PAN-OS 11.1.6-h14 Addressed Issues
Focus
Focus

PAN-OS 11.1.6-h14 Addressed Issues

Table of Contents

PAN-OS 11.1.6-h14 Addressed Issues

PAN-OS 11.1.6-h14 addressed issues.
Issue ID
Description
PAN-290996
Fixed an issue where SNMP walks returned a value of 0 for the CPS (Connections Per Second) per vsys on firewalls after upgrading to PAN-OS 11.1.6-h3, even when active connections were present.
PAN-290803
(VM-Series firewalls on Microsoft Azure environments only) Fixed an issue where firewall failed to bootstrap with a custom image, and VM-Series plugin information was not displayed in the system information.
PAN-290239
(PA-455 firewalls in active/passive HA configurations only) Fixed an issue where, after an upgrade, the TCP session for syslog forwarding did not resume after the syslog server service was disabled and then re-enabled, which caused logs to be dropped. This occurred when the syslog server was down for more than 16 minutes.
PAN-290088
Fixed an issue where a memory leak occurred related to the configd process when pushing configurations from Panorama to a firewall. This occurred when the configurations contained shared policy rules.
PAN-289102
(PA-7500 Series, PA-5410, PA-5420, PA-5430, PA-5440, PA-5445, PA-3400 Series, PA-1400 Series, PA-400 Series, VM-Series, and CN-Series firewalls only) Fixed a race condition issue related to predict processing, which resulted in a dataplane restart and traffic loss.
PAN-288893
(Firewalls in multi-vsys configurations only) Fixed an issue where HTTP/2 traffic failed due when one virtual system (vsys) had a decryption policy rule enabled and another vsys had a no-decrypt policy rule for the same session.
PAN-287818
Fixed an issue where sessions timed out sooner than expected due to the pan_proxy_accumulation_restore_timeout not initiating when the accumulation session_init failed.
PAN-287734
Fixed an issue where Scan ERR: Internal Err 1002 messages were unexpectedly generated when WIF shared memory use was high.
PAN-287621
Added debug logs for an issue where a slow IP address pool NAT leak occurred when persistent NAT was enabled, which led to NAT IP pool exhaustion.
PAN-287056
Fixed an issue where BGP export policy rules with next-hop matching failed to block the advertisement of static routes, and the firewall incorrectly matched the egress interface IP address instead of the original next-hop IP address of the static route, which caused the deny rule to fail.
PAN-287023
Fixed an issue where a large number of logs caused the logrcvr process to stop responding.
PAN-287002
A fix was made to address CVE-2025-0133.
PAN-286857
Fixed an issue where only failed Kerberos authentication events were logged in auth.log, and successful authentication events were not logged.
PAN-286848
Fixed an issue where ECMP incorrectly balanced sessions across links based on the configured metric, which led to an imbalance in traffic distribution and resulted in traffic assignment shifting disproportionately to routes with lower metrics.
PAN-286443
Fixed an issue where, after an upgrade, the firewall was unable to be managed via HTTPS or SSH.
PAN-286306
Fixed an issue where, when getting transceiver information from ESCC for SFP 25G modules, the transceiver code was incorrectly updated with Unknown instead of 25GBase-SR.
PAN-285894
Fixed an issue where the all_task process stopped responding, which caused the firewall to reboot unexpectedly, and traffic failures occurred.
PAN-285818
Fixed an issue where a tool was needed to display leaked NAT port numbers without requiring a forced synchronization.
PAN-284908
Fixed an issue where retrieving filenames from OneDrive resulted in a cache miss.
PAN-284073
Fixed an issue on the firewall that caused commits to fail and the web interface to become inaccessible.
PAN-284067
Fixed an issue where the devsrvr process experienced out of memory (OOM) conditions due to the show running application statistics CLI command, which caused the firewall to reboot.
PAN-284003
Fixed an issue where clients did not receive a valid response when when searching a website due to a compression error.
PAN-283979
Fixed an issue where the firewall became non-functional due to high root partition use.
PAN-283936
(Panorama appliances only) Fixed an issue where the configd process intermittently restarted, which caused Panorama to be temporarily unavailable.
PAN-283331
Fixed an issue where selective pushes to managed devices failed when the User ID Master Device was configured.
PAN-282359
Fixed an issue where the Panorama web interface was slower than expected.
PAN-282277
Fixed an issue where an OOM condition on the logrcvr process caused interface flapping, and the interface unexpectedly went down and then recovered without intervention.
PAN-281509
(Panorama appliances only) Fixed an issue where log exports were slower than expected or failed when filtering logs after an upgrade, which resulted in timeouts or delays in displaying logs on the web interface.
PAN-280532
Fixed an issue where, after disabling and re-enabling the external syslog server, the TCP session was not resumed, which caused all logs that were forwarded to the syslog server to be dropped.
PAN-280101
Fixed an issue where set and edit commands took longer than expected when adding address objects with a large number of dynamic groups due to the completion cache being enabled. With this fix, the completion cache is disabled by default.
PAN-279500
Fixed an issue where TLS connections failed to establish in asymmetric routing environments if the firewall did not see server-to-client (s2c) packets of the TLS handshake.
