PAN-OS 11.1.7-h2 Addressed Issues

PAN-OS® 11.1.7-h2 addressed issues.
PAN-OS 11.1.7-h2 is limited to PA-7500 firewalls only in our Customer Support Portal.
Issue ID
Description
PAN-290996
Fixed an issue where SNMP walks returned a value of 0 for the CPS (Connections Per Second) per vsys on firewalls after upgrading to PAN-OS 11.1.6-h3, even when active connections were present.
PAN-289304
(PA-7500 firewalls only) Fixed an issue where SNMP polling failed due to the snmpd process becoming unresponsive to incoming requests, which resulted in high CPU usage.
PAN-289102
(PA-7500 Series, PA-5410, PA-5420, PA-5430, PA-5440, PA-5445, PA-3400 Series, PA-1400 Series, PA-400 Series, VM-Series, and CN-Series firewalls only) Fixed a race condition issue related to predict processing, which resulted in a dataplane restart and traffic loss.
PAN-286897
Fixed an issue where the pan_task process stopped responding when the firewall attempted to forward files to the WildFire public cloud, which caused the dataplane to experience heartbeat failures.
PAN-286306
Fixed an issue where, when getting transceiver information from ESCC for SFP 25G modules, the transceiver code was incorrectly updated with Unknown instead of 25GBase-SR.
PAN-286255
Fixed an issue where, when the firewall received an unexpected termination request for SSL sessions, the dataplane experienced a slow buffer resource leak.
PAN-285941
Fixed an issue where high memory consumption occurred on the logrcvr process.
PAN-285651
(Panorama appliances in active/passive HA configurations on Microsoft Azure environments only) Fixed an issue on Panorama that caused firewalls to disconnect unexpectedly.
PAN-285597
Fixed an issue where a routed process memory leak occurred when advanced routing was enabled.
PAN-285590
(VM-Series firewalls on Amazon Web Services (AWS) GWLB environments only) Fixed an issue where the firewall CPU usage reached 100% after upgrading to PAN-OS 11.1.6-h1.
PAN-284116
Fixed an issue where mTLS decryption bypass did not work when the decryption profile was configured with the maximum TLS version as TLS 1.3.
PAN-284066
Fixed an issue where, after an upgrade, the SNMP polled values for IF-MIB::ifInErrors displayed a high number of errors that did not match the values in the CLI show interface command.
PAN-283789
(Firewalls in HA configurations only) Fixed an issue where, after an upgrade, the mac receive error counter in receive incoming errors increased, which resulted in SNMP alerts.
PAN-283467
(PA-3400 Series firewalls only) Fixed an issue where the firewall unexpectedly rebooted and entered maintenance mode due to a ctd-agent out-of-memory (OOM) condition. This occurred during advanced services load testing and a high volume of IoT EAL log forwarding.
PAN-282391
(Panorama appliances and Log Collectors only) Fixed an issue where a VLD memory leak caused increased memory use, which resulted in OOM errors.
PAN-282236
Fixed an issue where large IPv6 packets were reassembled incorrectly on the firewall when the packets arrived fragmented over an IPv4 tunnel.
PAN-282206
Fixed an issue where configuring Secure Web Gateway (SWG) in no-auth mode led to latency when no decryption policy rules or No-decrypt policy rules were present.
PAN-282069
Fixed an issue on Panorama where Security policy rules were removed from device groups when you cloned or edited Security policy rules that used more than 63 characters.
PAN-282022
Fixed the support limitation for the Panorama M-600 and M-700 appliances.
PAN-281885
Fixed an issue where, when exporting and importing CSV files, the hash values of pre-shared key variables set at template and template stack levels changed inconsistently, which resulted in both variables displaying the same hash value.
PAN-281649
Fixed an issue where the index size limit was incorrectly calculated and indices rolled over earlier than expected, which resulted in high memory and OOM errors.
PAN-281269
(PA-5420 firewalls) Fixed an issue where the firewall management server memory usage continuously increased.
PAN-281264
Fixed an issue where the routed process memory usage continuously increased when Advanced Routing was enabled.
