PAN-OS 10.2.13-h16 Addressed Issues
Focus
Focus

PAN-OS 10.2.13-h16 Addressed Issues

Table of Contents

PAN-OS 10.2.13-h16 Addressed Issues

Addressed issues for the PAN-OS 10.2.13-h16 general available hotfix release.
Issue IDDescription
PAN-298907
Fixed an issue on PA-VM in AWS where, in a two-arm deployment integrated with Gateway Load Balancer (GWLB), the firewall did not preserve the GENEVE source port for internet traffic, resulting in increased latency. The fix ensures the firewall preserves the outer UDP source port of GENEVE encapsulation when sending traffic back to GWLB.
PAN-298505
Fixed an issue where, after upgrading an HA pair of PA-7050 firewalls, the vsys ID changed in sequence, causing autocommit failures with validation errors. This occurred when the multi-vsys firewall had virtual systems created and pushed from Panorama, and the vsys ID was not in a correct sequence because the unused vsys was deleted from Panorama and pushed to devices.
PAN-296519
Fixed an issue where a stream receiving a reconnect signal with an associated error in Wifclient caused the entire pool to close, which resulted in a complete disconnection.
PAN-296478
Fixed an issue where, after upgrading to PAN-OS 10.2.13-h10, GlobalProtect Clientless VPN on PA-3250 firewalls failed to execute JavaScript links, resulting in an authorization error. This occurred because the firewall was incorrectly injecting text into URLs when JavaScript buttons or dropdown menus were clicked within the Clientless VPN portal.
PAN-296261
Fixed an issue where scheduled custom reports generated through Panorama were blank (Monitor > Reports) due to a malformed JSON response from the reportd process.
PAN-295342
Fixed an issue where the pan_comm process stopped responding due to insufficient time allocated to read file descriptors when processing long messages.
PAN-293879
Fixed an issue on the firewall where the VM monitor source remained in the Getting All status, which prevented dynamic address groups from updating IP addresses for new EC2 instances. This issue occurred due to a race condition where two threads that simultaneously retrieved IP address tag information from AWS VM monitoring sources became stuck while reading the XML file.
PAN-293673
Fixed an issue where the firewall stopped all tasks due to an OOM condition caused by a scheduled log export using FTP to an external FTP server.
PAN-292539
(CN-Series firewalls only) Fixed an issue where the firewall generated incomplete or corrupted tech support files (TSF) due to high disk usage on the management plane.
PAN-291174
Fixed an issue where Real Time Streaming Protocol (RTSP) video streams did not work when connected through GlobalProtect due to the firewall blocking 200 OK responses. This occurred because of incorrect NAT translations for the 200 OK message from the server.
PAN-290996
Fixed an issue where SNMP walks returned a value of 0 for the CPS (Connections Per Second) per vsys on firewalls after upgrading to PAN-OS 11.1.6-h3, even when active connections were present.
PAN-290088
Fixed an issue where a memory leak occurred related to the configd process when pushing configurations from Panorama to a firewall. This occurred when the configurations contained shared policy rules.
PAN-289239
Fixed an issue on Panorama where a new virtual system (vsys) was automatically created with the name of a device group.
PAN-288158
(VM-Series firewalls) only Fixed an issue where the firewall became inaccessible via the web interface and SSH and remained in an initializing state.
PAN-287842
Fixed an issue where the comm process stopped responding due to missing heartbeats, which resulted in a system alert and HA communication loss on slot1.
PAN-287818
Fixed an issue where sessions timed out sooner than expected due to the pan_proxy_accumulation _restore_timeout not initiating when the accumulationsession_init failed.
PAN-287734
Fixed an issue where the error message Scan ERR: Internal Err 1002 was generated unexpectedly when WIF shared memory use was high.
PAN-287035
Fixed an issue where, when an application stopped responding, a large file was created in the /opt/panlogs directory, which caused the partition to fill up.
PAN-287023
Fixed an issue where a large number of logs caused the logrcvr process to stop responding.
PAN-286615
Fixed an issue where the firewall double-freed shared memory when the shared memory usage reached 100% when sending large payloads. This occurred when DLP, Advanced Advanced Threat Protection (ATP), Advanced WildFire (AWF), or Advanced URL Filtering were enabled.
PAN-284003
Fixed an issue where clients did not receive a valid response when when searching a website due to a compression error.
PAN-286231
