Fixed an issue where the Panorama Log Collectors did not receive some firewall logs and took longer than expected to receive all logs when a Collector Group had spaces in its name.

Fixed an issue where PA-7000 Series firewalls rebooted continuously because the brdagent process stopped responding during bootup due to HSCI interface initialization.

Fixed an issue on the Panorama™ virtual appliance where the NFS mount failed during system bootup.

Fixed an issue where the Panorama management server did not push default Security policy rule settings (PoliciesSecurityDefault Rules) to firewalls when the settings were inherited from a parent device group.

Fixed an issue where firewalls rebooted continuously because the routed process stopped responding after the Panorama management server pushed invalid configurations to the firewalls. With this fix, Panorama performs an additional sanity check during push operations that causes the operations to stop with errors instead of making routed unresponsive.

Fixed an issue where the firewall intermittently dropped traffic after failing to decrypt it due to proxy memory depletion.

Fixed an issue where, after an administrator with the read-only superuser role changed his or her password and then an administrator with the superuser role performed a partial commit, neither administrator could authenticate to the firewall.

Fixed an issue on firewalls in an active/active high availability (HA) configuration where the primary firewall, with a floating IP address bound to it, sent ARP probes containing the MAC address of the secondary firewall instead of the primary. Sending ARP probes with the incorrect MAC address caused the secondary firewall to drop traffic.

Fixed an issue where firewalls in an HA configuration did not map IP addresses to the usernames of GlobalProtect™ end users because the User-ID™ manager (idmgr) on the active firewall continuously reset after reaching its maximum capacity for User-ID information (such as user mappings and group mappings).

Fixed an issue on VM-Series firewalls in an HA configuration where HA path monitoring failed and triggered failover.

Fixed an issue where the firewall failed to generate reports based on URL Filtering logs due to a syntax error when the logs contained single quotation mark characters (').

Fixed an issue where a Panorama management server in an HA configuration became unresponsive after initiating HA synchronization.

Fixed an issue on the Panorama management server where the web interface displayed a 502 badgateway error and the configd process stopped responding after you selected the more option for a dynamic address group in a Security policy rule (PoliciesSecurity<rule_type><rule>Source/Destination).

Fixed an issue where FQDN refresh operations produced a Not Resolved error because the DNS proxy engine incorrectly stopped converting ASCII encoded characters at the second-last character instead of the last character.

As an enhancement to PA-5200 Series firewalls, you can now disable or enable (default) L4 checksum checking by running the new set system setting layer4-checksum {disable | enable} CLI command and then rebooting the firewall. Disabling the checking enables the firewall to allow packets it would otherwise drop when some wireless access points add a VSS-monitoring Ethernet trailer (6 bytes) to HTTP request packets.

Fixed an issue where firewall performance degraded because ICMP ping packets associated with static route monitoring caused a hardware buffer leak.

Fixed an issue where session offloading failed because offloaded packets related to Policy-Based Forwarding (PBF) used the incorrect PBF return MAC address.

Fixed an issue where firewalls did not refresh FQDN objects during the initial boot-up phase of the bootstrapping process.

Fixed an issue where firewalls that had ECMP and session offloading enabled sent offloaded traffic to the incorrect next hop.

Fixed an issue where root partition utilization approached the maximum capacity because the firewall did not remove WildFire® download logs that were due for removal.

Fixed an issue where SNMP managers did not display object identifiers (OIDs) for the Ethernet1/3, Ethernet1/4, and Ethernet1/5 interfaces of M-500 appliances.

Fixed an issue where a Panorama management server in an HA configuration generated group mapping synchronization errors because the passive HA peer did not verify whether the Enable reporting and filtering on groups option was disabled (PanoramaSetupManagement: Panorama Settings).

As an enhancement for GlobalProtect gateways, you can now add up to 100 DNS suffixes instead of 10 for resolving the unqualified hostnames of GlobalProtect clients (NetworkGlobalProtectGateways<gateway>AgentNetwork Services).

Fixed an issue where running the clear session all filter source CLI command eleven or more times simultaneously caused Bidirectional Forwarding Detection (BFD) flapping.

Fixed an issue where the firewall dataplane slowed significantly and, in some cases, stopped responding if you used nested wildcards (*) with "." or "/" as delimiters in the URLs of a custom URL category (ObjectsCustom ObjectsURL Category) or in the Allow List of a URL Filtering profile (ObjectsSecurity ProfilesURL Filtering<URL-filtering-profile>Overrides). With this fix, the firewall does not allow you to use nested wildcards in such cases. For details, see how Nested Wildcard in URLs May Severely Affect Performance.

Fixed an issue where the Panorama management server displayed more policy rules than were applicable to the targeted Device when you selected to Preview Rules.

