PAN-OS 11.1.13 Addressed Issues

PAN-OS® 11.1.13 addressed issues.
Issue ID
Description
PAN-306534
Fixed an issue where the all_task process repeatedly restarted due to memory pool corruption when processing fragmented DNS over HTTPS (DoH) JSON queries. This occurred due to incorrect buffer length calculations during memory deallocation when the query name field spanned multiple packets.
PAN-306502
Fixed an issue where a TLS connection failure occurred when traffic was over TLS 1.2 or below, header insertion was enabled on the firewall, send TLS handshake to CTD was enabled, and traffic hit a decryption policy rule configured with the no-decrypt action.
PAN-306306
(Panorama appliances in FIPS-CC mode only) Fixed interdevice TLS communication failures that occurred with RSA and RSA-PSS signature algorithms across multiple layer 7 application services.
PAN-306226
Fixed an issue where the TLS handshake did not complete and the session did not go through. This occurred if HTTP header insertion applied to an HTTP CONNECT request passing through the firewall, the scan-handshake feature was enabled, the session matched a decryption policy rule with the decrypt action, and the TLS client hello was in a single packet and used TLS 1.2 or below.
PAN-305480
Fixed an issue where the pan_task process stopped responding while processing DoH JSON format traffic with DoH Security enabled, which caused missing cross-packet bytes in the decoded DNS query type field, and the dataplane went down.
PAN-305412
Fixed an issue where the Logging Service License Status displayed a license failure when the license status transitioned from valid to expired and then back to valid, even when the connection to the Security Logging Service (SLS) was working.
PAN-304496
Fixed an issue where, after unregistering an IP tag and registering a different IP tag for the same IP address via XML API, the dynamic address group membership was not updated on the dataplane, which resulted in Security policy rules being enforced incorrectly.
PAN-304229
Fixed an issue on the Panorama web interface where you were unable to disable Lifesize (Templates > Network > Network Profiles > IPSec Crypto).
PAN-303379
Fixed an issue where the show system resources CLI command displayed incorrect CPU usage values that did not add up to 100%.
PAN-303051
Fixed an issue on Panorama where a memory leak occurred related to the reportd process due to retaining memory that was temporarily used for report generation instead of releasing the memory for reuse, which resulted in continuous accumulation and memory exhaustion.
PAN-302567
Fixed an issue where firewalls incorrectly returned the message API Error: Success with the error code 403 instead of the correct message API Error: Invalid Credential when a Cisco-ISE server was being used for MSCHAP-PEAP RADIUS authentication.
PAN-302317
Fixed an issue where the all_task process stopped responding after a commit, which caused the dataplane to reboot repeatedly.
PAN-302127
(Firewalls in active/active HA configurations only) Fixed an issue where adding a 26th floating IP address to an aggregate ethernet interface in one vsys caused IPSec tunnels on another vsys to stop working due to rekeying. This occurred due to the routed process not detecting the unchanged virtual address, uninstalling it, and then reinstalling it, which ended the ikemgr connection on the virtual address.
PAN-302073
Fixed an issue on Panorama where the override icon in Agent Config did not change to the revert icon after reverting a configuration change in a template-stack.
PAN-301942
Fixed an issue where WildFire logs intermittently displayed an incorrect block action for file transfers, even when the WildFire verdict was benign, no threats were detected, and the file downloaded successfully.
PAN-301848
Fixed an issue where websites were incorrectly categorized with high severity alerts (Monitoring > URL Filtering) even though they were assessed as low risk. This occurred due to session information being unavailable during logging.
PAN-301801
Fixed an issue on Log Collectors where the Elasticsearch process fluctuated intermittently between green and red states, which led to interruptions in log collection. This issue occurred when the number of shards exceeded the cluster's maximum supported threshold of greater than 1000 shards per Elasticsearch instance.
PAN-301430
Fixed an issue where the web server did not specify the content type in the header for font files, which could allow a browser to misinterpret the content and potentially lead to cross-site scripting (XSS) vulnerabilities.
