PAN-OS 10.2.14 Addressed Issues

Fixed an issue where large IPv6 packets were reassembled incorrectly on the firewall when the packets arrived fragmented over an IPv4 tunnel.

Fixed an issue where SMTP packets were not sent out when the Client Hello arrived at the firewall in multiple out-of-order segments and the traffic was not subject to SSL decryption.

Fixed an issue where processes stopped responding when HTTPS Forward traffic was run.

Fixed an issue where scheduled SaaS application usage reports were generated incorrectly, and the login page was displayed instead of the report content.

Fixed an issue where the configuration audit displayed inaccurate information after partially loading the configuration via the CLI, which caused the audit to flag the configuration as deleted or changed.

Fixed an issue where the show system resources follow CLI command was not available.

Fixed an issue where the Migration Configuration dialog box displayed an incorrect number of virtual routers when enabling Advanced Routing from Panorama.

Fixed an issue where daily scheduled reports were not generated and emailed.

Fixed an issue where the firewall stopped responding after upgrading to PAN-OS 11.0.2 with lockless-qos enabled.

Fixed an issue where the GlobalProtect client displayed an error message when you clicked Check Now and Preferred Releases and Base Releases were unchecked (Device > Software).

(Panorama virtual appliances only) Fixed an issue where Panorama stopped responding when running reports.

Fixed an issue where DNS Security intermittently logs malicious domain URLs as Alert instead of taking a Sinkhole action, even when configured to Sinkhole malicious DNS domains.

Fixed an issue where a DPC on slot 3 failed intermittently due to the pktlog_forwarding process restarting, which resulted in an unexpected HA failover.

Fixed an issue where Wildfire signature generation was enabled on all nodes in a cluster instead of only the active node.

Fixed an issue where the firewall did not perform certificate expiry validation during a commit, which resulted in successful authentication even when an intermediate certificate had expired.

Added a CLI debug command to increase the queue size to address file transfer errors.

(Firewalls in HA configurations only) Fixed an issue where the firewall did not fail over when the active firewall experienced data plane issues.

Fixed an issue where the devsrvr process restarted after a failed commit due to an invalid memory access.

Fixed an issue on PA-5450 in FIPSCC mode where a firewall rebooted into maintenance mode when it was manually rebooted from the web interface.

Fixed an issue where the Logging Service License Status displayed as red even though a valid license was installed on the firewall.

(M-600 Appliances only) Fixed an issue where the web interface was slow when logging in and filtering for policies due to deep search operations taking longer than expected.

Fixed an issue where SNMP scans to a firewall timed out after upgrading to a PAN-OS 10.2 release.

Fixed an issue where the firewall generated the following error message in the snmpd logs: pan_get_keystr_from_cryptod(pan_snmpinterface.c:181): Key X2F1dGhfa2V5 import from cryptod failed.

Fixed an issue where the displayed group name differed depending on whether the group was configured locally on the firewall or through Panorama.

Fixed an issue where the firewall rebooted due to an out-of-bounds memory access that occurred as a result of the SIP content length value being split across packets.

Fixed an issue where logs in the cloud database displayed in the Not-Resolved category but not in the local database.

Fixed an issue where restarting the firewall did not initiate an autocommit job, which caused the firewall to stop responding and the HA interface to go down.

Fixed an issue where the Panorama web interface was slower than expected due to excessive polling of the MonitorDirect.getTasks API by the Task Manager.

Fixed an issue on the web interface where the negate option was visible when you clicked on the rule name, but not when you viewed the target options from the rulebase attribute.

Fixed an issue where 25G port links did not come up due to a change in the handling of 25G DAC modules.

Fixed an issue where commits from Panorama to VM-Series firewalls on Microsoft Azure environments failed.

Fixed an issue where the firewall generated BGP update packets larger than 1500 bytes when the interface MTU was 1500 bytes and jumbo frames were enabled globally.

Fixed an issue where non-captive portal traffic was not visible under Traffic Logs when the traffic was denied by an authentication rule and the session was discarded.

Fixed an issue on the web interface where the URL Filtering change category feature did not work.

Fixed an issue where device telemetry did not generate logs after upgrading the firewall.

Fixed an issue where informational logs caused the distributord process log file to be frequently overwritten.

Fixed an issue where session rematch caused ACE cloud application traffic to match the wrong policy.

Fixed an issue where plugin_api_server could experience a memory leak when using OpenConfig for telemetry.

