PAN-OS 11.2.11 Addressed Issues

PAN-OS® 11.2.11 addressed issues.
Issue ID
Description
PAN-316911
(VM-Series firewalls on Amazon Web Services (AWS) environments only) Fixed an issue where a newly bootstrapped firewall required a management server restart, relicensing, or license push from Panorama to invoke the device certificate.
PAN-314142
Fixed an issue where establishing log forwarding connections to the Strata Logging Service (SLS) took longer than expected, which resulted in delayed log visibility on SLS.
PAN-313623
Fixed an issue where the /opt/pancfg/mgmt/ssl/private/ directory on Palo Alto Networks devices with TPM support became 100% utilized due to an accumulation of undeleted .pub_pem files. This occurred because executing the show device-certificate status CLI command initiated a process that generated these files but failed to remove them, which prevented the fetching of new device certificates.
PAN-313572
(VM-Series firewalls only) Fixed an issue where the dataplane restarted due to a segmentation fault.
PAN-313258
Fixed an issue where PIM multicast routing failed on appliances with advanced routing enabled.
PAN-312706
Fixed an issue where the firewalls restarted due to a function lacking a NULL-pointer sanity check.
PAN-312618
Fixed an issue where the firewall was unable to activate GlobalProtect client software and displayed SW LIMIT messages related to max-profiles and unsupported major and minor versions in the downgrade list, which prevented successful software installation.
PAN-311524
Fixed an issue where config-lock was not displayed on the web interface.
PAN-311412
Fixed an issue where the show advanced-routing resource CLI command failed to execute successfully when invoked through the XML API and returned an error message.
PAN-311261
Fixed an issue where the firewall generated duplicate URL Filtering logs due to an error condition when the new XFF feature was enabled.
PAN-311250
(Panorama appliances and Log Collectors only) Fixed an issue where logs from multiple devices were not visible on Panorama even though the Elasticsearch health status on the dedicated Log Collectors appeared green.
PAN-311074
Fixed an issue where GRE tunnels took significantly longer to establish when the hold timer was configured to a value of 10 or higher, which resulted in a tunnel requiring more successful keepalive packets than expected to transition to an Up state.
PAN-311073
(Panorama managed firewalls in HA configurations only) Fixed an issue where firewalls incorrectly updated the modified date and MD5 hash of policy rules during an HA sync commit job or a subsequent local commit, even when no changes were made to the policy rules.
PAN-310868
Fixed an issue where PA Explicit proxy blocked ICMP packets from flowing towards Envoy for Geneve due to the router not clamping MSS when the MTU was lower in the path.
PAN-310499
Fixed an issue on Panorama where, while configuring an Application Filter with Generative AI tags, the web interface did not retain application exclusions that were added across multiple pages until you clicked OK.
PAN-310263
(VM-Series firewalls only) Fixed an issue where enabling TLS1.3 in a decryption profile prevented access to websites.
PAN-309853
(Firewalls with FIPS-CC enabled only) Fixed an issue where, when attempting to make changes to the GlobalProtect portal, an error message was displayed and configuration updates failed.
PAN-309831
Fixed an issue where an AI Runtime Security Firewall rebooted when processing Cursor traffic.
PAN-309826
(VM-Series firewalls only) Fixed an issue where files from SSL decrypted sessions were incorrectly forwarded to the WildFire cloud for analysis even when Allow Forwarding of Decryption Content was disabled.
PAN-309459
Fixed an issue where on PA-5420 firewalls, configuring security rules with a number of static IMSI/IMEI/NSSAI entries exceeding 5,000 resulted in a commit failure. This occurred because the firewall incorrectly reported the maximum supported static IMSI/IMEI/NSSAI IDs as 5,000 (as seen in the cfg.mobile-nw-id.max-static-entries system state variable), instead of the documented limit of 100,000 for the platform.
PAN-309392
Fixed an issue where the scroll bar did not appear when editing Destination Addresses for Policy Based forwarding policy rules.
PAN-309379
Fixed an issue where the logrcvr process stopped responding on DPCs, which prevented logs from being forwarded.
PAN-309300
Fixed an issue where management plane system resources configuration size exceeded 28 MB for over 4 hours, and the following error message was displayed: Configuration size reaching device capacity limit.
PAN-309258
Fixed an issue where you were unable to delete a HIP object with OR in the name, even though you were able to successfully create and commit the object.
PAN-309009
Fixed an issue where log ingestion stopped on the Elasticsearch cluster when the number of open shards was significantly higher than the number of data nodes.
PAN-308902
Fixed an issue where, after upgrading to an affected release, the firewall did not add mTLS websites that required client certificate authentication via DN list to the ssl-decrypt exclude-cache list.
PAN-308786
(Panorama appliances only) Fixed an issue where traffic log queries using the device_name filter returned no results, and complex log queries that included negation operators produced incorrect outputs.
PAN-308727
Fixed an issue where traffic logs for Remote Networks displayed the source zone as trust instead of the remote network name.
PAN-308668
Fixed an issue on Prisma Access Remote Network firewalls where high CPU utilization caused slowness and command timeouts.
PAN-308654
Fixed an issue where the Elasticsearch Close Indices process closed more indices than expected and dropped the number of open shards below the minimum of 800 per Elasticsearch instance. This occurred because the process did not correctly account for the number of Elasticsearch instances when calculating the maximum number of allowed open shards.
PAN-308606
Fixed an issue where traffic was blocked due to a mismatch between the URL category specified in the Security policy rule and the URL filter profile when custom URL categories with the same FQDN were configured.
PAN-308468
Fixed an issue where the firewall rebooted due to the all_task process restarting.
PAN-308418
Fixed an issue where, when Advanced DNS Security was enabled and experienced unusually high loads, DNS resolution failures occurred with the error resources-unavailable.
PAN-308377
(PA-7050 firewalls in HA configurations only) Fixed an issue where the firewall reached 100% disk utilization due to the logrcvr process repeatedly restarting and dumping core files due to a blocked hints processing thread, which caused a failover.
PAN-308261
Fixed an issue where the firewall failed to send SNMPv3 traps when the SNMP destination was configured with an FQDN that resolved to multiple IP addresses through DNS load balancing.
PAN-308085
(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where, after resizing the VM, the HA2 link became unstable. Frequent keep-alive failures occurred, and HA2 keep-alive packets were simultaneously transmitted to multiple destination MAC addresses and the peer firewall's interface MAC. This issue occurred on firewalls with Accelerated Networking enabled.
PAN-308060
(Firewalls in active/active HA configurations only) Fixed an issue where the BFD session went down and did not recover even though the BGP remained in an established state, which caused the firewall to cease route learning and advertisement with the peer, even though BGP keep-alives were exchanged correctly.
PAN-307901
Fixed an issue where a leak in decryption counters caused resource exhaustion, which led to a GlobalProtect service outage.
PAN-307893
Fixed an issue where the Strata Cloud Manager (SCM) web interface failed to fetch External Dynamic List (EDL) details from Prisma Access and displayed the error message Could not fetch the EDL main info. This occurred because the XML query returned an external list authentication failed response when the EDL entry lacked a valid certificate.
PAN-307806
Fixed an issue where, after replacing the MPC (Management Processor Card) on a firewall, the logdb process incorrectly wrote logs to the root partition instead of the /opt/panlogs partition, which led to high root partition usage and a non-functional state.
PAN-307795
Fixed an issue where Panorama incorrectly generated system logs indicating a lost connection to its peer after an upgrade even when High Availability was not configured.
PAN-307773
Fixed an issue on Panorama where enabling Post-Quantum Pre-Shared Key (PPK) within an IKE Gateway profile that was configured as a part of a template stack failed or was inconsistent when attempted via the web interface, even when the keys were properly configured.
PAN-307714
(VM-Series firewalls only) Fixed an issue where insufficient i-node space was available on the sysroot0 partition.
PAN-307702
(Firewalls in HA configurations only) Fixed an issue where traffic passing through AE layer 2 interfaces was interrupted during HA failovers.
PAN-307597
Fixed an issue where BGP peering sessions between a hub firewall and a satellite firewall over GlobalProtect LSVPN failed to connect.
PAN-307453
Fixed an issue for Panorama management servers where commit push failed when customer_info status was a failure received from the orchestrator, which prevented the system from processing and validating the specified telemetry region correctly during the commit.
PAN-307072
Fixed an issue where SNMP interface speed reporting incorrectly identified 5Gbps interfaces as 1Gbps interfaces during an SNMP walk.
PAN-307066
Fixed an issue where static DNS entries that were configured on the firewall failed to resolve for client machines when DNS over TLS (DoT) was enabled on the firewall DNS proxy for both client and server settings.
PAN-306934
Fixed an issue where traffic was unexpectedly blocked due to a misconfiguration with an empty or invalid application filter. The firewall incorrectly interpreted the empty filter as match all cloud-apps, which caused the traffic to be denied.
PAN-306903
Fixed an issue on the firewall where, after upgrading, the system log displayed the error message Last config fetch FAILED. A commit is required for userid functionality to work.
PAN-306886
Fixed an issue where the root partition on the firewall or Panorama management server filled up due to a file leak in the logging process.
PAN-306884
Fixed an issue where after changing Panorama to logger mode, commits failed due to the panorama-admin role assigned to plugin management configuration users.
PAN-306555
Fixed an issue where the firewall stopped responding, which led to service outages.
PAN-306502
Fixed two issues that impacted TLSv1.2 or earlier sessions when the traffic matched a decryption policy rule with the no-decrypt action:
  • Connections failed when both HTTP header insertion (Objects > Security Profiles > URL Filtering > HTTP Header Insertion) and Send handshake messages to CTD for inspection (Device > Setup > Session > Decryption Settings > SSL Decryption Settings) were enabled.
