(WF-500 appliances only) Fixed an issue where files were incorrectly detected as malicious.

Fixed an issue where testing the same file sample using a PowerShell script returned different verdicts in Private Cloud and Public Cloud.

Fixed an issue where an elink parser did not work.

(Firewalls in active/passive HA configurations only) Fixed an issue where, when redistribution agent connections to the passive firewall failed, excessive system alerts for the failed connection were generated. With this fix, system alerts are logged every 5 hours instead of 10 minutes.

Fixed an issue where the firewall was unable to fully process the user list from a child group when the child group contained more than 1,500 users.

(PA-3200 Series firewalls only) Fixed an issue where, after upgrading to or from PAN-OS 10.1.9 or PAN-OS 10.1.9-h1, offloaded application traffic sessions disconnected even when a session was active. This occurred due to the application default session timeout value being exceeded.

Fixed an issue that resulted in a race condition, which caused the configd process to stop responding.

Fixed an issue where an expired Trusted Root CA was used to sign the forward proxy leaf certificate during SSL Decryption.

Fixed an issue where the packet descriptor leaked over time with GRE tunnels and keepalives.

Fixed an issue where false negatives occurred for some script samples.

Fixed an issue where an elink parser did not work.

Fixed an issue where the logrcvr process stopped responding.

Fixed an issue on the firewall related to the gp_broker configuration transform that led to longer commit times.

(PA-5440, PA-5430, PA-5420, and PA-5410 firewalls only) Fixed an issue where firewalls in active/active HA configurations experienced packet drop when running asymmetric traffic.

Fixed an issue where the authd process stopped responding during a cleanup of authentication server context.

Fixed an issue where memory allocation failure caused dataplane processes to restart. This issue occurred when decryption was enabled and the device was under heavy L7 usage.

Fixed an issue where, when using multi-factor authentication (MFA) with RADIUS OTP, the challenge message Enter Your Microsoft verification code did not appear when accessing the GlobalProtect portal via browser.

Fixed an issue where the logrcvr process stopped responding with MICA HTTP2 traffic.

Fixed an issue where there were duplicate IPSec Security Associations (SAs) for the same tunnel, gateway, or proxy ID.

Fixed an issue where missed heartbeats caused the Data Processing Card (DPC) and its corresponding Network Processing Card (NPC) to restart due to internal packet path monitoring failure.

Fixed an issue where the Data Processing Card remained in a Starting state after a restart.

(M-600 and M-700 appliances only) Fixed an issue where the Elasticsearch shard count grew continuously without limit.

Fixed an issue where the pan_task process stopped responding due to software packet buffer 3 trailer corruption, which caused the firewall to restart.

Fixed an issue where the all_task process repeatedly restarted due to missed heartbeats.

Fixed an issue where botnet reports were not generated on the firewall.

Fixed an issue where the value for shared objects used in policy rules were not displayed on multi-vsys firewalls when pushed from Panorama.

Fixed an issue where the firewall did not send device telemetry files to Strata Logging Service with the error message Send File to Strata Logging Service Receiver Failed.

(PA-5200 Series firewalls only) Fixed an issue where upgrading to PAN-OS 10.1.7, an internal loop caused an increase in the packets received per second.

Fixed an issue where system logs generated by Panorama for commit operations showed the severity as High instead of Informational.

Fixed an issue where the useridd process stopped responding when add and delete member parameters in an incremental sync query were empty.

Fixed an issue where a selective push from Panorama to multiple firewalls failed due to a missing configuration file, which caused a communication error.

Fixed an issue where, after upgrading to PAN-OS 10.2.3, HA peers received conflicting ARP messages that indicated a duplicate IP address.

Fixed a memory space issue where the content and threat detection (CTD) process flow cleanup during inline cloud analysis did not work.

Fixed an issue where the feature bits function reused shared memory, which resulted in a memory allocation error and caused the dataplane to go down.

Fixed an issue where IP addresses in the X-Forwarded-For (XFF) field were not logged when the IP address contained an associated port number.

Fixed an issue where packets were fragmented when SD-WAN VPN tunnel was configured on aggregate ethernet interfaces and sub-interfaces.

(PA-5400 Series only) Fixed an issue where packets were not transmitted from the firewall if its fragments were received on different slots. This occurred when aggregate ethernet (AE) members in an AE interface were placed on a different slot.

(PA-7000 Series firewalls only) Fixed an issue where auto-tagging in log forwarding did not work.

Fixed an issue where the all_task process stopped responding when freeing the HTTP2 stream, which caused the dataplane to go down.

Fixed an issue where domain information wasn't populated in IP address-to-username matching after a successful GlobalProtect authentication using an authentication override cookie.

Fixed an issue where port pause frame settings did not work as expected and incorrect pause frames occurred.

Additional debug information was added to capture internal details during traffic congestion.

(PA-5200 Series firewalls only) The CLI command debug dataplane set pow no-desched yes/no was added to address an issue where the all_pktproc process stopped responding and caused traffic issues.

Fixed an issue where the licensed-device-capacity was reduced when multiple device management license key files were present.

Fixed an issue where NAT policies were not visible on the CLI if they contained more than 32 characters.

Fixed an issue when traffic failed to match and reach all destinations if a Security policy rule includes FQDN objects that resolve to two or more IP addresses.

Fixed an issue where malformed hints sent from the firewall caused the logd process to stop responding on Panorama, which caused a system reboot into maintenance mode.

(VM-Series firewalls on Microsoft Azure environments only) Fixed an issue where the PAN-DB engine did not start when using a VM-Series firewall Flex based CPU.

Fixed an issue on Panorama in Management Only mode where the logdb database incorrectly collected traffic, threat, GTP, decryption, and corresponding summary logs.