Fixed an issue where the firewall dropped the AAAA DNS server response and caused delays in traffic from Ubuntu or Linux clients when DNS Security was enabled.

Fixed an issue where the firewall did not trigger a kernel core dump as a large core when the CPLD (Complex Programmable Logic Device) sent a Non-Maskable Interrupt (NMI) to the CPU.

Fixed an issue where TLS 1.3 decryption failed with a bad record MAC error when the firewall was configured to decrypt and inspect TLS traffic.

Fixed an issue where, after an accumulation proxy changed to no-decrypt or no proxy, only the Client Hello was sent to Content Threat Detection.

Fixed an issue on the firewall that caused the following error message to be displayed: frr_ns0: failed to stop child frr_ns0_ospf6d.

A CLI counter was added to indicate a full suppression queue.

(Firewalls in active/active HA configurations only) Fixed an issue with SSL inbound decryption on firewalls on a vwire setup with asymmetric routing.

To use this fix, enter the CLI command set system setting ssl-decrypt ha-vwire-mac-learn global yes on both firewalls in an HA pair.

Fixed an issue where pushing changes to a prefix list used for BGP from Panorama affected OSPF routes.

Fixed an issue where dynamic update downloads failed when IPv6 firewalling was enabled on the firewall and both IPv4 and IPv6 were configured on the management interface.

Fixed an issue where searching for the GlobalProtect client version browser in Panorama logs returned no results.

Fixed an issue where Device Telemetry failed due to an issue with the encoding of characters in the log file path.

Fixed an issue where the *all_task * process stopped responding with a SIGABRT.

Fixed an issue where the firewall displayed an incorrect maximum translated IP capacity when using DIPP NAT policy rules.

(7000-Series firewalls in HA configurations only) Fixed an issue where the firewall failed over into a non-functional state, and the LFC LED was blinking on the passive firewall.

Fixed an issue where SNMP polling timed out on firewalls with aggregate ethernet (AE) interfaces.

Fixed a memory leak issue related to the configd process that occurred when running consecutive commits for mulitple days.

Fixed an issue where the show system statistics application CLI command failed.

Fixed an issue where the firewall didn't restart after applying an air-gapped license if the firewall capacity was the same as the license capacity.

(Firewalls in active/passive HA configurations only) Fixed an issue where OSPF failed to establish after a failover from the active firewall to the passive firewall.

Fixed an issue where the userid process stopped responding due to memory was being reset to NULL when it was freed.

Fixed an issue where the firewall allowed cleartext web-browsing traffic on port 443 when the Security policy rule was configured to allow application: web-browsing with service: application-default.

Fixed an issue where the firewall failed to forward logs to a SNMP trap server if the SNMP manager IP address was unable to be resolved.

Fixed an issue where the Panorama management server changed its certificate authority (CA) unexpectedly, which caused managed firewalls to disconnect.

Fixed an issue where Panorama did not display the management IP address of devices onboard via ZTP.

(VM-Series firewalls in Amazon Web Services (AWS) environments only) Fixed an issue template values were missing in newly spun firewalls in auto scale deployments without an explicit push with forced template values from Panorama.

Fixed an issue where the firewall attempted to connect to the AppID cloud using gRPC even when App-ID Cloud Engine was disabled.

Fixed an issue where the followig critical error displayed repeatedly: /mnt/cdrom is mounted as Read-Only.

Fixed an issue where half-closed TCP sessions did not refresh the session timeout when continuously receiving data after setting the cfg.session.tcp-no-refresh-fin-rst option toTrue.

Fixed an issue where Panorama did not check for a NULL pointer when querying logs, which caused logs to not display on the web interface.

Fixed an issue where the mib ID returned an incorrect value via SNMP.

Fixed an issue where the mib ID returned an incorrect value via SNMP.

Fixed an issue where the firewall stopped responding when receiving a high number of logs.

Fixed an issue where the firewall rebooted unexpectedly when configuring the GlobalProtect portal and gateway from Panorama.

Fixed an issue where the CSV export of disabled applications included duplicate entries, which caused the count of disabled applications to be higher in the CSV export than on the web interface.

Fixed an issue where the firewall redirected the user to the first application instead of the portal page with a list of applications when multiple applications were configured for GlobalProtect clientless VPN along with any user match.

