Fixed an issue where the NAT IP address pool was exhausted, which led to intermittent connectivity issues with call applications and outbound call failures. This occurred due to the firewall not properly releasing NAT dynamic ports back to the address pool.

Fixed an issue where attempting to generate reports in a WildFire FIPS Private Cloud or WF-500 deployment returned 401 errors.

Fixed an issue where Panorama managed firewalls with no defined log collector group continually attempted to establish a logging connection to Panorama, which resulted in excessive system log messages.

Fixed an issue where the web interface became unresponsive when attempting to view Ethernet interface details after applying a filter in Network > Interfaces.

Fixed an issue where, after upgrading to PAN-OS 10.2.13-h10, GlobalProtect Clientless VPN on PA-3250 firewalls failed to execute JavaScript links, resulting in an authorization error. This occurred because the firewall was incorrectly injecting text into URLs when JavaScript buttons or dropdown menus were clicked within the Clientless VPN portal.

(PA-5450 firewalls only) Fixed an issue where the firewall had a lower maximum capacity for DIPP translated IP addresses than the PA-5260, which caused configuration commit errors during migration. With this fix, the maximum capacity on PA-5450 firewalls has been increased to 8000.

Fixed an issue where static routes remained active in the FIB and RIB even when the associated physical port interface was down, which resulted in traffic being incorrectly routed through a non-operational interface.

Fixed an issue where Strata Logging Service (SLS) log forwarding streams intermittently displayed as inactive.

Fixed an issue where, after upgrading Panorama and Log Collectors, tunnel logs were not visible in Panorama or Splunk even though traffic and threat logs were received.

Fixed an issue where syslog forwarding dropped due to FQDN resolution failures.

Fixed an issue where the pan_comm process stopped responding due to insufficient time allocated to read file descriptors when processing long messages.

Fixed an issue where, after onboarding a firewall to Panorama, IPsec tunnels displayed IKEv2 in Panorama, even though the tunnels were configured with IKEv1 locally on the firewall.

Fixed an issue where the logrcvr process stopped responding due to memory allocation errors during Redis communication.

Fixed an issue where firewalls and Panorama management servers were unable to view or download WildFire reports from a WF-500 appliance, resulting in a 401 error in the report tab.

Fixed an issue where polling failed for ethernet interfaces due to the physical port counters read from the MAC being 0.

Fixed an issue on Panorama where commit versions did not display correct data in the config audit page even after a refresh.

Fixed an issue with the Panorama web interface where admin users were unable to log in and received the error message 504: Gateway Timeout.

(Firewalls with Hub vsys (virtual system) configurations enabled only) Fixed an issue where, when using the Hub vsys feature to redistribute Host Information Profiles (HIP) to a non-Hub vsys, HIP policy enforcement failed intermittently on the active secondary firewall. This occurred when traffic destined for specific non-Hub vsys was routed to the active secondary, and the HIP query was not triggered due to an incorrect check for the HIP mask in the Hub vsys.

Fixed an issue where the hybrid-SWG service proxy stopped working after upgrading to PAN-OS 11.1.6-h13 due to the firewall failing to establish the listening interface.

Fixed an issue on the Panorama web interface where SNMP settings configured in Panorama templates were incorrectly displayed as locally configured.

Fixed an issue where the firewall stopped all tasks due to an OOM condition caused by a scheduled log export using FTP to an external FTP server.

Fixed an issue where setting the logdb-quota for the desum log type to 0 caused the /opt/panlogs partition to reach capacity.

(Panorama virtual appliances in FIPS mode only) Fixed an issue where plugin installs failed with the error invalid image after manually uploading the plugin package from the Customer Support Portal (CSP).

Fixed an issue on the web interface where the Connected status for a User-ID agent in a non-User-ID Hub vsys displayed as blank if the same agent was also configured in a User-ID Hub vsys.

Fixed an issue where, after reinstalling the device certificate, delayed telemetry data was displayed in AIOPS.

Fixed an issue on M-200 and logging appliances where traffic logs were intermittently truncated when forwarded using a TCP syslog configuration. This issue occurred during the log forwarding stage due to intermittent syslog drops caused by exceeding the forwarding queue capacity.

Fixed an issue where the system logs repeatedly displayed the alert Clearing snmpd.log due to log overflow due to the SNMP counters rolling over.

Fixed an issue where the firewall established multiple TCP connections to a syslog server, which caused logs to be dropped. This occurred because the firewall established a new TCP session for each transfer and the sessions were not closed, which resulted in a continuous increase in connections over time.

Fixed an issue on Panorama where the CLI command show ntp displayed the error message server error: op command for client dagger timed out as client is not available even when connectivity to the NTP server was active.

( VM-Series firewalls on Amazon Web Services (AWS) environments only) Fixed an issue where newly deployed firewalls were unable to connect to the Strata Logging Service (SLS) until after a reboot, license fetch, or management server restart.

Fixed an issue where the custom completer for device groups and templates received the device group name and template name from the running configuration instead of the candidate configuration.

Fixed an issue on the Panorama web interface where you were unable to override the primary or secondary DNS server address in the template stack.

Fixed an issue where the firewall rebooted unexpectedly due to a pan_task process restart related to page allocation failures.

Fixed an issue where checksum values changed when downloading files through TFTP on firewalls using subinterfaces.

Fixed an issue the firewall experienced packet descriptor on chip and buffer spikes, which led to dropped traffic due to an unidentified traffic pattern.

Fixed an issue where SNMP walks returned a value of 0 for the CPS (Connections Per Second) per vsys on firewalls after upgrading to PAN-OS 11.1.6-h3, even when active connections were present.

Fixed an issue where Panorama in FIPS-CC mode failed to push IKEv2 Post-Quantum Pre-Shared Key (PQ PPK) configurations to firewalls that were not in FIPS-CC mode.

