>
    Strata Copilot
    PAN-OS 11.2.8 Addressed Issues
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. PAN-OS 11.2.8 Known and Addressed Issues
    4. PAN-OS 11.2.8 Addressed Issues
    Download PDF

    PAN-OS 11.2.8 Addressed Issues

    Table of Contents

    PAN-OS 11.2.8 Addressed Issues

    PAN-OS® 11.2.8 addressed issues.
    Issue ID
    Description
    PAN-297240
    Fixed an issue where attempting to generate reports in a WildFire FIPS Private Cloud or WF-500 deployment returned 401 errors.
    PAN-296592
    Fixed an issue where a 404 error occurred when attempting to download a sample file.
    PAN-295049
    Fixed an issue where the logrcvr process stopped responding due to memory allocation errors during Redis communication.
    PAN-294488
    Fixed an issue where certificate data was missing in decryption logs for No decrypt policy rules and TLS1.2 traffic after upgrading, and the Subject Common Name, Issuer Common Name, Certificate Start Date, Certificate End Date, Certificate Serial Number, and Certificate Fingerprint fields were blank in the decryption logs.
    PAN-294436
    Fixed an issue where polling failed for ethernet interfaces due to the physical port counters read from the MAC being 0.
    PAN-294320
    Fixed an issue where the mprelay process repeatedly restarted.
    PAN-293842
    Fixed an issue where the hybrid-SWG service proxy stopped working after upgrading to PAN-OS 11.1.6-h13 due to the firewall failing to establish the listening interface.
    PAN-293673
    Fixed an issue where the firewall stopped all tasks due to an OOM condition caused by a scheduled log export using FTP to an external FTP server.
    PAN-293484
    Fixed an issue where, after upgrading the firewall having an IKE gateway that uses an aggregate ethernet interface in DHCP client mode, the IPSec tunnels went down with the error failed to find a socket for retransmission.
    PAN-293287
    (Panorama virtual appliances in FIPS mode only) Fixed an issue where plugin installs failed with the error invalid image after manually uploading the plugin package from the Customer Support Portal (CSP).
    PAN-292503
    Fixed an issue on the firewall where the source and destination NAT IP addresses did not display in traffic and threat logs.
    PAN-292344
    Fixed an issue where the firewall rebooted multiple times after an upgrade if the config contained an EDL (External Dynamic List) that didn't have an associated certificate profile.
    PAN-292202
    Fixed an issue where the system logs repeatedly displayed the alert Clearing snmpd.log due to log overflow due to the SNMP counters rolling over.
    PAN-291973
    Fixed an issue where the Advanced Routing Engine stopped responding when a route-map was configured to match on a metric with a value of 0.
    PAN-291631
    (VM-Series firewalls on Amazon Web Services (AWS) only) Fixed an issue where the firewall frequently rebooted.
    PAN-291593
    (Firewalls in active/passive HA configurations only) Fixed an issue where, when the passive firewall was down and the idmr process was reset, the firewall generated the system log User-ID manager was reset. Commit is not required to reinitialize User-ID, even though the idmr process restart was not successful.
    PAN-291499
    ( VM-Series firewalls on Amazon Web Services (AWS) envirobments only) Fixed an issue where newly deployed firewalls were unable to connect to the Palo Alto Networks Software License Server (SLS) until after a reboot, license fetch, or management server restart.
    PAN-291456
    Fixed an issue where the custom completer for device groups and templates received the device group name and template name from the running configuration instead of the candidate configuration.
    PAN-291306
    Fixed an issue on the Panorama web interface where you were unable to override the primary or secondary DNS server address in the template stack.
    PAN-291288
    Fixed an issue where the firewall rebooted unexpectedly due to a pan_task process restart related to page allocation failures.
    PAN-291283
    Fixed an issue on Panorama where a memory leak associated with the configd process occurred during commits, which caused the configd process to restart and the commit to fail.
    PAN-291273
    Fixed an issue where a PA-VM-Flex firewall in an air-gapped environment failed to install the license when bootstrapping after a factory reset when the ISO image contained a PAN-OS image.
    PAN-291124
    (Firewalls with multi-vsys enabled only) Fixed an issue where an XML API call to get the running Security policy rules returned only the first Security policy rules.
    PAN-291094
    Fixed an issue the firewall experienced packet descriptor on chip and buffer spikes, which led to dropped traffic due to an unidentified traffic pattern.
    PAN-291060
    Fixed an issue where commits failed due to the configured connected gateway IPv6 address in the NAT64 policy exceeding the 31 character limit.
    PAN-290998
    (Firewalls on Microsoft Azure environments only) Fixed an issue where management plane CPU usage was unexpectedly high for netsec firewall.
    PAN-290996
    Fixed an issue where SNMP walks returned a value of 0 for the CPS (Connections Per Second) per vsys on firewalls after upgrading to PAN-OS 11.1.6-h3, even when active connections were present.
    PAN-290923
    (Panorama virtual appliances only) Fixed an issue on the web interface where you were unable to export the Threat Map.
    PAN-290900
    Fixed an issue where Panorama in FIPS-CC mode failed to push IKEv2 Post-Quantum Pre-Shared Key (PQ PPK) configurations to firewalls that were not in FIPS-CC mode.
    PAN-290702
    Fixed an issue where Log Quotas incorrectly displayed a value that was higher than possible.
    PAN-290694
    Fixed an issue on the Panorama web interface where you were unable to push shared objects to devices if an HA failover occurred during a configuration push.
    PAN-290691
    Added the CLI command set system setting ctd h323_rtp_predict timeout to increase the maximum timeout limit from 3600 seconds to 65535 seconds.
    PAN-290449
    Fixed an issue where, when multiple scheduled vulnerability reports were were sent in the same email, only the first attached report was displayed.
    PAN-290241
    Fixed an issue where the useridd process became unresponsive, which caused User ID CLI commands to time out.
    PAN-290191
    Fixed an issue where BGP learned routes were not advertised when Legacy Routing was used and an export policy rule was configured to match the next hop of the learned route.
    PAN-290157
    Fixed an issue on Panorama where the configd process stopped responding when filtering in the Config Audit window, which caused Panorama to restart unexpectedly.
    PAN-290088
    Fixed an issue where a memory leak occurred related to the configd process when pushing configurations from Panorama to a firewall. This occurred when the configurations contained shared policy rules.
    PAN-290074
    Fixed an issue where IPv6 URLs were incorrectly categorized as private-ip-addresses even if the URL had a valid category. This occurred because the firewall did not check for IPv6 addresses when determining if an IP address was private.
    PAN-289895
    Fixed an issue where, when SSL decryption was enabled, traffic matching a deny rule was incorrectly allowed until the SSL handshake was complete.
    PAN-289859
    (Panorama virtual appliances only) Fixed an issue where Panorama failed to mount logging disks larger than 2TB due to a partitioning error.
    PAN-289826
    Fixed an issue on Panorama where a selective push of policy rule changes to a firewall caused the firewall to lose its Security policy rules.
    PAN-289803
    Fixed an issue on the firewall where AIPOs and ADEM licenses failed when SD-WAN or GlobalProtect licenses were not present.
    PAN-289763
    (PA-5400f firewalls only) Fixed an issue where SD-WAN SaaS monitoring did not work with URL monitoring.
    PAN-289714
    (Prisma Access only) Fixed an issue where persistent commit failures occurred due to a missing transformation script when downgrading from PAN-OS 10.2.0 to PAN-OS 10.1.0.
    PAN-289652
    Fixed an issue related to external URL lists where pushing configuration changes from Panorama failed.