  • New sessions failed due to software packet buffer resource depletion, which occurred when Log Successful SSL Handshake was disabled in the decryption policy rule and the decryption profile attached to the rule had both Block sessions with expired certificates and Block sessions with untrusted issuers disabled.
PAN-306451
(VM-Series firewalls on AWS environments only) Fixed an issue where, after upgrading the firewall to an affected release, GlobalProtect clients did not connect with IPSec and instead connected using SSL due to traffic flow being disabled when checking for health check packets.
PAN-306306
(Panorama appliances in FIPS-CC mode only) Fixed interdevice TLS communication failures that occurred with RSA and RSA-PSS signature algorithms across multiple layer 7 application services.
PAN-306226
Fixed an issue where the TLS handshake did not complete and the session did not go through. This occurred if the HTTP header insertion applied to an HTTP CONNECT request passing through the firewall, the scan-handshake feature was enabled, the session matched a decryption policy rule with the decrypt action, and if the TLS client hello was in a single packet and TLS 1.2 or below.
PAN-306225
Fixed an issue on the firewall where the sslmgr process memory utilization continually increased due to memory fragmentation.
PAN-306215
Fixed an issue where creating device groups in bulk via XML API took significantly more time and the web interface stopped responding.
PAN-306103
(PA-3400 and PA-5400 Series firewalls only) Fixed an issue where the firewall dataplane frequently restarted when lockless QoS was enabled.
PAN-305922
Fixed an issue on Panorama where the CLI output for the running configuration intermittently inserted set template stack commands within certificate hash data.
PAN-305835
Fixed an issue where firewalls with Memory Integrity Checking Architecture enabled rebooted unexpectedly due to accessing an invalid memory address. This occurred because the forwarding data structure index exceeded its designed limit.
PAN-305605
Fixed an issue where GlobalProtect gateway authentication failed due to the firewall incorrectly bypassing SAML.
PAN-305557
Fixed an issue where LSVPN (Large Scale VPN) satellites failed to authenticate to the gateway because the portal was providing a zeroized certificate.
PAN-305552
Fixed an issue where DLP logs displayed an incorrect file type when the firewall did not set the file type field.
PAN-305549
Fixed an issue where the firewall's service route functionality was impacted due to a missing service route support code.
PAN-305502
Fixed an issue where Panorama was unable to forward logs to a syslog server over TLSv1.3 when configured with SSL on a custom port. The connection was established, but logs were not forwarded due to a failure in the CRL check.
PAN-305412
Fixed an issue where the Logging Service License Status displayed a license failure when the license status transitioned from valid to expired and then back to valid even when the connection to the Security Logging Service (SLS) was working.
PAN-305411
Fixed an issue where, after creating a logical interface with an assigned IP address and adding it to a virtual router, the connected route for the interface did not appear in the show routing route CLI command output. This occurred even when the interface was up and learning ARP entries.
PAN-305374
Fixed an issue on Panorama where the first letter of a custom URL category was not displayed in generated reports.
PAN-305301
Fixed an issue where the timing of GlobalProtect lifetime expiry or inactivity logout notifications used for GlobalProtect SSL tunnels could cause the pan_task process to stop responding and the dataplane to restart.
PAN-305188
Fixed an issue where TLS connections failed to establish in asymmetric routing environments if the Client Hello was split into multiple segments and arrived out of order.
PAN-305105
Fixed an issue where commits involving routing related network configuration changes experienced slower than usual completion times or remained at 20% completion.
PAN-304840
Fixed an issue where multiple firewalls experienced high management CPU utilization after upgrading to an affected release due to repeated index regeneration occurring every 15 minutes, which caused periodic CPU spikes above 90%.
PAN-304756
Fixed an issue on Panorama where, after you disabled the shared optimization feature, a full configuration push to multi-vsys devices caused a validation error.
PAN-304746
(Panorama appliances and Panorama virtual appliances only) Fixed an issue where the configd process restarted when committing and pushing configuration for a new WildFire cluster.
PAN-304718
Fixed an issue where OSPF and BGP outages occurred due to an all_task process restart during clientless VPN content rewrite processing.
PAN-304696
Fixed an issue where the Cloud User-ID connection timed out because the firewall took too long to process the OCSP response.
PAN-304689
Fixed an issue on Panorama where device group users were able to view and commit configuration changes that had been created by Superusers but not yet committed, even with access domains configured.
PAN-304636
Fixed an issue where BGP aggregate routes were not created and discard routes were not installed in the routing table.
PAN-304576
Fixed an issue where the firewall entered a non-functional state due to a segmentation fault within the all_pktproc process that was caused by a session that involved http2 cleartext traffic.
PAN-304538
Fixed an issue where traffic logs did not populate the Source EDL or Destination EDL fields when traffic matched a Security policy rule that used predefined external dynamic lists.
PAN-304496
Fixed an issue where, after unregistering an IP tag and registering a different IP tag for the same IP address via XML API, the dynamic address group membership was not updated on the dataplane, which resulted in Security policy rules being enforced incorrectly.
PAN-304397
Fixed an issue on the web interface where you were unable to test the SCP server connection for Scheduled Log Exports, and the error message key is invalid was displayed.
PAN-304229
Fixed an issue on the Panorama web interface where you were unable to disable Lifesize (Templates > Network > Network Profiles > IPSec Crypto).
PAN-304205
Fixed an issue on Panorama where, after upgrading to an affected release, a partial commit via the API did not push configuration changes to managed firewalls, and a full commit was required to synchronize the configuration.
PAN-304148
Fixed an issue where a large number of GlobalProtect users experienced failed gateway pre-logins with the error Failed to create SAML SSO request during peak login times.
PAN-304088
Fixed an issue where TCP traffic stopped working from Prisma Access clients to TCP services behind the Service Connection (SC) after a dataplane upgrade to PAN-OS 10.2.10-h26.
PAN-304075
Fixed an issue where the firewall did not detect evasions due to TCP checksum offloading not being enabled.
PAN-303959
Fixed an issue where traffic was incorrectly identified as unknown-tcp/unknown-udp due to App-ID resource leak and eventually dropped.
PAN-303954
Fixed an issue where, when configuring Safenet HSMs in HA and authenticating the HSM manually, the second HSM server failed to authenticate due to the firewall overwriting the first HSM server's certificate with the second HSM server's certificate.
PAN-303836
Fixed an issue where intermittent session-table resets on the AIRS VM triggered packet drops, which led to packet loss in egress response traffic.
PAN-303833
Fixed an issue where Panorama and managed devices incorrectly displayed warning messages that indicated that an Advanced DNS Security license and an Advanced Threat Prevention license were required, even when a traditional DNS Security license was installed.
PAN-303826
Fixed an issue where scheduled software upgrades from the Software Change Management (SCM) server to the firewall failed with a timeout error during download.
PAN-303791
Fixed an issue where configuring a service route on a loopback interface caused intermittent connectivity issues and disrupted traffic due to the firewall being unable to resolve domain names.
PAN-303765
Fixed an issue on Panorama where selective pushes failed when a scheduled job was deleted from the Panorama configuration.
PAN-303745
Fixed an issue where inter-dataplane forwarding did not work for sessions ingressing on Slot 2, which resulted in intermittent ping failures to interfaces on Network Card 2 when traffic was forwarded to Slot 3.
Note: With this fix, after a slot restart, the global counter will still show dot1q errors for a short period.
PAN-303722
Fixed an issue on the firewall where configuring spyware and vulnerability profiles in Security policy rules caused a memory leak in the devsrvr process with each configuration commit.
PAN-303671
Fixed an issue where third-party clients were unable to connect to the GlobalProtect gateway after a successful login when the username was entered in the domain\username format.
PAN-303663
Fixed an issue on the firewall where SolarWinds monitoring systems reported 100% usage for Slot1 Data Processor-0 Hardware Packet Buffers due to an inaccurate reported packet buffer.
PAN-303627
Fixed an issue where, after committing a configuration change, the firewall experienced traffic issues, pan_task crashes, and LACP interface failures.
PAN-303559
Fixed an issue where, after manually creating a device telemetry bundle, the hour_cli_output.txt file within the bundle had a file size of 0 bytes. This occurred when checking the bundle content after enabling device telemetry and setting the device telemetry upload endpoint.
PAN-303508
Fixed an issue where the firewall failed to fetch the device certificate during initial installation.
PAN-303487
Fixed an issue where Panorama appliances in FIPS-CC mode did not push the configured values for max-session-count and max-session-time to managed firewalls that were not in FIPS mode.
PAN-303390
Fixed an issue on the firewall where the DNS cache capacity was set to an incorrect value, which caused the firewall to repeatedly send DNS requests for FQDN objects even after receiving valid responses. This resulted in the firewall not storing DNS responses in the cache for more than 10-15 seconds despite the minimum FQDN refresh interval being set to a higher value.
PAN-303379
Fixed an issue where the show system resources CLI command displayed incorrect CPU usage values that did not add up to 100%.
PAN-303156
Fixed an issue where the session timer for a custom application did not transition from the initial 3-way handshake timer to the application timeout when out-of-order 3-way handshake packets were detected.
PAN-303051
Fixed an issue on Panorama where a memory leak occurred related to the reportd process due to retaining memory that was temporarily used for report generation instead of releasing the memory for reuse, which resulted in continuous accumulation and memory exhaustion.
PAN-302983
Fixed an issue where, after committing changes on Panorama, a shared post-rule moved to the end of the post shared rulebase on the managed device instead of remaining at the top.
PAN-302927
Fixed an issue where, after upgrading Panorama, the Push to Devices option did not display selected devices, and the OK and Cancel buttons did not function as expected. Selecting Push to Devices did not populate any results, and clicking OK after selecting a device under Edit selections did not work. Despite this, selecting Push or Validate Device Group Push still pushed to the previously canceled, non-displayed devices.
