>
    Strata Copilot
    PAN-OS 11.1.11 Addressed Issues
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. PAN-OS 11.1.11 Known and Addressed Issues
    4. PAN-OS 11.1.11 Addressed Issues
    Download PDF

    PAN-OS 11.1.11 Addressed Issues

    Table of Contents

    PAN-OS 11.1.11 Addressed Issues

    PAN-OS® 11.1.11 addressed issues.
    Issue ID
    Description
    PAN-298241
    Fixed an issue where the NAT IP address pool was exhausted, which led to intermittent connectivity issues with call applications and outbound call failures. This occurred due to the firewall not properly releasing NAT dynamic ports back to the address pool.
    PAN-297240
    Fixed an issue where attempting to generate reports in a WildFire FIPS Private Cloud or WF-500 deployment returned 401 errors.
    PAN-296992
    Fixed an issue where Panorama managed firewalls with no defined log collector group continually attempted to establish a logging connection to Panorama, which resulted in excessive system log messages.
    PAN-296977
    Fixed an issue where the web interface became unresponsive when attempting to view Ethernet interface details after applying a filter in Network > Interfaces.
    PAN-296478
    Fixed an issue where, after upgrading to PAN-OS 10.2.13-h10, GlobalProtect Clientless VPN on PA-3250 firewalls failed to execute JavaScript links, resulting in an authorization error. This occurred because the firewall was incorrectly injecting text into URLs when JavaScript buttons or dropdown menus were clicked within the Clientless VPN portal.
    PAN-296443
    (PA-5450 firewalls only) Fixed an issue where the firewall had a lower maximum capacity for DIPP translated IP addresses than the PA-5260, which caused configuration commit errors during migration. With this fix, the maximum capacity on PA-5450 firewalls has been increased to 8000.
    PAN-295944
    Fixed an issue where static routes remained active in the FIB and RIB even when the associated physical port interface was down, which resulted in traffic being incorrectly routed through a non-operational interface.
    PAN-295644
    Fixed an issue where Strata Logging Service (SLS) log forwarding streams intermittently displayed as inactive.
    PAN-295560
    Fixed an issue where, after upgrading Panorama and Log Collectors, tunnel logs were not visible in Panorama or Splunk even though traffic and threat logs were received.
    PAN-295385
    Fixed an issue where syslog forwarding dropped due to FQDN resolution failures.
    PAN-295342
    Fixed an issue where the pan_comm process stopped responding due to insufficient time allocated to read file descriptors when processing long messages.
    PAN-295257
    Fixed an issue where, after onboarding a firewall to Panorama, IPsec tunnels displayed IKEv2 in Panorama, even though the tunnels were configured with IKEv1 locally on the firewall.
    PAN-295049
    Fixed an issue where the logrcvr process stopped responding due to memory allocation errors during Redis communication.
    PAN-294524
    Fixed an issue where firewalls and Panorama management servers were unable to view or download WildFire reports from a WF-500 appliance, resulting in a 401 error in the report tab.
    PAN-294436
    Fixed an issue where polling failed for ethernet interfaces due to the physical port counters read from the MAC being 0.
    PAN-294179
    Fixed an issue on Panorama where commit versions did not display correct data in the config audit page even after a refresh.
    PAN-293985
    Fixed an issue with the Panorama web interface where admin users were unable to log in and received the error message 504: Gateway Timeout.
    PAN-293877
    (Firewalls with Hub vsys (virtual system) configurations enabled only) Fixed an issue where, when using the Hub vsys feature to redistribute Host Information Profiles (HIP) to a non-Hub vsys, HIP policy enforcement failed intermittently on the active secondary firewall. This occurred when traffic destined for specific non-Hub vsys was routed to the active secondary, and the HIP query was not triggered due to an incorrect check for the HIP mask in the Hub vsys.
    PAN-293842
    Fixed an issue where the hybrid-SWG service proxy stopped working after upgrading to PAN-OS 11.1.6-h13 due to the firewall failing to establish the listening interface.
    PAN-293840
    Fixed an issue on the Panorama web interface where SNMP settings configured in Panorama templates were incorrectly displayed as locally configured.
    PAN-293673
    Fixed an issue where the firewall stopped all tasks due to an OOM condition caused by a scheduled log export using FTP to an external FTP server.
    PAN-293440
    Fixed an issue where setting the logdb-quota for the desum log type to 0 caused the /opt/panlogs partition to reach capacity.
    PAN-293287
    (Panorama virtual appliances in FIPS mode only) Fixed an issue where plugin installs failed with the error invalid image after manually uploading the plugin package from the Customer Support Portal (CSP).
    PAN-292980
    Fixed an issue on the web interface where the Connected status for a User-ID agent in a non-User-ID Hub vsys displayed as blank if the same agent was also configured in a User-ID Hub vsys.
    PAN-292770
    Fixed an issue where, after reinstalling the device certificate, delayed telemetry data was displayed in AIOPS.
    PAN-292242
    Fixed an issue on M-200 and logging appliances where traffic logs were intermittently truncated when forwarded using a TCP syslog configuration. This issue occurred during the log forwarding stage due to intermittent syslog drops caused by exceeding the forwarding queue capacity.
    PAN-292202
    Fixed an issue where the system logs repeatedly displayed the alert Clearing snmpd.log due to log overflow due to the SNMP counters rolling over.
    PAN-291940
    Fixed an issue where the firewall established multiple TCP connections to a syslog server, which caused logs to be dropped. This occurred because the firewall established a new TCP session for each transfer and the sessions were not closed, which resulted in a continuous increase in connections over time.
    PAN-291781
    Fixed an issue on Panorama where the CLI command show ntp displayed the error message server error: op command for client dagger timed out as client is not available even when connectivity to the NTP server was active.
    PAN-291499
    ( VM-Series firewalls on Amazon Web Services (AWS) environments only) Fixed an issue where newly deployed firewalls were unable to connect to the Strata Logging Service (SLS) until after a reboot, license fetch, or management server restart.
    PAN-291456
    Fixed an issue where the custom completer for device groups and templates received the device group name and template name from the running configuration instead of the candidate configuration.
    PAN-291306
    Fixed an issue on the Panorama web interface where you were unable to override the primary or secondary DNS server address in the template stack.
    PAN-291288
    Fixed an issue where the firewall rebooted unexpectedly due to a pan_task process restart related to page allocation failures.
    PAN-291247
    Fixed an issue where checksum values changed when downloading files through TFTP on firewalls using subinterfaces.
    PAN-291094
    Fixed an issue the firewall experienced packet descriptor on chip and buffer spikes, which led to dropped traffic due to an unidentified traffic pattern.
    PAN-290996
    Fixed an issue where SNMP walks returned a value of 0 for the CPS (Connections Per Second) per vsys on firewalls after upgrading to PAN-OS 11.1.6-h3, even when active connections were present.
