PAN-OS 11.1.12 Addressed Issues

PAN-OS® 11.1.12 addressed issues.
Issue ID
Description
PAN-303737
Fixed an issue where XML API commands failed with a Method not found (policy_xml) error in dagger.log. The issue was due to session-distribution commands in dagger files handling.
PAN-300916
Fixed an issue where Panorama management servers failed to forward syslog messages via TLS to a syslog server when DNS resolution for IPv6 addresses failed, and the system did not automatically fall back to IPv4.
PAN-300906
Fixed an issue where XML API commands failed with a Method not found (policy_xml) error in dagger.log. The issue was due to missing XML-related functions for inline-cloud-proxy.
PAN-300837
Fixed an issue where firewalls experienced multiple reboots due to the pan_task process restarting with a SIGSEGV signal. This occurred because the client-to-firewall side assumed TLS 1.3 for the firewall-server side.
PAN-300612
(PA-7500 firewalls only) Fixed an issue where the firewall incorrectly reported the speed of 400G interfaces as 1G when queried using SNMP.
PAN-300096
Fixed an issue where a local commit on a firewall broke template stack overrides, preventing LACP (Link Aggregation Control Protocol) from being enabled. After a local commit, the LACP enable check box was unexpectedly unchecked, causing an outage. Attempting to re-enable LACP through the web interface was unsuccessful, requiring manual removal of the LACP configuration from the Panorama CLI.
PAN-299815
Fixed an issue on multi-vsys firewalls where a host was not removed from the quarantine list after receiving a redistribution message from Panorama. This occurred when Panorama was configured to redistribute quarantine messages to a firewall cluster, and the GlobalProtect configuration and redistribution were built out in a vsys other than vsys1.
PAN-299785
(PA-7500 and PA-5450 firewalls in FIPS-CC mode) Fixed an issue where the affected firewalls would boot into maintenance mode when a reboot was initiated from the web interface. This was due to a device reboot triggering a power down to all slots, leading to maintenance mode. A hard reboot would allow the firewall to boot normally.
PAN-299772
(VM-Series firewalls in active/passive configurations only) Fixed an issue where, after an HA failover event, the DHCP client interfaces on the newly active firewall failed to obtain IP addresses automatically. This occurred because the DHCP client processes did not initiate the necessary DHCP discover or renew requests.
PAN-298654
Fixed an issue where the firewall generated false positive threat logs during updates to a large domain list (EDL) when a DNS lookup for a domain being added or removed occurred during the update process. This resulted in a threat log being generated for a different, unrelated domain that remained on the list.
PAN-298505
Fixed an issue where, after upgrading an HA pair of PA-7050 firewalls, the vsys ID changed in sequence, causing autocommit failures with validation errors. This occurred when the multi-vsys firewall had virtual systems created and pushed from Panorama, and the vsys ID was not in a correct sequence because the unused vsys was deleted from Panorama and pushed to devices.
PAN-297972
Fixed an issue where a dataplane crash occurred when traffic matched Inline Cloud Analysis prefiltering signatures, even when Inline Cloud Analysis features were not enabled.
PAN-297797
Fixed an issue where, during a refresh of a large External Dynamic List (EDL), traffic that matched a domain on the list was incorrectly identified as a different domain, which resulted in false positive threat logs.
PAN-297759
Fixed an issue on PA-7500 firewalls running in a cluster where sub-interfaces were not discoverable via SNMP, which prevented proper monitoring and statistics collection for sub-interfaces using SNMP-based tools.
PAN-297708
Fixed an issue where a long-lived session with many Machine Learning (ML) model triggers caused a memory leak of feature states associated with the ML model runs. This resulted in Spyware_State failure increases, allocation max outs, and impaired policy matching.
PAN-297610
Fixed an issue where the firewall became unresponsive after an upgrade due to the fsck command scanning drive partitions in parallel with the root partition, which caused the process to take an extended amount of time.
PAN-296490
(FIPS-CC mode enabled only) Fixed an issue where Panorama on GCP rebooted every hour after upgrading to 11.1.6-h10. Panorama ran for up to an hour and then crashed.
PAN-296453
Fixed an issue where decryption exclusion lists were not working for untrusted certificates, and SSL sessions were still being decrypted even after adding them to the exclusion list. This occurred because the firewall was not adding sessions to the exclude cache until after receiving a non-RFC alert (BadCertificate) from the server. The fix ensures that the first session is added to the exclude cache, allowing subsequent sessions to skip decryption. This issue affects firewalls configured as clients in server-client communication.
PAN-295221
Fixed an issue where, after upgrading Panorama and Log Collectors from PAN-OS 10.2.9 to PAN-OS 11.1.6-h6, Traffic and Threat logs were not forwarded to a Splunk server over UDP.