PAN-302921
Fixed an issue where the set auth radius-require-msg-authentic yes and show auth radius-require-msg-authentic CLI commands were unavailable on Log Collectors.
PAN-302834
Fixed an issue where Panorama did not display decryption logs after a certain date due to the decryption index being purged.
PAN-302811
(Firewalls in HA configurations only) Fixed an issue where network traffic was disrupted due to the all_pktproc process repeatedly restarting, which caused an HA failover.
PAN-302767
Fixed an issue where IPv6 IPsec WAN support was not available in Prisma Access.
PAN-302737
Fixed an issue where API key generation failed after renewing an expired API certificate, and the system continued to use the expired certificate.
PAN-302703
(Panorama virtual appliances only) Fixed an issue where Panorama was inaccessible with the error message Timed out while getting config lock.
PAN-302567
Fixed an issue where firewalls incorrectly returned the message API Error: Success with the error code 403 instead of the correct message API Error: Invalid Credential, when Cisco-ISE server was used for MSCHAP-PEAP Radius auth.
PAN-302564
Fixed an issue on the firewall where a path monitoring failure occurred and caused the dataplane to restart.
PAN-302551
Fixed an issue where the firewall displayed as disconnected in the SLS due to the serial number not being retrieved.
PAN-302428
Fixed an issue on Panorama where daily scheduled report emails for custom reports were delivered with no content and instead incorrectly displayed the message No matching data found. With this fix, the content is displayed correctly.
PAN-302317
Fixed an issue where the all_task process stopped responding after a commit, which caused the dataplane to reboot repeatedly.
PAN-302254
Fixed an issue where the web interface made calls to retrieve cloud authentication service regions even when creating a non-cloud authentication service profile.
PAN-302127
(Firewalls in active/active HA configurations only) Fixed an issue where adding a 26th floating IP address to an aggregate ethernet interface in one vsys caused IPSec tunnels on another vsys to stop working due to rekeying. This occurred due to the routed process not detecting the unchanged virtual address, uninstalling it, and then reinstalling it, which ended the ikemgr connection on the virtual address.
PAN-302085
Fixed an issue where network values were not displayed in Panorama with the error message There is no value for the selected item. This was due to the device group passing vsysName in Panorama.
PAN-301975
(Firewalls in HA configurations only) Fixed an issue where the passive firewall incorrectly triggered PBP alerts even with low packet rates.
PAN-301965
Fixed an issue on Panorama where enabling Advanced Routing in a template did not work.
PAN-301937
Fixed an issue where Microsoft Defender for Cloud detected cleartext SSH private keys in the /var/appweb and /etc/appweb directories on PA-VM firewalls deployed in Azure.
PAN-301912
Fixed an issue where Panorama stopped responding when deploying dynamic updates to managed devices.
PAN-301848
Fixed an issue where websites were incorrectly categorized with high severity alerts (Monitoring > URL Filtering) even though they were assessed as low risk. This occurred due to session information being unavailable during logging.
PAN-301828
Fixed an issue where, when a firewall was managed by Strata Cloud Manager and configured to use a proxy server for external connections, the management server did not use the configured settings to connect to the Cloud Management service.
PAN-301801
Fixed an issue on Log Collectors where the Elasticsearch process fluctuated intermittently between green and red states, which led to interruptions in log collection. This issue occurred when the number of shards exceeded the cluster's maximum supported threshold of greater than 1000 shards per Elasticsearch instance.
PAN-301733
Fixed an issue where the show cloud-auth-service-regions CLI command took longer than expected to complete due to timeouts while fetching Cloud Authentication Service (CAS) regions.
PAN-301691
Fixed an issue where BGP stopped responding with the error message Too many open files when pushing 1000 eBGP (External BGP) neighbor configurations. With this fix, the number of file descriptors for the BGP process is increased from 1024 to 8192.
PAN-301662
Fixed an issue where direct application URLs for Clientless VPN did not work on one device in a high availability (HA) pair because the RelayState in the SAML assertion was not encoded by the firewall.
PAN-301653
Fixed an issue where DNS traffic sessions prematurely terminated with the message resources-unavailable. This occurred due to IPv4 fragmented DNS responses causing the Advanced DNS Security module to incorrectly pack the DNS payload multiple times when forwarding to the cloud for inspection.
PAN-301600
Fixed an issue on the firewall where, after upgrading Panorama, OSPF adjacencies remained in the exchange start state, which resulted in an incomplete routing table.
PAN-301456
Fixed an issue on Panorama where the debug system reset-ztp CLI command was unavailable.
PAN-301430
Fixed an issue where the web server did not specify the content type in the header for font files, which could allow a browser to misinterpret the content and potentially lead to cross-site scripting (XSS) vulnerabilities.
PAN-301409
Fixed an issue where Panorama failed to perform a selective push to a managed device when device tags were added or modified on the policy rules. The selective push failed with the error message Failed to generate selective push configuration. Schema validation failed. Please try a full push.
PAN-301386
Fixed an issue where BFD echo packets were dropped on Vwire interfaces due to being incorrectly detected as a land attack when the source and destination ports of the BFD packets were different.
PAN-301305
(Firewalls in HA configurations only) Fixed an issue where the all_task process stopped responding and caused the passive firewall to reboot.
PAN-301290
Fixed an issue on the Panorama web interface where a custom administrator with device group and template permissions was unable to upgrade devices to non-preferred releases due to the options to uncheck base and preferred releases not being displayed.
PAN-301222
Fixed an issue where DNS Security logs incorrectly displayed a sinkhole action for benign DNS categories due to the firewall saving the drop or sinkhole action in session flags without discarding the session.
PAN-301186
Fixed an issue on the Panorama web interface where Enable pushing device monitoring data to Panorama was always checked, regardless of the actual configuration.
PAN-301113
Fixed an issue where the XML API returned the error Access to this vsys is unauthorized when generating a report for a specific vsys, even when the administrator had access to that vsys. This was due to the API session not correctly populating the vsysvector field with the user's allowed vsys.
PAN-301089
Fixed an issue where Kubernetes pod health checks failed when the pan-fw annotation was added. When the annotation was present, health check traffic from the host's public IP address range to the pod CIDR range was tunneled to the firewall by the pan-cni, which resulted in asymmetric flows and no response from the pod endpoints.
PAN-301018
Fixed an issue on Panorama where API queries for correlated category logs incorrectly returned a count of 0.
PAN-301014
Fixed an issue where the GlobalProtect portal used an outdated bootstrap version for clientless VPN.
PAN-300933
Fixed an issue on Panorama where, after downgrading to an affected release, the commit-all operation failed due to a missing downgrade script.
PAN-300922
Fixed an issue where the syslog connection was handled by the syslog forwarding thread.
PAN-300916
Fixed an issue where Panorama management servers failed to forward syslog messages via TLS to a syslog server when DNS resolution for IPv6 addresses failed, and the system did not automatically fall back to IPv4.
PAN-300906
Fixed an issue where XML API commands failed with a Method not found (policy_xml) error in dagger.log. The issue was due to missing XML-related functions for inline-cloud-proxy.
PAN-300837
Fixed an issue where firewalls experienced multiple reboots due to the pan_task process restarting with a SIGSEGV signal. This occurred because the client-to-firewall side assumed TLS 1.3 for the firewall-server side.
PAN-300833
Fixed an issue where the static default route remained active even when the path or SaaS monitor was down when SD-WAN was used for local internet breakout. This was due to missing validation handling in the FRR routed code for link up/down status.
PAN-300671
Fixed an issue where traffic reports that were generated with destination/source and destination/source hostnames were not displayed in IPv4 format.
PAN-300664
Fixed an issue on the Panorama and firewall web interface where Applications pages became unresponsive after activating the SaaS Inline license.
PAN-300638
(VM-Series firewalls only) Fixed an issue where the firewall stopped responding due to an out-of-bounds read when parsing TLS 1.3 clientHello messages with large TLS clientHello extensions where the supported_versions extension fell outside the first TCP segment.
PAN-300637
(VM-Series firewalls on Microsoft Azure environments only) Fixed an issue where the firewall unexpectedly rebooted due to repeated varrcvr process restarts.
PAN-300617
Fixed an issue where the Elasticsearch cluster status displayed as red due to unassigned shards, which prevented logs from updating.
PAN-300555
(Firewalls in HA configurations only) Fixed an issue where the HA1-A interface reported an incorrect SNMP down value even when the interface was physically up on the active firewall.
PAN-300548
Fixed an issue where using the IKEv2 multiplier setting for VPN re-authentication resulted in the firewall not re-authenticating at the expected intervals when both sides initiated rekeying. The internal re-authentication counter incremented when the local side triggered the rekey, but not when the peer side triggered it.
PAN-300423
Fixed an issue where Data Processing Cards (DPCs) installed in slots 5 and 6 remained stuck in a starting state with the error Signal detected for port xeS5-DP0 but Link Down alerts, which resulted in device instability.
PAN-300280
Fixed an issue where, on firewalls configured as an Area Border Router (ABR) with a backbone area (0.0.0.0) and a stub area, external Type-5 Link State Advertisement (LSA) routes were not installed in the routing table.
PAN-300186
Fixed an issue where the GlobalProtect portal exposed the internal IP address of the gateway when accessed via the SAML20/SP/ACS endpoint.
PAN-300138
Fixed an issue where DNS queries stalled or repeatedly timed out due to multiple DNS responses with different CNAME values causing evasion false positive alerts.
PAN-299915
Fixed an issue where the Elasticsearch cluster health status displayed as red on dedicated log collectors due to an expired Elasticsearch CC certificate, which prevented log visibility from Panorama.
PAN-299815
Fixed an issue on multi-vsys firewalls where a host was not removed from the quarantine list after receiving a redistribution message from Panorama. This occurred when Panorama was configured to redistribute quarantine messages to a firewall cluster, and the GlobalProtect configuration and redistribution were built out in a vsys other than vsys1.