    PAN-290900
    Fixed an issue where Panorama in FIPS-CC mode failed to push IKEv2 Post-Quantum Pre-Shared Key (PQ PPK) configurations to firewalls that were not in FIPS-CC mode.
    PAN-290702
    Fixed an issue where Log Quotas incorrectly displayed a value that was higher than possible.
    PAN-290694
    Fixed an issue on the Panorama web interface where you were unable to push shared objects to devices if an HA failover occurred during a configuration push.
    PAN-290691
    Added the CLI command set system setting ctd h323_rtp_predict timeout to increase the maximum timeout limit from 3600 seconds to 65535 seconds.
    PAN-290449
    Fixed an issue where, when multiple scheduled vulnerability reports were were sent in the same email, only the first attached report was displayed.
    PAN-290241
    Fixed an issue where the useridd process became unresponsive, which caused User ID CLI commands to time out.
    PAN-290239
    (PA-455 firewalls in active/passive HA configurations only) Fixed an issue where, after an upgrade, the TCP session for syslog forwarding did not resume after the syslog server service was disabled and then re-enabled, which caused logs to be dropped. This occurred when the syslog server was down for more than 16 minutes.
    PAN-290235
    Fixed an issue where the dscd process crashed continuously on MIPS platforms (for example, PA-850 firewalls) due to a runtime error related to an invalid memory address or nil pointer dereference. This was caused by a golang library upgrade in CIE that is incompatible with the MIPS platform.
    PAN-290191
    Fixed an issue where BGP learned routes were not advertised when Legacy Routing was used and an export policy was configured to match the next hop of the learned route.
    PAN-290157
    Fixed an issue on Panorama where the configd process stopped responding when filtering in the Config Audit window, which caused Panorama to restart unexpectedly.
    PAN-290088
    Fixed an issue where a memory leak occurred related to the configd process when pushing configurations from Panorama to a firewall. This occurred when the configurations contained shared policy rules.
    PAN-290074
    Fixed an issue where IPv6 URLs were incorrectly categorized as private-ip-addresses even if the URL had a valid category. This occurred because the firewall did not check for IPv6 addresses when determining if an IP address was private.
    PAN-289859
    (Panorama virtual appliances only) Fixed an issue where Panorama failed to mount logging disks larger than 2TB due to a partitioning error.
    PAN-289826
    Fixed an issue on Panorama where a selective push of policy rule changes to a firewall caused the firewall to lose its Security policy rules.
    PAN-289803
    Fixed an issue on the firewall where AIPOs and ADEM licenses failed when SD-WAN or GlobalProtect licenses were not present.
    PAN-289763
    (PA-5400f firewalls only) Fixed an issue where SD-WAN SaaS monitoring did not work with URL monitoring.
    PAN-289736
    Fixed an issue where partial-revert operations were taking a long time, causing config lock timeout issues and resulting in frequent error messages being displayed: Timed out while getting config lock. Please try again.
    PAN-289652
    Fixed an issue related to external URL lists where pushing configuration changes from Panorama failed.
    PAN-289573
    Fixed an issue on Panorama where the web interface became unresponsive when attempting to edit the Allow traffic to specified FQDN when Enforce GlobalProtect Connection for Network Access setting in a GlobalProtect portal configuration after adding 40 or more FQDN entries.
    PAN-289541
    Fixed an issue where the bandwidth graphs (Link Monitoring) in Panorama for SD-WAN environments displayed incorrect values.
    PAN-289532
    Fixed an issue where, when the Advanced Routing Engine was enabled, PIM (Protocol Independent Multicast) neighborship was not established concurrently on multiple interfaces.
    PAN-289406
    Fixed an issue where, when redistributing User-ID information between firewalls, the receiving firewall incorrectly received and stored duplicate Host Information Profile (HIP) profiles. This occurred when a GlobalProtect gateway redistributed User-ID and HIP information through an intermediate firewall.
    PAN-289405
    (VM-Series firewalls only) Added the CLI command no-refresh-discard-session to address an issue where the discarded session time to live (TTL) did not refresh at the default value.
    PAN-289383
    Fixed an issue where the MPLS interface eth1/6 went down and remained down, even after replacing the SFP with a supported one and adjusting duplex and speed settings.
    PAN-289381
    (VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where the firewall required a reboot after enabling the Gateway Load Balancer (GWLB) feature.
    PAN-289320
    Fixed an issue where External Dynamic List (EDL) entries for predefined lists were not visible in Panorama when logged in with a SuperUser Read-Only role.
    PAN-289304
    (PA-7500 firewalls only) Fixed an issue where SNMP polling failed due to the snmpd process becoming unresponsive to incoming requests, which resulted in high CPU usage.
    PAN-289301
    Fixed an issue on the Panorama web interface where a template name or device group name displayed invalid text.
    PAN-289249
    Fixed an issue where a memory leak occurred on the reportd process when a WildFire update was initiated while device telemetry data collection was in progress. This resulted in an OOM condition.
    PAN-289239
    Fixed an issue on Panorama where a new virtual system (vsys) was automatically created with the name of a device group.
    PAN-289109
    Fixed an issue where the Panorama web interface was slower than expected during configuration operations and a configuration lock time out occurred during a commit.
    PAN-289102
    (PA-7500 Series, PA-5410, PA-5420, PA-5430, PA-5440, PA-5445, PA-3400 Series, PA-1400 Series, PA-400 Series, VM-Series, and CN-Series firewalls only) Fixed a race condition issue related to predict processing, which resulted in a dataplane restart and traffic loss.
    PAN-288988
    Fixed an issue on Panorama where, after logging in to the web interface as the ZTP installer administrator, the web interface was blank.
    PAN-288930
    Fixed an issue where traffic from cloud applications intermittently matched an incorrect cloud-apps policy rule when ACE (App-ID Cloud Engine) was enabled.
    PAN-288929
    Fixed an issue where the preferred_wnd value provided by CTD (Content Threat Detection) was disregarded due to TCP bandwidth estimation, which prevented the window from closing.
    PAN-288893
    (Firewalls in multi-vsys configurations only) Fixed an issue where HTTP/2 traffic failed due when one virtual system (vsys) had a decryption policy rule enabled and another vsys had a no-decrypt policy rule for the same session.
    PAN-288761
    Fixed an issue on the firewall where the logrcvr process stopped responding.
    PAN-288731
    Fixed an issue where the firewall incorrectly allowed traffic for certain applications when no decryption policy rule was configured.
    PAN-288726
    Fixed an issue where the useridd process stopped responding due to a Security policy rule ID being set to 0, which caused the last configuration retrieval to fail.
    PAN-288598
    Fixed an issue where Panorama exported the serial number of a managed collector instead of the collector name when exporting a PDF or CSV file.
    PAN-288529
    Fixed an issue where the firewall failed to forward critical system logs to Strata Logging Service due to a reboot.
    PAN-288427
    Fixed an issue on Panorama where commit jobs were not queued and the system reported that the useridd was not connected.
