Known or Addressed
PAN-OS
Bug ID
Description (Database last updated 07-01-2025)
Known
10.1.0
—
If you use Panorama to retrieve logs from Strata Logging Service , new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to Strata Logging Service and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode .
Known
10.1.0
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.0
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.0
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.0
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less that the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM- <xxx> license , indicates that you must allocate the additional memory required for licensed capacity for the firewall model.
Known
10.1.0
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.0
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.0
APL-15000
When you move a firewall from one Strata Logging Service instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.0
APL-8269
For data retrieved from Strata Logging Service , the Threat Name column in Panorama ACC threat-activity appears blank.
Known
10.1.0
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.0
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.0
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround: Retry connecting after you restart the web server with the following command: debug software restart process web-server .
Known
10.1.0
PAN-264281
When upgrading a ZTP firewall from PAN-OS 10.1 to PAN-OS 11.1 or later versions, if you use the To SW Version column to specify the target PAN-OS version, the upgrade process downloads and installs the intermediary base version containing an expired root certificate. This causes the ZTP firewall to lose connection with Panorama
Workaround: Follow the standard upgrade process from Panorama, which you use for non-ZTP firewalls, to upgrade to the target PAN-OS version that contains the valid root certificate.
Known
10.1.0
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.1.0
PAN-228273
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status is red . This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.1.0
PAN-227344
On the Panorama management server, PDF Summary Reports ( Monitor PDF Reports Manage PDF Summary ) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.0
PAN-223488
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.1.0
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.1.0
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.1.0
PAN-217307
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.0
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings ( Device High Availability ) in a template or template stack ( Panorama Templates ), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync .
Known
10.1.0
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.1.0
PAN-212889
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues .
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor ( Monitor App Scope Threat Monitor ) and ACC . This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor.
Known
10.1.0
PAN-208325
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues .
The following NextGen firewalls are unable to automatically renew the device certificate ( Device Setup Management or Panorama Setup Management ).
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-5450 Firewall
Workaround: Log in to the firewall CLI and fetch the device certificate. 
admin>request certificate fetch
Known
10.1.0
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status ( Panorama Managed Collector ) displaying connected and the managed colletor Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround: Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Log in to the Dedicated Log Collector CLI .
  2. Confirm the Dedicated Log Collector is disconnected from Panorama. 
    admin> show panorama-status
    Verify the Connected status is no .
  3. Restart the mgmtsrvr process. 
    admin> debug software restart process management-server
Known
10.1.0
PAN-206268
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues .
On the Panorama management server, the Auth Key field was erroneously displayed when you configure the Panorama Settings ( Device Setup Management ) as part of a template or template stack configuration.
Known
10.1.0
PAN-206243
The PA-220 firewall reaches the maximum disk usage capacity multiple a day that requires a disk cleanup. A critical system log ( Monitor Logs System ) is generated each time the firewall reaches maximum disk usage capacity.
Known
10.1.0
PAN-205187
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround: Log in to the Panorama CLI and start the PAN-OS software. 
admin>request restart software
Known
10.1.0
PAN-201855
On the Panorama management server, cloning any template ( Panorama Templates ) corrupts certificates ( Device Certificate Management Certificates ) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have template A, B, and C where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with Block Private Key Export setting enabled in templates A and B.
Workaround: After cloning a template, delete and re-import the corrupted certificates.
Known
10.1.0
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround: Manually reboot the Active Panorama HA peer.
Known
10.1.0
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups ( Panorama Device Groups ) under the same device group hierarchy that are used in one or more Policies , renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B .
  2. You create address objects called AddressObjA in the Shared , DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B .
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB .
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.0
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.1.0
PAN-194519
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
( PA-5450 firewall only ) Trying to configure a custom payload format under Device Server Profiles HTTP yields a Javascript error.
Known
10.1.0
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.0
PAN-193336
All logs ( Monitor Logs ) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Known
10.1.0
PAN-192403
This issue is now resolved. See PAN-OS 10.1.6-h3 Addressed Issues .
( PA-5450 firewall only ) There is no commit warning in the web interface when configuring the management interface and logging interface in the same subnetwork. Having both interfaces in the same subnetwork can cause routing and connectivity issues.
Known
10.1.0
PAN-190727
( PA-5450 firewall only ) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.1.0
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.1.0
PAN-186913
On the Panorama management server, Validate Device Group ( Commit Commit and Push erroneously issues a CommitAll operation instead of a ValidateAll operation when multiple device groups are included in the push and results in no configuration validation.
Known
10.1.0
PAN-186262
The Panorama management server in Panorama or Log Collector mode may become unresponsive as Elasticsearch accumulates internal connections related to logging processes. The chances Panorama becomes unresponsive increases the longer Panorama remains powered on.
Workaround: Reboot Panorama if it becomes unresponsive.
Known
10.1.0
PAN-185966
The debug skip-cert-renewal-check-syslog yes command is not available on Log Collector CLI to stop the Dedicated Log Collector from trying to renew the device certificate and displaying the following error:
No valid device certificate found
Known
10.1.0
PAN-180661
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues .
On the Panorama management server, pushing an unsupported Minimum Password Complexity ( Device Setup Management ) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.1.0
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys that impacts exporting logs ( Device Scheduled Log Export ), exporting configurations ( Device Scheduled Config Export ), or the scp export command in the CLI.
Workaround: Use RSA-based host keys on the destination server.
Known
10.1.0
PAN-185286
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues .
( PA-5400 Series firewalls only ) On the Panorama management server, the device health resources ( Panorama Managed Devices Health ) do not populate.
Known
10.1.0
PAN-178194
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues .
A UI issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.1.0
PAN-177363
Dedicated Log Collector system and config logs cannot be ingested and are dropped when they are forwarded to a Panorama management server in Management Only mode, resulting in Dedicated Log Collector system and config logs not being viewable on Panorama in Management Only mode.
Known
10.1.0
PAN-175717
This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues
Firewalls managed by a Panorama management server enter maintenance mode if:
  • Panorama is running PAN-OS 10.2 and managed firewalls are downgraded from PAN-OS 10.2 to PAN-OS 10.1.4 or earlier PAN-OS release.
  • Panorama is upgraded from PAN-OS 10.1 to PAN-OS 10.2 and managed firewalls are running PAN-OS 10.1.4 or earlier PAN-OS 10.1 release.
Workaround: When downgrading managed firewalls, downgrade to PAN-OS 10.1.5 first and then continue on your downgrade path. When upgrading Panorama, upgrade to PAN-OS 10.1.5 first and then continue on your upgrade path.
Known
10.1.0
PAN-175685
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues .
( PA-7000 Series and PA-5450 firewall only ) When the MPC (Management Processor Card) or SMC (Switch Management Card) is removed from one chassis and placed in another, PAN-OS will incorrectly cache and display the chassis serial number of the former chassis.
Known
10.1.0
PAN-175149
For the PA-220 firewall, and the PA-800 and PA-7000 Series firewalls, the ACC and scheduled reports ( Monitor Manage Manage Custom Reports ) erroneously display the IPv6 address instead of the IPv4 address.
Known
10.1.0
PAN-174254
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues .
Gateway Load Balancer (GWLB) inspection is disabled on the VM-Series firewall for AWS after a reboot.
Workaround: Enable GWLB inspection.
Known
10.1.0
PAN-174094
This issue has been resolved. See PAN-OS 10.1.1 Addressed Issues .
SaaS Policy Recommendation does not work on firewalls because the SaaS Security Inline policy recommendation license check fails. When this occurs, the bottom ribbon on Device Policy Recommendation SaaS displays the message SaaS Security license is required for feature to function in red text.
On Panorama, the SaaS Inline Security column in Panorama Device Deployment Licenses shows that the SaaS Security Inline license is not present on the managed firewall.
Workaround : If Panorama manages the firewall, use Panorama to import SaaS policy recommendations and then push them to the firewall.
Known
10.1.0
PAN-174004
On the Panorama management server, local or Dedicated Log Collector mode cannot successfully join an ElasticSearch cluster when added to a Collector Group ( Panorama Collector Groups ) if the SSH key length for a Log Collector in the cluster is greater than 2048 characters.
Known
10.1.0
PAN-173509
This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues .
Superuser administrators with read-only privileges ( Device Administrators and Panorama Administrators ) are unable to view the hardware ACL blocking setting and duration in the CLI using the commands: 
admin> show system setting hardware-acl-blocking-enable
admin> show system setting hardware-acl-blocking-duration
Known
10.1.0
PAN-172515
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues .
If you downgrade from PAN-OS 10.1 to an earlier version and you have configured the Cloud Authentication Service in an Authentication profile, the firewall does not remove the Cloud Authentication Service from the Authentication profile, displays the authentication method as None, and any subsequent commits are not successful.
Workaround: Delete the Authentication profile that is configured for the Cloud Authentication Service then commit your changes.
Known
10.1.0
PAN-172492
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues .
You can create and commit a log forwarding profile ( Objects Log Forwarding ) with an invalid Filter .
Known
10.1.0
PAN-172454
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues .
If the firewall communicates with the Cloud Identity Engine before you install the device certificate on the firewall or Panorama, all subsequent queries to the Cloud Identity Engine fail.
Workaround : Use the debug software restart process dscd to restart the connection to the Cloud Identity Engine.
Known
10.1.0
PAN-172419
This issue has been resolved. See PAN-OS 10.1.1 Addressed Issues .
Hot-swapping or hot-plugging a transceiver in the HSCI-A or HSCI-B port on the PA-5450 firewall may cause the device to reboot unexpectedly.
Known
10.1.0
PAN-172386
This issue has been resolved. See PAN-OS 10.1.1 Addressed Issues .
A Passive PA-5450 firewall in an Active/Passive HA pair will continue to process traffic even if its port(s) are in a Disabled state when the ports do not link up initially due to local or remote faults.
Known
10.1.0
PAN-172276
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues .
Changing the port speed on a PA-400 Series firewall from auto-negotiate to 1G may cause the dataplane port to flap intermittently and result in a loss of traffic.
Known
10.1.0
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.1.0
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround: Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.0
PAN-172091
If you have configured a virtual system as a User-ID hub and a firewall that receives IP address-to-username mapping from the hub has a security policy that includes a QoS policy rule, the firewall does not match the user to the QoS policy rule if the traffic attempts to access a virtual system that is not the hub.
Known
10.1.0
PAN-172208
This issue is now resolved. See PAN-OS 10.1.3 Addressed Issues .
The PA-5450 firewall may reload in rare conditions while handling high stress SSL traffic when CPU utilization reaches 100% or packet broker capacity exceeds 40%.
Known
10.1.0
PAN-172171
In an HA Active/Passive configuration using Auto mode, a Passive PA-5450 firewall under traffic stress can get stuck in maintenance mode after receiving the slot7-path_monitor Path monitor failure service failure.
Workaround: Use Active/Passive Shutdown mode instead of Auto mode.
Known
10.1.0
PAN-172132
This issue is now resolved by PAN-189643. See PAN-OS 10.1.6 Addressed Issues .
QoS fails to run on a tunnel interface (for example, tunnel.1).
Known
10.1.0
PAN-172067
When you configure a HTTP server profile ( Device Server Profiles HTTP or Panorama Server Profiles HTTP ), the Username and Password fields are always required regardless of whether Tag Registration is enabled.
Workaround: When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require it. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.0
PAN-172061
A process (allpktproc) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.0
PAN-164707
This issue is now resolved. See PAN-OS 10.1.1 Addressed Issues .
For PA-7000 Series Legacy firewalls, you are unable to view logs ( Monitor ) on the web interface or in the CLI ( show log <logtype> )
Workaround: Log in to the firewall CLI and restart the vldmgr process. 
admin> debug software restart process vldmgr
Known
10.1.0
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Known
10.1.0
PAN-171898
This issue has been resolved. See PAN-OS 10.1.1 Addressed Issues .
PA-5450 firewalls may not get full 10G throughput when traffic is sent from 100G/40G interfaces to 10G interfaces.
Known
10.1.0
PAN-171839
The Enable Bonjour Reflector option under Network Interfaces Layer 3 Interface IPv4 is not supported on the PA-5450 firewall.
Known
10.1.0
PAN-171750
This issue has been resolved. See PAN-OS 10.1.1 Addressed Issues .
The PA-5450 firewall's HSCI interface does not recognize a hot-swapped 40G or 100G transceiver.
Workaround: Power down the firewall before removing and installing a 40G or 100G transceiver. After the transceiver is installed, power on the firewall.
Known
10.1.0
PAN-171744
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues .
No data is displayed for the Forward Error Correction (FEC) plot for SD-WAN application performance ( Panorama SD-WAN Monitoring ).
Known
10.1.0
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround: Remove all ACE application configurations before downgrading.
Known
10.1.0
PAN-171714
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues .
If you use the NetBIOS format ( domain\user ) for the IP address-to-username mapping and the firewall receives the group mapping information from the Cloud Identity Engine, the firewall does not successfully match the user to the correct group.
Known
10.1.0
PAN-171706
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues .
If you are using Panorama to manage firewalls with multiple virtual systems and the virtual system that is the User-ID hub uses an alias, the local commit on Panorama is successful but the commit to the firewall fails.
Known
10.1.0
PAN-171703
On the Panorama management server, the GlobalProtect Activity widget ( ACC GlobalProtect Activity ) and GlobalProtect logs ( Monitor Logs GlobalProtect ) do not display if a Device Group is selected.
Workaround: Select the All device group to view the GlobalProtect Activity widget and GlobalProtect logs.
Known
10.1.0
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID in the Application usage widget.
Known
10.1.0
PAN-171635
If you have an on-premise Active Directory and there is an existing group mapping configuration on the firewall, if you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping even if the configuration is disabled and the firewall is rebooted, which may conflict with new mappings from the Cloud Identity Engine.
Workaround : Use the debug user-id clear domain-map command to remove the existing group mappings from the firewall.
Known
10.1.0
PAN-171224
On the Panorama management server, a custom report ( Monitor Managed Custom Reports ) with a high volume of unique data objects is not generated when you click Run Now .
Known
10.1.0
PAN-171145
If you edit or remove the value for the mail attribute in your on-premise Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.0
PAN-171127
This issue is now resolved. See PAN-OS 10.1.4 Addressed Issues
On the Panorama management server, custom reports ( Monitor Manage Custom Reports ) for the Device Application Statistics and Device Traffic Summary databases display null for the Application fields.
Known
10.1.0
PAN-171069
Local Log Collectors for Panorama management servers in active/passive high availability (HA) configuration cannot be added to the same Collector Group ( Panorama Collector Groups ).
Workaround: Before you upgrade your Panorama servers to PAN-OS 10.1.0, configure HA ( Panorama High Availability ), add the local Log Collectors of the HA peers to the same Collector Group, and upgrade to PAN 10.1.0.
Known
10.1.0
PAN-170923
In Policies Security Policy Optimizer New App Viewer , when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.0
PAN-170473
This issue has been resolved. See PAN-OS 10.1.1 Addressed Issues .
SSL traffic is not decrypted on inbound inspection when the private key is using a hardware security module (HSM).
Known
10.1.0
PAN-170462
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues .
SaaS applications downloaded from the App-ID Cloud Engine (ACE) do not appear in daily application reports ( Monitor Reports Application Reports ) or in the Application column of the Application Usage widget in ACC Network Activity .
Known
10.1.0
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.0
PAN-170174
This issue has been resolved. See PAN-OS 10.1.1 Addressed Issues .
A CN-NGFW pod might incorrectly restart multiple times after bring up due to eth0 being unavailable when kubelet runs network checks on eth0. The following error is seen in the DP node journalctl logs: "failed to read pod IP from plugin/docker: networkPlugin cni failed on the status hook for pod "pan-ngfw-dep-<>_kube-system": unexpected address output".
Workaround : Redeploy the CN-NGFW pod
Known
10.1.0
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.0
PAN-169433
On the Panorama management server, clicking Run Now for a custom report ( Monitor Manage Custom Reports ) with 32 or more filters in the Query Builder returns the result No matching records
Known
10.1.0
PAN-168920
This issue has been resolved. See PAN-OS 10.1.1 Addressed Issues .
On a PA-5450 firewall, QoS does not honor the guaranteed bandwidth for classes set to a Priority of real-time.
Known
10.1.0
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route ( Prepare to Deploy App-ID Cloud Engine describes how to do this.)
Known
10.1.0
PAN-168113
On the Panorama management server, you are unable to configure a master key ( Device Master Key and Diagnostics ) for a managed firewall if an interface ( Network Interfaces Ethernet ) references a zone pushed from Panorama.
Workaround: Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.0
PAN-167847
If you issue the command opof stats , then clear the results {opof stats -c}, the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround: Re-run the opof stats command after the offload completes.
Known
10.1.0
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to edge service.
Known
10.1.0
PAN-166464
This issue is now resolved. See PAN-OS 10.1.6-h6 Addressed Issues .
PAN-OS reports the PA-5450 fan numbers incorrectly by listing them in the opposite order. This does not affect fan operation. For further information, contact Customer Support.
Known
10.1.0
PAN-166398
This issue is now resolved. See PAN-OS 10.1.1 Addressed Issues .
On PA-5450 Next-Generation firewalls, when you configure path or latency monitoring on the Health Monitor tab in the Packet Broker profile ( Objects Packet Broker ), after a firewall restart, the path health monitor may be disabled due to a configuration synchronization issue, so the firewall may not be aware of path failures.
Workaround: Change the health monitoring configuration and commit the change to prevent this issue from occurring.
Known
10.1.0
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the user in value in a filter query, Panorama is unable to retrieve the group membership and as a result, is unable to display this data in logs and custom reports.
Known
10.1.0
PAN-165225
There is an issue where hwpredict is enabled by default, and you have to disable it via the CLI.
Known
10.1.0
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.0
PAN-164885
This issue is now resolved. See PAN-OS 10.1.14-h6 Addressed Issues
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.0
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Product (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.0
PAN-164647
On the Panorama management server, activating a license ( Panorama Device Deployment Licenses ) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround: Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.0
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, it displays in user@domain format in the CLI output.
Known
10.1.0
PAN-163966
On the Panorama management server, the ACC and on demand reports ( Monitor Manage Custom Reports ) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.0
PAN-163676
Next-Gen Firewalls are unable to connect to a syslog server when the certificates required to connect to the syslog server are part of a Certificate Profile ( Device Certificate Management Certificate Profile ) if the Use OCSP setting is enabled to check the revocation status of certificates.
Workaround: Enable Use CRL to check the revocation status of certificates in the Certificate Profile.
Known
10.1.0
PAN-162836
On the VM-Series firewall, if you select Device Licenses Deactivate VM a popup window opens and you can choose Subscriptions or Support and press Continue to remove licenses and register the changes with the license server. When the license removal is complete the Deactivate VM window does not update its text to exclude deactivated licenses or close the window.
Workaround : Wait until the license deactivation is complete, and click Cancel to close the window.
Known
10.1.0
PAN-162164
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues .
When upgrading a multi-dataplane firewall from PAN-OS 10.0 to 10.1, if the configuration includes the DHCP Broadcast Session option enabled, the commit fails. Auto-commit is not affected.
Workaround: Load the configuration from running config (load config from running-config.xml) and perform a commit.
Known
10.1.0
PAN-162088
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
On the Panorama management server in a high availability (HA) configuration, content updates ( Panorama Dynamic Updates ) manually uploaded to the active HA peer are not synchronized to the passive HA peer when you Install a content update and enable Sync to HA Peer .
Known
10.1.0
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the No. of Groups in the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.0
PAN-161451
If you issue the command opof stats , there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state, and has no impact on the existing session.
Known
10.1.0
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if TCI policy is not configured for inspecting VXLAN traffic flows.
Workaround: On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall .
PAN-OS version 9.0 can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.0
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.0
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings ( Device Setup DLP ) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround: After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1
  2. Log in to the firewall web interface and view the Tasks to verify all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit Commit and Push to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.0
PAN-157103
Multi-channel functionality may not be properly utilized on an VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround : Execute the command debug dataplane pow status to view the number of channels being utilized by the dataplane. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       2   0   0   0   0   0     2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command debug dataplane pow status . It should now show multiple channels being utilized. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       1   1   0   0   0   0     2
Known
10.1.0
PAN-156598
( Panorama only ) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround: Use the CLI to update the combination signature.
Known
10.1.0
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit ( Commit Commit to Panorama ) failures if a custom report ( Monitor Manage Custom Reports ) is configured to Group By Session ID .
Workaround: After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.0
PAN-154053
This issue has been resolved. See PAN-OS 10.1.1 Addressed Issues .
If two or more PA-5450 fan assemblies fail, the firewall shuts down without providing a console or CLI error message about the fan failure.
Known
10.1.0
PAN-154034
On the Panorama management server, the Type column in the System logs ( Monitor Logs System ) for managed firewalls running a PAN-OS 9.1 release erroneously display iot as the type.
Known
10.1.0
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1
Workaround: After successful downgrade to PAN-OS 9.1, Remove Config ( Panorama Plugins ) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.0
PAN-153803
On the Panorama management server, scheduled email PDF reports ( Monitor PDF Reports ) fail if a GIF image is used in the header or footer.
Known
10.1.0
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done despite reports generated from logs in the Strata Logging Service from the PODamericas Collector Group jobs are still in a Running state.
Known
10.1.0
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.0
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates .)
Known
10.1.0
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.0
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.0
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround: Restart Panorama to connect to the IoT Security edge service.
Known
10.1.0
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.0
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround: Load the running configuration and perform a force commit to sync the devices.
Known
10.1.0
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround: Specify iot as the Type Attribute to filter the logs and use the search term as the Description Attribute . For example: ( subtype eq iot ) and ( description contains 'gRPC connection' ) .
Known
10.1.0
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.0
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround: Panorama automatically restarts the VLD and logd processes.
Known
10.1.0
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround : Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.0
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration ( Panorama SD-WAN Devices ) does not display the branch template stack as out of sync .
Additionally, adding, deleting, or modifying the BGP configuration ( Panorama SD-WAN Devices ) does not display the hub and branch template stacks as out of sync . For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync , nor does modifying the BGP configuration on the hub firewall cause the branch template stack as out of sync .
Workaround: After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.0
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround: Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.0
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates ( Panorama Managed Devices Summary ) as Out of Sync .
Workaround : When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values ( Commit Push to Devices Edit Selections ).
Known
10.1.0
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and displays the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround: Retrying fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.0
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.0
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.0
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server resulting in a delay in a log query and ingestion.
Known
10.1.0
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update ( Panorama Device Deployment Software ) but display as connected when you view your managed firewalls Summary ( Panorama Managed Devices Summary ) and from the CLI.
Workaround: Log out and log back in to the Panorama web interface.
Known
10.1.0
PAN-135742
There is an issue in HTTP2 session decryption where the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.0
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.0
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups ( Objects Address Groups ) and duplicate services in service groups ( Objects Service Groups ) when created from the CLI.
Known
10.1.0
PAN-130550
( PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls ) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.0
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround: Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.0
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.0
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.0
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.0
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2 .
Known
10.1.0
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.0
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address ( Device Setup Content ID URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
    4. Commit your changes.
  • Restart the firewall ( devsrvr ) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process: debug software restart process device-server
Known
10.1.0
PAN-116017
( Google Cloud Platform (GCP) only ) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
10.1.0
PAN-115816
( Microsoft Azure only ) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.
Known
10.1.0
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.0
PAN-112694
( Firewalls with multiple virtual systems only ) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.0
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.0
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround: Use an XML API request to unregister the tags for the subnet or range.
Known
10.1.0
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit ( Commit Commit to Panorama ) the reverted configuration to display the invalid configuration errors.
Known
10.1.0
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.0
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.0
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.0
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.0
PAN-109759
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues
The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
Known
10.1.0
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.0
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed ( Objects GlobalProtect HIP Objects <hip-object> General Managed ), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.0
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.0
PAN-101688
( Panorama plugins ) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all .
Known
10.1.0
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed form the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal ‘vsys eq <vsys-name> ’ <dst> | <src> in <object-name>
Known
10.1.0
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.0
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List ) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.0
PAN-97524
( Panorama management server only ) The Security Zone and Virtual System columns ( Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.0
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.0
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
10.1.0
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings ( Device Password Profiles ) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.0
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.0
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.0
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases ( Objects Security Profiles Vulnerability Protection <profile> Exceptions ). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.0
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile ( Objects Security Profiles SCTP Protection ) and you try to add the profile to an existing Security Profile Group ( Objects Security Profile Groups ), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.0
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up ( Device Setup HSM ).
Known
10.1.0
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
Known
10.1.0
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.0
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-off load no CLI command.
Known
10.1.0
PAN-83236
The VM-Series firewall on Google Compute Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address ( Device Setup Services ).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.0
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.0
PAN-81521
Endpoints failed to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile ( Device Server Profiles Kerberos ).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.0
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session off load no CLI command.
Known
10.1.0
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama results in a validation error—the commit fails and the cluster becomes unresponsive.
Known
10.1.0
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.0
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller: 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller worker-list <worker-ip-address>
    ( <worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled. 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
yes
    or 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.0
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.0
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL , the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error ( Objects External Dynamic Lists ).
Known
10.1.0
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.0
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report ( Monitor Manage Custom Reports ). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days , the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame .
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.0
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.0
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect —The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network —When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands are blocked for 20 seconds.
Addressed
10.1.0
APL-14490
Fixed an issue where the option to toggle log ingestion or storage for devices in the Strata Logging Service app did not function.
Addressed
10.1.0
PAN-164564
Fixed an issue where stats API attempted to get stats from an unavailable port.
Addressed
10.1.0
PAN-146573
( PA-7000 Series firewalls only ) Fixed an issue where firewalls configured with a large number of interfaces experienced impacted performance and timeouts when performing SNMP queries.
Addressed
10.1.0
PAN-142099
Fixed an issue for Panorama to allow changing MTU for mgmt interface.
Known
10.1.1
—
If you use Panorama to retrieve logs from Strata Logging Service , new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to Strata Logging Service and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode .
Known
10.1.1
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.1
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.1
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.1
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM- <xxx> license , indicates that you must allocate the additional memory required for licensed capacity for the firewall model.
Known
10.1.1
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.1
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.1
APL-15000
When you move a firewall from one Strata Logging Service instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.1
APL-8269
For data retrieved from Strata Logging Service , the Threat Name column in Panorama ACC threat-activity appears blank.
Known
10.1.1
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.1
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.1
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround: Retry connecting after you restart the web server with the following command: debug software restart process web-server .
Known
10.1.1
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.1.1
PAN-228273
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status is red . This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.1.1
PAN-227344
On the Panorama management server, PDF Summary Reports ( Monitor PDF Reports Manage PDF Summary ) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.1
PAN-223488
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues .
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.1.1
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.1.1
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.1
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.1.1
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings ( Device High Availability ) in a template or template stack ( Panorama Templates ), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync .
Known
10.1.1
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.1.1
PAN-212889
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues .
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor ( Monitor App Scope Threat Monitor ) and ACC . This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor.
Known
10.1.1
PAN-208325
The following NextGen firewalls are unable to automatically renew the device certificate ( Device Setup Management or Panorama Setup Management ).
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-5450 Firewall
Workaround: Log in to the firewall CLI and fetch the device certificate. 
admin>request certificate fetch
Known
10.1.1
PAN-206268
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues .
On the Panorama management server, the Auth Key field was erroneously displayed when you configure the Panorama Settings ( Device Setup Management ) as part of a template or template stack configuration.
Known
10.1.1
PAN-206243
The PA-220 firewall reaches the maximum disk usage capacity multiple a day that requires a disk cleanup. A critical system log ( Monitor Logs System ) is generated each time the firewall reaches maximum disk usage capacity.
Known
10.1.1
PAN-205187
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround: Log in to the Panorama CLI and start the PAN-OS software. 
admin>request restart software
Known
10.1.1
PAN-201855
On the Panorama management server, cloning any template ( Panorama Templates ) corrupts certificates ( Device Certificate Management Certificates ) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have template A, B, and C where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with Block Private Key Export setting enabled in templates A and B.
Workaround: After cloning a template, delete and re-import the corrupted certificates.
Known
10.1.1
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround: Manually reboot the Active Panorama HA peer.
Known
10.1.1
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups ( Panorama Device Groups ) under the same device group hierarchy that are used in one or more Policies , renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B .
  2. You create address objects called AddressObjA in the Shared , DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B .
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB .
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.1
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.1.1
PAN-194519
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
( PA-5450 firewall only ) Trying to configure a custom payload format under Device Server Profiles HTTP yields a Javascript error.
Known
10.1.1
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.1
PAN-193518
All logs ( Monitor Logs ) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Known
10.1.1
PAN-192403
This issue is now resolved. See PAN-OS 10.1.6-h3 Addressed Issues .
( PA-5450 firewall only ) There is no commit warning in the web interface when configuring the management interface and logging interface in the same subnetwork. Having both interfaces in the same subnetwork can cause routing and connectivity issues.
Known
10.1.1
PAN-190727
( PA-5450 firewall only ) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.1.1
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys that impacts exporting logs ( Device Scheduled Log Export ), exporting configurations ( Device Scheduled Config Export ), or the scp export command in the CLI.
Workaround: Use RSA-based host keys on the destination server.
Known
10.1.1
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.1.1
PAN-186262
The Panorama management server in Panorama or Log Collector mode may become unresponsive as Elasticsearch accumulates internal connections related to logging processes. The chances Panorama becomes unresponsive increases the longer Panorama remains powered on.
Workaround: Reboot Panorama if it becomes unresponsive.
Known
10.1.1
PAN-185286
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues .
( PA-5400 Series firewalls only ) On the Panorama management server, the device health resources ( Panorama Managed Devices Health ) do not populate.
Known
10.1.1
PAN-181116
After upgrading to PAN-OS 10.1, some GlobalProtect tunnels fall back to SSL instead of IPSec due to the inadvertent encapsulation of the ICMP keepalive response from the firewall.
Known
10.1.1
PAN-180661
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues .
On the Panorama management server, pushing an unsupported Minimum Password Complexity ( Device Setup Management ) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.1.1
PAN-178194
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues .
A UI issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.1.1
PAN-178190
Traffic, threat, and URL logs are not viewable from the firewall web interface ( Monitor Logs ) and CLI after upgrade to PAN-OS 10.1.1.
Known
10.1.1
PAN-175717
This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues .
Firewalls managed by a Panorama management server enter maintenance mode if:
  • Panorama is running PAN-OS 10.2 and managed firewalls are downgraded from PAN-OS 10.2 to PAN-OS 10.1.4 or earlier PAN-OS release.
  • Panorama is upgraded from PAN-OS 10.1 to PAN-OS 10.2 and managed firewalls are running PAN-OS 10.1.4 or earlier PAN-OS 10.1 release.
Workaround: When downgrading managed firewalls, downgrade to PAN-OS 10.1.5 first and then continue on your downgrade path. When upgrading Panorama, upgrade to PAN-OS 10.1.5 first and then continue on your upgrade path.
Known
10.1.1
PAN-175685
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues .
( PA-7000 Series and PA-5450 firewall only ) When the MPC (Management Processor Card) or SMC (Switch Management Card) is removed from one chassis and placed in another, PAN-OS will incorrectly cache and display the chassis serial number of the former chassis.
Known
10.1.1
PAN-175149
( PA-800 and PA-7000 Series firewalls and the PA-220 firewall only ) Fixed an issue where ACC and scheduled reports ( Monitor Manage Manage Custom Reports ) incorrectly displayed the IPv6 address instead of the IPv4 address.
Known
10.1.1
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.1.1
PAN-174254
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues .
Gateway Load Balancer (GWLB) inspection is disabled on the VM-Series firewall for AWS after a reboot.
Workaround: Enable GWLB inspection.
Known
10.1.1
PAN-173509
This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues .
Superuser administrators with read-only privileges ( Device Administrators and Panorama Administrators ) are unable to view the hardware ACL blocking setting and duration in the CLI using the commands: 
admin> show system setting hardware-acl-blocking-enable
admin> show system setting hardware-acl-blocking-duration
Known
10.1.1
PAN-172515
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues .
If you downgrade from PAN-OS 10.1 to an earlier version and you have configured the Cloud Authentication Service in an Authentication profile, the firewall does not remove the Cloud Authentication Service from the Authentication profile, displays the authentication method as None, and any subsequent commits are not successful.
Workaround: Delete the Authentication profile that is configured for the Cloud Authentication Service then commit your changes.
Known
10.1.1
PAN-172492
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues .
You can create and commit a log forwarding profile ( Objects Log Forwarding ) with an invalid Filter .
Known
10.1.1
PAN-172454
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues .
If the firewall communicates with the Cloud Identity Engine before you install the device certificate on the firewall or Panorama, all subsequent queries to the Cloud Identity Engine fail.
Workaround : Use the debug software restart process dscd to restart the connection to the Cloud Identity Engine.
Known
10.1.1
PAN-172276
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues .
Changing the port speed on a PA-400 Series firewall from auto-negotiate to 1G may cause the dataplane port to flap intermittently and result in a loss of traffic.
Known
10.1.1
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.1.1
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround: Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.1
PAN-172091
If you have configured a virtual system as a User-ID hub and a firewall that receives IP address-to-username mapping from the hub has a security policy that includes a QoS policy rule, the firewall does not match the user to the QoS policy rule if the traffic attempts to access a virtual system that is not the hub.
Known
10.1.1
PAN-172208
This issue is now resolved. See PAN-OS 10.1.3 Addressed Issues .
The PA-5450 firewall may reload in rare conditions while handling high stress SSL traffic when CPU utilization reaches 100% or packet broker capacity exceeds 40%.
Known
10.1.1
PAN-172171
This issue is now resolved by PAN-189643. See PAN-OS 10.1.6 Addressed Issues .
In an HA Active/Passive configuration using Auto mode, a Passive PA-5450 firewall under traffic stress can get stuck in maintenance mode after receiving the slot7-path_monitor Path monitor failure service failure.
Workaround: Use Active/Passive Shutdown mode instead of Auto mode.
Known
10.1.1
PAN-172132
This issue is now resolved by PAN-189643. See PAN-OS 10.1.6 Addressed Issues .
QoS fails to run on a tunnel interface (for example, tunnel.1).
Known
10.1.1
PAN-172067
When you configure an HTTP server profile ( Device Server Profiles HTTP or Panorama Server Profiles HTTP ), the Username and Password fields are always required regardless of whether Tag Registration is enabled.
Workaround: When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require it. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.1
PAN-172061
A process ( all_pktproc ) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.1
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Known
10.1.1
PAN-171839
The Enable Bonjour Reflector option under Network Interfaces Layer 3 Interface IPv4 is not supported on the PA-5450 firewall.
Known
10.1.1
PAN-171744
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues .
No data is displayed for the Forward Error Correction (FEC) plot for SD-WAN application performance ( Panorama SD-WAN Monitoring ).
Known
10.1.1
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround: Remove all ACE application configurations before downgrading.
Known
10.1.1
PAN-171714
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues .
If you use the NetBIOS format ( domain\user ) for the IP address-to-username mapping and the firewall receives the group mapping information from the Cloud Identity Engine, the firewall does not successfully match the user to the correct group.
Known
10.1.1
PAN-171706
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues .
If you are using Panorama to manage firewalls with multiple virtual systems and the virtual system that is the User-ID hub uses an alias, the local commit on Panorama is successful but the commit to the firewall fails.
Known
10.1.1
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID in the Application usage widget.
Known
10.1.1
PAN-171635
If you have an on-premise Active Directory and there is an existing group mapping configuration on the firewall, if you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping even if the configuration is disabled and the firewall is rebooted, which may conflict with new mappings from the Cloud Identity Engine.
Workaround : Use the debug user-id clear domain-map command to remove the existing group mappings from the firewall.
Known
10.1.1
PAN-171224
On the Panorama management server, a custom report ( Monitor Managed Custom Reports ) with a high volume of unique data objects is not generated when you click Run Now .
Known
10.1.1
PAN-171145
If you edit or remove the value for the mail attribute in your on-premise Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.1
PAN-171127
This issue is now resolved. See PAN-OS 10.1.4 Addressed Issues
On the Panorama management server, custom reports ( Monitor Manage Custom Reports ) for the Device Application Statistics and Device Traffic Summary databases display null for the Application fields.
Known
10.1.1
PAN-170923
In Policies Security Policy Optimizer New App Viewer , when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.1
PAN-170462
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues .
SaaS applications downloaded from the App-ID Cloud Engine (ACE) do not appear in daily application reports ( Monitor Reports Application Reports ) or in the Application column of the Application Usage widget in ACC Network Activity .
Known
10.1.1
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.1
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.1
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route ( Prepare to Deploy App-ID Cloud Engine describes how to do this.)
Known
10.1.1
PAN-168113
On the Panorama management server, you are unable to configure a master key ( Device Master Key and Diagnostics ) for a managed firewall if an interface ( Network Interfaces Ethernet ) references a zone pushed from Panorama.
Workaround: Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.1
PAN-167847
If you issue the command opof stats , then clear the results {opof stats -c}, the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround: Re-run the opof stats command after the offload completes.
Known
10.1.1
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to edge service.
Known
10.1.1
PAN-166464
This issue is now resolved. See PAN-OS 10.1.6-h6 Addressed Issues .
PAN-OS reports the PA-5450 fan numbers incorrectly by listing them in the opposite order. This does not affect fan operation. For further information, contact Customer Support.
Known
10.1.1
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the user in value in a filter query, Panorama is unable to retrieve the group membership and as a result, is unable to display this data in logs and custom reports.
Known
10.1.1
PAN-165225
There is an issue where hwpredict is enabled by default, and you have to disable it via the CLI.
Known
10.1.1
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.1
PAN-164885
This issue is now resolved. See PAN-OS 10.1.14-h6 Addressed Issues
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.1
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.1
PAN-164647
On the Panorama management server, activating a license ( Panorama Device Deployment Licenses ) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround: Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.1
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, it displays in user@domain format in the CLI output.
Known
10.1.1
PAN-163966
On the Panorama management server, the ACC and on demand reports ( Monitor Manage Custom Reports ) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.1
PAN-162836
On the VM-Series firewall, if you select Device Licenses Deactivate VM a popup window opens and you can choose Subscriptions or Support and press Continue to remove licenses and register the changes with the license server. When the license removal is complete the Deactivate VM window does not update its text to exclude deactivated licenses or close the window.
Workaround : Wait until the license deactivation is complete, and click Cancel to close the window.
Known
10.1.1
PAN-162164
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues .
When upgrading a multi-dataplane firewall from PAN-OS 10.0 to 10.1, if the configuration includes the DHCP Broadcast Session option enabled, the commit fails. Auto-commit is not affected.
Workaround: Load the configuration from running config (load config from running-config.xml) and perform a commit.
Known
10.1.1
PAN-162088
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
On the Panorama management server in a high availability (HA) configuration, content updates ( Panorama Dynamic Updates ) manually uploaded to the active HA peer are not synchronized to the passive HA peer when you Install a content update and enable Sync to HA Peer .
Known
10.1.1
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the No. of Groups in the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.1
PAN-161451
If you issue the command opof stats , there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state, and has no impact on the existing session.
Known
10.1.1
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if TCI policy is not configured for inspecting VXLAN traffic flows.
Workaround: On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall .
PAN-OS version 9.0 can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.1
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.1
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings ( Device Setup DLP ) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround: After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1
  2. Log in to the firewall web interface and view the Tasks to verify all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit Commit and Push to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.1
PAN-157103
Multi-channel functionality may not be properly utilized on an VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround : Execute the command debug dataplane pow status to view the number of channels being utilized by the dataplane. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       2   0   0   0   0   0     2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command debug dataplane pow status . It should now show multiple channels being utilized. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       1   1   0   0   0   0     2
Known
10.1.1
PAN-156598
( Panorama only ) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround: Use the CLI to update the combination signature.
Known
10.1.1
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit ( Commit Commit to Panorama ) failures if a custom report ( Monitor Manage Custom Reports ) is configured to Group By Session ID .
Workaround: After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.1
PAN-154034
On the Panorama management server, the Type column in the System logs ( Monitor Logs System ) for managed firewalls running a PAN-OS 9.1 release erroneously display iot as the type.
Known
10.1.1
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1
Workaround: After successful downgrade to PAN-OS 9.1, Remove Config ( Panorama Plugins ) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.1
PAN-153803
On the Panorama management server, scheduled email PDF reports ( Monitor PDF Reports ) fail if a GIF image is used in the header or footer.
Known
10.1.1
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done despite reports generated from logs in the Strata Logging Service from the PODamericas Collector Group jobs are still in a Running state.
Known
10.1.1
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.1
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates .)
Known
10.1.1
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.1
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.1
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround: Restart Panorama to connect to the IoT Security edge service.
Known
10.1.1
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.1
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround: Load the running configuration and perform a force commit to sync the devices.
Known
10.1.1
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround: Specify iot as the Type Attribute to filter the logs and use the search term as the Description Attribute . For example: ( subtype eq iot ) and ( description contains 'gRPC connection' ) .
Known
10.1.1
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.1
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround: Panorama automatically restarts the VLD and logd processes.
Known
10.1.1
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround : Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.1
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration ( Panorama SD-WAN Devices ) does not display the branch template stack as out of sync .
Additionally, adding, deleting, or modifying the BGP configuration ( Panorama SD-WAN Devices ) does not display the hub and branch template stacks as out of sync . For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync , nor does modifying the BGP configuration on the hub firewall cause the branch template stack as out of sync .
Workaround: After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.1
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround: Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.1
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates ( Panorama Managed Devices Summary ) as Out of Sync .
Workaround : When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values ( Commit Push to Devices Edit Selections ).
Known
10.1.1
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and displays the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround: Retrying fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.1
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.1
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.1
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server resulting in a delay in a log query and ingestion.
Known
10.1.1
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update ( Panorama Device Deployment Software ) but display as connected when you view your managed firewalls Summary ( Panorama Managed Devices Summary ) and from the CLI.
Workaround: Log out and log back in to the Panorama web interface.
Known
10.1.1
PAN-135742
There is an issue in HTTP2 session decryption where the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.1
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.1
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups ( Objects Address Groups ) and duplicate services in service groups ( Objects Service Groups ) when created from the CLI.
Known
10.1.1
PAN-130550
( PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls ) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.1
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround: Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.1
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.1
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.1
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.1
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2 .
Known
10.1.1
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.1
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address ( Device Setup Content ID URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
    4. Commit your changes.
  • Restart the firewall ( devsrvr ) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process: debug software restart process device-server
Known
10.1.1
PAN-116017
( Google Cloud Platform (GCP) only ) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
10.1.1
PAN-115816
( Microsoft Azure only ) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.
Known
10.1.1
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.1
PAN-112694
( Firewalls with multiple virtual systems only ) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.1
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.1
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround: Use an XML API request to unregister the tags for the subnet or range.
Known
10.1.1
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit ( Commit Commit to Panorama ) the reverted configuration to display the invalid configuration errors.
Known
10.1.1
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.1
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.1
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.1
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.1
PAN-109759
This issue is now resolved. See PAN-OS 10.1.2 Addressed Issues
The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
Known
10.1.1
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.1
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed ( Objects GlobalProtect HIP Objects <hip-object> General Managed ), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.1
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.1
PAN-101688
( Panorama plugins ) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all .
Known
10.1.1
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed form the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal ‘vsys eq <vsys-name> ’ <dst> | <src> in <object-name>
Known
10.1.1
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.1
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List ) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.1
PAN-97524
( Panorama management server only ) The Security Zone and Virtual System columns ( Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.1
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.1
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
10.1.1
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings ( Device Password Profiles ) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.1
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.1
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.1
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases ( Objects Security Profiles Vulnerability Protection <profile> Exceptions ). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.1
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile ( Objects Security Profiles SCTP Protection ) and you try to add the profile to an existing Security Profile Group ( Objects Security Profile Groups ), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.1
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up ( Device Setup HSM ).
Known
10.1.1
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
Known
10.1.1
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.1
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-off load no CLI command.
Known
10.1.1
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address ( Device Setup Services ).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.1
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.1
PAN-81521
Endpoints failed to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile ( Device Server Profiles Kerberos ).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.1
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session off load no CLI command.
Known
10.1.1
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama results in a validation error—the commit fails and the cluster becomes unresponsive.
Known
10.1.1
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.1
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller: 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller worker-list <worker-ip-address>
    ( <worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled. 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
yes
    or 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.1
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.1
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL , the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error ( Objects External Dynamic Lists ).
Known
10.1.1
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.1
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report ( Monitor Manage Custom Reports ). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days , the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame .
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.1
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.1
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect —The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network —When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands are blocked for 20 seconds.
Addressed
10.1.1
WF500-5568
Fixed an issue where a firewall in FIPS mode running PAN-OS 8.1.18 or a later version failed to connect with a WildFire appliance in normal mode.
Addressed
10.1.1
WF500-5559
Fixed an issue where an intermittent error while analyzing signed PE samples on the WildFire appliance might have caused analysis failures.
Addressed
10.1.1
PAN-174094
Fixed an issue where SaaS Policy Recommendation didn’t work on firewalls because the SaaS Security Inline policy recommendation license check failed.
Addressed
10.1.1
PAN-172419
Fixed an issue where hot-swapping or hot-plugging a transceiver in the HSCI-A or HSCI-B port on the PA-5450 firewall caused the firewall to reboot unexpectedly.
Addressed
10.1.1
PAN-172386
( Passive PA-5450 firewalls in an HA active/passive configuration only ) Fixed an issue where, when the ports do not link up initially due to local or remote faults, the firewall continued to process traffic even when its port(s) were in a Disabled state.
Addressed
10.1.1
PAN-172063
Fixed an issue where the outbound/inbound interface was not populated for session logs that were forwarded to Panorama.
Addressed
10.1.1
PAN-171898
( PA-5450 firewalls only ) Fixed an issue where firewalls did not get full 10G throughput when traffic was sent from 100G or 40G interfaces to 10G interfaces.
Addressed
10.1.1
PAN-171750
( PA-5450 firewalls only ) Fixed an issue where the HSCI interface didn’t recognize a hot-swapped 40G or 100G transceiver.
Addressed
10.1.1
PAN-171703
Fixed an issue where GlobalProtect Activity did not display when a device group was selected.
Addressed
10.1.1
PAN-171290
Fixed an issue where Panorama deployed in Google Cloud Platform (GCP) failed to the renew management server DHCP IP.
Addressed
10.1.1
PAN-170936
Fixed an issue where the firewall egressed offloaded frames out of order after an explicit commit ( Commit on the firewall or Commit All Changes on Panorama) or an implicit comment such as an Antivirus update, Dynamic Update, or WildFire update.
Note This issue persists for a network-related configuration and commit.
Addressed
10.1.1
PAN-170825
Fixed an issue where, when a partial Preview Change job failed, a process ( configd ) stopped responding.
Addressed
10.1.1
PAN-170740
Fixed an issue with the google-docs-uploading application that occurred if a Security policy rule was applied to a Security profile and traffic was decrypted.
Addressed
10.1.1
PAN-170610
Fixed an issue where SD-WAN SaaS monitoring traffic was incorrectly dropped by a Security policy that included a deny rule.
Addressed
10.1.1
PAN-170473
Fixed an issue where SSL traffic wasn’t decrypted on inbound inspection when the private key used a hardware security module (HSM).
Addressed
10.1.1
PAN-170314
Fixed an issue where PAN-DB URL cloud updates failed because a process ( devsrvr ) did not fetch serial numbers, which prevented the PAN_DB URL cloud from connecting after first deployment.
Addressed
10.1.1
PAN-170174
Fixed an issue where a CN-NGFW pod repeatedly restarted due to eth0 being unavailable when kubelet ran network checks on eth0. The following error displayed in the dataplane node journalctl logs: f ailed to read pod IP from plugin/docker: networkPlugin cni failed on the status hook for pod "pan-ngfw-dep-<>_kube-system": unexpected address output .
Addressed
10.1.1
PAN-169064
Fixed an issue where the management CPU remained at 100% due to a large number of configured User-ID agents.
Addressed
10.1.1
PAN-168646
Fixed an issue where Elasticsearch didn't start up in a new Log Collector deployment or downgrade because the Log Collector could not register the service.
Addressed
10.1.1
PAN-168920
( PA-5450 firewalls only ) Fixed an issue where QoS didn’t honor the guaranteed bandwidth for classes set to a Priority of real-time.
Addressed
10.1.1
PAN-168418
Fixed an issue where, when an MLAV URL with an exception list was configured and forward proxy was enabled, a process ( all_pktproc ) repeatedly restarted, which resulted in the firewall rebooting.
Addressed
10.1.1
PAN-167989
Fixed a timing issue between downloading and installing threads that occurred when Panorama pushed content updates and the firewall fetched content updates simultaneously.
Addressed
10.1.1
PAN-166398
( PA-5450 firewalls only ) Fixed an issue where, when you configured path or latency monitoring on the Health Monitor tab in the packet broker profile ( Objects Packet Broker ), the path health monitor was disabled due to a configuration synchronization issue after a reboot.
Addressed
10.1.1
PAN-165025
Fixed an issue where, when default interzone and intrazone Security policy rules were overwritten, the rules did not display hit counts.
Addressed
10.1.1
PAN-164707
( PA-7000 Series firewalls only ) Fixed an issue where logs were not viewable via the web interface in the Monitor tab or via the CLI.
Addressed
10.1.1
PAN-164392
Fixed an issue where an out-of-memory (OOM) condition occurred due to a memory leak related to a process ( logrcvr ).
Addressed
10.1.1
PAN-163800
Fixed an intermittent issue where the presence of an Anti-Spyware profile in a Security policy rule that matched DNS traffic caused DNS responses to be malformed in transit.
Addressed
10.1.1
PAN-162442
Fixed an issue in HA active/active configurations where deleting an interface not associated with a virtual router did not sync the configuration change.
Addressed
10.1.1
PAN-158932
Fixed an issue where an increase was observed on spyware_state , which caused latency.
Addressed
10.1.1
PAN-158649
Fixed an issue where commits to the Prisma Access Remote networks from Panorama were failing when the management server on the cloud firewall failed to exit cleanly and reported the following error: pan_check_cert_status(pan_crl_ocsp.c:284): sysd write failed (TIMEOUT)
Addressed
10.1.1
PAN-157715
Fixed an intermittent issue where SMB file transfer operations failed due to packet drops that were caused by the Content and Threat Detection (CTD) queue filling up quickly. This fix introduces a new CLI command which, when enabled, prevent these failures: set system setting ctd nonblocking-pattern-match-qsizecheck [enable|disable] .
Addressed
10.1.1
PAN-156388
Fixed an issue where a process ( useridd ) stopped responding while attempting to remove all HIP reports on the disk.
Addressed
10.1.1
PAN-154053
Fixed an issue where, when two or more PA-5450 fan assemblies failed, the firewall shut down without providing a console or CLI error message about the fan failure.
Known
10.1.2
—
If you use Panorama to retrieve logs from Strata Logging Service , new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to Strata Logging Service and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode .
Known
10.1.2
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.2
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.2
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.2
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM- <xxx> license , indicates that you must allocate the additional memory required for licensed capacity for the firewall model.
Known
10.1.2
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.2
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.2
APL-15000
When you move a firewall from one Strata Logging Service instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.2
APL-8269
For data retrieved from Strata Logging Service , the Threat Name column in Panorama ACC threat-activity appears blank.
Known
10.1.2
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.2
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.2
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround: Retry connecting after you restart the web server with the following command: debug software restart process web-server .
Known
10.1.2
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.1.2
PAN-228273
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status is red . This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.1.2
PAN-227344
On the Panorama management server, PDF Summary Reports ( Monitor PDF Reports Manage PDF Summary ) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.2
PAN-223488
This issue is now resolved. See
PAN-OS 10.1.12 Addressed Issues .
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.1.2
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.1.2
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.2
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.1.2
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings ( Device High Availability ) in a template or template stack ( Panorama Templates ), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync .
Known
10.1.2
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.1.2
PAN-212889
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues .
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor ( Monitor App Scope Threat Monitor ) and ACC . This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor.
Known
10.1.2
PAN-208325
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues .
The following NextGen firewalls are unable to automatically renew the device certificate ( Device Setup Management or Panorama Setup Management ).
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-5450 Firewall
Workaround: Log in to the firewall CLI and fetch the device certificate. 
admin>request certificate fetch
Known
10.1.2
PAN-206268
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues .
On the Panorama management server, the Auth Key field was erroneously displayed when you configure the Panorama Settings ( Device Setup Management ) as part of a template or template stack configuration.
Known
10.1.2
PAN-206243
The PA-220 firewall reaches the maximum disk usage capacity multiple a day that requires a disk cleanup. A critical system log ( Monitor Logs System ) is generated each time the firewall reaches maximum disk usage capacity.
Known
10.1.2
PAN-205187
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround: Log in to the Panorama CLI and start the PAN-OS software. 
admin>request restart software
Known
10.1.2
PAN-201855
On the Panorama management server, cloning any template ( Panorama Templates ) corrupts certificates ( Device Certificate Management Certificates ) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have template A, B, and C where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with Block Private Key Export setting enabled in templates A and B.
Workaround: After cloning a template, delete and re-import the corrupted certificates.
Known
10.1.2
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround: Manually reboot the Active Panorama HA peer.
Known
10.1.2
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups ( Panorama Device Groups ) under the same device group hierarchy that are used in one or more Policies , renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B .
  2. You create address objects called AddressObjA in the Shared , DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B .
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB .
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.2
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.1.2
PAN-194519
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
( PA-5450 firewall only ) Trying to configure a custom payload format under Device Server Profiles HTTP yields a Javascript error.
Known
10.1.2
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.2
PAN-193518
All logs ( Monitor Logs ) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Known
10.1.2
PAN-192403
This issue is now resolved. See PAN-OS 10.1.6-h3 Addressed Issues .
( PA-5450 firewall only ) There is no commit warning in the web interface when configuring the management interface and logging interface in the same subnetwork. Having both interfaces in the same subnetwork can cause routing and connectivity issues.
Known
10.1.2
PAN-190727
( PA-5450 firewall only ) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.1.2
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys that impacts exporting logs ( Device Scheduled Log Export ), exporting configurations ( Device Scheduled Config Export ), or the scp export command in the CLI.
Workaround: Use RSA-based host keys on the destination server.
Known
10.1.2
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.1.2
PAN-186262
The Panorama management server in Panorama or Log Collector mode may become unresponsive as Elasticsearch accumulates internal connections related to logging processes. The chances Panorama becomes unresponsive increases the longer Panorama remains powered on.
Workaround: Reboot Panorama if it becomes unresponsive.
Known
10.1.2
PAN-185286
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues .
( PA-5400 Series firewalls only ) On the Panorama management server, the device health resources ( Panorama Managed Devices Health ) do not populate.
Known
10.1.2
PAN-181116
This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues .
After upgrading to PAN-OS 10.1, some GlobalProtect tunnels fall back to SSL instead of IPSec due to the inadvertent encapsulation of the ICMP keepalive response from the firewall.
Known
10.1.2
PAN-180661
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues .
On the Panorama management server, pushing an unsupported Minimum Password Complexity ( Device Setup Management ) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.1.2
PAN-178194
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues .
A UI issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.1.2
PAN-178190
Traffic, threat, and URL logs are not viewable from the firewall web interface ( Monitor Logs ) and CLI after upgrade to PAN-OS 10.1.2.
Known
10.1.2
PAN-177455
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues .
PAN-OS 10.1.2 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.1.2 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.1.2
PAN-175717
This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues
Firewalls managed by a Panorama management server enter maintenance mode if:
  • Panorama is running PAN-OS 10.2 and managed firewalls are downgraded from PAN-OS 10.2 to PAN-OS 10.1.4 or earlier PAN-OS release.
  • Panorama is upgraded from PAN-OS 10.1 to PAN-OS 10.2 and managed firewalls are running PAN-OS 10.1.4 or earlier PAN-OS 10.1 release.
Workaround: When downgrading managed firewalls, downgrade to PAN-OS 10.1.5 first and then continue on your downgrade path. When upgrading Panorama, upgrade to PAN-OS 10.1.5 first and then continue on your upgrade path.
Known
10.1.2
PAN-175149
( PA-800 and PA-7000 Series firewalls and the PA-220 firewall only ) Fixed an issue where ACC and scheduled reports ( Monitor Manage Manage Custom Reports ) incorrectly displayed the IPv6 address instead of the IPv4 address.
Known
10.1.2
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.1.2
PAN-174201
This issue is now resolved. See PAN-OS 10.1.3 Addressed Issues .
The vldmgr process stops responding after upgrading to PAN-OS 10.1.0 if logs are in the burst list.
Known
10.1.2
PAN-173509
This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues .
Superuser administrators with read-only privileges ( Device Administrators and Panorama Administrators ) are unable to view the hardware ACL blocking setting and duration in the CLI using the commands: 
admin> show system setting hardware-acl-blocking-enable
admin> show system setting hardware-acl-blocking-duration
Known
10.1.2
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.1.2
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround: Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.2
PAN-172091
If you have configured a virtual system as a User-ID hub and a firewall that receives IP address-to-username mapping from the hub has a security policy that includes a QoS policy rule, the firewall does not match the user to the QoS policy rule if the traffic attempts to access a virtual system that is not the hub.
Known
10.1.2
PAN-172208
This issue is now resolved. See PAN-OS 10.1.3 Addressed Issues .
The PA-5450 firewall may reload in rare conditions while handling high stress SSL traffic when CPU utilization reaches 100% or packet broker capacity exceeds 40%.
Known
10.1.2
PAN-172171
This issue is now resolved. See PAN-OS 10.1.3 Addressed Issues .
In an HA Active/Passive configuration using Auto mode, a Passive PA-5450 firewall under traffic stress can get stuck in maintenance mode after receiving the slot7-path_monitor Path monitor failure service failure.
Workaround: Use Active/Passive Shutdown mode instead of Auto mode.
Known
10.1.2
PAN-172132
This issue is now resolved by PAN-189643. See PAN-OS 10.1.6 Addressed Issues .
QoS fails to run on a tunnel interface (for example, tunnel.1).
Known
10.1.2
PAN-172067
When you configure an HTTP server profile ( Device Server Profiles HTTP or Panorama Server Profiles HTTP ), the Username and Password fields are always required regardless of whether Tag Registration is enabled.
Workaround: When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require it. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.2
PAN-172061
A process ( all_pktproc ) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.2
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Known
10.1.2
PAN-171839
The Enable Bonjour Reflector option under Network Interfaces Layer 3 Interface IPv4 is not supported on the PA-5450 firewall.
Known
10.1.2
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround: Remove all ACE application configurations before downgrading.
Known
10.1.2
PAN-171714
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues .
If you use the NetBIOS format ( domain\user ) for the IP address-to-username mapping and the firewall receives the group mapping information from the Cloud Identity Engine, the firewall does not successfully match the user to the correct group.
Known
10.1.2
PAN-171706
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues .
If you are using Panorama to manage firewalls with multiple virtual systems and the virtual system that is the User-ID hub uses an alias, the local commit on Panorama is successful but the commit to the firewall fails.
Known
10.1.2
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID in the Application usage widget.
Known
10.1.2
PAN-171635
If you have an on-premise Active Directory and there is an existing group mapping configuration on the firewall, if you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping even if the configuration is disabled and the firewall is rebooted, which may conflict with new mappings from the Cloud Identity Engine.
Workaround : Use the debug user-id clear domain-map command to remove the existing group mappings from the firewall.
Known
10.1.2
PAN-171224
On the Panorama management server, a custom report ( Monitor Managed Custom Reports ) with a high volume of unique data objects is not generated when you click Run Now .
Known
10.1.2
PAN-171145
If you edit or remove the value for the mail attribute in your on-premise Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.2
PAN-171127
This issue is now resolved. See PAN-OS 10.1.4 Addressed Issues
On the Panorama management server, custom reports ( Monitor Manage Custom Reports ) for the Device Application Statistics and Device Traffic Summary databases display null for the Application fields.
Known
10.1.2
PAN-170923
In Policies Security Policy Optimizer New App Viewer , when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.2
PAN-170462
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues .
SaaS applications downloaded from the App-ID Cloud Engine (ACE) do not appear in daily application reports ( Monitor Reports Application Reports ) or in the Application column of the Application Usage widget in ACC Network Activity .
Known
10.1.2
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.2
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.2
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route ( Prepare to Deploy App-ID Cloud Engine describes how to do this.)
Known
10.1.2
PAN-168113
On the Panorama management server, you are unable to configure a master key ( Device Master Key and Diagnostics ) for a managed firewall if an interface ( Network Interfaces Ethernet ) references a zone pushed from Panorama.
Workaround: Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.2
PAN-167847
If you issue the command opof stats , then clear the results {opof stats -c}, the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround: Re-run the opof stats command after the offload completes.
Known
10.1.2
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to edge service.
Known
10.1.2
PAN-166464
This issue is now resolved. See PAN-OS 10.1.6-h6 Addressed Issues .
PAN-OS reports the PA-5450 fan numbers incorrectly by listing them in the opposite order. This does not affect fan operation. For further information, contact Customer Support.
Known
10.1.2
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the user in value in a filter query, Panorama is unable to retrieve the group membership and as a result, is unable to display this data in logs and custom reports.
Known
10.1.2
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.2
PAN-164885
This issue is now resolved. See PAN-OS 10.1.14-h6 Addressed Issues
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.2
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.2
PAN-164647
On the Panorama management server, activating a license ( Panorama Device Deployment Licenses ) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround: Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.2
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, it displays in user@domain format in the CLI output.
Known
10.1.2
PAN-163966
On the Panorama management server, the ACC and on demand reports ( Monitor Manage Custom Reports ) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.2
PAN-162836
On the VM-Series firewall, if you select Device Licenses Deactivate VM a popup window opens and you can choose Subscriptions or Support and press Continue to remove licenses and register the changes with the license server. When the license removal is complete the Deactivate VM window does not update its text to exclude deactivated licenses or close the window.
Workaround : Wait until the license deactivation is complete, and click Cancel to close the window.
Known
10.1.2
PAN-162164
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues .
When upgrading a multi-dataplane firewall from PAN-OS 10.0 to 10.1, if the configuration includes the DHCP Broadcast Session option enabled, the commit fails. Auto-commit is not affected.
Workaround: Load the configuration from running config (load config from running-config.xml) and perform a commit.
Known
10.1.2
PAN-162088
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
On the Panorama management server in a high availability (HA) configuration, content updates ( Panorama Dynamic Updates ) manually uploaded to the active HA peer are not synchronized to the passive HA peer when you Install a content update and enable Sync to HA Peer .
Known
10.1.2
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the No. of Groups in the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.2
PAN-161451
If you issue the command opof stats , there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state, and has no impact on the existing session.
Known
10.1.2
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if TCI policy is not configured for inspecting VXLAN traffic flows.
Workaround: On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall .
PAN-OS version 9.0 can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.2
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.2
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings ( Device Setup DLP ) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround: After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1
  2. Log in to the firewall web interface and view the Tasks to verify all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit Commit and Push to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.2
PAN-157103
Multi-channel functionality may not be properly utilized on an VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround : Execute the command debug dataplane pow status to view the number of channels being utilized by the dataplane. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       2   0   0   0   0   0     2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command debug dataplane pow status . It should now show multiple channels being utilized. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       1   1   0   0   0   0     2
Known
10.1.2
PAN-156598
( Panorama only ) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround: Use the CLI to update the combination signature.
Known
10.1.2
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit ( Commit Commit to Panorama ) failures if a custom report ( Monitor Manage Custom Reports ) is configured to Group By Session ID .
Workaround: After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.2
PAN-154034
On the Panorama management server, the Type column in the System logs ( Monitor Logs System ) for managed firewalls running a PAN-OS 9.1 release erroneously display iot as the type.
Known
10.1.2
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1
Workaround: After successful downgrade to PAN-OS 9.1, Remove Config ( Panorama Plugins ) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.2
PAN-153803
On the Panorama management server, scheduled email PDF reports ( Monitor PDF Reports ) fail if a GIF image is used in the header or footer.
Known
10.1.2
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done despite reports generated from logs in the Strata Logging Service from the PODamericas Collector Group jobs are still in a Running state.
Known
10.1.2
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.2
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates .)
Known
10.1.2
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.2
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.2
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround: Restart Panorama to connect to the IoT Security edge service.
Known
10.1.2
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.2
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround: Load the running configuration and perform a force commit to sync the devices.
Known
10.1.2
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround: Specify iot as the Type Attribute to filter the logs and use the search term as the Description Attribute . For example: ( subtype eq iot ) and ( description contains 'gRPC connection' ) .
Known
10.1.2
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.2
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround: Panorama automatically restarts the VLD and logd processes.
Known
10.1.2
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround : Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.2
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration ( Panorama SD-WAN Devices ) does not display the branch template stack as out of sync .
Additionally, adding, deleting, or modifying the BGP configuration ( Panorama SD-WAN Devices ) does not display the hub and branch template stacks as out of sync . For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync , nor does modifying the BGP configuration on the hub firewall cause the branch template stack as out of sync .
Workaround: After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.2
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround: Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.2
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates ( Panorama Managed Devices Summary ) as Out of Sync .
Workaround : When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values ( Commit Push to Devices Edit Selections ).
Known
10.1.2
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and displays the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround: Retrying fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.2
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.2
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.2
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server resulting in a delay in a log query and ingestion.
Known
10.1.2
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update ( Panorama Device Deployment Software ) but display as connected when you view your managed firewalls Summary ( Panorama Managed Devices Summary ) and from the CLI.
Workaround: Log out and log back in to the Panorama web interface.
Known
10.1.2
PAN-135742
There is an issue in HTTP2 session decryption where the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.2
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.2
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups ( Objects Address Groups ) and duplicate services in service groups ( Objects Service Groups ) when created from the CLI.
Known
10.1.2
PAN-130550
( PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls ) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.2
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround: Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.2
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.2
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.2
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.2
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2 .
Known
10.1.2
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.2
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address ( Device Setup Content ID URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
    4. Commit your changes.
  • Restart the firewall ( devsrvr ) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process: debug software restart process device-server
Known
10.1.2
PAN-116017
( Google Cloud Platform (GCP) only ) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
10.1.2
PAN-115816
( Microsoft Azure only ) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.
Known
10.1.2
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.2
PAN-112694
( Firewalls with multiple virtual systems only ) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.2
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.2
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround: Use an XML API request to unregister the tags for the subnet or range.
Known
10.1.2
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit ( Commit Commit to Panorama ) the reverted configuration to display the invalid configuration errors.
Known
10.1.2
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.2
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.2
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.2
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.2
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.2
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed ( Objects GlobalProtect HIP Objects <hip-object> General Managed ), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.2
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.2
PAN-101688
( Panorama plugins ) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all .
Known
10.1.2
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed form the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal ‘vsys eq <vsys-name> ’ <dst> | <src> in <object-name>
Known
10.1.2
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.2
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List ) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.2
PAN-97524
( Panorama management server only ) The Security Zone and Virtual System columns ( Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.2
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.2
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
10.1.2
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings ( Device Password Profiles ) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.2
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.2
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.2
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases ( Objects Security Profiles Vulnerability Protection <profile> Exceptions ). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.2
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile ( Objects Security Profiles SCTP Protection ) and you try to add the profile to an existing Security Profile Group ( Objects Security Profile Groups ), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.2
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up ( Device Setup HSM ).
Known
10.1.2
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
Known
10.1.2
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.2
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-off load no CLI command.
Known
10.1.2
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address ( Device Setup Services ).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.2
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.2
PAN-81521
Endpoints failed to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile ( Device Server Profiles Kerberos ).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.2
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session off load no CLI command.
Known
10.1.2
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama results in a validation error—the commit fails and the cluster becomes unresponsive.
Known
10.1.2
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.2
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller: 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller worker-list <worker-ip-address>
    ( <worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled. 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
yes
    or 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.2
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.2
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL , the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error ( Objects External Dynamic Lists ).
Known
10.1.2
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.2
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report ( Monitor Manage Custom Reports ). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days , the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame .
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.2
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.2
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect —The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network —When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands are blocked for 20 seconds.
Addressed
10.1.2
PAN-175685
( PA-7000 Series and PA-5450 firewalls only ) Fixed an issue where PAN-OS displayed the incorrect chassis serial number when an MPC (Management Processor Card) or SMC (Switch Management Card) was moved from one chassis to another.
Addressed
10.1.2
PAN-174448
Fixed an issue where Zero-Touch Provisioning (ZTP) configuration wasn't removed after disabling it, which resulted in predefined configurations to be loaded after a reboot.
Addressed
10.1.2
PAN-174326
A fix was made to address an OS command injection vulnerability in the PAN-OS web interface that enabled an authenticated administrator to execute arbitrary OS commands to escalate privileges ( CVE-2021-3050 ).
Addressed
10.1.2
PAN-174254
( VM-Series firewalls deployed in Amazon Web Services (AWS) only ) Fixed an issue where Gateway Load Balancer (GWLB) inspection incorrectly displayed as false after a reboot.
Addressed
10.1.2
PAN-174244
Fixed an issue where a sudden increase in URL data approached the maximum cache capacity of the firewall.
Addressed
10.1.2
PAN-174049
Fixed an issue where a process ( authd ) used old Thermite certificate post renewals, which caused authentication failures when using the Cloud Authentication service.
Addressed
10.1.2
PAN-173903
Fixed an issue where clicking a hyperlink on a web page caused the web browser to download a file instead.
Addressed
10.1.2
PAN-172518
Fixed an issue where a race condition occurred and caused a process ( useridd ) to restart.
Addressed
10.1.2
PAN-172515
Fixed an issue where, when downgrading from PAN-OS 10.1 to an earlier version, with Cloud Authentication Service configured in an Authentication profile, the firewall did not remove the Cloud Authentication Service from the Authentication profile and displayed the authentication method as None , and subsequent commits failed.
Addressed
10.1.2
PAN-172490
Fixed an issue on firewalls in HA configuration where HA-2 links continuously flapped on HSCI interfaces after upgrading to PAN-OS 8.1.19.
Addressed
10.1.2
PAN-172454
Fixed an issue where, when the firewall communicated with the Cloud Identity Engine before the device certificate was installed on the firewall or Panorama, subsequent queries to the Cloud Identity Engine failed.
Addressed
10.1.2
PAN-172295
Fixed an issue where a HIP database cache loop caused high CPU utilization on a process ( useridd ) and caused IP address-to-user mapping redistribution failure.
Addressed
10.1.2
PAN-172276
( PA-400 Series firewalls only ) Fixed an intermittent issue where changing the port speed from auto-negotiate to 1G caused the dataplane port to flap, which resulted in lost traffic.
Addressed
10.1.2
PAN-172125
Fixed an intermittent issue where processing HIP messages in the ( useridd ) process caused a memory leak.
Addressed
10.1.2
PAN-171878
Fixed an issue with SD-WAN path selection logic that caused an all_pktproc dataplane to stop responding.
Addressed
10.1.2
PAN-171744
Fixed an issue where no data was displayed for the Forward Error Correction (FEC) plot for SD-WAN application performance ( Panorama SD-WAN Monitoring ).
Addressed
10.1.2
PAN-171442
Fixed an issue on Amazon Web Services (AWS) Gateway Load Balancer (GWLB) deployments with overlay routing and cross-zone load balancing enabled where packets were forwarded to the incorrect GWLB interface.
Addressed
10.1.2
PAN-171203
Fixed an issue in an HA configuration where, when one firewall was active and its peer was in a suspended state, the suspended firewall continued to send traffic, which triggered the detection of duplicate MAC addresses.
Addressed
10.1.2
PAN-170681
Fixed an issue where the data redistribution agent and the data redistribution client failed to connect due to the agent not sending a SSL Server hello response.
Addressed
10.1.2
PAN-170103
Fixed an issue where a process ( ikemgr ) stopped responding while making configuration changes. This issue occurred if Site-to-Site IPSec was using certification-based authentication.
Addressed
10.1.2
PAN-169566
Fixed an issue where configuration files were not exported using the scheduled Secure Copy (SCP).
Addressed
10.1.2
PAN-168903
Fixed an issue where deleting licenses on the firewall incorrectly set the GlobalProtect gateway license node to false . The firewall displayed the following error message during a GlobalProtect application connection: Could not connect to the gateway. The device or feature requires a GlobalProtect subscription license , even though the gateway firewall had a valid gateway license.
Addressed
10.1.2
PAN-168718
Fixed an issue where, when a client or server received partial application data, the record was partially processed by legacy code. This caused decryption to fail when a decryption profile protocol was set to a maximum of TLSv1.3.
Addressed
10.1.2
PAN-167115
Fixed an issue where, after upgrading to 10.0.3, admin sessions on Panorama were not logged out after the idle timeout expired.
Addressed
10.1.2
PAN-167099
Fixed a configuration management issue that resulted in a process ( ikemgr ) failing to recognize changes in subsequent commits.
Addressed
10.1.2
PAN-109759
Fixed an issue where the firewall did not generate a notification for the GlobalProtect client when the firewall denied unencrypted TLS sessions due to an authentication policy match.
Addressed
10.1.2
PAN-165225
Fixed an issue where hwpredict was enabled by default.
Addressed
10.1.2
PAN-161745
Fixed an issue where the time-to-live (TTL) value received from the DNS server reset to 0 on DNS secure TCP transactions when anti-spyware profiles were used, which caused DNS dynamic updates to fail.
Addressed
10.1.2
PAN-158958
Fixed an issue where the debug sslmgr view crl command failed when an ampersand (&) character was included in the URL for the certificate revocation list (CRL).
Addressed
10.1.2
PAN-157518
Fixed an issue where using tags to target a device group in a Security policy rule did not work, and the rule was displayed in all device groups ( Preview Rules ).
Addressed
10.1.2
PAN-157027
Fixed an issue where, when stateless GTP-U traffic hit a multi-dataplane firewall, an inter-dataplane fragmentation loop occurred, which caused high dataplane resource usage.
Addressed
10.1.2
PAN-154905
( Panorama appliances on PAN-OS 10.0 releases only ) Fixed an issue with Security policy rule configuration where, in the Source and Destination tabs, the Query Traffic setting was not available for Address Groups.
Addressed
10.1.2
PAN-138727
A fix was made to address a time-of-check to time-of-use (TOCTOU) race condition in the PAN-OS web interface that enabled an authenticated administrator with permission to upload plugins to execute arbitrary code with root user privileges ( CVE-2021-3054 ).
Addressed
10.1.2
PAN-136961
Fixed an issue where during QoS config generation the Aggregate Ethernet (AE) subnets were incorrectly calculated cumulatively across all AEs instead of calculating just the total subnets of an AE.
Known
10.1.3
—
If you use Panorama to retrieve logs from Strata Logging Service , new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to Strata Logging Service and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode .
Known
10.1.3
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.3
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.3
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.3
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM- <xxx> license , indicates that you must allocate the additional memory required for licensed capacity for the firewall model.
Known
10.1.3
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.3
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.3
APL-15000
When you move a firewall from one Strata Logging Service instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.3
APL-8269
For data retrieved from Strata Logging Service , the Threat Name column in Panorama ACC threat-activity appears blank.
Known
10.1.3
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.3
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.3
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround: Retry connecting after you restart the web server with the following command: debug software restart process web-server .
Known
10.1.3
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.1.3
PAN-228273
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status is red . This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.1.3
PAN-227344
On the Panorama management server, PDF Summary Reports ( Monitor PDF Reports Manage PDF Summary ) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.3
PAN-223488
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues .
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.1.3
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.1.3
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.3
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.1.3
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings ( Device High Availability ) in a template or template stack ( Panorama Templates ), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync .
Known
10.1.3
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.1.3
PAN-212889
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues .
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor ( Monitor App Scope Threat Monitor ) and ACC . This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.1.3
PAN-208325
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues .
The following NextGen firewalls are unable to automatically renew the device certificate ( Device Setup Management or Panorama Setup Management ).
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-5450 Firewall
Workaround: Log in to the firewall CLI and fetch the device certificate. 
admin>request certificate fetch
Known
10.1.3
PAN-206268
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues .
On the Panorama management server, the Auth Key field was erroneously displayed when you configure the Panorama Settings ( Device Setup Management ) as part of a template or template stack configuration.
Known
10.1.3
PAN-206243
The PA-220 firewall reaches the maximum disk usage capacity multiple a day that requires a disk cleanup. A critical system log ( Monitor Logs System ) is generated each time the firewall reaches maximum disk usage capacity.
Known
10.1.3
PAN-205187
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround: Log in to the Panorama CLI and start the PAN-OS software. 
admin>request restart software
Known
10.1.3
PAN-201855
On the Panorama management server, cloning any template ( Panorama Templates ) corrupts certificates ( Device Certificate Management Certificates ) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have template A, B, and C where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with Block Private Key Export setting enabled in templates A and B.
Workaround: After cloning a template, delete and re-import the corrupted certificates.
Known
10.1.3
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround: Manually reboot the Active Panorama HA peer.
Known
10.1.3
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups ( Panorama Device Groups ) under the same device group hierarchy that are used in one or more Policies , renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B .
  2. You create address objects called AddressObjA in the Shared , DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B .
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB .
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.3
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.1.3
PAN-194519
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
( PA-5450 firewall only ) Trying to configure a custom payload format under Device Server Profiles HTTP yields a Javascript error.
Known
10.1.3
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.3
PAN-193518
All logs ( Monitor Logs ) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Workaround: If you need to downgrade from PAN-OS 10.1 to PAN-OS 10.0 and then back to PAN-OS 10.1, downgrade to PAN-OS 10.0.11 to ensure that all logs ingested while running a PAN-OS 10.0 release remain accessible after upgrade back to PAN-OS 10.1.
Known
10.1.3
PAN-192403
This issue is now resolved. See PAN-OS 10.1.6-h3 Addressed Issues .
( PA-5450 firewall only ) There is no commit warning in the web interface when configuring the management interface and logging interface in the same subnetwork. Having both interfaces in the same subnetwork can cause routing and connectivity issues.
Known
10.1.3
PAN-190727
( PA-5450 firewall only ) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.1.3
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys that impacts exporting logs ( Device Scheduled Log Export ), exporting configurations ( Device Scheduled Config Export ), or the scp export command in the CLI.
Workaround: Use RSA-based host keys on the destination server.
Known
10.1.3
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.1.3
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS 3.0.2.
Workaround : Use Commit Push to Devices to synchronize the templates.
Known
10.1.3
PAN-186282
Panorama deployed in active/passive high availability does not display dynamic address group match criteria received from AWS by the Panorama plugin for AWS 3.0.2.
Known
10.1.3
PAN-186262
The Panorama management server in Panorama or Log Collector mode may become unresponsive as Elasticsearch accumulates internal connections related to logging processes. The chances Panorama becomes unresponsive increases the longer Panorama remains powered on.
Workaround: Reboot Panorama if it becomes unresponsive.
Known
10.1.3
PAN-185286
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues .
( PA-5400 Series firewalls only ) On the Panorama management server, the device health resources ( Panorama Managed Devices Health ) do not populate.
Known
10.1.3
PAN-182048
Shared device groups on Panorama do not learn IP address information received from AWS by the Panorama plugin for AWS 3.0.2.
Workaround : When configuring a dynamic address group, specify an individual device group instead of selecting Shared .
Known
10.1.3
PAN-182010
On the Panorama management server, a managed firewall running any PAN-OS 10.1 version cannot reconnect to Panorama if the managed firewall was originally added to Panorama management using the device registration authentication key ( Panorama Device Registration Auth Key ) and has the device certificate ( Device Setup Management Device Certificate ) installed at the time of reconnect.
Known
10.1.3
PAN-181116
This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues .
After upgrading to PAN-OS 10.1, some GlobalProtect tunnels fall back to SSL instead of IPSec due to the inadvertent encapsulation of the ICMP keepalive response from the firewall.
Known
10.1.3
PAN-180661
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues .
On the Panorama management server, pushing an unsupported Minimum Password Complexity ( Device Setup Management ) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.1.3
PAN-178194
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues .
A UI issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.1.3
PAN-177455
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues .
PAN-OS 10.1.2 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.1.2 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.1.3
PAN-176983
This issue is now resolved. See PAN-OS 10.1.4 Addressed Issues .
On the Panorama management server running PAN-OS 10.1.3 or later release, adding a firewall running PAN-OS 10.1.3 or later release to Panorama management is supported only from the firewall CLI.
Workaround: Add the device registration authentication key from the firewall CLI.
  1. Log in to the Panorama web interface .
  2. Add a firewall to Panorama and configure the device registration authentication key.
    Do not add the device registration authentication key created on Panorama when configuring the Panorama IP settings on the firewall web interface.
  3. Log in to the firewall CLI .
  4. Add the device registration authentication key. 
    admin> request authkey set <auth key>
Known
10.1.3
PAN-175717
This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues .
Firewalls managed by a Panorama management server enter maintenance mode if:
  • Panorama is running PAN-OS 10.2 and managed firewalls are downgraded from PAN-OS 10.2 to PAN-OS 10.1.4 or earlier PAN-OS release.
  • Panorama is upgraded from PAN-OS 10.1 to PAN-OS 10.2 and managed firewalls are running PAN-OS 10.1.4 or earlier PAN-OS 10.1 release.
Workaround: When downgrading managed firewalls, downgrade to PAN-OS 10.1.5 first and then continue on your downgrade path. When upgrading Panorama, upgrade to PAN-OS 10.1.5 first and then continue on your upgrade path.
Known
10.1.3
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.1.3
PAN-173509
This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues .
Superuser administrators with read-only privileges ( Device Administrators and Panorama Administrators ) are unable to view the hardware ACL blocking setting and duration in the CLI using the commands: 
admin> show system setting hardware-acl-blocking-enable
admin> show system setting hardware-acl-blocking-duration
Known
10.1.3
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.1.3
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround: Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.3
PAN-172132
This issue is now resolved by PAN-189643. See PAN-OS 10.1.6 Addressed Issues .
QoS fails to run on a tunnel interface (for example, tunnel.1).
Known
10.1.3
PAN-172067
When you configure an HTTP server profile ( Device Server Profiles HTTP or Panorama Server Profiles HTTP ), the Username and Password fields are always required regardless of whether Tag Registration is enabled.
Workaround: When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require it. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.3
PAN-172061
A process ( all_pktproc ) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.3
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Known
10.1.3
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround: Remove all ACE application configurations before downgrading.
Known
10.1.3
PAN-171714
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues .
If you use the NetBIOS format ( domain\user ) for the IP address-to-username mapping and the firewall receives the group mapping information from the Cloud Identity Engine, the firewall does not successfully match the user to the correct group.
Known
10.1.3
PAN-171706
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues .
If you are using Panorama to manage firewalls with multiple virtual systems and the virtual system that is the User-ID hub uses an alias, the local commit on Panorama is successful but the commit to the firewall fails.
Known
10.1.3
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID in the Application usage widget.
Known
10.1.3
PAN-171635
If you have an on-premise Active Directory and there is an existing group mapping configuration on the firewall, if you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping even if the configuration is disabled and the firewall is rebooted, which may conflict with new mappings from the Cloud Identity Engine.
Workaround : Use the debug user-id clear domain-map command to remove the existing group mappings from the firewall.
Known
10.1.3
PAN-171224
On the Panorama management server, a custom report ( Monitor Managed Custom Reports ) with a high volume of unique data objects is not generated when you click Run Now .
Known
10.1.3
PAN-171145
If you edit or remove the value for the mail attribute in your on-premise Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.3
PAN-171127
This issue is now resolved. See PAN-OS 10.1.4 Addressed Issues
On the Panorama management server, custom reports ( Monitor Manage Custom Reports ) for the Device Application Statistics and Device Traffic Summary databases display null for the Application fields.
Known
10.1.3
PAN-170923
In Policies Security Policy Optimizer New App Viewer , when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.3
PAN-170462
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues .
SaaS applications downloaded from the App-ID Cloud Engine (ACE) do not appear in daily application reports ( Monitor Reports Application Reports ) or in the Application column of the Application Usage widget in ACC Network Activity .
Known
10.1.3
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.3
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.3
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route ( Prepare to Deploy App-ID Cloud Engine describes how to do this.)
Known
10.1.3
PAN-168113
On the Panorama management server, you are unable to configure a master key ( Device Master Key and Diagnostics ) for a managed firewall if an interface ( Network Interfaces Ethernet ) references a zone pushed from Panorama.
Workaround: Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.3
PAN-167847
If you issue the command opof stats , then clear the results {opof stats -c}, the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround: Re-run the opof stats command after the offload completes.
Known
10.1.3
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to edge service.
Known
10.1.3
PAN-166464
This issue is now resolved. See PAN-OS 10.1.6-h6 Addressed Issues .
PAN-OS reports the PA-5450 fan numbers incorrectly by listing them in the opposite order. This does not affect fan operation. For further information, contact Customer Support.
Known
10.1.3
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the user in value in a filter query, Panorama is unable to retrieve the group membership and as a result, is unable to display this data in logs and custom reports.
Known
10.1.3
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.3
PAN-164885
This issue is now resolved. See PAN-OS 10.1.14-h6 Addressed Issues
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.3
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.3
PAN-164647
On the Panorama management server, activating a license ( Panorama Device Deployment Licenses ) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround: Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.3
PAN-164618
The VM-Series firewall CLI and system logs display the license name VM-SERIES-X , while the user interface displays VM-FLEX-X (in both cases X is the number of vCPUs). In future releases the user interface will use the VM-SERIES-X format.
Known
10.1.3
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, it displays in user@domain format in the CLI output.
Known
10.1.3
PAN-163966
On the Panorama management server, the ACC and on demand reports ( Monitor Manage Custom Reports ) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.3
PAN-162836
On the VM-Series firewall, if you select Device Licenses Deactivate VM a popup window opens and you can choose Subscriptions or Support and press Continue to remove licenses and register the changes with the license server. When the license removal is complete the Deactivate VM window does not update its text to exclude deactivated licenses or close the window.
Workaround : Wait until the license deactivation is complete, and click Cancel to close the window.
Known
10.1.3
PAN-162164
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues .
When upgrading a multi-dataplane firewall from PAN-OS 10.0 to 10.1, if the configuration includes the DHCP Broadcast Session option enabled, the commit fails. Auto-commit is not affected.
Workaround: Load the configuration from running config (load config from running-config.xml) and perform a commit.
Known
10.1.3
PAN-162088
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
On the Panorama management server in a high availability (HA) configuration, content updates ( Panorama Dynamic Updates ) manually uploaded to the active HA peer are not synchronized to the passive HA peer when you Install a content update and enable Sync to HA Peer .
Known
10.1.3
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the No. of Groups in the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.3
PAN-161451
If you issue the command opof stats , there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state, and has no impact on the existing session.
Known
10.1.3
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if TCI policy is not configured for inspecting VXLAN traffic flows.
Workaround: On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall .
PAN-OS version 9.0 can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.3
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.3
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings ( Device Setup DLP ) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround: After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1
  2. Log in to the firewall web interface and view the Tasks to verify all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit Commit and Push to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.3
PAN-157103
Multi-channel functionality may not be properly utilized on an VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround : Execute the command debug dataplane pow status to view the number of channels being utilized by the dataplane. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       2   0   0   0   0   0     2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command debug dataplane pow status . It should now show multiple channels being utilized. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       1   1   0   0   0   0     2
Known
10.1.3
PAN-156598
( Panorama only ) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround: Use the CLI to update the combination signature.
Known
10.1.3
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit ( Commit Commit to Panorama ) failures if a custom report ( Monitor Manage Custom Reports ) is configured to Group By Session ID .
Workaround: After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.3
PAN-154034
On the Panorama management server, the Type column in the System logs ( Monitor Logs System ) for managed firewalls running a PAN-OS 9.1 release erroneously display iot as the type.
Known
10.1.3
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1
Workaround: After successful downgrade to PAN-OS 9.1, Remove Config ( Panorama Plugins ) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.3
PAN-153803
On the Panorama management server, scheduled email PDF reports ( Monitor PDF Reports ) fail if a GIF image is used in the header or footer.
Known
10.1.3
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done despite reports generated from logs in the Strata Logging Service from the PODamericas Collector Group jobs are still in a Running state.
Known
10.1.3
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.3
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates .)
Known
10.1.3
PAN-151198
On the Panorama management server, read-only Panorama administrators ( Panorama Administrators ) can load managed firewall configuration Backups ( Panorama Managed Devices Summary ).
Known
10.1.3
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.3
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.3
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround: Restart Panorama to connect to the IoT Security edge service.
Known
10.1.3
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.3
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround: Load the running configuration and perform a force commit to sync the devices.
Known
10.1.3
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround: Specify iot as the Type Attribute to filter the logs and use the search term as the Description Attribute . For example: ( subtype eq iot ) and ( description contains 'gRPC connection' ) .
Known
10.1.3
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.3
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround: Panorama automatically restarts the VLD and logd processes.
Known
10.1.3
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround : Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.3
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration ( Panorama SD-WAN Devices ) does not display the branch template stack as out of sync .
