PAN-OS 11.2.7 Addressed Issues
PAN-OS® 11.2.7 addressed issues.
Issue ID | Description |
---|---|
PAN-290803 | (VM-Series firewalls on Microsoft Azure environments only) Fixed an issue where the firewall failed to bootstrap with a custom image, and VM-Series plugin information was not displayed in the system information.
|
PAN-290542 | Fixed an issue where the all_task process stopped responding when an additional header logging HTTP header was split across 2 packets.
|
PAN-290239 | (PA-455 firewalls in active/passive high availability (HA) configurations only) Fixed an issue where, after an upgrade, the TCP session for syslog forwarding did not resume after the syslog server service was disabled and then re-enabled, which caused logs to be dropped. This occurred when the syslog server was down for more than 16 minutes.
|
PAN-289102 | (PA-7500 Series, PA-5410, PA-5420, PA-5430, PA-5440, PA-5445, PA-3400 Series, PA-1400 Series, PA-400 Series, VM-Series, and CN-Series firewalls only) Fixed a race condition issue related to predict processing, which resulted in a dataplane restart and traffic loss.
|
PAN-288930 | Fixed an issue where traffic from cloud applications intermittently matched an incorrect cloud-apps policy rule when ACE (App-ID Cloud Engine) was enabled.
|
PAN-287818 | Fixed an issue where sessions timed out sooner than expected due to the pan_proxy_accumulation_restore_timeout not initiating when the accumulation session_init failed.
|
PAN-286897 | Fixed an issue where the pan_task process stopped responding when the firewall attempted to forward files to the WildFire public cloud, which caused the dataplane to experience heartbeat failures.
|
PAN-286857 | Fixed an issue where only failed Kerberos authentication events were logged in auth.log, and successful authentication events were not logged.
|
PAN-286848 | Fixed an issue where ECMP incorrectly balanced sessions across links based on the configured metric, which led to an imbalance in traffic distribution and resulted in traffic assignment shifting disproportionately to routes with lower metrics.
|
PAN-286825 | Fixed an issue where GlobalProtect User-ID mappings were lost after 5 minutes, which caused users to not match User-ID source-based policy rules. This occurred due to a mismatch between the GlobalProtect gateway connection settings and the device behavior and when the inactivity-logout setting was deleted and set to a different value.
|
PAN-285894 | Fixed an issue where the all_task process stopped responding, which caused the firewall to reboot unexpectedly, and traffic failures occurred.
|
PAN-285651 | (Panorama appliances in active/passive HA configurations on Microsoft Azure environments only) Fixed an issue on Panorama that caused firewalls to disconnect unexpectedly.
|
PAN-285597 | Fixed an issue where a routed process memory leak occurred when advanced routing was enabled.
|
PAN-285590 | (VM-Series firewalls on Amazon Web Services (AWS) GWLB environments only) Fixed an issue where the firewall CPU usage reached 100% after upgrading to PAN-OS 11.1.6-h1.
|
PAN-284117 | (Panorama appliances in Log Collector mode only) Fixed an issue where the vm_agent process restarted after an upgrade.
|
PAN-284066 | Fixed an issue where, after an upgrade, the SNMP polled values for IF-MIB::ifInErrors displayed a high number of errors that did not match the values in the CLI show interface command.
|
PAN-283813 | Fixed an issue on Panorama where the web interface performance was slower than usual when retrieving read-only configurations from Panorama.
|
PAN-283789 | (Firewalls in HA configurations only) Fixed an issue where, after an upgrade, the mac receive error counter in receive incoming errors increased, which resulted in SNMP alerts.
|
PAN-283644 | (Prisma Access only) Fixed an issue where URL log ingestion decreased after an upgrade, and secondary connections were lost.
|
PAN-283331 | Fixed an issue where selective pushes to managed devices failed when the User ID Master Device was configured.
|
PAN-282697 | Fixed an issue where traffic was delayed significantly when it used No Authentication Explicit Proxy and matched a decryption policy rule.
|
PAN-282640 | Fixed an issue where custom reports showed incomplete data when exported in CSV format from Panorama.
|
PAN-282394 | Fixed an issue where a firewall was only able to display a maximum of 14 permitted IP addresses from a Panorama Template Variable.
|
PAN-282391 | (Panorama appliances and Log Collectors only) Fixed an issue where a VLD memory leak caused increased memory use, which resulted in OOM errors.
|
PAN-282359 | Fixed an issue where the Panorama web interface was slower than expected.