    PAN-288426
    (M-600 Panorama appliances in Log Collector mode in a Log Collector group only) Fixed an issue where the reportd and logd processes stopped responding, which resulted in the Panorama server not receiving logs from firewalls configured under the Log Collector group.
    PAN-288381
    Fixed an issue where data interfaces unexpectedly went down and then up after an HA failover, which caused intermittent traffic disruption.
    PAN-288363
    Fixed an issue where the MIB ID returned an incorrect value via SNMP.
    PAN-288254
    Fixed an issue where the dataplane CPU usage percentage was displayed as lower than it was on the firewall web interface, SCM, and other monitoring tools.
    PAN-288158
    (VM-Series firewalls only) Fixed an issue where the firewall became inaccessible via the web interface and SSH and remained in an initializing state.
    PAN-288140
    Fixed an issue where the debug dataplane sync ippool CLI command output incorrectly included reserved ports..
    PAN-288097
    (Firewalls in HA configurations only) Fixed an issue where on the firewall where the routed process stopped responding after changing the MTU or any link state parameters when OSPF and PIM were enabled on the same interface.
    PAN-287936
    Fixed an issue where the Panorama web interface incorrectly displayed the checkbox as enabled for SHA1.
    PAN-287921
    (VM-Series firewalls only) Fixed an issue where the maximum registered IP address for was incorrectly set to 100,000 instead of the expected 500,000.
    PAN-287842
    Fixed an issue where the comm process stopped responding due to missing heartbeats, which resulted in a system alert and HA communication loss on slot1.
    PAN-287838
    (Panorama appliances only) Fixed an issue on the web interface where resetting the rule hit counter for multiple policy rules failed with the error message Failed to reset rule-hit job.
    PAN-287818
    Fixed an issue where sessions timed out sooner than expected due to the pan_proxy_accumulation_restore_timeout not initiating when the accumulation session_init failed.
    PAN-287782
    Fixed an issue where firewalls configured in vwire mode modified DSCP values from AF11 to CS0 on traffic passing through the firewall, even when QoS policy rules and DSCP rewrite settings were not configured.
    PAN-287765
    Fixed an issue where SAML authentication failed, which caused the GlobalProtect client to repeatedly attempted to reconnect.
    PAN-287688
    Fixed an issue where the firewall failed to connect to the Palo Alto Networks update server when using a customized service route with the source interface as MGT.
    PAN-287621
    Added debug logs for an issue where a slow IP address pool NAT leak occurred when persistent NAT was enabled, which led to NAT IP pool exhaustion.
    PAN-287601
    Fixed an issue on Panorama where commits took longer than expected.
    PAN-287558
    Fixed an issue on the firewall where the QSFP-40G-SR-BD transceiver was incorrectly flagged as an unsupported SFP.
    PAN-287548
    Fixed an issue where Security policy rules that had the same parameters were not detected as shadow rules on commit.
    PAN-287423
    Fixed an issue where content loading issues occurred on IPv6 websites due to the firewall incorrectly setting the IPv6 header flow label to 0.
    PAN-287394
    (CN-Series firewalls only) Fixed an issue where the firewall generated critical system log alerts every 3 minutes.
    PAN-287392
    Fixed the issue on the web interface where ACC graphs displayed No data to display when a filter was applied to Source IP or Destination IP.
    PAN-287387
    Fixed an issue on Panorama where API jobs failed with the error message Server error: Timed out while getting config lock. This occurred due to slow set request performance when setting a large number of address objects in a single set call.
    PAN-287314
    Fixed an issue with firewalls in active/passive HA configurations where an OOM condition occurred and caused a failover due to a memory leak associated with the logrcvr process.
    PAN-287272
    Fixed an issue on the firewall were fan alarms were incorrectly generated constantly.
    PAN-287154
    Fixed an issue on the firewall where the show advanced-routing bgp loc-rib-detail CLI command incorrectly displayed no BGP route" when multiple BGP peers were enabled. With this fix, the CLI command requires a peer name to be specified to display local RIB details.
    PAN-287133
    Fixed an issue on the Panorama web interface where assigning a policy rule to a group at the top or bottom of the list changed the order of other policy rules.
    PAN-287056
    Fixed an issue where BGP export policy rules with next-hop matching failed to block the advertisement of static routes, and the firewall incorrectly matched the egress interface IP address instead of the original next-hop IP address of the static route, which caused the deny rule to fail.
    PAN-287035
    Fixed an issue where, when an application stopped responding, a large file was created in the /opt/panlogs directory, which caused the partition to fill up.
    PAN-287023
    Fixed an issue where a large number of logs caused the logrcvr process to stop responding.
    PAN-286931
    Fixed an issue where syslog forwarding in PAN-OS 11.1 and later releases did not support service routes when performing certificate validation over TLS.
    PAN-286922
    Fixed an issue where user-to-IP address mappings were not available on the dataplane for User-ID, which prevented the enforcement of user-based Security policy rules. This was due to the firewall not validating the timestamp of mappings received from certain User Identification Agent (UIA) agents before adding them to the dataplane.
    PAN-286899
    Fixed an issue where the device-group-tags CLI command used an unnecessary configuration read lock.
    PAN-286857
    Fixed an issue where only failed Kerberos authentication events were logged in auth.log, and successful authentication events were not logged.
    PAN-286848
    Fixed an issue where ECMP incorrectly balanced sessions across links based on the configured metric, which led to an imbalance in traffic distribution and resulted in traffic assignment shifting disproportionately to routes with lower metrics.
    PAN-286832
    (VM-Series firewalls only AWS environments only) Fixed an issue where the firewall did not send ICMP unreachable - Fragmentation Needed message when it received packets larger than the MTU.
    PAN-286818
    Fixed an issue where closing an SSH session to a Panorama using Ctrl+D did not generate a log message in the system logs, and the session remained in an idle state for 60 minutes before being automatically terminated.
    PAN-286789
    (Panorama virtual appliances in HA configurations on Microsoft Azure environments only) Fixed an issue where plugin versions displayed when hovering over the Green Match icon were inconsistent even though the web interface reported the versions as matching.
    PAN-286735
    Fixed an issue where the firewall did not automatically enable the telemetry feature.
    PAN-286734
    (PA-5450 firewalls only) Added uplink counters to enhance debug capability for traffic drops.
    PAN-286673
    (Panorama appliances only) Fixed an issue where the Require SSL/TLS secured connection in the LDAP profile within the template stack did not take effect after overriding the configuration. This occurred even when the setting was enabled multiple times.
    PAN-286669
    (PA-5410 and PA-5430 firewalls only) Fixed an issue where SFP28 25G ports using S28-25G-LR transceivers did not come up after an upgrade when Forward Error Connection (FEC) was disabled on the ports.
    PAN-286576
    Fixed an issue where the all_pktproc process restarted, which caused heartbeat failures to occur and a slot to go down due to path monitor failure.
    PAN-286550
    Fixed an issue where you were unable to delete the default trust and untrust zones after adding the firewall to an NGFW cluster.