PAN-301386
Fixed an issue where BFD echo packets were dropped on Vwire interfaces due to being incorrectly detected as a land attack when the source and destination ports of the BFD packets were different.
PAN-301305
(Firewalls in HA configurations only) Fixed an issue where the all_task process stopped responding and caused the passive firewall to reboot.
PAN-301290
Fixed an issue on the Panorama web interface where a custom administrator with device group and template permissions was unable to upgrade devices to non-preferred releases due to the options to uncheck base and preferred releases not being displayed.
PAN-300637
(VM-Series firewalls on Microsoft Azure environments only) Fixed an issue where the firewall unexpectedly rebooted due to repeated varrcvr process restarts.
PAN-300617
Fixed an issue where the Elasticsearch cluster status displayed as red due to unassigned shards, which prevented logs from updating.
PAN-300548
Fixed an issue where using the IKEv2 multiplier setting for VPN re-authentication resulted in the firewall not re-authenticating at the expected intervals when both sides initiated rekeying. The internal re-authentication counter incremented when the local side triggered the rekey, but not when the peer side triggered it.
PAN-300138
Fixed an issue where DNS queries stalled or repeatedly timed out due to multiple DNS responses with different CNAME values causing evasion false positive alerts.
PAN-299915
Fixed an issue where the Elasticsearch cluster health status displayed as red on dedicated log collectors due to an expired Elasticsearch CC certificate, which prevented log visibility from Panorama.
PAN-299615
Fixed an issue where, when the Network Packet Broker feature was enabled, forward TLS (non-decrypted) traffic was not working as expected when there were segmented client hellos and a no-decrypt rule existed. This issue occurred when Zone Protection profiles were configured for trust/untrust zones but not attached to NPB zones.
PAN-299450
Fixed an issue where PAN-OS logrotate did not rotate large log files until the cron.daily process ran, which resulted in the root partition filling up.
PAN-299228
Fixed an issue where a session process consumed excessive CPU resources, even when Data Loss Prevention (DLP) was not enabled. This occurred due to the active threat list being iterated twice when active threats were present in the session.
PAN-299193
Fixed an issue on the firewall where, after upgrading, autocommits repeatedly failed until after a second reboot due to a timing issue between content loading on the management plane card (MPC) and the log receiver startup.
PAN-299161
Fixed an issue where the bytes number overflowed for a specific application, which caused Network Monitor graphs to display an unexpectedly large volume of traffic.
PAN-298907
Fixed an issue on PA-VM in AWS where, in a two-arm deployment integrated with Gateway Load Balancer (GWLB), the firewall did not preserve the GENEVE source port for internet traffic, resulting in increased latency. The fix ensures the firewall preserves the outer UDP source port of GENEVE encapsulation when sending traffic back to GWLB.
PAN-298684
Fixed an issue where an Application Override policy rule was not applied using an IPv4 source IP address with IPv6 enabled and Network > Zones > Pre-NAT Identification enabled.
PAN-298460
(Panorama appliances in HA configurations on Microsoft Azure environments only) Fixed an issue on the web interface where the plugin versions that were displayed when hovering the cursor over the Green Match icon were inconsistent even though the Panorama web interface reported the versions as matching.
PAN-298288
Fixed an issue where traffic loss occurred when two aggregate ethernet interfaces were configured as vwire with only one member link active in the aggregate ethernet interface, which occurred due to incorrect logic in the active port map of AE interfaces.
PAN-298279
Fixed an issue where Panorama administrators defined in a SAML Identity Provider (IdP) were unable to authenticate if their username exceeded 32 characters, and the system logs displayed the failed authentication attempt with a truncated username.
PAN-298000
Fixed an issue where the useridd process stopped responding after an upgrade, which led to high packet buffer congestion and an OOM condition.
PAN-297975
Fixed an issue where Panorama was unable to push the Trusted Root CA configuration to Log Collectors via a Collector Group push due to the Log Collector not supporting the trusted-root-CA configuration.
