PAN-OS 10.2.17 Addressed Issues

PAN-OS® 10.2.17 addressed issues.
Issue ID
Description
PAN-304021
Fixed an issue where PA-3420 firewalls experienced unexpected reboots due to the all_task_7 process crashing with signal 6, leading to a non-functional state.
PAN-301580
Fixed an issue where the CRL file was not updated as scheduled, causing PAN-OS to treat the CRL as expired. This resulted in the firewall displaying an Unknown CRL verification result, which could disconnect the firewall from Panorama or impact other features that rely on CRL checks, such as SSL decryption or GlobalProtect connections.
PAN-300906
Fixed an issue where XML API commands failed with a Method not found (policy_xml) error in dagger.log. The issue was due to missing XML-related functions for inline-cloud-proxy.
PAN-299228
Fixed an issue where a session process consumed excessive CPU resources, even when Data Loss Prevention (DLP) was not enabled. This occurred due to the active threat list being iterated twice when active threats were present in the session.
PAN-298907
Fixed an issue on PA-VM in AWS where, in a two-arm deployment integrated with Gateway Load Balancer (GWLB), the firewall did not preserve the GENEVE source port for internet traffic, resulting in increased latency. The fix ensures the firewall preserves the outer UDP source port of GENEVE encapsulation when sending traffic back to GWLB.
PAN-298505
Fixed an issue where, after upgrading an HA pair of PA-7050 firewalls, the vsys ID changed in sequence, causing autocommit failures with validation errors. This occurred when the multi-vsys firewall had virtual systems created and pushed from Panorama, and the vsys ID was not in a correct sequence because the unused vsys was deleted from Panorama and pushed to devices.
PAN-297963
Fixed an issue where PA-400 Series firewalls were not properly caching DNS responses for FQDN objects. The firewall was observed to repeatedly send DNS requests for the same FQDN objects every 10-15 seconds, even after receiving valid responses, despite the minimum FQDN refresh interval being set to a much higher value. This resulted in excessive DNS queries originating from the firewall's management interface.
PAN-297349
Fixed an issue where the MIB ID returned an incorrect value via SNMP.
PAN-296635
Fixed an issue where the reportd process on passive Panorama management servers leaked memory due to scheduled report handling from the Strata Logging Service (SLS). This memory leak occurred daily, consuming available memory until the process was restarted.
PAN-296519
Fixed an issue where a stream receiving a reconnect signal with an associated error in Wifclient caused the entire pool to close, which resulted in a complete disconnection.
PAN-296478
Fixed an issue where, after upgrading to PAN-OS 10.2.13-h10, GlobalProtect Clientless VPN on PA-3250 firewalls failed to execute JavaScript links, resulting in an authorization error. This occurred because the firewall was incorrectly injecting text into URLs when JavaScript buttons or dropdown menus were clicked within the Clientless VPN portal.
PAN-296452
Fixed an issue where, when Panorama managed Prisma Access, filtering GlobalProtect logs by IPv6 subnets displayed all logs, including IPv4 logs.
PAN-295957
Fixed an issue where, after upgrading the firewall, the Direct Internet Access (DIA) Any Path probing feature stopped functioning, causing traffic to not failover to the hub when the local internet connection failed. This issue affects branch firewalls in a hub-and-spoke setup.
PAN-295400
Fixed an issue where the CRL file was not updated as scheduled, causing PAN-OS to treat the CRL as expired. This resulted in the firewall displaying an Unknown CRL verification result, which could disconnect the firewall from Panorama or impact other features that rely on CRL checks, such as SSL decryption or GlobalProtect connections.
PAN-295342
Fixed an issue where the pan_comm process stopped responding due to insufficient time allocated to read file descriptors when processing long messages.
PAN-294770
(Firewalls in active/passive HA configurations) Fixed an issue on firewalls where, after failover, certain subnets were missing from the Link State Database, which prevented OSPF routes from being immediately learned due to a Type-7 to Type-5 LSA translation conflict in the ABR when the same LSA was advertised by two peers in the NSSA area.
PAN-294488
Fixed an issue where certificate data was missing in decryption logs for No decrypt policy rules and TLS1.2 traffic after upgrading, and the Subject Common Name, Issuer Common Name, Certificate Start Date, Certificate End Date, Certificate Serial Number, and Certificate Fingerprint fields were blank in the decryption logs.
PAN-294115
Fixed an issue where commits failed with the error invalid IPv6 x:x - must be global/link-local unicast when the management IPv6 address had a specific value.
PAN-293879
Fixed an issue on the firewall where the VM monitor source remained in the Getting All status, which prevented dynamic address groups from updating IP addresses for new EC2 instances. This issue occurred due to a race condition where two threads that simultaneously retrieved IP address tag information from AWS VM monitoring sources became stuck while reading the XML file.
PAN-293848
Fixed an issue where Panorama failed to push the default value of None for the secondary NTP server address to managed firewalls, resulting in a commit validation error. This occurred even when configuring the secondary NTP server address as None in Panorama's web interface, and affected both newly deployed and long-standing production firewalls after upgrading.
PAN-293707
Fixed an issue where the iotd process failed to install DPI Cloud server FQDN due to a configuration parsing failure caused by the configuration XML memory buffer not being NULL terminated. This resulted in the accumulation of EAL logs and DLP forwarding being stopped.
