Fixed an issue where the firewall was unable to retrieve correct groups from the LDAP server.

Fixed an issue with memory management when processing large certificates using TLSv1.3.

Fixed an issue on Panorama where configuration lock timeout errors were observed during normal operational commands by increasing thread stack size on Panorama.

(

PA-7050 firewalls only

) Fixed an issue with OOM conditions which caused slot restarts due to

pan_cmd

consuming more than 300 MB.

Fixed an issue where the

ACC

displayed an incorrect DNS-base application traffic byte count.

Fixed an issue where a memory overrun caused the all_task process to stop responding.

Fixed an issue where routes were not updated in the forwarding table.

A CLI command was added to address an issue where long-lived sessions aged out even when there was ongoing traffic.

Fixed an issue on Panorama where the configd process repeatedly restarted when attempting to make configuration changes.

Fixed an issue where duplicate predict sessions didn't release NAT resources.

Fixed an issue where SSH tunnels were unstable due to ciphers used as part of the high availability SSH configuration.

Added a CLI command to view Cortex Data Lake queue usage.

Fixed an issue in multi-vsys environments where, when Panorama was on a PAN-OS 10.2 release and the firewall was on a PAN-OS 10.1 release, commits failed on the firewall when inbound inspection mode was configured in the decryption policy rule.

Fixed an issue where all_pktproc stopped responding when network packet broker or decryption broker chains failed.

Fixed an issue where the mprelay process stopped responding, which caused a slot restart when another slot rebooted.

(

PA-5200 Series and PA-7000 Series firewalls only

) Fixed an issue where diagnostic information for the dataplane in the dp-monitor.log file was not complete.

(

M-600 Appliances only

) Fixed an issue where closed ElasticSearch shards were not deleted, which resulted in shard purging not working as expected.

Fixed an issue where, if the number of group queries exceeded the Okta rate limit threshold, the firewall cleared the cache for the groups.

Fixed an issue where SSL traffic failed with the error message:

Error: General TLS protocol error

.

Fixed an issue where the distributord process stopped responding.

Fixed an issue where managed firewalls did not reflect changes pushed by users who were not in a superuser role.

Fixed an issue where viewing the latest logs took longer than expected due to log indexer failures.

(

VM-Series firewalls on Microsoft Azure and Amazon Web Services (AWS) environments

) Added support for high availability (HA) link monitoring and path monitoring.

Fixed an issue where the firewall intermittently recorded a reconnection message to the authentication server as an error, even if no disconnection occurred.

Fixed an issue where the

show transceiver <interface>

CLI command showed the RX and TX powers as 0.00 mW.

(

VM-Series firewalls in Microsoft Azure environments only

) Fixed an issue where an interface went down after a hotplug event and was only recoverable by restarting the firewall.

Fixed an issue where improper SNI detection caused incorrect URL categorization.

Fixed an issue where a User Principal Name (UPN) was incorrectly required in the pre-logon machine certificate.

Fixed an issue where the

Apps seen

value was not reflected on Panorama.

Fixed an issue where a static route for a branch or hub over the respective virtual interface was not installed in the routing table even when the tunnel to the branch or hub was active.

Fixed an issue where the tunnel monitor was unable to remain up when zone protection with Strict IP was enabled and NAT Traversal was applied.

Fixed an issue where Email server profiles (

Device > Server Profiles > Email and Panorama > Server Profiles > Email

) to forward logs as email notifications were not forwarded in a readable format.

Fixed an issue where an internal management plane NIC caused a kernel panic when doing a transmit due to the driver reinitializing under certain failure or change conditions on the same interface during transmit.

Fixed an issue where you were unable to choose the manual GlobalProtect gateway.

Fixed an issue where logs were not visible after restarting the log collector.

Fixed an issue where system warning logs were written every 24 hours.

Fixed an issue where the GlobalProtect client connection remained at the prelogin stage when Kerberos SSO failed and was unable to fall back to the realm authentication.

Fixed an issue where, during a reboot, an unexpected error message was displayed that the syslog configuration file format was too old.

(

PA-7080 firewalls only

) Fixed an issue where autocommitting changes after rebooting the Log Forwarding Card (LFC) caused the logrcvr process to fail to read the configuration file.

Fixed an issue where configured botnet reports (

Monitor > Botnet

) were not generated.

Fixed an issue where the configuration log displayed incorrect information after a multidevice group

Validate-all

operation.

Fixed an issue where root partition frequently filled up and the following error message was displayed:

Disk usage for / exceeds limit, xx percent in use, cleaning filesystem

.

Fixed an issue where firewalls that forwarded logs to a syslog server over TLS (

Objects > Log Forwarding

) used the default Palo Alto Networks certificate instead of the configured custom certificate.

Fixed an issue where, when a multidynamic group validate job was pushed on the firewall, logs displayed

Panorama push

instead of

ValidateAll push

.

Fixed an issue where the

Threat ID/Name

detail in Threat logs was not included in syslog messages sent to Splunk.

Fixed an issue where the task manager displayed only limited data.

Fixed an issue where, after making changes in a template, the

Commit and Push

option was grayed out.

