PAN-OS 10.0.2 Addressed Issues


PAN-OS® 10.0.2 addressed issues.
Issue ID
Description
PAN-156026
Fixed an issue where using the lscan/hyperscan feature with custom signatures caused a shared resource pool to be depleted, which resulted in a dataplane restart.
PAN-156023
Fixed an issue where a file system integrity check failed in FIPS-CC mode, which caused the appliance to enter maintenance mode.
PAN-155517
Fixed an issue where a sudden increase in URL-cloud data challenged the cache capacity of the device.
PAN-155459
Fixed an issue where an interface placed in a pre-defined zone was removed by the SD-WAN plugin after a commit to the firewall.
PAN-155373
Fixed a discrepancy between flag values on Panorama and the firewall for the same traffic log entry.
PAN-154930
Fixed an issue on Panorama where the ACC tab was blank.
PAN-154902
Fixed an issue where the IP address-to-tag mappings for dynamic address groups and FQDN objects were not retained if there was a content update for IoT.
PAN-154591
Fixed an issue where NULL users in panGlobalProtectGetConfig were not checked for before calling strcmp().
PAN-154274
Fixed an intermittent issue on Panorama where context switching to and from the managed firewall web interface caused the Panorama administrator to be logged out.
PAN-154092
An enhancement was made to provide an option to increase Data Plane Development Kit (DPDK) ring size and DPDK queue number for VM-Series firewalls deployed on ESXi.
PAN-154016
Fixed an issue where auto-commits failed for VM-Series firewalls bootstrapped with new content installation during bootstrap. The firewalls displayed the following error message: "Details:Error: Undefined application <application-name>".
PAN-153998
Fixed an issue where port flaps and a delay in interface state changes occurred with commits.
PAN-153983
Fixed an issue where the IPSec encapsulation sequence was not properly synced to the dataplanes on a high availability (HA) active/passive cluster.
PAN-153952
Fixed an issue where the firewall treated external dynamic list entries with nested carets as invalid.
PAN-153874
Fixed a capacity issue caused by high operational activity and large configurations on Panorama. This fix increased the virtual memory limit on the configd process to 32GB.
PAN-153814
Fixed an issue where the firewall displayed the URL Filtering Safe Search Block Page on the specific site only, even when the traffic was matched to a specific rule that did not have any URL filtering policies.
PAN-153813
Fixed an issue where the proxy configuration did not get honored, which caused certificate revocation list (CRL) checks from the firewall to fail.
PAN-153791
Fixed an issue in DPDK code that caused a system restart on a process (brdagent).
PAN-153673
Fixed an issue where traffic logs were not shown due to a thread timeout that was causing the reading of the logs from the dataplane to slow.
PAN-153631
Fixed an issue where the firewalls did not generate traffic logs for implicitly allowed applications.
PAN-153516
Fixed an issue where PAN-OS software images that were manually uploaded to Panorama failed to be deployed on managed firewalls using the Panorama device deployment feature.
PAN-153382
Fixed an issue where the per-minute resource monitor was three minutes behind.
PAN-153328
Fixed a commit failure issue that occurred when IPv6 IP-pool range was configured on the gateway but IPv6 was not enabled on the interface.
PAN-153294
Fixed an issue on the firewall where a GlobalProtect username authenticated via Kerberos was unnecessarily normalized to SAMAccountName format.
PAN-153286
Fixed an issue on Panorama deployed on Amazon Web Services (AWS) where the Log Collector disk was in the Admin disabled state when changing the instance type from m4 to m5.
PAN-153231
(PA-7080 Series firewalls only) Fixed an issue where firewalls deployed with PA-7000 100G Network Processing Cards (NPCs) and legacy cards using the older system management controller with over 2500 IPSec tunnels committed successfully, but the NPCs failed and displayed as down.
PAN-153210
Fixed an issue where the MLAV cloud server rejected the connection from the firewall when the Threat Prevention license was not installed on the firewall.
PAN-153207
Fixed an issue for VM-Series firewalls deployed on Azure where a process (pan_comm) restarted if DPDK was on.
PAN-153174
Fixed an issue where using XML API to download packet captures (pcap) did not work if the pcap file was larger than 8MB.
PAN-153113
Fixed an issue where the GlobalProtect gateway failed with the following error message: "gateway does not exist".
PAN-153111
Fixed an issue where packet buffer unavailability caused host-bound sessions to remain in an opening state in the dataplane.
