Fixed an issue where external dynamic list (EDL) objects lost IP addresses and returned 0.0.0.0 when two or more EDL objects used in a security policy referenced the same source URL.

Fixed an issue on firewalls in an HA active/passive configuration where, if you enabled LACP pre-negotiation, the egress interface on the passive firewall transmitted packets that should have been filtered, which caused packet loss when neighboring switches incorrectly forwarded traffic to the passive firewall. With this fix, the passive firewall correctly filters egress traffic.

Fixed an issue where User-ID group mapping did not retain groups retrieved from Active Directory (AD) servers if there were any invalid groups in the group-mapping include list.

Fixed an issue where the web interface displayed 24 ports instead of 14 ports for the PA-7000-20GQXM-NPC network processing card.

Fixed an issue on PA-7000 Series firewalls where forwarding to WildFire failed due to an incorrect calculation of file size.

Fixed an issue where the dataplane restarted due to a corruption in the QoS queue pointer.

Fixed a rare condition where a dataplane process (all_pktproc) stopped responding.

Fixed an issue in PAN-OS 7.1.6 where SSL sessions were discarded if the server certificate chain size exceeded 23KB.

Fixed an issue where the management interface and HA interfaces flapped during installation of a software upgrade, which caused HA failover or split brain.

Fixed an issue on firewalls in active/active configuration where a newly created BFD profile disappeared after you performed a commit operation on either of the peers.

Fixed an issue where latency intermittently spiked over 3ms for IPSec traffic. With this fix, the conditions that contributed to latency spikes are addressed.

Fixed an issue where a memory leak occurred on a process (authd) after each commit, which caused restarts of another process (mgmtsrvr) and affected access to the web interface.

Fixed an issue on Panorama virtual appliances where a process (configd) experienced high memory usage and stopped responding, which caused commits to fail.

Fixed an issue where Panorama did not update the names of log forwarding profiles and zone protection profiles in a template stack after renaming, which caused failures when pushing the configuration to devices.

Fixed an issue where the CLI command test custom-url did not return the correct custom category.

Fixed an issue where TCP sequence numbering shifted when the firewall performed a decrypted session tear down in the case of a fatal alert.

Fixed an issue on PA-7000 Series firewalls where internal looping of tunnel creation packets caused high dataplane CPU usage.

Fixed an issue on Panorama where traffic logs retrieved by XML API query displayed IP addresses with subnet notation instead of full IP addresses. This issue occurred when the administrator using the query had a custom privacy configuration in the web interface that had

Show Full IP Addresses

disabled.

Fixed an issue where policy-based forwarding (PBF) symmetric return traffic enforcement failed intermittently because return MAC address entries aged-out prematurely. With this fix, the firewall enforces symmetric return even when PBF return MAC entries age out.

Fixed an issue where the management server process stopped responding when a

Commit All

job was initiated from Panorama, which prevented managed devices from reporting the commit job status back to Panorama. As a result, the commit job appeared stalled in Panorama even after commits were successfully completed on the managed devices.

Fixed an issue where the Global Find window was grayed-out and non-functional if you accessed it from the Browse link when configuring an address object in a security policy.

Fixed an issue where a User-ID redistribution loop caused high management plane CPU usage. This issue occurred when the User-ID redistribution configuration included three or more firewalls, and the firewall encountered the same IP address and timestamp for different users.

Fixed an issue where the firewall incorrectly identified BGP traffic as traceroute traffic, causing the wrong policy to be applied to the traffic.

Fixed an issue where locally created certificates had duplicate serial numbers because the firewall did not check the serial numbers of existing certificates signed by the same CA when generating new certificates.

Fixed an issue where the firewall failed to send a TCP reset (RST) to the client-side and server-side devices when an application had a reset-both deny action in its security policy.

Fixed an issue where Panorama allowed you to configure a decryption type on No Decrypt policies. When Panorama pushed these policies to firewalls, it set the decryption type to the default value SSL Forward Proxy. With this fix, when you select No Decrypt as a policy rule action, Panorama disables configuration of the decryption type.

In response to an issue where LACP flapped intermittently due to negotiation failures, priority for LACP processing is enhanced to mitigate flapping, and additional debug options are added to help isolate negotiation failures.

Fixed an issue where purged software packages appeared in the list of uploaded software packages. With this fix, the software list will no longer display purged software packages.

Fixed an issue where Online Certificate Status Protocol (OCSP) verification failed when using non-CA certificates. With this fix, you can configure a non-CA certificate as an OCSP Verify certificate (Device > Certificate Management > Certificates Profile > Add). Note that if you use a non-CA certificate and then downgrade to a PAN-OS release that does not include this fix, auto-commits will work, but manual commits will fail.

Fixed an issue where IPSec VPN tunnels failed to establish if you used dynamic VPNs and mixed IKEv1 and IKEv2 on the static device.

Fixed an issue where the hostname obtained from a Panorama template for a firewall reverted to the default hostname. This issue occurred after the management server process on the firewall (mgmtsrvr) restarted following an event such as a PAN-OS update or firewall restart.

Fixed an issue where PDF exports of custom reports generated using Run Now did not display hostnames obtained from reverse DNS lookup.

Fixed an issue where IPSec tunnels flapped randomly because a race condition between two processes (mprelay and pan_task) caused duplicate tunnel monitoring ICMP packets with the same sequence numbers to be sent, which disrupted IPSec tunnel state.

Fixed an issue where the management server process (mgmtsrvr) had an out-of-memory condition and restarted, causing a loss of uncommitted changes.

Fixed an issue on Panorama in an HA configuration where synchronization failed after a commit with the message, Committing mgt settings failed. Could not read merged running config from file. This issue occurred when WildFire updates created a race condition with HA synchronization.

Fixed an issue where the top half of text lines failed to display correctly in the PDF version of the App Scope Threat Monitor Report (Monitor > App Scope > Threat Monitor).

Fixed an issue where a custom role administrator who had threat log viewing privileges disabled could view threat logs in the Unified log view.