Of course there are known issues in 3.1.4 too; check that document. Some of these probably impact you.
Addressed Issues in 3.1.4.
The following issues have been addressed in this release:
•  PA-2000 series devices may become unresponsive.
•  An admin with the device administrator role cannot create local users.
•  URL category does not show up properly when logs are forwarded via syslog or
•  If errors occur when generating a certificate in the UI, the window must be closed
and reopened to correct the issues and regenerate.
•  Changing the continue timeout in a URL profile does not immediately take effect.
•  An imported inbound inspection certificate with a long name cannot be
•  After a factory-reset, the default web certificate uses SHA256 which is not
compatible with Internet Explorer.
•  System instability may occur in some environments where a high volume of
Skype or P2P traffic is present.
•  In some cases, when doing inbound SSL decryption the eicar virus may not be
•  Deleting the reports that have been run for custom reports with spaces in the
name will fail.
•  If configuration synchronization between HA peers takes longer than 30 seconds
then synchronization will fail and the passive device will incorrectly indicate that
configuration is in sync.
•  The IKE dead-peer detection mechanism may inappropriately detect failure,
causing tunnel connections to fail.
PAN-OS Release Notes, Version 3.1.4 rev A
•  Default route metrics are advertised incorrectly in OSPF stub networks.
•  The auto-commit process after bootup may fail when large certificates are present
in the configuration.
•  The source address portion of an application override rule does not take effect.
•  Users that get locked out of an SSL-VPN do not get displayed as locked.
•  When a commit is performed where the only change is to the management proxy
settings, the dataplane will restart.
•  When the dynamic URL categorization server is not reachable, all requests
needing cloud-based categorization will be delayed.
•  Read-only super users cannot access data filtering captures.
•  Only 10 QoS rules can be configured on a PA-500 device.
•  When using a single address object in an address group in the source translation
field of a NAT rule, the resulting source address is 0.0.0.0.
•  BrightCloud database updates fail when traversing a proxy.
•  Next-hop monitoring with policy-based forwarding does not function properly
when using VLAN interfaces.
•  Custom applications cannot be created with Panorama.
•  The system may improperly classify FTP traffic within a proxy session. Session
statistics for these sessions may also be incorrect. These two issues are addressed.
However, FTP data sessions within proxy tunnels will show up as unknown.
•  Occasionally user to IP mapping is corrupted and users are unnecessarily
presented with a captive portal login page.
•  Content updates may be partially synced to an HA peer even when syncing is
disabled, causing unpredictable content versions on the peer.
•  The text/html filetype inappropriately appears as a valid filetype within Panorama
when configuring file blocking profiles.
•  When creating a log forwarding profile with Panorama, the setting for
forwarding critical severity threat logs is not saved even though it was selected.
•  DHCP clients that request lease times longer than the configured maximum are
granted those times.
•  The system is not able to properly identify SNMP sessions when an SNMP
response is fragmented into more than 3 fragments.
•  The request private-data-reset command clears out antivirus signatures even
though content updates are intended to remain.
•  URL admin override functionality does not work properly when a certificate is
•  Custom URL categories starting with a numeral do not show up properly in the
•  HTTP long chunk responses trigger anomalous threat detections.
•  Probability of a passive device incorrectly becoming active is increased during a
URL database update.
•  SSL-VPN users are not able to successfully authenticate via RADIUS in some
•  The port field of a service object is limited to 63 characters.
•  The system incorrectly discards lone IPv6 fragments.
•  System may be unable to correctly present block pages when blocked requests
exceed 100 pages per second.
•  SSL inbound inspection may fail when active SSL flows to the server exceeds
•  In some environments session rematch on a PA-4000 does not properly remove
sessions when a policy is changed and committed.