Fixed an issue where a firewall in FIPS mode running PAN-OS 8.1.18 or a later version failed to connect with a WildFire appliance in normal mode.

Fixed an issue where an intermittent error while analyzing signed PE samples on the WildFire appliance might have caused analysis failures.

(WF-500 appliance only) Fixed an issue where cloud inquiries were logged under the SD-WAN subtype.

Fixed an issue where the User-ID connection limit was reached even when only a few User-ID agents were connected to the service.

Fixed an issue where a race condition occurred and caused a process (useridd) to restart.

Fixed an intermittent issue where processing HIP messages in the (useridd) process caused a memory leak.

Fixed an issue with SD-WAN path selection logic that caused a dataplane to stop responding.

Fixed an issue on Amazon Web Services (AWS) Gateway Load Balancer (GWLB) deployments with overlay routing and cross-zone load balancing enabled where packets were forwarded to the incorrect GWLB interface.

Fixed an issue in a high availability (HA) configuration where, when one firewall was active and its peer was in a suspended state, the suspended firewall continued to send traffic, which triggered the detection of duplicate MAC addresses.

Fixed an issue memory usage consumption issue on a process (useridd).

Fixed an issue in Telemetry settings where the OK button was disabled when Telemetry Region was set to None.

Fixed an issue where, when a partial Preview Change job failed, a process (configd) stopped responding.

Fixed an issue with the google-docs-uploading application that occurred if a Security policy rule was applied to a Security profile and traffic was decrypted.

Fixed an issue where the data redistribution agent and the data redistribution client failed to connect due to the agent not sending a SSL Server hello response.

Fixed an issue where SD-WAN SaaS monitoring traffic was incorrectly dropped by a Security policy that included a deny rule.

Fixed an issue where PAN-DB URL cloud updates failed because a process (devsrvr) did not fetch serial numbers, which prevented the PAN_DB URL cloud from connecting after first deployment.

Fixed an intermittent issue where packet pointer corruption occurred, which resulted in a dataplane restart.

Fixed an intermittent issue where traffic falsely matched a converted Suricata rule.

Fixed a rare issue where generating a tech support file caused the useridd process to stop responding.

Fixed an issue where, after a pan_comm process restart, the configuration wasn't synced between the management and the dataplane pod.

Fixed an issue where the management CPU remained at 100% due to a large number of configured User-ID agents.

Fixed an issue where, when a maximum session count was configured, the SD-WAN plugin caused commit failures on Panorama.

Fixed an issue where, when a client or server received partial application data, the record was partially processed by legacy code. This caused decryption to fail when a decryption profile protocol was set to a maximum of TLSv1.3.

Fixed an issue on Panorama where, after an upgrade to a PAN-OS 10.0 release version, a configuration pushed to firewalls running on PAN-OS 9.1 failed during an autocommit with the following error message: Need to config WMI account and password for querying Microsoft directory servers.

Fixed an issue where, when an MLAV URL with an exception list was configured and forward proxy was enabled, a process (all_pktproc) repeatedly restarted, which resulted in the firewall rebooting.

Fixed a timing issue between downloading and installing threads that occurred when Panorama pushed content updates and the firewall fetched content updates simultaneously.

Fixed an issue related to a process (all_pktproc) that occurred in long-lived sessions that spanned two content upgrades.

Fixed an issue where users connecting to the US East gateway encountered a delay in DNS responses.

Fixed an issue where large External Dynamic Lists (EDLs) caused commit issues due to a hard limit being reached.

Fixed an issue where commits failed and generated pan_comm SIGSEGV CORE files.

(VM-Series firewalls on Microsoft Azure only) Fixed an issue where, when a second disk was added, /opt/panlogs was mounted on an incorrect partition.

Fixed a configuration management issue that resulted in a process (ikemgr) failing to recognize changes in subsequent commits.

Fixed an issue where a configd process memory corruption occurred when Panorama was exposed to multiple XML API calls on Dynamic Address Groups updates.

Fixed an issue where session failed due to resource unavailability.

Fixed an issue where a process (configd) restarted when browsing policies on Panorama.

In 10.0.x Query Traffic log option is missing for Address groups under source and destination in the security policy tab

(PA-7000 Series firewalls with NPCs only) Fixed an issue where path monitoring failure occurred while hot inserting a 100G NPC (network processing card) into the firewall.

