Fixed an issue where selective push operations did not work when more than one admin user simultaneously performed changes and partial commits on Panorama.

Fixed an issue where the configd process stopped responding when performing multidevice group pushes via XML API.

Fixed an issue where failover was not triggered when multiple processes stopped responding.

Fixed an issue where the returned values to SNMP requests for data port statistics were incorrect.

Fixed an issue where the managed collectors health status on Panorama displayed as empty.

Fixed a memory limitation with mapping subinterfaces to VPCE endpoints for GCP IPS, Amazon Web Services (AWS) integration with GWLB, and NSX service chain mapping.

Fixed an issue on Panorama appliances in active/passive HA configurations where managed devices displayed as out-of-sync on the passive appliance when peer configuration changes were made to the SD-WAN configuration on the active peer.

Fixed an issue where a custom based non-Superuser was unable to push to firewalls.

Fixed an issue where selective push did not work.

Fixed an issue where scheduled email reports failed if the @ symbol before the mail client was missing.

Fixed an issue where the all-task process repeatedly restarted during memory allocation failures.

(PA-410 firewalls only) Fixed an issue where system and configuration logs sent from the firewall to Panorama contained the serial number field instead of the firewall device name.

Fixed an issue where creating more than one address object in the same XML API request resulted in a commit error.

Fixed an issue where configuration commits were successful even when dynamic peer IKE gateways configured on the same interface and IP address that did not have the same IKE Crypto profile.

Fixed a kernel panic caused by a third-party issue

Fixed an issue where fan speed increased significantly after upgrading the firewall.

Fixed an issue where the vldmgr process incorrectly restarted during an Elasticsearch restart.

Fixed an issue where authentication failed on web-based GlobalProtect portal.

Fixed an issue where configuration changes made in Panorama and pushed to the firewall were not reflected on the firewall.

Fixed an issue where, when explicit proxy was configured on the firewall, websites loaded more slowly than expected or did not load due to DNS using TCP.

Fixed an issue where Panorama went into maintenance mode due to a GlobalProtect quota configuration that was under the minimum required quota.

Fixed an issue where SNMP scans to the firewall took longer than expected and intermittently timed out.

Fixed an issue where the SWG proxy did not accept new connections.

Fixed an issue where ARP entries were unable to be completed for subinterfaces with SNAT configured.

Extended the root certificate for WildFire appliances to December 31, 2032.

Fixed an issue where the following Prisma Access SWG proxy upstream error was displayed when you attempted to access the proxy: disconnect / reset before headers: reset reason: overflow.

Fixed an issue where the web interface was slower than expected when logging in, committing, and pushing changes after upgrading to PAN-OS 10.2.7.

Fixed a memory corruption issue where multiple processes stopped responding.

Fixed an issue where a memory leak caused multiple processes to stop responding when VM Information Sources was configured.

Fixed an issue where the HA3 link status remained down when updating the HA3 interface configuration when the AE interface was up.

Fixed an issue where DNS resolution failure from the LFC resulted in WildFire public cloud connectivity failure.

Fixed an issue where log collectors stopped responding when gathering reports from Panorama.

Fixed an issue where the routed process created excessive logs in the log file.

Fixed an issue where Config Push Scheduler > Admin scope changed to an admin ID instead of a 0 value, which caused a scheduled configuration push to work as a Selective push instead of a Full push.

Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.

Fixed an issue with firewalls in active/passive HA configurations where the passive firewall displayed the error message Unable to read QSFP Module ID when the passive link state was set to shutdown.

Fixed an issue where firewalls generated link-change system logs for SFP ports even when no cable was connected to the ports.

Fixed an issue where, when deleting CTD entries, the all_pktproc process stopped responding which resulted in dataplane failure.

Fixed an issue where the Traffic log displayed 0 bytes for denied sessions.

Fixed an issue where Panorama stopped redistributing IP address-to-username mappings when packet loss occurred between the distributor and the client.

