Fixed an issue where establishing log forwarding connections to the Strata Logging Service (SLS) took longer than expected, which resulted in delayed log visibility on SLS.

VM-Series firewalls only) Fixed an issue where the dataplane restarted due to a segmentation fault.

Fixed an issue where the firewalls restarted due to a function lacking a NULL-pointer sanity check.

Fixed an issue where autocommits failed after an upgrade due to configuration memory allocation issues and 100% policy rule cache usage when both DNS Rewrite and URL Custom Category Match were configured.

Fixed an issue where config-lock was not displayed on the web interface.

Fixed an issue where, when the request shutdown system CLI command was executed, the firewall experienced a kernel panic and automatically rebooted instead of shutting down.

(Panorama managed firewalls in HA configurations only) Fixed an issue where firewalls incorrectly updated the modified date and MD5 hash of policy rules during an HA sync commit job or a subsequent local commit, even when no changes were made to the policy rules.

Fixed an issue on Panorama where, while configuring an an Application Filter with Generative AI tags, the web interface did not retain application exclusions that were added across multiple pages until you clicked OK.

Fixed an issue where SNMP returned an incorrect down status for HSCI and logging interfaces even when the interfaces were up, and counters for the interfaces displayed only zero values.

Fixed an issue where IPv6 Routed HA did not function correctly when the HA1 (control link) was configured with an IPv6 routed connection.

(VM-Series firewalls only) Fixed an issue where files from SSL decrypted sessions were incorrectly forwarded to the WildFire cloud for analysis even when Allow Forwarding of Decryption Content was disabled.

Fixed an issue where on PA-5420 firewalls, configuring security rules with a number of static IMSI/IMEI/NSSAI entries exceeding 5,000 resulted in a commit failure. This occurred because the firewall incorrectly reported the maximum supported static IMSI/IMEI/NSSAI IDs as 5,000 (as seen in the cfg.mobile-nw-id.max-static-entries system state variable), instead of the documented limit of 100,000 for the platform.

Fixed an issue where the scroll bar did not appear when editing Destination Addresses for Policy Based forwarding policy rules.

Fixed an issue where the logrcvr process stopped responding on DPCs, which prevented logs from being forwarded.

Fixed an issue where you were unable to delete a HIP object with OR in the name, even though you were able to successfully create and commit the object.

Fixed an issue where log ingestion stopped on the Elasticsearch cluster when the number of open shards was significantly higher than the number of data nodes.

(Panorama appliances only) Fixed an issue where traffic log queries using the device_name filter returned no results, and complex log queries that included negation operators produced incorrect outputs.

Fixed an issue on Prisma Access Remote Network firewalls where high CPU utilization caused slowness and command timeouts.

Fixed an issue where the Elasticsearch Close Indices process closed more indices than expected and dropped the number of open shards below the minimum of 800 per Elasticsearch instance. This occurred because the process did not correctly account for the number of Elasticsearch instances when calculating the maximum number of allowed open shards.

Fixed an issue where traffic was blocked due to a mismatch between the URL category specified in the Security policy rule and the URL filter profile when custom URL categories with the same FQDN were configured.

Fixed an issue where, when you selected a signature policy rule in the Anti-Spyware profile and clicked Find Matching Signatures, the automatically created filter was incorrect and prevented matching signatures from being displayed.

Fixed an issue where, after a successful commit and push from Panorama, the management interface SSH profile configuration was missing or empty on Log Collectors.

(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where, after resizing the VM, the HA2 link became unstable. Frequent keep-alive failures occurred, and HA2 keep-alive packets were simultaneously transmitted to multiple destination MAC addresses and the peer firewall's interface MAC). This issue occurred on firewalls with Accelerated Networking enabled.

(Firewalls in active/active HA configurations only) Fixed an issue where the BFD session went down and did not recover even though the BGP remained in an established state, which caused the firewall to cease route learning and advertisement with the peer, even though BGP keep-alives were exchanged correctly.

Fixed an issue where a leak in decryption counters caused resource exhaustion, which led to a GlobalProtect service outage.

Fixed an issue where, after replacing the MPC (Management Processor Card) on a firewall, the logdb process incorrectly wrote logs to the root partition instead of the /opt/panlogs partition, which led to high root partition usage and a non-functional state.

Fixed an issue where Panorama incorrectly generated system logs indicating a lost connection to its peer after an upgrade even when High Availability was not configured.

Fixed an issue on Panorama where enabling Post-Quantum Pre-Shared Key (PPK) within an IKE Gateway profile that was configured as a part of a template stack failed or was inconsistent when attempted via the web interface, even when the keys were properly configured.

VM-Series firewalls only) Fixed an issue where insufficient i-node space was available on the sysroot0 partition.

(Firewalls in HA configurations only) Fixed an issue where traffic passing through AE layer 2 interfaces was interrupted during HA failovers.

Fixed an issue where BGP peering sessions between a hub firewall and a satellite firewall over GlobalProtect LSVPN failed to connect.

Fixed a commit failure issue that occurred after migrating from Legacy to Advanced routing on firewalls where an OSPF authentication profile was configured to use a 16-character MD5 key with key-ID 10.

Fixed an issue for Panorama management servers where commit push failed when customer_info status was a failure received from the orchestrator, which prevented the system from processing and validating the specified telemetry region correctly during the commit.

Fixed an issue where SNMP interface speed reporting incorrectly identified 5Gbps interfaces as 1Gbps interfaces during an SNMP walk.

Fixed an issue where static DNS entries that were configured on the firewall failed to resolve for client machines when DNS over TLS (DoT) was enabled on the firewall DNS proxy for both client and server settings.

Fixed an issue where traffic was unexpectedly blocked due to a misconfiguration with an empty or invalid application filter. The firewall incorrectly interpreted the empty filter as match all cloud-apps, which caused the traffic to be denied.

Fixed an issue on the firewall where, after upgrading, the system log displayed the error message Last config fetch FAILED. A commit is required for userid functionality to work.

Fixed an issue where the root partition on the firewall or Panorama management server filled up due to a file leak in the logging process.

Fixed an issue where the firewall stopped responding, which led to service outages.

(VM-Series firewalls on AWS environments only) Fixed an issue where, after upgrading the firewall to an affected release, GlobalProtect clients did not connect with IPSec and instead connected using SSL due to traffic flow being disabled when checking for health check packets.

Fixed an issue where the TLS handshake did not complete and the session did not go through. This occurred if the HTTP header insertion applied to an HTTP CONNECT request passing through the firewall, the scan-handshake feature was enabled, the session matched a decryption policy rule with the decrypt action, and if the TLS client hello was in a single packet and TLS 1.2 or below.

Fixed an issue on the firewall where the sslmgr process memory utilization continually increased due to memory fragmentation.

Fixed an issue where creating device groups in bulk via XML API took significantly more time and the web interface stopped responding.