Fixed an issue where an unavailable certificate revocation list (CRL) from the server side caused an infinite loop on a process (sslmgr), which resulted in it not responding for other tasks.

Fixed an issue where log queries that included a username did not return with any output.

Fixed an issue in an HA active/active configuration where an administrative shutdown message was not sent to the BGP peer when the firewall went into a suspended state, which delayed convergence.

Fixed an issue where the multi-factor authentication (MFA) Challenge message did not display during login when the GlobalProtect portal was accessed by the web browser.

Fixed an issue where the handover handling between LTE and 3G on S5 and S8 to Gn/Gp was not working properly and led to stateful inspection failures.

Fixed an issue where, when default interzone and intrazone Security policy rules were overwritten, the rules did not display hit counts.

Fixed an issue where tunnel monitoring in the Large Scale VPN (LSVPN) displayed as down in both the CLI and the web interface due to incorrect dataplane ownership.

Fixed an issue where DHCP leases were not properly synchronized between HA peers after a device or dhcpd process restart. With this fix, the DHCP lease details display correctly on both the active and the passive device.

Fixed an issue on Panorama where a commit failed with the following error message: Local-AS number does not fit in 2-byte AS format, even though the AS format was set to 4 bytes.

(VM-Series firewalls only) Fixed an issue where the firewall rebooted into maintenance mode after installing a capacity license in FIPS-CC mode.

Fixed an issue where an out-of-memory (OOM) condition occurred due to a memory leak related to a process (logrcvr).

Fixed an issue where, when using the CLI or API, configurations for policy rule services or applications that either used custom settings and default settings together, or used multiple default settings together, successfully commit instead of failing or displaying a warning.

Note To use this fix, you must delete previous application or service settings in the configuration.

Fixed a memory issue for Large Scale VPN with multiple dataplane systems.

Fixed an issue where the firewall truncated the application name when doing a NetFlow export to the NetFlow analyzer.

Fixed an intermittent issue where the presence of an Anti-Spyware profile in a Security policy rule that matched DNS traffic caused DNS responses to be malformed in transit.

Fixed an issue where, after upgrading to a PAN-OS 10.0 release version, a commit failed due to an admin-role-related validation error that displayed the following message: device unexpected here.

Fixed an issue where the login banner was not aligned properly when it contained multiple sequential whitespaces.

Fixed an issue where, when the GlobalProtect client sent UDP/4501 traffic that was destined for the GlobalProtect gateway inside the GlobalProtect tunnel, the firewall still processed the traffic, which caused routing loops.

Fixed an issue where a core dump occurred on a process (flow_ctrl) after a commit if a policy-based forwarding (PBF) rule referenced an interface that had a DHCP IP address assignment.

Fixed an issue where predict session didn't update the associated rules when Security policies shifted after a commit.

The following CLI commands were added to enable the customer to set the dataplane utilization limit. The default setting is the recommended value of 500; a value of 0 removes dataplane CTD limits: -debug dataplane show ctd wildfire max -debug dataplane set ctd wildfire max <0-5000>

Fixed an issue in Panorama where an administrator with the role of Panorama administrator did not have the option to download or install GlobalProtect clients (Panorama > Device Deployment > GlobalProtect).

Fixed an issue where the metadata from the firewall's authentication profile was unable to export. This issue occurred when the authentication profile and the SAML Identity Provider sever profile were created with VSYS in the Locationand were pushed from Panorama template stack values. To utilize this fix, you must upgrade both Panorama and the firewall.

Fixed an issue where the Multiprotocol Label Switching (MPLS) interface wasn't monitored when private traffic wasn't VPN encapsulated.

Fixed an intermittent issue where importing a new firewalls configuration into Panorama failed due to conflicting virtual system (vsys) names, even when the Device Group Name Prefix was used to make the name unique.

Fixed an issue where Panorama repeatedly displayed the following error message: HA Failover: updates not received from all sources: Pending plugins.

Fixed an issue where tunnel traffic was dropped intermittently when Quality of Service (QoS) Profile was assigned but the profile had no limits defined.

Fixed an issue where, after selecting a PAN-OS release to upgrade to in Device Association > To SW Version, the upgrade failed after connecting to Panorama.

