Fixed an issue where the logrcvr process stopped responding on DPCs, which prevented logs from being forwarded.

Fixed an issue where Panorama incorrectly generated system logs indicating a lost connection to its peer after an upgrade even when High Availability was not configured.

Fixed an issue where the Logging Service License Status displays a license failure when the license status transitions from valid to expired and then back to valid even when the connection to the Security Logging Service (SLS) was working.

Fixed an issue where the timing of GlobalProtect lifetime expiry or inactivity logout notifications used for GlobalProtect SSL tunnels could cause the pan_task process to stop responding and the dataplane to restart.

Fixed an issue where BGP aggregate routes were not created and discard routes were not installed in the routing table.

Fixed an issue where traffic is incorrectly identified as unknown-tcp/unknown-udp due to App-ID resource leak and eventually dropped.

Fixed an issue where, after committing a configuration change, the firewall experienced traffic issues, pan_task crashes, and LACP interface failures.

Fixed an issue where, after manuallly creating a device telemetry bundle, the hour_cli_output.txt file within the bundle had a file size of 0 bytes. This occurred when checking the bundle content after enabling device telemetry and setting the device telemetry upload endpoint.

Fixed an issue where the firewall displayed as disconnected in the SLS due to the serial number not being retrieved

(Firewalls in HA configurations only) Fixed an issue where the passive firewall incorrectly triggered PBP alerts even with low packet rates.

Fixed an issue where Microsoft Defender for Cloud detected cleartext SSH private keys in the /var/appweb and /etc/appweb directories on PA-VM firewalls deployed in Azure.

Fixed an issue on Panorama where the debug system reset-ztp CLI command was unavailable.

Fixed an issue where firewalls experienced multiple reboots due to the pan_task process restarting with a SIGSEGV signal. This occurred because the client-to-firewall side assumed TLS 1.3 for the firewall-server side.

Fixed an issue where the firewall was unable to connect to the Subscription License Service (SLS) due to a public and private key pair mismatch with the device certificate.

Fixed an issue where the MFA timestamp was not redistributed between standalone firewalls behind an Azure load balancer after upgrading, which resulted in users being prompted to reauthenticate multiple times.

Fixed an issue on PA-VM in AWS where, in a two-arm deployment integrated with Gateway Load Balancer (GWLB), the firewall did not preserve the GENEVE source port for internet traffic, resulting in increased latency. The fix ensures the firewall preserves the outer UDP source port of GENEVE encapsulation when sending traffic back to GWLB.

(PA-5220 firewalls only) Fixed an issue where the ikemgr process crashed intermittently, causing IPSec tunnels to go down randomly. The fix ensures that the IKE security association data structures are accessed in a thread-safe manner. This prevents the ikemgr process from referencing an invalid memory pointer during teardown operations and provides stability.

Fixed an issue where the firewall did not accept address groups in the filter condition of a Log Forwarding Match list.

Fixed an issue where Panorama did not display data in the Feature Adoption tab in Strata Cloud Manager due to the system creating and deleting a CLI user for each interval instead of reusing a permanent CLI user for telemetry.

Fixed an issue where the devsrvr process periodically exceeded its virtual memory limit and restarted, which led to intermittent outages.

Fixed an issue where the useridd process became unresponsive, which caused User-ID CLI commands to time out.

Fixed an issue where the dscd process crashed continuously on MIPS platforms (for example, PA-850 firewalls) due to a runtime error related to an invalid memory address or nil pointer dereference. This was caused by a golang library upgrade in CIE that is incompatible with the MIPS platform.

Fixed an issue related to external URL lists where pushing configuration changes from Panorama failed.

(VM-Series firewalls only) Fixed an issue where the maximum registered IP address for was incorrectly set to 100,000 instead of the expected 500,000.

Fixed an issue where traffic logs incorrectly displayed the action as allow for traffic matching a Security policy rule configured with the action set to deny. This issue occurred due to the child session being used for policy rule lookup when a configuration update triggered a rematch if the FTP-data application was not in the rule.

Fixed an issue with intermittent access and slower than expected loading times when accessing websites. This occurred when Anti-Spyware inline cloud analysis was enabled and the SSL Command and Control action was not either allow or alert and server hello packets were out of order.

Fixed an issue where the mib ID returned an incorrect value via SNMP.

Fixed an issue where, when QoS was enabled on aggregate interfaces, the maximum aggregate interface throughput was capped, which limited network traffic. This occurred even with default QoS settings and no configured egress max-bandwidth.

Fixed an issue where SNMP walk reported incorrect interface speeds.

Fixed an issue where the firewall was unable to parse the URL path and host when the host header was located in a different packet, which resulted in the firewall not logging the URL path in the first packet. The fix is disabled by default. The following CLI commands can be used to enable/disable the feature:

• set system setting ctd url-crosspkt-host-path-caching enable
• set system setting ctd url-crosspkt-host-path-caching disable
• set system setting ctd url-crosspkt-host-path-caching default