(PA-3400 and PA-5400 Series firewalls only) Fixed an issue where the firewall dataplane frequently restarted when lockless QoS was enabled

Fixed an issue on Panorama where the CLI output for the running configuration intermittently inserted set template stack commands within certificate hash data.

Fixed an issue on the firewall where the output of the CLI commands show running persistent-dipp-client pool and show running persistent-dipp-pool ip-utilization displayed incorrect information or errors. This occurred due to the command output including data from the network control dataplane.

Fixed an issue where firewalls with Memory Integrity Checking Architecture enabled rebooted unexpectedly due to accessing an invalid memory address. This occurred because the forwarding data structure index exceeded its designed limit.

Fixed an issue where GlobalProtect gateway authentication failed due to the firewall incorrectly bypassing SAML.

Fixed an issue where LSVPN (Large Scale VPN) satellites failed to authenticate to the gateway because the portal was providing a zeroized certificate.

Fixed an issue where DLP logs displayed an incorrect file type when the firewall did not set the file type field.

Fixed an issue where the firewall's service route functionality was impacted due to a missing service route support code.

Fixed an issue where Panorama was unable to forward logs to a syslog server over TLSv1.3 when configured with SSL on a custom port. The connection was established, but logs were not forwarded due to a failure in the CRL check.

Fixed an issue on the web interface where checkboxes displayed as text fields for Post-Quantum Cryptography (PQC) settings and Preferred Session Settings, which prevented users from enabling PQC features via the web interface.

Fixed an issue where the Logging Service License Status displayed a license failure when the license status transitioned from valid to expired and then back to valid even when the connection to the Security Logging Service (SLS) was working.

Fixed an issue where, after creating a logical interface with an assigned IP address and adding it to a virtual router, the connected route for the interface did not appear in the show routing route CLI command output. This occurred even when the interface was up and learning ARP entries.

Fixed an issue on Panorama where the first letter of a custom URL category was not displayed in generated reports.

Fixed an issue where the timing of GlobalProtect lifetime expiry or inactivity logout notifications used for GlobalProtect SSL tunnels could cause the pan_task process to stop responding and the dataplane to restart.

Fixed an issue where TLS connections failed to establish in asymmetric routing environments if the Client Hello was split into multiple segments and arrived out of order.

Fixed an issue where commits involving routing related network configuration changes experienced slower than usual completion times or remaining at 20% completion.

Fixed an issue where multiple firewalls experienced high management CPU utilization after upgrading to an affected release due to repeated index regeneration occurring every 15 minutes, which caused periodic CPU spikes above 90%.

Fixed an issue on Panorama where, after you disabled the shared optimization feature, a full configuration push to multi-vsys devices caused a validation error.

(Panorama appliances and Panorama virtual appliances only) Fixed an issue where the configd process restarted when committing and pushing configuration for a new WildFire cluster.

Fixed an issue where the Cloud User-ID connection timed out because the firewall took too long to process the OCSP response.

Fixed an issue where BGP aggregate routes were not created and discard routes were not installed in the routing table.

Fixed an issue where the firewall entered a non-functional state due to segmentation fault within the all_pktproc process that was caused by a session that involved http2 cleartext traffic

Fixed an issue where traffic logs did not populate the Source EDL or Destination EDL fields when traffic matched a Security policy rule that used predefined external dynamic lists.

Fixed an issue where, after unregistering an IP tag and registering a different IP tag for the same IP address via XML API, the dynamic address group membership was not updated on the dataplane, which resulted in Security policy rules being enforced incorrectly.

Fixed an issue on the web interface where you were unable to test the SCP server connection for Scheduled Log Exports, and the error message key is invalid was displayed.

Fixed an issue on the Panorama web interface where you were unable to disable Lifesize (Templates > Network > Network Profiles > IPSec Crypto).

Fixed an issue on Panorama where, after upgrading to an affected release, a partial commit via the API did not push configuration changes to managed firewalls, and a full commit was required to synchronize the configuration.

Fixed an issue where the web interface became unresponsive when you attempted to modify Security policy rule items if the source-hip or destination-hip settings were not already configured, and the web interface did not display a relevant error message.

Fixed an issue where a large number of GlobalProtect users experienced failed gateway pre-logins with the error Failed to create SAML SSO request during peak login times.

Fixed an issue where traffic was incorrectly identified as unknown-tcp/unknown-udp due to App-ID resource leak and eventually dropped.

Fixed an issue where, when configuring Safenet HSMs in HA and authentication HSM manually, the second HSM server failed to authenticate due to the firewall overwriting the first HSM server's certificate with the second HSM server's certificate.

Fixed an issue where intermittent session-table resets on the AIRS VM triggered packet drops, which led to packet loss in egress response traffic.

Fixed an issue where Panorama and managed devices incorrectly displayed warning messages that indicated that an Advanced DNS Security license and an Advanced Threat Prevention license were required, even when a traditional DNS Security license was installed.

Fixed an issue where configuring a service route on a loopback interface caused intermittent connectivity issues and disrupted traffic due to the firewall being unable to resolve domain names.

Fixed an issue where inter-dataplane forwarding did not work for sessions ingressing on Slot 2, which resulted in intermittent ping failures to interfaces on Network Card 2 when traffic was forwarded to Slot 3.

Note: With this fix, after a slot restart, the global counter will still show dot1q errors for a short period.

Fixed an issue where XML API commands failed with a Method not found (policy_xml) error in dagger.log. The issue was due to session-distribution commands in dagger files handling.

Fixed an issue on the firewall where configuring spyware and vulnerability profiles in Security policy rules caused a memory leak in the devsrvr process with each configuration commit.

Fixed an issue where GlobalProtect users were incorrectly dropped by the default Security policy rule after upgrading to PAN-OS 12.1.2 when IPv6 firewalling was disabled. This occurred due to policy rules configured with geographic regions matching traffic incorrectly.

Fixed an issue on the firewall where SolarWinds monitoring systems reported 100% usage for Slot1 Data Processor-0 Hardware Packet Buffers due to an inaccurate reported packet buffer.

Fixed an issue where PA-455 firewalls running PAN-OS 11.2.4-h7 intermittently failed to generate system logs and trigger an HA failover when a link-monitored interface was unplugged, despite the interface's status being reflected as down on the GUI.

Fixed an issue where, after committing a configuration change, the firewall experienced traffic issues, pan_task crashes, and LACP interface failures.

Fixed an issue where Panorama appliances in FIPS-CC mode did not push the configured values for max-session-count and max-session-time to managed firewalls that were not in FIPS mode.

Fixed an issue on the firewall where the DNS cache capacity was set to an incorrect value, which caused the firewall to repeatedly send DNS requests for FQDN objects even after receiving valid responses. This resulted in the firewall not storing DNS responses in the cache for more than 10-15 seconds despite the minimum FQDN refresh interval being set to a higher value.

Fixed an issue where the show system resources CLI command displayed incorrect CPU usage values that did not add up to 100%.