PAN-293673
Fixed an issue where the firewall stopped all tasks due to an OOM condition caused by a scheduled log export using FTP to an external FTP server.
PAN-293511
Fixed an issue where renaming a BGP filtering profile in Panorama did not update the corresponding BGP peer group in the virtual router, leading to commit failures.
PAN-292980
Fixed an issue on the web interface where the Connected status for a User-ID agent in a non-User-ID Hub vsys displayed as blank if the same agent was also configured in a User-ID Hub vsys.
PAN-292770
Fixed an issue where, after reinstalling the device certificate, delayed telemetry data was displayed in AIOPS.
PAN-292539
(CN-Series firewalls only) Fixed an issue where the firewall generated incomplete or corrupted tech support files (TSF) due to high disk usage on the management plane.
PAN-292393
Fixed an issue where TFTP file transfers intermittently timed out in active-active HA pairs when the TFTP control channel was processed by one firewall and the data channel was processed by the other. This occurred because the firewall receiving the data channel failed to match the predicted session due to asynchronous processing of HA messages.
PAN-292344
Fixed an issue where, when upgrading from PAN-OS 10.2.9-h1 to PAN-OS 10.2.13-h5, the firewall rebooted repeatedly and entered maintenance mode.
PAN-292202
Fixed an issue where the system logs repeatedly displayed the alert Clearing snmpd.log due to log overflow due to the SNMP counters rolling over.
PAN-291973
Fixed an issue where the Advanced Routing Engine stopped responding when a route-map was configured to match on a metric with a value of 0.
PAN-291945
Fixed an issue on PA-5220 firewalls where denied traffic logs incorrectly displayed a byte count of 0. This occurred because the bytes_sent value was stored in the most significant bits of u_bytes_sent, resulting in a zero value when a small value was assigned to u_bytes_sent.
PAN-291824
Fixed an issue where the firewall_action was incorrectly set to '1' in DNS Security request telemetry, causing a mismatch between the DNS Security dashboard in AIOps and the threat logs on the firewall. This resulted in inaccurate reporting of allowed DNS requests for Malware, C2, Dynamic DNS, Parked, and Proxy categories in AIOps.
PAN-291716
Fixed an issue where PA-460 firewalls experienced out-of-memory (OOM) conditions, leading to device crashes and reboots.
PAN-291631
(VM-Series firewalls only) Fixed an issue where the firewall frequently rebooted.
PAN-291593
(Firewalls in active/passive HA configurations only) Fixed an issue where, when the passive firewall was down and the idmr process was reset, the firewall generated the system log User-ID manager was reset. Commit is not required to reinitialize User-ID, even though the idmr process restart was not successful.
PAN-291499
(VM-Series firewalls on Amazon Web Services (AWS) environments only) Fixed an issue where newly deployed firewalls were unable to connect to the Strata Logging Service (SLS) until after a reboot, license fetch, or management server restart.
PAN-291456
Fixed an issue where the custom completer for device groups and templates received the device group name and template name from the running configuration instead of the candidate configuration.
PAN-291288
Fixed an issue where the firewall rebooted unexpectedly due to a pan_task process restart related to page allocation failures.
PAN-291174
Fixed an issue where Real Time Streaming Protocol (RTSP) video streams did not work when connected through GlobalProtect due to the firewall blocking 200 OK responses. This occurred because of incorrect NAT translations for the 200 OK message from the server.
PAN-291124
(Firewalls with multi-vsys enabled only) Fixed an issue where an XML API call to get the running Security policies returned only the first Security policy.
PAN-290996
Fixed an issue where SNMP walks returned a value of 0 for the CPS (Connections Per Second) per vsys on firewalls after upgrading to PAN-OS 11.1.6-h3, even when active connections were present.
PAN-290803
(VM-Series firewalls on Microsoft Azure environments only) Fixed an issue where the firewall failed to bootstrap with a custom image, and VM-Series plugin information was not displayed in the system information.
PAN-290449
Fixed an issue where, when multiple scheduled vulnerability reports were sent in the same email, only the first attached report was displayed.
PAN-290455
Fixed an issue where the Pprof path was missing in the logrcvr script, which prevented the conversion and decoding of addresses in the resulting stack when running Pprof against Logrcvr.
PAN-290191
Fixed an issue where BGP learned routes were not advertised when Legacy Routing was used and an export policy was configured to match the next hop of the learned route.
PAN-290117
(Firewalls in active/passive HA configurations only) Fixed an issue with high dataplane CPU utilization on both active and passive firewalls.
PAN-290088
Fixed an issue where a memory leak occurred related to the configd process when pushing configurations from Panorama to a firewall. This occurred when the configurations contained shared policy rules.
PAN-290074
Fixed an issue where IPv6 URLs were incorrectly categorized as private-ip-addresses even if the URL had a valid category. This occurred because the firewall did not check for IPv6 addresses when determining if an IP address was private.
PAN-289895
Fixed an issue where, when SSL decryption was enabled, traffic matching a deny rule was incorrectly allowed until the SSL handshake was complete.
PAN-289763
(PA-5400f firewalls only) Fixed an issue where SD-WAN SaaS monitoring did not work with URL monitoring.
