PAN-OS 12.1.7 Addressed Issues

The following table lists the addressed issues in PAN-OS 12.1.7.
Issue ID
Description
Fixes were made to address the following CVEs:
PAN-322815
(VM-Series firewalls on Microsoft Azure environments only) Fixed an issue where the firewall entered maintenance mode after enabling FIPS-CC mode and rebooted.
PAN-322681
Fixed an issue where the PDF Summary Reports were not generated correctly after upgrading to an affected release.
PAN-322630
Fixed an issue where IKE gateways were not visible within Panorama Templates under Network Profiles from a custom administrator role after upgrading to an affected PAN-OS release.
PAN-320897
Fixed an issue where the firewall did not detect evasions due to TCP checksum offloading not being enabled.
PAN-318288
Fixed an issue where traffic initiated from Microsoft Azure to an on-premises firewall was not decrypted, which caused the firewall to drop the traffic. This occurred due to the firewall incorrectly identifying SPI values.
PAN-318275
(VM-Series firewalls only) Fixed an issue where the firewall became unresponsive and did not automatically reboot, which led to prolonged outages. With this fix, the Linux kernel configuration will trigger a system panic and reboot.
PAN-317772
Added a fix to improve performance in lossy network conditions.
PAN-317583
Fixed an issue with intermittent ICMP ping drops and packet loss in traffic flows between a hub and branch after upgrading to an affected PAN-OS release due to incorrect SD-WAN path monitor state.
PAN-317548
Fixed an issue where an IMA violation occurred when Panorama accessed GRUB during the installation process, which caused upgrades from PAN-OS 12.1.4 to PAN-OS 12.1.5 to fail.
PAN-317466
Fixed an issue where SIP sessions stopped progressing after the firewall received packets that were fragmented at a header field.
PAN-317215
(VM-Series firewalls on ESXi with Intel E810 NICs using PCI passthrough) Fixed an issue where the brdagent process became unresponsive during data port initialization, which resulted in system instability, interface outages, HA split-brain conditions, and unexpected reboots during failover.
PAN-317177
Fixed an issue on firewalls in DHCP Client mode where, after upgrading to an affected release, the SNMP process unexpectedly restarted after a commit, which led to false interface flap notifications on SNMP managers.
PAN-317068
Fixed an issue on the Panorama web interface where you were able to enable IPv6 for IKE gateways and IPSec tunnels even when IPv6 WAN was disabled, which resulted in an invalid configuration. To utilize this fix, upgrade to the latest Panorama plugin.
PAN-316937
Fixed an issue where GlobalProtect users intermittently received incorrect private IP addresses after connecting to a gateway behind a Network Load Balancer (NLB).
PAN-316740
Fixed an issue where, after upgrading to an affected release, HCE profiles exceeded the maximum character length when generated automatically, which caused subsequent commit operations to fail with a validation error. This occurred when HIP objects were associated with HIP profiles prior to the upgrade.
PAN-316605
Fixed an issue where HIP redistribution to remote network nodes from external gateways resulted in a large number of error messages in User-ID logs.
PAN-315965
Updated TCP proxy fast recovery behavior to follow RFC 5681.
PAN-315912
Fixed an issue where the Maximum Segment Size (MSS) rewrite functionality for packets ingressing through SD-WAN interfaces on firewalls was not optimized.
PAN-315134
Fixed an issue where, after an upgrade, IoT Devices > Asset Inventory did not display device data even though the system reported a total count of devices.
PAN-315005
Fixed an issue where configured RIPv2 timer parameters were not applied when the profile was configured with custom update, expire, and delete values, and the system continued to use the default timer settings, which caused unexpected route removal and network disconnections.
PAN-314823
Fixed an issue where the management interface became unresponsive when attempting to untag an IP address via the web interface.
PAN-314365
Fixed an issue where the logrcvr process stopped responding for traffic containing multiple XFF headers when URL XFF header logging was enabled along with additional XFF header logging, which caused subsequent commits to fail.
PAN-314319
Added a CLI command to enable and disable AHO software offload optimization.
PAN-314147
Fixed an issue where SSL traffic was dropped on SD-WAN DIA interfaces whose members had different MTU values.