Additionally, adding, deleting, or modifying the BGP configuration ( Panorama SD-WAN Devices ) does not display the hub and branch template stacks as out of sync . For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync , nor does modifying the BGP configuration on the hub firewall cause the branch template stack as out of sync .
Workaround: After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.3
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround: Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.3
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates ( Panorama Managed Devices Summary ) as Out of Sync .
Workaround : When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values ( Commit Push to Devices Edit Selections ).
Known
10.1.3
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and displays the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround: Retrying fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.3
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.3
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.3
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server resulting in a delay in a log query and ingestion.
Known
10.1.3
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update ( Panorama Device Deployment Software ) but display as connected when you view your managed firewalls Summary ( Panorama Managed Devices Summary ) and from the CLI.
Workaround: Log out and log back in to the Panorama web interface.
Known
10.1.3
PAN-135742
There is an issue in HTTP2 session decryption where the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.3
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.3
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups ( Objects Address Groups ) and duplicate services in service groups ( Objects Service Groups ) when created from the CLI.
Known
10.1.3
PAN-130550
( PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls ) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.3
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround: Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.3
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.3
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.3
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.3
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2 .
Known
10.1.3
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.3
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address ( Device Setup Content ID URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
    4. Commit your changes.
  • Restart the firewall ( devsrvr ) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process: debug software restart process device-server
Known
10.1.3
PAN-116017
( Google Cloud Platform (GCP) only ) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
10.1.3
PAN-115816
( Microsoft Azure only ) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.
Known
10.1.3
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.3
PAN-112694
( Firewalls with multiple virtual systems only ) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.3
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.3
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround: Use an XML API request to unregister the tags for the subnet or range.
Known
10.1.3
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit ( Commit Commit to Panorama ) the reverted configuration to display the invalid configuration errors.
Known
10.1.3
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.3
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.3
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.3
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.3
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.3
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed ( Objects GlobalProtect HIP Objects <hip-object> General Managed ), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.3
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.3
PAN-101688
( Panorama plugins ) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all .
Known
10.1.3
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed form the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal ‘vsys eq <vsys-name> ’ <dst> | <src> in <object-name>
Known
10.1.3
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.3
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List ) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.3
PAN-97524
( Panorama management server only ) The Security Zone and Virtual System columns ( Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.3
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.3
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
10.1.3
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings ( Device Password Profiles ) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.3
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.3
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.3
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases ( Objects Security Profiles Vulnerability Protection <profile> Exceptions ). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.3
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile ( Objects Security Profiles SCTP Protection ) and you try to add the profile to an existing Security Profile Group ( Objects Security Profile Groups ), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.3
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up ( Device Setup HSM ).
Known
10.1.3
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
Known
10.1.3
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.3
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-off load no CLI command.
Known
10.1.3
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address ( Device Setup Services ).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.3
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.3
PAN-81521
Endpoints failed to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile ( Device Server Profiles Kerberos ).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.3
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session off load no CLI command.
Known
10.1.3
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama results in a validation error—the commit fails and the cluster becomes unresponsive.
Known
10.1.3
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.3
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller: 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller worker-list <worker-ip-address>
    ( <worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled. 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
yes
    or 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.3
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.3
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL , the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error ( Objects External Dynamic Lists ).
Known
10.1.3
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.3
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report ( Monitor Manage Custom Reports ). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days , the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame .
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.3
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.3
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect —The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network —When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands are blocked for 20 seconds.
Addressed
10.1.3-h4
PAN-272809
A fix was made to address CVE-2024-9474 .
Addressed
10.1.3-h3
PAN-237935
Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.
Addressed
10.1.3-h3
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.1.3-h3
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.1.3-h3
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.1.3-h3
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.1.3-h2
PAN-202450
Fixed an issue where the device-client-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.1.3-h2
PAN-198372
Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.1.3-h1
Issue ID
Description
Addressed
10.1.3-h1
PAN-182010
Fixed an issue on Panorama where a managed firewall running a PAN-OS 10.1 version did not reconnect to Panorama. This issue occurred when a managed firewall was added to Panorama management using the device registration authentication key and also had the device certificate installed at the time of the reconnect.
Addressed
10.1.3
—
Fixed a Denial-of-Service (DoS) vulnerability in the GlobalProtect portal and gateway ( CVE-2021-3063 ).
Addressed
10.1.3
PAN-179112
Enhancements were added to improve system stability and debuggability.
Addressed
10.1.3
PAN-178190
Fixed an issue where the firewall incorrectly set the disk quota cfg.diskquota.traffic to 0 after upgrading to a PAN-OS 10.0 release. With this fix, the log disk quota will be retained correctly after upgrade.
Addressed
10.1.3
PAN-177941
Fixed an issue where the bcm.log and brdagent_stdout.log-<datestamp> files filled up the root disk space.
Addressed
10.1.3
PAN-177892
Fixed a memory leak issue where panio failed to start, which resulted in dp-monitor failing to capture the complete panio output.
Addressed
10.1.3
PAN-177881
Fixed an issue where VLAN tags were not properly processed in Layer 2 switching mode between interfaces with different tags.
Addressed
10.1.3
PAN-176862
( VM-Series firewalls only ) Fixed an issue where the firewall didn't attempt to connect to a log collector when the management IP address used DHCP.
Addressed
10.1.3
PAN-176661
Fixed an issue in Simple Certificate Enrollment Protocol (SCEP) ( CVE-2021-3060 ).
Addressed
10.1.3
PAN-176655 and PAN-158334
A fix was made to address an OS command injection vulnerability in the PAN-OS CLI that enabled an authenticated administrator with access to the CLI to execute arbitrary OS commands to escalate privileges ( CVE-2021-3061 ).
Addressed
10.1.3
PAN-176653
A fix was made to address an OS command injection vulnerability in the PAN-OS web interface that enabled an authenticated administrator with permissions to use XML API to execute arbitrary OS commands to escalate privileges ( CVE-2021-3058 ).
Addressed
10.1.3
PAN-176618
A fix was made to address an OS command injection vulnerability in PAN-OS that existed when performing dynamic updates ( CVE-2021-3059 ).
Addressed
10.1.3
PAN-176433
Fixed an issue where the Zero Touch Provisioning (ZTP) plugin on Panorama was unable to sync with the ZTP service and displayed the following error message: Failed to fetch sync status .
Addressed
10.1.3
PAN-176277
Fixed a timing issue that impacted tunnel renegotiation and monitoring.
Addressed
10.1.3
PAN-176026
Fixed an issue where connections from firewalls running PAN-OS 10.1.0 to a Panorama appliance running PAN-OS 10.1.0 broke unexpectedly.
Addressed
10.1.3
PAN-175652
Fixed an issue where SSL decryption failed for websites when they were accessed from Google Chrome version 92 or higher.
Addressed
10.1.3
PAN-174843
Fixed an issue where a process ( logd ) stopped responding.
Addressed
10.1.3
PAN-174671
Fixed an issue with incorrect measurement of packet buffer protection latency.
Addressed
10.1.3
PAN-174587
Fixed an issue where, in the case of multiple AWS Partner Network (APN) connections, the GPRS Tunneling Protocol (GTPv2) Create Session Requests were sent to the firewall within a short interval, which caused the firewall to create the GTP-sessions incorrectly.
Addressed
10.1.3
PAN-174448
Fixed an issue where ZTP configurations weren't removed after disabling them, which resulted in predefined configurations to be loaded after a reboot.
Addressed
10.1.3
PAN-174201
Fixed an issue where, when logs were in the burst list, the vldmgr process stopped responding after upgrading to PAN-OS 10.1.0.
Addressed
10.1.3
PAN-174200
Fixed an issue where a role-based admin user was unable to edit, add, or view interfaces if dashboard permissions were disabled.
Addressed
10.1.3
PAN-173828
( PA-7000 Series firewalls with 20GQ Network Processing Cards (NPCs) only ) Fixed an issue on high availabilities active/passive configurations where data ports on the passive firewall sent out packets, which caused a MAC flap on upstream firewalls.
Addressed
10.1.3
PAN-173157
Fixed an issue with the HA1 monitor hold timer where the configured value was not assigned to the HA1 backup interface, which used the default hold timer (3000 milliseconds), which resulted in failover events taking longer than expected.
Addressed
10.1.3
PAN-173076
( Panorama appliances in FIPS mode only ) Fixed an issue where the FIPS Panorama / FIPS firewall schema didn't prune non-FIPS options from the Clientless VPN.
Addressed
10.1.3
PAN-172580
Fixed an intermittent issue where commits failed after a commit validation and were modified for custom URL category objects.
Addressed
10.1.3
PAN-172208
( PA-5450 firewalls only ) Fixed a rare issue where the firewall reloaded while handling high stress SSL traffic when CPU utilization reached 100% or the packet broker capacity exceeded 40%.
Addressed
10.1.3
PAN-172171
Fixed an issue where a Passive PA-5450 firewall in an Active/Passive HA configuration using Auto mode would get stuck in maintenance mode after receiving the slot7-path_monitor Path monitor failure system failure.
Addressed
10.1.3
PAN-172091
Fixed an issue where, when you configured a virtual system (vsys) as a User-ID hub, and a firewall that receives IP address-to-username mapping from the hub had a Security policy that includes a QoS policy rule, the firewall did not match the user to the QoS policy rule if the traffic attempted to access a vsys that was not the hub.
Addressed
10.1.3
PAN-170574
( Panorama appliances on Microsoft Azure and Amazon Web Services (AWS) only ) Fixed an issue where Panorama sent 127.0.0.1 as the NAS-IP-Address in RADIUS messages.
Addressed
10.1.3
PAN-170466
Fixed an memory reference issue related to the devsrvr process that caused the process to stop responding.
Addressed
10.1.3
PAN-169793
Fixed an issue where using cookies to authenticate MacOS users didn't work due to the client agent not providing the phpsessionid set from the sent GlobalProtect messages during the connection. As a result, the firewall was unable to find and include the portal authentication cookie in the response message.
Addressed
10.1.3
PAN-169687
Fixed an issue where SNMP returned an improper status for an unsupported interface type.
Addressed
10.1.3
PAN-169105
Fixed an issue on the Panorama web interface where a Network File System (NFS) storage partition displayed the incorrect storage size.
Addressed
10.1.3
PAN-168261
Fixed a cosmetic issue where the WildFire submission log displayed the sha256 of the original email link.
Addressed
10.1.3
PAN-167849
Fixed an issue where URL-Filtering incorrectly identified the firewall serial number in the certificate Common Name field as the IP address.
Addressed
10.1.3
PAN-167266
Fixed an issue on multi-dataplane firewalls with high CPU use on dataplane 0 that caused an internal loop of forward/host sessions on the firewall.
Addressed
10.1.3
PAN-166978
Fixed an issue where the URL-Filtering cloud connection failed with the following error message: bind failed with errno 97 .
Addressed
10.1.3
PAN-166202
Fixed an issue with an extra character in HTTP Strict Transport Security (HSTS) regression tests when accessing the GlobalProtect gateway.
Addressed
10.1.3
PAN-165433
Fixed an intermittent issue where Strata Logging Service failed to reconnect after a disconnect if a management IP address used for logging had an IP address assignment type of DHCP.
Addressed
10.1.3
PAN-163448
Fixed an issue when using ixgb drivers with SR-IOV and DPDK that caused OSPF multicast traffic to be filtered by the physical function driver.
Addressed
10.1.3
PAN-162936
Fixed an issue where the all_pktproc process stopped responding on GTP-U session traffic when attempting to send out packets held in software buffers.
Addressed
10.1.3
PAN-162374
Fixed an issue where the firewall rebooted unexpectedly and displayed the following message: Reboot SYSTEM REBOOT Masterd Initiated .
Addressed
10.1.3
PAN-161940
Fixed an issue where the firewall did not honor the peer RX interval timeout in a Bidirectional Forwarding Detection (BFD) INIT state.
Addressed
10.1.3
PAN-157962
Fixed an issue where IPv6 prefixes were advertised via IPv4 BGP peering when MP-BGP was not enabled.
Known
10.1.4
—
If you use Panorama to retrieve logs from Strata Logging Service , new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to Strata Logging Service and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode .
Known
10.1.4
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.4
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.4
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.4
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM- <xxx> license , indicates that you must allocate the additional memory required for licensed capacity for the firewall model.
Known
10.1.4
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.4
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.4
APL-15000
When you move a firewall from one Strata Logging Service instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.4
APL-8269
For data retrieved from Strata Logging Service , the Threat Name column in Panorama ACC threat-activity appears blank.
Known
10.1.4
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.4
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.4
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround: Retry connecting after you restart the web server with the following command: debug software restart process web-server .
Known
10.1.4
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.1.4
PAN-228273
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status is red . This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.1.4
PAN-227344
On the Panorama management server, PDF Summary Reports ( Monitor PDF Reports Manage PDF Summary ) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.4
PAN-223488
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues .
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.1.4
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.1.4
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.4
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.1.4
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings ( Device High Availability ) in a template or template stack ( Panorama Templates ), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync .
Known
10.1.4
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.1.4
PAN-212889
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues .
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor ( Monitor App Scope Threat Monitor ) and ACC . This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.1.4
PAN-208325
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues .
The following NextGen firewalls are unable to automatically renew the device certificate ( Device Setup Management or Panorama Setup Management ).
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-5450 Firewall
Workaround: Log in to the firewall CLI and fetch the device certificate. 
admin>request certificate fetch
Known
10.1.4
PAN-206268
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues .
On the Panorama management server, the Auth Key field was erroneously displayed when you configure the Panorama Settings ( Device Setup Management ) as part of a template or template stack configuration.
Known
10.1.4
PAN-206243
The PA-220 firewall reaches the maximum disk usage capacity multiple a day that requires a disk cleanup. A critical system log ( Monitor Logs System ) is generated each time the firewall reaches maximum disk usage capacity.
Known
10.1.4
PAN-205187
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround: Log in to the Panorama CLI and start the PAN-OS software. 
admin>request restart software
Known
10.1.4
PAN-201855
On the Panorama management server, cloning any template ( Panorama Templates ) corrupts certificates ( Device Certificate Management Certificates ) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have template A, B, and C where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with Block Private Key Export setting enabled in templates A and B.
Workaround: After cloning a template, delete and re-import the corrupted certificates.
Known
10.1.4
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround: Manually reboot the Active Panorama HA peer.
Known
10.1.4
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups ( Panorama Device Groups ) under the same device group hierarchy that are used in one or more Policies , renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B .
  2. You create address objects called AddressObjA in the Shared , DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B .
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB .
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.4
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.1.4
PAN-194519
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
( PA-5450 firewall only ) Trying to configure a custom payload format under Device Server Profiles HTTP yields a Javascript error.
Known
10.1.4
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.4
PAN-193518
All logs ( Monitor Logs ) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Workaround: If you need to downgrade from PAN-OS 10.1 to PAN-OS 10.0 and then back to PAN-OS 10.1, downgrade to PAN-OS 10.0.11 to ensure that all logs ingested while running a PAN-OS 10.0 release remain accessible after upgrade back to PAN-OS 10.1.
Known
10.1.4
PAN-192403
This issue is now resolved. See PAN-OS 10.1.6-h3 Addressed Issues .
( PA-5450 firewall only ) There is no commit warning in the web interface when configuring the management interface and logging interface in the same subnetwork. Having both interfaces in the same subnetwork can cause routing and connectivity issues.
Known
10.1.4
PAN-190727
( PA-5450 firewall only ) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.1.4
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys that impacts exporting logs ( Device Scheduled Log Export ), exporting configurations ( Device Scheduled Config Export ), or the scp export command in the CLI.
Workaround: Use RSA-based host keys on the destination server.
Known
10.1.4
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.1.4
PAN-186262
The Panorama management server in Panorama or Log Collector mode may become unresponsive as Elasticsearch accumulates internal connections related to logging processes. The chances Panorama becomes unresponsive increases the longer Panorama remains powered on.
Workaround: Reboot Panorama if it becomes unresponsive.
Known
10.1.4
PAN-185286
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues .
( PA-5400 Series firewalls only ) On the Panorama management server, the device health resources ( Panorama Managed Devices Health ) do not populate.
Known
10.1.4
PAN-181116
This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues .
After upgrading to PAN-OS 10.1, some GlobalProtect tunnels fall back to SSL instead of IPSec due to the inadvertent encapsulation of the ICMP keepalive response from the firewall.
Known
10.1.4
PAN-180661
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues .
On the Panorama management server, pushing an unsupported Minimum Password Complexity ( Device Setup Management ) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.1.4
PAN-178194
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues .
A UI issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.1.4
PAN-177455
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues .
PAN-OS 10.1.2 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.1.2 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.1.4
PAN-175717
This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues .
Firewalls managed by a Panorama management server enter maintenance mode if:
  • Panorama is running PAN-OS 10.2 and managed firewalls are downgraded from PAN-OS 10.2 to PAN-OS 10.1.4 or earlier PAN-OS release.
  • Panorama is upgraded from PAN-OS 10.1 to PAN-OS 10.2 and managed firewalls are running PAN-OS 10.1.4 or earlier PAN-OS 10.1 release.
Workaround: When downgrading managed firewalls, downgrade to PAN-OS 10.1.5 first and then continue on your downgrade path. When upgrading Panorama, upgrade to PAN-OS 10.1.5 first and then continue on your upgrade path.
Known
10.1.4
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.1.4
PAN-173509
This issue is now resolved. See PAN-OS 10.1.5 Addressed Issues .
Superuser administrators with read-only privileges ( Device Administrators and Panorama Administrators ) are unable to view the hardware ACL blocking setting and duration in the CLI using the commands: 
admin> show system setting hardware-acl-blocking-enable
admin> show system setting hardware-acl-blocking-duration
Known
10.1.4
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.1.4
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround: Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.4
PAN-172132
This issue is now resolved by PAN-189643. See PAN-OS 10.1.6 Addressed Issues .
QoS fails to run on a tunnel interface (for example, tunnel.1).
Known
10.1.4
PAN-172067
When you configure an HTTP server profile ( Device Server Profiles HTTP or Panorama Server Profiles HTTP ), the Username and Password fields are always required regardless of whether Tag Registration is enabled.
Workaround: When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require it. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.4
PAN-172061
A process ( all_pktproc ) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.4
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Known
10.1.4
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround: Remove all ACE application configurations before downgrading.
Known
10.1.4
PAN-171714
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues .
If you use the NetBIOS format ( domain\user ) for the IP address-to-username mapping and the firewall receives the group mapping information from the Cloud Identity Engine, the firewall does not successfully match the user to the correct group.
Known
10.1.4
PAN-171706
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues .
If you are using Panorama to manage firewalls with multiple virtual systems and the virtual system that is the User-ID hub uses an alias, the local commit on Panorama is successful but the commit to the firewall fails.
Known
10.1.4
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID in the Application usage widget.
Known
10.1.4
PAN-171635
If you have an on-premise Active Directory and there is an existing group mapping configuration on the firewall, if you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping even if the configuration is disabled and the firewall is rebooted, which may conflict with new mappings from the Cloud Identity Engine.
Workaround : Use the debug user-id clear domain-map command to remove the existing group mappings from the firewall.
Known
10.1.4
PAN-171224
On the Panorama management server, a custom report ( Monitor Managed Custom Reports ) with a high volume of unique data objects is not generated when you click Run Now .
Known
10.1.4
PAN-171145
If you edit or remove the value for the mail attribute in your on-premise Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.4
PAN-170923
In Policies Security Policy Optimizer New App Viewer , when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.4
PAN-170462
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues .
SaaS applications downloaded from the App-ID Cloud Engine (ACE) do not appear in daily application reports ( Monitor Reports Application Reports ) or in the Application column of the Application Usage widget in ACC Network Activity .
Known
10.1.4
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.4
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.4
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route ( Prepare to Deploy App-ID Cloud Engine describes how to do this.)
Known
10.1.4
PAN-168113
On the Panorama management server, you are unable to configure a master key ( Device Master Key and Diagnostics ) for a managed firewall if an interface ( Network Interfaces Ethernet ) references a zone pushed from Panorama.
Workaround: Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.4
PAN-167847
If you issue the command opof stats , then clear the results {opof stats -c}, the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround: Re-run the opof stats command after the offload completes.
Known
10.1.4
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to edge service.
Known
10.1.4
PAN-166464
This issue is now resolved. See PAN-OS 10.1.6-h6 Addressed Issues .
PAN-OS reports the PA-5450 fan numbers incorrectly by listing them in the opposite order. This does not affect fan operation. For further information, contact Customer Support.
Known
10.1.4
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the user in value in a filter query, Panorama is unable to retrieve the group membership and as a result, is unable to display this data in logs and custom reports.
Known
10.1.4
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.4
PAN-164885
This issue is now resolved. See PAN-OS 10.1.14-h6 Addressed Issues
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.4
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.4
PAN-164647
On the Panorama management server, activating a license ( Panorama Device Deployment Licenses ) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround: Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.4
PAN-164618
The VM-Series firewall CLI and system logs display the license name VM-SERIES-X , while the user interface displays VM-FLEX-X (in both cases X is the number of vCPUs). In future releases the user interface will use the VM-SERIES-X format.
Known
10.1.4
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, it displays in user@domain format in the CLI output.
Known
10.1.4
PAN-163966
On the Panorama management server, the ACC and on demand reports ( Monitor Manage Custom Reports ) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.4
PAN-162836
On the VM-Series firewall, if you select Device Licenses Deactivate VM a popup window opens and you can choose Subscriptions or Support and press Continue to remove licenses and register the changes with the license server. When the license removal is complete the Deactivate VM window does not update its text to exclude deactivated licenses or close the window.
Workaround : Wait until the license deactivation is complete, and click Cancel to close the window.
Known
10.1.4
PAN-162164
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues .
When upgrading a multi-dataplane firewall from PAN-OS 10.0 to 10.1, if the configuration includes the DHCP Broadcast Session option enabled, the commit fails. Auto-commit is not affected.
Workaround: Load the configuration from running config (load config from running-config.xml) and perform a commit.
Known
10.1.4
PAN-162088
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
On the Panorama management server in a high availability (HA) configuration, content updates ( Panorama Dynamic Updates ) manually uploaded to the active HA peer are not synchronized to the passive HA peer when you Install a content update and enable Sync to HA Peer .
Known
10.1.4
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the No. of Groups in the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.4
PAN-161451
If you issue the command opof stats , there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state, and has no impact on the existing session.
Known
10.1.4
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if TCI policy is not configured for inspecting VXLAN traffic flows.
Workaround: On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall .
PAN-OS version 9.0 can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.4
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.4
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings ( Device Setup DLP ) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround: After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1
  2. Log in to the firewall web interface and view the Tasks to verify all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit Commit and Push to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.4
PAN-157103
Multi-channel functionality may not be properly utilized on an VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround : Execute the command debug dataplane pow status to view the number of channels being utilized by the dataplane. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       2   0   0   0   0   0     2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command debug dataplane pow status . It should now show multiple channels being utilized. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       1   1   0   0   0   0     2
Known
10.1.4
PAN-156598
( Panorama only ) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround: Use the CLI to update the combination signature.
Known
10.1.4
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit ( Commit Commit to Panorama ) failures if a custom report ( Monitor Manage Custom Reports ) is configured to Group By Session ID .
Workaround: After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.4
PAN-154034
On the Panorama management server, the Type column in the System logs ( Monitor Logs System ) for managed firewalls running a PAN-OS 9.1 release erroneously display iot as the type.
Known
10.1.4
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1
Workaround: After successful downgrade to PAN-OS 9.1, Remove Config ( Panorama Plugins ) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.4
PAN-153803
On the Panorama management server, scheduled email PDF reports ( Monitor PDF Reports ) fail if a GIF image is used in the header or footer.
Known
10.1.4
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done despite reports generated from logs in the Strata Logging Service from the PODamericas Collector Group jobs are still in a Running state.
Known
10.1.4
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.4
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates .)
Known
10.1.4
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.4
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.4
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround: Restart Panorama to connect to the IoT Security edge service.
Known
10.1.4
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.4
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround: Load the running configuration and perform a force commit to sync the devices.
Known
10.1.4
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround: Specify iot as the Type Attribute to filter the logs and use the search term as the Description Attribute . For example: ( subtype eq iot ) and ( description contains 'gRPC connection' ) .
Known
10.1.4
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.4
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround: Panorama automatically restarts the VLD and logd processes.
Known
10.1.4
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround : Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.4
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration ( Panorama SD-WAN Devices ) does not display the branch template stack as out of sync .
Additionally, adding, deleting, or modifying the BGP configuration ( Panorama SD-WAN Devices ) does not display the hub and branch template stacks as out of sync . For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync , nor does modifying the BGP configuration on the hub firewall cause the branch template stack as out of sync .
Workaround: After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.4
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround: Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.4
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates ( Panorama Managed Devices Summary ) as Out of Sync .
Workaround : When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values ( Commit Push to Devices Edit Selections ).
Known
10.1.4
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and displays the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround: Retrying fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.4
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.4
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.4
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server resulting in a delay in a log query and ingestion.
Known
10.1.4
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update ( Panorama Device Deployment Software ) but display as connected when you view your managed firewalls Summary ( Panorama Managed Devices Summary ) and from the CLI.
Workaround: Log out and log back in to the Panorama web interface.
Known
10.1.4
PAN-135742
There is an issue in HTTP2 session decryption where the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.4
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.4
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups ( Objects Address Groups ) and duplicate services in service groups ( Objects Service Groups ) when created from the CLI.
Known
10.1.4
PAN-130550
( PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls ) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.4
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround: Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.4
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.4
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.4
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.4
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2 .
Known
10.1.4
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.4
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address ( Device Setup Content ID URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
    4. Commit your changes.
  • Restart the firewall ( devsrvr ) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process: debug software restart process device-server
Known
10.1.4
PAN-116017
( Google Cloud Platform (GCP) only ) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
10.1.4
PAN-115816
( Microsoft Azure only ) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.
Known
10.1.4
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.4
PAN-112694
( Firewalls with multiple virtual systems only ) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.4
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.4
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround: Use an XML API request to unregister the tags for the subnet or range.
Known
10.1.4
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit ( Commit Commit to Panorama ) the reverted configuration to display the invalid configuration errors.
Known
10.1.4
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.4
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.4
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.4
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.4
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.4
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed ( Objects GlobalProtect HIP Objects <hip-object> General Managed ), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.4
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.4
PAN-101688
( Panorama plugins ) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all .
Known
10.1.4
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed form the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal ‘vsys eq <vsys-name> ’ <dst> | <src> in <object-name>
Known
10.1.4
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.4
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List ) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.4
PAN-97524
( Panorama management server only ) The Security Zone and Virtual System columns ( Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.4
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.4
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
10.1.4
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings ( Device Password Profiles ) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.4
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.4
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.4
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases ( Objects Security Profiles Vulnerability Protection <profile> Exceptions ). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.4
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile ( Objects Security Profiles SCTP Protection ) and you try to add the profile to an existing Security Profile Group ( Objects Security Profile Groups ), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.4
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up ( Device Setup HSM ).
Known
10.1.4
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
Known
10.1.4
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.4
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-off load no CLI command.
Known
10.1.4
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address ( Device Setup Services ).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.4
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.4
PAN-81521
Endpoints failed to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile ( Device Server Profiles Kerberos ).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.4
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session off load no CLI command.
Known
10.1.4
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama results in a validation error—the commit fails and the cluster becomes unresponsive.
Known
10.1.4
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.4
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller: 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller worker-list <worker-ip-address>
    ( <worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled. 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
yes
    or 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.4
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.4
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL , the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error ( Objects External Dynamic Lists ).
Known
10.1.4
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.4
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report ( Monitor Manage Custom Reports ). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days , the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame .
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.4
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.4
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect —The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network —When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands are blocked for 20 seconds.
Addressed
10.1.4-h6
PAN-237935
Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.
Addressed
10.1.4-h6
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.1.4-h6
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.1.4-h6
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.1.4-h6
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.1.4-h4
Issue ID
Description
Addressed
10.1.4-h4
PAN-187438
( PA-5400 Series firewalls only ) Fixed an issue where HSCI interfaces didn’t come up when using BiDi transceivers.
Addressed
10.1.4-h4
PAN-185750
Updated an issue to eliminate failed pan_comm software issues that caused the dataplane to restart unexpectedly.
Addressed
10.1.4-h4
PAN-181116
Fixed an issue where, after upgrading to a PAN-OS 10.1 release, GlobalProtect tunnels fell back to SSL instead of IPSec due to the inadvertent encapsulation of the ICMP keepalive response from the firewall.
Addressed
10.1.4-h2
Issue ID
Description
Addressed
10.1.4-h2
PAN-184445
Fixed an issue where, after upgrading Panorama and enabling Share Unused Address and Service Objects with Devices , address objects using tags to dynamic address groups were removed after a full commit.
Addressed
10.1.4-h2
PAN-178381
Fixed an issue on Panorama where logs didn't display under the Monitor tab and the Elasticsearch process did not work after upgrading to a PAN-OS 10.1 release.
Addressed
10.1.4
PAN-183767
Fixed an issue where downloading Dynamic Updates files failed when connected to the static update server at us-static.updates.paloaltonetworks.com .
Addressed
10.1.4
PAN-183274
( PA-400 Series firewalls only ) Fixed a rare issue where abnormal power downs occurred.
Addressed
10.1.4
PAN-181309
Fixed an issue where Panorama was inaccessible due to the configd process not responding.
Addressed
10.1.4
PAN-180511
( PA-400 Series and PA-5400 Series firewalls only ) Fixed an issue where technical support file generation restarted the firewall.
Addressed
10.1.4
PAN-180402
Fixed an issue where a null tunnel configuration pointer caused a process ( tund ) to stop responding.
Addressed
10.1.4
PAN-178953
Fixed an issue with the GlobalProtect Clientless VPN where, when an application sent a negative max age value on a cookie, part of the cookie was retained by PAN-OS and used for the subsequent connection on the user session.
Addressed
10.1.4
PAN-178190
Fixed an issue where the firewall incorrectly set the disk quota cfg.diskquota.traffic to 0 after upgrading to a PAN-OS 10.0 release. With this fix, the log disk quota will be retained correctly after upgrade.
Addressed
10.1.4
PAN-178047
( CN-Series firewalls only ) Fixed an issue where propagating IP address tag mappings to the firewall took longer than expected, which resulted in traffic not matching Security policy rules with Dynamic Address Groups.
Addressed
10.1.4
PAN-177119
Fixed an issue with the GlobalProtect gateway where SMS-message-based multi-factor authentication (MFA) did not display a prompt to enter the authentication code.
Addressed
10.1.4
PAN-176983
( Panorama management server on PAN-OS 10.1.3 or a later release only ) Fixed an issue where adding a firewall on PAN-OS 10.1.3 or a later release to Panorama management was only supported from the firewall CLI.
Addressed
10.1.4
PAN-176392
( PA-7000 Series firewall only ) Fixed a an issue where persistent sessions did not properly age out when removing a Data Processing Card (DPC).
Addressed
10.1.4
PAN-176341
Fixed an issue where a delay to detect when an interface was down after a cable pull caused traffic to be black-holed to the downed link for 10 or more seconds.
Addressed
10.1.4
PAN-176283
( PA-7000 Series firewalls with Data Processing Cards (DPCs) only ) Fixed an issue where packet loss occurred when quality of service was enabled on an aggregate interface.
Addressed
10.1.4
PAN-176118
Fixed an issue where firewalls configured with a mixed mode of interfaces stopped processing Layer-3-tagged traffic.
Addressed
10.1.4
PAN-176054
Fixed an intermittent issue where users did not have access to resources due to a HIP check failure that was caused by the HIP data not being synced between the management plane and the dataplane.
Addressed
10.1.4
PAN-175923
Fixed an issue where a process ( tund ) stopped responding when enabling IPSec tunnel monitoring.
Addressed
10.1.4
PAN-174886
Fixed an issue where scheduled customer reports displayed as empty when the configured destination was an address group.
Addressed
10.1.4
PAN-174345
Fixed an issue where a process all_pktproc stopped responding after upgrading the firewall.
Addressed
10.1.4
PAN-174055
Fixed an issue where SNMP readings reported as 0 for dataplane interface packet statistics for Amazon Web Services (AWS) m5n.4xlarge instance types. This issue occurred because the physical port counters read from MAC addresses were reported as 0.
Addressed
10.1.4
PAN-173978
Fixed an issue where the Elasticsearch process continuously restarted if zero-length files were present.
Addressed
10.1.4
PAN-173973
( PA-7000 Series firewalls only ) Fixed an issue where flaps occurred when Link State Pass Through was enabled.
Addressed
10.1.4
PAN-173216
Fixed an issue where the firewall incorrectly handled HTML pages when accessed via the GlobalProtect Clientless VPN.
Addressed
10.1.4
PAN-172464
Fixed an issue where unicast DHCP discover or request packets were silently dropped.
Addressed
10.1.4
PAN-172200
Fixed an issue where a process ( configd ) restarted due to memory corruption in the show dynamic-address-group CLI command during commits, commit and push operations, and high availability Panorama syncs.
Addressed
10.1.4
PAN-172179
( PA-7000b firewalls only ) Fixed an issue where, when GTP-U tunnel acceleration was enabled but Mobile Network Protection was not enabled on the corresponding policy, GPRS tunneling protocol (GTP-U) traffic was dropped.
Addressed
10.1.4
PAN-171696
( PA-800 and PA-400 Series firewalls and PA-220 firewalls only ) Fixed an issue where the management plane CPU was incorrectly reported to be high.
Addressed
10.1.4
PAN-171380
Fixed an issue where loading configuration versions in Panorama added unnecessary IDs to the configuration.
Addressed
10.1.4
PAN-171174
Console debug output was enhanced to address issues that led to a loss of SSH and web interface access.
Addressed
10.1.4
PAN-171127
Fixed an issue on Panorama where custom reports ( Monitor Manage Custom Reports ) for Device Application Statistics and Device Traffic Summary databases displayed null for the Application field.
Addressed
10.1.4
PAN-171104
Fixed an issue where a race-condition check returned a false negative, which caused a process ( all_task ) to stop responding and generate a core file.
Addressed
10.1.4
PAN-170997
Fixed an issue where FQDN service routes were not installed after a system reboot.
Addressed
10.1.4
PAN-169300
Debug logs were added to troubleshoot WildFire submission issues.
Addressed
10.1.4
PAN-169173
Fixed an issue where, if you continuously performed partial commits of a configuration with a high number of Dynamic Address Groups, Panorama became unresponsive and commits were slower than expected.
Addressed
10.1.4
PAN-165235
Fixed an issue where the handover handling between LTE and 3G on S5 and S8 to Gn/Gp was not working properly and led to stateful inspection failures.
Addressed
10.1.4
PAN-164450
Fixed an intermittent issue where the firewall dropped GTPv2 Create Session Response packets with the cause Partially Accepted .
Addressed
10.1.4
PAN-164335
Fixed an issue that caused false positives on GTPv2 vulnerability signatures.
Addressed
10.1.4
PAN-163692
Fixed an issue where the firewall did not create new GTP-C sessions when a Create Session Request message was retransmitted and a completely new Create Session Response message was returned.
Addressed
10.1.4
PAN-163261
Fixed an intermittent issue where the firewall dropped GTPv2 Modify Bearer Request packets with the following error message: Abnormal GTPv2-C message with missing mandatory IE .
Addressed
10.1.4
PAN-161496
Fixed an issue when calculating the incremental checksum after a post-NAT translation where the arguments to pan_in_cksm32_diff overflowed the 32-bit integer.
Known
10.1.5
—
If you use Panorama to retrieve logs from Strata Logging Service , new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to Strata Logging Service and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode .
Known
10.1.5
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.5
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.5
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.5
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM- <xxx> license , indicates that you must allocate the additional memory required for licensed capacity for the firewall model.
Known
10.1.5
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.5
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.5
APL-15000
When you move a firewall from one Strata Logging Service instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.5
APL-8269
For data retrieved from Strata Logging Service , the Threat Name column in Panorama ACC threat-activity appears blank.
Known
10.1.5
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.5
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.5
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround: Retry connecting after you restart the web server with the following command: debug software restart process web-server .
Known
10.1.5
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.1.5
PAN-228273
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status is red . This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.1.5
PAN-227344
On the Panorama management server, PDF Summary Reports ( Monitor PDF Reports Manage PDF Summary ) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.5
PAN-223488
This issue is now resolved. PAN-OS 10.1.12 Addressed Issues .
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.1.5
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.1.5
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.5
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.1.5
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings ( Device High Availability ) in a template or template stack ( Panorama Templates ), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync .
Known
10.1.5
PAN-215679
After installing the VM-Series firewall on Azure Stack HCI or Hyper-V, the memory usage increases to 70%.
Known
10.1.5
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.1.5
PAN-212889
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues .
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor ( Monitor App Scope Threat Monitor ) and ACC . This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.1.5
PAN-208325
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues .
The following NextGen firewalls are unable to automatically renew the device certificate ( Device Setup Management or Panorama Setup Management ).
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-5450 Firewall
Workaround: Log in to the firewall CLI and fetch the device certificate. 
admin>request certificate fetch
Known
10.1.5
PAN-206268
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues .
On the Panorama management server, the Auth Key field was erroneously displayed when you configure the Panorama Settings ( Device Setup Management ) as part of a template or template stack configuration.
Known
10.1.5
PAN-206243
The PA-220 firewall reaches the maximum disk usage capacity multiple a day that requires a disk cleanup. A critical system log ( Monitor Logs System ) is generated each time the firewall reaches maximum disk usage capacity.
Known
10.1.5
PAN-205187
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround: Log in to the Panorama CLI and start the PAN-OS software. 
admin>request restart software
Known
10.1.5
PAN-201855
On the Panorama management server, cloning any template ( Panorama Templates ) corrupts certificates ( Device Certificate Management Certificates ) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have template A, B, and C where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with Block Private Key Export setting enabled in templates A and B.
Workaround: After cloning a template, delete and re-import the corrupted certificates.
Known
10.1.5
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround: Manually reboot the Active Panorama HA peer.
Known
10.1.5
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups ( Panorama Device Groups ) under the same device group hierarchy that are used in one or more Policies , renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B .
  2. You create address objects called AddressObjA in the Shared , DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B .
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB .
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.5
PAN-197097
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
Large Scale VPN (LSVPN) does not support IPv6 addresses on the satellite firewall.
Known
10.1.5
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.1.5
PAN-196309
( PA-5450 firewall only ) In PAN-OS 10.1.5-h1, a firewall configured with a Policy-Based Forwarding policy flaps when a commit is performed, even when the next hop is reachable.
Known
10.1.5
PAN-194519
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
( PA-5450 firewall only ) Trying to configure a custom payload format under Device Server Profiles HTTP yields a Javascript error.
Known
10.1.5
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.5
PAN-193518
All logs ( Monitor Logs ) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Workaround: If you need to downgrade from PAN-OS 10.1 to PAN-OS 10.0 and then back to PAN-OS 10.1, downgrade to PAN-OS 10.0.11 to ensure that all logs ingested while running a PAN-OS 10.0 release remain accessible after upgrade back to PAN-OS 10.1.
Known
10.1.5
PAN-192403
This issue is now resolved. See PAN-OS 10.1.6-h3 Addressed Issues .
( PA-5450 firewall only ) There is no commit warning in the web interface when configuring the management interface and logging interface in the same subnetwork. Having both interfaces in the same subnetwork can cause routing and connectivity issues.
Known
10.1.5
PAN-191558
This issue is now resolved. See PAN-OS 10.1.6-h3 Addressed Issues .
After an upgrade to PAN-OS 10.1.5, Global Find did not display all results related to a searched item.
Known
10.1.5
PAN-190727
( PA-5450 firewall only ) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.1.5
PAN-189057
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
On the Panorama management server, Panorama enters a non-functional state due to php.debug.log life taking up too much space.
Workaround: Disable the debug flag for Panorama.
  1. Log in to the Panorama web interface .
  2. In the same browser you are logged into the Panorama web interface, enter the following URL.
    https://<panorama_ip>/debug
  3. Uncheck (disable) Debug or Clear Debug .
  4. ( HA configuration ) Repeat this step on each Panorama high availability (HA) peer if Panorama is in a HA configuration.
Known
10.1.5
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys that impacts exporting logs ( Device Scheduled Log Export ), exporting configurations ( Device Scheduled Config Export ), or the scp export command in the CLI.
Workaround: Use RSA-based host keys on the destination server.
Known
10.1.5
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.1.5
PAN-185286
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues .
( PA-5400 Series firewalls only ) On the Panorama management server, the device health resources ( Panorama Managed Devices Health ) do not populate.
Known
10.1.5
PAN-180661
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues .
On the Panorama management server, pushing an unsupported Minimum Password Complexity ( Device Setup Management ) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.1.5
PAN-178194
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues .
A UI issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.1.5
PAN-177455
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues .
PAN-OS 10.1.2 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.1.2 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.1.5
PAN-175022
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues .
The PAN-OS web interface table of contents do not display or the help contents reload continuously.
Known
10.1.5
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.1.5
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.1.5
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround: Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.5
PAN-172132
This issue is now resolved by PAN-189643. See PAN-OS 10.1.6 Addressed Issues .
QoS fails to run on a tunnel interface (for example, tunnel.1).
Known
10.1.5
PAN-172067
When you configure an HTTP server profile ( Device Server Profiles HTTP or Panorama Server Profiles HTTP ), the Username and Password fields are always required regardless of whether Tag Registration is enabled.
Workaround: When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require it. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.5
PAN-172061
A process ( all_pktproc ) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.5
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Known
10.1.5
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround: Remove all ACE application configurations before downgrading.
Known
10.1.5
PAN-171714
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues .
If you use the NetBIOS format ( domain\user ) for the IP address-to-username mapping and the firewall receives the group mapping information from the Cloud Identity Engine, the firewall does not successfully match the user to the correct group.
Known
10.1.5
PAN-171706
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues .
If you are using Panorama to manage firewalls with multiple virtual systems and the virtual system that is the User-ID hub uses an alias, the local commit on Panorama is successful but the commit to the firewall fails.
Known
10.1.5
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID in the Application usage widget.
Known
10.1.5
PAN-171635
If you have an on-premise Active Directory and there is an existing group mapping configuration on the firewall, if you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping even if the configuration is disabled and the firewall is rebooted, which may conflict with new mappings from the Cloud Identity Engine.
Workaround : Use the debug user-id clear domain-map command to remove the existing group mappings from the firewall.
Known
10.1.5
PAN-171224
On the Panorama management server, a custom report ( Monitor Managed Custom Reports ) with a high volume of unique data objects is not generated when you click Run Now .
Known
10.1.5
PAN-171145
If you edit or remove the value for the mail attribute in your on-premise Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.5
PAN-170923
In Policies Security Policy Optimizer New App Viewer , when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.5
PAN-170462
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues .
SaaS applications downloaded from the App-ID Cloud Engine (ACE) do not appear in daily application reports ( Monitor Reports Application Reports ) or in the Application column of the Application Usage widget in ACC Network Activity .
Known
10.1.5
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.5
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.5
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route ( Prepare to Deploy App-ID Cloud Engine describes how to do this.)
Known
10.1.5
PAN-168113
On the Panorama management server, you are unable to configure a master key ( Device Master Key and Diagnostics ) for a managed firewall if an interface ( Network Interfaces Ethernet ) references a zone pushed from Panorama.
Workaround: Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.5
PAN-167847
If you issue the command opof stats , then clear the results {opof stats -c}, the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround: Re-run the opof stats command after the offload completes.
Known
10.1.5
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to edge service.
Known
10.1.5
PAN-166464
This issue is now resolved. See PAN-OS 10.1.6-h6 Addressed Issues .
PAN-OS reports the PA-5450 fan numbers incorrectly by listing them in the opposite order. This does not affect fan operation. For further information, contact Customer Support.
Known
10.1.5
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the user in value in a filter query, Panorama is unable to retrieve the group membership and as a result, is unable to display this data in logs and custom reports.
Known
10.1.5
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.5
PAN-164885
This issue is now resolved. See PAN-OS 10.1.14-h6 Addressed Issues
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.5
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.5
PAN-164647
On the Panorama management server, activating a license ( Panorama Device Deployment Licenses ) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround: Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.5
PAN-164618
The VM-Series firewall CLI and system logs display the license name VM-SERIES-X , while the user interface displays VM-FLEX-X (in both cases X is the number of vCPUs). In future releases the user interface will use the VM-SERIES-X format.
Known
10.1.5
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, it displays in user@domain format in the CLI output.
Known
10.1.5
PAN-163966
On the Panorama management server, the ACC and on demand reports ( Monitor Manage Custom Reports ) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.5
PAN-162836
On the VM-Series firewall, if you select Device Licenses Deactivate VM a popup window opens and you can choose Subscriptions or Support and press Continue to remove licenses and register the changes with the license server. When the license removal is complete the Deactivate VM window does not update its text to exclude deactivated licenses or close the window.
Workaround : Wait until the license deactivation is complete, and click Cancel to close the window.
Known
10.1.5
PAN-162164
This issue is now resolved. See PAN-OS 10.1.6 Addressed Issues .
When upgrading a multi-dataplane firewall from PAN-OS 10.0 to 10.1, if the configuration includes the DHCP Broadcast Session option enabled, the commit fails. Auto-commit is not affected.
Workaround: Load the configuration from running config (load config from running-config.xml) and perform a commit.
Known
10.1.5
PAN-162088
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
On the Panorama management server in a high availability (HA) configuration, content updates ( Panorama Dynamic Updates ) manually uploaded to the active HA peer are not synchronized to the passive HA peer when you Install a content update and enable Sync to HA Peer .
Known
10.1.5
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the No. of Groups in the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.5
PAN-161451
If you issue the command opof stats , there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state, and has no impact on the existing session.
Known
10.1.5
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if TCI policy is not configured for inspecting VXLAN traffic flows.
Workaround: On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall .
PAN-OS version 9.0 can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.5
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.5
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings ( Device Setup DLP ) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround: After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1
  2. Log in to the firewall web interface and view the Tasks to verify all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit Commit and Push to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.5
PAN-157103
Multi-channel functionality may not be properly utilized on an VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround : Execute the command debug dataplane pow status to view the number of channels being utilized by the dataplane. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       2   0   0   0   0   0     2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command debug dataplane pow status . It should now show multiple channels being utilized. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       1   1   0   0   0   0     2
Known
10.1.5
PAN-156598
( Panorama only ) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround: Use the CLI to update the combination signature.
Known
10.1.5
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit ( Commit Commit to Panorama ) failures if a custom report ( Monitor Manage Custom Reports ) is configured to Group By Session ID .
Workaround: After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.5
PAN-154034
On the Panorama management server, the Type column in the System logs ( Monitor Logs System ) for managed firewalls running a PAN-OS 9.1 release erroneously display iot as the type.
Known
10.1.5
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1
Workaround: After successful downgrade to PAN-OS 9.1, Remove Config ( Panorama Plugins ) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.5
PAN-153803
On the Panorama management server, scheduled email PDF reports ( Monitor PDF Reports ) fail if a GIF image is used in the header or footer.
Known
10.1.5
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done despite reports generated from logs in the Strata Logging Service from the PODamericas Collector Group jobs are still in a Running state.
Known
10.1.5
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.5
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates .)
Known
10.1.5
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.5
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.5
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround: Restart Panorama to connect to the IoT Security edge service.
Known
10.1.5
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.5
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround: Load the running configuration and perform a force commit to sync the devices.
Known
10.1.5
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround: Specify iot as the Type Attribute to filter the logs and use the search term as the Description Attribute . For example: ( subtype eq iot ) and ( description contains 'gRPC connection' ) .
Known
10.1.5
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.5
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround: Panorama automatically restarts the VLD and logd processes.
Known
10.1.5
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround : Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.5
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration ( Panorama SD-WAN Devices ) does not display the branch template stack as out of sync .
Additionally, adding, deleting, or modifying the BGP configuration ( Panorama SD-WAN Devices ) does not display the hub and branch template stacks as out of sync . For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync , nor does modifying the BGP configuration on the hub firewall cause the branch template stack as out of sync .
Workaround: After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.5
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround: Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.5
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates ( Panorama Managed Devices Summary ) as Out of Sync .
Workaround : When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values ( Commit Push to Devices Edit Selections ).
Known
10.1.5
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and displays the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround: Retrying fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.5
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.5
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.5
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server resulting in a delay in a log query and ingestion.
Known
10.1.5
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update ( Panorama Device Deployment Software ) but display as connected when you view your managed firewalls Summary ( Panorama Managed Devices Summary ) and from the CLI.
Workaround: Log out and log back in to the Panorama web interface.
Known
10.1.5
PAN-135742
There is an issue in HTTP2 session decryption where the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.5
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.5
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups ( Objects Address Groups ) and duplicate services in service groups ( Objects Service Groups ) when created from the CLI.
Known
10.1.5
PAN-130550
( PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls ) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.5
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround: Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.5
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.5
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.5
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.5
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2 .
Known
10.1.5
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.5
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address ( Device Setup Content ID URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
    4. Commit your changes.
  • Restart the firewall ( devsrvr ) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process: debug software restart process device-server
Known
10.1.5
PAN-116017
( Google Cloud Platform (GCP) only ) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
10.1.5
PAN-115816
( Microsoft Azure only ) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.
Known
10.1.5
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.5
PAN-112694
( Firewalls with multiple virtual systems only ) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.5
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.5
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround: Use an XML API request to unregister the tags for the subnet or range.
Known
10.1.5
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit ( Commit Commit to Panorama ) the reverted configuration to display the invalid configuration errors.
Known
10.1.5
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.5
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.5
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.5
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.5
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.5
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed ( Objects GlobalProtect HIP Objects <hip-object> General Managed ), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.5
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.5
PAN-101688
( Panorama plugins ) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all .
Known
10.1.5
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed form the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal ‘vsys eq <vsys-name> ’ <dst> | <src> in <object-name>
Known
10.1.5
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.5
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List ) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.5
PAN-97524
( Panorama management server only ) The Security Zone and Virtual System columns ( Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.5
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.5
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
10.1.5
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings ( Device Password Profiles ) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.5
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.5
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.5
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases ( Objects Security Profiles Vulnerability Protection <profile> Exceptions ). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.5
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile ( Objects Security Profiles SCTP Protection ) and you try to add the profile to an existing Security Profile Group ( Objects Security Profile Groups ), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.5
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up ( Device Setup HSM ).
Known
10.1.5
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
Known
10.1.5
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.5
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-off load no CLI command.
Known
10.1.5
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address ( Device Setup Services ).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.5
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.5
PAN-81521
Endpoints failed to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile ( Device Server Profiles Kerberos ).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.5
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session off load no CLI command.
Known
10.1.5
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama results in a validation error—the commit fails and the cluster becomes unresponsive.
Known
10.1.5
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.5
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller: 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller worker-list <worker-ip-address>
    ( <worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled. 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
yes
    or 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.5
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.5
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL , the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error ( Objects External Dynamic Lists ).
Known
10.1.5
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.5
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report ( Monitor Manage Custom Reports ). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days , the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame .
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.5
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.5
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect —The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network —When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands are blocked for 20 seconds.
Addressed
10.1.5-h4
PAN-237935
Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.
Addressed
10.1.5-h4
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.1.5-h4
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.1.5-h4
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.1.5-h4
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.1.5-h3
PAN-202450
Fixed an issue where the device-client-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.1.5-h3
PAN-198372
Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.1.5-h2
Issue ID
Description
Addressed
10.1.5-h2
PAN-191629
( PA-5450 firewalls only ) Fixed an issue where the hourly summary log was limited to 100,001 lines when summarized, which resulted in inconsistent report results when using summary logs.
Addressed
10.1.5-h2
PAN-190660
Fixed an issue where the vld process stopped responding when Elasticsearch had no data.
Addressed
10.1.5-h2
PAN-190644
Fixed an issue where Elasticsearch removed indices earlier than the configured retention period.
Addressed
10.1.5-h2
PAN-190409
( PA-5450 and PA-3200 Series firewalls that use an FE101 processor only ) Fixed an issue where packets in the same session were forwarded through a different member of an aggregate ethernet group when the session was offloaded. The fix is that you can use the following CLI command to change the default tag setting to the tuple setting:
admin@firewall> set session lag-flow-key-type ?
> tag tag
> tuple tuple
tag is the default behavior (tag based on the CPU, tuple based on the FE).
tuple is the new behavior, where both CPU and FE use the same selection algorithm.
Use the following command to display the algorithm:
admin@firewall> show session lag-flow-key-type
dp0: tuple based on fe100
dp1: tuple based on fe100
Addressed
10.1.5-h2
PAN-189375
Fixed an issue where, when migrating the firewall, the firewall dropped packets when trying to re-use the TCP session.
Addressed
10.1.5-h2
PAN-188097
Fixed an issue where the firewall stopped allocating new sessions with increments in the counter session_alloc_failure. This was caused by GPRS tunneling protocol (GTP-U) tunnel session aging processing issue.
Addressed
10.1.5-h2
PAN-183529
( PA-5450 firewalls only ) Fixed an issue where upgrading the firewall caused corrupted log records to be created, which caused the logrcvr process to fail. This resulted in the auto-commit process required to bring up the firewall after a reboot to fail and, subsequently, the firewall to become unresponsive.
Addressed
10.1.5-h2
PAN-181277
Fixed an issue where VPN tunnels in SD-WAN flapped due to duplicate tunnel IDs.
Addressed
10.1.5-h1
Issue ID
Description
Addressed
10.1.5-h1
PAN-190175 and PAN-190223
A fix was made to address an OpenSSL infinite loop vulnerability in the PAN-OS software ( CVE-2022-0778 ).
Addressed
10.1.5-h1
PAN-189643
Fixed an issue where, when QoS was enabled on an IPSec tunnel, traffic failed due to applying the wrong tunnel QoS ID.
Addressed
10.1.5-h1
PAN-178450 and PAN-177905
Fixed an issue where icons weren't displayed for clientless VPN applications.
Addressed
10.1.5
PAN-189769
Fixed an issue on Amazon Web Services (AWS) Gateway Load Balancer (GWLB) deployments with overlay routing enabled where, when a single firewall was the backend of multiple GWLBs, packets were re-encapsulated with an incorrect source IP address.
Addressed
10.1.5
PAN-189665
( FIPS-CC enabled firewalls only ) Fixed an issue where the firewall was unable to connect to log collectors after an upgrade due to missing cipher suites.
Addressed
10.1.5
PAN-189468
Fixed an issue where the firewall onboard packet processor used by the PAN-OS content-inspection (CTD) engine can generate high dataplane resource usage when overwhelmed by a session with an unusually high number of packets. This can result in resource-unavailable messages due to the content inspection queue filling up. Factors related to the likelihood of an occurrence include enablement of content-inspection based features that are configured in such a way that might process thousands of packets in rapid succession (such as SMB file transfers). This can cause poor performance for the affected session and other sessions using the same packet processor. PA-3000 series and VM-Series firewalls are not impacted.
Addressed
10.1.5
PAN-189230
( VM-Series firewalls only ) Fixed an issue that caused the pan_task process to stop responding with floating point exception (FPE) when there was a module of 0 on the queue number.
Addressed
10.1.5
PAN-188883
Fixed an issue where, when pre-generated license key files were manually uploaded via the web interface, they weren't properly recognized by PAN-OS and didn't display a serial number or initiate a reboot.
Addressed
10.1.5
PAN-187894
( VM-Series firewalls only ) Fixed an issue with vm_license_response.log that consumed a large portion of the root partition.
Addressed
10.1.5
PAN-187769
( VM-Series firewalls in Microsoft Azure environments only ) Fixed a Data Plane Development Kit (DPDK) issue where interfaces remained in a link-down state after an Azure hot plug event. This issue occurred due to a hot plug of Accelerated Networking interfaces on the Azure backend caused by host updates, which led to Virtual Function unregister/Register messages on the VM side.
Addressed
10.1.5
PAN-187438
( PA-5400 Series firewalls only ) Fixed an issue where HSCI interfaces didn’t come up when using BiDi transceivers.
Addressed
10.1.5
PAN-186785
Fixed an issue where, after logging in, Panorama displayed a 500 error page after five minutes of logging for dynamic group template admin types with access to approximately 115 managed devices or 120 dynamic groups.
Addressed
10.1.5
PAN-186725
Fixed an issue where index creation failed when Elasticsearch attempted to create a new index with a duplicate index name.
Addressed
10.1.5
PAN-186646
( PA-5400 Series firewalls only ) Fixed an issue where traffic flow through IKE NATT IPSec S2S tunnels broke on tunnel rekey with multiple data processing cards (DPC).
Addressed
10.1.5
PAN-186516
Fixed an issue where log queries that included WildFire submission logs returned more slowly than expected.
Addressed
10.1.5
PAN-186402
( PA-440 Series firewalls only ) Fixed an issue where the firewall's maximum tunnel limit was incorrect.
Addressed
10.1.5
PAN-185750
Updated an issue to eliminate failed pan_comm software issues that caused the dataplane to restart unexpectedly
Addressed
10.1.5
PAN-185726
Fixed an issue where the dataplane exited during IPSec encapsulation and decapsulation offload operations.
Addressed
10.1.5
PAN-185695
( PA-5400 Series firewalls only ) Fixed an issue where up to 75% traffic loss occurred on GlobalProtect tunnels with multiple DPCs.
Addressed
10.1.5
PAN-185359
Fixed an issue where you were unable to reference shared address objects as a BGP peer address ( Virtual Router > BGP > Peer Group > Peer Address ).
Addressed
10.1.5
PAN-185164
Fixed an issue where processing corrupted IoT messages caused the wificlient process to restart.
Addressed
10.1.5
PAN-185163
Fixed an issue where the distributord process hit the FD limit, which caused User-ID redistribution to not function properly.
Addressed
10.1.5
PAN-184761
Fixed an issue where Security policies were deleted on managed devices upon a successful push from Panorama to multiple device groups. This occurred when the Security policies had device_tags selected in the target section.
Addressed
10.1.5
PAN-184445
Fixed an issue where, after upgrading the Panorama, tagged address objects used in dynamic address groups were removed after a full commit and push. This issue occurred when the setting Share Unused Address and Service Objects with Devices was left unchecked.
Addressed
10.1.5
PAN-184432
Fixed an issue where the logrcvr process stopped responding due to a heartbeat failure that was caused by sysd nodes being stuck on logdb_writers for system, configuration, and alarm logs.
Addressed
10.1.5
PAN-184224
Fixed an issue on Panorama where you were unable to select a template variable in Templates > Device > Log Forwarding Card > Log Forwarding Card Interface > Network > IP address location .
Addressed
10.1.5
PAN-184076
Fixed an issue on the firewall web interface where logs were delayed when querying for logs.
Addressed
10.1.5
PAN-184047
Fixed an issue where Terminal Service agent (TS agent) connections with a certificate profile and the certificate chain on the TS agent failed. This occurred because common name validation and key usage checks were being performed in the root or intermediate certificate.
Addressed
10.1.5
PAN-183774
Fixed an memory leak issue in the mgmtsrvr process, which resulted in an out-of-memory (OOM) condition and high availability (HA) failover.
Addressed
10.1.5
PAN-183428
Fixed an issue where, when exporting or pushing a device configuration bundle from Panorama, a validation error occurred with GlobalProtect gateway inactivity logout time.
Addressed
10.1.5
PAN-183239
Fixed an issue where the firewall randomly disconnected from the WildFire URL cloud.
Addressed
10.1.5
PAN-183112
Fixed an issue where the threat log type ml-virus wasn't forwarded to Panorama or to external servers.
Addressed
10.1.5
PAN-182954
( PA-7000 Series firewalls with Log Processing Cards (LPC) only ) Fixed an issue where excessive threat ID lookups caused logs to be lost.
Addressed
10.1.5
PAN-182903
Fixed an issue where SD-WAN failover on a hub or branch in full mesh took longer than expected.
Addressed
10.1.5
PAN-182732
Fixed an issue where the GlobalProtect gateway inactivity timer wasn't refreshed even though traffic was passing through the tunnel.
Addressed
10.1.5
PAN-182634
( PA-400 Series firewalls only ) Fixed an issue where the firewall detected a Power Supply Unit (PSU) failure for the opposite side when disconnecting a PSU from the device. This issue occurred when redundant PSUs were connected.
Addressed
10.1.5
PAN-181839
Fixed an issue where Panorama Global Search reported No Matches found while still returning results for matching entries on large configurations.
Addressed
10.1.5
PAN-181802
Fixed an issue where a memory utilization condition resulted in the web interface responding more slowly than expected and management server restarting.
Addressed
10.1.5
PAN-181706
Fixed an issue where the logrcvr process stopped responding after upgrading to PAN-OS 10.1.
Addressed
10.1.5
PAN-181579
Fixed an issue with the GlobalProtect gateway where the time-to-live (TTL) limit expired faster than real-time limit. As a result, a reconnection was required before the expected lifetime expiration.
Addressed
10.1.5
PAN-181558
Fixed an issue where the stats dump file was not generated properly.
Addressed
10.1.5
PAN-181360
Fixed an issue where staggering scheduled dynamic updates from Panorama to firewalls only worked for the first scheduled group and failed for the remaining groups of the same type.
Addressed
10.1.5
PAN-181116
Fixed memory corruption issues in PAN-OS 10.1.3 and 10.1.4 that caused the pan_comm process to stop responding and the dataplane to restart. These issues also caused GlobalProtect tunnels to fall back to SSL instead of IPSec due to the inadvertent encapsulation of the ICMP keepalive response from the firewall.
Addressed
10.1.5
PAN-181039
Fixed an issue with DNS cache depletion that caused continuous DNS retries.
Addressed
10.1.5
PAN-180916
Fixed an issue where DNS security caused the TTL value of the pointer record (PTR) to be overwritten with a value of 30 seconds.
Addressed
10.1.5
PAN-180760
Fixed an issue where users were unable to SSH to the firewall and encountered the following error message: Could not chdir to home directory /opt/pancfg/home/user: Permission denied .
Addressed
10.1.5
PAN-180095
Fixed an issue where Panorama serial-number-based redistribution agents did not redistribute HIP reports.
Addressed
10.1.5
PAN-179982
Fixed an issue where an OOM condition occurred due to quarantine list redistribution.
Addressed
10.1.5
PAN-179976
Fixed an issue where the WildFire Inline Machine Learning (ML) did not detect mlav-test-pe-file.exe when traffic was decrypted.
Addressed
10.1.5
PAN-179899
Fixed an issue where updating the master key did not update the SD-WAN preshared key (PSK).
Addressed
10.1.5
PAN-179886
Fixed an issue where new tunnels were unable to be established for Elasticsearch due to faulty logic that prevented old tunnels to be removed when a node went down.
Addressed
10.1.5
PAN-179413
Fixed an issue where GRE tunnels flapped during commit jobs.
Addressed
10.1.5
PAN-179321
A validation error was added to inform an administrator when a policy field contained the value any .
Addressed
10.1.5
PAN-179274
Fixed an issue on high availability configurations where, after upgrading to PAN-OS 9.1.10, PAN-OS 10.0.6, or PAN-OS 10.1.0, the HA1 and HA1-Backup link stayed down. This issue occurred when the peer firewall IP address was in a different subnet.
Addressed
10.1.5
PAN-179260
Fixed an issue where admins and other Superusers were unable to remove a commit lock that was taken by another admin user with the format <domain/user>. As a result, deleting the commit lock failed.
Addressed
10.1.5
PAN-179164
Fixed an issue where a web-proxy port number was added to the destination URL when captive portal authentication was run.
Addressed
10.1.5
PAN-179059
Fixed an issue where you were unable to delete dynamic address groups one at a time using XML API.
Addressed
10.1.5
PAN-178947
Fixed an issue where the useridd process stopped responding when a NULL reference attempted to be dereferenced. This issue occurred to IP address users being added.
Addressed
10.1.5
PAN-178860
Fixed an issue where quarantined devices appeared in the CLI but not the web interface.
Addressed
10.1.5
PAN-178672
Fixed an issue where a process ( useridd ) stopped responding due to buffer overflow.
Addressed
10.1.5
PAN-178615
Fixed an issue where restarting the management server created an invalid reference in the device server, which caused subsequent commits to fail.
Addressed
10.1.5
PAN-177981
( PA-5450 firewalls only ) Fixed an issue where High Speed Log Forwarding was enabled when attempting to view local logs.
Addressed
10.1.5
PAN-177956
Fixed an issue where the CLI output of show location ip <ip address> returned unknown.
Addressed
10.1.5
PAN-177907
Fixed an issue where, after rebooting the firewall, FQDN address objects referred in rules in a virtual system (vsys) did not resolve when the vsys used a custom DNS proxy.
Addressed
10.1.5
PAN-177878
Fixed an issue where a role-based admin with Operational Requests enabled under the XML API section was unable to set the License Deactivation API key.
Addressed
10.1.5
PAN-177874
Fixed an issue where a process ( devsrvr ) stopped responding due to an unexpected returned value.
Addressed
10.1.5
PAN-177626
Fixed an issue where aggressive situations caused on-chip descriptor exhaustion.
Addressed
10.1.5
PAN-177551
A fix was made to address a vulnerability that enabled an authenticated network-based administrator to upload a specifically created configuration that disrupted system processes and was able to execute arbitrary code with root privileges when the configuration was committed ( CVE-2022-0024 ).
Addressed
10.1.5
PAN-177363
Fixed an issue where, when system logs and configuration logs on a dedicated log detector system were forwarded to a Panorama management server in Management Only mode, the logs were not ingested and were dropped. This caused the dedicated log detector system to not be viewable on a Panorama appliance in Management Only mode.
Addressed
10.1.5
PAN-177351
Fixed an issue where configurations failed when downgrading from PAN-OS 10.1.1 and later versions to PAN-OS 10.0.0 using the autosaveconfig.xml file.
Addressed
10.1.5
PAN-177187
Fixed an issue where reports using the decryption summary database and Panorama as data sources returned no results.
Addressed
10.1.5
PAN-177170
Fixed an issue on Panorama where a log collector group commit deleted the proxy settings configured on dedicated log collectors.
Addressed
10.1.5
PAN-177072
Fixed an intermittent issue where Panorama did not show new logs from firewalls.
Addressed
10.1.5
PAN-177060
Fixed an issue where, when the address object in the parent device group was renamed, and the address object was overridden in the child device group and called in a Security policy, the object in the Security policy was renamed as well.
Addressed
10.1.5
PAN-177054
Fixed an issue where, when you disabled a NAT rule, the Destination Translation value none displayed in blue and was still able to be modified to a different value.
Addressed
10.1.5
PAN-176997
Fixed an issue where log collectors generated Failed to check IoT content upgrade system logs even when no IoT license was installed.
Addressed
10.1.5
PAN-176889
Fixed an issue where the log collector continuously disconnected from Panorama due to high latency and a high number of packets in Send-Q.
Addressed
10.1.5
PAN-176746
Fixed an intermittent issue where traffic was lost when performing a failover in an HA active/passive setup.
Addressed
10.1.5
PAN-176376
Fixed an issue where importing a firewall configuration to Panorama failed if Import device's shared objects into Panorama's shared context (device group specific objects will be created if unique) was unchecked.
Addressed
10.1.5
PAN-176348
Fixed an issue where scheduled email alerts were not forwarded to all recipients in the override list.
Addressed
10.1.5
PAN-176280
Fixed an intermittent issue on Panorama where querying logs via the web interface or API did not return results.
Addressed
10.1.5
PAN-176262
Fixed an issue where the firewall didn't resolve specific domain names with multiple nested Canonical Name (CNAME) records when caching was enabled.
Addressed
10.1.5
PAN-176116
Fixed an issue where the header did not match the correct policy when IPv6 addresses were set in XFF header.
Addressed
10.1.5
PAN-176032
Fixed an issue where a process ( authd ) process stopped responding, which caused authentication to fail.
Addressed
10.1.5
PAN-176030
Fixed an issue where alerts related to syslog connections were not generated in the system logs.
Addressed
10.1.5
PAN-175717
Fixed an issue where firewalls managed by a Panorama management server entered maintenance mode if:
  • Panorama was running PAN-OS 10.2 and managed firewalls were downgraded from PAN-OS 10.2 to PAN-OS 10.1.4 or earlier PAN-OS release
  • Panorama was upgraded from PAN-OS 10.1 to PAN-OS 10.2 and managed firewalls were running PAN-OS 10.1.4 or earlier PAN-OS 10.1 release.
Addressed
10.1.5
PAN-175716
Fixed an issue where sorting address groups by name, address, or location did not work on a device group that was part of a nested device group.
Addressed
10.1.5
PAN-175628
( PA-5200 Series firewalls only ) Fixed an issue where the firewall was unable to monitor AUX1 and AUX2 interfaces through SNMP.
Addressed
10.1.5
PAN-175570
Fixed an issue where log forwarding profiles did not show up in the dropdown under Zones .
Addressed
10.1.5
PAN-175509
Fixed an issue where a deadlock on CONFIG_LOCK caused both the web interface and CLI commands to time out until the mgmtsrvr process was restarted.
Addressed
10.1.5
PAN-175403
( VM-Series firewalls only ) Fixed an issue where the firewall did not display any logs except for system logs.
Addressed
10.1.5
PAN-175399
Fixed an issue where enabling Use proxy to fetch logs from Strata Logging Service caused Panorama to not show logs when queried.
Addressed
10.1.5
PAN-175307
Fixed an issue where Panorama commits were slower than expected and the configd process stopped responding due to a memory leak.
Addressed
10.1.5
PAN-175259
Fixed an issue where a Security policy configured with App-ID and set to web-browsing and application-default service allowed clear-text web-browsing on tcp/443.
Addressed
10.1.5
PAN-175161
Fixed an issue where changing SSL connection validation settings for system logs caused the mgmtsrvr process to stop responding.
Addressed
10.1.5
PAN-175141
Fixed an intermittent issue where IP address-to-username mappings were not created on a redistribution client if a logout and login message shared the same timestamp.
Addressed
10.1.5
PAN-174998
( M-200 and M-500 appliances only ) Fixed a capacity issue that was caused by high operational activity and large configurations. This fix increases the virtual memory limit on the configd process to 32GB.
Addressed
10.1.5
PAN-174894
Fixed an issue where, when the TTL value for symmetric MAC entries weren't updated to other dataplanes and HA peers, timeouts occurred for traffic using policy-based forwarding (PBF) with symmetric returns.
Addressed
10.1.5
PAN-174864
Fixed an issue on the Panorama interface where Deploying Master Key to low-end devices resulted in a Failed to communicate message, even when the new master key was updated on the end device. This issue occurred because a master key deployment had insufficient time to process due to a connection timeout.
Addressed
10.1.5
PAN-174709
Fixed an OOM condition that occurred due to multiple parallel jobs being created by the scheduled log export feature.
Addressed
10.1.5
PAN-174680
Fixed an issue where, when adding new configurations, Panorama didn't display a list of suggested template variables when typing in a relevant field.
Addressed
10.1.5
PAN-174607
Fixed an intermittent issue where, when Security profiles were attached to a policy, files that were downloaded across TLS sessions decrypted by the firewall were malformed.
Addressed
10.1.5
PAN-174604
Fixed an issue where the email subject of scheduled reports was enclosed in single quotation marks.
Addressed
10.1.5
PAN-174564
( VM-Series firewalls on a Kernel-based Virtual Machine (KVM) running on Proxmox Hypervisor only ) Fixed an issue where SSH traffic was identified as unknown-TCP .
Addressed
10.1.5
PAN-174347
Fixed an issue where sequence numbers were calculated incorrectly for traffic that was subject to Session Initiation Protocol (SIP) application-level gateway (ALG) when SIP TCP Clear Text Proxy was disabled.
Addressed
10.1.5
PAN-174011
Fixed an issue where Panorama failed to update shared policies during partial commits when a new device group was created but not yet committed.
Addressed
10.1.5
PAN-173893
Fixed a memory leak issue related to the ( useridd ) process that occurred when group mapping was enabled.
Addressed
10.1.5
PAN-173753
Fixed an issue where a bar or point on a Network Monitor graph had to be clicked more than once to properly redirect to the corresponding ACC report.
Addressed
10.1.5
PAN-173689
Fixed an issue where the dataplane restarted due to running out of memory in the policy cache.
Addressed
10.1.5
PAN-173545
Fixed an issue where exporting a device summary to CSV failed and displayed the following error message: Error while exporting .
Addressed
10.1.5
PAN-173509
Fixed an issue where Superuser administrators with read-only privileges ( Device > Administrators and Panorama > Administrators ) were unable to view the hardware ACL blocking setting and duration in the CLI using the following commands: 
  • show system setting hardware-acl-blocking-enable
  • show system setting hardware-acl-blocking-duration
Addressed
10.1.5
PAN-173267
Fixed an issue where log queries on Panorama appliances returned with no output and the error message Schema file does not exist displayed in the reported process log.
Addressed
10.1.5
PAN-173179
Fixed an issue where the rem_addr field in Terminal Access Controller Access-Control System (TACACS+) authentication displayed the management or service route IP address of the firewall instead of the source IP address of the user.
Addressed
10.1.5
PAN-172837
Fixed an intermittent issue where the firewall didn't generate block URL logs for URLs even though the websites were blocked in the client device.
Addressed
10.1.5
PAN-172748
( VM-Series firewalls only ) Fixed an issue where a process ( all_task ) stopped responding.
Addressed
10.1.5
PAN-172404
Fixed an issue where the semi-colon (;) was not recognized as token separator while doing regex for URL category matching even though it is mentioned in the documentation.
Addressed
10.1.5
PAN-172396
Fixed a memory leak issue related to the useridd process.
Addressed
10.1.5
PAN-172316
Fixed an issue where the internal interface flow control that caused the monitoring process to incorrectly determine the interface to be malfunctioning.
Addressed
10.1.5
PAN-172295
Fixed an issue where a HIP database cache loop caused high CPU utilization on a process ( useridd ) and caused IP address-to-user mapping redistribution failure.
Addressed
10.1.5
PAN-172243
Fixed an issue where NetFlow traffic triggered a packet buffer leak.
Addressed
10.1.5
PAN-172056
( VM-Series firewalls only ) The logging rate limit was improved to prevent log loss.
Addressed
10.1.5
PAN-171869
Fixed an issue where HIP profile objects in security policies and authentication policies were still visible in the CLI even after replacing them with source HIP and destination HIP objects.
Addressed
10.1.5
PAN-171367
Fixed an issue in active/active HA configurations where sessions disconnected during an upgrade from a PAN-OS 9.0 release to a PAN-OS 9.1 release.
Addressed
10.1.5
PAN-171345
Fixed an issue where firewalls experienced high packet descriptor usage due to internal communication associated with WildFire.
Addressed
10.1.5
PAN-171181
Fixed an issue where the IPSec tunnel configuration didn't load when a double quotation mark was added to the comment section of the IPSec tunnel General tab.
Addressed
10.1.5
PAN-170952
Fixed script issues that caused diagnostic data to not be collected after path monitor failure.
Addressed
10.1.5
PAN-170595
Fixed an issue with Content and Threat Detection where traffic patterns created a bus error, which caused the all_pktproc process to stop responding and the dataplane to restart.
Addressed
10.1.5
PAN-170297
Fixed an issue where ACC > Threat activity did not include the threat name after upgrading to a PAN-OS 10.0 release.
Addressed
10.1.5
PAN-169917
Fixed an issue on Panorama where AUX interface IP addresses did not populate when configuring service routes.
Addressed
10.1.5
PAN-169796
Fixed an issue where the high availability path group destination IP address was removed after pushing a PAN-OS 10 release template from Panorama to a firewall running a PAN-OS 9 release.
Addressed
10.1.5
PAN-169433
Fixed an issue on Panorama where clicking Run Now for a custom report with 32 or more filters in the Query Builder returned the following message: No matching records .
Addressed
10.1.5
PAN-168921
Fixed an issue on firewalls in HA active/active configurations where traffic with complete packets showed up as incomplete and was disconnected due to a non-session owner closing the session prematurely.
Addressed
10.1.5
PAN-168890
A CLI command was added to address an issue where a configured proxy server for a service route was automatically applied to the email server service route.
Addressed
10.1.5
PAN-168662
Fixed an issue on Panorama where multiple copies of logs were displayed for a single session.
Addressed
10.1.5
PAN-168635
Fixed an issue on the firewall where, when attempting to change the master key, the existing master key was not validated first. As a result, all firewall keys were corrupted.
Addressed
10.1.5
PAN-168286
Fixed a memory leak issue in the mgmtsrvr process that was caused by failed commit all operations.
Addressed
10.1.5
PAN-168189
Fixed an issue where, even when there was active multicast traffic, the firewall sent Protocol Independent Multicast (PIM) prune messages.
Addressed
10.1.5
PAN-167858
Fixed an issue where a DNS Security inspection identified a TCP DNS request that had two requests in one segment as a malformed packet and dropped the packet.
Addressed
10.1.5
PAN-167259
Fixed an issue where, after manually uploading WildFire images, the dropdown did not display any available files to choose from.
Addressed
10.1.5
PAN-166368
Fixed an issue on Panorama where long FQDN queries did not resolve due to the character limit being 64 characters.
Addressed
10.1.5
PAN-165147
Fixed an issue where, when there was a high volume of traffic for sessions with Application Block Pages enabled, other regular packets were dropped.
Addressed
10.1.5
PAN-164871
( VM-Series firewalls only ) Fixed an intermittent issue where deactivating the firewall via XML API using manual mode failed. This occurred because the size of the license token file was incorrect.
Addressed
10.1.5
PAN-164631
Fixed an issue where the stats dump report was empty.
Addressed
10.1.5
PAN-163831
Fixed an issue where IPv6 addresses were displayed instead of IPv4 in custom reports.
Addressed
10.1.5
PAN-163245
Fixed an issue where a commit-all or push to the firewall from Panorama failed with the following error message: client routed requesting last config in the middle of a commit/validate. Aborting current commit/validate .
Addressed
10.1.5
PAN-162047
( Firewalls in HA active/passive configurations only ) Fixed a routing table mis-sync issue where routes were missing on the passive firewall when GRE tunnels with keepalives were configured.
Addressed
10.1.5
PAN-161297
Fixed an interoperability issue with other vendors when IKEv2 used SHA2-based certificate authentication.
Addressed
10.1.5
PAN-161111
Fixed an issue where TLS 1.3 Forward Proxy Decryption failed with a malloc failure error. This issue was caused by the server certificate being very large.
Addressed
10.1.5
PAN-161031
Fixed an issue where authentication via LDAP server failed in FIPS-CC mode when the LDAP server profile was configured with the root certificate chain and Verify server certificate for SSL sessions options enabled.
Addressed
10.1.5
PAN-159835
Fixed an issue where, after an upgrade, the following error message was displayed: Not enough space to load content to SHM .
Addressed
10.1.5
PAN-158639
Fixed an issue on Panorama where logs that were forwarded to a collector group did not appear, and the log collector displayed the following error message: es.init-status not ready in logjobq .
Addressed
10.1.5
PAN-158541
Fixed an OOM condition on the dataplane on FIPS-mode firewall decryption that used DHE ciphers.
Addressed
10.1.5
PAN-158369
Fixed an issue where applications did not work via the Clientless VPN when they were configured on a vlan interface
Addressed
10.1.5
PAN-156289
Fixed an issue where the default severities for Content Update errors were inaccurate.
Addressed
10.1.5
PAN-151692
Fixed a permission issue where a Panorama administrator was unable to download or install dynamic updates ( Panorama > Device Deployment ).
Addressed
10.1.5
PAN-151302
( PA-7000 Series firewalls with LFCs only ) Fixed an issue where the logging rate for the LFC was not displayed in Panorama > Managed Devices > Health .
Addressed
10.1.5
PAN-146734
Fixed an issue where, when a Panorama-pushed configuration was referenced in a local configuration, commits failed after updating the master key on the firewall, which resulted in the following error message: Invalid candidate configuration. Master key change aborted... .
Addressed
10.1.5
PAN-145833
( PA-3200 Series firewalls only ) Fixed an issue where the firewall stopped recording dataplane diagnostic data in dp-monitor.log after a few hours of uptime.
Addressed
10.1.5
PAN-141454
Fixed an issue where the output of the CLI command show running resource-monitor ingress-backlogs displayed an incorrect total utilization value.
Known
10.1.6
—
If you use Panorama to retrieve logs from Strata Logging Service , new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to Strata Logging Service and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode .
Known
10.1.6
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.6
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.6
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.6
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM- <xxx> license , indicates that you must allocate the additional memory required for licensed capacity for the firewall model.
Known
10.1.6
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.6
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.6
APL-15000
When you move a firewall from one Strata Logging Service instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.6
APL-8269
For data retrieved from Strata Logging Service , the Threat Name column in Panorama ACC threat-activity appears blank.
Known
10.1.6
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.6
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.6
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround: Retry connecting after you restart the web server with the following command: debug software restart process web-server .
Known
10.1.6
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.1.6
PAN-228273
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status is red . This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.1.6
PAN-227344
On the Panorama management server, PDF Summary Reports ( Monitor PDF Reports Manage PDF Summary ) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.6
PAN-223488
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues .
On the M-600 appliance, closed ElasticSearch shards are not deleted from the M-600 appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.1.6
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.1.6
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.6
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.1.6
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings ( Device High Availability ) in a template or template stack ( Panorama Templates ), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync .
Known
10.1.6
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.1.6
PAN-212889
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues .
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor ( Monitor App Scope Threat Monitor ) and ACC . This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.1.6
PAN-208325
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues .
The following NextGen firewalls are unable to automatically renew the device certificate ( Device Setup Management or Panorama Setup Management ).
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-5450 Firewall
Workaround: Log in to the firewall CLI and fetch the device certificate. 
admin>request certificate fetch
Known
10.1.6
PAN-206268
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues .
On the Panorama management server, the Auth Key field was erroneously displayed when you configure the Panorama Settings ( Device Setup Management ) as part of a template or template stack configuration.
Known
10.1.6
PAN-206243
The PA-220 firewall reaches the maximum disk usage capacity multiple a day that requires a disk cleanup. A critical system log ( Monitor Logs System ) is generated each time the firewall reaches maximum disk usage capacity.
Known
10.1.6
PAN-205187
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround: Log in to the Panorama CLI and start the PAN-OS software. 
admin>request restart software
Known
10.1.6
PAN-201855
On the Panorama management server, cloning any template ( Panorama Templates ) corrupts certificates ( Device Certificate Management Certificates ) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have template A, B, and C where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with Block Private Key Export setting enabled in templates A and B.
Workaround: After cloning a template, delete and re-import the corrupted certificates.
Known
10.1.6
PAN-201627
This issue is now resolved. See PAN-OS 10.1.8 Addressed Issues .
( PAN-OS 10.1.6-h4 and later PAN-OS 10.1.6 hotfixes ) For next-generation firewall deployments where SD-WAN is configured, the dataplane could restart if all SD-WAN member links are down due to an out-of-memory condition. This could also happen during a device reboot when all SD-WAN tunnels are down.
Workaround: Downgrade to PAN-OS 10.1.6-h3 or earlier, or upgrade to the latest PAN-OS 10.2 release.
Known
10.1.6
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround: Manually reboot the Active Panorama HA peer.
Known
10.1.6
PAN-198187
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
For firewalls managed by a Panorama management server, System logs ( Monitor System ) may not display the Commit Description if you push ( Commit Push to Devices ) to multiple device groups from Panorama.
Known
10.1.6
PAN-198174
When viewing traffic or threat logs from the firewall ACC or Monitor, performing a reverse DNS lookup, for example, when resolving IP addresses to domain names using the Resolve Hostname feature, can cause the appliance to crash and restart if DNS server settings have not been configured.
Workaround: Provide a DNS server setting for the firewall ( Device DNS Setup Services ). If you cannot reference a valid DNS server, you can add a dummy address.
Known
10.1.6
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups ( Panorama Device Groups ) under the same device group hierarchy that are used in one or more Policies , renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B .
  2. You create address objects called AddressObjA in the Shared , DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B .
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB .
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.6
PAN-197097
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
Large Scale VPN (LSVPN) does not support IPv6 addresses on the satellite firewall.
Known
10.1.6
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.1.6
PAN-194519
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
( PA-5450 firewall only ) Trying to configure a custom payload format under Device Server Profiles HTTP yields a Javascript error.
Known
10.1.6
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.6
PAN-194424
( PA-5450 firewall only ) Upgrading to PAN-OS 10.1.6-h2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround: Restart the log receiver service by running the following CLI command: 
debug software restart process log-receiver
Known
10.1.6
PAN-194202
( PA-5450 firewall only ) If the management interface and logging interface are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.1.6
PAN-193518
All logs ( Monitor Logs ) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Workaround: If you need to downgrade from PAN-OS 10.1 to PAN-OS 10.0 and then back to PAN-OS 10.1, downgrade to PAN-OS 10.0.11 to ensure that all logs ingested while running a PAN-OS 10.0 release remain accessible after upgrade back to PAN-OS 10.1.
Known
10.1.6
PAN-192403
This issue is now resolved. See PAN-OS 10.1.6-h3 Addressed Issues .
( PA-5450 firewall only ) There is no commit warning in the web interface when configuring the management interface and logging interface in the same subnetwork. Having both interfaces in the same subnetwork can cause routing and connectivity issues.
Known
10.1.6
PAN-190727
( PA-5450 firewall only ) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.1.6
PAN-189057
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
On the Panorama management server, Panorama enters a non-functional state due to php.debug.log life taking up too much space.
Workaround: Disable the debug flag for Panorama.
  1. Log in to the Panorama web interface .
  2. In the same browser you are logged into the Panorama web interface, enter the following URL.
    https://<panorama_ip>/debug
  3. Uncheck (disable) Debug or Clear Debug .
  4. ( HA configuration ) Repeat this step on each Panorama high availability (HA) peer if Panorama is in a HA configuration.
Known
10.1.6
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys that impacts exporting logs ( Device Scheduled Log Export ), exporting configurations ( Device Scheduled Config Export ), or the scp export command in the CLI.
Workaround: Use RSA-based host keys on the destination server.
Known
10.1.6
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.1.6
PAN-185286
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues .
( PA-5400 Series firewalls only ) On the Panorama management server, the device health resources ( Panorama Managed Devices Health ) do not populate.
Known
10.1.6
PAN-178194
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues .
A UI issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.1.6
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.1.6
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.1.6
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround: Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.6
PAN-172067
When you configure an HTTP server profile ( Device Server Profiles HTTP or Panorama Server Profiles HTTP ), the Username and Password fields are always required regardless of whether Tag Registration is enabled.
Workaround: When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require it. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.6
PAN-172061
A process ( all_pktproc ) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.6
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Known
10.1.6
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround: Remove all ACE application configurations before downgrading.
Known
10.1.6
PAN-171714
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues .
If you use the NetBIOS format ( domain\user ) for the IP address-to-username mapping and the firewall receives the group mapping information from the Cloud Identity Engine, the firewall does not successfully match the user to the correct group.
Known
10.1.6
PAN-171706
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues .
If you are using Panorama to manage firewalls with multiple virtual systems and the virtual system that is the User-ID hub uses an alias, the local commit on Panorama is successful but the commit to the firewall fails.
Known
10.1.6
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID in the Application usage widget.
Known
10.1.6
PAN-171635
If you have an on-premise Active Directory and there is an existing group mapping configuration on the firewall, if you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping even if the configuration is disabled and the firewall is rebooted, which may conflict with new mappings from the Cloud Identity Engine.
Workaround : Use the debug user-id clear domain-map command to remove the existing group mappings from the firewall.
Known
10.1.6
PAN-171224
On the Panorama management server, a custom report ( Monitor Managed Custom Reports ) with a high volume of unique data objects is not generated when you click Run Now .
Known
10.1.6
PAN-171145
If you edit or remove the value for the mail attribute in your on-premise Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.6
PAN-170923
In Policies Security Policy Optimizer New App Viewer , when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.6
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.6
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.6
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route ( Prepare to Deploy App-ID Cloud Engine describes how to do this.)
Known
10.1.6
PAN-168113
On the Panorama management server, you are unable to configure a master key ( Device Master Key and Diagnostics ) for a managed firewall if an interface ( Network Interfaces Ethernet ) references a zone pushed from Panorama.
Workaround: Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.6
PAN-167847
If you issue the command opof stats , then clear the results {opof stats -c}, the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround: Re-run the opof stats command after the offload completes.
Known
10.1.6
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to edge service.
Known
10.1.6
PAN-166464
This issue is now resolved. See PAN-OS 10.1.6-h6 Addressed Issues .
PAN-OS reports the PA-5450 fan numbers incorrectly by listing them in the opposite order. This does not affect fan operation. For further information, contact Customer Support.
Known
10.1.6
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the user in value in a filter query, Panorama is unable to retrieve the group membership and as a result, is unable to display this data in logs and custom reports.
Known
10.1.6
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.6
PAN-164885
This issue is now resolved. See PAN-OS 10.1.14-h6 Addressed Issues
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.6
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.6
PAN-164647
On the Panorama management server, activating a license ( Panorama Device Deployment Licenses ) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround: Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.6
PAN-164618
The VM-Series firewall CLI and system logs display the license name VM-SERIES-X , while the user interface displays VM-FLEX-X (in both cases X is the number of vCPUs). In future releases the user interface will use the VM-SERIES-X format.
