(

PA-5400 Series firewalls with DPC (Data Processing Cards) only

) Fixed an issue with slot 2 DPCs where URL Filtering did not work as expected after upgrading to PAN-OS 10.1.9.

Fixed an intermittent issue where an LACP flap occurred when the LACP transmission rate was set to

Fast

.

Fixed an issue where, after upgrading Panorama to PAN-OS 10.1.9, multiple User-ID alerts were generated every 10 minutes.

Fixed an issue with firewalls in active/active HA configurations where GlobalProtect disconnected when the original suspected active-primary firewall became active-secondary.

Fixed an issue where the firewall was unable to fully process the user list from a child group when the child group contained more than 1,500 users.

Fixed an issue where false negatives occurred for some script samples.

Fixed an issue where the logrcvr process stopped responding.

(

PA-5200 Series firewalls only

) Fixed an issue where unplugging a PAN-SFP-CG transceiver from an interface with its link speed setting set to 1000 caused the firewall to incorrectly read that interface as up.

Fixed an issue where attempting to change the disk-usage cleanup threshold to 90 resulted in the error message

Server error : op command for client dagger timed out as client is not available

.

Fixed an issue on log collectors where the root partition reached 100% utilization.

Fixed an issue where large OSPF control packets were fragmented, which caused the neighborship to fail.

Fixed an issue where, when viewing a WildFire Analysis report via the web interface, the

detailed log view

was not accessible if the browser window was resized.

Fixed a memory leak issue related to SSL crypto operations that resulted in failed commits.

Fixed an issue where the

show session packet-buffer-protection buffer-latency

CLI command randomly displayed incorrect values.

Fixed an issue where missed heartbeats caused the Data Processing Card (DPC) and its corresponding Network Processing Card (NPC) to restart due to internal packet path monitoring failure.

Fixed an issue on Panorama where users with custom admin roles were incorrectly unable to view SSH profiles even when it was permitted in the custom role.

(

Panorama appliances in Legacy Mode only

) Fixed an issue where

Blocked Browsing Summary by Website

in the user activity report contained scrambled characters.

Fixed an issue where the Data Processing Card remained in a

Starting

state after a restart.

Fixed an issue where fragmented UDP packets were dropped.

Fixed an issue where firewalls disconnected from Cortex Data Lake due to a missing key file after renewing the device certificate.

Fixed an issue with firewalls on active/passive HA configurations GlobalProtect where users were disconnected after HA failover.

Fixed an issue on Panorama where Security policy rules with a

Tag

target did not appear in the pre-rule list of a Dynamic Address Group that was part of the tag.

Fixed an issue on Panorama where VM-Series firewalls in HA configurations hosted on Amazon Web Services (AWS) were not displayed under

Deploy Master Key

.

Fixed an issue where the

Templates

list was not displayed under the

Location

drop-down for commit or configuration locks.

A debug command was added to address an issue with firewalls in high availability configurations.

(

CN-Series firewalls only

) Fixed an issue where the dataplane stopped responding after a container restart.

Fixed an issue where, when traffic and threat logs exceeded the threshold of 90% total allowed size, alarms were not generated for other log types.

Fixed an issue where dataplane ports responded to ICMP requests fewer than 64 bytes with nonzero padding bytes in the ICMP response.

Fixed an issue where link-local address communication for IPv6, BFD, and OSPFv3 neighbors was dropped when IP address spoofing check was enabled in a Zone Protection profile.

Fixed an issue where Panorama was unable to retrieve IP address-to-username mapping from a firewall on a PAN-OS 8.1 release.

Fixed an issue with firewalls in active/passive HA configurations where the passive firewall created an incorrect SCTP association due to the HA sync messages from the active firewall having an incorrect value.

Fixed an issue where the GlobalProtect

logdb

quota was not displayed in the

show system logdb quota

output.

Fixed an issue on the web interface where the

Session Expire Time

displayed a past date if the device time was in December.

Fixed an issue on the firewall where log filtering did not work as expected.

Fixed an issue where a Panorama in Management Only mode was unable to display logs from log collectors due to missing schema files.

(

PA-7000 Series firewalls only

) Fixed an issue where autotagging in log forwarding did not work.

Fixed an issue where, when a client sent a TCP/FIN packet, the firewall displayed the end reason as

aged-out

instead of

tcp-fin

.

Fixed an issue where the all_task process stopped responding when freeing the HTTP/2 stream, which caused the dataplane to go down.

Fixed an issue where authentication failed when the service route for RADIUS traffic was configured as

use default

for IPv4 addresses and included the dataplane interface as the destination route.

Fixed an issue where API calls did not display tunnel info.

Fixed an issue where NAT policies were not visible on the CLI if they contained more than 32 characters.

