Fixed an issue where XML API commands failed with a Method not found (policy_xml) error in dagger.log. The issue was due to missing XML-related functions for inline-cloud-proxy and session-distribution commands in dagger files handling.

Fixed an issue where a local commit on a firewall breaks template stack overrides, preventing the enabling of LACP (Link Aggregation Control Protocol). After a local commit, the LACP enable check was unexpectedly unchecked, causing an outage. Attempting to re-enable LACP through the web interface was unsuccessful, requiring manual removal of the LACP configuration from the Panorama CLI.

Fixed an issue where a dataplane crash occurred when traffic matched Inline Cloud Analysis pre-filtering signatures, even when Inline Cloud Analysis features were not enabled.

Fixed an issue where attempting to generate reports in a WildFire FIPS Private Cloud or WF-500 deployment returned 401 errors.

(FIPS CC mode enabled only) Fixed an issue where Panorama on GCP reboots every hour after upgrading to 11.1.6-h10. Panorama will run for up to an hour and then crash.

Fixed an issue where decryption exclusion lists were not working for untrusted certificates, and SSL sessions were still being decrypted even after adding them to the exclusion list. This occurred because the firewall was not adding sessions to the exclude cache until after receiving a non-RFC alert (BadCertificate) from the server. The fix ensures that the first session is added to the exclude cache, allowing subsequent sessions to skip decryption. This issue affects firewalls configured as clients in server-client communication.

Fixed an issue where static routes remained active in the FIB and RIB even when the associated physical port interface was down, which resulted in traffic being incorrectly routed through a non-operational interface.

Fixed an issue where, after upgrading Panorama and Log Collectors, tunnel logs were not visible in Panorama or Splunk even though traffic and threat logs were received.

Fixed an issue where firewalls with the Send handshake messages to CTD for inspection setting enabled caused incorrect security policy rules to be matched. Specifically, traffic not identified as openai-base or openai-chatgpt applications was incorrectly matched by the ALLOW-OPEN-AI-FULL-ACCESS-URLS-ALERTS rule. Additionally, the expected response page for blocked URLs was not displayed.

Fixed an issue where firewalls and Panorama management servers were unable to view or download WildFire reports from a WF-500 appliance, resulting in a 401 error in the report tab.

Fixed an issue where TFTP file transfers intermittently timed out in active-active HA pairs when the TFTP control channel was processed by one firewall and the data channel was processed by the other. This occurred because the firewall receiving the data channel failed to match the predicted session due to asynchronous processing of HA messages.

Fixed an issue where Panorama was unable to retrieve userid logs from the firewall for subscribed user-ip-mappings after Panorama was rebooted.

Fixed an issue where the firewall rebooted unexpectedly due to a pan_task process restart related to page allocation failures.

Fixed an issue where a memory leak occurred on the reportd process when a WildFire update was initiated while device telemetry data collection was in progress. This resulted in an OOM condition.

Fixed an issue where, after upgrading firewalls to PAN-OS 11.1.6-h1, certain websites weren't accessible when the accumulation proxy was enabled. The proxy did not use the same DF bit state as the original traffic, causing it to be fragmented and dropped elsewhere in the network.

Fixed an issue where firewalls configured in vwire mode modified DSCP values from AF11 to CS0 on traffic passing through the firewall, even when QoS policy rules and DSCP rewrite settings were not configured.

Fixed an issue where IPv6 traffic was affected after upgrading the firewall to PAN-OS 11.1.6-h4 and later versions. With SSL decryption enabled and a decryption policy configured for the traffic, the firewall dropped packets due to receiving a Packet Too Big ICMP message. This occurred because the PathMTU information update was incorrect for the TCB (pan-server) when the firewall was acting as a server. Additionally, the flow label under the IPv6 header was set to zero while the packet was being transmitted out of the firewall.

Fixed an issue where content loading issues occurred on IPv6 websites due to the firewall incorrectly setting the IPv6 header flow label to 0.

Fixed an issue where the logrcvr process crashed on PA-7050 firewalls due to system log processing threads becoming blocked when the queue was full. This resulted in a heartbeat failure.

Fixed an issue where the firewall experienced high disk space utilization, which caused the firewall to become non-functional.

Fixed an issue where the Elasticsearch cluster did not start after deploying dedicated log collectors in a multi-collector environment.

Fixed an issue where the XML API and REST API failed to run commands and displayed an error.

Fixed an issue where the firewall stopped responding when a DNS client closed or reset a TCP connection while the firewall was sending a response.

Fixed an issue where WildFire reports were not fully displayed and were not downloadable due to static resources not being found.

Fixed an issue where the reportd process stopped responding with a SIGSEGV at schedule_report_es_response.

Fixed an issue where a dataplane crash occurred in Inline Cloud Analysis action lookup because there were no vulnerability or anti-spyware profiles in the security policy rule.

(Panorama appliances in Panorama mode and Log Collector mode only) Fixed an issue where autocommits took longer than expected to complete.