Fixed an issue where Log Quotas incorrectly displayed a value that was higher than possible.

Fixed an issue on the Panorama web interface where you were unable to push shared objects to devices if an HA failover occurred during a configuration push.

Added the CLI command set system setting ctd h323_rtp_predict timeout to increase the maximum timeout limit from 3600 seconds to 65535 seconds.

Fixed an issue where, when multiple scheduled vulnerability reports were were sent in the same email, only the first attached report was displayed.

Fixed an issue where the useridd process became unresponsive, which caused User ID CLI commands to time out.

(PA-455 firewalls in active/passive HA configurations only) Fixed an issue where, after an upgrade, the TCP session for syslog forwarding did not resume after the syslog server service was disabled and then re-enabled, which caused logs to be dropped. This occurred when the syslog server was down for more than 16 minutes.

Fixed an issue where BGP learned routes were not advertised when Legacy Routing was used and an export policy was configured to match the next hop of the learned route.

Fixed an issue on Panorama where the configd process stopped responding when filtering in the Config Audit window, which caused Panorama to restart unexpectedly.

Fixed an issue where IPv6 URLs were incorrectly categorized as private-ip-addresses even if the URL had a valid category. This occurred because the firewall did not check for IPv6 addresses when determining if an IP address was private.

(Panorama virtual appliances only) Fixed an issue where Panorama failed to mount logging disks larger than 2TB due to a partitioning error.

Fixed an issue on Panorama where a selective push of policy rule changes to a firewall caused the firewall to lose its Security policy rules.

Fixed an issue on the firewall where AIPOs and ADEM licenses failed when SD-WAN or GlobalProtect licenses were not present.

(PA-5400f firewalls only) Fixed an issue where SD-WAN SaaS monitoring did not work with URL monitoring.

Fixed an issue where partial-revert operations were taking a long time, causing config lock timeout issues and resulting in frequent error messages being displayed: Timed out while getting config lock. Please try again.

Fixed an issue related to external URL lists where pushing configuration changes from Panorama failed.

Fixed an issue on Panorama where the web interface became unresponsive when attempting to edit the Allow traffic to specified FQDN when Enforce GlobalProtect Connection for Network Access setting in a GlobalProtect portal configuration after adding 40 or more FQDN entries.

Fixed an issue where the bandwidth graphs (Link Monitoring) in Panorama for SD-WAN environments displayed incorrect values.

Fixed an issue where, when the Advanced Routing Engine was enabled, PIM (Protocol Independent Multicast) neighborship was not established concurrently on multiple interfaces.

Fixed an issue where, when redistributing User-ID information between firewalls, the receiving firewall incorrectly received and stored duplicate Host Information Profile (HIP) profiles. This occurred when a GlobalProtect gateway redistributed User-ID and HIP information through an intermediate firewall.

(VM-Series firewalls only) Added the CLI command no-refresh-discard-session to address an issue where the discarded session time to live (TTL) did not refresh at the default value.

Fixed an issue where the MPLS interface eth1/6 went down and remained down, even after replacing the SFP with a supported one and adjusting duplex and speed settings.

(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where the firewall required a reboot after enabling the Gateway Load Balancer (GWLB) feature.

Fixed an issue where External Dynamic List (EDL) entries for predefined lists were not visible in Panorama when logged in with a SuperUser Read-Only role.

(PA-7500 firewalls only) Fixed an issue where SNMP polling failed due to the snmpd process becoming unresponsive to incoming requests, which resulted in high CPU usage.

Fixed an issue on the Panorama web interface where a template name or device group name displayed invalid text.

Fixed an issue where a memory leak occurred on the reportd process when a WildFire update was initiated while device telemetry data collection was in progress. This resulted in an OOM condition.

Fixed an issue on Panorama where a new virtual system (vsys) was automatically created with the name of a device group.

Fixed an issue where the Panorama web interface was slower than expected during configuration operations and a configuration lock time out occurred during a commit.

(PA-7500 Series, PA-5410, PA-5420, PA-5430, PA-5440, PA-5445, PA-3400 Series, PA-1400 Series, PA-400 Series, VM-Series, and CN-Series firewalls only) Fixed a race condition issue related to predict processing, which resulted in a dataplane restart and traffic loss.

Fixed an issue on Panorama where, after logging in to the web interface as the ZTP installer administrator, the web interface was blank.

Fixed an issue where traffic from cloud applications intermittently matched an incorrect cloud-apps policy rule when ACE (App-ID Cloud Engine) was enabled.

Fixed an issue where the preferred_wnd value provided by CTD (Content Threat Detection) was disregarded due to TCP bandwidth estimation, which prevented the window from closing.

(Firewalls in multi-vsys configurations only) Fixed an issue where HTTP/2 traffic failed due when one virtual system (vsys) had a decryption policy rule enabled and another vsys had a no-decrypt policy rule for the same session.

Fixed an issue on the firewall where the logrcvr process stopped responding.

Fixed an issue where the firewall incorrectly allowed traffic for certain applications when no decryption policy rule was configured.

Fixed an issue where the useridd process stopped responding due to a Security policy rule ID being set to 0, which caused the last configuration retrieval to fail.

Fixed an issue where Panorama exported the serial number of a managed collector instead of the collector name when exporting a PDF or CSV file.

Fixed an issue where the firewall failed to forward critical system logs to Strata Logging Service due to a reboot.

Fixed an issue on Panorama where commit jobs were not queued and the system reported that the useridd was not connected.

(M-600 Panorama appliances in Log Collector mode in a Log Collector group only) Fixed an issue where the reportd and logd processes stopped responding, which resulted in the Panorama server not receiving logs from firewalls configured under the Log Collector group.

Fixed an issue where data interfaces unexpectedly went down and then up after an HA failover, which caused intermittent traffic disruption.

Fixed an issue where the MIB ID returned an incorrect value via SNMP.