PAN-289714
(Prisma Access only) Fixed an issue where persistent commit failures occurred due to a missing transformation script when downgrading from PAN-OS 10.2.0 to PAN-OS 10.1.0.
PAN-289706
Fixed an issue where the authd process crashed intermittently on VM-Series firewalls due to authentication sequence failures. The crashes occurred during memory management operations within a library while releasing memory to its central cache.
PAN-289573
Fixed an issue on Panorama where the web interface became unresponsive when attempting to edit the Allow traffic to specified FQDN when Enforce GlobalProtect Connection for Network Access setting in a GlobalProtect portal configuration after adding 40 or more FQDN entries.
PAN-289405
(VM-Series firewalls only) Added the CLI command no-refresh-discard-session to address an issue where the discarded session time to live (TTL) did not refresh at the default value.
PAN-289320
Fixed an issue where External Dynamic List (EDL) entries for predefined lists were not visible in Panorama when logged in with a SuperUser Read-Only role.
PAN-289301
Fixed an issue on the Panorama web interface where a template name or device group name displayed invalid text.
PAN-289268
Fixed an issue where internet access through Secure Web Gateway (SWG) proxy nodes did not work when the default internet access policy rule source user was not known-user.
PAN-289239
Fixed an issue on Panorama where a new virtual system (vsys) was automatically created with the name of a device group.
PAN-289226
(Firewalls in HA active/passive configurations only) Fixed an issue where the firewalls experienced high dataplane CPU use when NAT64 was enabled. This occurred due to NAT64 traffic not being offloaded and unnecessary HA session updates being sent for every NAT64 packet.
PAN-288929
Fixed an issue where the preferred_wnd value provided by CTD (Content Threat Detection) was disregarded due to TCP bandwidth estimation, which prevented the window from closing.
PAN-288893
(Firewalls in multi-vsys configurations only) Fixed an issue where HTTP/2 traffic failed when one virtual system (vsys) had a decryption policy rule enabled and another vsys had a no-decrypt policy rule for the same session.
PAN-288768
Fixed an issue where the PA-5450 firewall did not set the Restart Bit (R-bit) in the BGP OPEN message when graceful restart was enabled. This caused BGP sessions with Cisco Nexus devices to fail to restart, which resulted in the TCP connection being closed.
PAN-288731
Fixed an issue where the firewall incorrectly allowed traffic for certain applications when no decryption policy rule was configured.
PAN-288726
Fixed an issue where the useridd process stopped responding due to a Security policy rule ID being set to 0, which caused the last configuration retrieval to fail.
PAN-288598
Fixed an issue where Panorama exported the serial number of a managed collector instead of the collector name when exporting a PDF or CSV file.
PAN-288432
Fixed an issue where, when Advanced Routing Engine was enabled on firewalls configured with multiple logical routers, static routes were preferred over eBGP routes even though the static routes had a higher administrative distance.
PAN-288427
Fixed an issue on Panorama where commit jobs were not queued and the system reported that the useridd was not connected.
PAN-288363
Fixed an issue where the MIB ID returned an incorrect value via SNMP.
PAN-288254
Fixed an issue where the dataplane CPU usage percentage was displayed as lower than it was on the firewall web interface, SCM, and other monitoring tools.
PAN-288158
(VM-Series firewalls only) Fixed an issue where the firewall became inaccessible via the web interface and SSH and remained in an initializing state.
PAN-287936
Fixed an issue where the Panorama web interface incorrectly displayed the checkbox as enabled for SHA1.
PAN-287921
(VM-Series firewalls only) Fixed an issue where the maximum registered IP address for was incorrectly set to 100,000 instead of the expected 500,000.
PAN-287842
Fixed an issue where the comm process stopped responding due to missing heartbeats, which resulted in a system alert and HA communication loss on slot1.
PAN-287838
(Panorama appliances only) Fixed an issue on the web interface where resetting the rule hit counter for multiple policy rules failed with the error message Failed to reset rule-hit job.
PAN-287818
Fixed an issue where sessions timed out sooner than expected due to the pan_proxy_accumulation_restore_timeout not initiating when the accumulation session_init failed.
PAN-287734
Fixed an issue where the error message Scan ERR: Internal Err 1002 was generated unexpectedly when WIF shared memory use was high.
PAN-287601
Fixed an issue on Panorama where commits took longer than expected.
PAN-287392
Fixed the issue on the web interface where ACC graphs displayed No data to display when a filter was applied to Source IP or Destination IP.
PAN-287314
Fixed an issue with firewalls in active/passive HA configurations where an OOM condition occurred and caused a failover due to a memory leak associated with the logrcvr process.
PAN-287154
Fixed an issue on the firewall where the show advanced-routing bgp loc-rib-detail CLI command incorrectly displayed no BGP route when multiple BGP peers were enabled. With this fix, the CLI command requires a peer name to be specified to display local RIB details.
PAN-287086
Fixed an issue where PA-3420 firewalls experienced unexpected reboots due to the all_task_7 process crashing with signal 6, leading to a non-functional state.
PAN-287056
Fixed an issue where BGP export policy rules with next-hop matching failed to block the advertisement of static routes, and the firewall incorrectly matched the egress interface IP address instead of the original next-hop IP address of the static route, which caused the deny rule to fail.