    PAN-286534
    Fixed an issue where a multi-vsys firewall was unable to retrieve address groups and address objects pushed from Panorama as shared objects when using the REST API.
    PAN-286492
    Fixed an issue on Panorama where logs were not forwarded to syslog servers due to missing CLI options to configure the syslog queue size and threads.
    PAN-286443
    Fixed an issue where, after an upgrade, the firewall was unable to be managed via HTTPS or SSH.
    PAN-286306
    Fixed an issue where, when getting transceiver information from ESCC for SFP 25G modules, the transceiver code was incorrectly updated with Unknown instead of 25GBase-SR.
    PAN-286299
    Fixed an issue on firewalls running PAN-OS 11.1 releases where, after being offboarded from Panorama, the firewall XML configuration file retained template information from the previous Panorama configuration. As a result, when the firewall and its configuration were imported to another Panorama appliance, all configurations in the Network and Device tab became read-only.
    PAN-286231
    Fixed an issue where a simultaneous selective push from Panorama to multiple firewalls with different base configurations resulted in configuration corruption, which caused the firewall to go down.
    PAN-286180
    (Firewalls in HA configurations only) Fixed an issue where, after a failover, an SSH decryption caused a mismatch in the host key, which resulted in a warning message. This issue occurred because the SSH tunnel keys were not synchronized between the active and passive firewalls.
    PAN-286037
    Fixed an issue where the firewall stopped processing traffic.
    PAN-286034
    Fixed an issue where the XML API returned an error when attempting to view debug log receiver statistics.
    PAN-285894
    Fixed an issue where the all_task process stopped responding, which caused the firewall to reboot unexpectedly, and traffic failures occurred.
    PAN-285834
    Fixed an issue on Panorama where Policy recommendation displayed Unable to read data for certain profiles due to a large response size.
    PAN-285818
    Fixed an issue where a tool was needed to display leaked NAT port numbers without requiring a forced synchronization.
    PAN-285803
    Fixed an issue where, when a virtual system (vsys) was configured as a hub on multi-vsys devices, the non-hub vsys was unable to retrieve HIP reports. As a result, traffic was not allowed when it hit the non-HUB vsys.
    PAN-285759
    Fixed an issue where the configd process stopped responding during a selective push after a move and rename operation when the configuration was performed via the CLI.
    PAN-285680
    Fixed an issue where firewalls entered a boot loop after receiving a HSM configuration template push from Panorama.
    PAN-285623
    Fixed an issue where the configd process restarted and generated a core file during an HA sync commit job. This occurred when the firewall was in the HA passive state.
    PAN-285591
    Fixed an issue where the Panorama web interface did not display a warning message when a collector group was configured with a 2 node cluster.
    PAN-285590
    (VM-Series firewalls on Amazon Web Services (AWS) GWLB environments only) Fixed an issue where the firewall CPU usage reached 100% after upgrading to PAN-OS 11.1.6-h1.
    PAN-285436
    Fixed an issue where a selective push from Panorama caused the firewall security policy rules to be removed on firewalls associated with the device group. This occurred when the base configuration version chosen for the selective push preceded the device config import operation, which caused the imported configuration to not be included in the pushed configuration.
    PAN-285298
    Fixed an issue where the firewall became unresponsive when the show user user-ids user all CLI command was executed repeatedly on large scale LDAP group mappings, and you were unable to connect to the gateways with the error message The network connection is unreachable or the gateway is unresponsive. Check the network connection and reconnect.
    PAN-285285
    Fixed an issue where commits remained at 98% completion when static route configuration cleanup was in progress.
    PAN-285117
    Fixed an issue on Panorama where Browse for Agent Video Traffic under GlobalProtect Gateway configurations returned an Invalid Sequence error due to an invalid XPath within the Panorama template and template stack.
    PAN-284968
    Fixed an issue where the dnsproxy process stopped responding when enabling the AutoVPN feature from the Software-Defined Cloud Management (SD-WAN) console.
    PAN-284907
    Fixed an issue where the Panorama web interface displayed No Data when viewing configuration logs to see changes before and after a configuration change.
    PAN-284878
    (Firewalls in active/passive HA configurations only) Fixed an issue where commits failed due the useridd process restarting.
    PAN-284872
    Fixed an issue where ENA (Elastic Network Adapter) extended statistics (conntrack allowance metric) were unavailable in DPDK 22.11.x. This metric is now available through AWS Cloudwatch.
    PAN-284717
    Fixed an issue where a PBF (Policy Based Forwarding) policy rule using an AE (Aggregate Ethernet) interface configured with DHCP as the egress interface incorrectly transitioned to an active state after a commit operation, even when the DHCP lease had expired and the interface had no assigned IP address.
    PAN-284527
    Fixed an issue where, when a firewall had more than 4,400 logical interfaces, commits failed with the error message Error pre-installing config failed to handle CONFIG_COMMIT.
    PAN-284283
    Fixed an issue on Palo Alto Networks firewalls running PAN-OS 11.1.6 where the CLI command traceroute ipv4 yes host <host> failed with a missing argument error message.
    PAN-284176
    Fixed an issue where QoS throughput limits were not enforced correctly on aggregate ethernet interfaces. As a result, when QoS was enabled on aggregate interfaces, the subnet index was not handled correctly, which caused traffic shaping to be misdirected.
    PAN-284117
    (Panorama appliances in Log Collector mode only) Fixed an issue where the vm_agent process restarted after an upgrade.
    PAN-284090
    Fixed an issue where GlobalProtect (GP) portal authentication for satellites using RADIUS authentication failed due to the authentication timeout value being set to 0.
    PAN-284069
    Fixed an issue where, after an upgrade, the total number of logout records in the HIP database incorrectly displayed as zero.
    PAN-284067
    Fixed an issue where the devsrvr process experienced OOM conditions due to the show running application statistics CLI command, which caused the firewall to reboot.
    PAN-284036
    (PA-450R and PA-450R-5G firewalls only) Fixed an issue where the maximum temperature threshold and shutdown threshold were not set correctly.
    PAN-284003
    Fixed an issue where clients did not receive a valid response when when searching a website due to a compression error.
    PAN-283936
    (Panorama appliances only) Fixed an issue where the configd process intermittently restarted, which caused Panorama to be temporarily unavailable.
    PAN-283864
    Fixed an issue where DNS Security Category exceptions created with DNS category UTID were not ignored.
    PAN-283813
    Fixed an issue on Panorama where the web interface performance was slower than usual when retrieving read-only configurations from Panorama.
    PAN-283741
    Fixed an issue where HTTP/2 child streams were blocked by strict-ip-check zone protection when traffic passed through a transparent proxy.
    PAN-283613
    Fixed an issue on the web interface where the IP Tag Quota(%) value displayed as 2 even when changed.
    PAN-283575
    Fixed an issue where iPerf file transfers between a client and server were slower than expected when the firewall was involved in the traffic flow due to cfg.uplink-buffer-resize not being enabled by default.