Fixed an issue where the wifclient stopped responding during server certificate verification for MICA gRPC connections and caused the dataplane to restart when using a cloud-based ML detection engine (MICA). On certain platforms, this caused the firewall to reboot periodically.

Fixed an issue where traffic was blocked by a URL filtering profile even though the Security policy rule did not have a URL filtering profile configured.

Fixed an issue related to external dynamic lists that caused commit times on the firewall to be higher than expected.

Fixed a CPS counter query issue that caused SNMP polling timeouts on the firewall.

Fixed an issue where IP address tags were removed from firewalls after a management server or useridd process restart. This occurred when a Panorama serial-number based configuration was used for User-ID redistribution.

Fixed an issue that caused the firewall to reboot due to the wifclient exiting multiple times when using IoT Security.

Fixed an issue where a large number of logs caused the logrcvr process to stop responding.

Fixed an issue where traffic was dropped when the accumulation proxy was enabled and header insertion modified packets.

Fixed an issue where PDF summary and email reports displayed IPv6 addresses instead of IPv4 addresses.

Fixed an issue where the XML API call to clear rule hit count using device group syntax failed with an error.

Fixed an issue where traffic did not match the correct security policy when using an application-filter that references a cloud application. This occurred when a high number of cloud applications were attached with a custom tag.

Fixed an issue where the firewall displayed 0 bytes received for GlobalProtect SSL sessions in the traffic logs.

Fixed an issue where the web interface was slower than expected when logging in and filtering for policies.

Fixed an issue where the firewall was unable to connect to a syslog server that used a TLS certificate without a subject key identifier.

Fixed an issue where the Push Scope was not automatically displayed when you selected Commit and Pushes Changes Made by.

Fixed an issue where autocommits failed if the management IPv6 gateway was the same as the dataplane interface IP address.

Fixed an issue where GlobalProtect clients intermittently failed to connect to the gateway with the error message could not connect to gateway.

Fixed an issue where uploading files that were 5GB or larger to Google Drive or Youtube failed when a decryption policy rule for http2 was enabled

Fixed an issue where tagging devices in Panorama did not work as expected.

Fixed an issue on firewalls in active/passive HA configurations where, after a failover, irrelevant routing FIB entries were seen in the routing table on the newly active firewall.

Fixed an issue where URL filtering response pages were not displayed for sites that were blocked as a result of SSL/TLS handshake inspection.

Fixed an issue where after migrating to a new platform, DLP verdicts were not displayed in the Cloud Manager or logs.

Fixed an issue where commits failed with a validation error when you changed the encryption level and re-encryption option on a Panorama managed firewall.

Fixed an issue where commits remained at 98%, which resulted in the BGP connection flapping.

Fixed an issue where the snmpd.log.old file continuously increased, which caused the root partition to become full.

Fixed an issue where Panorama did not display the Source Dynamic Address Group.

Fixed an issue where WildFire submission logs incorrectly reported allowed malicious samples even when they were blocked by threat prevention profiles.

Fixed an issue where the all_task process stopped responding, which caused the firewall to stop processing traffic.

Fixed an issue where the firewall did not send User-ID redistribution messages to Panorama when the firewall had multiple virtual systems configured and one of the virtual systems had a display name that was the same as the existing vsys name.

Fixed an issue where the replay database size increased significantly due to local and special configurations not being purged after commits.

Fixed an issue where the firewall generated AAAA DNS queries when IPv6 firewalling was disabled.

Fixed an issue on the Panorama web interface where you were unable to click OK after selecting an install package type and file from the dropdown and selecting a firewall.

Fixed an issue where the GlobalProtect gateway did not handle IP address changes of the inner gateway when the NGPA new protocol was enabled.

Fixed an issue where unexpected path monitor failures caused the firewall to stop responding.

Fixed an issue where administrators were unable to edit or add virtual router configurations when a filter was applied to the viewer.

Fixed an issue where users were unable connect to the portal due to Certificate Revocation List (CRL) checks due to the downloaded CRL file being expired, which caused the CRL cache to be bypassed.

Fixed an issue where selective pushes did not work as expected when the device group was renamed by a different admin user.

Fixed an issue where the number of hints values were not updated even when there were no hint files on the system.

Fixed an issue where OSPFv3 Link State (LS) update packets (type 9) were not fragmented properly, which caused the OSPF header to have an incorrect checksum when sent from the firewall. This occurred when the update packet size exceeded 1514 byte, which resulted in the peer device rejecting the packet and the neighbor relationship going down.