(PA-1420 firewalls only) Fixed an issue where the all_task process stopped responding, which caused the firewall to become unresponsive.

Fixed an issue on firewalls in HA configurations where unexpected failovers occurred.

Fixed an issue where the configd process stopped responding due to a deadlock related to rule-hit-count.

Fixed an issue where, after a configuration push from Panorama to managed firewalls, the status displayed as None and the push took longer than expected.

Fixed an issue where the brdagent process stopped responding due to a sudden increase in logging to the bcm.log.

Fixed an issue where you were not prompted for login credentials when you disconnected and connected back to the GlobalProtect portal when SAML authentication was selected along with single sign-on (SSO) and Single Log Out (SLO).

Fixed an issue where uploads from tunnels, including GlobalProtect, were slower than expected when the inner and outer sessions were on different dataplanes.

Fixed an issue where Threat logs from different Security zones were aggregated into one log.

Enhanced wifclient cloud connectivity redundancy.

Fixed an issue where disk space became full even after clearing old logs and content images.

(VM-Series firewalls only) Fixed an issue where the firewall sent packets to its own interface after configuring NAT64.

Fixed an issue where, when a Layer 2 interface that was a member of a VLAN was down, all traffic transmitted over the VLAN was dropped.

Fixed an issue with the firewall web interface where local SSL decryption exclusion cache entries were not visible.

Fixed an issue where the firewall displayed incorrect interface transfer rates when running the CLI command show system state filter-pretty sys.s1.px with a filter.

Fixed an issue where the ikemgr process crashed due to an IKEv1 timing issue, which caused commits to fail with the following error message: Client ikemgr requesting last config in the middle of a commit/validate, aborting current commit.

Fixed an issue where a Security policy that referenced more than 30 HIP Profiles caused buffer overflow, which caused other Security policies with HIP Profiles to misidentified users and traffic was denied.

Fixed an issue where the firewall incorrectly blocked URLs even when they matched the custom category.

Fixed an issue on multi-core firewalls where the firewall displayed packets out of order when capturing packets on the transmit stage.

(PA-5450 firewalls only) Fixed an issue where the NAT private pool was not used properly when enabling slot 6 DPC.

Fixed an issue where enabling Jumbo frames resulted in software packet buffer depletion.

Fixed an issue with push and commit and push operations where the user was not correctly bound to the scope, which caused all device groups to be selected for a selective push.

(VM-100 firewalls only) Fixed an issue where commits failed due to the configuration memory limit.

Fixed an issue where commits failed due to large inbound inspection certificates that exceeded the buffer size of 4,096 bytes.

Fixed an issue where device group and template administrators with access to a specific virtual system were able to see logs for all virtual systems via Context Switch.

Fixed an issue on Panorama where managed device templates and device groups took longer than expected to display in the Push to Devices window.

Fixed an issue where the X-Forwarded-For (XFF) IP address value was not displayed in Traffic logs.

Fixed an issue where the exclude-cache reason was incorrectly presented as TLS13_UNSUPPORTED instead of SSL_CLIENT_CERT.

(PA-5450 firewalls only) Fixed an issue where the Data Processing Card (DPC) restarted due to path monitor failure after QSFP28 disconnected from the Network Processing Card (NPC).

Fixed an issue where GENEVE encapsulated packets coming from a GFE Proxy mapped to an incorrect Security policy rule.

Fixed an issue where you were able to cancel the same commit repeatedly, which displayed the error message Cannot stop job <job> at this time.

Fixed an issue on firewalls in active/passive HA configurations where the passive firewall was unable to retrieve SDB data for locally inserted SFP transceivers.

Fixed an issue where critical disk usage for /opt/pancfg increased continuously and the system logs displayed the following message: Disk usage for /opt/pancfg exceeds limit, <value> percent in use.

Fixed an issue where the AddrObjRefresh job failed when the useridd process restarted.