PAN-287035
Fixed an issue where, when an application stopped responding, a large file was created in the /opt/panlogs directory, which caused the partition to fill up.
PAN-287034
Fixed an issue where sequence numbers were skipped for all types of logs on the firewall due to audit logs being generated but not written to disk when Audit Tracking was enabled.
PAN-287023
Fixed an issue where a large number of logs caused the logrcvr process to stop responding.
PAN-286922
Fixed an issue where user-to-IP address mappings were not available on the dataplane for User-ID, which prevented the enforcement of user-based Security policy rules. This was due to the firewall not validating the timestamp of mappings received from certain User Identification Agent (UIA) agents before adding them to the dataplane.
PAN-286899
Fixed an issue where the device-group-tags CLI command used an unnecessary configuration read lock.
PAN-286832
(VM-Series firewalls in AWS environments only) Fixed an issue where the firewall did not send an ICMP unreachable - Fragmentation Needed message when it received packets larger than the MTU.
PAN-286818
Fixed an issue where closing an SSH session to a Panorama using Ctrl+D did not generate a log message in the system logs, and the session remained in an idle state for 60 minutes before being automatically terminated.
PAN-286735
Fixed an issue where the firewall did not automatically enable the telemetry feature.
PAN-286734
(PA-5450 firewalls only) Added uplink counters to enhance debug capability for traffic drops.
PAN-286615
Fixed an issue where the firewall double-freed shared memory when the shared memory usage reached 100% when sending large payloads. This occurred when DLP, Advanced Threat Protection (ATP), Advanced WildFire (AWF), or Advanced URL Filtering were enabled.
PAN-286555
Fixed an issue where PA-VM-Flex firewalls bootstrapped in an air-gapped environment did not display premium partner and threat prevention licenses.
PAN-286534
Fixed an issue where a multi-vsys firewall was unable to retrieve address groups and address objects pushed from Panorama as shared objects when using the REST API.
PAN-286492
Fixed an issue on Panorama where logs were not forwarded to syslog servers due to missing CLI options to configure the syslog queue size and threads.
PAN-286306
Fixed an issue where, when getting transceiver information from ESCC for SFP 25G modules, the transceiver code was incorrectly updated with Unknown instead of 25GBase-SR.
PAN-286299
Fixed an issue on firewalls running PAN-OS 11.1 releases where, after being offboarded from Panorama, the firewall XML configuration file retained template information from the previous Panorama configuration. As a result, when the firewall and its configuration were imported to another Panorama appliance, all configurations in the Network and Device tabs became read-only.
PAN-286297
Fixed an issue where the firewall did not respond to ARP requests when a subinterface was configured with source address translation using the Translated Address option.
PAN-286296
Fixed an issue where the Prisma Access gateway experienced process restarts and system reboots.
PAN-286231
Fixed an issue where a simultaneous selective push from Panorama to multiple firewalls with different base configurations resulted in configuration corruption, which caused the firewall to go down.
PAN-286180
(Firewalls in HA configurations only) Fixed an issue where, after a failover, an SSH decryption caused a mismatch in the host key, which resulted in a warning message. This issue occurred because the SSH tunnel keys were not synchronized between the active and passive firewalls.
PAN-286094
Fixed an issue where the firewall did not forward logs to SLS when using a proxy server configuration due to an OCSP validation failure.
PAN-285623
Fixed an issue where the configd process restarted and generated a core file during an HA sync commit job. This occurred when the firewall was in the HA passive state.
PAN-285298
Fixed an issue where the firewall became unresponsive when the show user user-ids user all CLI command was executed repeatedly on large scale LDAP group mappings, and you were unable to connect to the gateways with the error message The network connection is unreachable or the gateway is unresponsive. Check the network connection and reconnect.
PAN-285285
Fixed an issue where commits remained at 98% completion when static route configuration cleanup was in progress.
PAN-284968
Fixed an issue where the dnsproxy process stopped responding when enabling the AutoVPN feature from the Software-Defined Cloud Management (SD-WAN) console.
PAN-284907
Fixed an issue where the Panorama web interface displayed No Data when viewing configuration logs to see changes before and after a configuration change.
PAN-284801
Fixed an issue where the OpenConfig plugin was automatically installed on VM Panorama and firewalls after upgrading.
PAN-284717
Fixed an issue where a PBF (Policy Based Forwarding) policy rule using an AE (Aggregate Ethernet) interface configured with DHCP as the egress interface incorrectly transitioned to an active state after a commit operation, even when the DHCP lease had expired and the interface had no assigned IP address.
PAN-284380
Fixed an issue where committing a custom report in Panorama incorrectly generated a pending push to devices.
PAN-284184
(VM-Series firewalls with Advanced Routing Engine enabled only) Fixed an issue where the frr_ns2_bgpd process repeatedly restarted after committing a configuration that included the same route-map in both the exist and non-exist clauses of a conditional advertisement or when the same route-map was used in both the Advertise-out and conditional exist out map configurations.
PAN-284117
(Panorama appliances in Log Collector mode only) Fixed an issue where the vm_agent process restarted after an upgrade.
PAN-284090
Fixed an issue where GlobalProtect (GP) portal authentication for satellites using RADIUS authentication failed due to the authentication timeout value being set to 0.