Fixed an issue in FIPS mode where, when importing a certificate with a new private key, and the certificate used the name of an existing certificate on the Panorama, the following error message was displayed:

Mismatched public and private keys

.

Fixed an issue where logs were not displayed in Elasticsearch under ingestion load.

Fixed an issue where the ElasticSearch status frequently changed to red or yellow after a PAN-OS upgrade.

Fixed an issue where ikemgr stopped responding due to receiving

CREATE_CHILD

messages with a malformed SA payload.

Fixed an issue where selective pushes to template stack and multi device group pushes caused a buildup of resident memory, which caused the configd process to stop responding.

Fixed an issue where the firewall changed the time zone automatically instead of retrieving the correct time zone from the NTP server.

Fixed an issue where TCP keepalive packets from the client to the server weren't forwarded when SSL decryption was enabled.

Fixed an issue where a commit and push operation from Panorama to managed firewalls did not complete or took longer to complete than expected.

Fixed an issue where the slot-1 data processor showed the status as down during an SNMP query.

Fixed an issue with ciphers used for SSH tunnels where packet lengths were too large, which made the SSH tunnel unstable.

Fixed an issue where the

Virtual Routers

(

Network > Virtual Routers

) setting was not available when configuring a custom admin role (

Device > Admin Roles

).

(

PA-400 Series firewalls only

) Fixed an issue where shutdown commands rebooted the system instead of correctly triggering a shutdown.

(

VM-Series firewalls and Panorama virtual appliances in Microsoft Azure environments only

) Fixed an issue where management interface Speed/Duplex was reported as unknown.

Fixed an issue where superusers with read-only privileges were unable to view SCEP object configurations.

Fixed an issue where the logrcvr stopped forwarding logs to the syslog server after a restart.

Fixed an issue where the configd process stopped responding after a selective push to multiple device groups failed.

Fixed an issue where allow list checks in an authentication profile did not work if the group Distinguished Name contains the ampersand ( & ) character.

Fixed an issue where the devsrvr process stopped responding at

pan_cloud_agent_get_curl_connection()

and the URL cloud could not be connected.

Fixed an issue where, when custom signatures used a certain syntax, false positives were generated on devices on a PAN-OS 10.0 release.

(

Panorama managed firewalls in active/active HA configurations only

) Fixed an issue where the HA status displayed as

Out of Sync

(

Panorama > Managed Devices > Health

) if local firewall configurations were made on one of the HA peers. This caused the next HA configuration sync to overwrite the local firewall configuration made on the HA peer.

Fixed an issue where, when upgrading from a PAN-OS 9.1 release to a PAN-OS 10.0 release, commits failed with the error message:

hip profiles unexpected here

.

Fixed an issue where, after a high availability failover, IKE SA negotiation failed with the error message

INVALID_SPI

, which resulted in temporary loss of traffic over some proxy IDs.

Fixed an issue where, after a multidynamic group push, Security policy rules with the target device tag were added to a firewall that did not have the tag.

(

PA-5400 Series firewalls only

) Fixed an issue where the inner VLAN tag for Q-in-Q traffic was stripped when forwarding.

Fixed an issue where the dataplane stopped responding unexpectedly with the error message

comm exited with signal of 10

.

Fixed an issue on Panorama where push scope rendering caused the

Commit and Push

or

Push to Devices

operation window to hang for several minutes.

Fixed an issue where firewall copper ports flapped intermittently when device telemetry was enabled.

Fixed an issue where

Application Filter

names were not random, and they matched or included internal protocol names.

Fixed an issue where SNMP queries were not replied to due to an internal process timeout.

Fixed an issue where a memory leak related to the useridd process resulted in an OOM condition, which caused the process to stop responding.

Fixed an issue where FIN and RESET packets were sent in reverse order.

Fixed an issue where IKE re-key negotiation failed with a third-party vendor and the firewall acting as the initiator received a response with the VENDOR_ID payload and the error message

unexpected critical payload (type 43)

.

Fixed an issue where, after exporting custom reports to CSV format, the letter

b

appeared at the beginning of each column.

Fixed an issue where the firewall interface did not go down even after the peer link/switch port went down.

Fixed an issue where the logrcvr process cache was not in sync with the mapping on the firewall.

Fixed an issue where Single Log-out (SLO) was not correctly triggered from the firewall toward the client, which caused the client to not initiate the SLO request toward the identity provider (IdP). This resulted in the IdP not making the SLO callback to the firewall to remove the user.

Fixed an issue where an SD-WAN object was not displayed under a child device group.

Fixed an issue where executing the

show report directory-listing

CLI command resulted in no output after upgrading to a PAN-OS 10.1 release.

Fixed an issue where the firewall stopped responding when executing an SD-WAN debug CLI command.

Fixed an issue where RTP/RTCP packets were dropped for SIP calls by SIP ALG when the source NAT translation type was persistent

Dynamic IP And Port

.

(

PA-5200 Series and PA-7080 firewalls only

) Fixed an issue where commits took longer than expected when more than 45,000 Security policy rules were configured.

Fixed an issue where packet capture was logged for an unknown application session when packet capture logging was disabled.

