Fixed an issue where PA-3420 firewalls experienced unexpected reboots due to the all_task_7 process crashing with signal 6, leading to a non-functional state.

Fixed an issue where the CRL file was not updated as scheduled, causing PAN-OS to treat the CRL as expired. This resulted in the firewall displaying an Unknown CRL verification result, which could disconnect the firewall from Panorama or impact other features that rely on CRL checks, such as SSL decryption or GlobalProtect connections.

Fixed an issue where XML API commands failed with a Method not found (policy_xml) error in dagger.log. The issue was due to missing XML-related functions for inline-cloud-proxy.

Fixed an issue where a session process consumed excessive CPU resources, even when Data Loss Prevention (DLP) was not enabled. This occurred due to the active threat list being iterated twice when active threats were present in the session.

Fixed an issue on PA-VM in AWS where, in a two-arm deployment integrated with Gateway Load Balancer (GWLB), the firewall did not preserve the GENEVE source port for internet traffic, resulting in increased latency. The fix ensures the firewall preserves the outer UDP source port of GENEVE encapsulation when sending traffic back to GWLB.

Fixed an issue where, after upgrading an HA pair of PA-7050 firewalls, the vsys ID changed in sequence, causing autocommit failures with validation errors. This occurred when the multi-vsys firewall had virtual systems created and pushed from Panorama, and the vsys ID was not in a correct sequence because the unused vsys was deleted from Panorama and pushed to devices.

Fixed an issue where PA-400 Series firewalls were not properly caching DNS responses for FQDN objects. The firewall was observed to repeatedly send DNS requests for the same FQDN objects every 10-15 seconds, even after receiving valid responses, despite the minimum FQDN refresh interval being set to a much higher value. This resulted in excessive DNS queries originating from the firewall's management interface.

Fixed an issue where the MIB ID returned an incorrect value via SNMP.

Fixed an issue where the reportd process on passive Panorama management servers leaked memory due to scheduled report handling from the Strata Logging Service (SLS). This memory leak occurred daily, consuming available memory until the process was restarted.

Fixed an issue where a stream receiving a reconnect signal with an associated error in Wifclient caused the entire pool to close, which resulted in a complete disconnection.

Fixed an issue where, after upgrading to PAN-OS 10.2.13-h10, GlobalProtect Clientless VPN on PA-3250 firewalls failed to execute JavaScript links, resulting in an authorization error. This occurred because the firewall was incorrectly injecting text into URLs when JavaScript buttons or dropdown menus were clicked within the Clientless VPN portal.

Fixed an issue where, after upgrading the firewall, the Direct Internet Access (DIA) Any Path probing feature stopped functioning, causing traffic to not failover to the hub when the local internet connection failed. This issue affects branch firewalls in a hub-and-spoke setup.

Fixed an issue where the CRL file was not updated as scheduled, causing PAN-OS to treat the CRL as expired. This resulted in the firewall displaying an Unknown CRL verification result, which could disconnect the firewall from Panorama or impact other features that rely on CRL checks, such as SSL decryption or GlobalProtect connections.

Fixed an issue where the pan_comm process stopped responding due to insufficient time allocated to read file descriptors when processing long messages.

(Firewalls in active/passive HA configurations) Fixed an issue on firewalls where, after failover, certain subnets were missing from the Link State Database, which prevented OSPF routes from being immediately learned due to a Type-7 to Type-5 LSA translation conflict in the ABR when the same LSA was advertised by two peers in the NSSA area.

Fixed an issue where certificate data was missing in decryption logs for No decrypt policy rules and TLS1.2 traffic after upgrading, and the Subject Common Name, Issuer Common Name, Certificate Start Date, Certificate End Date, Certificate Serial Number, and Certificate Fingerprint fields were blank in the decryption logs.

Fixed an Issue where commits failed with the error invalid IPv6 x:x - must be global/link-local unicast when the management IPv6 address had a specific value.

Fixed an issue on the firewall where the VM monitor source remained in the Getting All status, which prevented dynamic address groups from updating IP addresses for new EC2 instances. This issue occurred due to a race condition where two threads that simultaneously retrieved IP address tag information from AWS VM monitoring sources became stuck while reading the XML file.

Fixed an issue where Panorama failed to push the default value of None for the secondary NTP server address to managed firewalls, resulting in a commit validation error. This occurred even when configuring the secondary NTP server address as None in Panorama's web interface, and affected both newly deployed and long-standing production firewalls after upgrading.

Fixed an issue where the firewall stopped all tasks due to an OOM condition caused by a scheduled log export using FTP to an external FTP server.

