Fixed an issue where the NAT IP address pool was exhausted, which led to intermittent connectivity issues with call applications and outbound call failures. This occurred due to the firewall not properly releasing NAT dynamic ports back to the address pool.

Fixed an issue where Panorama managed firewalls with no defined log collector group continually attempted to establish a logging connection to Panorama, which resulted in excessive system log messages.

Fixed an issue where a stream receiving a reconnect signal with an associated error in Wifclient caused the entire pool to close, which resulted in a complete disconnection.

Fixed an issue where Cloud Data Lake (CDL) log forwarding streams intermittently displayed as inactive.

Fixed an issue where syslog forwarding dropped due to FQDN resolution failures.

Fixed an issue where the pan_comm process stopped responding due to insufficient time allocated to read file descriptors when processing long messages.

Fixed an issue where the logrcvr process stopped responding due to memory allocation errors during Redis communication.

Fixed an issue where certificate data was missing in decryption logs for No decrypt policy rules and TLS1.2 traffic after upgrading, and the Subject Common Name, Issuer Common Name, Certificate Start Date, Certificate End Date, Certificate Serial Number, and Certificate Fingerprint fields were blank in the decryption logs.

Fixed an issue where polling failed for ethernet interfaces due to the physical port counters read from the MAC being 0.

Fixed an issue on Panorama where commit versions did not display correct data in the config audit page even after a refresh.

(Firewalls with Hub vsys (virtual system) configurations enabled only) Fixed an issue where, when using the Hub vsys feature to redistribute Host Information Profiles (HIP) to a non-Hub vsys, HIP policy enforcement failed intermittently on the active secondary firewall. This occurred when traffic destined for specific non-Hub vsys was routed to the active secondary, and the HIP query was not triggered due to an incorrect check for the HIP mask in the Hub vsys.

Fixed an issue where the hybrid-SWG service proxy stopped working after upgrading to PAN-OS 11.1.6-h13 due to the firewall failing to establish the listening interface.

Fixed an issue where the firewall stopped all tasks due to an OOM condition caused by a scheduled log export using FTP to an external FTP server.

Fixed an issue where renaming a BGP filtering profile in Panorama does not update the corresponding BGP peer group in the virtual router, leading to commit failures.

Fixed an issue on M-200 and logging appliances where traffic logs were intermittently truncated when forwarded using a TCP syslog configuration. This issue occurred during the log forwarding stage due to intermittent syslog drops caused by exceeding the forwarding queue capacity.

Fixed an issue where, after configuring dual stack GlobalProtect with both IPv4 and IPv6 address pools, IPv6 return traffic was dropped with the error message flow-basic error; packet dropped, tunnel resolution failure.

Fixed an issue where the system logs repeatedly displayed the alert Clearing snmpd.log due to log overflow due to the SNMP counters rolling over.

Fixed an issue where the firewall established multiple TCP connections to a syslog server, which caused logs to be dropped. This occurred because the firewall established a new TCP session for each transfer and the sessions were not closed, which resulted in a continuous increase in connections over time.

(PA-7050 firewalls on vwire instances only) Fixed an issue where Bidirectional Forwarding Detection (BFD) echo packets were dropped due to the firewall dropping packets with the same source and destination IP addresses.

Fixed an issue where the all_task process stopped responding.

(VM-Series firewalls on Amazon Web Services (AWS) only) Fixed an issue where the firewall frequently rebooted.

Fixed an issue where the custom completer for device groups and templates received the device group name and template name from the running configuration instead of the candidate configuration.

Fixed an issue on Panorama where a memory leak associated with the configd process occurred during commits, which caused the configd process to restart and the commit to fail.

(VM-Series firewalls only) Fixed an issue where file download speeds and performance was slower than expected for Prisma Access mobile users when SSL decryption was enabled.

To use this fix, run the CLI command debug dataplane set ssl-decrypt fptcp-rto min <100-500>.