    PAN-289573
    Fixed an issue on Panorama where the web interface became unresponsive when attempting to edit the Allow traffic to specified FQDN when Enforce GlobalProtect Connection for Network Access setting in a GlobalProtect portal configuration after adding 40 or more FQDN entries.
    PAN-289532
    Fixed an issue where, when the Advanced Routing Engine was enabled, PIM (Protocol Independent Multicast) neighborship was not established concurrently on multiple interfaces.
    PAN-289406
    Fixed an issue where, when redistributing User-ID information between firewalls, the receiving firewall incorrectly received and stored duplicate Host Information Profile (HIP) profiles. This occurred when a GlobalProtect gateway redistributed User-ID and HIP information through an intermediate firewall.
    PAN-289405
    (VM-Series firewalls only) Added the CLI command no-refresh-discard-session to address an issue where the discarded session time to live (TTL) did not refresh at the default value.
    PAN-289383
    Fixed an issue where the MPLS interface eth1/6 went down and remained down, even after replacing the SFP with a supported one and adjusting duplex and speed settings.
    PAN-289320
    Fixed an issue where External Dynamic List (EDL) entries for predefined lists were not visible in Panorama when logged in with a SuperUser Read-Only role.
    PAN-289304
    (PA-7500 firewalls only) Fixed an issue where SNMP polling failed due to the snmpd process becoming unresponsive to incoming requests, which resulted in high CPU usage.
    PAN-289301
    Fixed an issue on the Panorama web interface where a template name or device group name displayed invalid text.
    PAN-289268
    Fixed an issue where internet access through Secure Web Gateway (SWG) proxy nodes did not work when the default internet access policy rule source user was not known-user.
    PAN-289239
    Fixed an issue on Panorama where a new virtual system (vsys) was automatically created with the name of a device group.
    PAN-289226
    (Firewalls in HA active/passive configurations only) Fixed an issue where the firewalls experienced high dataplane CPU use when NAT64 was enabled. This occurred due to NAT64 traffic not being offloaded and unnecessary HA session updates being sent for every NAT64 packet.
    PAN-289109
    Fixed an issue where the Panorama web interface was slower than expected during configuration operations and a configuration lock time out occurred during a commit.
    PAN-288988
    Fixed an issue on Panorama where, after logging in to the web interface as the ZTP installer administrator, the web interface was blank.
    PAN-288939
    Fixed an issue where the logrcvr process stopped responding due to an invalid SSL context being used for socket communication, which caused commits to fail.
    PAN-288893
    (Firewalls in multi-vsys configurations only) Fixed an issue where HTTP/2 traffic failed due when one virtual system (vsys) had a decryption policy rule enabled and another vsys had a no-decrypt policy rule for the same session.
    PAN-288731
    Fixed an issue where the firewall incorrectly allowed traffic for certain applications when no decryption policy rule was configured.
    PAN-288726
    Fixed an issue where the useridd process stopped responding due to a Security policy rule ID being set to 0, which caused the last configuration retrieval to fail.
    PAN-288693
    Fixed an issue where importing a device configuration into Panorama failed with a validation error if the configuration included a shared gateway with shared address objects.
    PAN-288617
    Fixed an issue where the firewall attempted to connect to wildfire.paloaltonetworks.com when a user downloaded a WildFire PDF report from the CSP/WF portal even if the user was not behind the firewall.
    PAN-288529
    Fixed an issue where the firewall failed to forward critical system logs to Strata Logging Service due to a reboot.
    PAN-288432
    Fixed an issue where, when Advanced Routing Engine was enabled firewalls configured with multiple logical routers, static routes were preferred over eBGP routes even though the static routes had a higher administrative distance.
    PAN-288427
    Fixed an issue on Panorama where commit jobs were not queued and the system reported that the useridd was not connected.
    PAN-288426
    (M-600 Panorama appliances in Log Collector mode in a Log Collector group only) Fixed an issue where the reportd and logd processes stopped responding, which resulted in the Panorama server not receiving logs from firewalls configured under the Log Collector group.
    PAN-288158
    (VM-Series firewalls only) Fixed an issue where the firewall became inaccessible via the web interface and SSH and remained in an initializing state.
    PAN-288140
    Fixed an issue where the debug dataplane sync ippool CLI command output incorrectly included reserved ports.
    PAN-288097
    (Firewalls in HA configurations only) Fixed an issue where on the firewall where the routed process stopped responding after changing the MTU or any link state parameters when OSPF and PIM were enabled on the same interface.
    PAN-287978
    Fixed an issue where a directly connected interface or aggregate interface did not appear in the routing table, which caused ping failures to the directly connected interface.
    PAN-287921
    (VM-Series firewalls only) Fixed an issue where the maximum registered IP address for was incorrectly set to 100,000 instead of the expected 500,000.
    PAN-287842
    Fixed an issue where the comm process stopped responding due to missing heartbeats, which resulted in a system alert and HA communication loss on slot1.
    PAN-287838
    (Panorama appliances only) Fixed an issue on the web interface where resetting the rule hit counter for multiple policy rules failed with the error message Failed to reset rule-hit job.
    PAN-287765
    Fixed an issue where SAML authentication failed, which caused the GlobalProtect client to repeatedly attempted to reconnect.
    PAN-287734
    Fixed an issue where the error message Scan ERR: Internal Err 1002 was generated unexpectedly when WIF shared memory use was high.
    PAN-287688
    Fixed an issue where the firewall failed to connect to the Palo Alto Networks update server when using a customized service route with the source interface as MGT.
    PAN-287621
    Added debug logs for an issue where a slow IP address pool NAT leak occurred when persistent NAT was enabled, which led to NAT IP pool exhaustion.
    PAN-287611
    Fixed an issue where, after upgrading, the firewall incorrectly calculated the UDP checksum for RTP traffic after NAT and Security policy application, which led to dropped packets and silent calls in applications.
    PAN-287601
    Fixed an issue on Panorama where commits took longer than expected.
    PAN-287584
    Fixed an issue on the web interface where the address object pop up window only displayed a maximum of four address objects in the policy rule even after expanding the window.
    PAN-287558
    Fixed an issue on the firewall where the QSFP-40G-SR-BD transceiver was incorrectly flagged as an unsupported SFP.
    PAN-287548
    Fixed an issue where Security policy rules that had the same parameters were not detected as shadow rules on commit.
    PAN-287423
    Fixed an issue where content loading issues occurred on IPv6 websites due to the firewall incorrectly setting the IPv6 header flow label to 0.
    PAN-287394
    (CN-Series firewalls only) Fixed an issue where the firewall generated critical system log alerts every 3 minutes.
    PAN-287314
    Fixed an issue with firewalls in active/passive HA configurations where an OOM condition occurred and caused a failover due to a memory leak associated with the logrcvr process.
    PAN-287272
    Fixed an issue on the firewall were fan alarms were incorrectly generated constantly.
    PAN-287154
    Fixed an issue on the firewall where the show advanced-routing bgp loc-rib-detail CLI command incorrectly displayed no BGP route when multiple BGP peers were enabled. With this fix, the CLI command requires a peer name to be specified to display local RIB details.
    PAN-287133
    Fixed an issue on the Panorama web interface where assigning a policy rule to a group at the top or bottom of the list changed the order of other policy rules.
    PAN-287056
    Fixed an issue where BGP export policy rules with next-hop matching failed to block the advertisement of static routes, and the firewall incorrectly matched the egress interface IP address instead of the original next-hop IP address of the static route, which caused the deny rule to fail.
    PAN-287035
    Fixed an issue where, when an application stopped responding, a large file was created in the /opt/panlogs directory, which caused the partition to fill up.
    PAN-287023
    Fixed an issue where a large number of logs caused the logrcvr process to stop responding.
    PAN-286931
    Fixed an issue where syslog forwarding in PAN-OS 11.1 and later releases did not support service routes when performing certificate validation over TLS.
