PAN-OS 11.2.5 Addressed Issues

Fixed an issue where upgrading Panorama and pushing configurations to the firewall caused an IKE version mismatch, which resulted in IPSec tunnel failure with the peer device.

Fixed an issue where a syntax error in the index generation script caused a high management plane CPU load after upgrading.

Fixed an issue where the endpoint ID was not populated in logs when the least significant word of the Geneve header was 0.

Fixed an issue on firewalls in HA configurations where, when using the Cloud Identity Engine (CIE), the firewall experienced consistent memory leaks on the active firewall, which caused unexpected failovers.

Fixed an issue where configuration pushes from Panorama to the firewall failed due to an OOXML commit error.

Fixed an issue where the userid process stopped responding due to memory was being reset to NULL when it was freed.

Fixed an issue where early TLS data was not handled correctly by the accumulation proxy.

Fixed an issue where indices were not opened after a query.

Fixed an issue where the Panorama web interface was slower than expected when querying for device tags.

Fixed an issue where ElasticSearch was not set up after an upgrade.

Fixed an issue where whitespace was added before the timestamp in syslog logs forwarded from Panorama.

Fixed an issue where the firewall stopped responding when receiving a high number of logs.

Fixed an issue where the wifclient might crash during server cert verification for MICA gRPC connections and cause the dataplane to restart when using a cloud-based ML detection engine (MICA). On certain platforms, this caused the firewall to reboot periodically.

Fixed an issue where the firewall stopped responding due to a NULL pointer dereference when path monitoring failed.

Fixed an issue where Panorama was slower than expected when using a high number of device group tags in a non-shared context.

Fixed an issue where IP address tags were removed from firewalls after a management server or userid process restart. This occurred when a Panorama serial-number based configuration was used for User-ID redistribution.

Fixed an issue where traffic was dropped when the accumulation proxy was enabled and header insertion modified packets.

Fixed an issue where the firewall was unable to generate a TSF file due to a full root partition.

Fixed an issue on the firewall where the PAN-DB URL Filtering license displayed as Valid even when the firewall did not have the license, which caused traffic to drop.

Fixed an issue where Managed Devices > Summary displayed incorrect subcolumns.

Fixed an issue where the firewall stopped responding during session setup for ECMP hit-count updates.

Fixed an issue where Panorama administrators were unable to select Edit Selection when pushing changes to devices if they logged in using TACACS authentication.

Fixed an issue on firewalls in active/passive HA configurations where, after a failover, irrelevant routing FIB entries were seen in the routing table on the newly active firewall.

Fixed an issue where URL filtering response pages were not displayed for sites that were blocked as a result of SSL/TLS handshake inspection.

Fixed an issue where commits remained at 98%, which resulted in the BGP connection flapping.

Fixed an issue where BFD sessions did not come up even when BGP peering was established.

Fixed an issue where UserID stopped working when the show object registered user CLI command was used with start-point and limit options.

Fixed an issue where all_task processes stopped responding on the remote network firewall, which caused tunnels to go down and the pan_task CPU usage to approach 100%.

Fixed an issue where a port was able to be connected from outside the network. With this fix, the port is restricted to the local interface.

Fixed an issue on Panorama where Elasticsearch repeatedly restarted.

Fixed an issue where multicast streams were unstable with ECMP and dropped every 30 seconds.

Fixed an issue on the Panorama web interface where you were unable to click OK after selecting an install package type and file from the dropdown and selecting a firewall.

Fixed an issue where filtering BGP routes by peer name in Advanced Routing Engine (ARE) did not display the correct routes.

Fixed an issue on Panorama where a cyclic nested address group configuration caused the configd process to stop responding after a commit.

Fixed an issue where unexpected path monitor failures caused the firewall to stop responding.

Fixed an issue where administrators were unable to edit or add virtual router configurations when a filter was applied to the viewer.

Fixed an issue where the number of hints values were not updated even when there were no hint files on the system.

Fixed an issue where Hybrid-SWG explicit proxy connections failed when the number of destination domains exceeded 1024.

Fixed an issue where BFD sessions took longer than expected to establish after an HA failover due to BGP.

Fixed an issue where the restart option for IPSec tunnels was greyed out (Network > IPSec Tunnels > IKE Info).

Fixed an issue on the firewall where a configuration policy push caused both active and passive firewalls to go down when a high number of spyware profiles and vulnerability profiles were pushed to the dataplane.

