Fixed an issue where GlobalProtect users were unable to connect after upgrading to PAN-OS 10.2.4 due to an incorrect client authentication configuration being selected.

Fixed an issue where SSH tunnels were unstable due to ciphers used as part of the high availability SSH configuration.

Fixed an issue where the

debug dataplane pow status

CLI command did not display extended NIC statistics.

(

PA-5200 Series and PA-7000 Series firewalls only

) Fixed an issue where diagnostic information for the dataplane in the dp-monitor.log file was not complete.

Fixed an issue where SSL traffic failed with the error message:

Error: General TLS protocol error

.

Fixed an issue where the distributord process stopped responding.

(

PA-5450 firewalls only

) Fixed a low frequency DPC restart issue.

(

VM-Series firewalls in Microsoft Azure environments only

) Fixed an issue where an interface went down after a hotplug event and was only recoverable by restarting the firewall.

Fixed an issue where log ingestion to Panorama failed, which resulted in missing logs under the

Monitor

tab.

Fixed an issue where improper SNI detection caused incorrect URL categorization.

Fixed an issue where temporary files remained under

/opt/pancfg/tmp/sw-images/

even after manually uploading the content or AV file to the firewall.

Fixed an issue where the

Apps seen

value was not reflected on Panorama.

Fixed an issue where an internal management plane NIC caused a kernel panic when doing a transmit due to the driver reinitializing under certain failure or change conditions on the same interface during transmit.

Fixed an issue where you were unable to choose the manual GlobalProtect gateway.

Fixed an issue where logs were not visible after restarting the log collector.

Fixed an issue where system warning logs were written every 24 hours.

Fixed an issue where the GlobalProtect client connection remained at the prelogin stage when Kerberos SSO failed and was unable to fall back to the realm authentication.

Fixed an issue where, during a reboot, an unexpected error message was displayed that the syslog configuration file format was too old.

Fixed an issue where GlobalProtect authentication failed when authentication was SAML with CAS and the portal was resolved with IPv6.

Fixed an issue where a device group push operation from Panorama failed with the following error on managed firewalls:

vsys <vsys1> plugins unexpected here vsys is invalid Commit failed

.

Fixed an issue where root partition frequently filled up and the following error message was displayed:

Disk usage for / exceeds limit, xx percent in use, cleaning filesystem

.

Fixed an issue where a transformation migration script error caused a commit failure with the error message

user-id-agent unexpected here

. This occurred after upgrading the firewall from a PAN-OS 9.1 release to a PAN-OS 10.0 release.

Fixed an issue where tag names did not correctly display special characters.

(

VM-Series, PA-400 Series, PA-1400, PA-3400, and PA-5400 Series firewalls only

) Fixed an issue where Bidirectional Forwarding Detection (BFD) packets experienced a delay in processing, which caused the BFD connection to flap.

Fixed an issue where the

Threat ID/Name

detail in Threat logs was not included in syslog messages sent to Splunk.

Fixed an issue where the all_pktproc process stopped responding during Layer 7 processing.

Fixed an issue where, after making changes in a template, the

Commit and Push

option was grayed out.

Fixed an issue where logs were not displayed in Elasticsearch under ingestion load.

Fixed an issue where the ElasticSearch status frequently changed to red or yellow after a PAN-OS upgrade.

Fixed an issue where the firewall generated incorrect VSA attribute codes when radius was configured with EAP-based authentication protocols.

Fixed an issue where scheduled configuration exports and SCP server connection testing failed.

Fixed an issue where ikemgr stopped responding due to receiving

CREATE_CHILD

messages with a malformed SA payload.

Fixed an issue with hardware destination MAC filtering on the Log Processing Card (LPC) that caused the logging card interface to be susceptible to unicast flooding.

Fixed an issue where the firewall changed the time zone automatically instead of retrieving the correct time zone from the NTP server.

