom packet captures.

84997 Fixed an issue on PA-7000 Series firewalls where the first autocommit attempt failed.


84461 Fixed a Panorama issue where the virtual memory for a process (configd) exceeded its
allocation, which caused commit and HA sync attempts to fail.

84146 Fixed an issue in PAN-OS 7.0 releases where the source and destination field was no
longer included as expected in error messages that were triggered when requests to
delete address objects failed. With this fix, the source and destination information is
again included in the error message.

84027 Fixed an issue where a firewall allowed some HTTP GET packets to pass through
even when the URL Filtering profile was configured to block packets in this URL
category.

83564 Fixed an issue where a certificate Common Name (CN) containing UTF-8 characters
caused commit requests to fail because the decoded CN string exceeded the
64-character limit.

82918 Fixed an issue where re-entering an LDAP bind password through the CLI using a
hash value (instead of a regular password) was rejected for having too many
characters.

77460 Fixed an issue on a firewall with an expired BrightCloud license where the specified
vendor was unexpectedly and automatically changed from BrightCloud to PAN-DB
when any feature auth code was pushed from Panorama to the firewall.

76661 Fixed an issue where voltage alarms were triggered incorrectly (voltage was within
the appropriate range).

74443 A security-related fix was made to address CVE-2015-0235.

73082 Fixed an issue where a firewall process (all_pktproc) stopped responding due to an
issue with NAT pool allocation.

PAN-OS 7.0.6 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS 7.0.6 release. For an overview of new features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see PAN-OS 7.0 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.0.

Before you upgrade to PAN-OS 7.0.3 or a later PAN-OS 7.0 release, review the information about how to upgrade a firewall to PAN-OS 7.0. Additionally, if virtual system (vsys) configuration is not enabled on your firewall or appliance, you must reboot your firewall or appliance after you install PAN-OS 7.0.1 and before you upgrade to PAN-OS 7.0.3 or a later release.

For WF-500 appliances, the PAN-OS 7.0.7 maintenance release addresses an issue that was introduced in PAN-OS 7.0.6 that causes frequent false positive verdicts for Microsoft Office documents. You are advised to upgrade WF-500 appliances to 7.0.7 or later releases and are advised not to install the 7.0.6 image.

Issue ID Description

92671 Fixed an issue where traffic that was offloaded to hardware was not forwarded properly. This occurred on PA-3050 and PA-3060 firewalls and primarily with SSL traffic.

90992 Fixed an intermittent issue where the initial GlobalProtect client connection to a GlobalProtect portal or gateway failed with the error: Valid client certificate is required. This occurred when the certificate profile used CRL/OCSP to check certificate validity and was due to a problem with the certificate not being available in the dataplane cache. Subsequent connections worked because the certificate was added to the cache during the initial connection attempt.

90904 Fixed a packet drop issue on PA-7000 Series firewalls in HA configurations running a PAN-OS 7.0.3 through PAN-OS 7.0.5 release. This occurred due to a MAC address lookup issue on interfaces in an Aggregate Ethernet (AE) interface group that were part of a VLAN.

89881 Fixed an issue where the User-ID agent truncated NetBIOS names with more than 14 characters. As a result, users with domain names longer than 14 characters were not granted access.

89880 Added a new CLI operational command (set authentication radius-auth-type <auto|chap|pap>) for M-Series appliances in Panorama mode to address an incompatibility issue between PAN-OS and some RADIUS servers. With this fix, you can manually override the automatic selection mechanism and choose between CHAP and PAP.

89317 Fixed an issue where improper data pattern ordering occurred after an administrator deleted data patterns from an existing Data Filtering profile, which subsequently caused an error (rule is already in use) when attempting to add a new data pattern. With this fix, you can add or delete data patterns in any order.

88794 Fixed an issue where one-time password (OTP) RADIUS authentication failed when the domain selection field was used in the authentication profile.

88696 Fixed an issue where, under certain conditions, a process (mpreplay) frequently restarted due to excessive internal messaging.

88570 Fixed an issue where a Neighbor Solicitation (NS) packet used to refresh IPv6 neighbor tables was sent out through a VLAN interface without a VLAN tag. The NS packet was tagged correctly when the neighbor entry was initially created but the packet used to refresh the table was sent without the tag, which caused the table update to fail when the neighbor did not receive an appropriately tagged response.

88168 Fixed an issue where VM-Series firewalls running on an 8-core platform changed the passive firewall to active when a socket error occurred. The socket remained closed until an interface-related change was made.

88125 Fixed an issue where TCP segments for DNS queries were dropped when the segments were smaller than 12 bytes.

87482 A security-related change was made to management plane account restrictions to avoid service disruption.

87285 Fixed an issue where a User Activity Report PDF for the last 30 days generated an error when the report contained more than 100,000 lines.

87257 Fixed an issue that caused a dataplane restart when the firewall was configured as a DHCP relay and received DHCP requests from a third-party DHCP server or client that exceeded the payload length specified in RFC 2132.

87158 Fixed an issue where some packets were duplicated in the egress stage. This occurred on multi-dataplane firewalls when traffic flowed from virtual system to virtual system or from virtual system to a shared gateway. An update has been made to prevent packet duplication.

86980 Fixed an intermittent issue where commits failed due to invalid file permission warnings related to SSH authentication.

86970 Fixed an issue where decryption on the firewall did not function when using Chrome to browse certain websites because Chrome eliminated insecure fallback to TLS 1.0.

86916 Fixed an issue where traffic bursts entering a PA-3000 Series firewall caused short-term packet loss even though the overall dataplane utilization remained low. This issue was typically observed when two firewall interfaces on the same firewall were connected to each other. With this fix, internal thresholds were modified to prevent packet loss in these conditions.

86671 Fixed an issue where Panorama did not recognize threat IDs generated by a WF-500 appliance, which prevented you from configuring an exemption for these threats in Panorama that could be pushed to managed firewalls.

86633 Fixed an issue where the web interface indicated that a new DHCP relay configured in the CLI was enabled even though the relay was not, yet, enabled from the CLI.

86321 Fixed an issue where SSH decryption caused a dataplane memory leak and restart.

86251 Fixed an issue where an administrator was unable to retrieve log partition utilization using SNMP after adding additional virtual disk space on Panorama.

85913 Fixed an issue where an administrator was unable to add more than one XAuth GlobalProtect gateway on the same interface.

85880 Enhanced the syslog variable list to include cef-number-of-severity.

85110 Fixed an issue where the firewall sent gratuitous ARP (GARP) packets for an interface IP address used in a destination NAT rule from all interfaces in the zone where that interface belonged. With this fix, the GARP packets are sent only from the interface that owns the IP address.

84949 Fixed an issue where M-100 appliances in an HA active/active configuration forwarded logs only to one syslog server, even though two syslog servers were defined. This issue occurred only on the primary-secondary appliance and was due to an HA sync issue.

84665 Fixed an issue where the Commit icon incorrectly indicated pending configuration changes after an Applications and Threats update.

84641 Fixed an issue where some DNS requests were forwarded to the wrong DNS server (the one previously but no longer configured on the firewall).

84339 Fixed an issue where a single session consumed the majority of the packet buffer resources. With this fix, you can use information in the output of the show running resource-monitor ingress-backlogs command to Identify Sessions That Use an Excessive Percentage of the Packet Buffer and then use the request session-discard CLI operational command to manually discard sessions as needed. These commands are only available on firewalls that support hardware offload.

84236 Fixed an issue where special characters in the SNMPv3 Users field caused encryption to fail and caused the firewall to restart.

83722 Fixed an issue where destination-based service routes did not work for RADIUS authentication servers.

83702 Fixed an issue on PA-7000 Series firewalls running PAN-OS 7.0.2 and later releases where WildFire Analysis reports did not display in the WildFire Analysis Report tab (Monitor > Logs > WildFire Submissions > Detailed Log View).

83361 Fixed an issue where the DoS classification counter stopped at an abnormally high value. This caused flood-type false positives in the Threat logs, causing the firewall to appear as if it reached maximum session capacity.

83135 Fixed an issue where the initial redirect failed for some SSL sites. (The error Bad Record MAC appeared after the user clicked continue but the user could then refresh the page to successfully enter the website.)

83100 Fixed an issue where Panorama HA synchronization failed when attempting to upgrade to a PAN-OS 7.0.1 through PAN-OS 7.0.5-h2 release.

82756 Fixed an issue where custom reports were not sent out by the Email Scheduler.

82443 Fixed an issue where unwanted characters were displayed on the login page after a failed login.

80721 Fixed an issue where the XML API command show dos-protection rule statistics (used to retrieve DoS protection statistics) returned an error: invalid command option.

80507 Fixed an issue in Panorama where Threat and Content names for certain threats did not appear in ACC reports, predefined reports, and spyware reports. This issue occurred only on PA-7000 Series firewalls managed by Panorama and only during an Antivirus update.

79729 Fixed an issue with firewalls in an HA configuration where a commit operation aborted for all daemons and then the DHCP daemon stopped responding. This occurred when the set deviceconfig high-availability group {group-name} configuration-synchronization enabled option was set to no.

78090 Fixed an issue where the User-ID process stopped responding on both peers in an HA active/passive configuration. This issue occurred after an upgrade and was due to a problem with the LDAP library.

74333 Fixed an issue where incremental updates for new and updated registered IP addresses were failing when registration events were occurring through the XML API. With this fix, integrating the updates for registered IP addresses no longer fails when using the XML API (on either standalone firewalls and appliances or those in HA configurations).

PAN-OS 7.0.5-h2 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS 7.0.5-h2 release. For an overview of new features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see PAN-OS 7.0 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.0.

Before you upgrade to PAN-OS 7.0.3 or a later PAN-OS 7.0 release, review the information about how to upgrade a firewall to PAN-OS 7.0. Additionally, if virtual system (vsys) configuration is not enabled on your firewall or appliance, you must reboot your firewall or appliance after you install PAN-OS 7.0.1 and before you upgrade to PAN-OS 7.0.3 or a later release.

Issue ID Description

89750 A security-related fix was made to address a stack underflow condition.

89706 A security-related fix was made to prevent some CLI commands from improperly executing code.

PAN-OS 7.0.5 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS 7.0.5 release. For an overview of new features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see PAN-OS 7.0 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.0.

Before you upgrade to PAN-OS 7.0.3 or a later PAN-OS 7.0 release, review the information about how to upgrade a firewall to PAN-OS 7.0. Additionally, if virtual system (vsys) configuration is not enabled on your firewall or appliance, you must reboot your firewall or appliance after you install PAN-OS 7.0.1 and before you upgrade to PAN-OS 7.0.3 or a later release.

Issue ID Description

89752 A security-related fix was made to address a buffer overflow condition.

89717 A security-related fix was made to ensure the appropriate response to special requests received through the API interface.

88550 Fixed an issue on firewalls running in Common Criteria (CC) mode where seeding using an OpenSSL deterministic random bit generator (DRBG) caused a process (cryptod) to stop responding and resulted in commit failures.

88439 Fixed an issue on a PA-3000 Series firewall where a dataplane constantly restarted due to a hardware content matching memory issue.

88382 Fixed an issue in a high availability (HA) active/active configuration with unexpectedly short (20-second) timeouts that occurred when an HA2 session sync message failed. This issue was due to an ARP problem between dataplanes in the HA configuration when the HA2 backup was in use and using either IP or UDP transport mode. With this fix, unexpectedly short session timeouts no longer occur due to this issue.

88191 A security-related fix was made to address information leakage in systems log that impacted the web interface (PAN-SA-2016-0016).

87565 Fixed an issue where a firewall did not forward correlation events to the syslog server.

87170 Fixed an issue where a firewall did not filter groups using the filters applied in search parameters; instead, the firewall ignored filters and displayed all groups in search results.

86947 Fixed a rare issue where an active firewall in a high availability (HA) configuration incorrectly synced to the configuration from the passive firewall when a second commit was performed on the active firewall before a previous commit was completed.

86723 Fixed an issue where a dataplane restarted when client-to-server traffic exceeded 4GB and included HTTP GET or POST requests that had the source IP address in the Origin header.

86664 Fixed an issue with IKEv2 that caused a child security association (SA) to install incorrectly on a firewall when the tunnel was connected to third-party equipment using PFS.

86390 Fixed an issue where a virtual system (vsys) created in a Panorama template did not display where expected when the first two characters of the vsys name was "sg" (such as "sg01"). With this fix, Panorama no longer allows you to create a vsys with a name that begins with "sg" in a Panorama template.

86319 Fixed an issue where a process (routed) on the firewall stopped responding and resulted in high CPU usage when applying a BGP autonomous system (AS) path filter.

86312 Fixed an issue where the last update time never exceeded 1 second after making a change to the update interval of a group mapping service.