PAN-284073
Fixed an issue on the firewall that caused commits to fail and the web interface to become inaccessible.
PAN-284003
Fixed an issue where clients did not receive a valid response when searching a website due to a compression error.
PAN-283864
Fixed an issue where DNS Security Category exceptions created with DNS category UTID were not ignored.
PAN-283644
(Prisma Access only) Fixed an issue where URL log ingestion decreased after an upgrade, and secondary connections were lost.
PAN-283613
Fixed an issue on the web interface where the IP Tag Quota(%) value displayed as 2 even when changed.
PAN-283333
Fixed an issue where threat logs displayed logs from the N/A threat category when a random string was used for the category-of-threatid filter in threat logs.
PAN-283316
Fixed an issue where a software download job reported a completion timestamp that occurred before the software loading process was finished.
PAN-283304
Fixed an issue where the OSPFv3 area nssa default-information-originate CLI command was not applied due to a configuration error in the backend advanced-routing stack.
PAN-283206
Fixed an issue where configuring an HTTP profile to send Webhook alerts to Microsoft Teams failed with a 400 Bad request error when clicking Send Test Log.
PAN-282961
Fixed an issue where the firewall rebooted unexpectedly after a commit due to a memory leak related to the rasmgr process and displayed the error message Management server failed to send phase 1 to client l2ctrld before rebooting.
PAN-282578
Fixed an issue where ping commands from both the management plane and dataplane interfaces incorrectly prioritized IPv6 addresses over IPv4 addresses, even when IPv6 was disabled. This caused connectivity issues when pinging FQDNs that resolved to IPv6 addresses.
PAN-282571
Fixed an issue where the Border Gateway Protocol (BGP) established time was displayed inaccurately due to a 32-bit counter wrapping issue.
PAN-282554
Fixed an issue where GlobalProtect clients on macOS devices failed to connect when the device name used a newline character.
PAN-282533
Fixed an issue where firewalls in air-gapped environments attempted to connect to a Google IP address for Machine Learning AV (MLAV) functionality, even when MLAV was not licensed or configured.
PAN-282277
Fixed an issue where an OOM condition on the logrcvr process caused interface flapping, and the interface unexpectedly went down and then recovered without intervention.
PAN-281882
Fixed an issue where OSPF redistributed connected routes beyond the intended loopback IP address.
PAN-281725
Fixed an issue where, after upgrading to a higher version of PAN-OS 10.2, the devsrvr process crashed during autocommit on both PA-Series and VM-Series firewalls. This occurred specifically when parsing an SSL/TLS service profile for a captive portal that was missing the max-version configuration, leading to a null pointer dereference. The firewall would attempt four autocommits, all of which would fail with a Client device registered in the middle of a commit/validate error before the devsrvr process crashed and the firewall rebooted into maintenance mode.
PAN-281681
Fixed a rare issue where the logrcvr process stopped responding, which caused the devsrvr process to restart.
PAN-281540
Fixed an issue where the logd process repeatedly restarted when the SD-WAN site name was over 31 characters and contained certain XML escape characters.
PAN-281509
(Panorama appliances only) Fixed an issue where log exports were slower than expected or failed when filtering logs after an upgrade, which resulted in timeouts or delays in displaying logs on the web interface.
PAN-281488
Fixed an issue where searching configuration logs for an audit_uuid did not return a result if the rule was created with a clone operation.
PAN-281294
Fixed an issue where, after an authd process restart, the username, password, and source IP address displayed in plain text on the console when attempting to log in via the web interface.
PAN-281269
(PA-5420 firewalls) Fixed an issue where the firewall management server memory usage continuously increased.
PAN-281264
Fixed an issue where the routed process memory usage continuously increased when Advanced Routing was enabled.
PAN-281198
Fixed an issue on Panorama managed firewalls where, when the service route configuration was set to VLAN as the source, attempting to import the variable CSV into the template resulted in the validation error Failed to parse variable configuration file. This issue occurred because the system incorrectly validated the VLAN interface name in the service route configuration within the template.
PAN-281017
Fixed an issue where shared objects were displayed in the Push Scope after pushing the configuration from Panorama to managed firewalls.
PAN-280725
Fixed an issue where the all_pktproc process repeatedly restarted, which caused dataplane failure and loss of connectivity, including PAN-DB URL resolution. This occurred after a commit push from Panorama and resulted in the firewall becoming non-functional due to internal path monitoring failure and configuration memory exhaustion.
PAN-280700
Fixed an issue where commits failed with the error invalid IPv6 x:x - must be global/link-local unicast when the management IPv6 address had a specific value.
PAN-280695
Fixed an issue where all data interfaces went down due to a Forward Error Correction (FEC) mode mismatch. The firewall defaulted to FEC Auto mode, while the peer Cisco switch was configured for FC-FEC.
PAN-280536
Fixed an issue where firewalls that were connected to the same Cloud Identity Engine displayed inconsistent group membership information, with some firewalls showing only a subset of users belonging to a group.
PAN-280013
Fixed an issue where User-ID custom reports were unable to exclude IP address 0.0.0.0 when using the filter ip notin 0.0.0.0.