To use this fix, run the following CLI command: debug dataplane set ssl-decrypt accumulate-client-hello asym-disable yes.
PAN-278836
Fixed an issue where, after an upgrade, GlobalProtect attempted to use the embedded browser instead of the default browser for gateway authentication even when it was configured to use the default browser.
PAN-278812
Fixed an issue where authentication to GlobalProtect failed with the error message User not in allowed list.
PAN-278190
Fixed an issue on Panorama where a scheduled report with SLS data had an invalid translated-query.
PAN-278150
Fixed an issue where the firewall removed the Authentication Key Identifier (AKID) from the certificate during SSL decryption, which caused Python 3.13 to fail with a certificate verification error.
PAN-277751
Fixed an issue where a policy-based forwarding (PBF) rule with an action of no-pbf and a service of TCP-22 did not match traffic after upgrading to PAN-OS 11.1.5-h1. As a result, traffic was matched by a lower rule with a service of any and an action of forward.
PAN-276920
Fixed an issue where web-advertisement traffic was not immediately blocked which resulted in pages loading indefinitely.
PAN-276862
Fixed an issue on Panorama where the logd process stopped responding unexpectedly.
PAN-276616
Fixed an issue on the firewall where half-duplex settings on Ethernet was not visible.
PAN-276276
(PA-450 firewalls only) Fixed an issue where, after an upgrade, data that was excluded using the query builder in a custom report was still visible in the report, and the logs displayed errors related to invalid threat names being queried.
PAN-275133
Fixed an issue where HTTP 503 server errors occurred while browsing websites due to slow Secure Web Gateway (SWG) bypass rule lookup.
PAN-275047
(VM-Series firewalls only) Fixed an issue where, after an upgrade, the firewall was unable to send logs to the Strata Logging Service (SLS) when using a specific proxy server, and the SSL connection status displayed as failed when attempting to forward logs through the web proxy.
PAN-273964
Fixed an issue where SNMP scans to a firewall timed out after upgrading to a PAN-OS 10.2 release.
PAN-273727
Fixed an issue where the firewall skipped the DNS policy rule of a domain external dynamic list (EDL) during an EDL refresh.
To use this fix, run the following CLI command and commit: set deviceconfig setting ctd custom-edl-domains-continuous-reload yes/no
PAN-271810
Fixed an issue where auto-negotiation advertised and negotiated 10/100 half and full duplex.
PAN-271490
Fixed an issue on the firewall that caused the following error message to be displayed: frr_ns0: failed to stop child frr_ns0_ospf6d.
PAN-271432
Fixed an issue where the firewall was unable to decrypt SSL traffic when using forward proxy and HSM with an ECDSA signing certificate.
PAN-271215
A fix was made to address CVE-2025-4230.
PAN-269700
Fixed an issue where commits to service connection firewalls from Panorama failed.
PAN-269057
Fixed an issue where the routed process stopped responding due to accessing freed memory from a hash table when the route vectors were resized. This occurred when a large number of static routes were configured.
PAN-268922
(PA-3220 firewalls in high availability (HA) configurations only) Fixed an intermittent issue where the firewalls went out of sync after a configuration push from Panorama.
PAN-268787
Fixed an issue where users were unable to log in to Panorama and the following error message was displayed: Timed out while getting config lock. Please try again. This occurred when pushing configurations to a large number of devices.
PAN-268708
Fixed an issue where PDF summary and email reports displayed IPv6 addresses instead of IPv4 addresses.
PAN-268680
Fixed an issue where the configd process stopped responding when a configuration merge operation changed.
PAN-267759
Fixed an issue where Prisma Access gateway downloads were slower than expected.
PAN-267614
Fixed an issue where the Panorama web interface was slower than expected due to high CPU utilization on the mongodb process.
PAN-267328
Fixed an issue where the all_task process stopped responding, which caused the firewall to stop processing traffic.
PAN-267045
Fixed an issue on the firewall where ICMP ping loss occurred after installing a Network Processing Card (NPC) in slot 7.
PAN-265549
A fix was made to address CVE-2025-0137.
PAN-265014
Fixed an issue where changes made to device groups with the same prefix name were not visible in the commit scope.
PAN-264845
Fixed an issue where the Log Forwarding for Security Services feature did not correctly filter policy rules with log forwarding profiles.
PAN-263749
Fixed an issue where disk space that was used by file descriptors was not freed, which caused the root partition to become full and Panorama to be inaccessible.
PAN-260564
Fixed an issue on firewalls in HA configurations where a network loop was detected by switches after suspending HA on the active firewall.
PAN-260279
Fixed an issue where selective push operations failed with the error message: Failed to generate selective push configuration. Schema validation failed. Please try a full push.
PAN-255020
Fixed an issue where the Panorama web interface did not display the push scope data for custom admin users when performing a partial commit and push.
PAN-226184
Fixed an issue where push operations from Panorama were slow due to the rasmgr process taking longer than expected.