Fixed an issue on firewalls configured as DHCP servers and deployed in an HA configuration where, after HA failover, commits failed and the following error message displayed: Managementserver failed to send phase 1 to client dhcpd.

Fixed an issue where firewalls that had tunnel inspection enabled for GTP-U traffic did not generate END entries in Tunnel Inspection logs after the GTP-U sessions cleared.

As an enhancement to improve security for GlobalProtect deployments, the GlobalProtect portal now includes the following HTTP security headers in responses to end user login requests: X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy.

Fixed an issue on firewalls with multiple virtual systems where SSL decryption failed when you installed the Forward Trust Certificate in a specific virtual system instead of in the Shared location.

Fixed an issue on PA-7000 Series and PA-5200 Series firewalls with NetFlow monitoring configured where dataplanes restarted because too many processes stopped responding.

Fixed an issue where switching firewalls to FIPS-CC mode set the Base DN to None and disabled the Verify Server Certificate for SSL sessions option for LDAP server profiles that you viewed or edited in the web interface (DeviceServer ProfilesLDAP).

Fixed an issue where the Panorama management server stopped communicating with firewalls when the incoming log rate from firewalls exceeded the capacity of the Panorama buffers.

Fixed an issue where, after the Panorama management server pushed configurations to a firewall, the firewall restarted because its cordd process stopped responding.

Fixed an issue where firewalls in an active/active HA configuration enforced user-based policies inconsistently because port-to-username mappings did not synchronize between the primary and secondary HA peers.

Fixed an issue where the firewall rebooted repeatedly because the User-ID process (useridd) stopped responding after you committed a mobile device management (MDM) configuration that failed to connect the firewall to the MDM (NetworkGlobalProtectMDM).

Fixed an issue where pushing a custom application named http or smb (ObjectsApplications) from the Panorama management server to firewalls interfered with antivirus detection on the firewalls.

Fixed an issue where the firewall intermittently misidentified the App-ID for SSL applications. This issue occurred when a server hosted multiple applications on the same port, and the firewall identified traffic for an application using this port on the server and then inaccurately recorded other applications on this server-port combination as the previously identified application. The fix requires running the set application use-appid-cache-ssl-sni no CLI command to disable the SSL-based App-ID cache.

Fixed an issue where, on a firewall configured to collect username-to-group mappings from multiple LDAP servers over SSL/TLS-secured connections (DeviceServer ProfilesLDAP), the firewall rebooted because the User-ID process (useridd) restarted several times during initialization.

Fixed an issue on PA-7000 Series firewalls where the logrcvr process had a memory leak.

Fixed an issue on the Panorama management server where, after you pushed device group settings without template settings to managed firewalls, Panorama excluded template files when you used the scp export device-state CLI command to export configurations.

Fixed an issue where the VM-500 firewall stopped generating GTP logs when the session table reached 75% utilization.

Fixed an issue where the WF-500 appliance sent ICMP unreachable messages from the VM Interface to the Management interface.

Fixed an issue where SaaS Application Usage reports did not Include logs from the Selected Zone that you specified when configuring the report (MonitoringPDF ReportsSaaS Application Usage).

Fixed an issue where firewalls generated System logs with cipher decrypt-final failure messages after switching from normal operational mode to FIPS-CC mode.

Fixed an issue where a Panorama virtual appliance in Legacy mode that was deployed in an HA configuration did not receive logs forwarded from PA-7000 Series and PA-5200 Series firewalls.

Fixed an issue on the Panorama management server where the Task Manager closed when you set the Show drop-down to All jobs after a CommitCommit and Push operation generated errors and warnings.

Fixed an issue where commits failed because the routed process did not delete DHCP-assigned IP addresses that you removed from firewall interfaces.

Fixed an issue where the Panorama web interface displayed serial numbers instead of device names when you scheduled an update to install on firewalls or Log Collectors, set the Type to Applications and Threats, and set the Recurrence to Hourly or Every 30 mins (PanoramaDevice DeploymentDynamic UpdatesSchedules<schedule>).

Fixed an issue where Android endpoints could not establish VPN tunnels to GlobalProtect gateways that you configured to Enable X-Auth Support (NetworkGlobalProtectGateways<gateway>Agent<agent>Tunnel Settings). With this fix, GlobalProtect gateways use SHA1 first in the order of HMAC algorithms used for authenticating endpoints that use X-Auth.

Fixed an issue where the firewall rebooted because the User-ID process (useridd) stopped responding after you performed clone or shutdown operations on VMware vCenter.

Fixed an issue where, after you downgraded from PAN-OS® 8.0 to PAN-OS 7.1, firewalls without direct internet access did not display software images in the web interface (DeviceSoftware) or CLI regardless of whether you downloaded the images from the Palo Alto Networks® Update Server (at an earlier time when the firewalls had internet access) or manually uploaded the images from another system.

