Fixed an issue where commits failed due to the configured connected gateway IPv6 address in the NAT64 policy exceeding the 31 character limit.

Fixed an issue where, when ACE was enabled, traffic from cloud applications randomly matched an incorrect cloud-apps policy rule.

Fixed an issue where the option to sort sequence numbers was missing from Filters prefix list in the advanced routing filters.

Fixed an issue where retrieving filenames from OneDrive resulted in a cache miss.

Fixed an intermittent issue where gateway logout events were not logged when the GlobalProtect client was unable to send a logout notification, which resulted in the inactivity logout timer not triggering a gateway logout event. This caused user sessions to remain active beyond the configured inactivity timeout.

Fixed an issue where mTLS decryption bypass did not work when the decryption profile was configured with the maximum TLS version as TLS 1.3.

(Prisma Access only) Fixed an issue where URL log ingestion decreased after an upgrade, and secondary connections were lost.

Fixed an issue where custom reports showed incomplete data when exported in CSV format from Panorama.

Fixed an issue where the firewall removed the TCP timestamp from client hello messages that did not fit in a single packet, which resulted in connection issues.

Fixed an issue where the web interface did not display a message to commit prior changes before attempting a partial configuration load.

Fixed an issue where the popup window did not appear as expected for Clientless VPN users.

Fixed an issue where processes stopped responding when HTTPS Forward traffic was run.

Fixed an issue where accessing a URL from the browser returned the error message ERR_RESPONSE_HEADERS_TRUNCATED when the firewall was configured with TLS 1.3.

Fixed an issue where the CLI did not display a message to commit prior changes before loading a partial configuration.

Fixed an issue where the configuration audit displayed inaccurate information after partially loading the configuration via the CLI, which caused the audit to flag the configuration as deleted or changed.

Fixed an issue where authentication to GlobalProtect failed with the error message User not in allowed list.

Fixed an issue where deleting the NTP server address caused a commit validation error. This occurred when the configuration included both primary and secondary NTP servers and the secondary server was removed.

Fixed an issue where Prisma Access cap700 instances did not insert HTTP headers when accessing certain Google domains if the 32 byte pool size was low.

Fixed an issue where the firewall generated the following error message in the snmpd logs: pan_get_keystr_from_cryptod

(pan_snmpinterface.c:181): Key X2F1dGhfa2V5 import from cryptod failed.

(Panorama appliances on Microsoft Azure environments only) Fixed an issue where user to IP address mapping was missing for some users connected to specific Prisma Access gateways, which caused the collection layer Azure firewall to not form the mapping.

Fixed an issue where the firewall was unable to decrypt SSL traffic when using forward proxy and HSM with an ECDSA signing certificate.

Fixed a memory leak issue related to the configd process that occurred when running consecutive commits for multiple days.

Fixed an issue where GlobalProtect clients failed to connect with the error message The device or feature requires a GlobalProtect subscription license.

Fixed an issue where IP address tags were removed from firewalls after a management server or useridd process restart. This occurred when a Panorama serial-number based configuration was used for User-ID redistribution.

Fixed an issue where PDF summary and email reports displayed IPv6 addresses instead of IPv4 addresses.

Fixed an issue on the web interface where, when all rules were highlighted when a read-only admin user clicked the Highlight Unused Rules checkbox.

Fixed an issue where the IP address-to-user mapping timeout was triggered and the Inactivity TTL was refreshed unexpectedly

Fixed an issue on Panorama where, after you enabled multihop in a BFD profile, you were unable to disable it via the web interface.

(PA-7080 appliances with LPCs only) Fixed an issue where syslog forwarding over TCP stopped after upgrading.

Fixed an issue where servers were not accessible through an active SSL GlobalProtect VPN tunnel until a new connection was established or the session was cleared on the firewall.

Fixed an issue where secondary IP addresses with a /32 prefix configured on Layer 3 interfaces were not reachable in FRR mode.

A fix was made to address CVE-2025-0125.

Fixed an issue where the firewall web interface was blank after logging in.

Fixed an issue where CSV or PDF exports of zones did not contain all zones.

Fixed an issue where the firewall was unable to match HIP data with the correct anti-malware object for Windows Defender.

Fixed an issue where Panorama administrators with the type Dynamic were unable to create, modify, or delete BGP Dampening profiles.

Fixed an issue where the CLI command show running security-policy timed out when the Security policy was large.

Fixed an issue where ikemgr process unexpectedly stopped due to a memory mapping in an incorrect location.

(PA-450 firewalls only) Fixed an issue where specific routes were not advertised when BGP Aggregate was configured with the advertise filter.

Fixed an issue on the firewall where changes were incorrectly applied after a reboot or a restart of the configd process.

Fixed an issue where stale BGP routes were advertised to peers even when they were not present in the local RIB table.

Fixed an issue on the Panorama web interface where no content was displayed after logging in.

Fixed an issue where selective push operations failed with the following error message: SelPush:Base config is invalid! invalid configuration. Schema verification failed. This occurred when a policy rule was moved from the post-rule base to the pre-rule base.

Fixed an issue where the SNMP get request status value for Panorama connections was incorrect.

Fixed an issue where the pan_task process restarted due to configd and devsrvr process memory requirements.

Fixed an issue where ARP entries were unable to be completed for subinterfaces with SNAT configured.

Fixed an issue with the Panorama Virtual Appliance where, after the mgmtsrvr restarted on the passive appliance, stale IP address tags were pushed to the connected firewalls with the message clear all registered ip addresses.

Fixed an issue where logs were intermittently missing on the log collector due to missing aliases for some indices.

Fixed an issue where the firewall stopped responding when FIPS mode was enabled.

Fixed an issue where the useridd process ran out of memory and restarted when the number of user or user groups exceeded the threshold.

(PA-220 firewalls only) Fixed an issue where disk space usage was significantly higher than expected after upgrading.

Fixed an issue where you were unable to create duplicate entries in Advanced Routing AS path prepend in the BGP filter route map.

Fixed an issue where Captive Portal redirects failed with a 500 Internal error when the captive portal token was disabled.

Fixed an issue where the useridd and distd process restarted, which resulted in missing mappings.

Fixed an issue on the web interface where the Security policy rule hit count remained at 0 for some rules even though the traffic logs showed live hits.

Fixed an issue where TLS 1.3 connections failed if the server sent a certificate request after sending its certificate.