PAN-299785
(PA-7500 and PA-5450 firewalls in FIPS-CC mode) Fixed an issue where the affected firewalls would boot into maintenance mode when a reboot was initiated from the web interface. This was due to a device reboot triggering a power down to all slots, leading to maintenance mode. A hard reboot would allow the firewall to boot normally.
PAN-299772
(VM-Series firewalls in active/passive configurations only) Fixed an issue where, after an HA failover event, the newly active firewall's DHCP client interfaces failed to obtain IP addresses automatically. This occurred because the DHCP client processes did not initiate the necessary DHCP discover or renew requests.
PAN-299757
Fixed an issue where Router Advertisements for IPv6 were not sent at the configured time intervals.
PAN-299751
Fixed an issue where the firewall was unable to connect to the Subscription License Service (SLS) due to a public and private key pair mismatch with the device certificate.
PAN-299738
Fixed an issue where excessive dataplane debug logs were generated due to the pan_task process restarting, even without any dataplane debug logs or captures being enabled by the administrator.
PAN-299706
Fixed an issue where the firewall repeatedly sent DNS requests for FQDN objects even after receiving valid responses.
PAN-299705
Fixed an issue where API calls to commit changes on Panorama intermittently failed when using the XML API with refresh=no, which caused changes to not be applied to the partial-commit configuration.
PAN-299622
Fixed an issue where the MFA timestamp was not redistributed between standalone firewalls behind an Azure load balancer after upgrading, which resulted in users being prompted to reauthenticate multiple times.
PAN-299615
Fixed an issue where, when the Network Packet Broker feature was enabled, forward TLS (non-decrypted) traffic was not working as expected when there were segmented client hellos and a no-decrypt rule existed. This issue occurred when Zone Protection profiles were configured for trust/untrust zones but not attached to NPB zones.
PAN-299495
Fixed an issue where the show system setting ssl-decrypt certificate CLI command did not display certificates when XML output was enabled.
PAN-299450
Fixed an issue where PAN-OS logrotate did not rotate large log files until the cron.daily process ran, which resulted in the root partition filling up.
PAN-299242
Fixed an issue where the firewall's SSL proxy sent an empty HTTP/2 SETTINGS message to the client before confirming server support, which caused some clients to incorrectly assume HTTP/2 support and not fall back to HTTP/1.1. Additionally, the firewall dropped HTTP/1.1 400 Bad Request frames from the server, which prevented the client from correctly detecting the lack of HTTP/2 support.
PAN-299228
Fixed an issue where a session process consumed excessive CPU resources, even when Data Loss Prevention (DLP) was not enabled. This occurred due to the active threat list being iterated twice when active threats were present in the session.
PAN-299193
Fixed an issue on the firewall where, after upgrading, autocommits repeatedly failed until after a second reboot due to a timing issue between content loading on the management plane card (MPC) and the log receiver startup.
PAN-299161
Fixed an issue where the bytes number overflowed for a specific application, which caused Network Monitor graphs to display an unexpectedly large volume of traffic.
PAN-299027
(Panorama virtual appliances in Management Mode only) Fixed an issue where a maximum configuration size of 120 was incorrectly enforced instead of 150 MB.
PAN-298945
Fixed an issue where OCSP HTTP POST requests were not formatted correctly, which caused failures with strict responders.
PAN-298929
(Firewalls in HA configurations only) Fixed an issue where, after upgrading the ESXi host to version 8.0.3, the firewall interface went down on the active firewall due to a behavior change in ESXi 8.
PAN-298907
Fixed an issue on PA-VM in AWS where, in a two-arm deployment integrated with Gateway Load Balancer (GWLB), the firewall did not preserve the GENEVE source port for internet traffic, resulting in increased latency. The fix ensures the firewall preserves the outer UDP source port of GENEVE encapsulation when sending traffic back to GWLB.
PAN-298872
(PA-400 Series firewalls in HA configurations only) Fixed an issue where ports went down after an HA failover.
PAN-298788
Fixed an issue where the /pancfg partition on the Azure Cloud NGFW reached 100% utilization, which caused commit failures.
PAN-298684
Fixed an issue where an Application Override policy rule was not applied using an IPv4 source IP address with IPv6 enabled and Network > Zones > Pre-NAT Identification enabled.
PAN-298654
Fixed an issue where the firewall generated false positive threat logs during updates to a large domain list (EDL) when a DNS lookup for a domain being added or removed occurred during the update process. This resulted in a threat log being generated for a different, unrelated domain that remained on the list.
PAN-298617
Optimized the commit workflow to reduce the size of the effective configuration, resulting in lower memory consumption.
PAN-298460
(Panorama appliances in HA configurations on Microsoft Azure environments only) Fixed an issue on the web interface where the plugin versions that were displayed when hovering the cursor over the Green Match icon were inconsistent even though the Panorama web interface reported the versions as matching.
PAN-298387
Fixed an issue on the firewall where the source and destination NAT IP addresses did not display in traffic and threat logs.
PAN-298288
Fixed an issue where traffic loss occurred when two aggregate ethernet interfaces were configured as vwire with only one member link active in the aggregate ethernet interface, which occurred due to incorrect logic in the active port map of AE interfaces.
PAN-298279
Fixed an issue where Panorama administrators defined in a SAML Identity Provider (IdP) were unable to authenticate if their username exceeded 32 characters, and the system logs displayed the failed authentication attempt with a truncated username.
PAN-298252
Fixed an issue where Data Loss Prevention (DLP) inspection of chunked transfer encoding over TLS resulted in incomplete file downloads on Outlook Web App (OWA) due to the WIF page size limit, which led to corrupted or incomplete PDF attachments.
PAN-298241
Fixed an issue where the NAT IP address pool was exhausted, which led to intermittent connectivity issues with call applications and outbound call failures. This occurred due to the firewall not properly releasing NAT dynamic ports back to the address pool.
PAN-298141
Fixed an issue where the firewall experienced recurring kernel segfaults related to multiple processes, which led to a SIGSEGV error.
PAN-298000
Fixed an issue where the useridd process stopped responding after an upgrade, which led to high packet buffer congestion and an OOM condition.
PAN-297976
Fixed an issue where the firewall experienced extended boot times after a reboot due to the configd process needing to rebuild the ACE catalog after detecting discrepancies that were caused by duplicate application checking between the ACE catalog and content.
PAN-297972
Fixed an issue where a dataplane crash occurred when traffic matched Inline Cloud Analysis prefiltering signatures, even when Inline Cloud Analysis features were not enabled.
PAN-297963
Fixed an issue where PA-400 Series firewalls were not properly caching DNS responses for FQDN objects. The firewall was observed to repeatedly send DNS requests for the same FQDN objects every 10-15 seconds, even after receiving valid responses, despite the minimum FQDN refresh interval being set to a much higher value. This resulted in excessive DNS queries originating from the firewall's management interface.
PAN-297819
Fixed an issue where the firewall was unable to send device telemetry files to Cortex Data Lake due to the firewall receiving an invalid upload token.
PAN-297818
Fixed an issue on Panorama where exporting managed device information that included a PA-450R-5G appliance resulted in the Cellular Firmware field being exported into multiple cells.
PAN-297797
Fixed an issue where, during a refresh of a large External Dynamic List (EDL), traffic that matched a domain on the list was incorrectly identified as a different domain, which resulted in false positive threat logs.
PAN-297796
Fixed an issue on Panorama where the policy review feature in Dynamic Updates failed to display Security policy rules when the device group was set to All.
PAN-297782
Fixed an issue on Panorama where reassociating a vsys from one device group to another in a multi-vsys environment resulted in another vsys from the same firewall being removed from the original device group. This resulted in the device being moved into the no device groups attached group, and a superuser was required to manually reattach the device.
PAN-297775
Fixed an issue where, after upgrading to an affected PAN-OS release, the Visible Virtual System field referenced the vsys name instead of the vsys ID, which caused inter-vsys routing to fail. This occurred when a vsys display name matched one of the vsys IDs. If you're using a multivsys environment, you must upgrade your firewalls to a fixed PAN-OS version. The best practice is to upgrade both the firewalls and Panorama to a fixed PAN-OS version.
If you don't upgrade Panorama to a fixed version, you'll encounter PAN-245064, where a commit on a multivsys firewall fails with the message vsys name should end with a number vsys is invalid after you Export or push device config bundle from 11.1.1 Panorama.
After you upgrade Panorama to a fixed version, you'll encounter PAN-214177, which causes an Export or Push device config bundle from Panorama to the firewall to fail. The workaround for PAN-214177 is to first push only the template configuration and then push the device group configurations.
PAN-297774
Fixed an issue on the web interface where the TLS Version was misspelled as TLS Vesrion (Device > Server Profiles > Email).
PAN-297761
Fixed an issue where the firewall incorrectly categorized some URLs as not-resolved due to a conflict with Top Level Domain (TLD) data handling in the PAN-DB URL cloud. This affected URLs under domains marked as TLDs, which the firewall incorrectly assumed did not have any category.
PAN-297749
Fixed an issue where the redistribution agent status was blank on the web interface on both the firewall and Panorama, even though the CLI showed the agent as connected.
PAN-297708
Fixed an issue where a long-lived session with many Machine Learning (ML) model triggers caused a memory leak of feature states associated with the ML model runs. This resulted in Spyware_State failure increases, allocation max outs, and impaired policy matching.
PAN-297610
Fixed an issue where the firewall became unresponsive after an upgrade due to the fsck command scanning drive partitions in parallel with the root partition, which caused the process to take an extended amount of time.
PAN-297609
Fixed an issue where the CLI command debug user-id refresh user-id agent all failed with the error message Invalid agent name. Agent name should be 1 to 31 characters long.