Known
10.1.6
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, it displays in user@domain format in the CLI output.
Known
10.1.6
PAN-163966
On the Panorama management server, the ACC and on demand reports ( Monitor Manage Custom Reports ) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.6
PAN-162836
On the VM-Series firewall, if you select Device Licenses Deactivate VM a popup window opens and you can choose Subscriptions or Support and press Continue to remove licenses and register the changes with the license server. When the license removal is complete the Deactivate VM window does not update its text to exclude deactivated licenses or close the window.
Workaround : Wait until the license deactivation is complete, and click Cancel to close the window.
Known
10.1.6
PAN-162088
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
On the Panorama management server in a high availability (HA) configuration, content updates ( Panorama Dynamic Updates ) manually uploaded to the active HA peer are not synchronized to the passive HA peer when you Install a content update and enable Sync to HA Peer .
Known
10.1.6
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the No. of Groups in the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.6
PAN-161451
If you issue the command opof stats , there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state, and has no impact on the existing session.
Known
10.1.6
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if TCI policy is not configured for inspecting VXLAN traffic flows.
Workaround: On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall .
PAN-OS version 9.0 can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.6
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.6
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings ( Device Setup DLP ) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround: After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1
  2. Log in to the firewall web interface and view the Tasks to verify all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit Commit and Push to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.6
PAN-157103
Multi-channel functionality may not be properly utilized on an VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround : Execute the command debug dataplane pow status to view the number of channels being utilized by the dataplane. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       2   0   0   0   0   0     2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command debug dataplane pow status . It should now show multiple channels being utilized. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       1   1   0   0   0   0     2
Known
10.1.6
PAN-156598
( Panorama only ) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround: Use the CLI to update the combination signature.
Known
10.1.6
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit ( Commit Commit to Panorama ) failures if a custom report ( Monitor Manage Custom Reports ) is configured to Group By Session ID .
Workaround: After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.6
PAN-154034
On the Panorama management server, the Type column in the System logs ( Monitor Logs System ) for managed firewalls running a PAN-OS 9.1 release erroneously display iot as the type.
Known
10.1.6
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1
Workaround: After successful downgrade to PAN-OS 9.1, Remove Config ( Panorama Plugins ) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.6
PAN-153803
On the Panorama management server, scheduled email PDF reports ( Monitor PDF Reports ) fail if a GIF image is used in the header or footer.
Known
10.1.6
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done despite reports generated from logs in the Strata Logging Service from the PODamericas Collector Group jobs are still in a Running state.
Known
10.1.6
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.6
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates .)
Known
10.1.6
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.6
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.6
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround: Restart Panorama to connect to the IoT Security edge service.
Known
10.1.6
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.6
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround: Load the running configuration and perform a force commit to sync the devices.
Known
10.1.6
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround: Specify iot as the Type Attribute to filter the logs and use the search term as the Description Attribute . For example: ( subtype eq iot ) and ( description contains 'gRPC connection' ) .
Known
10.1.6
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.6
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround: Panorama automatically restarts the VLD and logd processes.
Known
10.1.6
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround : Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.6
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration ( Panorama SD-WAN Devices ) does not display the branch template stack as out of sync .
Additionally, adding, deleting, or modifying the BGP configuration ( Panorama SD-WAN Devices ) does not display the hub and branch template stacks as out of sync . For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync , nor does modifying the BGP configuration on the hub firewall cause the branch template stack as out of sync .
Workaround: After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.6
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround: Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.6
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates ( Panorama Managed Devices Summary ) as Out of Sync .
Workaround : When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values ( Commit Push to Devices Edit Selections ).
Known
10.1.6
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and displays the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround: Retrying fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.6
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.6
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.6
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server resulting in a delay in a log query and ingestion.
Known
10.1.6
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update ( Panorama Device Deployment Software ) but display as connected when you view your managed firewalls Summary ( Panorama Managed Devices Summary ) and from the CLI.
Workaround: Log out and log back in to the Panorama web interface.
Known
10.1.6
PAN-135742
There is an issue in HTTP2 session decryption where the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.6
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.6
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups ( Objects Address Groups ) and duplicate services in service groups ( Objects Service Groups ) when created from the CLI.
Known
10.1.6
PAN-130550
( PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls ) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.6
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround: Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.6
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.6
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.6
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.6
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2 .
Known
10.1.6
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.6
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address ( Device Setup Content ID URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
    4. Commit your changes.
  • Restart the firewall ( devsrvr ) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process: debug software restart process device-server
Known
10.1.6
PAN-116017
( Google Cloud Platform (GCP) only ) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
10.1.6
PAN-115816
( Microsoft Azure only ) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.
Known
10.1.6
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.6
PAN-112694
( Firewalls with multiple virtual systems only ) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.6
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.6
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround: Use an XML API request to unregister the tags for the subnet or range.
Known
10.1.6
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit ( Commit Commit to Panorama ) the reverted configuration to display the invalid configuration errors.
Known
10.1.6
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.6
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.6
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.6
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.6
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.6
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed ( Objects GlobalProtect HIP Objects <hip-object> General Managed ), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.6
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.6
PAN-101688
( Panorama plugins ) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all .
Known
10.1.6
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed form the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal ‘vsys eq <vsys-name> ’ <dst> | <src> in <object-name>
Known
10.1.6
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.6
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List ) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.6
PAN-97524
( Panorama management server only ) The Security Zone and Virtual System columns ( Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.6
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.6
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
10.1.6
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings ( Device Password Profiles ) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.6
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.6
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.6
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases ( Objects Security Profiles Vulnerability Protection <profile> Exceptions ). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.6
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile ( Objects Security Profiles SCTP Protection ) and you try to add the profile to an existing Security Profile Group ( Objects Security Profile Groups ), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.6
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up ( Device Setup HSM ).
Known
10.1.6
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
Known
10.1.6
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.6
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-off load no CLI command.
Known
10.1.6
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address ( Device Setup Services ).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.6
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.6
PAN-81521
Endpoints failed to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile ( Device Server Profiles Kerberos ).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.6
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session off load no CLI command.
Known
10.1.6
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama results in a validation error—the commit fails and the cluster becomes unresponsive.
Known
10.1.6
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.6
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller: 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller worker-list <worker-ip-address>
    ( <worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled. 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
yes
    or 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.6
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.6
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL , the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error ( Objects External Dynamic Lists ).
Known
10.1.6
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.6
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report ( Monitor Manage Custom Reports ). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days , the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame .
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.6
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.6
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect —The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network —When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands are blocked for 20 seconds.
Addressed
10.1.6-h9
PAN-272809
A fix was made to address CVE-2024-9474 .
Addressed
10.1.6-h8
PAN-237935
Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.
Addressed
10.1.6-h8
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.1.6-h8
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.1.6-h8
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.1.6-h8
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.1.6-h7
PAN-202450
Fixed an issue where the device-client-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.1.6-h7
PAN-198372
Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.1.6-h6
PAN-196993
Fixed an issue where an incorrect regex key was generated to invalidate the completions cache, which caused the configd process to stop responding.
Addressed
10.1.6-h6
PAN-195181
Added enhancements to improve the load on the pan_comm process during SNMP polling.
Addressed
10.1.6-h6
PAN-194826
( WF-500 and WF-500-B appliances only ) Fixed an issue where log system forwarding did not work over a TLS connection.
Addressed
10.1.6-h6
PAN-194776
Fixed an issue on Amazon Web Services (AWS) Gateway Load Balancer (GWLB) deployments with overlay routing enabled where intra-zone packets were re-encapsulated with the incorrect source/destination MAC address.
Addressed
10.1.6-h6
PAN-194721
Fixed an issue where path monitor failure occurred, which caused slots to go down.
Addressed
10.1.6-h6
PAN-194694
Fixed an issue where multiple SNMP requests being made to the firewall caused in the pan_comm process to stop responding.
Addressed
10.1.6-h6
PAN-194645
( PA-5400 Series firewalls only ) Fixed an issue where the Data Processing Card status was incorrectly shown as config=None
Addressed
10.1.6-h6
PAN-194601
Fixed an issue that caused the all_task process to stop responding.
Addressed
10.1.6-h6
PAN-194406
Fixed an issue where the MTU from SD-WAN interfaces was recalculated after a configuration push from Panorama or a local commit, which caused traffic disruption.
Addressed
10.1.6-h6
PAN-194097
Fixed an issue on firewalls in high availability (HA) active/passive configurations where _ha_d_session_msgbuf overflowed on the passive firewall during an upgrade, which caused the firewall to enter a non-functional state.
Addressed
10.1.6-h6
PAN-193732
( PA-5400 Series firewalls only ) Fixed an issue where the firewall incorrectly handled internal transactions.
Addressed
10.1.6-h6
PAN-193184
Fixed an issue where IP-user-mapping disappeared when login/logout events occurred at the same timestamp.
Addressed
10.1.6-h6
PAN-193132
( PA-220 firewalls only ) Fixed an issue where a commit and push from Panorama caused high dataplane CPU utilization.
Addressed
10.1.6-h6
PAN-192999
A fix was made to address CVE-2022-0028 .
Addressed
10.1.6-h6
PAN-192758
( PA-7000 Series firewalls only ) Fixed an issue where files failed to upload to the Wildfire public cloud.
Addressed
10.1.6-h6
PAN-192673
( PA-7050-SMC-B firewalls only ) Fixed an issue where the LFC (log forwarding card) syslog-ng service failed to start after an upgrade.
Addressed
10.1.6-h6
PAN-192551
( PA-5400 Series firewalls only ) Fixed an issue where the firewall incorrectly processed path monitoring packets, which caused a slot restart.
Addressed
10.1.6-h6
PAN-192052
Fixed an issue where, when next hop MAC address entries weren't found on the offload processor for active traffic, update messages flooded the firewall, which caused resource contention and traffic disruption.
Addressed
10.1.6-h6
PAN-182951
Fixed an issue where commits remained at 98% for an hour and then failed.
Addressed
10.1.6-h6
PAN-173469
Fixed an intermittent issue where websites were blocked and categorized as not resolved.
Addressed
10.1.6-h3
PAN-194408
Fixed an issue where, when policy rules had the apps that implicitly depended on web browsing configured with the service application default , traffic did not match the rule correctly.
Addressed
10.1.6-h3
PAN-194325
( PA-5450 firewalls only ) Fixed an issue where the logging interface configuration was not correctly written to the syslog-ng configuration file.
Addressed
10.1.6-h3
PAN-192880
Fixed an issue where, when the firewall was configured for jumbo frames, an internal interface was not set with the correct MTU, which caused byte frames larger than 1500 to be dropped when a DF bit was set.
Addressed
10.1.6-h3
PAN-192403
( PA-5450 firewalls only ) Fixed an issue on the web interface where, when configuring the management interface and logging interface in the same subnetwork, a commit warning was not displayed even though the configuration caused routing and connectivity issues.
Addressed
10.1.6-h3
PAN-191558
Fixed an issue where, after an upgrade to PAN-OS 10.1.5, Global Find did not display all results related to a searched item.
Addressed
10.1.6-h3
PAN-191257
Fixed an issue on the firewall where the useridd process stopped responding after a commit from Panorama. This occurred due to a timing issue where a HIP query from the dataplane was initiated before the process had finished initialization.
Addressed
10.1.6-h3
PAN-190811
( PA-5450 firewalls only ) Fixed an issue where logs were forwarded through the management interface instead of the configured log interface to be used for forwarding.
Addressed
10.1.6-h3
PAN-190292
Fixed an issue where you could not configure a log interface as a service route ( Device Setup Services Service Route )
Addressed
10.1.6-h3
PAN-189762
Fixed an issue where a predict session didn't match with the traffic when both source NAT and destination NAT were enabled.
Addressed
10.1.6-h3
PAN-188833
Fixed an issue where shared address objects used as a source or destination in policies were cloned but not freed back after configuration commits.
Addressed
10.1.6-h3
PAN-187126
Fixed an issue where enabling DPDK mode on the dataplane interfaces of a Microsoft Azure instance caused the brdagent process to stop responding.
Addressed
10.1.6-h3
PAN-186075
( VM-Series firewalls only ) Fixed an issue where the firewall rebooted after receiving large packets while in DPDK mode on Azure virtual machines running CX4 (MLx5) drivers.
Addressed
10.1.6-h3
PAN-186024
Fixed an issue where URL category match did not work for External Dynamic List URLS due to a leak related to the devsrvr process.
Addressed
10.1.6-h3
PAN-183166
Fixed an issue where system, configuration, and alarm logs were queued up on the logrcvr process and were not forwarded out or written to disk until an autocommit was passed.
Addressed
10.1.6
WF500-5509
( WF-500 appliance only ) Fixed an issue where cloud inquiries were logged under the SD-WAN subtype.
Addressed
10.1.6
PAN-193579
Fixed an issue where new logs viewed from the CLI (show log <log_type>) and new syslogs forwarded to a syslog server contained additional, erroneous entries.
Addressed
10.1.6
PAN-192930
Fixed an issue where, when the default port was not TCP/443, implicitly used SSL applications were blocked by the Security policy as an SSL application and did not shift to the correct application.
Addressed
10.1.6
PAN-191629
( PA-5450 firewalls only ) Fixed an issue where the hourly summary log was limited to 100,001 lines when summarized, which resulted in inconsistent report results when using summary logs.
Addressed
10.1.6
PAN-191470
Fixed an issue on Panorama where encrypted passwords were sent to firewalls on PAN-OS 10.1 releases during a multi-device group push, which caused client-based External Dynamic Lists (EDL) to fail.
Addressed
10.1.6
PAN-191466
Fixed an issue where you were unable to use the web interface to override IPsec tunnels pushed from Panorama
Addressed
10.1.6
PAN-191222
Fixed an issue where Panorama became inaccessible when after a push to the collector group.
Addressed
10.1.6
PAN-190728
Fixed an issue in an active/passive high availability (HA) configurations with link or path monitoring enabled where the aggregate ethernet interface went down before member interfaces went down.
Addressed
10.1.6
PAN-190675
Fixed an IoT cloud connectivity issue with the firewall dataplane when the Data Services service route was used and the egress interface had VLAN tagging.
Addressed
10.1.6
PAN-190660
Fixed an issue where the vld process stopped responding when Elasticsearch had no data.
Addressed
10.1.6
PAN-190644
Fixed an issue where Elasticsearch removed indices earlier than the configured retention period.
Addressed
10.1.6
PAN-190409
( PA-5450 and PA-3200 Series firewalls that use an FE101 processor only ) Fixed an issue where packets in the same session were forwarded through a different member of an aggregate ethernet group when the session was offloaded. The fix is that you can use the following CLI command to change the default tag setting to the tuple setting:
admin@firewall> set session lag-flow-key-type ?
> tag tag
> tuple tuple
tag is the default behavior (tag based on the CPU, tuple based on the FE).
tuple is the new behavior, where both CPU and FE use the same selection algorithm.
Use the following command to display the algorithm:
admin@firewall> show session lag-flow-key-type
dp0: tuple based on fe100
dp1: tuple based on fe100
Addressed
10.1.6
PAN-189982
Fixed an issue where, when inputting tags, the scrollbar in the dialog box for the tag field obscured the down arrow.
Addressed
10.1.6
PAN-189643
Fixed an issue where, when Quality of Service (QoS) was enabled on an IPSec tunnel, traffic failed due to applying the wrong tunnel QoS ID.
Addressed
10.1.6
PAN-189182
Fixed an issue where the change summary didn't work after upgrading the Panorama appliance.
Addressed
10.1.6
PAN-189010
Fixed an issue on Panorama where a deadlock in the configd process caused both the web interface and the CLI to be inaccessible.
Addressed
10.1.6
PAN-188872
Fixed an out-of-memory (OOM) condition caused by a memory leak issue on the useridd process.
Addressed
10.1.6
PAN-188776
( PA-5200 Series firewalls only ) Fixed an issue where the AUX-2 port required a reboot to link up after factory resetting the firewall.
Addressed
10.1.6
PAN-188336
Fixed an issue with the dnsproxyd process that caused the firewall to unexpectedly reboot.
Addressed
10.1.6
PAN-188303
Fixed an issue where the serial number displayed as unknown after running the show system state CLI command.
Addressed
10.1.6
PAN-188272
( PA-5200 Series and PA-7000 Series firewalls only ) Fixed an issue where Support UTF-8 For Log Output wasn't visible on the web interface.
Addressed
10.1.6
PAN-188097
Fixed an issue where the firewall stopped allocating new sessions with increments in the counter session_alloc_failure. This was caused by GPRS tunneling protocol (GTP-U) tunnel session aging processing issue.
Addressed
10.1.6
PAN-188009
Fixed an issue where a firewall import to Panorama running a PAN-OS 10.1 release or a PAN-OS 10.2 release resulted in corrupted private information when the master key was not used.
Addressed
10.1.6
PAN-188005
Fixed an issue where the var/off file consumed more space than expected, which caused 100% root partition.
Addressed
10.1.6
PAN-187829
Fixed an issue where the web_backend and httpd processes leaked descriptors, which caused activities that depended on the processes, such as logging in to the web interface, to fail.
Addressed
10.1.6
PAN-187630
Fixed an issue where the all_task process stopped responding with a stack trace that contained the function pan_agent_userpolicy_cache_find .
Addressed
10.1.6
PAN-187558
Fixed an issue where the following error message flooded the system log: Incremental update to DP failed .
Addressed
10.1.6
PAN-186750
Fixed an issue where, after upgrading to a PAN-OS 10.1 release, SaaS reports generated on Panorama did not display Applications at a glance and most charts were missing data on the right side of the chart.
Addressed
10.1.6
PAN-186262
Fixed an issue where Panorama appliances in Panorama or Log Collector mode became unresponsive while Elasticsearch accumulated internal connections related to logging processes.
Addressed
10.1.6
PAN-186143
Fixed an issue where no local changes could be made on a Zero Touch Provisioning (ZTP) enabled device after an upgrade to a PAN-OS 10.1 release.
Addressed
10.1.6
PAN-185616
Fixed an issue where the firewall sent fewer logs to the system log server than expected. With this fix, the firewall accommodates a larger send queue for syslog forwarding to TCP syslog receivers.
Addressed
10.1.6
PAN-185558
Fixed an issue where Panorama log migration failed when old logs migrated to a newer format. This was due to older indices failing to close.
Addressed
10.1.6
PAN-185440
Fixed an issue where iOS devices incorrectly displayed as jailbroken under HIP match logs.
Addressed
10.1.6
PAN-185416
( PA-220 firewalls only ) Fixed an issue where the firewall repeatedly rebooted every few hours.
Addressed
10.1.6
PAN-184979
Fixed an issue in multi-vsys environments where the DNS service route always used the management interface even when the dataplane interface was
Addressed
10.1.6
PAN-184621
Fixed an issue on FIPS-enabled devices where modifying any configuration of an existing GlobalProtect portal failed with the following error message: Operation failed : Malformed request .
Addressed
10.1.6
PAN-184291
Fixed an issue where the GlobalProtect portal generated a cookie with a domain as NULL instead of empty-domain, which caused users to be identified incorrectly.
Addressed
10.1.6
PAN-184071
Fixed an issue where tech support files were not generated.
Addressed
10.1.6
PAN-183788
Fixed an issue with SCEP certificate enrollment where the incorrect Registration Authority (RA) certificate was chosen to encrypt the enrollment request.
Addressed
10.1.6
PAN-183579
Fixed an issue where SD-WAN path monitoring failed over the interface directly connected to the ISP due to an unsupported ICMP probe format.
Addressed
10.1.6
PAN-183529
( PA-5450 firewalls only ) Fixed an issue where upgrading the firewall caused corrupted log records to be created, which caused the logrcvr process to fail. This resulted in the auto-commit process required to bring up the firewall after a reboot to fail and, subsequently, the firewall to become unresponsive.
Addressed
10.1.6
PAN-183339
Fixed an issue where line breaks in a description were not visible.
Addressed
10.1.6
PAN-183327
( Firewalls in HA configurations only ) Fixed an issue where policy based forwarding (PBF) sessions between virtual systems (vsys) weren't pushed to the high availability peer.
Addressed
10.1.6
PAN-183322
( Firewalls in Hyper-V environments only ) Fixed an issue where, when upgrading PAN-OS 10.0.5 to PAN-OS 10.0.6 or later, the default Maximum Transmission Unit (MTU) is restored to 1500 from 1496.
Addressed
10.1.6
PAN-181604
Fixed an issue where audit comment archive configuration logs (between commits) were lost after each upgrade.
Addressed
10.1.6
PAN-181568
Fixed an issue where high dataplane CPU occurred when DNS Security was enabled on a firewall with many DNS sessions but less overall traffic.
Addressed
10.1.6
PAN-181277
Fixed an issue where VPN tunnels in SD-WAN flapped due to duplicate tunnel IDs.
Addressed
10.1.6
PAN-181262
Fixed an issue where, when the data loss prevention (DLP) plugin was installed, the Panorama web interface froze after previewing changes.
Addressed
10.1.6
PAN-181245
Fixed an internal path monitoring failure issue that caused the dataplane to go down.
Addressed
10.1.6
PAN-181215
Fixed an issue where the authd process didn't receive authentication requests due to internal socket errors.
Addressed
10.1.6
PAN-181031
Fixed an issue where the CN-NGFW (DP) folder on the CN-MGMT pod eventually consumed a large amount of space in the /var/log/pan because the old registered stale next-generation firewall logs were not being cleared.
Addressed
10.1.6
PAN-180934
Fixed an issue where, when decrypting at TLS1.3, websites failed to load due to the firewall incorrectly handling payload padding from the server.
Addressed
10.1.6
PAN-180661
Fixed an issue on Panorama where pushing an unsupported Minimum Password Complexity ( Device > Setup > Management ) to a managed firewall incorrectly displayed a commit timeout as the reason the commit failed.
Addressed
10.1.6
PAN-180396
Fixed an issue where Panorama displayed an error when generating a ticket to disable GlobalProtect for Prisma Access.
Addressed
10.1.6
PAN-180338
Fixed an issue where the CTD loop count wasn't accurately incremented.
Addressed
10.1.6
PAN-180125
Fixed an issue where either Elasticsearch es-1 or es-2 didn't start after rebooting the log collector.
Addressed
10.1.6
PAN-179184
Fixed an issue where Security Assertion Markup Language (SAML) authentication failed when multiple single sign-on (SSO) requests were sent at the same time from SSL VPN to the authd process on the firewall.
Addressed
10.1.6
PAN-178975
Fixed an issue where the local log collector was out of sync and displayed a public IP address mismatch for the management interface.
Addressed
10.1.6
PAN-178862
Fixed an issue where bootstrapped firewalls didn't associate with the configured template stack if the stack name had more than 31 characters.
Addressed
10.1.6
PAN-178450
Fixed an issue where icons weren't displayed for clientless VPN applications.
Addressed
10.1.6
PAN-177762
Fixed an issue where wifclient in PAN-OS 10.0 and later releases caused processing delays, on-chip descriptor spikes, and buffer usage.
Addressed
10.1.6
PAN-177671
Fixed an issue where, when SIP traffic traversing the firewall was sent with a high QoS differentiated service code (DSCP) value, the DSCP value was reset to the default setting (CS0) for the first data packet.
Addressed
10.1.6
PAN-177455
( PA-7000 Series firewalls with HA clustering enabled and using HA4 communication links only ) Fixed an issue where loading PAN-OS 10.2.0 on the firewall caused the PA-7000 100G NPC (Network Processing Card) to go offline. As a result, the firewall failed to boot normally and entered maintenance.
Addressed
10.1.6
PAN-177409
Fixed an issue where, when the quarantine feature was enabled, every hostid lookup created a new entry in the cache memory instead of having a single cache entry for each IP address, which led to memory exhaustion.
Addressed
10.1.6
PAN-177063
Fixed an issue where decrypting large packets introduced congestion during content inspection, which caused processes to stop responding due to missed heartbeats.
Addressed
10.1.6
PAN-176437
( PA-3200 Series firewalls only ) Fixed an issue where multiple processes stopped responding, which caused the firewall to reboot.
Addressed
10.1.6
PAN-175186
Fixed an issue where performing a commit-all operation with the API type op instead of commit resulted in Panorama returning the incorrect error message Use type [commit-all] instead of the correct error message to use the type commit .
Addressed
10.1.6
PAN-175022
Fixed an issue where the PAN-OS web interface table of contents did not display or the help contents reloaded continuously.
Addressed
10.1.6
PAN-175016
Fixed an issue where PDF summary reports were empty when they were generated by a user in a custom admin role.
Addressed
10.1.6
PAN-174660
Fixed an issue where the devsrvr process stopped responding after a local or Panorama pushed commit. This occurred when a single NAT policy contained more than 64 address objects.
Addressed
10.1.6
PAN-174514
( VM-Series firewalls on Amazon Web Services (AWS) with Gateway Load Balancer (GWLB) enabled only ) Fixed an issue where the firewall didn't block access with a response page when accessing a blocked URL category.
Addressed
10.1.6
PAN-174161
Fixed an issue in Panorama that occurred when attempting to disable override on an object from a child device group did not work after cloning and renaming the object.
Addressed
10.1.6
PAN-173453
Fixed an issue where multiple heartbeat failures occurred, which resulted in high availability failover.
Addressed
10.1.6
PAN-172768
Fixed an issue where HIP report generation caused a memory leak on a process ( useridd ).
Addressed
10.1.6
PAN-172766
Fixed an issue on Panorama where a commit push to managed firewalls failed with sctp-init is invalid error even though SCTP settings were not configured in the corresponding template.
Addressed
10.1.6
PAN-170462
Fixed an issue where Saas applications downloaded from the App-ID Cloud Engine (ACE) didn't appear in daily application reports ( Monitor Reports Application Reports ) or in the Application column of the Application Usage widget in ( ACC Network Activity .
Addressed
10.1.6
PAN-168400
Fixed an issue where, after installing Cloud Services plugin 10.2, the Plugin cloud_services status ( Dashboard > High Availability ) displayed as Mismatch .
Addressed
10.1.6
PAN-168339
Fixed an issue where replacing SSL certificates for inbound management traffic did not work when Block Private Key Export was enabled.
Addressed
10.1.6
PAN-165660
Fixed an issue where, in scenarios with Fragmented Session Initiation Protocol (SIP), where the first packet arrived out of order, bypassing App-ID and Content and Threat Detection (CTD). With this fix, the out-of-order packet is transmitted after it has been queued and processed by APP-ID and CTD.
Addressed
10.1.6
PAN-163174
Fixed an issue on the firewall where, after a commit, GlobalProtect users saw SAML authentication failure due to an improper certificate revocation check.
Addressed
10.1.6
PAN-162444
Fixed an issue where the system state reported incorrect or missing capacity numbers for FQDN address objects.
Addressed
10.1.6
PAN-162164
Fixed an issue where, when upgrading a multi-dataplane firewall from a PAN-OS 10.0 to a PAN-OS 10.1 release, the commit failed if the DHCP Broadcast Session option was enabled in the configuration.
Addressed
10.1.6
PAN-159702
Fixed an issue where FQDN refresh did not work with the error No name servers found! , and no subsequent retries occur.
Addressed
10.1.6
PAN-155730
Fixed an issue where corrupted log index files were not automatically removed.
Addressed
10.1.6
PAN-142701
Fixed an issue where the firewall did not delete Stateless SCTP sessions after receiving an SCTP Abort packet.
Known
10.1.7
—
If you use Panorama to retrieve logs from Strata Logging Service , new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to Strata Logging Service and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode .
Known
10.1.7
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.7
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.7
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.7
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM- <xxx> license , indicates that you must allocate the additional memory required for licensed capacity for the firewall model.
Known
10.1.7
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.7
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.7
APL-15000
When you move a firewall from one Strata Logging Service instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.7
APL-8269
For data retrieved from Strata Logging Service , the Threat Name column in Panorama ACC threat-activity appears blank.
Known
10.1.7
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.7
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.7
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround: Retry connecting after you restart the web server with the following command: debug software restart process web-server .
Known
10.1.7
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.1.7
PAN-228273
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status is red . This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.1.7
PAN-227344
On the Panorama management server, PDF Summary Reports ( Monitor PDF Reports Manage PDF Summary ) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.7
PAN-223488
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues .
Closed ElasticSearch shards are not deleted from the Panorama M-Series and virtual appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.1.7
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.1.7
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.7
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.1.7
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings ( Device High Availability ) in a template or template stack ( Panorama Templates ), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync .
Known
10.1.7
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.1.7
PAN-212889
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues .
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor ( Monitor App Scope Threat Monitor ) and ACC . This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.1.7
PAN-208325
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues .
The following NextGen firewalls are unable to automatically renew the device certificate ( Device Setup Management or Panorama Setup Management ).
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-5450 Firewall
Workaround: Log in to the firewall CLI and fetch the device certificate. 
admin>request certificate fetch
Known
10.1.7
PAN-208189
This issue is now resolved. See PAN-OS 10.1.9-h3 Addressed Issues and PAN-OS 10.1.10 Addressed Issues .
Traffic fails to match and reach all destinations if a Security policy rule includes FQDN objects that resolve to two or more IP addresses.
Known
10.1.7
PAN-206268
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues .
On the Panorama management server, the Auth Key field was erroneously displayed when you configure the Panorama Settings ( Device Setup Management ) as part of a template or template stack configuration.
Known
10.1.7
PAN-206243
The PA-220 firewall reaches the maximum disk usage capacity multiple a day that requires a disk cleanup. A critical system log ( Monitor Logs System ) is generated each time the firewall reaches maximum disk usage capacity.
Known
10.1.7
PAN-205187
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround: Log in to the Panorama CLI and start the PAN-OS software. 
admin>request restart software
Known
10.1.7
PAN-201855
On the Panorama management server, cloning any template ( Panorama Templates ) corrupts certificates ( Device Certificate Management Certificates ) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have template A, B, and C where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with Block Private Key Export setting enabled in templates A and B.
Workaround: After cloning a template, delete and re-import the corrupted certificates.
Known
10.1.7
PAN-201627
This issue is now resolved. See PAN-OS 10.1.8 Addressed Issues .
For next-generation firewall deployments where SD-WAN is configured, the dataplane could restart if all SD-WAN member links are down due to an out-of-memory condition. This could also happen during a device reboot when all SD-WAN tunnels are down.
Workaround: Downgrade to PAN-OS 10.1.6-h3 or earlier, or upgrade to the latest PAN-OS 10.2 release.
Known
10.1.7
PAN-199099
This issue is now resolved. See PAN-OS 10.1.8 Addressed Issues .
When decryption is enabled, Safari and Google Chrome browsers on Mac computers running macOS Monterey or later reject the server certificates firewalls present. The browsers cannot validate the chain of trust for the certificates because the Authority Key Identifier (AKID) of the server certificates and the Subject Key Identifier (SKID) of the forward trust certificate do not match.
Workaround: Use a forward trust certificate that does not contain AKID or SKID extensions.
Known
10.1.7
PAN-198174
When viewing traffic or threat logs from the firewall ACC or Monitor, performing a reverse DNS lookup, for example, when resolving IP addresses to domain names using the Resolve Hostname feature, can cause the appliance to crash and restart if DNS server settings have not been configured.
Workaround: Provide a DNS server setting for the firewall ( Device DNS Setup Services ). If you cannot reference a valid DNS server, you can add a dummy address.
Known
10.1.7
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups ( Panorama Device Groups ) under the same device group hierarchy that are used in one or more Policies , renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B .
  2. You create address objects called AddressObjA in the Shared , DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B .
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB .
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.7
PAN-197097
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
Large Scale VPN (LSVPN) does not support IPv6 addresses on the satellite firewall.
Known
10.1.7
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.1.7
PAN-194519
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
( PA-5450 firewall only ) Trying to configure a custom payload format under Device Server Profiles HTTP yields a Javascript error.
Known
10.1.7
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.7
PAN-194424
( PA-5450 firewall only ) Upgrading to PAN-OS 10.1.6-h2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround: Restart the log receiver service by running the following CLI command: 
debug software restart process log-receiver
Known
10.1.7
PAN-194202
( PA-5450 firewall only ) If the management interface and logging interface are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.1.7
PAN-193518
All logs ( Monitor Logs ) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Workaround: If you need to downgrade from PAN-OS 10.1 to PAN-OS 10.0 and then back to PAN-OS 10.1, downgrade to PAN-OS 10.0.11 to ensure that all logs ingested while running a PAN-OS 10.0 release remain accessible after upgrade back to PAN-OS 10.1.
Known
10.1.7
PAN-190727
This issue is now resolved. See PAN-OS 10.1.7 Addressed Issues .
( PA-5450 firewall only ) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.1.7
PAN-189057
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
On the Panorama management server, Panorama enters a non-functional state due to php.debug.log life taking up too much space.
Workaround: Disable the debug flag for Panorama.
  1. Log in to the Panorama web interface .
  2. In the same browser you are logged into the Panorama web interface, enter the following URL.
    https://<panorama_ip>/debug
  3. Uncheck (disable) Debug or Clear Debug .
  4. ( HA configuration ) Repeat this step on each Panorama high availability (HA) peer if Panorama is in a HA configuration.
Known
10.1.7
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys that impacts exporting logs ( Device Scheduled Log Export ), exporting configurations ( Device Scheduled Config Export ), or the scp export command in the CLI.
Workaround: Use RSA-based host keys on the destination server.
Known
10.1.7
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.1.7
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.1.7
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.1.7
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround: Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.7
PAN-172067
When you configure an HTTP server profile ( Device Server Profiles HTTP or Panorama Server Profiles HTTP ), the Username and Password fields are always required regardless of whether Tag Registration is enabled.
Workaround: When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require it. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.7
PAN-172061
A process ( all_pktproc ) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.7
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Known
10.1.7
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround: Remove all ACE application configurations before downgrading.
Known
10.1.7
PAN-171706
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues .
If you are using Panorama to manage firewalls with multiple virtual systems and the virtual system that is the User-ID hub uses an alias, the local commit on Panorama is successful but the commit to the firewall fails.
Known
10.1.7
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID in the Application usage widget.
Known
10.1.7
PAN-171635
If you have an on-premise Active Directory and there is an existing group mapping configuration on the firewall, if you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping even if the configuration is disabled and the firewall is rebooted, which may conflict with new mappings from the Cloud Identity Engine.
Workaround : Use the debug user-id clear domain-map command to remove the existing group mappings from the firewall.
Known
10.1.7
PAN-171224
On the Panorama management server, a custom report ( Monitor Managed Custom Reports ) with a high volume of unique data objects is not generated when you click Run Now .
Known
10.1.7
PAN-171145
If you edit or remove the value for the mail attribute in your on-premise Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.7
PAN-170923
In Policies Security Policy Optimizer New App Viewer , when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.7
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.7
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.7
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route ( Prepare to Deploy App-ID Cloud Engine describes how to do this.)
Known
10.1.7
PAN-168113
On the Panorama management server, you are unable to configure a master key ( Device Master Key and Diagnostics ) for a managed firewall if an interface ( Network Interfaces Ethernet ) references a zone pushed from Panorama.
Workaround: Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.7
PAN-167847
If you issue the command opof stats , then clear the results {opof stats -c}, the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround: Re-run the opof stats command after the offload completes.
Known
10.1.7
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to edge service.
Known
10.1.7
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the user in value in a filter query, Panorama is unable to retrieve the group membership and as a result, is unable to display this data in logs and custom reports.
Known
10.1.7
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.7
PAN-164885
This issue is now resolved. See PAN-OS 10.1.14-h6 Addressed Issues
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.7
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.7
PAN-164647
On the Panorama management server, activating a license ( Panorama Device Deployment Licenses ) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround: Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.7
PAN-164618
The VM-Series firewall CLI and system logs display the license name VM-SERIES-X , while the user interface displays VM-FLEX-X (in both cases X is the number of vCPUs). In future releases the user interface will use the VM-SERIES-X format.
Known
10.1.7
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, it displays in user@domain format in the CLI output.
Known
10.1.7
PAN-163966
On the Panorama management server, the ACC and on demand reports ( Monitor Manage Custom Reports ) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.7
PAN-162836
On the VM-Series firewall, if you select Device Licenses Deactivate VM a popup window opens and you can choose Subscriptions or Support and press Continue to remove licenses and register the changes with the license server. When the license removal is complete the Deactivate VM window does not update its text to exclude deactivated licenses or close the window.
Workaround : Wait until the license deactivation is complete, and click Cancel to close the window.
Known
10.1.7
PAN-162088
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
On the Panorama management server in a high availability (HA) configuration, content updates ( Panorama Dynamic Updates ) manually uploaded to the active HA peer are not synchronized to the passive HA peer when you Install a content update and enable Sync to HA Peer .
Known
10.1.7
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the No. of Groups in the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.7
PAN-161451
If you issue the command opof stats , there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state, and has no impact on the existing session.
Known
10.1.7
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if TCI policy is not configured for inspecting VXLAN traffic flows.
Workaround: On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall .
PAN-OS version 9.0 can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.7
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.7
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings ( Device Setup DLP ) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround: After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1
  2. Log in to the firewall web interface and view the Tasks to verify all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit Commit and Push to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.7
PAN-157103
Multi-channel functionality may not be properly utilized on an VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround : Execute the command debug dataplane pow status to view the number of channels being utilized by the dataplane. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       2   0   0   0   0   0     2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command debug dataplane pow status . It should now show multiple channels being utilized. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       1   1   0   0   0   0     2
Known
10.1.7
PAN-156598
( Panorama only ) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround: Use the CLI to update the combination signature.
Known
10.1.7
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit ( Commit Commit to Panorama ) failures if a custom report ( Monitor Manage Custom Reports ) is configured to Group By Session ID .
Workaround: After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.7
PAN-154034
On the Panorama management server, the Type column in the System logs ( Monitor Logs System ) for managed firewalls running a PAN-OS 9.1 release erroneously display iot as the type.
Known
10.1.7
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1
Workaround: After successful downgrade to PAN-OS 9.1, Remove Config ( Panorama Plugins ) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.7
PAN-153803
On the Panorama management server, scheduled email PDF reports ( Monitor PDF Reports ) fail if a GIF image is used in the header or footer.
Known
10.1.7
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done despite reports generated from logs in the Strata Logging Service from the PODamericas Collector Group jobs are still in a Running state.
Known
10.1.7
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.7
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates .)
Known
10.1.7
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.7
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.7
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround: Restart Panorama to connect to the IoT Security edge service.
Known
10.1.7
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.7
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround: Load the running configuration and perform a force commit to sync the devices.
Known
10.1.7
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround: Specify iot as the Type Attribute to filter the logs and use the search term as the Description Attribute . For example: ( subtype eq iot ) and ( description contains 'gRPC connection' ) .
Known
10.1.7
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.7
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround: Panorama automatically restarts the VLD and logd processes.
Known
10.1.7
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround : Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.7
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration ( Panorama SD-WAN Devices ) does not display the branch template stack as out of sync .
Additionally, adding, deleting, or modifying the BGP configuration ( Panorama SD-WAN Devices ) does not display the hub and branch template stacks as out of sync . For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync , nor does modifying the BGP configuration on the hub firewall cause the branch template stack as out of sync .
Workaround: After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.7
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround: Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.7
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates ( Panorama Managed Devices Summary ) as Out of Sync .
Workaround : When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values ( Commit Push to Devices Edit Selections ).
Known
10.1.7
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and displays the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround: Retrying fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.7
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.7
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.7
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server resulting in a delay in a log query and ingestion.
Known
10.1.7
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update ( Panorama Device Deployment Software ) but display as connected when you view your managed firewalls Summary ( Panorama Managed Devices Summary ) and from the CLI.
Workaround: Log out and log back in to the Panorama web interface.
Known
10.1.7
PAN-135742
There is an issue in HTTP2 session decryption where the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.7
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.7
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups ( Objects Address Groups ) and duplicate services in service groups ( Objects Service Groups ) when created from the CLI.
Known
10.1.7
PAN-130550
( PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls ) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.7
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround: Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.7
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.7
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.7
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.7
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2 .
Known
10.1.7
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.7
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address ( Device Setup Content ID URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
    4. Commit your changes.
  • Restart the firewall ( devsrvr ) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process: debug software restart process device-server
Known
10.1.7
PAN-116017
( Google Cloud Platform (GCP) only ) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
10.1.7
PAN-115816
( Microsoft Azure only ) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.
Known
10.1.7
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.7
PAN-112694
( Firewalls with multiple virtual systems only ) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.7
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.7
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround: Use an XML API request to unregister the tags for the subnet or range.
Known
10.1.7
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit ( Commit Commit to Panorama ) the reverted configuration to display the invalid configuration errors.
Known
10.1.7
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.7
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.7
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.7
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.7
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.7
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed ( Objects GlobalProtect HIP Objects <hip-object> General Managed ), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.7
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.7
PAN-101688
( Panorama plugins ) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all .
Known
10.1.7
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed form the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal ‘vsys eq <vsys-name> ’ <dst> | <src> in <object-name>
Known
10.1.7
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.7
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List ) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.7
PAN-97524
( Panorama management server only ) The Security Zone and Virtual System columns ( Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.7
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.7
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
10.1.7
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings ( Device Password Profiles ) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.7
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.7
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.7
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases ( Objects Security Profiles Vulnerability Protection <profile> Exceptions ). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.7
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile ( Objects Security Profiles SCTP Protection ) and you try to add the profile to an existing Security Profile Group ( Objects Security Profile Groups ), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.7
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up ( Device Setup HSM ).
Known
10.1.7
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
Known
10.1.7
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.7
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-off load no CLI command.
Known
10.1.7
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address ( Device Setup Services ).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.7
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.7
PAN-81521
Endpoints failed to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile ( Device Server Profiles Kerberos ).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.7
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session off load no CLI command.
Known
10.1.7
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama results in a validation error—the commit fails and the cluster becomes unresponsive.
Known
10.1.7
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.7
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller: 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller worker-list <worker-ip-address>
    ( <worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled. 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
yes
    or 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.7
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.7
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL , the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error ( Objects External Dynamic Lists ).
Known
10.1.7
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.7
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report ( Monitor Manage Custom Reports ). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days , the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame .
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.7
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.7
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect —The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network —When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands are blocked for 20 seconds.
Addressed
10.1.7-h1
PAN-237935
Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.
Addressed
10.1.7-h1
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.1.7-h1
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.1.7-h1
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.1.7-h1
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.1.7
PAN-200771
Fixed an issue where syslog-ng was unable to start due to a design change in the syslog configuration file.
Addressed
10.1.7
PAN-199654
Fixed an issue where ACC reports did not work for custom RBAC users when more than 12 access domains were associated with the username.
Addressed
10.1.7
PAN-199311
Fixed an issue where the Log Forwarding Card (LFC) failed to forward logs to the syslog server.
Addressed
10.1.7
PAN-198509
Fixed an issue where commits failed due to insufficient CFG memory.
Addressed
10.1.7
PAN-198332
( PA-5400 Series only ) Fixed an issue where swapping Network Processing Cards (NPCs) caused high root partition use.
Addressed
10.1.7
PAN-198244
Fixed an issue where using the load config partial CLI command to x-paths removed address object entries from address groups.
Addressed
10.1.7
PAN-197484
( PA-5400 Series firewalls ) Fixed an issue where the firewall forwarded packets to the incorrect aggregate ethernet interface when Policy Based Forwarding (PBF) was used.
Addressed
10.1.7
PAN-197244
Fixed an issue on firewalls with Forward Proxy enabled where the all_pktproc process stopped responding due to missed heartbeats.
Addressed
10.1.7
PAN-196993
Fixed an issue where an incorrect regex key was generated to invalidate the completions cache, which caused the configd process to stop responding.
Addressed
10.1.7
PAN-196953
( PA-5450 firewalls only ) Fixed an issue where jumbo frames were dropped.
Addressed
10.1.7
PAN-196445
Fixed an issue where restarting the NPC or the Data Processing Card (DPC) did not bring up all the network interfaces.
Addressed
10.1.7
PAN-196227
Fixed an issue where the logd process stopped responding, which caused Panorama to reboot into maintenance mode.
Addressed
10.1.7
PAN-196005
( PA-3200 Series, PA-5200 Series, and PA-5400 Series firewalls only ) Fixed an issue where GlobalProtect IPSec tunnels disconnected at half the inactivity logout timer value.
Addressed
10.1.7
PAN-195707
Fixed an issue on Panorama appliances configured as log collectors where Panorama repeatedly rebooted into maintenance mode.
Addressed
10.1.7
PAN-195628
Fixed an issue that caused the pan_task process to miss heartbeats and stop responding.
Addressed
10.1.7
PAN-195625
Fixed an issue where authd frequently created SSL sessions, which resulted in an out-of-memory (OOM) condition.
Addressed
10.1.7
PAN-195360
Fixed an issue with firewalls in Microsoft Azure environments where BGP flapping occurred due to the firewall incorrectly treating capability from BGP peering as unsupported.
Addressed
10.1.7
PAN-195223
Fixed an issue where the all_pktproc process restarted when receiving a GTPv2 Modify Bearer Request packet if the Serving GPRS Support Node (SGSN) used the same key as the Serving Gateway (SGW).
Addressed
10.1.7
PAN-195181
Added enhancements to improve the load on the pan_comm process during SNMP polling.
Addressed
10.1.7
PAN-194958
Fixed an issue where using the show routing protocol bgp loc-rib-detail CLI command caused the CLI to stop responding.
Addressed
10.1.7
PAN-194826
( WF-500 and WF-500-B appliances only ) Fixed an issue where log system forwarding did not work over a TLS connection.
Addressed
10.1.7
PAN-194776
Fixed an issue on Amazon Web Services (AWS) Gateway Load Balancer (GWLB) deployments with overlay routing enabled where intra-zone packets were re-encapsulated with the incorrect source/destination MAC address.
Addressed
10.1.7
PAN-194601
Fixed an issue that caused the all_task process to stop responding.
Addressed
10.1.7
PAN-194481
Fixed an issue in ESXi where the bootstrapped VM-Series firewalls with the Software Licensing Plugin had :xxx appended to their hostnames.
Addressed
10.1.7
PAN-194472
A CLI command was added to address an issue where packets were discarded due to the QoS queue limit being reached. This command enables you to modify the QoS queue size to accommodate more users.
Addressed
10.1.7
PAN-194408
Fixed an issue where, when policy rules had the apps that implicitly depended on web browsing configured with the service application default , traffic did not match the rule correctly.
Addressed
10.1.7
PAN-194406
Fixed an issue where the MTU from SD-WAN interfaces was recalculated after a configuration push from Panorama or a local commit, which caused traffic disruption.
Addressed
10.1.7
PAN-193981
( VM-Series firewalls in Microsoft Azure environments only ) Fixed an issue where the firewall stopped monitoring high availability (HA) failure and floating IP addresses did not get moved to the newly active firewall.
Addressed
10.1.7
PAN-193765
Fixed an issue where commits failed the following error displayed in the configd log: Unable to populate ids into candidate config: Error: Error populating id for ‘sg2+DMZ to FirstAM Scanner-1‘ .
Addressed
10.1.7
PAN-193763
Fixed an issue on the firewall where the dataplane CPU spiked, which caused traffic to be affected during commits or content updates.
Addressed
10.1.7
PAN-193707
Fixed an issue where SAML authentication failed during commits with the following error message: revocation status could not be verified (reason: ) .
Addressed
10.1.7
PAN-193483
( VM-Series firewalls only ) Fixed an issue where, during Layer-7 packet inspection where traffic was being inspected for threat signature and data patterns, multiple processes stopped responding.
Addressed
10.1.7
PAN-193392
Fixed an issue where RTP packets dropped due to conflicting duplicate flows.
Addressed
10.1.7
PAN-193175
Fixed an issue where PBP Drops (8507) threat logs were incorrectly logged as SCTP Init Flood (8506) .
Addressed
10.1.7
PAN-193132
( PA-220 firewalls only ) Fixed an issue where a commit and push from Panorama caused high dataplane CPU utilization.
Addressed
10.1.7
PAN-192944
Fixed an issue where the logrcvr process caused an OOM condition.
Addressed
10.1.7
PAN-192758
( PA-7000 Series firewalls only ) Fixed an issue where files failed to upload to the WildFire public cloud.
Addressed
10.1.7
PAN-192726
Fixed an issue where the firewall dropped TCP traffic inside IPSec tunnels.
Addressed
10.1.7
PAN-192725
Fixed an issue where the firewall failed to forward logs to Panorama when configured with IPv6 addressing only.
Addressed
10.1.7
PAN-192666
( VM-Series firewalls only ) Fixed an issue where uploading certificates via API failed within the first 30 minutes of a bootstrap.
Addressed
10.1.7
PAN-192551
( PA-5400 Series firewalls only ) Fixed an issue where the firewall incorrectly processed path monitoring packets, which caused a slot restart.
Addressed
10.1.7
PAN-192404
Fixed an issue where ARP broadcasts occurring in the same time interval and network segment as HA path monitoring pings triggered an ARP cache request, which prevented the firewall from sending ICMP echo requests to the monitored destination IP address and caused an HA path monitoring failover.
Addressed
10.1.7
PAN-192330
( Bootstrapped VM-Series firewalls in Microsoft Azure environments only ) Fixed an issue where the firewall did not automatically receive the Strata Logging Service license.
Addressed
10.1.7
PAN-192089
Fixed an issue on the web interface where the IPSec tunnel did not gray out after disabling it.
Addressed
10.1.7
PAN-191867
Fixed an issue where CPU stalls resulted in a slot restart.
Addressed
10.1.7
PAN-191847
Fixed an issue where the Panorama appliance was unable to generate scheduled custom reports due to the large number of files stored in the opt/pancfg/mgmt/custom-reports directory.
Addressed
10.1.7
PAN-191726
Fixed an issue where an SCP export of the device state from the firewall added single quotes ( ' ) to the filename.
Addressed
10.1.7
PAN-191558
Fixed an issue where, after an upgrade to PAN-OS 10.1.5, Global Find did not display all results related to a searched item.
Addressed
10.1.7
PAN-191381
Fixed an issue where multicast packets were dropped due to a large timeout value in the multicast FIB.
Addressed
10.1.7
PAN-191288
Fixed an issue where the firewall restarted due to a dnsproxy process crash.
Addressed
10.1.7
PAN-191269
Fixed an issue where the NAT pool leaked for passive mode FTP predict sessions.
Addressed
10.1.7
PAN-191218
( PA-5400 Series firewalls only ) Fixed an issue where the session log storage quota could not be changed via the web interface.
Addressed
10.1.7
PAN-191163
Fixed an issue where the logrcvr process stopped responding when processing threat logs with HTTP2 and data capture flagged.
Addressed
10.1.7
PAN-191022
Fixed an issue where a full routing table caused many dataplane messages, which resulted in packet buffer congestion and packet drops.
Addressed
10.1.7
PAN-190811
( PA-5450 firewalls only ) Fixed an issue where logs were forwarded through the management interface instead of the configured log interface to be used for forwarding.
Addressed
10.1.7
PAN-190727
( PA-5450 firewall only ) Fixed an issue where documentation for configuring the log interface was unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Addressed
10.1.7
PAN-190493
Fixed an issue where decrypted VLAN traffic on Virtual Wire (V-Wire) changed to VLAN ID 0.
Addressed
10.1.7
PAN-190492
Fixed an issue where the Panorama log collector group level SSH settings were not migrated to the new format when upgrading from a PAN-OS 9.1 release to a PAN-OS 10.0 release.
Addressed
10.1.7
PAN-190448
Fixed an issue in ACC reports where IPv6 addresses were displayed instead of IPv4 addresses.
Addressed
10.1.7
PAN-190292
Fixed an issue where you could not configure a log interface as a service route Device > Setup > Services > Service Route
Addressed
10.1.7
PAN-190225
Fixed an issue on Panorama appliances in active/passive HA configurations where the passive appliance was unable to connect to the active appliance after resetting the secure connection state.
Addressed
10.1.7
PAN-189867
Fixed an issue where, when logging in to the GlobalProtect gateway, the authentication cookie was not reused.
Addressed
10.1.7
PAN-189861
Fixed an issue on firewalls in HA configurations where intermittent system alerts on the active firewall caused the pan_comm process to restart continuously.
Addressed
10.1.7
PAN-189762
Fixed an issue where a predict session didn't match with the traffic when both source NAT and destination NAT were enabled.
Addressed
10.1.7
PAN-189414
Fixed an issue where TCP packets were dropped during the first zone transfer when DNS security was enabled.
Addressed
10.1.7
PAN-189304
Fixed an issue where the Panorama appliance didn't display logs or generate reports for a device group containing MIPs platform that forwarded logs to Strata Logging Service .
Addressed
10.1.7
PAN-189225
Fixed an issue where BGP routes were lost or uninstalled after disabling jumbo frames on the firewall.
Addressed
10.1.7
PAN-189206
Fixed an issue where Device Group and Template administrator roles didn't support a context switch between the Panorama and firewall web interfaces.
Addressed
10.1.7
PAN-189114
Fixed an issue where the dataplane went down, which caused an HA failover.
Addressed
10.1.7
PAN-188942
Fixed an issue where, when modifying a DNS proxy configuration, the server port number was transparently changed to port 1080 if an administrator changed only the server IP address.
Addressed
10.1.7
PAN-188867
Fixed an issue where the firewall dropped packets when the session payload was too large.
Addressed
10.1.7
PAN-188338
Fixed an issue where canceling a commit caused the commit process to remain at 70% and the firewall had to be rebooted.
Addressed
10.1.7
PAN-188096
( VM-Series firewalls only ) Fixed an issue where, on firewalls licensed with Software NGFW Credit (VM-FLEX-4 and higher), HA clustering was unable to be established.
Addressed
10.1.7
PAN-187890
Fixed an issue where the Strata Logging Service connection incorrectly displayed as disconnected when a service route was in use.
Addressed
10.1.7
PAN-187805
Fixed an issue where a process ( all_pktproc ) stopped responding and the dataplane restarted during certificate construction or destruction.
Addressed
10.1.7
PAN-187755
Fixed an issue where the maximum session timeout was not applied to the administrator as expected.
Addressed
10.1.7
PAN-187151
Fixed an issue where tunnel-monitoring interface was incorrectly shown as up instead of down.
Addressed
10.1.7
PAN-186995
Fixed an issue where the command to show IP address tags for Dynamic Address Groups displayed the error start-point should be equal to or between 1 and 100000 even when the maximum registered IP address limit was greater than 100,000. With this fix, the show command will display IP address tags up to the correct maximum limit.
Addressed
10.1.7
PAN-186957
Fixed an issue where, in SAML Metadata Export , a drop-down did not appear in the input field when IP or Hostname was selected for Type .
Addressed
10.1.7
PAN-186891
Fixed an issue where NetFlow packets contained incorrect octet counts.
Addressed
10.1.7
PAN-186807
Fixed an issue where RAID rebuild occurred after a reboot due to the RAID array not being populated during the firewall bootup.
Addressed
10.1.7
PAN-186658
Fixed an issue where Panorama console sessions were not cleared on the firewall after the idle-timeout value expired.
Addressed
10.1.7
PAN-186584
Fixed an issue where SNMPv3 CPU use didn't match the firewall output for show running resource-monitor on single dataplane firewalls.
Addressed
10.1.7
PAN-186418
Fixed an issue where Panorama displayed a discrepancy in RAM configured on the VMware host.
Addressed
10.1.7
PAN-186075
( VM-Series firewalls only ) Fixed an issue where the firewall rebooted after receiving large packets while in DPDK mode on Azure virtual machines running CX4 (MLx5) drivers.
Addressed
10.1.7
PAN-185789
Fixed an issue where the show ntp CLI command resulted in a Rejected status for NTP servers that used auto-key authentication.
Addressed
10.1.7
PAN-185787
Fixed an issue where logging in to the Panorama web interface did not work and the following error message displayed: Timed out while getting config lock. Please try again .
Addressed
10.1.7
PAN-185286
( PA-5400 Series firewalls only ) Fixed an issue on Panorama where device health resources did not populate.
Addressed
10.1.7
PAN-184902
Fixed an issue where the logd process stopped responding on Panorama and wasn't able to receive logs from the firewall due to the event manager returning a null pointer.
Addressed
10.1.7
PAN-184845
Fixed an issue where Address Resolution Protocol (ARP) packets dropped due to ARP throttle.
Addressed
10.1.7
PAN-184771
Fixed an issue where the threat category in a schedule report incorrectly displayed as unknown.
Addressed
10.1.7
PAN-184702
( M-700 appliances in Log Collector mode only ) Fixed an issue on the Panorama management server where the Panorama appliance failed to connect to Panorama when added as a managed log collector.
Addressed
10.1.7
PAN-184342
Fixed an issue where the firewall dropped the second TCP packet as non-syn TCP if it was SYN/ACK/PSH due to the incorrect expectation that the second packet would be SYN/ACK.
Addressed
10.1.7
PAN-184068
( PA-5200 series firewalls only ) Fixed an issue where the firewall generated pause frames, which caused network latency.
Addressed
10.1.7
PAN-183949
Fixed an issue on the firewall where a script to send XML API queries to update the block list caused the sslmgr process to restart.
Addressed
10.1.7
PAN-183888
Fixed an issue on Panorama appliances with PA-5400 Series managed firewalls where Monitor > Traffic did not display logs.
Addressed
10.1.7
PAN-183826
Fixed an issue where, after clicking WildFire Analysis Report , the web interface failed to display the report with the following error message: refused to connect .
Addressed
10.1.7
PAN-183664
( VM-Series firewalls only ) Fixed an issue where set core operations failed during Software NGFW FLEX licensing.
Addressed
10.1.7
PAN-183603
( M-200 and M-600 appliances in Log Collector mode only ) Fixed a disk issue that occurred after an upgrade to PAN-OS 10.2 which prevented the ElasticSearch process from starting, which resulted in the dedicated log collector being unable to write new logs to logging disks.
Addressed
10.1.7
PAN-183270
Fixed an issue where a bootstrapped firewall connected only to the first log collector in a log collector group.
Addressed
10.1.7
PAN-183184
Fixed an issue where enabling SSL decryption with a Hardware Security Model (HSM) caused a dataplane restart.
Addressed
10.1.7
PAN-183166
Fixed an issue where system, configuration, and alarm logs were queued up on the logrcvr process and were not forwarded out or written to disk until an autocommit was passed.
Addressed
10.1.7
PAN-182951
Fixed an issue where commits remained at 98% for an hour and then failed.
Addressed
10.1.7
PAN-182539
Fixed an issue with Panorama appliances in HA configurations where dedicated log collectors did not send local system or configuration logs to both Panorama appliances.
Addressed
10.1.7
PAN-182212
Fixed an issue where SNMP reported the panVsysActiveTcpCps and panVsysActiveUdpCps value to be 0.
Addressed
10.1.7
PAN-182173
( Panorama appliances in HA configurations only ) Fixed an issue where, when using Prisma Access multitenancy, the passive appliance didn't correctly update the tenant information after the tenant was deleted on the active appliance.
Addressed
10.1.7
PAN-182087
Fixed an issue where commit failures occurred due to validity checks performed against self-signing certificates not evaluating Authentication Key Identifier and Subject Key Identifier fields.
Addressed
10.1.7
PAN-180863
Fixed an issue where the authentication key was mandatory on the firewall to remove Panorama server details.
Addressed
10.1.7
PAN-179750
A CLI command was added to set the virtual memory limit in dedicated log collectors.
Addressed
10.1.7
PAN-179543
Fixed an issue where the flow_mgmt process stopped responding when attempting to clear the session table, which caused the dataplane to restart.
Addressed
10.1.7
PAN-179295
Fixed an issue where report generation did not work as expected due to missed parameters being passed during inter-daemon communication.
Addressed
10.1.7
PAN-178243
Fixed an issue where Shared Gateway was not visible in the Virtual System drop down when configuring a Layer3 aggregate subinterface.
Addressed
10.1.7
PAN-178194
Fixed an issue with the web interface where, when only the Advanced URL Filtering license was activated, the message License required for URL filtering to function was incorrectly displayed and the URL Filtering Profile > Inline ML section was disabled.
Addressed
10.1.7
PAN-177861
Fixed an issue with User ID redistribution where a system log with severity of High was generated each time a commit was performed. This issue occurred due to all UIA agent connections being reset after each commit.
Addressed
10.1.7
PAN-177482
Fixed an issue where ACC > App Scope > Threat Monitor showed NO DATA TO DISPLAY .
Addressed
10.1.7
PAN-176703
Fixed an issue that occurred after upgrading to a PAN-OS 9.0 or later release where commits to the firewall configuration failed with the following error message: statistics-service is invalid .
Addressed
10.1.7
PAN-175236
Fixed an issue in the template stack where you were unable to add routes under GlobalProtect > Gateway > Satellite > Network Settings .
Addressed
10.1.7
PAN-174809
Fixed an issue where a process ( all_pktproc ) restarted.
Addressed
10.1.7
PAN-174489
Fixed a source user mismatch issue that occurred when the same name was set as the actual domain for the overriding domain.
Addressed
10.1.7
PAN-173373
( VM-Series firewalls in NSX-T deployments only ) Fixed an issue where deployments dropped packets with the counter pan_netx_send_pkt error .
Addressed
10.1.7
PAN-172834
Fixed a memory leak issue related to the useridd process that occurred when processing IP-address-to-username mappings.
Addressed
10.1.7
PAN-172501
Fixed an issue where you were unable to revert HA mode settings to the default values from the web interface.
Addressed
10.1.7
PAN-171714
Fixed an issue where, when NetBIOS format (domain\user) was used for the IP address-to-username mapping and the firewall received the group mapping information from the Cloud Identity Engine, the firewall did not match the user to the correct group.
Addressed
10.1.7
PAN-171690
Fixed an issue where logs were not displayed in GlobalProtect Deployment Activity with the message No data to display even though they were displayed in the Monitor tab.
Addressed
10.1.7
PAN-171497
Fixed an issue where, after a local user group was updated by adding or removing users, the local user group was removed from groupdb .
Addressed
10.1.7
PAN-171159
Fixed a memory leak on the configd process on Panorama caused during multi-clone operations for rules.
Addressed
10.1.7
PAN-169153
Fixed an issue where LDAP connections over TLS failed with untrusted certificates error even though Verify Server Certificate for SSL sessions option was not selected.
Addressed
10.1.7
PAN-168005
Fixed an issue where GlobalProtect was unable to connect to the gateway and displayed the error message Could not connect to the gateway. The device or features requires a GlobalProtect subscription license even though the gateway firewall had a valid gateway license.
Addressed
10.1.7
PAN-163906
Fixed an issue where commits failed due to a non-configuration error.
Addressed
10.1.7
PAN-163828
Fixed an issue where path MTU discovery did not work when the MTU was not configured manually on the tunnel interface.
Addressed
10.1.7
PAN-163261
Fixed an intermittent issue where the firewall dropped GTPv2 Modify Bearer Request packets with the following error message: Abnormal GTPv2-C message with missing mandatory IE .
Addressed
10.1.7
PAN-160238
Fixed an issue where intermittent VXLAN packet drops occurred if the TCI was not configured for inspecting VXLAN traffic. This issue occurred when traffic was migrated from a firewall running a PAN-OS version earlier than PAN-OS 9.0 to a firewall running PAN-OS 9.0 or later.
Addressed
10.1.7
PAN-157215
Fixed an issue that occurred when two FQDNs were resolved to the same IP address and were configured as the same src/dst of the same rule. If one FQDN was later resolved to a different IP address, the IP address resolved for the second FQDN was also changed, which caused traffic with the original IP address to hit the incorrect rule.
Addressed
10.1.7
PAN-151469
Fixed an issue where packets were dropped unexpectedly due to errors parsing the IP version field.
Known
10.1.8
—
If you use Panorama to retrieve logs from Strata Logging Service , new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to Strata Logging Service and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode .
Known
10.1.8
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.8
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.8
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.8
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM- <xxx> license , indicates that you must allocate the additional memory required for licensed capacity for the firewall model.
Known
10.1.8
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.8
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.8
APL-15000
When you move a firewall from one Strata Logging Service instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.8
APL-8269
For data retrieved from Strata Logging Service , the Threat Name column in Panorama ACC threat-activity appears blank.
Known
10.1.8
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.8
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.8
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround: Retry connecting after you restart the web server with the following command: debug software restart process web-server .
Known
10.1.8
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.1.8
PAN-228273
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status is red . This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.1.8
PAN-227344
On the Panorama management server, PDF Summary Reports ( Monitor PDF Reports Manage PDF Summary ) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.8
PAN-223488
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues .
Closed ElasticSearch shards are not deleted from a Panorama M-Series or virtual appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.1.8
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.1.8
PAN-219644
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues .
Firewalls forwarding logs to a syslog server over TLS ( Objects Log Forwarding ) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
10.1.8
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.8
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.1.8
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings ( Device High Availability ) in a template or template stack ( Panorama Templates ), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync .
Known
10.1.8
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.1.8
PAN-212889
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues .
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor ( Monitor App Scope Threat Monitor ) and ACC . This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.1.8
PAN-208325
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues .
The following NextGen firewalls are unable to automatically renew the device certificate ( Device Setup Management or Panorama Setup Management ).
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-5450 Firewall
Workaround: Log in to the firewall CLI and fetch the device certificate. 
admin>request certificate fetch
Known
10.1.8
PAN-208189
This issue is now resolved. See PAN-OS 10.1.9-h3 Addressed Issues and PAN-OS 10.1.10 Addressed Issues .
Traffic fails to match and reach all destinations if a Security policy rule includes FQDN objects that resolve to two or more IP addresses.
Known
10.1.8
PAN-206268
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues .
On the Panorama management server, the Auth Key field was erroneously displayed when you configure the Panorama Settings ( Device Setup Management ) as part of a template or template stack configuration.
Known
10.1.8
PAN-206243
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
The PA-220 firewall reaches the maximum disk usage capacity multiple a day that requires a disk cleanup. A critical system log ( Monitor Logs System ) is generated each time the firewall reaches maximum disk usage capacity.
Known
10.1.8
PAN-205187
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround: Log in to the Panorama CLI and start the PAN-OS software. 
admin>request restart software
Known
10.1.8
PAN-202339
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
The VM-Series firewall on AWS might display reduced throughput of SSL traffic.
Known
10.1.8
PAN-201855
On the Panorama management server, cloning any template ( Panorama Templates ) corrupts certificates ( Device Certificate Management Certificates ) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have template A, B, and C where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with Block Private Key Export setting enabled in templates A and B.
Workaround: After cloning a template, delete and re-import the corrupted certificates.
Known
10.1.8
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround: Manually reboot the Active Panorama HA peer.
Known
10.1.8
PAN-198174
When viewing traffic or threat logs from the firewall ACC or Monitor, performing a reverse DNS lookup, for example, when resolving IP addresses to domain names using the Resolve Hostname feature, can cause the appliance to crash and restart if DNS server settings have not been configured.
Workaround: Provide a DNS server setting for the firewall ( Device DNS Setup Services ). If you cannot reference a valid DNS server, you can add a dummy address.
Known
10.1.8
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups ( Panorama Device Groups ) under the same device group hierarchy that are used in one or more Policies , renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B .
  2. You create address objects called AddressObjA in the Shared , DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B .
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB .
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.8
PAN-197097
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
Large Scale VPN (LSVPN) does not support IPv6 addresses on the satellite firewall.
Known
10.1.8
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.1.8
PAN-194519
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
( PA-5450 firewall only ) Trying to configure a custom payload format under Device Server Profiles HTTP yields a Javascript error.
Known
10.1.8
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.8
PAN-194424
( PA-5450 firewall only ) Upgrading to PAN-OS 10.1.6-h2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround: Restart the log receiver service by running the following CLI command: 
debug software restart process log-receiver
Known
10.1.8
PAN-194202
( PA-5450 firewall only ) If the management interface and Log Collector are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.1.8
PAN-193518
All logs ( Monitor Logs ) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Workaround: If you need to downgrade from PAN-OS 10.1 to PAN-OS 10.0 and then back to PAN-OS 10.1, downgrade to PAN-OS 10.0.11 to ensure that all logs ingested while running a PAN-OS 10.0 release remain accessible after upgrade back to PAN-OS 10.1.
Known
10.1.8
PAN-189057
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
On the Panorama management server, Panorama enters a non-functional state due to php.debug.log life taking up too much space.
Workaround: Disable the debug flag for Panorama.
  1. Log in to the Panorama web interface .
  2. In the same browser you are logged into the Panorama web interface, enter the following URL.
    https://<panorama_ip>/debug
  3. Uncheck (disable) Debug or Clear Debug .
  4. ( HA configuration ) Repeat this step on each Panorama high availability (HA) peer if Panorama is in a HA configuration.
Known
10.1.8
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys that impacts exporting logs ( Device Scheduled Log Export ), exporting configurations ( Device Scheduled Config Export ), or the scp export command in the CLI.
Workaround: Use RSA-based host keys on the destination server.
Known
10.1.8
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.1.8
PAN-179888
On the Panorama management server, the number of managed firewall ( Panorama Managed Devices Health ) Power Supplies displays an incorrect count of power supplies.
Known
10.1.8
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.1.8
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.1.8
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround: Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.8
PAN-172067
When you configure an HTTP server profile ( Device Server Profiles HTTP or Panorama Server Profiles HTTP ), the Username and Password fields are always required regardless of whether Tag Registration is enabled.
Workaround: When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require it. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.8
PAN-172061
A process ( all_pktproc ) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.8
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Known
10.1.8
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround: Remove all ACE application configurations before downgrading.
Known
10.1.8
PAN-171706
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues .
If you are using Panorama to manage firewalls with multiple virtual systems and the virtual system that is the User-ID hub uses an alias, the local commit on Panorama is successful but the commit to the firewall fails.
Known
10.1.8
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID in the Application usage widget.
Known
10.1.8
PAN-171635
If you have an on-premise Active Directory and there is an existing group mapping configuration on the firewall, if you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping even if the configuration is disabled and the firewall is rebooted, which may conflict with new mappings from the Cloud Identity Engine.
Workaround : Use the debug user-id clear domain-map command to remove the existing group mappings from the firewall.
Known
10.1.8
PAN-171224
On the Panorama management server, a custom report ( Monitor Managed Custom Reports ) with a high volume of unique data objects is not generated when you click Run Now .
Known
10.1.8
PAN-171145
If you edit or remove the value for the mail attribute in your on-premise Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.8
PAN-170923
In Policies Security Policy Optimizer New App Viewer , when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.8
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.8
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.8
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route ( Prepare to Deploy App-ID Cloud Engine describes how to do this.)
Known
10.1.8
PAN-168113
On the Panorama management server, you are unable to configure a master key ( Device Master Key and Diagnostics ) for a managed firewall if an interface ( Network Interfaces Ethernet ) references a zone pushed from Panorama.
Workaround: Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.8
PAN-167847
If you issue the command opof stats , then clear the results {opof stats -c}, the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround: Re-run the opof stats command after the offload completes.
Known
10.1.8
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to edge service.
Known
10.1.8
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the user in value in a filter query, Panorama is unable to retrieve the group membership and as a result, is unable to display this data in logs and custom reports.
Known
10.1.8
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.8
PAN-164885
This issue is now resolved. See PAN-OS 10.1.14-h6 Addressed Issues
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.8
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.8
PAN-164647
On the Panorama management server, activating a license ( Panorama Device Deployment Licenses ) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround: Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.8
PAN-164618
The VM-Series firewall CLI and system logs display the license name VM-SERIES-X , while the user interface displays VM-FLEX-X (in both cases X is the number of vCPUs). In future releases the user interface will use the VM-SERIES-X format.
Known
10.1.8
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, it displays in user@domain format in the CLI output.
Known
10.1.8
PAN-163966
On the Panorama management server, the ACC and on demand reports ( Monitor Manage Custom Reports ) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.8
PAN-162836
On the VM-Series firewall, if you select Device Licenses Deactivate VM a popup window opens and you can choose Subscriptions or Support and press Continue to remove licenses and register the changes with the license server. When the license removal is complete the Deactivate VM window does not update its text to exclude deactivated licenses or close the window.
Workaround : Wait until the license deactivation is complete, and click Cancel to close the window.
Known
10.1.8
PAN-162088
This issue is now resolved. See PAN-OS 10.1.9 Addressed Issues .
On the Panorama management server in a high availability (HA) configuration, content updates ( Panorama Dynamic Updates ) manually uploaded to the active HA peer are not synchronized to the passive HA peer when you Install a content update and enable Sync to HA Peer .
Known
10.1.8
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the No. of Groups in the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.8
PAN-161451
If you issue the command opof stats , there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state, and has no impact on the existing session.
Known
10.1.8
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if TCI policy is not configured for inspecting VXLAN traffic flows.
Workaround: On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall .
PAN-OS version 9.0 can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.8
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.8
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings ( Device Setup DLP ) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround: After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1
  2. Log in to the firewall web interface and view the Tasks to verify all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit Commit and Push to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.8
PAN-157103
Multi-channel functionality may not be properly utilized on an VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround : Execute the command debug dataplane pow status to view the number of channels being utilized by the dataplane. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       2   0   0   0   0   0     2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command debug dataplane pow status . It should now show multiple channels being utilized. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       1   1   0   0   0   0     2
Known
10.1.8
PAN-156598
( Panorama only ) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround: Use the CLI to update the combination signature.
Known
10.1.8
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit ( Commit Commit to Panorama ) failures if a custom report ( Monitor Manage Custom Reports ) is configured to Group By Session ID .
Workaround: After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.8
PAN-154034
On the Panorama management server, the Type column in the System logs ( Monitor Logs System ) for managed firewalls running a PAN-OS 9.1 release erroneously display iot as the type.
Known
10.1.8
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1
Workaround: After successful downgrade to PAN-OS 9.1, Remove Config ( Panorama Plugins ) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.8
PAN-153803
On the Panorama management server, scheduled email PDF reports ( Monitor PDF Reports ) fail if a GIF image is used in the header or footer.
Known
10.1.8
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done despite reports generated from logs in the Strata Logging Service from the PODamericas Collector Group jobs are still in a Running state.
Known
10.1.8
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.8
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates .)
Known
10.1.8
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.8
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.8
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround: Restart Panorama to connect to the IoT Security edge service.
Known
10.1.8
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.8
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround: Load the running configuration and perform a force commit to sync the devices.
Known
10.1.8
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround: Specify iot as the Type Attribute to filter the logs and use the search term as the Description Attribute . For example: ( subtype eq iot ) and ( description contains 'gRPC connection' ) .
Known
10.1.8
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.8
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround: Panorama automatically restarts the VLD and logd processes.
Known
10.1.8
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround : Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.8
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration ( Panorama SD-WAN Devices ) does not display the branch template stack as out of sync .
Additionally, adding, deleting, or modifying the BGP configuration ( Panorama SD-WAN Devices ) does not display the hub and branch template stacks as out of sync . For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync , nor does modifying the BGP configuration on the hub firewall cause the branch template stack as out of sync .
Workaround: After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.8
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround: Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.8
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates ( Panorama Managed Devices Summary ) as Out of Sync .
Workaround : When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values ( Commit Push to Devices Edit Selections ).
Known
10.1.8
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and displays the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround: Retrying fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.8
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.8
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.8
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server resulting in a delay in a log query and ingestion.
Known
10.1.8
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update ( Panorama Device Deployment Software ) but display as connected when you view your managed firewalls Summary ( Panorama Managed Devices Summary ) and from the CLI.
Workaround: Log out and log back in to the Panorama web interface.
Known
10.1.8
PAN-135742
There is an issue in HTTP2 session decryption where the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.8
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.8
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups ( Objects Address Groups ) and duplicate services in service groups ( Objects Service Groups ) when created from the CLI.
Known
10.1.8
PAN-130550
( PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls ) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.8
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround: Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.8
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.8
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.8
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.8
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2 .
Known
10.1.8
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.8
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address ( Device Setup Content ID URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
    4. Commit your changes.
  • Restart the firewall ( devsrvr ) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process: debug software restart process device-server
Known
10.1.8
PAN-116017
( Google Cloud Platform (GCP) only ) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
10.1.8
PAN-115816
( Microsoft Azure only ) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.
Known
10.1.8
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.8
PAN-112694
( Firewalls with multiple virtual systems only ) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.8
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.8
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround: Use an XML API request to unregister the tags for the subnet or range.
Known
10.1.8
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit ( Commit Commit to Panorama ) the reverted configuration to display the invalid configuration errors.
Known
10.1.8
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.8
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.8
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.8
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.8
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.8
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed ( Objects GlobalProtect HIP Objects <hip-object> General Managed ), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.8
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.8
PAN-101688
( Panorama plugins ) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all .
Known
10.1.8
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed form the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal ‘vsys eq <vsys-name> ’ <dst> | <src> in <object-name>
Known
10.1.8
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.8
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List ) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.8
PAN-97524
( Panorama management server only ) The Security Zone and Virtual System columns ( Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.8
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.8
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
10.1.8
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings ( Device Password Profiles ) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.8
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.8
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.8
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases ( Objects Security Profiles Vulnerability Protection <profile> Exceptions ). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.8
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile ( Objects Security Profiles SCTP Protection ) and you try to add the profile to an existing Security Profile Group ( Objects Security Profile Groups ), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.8
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up ( Device Setup HSM ).
Known
10.1.8
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
Known
10.1.8
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.8
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-off load no CLI command.
Known
10.1.8
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address ( Device Setup Services ).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.8
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.8
PAN-81521
Endpoints failed to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile ( Device Server Profiles Kerberos ).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.8
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session off load no CLI command.
Known
10.1.8
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama results in a validation error—the commit fails and the cluster becomes unresponsive.
Known
10.1.8
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.8
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller: 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller worker-list <worker-ip-address>
    ( <worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled. 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
yes
    or 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.8
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.8
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL , the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error ( Objects External Dynamic Lists ).
Known
10.1.8
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.8
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report ( Monitor Manage Custom Reports ). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days , the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame .
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.8
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.8
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect —The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network —When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands are blocked for 20 seconds.
Addressed
10.1.8-h8
PAN-272809
A fix was made to address CVE-2024-9474 .
Addressed
10.1.8-h7
PAN-237935
Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.
Addressed
10.1.8-h7
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.1.8-h7
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.1.8-h7
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.1.8-h7
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.1.8-h6
PAN-202450
Fixed an issue where the device-client-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.1.8-h6
PAN-198372
Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.1.8-h2
PAN-208724
Fixed an issue where port pause frame settings did not work as expected and incorrect pause frames occurred.
Addressed
10.1.8-h2
PAN-208718
Additional debug information was added to capture internal details during traffic congestion.
Addressed
10.1.8-h2
PAN-206658
Fixed a timeout issue in the Intel ixgbe driver that resulted in internal path monitoring failure.
Addressed
10.1.8-h2
PAN-206251
( PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only ) Fixed an issue where the logrcvr process did not send the system-start SNMP trap during startup.
Addressed
10.1.8-h2
PAN-205735
Fixed an issue where the mgmtsrvr process stopped responding, which caused the Panorama web interface to become inaccessible and return a 504 Gateway Not Reachable page.
Addressed
10.1.8-h2
PAN-205030
Fixed an issue where, when a session hit policy based forwarding with symmetric return enabled was not offloaded, the firewall received excessive return-mac update messages, which resulted in resource contention and traffic disruption.
Addressed
10.1.8-h2
PAN-204335
Fixed an issue where Panorama became unresponsive, and when refreshed, the error 504 Gateway not Reachable was displayed.
Addressed
10.1.8-h2
PAN-203851
Fixed an issue with firewalls in high availability (HA) configurations where host information profile (HIP) sync did not work between the active primary firewall and the active secondary firewall.
Addressed
10.1.8-h2
PAN-203653
Fixed an issue where dynamic updates were completed even when configuration commits failed, which caused the all_task process to stop responding.
Addressed
10.1.8-h2
PAN-203453
Fixed an issue on Panorama where the log query failed due to a high number of User-ID redistribution messages.
Addressed
10.1.8-h2
PAN-203402
Fixed an intermittent issue where forward session installs were delayed, which resulted in latencies.
Addressed
10.1.8-h2
PAN-203244
Fixed a path monitoring issue that caused traffic degradation.
Addressed
10.1.8-h2
PAN-202783
( PA-7000 Series firewalls with 100G NPC (Network Processing Cards) only ) Fixed an issue where sudden, large bursts of traffic destined for an interface that was down caused packet buffers to fill, which stalled path monitor heartbeat packets.
Addressed
10.1.8-h2
PAN-202544
An enhancement was made to collect CPLD register data after a path monitor failure.
Addressed
10.1.8-h2
PAN-202543
An enhancement was made to improve path monitor data collection by verifying the status of the control network.
Addressed
10.1.8-h2
PAN-202535
Fixed an issue where the Device Telemetry configuration for a region was unable to be set or edited via the web interface.
Addressed
10.1.8-h2
PAN-202361
Fixed an issue where packets queued to the pan_task process were still transmitted when the process was not responding.
Addressed
10.1.8-h2
PAN-202101
Fixed an issue where firewalls stopped responding after an upgrade due to configuration corruption.
Addressed
10.1.8-h2
PAN-202012
A debug command was introduced to control Gzip encoding for the GlobalProtect Clientless VPN application.
Addressed
10.1.8-h2
PAN-201900
Fixed an internal path monitoring failure issue that caused the dataplane to go down.
Addressed
10.1.8-h2
PAN-201858
Fixed an issue where the SD-WAN interface Maximum Transmission Unit (MTU) led to incorrect fragmentation of IPSec traffic.
Addressed
10.1.8-h2
PAN-201627
Fixed an issue in next-generation firewall deployments where, when SD-WAN was configured, the dataplane restarted if all SD-WAN member links were down due to an out-of-memory (OOM) condition or during a reboot when all SD-WAN tunnels were down.
Addressed
10.1.8-h2
PAN-198718
( PA-5280 firewalls only ) Fixed an issue where memory allocation failures caused increased decryption failures.
Addressed
10.1.8-h2
PAN-197582
Fixed an issue where, after upgrading to PAN-OS 10.1.6, the firewall reset SSL connections that used policy-based forwarding.
Addressed
10.1.8-h2
PAN-196261
Fixed an issue where inter-lc disconnected once every minute in the system logs.
Addressed
10.1.8-h2
PAN-194704
Fixed an issue with SIP ALG where improper NAT was applied when Destination NAT ran out of IP addresses.
Addressed
10.1.8-h2
PAN-194068
( PA-5200 Series firewalls only ) Fixed an issue where the firewall unexpectedly rebooted with the log message Heartbeat failed previously .
Addressed
10.1.8-h2
PAN-193928
Fixed an intermittent issue where GlobalProtect logs were not visible under device groups ( Mobile_User_Device_Group ).
Addressed
10.1.8-h2
PAN-192456
Fixed an issue where GlobalProtect SSL VPN processing during a high traffic load caused the dataplane to stop responding.
Addressed
10.1.8-h2
PAN-191408
Fixed an issue where the firewall did not correctly receive dynamic address group information from Panorama after a reboot or initial connection.
Addressed
10.1.8-h2
PAN-184766
( PA-5450 firewalls only ) Fixed an issue where the control packets for BGP, OSPF, and Bidirectional Forwarding Detection (BFD) were not assigned a QoS value of 5.
Addressed
10.1.8-h2
PAN-183757
( PA-5200 Series and PA-7000 Series firewalls only ) Fixed an issue where uneven distribution of sessions caused packet latency.
Addressed
10.1.8-h2
PAN-172452
Fixed an issue where the log file did not include all logs.
Addressed
10.1.8-h2
PAN-171143
Fixed an issue where tech support files didn't collected DP3 logs.
Addressed
10.1.8-h2
PAN-167288
Fixed an issue with the pan_task process that caused the queue to build up.
Addressed
10.1.8
PAN-204830
Fixed an issue where logging in via the web interface or CLI did not work until an auto-commit was complete.
Addressed
10.1.8
PAN-203598
Fixed an issue where, when tunnel content inspection was enabled for VXLAN, ARP over VXLAN packets were dropped.
Addressed
10.1.8
PAN-201872
Fixed an issue where SMB performance caused overall network latency after an upgrade.
Addressed
10.1.8
PAN-201818
Fixed an issue where INIT SCTP packets were dropped after being processed by the CTD, and silent drops occurred even with SCTP no-drop function enabled.
Addressed
10.1.8
PAN-201627
Fixed an issue in next-generation firewall deployments where, when SD-WAN was configured, the dataplane restarted if all SD-WAN member links were down due to an out-of-memory (OOM) condition or during a reboot when all SD-WAN tunnels were down.
Addressed
10.1.8
PAN-201357
The CLI command debug dataplane set pow no-desched yes was added to address an issue where the all_pktproc process stopped responding and caused traffic issues.
Addressed
10.1.8
PAN-199726
Fixed an issue with firewalls in HA configurations where both firewalls responded with gARP messages after a switchover.
Addressed
10.1.8
PAN-199570
Fixed an issue where uploading certificates using a custom admin role did not work as expected after a context switch.
Addressed
10.1.8
PAN-199099
Fixed an issue where, when decryption was enabled, Safari and Google Chrome browsers on Apple Mac computers rejected the server certificate created by the firewall because the Authority Key Identifier was copied from the original server certificate and did not match the Subject Key Identifier on the forward trust certificate.
Addressed
10.1.8
PAN-198871
Fixed an issue when both URL and Advanced URL licenses were installed, the expiry date was not correctly checked.
Addressed
10.1.8
PAN-198733
( PA-5450 firewalls only ) Fixed an issue where tcpdump was hardcoded to eth0 instead of bond0.
Addressed
10.1.8
PAN-198266
Fixed an issue where, when predicts for UDP packets were created, a configuration change occurred that triggered a new policy lookup, which caused the dataplane stopped responding when converting the predict. This resulted in a dataplane restart.
Addressed
10.1.8
PAN-198078
Fixed an issue where VXLAN keepalive packets were dropped randomly.
Addressed
10.1.8
PAN-197576
Fixed an issue where commits pushed from Panorama caused a memory leak related to the mgmtsrvr process.
Addressed
10.1.8
PAN-197386
Fixed an issue where traffic that was subject to network packet broker inspection entered a looping state due to incorrect session offload.
Addressed
10.1.8
PAN-196704
Fixed an issue where Preview Changes on Panorama Push to Devices incorrectly displayed changes to encrypted entries.
Addressed
10.1.8
PAN-196583
Fixed an issue where the Cisco TrustSEc plugin triggered a flood of redundant register/unregister messages due to a failed IP address tag database search.
Addressed
10.1.8
PAN-196558
Fixed an issue where IP address tag policy updates were delayed.
Addressed
10.1.8
PAN-196131
Fixed an issue where the comm process stopped responding when a show command was executed in two sessions.
Addressed
10.1.8
PAN-195107
( PA-7000s Series firewalls with LFCs only ) Fixed an issue where the IP address of the LFC displayed as unknown .
Addressed
10.1.8
PAN-194795
Fixed an issue where a dataplane 1 VCCIO voltage fluctuation triggered the chassis master alarm.
Addressed
10.1.8
PAN-194615
Fixed an issue where the packet broker session timeout value did not match the master sessions timeout value after the firewall received a TCP FIN or RST packet. The fix ensures that Broker session times out within 1 second after the master session timed out.
Addressed
10.1.8
PAN-194441
Fixed an issue where the dataplane CPU usage was higher than expected due to packet looping in the broker session when the network packet broker was enabled.
Addressed
10.1.8
PAN-189720
Fixed an issue where commits failed when downgrading a Panorama appliance running a PAN-OS 10.1 release to a PAN-OS 10.0 release.
Addressed
10.1.8
PAN-189429
Fixed a memory leak that occurred when enabling XFF (x-forwarded-for) logging in a Security policy.
Addressed
10.1.8
PAN-189270
Fixed an issue that caused a memory leak on the reportd process.
Addressed
10.1.8
PAN-188118
Fixed an issue with firewalls in FIPS mode that prevented device telemetry from connecting.
Addressed
10.1.8
PAN-181759
( Firewalls in active/active HA configurations only ) Fixed an issue where firewall configuration files were not synced.
Addressed
10.1.8
PAN-180039
Fixed an issue in 10.0.9, where executing the CLI command show transceiver-detail all resulted in the following error message: An error occurred. See dagger.log for information. .
Addressed
10.1.8
PAN-178613
( PA-400 Series firewalls only ) Fixed an issue where multiple restarts related to the all_task process occurred.
Known
10.1.9
—
If you use Panorama to retrieve logs from Strata Logging Service , new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to Strata Logging Service and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode .
Known
10.1.9
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.9
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.9
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.9
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM- <xxx> license , indicates that you must allocate the additional memory required for licensed capacity for the firewall model.
Known
10.1.9
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.9
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.9
APL-15000
When you move a firewall from one Strata Logging Service instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.9
APL-8269
For data retrieved from Strata Logging Service , the Threat Name column in Panorama ACC threat-activity appears blank.
