PAN-OS 11.1.10-h21 Addressed Issues

PAN-OS® 11.1.10-h21 addressed issues.
Issue ID
Description
PAN-316911
(VM-Series firewalls on Amazon Web Services (AWS) environments only) Fixed an issue where a newly bootstrapped firewall required a management server restart, relicensing, or license push from Panorama to invoke the device certificate.
PAN-315176
Added an enable and disable CLI command to address an issue where the firewall experienced increased packet drops and slower performance after an upgrade due to high burst traffic.
PAN-314319
Fixed an issue where the firewall experienced increased packet drops and slower performance after an upgrade due to high burst traffic.
PAN-314142
Fixed an issue where establishing log forwarding connections to the Strata Logging Service (SLS) took longer than expected, which resulted in delayed log visibility on SLS.
PAN-314061
Fixed an issue where traffic was disrupted during IPSec rekey operations due to a 2 second delay in sending the DELETE message for the previous Security Association (SA) to the peer gateway after a new SA was negotiated.
PAN-313850
(PA-1400 Series firewalls in HA configurations only) Fixed an issue where a split-brain condition occurred and HA1/HA2 links went down while upgrading when the HA configuration used dataplane interfaces for HA1 and a combination of HSCI and Ethernet interfaces for HA2.
PAN-313623
Fixed an issue where the /opt/pancfg/mgmt/ssl/private/ directory on Palo Alto Networks devices with TPM support became 100% utilized due to an accumulation of undeleted .pub_pem files. This occurred because executing the show device-certificate status CLI command initiated a process that generated these files but failed to remove them, which prevented the fetching of new device certificates.
PAN-313572
(VM-Series firewalls only) Fixed an issue where the dataplane restarted due to a segmentation fault.
PAN-312706
Fixed an issue where the firewalls restarted due to a function lacking a NULL-pointer sanity check.
PAN-311285
(Firewalls in HA conditions only) Fixed an issue where a memory leak occurred related to the ospfd process, which caused RAM usage to continuously increase on active devices in an HA cluster until the device stopped responding, even after an HA failover.
PAN-311250
(Panorama appliances and Log Collectors only) Fixed an issue where logs from multiple devices were not visible on Panorama even though the Elasticsearch health status on the dedicated Log Collectors appeared green.
PAN-311073
(Panorama managed firewalls in HA configurations only) Fixed an issue where firewalls incorrectly updated the modified date and MD5 hash of policy rules during an HA sync commit job or a subsequent local commit, even when no changes were made to the policy rules.
PAN-309300
Fixed an issue where management plane system resources configuration size exceeded 28 MB for over 4 hours, and the following error message was displayed: Configuration size reaching device capacity limit.
PAN-308786
(Panorama appliances only) Fixed an issue where traffic log queries using the device_name filter returned no results, and complex log queries that included negation operators produced incorrect outputs.
PAN-308654
Fixed an issue where the Elasticsearch Close Indices process closed more indices than expected and dropped the number of open shards below the minimum of 800 per Elasticsearch instance. This occurred because the process did not correctly account for the number of Elasticsearch instances when calculating the maximum number of allowed open shards.
PAN-308507
(Panorama managed firewalls only) Fixed an issue where the firewall intermittently failed to maintain active log forwarding streams to Cortex Data Lake even when duplicate logging and enhanced application logging were enabled.
PAN-307702
(Firewalls in HA configurations only) Fixed an issue where traffic passing through AE layer 2 interfaces was interrupted during HA failovers.
PAN-307597
Fixed an issue where BGP peering sessions between a hub firewall and a satellite firewall over GlobalProtect LSVPN failed to connect.
PAN-306555
Fixed an issue where the firewall stopped responding, which led to service outages.
PAN-305700
Fixed an issue where a reboot loop occurred when OSPF interfaces were configured with a link type of point-to-point.
PAN-305552
Fixed an issue where DLP logs displayed an incorrect file type when the firewall did not set the file type field.
PAN-304718
Fixed an issue where OSPF and BGP outages occurred due to an all_task process restart during clientless VPN content rewrite processing.
PAN-304696
Fixed an issue where the Cloud User-ID connection timed out because the firewall took too long to process the OCSP response.
PAN-304576
Fixed an issue where the firewall entered a non-functional state due to a segmentation fault within the all_pktproc process that was caused by a session that involved http2 cleartext traffic.
PAN-304205
Fixed an issue on Panorama where, after upgrading to an affected release, a partial commit via the API did not push configuration changes to managed firewalls, and a full commit was required to synchronize the configuration.
PAN-303959
Fixed an issue where traffic was incorrectly identified as unknown-tcp/unknown-udp due to an App-ID resource leak and was eventually dropped.
PAN-303745
Fixed an issue where inter-dataplane forwarding did not work for sessions ingressing on Slot 2, which resulted in intermittent ping failures to interfaces on Network Card 2 when traffic was forwarded to Slot 3.
Note: With this fix, after a slot restart, the global counter will still show dot1q errors for a short period.
PAN-303722
Fixed an issue on the firewall where configuring spyware and vulnerability profiles in Security policy rules caused a memory leak in the devsrvr process with each configuration commit.
