Fixed an issue where configuration changes made in Panorama and pushed to the firewall were not reflected on the firewall.

Fixed an issue where the web interface was slower than expected when logging in, committing, and pushing changes after upgrading to PAN-OS 10.2.7.

Fixed the following device certificate issues:

The firewall was unable to automatically renew the device certificate-Fetching device certificates failed incorrectly with the error message
OTP is not valid
.
Firewalls disconnected from Cortex Data Lake after renewing the device certificate.
The device certificate was not correctly generated on the log forwarding card (LFC).
WildFire cloud logs did not log thermite certificate usage status.

Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.

Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.

Fixed an issue where tabs in the

ACC

such as

Network Activity

Threat Activity

and

Blocked Activity

did not display data when you applied a

Time

filter of

Last 15 Minutes

,

Last Hour

,

Last 6 Hours

, or

Last 12 Hours

, and the data that was displayed with the

Last 24 Hours

filter was not accurate. Reports that were run against summary logs also did not display accurate results.

Fixed an issue where the ikemgr process crashed due to an IKEv1 timing issue, which caused commits to fail with the following error message:

Client ikemgr requesting last config in the middle of a commit/validate, aborting current commit

.

Fixed an issue where the

AddrObjRefresh

job failed when the useridd process restarted.

Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.

(

PA-220 firewalls only

) Fixed an issue where an unused plugin incorrectly used memory.

(

Panorama appliances in FIPS-CC mode only

) Fixed an issue where the Elasticsearch cluster did not come up, and the

show log-collector-es-cluster health

CLI command displayed the status as red. This caused log ingestion issues for Panorama appliances in Panorama mode or Log Collector mode.

When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.

Fixed an issue where, after upgrading and rebooting a Panorama appliance in Panorama or Log Collector mode, managed firewalls continuously disconnected.

Fixed an issue where cookie authentication did not work for GlobalProtect when an authentication override domain was configured in the SAML authentication profile.

(

PA-220 Series firewalls only

) Fixed an issue where multiple dataplane processes stopped responding after an upgrade.

Fixed an issue where data was not thread safe and led to concurrent read/write issues that caused GPSVC to stop working unexpectedly.

Fixed an issue with Virtual Wire links on firewalls in active/active HA configurations where the forwarding path was not preserved in HTTP/2 cleartext traffic with asymmetric routing.

Fixed an issue where content updates failed with the error message

Unable to get key pancontent-8.0.pass from cryptod. Error -9

.

Fixed an issue in FIPS mode where, when importing a certificate with a new private key, and the certificate used the name of an existing certificate on the Panorama, the following error message was displayed:

Mismatched public and private keys

.

(

PA-7000 Series firewalls only

) Fixed an issue where internal path monitoring failed due to a heartbeat miss.

Fixed an intermittent issue where HTTP/2 traffic caused buffer depletion.

(

Panorama managed firewalls in active/active HA configurations only

) Fixed an issue where the HA (high availability) status displayed as

Out of Sync

(

Panorama > Managed Devices > Health

) if local firewall configurations were made on one of the HA peers. This caused the next HA configuration sync to overwrite the local firewall configuration made on the HA peer.

Fixed an issue where the

userID-Agent

and

TS-Agent

certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.

Fixed an issue where user authentication failed in multi-vsys environments with the error message

User is not in allowlist

when an authentication profile was created in a shared configuration space.

Fixed an issue where packets queued to the pan_task process were still transmitted when the process was not responding.

Fixed an issue where the logrcvr process stopped responding after upgrading to PAN-OS 10.1.