Fixed an issue where platforms with RAID disk checks were performed weekly, which caused logs to incorrectly state that RAID was rebuilding.

Fixed an issue on Panorama where log migration did not complete after an upgrade.

Fixed an issue that resulted in a race condition, which caused the configd process to stop responding.

Fixed an issue where the ocsp-next-update-time CLI command did not execute for leaf certificates with certificate chains that did not specify OCSP or CRL URLs. As a result, the next update time was 60 minutes even if a different time was set.

Fixed a Clientless VPN issue where JSON stringify caused issues with the application rewrite.

Fixed an issue where a selective push to firewalls failed if the firewalls were enabled with multiple vsys and the push scope contained shared objects in device groups.

Fixed an issue on Panorama where log migration did not complete as expected.

(PA-5200 Series and PA-7000 Series firewalls only) Fixed an issue where Log Admin Activity was not visible on the web interface.

Fixed an issue where file streams were opened or closed twice due to a race condition which caused Linux to stop responding.

Fixed an issue where URL cloud connections were unable to resolve the proxy server hostname.

Fixed an issue with firewalls in HA configurations where ARP and IPv6 multicast packets were transmitted from the passive firewall.

Fixed an issue where the pan_task process stopped responding when processing client certificate requests from the server in TLS1.3.

Fixed an issue where a selective push did not include the Share Unused Address and Service Objects with Devices option on Panorama, which caused the firewall to not receive the objects during the configuration push.

Fixed an issue on Octeon based platforms where fragmented VLAN tagged packets dropped on an aggregate interface.

Fixed an issue where, even after disabling Telemetry, Telemetry system logs were still generated.

A commit option was enabled for Device Group and Template administrators after a password change.

(PA-800 Series firewalls only) Fixed an issue where PAN-SFP-SX transceivers used on ports 5 to 8 did not renegotiate with peer ports after a reload.

Fixed an issue on PAN-OS 10.2.3 where ports 41-44 remained down when the PAN-QSFP28-DAC-5M cable was connected.

(M-700 Appliances only) A CLI command was added to check the status of each physical port of a bond1 interface.

Fixed an issue where GlobalProtect client certificate authentication failed on a gateway when the gateway was placed behind a NAT.

Fixed an issue where a segmentation fault occurred due to the useridd process being restarted.

Fixed an issue where cfg.lcaas-region was not reset when it was empty, which caused Strata Logging Service onboarding to fail.

Fixed an issue when a scheduled multi-device group push occurred, the configd process stopped responding, which caused the push to fail.

Fixed a timeout issue in the Intel ixgbe driver that resulted in internal path monitoring failure.

(VM-Series firewalls in AWS environments only) Fixed an issue where a newly bootstrapped firewalls did not forward logs to Panorama.

(PA-5280 firewalls only) Fixed an issue where memory allocation errors caused decryption failures that disrupted traffic with SSL forward proxy enabled.

Fixed an issue where authentication sequences were not populated in the drop down when selecting authentication profiles during administrator creation in a template.

(PA-3400 Series firewalls only) Fixed an issue where the default log rate value was too low, and the maximum configurable log rate was capped incorrectly, which caused the firewall to not generate more than 6826 logs per second.

(PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only) Fixed an issue where the logrcvr process did not send the system-start SNMP trap during startup.

Fixed an issue where the pan_comm process stopped responding when a content update and a cloud application update occurred at the same time.

(PA-7000 Series firewalls with NPCs (Network Processing Cards) only) Improved debugging capability for an issue where the firewall restarted due to heartbeat failures and then failed with the following error message: Power not OK.

Fixed an issue on firewalls in active/active HA configurations where, after upgrading to PAN-OS 10.1.6-h6, the active primary firewall did not send HIP reports to the active secondary firewall.

Fixed an issue where the firewall was unable to boot up on older Intel CPUs.

Fixed an issue where the show dos-protection rule command displayed a character limit error.

(PA-3400 Series firewalls only) Fixed an issue where the l7_misc memory pool was undersized and caused connectivity loss when the limit was reached.

Fixed an issue where logs from unaffected log collector groups were not displayed when a log collector was down.

Fixed an issue where RAID rebuilds occurred even with healthy disks and a clean shutdown.

(PA-5450 firewalls only) Added debug commands for an issue where a MAC address flap occurred on a neighbor firewall when connecting both MGT-A and MGT-B interfaces.

Fixed an issue where logs did not display Host-ID details for GlobalProtect users despite having a quarantine Security policy rule. This occurred due to a missed local cache lookup.

Fixed an issue on Panorama where a WildFire scheduled update for managed devices triggered multiple UploadInstall jobs per minute.

(PA-3200 Series and PA-7000 Series firewalls only) Fixed an issue where the CPLD watchdog timeout caused the firewall to reboot unexpectedly.

Fixed an issue where the cloud plugin configuration was automatically deleted from Panorama after a reboot or a configd process restart.

Fixed an issue where the fan tray fault LED light was on even though no alarm was reported in the system environment.

(VM-Series firewalls on Microsoft Hyper-V only) Fixed an issue where the firewall did not receive any traffic on Layer 3 sub-interfaces from the trunk port.

Fixed an issue where running reports or queries under a user group caused the reportd process to stop responding.

Fixed an issue where the pan_com process stopped responding due to aggressive commits.

Fixed an issue where WildFire submissions failed if the file name contained special characters.

Fixed an issue where SD-WAN adaptive SaaS path monitoring did not work correctly during a next hop link down failure.

Fixed an issue in the Run Now section of custom reports where Threat/Content Name displayed in hypertext, and hovering over the text with the mouse displayed the message undefined.

Fixed an issue where there was an IP address conflict after a reboot due to a transaction ID collision.