    PAN-283544
    Fixed an issue where a failover event caused packet loss due to a delay in the child error indication.
    PAN-283524
    Fixed an issue where commits failed when a certificate with a cryptographic setting of RSA 4096 was used in the Syslog Service Profile due to the firewall being unable to decrypt the private key due to an incorrectly hardcoded private key length.
    PAN-283316
    Fixed an issue where a software download job reported a completion timestamp that occurred before the software loading process was finished.
    PAN-283311
    Fixed an issue where log forwarding to all syslog servers failed if one syslog server that used TLS as the protocol became unreachable.
    PAN-283206
    Fixed an issue where configuring an HTTP profile to send Webhook alerts to Microsoft Teams failed with a 400 Bad request error when clicking Send Test Log .
    PAN-283138
    Fixed an issue where the reportd process stopped responding when exporting CSV files when decryption logs were included in the unified logs.
    PAN-283053
    Fixed an issue where the firewall experienced high disk space utilization, which caused the firewall to become non-functional.
    PAN-283004
    Fixed an issue where the firewall bypassed Content Threat Detection (CTD) for sessions with STARTTLS large client hello out-of-order with No Decrypt.
    PAN-282956
    Fixed an issue on firewalls running PAN-OS 11.1 and later PAN-OS releases where the portal and gateway configuration view did not display rows and columns.
    PAN-282854
    Fixed an issue where the Elasticsearch cluster did not start after deploying dedicated log collectors in a multi-collector environment.
    PAN-282607
    Fixed an issue where the DHCP process stopped responding when the firewall was configured as a DHCP relay agent.
    PAN-282578
    Fixed an issue where ping commands from both the management plane and dataplane interfaces incorrectly prioritized IPv6 addresses over IPv4 addresses, even when IPv6 was disabled. This caused connectivity issues when pinging FQDNs that resolved to IPv6 addresses.
    PAN-282571
    Fixed an issue where the Border Gateway Protocol (BGP) established time was displayed inaccurately due to a 32-bit counter wrapping issue.
    PAN-282554
    Fixed an issue where GlobalProtect clients on macOS devices failed to connect when device name used newline character.
    PAN-282394
    Fixed an issue where a firewall was only able to display a maximum of 14 permitted IP addresses from a Panorama Template Variable.
    PAN-282240
    Fixed an issue where, when attempting to modify an Anti-Spyware profile via the web interface under a shared location, clicking the OK button displayed a console exception error.
    PAN-281797
    Fixed an issue where firewalls became unstable and stopped responding, which resulted in an OOM condition.
    PAN-281721
    Fixed an issue where the firewall generated high-severity system alerts indicating that the configuration size exceeded the maximum recommended size, even when the configuration size was within the expected limits.
    PAN-281681
    Fixed a rare issue where the logrcvr process stopped responding, which caused the devsrvr process to restart.
    PAN-281596
    Fixed an issue where, when the firewall was configured as an explicit proxy, connections were intermittently dropped.
    PAN-281576
    Fixed an issue where SNMP traps messages were not sent after system startup.
    PAN-281488
    Fixed an issue where searching configuration logs for an audit_uuid did not return a result if the rule was created with a clone operation.
    PAN-281294
    Fixed an issue where, after an authd process restart, the username, password, and source IP address displayed in plain text on the console when attempting to log in via the web interface.
    PAN-281198
    Fixed an issue on Panorama managed firewalls where, when the service route configuration was set to VLAN as the source, attempting to import the variable CSV into the template resulted in the validation error Failed to parse variable configuration file. This issue occurred because the system incorrectly validated the VLAN interface name in the service route configuration within the template.
    PAN-281096
    Fixed an issue on HA clusters where, when link and path monitoring was configured and the failover condition was set to all, disconnecting and reconnecting monitored ethernet ports caused the firewall to switch to a nonfunctional role, which resulted in all interfaces except the HA interface going down.
    PAN-280910
    Fixed an issue on firewalls with Advanced Routing Engine enabled where BGP route maps were not correctly configured for IPv6 next-hop selection. The firewall rejected the IPv6 configuration provided as the next hop due to an incorrect command sent to FRR (Free Range Routing).
    PAN-280725
    Fixed an issue where all_pktproc process repeatedly restarted, which caused dataplane failure and loss of connectivity, including PAN-DB URL resolution. This occurred after a commit push from Panorama and resulted in the firewall becoming non-functional due to internal path monitoring failure and configuration memory exhaustion.
    PAN-280695
    Fixed an issue where all data interfaces went down due to a Forward Error Correction (FEC) mode mismatch. The firewall defaulted to FEC Auto mode, while the peer Cisco switch was configured for FC-FEC.
    PAN-280554
    Fixed an issue on the web interface where the Enable local inline categorization option in URL Filtering profiles incorrectly appeared as enabled by default.
    PAN-280409
    Fixed an issue where the popup window did not appear as expected for Clientless VPN users.
    PAN-280302
    Fixed an issue where the show session cache CLI command was unavailable on VM-Series firewalls with VM license types smaller than VM-200 when session resiliency was enabled.
    PAN-280101
    Fixed an issue where set and edit commands took longer than expected when adding address objects with a large number of dynamic groups due to the completion cache being enabled. With this fix, the completion cache is disabled by default.
    PAN-280099
    Fixed an issue in the URL filtering logs where the columns and the displayed contents did not match.
    PAN-280013
    Fixed an issue where User-ID custom reports were unable to exclude IP address 0.0.0.0 when using the filter ip notin 0.0.0.0.
    PAN-279901
    An issue was fixed where the firewall dropped fragmented TLS ClientHello packets, which blocked access to certain websites. This occurred because the packets arrived truncated, in varying sizes and orders, and the firewall's heuristics failed to handle them correctly.
    To enable this fix, run: debug dataplane set ssl-decrypt accumulate-client-hello disjoined yes
    PAN-279829
    Fixed an issue where NAT pool leaks occurred during a test when RTSP traffic hit NAT rules.
    PAN-279699
    Fixed an issue on M-600 line cards where the /var/log/messages file flooded with i40e 0000:81:00.1: ARQ: Unknown event 0x0000 ignored messages, causing the root partition to fill up and prevent PAN-OS upgrades.
    PAN-279584
    Fixed an issue where, during software deployment from Panorama to multiple firewalls, some firewalls did not automatically reboot after the upgrade, even when Reboot device after install was selected. This was due to the Panorama timing out before the software deployment completed on the affected firewalls, which prevented the reboot request from being sent.
    PAN-279500
    Fixed an issue where TLS connections failed to establish in asymmetric routing environments if the firewall did not see server-to-client (s2c) packets of the TLS handshake.
    To use this fix, run the following CLI command: debug dataplane set ssl-decrypt accumulate-client-hello asym-disable yes.
    PAN-279495
    Fixed an issue where accessing a URL from the browser returned the error message ERR_RESPONSE_HEADERS_TRUNCATED when the firewall was configured with TLS 1.3.
