Fixed an issue where the NAT IP address pool was exhausted, which led to intermittent connectivity issues with call applications and outbound call failures. This occurred due to the firewall not properly releasing NAT dynamic ports back to the address pool.

Fixed an issue where a stream receiving a reconnect signal with an associated error in Wifclient caused the entire pool to close, which resulted in a complete disconnection.

Fixed an issue where Cloud Data Lake (CDL) log forwarding streams intermittently displayed as inactive.

Fixed an issue where syslog forwarding dropped due to FQDN resolution failures.

Fixed an issue where the pan_comm process stopped responding due to insufficient time allocated to read file descriptors when processing long messages.

Fixed an issue where the logrcvr process stopped responding due to memory allocation errors during Redis communication.

Fixed an issue where certificate data was missing in decryption logs for No decrypt policy rules and TLS1.2 traffic after upgrading, and the Subject Common Name, Issuer Common Name, Certificate Start Date, Certificate End Date, Certificate Serial Number, and Certificate Fingerprint fields were blank in the decryption logs.

Fixed an issue where polling failed for ethernet interfaces due to the physical port counters read from the MAC being 0.

Fixed an issue on Panorama where commit versions did not display correct data in the config audit page even after a refresh.

Fixed an issue with the Panorama web interface where admin users were unable to log in and received the error message 504: Gateway Timeout.

(Firewalls with Hub vsys (virtual system) configurations enabled only) Fixed an issue where, when using the Hub vsys feature to redistribute Host Information Profiles (HIP) to a non-Hub vsys, HIP policy enforcement failed intermittently on the active secondary firewall. This occurred when traffic destined for specific non-Hub vsys was routed to the active secondary, and the HIP query was not triggered due to an incorrect check for the HIP mask in the Hub vsys.

Fixed an issue where the hybrid-SWG service proxy stopped working after upgrading to PAN-OS 11.1.6-h13 due to the firewall failing to establish the listening interface.

Fixed an issue where the firewall stopped all tasks due to an OOM condition caused by a scheduled log export using FTP to an external FTP server.

Fixed an issue where renaming a BGP filtering profile in Panorama does not update the corresponding BGP peer group in the virtual router, leading to commit failures.

Fixed an issue on M-200 and logging appliances where traffic logs were intermittently truncated when forwarded using a TCP syslog configuration. This issue occurred during the log forwarding stage due to intermittent syslog drops caused by exceeding the forwarding queue capacity.

Fixed an issue where, after configuring dual stack GlobalProtect with both IPv4 and IPv6 address pools, IPv6 return traffic was dropped with the error message flow-basic error; packet dropped, tunnel resolution failure.

Fixed an issue where the system logs repeatedly displayed the alert Clearing snmpd.log due to log overflow due to the SNMP counters rolling over.

Fixed an issue where the firewall established multiple TCP connections to a syslog server, which caused logs to be dropped. This occurred because the firewall established a new TCP session for each transfer and the sessions were not closed, which resulted in a continuous increase in connections over time.

(PA-7050 firewalls on vwire instances only) Fixed an issue where Bidirectional Forwarding Detection (BFD) echo packets were dropped due to the firewall dropping packets with the same source and destination IP addresses.

Fixed an issue where the all_task process stopped responding.

(VM-Series firewalls on Amazon Web Services (AWS) only) Fixed an issue where the firewall frequently rebooted.

Fixed an issue where the custom completer for device groups and templates received the device group name and template name from the running configuration instead of the candidate configuration.

Fixed an issue on Panorama where a memory leak associated with the configd process occurred during commits, which caused the configd process to restart and the commit to fail.

(VM-Series firewalls only) Fixed an issue where file download speeds and performance was slower than expected for Prisma Access mobile users when SSL decryption was enabled.

To use this fix, run the CLI command debug dataplane set ssl-decrypt fptcp-rto min <100-500>.

Added the CLI command set system setting ctd h323_rtp_predict timeout to increase the maximum timeout limit from 3600 seconds to 65535 seconds.

Fixed an issue where, when multiple scheduled vulnerability reports were sent in the same email, only the first attached report was displayed.

Fixed an issue on the firewall where AIPOs and ADEM licenses failed when SD-WAN or GlobalProtect licenses were not present.