PAN-297540
(Panorama managed firewalls in HA configurations only) Fixed an issue where the HA-Link-Monitor configuration pushed from Panorama was converted to a local configuration on the peer device after an HA sync, which caused subsequent Panorama pushes of link monitor changes to be flagged as overwritten, and a forced template push or manual clearing of the configuration on the firewall was required.
PAN-297458
Fixed an issue where the all_task_1 process crashed on the firewall when the wif service wasn't available because the wif detection ID was not in the current service table.
PAN-297412
(VM-Series firewalls only) Fixed an issue where the firewall rebooted unexpectedly due to a negative decoded length.
PAN-297370
Fixed an issue where pushing a new object from Panorama to a Cloud NGFW Device Group unexpectedly removed existing Panorama-pushed policy rules, even though the Push Preview did not show any deletions, which led to traffic disruptions.
PAN-297321
(Firewalls in active/active HA configurations only) Fixed an issue where return packets from a phone gateway looped between the HA pair instead of being encapsulated into the GlobalProtect tunnel. This occurred when the inner session and the outer IPSec tunnel terminated on different nodes, which led to excessive retries and packet drops.
PAN-297320
(Panorama virtual appliances only) Fixed an issue where scheduled configuration exports failed with an invalid key error when connecting to an SCP server using a non-default SCP port. Also, additional CLI commands were added to delete the known-hosts file.
PAN-297295
(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where the firewall repeatedly restarted due to high packet rates on the synthetic path in DPDK mode.
PAN-297263
(PA-5220 firewalls only) Fixed an issue where the ikemgr process crashed intermittently, which caused IPSec tunnels to go down randomly. With this fix, the IKE Security association data structures are accessed in a thread-safe manner, and the ikemgr process does not reference an invalid memory pointer during teardown operations.
PAN-297005
Fixed an issue where exporting custom reports resulted in empty CSV files.
PAN-296977
Fixed an issue where the web interface became unresponsive when attempting to view Ethernet interface details after applying a filter in Network > Interfaces.
PAN-296752
(PA-1410 firewalls only) Fixed an issue where the firewall experienced high management CPU usage and repeatedly rebooted when attempting to retrieve SMART data.
PAN-296749
Fixed an issue where email alerts sent from the firewall were marked as spam due to the EHLO header containing only the firewall hostname and not the fully qualified domain name (FQDN).
PAN-296694
Fixed an issue where the firewall rebooted due to the useridd process repeatedly restarting during IP-port data type writes to redis from multiple sources such as TSA or XML in a scale environment.
PAN-296666
Fixed an issue where Prisma Access gateways did not pass usernames to the WildFire portal, which caused the Recipient User ID to display as unknown on wildfire.paloaltonetworks.com, even when the username was present in the gateway logs.
PAN-296635
Fixed an issue where the reportd process on passive Panorama management servers leaked memory due to scheduled report handling from the Strata Logging Service (SLS). This memory leak occurred daily, consuming available memory until the process was restarted.
PAN-296616
Fixed an issue where, when a PBF policy rule with a monitoring profile was configured, the intermediate firewall dropped the PBF monitoring traffic, which caused the PBF rule to remain disabled on the local firewall.
PAN-296598
Fixed an issue where EAL logs were not forwarded to the IoT Security dashboard when the proxy server password contained special characters.
PAN-296535
Fixed an issue on the firewall where BGP peers disconnected when more than 500 BGP neighbors were configured in a single Logical Router.
PAN-296490
(Firewalls with FIPS-CC mode enabled only) Fixed an issue where Panorama on GCP lost access to the management interface after an hour of uptime.
PAN-296478
Fixed an issue where, after upgrading to PAN-OS 10.2.13-h10, GlobalProtect Clientless VPN on PA-3250 firewalls failed to execute JavaScript links, resulting in an authorization error. This occurred because the firewall was incorrectly injecting text into URLs when JavaScript buttons or dropdown menus were clicked within the Clientless VPN portal.
PAN-296453
Fixed an issue where decryption exclusion lists were not working for untrusted certificates, and SSL sessions were still being decrypted even after adding them to the exclusion list. This occurred because the firewall was not adding sessions to the exclude cache until after receiving a non-RFC alert (BadCertificate) from the server. The fix ensures that the first session is added to the exclude cache, allowing subsequent sessions to skip decryption. This issue affects firewalls configured as clients in server-client communication.
PAN-296452
Fixed an issue where, when Panorama managed Prisma Access, filtering GlobalProtect logs by IPv6 subnets displayed all logs, including IPv4 logs.
PAN-296443
(PA-5450 firewalls only) Fixed an issue where the firewall had a lower maximum capacity for DIPP translated IP addresses than the PA-5260, which caused configuration commit errors during migration. With this fix, the maximum capacity on PA-5450 firewalls has been increased to 8000.
PAN-296397
Fixed an issue on the Panorama web interface where, when previewing changes after a commit to shared objects, the changes were not accurately displayed in the push scope.
PAN-296283
Fixed an issue where, on hardware platforms with the SaaS inline license, Additional Header Logging (AHL) hash table creation proceeded even when the feature was disabled through the CLI, potentially leading to crashes.
PAN-296224
(Firewalls in active/active HA configurations only) Fixed an issue where adding a 26th floating IP address to an aggregate interface on one vsys caused IPSec tunnels in another vsys to stop working due to rekeying issues.
PAN-296208
Fixed an issue where the firewall did not accept address groups in the filter condition of a Log Forwarding Match list.
PAN-296206
Fixed an issue where the firewall incorrectly routed external Type-5 Link State Advertisements (LSAs) within a stub area when the firewall was configured as an Area Border Router (ABR) in a stub area and learned about an external prefix from another ABR connected to the backbone area.
PAN-296202
(Firewalls in active/active HA configurations only) Added a log enhancement to capture an issue where, when a commit operation was in progress, newly deployed IP address tags that used the XML API were not immediately reflected in address group resolution, which delayed IP address mapping to address groups and caused traffic to be incorrectly allowed or denied.
PAN-296195
Fixed an issue where, in an SD-WAN Branch Multi-VR environment, ping traffic initiated from the firewall's internal interface resulted in improper zone mapping during session setup, which resulted in the firewall being unable to reach the internet. This occurred due to the ingress zone being incorrectly used as the egress zone.
PAN-296020
Fixed an issue where commit operations failed during phase 1 when configuring a non-default value for the Graceful Restart Hello Delay due to an FRR parse error if the configured value was between 1 and 9.
PAN-295958
Fixed an issue where multicast output interfaces (OIFs) were missing for up to 5 minutes after an HA failover or routing process restart, which impacted new multicast sessions. This occurred due to an age-out process triggered by unicast graceful restart conditions.
PAN-295951
Fixed an issue on firewalls in active/passive HA configurations where CLI outputs incorrectly included XML formatting.
PAN-295944
Fixed an issue where static routes remained active in the FIB and RIB even when the associated physical port interface was down, which resulted in traffic being incorrectly routed through a non-operational interface.
PAN-295899
Fixed an issue where DNS resolution failed on Linux machines running GlobalProtect client version 6.2.6 when connected with DNS Security enabled. This occurred because the firewall incorrectly discarded DNS packets when processing multiple DNS requests or responses over the same session, even when no malicious verdict was received.
PAN-295854
Fixed an issue where the firewall generated two URL logs for a single session.
PAN-295838
Fixed an issue on IKEv1 tunnels where, if the peer IKE gateway was unreachable, the IKE Phase-1 Security association (SA) was not cleared by DPD until Phase-2 rekeying occurred or until it was manually cleared via the CLI because the DPDs were not sent accurately according to the configured interval due to a miscalculation of the DPD timer. This resulted in the tunnel taking longer than expected to recover.
PAN-295812
Fixed an issue where the throughput data on the Switch Card Module (SCM) was not accurately reported. This issue affected Standard SC USABN and USABN-2 when using Direct-IO deployment.
PAN-295803
Addressed a memory leak issue under the sc3 and automatic commit recovery (ACR) code path.
PAN-295802
Fixed an issue where a memory leak related to the configd process occurred.
PAN-295796
Fixed an issue where the firewall intermittently failed to forward VXLAN GARP packets, which led to connectivity issues for wireless clients in environments that used VXLAN tunnels for wireless access points.
PAN-295766
(VM-Series firewalls in HA configurations only) Fixed an issue where Panorama displayed incorrect packet buffer values on the web interface and the CLI.
PAN-295728
Fixed an issue where configuring an OSPFv2 NSSA area range caused OSPF-learned routes to become unreachable due to the incorrect installation of a discard route when the NSSA range prefix matched an existing OSPF route.
PAN-295662
Fixed an issue where Panorama displayed the URL instead of the file name for vulnerability threat logs fetched from the Logging Service.
PAN-295644
Fixed an issue where Strata Logging Service (SLS) log forwarding streams intermittently displayed as inactive.
PAN-295586
Fixed an issue where, after committing changes to a Certificate Profile or other global configurations without making any changes to the virtual system (vsys), the Data Redistribution include/exclude lists were ignored on the firewall. This resulted in the firewall receiving and processing User-ID information from all sources.
PAN-295578
Fixed an issue where GlobalProtect HIP data file download and installation failed with the error message An error occurred while processing request. Please try again after some time or contact support or No ETAG from response due to a script exiting prematurely.
PAN-295560
Fixed an issue where, after upgrading Panorama and Log Collectors, tunnel logs were not visible in Panorama or Splunk even though traffic and threat logs were received.
PAN-295484
Fixed an issue where SD-WAN did not generate system logs with timestamps and reasons for degradation of Direct Internet Access paths.
PAN-295470
Fixed an issue on the firewall where the useridd process continuously increased its memory consumption, which resulted in an OOM condition that caused the firewall to restart.