Fixed an issue where renaming a BGP filtering profile in Panorama did not update the corresponding BGP peer group in the virtual router, leading to commit failures.

Fixed an issue on the web interface where the Connected status for a User-ID agent in a non-User-ID Hub vsys displayed as blank if the same agent was also configured in a User-ID Hub vsys.

Fixed an issue where, after reinstalling the device certificate, delayed telemetry data was displayed in AIOPS.

(CN-Series firewalls only) Fixed an issue where the firewall generated incomplete or corrupted tech support files (TSF) due to high disk usage on the management plane.

Fixed an issue where TFTP file transfers intermittently timed out in active-active HA pairs when the TFTP control channel was processed by one firewall and the data channel was processed by the other. This occurred because the firewall receiving the data channel failed to match the predicted session due to asynchronous processing of HA messages.

Fixed an issue where the system logs repeatedly displayed the alert Clearing snmpd.log due to log overflow due to the SNMP counters rolling over.

Fixed an issue where the Advanced Routing Engine stopped responding when a route-map was configured to match on a metric with a value of 0.

Fixed an issue on PA-5220 firewalls where denied traffic logs incorrectly displayed a byte count of 0. This occurred because the bytes_sent value was stored in the most significant bits of u_bytes_sent, resulting in a zero value when a small value was assigned to u_bytes_sent.

Fixed an issue where the firewall_action was incorrectly set to '1' in DNS Security request telemetry, causing a mismatch between the DNS Security dashboard in AIOps and the threat logs on the firewall. This resulted in inaccurate reporting of allowed DNS requests for Malware, C2, Dynamic DNS, Parked, and Proxy categories in AIOps.

Fixed an issue where PA-460 firewalls experienced out-of-memory (OOM) conditions, leading to device crashes and reboots.

(VM-Series firewalls only) Fixed an issue where the firewall frequently rebooted.

(Firewalls in active/passive HA configurations only) Fixed an issue where, when the passive firewall was down and the idmr process was reset, the firewall generated the system log User-ID manager was reset. Commit is not required to reinitialize User-ID, even though the idmr process restart was not successful.

( VM-Series firewalls on Amazon Web Services (AWS) environments only) Fixed an issue where newly deployed firewalls were unable to connect to the Strata Logging Service (SLS) until after a reboot, license fetch, or management server restart.

Fixed an issue where the custom completer for device groups and templates received the device group name and template name from the running configuration instead of the candidate configuration.

Fixed an issue where the firewall rebooted unexpectedly due to a pan_task process restart related to page allocation failures.

Fixed an issue where Real Time Streaming Protocol (RTSP) video streams did not work when connected through GlobalProtect due to the firewall blocking 200 OK responses. This occurred because of incorrect NAT translations for the 200 OK message from the server.

(Firewalls with multi-vsys enabled only) Fixed an issue where an XML API call to get the running Security policies returned only the first Security policy.

Fixed an issue where SNMP walks returned a value of 0 for the CPS (Connections Per Second) per vsys on firewalls after upgrading to PAN-OS 11.1.6-h3, even when active connections were present.

(VM-Series firewalls on Microsoft Azure environments only) Fixed an issue where firewall failed to bootstrap with a custom image, and VM-Series plugin information was not displayed in the system information.

Fixed an issue where, when multiple scheduled vulnerability reports were sent in the same email, only the first attached report was displayed.

Fixed an issue where BGP learned routes were not advertised when Legacy Routing was used and an export policy was configured to match the next hop of the learned route.

(Firewalls in active/passive HA configurations only) Fixed an issue with high dataplane CPU utilization on both active and passive firewalls.

Fixed an issue where a memory leak occurred related to the configd process when pushing configurations from Panorama to a firewall. This occurred when the configurations contained shared policy rules.

Fixed an issue where IPv6 URLs were incorrectly categorized as private-ip-addresses even if the URL had a valid category. This occurred because the firewall did not check for IPv6 addresses when determining if an IP address was private.

Fixed an issue where, when SSL decryption was enabled, traffic matching a deny rule was incorrectly allowed until the SSL handshake was complete.

(PA-5400f firewalls only) Fixed an issue where SD-WAN SaaS monitoring did not work with URL monitoring.

(Prisma Access only) Fixed an issue where persistent commit failures occurred due to a missing transformation script when downgrading from PAN-OS 10.2.0 to PAN-OS 10.1.0.

Fixed an issue where the authd process crashed intermittently on VM-Series firewalls due to authentication sequence failures. The crashes occurred during memory management operations within a library while releasing memory to its central cache.