Fixed an issue where, when redistributing User-ID information between firewalls, the receiving firewall incorrectly received and stored duplicate Host Information Profile (HIP) profiles. This occurred when a GlobalProtect gateway redistributed User-ID and HIP information through an intermediate firewall.

Fixed an issue where the MPLS interface eth1/6 went down and remained down, even after replacing the SFP with a supported one and adjusting duplex and speed settings.

Fixed an issue where the Panorama web interface was slower than expected during configuration operations and a configuration lock time out occurred during a commit.

Fixed an issue on Panorama where, after logging in to the web interface as the ZTP installer administrator, the web interface was blank.

Fixed an issue where, when Advanced Routing Engine was enabled firewalls configured with multiple logical routers, static routes were preferred over eBGP routes even though the static routes had a higher administrative distance.

(M-600 Panorama appliances in Log Collector mode in a Log Collector group only) Fixed an issue where the reportd and logd processes stopped responding, which resulted in the Panorama server not receiving logs from firewalls configured under the Log Collector group.

Fixed an issue where the MIB ID returned an incorrect value via SNMP.

Fixed an issue where the comm process stopped responding due to missing heartbeats, which resulted in a system alert and HA communication loss on slot1.

Fixed an issue where the firewall failed to connect to the Palo Alto Networks update server when using a customized service route with the source interface as MGT.

Fixed an issue on Panorama where commits took longer than expected.

Fixed an issue on Panorama where API jobs failed with the error message Server error: Timed out while getting config lock. This occurred due to slow set request performance when setting a large number of address objects in a single set call.

Fixed an issue where syslog forwarding in PAN-OS 11.1 and later releases did not support service routes when performing certificate validation over TLS.

Fixed an issue where the device-group-tags CLI command used an unnecessary configuration read lock.

Fixed an issue where the firewall double-freed shared memory when the shared memory usage reached 100% when sending large payloads. This occurred when DLP, Advanced Advanced Threat Protection (ATP), Advanced WildFire (AWF), or Advanced URL Filtering were enabled.

Fixed an issue where the option to sort sequence numbers was missing from Filters prefix list in the advanced routing filters.

Fixed an issue on firewalls running PAN-OS 11.1 releases where, after being offboarded from Panorama, the firewall XML configuration file retained template information from the previous Panorama configuration. As a result, when the firewall and its configuration were imported to another Panorama appliance, all configurations in the Network and Device tab became read-only.

Fixed an issue where a simultaneous selective push from Panorama to multiple firewalls with different base configurations resulted in configuration corruption, which caused the firewall to go down.

Fixed an issue where a selective push from Panorama caused the firewall Security policy rules to be removed on firewalls associated with the device group. This occurred when the base configuration version chosen for the selective push preceded the device configuration import operation, which caused the imported configuration to not be included in the pushed configuration.

Fixed an issue where commits remained at 98% completion when static route configuration cleanup was in progress.

(Panorama appliances in Log Collector mode only) Fixed an issue where the vm_agent process restarted after an upgrade.

Fixed an issue on Panorama where the web interface performance was slower than usual when retrieving read-only configurations from Panorama.

Fixed an issue where the SAML single log out (SLO) URL was not correctly displayed in the web interface after it was changed in the SAML profile.

Fixed an issue where the Panorama web interface was slower than expected after a period of inactivity due to the Panorama management server unnecessarily reading the running-config.xml file.

Fixed an issue on the Panorama web interface where the error message PPPoEv6 Client Interface cannot be enabled with DHCPv6 client was generated when overriding aggregate interfaces even when no DHCPv6 or PPPoE was configured.

Fixed an issue where the firewall generated high-severity system alerts indicating that the configuration size exceeded the maximum recommended size, even when the configuration size was within the expected limits.

Fixed an issue where searching configuration logs for an audit_uuid did not return a result if the rule was created with a clone operation.

Fixed an issue on HA clusters where, when link and path monitoring was configured and the failover condition was set to all, disconnecting and reconnecting monitored ethernet ports caused the firewall to switch to a nonfunctional role, which resulted in all interfaces except the HA interface going down.

Fixed an issue where the firewall dropped client hello packets when decryption was enabled, which prevented access to certain websites. This occurred when the client hello packet was truncated, the accumulation proxy assumed that the first packet contains at least 5 bytes, or out-of-order packets were waiting in L4 TCP.

