PAN-OS 11.2.10 Addressed Issues
PAN-OS® 11.2.10 addressed issues.
Issue ID | Description |
|---|---|
PAN-304088 | Fixed an issue where TCP traffic stopped working from Prisma Access clients to TCP services behind the Service Connection (SC) after a dataplane upgrade.
|
PAN-304075 | Fixed an issue where the firewall did not detect evasions due to TCP checksum offloading not being enabled.
|
PAN-303737 | Fixed an issue where XML API commands failed with a Method not found (policy_xml) error in dagger.log. The issue was due to session-distribution commands in dagger files handling.
|
PAN-303559 | Fixed an issue where, after manually creating a device telemetry bundle, the hour_cli_output.txt file within the bundle had a file size of 0 bytes. This occurred when checking the bundle content after enabling device telemetry and setting the device telemetry upload endpoint.
|
PAN-301828 | Fixed an issue where, when a firewall was managed by Strata Cloud Manager and configured to use a proxy server for external connections, the management server did not use the configured settings to connect to the Cloud Management service.
|
PAN-300906 | Fixed an issue where XML API commands failed with a Method not found (policy_xml) error in dagger.log. The issue was due to missing XML-related functions for inline-cloud-proxy.
|
PAN-300096 | Fixed an issue where a local commit on a firewall broke template stack overrides, preventing LACP (Link Aggregation Control Protocol) from being enabled. After a local commit, the LACP enable check was unexpectedly unchecked, causing an outage. Attempting to re-enable LACP through the web interface was unsuccessful, requiring manual removal of the LACP configuration from the Panorama CLI.
|
PAN-299785 | (PA-7500 and PA-5450 firewalls in FIPS-CC mode) Fixed an issue where the affected firewalls would boot into maintenance mode when a reboot was initiated from the web interface. This was due to a device reboot triggering a power down to all slots, leading to maintenance mode. A hard reboot would allow the firewall to boot normally.
|
PAN-299772 | (VM-Series firewalls in active/passive configurations only) Fixed an issue where, after an HA failover event, the newly active firewall DHCP client interfaces failed to obtain IP addresses automatically. This occurred because the DHCP client processes did not initiate the necessary DHCP discover or renew requests.
|
PAN-298872 | (PA-400 Series firewalls in HA configurations only) Fixed an issue where ports went down after an HA failover.
|
PAN-298684 | Fixed an issue where an Application Override policy rule was not applied using an IPv4 source IP address with IPv6 enabled and Network > Zones > Pre-NAT Identification enabled.
|
PAN-298654 | Fixed an issue where the firewall generated false positive threat logs during updates to a large domain list (EDL) when a DNS lookup for a domain being added or removed occurred during the update process. This resulted in a threat log being generated for a different, unrelated domain that remained on the list.
|
PAN-298505 | Fixed an issue where, after upgrading an HA pair of PA-7050 firewalls, the vsys ID changed in sequence, causing autocommit failures with validation errors. This occurred when the multi-vsys firewall had virtual systems created and pushed from Panorama, and the vsys ID was not in a correct sequence because the unused vsys was deleted from Panorama and pushed to devices.
|
PAN-298252 | Fixed an issue where Data Loss Prevention (DLP) inspection of chunked transfer encoding over TLS resulted in incomplete file downloads on Outlook Web App (OWA) due to the WIF page size limit, which led to corrupted or incomplete PDF attachments.
|
PAN-298241 | Fixed an issue where the NAT IP address pool was exhausted, which led to intermittent connectivity issues with call applications and outbound call failures. This occurred due to the firewall not properly releasing NAT dynamic ports back to the address pool.
|
PAN-297976 | Fixed an issue where the firewall experienced extended boot times after a reboot due to the configd process needing to rebuild the ACE catalog after detecting discrepancies that were caused by duplicate application checking between the ACE catalog and content.
|
PAN-297975 | Fixed an issue where Panorama was unable to push the Trusted Root CA configuration to Log Collectors via a Collector Group push due to the Log Collector not supporting the trusted-root-CA configuration.
|
PAN-297797 | Fixed an issue where, during a refresh of a large External Dynamic List (EDL), traffic that matched a domain on the list was incorrectly identified as a different domain, which resulted in false positive threat logs.
|
PAN-297775 | Fixed an issue where, after upgrading to an affected PAN-OS release, the Visible Virtual System field referenced the vsys name instead of the vsys ID, which caused inter-vsys routing to fail. This occurred when a vsys display name matched one of the vsys IDs. If you're using a multivsys environment, you must upgrade your firewalls to a fixed PAN-OS version. The best practice is to upgrade both the firewalls and Panorama to a fixed PAN-OS version.
|
PAN-297321 | (Firewalls in active/active HA configurations only) Fixed an issue where return packets from a phone gateway looped between the HA pair instead of being encapsulated into the GlobalProtect tunnel. This occurred when the inner session and the outer IPSec tunnel terminated on different nodes, which led to excessive retries and packet drops.