Fixed an issue on Panorama where the default version of IKE gateway was not set to IKEv2 only mode, which caused VPN establishment issues if the firewall recognized a new configuration as IKEv1.

Fixed an issue on the firewall where a configuration policy push caused both active and passive firewalls to go down when a high number of spyware profiles and vulnerability profiles were pushed to the dataplane.

Fixed an issue where some URLs were not blocked when added to the URL Category.

Fixed an issue where the all_task process stopped responding, which caused the dataplane to go down.

Fixed an issue where the config lock icon was not visible for a custom role-based admin when a Superuser admin had acquired the config lock.

Fixed an issue where you were unable to download PDFs when connected via a Clientless VPN.

Fixed an issue where the flow process restarted with the error message SIGABRT __GI_raise __GI_abort __libc_message malloc_printer.

Fixed an issue where Import GlobalProtect Client Package did not work after clicking OK after selecting a valid package under Device > GlobalProtect Client > Upload).

Fixed an issue where a kernel race condition caused the firewall to reboot with a kernel panic.

Fixed an issue where changes made to device groups with the same prefix name were not visible in the commit scope.

Fixed an issue where the firewall did not shut down completely.

(PA-7080 appliances with LPCs only) Fixed an issue where syslog forwarding over TCP stopped after upgrading.

Fixed an issue where the Log Forwarding for Security Services feature did not correctly filter policy rules with log forwarding profiles.

(PA-3440 firewalls only) Fixed an issue where the firewall was unable to validate or commit a configuration when it was imported from another firewall model.

Fixed an issue where the firewall showed the status of SFP+ interfaces as not up, or up but not configured, when a PAN-SFP-PLUS-SR cable was connected.

Fixed an issue where a selective push was blocked when a configuration load was done.

Fixed an issue where Preview Changes did not display configuration changes in Commit and push > Push Scope.

Fixed an issue where the configd process restarted when pushing configurations to multiple device groups via XML API, which caused the push to fail.

Fixed an issue where HTTP POST requests were blocked for URLs that had the block-continue category configured.

(VM-Series firewalls only) Fixed an issue where the all_task process stopped responding and a reboot was required.

Fixed an issue where the CLI and XML API values for the show system environment command did not match.

(PA-5400 Series firewalls only) Fixed an issue where the firewall sent correlated event logs to the syslog server using the management interface instead of the log interface.

Fixed an issue where the firewall stopped responding after the all_task process stopped responding.

Fixed an issue where AAAA DNS queries went out even when IPv6 firewalling was disabled.

PA-440 firewalls only) Fixed an issue where the firewall was unable to create more than 6 GlobalProtect gateways.

Fixed an issue where Prisma Access gateways consistently stopped responding with process restarts.

Fixed an issue where multiple DNS responses with different CNAME values caused evasion false positive alerts.

Fixed an issue where the dataplane stopped responding and the firewall unexpectedly rebooted due to multiple process restarts.

Fixed an issue where management plane CPU usage increased after upgrading when there was a full-mesh User-ID redistribution configuration between multiple firewalls.

Fixed an issue where the logrcvr process stopped responding due to a memory leak and buffer overrun.

Fixed an issue where commits from Panorama to Panorama virtual appliances failed with the error message Internal error during commit processing. Commit/Validate failed after upgrading Panorama.

Fixed an issue where the request logdb migrate-to-panorama start end-time <start-time> <type> CLI command did not work as expected, and you were unable to resend logs from a firewall to Panorama or a log collector.

Fixed an issue where the firewall was unable to mount a disk partition due to a corrupted filesystem.

Fixed an issue on the web interface where cloning region objects did not work.

Fixed an issue on the firewall where cfg.developer.tasks had a default configuration of True, which capped dataplane CPU performance at 50% in production.

(Panorama appliances only) Fixed an issue where the configd process experienced continuous high CPU utilization and repeatedly restarted.

Fixed an issue where application traffic transactions that reused TCP ports did not work with decryption.

Fixed an issue where imported certificates were not visible on firewalls with multi-vsys disabled.

Fixed an issue on firewalls in HA configurations where OSPF neighbors were not established after an HA failover.

(Firewalls in active/active HA configurations only) Fixed an issue where non-tunneled internal GlobalProtect gateway client information was not synced between firewall peers when using a floating IP address.