Added the CLI command set system setting ctd h323_rtp_predict timeout to increase the maximum timeout limit from 3600 seconds to 65535 seconds.

Fixed an issue where, when multiple scheduled vulnerability reports were sent in the same email, only the first attached report was displayed.

Fixed an issue on the firewall where AIPOs and ADEM licenses failed when SD-WAN or GlobalProtect licenses were not present.

Fixed an issue where, when redistributing User-ID information between firewalls, the receiving firewall incorrectly received and stored duplicate Host Information Profile (HIP) profiles. This occurred when a GlobalProtect gateway redistributed User-ID and HIP information through an intermediate firewall.

Fixed an issue where the MPLS interface eth1/6 went down and remained down, even after replacing the SFP with a supported one and adjusting duplex and speed settings.

(Firewalls in HA active/passive configurations only) Fixed an issue where the firewalls experienced high dataplane CPU use when NAT64 was enabled. This occurred due to NAT64 traffic not being offloaded and unnecessary HA session updates being sent for every NAT64 packet.

Fixed an issue where the Panorama web interface was slower than expected during configuration operations and a configuration lock time out occurred during a commit.

Fixed an issue on Panorama where, after logging in to the web interface as the ZTP installer administrator, the web interface was blank.

Fixed an issue where, when Advanced Routing Engine was enabled firewalls configured with multiple logical routers, static routes were preferred over eBGP routes even though the static routes had a higher administrative distance.

(M-600 Panorama appliances in Log Collector mode in a Log Collector group only) Fixed an issue where the reportd and logd processes stopped responding, which resulted in the Panorama server not receiving logs from firewalls configured under the Log Collector group.

Fixed an issue where the comm process stopped responding due to missing heartbeats, which resulted in a system alert and HA communication loss on slot1.

Fixed an issue where the firewall failed to connect to the Palo Alto Networks update server when using a customized service route with the source interface as MGT.

Fixed an issue where, after upgrading, the firewall incorrectly calculated the UDP checksum for RTP traffic after NAT and Security policy application, which led to dropped packets and silent calls in applications.

Fixed an issue on Panorama where commits took longer than expected.

Fixed an issue on the firewall where the show advanced-routing bgp loc-rib-detail CLI command incorrectly displayed no BGP route when multiple BGP peers were enabled. With this fix, the CLI command requires a peer name to be specified to display local RIB details.

Fixed an issue where syslog forwarding in PAN-OS 11.1 and later releases did not support service routes when performing certificate validation over TLS.

Fixed an issue where the device-group-tags CLI command used an unnecessary configuration read lock.

Fixed an issue where the firewall double-freed shared memory when the shared memory usage reached 100% when sending large payloads. This occurred when DLP, Advanced Advanced Threat Protection (ATP), Advanced WildFire (AWF), or Advanced URL Filtering were enabled.

Fixed an issue on firewalls running PAN-OS 11.1 releases where, after being offboarded from Panorama, the firewall XML configuration file retained template information from the previous Panorama configuration. As a result, when the firewall and its configuration were imported to another Panorama appliance, all configurations in the Network and Device tab became read-only.

Fixed an issue where a simultaneous selective push from Panorama to multiple firewalls with different base configurations resulted in configuration corruption, which caused the firewall to go down.

Fixed an issue where a selective push from Panorama caused the firewall Security policy rules to be removed on firewalls associated with the device group. This occurred when the base configuration version chosen for the selective push preceded the device configuration import operation, which caused the imported configuration to not be included in the pushed configuration.

Fixed an issue where fragmented SSL hello packets were reordered when going out of the SC/ZTT towards the datacenter.

Fixed an issue where the firewall consumed excessive CPU while processing traffic for a workload running on a GKE cluster, which caused reduced throughput.

Fixed an issue where selective push operations did not push certificate changes to the firewall.

Fixed an issue on Palo Alto Networks firewalls running PAN-OS 11.1.6 where the CLI command traceroute ipv4 yes host <host> failed with a missing argument error message.