PAN-295421
Fixed an issue where the CLI command outputs incorrectly included XML formatting tags.
PAN-295385
Fixed an issue where syslog forwarding dropped due to FQDN resolution failures.
PAN-295342
Fixed an issue where the pan_comm process stopped responding due to insufficient time allocated to read file descriptors when processing long messages.
PAN-295257
Fixed an issue where, after onboarding a firewall to Panorama, IPsec tunnels displayed IKEv2 in Panorama, even though the tunnels were configured with IKEv1 locally on the firewall.
PAN-295245
Fixed an issue where the useridd process stopped responding because the client was unavailable.
PAN-295240
Fixed an issue where the source user field was intermittently missing in traffic logs, even when the IP address-to-user mapping was available. This occurred due to a race condition where the log generation process preceded the creation of the IP address-to-user mapping.
PAN-295221
Fixed an issue where, after upgrading Panorama and Log Collectors from PAN-OS 10.2.9 to PAN-OS 11.1.6-h6, Traffic and Threat logs were not forwarded to a Splunk server over UDP.
PAN-295185
(Panorama appliances only) Fixed an issue where a custom administrator role with the permission Network > QoS (Read Only) was unable to create a QoS profile, even when the Policies > QoS (Enabled) and Network Profiles > QoS Profile (Enabled) permissions were also set.
PAN-295095
Fixed an issue where, when you used a syslog forwarding profile with the CEF format, an additional string was appended to the end of the log message when viewing the log entry from the Universal Forwarder directory.
PAN-294898
(Panorama appliances only) Fixed an issue where, when performing device software deployment to dedicated log collectors, the Validate option did not display the required software versions. Additionally, attempting to download images to multiple log collectors simultaneously failed.
PAN-294893
Fixed an issue where firewalls with the Send handshake messages to CTD for inspection setting enabled caused incorrect security policy rules to be matched during the TLS handshake. Additionally, the expected response page for blocked URLs was not displayed.
PAN-294770
(Firewalls in active/passive HA configurations) Fixed an issue on firewalls where, after failover, certain subnets were missing from the Link State Database, which prevented OSPF routes from being immediately learned due to a Type-7 to Type-5 LSA translation conflict in the ABR when the same LSA was advertised by two peers in the NSSA area.
PAN-294524
Fixed an issue where firewalls and Panorama management servers were unable to view or download WildFire reports from a WF-500 appliance, resulting in a 401 error in the report tab.
PAN-294379
Fixed an issue where, when SD-WAN SaaS Application path monitoring failed for all interfaces, the firewall stopped forwarding traffic even if the ISP links and default gateway probing were still active.
PAN-294307
Fixed an issue on Panorama where a configd SIGSEGV crash occurred when renaming objects within policy rules, objects, or zones.
PAN-294191
Fixed an issue where BGP did not generate a system log when the number of prefixes received from a peer exceeded the configured threshold, even with the Address Family Identifier and Peer Group settings configured to trigger a warning.
PAN-294179
Fixed an issue where viewing, refreshing, and comparing config versions in Config Audit caused the configd process to stop responding. If the page loaded successfully, some commit versions displayed incorrect or missing data.
PAN-294161
Fixed an issue where the firewall rebooted unexpectedly due to the useridd process restarting and causing an HA failover. This occurred due to the configd process timing out when running the CLI command show user user-id-agent config all.
PAN-294123
Fixed an issue where the firewall removed all Infrastructure and Audit logs, as well as logdb and search engine quotas, when the configured retention period was reached instead of only removing logs older than the configured retention period.
PAN-293985
Fixed an issue with the Panorama web interface where admin users were unable to log in and received the error message 504: Gateway Timeout.
PAN-293953
Fixed an issue where the cellular interface LED indicator incorrectly displayed a green light when the cellular interface was down due to a failed packet data session.
PAN-293879
Fixed an issue on the firewall where the VM monitor source remained in the Getting All status, which prevented dynamic address groups from updating IP addresses for new EC2 instances. This issue occurred due to a race condition where two threads that simultaneously retrieved IP address tag information from AWS VM monitoring sources became stuck while reading the XML file.
PAN-293877
(Firewalls with Hub vsys (virtual system) configurations enabled only) Fixed an issue where, when using the Hub vsys feature to redistribute Host Information Profiles (HIP) to a non-Hub vsys, HIP policy enforcement failed intermittently on the active secondary firewall. This occurred when traffic destined for specific non-Hub vsys was routed to the active secondary, and the HIP query was not triggered due to an incorrect check for the HIP mask in the Hub vsys.
PAN-293858
Fixed an issue where the file URL was not displayed on SCM LogViewer when a file was downloaded. This issue affected logs with a subtype of 'file'.
PAN-293848
Fixed an issue where Panorama failed to push the default value of None for the secondary NTP server address to managed firewalls, resulting in a commit validation error. This occurred even when configuring the secondary NTP server address as None in Panorama's web interface, and affected both newly deployed and long-standing production firewalls after upgrading.
PAN-293847
Fixed an issue where EAL logs for traffic matching the intrazone-default security rule were not forwarded to the IoT Security portal.
PAN-293825
Fixed an issue where packets with bad TCP checksums were transmitted even when the Strict TCP/IP checksum option was enabled.
PAN-293708
Fixed an issue where the configd process stopped responding when a partial revert operation was performed on a newly added rule in a rulebase that was empty in the running configuration.
PAN-293707
Fixed an issue where the iotd process failed to install DPI Cloud server FQDN due to a configuration parsing failure, caused by the configuration XML memory buffer not being NULL terminated. This resulted in the accumulation of EAL logs and DLP forwarding being stopped.
PAN-293686
Fixed an issue where importing a device state file was incorrectly allowed during an existing commit job.
PAN-293673
Fixed an issue where the firewall stopped all tasks due to an OOM condition caused by a scheduled log export using FTP to an external FTP server.
PAN-293644
(Firewalls in HA configurations only) Fixed an issue where the configd process stopped responding during an External Dynamic List (EDL) refresh.
PAN-293574
Fixed an issue on Panorama where Global Find returned incomplete and inconsistent search results.
PAN-293561
Fixed an issue where users with a custom role-based administrator role were unable to download the GlobalProtect client application via the web interface even when the GlobalProtect Client option was enabled in the admin role profile.
PAN-293533
Fixed an issue where, in KVM environments, traffic did not work as expected on Mellanox CX5 interfaces during multinic runs.
PAN-293511
Fixed an issue where renaming a BGP filtering profile in Panorama did not update the corresponding BGP peer group in the virtual router, leading to commit failures.
PAN-293440
Fixed an issue where setting the logdb-quota for the desum log type to 0 caused the /opt/panlogs partition to reach capacity.
PAN-293428
Fixed an issue where the interval of IKEv1 Dead Peer Detection (DPD) R-U-THERE packets did not correspond to the configured value in the IKE Gateway profile due to using the value configured for retry instead.
PAN-293297
Fixed an issue on Panorama where a full push to device groups was initiated instead of a selective push when using Commit and Push Changes Made By in the commit and push.
PAN-293281
Fixed an issue where the reported throughput and packet rate were higher than the actual interface traffic due to a double counting error.
PAN-293033
Fixed an issue on Panorama where Push was disabled during a Selective Push operation.
PAN-292980
Fixed an issue on the web interface where the Connected status for a User-ID agent in a non-User-ID Hub vsys displayed as blank if the same agent was also configured in a User-ID Hub vsys.
PAN-292752
Fixed an issue where a command injection vulnerability could occur due to improper input sanitization.
PAN-292580
(Panorama appliances only) Fixed an issue where the software deployment validation process did not display the required software version for dedicated log collectors (DLCs), and downloading software images to multiple DLCs failed.
PAN-292539
(CN-Series firewalls only) Fixed an issue where the firewall generated incomplete or corrupted tech support files (TSF) due to high disk usage on the management plane.
PAN-292529
Fixed an issue where HA configuration synchronization failed between HA firewalls due to an empty interface node present only in the passive firewall's running-config.xml file.
PAN-292471
Fixed an issue where the default route (0.0.0.0/0) advertised via the Originate Default Route in BGP AFI profiles did not appear in the output of the show advanced-routing bgp peer advertised-routes CLI command, even though it was being sent to the BGP peer.
PAN-292447
Fixed an issue where Panorama did not display data in the Feature Adoption tab in Strata Cloud Manager due to the system creating and deleting a CLI user for each interval instead of reusing a permanent CLI user for telemetry.
PAN-292393
Fixed an issue where TFTP file transfers intermittently timed out in active-active HA pairs when the TFTP control channel was processed by one firewall and the data channel was processed by the other. This occurred because the firewall receiving the data channel failed to match the predicted session due to asynchronous processing of HA messages.
PAN-292285
(Firewalls in active/passive HA configurations only) Fixed an issue where network outages of approximately 30 seconds occurred after a failover due to a delay in establishing the BGP connection between the new active firewall and one of its peers and a second delay in advertising prefixes learned from the firewall to another peer.
PAN-292242
Fixed an issue on M-200 and logging appliances where traffic logs were intermittently truncated when forwarded using a TCP syslog configuration. This issue occurred during the log forwarding stage due to intermittent syslog drops caused by exceeding the forwarding queue capacity.
PAN-292228
Fixed an issue where, after configuring dual stack GlobalProtect with both IPv4 and IPv6 address pools, IPv6 return traffic was dropped with the error message flow-basic error; packet dropped, tunnel resolution failure.
PAN-292079
(Panorama appliances only) Fixed an issue where the data on scheduled SaaS Application Usage Reports was different than the data on on-demand reports generated via Run Now.
PAN-292019
Fixed an issue on the Panorama web interface where cloud applications were not displayed under Objects > Applications after a new content upgrade and Cloud App Catalog download, and were only visible in application groups, security policy rules, and the CLI.