PAN-153019
Fixed an issue where the following error message appeared: "Error: pan_tdb_load_sml_dfa_serialize(pan_tdb_ser.c:2424): pan_util_file_to_buf /opt/pancfg/mgmt/content//cache/common//sml_dfa.cache.ser error", even though the cache file got regenerated if it was missing.
PAN-152974
Fixed an issue where manually inputting lowercase protocol values to Test Security Policy Match resulted in a blank error window displaying on the web interface. With this fix, values cannot be manually input.
PAN-152912
Fixed an issue where a content update caused the Panorama XML cache build to fail. This resulted in references to the used objects on Panorama being removed, which caused commits on the managed firewalls to fail.
PAN-152746
Fixed an issue where the firewall dropped GPRS tunneling protocol (GTPv2-x) Create Session Response packets with the following error message: "bad port 84b".
PAN-152706
Fixed an intermittent issue where Panorama did not retrieve firewall logs from Cortex Data Lake.
PAN-152699
Fixed an issue where the firewall added a redundant "0\r\n" packet while processing Clientless VPN traffic.
PAN-152648
Fixed an issue where multiple all_pktproc processes stopped responding, which caused the dataplane to restart.
PAN-152592
Fixed an issue where the following error message appeared daily even when the firewall did not use GlobalProtect features that required a license: "globalprotectgateway-invalid-license".
PAN-152559
(Japanese language only) Fixed an issue where the NAT From Address attribute in the Add Log Filter (Monitor > Logs - Traffic) popup window was mistranslated.
PAN-152440
Fixed an issue where the syntax on GlobalProtect DNS suffixes was not validated.
PAN-152408
Fixed an issue where the firewall restarted if X-Forwarded-For (XFF) parsing was enabled either for Security policy lookup or User-ID.
PAN-152285
Fixed an issue where certain GTP-U sessions that could not complete installation still occupied the flow table, which led to higher-than-expected session table usage.
PAN-152106
Fixed an issue where a process (genindex.sh) caused the management plane CPU usage to remain high for a longer period of time than expected.
PAN-152103
Fixed a memory leak issue where a process (dnsproxy) did not properly release memory after usage.
PAN-152098
Fixed an issue where the Policy Optimizer for some device groups showed incorrect data with a "-" character in the rule usage column.
PAN-152027
Fixed an issue with URL Filtering where websites that were previously in the malicious category but have since been cleared remained in the malicious category in the dataplane cache. These websites were moved to the benign category only after you manually cleared the cache.
PAN-152026
Fixed an issue where the session browser did not display results when filtered for IPv6 addresses with more than 31 characters.
PAN-152008
Fixed an intermittent issue in firewalls where configuring group-mapping without an include list resulted in zero or a partial number of Domain Users group members.
PAN-151888
Fixed an issue where remote users were able to save log filters, which created a local user with the same username. With this fix, remote users cannot save a log filter.
PAN-151806
Fixed an issue where the Panorama web interface showed the SD-WAN license status as red despite having the correct batch license information for the managed firewalls.
PAN-151692
Fixed a permission issue where a Panorama administrator was unable to download or install dynamic updates (Panorama > Device Deployment).
PAN-151691
Fixed an issue where the number of items under Add match criteria for Dynamic Address Groups did not update after setting a search filter string.
PAN-151679
Fixed an issue where it was possible via the CLI to create a Security policy rule with the "any" and "application-default" options simultaneously configured.
PAN-151503
Fixed an intermittent issue where memory was not fully freed after a Panorama commitAll completion on the firewall.
PAN-151489
Fixed an issue where configuration changes for collector group device log forwarding were not logged in Panorama configuration logs.
PAN-151483
Fixed an issue where, when an out-of-order stream of TCP packets was subjected to HTTP header insertion, the packets were duplicated.
PAN-151469
Fixed an issue where packets were dropped unexpectedly due to errors parsing the IP version field.
PAN-151430
Fixed an issue where logs sent from the firewall to Panorama were delayed, and the current log summary database was inaccurate because the delayed logs were included.
PAN-151264
Fixed an issue where using the ampersand (&) character in URLs submitted via XML API caused an error.
PAN-151210
Fixed an issue where the dynamic address group learned in the parent dynamic group was not pushed to the child dynamic address group if the child dynamic address group was not configured with "notify groups" under the respective plugin.
When using the CLI command "debug dau settings device-group recursive yes/no", clear previous dynamic address group entries from the Panorama database using the CLI command "debug dau clear database device-group <dynamic address group name>" for all dynamic address groups under the hierarchy for the dynamic address group configured in the monitoring definition. Also, do a full sync from the plugins configured using the command "request plugins <plugin-name> sync".
