PAN-OS 11.1.6-h17 Addressed Issues

PAN-OS 11.1.6-h17 addressed issues.
Issue ID
Description
PAN-298241
Fixed an issue where the NAT IP address pool was exhausted, which led to intermittent connectivity issues with call applications and outbound call failures. This occurred due to the firewall not properly releasing NAT dynamic ports back to the address pool.
PAN-296519
Fixed an issue where a stream receiving a reconnect signal with an associated error in Wifclient caused the entire pool to close, which resulted in a complete disconnection.
PAN-295644
Fixed an issue where Cloud Data Lake (CDL) log forwarding streams intermittently displayed as inactive.
PAN-295385
Fixed an issue where syslog forwarding dropped due to FQDN resolution failures.
PAN-295342
Fixed an issue where the pan_comm process stopped responding due to insufficient time allocated to read file descriptors when processing long messages.
PAN-295049
Fixed an issue where the logrcvr process stopped responding due to memory allocation errors during Redis communication.
PAN-294488
Fixed an issue where certificate data was missing in decryption logs for No decrypt policy rules and TLS1.2 traffic after upgrading, and the Subject Common Name, Issuer Common Name, Certificate Start Date, Certificate End Date, Certificate Serial Number, and Certificate Fingerprint fields were blank in the decryption logs.
PAN-294436
Fixed an issue where polling failed for ethernet interfaces due to the physical port counters read from the MAC being 0.
PAN-294179
Fixed an issue on Panorama where commit versions did not display correct data in the config audit page even after a refresh.
PAN-293985
Fixed an issue with the Panorama web interface where admin users were unable to log in and received the error message 504: Gateway Timeout.
PAN-293877
(Firewalls with Hub vsys (virtual system) configurations enabled only) Fixed an issue where, when using the Hub vsys feature to redistribute Host Information Profiles (HIP) to a non-Hub vsys, HIP policy enforcement failed intermittently on the active secondary firewall. This occurred when traffic destined for specific non-Hub vsys was routed to the active secondary, and the HIP query was not triggered due to an incorrect check for the HIP mask in the Hub vsys.
PAN-293842
Fixed an issue where the hybrid-SWG service proxy stopped working after upgrading to PAN-OS 11.1.6-h13 due to the firewall failing to establish the listening interface.
PAN-293673
Fixed an issue where the firewall stopped all tasks due to an OOM condition caused by a scheduled log export using FTP to an external FTP server.
PAN-293511
Fixed an issue where renaming a BGP filtering profile in Panorama did not update the corresponding BGP peer group in the virtual router, which led to commit failures.
PAN-292242
Fixed an issue on M-200 and logging appliances where traffic logs were intermittently truncated when forwarded using a TCP syslog configuration. This issue occurred during the log forwarding stage due to intermittent syslog drops caused by exceeding the forwarding queue capacity.
PAN-292228
Fixed an issue where, after configuring dual stack GlobalProtect with both IPv4 and IPv6 address pools, IPv6 return traffic was dropped with the error message flow-basic error; packet dropped, tunnel resolution failure.
PAN-292202
Fixed an issue where the system logs repeatedly displayed the alert "Clearing snmpd.log due to log overflow" because the SNMP counters rolled over.
PAN-291940
Fixed an issue where the firewall established multiple TCP connections to a syslog server, which caused logs to be dropped. This occurred because the firewall established a new TCP session for each transfer and the sessions were not closed, which resulted in a continuous increase in connections over time.
PAN-291792
(PA-7050 firewalls on vwire instances only) Fixed an issue where Bidirectional Forwarding Detection (BFD) echo packets were dropped due to the firewall dropping packets with the same source and destination IP addresses.
PAN-291785
Fixed an issue where the all_task process stopped responding.
PAN-291631
(VM-Series firewalls on Amazon Web Services (AWS) only) Fixed an issue where the firewall frequently rebooted.
PAN-291456
Fixed an issue where the custom completer for device groups and templates received the device group name and template name from the running configuration instead of the candidate configuration.
PAN-291283
Fixed an issue on Panorama where a memory leak associated with the configd process occurred during commits, which caused the configd process to restart and the commit to fail.
PAN-290919
(VM-Series firewalls only) Fixed an issue where file download speeds and performance were slower than expected for Prisma Access mobile users when SSL decryption was enabled.
To use this fix, run the CLI command `debug dataplane set ssl-decrypt fptcp-rto min <100-500>`.
PAN-290691
Added the CLI command `set system setting ctd h323_rtp_predict timeout` to increase the maximum timeout limit from 3600 seconds to 65535 seconds.
PAN-290449
Fixed an issue where, when multiple scheduled vulnerability reports were sent in the same email, only the first attached report was displayed.
PAN-289803
Fixed an issue on the firewall where AIOps and ADEM licenses failed when SD-WAN or GlobalProtect licenses were not present.
