PAN-OS 11.1.16 Addressed Issues
Focus
Focus

PAN-OS 11.1.16 Addressed Issues

Table of Contents

PAN-OS 11.1.16 Addressed Issues

Lists the addressed issues in PAN-OS 11.1.16.
The following table lists the addressed issues in PAN-OS 11.1.16.
Issue ID
Description
PAN-327009
Fixed an issue where the all_task process stopped responding.
PAN-326677
Fixed an issue where a selective push from Panorama to the firewall was successful even when applying rename operation failed in selective push, which resulted in configurations on the firewall being deleted. With this fix, the selective push will fail when applying rename operation fails.
PAN-326354
Fixed an issue where the sslmgr process stopped responding when attempting to display the OSCP host cache.
PAN-324370
Fixed an issue where IDE traffic did not function as expected when both HTTP head insertion and DLP inspection were enabled.
PAN-323485
Fixed an issue where multicast radio RTP based traffic was dropped after an upgrade when the firewall performed Cloud Inline inspection, which led to an exceeded session queue for Cloud Threat Detection.
PAN-321816
Fixed an issue where processes stopped responding unexpectedly.
PAN-321699
Fixed an issue where device telemetry intermittently failed to send files, which resulted in critical alerts in system files.
PAN-321527
(PA-7500 firewalls in HA cluster configurations only) Fixed an issue where, when one firewall suspended operations, the other firewall also suspended operations instead of initiating a failover, which resulted in a complete traffic outage.
PAN-321516
Fixed an issue where the dataplane restarted due to a race condition in the dataplane cache infrastructure.
PAN-321340
(Firewalls in FIPS mode only) Fixed an issue where GlobalProtect unexpectedly prompted for RADIUS authentication instead of client certificate authentication due to an OSCP validation error and subsequent CRL verification failure, which led to certificates being marked as invalid.
PAN-321060
Fixed an issue where an ethernet interface remained in a down state after repeated automated enable/disable cycles and required manual intervention, which resulted in backup outages.
PAN-320598
Fixed an issue where internal and external DNS names did not resolve when connected to a GlobalProtect gateway.
PAN-320245
(PA-7500 Series firewalls in vwire mode only) Fixed an issue where Oracle application traffic was intermittently not processed even though connected devices sent the traffic, which led to service distruptions.
PAN-319793
Fixed an issue where, after upgrading to PAN-OS 12.1.5, GlobalProtect Clientless VPN failed to access JavaScripts.
PAN-319504
Fixed an issue where telemetry data was not sent to the cloud due to the firewall being unable to resolve the destination server's FQDN even when a proxy server was configured. With this fix, the firewall properly sends telemetry data through the configured proxy server without requiring direct public DNS resolution for the telemetry server's FQDN.
PAN-319419
(Firewalls in active/passive HA configurations only) Fixed an issue where active firewalls were unable to send device telemetry data to CDL.
PAN-319352
Fixed an issue where the firewall rebooted unexpectedly without any configuration or power changes.
PAN-319343
(Prisma Access Gateways only) Fixed an issue where the global management plane stopped responding, which caused SSH and HTML disconnections, HIP database lookup failures, and significantly slower SCM commits. This occurred when egress IP allow listing was enabled in SCM and changes were made to EDLs.
PAN-319288
Fixed an issue where a DPC in Slot 4 restarted repeatedly, which caused internal path monitoring failures and a failover event.
PAN-319228
Fixed an issue where External Dynamic List (EDL) refresh and commit operations remained in a pending state, which prevented any subsequent operations from completing.
PAN-318580
Fixed an issue where processes restarted and the firewall unexpectedly rebooted when you configured a Security policy rule with Source Device > quarantine.
PAN-318382
(Firewalls in HA configurations only) Fixed an issue where the secondary firewall remained at an Initial state after an upgrade.
PAN-318120
Fixed an issue where SSL traffic was silently dropped when traffic was processed by a Security policy with an Anti-Spyware profile that had Inline cloud Analysis enabled for SSL C2 Detector with an action other than allow or alert.
PAN-318106
Fixed an issue where SCM did not update device telemetry for the firewall after upgrading to an affected release.
PAN-317755
Fixed an issue on Panorama where selective push operations failed when plugin configurations included access-domain or log-collector references.
PAN-317648
(PA-5450 firewalls and PA-7000 Series firewalls with 100G NPCs only) Fixed an issue where intermittent packet loss occurred when traversing the dataplane after upgrading the firewall. This occurred when a dataplane HA interface was configured in an environment where Slot 1 was unpopulated , which resulted in a wildcard entry being created within the QMAP table.
PAN-317614
Fixed an issue where high throughput and increased packet rates caused high dataplane CPU usage.
PAN-316435
Fixed an issue where the firewall restarted unexpectedly due to an OOM condition after upgrading to an affected release.
PAN-316120