Fixed an issue where the firewall did not display the converted configurations before a commit and reboot, and the commit failed when attempting to migrate from MS to FRR mode.

Fixed an issue where the firewall configuration process restarted during an External Dynamic List refresh or a commit and push operation.

Fixed an issue where the firewall displayed incorrect statistics for mac_transmit_err and send_deffered on PA-440 appliances running PAN-OS 10.1.9-h3.

Fixed an issue where the firewall unexpectedly rebooted when replacing or inserting SFPs from an old firewall into a new RMA firewall.

Fixed an issue where frequent brdagent errors occurred.

(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where the firewall displayed 0 for the physical port counters read from MAC.

Fixed an issue where multiple smartctl processes entered a d state due to failure to read from the kernel partition, which resulted in high CPU and management impact.

Fixed an issue where the all_pktproc process stopped responding, which caused the firewall to become unavailable.

(Firewalls in active/active HA configurations only) Fixed an issue where packet loss occurred when dataport was used for HA3 for asymmetrically routed traffic during commits and a virtual wire was configured .

(PA-5410 firewalls in active/passive HA configurations only) Fixed an issue where the reportd process restarted, which caused the firewall to reboot.

Fixed an issue where the firewall dropped a retransmitted SYN packet when using the TCP Fast Open option.

Fixed an issue where the firewall delayed video file transfers over SMB when Exclude Video Traffic from the Tunnel feature was enabled and no applications were added to the list.

Fixed an issue where the firewall consumed excessive CPU while processing traffic for a workload running on a GKE cluster, which caused reduced throughput.

Fixed an issue where the dsdc process stopped responding after receiving an unexpected API return value.

Fixed an issue where the firewall was unable to load application metadata from the chunk files. This occurred when the application metadata entry was larger than the buffer used to read it, which resulted in an incomplete entry that caused commit failures.

Fixed an issue where Panorama template changes to the zone and virtual router were not pushed to managed firewalls when the template stack default virtual system was set to None.

Fixed an issue where task-debug logs remained on the debug level even after running the debug dataplane packet-diag set log off CLI command, which caused high dataplane CPU utilization.

Fixed an issue on Panorama where UpdateLicDB was triggered every few minutes when firewalls with PAYG licenses were onboarded.

Fixed an issue where the firewall did not include the NAS-ID and NAS-IP attributes in the RADIUS Access-Request message when using PEAP-MSCHAPv2 authentication.

Fixed an issue where Panorama was unable to generate PDF reports when the footer contained a GIF image.

(PA-5410, PA-5420, PA-5430, PA-5440 and PA-5445 firewalls only) Fixed an issue related to the all_pktproc process where DPC slot 3 stopped responding.

Fixed an issue where the firewall sent Threat logs and URL logs to an external syslog server without Security profile settings when Enhanced Application Logging was enabled.

Fixed an issue where BGP Aggregate Advertise filters did not work as expected when the summary option was enabled, and only summarized routes were advertised.

Fixed an issue where the firewall consumed a large amount of memory when forwarding raw logs.

Fixed an issue where the firewall generated a devsrvr core file when processes were restarted.

Fixed an issue where Device Telemetry Regions did not show up with the latest content due to content files not being parsed for the region list when Telemetry was turned off.

Fixed an issue where commits failed when you set Use Management interface for all and MGMT was configured for Data Services.

(M-600 Appliances only) Fixed an issue where log collectors in a cluster stopped responding when running high load tests.

(VM-Series firewalls across all public and private clouds) Fixed an issue where the firewall experienced high dataplane CPU usage when SSL Decryption was enabled.

Fixed an issue where the firewall dropped GRE keepalive packets that were encapsulated under another GRE tunnel.

Fixed an issue where Wildfire content installation failed for WF-500B clusters when deployed from Panorama using the deployment schedule.

Fixed an issue where the URL Filtering settings on a firewall displayed an override icon even when no settings were overridden. This occurred due to the hold-client-request field did not have a default value and was set to False.

Fixed an issue on the web interface where Correlation Log Detail > Match Evidence did not populate.

Fixed an issue where WildFire Analysis reports were not generated and the following error message was displayed: Error 500: Internal Server Error.

Fixed an issue where the firewall displayed an OCSP/CRL check failure when accessing websites.

Fixed an issue on the Panorama web interface where products in HIP objects were not displayed correctly.