86193 Fixed an issue in a high availability (HA) configuration where LDAP group mappings did not properly refresh after a firewall became the active peer again after going through the passive state. This was due to a variable that was not initialized properly and was then used in an error case. With this fix, LDAP variables are properly initialized to avoid this LDAP group mapping issue.

86136 Fixed an issue where the GlobalProtect gateway sent an access request packet with malformed data inside the Framed-IP-Address field to the RADIUS server.

86126 Fixed an issue where a user with a custom role-based administrative account couldn't preview rules listed as Combined rules.

86091 Fixed an issue where a commit to configure a tunnel interface that used a string instead of an integer caused a process (routed) on the firewall to stop responding.

86075 Fixed an issue on a PA-3060 firewall where the size of the SML VM EmlInfo software pool was less than expected. With this fix, the size of the SML VM EmlInfo software pool is increased to the expected value.

85888 Fixed an issue where Panorama ignored the session timeout value and automatically refreshed administrators who were still logged in to the Panorama appliance even when those sessions were inactive for a period longer than the configured timeout.

85879 Fixed an issue where a firewall in a high availability (HA) configuration generated a false positive event (Running configuration not synchronized after retries) 75 seconds after each HA sync. With this fix, this error is returned only for commits that take longer than 45 minutes to complete.

85878 In response to an issue where DNS queries sometimes caused a Log Collector to run too slowly and caused delays in log processing, the debug management-server report-namelookup disable CLI command is added to disable DNS lookups for reporting purposes.

85863 Fixed an issue where multicast traffic sent over a virtual wire (vwire) with Multicast Firewalling disabled (Network > Virtual Wires > <vwire>) caused high CPU and packet buffer depletion.

85821 Fixed an issue where a dataplane stopped responding due to memory corruption.

85754 Fixed an issue where a VM-Series disk was corrupted and went into maintenance mode after processing mutated traffic from third-party signature detection software.

85687 Fixed an issue where the system log entries displayed logged in via Web from 127.0.0.1 for administrators who logged in via XML API. With this fix, the system log displays the correct IP address for administrators who logged in via XML API.

85675 Fixed an intermittent issue where a process (mprelay) restarted and, after multiple restarts, caused the firewall to restart. This issue was associated with the processing of add and delete events for IPv4 ARP and IPv6 neighbor updates. With this fix, IPv4 ARP and IPv6 neighbor updates no longer cause the mprelay process or firewall to restart.

85611 Fixed an issue where the number of fib entries for device FIB counter was inaccurate with ECMP enabled. With this fix, the firewall maintains an accurate count of entries in the FIB table for the number of fib entries for device FIB counter.

85484 Fixed an intermittent issue where the GlobalProtect portal used the cookie instead of the authentication information provided by the GlobalProtect client, which caused authentication to fail. With this fix, if a client connects using a cookie, the GlobalProtect portal ignores the cookie in favor of the authentication information provided by the GlobalProtect client so that authentication is successful.

85358 Fixed an issue where SSL decryption sessions were not cleared after executing the clear session all filter ssl-decrypt yes CLI command (or any other session clearing command that used the ssl-decrypt yes filter). With this fix, SSL decrypt sessions are cleared as expected when executing session clearing commands that include the ssl-decrypt yes filter.

85245 Fixed an issue where a virtual system (vsys) configuration remained in the firewall configuration even after the vsys was deleted. This caused commits to fail when attempting to add a new vsys using the same ID as the vsys that was not successfully deleted.

85193 Fixed an issue in a high availability (HA) configuration where multiple overlapping queries resulted in a race condition that caused HA sync jobs to fail.

84963 Fixed an issue in Panorama templates where administrators could mark a certificate as Forward Trust or Forward Untrust but forwarding did not take place as expected when the template was configured to apply only to one virtual system (single-vsys mode). With this fix, marking a certificate as Forward Trust or Forward Untrust works as expected even when the template is in single-vsys mode.

84908 Fixed an issue where the logged session end reason for decrypted SSL sessions always displayed as aged out regardless whether that was the actual TCP session end reason. With this fix, the session end reason now displays correctly for decrypted SSL sessions.

84729 Fixed an issue on M-Series appliances and with PA-7000 Series Log Processing cards where output of the show system logdb-quota CLI command didn't match the values in Logging and Reporting Settings in the web interface (Device > Setup > Management > Logging and Reporting Settings > Log (Card) Storage) due to a discrepancy in space calculation. With this fix, the values in the web interface accurately reflect available storage space and match the output from the show system logdb-quota CLI command.

84552 Fixed an issue where the debug user-id reset ts-agent/user-id-agent CLI command did not work as expected.

84538 Fixed an issue where a dataplane restarted unexpectedly on a firewall with SSL decryption enabled. This occurred during the SSL handshake when the firewall received a Hello packet from the server that had a higher SSL protocol version than the Hello packet received from the client.

84496 Fixed an issue on PA-7000 Series firewalls where excessive or prolonged log queries caused a memory leak on the Log Processing Card (LPC).

84239 Fixed an issue where a read-only Superuser was able to perform a commit when using XML API (but not via the web interface). With this fix, read-only Superusers cannot use XML API to perform commits.

83764 Fixed an issue where using web interface certificate authentication caused login failures.

83731 Fixed an issue in a virtual wire configuration where a firewall incorrectly modified the MAC address for traffic when decryption was enabled. With this fix, the firewall no longer modifies the MAC address of traffic.

83454 Fixed an issue with IPv6 traffic that had an extension header and caused jitter when passing through a PA-7000 Series firewall in a high availability (HA) active/active configuration.

83362 Fixed an issue where a commit failed when a subinterface that was pushed from Panorama lost its reference to its associated VLAN after the subinterface configuration on the firewall was overridden and then reverted in the template. With this fix, after an interface is reverted, subinterfaces do not lose their mapping to VLANs.

83337 Fixed an issue where firewalls generated multiple core dumps after a reboot when incoming packets were forwarded to the dataplane while an autocommit was still processing. With this fix, packets are not forwarded to the dataplane until an in-process autocommit is complete.

83145 Fixed an issue on a PA-7000 Series firewall where an interface in tap mode unexpectedly transmitted traffic that was received on that interface.

82916 Fixed an issue where the trusted CA store on the firewall was missing the QuoVadis root CA2 and root CA3 G3 certificates. With this fix, both these QuoVadis certificates are included in the trusted CA list.

82873 Fixed an issue with missing fields and inconsistencies in the Syslog format for Correlated Events that were exported to a syslog server.

82862 Fixed an issue where the device server process (devsrvr) restarted unexpectedly when Panorama pushed a template that contained a certificate with a corrupt public key.

82667 Fixed an issue where the PAN-OS integrated User-ID agent failed to connect to a monitored server when the User-ID agent was configured to use the FQDN instead of the IP address for the server.

82358 Fixed an issue where, when using LDAP authentication, a GlobalProtect client incorrectly showed a Password expired message even when the password had not expired.

81812 Fixed an issue where a firewall did not accurately check certificate revocation status via OCSP because the OCSP request did not include the HOST header option. With this fix, the firewall uses the HOST header option as expected and successfully retrieves the revocation status of the certificate in response to OCSP requests.

81743 Fixed an issue where URL categorization failed for some URLs due to an issue with message buffer size.

81425 Fixed an issue where IPSec renegotiation was not initiated as expected after a PPPoE interface received a new IP address.

81424 Fixed an issue where the From column in the output of the show admins command was Console instead of the correct IP address when connected to the CLI via telnet or SSH.

81062 Fixed an issue where the email action for scheduled reports timed out due to reports that took too long to generate. With this fix, the email timeout is increased and report generation is enhanced to avoid this issue.

80415 Fixed an issue where a firewall was not presenting the Captive Portal response page to users. This occurred when the URL category was marked not-resolved, such as when cloud servers were unavailable.

79596 Fixed an intermittent issue on PA-5000 Series firewalls where the dataplane stopped responding. With this fix, there are additional sanity checks and logging to avoid this issue.

73177 Fixed an issue where redistributed Not-So-Stubby Area (NSSA) type 7 routes converted to NSSA type 5 routes were not flushed from the OSPF database quickly enough after the redistributing NSSA router went down. With this fix, the OSPF is flushed within the expected period of time so that routes that go down are not advertised as still available.

PAN-OS 7.0.4 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS 7.0.4 release. For an overview of new features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see PAN-OS 7.0 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.0.

Before you upgrade to PAN-OS 7.0.3 or a later PAN-OS 7.0 release, review the information about how to upgrade a firewall to PAN-OS 7.0. Additionally, if virtual system (vsys) configuration is not enabled on your firewall or appliance, you must reboot your firewall or appliance after you install PAN-OS 7.0.1 and before you upgrade to PAN-OS 7.0.3 or a later release.

Issue ID Description

88869 Fixed a performance degradation issue on a VM-Series firewall with 8 cores when threat scanning was enabled when attempting to process large transaction specific SSL traffic types. Additionally, this fix addressed an intermittent issue where the GlobalProtect MSI file failed to download after a user authenticated to the portal page.

87422 Fixed an issue where multicast traffic was dropped when the source started sending group traffic because there was not, yet, a corresponding multicast route or FIB entry on the firewall. With this fix, the multicast route is updated more quickly and packets are enqueued instead of dropped while the firewall waits for the updated route information.

87410 Fixed an issue where an API call to add, delete, or modify a URL entry failed when the URL included a single (') or double (") quote character as an XML attribute. With this fix to comply with XML XPath 1.0, API instructions are completed successfully even when acting on a URL that includes a single or double quote used as an XML attribute.

87385 Fixed an issue where all the widgets on the ACC tab of a managed firewall (and when exported in a PDF file) display Report Error when you access the firewall through a context switch from Panorama (whether virtual or M-Series appliance).

87280 Fixed an issue where the number of SSL free memory chunks was depleted to 0, which caused a disruption in SSL decryption-related traffic.

87231 Fixed an issue where a PA-7000 Series firewall did not load balance egress traffic on Aggregate Ethernet (AE) interfaces as expected.

87078 Fixed an issue where the management server stopped responding where there was a high logging rate, which caused the Log Collector to disconnect from Panorama.

86938 The client certificate used by PAN-OS and Panorama to authenticate to the PAN-DB cloud service, the WildFire cloud service, and to WF-500 appliances expired on January 21, 2016. The expiration results in an outage of these services. To avoid an outage, either upgrade to content release version 550 (or a later version) or upgrade PAN-OS and Panorama instances running a PAN-OS or Panorama 7.0 release to PAN-OS (or Panorama) 7.0.4 or a later release.

86895 Fixed an issue on M-Series and WF-500 appliances where the Ethernet1/2 interface unexpectedly broadcasted DHCP discover packets with the internal BMC IPMI LAN MAC address as the source MAC address when the internal BMC IPMI LAN was configured to use DHCP as the source address.

86803 Fixed an intermittent issue where the idle timer for GlobalProtect IPSec tunnels either did not expire appropriately (such as when the tunnel was torn down) or expired at the configured idle time expiration even when a user was actively using the connection. With this fix, the GlobalProtect IPSec tunnel idle timer behaves as expected.

86467 Fixed an issue in PAN-OS 7.0.3 where firewalls did not check for superuser accounts that were pushed through a Panorama template, which caused an upgrade process error when all superuser accounts were pushed through a Panorama template (firewalls must have at least one superuser account in the configuration). With this fix, firewalls correctly recognize superuser accounts that are pushed through a Panorama template.

86212 Added a new CLI operational command (set authentication radius-auth-type <auto|chap|pap>) to address an incompatibility issue between PAN-OS and some RADIUS servers. With this fix, you can manually override the automatic selection mechanism introduced with Challenge-Handshake Authentication Protocol (CHAP) support in PAN-OS 7.0 to select either CHAP or Password Authentication Protocol (PAP) as needed.

85801 Fixed an issue where a firewall that was forwarding logs to multiple Panorama management servers and Log Collectors stopped forwarding logs to any appliance after an administrator suspended log forwarding on the active-primary Panorama server. With this fix, the firewall continues to forward logs to all Panorama management servers and Log Collectors except any appliance for which an administrator specifically suspends log forwarding.

85721 Fixed an issue where firewalls with a specific OCZ Deneva hard disk (model DENCSTE251M21) configured in a RAID and running PAN-OS 7.0.1 or later releases experienced RAID errors.

85514 Fixed an issue where a commit request failed due to processes (configd and mongod) with high memory usage.

85364 Fixed an issue where HTTP and HTTP Online Certificate Status Protocol (OCSP) management services were enabled only for the first IP address on an interface with multiple IP addresses. With this fix, when HTTP and HTTP OCSP management services are enabled on an interface, services are enabled for all IP addresses associated with that interface.