Known
10.1.9
PLUG-12041
On an OpenShift cluster, MP pod may crash when the number of underlying threads exceeds beyond the per pod maximum limit of 1024.
Workaround: Increase the process ID (PID) limit to 2048 in worker nodes.
Known
10.1.9
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.9
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.9
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround: Retry connecting after you restart the web server with the following command: debug software restart process web-server .
Known
10.1.9
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.1.9
PAN-228273
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status is red . This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.1.9
PAN-227344
On the Panorama management server, PDF Summary Reports ( Monitor PDF Reports Manage PDF Summary ) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.9
PAN-223488
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues .
Closed ElasticSearch shards are not deleted from a Panorama M-Series or virtual appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.1.9
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.1.9
PAN-219824
File system checks on the logging drive may take more time depending on the usage and file system content, resulting in autocommits taking longer to complete than expected.
Known
10.1.9
PAN-219644
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues .
Firewalls forwarding logs to a syslog server over TLS ( Objects Log Forwarding ) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
10.1.9
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.9
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.1.9
PAN-216314
This issue is now resolved. See PAN-OS 10.1.9-h3 Addressed Issues .
Upon upgrade or downgrade to or from PAN-OS 10.1.9 or 10.1.9-h1, offloaded application traffic sessions may disconnect after a period of time even if a session is active. The disconnect occurs after the application's default session timeout value is exceeded. This behavior affects only PAN-OS 10.1.9 and 10.1.9-h1. If you are on PAN-OS 10.1.9 and 10.1.9-h1, please use the following workaround. If you have already upgraded or downgraded to another PAN-OS version, use the following workaround in that version.
Workaround: Run the CLI command debug dataplane internal pdt fe100 csr wr_sem_ctrl_ctr_scan_dis value 0 to set the value to zero (0).
Known
10.1.9
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings ( Device High Availability ) in a template or template stack ( Panorama Templates ), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync .
Known
10.1.9
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.1.9
PAN-212889
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues .
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor ( Monitor App Scope Threat Monitor ) and ACC . This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor.
Known
10.1.9
PAN-211728
For VM-Series firewalls leveraging SD-WAN and deployed on VMware ESXi running VMX-13, Auto-Commits fail after upgrade to PAN-OS 10.1.9 and display the error:
total SD-WAN interfaces 3 exceed the platform maximum 0
Workaround: Attach a serial console to the VM-Series firewall before upgrade to PAN-OS 10.1.9.
Known
10.1.9
PAN-208325
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues .
The following NextGen firewalls are unable to automatically renew the device certificate ( Device Setup Management or Panorama Setup Management ).
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-5450 Firewall
Workaround: Log in to the firewall CLI and fetch the device certificate. 
admin>request certificate fetch
Known
10.1.9
PAN-208189
This issue is now resolved. See PAN-OS 10.1.9-h3 Addressed Issues and PAN-OS 10.1.10 Addressed Issues .
Traffic fails to match and reach all destinations if a Security policy rule includes FQDN objects that resolve to two or more IP addresses.
Known
10.1.9
PAN-206268
This issue is now resolved. See PAN-OS 10.1.10 Addressed Issues .
On the Panorama management server, the Auth Key field was erroneously displayed when you configure the Panorama Settings ( Device Setup Management ) as part of a template or template stack configuration.
Known
10.1.9
PAN-204689
Upon upgrade to PAN-OS 10.1.9, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App Allow with Passcode
  • Allow user to Disable GlobalProtect App Allow with Passcode
  • Allow User to Uninstall GlobalProtect App Allow with Password
Known
10.1.9
PAN-201855
On the Panorama management server, cloning any template ( Panorama Templates ) corrupts certificates ( Device Certificate Management Certificates ) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have template A, B, and C where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with Block Private Key Export setting enabled in templates A and B.
Workaround: After cloning a template, delete and re-import the corrupted certificates.
Known
10.1.9
PAN-199557
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround: Manually reboot the Active Panorama HA peer.
Known
10.1.9
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups ( Panorama Device Groups ) under the same device group hierarchy that are used in one or more Policies , renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B .
  2. You create address objects called AddressObjA in the Shared , DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B .
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB .
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.9
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.1.9
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.9
PAN-194424
( PA-5450 firewall only ) Upgrading to PAN-OS 10.1.6-h2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround: Restart the log receiver service by running the following CLI command: 
debug software restart process log-receiver
Known
10.1.9
PAN-194202
( PA-5450 firewall only ) If the management interface and Log Collector are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.1.9
PAN-193518
All logs ( Monitor Logs ) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Workaround: If you need to downgrade from PAN-OS 10.1 to PAN-OS 10.0 and then back to PAN-OS 10.1, downgrade to PAN-OS 10.0.11 to ensure that all logs ingested while running a PAN-OS 10.0 release remain accessible after upgrade back to PAN-OS 10.1.
Known
10.1.9
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys that impacts exporting logs ( Device Scheduled Log Export ), exporting configurations ( Device Scheduled Config Export ), or the scp export command in the CLI.
Workaround: Use RSA-based host keys on the destination server.
Known
10.1.9
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.1.9
PAN-179888
On the Panorama management server, the number of managed firewall ( Panorama Managed Devices Health ) Power Supplies displays an incorrect count of power supplies.
Known
10.1.9
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.1.9
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.1.9
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround: Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.9
PAN-172067
When you configure an HTTP server profile ( Device Server Profiles HTTP or Panorama Server Profiles HTTP ), the Username and Password fields are always required regardless of whether Tag Registration is enabled.
Workaround: When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require it. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.9
PAN-172061
A process ( all_pktproc ) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.9
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Known
10.1.9
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround: Remove all ACE application configurations before downgrading.
Known
10.1.9
PAN-171706
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues .
If you are using Panorama to manage firewalls with multiple virtual systems and the virtual system that is the User-ID hub uses an alias, the local commit on Panorama is successful but the commit to the firewall fails.
Known
10.1.9
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID in the Application usage widget.
Known
10.1.9
PAN-171635
If you have an on-premise Active Directory and there is an existing group mapping configuration on the firewall, if you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping even if the configuration is disabled and the firewall is rebooted, which may conflict with new mappings from the Cloud Identity Engine.
Workaround : Use the debug user-id clear domain-map command to remove the existing group mappings from the firewall.
Known
10.1.9
PAN-171224
On the Panorama management server, a custom report ( Monitor Managed Custom Reports ) with a high volume of unique data objects is not generated when you click Run Now .
Known
10.1.9
PAN-171145
If you edit or remove the value for the mail attribute in your on-premise Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.9
PAN-170923
In Policies Security Policy Optimizer New App Viewer , when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.9
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.9
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.9
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route ( Prepare to Deploy App-ID Cloud Engine describes how to do this.)
Known
10.1.9
PAN-168113
On the Panorama management server, you are unable to configure a master key ( Device Master Key and Diagnostics ) for a managed firewall if an interface ( Network Interfaces Ethernet ) references a zone pushed from Panorama.
Workaround: Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.9
PAN-167847
If you issue the command opof stats , then clear the results {opof stats -c}, the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround: Re-run the opof stats command after the offload completes.
Known
10.1.9
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to edge service.
Known
10.1.9
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the user in value in a filter query, Panorama is unable to retrieve the group membership and as a result, is unable to display this data in logs and custom reports.
Known
10.1.9
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.9
PAN-164885
This issue is now resolved. See PAN-OS 10.1.14-h6 Addressed Issues
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.9
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.9
PAN-164647
On the Panorama management server, activating a license ( Panorama Device Deployment Licenses ) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround: Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.9
PAN-164618
The VM-Series firewall CLI and system logs display the license name VM-SERIES-X , while the user interface displays VM-FLEX-X (in both cases X is the number of vCPUs). In future releases the user interface will use the VM-SERIES-X format.
Known
10.1.9
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, it displays in user@domain format in the CLI output.
Known
10.1.9
PAN-163966
On the Panorama management server, the ACC and on demand reports ( Monitor Manage Custom Reports ) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.9
PAN-162836
On the VM-Series firewall, if you select Device Licenses Deactivate VM a popup window opens and you can choose Subscriptions or Support and press Continue to remove licenses and register the changes with the license server. When the license removal is complete the Deactivate VM window does not update its text to exclude deactivated licenses or close the window.
Workaround : Wait until the license deactivation is complete, and click Cancel to close the window.
Known
10.1.9
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the No. of Groups in the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.9
PAN-161451
If you issue the command opof stats , there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state, and has no impact on the existing session.
Known
10.1.9
PAN-160633
This issue is now resolved. See PAN-OS 10.1.10-h2 Addressed Issues .
( PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only ) The dataplane restarts repeatedly due to internal path monitoring failures until a power cycle.
Known
10.1.9
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if TCI policy is not configured for inspecting VXLAN traffic flows.
Workaround: On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall .
PAN-OS version 9.0 can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.9
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.9
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings ( Device Setup DLP ) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround: After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1
  2. Log in to the firewall web interface and view the Tasks to verify all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit Commit and Push to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.9
PAN-157103
Multi-channel functionality may not be properly utilized on an VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround : Execute the command debug dataplane pow status to view the number of channels being utilized by the dataplane. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       2   0   0   0   0   0     2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command debug dataplane pow status . It should now show multiple channels being utilized. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       1   1   0   0   0   0     2
Known
10.1.9
PAN-156598
( Panorama only ) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround: Use the CLI to update the combination signature.
Known
10.1.9
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit ( Commit Commit to Panorama ) failures if a custom report ( Monitor Manage Custom Reports ) is configured to Group By Session ID .
Workaround: After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.9
PAN-154034
On the Panorama management server, the Type column in the System logs ( Monitor Logs System ) for managed firewalls running a PAN-OS 9.1 release erroneously display iot as the type.
Known
10.1.9
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1
Workaround: After successful downgrade to PAN-OS 9.1, Remove Config ( Panorama Plugins ) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.9
PAN-153803
On the Panorama management server, scheduled email PDF reports ( Monitor PDF Reports ) fail if a GIF image is used in the header or footer.
Known
10.1.9
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done despite reports generated from logs in the Strata Logging Service from the PODamericas Collector Group jobs are still in a Running state.
Known
10.1.9
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.9
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates .)
Known
10.1.9
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.9
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.9
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround: Restart Panorama to connect to the IoT Security edge service.
Known
10.1.9
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.9
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround: Load the running configuration and perform a force commit to sync the devices.
Known
10.1.9
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround: Specify iot as the Type Attribute to filter the logs and use the search term as the Description Attribute . For example: ( subtype eq iot ) and ( description contains 'gRPC connection' ) .
Known
10.1.9
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.9
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround: Panorama automatically restarts the VLD and logd processes.
Known
10.1.9
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround : Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.9
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration ( Panorama SD-WAN Devices ) does not display the branch template stack as out of sync .
Additionally, adding, deleting, or modifying the BGP configuration ( Panorama SD-WAN Devices ) does not display the hub and branch template stacks as out of sync . For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync , nor does modifying the BGP configuration on the hub firewall cause the branch template stack as out of sync .
Workaround: After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.9
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround: Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.9
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates ( Panorama Managed Devices Summary ) as Out of Sync .
Workaround : When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values ( Commit Push to Devices Edit Selections ).
Known
10.1.9
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and displays the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround: Retrying fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.9
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.9
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.9
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server resulting in a delay in a log query and ingestion.
Known
10.1.9
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update ( Panorama Device Deployment Software ) but display as connected when you view your managed firewalls Summary ( Panorama Managed Devices Summary ) and from the CLI.
Workaround: Log out and log back in to the Panorama web interface.
Known
10.1.9
PAN-135742
There is an issue in HTTP2 session decryption where the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.9
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.9
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups ( Objects Address Groups ) and duplicate services in service groups ( Objects Service Groups ) when created from the CLI.
Known
10.1.9
PAN-130550
( PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls ) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.9
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround: Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.9
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.9
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.9
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.9
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2 .
Known
10.1.9
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.9
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address ( Device Setup Content ID URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
    4. Commit your changes.
  • Restart the firewall ( devsrvr ) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process: debug software restart process device-server
Known
10.1.9
PAN-116017
( Google Cloud Platform (GCP) only ) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
10.1.9
PAN-115816
( Microsoft Azure only ) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.
Known
10.1.9
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.9
PAN-112694
( Firewalls with multiple virtual systems only ) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.9
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.9
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround: Use an XML API request to unregister the tags for the subnet or range.
Known
10.1.9
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit ( Commit Commit to Panorama ) the reverted configuration to display the invalid configuration errors.
Known
10.1.9
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.9
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.9
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.9
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.9
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.9
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed ( Objects GlobalProtect HIP Objects <hip-object> General Managed ), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.9
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.9
PAN-101688
( Panorama plugins ) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all .
Known
10.1.9
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed form the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal ‘vsys eq <vsys-name> ’ <dst> | <src> in <object-name>
Known
10.1.9
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.9
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List ) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.9
PAN-97524
( Panorama management server only ) The Security Zone and Virtual System columns ( Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.9
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.9
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
10.1.9
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings ( Device Password Profiles ) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.9
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.9
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.9
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases ( Objects Security Profiles Vulnerability Protection <profile> Exceptions ). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.9
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile ( Objects Security Profiles SCTP Protection ) and you try to add the profile to an existing Security Profile Group ( Objects Security Profile Groups ), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.9
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up ( Device Setup HSM ).
Known
10.1.9
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
Known
10.1.9
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.9
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-off load no CLI command.
Known
10.1.9
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address ( Device Setup Services ).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.9
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.9
PAN-81521
Endpoints failed to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile ( Device Server Profiles Kerberos ).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.9
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session off load no CLI command.
Known
10.1.9
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama results in a validation error—the commit fails and the cluster becomes unresponsive.
Known
10.1.9
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.9
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller: 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller worker-list <worker-ip-address>
    ( <worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled. 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
yes
    or 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.9
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.9
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL , the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error ( Objects External Dynamic Lists ).
Known
10.1.9
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.9
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report ( Monitor Manage Custom Reports ). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days , the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame .
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.9
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.9
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect —The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network —When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands are blocked for 20 seconds.
Addressed
10.1.9-h14
PAN-272809
A fix was made to address CVE-2024-9474 .
Addressed
10.1.9-h14
PAN-259910
Fixed an issue where the firewall reported the same value over consecutive SNMP polls when asynchronous mode was enabled.
Addressed
10.1.9-h14
PAN-257197
Fixed an issue where ifType and ifSpeed were not populated in asynchronous mode of SNMP operations.
Addressed
10.1.9-h14
PAN-256181
Fixed an issue where the management interface and front panel port interface statistics were not populated in asynchronous mode of SNMP operations.
Addressed
10.1.9-h14
PAN-252517
Fixed an issue where SNMP failed to respond to multiple Object Identifier (OID) queries in a single SNMP GET request.
Addressed
10.1.9-h14
PAN-220767
Fixed an issue where, at the beginning of a session, out of order packets with a TCP payload were truncated with a non-zero trailer.
Addressed
10.1.9-h14
PAN-208240
Fixed an issue where, when attempting to replace an existing certificate, importing a new certificate with the same name as the existing certificate failed due to mismatched public and private keys.
Addressed
10.1.9-h8
PAN-237935
Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.
Addressed
10.1.9-h8
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.1.9-h8
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.1.9-h8
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.1.9-h8
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.1.9-h6
PAN-222712
( PA-5450 firewalls only ) Fixed a low frequency DPC restart issue.
Addressed
10.1.9-h3
PAN-217431
( PA-5400 Series firewalls with DPC (Data Processing Cards) only ) Fixed an issue with slot 2 DPCs where URL filtering did not work as expected after upgrading to PAN-OS 10.1.9.
Addressed
10.1.9-h3
PAN-216710
Fixed an issue with firewalls in active/active high availability configurations where GlobalProtect disconnected when the original suspected Active-Primary firewall became Active-Secondary.
Addressed
10.1.9-h3
PAN-216656
Fixed an issue where the firewall was unable to fully process the user list from a child group when the child group contained more than 1,500 users.
Addressed
10.1.9-h3
PAN-216314
( PA-3200 Series firewalls only ) Fixed an issue where, after upgrading to or from PAN-OS 10.1.9 or PAN-OS 10.1.9-h1, offloaded application traffic sessions disconnected even when a session was active. This occurred due to the application default session timeout value being exceeded.
Addressed
10.1.9-h3
PAN-216036
Fixed an issue where the all_pktproc process stopped responding, which caused the firewall to enter a nonfunctional state.
Addressed
10.1.9-h3
PAN-215488
Fixed an issue where an expired Trusted Root CA was used to sign the forward proxy leaf certificate during SSL Decryption.
Addressed
10.1.9-h3
PAN-215461
Fixed an issue where the packet descriptor leaked over time with GRE tunnels and keepalives.
Addressed
10.1.9-h3
PAN-214331
Fixed an issue on Panorama where the configd process stopped responding when a content update for a managed firewall was run using the scheduler.
Addressed
10.1.9-h3
PAN-211870
Fixed an issue where path monitoring failure occurred, which caused high availability failover.
Addressed
10.1.9-h3
PAN-211519
Fixed an issue where RTP/RTCP packets were dropped for SIP calls by SIP ALG when the source NAT translation type was persistent Dynamic IP And Port .
Addressed
10.1.9-h3
PAN-208189
Fixed an issue when traffic failed to match and reach all destinations if a Security policy rule includes FQDN objects that resolve to two or more IP addresses.
Addressed
10.1.9-h3
PAN-207455
Fixed an issue where the pan_task process stopped responding when processing client certificate requests from the server in TLS1.3.
Addressed
10.1.9-h1
PAN-213661
Fixed an issue where memory allocation failure caused dataplane processes to restart. This issue occurred when decryption was enabled and the device is under heavy L7 usage.
Addressed
10.1.9-h1
PAN-211242
Fixed an issue where missed heartbeats caused the Data Processing Card (DPC) and its corresponding Network Processing Card (NPC) to restart due to internal packet path monitoring failure.
Addressed
10.1.9-h1
PAN-210327
( PA-5200 Series firewalls only ) Fixed an issue where upgrading to PAN-OS 10.1.7, an internal loop caused an increase in the packets received per second.
Addressed
10.1.9-h1
PAN-209069
Fixed an issue where IP addresses in the X-Forwarded-For (XFF) field were not logged when the IP address contained an associated port number.
Addressed
10.1.9-h1
PAN-209021
Fixed an issue where packets were fragmented when SD-WAN VPN tunnel was configured on aggregate ethernet interfaces and sub-interfaces.
Addressed
10.1.9-h1
PAN-208987
( PA-5400 Series only ) Fixed an issue where packets were not transmitted from the firewall if its fragments were received on different slots. This occurred when aggregate ethernet (AE) members in an AE interface were placed on a different slot.
Addressed
10.1.9-h1
PAN-207740
Fixed an issue that resulted in a race condition, which caused the configd process to stop responding.
Addressed
10.1.9-h1
PAN-207400
Fixed an issue on Octeon based dplatforms where fragmented VLAN tagged packets dropped on an aggregate interface.
Addressed
10.1.9-h1
PAN-205255
Fixed a rare issue that caused the dataplane to restart unexpectedly.
Addressed
10.1.9-h1
PAN-203137
( PA-5450 firewalls only ) Fixed an issue where HSCI ports did not come up when QSFP DAC cables were used.
Addressed
10.1.9-h1
PAN-186412
Fixed an issue where invalid packet-ptr was seen in work entries.
Addressed
10.1.9
WIF-707
Fixed an issue where, when connections from the firewall to the cloud took longer than expected, the connection timed out. With this fix, the timeout was extended to accommodate slower networks.
Addressed
10.1.9
PAN-210561
Fixed an issue where the all_task process repeatedly restarted due to missed heartbeats.
Addressed
10.1.9
PAN-210331
Fixed an issue where the firewall did not send device telemetry files to Cortex Data Lake with the error message Send File to CDL Receiver Failed .
Addressed
10.1.9
PAN-210080
Fixed an issue where the useridd process stopped responding when add and delete member parameters in an incremental sync query were empty.
Addressed
10.1.9
PAN-209226
Fixed an issue where the feature bits function reused shared memory, which resulted in a memory allocation error and caused the dataplane to go down.
Addressed
10.1.9
PAN-209036
Fixed an issue where the dataplane restarted, which led to slot failures occurring and a core file being generated.
Addressed
10.1.9
PAN-208724
Fixed an issue where port pause frame settings did not work as expected and incorrect pause frames occurred.
Addressed
10.1.9
PAN-208718
Additional debug information was added to capture internal details during traffic congestion.
Addressed
10.1.9
PAN-208711
( PA-5200 Series firewalls only )The CLI command debug dataplane set pow no-desched yes/no was added to address an issue where the all_pktproc process stopped responding and caused traffic issues.
Addressed
10.1.9
PAN-208537
Fixed an issue where the licensed-device-capacity was reduced when multiple device management license key files were present.
Addressed
10.1.9
PAN-208343
Fixed an issue where telemetry regions were not visible on Panorama.
Addressed
10.1.9
PAN-208157
Fixed an issue where malformed hints sent from the firewall caused the logd process to stop responding on Panorama, which caused a system reboot into maintenance mode.
Addressed
10.1.9
PAN-208037
Fixed an issue where NAT64 traffic using the reserved prefix 64:ff9b::/96 was incorrectly dropped when strict-ip-check was enabled under zone protection.
Addressed
10.1.9
PAN-207983
Fixed an issue on Panorama in Management Only mode where the logdb database incorrectly collected traffic, threat, GTP, decryption, and corresponding summary logs.
Addressed
10.1.9
PAN-207940
Fixed an issue where platforms with RAID disk checks were performed weekly, which caused logs to incorrectly state that RAID was rebuilding.
Addressed
10.1.9
PAN-207891
Fixed an issue on Panorama where log migration did not complete after an upgrade.
Addressed
10.1.9
PAN-207738
Fixed an issue where the ocsp-next-update-time CLI command did not execute for leaf certificates with certificate chains that did not specify OCSP or CRL URLs. As a result, the next update time was 60 minutes even if a different time was set.
Addressed
10.1.9
PAN-207623
Fixed an issue on Panorama where log migration did not complete as expected.
Addressed
10.1.9
PAN-207610
( PA-5200 Series and PA-7000 Series firewalls only ) Fixed an issue where Log Admin Activity was not visible on the web interface.
Addressed
10.1.9
PAN-207601
Fixed an issue where URL cloud connections were unable to resolve the proxy server hostname.
Addressed
10.1.9
PAN-207390
Fixed an issue where, even after disabling Telemetry, Telemetry system logs were still generated.
Addressed
10.1.9
PAN-207260
Fixed an issue where commit operations performed by a Device Group and Template administrator reverted the passwords of other users in the same role.
Addressed
10.1.9
PAN-207045
( PA-800 Series firewalls only ) Fixed an issue where PAN-SFP-SX transceivers used on ports 5 to 8 did not renegotiate with peer ports after a reload.
Addressed
10.1.9
PAN-206858
Fixed an issue where a segmentation fault occurred due to the useridd process being restarted.
Addressed
10.1.9
PAN-206755
Fixed an issue when a scheduled multi-device group push occurred, the configd process stopped responding, which caused the push to fail.
Addressed
10.1.9
PAN-206684
( PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only ) Fixed an issue where, after upgrading the firewall from a PAN-OS 10.0 release to a PAN-OS 10.1 release, the firewall did not duplicate logs to local log collectors or to Strata Logging Service when a device certificate was already installed.
Addressed
10.1.9
PAN-206658
Fixed a timeout issue in the Intel ixgbe driver that resulted in internal path monitoring failure.
Addressed
10.1.9
PAN-206629
( VM-Series firewalls in AWS environments only ) Fixed an issue where a newly bootstrapped firewalls did not forward logs to Panorama.
Addressed
10.1.9
PAN-206393
( PA-5280 firewalls only ) Fixed an issue where memory allocation errors caused decryption failures that disrupted traffic with SSL forward proxy enabled.
Addressed
10.1.9
PAN-206251
( PA-7000 Series firewalls with LFCs only ) Fixed an issue where the logrcvr process did not send the system-start SNMP trap during startup.
Addressed
10.1.9
PAN-206233
Fixed an issue where the pan_comm process stopped responding when a content update and a cloud application update occurred at the same time.
Addressed
10.1.9
PAN-206077
Fixed an issue on firewalls in active/active high availability (HA) configurations where, after upgrading to PAN-OS 10.1.6-h6, the active primary firewall did not send HIP reports to the active secondary firewall.
Addressed
10.1.9
PAN-206017
Fixed an issue where the show dos-protection rule command displayed a character limit error.
Addressed
10.1.9
PAN-205877
( PA-5450 firewalls only ) Added debug commands for an issue where a MAC address flap occurred on a neighbor firewall when connecting both MGT-A and MGT-B interfaces.
Addressed
10.1.9
PAN-205805
Fixed an issue where Generic routing encapsulation (GRE) traffic was only allowed in one direction when tunnel content inspection (TCI) was enabled.
Addressed
10.1.9
PAN-205729
( PA-3200 Series and PA-7000 Series firewalls only ) Fixed an issue where the CPLD watchdog timeout caused the firewall to reboot unexpectedly.
Addressed
10.1.9
PAN-205699
Fixed an issue where the cloud plugin configuration was automatically deleted from Panorama after a reboot or a configd process restart.
Addressed
10.1.9
PAN-205590
Fixed an issue where the fan tray fault LED light was on even though no alarm was reported in the system environment.
Addressed
10.1.9
PAN-205453
Fixed an issue where running reports or queries under a user group caused the reportd process to stop responding.
Addressed
10.1.9
PAN-205396
Fixed an issue where SD-WAN adaptive SaaS path monitoring did not work correctly during a next hop link down failure.
Addressed
10.1.9
PAN-205260
Fixed an issue where there was an IP address conflict after a reboot due to a transaction ID collision.
Addressed
10.1.9
PAN-205231
Fixed an issue where a commit operation remained at 55% for longer than expected if more than 7,500 Security policy rules were configured.
Addressed
10.1.9
PAN-205222
Fixed an issue where you were unable to add a new application in a selected policy rule.
Addressed
10.1.9
PAN-205211
Fixed an issue where the reportd process stopped responding while querying logs ( Monitor > Logs > <logtype> ).
Addressed
10.1.9
PAN-205123
Fixed an issue where the pan_task process stopped responding due to a timing issue during ECDSA processing.
Addressed
10.1.9
PAN-205096
Fixed an issue where promoted sessions were not synced with all cluster members in an HA cluster.
Addressed
10.1.9
PAN-205030
Fixed an issue where, when a session hit policy based forwarding with symmetric return enabled was not offloaded, the firewall received excessive return-mac update messages, which resulted in resource contention and traffic disruption.
Addressed
10.1.9
PAN-204952
Fixed an issue where the GlobalProtect portal continued to generate new authentication cookies even when a user had already authenticated with a valid cookie.
Addressed
10.1.9
PAN-204892
Fixed an issue on Panorama where the web interface was not accessible and displayed the error 504 Gateway Not Reachable due to the mgmtsrvr process not responding.
Addressed
10.1.9
PAN-204749
Fixed an issue where sudden, large bursts of traffic destined for an interface that was down caused packet buffers to fill, which stalled path monitor heartbeat packets.
Addressed
10.1.9
PAN-204582
Fixed an issue where, when a firewall acting as a DHCP client received a new DHCP IP address, the firewall did not release old DHCP IP addresses from the IP address stack.
Addressed
10.1.9
PAN-204581
Fixed an issue where, when accessing a web application via the GlobalProtect Clientless VPN, the web application landing page continuously reloaded.
Addressed
10.1.9
PAN-204575
( PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only ) Fixed an issue where the firewall did not forward logs to the log collector.
Addressed
10.1.9
PAN-204482
Fixed an issue where searching threat logs ( Monitor > Logs > Threat ) using the partial hash parameter did not work, which resulted in an invalid operator error.
Addressed
10.1.9
PAN-204456
Fixed an issue related to the logd process that caused high memory consumption.
Addressed
10.1.9
PAN-204271
Fixed an issue where the quarantine device list did not display due to the maximum memory being reached.
Addressed
10.1.9
PAN-204238
Fixed an issue where, when View Rulebase as Groups was enabled, the Tags field did not display a scroll down arrow for navigation.
Addressed
10.1.9
PAN-204216
Fixed an issue where URL categorization failed and the firewall displayed the URL category as not-resolved for all traffic and the following error message was displayed in the device server logs Error(43): A libcurl function was given a bad argument .
Addressed
10.1.9
PAN-204118
Fixed an issue where browser sessions stopped responding for device group template admin users with access domains that had many device groups or templates.
Addressed
10.1.9
PAN-204068
Fixed an issue where a newly created vsys (virtual system) in a template was not able to be pushed from Panorama to the firewall.
Addressed
10.1.9
PAN-203984
Fixed an issue where the logrcvr process restarted after the firewall was power cycled or rebooted.
Addressed
10.1.9
PAN-203964
( Firewalls in FIPS-CC mode only ) Fixed an issue where the firewall went into maintenance mode due to downloading a corrupted software image, which resulted in the error message FIPS-CC failure. Image File Authentication Error .
Addressed
10.1.9
PAN-203851
Fixed an issue with firewalls in HA configurations where host information profile (HIP) sync did not work between peer firewalls.
Addressed
10.1.9
PAN-203796
Fixed an issue where legitimate syn+ack packets were dropped after an invalid syn+ack packet was ingressed.
Addressed
10.1.9
PAN-203681
( Panorama appliances in FIPS-CC mode only ) Fixed an issue where a leaf certificate was unable to be imported into a template stack.
Addressed
10.1.9
PAN-203618
Fixed an issue where, when SSL/TLS Handshake Inspection was enabled, SSL/TLS sessions were incorrectly reset if a Security policy rule with no Security profiles configured was matched.
Addressed
10.1.9
PAN-203563
Fixed an issue with Content and Threat Detection allocation storage space where performing a commit failed with a CUSTOM_UPDATE_BLOCK error message.
Addressed
10.1.9
PAN-203453
Fixed an issue on Panorama where the log query failed due to a high number of User-ID redistribution messages.
Addressed
10.1.9
PAN-203430
Fixed an issue where, when the User-ID agent had collector name/secret configured, the configuration was mandatory on clients on PAN-OS 10.0 and later releases.
Addressed
10.1.9
PAN-203362
Fixed an issue where the rasmgr process restarted due to a null reference.
Addressed
10.1.9
PAN-203330
Fixed an issue where the certificate for an External Dynamic List (EDL) incorrectly changed from invalid to valid, which caused the EDL file to be removed.
Addressed
10.1.9
PAN-203320
Fixed an issue where configuring the firewall to connect with Panorama using an auth key and creating the auth key without adding the managed firewall to Panorama first, the auth key was incorrectly decreased incrementally.
Addressed
10.1.9
PAN-203244
Fixed a path monitoring issue that caused traffic degradation.
Addressed
10.1.9
PAN-203147
( Firewalls in FIPS-CC mode only ) Fixed an issue where the firewall unexpectedly rebooted when downloading a new PAN-OS software image.
Addressed
10.1.9
PAN-202918
Fixed an issue where processing route-table entries did not work as expected.
Addressed
10.1.9
PAN-202722
Fixed an issue where the factor completion time for login events learned through XML API displayed as 1969/21/31 19:00:00 .
Addressed
10.1.9
PAN-202593
Fixed an issue where expanding Global Find results displayed only the top level and second level of a searched item.
Addressed
10.1.9
PAN-202544
An enhancement was made to collect CPLD register data after a path monitor failure.
Addressed
10.1.9
PAN-202543
An enhancement was made to improve path monitor data collection by verifying the status of the control network.
Addressed
10.1.9
PAN-202361
Fixed an issue where packets queued to the pan_task process were still transmitted when the process was not responding.
Addressed
10.1.9
PAN-202339
( VM-Series firewalls on Amazon Web Services (AWS) only ) Fixed an issue where the firewall displayed reduced throughput of SSL traffic.
Addressed
10.1.9
PAN-202295
Fixed an issue where read-only superusers were unable to see the Commit All job status, warnings, or errors for Panorama device groups.
Addressed
10.1.9
PAN-202282
Fixed an issue where stats dump files did not display all necessary reports.
Addressed
10.1.9
PAN-202264
( VM-Series firewalls only ) Fixed an issue where an automatic site license activation for a PAYG license did not register in the Customer Support Portal.
Addressed
10.1.9
PAN-202248
Fixed an issue where, due to a tunnel content inspection (TCI) policy match, IPSec traffic did not pass through the firewall when NAT was performed on the traffic.
Addressed
10.1.9
PAN-202247
Fixed an issue with firewalls in HA configurations where the firewall dropped IKE SA connections if the peer firewall received an INVALID_SPI message. This occurred even though no IKE SA was associated with the SPI in the received INVALID-SPI payload.
Addressed
10.1.9
PAN-202208
Fixed an issue where high CPU was experienced when requests from the dataplane to the management plane for username and User ID timed out.
Addressed
10.1.9
PAN-202194
Fixed an SD-WAN link issue that occurred when Aggregate Ethernet without a member interface was configured as an SD-WAN interface.
Addressed
10.1.9
PAN-202140
Fixed an issue where the comm process stopped responding due to an OOM condition.
Addressed
10.1.9
PAN-202101
Fixed an issue where firewalls stopped responding after an upgrade due to configuration corruption.
Addressed
10.1.9
PAN-202040
( PA-220 firewalls only ) Fixed an issue where ECDSA fingerprints were not displayed.
Addressed
10.1.9
PAN-202012
A debug command was introduced to control Gzip encoding for the GlobalProtect Clientless VPN application.
Addressed
10.1.9
PAN-201954
Fixed an issue where NAT policy rules were deleted on managed devices after a successful push from Panorama to multiple device groups. This occurred when NAT policy rules had device_tags selected in the target section.
Addressed
10.1.9
PAN-201910
PAN-OS security profiles might consume a large amount of memory depending on the profile configuration and quantity. In some cases, this might reduce the number of supported security profiles below the stated maximum for a given platform.
Addressed
10.1.9
PAN-201900
Fixed an internal path monitoring failure issue that caused the dataplane to go down.
Addressed
10.1.9
PAN-201701
Fixed an issue where the firewall generated system log alerts if the raid for a system or log disk was corrupted.
Addressed
10.1.9
PAN-201639
Fixed an issue with Saas Application Usage reports where Applications with Risky Characteristics displayed only two applications per section.
Addressed
10.1.9
PAN-201632
Fixed an issue where the all_task stopped responding with a segmentation fault due to an invalid interface port.
Addressed
10.1.9
PAN-201587
Fixed an issue where the App Pcaps directory size was incorrectly detected which caused commit errors.
Addressed
10.1.9
PAN-201580
Fixed an issue where the useridd process stopped responding due to an invalid vsys_id request.
Addressed
10.1.9
PAN-201360
Fixed an issue with Panorama managed log collector statistics where the oldest logs displayed on the primary Panorama appliance and the secondary Panorama appliance did not match.
Addressed
10.1.9
PAN-201189
Added the max-kb filter for the show session info CLI command to troubleshoot instances when the firewall went down due to software packet buffer depletion.
Addressed
10.1.9
PAN-201136
Fixed an issue where IGMP packets were offloaded with frequent IGMP Join and Leave messages from the client.
Addressed
10.1.9
PAN-200946
Fixed an issue with firewalls in active/passive HA configurations where GRE tunnels went down due to recursive routing when the passive firewall was booting up. When the passive firewall became active and no recursive routing was configured, the GRE tunnel remained down.
Addressed
10.1.9
PAN-200845
( M-600 Appliances in Management-only mode only ) Fixed an issue where XML API queries failed due to the configuration size being larger than expected.
Addressed
10.1.9
PAN-200822
Fixed an issue where reports were not generated in the docm file type.
Addressed
10.1.9
PAN-200775
( VM-Series firewalls only Microsoft Azure environments only ) Fixed an issue where negotiation and speed were not displayed on Ethernet interfaces.
Addressed
10.1.9
PAN-200463
Fixed an issue where disabling strict-username-check did not apply to admin users authenticating with SAML.
Addressed
10.1.9
PAN-200160
Fixed a memory leak issue on Panorama related to the logd process that caused an out-of-memory (OOM) condition.
Addressed
10.1.9
PAN-200116
Fixed an issue where Elasticsearch displayed RED due to frequent tunnel check failures between HA clusters.
Addressed
10.1.9
PAN-200102
Fixed an issue on the firewall web interface that prevented applications from loading under any policy or in any location where application IDs were able to be refreshed.
Addressed
10.1.9
PAN-200095
Fixed an issue where Panorama troubleshooting tests for log collector connectivity did not return results from log collectors running PAN-OS 10.1 releases.
Addressed
10.1.9
PAN-200035
Fixed an issue where the firewall reported General TLS Protocol Error for TLSv1.3 when the firewall closed a TCP connection to the server via a FIN packet without waiting for the handshake to complete.
Addressed
10.1.9
PAN-199807
Fixed an issue where the dataplane frequently restarted due to high memory usage on wifclient.
Addressed
10.1.9
PAN-199661
( VM-Series firewalls in ESXI environments only ) Fixed an issue where the number of used packet buffers was not calculated properly, and packet buffers displayed as a higher value than the correct value, which triggered PBP Alerts. This occurred when the driver name was not compatible with new DPDK versions.
Addressed
10.1.9
PAN-199612
Fixed a sync issue with firewalls in active/active HA configurations.
Addressed
10.1.9
PAN-199500
Fixed an issue where, when many NAT policy rules were configured, the pan_comm process stopped responding after a configuration commit due to a high number of debug messages.
Addressed
10.1.9
PAN-199410
Fixed an issue where system logs for syslog activities were categorized as general under Type and EVENT columns.
Addressed
10.1.9
PAN-199214
Fixed an intermittent issue where downloading threat pcap via XML API failed with the following error message: /opt/pancfg/session/pan/user_tmp/XXXXX/YYYYY.pcap does not exist .
Addressed
10.1.9
PAN-199141
Fixed an issue where renaming a device group and then performing a partial commit led to the device group hierarchy being incorrectly changed.
Addressed
10.1.9
PAN-199052
( PA-800 Series firewalls only ) Fixed an issue where commit operations took longer than expected. This fix improves the completion time for commit operations.
Addressed
10.1.9
PAN-198920
Fixed an issue where configuration changes caused a previously valid interface ID to become invalid due to HA switchovers delaying the configuration push.
Addressed
10.1.9
PAN-198889
Fixed an issue where the logd process stopped responding if some devices in a collector group were on a PAN-OS 10.1 device and others were on a PAN-OS 10.0 release. This issue affected the devices on a PAN-OS 10.0 release.
Addressed
10.1.9
PAN-198718
( PA-5280 firewalls only ) Fixed an issue where memory allocation failures caused increased decryption failures.
Addressed
10.1.9
PAN-198691
Added an alternate health endpoint to direct health probes on the firewall (https://firewall/unauth/php/health.php) to address an issue where /php/login.php performance was slow when large amounts of traffic were being processed.
Addressed
10.1.9
PAN-198575
Fixed an issue where data did not load when filtering by Threat Name ( ACC > Threat Activity ).
Addressed
10.1.9
PAN-198306
Fixed an issue where the useridd process stopped responding when booting up the firewall.
Addressed
10.1.9
PAN-198187
Fixed an issue where system logs ( Monitor > System ) did not display the commit description after performing a commit and push to multiple device groups from Panorama.
Addressed
10.1.9
PAN-198174
Fixed an issue where, when viewing traffic or threat logs from the Application Command Center (ACC) or Monitor tabs, performing a reverse DNS lookup caused the dnsproxy process to restart if DNS server settings were not configured.
Addressed
10.1.9
PAN-198050
Fixed an issue where Connection to update server is successful messages displayed even when connections failed.
Addressed
10.1.9
PAN-198038
A CLI command was added to address an issue where long-lived sessions were aging out even when there was ongoing traffic.
Addressed
10.1.9
PAN-197953
Fixed an issue where the logd process stopped responding due to forwarded threat logs, which caused Panorama to reboot into maintenance mode.
Addressed
10.1.9
PAN-197935
Fixed an intermittent issue where XML API IP address tag registration failed on firewalls in a multi-vsys environment.
Addressed
10.1.9
PAN-197919
Fixed an issue where, when path monitoring for a static route was configured with a new Ping Interval value, the value was not used as intended.
Addressed
10.1.9
PAN-197877
Fixed an intermittent issue on Panorama where the distributord process stopped responding.
Addressed
10.1.9
PAN-197872
Fixed an issue where the useridd process generated false positive critical errors.
Addressed
10.1.9
PAN-197859
Fixed an issue where firewalls running LSVPN with tunnel monitoring enabled where, after an upgrade to PAN-OS 9.1.14 or a later PAN-OS release, LSVPN tunnels flapped.
Addressed
10.1.9
PAN-197847
Fixed an issue where disabling the enc-algo-aes-128-gcm cipher did not work when using an SSL/TLS profile.
Addressed
10.1.9
PAN-197737
Fixed an issue where the connection to the PAN-DB server failed with following error message: Failed to send req type[3], curl error: Couldn't resolve host name .
Addressed
10.1.9
PAN-197729
Fixed an issue where repeated configuration pushes from Panorama resulted in a management server memory leak.
Addressed
10.1.9
PAN-197678
Fixed an issue where the dataplane stopped responding, which caused internal path monitoring failure.
Addressed
10.1.9
PAN-197649
Fixed an issue where failure logs for slot restarts caused by internal path monitoring contained no debug logs.
Addressed
10.1.9
PAN-197582
Fixed an issue where, after upgrading to PAN-OS 10.1.6, the firewall reset SSL connections that used policy-based forwarding.
Addressed
10.1.9
PAN-197426
Fixed an issue on Panorama where, when attempting to view the Monitor page , the error invalid term was displayed.
Addressed
10.1.9
PAN-197383
Fixed an issue where, after upgrading to PAN-OS 10.2 release, the firewall ran a RAID rebuild for the log disk after ever every reboot.
Addressed
10.1.9
PAN-197298
Fixed an issue where the audit comment archive for Security rule changes output had overlapping formats.
Addressed
10.1.9
PAN-197219
Fixed an issue where the following error message was not sent from multi-factor authentication PingID and did not display in the browser: Your company has enhanced its VPN authentication with PingID. Please install the PingID app for iOS or Android, and use pairing key:<key>. To connect, type "ok" .
Addressed
10.1.9
PAN-197203
Fixed an intermittent issue where, if SSL/TLS Handshake Inspection was enabled, multiple processes stopped responding when the firewall was processing packets.
Addressed
10.1.9
PAN-197121
Fixed an issue where incorrect user details were displayed under the USER DETAIL drop-down ( ACC > Network activity > User activity ).
Addressed
10.1.9
PAN-197097
Fixed an issue where LSVPN did not support IPv6 addresses on the satellite firewall.
Addressed
10.1.9
PAN-196954
Fixed a memory leak issue related to the distributord process.
Addressed
10.1.9
PAN-196895
Fixed a timing issue with updating the cache when upgrading from a PAN-OS 10.0 release to a PAN-OS 10.1 release.
Addressed
10.1.9
PAN-196874
Fixed an issue where, when the firewall accepted ICMP redirect messages on the management interface, the firewall did not clear the route from the cache.
Addressed
10.1.9
PAN-196840
Fixed an issue where exporting a Security policy rule that contained Korean language characters to CSV format resulted in the policy description being in a non-readable format.
Addressed
10.1.9
PAN-196811
Fixed an issue where logout events without a username caused high CPU usage.
Addressed
10.1.9
PAN-196701
Fixed an issue where the firewall did not properly measure the Panorama connection keepalive timer, which caused a Panorama HA failover to take longer than expected.
Addressed
10.1.9
PAN-196566
Fixed an issue where the useridd process restarted repeatedly which let to an OOM condition.
Addressed
10.1.9
PAN-196559
Fixed an issue where LSVPN satellites continued to allow connections even when the certificate was revoked, the serial number was removed from the GlobalProtect portal, and the satellite was disconnected from the gateway.
Addressed
10.1.9
PAN-196474
Fixed an issue where, when a decryption profile was configured with TLSv1.2 or later, web pages utilizing TLS1.0 were blocked with an incorrect ERR_TIME_OUT message instead of an ERR_CONNECTION_RESET message.
Addressed
10.1.9
PAN-196467
Fixed an issue where enabling strict IP address checks in a Zone Protection profile caused GRE tunnel packets to be dropped.
Addressed
10.1.9
PAN-196457
Fixed an issue where extraneous logs displayed in the Traffic log when Security policy settings were changed.
Addressed
10.1.9
PAN-196452
Fixed an issue where DNS queries failed from source port 4789 with a NAT configuration.
Addressed
10.1.9
PAN-196410
Fixed an issue where you were unable to customize the risk value in Risk-of-app .
Addressed
10.1.9
PAN-196404
Fixed an issue where the firewall did not forward IPSec decrypted traffic to a third-party security chain device when the network packet broker feature was enabled.
Addressed
10.1.9
PAN-196398
( PA-7000 Series firewalls with Switch Management Cards (SMC-B) only ) Fixed an issue where the firewall did not capture data when the active management interface was MGT-B.
Addressed
10.1.9
PAN-196309
( PA-5450 firewalls only ) Fixed an issue where a firewall configured with a Policy-Based Forwarding policy flapped when a commit was performed, even when the next hop was reachable.
Addressed
10.1.9
PAN-196261
Fixed an issue where inter-lc disconnected messages were logged once every minute.
Addressed
10.1.9
PAN-196124
Fixed an issue where the log_index process ignored healthy logs and caused system logs to go missing.
Addressed
10.1.9
PAN-196105
Fixed an issue on the firewall where using special characters in a password caused authentication to fail when connecting to the GlobalProtect portal with GlobalProtect satellite configured.
Addressed
10.1.9
PAN-196050
Fixed an issue on Panorama where logs did not populate when one log collector in a log collector group was down.
Addressed
10.1.9
PAN-196001
Fixed an issue where the devsrvr process stopped responding, which caused FQDN objects to not resolve, and, as a result, caused traffic to hit the incorrect Security policy rule.
Addressed
10.1.9
PAN-195869
Fixed an issue where scheduled custom reports based on firewall data did not display any information.
Addressed
10.1.9
PAN-195828
Fixed an issue where SNMP reported the panVsysActiveTcpCps and panVsysActiveUdpCps value to be 0.
Addressed
10.1.9
PAN-195792
Fixed an issue where, when generating a stats dump file for a managed device from Panorama ( Panorama > Support > Stats Dump File ), the file did not display any data.
Addressed
10.1.9
PAN-195790
Fixed an issue where syslog traffic that was sent from the management interface to the syslog server even when a destination IP address service route was configured.
Addressed
10.1.9
PAN-195689
Fixed an issue where WildFire submission logs did not load on the firewall web interface.
Addressed
10.1.9
PAN-195669
Fixed an issue with Panorama appliances in HA configurations where a passive Panorama appliance generated CMS Redistribution Client is connected to global collector messages.
Addressed
10.1.9
PAN-195583
Fixed an issue where, after renaming an object, configuration pushes from Panorama failed with the commit error object name is not an allowed keyword .
Addressed
10.1.9
PAN-195526
Fixed an issue where the firewall system log received a large amount of error messages when attempting a connection between the firewall and Panorama.
Addressed
10.1.9
PAN-195374
( Firewalls in active/passive HA configurations only ) Fixed an issue where, when redistribution agent connections to the passive firewall failed, excessive system alerts for the failed connection were generated. With this fix, system alerts are logged every 5 hours instead of 10 minutes.
Addressed
10.1.9
PAN-195254
( PA-7000 Series firewalls only ) Fixed an issue where log queries from an M-Series Panorama appliance or Panorama virtual appliance in Management Only mode to the firewall failed after updating the firewall to a PAN-OS 10.1 release.
Addressed
10.1.9
PAN-195201
Fixed an issue where high volume DNS Security traffic caused the firewall to reboot.
Addressed
10.1.9
PAN-195200
Fixed an issue where Panorama did not attach and email scheduled reports ( Monitor PDF Reports Email Scheduler ) when the size of the email attachments was large.
Addressed
10.1.9
PAN-195114
Fixed an issue where proxy ARP responded on the wrong interface when the same subnet was in two virtual routers.
Addressed
10.1.9
PAN-195064
Fixed an issue where the log collector did not forward correlation logs to the syslog server.
Addressed
10.1.9
PAN-194912
Fixed an issue where the CLI command show applications list did not return any outputs.
Addressed
10.1.9
PAN-194812
Fixed an issue where generating reports via XML API failed when the serial number was set as target in the query.
Addressed
10.1.9
PAN-194744
Fixed an issue with log corruption, which caused te log_index process to continually restart.
Addressed
10.1.9
PAN-194737
Fixed an issue where path monitor displayed as deleted when it was disabled, which caused a preview change in the summary for static routes.
Addressed
10.1.9
PAN-194588
( PA-7000 Series firewalls with LFCs, PA-7050 firewalls with SMC-Bs, and PA-7080 firewalls only ) Fixed an issue where the logrcvr_statistics output was not recorded in mp-monitor.log.
Addressed
10.1.9
PAN-194456
Fixed an issue where the sysd process disconnected from the pan_dha process after an HA failover or reboot.
Addressed
10.1.9
PAN-194175
Fixed an issue on Panorama where a commit push to managed firewalls failed when objects were added as source address exclusions in a Security policy and Share Unused Address and Service Objects with Devices was unchecked.
Addressed
10.1.9
PAN-194093
Fixed an issue on the firewall where the dataplane unexpectedly restarted due to an issue with the all_pktproc process.
Addressed
10.1.9
PAN-194092
Added a debug command to address an issue where adding a new log collector to an existing collector group, the ACL was updated for the new log collector but not the existing ones.
Addressed
10.1.9
PAN-194068
( PA-5200 Series firewalls only ) Fixed an issue where the firewall unexpectedly rebooted with the log message Heartbeat failed previously .
Addressed
10.1.9
PAN-194043
Fixed an issue where Managed Devices > Summary did not reflect new tag values after an update.
Addressed
10.1.9
PAN-194031
( PA-220 Firewalls only ) Fixed an issue where system log configurations did not work as expected due to insufficient process timeout after a logrcvr process restart.
Addressed
10.1.9
PAN-194025
Fixed an issue where the ikemgr process stopped responding due to a timing issue, which caused VPN tunnels to go down.
Addressed
10.1.9
PAN-193928
Fixed an intermittent issue where GlobalProtect logs were not visible under device groups ( Mobile_User_Device_Group ).
Addressed
10.1.9
PAN-193831
Fixed an issue where internal routes were added to the routing table even after disabling dynamic routing protocols.
Addressed
10.1.9
PAN-193818
Fixed an issue where the firewall device server failed to resolve URL cloud FQDNs, which interrupted URL category lookup.
Addressed
10.1.9
PAN-193808
Fixed a memory leak issue in the mgmtsrvr process that resulted in an OOM condition.
Addressed
10.1.9
PAN-193744
( PA-3200 Series firewalls only ) Fixed an issue where, when the HA2 HSCI connection was down, the system log displayed Port HA1-b: down instead of Port HSCI: Down .
Addressed
10.1.9
PAN-193733
( Firewalls in multi-vsys environments only ) Fixed an issue where IP tag addresses were not synced to all virtual systems (vsys) when they were pushed to the firewall from Panorama via XML API.
Addressed
10.1.9
PAN-193619
Fixed an issue where air gapped firewalls and Panorama appliances performed excessive validity checks to updates.paloaltonetworks.com, which caused software installs to fail.
Addressed
10.1.9
PAN-193558
Fixed an issue where log retention settings Multi Disk did not display correct values on the firewall web interface when the settings were configured using a Panorama template or template stack.
Addressed
10.1.9
PAN-193396
Fixed an issue where the source user name was displayed in traffic logs even when Show User Names In Logs and Reports was disabled for a custom admin role.
Addressed
10.1.9
PAN-193323
Fixed an issue where root partition utilization reached 100% due to mdb old logs not being purged as expected.
Addressed
10.1.9
PAN-193281
Fixed an issue where the logrcvr process stopped responding after a content update on the firewall.
Addressed
10.1.9
PAN-193245
Fixed an issue where, when using syslog-ng forwarding via SSL, with a Base Common Name (CN) and multiple Subject Alternative Names (SANs) were listed in the certificate.
Addressed
10.1.9
PAN-193235
Fixed an issue where duplicate log entries were displayed on Panorama.
Addressed
10.1.9
PAN-193043
Fixed an issue with the where firewalls in Google Cloud Platforms (GCP) inserted the hostname as PA-VM in the syslog header instead of the DHCP assigned hostname when logs were being sent to the syslog server.
Addressed
10.1.9
PAN-192456
Fixed an issue where GlobalProtect SSL VPN processing during a high traffic load caused the dataplane to stop responding.
Addressed
10.1.9
PAN-192431
Fixed an issue where unmanaged tags were set to NULL, which caused unmanaged devices to match the HIP rule for managed devices. As a result, you were unable to distinguish between managed and unmanaged devices.
Addressed
10.1.9
PAN-192296
Fixed an issue where, when you saved a SaaS application report as a PDF or sent it to print, the size of contents were shrinked and was smaller than expected.
Addressed
10.1.9
PAN-192244
Fixed an issue where scheduled log export jobs continued to run even after being deleted.
Addressed
10.1.9
PAN-192193
Fixed an issue where exporting a list of managed collectors via the Panorama web interface failed with the following error message: Export Error, Error while exporting
Addressed
10.1.9
PAN-192188
( PA-5450 firewalls only ) Fixed an issue where the show running resource-monitor ingress-backlogs CLI command failed with the following error message: Server error : Failed to intepret the DP response .
Addressed
10.1.9
PAN-192130
Fixed an issue where the GlobalProtect client remained in a connecting state when GlobalProtect Client VPN and SAML authentication were enabled.
Addressed
10.1.9
PAN-192092
Fixed an issue with firewalls in active/passive configurations only where the registered cookie from the satellite firewall to the passive firewall did not sync, which caused authentication between the satellite firewall and the GlobalProtect portal firewall to fail after a failover event.
Addressed
10.1.9
PAN-192076
Fixed an issue where OpenSSL memory initialization caused unexpected failovers.
Addressed
10.1.9
PAN-191997
Fixed an issue where log queries did not successfully filter the unknown category.
Addressed
10.1.9
PAN-191845
Fixed an issue where the firewall used a locally configured DNS server instead of a DHCP provided one.
Addressed
10.1.9
PAN-191652
Fixed an issue with Prisma Cloud where a commit push failed due to the error Error: failed to handle TDB_UPDATE_BLOCK> .
Addressed
10.1.9
PAN-191463
Fixed an issue where the firewall did not handle packets at Fastpath when the interface pointer was null.
Addressed
10.1.9
PAN-191390
( VM-Series firewalls only ) Fixed an issue where the management plane CPU was incorrectly calculated as high when logged in the mp-monitor.log.
Addressed
10.1.9
PAN-191235
Fixed an issue with firewalls in HA configurations where the passive firewall attempted to connect to a hardware security module (HSM) client when a service route was configured, which caused dynamic updates and software updates to fail.
Addressed
10.1.9
PAN-191048
Fixed an issue where Panorama did not push the password hash of the local admin password to managed WildFire appliances.
Addressed
10.1.9
PAN-191032
Fixed an issue on Panorama where Managed Devices displayed Unknown .
Addressed
10.1.9
PAN-190963
Fixed an issue on the firewall interface where Log Collector Status > Device connectivity displayed as error .
Addressed
10.1.9
PAN-190533
Fixed an issue where addresses and address groups were not displayed for users in Security admin roles.
Addressed
10.1.9
PAN-190502
Fixed an issue where the Policy filter and Policy optimizer filter were required to have the exact same syntax, including nested conditions with rules that contained more than one tag when filtering via the neq operator.
Addressed
10.1.9
PAN-190454
Fixed an issue where, while authenticating, the allow list check failed for vsys users when a SAML authentication profile was configured under shared location .
Addressed
10.1.9
PAN-190286
Fixed an issue in the web interface where non-superusers with administrator privileges were unable to see Log Processing Card (LPC) information.
Addressed
10.1.9
PAN-190266
Fixed an issue that stopped the all_task process to stop responding at the pan_sdwan_qualify_if_ini function.
Addressed
10.1.9
PAN-190055
( VM-Series firewalls only ) Fixed an issue where the firewall did not follow the set Jumbo MTU value.
Addressed
10.1.9
PAN-189960
Fixed an issue on Panorama where you were unable to view the last address object moved to the shared template list.
Addressed
10.1.9
PAN-189866
Fixed an issue with the web interface where group include lists used server profiles instead of LDAP proxy.
Addressed
10.1.9
PAN-189804
Fixed an issue where editing Panorama settings within a template or template stack an authentication was required, but adding an authentication key displayed an error.
Addressed
10.1.9
PAN-189783
Fixed an issue where container resource limits were not enforced for all processes when running inside a container.
Addressed
10.1.9
PAN-189755
Fixed an issue where the snmpd stopped responding which caused SNMPv3 polling outages.
Addressed
10.1.9
PAN-189723
Fixed an issue where you were unable to configure dynamic address groups to use more than 64,000 IP addresses in a Security policy rule.
Addressed
10.1.9
PAN-189719
Fixed an issue on Panorama where Test Server Connection failed in an HTTP server profile with the following error message: failed binding local connection end .
Addressed
10.1.9
PAN-189718
Fixed an issue where the number of sessions did not reach the expected maximum value with Security profiles.
Addressed
10.1.9
PAN-189518
Fixed an issue where incoming DNS packets with looped compression pointers caused the dnsproxyd process to stop responding.
Addressed
10.1.9
PAN-189379
Fixed an issue where FQDN based Security policy rules did not match correctly.
Addressed
10.1.9
PAN-189335
Fixed an issue where the varrcvr process restarted repeatedly, which caused the firewall to restart.
Addressed
10.1.9
PAN-189300
Fixed an issue where Panorama appliances in active/passive HA configurations reported the false positive system log Failed to sync vm-auth-key when a VM authentication key was generated on the active appliance.
Addressed
10.1.9
PAN-189298
Fixed an issue where existing traffic sessions were not synced after restarting the active dataplane when it became passive.
Addressed
10.1.9
PAN-189200
Fixed an issue where sinkholes did not occur for AWS Gateway Load Balancer dig queries.
Addressed
10.1.9
PAN-189027
Fixed an issue where the dataplane CPU utilization provided from the web interface or via SNMP was incorrect. This is observed across all platforms.
Addressed
10.1.9
PAN-188933
Fixed an issue where the UDP checksum wasn't correctly calculated for VXLAN traffic after applying NAT.
Addressed
10.1.9
PAN-188912
Fixed an issue where authentication failed due to a process responsible for handling authentication requests going into an irrecoverable state.
Addressed
10.1.9
PAN-188602
Fixed an issue where the all_task process stopped responding, which caused IPSec tunnels to peers to go down.
Addressed
10.1.9
PAN-188519
( VM-Series firewalls only ) Fixed an issue where, when manually deactivating the license, the admin user did not receive the option to download the token file and upload it to the Customer Support Portal (CSP) to deactivate the license.
Addressed
10.1.9
PAN-188506
Fixed an issue where the ctd_dns_malicious_fwd counter incorrectly increased incrementally.
Addressed
10.1.9
PAN-188348
Fixed an issue where encapsulating Security payload packets originating from the firewall were dropped when strict IP address check was enabled in a zone protection profile.
Addressed
10.1.9
PAN-188291
Fixed an issue where, when using Global Find on the web interface to search for a given Hostname Configuration (Device > Setup > Management) , clicking the search result directed you to the appropriate Hostname configuration, but did not change the respective Template field automatically.
Addressed
10.1.9
PAN-188036
Fixed an issue where SIP TCP sequence numbers were calculated incorrectly when SIP cleartext proxy was disabled.
Addressed
10.1.9
PAN-188035
( Firewalls and Panorama appliances in FIPS mode only ) Fixed an issue where, even when region lists were disabled, the following error message was displayed: Unable to retrieve region list either region list has not been set or data format is wrong .
Addressed
10.1.9
PAN-187985
Fixed an issue where you were unable to configure a QoS Profile as percentage for Clear Text Traffic.
Addressed
10.1.9
PAN-187761
Fixed an issue where, during HA failover, the now passive firewall continued to pass traffic after the active firewall had already taken over.
Addressed
10.1.9
PAN-187720
Fixed an issue where the firewall did not show master key validity information after the master key was updated and the firewall was restarted.
Addressed
10.1.9
PAN-187476
Fixed an issue where, when HIP redistribution was enabled, Panorama did not display part of the HIP information.
Addressed
10.1.9
PAN-187342
Fixed an issue where the Schedules button ( Device Deployment > Dynamic updates ) was grayed out for custom role-based admins.
Addressed
10.1.9
PAN-187279
Fixed an issue where not all quarantined devices were displayed as expected.
Addressed
10.1.9
PAN-187096
Fixed an issue where you were unable to sort through Addresses ( Device Group > Objects ).
Addressed
10.1.9
PAN-186487
Fixed an issue with snmpd.log overflow caused by continuous hourly repeating errors.
Addressed
10.1.9
PAN-186471
Fixed an issue where, when exporting to CSV in Global Find, the firewall truncated names of rules that contained over 40 characters.
Addressed
10.1.9
PAN-186447
Fixed an issue where Health ( Panorama > Managed Devices ) did not display environmental tabs and fan and power supply status was not visible.
Addressed
10.1.9
PAN-186433
Fixed an intermittent issue where decryption failed for clients sending TLSv1.3 Client Hello and CCS in two separate packets instead of one.
Addressed
10.1.9
PAN-186270
Fixed an issue where, when HA was enabled and a dynamic update schedule was configured, the configd process unexpectedly stopped responding during configuration commits.
Addressed
10.1.9
PAN-185928
Fixed an issue where external dynamic list auto refresh did not work when destination service route was enabled.
Addressed
10.1.9
PAN-185844
Fixed an issue where Decryption Log entries were associated with the wrong Security policy rule.
Addressed
10.1.9
PAN-185611
( PA-850 firewalls only ) Fixed an issue where the maximum number of aggregate interfaces was incorrectly set as 8 instead of 6.
Addressed
10.1.9
PAN-185591
Fixed an issue where, in multi-vsys systems, some policy rules were unable to be edited due to the Target field being unclickable.
Addressed
10.1.9
PAN-185466
Fixed an issue where WildFire submission did not work as expected.
Addressed
10.1.9
PAN-185394
( PA-7000 Series firewalls only ) Fixed an issue where not all changes to the template were reflected on the firewall.
Addressed
10.1.9
PAN-185390
Fixed an issue where the Block IP list option was incorrectly displayed on firewalls where it was not applicable.
Addressed
10.1.9
PAN-185283
Fixed an issue on Panorama where using the name-of-threatid contains log4j filter didn't produce expected results.
Addressed
10.1.9
PAN-185276
Fixed an issue where a debug command displayed different idmgr digest results.
Addressed
10.1.9
PAN-185249
Fixed an issue where Template Stack overrides ( Dynamic Updates Apps & Threats Schedule ) were not able to be reverted via the web interface.
Addressed
10.1.9
PAN-185234
( VM-Series firewalls on Microsoft Azure environments only ) Fixed an issue where, when accelerated networking was enabled, the packet buffer utilization was displayed as high even when no traffic was traversing the firewall.
Addressed
10.1.9
PAN-185200
Fixed an issue where the User-ID manager assigned an ID to an object with a DELETE command.
Addressed
10.1.9
PAN-185135
( VM-Series firewalls on Kernel-based Virtual Machine (KVM) only ) Fixed an issue where the physical port counters (including SNMP) on the dataplane interfaces increased when DPDK was enabled.
Addressed
10.1.9
PAN-184766
( PA-5450 firewalls only ) Fixed an issue where the control packets for BGP, OSPF, and Bidirectional Forwarding Detection (BFD) were not assigned a QoS value of 5.
Addressed
10.1.9
PAN-184744
Fixed an issue where the firewall did not decrypt SSL traffic due to a lack of internal resources allocated for decryption.
Addressed
10.1.9
PAN-184537
Fixed an issue where GlobalProtect requested for passwords that contained non ASCII characters (ö) to be reentered when refreshing the connection.
Addressed
10.1.9
PAN-184408
Fixed an issue where commits pushed from Panorama to the firewall failed due to the application status for an application being incorrectly considered an invalid reference.
Addressed
10.1.9
PAN-184181
Fixed an ESP encapsulation issue where, when IPv6 address proxy IDs were configured, encapsulation was handled incorrectly with a different proxy ID SPI in the same tunnel when the source IP address of the proxy was overlapped by the destination IP address.
Addressed
10.1.9
PAN-183981
Fixed an issue on the firewall where, when the GlobalProtect portal was not configured, the GlobalProtect landing page was still loaded with the message GlobalProtect portal does not exist . This issue occurred when using the exact GlobalProtect portal link: https://x.x.x.x/global-protect/login.esp
Addressed
10.1.9
PAN-183632
Fixed an issue where the firewall was unable to match HIP objects with code versions over 4 digits long.
Addressed
10.1.9
PAN-183629
Fixed an issue where Clientless-vpn max-users displayed the limit as 20 instead of 200.
Addressed
10.1.9
PAN-183524
Fixed an issue where GPRS tunneling protocol (GTPv2-c and GTP-U) traffic was identified with insufficient-data in the traffic logs.
Addressed
10.1.9
PAN-183375
Fixed an issue where traffic arriving on a tunnel with a bad IP header checksum was not dropped.
Addressed
10.1.9
PAN-183319
Fixed an issue on Panorama where commits remained at 99% due to multiple firewalls sending out CSR singing requests every 10 minutes.
Addressed
10.1.9
PAN-183287
Fixed an issue where firewall commits failed due to the commit-recovery connection check ending prematurely.
Addressed
10.1.9
PAN-183154
Fixed an issue where DNS exception failed when DNS queries contained a capital letter.
Addressed
10.1.9
PAN-183126
Fixed an issue on Panorama where you were able to attempt to push a number of active schedules to the firewall that was greater than the firewall's maximum capacity.
Addressed
10.1.9
PAN-182876
Fixed an issue where GlobalProtect connections failed via XML when special characters (<), (&), and (>) were present in the GlobalProtect portal configuration passcode.
Addressed
10.1.9
PAN-182845
Fixed an issue that caused devices to be removed from Panorama when one device was added by one user, but a Commit and Push operation was completed by a second user before the first user completed a Commit of the added device change.
Addressed
10.1.9
PAN-182486
Fixed an issue on the web interface where the same IP address was displayed for sub interfaces in a multi-vsys firewall.
Addressed
10.1.9
PAN-182449
Fixed an issue where Apple iPad users were unable to authenticate to the GlobalProtect portal using any browser, which resulted in Clientless VPN access issues.
Addressed
10.1.9
PAN-182244
Fixed an issue where Session Initiation Protocol (SIP) REGISTER packets did not get transmitted when application-level gateway (ALG) and SIP Proxy were enabled, which caused a SIP-registration issue in environments where TCP retransmission occurred.
Addressed
10.1.9
PAN-182167
Removed a duplicate save filter Icon in the Audit Comment Archive for Security Rule Audit Comments tab.
Addressed
10.1.9
PAN-181968
( PA-400 Series firewalls in active/passive HA configurations only ) Fixed an issue where, when HA failover occurred, link up on all ports took longer than expected, which caused traffic outages.
Addressed
10.1.9
PAN-181684
Fixed an issue where cluster definition for OpenShift was not able to be added if a custom certificate was used for an API endpoint.
Addressed
10.1.9
PAN-181376
Fixed an issue where the show session id CLI command displayed a negative packet count.
Addressed
10.1.9
PAN-181366
Fixed an issue where the firewall sent an incorrect IP address on ICMP sessions in NetFlow packets when NAT was applied to the target traffic.
Addressed
10.1.9
PAN-181334
Fixed an issue where users with custom admin roles and access domains were unable to view address objects or edit Security rules.
Addressed
10.1.9
PAN-181324
Fixed a memory issue related to the lpmgrd process that caused the firewall to enter a non-functional state.
Addressed
10.1.9
PAN-181129
Improved protection against unexpected packets and error handling for traffic identified as SIP.
Addressed
10.1.9
PAN-181034
Fixed an issue where, after changing the Decryption mirroring setting to Forwarded only in the decryption profile, Panorama did not save the setting.
Addressed
10.1.9
PAN-180948
Fixed an issue where an external dynamic list fetch failed with the error message Unable to fetch external dynamic list. Couldn't resolve host name. Using old copy for refresh .
Addressed
10.1.9
PAN-180690
Fixed an issue where the firewall dropped IPv6 Bi-Directional Forwarding (BFD) packets when IP Spoofing was enabled in a Zone Protection Profile.
Addressed
10.1.9
PAN-180147
Fixed an issue where the bcm.log and brdagent_stdout.log-<datestamp> files filled up the root disk space.
Addressed
10.1.9
PAN-180030
Fixed an issue where hyperlinks to threatvault for threat logs with DNS Security categories resulted in the following error message: No data is found based on your search, please search for something else .
Addressed
10.1.9
PAN-179952
Fixed an issue on Panorama where not all categories were displayed under Log settings .
Addressed
10.1.9
PAN-179826
Fixed an issue where the firewall incorrectly displayed the license error IoT Security license is required for feature to function even when the IoT Security, Does not Require Data Lake license was installed.
Addressed
10.1.9
PAN-179636
Fixed an issue where Authentication Server logs for various connections (including LDAP and Radius Server) were not displayed in the syslog when connections were up.
Addressed
10.1.9
PAN-179624
Fixed an issue where setting the password complexity to Require Password Change on First Login caused the user to be prompted with certificate authentication.
Addressed
10.1.9
PAN-179506
( VM-Series firewalls on Microsoft Azure environments only ) Fixed an issue where Panorama was unable to push software updates to the firewall.
Addressed
10.1.9
PAN-179467
Fixed an issue where Selective Audit ( Device > Log settings ) options were visible to a group of admin users if the firewall was not in FIPS-CC mode.
Addressed
10.1.9
PAN-179395
Fixed an issue where the firewall still populated the domain map even after clearing the domain map via the CLI after removing the group-mapping setting configuration.
Addressed
10.1.9
PAN-179258
Fixed an issue where system disk migration failed.
Addressed
10.1.9
PAN-179212
Fixed an issue where extraneous characters displayed at the end of a CSV report.
Addressed
10.1.9
PAN-179152
Fixed an issue where partial commit failures did not display an error message.
Addressed
10.1.9
PAN-178961
Fixed an issue where a process ( authd ) stopped responding due to incorrect context handling.
Addressed
10.1.9
PAN-178959
Fixed an issue where configuring BGP to Aggregate with Suppress Filters using From Peers did not work as expected.
Addressed
10.1.9
PAN-178951
Fixed an issue on the firewall where Agentless User-ID lost parent Security group information after the Security group name of the nested groups on Active Directory was changed.
Addressed
10.1.9
PAN-178802
Increased the default virtual memory limit for the mgmtsrvr process from 3.2GB to 16GB.
Addressed
10.1.9
PAN-178800
Fixed an issue where the reportd process stopped responding when URL Filtering Inline ML phishing logs were queried.
Addressed
10.1.9
PAN-178728
Fixed an issue where the dcsd process stopped responding when attempting to read the config to update its redis database.
Addressed
10.1.9
PAN-178594
Fixed an issue where the descriptions of options under the set syslogng ssl-conn-validation CLI command were not accurate.
Addressed
10.1.9
PAN-178407
Fixed an permissions issue where, when attempting to troubleshoot the syslog over TCP via the CLI, the following error message was displayed: Error: "/var/log/pan/syslog-ng.log: Permission denied .
Addressed
10.1.9
PAN-178363
Fixed an issue where a process ( mgmtsrvr ) wasn't restarted after the virtual memory limit was exceeded.
Addressed
10.1.9
PAN-178354
Fixed an issue where the error message You do not have permission to reboot device was incorrectly displayed to a TACAC user when attempting to install PAN-OS.
Addressed
10.1.9
PAN-178349
Fixed an issue where log forwarding did not work when the filter size was more than 1,024 characters in the log forwarding profile.
Addressed
10.1.9
PAN-178248
Fixed an issue where, when exporting the Applications list on PDF or CSV profile formats, the report displayed all tag values as undefined.
Addressed
10.1.9
PAN-178186
Fixed a commit issue where, when replacing an old firewall with a new firewall using the serial number, the change to the serial number was not reflected in the Security policy rule.
Addressed
10.1.9
PAN-177942
Fixed an issue where, when grouping HA peers, access domains that were configured using multi-vsys firewalls deselected devices or virtual systems that were in other configured access domains.
Addressed
10.1.9
PAN-177939
Fixed an issue where a certificate without a private key was able to be added to an SSL/TLS Service Profile, which caused the l3svc process to stop responding.
Addressed
10.1.9
PAN-177908
Fixed an issue where you were unable to configure region for source or destination IP addresses in a Security policy rule.
Addressed
10.1.9
PAN-177891
Fixed an issue where group-mapping information was not automatically refreshed at the refresh interval when LDAP proxy was configured.
Addressed
10.1.9
PAN-177853
Fixed an issue where the logd process on Panorama and the logrcvr process on the firewall stopped responding when a log forwarding profile had a filter that included the field sender and subject .
Addressed
10.1.9
PAN-177562
Fixed an issue where PDF reports were not translated to the configured local language.
Addressed
10.1.9
PAN-177201
Fixed an issue where, when a Panorama appliance on a PAN-OS 9.0 or later release pushed built-in external dynamic lists to a firewall on a PAN-OS 8.1 release, the external dynamic list was removed, but the rule was still pushed to the firewall. With this fix, Panorama will show a validation error when attempting to push a pre-defined external dynamic list to a firewall on a PAN-OS 8.1 release.
Addressed
10.1.9
PAN-177133
( Firewalls in HA configurations only ) Fixed an issue where the HA1 heartbeat backup flapped with the following error message: Unable to send icmp packet:(errno: 105) No buffer space available .
Addressed
10.1.9
PAN-176989
Fixed an issue where the CLI command to show SD-WAN tunnel members caused the firewall to stop responding.
Addressed
10.1.9
PAN-176471
Fixed an issue where adding applications without a description using XML API deleted the whole Panorama application list.
Addressed
10.1.9
PAN-176461
Fixed an issue where a process ( mdb ) stopped responding after downgrading from a PAN-OS 9.1 release to an earlier release due to discrepancies in the mongodb process version.
Note : To utilize this fix, first install a PAN-OS 9.0 release on the web interface, and then, prior to reboot, run the following CLI command: debug mongo clear instance mdb .
Addressed
10.1.9
PAN-176379
Fixed an issue where, when multiple routers were configured under a Panorama template, you were only able to select its own virtual router for next hop.
Addressed
10.1.9
PAN-175709
Fixed an issue where the dnsproxy process stopped responding when a DNS signature lookup request was received before the process was fully initialized.
Addressed
10.1.9
PAN-175142
Fixed an issue on Panorama where executing a debug command caused the logrcvr process to stop responding.
Addressed
10.1.9
PAN-175121
Fixed a rare issue where, when two nodes started IKE_SA negotiations at the same time, which resulted in duplicate IKE SAs.
Addressed
10.1.9
PAN-175069
Fixed an issue where commits failed when the IPv6 link-local address was configured for BGP peering as local and peer address.
Addressed
10.1.9
PAN-175061
Fixed an issue where filtering threat logs using any value under THREAT ID/NAME displayed the error Invalid term .
Addressed
10.1.9
PAN-174988
( PA-220 Series firewalls only ) Fixed an issue where the runtime-state parameter was missing in the CLI command request high-availability sync-to-remote .
Addressed
10.1.9
PAN-174953
Fixed an issue where the firewall didn't update URL categories from the management plane to the dataplane cache.
Addressed
10.1.9
PAN-174821
( PA-3220 firewalls only ) Fixed an issue where auto-negotiation was not disabled with force mode set to ON in the interface settings.
Addressed
10.1.9
PAN-174781
Fixed an issue where the firewall did not send an SMTP 541 error message to the email client after detecting a malicious file attachment.
Addressed
10.1.9
PAN-174702
Fixed an issue where Panorama pushed share-unused tagged objects to the firewall, which caused the device address object limit to be exceeded.
Addressed
10.1.9
PAN-174680
Fixed an issue where, when adding new configurations, Panorama didn't display a list of suggested template variables when typing in a relevant field.
Addressed
10.1.9
PAN-174592
Fixed an issue where the firewall did not check reserved fields in GTPv1 and GTPv2 headers as expected from the latest 3GPP Specifications.
Addressed
10.1.9
PAN-174525
Fixed an issue where the sslvpn process restarted repeatedly.
Addressed
10.1.9
PAN-174480
Fixed an issue where scheduled email reports were blocked by open-source content filters due to a violation of rfc2046.
Addressed
10.1.9
PAN-174462
Fixed an issue where the configd process stopped responding when creating Application filters with tags and adding the filter to a Security policy rule.
Addressed
10.1.9
PAN-174102
Fixed an issue where, when MLAV feature found malicious content, no action was applied even though it had increased the execution counters, displayed the score and verdict in the log, and showed no allow list hits,
Addressed
10.1.9
PAN-174064
Fixed an issue where downloading a GlobalProtect data file did not work and displayed a no global protect license error even when a valid license was present.
Addressed
10.1.9
PAN-174027
Fixed an issue on Panorama where attempting to rename mapping for address options caused a push to fail with the following error message: Error: Duplicate address name. .
Addressed
10.1.9
PAN-173813
A debug command was added to disable automatic implicit tail matching, which was the default.
Addressed
10.1.9
PAN-173810
Fixed an issue where the debug user-id dump ts-agent user-ids CLI command caused the useridd process to stop responding.
Addressed
10.1.9
PAN-173437
Fixed an issue where the firewall did not detect that the management port was down the first time after booting up the system.
Addressed
10.1.9
PAN-173207
Fixed an issue where radius authentication timed out when logging in due to the firewall sending authentication requests using a static IP address instead of a DCHP assigned IP address.
Addressed
10.1.9
PAN-173080
Fixed an issue where the User-ID connection limit was reached even when only a few User-ID agents were connected to the service.
Addressed
10.1.9
PAN-173031
Fixed an issue where users were promted twice for DUO SAML Authentication when authentication override cookies were enabled.
Addressed
10.1.9
PAN-172823
Fixed an issue where MD5 checksums were updated before the new customer EDLs were pushed to the dataplane.
Addressed
10.1.9
PAN-172780
Fixed an issue where user domain override was not reset when deleted from group mapping.
Addressed
10.1.9
PAN-172753
( PA-7000 Series firewalls only ) Fixed an issue where link-local internal packet handling between the management plane and the dataplane caused an Network Processing Card (NPC) slot to go down.
Addressed
10.1.9
PAN-172452
Fixed an issue where the log file did not include all logs.
Addressed
10.1.9
PAN-172357
( VM-Series firewalls in Oracle Cloud Infrastructure Government Cloud only ) Fixed an issue with firewalls in HA configurations where HA failover did not occur when firewalls were in FIPS mode.
Addressed
10.1.9
PAN-172324
Fixed an issue on the Panorama web interface where custom vulnerability signature IDs weren't populated in the drop-down when creating a custom combination signature.
Addressed
10.1.9
PAN-172308
Fixed an issue where generating packet captures did not work when the data filtering profile was configured to block HTML files via a POST request.
Addressed
10.1.9
PAN-172100
Fixed an issue with URL filtering where, after upgrading to a PAN-OS 9.1 release, the Continue button on a URL did not work and caused the website to be inaccessible, even though the predefined category of URL was configured to continue traffic. This occurred when URL traffic hit a rule where the custom category was set to None .
Addressed
10.1.9
PAN-171927
Fixed an issue where incorrect results were displayed when filtering logs in the Monitor tab.
Addressed
10.1.9
PAN-171569
Fixed an issue where HIP matches were not recognized in an SSL decryption policy rule.
Addressed
10.1.9
PAN-171337
Fixed an issue where connection per second (CPS) rates collected via SNMP were not correct.
Addressed
10.1.9
PAN-171300
Fixed an issue on Panorama where a password change in a template did not reset an expired password flag on the firewall, which caused the user to change their password when logging in to a firewall.
Addressed
10.1.9
PAN-171066
Fixed an issue with GlobalProtect where cookie based authentication for Internal Gateway failed with the following error messages: Invalid authentication cookie and Invalid User Name .
Addressed
10.1.9
PAN-170989
Fixed an issue with memory usage consumption related to the useridd process.
Addressed
10.1.9
PAN-170936
Fixed an issue where the firewall egressed offloaded frames out of order after an explicit commit ( Commit on the firewall or Commit All Changes on Panorama) or an implicit comment such as an Antivirus update, Dynamic Update, or WildFire update.
Note This issue persists for a network-related configuration and commit.
Addressed
10.1.9
PAN-170798
Fixed an issue where OSPF flaps occurred when a Layer 3 interface IPv4 was changed from DHCP Client to Static .
Addressed
10.1.9
PAN-170531
Fixed an issue where the web interface icons for service objects and service group objects were identical when used in a NAT policy rule.
Addressed
10.1.9
PAN-169899
Fixed an issue on firewalls with offload processors where the ECMP forced symmetric return feature didn't work for CRE traffic after the session was offloaded.
Addressed
10.1.9
PAN-169674
( Firewalls with Cavium Octeon processors only ) Fixed an issue where the all_pktproc process stopped responding when reassembling TCP packets.
Addressed
10.1.9
PAN-169521
Fixed an issue where QoS tagging unexpectedly behaved differently at different stages of packet processing.
Addressed
10.1.9
PAN-169456
Fixed an issue where, after renaming an authentication profile, system logs still showed the old profile name.
Addressed
10.1.9
PAN-169308
Fixed a commit issue when comparing numbers of rules where the bucket size of the application dependency hash table was too small.
Addressed
10.1.9
PAN-169122
Fixed an issue where medium priority correlation events were not generated when the irc-base repeat count value was greater than 10.
Addressed
10.1.9
PAN-168514
Fixed an issue where authentication failed when the destination service route was used to reach the authentication server.
Addressed
10.1.9
PAN-168480
Fixed an issue where the firewall did not switch to STP for multicast groups when IGMP receivers were stopped and restarted for the same set of groups within a short time period.
Addressed
10.1.9
PAN-167918
Fixed an issue where the GlobalProtect pre-log on VPN failed to establish or match pre-log on policies due to the domain name being prepended to pre-log on user.
Addressed
10.1.9
PAN-167850
Fixed an issue with firewalls in active/active HA configurations where IPSec packets were not forwarded to the HA peer owner of the tunnel, which caused packets to be dropped.
Addressed
10.1.9
PAN-167805
Fixed an intermittent issue where traffic ingressing through a VPN tunnel failed to match predict session, which resulted in child sessions failing.
Addressed
10.1.9
PAN-167087
Fixed an issue where the focus was not set on the free text field when requesting a token code on the Authentication Portal.
Addressed
10.1.9
PAN-166686
Fixed an issue where EDNS responses dropped when the original request was DNS.
Addressed
10.1.9
PAN-165951
( PA-3020 firewalls only ) Fixed an issue on the firewall where disk space was not cleared when multiple image files were present.
Addressed
10.1.9
PAN-163713
Fixed an issue where the alternate name was not getting copied to user-Fixed an issue where user-attributes for users in custom groups were incorrect, which caused username formats to not match the user.
Addressed
10.1.9
PAN-163043
Fixed an issue where, when exporting logs via the CLI, only 65,535 rows were exported even when 1,000,000 rows were configured.
Addressed
10.1.9
PAN-162088
( Panorama appliances in HA configurations only$$ ) Fixed an issue where content updates ( Panorama Dynamic Updates ) manually uploaded to the active HA peer were not synchronized to the passive HA peer when you installed a content updated and enabled Sync to HA peer .
Addressed
10.1.9
PAN-160419
Fixed an issue where the following error message displayed in the system log after restarting the firewall: dns-signature initialization from file storage failed, start with empty cache .
Addressed
10.1.9
PAN-157710
Fixed an issue where admin users with custom roles were unable to create VLANs.
Addressed
10.1.9
PAN-157199
( PA-220 firewalls only ) Fixed an issue where the GlobalProtect portal was not reachable with IPv6 addresses.
Addressed
10.1.9
PAN-156700
Fixed an issue where DNS Security logs did not display threat names or IDs when the domain name contained an uppercase letter.
Addressed
10.1.9
PAN-155902
Fixed an issue where the auto MTU value was incorrect, which caused unexpected latency issues for GlobalProtect users.
Addressed
10.1.9
PAN-155467
( VM-Series firewalls only ) Fixed an issue where IPSec decap dropped packets when NAT was configured locally on the firewall.
Addressed
10.1.9
PAN-154892
Fixed an issue on the firewall where Real Time Streaming Protocol (RTSP) flows that were subjected to Dynamic IP and Port (DIPP) NAT were not supported by the Application Layer Gateway (ALG).
Addressed
10.1.9
PAN-153308
Fixed an issue which caused the mouse cursor to remove focus from the search bar when hovering over a hyperlink inside of a cell menu (e.g., source zone, source address, destination zone, destination address, etc.).
Addressed
10.1.9
PAN-151273
Fixed an issue where the commit event was not recorded in the config logs during a Commit and Push on the Panorama management server.
Addressed
10.1.9
PAN-123446
Fixed an issue where an administrator with a Superuser role could not reset administrator credentials.
Addressed
10.1.9
PAN-78762
Fixed an issue where you were unable to reset a VPN tunnel via the firewall web interface ( Network > IPSec Tunnels > Tunnel Info > Restart ).
Known
10.1.10
—
If you use Panorama to retrieve logs from Strata Logging Service , new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to Strata Logging Service and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode .
Known
10.1.10
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.10
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.10
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.10
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM- <xxx> license , indicates that you must allocate the additional memory required for licensed capacity for the firewall model.
Known
10.1.10
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.10
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.10
APL-15000
When you move a firewall from one Strata Logging Service instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.10
APL-8269
For data retrieved from Strata Logging Service , the Threat Name column in Panorama ACC threat-activity appears blank.
Known
10.1.10
PLUG-12041
On an OpenShift cluster, MP pod may crash when the number of underlying threads exceeds beyond the per pod maximum limit of 1024.
Workaround: Increase the process ID (PID) limit to 2048 in worker nodes.
Known
10.1.10
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.10
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.10
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround: Retry connecting after you restart the web server with the following command: debug software restart process web-server .
Known
10.1.10
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.1.10
PAN-228273
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status is red . This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.1.10
PAN-227344
On the Panorama management server, PDF Summary Reports ( Monitor PDF Reports Manage PDF Summary ) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.10
PAN-223488
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues .
Closed ElasticSearch shards are not deleted from a Panorama M-Series or virtual appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.1.10
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.1.10
PAN-221126
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues
Email server profiles ( Device Server Profiles Email and Panorama Server Profiles Email ) to forward logs as email notifications are not forwarded in a readable format.
Workaround: Use a Custom Log Format to forward logs as email notifications in a readable format.
Known
10.1.10
PAN-221015
This issue is now resolved. See ` PAN-OS 10.1.12 Addressed Issues .
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. The results in the Managed Collector ES health status ( Panorama Managed Collectors Health Status ) to be degraded.
Workaround: Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes. 
admin>debug elasticsearch es-restart optional all
Known
10.1.10
PAN-219644
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues .
Firewalls forwarding logs to a syslog server over TLS ( Objects Log Forwarding ) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
10.1.10
PAN-219824
File system checks on the logging drive may take more time depending on the usage and file system content, resulting in autocommits taking longer to complete than expected.
Known
10.1.10
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.10
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.1.10
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings ( Device High Availability ) in a template or template stack ( Panorama Templates ), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync .
Known
10.1.10
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.1.10
PAN-212978
The Palo Alto Networks firewall stops responding when executing an SD-WAN debug operational CLI command.
Known
10.1.10
PAN-212889
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues .
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor ( Monitor App Scope Threat Monitor ) and ACC . This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor.
Known
10.1.10
PAN-211728
For VM-Series firewalls leveraging SD-WAN and deployed on VMware ESXi running VMX-13, Auto-Commits fail after upgrade to PAN-OS 10.1.9 and display the error:
total SD-WAN interfaces 3 exceed the platform maximum 0
Workaround: Attach a serial console to the VM-Series firewall before upgrade to PAN-OS 10.1.9.
Known
10.1.10
PAN-204689
Upon upgrade to PAN-OS 10.1.9, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App Allow with Passcode
  • Allow user to Disable GlobalProtect App Allow with Passcode
  • Allow User to Uninstall GlobalProtect App Allow with Password
Known
10.1.10
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups ( Panorama Device Groups ) under the same device group hierarchy that are used in one or more Policies , renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B .
  2. You create address objects called AddressObjA in the Shared , DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B .
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB .
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.10
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.1.10
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.10
PAN-194424
( PA-5450 firewall only ) Upgrading to PAN-OS 10.1.6-h2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround: Restart the log receiver service by running the following CLI command: 
debug software restart process log-receiver
Known
10.1.10
PAN-194202
( PA-5450 firewall only ) If the management interface and Log Collector are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.1.10
PAN-193518
All logs ( Monitor Logs ) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Workaround: If you need to downgrade from PAN-OS 10.1 to PAN-OS 10.0 and then back to PAN-OS 10.1, downgrade to PAN-OS 10.0.11 to ensure that all logs ingested while running a PAN-OS 10.0 release remain accessible after upgrade back to PAN-OS 10.1.
Known
10.1.10
PAN-193004
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues .
The Panorama management server fails to delete old IP Tag data. This causes the /opt/pancfg partition to reach maximum capacity which impacts Panorama performance.
Known
10.1.10
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys that impacts exporting logs ( Device Scheduled Log Export ), exporting configurations ( Device Scheduled Config Export ), or the scp export command in the CLI.
Workaround: Use RSA-based host keys on the destination server.
Known
10.1.10
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.1.10
PAN-179888
On the Panorama management server, the number of managed firewall ( Panorama Managed Devices Health ) Power Supplies displays an incorrect count of power supplies.
Known
10.1.10
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.1.10
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.1.10
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround: Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.10
PAN-172067
When you configure an HTTP server profile ( Device Server Profiles HTTP or Panorama Server Profiles HTTP ), the Username and Password fields are always required regardless of whether Tag Registration is enabled.
Workaround: When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require it. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.10
PAN-172061
A process ( all_pktproc ) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.10
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Known
10.1.10
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround: Remove all ACE application configurations before downgrading.
Known
10.1.10
PAN-171706
This issue is now resolved. See PAN-OS 10.1.11 Addressed Issues .
If you are using Panorama to manage firewalls with multiple virtual systems and the virtual system that is the User-ID hub uses an alias, the local commit on Panorama is successful but the commit to the firewall fails.
Known
10.1.10
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID in the Application usage widget.
Known
10.1.10
PAN-171635
If you have an on-premise Active Directory and there is an existing group mapping configuration on the firewall, if you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping even if the configuration is disabled and the firewall is rebooted, which may conflict with new mappings from the Cloud Identity Engine.
Workaround : Use the debug user-id clear domain-map command to remove the existing group mappings from the firewall.
Known
10.1.10
PAN-171224
On the Panorama management server, a custom report ( Monitor Managed Custom Reports ) with a high volume of unique data objects is not generated when you click Run Now .
Known
10.1.10
PAN-171145
If you edit or remove the value for the mail attribute in your on-premise Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.10
PAN-170923
In Policies Security Policy Optimizer New App Viewer , when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.10
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.10
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.10
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route ( Prepare to Deploy App-ID Cloud Engine describes how to do this.)
Known
10.1.10
PAN-168113
On the Panorama management server, you are unable to configure a master key ( Device Master Key and Diagnostics ) for a managed firewall if an interface ( Network Interfaces Ethernet ) references a zone pushed from Panorama.
Workaround: Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.10
PAN-167847
If you issue the command opof stats , then clear the results {opof stats -c}, the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround: Re-run the opof stats command after the offload completes.
Known
10.1.10
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to edge service.
Known
10.1.10
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the user in value in a filter query, Panorama is unable to retrieve the group membership and as a result, is unable to display this data in logs and custom reports.
Known
10.1.10
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.10
PAN-164885
This issue is now resolved. See PAN-OS 10.1.14-h6 Addressed Issues
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.10
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.10
PAN-164647
On the Panorama management server, activating a license ( Panorama Device Deployment Licenses ) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround: Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.10
PAN-164618
The VM-Series firewall CLI and system logs display the license name VM-SERIES-X , while the user interface displays VM-FLEX-X (in both cases X is the number of vCPUs). In future releases the user interface will use the VM-SERIES-X format.
Known
10.1.10
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, it displays in user@domain format in the CLI output.
Known
10.1.10
PAN-163966
On the Panorama management server, the ACC and on demand reports ( Monitor Manage Custom Reports ) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.10
PAN-162836
On the VM-Series firewall, if you select Device Licenses Deactivate VM a popup window opens and you can choose Subscriptions or Support and press Continue to remove licenses and register the changes with the license server. When the license removal is complete the Deactivate VM window does not update its text to exclude deactivated licenses or close the window.
Workaround : Wait until the license deactivation is complete, and click Cancel to close the window.
Known
10.1.10
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the No. of Groups in the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.10
PAN-161451
If you issue the command opof stats , there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state, and has no impact on the existing session.
Known
10.1.10
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if TCI policy is not configured for inspecting VXLAN traffic flows.
Workaround: On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall .
PAN-OS version 9.0 can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.10
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.10
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings ( Device Setup DLP ) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround: After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1
  2. Log in to the firewall web interface and view the Tasks to verify all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit Commit and Push to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.10
PAN-157103
Multi-channel functionality may not be properly utilized on an VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround : Execute the command debug dataplane pow status to view the number of channels being utilized by the dataplane. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       2   0   0   0   0   0     2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command debug dataplane pow status . It should now show multiple channels being utilized. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       1   1   0   0   0   0     2
Known
10.1.10
PAN-156598
( Panorama only ) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround: Use the CLI to update the combination signature.
Known
10.1.10
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit ( Commit Commit to Panorama ) failures if a custom report ( Monitor Manage Custom Reports ) is configured to Group By Session ID .
Workaround: After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.10
PAN-154034
On the Panorama management server, the Type column in the System logs ( Monitor Logs System ) for managed firewalls running a PAN-OS 9.1 release erroneously display iot as the type.
Known
10.1.10
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1
Workaround: After successful downgrade to PAN-OS 9.1, Remove Config ( Panorama Plugins ) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.10
PAN-153803
On the Panorama management server, scheduled email PDF reports ( Monitor PDF Reports ) fail if a GIF image is used in the header or footer.
Known
10.1.10
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done despite reports generated from logs in the Strata Logging Service from the PODamericas Collector Group jobs are still in a Running state.
Known
10.1.10
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.10
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates .)
Known
10.1.10
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.10
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.10
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround: Restart Panorama to connect to the IoT Security edge service.
Known
10.1.10
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.10
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround: Load the running configuration and perform a force commit to sync the devices.
Known
10.1.10
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround: Specify iot as the Type Attribute to filter the logs and use the search term as the Description Attribute . For example: ( subtype eq iot ) and ( description contains 'gRPC connection' ) .
Known
10.1.10
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.10
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround: Panorama automatically restarts the VLD and logd processes.
Known
10.1.10
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround : Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.10
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration ( Panorama SD-WAN Devices ) does not display the branch template stack as out of sync .
Additionally, adding, deleting, or modifying the BGP configuration ( Panorama SD-WAN Devices ) does not display the hub and branch template stacks as out of sync . For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync , nor does modifying the BGP configuration on the hub firewall cause the branch template stack as out of sync .
Workaround: After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.10
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround: Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.10
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates ( Panorama Managed Devices Summary ) as Out of Sync .
Workaround : When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values ( Commit Push to Devices Edit Selections ).
Known
10.1.10
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and displays the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround: Retrying fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.10
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.10
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.10
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server resulting in a delay in a log query and ingestion.
Known
10.1.10
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update ( Panorama Device Deployment Software ) but display as connected when you view your managed firewalls Summary ( Panorama Managed Devices Summary ) and from the CLI.
Workaround: Log out and log back in to the Panorama web interface.
Known
10.1.10
PAN-135742
There is an issue in HTTP2 session decryption where the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.10
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.10
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups ( Objects Address Groups ) and duplicate services in service groups ( Objects Service Groups ) when created from the CLI.
Known
10.1.10
PAN-130550
( PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls ) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.10
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround: Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.10
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.10
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.10
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.10
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2 .
Known
10.1.10
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.10
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address ( Device Setup Content ID URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
    4. Commit your changes.
  • Restart the firewall ( devsrvr ) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process: debug software restart process device-server
Known
10.1.10
PAN-116017
( Google Cloud Platform (GCP) only ) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
10.1.10
PAN-115816
( Microsoft Azure only ) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.
Known
10.1.10
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.10
PAN-112694
( Firewalls with multiple virtual systems only ) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.10
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.10
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround: Use an XML API request to unregister the tags for the subnet or range.
Known
10.1.10
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit ( Commit Commit to Panorama ) the reverted configuration to display the invalid configuration errors.
Known
10.1.10
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.10
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.10
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.10
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.10
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.10
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed ( Objects GlobalProtect HIP Objects <hip-object> General Managed ), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.10
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.10
PAN-101688
( Panorama plugins ) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all .
Known
10.1.10
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed form the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal ‘vsys eq <vsys-name> ’ <dst> | <src> in <object-name>
Known
10.1.10
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.10
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List ) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.10
PAN-97524
( Panorama management server only ) The Security Zone and Virtual System columns ( Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.10
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.10
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
10.1.10
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings ( Device Password Profiles ) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.10
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.10
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.10
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases ( Objects Security Profiles Vulnerability Protection <profile> Exceptions ). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.10
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile ( Objects Security Profiles SCTP Protection ) and you try to add the profile to an existing Security Profile Group ( Objects Security Profile Groups ), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.10
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up ( Device Setup HSM ).
Known
10.1.10
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
Known
10.1.10
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.10
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-off load no CLI command.
Known
10.1.10
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address ( Device Setup Services ).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.10
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.10
PAN-81521
Endpoints failed to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile ( Device Server Profiles Kerberos ).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.10
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session off load no CLI command.
Known
10.1.10
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama results in a validation error—the commit fails and the cluster becomes unresponsive.
Known
10.1.10
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.10
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller: 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller worker-list <worker-ip-address>
    ( <worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled. 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
yes
    or 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.10
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.10
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL , the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error ( Objects External Dynamic Lists ).
Known
10.1.10
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.10
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report ( Monitor Manage Custom Reports ). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days , the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame .
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.10
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.10
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect —The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network —When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands are blocked for 20 seconds.
Addressed
10.1.10-h9
PAN-272809
A fix was made to address CVE-2024-9474 .
Addressed
10.1.10-h9
PAN-267338
Fixed an issue where GlobalProtect logs were not available after a tunnel teardown between the satellite and the gateway.
Addressed
10.1.10-h9
PAN-167662
Fixed an issue where the rasmgr process stopped responding when it was processing a large number of messages.
Addressed
10.1.10-h5
PAN-237935
Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.
Addressed
10.1.10-h5
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.1.10-h5
PAN-236605
Fixed an issue where the configd process stopped responding due to a deadlock related to rule-hit-count.
Addressed
10.1.10-h5
PAN-234962
Fixed an issue on Panorama that caused commit operations to be slower than expected.
Addressed
10.1.10-h5
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.1.10-h5
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.1.10-h5
PAN-226418
A CLI command was added to address an issue where long-lived sessions aged out even when there was ongoing traffic.
Addressed
10.1.10-h5
PAN-225920
Fixed an issue where duplicate predict sessions didn't release NAT resources.
Addressed
10.1.10-h5
PAN-223852
Fixed an issue where all_pktproc stopped responding when network packet broker or decryption broker chains failed.
Addressed
10.1.10-h5
PAN-223741
Fixed an issue where the mprelay process stopped responding, which caused a slot restart when another slot rebooted.
Addressed
10.1.10-h5
PAN-220712
Fixed an issue where retransmitted DNS requests made by the firewall did not follow the Policy Based Forwarding (PBF) rule. With this fix, both original and retransmitted DNS requests follow the PBF rule.
Addressed
10.1.10-h5
PAN-219643
( VM-Series firewalls in Microsoft Azure environments only ) Fixed an issue where the dataplane interface status went down due to a DPDK driver issue.
Addressed
10.1.10-h5
PAN-218555
Fixed an issue where the firewall did not receive dynamic address updates pushed from Panorama during initial registration to Panorama.
Addressed
10.1.10-h5
PAN-218404
Fixed an issue where ikemgr stopped responding due to receiving CREATE_CHILD messages with a malformed SA payload.
Addressed
10.1.10-h5
PAN-217484
Fixed an issue where the rasmgr process used 100% CPU due to a maximum duration timer not being set, which caused the GlobalProtect gateway to be unavailable.
Addressed
10.1.10-h5
PAN-217208
Fixed an issue where a memory leak related to the snmpd process caused an out-of-memory (OOM) condition or caused the process to restart when using SNMPv3.
Addressed
10.1.10-h5
PAN-216043
Fixed an issue where wifclient stopped responding due to shared memory corruption.
Addressed
10.1.10-h5
PAN-215767
Fixed an issue where, after a high availability failover, IKE SA negotiation failed with the error message INVALID_SPI , which resulted in temporary loss of traffic over some proxy IDs.
Addressed
10.1.10-h5
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.1.10-h2
PAN-225169
Added a CLI command to view Strata Logging Service queue usage.
Addressed
10.1.10-h2
PAN-223501
Fixed an issue where diagnostic information for the dataplane in the dp-monitor.log file was not complete.
Addressed
10.1.10-h2
PAN-222712
( PA-5450 firewalls only ) Fixed a low frequency DPC restart issue.
Addressed
10.1.10-h2
PAN-221984
( VM-Series firewalls in Microsoft Azure environments only ) Fixed an issue where an interface went down after a hotplug event and was only recoverable by restarting the firewall.
Addressed
10.1.10-h2
PAN-219508
( VM-Series, PA-400 Series, PA-1400, PA-3400, and PA-5400 Series firewalls only ) Fixed an issue where Bidirectional Forwarding Detection (BFD) packets experienced a delay in processing, which caused the BFD connection to flap.
Addressed
10.1.10-h2
PAN-215436
Fixed an issue with the web interface where the latest logs took longer than expected to display under Monitor .
Addressed
10.1.10-h2
PAN-215317
Fixed an issue where the dataplane stopped responding unexpectedly with the error message comm exited with signal of 10 .
Addressed
10.1.10-h2
PAN-210875
Fixed an issue where the pan_task process stopped responding due to software packet buffer 3 trailer corruption, which caused the firewall to restart.
Addressed
10.1.10-h2
PAN-195439
( VM-Series firewalls in Microsoft Azure environments only ) Fixed an issue where the dataplane interface status went down after a hotplug event triggered by Azure infrastructure.
Addressed
10.1.10-h2
PAN-184630
Fixed an issue where TLS clients, such as those using OpenSSL 3.0, enforced the TLS renegotiation extension (RFC 5746).
Addressed
10.1.10-h2
PAN-180082
Fixed an issue where errors in brdagent logs caused dataplane path monitoring failure.
Addressed
10.1.10-h2
PAN-160633
( PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only ) Fixed an issue where the dataplane restarted repeatedly due to an internal path monitoring failures until a power cycle.
Addressed
10.1.10-h1
PAN-223317
Fixed an issue where SSL traffic failed with the error message: Error: General TLS protocol error .
Addressed
10.1.10-h1
PAN-219659
Fixed an issue where root partition frequently filled up and the following error message was displayed: Disk usage for / exceeds limit, xx percent in use, cleaning filesystem .
Addressed
10.1.10-h1
PAN-218947
Fixed an issue where logs were not displayed in Elasticsearch under ingestion load.
Addressed
10.1.10-h1
PAN-218335
Fixed an issue with hardware destination MAC filtering on the Log Processing Card (LPC) that caused the logging card interface to be susceptible to unicast flooding.
Addressed
10.1.10-h1
PAN-218001
( PA-400 Series firewalls only ) Fixed an issue where shutdown commands rebooted the system instead of correctly triggering a shutdown.
Addressed
10.1.10-h1
PAN-217681
Fixed an issue caused by out of order TCP segments where the FIN flag and TCP data was truncated in a packet, which resulted in retransmission failure.
Addressed
10.1.10-h1
PAN-217477
Fixed an issue where the drop counter was incremented incorrectly. Drop counter calculations did not account for failures to send out logs from logrcvr/logd to syslog-ng.
Addressed
10.1.10-h1
PAN-217169
Fixed an issue where the logrcvr stopped forwarding logs to the syslog server after a restart or crash.
Addressed
10.1.10-h1
PAN-216984
Fixed an issue where internal path monitoring failed due to the sysdagent not responding.
Addressed
10.1.10-h1
PAN-215911
Fixed an issue that resulted in a race condition, which caused the configd process to stop responding.
Addressed
10.1.10-h1
PAN-215808
Fixed an issue where, after upgrading to PAN-OS 10.1, the log forwarding rate towards the syslog server was reduced. With this fix, the overall log-forwarding rate has also been improved.
Addressed
10.1.10-h1
PAN-215315
Fixed an issue where the dataplane stopped responding due to ager and inline packet processing occurring concurrently on different cores for the same session.
Addressed
10.1.10-h1
PAN-214990
Fixed an issue where firewall copper ports flapped intermittently when device telemetry was enabled.
Addressed
10.1.10-h1
PAN-214815
Fixed an issue where SNMP queries were not replied to due to an internal process timeout.
Addressed
10.1.10-h1
PAN-214187
Fixed an issue where superreaders were able to execute the request restart system CLI command.
Addressed
10.1.10-h1
PAN-214026
Fixed an issue where, when using an ECMP weighted-round-robin algorithm, traffic was not redistributed among the links proportionally as expected from the configuration.
Addressed
10.1.10-h1
PAN-212877
Fixed an issue where a race condition caused log flooding, which caused the firewall to go into an unresponsive state.
Addressed
10.1.10-h1
PAN-211887
Fixed an issue on Panorama that caused recently committed changes to not be displayed when previewing the changes to push to device groups.
Addressed
10.1.10-h1
PAN-210740
Fixed a memory leak issue related to the slotd process.
Addressed
10.1.10-h1
PAN-196116
A new CLI command debug log-receiver param-tuning syslog-threads to increase the number of processing threads for syslog forwarding up to 16 was added to address an issue where the syslog forwarding queue depth approached its limit and the drop count increased.
Addressed
10.1.10-h1
PAN-186579
Fixed an issue where, after a hardware failure, the system log did not include information about the failure.
Addressed
10.1.10-h1
PAN-181724
Fixed an issue where the Panorama or firewall page remained open after the session expired and you were unable to perform additional actions.
Addressed
10.1.10-h1
PAN-172853
Fixed an issue where Panorama appliances running a PAN-OS 10.0 release did not push the Security policy options no-hip and quarantine to firewalls running PAN-OS 9.1.
Addressed
10.1.10
PAN-217431
( PA-5400 Series firewalls with DPC (Data Processing Cards) only ) Fixed an issue with slot 2 DPCs where URL Filtering did not work as expected after upgrading to PAN-OS 10.1.9.
Addressed
10.1.10
PAN-217284
Fixed an intermittent issue where an LACP flap occurred when the LACP transmission rate was set to Fast .
Addressed
10.1.10
PAN-216996
Fixed an issue where, after upgrading Panorama to PAN-OS 10.1.9, multiple User-ID alerts were generated every 10 minutes.
Addressed
10.1.10
PAN-216710
Fixed an issue with firewalls in active/active HA configurations where GlobalProtect disconnected when the original suspected active-primary firewall became active-secondary.
Addressed
10.1.10
PAN-216656
Fixed an issue where the firewall was unable to fully process the user list from a child group when the child group contained more than 1,500 users.
Addressed
10.1.10
PAN-216366
Fixed an issue where, when custom signatures used a certain syntax, false positives were generated on devices on a PAN-OS 10.0 release.
Addressed
10.1.10
PAN-215503
Fixed a memory related issue where the MEMORY_POOL address was mapped incorrectly
Addressed
10.1.10
PAN-215125
Fixed an issue where false negatives occurred for some script samples.
Addressed
10.1.10
PAN-215023
( PA-400 Series firewalls only ) Fixed an issue where the firewall did not boot up successfully and an Amber LED light was shown.
Addressed
10.1.10
PAN-214624
Fixed an issue where the logrcvr process stopped responding.
Addressed
10.1.10
PAN-213463
( PA-5200 Series firewalls only ) Fixed an issue where unplugging a PAN-SFP-CG transceiver from an interface with its link speed setting set to 1000 caused the firewall to incorrectly read that interface as up.
Addressed
10.1.10
PAN-212848
Fixed an issue where attempting to change the disk-usage cleanup threshold to 90 resulted in the error message Server error : op command for client dagger timed out as client is not available .
Addressed
10.1.10
PAN-212530
Fixed an issue on log collectors where the root partition reached 100% utilization.
Addressed
10.1.10
PAN-211997
Fixed an issue where large OSPF control packets were fragmented, which caused the neighborship to fail.
Addressed
10.1.10
PAN-211602
Fixed an issue where, when viewing a WildFire Analysis report via the web interface, the detailed log view was not accessible if the browser window was resized.
Addressed
10.1.10
PAN-211441
Fixed a memory leak issue related to SSL crypto operations that resulted in failed commits.
Addressed
10.1.10
PAN-211422
Fixed an issue where the show session packet-buffer-protection buffer-latency CLI command randomly displayed incorrect values.
Addressed
10.1.10
PAN-211242
Fixed an issue where missed heartbeats caused the Data Processing Card (DPC) and its corresponding Network Processing Card (NPC) to restart due to internal packet path monitoring failure.
Addressed
10.1.10
PAN-211150
Fixed an issue on Panorama where users with custom admin roles were incorrectly unable to view SSH profiles even when it was permitted in the custom role.
Addressed
10.1.10
PAN-210921
( Panorama appliances in Legacy Mode only ) Fixed an issue where Blocked Browsing Summary by Website in the user activity report contained scrambled characters.
Addressed
10.1.10
PAN-210919
Fixed an issue where the Data Processing Card remained in a Starting state after a restart.
Addressed
10.1.10
PAN-210738
Fixed an issue where fragmented UDP packets were dropped.
Addressed
10.1.10
PAN-210661
Fixed an issue where firewalls disconnected from Strata Logging Service due to a missing key file after renewing the device certificate.
Addressed
10.1.10
PAN-210654
Fixed an issue with firewalls on active/passive HA configurations GlobalProtect where users were disconnected after HA failover.
Addressed
10.1.10
PAN-210563
Fixed an issue on Panorama where Security policy rules with a Tag target did not appear in the pre-rule list of a Dynamic Address Group that was part of the tag.
Addressed
10.1.10
PAN-210397
Fixed an issue on Panorama where VM-Series firewalls in HA configurations hosted on Amazon Web Services (AWS) were not displayed under Deploy Master Key .
Addressed
10.1.10
PAN-210236
Fixed an issue where the Templates list was not displayed under the Location drop-down for commit or configuration locks.
Addressed
10.1.10
PAN-210216
A debug command was added to address an issue with firewalls in high availability configurations.
Addressed
10.1.10
PAN-210158
( CN-Series firewalls only ) Fixed an issue where the dataplane stopped responding after a container restart.
Addressed
10.1.10
PAN-210000
Fixed an issue where, when traffic and threat logs exceeded the threshold of 90% total allowed size, alarms were not generated for other log types.
Addressed
10.1.10
PAN-209872
Fixed an issue where dataplane ports responded to ICMP requests fewer than 64 bytes with nonzero padding bytes in the ICMP response.
Addressed
10.1.10
PAN-209696
Fixed an issue where link-local address communication for IPv6, BFD, and OSPFv3 neighbors was dropped when IP address spoofing check was enabled in a Zone Protection profile.
Addressed
10.1.10
PAN-209683
Fixed an issue where Panorama was unable to retrieve IP address-to-username mapping from a firewall on a PAN-OS 8.1 release.
Addressed
10.1.10
PAN-209617
Fixed an issue with firewalls in active/passive HA configurations where the passive firewall created an incorrect SCTP association due to the HA sync messages from the active firewall having an incorrect value.
Addressed
10.1.10
PAN-209501
Fixed an issue where the GlobalProtect logdb quota was not displayed in the show system logdb quota output.
Addressed
10.1.10
PAN-209491
Fixed an issue on the web interface where the Session Expire Time displayed a past date if the device time was in December.
Addressed
10.1.10
PAN-209375
Fixed an issue on the firewall where log filtering did not work as expected.
Addressed
10.1.10
PAN-209108
Fixed an issue where a Panorama in Management Only mode was unable to display logs from log collectors due to missing schema files.
Addressed
10.1.10
PAN-208930
( PA-7000 Series firewalls only ) Fixed an issue where autotagging in log forwarding did not work.
Addressed
10.1.10
PAN-208902
Fixed an issue where, when a client sent a TCP/FIN packet, the firewall displayed the end reason as aged-out instead of tcp-fin .
Addressed
10.1.10
PAN-208877
Fixed an issue where the all_task process stopped responding when freeing the HTTP/2 stream, which caused the dataplane to go down.
Addressed
10.1.10
PAN-208792
Fixed an issue where authentication failed when the service route for RADIUS traffic was configured as use default for IPv4 addresses and included the dataplane interface as the destination route.
Addressed
10.1.10
PAN-208526
Fixed an issue where API calls did not display tunnel info.
Addressed
10.1.10
PAN-208485
Fixed an issue where NAT policies were not visible on the CLI if they contained more than 32 characters.
Addressed
10.1.10
PAN-208438
Fixed an issue on Panorama where Security policy rules incorrectly displayed as disabled.
Addressed
10.1.10
PAN-208325
( PA-5400 Series, PA-3400 Series, PA-400 Series only, and PA-5450 firewalls only ) Fixed an issue where the firewall was unable to automatically renew the device certificate.
Addressed
10.1.10
PAN-208316
Fixed an issue where user-group names were unable to be configured as the source user via the test security-policy-match command.
Addressed
10.1.10
PAN-208240
Fixed an issue where, when attempting to replace an existing certificate, importing a new certificate with the same name as the existing certificate failed due to mismatched public and private keys.
Addressed
10.1.10
PAN-208210
Fixed an issue where changes to the syslog server configuration were not applied without first restarting the management server.
Addressed
10.1.10
PAN-208201
Fixed an issue on the firewall where the modified date and time was incorrectly updated after a commit operation, PAN-OS upgrade, or reboot.
Addressed
10.1.10
PAN-208189
Fixed an issue when traffic failed to match and reach all destinations if a Security policy rule includes FQDN objects that resolve to two or more IP addresses.
Addressed
10.1.10
PAN-208187
Fixed an issue where REST API requests did not work for GlobalProtect gateway tunnels.
Addressed
10.1.10
PAN-208039
( PA-7000 Series firewalls with SMC-B only ) Fixed an issue where the details of configuration changes were not included in configuration logs on the syslog server.
Addressed
10.1.10
PAN-207741
Fixed an issue where Large Scale VPN (LSVPN) Portal authentication failed with the error invalid http response. return error(Authentication failed; Retry authentication when the satellite connected to more than one portal.
Addressed
10.1.10
PAN-207663
Fixed a Clientless VPN issue where JSON stringifies caused issues with the application rewrite.
Addressed
10.1.10
PAN-207661
Fixed an issue with firewalls in active/active HA configurations where the virtual floating IP address configuration under a Panorama template was overridden and displayed From Template Override: undefined as a source.
Addressed
10.1.10
PAN-207577
Fixed an issue where Panorama > Setup > Interfaces was not accessible for users with custom admin roles even when the interface option was selected for the custom admin roles.
Addressed
10.1.10
PAN-207562
Fixed an issue where the shard count displayed by the show log-collector-es-cluster health CLI command was higher than the recommended limit. The recommended limit can be calculated with the formula 20*heap-memory*no-of-data-nodes.
Addressed
10.1.10
PAN-207400
Fixed an issue on Octeon based platforms where fragmented VLAN tagged packets dropped on an aggregate interface.
Addressed
10.1.10
PAN-206640
Fixed an issue where the ikemgr process stopped responding, which caused IPSec tunnels to go down.
Addressed
10.1.10
PAN-206396
Fixed an issue where HIP report flip and HIP check failed when a user was part of multiple user groups with different domains.
Addressed
10.1.10
PAN-206333
Fixed an issue where the Include/Exclude IP filter under Data Distribution did not work correctly.
Addressed
10.1.10
PAN-206268
Fixed an issue where an authentication key field, even though not supported, was enabled under the Device tab on Panorama.
Addressed
10.1.10
PAN-206221
Fixed an issue where scheduled configuration pushes with Include Device and Network Templates selected did not work.
Addressed
10.1.10
PAN-206128
( PA-7000 Series firewalls with NPCs (Network Processing Cards) only ) Improved debugging capability for an issue where the firewall restarted due to heartbeat failures and then failed with the following error message: Power not OK .
Addressed
10.1.10
PAN-205995
Fixed an issue where logs from unaffected log collector groups were not displayed when a log collector was down.
Addressed
10.1.10
PAN-205955
Fixed an issue where RAID rebuilds occurred even with healthy disks and a clean shutdown.
Addressed
10.1.10
PAN-205829
Fixed an issue where logs did not display Host-ID details for GlobalProtect users despite having a quarantine Security policy rule. This occurred due to a missed local cache lookup.
Addressed
10.1.10
PAN-205804
Fixed an issue on Panorama where a WildFire scheduled update for managed devices triggered multiple UploadInstall jobs per minute.
Addressed
10.1.10
PAN-205513
Fixed an issue where the stats dump file generated by Panorama for a device firewall differed from the stats dump file generated by the managed device.
Addressed
10.1.10
PAN-205451
Fixed an issue where the pan_com process stopped responding due to aggressive commits.
Addressed
10.1.10
PAN-205369
Fixed an issue where connections to Strata Logging Service were initialized from the firewall even when Strata Logging Service forwarding was disabled.
Addressed
10.1.10
PAN-205337
Fixed an issue in the Run Now section of custom reports where Threat/Content Name displayed in hypertext, and hovering over the text with the mouse displayed the message undefined .
Addressed
10.1.10
PAN-205086
Fixed an issue where DNS Security categories were able to be deleted from spyware profiles.
Addressed
10.1.10
PAN-204987
Fixed an issue where the firewall changed sequence numbers for reused sessions.
Addressed
10.1.10
PAN-204718
( PA-5200 Series firewalls only ) Fixed an issue where, after upgrading to PAN-OS 10.1.6-h3, a TACACS user login displayed the following error message during the first login attempt: Could not chdir to home directory /opt/pancfg/home/user: Permission denied .
Addressed
10.1.10
PAN-204683
Fixed an issue where logs were unable to be generated due to old logs not getting purged and /opt/panlogs reaching over 100% usage.
Addressed
10.1.10
PAN-204420
( WF-500 appliances only ) Fixed an issue where, after an upgrade to a PAN-OS 10.1 release, SNMP traps were not sent to the SNMP server. This occurred due to SNMP trap server settings not being enabled.
Addressed
10.1.10
PAN-204233
Fixed an issue where, when the firewall received a 513 error from the WildFire cloud, the firewall attempted to repeatedly send the same file.
Addressed
10.1.10
PAN-203663
Fixed an issue where administrators were unable to change the password of a local database for users configured as a local admin user via an authentication profile.
Addressed
10.1.10
PAN-203655
Fixed an issue where enabling event-specific traps ( Device Setup Operations Miscellaneous SNMP Setup ), the new deviating device system logs included incorrect information.
Addressed
10.1.10
PAN-203339
Fixed an issue where services failed due to the RAID rebuild not being completed on time.
Addressed
10.1.10
PAN-203137
( PA-5450 firewalls only ) Fixed an issue where HSCI ports did not come up when QSFP DAC cables were used.
Addressed
10.1.10
PAN-202981
Fixed an issue on Panorama where global find did not return results for existing universally unique identifiers (UUID).
Addressed
10.1.10
PAN-201855
Fixed an issue where, after cloning a template, a certificate with the block private key option enabled was corrupted.
Addressed
10.1.10
PAN-201839
Fixed an issue where GlobalProtect HIP matches failed for Mac users due to invalid characters being present in the subject alternative attributes in the certificate on the HIP report.
Addressed
10.1.10
PAN-201721
Fixed an issue with firewalls in HA configurations where HA setup generated the error mismatch due to device update during a content update even though the version was the same.
Addressed
10.1.10
PAN-201601
Fixed an issue where the all_task process stopped responding after adding customer hyperscan signatures.
Addressed
10.1.10
PAN-201561
Fixed an issue where LSVPN satellite authentication cookies were not synced across high availability LSVPN portals.
Addressed
10.1.10
PAN-201466
Fixed an issue where the system log generated on GlobalProtect satellite did not provide the reason for failures to connect to the GlobalProtect portal or gateway.
Addressed
10.1.10
PAN-201085
( PA-5450 firewalls only ) Fixed an issue where inserting the NPC and DPC on slot2 created excessive logs in the bcm.log file .
Addressed
10.1.10
PAN-200676
Fixed an issue with firewalls in active/passive HA configurations where the user counts in the management plane were not synchronized between the active and the passive firewall.
Addressed
10.1.10
PAN-200356
Fixed an issue where the Elapsed seconds field incorrectly displayed as 0 for DHCP packets coming from the firewall.
Addressed
10.1.10
PAN-199687
Fixed an issue where content updates failed when using prelicensed keys during the bootstrap process.
Addressed
10.1.10
PAN-199557
Fixed an issue on Panorama where virtual memory usage exceeded the set limit, which caused the configd process to restart.
Addressed
10.1.10
PAN-198693
Fixed an issue where decrypted SSH sessions were interrupted with a decryption error.
Addressed
10.1.10
PAN-198453
Fixed an issue where you were unable to resize the Description pop-up window ( Policies > Security > Prerules ).
Addressed
10.1.10
PAN-198333
Fixed an issue where the SaaS PDF report incorrectly displayed the sanctioned application tag count as 1.
Addressed
10.1.10
PAN-198043
Fixed a rare issue where a BuildXmlCache job failed on the firewall.
Addressed
10.1.10
PAN-197388
Fixed an issue where, when the firewall forwarded Threat logs via email, the email client truncated the sender and recipient email addresses when they were put between angle brackets (<, >).
Addressed
10.1.10
PAN-197115
Fixed an issue where, when the total number of in-used HIP Profiles was greater than 32, traffic from the GlobalProtect Agent did not hit the expected Security policy rule configured with the HIP Profile even though a HIP Match log was generated.
Addressed
10.1.10
PAN-196597
Fixed an issue where the dnsproxyd process stopped responding due to corruption.
Addressed
10.1.10
PAN-196417
( PA-7000 Series firewalls only ) Fixed an issue where firewalls experienced slow SNMP responses, which caused the SNMP server to time out before polling completion.
Addressed
10.1.10
PAN-196345
Fixed an issue where scheduled dynamic content updates failed to be retrieved by managed firewalls from Panorama when connectivity was slow.
Addressed
10.1.10
PAN-196003
Fixed an issue where the Adjust Columns options for Panorama Traffic logs did not correctly autoadjust the columns.
Addressed
10.1.10
PAN-195251
Fixed an issue where IPSec tunnel re-keying generated the critical log message tunnel-status-up .
Addressed
10.1.10
PAN-194805
Fixed an issue where scheduled configuration backups to the SCP server failed with the error message No ECDSA host key is known .
Addressed
10.1.10
PAN-193710
Fixed an issue where running the show interface CLI command caused the pan_comm process to stop responding during a configuration change.
Addressed
10.1.10
PAN-193521
Fixed an issue where Panorama > Device > Deployment > Software did not display software after running check now for managed devices.
Addressed
10.1.10
PAN-192739
Fixed an issue where the error message Machine Learning found virus was displayed in threat CSV logs as Threat ID/Name when WildFire Inline ML detected malware.
Addressed
10.1.10
PAN-192681
Fixed an issue where HIP database storage on the firewall reached full capacity due to the firewall not purging older HIP reports.
Addressed
10.1.10
PAN-192417
Fixed an issue where botnet reports were not generated on the firewall.
Addressed
10.1.10
PAN-190903
Fixed an issue where MAC addresses in threat capture were swapped between the source MAC and destination MAC addresses.
Addressed
10.1.10
PAN-189442
Fixed an issue where the all_pktproc process stopped responding, which caused the firewall to reboot.
Addressed
10.1.10
PAN-189395
( PA-400 Series firewalls only ) Fixed an issue where running a PAN-OS 10.2 release caused dataplane processes to restart unexpectedly.
Addressed
10.1.10
PAN-189441
Fixed an issue where the pan_comm process repeatedly restarted, which caused commits to fail.
Addressed
10.1.10
PAN-189423
Fixed an issue where exporting correlation logs generated an empty file.
Addressed
10.1.10
PAN-189196
Fixed an issue on the firewall where the DHCP server did not send DHCP NAK packets correctly when Served Addresses were configured.
Addressed
10.1.10
PAN-188403
Fixed an issue on the web interface where the interzone-default rule hit count was not displayed.
Addressed
10.1.10
PAN-187253
( PA-400 Series firewalls only ) Fixed an issue where the *all_task* process stopped repsonding.
Addressed
10.1.10
PAN-186956
Fixed an issue where SD-WAN DIA VIF did not become active if default gateways for the member interface did not respond to pings.
Addressed
10.1.10
PAN-186412
Fixed an issue where invalid packet-ptr was seen in work entries.
Addressed
10.1.10
PAN-186182
Fixed an issue where software buffer 3 was depleted when URL proxy was enabled and SSL sessions were decrypted to inject the block page. This issue occurred when an HTTP/2 block page was displayed for a large POST request.
Addressed
10.1.10
PAN-185770
Fixed an issue where the firewall displayed the error message Malformed Request when an email address included an ampersand ( & ) when configuring an Email server profile.
Addressed
10.1.10
PAN-182689
Fixed an issue where a signature from a previous WildFire package triggered malware detection even though the signature was no longer present in the current WildFire package.
Addressed
10.1.10
PAN-180655
Fixed an issue where FTP connections failed when SSL Inbound Inspection was enabled and a Security Profile was attached to the FTP connection allow policy rule.
Addressed
10.1.10
PAN-172977
Fixed an issue where session offloading did not occur on a tap interface under a high packet load.
Addressed
10.1.10
PAN-172806
Fixed an issue that the logrcvr process crashes during the firewall reboots.
Addressed
10.1.10
PAN-170414
Fixed an issue related to an OOM condition in the dataplane, which was caused by multiple panio commands using extra memory.
Addressed
10.1.10
PAN-168102
Fixed an issue where the API format to check heap usage of a node showed a JSON error.
Known
10.1.11
—
If you use Panorama to retrieve logs from Strata Logging Service , new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to Strata Logging Service and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode .
Known
10.1.11
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.11
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.11
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.11
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM- <xxx> license , indicates that you must allocate the additional memory required for licensed capacity for the firewall model.
Known
10.1.11
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.11
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.11
APL-15000
When you move a firewall from one Strata Logging Service instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.11
APL-8269
For data retrieved from Strata Logging Service , the Threat Name column in Panorama ACC threat-activity appears blank.
Known
10.1.11
PLUG-12041
On an OpenShift cluster, MP pod may crash when the number of underlying threads exceeds beyond the per pod maximum limit of 1024.
Workaround: Increase the process ID (PID) limit to 2048 in worker nodes.
Known
10.1.11
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.11
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.11
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround: Retry connecting after you restart the web server with the following command: debug software restart process web-server .
Known
10.1.11
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.1.11
PAN-242784
This issue is now resolved. See PAN-OS 10.1.11-h5 Addressed Issues .
DNS resolution may fail if DNS server IP is obtained through DHCP.
Workaround: Configure the DNS server with a static IP or renew the DHCP IP when you see the issue.
This issue affects PAN-OS 10.1.11-h4 only.
Known
10.1.11
PAN-235741
This issue is now resolved. See PAN-OS 10.1.11-h5 Addressed Issues .
DNS resolution fails for firewall and Panorama plugins if the DNS Server IP address is obtained through DHCP.
This issue affects PAN-OS 10.1.11-h4 only.
Known
10.1.11
PAN-231658
DNS resolution fails when interfaces are configured as DHCP and a DNS server is provided via DHCP while also statically configured with DNS servers.
This issue affects PAN-OS 10.1.11-h5 only.
Known
10.1.11
PAN-230106
The firewall is unable to retrieve the most current external dynamic list information from the server due to hostname resolution failure.
This issue affects PAN-OS 10.1.11-h5 only.
Known
10.1.11
PAN-227435
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues .
( PA-410 firewalls only ) Upgrading a firewall to PAN-OS 10.1.11-h1 or PAN-OS 10.1.11-h4 causes the logrcvr process to hang or crash. This causes the auto-commit process to fail or remain at 0% .
Known
10.1.11
PAN-227344
On the Panorama management server, PDF Summary Reports ( Monitor PDF Reports Manage PDF Summary ) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.11
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.1.11
PAN-223488
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues .
Closed ElasticSearch shards are not deleted from a Panorama M-Series or virtual appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.1.11
PAN-221015
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues .
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. The results in the Managed Collector ES health status ( Panorama Managed Collectors Health Status ) to be degraded.
Workaround: Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes. 
admin>debug elasticsearch es-restart optional all
Known
10.1.11
PAN-219644
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues .
Firewalls forwarding logs to a syslog server over TLS ( Objects Log Forwarding ) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
10.1.11
PAN-219824
File system checks on the logging drive may take more time depending on the usage and file system content, resulting in autocommits taking longer to complete than expected.
Known
10.1.11
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.11
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.1.11
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.1.11
PAN-212978
The Palo Alto Networks firewall stops responding when executing an SD-WAN debug operational CLI command.
Known
10.1.11
PAN-211728
For VM-Series firewalls leveraging SD-WAN and deployed on VMware ESXi running VMX-13, Auto-Commits fail after upgrade to PAN-OS 10.1.9 and display the error:
total SD-WAN interfaces 3 exceed the platform maximum 0
Workaround: Attach a serial console to the VM-Series firewall before upgrade to PAN-OS 10.1.9.
Known
10.1.11
PAN-204689
Upon upgrade to PAN-OS 10.1.9, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App Allow with Passcode
  • Allow user to Disable GlobalProtect App Allow with Passcode
  • Allow User to Uninstall GlobalProtect App Allow with Password
Known
10.1.11
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups ( Panorama Device Groups ) under the same device group hierarchy that are used in one or more Policies , renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B .
  2. You create address objects called AddressObjA in the Shared , DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B .
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB .
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.11
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.1.11
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.11
PAN-194424
( PA-5450 firewall only ) Upgrading to PAN-OS 10.1.6-h2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround: Restart the log receiver service by running the following CLI command: 
debug software restart process log-receiver
Known
10.1.11
PAN-194202
( PA-5450 firewall only ) If the management interface and Log Collector are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.1.11
PAN-193518
All logs ( Monitor Logs ) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Workaround: If you need to downgrade from PAN-OS 10.1 to PAN-OS 10.0 and then back to PAN-OS 10.1, downgrade to PAN-OS 10.0.11 to ensure that all logs ingested while running a PAN-OS 10.0 release remain accessible after upgrade back to PAN-OS 10.1.
Known
10.1.11
PAN-193004
This issue is now resolved. See PAN-OS 10.1.12 Addressed Issues .
The Panorama management server fails to delete old IP Tag data. This causes the /opt/pancfg partition to reach maximum capacity which impacts Panorama performance.
Known
10.1.11
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys that impacts exporting logs ( Device Scheduled Log Export ), exporting configurations ( Device Scheduled Config Export ), or the scp export command in the CLI.
Workaround: Use RSA-based host keys on the destination server.
Known
10.1.11
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.1.11
PAN-179888
On the Panorama management server, the number of managed firewall ( Panorama Managed Devices Health ) Power Supplies displays an incorrect count of power supplies.
Known
10.1.11
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.1.11
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.1.11
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround: Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.11
PAN-172067
When you configure an HTTP server profile ( Device Server Profiles HTTP or Panorama Server Profiles HTTP ), the Username and Password fields are always required regardless of whether Tag Registration is enabled.
Workaround: When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require it. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.11
PAN-172061
A process ( all_pktproc ) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.11
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Known
10.1.11
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround: Remove all ACE application configurations before downgrading.
Known
10.1.11
PAN-171706
If you are using Panorama to manage firewalls with multiple virtual systems and the virtual system that is the User-ID hub uses an alias, the local commit on Panorama is successful but the commit to the firewall fails.
Known
10.1.11
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID in the Application usage widget.
Known
10.1.11
PAN-171635
If you have an on-premise Active Directory and there is an existing group mapping configuration on the firewall, if you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping even if the configuration is disabled and the firewall is rebooted, which may conflict with new mappings from the Cloud Identity Engine.
Workaround : Use the debug user-id clear domain-map command to remove the existing group mappings from the firewall.
Known
10.1.11
PAN-171224
On the Panorama management server, a custom report ( Monitor Managed Custom Reports ) with a high volume of unique data objects is not generated when you click Run Now .
Known
10.1.11
PAN-171145
If you edit or remove the value for the mail attribute in your on-premise Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.11
PAN-170923
In Policies Security Policy Optimizer New App Viewer , when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.11
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.11
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.11
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route ( Prepare to Deploy App-ID Cloud Engine describes how to do this.)
Known
10.1.11
PAN-168113
On the Panorama management server, you are unable to configure a master key ( Device Master Key and Diagnostics ) for a managed firewall if an interface ( Network Interfaces Ethernet ) references a zone pushed from Panorama.
Workaround: Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.11
PAN-167847
If you issue the command opof stats , then clear the results {opof stats -c}, the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround: Re-run the opof stats command after the offload completes.
Known
10.1.11
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to edge service.
Known
10.1.11
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the user in value in a filter query, Panorama is unable to retrieve the group membership and as a result, is unable to display this data in logs and custom reports.
Known
10.1.11
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.11
PAN-164885
This issue is now resolved. See PAN-OS 10.1.14-h6 Addressed Issues
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.11
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.11
PAN-164647
On the Panorama management server, activating a license ( Panorama Device Deployment Licenses ) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround: Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.11
PAN-164618
The VM-Series firewall CLI and system logs display the license name VM-SERIES-X , while the user interface displays VM-FLEX-X (in both cases X is the number of vCPUs). In future releases the user interface will use the VM-SERIES-X format.
Known
10.1.11
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, it displays in user@domain format in the CLI output.
Known
10.1.11
PAN-163966
On the Panorama management server, the ACC and on demand reports ( Monitor Manage Custom Reports ) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.11
PAN-162836
On the VM-Series firewall, if you select Device Licenses Deactivate VM a popup window opens and you can choose Subscriptions or Support and press Continue to remove licenses and register the changes with the license server. When the license removal is complete the Deactivate VM window does not update its text to exclude deactivated licenses or close the window.
Workaround : Wait until the license deactivation is complete, and click Cancel to close the window.
Known
10.1.11
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the No. of Groups in the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.11
PAN-161451
If you issue the command opof stats , there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state, and has no impact on the existing session.
Known
10.1.11
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if TCI policy is not configured for inspecting VXLAN traffic flows.
Workaround: On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall .
PAN-OS version 9.0 can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.11
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.11
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings ( Device Setup DLP ) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround: After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1
  2. Log in to the firewall web interface and view the Tasks to verify all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit Commit and Push to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.11
PAN-157103
Multi-channel functionality may not be properly utilized on an VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround : Execute the command debug dataplane pow status to view the number of channels being utilized by the dataplane. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       2   0   0   0   0   0     2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command debug dataplane pow status . It should now show multiple channels being utilized. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       1   1   0   0   0   0     2
Known
10.1.11
PAN-156598
( Panorama only ) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround: Use the CLI to update the combination signature.
Known
10.1.11
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit ( Commit Commit to Panorama ) failures if a custom report ( Monitor Manage Custom Reports ) is configured to Group By Session ID .
Workaround: After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.11
PAN-154034
On the Panorama management server, the Type column in the System logs ( Monitor Logs System ) for managed firewalls running a PAN-OS 9.1 release erroneously display iot as the type.
Known
10.1.11
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1
Workaround: After successful downgrade to PAN-OS 9.1, Remove Config ( Panorama Plugins ) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.11
PAN-153803
On the Panorama management server, scheduled email PDF reports ( Monitor PDF Reports ) fail if a GIF image is used in the header or footer.
Known
10.1.11
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done despite reports generated from logs in the Strata Logging Service from the PODamericas Collector Group jobs are still in a Running state.
Known
10.1.11
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.11
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates .)
Known
10.1.11
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.11
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.11
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround: Restart Panorama to connect to the IoT Security edge service.
Known
10.1.11
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.11
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround: Load the running configuration and perform a force commit to sync the devices.
Known
10.1.11
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround: Specify iot as the Type Attribute to filter the logs and use the search term as the Description Attribute . For example: ( subtype eq iot ) and ( description contains 'gRPC connection' ) .
Known
10.1.11
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.11
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround: Panorama automatically restarts the VLD and logd processes.
Known
10.1.11
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround : Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.11
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration ( Panorama SD-WAN Devices ) does not display the branch template stack as out of sync .
Additionally, adding, deleting, or modifying the BGP configuration ( Panorama SD-WAN Devices ) does not display the hub and branch template stacks as out of sync . For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync , nor does modifying the BGP configuration on the hub firewall cause the branch template stack as out of sync .
Workaround: After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.11
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround: Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.11
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates ( Panorama Managed Devices Summary ) as Out of Sync .
Workaround : When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values ( Commit Push to Devices Edit Selections ).
Known
10.1.11
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and displays the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround: Retrying fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.11
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.11
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.11
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server resulting in a delay in a log query and ingestion.
Known
10.1.11
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update ( Panorama Device Deployment Software ) but display as connected when you view your managed firewalls Summary ( Panorama Managed Devices Summary ) and from the CLI.
Workaround: Log out and log back in to the Panorama web interface.
Known
10.1.11
PAN-135742
There is an issue in HTTP2 session decryption where the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.11
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.11
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups ( Objects Address Groups ) and duplicate services in service groups ( Objects Service Groups ) when created from the CLI.
Known
10.1.11
PAN-130550
( PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls ) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.11
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround: Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.11
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.11
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.11
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.11
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2 .
Known
10.1.11
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.11
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address ( Device Setup Content ID URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
    4. Commit your changes.
  • Restart the firewall ( devsrvr ) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process: debug software restart process device-server
Known
10.1.11
PAN-116017
( Google Cloud Platform (GCP) only ) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
10.1.11
PAN-115816
( Microsoft Azure only ) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.
Known
10.1.11
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.11
PAN-112694
( Firewalls with multiple virtual systems only ) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.11
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.11
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround: Use an XML API request to unregister the tags for the subnet or range.
Known
10.1.11
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit ( Commit Commit to Panorama ) the reverted configuration to display the invalid configuration errors.
Known
10.1.11
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.11
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.11
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.11
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.11
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.11
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed ( Objects GlobalProtect HIP Objects <hip-object> General Managed ), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.11
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.11
PAN-101688
( Panorama plugins ) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all .
Known
10.1.11
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed form the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal ‘vsys eq <vsys-name> ’ <dst> | <src> in <object-name>
Known
10.1.11
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.11
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List ) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.11
PAN-97524
( Panorama management server only ) The Security Zone and Virtual System columns ( Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.11
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.11
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
10.1.11
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings ( Device Password Profiles ) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.11
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.11
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.11
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases ( Objects Security Profiles Vulnerability Protection <profile> Exceptions ). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.11
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile ( Objects Security Profiles SCTP Protection ) and you try to add the profile to an existing Security Profile Group ( Objects Security Profile Groups ), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.11
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up ( Device Setup HSM ).
Known
10.1.11
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
Known
10.1.11
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.11
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-off load no CLI command.
Known
10.1.11
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address ( Device Setup Services ).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.11
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.11
PAN-81521
Endpoints failed to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile ( Device Server Profiles Kerberos ).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.11
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session off load no CLI command.
Known
10.1.11
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama results in a validation error—the commit fails and the cluster becomes unresponsive.
Known
10.1.11
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.11
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller: 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller worker-list <worker-ip-address>
    ( <worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled. 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
yes
    or 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.11
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.11
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL , the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error ( Objects External Dynamic Lists ).
Known
10.1.11
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.11
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report ( Monitor Manage Custom Reports ). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days , the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame .
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.11
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.11
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect —The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network —When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands are blocked for 20 seconds.
Addressed
10.1.11-h10
PAN-272809
A fix was made to address CVE-2024-9474 .
Addressed
10.1.11-h10
PAN-260796
Fixed an issue where servers were not accessible through an active SSL GlobalProtect VPN tunnel until a new connection was established or the session was cleared on the firewall.
Addressed
10.1.11-h10
PAN-254704
( LSVPN Portal firewalls in active/passive HA configurations only ) Fixed an issue where the satellite cookie key did not sync between LSVPN portal high availability (HA) firewalls, which resulted in re-authentication of satellites with the portal during an HA failover.
Addressed
10.1.11-h10
PAN-248748
Fixed an issue that caused the dataplane to stop responding when running a packet diagnostic with Jumbo frames enabled.
Addressed
10.1.11-h10
PAN-242561
Fixed an issue where GlobalProtect tunnels disconnected shortly after being established when SSL was used as the transfer protocol.
Addressed
10.1.11-h10
PAN-239952
( Firewalls in active/passive HA configurations only ) Fixed an issue where HA sync messages from the active firewall took longer than expected to reach the passive firewall.
Addressed
10.1.11-h10
PAN-225969
Fixed an issue where some traffic was not correctly identified for data filtering.
Addressed
10.1.11-h10
PAN-217147
Fixed an issue where commits took longer than expected when a large number of Security policy rules were configured.
Addressed
10.1.11-h10
PAN-210260
Fixed an issue on firewalls in HA configurations where the peer satellite firewall was able to connect to the GlobalProtect portal without username and password authentication.
Addressed
10.1.11-h5
PAN-242784
Fixed an issue where DNS resolution failed on platforms that obtained DNS server IP addresses from DHCP.
Addressed
10.1.11-h5
PAN-237935
Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.
Addressed
10.1.11-h5
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.1.11-h5
PAN-235741
Fixed an issue where DNS resolution failed for firewall and Panorama plugins.
Addressed
10.1.11-h5
PAN-235585
Fixed an issue where, when custom signatures and predefined signatures shared the same literal pattern part, the custom signature caused an incorrect calculation for the length of the predefined signature, which resulted in App-ID not detected correctly.
Addressed
10.1.11-h5
PAN-234929
Fixed an issue where tabs in the ACC such as Network Activity Threat Activity and Blocked Activity did not display data when you applied a Time filter of Last 15 Minutes , Last Hour , Last 6 Hours , or Last 12 Hours , and the data that was displayed with the Last 24 Hours filter was not accurate. Reports that were run against summary logs also did not display accurate results.
Addressed
10.1.11-h5
PAN-234238
Fixed an issue where a Security policy that referenced more than 30 HIP profiles caused buffer overflow, which caused other Security policies with HIP profiles to misidentified users and traffic was denied.
Addressed
10.1.11-h5
PAN-232132
Fixed an issue where DNS response packets were malformed when an Anti-Spyware Security Profile was enabled.
Addressed
10.1.11-h5
PAN-231552
Fixed an issue where traffic returning from a third-party Security chain was dropped.
Addressed
10.1.11-h5
PAN-228877
( PA-5200 Series, PA-5400 Series, and PA-7000 Series only ) Fixed an issue with out-of-memory (OOM) conditions which caused slot restarts due to pan_cmd consuming more than 300MB.
Addressed
10.1.11-h5
PAN-227539
Fixed an issue where excess WIF process memory use caused processes to restart due to OOM conditions.
Addressed
10.1.11-h5
PAN-226792
Fixed an issue where the logrcvr process stored older content versions in the shared memory even when newer content updates were installed.
Addressed
10.1.11-h5
PAN-224954
Fixed an issue where, after upgrading and rebooting a Panorama appliance in Panorama or Log Collector mode, managed firewalls continuously disconnected.
Addressed
10.1.11-h5
PAN-222002
Fixed an issue where content updates failed with the error message Unable to get key pancontent-8.0.pass from cryptod. Error -9 .
Addressed
10.1.11-h5
PAN-221881
Fixed an issue where log ingestion to Panorama failed, which resulted in missing logs under the Monitor tab.
Addressed
10.1.11-h5
PAN-220790
Fixed an issue where the reportd process stopped responding, which caused Panorama to restart.
Addressed
10.1.11-h5
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.1.11-h5
PAN-208400
Fixed an issue where pushing dynamic objects to the firewall did not send all Panorama objects that matched the dynamic object filter when Share Unused Address and Service Objects with Device was selected on Panorama.
Addressed
10.1.11-h4
PAN-237935
Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.
Addressed
10.1.11-h4
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.1.11-h4
PAN-235585
Fixed an issue where, when custom signatures and predefined signatures shared the same literal pattern part, the custom signature caused an incorrect calculation for the length of the predefined signature, which resulted in App-ID not detected correctly.
Addressed
10.1.11-h4
PAN-234929
Fixed an issue where tabs in the ACC such as Network Activity Threat Activity and Blocked Activity did not display data when you applied a Time filter of Last 15 Minutes , Last Hour , Last 6 Hours , or Last 12 Hours , and the data that was displayed with the Last 24 Hours filter was not accurate. Reports that were run against summary logs also did not display accurate results.
Addressed
10.1.11-h4
PAN-234238
Fixed an issue where a Security policy that referenced more than 30 HIP profiles caused buffer overflow, which caused other Security policies with HIP profiles to misidentified users and traffic was denied.
Addressed
10.1.11-h4
PAN-232132
Fixed an issue where DNS response packets were malformed when an Anti-Spyware Security Profile was enabled.
Addressed
10.1.11-h4
PAN-231658
Fixed an issue where DNS resolution failed when interfaces were configured as DHCP and a DNS server was provided via DHCP while also statically configured with DNS servers.
Addressed
10.1.11-h4
PAN-231552
Fixed an issue where traffic returning from a third-party Security chain was dropped.
Addressed
10.1.11-h4
PAN-230106
Fixed an issue where the firewall was unable to retrieve the most current external dynamic list information from the server due to hostname resolution failure.
Addressed
10.1.11-h4
PAN-228877
( PA-7050 firewalls only ) Fixed an issue with out-of-memory (OOM) conditions which caused slot restarts due to pan_cmd consuming more than 300MB.
Addressed
10.1.11-h4
PAN-227539
Fixed an issue where excess WIF process memory use caused processes to restart due to OOM conditions.
Addressed
10.1.11-h4
PAN-226792
Fixed an issue where the logrcvr process stored older content versions in the shared memory even when newer content updates were installed.
Addressed
10.1.11-h4
PAN-224954
Fixed an issue where, after upgrading and rebooting a Panorama appliance in Panorama or Log Collector mode, managed firewalls continuously disconnected.
Addressed
10.1.11-h4
PAN-222002
Fixed an issue where content updates failed with the error message Unable to get key pancontent-8.0.pass from cryptod. Error -9 .
Addressed
10.1.11-h4
PAN-221881
Fixed an issue where log ingestion to Panorama failed, which resulted in missing logs under the Monitor tab.
Addressed
10.1.11-h4
PAN-220790
Fixed an issue where the reportd process stopped responding, which caused Panorama to restart.
Addressed
10.1.11-h4
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.1.11-h4
PAN-208400
Fixed an issue where pushing dynamic objects to the firewall did not send all Panorama objects that matched the dynamic object filter when Share Unused Address and Service Objects with Device was selected on Panorama.
Addressed
10.1.11-h3
PAN-237871
( WF-500 appliances and PAN-DB private cloud deployments only ) Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.1.11-h1
PAN-235726
Fixed an issue on the web interface where a pop up window did not show a success message or close after a license was successfully upgraded or deactivated.
Addressed
10.1.11-h1
PAN-234962
Fixed an issue on Panorama that caused commit operations to be slower than expected.
Addressed
10.1.11-h1
PAN-233954
Fixed an issue where the firewall was unable to retrieve correct groups from the LDAP server.
Addressed
10.1.11-h1
PAN-233974
Fixed an issue where LACP interfaces went down after an upgrade.
Addressed
10.1.11-h1
PAN-232059
Fixed an issue with memory management when processing large certificates using TLSv1.3.
Addressed
10.1.11-h1
PAN-231291
Fixed an issue where SD-WAN Adaptive SaaS path monitor went down after an upgrade.
Addressed
10.1.11-h1
PAN-230039
Fixed an issue where migrating from an Enterprise License Agreement (ELA) to a Flexible VM-Series License failed with a deactivation error message.
Addressed
10.1.11-h1
PAN-227376
Fixed an issue where a memory overrun caused the all_task process to stop responding.
Addressed
10.1.11-h1
PAN-224060
( PA-220 Series firewalls only ) Fixed an issue where multiple dataplane processes stopped responding after an upgrade.
Addressed
10.1.11-h1
PAN-221190
( PA-800 Series firewalls only ) Fixed an issue where the firewall rebooted due to I2C errors when unsupported optics were inserted in ports 5-8.
Addressed
10.1.11-h1
PAN-220659
Fixed an issue on the firewall where scheduled Antivirus updates failed when external dynamic lists were configured on the firewall.
Addressed
10.1.11-h1
PAN-218057
( PA-7000 Series firewalls only ) Fixed an issue where internal path monitoring failed due to a heartbeat miss.
Addressed
10.1.11-h1
PAN-208567
Fixed an issue with email formatting where, when a scheduled email contained two or more attachments, only one attachment was visible.
Addressed
10.1.11-h1
PAN-204868
Fixed an issue where disk utilization was continuously high due to the log purger not sufficiently reducing the utilization level.
Addressed
10.1.11-h1
PAN-161373
Fixed an issue where the SYN action field did not change as expected and the value was set to SYN cookie.
Addressed
10.1.11
PAN-228820
A CLI command was added to address an issue where long-lived sessions were aging out even when there was ongoing traffic.
Addressed
10.1.11
PAN-227639
Fixed an issue where the ACC displayed an incorrect DNS-base application traffic byte count.
Addressed
10.1.11
PAN-227523
A fix was made to address customer and internal bugs ( CVE-2023-38802 ).
Addressed
10.1.11
PAN-226418
A CLI command was added to address an issue where long-lived sessions aged out even when there was ongoing traffic.
Addressed
10.1.11
PAN-225920
Fixed an issue where duplicate predict sessions didn't release NAT resources.
Addressed
10.1.11
PAN-225240
Fixed an issue where the OSPF neighbor state remained in exstart when the OSPF network had more than 40 routes.
Addressed
10.1.11
PAN-225183
Fixed an issue where SSH tunnels were unstable due to ciphers used as part of the high availability SSH configuration.
Addressed
10.1.11
PAN-225169
Added a CLI command to view Strata Logging Service queue usage.
Addressed
10.1.11
PAN-225082
Fixed an issue where GlobalProtect quarantine-delete logs were incorrectly shown on passive firewalls.
Addressed
10.1.11
PAN-223852
Fixed an issue where all_pktproc stopped responding when network packet broker or decryption broker chains failed.
Addressed
10.1.11
PAN-223787
( PA-400 Series and PA-1400 Series firewalls only ) Fixed an issue where commits failed with the error message Error unserializing profile objects failed to handle CONFIG_UPDATE_START .
Addressed
10.1.11
PAN-223741
Fixed an issue where the mprelay process stopped responding, which caused a slot restart when another slot rebooted.
Addressed
10.1.11
PAN-223501
Fixed an issue where diagnostic information for the dataplane in the dp-monitor.log file was not complete.
Addressed
10.1.11
PAN-223457
Fixed an issue where, if the number of group queries exceeded the Okta rate limit threshold, the firewall cleared the cache for the groups.
Addressed
10.1.11
PAN-223317
Fixed an issue where SSL traffic failed with the error message: Error: General TLS protocol error .
Addressed
10.1.11
PAN-223263
Fixed an issue on the web interface where the system clock for Mexico_city was displayed in CDT instead of CST on the management dashboard.
Addressed
10.1.11
PAN-222941
Fixed an issue where viewing the latest logs took longer than expected due to log indexer failures.
Addressed
10.1.11
PAN-222712
( PA-5450 firewalls only ) Fixed a low frequency DPC restart issue.
Addressed
10.1.11
PAN-222533
( VM-Series firewalls on Microsoft Azure and Amazon Web Services (AWS) environments ) Added support for high availability (HA) link monitoring and path monitoring.
Addressed
10.1.11
PAN-221984
( VM-Series firewalls in Microsoft Azure environments only ) Fixed an issue where an interface went down after a hotplug event and was only recoverable by restarting the firewall.
Addressed
10.1.11
PAN-221577
Fixed an issue where a static route for a branch or hub over the respective virtual interface was not installed in the routing table even when the tunnel to the branch or hub was active.
Addressed
10.1.11
PAN-221208
Fixed an issue where the tunnel monitor was unable to remain up when Zone Protection with Strict IP was enabled and NAT Traversal was applied.
Addressed
10.1.11
PAN-221126
Fixed an issue where Email server profiles ( Device > Server Profiles > Email and Panorama > Server Profiles > Email ) to forward logs as email notifications were not forwarded in a readable format.
Addressed
10.1.11
PAN-220910
Fixed an issue where an internal management plane NIC caused a kernel panic when doing a transmit due to the driver reinitializing under certain failure or change conditions on the same interface during transmit.
Addressed
10.1.11
PAN-220626
Fixed an issue where system warning logs were written every 24 hours.
Addressed
10.1.11
PAN-220576
If you are using Panorama to manage firewalls with multiple virtual systems and the virtual system that is the User-ID hub uses an alias, the local commit on Panorama is successful but the commit to the firewall fails.
Addressed
10.1.11
PAN-220500
( PA-5450 and PA-400 firewalls only ) Fixed an issue where the request shutdown system CLI command did not completely shut down the system.
Addressed
10.1.11
PAN-220281
( PA-7080 firewalls only ) Fixed an issue where autocommitting changes after rebooting the log forwarding Card (LFC) caused the logrcvr process to fail to read the configuration file.
Addressed
10.1.11
PAN-219813
Fixed an issue where the configuration log displayed incorrect information after a multidevice group Validate-all operation.
Addressed
10.1.11
PAN-219690
Fixed an issue where GlobalProtect authentication failed when authentication was SAML with CAS and the portal was resolved with IPv6.
Addressed
10.1.11
PAN-219643
( VM-Series firewalls in Microsoft Azure environments only ) Fixed an issue where the dataplane interface status went down due to a DPDK driver issue.
Addressed
10.1.11
PAN-219640
Fixed an issue where a transformation migration script error caused a commit failure with the error message user-id-agent unexpected here . This occurred after upgrading the firewall from a PAN-OS 9.1 release to a PAN-OS 10.0 release.
Addressed
10.1.11
PAN-219573
Fixed an issue where tag names did not correctly display special characters.
Addressed
10.1.11
PAN-219498
Fixed an issue where the Threat ID/Name detail in Threat logs was not included in syslog messages sent to Splunk.
Addressed
10.1.11
PAN-219300
Fixed an issue where the task manager displayed only limited data.
Addressed
10.1.11
PAN-218988
Fixed an issue in FIPS mode where, when importing a certificate with a new private key, and the certificate used the name of an existing certificate on the Panorama, the following error message was displayed: Mismatched public and private keys .
Addressed
10.1.11
PAN-218947
Fixed an issue where logs were not displayed in Elasticsearch under ingestion load.
Addressed
10.1.11
PAN-218644
Fixed an issue where the firewall generated incorrect VSA attribute codes when radius was configured with EAP-based authentication protocols.
Addressed
10.1.11
PAN-218404
Fixed an issue where ikemgr stopped responding due to receiving CREATE_CHILD messages with a malformed SA payload.
Addressed
10.1.11
PAN-218335
Fixed an issue with hardware destination MAC filtering on the Log Processing Card (LPC) that caused the logging card interface to be susceptible to unicast flooding.
Addressed
10.1.11
PAN-218318
Fixed an issue where the firewall changed the time zone automatically instead of retrieving the correct time zone from the NTP server.
Addressed
10.1.11
PAN-218107
Fixed an issue with ciphers used for SSH tunnels where packet lengths were too large, which made the SSH tunnel unstable.
Addressed
10.1.11
PAN-217650
( VM-Series firewalls and Panorama virtual appliances in Microsoft Azure environments only ) Fixed an issue where management interface Speed/Duplex was reported as unknown.
Addressed
10.1.11
PAN-217493
Fixed an issue where superusers with read-only privileges were unable to view SCEP object configurations.
Addressed
10.1.11
PAN-217477
Fixed an issue where the drop counter was incremented incorrectly. Drop counter calculations did not account for failures to send out logs from logrcvr/logd to syslog-ng.
Addressed
10.1.11
PAN-217465
Fixed an issue where the Panorama web interface became unresponsive and displayed the error message 504 Gateway Not Reachable .
Addressed
10.1.11
PAN-217208
Fixed an issue where a memory leak related to the snmpd process caused an out-of-memory (OOM) condition or caused the process to restart when using SNMPv3.
Addressed
10.1.11
PAN-217169
Fixed an issue where the logrcvr stopped forwarding logs to the syslog server after a restart or crash.
Addressed
10.1.11
PAN-217024
Fixed an issue where fetching device certificates failed for internal DNS servers with the error message ERROR Error: Could not resolve host: certificate.paloaltonetworks.com .
Addressed
10.1.11
PAN-216984
Fixed an issue where internal path monitoring failed due to the sysdagent not responding.
Addressed
10.1.11
PAN-216957
Fixed an issue where allow list checks in an authentication profile did not work if the group Distinguished Name contains the ampersand ( & ) character.
Addressed
10.1.11
PAN-216913
( VM-Series firewalls in Microsoft Azure environments only ) Fixed an issue where the brdagent process stopped responding due to missed heartbeats, which caused the firewall to reboot. This occurred when the brdagent process and DPDK-managed ports became out of sync after the Azure infrastructure triggered a hotplug event.
Addressed
10.1.11
PAN-216775
Fixed an issue where the devsrvr process stopped responding at pan_cloud_agent_get_curl_connection() and the URL cloud could not be connected.
Addressed
10.1.11
PAN-216755
Fixed an issue where CRL checks failed which caused authentication failures.
Addressed
10.1.11
PAN-216662
Fixed an issue where a custom Antispyware profile did not open and displayed the following error message: The server is not responding. Please wait and try your operation again later .
Addressed
10.1.11
PAN-216214
( Panorama managed firewalls in active/active HA configurations only ) Fixed an issue where the HA status displayed as Out of Sync ( Panorama > Managed Devices > Health ) if local firewall configurations were made on one of the HA peers. This caused the next HA configuration sync to overwrite the local firewall configuration made on the HA peer.
Addressed
10.1.11
PAN-216170
( PA-400 Series firewalls in HA configurations only ) Fixed an issue where an HA switchover took longer than expected to bring up ports on the newly active firewall.
Addressed
10.1.11
PAN-216043
Fixed an issue where wifclient stopped responding due to shared memory corruption.
Addressed
10.1.11
PAN-215911
Fixed an issue that resulted in a race condition, which caused the configd process to stop responding.
Addressed
10.1.11
PAN-215899
Fixed an issue with Panorama appliances in HA configurations where configuration synchronization between the HA peers failed.
Addressed
10.1.11
PAN-215857
Fixed an issue where the option to reboot the entire firewall was visible to vsys admins.
Addressed
10.1.11
PAN-215808
Fixed an issue where, after upgrading to PAN-OS 10.1, the log forwarding rate toward the syslog server was reduced. With this fix, the overall log forwarding rate has also been improved.
Addressed
10.1.11
PAN-215780
Fixed an issue where changes to Zone Protection profiles made via XML API were not reflected in the zone protection configuration.
Addressed
10.1.11
PAN-215767
Fixed an issue where, after a high availability failover, IKE SA negotiation failed with the error message INVALID_SPI , which resulted in temporary loss of traffic over some proxy IDs.
Addressed
10.1.11
PAN-215655
Fixed an issue where, after a multidynamic group push, Security policy rules with the target device tag were added to a firewall that did not have the tag.
Addressed
10.1.11
PAN-215644
( VM-Series firewalls only ) Fixed an issue where the firewall displayed the error message tap0: Incorrect MTU 9000 requested, hw max 1500 when Jumbo Frames were active.
Addressed
10.1.11
PAN-215503
Fixed a memory-related issue where the MEMORY_POOL address was mapped incorrectly.
Addressed
10.1.11
PAN-215437
Fixed an issue where show commands for config-lock and commit-lock were not available for Panorama appliance in Log Collector mode.
Addressed
10.1.11
PAN-215436
Fixed an issue with the web interface where the latest logs took longer than expected to display under Monitor .
Addressed
10.1.11
PAN-215335
Fixed an issue where DHCP lease renewal failed due to a change in the firewall timestamp ( Device > Setup > Management ).
Addressed
10.1.11
PAN-215324
( PA-5400 Series firewalls with Jumbo Frames enabled only ) Fixed an issue with CPU throttling and buffer depletion.
Addressed
10.1.11
PAN-215317
Fixed an issue where the dataplane stopped responding unexpectedly with the error message comm exited with signal of 10 .
Addressed
10.1.11
PAN-215315
Fixed an issue where the dataplane stopped responding due to ager and inline packet processing occurring concurrently on different cores for the same session.
Addressed
10.1.11
PAN-215058
Fixed a memory leak related to the logdb process.
Addressed
10.1.11
PAN-214990
Fixed an issue where firewall copper ports flapped intermittently when device telemetry was enabled.
Addressed
10.1.11
PAN-214987
Fixed an issue where Application Filter names were not random, and they matched or included internal protocol names.
Addressed
10.1.11
PAN-214815
Fixed an issue where SNMP queries were not replied to due to an internal process timeout.
Addressed
10.1.11
PAN-214773
Fixed an issue where RTP packets traversing intervsys were dropped on the outgoing vsys.
Addressed
10.1.11
PAN-214753
Fixed an issue where retrieving WildFire Analysis reports when choosing WildFire log entries under Detailed Log View displayed the error Fetching WildFire server xxx report failed!
Addressed
10.1.11
PAN-214727
Fixed an issue where a memory leak related to the useridd process resulted in an OOM condition, which caused the process to stop responding.
Addressed
10.1.11
PAN-214669
Fixed an issue where FIN and RESET packets were sent in reverse order.
Addressed
10.1.11
PAN-214406
Fixed an issue with Elasticsearch where ES tunnels were not started and were forked incorrectly, which caused them to fail.
Addressed
10.1.11
PAN-214273
Fixed an issue where Elasticsearch logs were not cleared, which caused the root partition to fill up.
Addressed
10.1.11
PAN-214187
Fixed an issue where superreaders were able to execute the request restart system CLI command.
Addressed
10.1.11
PAN-214026
Fixed an issue where, when using an ECMP weighted-round-robin algorithm, traffic was not redistributed among the links proportionally as expected from the configuration.
Addressed
10.1.11
PAN-213956
Fixed an issue where the firewall interface did not go down even after the peer link/switch port went down.
Addressed
10.1.11
PAN-213949
Fixed an issue where the VPN responder stopped responding when it received a CREATE_CHILD message with no security association (SA) payload.
Addressed
10.1.11
PAN-213942
( PA-400 Series firewalls ) Fixed an issue where the firewall required an explicit allow rule to forward broadcast traffic.
Addressed
10.1.11
PAN-213931
Fixed an issue where the logrcvr process cache was not in sync with the mapping on the firewall.
Addressed
10.1.11
PAN-213256
Fixed an issue where schedule settings ( Panorama > Device Deployment > Dynamic Updates > Schedules ) did not correctly reflect the settings configured in a detailed view of specific entries.
Addressed
10.1.11
PAN-213162
Fixed an issue where an SD-WAN object was not displayed under a child device group.
Addressed
10.1.11
PAN-213112
Fixed an issue where executing the show report directory-listing CLI command resulted in no output after upgrading to a PAN-OS 10.1 release.
Addressed
10.1.11
PAN-213077
Fixed an issue where the sysdagent process stopped responding, which caused interfaces and the subsequent connections behind them to fail.
Addressed
10.1.11
PAN-212978
Fixed an issue where the firewall stopped responding when executing an SD-WAN debug CLI command.
Addressed
10.1.11
PAN-212889
Fixed an issue on Panorama where different threat names were used when querying a threat under Threat Monitor ( Monitor App Scope ) and the ACC. This resulted in the ACC displaying no data after clicking a threat name in Threat Monitor and filtering it in the global filters.
Addressed
10.1.11
PAN-212877
Fixed an issue where a race condition caused log flooding, which caused the firewall to go into an unresponsive state.
Addressed
10.1.11
PAN-212761
Fixed an issue where the all_pktproc process stopped responding, which caused the dataplane to go down and caused HA failover.
Addressed
10.1.11
PAN-212577
( PA-5200 Series and PA-7080 firewalls only ) Fixed an issue where commits took longer than expected when more than 45,000 Security policy rules were configured.
Addressed
10.1.11
PAN-211887
Fixed an issue on Panorama that caused recently committed changes to not be displayed when previewing the changes to push to device groups.
Addressed
10.1.11
PAN-210883
Fixed an issue where SSL proxy traffic was dropped when DoS zone protection was enabled.
Addressed
10.1.11
PAN-210879
Fixed an issue where Host-ID info is not populated in the Traffic logs for GlobalProtect users even with a set Quarantine Security Policy rule due to a missing local cache lookup.
Addressed
10.1.11
PAN-210875
Fixed an issue where the pan_task process stopped responding due to software packet buffer 3 trailer corruption, which caused the firewall to restart.
Addressed
10.1.11
PAN-210740
Fixed a memory leak issue related to the slotd process.
Addressed
10.1.11
PAN-210456
Fixed an issue where high latency occurred on PA-850-ZTP when SSL decryption was enabled.
Addressed
10.1.11
PAN-210364
Fixed an issue where high latency was observed when accessing internal web applications, which interrupted development activities related to the web server.
Addressed
10.1.11
PAN-208395
Fixed an issue where user authentication failed in multi-vsys environments with the error message User is not in allowlist when an authentication profile was created in a shared configuration space.
Addressed
10.1.11
PAN-208090
Fixed an issue where the ACC report did not display data when querying the filter for the fields Source and Destination IP .
Addressed
10.1.11
PAN-207700
Fixed an issue where the show system info and show system ztp status CLI commands displayed a different Zero Touch Provisioning (ZTP) status if a firewall upgrade was initiated from Panorama before the initial commit push succeeded.
Addressed
10.1.11
PAN-207604
Fixed an issue where system logs continuously generated the log message Not enough space to load content to SHM .
Addressed
10.1.11
PAN-207457
Fixed an issue where the MLAV allow list did not work for some types of traffic.
Addressed
10.1.11
PAN-207371
Fixed an issue where the external dynamic list order on the firewall was not updated after making an order change from Panorama.
Addressed
10.1.11
PAN-207092
Fixed an issue where logging in using default credentials after changing to FIPS-CC for NSX-T firewalls did not work.
Addressed
10.1.11
PAN-206765
Fixed an issue where log forwarding filters involving negation did not work.
Addressed
10.1.11
PAN-206041
( PA-7050 firewalls only ) Fixed an issue where the ikemgr process stopped responding.
Addressed
10.1.11
PAN-205015
Fixed an issue where not all users were included in the user group after an incremental sync between the firewall and the Cloud Identity Engine.
Addressed
10.1.11
PAN-204870
Fixed an issue where available memory gradually declined due to a leak in kernel unreclaimable memory.
Addressed
10.1.11
PAN-204530
Fixed an issue where giving up FTP or SCP sessions for log export took longer than expected after a failure to export the log when one of the destination hosts designated in the scheduled log export was unresponsive.
Addressed
10.1.11
PAN-203611
Fixed an issue where URL categorization was not recognized for URLs that contained more than 100 characters.
Addressed
10.1.11
PAN-202524
Fixed an issue where the session ID was missing in the session details section of the ingress-backlogs XML API output.
Addressed
10.1.11
PAN-202008
Fixed an issue where Traffic logs exported to CSV files contained inaccuracies and were not complete.
Addressed
10.1.11
PAN-200757
Fixed an issue with client certificate generation on Panorama, which resulted in a firewall being unable to connect to a log collector.
Addressed
10.1.11
PAN-200394
Fixed an issue where, after a push from Panorama to one or more device groups in a multi-vsys environment, vulnerability profile exceptions were not seen on all firewalls.
Addressed
10.1.11
PAN-195439
( VM-Series firewalls in Microsoft Azure environments only ) Fixed an issue where the dataplane interface status went down after a hotplug event triggered by Azure infrastructure.
Addressed
10.1.11
PAN-193484
Fixed an issue where DNS failed if the domain name started with a period.
Addressed
10.1.11
PAN-189328
Fixed an issue where traffic belonging to the same session was sent out from different ECMP enabled interfaces.
Addressed
10.1.11
PAN-188093
( Firewalls in HA active/passive configurations only ) Fixed an issue where name_only entries caused URLs to not resolve on the active firewall.
Addressed
10.1.11
PAN-187989
Fixed an issue where a user who did not have permissions of other access domains were able to view the commit and configuration lock.
Addressed
10.1.11
PAN-186579
Fixed an issue where, after a hardware failure, the system log did not include information about the failure.
Addressed
10.1.11
PAN-184630
Fixed an issue where TLS clients, such as those using OpenSSL 3.0, enforced the TLS renegotiation extension (RFC 5746).
Addressed
10.1.11
PAN-180082
Fixed an issue where errors in brdagent logs caused dataplane path monitoring failure.
Addressed
10.1.11
PAN-179888
Fixed an issue on Panorama where the number of managed firewalls Power Supplies did not display a correct count.
Addressed
10.1.11
PAN-175669
Fixed an issue where DNS Security did not attempt to reach dns.service.paloaltonetworks.com when HTTP proxy with a custom port was configured.
Addressed
10.1.11
PAN-175121
Fixed a rare issue where, when two nodes started IKE_SA negotiations at the same time, which resulted in duplicate IKE SAs.
Addressed
10.1.11
PAN-172853
Fixed an issue where Panorama appliances running a PAN-OS 10.0 release did not push the Security policy options no-hip and quarantine to firewalls running PAN-OS 9.1.
Addressed
10.1.11
PAN-171706
Fixed an issue on where local commits on Panorama were successful, but commits to managed firewalls failed when the firewalls had multiple virtual systems and the virtual system that was the User-ID hub used an alias.
Addressed
10.1.11
PAN-169586
Fixed an issue where scheduled log view reports in emails didn't match the monitor page query result for the same time interval.
Addressed
10.1.11
PAN-160633
( PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only ) Fixed an issue where the dataplane restarted repeatedly due to an internal path monitoring failure until a power cycle.
Known
10.1.12
—
If you use Panorama to retrieve logs from Strata Logging Service , new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to Strata Logging Service and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode .
Known
10.1.12
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.12
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.12
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.12
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM- <xxx> license , indicates that you must allocate the additional memory required for licensed capacity for the firewall model.
Known
10.1.12
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.12
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.12
APL-15000
When you move a firewall from one Strata Logging Service instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.12
APL-8269
For data retrieved from Strata Logging Service , the Threat Name column in Panorama ACC threat-activity appears blank.
Known
10.1.12
PLUG-14947
If you are using the Panorama plugin for Azure, do not upgrade to PAN-OS 10.1.12. When installed on 10.1.12, the Panorama plugin for Azure fails to connect to Azure.
Known
10.1.12
PLUG-12041
On an OpenShift cluster, MP pod may crash when the number of underlying threads exceeds beyond the per pod maximum limit of 1024.
Workaround: Increase the process ID (PID) limit to 2048 in worker nodes.
Known
10.1.12
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.12
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.12
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround: Retry connecting after you restart the web server with the following command: debug software restart process web-server .
Known
10.1.12
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.1.12
PAN-242837
Default login credentials and SSH fail after enabling FIPS-CC Mode on a firewall or Panorama after converting through the Maintenance Recovery Tool (MRT). The firewall or Panorama becomes stuck and requires a factory reset to recover.
Known
10.1.12
PAN-242784
This issue is now resolved. See PAN-OS 10.1.11-h5 Addressed Issues .
DNS resolution may fail if DNS server IP is obtained through DHCP.
Workaround: Configure the DNS server with a static IP or renew the DHCP IP when you see the issue.
This issue affects PAN-OS 10.1.11-h4 only.
Known
10.1.12
PAN-238769
FIPS-CC VM-Series only. Upgrading to PAN-OS 10.1.10-h2 or PAN-OS 10.1.11 changes all locally created Security policy actions to Deny.
Workaround: Before upgrading, save a backup of the current configuration. After upgrading, load the backup configuration to restore the security policy action settings.
Known
10.1.12
PAN-235741
This issue is now resolved. See PAN-OS 10.1.11-h5 Addressed Issues .
DNS resolution fails for firewall and Panorama plugins if the DNS Server IP address is obtained through DHCP.
This issue affects PAN-OS 10.1.11-h4 only.
Known
10.1.12
PAN-231658
DNS resolution fails when interfaces are configured as DHCP and a DNS server is provided via DHCP while also statically configured with DNS servers.
This issue affects PAN-OS 10.1.11-h5 only.
Known
10.1.12
PAN-230106
The firewall is unable to retrieve the most current external dynamic list information from the server due to hostname resolution failure.
This issue affects PAN-OS 10.1.11-h5 only.
Known
10.1.12
PAN-227344
On the Panorama management server, PDF Summary Reports ( Monitor PDF Reports Manage PDF Summary ) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.12
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.1.12
PAN-219824
File system checks on the logging drive may take more time depending on the usage and file system content, resulting in autocommits taking longer to complete than expected.
Known
10.1.12
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.12
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.1.12
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.1.12
PAN-212978
The Palo Alto Networks firewall stops responding when executing an SD-WAN debug operational CLI command.
Known
10.1.12
PAN-211728
For VM-Series firewalls leveraging SD-WAN and deployed on VMware ESXi running VMX-13, Auto-Commits fail after upgrade to PAN-OS 10.1.9 and display the error:
total SD-WAN interfaces 3 exceed the platform maximum 0
Workaround: Attach a serial console to the VM-Series firewall before upgrade to PAN-OS 10.1.9.
Known
10.1.12
PAN-204689
Upon upgrade to PAN-OS 10.1.9, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App Allow with Passcode
  • Allow user to Disable GlobalProtect App Allow with Passcode
  • Allow User to Uninstall GlobalProtect App Allow with Password
Known
10.1.12
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups ( Panorama Device Groups ) under the same device group hierarchy that are used in one or more Policies , renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B .
  2. You create address objects called AddressObjA in the Shared , DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B .
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB .
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.12
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.1.12
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.12
PAN-194424
( PA-5450 firewall only ) Upgrading to PAN-OS 10.1.6-h2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround: Restart the log receiver service by running the following CLI command: 
debug software restart process log-receiver
Known
10.1.12
PAN-194202
( PA-5450 firewall only ) If the management interface and Log Collector are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.1.12
PAN-193518
All logs ( Monitor Logs ) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Workaround: If you need to downgrade from PAN-OS 10.1 to PAN-OS 10.0 and then back to PAN-OS 10.1, downgrade to PAN-OS 10.0.11 to ensure that all logs ingested while running a PAN-OS 10.0 release remain accessible after upgrade back to PAN-OS 10.1.
Known
10.1.12
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys that impacts exporting logs ( Device Scheduled Log Export ), exporting configurations ( Device Scheduled Config Export ), or the scp export command in the CLI.
Workaround: Use RSA-based host keys on the destination server.
Known
10.1.12
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.1.12
PAN-179888
On the Panorama management server, the number of managed firewall ( Panorama Managed Devices Health ) Power Supplies displays an incorrect count of power supplies.
Known
10.1.12
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.1.12
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.1.12
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround: Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.12
PAN-172067
When you configure an HTTP server profile ( Device Server Profiles HTTP or Panorama Server Profiles HTTP ), the Username and Password fields are always required regardless of whether Tag Registration is enabled.
Workaround: When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require it. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.12
PAN-172061
A process ( all_pktproc ) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.12
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Known
10.1.12
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround: Remove all ACE application configurations before downgrading.
Known
10.1.12
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID in the Application usage widget.
Known
10.1.12
PAN-171635
If you have an on-premise Active Directory and there is an existing group mapping configuration on the firewall, if you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping even if the configuration is disabled and the firewall is rebooted, which may conflict with new mappings from the Cloud Identity Engine.
Workaround : Use the debug user-id clear domain-map command to remove the existing group mappings from the firewall.
Known
10.1.12
PAN-171224
On the Panorama management server, a custom report ( Monitor Managed Custom Reports ) with a high volume of unique data objects is not generated when you click Run Now .
Known
10.1.12
PAN-171145
If you edit or remove the value for the mail attribute in your on-premise Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.12
PAN-170923
In Policies Security Policy Optimizer New App Viewer , when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.12
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.12
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.12
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route ( Prepare to Deploy App-ID Cloud Engine describes how to do this.)
Known
10.1.12
PAN-168113
On the Panorama management server, you are unable to configure a master key ( Device Master Key and Diagnostics ) for a managed firewall if an interface ( Network Interfaces Ethernet ) references a zone pushed from Panorama.
Workaround: Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.12
PAN-167847
If you issue the command opof stats , then clear the results {opof stats -c}, the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround: Re-run the opof stats command after the offload completes.
Known
10.1.12
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to edge service.
Known
10.1.12
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the user in value in a filter query, Panorama is unable to retrieve the group membership and as a result, is unable to display this data in logs and custom reports.
Known
10.1.12
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.12
PAN-164885
This issue is now resolved. See PAN-OS 10.1.14-h6 Addressed Issues
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.12
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.12
PAN-164647
On the Panorama management server, activating a license ( Panorama Device Deployment Licenses ) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround: Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.12
PAN-164618
The VM-Series firewall CLI and system logs display the license name VM-SERIES-X , while the user interface displays VM-FLEX-X (in both cases X is the number of vCPUs). In future releases the user interface will use the VM-SERIES-X format.