PAN-297963
Fixed an issue where PA-400 Series firewalls were not properly caching DNS responses for FQDN objects. The firewall was observed to repeatedly send DNS requests for the same FQDN objects every 10-15 seconds, even after receiving valid responses, despite the minimum FQDN refresh interval being set to a much higher value. This resulted in excessive DNS queries originating from the firewall's management interface.
PAN-297775
Fixed an issue where, after upgrading to an affected PAN-OS release, the Visible Virtual System field referenced the vsys name instead of the vsys ID, which caused inter-vsys routing to fail. This occurred when a vsys display name matched one of the vsys IDs. If you're using a multivsys environment, you must upgrade your firewalls to a fixed PAN-OS version. The best practice is to upgrade both the firewalls and Panorama to a fixed PAN-OS version.
If you don't upgrade Panorama to a fixed version, you'll encounter PAN-245064, where a commit on a multivsys firewall fails with the message vsys name should end with a number vsys is invalid after you Export or push device config bundle from 11.1.1 Panorama.
After you upgrade Panorama to a fixed version, you'll encounter PAN-214177, which causes an Export or Push device config bundle from Panorama to the firewall to fail. The workaround for PAN-214177 is to first push only the template configuration and then push the device group configurations.
PAN-297774
Fixed an issue on the web interface where the TLS Version was misspelled as TLS Vesrion (Device > Server Profiles > Email).
PAN-297530
Fixed an issue where, after a failover event, a static default route redistributed into BGP was not advertised to peers until the redistribution profile was removed and re-added.
PAN-297321
(Firewalls in active/active HA configurations only) Fixed an issue where return packets from a phone gateway looped between the HA pair instead of being encapsulated into the GlobalProtect tunnel. This occurred when the inner session and the outer IPSec tunnel terminated on different nodes, which led to excessive retries and packet drops.
PAN-297295
(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where the firewall repeatedly restarted due to high packet rates on the synthetic path in DPDK mode.
PAN-297005
Fixed an issue where exporting custom reports resulted in empty CSV files.
PAN-296752
(PA-1410 Firewalls only) Fixed an issue where the firewall experienced high management CPU usage and repeatedly rebooted when attempting to retrieve SMART data.
PAN-296749
Fixed an issue where email alerts sent from the firewall were marked as spam due to the EHLO header containing only the firewall hostname and not the fully qualified domain name (FQDN).
PAN-296635
Fixed an issue where the reportd process on passive Panorama management servers leaked memory due to scheduled report handling from the Strata Logging Service (SLS). This memory leak occurred daily, consuming available memory until the process was restarted.
PAN-296616
Fixed an issue where, when a PBF policy rule with a monitoring profile was configured, the intermediate firewall dropped the PBF monitoring traffic, which caused the PBF rule to remain disabled on the local firewall.
PAN-296598
Fixed an issue where EAL logs were not forwarded to the IoT Security dashboard when the proxy server password contained special characters.
PAN-296397
Fixed an issue on the Panorama web interface where changes previewed after a commit to shared objects were not accurately displayed in the push scope.
PAN-296224
(Firewalls in active/active HA configurations only) Fixed an issue where adding a 26th floating IP address to an aggregate interface on one vsys caused IPSec tunnels in another vsys to stop working due to rekeying issues.
PAN-296208
Fixed an issue where the firewall did not accept address groups in the filter condition of a Log Forwarding Match list.
PAN-296020
Fixed an issue where commit operations failed during phase 1 when configuring a non-default value for the Graceful Restart Hello Delay due to an FRR parse error if the configured value was between 1 and 9.
PAN-295838
Fixed an issue on IKEv1 tunnels where, if the peer IKE gateway was unreachable, the IKE Phase-1 Security association (SA) was not cleared by DPD until Phase-2 rekeying occurred or until it was manually cleared via the CLI because the DPDs were not sent accurately according to the configured interval due to a miscalculation of the DPD timer. This resulted in the tunnel taking longer than expected to recover.