|
PAN-282240 | Fixed an issue where, when attempting to modify an Anti-Spyware profile via the web interface under a shared location, clicking the OK button displayed a console exception error.
|
PAN-281885 | Fixed an issue where, when exporting and importing CSV files, the hash values of pre-shared key variables set at template and template stack levels changed inconsistently, which resulted in both variables displaying the same hash value.
|
PAN-281882 | Fixed an issue where OSPF redistributed connected routes beyond the intended loopback IP address.
|
PAN-281649 | Fixed an issue where the index size limit was incorrectly calculated and indices rolled over earlier than expected, which resulted in high memory and OOM errors.
|
PAN-281540 | Fixed an issue where the logd process repeatedly restarted when the SD-WAN site name was over 31 characters and contained certain XML escape characters.
|
PAN-281509 | (Panorama appliances only) Fixed an issue where log exports were slower than expected or failed when filtering logs after an upgrade, which resulted in timeouts or delays in displaying logs on the web interface.
|
PAN-281269 | (PA-5420 firewalls) Fixed an issue where the firewall management server memory usage continuously increased.
|
PAN-281264 | Fixed an issue where the routed process memory usage continuously increased when Advanced Routing was enabled.
|
PAN-280942 | Fixed an issue where the logrcvr process stopped responding.
|
PAN-280698 | Fixed an issue where the firewall removed the TCP timestamp from client hello messages that did not fit in a single packet, which resulted in connection issues.
|
PAN-280532 | Fixed an issue where, after disabling and re-enabling the external syslog server, the TCP session was not resumed, which caused all logs that were forwarded to the syslog server to be dropped.
|
PAN-280505 | Fixed an issue where the web interface did not display a message to commit prior changes before attempting a partial configuration load.
|
PAN-280477 | Fixed an issue on the web interface where you were unable to scroll up or down to view source zones in a NAT policy rule.
|
PAN-280335 | Fixed an issue with an SNMPv3 EngineBoots value discrepancy that prevented the SNMP server from logging.
|
PAN-280243 | Fixed an issue where the firewall lost the pre-shared key configuration assigned from a PSK variable when an unrelated device group configuration was loaded.
|
PAN-279691 | (Firewalls in active/passive HA configurations only) Fixed an issue where the firewall didn't synchronize IPSec SAs (security associations) to the passive firewall if the tunnel was not initially established by the active firewall.
|
PAN-279500 | To use this fix, run the following CLI command: debug dataplane set ssl-decrypt accumulate-client-hello asym-disable yes.
|
PAN-279495 | Fixed an issue where accessing a URL from the browser returned the error message ERR_RESPONSE_HEADERS_TRUNCATED when the firewall was configured with TLS 1.3.
|
PAN-279400 | Fixed an issue where, when Restrict Certificate Extensions was enabled on decryption profiles, the basic constraints extension was overwritten incorrectly.
|
PAN-279336 | Fixed an issue where the CLI did not display a message to commit prior changes before loading a partial configuration.
|
PAN-279176 | Fixed an issue where the configuration audit displayed inaccurate information after partially loading the configuration via the CLI, which caused the audit to flag the configuration as deleted or changed.
|
PAN-279065 | Fixed an issue where the firewall sent logs with connection succeeded to the syslog server every time a connection was established, which resulted in excessive logs.
|
PAN-278981 | Fixed an issue where DNS domain resolutions experienced intermittent delays due to the firewall not connecting to the DNS Security cloud. To use this fix, enable DNS monitoring on the dataplane via the CLI command debug dnsproxyd enable-rtsig-health-monitor yes. To show the current setting, run the CLI command debug dnsproxyd enable-rtsig-health-monitor show. If the cfg.general.dns-rtsig-monitor-interval shows a non-zero value, DNS monitoring is enabled.
|
PAN-278812 | Fixed an issue where authentication to GlobalProtect failed with the error message User not in allowed list.
|
PAN-278461 | (Firewalls deployed in Amazon Web Services (AWS) environments only) Fixed an issue where DNS Security retransmit packets were not re-encapsulated into Geneve, which caused DNS requests that were initiated from the firewall to be returned to AWS GWLB.
|
PAN-278190 | Fixed an issue on Panorama where a scheduled report with SLS data had an invalid translated-query.
|
PAN-278150 | Fixed an issue where the firewall removed the Authentication Key Identifier (AKID) from the certificate during SSL decryption, which caused Python 3.13 to fail with a certificate verification error.