Fixed an issue where, after Advanced Routing was enabled, the firewall advertised routes to internal BGP neighbors with the original external BGP next-hop address.
PAN-315337
Fixed an issue where GlobalProtect throughput was reduced after an upgrade.
PAN-315326
(PA-7500 firewalls only) Fixed an issue where zone protection threshold values per dataplane were unexpectedly low.
PAN-315314
Fixed an issue where, when a push operation from Panorama to the firewall failed, accounting logs stopped forwarding.
PAN-315160
(PA-7500 firewalls only) Fixed an issue where internal path monitoring logs incorrectly reported internal path monitoring failures when they did not occur.
PAN-314776
Fixed an issue where the configd process stopped responding after pushing configuration changes from Panorama to the firewall.
PAN-314623
(Firewalls in active/passive HA configurations only) Fixed an issue where, after a failover, routing information within OSPF protocol was not correctly translated or propagated, which affected network path convergence and FRR capabilities.
PAN-314512
Fixed an issue where the GlobalProtect portal became inaccessible when the dataplane was configured with a DHCP assigned IP address.
PAN-314104
Fixed an issue where running BCM counter commands from the administrative shell did not consistently return output, and commands to modify queue sizes did not take effect.
PAN-313787
Fixed an issue where some system log filters with the eventid operator for a BGP event did not work.
PAN-313606
Fixed an issue where Panorama pushed commits took longer than expected to complete without displaying an error message when committing due to slow cloud-app compilation.
PAN-313575
Fixed an issue where 10G connections on built-in RJ45 interfaces (ethernet1/1 through ethernet1/5) intermittently experienced interface flapping when connected to Cisco switchports.
PAN-313523
Fixed an issue where generating a tech support file caused GlobalProtect users to be forcibly logged out.
PAN-313443
Fixed an issue where firewalls acting as an accumulation proxy sent a server hello with an earlier TCP timestamp value than a preceding ACK packet, which prevented successful session establishment. This occurred when the client hello messages were split across multiple network segments.
To use this fix, run the CLI command debug dataplane set ssl-decrypt accumulate-client-hello ts-relay yes.
PAN-313218
Added the following CLI commands to address QoS packet drops due to bursty traffic:
  • debug dataplane set qos-setting qos-param qlimit 300
  • debug dataplane set qos-setting qos-param red low 50 high 90
To utilize this fix, change the parameters, disable QoS, commit changes, enable QOS, and then re-commit changes.
PAN-313036
Fixed an issue where the firewall dataplane continuously accumulated packets in the ctd_pkt_queue and packet buffers, which caused resource exhaustion and prematurely terminated sessions.
PAN-312442
Fixed an issue where 403 errors occurred when performing "show config effective-running" API query after downgrading to an affected PAN-OS release.
PAN-312330
(Firewalls in active/passive HA configurations only) Fixed an issue where the Clientless VPN applications failed to load due to the firewall dataplane incorrectly processing session information.
PAN-312157
Fixed an issue where, during a commit, the firewall intermittently stopped sending SNMP messages, which caused interface counters to stop updating for brief periods of time.
PAN-311658
Fixed an issue where the reportd process stopped responding, which caused the firewall to reboot.
PAN-311419
Fixed an issue where the recommended filter for identifying traffic from unidentified users in traffic logs reported an incorrectly low number of results.
PAN-310240
Fixed an issue where software packet buffers were completely utilized when performing a Data Loss Prevention longevity test.
PAN-308876
Fixed an issue where upgrades to managed firewalls from Panorama failed.
PAN-308775
(Firewalls in active/passive configurations only) Fixed an issue where NTP status intermittently showed as rejected on the active firewall, which prevented the firewalls from synchronizing time.
PAN-308444
Fixed an issue where pushing multiple policy rules failed when the policy rules contained a large number of dynamic address object groups or user groups.
PAN-307190
Fixed an issue where LED indicators on combo ports remained off even when the network link was active.
PAN-304360
Fixed an issue where the firewall did not redistribute its application routes to BGP peers. This occurred in multi-mesh deployments with the multi-cloud networking feature enabled.
PAN-295082
Fixed an issue on the Panorama web interface where you were unable to delete or change a logical router for tunnel, SD-WAN, VLAN, or loopback interfaces under a template.
PAN-289460
Fixed an issue where the timestamp value in SNMPv3 trap headers was incorrect.
To use this fix, run the CLI command debug log-receiver enginetime-from-snmptime yes.
PAN-286386
Fixed an issue where GlobalProtect users were unable to connect
PAN-285327
Fixed an issue where a memory leak occurred when processing device and vsys tags.
PAN-267067
Fixed an issue where VXLAN traffic failed and packet loss occurred in networks sensors after upgrading to an affected release.
PAN-240066
Fixed a duplicate MAC address issue where an ethernet interface sent out Gratuitous ARP (GARP) messages for an IP address that was not configured on it.