(PA-5450 firewalls only) Fixed an issue where the interface on QSFP28 ports did not go down when the Tx cable was removed from the QSFP28 module.

(PA-5200 Series firewalls only) Fixed an issue where the First Packet Processor (FPP) did not acknowledge a query to find the owner for fragmented packets, tunnel packets, and other scenarios when the packet slot and dataplane owner was unknown.

Fixed an issue where, when SSH service profiles for management access were set to None, the reported output was incorrect.

Fixed an issue where DNS response packets were malformed when an antispyware Security Profile was enabled.

Fixed an issue where you were unable to set the Dynamic Updates schedule threshold to an empty value.

Fixed an issue where traffic returning from a third-party Security chain was dropped.

(PA-1400 Series firewalls only) Fixed an issue where, when an HSCI interface was used as an HA2 interface, HA2 packets were intermittently dropped on the passive firewall, which caused the HA2 connection to flap due to missing HA2 keepalive messages.

Fixed an issue where the firewall CLI output for GlobalProtect log quota settings did not match the settings configured on the Panorama web interface.

(PA-5450 firewalls only) Fixed an issue where a large number of invalid source MAC addresses were shown in drop-stage packet captures.

Fixed an intermittent issue where the OCSP query failed.

Fixed an issue where the logrcvr process stopped responding due to a corrupt log in the forwarding pipeline.

Fixed an issue where the logrcvr process stopped when running the hints-max CLI command.

(PA-220 firewalls only) Fixed an issue where an unused plugin incorrectly used memory.

Fixed an issue where no DHCP option list was defined when using GlobalProtect.

Fixed an issue where flex memory leak caused decryption failure and commit failure with the error message Error preparing global objects failed to handle CONFIG_UPDATE_START.

Fixed an issue on the web interface where device groups with a large number of managed firewalls displayed the Policy page more slowly than expected.

(Firewalls in HA configurations only) Fixed an issue where a split brain condition occurred on both firewalls after booting up any firewall, and an HA switchover occurred after booting up a firewall with a higher HA priority even when no preemptive option was enabled on the firewall.

Fixed an issue where FEC support was not enabled by default for PAN-25G-SFP28-LR modules.

(PA-7050 firewalls with SMC-B only) Fixed an issue where the management interface was reported as up even when MGT-A and MGT-B were both down.

Fixed an issue where the firewall truncated the payload of a TCP Out of Order segment with a FIN flag.

Fixed an issue where SAML authentication failed with the error message Failed to verify signature against certificate when ds:KeyName was in the IdP metadata.

Fixed an issue where URL logs were duplicated on Cortex Data Lake.

Fixed an issue where the firewall was unable to retrieve the most current external dynamic list information from the server due to hostname resolution failure.

Fixed an issue where the routed process stopped responding when committing routing-related changes if Advanced routing was enabled.

Fixed an issue where migrating from an Enterprise License Agreement (ELA) to a Flexible VM-Series License failed with a deactivation error message.

Fixed an issue where the print PDF option did not work (Panorama > Managed Devices > Health).

Fixed an issue where custom response pages for the GlobalProtect login page did not load and displayed a 404 Not Found error.

Fixed an issue where the firewall was unable to form OSPFv3 adjacency when using an ESP authentication profile.

(PA-7050 firewalls only) Fixed an issue related to brdagent process errors.

Fixed an issue where the reportd process stopped responding.

Fixed an issue where Device History was not visible under Managed Devices Summary.

Fixed an issue where the brdagent process stopped responding after an upgrade due to initialization failure.

Fixed an issue where the Management Processor Card (MPC) stopped responding.

Fixed an issue where Octets in NetFlow records were always reported to be 0 despite having a nonzero packet count.

Fixed an issue where half closed SSL decryption sessions stayed active, which caused software packet buffer depletion.

Fixed an issue on the web interface where the screen was blank after logging in to Panorama.