PAN-279901
An issue was fixed where the firewall dropped fragmented TLS ClientHello packets, which blocked access to certain websites. This occurred because the packets arrived truncated, in varying sizes and orders, and the firewall's heuristics failed to handle them correctly.
To enable this fix, run: debug dataplane set ssl-decrypt accumulate-client-hello disjoined yes
PAN-279647
Fixed an issue where threat names were displayed differently on the web interface and the exported CSV file.
PAN-279584
Fixed an issue where, during software deployment from Panorama to multiple firewalls, some firewalls did not automatically reboot after the upgrade, even when Reboot device after install was selected. This was due to the Panorama timing out before the software deployment completed on the affected firewalls, which prevented the reboot request from being sent.
PAN-279500
Fixed an issue where TLS connections failed to establish in asymmetric routing environments if the firewall did not see server-to-client (s2c) packets of the TLS handshake.
To use this fix, run the following CLI command: debug dataplane set ssl-decrypt accumulate-client-hello asym-disable yes.
PAN-279195
Fixed an issue on Panorama where Device Health displayed the device memory as 0%.
PAN-279191
Fixed an issue where a GlobalProtect gateway stopped responding when handling HTTP/1.1 traffic with web inspection enabled.
PAN-278981
Fixed an issue where DNS domain resolutions experienced intermittent delays due to the firewall not connecting to the DNS Security cloud.
To use this fix, enable DNS monitoring on the dataplane via the CLI command debug dnsproxyd enable-rtsig-health-monitor yes.
To show the current setting, run the CLI command debug dnsproxyd enable-rtsig-health-monitor show. If the cfg.general.dns-rtsig-monitor-interval shows a non-zero value, DNS monitoring is enabled.
PAN-278812
Fixed an issue where authentication to GlobalProtect failed with the error message User not in allowed list.
PAN-278288
Fixed an issue where IPv6 BGP peering established between virtual routers even without dataplane connectivity. This occurred because the firewall used the kernel for lookups instead of the dataplane.
PAN-277987
(VM-Series firewalls in AWS environments only) Fixed an issue where HA failover mode incorrectly changed from interface move to secondary IP move after a reboot.
PAN-277971
Fixed an issue where the PA-5220 firewall reported inaccurate NetFlow statistics for DNS flows after upgrading to PAN-OS 10.2.13.
PAN-277629
Fixed an issue where the firewall did not match the correct policy for SSL forward decrypted HTTP/2 traffic when upgrading from PAN-OS 10.2.9-h1 to PAN-OS 11.2.3.
PAN-277162
Fixed an issue where random characters were added to the proxy_authorization in HTTP messages when the firewall accessed certain services through a configured proxy server. This caused proxy server authentication to intermittently fail.
PAN-277135
Fixed an issue where the firewall stopped responding when a DNS client closed or reset a TCP connection while the firewall was sending a response.
PAN-277086
Fixed an issue where the CLI output in JSON format displayed incorrect bracket patterns.
PAN-277034
Fixed an issue where WildFire reports were not fully displayed and were not downloadable due to static resources not being found.
PAN-277018
Fixed an issue where FTP data connections did not work for EPRT with Source IP + Port translation enabled on the firewall.
PAN-276961
Fixed an issue where adding an SD-WAN interface profile to an overridden interface on a template stack failed with an sdwan-interface-profile is invalid error.
PAN-276936
Fixed an issue where the CLI command syntax was incorrect when configuring the deviceconfig values from the Template Stack.
PAN-276862
Fixed an issue on Panorama where the logd process stopped responding unexpectedly.
PAN-276607
Fixed an issue where GlobalProtect users experienced DNS resolution timeouts when using Prisma Access.
PAN-276484
Fixed an issue where Panorama did not display license information for Cloud NGFW firewalls under (Device Deployment > Licenses) due to the inability to perform batch-license refreshes.
PAN-276276
(PA-450 firewalls only) Fixed an issue where, after an upgrade, data that was excluded using the query builder in a custom report was still visible in the report, and the logs displayed errors related to invalid threat names being queried.
PAN-276000
(Firewalls in HA configurations only) Fixed an issue where the configd process and mgmtsrvr process restarted daily when processing a show rule-hit-count CLI command to retrieve Security policy rules for vsys1.
PAN-275272
Fixed an issue where a dataplane restart was not triggered as expected when an internal packet path monitoring failure occurred.
PAN-275026
Fixed an issue where you were unable to adjust the frequency of the Advanced Cloud Explorer (ACE) cloud fetch via the CLI.
PAN-274207
Fixed an issue where Global Search did not redirect correctly to routing profiles when searching for their names.
PAN-274086
Fixed an issue where the firewall incorrectly assembled SIP NOTIFY and REFER messages when processing SIP TCP packets that contained a partial content-body from a previous SIP message and a complete header and content-body from the next SIP message.
PAN-274064
Fixed an issue on Panorama where the request batch license info CLI command displayed entries for devices that were no longer attached to Panorama.
PAN-274038
Fixed an issue where you were unable to use the s_encrypted field in custom reports for the Panorama threat log database.
PAN-273991
Fixed an issue where the transmit power for a cable that was used on port 44 displayed as N/A.
PAN-273028
Fixed an issue where manual SCP exports from firewalls in FIPS mode were successful to SCP servers that were not FIPS-compliant. This occurred because the manual SCP process did not enforce FIPS security checks.