PAN-291984
Fixed an issue where SSH/SFTP traffic was intermittently blocked by URL filtering due to the firewall incorrectly applying URL categories from previous sessions.
PAN-291945
Fixed an issue on PA-5220 firewalls where denied traffic logs incorrectly displayed a byte count of 0. This occurred because the bytes_sent value was stored in the most significant bits of u_bytes_sent, resulting in a zero value when a small value was assigned to u_bytes_sent.
PAN-291940
Fixed an issue where the firewall established multiple TCP connections to a syslog server, which caused logs to be dropped. This occurred because the firewall established a new TCP session for each transfer and the sessions were not closed, which resulted in a continuous increase in connections over time.
PAN-291915
Fixed an issue on the firewall where the PDT process experienced a memory leak due to frequent dumping of fabric traffic statistics, which resulted in high CPU utilization and instability.
PAN-291804
Fixed an issue on Panorama where deleting objects resulted in errors indicating references in Security policy rules.
PAN-291792
(PA-7050 firewalls on vwire instances only) Fixed an issue where Bidirectional Forwarding Detection (BFD) echo packets were dropped due to the firewall dropping packets with the same source and destination IP addresses.
PAN-291781
Fixed an issue on Panorama where the CLI command show ntp displayed the error message server error: op command for client dagger timed out as client is not available even when connectivity to the NTP server was active.
PAN-291716
Fixed an issue where during a commit, the firewall experienced an out-of-memory (OOM) condition due to a memory leak and displayed an error message. This issue caused the device to stop responding and reboot unexpectedly.
PAN-291661
Fixed an issue on Panorama appliances and Log Collectors where, after an upgrade, Elasticsearch intermittently entered into a Red state before automatically recovering.
PAN-291653
Fixed an issue where the GlobalProtect host ID field was intermittently blank in traffic logs on Prisma Access, even when the user was connected and had the correct host ID information. This occurred when the IP address to host ID entry expired and the entry was re-inserted without the dataplane flag being set.
PAN-291650
Fixed an issue where the firewall rebooted unexpectedly due to an OOM condition.
PAN-291635
Fixed an issue where cookie surrogate cache entries remained unresolved after an idmgr process reset due to the request not being retransmitted. This occurred because the timestamp in the cache entry was refreshed even when the UID was 0, which prevented the retransmission of the request if the initial response was not received.
PAN-291247
Fixed an issue where checksum values changed when downloading files through TFTP on firewalls using subinterfaces.
PAN-291174
Fixed an issue where Real Time Streaming Protocol (RTSP) video streams did not work when connected through GlobalProtect due to the firewall blocking 200 OK responses. This occurred because of incorrect NAT translations for the 200 OK message from the server.
PAN-291067
Fixed an issue where the devsrvr process periodically exceeded its virtual memory limit and restarted, which led to intermittent outages.
PAN-291009
Fixed an issue where, after a web server returned a 401 or 403 error, the firewall was unable to decrypt HTTP/2 traffic, and the firewall rejected all subsequent streams from the client.
PAN-290954
Fixed an issue where the web server used a low HTTP Strict Transport Security (HSTS) max-age value of 86400 seconds for the log.query.expression.js.php page.
PAN-290948
Fixed an issue where the proxy hid the Cache-Control header, which prevented context switching.
PAN-290938
Fixed an issue where multiple memory leaks occurred related to the configd process.
PAN-290851
Fixed an issue where the Agent User Override Key was incorrectly available for configuration on Panorama management servers when running in FIPS-CC mode.
PAN-290783
Fixed an issue where the debug dataplane nat sync-ippool command may not accurately account for all allocated ports or display/sync leaks when multiple NAT rules use the same IP pool. This could result in inaccurate reporting of leaked ports. The fix modifies the implementation to directly compare the original pool against the temporary pool across all vsys.
PAN-290728
Fixed an issue where modifying an interface IP address on an existing vsys caused a default vsys1 to be created, which led to commit failures due to the maximum supported number of vsys being reached.
PAN-290681
Fixed an issue on Panorama and Panorama managed firewalls where template settings reverted during a device group push when Include Device and Network Templates was checked, even if no changes were made to the template. This caused the SAML IDP server profile certificate to revert to an older, invalid certificate, and resulted in GlobalProtect users being unable to authenticate via SAML.
PAN-290665
Fixed an issue with firewalls enabled with Security profiles where certain traffic conditions caused high dataplane CPU utilization and packet buffer exhaustion, which caused LACP flapping conditions.
PAN-290663
(Panorama managed firewalls in HA configurations only) Fixed an issue where the firewall did not enforce serial number validation during HA deployment or replacement, which resulted in pairs being established even when the serial numbers configured on Panorama did not match the serial number of the devices.
PAN-290640
(VM-Series firewalls on Microsoft Azure environments in HA configurations only) Fixed an issue where, when an interface was configured with IPv6, the firewall displayed the message Unknown error during validation after the client secret expired, which caused DNS resolution to fail when resolving FQDNs and HA failovers to occur.
PAN-290449
Fixed an issue where, when multiple scheduled vulnerability reports were sent in the same email, only the first attached report was displayed.
PAN-290157
Fixed an issue on Panorama where the configd process stopped responding when filtering in the Config Audit window, which caused Panorama to restart unexpectedly.
PAN-289852
Fixed an issue where websites did not load when accumulation proxy was enabled.
PAN-289757
Fixed an issue where policy rule imports were blocked when any was in the source device column, which prevented the use of inbound policy rule recommendations. Additionally, when the source profile name was missing for inbound behaviors, a default policy rule name was not able to be generated.
PAN-289736
Fixed an issue where partial-revert operations were taking a long time, causing config lock timeout issues and resulting in frequent error messages being displayed: Timed out while getting config lock. Please try again.
PAN-289723
Fixed an issue where the firewall web interface continuously loaded and did not display any output when viewing the Route Table or FIB table (More Runtime Stats). This issue occurred when L3 configurations were added to ethernet and AE interfaces.
PAN-289706
Fixed an issue where the authd process crashed intermittently on VM-Series firewalls due to authentication sequence failures. The crashes occurred during memory management operations within a library while releasing memory to its central cache.
PAN-289578
Fixed an issue on Panorama managed firewalls where the source user, source device vendor, source MAC address, and OS version information were not visible in traffic logs and SCM when the user and device access control lists were empty.
PAN-289249
Fixed an issue where a memory leak occurred on the reportd process when a WildFire update was initiated while device telemetry data collection was in progress. This resulted in an OOM condition.
PAN-289067
Fixed an issue where, after upgrading Panorama in a High Availability (HA) pair, the configuration logs stopped synchronizing from the primary Panorama to the secondary Panorama. This issue occurred because the log forwarding flag was permanently disabled due to the connection state not being active when the log-fwd-ctrl message was received.
PAN-288938
Fixed an issue on the Panorama web interface where the search bar suddenly was not displayed, or the filter/clear filter icon moved to the left of the search bar.
PAN-288869
Fixed an issue where custom administrators with visibility into specific vsys logs were able to view logs for all vsys.
PAN-288388
Fixed an issue where, after an EDL certificate update or repository migration, authentication failures caused the firewall to not fall back to the last successfully cached EDL entries, which led to policy rules that referenced the EDL to not be enforced.
PAN-288381
Fixed an issue where data interfaces unexpectedly went down and then up after an HA failover, which caused intermittent traffic disruption.
PAN-288175
Addressed a stack buffer overflow memory leak in the plugin management code path.
PAN-288141
Fixed an issue where the debug data-plane sync ippool CLI command did not work for Per Destination IP Pool (PDIPP) and caused a memory leak.
PAN-288139
Fixed an issue where the firewall incorrectly identified ports as leaking when the session was not active even though the ports were allocated.
PAN-287803
Fixed an issue where, after upgrading firewalls to PAN-OS 11.1.6-h1, certain websites weren't accessible when the accumulation proxy was enabled. The proxy did not use the same DF bit state as the original traffic, causing it to be fragmented and dropped elsewhere in the network.
PAN-287782
Fixed an issue where firewalls configured in vwire mode modified DSCP values from AF11 to CS0 on traffic passing through the firewall, even when QoS policy rules and DSCP rewrite settings were not configured.
PAN-287713
Fixed an issue on Panorama where, after uninstalling a plugin, commit validation failed with the error message interface '-' is not a valid reference due to cloud service plugin configuration errors.
PAN-287693
Fixed an issue where Panorama did not use the configured proxy settings to check WildFire private cloud content and instead connected directly to the WildFire device using the management interface. This occurred even when Use Proxy Settings for Private Cloud was enabled.
PAN-287599
Fixed an issue where the prefix value for a BGP neighbor caused the firewall to leak routes to a different BGP peer.
PAN-287581
(Firewalls in active/passive HA configurations only) Fixed an issue where the firewall did not process and transmit HA path monitoring probes received from another HA cluster when the firewall acted as a gateway for internal monitoring IP addresses used in the HA path monitoring group, which caused HA flapping due to path monitoring failures.
PAN-287392
Fixed an issue on the web interface where ACC graphs displayed No data to display when a filter was applied to Source IP or Destination IP.
PAN-287387
Fixed an issue on Panorama where API jobs failed with the error message Server error: Timed out while getting config lock. This occurred due to slow set request performance when setting a large number of address objects in a single set call.
PAN-287165
Fixed an issue on the firewall CLI where autocomplete did not work for zones in the clear session all CLI command. Additionally, the CLI was unable to clear sessions for a specific IP subnet.
PAN-287086
Fixed an issue where PA-3420 firewalls experienced unexpected reboots due to the all_task_7 process crashing with signal 6, leading to a non-functional state.