PAN-280942
Fixed an issue where the logrcvr process stopped responding.
PAN-280698
Fixed an issue where the firewall removed the TCP timestamp from client hello messages that did not fit in a single packet, which resulted in connection issues.
PAN-280505
Fixed an issue where the web interface did not display a message to commit prior changes before attempting a partial configuration load.
PAN-280477
Fixed an issue on the web interface where you were unable to scroll up or down to view source zones in a NAT policy rule.
PAN-280471
Fixed an issue where navigating Panorama > Monitor > Logs was slower than expected.
PAN-280243
Fixed an issue where the firewall lost the pre-shared key configuration assigned from a PSK variable when an unrelated device group configuration was loaded.
PAN-279983
(PA-1400 Series firewalls only) Fixed an issue on the web interface where Enable Bonjour Reflector was not displayed (Network > Interfaces > Ethernet Interface).
PAN-279746
Fixed an issue where SMTP packets were not sent out when the Client Hello arrived at the firewall in multiple out-of-order segments and the traffic was not subject to SSL decryption.
PAN-279691
(Firewalls in active/passive HA configurations only) Fixed an issue where the firewall didn't synchronize IPSec SAs (security associations) to the passive firewall if the tunnel was not initially established by the active firewall.
PAN-279621
Fixed an issue where processes stopped responding when HTTPS Forward traffic was run.
PAN-279336
Fixed an issue where the CLI did not display a message to commit prior changes before loading a partial configuration.
PAN-279191
Fixed an issue where a GlobalProtect gateway stopped responding when handling HTTP/1.1 traffic with web inspection enabled.
PAN-279176
Fixed an issue where the configuration audit displayed inaccurate information after partially loading the configuration via the CLI, which caused the audit to flag the configuration as deleted or changed.
PAN-279065
Fixed an issue where the firewall sent logs with connection succeeded to the syslog server every time a connection was established, which resulted in excessive logs.
PAN-278296
Fixed an issue where the system MAC address of the aggregate interface was the same on the active firewall and the passive firewall after an upgrade.
PAN-278088
Fixed an issue where the show system resources follow CLI command was not available.
PAN-277762
(VM-Series firewalls only) Fixed an issue where unexpected failovers occurred on firewalls running PAN-OS 11.2.2-h2.
PAN-277631
Fixed an issue where the logrcvr process discarded logs due to a full queue.
PAN-277417
Fixed a memory leak issue related to TLS inbound decryption.
PAN-276062
Fixed an issue where importing a firewall with a large number of address objects into Panorama did not work and remained at 99% completion.
PAN-275905
Fixed an issue where the Panorama web interface was slower than expected and Elasticsearch CPU usage was high.
PAN-275718
Fixed an issue where Panorama stopped forwarding logs to a Syslog server after upgrading to PAN-OS 11.1.5-h1.
PAN-275713
Fixed an issue where the dscd process stopped responding when Endpoint Serial Number was enabled, which resulted in the Active Directory returning a list of serial numbers for a specific firewall from the Cloud Identity Engine.
PAN-275077
Fixed an issue where DNS Security intermittently logged malicious domain URLs as Alert instead of taking a Sinkhole action, even when configured to Sinkhole malicious DNS domains.
PAN-275032
(M-600 appliances only) Fixed an issue where the Elasticsearch cluster certificate (CC) status displayed with a past expiration date, which caused all shards to be unassigned.
PAN-274791
Fixed an issue where the firewall might reboot when traffic matches with certain Advanced features (such as Advanced Threat Prevention and Advanced URL Filtering with properly configured URL Filtering/Anti-Spyware/Vulnerability security profiles) and Shared Pool Type 32 becomes depleted.
PAN-274750
Fixed an issue where the detailed log view in Panorama did not display all packet details for traffic logs received from the cloud.
PAN-274671
Fixed an issue where empty traffic logdb folders were generated for each day even when traffic logs were not received by the logrcvr process.