Fixed an issue where the session timer for a custom application did not transition from the initial 3-way handshake timer to the application timeout when out-of-order 3-way handshake packets were detected.

Fixed an issue where, when a new tunnel interface was added to PIM (Network > Logical Router > multicast > pim > interfaces), commits were successful, but the new tunnel interface was not successfully added under PIM.

Fixed an issue on Panorama where a memory leak occurred related to the reportd process due to retaining memory that was temporarily used for report generation instead of releasing the memory for reuse, which resulted in continuous accumulation and memory exhaustion.

Fixed an issue where, after committing changes on Panorama, a shared post-rule moved to the end of the post shared rulebase on the managed device instead of remaining at the top.

Fixed an issue where the set auth radius-require-msg-authentic yes and show auth radius-require-msg-authentic CLI commands were unavailable on Log Collectors.

Fixed an issue where the firewall did not forward STP frames on Layer 2 VLAN interfaces, which prevented the construction of loop-free topologies with connected switches.

Fixed an issue where Panorama did not display decryption logs after a certain date due to the decryption index being purged.

(Firewalls in HA configurations only) Fixed an issue where network traffic was disrupted due to the all_pktproc process repeatedly restarting, which caused an HA failover.

Fixed an issue where, with Sender Side Loop Detection enabled, BGP WITHDRAWAL updates were not sent to peers after a route was removed, which caused stale routes to persist in the BGP table of neighboring firewalls.

Fixed an issue where API key generation failed after renewing an expired API certificate, and the system continued to use the expired certificate.

Fixed an issue where firewalls incorrectly returned the message API Error: Success with the error code 403 instead of the correct message API Error: Invalid Credential, when Cisco-ISE server is being used for MSCHAP-PEAP Radius auth.

Fixed an issue on the firewall where a path monitoring failure occurred and caused the dataplane to restart.

Fixed an issue where the firewall displayed as disconnected in the SLS due to the serial number not being retrieved

Fixed an issue where the firewall rebooted unexpectedly due to a missed null pointer check when certification verification was enabled in a no-decrypt case. This occurred when either block sessions with untrusted issuers or block sessions with expired certificates was enabled in the decryption profile.

Fixed an issue on Panorama where daily scheduled report emails for custom reports were delivered with no content and instead incorrectly displayed the message No matching data found. With this fix, the content is displayed correctly.

Fixed an issue where on PA-7500 firewalls, SNMP incorrectly reported the administrative and operational status of High Speed Chassis Interconnect (HSCI) interfaces and the operational status of logging interfaces as down, even when the interfaces were physically up. Additionally, interface counters for these interfaces displayed all zeroes.

Fixed an issue where the web interface made calls to retrieve cloud authentication service regions even when creating a non-cloud authentication service profile.

Fixed an issue where the dataplane stopped responding when cleaning up expired sessions currently in MICA ATP hold mode.

(Firewalls in active/active HA configurations only) Fixed an issue where adding a 26th floating IP address to an aggregate ethernet interface in one vsys caused IPSec tunnels on another vsys to stop working due to rekeying. This occurred due to the routed process not detecting the unchanged virtual address, uninstalling it, and then reinstalling it, which ended the ikemgr connection on the virtual address.

Fixed an issue where network values were not displayed in Panorama with the error message There is no value for the selected item. This was due to the device group passing vsysName in Panorama.

Fixed an issue on Panorama where the override icon in Agent Config did not change to the revert icon after reverting a configuration change in a template-stack.

(Firewalls in HA configurations only) Fixed an issue where the passive firewall incorrectly triggered PBP alerts even with low packet rates.

Fixed an issue on Panorama where enabling Advanced Routing in a template did not work.

Fixed an issue where Panorama stopped responding when deploying dynamic updates to managed devices.

Fixed an issue where websites were incorrectly categorized with high severity alerts (Monitoring > URL Filtering) even though they were assessed as low risk. This occurred due to session information being unavailable during logging.

Fixed an issue where the show cloud-auth-service-regions CLI command took longer than expected to complete due to timeouts while fetching Cloud Authentication Service (CAS) regions.

Fixed an issue where BGP stopped responding with the error message Too many open files when pushing 1000 eBGP (External BGP) neighbor configurations. With this fix, the number of file descriptors for the BGP process is increased from 1024 to 8192.

Fixed an issue where DNS traffic sessions prematurely terminated with the message resources-unavailable. This occurred due to IPv4 fragmented DNS responses causing the Advanced DNS Security module to incorrectly pack the DNS payload multiple times when forwarding to the cloud for inspection.

Fixed an issue on the firewall where, after upgrading Panorama, OSPF adjacencies remained in the exchange start state, which resulted in an incomplete routing table.

Fixed an issue where the DNS cache capacity was insufficient for environments with a large number of FQDN address objects, which caused the firewall to repeatedly send DNS requests for the same FQDN objects even after it received valid responses.

Fixed an issue on Panorama where the debug system reset-ztp CLI command was unavailable.

Fixed an issue where the web server did not specify the content type in the header for font files, which could allow a browser to misinterpret the content and potentially lead to cross-site scripting (XSS) vulnerabilities.

Fixed an issue where Panorama failed to perform a selective push to a managed device when device tags were added or modified on the policy rules. The selective push failed with the error message Failed to generate selective push configuration. Schema validation failed. Please try a full push.

Fixed an issue where BFD echo packets were dropped on Vwire interfaces due to being incorrectly detected as a land attack when the source and destination ports of the BFD packets were different.

(Firewalls in HA configurations only) Fixed an issue where the all_task process stopped responding and caused the passive firewall to reboot.

Fixed an issue on the Panorama web interface where a custom administrator with device group and template permissions was unable to upgrade devices to non-preferred releases due to the options to uncheck base and preferred releases not being displayed.

Fixed an issue where DNS Security logs incorrectly displayed a sinkhole action for benign DNS categories due to the firewall saving the drop or sinkhole action in session flags without discarding the session.

Fixed an issue on the Panorama web interface where Enable pushing device monitoring data to Panorama was always checked, regardless of the actual configuration.

Fixed an issue where the XML API returned the error Access to this vsys is unauthorized when generating a report for a specific vsys, even when the administrator had access to that vsys. This was due to the API session not correctly populating the vsysvector field with the user's allowed vsys.

Fixed an issue where Kubernetes pod health checks failed when the pan-fw annotation was added. When the annotation was present, health check traffic from the host's public IP address range to the pod CIDR range was tunneled to the firewall by the pan-cni, which resulted in asymmetric flows and no response from the pod endpoints.

Fixed an issue on Panorama where API queries for correlated category logs incorrectly returned a count of 0.

Fixed an issue where the syslog connection was handled by the syslog forwarding thread.

Fixed an issue where Panorama management servers failed to forward syslog messages via TLS to a syslog server when DNS resolution for IPv6 addresses failed, and the system did not automatically fall back to IPv4.

