(Firewalls in FIPS mode only) Fixed an issue where GlobalProtect unexpectedly prompted for RADIUS authentication instead of client certificate authentication due to an OSCP validation error and subsequent CRL verification failure, which led to certificates being marked as invalid.

Fixed an issue where a DPC in Slot 4 restarted repeatedly, which caused internal path monitoring failures and a failover event.

Fixed an issue where processes restarted and the firewall unexpectedly rebooted when you configured a Security policy rule with Source Device > quarantine.

Fixed an issue on Panorama where selective push operations failed when plugin configurations included access-domain or log-collector references.

Fixed an issue where SIP sessions stopped progressing after the firewall received fragmented packets, fragmented at header field.

Fixed an issue where a race condition between the session ager and packet processing resulted in memory corruption and caused the pan_task process to stop responding, which resulted in the firewall becoming unresponsive

Fixed an issue where GlobalProtect throughput was reduced after an upgrade.

Fixed an issue where, when a push operation from Panorama to the firewall failed, accounting logs stopped forwarding.

(PA-7500 firewalls only) Fixed an issue where internal path monitoring logs incorrectly reported internal path monitoring failures when they did not occur.

(Firewalls in active/passive HA configurations only) Fixed an issue where, after a failover, routing information within OSPF protocol was not correctly translated or propagated, which affected network path convergence and FRR capabilities.

Fixed an issue where a memory leak occurred related to the reportd process when custom reports were run via API.

Fixed an issue where Panorama pushed commits took longer than expected to complete without displaying an error message when committing due to slow cloud-app compilation.

Fixed an issue where the reportd process stopped responding, which caused the firewall to reboot.

Fixed an issue where the ABR failed to translate and advertise the default route (0.0.0.0/0) from an OSPF NSSA area into the OSPF backbone area as a Type-5 LSA.

Fixed an issue where software packet buffers were completely utilized when performing a Data Loss Prevention longevity test.

(Firewalls with FIPS-CC enabled only) Fixed an issue where, when attempting to make changes to the GlobalProtect portal, an error message was displayed and configuration updates failed.

(Firewalls in active/passive configurations only) Fixed an issue where NTP status intermittently showed as rejected on the active firewall, which prevented the firewalls from synchronizing time.

Fixed an issue on Prisma Access Remote Network firewalls where high CPU utilization caused slowness and command timeouts.

Fixed an issue where the firewall was unable to send device telemetry files to Cortex Data Lake due to the firewall receiving an invalid upload token.

Fixed an issue where firewall components became unresponsive during sustained operation.

Fixed an issue where the firewall incorrectly reported the speed of 25G interfaces as 1G when queried using SNMP for the ifHighSpeed OID.

Fixed an issue where the timestamp value in SNMPv3 trap headers was incorrect.

To use this fix, run the CLI command debug log-receiver enginetime-from-snmptime yes.

Fixed an issue where firewalls in a cluster experienced approximately 50% packet loss on IPSec NATT tunnels when tunnel acceleration was enabled.

Fixed an issue where firewalls that were connected to the same Cloud Identity Engine displayed inconsistent group membership information, with some firewalls showing only a subset of users belonging to a group. This occurred due to a full or incremental group sync failure.

This fix introduces a retry mechanism for failed group queries to the Cloud Identity Engine. To use this feature, run the following CLI commands.

To enable the retry mechanism: debug user-id dscd retry-enable on.

To set the retry time: debug user-id dscd retry-time set-time <1-10>. The default value is 5 seconds.

To set the number of retry attempts: debug user-id dscd retry attempts set-attempts <3-10>. The default value is 5 attempts.

To disable the retry mechanism: debug user-id dscd retry-enable off.

Additionally, a system log is now generated when a group sync fails, and you are able to monitor the group sync status with the following CLI commands:

Fixed an issue where the management CPU was high, which caused the web interface to be slower than expected.