Strata Logging Service (SLS) log-forwarding streams intermittently show as inactive. When checking the status of log-forwarding connections, one or more streams are reported as inactive. Restarting the log-receiver process temporarily resolves the issue, but the streams become inactive again after approximately 1-2 hours. This intermittent inactivity results in log loss.

After you disable the shared optimization feature in Panorama, ensure that you perform a full configuration push to all managed multi-vsys devices to re-establish a baseline. Failure to include every device group associated with the multi-vsys device during this push may result in incomplete or inconsistent configurations across virtual systems.

After upgrading to an affected release, SNMP monitoring systems such as SolarWinds may report 100% usage for hardware packet buffers on PA-3400 Series and PA-5450 firewalls, even when the firewall is idle and packet buffer utilization is normal. The packet buffer utilization oid is fixed to not show incorrect values.

On Log Collectors, the Elasticsearch process might fluctuate between green and red states, causing log collection interruptions. This issue occurs when the number of shards exceeds the supported threshold of 1,000 shards per Elasticsearch instance.

After upgrading multi-vsys firewalls, the sequence of the virtual system IDs (vsys ID) changes causing auto-commit failures with validation errors. This occurs when the multi-vsys firewall has virtual systems managed by Panorama, and the vsys ID sequence breaks when unused virtual systems are deleted and the changes are pushed to the firewall.

The PA-1410 firewalls experience a spike in the management plane CPU utilization when the monitor-dp process attempts to retrieve the power cycle count from the NVMe drive’s SMART data. This condition leads to repeated reboots of the device, requiring a hard reset for recovery.

A configd memory leak occurs post commit (during Panorama connectivity check), potentially leading to OOM (out of memory condition) and device reboot.

Upgrading to an affected release causes the firewall to reboot multiple times if the config contains an EDL (External Dynamic List) that doesn't have an associated certificate profile.

Upon upgrade, the ElasticSearch health status intermittently transitions to the Red status for sometime, and then auto-recovers back to Green. During the Red status periods, the cluster logs are unavailable. This occurs due to disk write operations being excessively slow, failing to meet the minimum time threshold required to save the cluster state.

When pushing configurations from Panorama to a firewall, a memory leak might occur in the firewall's configd process, particularly when the configurations contain shared policies. Each configuration push causes the configd process to consume additional memory that is not released after the commit completes.

When performing a partial Commit and Push on Panorama, there is a risk that unintended configuration changes might be pushed to a firewall.

This issue is more likely to occur in the following scenarios:

• When you run Commit and Push operations as a single action.
• When you trigger multiple parallel commit-all jobs at the same time.
• Device groups and templates have different configuration synchronization versions.

Workaround: Perform one of the following steps:

When you use custom certificates for the connection between Panorama and a log collector, the automated renewal for the predefined ElasticSearch certificates gets disrupted.

Workaround: Remove the custom certificates before the ElasticSearch certificates expire. This allows the system to correctly identify and renew the predefined ElasticSearch certificates. After the renewal is complete, re-install the custom certificates.

When exporting and importing the CSV file, the hash values of pre-shared key (PSK) variables set at template and template stack levels inconsistently change, resulting in both variables displaying the same hash value.

When applying filters or searching for logs in the PanoramaMonitorLogssection, you might experience slow performance.

Service routes configured for a data plane interface might incorrectly route traffic through the management plane interface instead. This issue impacts Syslog and CRL status traffic when the service route lacks a specific destination custom service route.

The system MAC address of the aggregate interface is the same on both the active and the passive devices, causing some packets to be sent incorrectly to the passive device. This is causing the AE interface on the active firewall to not come up.

When Panorama is not internet-connected and you try to upload images to the managed firewalls by using the Validate option, the upload fails with the following error: Failed to create multi-upload job. No valid software deploy targets found.

When upgrading Panorama from PAN-OS 10.2 or PAN-OS 11.0 to PAN-OS 11.1 or a later release, Panorama fails to upgrade if it is operating within a Collector Group. The following error appears:Error: Traceback (most recent call last):File "/opt/panrepo/releases/<PANOS release version>/validate"... (min ([dts['min'] for dts in 10g_type_intv_dir.values() if dts|'min']])-strftime ('%Y-%m-%d'),

Dereferencing a NULL pointer that occurs might cause pan_task processes to crash.

GlobalProtect portal is not accessible via a web browser and the app displays the error ERR_EMPTY_RESPONSE.

The Panorama web interface intermittently displays logs or fails to display logs completely.

The firewall using the Advanced Routing Engine loses PIM Hello messages after a two-day steady state run.

The firewall using the Advanced Routing Engine has inconsistent formatting of multicast output from the CLI command: show ip igmp sources json.

When the firewall is using the Advanced Routing Engine and OSPFv3 is configured, the interface and area information fails to appear in the CLI or the user interface. Additionally, you shouldn't use the CLI command show advanced-routing ospf interface because it disrupts traffic.

DHCP request is not sent when the service route is configured.

TLSv1.3 hybridized Kyber support in the latest versions of Chrome and Edge browsers results in dropped Client Hello packets when SSL/TLS handshake inspection is enabled.

Workaround: Disable SSL/TLS handshake inspection.

A firewall that uses the Advanced Routing Engine fails to add a local route to the Routing Information Base (RIB); it is able to add connected routes to the RIB. However the firewall adds both connected and local routes to the Forwarding Information Base (FIB). This results in a mismatch between the RIB and FIB.

A firewall using the Advanced Routing Engine fails to come up and fails to display OSPFv3 neighbor information.

If you change the service route of gp-ip-mgmt in Device > Setup > Services > Service Features > gp-ip-mgmt and Commit, the change won’t take effect. gp-ip-mgmt continues to use the last committed service route.

Workaround: After you change the service route interface for gp-ip-mgmt, navigate to either a GlobalProtect portal or gateway, click OK to save the configuration, and Commit the changes. This commit will include the service route change.

On a firewall that uses the Advanced Routing Engine and has BGP enabled, the BGP process crashes with SIGSEGV signal when the local interface and the peer IP address change.

The Advanced DNS Security trial license and trial license information cannot be activated and viewed, respectively, on a managed firewall (with expired or active status) from Panorama. These tasks can only be performed on the firewall.

The firewall using the Advanced Routing Engine doesn't properly display the interface name in the CLI command: show advanced-routing ospf neighbor brief yes.

When Advanced Routing is enabled, IP multicast is not supported. An upcoming version will provide support for this feature. Customers who have multicast configured or who plan to deploy multicast routing should not upgrade to 11.2.0. Additionally, when Advanced Routing is enabled, the BGP dampening configuration isn't applied to any peers or peer group; the configuration is preserved but has no effect on BGP. Customers can use BGP even if they have applied a Dampening profile to a specific set of peers. The issue doesn't affect any other BGP features.

The firewall using the Advanced Routing Engine fails to display output for the CLI command: show advanced-routing bgp peer received-routes.

On the Panorama management server, a user with an Admin Role is unable to modify or add filters to profiles under PanoramaNetworkRoutingRouting ProfilesFilters, despite having the necessary read and write privileges.

When the firewall is running PAN-OS 11.2.0 and Advanced Routing is enabled, DHCPv4 relay agent functions successfully, but DHCPv6 relay agent doesn't work.

If you change the configuration of a firewall acting as a PPPoEv4 or PPPoEv6 client, old routes from the Forwarding Information Base (FIB) and route table for an inherited configuration with dynamic-identifier or client remain visible. Old routes also remain visible for an inherited interface when you execute the CLI command, show interface all.

Workaround: Unconfigure and configure the Inherited Interface.