Fixed an issue where the SNMP get request status value for Panorama connections was incorrect.

(PA-5450 firewalls only) Fixed an issue where the class of service (CoS) priority bit was not modified, causing access points to lose connectivity to the wireless controller when traffic was routed through the firewall.

(PA-7500 Series firewalls in a cluster configuration only) Fixed an issue where users were able to enable or disable certain configurations.

(PA-455 firewalls in active/passive HA configurations only) Fixed an issue where, after an upgrade, the TCP session for syslog forwarding did not resume after the syslog server service was disabled and then re-enabled, which caused logs to be dropped. This occurred when the syslog server was down for more than 16 minutes.

Fixed an issue where a memory leak occurred related to the configd process when pushing configurations from Panorama to a firewall. This occurred when the configurations contained shared policy rules.

(PA-7500 firewalls only) Fixed an issue where SNMP polling failed due to the snmpd process becoming unresponsive to incoming requests, which resulted in high CPU usage.

Fixed a race condition issue related to predict processing on multi-core platforms, which resulted in a dataplane restart and traffic loss.

Fixed an issue where traffic from cloud applications intermittently matched an incorrect cloud-apps policy rule when ACE (App-ID Cloud Engine) was enabled.

(Firewalls in multi-vsys configurations only) Fixed an issue where HTTP/2 traffic failed due when one virtual system (vsys) had a decryption policy rule enabled and another vsys had a no-decrypt policy rule for the same session.

Fixed an issue where the MIB ID returned an incorrect value via SNMP.

(Panorama appliances only) Fixed an issue on the web interface where resetting the rule hit counter for multiple policy rules failed with the error message Failed to reset rule-hit job.

Fixed an issue where sessions timed out sooner than expected due to the pan_proxy_accumulation_ restore_timeout not initiating when the accumulation session_init failed.

Fixed an issue where Scan ERR: Internal Err 1002 messages were unexpectedly generated when WIF shared memory use was high.

Added debug logs for an issue where a slow IP address pool NAT leak occurred when persistent NAT was enabled, which led to NAT IP pool exhaustion.

Fixed an issue on the web interface where the address object pop up window only displayed a maximum of four address objects in the policy rule even after expanding the window.

Fixed an issue where BGP export policy rules with next-hop matching failed to block the advertisement of static routes, and the firewall incorrectly matched the egress interface IP address instead of the original next-hop IP address of the static route, which caused the deny rule to fail.

Fixed an issue where a large number of logs caused the logrcvr process to stop responding.

Fixed an issue where only failed Kerberos authentication events were logged in auth.log, and successful authentication events were not logged.

Fixed an issue where ECMP incorrectly balanced sessions across links based on the configured metric, which led to an imbalance in traffic distribution and resulted in traffic assignment shifting disproportionately to routes with lower metrics.

Fixed an issue where, after an upgrade, the firewall was unable to be managed via HTTPS or SSH.

Fixed an issue where, when getting transceiver information from ESCC for SFP 25G modules, the transceiver code was incorrectly updated with Unknown instead of 25GBase-SR.

Fixed an issue where the all_task process stopped responding, which caused the firewall to reboot unexpectedly, and traffic failures occurred.

Fixed an issue where a tool was needed to display leaked NAT port numbers without requiring a forced synchronization.

Fixed an issue where retrieving filenames from OneDrive resulted in a cache miss.

Fixed an issue where the devsrvr process experienced OOM conditions due to the show running application statistics CLI command, which caused the firewall to reboot.

Fixed an issue where clients did not receive a valid response when when searching a website due to a compression error.

Fixed an issue where the firewall became non-functional due to high root partition use.

Fixed an issue on Panorama where the web interface performance was slower than usual when retrieving read-only configurations from Panorama.

Fixed an issue where a firewall was only able to display a maximum of 14 permitted IP addresses from a Panorama Template Variable.

Fixed an issue where an OOM condition on the logrcvr process caused interface flapping, and the interface unexpectedly went down and then recovered without intervention.

(Panorama appliances only) Fixed an issue where log exports were slower than expected or failed when filtering logs after an upgrade, which resulted in timeouts or delays in displaying logs on the web interface.

Fixed an issue where set and edit commands took longer than expected when adding address objects with a large number of dynamic groups due to the completion cache being enabled. With this fix, the completion cache is disabled by default.

