Fixed an issue where Panorama incorrectly generated system logs indicating a lost connection to its peer after an upgrade even when High Availability was not configured.

Fixed an issue where the Logging Service License Status displays a license failure when the license status transitions from valid to expired and then back to valid even when the connection to the Security Logging Service (SLS) was working.

Fixed an issue where the timing of GlobalProtect lifetime expiry or inactivity logout notifications used for GlobalProtect SSL tunnels could cause the pan_task process to stop responding and the dataplane to restart.

Fixed an issue where traffic is incorrectly identified as unknown-tcp/unknown-udp due to App-ID resource leak and eventually dropped.

Fixed an issue where the firewall displayed as disconnected in the SLS due to the serial number not being retrieved

(Firewalls in HA configurations only) Fixed an issue where the passive firewall incorrectly triggered PBP alerts even with low packet rates.

Fixed an issue where Panorama stopped responding when deploying dynamic updates to managed devices.

Fixed an issue on Panorama where the debug system reset-ztp CLI command was unavailable.

Fixed an issue where firewalls experienced multiple reboots due to the pan_task process restarting with a SIGSEGV signal. This occurred because the client-to-firewall side assumed TLS 1.3 for the firewall-server side.

Fixed an issue where the firewall was unable to connect to the Subscription License Service (SLS) due to a public and private key pair mismatch with the device certificate.

Fixed an issue on PA-VM in AWS where, in a two-arm deployment integrated with Gateway Load Balancer (GWLB), the firewall did not preserve the GENEVE source port for internet traffic, resulting in increased latency. The fix ensures the firewall preserves the outer UDP source port of GENEVE encapsulation when sending traffic back to GWLB.

(PA-5220 firewalls only) Fixed an issue where the ikemgr process crashed intermittently, causing IPSec tunnels to go down randomly. The fix ensures that the IKE security association data structures are accessed in a thread-safe manner. This prevents the ikemgr process from referencing an invalid memory pointer during teardown operations and provides stability.

Fixed an issue where the firewall did not accept address groups in the filter condition of a Log Forwarding Match list.

Fixed an issue where the useridd process became unresponsive, which caused User-ID CLI commands to time out.

Fixed an issue related to external URL lists where pushing configuration changes from Panorama failed.

(VM-Series firewalls only) Fixed an issue where the maximum registered IP address for was incorrectly set to 100,000 instead of the expected 500,000.

Fixed an issue on Panorama where commits took longer than expected due to the show object dynamic-address-group all CLI command holding the devicetable lock for an extended period.

Fixed an issue where the firewall displayed the following error message: critical userid registe 0 fail to integrate the update of registered ip addresses since 2 seconds ago; critical system log alerts observed.

Fixed an issue where the firewall was unable to parse the URL path and host when the host header was located in a different packet, which resulted in the firewall not logging the URL path in the first packet. The fix is disabled by default. The following CLI commands can be used to enable/disable the feature:

• set system setting ctd url-crosspkt-host-path-caching enable
• set system setting ctd url-crosspkt-host-path-caching disable
• set system setting ctd url-crosspkt-host-path-caching default