Fixed an issue where the new management IP address on the interface did not take effect.

Fixed an issue where GlobalProtect did not automatically connect to an internal gateway after an endpoint was woken.

Fixed an issue where clientless VPN portal users were unable to access clientless applications due to an SSL renegotiation being triggered.

Fixed an issue where multiple license status checks caused an internal process to stop responding.

Fixed an issue where the CLI command show bonjour interface did not display any output.

(PA-7000 firewalls only) Fixed an issue where the GTP logs forwarded from the firewall to the log collector did not include the pcap.

Fixed an issue on firewalls in active/passive HA configurations where sessions did not fail over from the active firewall to the passive firewall when upgrading PAN-OS.

Fixed an issue where objects in the running configuration appeared to be deleted under the push scope preview.

Fixed an issue where a large number of Panorama management server cookies were created in the Redis database when the Cloud-Service plugin sent an authentication request every second, and logging in to or using Panorama was slower than expected.

Fixed an issue where commits took longer than expected.

Fixed an issue where the zebra process stopped responding due to memory corruption.

Fixed an issue where the all_task process stopped responding due to high wifclient memory usage, which caused the firewall to reboot.

Fixed an issue where IP address checksums were calculated incorrectly.

Fixed an issue where memory corruption caused the comm process to stop responding.

Fixed an issue where commits failed with the error message Management server failed to send phase 1 to client logrcvr.

Fixed an issue where excess WIF process memory use caused processes to restart due to OOM conditions.

Fixed an issue where shared application filters that had application object overrides were overwritten by predefined applications.

Fixed an issue related to the IPv6 character limit for the source address in static route path monitoring.

Fixed an issue where the error message Failed to establish GRPC connection to UrlCat service: failed to start grpc connection was displayed in the system log when the Advanced URL Filtering license was applied but not configured.

Fixed an issue where selective pushes on Panorama removed a previously pushed configuration from the firewalls.

Fixed an issue where the GlobalProtect app was unable to connect to a portal or gateway and GlobalProtect Clientless VPN users were unable to access applications if authentication took more than 20 seconds.

Fixed an issue on Panorama where PDF Summary Reports (Monitor > PDF Reports > Manage PDF Summary) displayed no data and were blank when predefined widgets were included in the summary report.

Fixed an issue where SCEP certificate generation failed when a service route was used to reach the SCEP server.

Fixed an issue with high availability (HA) sync failure when performing a partial commit after creating a Security policy via REST API.

Fixed an issue where traffic did not match Security policy rules with the destination as FQDN and instead hit the default deny rule.

Fixed an issue where an excessive tab displayed *Device > Setup** when using Simplified Chinese.

Fixed an issue where macOS X-Auth clients disconnected prematurely from the GlobalProtect gateway during a Phase 2 re-key event.

Fixed an issue where, when the GlobalProtect app was installed on iOS endpoints and the gateway was configured to accept cookies, the app remained in the Connecting stage after authentication, and the GlobalProtect log displayed the error message User is not in allow list. This occurred when the app was restarted or when the app attempted to reconnect after disconnection.

Fixed an issue where the firewall generated numerous logrcvr error messages related to NetFlow.

Fixed an issue where previewing changes for selective admins took longer than expected or displayed the error message commands succeeded with no output.

Fixed an issue where selective push failed on Panorama after deleting shared objects that were referenced in multi-device group environments with the error message: Schema validation failed. Please try a full push.

Fixed an issue where content push operations failed for a URL category Scanning Activity.

Fixed an issue where the CLI command show system disk details was not available.

Fixed an issue on the firewall where SNMP incorrectly reported high packet descriptor usage.

Fixed an issue on Panorama related to Shared configuration objects where configuration pushes to multi-vsys firewalls failed.

Fixed an issue where the Log Forwarding Card (LFC) did not honor the negotiated MSS on the logging connection.