|
PAN-277808 | Fixed an issue where the eproxy process stopped responding when running a long duration test using IXload with hybrid SWG SAML authentication bypass for HTTPS payloads, which caused the proxy to become unreachable.
|
PAN-277631 | Fixed an issue where the logrcvr process discarded logs due to a full queue.
|
PAN-277464 | Fixed an issue with intermittent access and slower than expected loading times when accessing websites. This occurred when Anti-Spyware inline cloud analysis was enabled, the SSL Command and Control action was not set to either allow or alert, and server hello packets were out of order.
|
PAN-277234 | Fixed an issue where a device group import resulted in a Security policy rule being created with Application set to none.
|
PAN-277147 | Fixed an issue where daily scheduled reports were not generated and emailed.
|
PAN-276920 | Fixed an issue where web-advertisement traffic was not immediately blocked, which resulted in pages loading indefinitely.
|
PAN-276678 | Fixed an issue where Panorama became unresponsive while performing a dynamic address update without a lock.
|
PAN-276276 | (PA-450 firewalls only) Fixed an issue where, after an upgrade, data that was excluded using the query builder in a custom report was still visible in the report, and the logs displayed errors related to invalid threat names being queried.
|
PAN-276062 | Fixed an issue where importing a firewall with a large number of address objects into Panorama did not work and remained at 99% completion.
|
PAN-275754 | Added support for bootstrapping Panorama virtual appliances on ESXi.
|
PAN-275718 | Fixed an issue where Panorama stopped forwarding logs to a syslog server after upgrading to PAN-OS 11.1.5-h1.
|
PAN-275713 | Fixed an issue where the dscd process stopped responding when Endpoint Serial Number was enabled, which resulted in the Active Directory returning a list of serial numbers for a specific firewall from the Cloud Identity Engine.
|
PAN-275133 | Fixed an issue where HTTP 503 server errors occurred while browsing websites due to slow Secure Web Gateway (SWG) bypass rule lookup.
|
PAN-275077 | Fixed an issue where DNS Security intermittently logged malicious domain URLs as Alert instead of taking a Sinkhole action, even when configured to Sinkhole malicious DNS domains.
|
PAN-275047 | (VM-Series firewalls only) Fixed an issue where, after an upgrade, the firewall was unable to send logs to the Strata Logging Service (SLS) when using a specific proxy server, and the SSL connection status displayed as failed when attempting to forward logs through the web proxy.
|
PAN-274806 | (PA-5250 firewalls only) Fixed an issue where IPv6 pings experienced a high number of dropped packets when forwarded to another dataplane, which resulted in ping failures. This occurred when initiating a ping to the link local address of the firewall and the packet drop percentage depended on the number of dataplanes.
|
PAN-274797 | Fixed an issue where a DPC on slot 3 failed intermittently due to the pktlog_forwarding process restarting, which resulted in an unexpected HA failover.
|
PAN-274750 | Fixed an issue where the detailed log view in Panorama did not display all packet details for traffic logs received from the cloud.
|
PAN-274726 | Fixed an issue where WildFire signature generation was enabled on all nodes in a cluster instead of only the active node.
|
PAN-274697 | Fixed an issue where push operations from Panorama failed on passive firewalls when an application was removed from a Security policy rule and the policy rule was referenced in a device group.
|
PAN-274671 | Fixed an issue where empty traffic logdb folders were generated for each day even when traffic logs were not received by the logrcvr process.
|
PAN-274569 | Fixed an issue where the QSFP transceiver interface displayed an incorrect range figure on the temperature alarm.
|
PAN-274496 | Fixed an issue where the root partition reached 100%, which caused the system to become non-functional and fail over even when aggressive cleaning was enabled.
|
PAN-274146 | Fixed an issue where the firewall rebooted continuously after upgrading to PAN-OS 11.1.5-h1 when a tunnel session was established in a Gateway Load Balancing (GWLB) scenario and no data packet was associated with the packet.
|
PAN-273964 | Fixed an issue where SNMP scans to a firewall timed out after upgrading to a PAN-OS 10.2 release.
|
PAN-273694 | Fixed an issue where the firewall rebooted due to an out-of-bounds memory access that occurred as a result of the SIP content length value being split across packets.
|
PAN-273614 | Fixed an issue where packets were dropped initially when a SYN cookie with activation threshold 0 was enabled.
|
PAN-273597 | Fixed an issue where logs in the cloud database displayed in the Not-Resolved category but not in the local database.