Fixed a memory leak issue related to a process (reportd) where memory was not freed after an ElasticSearch request.

Fixed an issue where only one medium-severity system log was generated if either the EDL file wasn't updated at the remote end or the downloaded file wasn't a text file.

Fixed an issue where system logs incorrectly displayed as Critical.

Fixed an issue where intermittent virtual extensible LAN (VXLAN) packet drops occurred if the TCI was not configured for inspecting VXLAN traffic. This issue occurred when traffic was migrated from a firewall running a PAN-OS version earlier than PAN-OS 9.0 to a firewall running PAN-OS 9.0 or later.

Fixed an intermittent issue where, when a race condition occurred, a process (rasmgr) stopped responding, which caused GlobalProtect user authentication failure.

Fixed an issue in Panorama where a process (configd) stopped responding due to a race condition in the mongodb process.

Fixed an issue where a local commit in the Panorama management server caused the status to get out of sync on the managed WildFire appliance.

Fixed an issue where importing PAN-TRAPS.my to the SNMP manager caused the following error to display: Registration failed, registration failed, because there are unreferenced definition names in the MIB file.

Fixed an issue where a Japanese keyword search displayed garbled characters during SAML authentication.

Fixed an issue where, when the CLI command oscp-exclude-nonce-yes was enabled for a certificate profile, a nonce value was still included in the Online Certificate Status Protocol (OCSP) request.

Fixed an issue where you were unable to select the configured QoS profile under the template stack.

(VM-Series firewalls only) Fixed an issue where the Certification Revocation List (CRL) in Distinguished Encoding Rules (DER) format incorrectly returned errors despite being able to successfully pull the CRL to verify that the syslog server certificate was still valid.

Fixed an memory leak issue related to a process (mgmtsrvr), which was caused by a certificate loading operation.

Fixed an issue where a .txt file was corrupted, which caused the web interface to not display the requested information.

Fixed an issue where, when a new tag was created, a custom application with the same name was also created.

Fixed an issue where an increase was observed on spyware_state, which caused latency.

Fixed a memory leak issue in the management server process.

Fixed an issue where commits to the Prisma Access Remote networks from Panorama were failing when the management server on the cloud firewall failed to exit cleanly and reported the following error: pan_check_cert_status(pan_crl_ocsp.c:284): sysd write failed (TIMEOUT)

Fixed an issue on Panorama where logs that were forwarded to a collector group did not appear, and the log collector displayed the following error message: es.init-status not ready in logjobq.

(PA-3200 Series firewalls only) Fixed an issue where, for SNMPv2-MIB:sysServices, snmpwalk returned the following error message: No Such Instance currently exists at this OID.

Fixed a buffer overflow issue related to the useridd process.

Fixed an issue where warnings displayed during a commit or validate when BGP peers used in an import/export rule were disabled.

Fixed an issue where the policy-based forwarding (PBF) monitor was failing on the tunnel interface when QoS was enabled.

(PA-7000 Series firewalls only) Fixed an issue where TFTP traffic with a high packet rate was not offloaded even after hitting an application override policy with a custom application.

Fixed an issue where HIP reports were not visible on the web interface due to a domain override configuration.

(VM-Series firewalls with multiple DHCP interfaces only) Fixed an issue where leases renewed more quickly than needed, which caused unnecessary SPF recalculations.

Fixed an issue where false system alarms for the IP tag log database exceeded the alarm threshold value.

Fixed an issue where the To field of an email was truncated in threat logs when the field of the original email exceeded 512 bytes.

Fixed an issue where DNS Proxy rules that contained uppercase characters were not normalized to lowercase, which prevented the rules from being matched.

Fixed an intermittent issue where SMB file transfer operations failed due to packet drops that were caused by the Content and Threat Detection (CTD) queue filling up quickly. This fix introduces a new CLI command which, when enabled, prevents these failures: set system setting ctd nonblocking-pattern-match-qsizecheck [enable|disable].

Fixed an intermittent issue where the firewall dropped GTP-U traffic with the message TEID=0x00000000.

Fixed an issue where device deployment from Panorama to the firewalls failed with the error message Failed to get DLSRVR client key. This issue occurred only on firewalls where the request system-private-data-reset CLI command had been issued in the past.

Fixed an issue where using tags to target a device group in a Security policy rule did not work, and the rule was displayed in all device groups (Preview Rules).