PAN-151203
Fixed an issue where the firewall dropped certain GTPv1 Update PDP Context packets.
PAN-151198
Fixed an issue where Panorama admin users with read-only privileges were able to manage backups and load configurations on the firewall.
PAN-151164
Fixed an issue where logs weren't able to be migrated from PA-5200 Series firewalls manually via the CLI.
PAN-151120
Fixed an issue where the SYN-ACK packet matched stale entries in the session flow table and was dropped on the firewall with the following error message: "Inactive flow state 0".
PAN-151061
Fixed an issue where certificate domains were not used for GlobalProtect portal getconfig actions, which resulted in a process (useridd) returning the wrong user group. This caused the wrong client configuration to be matched.
PAN-151057
Fixed an issue where upgrading the capacity license on a VM-Series HA pair resulted in both firewalls going into a non-functional state instead of only the higher capacity license firewall.
PAN-150750
(PA-5200 Series and PA-7000 Series firewalls only) Fixed an intermittent issue where the firewall dropped packets when two or more GTP packets on the same GTP tunnel were very close to each other.
PAN-150748
Fixed an issue where the firewall silently dropped GTPv2-C Delete Session Response packets.
PAN-150746
Fixed an issue where the firewall dropped GTP packets with Delete Bearer messages for EBI 6 if they were received within two seconds of receiving the Delete Bearer messages for EBI 5.
PAN-150729
Fixed an issue where a process (useridd) stopped responding when a User-ID agent was configured using the HA peer's management IP address.
PAN-150613
Fixed an issue that caused a process (mprelay) to stop responding when committing changes in the Netflow Server Profile configuration (Device > Server Profiles > Netflow).
PAN-150534
Fixed an issue where authentication logs with the subtype SAML were not forwarded to the syslog server.
PAN-150467
Fixed a memory leak issue with a unified query that caused a process (mprelay) to restart due to an out-of-memory (OOM) condition.
PAN-150445
Fixed an issue where the firewall did not translate IP addresses in Layer 7 payloads as per NAT translation for Oracle Application Server traffic.
PAN-150337
A fix was made to address a reflected cross-site scripting (XSS) vulnerability in the PAN-OS web interface that enabled an authenticated network-based attacker to mislead another authenticated PAN-OS administrator to click on a specially crafted link that performed arbitrary actions in the web interface as the targeted authenticated administrator (CVE-2021-3052).
PAN-150305
Fixed an issue where the output for "show user ip-user-mapping-mp all", when called via XML API, was written to a file instead of returned via the API.
PAN-150247
Fixed an issue on the firewall where GlobalProtect Clientless VPN portal landing page customization for the navbar_bg_color variable did not take effect.
PAN-150110
Fixed an issue where Elasticsearch restarted unexpectedly when it ran out of memory. This was due to the vm.max-map-count value being set incorrectly in the newer version of Elasticsearch (starting from PAN-OS 9.0). With this fix, the value is set correctly.
PAN-150018
Fixed an issue where warnings were not generated for shadowed IP range addresses with /32 mask based IP addresses.
PAN-150008
Fixed an issue on the firewall where configuring auto-tagging based on URL filtering logs resulted in tags being added to source IP addresses and not matching the log forwarding filter match criteria.
PAN-149912
Fixed an issue where FIB entries were unexpectedly removed due to miscommunication between internal processes.
PAN-149696
Fixed an intermittent issue where the GlobalProtect portal stopped responding with a 502 Bad Gateway response page when trying to access the portal URL using a web browser.
PAN-149645
Fixed an issue in a virtual wire deployment configured with Link State Pass Through enabled where, when one member port went down, the peer port took longer than expected to change the status to Down.
PAN-149641
Fixed an issue where firewalls stopped refreshing IP tag information when configured with the VM Information Sources feature with a VMware vCenter Server.
PAN-149480
Fixed an issue where a custom report query from Panorama, which includes new fields not supported in prior releases, triggered a restart of a process (reportd) when Panorama was connected to log collectors running an earlier PAN-OS release.
PAN-149381
Fixed an issue where HSCI-A and HSCI-B displayed AdminStatus as down regardless of whether OperStatus was Up or Down.
PAN-149314
Fixed an issue where lookup of a security rule with a custom URL category on a multi-virtual system (vsys) failed when vsys<id>+ was not at the beginning of the category name.
PAN-149297
Fixed a buffer overflow issue on the management server, which forced the administrator to log out on the web interface.