|
PAN-273453 | Fixed an issue where restarting the firewall did not initiate an autocommit job, which caused the firewall to stop responding and the HA interface to go down.
|
PAN-273277 | Fixed an issue where GlobalProtect clients on macOS devices were prompted to enter their username and password for Kerberos SSO authentication.
|
PAN-273153 | Fixed an issue where the Panorama web interface was slower than expected due to excessive polling of the MonitorDirect.getTasks API by the Task Manager.
|
PAN-273141 | Fixed an issue where GlobalProtect clients experienced slow file transfer download throughput when passing through an IPSec tunnel.
|
PAN-272812 | Fixed an issue where SNMP monitoring of tunnel interfaces displayed zero values for received bytes and packets.
|
PAN-272746 | (PA-440 firewalls only) Fixed an issue where the firewall entered an unstable state after committing changes or onboarding to Panorama.
|
PAN-272605 | Fixed an issue where the firewall did not display VPC endpoints when there was a large number of VPC endpoint to interface mappings.
|
PAN-272539 | (Panorama appliances on Microsoft Azure environments only) Fixed an issue where user to IP address mapping was missing for some users connected to specific Prisma Access gateways, which caused the collection layer Azure firewall to not form the mapping.
|
PAN-272395 | Fixed an issue where informational logs caused the distributord process log file to be frequently overwritten.
|
PAN-272175 | Fixed an issue where session rematch caused ACE cloud application traffic to match the wrong policy.
|
PAN-271700 | Fixed an issue where User-ID connections were lost after an HA failover.
|
PAN-271560 | Fixed an issue where DNS requests to malware sites were not blocked as expected, and the dns-security-categories log-level and action displayed default values instead of unavailable.
|
PAN-271498 | (PA-7000 Series firewalls, PA-5200 firewalls, and PA-5400f firewalls in FIPS mode only) Fixed an issue where decrypted traffic repeatedly failed and frequent reboots were required.
|
PAN-271425 | (Firewalls in active/active HA configurations only) Fixed an issue with SSL inbound decryption on firewalls on a vwire setup with asymmetric routing. To use this fix, enter the CLI command set system setting ssl-decrypt ha-vwire-mac-learn global yes on both firewalls in an HA pair.
|
PAN-271184 | Fixed an issue where Device Telemetry failed due to an issue with the encoding of characters in the log file path.
|
PAN-271175 | Fixed an issue where the all_task process stopped responding with a SIGABRT.
|
PAN-271151 | Fixed an issue where the GlobalProtect client did not automatically initiate a Kerberos SSO connection after logging in to Windows.
|
PAN-270849 | Fixed a memory leak issue related to the configd process that occurred when running consecutive commits for multiple days.
|
PAN-270744 | Fixed an issue where API calls to Panorama failed with the error Server error : Timed out while getting config lock. Please try again.
|
PAN-270379 | Fixed an issue where socket files created in the /tmp directory were not cleared.
|
PAN-270193 | Fixed an issue where the Panorama management server changed its certificate authority (CA) unexpectedly, which caused managed firewalls to disconnect.
|
PAN-270192 | Fixed an issue where Panorama did not display the management IP address of devices onboarded via ZTP.
|
PAN-269700 | Fixed an issue where commits to service connection firewalls from Panorama failed.
|
PAN-269677 | Fixed an issue where Panorama did not check for a NULL pointer when querying logs, which caused logs to not display on the web interface.
|
PAN-269624 | Fixed an issue where GlobalProtect clients failed to connect with the error message The device or feature requires a GlobalProtect subscription license.
|
PAN-269193 | Fixed an issue where the firewall redirected the user to the first application instead of the portal page with a list of applications when multiple applications were configured for GlobalProtect clientless VPN along with any user match.
|
PAN-269139 | (Firewalls with DPDK enabled in Azure, GCP, AWS, and KVM environments only) Fixed an issue where, after an upgrade to PAN-OS 11.1.4, the mac receive error counter increased without an error even though traffic was not impacted.
|
PAN-268708 | Fixed an issue where PDF summary and email reports displayed IPv6 addresses instead of IPv4 addresses.
|
PAN-268614 | Fixed an issue on the web interface where all rules were highlighted when a read-only admin user clicked the Highlight Unused Rules checkbox.
|
PAN-268489 | Fixed a Threat log PCAP ID overwrapping issue.
|
PAN-268465 | Fixed an issue with firewalls in active/passive HA configurations where the total user count in the registered users was different between the active and passive firewall.