Fixed an issue where ICD virtual memory continuously increased due to an increase in unknown IP addresses, which resulted in high management plane CPU utilization.

Fixed an issue where the firewall incorrectly displayed the error message IoT Security license is required for feature to function even when the firewall had a valid Enterprise IoT security license.

Fixed an issue where show commands were hidden for superusers in read-only roles.

Fixed an issue on Panorama where the Task Manager took longer than expected to display managed firewall report tasks.

Fixed an issue where the logrcvr component for SASE and MCW displayed incorrect zones in the traffic flow.

Fixed an issue where GlobalProtect traffic destined for the internet did not follow the path-based forwarding (PBF) rule and was sent out the wrong interface.

(PA-5400 Series firewalls only) Fixed an issue where the mp-monitor logs did not print disk SMART data.

Fixed an issue where the firewall dropped DNS traffic when using DNS Security.

Fixed an issue where CSV or PDF exports of zones did not contain all zones.

(Firewalls in active/passive HA configurations only) Fixed an issue where firewalls entered a non-functional state and displayed the error message Dataplane down: path monitor failure during the fail-over.

Fixed an issue where the logrcvr process stopped responding while processing session logs for forwarding to the LFC.

Fixed an issue where scheduled email reports were sent without PDF attachments if the firewall was in FIPS-CC mode.

Fixed an issue where content updates were processed incorrectly, which caused a mismatch between a Threat ID's signature and its corresponding action.

Fixed an issue where Panorama was unable to push firmware updates to a VM-Series firewall with a PAYG license.

Fixed an issue in Panorama where shared address objects used in the GlobalProtect configuration agents were not considered as used and not pushed to Firewall that causes commit-all failure error

(VM-Series firewalls only) Fixed an issue where firewalls with a DNS server IP address received by DHCP from Amazon Web Services (AWS) had a delay in resolving FQDNs after a reboot.

Fixed an issue where the GlobalProtect client would disconnect consistently due to keep-alive timeouts when using an SSL-only tunnel.

Fixed an issue on the firewall where enabling flow basic caused the firewall to stop responding due to a masterd process restart.

Fixed an issue where GlobalProtect displayed incorrect source region mapping in the Strata Logging Service.

Fixed an issue where a memory leak in the sslmgr process caused the firewall to restart.

(PA-5200 firewalls only) Fixed an issue where the all_pktproc process stopped responding when the firewall was under a heavy traffic load.

Fixed an issue where errors related to applications in Content-preview caused commit failures.

Fixed an issue where the firewall was unable to match HIP data with the correct anti-malware object for Windows Defender.

Fixed an intermittent issue where file downloads from websites failed when decrypting HTTP/2 traffic.

Fixed an issue where the show session cache all CLI command failed with the error message Server error : An error occured. See dagger.log for information.

Fixed an issue where the Panorama web interface did not display the push scope data for custom admin users when performing a partial commit and push.

Fixed an issue where GlobalProtect user-to-IP address mapping was removed even though the tunnel for the specific user was up and traffic was being passed.

Fixed an issue on Panorama where the device health summary for firewalls showed 1/1 in the power supply and fan columns instead of the actual number.

Fixed an issue where a core file was created on the Log Forwarding Card due to a third-party software issue.

Fixed an issue where the show pbf rule name <name> CLI command failed.

Fixed an issue where modifying the IPSec lifesize setting was not reflected when using Proxy-ID between two VM-Series firewalls.

(Panorama appliances in Panorama mode and Log Collector mode only) Fixed an issue where autocommits took longer than expected to complete.

Fixed an issue where a User Activity Report was not generated by Run Now or not emailed through the Email Schedule when the locale setting was not English.

Fixed an issue on Panorama where unused objects were pushed to the firewall, which caused the push operations to intermittently fail.

(Firewalls in active/passive HA configurations only) Fixed an issue where dataplane packet capture filter configuration failed on the active firewall with the error op command for client dagger timed out as client is not available.

Fixed an issue where the firewall did not display the Intrazone-Default Security policy rule hit count in the web interface when the rule was overridden by a Panorama configuration.

(PA-3200 Series firewalls only) Fixed an issue where interfaces running at 10 Gbps did not display the speed and duplex information in the CLI or displayed only as auto.

Fixed an issue where multiple SSHD process restarts triggered a firewall reboot when the login banner and SSH host keys were updated at the same time.