    PAN-286922
    Fixed an issue where user-to-IP address mappings were not available on the dataplane for User-ID, which prevented the enforcement of user-based Security policy rules. This was due to the firewall not validating the timestamp of mappings received from certain User Identification Agent (UIA) agents before adding them to the dataplane.
    PAN-286899
    Fixed an issue where the device-group-tags CLI command used an unnecessary configuration read lock.
    PAN-286832
    (VM-Series firewalls only AWS environments only) Fixed an issue where the firewall did not send ICMP unreachable - Fragmentation Needed message when it received packets larger than the MTU.
    PAN-286818
    Fixed an issue where closing an SSH session to a Panorama using Ctrl+D did not generate a log message in the system logs, and the session remained in an idle state for 60 minutes before being automatically terminated.
    PAN-286789
    (Panorama virtual appliances in HA configurations on Microsoft Azure environments only) Fixed an issue where plugin versions displayed when hovering over the Green Match icon were inconsistent even though the web interface reported the versions as matching.
    PAN-286734
    (PA-5450 firewalls only) Added uplink counters to enhance debug capability for traffic drops.
    PAN-286673
    (Panorama appliances only) Fixed an issue where the Require SSL/TLS secured connection in the LDAP profile within the template stack did not take effect after overriding the configuration. This occurred even when the setting was enabled multiple times.
    PAN-286669
    (PA-5410 and PA-5430 firewalls only) Fixed an issue where SFP28 25G ports using S28-25G-LR transceivers did not come up after an upgrade when Forward Error Connection (FEC) was disabled on the ports.
    PAN-286576
    Fixed an issue where the all_pktproc process restarted, which caused heartbeat failures to occur and a slot to go down due to path monitor failure.
    PAN-286534
    Fixed an issue where a multi-vsys firewall was unable to retrieve address groups and address objects pushed from Panorama as shared objects when using the REST API.
    PAN-286492
    Fixed an issue on Panorama where logs were not forwarded to syslog servers due to missing CLI options to configure the syslog queue size and threads.
    PAN-286475
    Fixed an issue where the option to sort sequence numbers was missing from Filters prefix list in the advanced routing filters.
    PAN-286443
    Fixed an issue where, after an upgrade, the firewall was unable to be managed via HTTPS or SSH.
    PAN-286306
    Fixed an issue where, when getting transceiver information from ESCC for SFP 25G modules, the transceiver code was incorrectly updated with Unknown instead of 25GBase-SR.
    PAN-286299
    Fixed an issue on firewalls running PAN-OS 11.1 releases where, after being offboarded from Panorama, the firewall XML configuration file retained template information from the previous Panorama configuration. As a result, when the firewall and its configuration were imported to another Panorama appliance, all configurations in the Network and Device tab became read-only.
    PAN-286231
    Fixed an issue where a simultaneous selective push from Panorama to multiple firewalls with different base configurations resulted in configuration corruption, which caused the firewall to go down.
    PAN-286180
    (Firewalls in HA configurations only) Fixed an issue where, after a failover, an SSH decryption caused a mismatch in the host key, which resulted in a warning message. This issue occurred because the SSH tunnel keys were not synchronized between the active and passive firewalls.
    PAN-286037
    Fixed an issue where the firewall stopped processing traffic.
    PAN-286034
    Fixed an issue where the XML API returned an error when attempting to view debug log receiver statistics.
    PAN-285834
    Fixed an issue on Panorama where Policy recommendation displayed Unable to read data for certain profiles due to a large response size.
    PAN-285818
    Fixed an issue where a tool was needed to display leaked NAT port numbers without requiring a forced synchronization.
    PAN-285759
    Fixed an issue where the configd process stopped responding during a selective push after a move and rename operation when the configuration was performed via the CLI.
    PAN-285680
    Fixed an issue where firewalls entered a boot loop after receiving a HSM configuration template push from Panorama.
    PAN-285623
    Fixed an issue where the configd process restarted and generated a core file during an HA sync commit job. This occurred when the firewall was in the HA passive state.
    PAN-285615
    Fixed an issue where, when the firewall acted as an IKEv2 responder with fragmentation enabled, the firewall did not send the Notify message type 16430 “IKEV2_FRAGMENTATION_SUPPORTED” in the IKE_SA_INIT exchange. This prevented the remote peer from fragmenting subsequent IKEv2 messages.
    PAN-285591
    Fixed an issue where the Panorama web interface did not display a warning message when a collector group was configured with a 2 node cluster.
    PAN-285436
    Fixed an issue where a selective push from Panorama caused the firewall Security policy rules to be removed on firewalls associated with the device group. This occurred when the base configuration version chosen for the selective push preceded the device config import operation, which caused the imported configuration to not be included in the pushed configuration.
    PAN-285325
    Fixed an issue on Panorama where tags were not automatically populated in the Security policy rule when searching by name in the tag field.
    PAN-285298
    Fixed an issue where the firewall became unresponsive when the show user user-ids user all CLI command was executed repeatedly on large scale LDAP group mappings, and you were unable to connect to the gateways with the error message The network connection is unreachable or the gateway is unresponsive. Check the network connection and reconnect.
    PAN-285285
    Fixed an issue where commits remained at 98% completion when static route configuration cleanup was in progress.
    PAN-284907
    Fixed an issue where the Panorama web interface displayed No Data when viewing configuration logs to see changes before and after a configuration change.
    PAN-284878
    (Firewalls in active/passive HA configurations only) Fixed an issue where commits failed due the useridd process restarting.
    PAN-284866
    Fixed an issue where the LFC failed to validate Certificate Revocation Lists (CRL) for SSL syslog connections, which caused a failure to forward logs to external syslog servers.
    PAN-284840
    (PA-5220 firewalls only) Fixed an issue where custom reports were delayed when sent via email instead of being sent at the scheduled time.
    PAN-284717
    Fixed an issue where a PBF (Policy Based Forwarding) policy rule using an AE (Aggregate Ethernet) interface configured with DHCP as the egress interface incorrectly transitioned to an active state after a commit operation, even when the DHCP lease had expired and the interface had no assigned IP address.
    PAN-284527
    Fixed an issue where, when a firewall had more than 4,400 logical interfaces, commits failed with the error message Error pre-installing config failed to handle CONFIG_COMMIT.
    PAN-284441
    Fixed an issue where, after upgrading the firewall, GlobalProtect connections failed with the error message Network Connection is unreachable.
    PAN-284380
    Fixed an issue where committing a custom report in Panorama incorrectly generated a pending push to devices.
    PAN-284283
    Fixed an issue on Palo Alto Networks firewalls running PAN-OS 11.1.6 where the CLI command traceroute ipv4 yes host <host> failed with a missing argument error message.
    PAN-284184
    (VM-Series firewalls with Advanced Routing Engine enabled only) Fixed an issue where the frr_ns2_bgpd process repeatedly restarted after committing a configuration that included the same route-map in both the exist and non-exist clauses of a conditional advertisement or when the same route-map was used in both the Advertise-out and conditional exist out map configurations.
    PAN-284176
    Fixed an issue where QoS throughput limits were not enforced correctly on aggregate ethernet interfaces. As a result, when QoS was enabled on aggregate interfaces, the subnet index was not handled correctly, which caused traffic shaping to be misdirected.
    PAN-284090
    Fixed an issue where GlobalProtect (GP) portal authentication for satellites using RADIUS authentication failed due to the authentication timeout value being set to 0.
    PAN-284069
    Fixed an issue where, after an upgrade, the total number of logout records in the HIP database incorrectly displayed as zero.