85285 Fixed an issue where output from the show ntp command did not always display the correct NTP status. Primarily, this issue occurred when there was only one NTP server configured and, even when correctly connected to the NTP server, the output of the show ntp status command displayed as rejected. With this fix, output from the show ntp command correctly displays NTP status as synchronized after the firewall successfully connects to an NTP server.

85166 Fixed an issue on a PA-7000 Series firewall where the first packet in a session was dropped when it arrived before the firewall freed up a previous session that used the same 5-tuple. With this fix, the firewall treats the previous session as an inactive flow and successfully creates the new session.

85091 Fixed an issue on a firewall where software packet buffers were being depleted. With this fix, the firewall will dynamically adjust the TCP receive window based on peer traffic to avoid software packet buffer depletion. Additionally, there is a fix for a memory leak in error handling of SSL Forward Proxy mode and the size of the software buffer pools is increased.

84851 Fixed an issue where the virtual system (vsys) ID on the firewall was computed incorrectly when Panorama pushed a template with Force template value enabled and containing virtual system information to the firewall.

84811 Fixed an issue on a VM-Series firewall (KVM on Centos 7/Redhat) where a process (vmuuid) displayed as empty after boot. With this fix, the vmuuid process is displayed correctly.

84678 Fixed an issue with the way the management plane performed updates through HTTP and HTTPS calls, such as for block list and content updates.

84595 Fixed an issue with HTTP requests generated by the firewall when retrieving custom Dynamic Block Lists.

84495 Fixed an issue where, in some cases, generating output for the show running url-cache all CLI command caused a short delay in communication with the dataplane. With this fix, to avoid this communication delay, the output of the show running url-cache all command is no longer included when generating the tech support file.

84494 Fixed an issue where the session end reason for a single threat ID was reported differently depending on which decoder was used. With this fix, only one session end reason (threat) is reported for all blocked SMTP traffic regardless which decoder is used.

84465 Fixed an issue where the external interface on an LSVPN satellite was unable to establish an LSVPN connection to the active-primary firewall in an HA active/active configuration that was acting as the GlobalProtect portal or gateway when the external interface of the satellite was configured as a DHCP client. (This failure occurred even though an LSVPN connection was successfully established with the active-secondary firewall.) With this fix, the LSVPN satellite (with the external interface configured as a DHCP client) successfully establishes an LSVPN connection to both firewalls (active-primary and active-secondary) after a reboot.

84454 Fixed an issue where attempts to load a partial configuration for a device group from an XML file resulted in an error message. With this fix, you can successfully load a partial configuration for a device group and merge it with an existing device group.

84433 Fixed an issue where a web page would not load successfully without refreshing the browser multiple times when Online Certificate Status Protocol (OCSP) validation was enabled. This occurred when a block page message was presented within one second of the attempt to load an HTTPS site while decryption was enabled on the firewall with the OCSP validation timeout set to 60 seconds.

84167 Fixed an issue where a firewall incorrectly reordered certain TCP traffic during transmit stage.

84008 Fixed an issue where an LSVPN IPSec tunnel went down when the hard key lifetime expired during a re-key. With this fix, the soft key lifetime is adjusted so that the hard key lifetime does not expire before the re-key finishes.

83907 Fixed an issue where administrators could not disable counters in system logs using the debug dataplane packet-diag set log counter <counter-name> CLI command when those counters had names longer than 31 characters.

83902 Fixed an issue where monitoring an SNMP OID (.1.3.6.1.2.1.25.2.3.1.5.41) for disk space resulted in incorrect values on volumes over 2TB in size.

83898 Fixed an issue on Panorama M-Series and virtual appliances where exporting a report as a comma-separated value (CSV) file (Monitor > Reports) failed and resulted in a web interface error (Error enqueuing export job).

83889 Fixed an issue where a PA-7000 Series firewall incorrectly dropped non-TCP and non-UDP fragmented traffic, such as EtherIP traffic.

83844 Fixed an issue where a memory leak caused a PA-200 firewall to reboot.

83657 Fixed an issue where Panorama did not properly push device or template configurations for NTP, send hostname in syslog, or WildFire settings to a device.

83592 Fixed an issue where the User-ID process (useridd) went into a reboot loop and caused the passive firewall in a high availability (HA) configuration to restart. This was due to bulk and incremental updates of terminal services users.

83253 Fixed an issue where video calls failed when H.245 (open logical channel ack) packets referenced a pre-NAT address.

82913 Fixed an issue where ToS headers were not set correctly in Encapsulating Security Payload (ESP) packets across VPN tunnels.

82865 Fixed an issue with a PA-5000 Series firewall where sessions owned by dataplane 1 (DP1) or DP2 did not display in the output when executing the show session command on DP0.

82710 Fixed an issue where unexpected dataplane restarts occurred due to out-of-memory errors and high resource usage on packet descriptors when SSL Forward Proxy was enabled. This fix also addresses a dataplane process memory leak.

82621 Fixed an intermittent issue on a PA-7000 Series firewall where traffic was dropped when the log interface and dataplane interfaces were both configured on the same Network Processing Card (NPC).

82605 Fixed an issue where policy-based forwarding (PBF) with Enforce Symmetric Return enabled (Policies > Policy Based Forwarding > pbfrule > Forwarding) caused offloaded PBF sessions to fail when attempting to egress the firewall.

82424 Fixed an issue on a PA-5000 Series firewall where packets were dropped or the dataplane stopped responding when receiving specific ingress or egress traffic associated with offloaded sessions. With this fix, a field-programmable gate array (FPGA) change was made to address these issues.

82138 Fixed an issue where WildFire reports were not displayed on the web interface when proxy settings were configured for the management interface.

82118 Fixed an issue on the QoS Statistics panel (Network > QoS) where data was displayed only on the bandwidth tab; all other tabs (Applications, Source Users, Destination Users, Security Rules, and QoS Rules) were empty.

82095 Fixed an issue where a commit request did not finish processing due to a process (routed) that stopped responding.

81996 Fixed an issue where a HIP Profile did not sync between the active and passive firewalls in a high availability (HA) configuration, which caused the HIP Profile to no longer be in effect after a failover. With this fix, the HIP Profile is correctly synced between the active and passive firewalls and remains in effect after a failover.


81949 Fixed an issue where Dynamic Address Groups pushed from Panorama to a firewall were
not displayed in the output of CLI show commands.

81830 Fixed an issue where SSL Forward Proxy did not include the appropriate TLS 1.2 extension
(Signature Algorithms) in Client Hello messages, which prevented successful
interoperability with some Microsoft websites.

81333 Fixed an issue where managed firewalls and appliances were unable to connect to
Panorama using the master key after a factory reset (or RMA).

81241 Fixed a rare issue where NAT traffic was dropped after a failed commit attempt.

80631 Fixed an issue in a high availability (HA) configuration where the ports on the passive
firewall did not come up when the passive link state was set to auto (Device > High
Availability > General > Active Passive Settings).

79917 Fixed an issue on a PA-3000 Series firewall where the dataplane stopped responding
when receiving specific ingress or egress traffic associated with offloaded sessions. With
this fix, a field-programmable gate array (FPGA) change was made to address this issue.

79531 Fixed an issue where an error was displayed (No Data to Display) in the Threat Monitor
window (Monitor > App Scope > Threat Monitor) when selecting the Show Files filter.

78624 Fixed an issue where the active-secondary firewall in an HA active/active configuration
was incorrectly responding to ARP requests for the IP address used in the destination NAT
rule with binding to the active-primary firewall.

78482 Fixed an issue where VM Information Sources bypassed proxy settings.

78317 Fixed an issue where the management plane in an HA active/passive configuration
restarted due to a dataplane process (mprelay) that stopped responding when it
experienced memory corruption and encountered unexpected behavior from the FIB
pointer.

77236 Fixed an issue where importing a certificate more than once with different names caused
the dataplane to stop responding when the certificate was used for SSL Inbound
inspection.

76269 Fixed an issue where an active-primary M-100 appliance in an HA configuration was
unable to establish a connection with the passive-secondary or active-secondary HA peer
for log collection.

76197 Fixed an issue where firewall Traffic logs displayed unusually large byte counts for
http-proxy and http-video counters due to frequent application shifts between
those application type packets within a single proxy session.

76103 Fixed an issue where adding a threat exception to a Vulnerability Protection profile
(Objects > Security Profiles > Vulnerability Protection > profile > Exceptions) resulted in
an error (Schema node for Xpath was not found).

73187 Fixed an issue where the WildFire Analysis report (Monitor > WildFire Submissions >
Detailed Log View > WildFire Analysis Report) did not display on versions 9 or 10 of
Internet Explorer due to a script error.


70719 In response to an issue where a dataplane restarted due to an incorrect flow ID, PAN-OS
6.1.4 and later releases included additional checks to help prevent the dataplane from
restarting due to this issue. In PAN-OS 7.0.3, those PAN-OS 6.1.4 modifications were
further modified to provide a more complete solution that avoids inadvertently dropping
IPv4 traffic affected by this issue; in PAN-OS 7.0.4, the solution includes an additional fix
to avoid inadvertently dropping IPv6 traffic related to this issue.

66285 Fixed an issue where the web interface certificate did not properly sync between HA
peers, which led to a race condition that caused a commit request to fail.

PAN-OS 7.0.3 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS 7.0.3 release. For an overview of new
features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see
PAN-OS 7.0 Release Information. Before you upgrade or downgrade to this release, review the information
in Upgrade to PAN-OS 7.0.

Before you upgrade to PAN-OS 7.0.3 or a later PAN-OS 7.0 release, review the information about how to upgrade a
firewall to PAN-OS 7.0. Additionally, if virtual system (vsys) configuration is not enabled on your firewall or appliance,
you must reboot your firewall or appliance after you install PAN-OS 7.0.1 and before you upgrade to PAN-OS 7.0.3
or a later release.

Issue ID Description

85065 Fixed a CLI input parsing issue that caused a process on the management plane to stop
responding when processing unexpected input.

84711 Fixed an intermittent issue where some packets incorrectly matched Security policy rules,
which resulted in App-ID policy lookup errors and discarding of packets.

84599 Fixed an issue in PAN-OS 7.0 releases where a process (dhcpd) did not correctly handle
DHCP padding Option 0 when receiving a DHCP request from the DHCP client. This
prevented the firewall that was acting as the DHCP server from allocating and committing
the offered IP address to the DHCP client, which caused the firewall to be stuck in offered
state. With this fix, the DHCP process correctly handles DHCP padding Option 0 and
successfully commits IP addresses offered to DHCP clients.

84246 Fixed an issue where a PA-7050 firewall running PAN-OS 7.0 assigned the same MAC
address to all interfaces on two different PA-7050 chassis when the chassis base MAC
addresses differed only in the 10th bit. With this fix in PAN-OS 7.0.3, two such different
PA-7050 chassis are assigned different interface MAC addresses as expected.

84094 Fixed an issue where a user activity report (Monitor > PDF Reports > User Activity Report)
contained no statistics for users with a domain+username string length that exceeded 32
characters.

84046 Fixed an issue where SSL decryption failed when a certificate was rejected due to a missing
or empty basicConstraints extension. With this fix, an exception is added to allow a
missing or empty basicConstraints extension for self-signed non-CA certificates, and
the following behaviors will be applied to CAs with regard to basicConstraints
extensions:
If the CA has an extension basicConstraints=CA:TRUE, then allow the CA.
If the CA has an extension basicConstraints=CA:FALSE, then block the CA, but
allow device-trusted CAs, including default CAs and imported CAs.
If the CA does not have a basicConstraints extension, then block the CA, but
allow device-trusted CAs, including default CAs and imported CAs, and allow self-signed
CAs.

84012 Fixed an issue where a process (ikemgr) stopped responding due to a missing IKE profile.

83907 Fixed an issue where the debug dataplane packet-diag set log counter
<counter-name> CLI command did not accept counter names longer than 31 characters,
which prevented administrators from adding such counters for logging in system logs.


83867 Fixed a rare issue where one of the internal databases was corrupted after an improper
shutdown (power off) of the firewall. When this happened, the firewall was unable to
automatically restart and would not start up properly thereafter.

83819 Fixed an issue on an M-100 appliance running Panorama 7.0 where a custom report failed
to run when setting the Database (Monitor > Manage Custom Reports) to Summary
Databases > Remote Device Data > Threat and selecting Severity from the list of Available
Columns when any remote firewall used for custom reporting was running a PAN-OS 6.1
or earlier release.

83637 Fixed an issue where packet processing on a VM-Series firewall caused the firewall to stop
forwarding traffic.

83574 Fixed a rare issue where, in some scenarios, such as when a firewall is restarted and IPSec
security associations (SAs) are not established when a remote VPN peer is unreachable,
the tunnel interface configured with IPSec tunnel monitoring is present in the routing table
and status is Up.