Fixed an issue on Panorama where the web interface became unresponsive when attempting to edit the Allow traffic to specified FQDN when Enforce GlobalProtect Connection for Network Access setting in a GlobalProtect portal configuration after adding 40 or more FQDN entries.

(VM-Series firewalls only) Added the CLI command no-refresh-discard-session to address an issue where the discarded session time to live (TTL) did not refresh at the default value.

Fixed an issue where External Dynamic List (EDL) entries for predefined lists were not visible in Panorama when logged in with a SuperUser Read-Only role.

Fixed an issue on the Panorama web interface where a template name or device group name displayed invalid text.

Fixed an issue where internet access through Secure Web Gateway (SWG) proxy nodes did not work when the default internet access policy rule source user was not known-user.

Fixed an issue on Panorama where a new virtual system (vsys) was automatically created with the name of a device group.

(Firewalls in HA active/passive configurations only) Fixed an issue where the firewalls experienced high dataplane CPU use when NAT64 was enabled. This occurred due to NAT64 traffic not being offloaded and unnecessary HA session updates being sent for every NAT64 packet.

Fixed an issue where the preferred_wnd value provided by CTD (Content Threat Detection) was disregarded due to TCP bandwidth estimation, which prevented the window from closing.

(Firewalls in multi-vsys configurations only) Fixed an issue where HTTP/2 traffic failed due when one virtual system (vsys) had a decryption policy rule enabled and another vsys had a no-decrypt policy rule for the same session.

Fixed an issue where the PA-5450 firewall did not set the Restart Bit (R-bit) in the BGP OPEN message when graceful restart was enabled. This caused BGP sessions with Cisco Nexus devices to fail to restart, which resulted in the TCP connection being closed.

Fixed an issue where the firewall incorrectly allowed traffic for certain applications when no decryption policy rule was configured.

Fixed an issue where the useridd process stopped responding due to a Security policy rule ID being set to 0, which caused the last configuration retrieval to fail.

Fixed an issue where Panorama exported the serial number of a managed collector instead of the collector name when exporting a PDF or CSV file.

Fixed an issue where, when Advanced Routing Engine was enabled firewalls configured with multiple logical routers, static routes were preferred over eBGP routes even though the static routes had a higher administrative distance.

Fixed an issue on Panorama where commit jobs were not queued and the system reported that the useridd was not connected.

Fixed an issue where the MIB ID returned an incorrect value via SNMP.

Fixed an issue where the dataplane CPU usage percentage was displayed as lower than it was on the firewall web interface, SCM, and other monitoring tools.

(VM-Series firewalls only) Fixed an issue where the firewall became inaccessible via the web interface and SSH and remained in an initializing state.

Fixed an issue where the Panorama web interface incorrectly displayed the checkbox as enabled for SHA1.

(VM-Series firewalls only) Fixed an issue where the maximum registered IP address for was incorrectly set to 100,000 instead of the expected 500,000.

Fixed an issue where the comm process stopped responding due to missing heartbeats, which resulted in a system alert and HA communication loss on slot1.

(Panorama appliances only) Fixed an issue on the web interface where resetting the rule hit counter for multiple policy rules failed with the error message Failed to reset rule-hit job.

Fixed an issue where sessions timed out sooner than expected due to the pan_proxy_accumulation_restore_timeout not initiating when the accumulation session_init failed.

Fixed an issue where the error message Scan ERR: Internal Err 1002 was generated unexpectedly when WIF shared memory use was high.

Fixed an issue on Panorama where commits took longer than expected.

Fixed the issue on the web interface where ACC graphs displayed No data to display when a filter was applied to Source IP or Destination IP.

Fixed an issue with firewalls in active/passive HA configurations where an OOM condition occurred and caused a failover due to a memory leak associated with the logrcvr process.

Fixed an issue on the firewall where the show advanced-routing bgp loc-rib-detail CLI command incorrectly displayed no BGP route" when multiple BGP peers were enabled. With this fix, the CLI command requires a peer name to be specified to display local RIB details.

Fixed an issue where PA-3420 firewalls experienced unexpected reboots due to the all_task_7 process crashing with signal 6, leading to a non-functional state.

Fixed an issue where BGP export policy rules with next-hop matching failed to block the advertisement of static routes, and the firewall incorrectly matched the egress interface IP address instead of the original next-hop IP address of the static route, which caused the deny rule to fail.

Fixed an issue where, when an application stopped responding, a large file was created in the /opt/panlogs directory, which caused the partition to fill up.

Fixed an issue where a large number of logs caused the logrcvr process to stop responding.