(

PA-3400 and PA-1400 Series firewalls only

) Fixed an issue where packet drops occurred due to slow servicing of internal hardware queries.

Fixed an issue where a configuration push to a new firewall did not work and displayed validation errors.

Fixed an issue with ciphers used for SSH tunnels where packet lengths were too large, which made the SSH tunnel unstable.

(

PA-400 Series firewalls only

) Fixed an issue where shut down commands rebooted the system instead of correctly triggering a shutdown.

Fixed an issue caused by out of order TCP segments where the TCP retransmission failed when the TCP segment had the FIN flag and the TCP data was truncated.

(

VM-Series firewalls on Google Cloud Platform environments only

) Fixed an issue where firewalls failed to load the virtual machine information source configuration.

Fixed an issue where the firewall did not initiate scheduled log uploads to the FTP server.

Fixed an issue with firewalls in active/passive HA configurations where the passive firewall MAC flapping occurred when the passive firewall was rebooted.

Fixed an issue where the Panorama web interface became unresponsive and displayed the error message

504 Gateway Not Reachable

.

(

PA-5400 Series firewalls with DPC (Data Processing Cards) only

) Fixed an issue with slot 2 DPCs where URL Filtering did not work as expected after upgrading to PAN-OS 10.1.9.

Fixed an intermittent issue where an LACP flap occurred when the LACP transmission rate was set to

Fast

.

Fixed an issue where the logrcvr stopped forwarding logs to the syslog server after a restart or crash.

Fixed an issue where multiple User-ID alerts were generated every 10 minutes.

Fixed an issue where allow list checks in an authentication profile did not work if the group Distinguished Name contains the ampersand ( & ) character.

(

VM-Series firewalls in Microsoft Azure environments only

) Fixed an issue where the brdagent process stopped responding due to missed heartbeats, which caused the firewall to reboot. This occurred when the brdagent process and DPDK-managed ports became out of sync after the Azure infrastructure triggered a hotplug event.

Fixed an issue where the reportd process stopped responding after upgrading an M-200 appliance to PAN-OS 10.2.4.

Fixed an issue where a custom Antispyware profile did not open and displayed the following error message:

The server is not responding. Please wait and try your operation again later

.

Fixed an issue where, when custom signatures used a certain syntax, false positives were generated on devices on a PAN-OS 10.0 release.

Fixed an issue on Panorama where

No Default Selections

under

Push to Devices

was intermittently deselected after performing a commit operation.

(

PA-400 Series firewalls in HA configurations only

) Fixed an issue where an HA switchover took longer than expected to bring up ports on the newly active firewall.

Fixed an issue that caused the firewall's fan speed to increase while it was idle.

Fixed an issue where, when upgrading from a PAN-OS 9.1 release to a PAN-OS 10.0 release, commits failed with the error message:

hip profiles unexpected here

.

Fixed an issue where wifclient stopped responding due to shared memory corruption.

Fixed an issue that resulted in a race condition, which caused the configd process to stop responding.

Fixed an issue where, after upgrading to PAN-OS 10.1, the log forwarding rate toward the syslog server was reduced. With this fix, the overall log forwarding rate has also been improved.

Fixed an issue where changes to Zone Protection profiles made via XML API were not reflected in the zone protection configuration.

Fixed an issue where API Get requests for

/config

timed out due to insufficient buffer size.

Fixed an issue where, after a multidynamic group push, Security policy rules with the target device tag were added to a firewall that did not have the tag.

Fixed a memory-related issue where the

MEMORY_POOL

address was mapped incorrectly.

Fixed an issue where 100G ports did not come up with BIDI QSFP modules.

(

PA-5400 Series firewalls only

) Fixed an issue where the inner VLAN tag for Q-in-Q traffic was stripped when forwarding.

Fixed an issue where the dataplane stopped responding unexpectedly with the error message

comm exited with signal of 10

.