Fixed an issue where XML API commands failed with a Method not found (policy_xml) error in dagger.log. The issue was due to missing XML-related functions for inline-cloud-proxy.

Fixed an issue where traffic reports that were generated with destination/source and destination/source hostnames were not displayed in IPv4 format.

Fixed an issue on the Panorama and firewall web interface where Applications pages became unresponsive after activating the SaaS Inline license.

(VM-Series firewalls only) Fixed an issue where the firewall stopped responding due to an out-of-bounds read when parsing TLS 1.3 clientHello messages with large TLS clientHello extensions where the supported_versions extension fell outside the first TCP segment.

(VM-Series firewalls on Microsoft Azure environments only) Fixed an issue where the firewall unexpectedly rebooted due to repeated varrcvr process restarts.

Fixed an issue where the Elasticsearch cluster status displayed as red due to unassigned shards, which prevented logs from updating.

(PA-7500 firewalls only) Fixed an issue where the firewall incorrectly reported the speed of 400G interfaces as 1G when queried using SNMP

(Firewalls in HA configurations only) Fixed an issue where the HA1-A interface reported an incorrect SNMP down value even when the interface was physically up on the active firewall.

Fixed an issue where using the IKEv2 multiplier setting for VPN re-authentication resulted in the firewall not re-authenticating at the expected intervals when both sides initiated rekeying. The internal re-authentication counter incremented when the local side triggered the rekey, but not when the peer side triggered it.

Fixed an issue where Data Processing Cards (DPCs) installed in slots 5 and 6 remained stuck in a starting state with the error Signal detected for port xeS5-DP0 but Link Down alerts, which resulted in device instability.

Fixed an issue where, on firewalls configured as an Area Border Router (ABR) with a backbone area (0.0.0.0) and a stub area, external Type-5 Link State Advertisement (LSA) routes were not installed in the routing table.

Fixed an issue where the firewall dropped packets due to the incoming flow being hashed to a flow bucket that was full.

Fixed an issue where, when SD-WAN Direct Internet Access was configured and traffic traversed the cellular interface without a NAT policy rule, intermittent cellular modem connectivity issues occurred, which caused the firewall to disconnect and reconnect to the cellular network.

To use this fix, run the CLI command set session teardown-upon-fwd-zonechange yes.

Fixed an issue where the GlobalProtect portal exposed the internal IP address of the gateway when accessed via the SAML20/SP/ACS endpoint.

Fixed an issue where DNS queries stalled or repeatedly time out due to multiple DNS responses with different CNAME values causing evasion false positive alerts.

Fixed an issue where the firewall experienced high disk utilization in the /opt/pancfg/mgmt/content-preview directory due to older content data not being automatically removed when an error occurred during the process.

Fixed an issue where the Elasticsearch cluster health status displayed as red on dedicated log collectors due to an expired Elasticsearch CC certificate, which prevented log visibility from Panorama.

Fixed an issue where unintended ARP packets were sent out from the dataplane interface when the service route setting for DNS was configured to use that interface.

(PA-7500 and PA-5450 firewalls in FIPS-CC mode) Fixed an issue where the affected firewalls would boot into maintenance mode when a reboot was initiated from the web interface. This was due to a device reboot triggering a power down to all slots, leading to maintenance mode. A hard reboot would allow the firewall to boot normally.

(VM-Series firewalls in active/passive configurations only) Fixed an issue where, after an HA failover event, the newly active firewall DHCP client interfaces failed to obtain IP addresses automatically. This occurred because the DHCP client processes did not initiate the necessary DHCP discover or renew requests

Fixed an issue where Router Advertisements for IPv6 were not sent at the configured time intervals.

Fixed an issue where the firewall was unable to connect to the Subscription License Service (SLS) due to a public and private key pair mismatch with the device certificate.

Fixed an issue where excessive dataplane debug logs were generated due to the pan_task process restarting, even without any dataplane debug logs or captures being enabled by the administrator.

Fixed an issue where the firewall repeatedly sent DNS requests for FQDN objects despite even after receiving valid responses.

Fixed an issue where API calls to commit changes on Panorama intermittently failed when using the XML API with refresh=no, which caused changes to not be applied to the partial-commit configuration.

(Panorama appliances in Management Only mode only) Fixed an issue where the firewall incorrectly allowed access to the web interface on a blocked port. Additionally, after configuring a custom certificate, Panorama continued to present the self-signed certificate on the blocked port.

Fixed an issue where the MFA timestamp was not redistributed between standalone firewalls behind an Azure load balancer after upgrading, which resulted in users being prompted to reauthenticate multiple times.

Fixed an issue where, when the Network Packet Broker feature was enabled, forward TLS (non-decrypted) traffic was not working as expected when there were segmented client hellos and a no-decrypt rule existed. This issue occurred when Zone Protection profiles were configured for trust/untrust zones but not attached to NPB zones.

Fixed an issue where the show system setting ssl-decrypt certificate CLI command did not display certificates when XML output was enabled.

Fixed an issue where PAN-OS logrotate did not rotate large log files until the cron.daily process ran, which resulted in the root partition filling up.

Fixed an issue where the firewall's SSL proxy sent an empty HTTP2 SETTINGS message to the client before confirming server support, which caused some clients to incorrectly assume HTTP/2 support and not fall back to HTTP/1.1. Additionally, the firewall dropped HTTP1.1 400 Bad Request frames from the server, which prevented the client from correctly detecting the lack of HTTP/2 support.

Fixed an issue where a session process consumed excessive CPU resources, even when Data Loss Prevention (DLP) was not enabled. This occurred due to the active threat list being iterated twice when active threats were present in the session.

Fixed an issue where the bytes number overflowed for a specific application, which caused Network Monitor graphs to display an unexpectedly large volume of traffic.

(Panorama virtual appliances in Management Mode only) Fixed an issue where a maximum configuration size of 120 was incorrectly enforced instead of 150 MB.

Fixed an issue where OSCP HTTP POST requests were not formatted correctly, which caused failures with strict responders.

(Firewalls in HA configurations only) Fixed an issue where, after upgrading the ESXi host to version 8.0.3, the firewall interface went down on the active firewall due to a behavior change in ESXi 8.

Fixed an issue on PA-VM in AWS where, in a two-arm deployment integrated with Gateway Load Balancer (GWLB), the firewall did not preserve the GENEVE source port for internet traffic, resulting in increased latency. The fix ensures the firewall preserves the outer UDP source port of GENEVE encapsulation when sending traffic back to GWLB.

(PA-400 Series firewalls in HA configurations only) Fixed an issue where ports went down after an HA failover.

Optimized the commit workflow to reduce the size of the effective configuration, resulting in lower memory consumption.

Fixed an issue where WildFire clusters operating in FIPS-CC/ Non FIPS-CC mode were not supported in earlier PAN-OS 12.1 releases.

(Panorama appliances in HA configurations on Microsoft Azure environments only) Fixed an issue on the web interface where the plugin versions that were displayed when hovering the cursor over the Green Match icon were inconsistent even though the Panorama web interface reported the versions as matching.