Fixed an issue with firewalls in HA configurations where HA configuration syncs did not complete or logging data was missing until firewall processes were manually restarted or the firewalls were rebooted.

Fixed an issue where performing a commit operation failed and the following error message was displayed: failed to handle CUSTOM_UPDATE.

Fixed an issue on Panorama where Commit and Push was grayed out when making changes to a template or device group.

Fixed an issue where GlobalProtect quarantine-delete logs were incorrectly shown on passive firewalls.

(PA-5450 firewalls only) Fixed an issue where the firewall rebooted unexpectedly when a Network Card was on Slot 2 instead of a DPC.

Fixed an issue where the devsrvr process stopped responding when Zone Protection had more than 255 profiles.

Fixed an issue where, after upgrading and rebooting a Panorama appliance in Panorama or Log Collector mode, managed firewalls continuously disconnected.

Fixed an issue where the CLI command settings for set system setting logging max-log-rate did not persist after a mgmtsrvr process restart.

Fixed an issue where the session end reason was incorrectly logged as decrypt-cert-validation for allowed sessions when the decryption profile was configured for a no-decrypt policy.

Fixed an issue where the Power Supplies was not present in the show system environmentals CLI command output.

Fixed a high memory usage issue with the mongodb process that caused an OOM condition.

Fixed an issue where the devsrvr process caused delays when Dynamic Address Groups with large entry lists were being processed during a commit, which caused commits to take longer than expected.

Fixed an issue where IPv6 addresses in XFF were displayed in Traffic logs.

(PA-3440 firewalls only) Fixed an issue where you were unable to set the link speed as 25Gbps from the drop-down in the template for Ethernet ports 1/23 through 1/26.

Fixed an issue where the distributord process repeatedly stopped responding.

Fixed an issue where a memory leak caused decryption failures when SSL Forward Proxy was configured.

Fixed an issue where excessive network path monitoring messages were generated in the system logs.

Fixed an issue where a memory leak related to the distributord process occurred when connections flapped for IP address-to-username mapping redistribution.

Fixed an issue where cookie authentication did not work for GlobalProtect when an authentication override domain was configured in the SAML authentication profile.

Fixed an issue on Panorama where the reportd process unexpectedly stopped responding.

(PA-800 Series firewalls only Fixed an issue where the GlobalProtect SSL tunnel failed.

Fixed an issue where the show running ippool CLI command output displayed incorrect used and available NAT IP address pools on DIPP NAT policy rules in multidataplane firewalls.

Fixed an issue on the firewall where, when Advanced Routing was enabled, PIM join messages were not sent to the RN due to a missing OIF.

(PA-7000 Series firewalls with Log Forwarding Cards (LFC) only) Fixed an issue where multiple OOM conditions occurred which caused a system restart.

(PA-5450 firewalls only) Fixed an issue where the all_pktproc process stopped responding when the firewall was on PAN-OS 10.1.9-h3 or a later release.

Fixed an issue where SSL decryption for HTTP/2 sessions failed when enabling Send handshake messages to CTD for inspection (Device > Setup > Session > Decryption Settings > SSL Decryption Settings).

Fixed an issue where Panorama was unbale to query any logs if the Elasticsearch health status for any log collector was degraded.

Fixed an issue where the file transfer of large zipped and compressed files had the App-ID unknown-tcp.

Fixed an issue on the web interface where the system clock for Mexico_city was displayed in CDT instead of CST on the management dashboard.

Fixed an issue where selective pushes failed with the error message Failed to generate selective push configuration. Unable to retrieve last in-sync configuration for the device, either a push was never done or version is too old. Please try a full push.

Fixed an issue on Panorama where host IDs manually added to the device quarantine list were unexpectedly removed.

Fixed an issue where fragmented TCP traffic was dropped due to an IP address ID conflict over the SD-WAN tunnel.