Fixed an issue on Panorama where push scope rendering caused the

Commit and Push

or

Push to Devices

operation window to hang for several minutes.

Fixed a memory leak related to the logdb process.

Fixed an issue where firewall copper ports flapped intermittently when device telemetry was enabled.

Fixed an issue where SNMP queries were not replied to due to an internal process timeout.

Fixed an issue where retrieving WildFire Analysis reports when choosing WildFire log entries under

Detailed Log View

displayed the error

Fetching WildFire server xxx report failed!

Fixed an issue where a memory leak related to the useridd process resulted in an OOM condition, which caused the process to stop responding.

Fixed an issue where FIN and RESET packets were sent in reverse order.

Fixed an issue where, after exporting custom reports to CSV format, the letter

b

appeared at the beginning of each column.

Fixed an issue where superreaders were able to execute the

request restart system

CLI command.

Fixed an issue where, when using an ECMP

weighted-round-robin

algorithm, traffic was not redistributed among the links proportionally as expected from the configuration.

Fixed an issue where the VPN responder stopped responding when it received a CREATE_CHILD message with no security association (SA) payload.

(

PA-400 Series firewalls

) Fixed an issue where the firewall required an explicit allow rule to forward broadcast traffic.

Fixed an issue where, when an incorrect log filter was configured, the commit did not fail.

Fixed an issue where the logrcvr process cache was not in sync with the mapping on the firewall.

Fixed an issue on Panorama where the Hostkey displayed as

undefined

if an SSH Service Profile Hostkey configured in a template from the template stack was overridden.

(

PA-5200 Series firewalls only

) Fixed an issue where unplugging a PAN-SFP-CG transceiver from an interface with its link speed setting set to 1000 caused the firewall to incorrectly read that interface as up.

Fixed an issue where Single Log-out (SLO) was not correctly triggered from the firewall toward the client, which caused the client to not initiate the SLO request toward the identity provider (IdP). This resulted in the IdP not making the SLO callback to the firewall to remove the user.

Fixed an issue where an SD-WAN object was not displayed under a child device group.

Fixed an issue where the sysdagent process stopped responding, which caused interfaces and the subsequent connections behind them to fail.

Fixed an issue where Panorama did not show the target under the

Entities

column.

Fixed an issue where the firewall stopped responding when executing an SD-WAN debug CLI command.

Fixed an issue on Panorama where different threat names were used when querying a threat under

Threat Monitor

(

Monitor > App Scope

) and the ACC. This resulted in the ACC displaying no data after clicking a threat name in

Threat Monitor

and filtering it in the global filters.

Fixed an issue where the

pan_task

stopped responding briefly during a commit due to a contention with

brdagent

updating the configuration.

Fixed an issue where attempting to change the disk-usage cleanup threshold to 90 resulted in the error message

Server error : op command for client dagger timed out as client is not available

.

Fixed an issue where RTP/RTCP packets were dropped for SIP calls by SIP ALG when the source NAT translation type was persistent

Dynamic IP And Port

.

(

PA-5200 Series and PA-7080 firewalls only

) Fixed an issue where commits took longer than expected when more than 45,000 Security policy rules were configured.

Fixed an issue where firewall HA clusters in active/active configurations with Advanced Routing enabled did not relay to ping requests sent to a virtual IP address.

Fixed an issue on log collectors where root partition reached 100% utilization.

Fixed an issue where large OSPF control packets were fragmented, which caused the neighborship to fail.

Fixed an issue on Panorama that caused recently committed changes to not be displayed when previewing the changes to push to device groups.

Fixed an issue where renaming a Zone Protection profile failed with the error message

Obj does not exist.

Fixed an issue where, when viewing a WildFire Analysis report via the web interface, the

detailed log view

was not accessible if the browser window was resized.

Fixed an issue where a local commit on Panorama remained at 99% for longer than expected before completing.