(Panorama appliances in Log Collector mode only) Fixed an issue where the vm_agent process restarted after an upgrade.

Fixed an issue where the Elasticsearch cluster did not start after deploying dedicated log collectors in a multi-collector environment.

Fixed an issue where ping commands from both the management plane and dataplane interfaces incorrectly prioritized IPv6 addresses over IPv4 addresses, even when IPv6 was disabled. This caused connectivity issues when pinging FQDNs that resolved to IPv6 addresses.

Fixed an issue where the firewall generated high-severity system alerts indicating that the configuration size exceeded the maximum recommended size, even when the configuration size was within the expected limits.

Fixed an issue where searching configuration logs for an audit_uuid did not return a result if the rule was created with a clone operation.

Fixed an issue on HA clusters where, when link and path monitoring was configured and the failover condition was set to all, disconnecting and reconnecting monitored ethernet ports caused the firewall to switch to a nonfunctional role, which resulted in all interfaces except the HA interface going down.

Fixed an issue where the firewall dropped client hello packets when decryption was enabled, which prevented access to certain websites. This occurred when the client hello packet was truncated, the accumulation proxy assumed that the first packet contains at least 5 bytes, or out-of-order packets were waiting in L4 TCP.

Fixed an issue where NAT pool leaks occurred during a test when RTSP traffic hit NAT rules.

Fixed an issue where the all_pktproc process stopped responding, which caused the firewall to unexpectedly restart.

Fixed an issue where service routes configured to use a data plane interface incorrectly used the management plane interface for traffic transmission. This issue affected syslog and CRL status traffic when a custom service route was not configured.

Fixed an issue where the firewall used an unnecessary configuration lock when running operational commands.

Fixed an issue on Panorama where you were unable to delete a shared object due to the rulebase incorrectly referencing the shared object instead of the device group-specific object when the name was used.

To use this fix, delete the original shared object after cloning it to a device group with the same name.

Fixed an issue where a dataplane restart was not triggered as expected when internal packet path monitoring failure occurred.

Fixed an issue on Panorama where the request batch license info CLI command displayed entries for devices that were no longer attached to Panorama.

Fixed an issue where, when the zone protection option anycast-source was enabled, IPv6 traffic with an interface ID of 0 was dropped even if the subnet was not locally configured on the firewall.

Fixed an issue on the firewall where you were unable to configure more than 500 DHCP relay servers even though the supported limit was 4096.

Fixed an issue where the firewall failed to connect to the update server with a customized service route when the source interface was set to MGT and the source address was set as IPv4.

Fixed an issue where URL filtering response pages were not displayed for sites that were blocked as a result of SSL/TLS handshake inspection.

Fixed an issue where the firewall dropped inbount RTP traffic after using Webex Screen Sharing due to the firewall removing the NAT cache when the predict timed out, which caused a new NAT to be established that conflicted with existing sessions. To use this fix, run the CLI command set system setting ctd h323_rtp_predict timeout <120-3600> to increase the timeout limit.

Fixed an issue where the firewall displayed incorrect policy cache usage and configuration memory usage during a commit, which caused the configuration commit to fail with a CONFIG_UPDATE_START error. This occurred when a large number of External Dynamic Lists (EDLs), shared addresses, and policy rules were configured.

Fixed an issue where imported certificates were not visible on firewalls with multi-vsys disabled.

Fixed an issue where GlobalProtect traffic destined for the internet did not follow the path-based forwarding (PBF) rule and was sent out the wrong interface.

(PA-5200 firewalls only) Fixed an issue where the all_pktproc process stopped responding when the firewall was under a heavy traffic load.

Fixed an issue where firewalls did not use the Application Command and Response (ACR) functionality for cloud management, which caused connections to cloud management to drop after a commit.

Fixed an issue with firewalls with SD-WAN policy rules and GlobalProtect gateway configurations where enabling GlobalProtect on a loopback interface caused an issue where IPSec tunnel traffic from the gateway to the client dropped intermittently.