Fixed an issue where the CLI command debug log-card-interface pint slot <x> host <host> did not return any information when attempting to ping the Log Forwarding Card (LFC).

(PA-5410, PA-5420, and PA-5430 firewalls only) Fixed an issue where Filter drop-downs, Forward Method, and Correlation log settings (Device > Log Settings > Correlation) were not displayed.

A CLI command was introduced to address an issue where SNMP monitoring performance was slower than expected, which resulted in snmpwalk timeouts.

Fixed an issue where you were unable to context switch from Panorama to the managed device.

Fixed an issue where the same user connected to multiple SSL VPN connections and one of the sessions stopped working.

Fixed an issue with network packet broker sessions where the broker session and primary session timeouts were out of sync, which caused traffic drops if the broker session timed out when the primary session was still active.

Fixed an issue where duplicate entries were not detected during commits, which caused routing engine failure.

Fixed an issue where log ingestion to Panorama failed, which resulted in missing logs under the Monitor tab.

Fixed an issue where users were unable to log in to the GlobalProtect app using SAML authentication after upgrading to PAN-OS 10.2.3-h4, and the GlobalProtect logs displayed the following error message: Username from SAML SSO response is different from the input.

Fixed an issue where selective pushes did not work after upgrading to PAN-OS 10.2.4.

Fixed a memory leak issue where the packet buffer count continuously increased and the firewall required a restart to clear the buffers.

(PA-800 Series firewalls only) Fixed an issue where the firewall rebooted due to I2C errors when unsupported optics were inserted in ports 5-8.

Fixed an issue where BGP aggregate routes were not created and discard routes were not installed in the routing table.

Fixed an issue where previewing changes before pushing to devices displayed a pop-up with the message: Command succeeded with no output.

(M-600 Appliances only) Fixed an issue where ElasticSearch processes did not restart when the appliance was rebooted, which caused the managed collector ES health status to be downgraded.

(Panorama appliances in FIPS-CC mode only) Fixed an issue where scheduled email reports did not contain PDF attachments.

(VM-Series firewalls only) Fixed an issue where large packets were dropped from the dataplane to the management plane, which caused OSPF neighborship to fail.

Fixed an issue where the CLI command show logging-status did not correctly display the last log created and forwarded timestamps.

Fixed an issue on the firewall where scheduled antivirus updates failed when external dynamic lists were configured on the firewall.

Fixed an issue where the correct device filter did not apply when filtering Targets and Target/Tags (Device Group > Policies).

Fixed an issue where, after enabling Advanced Routing Engine, the backup default route was not installed in the FIB table if static path monitoring went down.

(PA-5450 and PA-400 firewalls only) Fixed an issue where the request shutdown system CLI command did not completely shut down the system.

Fixed an issue where certificate-based logins to Panorama via the web interface failed.

Fixed an issue where you were unable to export SAML metadata when configuring SAML authentication.

Fixed an issue where you were unable to filter data filtering logs with Threat ID/NAME for custom data patterns created over Panorama.

Fixed an issue where enabling syslog-ng debugs from the root caused 100% disk utilization.

Fixed an issue with the firewall where adding Parent-App under Application Filter for Security policy rules did not add dependent applications.

Fixed an issue where BGP routes were installed in the routing table even when the option to install routes was disabled in the configuration.

Fixed an issue where the all_pktproc process stopped responding during Layer 7 processing.

(M-Series appliances only) Fixed an issue where the management interface flapped due to low memory reserved for kernel space.

Fixed an issue where the ctd_dns_wait_pkt_drop counter increase was greater than expected.

Fixed an issue where spaces in a certificate name caused imports to fail.

Fixed an issue where, when a port on the NPC was configured for log forwarding, the ingress traffic on the card was sent for processing to the LPC, and the LPC card was reloaded when the ingress volume of traffic was high.

Fixed an issue where a HIP mask was reused when an existing IP address user mapping was updated by a new IP address user mapping that had a different username but the same IP address.

