PAN-OS 10.2.13-h18 Addressed Issues

PAN-OS® 10.2.13-h18 addressed issues.
Issue ID
Description
PAN-304756
Fixed an issue on Panorama where, after you disabled the shared optimization feature, a full configuration push to multi-vsys devices caused a validation error.
PAN-299354
Added a CLI command to adjust the local pool cache size of the detector_threat process to address an issue where the local-reuse memory pool borrowed from the global pool, which impacted performance during session deletion.
PAN-299228
Fixed an issue where a session process consumed excessive CPU resources, even when Data Loss Prevention (DLP) was not enabled. This occurred due to the active threat list being iterated twice when active threats were present in the session.
PAN-298907
Fixed an issue on PA-VM in AWS where, in a two-arm deployment integrated with Gateway Load Balancer (GWLB), the firewall did not preserve the GENEVE source port for internet traffic, resulting in increased latency. The fix ensures the firewall preserves the outer UDP source port of GENEVE encapsulation when sending traffic back to GWLB.
PAN-298505
Fixed an issue where, after upgrading an HA pair of PA-7050 firewalls, the vsys ID changed in sequence, causing autocommit failures with validation errors. This occurred when the multi-vsys firewall had virtual systems created and pushed from Panorama, and the vsys ID was not in a correct sequence because the unused vsys was deleted from Panorama and pushed to devices.
PAN-297775
Fixed an issue where, after upgrading to an affected PAN-OS release, the Visible Virtual System field referenced the vsys name instead of the vsys ID, which caused inter-vsys routing to fail. This occurred when a vsys display name matched one of the vsys IDs. If you're using a multivsys environment, you must upgrade your firewalls to a fixed PAN-OS version. The best practice is to upgrade both the firewalls and Panorama to a fixed PAN-OS version.
If you don't upgrade Panorama to a fixed version, you'll encounter PAN-245064, where a commit on a multivsys firewall fails with the message vsys name should end with a number vsys is invalid after you Export or push device config bundle from 11.1.1 Panorama.
After you upgrade Panorama to a fixed version, you'll encounter PAN-214177, which causes an Export or Push device config bundle from Panorama to the firewall to fail. The workaround for PAN-214177 is to first push only the template configuration and then push the device group configurations.
PAN-296519
Fixed an issue where a stream receiving a reconnect signal with an associated error in Wifclient caused the entire pool to close, which resulted in a complete disconnection.
PAN-296478
Fixed an issue where, after upgrading to PAN-OS 10.2.13-h10, GlobalProtect Clientless VPN on PA-3250 firewalls failed to execute JavaScript links, resulting in an authorization error. This occurred because the firewall was incorrectly injecting text into URLs when JavaScript buttons or dropdown menus were clicked within the Clientless VPN portal.
PAN-296261
Fixed an issue where scheduled custom reports generated through Panorama were blank (Monitor > Reports) due to a malformed JSON response from the reportd process.
PAN-295342
Fixed an issue where the pan_comm process stopped responding due to insufficient time allocated to read file descriptors when processing long messages.
PAN-293879
Fixed an issue on the firewall where the VM monitor source remained in the Getting All status, which prevented dynamic address groups from updating IP addresses for new EC2 instances. This issue occurred due to a race condition where two threads that simultaneously retrieved IP address tag information from AWS VM monitoring sources became stuck while reading the XML file.
PAN-293673
Fixed an issue where the firewall stopped all tasks due to an OOM condition caused by a scheduled log export using FTP to an external FTP server.
PAN-292539
(CN-Series firewalls only) Fixed an issue where the firewall generated incomplete or corrupted tech support files (TSF) due to high disk usage on the management plane.
PAN-291174
Fixed an issue where Real Time Streaming Protocol (RTSP) video streams did not work when connected through GlobalProtect due to the firewall blocking 200 OK responses. This occurred because of incorrect NAT translations for the 200 OK message from the server.
PAN-291172
Fixed an issue where administrators were unable to gather path monitoring failure information when troubleshooting high dataplane CPU utilization.
PAN-291009
Fixed an issue where, after a web server returned a 401 or 403 error, the firewall was unable to decrypt HTTP/2 traffic, and the firewall rejected all subsequent streams from the client.
PAN-290996
Fixed an issue where SNMP walks returned a value of 0 for the CPS (Connections Per Second) per vsys on firewalls after upgrading to PAN-OS 11.1.6-h3, even when active connections were present.
PAN-290665
Fixed an issue with firewalls enabled with Security profiles where certain traffic conditions caused high dataplane CPU utilization and packet buffer exhaustion, which caused LACP flapping conditions.
PAN-290088
Fixed an issue where a memory leak occurred related to the configd process when pushing configurations from Panorama to a firewall. This occurred when the configurations contained shared policy rules.
PAN-289239
Fixed an issue on Panorama where a new virtual system (vsys) was automatically created with the name of a device group.
PAN-288158
(VM-Series firewalls only) Fixed an issue where the firewall became inaccessible via the web interface and SSH and remained in an initializing state.
PAN-287842
Fixed an issue where the comm process stopped responding due to missing heartbeats, which resulted in a system alert and HA communication loss on slot1.
PAN-287818
Fixed an issue where sessions timed out sooner than expected due to the pan_proxy_accumulation _restore_timeout not initiating when the accumulationsession_init failed.