    PAN-284067
    Fixed a cumulative memory leak in the devsrvr process that occurred whenever the CLI command show running application statistics was issued. This memory leak would gradually consume system memory and produce an out-of-memory (OOM) condition, causing the firewall to reboot.
    PAN-284003
    Fixed an issue where clients did not receive a valid response when searching a website due to a compression error.
    PAN-283979
    Fixed an issue where the firewall became non-functional due to high root partition use.
    PAN-283954
    Fixed an issue where the configd process stopped responding due to a circular reference between address groups.
    PAN-283936
    (Panorama appliances only) Fixed an issue where the configd process intermittently restarted, which caused Panorama to be temporarily unavailable.
    PAN-283864
    Fixed an issue where DNS Security Category exceptions created with DNS category UTID were not ignored.
    PAN-283741
    Fixed an issue where HTTP/2 child streams were blocked by strict-ip-check zone protection when traffic passed through a transparent proxy.
    PAN-283613
    Fixed an issue on the web interface where the IP Tag Quota(%) value displayed as 2 even when changed.
    PAN-283575
    Fixed an issue where iPerf file transfers between a client and server were slower than expected when the firewall was involved in the traffic flow due to cfg.uplink-buffer-resize not being enabled by default.
    PAN-283563
    Fixed an issue where the GlobalProtect gateway firewall intermittently failed to assign an IP address to GlobalProtect clients from the DHCP server, even after successfully receiving a DHCP offer. This occurred when the DHCP retry and timeout settings were overwritten due to parsing results being stored in the same variable, which caused the last gateway configuration to take effect.
    PAN-283544
    Fixed an issue where a failover event caused packet loss due to a delay in the child error indication.
    PAN-283524
    Fixed an issue where commits failed when a certificate with a cryptographic setting of RSA 4096 was used in the Syslog Service Profile due to the firewall being unable to decrypt the private key due to an incorrectly hardcoded private key length.
    PAN-283522
    Fixed an issue where the SAML single log out (SLO) URL was not correctly displayed in the web interface after it was changed in the SAML profile.
    PAN-283333
    Fixed an issue where threat logs displayed logs from the N/A threat category when a random string was used for the category-of-threatid filter in threat logs.
    PAN-283316
    Fixed an issue where a software download job reported a completion timestamp that occurred before the software loading process was finished.
    PAN-283304
    Fixed an issue where the OSPFv3 area nssa default-information-originate CLI command was not applied due to a configuration error in the backend advanced-routing stack.
    PAN-283206
    Fixed an issue where configuring an HTTP profile to send Webhook alerts to Microsoft Teams failed with a 400 Bad request error when clicking Send Test Log.
    PAN-283168
    Fixed an issue related to syslog forwarding that caused the logrcvr process stopped responding.
    PAN-283165
    Fixed an issue where the Panorama web interface was slower than expected after a period of inactivity due to the Panorama management server unnecessarily reading the running-config.xml file.
    PAN-283138
    Fixed an issue where the reportd process stopped responding when exporting CSV files when decryption logs were included in the unified logs.
    PAN-283004
    Fixed an issue where the firewall bypassed Content Threat Detection (CTD) for sessions with STARTTLS large client hello out-of-order with No Decrypt.
    PAN-282607
    Fixed an issue where the DHCP process stopped responding when the firewall was configured as a DHCP relay agent.
    PAN-282578
    Fixed an issue where ping commands from both the management plane and dataplane interfaces incorrectly prioritized IPv6 addresses over IPv4 addresses, even when IPv6 was disabled. This caused connectivity issues when pinging FQDNs that resolved to IPv6 addresses.
    PAN-282571
    Fixed an issue where the Border Gateway Protocol (BGP) established time was displayed inaccurately due to a 32-bit counter wrapping issue.
    PAN-282533
    Fixed an issue where firewalls in air-gapped environments attempted to connect to a Google IP address for Machine Learning AV (MLAV) functionality, even when MLAV was not licensed or configured.
    PAN-282454
    Fixed an issue where, when you added the Virtual System Name column under Unified Logs, the column did not remain visible in the table if you closed and re-opened the tab.
    PAN-282277
    Fixed an issue where an OOM condition on the logrcvr process caused interface flapping, and the interface unexpectedly went down and then recovered without intervention.
    PAN-281797
    Fixed an issue where firewalls became unstable and stopped responding, which resulted in an OOM condition.
    PAN-281776
    Fixed an issue on the Panorama web interface where the error message PPPoEv6 Client Interface cannot be enabled with DHCPv6 client was generated when overriding aggregate interfaces even when no DHCPv6 or PPPoE was configured.
    PAN-281596
    Fixed an issue where, when the firewall was configured as an explicit proxy, connections were intermittently dropped.
    PAN-281576
    Fixed an issue where SNMP traps messages were not sent after system startup.
    PAN-281488
    Fixed an issue where searching configuration logs for an audit_uuid did not return a result if the rule was created with a clone operation.
    PAN-281294
    Fixed an issue where, after an authd process restart, the username, password, and source IP address displayed in plain text on the console when attempting to log in via the web interface.
    PAN-281198
    Fixed an issue on Panorama managed firewalls where, when the service route configuration was set to VLAN as the source, attempting to import the variable CSV into the template resulted in the validation error Failed to parse variable configuration file. This issue occurred because the system incorrectly validated the VLAN interface name in the service route configuration within the template.
    PAN-281096
    Fixed an issue on HA clusters where, when link and path monitoring was configured and the failover condition was set to all, disconnecting and reconnecting monitored ethernet ports caused the firewall to switch to a nonfunctional role, which resulted in all interfaces except the HA interface going down.
    PAN-281017
    Fixed an issue where shared objects were displayed in the Push Scope after pushing the configuration from Panorama to managed firewalls.
    PAN-280910
    Fixed an issue on firewalls with Advanced Routing Engine enabled where BGP route maps were not correctly configured for IPv6 next-hop selection. The firewall rejected the IPv6 configuration provided as the next hop due to an incorrect command sent to FRR (Free Range Routing).
    PAN-280901
    Fixed an issue where DHCP Based IP Address Assignment for Global protect failed when the management interface was configured to receive its own IP address from DHCP.
    PAN-280695
    Fixed an issue where all data interfaces went down due to a Forward Error Correction (FEC) mode mismatch. The firewall defaulted to FEC Auto mode, while the peer Cisco switch was configured for FC-FEC.
    PAN-280409
    Fixed an issue where the popup window did not appear as expected for Clientless VPN users.
    PAN-280302
    Fixed an issue where the show session cache CLI command was unavailable on VM-Series firewalls with VM license types smaller than VM-200 when session resiliency was enabled.
    PAN-280101
    Fixed an issue where set and edit commands took longer than expected when adding address objects with a large number of dynamic groups due to the completion cache being enabled. With this fix, the completion cache is disabled by default.
    PAN-280099
    Fixed an issue in the URL filtering logs where the columns and the displayed contents did not match.
    PAN-280013
    Fixed an issue where User-ID custom reports were unable to exclude IP address 0.0.0.0 when using the filter ip notin 0.0.0.0.
    PAN-279829
    Fixed an issue where NAT pool leaks occurred during a test when RTSP traffic hit NAT rules.
    PAN-279706
    (M-600 appliances only)) Fixed an issue where Panorama did not update all panreplay database entries after performing a commit and full push to all devices.
    PAN-279690
    Fixed an issue where the all_pktproc process stopped responding, which caused the firewall to unexpectedly restart.
    PAN-279647
    Fixed an issue where threat names were displayed differently on the web interface and the exported CSV file.
    PAN-279584
    Fixed an issue where, during software deployment from Panorama to multiple firewalls, some firewalls did not automatically reboot after the upgrade, even when Reboot device after install was selected. This was due to the Panorama timing out before the software deployment completed on the affected firewalls, which prevented the reboot request from being sent.
