PAN-OS 12.1.8 Addressed Issues
Focus
Focus
Next-Generation Firewall

PAN-OS 12.1.8 Addressed Issues

Table of Contents

PAN-OS 12.1.8 Addressed Issues

Lists the addressed issues in PAN-OS 12.1.8.
The following table lists the addressed issues in PAN-OS 12.1.8.
Issue ID
Description
PAN-327009
Fixed an issue where the all_task process stopped responding.
PAN-326677
Fixed an issue where a selective push from Panorama to the firewall was successful even when applying rename operation failed in selective push, which resulted in configurations on the firewall being deleted. With this fix, the selective push will fail when applying rename operation fails.
PAN-325903
Fixed an issue where, after upgrading Panorama, a custom admin role with Object Level Changes disabled did not automatically populate out-of-sync firewalls in the push scope.
PAN-325890
Fixed an issue where licenses were not installed after bootstrapping a VM-Series firewall in an air-gapped environment.
PAN-325120
Fixed an issue on PA-415, PA-415-5G, PA-445, PA-455, and PA-455-5G platforms where certain PAN-OS versions caused intermittent connectivity failures on the Eth1/1 data port and loss of power on PoE ports.
PAN-324966
Fixed an issue on the web interface where you were unable to view new or modified App-IDs under Review Policy or Review Apps.
PAN-324370
Fixed an issue where IDE traffic did not function as expected when both HTTP head insertion and DLP inspection were enabled.
PAN-324275
Fixed an issue where requesting logging service forwarding certification information via the CLI did not work.
PAN-324014
Fixed an issue where logging disks were reported with a byte size of zero in the system status even when they were properly mounted.
PAN-323974
Fixed an issue where you were unable to add logging drives to the firewall, and validation errors occurred when pushing configurations from Panorama.
PAN-323862
Fixed an issue where SAML re-authentication failed when both IP address-to-user mapping and session cookies expired simultatneously.
PAN-323825
(Panorama appliances in Microsoft Azure environments only) Fixed an issue where Panorama continuously displayed disk-related read/write errors in the console logs.
PAN-323809
Fixed an issue where attempting to generate a ticket for the GlobalProtect portal caused Panorama to restart unexpectedly with the error message tpl is invalid.
PAN-323485
Fixed an issue where multicast radio RTP based traffic was dropped after an upgrade when the firewall performed Cloud Inline inspection, which led to an exceeded session queue for Cloud Threat Detection.
PAN-323243
Fixed an issue where the configd process stopped responding occurred when a Security policy rule was updated or refreshed in the web interface.
PAN-322815
(VM-Series firewalls on Microsoft Azure environments only) Fixed an issue where the firewall entered maintenance mode after enabling FIPS-CC mode and rebooted.
PAN-322681
Fixed an issue where the PDF Summary Reports were not generated correctly after upgrading to an affected release.
PAN-322630
Fixed an issue where IKE gateways were not visible within Panorama Templates under Network Profiles from a custom administrator role after upgrading to an affected PAN-OS release.
PAN-322402
Fixed an issue where ACC reports for a duration of seven or more days did not fully load or displayed partial information.
PAN-322390
Fixed an issue where the Enhanced Application Logging status in the Logging Service Status dashboard displayed as gray and indicated 0/0 connections, even though EAL logs were successfully forwarded to Cortex XDR.
PAN-322325
(PA-3400, PA-5400, PA-5500, and PA-5500l platforms with dedicated log interfaces only) Fixed an issue where email forwarding failed silently when the SMTP gateway was reachable only via the log-interface, even when test emails were forwarded successfully.
PAN-321937
Fixed an issue where an expired SD-WAN license caused SD-WAN tunnels to become unavailable, which resulted in traffic interruptions. With this fix, the device provides logs and commit messages about expired licenses.
PAN-321816
Fixed an issue where processes stopped responding unexpectedly.
PAN-321699
Fixed an issue where device telemetry intermittently failed to send files, which resulted in critical alerts in system files.
PAN-321527
(PA-7500 firewalls in HA cluster configurations only) Fixed an issue where, when one firewall suspended operations, the other firewall also suspended operations instead of initiating a failover, which resulted in a complete traffic outage.
PAN-321516
Fixed an issue where the dataplane restarted due to a race condition in the dataplane cache infrastructure.
PAN-321340
(Firewalls in FIPS mode only) Fixed an issue where GlobalProtect unexpectedly prompted for RADIUS authentication instead of client certificate authentication due to an OSCP validation error and subsequent CRL verification failure, which led to certificates being marked as invalid.
PAN-321222
Fixed an issue where you were unable to create an HTTP server profile an API key certificate was configured. This occurred because the generated API key exceeded the maximum character limit.
PAN-321150
Fixed an issue where the interface remained down after an upgrade.
PAN-321084
(VM-Series firewalls on ESXi platforms only) Fixed an issue where enabling link monitoring caused the brdagent process to stop responding, which caused system instability, interface outages, split-brain conditions in HA pairs, and a reboot during failover.
PAN-321081
Fixed an issue where Log Quotas incorrectly displayed a value that was higher than possible.
PAN-320598
Fixed an issue where internal and external DNS names did not resolve when connected to a GlobalProtect gateway.