83519 A security-related fix was made to address CVE-2015-5600.

83293 Fixed an issue in Panorama where SNMPv3 settings were removed and could not be
updated when modifying an existing SNMPv3 device template.

83288 Fixed an issue where autocommit failed when the GlobalProtect gateway or Captive Portal
certificate was pushed through Panorama after upgrading a firewall from a PAN-OS 6.1
release to PAN-OS 7.0.2.

83256 Fixed an issue where the firewall did not block unsupported elliptic curve Diffie-Hellman
(ECDH) exchange cipher suites during SSL forward proxy even when Block sessions with
unsupported cipher suites was enabled (Objects > Decryption Profile > <decryptprofile>
> SSL Decryption > SSL Forward Proxy).

83149 Fixed an issue where a missing node (user) in the unlock command prevented
administrators from using the Panorama web interface to unlock a locked LDAP user.

83142 Fixed an issue where triggering a DHCP release did not clear the original settings for a
DHCP client that was in renew state.

83113 Fixed an issue where attempts to regenerate metadata caused a process
(update_vld_itvl_idx) to stop responding when encountering a corrupt log file (a log file that
contained invalid data). With this fix, the metadata regeneration process skips log files that
contain invalid data so that the regeneration task is successfully completed.

83102 Added functionality to allow commits to succeed even when there is no Network
Processing Card (NPC) installed yet, or when the NPC is not supported or recognized in the
current PAN-OS release. With this fix, you can install PA-7000 Series cards that are not
supported in the PAN-OS version shipped with or running on the firewall and then upgrade
to the appropriate PAN-OS version.

83041 Fixed an issue where adjustments to the width of columns in the web interface are not
saved, causing columns to revert to previous settings when you view a different tab. With
this fix, changes to the width of columns in the web interface are retained until changed
again.

83004 Fixed an issue where a Zone Protection profile with strict IP checking enabled resulted in
incorrectly dropped packets. These drops were caused by an improper check of whether
the source IP address was a broadcast address.


83001 Fixed an issue on an M-100 appliance where available disk size was reported as 0 bytes
during an upgrade. This incorrectly caused old logs to be purged from the other Log
Collectors in the group in an attempt to adhere to the configured log quota for the group.
Additionally, Panorama 6.1.8 and Panorama 7.0.3 (and later releases) on an M-100
appliance with zero disk space displays an error when attempting to commit to Collector
Group (Failed to commit collector config) or a warning when attempting to commit
to Panorama (Disk <disk-ID> on log collector <log-collector-id> in group
<group-ID> has a size of zero bytes).

82887 Fixed an issue where authentication attempts against a local authentication profile within
an authentication sequence failed when the local profile was not the first profile in the
sequence.

82853 Fixed an issue where role-based administrators were not allowed to perform API calls.

82849 Fixed an issue on a Panorama virtual appliance using a Network File System (NFS) storage
partition where the file system integrity check incorrectly failed for the NFS directory,
which caused the NFS mount to fail when rebooting Panorama after an upgrade to
Panorama 7.0.

82838 Fixed an issue where the User-ID process (useridd) stopped responding when reading
config messages from the Terminal Services (TS) agent.

82778 Fixed an issue where failed authentication attempts were not cleared when the
authentication attempt was eventually successful. With this fix, the failed authentication
attempt counter for a given user is reset as expected after every successful login.

82560 Fixed an issue where a passive VM-Series firewall in an HA pair with Use Hypervisor
Assigned MAC Address enabled (Device > Management > Setup) was sending GARP
requests without an established HA2 connection. With this fix, a passive VM-Series firewall
no longer sends these GARP requests when you enable Use Hypervisor Assigned MAC
Address without an HA2 connection.

82534 Fixed an issue where a firewall incorrectly injected SSL messages into traffic on port 443.

82533 Fixed an issue where the OCSP responder failed to check the validity of client certificates
and showed status as unknown when unable to locate the custom root CA used in the
certificate profile for the GlobalProtect portal configuration.

82377 Fixed an issue where, in a Large Scale VPN (LSVPN) configuration, a GlobalProtect gateway
incorrectly installed the previously allocated IP address for the GlobalProtect satellite as
the next hop for the routes advertised by satellites. With this fix, the GlobalProtect gateway
removes any old IP addresses allocated to the satellite and correctly installs the new IP
address allocated to the satellite as the next hop for the routes advertised by satellites.

82338 Fixed an issue where one-time password (OTP) RADIUS authentication failed when
configured in the same authentication sequence as the domain selection. This issue was
caused by the firewall incorrectly truncating the RADIUS challenge state. Also fixed OTP
RADIUS authentication issues where the backslash (\) character was incorrectly removed
from the username entry and where an incorrect password resulted in long delays before
returning a password error message.

82326 Fixed an issue where additional locked users are not displayed when you click More in the
web interface (Devices > Authentication-Sequence > Locked Users).


82136 Fixed an issue where packets that matched a policy-based forwarding (PBF) rule with
Action set to No PBF (Policies > Policy Based Forwarding > pbfrule > Forwarding) were
dropped when offloading was enabled. With this fix, offloaded sessions are passed as
expected even when the traffic matches a PBF rule with Forwarding set to No PBF.

82109 Fixed an issue on a PA-7000 Series firewall where passive FTPS with inbound decryption
failed after entering passive mode. This occurred when predict sessions did not merge as
expected due to the predict queue. With this fix, proxy ingress executes before the predict
queue so that all data sessions merge as expected and FTP transfer is successful over TLS.

82099 Fixed an issue where the remote host (From) IP address for the Panorama session displayed
in reverse order displayed the administrator IP address in the Logged in Admins widget
on the Dashboard.

81944 Fixed an issue where patch management for a GlobalProtect host information profile (HIP)
check failed to identify missing patches when the Check setting for patch management in
HIP Objects criteria was set to has-all, has-any, or has-none (Objects > GlobalProtect >
HIP Objects > Patch Management > Criteria).

81927 Fixed an issue where a firewall stopped submitting files to a WildFire cloud (public or
private) when a CPU process (varrcvr) stopped responding. This issue occurred when
receiving an email with a subject line containing more than 252 characters.

81868 Fixed an issue with a packet buffer (FPTCP) leak and resolved a few
dataplane-to-management plane connection issues, as well.

81584 Fixed an issue in Panorama 7.0 where output from the show ntp command did not always
display the correct NTP status. Primarily, this issue occurred when there was only one NTP
server configured and, even when correctly connected to the NTP server, the show ntp
status displayed as rejected. With this fix, output from the show ntp command
correctly displays NTP status as synchronized.

81581 Fixed an issue where a process (useridd) was unable to accommodate a large number of HIP
reports during HA synchronization, which caused abnormally high CPU and memory
utilization on the firewall.

81522 Fixed an issue where a firewall allowed commits to succeed even when there were no
superuser administrator accounts included in the configuration. This would cause the
firewall to be inaccessible (except when the firewall was managed by Panorama, which
could still provide access to the firewall through Panorama context switching). With this fix,
a commit succeeds only if there is at least one local superuser account in the configuration;
if none exist, the commit fails.

81415 Fixed an issue on PA-7000 Series, PA-5000 Series, PA-3000 Series, and PA-500 firewalls
where an Aggregate Ethernet (AE) interface was unable to transmit an ARP request on a
tagged subinterface to the neighboring device.

81408 Fixed an issue where shared address objects that are not used in security policy rules were
pushed to firewalls even when Panorama Settings (Panorama > Setup > Management) was
configured to not Share Unused Address and Service Objects with Devices.

81383 Fixed an issue where the show routing route CLI command output was missing a comma
(","). With this fix, the output displays correctly.

81370 Fixed an issue where the firewall was unable to allocate a large memory block, which
caused sessions to fail. This fix ensures adequate resources are available for a large memory
block when needed.


81367 A security-related fix was made to address CVE-2015-4024.

81301 Fixed an issue on a firewall with decryption enabled where insufficient buffer space
resulted in discarded SSL sessions.

81170 Fixed an issue where the SNMP manager returned a warning (subtype-illegal) related to
panVsysEntry OBJECT-TYPE (panVsysName) when adding the PAN-COMMON-MIB.my
MIB file. With this fix, adding the current version of MIB files to the SNMP manager does
not trigger a subtype-illegal warning.

81079 Fixed an issue where, in a Dynamic Updates schedule popup (Device > Dynamic Updates
> <Schedule>), hovering over the override icons displayed incorrect values for the
Recurrence setting for antivirus and content updates when the Recurrence setting on the
firewall was overridden by a template push. With this fix, hovering over the Recurrence
value override icon for a Dynamic Update schedule displays the correct information even
when the Recurrence setting was pushed to the firewall through a template push.

81058 Fixed an issue on PA-7000 Series firewalls where NAT Dynamic IP fallback did not correctly
translate resources, which resulted in dropped packets.

80932 Fixed an issue where passwords for non-administrators entered in the GlobalProtect login
window were truncated to 40 characters when using RADIUS authentication.

80831 Fixed an issue where SSL decryption failed for some sites when the size of the certificate
was larger than 1.5KB.

80766 Fixed an issue where dataplane 0 (DP0) on the passive firewall in a high availability (HA)
configuration restarted after a session was established on the active firewall interface when
that same interface did not also exist on the passive firewall.

80753 Fixed an issue on a PA-3060 firewall where a network outage occurred when the number
of active sessions reached 100,000. With this fix, the maximum number of detector threats
(dthreats) is increased to avoid this issue.

80702 Fixed an issue in a high availability (HA) configuration where the ARP table synced with the
primary peer but was refreshed only on dataplane 0 (DP0) of the passive peer, which
caused ARP entries to expire prematurely on the passive firewall when their TTL reached 0.

80648 Fixed an issue where a device group commit failed when using the destination interface in
a NAT rule configured on Panorama.

80533 Fixed an issue where administrators could view addresses and usernames in the Application
Command Center (ACC) view even when the Show Full IP Addresses or Show User
Names In Logs And Reports option was disabled for the Admin Role profile associated with
those administrators (Device > Admin Roles > <AdminRoleProfile> > Web UI > Privacy
settings).

80463 Fixed an issue where a local commit on Panorama failed (invalid reference) on a
template or template stack when a Log Forwarding profile was configured to send logs to
syslog (Objects > Log Forwarding).

80397 Fixed an issue where you could create a new Monitor profile when creating a policy-based
forwarding (PBF) rule on Panorama even when the target template was unknown (the PBF
rule is part of a device group and the Monitor profile is part of a template configuration).
With this fix, you can no longer create a new Monitor profile when creating a PBF rule on
Panorama.


80389 Fixed an issue on a PA-5060 firewall where internal packet path monitoring failed when
under a heavy load. With this fix, internal packet path monitoring is forwarded using a
priority setting that prevents these failures even when experiencing high traffic conditions.

80086 Fixed an issue where a firewall displayed an incorrect location for the source or destination
on the Traffic Map.

79841 Fixed an issue where, in certain circumstances, there were discrepancies between a
scheduled report and that same report generated using the run now option (Monitor >
Manage Custom Reports > <CustomReport>).

79746 Fixed an issue on a PA-2000 Series firewall where an Aggregate Ethernet (AE) interface was
unable to transmit an ARP request on a tagged subinterface to the neighboring device.

79328 Fixed an issue where Applications and Security rules in QoS statistics view (Network >
QoS > <interface>) were not displayed when the ingress interface was configured to use L2
VLAN.

78848 Fixed a rare issue where a commit (such as an antivirus update or FQDN refresh) caused
the firewall to stop processing traffic. This issue occurred after a high availability (HA)
synchronization event when the autocommit triggered by the synchronization event was
ignored. With this fix, a force commit request is automatically and repeatedly generated
until successful.

78773 Fixed an issue where the debug dataplane flow-control enable port and debug
dataplane flow-control disable port CLI commands failed to modify flow control
settings as expected.

78426 Fixed an issue where a CPU process (pan_dhcpd) spiked when DHCP NAK packets were
received on the DHCP relay interface.

78210 Fixed an issue in a high availability (HA) active/passive configuration where the multicast
tree failed to converge non-offloaded multicast traffic as quickly as expected after a
failover. With this fix, the multicast tree convergence time is reduced for non-offloaded
multicast traffic after an HA active/passive failover.

78040 Fixed an issue where the output of the show zone-protection zone CLI command did
not correctly display zone protection information for a defined virtual system (VSYS).

77376 Fixed an issue where a gateway Config refresh on a satellite device (Network > IPSec
Tunnels > Gateway Info (for a gateway) > select <gateway> > Refresh GW Config) caused a
delay in tunnel installation and resulted in connectivity issues for the duration of the delay.