Fixed an issue where administrator sessions were logged out with an ERR_CONNECTION_REFUSED error on the browser.

Fixed an issue where the escd process caused a memory leak when session resiliency was enabled on the firewall.

Fixed an issue where some URLs were not blocked when added to the URL Category.

Fixed an issue on the Panorama web interface where the OK button on the GlobalProtect gateway configuration dialog box was not clickable.

Fixed an issue where the restart option for IPSec tunnels was greyed out when you attempted to restart the tunnel from Network > IPSec Tunnels > IKE Info.

Fixed an issue where you were unable to download PDFs when connected via a Clientless VPN.

Fixed an issue where the flow process restarted with the error message SIGABRT __GI_raise __GI_abort __libc_message malloc_printer.

Fixed an issue where DNS queries for uppercase internal domain (SRV record) timed out when DNS Security was enabled.

Fixed an issue where multiple segments of HTTP proxy connect messages were not handled correctly by proxy.

Fixed an issue where Import GlobalProtect Client Package did not work after clicking OK after selecting a valid package under Device > GlobalProtect Client > Upload).

Fixed an issue where a kernel race condition caused the firewall to reboot with a kernel panic.

Fixed an issue where the firewall created multiple connections to a syslog server and remained in the FINWAIT1 state, which caused logs to drop while being forwarded to the syslog server.

Fixed an issue on the Panorama web interface where it took longer than expected to edit Security policy rules.

Fixed an issue on Panorama where the configd process stopped responding when viewing IP addresses on dynamic address groups with a large number of IP addresses.

(PA-3440 firewalls only) Fixed an issue where the firewall was unable to validate or commit a configuration when it was imported from another firewall model.

Fixed an issue where OSPF adjacencies failed to come up when using a subinterface ID with more than 3 digits on Ethernet ports 1/10 and higher.

(PA-220 firewalls only) Fixed an issue where Device > Setup was not displayed on the web interface.

Fixed an issue where Preview Changes did not display configuration changes in Commit and push > Push Scope.

Fixed an issue where HTTP POST requests were blocked for URLs that had the block-continue category configured.

Fixed an issue where the CLI and XML API values for the show system environment command did not match.

(PA-5400 Series firewalls only) Fixed an issue where the firewall sent correlated event logs to the syslog server using the management interface instead of the log interface.

Fixed an issue on the firewall where, when a NAT transversal IPSec tunnel was terminated, and the NAT rule that was applied to the NAT-T IPSec tunnel was on the same firewall, traffic flowing through the tunnel was not correctly translated.

Fixed an issue where log collectors had a low incoming log rate.

(PA-440 firewalls only) Fixed an issue where a firewall running PAN-OS 11.1.2-h3 only displayed the Auto option for the interface duplex setting.

(VM-Series firewalls only) Fixed an issue where the firewall received no-license packet buffers instead of memory based packet buffer numbers.

Fixed an issue where disk space that was used by file descriptors was not freed, which caused the root partition to become full and Panorama to be inaccessible.

(PA-850 firewalls only) Fixed an issue where the firewall stopped responding and rebooted after upgrading to PAN-OS 11.1.4.

Fixed an issue where commits from Panorama to Panorama virtual appliances failed with the error message Internal error during commit processing. Commit/Validate failed after upgrading Panorama.

Fixed an issue where Microsoft Outlook did not work as expected when the GlobalProtect clientless VPN was configured.

Fixed an issue where the management interface flapped when IPv6 was disabled and DHCPv6 was enabled.

(PA-5440 and PA-5445 firewalls only) Fixed an issue where interrupts were generated at a certain packet rate, and dataplane processes missed heartbeats, which caused the dataplane to go down.

Fixed an issue where Netflow User ID information was truncated to 31 characters.

(PA-455 firewalls in HA configurations only) Fixed an issue where the HA LED light on the front panel did not turn on even when HA was enabled.

Fixed an issue where commits failed from a Panorama appliance with a default master key to a firewall with a master key configured and a VM Information source configured.

Fixed an issue where changes made by a custom role Panorama administrator did not display in the push scope for other custom role administrators when a full commit was performed.

Fixed an issue on the web interface where cloning region objects did not work.

Fixed an issue on firewalls in HA configurations where OSPF neighbors were not established after an HA failover.

Fixed an issue where a partial configuration load failed for configuration files that contained regenerate-hostkeys.

Fixed an issue where the firewall displayed incorrect statistics for mac_transmit_err and send_deffered on PA-440 appliances running PAN-OS 10.1.9-h3.