PAN-320420
Fixed an issue where the show running resource-monitor ingress-backlogs API call returned an unexpected error instead of the expected resource monitoring information.
PAN-320290
Fixed an issue where ACC reports did not display data under the Area and Column graphs. This occurred when the report included dates prior to March 8.
PAN-320245
(PA-7500 Series firewalls in vwire mode only) Fixed an issue where Oracle application traffic was intermittently not processed even though connected devices sent the traffic, which led to service distruptions.
PAN-319798
(Panorama virtual appliances in AWS environments only) Fixed an issue where logging disks failed to mount or reported an unknown file system type.
PAN-319793
Fixed an issue where, after upgrading to PAN-OS 12.1.5, GlobalProtect Clientless VPN failed to access JavaScripts.
PAN-319557
Fixed an issue where graphical counters did not display correctly in the control plane or dataplane monitor logs.
PAN-319481
Fixed an issue on Panorama where system logs did not display the firewall serial numbers when Panorama retrieved logs from the SLS.
PAN-319419
(Firewalls in active/passive HA configurations only) Fixed an issue where active firewalls were unable to send device telemetry data to CDL.
PAN-319335
Fixed an issue where the firewall did not follow configured management proxy settings for OCSP and CRL queries, and instead reverted to default configurations after a process restart.
PAN-319288
Fixed an issue where a DPC in Slot 4 restarted repeatedly, which caused internal path monitoring failures and a failover event.
PAN-319266
(Cloud IPS only) Increased scale limit for zone mappings.
PAN-319228
Fixed an issue where External Dynamic List (EDL) refresh and commit operations remained in a pending state, which prevented any subsequent operations from completing.
PAN-319136
Fixed an issue where the firewall generated high-severity system log alerts due to a certificate trust issue during SSL handshakes.
PAN-318990
(GlobalProtect dual-profile MacOS/Windows deployments only) Fixed an issue where GlobalProtect commit warnings incorrectly flagged SAML default browser mismatches between authentication profiles and agent configurations.
PAN-318949
Fixed an issue where irrelevant error messages related to IoT devices filled the logrcvr logs.
PAN-318784
Fixed an issue where the firewall stopped processing traffic and all VPN tunnels went down even when the firewall remained in an active state, and the CLI became unresponsive.
PAN-318619
Fixed an issue where Geneve ingress traffic did not use the correct public IP address for return traffic.
PAN-318567
Fixed an issue where the OpenConfig plugin stopped working after a configuration update.
PAN-318288
Fixed an issue where traffic initiated from Microsoft Azure to an on-premises firewall was not decrypted, which caused the firewall to drop the traffic. This occurred due to the firewall incorrectly identifying SPI values.
PAN-318275
(VM-Series firewalls only) Fixed an issue where the firewall became unresponsive and did not automatically reboot, which led to prolonged outages. With this fix, the Linux kernel configuration will trigger a system panic and reboot.
PAN-318120
Fixed an issue where SSL traffic was silently dropped when traffic was processed by a Security policy with an Anti-Spyware profile that had Inline cloud Analysis enabled for SSL C2 Detector with an action other than allow or alert.
PAN-318106
Fixed an issue where SCM did not update device telemetry for the firewall after upgrading to an affected release.
PAN-318030
VM-Series firewalls in Hyper-V only) Fixed an issue where the throughput was reported to be twice as high as the actual traffic rate.
PAN-317867
Fixed an issue where Panorama became inaccessible and a manual reboot was required to restore access. This occurred due rapid increase in memory usage on the reportd process, which led to OOM events.
PAN-317858
Added a CLI command to address an issue where ethernet trailer padding was not removed during IPv4-to-IPv6 packet translation. This occurred when the original packet contained ethernet trailers and the translated packet exceeded the minimum MTU.
PAN-317772
Added a fix to improve performance in lossy network conditions.
PAN-317755
Fixed an issue on Panorama where selective push operations failed when plugin configurations included access-domain or log-collector references.
PAN-317749
Fixed an issue where the commit scope preview for a vsys incorrectly displayed configuration changes made in other vsys, even when the commit only applied changes to the intended vsys.
PAN-317614
Fixed an issue where high throughput and increased packet rates caused high dataplane CPU usage.
PAN-317600
(Firewalls in HA configurations only) Fixed an issue where autocommit operations took longer than expected to complete when the firewalls were configured with multiple vsys and EDLs. This occurred because the firewalls were unable to reach the DNS server during the autocommit process.
PAN-317583
Fixed an issue with intermittent ICMP ping drops and packet loss in traffic flows between a hub and branch after upgrading to an affected PAN-OS release due to incorrect SD-WAN path monitor state.
PAN-317548
Fixed an issue where an IMA violation occurred when Panorama accessed GRUB during the installation process, which caused upgrades from PAN-OS 12.1.4 to PAN-OS 12.1.5 to fail.
PAN-317466
Fixed an issue where SIP sessions stopped progressing after the firewall received fragmented packets, fragmented at header field.
PAN-317372
Fixed an issue where custom administrators received an access denied error when attempting to view specific policy rule details from the Rule Shadow tab after a push from Panorama, even when the administrator had permissions to view Security policy rules.