Fixed a rare issue that caused the dataplane to restart unexpectedly.

Fixed an issue where a commit operation remained at 55% for longer than expected if more than 7,500 Security policy rules were configured.

Fixed an issue where you were unable to add a new application in a selected policy rule.

Fixed an issue where the reportd process stopped responding while querying logs (Monitor > Logs > <logtype>).

Fixed an issue where Elasticsearch did not start properly when a newly installed Panorama virtual appliance powered on for the first time, which caused the Panorama virtual appliance to not query logs forwarded from the managed firewall to a Log Collector.

Fixed an issue where promoted sessions were not synced with all cluster members in an HA cluster.

Fixed an issue where, when a session hit policy based forwarding with symmetric return enabled was not offloaded, the firewall received excessive return-mac update messages, which resulted in resource contention and traffic disruption.

Fixed an issue on Panorama where the web interface was not accessible and displayed the error 504 Gateway Not Reachable due to the mgmtsrvr process not responding.

Fixed an issue where the dot1q VLAN tag was missing in ARP reply packets.

Fixed an issue where logging in via the web interface or CLI did not work until an auto-commit was complete.

Fixed an issue where sudden, large bursts of traffic destined for an interface that was down caused packet buffers to fill, which stalled path monitor heartbeat packets.

Fixed an issue where selective configuration pushes failed due to schema validation when both the device group and template stack had the same name.

Fixed an issue on Panorama where you were unable to context switch from one managed firewall to another.

Fixed an issue where, when a firewall acting as a DHCP client received a new DHCP IP address, the firewall did not release old DHCP IP addresses from the IP address stack.

Fixed an issue where, when accessing a web application via the GlobalProtect Clientless VPN, the web application landing page continuously reloaded.

(PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only) Fixed an issue where the firewall did not forward logs to the log collector.

Fixed an issue where searching threat logs (Monitor > Logs > Threat) using the partial hash parameter did not work, which resulted in an invalid operator error.

Fixed an issue related to the logd process that caused high memory consumption.

Fixed an issue where Panorama became unresponsive, and when refreshed, the error 504 Gateway not Reachable was displayed.

(PA-5440, PA-5430, PA-5420 and PA-5410 firewalls only) Fixed an issue where, when moving interfaces from one aggregate group to another while the interface's link state was down, traffic was not properly routed through the aggregate group until after a second commit.

Fixed an issue where the quarantine device list did not display due to the maximum memory being reached.

Fixed an issue where, when View Rulebase as Groups was enabled, the Tags field did not display a scroll down arrow for navigation.

Fixed an issue where URL categorization failed and the firewall displayed the URL category as not-resolved for all traffic and the following error message was displayed in the device server logs Error(43): A libcurl function was given a bad argument.

Fixed an issue where browser sessions stopped responding for device group template admin users with access domains that had many device groups or templates.

Fixed an issue where a newly created vsys (virtual system) in a template was not able to be pushed from Panorama to the firewall.

(Firewalls in FIPS-CC mode only) Fixed an issue where the firewall went into maintenance mode due to downloading a corrupted software image, which resulted in the error message FIPS-CC failure. Image File Authentication Error.

Fixed an issue with firewalls in HA configurations where host information profile (HIP) sync did not work between peer firewalls.

Fixed an issue where legitimate syn+ack packets were dropped after an invalid syn+ack packet was ingressed.

(Panorama appliances in FIPS-CC mode only) Fixed an issue where a leaf certificate was unable to be imported into a template stack.

Fixed an issue where administrators were unable to change the password of a local database for users configured as a local admin user via an authentication profile.

Fixed an issue where dynamic updates were completed even when configuration commits failed, which caused the all_task process to stop responding.

Fixed an issue where, when SSL/TLS Handshake Inspection was enabled, SSL/TLS sessions were incorrectly reset if a Security policy rule with no Security profiles configured was matched.

Fixed an issue where GlobalProtect authentication failed for SAML username with a special character.

Fixed an issue with Content and Threat Detection allocation storage space where performing a commit failed with a CUSTOM_UPDATE_BLOCK error message.

Fixed an issue where, when the User-ID agent had collector name/secret configured, the configuration was mandatory on clients on PAN-OS 10.0 and later releases.

Fixed an intermittent issue where forward session installs were delayed, which resulted in latencies.

Fixed an issue where the rasmgr process restarted due to a null reference.

Fixed an issue where services failed due to the RAID rebuild not being completed on time.

Fixed an issue where the certificate for an External Dynamic List (EDL) incorrectly changed from invalid to valid, which caused the EDL file to be removed.

Fixed an issue where configuring the firewall to connect with Panorama using an auth key and creating the auth key without adding the managed firewall to Panorama first, the auth key was incorrectly decreased incrementally.

(Firewalls in FIPS-CC mode only) Fixed an issue where the firewall unexpectedly rebooted when downloading a new PAN-OS software image.

(PA-5450 firewalls only) Fixed an issue where HSCI ports did not come up when QSFP DAC cables were used.

Fixed an issue where the request high-availability session-reestablish command was not available for API.

Fixed an issue where processing route-table entries did not work as expected.

Fixed an issue where an incorrect URL list limit displayed during a commit.

(PA-7000 Series firewalls with 100G NPC (Network Processing Cards) only) Fixed an issue where sudden, large bursts of traffic destined for an interface that was down caused packet buffers to fill, which stalled path monitor heartbeat packets.

Fixed an issue where the factor completion time for login events learned through XML API displayed as 1969/12/31 19:00:00.

Fixed an issue where expanding Global Find results displayed only the top level and second level of a searched item.

An enhancement was made to collect CPLD register data after a path monitor failure.