PAN-274592
(Firewalls in HA configurations only) Fixed an issue where the firewall did not fail over when the active firewall experienced data plane issues.
PAN-274570
Fixed an issue where the devsrvr process restarted after a failed commit due to an invalid memory access.
PAN-274314
(PA-1400 Series firewalls, PA-3400 Series firewalls, and PA-5400 Series firewalls only) Fixed an issue where, when the pan_task process restarted, control plane packets were dropped, which could impact LACP and pings to host interfaces.
PAN-273949
Fixed an issue where the firewall generated the following error message in the snmpd logs: pan_get_keystr_from_cryptod(pan_snmpinterface.c:181): Key X2F1dGhfa2V5 import from cryptod failed.
PAN-273694
Fixed an issue where the firewall rebooted due to an out-of-bounds memory access that occurred as a result of the SIP content length value being split across packets.
PAN-273453
Fixed an issue where restarting the firewall did not initiate an autocommit job, which caused the firewall to stop responding and the HA interface to go down.
PAN-273422
Fixed an issue where traffic failed when Inline cloud analysis (Advanced Threat Prevention) was enabled in the Anti-Spyware profile with the action set to anything other than allow or alert and the maximum latency condition was reached.
PAN-273308
A fix was made to address CVE-2025-0130.
PAN-273141
Fixed an issue where GlobalProtect clients experienced slow file transfer download throughput when passing through an IPSec tunnel.
PAN-273129
Fixed an issue on the web interface where the negate option was visible when you clicked on the rule name, but not when you viewed the target options from the rulebase attribute.
PAN-273026
Fixed an issue where traffic logs did not display correctly when filters were applied.
PAN-273021
Fixed an issue where 25G port links did not come up due to a change in the handling of 25G DAC modules.
PAN-273019
Fixed an intermittent issue where SSL decryption failed.
PAN-272812
Fixed an issue where SNMP monitoring of tunnel interfaces displayed zero values for received bytes and packets.
PAN-272746
(PA-440 firewalls only) Fixed an issue where the firewall entered an unstable state after committing changes or onboarding to Panorama.
PAN-272605
Fixed an issue where the firewall did not display VPC endpoints when there was a large number of VPC endpoint to interface mappings.
PAN-272171
Fixed an issue where the firewall dropped the AAAA DNS server response and caused delays in traffic from Ubuntu or Linux clients when DNS Security was enabled.
PAN-272085
Fixed an issue where the firewall unexpectedly stopped responding and rebooted when DoH was enabled for DNS Security and multiple DoH transactions were sent in a single HTTP/1 connection.
PAN-271915
Fixed an issue where the push scope did not populate when attempting to push a policy to a device group.
PAN-271723
(Firewalls in HA configurations only) Fixed an issue where the all_task process stopped responding, which caused the passive firewall to repeatedly reboot.
PAN-271701
Fixed an issue where Advanced Services, App-ID Cloud Engine (ACE), and Enhanced Application Log stopped working due to incorrect memory usage accounting, which caused memory usage to remain at 99% after an extended period of time.
PAN-271700
Fixed an issue where User-ID connections were lost after an HA failover.
PAN-271560
Fixed an issue where DNS requests to malware sites were not blocked as expected, and the dns-security-categories log-level and action displayed default values instead of unavailable.
PAN-271498
(PA-7000 Series firewalls, PA-5200 firewalls, and PA-5400f firewalls in FIPS mode only) Fixed an issue where decrypted traffic repeatedly failed and frequent reboots were required.
PAN-271351
A fix was made to address CVE-2025-0116.
PAN-271273
Fixed an issue where the all_task process stopped responding with a SIGABRT.
PAN-271151
Fixed an issue where the GlobalProtect client did not automatically initiate a Kerberos SSO connection after logging in to Windows.
PAN-270849
Fixed a memory leak issue related to the configd process that occurred when running consecutive commits for multiple days.
PAN-270744
Fixed an issue where API calls to Panorama failed with the error Server error : Timed out while getting config lock. Please try again.
PAN-270379
Fixed an issue where socket files created in the /tmp directory were not cleared.
