Fixed an issue where, after installing the device certificate on a new Panorama appliance, Panorama was unable to connect to the IoT Security edge service.

Fixed an issue where dataplane processes restarted when attempting to access websites that had the

NotBefore

attribute less than or equal to Unix Epoch Time in the server certificate with forward proxy enabled.

Fixed an issue where, when installing an IoT Security evaluation license on a firewall, the

Device Object

page in the firewall web interface incorrectly displayed a message that a license is required for the page to function, even though the page functions correctly.

Fixed an issue where the

panlogs

directory reached 100% utilization on the firewall due to early calculation of the .size file.

(

PA-7000b Series firewalls only

) Fixed a buffer overflow issue.

Fixed an issue where host information profile (HIP) details were not available on Panorama even when a HIP redistribution configuration was in place.

jQuery was updated to 3.5.1.

Fixed an issue where conversion from Panorama mode to logger mode was enabled even when an admin user named admin did not exist in the configuration, which caused access to the appliance to be lost.

Fixed an issue where memory usage on a process (useridd) was high, which caused the process to restart on the firewall acting as the User-ID redistribution agent. This issue occurred when multiple clients requested IP address-to-user mappings at the same time.

(

VM-Series firewalls only

) Fixed an issue where a memory leak occurred on a process (vm_agent) due to host synchronization check.

Fixed an issue where, after upgrading the passive firewall, the stream control transmission protocol (SCTP) sessions synced from the active firewall did not retain the rule information, and, after failover, SCTP stateful inspection did not work.

Fixed an issue where an inconsistent PAN-DB cloud connection caused the firewall to negotiate the incorrect version and decode the cloud responses with the incorrect format.

Fixed an issue where the high availability (HA) peer device did not preserve its import configuration when the mode was active/active and VR sync was disabled.

Fixed an issue where Panorama running 9.0.8 allowed a user with the admin role Device Group and Template to create templates and template stacks.

Fixed an issue where the multi-factor authentication (MFA) timestamp was not redistributed across the virtual system (vsys) when the IP address-to-user mapping type was

UIA

.

Fixed an issue where a process (varrcvr) stopped responding on the PA-7000 Series Log Forwarding Card (LFC) when it received a verdict from the WildFire cloud.

Fixed an issue where traffic matched an incorrect URL filtering profile due to a similarity in the MD5 hashes between the URL filtering profiles.

Fixed an issue on Panorama where shut down or restart requests did not work.

Fixed an issue where the firewall silently dropped TCP out-of-order packets.

Fixed an issue on Panorama where commits failed, referring to a portion of the configuration that was not changed.

Fixed an issue where a Panorama log query did not work for closed indices.

Fixed an issue where a service object with a destination port that is pushed from Panorama displays as

[object Object]

on the firewall.

Fixed an issue where the firewall failed to establish SFTP firewall-server connections when SSH decryption was enabled.

Fixed an issue where after the firewall connected and sent a registration message to the logging service, there was no registration response and the

log-fwd-ctrl

command was sent back to the firewall. As a result, the firewall stayed connected but was not registered and did not forward logs until the next commit triggered a reconnect.

Fixed an issue where the Elasticsearch cluster status displayed in yellow due to a missing replica serial number.

Fixed an issue where firewalls did not connect to AutoFocus with the following error message:

failed to get proxy info

.

Fixed an issue where a process (configd) restarted and administrators received one of the following error messages:

Timed out while getting config lock. Please try again

or

Please wait while the server reboots...

due to a database error.

Fixed an issue where a process (rasmgr) exited, which caused the firewall to reboot due to a null pointer dereference error when

usr_info

was null.

Fixed an issue where testing and confirming server connections from

Panorama > Server profiles > HTTP > Test Server Connection

did not work.

Fixed an issue where certain packets destined to untagged subinterfaces were silently dropped on multi-dataplane platforms.

Fixed an issue for S11 traffic where if the Modify Bearer Request message came after 30 seconds of Create Session Response message, the firewall dropped the Modify Bearer Request packet. This fix increases this time to 90 seconds.

Fixed an issue where HIP-related objects were missing transformation logic, which caused commit failures.

Fixed an issue where an external dynamic list (EDL) object could not be moved between a multi-vsys to a shared location.

Fixed an issue where the inner GPRS tunneling protocol (GTP-U) flows were installed using incorrect zones, which led to traffic issues if the firewall was in line for the S1-U interface.

Fixed an issue where a commit job failed due to a process (mgmtsrvr) exiting.

Fixed an issue where the firewall kept its connection to Cortex Data Lake even after the configuration had been disabled and the license was expired.

Fixed an issue where packets of the same session were forwarded through a different member of an Aggregate Ethernet (AE) group once the session was offloaded.

Fixed an issue where uploads for custom logos failed.

Fixed an issue where syslog connection failures were frequently reported in system logs.

Fixed an issue where selecting

Preview Changes

under a specific device group resulted in the following error message:

Parameter device group missing

.

Fixed an issue where reports for URLs were not generating the correct data output.

Fixed an issue where ECMP

strict-source-path

did not work with IPSec.

(

VM-Series firewalls on VMware ESXi only

) Fixed an issue where the firewall stays in a boot loop and enters maintenance mode after adding a 60GB disk.