An enhancement was made to improve path monitor data collection by verifying the status of the control network.

Fixed an issue where the Device Telemetry configuration for a region was unable to be set or edited via the web interface.

Fixed an issue where Retrieve Framed-IP-Address attribute from the authentication server fails generating GlobalProtect connection failure with the error Assign private IP address failed.

Fixed an issue where the device-client-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.

Fixed an issue where read-only superusers were unable to see the Commit All job status, warnings, or errors for Panorama device groups.

Fixed an issue where stats dump files did not display all necessary reports.

(VM-Series firewalls only) Fixed an issue where an automatic site license activation for a PAYG license did not register in the Customer Support Portal.

Fixed an issue where, due to a tunnel content inspection (TCI) policy match, IPSec traffic did not pass through the firewall when NAT was performed on the traffic.

Fixed an SD-WAN link issue that occurred when Aggregate Ethernet without a member interface was configured as an SD-WAN interface.

Fixed an issue where the comm process stopped responding due to an OOM condition.

Fixed an issue where firewalls stopped responding after an upgrade due to configuration corruption.

Fixed an issue on the web interface where the language setting is not retained.

(PA-220 firewalls only) Fixed an issue where ECDSA fingerprints were not displayed.

A debug command was introduced to control Gzip encoding for the GlobalProtect Clientless VPN application.

(PA-3400 Series firewalls only) Fixed an issue where the management interface could not be assigned as an HA port.

Fixed an issue where NAT policy rules were deleted on managed devices after a successful push from Panorama to multiple device groups. This occurred when NAT policy rules had device_tags selected in the target section.

Fixed an issue where some Security profiles consumed a large amount of memory, which reduced the number of supported Security profiles below the stated maximum for a platform.

Fixed an internal path monitoring failure issue that caused the dataplane to go down.

Fixed an issue where the Device Quarantine list was not redistributed or updated on Panorama and Prisma Access in a full mesh topology.

Fixed an issue where the SD-WAN interface Maximum Transmission Unit (MTU) led to incorrect fragmentation of IPSec traffic.

Fixed an issue where GlobalProtect HIP match failed for Mac users due to invalid characters being present in the subject alternative attributes in the certificate on the HIP report.

Fixed an issue where INIT SCTP packets were dropped after being processed by the CTD, and silent drops occurred even with SCTP no-drop function enabled.

Fixed an issue with GlobalProtect where attempting to authenticate with the GlobalProtect gateway returned a 502 error code.

Fixed an issue where the firewall generated system log alerts if the raid for a system or log disk was corrupted.

Fixed an issue with Saas Application Usage reports where Applications with Risky Characteristics displayed only two applications per section.

Fixed an issue where the all_task stopped responding with a segmentation fault due to an invalid interface port.

Fixed an issue where the all_task process stopped responding after adding customer hyperscan signatures.

Fixed an issue where the App Pcaps directory size was incorrectly detected which caused commit errors.

Fixed an issue where the useridd process stopped responding due to an invalid vsys_id request.

Fixed an issue where LSVPN satellite authentication cookies were not synced across high availability LSVPN portals.

Fixed an issue with Panorama managed log collector statistics where the oldest logs displayed on the primary Panorama appliance and the secondary Panorama appliance did not match.

The CLI command debug dataplane set pow no-desched yes was added to address an issue where the all_pktproc process stopped responding and caused traffic issues.

Fixed an issue where IGMP packets were offloaded with frequent IGMP Join and Leave messages from the client.

Fixed an issue with firewalls in active/passive HA configurations where GRE tunnels went down due to recursive routing when the passive firewall was booting up. When the passive firewall became active and no recursive routing was configured, the GRE tunnel remained down.

(PA-3440 firewalls only) Fixed an issue where the default NAT DIPP pool oversubscription was set to 2 instead of 4.

(M-600 Appliances in Management-only mode only) Fixed an issue where XML API queries failed due to the configuration size being larger than expected.

Fixed an issue where SCEP certificate import did not work on the firewall when the certificate name contained a period ( . ).

Fixed an issue with firewalls in active/passive HA configurations where the user counts in the management plane were not synchronized between the active and the passive firewall.

Fixed an issue where disabling strict-username-check did not apply to admin users authenticating with SAML.

Fixed an issue where the Elapsed seconds field incorrectly displayed as 0 for DHCP packets coming from the firewall.

Fixed an issue where the firewall did not initiate scheduled log reports.

Fixed a memory leak issue on Panorama related to the logd process that caused an out-of-memory (OOM) condition.

Fixed an issue where Elasticsearch displayed red due to frequent tunnel check failures between HA clusters.

Fixed an issue where decryption logs were not displayed under Manage Custom Reports for custom Panorama admin users.

Fixed an issue on the firewall web interface that prevented applications from loading under any policy or in any location where application IDs were able to be refreshed.

Fixed an issue where the firewall reported General TLS Protocol Error for TLSv1.3 when the firewall closed a TCP connection to the server via a FIN packet without waiting for the handshake to complete.

Fixed an issue on Panorama where Virtual Routers (Network > Virtual Routers) was not available when configuring a custom Panorama admin role (Panorama > Admin Roles).

Fixed an issue where the reportd process stopped responding on log collectors during query and report operations due to a race condition between request handling threads.

Fixed an issue where the Include/Exclude IPs filter under Data Redistribution did not consistently filter IP addresses correctly.

Fixed an issue where the dataplane frequently restarted due to high memory usage on wifclient.

Fixed an issue with firewalls in HA configurations where both firewalls responded with gARP messages after a switchover.

(VM-Series firewalls in ESXI environments only) Fixed an issue where the number of used packet buffers was not calculated properly, and packet buffers displayed as a higher value than the correct value, which triggered PBP Alerts. This occurred when the driver name was not compatible with new DPDK versions.