77299 Fixed an issue where WildFire analysis reports did not display Coverage Status for the
sample when using a Firefox browser even when a signature was generated to identify the
sample (Monitor > Logs > WildFire Submissions > Detailed Log View > WildFire Analysis
Report). With this fix, you can view the correct Coverage Status for a sample when using a
Firefox browser.

76981 Fixed an issue where a certificate containing a space character (" ") in the Common Name
field of the certificate failed to establish a secure syslog connection with the syslog server.
With this fix, certificates establish syslog connections as expected even when containing
space characters in the Common Name.

76811 Fixed an issue where packet loss could occur with asymmetric traffic when two PA-4060
firewalls were set up as peers in a high availability (HA) active/active configuration. This
issue occurred with VLAN-tagged traffic when jumbo frames processing was disabled and
large non-jumbo frames passed over the HA3 link and became jumbo frames.


76481 Fixed an intermittent issue where a Category for a session in the URL Filtering log did not
match the actual categorization of that session. With this fix, the logic for removing expired
or unresolved URL cache entries is improved so that a Category in the URL Filtering log
stays in sync with the actual categorization of a session.

72115 When the web interface was set to display in any language other than English, service
routes to specify how the firewall communicates with other servers or devices could not be
configured (Device > Setup > Services > Service Route Configuration). This issue has been
fixed so that service routes can be configured and work correctly when the web interface
is set to any language preference.

70719 In response to an issue where a dataplane restarted due to an incorrect flow ID, PAN-OS
6.1.4 and later releases included additional checks to help prevent the dataplane from
restarting due to this issue. With this fix in PAN-OS 7.0.3, those PAN-OS 6.1.4
modifications are further modified to provide a more complete solution that avoids
inadvertently dropping IPv4 traffic affected by this issue.

67254 Fixed an issue where an XML API call for system RAID failed with an attribute error for
raid_handler object.

66607 Fixed an issue on a PA-200 firewall where administrators could configure a firewall directly
or use Panorama to push external block lists (EBLs) with a total number of EBL lists or IP
addresses that exceeded limitations and did not receive an error message. (Low-end
platforms support a maximum of 10 lists and 50,000 IP addresses; high-end platforms
support a maximum of 30 lists and 150,000 IP addresses; there is no per-list maximum for
any platform.) With this fix, an error message is displayed as expected when configuring a
PA-200 firewall directly or through a push from Panorama (or PAN-OS release downgrade)
where the number of EBL lists or IP addresses exceeds the limitations of that firewall or of
the current PAN-OS release.

34340 Fixed an issue where a large number of informational logs for the key manager process
(keymgr) were included in reports when log setting for keymgr logs was set to normal. With
this fix, informational logs for keymgr are included only when you configure logging for
keymgr messages to the debug setting using the debug keymgr on debug CLI command.

PAN-OS 7.0.2 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS 7.0.2 release. For an overview of new
features introduced in PAN-OS 7.0 and other release information, including the list of known issues, see
PAN-OS 7.0 Release Information. Before you upgrade or downgrade to this release, review the information
in Upgrade to PAN-OS 7.0.

Issue ID Description

82724 Fixed an issue where old registered IP addresses in a Dynamic Address Group on a high
availability (HA) active/passive pair were deleted from the passive firewall when that
firewall switched from non-functional to passive state and received an incremental update
of registered IP addresses from the active firewall. This fix also addressed a related issue in
an HA active/active configuration where the active-secondary firewall retained old IP
addresses in the Dynamic Address Group after switching to a functional state when the
active-secondary firewall switched to non-functional state and all IP addresses in the
Dynamic Address Group became unregistered on the active-primary firewall.

82717 Fixed an issue where a dataplane stopped responding after a reboot due to an initialization
issue on SFP+ ports.

82675 Fixed an issue on an M-100 appliance where, after an upgrade to PAN-OS 7.0.1, an
authentication process (authd) stopped responding when the LDAP binding password
contained special characters.

82370 Fixed an intermittent issue where a dataplane process (mprelay) experienced a memory leak
that caused the virtual memory to increase until it triggered a dataplane restart.

82310 In response to a fragmentation issue, virus patterns are split into smaller chunks to reduce
the possibility of memory allocation failure.

82087 Fixed an issue where a firewall displayed an alert for low disk space. With this fix, the
/opt/content directory was removed to improve the disk cleanup process.

82009 Fixed an issue where a document file triggered an attempt to ping an IP address.

81981 Fixed an issue where the LLDP System Name field displayed the firewall model number and
could not be modified to differentiate from other similar firewalls. With this fix, the firewall
populates the LLDP System Name field using the configurable hostname value.

81970 Fixed an issue where some Active Directory (AD) servers were incorrectly displaying a
Password expires in x days message even after selecting Password never expires on
the AD server. With this fix, the AD server ignores the maximum password age
(maxPwdAge) value when the Password never expires option is selected.

81955 Fixed an issue on a firewall where files were not sent to WildFire as expected when the first
8 bytes of the file were split across different packets or decrypted buffers.

81941 Fixed an issue where a dataplane restarted when encountering resumed SSL sessions using
inbound SSL decryption.

81819 Fixed an issue where the System log reported that a firewall in a high availability (HA)
active/active configuration Received conflicting ARP for the floating IP address of its
HA peer. With this fix, duplicate IP address detection continues to log conflicts for
non-floating IP addresses, as well as duplicate addresses detected for a floating IP address
received from any other device that is not a member of the HA pair.


81816 Removed support for SSLv3 on Panorama for connections to managed devices.

81797 Fixed an issue where ASCII and special characters were not supported in the user activity
report username field.

81783 Fixed an issue where a firewall picked the wrong decryption cipher when configured with
multiple IPSec Crypto profiles for IKEv2 negotiation.

81676 Fixed an issue where a firewall allowed administrators to configure a subinterface using
invalid notation (such as ethernet1/1.1.1).

81577 Fixed an issue where custom URL categories associated with a Decryption policy did not
match traffic destined for a proxy server.

81572 Fixed an issue on a PA-7000 Series firewall that displayed incorrect timestamps in Traffic,
Threat, and URL Filtering logs.

81535 Fixed an issue where the group list was empty after pushing the group mapping
configuration from Panorama to a multi-vsys firewall during an attempt to configure users
in a Security policy rule even though the group mapping state was synchronized.

81510 Fixed an issue where Device Group and Template administrators were able to create and
modify Shared objects. With this fix, Device Group and Template administrators are
allowed to create and modify only objects specific to the device groups and templates to
which they have access, not Shared objects.

81500 Fixed an issue where a VM-Series firewall in a VMware NSX configuration running on an
ESXi server restarted when a process (all_task) stopped responding.

81485 Fixed an issue on PA-200 and VM-Series firewalls where local objects were not resolved in
the Traffic log after selecting the Resolve hostname option (bottom of the Monitor > Logs
> Traffic tab).

81452 Fixed an issue where switching context from the Panorama web interface to a managed
firewall did not indicate whether the administrator was logged in over an encrypted SSL
connection; the System log message was always User admin logged in via Panorama
from x.x.x.x using http regardless of whether the connection was encrypted. With this
fix, the System log now specifically reports User admin logged in via Panorama from
x.x.x.x using http over an SSL connection when the administrator is connected
through an encrypted SSL connection to differentiate from non-encrypted connections.

81389 Fixed an issue where the output of the show admins all command displayed all
administrator accounts on the firewall, including root accounts. With this fix, show admins
all command output displays only local and non-local administrator accounts.

81373 Fixed an issue where WildFire Analysis reports for samples analyzed in a WildFire cloud
(public or private) were not displayed in the WildFire Submissions log (Monitor > WildFire
Submissions) when the firewall was configured to communicate with the WildFire cloud
through a proxy server.

81312 Fixed an issue where firewall Device administrators were unable to run and view output on
a firewall for the show panorama-status CLI command. With this fix, Device
administrator, Device administrator (read-only), Superuser, and Superuser (read-only)
users (Device > Administrators > <administrator>) can run and view output for the show
panorama-status command from the firewall.

81271 Fixed an issue where the second attempt to access some websites over HTTPS failed when
SSL Forward Proxy was enabled.


81264 Fixed an issue where Threat logs were generated for Threat Name - IP fragment
overlap, ID - 8705 after upgrading to a PAN-OS 7.0 release.

81219 Fixed an issue with stability when adding Log Collectors to a Collector Group.

81115 Fixed an issue where administrators experienced long delays when executing log queries
consisting of multiple attributes.

81110 Fixed a session reuse issue where an incoming SYN/ACK packet for an established session
caused a failure in TCP reassembly, which resulted in a dropped packet even when the Reject
Non-SYN TCP option was disabled (Network > Network Profiles > Zone Protection >
<ZoneProtectionprofile> > Packet Based Attack Protection > TCP Drop). With this fix,
initiating session reuse with a SYN/ACK packet is successful regardless of the Reject
Non-SYN TCP setting.

80993 Fixed an issue in PAN-OS 7.0 (as well as in Panorama 5.1 and later releases) where XML API
POST requests failed when including a QUERY_STRING but no content-length header.
With this fix (in both PAN-OS and Panorama 7.0.2 releases), POST requests with a
QUERY_STRING and a missing content-length header are successful.

80960 Fixed an issue where attempting to Test SCP server connection (Device > Scheduled Log
Export) created an unnecessary Config lock that prevented any additional changes to the
running configuration.

80933 Fixed a rare issue where a PA-7000 Series firewall experienced heartbeat failures on the
HA1 and HA1 backup links that caused split brain in a high availability (HA) configuration.

80924 Fixed an issue where a GlobalProtect Large Scale VPN (LSVPN) satellite configuration
caused the satellite firewall to Proxy ARP for the defined access route subnets on all logical
and physical interfaces.

80896 Fixed an issue where some actions that utilize the /opt/pancfg/ partition, such as dynamic
updates and commits, were failing when that partition ran out of space due to a large
number of HIP reports received from User-ID XML API. With this fix, HIP reports are no
longer saved in the /opt/pancfg/ partition of the firewall.

80840 Fixed an issue where the URL filter did not correctly parse the common name (CN) value
when a MAC address was specified as the CN value in the server certificate.

80839 Fixed an issue where error is displayed for Tor status in the CLI output for both the show
wildfire status and test wildfire tor CLI commands.

80767 In response to a very rare issue where the configured NAT pool or method was not utilized
as expected, an enhancement was made to Tech Support file generation that includes
additional data to help troubleshoot the issue.

80720 Fixed an issue where a firewall experienced a dataplane restart when the packet processing
daemon terminated due to a double-free condition associated with a specific packet buffer
(fptcp).

80687 Fixed an issue on PA-7000 Series, PA-5000 Series, and PA-3000 Series firewalls where
software packet buffers were depleted (although eventually recovered) when receiving
TCP packets with large payloads. With this fix, modifications to processes for allocating
software buffers and handling TCP congestion ensure that software packet buffers do not
get depleted due to packets with large payloads.

80669 Fixed an issue on firewalls in CCEAL mode where the management server would restart
when the firewall attempted to send an SNMPv3 trap.

80624 Fixed an issue where administrators experienced delays accessing the firewall web
interface when the firewall reconnected to Panorama and had a large number of logs to
send.

80592 Fixed an issue where firewalls in a high availability (HA) active/passive configuration did not
sync the Dynamic Address Group when one of the firewalls stopped functioning and then
changed to a functional state.

80567 In response to an issue where race conditions affecting Block IP table operations
inadvertently caused some packets to be marked as drop ip block without any entry in
the Block IP table.

80532 Fixed an issue where files were not being forwarded as expected to the WildFire cloud
(public or private) due to a terminated process (varrcvr). This issue occurred when the
Subject field in forwarded emails contained non-ASCII characters.

80404 Fixed an issue where PA-2000 Series firewalls experienced connectivity issues when
auto-negotiating duplex and speed settings on the management interface connection to a
third-party device. With this fix, a new driver is added to ensure that the management
interface remains accessible and to provide a more reliable transition when speeds are
changed (such as from 1,000Mbps over full-duplex 1000/Full to 100/Full) when there is
little or no traffic flowing through the firewall. Use the following best practice
recommendations to ensure successful transitions:
- When possible, set both the PA-2000 Series firewall and the third-party device to
  auto-negotiate mode, where each side selects the highest possible common maximum
  speed and duplex setting.
- If you must manually configure the speed and duplex setting for either the firewall
  (Device > Setup > Management > Management Interface Settings) or the third-party
  device, you should manually configure the same speed and duplex settings on both sides
  so that they are in sync. If you do not manually configure the settings to be the same at
  both ends of the connection, traffic flow will be impacted because the PA-2000 Series
  firewall cannot determine the correct duplex mode and will default to half-duplex mode,
  which can cause a duplex mismatch.