PAN-317215
(VM-Series firewalls on ESXi with Intel E810 NICs using PCI passthrough) Fixed an issue where the brdagent process became unresponsive during data port initialization, which resulted in system instability, interface outages, HA split-brain conditions, and unexpected reboots during failover.
PAN-317177
Fixed an issue on firewalls in DHCP Client mode where, after upgrading to an affected release, the SNMP process unexpectedly restarted after a commit, which led to false interface flap notifications on SNMP managers.
PAN-317133
Fixed an issue where you were unable to generate a ticket for the GlobalProtect portal.
PAN-317068
Fixed an issue on the Panorama web interface where you were able to enable IPv6 for IKE gateways and IPSec tunnels even when IPv6 WAN was disabled, which resulted in an invalid configuration. To utilize this fix, upgrade to the latest Panorama plugin.
PAN-316978
Fixed an issue where system log error messages were displayed after every firewall reboot, even when the firewall functioned correctly after the reboot.
PAN-316937
Fixed an issue where GlobalProtect users intermittently received incorrect private IP addresses after connecting to a gateway behind a Network Load Balancer (NLB).
PAN-316911
(VM-Series firewalls on Amazon Web Services (AWS) environments only) Fixed an issue where a newly bootstrapped firewall required a management server restart, relicensing, or license push from Panorama to invoke the device certificate.
PAN-316856
Fixed an issue where an error message displayed when attempting to delete the Logging Service certificate or view the Logging Service customer information.
PAN-316761
Fixed an issue where reportd process timeout errors occurred during a manual management server restart.
PAN-316740
Fixed an issue where, after upgrading to an affected release, HCE profiles exceeded the maximum character length when generated automatically, which caused subsequent commit operations to fail with a validation error. This occurred when HIP objects were associated with HIP profiles prior to the upgrade.
PAN-316718
Fixed an issue where the firewall stopped forwarding logs or generating system and configuration logs to Panorama after restarting the mgmtsrvr process.
PAN-316631
Fixed an issue BGP sessions experienced short disruptions across all peers, interfaces, and slots when a multicast event persisted longer than the NGP negotiated hold timers.
PAN-316605
Fixed an issue where HIP redistribution to remote network nodes from external gateways resulted in a large amount of error messages in User-ID logs.
PAN-316556
Fixed an issue where a race condition between the session ager and packet processing resulted in memory corruption and caused the pan_task process to stop responding, which resulted in the firewall becoming unresponsive
PAN-316435
Fixed an issue where the firewall restarted unexpectedly due to an OOM condition after upgrading to an affected release.
PAN-316433
Fixed an issue on the web interface where the last digit of entries in policy rule descriptions were truncated.
PAN-316263
Fixed an issue where an incorrect validation error was displayed, falsely indicating that IKE Gateway and IPSec tunnel names can begin with a numeral
PAN-316120
Fixed an issue where, after Advanced Routing was enabled, the firewall advertised routes to internal BGP neighbors with the original external BGP next-hop address.
PAN-316106
(Panorama appliances in Log Collector mode only) Fixed an issue where commit validation failed after an upgrade when the previous configuration included a shared-optimization setting.
PAN-316070
Fixed an issue where a BGP peer automatically established a BGP connection after manually adding it via the CLI when Advanced Routing was enabled.
PAN-315965
Fixed an issue to address TCP proxy fast recovery behavior to follow RFC 5681.
PAN-315964
Fixed an issue on the web interface where you were unable to sort an AS path list by its sequencing number (**Network > Routing > Routing Profiles > Filters > Filters AS Path Access List*).
PAN-315958
(PA-1410 firewalls only) Fixed an issue where the SaaS Quality Profile HTTP/HTTPS monitoring feature failed to send probes due to the firewall being unable to determine the correct egress interface and source IP address for the monitoring probes.
PAN-315913
Fixed an issue where, after a User-ID restart on a redistribution firewall, some expiring IP tag entries became permanent instead of aging out as intended, which affected Dynamic Address Group policy rule enforcement.
PAN-315912
Fixed an issue where the Maximum Segment Size (MSS) rewrite functionality for packets ingressing through SD-WAN interfaces on firewalls was not optimized.
PAN-315424
Fixed an issue where the BGP peer filter match condition incorrectly identified neighbors in the Advanced routing Engine, which led to incorrect Logical Preference assignments and illogical path selections. This occurred when a BGP Inbound Route Map was configured to prioritize a path from a specific peer by setting its Local Reference.
PAN-315337
Fixed an issue where GlobalProtect throughput was reduced after an upgrade.
PAN-315326
(PA-7500 firewalls only) Fixed an issue where zone protection threshold values per dataplane were unexpectedly low.
PAN-315314
Fixed an issue where, when a push operation from Panorama to the firewall failed, accounting logs stopped forwarding.
PAN-315176
Added an enable and disable CLI command to address an issue where the firewall experienced increased packet drops and slower performance after an upgrade due to high burst traffic.
PAN-315160
(PA-7500 firewalls only) Fixed an issue where internal path monitoring logs incorrectly reported internal path monitoring failures when they did not occur.
PAN-315134
Fixed an issue where, after an upgrade, IoT Devices > Asset Inventory did not display device data even though the system reported a total count of devices.