Fixed an issue where the dataplane CPU usage percentage was displayed as lower than it was on the firewall web interface, SCM, and other monitoring tools.

(VM-Series firewalls only) Fixed an issue where the firewall became inaccessible via the web interface and SSH and remained in an initializing state.

Fixed an issue where the debug dataplane sync ippool CLI command output incorrectly included reserved ports..

(Firewalls in HA configurations only) Fixed an issue where on the firewall where the routed process stopped responding after changing the MTU or any link state parameters when OSPF and PIM were enabled on the same interface.

Fixed an issue where the Panorama web interface incorrectly displayed the checkbox as enabled for SHA1.

(VM-Series firewalls only) Fixed an issue where the maximum registered IP address for was incorrectly set to 100,000 instead of the expected 500,000.

Fixed an issue where the comm process stopped responding due to missing heartbeats, which resulted in a system alert and HA communication loss on slot1.

(Panorama appliances only) Fixed an issue on the web interface where resetting the rule hit counter for multiple policy rules failed with the error message Failed to reset rule-hit job.

Fixed an issue where sessions timed out sooner than expected due to the pan_proxy_accumulation_restore_timeout not initiating when the accumulation session_init failed.

Fixed an issue where firewalls configured in vwire mode modified DSCP values from AF11 to CS0 on traffic passing through the firewall, even when QoS policy rules and DSCP rewrite settings were not configured.

Fixed an issue where SAML authentication failed, which caused the GlobalProtect client to repeatedly attempted to reconnect.

Fixed an issue where the firewall failed to connect to the Palo Alto Networks update server when using a customized service route with the source interface as MGT.

Added debug logs for an issue where a slow IP address pool NAT leak occurred when persistent NAT was enabled, which led to NAT IP pool exhaustion.

Fixed an issue on Panorama where commits took longer than expected.

Fixed an issue on the firewall where the QSFP-40G-SR-BD transceiver was incorrectly flagged as an unsupported SFP.

Fixed an issue where Security policy rules that had the same parameters were not detected as shadow rules on commit.

Fixed an issue where content loading issues occurred on IPv6 websites due to the firewall incorrectly setting the IPv6 header flow label to 0.

(CN-Series firewalls only) Fixed an issue where the firewall generated critical system log alerts every 3 minutes.

Fixed the issue on the web interface where ACC graphs displayed No data to display when a filter was applied to Source IP or Destination IP.

Fixed an issue on Panorama where API jobs failed with the error message Server error: Timed out while getting config lock. This occurred due to slow set request performance when setting a large number of address objects in a single set call.

Fixed an issue with firewalls in active/passive HA configurations where an OOM condition occurred and caused a failover due to a memory leak associated with the logrcvr process.

Fixed an issue on the firewall were fan alarms were incorrectly generated constantly.

Fixed an issue on the firewall where the show advanced-routing bgp loc-rib-detail CLI command incorrectly displayed no BGP route" when multiple BGP peers were enabled. With this fix, the CLI command requires a peer name to be specified to display local RIB details.

Fixed an issue on the Panorama web interface where assigning a policy rule to a group at the top or bottom of the list changed the order of other policy rules.

Fixed an issue where BGP export policy rules with next-hop matching failed to block the advertisement of static routes, and the firewall incorrectly matched the egress interface IP address instead of the original next-hop IP address of the static route, which caused the deny rule to fail.

Fixed an issue where, when an application stopped responding, a large file was created in the /opt/panlogs directory, which caused the partition to fill up.

Fixed an issue where a large number of logs caused the logrcvr process to stop responding.

Fixed an issue where syslog forwarding in PAN-OS 11.1 and later releases did not support service routes when performing certificate validation over TLS.

Fixed an issue where user-to-IP address mappings were not available on the dataplane for User-ID, which prevented the enforcement of user-based Security policy rules. This was due to the firewall not validating the timestamp of mappings received from certain User Identification Agent (UIA) agents before adding them to the dataplane.

Fixed an issue where the device-group-tags CLI command used an unnecessary configuration read lock.

Fixed an issue where only failed Kerberos authentication events were logged in auth.log, and successful authentication events were not logged.

Fixed an issue where ECMP incorrectly balanced sessions across links based on the configured metric, which led to an imbalance in traffic distribution and resulted in traffic assignment shifting disproportionately to routes with lower metrics.

(VM-Series firewalls only AWS environments only) Fixed an issue where the firewall did not send ICMP unreachable - Fragmentation Needed message when it received packets larger than the MTU.

Fixed an issue where closing an SSH session to a Panorama using Ctrl+D did not generate a log message in the system logs, and the session remained in an idle state for 60 minutes before being automatically terminated.

(Panorama virtual appliances in HA configurations on Microsoft Azure environments only) Fixed an issue where plugin versions displayed when hovering over the Green Match icon were inconsistent even though the web interface reported the versions as matching.

Fixed an issue where the firewall did not automatically enable the telemetry feature.

(PA-5450 firewalls only) Added uplink counters to enhance debug capability for traffic drops.

(Panorama appliances only) Fixed an issue where the Require SSL/TLS secured connection in the LDAP profile within the template stack did not take effect after overriding the configuration. This occurred even when the setting was enabled multiple times.

(PA-5410 and PA-5430 firewalls only) Fixed an issue where SFP28 25G ports using S28-25G-LR transceivers did not come up after an upgrade when Forward Error Connection (FEC) was disabled on the ports.

Fixed an issue where the all_pktproc process restarted, which caused heartbeat failures to occur and a slot to go down due to path monitor failure.

Fixed an issue where you were unable to delete the default trust and untrust zones after adding the firewall to an NGFW cluster.

Fixed an issue where a multi-vsys firewall was unable to retrieve address groups and address objects pushed from Panorama as shared objects when using the REST API.

Fixed an issue on Panorama where logs were not forwarded to syslog servers due to missing CLI options to configure the syslog queue size and threads.