Fixed an issue where the GlobalProtect client did not display the dialog box for an MFA verification code.

(Firewalls in HA configuration only) Fixed an issue where link-down events did not occur after an HA failover.

(VM-Series firewalls on Microsoft Azure environments only) Fixed an issue where, when Accelerated Networking was enabled, traffic was dropped because of the 'flow_parse_ip_hdr' counter related to an Nvidia driver issue.

Fixed an issue where GlobalProtect clients randomly fell back to the SSL tunnel as the gateway dropped the initial three keepalive packets.

Fixed an issue where the firewall incorrectly logged the XFF IP in threat logs when a single HTTP header was used.

(Firewalls in active/active HA configurations only) Fixed an issue where packet loss occurred when dataport was used for HA3 for asymmetrically routed traffic during commits and a virtual wire was configured .

Fixed an issue where the firewall dropped the Real Time Transport Protocol (RTP) session for the second SIP call on Persistent-DIPP connections when the source port of the client device was reset.

Fixed an issue on the firewall where DPDK allocated twice the amount of memory as requested for pre-allocation.

(PA-5410 firewalls in active/passive HA configurations only) Fixed an issue where the reportd process restarted, which caused the firewall to reboot.

(Firewalls in active/active HA configuration only) Fixed an issue where the firewall displayed the HA2 status as down when the HSCI port was used for both HA2 and HA3.

Fixed an issue on Panorama where importing a certificate for a template stack configuration incorrectly prompted for a passphrase as a required field.

Fixed an issue where the firewall did not autocommit after a reboot when the cellular interface was configured as a local interface for the IPSec Satellite and the IP address was allocated dynamically.

Fixed an issue where GlobalProtect users were unable to switch gateways after upgrading to GlobalProtect version 6.2.3.

A CLI command was introduced to address an issue where TCP packets were out of order.

Fixed an issue where servers were not accessible through an active SSL GlobalProtect VPN tunnel until a new connection was established or the session was cleared on the firewall.

Fixed an issue on the Panorama web interface where the progress bar did not complete when importing a vulnerability profile configuration through an XML file.

Fixed an issue where the firewall did not send a client certificate after a TLS Certificate Request when establishing a secure syslog connection.

Fixed an issue where the firewall displayed inaccurate throughput utilization stats in NetFlow analyzer tools.

Fixed an issue on firewalls in HA configurations where a network loop was detected by switches after suspending HA on the active firewall.

Fixed an issue where the management plane CPU usage was not calculated correctly on firewalls with integrated an dataplane and management plane.

(PA-440 firewalls only) Fixed an issue where the system clock reset to the epoch date and time after 8 to 12 weeks of shelf life or no power.

Fixed an issue on Panorama where UpdateLicDB was triggered every few minutes when firewalls with PAYG licenses were onboarded.

Fixed an issue where the firewall did not include the NAS-ID and NAS-IP attributes in the RADIUS Access-Request message when using PEAP-MSCHAPv2 authentication.

Fixed an issue for fixed model licenses to support new content size requirements by reducing the total sessions supported to be equivalent to their flex memory counterpart

Fixed an issue where selective push operations failed with the error message: Failed to generate selective push configuration. Schema validation failed. Please try a full push.

Fixed an issue where BGP Aggregate Advertise filters did not work as expected when the summary option was enabled, and only summarized routes were advertised.

Fixed an issue where GlobalProtect on macOS clients did not connect when using a client certificate and the X.509 policy was set to Use System Default.

Fixed an issue where the management plane DNS cache size was lower than expected.

Fixed an issue where secondary IP addresses with a /32 prefix configured on Layer 3 interfaces were not reachable in FRR mode.

Fixed an issue where the firewall consumed a large amount of memory when forwarding raw logs.

Fixed an issue where the firewall generated a devsrvr core file when processes were restarted.

Fixed an issue where the firewalls behind an Amazon Web Services (AWS) Gateway Load Balancer (GWLB) stopped responding when processing GENEVE packets with the reserved bit set.

Fixed an issue on Panorama where traffic log details were not displayed under detailed log view.

(PA-7000b firewalls only) Fixed an issue where Luna Network Hardware Security Modules (HSM) did not work after an upgrade or downgrade.

(Panorama appliances in HA clusters only) Fixed an issue where, after replacing a secondary Panorama appliance in a Panorama HA cluster, the ElasticSearch cluster was unable to establish SSL tunnels due to SSLHandshakeException errors.