PAN-314020
Fixed an issue where the firewall did not decapsulate GENEVE packets when DNS Security retransmitted a DNS query after receiving a verdict from the cloud.
PAN-313623
Fixed an issue where the /opt/pancfg/mgmt/ssl/private/ directory on Palo Alto Networks devices with TPM support became 100% utilized due to an accumulation of undeleted .pub_pem files. This occurred because executing the show device-certificate status CLI command initiated a process that generated these files but failed to remove them, which prevented the fetching of new device certificates.
PAN-313606
Fixed an issue where commits pushed from Panorama took longer than expected to complete, without displaying an error message, due to slow cloud-app compilation.
PAN-312514
Fixed an issue where correlation logs were not forwarded via syslog or email.
PAN-312354
Fixed an issue where Captive Portal authentication redirects failed for HTTPS traffic when a user attempted to access internal HTTPS websites via URL, which led to ERR_CONNECTION_RESET error messages in the browser with SSL decryption and CTD handshake inspection enabled.
PAN-311938
Fixed an issue where autocommits failed after an upgrade due to configuration memory allocation issues and 100% policy rule cache usage when both DNS Rewrite and URL Custom Category Match were configured.
PAN-311040
Fixed an issue where the all_task process stopped responding and caused the firewall to reboot unexpectedly.
PAN-310851
Fixed an issue where firewalls experienced snmpd log flooding with messages such as update_ifTable_utilization_rates(pan_interfacecache.c:1720): Last time is 0 for dedicated-ha2., which caused the snmpd log to overflow and be cleared every five minutes. This occurred because the snmpd process attempted to calculate interface utilization rates without first verifying if the interface had valid sysd configuration data, as the code incorrectly assumed all interfaces in the MIB would possess valid sysd data.
PAN-308564
Fixed an issue where packets were dropped on SD-WAN interfaces when a proxy was enabled due to an MTU inconsistency where the firewall failed to rewrite the maximum segment size in SYN/ACK packets based on the SD-WAN virtual interface MTU.
Note: This fix does not apply when the traffic egress interface is an SD-WAN Direct Internet Access (DIA) interface and a proxy is enabled.
PAN-308377
(PA-7000 Series firewalls with an LFC in HA configurations only) Fixed an issue where the firewall reached 100% disk utilization due to the logrcvr process repeatedly restarting and dumping core files due to a blocked hints processing thread, which caused a failover.
PAN-304360
Fixed an issue where the firewall did not redistribute its application routes to BGP peers. This occurred in multi-mesh deployments with the multi-cloud networking feature enabled.
PAN-302855
Fixed an issue where multiple processes restarted, which caused the firewall to become unstable when processing traffic.
PAN-302512
(Log Collectors in HA configurations only) Fixed an issue where log collectors displayed a disconnected inter-log collector status.
PAN-300615
Fixed an issue where the pan_comm process stopped after multiple content versions were installed and the memory limits were reached.
PAN-296635
Fixed an issue where the reportd process on passive Panorama management servers leaked memory due to scheduled report handling from the Strata Logging Service (SLS). This memory leak occurred daily, consuming available memory until the process was restarted.
PAN-295806
Fixed an issue where memory leaks on the configd process occurred due to a hash insert operation failing during connection management and SSL connections.
PAN-294998
Fixed an issue where the LogDB incorrectly reported that the database quota for extpcap logs was reached.
PAN-289757
Fixed an issue where policy rule imports were blocked when any was in the source device column, which prevented the use of inbound policy rule recommendations. Additionally, when the source profile name was missing for inbound behaviors, a default policy rule name could not be generated.
PAN-282335
Fixed an issue where firewalls in a cluster experienced approximately 50% packet loss on IPSec NATT tunnels when tunnel acceleration was enabled.
PAN-273805
Fixed an issue where SAML authentication for GlobalProtect failed when the GlobalProtect portal was accessed externally on a non-standard port.
PAN-273028
Fixed an issue where manual SCP exports from firewalls in FIPS mode were successful to SCP servers that were not FIPS-compliant. This occurred because the manual SCP process did not enforce FIPS security checks.
PAN-260661
Fixed an issue where daily email reports generated from the custom report did not display the report details in PDF or CSV files.