PAN-315005
Fixed an issue where configured RIPv2 timer parameters were not applied when the profile was configured with custom update, expire, and delete values, and the system continued to use the default timer settings, which caused unexpected route removal and network disconnections.
PAN-314873
Fixed an issue where the firewall intermittently stopped forwarding traffic to the internet.
PAN-314823
Fixed an issue where the management interface became unresponsive when attempting to untag an IP address via the web interface.
PAN-314818
Fixed an issue where the firewall dropped IPv6 packets after enabling Strict IP Check under Zone Protection in an SD-WAN configuration.
PAN-314764
Fixed an issue where a shared object appeared in the push scope during every push to devices even when it was not applicable to the committed changes.
PAN-314752
Fixed an issue on Panorama where, after removing a scheduled configuration push, Panorama still initiated the push at its previously scheduled time.
PAN-314724
Fixed an issue where the OpenConfig plugin was unavailable for installation after installing PAN-OS due to the plugin package not being included in the PAN-OS software bundle.
PAN-314712
(PA-7500 Series firewalls only) Fixed an issue where the source IP Dynamic Address Group mappings were intermittently not displayed under Monitor > Traffic logs. This occurred even when dynamic address groups were updated via XML API without an expiry time and no unregister requests were observed.
PAN-314630
Fixed an issue where the firewall repeatedly rebooted and entered maintenance mode, and a factory reset was required.
PAN-314623
(Firewalls in active/passive HA configurations only) Fixed an issue where, after a failover, routing information within OSPF protocol was not correctly translated or propagated, which affected network path convergence and FRR capabilities.
PAN-314512
Fixed an issue where the GlobalProtect portal became inaccessible when the dataplane was configured with a DHCP assigned IP address.
PAN-314477
Fixed an issue where committing configuration changes failed due to the routed process not responding.
PAN-314435
Fixed an issue on the Panorama web interface where custom application tags for cloud applications were not consistently displayed in the Application Filter or application details even though the tags were configured via CLI and successfully enforced traffic blocking policy rules.
PAN-314398
(PA-7500 firewalls in a cluster configuration only) Fixed an issue where the firewall was unable to establish a TCP connection to CDL endpoints, which prevented forwarding of traffic, system, configuration, and threat logs to the CDL.
PAN-314385
(Firewalls in active/passive HA clusters only) Fixed an issue where high dataplane CPU usage occurred and traffic offloading decreased when a failover occurred from the active firewall to the passive firewall, and then back to the active firewall.
PAN-314372
Fixed an issue where, when SSL Inbound Decryption was enabled, the inbound SMTP email delivery to an internal mail server failed due to the firewall silently dropping application packets containing SMTP commands after successful decryption.
PAN-314365
Fixed an issue where the logrcvr process stopped responding for traffic containing multiple XFF headers when URL XFF header logging was enabled along with additional XFF header logging, which caused subsequent commits to fail.
PAN-314319
Added a CLI command to enable and disable AHO software offload optimization.
PAN-314300
Fixed an issue where the firewall continued to send LLDP learned information via SNMP for an interface even after disabling LLDP on that interface. This occurred when a third-party tool polled SNMP and it received outdated topology information.
PAN-314223
Fixed an issue where the Panorama web interface did not display all Security policy rules when using a Chromium-based browser, and you were unable to scroll to the bottom of the page to view the complete list.
PAN-314201
Fixed an issue on PAN-OS 12.1 releases where intermittent traffic drops occurred over IPSec VPN tunnels to third-party firewalls during the IPSec rekey due to the firewall failing to inform the peer to delete the old SA after moving to the new one.
PAN-314147
Fixed an issue where SSL traffic was dropped on SD-WAN DIA interfaces with member having different MTU.
PAN-314142
Fixed an issue where establishing log forwarding connections to the Strata Logging Service (SLS) took longer than expected, which resulted in delayed log visibility on SLS.
PAN-314126
Fixed an issue where session rematch did not properly apply updated Security policy rules to existing traffic flows after committing changes, which caused traffic to still be allowed when a new Security policy was set to Deny.
PAN-314020
Fixed an issue where the firewall did not decapsulate GENEVE packets when DNS Security retransmitted a DNS query after receiving a verdict from the cloud.
PAN-314018
(VM-Series firewalls in AWS environments only) Fixed an issue where the decrypt mirror port did not function expected, which prevented decrypted traffic from reaching the intended destination collector.
PAN-313976
Fixed an issue on Panorama where traffic, URL, and unified log entries were duplicated, which led to inaccurate Security logging after applying a time filter for the previous 6 hours.
PAN-313828
Fixed an issue where the firewall did not forward traffic due to memory issues on a forwarding component.
PAN-313827
Fixed an issue where a memory leak occurred related to the reportd process when custom reports were run via API.
PAN-313787
Fixed an issue where some system log filters with the eventid operator for a BGP event did not work.
PAN-313779
(PA-7500 Series only) Fixed an issue where the request high-availability session-reestablish CLI command did not work due to encryption not being supported on HA1 and HA1-backup interfaces.
PAN-313700
Fixed an issue where an unexpected reboot occurred when Inline Cloud Analysis was enabled in an Anti-Spyware and Vulnerability profile.
