PAN-OS 11.1.10-h5 Addressed Issues
PAN-OS® 11.1.10-h5 addressed issues.
Issue ID | Description |
---|---|
PAN-300906 | Fixed an issue where XML API commands failed with a Method not found (policy_xml) error in dagger.log. The issue was due to missing XML-related functions for inline-cloud-proxy and session-distribution commands in dagger files handling. |
PAN-300096 | Fixed an issue where a local commit on a firewall breaks template stack overrides, preventing the enabling of LACP (Link Aggregation Control Protocol). After a local commit, the LACP enable check was unexpectedly unchecked, causing an outage. Attempting to re-enable LACP through the web interface was unsuccessful, requiring manual removal of the LACP configuration from the Panorama CLI. |
PAN-299785 | (PA-7500 and PA-5450 firewalls in FIPS-CC mode) Fixed an issue where the affected firewalls would boot into maintenance mode when a reboot was initiated from the web interface. This was due to a device reboot triggering a power down to all slots, leading to maintenance mode. A hard reboot would allow the firewall to boot normally. |
PAN-297972 | Fixed an issue where a dataplane crash occurred when traffic matched Inline Cloud Analysis pre-filtering signatures, even when Inline Cloud Analysis features were not enabled. |
PAN-297240 | Fixed an issue where attempting to generate reports in a WildFire FIPS Private Cloud or WF-500 deployment returned 401 errors. |
PAN-296490 | (FIPS CC mode enabled only) Fixed an issue where Panorama on GCP reboots every hour after upgrading to 11.1.6-h10. Panorama will run for up to an hour and then crash. |
PAN-296453 | Fixed an issue where decryption exclusion lists were not working for untrusted certificates, and SSL sessions were still being decrypted even after adding them to the exclusion list. This occurred because the firewall was not adding sessions to the exclude cache until after receiving a non-RFC alert (BadCertificate) from the server. The fix ensures that the first session is added to the exclude cache, allowing subsequent sessions to skip decryption. This issue affects firewalls configured as clients in server-client communication. |
PAN-295944 | Fixed an issue where static routes remained active in the FIB and RIB even when the associated physical port interface was down, which resulted in traffic being incorrectly routed through a non-operational interface. |
PAN-295560 | Fixed an issue where, after upgrading Panorama and Log Collectors, tunnel logs were not visible in Panorama or Splunk even though traffic and threat logs were received. |
PAN-295257 | Fixed an issue where, after onboarding a firewall to Panorama, IPsec tunnels displayed IKEv2 in Panorama, even though the tunnels were configured with IKEv1 locally on the firewall. |
PAN-294893 | Fixed an issue where firewalls with the Send handshake messages to CTD for inspection setting enabled caused incorrect security policy rules to be matched. Specifically, traffic not identified as openai-base or openai-chatgpt applications was incorrectly matched by the ALLOW-OPEN-AI-FULL-ACCESS-URLS-ALERTS rule. Additionally, the expected response page for blocked URLs was not displayed. |
PAN-294770 | (Firewalls in active/passive HA configurations) Fixed an issue on firewalls where, after failover, certain subnets were missing from the Link State Database, which prevented OSPF routes from being immediately learned due to a Type-7 to Type-5 LSA translation conflict in the ABR when the same LSA was advertised by two peers in the NSSA area. |
PAN-294524 | Fixed an issue where firewalls and Panorama management servers were unable to view or download WildFire reports from a WF-500 appliance, resulting in a 401 error in the report tab. |
PAN-292393 | Fixed an issue where TFTP file transfers intermittently timed out in active-active HA pairs when the TFTP control channel was processed by one firewall and the data channel was processed by the other. This occurred because the firewall receiving the data channel failed to match the predicted session due to asynchronous processing of HA messages. |
PAN-291716 | Fixed an issue where PA-460 firewalls experienced out-of-memory (OOM) conditions, leading to device crashes and reboots. |
PAN-291288 | Fixed an issue where the firewall rebooted unexpectedly due to a pan_task process restart related to page allocation failures. |
PAN-290453 | (PA-7500 firewalls only) Fixed an issue where PA-7500 firewalls experienced silent traffic drops. During migration from PA-7050 to PA-7500 firewalls connected in series, intermittent connection losses occurred for some applications. Traffic leaving the PA-7050 was not received or processed by the PA-7500, even with direct connections and replaced cables/SFPs. Global counters did not indicate any drops on the PA-7500. |
PAN-289249 | Fixed an issue where a memory leak occurred on the reportd process when a WildFire update was initiated while device telemetry data collection was in progress. This resulted in an OOM condition. |
PAN-287803 | Fixed an issue where, after upgrading firewalls to PAN-OS 11.1.6-h1, certain websites weren't accessible when the accumulation proxy was enabled. The proxy did not use the same DF bit state as the original traffic, causing it to be fragmented and dropped elsewhere in the network. |
PAN-287782 | Fixed an issue where firewalls configured in vwire mode modified DSCP values from AF11 to CS0 on traffic passing through the firewall, even when QoS policy rules and DSCP rewrite settings were not configured. |
PAN-287622 | Fixed an issue where IPv6 traffic was affected after upgrading the firewall to PAN-OS 11.1.6-h4 and later versions. With SSL decryption enabled and a decryption policy configured for the traffic, the firewall dropped packets due to receiving a Packet Too Big ICMP message. This occurred because the PathMTU information update was incorrect for the TCB (pan-server) when the firewall was acting as a server. Additionally, the flow label under the IPv6 header was set to zero while the packet was being transmitted out of the firewall. |
PAN-287423 | Fixed an issue where content loading issues occurred on IPv6 websites due to the firewall incorrectly setting the IPv6 header flow label to 0. |
PAN-285648 | Fixed an issue where the log receiver process crashed on PA-7050 firewalls due to system log processing threads becoming blocked when the queue was full. This resulted in a heartbeat failure. |
PAN-283053 | Fixed an issue where the firewall experienced high disk space utilization, which caused the firewall to become non-functional. |
PAN-278322 | (VM-Series firewalls on Amazon Web Services (AWS) Gateway Load Balancer (GWLB) deployments only) Fixed an issue where the firewall did not display the correct source user in traffic logs and session details. |
PAN-277034 | Fixed an issue where WildFire reports were not fully displayed and were not downloadable due to static resources not being found. |
PAN-267450 | Fixed an issue where the reportd process stopped responding with a SIGSEGV at schedule_report_es_response. |
PAN-260185 | Fixed an issue where a dataplane crash occurred in Inline Cloud Analysis action lookup because there were no vulnerability or antispyware profiles in the security policy rule. |
PAN-253963 | (Panorama appliances in Panorama mode and Log Collector mode only) Fixed an issue where autocommits took longer than expected to complete. |