If you manually configure both sides of the connection:
- Do not set the port on the third-party device to 1000Mbps master mode, as this
  will completely stop traffic and the ports will not recover (both ports try to control
  the link and neither is successful).
- Do not attempt to change the speed or duplex setting while traffic is flowing
  through the connection: pause traffic, configure the two peer ports appropriately,
  make sure the ports are set to the same speed and duplex values, and then resume
  traffic flow.

80386 Fixed an issue where a configuration override failed when pushing system log settings to
firewalls from Panorama resulting in the following error: edit failed, may need to
override template object informational first.

80318 Fixed an intermittent issue on a PA-7000 Series firewall where some packets were dropped
during the initial session setup process. This issue occurred when two packets in the same
session were sent almost simultaneously, causing the second of the two packets to get
dropped.

80251 Fixed an issue on a firewall where a dataplane restarted with multiple core files (all_pktproc,
flow_ctrl, and flow_mgmt) after the firewall received percent-encoded HTTP requests from
a proxy server when both the parsing of X-Forwarded-For (XFF) attributes and stripping of
XFF from HTTP Headers were enabled (configured with the set system setting ctd
CLI command). With this fix, you can enable both XFF actions without causing the
dataplane to restart when the firewall receives percent-encoded HTTP requests from a
proxy server.

80187 Fixed an issue where the test authentication authentication-profile command
results in output that uses the management interface as the source regardless of whether you
configured a service route to provide a different source.

80063 Fixed an issue on an M-100 appliance where the configuration daemon (configd) stopped
responding when processing a null value.

79960 Fixed an issue where the firewall sent an extra carriage return line feed (CRLF) in HTTP/1.1
POST packets when requesting an update from the BrightCloud URL database. This issue
occurred when using a proxy server, which correctly rejects the packets and returns
HTTP/1.1 400 Bad Request messages due to the extra CRLF (per RFC 7230).

79929 Fixed an issue where a process (mprelay) stopped responding and did not receive a refresh
of the configuration when it restarted.

79925 Fixed an issue where virtual wire (vwire) path monitoring failed and the firewall stopped
sending ICMP packets over the vwire interface after a high availability (HA) failover.

79719 Fixed a rare issue where a dataplane restarted when multiple processes (flow_ctrl and
mprelay) stopped responding due to a software buffer leak.

79709 Fixed an intermittent issue where ZIP processing may cause the dataplane to restart.

79535 Fixed an issue in a high availability (HA) configuration where the monitored destination IP
address for Path Monitoring displayed as up even when unavailable, preventing the
firewall from displaying as tentative as expected. With this fix, the monitored destination
IP address correctly shows as down when unavailable, which results in the firewall correctly
changing status to tentative.

79504 Fixed an issue where a passive M-100 appliance in a high availability (HA) configuration lost
its device group and template configuration.

79470 Fixed an issue where Panorama did not display WildFire Analysis reports correctly in the
WildFire Submissions log for WF-500 appliances running PAN-OS 6.1 or earlier releases.
You can fetch these reports using a secure channel only for WF-500 appliances
running PAN-OS 7.0.2 or later releases; a secure channel is not used when fetching
reports from a WF-500 appliance running PAN-OS 7.0.1 or earlier releases.

79382 Fixed an issue where IP address registration through the XML API failed to populate the
Dynamic Address Group following an AddrObjRefresh job failure during a template
commit from Panorama when the Force Template Values option was checked, resulting in
an Error: Failed to parse security policy.

79347 Fixed an issue where a firewall stopped responding and triggered a dataplane restart when
receiving incomplete and insufficient parameters in API calls. With this fix, checks are in
place to prevent the dataplane restart when receiving API requests with invalid or
insufficient parameters.

79279 Fixed an issue that caused an error to be displayed (ntp-servers unexpected here.
Discarding.) when pushing a device group configuration through templates after a
Panorama upgrade.

79046 Fixed an issue on an M-Series appliance running in Log Collector mode where log
forwarding to an external syslog server stopped working after a Panorama commit when
forwarding logs through TCP port 514 (default) instead of UDP port 514 (Device > Server
Profiles > Syslog). With this fix, you no longer need to perform a Collector Group commit
to resume log forwarding after a Panorama commit when the syslog server is configured to
use TCP.

78891 Fixed an issue where the use of region-based objects in the Security policy caused
consistently high dataplane CPU utilization.

78803 Fixed an issue in Panorama where template settings that were global to every virtual
system (vsys) on a firewall (for example, System log settings) were unable to reference
configuration elements (for example, an Email server profile) when that element was added
to a specific vsys instead of to the Shared location. With this fix, Panorama can push
template and device group settings, even those that are not or can't be pushed to a specific
vsys, regardless of whether those settings refer to Shared elements or elements that are
specific to a vsys.

78571 Fixed an intermittent issue where a firewall received a Virtual Systems license that allowed
for a higher number of virtual systems than the maximum amount supported for the
platform. With this fix, the licensed virtual systems activated on a firewall cannot be higher
than the maximum amount of virtual systems supported on the firewall.

78568 Fixed an issue where PA-3000, PA-5000, and PA-7000 Series firewalls experienced a
memory leak associated with improper purging of old, replaced entries in the ARP/ND table
when the table reached capacity.

78511 Fixed an issue where the DHCP relay agent incorrectly set the gateway IP address (giaddr)
value to zero (instead of the IP address of the ingress interface as defined in RFC 1542)
when responding to DHCP requests.

78084 The output for the command show log collector serial number displayed different
log data when executed on a primary active Panorama than the output that was displayed
when the command was executed from the secondary passive Panorama. This issue is fixed
so that the output for the command show log collector serial number correctly
displays the latest log data for managed Log Collectors.

78064 Fixed an intermittent issue where authentication failed in a two-phase authentication
process when the login response contained customer data.

77816 Fixed an intermittent issue where some Windows 7 GlobalProtect clients using two-factor
authentication (LDAP and certificate) lost connection to the portal or gateway and could
not reconnect due to a failed authentication with the error Required client
certificate is not found even when the certificate was available.

77775 Fixed an issue where a validation error occurred when attempting to move an object from
its current device group to a destination device group that was lower in the hierarchy even
when the policy rules or objects that reference the object being moved were in the same
destination or in a device group that should inherit the object.

77103 Fixed an issue where a System log message (Failed to upgrade WildFire package to
version <unknown version>) displayed on the firewall even when no WildFire license
existed on the firewall.

76875 Fixed an issue where the dataplane rebooted when a process (brdagent) was terminated by
the firewall in response to an out-of-memory condition. With the fix, dataplane reboots are
no longer triggered by these out-of-memory events because the firewall no longer
considers the brdagent process for termination when attempting to address an
out-of-memory event.

76781 Fixed an issue where a firewall incorrectly calculated packet length and TCP sequence due
to a one-byte zero-window probe packet when that packet was sent from one vsys to
another.

76631 Fixed an issue on PA-7000 Series firewalls where the Log Processing Card (LPC) failed to
resolve the FQDN of the syslog server. With this fix, the firewall will reinitiate the DNS
lookup request until the lookup succeeds.

76561 Fixed an issue where the DHCP relay agent dropped DHCP DISCOVER packets that the
agent could not process due to multiple BOOTP flags. With this fix, the DHCP relay agent
recognizes the first BOOTP flag in a DHCP DISCOVER packet and ignores any additional
BOOTP flags that may exist (per RFC 1542) so that multiple BOOTP flags do not cause
DHCP DISCOVER packets to be dropped.

76238 A security-related fix was made to address CVE-2015-1873.

75803 Addressed an issue regarding how often password API keys are regenerated.

75344 Fixed an issue where a memory process restarted and caused an invalid memory reference;
the invalid memory reference resulted in a management plane restart.

74423 Fixed an issue where a firewall running PAN-OS 7.0.1 was incorrectly using the URL
Updates service route when fetching a Dynamic Block List instead of using the service
route attached to the Palo Alto Updates in the Service Route Configuration (Device > Setup
> Services > Global).

73443 Fixed an intermittent issue that resulted in corrupted forwarding entries on the offload
processor.

71331 Fixed an issue on a PA-500 firewall where the firewall assigned a DHCP address for the
management (MGT) interface even after the administrator configured a static IP address for
that port. With this fix, DHCP initiation for the MGT interface is disabled.

70887 Fixed an issue where clicking the More link to view the registered IP address under Object
> Address Groups resulted in an error if the name of a Dynamic Address Group included a
space. With this fix, spaces in Dynamic Address Group names no longer cause an error
when displaying the IP address.

70302 Fixed an issue where the autocommit process failed after upgrading a PA-7050 or PA-5000
Series firewall to a PAN-OS 6.1 or PAN-OS 7.0 release.

69132 Fixed an issue where occasional dataplane restarts occurred due to a kernel memory
allocation failure.

64602 In response to an issue where a firewall generated core files for a process (pktproc) when a
dataplane stopped responding, an additional check and associated error output is added to
help troubleshoot an issue where an FPGA running the Aho-Corasick algorithm returns a
session index mapped to a NULL pointer.

64531 Fixed an issue where a high availability (HA) failover occurred due to insufficient kernel
memory on a PA-5000 Series firewall. With this fix, PA-5000 Series firewalls include some
cache flushing events and increased kernel memory to ensure sufficient kernel memory
remains available for ping requests and keep-alive messages to avoid these HA failovers.

64266 Fixed a rare issue where certain processes (l3svc and sslvpn) stopped responding when a
Content update and FQDN refresh occurred simultaneously.

PAN-OS 7.0.1 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS 7.0.1 release. (As the base PAN-OS
7.0 image, this release and the list below also include all issues initially addressed for PAN-OS 7.0.0.) For an
overview of new features introduced in PAN-OS 7.0 and other release information, including the list of
known issues, see PAN-OS 7.0 Release Information. Before you upgrade or downgrade to this release,
review the information in Upgrade to PAN-OS 7.0.

Issue ID Description

PAN-73605 Fixed an issue where the firewall did not correctly identify the URL category of a web
session when the HTTP header information was split across multiple packets due to a
sequence of abnormally large HTTP cookies.

82299 Fixed a critical security vulnerability for firewalls and Panorama running PAN-OS 7.0.0 that
were configured to use LDAP authentication for Captive Portal or for device management.
(This issue does not affect devices configured to use RADIUS or local authentication.)

81374 Fixed an issue on a PA-200 firewall where the MAC address configured for the
management interface was inadvertently changed after an upgrade to PAN-OS 7.0.0. With
this fix, the management interface MAC address configured before an upgrade remains the
same after the upgrade.

81174 Fixed an issue where an autocommit failed after an upgrade to PAN-OS 7.0.0 due to a failed
IKE Crypto profile verification when two IKE gateways were configured using a dynamic
peer in main mode on the same local interface.

81167 Fixed an issue where the Apps-only (no Threats) version of Content Updates failed to install
on a device registered with standard support.

81158 Fixed an issue where an IPSec tunnel failed to negotiate a new session and dropped packets
during an SA rekey in IKEv2 mode.

81024 Fixed an issue where Panorama 7.0.0 failed to properly push Device Group and Service
Group objects to devices running PAN-OS 6.1 or earlier releases. With this fix, Panorama
pushes Device Group and Service Group objects as expected to devices running any
supported PAN-OS release.

80903 Fixed an issue where PA-7050 firewalls running PAN-OS 6.1 or earlier releases did not
accurately handle queries from Panorama running PAN-OS 7.0.0, which resulted in the
inability to display data in the Application Command Center (ACC) widgets and prevented
log data from the PA-7050 firewall from being included in reports generated on Panorama.
With this fix, Panorama queries to PA-7050 firewalls are disabled by default so that ACC
widgets display correctly for all other devices you manage through Panorama.

80871 Fixed an issue where WildFire analysis reports were not displayed in Detailed Log View
(Monitor > WildFire Submissions > Detailed Log View > WildFire Analysis Report) for
WildFire Submissions log entries when the firewall was configured to use a service route
instead of the management interface to communicate either with a WildFire private cloud
or with the WildFire public cloud. However, for firewalls running PAN-OS 7.0.1, to view the
integrated reports from within the web interface on the firewall, you must first configure
wildfire.paloaltonetworks.com as the WildFire public cloud; either in the web
interface (Device > Setup > WildFire > General Settings) or using the set deviceconfig
setting wildfire public-cloud-server wildfire.paloaltonetworks.com CLI
command.

80849 Fixed an issue where IPv4 and IPv6 traffic forwarding failed when sent through an LACP
Aggregated Ethernet (AE) interface due to an incorrect system MAC address.