Fixed an issue where SaaS PR was reimported to the shared location and policy objects were not updated with new updates coming from the SaaS cloud.

Fixed an issue where Security zones under Interfaces displayed as none for dynamic group and template admin users in a read-only admin role.

Fixed an issue on Panorama where the HA virtual address was not created for firewalls in active/active HA configurations.

Fixed an issue where scheduled configuration exports and SCP server connection testing failed.

Fixed an issue where the device telemetry region was not updated on the firewall when pushed from the Panorama template stack.

Fixed an issue where the firewall did not receive dynamic address updates pushed from Panorama during initial registration to Panorama.

Fixed an issue where Panorama was slower than expected when WildFire deployment was scheduled every minute to a large number of devices.

Fixed an issue where the firewall transmitted packets with an incorrect source MAC address during commit operations.

(PA-7000 Series firewalls only) Fixed an issue where internal path monitoring failed due to a heartbeat miss.

Fixed an issue where uploading a certificate in a manual configuration option for SafenetHSM failed.

Fixed an issue on Panorama where certificates created on Panorama were not pushed to the firewall with a selective push.

Fixed an issue where supported Bi-DI transceivers were not recognized which caused ports to not come up.

Fixed an issue where the useridd process stopped responding after a restart when HIP redistribution was enabled.

Fixed an issue where inbound DHCP packets received by a DHCP client interface that were not addressed to itself were silently dropped instead of forwarded.

Fixed a rare issue where URLs were not accessible when the header length was greater than 16,000 over HTTP/2.

Fixed an intermittent issue where HTTP/2 traffic caused buffer depletion.

Fixed an issue where the DNS proxy log included an excessive number of the following error message: Warning: pan_dnsproxy_log_resolve_fail: Failed to resolve domain name ** AAAA after trying all attempts to name servers

Fixed an issue where predict session conversion failed for RTP and RTCP traffic.

Fixed an issue where the firewall did not clear port reused sessions for GlobalProtect traffic with proxy fast-session-delete enabled.

Fixed an issue where syncs between Panorama and the Cloud Identity Engine (CIE) caused intermittent slowness when using the web interface due to a large number of groups in the CIE directory.

Fixed an issue where, when log queries in the yyyy/mm/dd format displayed extra digits for the day and an error was not generated.

Fixed an issue where commits took longer than expected when the DLP plugin was configured.

Fixed an issue where fetching device certificates failed for internal DNS servers with the error message ERROR Error: Could not resolve host: certificate.paloaltonetworks.com.

Fixed an issue where the sysd node was updated at incorrect times.

Fixed an issue where the shard count reached up to 10% over the limit rather than staying under the limit.

A CLI command was added to configure the FEC for PA-5450 breakout ports.

Fixed an issue on firewalls in HA configurations where the primary firewall went into a nonfunctional state due to a timeout in the pan_comm logs during the policy-based forwarding (PBF) parse, which caused an HA failover.

Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.

Fixed an issue with the web interface where the latest logs took longer than expected to display under Monitor.

Fixed an issue where RTP packets traversing intervsys were dropped on the outgoing vsys.

Fixed an issue where, when a firewall had more than 1,200 logical interfaces, commits failed with the error message: Error pre-installing config failed to handle CONFIG_COMMIT.

Fixed an issue where users were able to add configurations via XML API even when a config lock was in place.

Fixed an issue where template configurations were not properly pushed to the firewall during an export or push of the device configuration bundle.

Fixed an issue where the VPN responder stopped responding when it received a CREATE_CHILD message with no security association (SA) payload.

Fixed an issue where mlav-test-pe-file.exe was not detected by WildFire Inline ML.

Fixed an issue where Request Categorization Change was not displayed under URL filtering logs when the Advanced URL Filtering license was applied.

Fixed an issue where, when using multi-factor authentication (MFA) with RADIUS OTP, the challenge message Enter Your Microsoft verification code did not appear when accessing the GlobalProtect portal via browser.