PAN-270248
Fixed an issue where the firewall failed to forward logs to a SNMP trap server if the SNMP manager IP address was unable to be resolved.
PAN-270193
Fixed an issue where the Panorama management server changed its certificate authority (CA) unexpectedly, which caused managed firewalls to disconnect.
PAN-269737
Fixed an issue where the following critical error displayed repeatedly: /mnt/cdrom is mounted as Read-Only.
PAN-269291
Fixed an issue where the scheduled report generation script did not return debug information.
PAN-269193
Fixed an issue where the firewall redirected the user to the first application instead of the portal page with a list of applications when multiple applications were configured for GlobalProtect clientless VPN along with any user match.
PAN-269139
(Firewalls with DPDK enabled in Azure, GCP, AWS, and KVM environments only) Fixed an issue where, after an upgrade to PAN-OS 11.1.4, the mac receive error counter increased without an error even though traffic was not impacted.
PAN-269091
Fixed an issue where the varrcvr process stopped responding.
PAN-269052
Fixed an issue where traffic was blocked by a URL filtering profile even though the Security policy rule did not have a URL filtering profile configured.
PAN-269027
Fixed an issue related to external dynamic lists that caused commit times on the firewall to be higher than expected.
PAN-268909
Fixed an issue where IP address tags were removed from firewalls after a management server or useridd process restart. This occurred when a Panorama serial-number based configuration was used for User-ID redistribution.
PAN-268800
Fixed an issue where a large number of logs caused the logrcvr process to stop responding.
PAN-268705
Fixed an intermittent issue where the firewall failed to process FTP traffic after upgrading to PAN-OS 10.1.14.
PAN-268629
Fixed an issue where traffic did not match the correct security policy when using an application-filter that referenced a cloud application. This occurred when a high number of cloud applications were attached with a custom tag.
PAN-268614
Fixed an issue on the web interface where all rules were highlighted when a read-only admin user clicked the Highlight Unused Rules checkbox.
PAN-268279
Fixed an issue where autocommits failed if the management IPv6 gateway was the same as the dataplane interface IP address.
PAN-268127
Fixed an issue where tagging devices in Panorama did not work as expected.
PAN-268118
Fixed an issue on firewalls in active/passive HA configurations where, after a failover, irrelevant routing FIB entries were seen in the routing table on the newly active firewall.
PAN-267995
Fixed an issue where, after migrating to a new platform, DLP verdicts were not displayed in the Cloud Manager or logs.
PAN-267671
Fixed an issue where the firewall rebooted unexpectedly due to the all_task process restarting with an OOM condition due to a memory leak on the reportd process.
PAN-267518
Fixed an issue where WildFire submission logs incorrectly reported allowed malicious samples even when they were blocked by threat prevention profiles.
PAN-267444
Fixed an issue where large file downloads or uploads failed or remained in an incomplete state when using DLP HTTP2 mirror mode.
PAN-267204
Fixed an issue where Panorama port 9300 did not adhere to restricted TLS versions and ciphers.
PAN-266695
Fixed an issue on Panorama where a cyclic nested address group configuration caused the configd process to stop responding after a commit.
PAN-266559
Fixed an issue where partial commits failed when objects that were referenced in a high number of Security policy rules were renamed.
PAN-266354
Fixed an issue where Hybrid-SWG explicit proxy connections failed when the number of destination domains exceeded 1024.
PAN-266116
Fixed an issue where URLs did not work due to certificate revocation list (CRL) requests failing.
PAN-265745
Fixed an issue where the firewall displayed incorrect MAC receive error counters for VMWare devices hosted in ESXi.
PAN-264477
Fixed an issue where the firewall did not start Elasticsearch after a commit if Elasticsearch was not previously enabled and started.
PAN-264423
Fixed an issue where the firewall sent a 503 response when a client connected to a web server when the firewall was configured as a web proxy and authentication bypass for Kerberos was enabled.
PAN-263291
Fixed an issue where Microsoft Outlook did not work as expected when the GlobalProtect clientless VPN was configured.