Fixed an issue where, after an upgrade, the firewall was unable to be managed via HTTPS or SSH.

Fixed an issue where, when getting transceiver information from ESCC for SFP 25G modules, the transceiver code was incorrectly updated with Unknown instead of 25GBase-SR.

Fixed an issue on firewalls running PAN-OS 11.1 releases where, after being offboarded from Panorama, the firewall XML configuration file retained template information from the previous Panorama configuration. As a result, when the firewall and its configuration were imported to another Panorama appliance, all configurations in the Network and Device tab became read-only.

Fixed an issue where a simultaneous selective push from Panorama to multiple firewalls with different base configurations resulted in configuration corruption, which caused the firewall to go down.

(Firewalls in HA configurations only) Fixed an issue where, after a failover, an SSH decryption caused a mismatch in the host key, which resulted in a warning message. This issue occurred because the SSH tunnel keys were not synchronized between the active and passive firewalls.

Fixed an issue where the firewall stopped processing traffic.

Fixed an issue where the XML API returned an error when attempting to view debug log receiver statistics.

Fixed an issue where the all_task process stopped responding, which caused the firewall to reboot unexpectedly, and traffic failures occurred.

Fixed an issue on Panorama where Policy recommendation displayed Unable to read data for certain profiles due to a large response size.

Fixed an issue where a tool was needed to display leaked NAT port numbers without requiring a forced synchronization.

Fixed an issue where, when a virtual system (vsys) was configured as a hub on multi-vsys devices, the non-hub vsys was unable to retrieve HIP reports. As a result, traffic was not allowed when it hit the non-HUB vsys.

Fixed an issue where the configd process stopped responding during a selective push after a move and rename operation when the configuration was performed via the CLI.

Fixed an issue where firewalls entered a boot loop after receiving a HSM configuration template push from Panorama.

Fixed an issue where the configd process restarted and generated a core file during an HA sync commit job. This occurred when the firewall was in the HA passive state.

Fixed an issue where the Panorama web interface did not display a warning message when a collector group was configured with a 2 node cluster.

(VM-Series firewalls on Amazon Web Services (AWS) GWLB environments only) Fixed an issue where the firewall CPU usage reached 100% after upgrading to PAN-OS 11.1.6-h1.

Fixed an issue where a selective push from Panorama caused the firewall security policy rules to be removed on firewalls associated with the device group. This occurred when the base configuration version chosen for the selective push preceded the device config import operation, which caused the imported configuration to not be included in the pushed configuration.

Fixed an issue where the firewall became unresponsive when the show user user-ids user all CLI command was executed repeatedly on large scale LDAP group mappings, and you were unable to connect to the gateways with the error message The network connection is unreachable or the gateway is unresponsive. Check the network connection and reconnect.

Fixed an issue where commits remained at 98% completion when static route configuration cleanup was in progress.

Fixed an issue on Panorama where Browse for Agent Video Traffic under GlobalProtect Gateway configurations returned an Invalid Sequence error due to an invalid XPath within the Panorama template and template stack.

Fixed an issue where the dnsproxy process stopped responding when enabling the AutoVPN feature from the Software-Defined Cloud Management (SD-WAN) console.

Fixed an issue where the Panorama web interface displayed No Data when viewing configuration logs to see changes before and after a configuration change.

(Firewalls in active/passive HA configurations only) Fixed an issue where commits failed due the useridd process restarting.

Fixed an issue where ENA (Elastic Network Adapter) extended statistics (conntrack allowance metric) were unavailable in DPDK 22.11.x. This metric is now available through AWS Cloudwatch.

Fixed an issue where a PBF (Policy Based Forwarding) policy rule using an AE (Aggregate Ethernet) interface configured with DHCP as the egress interface incorrectly transitioned to an active state after a commit operation, even when the DHCP lease had expired and the interface had no assigned IP address.

Fixed an issue where, when a firewall had more than 4,400 logical interfaces, commits failed with the error message Error pre-installing config failed to handle CONFIG_COMMIT.

Fixed an issue on Palo Alto Networks firewalls running PAN-OS 11.1.6 where the CLI command traceroute ipv4 yes host <host> failed with a missing argument error message.

Fixed an issue where QoS throughput limits were not enforced correctly on aggregate ethernet interfaces. As a result, when QoS was enabled on aggregate interfaces, the subnet index was not handled correctly, which caused traffic shaping to be misdirected.

(Panorama appliances in Log Collector mode only) Fixed an issue where the vm_agent process restarted after an upgrade.

Fixed an issue where GlobalProtect (GP) portal authentication for satellites using RADIUS authentication failed due to the authentication timeout value being set to 0.

Fixed an issue where, after an upgrade, the total number of logout records in the HIP database incorrectly displayed as zero.

Fixed an issue where the devsrvr process experienced OOM conditions due to the show running application statistics CLI command, which caused the firewall to reboot.

(PA-450R and PA-450R-5G firewalls only) Fixed an issue where the maximum temperature threshold and shutdown threshold were not set correctly.

Fixed an issue where clients did not receive a valid response when when searching a website due to a compression error.

(Panorama appliances only) Fixed an issue where the configd process intermittently restarted, which caused Panorama to be temporarily unavailable.

Fixed an issue where DNS Security Category exceptions created with DNS category UTID were not ignored.

Fixed an issue on Panorama where the web interface performance was slower than usual when retrieving read-only configurations from Panorama.

Fixed an issue where HTTP/2 child streams were blocked by strict-ip-check zone protection when traffic passed through a transparent proxy.

Fixed an issue on the web interface where the IP Tag Quota(%) value displayed as 2 even when changed.

Fixed an issue where iPerf file transfers between a client and server were slower than expected when the firewall was involved in the traffic flow due to cfg.uplink-buffer-resize not being enabled by default.

