PAN-OS 12.1.4 Addressed Issues

PAN-OS® 12.1.4 addressed issues.
Issue ID
Description
PAN-305480
Fixed an issue where the pan_task process stopped responding while processing DoH JSON format traffic with DoH Security enabled, which caused missing cross-packet bytes in the decoded DNS query type field, and the dataplane went down.
PAN-305151
Fixed an issue where the configuration was not updated on the AI Firewall in AWS after a successful configuration push from Strata Cloud Manager (SCM).
PAN-304195
Fixed an issue on the firewall where performing a private data reset caused device telemetry to stop working. This issue also occurred after performing a factory reset and then running the CLI command set system ztp disable.
PAN-304075
Fixed an issue where the firewall did not detect evasions due to TCP checksum offloading not being enabled.
PAN-303836
Resolved an issue in which intermittent session-table resets on the AIRS VM triggered packet drops, leading to packet loss in egress response traffic.
PAN-303700
Fixed an issue where GlobalProtect users were incorrectly dropped by the default Security policy rule after upgrading to PAN-OS 12.1.2 when IPv6 firewalling was disabled. This occurred due to policy rules configured with geographic regions matching traffic incorrectly.
PAN-303559
Fixed an issue where, after manually creating a device telemetry bundle, the hour_cli_output.txt file within the bundle had a file size of 0 bytes. This occurred when checking the bundle content after enabling device telemetry and setting the device telemetry upload endpoint.
PAN-302908
Fixed an issue where the firewall did not forward STP frames on Layer 2 VLAN interfaces, which prevented the construction of loop-free topologies with connected switches.
PAN-301801
Fixed an issue on Log Collectors where the Elasticsearch process fluctuated intermittently between green and red states, which led to interruptions in log collection. This issue occurred when the number of shards exceeded the cluster's maximum supported threshold of greater than 1000 shards per Elasticsearch instance.
PAN-301496
Fixed an issue where the DNS cache capacity was insufficient for environments with a large number of FQDN address objects, which caused the firewall to repeatedly send DNS requests for the same FQDN objects even after it received valid responses.
PAN-300837
Fixed an issue where firewalls experienced multiple reboots due to the pan_task process restarting with a SIGSEGV signal. This occurred because the client-to-firewall side assumed TLS 1.3 for the firewall-server side.
PAN-300372
(Panorama virtual appliances only) Fixed an issue where maintenance mode was not accessible to do Factory Reset or switch to FIPSCC mode.
PAN-300096
Fixed an issue where a local commit on a firewall broke template stack overrides, preventing the enabling of LACP (Link Aggregation Control Protocol). After a local commit, the LACP enable check was unexpectedly unchecked, causing an outage. Attempting to re-enable LACP through the web interface was unsuccessful, requiring manual removal of the LACP configuration from the Panorama CLI.
PAN-299815
Fixed an issue on multi-vsys firewalls where a host was not removed from the quarantine list after receiving a redistribution message from Panorama. This occurred when Panorama was configured to redistribute quarantine messages to a firewall cluster, and the GlobalProtect configuration and redistribution were built out in a vsys other than vsys1.
PAN-299678
Fixed an issue where the firewall repeatedly rebooted when downgrading to an affected release.
PAN-299193
Fixed an issue on the firewall where, after upgrading, autocommits repeatedly failed until after a second reboot due to a timing issue between content loading on the management plane card (MPC) and the log receiver startup.
PAN-298684
Fixed an issue where an Application Override policy rule was not applied using an IPv4 source IP address with IPv6 enabled and Network > Zones > Pre-NAT Identification enabled.
PAN-298654
Fixed an issue where the firewall generated false positive threat logs during updates to a large domain list (EDL) when a DNS lookup for a domain being added or removed occurred during the update process. This resulted in a threat log being generated for a different, unrelated domain that remained on the list.
PAN-298514
Fixed an issue where WildFire clusters operating in FIPS-CC mode were not supported in earlier PAN-OS 12.1 releases.
PAN-297972
Fixed an issue where a dataplane crash occurred when traffic matched Inline Cloud Analysis prefiltering signatures, even when Inline Cloud Analysis features were not enabled.