Fixed an issue where RTP/RTCP packets were dropped for SIP calls by SIP ALG when the source NAT translation type was persistent

Dynamic IP And Port

.

Fixed a memory leak issue related to SSL crypto operations that resulted in failed commits.

Fixed an issue where the

show session packet-buffer-protection buffer-latency

CLI command randomly displayed incorrect values.

Fixed an issue where dataplane processes stopped responding when handling HTTP/2 streams.

Fixed an issue where the firewall restarted after initiating a mgmtsrvr process restart.

(

Panorama virtual appliances only

) Fixed an issue where DHCP assigned interfaces did not send

ICMP unreachable - Fragmentation needed

messages when the received packets were higher than the maximum transmission unit (MTU).

(

Panorama appliances in Legacy Mode only

) Fixed an issue where

Blocked Browsing Summary by Website

in the user activity report contained scrambled characters.

Fixed an issue where SSL proxy traffic was dropped when DoS zone protection was enabled.

Fixed a memory leak issue related to the slotd process.

Fixed an issue where fragmented UDP packets were dropped.

Fixed an issue where configuration changes related to the SSH service profile were not reflected when pushed from Panorama. With this fix, the deletion of ciphers, MAC, and kex fields of SSH server profiles and HA profiles won't clear the values under template stacks and will retain the values configured from templates.

Fixed an issue where firewalls disconnected from Cortex Data Lake after renewing the device certificate.

Fixed an issue where applications were not displayed after authenticating into the clientless VPN.

Fixed an issue on Panorama where Security policy rules with a

Tag

target did not appear in the pre-rule list of a Dynamic Address Group that was part of the tag.

Fixed an issue where Panorama commits failed due to an invalid community value error.

Fixed an issue where Panorama was unable to convert to PAN-OS 9.1 syntax for WF-500 appliances.

Fixed an issue where high latency occurred on PA-850-ZTP when SSL decryption was enabled.

Fixed an issue where application PCAP was not generated when Security policy rules were used as a filter.

Fixed an issue where the firewall did not send the source IP address of the user to the RADIUS server with the

set authentication radius-vsa-on client-source-ip

CLI command.

(

VM-Series firewalls only

) Fixed an issue where the HTTP service failed to come up on DHCP dataplane interfaces after rebooting the firewall, which resulted in health-check failure on HTTP/80 with a 503 error code on the public load balancer.

Fixed an issue on Panorama where VM-Series firewalls in HA configurations hosted on Amazon Web Services (AWS) were not displayed under

Deploy Master Key

.

Fixed an issue where high latency was observed when accessing internal web applications, which interrupted development activities related to the web server.

Fixed an issue on the firewall where the configuration log always displayed commit-all operations as successful even when the commit failed.

A debug command was added to address an issue with firewalls in high availability configurations.

(

CN-Series firewalls only

) Fixed an issue where the dataplane stopped responding after a container restart.

Fixed an issue where, when traffic and Threat logs exceeded the threshold of 90% total allowed size, alarms were not generated for other log types.

Fixed an issue where certificate-based authentication for administrators were unable to log in to the Panorama or firewall web interface and received the following error message:

Bad Request - Your browser sent a request that this server could not understand

.

Fixed an issue where cloned rules pushed from Panorama were not shown on the managed firewall.

Fixed an issue where dataplane ports responded to ICMP requests fewer than 64 bytes with nonzero padding bytes in the ICMP response.

Fixed an issue where link-local address communication for IPv6, BFD, and OSPFv3 neighbors was dropped when IP address spoofing check was enabled in a Zone Protection profile.

Fixed an issue where Panorama was unable to retrieve IP address-to-username mapping from a firewall on a PAN-OS 8.1 release.

Fixed an issue with firewalls in active/passive HA configurations where the passive firewall created an incorrect SCTP association due to the HA sync messages from the active firewall having an incorrect value.