80799 Fixed an issue where files and email links sent using Simple Mail Transfer Protocol (SMTP)
or Post Office Protocol version 3 (POP3) were not forwarded to the WildFire public cloud
for analysis unless the firewall was also configured to forward files to a WildFire private
cloud. With this fix, firewalls connected only to the WildFire public cloud appropriately
forward to the WildFire public cloud all files and email links that are sent using SMTP or
POP3.

80607 Fixed an issue where a firewall rebooted when an unusually large number of fragmented
packets passed through the firewall when the NAT64 IPv6 Minimum Network MTU setting
was configured to a value other than 1500 (Device > Setup > Session > Session Settings),
which triggered a memory leak. With this fix, fragmented packets no longer cause a
memory leak. Additionally, a new counter was added to monitor whether resources are
available for fragmenting packets when needed.

80561 Fixed an issue where software forwarding of Layer 3 multicast traffic with Protocol
Independent Multicast (PIM) did not function properly.

80408 Fixed an issue where, in some environments, new content updates could no longer be
accommodated by the memory on the firewall that is allotted for these files due to a
continually increasing number of applications in the updates. With this fix, allocated
memory for content updates is increased so that continued growth of content updates will
not prevent successful download and installation of those updates.

80398 Fixed an issue where administrators were unable to log in through the web interface when
the firewall was configured to authenticate administrators using client certificates and was
configured with Online Certificate Status Protocol (OCSP) verification enabled.

80373 Fixed an issue where attempts to Clone objects or policies in a shared gateway location or
Move objects or policies from a virtual system to a shared gateway location did not work
correctly.

80323 Fixed an issue where the link states for firewall interfaces did not come up when rebooting
the firewall after disabling high availability (HA).

80286 Fixed an issue where a commit failed after an upgrade to PAN-OS 7.0.0 when Defaults for
an application was set to ICMP Type (Objects > Applications > application > Advanced).
With this fix, commits do not fail after an upgrade to PAN-OS 7.0.1 or later releases
regardless of this Defaults setting.

80268 Fixed an issue on a PA-7050 firewall running PAN-OS 7.0.0 where attempts to switch to
Common Criteria (CC) mode failed with the following error: Set CCEAL4 Mode Sysd
Error. This issue occurred because the CC mode operation attempted to change the
operational mode before the system process (sysd) was fully loaded. This operation resulted
in setting the firewall to the factory default configuration without CC configuration
changes.

80266 Fixed an issue where PA-200, PA-500, and PA-2050 firewalls running PAN-OS 7.0.0 and
configured to use a service route instead of the management (MGT) interface to connect
to an LDAP server were unable to establish a connection, which caused all firewall
functions that relied on that connection to fail. With this fix, firewalls successfully connect
through a configured service route to an LDAP server.

79854 Fixed an issue where Panorama was unable to display System and Config logs for PA-7000
Series firewalls.

79844 Fixed an issue where logs sent to a log collector group were not properly saved and could
not be displayed when that log collector group contained a space in the name. With this fix,
logs are saved and displayed correctly even when there is a space in the log collector group
name.

79522 Fixed an intermittent issue where a firewall with hardware offload enabled included an
incorrect IP checksum value in outgoing NAT packets, which caused some packets to be
dropped.

79511 Fixed an issue on Panorama where disabling the Share Unused Address and Service
Objects with Devices option (Panorama > Setup > Management > Panorama Settings)
when no Shared objects were configured caused a process to restart during a commit.

79478 Fixed an issue where the firewall connected directly to a directory server instead of the
User-ID agent configured as an LDAP proxy. With this fix, the firewall correctly uses the
User-ID agent when the agent is configured for use as an LDAP proxy.

79463 Fixed an issue where CPU memory on a PA-7050 firewall spiked when attempting to view
reports in the Application Command Center (ACC). This issue occurred when task creation
notifications were not processed properly and, as a result, the Log Collector did not
terminate failed requests as expected. With this fix, task creation notifications are
processed appropriately and failed tasks are properly terminated.

79443 Fixed an issue in the web interface where, in some cases, the PHP session cookie
(PHPSESSID) was not marked as secure.

79401 VM-1000-HV firewalls running on eight vCPUs did not save and display Traffic and Threat
logs. With this fix, VM-1000-HV firewalls properly save and display the logs. This issue did
not affect VM-Series firewalls running on two or four vCPUs.

79367 Fixed an issue in PAN-OS where GlobalProtect clients experienced delays and
intermittently failed to retrieve the gateway configuration for connecting to a
GlobalProtect gateway when the firewall was in a high availability (HA) configuration and
under a heavy load. This issue occurred due to an issue with the synchronization of HIP
reports between gateways on HA peers when there was a high number of
near-simultaneous GlobalProtect connection requests. With this fix, the sync process is
modified so that GlobalProtect clients are able to download the configuration and connect
to the network as expected even when multiple clients are attempting to connect at the
same time.

79335 Fixed an issue where attempting to filter System logs using the log filter Type equal
globalprotect did not work. A space was automatically added to the log filter, causing
an error to be displayed.

79291 Fixed an issue where the Bytes column results displayed when clicking Run Now for a
custom report (Monitor > Manage Custom Reports) did not match the results displayed in
that same report when emailed or exported out in PDF format.

79278 Fixed an issue where the active device in a high availability (HA) configuration failed to
generate tech support files due to a buffer limitation that could not accommodate the
output from some commands. With this fix, the commands that prevent generation of tech
support files have been removed so that reports are generated as expected.

79260 Fixed a rare issue on a WF-500 appliance where an ICMP packet containing a FIN+ACK
packet was incorrectly forwarded out through the management (MGT) interface. With this
fix, ICMP packets containing a FIN+ACK packet are dropped, instead.

79104 Fixed a rare issue on a PA-7000 Series firewall where the HA1 and HA1 backup links
experienced heartbeat failures that caused split brain in a high availability (HA)
configuration.

78798 Fixed an issue where the URL field in the URL Filtering log became blank or was logged
without a hostname.

78652 Fixed a rare issue where a firewall dropped URL requests when the management plane (MP)
URL trie (data structure) reached 100% capacity. With this fix, when the MP URL trie
reaches 90% capacity, URLs in the cache are cleared until the MP URL trie utilizes only 50%
of capacity so that the trie cannot reach maximum capacity and cause requests to be
dropped.

78646 Fixed an issue where a firewall replaced multi-byte characters with a period character ( . )
when forwarding logs or event information to SNMP traps, to a syslog server, through
email, or in scheduled log exports. This issue also occurred when exporting logs to CSV.
With this fix, multi-byte characters are forwarded and exported correctly with one
exception: in PAN-OS 7.0.1, PA-7000 Series firewalls will still incorrectly replace multi-byte
characters with period characters when exporting logs to CSV.

78621 Fixed an issue that occurred when Chile adopted new official times and the official time for
Continental Chile became UTC-03:00. A PA-200 firewall configured to use the Chile
Continental time incorrectly continued to display the official time as UTC-04:00.

78556 Fixed an issue in Panorama where using the option to import a certificate when configuring
a GlobalProtect gateway or portal did not result in the imported certificate being added to
the drop-down. The imported certificate also did not display on the Templates > Device >
Certificates page. (However, the imported certificate did display correctly after a
Panorama commit.) With this fix, imported certificates are displayed immediately on the
web interface where expected.

78448 Fixed an issue where a custom response page containing an invalid substring caused the
process for communicating between the dataplane and management planes (mprelay) to
stop responding when attempting to commit configuration changes.

78436 Fixed an issue where the management plane stopped responding when more than one
process attempted to modify the device table during a configuration push from
Panorama. With this fix, the device table is locked and modifiable by only one process at
a time to avoid conflicting modifications.

78413 Fixed an issue on a PA-7000 Series firewall with multiple virtual systems where a memory
leak was observed related to the First Packet Processor (FPP) management plane process
when running the show session meter CLI command.

78343 Fixed an issue that occurred with decryption enabled, where some websites were not
decrypted due to an issue with certificate serial numbers.

78304 A security-related fix was made to address a cross-site request forgery (CSRF) issue in the
web interface.

78289 Fixed an issue where the receive errors interface counter displayed values larger than
the actual number of packets that should be counted as errors. This issue occurred because
some packets were counted twice. With this fix, the receive errors counter displays the
correct value.

78197 HIP reports for users can now be retrieved using the XML API (in addition to viewing HIP
reports using the CLI).

78187 Fixed an intermittent issue with a system process (all_task) that caused a device to restart
unexpectedly. This fix includes an adjustment to an internal timer to avoid these restarts.

78166 Fixed an issue where the VirusTotal link in the Coverage Status section of WildFire
Analysis reports did not correctly open the VirusTotal page.

78155 Addressed an issue where two DoS protection policy rules that were not overlapping
incorrectly resulted in a warning that one of the rules was shadowing the other rule.

77907 Fixed an issue where log forwarding to a Log Collector did not stop as expected when
executing the request log-fwd-ctrl device <s/n> action stop CLI command on
Panorama. With this fix, log forwarding to a Log Collector stops as expected when
executing the request log-fwd-ctrl device <s/n> action stop command so long as
both the firewall and Panorama are running PAN-OS 7.0.1 or later releases.

77784 Fixed an issue on Panorama where administrators were unable to filter Device Groups by
tags in the commit window.

77749 Fixed an issue where clicking More to view the registered IP address under Policies >
Security > Object > Address Groups resulted in an error.

77721 Fixed an issue on a PA-200 firewall where a reboot took much longer than expected (more
than 20 minutes). This issue occurred when the Content Updates database was corrupted
and updates did not stop or pause as expected to allow the reboot to take place. With this
fix, the firewall reinitializes the database if it is corrupted to allow the Content Update and
system reboot to proceed as expected.

77477 Fixed an issue where a user was no longer able to connect to a VM-Series firewall
configured as a GlobalProtect gateway and deployed in Amazon Web Services (AWS) after
the user had been connected for several hours and the user could not reconnect until the
gateway was restarted. With this fix, users no longer lose their connection to the
GlobalProtect gateway if they stay connected for several hours.

77413 Fixed an issue where the authentication process failed to parse the base Distinguished
Name (DN) correctly when it contained a space (" ") character.

77342 When using the XML API to retrieve HA control link statistics, the statistics retrieved were
not the same as those displayed in the output for the CLI operational command show
high-availability and control-link statistics.

77307 Fixed an issue where the CLI seemed unresponsive after running the show config diff
command due to the extended period of time it took to process and return results for a diff
containing a large number of configuration changes. With this fix, the show config diff
command returns results without any significant delay.

77163 Fixed an issue where the /var/log/secure log file inflated and consumed available disk
space. With this fix, PAN-OS uses a log rotation function for this log file to avoid consuming
more disk space than is necessary.

77140 Fixed an issue where an error was displayed when using Panorama to change a password
for a managed firewall admin.

76847 Fixed an issue where IKE phase 2 rekey was happening too frequently for an IPSec
site-to-site VPN configured with tunnel monitoring on multiple Proxy IDs when QoS was
enabled.

76759 Fixed an issue where an SSL scan of a WF-500 appliance returned SSLv3 connections and
RC4 ciphers even though the WF-500 appliance no longer supports SSLv3. With this fix,
the WF-500 appliance returns only TLSv1 connections.

76729 Fixed an issue where the response returned by the request batch license info XML
API request was not wrapped with <response> <result>.

76688 Fixed an issue where the IPv6 source address was not displayed in the Host column for
Config logs. With this fix, the IPv6 source address is displayed in the Host column as
expected (instead of 0.0.0.0).

76575 Fixed an issue on a PA-5000 Series firewall where an occasional inconsistency in the IPv6
neighbor cache on different dataplanes caused IPv6 traffic sent to certain hosts to get
dropped. With this fix, the firewall keeps the IPv6 neighbor cache in sync between
dataplanes so that IPv6 packets are not dropped.

76489 Fixed an issue where threat updates did not install correctly after adding a Threat
Prevention license and installing an Applications and Threats content release version. This
occurred even though the output of the show system info CLI command verified that the
Threat Prevention license was installed.

76282 Fixed an issue where FQDN objects were not resolved when all the following conditions
were true:
- The FQDN object was being used as a tag in a Dynamic Address Group.
- The Dynamic Address Group was not a member of the same tag.
- The FQDN object was not attached to a security policy rule.
- The FQDN object was not included in a regular address group that was attached to a
  security policy rule.

76083 Fixed an issue where no System logs were generated for failed login attempts using the CLI
over an SSH connection. With this fix, additional System logs now provide visibility for
failed logins to the management interface even if those attempts come from a CLI over an
SSH connection.