Known
10.1.12
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, it displays in user@domain format in the CLI output.
Known
10.1.12
PAN-163966
On the Panorama management server, the ACC and on demand reports ( Monitor Manage Custom Reports ) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.12
PAN-162836
On the VM-Series firewall, if you select Device Licenses Deactivate VM a popup window opens and you can choose Subscriptions or Support and press Continue to remove licenses and register the changes with the license server. When the license removal is complete the Deactivate VM window does not update its text to exclude deactivated licenses or close the window.
Workaround : Wait until the license deactivation is complete, and click Cancel to close the window.
Known
10.1.12
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the No. of Groups in the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.12
PAN-161451
If you issue the command opof stats , there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state, and has no impact on the existing session.
Known
10.1.12
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if TCI policy is not configured for inspecting VXLAN traffic flows.
Workaround: On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall .
PAN-OS version 9.0 can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.12
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.12
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings ( Device Setup DLP ) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround: After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1
  2. Log in to the firewall web interface and view the Tasks to verify all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit Commit and Push to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.12
PAN-157103
Multi-channel functionality may not be properly utilized on an VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround : Execute the command debug dataplane pow status to view the number of channels being utilized by the dataplane. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       2   0   0   0   0   0     2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command debug dataplane pow status . It should now show multiple channels being utilized. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       1   1   0   0   0   0     2
Known
10.1.12
PAN-156598
( Panorama only ) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround: Use the CLI to update the combination signature.
Known
10.1.12
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit ( Commit Commit to Panorama ) failures if a custom report ( Monitor Manage Custom Reports ) is configured to Group By Session ID .
Workaround: After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.12
PAN-154034
On the Panorama management server, the Type column in the System logs ( Monitor Logs System ) for managed firewalls running a PAN-OS 9.1 release erroneously display iot as the type.
Known
10.1.12
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1
Workaround: After successful downgrade to PAN-OS 9.1, Remove Config ( Panorama Plugins ) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.12
PAN-153803
On the Panorama management server, scheduled email PDF reports ( Monitor PDF Reports ) fail if a GIF image is used in the header or footer.
Known
10.1.12
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done despite reports generated from logs in the Strata Logging Service from the PODamericas Collector Group jobs are still in a Running state.
Known
10.1.12
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.12
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates .)
Known
10.1.12
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.12
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.12
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround: Restart Panorama to connect to the IoT Security edge service.
Known
10.1.12
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.12
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround: Load the running configuration and perform a force commit to sync the devices.
Known
10.1.12
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround: Specify iot as the Type Attribute to filter the logs and use the search term as the Description Attribute . For example: ( subtype eq iot ) and ( description contains 'gRPC connection' ) .
Known
10.1.12
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.12
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround: Panorama automatically restarts the VLD and logd processes.
Known
10.1.12
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround : Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.12
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration ( Panorama SD-WAN Devices ) does not display the branch template stack as out of sync .
Additionally, adding, deleting, or modifying the BGP configuration ( Panorama SD-WAN Devices ) does not display the hub and branch template stacks as out of sync . For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync , nor does modifying the BGP configuration on the hub firewall cause the branch template stack as out of sync .
Workaround: After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.12
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround: Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.12
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates ( Panorama Managed Devices Summary ) as Out of Sync .
Workaround : When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values ( Commit Push to Devices Edit Selections ).
Known
10.1.12
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and displays the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround: Retrying fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.12
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.12
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.12
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server resulting in a delay in a log query and ingestion.
Known
10.1.12
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update ( Panorama Device Deployment Software ) but display as connected when you view your managed firewalls Summary ( Panorama Managed Devices Summary ) and from the CLI.
Workaround: Log out and log back in to the Panorama web interface.
Known
10.1.12
PAN-135742
There is an issue in HTTP2 session decryption where the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.12
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.12
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups ( Objects Address Groups ) and duplicate services in service groups ( Objects Service Groups ) when created from the CLI.
Known
10.1.12
PAN-130550
( PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls ) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.12
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround: Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.12
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.12
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.12
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.12
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2 .
Known
10.1.12
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.12
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address ( Device Setup Content ID URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
    4. Commit your changes.
  • Restart the firewall ( devsrvr ) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process: debug software restart process device-server
Known
10.1.12
PAN-116017
( Google Cloud Platform (GCP) only ) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
10.1.12
PAN-115816
( Microsoft Azure only ) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.
Known
10.1.12
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.12
PAN-112694
( Firewalls with multiple virtual systems only ) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.12
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.12
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround: Use an XML API request to unregister the tags for the subnet or range.
Known
10.1.12
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit ( Commit Commit to Panorama ) the reverted configuration to display the invalid configuration errors.
Known
10.1.12
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.12
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.12
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.12
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.12
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.12
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed ( Objects GlobalProtect HIP Objects <hip-object> General Managed ), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.12
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.12
PAN-101688
( Panorama plugins ) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all .
Known
10.1.12
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed form the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal ‘vsys eq <vsys-name> ’ <dst> | <src> in <object-name>
Known
10.1.12
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.12
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List ) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.12
PAN-97524
( Panorama management server only ) The Security Zone and Virtual System columns ( Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.12
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.12
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
10.1.12
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings ( Device Password Profiles ) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.12
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.12
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.12
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases ( Objects Security Profiles Vulnerability Protection <profile> Exceptions ). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.12
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile ( Objects Security Profiles SCTP Protection ) and you try to add the profile to an existing Security Profile Group ( Objects Security Profile Groups ), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.12
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up ( Device Setup HSM ).
Known
10.1.12
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
Known
10.1.12
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.12
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-off load no CLI command.
Known
10.1.12
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address ( Device Setup Services ).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.12
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.12
PAN-81521
Endpoints failed to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile ( Device Server Profiles Kerberos ).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.12
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session off load no CLI command.
Known
10.1.12
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama results in a validation error—the commit fails and the cluster becomes unresponsive.
Known
10.1.12
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.12
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller: 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller worker-list <worker-ip-address>
    ( <worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled. 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
yes
    or 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.12
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.12
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL , the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error ( Objects External Dynamic Lists ).
Known
10.1.12
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.12
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report ( Monitor Manage Custom Reports ). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days , the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame .
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.12
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.12
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect —The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network —When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands are blocked for 20 seconds.
Addressed
10.1.12-h3
PAN-272809
A fix was made to address CVE-2024-9474 .
Addressed
10.1.12-h3
PAN-242561
Fixed an issue where GlobalProtect tunnels disconnected shortly after being established when SSL was used as the transfer protocol.
Addressed
10.1.12-h3
PAN-241018
( VM-Series firewalls in Microsoft Azure environments only ) Fixed a Dataplane Development Kit (DPDK) issue where interfaces remained in a link-down stage after an Azure hot plug event.
Addressed
10.1.12-h3
PAN-238949
Fixed a memory corruption issue where multiple processes stopped responding.
Addressed
10.1.12-h3
PAN-205482
Fixed an issue related to the configd process where Panorama displayed the error Server not responding when editing policies.
Addressed
10.1.12
PAN-239241
Extended the root certificate for WildFire appliances to December 31, 2032.
Addressed
10.1.12
PAN-238610
Fixed an issue with the Panorama Virtual Appliance where, after the mgmtsrvr restarted on the passive appliance, stale IP address tags were pushed to the connected firewalls with the message clear all registered ip addresses .
Addressed
10.1.12
PAN-237454
Fixed an issue where Panorama stopped redistributing IP address-to-username mappings when packet loss occurred between the distributor and the client.
Addressed
10.1.12
PAN-236605
Fixed an issue where the configd process stopped responding due to a deadlock related to rule-hit-count.
Addressed
10.1.12
PAN-236261
Fixed an issue where a proxy server was used for External Dynamic List communication even when the dataplane interface was configured through service routes.
Addressed
10.1.12
PAN-235741
Fixed an issue where DNS resolution failed for Panorama and firewall plugins if the DNS Server IP was obtained through DHCP.
Addressed
10.1.12
PAN-235737
Fixed an issue where the brdagent process stopped responding due to a sudden increase in logging to the bcm.log.
Addressed
10.1.12
PAN-235385
Enhanced wifclient cloud connectivity redundancy.
Addressed
10.1.12
PAN-233957
( PA-5450 firewalls only ) Fixed an issue where the NAT private pool was not used properly when enabling slot 6 DPC.
Addressed
10.1.12
PAN-233390
Fixed an issue where TLSv13 Client Authentication was not incorrectly presented with an decryption failure log.
Addressed
10.1.12
PAN-232800
Fixed an issue where critical disk usage for /opt/pancfg increased continuously and the system logs displayed the following message: Disk usage for /opt/pancfg exceeds limit, <value> percent in use .
Addressed
10.1.12
PAN-232358
( PA-5450 firewalls only ) Fixed an issue where the interface on QSFP28 ports did not go down when the Tx cable was removed from the QSFP28 module.
Addressed
10.1.12
PAN-231459
( PA-5450 firewalls only ) Fixed an issue where a large number of invalid source MAC addresses were shown in drop-stage packet captures.
Addressed
10.1.12
PAN-231291
Fixed an issue where SD-WAN Adaptive SaaS path monitor went down after an upgrade.
Addressed
10.1.12
PAN-230813
Fixed an issue where flex memory leak caused decryption failure and commit failure with the error message Error preparing global objects failed to handle CONFIG_UPDATE_START .
Addressed
10.1.12
PAN-230656
( Firewalls in HA configurations only ) Fixed an issue where a split brain condition occurred on both firewalls after booting up any firewall, and an HA switchover occurred after booting up a firewall with a higher HA priority even when no preemptive option was enabled on the firewall.
Addressed
10.1.12
PAN-230362
Fixed an issue where the firewall truncated the payload of a TCP Out of Order segment with a FIN flag.
Addressed
10.1.12
PAN-229691
Fixed an issue on Panorama where configuration lock timeout errors were observed during normal operational commands by increasing thread stack size on Panorama.
Addressed
10.1.12
PAN-229606
Fixed an issue where the brdagent process stopped responding after an upgrade due to initialization failure.
Addressed
10.1.12
PAN-229398
Fixed an issue where the Management Processor Card (MPC) stopped responding.
Addressed
10.1.12
PAN-229315
Fixed an issue where Octets in NetFlow records were always reported to be 0 despite having a non-zero packet count.
Addressed
10.1.12
PAN-229307
Fixed an issue where half closed SSL decryption sessions stayed active, which caused software packet buffer depletion.
Addressed
10.1.12
PAN-229080
Fixed an issue where the new management IP address on the interface did not take effect.
Addressed
10.1.12
PAN-228442
Fixed an issue on firewalls in active/passive HA configurations where sessions did not fail over from the active firewall to the passive firewall when upgrading PAN-OS.
Addressed
10.1.12
PAN-228386
Fixed an issue with session caching where the reportd process stopped responding due to null values.
Addressed
10.1.12
PAN-228043
Fixed an issue on firewalls on active/active HA configurations where packets dropped during commit operations when forwarding traffic via an HA3 link when an aggregate ethernet interface or data interface was used as an HA3 link.
Addressed
10.1.12
PAN-227804
Fixed an issue where memory corruption caused the comm process to stop responding.
Addressed
10.1.12
PAN-227774
Fixed an issue where commits failed with the error message Management server failed to send phase 1 to client logrcvr .
Addressed
10.1.12
PAN-227645
Fixed an issue where GlobalProtect authentication override cookies were not generated on GlobalProtect portal firewalls with configuration selection criteria enabled.
Addressed
10.1.12
PAN-227522
Fixed an issue where shared application filters that had application object overrides were overwritten by predefined applications.
Addressed
10.1.12
PAN-227435
Fixed an issue where the logrcvr process stopped responding and caused the autocommit process to fail or remain at 0%.
Addressed
10.1.12
PAN-227179
Fixed an issue where routes were not updated in the forwarding table.
Addressed
10.1.12
PAN-227058
Fixed an issue where traffic did not match Security policy rules with the destination as FQDN and instead hit the default deny rule.
Addressed
10.1.12
PAN-226935
Fixed an issue where autocommits failed due to duplicate application name entries.
Addressed
10.1.12
PAN-226860
Fixed an issue where macOS XAuth clients disconnected prematurely from the GlobalProtect gateway during a Phase 2 rekey event.
Addressed
10.1.12
PAN-225698
Fixed an issue on Panorama where a failover occurred and Panorama went into a nonfunctional state due to high root disk usage.
Addressed
10.1.12
PAN-225394
Fixed an issue on the firewall where SNMP incorrectly reported high packet descriptor usage.
Addressed
10.1.12
PAN-225110
Fixed an issue with firewalls in HA configurations where HA configuration syncs did not complete or logging data was missing until firewall process were manually restarted or the firewalls were rebooted.
Addressed
10.1.12
PAN-225094
Fixed an issue where performing a commit operation failed and the following error message was displayed: failed to handle CUSTOM_UPDATE .
Addressed
10.1.12
PAN-225013
( PA-5450 firewalls only ) Fixed an issue where the firewall rebooted unexpectedly when a Network Card was on Slot 2 instead of a DPC.
Addressed
10.1.12
PAN-224955
Fixed an issue where the devsrvr process stopped responding when Zone Protection had more than 255 profiles.
Addressed
10.1.12
PAN-224656
Fixed an issue where the devsrvr process caused delays when dynamic address groups with large entry lists were being processed during a commit, which caused commits to take longer than expected.
Addressed
10.1.12
PAN-224500
Fixed an issue where IPv6 addresses in XFF were displayed in traffic logs.
Addressed
10.1.12
PAN-224405
Fixed an issue where the distributord process repeatedly stopped responding.
Addressed
10.1.12
PAN-224354
Fixed an issue where a memory leak related to the distributord process occurred when connections flapped for IP address-to-username mapping redistribution.
Addressed
10.1.12
PAN-224036
( PA-5450 firewalls only ) Fixed an issue where a firewall with QoS configured was not able to send packets out of its interfaces after a reboot.
Addressed
10.1.12
PAN-223914
Fixed an issue on Panorama where the reportd process unexpectedly stopped responding.
Addressed
10.1.12
PAN-223855
Fixed an issue where the show running ippool CLI command output displayed incorrect used and available NAT IP address pools on DIPP NAT policies in multi-dataplane firewalls.
Addressed
10.1.12
PAN-223488
Fixed an issue where closed ElasticSearch shards were not deleted, which resulted in shard purging not working as expected.
Addressed
10.1.12
PAN-223271
Fixed an issue where the file transfer of large zipped and compressed files had the App-ID unknown-tcp .
Addressed
10.1.12
PAN-223270
Fixed an issue with Virtual Wire links on firewalls in active/active HA configurations where the forwarding path was not preserved in HTTP/2 cleartext traffic with asymmetric routing.
Addressed
10.1.12
PAN-223094
Fixed an issue where fragmented TCP traffic was dropped due to an IP address ID conflict over the SD-WAN tunnel.
Addressed
10.1.12
PAN-222418
Fixed an issue where the firewall intermittently recorded a reconnection message to the authentication server as an error, even if no disconnection occurred.
Addressed
10.1.12
PAN-222162
Fixed an issue where the show transceiver <interface> CLI command showed the RX and TX powers as 0.00 mW.
Addressed
10.1.12
PAN-221973
Fixed an issue where the same user connected to multiple SSL VPN connections and one of the sessions stopped working.
Addressed
10.1.12
PAN-221938
Fixed an issue with network packet broker sessions where the broker session and master session timeouts were out of sync, which caused traffic drops if the broker session timed out when the master session was still active.
Addressed
10.1.12
PAN-221896
Fixed an issue where decryption failed with the error message decrypt-error when processing consecutive packets with TLSv1.3.
Addressed
10.1.12
PAN-221708
Fixed an issue where temporary files remained under /opt/pancfg/tmp/sw-images/ even after manually uploading the content or AV file to the firewall.
Addressed
10.1.12
PAN-221316
Fixed an issue where the useridd process memory consumption increased significantly which caused the process to stop responding and the device to restart.
Addressed
10.1.12
PAN-221015
( M-600 Appliances only ) Fixed an issue where ElasticSearch processes did not restart when the appliance was rebooted, which caused the Managed Collector ES health status to be downgraded.
Addressed
10.1.12
PAN-220640
( PA-220 firewalls only ) Fixed an issue where the firewall CPU percentage was miscalculated, and the values that were displayed were incorrect.
Addressed
10.1.12
PAN-220619
Fixed an issue where the correct device filter did not apply when filtering Targets and Target/Tags ( Device Group > Policies ).
Addressed
10.1.12
PAN-219768
Fixed an issue where you were unable to filter Data Filtering logs with Thread ID/NAME for custom data patterns created over Panorama.
Addressed
10.1.12
PAN-219644
Fixed an issue where firewalls that forwarded logs to a syslog server over TLS ( Objects > Log Forwarding ) used the default Palo Alto Networks certificate instead of the configured custom certificate.
Addressed
10.1.12
PAN-219585
Fixed an issue where enabling syslog-ng debugs from the root caused 100% disk utilization.
Addressed
10.1.12
PAN-219415
Fixed an issue where BGP routes were installed in the routing table even when the option to install routes was disabled in the configuration.
Addressed
10.1.12
PAN-219351
Fixed an issue where the all_pktproc process stopped responding during L7 processing.
Addressed
10.1.12
PAN-219260
( M-Series appliances only ) Fixed an issue where the management interface flapped due to low memory reserved for kernel space.
Addressed
10.1.12
PAN-218659
Fixed an issue where Security zones under Interfaces displayed as none for dynamic group and template admin users in a read-only admin role.
Addressed
10.1.12
PAN-218620
Fixed an issue where scheduled configuration exports and SCP server connection testing failed.
Addressed
10.1.12
PAN-218611
Fixed an issue where the device telemetry region was not updated on the firewall when pushed from the Panorama template stack.
Addressed
10.1.12
PAN-218340
Fixed an issue where selective pushes to template stack and multi device group pushes caused a buildup of resident memory, which caused the configd process to stop responding.
Addressed
10.1.12
PAN-218331
Fixed an issue where you were unable to export or download packet captures from the firewall when context switching from Panorama.
Addressed
10.1.12
PAN-218267
Fixed an issue where a commit and push operation from Panorama to managed firewalls did not complete or took longer to complete than expected.
Addressed
10.1.12
PAN-218238
Fixed an issue where you were unable to create a file exception ( Monitor > Threat Log > Detailed Log view > Create Exception ), and the following error message was displayed: no antivirus profile corresponding to threat log .
Addressed
10.1.12
PAN-218119
Fixed an issue where the firewall transmitted packets with an incorrect source MAC address during commit operations.
Addressed
10.1.12
PAN-217831
Fixed an issue memory leak issue related to the logd process that occurred due to a sysd object not being released.
Addressed
10.1.12
PAN-217510
Fixed an issue where inbound DHCP packets received by a DHCP client interface that were not addressed to itself were silently dropped instead of forwarded.
Addressed
10.1.12
PAN-217295
Fixed an issue where the dataplane restarted while under heavy utilization due to an out-of-memory (OOM) condition.
Addressed
10.1.12
PAN-217293
Fixed a rare issue where URLs were not accessible when the header length was greater than 16,000 over HTTP/2.
Addressed
10.1.12
PAN-217289
Fixed an intermittent issue where HTTP/2 traffic caused buffer depletion.
Addressed
10.1.12
PAN-217272
Fixed an issue where the DNS proxy log included an excessive number of the follwing error message: Warning: pan_dnsproxy_log_resolve_fail: Failed to resolve domain name ** AAAA after trying all attempts to name servers
Addressed
10.1.12
PAN-217155
Fixed an issue where syncs between Panorama and the Cloud Identity Engine (CIE) caused intermittent slowness when using the web interface due to a large number of groups in the CIE directory.
Addressed
10.1.12
PAN-217123
Fixed an issue where, when log queries in the yyyy/mm/dd format displayed extra digits for the day and an error was not generated.
Addressed
10.1.12
PAN-217064
Fixed an issue where commits took longer than expected when the DLP plugin was configured.
Addressed
10.1.12
PAN-216647
Fixed an issue where the sysd node was updated at incorrect times.
Addressed
10.1.12
PAN-216230
Fixed an issue where the shard count reached up to 10% over the limit rather than staying under the limit.
Addressed
10.1.12
PAN-216101
Fixed an issue where a memory leak related to a process and LLDP packet processing caused an OOM condition on the firewall.
Addressed
10.1.12
PAN-215778
Fixed an issue where API Get requests for /config timed out due to insufficient buffer size.
Addressed
10.1.12
PAN-215670
Fixed an issue where local reports and scheduled reports displayed different data.
Addressed
10.1.12
PAN-215583
Fixed an issue on firewalls in HA configurations where the primary firewall went into a non-functional state due to a timeout in the pan_comm logs during the policy based forwarding (PBF) parse, which caused an HA failover.
Addressed
10.1.12
PAN-214942
Fixed an issue where SD-WAN UDP traffic failed over to a non-member path after a flap of an SD-WAN virtual interface.
Addressed
10.1.12
PAN-214068
Fixed an issue on Panorama where the web interface stopped responding when creating zones for shared gateways, and when the page was refreshed, the zone was not created.
Addressed
10.1.12
PAN-213746
Fixed an issue on Panorama where the Hostkey displayed as undefined if a SSH Service Profile Hostkey configured in a Template from the Template Stack was overridden.
Addressed
10.1.12
PAN-213491
Fixed an issue where the management CPU was high, which caused the web interface to be slower than expected.
Addressed
10.1.12
PAN-212932
Fixed an issue where the firewall went into a restart loop with the following error message: failed to get mgt settings candidate: configured traffic quota of 0 MB is less than the minimum 32 MB .
Addressed
10.1.12
PAN-212580
( PA-7050 firewalls only ) Fixed an issue where disk space filled up due to files under /opt/var/s8/lp/log/pan/ not being properly deleted.
Addressed
10.1.12
PAN-211945
Fixed an issue where URL Filtering system logs showed the error message CURL ERROR: bind failed with errno 124: Address family not supported by protocol even though the PAN-DB cloud was connected.
Addressed
10.1.12
PAN-211827
Fixed an issue where dynamic updates failed with the following error message: CONFIG_UPDATE_INC: Incremental update to DP failed please try to commit force the latest config .
Addressed
10.1.12
PAN-211821
Fixed an issue on firewalls in HA configurations where committing changes after disabling the QoS feature on multiple Aggregate Ethernet (AE) caused the dataplane to go down.
Addressed
10.1.12
PAN-211384
Fixed an issue where the size of the redisthost_1 in the Redis database continuously increased, which caused an OOM condition.
Addressed
10.1.12
PAN-211255
Fixed an issue third-party VPNC IPSec clients were disconnected after a few seconds for firewalls in active/active HA configurations.
Addressed
10.1.12
PAN-210429
( VM-Series firewalls only ) Fixed an issue where the HTTP service failed to come up on DHCP dataplane interfaces after rebooting the firewall, which resulted in health-check failure on HTTP/80 with a 503 error code on the public load balancer.
Addressed
10.1.12
PAN-208085
Fixed an issue where the BFD peers were deleted during a commit from Panorama. This occurred because the pan_comm thread became deadlocked due to the same sysd object was handled during the commit.
Addressed
10.1.12
PAN-207003
Fixed an issue where the logrcvr process netflow buffer was not reset which resulted in duplicate netflow records.
Addressed
10.1.12
PAN-206325
Fixed an issue where a renamed object was still referenced with the previous name in a Security policy rule, which caused commit failures when using edit API to create the rule.
Addressed
10.1.12
PAN-206278
Fixed an issue where a critical system log was generated when the boot drive for PA-7000 Series firewall Switch Management Cards (SMCs) failed.
Addressed
10.1.12
PAN-204808
( PA-400 Series, PA-1400 Series, PA-3400 Series, and PA-5400 Series firewalls only ) Fixed an issue where executing the CLI command show running resource-monitor ingress-backlogs displayed the error message Server error : Dataplane is not up or invalid target-dp(*.dp*) .
Addressed
10.1.12
PAN-204788
Fixed an issue where the configd process stopped responding when performing a Push to Devices operation when multiple device groups were selected.
Addressed
10.1.12
PAN-203791
( PA-3400 and PA-5400 Series firewalls only ) Fixed an issue where the log type correlation was not configurable and displayed as $.Format.Correlation ( Device > Server Profile > syslog ><Profile-name> > Customer log format > log type ).
Addressed
10.1.12
PAN-201269
Fixed an issue where commits failed with the error message IPv6 addresses are not allowed because IPv6-firewalling is disabled when Security policy rules had an address group with more than 1000 FQDN address objects.
Addressed
10.1.12
PAN-198190
( VM-Series firewalls only ) Fixed an issue where the MTU on the management interface could not be configured to a value greater than 1500.
Addressed
10.1.12
PAN-196956
Fixed an issue where URL filtering logs did not display matching entries when filtered by device name.
Addressed
10.1.12
PAN-194968
Fixed an issue on the web interface where Antivirus updates were not able to be downloaded and installed unless Apps and Threads updates were downloaded and installed first, and the Antivirus content list displayed as blank. The resulting error message from the update server was also not reflected in the web interface.
Addressed
10.1.12
PAN-193004
Fixed an issue where /opt/pancfg partition utilization reached 100%, which caused access to the Panorama web interface to fail.
Addressed
10.1.12
PAN-191632
Fixed an issue where console sessions were not cleared after the set idle timeout value.
Addressed
10.1.12
PAN-183297
Fixed an issue where, when the firewall received a large amount of user information, the firewall was unable to output IP address-to-username mapping information via XML API.
Addressed
10.1.12
PAN-175642
Fixed an issue where system logs to alert for support license expiry were not generated.
Addressed
10.1.12
PAN-173604
Fixed an issue where executing the CLI command debug management-server log-forwarding-stats caused the logrcvr process to stop responding.
Addressed
10.1.12
PAN-158034
Fixed an issue where traffic logs displayed incorrect policy matches for HTTP/2 stream connections during a commit.
Known
10.1.13
—
If you use Panorama to retrieve logs from Strata Logging Service , new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to Strata Logging Service and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode .
Known
10.1.13
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.13
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.13
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.13
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM- <xxx> license , indicates that you must allocate the additional memory required for licensed capacity for the firewall model.
Known
10.1.13
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.13
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.13
APL-15000
When you move a firewall from one Strata Logging Service instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.13
APL-8269
For data retrieved from Strata Logging Service , the Threat Name column in Panorama ACC threat-activity appears blank.
Known
10.1.13
PLUG-14947
If you are using the Panorama plugin for Azure, do not upgrade to PAN-OS 10.1.12. When installed on 10.1.12, the Panorama plugin for Azure fails to connect to Azure.
Known
10.1.13
PLUG-12041
On an OpenShift cluster, MP pod may crash when the number of underlying threads exceeds beyond the per pod maximum limit of 1024.
Workaround: Increase the process ID (PID) limit to 2048 in worker nodes.
Known
10.1.13
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.13
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.13
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround: Retry connecting after you restart the web server with the following command: debug software restart process web-server .
Known
10.1.13
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.1.13
PAN-242837
Default login credentials and SSH fail after enabling FIPS-CC Mode on a firewall or Panorama after converting through the Maintenance Recovery Tool (MRT). The firewall or Panorama becomes stuck and requires a factory reset to recover.
Known
10.1.13
PAN-242784
This issue is now resolved. See PAN-OS 10.1.11-h5 Addressed Issues .
DNS resolution may fail if DNS server IP is obtained through DHCP.
Workaround: Configure the DNS server with a static IP or renew the DHCP IP when you see the issue.
This issue affects PAN-OS 10.1.11-h4 only.
Known
10.1.13
PAN-238769
FIPS-CC VM-Series only. Upgrading to PAN-OS 10.1.10-h2 or PAN-OS 10.1.11 changes all locally created Security policy actions to Deny.
Workaround: Before upgrading, save a backup of the current configuration. After upgrading, load the backup configuration to restore the security policy action settings.
Known
10.1.13
PAN-235741
This issue is now resolved. See PAN-OS 10.1.11-h5 Addressed Issues .
DNS resolution fails for firewall and Panorama plugins if the DNS Server IP address is obtained through DHCP.
This issue affects PAN-OS 10.1.11-h4 only.
Known
10.1.13
PAN-231658
DNS resolution fails when interfaces are configured as DHCP and a DNS server is provided via DHCP while also statically configured with DNS servers.
This issue affects PAN-OS 10.1.11-h5 only.
Known
10.1.13
PAN-230106
The firewall is unable to retrieve the most current external dynamic list information from the server due to hostname resolution failure.
This issue affects PAN-OS 10.1.11-h5 only.
Known
10.1.13
PAN-227344
On the Panorama management server, PDF Summary Reports ( Monitor PDF Reports Manage PDF Summary ) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.13
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.1.13
PAN-219824
File system checks on the logging drive may take more time depending on the usage and file system content, resulting in autocommits taking longer to complete than expected.
Known
10.1.13
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.13
PAN-217307
This issue is now resolved. See PAN-OS 10.1.14 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.1.13
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.1.13
PAN-212978
The Palo Alto Networks firewall stops responding when executing an SD-WAN debug operational CLI command.
Known
10.1.13
PAN-211728
For VM-Series firewalls leveraging SD-WAN and deployed on VMware ESXi running VMX-13, Auto-Commits fail after upgrade to PAN-OS 10.1.9 and display the error:
total SD-WAN interfaces 3 exceed the platform maximum 0
Workaround: Attach a serial console to the VM-Series firewall before upgrade to PAN-OS 10.1.9.
Known
10.1.13
PAN-204689
Upon upgrade to PAN-OS 10.1.9, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App Allow with Passcode
  • Allow user to Disable GlobalProtect App Allow with Passcode
  • Allow User to Uninstall GlobalProtect App Allow with Password
Known
10.1.13
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups ( Panorama Device Groups ) under the same device group hierarchy that are used in one or more Policies , renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B .
  2. You create address objects called AddressObjA in the Shared , DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B .
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB .
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.13
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.1.13
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.13
PAN-194424
( PA-5450 firewall only ) Upgrading to PAN-OS 10.1.6-h2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround: Restart the log receiver service by running the following CLI command: 
debug software restart process log-receiver
Known
10.1.13
PAN-194202
( PA-5450 firewall only ) If the management interface and Log Collector are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.1.13
PAN-193518
All logs ( Monitor Logs ) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Workaround: If you need to downgrade from PAN-OS 10.1 to PAN-OS 10.0 and then back to PAN-OS 10.1, downgrade to PAN-OS 10.0.11 to ensure that all logs ingested while running a PAN-OS 10.0 release remain accessible after upgrade back to PAN-OS 10.1.
Known
10.1.13
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys that impacts exporting logs ( Device Scheduled Log Export ), exporting configurations ( Device Scheduled Config Export ), or the scp export command in the CLI.
Workaround: Use RSA-based host keys on the destination server.
Known
10.1.13
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.1.13
PAN-179888
On the Panorama management server, the number of managed firewall ( Panorama Managed Devices Health ) Power Supplies displays an incorrect count of power supplies.
Known
10.1.13
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.1.13
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.1.13
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround: Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.13
PAN-172067
When you configure an HTTP server profile ( Device Server Profiles HTTP or Panorama Server Profiles HTTP ), the Username and Password fields are always required regardless of whether Tag Registration is enabled.
Workaround: When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require it. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.13
PAN-172061
A process ( all_pktproc ) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.13
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Known
10.1.13
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround: Remove all ACE application configurations before downgrading.
Known
10.1.13
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID in the Application usage widget.
Known
10.1.13
PAN-171635
If you have an on-premise Active Directory and there is an existing group mapping configuration on the firewall, if you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping even if the configuration is disabled and the firewall is rebooted, which may conflict with new mappings from the Cloud Identity Engine.
Workaround : Use the debug user-id clear domain-map command to remove the existing group mappings from the firewall.
Known
10.1.13
PAN-171224
On the Panorama management server, a custom report ( Monitor Managed Custom Reports ) with a high volume of unique data objects is not generated when you click Run Now .
Known
10.1.13
PAN-171145
If you edit or remove the value for the mail attribute in your on-premise Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.13
PAN-170923
In Policies Security Policy Optimizer New App Viewer , when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.13
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.13
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.13
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route ( Prepare to Deploy App-ID Cloud Engine describes how to do this.)
Known
10.1.13
PAN-168113
On the Panorama management server, you are unable to configure a master key ( Device Master Key and Diagnostics ) for a managed firewall if an interface ( Network Interfaces Ethernet ) references a zone pushed from Panorama.
Workaround: Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.13
PAN-167847
If you issue the command opof stats , then clear the results {opof stats -c}, the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround: Re-run the opof stats command after the offload completes.
Known
10.1.13
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to edge service.
Known
10.1.13
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the user in value in a filter query, Panorama is unable to retrieve the group membership and as a result, is unable to display this data in logs and custom reports.
Known
10.1.13
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.13
PAN-164885
This issue is now resolved. See PAN-OS 10.1.14-h6 Addressed Issues
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.13
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.13
PAN-164647
On the Panorama management server, activating a license ( Panorama Device Deployment Licenses ) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround: Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.13
PAN-164618
The VM-Series firewall CLI and system logs display the license name VM-SERIES-X , while the user interface displays VM-FLEX-X (in both cases X is the number of vCPUs). In future releases the user interface will use the VM-SERIES-X format.
Known
10.1.13
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, it displays in user@domain format in the CLI output.
Known
10.1.13
PAN-163966
On the Panorama management server, the ACC and on demand reports ( Monitor Manage Custom Reports ) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.13
PAN-162836
On the VM-Series firewall, if you select Device Licenses Deactivate VM a popup window opens and you can choose Subscriptions or Support and press Continue to remove licenses and register the changes with the license server. When the license removal is complete the Deactivate VM window does not update its text to exclude deactivated licenses or close the window.
Workaround : Wait until the license deactivation is complete, and click Cancel to close the window.
Known
10.1.13
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the No. of Groups in the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.13
PAN-161451
If you issue the command opof stats , there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state, and has no impact on the existing session.
Known
10.1.13
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if TCI policy is not configured for inspecting VXLAN traffic flows.
Workaround: On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall .
PAN-OS version 9.0 can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.13
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.13
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings ( Device Setup DLP ) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround: After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1
  2. Log in to the firewall web interface and view the Tasks to verify all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit Commit and Push to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.13
PAN-157103
Multi-channel functionality may not be properly utilized on an VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround : Execute the command debug dataplane pow status to view the number of channels being utilized by the dataplane. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       2   0   0   0   0   0     2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command debug dataplane pow status . It should now show multiple channels being utilized. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       1   1   0   0   0   0     2
Known
10.1.13
PAN-156598
( Panorama only ) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround: Use the CLI to update the combination signature.
Known
10.1.13
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit ( Commit Commit to Panorama ) failures if a custom report ( Monitor Manage Custom Reports ) is configured to Group By Session ID .
Workaround: After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.13
PAN-154034
On the Panorama management server, the Type column in the System logs ( Monitor Logs System ) for managed firewalls running a PAN-OS 9.1 release erroneously display iot as the type.
Known
10.1.13
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1
Workaround: After successful downgrade to PAN-OS 9.1, Remove Config ( Panorama Plugins ) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.13
PAN-153803
On the Panorama management server, scheduled email PDF reports ( Monitor PDF Reports ) fail if a GIF image is used in the header or footer.
Known
10.1.13
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done despite reports generated from logs in the Strata Logging Service from the PODamericas Collector Group jobs are still in a Running state.
Known
10.1.13
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.13
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates .)
Known
10.1.13
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.13
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.13
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround: Restart Panorama to connect to the IoT Security edge service.
Known
10.1.13
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.13
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround: Load the running configuration and perform a force commit to sync the devices.
Known
10.1.13
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround: Specify iot as the Type Attribute to filter the logs and use the search term as the Description Attribute . For example: ( subtype eq iot ) and ( description contains 'gRPC connection' ) .
Known
10.1.13
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.13
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround: Panorama automatically restarts the VLD and logd processes.
Known
10.1.13
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround : Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.13
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration ( Panorama SD-WAN Devices ) does not display the branch template stack as out of sync .
Additionally, adding, deleting, or modifying the BGP configuration ( Panorama SD-WAN Devices ) does not display the hub and branch template stacks as out of sync . For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync , nor does modifying the BGP configuration on the hub firewall cause the branch template stack as out of sync .
Workaround: After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.13
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround: Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.13
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates ( Panorama Managed Devices Summary ) as Out of Sync .
Workaround : When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values ( Commit Push to Devices Edit Selections ).
Known
10.1.13
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and displays the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround: Retrying fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.13
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.13
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.13
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server resulting in a delay in a log query and ingestion.
Known
10.1.13
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update ( Panorama Device Deployment Software ) but display as connected when you view your managed firewalls Summary ( Panorama Managed Devices Summary ) and from the CLI.
Workaround: Log out and log back in to the Panorama web interface.
Known
10.1.13
PAN-135742
There is an issue in HTTP2 session decryption where the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.13
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.13
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups ( Objects Address Groups ) and duplicate services in service groups ( Objects Service Groups ) when created from the CLI.
Known
10.1.13
PAN-130550
( PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls ) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.13
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround: Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.13
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.13
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.13
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.13
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2 .
Known
10.1.13
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.13
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address ( Device Setup Content ID URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
    4. Commit your changes.
  • Restart the firewall ( devsrvr ) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process: debug software restart process device-server
Known
10.1.13
PAN-116017
( Google Cloud Platform (GCP) only ) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
10.1.13
PAN-115816
( Microsoft Azure only ) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.
Known
10.1.13
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.13
PAN-112694
( Firewalls with multiple virtual systems only ) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.13
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.13
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround: Use an XML API request to unregister the tags for the subnet or range.
Known
10.1.13
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit ( Commit Commit to Panorama ) the reverted configuration to display the invalid configuration errors.
Known
10.1.13
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.13
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.13
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.13
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.13
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.13
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed ( Objects GlobalProtect HIP Objects <hip-object> General Managed ), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.13
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.13
PAN-101688
( Panorama plugins ) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all .
Known
10.1.13
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed form the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal ‘vsys eq <vsys-name> ’ <dst> | <src> in <object-name>
Known
10.1.13
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.13
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List ) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.13
PAN-97524
( Panorama management server only ) The Security Zone and Virtual System columns ( Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.13
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.13
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
10.1.13
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings ( Device Password Profiles ) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.13
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.13
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.13
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases ( Objects Security Profiles Vulnerability Protection <profile> Exceptions ). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.13
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile ( Objects Security Profiles SCTP Protection ) and you try to add the profile to an existing Security Profile Group ( Objects Security Profile Groups ), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.13
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up ( Device Setup HSM ).
Known
10.1.13
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
Known
10.1.13
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.13
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-off load no CLI command.
Known
10.1.13
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address ( Device Setup Services ).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.13
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.13
PAN-81521
Endpoints failed to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile ( Device Server Profiles Kerberos ).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.13
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session off load no CLI command.
Known
10.1.13
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama results in a validation error—the commit fails and the cluster becomes unresponsive.
Known
10.1.13
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.13
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller: 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller worker-list <worker-ip-address>
    ( <worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled. 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
yes
    or 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.13
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.13
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL , the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error ( Objects External Dynamic Lists ).
Known
10.1.13
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.13
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report ( Monitor Manage Custom Reports ). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days , the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame .
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.13
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.13
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect —The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network —When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands are blocked for 20 seconds.
Addressed
10.1.13-h5
PAN-272809
A fix was made to address CVE-2024-9474 .
Addressed
10.1.13-h5
PAN-262340
Fixed an issue where FQDN resolution failed for address objects, and all FQDN traffic was denied by the interzone-default policy rule.
Addressed
10.1.13-h5
PAN-262287
Fixed an issue where dereferencing a NULL pointer that occurred caused pan_task processes to stop responding.
Addressed
10.1.13-h5
PAN-260842
A CLI command was introduced to address an issue where TCP packets were out of order.
Addressed
10.1.13-h5
PAN-230755
Fixed an issue where the devsrvr process intermittently restarted when processing traffic with a Cloud App ID.
Addressed
10.1.13-h5
PAN-216368
Fixed an issue where the configuration commit process on chassis based platforms did not recognize load failures on the dataplane.
Addressed
10.1.13-h1
PAN-248651
Fixed a GlobalProtect issue that prevented the firewall from sending authentication cookies.
Addressed
10.1.13-h1
PAN-248105
Fixed an issue where the GlobalProtect SSL VPN tunnel immediately disconnected due to a keep-alive timeout.
Addressed
10.1.13-h1
PAN-246960
Fixed an issue where firewalls failed to fetch content updates from the Wildfire Private Cloud due to an Unsupported protocol error.
Addressed
10.1.13-h1
PAN-246215
Fixed an issue where the sleep time for a suspended pan_task process caused configuration and policy updates to be blocked.
Addressed
10.1.13-h1
PAN-243463
Fixed an issue where high Enhanced Application Log traffic used excess system resources and caused processes to not work.
Addressed
10.1.13-h1
PAN-239354
Fixed an issue where DNS resolution was delayed when an Antispyware policy rule was applied to both client to firewall and firewall to internal DNS server legs of a connection.
Addressed
10.1.13-h1
PAN-225963
Fixed an issue where the IP address-to-user mapping was not correct.
Addressed
10.1.13-h1
PAN-220907
( VM-Series firewalls only ) Fixed an issue where large packets were dropped from the dataplane to the management plane, which caused OSPF neighborship to fail.
Addressed
10.1.13
PAN-245701
Fixed an issue where snmpwalk displayed data port statistics incorrectly.
Addressed
10.1.13
PAN-244548
Fixed an issue where ECMP sessions changed destination MAC addresses mid-session, which caused connections to be reset.
Addressed
10.1.13
PAN-242561
Fixed an issue where GlobalProtect tunnels disconnected shortly after being established when SSL was used as the transfer protocol.
Addressed
10.1.13
PAN-239337
Fixed an issue where the log_index was suspended and currupted BDX files flooded the index_log.
Addressed
10.1.13
PAN-238769
( VM-Series firewalls in FIPS-CC mode only ) Fixed an issue where upgrading Panorama caused all locally created Security policy rule actions to Deny.
Addressed
10.1.13
PAN-233541
Fixed an issue where device group and template administrators with access to a specific virtual system were able to see logs for all virtual systems via Context Switch.
Addressed
10.1.13
PAN-233191
( PA-5450 firewalls only ) Fixed an issue where the Data Processing Card (DPC) restarted due to path monitor failure after QSFP28 disconnected from the Network Processing Card (NPC).
Addressed
10.1.13
PAN-228323
Fixed an issue where a large number of Panorama management server cookies were created in the Redis database when the Cloud-Service plugin sent an authentication request every second, and logging in to or using Panorama was slower than expected.
Addressed
10.1.13
PAN-226108
Fixed an issue where the masterd process was unable to start or stop the sysd process.
Addressed
10.1.13
PAN-222188
A CLI command was introducted to address an issue where SNMP monitoring performance was slower than expected, which resulted in snmpwalk timeouts.
Addressed
10.1.13
PAN-215430
Fixed an issue where Dynamic IP address NAT with SIP intermittently failed to convert RTP Predict sessions.
Addressed
10.1.13
PAN-212553
Fixed an issue where the ikemgr process stopped responding due to memory corruption, which caused VPN tunnels to go down.
Addressed
10.1.13
PAN-205482
Fixed an issue related to the configd process where Panorama displayed the error Server not responding when editing policies.
Known
10.1.14
—
If you use Panorama to retrieve logs from Strata Logging Service , new log fields (including for Device-ID, Decryption, and GlobalProtect) are not visible on the Panorama web interface.
Workaround: Enable duplicate logging to send the logs to Strata Logging Service and Panorama. This workaround does not support Panorama virtual appliances in Management Only mode .
Known
10.1.14
—
Upgrading a PA-220 firewall takes up to an hour or more.
Known
10.1.14
—
PA-220 firewalls are experiencing slower web interface and CLI performance times.
Known
10.1.14
—
Upgrading Panorama with a local Log Collector and Dedicated Log Collectors to PAN-OS 8.1 or a later PAN-OS release can take up to six hours to complete due to significant infrastructure changes. Ensure uninterrupted power to all appliances throughout the upgrade process.
Known
10.1.14
—
A critical System log is generated on the VM-Series firewall if the minimum memory requirement for the model is not available.
  • When the memory allocated is less than 4.5GB, you cannot upgrade the firewall. The following error message displays: Failed to install 9.0.0 with the following error: VM-50 in 9.0.0 requires 5.5GB memory, VM-50 Lite requires 4.5GB memory.Please configure this VM with enough memory before upgrading.
  • If the memory allocation is more than 4.5GB but less than the licensed capacity requirement for the model, it will default to the capacity associated with the VM-50.
    The System log message System capacity adjusted to VM-50 capacity due to insufficient memory for VM- <xxx> license , indicates that you must allocate the additional memory required for licensed capacity for the firewall model.
Known
10.1.14
APPORTAL-3313
Changes to an IoT Security subscription license take up to 24 hours to have effect on the IoT Security app.
Known
10.1.14
APPORTAL-3309
An IoT Security production license cannot be installed on a firewall that still has a valid IoT Security eval or trial license.
Workaround: Wait until the 30-day eval or trial license expires and then install the production license.
Known
10.1.14
APL-15000
When you move a firewall from one Strata Logging Service instance to another, it can take up to an hour for the firewall to begin sending logs to the new instance.
Known
10.1.14
APL-8269
For data retrieved from Strata Logging Service , the Threat Name column in Panorama ACC threat-activity appears blank.
Known
10.1.14
PLUG-14947
If you are using the Panorama plugin for Azure, do not upgrade to PAN-OS 10.1.12. When installed on 10.1.12, the Panorama plugin for Azure fails to connect to Azure.
Known
10.1.14
PLUG-12041
On an OpenShift cluster, MP pod may crash when the number of underlying threads exceeds beyond the per pod maximum limit of 1024.
Workaround: Increase the process ID (PID) limit to 2048 in worker nodes.
Known
10.1.14
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
Known
10.1.14
WF500-5559
An intermittent error while analyzing signed PE samples on the WildFire appliance might cause analysis failures.
Known
10.1.14
WF500-5471
After using the firewall CLI to add a WildFire appliance with an IPv6 address, the initial connection may fail.
Workaround: Retry connecting after you restart the web server with the following command: debug software restart process web-server .
Known
10.1.14
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.1.14
PAN-242837
Default login credentials and SSH fail after enabling FIPS-CC Mode on a firewall or Panorama after converting through the Maintenance Recovery Tool (MRT). The firewall or Panorama becomes stuck and requires a factory reset to recover.
Known
10.1.14
PAN-242784
This issue is now resolved. See PAN-OS 10.1.11-h5 Addressed Issues .
DNS resolution may fail if DNS server IP is obtained through DHCP.
Workaround: Configure the DNS server with a static IP or renew the DHCP IP when you see the issue.
This issue affects PAN-OS 10.1.11-h4 only.
Known
10.1.14
PAN-238769
FIPS-CC VM-Series only. Upgrading to PAN-OS 10.1.10-h2 or PAN-OS 10.1.11 changes all locally created Security policy actions to Deny.
Workaround: Before upgrading, save a backup of the current configuration. After upgrading, load the backup configuration to restore the security policy action settings.
Known
10.1.14
PAN-235741
This issue is now resolved. See PAN-OS 10.1.11-h5 Addressed Issues .
DNS resolution fails for firewall and Panorama plugins if the DNS Server IP address is obtained through DHCP.
This issue affects PAN-OS 10.1.11-h4 only.
Known
10.1.14
PAN-231658
DNS resolution fails when interfaces are configured as DHCP and a DNS server is provided via DHCP while also statically configured with DNS servers.
This issue affects PAN-OS 10.1.11-h5 only.
Known
10.1.14
PAN-230106
The firewall is unable to retrieve the most current external dynamic list information from the server due to hostname resolution failure.
This issue affects PAN-OS 10.1.11-h5 only.
Known
10.1.14
PAN-227344
On the Panorama management server, PDF Summary Reports ( Monitor PDF Reports Manage PDF Summary ) display no data and are blank when predefined reports are included in the summary report.
Known
10.1.14
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.1.14
PAN-219824
File system checks on the logging drive may take more time depending on the usage and file system content, resulting in autocommits taking longer to complete than expected.
Known
10.1.14
PAN-218521
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.1.14
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.1.14
PAN-212978
The Palo Alto Networks firewall stops responding when executing an SD-WAN debug operational CLI command.
Known
10.1.14
PAN-211728
For VM-Series firewalls leveraging SD-WAN and deployed on VMware ESXi running VMX-13, Auto-Commits fail after upgrade to PAN-OS 10.1.9 and display the error:
total SD-WAN interfaces 3 exceed the platform maximum 0
Workaround: Attach a serial console to the VM-Series firewall before upgrade to PAN-OS 10.1.9.
Known
10.1.14
PAN-204689
Upon upgrade to PAN-OS 10.1.9, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App Allow with Passcode
  • Allow user to Disable GlobalProtect App Allow with Passcode
  • Allow User to Uninstall GlobalProtect App Allow with Password
Known
10.1.14
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups ( Panorama Device Groups ) under the same device group hierarchy that are used in one or more Policies , renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B .
  2. You create address objects called AddressObjA in the Shared , DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B .
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB .
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.1.14
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.1.14
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.1.14
PAN-194424
( PA-5450 firewall only ) Upgrading to PAN-OS 10.1.6-h2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround: Restart the log receiver service by running the following CLI command: 
debug software restart process log-receiver
Known
10.1.14
PAN-194202
( PA-5450 firewall only ) If the management interface and Log Collector are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.1.14
PAN-193518
All logs ( Monitor Logs ) generated by a firewall running a PAN-OS 10.0 release are not accessible if you downgrade from PAN-OS 10.1 to PAN-OS 10.0, and then upgrade back to PAN-OS 10.1.
Workaround: If you need to downgrade from PAN-OS 10.1 to PAN-OS 10.0 and then back to PAN-OS 10.1, downgrade to PAN-OS 10.0.11 to ensure that all logs ingested while running a PAN-OS 10.0 release remain accessible after upgrade back to PAN-OS 10.1.
Known
10.1.14
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys that impacts exporting logs ( Device Scheduled Log Export ), exporting configurations ( Device Scheduled Config Export ), or the scp export command in the CLI.
Workaround: Use RSA-based host keys on the destination server.
Known
10.1.14
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.1.14
PAN-179888
On the Panorama management server, the number of managed firewall ( Panorama Managed Devices Health ) Power Supplies displays an incorrect count of power supplies.
Known
10.1.14
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.1.14
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.1.14
PAN-172113
If you request a User Activity Report on Panorama and the vsys key value in the XML is an unsupported value, the resulting job becomes unresponsive at 10% and does not complete until you manually stop the job in the web interface.
Workaround: Change the vsys key to a valid device group, commit your changes, and run the User Activity Report again.
Known
10.1.14
PAN-172067
When you configure an HTTP server profile ( Device Server Profiles HTTP or Panorama Server Profiles HTTP ), the Username and Password fields are always required regardless of whether Tag Registration is enabled.
Workaround: When you configure an HTTP server profile, always enter a username and password to successfully create the HTTP server profile.
You must enter a username and password even if the HTTP server does not require it. The HTTP server ignores the username and password if they are not required for the firewall to connect.
Known
10.1.14
PAN-172061
A process ( all_pktproc ) can cause intermittent crashes on the Passive PA-5450 firewall in an Active/Passive HA pair. This issue may be seen during an upgrade or reload of the firewall with traffic and when clearing sessions.
Known
10.1.14
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Known
10.1.14
PAN-171723
If you use Panorama to push a configuration that uses App-ID Cloud Engine (ACE) App-IDs and then you downgrade the firewall from PAN-OS 10.1 to PAN-OS 10.0, the installation succeeds but after you reboot, the auto-commit fails.
Workaround: Remove all ACE application configurations before downgrading.
Known
10.1.14
PAN-171673
On the Panorama management server, the ACC returns inaccurate results when you filter for New App-ID in the Application usage widget.
Known
10.1.14
PAN-171635
If you have an on-premise Active Directory and there is an existing group mapping configuration on the firewall, if you migrate the group mapping to the Cloud Identity Engine, the firewall does not remove the existing group mapping even if the configuration is disabled and the firewall is rebooted, which may conflict with new mappings from the Cloud Identity Engine.
Workaround : Use the debug user-id clear domain-map command to remove the existing group mappings from the firewall.
Known
10.1.14
PAN-171224
On the Panorama management server, a custom report ( Monitor Managed Custom Reports ) with a high volume of unique data objects is not generated when you click Run Now .
Known
10.1.14
PAN-171145
If you edit or remove the value for the mail attribute in your on-premise Active Directory, the changes may not be immediately reflected on the firewall after it syncs with the Cloud Identity Engine.
Known
10.1.14
PAN-170923
In Policies Security Policy Optimizer New App Viewer , when you select a Security policy rule in the bottom portion of the screen, the application data in the application browser (top portion of screen) does not match the Apps Seen on the selected rule. In addition, filtering in the application browser based on Apps Seen does not work.
Known
10.1.14
PAN-170270
Using the CLI to power on a PA-5450 Networking Card (NC) in an Active HA firewall can cause its Passive peer to temporarily go down.
Known
10.1.14
PAN-169906
The CN-Series Firewall as a Kubernetes Service does not support AF_XDP when deployed in CentOS.
Known
10.1.14
PAN-168636
Connecting to the App-ID Cloud Engine (ACE) cloud using a management port with explicit proxy configured on it is not supported. Instead, use a data plane interface for the service route ( Prepare to Deploy App-ID Cloud Engine describes how to do this.)
Known
10.1.14
PAN-168113
On the Panorama management server, you are unable to configure a master key ( Device Master Key and Diagnostics ) for a managed firewall if an interface ( Network Interfaces Ethernet ) references a zone pushed from Panorama.
Workaround: Remove the referenced zone from the interface configuration to successfully configure a master key.
Known
10.1.14
PAN-167847
If you issue the command opof stats , then clear the results {opof stats -c}, the Active Sessions value is sometimes invalid. For example, you might see a negative number or an excessively large number.
Workaround: Re-run the opof stats command after the offload completes.
Known
10.1.14
PAN-167401
When a firewall or Panorama appliance configured with a proxy is upgraded to PAN-OS 10.0.3 or a later release, it fails to connect to edge service.
Known
10.1.14
PAN-165669
If you configure a group that the firewall retrieves from the Cloud Identity Engine as the user in value in a filter query, Panorama is unable to retrieve the group membership and as a result, is unable to display this data in logs and custom reports.
Known
10.1.14
PAN-164922
On the Panorama management server, a context switch to a managed firewall running a PAN-OS 8.1.0 to 8.1.19 release fails.
Known
10.1.14
PAN-164885
This issue is now resolved. See PAN-OS 10.1.14-h6 Addressed Issues
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.1.14
PAN-164841
A successful deployment of a Panorama virtual appliance on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is inaccessible when deploying using the PAN-OS 10.1.0-b6 release.
Known
10.1.14
PAN-164647
On the Panorama management server, activating a license ( Panorama Device Deployment Licenses ) on managed firewalls in a high availability (HA) configuration causes the Safari web browser to become unresponsive.
Workaround: Log in to the Panorama web interface from a web browser other than Safari to successfully activate a license on managed firewalls in an HA configuration.
Known
10.1.14
PAN-164618
The VM-Series firewall CLI and system logs display the license name VM-SERIES-X , while the user interface displays VM-FLEX-X (in both cases X is the number of vCPUs). In future releases the user interface will use the VM-SERIES-X format.
Known
10.1.14
PAN-164586
If you use a value other than mail for the user or group email attribute in the Cloud Identity Engine, it displays in user@domain format in the CLI output.
Known
10.1.14
PAN-163966
On the Panorama management server, the ACC and on demand reports ( Monitor Manage Custom Reports ) are unable to fetch Directory Sync group membership when the Source User Group filter query is applied, resulting in no data being displayed for the filter when Directory Sync is configured as the Source User for a policy rule.
Known
10.1.14
PAN-162836
On the VM-Series firewall, if you select Device Licenses Deactivate VM a popup window opens and you can choose Subscriptions or Support and press Continue to remove licenses and register the changes with the license server. When the license removal is complete the Deactivate VM window does not update its text to exclude deactivated licenses or close the window.
Workaround : Wait until the license deactivation is complete, and click Cancel to close the window.
Known
10.1.14
PAN-161666
The firewall includes any users configured in the Cloud Identity Engine in the count of groups. As a result, some CLI command output does not accurately display the number of groups the firewall has retrieved from the Cloud Identity Engine and counts users as groups in the No. of Groups in the command output. If the attempt to retrieve the user or group fails, the information for the user or group still displays in the CLI command output.
Known
10.1.14
PAN-161451
If you issue the command opof stats , there are occasional zero packet and byte counts coming from the DPDK counters. This occurs when a session is in the tcp-reuse state, and has no impact on the existing session.
Known
10.1.14
PAN-160238
If you migrate traffic from a firewall running a PAN-OS version earlier than 9.0 to a firewall running PAN-OS 9.0 or later, you experience intermittent VXLAN packet drops if TCI policy is not configured for inspecting VXLAN traffic flows.
Workaround: On the new firewall, create an app override for VXLAN outer headers as described in What is an Application Override? and the video tutorial How to Configure an Application Override Policy on the Palo Alto Networks Firewall .
PAN-OS version 9.0 can inspect both inner and outer VXLAN flows. If you want to inspect inner flows, you must define a tunnel content inspection (TCI) policy.
Known
10.1.14
PAN-157444
As a result of a telemetry handling update, the Source Zone field in the DNS analytics logs (viewable in the DNS Analytics tab within AutoFocus) might not display correct results.
Known
10.1.14
PAN-157327
On downgrade to PAN-OS 9.1, Enterprise Data Loss Prevention (DLP) filtering settings ( Device Setup DLP ) are not removed and cause commit errors for the downgraded firewall if you do not uninstall the Enterprise DLP plugin before downgrade.
Workaround: After you successfully downgrade a managed firewall to PAN-OS 9.1, commit and push from Panorama to remove the Enterprise DLP filtering settings and complete the downgrade.
  1. Downgrade your managed firewall to PAN-OS 9.1
  2. Log in to the firewall web interface and view the Tasks to verify all auto commits related to the downgrade have completed successfully.
  3. Log in to the Panorama web interface and Commit Commit and Push to your managed firewall downgraded to PAN-OS 9.1.
Known
10.1.14
PAN-157103
Multi-channel functionality may not be properly utilized on an VM-Series firewall deployed in VMware NSX-V after the service is first deployed.
Workaround : Execute the command debug dataplane pow status to view the number of channels being utilized by the dataplane. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       2   0   0   0   0   0     2
If multi-channel functionality is not working, disable your NSX-V security policy and reapply it. Then reboot the VM-Series firewall. When the firewall is back up, verify that multi-channel functionality is working by executing the command debug dataplane pow status . It should now show multiple channels being utilized. 
Per pan-task Netx statisticsCounter Name    1   2   3   4   5   6   Total---------------------------------------------ready_dvf       1   1   0   0   0   0     2
Known
10.1.14
PAN-156598
( Panorama only ) If you configure a standard custom vulnerability signature in a custom Vulnerability Protection profile in a shared device group, the shared profile custom signatures do not populate in the other device groups when you configure a combination custom vulnerability signature.
Workaround: Use the CLI to update the combination signature.
Known
10.1.14
PAN-154292
On the Panorama management server, downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release causes Panorama commit ( Commit Commit to Panorama ) failures if a custom report ( Monitor Manage Custom Reports ) is configured to Group By Session ID .
Workaround: After successful downgrade, reconfigure the Group By setting in the custom report.
Known
10.1.14
PAN-154034
On the Panorama management server, the Type column in the System logs ( Monitor Logs System ) for managed firewalls running a PAN-OS 9.1 release erroneously display iot as the type.
Known
10.1.14
PAN-154032
On the Panorama management server, downgrading to PAN-OS 9.1 with the Panorama plugin for Cisco TrustSec version 1.0.2 installed does not automatically transform the plugin to be compatible with PAN-OS 9.1
Workaround: After successful downgrade to PAN-OS 9.1, Remove Config ( Panorama Plugins ) of the Panorama plugin for Cisco TrustSec and then reconfigure the plugin.
Known
10.1.14
PAN-153803
On the Panorama management server, scheduled email PDF reports ( Monitor PDF Reports ) fail if a GIF image is used in the header or footer.
Known
10.1.14
PAN-153557
On the Panorama management server CLI, the overall report status for a report query is marked as Done despite reports generated from logs in the Strata Logging Service from the PODamericas Collector Group jobs are still in a Running state.
Known
10.1.14
PAN-153068
The Bonjour Reflector option is supported on up to 16 interfaces. If you enable it on more than 16 interfaces, the commit succeeds and the Bonjour Reflector option is enabled only for the first 16 interfaces and ignored for any additional interfaces.
Known
10.1.14
PAN-151238
There is a known issue where M-100 appliances are able to download and install a PAN-OS 10.0 release image even though the M-100 appliance is no longer supported after PAN-OS 9.1. (Refer to the hardware end-of-life dates .)
Known
10.1.14
PAN-151085
On a PA-7000 Series firewall chassis having multiple slots, when HA clustering is enabled on an active/active HA pair, the session table count for one of the peers can show a higher count than the actual number of active sessions on that peer. This behavior can be seen when the session is being set up on a non-cache slot (for example, when a session distribution policy is set to round-robin or session-load); it is caused by the additional cache lookup that happens when HA cluster participation is enabled.
Known
10.1.14
PAN-150801
Automatic quarantine of a device based on forwarding profile or log setting does not work on the PA-7000 Series firewalls.
Known
10.1.14
PAN-150515
After you install the device certificate on a new Panorama management server, Panorama is not able to connect to the IoT Security edge service.
Workaround: Restart Panorama to connect to the IoT Security edge service.
Known
10.1.14
PAN-150345
During updates to the Device Dictionary, the IoT Security service does not push new Device-ID attributes (such as new device profiles) to the firewall until a manual commit occurs.
Workaround: Perform a force commit to push the attributes in the content update to the firewall.
Known
10.1.14
PAN-150361
In an Active-Passive high availability (HA) configuration, an error displays if you create a device object on the passive device.
Workaround: Load the running configuration and perform a force commit to sync the devices.
Known
10.1.14
PAN-148971
If you enter a search term for Events that are related to IoT in the System logs and apply the filter, the page displays an Invalid term error.
Workaround: Specify iot as the Type Attribute to filter the logs and use the search term as the Description Attribute . For example: ( subtype eq iot ) and ( description contains 'gRPC connection' ) .
Known
10.1.14
PAN-148924
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
Known
10.1.14
PAN-146995
After downgrading a Panorama management server from PAN-OS 10.0 to PAN-OS 9.1, the VLD and logd processes may crash when Panorama reboots.
Workaround: Panorama automatically restarts the VLD and logd processes.
Known
10.1.14
PAN-146807
Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround : Perform a manual config sync on the device group that lost the IP tag mapping information.
Known
10.1.14
PAN-146485
On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration ( Panorama SD-WAN Devices ) does not display the branch template stack as out of sync .
Additionally, adding, deleting, or modifying the BGP configuration ( Panorama SD-WAN Devices ) does not display the hub and branch template stacks as out of sync . For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync , nor does modifying the BGP configuration on the hub firewall cause the branch template stack as out of sync .
Workaround: After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
Known
10.1.14
PAN-145460
CN-MGMT pods fail to connect to the Panorama management server when using the Kubernetes plugin.
Workaround: Commit the Panorama configuration after the CN-MGMT pod successfully registers with Panorama.
Known
10.1.14
PAN-144889
On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 plugin does not display the managed firewall templates ( Panorama Managed Devices Summary ) as Out of Sync .
Workaround : When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values ( Commit Push to Devices Edit Selections ).
Known
10.1.14
PAN-143132
Fetching the device certificate from the Palo Alto Networks Customer Support Portal (CSP) may fail and displays the following error in the CLI:
ERROR Failed to process S1C msg: Error
Workaround: Retrying fetching the device certificate from the Palo Alto Networks CSP.
Known
10.1.14
PAN-141630
Current performance limitation: single data plane use only. The PA-5200 Series and PA-7000 Series firewalls that support 5G network slice security, 5G equipment ID security, and 5G subscriber ID security use a single data plane only, which currently limits the firewall performance.
Known
10.1.14
PAN-140959
The Panorama management server allows you to downgrade Zero Touch Provisioning (ZTP) firewalls to PAN-OS 9.1.2 and earlier releases where ZTP functionality is not supported.
Known
10.1.14
PAN-140008
ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server resulting in a delay in a log query and ingestion.
Known
10.1.14
PAN-136763
On the Panorama management server, managed firewalls display as disconnected when installing a PAN-OS software update ( Panorama Device Deployment Software ) but display as connected when you view your managed firewalls Summary ( Panorama Managed Devices Summary ) and from the CLI.
Workaround: Log out and log back in to the Panorama web interface.
Known
10.1.14
PAN-135742
There is an issue in HTTP2 session decryption where the App-ID in the decryption log is the App-ID of the parent session (which is web-browsing).
Known
10.1.14
PAN-134053
ACC does not filter WildFire logs from Dynamic User Groups.
Known
10.1.14
PAN-132598
The Panorama management server does not check for duplicate addresses in address groups ( Objects Address Groups ) and duplicate services in service groups ( Objects Service Groups ) when created from the CLI.
Known
10.1.14
PAN-130550
( PA-3200 Series, PA-5220, PA-5250, PA-5260, and PA-7000 Series firewalls ) For traffic between virtual systems (inter-vsys traffic), the firewall cannot perform source NAT using dynamic IP (DIP) address translation.
Workaround: Use source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys traffic.
Known
10.1.14
PAN-127813
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround: Add any specific prefixes for branches to the hub advertise-list configuration.
Known
10.1.14
PAN-127206
If you use the CLI to enable the cleartext option for the Include Username in HTTP Header Insertion Entries feature, the authentication request to the firewall may become unresponsive or time out.
Known
10.1.14
PAN-123277
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
Known
10.1.14
PAN-123040
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.
Known
10.1.14
PAN-120440
There is an issue on M-500 Panorama management servers where any ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following format: 2001:DB9:85A3:0:0:8A2E:370:2 .
Known
10.1.14
PAN-120423
PAN-OS 10.0.0 does not support the XML API for GlobalProtect logs.
Known
10.1.14
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround: Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address ( Device Setup Content ID URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP PAN-DB IP address.
    4. Commit your changes.
  • Restart the firewall ( devsrvr ) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process: debug software restart process device-server
Known
10.1.14
PAN-116017
( Google Cloud Platform (GCP) only ) The firewall does not accept the DNS value from the initial configuration (init-cfg) file when you bootstrap the firewall.
Workaround: Add DNS value as part of the bootstrap.xml in the bootstrap folder and complete the bootstrap process.
Known
10.1.14
PAN-115816
( Microsoft Azure only ) There is an intermittent issue where an Ethernet (eth1) interface does not come up when you first boot up the firewall.
Workaround: Reboot the firewall.
Known
10.1.14
PAN-114495
Alibaba Cloud runs on a KVM hypervisor and supports two Virtio modes: DPDK (default) and MMAP. If you deploy a VM-Series firewall running PAN-OS 9.0 in DPDK packet mode and you then switch to MMAP packet mode, the VM-Series firewall duplicates packets that originate from or terminate on the firewall. As an example, if a load balancer or a server behind the firewall pings the VM-Series firewall after you switch from DPDK packet mode to MMAP packet mode, the firewall duplicates the ping packets.
Throughput traffic is not duplicated if you deploy the VM-Series firewall using MMAP packet mode.
Known
10.1.14
PAN-112694
( Firewalls with multiple virtual systems only ) If you configure dynamic DNS (DDNS) on a new interface (associated with vsys1 or another virtual system) and you then create a New Certificate Profile from the drop-down, you must set the location for the Certificate Profile to Shared. If you configure DDNS on an existing interface and then create a new Certificate Profile, we also recommend that you choose the Shared location instead of a specific virtual system. Alternatively, you can select a preexisting certificate profile instead of creating a new one.
Known
10.1.14
PAN-112456
You can temporarily submit a change request for a URL Category with three suggested categories; however, only two categories are supported. Do not add more than two suggested categories to a change request until we address this issue. If you submit more than two suggested categories, only the first two categories in the change request are evaluated.
Known
10.1.14
PAN-112135
You cannot unregister tags for a subnet or range in a dynamic address group from the web interface.
Workaround: Use an XML API request to unregister the tags for the subnet or range.
Known
10.1.14
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit ( Commit Commit to Panorama ) the reverted configuration to display the invalid configuration errors.
Known
10.1.14
PAN-111866
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
Known
10.1.14
PAN-111729
If you disable DPDK mode and enable it again, you must immediately reboot the firewall.
Known
10.1.14
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
Known
10.1.14
PAN-110794
DGA-based threats shown in the firewall threat log display the same name for all such instances.
Known
10.1.14
PAN-109526
The system log does not correctly display the URL for CRL files; instead, the URLs are displayed with encoded characters.
Known
10.1.14
PAN-104780
If you configure a HIP object to match only when a connecting endpoint is managed ( Objects GlobalProtect HIP Objects <hip-object> General Managed ), iOS and Android endpoints that are managed by AirWatch are unable to successfully match the HIP object and the HIP report incorrectly indicates that these endpoints are not managed. This issue occurs because GlobalProtect gateways cannot correctly identify the managed status of these endpoints.
Additionally, iOS endpoints that are managed by AirWatch are unable to match HIP objects based on the endpoint serial number because GlobalProtect gateways cannot identify the serial numbers of these endpoints; these serial numbers do not appear in the HIP report.
Known
10.1.14
PAN-103276
Adding a disk to a virtual appliance running Panorama 8.1 or a later release on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
Known
10.1.14
PAN-101688
( Panorama plugins ) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all .
Known
10.1.14
PAN-101537
After you configure and push address and address group objects in Shared and vsys-specific device groups from the Panorama management server to managed firewalls, executing the show log <log-type> direction equal <direction> <dst> | <src> in <object-name> command on a managed firewall only returns address and address group objects pushed form the Shared device group.
Workaround: Specify the vsys in the query string:
admin> set system target-vsys <vsys-name>
admin> show log <log-type> direction equal <direction> query equal ‘vsys eq <vsys-name> ’ <dst> | <src> in <object-name>
Known
10.1.14
PAN-98520
When booting or rebooting a PA-7000 Series Firewall with the SMC-B installed, the BIOS console output displays attempts to connect to the card's controller in the System Memory Speed section. The messages can be ignored.
Known
10.1.14
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List ) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
Known
10.1.14
PAN-97524
( Panorama management server only ) The Security Zone and Virtual System columns ( Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
Known
10.1.14
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
Known
10.1.14
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
Known
10.1.14
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings ( Device Password Profiles ) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
Known
10.1.14
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
Known
10.1.14
PAN-94093
HTTP Header Insertion does not work when jumbo frames are received out of order.
Known
10.1.14
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 9.0 releases ( Objects Security Profiles Vulnerability Protection <profile> Exceptions ). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
Known
10.1.14
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile ( Objects Security Profiles SCTP Protection ) and you try to add the profile to an existing Security Profile Group ( Objects Security Profile Groups ), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.
Known
10.1.14
PAN-93532
When you configure a firewall running PAN-OS 9.0 as an nCipher HSM client, the web interface on the firewall displays the nCipher server status as Not Authenticated, even though the HSM state is up ( Device Setup HSM ).
Known
10.1.14
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
Known
10.1.14
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
Known
10.1.14
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-off load no CLI command.
Known
10.1.14
PAN-83236
The VM-Series firewall on Google Cloud Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address ( Device Setup Services ).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
Known
10.1.14
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto an nCipher nShield hardware security module (HSM).
Known
10.1.14
PAN-81521
Endpoints failed to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile ( Device Server Profiles Kerberos ).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.
Known
10.1.14
PAN-77125
PA-7000 Series, PA-5450, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session off load no CLI command.
Known
10.1.14
PAN-75457
In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama results in a validation error—the commit fails and the cluster becomes unresponsive.
Known
10.1.14
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
Known
10.1.14
PAN-73401
When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exist:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller: 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller worker-list <worker-ip-address>
    ( <worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled. 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
yes
    or 
    admin@wf500(active-controller)# set
deviceconfig cluster mode controller service-advertisement dns-service
enabled
no
    Both commands result in Panorama reporting that the controller nodes are in sync.
Known
10.1.14
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
Known
10.1.14
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL , the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error ( Objects External Dynamic Lists ).
Known
10.1.14
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
Known
10.1.14
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report ( Monitor Manage Custom Reports ). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days , the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame .
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.
Known
10.1.14
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
Known
10.1.14
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • nCipher nShield Connect —The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network —When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands are blocked for 20 seconds.
Addressed
10.1.14-h8
PAN-273215
Fixed an issue where a syntax error in the index generation script caused a high management plane CPU load after upgrading.
Addressed
10.1.14-h8
PAN-268823
Fixed an issue where Monitor > Log Display did not display all logs when you applied
Addressed
10.1.14-h8
PAN-268339
Fixed an issue where syslog-ng failed to start due to the syslog-ng.config file being corrupted when upgrading from PAN-OS 10.2.9-h1 to PAN-OS 10.2.11.
Addressed
10.1.14-h8
PAN-264871
Fixed an issue on Panorama where the configd process stopped responding when viewing IP addresses on dynamic address groups with a large number of IP addresses.
Addressed
10.1.14-h8
PAN-262330
Fixed an issue where traffic logs were not forwarded to the syslog server.
Addressed
10.1.14-h8
PAN-260604
Fixed an issue where the firewall displayed inaccurate throughput utilization stats in NetFlow analyzer tools.
Addressed
10.1.14-h8
PAN-260512
Fixed an issue where accessing the IP address of the device address group objects from the user interface caused the configd process to stop responding.
Addressed
10.1.14-h8
PAN-259351
A fix was made to address CVE-2024-3393 .
Addressed
10.1.14-h8
PAN-230873
( PA-7000 Series firewalls in active/passive HA configurations only ) Fixed an issue where the passive firewall was unable to send configuration and system logs.
Addressed
10.1.14-h6
PAN-272809
A fix was made to address CVE-2024-9474 .
Addressed
10.1.14-h6
PAN-264883
( PA-7080 appliances with Log Forwarding Cards (LPCs) only ) Fixed an issue where syslog forwarding over TCP stopped after upgrading.
Addressed
10.1.14-h6
PAN-264249
Fixed an issue on the firewall where SNMP queries timed out when using SNMP.
Addressed
10.1.14-h6
PAN-263287
The PAN-COMMON-MIB.my file was updated to support new object identifiers (OID) to poll interface use via SNMP with table identifiers.
Addressed
10.1.14-h6
PAN-262340
Fixed an issue where FQDN resolution failed for address objects, and all FQDN traffic was denied by the interzone-default policy rule.
Addressed
10.1.14-h6
PAN-259910
Fixed an issue where the firewall reported the same value over consecutive SNMP polls when asynchronous mode was enabled.
Addressed
10.1.14-h6
PAN-257601
( PA-5450 firewalls only ) Fixed an issue where Networking Cards (NC) experienced an internal link fault which caused path monitoring failure on the Dataplane Processing Card (DPC).
Addressed
10.1.14-h6
PAN-241044
Fixed an issue where traffic was denied by the interzone-default policy rule when a Security policy rule with an FQDN destination was configured.
Addressed
10.1.14-h6
PAN-230873
( PA-7000 Series firewalls in active/passive HA configurations only ) Fixed an issue where the passive firewall was unable to send configuration and system logs.
Addressed
10.1.14-h6
PAN-164885
Fixed an issue on Panorama where Commit and Push or Push to Devices operations failed when an external dynamic list was configured to check for updates every 5 minutes due to the commit and external dynamic fetch processes overlapping.
Addressed
10.1.14-h4
PAN-259480
Fixed an issue where the varrcvr process stopped responding after running out of memory due to how the process queued and dequeued files for WildFire file forwarding when a WildFire Analysis Security profile was enabled.
Addressed
10.1.14-h4
PAN-257957
( Firewalls and Panorama appliances in FIPS-CC mode only ) Fixed an issue where the authd process restarted if RADIUS PAP/CHAP authentication was used.
Addressed
10.1.14-h4
PAN-256136
Fixed an issue where traffic logs were not forwarded to an external system log server.
Addressed
10.1.14-h4
PAN-259480
Fixed an issue where the varrcvr process stopped responding after running out of memory due to how the process queued and dequeued files for WildFire file forwarding when a WildFire Analysis Security profile was enabled.
Addressed
10.1.14-h4
PAN-257462
Fixed an issue related to the varrcvr process where the management plane CPU was higher than expected.
Addressed
10.1.14-h4
PAN-254373
Fixed an issue where the firewall did not handle error code 500 responses from the WildFire cloud correctly.
Addressed
10.1.14-h4
PAN-233129
Fixed an issue where the firewall sent duplicate logs to syslog server when the log forwarding profile was configured with Shared enabled and was used in a Security policy rule.
Addressed
10.1.14-h4
PAN-226769
Fixed an issue where ElasticSearch used more memory than expected.
Addressed
10.1.14-h4
PAN-216368
Fixed an issue where the configuration commit process on chassis based platforms did not recognize load failures on the dataplane.
Addressed
10.1.14-h2
PAN-258702
( WF-500 appliances only ) Fixed an issue where the varrcvr process stopped responding when files were being forwarded to the WildFire cloud.
Addressed
10.1.14-h2
PAN-257197
Fixed an issue where ifType and ifSpeed were not populated in asynchronous mode of SNMP operations.
Addressed
10.1.14-h2
PAN-251847
Fixed an issue on log collectors where the incoming log rate was lower than expected.
Addressed
10.1.14-h2
PAN-255163
( CN-Series firewalls only ) Fixed an issue where the system database key that stored the configuration status of the dataplane pod was not updated frequently.
Addressed
10.1.14-h2
PAN-248130
Fixed an issue where the AND operation under a Dynamic Address Group comparison did not work after upgrading the AWS plugin to 3.0.1.
Addressed
10.1.14-h2
PAN-247257
Fixed an issue where the useridd process stopped responding, which caused the firewall to reboot.
Addressed
10.1.14
PAN-253317
( VM-Series firewalls on Microsoft Azure environments only ) Fixed an issue where you were unable to log in to the firewall after a private data reset.
Addressed
10.1.14
PAN-251013
Fixed an issue on the web interface where the Virtual Router and Virtual System configurations for the template incorrectly showed as none .
Addressed
10.1.14
PAN-246420
( PA-5400 Series firewalls only ) Fixed an issue where the firewall rebooted unexpectedly during an upgrade.
Addressed
10.1.14
PAN-246155
Fixed an issue where the firewall dropped small fragmented ICMP messages with the discard-icmp-ping-zero-id counter when a Zone Protection profile was enabled.
Addressed
10.1.14
PAN-245157
( VM-Series firewalls in Microsoft Azure environments only ) Fixed an issue where the firewall restarted after an HA failover when DPDK was enabled.
Addressed
10.1.14
PAN-245125
( VM-Series firewalls in Microsoft Azure environments only ) Fixed an issue where file descriptors were not closed due to invalid configurations.
Addressed
10.1.14
PAN-245041
Fixed an issue where the WF-500 appliance returned an error verdict for every sample in FIPS mode.
Addressed
10.1.14
PAN-242027
Fixed an issue where the all-task process repeatedly restarted during memory allocation failures.
Addressed
10.1.14
PAN-241888
Fixed an issue where DHCP lease renewal failed due to a change in the firewall timestamp ( Device > Setup > Management ).
Addressed
10.1.14
PAN-241230
Fixed an issue where the SNMP get request status value for Panorama connections was incorrect.
Addressed
10.1.14
PAN-241018
( VM-Series firewalls in Microsoft Azure environments only ) Fixed a Data Plane Development Kit (DPDK) issue where interfaces remained in a link-down stage after an Azure hot plug event.
Addressed
10.1.14
PAN-240993
Fixed an issue where you were unable to revert a sort in task manager in the admin column.
Addressed
10.1.14
PAN-240786
Fixed an issue on firewalls in HA configurations where VXLAN sessions were allocated, but not installed or freed, which resulted in a constant high session table usage that was not synced between the firewalls. This resulted in a session count mismatch.
Addressed
10.1.14
PAN-240618
Fixed an issue where configuration commits were successful even when dynamic peer IKE gateways configured on the same interface and IP address that did not have the same IKE Crypto profile.
Addressed
10.1.14
PAN-240327
Fixed an issue where traffic on all branches was impacted when the SD-WAN MPLS link on one branch went down.
Addressed
10.1.14
PAN-240308
Fixed an issue where ElasticSearch did not work as expected when RAID-mounts were not fully ready after a reboot.
Addressed
10.1.14
PAN-239255
Fixed an issue where the firewall did not update the ARP cache timeout value after modifying the arp-cache-timeout setting.
Addressed
10.1.14
PAN-238705
( PA-400 Series firewalls only ) Fixed an issue where HA link-monitor did not work.
Addressed
10.1.14
PAN-238643
Fixed an issue where a memory leak caused multiple processes to stop responding when VM Information Sources was configured.
Addressed
10.1.14
PAN-238621
Fixed an issue where the HA3 link status remained down when updating the HA3 interface configuration when the AE interface was up.
Addressed
10.1.14
PAN-238592
( PA-3410 firewalls only ) Fixed an issue where the firewall did not boot up after upgrading due to a TPM lockout condition that persisted for over 24 hours.
Addressed
10.1.14
PAN-238508
Fixed an issue where the routed process created excessive logs in the log file.
Addressed
10.1.14
PAN-238355
Fixed an issue where, when a device group was not successfully renamed, unexpected configuration changes to the device group structure occurred.
Addressed
10.1.14
PAN-238249
Fixed an issue where static route path monitor packets from a multislot chassis were intercepted by the firewall performing Static NAT (SNAT).
Addressed
10.1.14
PAN-238183
Fixed an issue where Panorama displayed deviating device system logs for nonconnected interfaces.
Addressed
10.1.14
PAN-237657
Fixed an issue with 100% CPU utilization in the varrcvr process that occurred during an incremental WildFire update.
Addressed
10.1.14
PAN-237608
Fixed an issue where a NetFlow export truncated the source username.
Addressed
10.1.14
PAN-236233
Fixed an issue where SNMP reports displayed incorrect values for SSL Proxy sessions and SSL Proxy utilization.
Addressed
10.1.14
PAN-235840
Fixed an issue where, after a configuration push from Panorama to managed firewalls, the status displayed as None and the push took longer than expected.
Addressed
10.1.14
PAN-235557
Fixed an issue where uploads from tunnels, including GlobalProtect, were slower than expected when the inner and outer sessions were on different dataplanes.
Addressed
10.1.14
PAN-235531
Fixed an issue where GlobalProtect logs displayed incorrect vsys numbers on Panorama.
Addressed
10.1.14
PAN-235475
Fixed an issue where firewall sinkhole functionality was disrupted when a domain entry in an external dynamic list started with a period (.) character.
Addressed
10.1.14
PAN-235168
Fixed an issue where disk space became full even after clearing old logs and content images.
Addressed
10.1.14
PAN-234596
Fixed an issue on firewalls in active/passive HA configurations where the passive firewall incorrectly became active after a reboot.
Addressed
10.1.14
PAN-234169
Fixed an issue where downloading files failed or was slower than expected due to malware scanning even when the session was matched to a Security policy rule with no Anti-Virus profile attached.
Addressed
10.1.14
PAN-233965
Fixed an issue where the tund process stopped responding, which caused push operation to managed firewalls or making changes to local firewalls to fail.
Addressed
10.1.14
PAN-233692
Fixed an issue on Panorama where the configd process stopped, which caused performance issues.
Addressed
10.1.14
PAN-233689
( PA-7000 Series firewalls only ) Fixed an issue where the Log Forwarding Card (LFC) disk quota usage was reported as 0 MB for all log types.
Addressed
10.1.14
PAN-233603
( CN-Series firewalls only ) Fixed an issue where slot information was not correct after a slotd process restart on the management pod.
Addressed
10.1.14
PAN-231395
Fixed an intermittent issue where the OCSP query failed.
Addressed
10.1.14
PAN-231270
Fixed an issue where Panorama became unresponsive due to the useridd process not responding.
Addressed
10.1.14
PAN-231237
( Firewalls only in FIPS mode only ) Fixed an issue where the firewall repeatedly displayed the error message Cipher decrypt-final failure .
Addressed
10.1.14
PAN-229874
Fixed an issue where the firewall was unable to form OSPFv3 adjacency when using an ESP authentication profile.
Addressed
10.1.14
PAN-229873
( PA-7050 firewalls only ) Fixed an issue related to brdagent process errors.
Addressed
10.1.14
PAN-229832
Fixed an intermittent issue where MLAV and URL cloud connectivity were lost.
Addressed
10.1.14
PAN-228277
Fixed an issue where commits took longer than expected.
Addressed
10.1.14
PAN-224772
Fixed a high memory usage issue with the mongodb process that caused an OOM condition.
Addressed
10.1.14
PAN-224365
Fixed an issue where excessive network path monitoring messages were generated in the system logs.
Addressed
10.1.14
PAN-222500
Fixed an issue where an old configuration unexpectedly merged during a push from Panorama.
Addressed
10.1.14
PAN-220907
( VM-Series firewalls only ) Fixed an issue where large packets were dropped from the dataplane to the management plane, which caused OSPF neighborship to fail.
Addressed
10.1.14
PAN-220767
Fixed an issue where, at the beginning of a session, out of order packets with a TCP payload were truncated with a nonzero trailer.
Addressed
10.1.14
PAN-220490
Fixed an issue where the commit warning Missing pre-defined DNS security category was incorrectly displayed.
Addressed
10.1.14
PAN-219113
Fixed an issue where, when a port on the NPC was configured for log forwarding, the ingress traffic on the card was sent for processing to the LPC, and the LPC card was reloaded when the ingress volume of traffic was high.
Addressed
10.1.14
PAN-218136
Fixed an issue where the service route setting Palo Alto Networks Services was not applied to Threat Vault communication.
Addressed
10.1.14
PAN-217307
Fixed an issue where the log-start and log-end policy rule filters did not return reliable results when set to no or yes .
Addressed
10.1.14
PAN-217147
Fixed an issue where commits took longer than expected when a large number of Security policy rules were configured.
Addressed
10.1.14
PAN-216941
( M-700 Appliances in Log Collector mode only ) Fixed an issue where Panorama stopped processing and saving logs.
Addressed
10.1.14
PAN-215561
Fixed an issue where GlobalProtect authentication failed when new users were added to an existing local database group user list.
Addressed
10.1.14
PAN-214463
Fixed an issue where IKE re-key negotiation failed with a third-party vendor and the firewall acting as the initiator received a response with the VENDOR_ID payload and the error message unexpected critical payload (type 43) .
Addressed
10.1.14
PAN-213918
Fixed an issue where mlav-test-pe-file.exe was not detected by WildFire Inline ML.
Addressed
10.1.14
PAN-212606
Fixed an issue where the static gateway IKE-SA was established based on the peer ID even though the peer IP address matched a different object.
Addressed
10.1.14
PAN-211575
Fixed an issue where a local commit on Panorama remained at 99% for longer than expected before completing.
Addressed
10.1.14
PAN-210260
Fixed an issue on firewalls in HA configurations where the peer satellite firewall was able to connect to the GlobalProtect portal without username and password authentication.
Addressed
10.1.14
PAN-196395
( PA-5450 firewalls only ) Fixed an issue where the firewall accepted 12 Aggregate Ethernet interfaces, but you were unable to configure interfaces 9-12 via the web interface.
Addressed
10.1.14
PAN-194782
Fixed an issue on Panorama where, if you added a new local or nonlocal administrator account or an admin user to a template, authentication profiles were incorrectly referenced.
Addressed
10.1.14
PAN-182011
Fixed an issue where the httpd process stopped responding and generated a core after a commit.
Known
10.2.0
WIF-495
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues .
On the Panorama management server, edits made to an existing data filtering profile ( Objects > DLP > Data Filtering Profiles ) can result in matching traffic not being detected by Enterprise DLP.
Known
10.2.0
WF500-5754
In WildFire appliance clusters, issuing the show cluster controller CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6).
Known
10.2.0
WF500-5632
The number of registered WildFire appliances reported in Panorama ( Panorama Managed WildFire Appliances Firewalls Connected View ) does not accurately reflect the current status of connected WildFire appliances.
Known
10.2.0
PAN-264281
When upgrading a ZTP firewall from PAN-OS 10.2 to PAN-OS 11.1 or later versions, if you use the To SW Version column to specify the target PAN-OS version, the upgrade process downloads and installs the intermediary base version containing an expired root certificate. This causes the ZTP firewall to lose connection with Panorama
Workaround: Follow the standard upgrade process from Panorama, which you use for non-ZTP firewalls, to upgrade to the target PAN-OS version that contains the valid root certificate.