Fixed an issue on the firewall where the source and destination NAT IP addresses did not display in traffic and threat logs.

Fixed an issue where traffic loss occurred when two aggregate ethernet interfaces were configured as vwire with only one member link active in the aggregate ethernet interface, which occurred due to an incorrect logic in active port map of AE interfaces.

Fixed an issue where Panorama administrators defined in a SAML Identity Provider (IdP) were unable to authenticate if their username exceeded 32 characters, and the system logs displayed the failed authentication attempt with a truncated username.

Fixed an issue where Data Loss Prevention (DLP) inspection of chunked transfer encoding over TLS resulted in incomplete file downloads on Outlook Web App (OWA) due to the WIF page size limit, which led to corrupted or incomplete PDF attachments.

Fixed an issue where the firewall experienced recurring kernel segfaults related to multiple processes, which led to a SIGSEGV error.

Fixed an issue where the useridd process stopped responding after an upgrade, which led to high packet buffer congestion and an OOM condition.

Fixed an issue where the firewall experienced extended boot times after a reboot due to the configd process needing to rebuild the ACE catalog after detecting discrepancies that were caused by duplicate application checking between the ACE catalog and content.

Fixed an issue where Panorama was unable to push the Trusted Root CA configuration to Log Collectors via a Collector Group push due to the Log Collector not supporting the trusted-root-CA configuration.

Fixed an issue where a dataplane crash occurred when traffic matched Inline Cloud Analysis prefiltering signatures, even when Inline Cloud Analysis features were not enabled.

Fixed an issue where PA-400 Series firewalls were not properly caching DNS responses for FQDN objects. The firewall was observed to repeatedly send DNS requests for the same FQDN objects every 10-15 seconds, even after receiving valid responses, despite the minimum FQDN refresh interval being set to a much higher value. This resulted in excessive DNS queries originating from the firewall's management interface.

Fixed an issue where the firewall was unable to send device telemetry files to Cortex Data Lake due to the firewall receiving an invalid upload token.

Fixed an issue on Panorama where the policy review feature in Dynamic Updates failed to display Security policy rules when the device group was set to All.

Fixed an issue on Panorama where reassociating a vsys from one device group to another in a multi-vsys environment resulted in another vsys from the same firewall being removed from the original device group. This resulted in the device being moved into the no device groups attached group, a superuser was required to manually reattach the device.

Fixed an issue on the web interface where the TLS Version was misspelled as TLS Version (Device > Server Profiles > Email).

Fixed an issue where the firewall incorrectly categorized some URLs as not-resolved due to a conflict with Top Level Domain (TLD) data handling in the PAN-DB URL cloud. This affected URLs under domains marked as TLDs, which the firewall incorrectly assumed did not have any category.

Fixed an issue on PA-7500 firewalls running in a cluster where sub-interfaces were not discoverable via SNMP, which prevented proper monitoring and statistics collection for sub-interfaces using SNMP-based tools.

Fixed an issue where the redistribution agent status was blank on the web interface on both the firewall and Panorama, even though the CLI showed the agent as connected.

Fixed an issue where the firewall became unresponsive after an upgrade due to the fsck command scanning drive partitions in parallel with the root partition, which caused the process to take an extended amount of time.

Fixed an issue where the CLI command debug user-id refresh user-id agent all failed with the error message Invalid agent name. Agent name should be 1 to 31 characters long.

(Panorama managed firewalls in HA configurations only) Fixed an issue where the HA-Link-Monitor configuration pushed from Panorama was converted to a local configuration on the peer device after an HA sync, which caused subsequent Panorama pushes of link monitor changes to be flagged as overwritten, and a forced template push or manual clearing of the configuration on the firewall was required.

(Firewalls in active/active HA configurations only) Fixed an issue where return packets from a phone gateway looped between the HA pair instead of being encapsulated into the GlobalProtect tunnel. This occurred when the inner session and the outer IPSec tunnel terminated on different nodes, which led to excessive retries and packet drops.

(Panorama virtual appliances only) Fixed an issue where scheduled configuration exports failed with an invalid key error when connecting to a SCP server using non-default SCP port. Also, additional CLIs were added to delete the known-hosts file.

(PA-5220 firewalls only) Fixed an issue where the ikemgr process crashed intermittently, which caused IPSec tunnels to go down randomly. With this fix, the IKE Security association data structures are accessed in a thread-safe manner, and the ikemgr process does not reference an invalid memory pointer during teardown operations.

Fixed an issue where the web interface became unresponsive when attempting to view Ethernet interface details after applying a filter in Network > Interfaces.

(PA-1410 Firewalls only) Fixed an issue where the firewall experienced high management CPU usage and repeatedly rebooted when attempting to retrieve SMART data.

Fixed an issue where email alerts sent from the firewall were marked as spam due to the EHLO header containing only the firewall hostname and not the fully qualified domain name (FQDN).

Fixed an issue where the firewall rebooted due to the useridd process repeatedly restarting during an IP-port data type writes to the redis from multiple sources such as TSA or XML in a scale environment.

Fixed an issue where Prisma Access gateways did not pass usernames to the WildFire portal, which caused the Recipient User ID to display as unknown on wildfire.paloaltonetworks.com, even when the username was present in the gateway logs.

Fixed an issue where, when a PBF policy rule with a monitoring profile was configured, the intermediate firewall dropped the PBF monitoring traffic, which caused the PBF rule to remain disabled on the local firewall.

Fixed an issue where EAL logs were not forwarded to the IoT Security dashboard when the proxy server password contained special characters.

Fixed an issue on the firewall where BGP peers disconnected when more than 500 BGP neighbors were configured in a single Logical Router

Fixed an issue where a stream receiving a reconnect signal with an associated error in Wifclient caused the entire pool to close, which resulted in a complete disconnection.

(PA-5450 firewalls only) Fixed an issue where the firewall had a lower maximum capacity for DIPP translated IP addresses than the PA-5260, which caused configuration commit errors during migration. With this fix, the maximum capacity on PA-5450 firewalls has been increased to 8000.

Fixed an issue on the Panorama web interface where previewing changes after a commit to shared objects were not accurately displayed in the push scope.

Fixed an issue where, on hardware platforms with the SaaS inline license, Additional Header Logging (AHL) hash table creation proceeded even when the feature was disabled through the CLI, potentially leading to crashes.

(Firewalls in active/active HA configurations only) Fixed an issue where adding a 26th floating IP address to an aggregate interface on one vsys caused IPSec tunnels in another vsys to stop working due to rekeying issues.

Fixed an issue where the firewall did not accept address groups in the filter condition of a Log Forwarding Match list.

Fixed an issue where the firewall incorrectly routed external Type-5 Link State Advertisements (LSAs) within a stub area when the firewall was configured as an Area Border Router (ABR) in a stub area and learned about an external prefix from another ABR connected to the backbone area.