PAN-262063
Fixed an issue where the firewall did not display the converted configurations before a commit and reboot, and the commit failed when attempting to migrate from MS to FRR mode.
PAN-261998
Fixed an issue where the firewall configuration process restarted during an External Dynamic List refresh or a commit and push operation.
PAN-261825
Fixed an issue where traffic was dropped when Data Loss Prevention or Advanced URL Filtering were enabled. This occurred when the payload size was greater than 3.5 KB.
PAN-261739
(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where the firewall displayed 0 for the physical port counters read from MAC.
PAN-261597
Fixed an issue where the all_pktproc process stopped responding, which caused the firewall to become unavailable.
PAN-261429
Fixed an issue where the show auth radius-require-msg-authentic CLI command displayed no output.
PAN-261312
Fixed an issue where a commit for a policy and configuration dump overlapped, which resulted in a null pointer exception.
PAN-260300
(PA-5410, PA-5420, PA-5430, PA-5440 and PA-5445 firewalls only) Fixed an issue related to the all_pktproc process where DPC slot 3 stopped responding.
PAN-260149
Fixed an issue where the management plane DNS cache size was lower than expected.
PAN-260059
Fixed an issue where Device Telemetry Regions did not show up with the latest content due to content files not being parsed for the region list when Telemetry was turned off.
PAN-260015
Fixed an issue on the firewall where the dataplane restarted due to insufficient allocation of memory buffers.
PAN-259767
Fixed an issue where GlobalProtect users were unable to connect when the option Block sessions if the certificate was not issued to the authenticating device was enabled in the certificate profile.
PAN-259076
Fixed an issue where the firewall displayed an OCSP/CRL check failure when accessing websites.
PAN-258743
Fixed an issue where, when you attempted to select a redistribution profile when creating a BGP Redistribute policy rule, the firewall displayed an empty dropdown.
PAN-258680
Fixed an issue on Panorama where, when you removed Security profile groups from a Security policy rule via the CLI and committed the change, the Security policy rule was deleted.
PAN-258570
Fixed an issue where the firewall might reboot unexpectedly due to the varrcvr process progressively using more memory when WildFire file forwarding is handling PE files.
PAN-257183
Fixed an issue where the firewall dropped DNS traffic when using DNS Security.
PAN-256904
Fixed an issue where the firewall inconsistently blocked URLs due to intermittent URL category misidentification.
PAN-256867
Fixed an issue where the logrcvr process stopped responding while processing session logs for forwarding to the LFC.
PAN-255914
(VM-Series firewalls on Amazon Web Services (AWS) environments only) Fixed an issue where a newly bootstrapped firewall required a management server restart, relicensing, or license push from Panorama to invoke the device certificate.
PAN-255619
Fixed an intermittent issue where file downloads from websites failed when decrypting HTTP/2 traffic.
PAN-254293
Fixed an issue where an explicit proxy caused intermittent SSL handshake failures to SAP applications accessing public URLs.
PAN-253778
(PA-7500 Series firewalls in a cluster configuration only) Fixed an issue where users were able to enable or disable certain configurations.
PAN-253127
Fixed an issue where, after upgrading to PAN-OS 11.0.2-h3, the hardware pool DFLT became highly utilized, and the packet buffer gradually increased.
PAN-251724
Fixed an issue where users matched incorrect Security policy rules with a HIP profile.
PAN-248157
Fixed an issue where the firewall showed three different sets of name validation rules when generating, importing, or editing a certificate.
PAN-245064
(Multi-vsys firewalls only) Fixed an issue where commits failed on the firewall after selecting Export or push device config bundle on Panorama and a force push was required.
PAN-235733
Fixed an issue where the displayed NTP information was incorrect if the DNS servers timed out.
PAN-234993
Fixed an issue where CPU base gateway auto-scaling failed, which caused performance issues.
PAN-233868
Fixed an issue where the firewall took an incorrect action for overlapping custom and edl-url-categories in a policy rule.
PAN-216054
Fixed an issue that caused the firewall fan speed to increase while it was idle.