Known
10.2.0
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.2.0
PAN-259769
GlobalProtect portal is not accessible via a web browser and the app displays the error ERR_EMPTY_RESPONSE .
Known
10.2.0
PAN-250062
Device telemetry might fail at configured intervals due to bundle generation issues.
Known
10.2.0
PAN-243951
On the Panorama management sever in an active/passive High Availability (HA) configuration, managed devices ( Panorama Managed Devices Summary ) display as out-of-sync on the passive HA peer when configuration changes are made to the SD-WAN ( Panorama SD-WAN ) configuration on the active HA peer.
Workaround: Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select Commit and Commit to Panorama the SD-WAN configuration changes on the active HA peer.
    On the passive HA peer, select Panorama Managed Devices Summary and observe that the managed devices are now out-of-sync .
  3. Log in to the primary HA peer Panorama CLI and trigger a manual synchronization between the active and secondary HA peers.
    request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface and select Commit Push to Devices and Push .
Known
10.2.0
PAN-241536
On the Panorama management server, a user with an Admin Role is unable to modify or add filters to profiles under Panorama Network Routing Routing Profiles Filters , despite having the necessary read and write privileges.
Known
10.2.0
PAN-234408
Enterprise DLP cannot detect and block non-file based traffic for ChatGPT from traffic forwarded to the DLP cloud service from an NGFW.
Known
10.2.0
PAN-227344
On the Panorama management server, PDF Summary Reports ( Monitor PDF Reports Manage PDF Summary ) display no data and are blank when predefined reports are included in the summary report.
Known
10.2.0
PAN-225337
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
On the Panorama management server, the configuration push to a multi-vsys firewall fails if you:
  1. Create a Shared and vsys-specific device group configuration object with an indentical name. For example, a Shared address object called SharedAO1 and a vsys-specific address object also called SharedAO1 .
  2. Reference the Shared object in another Shared configuration. For example, reference the Shared address object ( SharedAO1 ) in a Shared address group called SharedAG1 .
  3. Use the Shared configuration object with the reference in a vsys-specific configuration. For example, reference the Shared address group ( SharedAG1 ) in a vsys-specific policy rule.
Workaround: Select Panorama Setup Management and edit the Panorama Settings to enable one of the following:
  • Shared Unused Address and Service Objects with Devices —This options pushes all Shared objects, along with device group specific objects, to managed firewalls.
    This is a global setting and applies to all managed firewalls, and may result in pushing too many configuration objects to your managed firewalls.
  • Objects defined in ancestors will take higher precedence —This option specifies that in the event of objects with the same name, ancestor object take precedence over descendent objects. In this case, the Shared objects take precedence over the vsys-specific object.
    This is a global setting and applies to all managed firewalls. In the example above, if the IP address for the Shared SharedAO1 object was 10.1.1.1 and the device group specific SharedAO1 was 10.2.2.2 , the 10.1.1.1 IP address takes precedence.
Alternatively, you can remove the duplicate address objects from the device group configuration to allow only the Shared objects in your configuration.
Known
10.2.0
PAN-223488
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
Closed ElasticSearch shards are not deleted from a Panorama M-Series or virtual appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.2.0
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.2.0
PAN-222586
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings ( Device Log Settings ) are not displayed and cannot be configured.
Known
10.2.0
PAN-222253
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
On the Panorama management server, policy rulebase reordering when you View Rulebase by Groups ( Policy <policy-rulebase> ) does not persist if you reorder the policy rulebase by dragging and dropping individual policy rules and then moving the entire tag group.
Known
10.2.0
PAN-221775
A Malformed Request error is displayed when you Test Connection for an email server profile ( Device Server Profiles Email ) using SMTP over TLS and the Password includes an ampersand (&).
Known
10.2.0
PAN-221015
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. The results in the Managed Collector ES health status ( Panorama Managed Collectors Health Status ) to be degraded.
Workaround: Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes. 
admin>debug elasticsearch es-restart optional all
Known
10.2.0
PAN-219644
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
Firewalls forwarding logs to a syslog server over TLS ( Objects Log Forwarding ) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
10.2.0
PAN-218521
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.2.0
PAN-217307
This issue is now resolved. See PAN-OS 10.2.11 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.2.0
PAN-215778
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues .
On the M-600 appliance in Management Only mode, XML API Get requests for /config fail with the following error due to exceeding the total configuration size supported on the M-600 appliance. 
504 Gateway timeout
Known
10.2.0
PAN-215082
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
M-300 and M-700 appliances may generate erroneous system logs ( Monitor Logs System ) to alert that the M-Series appliance memory usage limits are reached.
Known
10.2.0
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.2.0
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list ( Monitor Block IP ):
show -> dis-block-table is unexpected
Known
10.2.0
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor ( Monitor App Scope Threat Monitor ) and ACC . This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.2.0
PAN-212533
Modifying the Administrator Type for an existing administrator ( Device Administrators or Panorama Administrators ) from Superuser to a Role-Based custom admin, or vice versa, does not modify the access privileges of the administrator.
Known
10.2.0
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile ( Panorama Admin Roles ).
Known
10.2.0
PAN-209937
Certificate-based authentication for administrator accounts may be unable to log into the Panorama or firewall web interface with the following error:
Bad Request - Your browser sent a request that this server could not understand
Known
10.2.0
PAN-208325
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues .
The following NextGen firewalls and Panorama management server models are unable to automatically renew the device certificate ( Device Setup Management or Panorama Setup Management ).
  • M-300 and M-700
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-3400 Series
  • PA-5410, PA-5420, and PA-5430 Firewalls
  • PA-5450 Firewall
Workaround: Log in to the firewall CLI or Panorama CLI and fetch the device certificate. 
admin>request certificate fetch
Known
10.2.0
PAN-207629
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
On the Panorama management server, selective push fails to managed firewalls if the managed firewalls are enabled with multiple vsys and the Push Scope contains shared objects in device groups.
Known
10.2.0
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status ( Panorama Managed Collector ) displaying connected and the managed colletor Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround: Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Log in to the Dedicated Log Collector CLI .
  2. Confirm the Dedicated Log Collector is disconnected from Panorama. 
    admin> show panorama-status
    Verify the Connected status is no .
  3. Restart the mgmtsrvr process. 
    admin> debug software restart process management-server
Known
10.2.0
PAN-206268
On the Panorama management server, the Auth Key field was erroneously displayed when you configure the Panorama Settings ( Device Setup Management ) as part of a template or template stack configuration.
Known
10.2.0
PAN-206253
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
For PA-3400 Series firewalls, the default log rate is set too low and the max configurable log rate is incorrectly capped resulting in the firewall not generating more than 6,826 logs per second.
Known
10.2.0
PAN-206243
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
The PA-220 firewall reaches the maximum disk usage capacity multiple a day that requires a disk cleanup. A critical system log ( Monitor Logs System ) is generated each time the firewall reaches maximum disk usage capacity.
Known
10.2.0
PAN-205187
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround: Log in to the Panorama CLI and start the PAN-OS software. 
admin>request restart software
Known
10.2.0
PAN-204663
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
On the Panorama management server, you are unable to Context Switch from one managed firewall to another.
Workaround: After you Context Switch to a managed firewall, you must first Context Switch back to Panorama before you can continue to Context Switch to a different managed firewall.
Known
10.2.0
PAN-201855
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues .
On the Panorama management server, cloning any template ( Panorama Templates ) corrupts certificates ( Device Certificate Management Certificates ) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have template A, B, and C where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with Block Private Key Export setting enabled in templates A and B.
Workaround: After cloning a template, delete and re-import the corrupted certificates.
Known
10.2.0
PAN-199557
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues .
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround: Manually reboot the Active Panorama HA peer.
Known
10.2.0
PAN-197341
On the Panorama management server, if you create multiple device group Objects with the same name in the Shared device group and any additional device groups ( Panorama Device Groups ) under the same device group hierarchy that are used in one or more Policies , renaming the object with a shared name in any device group causes the object name to change in the policies where it is used. This issue applies only to device group objects that can be referenced in a Security policy rule.
For example:
  1. You create a parent device group DG-A and a child device group DG-B .
  2. You create address objects called AddressObjA in the Shared , DG-A and DG-B device groups and add AddressObjA to a Security policy rule under DG-A and DG-B .
  3. Later, you change the AddressObjA name in the Shared device group to AddressObjB .
Changing the name of the address object in the Shared device group causes the references in the Policy rule to use the renamed Shared object instead of the device group object.
Known
10.2.0
PAN-197097
Large Scale VPN (LSVPN) does not support IPv6 addresses on the satellite firewall.
Known
10.2.0
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.2.0
PAN-196720
During the CN-Series firewall deployment on Oracle OKEplatform, when you delete the deployment by deleting yamls, the MP/DP pods are stuck in Terminating state.
Workaround: Delete the CN-Series DP pods, MP pods, and then the pan-cni yaml file in a sequential order.
Known
10.2.0
PAN-194826
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
( WF-500 appliance only ) System log forwarding does not work over a TLS connection.
Known
10.2.0
PAN-194519
( PA-5450 firewall only ) Trying to configure a custom payload format under Device Server Profiles HTTP yields a Javascript error.
Known
10.2.0
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.2.0
PAN-193251
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
If SAML is configured as the authentication method for GlobalProtect, authentication on the Portal page is not successful in the browser.
Workaround: Use the GlobalProtect app installed on the endpoint to authenticate.
Known
10.2.0
PAN-192403
( PA-5450 firewall only ) There is no commit warning in the web interface when configuring the management interface and logging interface in the same subnetwork. Having both interfaces in the same subnetwork can cause routing and connectivity issues.
Known
10.2.0
PAN-191570
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
The Traffic Activity and SSL/TLS widgets in the ACC erroneously display Report Error if there is no SSL data to display.
Known
10.2.0
PAN-190727
( PA-5450 firewall only ) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.2.0
PAN-190435
When you Commit a configuration change, the Task Manager commit Status goes directly from 0% to Completed and does accurately reflect the commit job progress.
Known
10.2.0
PAN-190311
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues .
( PA-220 and PA-220R firewalls and PA-800 Series firewalls only ) There is an issue where management connectivity to the firewall is lost due to the expiration of the DHCP lease, which causes the IP configuration on the management port to be purged.
Known
10.2.0
PAN-189425
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
On the Panorama management server, Export Panorama and devices config bundle ( Panorama Setup Operations ) fails to export. When the export fails, you are redirected to a new window and the following error is displayed:
Failed to redirect error to /var/log/pan/appweb3-panmodule.log (Permission denied)
Known
10.2.0
PAN-189395
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues .
Running any version of PAN-OS 10.2 on a PA-400 Series firewall can cause the dataplane process to restart unexpectedly and trigger a crash.
Known
10.2.0
PAN-189380
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
After you successfully upgrade a PA-3000 Series firewall to PAN-OS 10.2.0 or later release and Enterprise data loss prevention (DLP) plugin 3.0.0 or later release, the first configuration push from the Panorama management server causes the firewall dataplane to crash.
Workaround: Restart the firewall to restore dataplane functionality.
  1. Log in to the firewall CLI .
  2. Restart the firewall. 
    admin> request restart system
Known
10.2.0
PAN-189361
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues .
Panorama is unable to distribute antivirus signature updates to firewalls with only an Advanced Threat Prevention license. Firewalls with previously installed and active Threat Prevention license are unaffected.
Known
10.2.0
PAN-189298
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues .
On deploying the HA with 10.2.0-98 in Packet-mmap mode, the session sync for an existing session fails after restarting an active DP in Packet-mmap mode.
Known
10.2.0
PAN-189214
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues .
When the Advanced Threat Prevention license is present on a firewall without a Threat Prevention license, the antivirus signature update packages that are normally available to install under Device Dynamic Updates are not displayed.
Workaround: Use the request anti-virus upgrade {info | download | install} CLI commands to retrieve a list of available antivirus updates and the download and installation status, download specific antivirus packages, and to install antivirus packages.Optionally, you can schedule recurring automatic updates using the following CLI command: set deviceconfig system update-schedule anti-virus recurring .
Known
10.2.0
PAN-189206
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues .
Device Group and Template administrator roles don't support a context switch between the Panorama and firewall web interface.
Workaround: Use a Superuser or Panorama administrator role to context switch.
Known
10.2.0
PAN-189111
After deleting an MP pod and it comes up, the show routing command output appears empty and traffic stops working.
Known
10.2.0
PAN-189106
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues .
On the Panorama management server, you must uninstall the ZTP Plugin 2.0 before you can successfully downgrade to PAN-OS 10.1. After successful downgrade, you must reinstall the latest ZTP Plugin 1.0 version.
Workaround: Before you downgrade Panorama to PAN-OS 10.1, uninstall ZTP Plugin 2.0. After you successfully downgrade Panorama to PAN-OS 10.1, re-install ZTP Plugin 1.0 and re-enable ZTP functionality.
  1. Log in to the Panorama web interface .
  2. Uninstall the ZTP Plugin .
  3. Downgrade Panorama to PAN-OS 10.1.
  4. Log in to the Panorama web interface .
  5. Install the ZTP plugin .
  6. Select Panorama Zero Touch Provisioning and check (enable) ZTP .
Known
10.2.0
PAN-189076
On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain.
Known
10.2.0
PAN-189057
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues .
On the Panorama management server, Panorama enters a non-functional state due to php.debug.log life taking up too much space.
Workaround: Disable the debug flag for Panorama.
  1. Log in to the Panorama web interface .
  2. In the same browser you are logged into the Panorama web interface, enter the following URL.
    https://<panorama_ip>/debug
  3. Uncheck (disable) Debug or Clear Debug .
  4. ( HA configuration ) Repeat this step on each Panorama high availability (HA) peer if Panorama is in a HA configuration.
Known
10.2.0
PAN-189032
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues .
When the firewall has Advanced Routing enabled, an OSPFv3 interface configured with the p2mp link type causes the commit to fail.
Known
10.2.0
PAN-188956
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues .
After successful upgrade to PAN-OS 10.2, logging in to the firewall or Panorama web interface from the same Internet browser window or session from which the firewall or Panorama was upgraded displays the following error:
Your login session has expired and you have been logged out for security reasons. Please log in again if you wish to continue.
Workaround: The following are different ways to log in to the firewall or Panorama web interface after upgrading to PAN-OS 10.2.
  • Close the browser and log in to the firewall or Panorama web interface from an entirely new browser session.
  • Clear your browser cache for the browser from which you upgraded the firewall or Panorama.
  • Log in to the firewall or Panorama web interface from the browser in Incognito mode.
    If you upgraded the firewall or Panorama from a browser in Incognito mode, close the browser and log in to the firewall or Panorama web interface from an entirely new browser session.
  • Log in to the firewall or Panorama web interface from a different browser than the one used to upgrade to PAN-OS.
Known
10.2.0
PAN-188904
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
Certain web pages and web page contents might not properly load when cloud inline categorization is enabled on the firewall.
Known
10.2.0
PAN-188489
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
On the Panorama management server, dynamic content updates are not automatically pushed to VM-Series firewalls licensed using the Panorama Software Firewall License plugin when Automatically push content when software device registers to Panorama ( Panorama Templates Add Stack ) is enabled.
Known
10.2.0
PAN-188358
After triggering a soft reboot on a M-700 appliance, the Management port LEDs do not light up when a 10G Ethernet cable is plugged in.
Known
10.2.0
PAN-188064
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
The SCP Server Profile configuration ( Devices Server Profiles SCP are not automatically deleted after downgrade from PAN-OS 10.2.0 to PAN-OS 10.1 or earlier release.
Known
10.2.0
PAN-188052
Devices in FIPS-CC mode are unable to connect to servers utilizing ECDSA-based host keys that impacts exporting logs ( Device Scheduled Log Export ), exporting configurations ( Device Scheduled Config Export ), or the scp export command in the CLI.
Workaround: Use RSA-based host keys on the destination server.
Known
10.2.0
PAN-187846
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues .
On the Panorama management server, a selective push ( Commit Push to Devices Push Changes Made By and Commit Commit and Push Commit and Push Changes Made By ) may push an incorrect configuration to managed firewalls causing the firewalls to display as Out of Sync if the Panorama pushed version for the Shared Policy and Template configuration ( Panorama Managed Devices Summary ) are 20 version or more older than the current local running configuration on Panorama.
To determine the current configuration version, select Panorama Config Audit and expand the Local Running config menu to review the list of Panorama configuration versions.
Workaround : Push a more recent configuration to your managed firewalls before performing a selective push.
Known
10.2.0
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.2.0
PAN-187643
If you enable SCTP security using a Panorama template when SCTP INIT Flood Protection is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the SCTP INIT option is not available in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make the SCIT INIT option available on the web interface.
Known
10.2.0
PAN-187612
On the Panorama management server, not all data profiles ( Objects DLP Data Filtering Profiles ) are displayed after you:
  • Upgrade Panorama to PAN-OS 10.2 and upgrade the Enterprise DLP plugin to version 3.0.
  • Downgrade Panorama to PAN-OS 10.1 and downgrade the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP plugin.
admin > request plugins dlp reset
Known
10.2.0
PAN-187429
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues .
On PA-3400 & PA-5400 series firewalls (minus the PA-5450), the CLI and SNMP MIB walk do not display the Model and Serial-number of the Fan tray and PSUs.
Known
10.2.0
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
10.2.0
PAN-187370
On a firewall with Advanced Routing enabled, if there is also a logical router instance that uses the default configuration and has no interfaces assigned to it, this will result in terminating the management daemon and main routing daemon in the firewall during commit.
Workaround : Do not use a logical router instance with no interfaces bound to it.
Known
10.2.0
PAN-187234
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
Certain web pages submitted for analysis by Advanced URL Filtering cloud inline categorization might experience high latency.
Known
10.2.0
PAN-186913
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues .
On the Panorama management server, Validate Device Group ( Commit Commit and Push erroneously issues a CommitAll operation instead of a ValidateAll operation when multiple device groups are included in the push and results in no configuration validation.
Workaround: Validate device group configurations using one of the following methods.
  • Select only one device group when you Validate Device Group for a Commit and Push to managed firewalls.
  • To validate multiple device groups, select Commit Commit to Panorama first. After the device group configuration is committed to Panorama, select Commit Push to Devices and Validate Device Group to validate multiple device groups.
Known
10.2.0
PAN-186886
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues .
Individual configuration objects cannot be viewed when you commit selective configuration changes ( Commit Commit Changes Made By ) on a multi-vsys firewall.
Known
10.2.0
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround : Use Commit Push to Devices to synchronize the templates.
Known
10.2.0
PAN-186282
On HA deployments on AWS and Azure, Panorama fails to populate match criteria automatically when adding dynamic address groups.
Workaround: Reboot the Panorama HA pair.
Known
10.2.0
PAN-186262
The Panorama management server in Panorama or Log Collector mode may become unresponsive as Elasticsearch accumulates internal connections related to logging processes. The chances Panorama becomes unresponsive increases the longer Panorama remains powered on.
Workaround: Reboot Panorama if it becomes unresponsive.
Known
10.2.0
PAN-186137
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues .
The management interface of the PA-3400 Series firewall incorrectly displays 10G port speed as an option. 10G speed is not supported on the PA-3400 Series firewall management port and cannot be configured.
Known
10.2.0
PAN-186134
On the Panorama management server, performing a Commit and Push ( Commit > Commit and Push ) may intermittently not push the committed configuration changes to managed firewalls.
Workaround: Select Commit > Push to Devices to push the committed configuration changes to your managed firewalls.
Known
10.2.0
PAN-185966
The debug skip-cert-renewal-check-syslog yes command is not available on Log Collector CLI to stop the Dedicated Log Collector from trying to renew the device certificate and displaying the following error:
No valid device certificate found
Known
10.2.0
PAN-185286
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
( PA-5400 Series firewalls only ) On the Panorama management server, the device health resources ( Panorama Managed Devices Health ) do not populate.
Known
10.2.0
PAN-184708
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
Scheduled report emails ( Monitor PDF Reports Email Scheduler ) are not emailed if:
  • A scheduled report email contains a Report Group ( Monitor PDF Reports Report Group ) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround: To receive a scheduled report email for all other PDF report types:
  1. Select Monitor PDF Reports Report Groups and remove all SaaS Application Usage reports from all Report Groups.
  2. Select Monitor PDF Reports Email Scheduler and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select Disable and click OK .
    Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit .
    ( Panorama managed firewalls ) Select Commit Commit and Push
Known
10.2.0
PAN-184702
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
On the Panorama management server, an M-700 appliance in Log Collector mode fails to connect to Panorama when added as a managed collector ( Panorama > Managed Collectors ).
Workaround: Log in to the M-700 CLI and recover the Log Collector connectivity to Panorama .
Known
10.2.0
PAN-184474
When the firewall has Advanced Routing enabled, a static route stays active after the interface goes down.
Workaround : For firewalls that support Bidirectional Forwarding Detection (BFD), configure BFD for the static route.
Known
10.2.0
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
10.2.0
PAN-183567
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues .
On the Panorama management server, you must download and install the ZTP Plugin 2.0 after successful upgrade to PAN-OS 10.2. After upgrade to PAN-OS 10.2, the show plugins installed command does not display the ZTP plugin until you install ZTP Plugin 2.0.
Workaround: After Panorama successfully upgrades to PAN-OS 10.2, manually download and install the ZTP Plugin 2.0.
  1. Log in to the Panorama web interface .
  2. Select Panorama Plugins and search for the ztp plugin.
  3. Download and Install ZTP Plugin 2.0.
Known
10.2.0
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
10.2.0
PAN-182734
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues .
On an Advanced Routing Engine, if you change the IPSec tunnel configuration, BGP flaps.
Known
10.2.0
PAN-182492
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues .
The WildFire analysis report cannot be viewed from the firewall WildFire submission log entry page.
Workaround : You can retrieve the Wildfire analysis reports through the WildFire API or the WildFire portal.
Known
10.2.0
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
10.2.0
PAN-180661
On the Panorama management server, pushing an unsupported Minimum Password Complexity ( Device Setup Management ) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.2.0
PAN-180104
When upgrading a CN-Series as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT pod if the Kubernetes cluster previously had a CN-Series as a DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround : Reboot the worker nodes before upgrading to PAN-OS 10.2.
Known
10.2.0
PAN-179420
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues .
On the Panorama management server, a selective push ( Commit Push to Devices Push Changes Made By and Commit Commit and Push Commit and Push Changes Made By to managed firewalls fails if you rename an existing device group, template, or template stack that was already pushed to your managed firewalls and you selectively committed specific configuration objects from the renamed device group, template, or template stack.
Workaround: After you rename the existing device group, template, or template stack, Push ( Commit Push to Devices all configuration changes for the named device group, template, or template stack.
Known
10.2.0
PAN-178195
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues .
The URL filtering logs generated by traffic analyzed by Advanced URL filtering cloud inline categorization does not display the name of the URL.
Known
10.2.0
PAN-177455
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues .
PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.2.0
PAN-176693
This issue is now resolved. See PAN-OS 10.2.1 Addressed Issues .
The Activity (ACT) LEDs on the RJ-45 ports of the M-300 and M-700 appliances do not blink while processing network traffic.
Known
10.2.0
PAN-176156
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues
.
Executing show running resource-monitor with the ingress-backlogs option produces the following server error: Dataplane is not up or invalid target-dp(*.dp*) .
Known
10.2.0
PAN-175915
When the firewall is deployed on N3 and N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile Network Protection Profile, the traffic logs do not display network slice SST and SD values.
Known
10.2.0
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.2.0
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.2.0
PAN-172132
This issue is now resolved by PAN-189643. See PAN-OS 10.2.4 Addressed Issues .
QoS fails to run on a tunnel interface (for example, tunnel.1).
Known
10.2.0
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Known
10.2.0
PAN-171069
Local Log Collectors for Panorama management servers in active/passive high availability (HA) configuration cannot be added to the same Collector Group ( Panorama Collector Groups ).
Workaround: Before you upgrade your Panorama servers to PAN-OS 10.1.0, configure HA ( Panorama High Availability ), add the local Log Collectors of the HA peers to the same Collector Group, and upgrade to PAN 10.1.0.
Known
10.2.0
PAN-164885
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues .
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.2.0
PAN-163676
Next-Gen Firewalls are unable to connect to a syslog server when the certificates required to connect to the syslog server are part of a Certificate Profile ( Device Certificate Management Certificate Profile ) if the Use OCSP setting is enabled to check the revocation status of certificates.
Workaround: Enable Use CRL to check the revocation status of certificates in the Certificate Profile.
Addressed
10.2.0-h4
PAN-272809
A fix was made to address CVE-2024-0012 ( PAN-SA-2024-0015 ) and CVE-2024-9474 .
Addressed
10.2.0-h3
PAN-252214
A fix was made to address CVE-2024-3400 .
Addressed
10.2.0-h2
PAN-238792
Fixed the following device certificate issues:
  • The firewall was unable to automatically renew the device certificate-Fetching device certificates failed incorrectly with the error message OTP is not valid .
  • Firewalls disconnected from Strata Logging Service after renewing the device certificate.
  • The device certificate was not correctly generated on the log forwarding card (LFC).
  • WildFire cloud logs did not log thermite certificate usage status.
Addressed
10.2.0-h2
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.2.0-h2
PAN-237871
( WF-500 appliances and PAN-DB private cloud deployments only ) Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.0-h2
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.2.0-h2
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.2.0-h2
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.2.0-h2
PAN-202450
Fixed an issue where the device-client-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.0-h2
PAN-198372
Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.0-h1
PAN-190311
( PA-220 and PA-220R firewalls and PA-800 Series firewalls only ) Fixed an issue where management connectivity to the firewall was lost due to the expiration of the DHCP lease, which caused the IP configuration on the management port to be purged in PAN-OS 10.2.0. To upgrade, download PAN-OS 10.2.0 (no installation), then download and install PAN-OS 10.2.0-h1.
Addressed
10.2.0
PAN-231823
A fix was made to address CVE-2024-5916 .
Addressed
10.2.0
PAN-186143
Fixed an issue where no local changes could be made on a ZTP-enabled device after an upgrade to PAN-OS 10.1.x.
Addressed
10.2.0
PAN-182634
( PA-400 series firewalls only ) Fixed an issue where the firewall detected a Power Supply Unit (PSU) failure for the opposite side when disconnecting a PSU from the device. This issue occurred when redundant PSUs were connected.
Addressed
10.2.0
PAN-178165
Fixed an issue where the CLI command set system setting ctd ctd-agent-assigned-cores 0 to change assigned cores for the ctd-agent failed.
Addressed
10.2.0
PAN-175950
Fixed an issue where IoT Security (without Strata Logging Service ) onboarding failed.
Known
10.2.1
WF500-5781
The WildFire appliance might erroneously generate and log the following device certification error: Device certificate is missing or invalid. It cannot be renewed.
Known
10.2.1
WF500-5754
In WildFire appliance clusters, issuing the show cluster controller CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6).
Known
10.2.1
WF500-5632
The number of registered WildFire appliances reported in Panorama ( Panorama Managed WildFire Appliances Firewalls Connected View ) does not accurately reflect the current status of connected WildFire appliances.
Known
10.2.1
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.2.1
PAN-259769
GlobalProtect portal is not accessible via a web browser and the app displays the error ERR_EMPTY_RESPONSE .
Known
10.2.1
PAN-250062
Device telemetry might fail at configured intervals due to bundle generation issues.
Known
10.2.1
PAN-243951
On the Panorama management sever in an active/passive High Availability (HA) configuration, managed devices ( Panorama Managed Devices Summary ) display as out-of-sync on the passive HA peer when configuration changes are made to the SD-WAN ( Panorama SD-WAN ) configuration on the active HA peer.
Workaround: Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select Commit and Commit to Panorama the SD-WAN configuration changes on the active HA peer.
    On the passive HA peer, select Panorama Managed Devices Summary and observe that the managed devices are now out-of-sync .
  3. Log in to the primary HA peer Panorama CLI and trigger a manual synchronization between the active and secondary HA peers.
    request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface and select Commit Push to Devices and Push .
Known
10.2.1
PAN-234408
Enterprise DLP cannot detect and block non-file based traffic for ChatGPT from traffic forwarded to the DLP cloud service from an NGFW.
Known
10.2.1
PAN-228273
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status is red . This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.2.1
PAN-227344
On the Panorama management server, PDF Summary Reports ( Monitor PDF Reports Manage PDF Summary ) display no data and are blank when predefined reports are included in the summary report.
Known
10.2.1
PAN-225337
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
On the Panorama management server, the configuration push to a multi-vsys firewall fails if you:
  1. Create a Shared and vsys-specific device group configuration object with an indentical name. For example, a Shared address object called SharedAO1 and a vsys-specific address object also called SharedAO1 .
  2. Reference the Shared object in another Shared configuration. For example, reference the Shared address object ( SharedAO1 ) in a Shared address group called SharedAG1 .
  3. Use the Shared configuration object with the reference in a vsys-specific configuration. For example, reference the Shared address group ( SharedAG1 ) in a vsys-specific policy rule.
Workaround: Select Panorama Setup Management and edit the Panorama Settings to enable one of the following:
  • Shared Unused Address and Service Objects with Devices —This options pushes all Shared objects, along with device group specific objects, to managed firewalls.
    This is a global setting and applies to all managed firewalls, and may result in pushing too many configuration objects to your managed firewalls.
  • Objects defined in ancestors will take higher precedence —This option specifies that in the event of objects with the same name, ancestor object take precedence over descendent objects. In this case, the Shared objects take precedence over the vsys-specific object.
    This is a global setting and applies to all managed firewalls. In the example above, if the IP address for the Shared SharedAO1 object was 10.1.1.1 and the device group specific SharedAO1 was 10.2.2.2 , the 10.1.1.1 IP address takes precedence.
Alternatively, you can remove the duplicate address objects from the device group configuration to allow only the Shared objects in your configuration.
Known
10.2.1
PAN-223488
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
Closed ElasticSearch shards are not deleted from a Panorama M-Series or virtual appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.2.1
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.2.1
PAN-222586
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings ( Device Log Settings ) are not displayed and cannot be configured.
Known
10.2.1
PAN-222253
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
On the Panorama management server, policy rulebase reordering when you View Rulebase by Groups ( Policy <policy-rulebase> ) does not persist if you reorder the policy rulebase by dragging and dropping individual policy rules and then moving the entire tag group.
Known
10.2.1
PAN-221775
A Malformed Request error is displayed when you Test Connection for an email server profile ( Device Server Profiles Email ) using SMTP over TLS and the Password includes an ampersand (&).
Known
10.2.1
PAN-221015
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. The results in the Managed Collector ES health status ( Panorama Managed Collectors Health Status ) to be degraded.
Workaround: Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes. 
admin>debug elasticsearch es-restart optional all
Known
10.2.1
PAN-219644
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
Firewalls forwarding logs to a syslog server over TLS ( Objects Log Forwarding ) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
10.2.1
PAN-218521
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.2.1
PAN-217307
This issue is now resolved. See PAN-OS 10.2.11 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.2.1
PAN-215778
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues .
On the M-600 appliance in Management Only mode, XML API Get requests for /config fail with the following error due to exceeding the total configuration size supported on the M-600 appliance. 
504 Gateway timeout
Known
10.2.1
PAN-215082
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
M-300 and M-700 appliances may generate erroneous system logs ( Monitor Logs System ) to alert that the M-Series appliance memory usage limits are reached.
Known
10.2.1
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.2.1
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list ( Monitor Block IP ):
show -> dis-block-table is unexpected
Known
10.2.1
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor ( Monitor App Scope Threat Monitor ) and ACC . This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.2.1
PAN-212533
Modifying the Administrator Type for an existing administrator ( Device Administrators or Panorama Administrators ) from Superuser to a Role-Based custom admin, or vice versa, does not modify the access privileges of the administrator.
Known
10.2.1
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile ( Panorama Admin Roles ).
Known
10.2.1
PAN-209288
Certificates are not successfully generated using SCEP ( Device Certificate Management SCEP ).
Known
10.2.1
PAN-208325
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues .
The following NextGen firewalls and Panorama management server models are unable to automatically renew the device certificate ( Device Setup Management or Panorama Setup Management ).
  • M-300 and M-700
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-3400 Series
  • PA-5410, PA-5420, and PA-5430 Firewalls
  • PA-5450 Firewall
Workaround: Log in to the firewall CLI or Panorama CLI and fetch the device certificate. 
admin>request certificate fetch
Known
10.2.1
PAN-207629
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
On the Panorama management server, selective push fails to managed firewalls if the managed firewalls are enabled with multiple vsys and the Push Scope contains shared objects in device groups.
Known
10.2.1
PAN-206268
On the Panorama management server, the Auth Key field was erroneously displayed when you configure the Panorama Settings ( Device Setup Management ) as part of a template or template stack configuration.
Known
10.2.1
PAN-206253
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
For PA-3400 Series firewalls, the default log rate is set too low and the max configurable log rate is incorrectly capped resulting in the firewall not generating more than 6,826 logs per second.
Known
10.2.1
PAN-206243
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
The PA-220 firewall reaches the maximum disk usage capacity multiple a day that requires a disk cleanup. A critical system log ( Monitor Logs System ) is generated each time the firewall reaches maximum disk usage capacity.
Known
10.2.1
PAN-205187
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround: Log in to the Panorama CLI and start the PAN-OS software. 
admin>request restart software
Known
10.2.1
PAN-204663
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
On the Panorama management server, you are unable to Context Switch from one managed firewall to another.
Workaround: After you Context Switch to a managed firewall, you must first Context Switch back to Panorama before you can continue to Context Switch to a different managed firewall.
Known
10.2.1
PAN-201855
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues .
On the Panorama management server, cloning any template ( Panorama Templates ) corrupts certificates ( Device Certificate Management Certificates ) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have template A, B, and C where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with Block Private Key Export setting enabled in templates A and B.
Workaround: After cloning a template, delete and re-import the corrupted certificates.
Known
10.2.1
PAN-199557
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues .
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround: Manually reboot the Active Panorama HA peer.
Known
10.2.1
PAN-197097
Large Scale VPN (LSVPN) does not support IPv6 addresses on the satellite firewall.
Known
10.2.1
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.2.1
PAN-194826
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
( WF-500 appliance only ) System log forwarding does not work over a TLS connection.
Known
10.2.1
PAN-194708
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
URL filtering logs ( Monitor Logs URL Filtering ) erroneously truncate a 16KB Header value and do not display the Header values that follow the truncated 16KB header.
For example, a URL filtering log has 5 Headers. The second Header has a 16KB value. In the URL filtering log, the first header and the value are displayed, second Header value is truncated, and remaining three headers are not displayed.
Known
10.2.1
PAN-194519
( PA-5450 firewall only ) Trying to configure a custom payload format under Device Server Profiles HTTP yields a Javascript error.
Known
10.2.1
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.2.1
PAN-193251
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
If SAML is configured as the authentication method for GlobalProtect, authentication on the Portal page is not successful in the browser.
Workaround: Use the GlobalProtect app installed on the endpoint to authenticate.
Known
10.2.1
PAN-192403
( PA-5450 firewall only ) There is no commit warning in the web interface when configuring the management interface and logging interface in the same subnetwork. Having both interfaces in the same subnetwork can cause routing and connectivity issues.
Known
10.2.1
PAN-190735
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
Certain webpages that use chunked-encoded data transfers might not load properly when analyzed by Advanced URL Filtering cloud inline categorization.
Known
10.2.1
PAN-190727
( PA-5450 firewall only ) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.2.1
PAN-190435
When you Commit a configuration change, the Task Manager commit Status goes directly from 0% to Completed and does accurately reflect the commit job progress.
Known
10.2.1
PAN-189425
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
On the Panorama management server, Export Panorama and devices config bundle ( Panorama Setup Operations ) fails to export. When the export fails, you are redirected to a new window and the following error is displayed:
Failed to redirect error to /var/log/pan/appweb3-panmodule.log (Permission denied)
Known
10.2.1
PAN-189395
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues .
Running any version of PAN-OS 10.2.1 on a PA-400 Series firewall can cause the dataplane process to restart unexpectedly and trigger a crash.
Known
10.2.1
PAN-189380
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
After you successfully upgrade a PA-3000 Series firewall to PAN-OS 10.2.0 or later release and Enterprise data loss prevention (DLP) plugin 3.0.0 or later release, the first configuration push from the Panorama management server causes the firewall dataplane to crash.
Workaround: Restart the firewall to restore dataplane functionality.
  1. Log in to the firewall CLI .
  2. Restart the firewall. 
    admin> request restart system
Known
10.2.1
PAN-189111
After deleting an MP pod and it comes up, the show routing command output appears empty and traffic stops working.
Known
10.2.1
PAN-189076
On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain.
Known
10.2.1
PAN-189057
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues .
On the Panorama management server, Panorama enters a non-functional state due to php.debug.log life taking up too much space.
Workaround: Disable the debug flag for Panorama.
  1. Log in to the Panorama web interface .
  2. In the same browser you are logged into the Panorama web interface, enter the following URL.
    https://<panorama_ip>/debug
  3. Uncheck (disable) Debug or Clear Debug .
  4. ( HA configuration ) Repeat this step on each Panorama high availability (HA) peer if Panorama is in a HA configuration.
Known
10.2.1
PAN-188904
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
Certain web pages and web page contents might not properly load when cloud inline categorization is enabled on the firewall.
Known
10.2.1
PAN-188489
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
On the Panorama management server, dynamic content updates are not automatically pushed to VM-Series firewalls licensed using the Panorama Software Firewall License plugin when Automatically push content when software device registers to Panorama ( Panorama Templates Add Stack ) is enabled.
Known
10.2.1
PAN-188358
After triggering a soft reboot on a M-700 appliance, the Management port LEDs do not light up when a 10G Ethernet cable is plugged in.
Known
10.2.1
PAN-188064
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
The SCP Server Profile configuration ( Devices Server Profiles SCP are not automatically deleted after downgrade from PAN-OS 10.2.0 to PAN-OS 10.1 or earlier release.
Known
10.2.1
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.2.1
PAN-187643
If you enable SCTP security using a Panorama template when SCTP INIT Flood Protection is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the SCTP INIT option is not available in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make the SCIT INIT option available on the web interface.
Known
10.2.1
PAN-187612
On the Panorama management server, not all data profiles ( Objects DLP Data Filtering Profiles ) are displayed after you:
  • Upgrade Panorama to PAN-OS 10.2 and upgrade the Enterprise DLP plugin to version 3.0.
  • Downgrade Panorama to PAN-OS 10.1 and downgrade the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP plugin.
admin > request plugins dlp reset
Known
10.2.1
PAN-187429
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues .
On PA-3400 & PA-5400 series firewalls (minus the PA-5450), the CLI and SNMP MIB walk do not display the Model and Serial-number of the Fan tray and PSUs.
Known
10.2.1
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
10.2.1
PAN-187370
On a firewall with Advanced Routing enabled, if there is also a logical router instance that uses the default configuration and has no interfaces assigned to it, this will result in terminating the management daemon and main routing daemon in the firewall during commit.
Workaround : Do not use a logical router instance with no interfaces bound to it.
Known
10.2.1
PAN-187234
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
Certain web pages submitted for analysis by Advanced URL Filtering cloud inline categorization might experience high latency.
Known
10.2.1
PAN-186913
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues .
On the Panorama management server, Validate Device Group ( Commit Commit and Push erroneously issues a CommitAll operation instead of a ValidateAll operation when multiple device groups are included in the push and results in no configuration validation.
Workaround: Validate device group configurations using one of the following methods.
  • Select only one device group when you Validate Device Group for a Commit and Push to managed firewalls.
  • To validate multiple device groups, select Commit Commit to Panorama first. After the device group configuration is committed to Panorama, select Commit Push to Devices and Validate Device Group to validate multiple device groups.
Known
10.2.1
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround : Use Commit Push to Devices to synchronize the templates.
Known
10.2.1
PAN-186282
On HA deployments on AWS and Azure, Panorama fails to populate match criteria automatically when adding dynamic address groups.
Workaround: Reboot the Panorama HA pair.
Known
10.2.1
PAN-186262
The Panorama management server in Panorama or Log Collector mode may become unresponsive as Elasticsearch accumulates internal connections related to logging processes. The chances Panorama becomes unresponsive increases the longer Panorama remains powered on.
Workaround: Reboot Panorama if it becomes unresponsive.
Known
10.2.1
PAN-186134
On the Panorama management server, performing a Commit and Push ( Commit > Commit and Push ) may intermittently not push the committed configuration changes to managed firewalls.
Workaround: Select Commit > Push to Devices to push the committed configuration changes to your managed firewalls.
Known
10.2.1
PAN-185286
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
( PA-5400 Series firewalls only ) On the Panorama management server, the device health resources ( Panorama Managed Devices Health ) do not populate.
Known
10.2.1
PAN-184708
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
Scheduled report emails ( Monitor PDF Reports Email Scheduler ) are not emailed if:
  • A scheduled report email contains a Report Group ( Monitor PDF Reports Report Group ) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround: To receive a scheduled report email for all other PDF report types:
  1. Select Monitor PDF Reports Report Groups and remove all SaaS Application Usage reports from all Report Groups.
  2. Select Monitor PDF Reports Email Scheduler and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select Disable and click OK .
    Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit .
    ( Panorama managed firewalls ) Select Commit Commit and Push
Known
10.2.1
PAN-184702
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
On the Panorama management server, an M-700 appliance in Log Collector mode fails to connect to Panorama when added as a managed collector ( Panorama > Managed Collectors ).
Workaround: Log in to the M-700 CLI and recover the Log Collector connectivity to Panorama .
Known
10.2.1
PAN-184474
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues .
When the firewall has Advanced Routing enabled, a static route stays active after the interface goes down.
Workaround : For firewalls that support Bidirectional Forwarding Detection (BFD), configure BFD for the static route.
Known
10.2.1
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
10.2.1
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
10.2.1
PAN-182734
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues .
On an Advanced Routing Engine, if you change the IPSec tunnel configuration, BGP flaps.
Known
10.2.1
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
10.2.1
PAN-181823
On a PA-5400 Series firewall (minus the PA-5450), setting the peer port to forced 10M or 100M speed causes any multi-gigabit RJ-45 ports on the firewall to go down if they are set to Auto.
Known
10.2.1
PAN-180661
On the Panorama management server, pushing an unsupported Minimum Password Complexity ( Device Setup Management ) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.2.1
PAN-180104
When upgrading a CN-Series as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT pod if the Kubernetes cluster previously had a CN-Series as a DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround : Reboot the worker nodes before upgrading to PAN-OS 10.2.
Known
10.2.1
PAN-178194
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
A user interface issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.2.1
PAN-177455
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues .
PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.2.1
PAN-176156
This issue is now resolved. See PAN-OS 10.2.2 Addressed Issues
Executing show running resource-monitor with the ingress-backlogs option produces the following server error: Dataplane is not up or invalid target-dp(*.dp*) .
Known
10.2.1
PAN-175915
When the firewall is deployed on N3 and N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile Network Protection Profile, the traffic logs do not display network slice SST and SD values.
Known
10.2.1
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.2.1
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.2.1
PAN-172132
This issue is now resolved by PAN-189643. See PAN-OS 10.2.4 Addressed Issues .
QoS fails to run on a tunnel interface (for example, tunnel.1).
Known
10.2.1
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Known
10.2.1
PAN-164885
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues .
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
10.2.1-h3
PAN-272809
A fix was made to address CVE-2024-0012 ( PAN-SA-2024-0015 ) and CVE-2024-9474 .
Addressed
10.2.1-h2
PAN-252214
A fix was made to address CVE-2024-3400 .
Addressed
10.2.1-h1
PAN-239241
Extended the root certificate for WildFire appliances to December 31, 2032.
Addressed
10.2.1-h1
PAN-238792
Fixed the following device certificate issues:
  • The firewall was unable to automatically renew the device certificate-Fetching device certificates failed incorrectly with the error message OTP is not valid .
  • Firewalls disconnected from Strata Logging Service after renewing the device certificate.
  • The device certificate was not correctly generated on the log forwarding card (LFC).
  • WildFire cloud logs did not log thermite certificate usage status.
Addressed
10.2.1-h1
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.2.1-h1
PAN-237871
( WF-500 appliances and PAN-DB private cloud deployments only ) Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.1-h1
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.2.1-h1
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.2.1-h1
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.2.1-h1
PAN-202450
Fixed an issue where the device-client-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.1-h1
PAN-198372
Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.1
WIF-495
Fixed an issue on Panorama where edits made to an existing data filtering profile resulted in matching traffic not being detected by Enterprise DLP.
Addressed
10.2.1
PAN-231823
A fix was made to address CVE-2024-5916 .
Addressed
10.2.1
PAN-190311
( PA-220 and PA-220R firewalls and PA-800 Series firewalls only ) Fixed an issue where management connectivity to the firewall was lost due to the expiration of the DHCP lease, which caused the IP configuration on the management port to be purged in PAN-OS 10.2.0. To upgrade, download PAN-OS 10.2.0 (no installation), then download and install PAN-OS 10.2.0-h1.
Addressed
10.2.1
PAN-190175 and PAN-190223
A fix was made to address an OpenSSL infinite loop vulnerability in the PAN-OS software ( CVE-2022-0778 ).
Addressed
10.2.1
PAN-189665
( FIPS-CC enabled firewalls only ) Fixed an issue where the firewall was unable to connect to log collectors after an upgrade due to missing cipher suites.
Addressed
10.2.1
PAN-189565
Fixed an issue after upgrading to PAN-OS 10.2 where the tund process stopped responding on multiple GlobalProtect clients.
Addressed
10.2.1
PAN-189468
Fixed an issue where the firewall onboard packet processor used by the PAN-OS content-inspection (CTD) engine can generate high dataplane resource usage when overwhelmed by a session with an unusually high number of packets. This can result in resource-unavailable messages due to the content inspection queue filling up. Factors related to the likelihood of an occurrence include enablement of content-inspection based features that are configured in such a way that might process thousands of packets in rapid succession (such as SMB file transfers). This can cause poor performance for the affected session and other sessions using the same packet processor. PA-3000 series and VM-Series firewalls are not impacted.
Addressed
10.2.1
PAN-189361
Fixed an issue where Panorama was unable to distribute antivirus signature updates to firewalls with an Advanced Threat Prevention license only.
Addressed
10.2.1
PAN-189298
Fixed an issue where existing traffic sessions were not synced after restarting the active dataplane when it became passive.
Addressed
10.2.1
PAN-189230
( VM-Series firewalls only ) Fixed an issue that caused the pan_task process to stop responding with floating point exception (FPE) when there was a module of 0 on the queue number.
Addressed
10.2.1
PAN-189214
Fixed an issue that prevented antivirus signature update packages that are normally available to install from displaying properly on the firewall when the Advanced Threat Prevention license is present on a firewall without a Threat Prevention license.
Addressed
10.2.1
PAN-189206
Fixed an issue where Device Group and Template administrator roles didn't support a context switch between the Panorama and firewall web interfaces.
Addressed
10.2.1
PAN-189106
Fixed an issue on Panorama where you were unable to successfully downgrade to a PAN-OS 10.1 release unless you uninstalled the ZTP Plugin 2.0.
Addressed
10.2.1
PAN-189094
Fixed an issue where, after upgrading a CN-Series firewall from a PAN-OS 10.1 release to PAN-OS 10.2.0, show session commands did not return output.
Addressed
10.2.1
PAN-189032
Fixed an issue where, when Advanced Routing was enabled on the firewall, an OSPFv3 interface configured with the p2mp link type caused commits to fail.
Addressed
10.2.1
PAN-188956
Fixed an issue where, after a successful upgrade to PAN-OS 10.2, logging into the firewall or Panorama web interface from the same internet browser window or session from which the firewall or Panorama was upgraded did not work.
Addressed
10.2.1
PAN-188883
Fixed an issue where, when pre-generated license key files were manually uploaded via the web interface, they weren't properly recognized by PAN-OS and didn't display a serial number or initiate a reboot.
Addressed
10.2.1
PAN-188828
Fixed an intermittent issue where web pages and web page contents did not properly load when cloud inline categorization was enabled.
Addressed
10.2.1
PAN-188009
Fixed an issue where a firewall import to Panorama running a PAN-OS 10.1 release or a PAN-OS 10.2 release resulted in corrupted private information when the master key was not used.
Addressed
10.2.1
PAN-187846
Fixed an issue on Panorama where a selective push pushed an incorrect configuration to the managed firewalls, which caused the firewalls to display as out of sync. This issue occurred if the Panorama-pushed version for the Shared Policy and Template configuration were 20 or more versions older than the current local running configuration on Panorama.
Addressed
10.2.1
PAN-187769
( VM-Series firewalls in Microsoft Azure environments only ) Fixed a Data Plane Development Kit (DPDK) issue where interfaces remained in a link-down state after an Azure hot plug event. This issue occurred due to a hot plug of Accelerated Networking interfaces on the Azure backend caused by host updates, which led to Virtual Function unregister/Register messages on the VM side.
Addressed
10.2.1
PAN-186886
Fixed an issue where individual configuration objects were not viewable after committing selective configuration changes on a multi-vsys firewall.
Addressed
10.2.1
PAN-186785
Fixed an issue where, after logging in, Panorama displayed a 500 error page after five minutes of logging for dynamic group template admin types with access to approximately 115 managed devices or 120 dynamic groups.
Addressed
10.2.1
PAN-186516
Fixed an issue where log queries that included WildFire submission logs returned more slowly than expected.
Addressed
10.2.1
PAN-186487
Fixed an issue with snmpd.log overflow caused by continuous hourly repeating errors.
Addressed
10.2.1
PAN-186402
( PA-440 Series firewalls only ) Fixed an issue where the firewall's maximum tunnel limit was incorrect.
Addressed
10.2.1
PAN-186137
( PA-3400 Series firewalls only ) Fixed an issue where the firewall management interface incorrectly displayed 10G port speed as an option even though 10G speed is not supported and can't be configured.
Addressed
10.2.1
PAN-185616
Fixed an issue where the firewall sent fewer logs to the system log server than expected. With this fix, the firewall accommodates a larger send queue for syslog forwarding to TCP syslog receivers.
Addressed
10.2.1
PAN-185164
Fixed an issue where processing corrupted IoT messages caused the wificlient process to restart.
Addressed
10.2.1
PAN-184224
Fixed an issue on Panorama where you were unable to select a template variable in Templates > Device > Log Forwarding Card > Log Forwarding Card Interface > Network > IP address location .
Addressed
10.2.1
PAN-183826
Fixed an issue where, after clicking WildFire Analysis Report , the web interface failed to display the report with the following error message: refused to connect .
Addressed
10.2.1
PAN-183567
Fixed an issue on Panorama where ZTP Plugin 2.0 was not available for download before upgrading Panorama to PAN-OS 10.2.
Addressed
10.2.1
PAN-182492
Fixed an issue where the WildFire analysis report was not viewable from the firewall WildFire submission log entry page.
Addressed
10.2.1
PAN-181839
Fixed an issue where Panorama Global Search reported No Matches found while still returning results for matching entries on large configurations.
Addressed
10.2.1
PAN-181039
Fixed an issue with DNS cache depletion that caused continuous DNS retries.
Addressed
10.2.1
PAN-181031
Fixed an issue where the CN-NGFW (DP) folder on the CN-MGMT pod eventually consumed a large amount of space in the /var/log/pan because the old registered stale next-generation firewall logs were not being cleared.
Addressed
10.2.1
PAN-180338
Fixed an issue where the CTD loop count wasn't accurately incremented.
Addressed
10.2.1
PAN-180095
Fixed an issue where Panorama serial-number-based redistribution agents did not redistribute HIP reports.
Addressed
10.2.1
PAN-179966
Fixed an issue where, after upgrading to a PAN-OS 8.1 release, the port on the firewall stayed up, but the port on the connected device reported down. This occurred because, on force mode, autoneg was disabled by default. With this fix, autoneg is enabled by default on force mode.
Addressed
10.2.1
PAN-179420
Fixed an issue on Panorama where a selective push to managed firewalls failed after renaming an existing device group, template, or template stack that was already pushed to the managed firewalls and you selectively committed specific configuration objects from the renamed device group, template, or template stack.
Addressed
10.2.1
PAN-179321
A validation error was added to inform an administrator when a policy field contained the value any .
Addressed
10.2.1
PAN-178195
Fixed an issue where the URL filtering logs generated by traffic analyzed by Advanced URL filtering cloud inline categorization didn't display the URL name.
Addressed
10.2.1
PAN-177072
Fixed an intermittent issue where Panorama did not show new logs from firewalls.
Addressed
10.2.1
PAN-176889
Fixed an issue where the log collector continuously disconnected from Panorama due to high latency and a high number of packets in Send-Q.
Addressed
10.2.1
PAN-176693
( M-300 and M-700 appliances only ) Fixed an issue where the Activity (ACT) LEDs on the RJ-45 ports did not blink when processing network traffic.
Addressed
10.2.1
PAN-174607
Fixed an intermittent issue where, when Security profiles were attached to a policy, files that were downloaded across TLS sessions decrypted by the firewall were malformed.
Addressed
10.2.1
PAN-145833
( PA-3200 Series firewalls only ) Fixed an issue where the firewall stopped recording dataplane diagnostic data in dp-monitor.log after a few hours of uptime.
Known
10.2.2
WF500-5854
The WildFire analysis report on the firewall log viewer ( Monitoring WildFire Submissions ) does not display the following data fields: File Type, SHA-256, MD-5, and File Size".
Workaround : Download and open the WildFire analysis report in the PDF format using the link in the upper right-hand corner of the Detailed Log View .
Known
10.2.2
WF500-5843
In a WildFire appliance cluster, issuing the show cluster-all peers CLI command when a node within the cluster is being rebooted generates the following error: Server error : An error occured.
Known
10.2.2
WF500-5840
The sample analysis statistics that are returned when issuing the show wildfire local statistics CLI command in WildFire appliance cluster deployments may not accurately reflect the number of samples that have been processed.
Known
10.2.2
WF500-5823
The following WildFire appliance CLI command does not return a signature generation status as expected: show wildfire global signature-status . This does not corrupt or otherwise prevent the WildFire appliance from analyzing a sample.
Known
10.2.2
WF500-5781
The WildFire appliance might erroneously generate and log the following device certification error: Device certificate is missing or invalid. It cannot be renewed.
Known
10.2.2
WF500-5754
In WildFire appliance clusters, issuing the show cluster controller CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6).
Known
10.2.2
WF500-5632
The number of registered WildFire appliances reported in Panorama ( Panorama Managed WildFire Appliances Firewalls Connected View ) does not accurately reflect the current status of connected WildFire appliances.
Known
10.2.2
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.2.2
PAN-259769
GlobalProtect portal is not accessible via a web browser and the app displays the error ERR_EMPTY_RESPONSE .
Known
10.2.2
PAN-243951
On the Panorama management sever in an active/passive High Availability (HA) configuration, managed devices ( Panorama Managed Devices Summary ) display as out-of-sync on the passive HA peer when configuration changes are made to the SD-WAN ( Panorama SD-WAN ) configuration on the active HA peer.
Workaround: Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select Commit and Commit to Panorama the SD-WAN configuration changes on the active HA peer.
    On the passive HA peer, select Panorama Managed Devices Summary and observe that the managed devices are now out-of-sync .
  3. Log in to the primary HA peer Panorama CLI and trigger a manual synchronization between the active and secondary HA peers.
    request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface and select Commit Push to Devices and Push .
Known
10.2.2
PAN-234408
Enterprise DLP cannot detect and block non-file based traffic for ChatGPT from traffic forwarded to the DLP cloud service from an NGFW.
Known
10.2.2
PAN-228273
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status is red . This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.2.2
PAN-227344
On the Panorama management server, PDF Summary Reports ( Monitor PDF Reports Manage PDF Summary ) display no data and are blank when predefined reports are included in the summary report.
Known
10.2.2
PAN-225337
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
On the Panorama management server, the configuration push to a multi-vsys firewall fails if you:
  1. Create a Shared and vsys-specific device group configuration object with an indentical name. For example, a Shared address object called SharedAO1 and a vsys-specific address object also called SharedAO1 .
  2. Reference the Shared object in another Shared configuration. For example, reference the Shared address object ( SharedAO1 ) in a Shared address group called SharedAG1 .
  3. Use the Shared configuration object with the reference in a vsys-specific configuration. For example, reference the Shared address group ( SharedAG1 ) in a vsys-specific policy rule.
Workaround: Select Panorama Setup Management and edit the Panorama Settings to enable one of the following:
  • Shared Unused Address and Service Objects with Devices —This options pushes all Shared objects, along with device group specific objects, to managed firewalls.
    This is a global setting and applies to all managed firewalls, and may result in pushing too many configuration objects to your managed firewalls.
  • Objects defined in ancestors will take higher precedence —This option specifies that in the event of objects with the same name, ancestor object take precedence over descendent objects. In this case, the Shared objects take precedence over the vsys-specific object.
    This is a global setting and applies to all managed firewalls. In the example above, if the IP address for the Shared SharedAO1 object was 10.1.1.1 and the device group specific SharedAO1 was 10.2.2.2 , the 10.1.1.1 IP address takes precedence.
Alternatively, you can remove the duplicate address objects from the device group configuration to allow only the Shared objects in your configuration.
Known
10.2.2
PAN-223488
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
Closed ElasticSearch shards are not deleted from the Panorama M-Series and virtual appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.2.2
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.2.2
PAN-222586
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings ( Device Log Settings ) are not displayed and cannot be configured.
Known
10.2.2
PAN-222253
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
On the Panorama management server, policy rulebase reordering when you View Rulebase by Groups ( Policy <policy-rulebase> ) does not persist if you reorder the policy rulebase by dragging and dropping individual policy rules and then moving the entire tag group.
Known
10.2.2
PAN-221775
A Malformed Request error is displayed when you Test Connection for an email server profile ( Device Server Profiles Email ) using SMTP over TLS and the Password includes an ampersand (&).
Known
10.2.2
PAN-221015
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. The results in the Managed Collector ES health status ( Panorama Managed Collectors Health Status ) to be degraded.
Workaround: Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes. 
admin>debug elasticsearch es-restart optional all
Known
10.2.2
PAN-219644
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
Firewalls forwarding logs to a syslog server over TLS ( Objects Log Forwarding ) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
10.2.2
PAN-218521
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.2.2
PAN-217307
This issue is now resolved. See PAN-OS 10.2.11 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.2.2
PAN-215778
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues .
On the M-600 appliance in Management Only mode, XML API Get requests for /config fail with the following error due to exceeding the total configuration size supported on the M-600 appliance. 
504 Gateway timeout
Known
10.2.2
PAN-215082
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
M-300 and M-700 appliances may generate erroneous system logs ( Monitor Logs System ) to alert that the M-Series appliance memory usage limits are reached.
Known
10.2.2
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.2.2
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list ( Monitor Block IP ):
show -> dis-block-table is unexpected
Known
10.2.2
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor ( Monitor App Scope Threat Monitor ) and ACC . This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.2.2
PAN-212533
Modifying the Administrator Type for an existing administrator ( Device Administrators or Panorama Administrators ) from Superuser to a Role-Based custom admin, or vice versa, does not modify the access privileges of the administrator.
Known
10.2.2
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile ( Panorama Admin Roles ).
Known
10.2.2
PAN-210366
This issue is now resolved. See PAN-OS 10.2.4-h3 Addressed Issues .
On the Panorama management server in a high availability (HA) configuration, the primary HA peer may enter a primary-non-functional state and generate a system log ( Monitor Logs System ) with the following message:
High root partition usage: going to state Non-Functional
Known
10.2.2
PAN-209288
Certificates are not successfully generated using SCEP ( Device Certificate Management SCEP ).
Known
10.2.2
PAN-208325
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues .
The following NextGen firewalls and Panorama management server models are unable to automatically renew the device certificate ( Device Setup Management or Panorama Setup Management ).
  • M-300 and M-700
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-3400 Series
  • PA-5410, PA-5420, and PA-5430 Firewalls
  • PA-5450 Firewall
Workaround: Log in to the firewall CLI or Panorama CLI and fetch the device certificate. 
admin>request certificate fetch
Known
10.2.2
PAN-207629
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
On the Panorama management server, selective push fails to managed firewalls if the managed firewalls are enabled with multiple vsys and the Push Scope contains shared objects in device groups.
Known
10.2.2
PAN-206268
On the Panorama management server, the Auth Key field was erroneously displayed when you configure the Panorama Settings ( Device Setup Management ) as part of a template or template stack configuration.
Known
10.2.2
PAN-206253
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
For PA-3400 Series firewalls, the default log rate is set too low and the max configurable log rate is incorrectly capped resulting in the firewall not generating more than 6,826 logs per second.
Known
10.2.2
PAN-206243
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
The PA-220 firewall reaches the maximum disk usage capacity multiple a day that requires a disk cleanup. A critical system log ( Monitor Logs System ) is generated each time the firewall reaches maximum disk usage capacity.
Known
10.2.2
PAN-205187
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround: Log in to the Panorama CLI and start the PAN-OS software. 
admin>request restart software
Known
10.2.2
PAN-204663
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
On the Panorama management server, you are unable to Context Switch from one managed firewall to another.
Workaround: After you Context Switch to a managed firewall, you must first Context Switch back to Panorama before you can continue to Context Switch to a different managed firewall.
Known
10.2.2
PAN-201855
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues .
On the Panorama management server, cloning any template ( Panorama Templates ) corrupts certificates ( Device Certificate Management Certificates ) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have template A, B, and C where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with Block Private Key Export setting enabled in templates A and B.
Workaround: After cloning a template, delete and re-import the corrupted certificates.
Known
10.2.2
PAN-200019
PAN-OS 10.2.2-h1 and later releases .
On the Panorama management server, the Virtual Routers ( Network Virtual Routers ) setting is not available when configuring a custom Panorama admin role ( Panorama Admin Roles ).
Known
10.2.2
PAN-199557
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues .
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround: Manually reboot the Active Panorama HA peer.
Known
10.2.2
PAN-199099
When decryption is enabled, Safari and Google Chrome browsers on Mac computers running macOS Monterey or later reject the server certificates firewalls present. The browsers cannot validate the chain of trust for the certificates because the Authority Key Identifier (AKID) of the server certificates and the Subject Key Identifier (SKID) of the forward trust certificate do not match.
Workaround: Use a forward trust certificate that does not contain AKID or SKID extensions.
Known
10.2.2
PAN-198174
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
When viewing traffic or threat logs from the firewall ACC or Monitor, performing a reverse DNS lookup, for example, when resolving IP addresses to domain names using the Resolve Hostname feature, can cause the appliance to crash and restart if DNS server settings have not been configured.
Workaround: Provide a DNS server setting for the firewall ( Device DNS Setup Services ). If you cannot reference a valid DNS server, you can add a dummy address.
Known
10.2.2
PAN-197097
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
Large Scale VPN (LSVPN) does not support IPv6 addresses on the satellite firewall.
Known
10.2.2
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.2.2
PAN-196784
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
Palo Alto Networks® Next-Gen firewalls experience a logs per second (LPS) degradation after upgrade to PAN-OS 10.2.2.
Known
10.2.2
PAN-196504
License deactivation fails for VM-Series firewalls licensed using PA-VM Bundle 3 (BND3).
Known
10.2.2
PAN-196146
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
The VM-Series firewall on Azure does not boot up with a hostname (specified in an init-cgf.txt or user data) when bootstrapped.
Known
10.2.2
PAN-195541
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
When a DNS request is submitted to the DNS Security service for inspection, the dataplane pan-task process (all_pktproc) might fail during the DNS request process, or when the dataplane cache is reset, or if the cache output is generated through the CLI, resulting in firewall crashes or the inability/reduced capability to process network traffic.
The following CLI commands can trigger a crash of the all_pktproc process: 
  • debug dataplane reset dns-cache all
  • debug dataplane show dns-cache print
  • show dns-proxy dns-signature cache
  • clear dns-proxy dns-signature cache
Known
10.2.2
PAN-194996
When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, allocating bandwidth for a remote network deployment fails (the OK button is grayed out).
Workaround : Retry the operation.
Known
10.2.2
PAN-194925
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, when making changes in the Service Connection and Remote Networks area, the configuration changes do not display in the Push Scope during a commit.
Workaround : For service connection changes, make sure that Service Setup is selected in the Push Scope before you commit. For remote network changes, make sure that Remote Networks is selected in the Push Scope before you commit.
Known
10.2.2
PAN-194859
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, after migrating from a single tenant to a multi-tenant Prisma Access deployment and making configuration changes, the Cloud Services plugin shows No pending changes to commit when you hover over the Commit tab, even though there are pending changes to commit.
Workaround : The status shown when hovering over the Commit tab is a cosmetic issue. Commit the pending changes, if required.
Known
10.2.2
PAN-194826
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
( WF-500 and WF-500-B appliance only ) System log forwarding does not work over a TLS connection.
Known
10.2.2
PAN-194708
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
URL filtering logs ( Monitor Logs URL Filtering ) erroneously truncate a 16KB Header value and do not display the Header values that follow the truncated 16KB header.
For example, a URL filtering log has 5 Headers. The second Header has a 16KB value. In the URL filtering log, the first header and the value are displayed, second Header value is truncated, and remaining three headers are not displayed.
Known
10.2.2
PAN-194519
( PA-5450 firewall only ) Trying to configure a custom payload format under Device Server Profiles HTTP yields a Javascript error.
Known
10.2.2
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.2.2
PAN-194424
( PA-5450 firewall only ) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround: Restart the log receiver service by running the following CLI command: 
debug software restart process log-receiver
Known
10.2.2
PAN-194202
( PA-5450 firewall only ) If the management interface and logging interface are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.2.2
PAN-193251
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
If SAML is configured as the authentication method for GlobalProtect, authentication on the Portal page is not successful in the browser.
Workaround: Use the GlobalProtect app installed on the endpoint to authenticate.
Known
10.2.2
PAN-190735
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
Certain webpages that use chunked-encoded data transfers might not load properly when analyzed by Advanced URL Filtering cloud inline categorization.
Known
10.2.2
PAN-190727
( PA-5450 firewall only ) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.2.2
PAN-190435
When you Commit a configuration change, the Task Manager commit Status goes directly from 0% to Completed and does accurately reflect the commit job progress.
Known
10.2.2
PAN-189425
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
On the Panorama management server, Export Panorama and devices config bundle ( Panorama Setup Operations ) fails to export. When the export fails, you are redirected to a new window and the following error is displayed:
Failed to redirect error to /var/log/pan/appweb3-panmodule.log (Permission denied)
Known
10.2.2
PAN-189380
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
After you successfully upgrade a PA-3000 Series firewall to PAN-OS 10.2.0 or later release and Enterprise data loss prevention (DLP) plugin 3.0.0 or later release, the first configuration push from the Panorama management server causes the firewall dataplane to crash.
Workaround: Restart the firewall to restore dataplane functionality.
  1. Log in to the firewall CLI .
  2. Restart the firewall. 
    admin> request restart system
Known
10.2.2
PAN-189111
After deleting an MP pod and it comes up, the show routing command output appears empty and traffic stops working.
Known
10.2.2
PAN-189076
On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain.
Known
10.2.2
PAN-188904
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
Certain web pages and web page contents might not properly load when cloud inline categorization is enabled on the firewall.
Known
10.2.2
PAN-188489
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
On the Panorama management server, dynamic content updates are not automatically pushed to VM-Series firewalls licensed using the Panorama Software Firewall License plugin when Automatically push content when software device registers to Panorama ( Panorama Templates Add Stack ) is enabled.
Known
10.2.2
PAN-188358
After triggering a soft reboot on a M-700 appliance, the Management port LEDs do not light up when a 10G Ethernet cable is plugged in.
Known
10.2.2
PAN-188064
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
The SCP Server Profile configuration ( Devices Server Profiles SCP are not automatically deleted after downgrade from PAN-OS 10.2.0 to PAN-OS 10.1 or earlier release.
Known
10.2.2
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.2.2
PAN-187643
If you enable SCTP security using a Panorama template when SCTP INIT Flood Protection is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the SCTP INIT option is not available in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make the SCIT INIT option available on the web interface.
Known
10.2.2
PAN-187612
On the Panorama management server, not all data profiles ( Objects DLP Data Filtering Profiles ) are displayed after you:
  • Upgrade Panorama to PAN-OS 10.2 and upgrade the Enterprise DLP plugin to version 3.0.
  • Downgrade Panorama to PAN-OS 10.1 and downgrade the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP plugin.
admin > request plugins dlp reset
Known
10.2.2
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
10.2.2
PAN-187370
On a firewall with Advanced Routing enabled, if there is also a logical router instance that uses the default configuration and has no interfaces assigned to it, this will result in terminating the management daemon and main routing daemon in the firewall during commit.
Workaround : Do not use a logical router instance with no interfaces bound to it.
Known
10.2.2
PAN-187234
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
Certain web pages submitted for analysis by Advanced URL Filtering cloud inline categorization might experience high latency.
Known
10.2.2
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround : Use Commit Push to Devices to synchronize the templates.
Known
10.2.2
PAN-186282
On HA deployments on AWS and Azure, Panorama fails to populate match criteria automatically when adding dynamic address groups.
Workaround: Reboot the Panorama HA pair.
Known
10.2.2
PAN-186134
On the Panorama management server, performing a Commit and Push ( Commit > Commit and Push ) may intermittently not push the committed configuration changes to managed firewalls.
Workaround: Select Commit > Push to Devices to push the committed configuration changes to your managed firewalls.
Known
10.2.2
PAN-185286
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
( PA-5400 Series firewalls only ) On the Panorama management server, the device health resources ( Panorama Managed Devices Health ) do not populate.
Known
10.2.2
PAN-184708
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
Scheduled report emails ( Monitor PDF Reports Email Scheduler ) are not emailed if:
  • A scheduled report email contains a Report Group ( Monitor PDF Reports Report Group ) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround: To receive a scheduled report email for all other PDF report types:
  1. Select Monitor PDF Reports Report Groups and remove all SaaS Application Usage reports from all Report Groups.
  2. Select Monitor PDF Reports Email Scheduler and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select Disable and click OK .
    Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit .
    ( Panorama managed firewalls ) Select Commit Commit and Push
Known
10.2.2
PAN-184702
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
On the Panorama management server, an M-700 appliance in Log Collector mode fails to connect to Panorama when added as a managed collector ( Panorama > Managed Collectors ).
Workaround: Log in to the M-700 CLI and recover the Log Collector connectivity to Panorama .
Known
10.2.2
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
10.2.2
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
10.2.2
PAN-182734
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues .
On an Advanced Routing Engine, if you change the IPSec tunnel configuration, BGP flaps.
Known
10.2.2
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
10.2.2
PAN-181823
On a PA-5400 Series firewall (minus the PA-5450), setting the peer port to forced 10M or 100M speed causes any multi-gigabit RJ-45 ports on the firewall to go down if they are set to Auto.
Known
10.2.2
PAN-180661
On the Panorama management server, pushing an unsupported Minimum Password Complexity ( Device Setup Management ) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.2.2
PAN-180104
When upgrading a CN-Series as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT pod if the Kubernetes cluster previously had a CN-Series as a DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround : Reboot the worker nodes before upgrading to PAN-OS 10.2.
Known
10.2.2
PAN-178194
This issue is now resolved. See PAN-OS 10.2.3 Addressed Issues .
A user interface issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.2.2
PAN-177455
PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.2.2
PAN-175915
When the firewall is deployed on N3 and N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile Network Protection Profile, the traffic logs do not display network slice SST and SD values.
Known
10.2.2
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.2.2
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.2.2
PAN-172132
This issue is now resolved by PAN-189643. See PAN-OS 10.2.4 Addressed Issues .
QoS fails to run on a tunnel interface (for example, tunnel.1).
Known
10.2.2
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Known
10.2.2
PAN-164885
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues .
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
10.2.2-h6
PAN-272809
A fix was made to address CVE-2024-0012 ( PAN-SA-2024-0015 ) and CVE-2024-9474 .
Addressed
10.2.2-h5
PAN-252214
A fix was made to address CVE-2024-3400 .
Addressed
10.2.2-h4
PAN-238792
Fixed the following device certificate issues:
  • The firewall was unable to automatically renew the device certificate-Fetching device certificates failed incorrectly with the error message OTP is not valid .
  • Firewalls disconnected from Strata Logging Service after renewing the device certificate.
  • The device certificate was not correctly generated on the log forwarding card (LFC).
  • WildFire cloud logs did not log thermite certificate usage status.
Addressed
10.2.2-h4
PAN-237935
Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.
Addressed
10.2.2-h4
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.2.2-h4
PAN-237871
( WF-500 appliances and PAN-DB private cloud deployments only ) Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.2-h4
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.2.2-h4
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.2.2-h4
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.2.2-h4
PAN-202450
Fixed an issue where the device-client-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.2-h4
PAN-198372
Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.2-h2
PAN-192999
A fix was made to address CVE-2022-0028 .
Addressed
10.2.2-h1
PAN-195517
Fixed an issue where CommitAll operations from Panorama to Prisma Access device groups failed due to missing configuration files.
Addressed
10.2.2-h1
PAN-194107
Fixed an issue where the expiry date for the Advanced Threat Protection license was incorrect for BND3 payg VM-Series firewalls on Amazon Web Services (AWS), Oracle Cloud Infrastructure (OCI), Google Cloud Platform (GCP), and Microsoft Azure.
Addressed
10.2.2-h1
PAN-186075
( VM-Series firewalls only ) Fixed an issue where the firewall rebooted after receiving large packets while in DPDK mode on Azure virtual machines running CX4 (MLx5) drivers.
Addressed
10.2.2
PAN-231823
A fix was made to address CVE-2024-5916 .
Addressed
10.2.2
PAN-193579
Fixed an issue where new logs viewed from the CLI (show log <log_type>) and new syslogs forwarded to a syslog server contained additional, erroneous entries.
Addressed
10.2.2
PAN-192930
Fixed an issue where, when the default port was not TCP/443, implicitly used SSL applications were blocked by the Security policy as an SSL application and did not shift to the correct application.
Addressed
10.2.2
PAN-192880
Fixed an issue where, when the firewall was configured for jumbo frames, an internal interface was not set with the correct MTU, which caused byte frames larger than 1500 to be dropped when a DF bit was set.
Addressed
10.2.2
PAN-192725
Fixed an issue where the firewall failed to forward logs to Panorama when configured with IPv6 addressing only.
Addressed
10.2.2
PAN-192089
Fixed an issue on the web interface where the IPSec tunnel did not gray out after disabling it.
Addressed
10.2.2
PAN-191629
( PA-5450 firewalls only ) Fixed an issue where the hourly summary log was limited to 100,001 lines when summarized, which resulted in inconsistent report results when using summary logs.
Addressed
10.2.2
PAN-191513
Fixed an issue on multi-vsys firewalls where the DLP cloud service continued to exclude an application added to a shared application group ( Objects Application Filters ) from non-file traffic inspection. This issue occurred when the application was removed from the application group or filter that was added to the App Exclusion List ( Objects DLP Data Filtering Profiles ).
Addressed
10.2.2
PAN-191470
Fixed an issue on Panorama where encrypted passwords were sent to firewalls on PAN-OS 10.1 releases during a multi-device group push, which caused client-based External Dynamic Lists (EDL) to fail.
Addressed
10.2.2
PAN-191466
Fixed an issue where you were unable to use the web interface to override IPsec tunnels pushed from Panorama
Addressed
10.2.2
PAN-191288
Fixed an issue where the firewall restarted due to a dnsproxy process crash.
Addressed
10.2.2
PAN-190811
( PA-5450 firewalls only ) Fixed an issue where logs were forwarded through the management interface instead of the configured log interface to be used for forwarding.
Addressed
10.2.2
PAN-190675
Fixed an IoT cloud connectivity issue with the firewall dataplane when the Data Services service route was used and the egress interface had VLAN tagging.
Addressed
10.2.2
PAN-190492
Fixed an issue where the Panorama log collector group level SSH settings were not migrated to the new format when upgrading from a PAN-OS 9.1 release to a PAN-OS 10.0 release.
Addressed
10.2.2
PAN-189429
Fixed a memory leak that occurred when enabling XFF (x-forwarded-for) logging in a Security policy.
Addressed
10.2.2
PAN-189395
( PA-400 Series firewalls only ) Fixed an issue where running a PAN-OS 10.2 release caused dataplane processes to restart unexpectedly.
Addressed
10.2.2
PAN-189010
Fixed an issue on Panorama where a deadlock in the configd process caused both the web interface and the CLI to be inaccessible.
Addressed
10.2.2
PAN-188872
Fixed an OOM condition caused by a memory leak issue on the useridd process.
Addressed
10.2.2
PAN-188833
Fixed an issue where shared address objects used as a source or destination in policies were cloned but not freed back after configuration commits.
Addressed
10.2.2
PAN-188097
Fixed an issue where the firewall stopped allocating new sessions with increments in the counter session_alloc_failure. This was caused by GPRS tunneling protocol (GTP-U) tunnel session aging processing issue.
Addressed
10.2.2
PAN-187558
Fixed an issue where the following error message flooded the system log: Incremental update to DP failed .
Addressed
10.2.2
PAN-187429
( PA-3400 Series firewalls and PA-5410, PA-5420, and PA-5430 firewalls only ) Fixed an issue where the CLI and SNMP MIB walk did not display the model and serial number of the fan tray and PSUs.
Addressed
10.2.2
PAN-187151
Fixed an issue where tunnel-monitoring interface was incorrectly shown as up instead of down.
Addressed
10.2.2
PAN-186913
Fixed an issue on Panorama where Validate Device Group ( Commit Commit and Push ) incorrectly issued a commit all operation instead of a validate all operation. This issue occurred when multiple device groups were included in the push.
Addressed
10.2.2
PAN-186750
Fixed an issue where, after upgrading to a PAN-OS 10.1 release, SaaS reports generated on Panorama did not display Applications at a glance and most charts were missing data on the right side of the chart.
Addressed
10.2.2
PAN-185844
Fixed an issue where Decryption Log entries were associated with the wrong Security policy rule.
Addressed
10.2.2
PAN-185558
Fixed an issue where Panorama log migration failed when old logs migrated to a newer format. This was due to older indices failing to close.
Addressed
10.2.2
PAN-184474
Fixed an issue where, when the firewall had Advanced Routing enabled, a static route remained active after an interface went down.
Addressed
10.2.2
PAN-183579
Fixed an issue where SD-WAN path monitoring failed over the interface directly connected to the ISP due to an unsupported ICMP probe format.
Addressed
10.2.2
PAN-183319
Fixed an issue on Panorama where commits remained at 99% due to multiple firewalls sending out CSR singing requests every 10 minutes.
Addressed
10.2.2
PAN-182087
Fixed an issue where commit failures occurred due to validity checks performed against self-signing certificates not evaluating Authentication Key Identifier and Subject Key Identifier fields were present.
Addressed
10.2.2
PAN-180396
Fixed an issue where Panorama displayed an error when generating a ticket to disable GlobalProtect for Prisma Access.
Addressed
10.2.2
PAN-180147
Fixed an issue where the bcm.log and brdagent_stdout.log-<datestamp> files filled up the root disk space.
Addressed
10.2.2
PAN-178450
Fixed an issue where icons weren't displayed for clientless VPN applications.
Addressed
10.2.2
PAN-177671
Fixed an issue where, when SIP traffic traversing the firewall was sent with a high Quality of Service (QoS) differentiated service code (DSCP) value, the DSCP value was reset to the default setting (CS0) for the first data packet.
Addressed
10.2.2
PAN-177455
(PA-7000 Series firewalls with HA clustering enabled and using HA4 communication links only ) Fixed an issue where loading PAN-OS 10.2.0 on the firewall caused the PA-7000 100G NPC (Network Processing Card) to go offline. As a result, the firewall failed to boot normally and entered maintenance.
Addressed
10.2.2
PAN-176156
Fixed an issue where executing the show running resource-monitor with the ingress-backlogs option enabled displayed the error message `Dataplane is not up or invalid target-dp(*.dp*)`.
Addressed
10.2.2
PAN-174345
Fixed an issue where a process all_pktproc stopped responding after upgrading the firewall.
Known
10.2.3
WF500-5854
The WildFire analysis report on the firewall log viewer ( Monitoring WildFire Submissions ) does not display the following data fields: File Type, SHA-256, MD-5, and File Size".
Workaround : Download and open the WildFire analysis report in the PDF format using the link in the upper right-hand corner of the Detailed Log View .
Known
10.2.3
WF500-5843
In a WildFire appliance cluster, issuing the show cluster-all peers CLI command when a node within the cluster is being rebooted generates the following error: Server error : An error occured.
Known
10.2.3
WF500-5840
The sample analysis statistics that are returned when issuing the show wildfire local statistics CLI command in WildFire appliance cluster deployments may not accurately reflect the number of samples that have been processed.
Known
10.2.3
WF500-5823
The following WildFire appliance CLI command does not return a signature generation status as expected: show wildfire global signature-status . This does not corrupt or otherwise prevent the WildFire appliance from analyzing a sample.
Known
10.2.3
WF500-5781
The WildFire appliance might erroneously generate and log the following device certification error: Device certificate is missing or invalid. It cannot be renewed.
Known
10.2.3
WF500-5754
In WildFire appliance clusters, issuing the show cluster controller CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6).
Known
10.2.3
WF500-5632
The number of registered WildFire appliances reported in Panorama ( Panorama Managed WildFire Appliances Firewalls Connected View ) does not accurately reflect the current status of connected WildFire appliances.
Known
10.2.3
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.2.3
PAN-259769
GlobalProtect portal is not accessible via a web browser and the app displays the error ERR_EMPTY_RESPONSE .
Known
10.2.3
PAN-250062
Device telemetry might fail at configured intervals due to bundle generation issues.
Known
10.2.3
PAN-243951
On the Panorama management sever in an active/passive High Availability (HA) configuration, managed devices ( Panorama Managed Devices Summary ) display as out-of-sync on the passive HA peer when configuration changes are made to the SD-WAN ( Panorama SD-WAN ) configuration on the active HA peer.
Workaround: Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select Commit and Commit to Panorama the SD-WAN configuration changes on the active HA peer.
    On the passive HA peer, select Panorama Managed Devices Summary and observe that the managed devices are now out-of-sync .
  3. Log in to the primary HA peer Panorama CLI and trigger a manual synchronization between the active and secondary HA peers.
    request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface and select Commit Push to Devices and Push .
Known
10.2.3
PAN-234408
Enterprise DLP cannot detect and block non-file based traffic for ChatGPT from traffic forwarded to the DLP cloud service from an NGFW.
Known
10.2.3
PAN-228273
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status is red . This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.2.3
PAN-227344
On the Panorama management server, PDF Summary Reports ( Monitor PDF Reports Manage PDF Summary ) display no data and are blank when predefined reports are included in the summary report.
Known
10.2.3
PAN-225337
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
On the Panorama management server, the configuration push to a multi-vsys firewall fails if you:
  1. Create a Shared and vsys-specific device group configuration object with an indentical name. For example, a Shared address object called SharedAO1 and a vsys-specific address object also called SharedAO1 .
  2. Reference the Shared object in another Shared configuration. For example, reference the Shared address object ( SharedAO1 ) in a Shared address group called SharedAG1 .
  3. Use the Shared configuration object with the reference in a vsys-specific configuration. For example, reference the Shared address group ( SharedAG1 ) in a vsys-specific policy rule.
Workaround: Select Panorama Setup Management and edit the Panorama Settings to enable one of the following:
  • Shared Unused Address and Service Objects with Devices —This options pushes all Shared objects, along with device group specific objects, to managed firewalls.
    This is a global setting and applies to all managed firewalls, and may result in pushing too many configuration objects to your managed firewalls.
  • Objects defined in ancestors will take higher precedence —This option specifies that in the event of objects with the same name, ancestor object take precedence over descendent objects. In this case, the Shared objects take precedence over the vsys-specific object.
    This is a global setting and applies to all managed firewalls. In the example above, if the IP address for the Shared SharedAO1 object was 10.1.1.1 and the device group specific SharedAO1 was 10.2.2.2 , the 10.1.1.1 IP address takes precedence.
Alternatively, you can remove the duplicate address objects from the device group configuration to allow only the Shared objects in your configuration.
Known
10.2.3
PAN-223488
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
Closed ElasticSearch shards are not deleted from the Panorama M-Series and virtual appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.2.3
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.2.3
PAN-222586
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings ( Device Log Settings ) are not displayed and cannot be configured.
Known
10.2.3
PAN-222253
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
On the Panorama management server, policy rulebase reordering when you View Rulebase by Groups ( Policy <policy-rulebase> ) does not persist if you reorder the policy rulebase by dragging and dropping individual policy rules and then moving the entire tag group.
Known
10.2.3
PAN-221775
A Malformed Request error is displayed when you Test Connection for an email server profile ( Device Server Profiles Email ) using SMTP over TLS and the Password includes an ampersand (&).
Known
10.2.3
PAN-221015
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. The results in the Managed Collector ES health status ( Panorama Managed Collectors Health Status ) to be degraded.
Workaround: Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes. 
admin>debug elasticsearch es-restart optional all
Known
10.2.3
PAN-219644
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
Firewalls forwarding logs to a syslog server over TLS ( Objects Log Forwarding ) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
10.2.3
PAN-218521
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.2.3
PAN-217307
This issue is now resolved. See PAN-OS 10.2.11 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.2.3
PAN-215778
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues .
On the M-600 appliance in Management Only mode, XML API Get requests for /config fail with the following error due to exceeding the total configuration size supported on the M-600 appliance. 
504 Gateway timeout
Known
10.2.3
PAN-215082
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
M-300 and M-700 appliances may generate erroneous system logs ( Monitor Logs System ) to alert that the M-Series appliance memory usage limits are reached.
Known
10.2.3
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.2.3
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list ( Monitor Block IP ):
show -> dis-block-table is unexpected
Known
10.2.3
PAN-212978
This issue is now resolved. See PAN-OS 10.2.4-h3 Addressed Issues .
The Palo Alto Networks firewall stops responding when executing an SD-WAN debug operational CLI command.
Known
10.2.3
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor ( Monitor App Scope Threat Monitor ) and ACC . This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.2.3
PAN-212533
Modifying the Administrator Type for an existing administrator ( Device Administrators or Panorama Administrators ) from Superuser to a Role-Based custom admin, or vice versa, does not modify the access privileges of the administrator.
Known
10.2.3
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile ( Panorama Admin Roles ).
Known
10.2.3
PAN-210366
This issue is now resolved. See PAN-OS 10.2.4-h3 Addressed Issues .
On the Panorama management server in a high availability (HA) configuration, the primary HA peer may enter a primary-non-functional state and generate a system log ( Monitor Logs System ) with the following message:
High root partition usage: going to state Non-Functional
Known
10.2.3
PAN-209288
Certificates are not successfully generated using SCEP ( Device Certificate Management SCEP ).
Known
10.2.3
PAN-208622
A file upload to Box.com exceeding 6 files gets stuck and fails to upload if you specify an Enterprise DLP data filtering profile ( Objects DLP Data Filtering Profiles with the Action set to Block to a Security policy rule ( Policies Security ).
Known
10.2.3
PAN-208325
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues .
The following NextGen firewalls and Panorama management server models are unable to automatically renew the device certificate ( Device Setup Management or Panorama Setup Management ).
  • M-300 and M-700
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-3400 Series
  • PA-5410, PA-5420, and PA-5430 Firewalls
  • PA-5450 Firewall
Workaround: Log in to the firewall CLI or Panorama CLI and fetch the device certificate. 
admin>request certificate fetch
Known
10.2.3
PAN-208189
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
Traffic fails to match and reach all destinations if a Security policy rule includes FQDN objects that resolve to two or more IP addresses.
Known
10.2.3
PAN-207629
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
On the Panorama management server, selective push fails to managed firewalls if the managed firewalls are enabled with multiple vsys and the Push Scope contains shared objects in device groups.
Known
10.2.3
PAN-206253
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
For PA-3400 Series firewalls, the default log rate is set too low and the max configurable log rate is incorrectly capped resulting in the firewall not generating more than 6,826 logs per second.
Known
10.2.3
PAN-206243
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
The PA-220 firewall reaches the maximum disk usage capacity multiple a day that requires a disk cleanup. A critical system log ( Monitor Logs System ) is generated each time the firewall reaches maximum disk usage capacity.
Known
10.2.3
PAN-206005
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
( PA-3400 Series firewalls only ) The I7_misc memory pool on this platform is undersized and can cause a loss of connectivity when reaching the limit of the memory pool. Certain features, like using a decryption profile with Strip ALPN disabled, can lead to depleting the memory pool and causing a connection loss.
Workaround: Disable HTTP2 by enabling Strip ALPN in the decryption profile or avoid usage of the I7_misc memory pool.
Known
10.2.3
PAN-205187
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
ElasticSearch may not start properly when a newly installed Panorama virtual appliance powers on for the first time, resulting in the Panorama virtual appliance being unable to query logs forwarded from the managed firewall to a Log Collector.