PAN-297797
Fixed an issue where, during a refresh of a large External Dynamic List (EDL), traffic that matched a domain on the list was incorrectly identified as a different domain, which resulted in false positive threat logs.
PAN-297708
Fixed an issue where a long-lived session with many Machine Learning (ML) model triggers caused a memory leak of feature states associated with the ML model runs. This resulted in Spyware_State failure increases, allocation max outs, and impaired policy matching.
PAN-297005
Fixed an issue where exporting custom reports resulted in empty CSV files.
PAN-296635
Fixed an issue where the reportd process on passive Panorama management servers leaked memory due to scheduled report handling from the Strata Logging Service (SLS). This memory leak occurred daily, consuming available memory until the process was restarted.
PAN-296478
Fixed an issue where, after upgrading to PAN-OS 10.2.13-h10, GlobalProtect Clientless VPN on PA-3250 firewalls failed to execute JavaScript links, resulting in an authorization error. This occurred because the firewall was incorrectly injecting text into URLs when JavaScript buttons or dropdown menus were clicked within the Clientless VPN portal.
PAN-296453
Fixed an issue where decryption exclusion lists were not working for untrusted certificates, and SSL sessions were still being decrypted even after adding them to the exclusion list. This occurred because the firewall was not adding sessions to the exclude cache until after receiving a non-RFC alert (BadCertificate) from the server. The fix ensures that the first session is added to the exclude cache, allowing subsequent sessions to skip decryption. This issue affects firewalls configured as clients in server-client communication.
PAN-296202
(Firewalls in active/active HA configurations only) Fixed an issue where, when a commit operation was in progress, newly deployed IP address tags that used the XML API were not immediately reflected in address group resolution, which delayed IP address mapping to address groups and caused traffic to be incorrectly allowed or denied.
PAN-295221
Fixed an issue where, after upgrading Panorama and Log Collectors from PAN-OS 10.2.9 to PAN-OS 11.1.6-h6, Traffic and Threat logs were not forwarded to a Splunk server over UDP.
PAN-292393
Fixed an issue where TFTP file transfers intermittently timed out in active-active HA pairs when the TFTP control channel was processed by one firewall and the data channel was processed by the other. This occurred because the firewall receiving the data channel failed to match the predicted session due to asynchronous processing of HA messages.
PAN-291716
Fixed an issue where during a commit, the firewall experienced an out-of-memory (OOM) condition due to a memory leak and displayed an error message. This issue caused the device to stop responding and reboot unexpectedly.
PAN-291661
Fixed an issue on Panorama appliances and Log Collectors where, after an upgrade, Elasticsearch intermittently entered into a Red state before automatically recovering.
PAN-290665
Fixed an issue with firewalls enabled with Security profiles where certain traffic conditions caused high dataplane CPU utilization and packet buffer exhaustion, which caused LACP flapping conditions.
PAN-290640
(VM-Series firewalls on Microsoft Azure environments in HA configurations only) Fixed an issue where, when an interface was configured with IPv6, the firewall displayed the message Unknown error during validation after the client secret expired, which caused DNS resolution to fail when resolving FQDNs and HA failovers to occur.
PAN-290453
Fixed an issue where PA-7500 firewalls experienced silent traffic drops. During migration from PA-7050 to PA-7500 firewalls connected in series, intermittent connection losses occurred for some applications. Traffic leaving the PA-7050 was not received or processed by the PA-7500, even with direct connections and replaced cables/SFPs. Global counters did not indicate any drops on the PA-7500.
PAN-288598
Fixed an issue where Panorama exported the serial number of a managed collector instead of the collector name when exporting a PDF or CSV file.
PAN-287387
Fixed an issue on Panorama where API jobs failed with the error message Server error: Timed out while getting config lock. This occurred due to slow set request performance when setting a large number of address objects in a single set call.
PAN-282640
Fixed an issue where custom reports showed incomplete data when exported in CSV format from Panorama.
PAN-274333
Fixed an issue where the Logging Service License Status displayed as red even though a valid license was installed on the firewall.
PAN-262353
Fixed an issue where, when Panorama was upgraded but log collectors were on an earlier version, logs from a log collector group were not viewable on a Panorama.