Fixed an issue on multi-vsys firewalls where a host was not removed from the quarantine list after receiving a redistribution message from Panorama. This occurred when Panorama was configured to redistribute quarantine messages to a firewall cluster, and the GlobalProtect configuration and redistribution were built out in a vsys other than vsys1.

Fixed an issue where, when the Network Packet Broker feature was enabled, forward TLS (non-decrypted) traffic was not working as expected when there were segmented client hellos and a no-decrypt rule existed. This issue occurred when Zone Protection profiles were configured for trust/untrust zones but not attached to NPB zones.

Fixed an issue on Panorama where reassociating a vsys from one device group to another in a multi-vsys environment resulted in another vsys from the same firewall being removed from the original device group. This resulted in the device being moved into the no device groups attached group, a superuser was required to manually reattach the device.

Fixed an issue where, after upgrading to an affected PAN-OS release, the Visible Virtual Systems field started to reference the vsys name instead of the vsys ID, which caused inter-vsys routing to fail. This occurred when a vsys display name matched one of the vsys IDs.

Fixed an issue where the firewall experienced high management CPU usage and repeatedly rebooted when attempting to retrieve SMART data.

Fixed an issue on the firewall where the useridd process continuously increased its memory consumption, which resulted in an OOM condition that caused the firewall to restart.

Fixed an issue where EAL logs for traffic matching the intrazone-default Security policy rule were not forwarded to the IoT Security portal.

Fixed an issue where the firewall repeatedly reported an unreachable syslog server as back online when the server remained unavailable. This resulted in misleading alternating connection status messages in the system logs.

Fixed an issue on Panorama appliances and Log Collectors where, after an upgrade, Elasticsearch intermittently entered into a Red state before automatically recovering.

Fixed an issue where the GlobalProtect host ID field was intermittently blank in traffic logs on Prisma Access, even when the user was connected and had the correct host ID information. This occurred when the IP address to host ID entry expired and the entry was re-insterted without the dataplane flag being set.

(VM-Series firewalls only) Added the CLI command no-refresh-discard-session to address an issue where the discarded session time to live (TTL) did not refresh at the default value.

Fixed an issue where, after upgrading Panorama in a High Availability (HA) pair, the configuration logs stopped synchronizing from the primary Panorama to the secondary Panorama. This issue occurred because the log forwarding flag was permanently disabled due to the connection state not being active when the log-fwd-ctrl message was received.

Fixed an issue where traffic from cloud applications intermittently matched an incorrect cloud-apps policy rule when ACE (App-ID Cloud Engine) was enabled.

Fixed an issue on the firewall where the logrcvr process stopped responding.

Fixed an issue where on the firewall where the routed process stopped responding after changing the MTU or any link state parameters when OSPF and PIM were enabled on the same interface.

Fixed an issue with firewalls in active/passive HA configurations where an OOM condition occurred and caused a failover due to a memory leak associated with the logrcvr process.

Fixed an issue on Panorama where Kerberos superusers were unable to edit policy rules because the target device tab was grayed out.

Fixed an issue where the configd process stopped responding due to a circular reference between address groups.

Enhanced the CLI command request legacy reset to delete the legacy certificate files that were being used to connect with the secondary Panorama appliance.

Fixed an issue where a DPC on slot 3 failed intermittently due to the pktlog_forwarding process restarting, which resulted in an unexpected HA failover.

(Panorama appliances on Microsoft Azure environments only) Fixed an issue where user to IP address mapping was missing for some users connected to specific Prisma Access gateways, which caused the collection layer Azure firewall to not form the mapping.

Fixed an issue where session rematch caused ACE cloud application traffic to match the wrong policy rule.

(PA-5450 firewalls only) Fixed an issue where the DPC on slot 3 intermittently stopped responding due an all_pktproc restart.

Fixed an issue where the firewall displayed the incorrect rule name when a threat log was generated for Inline Cloud Analyzed CMD Injection Traffic Detection.

Fixed an issue where the firewall closed the SSL connection to the user ID agent.