    PAN-279415
    Fixed an issue where service routes configured to use a data plane interface incorrectly used the management plane interface for traffic transmission. This issue affected syslog and CRL status traffic when a custom service route was not configured.
    PAN-279366
    Fixed an issue where the firewall used an unnecessary configuration lock when running operational commands.
    PAN-279209
    Fixed an issue where changes made to the management interface permitted IP address list in a global template were not pushed to the template stack or firewalls.
    PAN-279195
    Fixed an issue on Panorama where Device Health displayed the device memory as 0%.
    PAN-278836
    Fixed an issue where, after an upgrade, GlobalProtect attempted to use the embedded browser instead of the default browser for gateway authentication even when it was configured to use the default browser.
    PAN-278628
    (Firewalls in HA configurations only) Fixed an issue where the configd process restarted during a configuration push from Panorama, which caused the active firewall to lose management access for 20-30 minutes.
    PAN-278507
    Fixed an issue where the OCSP Signing purpose was not included in the Extended Key Usage field when a certificate was generated on the firewall with the OCSP responder called in the certificate. This caused the GlobalProtect connection to fail with the error Missing OCSP signing purpose in the ExtendedKeyUsage.
    PAN-278364
    Fixed an issue where a stack overflow occurred when the DNS domain name length exceeded 255 characters.
    PAN-278288
    Fixed an issue where IPv6 BGP peering established between virtual routers even without dataplane connectivity. This occurred because the firewall used the kernel for lookups instead of the dataplane.
    PAN-278276
    Fixed an issue on Panorama where custom reports displayed an incorrect log count with critical severity when the report filter was built with and without explicitly specifying severity as critical.
    PAN-278126
    Fixed an issue where the number of registered IP Tags on Panorama did not match the number of registered IP Tags on the managed firewalls due to a change in file format between PAN-OS releases.
    PAN-277987
    (VM-Series firewalls in AWS environments only) Fixed an issue where HA failover mode incorrectly changed from interface move to secondary IP move after a reboot.
    PAN-277759
    Fixed an issue where Panorama failed to upgrade due to duplicate path-monitor names configured across different static routes within the same virtual router or logical router.
    PAN-277755
    Fixed an issue that caused the request system private-data-reset CLI command to fail.
    PAN-277682
    Fixed an issue where moving an address object from a device group to shared and renaming it did not reflect in the address group, which caused commits to fail.
    PAN-277617
    Fixed an issue where deleting the NTP server address caused a commit validation error. This occurred when the configuration included both primary and secondary NTP servers and the secondary server was removed.
    PAN-277306
    Fixed an issue where the XML API and REST API failed to run commands with an error.
    PAN-277162
    Fixed an issue where random characters were added to the proxy_authorization in HTTP messages when the firewall accessed certain services through a configured proxy server. This caused proxy server authentication to intermittently fail.
    PAN-277034
    Fixed an issue where WildFire reports were not fully displayed and were not downloadable due to static resources not being found.
    PAN-277018
    Fixed an issue where FTP data connections did not work for EPRT with Source IP + Port translation enabled on the firewall.
    PAN-277000
    Fixed an issue where the firewall stopped responding after upgrading to PAN-OS 11.0.2 with lockless-qos enabled.
    PAN-276961
    Fixed an issue where adding an SD-WAN interface profile to an overridden interface on a template stack failed with an sdwan-interface-profile is invalid error.
    PAN-276936
    Fixed an issue where the CLI command syntax was incorrect when configuring the deviceconfig values from the Template Stack.
    PAN-276862
    Fixed an issue on Panorama where the logd process stopped responding unexpectedly.
    PAN-276795
    Fixed an issue where the GlobalProtect client displayed an error message when you clicked Check Now and Preferred Releases and Base Releases were unchecked (Device > Software).
    PAN-276694
    Fixed an issue where the firewall unexpectedly rebooted when the show dns-proxy ddns interface name all CLI command was executed with the error Server error: op command for client dnsproxyd timed out as client is not available.
    PAN-276616
    Fixed an issue on the firewall where half-duplex settings on Ethernet were not visible.
    PAN-276599
    Fixed an issue where the password expiry prompt was not visible when logging in via the web interface.
    PAN-276491
    (Panorama virtual appliances only) Fixed an issue where Panorama stopped responding when running reports.
    PAN-276484
    Fixed an issue where Panorama did not display license information for Cloud NGFW firewalls under (Device Deployment > Licenses) due to the inability to perform batch-license refreshes.
    PAN-276412
    Fixed an issue where you were unable to download XML files from Panorama > Summary > Backups.
    PAN-276352
    Fixed an issue where multicast flows were dropped due to a missing sysd variable for maximum multicast routes.
    PAN-276321
    Fixed an issue where User-ID mappings were not correctly redistributed from Panorama to firewalls, causing some users to be identified as unknown, which prevented access to resources based on AD group membership.
    PAN-276144
    Fixed an issue on the web interface where the Response Page action column was not accessible.
    PAN-276033
    Fixed an issue on Panorama managed firewalls where SAML identity provider and Clientless Apps objects did not have override or revert options.
    PAN-276000
    (Firewalls in HA configurations only) Fixed an issue where the confgid process and mgmtsrvr process restarted daily when processing a show rule-hit-count CLI command when retrieving Security policy rules for vsys1.
    PAN-275653
    Fixed an issue where the Log Collector service did not start on a new Log Collector appliance added to a Log Collector group. As a result, the new Log Collector appliance did not appear in the cluster and the number of nodes in the cluster was incorrect.
    PAN-275601
    Fixed an issue where, when Panorama was not internet connected and you attempted to upload images to managed firewalls using the Validate option, the upload failed with the error Failed to create multi-upload job. No valid software deploy targets found.
    PAN-275451
    (Panorama appliances only) Fixed an issue where sequence numbers were lost when forwarded from Panorama, which resulted in missing or lost logs.
    PAN-275272
    Fixed an issue where a dataplane restart was not triggered as expected when internal packet path monitoring failure occurred.
    PAN-275089
    Fixed an issue where a devsrvr process restart caused commits to fail due to cloud app validation, which resulted in WildFire installs failing.
    PAN-275050
    Fixed an issue where the Japanese translation for the URL filtering option to add a trailing slash to entries and the device license status error was incorrect.
    PAN-275026
    Fixed an issue where you were unable to to adjust the frequency of the Advanced Cloud Explorer (ACE) cloud fetch via the CLI.
    PAN-274907
    Fixed an issue on Panorama where Config Audit Commit Date displayed the timestamp of the configuration edit instead of the commit time.
    PAN-274650
    Fixed an issue where the firewall did not perform certificate expiry validation during a commit, which resulted in successful authentication even when an intermediate certificate had expired.
    PAN-274622
    Fixed an issue on the Panorama web interface where GlobalProtect client images were not exported via SCP.
    PAN-274333
    Fixed an issue where the Logging Service License Status displayed as red even though a valid license was installed on the firewall.
    PAN-274292
    (M-600 Appliances only) Fixed an issue where the web interface was slow when logging in and filtering for policies due to deep search operations taking longer than expected.
    PAN-274213
    Fixed an issue where the firewall did not properly update incremental update data maintained at the management plane when an IP address was part of both a Dynamic Address Group and an External Dynamic List (EDL). This resulted in the firewall not matching the expected Security policy rule and threat signature.
    PAN-274207
    Fixed an issue where Global Search did not redirect correctly to routing profiles when searching for their names.
    PAN-274086
    Fixed an issue where the firewall incorrectly assembled SIP NOTIFY and REFER messages when processing SIP TCP packets that contained a partial content-body from a previous SIP message and a complete header and content-body from the next SIP message.