|
PAN-297295 | (VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where the firewall repeatedly restarted due to high packet rates on the synthetic path in DPDK mode.
|
PAN-296752 | Fixed an issue where the firewall experienced high management CPU usage and repeatedly rebooted when attempting to retrieve SMART data.
|
PAN-296490 | (Firewalls with FIPS-CC mode enabled only) Fixed an issue where Panorama on GCP rebooted every hour after upgrading.
|
PAN-296453 | Fixed an issue where decryption exclusion lists were not working for untrusted certificates, and SSL sessions were still being decrypted even after adding them to the exclusion list. This occurred because the firewall was not adding sessions to the exclude cache until after receiving a non-RFC alert (BadCertificate) from the server. The fix ensures that the first session is added to the exclude cache, allowing subsequent sessions to skip decryption. This issue affects firewalls configured as clients in server-client communication.
|
PAN-295644 | Fixed an issue where Strata Logging Service (SLS) log forwarding streams intermittently displayed as inactive.
|
PAN-295560 | Fixed an issue where, after upgrading Panorama and Log Collectors, tunnel logs were not visible in Panorama or Splunk even though traffic and threat logs were received.
|
PAN-295385 | Fixed an issue where syslog forwarding dropped due to FQDN resolution failures.
|
PAN-295257 | Fixed an issue where, after onboarding a firewall to Panorama, IPsec tunnels displayed IKEv2 in Panorama, even though the tunnels were configured with IKEv1 locally on the firewall.
|
PAN-295221 | Fixed an issue where, after upgrading Panorama and Log Collectors, Traffic and Threat logs were not forwarded to a Splunk server over UDP.
|
PAN-294893 | Fixed an issue where firewalls with the Send handshake messages to CTD for inspection setting enabled caused incorrect security policy rules to be matched. Specifically, traffic not identified as openai-base or openai-chatgpt applications was incorrectly matched by the ALLOW-OPEN-AI-FULL-ACCESS-URLS-ALERTS rule. Additionally, the expected response page for blocked URLs was not displayed.
|
PAN-294770 | (Firewalls in active/passive HA configurations) Fixed an issue on firewalls where, after failover, certain subnets were missing from the Link State Database, which prevented OSPF routes from being immediately learned due to a Type-7 to Type-5 LSA translation conflict in the ABR when the same LSA was advertised by two peers in the NSSA area.
|
PAN-294524 | Fixed an issue where firewalls and Panorama management servers were unable to view or download WildFire reports from a WF-500 appliance, resulting in a 401 error in the report tab.
|
PAN-293985 | Fixed an issue with the Panorama web interface where admin users were unable to log in and received the error message 504: Gateway Timeout.
|
PAN-293877 | (Firewalls with Hub vsys (virtual system) configurations enabled only) Fixed an issue where, when using the Hub vsys feature to redistribute Host Information Profiles (HIP) to a non-Hub vsys, HIP policy enforcement failed intermittently on the active secondary firewall. This occurred when traffic destined for specific non-Hub vsys was routed to the active secondary, and the HIP query was not triggered due to an incorrect check for the HIP mask in the Hub vsys.
|
PAN-293848 | Fixed an issue where Panorama failed to push the default value of None for the secondary NTP server address to managed firewalls, resulting in a commit validation error. This occurred even when configuring the secondary NTP server address as None in Panorama's web interface, and affected both newly deployed and long-standing production firewalls after upgrading.
|
PAN-293511 | Fixed an issue where renaming a BGP filtering profile in Panorama did not update the corresponding BGP peer group in the virtual router, leading to commit failures.
|
PAN-293440 | Fixed an issue where setting the logdb-quota for the desum log type to 0 caused the /opt/panlogs partition to reach capacity.
|
PAN-292447 | Fixed an issue where Panorama did not display data in the Feature Adoption tab in Strata Cloud Manager due to the system creating and deleting a CLI user for each interval instead of reusing a permanent CLI user for telemetry.
|
PAN-292393 | Fixed an issue where TFTP file transfers intermittently timed out in active-active HA pairs when the TFTP control channel was processed by one firewall and the data channel was processed by the other. This occurred because the firewall receiving the data channel failed to match the predicted session due to asynchronous processing of HA messages.
|
PAN-292261 | Fixed an issue where the firewall repeatedly reported an unreachable syslog server as back online when the server remained unavailable. This resulted in misleading alternating connection status messages in the system logs.
|
PAN-292242 | Fixed an issue on M-200 and logging appliances where traffic logs were intermittently truncated when forwarded using a TCP syslog configuration. This issue occurred during the log forwarding stage due to intermittent syslog drops caused by exceeding the forwarding queue capacity.
|
PAN-292228 | Fixed an issue where, after configuring dual stack GlobalProtect with both IPv4 and IPv6 address pools, IPv6 return traffic was dropped with the error message flow-basic error; packet dropped, tunnel resolution failure.
