PAN-OS 11.1.10-h7 Addressed Issues

PAN-OS® 11.1.10-h7 addressed issues.
Issue ID
Description
PAN-303737
Fixed an issue where XML API commands failed with a Method not found (policy_xml) error in dagger.log. The issue was due to session-distribution commands in dagger files handling.
PAN-300906
Fixed an issue where XML API commands failed with a Method not found (policy_xml) error in dagger.log. The issue was due to missing XML-related functions for inline-cloud-proxy and session-distribution commands in dagger files handling.
PAN-300096
Fixed an issue where a local commit on a firewall breaks template stack overrides, preventing the enabling of LACP (Link Aggregation Control Protocol). After a local commit, the LACP enable check was unexpectedly unchecked, causing an outage. Attempting to re-enable LACP through the web interface was unsuccessful, requiring manual removal of the LACP configuration from the Panorama CLI.
PAN-299815
Fixed an issue on multi-vsys firewalls where a host was not removed from the quarantine list after receiving a redistribution message from Panorama. This occurred when Panorama was configured to redistribute quarantine messages to a firewall cluster, and the GlobalProtect configuration and redistribution were built out in a vsys other than vsys1.
PAN-299785
(PA-7500 and PA-5450 firewalls in FIPS-CC mode) Fixed an issue where the affected firewalls would boot into maintenance mode when a reboot was initiated from the web interface. This was due to a device reboot triggering a power down to all slots, leading to maintenance mode. A hard reboot would allow the firewall to boot normally.
PAN-299772
(VM-Series firewalls in active/passive configurations only) Fixed an issue where, after an HA failover event, the newly active firewall DHCP client interfaces failed to obtain IP addresses automatically. This occurred because the DHCP client processes did not initiate the necessary DHCP discover or renew requests.
PAN-299615
Fixed an issue where, when the Network Packet Broker feature was enabled, forward TLS (non-decrypted) traffic was not working as expected when there were segmented client hellos and a no-decrypt rule existed. This issue occurred when Zone Protection profiles were configured for trust/untrust zones but not attached to NPB zones.
PAN-298654
Fixed an issue where the firewall generated false positive threat logs during updates to a large domain list (EDL) when a DNS lookup for a domain being added or removed occurred during the update process. This resulted in a threat log being generated for a different, unrelated domain that remained on the list.
PAN-298505
Fixed an issue where, after upgrading an HA pair of PA-7050 firewalls, the vsys ID changed in sequence, causing autocommit failures with validation errors. This occurred when the multi-vsys firewall had virtual systems created and pushed from Panorama, and the vsys ID was not in a correct sequence because the unused vsys was deleted from Panorama and pushed to devices.
PAN-297972
Fixed an issue where a dataplane crash occurred when traffic matched Inline Cloud Analysis pre-filtering signatures, even when Inline Cloud Analysis features were not enabled.
PAN-297797
Fixed an issue where, during a refresh of a large External Dynamic List (EDL), traffic that matched a domain on the list was incorrectly identified as a different domain, which resulted in false positive threat logs.
PAN-297782
Fixed an issue on Panorama where reassociating a vsys from one device group to another in a multi-vsys environment resulted in another vsys from the same firewall being removed from the original device group. This resulted in the device being moved into the no device groups attached group, and a superuser was required to manually reattach the device.
PAN-297775
Fixed an issue where, after upgrading to an affected PAN-OS release, the Visible Virtual Systems field started to reference the vsys name instead of the vsys ID, which caused inter-vsys routing to fail. This occurred when a vsys display name matched one of the vsys IDs.
PAN-296752
Fixed an issue where the firewall experienced high management CPU usage and repeatedly rebooted when attempting to retrieve SMART data.
PAN-295221
Fixed an issue where, after upgrading Panorama and Log Collectors, Traffic and Threat logs were not forwarded to a Splunk server over UDP.
PAN-293848
Fixed an issue where Panorama failed to push the default value of None for the secondary NTP server address to managed firewalls, resulting in a commit validation error. This occurred even when configuring the secondary NTP server address as None in Panorama's web interface, and affected both newly deployed and long-standing production firewalls after upgrading.
PAN-293847
Fixed an issue where EAL logs for traffic matching the intrazone-default Security policy rule were not forwarded to the IoT Security portal.
PAN-297240
Fixed an issue where attempting to generate reports in a WildFire FIPS Private Cloud or WF-500 deployment returned 401 errors.
PAN-296490
(FIPS CC mode enabled only) Fixed an issue where Panorama on GCP rebooted every hour after upgrading to an affected release.