    PAN-274064
    Fixed an issue on Panorama where the request batch license info CLI command displayed entries for devices that were no longer attached to Panorama.
    PAN-274038
    Fixed an issue where you were unable to use the s_encrypted field in custom reports for the Panorama threat log database.
    PAN-273991
    Fixed an issue where the transmit power for a cable that was used on port 44 displayed as N/A.
    PAN-273969
    Fixed an issue where the Panorama interface template did not include the Forward Error Correction (FEC) setting.
    PAN-273963
    Fixed an issue where GlobalProtect health information (HIP) did not display the certificate key usage.
    PAN-273947
    Fixed an issue where the displayed group name differed depending on whether the group was configured locally on the firewall or through Panorama.
    PAN-273805
    Fixed an issue where SAML authentication for GlobalProtect failed when the GlobalProtect portal was accessed externally on a non-standard port.
    PAN-273589
    Fixed an issue where firewalls configured with a VPN tunnel stopped responding when a configuration update was applied.
    PAN-273010
    Fixed an issue where the configuration version did not increment in the Audit Comment Archive after making changes to the Security policy rule with an audit comment and performing a commit. As a result, all subsequent changes were grouped under the same configuration version, which prevented the comparison of changes in the Rule Changes field of the Security policy rule.
    PAN-273008
    (PA-5400 firewalls only) Fixed an issue where frequent BGP/BFD flaps occurred and HA2 keep-alives went down.
    PAN-272998
    Fixed an issue where commits from Panorama to VM-Series firewalls on Microsoft Azure environments failed.
    PAN-272796
    Fixed an issue where you were unable to export the GlobalProtect client software version to the SCP server.
    PAN-272790
    Fixed an issue on the Panorama web interface where administrators were unable to export GlobalProtect client images and received an scp export failed error. This was due to the system attempting to retrieve the file from an incorrect directory.
    PAN-272743
    Fixed an issue where non-captive portal traffic was not visible under Traffic Logs when the traffic was denied by an authentication rule and the session was discarded.
    PAN-272726
    Fixed an issue on the web interface where the URL Filtering change category feature did not work.
    PAN-272505
    Fixed an issue where GlobalProtect cookie authentication failed with the error User is not in allow list.
    PAN-272469
    Fixed an issue where the DNS exception displayed 0 instead of no result in the anti-spyware profile when no threat ID was available for a DNS Security category.
    PAN-272408
    (PA-1420 firewalls only) Fixed an issue where the firewall reported unsupported SFPs when PAN-SFPPLUS10GBASE-T SFPs were used on ports Ethernet 1/21 and 1/22.
    PAN-272178
    Fixed an issue where the firewall displayed packet buffers between 18 and 19 even when there was little or no traffic.
    PAN-272172
    Fixed an issue where plugin_api_server could experience a memory leak when using OpenConfig for telemetry.
    PAN-271810
    Fixed an issue where auto-negotiation advertised and negotiated 10/100 half and full duplex.
    PAN-271637
    Fixed an issue where the firewall did not increase the metric of the default route when redistributed into OSPF when the firewall was configured as an NSSA ABR.
    PAN-271636
    (PA-1400 and PA-3400 Series firewalls only) Fixed an issue where the firewall displayed the error message Failed to parse pbf policy when you committed a configuration that included more than 8 Policy Based Forwarding (PBF) rules with symmetric return enabled.
    PAN-271490
    Fixed an issue on the firewall that caused the following error message to be displayed: frr_ns0: failed to stop child frr_ns0_ospf6d.
    PAN-271440
    Fixed an issue where PublicCloud Server certificate validation failed. Dest Addr: (null), Reason: self signed certificate in certificate chain generated as a high alert in the system log every 5 minutes.
    PAN-271438
    Fixed an issue where the firewall calculated available memory incorrectly on CENTOS devices, which caused the firewall to display high memory usage alerts even when sufficient memory was available.
    PAN-271436
    A CLI counter was added to indicate a full suppression queue.
    PAN-271412
    Fixed an issue where the character ( + ) in the authentication message prompt displayed incorrectly as #43; on the GlobalProtect client after upgrading to a PAN-OS 10.2 release.
    PAN-271301
    (VM-Series firewalls on Amazon Web Services (AWS) environments with GWLB integrated only) Fixed an issue where DNS queries timed out when overlay routing was enabled.
    PAN-271204
    Fixed an issue where performing a factory reset caused the firewall to enter a continuous boot loop due to a failure in generating the global.xml configuration file.
    PAN-271173
    Fixed an issue where the firewall displayed an incorrect maximum translated IP capacity when using DIPP NAT policy rules.
    PAN-271061
    Fixed an issue on the web interface where you were unable to add Threat IDs to Signature Exceptions.
    PAN-270747
    Fixed an issue where the show system statistics application CLI command failed.
    PAN-270554
    Fixed an issue where the GlobalProtect client (UWP) or metered hotspot connections triggered TLS resumption fo GlobalProtect portal authentication, which caused the portal authentication to fail with a valid cert required error.
    PAN-270493
    Fixed an issue where the Low free buffer limit output was not available.
    PAN-270323
    Fixed an issue where the firewall allowed cleartext web-browsing traffic on port 443 when the Security policy rule was configured to allow application: web-browsing with service: application-default.
    PAN-269913
    Fixed an issue threat reports were empty when generated from Panorama, but displayed correctly when generated from the firewall.
    PAN-269843
    Fixed an issue where the firewall dropped non-SYN TCP packets even when the Reject non-SYN TCP option was set to No when a session rematch was triggered.
    PAN-269716
    Fixed an issue where half-closed TCP sessions did not refresh the session timeout when continuously receiving data after setting the cfg.session.tcp-no-refresh-fin-rst option toTrue.
    PAN-269659
    Fixed an issue on the firewall where you were unable to configure more than 500 DHCP relay servers even though the supported limit was 4096.
    PAN-269535
    Fixed an issue where the mib ID returned an incorrect value via SNMP.
    PAN-269445
    Fixed an issue where the show user ip-user-mapping all option detail XML API command did not show the complete output.
    PAN-269342
    Fixed an issue where BGP aggregate routes with the AS-SET option enabled had incorrect AS paths.
    PAN-269303
    Fixed an issue where the CSV export of disabled applications included duplicate entries, which caused the count of disabled applications to be higher in the CSV export than on the web interface.
    PAN-269286
    Fixed an issue where the firewall did not query for an AAAA record when only IPv6 was enabled for the management interface.
    PAN-269228
    Fixed an issue where the all_task process stopped responding, which caused a split brain condition.
    PAN-269191
    (VM-Series firewalls only) Fixed an issue where the aggressive clean-up threshold for disk space was set to 95% in system monitor.
    PAN-269176
    Fixed an issue where the domain-edl column was empty in the threat log even when a threat was detected as a DNS alert.
    PAN-269155
    Fixed an issue where an OOM condition occurred, which caused processes to stop responding.
    PAN-269057
    Fixed an issue where the routed process stopped responding due to accessing freed memory from a hash table when the route vectors were resized. This occurred when a large number of static routes were configured.
    PAN-269051
    Fixed an issue where, when using WildFire Private Cloud, the system log displayed the error message tls-X509-validation.
    PAN-268922
    (PA-3220 firewalls in HA configurations only) Fixed an intermittent issue where the firewalls went out of sync after a configuration push from Panorama.
    PAN-268787
    Fixed an issue where users were unable to log in to Panorama and the following error message was displayed: Timed out while getting config lock. Please try again. This occurred when pushing configurations to a large number of devices.
    PAN-268680
    Fixed an issue where the configd process stopped responding when a configuration merge operation changed.