PAN-313623
Fixed an issue where the /opt/pancfg/mgmt/ssl/private/ directory on Palo Alto Networks devices with TPM support became 100% utilized due to an accumulation of undeleted .pub_pem files. This occurred because executing the show device-certificate status CLI command initiated a process that generated these files but failed to remove them, which prevented the fetching of new device certificates.
PAN-313606
Fixed an issue where Panorama pushed commits took longer than expected to complete without displaying an error message when committing due to slow cloud-app compilation.
PAN-313575
Fixed an issue where 10G connections on built-in RJ45 interfaces (ethernet1/1 through ethernet1/5) intermittently experienced interface flapping when connected to Cisco switchports.
PAN-313572
VM-Series firewalls only) Fixed an issue where the dataplane restarted due to a segmentation fault.
PAN-313523
Fixed an issue where generating a tech support file caused GlobalProtect users to be forcibly logged out.
PAN-313494
Fixed an issue where ARP entries remained in a complete state with a TTL of 0 on the active-secondary node, which prevented affected devices from reliably communicating when traffic routes routed through that node.
PAN-313443
Fixed an issue where firewalls acting as an accumulation proxy sent a server hello with an earlier TCP timestamp value than a preceding ACK packet, which prevented successful session establishment. This occurred when the client hello messages were split across multiple network segments.
To use this fix, run the CLI command debug dataplane set ssl-decrypt accumulate-client-hello ts-relay yes.
PAN-313258
Fixed an issue where PIM multicast routing failed on appliances with advanced routing enabled.
PAN-313216
Fixed an issue where firewalls with Prisma Access incorrectly displayed some traffic as unsanctioned in traffic logs for cloud applications that were tagged as sanctioned.
PAN-313193
Firewalls in Layer 2 mode only) Fixed an issue where the new sessions were not able to be established due to the firewall intermittently dropping valid MAC address entries for specific VLANs when a manual switchover sent a high volume of traffic to the firewall.
PAN-313048
Fixed an issue where the BGP default route was lost from the forwarding table during a failover, which caused a temporary service interruption.
PAN-313036
Fixed an issue where the firewall dataplane continuously accumulated packets in the ctd_pkt_queue and packet buffers, which caused resource exhaustion and prematurely terminated sessions.
PAN-312706
Fixed an issue where the firewalls restarted due to a function lacking a NULL-pointer sanity check.
PAN-312697
Fixed an issue where firewalls intermittently failed to send all logs to the SLS.
PAN-312618
Fixed an issue where the firewall was unable to activate GlobalProtect client software and displayed SW LIMIT messages related to max-profiles and unsupported major and minor versions in the downgrade list, which prevented successful software installation.
PAN-312514
Fixed an issue where correlation logs were not forwarded via syslog or email.
PAN-312354
Fixed an issue where Captive Portal authentication redirects failed for HTTPS traffic when a user attempted to access internal HTTPS websites via URL, which led to ERR_CONNECTION_RESET error messages in the browser with SSL decryption and CTD handshake inspection enabled.
PAN-312277
Fixed an issue where, after manually restarting the mgmtsrvr process caused the firewall to stop generating or forwarding system and configuration logs to Panorama, and a reboot was required to restore logging functionality.
PAN-312267
Fixed an issue where the firewall lost its MAC entry which caused IPv6 traffic sessions to become unresponsive or drop. This occurred when PBF rules were configured with symmetric return and no-pbf.
PAN-312156
Fixed an issue where firewalls did not correctly apply SD-WAN policy rules, which caused traffic to be incorrectly routed via local breakout instead of VPN backhaul.
PAN-311938
Fixed an issue where autocommits failed after an upgrade due to configuration memory allocation issues and 100% policy rule cache usage when both DNS Rewrite and URL Custom Category Match were configured.
PAN-311658
Fixed an issue where the reportd process stopped responding, which caused the firewall to reboot.
PAN-311512
Fixed an issue where HIP (Host Information Profile) reports were blocked on GlobalProtect when Authentication Cookie Usage Restrictions was enabled and the Prisma Access Agent protocol was in use. This occurred because the system failed to correctly process HIP messages that were relayed via IPSec tunnels with a Virtual IP as the source, leading to their rejection.
PAN-311456
Enhanced the SCP-based export script by adding comprehensive logging to identify and diagnose the root cause for failed or incomplete traffic log exports.
PAN-311449
Fixed an issue where global search did not return comprehensive results after an upgrade and only displayed top-level objects.
PAN-311419
Fixed an issue where the recommended filter for identifying traffic from unidentified users in traffic logs reported an incorrectly low number of results.
PAN-311412
Fixed an issue where the show advanced-routing resource CLI command failed to execute successfully when invoked through the XML API and returned an error message.
PAN-311352
Fixed an issue in SD-WAN deployments where DIA traffic was disrupted when DIA AnyPath was enabled during path transitions from the SD-WAN VIF to the physical interface. With this fix, the drop the packet even on zone change configuration is not needed to prevent interrupted DIA traffic during path switching.
PAN-311285
Fixed an issue where a memory leak occurred related to the ospfd process, which caused RAM usage to continuously increase until the device stopped responding.