The Palo Alto Networks QoS implementation now supports a new QoS mode called lockless QoS for PA-3400, PA-5410, PA-5420, PA-5430, and PA-5440 firewalls. For firewalls with higher bandwidth QoS requirements, the lockless QoS dedicates cores to the QoS function that improves QoS performance, resulting in improved throughput and latency.

Fixed an issue where the GlobalProtect

logdb

quota was not displayed in the

show system logdb quota

output.

Fixed an issue on the firewall where log filtering did not work as expected.

Fixed an issue where the firewall was unable to handle GRE packets for Point-to-Point Tunneling Protocol (PPTP) connections.

Fixed an issue where a Panorama in Management Only mode was unable to display logs from log collectors due to missing schema files.

Fixed an issue where, when a client sent a TCP/FIN packet, the firewall displayed the end reason as

aged-out

instead of

tcp-fin

.

Fixed an issue where authentication failed when the service route for RADIUS traffic was configured as

use default

for IPv4 addresses and included the dataplane interface as the destination route.

Fixed an issue with email formatting where, when a scheduled email contained two or more attachments, only one attachment was visible.

Fixed an issue where telemetry regions were not visible on Panorama.

(

PA-5400 Series, PA-3400 Series, and PA-400 Series only

) Fixed an issue where the firewall was unable to automatically renew the device certificate.

Fixed an issue where user-group names were unable to be configured as the source user via the

test security-policy-match

command.

Fixed an issue on the firewall where the modified date and time was incorrectly updated after a commit operation, PAN-OS upgrade, or reboot.

Fixed an issue with firewalls in active/passive HA configurations where, after rebooting the passive firewall, interfaces were briefly shown as powered up, and then shown as down or shutdown.

Fixed an issue where REST API requests did not work for GlobalProtect gateway tunnels.

Fixed an issue where the ACC report did not display data when querying the filter for the fields

Source

and

Destination IP

.

(

PA-7000 Series firewalls with SMC-B only

) Fixed an issue where the details of configuration changes were not included in configuration logs on the syslog server.

Fixed an issue where WildFire Analysis reports were not visible when the WF-500 appliance was on private cloud.

Fixed an issue where Large Scale VPN (LSVPN) Portal authentication failed with the error

invalid http response. return error(Authentication failed; Retry authentication

when the satellite connected to more than one portal.

Fixed an issue where the

show system info

and

show system ztp status

CLI commands displayed a different Zero Touch Provisioning (ZTP) status if a firewall upgrade was initiated from Panorama before the initial commit push succeeded.

Fixed an issue with firewalls in active/active HA configurations where the virtual floating IP address configuration under a Panorama template was overridden and displayed

From Template Override: undefined

as a source.

Fixed an issue where system logs continuously generated the log message

Not enough space to load content to SHM

.

Fixed an issue where the MLAV allow list did not work for some types of traffic.

Fixed an issue where mprelay repeatedly restarted, which caused commits to remain at 70% before failing with the error message

A communication error happened during the configuration commit to the data plane, please try again

.

Fixed an issue where log forwarding filters involving negation did not work.

Fixed an issue where the

ikemgr

process stopped responding, which caused IPSec tunnels to go down.

Fixed an issue where HIP report flip and HIP check failed when a user was part of multiple user groups with different domains.

Fixed an issue where shared objects were seen under the push scope with every configuration push.

Fixed an issue where the

Include/Exclude IP

filter under

Data Distribution

did not work correctly.

Fixed an issue where a critical system log was generated when the boot drive for PA-7000 Series firewall Switch Management Cards (SMCs) failed.

Fixed an issue where scheduled configuration pushes with

Include Device and Network Templates

selected did not work.

Fixed an issue where the stats dump file generated by Panorama for a device firewall differed from the stats dump file generated by the managed device.

Fixed an issue where connections to Cortex Data Lake were initialized from the firewall even when Cortex Data Lake forwarding was disabled.