Fixed an issue where a failover event caused packet loss due to a delay in the child error indication.

Fixed an issue where commits failed when a certificate with a cryptographic setting of RSA 4096 was used in the Syslog Service Profile due to the firewall being unable to decrypt the private key due to an incorrectly hardcoded private key length.

Fixed an issue where a software download job reported a completion timestamp that occurred before the software loading process was finished.

Fixed an issue where log forwarding to all syslog servers failed if one syslog server that used TLS as the protocol became unreachable.

Fixed an issue where configuring an HTTP profile to send Webhook alerts to Microsoft Teams failed with a 400 Bad request error when clicking Send Test Log .

Fixed an issue where the reportd process stopped responding when exporting CSV files when decryption logs were included in the unified logs.

Fixed an issue where the firewall experienced high disk space utilization, which caused the firewall to become non-functional.

Fixed an issue where the firewall bypassed Content Threat Detection (CTD) for sessions with STARTTLS large client hello out-of-order with No Decrypt.

Fixed an issue on firewalls running PAN-OS 11.1 and later PAN-OS releases where the portal and gateway configuration view did not display rows and columns.

Fixed an issue where the Elasticsearch cluster did not start after deploying dedicated log collectors in a multi-collector environment.

Fixed an issue where the DHCP process stopped responding when the firewall was configured as a DHCP relay agent.

Fixed an issue where ping commands from both the management plane and dataplane interfaces incorrectly prioritized IPv6 addresses over IPv4 addresses, even when IPv6 was disabled. This caused connectivity issues when pinging FQDNs that resolved to IPv6 addresses.

Fixed an issue where the Border Gateway Protocol (BGP) established time was displayed inaccurately due to a 32-bit counter wrapping issue.

Fixed an issue where GlobalProtect clients on macOS devices failed to connect when device name used newline character.

Fixed an issue where a firewall was only able to display a maximum of 14 permitted IP addresses from a Panorama Template Variable.

Fixed an issue where, when attempting to modify an Anti-Spyware profile via the web interface under a shared location, clicking the OK button displayed a console exception error.

Fixed an issue where firewalls became unstable and stopped responding, which resulted in an OOM condition.

Fixed an issue where the firewall generated high-severity system alerts indicating that the configuration size exceeded the maximum recommended size, even when the configuration size was within the expected limits.

Fixed a rare issue where the logrcvr process stopped responding, which caused the devsrvr process to restart.

Fixed an issue where, when the firewall was configured as an explicit proxy, connections were intermittently dropped.

Fixed an issue where SNMP traps messages were not sent after system startup.

Fixed an issue where searching configuration logs for an audit_uuid did not return a result if the rule was created with a clone operation.

Fixed an issue where, after an authd process restart, the username, password, and source IP address displayed in plain text on the console when attempting to log in via the web interface.

Fixed an issue on Panorama managed firewalls where, when the service route configuration was set to VLAN as the source, attempting to import the variable CSV into the template resulted in the validation error Failed to parse variable configuration file. This issue occurred because the system incorrectly validated the VLAN interface name in the service route configuration within the template.

Fixed an issue on HA clusters where, when link and path monitoring was configured and the failover condition was set to all, disconnecting and reconnecting monitored ethernet ports caused the firewall to switch to a nonfunctional role, which resulted in all interfaces except the HA interface going down.

Fixed an issue on firewalls with Advanced Routing Engine enabled where BGP route maps were not correctly configured for IPv6 next-hop selection. The firewall rejected the IPv6 configuration provided as the next hop due to an incorrect command sent to FRR (Free Range Routing).

Fixed an issue where all_pktproc process repeatedly restarted, which caused dataplane failure and loss of connectivity, including PAN-DB URL resolution. This occurred after a commit push from Panorama and resulted in the firewall becoming non-functional due to internal path monitoring failure and configuration memory exhaustion.

Fixed an issue where all data interfaces went down due to a Forward Error Correction (FEC) mode mismatch. The firewall defaulted to FEC Auto mode, while the peer Cisco switch was configured for FC-FEC.

Fixed an issue on the web interface where the Enable local inline categorization option in URL Filtering profiles incorrectly appeared as enabled by default.

Fixed an issue where the popup window did not appear as expected for Clientless VPN users.

Fixed an issue where the show session cache CLI command was unavailable on VM-Series firewalls with VM license types smaller than VM-200 when session resiliency was enabled.

Fixed an issue where set and edit commands took longer than expected when adding address objects with a large number of dynamic groups due to the completion cache being enabled. With this fix, the completion cache is disabled by default.

Fixed an issue in the URL filtering logs where the columns and the displayed contents did not match.

Fixed an issue where User-ID custom reports were unable to exclude IP address 0.0.0.0 when using the filter ip notin 0.0.0.0.

Fixed an issue where the firewall dropped client hello packets when decryption was enabled, which prevented access to certain websites. This occurred when the client hello packet was truncated, the accumulation proxy assumed that the first packet contains at least 5 bytes, or out-of-order packets were waiting in L4 TCP.

Fixed an issue where NAT pool leaks occurred during a test when RTSP traffic hit NAT rules.

Fixed an issue on M-600 line cards where the /var/log/messages file flooded with i40e 0000:81:00.1: ARQ: Unknown event 0x0000 ignored messages, causing the root partition to fill up and prevent PAN-OS upgrades.

Fixed an issue where, during software deployment from Panorama to multiple firewalls, some firewalls did not automatically reboot after the upgrade, even when Reboot device after install was selected. This was due to the Panorama timing out before the software deployment completed on the affected firewalls, which prevented the reboot request from being sent.

Fixed an issue where TLS connections failed to establish in asymmetric routing environments if the firewall did not see server-to-client (s2c) packets of the TLS handshake.

To use this fix, run the following CLI command: debug dataplane set ssl-decrypt accumulate-client-hello asym-disable yes.