PAN-273010
Fixed an issue where the configuration version did not increment in the Audit Comment Archive after making changes to the Security policy rule with an audit comment and performing a commit. As a result, all subsequent changes were grouped under the same configuration version, which prevented the comparison of changes in the Rule Changes field of the Security policy rule.
PAN-272731
Fixed an issue on Panorama where commits took longer than expected due to the show object dynamic-address-group all CLI command holding the devicetable lock for an extended period.
PAN-272539
(Panorama appliances on Microsoft Azure environments only) Fixed an issue where user to IP address mapping was missing for some users connected to specific Prisma Access gateways, which caused the collection layer Azure firewall to not form the mapping.
PAN-272245
Fixed an issue where the dnsproxy process crashed due to memory corruption caused by a race condition when the allow list download was impacted by a configuration change.
PAN-271637
Fixed an issue where the firewall did not increase the metric of the default route when redistributed into OSPF when the firewall was configured as an NSSA ABR.
PAN-271560
Fixed an issue where DNS requests to malware sites were not blocked as expected, and the dns-security-categories log-level and action displayed default values instead of unavailable.
PAN-271498
(PA-7000 Series firewalls, PA-5200 firewalls, and PA-5400f firewalls in FIPS mode only) Fixed an issue where decrypted traffic repeatedly failed and frequent reboots were required.
PAN-271440
Fixed an issue where the message PublicCloud Server certificate validation failed. Dest Addr: (null), Reason: self signed certificate in certificate chain was generated as a high alert in the system log every 5 minutes.
PAN-271412
Fixed an issue where the character ( + ) in the authentication message prompt displayed incorrectly as #43; on the GlobalProtect client after upgrading to a PAN-OS 10.2 release.
PAN-271345
Fixed an issue where the byte size reported in traffic logs differed from the byte size reported in Enhanced Application Logs (EAL) logs.
PAN-271204
Fixed an issue where performing a factory reset caused the firewall to enter a continuous boot loop due to a failure in generating the global.xml configuration file.
PAN-271181
Fixed an issue where committing changes to Advanced Routing and redistribution profiles failed while pushing the configuration from SCM.
PAN-271151
Fixed an issue where the GlobalProtect client did not automatically initiate a Kerberos SSO connection after logging in to Windows.
PAN-270744
Fixed an issue where API calls to Panorama failed with the error Server error : Timed out while getting config lock. Please try again.
PAN-269843
Fixed an issue where the firewall dropped non-SYN TCP packets even when the Reject non-SYN TCP option was set to No when a session rematch was triggered.
PAN-269812
Fixed an issue where the devsrvr process stopped responding, which caused the firewall to restart repeatedly.
PAN-269445
Fixed an issue where the show user ip-user-mapping all option detail XML API command did not show the complete output.
PAN-269342
Fixed an issue where BGP aggregate routes with the AS-SET option enabled had incorrect AS paths.
PAN-269191
(VM-Series firewalls only) Fixed an issue where the aggressive clean-up threshold for disk space was set to 95% in system monitor.
PAN-269176
Fixed an issue where the domain-edl column was empty in the threat log even when a threat was detected as a DNS alert.
PAN-269155
Fixed an issue where an OOM condition occurred, which caused processes to stop responding.
PAN-269057
Fixed an issue where the routed process stopped responding due to accessing freed memory from a hash table when the route vectors were resized. This occurred when a large number of static routes were configured.
PAN-269051
Fixed an issue where, when using WildFire Private Cloud, the system log displayed the error message tls-X509-validation.
PAN-268787
Fixed an issue where users were unable to log in to Panorama and the following error message was displayed: Timed out while getting config lock. Please try again. This occurred when pushing configurations to a large number of devices.
PAN-268425
Fixed an issue where the execute show transceiver-detail all XML API command returned an incorrect value for the low temperature alarm threshold.
PAN-267614
Fixed an issue where the Panorama web interface was slower than expected due to high CPU utilization on the mongodb process.
PAN-267450
Fixed an issue where the reportd process stopped responding with a SIGSEGV at schedule_report_es_response.
PAN-267330
Fixed an issue where the firewall dropped inbound RTP traffic after using Webex Screen Sharing due to the firewall removing the NAT cache when the predict timed out, which caused a new NAT to be established that conflicted with existing sessions. To use this fix, run the CLI command set system setting ctd h323_rtp_predict timeout <120-3600> to increase the timeout limit.
PAN-266776
Fixed an issue where virtual machine interfaces displayed unknown for speed and duplex in the CLI and web interface.
PAN-266569
(PA-5450 firewalls only) Fixed an issue where the useridd process repeatedly restarted.
PAN-266116
Fixed an issue where URLs did not work due to certificate revocation list (CRL) requests failing.
PAN-265140
(PA-7000B Series firewalls with NPCs only) Fixed an issue where the gearbox on the NPC took multiple retries to get the NIF link up.
PAN-264982
(VM-Series firewalls on Kernel-based Virtual Machine (KVM) only) Fixed an issue where the firewall entered maintenance mode after an auto-commit when sending an ARP packet through the loopback interface using an IPv6 address.