(Firewalls in active/active HA configurations only) Fixed an issue where, when a commit operation was in progress, newly deployed IP address tags that used the XML API were not immediately reflected in address group resolution, which delayed IP address mapping to address groups and caused traffic to be incorrectly allowed or denied.

Fixed an issue where commit operations failed during phase 1 when configuring a non-default value for the Graceful Restart Hello Delay due to an FRR parse error if the configured value was between 1 and 9.

Fixed an issue where multicast output interfaces (OIFs) were missing for up to 5 minutes after an HA failover or routing process restart, which impacted new multicast sessions. This occurred due to an age-out process triggered by unicast graceful restart conditions.

Fixed an issue on firewalls in active/passive HA configurations where CLI outputs incorrectly included XML formatting.

Fixed an issue where the output for some CLI commands incorrectly included XML formatting.

Fixed an issue where DNS resolution failed on Linux machines running GlobalProtect client version 6.2.6 when connected with DNS Security enabled. This occurred because the firewall incorrectly discarded DNS packets when processing multiple DNS requests or responses over the same session, even when no malicious verdict was received.

Fixed an issue where the firewall generated two URL logs for a single session.

Fixed an issue on IKEv1 tunnels where, if the peer IKE gateway was unreachable, the IKE Phase-1 Security association (SA) was not cleared by DPD until Phase-2 rekeying occurred or until it was manually cleared via the CLI because the DPDs were not sent accurately according to the configured interval due to a miscalculation of the DPD timer. This resulted in the tunnel taking longer than expected to recover.

Addressed a memory leak issue under sc3 and automatic commit recovery (ACR) code path.

Fixed an issue where a memory leak related to the configd process occurred.

Fixed an issue where the firewall intermittently failed to forward VXLAN GARP packets, which led to connectivity issues for wireless clients in environments that used VXLAN tunnels for wireless access points.

(VM-Series firewalls in HA configurations only) Fixed an issue where Panorama displayed incorrect packet buffer values on the web interface and the CLI.

Fixed an issue where configuring an OSPFv2 NSSA area range caused OSPF-learned routes to become unreachable due to the incorrect installation of a discard route when the NSSA range prefix matched an existing OSPF route.

Fixed an issue where Panorama displayed the URL instead of the file name for vulnerability threat logs fetched from the Logging Service.

Fixed an issue where Strata Logging Service (SLS) log forwarding streams intermittently displayed as inactive.

Fixed an issue where, after committing changes to a Certificate Profile or other global configurations without any making changes to the virtual system (vsys), the Data Redistribution include/exclude lists were ignored on the firewall. This resulted in the firewall receiving and processing User-ID information from all sources.

Fixed an issue where GlobalProtect HIP data file download and installation failed with the error message An error occurred while processing request. Please try again after some time or contact support or No ETAG from response due to a script exiting prematurely.

Fixed an issue on the firewall where the useridd process continuously increased its memory consumption, which resulted in an OOM condition that caused the firewall to restart.

Fixed an issue where the CLI command outputs incorrectly included XML formatting tags.

Fixed an issue where syslog forwarding dropped due to FQDN resolution failures.

Fixed an issue where, after onboarding a firewall to Panorama, IPsec tunnels displayed IKEv2 in Panorama, even though the tunnels were configured with IKEv1 locally on the firewall.

Fixed an issue where the useridd process stopped responding because the client was unavailable.

Fixed an issue where the source user field was intermittently missing in traffic logs, even when the IP address-to-user mapping was available. This occurred due to a race condition where the log generation process preceded the creation of the IP address-to-user mapping.

Fixed an issue where, after upgrading Panorama and Log Collectors from PAN-OS 10.2.9 to PAN-OS 11.1.6-h6, Traffic and Threat logs were not forwarded to a Splunk server over UDP.

(Panorama appliances only) Fixed an issue where a custom administrator role with the permission Network > QoS (Read Only) was unable to create a QoS profile, even when the Policies > QoS (Enabled) and Network Profiles > QoS Profile (Enabled) permissions were also set.

Fixed an issue where, when you used a syslog forwarding profile with the CEF format, an additional string was appended to the end of the log message when viewing the log entry from the Universal Forwarder directory.

Fixed an issue where firewalls with the Send handshake messages to CTD for inspection setting enabled caused incorrect security policy rules to be matched during the TLS handshake. Additionally, the expected response page for blocked URLs was not displayed.

(Firewalls in active/passive HA configurations) Fixed an issue on firewalls where, after failover, certain subnets were missing from the Link State Database, which prevented OSPF routes from being immediately learned due to a Type-7 to Type-5 LSA translation conflict in the ABR when the same LSA was advertised by two peers in the NSSA area.

Fixed an issue where firewalls and Panorama management servers were unable to view or download WildFire reports from a WF-500 appliance, resulting in a 401 error in the report tab.

Fixed an issue on Panorama where a configd SIGSEGV crash occurred when renaming objects within policy rules, objects, or zones.

Fixed an issue where BGP did not generate a system log when the number of prefixes received from a peer exceeded the configured threshold, even with the Address Family Identifier and Peer Group settings configured to trigger a warning.

Fixed an issue where viewing, refreshing, and comparing config versions in Config Audit caused the configd process to stop responding. If the page loaded successfully, some commit versions displayed incorrect or missing data.

Fixed an issue where the firewall rebooted unexpectedly due to the useridd process restarting and causing an HA failover. This occurred due to the configd process timing out when running the CLI command show user user-id-agent config all.

Fixed an issue where the firewall removed all Infrastructure and Audit logs, as well as logdb and search engine quotas, when the configured retention period was reached instead of only removing logs older than the configured retention period.

Fixed an issue on Panorama managed firewalls generated Failed in get_pwchange_required error messages in the authd logs for local administators.

Fixed an issue where the cellular interface LED indicator incorrectly displayed a green light when the cellular interface was down due to a failed packet data session.

Fixed an issue on the firewall where the VM monitor source remained in the Getting All status, which prevented dynamic address groups from updating IP addresses for new EC2 instances. This issue occurred due to a race condition where two threads that simultaneously retrieved IP address tag information from AWS VM monitoring sources became stuck while reading the XML file.

Fixed an issue where the file URL was not displayed on SCM LogViewer when a file was downloaded. This issue affected logs with a subtype of 'file'.

Fixed an issue where Panorama failed to push the default value of None for the secondary NTP server address to managed firewalls, resulting in a commit validation error. This occurred even when configuring the secondary NTP server address as None in Panorama's web interface, and affected both newly deployed and long-standing production firewalls after upgrading.

Fixed an issue where EAL logs for traffic matching the intrazone-default security rule were not forwarded to the IoT Security portal.

Fixed an issue on the Panorama web interface where SNMP settings configured in Panorama templates were incorrectly displayed as locally configured.

Fixed an issue where packets with bad TCP checksums were transmitted even when the Strict TCP/IP checksum option was enabled.