    PAN-268606
    Fixed an issue where GlobalProtect users with client certificates received an authentication failure message without entering a password and clicking connect or login.
    PAN-268597
    Fixed an issue where the firewall displayed 0 bytes received for GlobalProtect SSL sessions in the traffic logs.
    PAN-268569
    Fixed an issue where the web interface was slower than expected when logging in and filtering for policies.
    PAN-268522
    Fixed an issue where the firewall failed to connect to the update server with a customized service route when the source interface was set to MGT and the source address was set as IPv4.
    PAN-268426
    Fixed an issue where the firewall was unable to connect to a syslog server that used a TLS certificate without a subject key identifier.
    PAN-268425
    Fixed an issue where the execute show transceiver-detail all XML API command returned an incorrect value for the low temperature alarm threshold.
    PAN-268313
    Fixed an issue where the Priority Code Point (PCP) bits in the VLAN header were not reset to 0 when a packet was received from one Layer 3 tagged interface and forwarded to another, which resulted in dropped packets.
    To use this fix, run the CLI command set force-vlan-pcp-reset yes and reboot the firewall.
    PAN-268032
    Fixed an issue where importing a device configuration into Panorama failed with a validation error if the configuration included a shared gateways containing NAT/PBF rules.
    To use this fix:
    1. Enable the configuration. Commit failures may occur if the device is not able to support the number of objects.
    2. Export and push the device group only.
    3. Push the template.
    Note: This fix is supported on PAN-OS 10.2 and later releases.
    PAN-267936
    Fixed an issue where commits failed with a validation error when you changed the encryption level and re-encryption option on a Panorama managed firewall.
    PAN-267912
    Fixed an issue on the Panorama web interface where Application and Category was not able to be selected under Test Policy Match.
    PAN-267830
    Fixed an issue where the snmpd.log.old file continuously increased, which caused the root partition to become full.
    PAN-267614
    Fixed an issue where the Panorama web interface was slower than expected due to high CPU utilization on the mongodb process.
    PAN-267426
    (Firewalls in HA configuration only) Fixed an issue where the Network pre-negotiation enabled page did not display on the firewall dashboard.
    PAN-267381
    Fixed an issue where the firewall failed to upload a macOSX file if the file had a MIME boundary.
    PAN-267330
    Fixed an issue where the firewall dropped inbount RTP traffic after using Webex Screen Sharing due to the firewall removing the NAT cache when the predict timed out, which caused a new NAT to be established that conflicted with existing sessions. To use this fix, run the CLI command set system setting ctd h323_rtp_predict timeout <120-3600> to increase the timeout limit.
    PAN-267328
    Fixed an issue where the all_task process stopped responding, which caused the firewall to stop processing traffic.
    PAN-267117
    (VM-Series firewalls only) Fixed an issue where BGP route refreshes occurred when a commit was performed if AS Set was enabled for BGP aggregate routes.
    PAN-267045
    Fixed an issue on the firewall where ICMP ping loss occurred after installing a Network Processing Card (NPC) in slot 7.
    PAN-266971
    Fixed an issue where the firewall generated AAAA DNS queries when IPv6 firewalling was disabled.
    PAN-266905
    Fixed an issue where sessions ended with the message decrypt error in the logs for traffic that matched a no-decrypt policy.
    PAN-266698
    Fixed an issue where an email was able to be transferred to the destination MTA even when the firewall detected a suspicious file with a reset-bot action when it was encrypted by STARTTLS.
    PAN-266688
    Fixed an issue on the firewall where traffic matched a custom signature even if the custom signature was removed from the configuration.
    PAN-266589
    Fixed an issue where the firewall was unable to generate a tech support file when management server debug was disabled.
    PAN-266302
    Fixed an issue where OSPFv3 Link State (LS) update packets (type 9) were not fragmented properly, which caused the OSPF header to have an incorrect checksum when sent from the firewall. This occurred when the update packet size exceeded 1514 byte, which resulted in the peer device rejecting the packet and the neighbor relationship going down.
    PAN-265926
    (PA-3400 Series firewalls only) Fixed an issue where the all_task process stopped responding, which caused the firewall to reboot.
    PAN-265916
    Fixed an issue where double-clicking the login button returned the error message Login session expired.
    PAN-265782
    Fixed an issue on Panorama where, after you enabled multihop in a BFD profile, you were unable to disable it via the web interface.
    PAN-265686
    Fixed an issue where the GlobalProtect portal logged passwords in cleartext.
    PAN-264912
    Fixed an issue where the firewall did not shut down completely.
    PAN-264742
    Fixed an issue on Panorama where the dynamic address group IP addresses of the Kubernetes plugin or Prisma Cloud plugin for Secure Developer Environment were not displayed.
    PAN-264666
    Fixed an issue where the configd process restarted when pushing configurations to multiple device groups via XML API, which caused the push to fail.
    PAN-264570
    Fixed an issue where the maximum session limit for a vsys was 4,194,290.
    PAN-264538
    (VM-Series firewalls only) Fixed an issue where the all_task process stopped responding and a reboot was required.
    PAN-264131
    Fixed an issue where the routed process core failed the automation run.
    PAN-264040
    Fixed an issue where AAAA DNS queries went out even when IPv6 firewalling was disabled.
    PAN-263699
    PA-440 firewalls only) Fixed an issue where the firewall was unable to create more than 6 GlobalProtect gateways.
    PAN-263674
    (VM-Series firewalls in HA configurations only) Fixed an issue where the firewall rebooted due to multiple HA failovers.
    PAN-263544
    Fixed an issue where management plane CPU usage increased after upgrading when there was a full-mesh User-ID redistribution configuration between multiple firewalls.
    PAN-263504
    Fixed an issue where exporting managed device information from Panorama in CSV format included extraneous characters.
    PAN-263270
    Fixed an issue where, after a commit was performed from Strata Cloud Manager, the SD-WAN configuration containing BGP routes did not display on the hub firewall.
    PAN-263052
    Fixed an issue where the request logdb migrate-to-panorama start end-time <start-time> <type> CLI command did not work as expected, and you were unable to resend logs from a firewall to Panorama or a log collector.
    PAN-262599
    Fixed an issue where the firewall displayed incorrect policy cache usage and configuration memory usage during a commit, which caused the configuration commit to fail with a CONFIG_UPDATE_START error. This occurred when a large number of External Dynamic Lists (EDLs), shared addresses, and policy rules were configured.
    PAN-262521
    Fixed an issue where imported certificates were not visible on firewalls with multi-vsys disabled.
    PAN-262278
    Fixed an issue where the service route setting for HTTP was not applied when the source interface IP address was set via an address object, which caused HTTP traffic to be sent from the management interface.
    PAN-262043
    Fixed an issue where Voice over WiFi (VoWiFi) stopped working after switching from a PA-5200 Series firewall to a PA-7500 Series firewall in NGFW clustering mode with NATT IPSec Passthrough and NAT policy enabled. To use this fix, enter the CLI command show tunnel-acceleration, disable tunnel acceleration, and reboot the PA-7500 Series firewall.
    PAN-261936
    Fixed an issue where WildFire submission logs were not displayed when filtered by Sender Address.
    PAN-261602
    Fixed an issue where GlobalProtect Decryption logs were not forwarded to Panorama.
    PAN-260879
    Fixed an issue where the Panorama port 28270 did not adhere to the restricted TLS version and ciphers set in the Secure Communication Settings.
    PAN-260790
    Fixed an issue where the bytes transmitted and packet transmitted counters for hardware interfaces incorrectly displayed as 0 after a restart of slot-1.
    PAN-260752
    Fixed an issue where the firewall did not support TLSv1.3 in the Clientless VPN, which caused the portal page to not load.
