Fixed an issue on Panorama where, after you disabled the shared optimization feature, a full configuration push to multi-vsys devices caused a validation error.

Fixed an issue where, after upgrading to an affected PAN-OS release, the Visible Virtual System field referenced the vsys name instead of the vsys ID, which caused inter-vsys routing to fail. This occurred when a vsys display name matched one of the vsys IDs. If you're using a multivsys environment, you must upgrade your firewalls to a fixed PAN-OS version. The best practice is to upgrade both the firewalls and Panorama to a fixed PAN-OS version.

If you don't upgrade Panorama to a fixed version, you'll encounter PAN-245064, where a commit on a multivsys firewall fails with the message vsys name should end with a number vsys is invalid after you Export or push device config bundle from Panorama.

After you upgrade Panorama to a fixed version, you'll encounter PAN-214177, which causes an Export or Push device config bundle from Panorama to the firewall to fail. The workaround for PAN-214177 is to first push only the template configuration and then push the device group configurations.

Fixed an issue where the MIB ID returned an incorrect value via SNMP.

(Firewalls in active/passive HA configurations) Fixed an issue on firewalls where, after failover, certain subnets were missing from the Link State Database, which prevented OSPF routes from being immediately learned due to a Type-7 to Type-5 LSA translation conflict in the ABR when the same LSA was advertised by two peers in the NSSA area.

Fixed an issue where the firewall stopped all tasks due to an OOM condition caused by a scheduled log export using FTP to an external FTP server.

(CN-Series firewalls only) Fixed an issue where the firewall generated incomplete or corrupted tech support files (TSF) due to high disk usage on the management plane.

Fixed an issue where during a commit, the firewall experienced an out-of-memory (OOM) condition due to a memory leak and displayed an error message. This issue caused the device to stop responding and reboot unexpectedly.

Fixed an issue where the firewall rebooted unexpectedly due to a pan_task process restart related to page allocation failures.

Fixed an issue on Panorama where a new virtual system (vsys) was automatically created with the name of a device group.

Fixed an issue where on the firewall where the routed process stopped responding after changing the MTU or any link state parameters when OSPF and PIM were enabled on the same interface.

Fixed an issue where the error message Scan ERR: Internal Err 1002 was generated unexpectedly when WIF shared memory use was high.

Fixed an issue where the firewall double-freed shared memory when the shared memory usage reached 100% when sending large payloads. This occurred when DLP, Advanced Advanced Threat Protection (ATP), Advanced WildFire (AWF), or Advanced URL Filtering were enabled.

Fixed an issue where a simultaneous selective push from Panorama to multiple firewalls with different base configurations resulted in configuration corruption, which caused the firewall to go down.

Fixed an issue where the firewall did not automatically recover after a machine check exception (MCE) occurred.

Fixed a cumulative memory leak in the devsrvr process that occurred whenever the CLI command show running application statistics was issued. This memory leak would gradually consume system memory and produce an OOM condition, causing the firewall to reboot.

Fixed an issue where clients did not receive a valid response when searching a website due to a compression error.

Fixed an issue where firewalls that were connected to the same Cloud Identity Engine displayed inconsistent group membership information, with some firewalls showing only a subset of users belonging to a group.

Fixed an issue where the firewall dropped client hello packets when decryption was enabled, which prevented access to certain websites. This occurred when the client hello packet was truncated, the accumulation proxy assumed that the first packet contains at least 5 bytes, or out-of-order packets were waiting in L4 TCP.

Fixed an issue where TLS connections failed to establish in asymmetric routing environments if the firewall did not see server-to-client (s2c) packets of the TLS handshake.

To use this fix, run the following CLI command: debug dataplane set ssl-decrypt accumulate-client-hello asym-disable yes.

(VM-Series firewalls with multiple NICs only) Fixed an issue were the queue count in the task dump displayed an incorrect number of queues for SR-IOV interfaces due to the queue mapping logic incorrectly using a non-multi-NIC function.

Fixed an issue where IPv6 BGP peering established between virtual routers even without dataplane connectivity. This occurred because the firewall used the kernel for lookups instead of the dataplane.

Fixed an issue where Panorama did not display license information for Cloud NGFW firewalls under (Device Deployment > Licenses) due to the inability to perform batch-license refreshes.

Fixed an issue where the Panorama web interface was slower than expected due to high CPU utilization on the mongodb process.

Fixed an issue where the configd process stopped responding during certificate verification.

Fixed an issue on the firewall web interface where the Next Hop value was not displayed in the static route configuration, the admin-dist values were empty, and the path-monitor parameters were not listed in the management server web interface when the firewall was configured in FRR mode.

Fixed an issue where the debug log receiver statistics CLI command did not display entries for hipmatch logs.