(

FIPS-CC enabled firewalls only

) Fixed an issue where the firewall was unable to connect to log collectors after an upgrade due to missing cipher suites.

Fixed an issue where the firewall onboard packet processor used by the PAN-OS content-inspection (CTD) engine can generate high dataplane resource usage when overwhelmed by a session with an unusually high number of packets. This can result in

resource-unavailable

messages due to the content inspection queue filling up. Factors related to the likelihood of an occurrence include enablement of content-inspection based features that are configured in such a way that might process thousands of packets in rapid succession (such as SMB file transfers). This can cause poor performance for the affected session and other sessions using the same packet processor. PA-3000 series and VM-Series firewalls are not impacted.

Fixed an issue on Panorama where a deadlock in the configd process caused both the web interface and the CLI to be inaccessible.

Fixed an issue with the dnsproxyd process that caused the firewall to unexpectedly reboot.

Fixed an issue where tunnel-monitoring interface was incorrectly shown as up instead of down.

Fixed an issue where the firewall dropped packets decrypted using the SSL Decryption feature and Encapsulating Security Payload (ESP) IPSec packets that originated from the same firewall. This occurred when

Strict IP Address Check

was enabled in the zone protection profile (

Packet Based Attack > IP Drop

) and the packet's source IP address was the same as the egress interface address.

Fixed an issue where the firewall sent fewer logs to the system log server than expected. With this fix, the firewall accommodates a larger send queue for syslog forwarding to TCP syslog receivers.

Fixed an issue on FIPS-enabled devices where modifying any configuration of an existing GlobalProtect portal failed with the following error message:

Operation failed : Malformed request

.

(

PA-5220 firewalls only

) Fixed an issue where the firewall generated pause frames, which caused network latency.

Fixed an issue where, after clicking

WildFire Analysis Report

, the web interface failed to display the report with the following error message:

refused to connect

.

Fixed an issue with SCEP certificate enrollment where the incorrect Registration Authority (RA) certificate was chosen to encrypt the enrollment request.

(

Panorama appliances in HA configurations only

) Fixed an issue where, when using Prisma Access multitenancy, the passive appliance didn't correctly update the tenant information after the tenant was deleted on the active appliance.

Fixed an issue with DNS cache depletion that caused continuous DNS retries.

Fixed an issue where the

bcm.log

and

brdagent_stdout.log-<datestamp>

files filled up the root disk space.

Fixed an issue where, when SIP traffic traversing the firewall was sent with a high Quality of Service (QoS) differentiated service code (DSCP) value, the DSCP value was reset to the default setting (CS0) for the first data packet.

Fixed an issue where decrypting large packets introduced congestion during content inspection, which caused processes to stop responding due to missed heartbeats.

(

Firewalls in HA configurations only

) Fixed an issue where the HA1 heartbeat backup flapped with the following error message:

Unable to send icmp packet:(errno: 105) No buffer space available

.

Fixed an issue that occurred after upgrading to a PAN-OS 9.0 or later release where commits to the firewall configuration failed with the following error message:

statistics-service is invalid

.

(

PA-3200 Series firewalls only

) Fixed an issue where multiple processes stopped responding, which caused the firewall to reboot.

Fixed an issue where the following operational mode commands were not reboot persistent:

Fixed an issue where a deadlock on

CONFIG_LOCK

caused both the web interface and CLI commands to time out until the mgmtsrvr process was restarted.

Fixed an issue where changing SSL connection validation settings for system logs caused the mgmtsrvr process to stop responding.

Fixed an issue where PDF summary reports were empty when they were generated by a user in a custom admin role.

(

M-200 and M-500 appliances only

) Fixed a capacity issue that was caused by high operational activity and large configurations. This fix increases the virtual memory limit on the configd process to 32GB.

(

PA-220 Series firewalls only

) Fixed an issue where the `runtime-state` parameter was missing in the CLI command `request high-availability sync-to-remote`.

Fixed an issue on Panorama where a commit push to managed firewalls failed with

sctp-init is invalid

error even though SCTP settings were not configured in the corresponding template.

Fixed an issue where a race-condition check returned a false negative, which caused a process (all_task) to stop responding and generate a core file.

Fixed an issue on Panorama where long FQDN queries did not resolve due to the character limit being 64 characters.

Fixed an issue where a commit-all or push to the firewall from Panorama failed with the following error message:

client routed requesting last config in the middle of a commit/validate. Aborting current commit/validate

.

(

Firewalls in active/passive high availability configurations only

) Fixed a routing table mis-sync issue where routes were missing on the passive firewall when GRE tunnels with keepalives were configured.

Fixed an issue where the session browser did not display results when filtered for IPv6 addresses with more than 31 characters.