Fixed a sync issue with firewalls in active/active HA configurations.

Fixed an issue where uploading certificates using a custom admin role did not work as expected after a context switch.

Resolved failed authentication for Radius and TLS where shared secret was striped for FIPS mode

Fixed an issue where, when many NAT policy rules were configured, the pan_comm process stopped responding after a configuration commit due to a high number of debug messages.

Fixed an issue where system logs for syslog activities were categorized as general under Type and EVENT columns.

Fixed an intermittent issue where downloading threat pcap via XML API failed with the following error message: /opt/pancfg/session/pan/user_tmp/XXXXX/YYYYY.pcap does not exist.

Fixed an issue where renaming a device group and then performing a partial commit led to the device group hierarchy being incorrectly changed.

Fixed an issue where configuration changes caused a previously valid interface ID to become invalid due to HA switchovers delaying the configuration push.

Fixed an issue where the logd process stopped responding if some devices in a collector group were on a PAN-OS 10.1 device and others were on a PAN-OS 10.0 release. This issue affected the devices on a PAN-OS 10.0 release.

Fixed an issue when both URL and Advanced URL licenses were installed, the expiry date was not correctly checked.

(PA-5280 firewalls only) Fixed an issue where memory allocation failures caused increased decryption failures.

Fixed an issue where decrypted SSH sessions were interrupted with a decryption error.

Added an alternate health endpoint to direct health probes on the firewall (https://firewall/unauth/php/health.php) to address an issue where /php/login.php performance was slow when large amounts of traffic were being processed.

Fixed an issue where data did not load when filtering by Threat Name (ACC > Threat Activity).

Fixed an issue where the SaaS PDF report incorrectly displayed the sanctioned application tag count as 1.

Fixed an issue where the useridd process stopped responding when booting up the firewall.

Fixed an issue where, when viewing traffic or threat logs from the Application Command Center (ACC) or Monitor tabs, performing a reverse DNS lookup caused the dnsproxy process to restart if DNS server settings were not configured.

Fixed an issue where VXLAN keepalive packets were dropped randomly.

A CLI command was added to address an issue where long-lived sessions were aging out even when there was ongoing traffic.

Fixed an issue where the logd process stopped responding due to forwarded threat logs, which caused Panorama to reboot into maintenance mode.

Fixed an intermittent issue where XML API IP address tag registration failed on firewalls in a multi-vsys environment.

Fixed an issue where, when path monitoring for a static route was configured with a new Ping Interval value, the value was not used as intended.

Fixed an issue where Strata Logging Service flaps occurred for long durations which caused a memory leak related to the mgmtsrvr process.

Fixed an intermittent issue on Panorama where the distributord process stopped responding.

Fixed an issue where the useridd process generated false positive critical errors.

Fixed an issue where disabling the enc-algo-aes-128-gcm cipher did not work when using an SSL/TLS profile.

Fixed an issue where the connection to the PAN-DB server failed with following error message: Failed to send req type[3], curl error: Couldn't resolve host name.

Fixed an issue where repeated configuration pushes from Panorama resulted in a management server memory leak.

Fixed an issue where the dataplane stopped responding, which caused internal path monitoring failure.

Fixed an issue where, after upgrading to PAN-OS 10.1.6, the firewall reset SSL connections that used policy-based forwarding.

Fixed an issue in the User Activity Report where output fields started with the letter b.

Fixed an issue where making GlobalProtect gateway configuration changes resulted in a HIP notification error.

Fixed an issue on Panorama where, when attempting to view the Monitor page, the error invalid term was displayed.

Fixed an issue where traffic that was subject to network packet broker inspection entered a looping state due to incorrect session offload.

Fixed an issue where template configuration for the User-ID agent was not reflected on the template stack on Panorama appliances on PAN-OS 10.2.1.

Fixed an issue where the audit comment archive for Security rule changes output had overlapping formats.

Fixed an intermittent issue where, if SSL/TLS Handshake Inspection was enabled, multiple processes stopped responding when the firewall was processing packets.

Fixed an issue where incorrect user details were displayed under the USER DETAIL drop-down (ACC > Network activity > User activity).

Fixed an issue where, when the total number of in-used HIP profiles was greater than 32, traffic from the GlobalProtect Agent did not hit the expected Security policy rule configured with the HIP profile even though a HIP match log was generated.

Fixed an issue where LSVPN did not support IPv6 addresses on the satellite firewall.

Fixed a memory leak issue related to the distributord process.

Fixed an issue where, when the firewall accepted ICMP redirect messages on the management interface, the firewall did not clear the route from the cache.

Fixed an issue where exporting a Security policy rule that contained Korean language characters to CSV format resulted in the policy description being in a non-readable format.

Fixed an issue where logout events without a username caused high CPU usage.

Fixed an issue where you could not directly edit Services and Address objects from the Policies tab.

Fixed an issue where Preview Changes on Panorama Push to Devices incorrectly displayed changes to encrypted entries.

Fixed an issue where the firewall did not properly measure the Panorama connection keepalive timer, which caused a Panorama HA failover to take longer than expected.

(PA-3400 Series firewalls and PA-5410, PA-5420, and PA-5430 firewalls only) Addressed an issue to improve network latency,

Fixed an issue where the Cisco TrustSEc plugin triggered a flood of redundant register/unregister messages due to a failed IP address tag database search.

Fixed an issue where the useridd process restarted repeatedly which let to an OOM condition.

Fixed an issue where IP address tag policy updates were delayed.

Fixed an issue where, when a decryption profile was configured with TLSv1.2 or later, web pages utilizing TLS1.0 were blocked with an incorrect ERR_TIME_OUT message instead of an ERR_CONNECTION_RESET message.

