Fixed an issue where the proxy-protocol debug level was set to verbose on Prisma Access instances, even when it was not explicitly configured, which caused excessive logging by the pan_task process.

Fixed an issue where a stream receiving a reconnect signal with an associated error in Wifclient caused the entire pool to close, which resulted in a complete disconnection.

Fixed an issue where, after upgrading to PAN-OS 10.2.13-h10, GlobalProtect Clientless VPN on PA-3250 firewalls failed to execute JavaScript links, resulting in an authorization error. This occurred because the firewall was incorrectly injecting text into URLs when JavaScript buttons or dropdown menus were clicked within the Clientless VPN portal.

Fixed an issue where the throughput data on the Switch Card Module (SCM) was not accurately reported. This issue affected Standard SC USABN and USABN-2 when using Direct-IO deployment.

Fixed an issue where cookie surrogate cache entries remained unresolved after an idmgr process reset due to the request not being retransmitted. This occurred because the timestamp in the cache entry was refreshed even when the UID was 0, which prevented the retransmission of the request if the initial response was not received.

Fixed an issue where a memory leak occurred related to the configd process when pushing configurations from Panorama to a firewall. This occurred when the configurations contained shared policy rules.

Fixed an issue on Panorama where a new virtual system (vsys) was automatically created with the name of a device group.

Fixed an issue where sessions timed out sooner than expected due to the pan_proxy_accumulation _restore_timeout not initiating when the accumulationsession_init failed.

Fixed an issue where a large number of logs caused the logrcvr process to stop responding.

A fix was made to address CVE-2025-0133.

Fixed an issue where the Prisma Access gateway experienced process restarts and system reboots.

Fixed an issue where the firewall became unresponsive when the show user user- ids user all CLI command was executed repeatedly on large scale LDAP group mappings, and you were unable to connect to the gateways with the error message The network connection is unreachable or the gateway is unresponsive. Check the network connection and reconnect.

Fixed an issue where, after an upgrade, the SNMP polled values for IF-MIB::ifInErrors displayed a high number of errors that did not match the values in the CLI show interface command.

Fixed an issue where clients did not receive a valid response when searching a website due to a compression error.

Fixed an issue where the firewall dropped client hello packets when decryption was enabled, which prevented access to certain websites. This occurred when the client hello packet was truncated, the accumulation proxy assumed that the first packet contains at least 5 bytes, or out-of-order packets were waiting in L4 TCP.

Fixed an issue where TLS connections failed to establish in asymmetric routing environments if the firewall did not see server-to-client (s2c) packets of the TLS handshake.

To use this fix, run the following CLI command: debug dataplane set ssl-decrypt accumulate-client-hello asym-disable yes.

Fixed an issue where a GlobalProtect gateway stopped responding when handling HTTP/1.1 traffic with web inspection enabled.

Fixed an issue where the GlobalProtect client displayed an error message when you clicked Check Now and Preferred Releases and Base Releases were unchecked (Device > Software).

Fixed an issue where a DPC on slot 3 failed intermittently due to the pktlog_forwarding process restarting, which resulted in an unexpected HA failover.

Fixed an issue where logs in the cloud database displayed in the Not-Resolved category but not in the local database.

Fixed an issue where Advanced Services, App-ID Cloud Engine (ACE), and Enhanced Application Log stopped working due to incorrect memory usage accounting, which caused memory usage to remain at 99% after an extended period of time.

A fix was made to address CVE-2025-4230.

Fixed an issue where unexpected path monitor failures caused the firewall to stop responding.

Fixed an issue where Auto Quarantine did not work when simplified logging was enabled.

Fixed an issue where the dataplane stopped responding and the firewall unexpectedly rebooted due to multiple process restarts.

Fixed an issue where traffic was dropped when Data Loss Prevention or Advanced URL Filtering were enabled. This occurred when the payload size was greater than 3.5 KB.

Fixed an issue where the firewall dropped GRE keepalive packets that were encapsulated under another GRE tunnel.

Fixed an issue where the firewall displayed an OCSP/CRL check failure when accessing websites.

Fixed an issue where the URL filtering response page for Continue and Override did not work with IPv6 Router Advertisement (RA) or Multicast Listener Query (MLQ) for IPv6-to-IPv6 and IPv6- to-IPv4 traffic.

Fixed an issue that blocked auto-discovery of the ICD Cloud server for the configured Enforcer URL.

Fixed an issue on the web interface where templates incorrectly showed that telemetry was enabled when it was not enabled. With this fix, the telemetry setting is not displayed in the template on the web interface.

(PA-4000 and PA-5000 Series firewalls) Fixed an issue where, when SSL decryption was enabled, you were unable to interact with the login button on some websites due to a content length mismatch error. This occurred because the firewall incorrectly flagged the final packet in the replay as send original when it contained only a gzip end marker and no data.

Fixed an issue where the error message import of <issuecert> failed. Please check the validity of the key pair and try again for unmatched keys for EC certificates.

Fixed an issue where GlobalProtect clients experienced slow SMB-V3 download throughput when passing through a Prisma IPSec tunnel and the firewall and the SMB-V3 session owner dataplane was the same as the IPSec-ESP tunnel on the multi-dataplane firewall.

Fixed an issue on Panorama where admin users with the Custom Panorama Admin role were unable to add, edit, or delete route filters under Routing Profiles.

Fixed an issue where the configd process stopped responding during certificate verification.

Fixed an issue where the dnsproxyd process stopped responding during stability tests.

Fixed an issue on the firewall web interface where the Next Hop value was not displayed in the static route configuration, the admin-dist values were empty, and the path-monitor parameters were not listed in the management server web interface when the firewall was configured in FRR mode.