Fixed an issue where user-to-IP address mappings were not available on the dataplane for User-ID, which prevented the enforcement of user-based Security policy rules. This was due to the firewall not validating the timestamp of mappings received from certain User Identification Agent (UIA) agents before adding them to the dataplane.

Fixed an issue where the device-group-tags CLI command used an unnecessary configuration read lock.

(VM-Series firewalls only AWS environments only) Fixed an issue where the firewall did not send ICMP unreachable - Fragmentation Needed message when it received packets larger than the MTU.

Fixed an issue where closing an SSH session to a Panorama using Ctrl+D did not generate a log message in the system logs, and the session remained in an idle state for 60 minutes before being automatically terminated.

Fixed an issue where the firewall did not automatically enable the telemetry feature.

(PA-5450 firewalls only) Added uplink counters to enhance debug capability for traffic drops.

Fixed an issue where the firewall double-freed shared memory when the shared memory usage reached 100% when sending large payloads. This occurred when DLP, Advanced Advanced Threat Protection (ATP), Advanced WildFire (AWF), or Advanced URL Filtering were enabled.

Fixed an issue where PA-VM-Flex firewalls bootstrapped in an air-gapped environment did not display premium partner and threat prevention licenses.

Fixed an issue where a multi-vsys firewall was unable to retrieve address groups and address objects pushed from Panorama as shared objects when using the REST API.

Fixed an issue on Panorama where logs were not forwarded to syslog servers due to missing CLI options to configure the syslog queue size and threads.

Fixed an issue where, when getting transceiver information from ESCC for SFP 25G modules, the transceiver code was incorrectly updated with Unknown instead of 25GBase-SR.

Fixed an issue on firewalls running PAN-OS 11.1 releases where, after being offboarded from Panorama, the firewall XML configuration file retained template information from the previous Panorama configuration. As a result, when the firewall and its configuration were imported to another Panorama appliance, all configurations in the Network and Device tabs became read-only.

Fixed an issue where the firewall did not respond to ARP requests when a subinterface was configured with source address translation using the Translated Address option.

Fixed an issue where the Prisma Access gateway experienced process restarts and system reboots.

Fixed an issue where a simultaneous selective push from Panorama to multiple firewalls with different base configurations resulted in configuration corruption, which caused the firewall to go down.

(Firewalls in HA configurations only) Fixed an issue where, after a failover, an SSH decryption caused a mismatch in the host key, which resulted in a warning message. This issue occurred because the SSH tunnel keys were not synchronized between the active and passive firewalls.

Fixed an issue where the firewall did not forward logs to SLS when using a proxy server configuration due to an OCSP validation failure.

Fixed an issue where the configd process restarted and generated a core file during an HA sync commit job. This occurred when the firewall was in the HA passive state.

Fixed an issue where the firewall became unresponsive when the show user user-ids user all CLI command was executed repeatedly on large scale LDAP group mappings, and you were unable to connect to the gateways with the error message The network connection is unreachable or the gateway is unresponsive. Check the network connection and reconnect.

Fixed an issue where commits remained at 98% completion when static route configuration cleanup was in progress.

Fixed an issue where the dnsproxy process stopped responding when enabling the AutoVPN feature from the Software-Defined Cloud Management (SD-WAN) console.

Fixed an issue where the Panorama web interface displayed No Data when viewing configuration logs to see changes before and after a configuration change.

Fixed an issue where a PBF (Policy Based Forwarding) policy rule using an AE (Aggregate Ethernet) interface configured with DHCP as the egress interface incorrectly transitioned to an active state after a commit operation, even when the DHCP lease had expired and the interface had no assigned IP address.

Fixed an issue where committing a custom report in Panorama incorrectly generated a pending push to devices.

(VM-Series firewalls with Advanced Routing Engine enabled only) Fixed an issue where where the frr_ns2_bgpd process repeatedly restarted after committing a configuration that included the same route-map in both the exist and non-exist clauses of a conditional advertisement or when the same route-map was used in both the Advertise-out and conditional exist out map configurations.

(Panorama appliances in Log Collector mode only) Fixed an issue where the vm_agent process restarted after an upgrade.

Fixed an issue where GlobalProtect (GP) portal authentication for satellites using RADIUS authentication failed due to the authentication timeout value being set to 0.

Fixed an issue on the firewall that caused commits to fail and the web interface to become inaccessible.

Fixed an issue where clients did not receive a valid response when when searching a website due to a compression error.

Fixed an issue where DNS Security Category exceptions created with DNS category UTID were not ignored.