Fixed an issue where importing a device state file was incorrectly allowed during an existing commit job.

Fixed an issue where users with a custom role-based administrator role were unable to download the GlobalProtect client application via the web interface even when the GlobalProtect Client option was enabled in the admin role profile.

Fixed an issue on Panorama where a full push to device groups was initiated instead of a selective push when using Commit and Push Changes Made By in the commit and push.

Fixed an issue where the reported throughput and packet rate were higher than the actual interface traffic due to a double counting error.

(Panorama appliances only) Fixed an issue where the web interface did not display the commit button for a custom administrator when changes were made to a template while a device group push was pending.

Fixed an issue where a command injection vulnerability could occur due to improper input sanitization.

(Panorama appliances only) Fixed an issue where the software deployment validation process did not display the required software version for dedicated log collectors (DLCs), and downloading software images to multiple DLCs failed.

Fixed an issue where HA configuration synchronization failed between HA firewalls due to an empty interface node present only in the passive firewall's running-config.xml file.

Fixed an issue where Panorama did not display data in the Feature Adoption tab in Strata Cloud Manager due to the system creating and deleting a CLI user for each interval instead of reusing a permanent CLI user for telemetry.

Fixed an issue where the authd process stopped handling RADIUS authentication requests and required a restart.

(Firewalls in active/passive HA configurations only) Fixed an issue where network outages of approximately 30 seconds occurred after a failover due to a delay in establishing the BGP connection between the new active firewall and one of its peers and a second delay in advertising prefixes learned from the firewall to another peer.

Fixed an issue on M-200 and logging appliances where traffic logs were intermittently truncated when forwarded using a TCP syslog configuration. This issue occurred during the log forwarding stage due to intermittent syslog drops caused by exceeding the forwarding queue capacity.

Fixed an issue where the Status LED on PA-7500 SFCs did not work.

(Panorama appliances only) Fixed an issue where the data on scheduled SaaS Application Usage Reports was different than the data on on-demand reports generated via Run Now.

Fixed an issue on the Panorama web interface where cloud applications were not displayed under Objects > Applications after a new content upgrade and Cloud App Catalog download, and were only visible in application groups, security policy rules, and the CLI.

Fixed an issue where SSH/SFTP traffic was intermittently blocked by URL filtering due to the firewall incorrectly applying URL categories from previous sessions.

Fixed an issue where the firewall established multiple TCP connections to a syslog server, which caused logs to be dropped. This occurred because the firewall established a new TCP session for each transfer and the sessions were not closed, which resulted in a continuous increase in connections over time.

Fixed an issue on the firewall where the PDT process experienced a memory leak due to frequent dumping of fabric traffic statistics, which resulted in high CPU utilization and instability.

(PA-7050 firewalls on vwire instances only) Fixed an issue where Bidirectional Forwarding Detection (BFD) echo packets were dropped due to the firewall dropping packets with the same source and destination IP addresses.

Fixed an issue where the software tag descriptor was always at 100, which led to resource unavailability errors and prevented users from obtaining DHCP IP addresses.

Fixed an issue where the firewall incorrectly reported the speed of 25G interfaces as 1G when queried using SNMP for the ifHighSpeed OID.

Fixed an issue where the firewall rebooted unexpectedly due to an OOM condition.

(VM-Series firewalls only) Fixed an issue where the firewall frequently rebooted.

Fixed an issue where a PA-VM-Flex firewall in an air-gapped environment failed to install the license when bootstrapping after a factory reset when the ISO image contained a PAN-OS image.

Fixed an issue where checksum values changed when downloading files through TFTP on firewalls using subinterfaces.

Fixed an issue where Real Time Streaming Protocol (RTSP) video streams did not work when connected through GlobalProtect due to the firewall blocking 200 OK responses. This occurred because of incorrect NAT translations for the 200 OK message from the server.

Fixed an issue where the devsrvr process periodically exceeded its virtual memory limit and restarted, which led to intermittent outages.

Fixed an issue where, after a web server returned a 401 or 403 error, the firewall was unable to decrypt HTTP/2 traffic, and the firewall rejected all subsequent streams from the client.

Fixed an issue where the web server used a low HTTP Strict Transport Security (HSTS) max-age value of 86400 seconds for the log.query.expression.js.php page.

Fixed an issue where the proxy hid the Cache-Control header, which prevented context switching.

Fixed an issue where multiple memory leaks occurred related to the configd process.

Fixed an issue where the Agent User Override Key was incorrectly available for configuration on Panorama management servers when running in FIPS-CC mode.

Fixed an issue where the debug dataplane nat sync-ippool command may not accurately account for all allocated ports or display/sync leaks when multiple NAT rules use the same IP pool. This could result in inaccurate reporting of leaked ports. The fix modifies the implementation to directly compare the original pool against the temporary pool across all vsys.

Fixed an issue where modifying an interface IP address on an existing vsys caused a default vsys1 to be created, which led to commit failures due to the maximum supported number of vsys being reached.

Fixed an issue on Panorama and Panorama managed firewalls where template settings reverted during a device group push when Include Device and Network Templates was checked, even if no changes were made to the template. This caused the SAML IDP server profile certificate to revert to an older, invalid certificate, and resulted in GlobalProtect users being unable to authenticate via SAML.

Fixed an issue where websites did not load when accumulation proxy was enabled.

Fixed an issue on Panorama where a selective push of policy rule changes to a firewall caused the firewall to lose its Security policy rules.

Fixed an issue where partial-revert operations were taking a long time, causing config lock timeout issues and resulting in frequent error messages being displayed: Timed out while getting config lock. Please try again.

Fixed an issue where the authd process crashed intermittently on VM-Series firewalls due to authentication sequence failures. The crashes occurred during memory management operations within a library while releasing memory to its central cache.

Fixed an issue on Panorama managed firewalls where the source user, source device vendor, source MAC address, and OS version information were not visible in traffic logs and SCM when the user and device access control lists were empty.

Fixed an issue where dataplane interfaces went down and configurations were lost after a reboot.

Fixed an issue where the MPLS interface eth1/6 went down and remained down, even after replacing the SFP with a supported one and adjusting duplex and speed settings.

Fixed an issue where, after upgrading Panorama in a High Availability (HA) pair, the configuration logs stopped synchronizing from the primary Panorama to the secondary Panorama. This issue occurred because the log forwarding flag was permanently disabled due to the connection state not being active when the log-fwd-ctrl message was received.

Fixed an issue on the Panorama web interface where the search bar suddenly was not displayed, or the filter/clear filter icon moved to the left of the search bar.

Fixed an issue where custom administrators with visibility into specific vsys logs were able to view logs for all vsys.

Fixed an issue where, after an EDL certificate update or repository migration, authentication failures caused the firewall to not fall back to the last successfully cached EDL entries, which led to policy rules that referenced the EDL to not be enforced.

Addressed a stack buffer overflow memory leak under plugin management code path.

