
PAN-OS Release Notes

Version 4.1.6
This release note provides important information about Palo Alto Networks PAN-OS software. Please refer to the Addressed Issues section for details on what has been fixed in this release and the Documentation Errata section for issues found in the documentation. Also review the Known Issues and the Upgrade/Downgrade Procedures sections thoroughly prior to installation.

Contents
PAN-OS 4.1 New Features ........ 2
Changes to Default Behavior ........ 6
Upgrade/Downgrade Procedures ........ 6
Associated Software Versions ........ 9
Addressed Issues ........ 11
Documentation Errata ........ 21
Related Documentation ........ 23
Requesting Support ........ 23

PAN-OS Release Notes, version 4.1.6 rev A

PAN-OS 4.1 New Features


This section provides details about the features introduced in the PAN-OS 4.1.0 base release. Note: Maintenance releases (where only the third digit in the release number changes, e.g. 4.1.0 to 4.1.1) do not include any new features.

APPLICATION IDENTIFICATION FEATURES


H.323 ALG Enhancements
The H.323 VoIP application-level gateway (ALG) has been enhanced to support dynamic prediction of media sessions (pinhole opening) based on the signaling data, as well as payload modification when performing address translation on the traffic, allowing NAT/PAT traversal for H.323 VoIP traffic.

URL Category in Match Criteria
URL Categories can now be used as a matching criterion in the Security, QoS, and Captive Portal policies. This feature simplifies security policy creation when enforcing specific web-filtering policies by users and domain groups. QoS policies can be created to rate-limit traffic associated with specific URL categories. Captive Portal policies can be created to conditionally authenticate users based on the URL category of the website a user visits.

USER IDENTIFICATION FEATURES


User-ID Agent Consolidation
The User-ID functionalities of the User-ID Agent for Active Directory and the User-ID Agent for LDAP have been consolidated into the new unified User-ID Agent, which incorporates support for Active Directory, eDirectory, and the XML API.

Active Directory Support Enhancements
Several enhancements have been made to the User-ID capability for Active Directory environments:
- Multi-domain/forest support
- Domain Controller auto-discovery
- PAN-OS-based group mapping configuration

Exchange Server Event Log Monitoring
The new User-ID Agent can be configured to monitor logon events on Microsoft Exchange Server associated with Microsoft Exchange compatible client applications. This allows the mapping of users that potentially do not authenticate to a Domain Controller but do authenticate to Exchange.

NTLM Authentication Enhancements
Captive Portal NTLM authentication can now be configured to leverage multiple User-ID Agents to verify NTLM responses received from client browsers. In addition, if NTLM authentication fails, the user is now redirected to an explicit logon page instead of being presented with an error message.

Agent Status in Web Interface
A new Connected column has been added to the User-ID Agent and Terminal Server Agent tables to show the status of the connection to the agents.


CONTENT INSPECTION FEATURES


Rule-based Vulnerability Protection Profiles
The anti-spyware and vulnerability protection profiles have been enhanced to allow granular rule creation for adding signatures to the profile. These rules apply to all existing signatures and to new signatures as they are added via content updates. Instead of selecting between simple and custom profiles, rules are used in conjunction with an exception list, which can change the behavior/action of any individual signature.

WildFire
The file blocking profile action list has been enhanced to include a "forward" action, which copies and forwards files matching the policy to the WildFire cloud-based malware detection service. WildFire currently supports Windows PE files (executable files), and runs submitted files in a cloud-based sandbox environment to analyze the sample for malicious behavior. An administrator can view reports of submitted samples through the WildFire web portal at wildfire.paloaltonetworks.com, and can configure automated email reports.

NETWORKING FEATURES
Multicast Routing
Allows the firewall to route multicast streams using PIM Sparse Mode (PIM-SM) and PIM Source-Specific Multicast (PIM-SSM). The firewall can also act as an IGMP querier for hosts that are on the same network as the interface on which IGMP is configured. PIM and IGMP may be enabled on layer 3 interfaces. IGMP v1, v2, and v3 are supported.

DHCP Client
Allows a layer 3 interface to act as a DHCP client and receive a dynamically assigned IP address.

DNS Setting Propagation
Allows the firewall to propagate DNS server and other settings from a DHCP client or PPPoE client interface into a DHCP server configuration. These settings may also be propagated to GlobalProtect gateway configurations.

NAT within Virtual Wire
Allows the firewall to perform network address translation when deployed in virtual wire mode.

SHA-2 VPN Support
Extends the list of supported authentication algorithms to include SHA-2.

NAT-T
NAT traversal is now supported for site-to-site tunnels on all Palo Alto Networks devices.

GLOBALPROTECT FEATURES
Unification of NetConnect and GlobalProtect
The feature set of NetConnect has been integrated into GlobalProtect. GlobalProtect in its base functionality now replaces NetConnect. The advanced functionalities of GlobalProtect, such as Host Information Profiles and multi-gateway support, remain licensed features, while single gateway configurations with no HIP capability are available without a license.


Mac OS X Support
GlobalProtect is now available for Mac OS 10.6 and 10.7 on 32- and 64-bit platforms.

Apple iOS Support
Apple iOS devices can now establish IPSec connections to a GlobalProtect gateway using the native iOS IPSec client.

Client Override Enhancements
A challenge-response based feature has been added to allow for more flexible and controlled user overrides in GlobalProtect. Additionally, an administrator can specify the maximum number of overrides a user can perform before a connection to a gateway is required.

User/Group-based Portal Configurations
The GlobalProtect Portal now supports multiple agent configurations on a per-user or per-user-group basis within one portal configuration.

Gateway Selection Priority
The mechanism by which the GlobalProtect Agent selects the best available gateway has been improved with a priority rating for each external gateway. The gateway priority, from 1 to 5 where 1 is the highest priority, allows administrators to influence which gateway is chosen under normal operations.

Response Page Enhancements
New response pages have been added to GlobalProtect to allow administrators to define custom welcome and help pages as well as rich pages in response to specific HIP object matches.

Agent UI Control
A new option has been added that allows administrators to change the visible UI options of the GlobalProtect agent.

NETCONNECT SSL-VPN FEATURES


NetConnect functionality has been merged with GlobalProtect. With PAN-OS 4.1, the NetConnect agent and portal components are migrated to GlobalProtect. To cover the NetConnect functionality, basic GlobalProtect functionality is now available to all customers with no license. A GlobalProtect Portal license is still required for multi-gateway deployments, and a GlobalProtect Gateway subscription is required for host profiling capability. Refer to the GlobalProtect section for all new features related to NetConnect functionality.

MANAGEMENT FEATURES
Report Translation
Capability to customize the language used in report headers. The supported languages are Chinese (Traditional and Simplified) and Japanese.

Granular Commit Operations
When performing a Commit operation, an admin now has the ability to specify which area of the configuration to commit. This allows an admin to commit policy-related changes without committing in-process networking and device configuration changes. Additionally, in Panorama, the admin is now given a choice of whether to combine the Panorama configuration with the current running configuration on the device or with the candidate configuration on the device.


Detailed Configuration Logging
The configuration logs have been extended to include before and after fields to display the details of every configuration change. These details can also be included when forwarding logs to external systems.

Customizable Logos
The various company logos in the web interface and reports can be customized.

Log Database Enhancements
Several performance and scalability improvements have been made to the log database, including data compression, seamless format migration, indexing optimizations, and data summarization for query optimization.

Web Interface Updates
The interface update that began in PAN-OS 4.0 is now complete. All areas of the web interface now leverage the same dynamic framework. In addition, performance optimizations have been made to improve tab switching and content loading performance.

Netflow
The system can generate and export Netflow Version 9 records with unidirectional IP traffic flow information to an outside collector. Netflow exporting can be enabled on any ingress interface in the system. Separate template records are defined for IPv4, IPv4 with NAT, and IPv6 traffic, and PAN-OS specific fields for App-ID and User-ID can optionally be exported. This feature is available on all platforms except the PA-4000 series.

Structured SNMP Trap MIB
A new MIB module has been added to define all SNMP traps generated by the system. Each system log is now defined as an independent SNMP trap with an Object ID (OID) of its own, and the individual fields in a log are defined as a variable binding (varbind) list.

XML-based REST API Enhancements
The REST API for both PAN-OS and Panorama has been expanded to support all operational commands, several new configuration commands, commit operations, and packet-capture (PCAP) exports. Examples of supported operational commands include setting, showing, or clearing runtime parameters, saving and loading configurations to disk, retrieving interface or system information, etc. The newly supported configuration commands include get, rename, clone, and move.

SSH Key-based Authentication
Key-based authentication of administrators for CLI access via SSH has been added. This enables easy programmatic access to the device via automated scripts, without requiring a password to be entered. Each admin account contains an option to turn on public key authentication for SSH and to import a public key.
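The XML-based REST API section above lists operational, configuration and commit requests. The Python helpers below are an added example, not code from this release note or from Palo Alto Networks: they build request URLs for the op and config endpoints (turning a CLI-style word list into the nested XML the op endpoint takes) and check the status attribute on the XML reply before trusting its result. The /api/ path, the type=keygen, type=op, type=config and type=commit request types, and the <response status="..."> reply shape are assumptions about the PAN-OS XML API; the replies embedded in the block are constructed samples, not captured device output.

```python
"""Helpers for scripting the PAN-OS XML API (added example).

Assumptions, not taken from the release note: requests go to
https://<host>/api/ with type=keygen | op | config | commit, and every reply
is <response status="success|error" ...>...</response>. The sample replies
below are constructed for the example, not real device output.
"""
import urllib.parse
import xml.etree.ElementTree as ET


def op_command_xml(words):
    """Nest a CLI-style word list into op-command XML, e.g.
    ["show", "system", "info"] -> "<show><system><info/></system></show>"."""
    if not words:
        raise ValueError("empty command")
    inner = "<%s/>" % words[-1]
    for word in reversed(words[:-1]):
        inner = "<%s>%s</%s>" % (word, inner, word)
    return inner


def build_url(host, params):
    """Assemble the request URL. The API key is a query parameter, so treat
    the full URL as a credential: keep it out of shell history and logs."""
    return "https://%s/api/?%s" % (host, urllib.parse.urlencode(params))


def op_url(host, key, words):
    return build_url(host, {"type": "op", "cmd": op_command_xml(words), "key": key})


def config_get_url(host, key, xpath):
    return build_url(host, {"type": "config", "action": "get", "xpath": xpath, "key": key})


def commit_url(host, key):
    return build_url(host, {"type": "commit", "cmd": "<commit></commit>", "key": key})


def parse_response(xml_text):
    """Return the <result> element of a successful reply; raise with the
    device's message (and HTTP-style code, if present) on status="error"."""
    root = ET.fromstring(xml_text)
    if root.tag != "response":
        raise ValueError("unexpected root element: %s" % root.tag)
    if root.get("status") == "success":
        return root.find("result")
    msg = root.findtext(".//msg") or root.findtext(".//line") or "unknown error"
    raise RuntimeError("API error (code %s): %s" % (root.get("code"), msg))


def extract_api_key(xml_text):
    """Pull the key out of a type=keygen reply."""
    return parse_response(xml_text).findtext("key")


def system_info(xml_text):
    """Pull hostname and software version out of a show-system-info reply."""
    system = parse_response(xml_text).find("system")
    return {"hostname": system.findtext("hostname"),
            "sw-version": system.findtext("sw-version")}


# Constructed sample replies (placeholders, not captured from a firewall).
SAMPLE_KEYGEN_OK = ('<response status="success"><result>'
                    '<key>EXAMPLE_KEY_PLACEHOLDER</key></result></response>')
SAMPLE_OP_OK = ('<response status="success"><result><system>'
                '<hostname>fw-example</hostname><sw-version>4.1.6</sw-version>'
                '</system></result></response>')
SAMPLE_ERROR = ('<response status="error" code="403"><result>'
                '<msg>Invalid credentials.</msg></result></response>')

if __name__ == "__main__":
    print(op_url("firewall.example", "EXAMPLE_KEY_PLACEHOLDER", ["show", "system", "info"]))
    print(system_info(SAMPLE_OP_OK))
    try:
        parse_response(SAMPLE_ERROR)
    except RuntimeError as err:
        print(err)
```

Because the key rides in the query string, a script that logs its own request URLs leaks an administrator credential; log the command, not the URL, and give automation its own admin account with the narrowest role the task needs.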
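The Netflow paragraph above notes that the firewall exports Version 9 records with separate template records per traffic type. NetFlow v9 is template-driven: a collector cannot decode a data FlowSet until it has received the template with the same ID, so the parsing logic matters for anyone feeding firewall flow records into their own tooling. The parser below is an added example, not code from this release note or from Palo Alto Networks: it decodes the RFC 3954 packet header, caches template FlowSets, decodes data FlowSets against the cached template, and skips data that arrives before its template. The packet it parses is constructed inline from standard RFC 3954 field types; the PAN-OS specific App-ID and User-ID fields mentioned in the text are not modelled.

```python
"""NetFlow v9 template and data record parser (added example, RFC 3954 layout).
The packet built by build_sample_packet() is constructed; it is not firewall output."""
import ipaddress
import struct

# Standard RFC 3954 field type IDs used by the constructed template.
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
}
IPV4_FIELDS = {8, 12}
HEADER_FMT = "!HHIIII"  # version, count, sysUptime, unixSecs, seqNum, sourceID
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 20 bytes


def parse_header(data):
    """Decode the export packet header and reject anything that is not v9."""
    version, count, uptime, unix_secs, seq, source_id = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet (version %d)" % version)
    return {"version": version, "count": count, "sys_uptime": uptime,
            "unix_secs": unix_secs, "sequence": seq, "source_id": source_id}


def decode_field(ftype, raw):
    """IPv4 address fields become dotted quads; everything else a big-endian int."""
    if ftype in IPV4_FIELDS and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_packet(data, templates=None):
    """Return (header, records). `templates` is the collector's template cache
    (template_id -> [(field_type, length), ...]); pass the same dict for every
    packet from one exporter so later data FlowSets can be decoded."""
    templates = {} if templates is None else templates
    header = parse_header(data)
    records = []
    offset = HEADER_LEN
    while offset + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[offset:offset + 4])
        if fs_len < 4 or offset + fs_len > len(data):
            raise ValueError("malformed FlowSet length %d at offset %d" % (fs_len, offset))
        body = data[offset + 4:offset + fs_len]
        if fs_id == 0:  # Template FlowSet: one or more template definitions
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                fields = []
                for _ in range(nfields):
                    ftype, flen = struct.unpack("!HH", body[pos:pos + 4])
                    pos += 4
                    fields.append((ftype, flen))
                templates[tid] = fields
        elif fs_id >= 256:  # Data FlowSet: its ID names the template it uses
            fields = templates.get(fs_id)
            rec_len = sum(flen for _, flen in fields) if fields else 0
            if rec_len == 0:
                # Template not seen yet (exporters resend them periodically):
                # skip this FlowSet; a production collector would count it.
                offset += fs_len
                continue
            pos = 0
            while pos + rec_len <= len(body):  # leftover bytes < rec_len are padding
                rec = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, "FIELD_%d" % ftype)] = decode_field(ftype, body[pos:pos + flen])
                    pos += flen
                records.append(rec)
        # FlowSet ID 1 (options template) and 2-255 (reserved) are ignored here.
        offset += fs_len
    return header, records


def build_sample_packet():
    """Constructed v9 packet: one template (ID 256) plus two flow records."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, n) for t, n in fields)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def rec(src, dst, sport, dport, proto, nbytes, npkts):
        return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
                + struct.pack("!HHBII", sport, dport, proto, nbytes, npkts))

    recs = (rec("10.0.0.5", "192.0.2.10", 51234, 443, 6, 1500, 10)
            + rec("10.0.0.7", "198.51.100.25", 40000, 53, 17, 120, 1)
            + b"\x00\x00")  # pad the FlowSet to a 4-byte boundary
    data_fs = struct.pack("!HH", 256, 4 + len(recs)) + recs
    header = struct.pack(HEADER_FMT, 9, 3, 1000, 1700000000, 1, 0)
    return header + template_fs + data_fs


if __name__ == "__main__":
    hdr, flows = parse_packet(build_sample_packet())
    print(hdr)
    for flow in flows:
        print(flow)
```

The template cache is keyed only by template ID here; a collector receiving from several exporters (or several virtual systems) should key it by source address and the header's source_id as well, because template IDs are only unique per exporter.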


Changes to Default Behavior


The following are changes to the default behavior made in 4.1.0:

In PAN-OS 4.0 and earlier, TCP window checking could be disabled using the following command: set deviceconfig settings tcp drop-out-of-wnd no. In PAN-OS 4.1, the configuration option has been changed to: set deviceconfig settings tcp asymmetric-path bypass. When upgrading to 4.1, this configuration option is not automatically migrated and is configured only through the CLI, so this option will be ignored after the upgrade. If this option is required, enter the new (4.1) command and commit the configuration.

User-ID Agent client probing now uses WMI as the default instead of NetBIOS.

Panorama Administrator Access Control
When managing administrator accounts in Panorama, granting role-based access to a Device Group no longer implies permissions to each device and virtual system on a context switch. You can now set granular access to each device under Panorama management by going to the Administrators account and selecting the device and virtual system under the Device Context tab. When the administrator logs in, they will only be able to do a context switch to the device and virtual system to which they have access. This same functionality also applies to Access Domain, in which an external authentication server such as Radius can be used to control access. Current administrator accounts that have a defined list of device groups will be migrated to have the same permissions when switching context. You will now see those devices and virtual systems selected in the Device Context tab, which will allow you to apply more granular permissions if needed.

Upgrade/Downgrade Procedures
The following lists information related to the upgrade/downgrade procedures of the firewall as well as details related to how certain features are migrated.

Upgrading PAN-OS
Important: In order to upgrade to PAN-OS 4.1, the device must be running PAN-OS 4.0.0 or later. Attempts to upgrade to PAN-OS 4.1 from earlier releases will be blocked.

Use the following steps to perform a software upgrade to this release:
1. Ensure the device is connected to a reliable power source, as a loss of power during the upgrade could make the device unusable.
2. Save a config backup by clicking Save named config snapshot. This can be used to restore the configuration in the event of a migration failure.

3. Navigate to the Device tab in the web interface and click the Software link.
4. Click Refresh to retrieve the currently available releases that can be installed.
5. Locate the latest release and download it to the device by clicking the Download link in the row corresponding to that latest release.
6. Once downloaded, click the Install link to perform the upgrade.

The device must be running content update 257 or later in order to upgrade to PAN-OS 4.1. Use the following steps to perform a dynamic content update, which consists of App-ID updates as well as threat updates depending on subscription licenses. The device must be registered for the following steps to work. Please go to https://support.paloaltonetworks.com to register your device.

1. Navigate to the Device tab in the web interface and click the Dynamic Updates link.
2. Click Refresh to retrieve the currently available updates that can be installed.
3. Download the latest update to the device by clicking the Download link in the row corresponding to the latest update.
4. Once downloaded, click the Install link to perform the update.

Downgrading PAN-OS
In the event the device needs to be downgraded, the following procedure should be followed:

Important: In a feature release (where the first or second digit in the PAN-OS version changes, for example PAN-OS 4.0 to 4.1), the configuration may be migrated to accommodate new features, so you should not downgrade unless you also restore the configuration for that release, as mentioned in the steps that follow. Maintenance releases, where the third digit in the release changes (3.1.0 to 3.1.1), can be downgraded without having to restore the configuration. Unmatched software and configurations can result in failed downgrades or even force the system into maintenance mode. If you have a problem with a downgrade, you may need to enter maintenance mode, reset the device to factory default, and then restore the configuration from the original config file that was exported prior to the upgrade.

1. Save a backup of the current configuration file by navigating to the Device > Setup > Operations tab and clicking Export named configuration snapshot; select running-config.xml and click Ok to save the configuration file. This backup can be used to restore the configuration if you have problems with the downgrade and you need to do a factory reset.
2. Navigate to Device > Software and you will see the software page that lists all PAN-OS versions that can be downloaded, or that have already been downloaded.
3. To downgrade to an older maintenance release, click Install in the Action column for the desired release. If the version you want to use shows Download, click the Download link to retrieve the software package and then click Install. Note: If you are downgrading to an earlier major release, navigate to the page that shows that release. When you click the Install link, you will see a pop-up that shows an autosave configuration (as of 4.1). This saved configuration is created when you upgrade to a feature release and should be used when downgrading to restore PAN-OS to the configuration that was present before the upgrade to the feature release. For example, if you upgrade from 4.0 to 4.1, the autosave config is created and can be used to downgrade back to 4.0. If you upgrade from PAN-OS 3.1 to 4.0, the autosave is not created, so you will need to do a factory reset and restore your configuration manually.
4. After PAN-OS has been downgraded, click Ok to reboot the device to activate the new version.

Rule-based Vulnerability Protection Profiles Backward Compatibility
When upgrading Panorama or PAN-OS to 4.1, simple style vulnerability protection and anti-spyware profiles are automatically converted to rules of equivalent meaning. Custom style profiles are converted to exceptions that specify signature-specific actions, with no rules required.

NetConnect to GlobalProtect Migration
When upgrading to PAN-OS 4.1 on a firewall that is configured with NetConnect, the feature set of NetConnect will be integrated into GlobalProtect. It is important that you carefully plan your rollout of the GlobalProtect client to existing NetConnect clients to ensure uninterrupted service for your remote users.

You should be aware of the following changes after the upgrade:
- When upgrading your firewall to 4.1, NetConnect will be replaced by GlobalProtect and the NetConnect configuration will automatically migrate to a single portal/single gateway GlobalProtect configuration.
- In the WebUI, the NetConnect side menu in the Network tab will be replaced with GlobalProtect.
- GlobalProtect users will automatically be upgraded to the new GlobalProtect client when they connect to the upgraded portal.
- NetConnect clients that connect to the upgraded firewall will be upgraded to the GlobalProtect client and the NetConnect client will be removed.


Note: In order for a NetConnect client to upgrade to GlobalProtect, users will need administrative privileges on their system. You can choose to upgrade the client agent transparently, or you can prompt the user. If the Agent Configuration is set to prompt, the user will be prompted to select a 32-bit or 64-bit version of the client. After the GlobalProtect client installs, a VPN connection will be established using the new GlobalProtect client. To control the client install method, go to the WebUI on your firewall, select the Network tab > GlobalProtect, then click your portal name. In the Agent tab, you will see options for the Agent UI, and under Agent Configuration you will see Client Upgrade with options for prompt or transparent. Basic GlobalProtect functionality does not require a license. For additional functionality, the portal license is required for multi-gateway deployment and the gateway subscription license is required for host profiling.

For more information, refer to the GlobalProtect Features section in this release note and the Palo Alto Networks Administrator's Guide.

User-ID Agent Upgrade
After installing PAN-OS 4.1, you will need to perform the following steps before upgrading to the new User-ID Agent. Note: The new 4.1.0 User-ID Agent replaces the old Pan Agent service and User-ID Agent.
1. Add your directory server information in the Device tab > Server Profiles > LDAP configuration.
2. In the Device tab > User Identification > Group Mappings Settings tab, add the LDAP server that you configured in the previous step.
3. Upgrade to the new User-ID Agent.

Associated Software Versions


Software                  Minimum Supported Version with PAN-OS 4.1
Panorama                  4.1.0
User-ID Agent (AD)        3.1.0
User-ID Agent (LDAP)      3.1.0
Terminal Server Agent     3.0.0
NetConnect                1.1.0
GlobalProtect Client      1.0.0


Addressed issues
This section contains addressed issues for this release and earlier releases.

ADDRESSED ISSUES 4.1.6


The following issues have been addressed in the 4.1.6 release:
39853 GlobalProtect client installation file not being downloaded properly to remote access clients. A partial file download occurred, causing installation to fail when the client attempted to install.
39844 IPSec VPN tunnel not coming up when a Palo Alto Networks firewall initiates a connection to a Cisco ASA device.
39769 Performance issues occurring in an active/active configuration due to an issue with session lookup when non-UDP/TCP traffic goes to a closed state.
39721/39603 PA-5000 series devices with inter-VSYS, tunnel, or a shared gateway configured experiencing some traffic loss.
38755 Delayed failover occurring in an HA configuration with active 1GB and 10GB interfaces configured. When both interfaces send an interrupt simultaneously, the process is not handled properly and a delay occurs.

ADDRESSED ISSUES 4.1.5


The following issues have been addressed in the 4.1.5 release:
38598 Fragmented IPv6 frames causing dataplane issues due to buffer problems with this type of traffic.
38494 Performance issue occurring due to the log database becoming full; when space was cleared, traffic was not resumed properly.
38045 A custom report in Panorama that specifies a range of the last 30 days looks fine when generated manually, but the scheduled report sent via email only shows one day. Issue with the web interface, which allowed you to specify a day range even though day ranges were not supported in scheduled reports. Update made to allow day ranges for this type of report generation.
38034 Intermittent commit errors occurring due to the firewall not using memory properly when calculating shadow rules when rules contain a large number of addresses (2000+ in this case).
38010 LDAP bind error occurring in User-ID group mapping when a parenthesis ( is used in any part of the bindDN string, due to this character not being supported. Update made to include all characters that can be used in an LDAP bindDN.
38002 GlobalProtect client configured on an iPad using the native VPN client and connecting to the firewall via IPSec VPN caused dataplane issues when the iPad did multiple successive connects and disconnects.
37970 When the & symbol is used in an Active Directory OU and the AD groups are picked up by the User-ID agent, a malformed error appears when the group is expanded on the firewall. Update made to better handle special characters in the web interface for this type of operation.
37967 PA-4020 pair in HA active/passive mode experienced dataplane issues due to a problem handling oversize packets being sent from certain hosts.
37904 When a firewall managed by Panorama has more than seven virtual systems and you view shared policies for that device in Device Groups, you only see the first seven virtual systems. Update made to show all virtual systems without having to click a More link.
37903 Management server on the firewall stopped responding when threat summary reports and ACC reports were being generated at the same time, causing issues with memory.
37890 Android device using the native VPN client to establish an IPSec VPN to the firewall using PSK auth is causing IKE manager problems because the firewall only supports IKE/XAuth. Although the Android device is not currently supported, updates were made to prevent issues with the IKE manager process in this scenario.
37886 When doing a context switch from Panorama 4.1 to managed devices running 4.0, in some instances policies and objects are not appearing on the managed device. The issue is intermittent, and logging off and back on resolved the problem. Updates made to prevent the session key problems that were occurring.
37671 When an Android device uses its native VPN client to connect to a GlobalProtect gateway using X-Auth and the gateway is configured with a DNS suffix, the suffix is not being picked up when the device establishes a VPN.


37661 Inter-VLAN communication failing due to a problem with ARP not automatically picking up the MAC addresses on interfaces in different VLANs.
37646 The Chrome browser not being detected properly by Captive Portal with NTLM authentication configured.
37608 Threat logs not being forwarded to the syslog server, although other logs worked fine. Issue due to a problem with the log forwarding queue for threat logs.
37465 When upgrading from Panorama 4.0.7 to 4.1.2 and then pushing Anti-spyware and vulnerability profiles to 4.0.7 devices in device groups, the profiles lost the action settings. Issue due to changes made in the action field between the releases; the process to convert the fields did not work properly.
37449 User-ID process causing the management plane to spike due to a conflict with the port used in the User-ID agent XML API configuration.
37076 HA active/passive pair failed due to the PAN-OS web server restarting multiple times. Update put in place to improve visibility of failed processes and to log this type of error as critical.
37008 The display output of the show routing route destination address command is showing incorrect data due to an issue where only the first byte of the IP address was being compared.
36910 Threat prevention stopped working after upgrading from 3.1 to 4.1.2 due to a problem handling profiles that contained exceptions but no rules.
36844 Performance issues are occurring on hosts going through an HA active/active pair in virtual wire mode due to problems handling session synchronization, particularly when the HA2 and HA3 ports were connected using different link speeds.
36831 On PA-5000 Series devices, the traffic log byte counts are showing up as doubled due to an issue with the Netflow counter.
36767 SMTP traffic being misidentified due to an issue with content update 289.
36730 After upgrading an HA active/passive pair from PAN-OS 4.1.1 to 4.1.2, the HA1 and HA2 ports started flapping due to an issue with multicast and layer 2 interfaces.


36663 Android device is able to connect to the GlobalProtect gateway, but when disconnected it cannot reconnect due to a problem with sessions not clearing properly.
36588 Captive portal authentication failing after a commit due to an issue with the firewall not properly decrypting the LDAP bind password.
36423 When configuring a custom log format for Host Information Profile (HIP) match events, the default format is still used. Issue due to a problem with how the custom log configuration was being saved.
36265 When forwarding configuration logs from a device running PAN-OS 3.0 or 3.1 to a Panorama 4.1 device, traffic log files are corrupt due to an issue with compatibility between these releases. Issue was fixed in 4.0 and is now fixed in 4.1.5.
36186 Memory allocation issues caused problems with commits when high levels of SSL traffic traversed the device with SSL decryption enabled.
36148 Problem submitting a virtual router configuration with a large number of static routes when using Firefox over HTTPS. Issue due to Firefox sending larger packet sizes than other browsers, which the firewall could not process because of a limited buffer size.
35812 The option to enable OSPF and RIP on an untagged subinterface was being allowed in the web interface even though this configuration is not supported.
35001 On PA-5000 Series devices, when viewing PDF summary reports the Risk Trend table is empty due to an issue with how this data is aggregated on devices with multiple dataplanes.
34183 Downed L3 aggregate interfaces are still populating routing tables, causing incorrect route updates to occur. Issue due to a problem where aggregated subinterfaces were remaining active.
21247 Slow response (up to 5 minutes) in Panorama when doing a context switch to a managed firewall that is under heavy load, due to an issue caching static device files.

ADDRESSED ISSUES 4.1.4


The following issues have been addressed in this release:
37728 - In an HA active/passive configuration, the dataplane occasionally stopped responding for a few seconds when URL database downloads occur and re-categorization is performed to update the URL DB cache entries. Issue due to a problem with updating the passive device URL cache; an update has been made to only send diffs to the passive device after the DB update.
37563 - When viewing the User-ID Agent or Terminal Services Agent table from the Device > User Identification pages, if more than 40 agents exist, all agents past the 40th item show as offline, even though they are connected. Issue due to a problem with displaying more than 40 agents from the web interface.
37529 - Problem logging the correct email send time for traffic from certain email clients because the + symbol is not used when calculating the time zone offset value. The + symbol has been added to the time zone offset value (example: UTC+09:00). The minus - symbol already existed.
37484 - Firewall experiencing intermittent packet loss with an L2 connected router using virtual MAC addresses. Issue due to a problem where the firewall used the physical MAC of the connected router interface instead of the virtual MAC, which caused ARP issues.
37298 - TCP RST packets sent from servers are being dropped as they traverse the firewall when TCP SYN cookie protection is enabled in a zone protection profile. Update applied to forward TCP RSTs instead of dropping them with this configuration.
37180 - If a security policy name ends with a space, a commit error is generated for that policy. Update applied to trim leading and trailing spaces in policy names.
37095 - When the CLI command clear dhcp lease interface interface-name expired-only is used to clear all expired DHCP leases, active leases were also being cleared.
37091 - In an active/active HA configuration, the active-secondary device is not emailing scheduled reports. Issue due to the fact that report generation and email delivery was not enabled for active-secondary devices in the firewall software.
37005 - When configuring SNMPv3 and entering the Auth Password and then the Priv Password for encryption, the information is not accepted when using the web interface, but the CLI works fine. Web interface updated to fix password verification issues for SNMPv3.
37001 - ARP table size on PA-5050 and PA-5060 devices was only about 20k entries when it should be 32k. Fix applied to increase the table size to 32k.


36977 - Expired DHCP leases are not being cleared properly, and when clearing expired leases manually, all leases are cleared. Updates applied to fix the clear expired lease command, and improvements made to the handling of automatic clearing of expired leases.
36958 - In an HA active/active configuration with an L3 virtual IP configured, when the active-primary is restarted, it becomes the active-secondary. If the new active-primary device is then rebooted and becomes active-secondary, traffic over the VIP is dropped for about 15-30 seconds as it rejoins the cluster. Issue due to incorrect handling of gratuitous ARP requests for the floating IP.
36932 - The test URL command test url-resolve-path <URL> is showing some sites as category unknown, but the test url <URL> command on the same site is fine. Update made so both commands use the Dynamic DB to look up site categorization.
36893 - The show unused rules operation is incorrectly identifying some QoS rules as unused when they are actually in use and configured properly. The CLI operational command does show the correct information, so the issue only occurred when viewing unused rules from the web interface.
36837 - HTTP redirects not working properly when SSL decryption is enabled on the firewall. Issue due to a buffer problem with certificate signing.
36823 - On certain multipurpose sites, where part of a site may contain shopping or auction type information and other sections of the site may contain adult content, URL filtering was not correctly categorizing the adult section. Issue due to cache problems where URL paths and URL directories were not being handled properly, so not all sections of a site were being categorized properly.
36772 - Panorama using admin roles with access domains defined to read attributes from Radius was not correctly restricting permissions to managed device groups. Issue due to a problem where the admin role permissions were not being applied when the remote admin did a context switch to specific devices.
36736 - Radius admin authentication problems occurred in a nested domain configuration because the domain name was not being passed to the Radius server.
36733 - WildFire not uploading files to the WildFire servers due to a corrupt file being stuck in the upload queue, which prevented other files from being uploaded. Update applied to handle corrupt files so the queue will continue processing.


36728 - Problems occurring with the GlobalProtect configuration when a commit is performed and only the Include commit and Object configuration option is selected. Issue due to a problem handling this type of commit when GlobalProtect is configured.
36570 - On a PA-5000 Series device in HA mode, the HA2 data link interface was not working in UDP or IP mode due to an issue with the HA2 ARP resolution messages not being synched properly.
36538 - User-ID agent not able to connect to the firewall for several minutes during long commits due to issues building the application dependency hash table.
36378 - Custom anti-spyware and vulnerability profiles created in Panorama were not migrated properly after upgrading from 4.0 to 4.1.
36351 - Long commit times occurring (10+ minutes) due to an issue handling application groups when large numbers of categories and sub-categories exist in the configuration.
36298 - System log is showing unknown for the event commit installed, when it should show general.
36259 - When downloading files through the firewall from an SSL site with SSL decryption and forward proxy enabled on the firewall, the traffic log is showing double the file size. Issue due to the system adding both the proxy packet byte count and packet count as the total file size.
36091 - Management plane not responding due to a problem with the email log forwarding process failing to deliver logs, causing high memory usage.
36041 - Unable to commit the configuration due to issues with the authentication daemon trying to process group membership updates from the User-ID agent when an authentication profile uses all in the allow list.
35984 - In an HA active/passive configuration, the log indexer was being triggered for regular traffic and threat logs, causing too much memory to be used and then causing a reboot. Updates made to better control the log indexer during heavy traffic loads.
35982 - Not able to commit the configuration due to high memory usage, which causes the commit to time out before it can complete. Issue caused by the firewall not properly handling a 10GbE port that was flapping.


35889 - User-ID not responding due to an issue where the domain name was not being included when the system checked the state of the User-ID agent.
35745 - Receiving a commit error after importing certificates when the expiration date of the certificate is more than 20 years from the current date.
35716 - Receiving a shadow rule warning when adding the service udp-1024-65535 to a group due to an issue where security policy parsing recognizes this as a conflict with all lower rules using UDP and TCP ports.
35667 - PA-5050 with a DC power supply could not commit properly due to issues with the I2C bus.
35656 - Traffic logs were not being collected during heavy loads due to a problem that occurred when threat log forwarding was failing.
35601 - Issue completing downloads of some large applications from an Android device on a wireless network behind a firewall due to issues handling FIN and ACK responses properly.
35352 - On a PA-5000 Series device, sub-interfaces, tunnel, and VLAN interfaces were available for QoS source matching, but these types of interfaces cannot be used in this configuration; only physical Ethernet and aggregate interfaces are allowed.
35258 - When a user account in Active Directory has different values for the userPrincipalName (UPN) and the sAMAccountName, group mapping is not working correctly because the user-to-IP mapping process uses the sAMAccountName and the user-to-group mapping process uses the UPN. Update made so both processes use the sAMAccountName.
34826 - SSL decryption not working after upgrading from 3.1.6 to 4.0.7 due to an issue where traffic was being decrypted that should not have been decrypted, causing the proxy cache to fill up and cause memory issues.
34710 - On a PA-5000 Series device, connections between a host on an L3 interface and a host on an L2 interface are dropping after a commit is initiated. Issue due to MAC/ARP entries not updating properly between dataplanes.
33540 - Not able to select the interface IP address to be used as a floating IP in an HA active/active configuration when the interface IP is behind NAT. Only the translated IP address could be selected. Issue fixed to allow the interface address to be selected.
33502 - When viewing the traffic log from the Monitor tab and setting a refresh of every 10 seconds, then setting it to manual and then to a new refresh interval, the new interval does not take effect. Issue due to a log monitor refresh problem.
32781 - Sending a traceroute to a firewall over a tunnel interface returns 0.0.0.0 when the destination interface does not have an IP address assigned. Issue due to the firewall incorrectly returning ICMP/ICMPv6 error messages when an interface address is not assigned to a tunnel interface on the remote side.


Known Issues
The following lists known unresolved bugs in this release:
35352 QoS profile selection based on source subinterface is not supported on PA-5000 Series devices.
34703 Sub-interfaces in a shared gateway are not being assigned to the correct zone. This results in PBF, NAT, and DoS policies not matching any traffic that is destined for the zone that the sub-interface is in.
33914 In the Network tab under GlobalProtect > Portals/Gateways config windows, there is an IP Address field used for the IP of the interface for the device. You can populate this field by using the drop-down for a statically assigned interface, or leave it blank for a dynamically assigned interface. In the WebUI you cannot click OK to save the config if the IP Address field is blank. Workaround: Use the CLI.
32908 If a client PC uses RDP to connect to a server running remote desktop services and the user logs into the remote server with a different username, when the User-ID agent queries the Active Directory server to gather user-to-IP mapping from the security logs, the second user name will be retrieved. For example, if "UserA" logs into a client PC and then logs into the remote server with "UserB", the security log on the Active Directory server will record UserA, but will then be updated with UserB. The username UserB is then picked up by the User-ID agent for the user-to-IP mapping information, which is not the intended user mapping.
30444 Exported NetFlow data shows incorrect start time for some flows.
21601 NetConnect may not upgrade properly from 1.1.x to 1.2 without clearing the Java cache.
21489 NetConnect will not install with Java 1.5 or earlier. Java 1.6 or later is required.
13391 In some environments, the threat count on the top level of ACC does not match the counts on the lower levels.
10800 Connecting the PA-2000 Series management port to a device that is hard set to full duplex will cause unpredictable behavior on the management port. Always set the port connected to the PA-2000 Series management port to auto-negotiate.
7495 CLI allows the import of more keys than the system can use.
5145 Requesting an App-Scope graph for Source or Destination on a system with a very large number of sources or destinations can take 5-10 minutes to complete.
1985 Using a straight cable between HA2 ports with a high traffic load can lead to packet loss. When connecting HA2, use a crossover Ethernet cable.
1475 Some non-browser-based applications that use SSL do not function well with SSL decryption. If encountered, use an SSL Decryption rule to bypass the decryption function for these servers.
908 LLC SNAP/802.2 packets do not pass through the device.

Documentation Errata
The following lists outstanding issues related to the PAN-OS documentation.
In the PAN-OS Command Line Interface Reference Guide, the syntax given for the set allow-forward-decrypted-content command is not correct. It should be set setting ssl-decrypt allow-forwarded-decrypted-content.
In the PAN-OS Command Line Interface Reference Guide, the definition for strip-x-fwd-for states the following: Set whether to strip x-forwarded-for in the http header. To clarify, only the x-forwarded-for value is stripped. The firewall zeroes out the header value before forwarding the request, and the forwarded packets do not contain internal source IP information.
In the Palo Alto Networks Administrator's Guide, in the Panorama Overview section, it states the following: You can install Panorama on VMware Server or VMware ESX(i) 4.x or 3.5. This should state that you can install Panorama on VMware Server or VMware ESX(i) 3.5 or later.
In the Palo Alto Networks Administrator's Guide on page 214 under Captive Portals, it states the following: Captive portal rules work only for HTTP web traffic. As of this release (4.1), Captive Portal supports HTTP and HTTPS web traffic.
In the Palo Alto Networks Administrator's Guide, the definition of Preemption Hold Time incorrectly states that the value that can be set is 1-60000 ms; the correct range is 1-60 minutes and the default is 1 minute.
NAT traversal (NAT-T) is now supported for site-to-site tunnels in release 4.1.0, but was not mentioned in the 4.1.0 feature list of the release note.
The following debug commands are no longer available in this release and should have been removed from the Command Line Interface Reference Guide:
o debug device-server dump ts-agent
o debug device-server dump user-group
o debug device-server dump userid-agent
In the PAN-OS Command Line Interface Reference Guide for release 4.1, the request tech-support command states that the Required Privilege Level is superuser, vsysadmin, deviceadmin. It should only state that a superuser can perform this operation.
This is not an error in the documentation, but additional information related to OSPF that should have been mentioned in the Administrator's Guide. PAN-OS uses a classification mechanism that assigns all multicast and broadcast packets to the base interface, so these packets cannot be assigned to a subinterface. Due to this process and the fact that OSPF uses multicast, OSPF is not supported on untagged subinterfaces.


Related Documentation
The following additional documentation is provided:
Administrator's Guide: Describes how to administer the Palo Alto Networks firewall using the device's web interface. The guide is intended for system administrators responsible for deploying, operating, and maintaining the firewall.
PAN-OS Command Line Interface Reference Guide: Detailed reference explaining how to access and use the command line interface (CLI) on the firewall.
Hardware Reference Guides: Detailed reference containing the specifics of the various hardware platforms, including specifications, LED behaviors, and installation procedures.
Online Help System: Detailed, context-sensitive help system integrated with the firewall's web interface.

Requesting Support
For technical support, call 1-866-898-9087 or send email to support@paloaltonetworks.com.
© 2012, Palo Alto Networks. All rights reserved. PAN-OS and Palo Alto Networks are either trademarks or trade names of Palo Alto Networks. All other trademarks are the property of their respective owners.