(Prisma Access only) Fixed an issue where URL log ingestion decreased after an upgrade, and secondary connections were lost.

Fixed an issue on the web interface where the IP Tag Quota(%) value displayed as 2 even when changed.

Fixed an issue where threat logs displayed logs from the N/A threat category when a random string was used for the category-of-threatid filter in threat logs.

Fixed an issue where a software download job reported a completion timestamp that occurred before the software loading process was finished.

Fixed an issue where the OSPFv3 area nssa default-information-originate CLI command was not applied due to a configuration error in the backend advanced-routing stack.

Fixed an issue where configuring an HTTP profile to send Webhook alerts to Microsoft Teams failed with a 400 Bad request error when clicking Send Test Log .

Fixed an issue where ping commands from both the management plane and dataplane interfaces incorrectly prioritized IPv6 addresses over IPv4 addresses, even when IPv6 was disabled. This caused connectivity issues when pinging FQDNs that resolved to IPv6 addresses.

Fixed an issue where the Border Gateway Protocol (BGP) established time was displayed inaccurately due to a 32-bit counter wrapping issue.

Fixed an issue where GlobalProtect clients on macOS devices failed to connect when device name used newline character.

Fixed an issue where firewalls in air-gapped environments attempted to connect to a Google IP address for Machine Learning AV (MLAV) functionality, even when MLAV was not licensed or configured.

Fixed an issue where an OOM condition on the logrcvr process caused interface flapping, and the interface unexpectedly went down and then recovered without intervention.

Fixed an issue where OSPF redistributed connected routes beyond the intended loopback IP address.

Fixed an issue where, after upgrading to a higher version of PAN-OS 10.2, the devsrvr process crashed during autocommit on both PA-Series and VM-Series firewalls. This occurred specifically when parsing an SSL/TLS service profile for a captive portal that was missing the max-version configuration, leading to a null pointer dereference. The firewall would attempt four autocommits, all of which would fail with a Client device registered in the middle of a commit/validate error before the devsrvr process crashed and the firewall rebooted into maintenance mode.

Fixed a rare issue where the logrcvr process stopped responding, which caused the devsrvr process to restart.

Fixed an issue where the logd process repeatedly restarted when the SD-WAN site name was over 31 characters and contained certain XML escape characters.

(Panorama appliances only) Fixed an issue where log exports were slower than expected or failed when filtering logs after an upgrade, which resulted in timeouts or delays in displaying logs on the web interface.

Fixed an issue where searching configuration logs for an audit_uuid did not return a result if the rule was created with a clone operation.

Fixed an issue where, after an authd process restart, the username, password, and source IP address displayed in plain text on the console when attempting to log in via the web interface.

(PA-5420 firewalls) Fixed an issue where the firewall management server memory usage continuously increased.

Fixed an issue where the routed process memory usage continuously increased when Advanced Routing was enabled.

Fixed an issue on Panorama managed firewalls where, when the service route configuration was set to VLAN as the source, attempting to import the variable CSV into the template resulted in the validation error Failed to parse variable configuration file. This issue occurred because the system incorrectly validated the VLAN interface name in the service route configuration within the template.

Fixed an issue where shared objects were displayed in the Push Scope after pushing the configuration from Panorama to managed firewalls.

Fixed an issue where all_pktproc process repeatedly restarted, which caused dataplane failure and loss of connectivity, including PAN-DB URL resolution. This occurred after a commit push from Panorama and resulted in the firewall becoming non-functional due to internal path monitoring failure and configuration memory exhaustion.

Fixed an Issue where commits failed with the error invalid IPv6 x:x - must be global/link-local unicast when the management IPv6 address had a specific value.

Fixed an issue where all data interfaces went down due to a Forward Error Correction (FEC) mode mismatch. The firewall defaulted to FEC Auto mode, while the peer Cisco switch was configured for FC-FEC.

Fixed an issue where firewalls that were connected to the same Cloud Identity Engine displayed inconsistent group membership information, with some firewalls showing only a subset of users belonging to a group.

Fixed an issue where User-ID custom reports were unable to exclude IP address 0.0.0.0 when using the filter ip notin 0.0.0.0.

An issue was fixed where the firewall dropped fragmented TLS ClientHello packets, which blocked access to certain websites. This occurred because the packets arrived truncated, in varying sizes and orders, and the firewall's heuristics failed to handle them correctly.

To enable this fix, run: debug dataplane set ssl-decrypt accumulate-client-hello disjoined yes

Fixed an issue where threat names were displayed differently on the web interface and the exported CSV file.