|
PAN-292019 | Fixed an issue on the Panorama web interface where cloud applications were not displayed under Objects > Applications after a new content upgrade and Cloud App Catalog download, and were only visible in application groups, security policy rules, and the CLI.
|
PAN-291883 | Fixed an issue where Prisma Access logs were not visible in the Security Logging Service (SLS) and Panorama.
|
PAN-291792 | (PA-7050 firewalls on vwire instances only) Fixed an issue where Bidirectional Forwarding Detection (BFD) echo packets were dropped due to the firewall dropping packets with the same source and destination IP addresses.
|
PAN-291716 | Fixed an issue where, during a commit, the firewall experienced an out-of-memory (OOM) condition due to a memory leak and displayed an error message. This issue caused the device to stop responding and reboot unexpectedly.
|
PAN-291661 | Fixed an issue on Panorama appliances and Log Collectors where, after an upgrade, Elasticsearch intermittently entered into a Red state before automatically recovering.
|
PAN-291660 | Fixed an issue where the firewall incorrectly reported the speed of 25G interfaces as 1G when queried using SNMP for the ifHighSpeed OID.
|
PAN-291653 | Fixed an issue where the GlobalProtect host ID field was intermittently blank in traffic logs on Prisma Access, even when the user was connected and had the correct host ID information. This occurred when the IP address to host ID entry expired and the entry was re-inserted without the dataplane flag being set.
|
PAN-291635 | Fixed an issue where cookie surrogate cache entries remained unresolved after an idmgr process reset due to the request not being retransmitted. This occurred because the timestamp in the cache entry was refreshed even when the UID was 0, which prevented the retransmission of the request if the initial response was not received.
|
PAN-291067 | Fixed an issue where the devsrvr process periodically exceeded its virtual memory limit and restarted, which led to intermittent outages.
|
PAN-290665 | Fixed an issue with firewalls enabled with Security profiles where certain traffic conditions caused high dataplane CPU utilization and packet buffer exhaustion, which caused LACP flapping conditions.
|
PAN-290640 | (VM-Series firewalls on Microsoft Azure environments in HA configurations only) Fixed an issue where, when an interface was configured with IPv6, the firewall displayed the message Unknown error during validation after the client secret expired, which caused DNS resolution to fail when resolving FQDNs and HA failovers to occur.
|
PAN-289716 | Fixed an issue where return traffic was dropped on service connection firewalls due to routing failover and asymmetric return in service connection firewalls.
|
PAN-288388 | Fixed an issue where, after an EDL certificate update or repository migration, authentication failures caused the firewall to not fall back to the last successfully cached EDL entries, which led to policy rules that referenced the EDL to not be enforced.
|
PAN-287803 | Fixed an issue where, after upgrading the firewall, certain websites weren't accessible when the accumulation proxy was enabled. The proxy did not use the same DF bit state as the original traffic, causing it to be fragmented and dropped elsewhere in the network.
|
PAN-287782 | Fixed an issue where firewalls configured in vwire mode modified DSCP values from AF11 to CS0 on traffic passing through the firewall, even when QoS policy rules and DSCP rewrite settings were not configured.
|
PAN-287693 | Fixed an issue where Panorama did not use the configured proxy settings to check WildFire private cloud content and instead connected directly to the WildFire device using the management interface. This occurred even when Use Proxy Settings for Private Cloud was enabled.
|
PAN-287622 | Fixed an issue where IPv6 traffic was affected after upgrading the firewall to PAN-OS 11.1.6-h4 and later versions. With SSL decryption enabled and a decryption policy configured for the traffic, the firewall dropped packets due to receiving a Packet Too Big ICMP message. This occurred because the PathMTU information update was incorrect for the TCB (pan-server) when the firewall was acting as a server. Additionally, the flow label under the IPv6 header was set to zero while the packet was being transmitted out of the firewall.
|
PAN-287387 | Fixed an issue on Panorama where API jobs failed with the error message Server error: Timed out while getting config lock. This occurred due to slow set request performance when setting a large number of address objects in a single set call.
|
PAN-285169 | Fixed an issue on Panorama where Kerberos superusers were unable to edit policy rules because the target device tab was grayed out.
|
PAN-283053 | Fixed an issue where the firewall experienced high disk space utilization, which caused the firewall to become non-functional.
|
PAN-282961 | Fixed an issue where the firewall rebooted unexpectedly after a commit due to a memory leak related to the rasmgr process and displayed the error message Management server failed to send phase 1 to client l2ctrld before rebooting.
|
PAN-282956 | Fixed an issue on firewalls running PAN-OS 11.1 and later PAN-OS releases where the portal and gateway configuration view did not display rows and columns.
|
PAN-267450 | Fixed an issue where the reportd process stopped responding with a SIGSEGV at schedule_report_es_response.
|
PAN-263422 | Fixed an issue where SaaS Policy Recommendations policy rules created at the tenant level were not displayed on the firewall.
|