Fixed an issue where DNS Security categories were able to be deleted from spyware profiles.

(

PA-5200 Series firewalls only

) Fixed an issue where, after upgrading to PAN-OS 10.1.6-h3, a TACACS user login displayed the following error message during the first login attempt:

Could not chdir to home directory /opt/pancfg/home/user: Permission denied

.

Fixed an issue where logs were unable to be generated due to old logs not getting purged and

/opt/panlogs

reaching over 100% usage.

Fixed an issue where giving up FTP or SCP sessions for log export took longer than expected after a failure to export the log when one of the destination hosts designated in the scheduled log export was unresponsive.

(

WF-500 appliances only

) Fixed an issue where, after an upgrade to a PAN-OS 10.1 release, SNMP traps were not sent to the SNMP server. This occurred due to SNMP trap server settings not being enabled.

Fixed an issue where, when the firewall received a 513 error from the WildFire cloud, the firewall attempted to repeatedly send the same file.

(

PA-7000 Series firewalls with Log Processing Cards (LPCs) only

) Fixed an issue where performing a commit operation resulted in the following error messages:

log forwarding is setup for data but log-card interface is not setup

or

log forwarding is setup for traffic but log-card interface is not setup

.

(

PA-3400 and PA-5400 Series firewalls only

) Fixed an issue where the log type correlation was not configurable and displayed as

$.Format.Correlation

(

Device > Server Profile > syslog ><Profile-name> > Customer log format > log type

).

Fixed an issue where enabling

event-specific traps

(

Device > Setup > Operations > Miscellaneous > SNMP Setup

), the new deviating device system logs included incorrect information.

Fixed an issue where URL categorization was not recognized for URLs that contained more than 100 characters.

Fixed an issue where commit-all operations took longer than expected due to cURL failures and timeouts related to external dynamic list retrieval.

Fixed an issue where the WIF state was not cleaned up promptly after usage, which caused allocation failure. This fix increased the

wif_state

quota.

Fixed an issue on Panorama where global find did not return results for existing universally unique identifiers (UUID).

Fixed an issue where the system log message

dsc HA state is changed from 1 to 0

was generated with the severity

High

. With this fix, the severity was changed to

Info

.

Fixed an issue where the session ID was missing in the session details section of the

ingress-backlogs

XML API output.

Fixed an issue where the firewall stopped responding if it received an illegal packet with SRC port = 0 encapsulated within a VXLAN packet.

Fixed an issue where, after cloning a template, a certificate with the block private key option enabled was corrupted.

Fixed an issue with firewalls in HA configurations where HA setup generated the error

mismatch due to device update

during a content update even though the version was the same.

Fixed an issue with the web interface where the cursor disappeared under the

Policies

and

Objects

tabs on the search bar if the cursor was moved quickly.

Fixed an issue where the system log generated on GlobalProtect satellite did not provide the reason for failures to connect to the GlobalProtect portal or gateway.

Fixed an issue with client certificate generation on Panorama, which resulted in a firewall being unable to connect to a log collector.

Fixed an issue where, after a push from Panorama to one or more device groups in a multi-vsys environment, vulnerability profile exceptions were not seen on all firewalls.

Fixed an issue where, if a decryption profile allowed TLS1.3, but the server only supported TLS1.2, and the cipher used by the first connection to the server was a CBC SHA2 cipher suite, the connection failed.

Fixed an issue where content updates failed when using prelicensed keys during the bootstrap process.

Fixed an issue on Panorama where virtual memory usage exceeded the set limit, which caused the configd process to restart.

Fixed an issue where you were unable to resize the

Description

pop-up window (

Policies > Security > Prerules

).

Fixed an issue where

Connection to update server is successful

messages displayed even when connections failed.

Fixed an issue where having multiple terminal service agents with the same hostname caused the firewall to reboot.

Fixed an issue on Panorama where the WildFire

Test-Configuration

feature did not work as expected.