    PAN-279415
    Fixed an issue where service routes configured to use a data plane interface incorrectly used the management plane interface for traffic transmission. This issue affected syslog and CRL status traffic when a custom service route was not configured.
    PAN-279366
    Fixed an issue where the firewall used an unnecessary configuration lock when running operational commands.
    PAN-279209
    Fixed an issue where changes made to the management interface permitted IP address list in a global template were not pushed to the template stack or firewalls.
    PAN-278836
    Fixed an issue where, after an upgrade, GlobalProtect attempted to use the embedded browser instead of the default browser for gateway authentication even when it was configured to use the default browser.
    PAN-278812
    Fixed an issue where authentication to GlobalProtect failed with the error message User not in allowed list.
    PAN-278630
    Fixed an issue where commits failed after a long time during the Strata Cloud Manager onboarding process.
    PAN-278628
    (Firewalls in HA configurations only) Fixed an issue where the configd process restarted during a configuration push from Panorama, which caused the active firewall to lose management access for 20-30 minutes.
    PAN-278507
    Fixed an issue where the OCSP Signing purpose was not included in the Extended Key Usage field when a certificate was generated on the firewall with the OCSP responder called in the certificate. This caused the GlobalProtect connection to fail with the error Missing OCSP signing purpose in the ExtendedKeyUsage.
    PAN-278322
    (VM-Series firewalls on Amazon Web Services (AWS) Gateway Load Balancer (GWLB) deployments only) Fixed an issue where the firewall did not display the correct source user in traffic logs and session details.
    PAN-278288
    Fixed an issue where IPv6 BGP peering established between virtual routers even without dataplane connectivity. This occurred because the firewall used the kernel for lookups instead of the dataplane.
    PAN-278276
    Fixed an issue on Panorama where custom reports displayed an incorrect log count with critical severity when the report filter was built with and without explicitly specifying severity as critical.
    PAN-278150
    Fixed an issue where the firewall removed the Authentication Key Identifier (AKID) from the certificate during SSL decryption, which caused Python 3.13 to fail with a certificate verification error.
    PAN-278126
    Fixed an issue where the number of registered IP Tags on Panorama did not match the number of registered IP Tags on the managed firewalls due to a change in file format between PAN-OS releases.
    PAN-277987
    (VM-Series firewalls in AWS environments only) Fixed an issue where HA failover mode incorrectly changed from interface move to secondary IP move after a reboot.
    PAN-277808
    Fixed an issue where the eproxy. process stopped responding when running a long duration test using IXload with hybrid SWG SAML authentication bypass for HTTPS payloads, which caused the proxy to become unreachable.
    PAN-277759
    Fixed an issue where Panorama failed to upgrade due to duplicate path-monitor names configured across different static routes within the same virtual router or logical router.
    PAN-277682
    Fixed an issue where moving an address object from a device group to shared and renaming it did not reflect in the address group, which caused commits to fail.
    PAN-277464
    Fixed an issue with intermittent access and slower than expected loading times when accessing websites. This occurred when Anti-Spyware inline cloud analysis was enabled and the SSL Command and Control action was not either allow* or **alert and server hello packets were out of order.
    PAN-277178
    Fixed an issue on Panorama where you were unable to delete a shared object due to the rulebase incorrectly referencing the shared object instead of the device group-specific object when the name was used.
    To use this fix, delete the original shared object after cloning it to a device group with the same name.
    PAN-277162
    Fixed an issue where random characters were added to the proxy_authorization in HTTP messages when the firewall accessed certain services through a configured proxy server. This caused proxy server authentication to intermittently fail.
    PAN-277086
    Fixed an issue where the CLI output in JSON format displayed incorrect bracket patterns.
    PAN-277034
    Fixed an issue where WildFire reports were not fully displayed and were not downloadable due to static resources not being found.
    PAN-277000
    Fixed an issue where the firewall stopped responding after upgrading to PAN-OS 11.0.2 with lockless-qos enabled.
    PAN-276961
    Fixed an issue where adding an SD-WAN interface profile to an overridden interface on a template stack failed with an sdwan-interface-profile is invalid error.
    PAN-276936
    Fixed an issue where the CLI command syntax was incorrect when configuring the deviceconfig values from the Template Stack.
    PAN-276920
    Fixed an issue where web-advertisement traffic was not immediately blocked which resulted in pages loading indefinitely.
    PAN-276694
    Fixed an issue where the firewall unexpectedly rebooted when the show dns-proxy ddns interface name all CLI command was executed with the error Server error: op command for client dnsproxyd timed out as client is not available.
    PAN-276678
    Fixed an issue where Panorama became unresponsive while performing a dynamic address update without a lock.
    PAN-276484
    Fixed an issue where Panorama did not display license information for Cloud NGFW firewalls under (Device Deployment > Licenses) due to the inability to perform batch-license refreshes.
    PAN-276321
    Fixed an issue where User-ID mappings were not correctly redistributed from Panorama to firewalls, causing some users to be identified as unknown, which prevented access to resources based on AD group membership.
    PAN-276144
    Fixed an issue on the web interface where the Response Page action column was not accessible.
    PAN-276075
    Fixed an issue where a warning message that pending changes were holding a commit lock failed to pop up before rebooting the firewall. This occurred when the upgrade was initiated directly on the firewall.
    PAN-276033
    Fixed an issue on Panorama managed firewalls where SAML identity provider and Clientless Apps objects did not have override or revert options.
    PAN-276000
    (Firewalls in HA configurations only) Fixed an issue where the confgid process and mgmtsrvr process restarted daily when processing a show rule-hit-count CLI command when retrieving Security policy rules for vsys1.
    PAN-275451
    (Panorama appliances only) Fixed an issue where sequence numbers were lost when forwarded from Panorama, which resulted in missing or lost logs.
    PAN-275272
    Fixed an issue where a dataplane restart was not triggered as expected when internal packet path monitoring failure occurred.
    PAN-275133
    Fixed an issue where HTTP 503 server errors occurred while browsing websites due to slow Secure Web Gateway (SWG) bypass rule lookup.
    PAN-275047
    (VM-Series firewalls only) Fixed an issue where, after an upgrade, the firewall was unable to send logs to the Strata Logging Service (SLS) when using a specific proxy server, and the SSL connection status displayed as failed when attempting to forward logs through the web proxy.
    PAN-275026
    Fixed an issue where you were unable to to adjust the frequency of the Advanced Cloud Explorer (ACE) cloud fetch via the CLI.
    PAN-274797
    Fixed an issue where a DPC on slot 3 failed intermittently due to the pktlog_forwarding process restarting, which resulted in an unexpected HA failover.
    PAN-274697
    Fixed an issue where push operations from Panorama failed on passive firewalls when an application was removed from a Security policy rule and the policy rule was referenced in a device group.
    PAN-274650
    Fixed an issue where the firewall did not perform certificate expiry validation during a commit, which resulted in successful authentication even when an intermediate certificate had expired.