Fixed an issue on Panorama where the web interface was slower than expected or unresponsive when monitoring definitions were added in the Kubernetes plugin.

Fixed an issue where the firewall displayed truncated zone names in the Block IP List log when a zone name contained more than 14 characters.

Fixed an issue where WildFire Analysis reports were not generated and the following error message was displayed: Error 500: Internal Server Error.

Fixed an issue where the firewall displayed the SFP ports as PowerDown when the SFP transceiver was removed and reinserted or the port was shut down and brought back up on the peer device.

Fixed an issue on Panorama where upgrades failed with validation errors.

Fixed an issue where policy rule configurations pushed from Panorama were not reflected on the firewall if the rule had 63 characters.

Fixed an issue where virtual wire ports did not go down when moving from an active state to a suspended state.

Fixed an issue on the Panorama web interface where products in HIP objects were not displayed correctly.

(Firewalls in HA configurations only) Fixed an issue where HA path monitoring did not work as expected when using vwire.

Fixed an issue on the Panorama web interface where Security policy rules loaded more slowly than expected.

Fixed an issue on Panorama Template where the virtual wire subinterface page did not display all fields and the OK button did not work.

Fixed an issue where the firewall dropped the SYN-ACK when using the TCP Fast Open option.

Fixed an issue on Panorama where Test Security Policy Match failed when the From or To zone fields were populated.

Fixed an issue where the firewall stopped responding when it received RADIUS traffic and user equipment (UE) traffic at the same time on a Network Processing Card (NPC)

Fixed an issue where show commands were hidden for superusers in read-only roles.

Fixed an issue where the firewall returned a 404 error for all sites accessed through the clientless VPN portal.

(VM-Series firewalls only) Fixed an issue where observed warning message during commit completion & critical system log when configuration size exceeded the maximum recommended configuration size.

Fixed an issue where CSV or PDF exports of zones did not contain all zones.

(Firewalls in active/passive HA configurations only) Fixed an issue where firewalls entered a non-functional state and displayed the error message Dataplane down: path monitor failure during the fail-over.

"Fixed an issue on the web interface where Match Evidence log details for Monitor > Correlated events did not populate."

Fixed an issue where a custom portal login page was not displayed correctly in the GlobalProtect portal when using a customized portal landing page.

Fixed an issue on the Panorama interface where Traffic and Unified event details loaded more slowly than expected.

Fixed an issue where the memory usage reported by SNMP did not match the memory usage reported by the top command.

Fixed an issue where Panorama was unable to push firmware updates to a VM-Series firewall with a PAYG license.

Fixed an issue where DHCPv6 relay was not working in Advanced Routing mode when the firewall was configured as a DHCP relay agent.

Fixed an issue where, when you cloned an admin role or an LDAP server profile and then changed the name of the clone, the configuration change was not reflected on the managed firewall after pushing the configuration from Panorama.

(Firewalls in active/passive HA configurations only) Fixed an issue where GTP sessions remained as allocated sessions on the passive firewall even when there were no active sessions.

Fixed an issue where, after replacing a Panorama appliance or log collector, the secondary Panorama appliance or log collector displayed a disconnected status for the inter-log collector connection.

Fixed an issue where persistent DIPP NAT entries were deleted even when being used during an active session.

Fixed an issue where a memory leak in the sslmgr process caused the firewall to restart.

Fixed an issue on the firewall where CLI commands returned Server error: op command for client dagger timed out as client is not available.

Fixed an issue where the firewall booted into maintenance mode when there was no connectivity to the specified hardware security module (HSM).

Fixed an issue where GlobalProtect user-to-IP address mapping was removed even though the tunnel for the specific user was up and traffic was being passed.

(PA-5400 Series firewalls only) Fixed an issue where you were unable to use SNMP polling o monitor the status of power supply units.

Fixed an issue where the Panorama management server stopped responding.

Fixed an issue where excessive Timed out while getting config lock error messages were generated when making bulk changes via XML API.

Fixed an issue where GlobalProtect logs showed the public IPv4 address in the private IPv4 address field for logs generated during portal/gateway negotiation.

(PA-7050 firewalls with DPC and 100G NPCs only) Fixed an issue on the firewall where you were unable to change the flow key type from tag to tuple.

Fixed an issue on Panorama where unused objects were pushed to the firewall, which caused the push operations to intermittently fail.