(PA_5200 Series firewalls only) Fixed an issue where, after a factory reset, the firewall displayed the following error message: data_plane_X: Exited 1 times, must be manually recovered..

(ZTP firewalls only) Fixed an issue where the firewall failed to connect to Panorama when Zero Touch Provisioning (ZTP) was disabled.

Fixed an issue where a process (configd) stopped responding, which caused corruption.

(PA-5200 Series firewalls only) Fixed an intermittent issue where multicast packets traversing the firewall in VLAN configurations experienced higher drop rates than expected.

Fixed an issue where, when stateless GTP-U traffic hit a multi-dataplane firewall, an inter-dataplane fragmentation loop occurred, which caused high dataplane resource usage.

Fixed an issue where the firewall did not display unified logs.

Fixed a discrepancy in Panorama between application usage data and the application name in the ACC tab.

Fixed an issue where NetFlow updates were sent without honoring the configured active timeout value.

Fixed an issue where a process (useridd) stopped responding while attempting to remove all HIP reports on the disk.

Fixed an issue where zone protection and spoofed IP address protection didn't properly drop unroutable packets.

Fixed an issue where individual users were unable to populate the allowed user/user group field when configuring the GlobalProtect Clientless VPN.

Fixed an issue where the default log level for mprelay was set to INFO and caused commits to stop working on VM-Series firewalls in AWS using EBS backed volumes when route monitor was configured.

(Panorama appliances on PAN-OS 10.0 releases only) Fixed an issue with Security policy rule configuration where, in the Source and Destination tabs, the Query Traffic setting was not available for Address Groups.

Fixed an issue where a process (genindex.sh) caused high memory usage on the management plane. Due to the resulting out-of-memory (OOM) condition, multiple processes stopped responding.

Fixed an issue where the Radius EAP authentication stopped working and the authd process restarted.

Fixed an issue where the firewall was unable to detect end-user IP address spoofing on the GTP-U for a user data session when using an IPv6 address.

Fixed an issue where Panorama failed to push dynamic user groups to the managed firewalls.

Fixed an issue where the inactivity logout timeout did not reflect on the GlobalProtect mapping timeout.

Fixed an issue where the software QoS shaping queue processing was not properly applied on multicast traffic.

Fixed an issue where GlobalProtect logs did not populate on the destination syslog server in Log Event Extended Format (LEEF) and common event format (CEF).

Fixed an issue where the commit event was not recorded in the config logs during a Commit and Push on the Panorama management server.

Fixed an issue in the External Dynamic List (EDL) where printed log messages repeated until the end of the description field.

Fixed an issue where a process (mgmtsrvr) stopped responding when viewing logs in the web interface.

Fixed an issue where, even when tunnel interface was set to down, the following alert displayed: Tunnel GRE_Tunnels is going down(critical).

Fixed an issue on the firewall web interface where the Cortex Data Lake Logging Service Status pop-up window did not show correct information.

Fixed an issue where, in two separate but simultaneous sessions, the same software packet buffer was owned and processed.

Fixed an issue where merged configurations were unable to be exported from Panorama-managed firewalls using the PAN-OS XML API.

Fixed a rare issue where, when aggregate ethernet (AE) groups were deleted and re-added, the AE interface no longer had an SDB node to send link the location to. As a result, the dataplane was unable to identify a connected route for the interface address.

Fixed an issue with the group-mapping mode credential detection feature that failed to block users when logging in using corporate credentials.

A fix was made to address a time-of-check to time-of-use (TOCTOU) race condition in the PAN-OS web interface that enabled an authenticated administrator with permission to upload plugins to execute arbitrary code with root user privileges (CVE-2021-3054).

Fixed an issue on Panorama where a template configuration push was blocked when the managed firewall did not have a plugin referenced in the template configuration.

Fixed an issue where an incorrect Certificate Authority (CA) was used for communicating to the Zero Touch Provisioning (ZTP) service.

Fixed an issue where IKE Gateway configurations with different crypto profiles on the same IP address with dynamic peers failed with the following error message: IKEv1 gateway should use the same crypto profiles configured on the same interface or local IP address.

With this fix, you are able to configure IKE Gateways with different crypto profiles on the same IP address with dynamic peers when IKEv1 auto mode is applied.