Fixed an issue where the firewall experienced increased packet drops and slower performance after an upgrade due to high burst traffic.

(VM-Series firewalls only) Fixed an issue where the dataplane restarted due to a segmentation fault.

Fixed an issue where config-lock was not displayed on the web interface.

(Panorama managed firewalls in HA configurations only) Fixed an issue where firewalls incorrectly updated the modified date and MD5 hash of policy rules during an HA sync commit job or a subsequent local commit, even when no changes were made to the policy rules.

Fixed an issue where the Elasticsearch Close Indices process closed more indices than expected and dropped the number of open shards below the minimum of 800 per Elasticsearch instance. This occurred because the process did not correctly account for the number of Elasticsearch instances when calculating the maximum number of allowed open shards.

(VM-Series firewalls on AWS environments only) Fixed an issue where, after upgrading the firewall to an affected release, GlobalProtect clients did not connect with IPSec and instead connected using SSL due to traffic flow being disabled when checking for health check packets.

(Panorama appliances and Panorama virtual appliances only) Fixed an issue where the configd process restarted when committing and pushing configuration for a new WildFire cluster.

Fixed an issue where OSPF and BGP outages occurred due to an all_task process restart during clientless VPN content rewrite processing.

Fixed an issue where the Cloud User-ID connection timed out because the firewall took too long to process the OCSP response.

Fixed an issue where the firewall entered a non-functional state due to segmentation fault within the all_pktproc process that was caused by a session that involved http2 cleartext traffic

Fixed an issue where inter-dataplane forwarding did not work for sessions ingressing on Slot 2, which resulted in intermittent ping failures to interfaces on Network Card 2 when traffic was forwarded to Slot 3. Note: With this fix, after a slot restart, the global counter will still show dot1q errors for a short period.

(Panorama managed firewalls in HA configurations only) Fixed an issue where the HA-Link-Monitor configuration pushed from Panorama was converted to a local configuration on the peer device after an HA sync, which caused subsequent Panorama pushes of link monitor changes to be flagged as overwritten, and a forced template push or manual clearing of the configuration on the firewall was required.

Fixed an issue where, when SD-WAN SaaS Application path monitoring failed for all interfaces, the firewall stopped forwarding traffic even if the ISP links and default gateway probing were still active.

(VM-Series firewalls with multiple NICs only) Fixed an issue were the queue count in the task dump displayed an incorrect number of queues for SR-IOV interfaces due to the queue mapping logic incorrectly using a non-multi-NIC function.

Fixed an issue where DNS Security threat logs were not displayed on the firewall when packet capture was enabled and the domain name length was 62 characters.

(VM-Series firewalls only) Fixed an issue where the task-queue dump CLI command returned incorrect information in multi-nic mode.