Fixed an issue where the firewall went into a restart loop with the following error message: failed to get mgt settings candidate: configured traffic quota of 0 MB is less than the minimum 32 MB.

Fixed an issue on the firewall where the WildFire file size limit value did not match on the web interface and the CLI.

(PA-7050 firewalls only) Fixed an issue where disk space filled up due to files under /opt/var/s8/lp/log/pan/ not being properly deleted.

Fixed an issue where firewall HA clusters in active/active configurations with Advanced Routing enabled did not relay to ping requests sent to a virtual IP address.

Fixed an issue where URL Filtering system logs showed the error message CURL ERROR: bind failed with errno 124: Address family not supported by protocol even though the PAN-DB cloud was connected.

Fixed an issue where Dynamic Updates failed with the following error message: CONFIG_UPDATE_INC: Incremental update to DP failed please try to commit force the latest config.

Fixed an issue on firewalls in HA configurations where committing changes after disabling the QoS feature on multiple Aggregate Ethernet (AE) interfaces caused the dataplane to go down.

Fixed an issue third-party VPNC IPSec clients were disconnected after a few seconds for firewalls in active/active HA configurations.

Fixed an issue where the routedd process stopped responding when executing the show static-route path-monitoring CLI command or when accessing the path monitoring records from the web interface (Network > Virtual Router > More Runtime Stats > Static Routing).

Fixed an issue where the BFD peers were deleted during a commit from Panorama. This occurred because the pan_comm thread became deadlocked due to the same sysd object was handled during the commit.

Fixed an issue on Panorama where, after selecting managed firewalls and creating a new tag, the managed firewalls were automatically unselected and any new tag that was created was applied to the managed firewalls for which you initially created the tag.

Fixed an issue where logging in using default credentials after changing to FIPS-CC for NSX-T firewalls did not work.

Fixed an issue where the logrcvr process NetFlow buffer was not reset which resulted in duplicate NetFlow records.

Fixed an issue where the LFC and NPC remained stuck during bootup.

(PA-7050 firewalls only) Fixed an issue where the ikemgr process stopped responding.

Fixed an issue where DNS Security cloud service unavailable logs did not indicate the service name, status code, or error message in the DNS proxy log.

Fixed an issue where packets queued to the pan_task process were still transmitted when the process was not responding.

Fixed an issue on the web interface where the language setting is not retained.

Fixed an issue where Traffic logs exported to CSV files contained inaccuracies and were not complete.

Fixed a rare issue where aBuildXmlCache job failed on the firewall.

Fixed a memory leak issue related to the distributord process.

Fixed an issue where exporting a Security policy rule that contained Korean language characters to CSV format resulted in the policy description being in a nonreadable format.

(PA-5450 firewalls only) Fixed an issue where the firewall accepted 12 Aggregate Ethernet interfaces, but you were unable to configure interfaces 9-12 via the web interface.

Fixed an issue where the CLI command show applications list did not return any outputs.

Fixed an issue on Panorama where *Commit Push** and Validate Push operations during a Push to Devices did not handle the configuration for shared objects, which resulted in an invalid configuration being pushed.

Fixed an issue where /opt/pancfg partition utilization reached 100%, which caused access to the Panorama web interface to fail.

(PA-5450 firewalls only) Fixed an issue where the show running resource-monitor ingress-backlogs CLI command failed with the following error message: Server error : Failed to intepret the DP response.

Fixed an issue where Template Stack overrides (Dynamic Updates > App & Threats > Schedule) were not able to be reverted via the web interface.

Additional error logs were added for an issue where, when multiple Panorama web interface sessions were opened, active lock did not show up on the web interface for any session.

Fixed an issue where the CLI command show rule-hit-count did not provide all details of the rule from the device group.

Fixed an issue where HIP matches were not recognized in an SSL decryption policy rule.