PAN-311261
Fixed an issue where the firewall generated duplicate URL Filtering logs due to an error condition when the new XFF feature was enabled.
PAN-311250
(Panorama appliances and Log Collectors only) Fixed an issue where logs from multiple devices were not visible on Panorama even though the Elasticsearch health status on the dedicated Log Collectors appeared green.
PAN-311248
Fixed an issue where the ABR failed to translate and advertise the default route (0.0.0.0/0) from an OSPF NSSA area into the OSPF backbone area as a Type-5 LSA.
PAN-311218
Fixed an issue on Panorama where a system health check Security policy rule was applied to any zones instead of Public or Private.
PAN-311205
Fixed an issue where XML queries failed when you attempted to compare configuration versions.
PAN-311166
Fixed an issue where the firewall rebooted unexpectedly to the all_task_1 process repeatedly restarting.
PAN-311113
Fixed an issue where the firewall was unable to clear sessions using the CLI command clear session all filter rule when the specified rule name exceeded 32 characters, even though the limit is 63 characters.
PAN-311098
Fixed an issue where firewalls entered a nonfunctional state due to L7 running out of resources due to a high volume of traffic.
PAN-311074
Fixed an issue where GRE tunnels took significantly longer to establish when the hold timer was configured to a value of 10 or higher, which resulted in a tunnel requiring more successful keepalive packets than expected to transition to an Up state.
PAN-311040
Fixed an issue where the all_task process stopped responding and caused the firewall to reboot unexpectedly.
PAN-310851
Fixed an issue where firewalls experienced snmpd log flooding with messages such as update_ifTable_utilization_rates(pan_interfacecache.c:1720): Last time is 0 for dedicated-ha2., which caused the snmpd log to overflow and be cleared every five minutes. This occurred because the snmpd process attempted to calculate interface utilization rates without first verifying if the interface had valid sysd configuration data, as the code incorrectly assumed all interfaces in the MIB would possess valid sysd data.
PAN-310743
Fixed an issue where you were unable to change an administrator's authentication profile to None.
PAN-310526
Fixed an issue where you were unable to download cellular firmware through Panorama.
PAN-310473
Fixed an issue where committing configuration changes to an Advanced Logical router caused a 20-30 second loss of management access in the firewall when IPv4 and IPv6 default static routes were configured with identical attributes including interface, next-hop, and metrics, which triggered an unnecessary routing table refresh.
PAN-310472
Fixed an issue on the web interface where checkboxes for default information originate and ABR in OSPF NSSA configurations were automatically enabled which resulted in unexpected configuration changes.
PAN-310452
Fixed an issue where a configuration setting was not reset to its default value after an upgrade, which caused pre-checks and post-checks to fail.
PAN-310362
Fixed an issue where IPv6 Routed HA did not function correctly when the HA1 (control link) was configured with an IPv6 routed connection.
PAN-310267
Fixed an issue where a process stopped responding during Go garbage collection (GC).
PAN-310240
Fixed an issue where software packet buffers were completely utilized when performing a Data Loss Prevention longevity test.
PAN-309960
Fixed an issue where a memory leak related to the useridd process on the passive device led to an OOM condition.
PAN-309944
Fixed an issue where an error message was incorrectly displayed instead of a debug message.
PAN-309927
Fixed an issue on Panorama where the multi-clone XML API operation reported a successful configuration change even when the specific device group did not exist.
PAN-309828
Fixed an issue where, after a firewall serial number was updated via Panorama, a subsequent policy rule push from Panorama incorrectly deleted target policy rules from managed firewalls with the updated serial numbers.
PAN-309676
Fixed an issue on Panorama where a database component unexpectedly stopped when Panorama was deployed using an .ova file or upgraded/downgraded to an affected PAN-OS version. This occurred due to a required directory not being created during the initial provisioning workflow. With this fix, the necessary directory is created automatically during deployment.
PAN-309493
Fixed an issue where the URL cloud connection was impacted, which caused a traffic outage.
PAN-309300
Fixed an issue where management plane system resources configuration size exceeded 28 MB for over 4 hours, and the following error message was displayed: Configuration size reaching device capacity limit.
PAN-308928
Fixed an issue where OSPF routes did not install correctly when you performed a traffic switch between firewalls with the Advanced Routing Engine enabled, which led to routing instability.
PAN-308876
Fixed an issue where upgrades to managed firewalls from Panorama failed.
PAN-308775
(Firewalls in active/passive configurations only) Fixed an issue where NTP status intermittently showed as rejected on the active firewall, which prevented the firewalls from synchronizing time.
PAN-308732
(Multi-vsys firewalls only) Fixed an issue where GlobalProtect clients were unable to use custom source region objects for gateway selection criteria due to region objects defined in Panorama not being correctly recognized or displayed in the GlobalProtect Portal configuration.
PAN-308711
Fixed an issue where superusers with read-only privileges on Panorama were unable to execute show device-certificate CLI commands.
PAN-308651
Fixed an issue on the firewall web interface where the TLSv1.3_Default certificate setting and SSL/TLS profile were not displayed."
PAN-308563
Fixed an issue where multiple pan_task processes attempted to clear the packet queue of the same session.