Fixed an issue on Panorama where Security policy rules incorrectly displayed as disabled.

Fixed an issue where user-group names were unable to be configured as the source user via the

test security-policy-match

command.

Fixed an issue where, when attempting to replace an existing certificate, importing a new certificate with the same name as the existing certificate failed due to mismatched public and private keys.

Fixed an issue where changes to the syslog server configuration were not applied without first restarting the management server.

Fixed an issue on the firewall where the modified date and time was incorrectly updated after a commit operation, PAN-OS upgrade, or reboot.

Fixed an issue when traffic failed to match and reach all destinations if a Security policy rule includes FQDN objects that resolve to two or more IP addresses.

Fixed an issue where REST API requests did not work for GlobalProtect gateway tunnels.

(

PA-7000 Series firewalls with SMC-B only

) Fixed an issue where the details of configuration changes were not included in configuration logs on the syslog server.

Fixed an issue where Large Scale VPN (LSVPN) Portal authentication failed with the error

invalid http response. return error(Authentication failed; Retry authentication

when the satellite connected to more than one portal.

Fixed a Clientless VPN issue where JSON stringifies caused issues with the application rewrite.

Fixed an issue with firewalls in active/active HA configurations where the virtual floating IP address configuration under a Panorama template was overridden and displayed

From Template Override: undefined

as a source.

Fixed an issue where

Panorama > Setup > Interfaces

was not accessible for users with custom admin roles even when the interface option was selected for the custom admin roles.

Fixed an issue where the shard count displayed by the

show log-collector-es-cluster health

CLI command was higher than the recommended limit. The recommended limit can be calculated with the formula 20*heap-memory*no-of-data-nodes.

Fixed an issue on Octeon based platforms where fragmented VLAN tagged packets dropped on an aggregate interface.

Fixed an issue where the

ikemgr

process stopped responding, which caused IPSec tunnels to go down.

Fixed an issue where HIP report flip and HIP check failed when a user was part of multiple user groups with different domains.

Fixed an issue where an authentication key field, even though not supported, was enabled under the

Device

tab on Panorama.

Fixed an issue where scheduled configuration pushes with

Include Device and Network Templates

selected did not work.

(

PA-7000 Series firewalls with NPCs (Network Processing Cards) only

) Improved debugging capability for an issue where the firewall restarted due to heartbeat failures and then failed with the following error message:

Power not OK

.

Fixed an issue where logs from unaffected log collector groups were not displayed when a log collector was down.

Fixed an issue where RAID rebuilds occurred even with healthy disks and a clean shutdown.

Fixed an issue where logs did not display

Host-ID

details for GlobalProtect users despite having a quarantine Security policy rule. This occurred due to a missed local cache lookup.

Fixed an issue on Panorama where a WildFire scheduled update for managed devices triggered multiple

UploadInstall

jobs per minute.

Fixed an issue where the stats dump file generated by Panorama for a device firewall differed from the stats dump file generated by the managed device.

Fixed an issue where the pan_com process stopped responding due to aggressive commits.

Fixed an issue where connections to Cortex Data Lake were initialized from the firewall even when Cortex Data Lake forwarding was disabled.

Fixed an issue in the

Run Now

section of custom reports where

Threat/Content Name

displayed in hypertext, and hovering over the text with the mouse displayed the message undefined.

Fixed an issue where DNS Security categories were able to be deleted from spyware profiles.

Fixed an issue where the firewall changed sequence numbers for reused sessions.

(

PA-5200 Series firewalls only

) Fixed an issue where, after upgrading to PAN-OS 10.1.6-h3, a TACACS user login displayed the following error message during the first login attempt:

Could not chdir to home directory /opt/pancfg/home/user: Permission denied

.

Fixed an issue where logs were unable to be generated due to old logs not getting purged and

/opt/panlogs

reaching over 100% usage.

(

WF-500 appliances only

) Fixed an issue where, after an upgrade to a PAN-OS 10.1 release, SNMP traps were not sent to the SNMP server. This occurred due to SNMP trap server settings not being enabled.

Fixed an issue where, when the firewall received a 513 error from the WildFire cloud, the firewall attempted to repeatedly send the same file.

Fixed an issue where administrators were unable to change the password of a local database for users configured as a local admin user via an authentication profile.

Fixed an issue where enabling

event-specific traps

(

Device

Setup

Operations

Miscellaneous

SNMP Setup

), the new deviating device system logs included incorrect information.

Fixed an issue where services failed due to the RAID rebuild not being completed on time.

(

PA-5450 firewalls only

) Fixed an issue where HSCI ports did not come up when QSFP DAC cables were used.

Fixed an issue on Panorama where global find did not return results for existing universally unique identifiers (UUID).