Fixed an issue where accessing a URL from the browser returned the error message ERR_RESPONSE_HEADERS_TRUNCATED when the firewall was configured with TLS 1.3.

Fixed an issue where service routes configured to use a data plane interface incorrectly used the management plane interface for traffic transmission. This issue affected syslog and CRL status traffic when a custom service route was not configured.

Fixed an issue where the firewall used an unnecessary configuration lock when running operational commands.

Fixed an issue where changes made to the management interface permitted IP address list in a global template were not pushed to the template stack or firewalls.

Fixed an issue where, after an upgrade, GlobalProtect attempted to use the embedded browser instead of the default browser for gateway authentication even when it was configured to use the default browser.

Fixed an issue where authentication to GlobalProtect failed with the error message User not in allowed list.

Fixed an issue where commits failed after a long time during the Strata Cloud Manager onboarding process.

(Firewalls in HA configurations only) Fixed an issue where the configd process restarted during a configuration push from Panorama, which caused the active firewall to lose management access for 20-30 minutes.

Fixed an issue where the OCSP Signing purpose was not included in the Extended Key Usage field when a certificate was generated on the firewall with the OCSP responder called in the certificate. This caused the GlobalProtect connection to fail with the error Missing OCSP signing purpose in the ExtendedKeyUsage.

(VM-Series firewalls on Amazon Web Services (AWS) Gateway Load Balancer (GWLB) deployments only) Fixed an issue where the firewall did not display the correct source user in traffic logs and session details.

Fixed an issue where IPv6 BGP peering established between virtual routers even without dataplane connectivity. This occurred because the firewall used the kernel for lookups instead of the dataplane.

Fixed an issue on Panorama where custom reports displayed an incorrect log count with critical severity when the report filter was built with and without explicitly specifying severity as critical.

Fixed an issue where the firewall removed the Authentication Key Identifier (AKID) from the certificate during SSL decryption, which caused Python 3.13 to fail with a certificate verification error.

Fixed an issue where the number of registered IP Tags on Panorama did not match the number of registered IP Tags on the managed firewalls due to a change in file format between PAN-OS releases.

(VM-Series firewalls in AWS environments only) Fixed an issue where HA failover mode incorrectly changed from interface move to secondary IP move after a reboot.

Fixed an issue where the eproxy. process stopped responding when running a long duration test using IXload with hybrid SWG SAML authentication bypass for HTTPS payloads, which caused the proxy to become unreachable.

Fixed an issue where Panorama failed to upgrade due to duplicate path-monitor names configured across different static routes within the same virtual router or logical router.

Fixed an issue where moving an address object from a device group to shared and renaming it did not reflect in the address group, which caused commits to fail.

Fixed an issue with intermittent access and slower than expected loading times when accessing websites. This occurred when Anti-Spyware inline cloud analysis was enabled and the SSL Command and Control action was not either allow* or **alert and server hello packets were out of order.

Fixed an issue on Panorama where you were unabled to delete a shared object due to the rulebase incorrectly referencing the shared object instead of the device group-specific object when the name was used.

To use this fix, delete the original shared object after cloning it to a device group with the same name.

Fixed an issue where random characters were added to the proxy_authorization in HTTP messages when the firewall accessed certain services through a configured proxy server. This caused proxy server authentication to intermittently fail.

Fixed an issue where the CLI output in JSON format displayed incorrect bracket patterns.

Fixed an issue where WildFire reports were not fully displayed and were not downloadable due to static resources not being found.

Fixed an issue where the firewall stopped responding after upgrading to PAN-OS 11.0.2 with lockless-qos enabled.

Fixed an issue where adding an SD-WAN interface profile to an overridden interface on a template stack failed with an sdwan-interface-profile is invalid error.

Fixed an issue where the CLI command syntax was incorrect when configuring the deviceconfig values from the Template Stack.

Fixed an issue where the firewall unexpectedly rebooted when the show dns-proxy ddns interface name all CLI command was executed with the error Server error: op command for client dnsproxyd timed out as client is not available.

Fixed an issue where Panorama became unresponsive while performing a dynamic address update without a lock.

Fixed an issue where Panorama did not display license information for Cloud NGFW firewalls under (Device Deployment > Licenses) due to the inability to perform batch-license refreshes.

Fixed an issue where User-ID mappings were not correctly redistributed from Panorama to firewalls, causing some users to be identified as unknown, which prevented access to resources based on AD group membership.

Fixed an issue on the web interface where the Response Page action column was not accessible.

Fixed an issue where a warning message that pending changes were holding a commit lock failed to pop up before rebooting the firewall. This occurred when the upgrade was initiated directly on the firewall.

Fixed an issue on Panorama managed firewalls where SAML identity provider and Clientless Apps objects did not have override or revert options.

(Firewalls in HA configurations only) Fixed an issue where the confgid process and mgmtsrvr process restarted daily when processing a show rule-hit-count CLI command when retrieving Security policy rules for vsys1.

(Panorama appliances only) Fixed an issue where sequence numbers were lost when forwarded from Panorama, which resulted in missing or lost logs.

Fixed an issue where a dataplane restart was not triggered as expected when internal packet path monitoring failure occurred.

Fixed an issue where HTTP 503 server errors occurred while browsing websites due to slow Secure Web Gateway (SWG) bypass rule lookup.

(VM-Series firewalls only) Fixed an issue where, after an upgrade, the firewall was unable to send logs to the Strata Logging Service (SLS) when using a specific proxy server, and the SSL connection status displayed as failed when attempting to forward logs through the web proxy.

Fixed an issue where you were unable to to adjust the frequency of the Advanced Cloud Explorer (ACE) cloud fetch via the CLI.

Fixed an issue where a DPC on slot 3 failed intermittently due to the pktlog_forwarding process restarting, which resulted in an unexpected HA failover.