PAN-308507
(Panorama managed firewalls only) Fixed an issue where the firewall intermittently failed to maintain active log forwarding streams to Strata Logging Service (SLS) even when duplicate logging and enhanced application logging were enabled.
PAN-308461
Fixed an issue where the CLI command request system software download to-version <version> failed to download multiple software images due with a Download terminated due to timeout error message.
PAN-308444
Fixed an issue where pushing multiple policy rules failed when the policy rules contained a large number of dynamic address object groups or user groups.
PAN-308418
Fixed an issue where, when Advanced DNS Security was enabled and experienced unusually high loads, DNS resolution failures occurred with the error resources-unavailable.
PAN-308377
(PA-7000 Series firewalls with an LFC in HA configurations only) Fixed an issue where the firewall reached 100% disk utilization due to the logrcvr process repeatedly restarting and dumping core files due to a blocked hints processing thread, which caused a failover.
PAN-308261
Fixed an issue where the firewall failed to send SNMPv3 traps when the SNMP destination was configured with an FQDN that resolved to multiple IP address through DNS load balancing.
PAN-307937
Fixed an issue on the web interface where the global filter set in ACC > Threat Activity did not apply when you navigated to the Network Activity tab.
PAN-307773
Fixed an issue on Panorama where enabling Post-Quantum Pre-Shared Key (PPK) within an IKE Gateway profile that was configured as a part of a template stack failed or was inconsistent when attempted via the web interface, even when the keys were properly configured.
PAN-307717
Fixed an issue on Panorama where administrators were unable to override SNMP setup configurations within device groups due to the configured override not being retained.
PAN-307618
Added a debug CLI command to address where remote networks for Prisma Access tenants randomly dropped monitoring packets from peer devices, which caused tunnels to be marked as down. This occurred when a CPU core suddenly experienced high utilization.
To utilize this fix, run debug dataplane set ssl-decrypt use-new-peek-window yes.
PAN-307491
Fixed an issue where the firewall entered maintenance mode after a reboot when ZTP was enabled.
PAN-307470
Fixed an issue where an External Dynamic List (EDL) fetch with an invalid certificate was skipped on newly provisioned GlobalProtect gateway instances.
PAN-306533
Fixed an issue where system logging for NTP events was delayed by approximately 15 minutes.
PAN-306356
Fixed an issue where the logrcvr process on a firewall stopped responding due to a document node being unexpectedly freed.
PAN-306217
Fixed an issue on Panorama where scheduled reports with specific queries did not include any data.
PAN-305950
Fixed an issue where, when attempting to install software upgrades on managed firewalls via Device Deployments, Panorama incorrectly reported that the firewalls did not have valid support licenses.
PAN-305619
Fixed an issue where HTTP management access appeared to fail and incorrectly displayed the error message Error 503: Service Unavailable even though it functioned correctly as allowed. This occurred when an interface was configured with an address object.
PAN-305369
Fixed an issue where the firewall dropped packets due to an invalid interface when attempting to ping the next-hop gateway from a VLAN interface due to the firewall incorrectly resolving the ARP for the gateway on an unintended interface.
PAN-305240
Fixed an issue where User-ID redistribution clients experienced delays in establishing initial communication with the redistribution server, which caused connection timeouts.
PAN-304718
Fixed an issue where OSPF and BGP outages occurred due to an all_task process restart during clientless VPN content rewrite processing.
PAN-304360
Fixed an issue where the firewall did not redistribute its application routes to BGP peers. This occurred in multi-mesh deployments with the multi-cloud networking feature enabled.
PAN-303662
Fixed an issue where PA-455 firewalls running PAN-OS 11.2.4-h7 intermittently failed to generate system logs and trigger an HA failover when a link-monitored interface was unplugged, despite the interface's status being reflected as down on the GUI.
PAN-303173
(Firewalls in Advanced Routing mode only) Fixed an issue where OSPF sessions using MD5 authentication experienced intermittent flapping due to out-of-order packets.
PAN-302855
Fixed an issue where multiple processes restarted which caused the firewall to become unstable when processing traffic.
PAN-302834
Fixed an issue where Panorama did not display decryption logs after a certain date due to the decryption index being purged.
PAN-302512
(Log Collectors in HA configurations only) Fixed an issue where log collectors displayed a disconnected inter-log collector status.
PAN-302387
Fixed an issue where on PA-7500 firewalls, SNMP incorrectly reported the administrative and operational status of High Speed Chassis Interconnect (HSCI) interfaces as down, even when the interfaces were physically up. Additionally, interface counters for these interfaces displayed all zeroes.
PAN-302150
(Panorama appliances only) Fixed an issue where you were unable to successfully configure log collector groups due to the master node settings not populating automatically.
PAN-301513
Fixed an issue on Panorama managed multi-vsys firewalls where, when the shared-to-shared feature was enabled, shared objects reverted to an older configuration after a selective push to a vsys.
PAN-300617
Fixed an issue where the Elasticsearch cluster status displayed as red due to unassigned shards, which prevented logs from updating.
PAN-300615
Fixed an issue where the pan_comm process stopped after multiple content versions were installed and the memory limits were reached.
PAN-300445
Fixed an issue where the firewall downloaded an Antivirus package but did not automatically install it.