Fixed an issue where the debug data-plane sync ippool CLI command did not work for Per Destination IP Pool (PDIPP) and caused a memory leak.

Fixed an issue where the firewall incorrectly identified ports as leaking when the session was not active even though the ports were allocated.

(Firewalls in active/passive HA configurations only) Fixed an issue where the firewall did not process and transmit HA path monitoring probes received from another HA cluster when the firewall acted as a gateway for internal monitoring IP addresses used in the HA path monitoring group, which caused HA flapping due to path monitoring failures.

Fixed an issue on Panorama where API jobs failed with the error message Server error: Timed out while getting config lock. This occurred due to slow set request performance when setting a large number of address objects in a single set call.

Fixed an issue where PA-3420 firewalls experienced unexpected reboots due to the all_task_7 process crashing with signal 6, leading to a non-functional state.

Fixed an issue where, when an application stopped responding, a large file was created in the /opt/panlogs directory, which caused the partition to fill up.

Fixed an issue where sequence numbers were skipped for all types of logs on the firewall due to audit logs being generated but not written to disk when Audit Tracking is enabled.

Fixed an issue where the firewall web interface became unresponsive while adding a description that contained 1062 bytes of character data in a Security policy rule instead of displaying an error message when the description exceeded the maximum allowed length.

Fixed an issue on Panorama managed firewalls where CLI commands to convert a LSVPN to Serial Number and IP address authentication were not applied if the GlobalProtect portal name contained a space.

Fixed an issue where proxy requests for certificate status (OCSP/CRL) from sslmgr contained incorrect values that caused unknown certificates to be blocked.

Fixed an issue where the firewall did not automatically recover after a machine check exception (MCE) occurred.

Fixed an issue where the wifclient was not configured to utilize the GOMEMLIMIT feature.

Fixed an issue on Panorama where Kerberos superusers were unable to edit policy rules because the target device tab was grayed out.

Fixed an issue where the PAN-OS DoS protection feature by default blacklisted specific IP addresses, which caused outbound traffic domain resolution to fail for clusters.

Fixed an issue where log forwarding to all syslog servers failed if one syslog server that used TLS as the protocol became unreachable.

Fixed an issue where traffic logs incorrectly displayed the action as allow for traffic matching a Security policy rule configured with the action set to deny. This issue occurred due to the child session being used for policy rule lookup when a configuration update triggered a rematch if the FTP-data application was not in the rule.

(Firewalls in HA configurations only) Fixed an issue where the show wildfire status CLI command displayed an incorrect maximum file size of 4 KB for WildFire script uploads even though the configured value was different.

Fixed an issue where the firewall experienced high disk space utilization, which caused the firewall to become non-functional.

Fixed an issue on firewalls running PAN-OS 11.1 and later PAN-OS releases where the portal and gateway configuration view did not display rows and columns.

Fixed an issue on Panorama where performing a selective revert of configuration changes resulted in all configuration changes being reverted.

Fixed an issue where the firewall generated high-severity system alerts indicating that the configuration size exceeded the maximum recommended size, even when the configuration size was within the expected limits.

Fixed an issue where packet buffer depletion occurred due to the a high number of tcp_pkt_queued packets when Jumbo was enabled.

Added an enhancement to the show interface cellular CLI command to display all required information.

Fixed an issue where firewalls that were connected to the same Cloud Identity Engine displayed inconsistent group membership information, with some firewalls showing only a subset of users belonging to a group. This occurred due to a full or incremental group sync failure.

This fix introduces a retry mechanism for failed group queries to the Cloud Identity Engine. To use this feature, run the following CLI commands.

To enable the retry mechanism: debug user-id dscd retry-enable on.

To set the retry time: debug user-id dscd retry-time set-time <1-10>. The default value is 5 seconds.

To set the number of retry attempts: debug user-id dscd retry attempts set-attempts <3-10>. The default value is 5 attempts.

To disable the retry mechanism: debug user-id dscd retry-enable off.

Additionally, a system log is now generated when a group sync fails, and you are able to monitor the group sync status with the following CLI commands:

Fixed an issue where IPv6 BGP peering established between virtual routers even without dataplane connectivity. This occurred because the firewall used the kernel for lookups instead of the dataplane. The CLI set system setting loopback-workaround enable is mandatory then for this lookup to be forced.

Fixed an issue on Panorama where you were unable to delete a shared object due to the rulebase incorrectly referencing the shared object instead of the device group-specific object when the name was used.

To use this fix, delete the original shared object after cloning it to a device group with the same name.

Fixed an issue where GlobalProtect clients on Windows endpoints sent an empty cookie to the gateway after a user logged out of the Windows machine or rebooted. This triggered a full re-authentication instead of using the existing authentication cookie, which resulted in the generation of a new authentication cookie upon each login.

Fixed an issue where the Japanese translation for the URL filtering option to add a trailing slash to entries and the device license status error was incorrect.

Fixed an issue where commits failed when Data Services was in a Service route configuration was configured with the MGMT interface.

Fixed an issue where the Logging Service License Status displayed as red even though a valid license was installed on the firewall.

Fixed an issue where the firewall did not log the correct NAT IP address and source zone for HTTP2 traffic with SSL decryption enabled on RNHP nodes.

(PA-7000 Series firewalls only) Fixed an issue where an incorrect ASIC configuration caused silent packet drops or application slowness when receiving a mix of jumbo and non-jumbo packets.

Fixed an issue where the firewall did not display VPC endpoints when there was a large amount of VPC endpoints to interface mappings.

Fixed an issue where session rematch caused ACE cloud application traffic to match the wrong policy.

(Firewalls on Amazon Web Services (AWS) environments only) Fixed an issue where newly bootstrapped firewalls sent an incorrect, non-DHCP-assigned hostname to the SNMP server. This occurred because the SNMP process referred to a configuration file that was not updated due to a missing configuration commit.

Fixed an issue where the reportd process stopped responding with a SIGSEGV at schedule_report_es_response.

Fixed an issue where, when the DHCP server was enabled for GlobalProtect, the commit error message was not properly displayed when Any was selected as the source interface in the service router configuration (Device > Setup > Service > Service Router Configuration).

(PA-5400 Series firewalls only) Fixed an issue where the mp-monitor logs did not print disk SMART data.

Fixed an issue where high SSL traffic depleted flex memory, which prevented the firewall from revalidating SSLVPN client CAs during configuration pushes.

Fixed an issue where the firewall did not have a heartbeat mechanism for the authd process, which caused the firewall to become unresponsive if the authd process stopped responding.

Fixed an issue where the firewall was unable to parse the URL path and host when the host header was located in a different packet, which resulted in the firewall not logging the URL path in the first packet.

The fix is disabled by default. The following CLI commands can be used to enable/disable the feature:

• set system setting ctd url-crosspkt-host-path-caching enable
• set system setting ctd url-crosspkt-host-path-caching disable
• set system setting ctd url-crosspkt-host-path-caching default