PAN-289406
Fixed an issue where, when redistributing User-ID information between firewalls, the receiving firewall incorrectly received and stored duplicate Host Information Profile (HIP) profiles. This occurred when a GlobalProtect gateway redistributed User-ID and HIP information through an intermediate firewall.
PAN-289383
Fixed an issue where the MPLS interface eth1/6 went down and remained down, even after replacing the SFP with a supported one and adjusting duplex and speed settings.
PAN-289109
Fixed an issue where the Panorama web interface was slower than expected during configuration operations and a configuration lock time out occurred during a commit.
PAN-288988
Fixed an issue on Panorama where, after logging in to the web interface as the ZTP installer administrator, the web interface was blank.
PAN-288432
Fixed an issue where, when Advanced Routing Engine was enabled on firewalls configured with multiple logical routers, static routes were preferred over eBGP routes even though the static routes had a higher administrative distance.
PAN-288426
(M-600 Panorama appliances in Log Collector mode in a Log Collector group only) Fixed an issue where the reportd and logd processes stopped responding, which resulted in the Panorama server not receiving logs from firewalls configured under the Log Collector group.
PAN-288363
Fixed an issue where the MIB ID returned an incorrect value via SNMP.
PAN-287842
Fixed an issue where the comm process stopped responding due to missing heartbeats, which resulted in a system alert and HA communication loss on slot1.
PAN-287688
Fixed an issue where the firewall failed to connect to the Palo Alto Networks update server when using a customized service route with the source interface as MGT.
PAN-287601
Fixed an issue on Panorama where commits took longer than expected.
PAN-287387
Fixed an issue on Panorama where API jobs failed with the error message Server error: Timed out while getting config lock. This occurred due to slow set request performance when setting a large number of address objects in a single set call.
PAN-286931
Fixed an issue where syslog forwarding in PAN-OS 11.1 and later releases did not support service routes when performing certificate validation over TLS.
PAN-286899
Fixed an issue where the device-group-tags CLI command used an unnecessary configuration read lock.
PAN-286615
Fixed an issue where the firewall double-freed shared memory when the shared memory usage reached 100% when sending large payloads. This occurred when DLP, Advanced Threat Protection (ATP), Advanced WildFire (AWF), or Advanced URL Filtering were enabled.
PAN-286475
Fixed an issue where the option to sort sequence numbers was missing from Filters prefix list in the advanced routing filters.
PAN-286299
Fixed an issue on firewalls running PAN-OS 11.1 releases where, after being offboarded from Panorama, the firewall XML configuration file retained template information from the previous Panorama configuration. As a result, when the firewall and its configuration were imported to another Panorama appliance, all configurations in the Network and Device tab became read-only.
PAN-286231
Fixed an issue where a simultaneous selective push from Panorama to multiple firewalls with different base configurations resulted in configuration corruption, which caused the firewall to go down.
PAN-285436
Fixed an issue where a selective push from Panorama caused the firewall Security policy rules to be removed on firewalls associated with the device group. This occurred when the base configuration version chosen for the selective push preceded the device configuration import operation, which caused the imported configuration to not be included in the pushed configuration.
PAN-285285
Fixed an issue where commits remained at 98% completion when static route configuration cleanup was in progress.
PAN-284117
(Panorama appliances in Log Collector mode only) Fixed an issue where the vm_agent process restarted after an upgrade.
PAN-283813
Fixed an issue on Panorama where the web interface performance was slower than usual when retrieving read-only configurations from Panorama.
PAN-283522
Fixed an issue where the SAML single log out (SLO) URL was not correctly displayed in the web interface after it was changed in the SAML profile.
PAN-283165
Fixed an issue where the Panorama web interface was slower than expected after a period of inactivity due to the Panorama management server unnecessarily reading the running-config.xml file.
PAN-281776
Fixed an issue on the Panorama web interface where the error message PPPoEv6 Client Interface cannot be enabled with DHCPv6 client was generated when overriding aggregate interfaces even when no DHCPv6 or PPPoE was configured.
PAN-281721
Fixed an issue where the firewall generated high-severity system alerts indicating that the configuration size exceeded the maximum recommended size, even when the configuration size was within the expected limits.
PAN-281488
Fixed an issue where searching configuration logs for an audit_uuid did not return a result if the rule was created with a clone operation.
PAN-281096
Fixed an issue on HA clusters where, when link and path monitoring was configured and the failover condition was set to all, disconnecting and reconnecting monitored ethernet ports caused the firewall to switch to a nonfunctional role, which resulted in all interfaces except the HA interface going down.
PAN-279901
Fixed an issue where the firewall dropped client hello packets when decryption was enabled, which prevented access to certain websites. This occurred when the client hello packet was truncated, the accumulation proxy assumed that the first packet contains at least 5 bytes, or out-of-order packets were waiting in L4 TCP.