Fixed an issue where attempting to commit a configuration that was invalid because different interfaces had overlapping subnetworks produced a commit error message that indicated duplicate IP addresses instead of the actual error condition.

Fixed an issue where VM-Series firewalls on NSX failed to install content updates retrieved from the Panorama management server.

Fixed an issue where PA-220 firewalls did not provide an SNMP object identifier (OID) for system disk usage.

Fixed an issue on the Panorama management server where configuring a PanoramaScheduled Config Export based on FTP but with some fields unpopulated caused Panorama to use its default local host certificate instead of the SSL/TLS Service Profile for administrative access to the web interface (PanoramaSetupManagement).

Fixed an issue where the test vpn ipsec-sa tunnel<tunnel-name>:<proxy-id-name> CLI command failed when the tunnel Name and Proxy ID values collectively exceeded 32 characters (NetworkIPSec Tunnels<tunnel>Proxy IDs). With this fix, the firewall allows 64 characters for the combined Name and Proxy ID values.

Fixed an issue on VM-Series firewalls in Data Plane Development Kit (DPDK) mode where the all_task, mprelay, and pan_dha processes stopped responding.

Fixed an issue where the show predefined xpath /predefined/threats CLI command did not displays threat identifiers.

Fixed an issue where the Panorama management server did not display logs from PA-5000 Series or PA-7000 Series firewalls, did not display scheduled reports that included IP address fields, and did not email those reports.

Fixed an issue on PA-200, PA-220, and PA-800 Series firewalls where specifying a Life Time for a master key (DeviceMaster Key and Diagnostics) caused the key expiration and reminder dates to have incorrect values.

Fixed an issue where the tftp export stats-dump CLI command failed to generate a Stats Dump file and displayed the following error: Failed to redirect error to /var/log/pan/report_gen.log(Permission denied).

Fixed an issue on M-Series appliances, PA-7000 Series firewalls, and PA-5000 Series firewalls where the disk-failed, disk-faulty, and pair-disappeared RAID events had only a medium severity level in System logs. With this fix, these events have a critical severity level.

Fixed an issue where administrators with the device administrator role did not have the role privileges required to run the scp import software CLI command.

Fixed an issue where a Panorama management server deployed behind a NAT device could not manage firewalls running PAN-OS 8.0. With this fix, you must run a new operational mode CLI command on a Panorama management server that is behind a NAT device, runs PAN-OS 8.0 or a later release, and manages firewalls running PAN-OS 8.0 or a later release. The CLI command is set dlsrvr server <FQDN>, where <FQDN> is the FQDN of the Panorama Management interface.

Fixed an issue where endpoints could not authenticate to a GlobalProtect portal through client certificate authentication due to an incorrect certificate status when the portal used a Certificate Profile that specified Online Certificate Status Protocol (OCSP) to validate certificates (NetworkGlobalProtectPortals<portal>Authentication).

Fixed an issue on a Panorama management server in an HA configuration where, in rare cases, the virtual machine (VM) auth key disappeared after you rebooted the active HA peer.

Fixed an issue where the show system state filter-pretty sw.dev.interface.config CLI command did not display the MAC address (hwaddr) or maximum transmission unit (mtu) for aggregate Ethernet interfaces.

As an enhancement to enable comparing SNMP output with CLI output for the rate of interface connections established per second (CPS), the show counter interface CLI command displays the following new counters: TCP CPS, UDP CPS, and other CPS (for all non-TCP and non-UDP connections).

Fixed an issue where the firewall displayed error messages such as the following after bootup even though bootup succeeded: Error: sysd_construct_sync_importer(sysd_sync.c:328):sysd_sync_register() failed: (111) Unknown error code.

Fixed an issue where the GlobalProtect portal did not comply with HTTP Strict Transport Security (HSTS) when redirecting users from HTTP to HTTPS upon accessing the portal login page. With this fix, HSTS is enabled to secure the redirect to HTTPS, the portal requires a valid server certificate, the endpoint browser displays a warning to users with invalid client certificates who access the login page using an IP address instead of an FQDN, and you cannot use the same FQDN for both the login page and firewall Management interface.

Fixed an issue where VM-Series firewalls on NSX prevented client-server TCP sessions from closing at the correct time when you configured a reset Action in Security policy rules (PoliciesSecurity<rule>Actions).

Fixed an issue where firewalls in an active/active HA configuration sent packets out of order.

Fixed an issue where you could not set the QoS Egress Max to more than 16,000 Mbps for an aggregate Ethernet interface (NetworkQoS<interface>Physical Interface). With this fix, you can set the QoS Egress Max to a maximum of 60,000 Mbps.

Fixed an issue where VM-Series firewalls did not apply NAT translation to the ports in the via and contact headers of Session Initiation Protocol (SIP) sessions after you enabled Dynamic IP and Port (DIPP) NAT.