Fixed an issue where, after cloning a template, a certificate with the block private key option enabled was corrupted.

Fixed an issue where GlobalProtect HIP matches failed for Mac users due to invalid characters being present in the subject alternative attributes in the certificate on the HIP report.

Fixed an issue with firewalls in HA configurations where HA setup generated the error

mismatch due to device update

during a content update even though the version was the same.

Fixed an issue where the all_task process stopped responding after adding customer hyperscan signatures.

Fixed an issue where LSVPN satellite authentication cookies were not synced across high availability LSVPN portals.

Fixed an issue where the system log generated on GlobalProtect satellite did not provide the reason for failures to connect to the GlobalProtect portal or gateway.

Fixed an issue with firewalls in active/passive HA configurations where the user counts in the management plane were not synchronized between the active and the passive firewall.

Fixed an issue where the

Elapsed seconds

field incorrectly displayed as 0 for DHCP packets coming from the firewall.

Fixed an issue where content updates failed when using prelicensed keys during the bootstrap process.

Fixed an issue on Panorama where virtual memory usage exceeded the set limit, which caused the configd process to restart.

Fixed an issue where decrypted SSH sessions were interrupted with a decryption error.

Fixed an issue where you were unable to resize the

Description

pop-up window (

Policies > Security > Prerules

).

Fixed an issue where the SaaS PDF report incorrectly displayed the sanctioned application tag count as 1.

Fixed a rare issue where a

BuildXmlCache

job failed on the firewall.

Fixed an issue where, when the firewall forwarded Threat logs via email, the email client truncated the sender and recipient email addresses when they were put between angle brackets (<, >).

Fixed an issue where, when the total number of in-used HIP Profiles was greater than 32, traffic from the GlobalProtect Agent did not hit the expected Security policy rule configured with the HIP Profile even though a HIP Match log was generated.

Fixed an issue where the dnsproxyd process stopped responding due to corruption.

(

PA-7000 Series firewalls only

) Fixed an issue where firewalls experienced slow SNMP responses, which caused the SNMP server to time out before polling completion.

Fixed an issue where scheduled dynamic content updates failed to be retrieved by managed firewalls from Panorama when connectivity was slow.

Fixed an issue where the

Adjust Columns

options for Panorama Traffic logs did not correctly autoadjust the columns.

Fixed an issue where IPSec tunnel re-keying generated the critical log message

tunnel-status-up

.

Fixed an issue where scheduled configuration backups to the SCP server failed with the error message

No ECDSA host key is known

.

Fixed an issue where running the

show interface

CLI command caused the pan_comm process to stop responding during a configuration change.

Fixed an issue where

Panorama > Device > Deployment > Software

did not display software after running

check now

for managed devices.

Fixed an issue where the error message

Machine Learning found virus

was displayed in threat CSV logs as

Threat ID/Name

when WildFire Inline ML detected malware.

Fixed an issue where HIP database storage on the firewall reached full capacity due to the firewall not purging older HIP reports.

Fixed an issue where botnet reports were not generated on the firewall.

Fixed an issue where MAC addresses in threat capture were swapped between the source MAC and destination MAC addresses.

Fixed an issue where the all_pktproc process stopped responding, which caused the firewall to reboot.

Fixed an issue where the

pan_comm

process repeatedly restarted, which caused commits to fail.

Fixed an issue where exporting correlation logs generated an empty file.

Fixed an issue on the firewall where the DHCP server did not send DHCP NAK packets correctly when

Served Addresses

were configured.

Fixed an issue on the web interface where the interzone-default rule hit count was not displayed.

Fixed an issue where SD-WAN DIA VIF did not become active if default gateways for the member interface did not respond to pings.

Fixed an issue where invalid

packet-ptr

was seen in work entries.

Fixed an issue where software buffer 3 was depleted when URL proxy was enabled and SSL sessions were decrypted to inject the block page. This issue occurred when an HTTP/2 block page was displayed for a large POST request.

Fixed an issue where the firewall displayed the error message

Malformed Request

when an email address included an ampersand ( & ) when configuring an Email server profile.

Fixed an issue where a signature from a previous WildFire package triggered malware detection even though the signature was no longer present in the current WildFire package.

Fixed an issue where FTP connections failed when SSL Inbound Inspection was enabled and a Security Profile was attached to the FTP connection allow policy rule.

Fixed an issue where session offloading did not occur on a tap interface under a high packet load.

Fixed an issue that the logrcvr process crashes during the firewall reboots.

Fixed an issue related to an OOM condition in the dataplane, which was caused by multiple

panio

commands using extra memory.

Fixed an issue where the API format to check heap usage of a node showed a JSON error.