PAN-300423
Fixed an issue where Data Processing Cards (DPCs) installed in slots 5 and 6 remained stuck in a starting state with the error Signal detected for port xeS5-DP0 but Link Down alerts, which resulted in device instability.
PAN-298960
Fixed an issue where the firewall continuously rebooted when the useridd process repeatedly restarted.
PAN-298788
Fixed an issue where the /pancfg partition on the Azure Cloud NGFW reached 100% utilization, which caused commit failures.
PAN-298252
Fixed an issue where Data Loss Prevention (DLP) inspection of chunked transfer encoding over TLS resulted in incomplete file downloads on Outlook Web App (OWA) due to the WIF page size limit, which led to corrupted or incomplete PDF attachments.
PAN-297819
Fixed an issue where the firewall was unable to send device telemetry files to Cortex Data Lake due to the firewall receiving an invalid upload token.
PAN-296635
Fixed an issue where the reportd process on passive Panorama management servers leaked memory due to scheduled report handling from the Strata Logging Service (SLS). This memory leak occurred daily, consuming available memory until the process was restarted.
PAN-296246
Fixed an issue where policy cache corruption led to unexpected policy rule behavior or operational instability. This occurred when an internal system process restarted while a commit was in progress or when a commit operation failed.
PAN-295806
Fixed an issue where memory leaks on the configd process occurred due to a hash insert operation failing during connection management and SSL connections.
PAN-295082
Fixed an issue on the Panorama web interface where you were unable to delete or change a logical router for tunnel, SD-WAN, VLAN, or loopback interfaces under a template.
PAN-295047
Fixed an issue where the staticd process stopped responding.
PAN-294998
Fixed an issue where the LogDB incorrectly reported that the database quota for extpcap logs was reached.
PAN-294434
Fixed an issue where memory leaks occurred. These leaks were caused by two distinct scenarios: the failure to deallocate memory for a nodeset when a new nodeset was assigned to the same variable, and the failure to free a UUID hash table during error conditions.
PAN-293586
(Panorama virtual appliances only) Introduced a CLI command to increase the limit of user types from 1 million to 3.6 million.
PAN-292447
Fixed an issue where Panorama did not display data in the Feature Adoption tab in Strata Cloud Manager due to the system creating and deleting a CLI user for each interval instead of reusing a permanent CLI user for telemetry.
PAN-292220
Fixed an issue where the Status LED on PA-7500 SFCs did not work.
PAN-292191
Fixed an issue where the firewall dropped packets related to call recording and voice calls, which resulted in communication failures, retransmissions, and disconnected calls. This occurred when the firewall was positioned between a Private Branch Exchange and an AES server and users registered phones across different data centers.
PAN-291785
Fixed an issue where the all_task process stopped responding.
PAN-291284
Fixed an issue where single-session IPSec VPN traffic was distributed across multiple member interfaces of a Link Aggregation Group configured with LACP. This resulted in packet reordering and loss, which impacted VPN performance.
PAN-290712
(PA-7500 Firewalls in cluster mode only) Fixed an issue where the firewall incorrectly advertised BGP routes back to the external BGP peer, which resulted in routing inefficiency.
PAN-289578
Fixed an issue on Panorama managed firewalls where the source user, source device vendor, source MAC address, and OS version information were not visible in traffic logs and SCM when the user and device access control lists were empty.
PAN-289460
Fixed an issue where the timestamp value in SNMPv3 trap headers was incorrect.
To use this fix, run the CLI command debug log-receiver enginetime-from-snmptime yes.
PAN-287280
Fixed an issue where a configd crash occurred when the Policies > Security view was updated or refreshed in the web interface.
PAN-283704
Fixed an issue where the PAN-OS DoS protection feature by default blacklisted specific IP addresses, which caused outbound traffic domain resolution to fail for clusters.
PAN-282335
Fixed an issue where firewalls in a cluster experienced approximately 50% packet loss on IPSec NATT tunnels when tunnel acceleration was enabled.
PAN-280196
Fixed an issue in Prisma Access environments where the firewall matched a HIP object but not on the HIP profile that contained the object.
PAN-274622
Fixed an issue on the Panorama web interface where GlobalProtect client images were not exported via SCP.
PAN-273805
Fixed an issue where SAML authentication for GlobalProtect failed when the GlobalProtect portal was accessed externally on a non-standard port.
PAN-273028
Fixed an issue where manual SCP exports from firewalls in FIPS mode were successful to SCP servers that were not FIPS-compliant. This occurred because the manual SCP process did not enforce FIPS security checks.
PAN-272175
Fixed an issue where session rematch caused ACE cloud application traffic to match the wrong policy.
PAN-266843
Fixed an issue on airgapped firewalls where cloud connection errors flooded the system logs.
PAN-264762
Fixed an issue where the firewall showed the status of SFP+ interfaces as not up, or up but not configured, when a PAN-SFP-PLUS-SR cable was connected.
PAN-264349
Fixed an issue where the Management Processor Card (MPC) on modular firewalls became unresponsive when a disk drive entered a low-power state and failed to wake up.
PAN-260661
Fixed an issue where daily email reports generated from the custom report did not display the report details in PDF or CSV files.
PAN-250445
Fixed an issue where DLP logs accumulated in the logrcvr cache when using DLP in mirror mode.