    PAN-274611
    Added a CLI debug command to increase the queue size to address file transfer errors.
    PAN-274333
    Fixed an issue where the Logging Service License Status displayed as red even though a valid license was installed on the firewall.
    PAN-274213
    Fixed an issue where the firewall did not properly update incremental update data maintained at the management plane when an IP address was part of both a Dynamic Address Group and an External Dynamic List (EDL). This resulted in the firewall not matching the expected Security policy rule and threat signature.
    PAN-274086
    Fixed an issue where the firewall incorrectly assembled SIP NOTIFY and REFER messages when processing SIP TCP packets that contained a partial content-body from a previous SIP message and a complete header and content-body from the next SIP message.
    PAN-274064
    Fixed an issue on Panorama where the request batch license info CLI command displayed entries for devices that were no longer attached to Panorama.
    PAN-273969
    Fixed an issue where the Panorama interface template did not include the Forward Error Correction (FEC) setting.
    PAN-273964
    Fixed an issue where SNMP scans to a firewall timed out after upgrading to a PAN-OS 10.2 release.
    PAN-273947
    Fixed an issue where the displayed group name differed depending on whether the group was configured locally on the firewall or through Panorama.
    PAN-273010
    Fixed an issue where the configuration version did not increment in the Audit Comment Archive after making changes to the Security policy rule with an audit comment and performing a commit. As a result, all subsequent changes were grouped under the same configuration version, which prevented the comparison of changes in the Rule Changes field of the Security policy rule.
    PAN-273008
    (PA-5400 firewalls only) Fixed an issue where frequent BGP/BFD flaps occurred and HA2 keep-alives went down.
    PAN-272731
    Fixed an issue on Panorama where commits took longer than expected due to the show object dynamic-address-group all CLI command holding the devicetable lock for an extended period.
    PAN-272539
    (Panorama appliances on Microsoft Azure environments only) Fixed an issue where user to IP address mapping was missing for some users connected to specific Prisma Access gateways, which caused the collection layer Azure firewall to not form the mapping.
    PAN-272505
    Fixed an issue where GlobalProtect cookie authentication failed with the error User is not in allow list.
    PAN-272469
    Fixed an issue where the DNS exception displayed 0 instead of no result in the anti-spyware profile when no threat ID was available for a DNS security category.
    PAN-272395
    Fixed an issue where informational logs caused the distributord process log file to be frequently overwritten.
    PAN-272175
    Fixed an issue where session rematch caused ACE cloud application traffic to match the wrong policy.
    PAN-271810
    Fixed an issue where auto-negotiation advertised and negotiated 10/100 half and full duplex.
    PAN-271507
    (PA-5450 firewalls only) Fixed an issue where the DPC on slot 3 intermittently stopped responding due an all_pktproc restart.
    PAN-271440
    Fixed an issue where PublicCloud Server certificate validation failed. Dest Addr: (null), Reason: self signed certificate in certificate chain generated as a high alert in the system log every 5 minutes.
    PAN-271345
    Fixed an issue where the byte size reported in traffic logs differed from the byte size reported in Enhanced Application Logs (EAL) logs.
    PAN-271301
    (VM-Series firewalls on Amazon Web Services (AWS) environments with GWLB integrated only) Fixed an issue where DNS queries timed out when overlay routing was enabled.
    PAN-271204
    Fixed an issue where performing a factory reset caused the firewall to enter a continuous boot loop due to a failure in generating the global.xml configuration file.
    PAN-271173
    Fixed an issue where the firewall displayed an incorrect maximum translated IP capacity when using DIPP NAT policy rules.
    PAN-271061
    Fixed an issue on the web interface where you were unable to add Threat IDs to Signature Exceptions.
    PAN-270323
    Fixed an issue where the firewall allowed cleartext web-browsing traffic on port 443 when the Security policy rule was configured to allow application: web-browsing with service: application-default.
    PAN-269843
    Fixed an issue where the firewall dropped non-SYN TCP packets even when the Reject non-SYN TCP option was set to No when a session rematch was triggered.
    PAN-269812
    Fixed an issue where the devsrvr process stopped responding, which caused the firewall to restart repeatedly.
    PAN-269659
    Fixed an issue on the firewall where you were unable to configure more than 500 DHCP relay servers even though the supported limit was 4096.
    PAN-269535
    Fixed an issue where the mib ID returned an incorrect value via SNMP.
    PAN-269445
    Fixed an issue where the show user ip-user-mapping all option detail XML API command did not show the complete output.
    PAN-269303
    Fixed an issue where the CSV export of disabled applications included duplicate entries, which caused the count of disabled applications to be higher in the CSV export than on the web interface.
    PAN-269057
    Fixed an issue where the routed process stopped responding due to accessing freed memory from a hash table when the route vectors were resized. This occurred when a large number of static routes were configured.
    PAN-269051
    Fixed an issue where, when using WildFire Private Cloud, the system log displayed the error message tls-X509-validation.
    PAN-268787
    Fixed an issue where users were unable to log in to Panorama and the following error message was displayed: Timed out while getting config lock. Please try again. This occurred when pushing configurations to a large number of devices.
    PAN-268522
    Fixed an issue where the firewall failed to connect to the update server with a customized service route when the source interface was set to MGT and the source address was set as IPv4.
    PAN-268426
    Fixed an issue where the firewall was unable to connect to a syslog server that used a TLS certificate without a subject key identifier.
    PAN-268308
    Fixed an issue where the Push Scope was not automatically displayed when you selected Commit and Pushes Changes Made by.
    PAN-268002
    Fixed an issue where URL filtering response pages were not displayed for sites that were blocked as a result of SSL/TLS handshake inspection.
    PAN-267330
    Fixed an issue where the firewall dropped inbount RTP traffic after using Webex Screen Sharing due to the firewall removing the NAT cache when the predict timed out, which caused a new NAT to be established that conflicted with existing sessions. To use this fix, run the CLI command set system setting ctd h323_rtp_predict timeout <120-3600> to increase the timeout limit.
    PAN-266971
    Fixed an issue where the firewall generated AAAA DNS queries when IPv6 firewalling was disabled.
    PAN-266776
    Fixed an issue where virtual machine interfaces displayed unknown for speed and duplex in the CLI and web interface.
    PAN-266569
    (PA-5450 firewalls only) Fixed an issue where the useridd process repeatedly restarted.
    PAN-266302
    Fixed an issue where OSPFv3 Link State (LS) update packets (type 9) were not fragmented properly, which caused the OSPF header to have an incorrect checksum when sent from the firewall. This occurred when the update packet size exceeded 1514 byte, which resulted in the peer device rejecting the packet and the neighbor relationship going down.
    PAN-265140
    (PA-7000B Series firewalls with NPCs only) Fixed an issue where the gearbox on the NPC took multiple retries to get the NIF link up.
    PAN-264725
    Fixed an issue where Auto Quarantine did not work when simplified logging was enabled.