PAN-287034
Fixed an issue where sequence numbers were skipped for all types of logs on the firewall due to audit logs being generated but not written to disk when Audit Tracking was enabled.
PAN-286865
Fixed an issue where, when you upgraded log collectors via Panorama (Device Deployment), the software installation on the log collector remained at 0%.
PAN-286297
Fixed an issue where the firewall did not respond to ARP requests when a subinterface was configured with source address translation using the Translated Address option.
PAN-285758
Fixed an issue where the firewall web interface became unresponsive while adding a description that contained 1062 bytes of character data in a Security policy rule instead of displaying an error message when the description exceeded the maximum allowed length.
PAN-285208
Fixed an issue where the firewall did not automatically recover after a machine check exception (MCE) occurred.
PAN-285181
Fixed an issue where the wifclient was not configured to utilize the GOMEMLIMIT feature.
PAN-285169
Fixed an issue on Panorama where Kerberos superusers were unable to edit policy rules because the target device tab was grayed out.
PAN-284801
Fixed an issue where the OpenConfig plugin was automatically installed on VM Panorama and firewalls after upgrading.
PAN-284417
Fixed an issue where proxied traffic was shown as decrypted even when no applicable decryption policy rule was configured. Additionally, the show session CLI command and the session browser web interface incorrectly displayed cleartext proxy sessions as decrypted.
PAN-283704
Fixed an issue where the PAN-OS DoS protection feature by default blacklisted specific IP addresses, which caused outbound traffic domain resolution to fail for clusters.
PAN-283311
Fixed an issue where log forwarding to all syslog servers failed if one syslog server that used TLS as the protocol became unreachable.
PAN-283237
Fixed an issue where traffic logs incorrectly displayed the action as allow for traffic matching a Security policy rule configured with the action set to deny. This issue occurred due to the child session being used for policy rule lookup when a configuration update triggered a rematch if the FTP-data application was not in the rule.
PAN-283101
(Firewalls in HA configurations only) Fixed an issue where the show wildfire status CLI command displayed an incorrect maximum file size of 4 KB for WildFire script uploads even though the configured value was different.
PAN-283053
Fixed an issue where the firewall experienced high disk space utilization, which caused the firewall to become non-functional.
PAN-282961
Fixed an issue where the firewall rebooted unexpectedly after a commit due to a memory leak related to the rasmgr process and displayed the error message Management server failed to send phase 1 to client l2ctrld before rebooting.
PAN-282956
Fixed an issue on firewalls running PAN-OS 11.1 and later PAN-OS releases where the portal and gateway configuration view did not display rows and columns.
PAN-282687
Fixed an issue on Panorama where performing a selective revert of configuration changes resulted in all configuration changes being reverted.
PAN-281721
Fixed an issue where the firewall generated high-severity system alerts indicating that the configuration size exceeded the maximum recommended size, even when the configuration size was within the expected limits.
PAN-281588
Fixed an issue where packet buffer depletion occurred due to a high number of tcp_pkt_queued packets when Jumbo was enabled.
PAN-280917
Fixed an issue on Panorama where the WildFire cloud URL contained an extra period character, which prevented the retrieval of WildFire analysis reports.
PAN-280536
Fixed an issue where firewalls that were connected to the same Cloud Identity Engine displayed inconsistent group membership information, with some firewalls showing only a subset of users belonging to a group. This occurred due to a full or incremental group sync failure.
This fix introduces a retry mechanism for failed group queries to the Cloud Identity Engine. To use this feature, run the following CLI commands.
To enable the retry mechanism: debug user-id dscd retry-enable on.
To set the retry time: debug user-id dscd retry-time set-time <1-10>. The default value is 5 seconds.
To set the number of retry attempts: debug user-id dscd retry attempts set-attempts <3-10>. The default value is 5 attempts.
To disable the retry mechanism: debug user-id dscd retry-enable off.
Additionally, a system log is now generated when a group sync fails, and you are able to monitor the group sync status with the following CLI commands:
  • show user group count list cloud-identity-engine
  • show user group count name <group_name>
PAN-279699
Fixed an issue on M-600 line cards where the /var/log/messages file flooded with i40e 0000:81:00.1: ARQ: Unknown event 0x0000 ignored messages, causing the root partition to fill up and prevent PAN-OS upgrades.
PAN-278688
Fixed an issue where DNS Security threat logs were not displayed on the firewall when packet capture was enabled and the domain name length was 62 characters.
PAN-278611
Fixed an issue on Panorama where software images were not purged from the /opt/pancfg/mgmt/sw-images folder.
PAN-277971
Fixed an issue where the PA-5220 firewall reported inaccurate NetFlow statistics for DNS flows after upgrading to PAN-OS 10.2.13.
PAN-277178
Fixed an issue on Panorama where you were unable to delete a shared object due to the rulebase incorrectly referencing the shared object instead of the device group-specific object when the name was used.
To use this fix, delete the original shared object after cloning it to a device group with the same name.
PAN-276525
Resolved multiple issues affecting IPSec tunnels using NAT Traversal (NAT-T) when a Dynamic NAT policy was configured (including Dynamic NAT or DIPP). During rekey events, tunnels could go down or flap due to incorrect session handling. This issue impacted both cluster and standalone deployments.
PAN-275050
Fixed an issue where the Japanese translation for the URL filtering option to add a trailing slash to entries and the device license status error was incorrect.
PAN-274484
Fixed an issue where commits failed when Data Services in a Service route configuration was configured with the MGMT interface.
PAN-273487
Fixed an issue where the distributord process restarted on firewalls in multi-vsys environments with User-ID configured and Panorama as a redistribution client. This occurred when a large volume of IP address-to-user mappings were learned.
PAN-273158
(PA-7000 Series firewalls only) Fixed an issue where an incorrect ASIC configuration caused silent packet drops or application slowness when receiving a mix of jumbo and non-jumbo packets.
PAN-273028
Fixed an issue where manual SCP exports from firewalls in FIPS mode were successful to SCP servers that were not FIPS-compliant. This occurred because the manual SCP process did not enforce FIPS security checks.
PAN-272432
Fixed an issue where Panorama and Cortex Data Lake (CDL) logs displayed incorrect interface names without node IDs for cluster firewalls.
PAN-272245
Fixed an issue where the dnsproxy process stopped responding due to memory corruption caused by a race condition when the allow list downloading was impacted by a configuration change.
PAN-271507
(PA-5450 firewalls only) Fixed an issue where the DPC on slot 3 intermittently stopped responding due to an all_pktproc restart.
PAN-271239
Fixed an issue where searching for the GlobalProtect client version browser in Panorama logs returned no results.
PAN-268038
Fixed an issue where the routed process on Orion-ZTNA NGFW Connectors stopped responding when a destination FQDN path monitor configuration was present and the show routing path-monitor CLI command was executed due to the CLI command handler dereferencing a null pointer without proper validation.
PAN-267965
(Firewalls on Amazon Web Services (AWS) environments only) Fixed an issue where newly bootstrapped firewalls sent an incorrect, non-DHCP-assigned hostname to the SNMP server. This occurred because the SNMP process referred to a configuration file that was not updated due to a missing configuration commit.
PAN-267614
Fixed an issue where the Panorama web interface was slower than expected due to high CPU utilization on the mongodb process.
PAN-267450
Fixed an issue where the reportd process stopped responding with a SIGSEGV at schedule_report_es_response.
PAN-266843
Fixed an issue on airgapped firewalls where cloud connection errors flooded the system logs.
PAN-265744
Fixed an issue where the firewall repeatedly generated false critical alerts due to an Intel firmware issue.
PAN-264762
Fixed an issue where the firewall showed the status of SFP+ interfaces as not up, or up but not configured, when a PAN-SFP-PLUS-SR cable was connected.
PAN-263691
Fixed an issue where the firewall rebooted unexpectedly due to a memory leak in the all_task process.
PAN-262353
Fixed an issue where, when Panorama was upgraded but log collectors were on an earlier version, logs from a log collector group were not viewable on a Panorama.
PAN-259853
Fixed an issue where, when the DHCP server was enabled for GlobalProtect, the commit error message was not properly displayed when Any was selected as the source interface in the service router configuration (Device > Setup > Service > Service Router Configuration).
PAN-259785
Fixed an issue where the devsrvr process restarted and created a core dump because two threads did not terminate correctly.
PAN-255879
Fixed an issue where the threat name on the firewall report PDF was blank.
PAN-253504
Fixed an issue where commits did not return an error message when an invalid Log Forwarding Filter was configured.
PAN-250339
Added an improvement to automatically clean up idle HTTP connection pools to address an issue where idle connection pools accumulated when a circuit breaker limit was reached, which caused client requests to fail with a 503 no_healthy_upstream error.
PAN-248913
Fixed an issue where the Elasticsearch client certificate was not auto renewed, which caused it to enter a Red state, and logs were not displayed in Panorama.
PAN-242952
Fixed an issue where high SSL traffic depleted flex memory, which prevented the firewall from revalidating SSLVPN client CAs during configuration pushes.
PAN-238208
Fixed an issue where the firewall API returned inconsistent responses to a failed call using a valid API key. With this fix, the firewall returns the error Session is invalid if the session is not available for the cookie.
PAN-237294
Fixed an issue where the interface rate counter intermittently went to zero frequently.
PAN-209516
Fixed an issue where, when creating an interface, an error occurred when you clicked OK without providing a value in the Tag field even though the field was not displayed as mandatory.
PAN-185731
Fixed an issue where the firewall was unable to parse the URL path and host when the host header was located in a different packet, which resulted in the firewall not logging the URL path in the first packet.
The fix is disabled by default. The following CLI commands can be used to enable/disable the feature:
  • set system setting ctd url-crosspkt-host-path-caching enable
  • set system setting ctd url-crosspkt-host-path-caching disable
  • set system setting ctd url-crosspkt-host-path-caching default