PAN-279829
Fixed an issue where NAT pool leaks occurred during a test when RTSP traffic hit NAT rules.
PAN-279706
(M-600 appliances only) Fixed an issue where Panorama did not update all `panreplay` database entries after performing a commit and full push to all devices.
PAN-279690
Fixed an issue where the all_pktproc process stopped responding, which caused the firewall to unexpectedly restart.
PAN-279415
Fixed an issue where service routes configured to use a data plane interface incorrectly used the management plane interface for traffic transmission. This issue affected syslog and CRL status traffic when a custom service route was not configured.
PAN-279400
Fixed an issue where, when Restrict Certificate Extensions was enabled on decryption profiles, the basic constraints extension was overwritten incorrectly.
PAN-279366
Fixed an issue where the firewall used an unnecessary configuration lock when running operational commands.
PAN-277234
Fixed an issue where a device group import resulted in a Security policy rule being created with Application set to none.
PAN-277178
Fixed an issue on Panorama where you were unable to delete a shared object due to the rulebase incorrectly referencing the shared object instead of the device group-specific object when the name was used.
To use this fix, delete the original shared object after cloning it to a device group with the same name.
PAN-276795
Fixed an issue where the GlobalProtect client displayed an error message when you clicked Check Now and Preferred Releases and Base Releases were unchecked (Device > Software).
PAN-275272
Fixed an issue where a dataplane restart was not triggered as expected when internal packet path monitoring failure occurred.
PAN-274064
Fixed an issue on Panorama where the request batch license info CLI command displayed entries for devices that were no longer attached to Panorama.
PAN-273153
Fixed an issue where the Panorama web interface was slower than expected due to excessive polling of the MonitorDirect.getTasks API by the Task Manager.
PAN-271438
Fixed an issue where the firewall calculated available memory incorrectly on CentOS devices, which caused the firewall to display high memory usage alerts even when sufficient memory was available.
PAN-271425
(Firewalls in active/active HA configurations only) Fixed an issue with SSL inbound decryption on firewalls on a vwire setup with asymmetric routing.
To use this fix, enter the CLI command `set system setting ssl-decrypt ha-vwire-mac-learn global yes` on both firewalls in an HA pair.
PAN-269659
Fixed an issue on the firewall where you were unable to configure more than 500 DHCP relay servers even though the supported limit was 4096.
PAN-269155
Fixed an issue where an OOM condition occurred, which caused processes to stop responding.
PAN-268522
Fixed an issue where the firewall failed to connect to the update server with a customized service route when the source interface was set to MGT and the source address was set as IPv4.
PAN-268002
Fixed an issue where URL filtering response pages were not displayed for sites that were blocked as a result of SSL/TLS handshake inspection.
PAN-267330
Fixed an issue where the firewall dropped inbound RTP traffic after using Webex Screen Sharing due to the firewall removing the NAT cache when the predict timed out, which caused a new NAT to be established that conflicted with existing sessions. To use this fix, run the CLI command `set system setting ctd h323_rtp_predict timeout <120-3600>` to increase the timeout limit.
PAN-265782
Fixed an issue on Panorama where, after you enabled multihop in a BFD profile, you were unable to disable it via the web interface.
PAN-265111
Fixed an issue where fragmented SSL hello packets were reordered when going out of the SC/ZTT towards the datacenter.
PAN-263465
Fixed an issue where the logrcvr process stopped responding due to a memory leak and buffer overrun.
PAN-262599
Fixed an issue where the firewall displayed incorrect policy cache usage and configuration memory usage during a commit, which caused the configuration commit to fail with a CONFIG_UPDATE_START error. This occurred when a large number of External Dynamic Lists (EDLs), shared addresses, and policy rules were configured.
PAN-261677
Fixed an issue where multiple smartctl processes entered a D state due to failure to read from the kernel partition, which resulted in high CPU and management impact.
PAN-260827
Fixed an issue where the firewall consumed excessive CPU while processing traffic for a workload running on a GKE cluster, which caused reduced throughput.
PAN-260661
Fixed an issue where daily email reports generated from the custom report did not display the report details in PDF or CSV files.
PAN-256670
Fixed an issue where scheduled email reports were sent without PDF attachments if the firewall was in FIPS-CC mode.
PAN-255860
(PA-5200 firewalls only) Fixed an issue where the all_pktproc process stopped responding when the firewall was under a heavy traffic load.
PAN-251442
Fixed an issue where the firewall rebooted into maintenance mode if the authentication process restarted repeatedly.
PAN-251035
Fixed an issue where selective push operations did not push certificate changes to the firewall.
PAN-241230
Fixed an issue where the SNMP get request status value for Panorama connections was incorrect.