PAN-295578
Fixed an issue where GlobalProtect HIP data file download and installation failed with the error message An error occurred while processing request. Please try again after some time or contact support or No ETAG from response due to a script exiting prematurely.
PAN-295484
Fixed an issue where SD-WAN did not generate system logs with timestamps and reasons for degradation of Direct Internet Access paths.
PAN-295470
Fixed an issue on the firewall where the useridd process continuously increased its memory consumption, which resulted in an OOM condition that caused the firewall to restart.
PAN-294770
(Firewalls in active/passive HA configurations) Fixed an issue on firewalls where, after failover, certain subnets were missing from the Link State Database, which prevented OSPF routes from being immediately learned due to a Type-7 to Type-5 LSA translation conflict in the ABR when the same LSA was advertised by two peers in the NSSA area.
PAN-294307
Fixed an issue on Panorama where a configd SIGSEGV crash occurred when renaming objects within policy rules, objects, or zones.
PAN-294161
Fixed an issue where the firewall rebooted unexpectedly due to the useridd process restarting and causing an HA failover. This occurred due to the configd process timing out when running the CLI command show user user-id-agent config all.
PAN-294123
Fixed an issue where the firewall removed all Infrastructure and Audit logs, as well as logdb and search engine quotas, when the configured retention period was reached instead of only removing logs older than the configured retention period.
PAN-293879
Fixed an issue on the firewall where the VM monitor source remained in the Getting All status, which prevented dynamic address groups from updating IP addresses for new EC2 instances. This issue occurred due to a race condition where two threads that simultaneously retrieved IP address tag information from AWS VM monitoring sources became stuck while reading the XML file.
PAN-293847
Fixed an issue where EAL logs for traffic matching the intrazone-default security rule were not forwarded to the IoT Security portal.
PAN-293574
Fixed an issue on Panorama where Global Find returned incomplete and inconsistent search results.
PAN-293428
Fixed an issue where the interval of IKEv1 Dead Peer Detection (DPD) R-U-THERE packets did not correspond to the configured value in the IKE Gateway profile due to using the value configured for retry instead.
PAN-293297
Fixed an issue on Panorama where a full push to device groups was initiated instead of a selective push when using Commit and Push Changes Made By in the commit and push.
PAN-292471
Fixed an issue where the default route (0.0.0.0/0) advertised via the Originate Default Route in BGP AFI profiles did not appear in the output of the show advanced-routing bgp peer advertised-routes CLI command, even though it was being sent to the BGP peer.
PAN-292261
Fixed an issue where the firewall repeatedly reported an unreachable syslog server as back online when the server remained unavailable. This resulted in misleading alternating connection status messages in the system logs.
PAN-291915
Fixed an issue on the firewall where the PDT process experienced a memory leak due to frequent dumping of fabric traffic statistics, which resulted in high CPU utilization and instability.
PAN-291804
Fixed an issue on Panorama where deleting objects resulted in errors indicating references in Security policy rules.
PAN-291661
Fixed an issue on Panorama appliances and Log Collectors where, after an upgrade, Elasticsearch intermittently entered into a Red state before automatically recovering.
PAN-291660
Fixed an issue where the firewall incorrectly reported the speed of 25G interfaces as 1G when queried using SNMP for the ifHighSpeed OID.
PAN-291653
Fixed an issue where the GlobalProtect host ID field was intermittently blank in traffic logs on Prisma Access, even when the user was connected and had the correct host ID information. This occurred when the IP address to host ID entry expired and the entry was re-inserted without the dataplane flag being set.
PAN-291273
Fixed an issue where a PA-VM-Flex firewall in an air-gapped environment failed to install the license when bootstrapping after a factory reset when the ISO image contained a PAN-OS image.
PAN-291009
Fixed an issue where, after a web server returned a 401 or 403 error, the firewall was unable to decrypt HTTP/2 traffic, and the firewall rejected all subsequent streams from the client.