Fixed an issue where, when the firewall forwarded Threat logs via email, the email client truncated the sender and recipient email addresses when they were put between angle brackets (<, >).

Fixed an issue where URL Filtering logs did not display matching entries when filtered by device name.

Fixed an issue where the interface option did not have a source address in the cURL command, which caused a DNS lookup error and resulted in DNS lookup failing for device Telemetry.

Fixed an issue where the dnsproxyd process stopped responding due to corruption.

(

PA-7000 Series firewalls only

) Fixed an issue where firewalls experienced slow SNMP responses, which caused the SNMP server to time out before polling completion.

Fixed an issue where scheduled dynamic content updates failed to be retrieved by managed firewalls from Panorama when connectivity was slow.

Fixed an issue where zip files did not download when applying Security inspection and the following error message displayed:

resources-unavailable

.

(

VM-Series firewalls in Microsoft Azure environments only

) Fixed an issue where the dataplane interface status went down after a hotplug event triggered by Azure infrastructure.

Fixed an issue where IPSec tunnel re-key generated the critical log message

tunnel-status-up

.

Fixed an issue where

Panorama > Device > Deployment > Software

did not display software after running

check now

for managed devices.

Fixed an issue where MAC addresses in threat capture were swapped between the source MAC and destination MAC addresses.

Fixed an issue where, after committing a configuration change, the

Task Manager

commit

Status

went directly from 0% to

Completed

instead of reflecting the accurate commit job process.

(

VM-Series firewalls only

) Fixed an issue where the firewall did not follow the set Jumbo MTU value.

Fixed an issue where the all_pktproc process stopped responding, which caused the firewall to reboot.

Fixed an issue where exporting correlation logs generated an empty file.

Fixed an issue where traffic belonging to the same session was sent out from different ECMP enabled interfaces.

Fixed an issue where a user who did not have permissions of other access domains were able to view the commit and configuration lock.

Fixed an issue where SD-WAN DIA VIF did not become active if default gateways for member interfaces did not respond to pings.

Fixed an issue where software buffer 3 was depleted when URL proxy was enabled and SSL sessions were decrypted to inject the block page. This issue occurred when an HTTP/2 block page was displayed for a large POST request.

Fixed an issue where

Template Stack

overrides (

Dynamic Updates > App & Threats > Schedule

) were not able to be reverted via the web interface.

(

VM-Series firewalls on Kernel-based Virtual Machine (KVM) only

) Fixed an issue where the physical port counters (including SNMP) on the dataplane interfaces increased when DPDK was enabled.

Fixed an issue where TLS clients, such as those using OpenSSL 3.0, enforced the TLS renegotiation extension (RFC 5746).

Fixed an issue where, when the firewall received a large amount of user information, the firewall was unable to output IP address-to-username mapping information via XML API.

Additional error logs were added for an issue where, when multiple Panorama web interface sessions were opened, active lock did not show up on the web interface for any session.

Fixed an issue where errors in brdagent logs caused dataplane path monitoring failure.

(

VM-Series firewalls on Amazon Web Services environments only

) Fixed an issue where traffic sent from a GENEVE tunnel to the firewall was dropped if the firewall attempted to encapsulate traffic into an IPSec tunnel.

Fixed an issue where changing the password of a local database user did not work.

Fixed an issue where session offloading did not occur on a tap interface under a high packet load.

Fixed an issue where the CLI command

show rule-hit-count

did not provide all details of the rule from the device group.

Fixed an issue where scheduled log view reports in emails didn't match the monitor page query result for the same time interval.

Fixed an issue where the API format to check heap usage of a node showed a JSON error.

(

PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only

) Fixed an issue where the dataplane restarted repeatedly due to an internal path monitoring failure until a power cycle.

Fixed a permission issue where a Panorama administrator was unable to download or install Dynamic Updates (

Panorama > Device Deployment

).