Fixed an issue where enabling strict IP address checks in a Zone Protection profile caused GRE tunnel packets to be dropped.

Fixed an issue where extraneous logs displayed in the Traffic log when Security policy settings were changed.

Fixed an issue where DNS queries failed from source port 4789 with a NAT configuration.

Fixed an issue where certificates with whitespaces in the name or common name (CN) were not able to be imported.

Fixed an issue where you were unable to customize the risk value in Risk-of-app.

(PA-5450 firewalls only) Fixed an issue where a firewall configured with a Policy-Based Forwarding policy flapped when a commit was performed, even when the next hop was reachable.

Fixed an issue where the comm process stopped responding when a show command was executed in two sessions.

Fixed an issue on the firewall where using special characters in a password caused authentication to fail when connecting to the GlobalProtect portal with GlobalProtect satellite configured.

Fixed an issue on Panorama where logs did not populate when one log collector in a log collector group was down.

Fixed an issue where the Adjust Columns options for Panorama traffic logs did not correctly auto-adjust the columns.

Fixed an issue where commits failed when an AS path regular expression that included the ( _ ) character was specified in the virtual router BGP configuration export rule.

Fixed an issue where daily PDF summary reports were not generated when the Application Report was selected.

Fixed an issue where scheduled custom reports based on firewall data did not display any information.

Fixed an issue where SNMP reported the panVsysActiveTcpCps and panVsysActiveUdpCps value to be 0.

Fixed an issue where, when generating a stats dump file for a managed device from Panorama (Panorama > Support > Stats Dump File), the file did not display any data.

Fixed an issue where syslog traffic that was sent from the management interface to the syslog server even when a destination IP address service route was configured.

Fixed an issue where clientless VPN applications were not displayed in the GlobalProtect portal page.

Fixed an issue where the AppScope Summary report and PDF report export function did not work as expected.

Fixed an issue with Panorama appliances in HA configurations where a passive Panorama appliance generated CMS Redistribution Client is connected to global collector messages.

Fixed an issue with firewalls in HA configurations where ping responses from the target IP addresses were much delayed after a configuration push.

Fixed an issue where, after renaming an object, configuration pushes from Panorama failed with the commit error object name is not an allowed keyword.

Fixed an issue where the firewall system log received a large amount of error messages when attempting a connection between the firewall and Panorama.

(Firewalls in active/passive HA configurations only) Fixed an issue where, when redistribution agent connections to the passive firewall failed, excessive system alerts for the failed connection were generated. With this fix, system alerts are logged every 5 hours instead of 10 minutes.

Fixed an issue where high volume DNS Security traffic caused the firewall to reboot.

Fixed an issue where Panorama did not attach and email scheduled reports (Monitor > PDF > Reports > Email Scheduler) when the size of the email attachments was large.

Fixed an issue where proxy ARP responded on the wrong interface when the same subnet was in two virtual routers.

(PA-7000s Series firewalls with LFCs only) Fixed an issue where the IP address of the LFC displayed as unknown.

Fixed an issue where the log collector did not forward correlation logs to the syslog server.

Fixed an issue where the CLI command show applications list did not return any outputs.

Fixed an issue where generating reports via XML API failed when the serial number was set as target in the query.

Fixed an issue where scheduled configuration backups to the SCP server failed with error message No ECDSA host key is known.

Fixed an issue where path monitor displayed as deleted when it was disabled, which caused a preview change in the summary for static routes.

Fixed an issue with SIP ALG where improper NAT was applied when Destination NAT ran out of IP addresses.

Fixed an issue where the packet broker session timeout value did not match the master sessions timeout value after the firewall received a TCP FIN or RST packet. The fix ensures that Broker session times out within 1 second after the master session timed out.

Fixed an issue where the dataplane CPU usage was higher than expected due to packet looping in the broker session when the network packet broker was enabled.

Fixed an issue on Panorama where a commit push to managed firewalls failed when objects were added as source address exclusions in a Security policy and Share Unused Address and Service Objects with Devices was unchecked.

(PA-5200 Series firewalls only) Fixed an issue where the firewall unexpectedly rebooted with the log message Heartbeat failed previously.

Fixed an issue where Managed Devices > Summary did not reflect new tag values after an update.

(PA-220 Firewalls only) Fixed an issue where system log configurations did not work as expected due to insufficient process timeout after a logrcvr process restart.

Fixed an issue where the ikemgr process stopped responding due to a timing issue, which caused VPN tunnels to go down.

Fixed an issue on Panorama where the push scope was delayed for commit and push operations.

Fixed an issue where internal routes were added to the routing table even after disabling dynamic routing protocols.

Fixed a memory leak issue in the mgmtsrvr process that resulted in an OOM condition.

(Firewalls in multi-vsys environments only) Fixed an issue where IP tag addresses were not synced to all virtual systems (vsys) when they were pushed to the firewall from Panorama via XML API.

Fixed an issue where air gapped firewalls and Panorama appliances performed excessive validity checks to updates.paloaltonetworks.com, which caused software installs to fail.

Fixed an issue where log retention settings Multi Disk did not display correct values on the firewall web interface when the settings were configured using a Panorama template or template stack.

Fixed an issue where the source user name was displayed in traffic logs even when Show User Names In Logs and Reports was disabled for a custom admin role.

Fixed an issue where root partition utilization reached 100% due to mdb old logs not being purged as expected.

Fixed an issue where the logrcvr process stopped responding after a content update on the firewall.

Fixed an issue where, when using syslog-ng forwarding via SSL, with a Base Common Name (CN) and multiple Subject Alternative Names (SANs) were listed in the certificate.