Fixed an issue where, during software deployment from Panorama to multiple firewalls, some firewalls did not automatically reboot after the upgrade, even when Reboot device after install was selected. This was due to the Panorama timing out before the software deployment completed on the affected firewalls, which prevented the reboot request from being sent.

Fixed an issue where TLS connections failed to establish in asymmetric routing environments if the firewall did not see server-to-client (s2c) packets of the TLS handshake.

To use this fix, run the following CLI command: debug dataplane set ssl-decrypt accumulate-client-hello asym-disable yes.

Fixed an issue on Panorama where Device Health displayed the device memory as 0%.

Fixed an issue where a GlobalProtect gateway stopped responding when handling HTTP/1.1 traffic with web inspection enabled.

Fixed an issue where DNS domain resolutions experienced intermittent delays due to the firewall not connecting to the DNS Security cloud.

To use this fix, enable DNS monitoring on the dataplane via the CLI command debug dnsproxyd enable-rtsig-health-monitor yes.

To show the current setting, run the CLI command debug dnsproxyd enable-rtsig-health-monitor show. If the cfg.general.dns-rtsig-monitor-interval shows a non-zero value, DNS monitoring is enabled.

Fixed an issue where authentication to GlobalProtect failed with the error message User not in allowed list.

Fixed an issue where IPv6 BGP peering established between virtual routers even without dataplane connectivity. This occurred because the firewall used the kernel for lookups instead of the dataplane.

(VM-Series firewalls in AWS environments only) Fixed an issue where HA failover mode incorrectly changed from interface move to secondary IP move after a reboot.

Fixed an issue where the PA-5220 firewall reports inaccurate NetFlow statistics for DNS flows after upgrading to PAN-OS 10.2.13.

Fixed an issue where the firewall did not match the correct policy for SSL forward decrypted HTTP/2 traffic when upgrading from PAN-OS 10.2.9-h1 to PAN-OS 11.2.3.

Fixed an issue where random characters were added to the proxy_authorization in HTTP messages when the firewall accessed certain services through a configured proxy server. This caused proxy server authentication to intermittently fail.

Fixed an issue where the firewall stopped responding when a DNS client closed or reset a TCP connection while the firewall was sending a response.

Fixed an issue where the CLI output in JSON format displayed incorrect bracket patterns.

Fixed an issue where WildFire reports were not fully displayed and were not downloadable due to static resources not being found.

Fixed an issue where FTP data connections did not work for EPRT with Source IP + Port translation enabled on the firewall.

Fixed an issue where adding an SD-WAN interface profile to an overridden interface on a template stack failed with an sdwan-interface-profile is invalid error.

Fixed an issue where the CLI command syntax was incorrect when configuring the deviceconfig values from the Template Stack.

Fixed an issue on Panorama where the logd process stopped responding unexpectedly.

Fixed an issue where GlobalProtect users experienced DNS resolution timeouts when using Prisma Access.

Fixed an issue where Panorama did not display license information for Cloud NGFW firewalls under (Device Deployment > Licenses) due to the inability to perform batch-license refreshes.

(PA-450 firewalls only) Fixed an issue where, after an upgrade, data that was excluded using the query builder in a custom report was still visible in the report, and the logs displayed errors related to invalid threat names being queried.

(Firewalls in HA configurations only) Fixed an issue where the confgid process and mgmtsrvr process restarted daily when processing a show rule-hit-count CLI command when retrieving Security policy rules for vsys1.

Fixed an issue where a dataplane restart was not triggered as expected when internal packet path monitoring failure occurred.

Fixed an issue where you were unable to to adjust the frequency of the Advanced Cloud Explorer (ACE) cloud fetch via the CLI.

Fixed an issue where Global Search did not redirect correctly to routing profiles when searching for their names.

Fixed an issue where the firewall incorrectly assembled SIP NOTIFY and REFER messages when processing SIP TCP packets that contained a partial content-body from a previous SIP message and a complete header and content-body from the next SIP message.

Fixed an issue on Panorama where the request batch license info CLI command displayed entries for devices that were no longer attached to Panorama.

Fixed an issue where you were unable to use the s_encrypted field in custom reports for the Panorama threat log database.

Fixed an issue where the transmit power for a cable that was used on port 44 displayed as N/A.

Fixed an issue where manual SCP exports from firewalls in FIPS mode were successful to SCP servers that were not FIPS-compliant. This occurred because the manual SCP process did not enforce FIPS security checks.