    PAN-264708
    Fixed an issue where a selective push was blocked when a configuration load was done.
    PAN-264040
    Fixed an issue where AAAA DNS queries went out even when IPv6 firewalling was disabled.
    PAN-263699
    PA-440 firewalls only) Fixed an issue where the firewall was unable to create more than 6 GlobalProtect gateways.
    PAN-262599
    Fixed an issue where the firewall displayed incorrect policy cache usage and configuration memory usage during a commit, which caused the configuration commit to fail with a CONFIG_UPDATE_START error. This occurred when a large number of External Dynamic Lists (EDLs), shared addresses, and policy rules were configured.
    PAN-260827
    Fixed an issue where the firewall consumed excessive CPU while processing traffic for a workload running on a GKE cluster, which caused reduced throughput.
    PAN-260790
    Fixed an issue where the bytes transmitted and packet transmitted counters for hardware interfaces incorrectly displayed as 0 after a restart of slot-1.
    PAN-260581
    Fixed an issue where Panorama template changes to the zone and virtual router were not pushed to managed firewalls when the template stack default virtual system was set to None.
    PAN-260540
    Fixed an issue where task-debug logs remained on the debug level even after running the debug dataplane packet-diag set log off CLI command, which caused high dataplane CPU utilization.
    PAN-260330
    Fixed an issue where Panorama was unable to generate PDF reports when the footer contained a GIF image.
    PAN-260185
    Fixed an issue where a dataplane crash occurred in Inline Cloud Analysis action lookup because there were no vulnerability or antispyware profiles in the security policy rule.
    PAN-259998
    (M-600 Appliances only) Fixed an issue where log collectors in a cluster stopped responding when running high load tests.
    PAN-259741
    Fixed an issue where the firewall dropped GRE keepalive packets that were encapsulated under another GRE tunnel.
    PAN-259727
    (Panorama appliances in HA configurations only) Fixed an issue where Panorama became unresponsive and displayed a 504 gateway timeout error when accessing the web interface or the CLI.
    PAN-259579
    Fixed an issue where the URL Filtering settings on a firewall displayed an override icon even when no settings were overridden. This occurred due to the hold-client-request field did not have a default value and was set to False.
    PAN-259284
    Fixed an issue where IPv4 BGP routes were not included in the routing table or FIB of a virtual router when ECMP was configured with more than two next hops.
    PAN-258456
    Fixed an issue where not all IP-TAG logs were forwarded to Log Collectors.
    PAN-258039
    Fixed an issue where the firewall displayed the incorrect rule name when a threat log was generated for Inline Cloud Analyzed CMD Injection Traffic Detection.
    PAN-257616
    Fixed an issue where selective push operations from Panorama to managed firewalls failed with the error message Failed to generate selective push configuration. Schema validation failed. Please try a full push.
    PAN-257195
    (PA-5400 Series firewalls only) Fixed an issue where the mp-monitor logs did not print disk SMART data.
    PAN-257074
    Fixed an issue on the Panorama web interface where the template sync status showed Out-of-Sync for managed devices after a combined commit-all operation. This occurred due to Panorama sending the default MD5 sum of the template to the firewall instead of the correct MD5 sum.
    PAN-255806
    Fixed an issue on Panorama where the ACC report for URL categories displayed inconsistent results for the same time range when run daily.
    PAN-255654
    Fixed an issue where, when QoS was enabled on aggregate interfaces, the maximum aggregate interface throughput was capped, which limited network traffic. This occurred even with default QoS settings and no configured egress max-bandwidth.
    PAN-255547
    Fixed an issue where commits failed when importing configurations to a device with a non-default master key.
    PAN-255253
    Fixed an issue where the firewall did not establish a syslog connection to the probe VM syslog server in ADEM Regressions.
    PAN-255025
    Fixed an issue where the show session cache all CLI command failed with the error message Server error : An error occured. See dagger.log for information.
    PAN-254152
    Fixed an issue where autocommits failed due to an error unserializing the global object.
    PAN-253965
    Fixed an issue where modifying the IPSec lifesize setting was not reflected when using Proxy-ID between two VM-Series firewalls.
    PAN-253963
    (Panorama appliances in Panorama mode and Log Collector mode only) Fixed an issue where autocommits took longer than expected to complete.
    PAN-253778
    (PA-7500 Series firewalls in a cluster configuration only) Fixed an issue where users were able to enable or disable certain configurations.
    PAN-252699
    Fixed an issue where frequent session failures occurred due to CTD resource exhaustion.
    PAN-251715
    Fixed an issue where the firewall closed the SSL connection to the user ID agent.
    PAN-248463
    Fixed an issue where commits failed for policy rule changes if a large number of External Dynamic List (EDL) entries were present in a multi-vsys environment.
    PAN-243335
    Fixed an issue on the Panorama web interface where you were unable to add static IPv6 address entries to a logical router in a cluster template stack.
    PAN-242777
    Fixed and issue where users previously reported limitations due to session count caps when utilizing Web Proxy features on PA-5400 Series Firewalls. To address these performance complaints and support higher traffic volumes, we have increased the maximum session capacity on specific PA-5400F series platforms, leveraging available system memory. This update ensures greater capacity and stability for high-volume environments.
    The supported session limits are:
    PlatformMax Sessions
    PA-541095K
    PA-542095K
    PA-543095K
    PA-5440225K
    PA-5445250K
    PAN-241230
    Fixed an issue where the SNMP get request status value for Panorama connections was incorrect.
    PAN-236794
    Fixed an issue where SNMP walk reported incorrect interface speeds.
    PAN-228959
    Fixed an issue where EW dynamic address groups were not created in Panorama when using NSX plugin 5.0.1 and NSX manager 4.1.0.
    PAN-224020
    Fixed an issue where CIE validation checks on the firewall prevented configuration pushes from Panorama, which resulted in commit failures during new firewall deployment. This occurred when a template with an Authentication Profile with the Authentication Type as Cloud Authentication Service was pushed to a newly deployed firewall without internet access or without a device certificate.
    PAN-221137
    Fixed an issue where the CLI command to set the target virtual system accepted a non-existent virtual system name, and the CLI prompt incorrectly changed to the non-existent virtual system.
    PAN-215232
    Fixed an issue on Panorama where the GlobalProtect app version was displayed incorrectly in the ACC tab.
    PAN-210501
    Fixed an issue where hardware interface counters read from the CPU did not incrementing for member interfaces after a Link Aggregation Control Protocol (LACP) bundle was formed in an aggregate ethernet interface.
    PAN-201825
    Fixed an issue where firewalls did not use the Application Command and Response (ACR) functionality for cloud management, which caused connections to cloud management to drop after a commit.
    PAN-174038
    Fixed an issue with firewalls with SD-WAN policy rules and GlobalProtect gateway configurations where enabling GlobalProtect on a loopback interface caused an issue where IPSec tunnel traffic from the gateway to the client dropped intermittently.

    © 2026 Palo Alto Networks, Inc. All rights reserved.