76079 Fixed an issue on PA-7000 Series firewalls where Traffic logs on Advanced Mezzanine
Cards (AMCs) could not be recovered after installing the AMCs onto a new Log Processing
Card (LPC). With this fix, a new CLI command (request metadata-regenerate slot
<slotnum>) is available for retrieving logs from the old AMC disks after installing them in a
new LPC.
When you use this command, you should ensure the device is not processing traffic until
the regeneration request is complete. Additionally, you can ignore the erroneous error
message (Failure communicating with given slot) that displays 60 seconds after
running the request metadata-regenerate command: the regeneration process will
continue to run as expected and you will need to wait for it to finish before resuming traffic
flow. It can take up to two hours, or longer, to regenerate all metadata depending on the
number of logs recovered. To determine if regeneration is complete, use the following CLI
command to look for the Done generating metadata for LD:x message:
less s8lp-log vld-<amcslotnum>-0.log

75881 Fixed an issue on a PA-5000 Series firewall where the management plane and dataplane
restarted due to a race condition that occurred when the Enforce Symmetric Return
option was enabled in the policy-based forwarding (PBF) rules (Policies > Policy Based
Forwarding > Forwarding). This race condition caused inaccurate PBF return-mac ager
lists, which caused the restarts. With this fix, the firewall retrieves and checks return MAC
entries to avoid this race condition and associated restarts.

75825 Fixed a rare issue on a PA-5000 Series firewall where a race condition occurred between
dataplanes 1 and 2 (DP1 and DP2) and dataplane 0 (DP0) that incorrectly caused a reset of
the timeout value for parent sessions owned by DP1 and DP2 when creating predict
sessions, which caused those parent sessions to time out prematurely. With this fix, the
timeout for parent sessions is not changed when the predict sessions are created.

75758 Fixed an issue where the dataplane restarted on a PA-5000 Series firewall in a high
availability (HA) cluster due to corruption of ARP packets.

75744 Fixed an issue where a dataplane stopped responding after a commit that changed the
interface index when high availability (HA) session packets were referencing that interface
index using an interface pointer.

75677 Fixed a Panorama issue where clearing the setting Require SSL/TLS secured connection
for a vsys-specific LDAP server profile (Templates > Device > Server Profiles > LDAP)
displayed an error.

75404 Fixed an issue for the show log CLI command, where you could not filter the displayed logs
by username if the user/srcuser option used characters other than an alphanumeric
character, underscore, dash, dot, forward slash, or colon.

75003 Fixed an issue where only the first 15 characters of a zone name were displayed in logs.
Complete zone names are now displayed in logs.

74654 Fixed an issue on an M-100 device where an attempt to download Content Updates failed
due to a lack of disk space. This issue occurred when continuous XML API queries filled the
/opt/pancfg partition because STOP messages were getting dropped between Panorama
and the Log Collector and queries were not properly removed when no longer needed.
With this fix, STOP messages should not be dropped. Additionally, in case STOP messages
are dropped for any other reason, a timeout setting for queries is in place to ensure that
stale queries are removed from disk space before causing a storage space issue.

74609 Fixed an issue on a PA-5000 Series firewall where PREDICT sessions were handled by
dataplane 0 (DP0) but the SIP parent sessions were on a different dataplane. With this fix,
you can use the set session filter-ip-proc-cpu dest-ip <IPaddr> CLI command to
specify all destination SIP proxy IP addresses in a filter list on the firewall. You can then use
the list to configure the firewall so that DP0 receives and handles any inbound packet that
is destined for any of the specified SIP proxy IP addresses.

74600 A security-related fix was made to the OpenSSL package to address multiple vulnerabilities
impacting the OpenSSL libraries.

74489 Fixed an issue with regular expression where using the vertical bar or pipe character (|)
caused errors.

74315 Fixed an issue where comments added to an Aggregate Ethernet (AE) interface were not
saved along with the AE interface configuration and the Comment field displayed as empty
after closing the configuration window.

73692 Updated an error message that originally noted that an Antivirus content download failed
because an Antivirus content download was in progress. The error message is updated to
correctly state that the failed Antivirus content download was due to a WildFire content
download being in progress.

73631 Fixed an issue where several NTP sync errors were displayed following a firewall software
upgrade.

73317 Fixed an issue where the System log displayed an IPv4 address for a firewall that was
connected to an Active Directory (AD) server through a management port using an IPv6
address. For example: ldap cfg <group_name> connected to server <IPv6 address>,
initiated by: <IPv4 address>. With this fix, the appropriate IP address and format is
displayed for the initiating device even when connected using an IPv6 address.

73158 The port range you can use to define ports for custom applications has been updated to be
from port 0-65535. The update matches the ports you can define for application override
policy rules (also 0-65535). Previously, you could not define port 0 for custom
applications.

73064 When a firewall was configured as a DHCP client, it failed to renew or release the
DHCP-assigned IP address when the firewall interface was then connected to a new DHCP
server.

73058 Fixed an issue where source and destination fields in SNMP traps were not populated for
traffic using IPv6 addresses. With this fix and Rev. B of the PAN-OS 6.1 Enterprise SNMP
MIB modules, new IP version-neutral fields were added (InetAddress and InetAddressType
in place of the IpAddress field) to fully support IPv6 addresses. (The IpAddress field is
retained for backward compatibility but is deprecated; administrators are expected to
transition to the new fields.)

72933 Fixed an issue where Panorama administrators were unable to view the Botnet report
option when switched to the firewall context.

72806 The GlobalProtect pre-logon connect method did not work when a certificate profile was
configured to use a subject alternative name (SAN) and the matching device certificate did
not contain the SAN.

72756 Fixed an intermittent issue where a race condition caused by multiple processes
asynchronously attempting to retrieve the last saved configuration file caused Captive
Portal or the FQDN refresh job to fail.

72719 Fixed an issue where the Tunnel Monitor Threshold value displayed for a GlobalProtect
satellite was incorrectly displayed as a unit of time (seconds). The Tunnel Monitor
Threshold actually specifies the number of heartbeats to wait for before the firewall takes
specified action, and is no longer displayed in seconds.

72544 A security-related fix was made to address CVE-2014-8730. For additional information,
refer to the PAN-SA-2014-0224 security advisory on the Palo Alto Networks Security
Advisories website at https://securityadvisories.paloaltonetworks.com.

72371 When a custom QoS profile was enabled on an interface, the QoS statistics for the custom
profile were instead displayed as the default QoS profile statistics. This issue has been
resolved so QoS statistics are displayed correctly with the corresponding QoS profile (and
for each class in the profile).

72153 Fixed an issue where the first SYN packet in a TCP connection that passed through two
virtual systems did not reach the destination server. This occurred when:
The first virtual system was configured with DNAT.
The second virtual system was configured with SNAT.
Sessions were allocated on different dataplanes (DPs), with the first session on DP0.

72075 When the firewall was configured to access an LDAP server through a data interface, the
firewall could not connect to the LDAP server if it was also configured to access the
User-ID agent using a different data interface.

71860 Addressed an issue where configuration changes were not reflected in the configuration
logs after importing SSH keys.

71682 Fixed an issue on a PA-5000 Series device where a port that was in use was sometimes
reused when dynamic port translation was enabled with NAT and sessions were initiated
on different dataplanes. With this fix, Active FTP sessions succeed with a NAT policy setup.

71340 Fixed an issue where firewall administrators were unable to clone any of the three
predefined common criteria admin roles; attempting to do so resulted in an error.

71250 Fixed an issue where decryption policies with a destination address and a URL category
defined as matching criteria caused commit failures.

71049 Made an update to ensure that the CLI command request system shutdown can only be
executed by users with superuser access privileges.

70537 Added a new debug CLI command (debug dataplane internal pdt pci list) to provide
a dump of the peripheral component interconnect (PCI) when attempting to identify the
root cause for the data_plane_X: Startup Script Failure error.

70431 Fixed an issue where a custom URL category with the name any caused unexpected
results. With this fix, the name any is no longer allowed when creating a custom URL
category (Objects > Custom Objects > URL Category).

70335 Fixed an issue where access routes from the GlobalProtect gateway could not be installed
on a satellite when the tunnel monitor was enabled for a Large Scale VPN (LSVPN) and the
tunnel monitor was in wait recover mode.

69961 Fixed an issue where Panorama and a firewall running the same release version, did not
display the same drop-down selections to add as matching criteria to a security policy rule.
Now, if Panorama and a firewall are running the same release version, the same objects are
displayed and can be added to a security policy rule, regardless of whether the rule is being
defined on Panorama or a firewall.

69752 Fixed an issue where the web interface did not display concurrently logged-in
administrators if those administrators had not locally authenticated to the firewall.

69685 Updates were made to existing Russian time zones and new Russian time zones were added
to the available list of global time zones for a device, to accommodate the 2014 changes to
Russian time zones.

69419 Fixed an issue that was seen with predict sessions when traffic traversed a firewall in virtual
wire mode twice.

68508 Fixed an issue where the DHCP server sent DHCP lease offers on the wrong interface after
a high availability (HA) failover due to interface IDs being out of sync on the HA peers.

68484 If the Panorama setting to Share Unused Address and Service Objects with Devices was
enabled, committing changes to a device group did not correctly push objects to managed
firewalls.

68178 When configuring a threat exception for an Anti-Spyware or Vulnerability Protection
profile, adding an IP address exemption to the exception did not work if the input included
a subnet (for example, XXX.XXX.XXX.XXX/32). Only IP address exemptions entered without
a subnet were accepted by the firewall. This issue is fixed so that you can add an IP address
with a subnet as an exemption within a threat exception (Objects > Vulnerability
Protect/Anti-Spyware > Exceptions).

67713 An administrator was allowed to downgrade the content version (Applications and Threats)
on the firewall to a version that was not supported with the PAN-OS software release
version running on the firewall. For example, if the firewall was running PAN-OS 7.0 and
the minimum content version was 497, the administrator was incorrectly able to
downgrade to a version prior to 497.

66681 Resolved a dataplane restart issue due to race conditions.

65959 Added an enhancement to display predefined URL categories in addition to custom
URL categories in the Allow Categories column for URL Filtering profile rules (Objects >
Security Profiles > URL Filtering).

63652 Fixed an issue where some files forwarded to WildFire were not uploaded successfully due
to a CANCEL_OFFSET_NO_MATCH error. With this fix, the offset (caused by a buffer overload)
is no longer an issue.

63524 Fixed an issue that occurred when performing a template commit to a PA-200 firewall on
Panorama. The operation failed if you changed the vsys1 display name on the firewall using
the set display-name <name> CLI command.

62276 Fixed an issue where the Application Command Center (ACC) failed to load any widgets and
displayed the following error: The selected filters cannot be applied to any of
the acc reports. This issue occurred when navigating from Monitor > Reports > HTTP
Applications to the ACC.

61259 Removed whitespace preceding a response that was displayed when using the XML API to
submit a file for WildFire analysis.

Getting Help
The following topics provide information on where to find more about our products and how to request
support:
Related Documentation
Requesting Support

Related Documentation

Refer to the following documents on the Technical Documentation portal at
https://www.paloaltonetworks.com/documentation for more information on our products:
New Features Guide: Detailed information on configuring the features introduced in this release.
PAN-OS Administrator's Guide: Provides the concepts and solutions to get the most out of your Palo
Alto Networks next-generation firewalls. This includes taking you through the initial configuration and
basic setup on your Palo Alto Networks firewalls.
Panorama Administrator's Guide: Provides the basic framework to quickly set up the Panorama virtual
appliance or an M-Series appliance for centralized administration of the Palo Alto Networks firewalls.
WildFire Administrator's Guide: Provides steps to set up a Palo Alto Networks firewall to forward
samples for WildFire Analysis, to deploy the WF-500 appliance to host a WildFire private or hybrid
cloud, and to monitor WildFire activity.
VM-Series Deployment Guide: Provides details on deploying and licensing the VM-Series firewall on all
supported hypervisors. It includes examples of supported topologies on each hypervisor.
GlobalProtect Administrator's Guide: Takes you through the configuration and maintenance of your
GlobalProtect infrastructure.
Online Help System: Detailed, context-sensitive help system integrated with the firewall web interface.
Compatibility Matrix: Detailed reference to determine support for Palo Alto Networks firewalls,
appliances, agents, and OS releases.
Open Source Software (OSS) Listings: OSS licenses used with Palo Alto Networks products and
software:
PAN-OS 7.0
Panorama 7.0
WildFire 7.0

Requesting Support

For contacting support, for information on support programs, to manage your account or devices, or to open
a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
To provide feedback on the documentation, please write to us at: [email protected].

Contact Information

Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contactsupport

Palo Alto Networks, Inc.
www.paloaltonetworks.com
2015-2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of
our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks
mentioned herein may be trademarks of their respective companies.

Revision Date: April 28, 2017