PAN-149295
Fixed an issue where the Safe Search Block Page was visible for a few seconds when browsing HTTP2 websites, which resulted in latency when browsing.
PAN-149248
Fixed an issue that prevented Panorama from pushing dynamic content to VM-Series firewalls configured with a pay-as-you-go (PAYG) license.
PAN-149209
Fixed an issue where a process (useridd) restarted after calling gethostbyname(), which returned a NULL pointer. The returned value was not checked, and an attempt to dereference the NULL pointer caused a segmentation fault.
PAN-149207
Fixed an issue where the "clear log acc" CLI command did not remove URL summary logs.
PAN-149006
Fixed an issue on VM-Series firewalls deployed on Google Cloud Platform (GCP) where traffic was backhauled after a reboot when the policy-based forwarding (PBF) enforced symmetric return with a next hop feature was enabled and interface IP addresses were learned via DHCP.
PAN-149001
Fixed an issue where, when using certificate profiles configured under specific vsys, the GlobalProtect Machine Certification Check and HIP Object failed during a client certificate check.
PAN-148767
Fixed an issue where the firewall incorrectly created GTP-U sessions from Create Session Request and Create Session Response packets.
PAN-148564
Fixed an issue where Panorama stopped showing new logs when url_category_list was in the URL payload format of the HTTP(S) server profile used to forward URL logs from the Panorama Log Collector.
PAN-147959
Fixed an issue where the last commit state did not change to "config sent to device" when pushing a device group configuration in the Managed Device > Summary page on Panorama.
PAN-147847
Fixed an issue where traffic didn't hit the intended Security policy if SSL forward proxy was enabled and service was set to "application-default".
PAN-147529
Fixed an issue where ValidateAll jobs were incorrectly logged as CommitAll in the configuration log of the firewall.
PAN-147305
Fixed an issue where a process (useridd) stopped responding to requests.
PAN-147193
Fixed an issue with the Panorama web interface where, when all device groups and templates were selected, a load configuration operation failed. This was caused by the XML cache rebuilding for each device group and template iteration.
PAN-147036
Fixed an issue where TCP connections got stuck between the firewall and the Log Collector if some packets were dropped on the path between the two appliances.
PAN-146215
(FPP offload based hardware model only) Fixed an issue where, when UDP traffic that was received on a tunnel had back-to-back client-to-server packets, random packets dropped.
PAN-146178
Fixed an issue where some Panorama management connections did not adhere to the SSL/TLS Service Profile specified in Secure Communication Settings.
PAN-146115
Fixed an issue where GlobalProtect™ IPSec connections flapped when the peer address to the gateway changed due to NAT.
PAN-146030
Fixed an issue where enhanced application logging was not supported for devices connected to Cortex Data Lake through a proxy server.
PAN-146006
Fixed an issue where enabling or disabling redundancy did not take effect.
To utilize this fix, manually run "es_restart.py -t" from root login.
PAN-145996
An update was made to change the following system log message: "DO NOT CHOOSE WMI in Active-Directory FOR YOUR USE CASE IF SEE THIS LOG AGAIN IN <number> SECONDS" to "Please change server monitor(log server) Transport Protocol from WMI to WinRM for better performance". This update also reduces the severity from High to Informational.
PAN-145475
Fixed an issue where the firewall sent Bidirectional Forwarding Detection (BFD) packets with the final bit always set to "on". With this fix, the final bit is cleared after the first response.
PAN-143332
(PA-800 Series firewalls only) Fixed an issue where the deployment of the Master Key through the web interface failed.
PAN-142867
Fixed an issue where service session timeout override was not used for custom applications and the default value was chosen instead.
PAN-141495
Fixed an issue where the following settings were not pushed from Panorama to the firewall: Minimum Length, Failed Attempts, and Lockout Time (Template > Device > Setup > Management).
PAN-140492
Fixed an issue on the firewall where, with SSL forward proxy feature enabled, random file downloads over a decrypted session would stall or hang in the middle.
PAN-136652
(PA-3200 Series firewalls only) Fixed an issue where you were unable to disable auto negotiation on small form-factor pluggable (SFP) ports.
PAN-130955
Fixed an issue where templates on the secondary Panorama appliance were out of sync with the primary Panorama appliance due to an empty content-preview node.
PAN-123805
Fixed an issue on the firewall web interface where the Secure Communication Settings configuration didn't display a green cog widget to indicate that the configuration was pushed from Panorama.
PAN-118887
Fixed an issue where the PAN-OS 10.0 pattern-matching engine didn't support the regular expression (regex) element \C.