Fixed an issue where ikemgr process unexpectedly stopped due to a memory mapping in an incorrect location.

(Firewalls in active/passive HA configurations only) Fixed an issue where dataplane packet capture filter configuration failed on the active firewall with the error op command for client dagger timed out as client is not available.

Fixed an issue where multiple SSHD process restarts triggered a firewall reboot when the login banner and SSH host keys were updated at the same time.

Fixed an issue where the LSVPN tunnel monitoring status displayed as No data available after re-key events.

Fixed an issue where the clientless VPN did not carry authentication to other tabs.

Fixed an issue where services with the reserved keyword application-default were allowed.

Fixed an issue where you were unable to select device groups in the push scope for user accounts.

Fixed an issue on the firewall where changes were incorrectly applied after a reboot or a restart of the configd process.

Fixed an issue where Panorama did not forward logs to a syslog server over an SSL connection using CRL as a revocation verification method.

Fixed an issue where, when the GlobalProtect portal was not configured, accessing the GlobalProtect gateway still loaded a portal malformed page.

Fixed an issue where the firewall stopped responding when processing authentication requests.

Fixed an issue where the firewall web interface displayed incorrect PPPoE configuration options under the subinterface of an Aggregate Ethernet interface.

(PA-5450 firewalls in active/active HA configurations only) Fixed an issue where firewall traffic was silently dropped when sent to the peer owner.

Fixed an issue where the task manager failed with a 504 error when a large number of previous jobs or tasks were present.

(VM-Series firewalls only) Fixed an issue where multiple processes exited due to an OOM condition and caused a network outage.

Fixed an issue where stale BGP routes were advertised to peers even when they were not present in the local RIB table.

Fixed an issue where an internal error message was displayed when you selected Exclude video traffic from the tunnel (Windows and macOS only).

Fixed an issue on Panorama where configuration locks were observed during a partial rulebase commit.

Fixed an issue where content upgrade installation failed with the error Error: can't find cert <cert> when using cloud interfaces.

Fixed an intermittent issue where the OSPF ABR option was disabled when a static route was added.

Fixed an issue where a firewall with a copper SFP transceiver (PAN-SFP-CG) flapped during a commit.

Fixed an issue on Panorama where commits failed due to a timeout in the sysd process during decryption.

Fixed an issue where, when you were connected to the VPN and enabled the client accelerator, you were disconnected from the VPN.

Fixed an issue on the Panorama web interface where tagging a new user failed the error message Tags addition failed.

Fixed an issue where intermittent 500 errors occurred when making API calls to the firewall.

Fixed an issue where the GlobalProtect VPN connection inactivity TTL value became negative, which caused the VPN to disconnect when the system time was changed back to the past time.

(PA-5450 firewalls only) Fixed an issue where the firewall dropped packets when attempting to reuse a TCP session.

Fixed an issue on Panorama where custom GlobalProtect reports displayed inaccurate values.

Fixed an issue where the web interface stopped responding when you searched for members in an address group that contained more than 500 members.

Fixed an issue where the Rule usage columns of overridden default policy rules on the Security policy page stopped responding.

Fixed an issue where GlobalProtect clients experienced slow SMB-V3 download throughput when passing through a Prisma IPSec tunnel and the firewall and the SMB-V3 session owner dataplane was the same as the IPSec-ESP tunnel on the multi-dataplane firewall.

(Panorama virtual appliances in Microsoft Azure environments only) Fixed an issue where a bootstrapped Panorama appliance did not automatically retrieve the CDL license, which resulted in the firewall not automatically sending logs to CDL.

Fixed an issue where, after a selective push of the configuration, a parent device group object with multiple child device groups was not shown in the device group's push scope.

Fixed an issue where IPSec transport mode failed when the firewall was the initiator.

Fixed an issue that caused the firewall's fan speed to increase while it was idle.

Fixed an issue where some commands did not have executable permissions.

Fixed an issue on Panorama where different threat names were used when querying a threat under Threat Monitor (Monitor > App Scope) and the ACC. This resulted in the ACC displaying no data after clicking a threat name in Threat Monitor and filtering it in the global filters.

Fixed an issue where renaming a device group and then performing a partial commit led to the device group hierarchy being incorrectly changed.

Fixed an issue where the management server access log file did not rotate, which caused the root partition to become full and led to system instability.

(PA-5410 firewalls only) Fixed an issue where the management interface went down and an error message displayed in the show interface management CLI command output.