Fixed an issue where a simultaneous selective push from Panorama to multiple firewalls with different base configurations resulted in configuration corruption, which caused the firewall to go down.
PAN-279901
Fixed an issue where the firewall dropped client hello packets when decryption was enabled, which prevented access to certain websites. This occurred when the client hello packet was truncated, the accumulation proxy assumed that the first packet contains at least 5 bytes, or out-of-order packets were waiting in L4 TCP.
PAN-279500
Fixed an issue where TLS connections failed to establish in asymmetric routing environments if the firewall did not see server-to-client (s2c) packets of the TLS handshake.
To use this fix, run the following CLI command: debug dataplane set ssl-decrypt accumulate-client-hello asym-disable yes.
PAN-278288
Fixed an issue where IPv6 BGP peering established between virtual routers even without dataplane connectivity. This occurred because the firewall used the kernel for lookups instead of the dataplane.
To use this fix, run the following CLI command: set system setting loopback-workaround enable
PAN-276795
Fixed an issue where the GlobalProtect client displayed an error message when you clicked Check Now and Preferred Releases and Base Releases were unchecked (Device > Software).
PAN-272812
Fixed an issue where SNMP monitoring of tunnel interfaces displayed zero values for received bytes and packets.
PAN-271701
Fixed an issue where Advanced Services, App-ID Cloud Engine (ACE), and Enhanced Application Log stopped working due to incorrect memory usage accounting, which caused memory usage to remain at 99% after an extended period of time.
PAN-266653
Fixed an issue where unexpected path monitor failures caused the firewall to stop responding.
PAN-267444
Fixed an issue where large file downloads or uploads failed or remained in an incomplete state when using DLP HTTP2 mirror mode.
PAN-266279
Fixed an issue on Panorama where the default version of IKE gateway was not set to IKEv2 only mode, which caused VPN establishment issues if the firewall recognized a new configuration as IKEv1.
PAN-261825
Fixed an issue where traffic was dropped when Data Loss Prevention or Advanced URL Filtering were enabled. This occurred when the payload size was greater than 3.5 KB.
PAN-259741
Fixed an issue where the firewall dropped GRE keepalive packets that were encapsulated under another GRE tunnel.
PAN-259076
Fixed an issue where the firewall displayed an OCSP/CRL check failure when accessing websites.
PAN-255860
(PA-5200 firewalls only) Fixed an issue where the all_pktproc process stopped responding when the firewall was under a heavy traffic load.
PAN-255619
Fixed an intermittent issue where file downloads from websites failed when decrypting HTTP/2 traffic.
PAN-253485
(Firewalls in active/passive HA configurations only) Fixed an issue where dataplane packet capture filter configuration failed on the active firewall with the error op command for client dagger timed out as client is not available.
PAN-250146
Fixed an issue on the web interface where templates incorrectly showed that telemetry was enabled when it was not enabled. With this fix, the telemetry setting is not displayed in the template on the web interface.
PAN-247575
Fixed an issue where the error message import of failed. Please check the validity of the key pair and try again for unmatched keys for EC certificates.
PAN-245064
(Multi-vsys firewalls only) Fixed an issue where commits failed on the firewall after selecting Export or push device config bundle on Panorama and a force push was required.
PAN-242602
Fixed an issue where GlobalProtect clients experienced slow SMB-V3 download throughput when passing through a Prisma IPSec tunnel and the firewall and the SMB-V3 session owner dataplane was the same as the IPSec-ESP tunnel on the multi-dataplane firewall.
PAN-241536
Fixed an issue on Panorama where admin users with the Custom Panorama Admin role were unable to add, edit, or delete route filters under Routing Profiles.
PAN-231386
Fixed an issue where the configd process stopped responding during certificate verification.
PAN-220293
Fixed an issue where the firewall management plane could not display BGP peer details when using the CLI command show advanced-routing bgp peer detail logical-router. This was due to the bgp_frr.py script failing to parse the IPv6 address family section of the show ip bgp neighbors json output.
PAN-202905
Fixed an issue on the firewall web interface where the Next Hop value was not displayed in the static route configuration, the admin-dist values were empty, and the path-monitor parameters were not listed in the management server web interface when the firewall was configured in FRR mode.