PAN-290681
Fixed an issue on Panorama and Panorama managed firewalls where template settings reverted during a device group push when Include Device and Network Templates was checked, even if no changes were made to the template. This caused the SAML IDP server profile certificate to revert to an older, invalid certificate, and resulted in GlobalProtect users being unable to authenticate via SAML.
PAN-290665
Fixed an issue with firewalls enabled with Security profiles where certain traffic conditions caused high dataplane CPU utilization and packet buffer exhaustion, which caused LACP flapping conditions.
PAN-290640
(VM-Series firewalls on Microsoft Azure environments in HA configurations only) Fixed an issue where, when an interface was configured with IPv6, the firewall displayed the message Unknown error during validation after the client secret expired, which caused DNS resolution to fail when resolving FQDNs and HA failovers to occur.
PAN-289578
Fixed an issue on Panorama managed firewalls where the source user, source device vendor, source MAC address, and OS version information were not visible in traffic logs and SCM when the user and device access control lists were empty.
PAN-289067
Fixed an issue where, after upgrading Panorama in a High Availability (HA) pair, the configuration logs stopped synchronizing from the primary Panorama to the secondary Panorama. This issue occurred because the log forwarding flag was permanently disabled due to the connection state not being active when the log-fwd-ctrl message was received.
PAN-288938
Fixed an issue on the Panorama web interface where the search bar suddenly was not displayed, or the filter/clear filter icon moved to the left of the search bar.
PAN-287713
Fixed an issue on Panorama where, after uninstalling a plugin, commit validation failed with the error message interface '-' is not a valid reference due to cloud service plugin configuration errors.
PAN-287581
(Firewalls in active/passive HA configurations only) Fixed an issue where the firewall did not process and transmit HA path monitoring probes received from another HA cluster when the firewall acted as a gateway for internal monitoring IP addresses used in the HA path monitoring group, which caused HA flapping due to path monitoring failures.
PAN-286555
Fixed an issue where PA-VM-Flex firewalls bootstrapped in an air-gapped environment did not display premium partner and threat prevention licenses.
PAN-286297
Fixed an issue where the firewall did not respond to ARP requests when a subinterface was configured with source address translation using the Translated Address option.
PAN-282961
Fixed an issue where the firewall rebooted unexpectedly after a commit due to a memory leak related to the rasmgr process and displayed the error message Management server failed to send phase 1 to client l2ctrld before rebooting.
PAN-282687
Fixed an issue on Panorama where performing a selective revert of configuration changes resulted in all configuration changes being reverted.
PAN-278611
Fixed an issue on Panorama where software images were not purged from the /opt/pancfg/mgmt/sw-images folder.
PAN-276525
Resolved multiple issues affecting IPSec tunnels using NAT Traversal (NAT-T) when a Dynamic NAT policy was configured (including Dynamic NAT or DIPP). During rekey events, tunnels could go down or flap due to incorrect session handling. This issue impacted both cluster and standalone deployments.
PAN-274742
(VM-Series firewalls only) Fixed an issue where the task-queue dump CLI command returned incorrect information in multi-nic mode.
PAN-272432
Fixed an issue where Panorama and Cortex Data Lake (CDL) logs displayed incorrect interface names without node IDs for cluster firewalls.
PAN-267965
(Firewalls on Amazon Web Services (AWS) environments only) Fixed an issue where newly bootstrapped firewalls sent an incorrect, non-DHCP-assigned hostname to the SNMP server. This occurred because the SNMP process referred to a configuration file that was not updated due to a missing configuration commit.
PAN-262353
Fixed an issue where, when Panorama was upgraded to PAN-OS 10.2.10, and log collectors were on PAN-OS 10.2.9-h1, logs from a log collector group were not viewable on a Panorama.
PAN-254946
Fixed an issue where the firewall HA2 keep-alive went down multiple times without a specific reason.
PAN-229976
Fixed an issue where, when FRR was enabled, routes that were advertised to eBGP peers incorrectly had the Community attribute set to graceful-shutdown.