PAN-296453
Fixed an issue where decryption exclusion lists were not working for untrusted certificates, and SSL sessions were still being decrypted even after adding them to the exclusion list. This occurred because the firewall was not adding sessions to the exclude cache until after receiving a non-RFC alert (BadCertificate) from the server. The fix ensures that the first session is added to the exclude cache, allowing subsequent sessions to skip decryption. This issue affects firewalls configured as clients in server-client communication.
PAN-295944
Fixed an issue where static routes remained active in the FIB and RIB even when the associated physical port interface was down, which resulted in traffic being incorrectly routed through a non-operational interface.
PAN-295560
Fixed an issue where, after upgrading Panorama and Log Collectors, tunnel logs were not visible in Panorama or Splunk even though traffic and threat logs were received.
PAN-295484
Fixed an issue where SD-WAN did not generate system logs with timestamps and reasons for degradation of Direct Internet Access paths.
PAN-295470
Fixed an issue on the firewall where the useridd process continuously increased its memory consumption, which resulted in an OOM condition that caused the firewall to restart.
PAN-295257
Fixed an issue where, after onboarding a firewall to Panorama, IPsec tunnels displayed IKEv2 in Panorama, even though the tunnels were configured with IKEv1 locally on the firewall.
PAN-294893
Fixed an issue where firewalls with the Send handshake messages to CTD for inspection setting enabled caused incorrect security policy rules to be matched. Specifically, traffic not identified as openai-base or openai-chatgpt applications was incorrectly matched by the ALLOW-OPEN-AI-FULL-ACCESS-URLS-ALERTS rule. Additionally, the expected response page for blocked URLs was not displayed.
PAN-294770
(Firewalls in active/passive HA configurations) Fixed an issue on firewalls where, after failover, certain subnets were missing from the Link State Database, which prevented OSPF routes from being immediately learned due to a Type-7 to Type-5 LSA translation conflict in the ABR when the same LSA was advertised by two peers in the NSSA area.
PAN-294524
Fixed an issue where firewalls and Panorama management servers were unable to view or download WildFire reports from a WF-500 appliance, resulting in a 401 error in the report tab.
PAN-292393
Fixed an issue where TFTP file transfers intermittently timed out in active-active HA pairs when the TFTP control channel was processed by one firewall and the data channel was processed by the other. This occurred because the firewall receiving the data channel failed to match the predicted session due to asynchronous processing of HA messages.
PAN-292261
Fixed an issue where the firewall repeatedly reported an unreachable syslog server as back online when the server remained unavailable. This resulted in misleading alternating connection status messages in the system logs.
PAN-291716
Fixed an issue where PA-460 firewalls experienced out-of-memory (OOM) conditions, leading to device crashes and reboots.
PAN-291661
Fixed an issue on Panorama appliances and Log Collectors where, after an upgrade, Elasticsearch intermittently entered into a Red state before automatically recovering.
PAN-291653
Fixed an issue where the GlobalProtect host ID field was intermittently blank in traffic logs on Prisma Access, even when the user was connected and had the correct host ID information. This occurred when the IP address to host ID entry expired and the entry was re-inserted without the dataplane flag being set.
PAN-291288
Fixed an issue where the firewall rebooted unexpectedly due to a pan_task process restart related to page allocation failures.
PAN-290453
(PA-7500 firewalls only) Fixed an issue where PA-7500 firewalls experienced silent traffic drops. During migration from PA-7050 to PA-7500 firewalls connected in series, intermittent connection losses occurred for some applications. Traffic leaving the PA-7050 was not received or processed by the PA-7500, even with direct connections and replaced cables/SFPs. Global counters did not indicate any drops on the PA-7500.
PAN-289859
(Panorama virtual appliances only) Fixed an issue where Panorama failed to mount logging disks larger than 2TB due to a partitioning error.
PAN-289405
(VM-Series firewalls only) Added the CLI command no-refresh-discard-session to address an issue where the discarded session time to live (TTL) did not refresh at the default value.
PAN-289249
Fixed an issue where a memory leak occurred on the reportd process when a WildFire update was initiated while device telemetry data collection was in progress. This resulted in an OOM condition.
PAN-289067
Fixed an issue where, after upgrading Panorama in a High Availability (HA) pair, the configuration logs stopped synchronizing from the primary Panorama to the secondary Panorama. This issue occurred because the log forwarding flag was permanently disabled due to the connection state not being active when the log-fwd-ctrl message was received.
PAN-288761
Fixed an issue on the firewall where the logrcvr process stopped responding.
PAN-288388
Fixed an issue where, after an EDL certificate update or repository migration, authentication failures caused the firewall to not fall back to the last successfully cached EDL entries, which led to policy rules that referenced the EDL not being enforced.