Fixed an issue where the configuration version did not increment in the Audit Comment Archive after making changes to the Security policy rule with an audit comment and performing a commit. As a result, all subsequent changes were grouped under the same configuration version, which prevented the comparison of changes in the Rule Changes field of the Security policy rule.

Fixed an issue on Panorama where commits took longer than expected due to the show object dynamic-address-group all CLI command holding the devicetable lock for an extended period.

(Panorama appliances on Microsoft Azure environments only) Fixed an issue where user to IP address mapping was missing for some users connected to specific Prisma Access gateways, which caused the collection layer Azure firewall to not form the mapping.

Fixed an issue where the dnsproxy process crashed due to memory corruption caused by a race condition when the allow list downloading was impacted by config change.

Fixed an issue where the firewall did not increase the metric of the default route when redistributed into OSPF when the firewall was configured as an NSSA ABR.

Fixed an issue where DNS requests to malware sites were not blocked as expected, and the dns-security-categories log-level and action displayed default values instead of unavailable.

(PA-7000 Series firewalls, PA-5200 firewalls, and PA-5400f firewalls in FIPS mode only) Fixed an issue where decrypted traffic repeatedly failed and frequent reboots were required.

Fixed an issue where PublicCloud Server certificate validation failed. Dest Addr: (null), Reason: self signed certificate in certificate chain generated as a high alert in the system log every 5 minutes.

Fixed an issue where the character ( + ) in the authentication message prompt displayed incorrectly as #43; on the GlobalProtect client after upgrading to a PAN-OS 10.2 release.

Fixed an issue where the byte size reported in traffic logs differed from the byte size reported in Enhanced Application Logs (EAL) logs.

Fixed an issue where performing a factory reset caused the firewall to enter a continuous boot loop due to a failure in generating the global.xml configuration file.

Fixed an issue where committing changes to Advanced Routing and redistribution profiles failed while pushing the configuration from SCM.

Fixed an issue where the GlobalProtect client did not automatically initiate a Kerberos SSO connection after logging in to Windows.

Fixed an issue where API calls to Panorama failed with the error Server error : Timed out while getting config lock. Please try again.

Fixed an issue where the firewall dropped non-SYN TCP packets even when the Reject non-SYN TCP option was set to No when a session rematch was triggered.

Fixed an issue where the devsrvr process stopped responding, which caused the firewall to restart repeatedly.

Fixed an issue where the show user ip-user-mapping all option detail XML API command did not show the complete output.

Fixed an issue where BGP aggregate routes with the AS-SET option enabled had incorrect AS paths.

(VM-Series firewalls only) Fixed an issue where the aggressive clean-up threshold for disk space was set to 95% in system monitor.

Fixed an issue where the domain-edl column was empty in the threat log even when a threat was detected as a DNS alert.

Fixed an issue where an OOM condition occurred, which caused processes to stop responding.

Fixed an issue where the routed process stopped responding due to accessing freed memory from a hash table when the route vectors were resized. This occurred when a large number of static routes were configured.

Fixed an issue where, when using WildFire Private Cloud, the system log displayed the error message tls-X509-validation.

Fixed an issue where users were unable to log in to Panorama and the following error message was displayed: Timed out while getting config lock. Please try again. This occurred when pushing configurations to a large number of devices.

Fixed an issue where the execute show transceiver-detail all XML API command returned an incorrect value for the low temperature alarm threshold.

Fixed an issue where the Panorama web interface was slower than expected due to high CPU utilization on the mongodb process.

Fixed an issue where the reportd process stopped responding with a SIGSEGV at schedule_report_es_response.

Fixed an issue where the firewall dropped inbount RTP traffic after using Webex Screen Sharing due to the firewall removing the NAT cache when the predict timed out, which caused a new NAT to be established that conflicted with existing sessions. To use this fix, run the CLI command set system setting ctd h323_rtp_predict timeout <120-3600> to increase the timeout limit.

Fixed an issue where virtual machine interfaces displayed unknown for speed and duplex in the CLI and web interface.

(PA-5450 firewalls only) Fixed an issue where the useridd process repeatedly restarted.

Fixed an issue where URLs did not work due to certificate revocation list (CRL) requests failing.

(PA-7000B Series firewalls with NPCs only) Fixed an issue where the gearbox on the NPC took multiple retries to get the NIF link up.

(VM-Series firewalls on Kernel-based Virtual Machine (KVM) only) Fixed an issue where the firewall entered maintenance mode after an auto-commit when sending an ARP packet through the loopback interface using an IPv6 address.

Fixed an issue where Auto Quarantine did not work when simplified logging was enabled.

Fixed an issue where the routed process core failed the automation run.