Fixed an issue where push operations from Panorama failed on passive firewalls when an application was removed from a Security policy rule and the policy rule was referenced in a device group.

Fixed an issue where the firewall did not perform certificate expiry validation during a commit, which resulted in successful authentication even when an intermediate certificate had expired.

Added a CLI debug command to increase the queue size to address file transfer errors.

Fixed an issue where the Logging Service License Status displayed as red even though a valid license was installed on the firewall.

Fixed an issue where the firewall did not properly update incremental update data maintained at the management plane when an IP address was part of both a Dynamic Address Group and an External Dynamic List (EDL). This resulted in the firewall not matching the expected Security policy rule and threat signature.

Fixed an issue where the firewall incorrectly assembled SIP NOTIFY and REFER messages when processing SIP TCP packets that contained a partial content-body from a previous SIP message and a complete header and content-body from the next SIP message.

Fixed an issue on Panorama where the request batch license info CLI command displayed entries for devices that were no longer attached to Panorama.

Fixed an issue where the Panorama interface template did not include the Forward Error Correction (FEC) setting.

Fixed an issue where SNMP scans to a firewall timed out after upgrading to a PAN-OS 10.2 release.

Fixed an issue where the displayed group name differed depending on whether the group was configured locally on the firewall or through Panorama.

Fixed an issue where the configuration version did not increment in the Audit Comment Archive after making changes to the Security policy rule with an audit comment and performing a commit. As a result, all subsequent changes were grouped under the same configuration version, which prevented the comparison of changes in the Rule Changes field of the Security policy rule.

(PA-5400 firewalls only) Fixed an issue where frequent BGP/BFD flaps occurred and HA2 keep-alives went down.

Fixed an issue on Panorama where commits took longer than expected due to the show object dynamic-address-group all CLI command holding the devicetable lock for an extended period.

(Panorama appliances on Microsoft Azure environments only) Fixed an issue where user to IP address mapping was missing for some users connected to specific Prisma Access gateways, which caused the collection layer Azure firewall to not form the mapping.

Fixed an issue where GlobalProtect cookie authentication failed with the error User is not in allow list.

Fixed an issue where the DNS exception displayed 0 instead of no result in the anti-spyware profile when no threat ID was available for a DNS security category.

Fixed an issue where informational logs caused the distributord process log file to be frequently overwritten.

Fixed an issue where session rematch caused ACE cloud application traffic to match the wrong policy.

Fixed an issue where auto-negotiation advertised and negotiated 10/100 half and full duplex.

(PA-5450 firewalls only) Fixed an issue where the DPC on slot 3 intermittently stopped responding due an all_pktproc restart.

Fixed an issue where PublicCloud Server certificate validation failed. Dest Addr: (null), Reason: self signed certificate in certificate chain generated as a high alert in the system log every 5 minutes.

Fixed an issue where the byte size reported in traffic logs differed from the byte size reported in Enhanced Application Logs (EAL) logs.

(VM-Series firewalls on Amazon Web Services (AWS) environments with GWLB integrated only) Fixed an issue where DNS queries timed out when overlay routing was enabled.

Fixed an issue where performing a factory reset caused the firewall to enter a continuous boot loop due to a failure in generating the global.xml configuration file.

Fixed an issue where the firewall displayed an incorrect maximum translated IP capacity when using DIPP NAT policy rules.

Fixed an issue on the web interface where you were unable to add Threat IDs to Signature Exceptions.

Fixed an issue where the firewall allowed cleartext web-browsing traffic on port 443 when the Security policy rule was configured to allow application: web-browsing with service: application-default.

Fixed an issue where the firewall dropped non-SYN TCP packets even when the Reject non-SYN TCP option was set to No when a session rematch was triggered.

Fixed an issue where the devsrvr process stopped responding, which caused the firewall to restart repeatedly.

Fixed an issue on the firewall where you were unable to configure more than 500 DHCP relay servers even though the supported limit was 4096.

Fixed an issue where the mib ID returned an incorrect value via SNMP.

Fixed an issue where the show user ip-user-mapping all option detail XML API command did not show the complete output.

Fixed an issue where the CSV export of disabled applications included duplicate entries, which caused the count of disabled applications to be higher in the CSV export than on the web interface.

Fixed an issue where the routed process stopped responding due to accessing freed memory from a hash table when the route vectors were resized. This occurred when a large number of static routes were configured.

Fixed an issue where, when using WildFire Private Cloud, the system log displayed the error message tls-X509-validation.

Fixed an issue where users were unable to log in to Panorama and the following error message was displayed: Timed out while getting config lock. Please try again. This occurred when pushing configurations to a large number of devices.

Fixed an issue where the firewall failed to connect to the update server with a customized service route when the source interface was set to MGT and the source address was set as IPv4.

Fixed an issue where the firewall was unable to connect to a syslog server that used a TLS certificate without a subject key identifier.

Fixed an issue where the Push Scope was not automatically displayed when you selected Commit and Pushes Changes Made by.

Fixed an issue where URL filtering response pages were not displayed for sites that were blocked as a result of SSL/TLS handshake inspection.

Fixed an issue where the firewall dropped inbount RTP traffic after using Webex Screen Sharing due to the firewall removing the NAT cache when the predict timed out, which caused a new NAT to be established that conflicted with existing sessions. To use this fix, run the CLI command set system setting ctd h323_rtp_predict timeout <120-3600> to increase the timeout limit.

Fixed an issue where the firewall generated AAAA DNS queries when IPv6 firewalling was disabled.

Fixed an issue where virtual machine interfaces displayed unknown for speed and duplex in the CLI and web interface.

(PA-5450 firewalls only) Fixed an issue where the useridd process repeatedly restarted.

Fixed an issue where OSPFv3 Link State (LS) update packets (type 9) were not fragmented properly, which caused the OSPF header to have an incorrect checksum when sent from the firewall. This occurred when the update packet size exceeded 1514 byte, which resulted in the peer device rejecting the packet and the neighbor relationship going down.