PAN-294893
Fixed an issue where firewalls with the Send handshake messages to CTD for inspection setting enabled caused incorrect Security policy rules to be matched. Specifically, traffic not identified as openai-base or openai-chatgpt applications was incorrectly matched by the ALLOW-OPEN-AI-FULL-ACCESS-URLS-ALERTS rule. Additionally, the expected response page for blocked URLs was not displayed.
PAN-293848
Fixed an issue where Panorama failed to push the default value of None for the secondary NTP server address to managed firewalls, resulting in a commit validation error. This occurred even when configuring the secondary NTP server address as None in Panorama's web interface, and affected both newly deployed and long-standing production firewalls after upgrading.
PAN-292447
Fixed an issue where Panorama did not display data in the Feature Adoption tab in Strata Cloud Manager due to the system creating and deleting a CLI user for each interval instead of reusing a permanent CLI user for telemetry.
PAN-292393
Fixed an issue where TFTP file transfers intermittently timed out in active-active HA pairs when the TFTP control channel was processed by one firewall and the data channel was processed by the other. This occurred because the firewall receiving the data channel failed to match the predicted session due to asynchronous processing of HA messages.
PAN-291716
Fixed an issue where PA-460 firewalls experienced out-of-memory (OOM) conditions, leading to device crashes and reboots.
PAN-291174
Fixed an issue where Real Time Streaming Protocol (RTSP) video streams did not work when connected through GlobalProtect due to the firewall blocking 200 OK responses. This occurred because of incorrect NAT translations for the 200 OK message from the server.
PAN-291067
Fixed an issue where the devsrvr process periodically exceeded its virtual memory limit and restarted, which led to intermittent outages.
PAN-290453
Fixed an issue where PA-7500 firewalls experienced silent traffic drops. During migration from PA-7050 to PA-7500 firewalls connected in series, intermittent connection losses occurred for some applications. Traffic leaving the PA-7050 was not received or processed by the PA-7500, even with direct connections and replaced cables/SFPs. Global counters did not indicate any drops on the PA-7500.
PAN-289714
(Prisma Access only) Fixed an issue where persistent commit failures occurred due to a missing transformation script when downgrading from PAN-OS 10.2.0 to PAN-OS 10.1.0.
PAN-288388
Fixed an issue where, after an EDL certificate update or repository migration, authentication failures caused the firewall to not fall back to the last successfully cached EDL entries, which led to policy rules that referenced the EDL not being enforced.
PAN-287803
Fixed an issue where, after upgrading firewalls to PAN-OS 11.1.6-h1, certain websites weren't accessible when the accumulation proxy was enabled. The proxy did not use the same DF bit state as the original traffic, causing it to be fragmented and dropped elsewhere in the network.
PAN-287693
Fixed an issue where Panorama did not use the configured proxy settings to check WildFire private cloud content and instead connected directly to the WildFire device using the management interface. This occurred even when Use Proxy Settings for Private Cloud was enabled.
PAN-287622
Fixed an issue where IPv6 traffic was affected after upgrading the firewall to PAN-OS 11.1.6-h4 and later versions. With SSL decryption enabled and a decryption policy configured for the traffic, the firewall dropped packets due to receiving a Packet Too Big ICMP message. This occurred because the PathMTU information update was incorrect for the TCB (pan-server) when the firewall was acting as a server. Additionally, the flow label under the IPv6 header was set to zero while the packet was being transmitted out of the firewall.
PAN-285648
Fixed an issue where the log receiver process crashed on PA-7050 firewalls due to system log processing threads becoming blocked when the queue was full. This resulted in a heartbeat failure.
PAN-285315
Fixed an issue on Panorama where the log forwarding queue depth was not accurately displayed in the logd.log files.
PAN-285169
Fixed an issue on Panorama where Kerberos superusers were unable to edit policy rules because the target device tab was grayed out.
PAN-272245
Fixed an issue where the dnsproxy process crashed due to memory corruption caused by a race condition when the allow list download was impacted by a configuration change.
PAN-267704
Fixed an issue where the firewall did not send an ICMP error packet to Envoy when the MSS was exceeded.
PAN-267450
Fixed an issue where the reportd process stopped responding with a SIGSEGV at schedule_report_es_response.
PAN-262444
Fixed an issue where the firewall did not refresh the external dynamic list. This occurred because the first entry in the list was removed from the global external list, which caused the refresh to break out of the loop.
PAN-251646
Fixed an issue where commits failed with the error message Error: Error unserializing profile objects. This occurred due to memory allocation issues when a large number of scan profiles were configured.