PAN-264725
Fixed an issue where Auto Quarantine did not work when simplified logging was enabled.
PAN-264131
Fixed an issue where the routed process core failed the automation run.
PAN-263691
Fixed an issue where the firewall rebooted unexpectedly due to a memory leak in the all_task process.
PAN-263504
Fixed an issue where exporting managed device information from Panorama in CSV format included extraneous characters.
PAN-262373
Fixed an issue where the error message Failed to reload config files displayed in the system logs even when device telemetry was not enabled.
PAN-260790
Fixed an issue where the bytes transmitted and packet transmitted counters for hardware interfaces incorrectly displayed as 0 after a restart of slot-1.
PAN-260661
Fixed an issue where daily email reports generated from the custom report did not display the report details in PDF or CSV files.
PAN-260186
Fixed an issue where Panorama pushed content to devices that did not have a Threat Prevention license.
PAN-259343
Fixed an issue on the Panorama web interface where the Configuration tab did not accurately display changes made to URL filtering profiles.
PAN-259284
Fixed an issue where IPv4 BGP routes were not included in the routing table or FIB of a virtual router when ECMP was configured with more than two next hops.
PAN-257616
Fixed an issue where selective push operations from Panorama to managed firewalls failed with the error message Failed to generate selective push configuration. Schema validation failed. Please try a full push.
PAN-257074
Fixed an issue on the Panorama web interface where the template sync status showed Out-of-Sync for managed devices after a combined commit-all operation. This occurred due to Panorama sending the default MD5 sum of the template to the firewall instead of the correct MD5 sum.
PAN-255790
Enabled crash kernel to capture the PAN-OS state when a kernel panic occurred.
PAN-254904
Fixed an issue on Panorama where a core file was generated by /usr/local/bin/logd during a restart.
PAN-252706
Fixed an issue where the URL filtering response page for Continue and Override did not work with IPv6 Router Advertisement (RA) or Multicast Listener Query (MLQ) for IPv6-to-IPv6 and IPv6-to-IPv4 traffic.
PAN-252699
Fixed an issue where frequent session failures occurred due to CTD resource exhaustion.
PAN-246945
Fixed an issue where a static route was removed from the route table when path monitoring was enabled.
PAN-245064
(Multi-vsys firewalls only) Fixed an issue where commits failed on the firewall after selecting Export or push device config bundle on Panorama and a force push was required.
PAN-244901
Fixed an issue where multi-download operations failed.
PAN-244628
(Panorama virtual appliances in Microsoft Azure environments only) Fixed an issue where, when a VM-Series firewall was registered to Panorama, the Panorama server failed to re-attempt pushing Dynamic Address Groups updates to the firewall if the initial push failed due to a temporary disconnection, which resulted in blocked traffic.
PAN-243773
Fixed an issue where the DHCP server stopped responding with the error IP address is already in use.
PAN-242602
Fixed an issue where GlobalProtect clients experienced slow SMB-V3 download throughput when passing through a Prisma IPSec tunnel and the firewall, and the SMB-V3 session owner dataplane was the same as the IPSec-ESP tunnel on the multi-dataplane firewall.
PAN-241887
Fixed an issue where log usernames were truncated, which caused users to be identified improperly on predefined SaaS reports.
PAN-241536
Fixed an issue on Panorama where admin users with the Custom Panorama Admin role were unable to add, edit, or delete route filters under Routing Profiles.
PAN-239012
Fixed an issue where deleting a route entry from Advanced Routing using the gRPC API could unintentionally delete other routes. Running multiple attempts with broad XPATH queries could potentially match and delete unintended route records.
PAN-232802
Fixed an issue where the all_task process repeatedly restarted, which caused dataplane restarts on traffic disruption.
PAN-231386
Fixed an issue where the configd process stopped responding during certificate verification.
PAN-222938
Fixed an issue where no default route was installed on the firewall because a static IPv6 default gateway was specified on the management interface with a dynamic IPv6 address.
PAN-221137
Fixed an issue where the CLI command to set the target virtual system accepted a non-existent virtual system name, and the CLI prompt incorrectly changed to the non-existent virtual system.
PAN-220293
Fixed an issue where the firewall management plane could not display BGP peer details when using the CLI command show advanced-routing bgp peer detail logical-router <LR>. This was due to the bgp_frr.py script failing to parse the IPv6 address family section of the show ip bgp neighbors json output.
PAN-210828
Fixed an issue where using XML API to create Security policy rules with an incorrectly set parameter caused the firewall dha and devsrvr processes to stop responding.
PAN-210501
Fixed an issue where hardware interface counters read from the CPU did not increment for member interfaces after a Link Aggregation Control Protocol (LACP) bundle was formed in an aggregate ethernet interface.
PAN-202905
Fixed an issue on the firewall web interface where the Next Hop value was not displayed in the static route configuration, the admin-dist values were empty, and the path-monitor parameters were not listed in the management server web interface when the firewall was configured in FRR mode.
PAN-191026
Fixed an issue where the debug log receiver statistics CLI command did not display entries for hipmatch logs.
PAN-174038
Fixed an issue on firewalls with SD-WAN policy rules and GlobalProtect gateway configurations where enabling GlobalProtect on a loopback interface caused IPSec tunnel traffic from the gateway to the client to drop intermittently.