PAN-302654
(Firewalls in active/passive HA configurations only) Fixed an issue where, when the HA configuration had multiple logical routers, static or connected routes redistributed into OSPF aged out in the LSDB, which caused the routes to be removed on peer OSPF neighbors.
PAN-301731
Fixed an issue where, when the firewall was unable to establish an SCM connection due to the discovery service returning a 404 error when the device was not yet known to the service, the firewall did not retry the attempt as expected.
PAN-300671
Fixed an issue where traffic reports that were generated with destination/source and destination/source hostnames were not displayed in IPv4 format.
PAN-300664
Fixed an issue on the Panorama and firewall web interface where Applications pages became unresponsive after activating the SaaS Inline license.
PAN-300423
Fixed an issue where Data Processing Cards (DPCs) installed in slots 5 and 6 remained stuck in a starting state with the error Signal detected for port xeS5-DP0 but Link Down alerts, which resulted in device instability.
PAN-299705
Fixed an issue where API calls to commit changes on Panorama intermittently failed when using the XML API with refresh=no, which caused changes to not be applied to the partial-commit configuration.
PAN-299495
Fixed an issue where the show system setting ssl-decrypt certificate CLI command did not display certificates when XML output was enabled.
PAN-298945
Fixed an issue where OCSP HTTP POST requests were not formatted correctly, which caused failures with strict responders.
PAN-298617
Optimized the commit workflow to reduce the size of the effective configuration, resulting in lower memory consumption.
PAN-296694
Fixed an issue where the firewall rebooted due to the useridd process repeatedly restarting during IP-port data type writes to redis from multiple sources such as TSA or XML in a scale environment.
PAN-295803
Addressed a memory leak issue under the sc3 and automatic commit recovery (ACR) code path.
PAN-295802
Fixed an issue where a memory leak related to the configd process occurred.
PAN-296202
(Firewalls in active/active HA configurations only) Added a log enhancement to capture an issue where, when a commit operation was in progress, newly deployed IP address tags that used the XML API were not immediately reflected in address group resolution, which delayed IP address mapping to address groups and caused traffic to be incorrectly allowed or denied.
PAN-294379
Fixed an issue where, when all interfaces configured for SD-WAN SaaS Application path monitoring failed, the firewall stopped forwarding traffic even if the ISP links and default gateway probing were still active.
PAN-292306
Fixed an issue where the authd process stopped handling RADIUS authentication requests and required a restart.
PAN-291094
Fixed an issue where the firewall experienced packet descriptor on chip and buffer spikes, which led to dropped traffic due to an unidentified traffic pattern.
PAN-290938
Fixed an issue where multiple memory leaks occurred related to the configd process.
PAN-288175
Addressed a stack buffer overflow memory leak under the plugin management code path.
PAN-287392
Fixed an issue on the web interface where ACC graphs displayed No data to display when a filter was applied to Source IP or Destination IP.
PAN-287159
Fixed an issue where file uploads to Dropbox stalled when using a PA-CPT device with MLC2 and DLP Mirror mode enabled for HTTP2 traffic. This occurred because the proxy was unable to decrement packet counts properly when the queue was large, resulting in a receive window size of 0 for the parent session.
PAN-283237
Fixed an issue where traffic logs incorrectly displayed the action as allow for traffic matching a Security policy rule configured with the action set to deny. This issue occurred due to the child session being used for policy rule lookup when a configuration update triggered a rematch if the FTP-data application was not in the rule.
PAN-279364
(VM-Series firewalls with multiple NICs only) Fixed an issue where the queue count in the task dump displayed an incorrect number of queues for SR-IOV interfaces due to the queue mapping logic incorrectly using a non-multi-NIC function.
PAN-279209
Fixed an issue where changes made to the management interface permitted IP address list in a global template were not pushed to the template stack or firewalls.
PAN-278688
Fixed an issue where DNS Security threat logs were not displayed on the firewall when packet capture was enabled and the domain name length was 62 characters.
PAN-278628
(Firewalls in HA configurations only) Fixed an issue where the configd process restarted during a configuration push from Panorama, which caused the active firewall to lose management access for 20-30 minutes.
PAN-277987
(VM-Series firewalls in AWS environments only) Fixed an issue where HA failover mode incorrectly changed from interface move to secondary IP move after a reboot.
PAN-274742
(VM-Series firewalls only) Fixed an issue where the task-queue dump CLI command returned incorrect information in multi-nic mode.
PAN-273487
Fixed an issue where the distributord process restarted on firewalls in multi-vsys environments with User-ID configured and Panorama as a redistribution client. This occurred when a large volume of IP address-to-user mappings were learned.
PAN-273158
(PA-7000 Series firewalls only) Fixed an issue where an incorrect ASIC configuration caused silent packet drops or application slowness when receiving a mix of jumbo and non-jumbo packets.
PAN-262353
Fixed an issue where, when Panorama was upgraded but log collectors were on an earlier version, logs from a log collector group were not viewable on Panorama.
PAN-259785
Fixed an issue where the devsrvr process restarted and created a core dump because two threads did not terminate correctly.
PAN-245686
Fixed an issue where memory leaks occurred when checking for, downloading, or installing dynamic updates.
PAN-243507
Fixed an issue on the firewall web interface where Logical Router did not load after an FRR stack upgrade.