Fixed an issue where newly added devices or existing deleted devices on the primary Panorama appliance were not updated on the secondary Panorama appliance if the secondary Panorama appliance experienced an HA sync commit failure.

Fixed an issue where Panorama did not forward logs to a syslog server over an SSL connection using CRL as a revocation verification method.

Fixed an issue where the firewall closed the SSL connection to the user ID agent.

(PA-450 firewalls only) Fixed an issue on the web interface where the DHCPv6 client was not available for VLAN interfaces.

Fixed an issue where the firewall rebooted into maintenance mode if the authentication process restarted repeatedly.

Fixed an issue where the selective push scope did not load the scope details when performing a commit and push operation when launched directly.

(VM-Series firewalls only) Fixed an issue where multiple processes exited due to an OOM condition and caused a network outage.

Fixed an issue on the web interface where templates incorrectly showed that telemetry was enabled when it was not enabled. With this fix, the telemetry setting is not displayed in the template on the web interface.

Fixed an issue where the traffic filter query operator did not work for sanctioned_state_of_app (Monitor > Logs > Traffic).

Fixed an issue where, when a dynamic address group with more than 500,000 addresses was created, the firewall displayed the error message pan_cfg_addresses_from_xmlhash failed.

Fixed an issue where the Policy page on the Panorama web interface was slower than expected when a device group had a large number of managed devices.

Fixed an issue where stale BGP routes were advertised to peers even when they were not present in the local RIB table.

Fixed an issue where SaaS quality profile probes were dropped on the SD-WAN hub.

Fixed an issue on Panorama DG where the address group object created with Disable Override property in Parent DG was overridden by child DG via CLI.

Fixed an issue where commits failed when you committed a configuration to advertise the default route (0.0.0.0/0) as a BGP network statement (Advanced Routing > BGP settings).

Fixed an issue that caused the dataplane to stop responding when running a packet diagnostic with Jumbo frames enabled.

(PA-5450 firewalls only) Fixed an issue on the web interface where unused log interfaces were incorrectly displayed on the dashboard as configured and down.

(PA-220 firewalls only) Fixed an issue where the firewall returned dedicated HA1 and HA2 even when the firewall did not have a dedicated HA port.

(Panorama Virtual Appliances only) Fixed an issue where the root partition became full.

Fixed an issue where the error message import of <issuecert> failed. Please check the validity of the key pair and try again for unmatched keys for EC certificates.

Fixed an intermittent issue where the OSPF ABR option was disabled when a static route was added.

Fixed an issue where a firewall with a copper SFP transceiver (PAN-SFP-CG) flapped during a commit.

Fixed an issue on Panorama where commits failed due to a timeout in the sysd process during decryption.

Fixed an issue where committing a configuration change on a Panorama managed firewall caused a short outage for GlobalProtect clients.

Fixed an issue where intermittent 500 errors occurred when making API calls to the firewall.

(PA-5220 firewalls only) Fixed an issue on the web interface where the displayed dataplane CPU usage was up to 20% less than the correct CPU usage.

Fixed an issue where the CLI command delete user-file ssh-known-hosts did not remove the SSH host keys.

Fixed an issue where authentication to the GlobalProtect gateway failed due to an invalid Satellite certificate.

Fixed an issue where the show commands for HSCI ports did not provide information about optics and light levels.

Fixed an issue where the firewall did not honor the peer Desired Minimum Tx Interval when in a BFD INIT state.

Fixed an issue where the Rule usage columns of overridden default policy rules on the Security policy page stopped responding.

Fixed an issue with the REST API syntax when creating a DHCP server configuration for an existing subinterface.

Fixed an issue where the BGP timer setting was in read-only mode for custom admin users when Advanced Routing was enabled.

Fixed an issue where the firewall did not have a heartbeat mechanism for the authd process, which caused the firewall to become unresponsive if the authd process stopped responding.

Fixed an issue where, when TLSv1.3 was used, an incorrect error message invalid padding was displayed instead of the expected error message Invalid server certificate.

(PA-5200 Series firewalls only) Fixed an issue where the firewall did not increment the flow_parse_ip_cksm counter when traffic with an IP address checksum error was received.

Fixed an issue where the client IP address was incorrect in the authentication logs for Captive Portal authentication events when the client used IPv6.

Fixed an issue where the CLI command device-telemetry reload-config-now did not work as expected on firewall.

Fixed an issue where GlobalProtect connections failed with the error message: Disconnect(Lifetime expired) called before the lifetime expired.