Fixed an issue where PBP Drops (8507) threat logs were incorrectly logged as SCTP Init Flood (8506).

Fixed an issue with the where firewalls in Google Cloud Platforms (GCP) inserted the hostname as PA-VM in the syslog header instead of the DHCP assigned hostname when logs were being sent to the syslog server.

Fixed an issue where warning messages were generated during commits when configuration details of two profiles were identical.

Fixed an issue where HIP database storage on the firewall reached full capacity due to the firewall not purging older HIP reports.

Fixed an issue where log migration did not work when converting a Legacy mode Panorama appliance to Log Collector mode.

Fixed an issue where GlobalProtect SSL VPN processing during a high traffic load caused the dataplane to stop responding.

Fixed an issue where botnet reports were not generated on the firewall.

Fixed an issue where, when you saved a SaaS application report as a PDF or sent it to print, the size of the report was smaller than expected.

Fixed an issue where scheduled log export jobs continued to run even after being deleted.

Fixed an issue where exporting a list of managed collectors via the Panorama web interface failed with the following error message: Export Error, Error while exporting

(PA-5450 firewalls only) Fixed an issue where the show running resource-monitor ingress-backlogs CLI command failed with the following error message: Server error : Failed to intepret the DP response.

Fixed an issue with firewalls in active/passive configurations only where the registered cookie from the satellite firewall to the passive firewall did not sync, which caused authentication between the satellite firewall and the GlobalProtect portal firewall to fail after a failover event.

Added debug logs for visibility into an OpenSSL memory initialization issue that caused unexpected failovers.

Fixed an issue where log queries did not successfully filter the unknown category.

Fixed an issue with Prisma Cloud where a commit push failed due to the error Error: failed to handle TDB_UPDATE_BLOCK.

Fixed an issue where the firewall did not handle packets at Fastpath when the interface pointer was null.

Fixed an issue where the firewall did not correctly receive dynamic address group information from Panorama after a reboot or initial connection.

(VM-Series firewalls only) Fixed an issue where the management plane CPU was incorrectly calculated as high when logged in the mp-monitor.log.

Fixed an intermittent issue where high latency was observed on the web interface and CLI due to high CPU usage related to the sadc process.

Fixed an issue with firewalls in HA configurations where the passive firewall attempted to connect to a hardware security module (HSM) client when a service route was configured, which caused dynamic updates and software updates to fail.

Fixed an issue on Panorama where Managed Devices displayed Unknown.

Fixed an issue where addresses and address groups were not displayed for users in Security admin roles.

Fixed an issue where the Policy filter and Policy optimizer filter were required to have the exact same syntax, including nested conditions with rules that contained more than one tag when filtering via the neq operator.

Fixed an issue where, while authenticating, the allow list check failed for vsys users when a SAML authentication profile was configured under shared location.

(PA-5450 and PA-3200 Series firewalls that use an FE101 processor only) Fixed an issue where packets in the same session were forwarded through a different member of an aggregate ethernet group when the session was offloaded. The fix is that you can use the following CLI command to change the default tag setting to the tuple setting:

tag is the default behavior (tag based on the CPU, tuple based on the FE).

tuple is the new behavior, where both CPU and FE use the same selection algorithm.

Use the following command to display the algorithm:

Fixed an issue that stopped the all_task process to stop responding at the pan_sdwan_qualify_if_ini function.

Fixed an issue on Panorama where you were unable to view the last address object moved to the shared template list.

Fixed an issue with the web interface where group include lists used server profiles instead of LDAP proxy.

Fixed an issue where container resource limits were not enforced for all processes when running inside a container.

Fixed an issue on Panorama where Test Server Connection failed in an HTTP server profile with the following error message: failed binding local connection end.

Fixed an issue where the number of sessions did not reach the expected maximum value with Security profiles.

Fixed an issue where GlobalProtect portal connections failed after random commits when multiple agent configurations were provisioned and configuration selection criteria using certificate profile was used.

Fixed an issue where, when QoS was enabled on an IPSec tunnel, traffic failed due to applying the wrong tunnel QoS ID.

Fixed an issue where incoming DNS packets with looped compression pointers caused the dnsproxyd process to stop responding.

Fixed an issue on Panorama where Export Panorama and devices config bundle (Panorama > Setup > Operations) failed with the following error message: Failed to redirect error to /var/log/pan/appweb3-panmodule.log (Permission denied).

Fixed an issue where FQDN based Security policy rules did not match correctly.

Fixed an issue where, when migrating the firewall, the firewall dropped packets when trying to re-use the TCP session.

Fixed an issue where the varrcvr process restarted repeatedly, which caused the firewall to restart.

Fixed an issue where Panorama appliances in active/passive HA configurations reported the false positive system log Failed to sync vm-auth-key when a VM authentication key was generated on the active appliance.

Fixed an issue where sinkholes did not occur for AWS Gateway Load Balancer dig queries.

Fixed an issue where the dataplane CPU utilization provided from the web interface or via SNMP was incorrect.

Fixed an issue where the UDP checksum wasn't correctly calculated for VXLAN traffic after applying NAT.

Fixed an issue where authentication failed due to a process responsible for handling authentication requests going into an irrecoverable state.

(VM-Series firewalls only) Fixed an issue where, when manually deactivating the license, the admin user did not receive the option to download the token file and upload it to the Customer Support Portal (CSP) to deactivate the license.

Fixed an issue where the ctd_dns_malicious_fwd counter incorrectly increased incrementally.

Fixed an issue on the web interface where the interzone-default rule hit count was not displayed.

Fixed an issue where encapsulating Security payload packets originating from the firewall were dropped when strict IP address check was enabled in a zone protection profile.