Fixed an issue where Advanced Threat Prevention caused SSL delays when no URL licenses were present.

Fixed a memory leak issue related to SSL crypto operations that resulted in failed commits.

Fixed an issue where dataplane processes stopped responding when handling HTTP/2 streams.

Fixed an issue where the size of the

redisthost_1

in the Redis database continuously increased, which caused an OOM condition.

Fixed an issue where applications were not displayed after authenticating into the clientless VPN.

Fixed an issue where Panorama was unable to convert to PAN-OS 9.1 syntax for WF-500 appliances.

Fixed an issue where high latency occurred on PA-850-ZTP when SSL decryption was enabled.

Fixed an issue where application packet capture (pcap) was not generated when Security policy rules were used as a filter.

(

VM-Series firewalls only

) Fixed an issue where the HTTP service failed to come up on DHCP dataplane interfaces after rebooting the firewall, which resulted in health-check failure on HTTP/80 with a 503 error code on the public load balancer.

Fixed an issue where high latency was observed when accessing internal web applications, which interrupted development activities related to the web server.

The Palo Alto Networks QoS implementation now supports a new QoS mode called lockless QoS for PA-3400, PA-5410, PA-5420, PA-5430, and PA-5440 firewalls. For firewalls with higher bandwidth QoS requirements, the lockless QoS dedicates cores to the QoS function that improves QoS performance, resulting in improved throughput and latency.

Fixed an issue on the firewall where log filtering did not work as expected.

Fixed an issue where generating certificates with SCEP did not work.

Fixed an issue where the firewall was unable to handle GRE packets for Point-to-Point Tunneling Protocol (PPTP) connections.

Fixed an issue where a Panorama in Management Only mode was unable to display logs from log collectors due to missing schema files.

Fixed an issue with email formatting where, when a scheduled email contained two or more attachments, only one attachment was visible.

Fixed an issue on Panorama where Security policy rules incorrectly displayed as disabled.

Fixed an issue where user authentication failed in multi-vsys environments with the error message

User is not in allowlist

when an authentication profile was created in a shared configuration space.

Fixed an issue where user-group names were unable to be configured as the source user via the

test security-policy-match

command.

Fixed an issue where, when attempting to replace an existing certificate, importing a new certificate with the same name as the existing certificate failed due to mismatched public and private keys.

Fixed an issue with firewalls in active/passive HA configurations where, after rebooting the passive firewall, interfaces were briefly shown as powered up, and then shown as down or shutdown.

Fixed an issue where the ACC report did not display data when querying the filter for the fields

Source

and

Destination IP

.

Fixed an issue where system logs continuously generated the log message

Not enough space to load content to SHM

.

Fixed an issue where

Panorama > Setup > Interfaces

was not accessible for users with custom admin roles even when the interface option was selected for the custom admin roles.

Fixed an issue where log forwarding filters involving negation did not work.

Fixed an issue where not all users were included in the user group after an incremental sync between the firewall and the Cloud Identity Engine.

Fixed an issue where disk utilization was continuously high due to the log purger not sufficiently reducing the utilization level.

(

PA-5200 Series firewalls only

) Fixed an issue where, after upgrading to PAN-OS 10.1.6-h3, a TACACS user login displayed the following error message during the first login attempt:

Could not chdir to home directory /opt/pancfg/home/user: Permission denied

.

Fixed an issue where URL categorization was not recognized for URLs that contained more than 100 characters.

Fixed an issue where the session ID was missing in the session details section of the

ingress-backlogs

XML API output.

Fixed an issue on the web interface where the language setting is not retained.

Fixed an issue where, if a decryption profile allowed TLSv1.3, but the server only supported TLSv1.2, and the cipher used by the first connection to the server was a CBC SHA2 cipher suite, the connection failed.

Fixed an issue where commits failed due to insufficient CFG memory.

Fixed an issue where you were unable to resize the

Description

pop-up window (

Policies > Security > Prerules

).

Fixed an issue where

Connection to update server is successful

messages displayed even when connections failed.

Fixed an issue where template configuration for the User-ID agent was not reflected on the template stack on Panorama appliances on PAN-OS 10.2.1.

Fixed an issue where scheduled dynamic content updates failed to be retrieved by managed firewalls from Panorama when connectivity was slow.

Fixed an issue where traffic belonging to the same session was sent out from different ECMP enabled interfaces.

Fixed an issue where a user who did not have permissions of other access domains were able to view the commit and configuration lock.

Fixed an issue where, when Authentication Portal Authentication was configured,

l3svc_ngx_error.log

and

l3svc_access.log

did not roll over after exceeding 10 megabytes, which caused the root partition to reach full utilization.

Fixed an issue where errors in brdagent logs caused dataplane path monitoring failure.

(

VM-Series firewalls on Amazon Web Services environments only

) Fixed an issue where traffic sent from a GENEVE tunnel to the firewall was dropped if the firewall attempted to encapsulate traffic into an IPSec tunnel.

Fixed an issue where scheduled log view reports in emails didn't match the monitor page query result for the same time interval.

(

PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only

) Fixed an issue where the dataplane restarted repeatedly due to an internal path monitoring failure until a power cycle.