(Panorama appliances in FIPS-CC mode only) Fixed interdevice TLS communication failures that occurred with RSA and RSA-PSS signature algorithms across multiple layer 7 application services.

Fixed an issue where, after unregistering an IP tag and registering a different IP tag for the same IP address via XML API, the dynamic address group membership was not updated on the dataplane, which resulted in Security policy rules being enforced incorrectly.

Fixed an issue where, when configuring Safenet HSMs in HA and authentication HSM manually, the second HSM server failed to authenticate due to the firewall overwriting the first HSM server's certificate with the second HSM server's certificate.

Fixed an issue on Panorama where a memory leak occurred related to the reportd process due to retaining memory that was temporarily used for report generation instead of releasing the memory for reuse, which resulted in continuous accumulation and memory exhaustion.

Fixed an issue where using the IKEv2 multiplier setting for VPN re-authentication resulted in the firewall not re-authenticating at the expected intervals when both sides initiated rekeying. The internal re-authentication counter incremented when the local side triggered the rekey, but not when the peer side triggered it.

Fixed an issue where Panorama was unable to push the Trusted Root CA configuration to Log Collectors via a Collector Group push due to the Log Collector not supporting the trusted-root-CA configuration.

Fixed an issue where the firewall became unresponsive after an upgrade due to the fsck command scanning drive partitions in parallel with the root partition, which caused the process to take an extended amount of time.

Fixed an issue where exporting custom reports resulted in empty CSV files.

Fixed an issue where GlobalProtect HIP data file download and installation failed with the error message An error occurred while processing request. Please try again after some time or contact support or No ETAG from response due to a script exiting prematurely.

Fixed an issue where, after a web server returned a 401 or 403 error, the firewall was unable to decrypt HTTP/2 traffic, and the firewall rejected all subsequent streams from the client.

Fixed an issue with firewalls enabled with Security profiles where certain traffic conditions caused high dataplane CPU utilization and packet buffer exhaustion, which caused LACP flapping conditions.

(VM-Series firewalls only) Fixed an issue where the firewall became inaccessible via the web interface and SSH and remained in an initializing state.

Fixed an issue where on the firewall where the routed process stopped responding after changing the MTU or any link state parameters when OSPF and PIM were enabled on the same interface.

Fixed an issue where the LFC failed to validate Certificate Revocation Lists (CRL) for SSL syslog connections, which caused a failure to forward logs to external syslog servers.

Fixed an issue where all_pktproc process repeatedly restarted, which caused dataplane failure and loss of connectivity, including PAN-DB URL resolution. This occurred after a commit push from Panorama and resulted in the firewall becoming non-functional due to internal path monitoring failure and configuration memory exhaustion.

Fixed an issue where the number of registered IP Tags on Panorama did not match the number of registered IP Tags on the managed firewalls due to a change in file format between PAN-OS releases.

Fixed an issue where Panorama did not display license information for Cloud NGFW firewalls under (Device Deployment > Licenses) due to the inability to perform batch-license refreshes.

Fixed an issue where User-ID mappings were not correctly redistributed from Panorama to firewalls, causing some users to be identified as unknown, which prevented access to resources based on AD group membership.

Fixed an issue where the firewall incorrectly assembled SIP NOTIFY and REFER messages when processing SIP TCP packets that contained a partial content-body from a previous SIP message and a complete header and content-body from the next SIP message.

Fixed an issue where selective push operations from Panorama to managed firewalls failed with the error message Failed to generate selective push configuration. Schema validation failed. Please try a full push.