Fixed an issue where, when using Global Find on the web interface to search for a given Hostname Configuration (Device > Setup > Management), clicking the search result directed you to the appropriate Hostname configuration, but did not change the respective Template field automatically.

(PA-5200 Series and PA-7000 Series firewalls only) Fixed an issue where Support UTF-8 For Log Output wasn't visible on the web interface.

Fixed an issue with firewalls in FIPS mode that prevented device telemetry from connecting.

Fixed an issue where DNS Security logs did not display a threat category, threat name, or threat ID when domain names contained 64 or more characters.

(PA-5400 Series firewalls only) Fixed an issue where HSCI interfaces didn’t come up when using BiDi transceivers.

Fixed an issue where not all quarantined devices were displayed as expected.

Fixed an issue where the current date was incorrectly printed as the last license check date.

Fixed an issue where, when exporting to CSV in Global Find, the firewall truncated names of rules that contained over 40 characters.

Fixed an issue where invalid packet-ptr was seen in work entries.

Fixed an issue where commits from Panorama failed on the firewall due to the virtual router name character limit.

Fixed an issue where, when HA was enabled and a dynamic update schedule was configured, the configd process unexpectedly stopped responding during configuration commits.

Fixed an issue where the firewall displayed the error message Malformed Request when an email address included an ampersand ( & ) when configuring an email server profile.

Fixed an issue where WildFire submission did not work as expected.

(PA-7000 Series firewalls only) Fixed an issue where not all changes to the template were reflected on the firewall.

Fixed an issue where, when Captive Portal Authentication was configured, l3svc_ngx_error.log and l3svc_access.log did not roll over after exceeding 10 megabytes, which caused the root partition to reach full utilization.

(PA-7050 firewalls with Network Processing Cards (NPCs) only) Debug commands were added to address an issue where the firewall's NPC Slot2 failed and multiple dataplane processes stopped responding.

(VM-Series firewalls only) Fixed an issue where the packet buffer utilization was displayed as high even when no traffic was traversing the firewall.

Fixed an issue where the firewall did not decrypt SSL traffic due to a lack of internal resources allocated for decryption.

Fixed an issue where GTPv2-c and GTP-U traffic was identified with insufficient-data in the traffic logs.

Fixed an issue where traffic arriving on a tunnel with a bad IP address header checksum was not dropped.

Fixed an issue on Panorama where you were able to attempt to push a number of active schedules to the firewall that was greater than the firewall's maximum capacity.

Fixed an issue where certificate generation using SCEP did not take more than one organizational unit (OU).

Fixed an issue where the GlobalProtect gateway inactivity timer wasn't refreshed even though traffic was passing through the tunnel.

Removed a duplicate save filter Icon in the Audit Comment Archive for Security Rule Audit Comments tab.

(PA-400 Series firewalls in active/passive HA configurations only) Fixed an issue where, when HA failover occurred, link up on all ports took longer than expected, which caused traffic outages.

Fixed an issue where users with custom admin roles and access domains were unable to view address objects or edit Security rules.

Improved protection against unexpected packets and error handling for traffic identified as SIP.

Fixed an issue where an external dynamic list fetch failed with the error message Unable to fetch external dynamic list. Couldn't resolve host name. Using old copy for refresh.

Fixed an issue where the firewall dropped IPv6 Bi-Directional Forwarding (BFD) packets when IP Spoofing was enabled in a Zone Protection Profile.

Fixed an issue where exported PDF report of the ACC was the incorrect color after upgrading from a PAN-OS 10.1 or later release.

Fixed an issue on the firewall where Agentless User-ID lost parent Security group information after the Security group name of the nested groups on Active Directory was changed.

Fixed an issue where the dcsd process stopped responding when attempting to read the config to update its redis database.

Fixed an issue where, when grouping HA peers, access domains that were configured using multi-vsys firewalls deselected devices or virtual systems that were in other configured access domains.

Fixed an issue where PDF reports were not translated to the configured local language.

Fixed an issue where, when a Panorama appliance on a PAN-OS 9.0 or later release pushed built-in external dynamic lists to a firewall on a PAN-OS 8.1 release, the external dynamic list was removed, but the rule was still pushed to the firewall. With this fix, Panorama will show a validation error when attempting to push a pre-defined external dynamic list to a firewall on a PAN-OS 8.1 release.

Fixed an issue where the CLI command to show SD-WAN tunnel members caused the firewall to stop responding.

Fixed an issue where, when multiple routers were configured under a Panorama template, you were only able to select its own virtual router for next hop.

Fixed an issue on Panorama where the configd process stopped responding when adding, deleting or listing an authentication key.

Fixed an issue on Panorama where executing a debug command caused the logrcvr process to stop responding.

Fixed an issue where filtering threat logs using any value under THREAT ID/NAME displayed the error Invalid term.

Fixed an issue where the firewall didn't update URL categories from the management plane to the dataplane cache.

Fixed an issue where the firewall did not send an SMTP 541 error message to the email client after detecting a malicious file attachment.

Fixed an issue where, when adding new configurations, Panorama didn't display a list of suggested template variables when typing in a relevant field.

Fixed an issue on Panorama where attempting to rename mapping for address options caused a push to fail with the following error message: Error: Duplicate address name..

Fixed an issue where incorrect results were displayed when filtering logs in the Monitor tab.

Fixed an issue on Panorama where a password change in a template did not reset an expired password flag on the firewall, which caused the user to change their password when logging in to a firewall.

Fixed an issue related to an OOM condition in the dataplane, which was caused by multiple panio commands using extra memory.

(PA-220 firewalls only) Fixed an issue where the GlobalProtect portal was not reachable with IPv6 addresses.

Fixed an issue where the firewall did not delete Stateless SCTP sessions after receiving an SCTP Abort packet.