Fixed an issue where NAT pool leaks occurred during a test when RTSP traffic hit NAT rules.

(M-600 appliances only) Fixed an issue where Panorama did not update all `panreplay` database entries after performing a commit and full push to all devices.

Fixed an issue where the all_pktproc process stopped responding, which caused the firewall to unexpectedly restart.

Fixed an issue where service routes configured to use a data plane interface incorrectly used the management plane interface for traffic transmission. This issue affected syslog and CRL status traffic when a custom service route was not configured.

Fixed an issue where, when Restrict Certificate Extensions was enabled on decryption profiles, the basic constraints extension was overwritten incorrectly.

Fixed an issue where the firewall used an unnecessary configuration lock when running operational commands.

Fixed an issue where a device group import resulted in a Security policy rule being created with Application set to none.

Fixed an issue on Panorama where you were unable to delete a shared object due to the rulebase incorrectly referencing the shared object instead of the device group-specific object when the name was used.

To use this fix, delete the original shared object after cloning it to a device group with the same name.

Fixed an issue where the GlobalProtect client displayed an error message when you clicked Check Now and Preferred Releases and Base Releases were unchecked (Device > Software).

Fixed an issue where a dataplane restart was not triggered as expected when internal packet path monitoring failure occurred.

Fixed an issue on Panorama where the request batch license info CLI command displayed entries for devices that were no longer attached to Panorama.

Fixed an issue where the Panorama web interface was slower than expected due to excessive polling of the MonitorDirect.getTasks API by the Task Manager.

Fixed an issue where the firewall calculated available memory incorrectly on CENTOS devices, which caused the firewall to display high memory usage alerts even when sufficient memory was available.

(Firewalls in active/active HA configurations only) Fixed an issue with SSL inbound decryption on firewalls on a vwire setup with asymmetric routing.

To use this fix, enter the CLI command set system setting ssl-decrypt ha-vwire-mac-learn global yes on both firewalls in an HA pair.

Fixed an issue on the firewall where you were unable to configure more than 500 DHCP relay servers even though the supported limit was 4096.

Fixed an issue where an OOM condition occurred, which caused processes to stop responding.

Fixed an issue where the firewall failed to connect to the update server with a customized service route when the source interface was set to MGT and the source address was set as IPv4.

Fixed an issue where URL filtering response pages were not displayed for sites that were blocked as a result of SSL/TLS handshake inspection.

Fixed an issue where the firewall dropped inbount RTP traffic after using Webex Screen Sharing due to the firewall removing the NAT cache when the predict timed out, which caused a new NAT to be established that conflicted with existing sessions. To use this fix, run the CLI command set system setting ctd h323_rtp_predict timeout <120-3600> to increase the timeout limit.

Fixed an issue on Panorama where, after you enabled multihop in a BFD profile, you were unable to disable it via the web interface.

Fixed an issue where fragmented SSL hello packets were reordered when going out of the SC/ZTT towards the datacenter.

Fixed an issue where the logrcvr process stopped responding due to a memory leak and buffer overrun.

Fixed an issue where the firewall displayed incorrect policy cache usage and configuration memory usage during a commit, which caused the configuration commit to fail with a CONFIG_UPDATE_START error. This occurred when a large number of External Dynamic Lists (EDLs), shared addresses, and policy rules were configured.

Fixed an issue where multiple smartctl processes entered a d state due to failure to read from the kernel partition, which resulted in high CPU and management impact.

Fixed an issue where the firewall consumed excessive CPU while processing traffic for a workload running on a GKE cluster, which caused reduced throughput.

Fixed an issue where daily email reports generated from the custom report did not display the report details in PDF or CSV files.

Fixed an issue where scheduled email reports were sent without PDF attachments if the firewall was in FIPS-CC mode.

(PA-5200 firewalls only) Fixed an issue where the all_pktproc process stopped responding when the firewall was under a heavy traffic load.

Fixed an issue where the firewall rebooted into maintenance mode if the authentication process restarted repeatedly.

Fixed an issue where selective push operations did not push certificate changes to the firewall.

Fixed an issue where the SNMP get request status value for Panorama connections was incorrect.