PAN-287734
Fixed an issue where the error message Scan ERR: Internal Err 1002 was generated unexpectedly when WIF shared memory use was high.
PAN-287035
Fixed an issue where, when an application stopped responding, a large file was created in the /opt/panlogs directory, which caused the partition to fill up.
PAN-287023
Fixed an issue where a large number of logs caused the logrcvr process to stop responding.
PAN-286615
Fixed an issue where the firewall double-freed shared memory when the shared memory usage reached 100% when sending large payloads. This occurred when DLP, Advanced Threat Protection (ATP), Advanced WildFire (AWF), or Advanced URL Filtering were enabled.
PAN-284003
Fixed an issue where clients did not receive a valid response when searching a website due to a compression error.
PAN-286231
Fixed an issue where a simultaneous selective push from Panorama to multiple firewalls with different base configurations resulted in configuration corruption, which caused the firewall to go down.
PAN-279901
Fixed an issue where the firewall dropped client hello packets when decryption was enabled, which prevented access to certain websites. This occurred when the client hello packet was truncated, the accumulation proxy assumed that the first packet contains at least 5 bytes, or out-of-order packets were waiting in L4 TCP.
PAN-279500
Fixed an issue where TLS connections failed to establish in asymmetric routing environments if the firewall did not see server-to-client (s2c) packets of the TLS handshake.
To use this fix, run the following CLI command: debug dataplane set ssl-decrypt accumulate-client-hello asym-disable yes.
PAN-279364
(VM-Series firewalls with multiple NICs only) Fixed an issue where the queue count in the task dump displayed an incorrect number of queues for SR-IOV interfaces due to the queue mapping logic incorrectly using a non-multi-NIC function.
PAN-279191
Fixed an issue where a GlobalProtect gateway stopped responding when handling HTTP/1.1 traffic with web inspection enabled.
PAN-278288
Fixed an issue where IPv6 BGP peering established between virtual routers even without dataplane connectivity. This occurred because the firewall used the kernel for lookups instead of the dataplane.
To use this fix, run the following CLI command: set system setting loopback-workaround enable
PAN-276795
Fixed an issue where the GlobalProtect client displayed an error message when you clicked Check Now and Preferred Releases and Base Releases were unchecked (Device > Software).
PAN-272812
Fixed an issue where SNMP monitoring of tunnel interfaces displayed zero values for received bytes and packets.
PAN-271701
Fixed an issue where Advanced Services, App-ID Cloud Engine (ACE), and Enhanced Application Log stopped working due to incorrect memory usage accounting, which caused memory usage to remain at 99% after an extended period of time.
PAN-268168
Fixed an issue where uploading files that were 5GB or larger to Google Drive or YouTube failed when a decryption policy rule for http2 was enabled.
PAN-267444
Fixed an issue where large file downloads or uploads failed or remained in an incomplete state when using DLP HTTP2 mirror mode.
PAN-266653
Fixed an issue where unexpected path monitor failures caused the firewall to stop responding.
PAN-266279
Fixed an issue on Panorama where the default version of IKE gateway was not set to IKEv2 only mode, which caused VPN establishment issues if the firewall recognized a new configuration as IKEv1.
PAN-261825
Fixed an issue where traffic was dropped when Data Loss Prevention or Advanced URL Filtering were enabled. This occurred when the payload size was greater than 3.5 KB.
PAN-259741
Fixed an issue where the firewall dropped GRE keepalive packets that were encapsulated under another GRE tunnel.
PAN-259076
Fixed an issue where the firewall displayed an OCSP/CRL check failure when accessing websites.
PAN-255860
(PA-5200 firewalls only) Fixed an issue where the all_pktproc process stopped responding when the firewall was under a heavy traffic load.
PAN-255619
Fixed an intermittent issue where file downloads from websites failed when decrypting HTTP/2 traffic.
PAN-253485
(Firewalls in active/passive HA configurations only) Fixed an issue where dataplane packet capture filter configuration failed on the active firewall with the error op command for client dagger timed out as client is not available.
PAN-250146
Fixed an issue on the web interface where templates incorrectly showed that telemetry was enabled when it was not enabled. With this fix, the telemetry setting is not displayed in the template on the web interface.
PAN-247575
Fixed an issue where the error message import of failed. Please check the validity of the key pair and try again for unmatched keys for EC certificates.
PAN-245064
(Multi-vsys firewalls only) Fixed an issue where commits failed on the firewall after selecting Export or push device config bundle on Panorama and a force push was required.
PAN-242602
Fixed an issue where GlobalProtect clients experienced slow SMB-V3 download throughput when passing through a Prisma IPSec tunnel and the firewall and the SMB-V3 session owner dataplane was the same as the IPSec-ESP tunnel on the multi-dataplane firewall.
PAN-241536
Fixed an issue on Panorama where admin users with the Custom Panorama Admin role were unable to add, edit, or delete route filters under Routing Profiles.
PAN-231386
Fixed an issue where the configd process stopped responding during certificate verification.
PAN-220293
Fixed an issue where the firewall management plane could not display BGP peer details when using the CLI command show advanced-routing bgp peer detail logical-router. This was due to the bgp_frr.py script failing to parse the IPv6 address family section of the show ip bgp neighbors json output.
PAN-202905
Fixed an issue on the firewall web interface where the Next Hop value was not displayed in the static route configuration, the admin-dist values were empty, and the path-monitor parameters were not listed in the management server web interface when the firewall was configured in FRR mode.