Fixed an issue where the firewall rebooted unexpectedly due to a memory leak in the all_task process.

Fixed an issue where exporting managed device information from Panorama in CSV format included extraneous characters.

Fixed an issue where the error message Failed to reload config files displayed in the system logs even when device telemetry was not enabled.

Fixed an issue where the bytes transmitted and packet transmitted counters for hardware interfaces incorrectly displayed as 0 after a restart of slot-1.

Fixed an issue where daily email reports generated from the custom report did not display the report details in PDF or CSV files.

Fixed an issue where Panorama pushed content to devices that did not have a Threat Prevention license.

Fixed an issue on the Panorama web interface where the Configuration tab did not accurately display changes made to URL filtering profiles.

Fixed an issue where IPv4 BGP routes were not included in the routing table or FIB of a virtual router when ECMP was configured with more than two next hops.

Fixed an issue where selective push operations from Panorama to managed firewalls failed with the error message Failed to generate selective push configuration. Schema validation failed. Please try a full push.

Fixed an issue on the Panorama web interface where the template sync status showed Out-of-Sync for managed devices after a combined commit-all operation. This occurred due to Panorama sending the default MD5 sum of the template to the firewall instead of the correct MD5 sum.

Enabled crash kernel to capture the PAN-OS state when a kernel panic occurred.

Fixed an issue on Panorama where a core file was generated by /usr/local/bin/logd during a restart.

Fixed an issue where the URL filtering response page for Continue and Override did not work with IPv6 Router Advertisement (RA) or Multicast Listener Query (MLQ) for IPv6-to-IPv6 and IPv6-to-IPv4 traffic.

Fixed an issue where frequent session failures occurred due to CTD resource exhaustion.

Fixed an issue where a static route was removed from the route table when path monitoring was enabled.

(Multi-vsys firewalls only) Fixed an issue where commits failed on the firewall after selecting Export or push device config bundle on Panorama and a force push was required.

Fixed an issue where multi-download operations failed.

(Panorama virtual appliances in Microsoft Azure environments only) Fixed an issue where where, when a VM-Series firewall was registered to Panorama, the Panorama server failed to re-attempt pushing Dynamic Address Groups updates to the firewall if the initial push failed due to a temporary disconnection, which resulted in blocked traffic.

Fixed an issue where the DHCP server stopped responding with the error IP address is already in use.

Fixed an issue where GlobalProtect clients experienced slow SMB-V3 download throughput when passing through a Prisma IPSec tunnel and the firewall and the SMB-V3 session owner dataplane was the same as the IPSec-ESP tunnel on the multi-dataplane firewall.

Fixed an issue where log usernames were truncated, which caused users to be identified improperly on predefined SaaS reports.

Fixed an issue on Panorama where admin users with the Custom Panorama Admin role were unable to add, edit, or delete route filters under Routing Profiles

Fixed an issue where deleting a route entry from Advanced Routing using the gRPC API could unintentionally delete other routes. Running multiple attempts with broad XPATH queries could potentially match and delete unintended route records.

Fixed an issue where the all_task process repeatedly restarted, which caused dataplane restarts on traffic disruption.

Fixed an issue where the configd process stopped responding during certificate verification.

Fixed an issue where no default route was installed on the firewall because a static IPv6 default gateway was specified on the management interface with a dynamic IPv6 address.

Fixed an issue where the CLI command to set the target virtual system accepted a non-existent virtual system name, and the CLI prompt incorrectly changed to the non-existent virtual system.

Fixed an issue where the firewall management plane could not display BGP peer details when using the CLI command show advanced-routing bgp peer detail logical-router <LR>. This was due to the bgp_frr.py script failing to parse the IPv6 address family section of the show ip bgp neighbors json output.

Fixed an issue where using XML API to create Security policy rules with an incorrectly set parameter caused the firewall dha and devsrvr processes to stop responding.

Fixed an issue where hardware interface counters read from the CPU did not incrementing for member interfaces after a Link Aggregation Control Protocol (LACP) bundle was formed in an aggregate ethernet interface.

Fixed an issue on the firewall web interface where the Next Hop value was not displayed in the static route configuration, the admin-dist values were empty, and the path-monitor parameters were not listed in the management server web interface when the firewall was configured in FRR mode.

Fixed an issue where the debug log receiver statistics CLI command did not display entries for hipmatch logs.

Fixed an issue with firewalls with SD-WAN policy rules and GlobalProtect gateway configurations where enabling GlobalProtect on a loopback interface caused an issue where IPSec tunnel traffic from the gateway to the client dropped intermittently.