(M-600 appliances only) Fixed an issue where Panorama did not update all panreplay database entries after performing a commit and full push to all devices.

Fixed an issue where TLS connections failed to establish in asymmetric routing environments if the firewall did not see server-to-client (s2c) packets of the TLS handshake.

To use this fix, run the following CLI command: debug dataplane set ssl-decrypt accumulate-client-hello asym-disable yes.

Fixed an issue where, after an upgrade, GlobalProtect attempted to use the embedded browser instead of the default browser for gateway authentication even when it was configured to use the default browser.

Fixed an issue where authentication to GlobalProtect failed with the error message User not in allowed list.

Fixed an issue where the firewall removed the Authentication Key Identifier (AKID) from the certificate during SSL decryption, which caused Python 3.13 to fail with a certificate verification error.

Fixed an issue where the eproxy process stopped responding when running a long duration test using IXload with hybrid SWG SAML authentication bypass for HTTPS payloads, which caused the proxy to become unreachable.

Fixed an issue where deleting the NTP server address caused a commit validation error. This occurred when the configuration included both primary and secondary NTP servers and the secondary server was removed.

Fixed an issue where a device group import resulted in a Security policy rule being created with Application set to none.

Fixed an issue where web-advertisement traffic was not immediately blocked which resulted in pages loading indefinitely.

Fixed an issue where Panorama became unresponsive while performing a dynamic address update without a lock.

(Panorama appliances only) Fixed an issue where sequence numbers were lost when forwarded from Panorama, which resulted in missing or lost logs.

Fixed an issue where HTTP 503 server errors occurred while browsing websites due to slow Secure Web Gateway (SWG) bypass rule lookup.

(VM-Series firewalls only) Fixed an issue where, after an upgrade, the firewall was unable to send logs to the Strata Logging Service (SLS) when using a specific proxy server, and the SSL connection status displayed as failed when attempting to forward logs through the web proxy.

Fixed an issue where a DPC on slot 3 failed intermittently due to the pktlog_forwarding process restarting, which resulted in an unexpected HA failover.

Fixed an issue where SNMP scans to a firewall timed out after upgrading to a PAN-OS 10.2 release.

Fixed an issue where informational logs caused the distributord process log file to be frequently overwritten.

Fixed an issue where session rematch caused ACE cloud application traffic to match the wrong policy.

Fixed an issue where auto-negotiation advertised and negotiated 10/100 half and full duplex.

Fixed an issue where the firewall was unable to decrypt SSL traffic when using forward proxy and HSM with an ECDSA signing certificate.

(Firewalls in active/active HA configurations only) Fixed an issue with SSL inbound decryption on firewalls on a vwire setup with asymmetric routing.

To use this fix, enter the CLI command set system setting ssl-decrypt ha-vwire-mac-learn global yes on both firewalls in an HA pair.

Fixed an issue where commits to service connection firewalls from Panorama failed.

Fixed an issue where the routed process stopped responding due to accessing freed memory from a hash table when the route vectors were resized. This occurred when a large number of static routes were configured.

Fixed an issue where users were unable to log in to Panorama and the following error message was displayed: Timed out while getting config lock. Please try again. This occurred when pushing configurations to a large number of devices.

Fixed an issue where the Priority Code Point (PCP) bits in the VLAN header were not reset to 0 when a packet was received from one Layer 3 tagged interface and forwarded to another, which resulted in dropped packets.

To use this fix, run the CLI command set force-vlan-pcp-reset yes and reboot the firewall.

Fixed an issue where Prisma Access gateway downloads were slower than expected.

Fixed an issue where the all_task process stopped responding, which caused the firewall to stop processing traffic.

Fixed an issue where a selective push was blocked when a configuration load was done.

(Panorama appliances in HA configurations only) Fixed an issue where Panorama became unresponsive and displayed a 504 gateway timeout error when accessing the web interface or the CLI.

(PA-7500 Series firewalls in a cluster configuration only) Fixed an issue where users were able to enable or disable certain configurations.

(PA-5450 firewalls only) Fixed an issue where the class of service (CoS) priority bit was not modified, causing access points to lose connectivity to the wireless controller when traffic was routed through the firewall.

Fixed an issue where the SNMP get request status value for Panorama connections was incorrect.