    PAN-260661
    Fixed an issue where daily email reports generated from the custom report did not display the report details in PDF or CSV files.
    PAN-260581
    Fixed an issue where Panorama template changes to the zone and virtual router were not pushed to managed firewalls when the template stack default virtual system was set to None.
    PAN-260540
    Fixed an issue where task-debug logs remained on the debug level even after running the debug dataplane packet-diag set log off CLI command, which caused high dataplane CPU utilization.
    PAN-260330
    Fixed an issue where Panorama was unable to generate PDF reports when the footer contained a GIF image.
    PAN-259998
    (M-600 Appliances only) Fixed an issue where log collectors in a cluster stopped responding when running high load tests.
    PAN-259741
    Fixed an issue where the firewall dropped GRE keepalive packets that were encapsulated under another GRE tunnel.
    PAN-259343
    Fixed an issue on the Panorama web interface where the Configuration tab did not accurately display changes made to URL filtering profiles.
    PAN-259284
    Fixed an issue where IPv4 BGP routes were not included in the routing table or FIB of a virtual router when ECMP was configured with more than two next hops.
    PAN-259091
    Fixed an issue where the CLI command show user ip-user-mapping-mp all displayed the total timeout value instead of the current timeout value when the set cli op-command-xml-output on CLI command was used.
    PAN-258912
    (PA-7000b firewalls only) Fixed an issue where the firewall web interface displayed an incorrect HSM client version when the client was upgraded to version 7.2.0.220.
    PAN-258456
    Fixed an issue where not all IP-TAG logs were forwarded to Log Collectors.
    PAN-258039
    Fixed an issue where the firewall displayed the incorrect rule name when a threat log was generated for Inline Cloud Analyzed CMD Injection Traffic Detection.
    PAN-257638
    Fixed an issue where the firewall dataplane stopped responding, which caused BGP flaps between hubs and branches.
    PAN-257616
    Fixed an issue where selective push operations from Panorama to managed firewalls failed with the error message Failed to generate selective push configuration. Schema validation failed. Please try a full push.
    PAN-257362
    Fixed an issue where GlobalProtect traffic destined for the internet did not follow the path-based forwarding (PBF) rule and was sent out the wrong interface.
    PAN-257195
    (PA-5400 Series firewalls only) Fixed an issue where the mp-monitor logs did not print disk SMART data.
    PAN-257074
    Fixed an issue on the Panorama web interface where the template sync status showed Out-of-Sync for managed devices after a combined commit-all operation. This occurred due to Panorama sending the default MD5 sum of the template to the firewall instead of the correct MD5 sum.
    PAN-256560
    Fixed an issue where exporting a Custom Report to CSV format did not display the full report if it contained non-ASCII characters.
    PAN-256552
    Fixed an issue where the logrcvr stopped responding, which caused the firewall to restart.
    PAN-256138
    (VM-Series firewalls only) Fixed an issue where firewalls with a DNS server IP address received by DHCP from Amazon Web Services (AWS) had a delay in resolving FQDNs after a reboot.
    PAN-255860
    (PA-5200 firewalls only) Fixed an issue where the all_pktproc process stopped responding when the firewall was under a heavy traffic load.
    PAN-255806
    Fixed an issue on Panorama where the ACC report for URL categories displayed inconsistent results for the same time range when run daily.
    PAN-255654
    Fixed an issue where, when QoS was enabled on aggregate interfaces, the maximum aggregate interface throughput was capped, which limited network traffic. This occurred even with default QoS settings and no configured egress max-bandwidth.
    PAN-255547
    Fixed an issue where commits failed when importing configurations to a device with a non-default master key.
    PAN-255282
    (PA-450 firewalls in HA configurations only) Fixed an issue where the firewall remained in an active state and all traffic stopped until a failover to the passive firewall was performed.
    PAN-255253
    Fixed an issue where the firewall did not establish a syslog connection to the probe VM syslog server in ADEM Regressions.
    PAN-255190
    Fixed an issue where the TCP timeout value was reflected incorrectly when using application override for a custom application in TAP mode.
    PAN-255025
    Fixed an issue where the show session cache all CLI command failed with the error message Server error : An error occured. See dagger.log for information.
    PAN-254946
    Fixed an issue where the firewall HA2 keep-alive went down multiple times without a specific reason.
    PAN-254875
    (PA-410 firewalls only) Fixed an issue where the firewall rebooted unexpectedly due to multiple all_task process restarts.
    PAN-254297
    Fixed an issue where the show pbf rule name <name> CLI command failed.
    PAN-253778
    (PA-7500 Series firewalls in a cluster configuration only) Fixed an issue where users were able to enable or disable certain configurations.
    PAN-253187
    (PA-5450 firewalls only) Fixed an issue where the class of service (CoS) priority bit was not modified, causing access points to lose connectivity to the wireless controller when traffic was routed through the firewall.
    PAN-252706
    Fixed an issue where the URL filtering response page for Continue and Override did not work with IPv6 Router Advertisement (RA) or Multicast Listener Query (MLQ) for IPv6-to-IPv6 and IPv6-to-IPv4 traffic.
    PAN-252699
    Fixed an issue where frequent session failures occurred due to CTD resource exhaustion.
    PAN-251442
    Fixed an issue where the firewall rebooted into maintenance mode if the authentication process restarted repeatedly.
    PAN-250048
    Fixed an issue where applications did not load via the Clientless VPN portal when the portal was hosted on an L3 VLAN interface.
    PAN-250043
    Fixed an issue where, on an NGFW cluster node, operations failed when QoS interfaces were configured with an egress max that exceeded 68,000 Mbps.
    PAN-249574
    Fixed an issue where selective pushes failed due to a missing log collector reference.
    PAN-249194
    Fixed an issue where SaaS quality profile probes were dropped on the SD-WAN hub.
    PAN-248148
    Jumbo frame feature support is enabled.
    PAN-247141
    Fixed an issue where DNS traffic did not match the intended SD-WAN policy rule when NAT was enabled.
    PAN-243335
    Fixed an issue on the Panorama web interface where you were unable to add static IPv6 address entries to a logical router in a cluster template stack.
    PAN-242777
    Fixed and issue where users previously reported limitations due to session count caps when utilizing Web Proxy features on PA-5400 Series Firewalls. To address these performance complaints and support higher traffic volumes, we have increased the maximum session capacity on specific PA-5400F series platforms, leveraging available system memory. This update ensures greater capacity and stability for high-volume environments.
    The supported session limits are:
    PlatformMax Sessions
    PA-541095K
    PA-542095K
    PA-543095K
    PA-5440225K
    PA-5445250K
    PAN-241953
    Fixed an issue where the firewall did not have a heartbeat mechanism for the authd process, which caused the firewall to become unresponsive if the authd process stopped responding.
    PAN-241694
    Fixed an issue where memory leaks related to the devsrvr process occurred when downloading and pushing updates from the App-ID Cloud Engine to the dataplane.
    PAN-241230
    Fixed an issue where the SNMP get request status value for Panorama connections was incorrect.
    PAN-238208
    Fixed an issue where the firewall API returned inconsistent responses to a failed call using a valid API key. With this fix, the firewall returns the error Session is invalid if the session is not available for the cookie.
    PAN-234993
    Fixed an issue where CPU base gateway auto-scaling failed, which caused performance issues.
    PAN-221137
    Fixed an issue where the CLI command to set the target virtual system accepted a non-existent virtual system name, and the CLI prompt incorrectly changed to the non-existent virtual system.
    PAN-216770
    Fixed an issue where, when a firewall was managed by Strata Cloud Manager and configured to use a proxy server for external connections, the management server did not use the configured settings to connect to the Cloud Management service.

    © 2026 Palo Alto Networks, Inc. All rights reserved.