PAN-287803
Fixed an issue where, after upgrading the firewall, certain websites weren't accessible when the accumulation proxy was enabled. The proxy did not use the same DF bit state as the original traffic, causing it to be fragmented and dropped elsewhere in the network.
PAN-287782
Fixed an issue where firewalls configured in vwire mode modified DSCP values from AF11 to CS0 on traffic passing through the firewall, even when QoS policy rules and DSCP rewrite settings were not configured.
PAN-287693
Fixed an issue where Panorama did not use the configured proxy settings to check WildFire private cloud content and instead connected directly to the WildFire device using the management interface. This occurred even when Use Proxy Settings for Private Cloud was enabled.
PAN-287622
Fixed an issue where IPv6 traffic was affected after upgrading the firewall. With SSL decryption enabled and a decryption policy configured for the traffic, the firewall dropped packets due to receiving a Packet Too Big ICMP message. This occurred because the PathMTU information update was incorrect for the TCB (pan-server) when the firewall was acting as a server. Additionally, the flow label under the IPv6 header was set to zero while the packet was being transmitted out of the firewall.
PAN-287423
Fixed an issue where content loading issues occurred on IPv6 websites due to the firewall incorrectly setting the IPv6 header flow label to 0.
PAN-287314
Fixed an issue with firewalls in active/passive HA configurations where an OOM condition occurred and caused a failover due to a memory leak associated with the logrcvr process.
PAN-285648
Fixed an issue where the log receiver process crashed on PA-7050 firewalls due to system log processing threads becoming blocked when the queue was full. This resulted in a heartbeat failure.
PAN-285169
Fixed an issue on Panorama where Kerberos superusers were unable to edit policy rules because the target device tab was grayed out.
PAN-284872
Fixed an issue where ENA (Elastic Network Adapter) extended statistics (conntrack allowance metric) were unavailable in DPDK 22.11.x. This metric is now available through AWS CloudWatch.
PAN-283053
Fixed an issue where the firewall experienced high disk space utilization, which caused the firewall to become non-functional.
PAN-282093
Enhanced the CLI command request legacy reset to delete the legacy certificate files that were being used to connect with the secondary Panorama appliance.
PAN-281797
Fixed an issue where firewalls became unstable and stopped responding, which resulted in an OOM condition.
PAN-278322
(VM-Series firewalls on Amazon Web Services (AWS) Gateway Load Balancer (GWLB) deployments only) Fixed an issue where the firewall did not display the correct source user in traffic logs and session details.
PAN-277682
Fixed an issue where moving an address object from a device group to shared and renaming it did not reflect in the address group, which caused commits to fail.
PAN-277034
Fixed an issue where WildFire reports were not fully displayed and were not downloadable due to static resources not being found.
PAN-276525
Resolved multiple issues affecting IPSec tunnels using NAT Traversal (NAT-T) when a Dynamic NAT policy was configured (including Dynamic NAT or DIPP). During rekey events, tunnels could go down or flap due to incorrect session handling. This issue impacted both cluster and standalone deployments.
PAN-272539
(Panorama appliances on Microsoft Azure environments only) Fixed an issue where user to IP address mapping was missing for some users connected to specific Prisma Access gateways, which caused the collection layer Azure firewall to not form the mapping.
PAN-271507
(PA-5450 firewalls only) Fixed an issue where the DPC on slot 3 intermittently stopped responding due to an all_pktproc restart.
PAN-267704
Fixed an issue where the firewall did not send an ICMP error packet to Envoy when the MSS was exceeded.
PAN-267450
Fixed an issue where the reportd process stopped responding with a SIGSEGV at schedule_report_es_response.
PAN-262444
Fixed an issue where the firewall did not refresh the external dynamic list due to the first entry in the list being removed from the global external list and breaking out of the loop.
PAN-260185
Fixed an issue where a dataplane crash occurred in Inline Cloud Analysis action lookup because there were no vulnerability or antispyware profiles in the security policy rule.
PAN-258039
Fixed an issue where the firewall displayed the incorrect rule name when a threat log was generated for Inline Cloud Analyzed CMD Injection Traffic Detection.
PAN-255253
Fixed an issue where the firewall did not establish a syslog connection to the probe VM syslog server in ADEM Regressions.
PAN-253963
(Panorama appliances in Panorama mode and Log Collector mode only) Fixed an issue where autocommits took longer than expected to complete.
PAN-251715
Fixed an issue where the firewall closed the SSL connection to the user ID agent.
PAN-251646
Fixed an issue where commits failed with the error message Error: Error unserializing profile objects. This occurred due to memory allocation issues when a large number of scan profiles were configured.