Fixed an issue where the firewall rebooted when a QSFP28 cable was removed from the port while the port was passing traffic.

(PA-5220 firewalls only) Fixed an issue where multicast streaming did not recover when multicast traffic was offloaded.

Fixed an issue where the default lag-flow-key-type was different between the dataplane and the forwarding engine.

Fixed an issue where Panorama displayed deviating device system logs for non-connected interfaces.

Fixed an issue where Panorama was unable to establish netstat connectivity with the syslog server when the password for an HTTPS server profile had more than 128 characters.

Fixed an issue where the application page was not launched directly after the login page when only one application was configured.

Fixed an issue on Panorama where local commits took longer than expected after an upgrade.

Fixed an issue where the LDAP server profile created was created with an empty password.

(Panorama appliances in Log Collector mode only) Fixed an issue where an unnamed core file was generated after a reboot.

Fixed an issue where the displayed NTP information was incorrect if the DNS servers timed out.

Fixed an issue where firewall sinkhole functionality was disrupted when a domain entry in an external dynamic list started with a period (.) character.

Fixed an issue where scheduled device group reports included data from other device groups.

Fixed an issue where the firewall took an incorrect action for overlapping custom and edl-url-categories in a policy rule.

Fixed an issue where syslog-ng restarted after commits when multiple syslog servers were configured.

Fixed an issue where Panorama management servers generated duplicate configuration logs.

Fixed an issue on firewalls in active/active HA configurations where SYN+ACK packets of asymmetric TCP sessions were dropped because of a session synchronization issue.

(Panorama managed CN-Series firewalls in HA configurations only) Fixed an issue where an error occurred while adding tags.

Fixed an issue on the firewall where enabling the SSL Decryption Opt-out caused all SSL sessions to fail.

Fixed an issue where HTTPS, SSH, and PING were enabled on the AUX port by default even when these administrative management services were not enabled on the interface.

Fixed an issue where GlobalProtect logs returned no data when using the filter ( private_ip eq 0.0.0.0 ).

Fixed an issue where the snmpd process stopped responding due to a double free during data collection on active sessions.

Fixed an issue where Push All Changes displayed changes that were already committed in the push scope for another device group after performing a selective commit and selective push to the first device group.

Fixed an issue where the firewall dropped DHCPv6 relay packets if there were duplicate link-local addresses on different sub-interfaces.

(PA-7500 Series firewalls only) Fixed an issue where the L3 subinterface was grayed out and displayed the status ethernet1/12.1082: unknown.

Fixed an issue where device tags for devices in a child device group were not available in the the parent shared device group.

Fixed an issue on Panorama where host IDs manually added to the device quarantine list were unexpectedly removed.

(PA-7000 Series firewalls only) Fixed an issue where Log Forward Cards (LFC) were incorrectly identified as distribution policies, which caused packet loss due to traffic, BFD, and other control packets being forwarded to the LFC.

(M-600 appliances only) Fixed an issue where the reportd process stopped responding.

Fixed an issue where managed DLCs were out of sync after changing the Panorama mode to Management Only mode.

Fixed an issue where the correct device filter did not apply when filtering Targets and Target/Tags (Device Group > Policies).

Fixed an issue where High Availability Path Monitoring did not work with Advanced Routing Mode when the type was set to Logical Router.

Fixed an issue where the configurations exported by a role-based admin user via the web interface were not sanitized.

Fixed an issue on Panorama where different threat names were used when querying a threat under Threat Monitor (Monitor > App Scope) and the ACC. This resulted in the ACC displaying no data after clicking a threat name in Threat Monitor and filtering it in the global filters.

Fixed an issue where sessions that were previously in sw-cut-through mode (software fast forwarding) and persisted after an HA failover were no longer subject to software fast forwarding, which led to increased dataplane CPU load after HA failover.

Fixed an issue where TLS 1.3 connections failed if the server sent a certificate request after sending its certificate.

Fixed an issue where the firewall logged duplicate events for portal-gen-cookie, gateway-gen-cookie, and gateway-auth when the authentication was successful.

Fixed an issue on the web interface where the language setting was not retained.

Fixed an issue where the firewall did not provision host ID entries when the number of open file descriptors (FDS) for redis_iotd reached the maximum allowed value.

Fixed an issue where the Source Translation section of the NAT rule did not provide an option to check the value for an object.