Fixed an issue on Panorama where edits made to an existing data filtering profile resulted in matching traffic not being detected by Enterprise DLP.

(

PA-220 and PA-220R firewalls and PA-800 Series firewalls only

) Fixed an issue where management connectivity to the firewall was lost due to the expiration of the DHCP lease, which caused the IP configuration on the management port to be purged in PAN-OS 10.2.0. To upgrade, download PAN-OS 10.2.0 (no installation), then download and install PAN-OS 10.2.0-h1.

A fix was made to address an OpenSSL infinite loop vulnerability in the PAN-OS software (CVE-2022-0778).

(

FIPS-CC enabled firewalls only

) Fixed an issue where the firewall was unable to connect to log collectors after an upgrade due to missing cipher suites.

Fixed an issue where the firewall onboard packet processor used by the PAN-OS content-inspection (CTD) engine can generate high dataplane resource usage when overwhelmed by a session with an unusually high number of packets. This can result in

resource-unavailable

messages due to the content inspection queue filling up. Factors related to the likelihood of an occurrence include enablement of content-inspection based features that are configured in such a way that might process thousands of packets in rapid succession (such as SMB file transfers). This can cause poor performance for the affected session and other sessions using the same packet processor. PA-3000 series and VM-Series firewalls are not impacted.

Fixed an issue where Panorama was unable to distribute antivirus signature updates to firewalls with an Advanced Threat Prevention license only.

Fixed an issue where existing traffic sessions were not synced after restarting the active dataplane when it became passive.

(

VM-Series firewalls only

) Fixed an issue that caused the pan_task process to stop responding with floating point exception (FPE) when there was a module of 0 on the queue number.

Fixed an issue that prevented antivirus signature update packages that are normally available to install from displaying properly on the firewall when the Advanced Threat Prevention license is present on a firewall without a Threat Prevention license.

Fixed an issue where Device Group and Template administrator roles didn't support a context switch between the Panorama and firewall web interfaces.

Fixed an issue on Panorama where you were unable to successfully downgrade to a PAN-OS 10.1 release unless you uninstalled the ZTP Plugin 2.0.

Fixed an issue where, after upgrading a CN-Series firewall from a PAN-OS 10.1 release to PAN-OS 10.2.0, show session commands did not return output.

Fixed an issue where, when Advanced Routing was enabled on the firewall, an OSPFv3 interface configured with the p2mp link type caused commits to fail.

Fixed an issue where, after a successful upgrade to PAN-OS 10.2, logging into the firewall or Panorama web interface from the same internet browser window or session from which the firewall or Panorama was upgraded did not work.

Fixed an issue where, when pre-generated license key files were manually uploaded via the web interface, they weren't properly recognized by PAN-OS and didn't display a serial number or initiate a reboot.

Fixed an intermittent issue where web pages and web page contents did not properly load when cloud inline categorization was enabled.

Fixed an issue where a firewall import to Panorama running a PAN-OS 10.1 release or a PAN-OS 10.2 release resulted in corrupted private information when the master key was not used.

Fixed an issue on Panorama where a selective push pushed an incorrect configuration to the managed firewalls, which caused the firewalls to display as out of sync. This issue occurred if the Panorama-pushed version for the

Shared Policy and Template

configuration were 20 or more versions older than the current local running configuration on Panorama.

(

VM-Series firewalls in Microsoft Azure environments only

) Fixed a Data Plane Development Kit (DPDK) issue where interfaces remained in a link-down state after an Azure hot plug event. This issue occurred due to a hot plug of Accelerated Networking interfaces on the Azure backend caused by host updates, which led to Virtual Function unregister/Register messages on the VM side.

Fixed an issue where individual configuration objects were not viewable after committing selective configuration changes on a multi-vsys firewall.

Fixed an issue where, after logging in, Panorama displayed a 500 error page after five minutes of logging for dynamic group template admin types with access to approximately 115 managed devices or 120 dynamic groups.

Fixed an issue where log queries that included WildFire submission logs returned more slowly than expected.

(

PA-440 Series firewalls only

) Fixed an issue where the firewall's maximum tunnel limit was incorrect.

(

PA-3400 Series firewalls only

) Fixed an issue where the firewall management interface incorrectly displayed 10G port speed as an option even though 10G speed is not supported and can't be configured.

Fixed an issue where the firewall sent fewer logs to the system log server than expected. With this fix, the firewall accommodates a larger send queue for syslog forwarding to TCP syslog receivers.

Fixed an issue where processing corrupted IoT messages caused the

wificlient

process to restart.

Fixed an issue on Panorama where you were unable to select a template variable in

Templates > Device > Log Forwarding Card > Log Forwarding Card Interface > Network > IP address location

.

Fixed an issue where, after clicking

WildFire Analysis Report

, the web interface failed to display the report with the following error message:

refused to connect

.

Fixed an issue on Panorama where ZTP Plugin 2.0 was not available for download before upgrading Panorama to PAN-OS 10.2.

Fixed an issue where the WildFire analysis report was not viewable from the firewall WildFire submission log entry page.

Fixed an issue where Panorama Global Search reported

No Matches found

while still returning results for matching entries on large configurations.

Fixed an issue with DNS cache depletion that caused continuous DNS retries.

Fixed an issue where the CN-NGFW (DP) folder on the CN-MGMT pod eventually consumed a large amount of space in the /var/log/pan because the old registered stale next-generation firewall logs were not being cleared.

Fixed an issue where the CTD loop count wasn't accurately incremented.

Fixed an issue where Panorama serial-number-based redistribution agents did not redistribute HIP reports.

Fixed an issue where, after upgrading to a PAN-OS 8.1 release, the port on the firewall stayed up, but the port on the connected device reported down. This occurred because, on force mode, autoneg was disabled by default. With this fix, autoneg is enabled by default on force mode.

Fixed an issue on Panorama where a selective push to managed firewalls failed after renaming an existing device group, template, or template stack that was already pushed to the managed firewalls and you selectively committed specific configuration objects from the renamed device group, template, or template stack.

A validation error was added to inform an administrator when a policy field contained the value

any

.

Fixed an issue where the URL filtering logs generated by traffic analyzed by Advanced URL filtering cloud inline categorization didn't display the URL name.

Fixed an intermittent issue where Panorama did not show new logs from firewalls.

Fixed an issue where the log collector continuously disconnected from Panorama due to high latency and a high number of packets in Send-Q.

(

M-300 and M-700 appliances only

) Fixed an issue where the Activity (ACT) LEDs on the RJ-45 ports did not blink when processing network traffic.

Fixed an intermittent issue where, when Security profiles were attached to a policy, files that were downloaded across TLS sessions decrypted by the firewall were malformed.