(PA-7000B Series firewalls with NPCs only) Fixed an issue where the gearbox on the NPC took multiple retries to get the NIF link up.

Fixed an issue where Auto Quarantine did not work when simplified logging was enabled.

Fixed an issue where a selective push was blocked when a configuration load was done.

Fixed an issue where AAAA DNS queries went out even when IPv6 firewalling was disabled.

PA-440 firewalls only) Fixed an issue where the firewall was unable to create more than 6 GlobalProtect gateways.

Fixed an issue where the firewall displayed incorrect policy cache usage and configuration memory usage during a commit, which caused the configuration commit to fail with a CONFIG_UPDATE_START error. This occurred when a large number of External Dynamic Lists (EDLs), shared addresses, and policy rules were configured.

Fixed an issue where the firewall consumed excessive CPU while processing traffic for a workload running on a GKE cluster, which caused reduced throughput.

Fixed an issue where the bytes transmitted and packet transmitted counters for hardware interfaces incorrectly displayed as 0 after a restart of slot-1.

Fixed an issue where Panorama template changes to the zone and virtual router were not pushed to managed firewalls when the template stack default virtual system was set to None.

Fixed an issue where task-debug logs remained on the debug level even after running the debug dataplane packet-diag set log off CLI command, which caused high dataplane CPU utilization.

Fixed an issue where Panorama was unable to generate PDF reports when the footer contained a GIF image.

Fixed an issue where a dataplane crash occurred in Inline Cloud Analysis action lookup because there were no vulnerability or antispyware profiles in the security policy rule.

(M-600 Appliances only) Fixed an issue where log collectors in a cluster stopped responding when running high load tests.

Fixed an issue where the firewall dropped GRE keepalive packets that were encapsulated under another GRE tunnel.

(Panorama appliances in HA configurations only) Fixed an issue where Panorama became unresponsive and displayed a 504 gateway timeout error when accessing the web interface or the CLI.

Fixed an issue where the URL Filtering settings on a firewall displayed an override icon even when no settings were overridden. This occurred due to the hold-client-request field did not have a default value and was set to False.

Fixed an issue where IPv4 BGP routes were not included in the routing table or FIB of a virtual router when ECMP was configured with more than two next hops.

Fixed an issue where not all IP-TAG logs were forwarded to Log Collectors.

Fixed an issue where the firewall displayed the incorrect rule name when a threat log was generated for Inline Cloud Analyzed CMD Injection Traffic Detection.

Fixed an issue where selective push operations from Panorama to managed firewalls failed with the error message Failed to generate selective push configuration. Schema validation failed. Please try a full push.

(PA-5400 Series firewalls only) Fixed an issue where the mp-monitor logs did not print disk SMART data.

Fixed an issue on the Panorama web interface where the template sync status showed Out-of-Sync for managed devices after a combined commit-all operation. This occurred due to Panorama sending the default MD5 sum of the template to the firewall instead of the correct MD5 sum.

Fixed an issue on Panorama where the ACC report for URL categories displayed inconsistent results for the same time range when run daily.

Fixed an issue where, when QoS was enabled on aggregate interfaces, the maximum aggregate interface throughput was capped, which limited network traffic. This occurred even with default QoS settings and no configured egress max-bandwidth.

Fixed an issue where commits failed when importing configurations to a device with a non-default master key.

Fixed an issue where the firewall did not establish a syslog connection to the probe VM syslog server in ADEM Regressions.

Fixed an issue where the show session cache all CLI command failed with the error message Server error : An error occured. See dagger.log for information.

Fixed an issue where autocommits failed due to an error unserializing the global object.

Fixed an issue where modifying the IPSec lifesize setting was not reflected when using Proxy-ID between two VM-Series firewalls.

(Panorama appliances in Panorama mode and Log Collector mode only) Fixed an issue where autocommits took longer than expected to complete.

(PA-7500 Series firewalls in a cluster configuration only) Fixed an issue where users were able to enable or disable certain configurations.

Fixed an issue where frequent session failures occurred due to CTD resource exhaustion.

Fixed an issue where the firewall closed the SSL connection to the user ID agent.

Fixed an issue where commits failed for policy rule changes if a large number of External Dynamic List (EDL) entries were present in a multi-vsys environment.

Fixed an issue on the Panorama web interface where you were unable to add static IPv6 address entries to a logical router in a cluster template stack.

Fixed an issue where the SNMP get request status value for Panorama connections was incorrect.

Fixed an issue where SNMP walk reported incorrect interface speeds.

Fixed an issue where EW dynamic address groups were not created in Panorama when using NSX plugin 5.0.1 and NSX manager 4.1.0.

Fixed an issue where CIE validation checks on the firewall prevented configuration pushes from Panorama, which resulted in commit failures during new firewall deployment. This occurred when a template with an Authentication Profile with the Authentication Type as Cloud Authentication Service was pushed to a newly deployed firewall without internet access or without a device certificate.

Fixed an issue where the CLI command to set the target virtual system accepted a non-existent virtual system name, and the CLI prompt incorrectly changed to the non-existent virtual system.

Fixed an issue on Panorama where the GlobalProtect app version was displayed incorrectly in the ACC tab.

Fixed an issue where hardware interface counters read from the CPU did not incrementing for member interfaces after a Link Aggregation Control Protocol (LACP) bundle was formed in an aggregate ethernet interface.

Fixed an issue where firewalls did not use the Application Command and Response (ACR) functionality for cloud management, which caused connections to cloud management to drop after a commit.

Fixed an issue with firewalls with SD-WAN policy rules and GlobalProtect gateway configurations where enabling GlobalProtect on a loopback interface caused an issue where IPSec tunnel traffic from the gateway to the client dropped intermittently.