|
PAN-268279 | Fixed an issue where autocommits failed if the management IPv6 gateway was the same as the dataplane interface IP address.
|
PAN-267759 | Fixed an issue where Prisma Access gateway downloads were slower than expected.
|
PAN-267518 | Fixed an issue where WildFire submission logs incorrectly reported allowed malicious samples even when they were blocked by threat prevention profiles.
|
PAN-266427 | Fixed an issue on the firewall where, when a high number of SD-WAN branch sites or interfaces were not connected, SD-WAN processes and tund processes stopped responding due to a high probing rate.
|
PAN-266116 | Fixed an issue where URLs did not work due to certificate revocation list (CRL) requests failing.
|
PAN-265900 | Fixed an issue where the firewall stopped responding due to a tund process or SD-WAN process restart.
|
PAN-265791 | Fixed an issue where the all_task process stopped responding, which caused the dataplane to go down.
|
PAN-264982 | (VM-Series firewalls on Kernel-based Virtual Machine (KVM) only) Fixed an issue where the firewall entered maintenance mode after an auto-commit when sending an ARP packet through the loopback interface using an IPv6 address.
|
PAN-264708 | Fixed an issue where a selective push was blocked when a configuration load was done.
|
PAN-262729 | (Panorama appliances only) Fixed an issue where the configd process experienced continuous high CPU utilization and repeatedly restarted.
|
PAN-262373 | Fixed an issue where the error message Failed to reload config files displayed in the system logs even when device telemetry was not enabled.
|
PAN-262372 | Fixed an issue where the firewall generated the error message Successfully generating a new set of config files in the system logs even when device telemetry was not enabled.
|
PAN-262063 | Fixed an issue where the firewall did not display the converted configurations before a commit and reboot, and the commit failed when attempting to migrate from MS to FRR mode.
|
PAN-261597 | Fixed an issue where the all_pktproc process stopped responding, which caused the firewall to become unavailable.
|
PAN-261312 | Fixed an issue where a commit for a policy and configuration dump overlapped, which resulted in a null pointer exception.
|
PAN-261074 | Fixed an issue where the firewall delayed video file transfers over SMB when Exclude Video Traffic from the Tunnel feature was enabled and no applications were added to the list.
|
PAN-260229 | Fixed an issue where HA path monitoring using VWire did not work as expected after a reboot.
|
PAN-259727 | (Panorama appliances in HA configurations only) Fixed an issue where Panorama became unresponsive and displayed a 504 gateway timeout error when accessing the web interface or the CLI.
|
PAN-259610 | Fixed an issue where WildFire content installation failed for WF-500B clusters when deployed from Panorama using the deployment schedule.
|
PAN-258743 | Fixed an issue where, when you attempted to select a redistribution profile when creating a BGP Redistribute policy rule, the firewall displayed an empty dropdown.
|
PAN-258166 | (PA-220 firewalls only) Fixed an issue where the root partition frequently reached 100%.
|
PAN-258162 | (Panorama appliances on AWS environments only) Fixed an issue where IP addresses were not retrieved in Dynamic Address Groups when multiple AND operators were configured.
|
PAN-257183 | Fixed an issue where the firewall dropped DNS traffic when using DNS Security.
|
PAN-256904 | Fixed an issue where the firewall inconsistently blocked URLs due to intermittent URL category misidentification.
|
PAN-256867 | Fixed an issue where the logrcvr process stopped responding while processing session logs for forwarding to the LFC.
|
PAN-255759 | Fixed an issue where the firewall was unable to match HIP data with the correct anti-malware object for Windows Defender.
|
PAN-254904 | Fixed an issue on Panorama where a core file was generated by /usr/local/bin/logd during a restart.
|
PAN-254524 | Fixed an issue on Panorama where, when the Commit and Push button was clicked during a selective Commit and Push operation, the window stopped responding, which caused the operation to be delayed.
|
PAN-253127 | Fixed an issue where, after upgrading to PAN-OS 11.0.2-h3, the hardware pool DFLT became highly utilized, and the packet buffer gradually increased.
|
PAN-251715 | Fixed an issue where the firewall closed the SSL connection to the user ID agent.
|
PAN-243235 | Fixed an issue where Panorama stopped responding and rebooted repeatedly after an upgrade.
|
PAN-193285 | Fixed an issue where the policy optimizer feature did not add entries back to the mongodb database after removing them during an upgrade or downgrade.
|