Workaround: Log in to the Panorama CLI and start the PAN-OS software. 
admin>request restart software
Known
10.2.3
PAN-204663
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
On the Panorama management server, you are unable to Context Switch from one managed firewall to another.
Workaround: After you Context Switch to a managed firewall, you must first Context Switch back to Panorama before you can continue to Context Switch to a different managed firewall.
Known
10.2.3
PAN-201855
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues .
On the Panorama management server, cloning any template ( Panorama Templates ) corrupts certificates ( Device Certificate Management Certificates ) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have template A, B, and C where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with Block Private Key Export setting enabled in templates A and B.
Workaround: After cloning a template, delete and re-import the corrupted certificates.
Known
10.2.3
PAN-199557
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues .
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround: Manually reboot the Active Panorama HA peer.
Known
10.2.3
PAN-198708
On the Panorama management server, the File Type field does not display any data when you view the Detailed Log View in the Data Filtering log ( Monitor Logs Data Filtering <select log> DLP ).
Known
10.2.3
PAN-198174
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
When viewing traffic or threat logs from the firewall ACC or Monitor, performing a reverse DNS lookup, for example, when resolving IP addresses to domain names using the Resolve Hostname feature, can cause the appliance to crash and restart if DNS server settings have not been configured.
Workaround: Provide a DNS server setting for the firewall ( Device DNS Setup Services ). If you cannot reference a valid DNS server, you can add a dummy address.
Known
10.2.3
PAN-197097
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
Large Scale VPN (LSVPN) does not support IPv6 addresses on the satellite firewall.
Known
10.2.3
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.2.3
PAN-196504
License deactivation fails for VM-Series firewalls licensed using PA-VM Bundle 3 (BND3).
Known
10.2.3
PAN-196146
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
The VM-Series firewall on Azure does not boot up with a hostname (specified in an init-cgf.txt or user data) when bootstrapped.
Known
10.2.3
PAN-195541
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
When a DNS request is submitted to the DNS Security service for inspection, the dataplane pan-task process (all_pktproc) might fail during the DNS request process, or when the dataplane cache is reset, or if the cache output is generated through the CLI, resulting in firewall crashes or the inability/reduced capability to process network traffic.
The following CLI commands can trigger a crash of the all_pktproc process: 
  • debug dataplane reset dns-cache all
  • debug dataplane show dns-cache print
  • show dns-proxy dns-signature cache
  • clear dns-proxy dns-signature cache
Known
10.2.3
PAN-194996
When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, allocating bandwidth for a remote network deployment fails (the OK button is grayed out).
Workaround : Retry the operation.
Known
10.2.3
PAN-194519
( PA-5450 firewall only ) Trying to configure a custom payload format under Device Server Profiles HTTP yields a Javascript error.
Known
10.2.3
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.2.3
PAN-194424
( PA-5450 firewall only ) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround: Restart the log receiver service by running the following CLI command: 
debug software restart process log-receiver
Known
10.2.3
PAN-194202
( PA-5450 firewall only ) If the management interface and logging interface are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.2.3
PAN-190727
( PA-5450 firewall only ) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.2.3
PAN-190435
When you Commit a configuration change, the Task Manager commit Status goes directly from 0% to Completed and does accurately reflect the commit job progress.
Known
10.2.3
PAN-189425
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
On the Panorama management server, Export Panorama and devices config bundle ( Panorama Setup Operations ) fails to export. When the export fails, you are redirected to a new window and the following error is displayed:
Failed to redirect error to /var/log/pan/appweb3-panmodule.log (Permission denied)
Known
10.2.3
PAN-189111
After deleting an MP pod and it comes up, the show routing command output appears empty and traffic stops working.
Known
10.2.3
PAN-189076
On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain.
Known
10.2.3
PAN-188904
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
Certain web pages and web page contents might not properly load when cloud inline categorization is enabled on the firewall.
Known
10.2.3
PAN-188358
After triggering a soft reboot on a M-700 appliance, the Management port LEDs do not light up when a 10G Ethernet cable is plugged in.
Known
10.2.3
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.2.3
PAN-187643
If you enable SCTP security using a Panorama template when SCTP INIT Flood Protection is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the SCTP INIT option is not available in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make the SCIT INIT option available on the web interface.
Known
10.2.3
PAN-187612
On the Panorama management server, not all data profiles ( Objects DLP Data Filtering Profiles ) are displayed after you:
  • Upgrade Panorama to PAN-OS 10.2 and upgrade the Enterprise DLP plugin to version 3.0.
  • Downgrade Panorama to PAN-OS 10.1 and downgrade the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP plugin.
admin > request plugins dlp reset
Known
10.2.3
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
10.2.3
PAN-187370
On a firewall with Advanced Routing enabled, if there is also a logical router instance that uses the default configuration and has no interfaces assigned to it, this will result in terminating the management daemon and main routing daemon in the firewall during commit.
Workaround : Do not use a logical router instance with no interfaces bound to it.
Known
10.2.3
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround : Use Commit Push to Devices to synchronize the templates.
Known
10.2.3
PAN-186282
On HA deployments on AWS and Azure, Panorama fails to populate match criteria automatically when adding dynamic address groups.
Workaround: Reboot the Panorama HA pair.
Known
10.2.3
PAN-186134
On the Panorama management server, performing a Commit and Push ( Commit > Commit and Push ) may intermittently not push the committed configuration changes to managed firewalls.
Workaround: Select Commit > Push to Devices to push the committed configuration changes to your managed firewalls.
Known
10.2.3
PAN-185286
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
( PA-5400 Series firewalls only ) On the Panorama management server, the device health resources ( Panorama Managed Devices Health ) do not populate.
Known
10.2.3
PAN-184708
This issue is now resolved. See PAN-OS 10.2.4 Addressed Issues .
Scheduled report emails ( Monitor PDF Reports Email Scheduler ) are not emailed if:
  • A scheduled report email contains a Report Group ( Monitor PDF Reports Report Group ) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround: To receive a scheduled report email for all other PDF report types:
  1. Select Monitor PDF Reports Report Groups and remove all SaaS Application Usage reports from all Report Groups.
  2. Select Monitor PDF Reports Email Scheduler and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select Disable and click OK .
    Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit .
    ( Panorama managed firewalls ) Select Commit Commit and Push
Known
10.2.3
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
10.2.3
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
10.2.3
PAN-182734
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues .
On an Advanced Routing Engine, if you change the IPSec tunnel configuration, BGP flaps.
Known
10.2.3
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
10.2.3
PAN-181823
On a PA-5400 Series firewall (minus the PA-5450), setting the peer port to forced 10M or 100M speed causes any multi-gigabit RJ-45 ports on the firewall to go down if they are set to Auto.
Known
10.2.3
PAN-180661
On the Panorama management server, pushing an unsupported Minimum Password Complexity ( Device Setup Management ) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.2.3
PAN-180104
When upgrading a CN-Series as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT pod if the Kubernetes cluster previously had a CN-Series as a DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround : Reboot the worker nodes before upgrading to PAN-OS 10.2.
Known
10.2.3
PAN-177455
PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.2.3
PAN-175915
When the firewall is deployed on N3 and N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile Network Protection Profile, the traffic logs do not display network slice SST and SD values.
Known
10.2.3
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.2.3
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.2.3
PAN-172132
This issue is now resolved by PAN-189643. See PAN-OS 10.2.4 Addressed Issues .
QoS fails to run on a tunnel interface (for example, tunnel.1).
Known
10.2.3
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Known
10.2.3
PAN-164885
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues .
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
10.2.3-h14
PAN-272809
A fix was made to address CVE-2024-0012 ( PAN-SA-2024-0015 ) and CVE-2024-9474 .
Addressed
10.2.3-h13
PAN-252214
A fix was made to address CVE-2024-3400 .
Addressed
10.2.3-h12
PAN-238792
Fixed the following device certificate issues:
  • The firewall was unable to automatically renew the device certificate-Fetching device certificates failed incorrectly with the error message OTP is not valid .
  • Firewalls disconnected from Strata Logging Service after renewing the device certificate.
  • The device certificate was not correctly generated on the log forwarding card (LFC).
  • WildFire cloud logs did not log thermite certificate usage status.
Addressed
10.2.3-h12
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.2.3-h12
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.2.3-h12
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.2.3-h12
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.2.3-h11
PAN-238792
Fixed the following device certificate issues:
  • The firewall was unable to automatically renew the device certificate-Fetching device certificates failed incorrectly with the error message OTP is not valid .
  • Firewalls disconnected from Strata Logging Service after renewing the device certificate.
  • The device certificate was not correctly generated on the log forwarding card (LFC).
  • WildFire cloud logs did not log thermite certificate usage status.
Addressed
10.2.3-h11
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.2.3-h11
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.2.3-h11
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.2.3-h11
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.2.3-h9
PAN-202450
Fixed an issue where the device-client-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.3-h9
PAN-198372
Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.3-h4
PAN-210513
Fixed an issue where Captive Portal authentication via SAML did not work.
Addressed
10.2.3-h4
PAN-208737
Fixed an issue where domain information wasn't populated in IP address-to-username matching after a successful GlobalProtect authentication using an authentication override cookie.
Addressed
10.2.3-h4
PAN-208079
( VM-Series firewalls on Microsoft Azure environments only ) Fixed an issue where the PAN-DB engine did not start when using a VM-Series firewall Flex based CPU.
Addressed
10.2.3-h4
PAN-207562
Fixed an issue where the shard count displayed by the show log-collector-es-cluster health CLI command was higher than the recommended limit. The recommended limit can be calculated with the formula 20*heap-memory*no-of-data-nodes.
Addressed
10.2.3-h4
PAN-206963
( M-700 Appliances only ) A CLI command was added to check the status of each physical port of a bond1 interface.
Addressed
10.2.3-h4
PAN-206921
Fixed an issue where the GlobalProtect client pre-login was successful, but the certificate authentication failed.
Addressed
10.2.3-h4
PAN-206466
Fixed an issue where the push scope was displaying duplicate shared objects for each device group that were listed under the shared-object group.
Addressed
10.2.3-h4
PAN-206069
Fixed an issue where the firewall was unable to boot up on older Intel CPUs.
Addressed
10.2.3-h4
PAN-205698
Fixed an issue where GlobalProtect authentication did not work on Apple MacOS devices when the authentication method used was CIE with SAML Authentication.
Addressed
10.2.3-h4
PAN-204892
Fixed an issue on Panorama where the web interface was not accessible and displayed the error 504 Gateway Not Reachable due to the mgmtsrvr process not responding.
Addressed
10.2.3-h4
PAN-204838
Fixed an issue where the dot1q VLAN tag in ARP reply packets were not displayed.
Addressed
10.2.3-h4
PAN-204572
Fixed an issue where python scripts were not working as expected.
Addressed
10.2.3-h4
PAN-197339
Fixed an issue where template configuration for the User-ID agent was not reflected on the template stack on Panorama appliances on PAN-OS 10.2.1.
Addressed
10.2.3-h4
PAN-196954
Fixed a memory leak issue related to the distributord process.
Addressed
10.2.3-h4
PAN-195149
Fixed an issue where firewall administrators were unable to log in to the web interface when RADIUS two-factor authentication was used.
Addressed
10.2.3-h4
PAN-186270
Fixed an issue where, when high availability (HA) was enabled and a dynamic update schedule was configured, the configd process unexpectedly stopped responding during configuration commits.
Addressed
10.2.3-h2
PAN-205830
Fixed an issue with multi-vsys firewalls where custom applications and shared objects pushed from Panorama did not populate in their respective lists on the firewall.
Addressed
10.2.3-h2
PAN-205805
Fixed an issue where Generic routing encapsulation (GRE) traffic was only allowed in one direction when tunnel content inspection (TCI) was enabled.
Addressed
10.2.3-h2
PAN-205231
Fixed an issue where a commit operation remained at 55% for longer than expected if more than 7,500 Security policy rules were configured.
Addressed
10.2.3-h2
PAN-202795
Fixed an issue where file identification failed for files with minimal data with large headers.
Addressed
10.2.3-h2
PAN-202535
Fixed an issue where the Device Telemetry configuration for a region was unable to be set or edited via the web interface.
Addressed
10.2.3-h2
PAN-201872
Fixed an issue where SMB performance caused overall network latency after an upgrade.
Addressed
10.2.3-h2
PAN-201714
Fixed an issue with GlobalProtect where attempting to authenticate with the GlobalProtect gateway returned a 502 error code.
Addressed
10.2.3-h2
PAN-201357
The CLI command debug dataplane set pow no-desched yes was added to address an issue where the all_pktproc process stopped responding and caused traffic issues.
Addressed
10.2.3-h2
PAN-200946
Fixed an issue with firewalls in active/passive HA configurations where GRE tunnels went down due to recursive routing when the passive firewall was booting up. When the passive firewall became active and no recursive routing was configured, the GRE tunnel remained down.
Addressed
10.2.3-h2
PAN-198718
( PA-5280 firewalls only ) Fixed an issue where memory allocation failures caused increased decryption failures.
Addressed
10.2.3-h2
PAN-196583
Fixed an issue where the Cisco TrustSEc plugin triggered a flood of redundant register/unregister messages due to a failed IP address tag database search.
Addressed
10.2.3-h2
PAN-195756
Fixed an issue that caused an API request timeout when parsing requests using large header buffers.
Addressed
10.2.3-h2
PAN-195713
Fixed an issue where clientless VPN applications were not displayed in the GlobalProtect portal page.
Addressed
10.2.3-h2
PAN-182732
Fixed an issue where the GlobalProtect gateway inactivity timer wasn't refreshed even though traffic was passing through the tunnel.
Addressed
10.2.3
PAN-231823
A fix was made to address CVE-2024-5916 .
Addressed
10.2.3
PAN-209275
Fixed an issue where Override cookie authentication into the GlobalProtect gateway failed when an allow list was configured under the authentication profile.
Addressed
10.2.3
PAN-201627
Fixed an issue in next-generation firewall deployments where, when SD-WAN was configured, the dataplane restarted if all SD-WAN member links were down due to an out-of-memory (OOM) condition or during a reboot when all SD-WAN tunnels were down.
Addressed
10.2.3
PAN-200771
Fixed an issue where syslog-ng was unable to start due to a design change in the syslog configuration file.
Addressed
10.2.3
PAN-199654
Fixed an issue where ACC reports did not work for custom RBAC users when more than 12 access domains were associated with the username.
Addressed
10.2.3
PAN-199311
Fixed an issue where the Log Forwarding Card (LFC) failed to forward logs to the syslog server.
Addressed
10.2.3
PAN-199099
Fixed an issue where, when decryption was enabled, Safari and Google Chrome browsers on Apple Mac computers rejected the server certificate created by the firewall because the Authority Key Identifier was copied from the original server certificate and did not match the Subject Key Identifier on the forward trust certificate.
Addressed
10.2.3
PAN-198733
( PA-5450 firewalls only ) Fixed an issue where dmin tcpdump was hardcoded to eth0 instead of bond0.
Addressed
10.2.3
PAN-198332
( PA-5400 Series only ) Fixed an issue where swapping Network Processing Cards (NPCs) caused high root partition use.
Addressed
10.2.3
PAN-198266
Fixed an issue where, when predicts for UDP packets were created, a configuration change occurred that triggered a new policy lookup, which caused the dataplane stopped responding when converting the predict. This resulted in a dataplane restart.
Addressed
10.2.3
PAN-198244
Fixed an issue where using the load config partial CLI command to x-paths removed address object entries from address groups.
Addressed
10.2.3
PAN-197576
Fixed an issue where commits pushed from Panorama caused a memory leak related to the mgmtsrvr process.
Addressed
10.2.3
PAN-197484
( PA-5400 Series firewalls ) Fixed an issue where the firewall forwarded packets to the incorrect aggregate ethernet interface when Policy Based Forwarding (PBF) was used.
Addressed
10.2.3
PAN-197383
Fixed an issue where, after upgrading to PAN-OS 10.2 release, the firewall ran a RAID rebuild for the log disk after ever every reboot.
Addressed
10.2.3
PAN-197244
Fixed an issue on firewalls with Forward Proxy enabled where the all_pktproc process stopped responding due to missed heartbeats.
Addressed
10.2.3
PAN-196993
Fixed an issue where an incorrect regex key was generated to invalidate the completions cache, which caused the configd process to stop responding.
Addressed
10.2.3
PAN-196953
( PA-5450 firewalls only ) Fixed an issue where jumbo frames were dropped.
Addressed
10.2.3
PAN-196445
Fixed an issue where restarting the Network Processing Card (NPC) or the Data Processing Card (DPC) did not bring up all the network interfaces.
Addressed
10.2.3
PAN-196398
( PA-7000 Series SMC-B firewalls only ) Fixed an issue where the firewall did not capture data when the active management interface was MGT-B.
Addressed
10.2.3
PAN-196227
Fixed an issue where the logd process stopped responding, which caused Panorama to reboot into maintenance mode.
Addressed
10.2.3
PAN-196005
( PA-3200 Series, PA-5200 Series, and PA-5400 Series firewalls only ) Fixed an issue where GlobalProtect IPSec tunnels disconnected at half the inactivity logout timer value.
Addressed
10.2.3
PAN-195707
Fixed an issue on Panorama appliances configured as log collectors where Panorama repeatedly rebooted into maintenance mode.
Addressed
10.2.3
PAN-195689
Fixed an issue where WildFire submission logs did not load on the firewall web interface.
Addressed
10.2.3
PAN-195628
Fixed an issue that caused the pan_task process to miss heartbeats and stop responding.
Addressed
10.2.3
PAN-195625
Fixed an issue where authd frequently created SSL sessions, which resulted in an OOM condition.
Addressed
10.2.3
PAN-195360
Fixed an issue with firewalls in Microsoft Azure environments where BGP flapping occurred due to the firewall incorrectly treating capability from BGP peering as unsupported.
Addressed
10.2.3
PAN-195223
Fixed an issue where the all_pktproc process restarted when receiving a GTPv2 Modify Bearer Request packet if the Serving GPRS Support Node (SGSN) used the same key as the Serving Gateway (SGW).
Addressed
10.2.3
PAN-195181
Added enhancements to improve the load on the pan_comm process during SNMP polling.
Addressed
10.2.3
PAN-194993
Fixed an issue that occurred when authenticating into GlobalProtect with authentication override cookies and SAML where, if the cookie was invalid, authentication did not fall back to SAML.
Addressed
10.2.3
PAN-194826
( WF-500 and WF-500-B appliances only ) Fixed an issue where log system forwarding did not work over a TLS connection.
Addressed
10.2.3
PAN-194782
Fixed an issue on Panorama where, if you added a new local or non-local administrator account or an admin user to a template, authentication profiles were incorrectly referenced.
Addressed
10.2.3
PAN-194708
Fixed an issue where URL filtering logs ( Monitor Logs URL Filtering ) incorrectly truncated a 16KB Header value and did not display the Header values that followed the truncated 16KB header.
Addressed
10.2.3
PAN-194694
Fixed an issue where multiple SNMP requests being made to the firewall caused in the pan_comm process to stop responding.
Addressed
10.2.3
PAN-194601
Fixed an issue that caused the all_task process to stop responding.
Addressed
10.2.3
PAN-194588
( PA-7000 Series firewalls with LFCs (Log Forwarding Cards), PA-7050 firewalls with SMC-B (Switch Management Cards), and PA-7080 firewalls only ) Fixed an issue where the logrcvr_statistics output was not recorded in mp-monitor.log.
Addressed
10.2.3
PAN-194481
Fixed an issue in ESXi where the bootstrapped VM-Series firewalls with the Software Licensing Plugin had :xxx appended to their hostnames.
Addressed
10.2.3
PAN-194408
Fixed an issue where, when policy rules had the apps that implicitly depended on web browsing configured with the service application default , traffic did not match the rule correctly.
Addressed
10.2.3
PAN-194406
Fixed an issue where the MTU from SD-WAN interfaces was recalculated after a configuration push from Panorama or a local commit, which caused traffic disruption.
Addressed
10.2.3
PAN-194262
Fixed an issue where the GlobalProtect application failed to connect when a user or group was configured under the portal Config Selection Criteria .
Addressed
10.2.3
PAN-194152
( PA-5410, PA-5420, PA-5430, and PA-5440 firewalls in HA configurations only ) Fixed an issue where HA1-A and HA1-B port information didn't match to front panel mappings and, when one firewall was on PAN-OS 10.2.3 or a later release and the other was on PAN-OS 10.2.2 or an earlier release, a split-brain situation occurred.
Addressed
10.2.3
PAN-194129
( PA-5450 firewalls only ) Fixed an issue where slot 2 did not use all features correctly if a DPC was used instead of an NPC.
Addressed
10.2.3
PAN-194097
Fixed an issue on firewalls in high availability (HA) active/passive configurations where _ha_d_session_msgbuf overflowed on the passive firewall during an upgrade, which caused the firewall to enter a non-functional state.
Addressed
10.2.3
PAN-193981
( VM-Series firewalls in Microsoft Azure environments only ) Fixed an issue where the firewall stopped monitoring HA failure and floating IP addresses did not get moved to the newly active firewall.
Addressed
10.2.3
PAN-193899
Fixed an issue where advanced mode factory reset ( Maintenance Mode Factory Reset Advanced select a specific image ) was only compatible with PAN-OS 10.1.3 or later version images.
Addressed
10.2.3
PAN-193818
Fixed an issue where the firewall device server failed to resolve URL cloud FQDNs, which interrupted URL category lookup.
Addressed
10.2.3
PAN-193766
( VM-Series firewalls only ) Fixed an issue where the GlobalProtect portal was not accessible.
Addressed
10.2.3
PAN-193765
Fixed an issue where commits failed the following error displayed in the configd log: Unable to populate ids into candidate config: Error: Error populating id for 'sg2+DMZ to FirstAM Scanner-1 .
Addressed
10.2.3
PAN-193763
Fixed an issue on the firewall where the dataplane CPU spiked, which caused traffic to be affected during commits or content updates.
Addressed
10.2.3
PAN-193744
( PA-3200 Series firewalls only ) Fixed an issue where, when the HA2 HSCI connection was down, the system log displayed Port HA1-b: down instead of Port HSCI: Down .
Addressed
10.2.3
PAN-193732
( PA-5400 Series firewalls only ) Fixed an issue where the firewall incorrectly handled internal transactions.
Addressed
10.2.3
PAN-193707
Fixed an issue where SAML authentication failed during commits with the following error message: revocation status could not be verified (reason: ) .
Addressed
10.2.3
PAN-193483
( VM-Series firewalls only ) Fixed an issue where, during Layer-7 packet inspection where traffic was being inspected for threat signature and data patterns, multiple processes stopped responding.
Addressed
10.2.3
PAN-193392
Fixed an issue where RTP packets dropped due to conflicting duplicate flows.
Addressed
10.2.3
PAN-193251
Fixed an issue where, when SAML was configured as the authentication method for GlobalProtect, the SAML page did not load when using a browser.
Addressed
10.2.3
PAN-193235
Fixed an issue where duplicate log entries were displayed on Panorama.
Addressed
10.2.3
PAN-193201
Fixed an issue where auto-commits failed after an upgrade if an imported certificate size was greater than the size of a buffer.
Addressed
10.2.3
PAN-193132
( PA-220 firewalls only ) Fixed an issue where a commit and push from Panorama caused high dataplane CPU utilization.
Addressed
10.2.3
PAN-192944
Fixed an issue where the logrcvr process caused an OOM condition.
Addressed
10.2.3
PAN-192739
Fixed an issue where the error message Machine Learning found virus was displayed in threat CSV logs as Threat ID/Name when WildFire Inline ML detected malware.
Addressed
10.2.3
PAN-192726
Fixed an issue where the firewall dropped TCP traffic inside IPSec tunnels.
Addressed
10.2.3
PAN-192673
( PA-7050-SMC-B firewalls only ) Fixed an issue where the LFC syslog-ng service failed to start after an upgrade.
Addressed
10.2.3
PAN-192666
( VM-Series firewalls only ) Fixed an issue where uploading certificates via API failed within the first 30 minutes of a bootstrap.
Addressed
10.2.3
PAN-192551
( PA-5400 Series firewalls only ) Fixed an issue where the firewall incorrectly processed path monitoring packets.
Addressed
10.2.3
PAN-192404
Fixed an issue where ARP broadcasts occurring in the same time interval and network segment as HA path monitoring pings triggered an ARP cache request, which prevented the firewall from sending ICMP echo requests to the monitored destination IP address and caused an HA path monitoring failover.
Addressed
10.2.3
PAN-192330
( Bootstrapped VM-Series firewalls in Microsoft Azure environments only ) Fixed an issue where the firewall did not automatically receive the Strata Logging Service license.
Addressed
10.2.3
PAN-192052
Fixed an issue where, when next hop MAC address entries weren't found on the offload processor for active traffic, update messages flooded the firewall, which caused resource contention and traffic disruption.
Addressed
10.2.3
PAN-191874
Fixed an issue where monthly scheduled reports did not display information after upgrading to PAN-OS 10.2.0.
Addressed
10.2.3
PAN-191847
Fixed an issue where the Panorama appliance was unable to generate scheduled custom reports due to the large number of files stored in the opt/pancfg/mgmt/custom-reports directory.
Addressed
10.2.3
PAN-191726
Fixed an issue where an SCP export of the device state from the firewall added single quotes ( ' ) to the filename.
Addressed
10.2.3
PAN-191558
Fixed an issue where, after an upgrade to PAN-OS 10.1.5, Global Find did not display all results related to a searched item.
Addressed
10.2.3
PAN-191269
Fixed an issue where the NAT pool leaked for passive mode FTP predict sessions.
Addressed
10.2.3
PAN-191222
Fixed an issue where Panorama became inaccessible when after a push to the collector group.
Addressed
10.2.3
PAN-191218
( PA-5400 Series firewalls only ) Fixed an issue where the session log storage quota could not be changed via the web interface.
Addressed
10.2.3
PAN-191216
Fixed an issue where, on Apple iOS devices, SAML authentication did not connect to the GlobalProtect portal.
Addressed
10.2.3
PAN-191214
Fixed an issue where the Elasticsearch process stopped responding, which caused an OOM condition.
Addressed
10.2.3
PAN-190657
Fixed an issue where IPSec tunnels did not rekey due to the security association being deleted too early.
Addressed
10.2.3
PAN-190448
Fixed an issue in ACC reports where IPv6 addresses were displayed instead of IPv4 addresses.
Addressed
10.2.3
PAN-189894
Fixed an issue with the web interface where the template stack didn't show inherited values of Template > Authentication Portal Settings .
Addressed
10.2.3
PAN-189861
Fixed an issue on firewalls in HA configurations where intermittent system alerts on the active firewall caused the pan_comm process to restart continuously.
Addressed
10.2.3
PAN-189859
Fixed an issue on the firewall where an administrator was unable to Import Custom URL Category Content .
Addressed
10.2.3
PAN-189762
Fixed an issue where a predict session didn't match with the traffic when both source NAT and destination NAT were enabled.
Addressed
10.2.3
PAN-189723
Fixed an issue where you were unable to configure dynamic address groups to use more than 64,000 IP addresses in a Security policy.
Addressed
10.2.3
PAN-189414
Fixed an issue where TCP packets were dropped during the first zone transfer when DNS security was enabled.
Addressed
10.2.3
PAN-189304
Fixed an issue where the Panorama appliance didn't display logs or generate reports for a device group containing MIPs platform that forwarded logs to Strata Logging Service .
Addressed
10.2.3
PAN-189270
Fixed an issue that caused a memory leak on the reportd process.
Addressed
10.2.3
PAN-189225
Fixed an issue where BGP routes were lost or uninstalled after disabling jumbo frames on the firewall.
Addressed
10.2.3
PAN-189114
Fixed an issue where the dataplane went down, which caused an HA failover.
Addressed
10.2.3
PAN-188867
Fixed an issue where the firewall dropped packets when the session payload was too large.
Addressed
10.2.3
PAN-188489
( VM-Series firewalls only ) Fixed an issue where dynamic content updates weren't automatically pushed to the firewall licensed using the Panorama Software Firewall License plugin when Automatically push content when software device registers to Panorama ( Panorama Templates Add Stack ) was enabled.
Addressed
10.2.3
PAN-188338
Fixed an issue where canceling a commit caused the commit process to remain at 70% and the firewall had to be rebooted.
Addressed
10.2.3
PAN-188303
Fixed an issue where the serial number displayed as unknown after running the show system state CLI command.
Addressed
10.2.3
PAN-188096
( VM-Series firewalls only ) Fixed an issue where, on firewalls licensed with Software NGFW Credit (VM-FLEX-4 and higher), HA clustering was unable to be established.
Addressed
10.2.3
PAN-187985
Fixed an issue where you were unable to configure a QoS Profile as percentage for Clear Text Traffic.
Addressed
10.2.3
PAN-187890
Fixed an issue where the Strata Logging Service connection incorrectly displayed as disconnected when a service route was in use.
Addressed
10.2.3
PAN-187805
Fixed an issue where a process ( all_pktproc ) stopped responding and the dataplane restarted during certificate construction or destruction.
Addressed
10.2.3
PAN-187476
Fixed an issue where, when hip-redistribution is enabled, Panorama doesn't display a part of HIP information.
Addressed
10.2.3
PAN-187234
Fixed an intermittent issue where web pages submitted for analysis by Advanced URL Filtering cloud inline categorization experienced high latency.
Addressed
10.2.3
PAN-186891
Fixed an issue where NetFlow packets contained incorrect octet counts.
Addressed
10.2.3
PAN-186418
Fixed an issue where Panorama displayed a discrepancy in RAM configured on the VMware host.
Addressed
10.2.3
PAN-186134
Fixed an issue on Panorama where performing a commit and push intermittently failed to push the committed configuration to managed firewalls.
Addressed
10.2.3
PAN-186075
( VM-Series firewalls only ) Fixed an issue where the firewall rebooted after receiving large packets while in DPDK mode on Azure virtual machines running CX4 (MLx5) drivers.
Addressed
10.2.3
PAN-185787
Fixed an issue where logging in to the Panorama web interface did not work and the following error message displayed: Timed out while getting config lock. Please try again .
Addressed
10.2.3
PAN-185283
Fixed an issue on Panorama where using the name-of-threatid contains log4j filter didn't produce expected results.
Addressed
10.2.3
PAN-184702
( M-700 appliances in Log Collector mode only ) Fixed an issue on the Panorama management server where the Panorama appliance failed to connect to Panorama when added as a managed log collector.
Addressed
10.2.3
PAN-184068
( PA-5200 Series firewalls only ) Fixed an issue where the firewall generated pause frames, which caused network latency.
Addressed
10.2.3
PAN-183788
Fixed an issue with SCEP certificate enrollment where the incorrect Registration Authority (RA) certificate was chosen to encrypt the enrollment request.
Addressed
10.2.3
PAN-185750
Updated an issue to eliminate failed pan_comm software issues that caused the dataplane to restart unexpectedly
Addressed
10.2.3
PAN-183270
Fixed an issue where a bootstrapped firewall connected only to the first log collector in a log collector group.
Addressed
10.2.3
PAN-183184
Fixed an issue where enabling SSL decryption with a Hardware Security Model (HSM) caused a dataplane restart.
Addressed
10.2.3
PAN-183166
Fixed an issue where system, configuration, and alarm logs were queued up on the logrcvr process and were not forwarded out or written to disk until an autocommit was passed.
Addressed
10.2.3
PAN-182689
Fixed an issue where a signature from a previous WildFire package triggered virus detection even though the signature was no longer present in the current WildFire package.
Addressed
10.2.3
PAN-182539
Fixed an issue with Panorama appliances in HA configurations where dedicated log collectors did not send local system or configuration logs to both Panorama appliances.
Addressed
10.2.3
PAN-182212
Fixed an issue where SNMP reported the panVsysActiveTcpCps and panVsysActiveUdpCps value to be 0.
Addressed
10.2.3
PAN-181277
Fixed an issue where VPN tunnels in SD-WAN flapped due to duplicate tunnel IDs.
Addressed
10.2.3
PAN-179543
Fixed an issue where the flow_mgmt process stopped responding when attempting to clear the session table, which caused the dataplane to restart.
Addressed
10.2.3
PAN-179258
Fixed an issue where system disk migration failed.
Addressed
10.2.3
PAN-178243
Fixed an issue where Shared Gateway was not visible in the Virtual System drop down when configuring a Layer3 aggregate subinterface.
Addressed
10.2.3
PAN-178194
Fixed an issue with the web interface where, when only the Advanced URL Filtering license was activated, the message License required for URL filtering to function was incorrectly displayed and the URL Filtering Profile > Inline ML section was disabled.
Addressed
10.2.3
PAN-177482
Fixed an issue where ACC > App Scope > Threat Monitor showed NO DATA TO DISPLAY .
Addressed
10.2.3
PAN-172501
Fixed an issue where you were unable to revert HA mode settings to the default values from the web interface.
Addressed
10.2.3
PAN-171714
Fixed an issue where, when NetBIOS format (domain\user) was used for the IP address-to-username mapping and the firewall received the group mapping information from the Cloud Identity Engine, the firewall did not match the user to the correct group.
Addressed
10.2.3
PAN-157215
Fixed an issue that occurred when two FQDNs were resolved to the same IP address and were configured as the same src/dst of the same rule. If one FQDN was later resolved to a different IP address, the IP address resolved for the second FQDN was also changed, which caused traffic with the original IP address to hit the incorrect rule.
Addressed
10.2.3
PAN-151469
Fixed an issue where packets were dropped unexpectedly due to errors parsing the IP version field.
Known
10.2.4
WF500-5854
The WildFire analysis report on the firewall log viewer ( Monitoring WildFire Submissions ) does not display the following data fields: File Type, SHA-256, MD-5, and File Size".
Workaround : Download and open the WildFire analysis report in the PDF format using the link in the upper right-hand corner of the Detailed Log View .
Known
10.2.4
WF500-5843
In a WildFire appliance cluster, issuing the show cluster-all peers CLI command when a node within the cluster is being rebooted generates the following error: Server error : An error occured.
Known
10.2.4
WF500-5840
The sample analysis statistics that are returned when issuing the show wildfire local statistics CLI command in WildFire appliance cluster deployments may not accurately reflect the number of samples that have been processed.
Known
10.2.4
WF500-5823
The following WildFire appliance CLI command does not return a signature generation status as expected: show wildfire global signature-status . This does not corrupt or otherwise prevent the WildFire appliance from analyzing a sample.
Known
10.2.4
WF500-5781
The WildFire appliance might erroneously generate and log the following device certification error: Device certificate is missing or invalid. It cannot be renewed.
Known
10.2.4
WF500-5754
In WildFire appliance clusters, issuing the show cluster controller CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6).
Known
10.2.4
WF500-5632
The number of registered WildFire appliances reported in Panorama ( Panorama Managed WildFire Appliances Firewalls Connected View ) does not accurately reflect the current status of connected WildFire appliances.
Known
10.2.4
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.2.4
PAN-259769
GlobalProtect portal is not accessible via a web browser and the app displays the error ERR_EMPTY_RESPONSE .
Known
10.2.4
PAN-250062
Device telemetry might fail at configured intervals due to bundle generation issues.
Known
10.2.4
PAN-243951
On the Panorama management sever in an active/passive High Availability (HA) configuration, managed devices ( Panorama Managed Devices Summary ) display as out-of-sync on the passive HA peer when configuration changes are made to the SD-WAN ( Panorama SD-WAN ) configuration on the active HA peer.
Workaround: Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select Commit and Commit to Panorama the SD-WAN configuration changes on the active HA peer.
    On the passive HA peer, select Panorama Managed Devices Summary and observe that the managed devices are now out-of-sync .
  3. Log in to the primary HA peer Panorama CLI and trigger a manual synchronization between the active and secondary HA peers.
    request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface and select Commit Push to Devices and Push .
Known
10.2.4
PAN-234408
Enterprise DLP cannot detect and block non-file based traffic for ChatGPT from traffic forwarded to the DLP cloud service from an NGFW.
Known
10.2.4
PAN-228273
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status is red . This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.2.4
PAN-227344
On the Panorama management server, PDF Summary Reports ( Monitor PDF Reports Manage PDF Summary ) display no data and are blank when predefined reports are included in the summary report.
Known
10.2.4
PAN-227342
( PA-7000 Series firewalls only ) In an Active/Active High Availability (HA) setup, enabling hardware offload can result in web traffic being blocked.
Known
10.2.4
PAN-225337
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
On the Panorama management server, the configuration push to a multi-vsys firewall fails if you:
  1. Create a Shared and vsys-specific device group configuration object with an indentical name. For example, a Shared address object called SharedAO1 and a vsys-specific address object also called SharedAO1 .
  2. Reference the Shared object in another Shared configuration. For example, reference the Shared address object ( SharedAO1 ) in a Shared address group called SharedAG1 .
  3. Use the Shared configuration object with the reference in a vsys-specific configuration. For example, reference the Shared address group ( SharedAG1 ) in a vsys-specific policy rule.
Workaround: Select Panorama Setup Management and edit the Panorama Settings to enable one of the following:
  • Shared Unused Address and Service Objects with Devices —This options pushes all Shared objects, along with device group specific objects, to managed firewalls.
    This is a global setting and applies to all managed firewalls, and may result in pushing too many configuration objects to your managed firewalls.
  • Objects defined in ancestors will take higher precedence —This option specifies that in the event of objects with the same name, ancestor object take precedence over descendent objects. In this case, the Shared objects take precedence over the vsys-specific object.
    This is a global setting and applies to all managed firewalls. In the example above, if the IP address for the Shared SharedAO1 object was 10.1.1.1 and the device group specific SharedAO1 was 10.2.2.2 , the 10.1.1.1 IP address takes precedence.
Alternatively, you can remove the duplicate address objects from the device group configuration to allow only the Shared objects in your configuration.
Known
10.2.4
PAN-223488
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
Closed ElasticSearch shards are not deleted from a Panorama M-Series or virtual appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.2.4
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.2.4
PAN-222586
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings ( Device Log Settings ) are not displayed and cannot be configured.
Known
10.2.4
PAN-222253
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
On the Panorama management server, policy rulebase reordering when you View Rulebase by Groups ( Policy <policy-rulebase> ) does not persist if you reorder the policy rulebase by dragging and dropping individual policy rules and then moving the entire tag group.
Known
10.2.4
PAN-221775
A Malformed Request error is displayed when you Test Connection for an email server profile ( Device Server Profiles Email ) using SMTP over TLS and the Password includes an ampersand (&).
Known
10.2.4
PAN-221015
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. The results in the Managed Collector ES health status ( Panorama Managed Collectors Health Status ) to be degraded.
Workaround: Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes. 
admin>debug elasticsearch es-restart optional all
Known
10.2.4
PAN-220180
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
Configured botnet reports ( Monitor Botnet ) are not generated.
Known
10.2.4
PAN-219644
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
Firewalls forwarding logs to a syslog server over TLS ( Objects Log Forwarding ) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
10.2.4
PAN-218521
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.2.4
PAN-217307
This issue is now resolved. See PAN-OS 10.2.11 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.2.4
PAN-216821
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues .
The reportd process crashes after you successfully upgrade an M-200 appliance to PAN-OS 10.2.4.
Known
10.2.4
PAN-215778
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues .
On the M-600 appliance in Management Only mode, XML API Get requests for /config fail with the following error due to exceeding the total configuration size supported on the M-600 appliance. 
504 Gateway timeout
Known
10.2.4
PAN-215082
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
M-300 and M-700 appliances may generate erroneous system logs ( Monitor Logs System ) to alert that the M-Series appliance memory usage limits are reached.
Known
10.2.4
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.2.4
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list ( Monitor Block IP ):
show -> dis-block-table is unexpected
Known
10.2.4
PAN-212978
This issue is now resolved. See PAN-OS 10.2.4-h3 Addressed Issues .
The Palo Alto Networks firewall stops responding when executing an SD-WAN debug operational CLI command.
Known
10.2.4
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor ( Monitor App Scope Threat Monitor ) and ACC . This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.2.4
PAN-212533
Modifying the Administrator Type for an existing administrator ( Device Administrators or Panorama Administrators ) from Superuser to a Role-Based custom admin, or vice versa, does not modify the access privileges of the administrator.
Known
10.2.4
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile ( Panorama Admin Roles ).
Known
10.2.4
PAN-210366
This issue is now resolved. See PAN-OS 10.2.4-h3 Addressed Issues
On the Panorama management server in a high availability (HA) configuration, the primary HA peer may enter a primary-non-functional state and generate a system log ( Monitor Logs System ) with the following message:
High root partition usage: going to state Non-Functional
Known
10.2.4
PAN-209288
Certificates are not successfully generated using SCEP ( Device Certificate Management SCEP ).
Known
10.2.4
PAN-208622
A file upload to Box.com exceeding 6 files gets stuck and fails to upload if you specify an Enterprise DLP data filtering profile ( Objects DLP Data Filtering Profiles with the Action set to Block to a Security policy rule ( Policies Security ).
Known
10.2.4
PAN-208325
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues .
The following NextGen firewalls and Panorama management server models are unable to automatically renew the device certificate ( Device Setup Management or Panorama Setup Management ).
  • M-300 and M-700
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-3400 Series
  • PA-5410, PA-5420, and PA-5430 Firewalls
  • PA-5450 Firewall
Workaround: Log in to the firewall CLI or Panorama CLI and fetch the device certificate. 
admin>request certificate fetch
Known
10.2.4
PAN-204689
Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App Allow with Passcode
  • Allow user to Disable GlobalProtect App Allow with Passcode
  • Allow User to Uninstall GlobalProtect App Allow with Password
Known
10.2.4
PAN-201855
On the Panorama management server, cloning any template ( Panorama Templates ) corrupts certificates ( Device Certificate Management Certificates ) with the Block Private Key Export setting enabled across all templates. This results in managed firewalls experiencing issues wherever the corrupted certificate is referenced.
For example, you have template A, B, and C where templates A and B have certificates with the Block Private Key Export setting enabled. Cloning template C corrupts the certificates with Block Private Key Export setting enabled in templates A and B.
Workaround: After cloning a template, delete and re-import the corrupted certificates.
Known
10.2.4
PAN-199557
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues .
On M-600 appliances in an Active/Passive high availability (HA) configuration, the configd process restarts due to a memory leak on the Active Panorama HA peer. This causes the Panorama web interface and CLI to become unresponsive.
Workaround: Manually reboot the Active Panorama HA peer.
Known
10.2.4
PAN-198708
On the Panorama management server, the File Type field does not display any data when you view the Detailed Log View in the Data Filtering log ( Monitor Logs Data Filtering <select log> DLP ).
Known
10.2.4
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.2.4
PAN-196504
License deactivation fails for VM-Series firewalls licensed using PA-VM Bundle 3 (BND3).
Known
10.2.4
PAN-196146
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
The VM-Series firewall on Azure does not boot up with a hostname (specified in an init-cgf.txt or user data) when bootstrapped.
Known
10.2.4
PAN-194996
When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, allocating bandwidth for a remote network deployment fails (the OK button is grayed out).
Workaround : Retry the operation.
Known
10.2.4
PAN-194519
( PA-5450 firewall only ) Trying to configure a custom payload format under Device Server Profiles HTTP yields a Javascript error.
Known
10.2.4
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.2.4
PAN-194424
( PA-5450 firewall only ) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround: Restart the log receiver service by running the following CLI command: 
debug software restart process log-receiver
Known
10.2.4
PAN-194202
( PA-5450 firewall only ) If the management interface and logging interface are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.2.4
PAN-190727
( PA-5450 firewall only ) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.2.4
PAN-190435
When you Commit a configuration change, the Task Manager commit Status goes directly from 0% to Completed and does accurately reflect the commit job progress.
Known
10.2.4
PAN-189111
After deleting an MP pod and it comes up, the show routing command output appears empty and traffic stops working.
Known
10.2.4
PAN-189076
On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain.
Known
10.2.4
PAN-188358
After triggering a soft reboot on a M-700 appliance, the Management port LEDs do not light up when a 10G Ethernet cable is plugged in.
Known
10.2.4
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.2.4
PAN-187643
If you enable SCTP security using a Panorama template when SCTP INIT Flood Protection is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the SCTP INIT option is not available in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make the SCIT INIT option available on the web interface.
Known
10.2.4
PAN-187612
On the Panorama management server, not all data profiles ( Objects DLP Data Filtering Profiles ) are displayed after you:
  • Upgrade Panorama to PAN-OS 10.2 and upgrade the Enterprise DLP plugin to version 3.0.
  • Downgrade Panorama to PAN-OS 10.1 and downgrade the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP plugin.
admin > request plugins dlp reset
Known
10.2.4
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
10.2.4
PAN-187370
On a firewall with Advanced Routing enabled, if there is also a logical router instance that uses the default configuration and has no interfaces assigned to it, this will result in terminating the management daemon and main routing daemon in the firewall during commit.
Workaround : Do not use a logical router instance with no interfaces bound to it.
Known
10.2.4
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround : Use Commit Push to Devices to synchronize the templates.
Known
10.2.4
PAN-186282
On HA deployments on AWS and Azure, Panorama fails to populate match criteria automatically when adding dynamic address groups.
Workaround: Reboot the Panorama HA pair.
Known
10.2.4
PAN-185286
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
( PA-5400 Series firewalls only ) On the Panorama management server, the device health resources ( Panorama Managed Devices Health ) do not populate.
Known
10.2.4
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
10.2.4
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
10.2.4
PAN-182734
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues .
On an Advanced Routing Engine, if you change the IPSec tunnel configuration, BGP flaps.
Known
10.2.4
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
10.2.4
PAN-181823
On a PA-5400 Series firewall (minus the PA-5450), setting the peer port to forced 10M or 100M speed causes any multi-gigabit RJ-45 ports on the firewall to go down if they are set to Auto.
Known
10.2.4
PAN-180661
On the Panorama management server, pushing an unsupported Minimum Password Complexity ( Device Setup Management ) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.2.4
PAN-180104
When upgrading a CN-Series as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT pod if the Kubernetes cluster previously had a CN-Series as a DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround : Reboot the worker nodes before upgrading to PAN-OS 10.2.
Known
10.2.4
PAN-178194
A user interface issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.2.4
PAN-177455
PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.2.4
PAN-175915
When the firewall is deployed on N3 and N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile Network Protection Profile, the traffic logs do not display network slice SST and SD values.
Known
10.2.4
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.2.4
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.2.4
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Known
10.2.4
PAN-164885
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues .
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Known
10.2.4
PAN-160633
This issue is now resolved. See PAN-OS 10.2.5 Addressed Issues .
( PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only ) The dataplane restarts repeatedly due to internal path monitoring failures until a power cycle.
Addressed
10.2.4-h32
PAN-272809
A fix was made to address CVE-2024-0012 ( PAN-SA-2024-0015 ) and CVE-2024-9474 .
Addressed
10.2.4-h16
PAN-252214
A fix was made to address CVE-2024-3400 .
Addressed
10.2.4-h10
PAN-238792
Fixed the following device certificate issues:
  • The firewall was unable to automatically renew the device certificate-Fetching device certificates failed incorrectly with the error message OTP is not valid .
  • Firewalls disconnected from Strata Logging Service after renewing the device certificate.
  • The device certificate was not correctly generated on the log forwarding card (LFC).
  • WildFire cloud logs did not log thermite certificate usage status.
Addressed
10.2.4-h10
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.2.4-h10
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.2.4-h10
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.2.4-h10
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.2.4-h4
PAN-223501
Fixed an issue where diagnostic information for the dataplane in the dp-monitor.log file was not complete.
Addressed
10.2.4-h4
PAN-222712
( PA-5450 firewalls only ) Fixed a low frequency DPC restart issue.
Addressed
10.2.4-h4
PAN-221984
( VM-Series firewalls in Microsoft Azure environments only ) Fixed an issue where an interface went down after a hotplug event and was only recoverable by restarting the firewall.
Addressed
10.2.4-h4
PAN-221836
Fixed an issue where improper SNI detection caused incorrect URL categorization.
Addressed
10.2.4-h4
PAN-219508
( VM-Series, PA-400 Series, PA-1400, PA-3400, and PA-5400 Series firewalls only ) Fixed an issue where Bidirectional Forwarding Detection (BFD) packets experienced a delay in processing, which caused the BFD connection to flap.
Addressed
10.2.4-h4
PAN-217489
Fixed an issue with firewalls in active/passive high availability (HA) configurations where the passive firewall MAC flapping occurred when the passive firewall was rebooted.
Addressed
10.2.4-h4
PAN-216043
Fixed an issue where wifclient stopped responding due to shared memory corruption.
Addressed
10.2.4-h4
PAN-215655
Fixed an issue where, after a multi-dynamic group push, Security policies with the target device tag was added to a firewall that did not have the tag.
Addressed
10.2.4-h4
PAN-215066
Fixed an issue on Panorama where push scope rendering caused the commit and push or push operation window to hang for several minutes.
Addressed
10.2.4-h4
PAN-214187
Fixed an issue where superreaders were able to execute the request restart system CLI command.
Addressed
10.2.4-h4
PAN-211191
Fixed an issue where the firewall restarted after initiating a mgmtsrvr process restart.
Addressed
10.2.4-h4
PAN-210661
Fixed an issue where firewalls disconnected from Strata Logging Service after renewing the device certificate.
Addressed
10.2.4-h4
PAN-210429
( VM-Series firewalls only ) Fixed an issue where the HTTP service failed to come up on DHCP dataplane interfaces after rebooting the firewall, which resulted in health-check failure on HTTP/80 with a 503 error code on the public load balancer.
Addressed
10.2.4-h4
PAN-195439
( VM-Series firewalls in Microsoft Azure environments only ) Fixed an issue where the dataplane interface status went down after a hotplug event triggered by Azure infrastructure.
Addressed
10.2.4-h4
PAN-169586
Fixed an issue where scheduled log view reports in emails didn't match the monitor page query result for the same time interval.
Addressed
10.2.4-h3
PAN-222035
Fixed an issue where when multiple portals were configured in Prisma Access deployments, CIE SAML authentication failed on the secondary portal.
Addressed
10.2.4-h3
PAN-221068
Fixed an issue where the firewall restarted after a failed push from Panorama, which resulted in autocommit failures.
Addressed
10.2.4-h3
PAN-219355
Fixed an issue where disk space became full due to a GPSVC FD leak.
Addressed
10.2.4-h3
PAN-219333
Fixed an issue where a secondary Prisma Access Portal address with port 8443 did not work.
Addressed
10.2.4-h3
PAN-218620
Fixed an issue where scheduled configuration exports and SCP server connection testing failed.
Addressed
10.2.4-h3
PAN-218368
Fixed an issue with incorrect VLAN tagging on Intel based platforms that occurred when opening a response page from a virtual-wire subinterface.
Addressed
10.2.4-h3
PAN-218340
Fixed a memory leak issue related to the configd process that affected selective pushes on Panorama.
Addressed
10.2.4-h3
PAN-218267
Fixed an issue where a partial commit and push operation from Panorama to managed firewalls did not work as expected.
Addressed
10.2.4-h3
PAN-218046
Fixed an issue where the Virtual Routers ( Network Virtual Routers ) setting was not available when configuring a custom admin role Device Admin Roles .
Addressed
10.2.4-h3
PAN-217053
Fixed an issue where the configd process stopped responding after a selective push to multiple device groups failed.
Addressed
10.2.4-h3
PAN-215899
Fixed an issue with Panorama appliances in high availability (HA) configurations where configuration synchronization between the HA peers failed.
Addressed
10.2.4-h3
PAN-215767
Fixed an issue where, after a high availability failover, IKE SA negotiation failed with the error message INVALID_SPI , which resulted in temporary loss of traffic over some proxy IDs.
Addressed
10.2.4-h3
PAN-215324
( PA-5400 Series firewalls with Jumbo Frames enabled only ) Fixed an issue with CPU throttling and buffer depletion.
Addressed
10.2.4-h3
PAN-215315
Fixed an issue where the dataplane stopped responding due to ager and inline packet processing occurring concurrently on different cores for the same session.
Addressed
10.2.4-h3
PAN-214463
Fixed an issue where IKE rekey negotiation failed with a third-party vendor and the firewall acting as the initiator received a response with the VENDOR_ID payload and the error message unexpected critical payload (type 43) .
Addressed
10.2.4-h3
PAN-213973
Fixed an issue where the authd process stopped responding during a cleanup of authentication server context.
Addressed
10.2.4-h3
PAN-212978
Fixed an issue where the firewall stopped responding when executing an SD-WAN configuration or operational CLI command.
Addressed
10.2.4-h3
PAN-210366
Fixed an issue where deleting a device group when a selective configuration push was in progress caused the configd process to stop responding.
Addressed
10.2.4-h3
PAN-208240
Fixed an issue where, when attempting to replace an existing certificate, importing a new certificate with the same name as the existing certificate failed due to mismatched public and private keys.
Addressed
10.2.4-h2
PAN-218285
Fixed an issue where after switching the SPN by suspending the active SPN, the forwarding rule was not correctly pointing to the new active node when moved from 3 rules (TCP/UDP/ICMP) to 1 Layer 3 default rule in GCP.
Addressed
10.2.4-h2
PAN-217484
Fixed an issue where the rasmgr process used 100% CPU due to a maximum duration timer not being set, which caused the GlobalProtect gateway to be unavailable.
Addressed
10.2.4-h2
PAN-217431
Fixed an issue with slot 2 DPCs where URL Filtering did not work as expected after upgrading to PAN-OS 10.1.9.
Addressed
10.2.4-h2
PAN-216710
Fixed an issue with firewalls in active/active HA configurations where GlobalProtect disconnected when the original suspected active-primary firewall became active-secondary.
Addressed
10.2.4-h2
PAN-216036
Fixed an issue where the all_pktproc process stopped responding, which caused the firewall to enter a nonfunctional state.
Addressed
10.2.4-h2
PAN-215823
Fixed an issue on log collectors where the reportd process stopped responding.
Addressed
10.2.4-h2
PAN-215496
Fixed an issue where 100G ports did not come up with BIDI QSFP modules.
Addressed
10.2.4-h2
PAN-214406
Fixed an issue with Elasticsearch where ES tunnels weren’t started and were forked incorrectly, which caused them to fail.
Addressed
10.2.4-h2
PAN-213079
Fixed an issue with Captive Portal SAML authentication by increasing the number of retries in the Nginx configuration.
Addressed
10.2.4-h2
PAN-212726
PAN-211519
Fixed an issue where RTP/RTCP packets were dropped for SIP calls by SIP ALG when the source NAT translation type was persistent Dynamic IP And Port .
Addressed
10.2.4-h2
PAN-211870
Fixed an issue where path monitoring failure occurred, which caused high availability failover.
Addressed
10.2.4-h2
PAN-195912
Fixed an issue where connections from the firewall to Strata Logging Service failed.
Addressed
10.2.4
WF500-5976
( WF-500 appliances only ) Fixed an issue where files were incorrectly detected as malicious.
Addressed
10.2.4
WF500-5953
Fixed an issue where testing the same file sample using a PowerShell script returned different verdicts in Private Cloud and Public Cloud.
Addressed
10.2.4
WF500-5920
Fixed an issue where an elink parser did not work.
Addressed
10.2.4
PAN-231823
A fix was made to address CVE-2024-5916 .
Addressed
10.2.4
PAN-220741
( Firewalls in active/passive HA configurations only ) Fixed an issue where, when redistribution agent connections to the passive firewall failed, excessive system alerts for the failed connection were generated. With this fix, system alerts are logged every 5 hours instead of 10 minutes.
Addressed
10.2.4
PAN-219686
Fixed an issue where a device group push operation from Panorama failed with the following error on managed firewalls.
vsys -> vsys1 -> plugins unexpected here
vsys is invalid
Commit failed
Addressed
10.2.4
PAN-216656
Fixed an issue where the firewall was unable to fully process the user list from a child group when the child group contained more than 1,500 users.
Addressed
10.2.4
PAN-216314
( PA-3200 Series firewalls only ) Fixed an issue where, after upgrading to or from PAN-OS 10.1.9 or PAN-OS 10.1.9-h1, offloaded application traffic sessions disconnected even when a session was active. This occurred due to the application default session timeout value being exceeded.
Addressed
10.2.4
PAN-215911
Fixed an issue that resulted in a race condition, which caused the configd process to stop responding.
Addressed
10.2.4
PAN-215488
Fixed an issue where an expired Trusted Root CA was used to sign the forward proxy leaf certificate during SSL Decryption.
Addressed
10.2.4
PAN-215461
Fixed an issue where the packet descriptor leaked over time with GRE tunnels and keepalives.
Addressed
10.2.4
PAN-215125
Fixed an issue where false negatives occurred for some script samples.
Addressed
10.2.4
PAN-214634
Fixed an issue where an elink parser did not work.
Addressed
10.2.4
PAN-214624
Fixed an issue where the logrcvr process stopped responding.
Addressed
10.2.4
PAN-214337
Fixed an issue on the firewall related to the gp_broker configuration transform that led to longer commit times.
Addressed
10.2.4
PAN-214037
( PA-5440, PA-5430, PA-5420, and PA-5410 firewalls only ) Fixed an issue where firewalls in active/active HA configurations experienced packet drop when running asymmetric traffic.
Addressed
10.2.4
PAN-213973
Fixed an issue where the authd process stopped responding during a cleanup of authentication server context.
Addressed
10.2.4
PAN-213661
Fixed an issue where memory allocation failure caused dataplane processes to restart. This issue occurred when decryption was enabled and the device was under heavy L7 usage.
Addressed
10.2.4
PAN-213011
Fixed an issue where, when using multi-factor authentication (MFA) with RADIUS OTP, the challenge message Enter Your Microsoft verification code did not appear when accessing the GlobalProtect portal via browser.
Addressed
10.2.4
PAN-212982
Fixed an issue where the logrcvr process stopped responding with MICA HTTP2 traffic.
Addressed
10.2.4
PAN-212409
Fixed an issue where there were duplicate IPSec Security Associations (SAs) for the same tunnel, gateway, or proxy ID.
Addressed
10.2.4
PAN-211242
Fixed an issue where missed heartbeats caused the Data Processing Card (DPC) and its corresponding Network Processing Card (NPC) to restart due to internal packet path monitoring failure.
Addressed
10.2.4
PAN-210919
Fixed an issue where the Data Processing Card remained in a Starting state after a restart.
Addressed
10.2.4
PAN-210892
( M-600 and M-700 appliances only ) Fixed an issue where the Elasticsearch shard count grew continuously without limit.
Addressed
10.2.4
PAN-210875
Fixed an issue where the pan_task process stopped responding due to software packet buffer 3 trailer corruption, which caused the firewall to restart.
Addressed
10.2.4
PAN-210561
Fixed an issue where the all_task process repeatedly restarted due to missed heartbeats.
Addressed
10.2.4
PAN-210481
Fixed an issue where botnet reports were not generated on the firewall.
Addressed
10.2.4
PAN-210449
Fixed an issue where the value for shared objects used in policy rules were not displayed on multi-vsys firewalls when pushed from Panorama.
Addressed
10.2.4
PAN-210331
Fixed an issue where the firewall did not send device telemetry files to Strata Logging Service with the error message Send File to Strata Logging Service Receiver Failed .
Addressed
10.2.4
PAN-210327
( PA-5200 Series firewalls only ) Fixed an issue where upgrading to PAN-OS 10.1.7, an internal loop caused an increase in the packets received per second.
Addressed
10.2.4
PAN-210237
Fixed an issue where system logs generated by Panorama for commit operations showed the severity as High instead of Informational .
Addressed
10.2.4
PAN-210080
Fixed an issue where the useridd process stopped responding when add and delete member parameters in an incremental sync query were empty.
Addressed
10.2.4
PAN-209660
Fixed an issue where a selective push from Panorama to multiple firewalls failed due to a missing configuration file, which caused a communication error.
Addressed
10.2.4
PAN-209346
Fixed an issue where, after upgrading to PAN-OS 10.2.3, HA peers received conflicting ARP messages that indicated a duplicate IP address.
Addressed
10.2.4
PAN-209305
Fixed a memory space issue where the content and threat detection (CTD) process flow cleanup during inline cloud analysis did not work.
Addressed
10.2.4
PAN-209226
Fixed an issue where the feature bits function reused shared memory, which resulted in a memory allocation error and caused the dataplane to go down.
Addressed
10.2.4
PAN-209069
Fixed an issue where IP addresses in the X-Forwarded-For (XFF) field were not logged when the IP address contained an associated port number.
Addressed
10.2.4
PAN-209021
Fixed an issue where packets were fragmented when SD-WAN VPN tunnel was configured on aggregate ethernet interfaces and sub-interfaces.
Addressed
10.2.4
PAN-208987
( PA-5400 Series only ) Fixed an issue where packets were not transmitted from the firewall if its fragments were received on different slots. This occurred when aggregate ethernet (AE) members in an AE interface were placed on a different slot.
Addressed
10.2.4
PAN-208922
A fix was made to address an issue where an authenticated administrator was able to commit a specifically created configuration to read local files and resources from the system ( CVE-2023-38046 ).
Addressed
10.2.4
PAN-208930
( PA-7000 Series firewalls only ) Fixed an issue where auto-tagging in log forwarding did not work.
Addressed
10.2.4
PAN-208877
Fixed an issue where the all_task process stopped responding when freeing the HTTP2 stream, which caused the dataplane to go down.
Addressed
10.2.4
PAN-208737
Fixed an issue where domain information wasn't populated in IP address-to-username matching after a successful GlobalProtect authentication using an authentication override cookie.
Addressed
10.2.4
PAN-208724
Fixed an issue where port pause frame settings did not work as expected and incorrect pause frames occurred.
Addressed
10.2.4
PAN-208718
Additional debug information was added to capture internal details during traffic congestion.
Addressed
10.2.4
PAN-208711
( PA-5200 Series firewalls only ) The CLI command debug dataplane set pow no-desched yes/no was added to address an issue where the all_pktproc process stopped responding and caused traffic issues.
Addressed
10.2.4
PAN-208537
Fixed an issue where the licensed-device-capacity was reduced when multiple device management license key files were present.
Addressed
10.2.4
PAN-208485
Fixed an issue where NAT policies were not visible on the CLI if they contained more than 32 characters.
Addressed
10.2.4
PAN-208189
Fixed an issue when traffic failed to match and reach all destinations if a Security policy rule includes FQDN objects that resolve to two or more IP addresses.
Addressed
10.2.4
PAN-208157
Fixed an issue where malformed hints sent from the firewall caused the logd process to stop responding on Panorama, which caused a system reboot into maintenance mode.
Addressed
10.2.4
PAN-208079
( VM-Series firewalls on Microsoft Azure environments only ) Fixed an issue where the PAN-DB engine did not start when using a VM-Series firewall Flex based CPU.
Addressed
10.2.4
PAN-207983
Fixed an issue on Panorama in Management Only mode where the logdb database incorrectly collected traffic, threat, GTP, decryption, and corresponding summary logs.
Addressed
10.2.4
PAN-207940
Fixed an issue where platforms with RAID disk checks were performed weekly, which caused logs to incorrectly state that RAID was rebuilding.
Addressed
10.2.4
PAN-207891
Fixed an issue on Panorama where log migration did not complete after an upgrade.
Addressed
10.2.4
PAN-207740
Fixed an issue that resulted in a race condition, which caused the configd process to stop responding.
Addressed
10.2.4
PAN-207738
Fixed an issue where the ocsp-next-update-time CLI command did not execute for leaf certificates with certificate chains that did not specify OCSP or CRL URLs. As a result, the next update time was 60 minutes even if a different time was set.
Addressed
10.2.4
PAN-207663
Fixed a Clientless VPN issue where JSON stringify caused issues with the application rewrite.
Addressed
10.2.4
PAN-207629
Fixed an issue where a selective push to firewalls failed if the firewalls were enabled with multiple vsys and the push scope contained shared objects in device groups.
Addressed
10.2.4
PAN-207623
Fixed an issue on Panorama where log migration did not complete as expected.
Addressed
10.2.4
PAN-207610
( PA-5200 Series and PA-7000 Series firewalls only ) Fixed an issue where Log Admin Activity was not visible on the web interface.
Addressed
10.2.4
PAN-207602
Fixed an issue where file streams were opened or closed twice due to a race condition which caused Linux to stop responding.
Addressed
10.2.4
PAN-207601
Fixed an issue where URL cloud connections were unable to resolve the proxy server hostname.
Addressed
10.2.4
PAN-207533
Fixed an issue with firewalls in HA configurations where ARP and IPv6 multicast packets were transmitted from the passive firewall.
Addressed
10.2.4
PAN-207455
Fixed an issue where the pan_task process stopped responding when processing client certificate requests from the server in TLS1.3.
Addressed
10.2.4
PAN-207426
Fixed an issue where a selective push did not include the Share Unused Address and Service Objects with Devices option on Panorama, which caused the firewall to not receive the objects during the configuration push.
Addressed
10.2.4
PAN-207400
Fixed an issue on Octeon based platforms where fragmented VLAN tagged packets dropped on an aggregate interface.
Addressed
10.2.4
PAN-207390
Fixed an issue where, even after disabling Telemetry, Telemetry system logs were still generated.
Addressed
10.2.4
PAN-207260
A commit option was enabled for Device Group and Template administrators after a password change.
Addressed
10.2.4
PAN-207045
( PA-800 Series firewalls only ) Fixed an issue where PAN-SFP-SX transceivers used on ports 5 to 8 did not renegotiate with peer ports after a reload.
Addressed
10.2.4
PAN-207043
Fixed an issue on PAN-OS 10.2.3 where ports 41-44 remained down when the PAN-QSFP28-DAC-5M cable was connected.
Addressed
10.2.4
PAN-206963
( M-700 Appliances only ) A CLI command was added to check the status of each physical port of a bond1 interface.
Addressed
10.2.4
PAN-206921
Fixed an issue where GlobalProtect client certificate authentication failed on a gateway when the gateway was placed behind a NAT.
Addressed
10.2.4
PAN-206858
Fixed an issue where a segmentation fault occurred due to the useridd process being restarted.
Addressed
10.2.4
PAN-206796
Fixed an issue where cfg.lcaas-region was not reset when it was empty, which caused Strata Logging Service onboarding to fail.
Addressed
10.2.4
PAN-206755
Fixed an issue when a scheduled multi-device group push occurred, the configd process stopped responding, which caused the push to fail.
Addressed
10.2.4
PAN-206658
Fixed a timeout issue in the Intel ixgbe driver that resulted in internal path monitoring failure.
Addressed
10.2.4
PAN-206629
( VM-Series firewalls in AWS environments only ) Fixed an issue where a newly bootstrapped firewalls did not forward logs to Panorama.
Addressed
10.2.4
PAN-206393
( PA-5280 firewalls only ) Fixed an issue where memory allocation errors caused decryption failures that disrupted traffic with SSL forward proxy enabled.
Addressed
10.2.4
PAN-206382
Fixed an issue where authentication sequences were not populated in the drop down when selecting authentication profiles during administrator creation in a template.
Addressed
10.2.4
PAN-206253
( PA-3400 Series firewalls only ) Fixed an issue where the default log rate value was too low, and the maximum configurable log rate was capped incorrectly, which caused the firewall to not generate more than 6826 logs per second.
Addressed
10.2.4
PAN-206251
( PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only ) Fixed an issue where the logrcvr process did not send the system-start SNMP trap during startup.
Addressed
10.2.4
PAN-206233
Fixed an issue where the pan_comm process stopped responding when a content update and a cloud application update occurred at the same time.
Addressed
10.2.4
PAN-206128
( PA-7000 Series firewalls with NPCs (Network Processing Cards) only ) Improved debugging capability for an issue where the firewall restarted due to heartbeat failures and then failed with the following error message: Power not OK .
Addressed
10.2.4
PAN-206077
Fixed an issue on firewalls in active/active HA configurations where, after upgrading to PAN-OS 10.1.6-h6, the active primary firewall did not send HIP reports to the active secondary firewall.
Addressed
10.2.4
PAN-206069
Fixed an issue where the firewall was unable to boot up on older Intel CPUs.
Addressed
10.2.4
PAN-206017
Fixed an issue where the show dos-protection rule command displayed a character limit error.
Addressed
10.2.4
PAN-206005
( PA-3400 Series firewalls only ) Fixed an issue where the l7_misc memory pool was undersized and caused connectivity loss when the limit was reached.
Addressed
10.2.4
PAN-205995
Fixed an issue where logs from unaffected log collector groups were not displayed when a log collector was down.
Addressed
10.2.4
PAN-205955
Fixed an issue where RAID rebuilds occurred even with healthy disks and a clean shutdown.
Addressed
10.2.4
PAN-205877
( PA-5450 firewalls only ) Added debug commands for an issue where a MAC address flap occurred on a neighbor firewall when connecting both MGT-A and MGT-B interfaces.
Addressed
10.2.4
PAN-205829
Fixed an issue where logs did not display Host-ID details for GlobalProtect users despite having a quarantine Security policy rule. This occurred due to a missed local cache lookup.
Addressed
10.2.4
PAN-205804
Fixed an issue on Panorama where a WildFire scheduled update for managed devices triggered multiple UploadInstall jobs per minute.
Addressed
10.2.4
PAN-205729
( PA-3200 Series and PA-7000 Series firewalls only ) Fixed an issue where the CPLD watchdog timeout caused the firewall to reboot unexpectedly.
Addressed
10.2.4
PAN-205699
Fixed an issue where the cloud plugin configuration was automatically deleted from Panorama after a reboot or a configd process restart.
Addressed
10.2.4
PAN-205590
Fixed an issue where the fan tray fault LED light was on even though no alarm was reported in the system environment.
Addressed
10.2.4
PAN-205473
( VM-Series firewalls on Microsoft Hyper-V only ) Fixed an issue where the firewall did not receive any traffic on Layer 3 sub-interfaces from the trunk port.
Addressed
10.2.4
PAN-205453
Fixed an issue where running reports or queries under a user group caused the reportd process to stop responding.
Addressed
10.2.4
PAN-205451
Fixed an issue where the pan_com process stopped responding due to aggressive commits.
Addressed
10.2.4
PAN-205428
Fixed an issue where WildFire submissions failed if the file name contained special characters.
Addressed
10.2.4
PAN-205396
Fixed an issue where SD-WAN adaptive SaaS path monitoring did not work correctly during a next hop link down failure.
Addressed
10.2.4
PAN-205337
Fixed an issue in the Run Now section of custom reports where Threat/Content Name displayed in hypertext, and hovering over the text with the mouse displayed the message undefined .
Addressed
10.2.4
PAN-205260
Fixed an issue where there was an IP address conflict after a reboot due to a transaction ID collision.
Addressed
10.2.4
PAN-205255
Fixed a rare issue that caused the dataplane to restart unexpectedly.
Addressed
10.2.4
PAN-205231
Fixed an issue where a commit operation remained at 55% for longer than expected if more than 7,500 Security policy rules were configured.
Addressed
10.2.4
PAN-205222
Fixed an issue where you were unable to add a new application in a selected policy rule.
Addressed
10.2.4
PAN-205211
Fixed an issue where the reportd process stopped responding while querying logs ( Monitor > Logs > <logtype> ).
Addressed
10.2.4
PAN-205187
Fixed an issue where Elasticsearch did not start properly when a newly installed Panorama virtual appliance powered on for the first time, which caused the Panorama virtual appliance to not query logs forwarded from the managed firewall to a Log Collector.
Addressed
10.2.4
PAN-205096
Fixed an issue where promoted sessions were not synced with all cluster members in an HA cluster.
Addressed
10.2.4
PAN-205030
Fixed an issue where, when a session hit policy based forwarding with symmetric return enabled was not offloaded, the firewall received excessive return-mac update messages, which resulted in resource contention and traffic disruption.
Addressed
10.2.4
PAN-204892
Fixed an issue on Panorama where the web interface was not accessible and displayed the error 504 Gateway Not Reachable due to the mgmtsrvr process not responding.
Addressed
10.2.4
PAN-204851
Fixed an issue where, when performing an advanced factory reset from maintenance mode on a firewall running PAN-OS 10.2.2 or an earlier release and downgrading to PAN-OS 10.1.0 or an earlier release, the firewall entered into maintenance mode after the reboot.
Addressed
10.2.4
PAN-204838
Fixed an issue where the dot1q VLAN tag was missing in ARP reply packets.
Addressed
10.2.4
PAN-204830
Fixed an issue where logging in via the web interface or CLI did not work until an auto-commit was complete.
Addressed
10.2.4
PAN-204749
Fixed an issue where sudden, large bursts of traffic destined for an interface that was down caused packet buffers to fill, which stalled path monitor heartbeat packets.
Addressed
10.2.4
PAN-204690
Fixed an issue where selective configuration pushes failed due to schema validation when both the device group and template stack had the same name.
Addressed
10.2.4
PAN-204663
Fixed an issue on Panorama where you were unable to context switch from one managed firewall to another.
Addressed
10.2.4
PAN-204582
Fixed an issue where, when a firewall acting as a DHCP client received a new DHCP IP address, the firewall did not release old DHCP IP addresses from the IP address stack.
Addressed
10.2.4
PAN-204581
Fixed an issue where, when accessing a web application via the GlobalProtect Clientless VPN, the web application landing page continuously reloaded.
Addressed
10.2.4
PAN-204575
( PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only ) Fixed an issue where the firewall did not forward logs to the log collector.
Addressed
10.2.4
PAN-204482
Fixed an issue where searching threat logs ( Monitor > Logs > Threat ) using the partial hash parameter did not work, which resulted in an invalid operator error.
Addressed
10.2.4
PAN-204456
Fixed an issue related to the logd process that caused high memory consumption.
Addressed
10.2.4
PAN-204335
Fixed an issue where Panorama became unresponsive, and when refreshed, the error 504 Gateway not Reachable was displayed.
Addressed
10.2.4
PAN-204307
( PA-5440, PA-5430, PA-5420 and PA-5410 firewalls only ) Fixed an issue where, when moving interfaces from one aggregate group to another while the interface's link state was down, traffic was not properly routed through the aggregate group until after a second commit.
Addressed
10.2.4
PAN-204271
Fixed an issue where the quarantine device list did not display due to the maximum memory being reached.
Addressed
10.2.4
PAN-204238
Fixed an issue where, when View Rulebase as Groups was enabled, the Tags field did not display a scroll down arrow for navigation.
Addressed
10.2.4
PAN-204216
Fixed an issue where URL categorization failed and the firewall displayed the URL category as not-resolved for all traffic and the following error message was displayed in the device server logs Error(43): A libcurl function was given a bad argument .
Addressed
10.2.4
PAN-204118
Fixed an issue where browser sessions stopped responding for device group template admin users with access domains that had many device groups or templates.
Addressed
10.2.4
PAN-204068
Fixed an issue where a newly created vsys (virtual system) in a template was not able to be pushed from Panorama to the firewall.
Addressed
10.2.4
PAN-203964
( Firewalls in FIPS-CC mode only ) Fixed an issue where the firewall went into maintenance mode due to downloading a corrupted software image, which resulted in the error message FIPS-CC failure. Image File Authentication Error .
Addressed
10.2.4
PAN-203851
Fixed an issue with firewalls in HA configurations where host information profile (HIP) sync did not work between peer firewalls.
Addressed
10.2.4
PAN-203796
Fixed an issue where legitimate syn+ack packets were dropped after an invalid syn+ack packet was ingressed.
Addressed
10.2.4
PAN-203681
( Panorama appliances in FIPS-CC mode only ) Fixed an issue where a leaf certificate was unable to be imported into a template stack.
Addressed
10.2.4
PAN-203663
Fixed an issue where administrators were unable to change the password of a local database for users configured as a local admin user via an authentication profile.
Addressed
10.2.4
PAN-203653
Fixed an issue where dynamic updates were completed even when configuration commits failed, which caused the all_task process to stop responding.
Addressed
10.2.4
PAN-203618
Fixed an issue where, when SSL/TLS Handshake Inspection was enabled, SSL/TLS sessions were incorrectly reset if a Security policy rule with no Security profiles configured was matched.
Addressed
10.2.4
PAN-203604
Fixed an issue where GlobalProtect authentication failed for SAML username with a special character.
Addressed
10.2.4
PAN-203563
Fixed an issue with Content and Threat Detection allocation storage space where performing a commit failed with a CUSTOM_UPDATE_BLOCK error message.
Addressed
10.2.4
PAN-203430
Fixed an issue where, when the User-ID agent had collector name/secret configured, the configuration was mandatory on clients on PAN-OS 10.0 and later releases.
Addressed
10.2.4
PAN-203402
Fixed an intermittent issue where forward session installs were delayed, which resulted in latencies.
Addressed
10.2.4
PAN-203362
Fixed an issue where the rasmgr process restarted due to a null reference.
Addressed
10.2.4
PAN-203339
Fixed an issue where services failed due to the RAID rebuild not being completed on time.
Addressed
10.2.4
PAN-203330
Fixed an issue where the certificate for an External Dynamic List (EDL) incorrectly changed from invalid to valid, which caused the EDL file to be removed.
Addressed
10.2.4
PAN-203320
Fixed an issue where configuring the firewall to connect with Panorama using an auth key and creating the auth key without adding the managed firewall to Panorama first, the auth key was incorrectly decreased incrementally.
Addressed
10.2.4
PAN-203147
( Firewalls in FIPS-CC mode only ) Fixed an issue where the firewall unexpectedly rebooted when downloading a new PAN-OS software image.
Addressed
10.2.4
PAN-203137
( PA-5450 firewalls only ) Fixed an issue where HSCI ports did not come up when QSFP DAC cables were used.
Addressed
10.2.4
PAN-202946
Fixed an issue where the request high-availability session-reestablish command was not available for API.
Addressed
10.2.4
PAN-202918
Fixed an issue where processing route-table entries did not work as expected.
Addressed
10.2.4
PAN-202872
Fixed an issue where an incorrect URL list limit displayed during a commit.
Addressed
10.2.4
PAN-202783
( PA-7000 Series firewalls with 100G NPC (Network Processing Cards) only ) Fixed an issue where sudden, large bursts of traffic destined for an interface that was down caused packet buffers to fill, which stalled path monitor heartbeat packets.
Addressed
10.2.4
PAN-202722
Fixed an issue where the factor completion time for login events learned through XML API displayed as 1969/12/31 19:00:00 .
Addressed
10.2.4
PAN-202593
Fixed an issue where expanding Global Find results displayed only the top level and second level of a searched item.
Addressed
10.2.4
PAN-202544
An enhancement was made to collect CPLD register data after a path monitor failure.
Addressed
10.2.4
PAN-202543
An enhancement was made to improve path monitor data collection by verifying the status of the control network.
Addressed
10.2.4
PAN-202535
Fixed an issue where the Device Telemetry configuration for a region was unable to be set or edited via the web interface.
Addressed
10.2.4
PAN-202451
Fixed an issue where Retrieve Framed-IP-Address attribute from the authentication server fails generating GlobalProtect connection failure with the error Assign private IP address failed .
Addressed
10.2.4
PAN-202450
Fixed an issue where the device-client-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.4
PAN-202295
Fixed an issue where read-only superusers were unable to see the Commit All job status, warnings, or errors for Panorama device groups.
Addressed
10.2.4
PAN-202282
Fixed an issue where stats dump files did not display all necessary reports.
Addressed
10.2.4
PAN-202264
( VM-Series firewalls only ) Fixed an issue where an automatic site license activation for a PAYG license did not register in the Customer Support Portal.
Addressed
10.2.4
PAN-202248
Fixed an issue where, due to a tunnel content inspection (TCI) policy match, IPSec traffic did not pass through the firewall when NAT was performed on the traffic.
Addressed
10.2.4
PAN-202194
Fixed an SD-WAN link issue that occurred when Aggregate Ethernet without a member interface was configured as an SD-WAN interface.
Addressed
10.2.4
PAN-202140
Fixed an issue where the comm process stopped responding due to an OOM condition.
Addressed
10.2.4
PAN-202101
Fixed an issue where firewalls stopped responding after an upgrade due to configuration corruption.
Addressed
10.2.4
PAN-202095
Fixed an issue on the web interface where the language setting is not retained.
Addressed
10.2.4
PAN-202040
( PA-220 firewalls only ) Fixed an issue where ECDSA fingerprints were not displayed.
Addressed
10.2.4
PAN-202012
A debug command was introduced to control Gzip encoding for the GlobalProtect Clientless VPN application.
Addressed
10.2.4
PAN-201973
( PA-3400 Series firewalls only ) Fixed an issue where the management interface could not be assigned as an HA port.
Addressed
10.2.4
PAN-201954
Fixed an issue where NAT policy rules were deleted on managed devices after a successful push from Panorama to multiple device groups. This occurred when NAT policy rules had device_tags selected in the target section.
Addressed
10.2.4
PAN-201910
Fixed an issue where some Security profiles consumed a large amount of memory, which reduced the number of supported Security profiles below the stated maximum for a platform.
Addressed
10.2.4
PAN-201900
Fixed an internal path monitoring failure issue that caused the dataplane to go down.
Addressed
10.2.4
PAN-201860
Fixed an issue where the Device Quarantine list was not redistributed or updated on Panorama and Prisma Access in a full mesh topology.
Addressed
10.2.4
PAN-201858
Fixed an issue where the SD-WAN interface Maximum Transmission Unit (MTU) led to incorrect fragmentation of IPSec traffic.
Addressed
10.2.4
PAN-201839
Fixed an issue where GlobalProtect HIP match failed for Mac users due to invalid characters being present in the subject alternative attributes in the certificate on the HIP report.
Addressed
10.2.4
PAN-201818
Fixed an issue where INIT SCTP packets were dropped after being processed by the CTD, and silent drops occurred even with SCTP no-drop function enabled.
Addressed
10.2.4
PAN-201714
Fixed an issue with GlobalProtect where attempting to authenticate with the GlobalProtect gateway returned a 502 error code.
Addressed
10.2.4
PAN-201701
Fixed an issue where the firewall generated system log alerts if the raid for a system or log disk was corrupted.
Addressed
10.2.4
PAN-201639
Fixed an issue with Saas Application Usage reports where Applications with Risky Characteristics displayed only two applications per section.
Addressed
10.2.4
PAN-201632
Fixed an issue where the all_task stopped responding with a segmentation fault due to an invalid interface port.
Addressed
10.2.4
PAN-201601
Fixed an issue where the all_task process stopped responding after adding customer hyperscan signatures.
Addressed
10.2.4
PAN-201587
Fixed an issue where the App Pcaps directory size was incorrectly detected which caused commit errors.
Addressed
10.2.4
PAN-201580
Fixed an issue where the useridd process stopped responding due to an invalid vsys_id request.
Addressed
10.2.4
PAN-201561
Fixed an issue where LSVPN satellite authentication cookies were not synced across high availability LSVPN portals.
Addressed
10.2.4
PAN-201360
Fixed an issue with Panorama managed log collector statistics where the oldest logs displayed on the primary Panorama appliance and the secondary Panorama appliance did not match.
Addressed
10.2.4
PAN-201357
The CLI command debug dataplane set pow no-desched yes was added to address an issue where the all_pktproc process stopped responding and caused traffic issues.
Addressed
10.2.4
PAN-201136
Fixed an issue where IGMP packets were offloaded with frequent IGMP Join and Leave messages from the client.
Addressed
10.2.4
PAN-201085
( PA-5450 firewalls only ) Fixed an issue where inserting the NPC and DPC on slot2 created excessive logs in the bcm.log file.
Addressed
10.2.4
PAN-200946
Fixed an issue with firewalls in active/passive HA configurations where GRE tunnels went down due to recursive routing when the passive firewall was booting up. When the passive firewall became active and no recursive routing was configured, the GRE tunnel remained down.
Addressed
10.2.4
PAN-200914
( PA-3440 firewalls only ) Fixed an issue where the default NAT DIPP pool oversubscription was set to 2 instead of 4.
Addressed
10.2.4
PAN-200845
( M-600 Appliances in Management-only mode only ) Fixed an issue where XML API queries failed due to the configuration size being larger than expected.
Addressed
10.2.4
PAN-200774
Fixed an issue where SCEP certificate import did not work on the firewall when the certificate name contained a period ( . ).
Addressed
10.2.4
PAN-200676
Fixed an issue with firewalls in active/passive HA configurations where the user counts in the management plane were not synchronized between the active and the passive firewall.
Addressed
10.2.4
PAN-200463
Fixed an issue where disabling strict-username-check did not apply to admin users authenticating with SAML.
Addressed
10.2.4
PAN-200356
Fixed an issue where the Elapsed seconds field incorrectly displayed as 0 for DHCP packets coming from the firewall.
Addressed
10.2.4
PAN-200354
Fixed an issue where the firewall did not initiate scheduled log reports.
Addressed
10.2.4
PAN-200160
Fixed a memory leak issue on Panorama related to the logd process that caused an out-of-memory (OOM) condition.
Addressed
10.2.4
PAN-200116
Fixed an issue where Elasticsearch displayed red due to frequent tunnel check failures between HA clusters.
Addressed
10.2.4
PAN-200103
Fixed an issue where decryption logs were not displayed under Manage Custom Reports for custom Panorama admin users.
Addressed
10.2.4
PAN-200102
Fixed an issue on the firewall web interface that prevented applications from loading under any policy or in any location where application IDs were able to be refreshed.
Addressed
10.2.4
PAN-200035
Fixed an issue where the firewall reported General TLS Protocol Error for TLSv1.3 when the firewall closed a TCP connection to the server via a FIN packet without waiting for the handshake to complete.
Addressed
10.2.4
PAN-200019
Fixed an issue on Panorama where Virtual Routers ( Network > Virtual Routers ) was not available when configuring a custom Panorama admin role ( Panorama > Admin Roles ).
Addressed
10.2.4
PAN-199965
Fixed an issue where the reportd process stopped responding on log collectors during query and report operations due to a race condition between request handling threads.
Addressed
10.2.4
PAN-199821
Fixed an issue where the Include/Exclude IPs filter under Data Redistribution did not consistently filter IP addresses correctly.
Addressed
10.2.4
PAN-199807
Fixed an issue where the dataplane frequently restarted due to high memory usage on wifclient.
Addressed
10.2.4
PAN-199726
Fixed an issue with firewalls in HA configurations where both firewalls responded with gARP messages after a switchover.
Addressed
10.2.4
PAN-199661
( VM-Series firewalls in ESXI environments only ) Fixed an issue where the number of used packet buffers was not calculated properly, and packet buffers displayed as a higher value than the correct value, which triggered PBP Alerts. This occurred when the driver name was not compatible with new DPDK versions.
Addressed
10.2.4
PAN-199612
Fixed a sync issue with firewalls in active/active HA configurations.
Addressed
10.2.4
PAN-199570
Fixed an issue where uploading certificates using a custom admin role did not work as expected after a context switch.
Addressed
10.2.4
PAN-199543
Resolved failed authentication for Radius and TLS where shared secret was striped for FIPS mode
Addressed
10.2.4
PAN-199500
Fixed an issue where, when many NAT policy rules were configured, the pan_comm process stopped responding after a configuration commit due to a high number of debug messages.
Addressed
10.2.4
PAN-199410
Fixed an issue where system logs for syslog activities were categorized as general under Type and EVENT columns.
Addressed
10.2.4
PAN-199214
Fixed an intermittent issue where downloading threat pcap via XML API failed with the following error message: /opt/pancfg/session/pan/user_tmp/XXXXX/YYYYY.pcap does not exist .
Addressed
10.2.4
PAN-199141
Fixed an issue where renaming a device group and then performing a partial commit led to the device group hierarchy being incorrectly changed.
Addressed
10.2.4
PAN-198920
Fixed an issue where configuration changes caused a previously valid interface ID to become invalid due to HA switchovers delaying the configuration push.
Addressed
10.2.4
PAN-198889
Fixed an issue where the logd process stopped responding if some devices in a collector group were on a PAN-OS 10.1 device and others were on a PAN-OS 10.0 release. This issue affected the devices on a PAN-OS 10.0 release.
Addressed
10.2.4
PAN-198871
Fixed an issue when both URL and Advanced URL licenses were installed, the expiry date was not correctly checked.
Addressed
10.2.4
PAN-198718
( PA-5280 firewalls only ) Fixed an issue where memory allocation failures caused increased decryption failures.
Addressed
10.2.4
PAN-198693
Fixed an issue where decrypted SSH sessions were interrupted with a decryption error.
Addressed
10.2.4
PAN-198691
Added an alternate health endpoint to direct health probes on the firewall (https://firewall/unauth/php/health.php) to address an issue where /php/login.php performance was slow when large amounts of traffic were being processed.
Addressed
10.2.4
PAN-198575
Fixed an issue where data did not load when filtering by Threat Name ( ACC > Threat Activity ).
Addressed
10.2.4
PAN-198333
Fixed an issue where the SaaS PDF report incorrectly displayed the sanctioned application tag count as 1.
Addressed
10.2.4
PAN-198306
Fixed an issue where the useridd process stopped responding when booting up the firewall.
Addressed
10.2.4
PAN-198174
Fixed an issue where, when viewing traffic or threat logs from the Application Command Center (ACC) or Monitor tabs, performing a reverse DNS lookup caused the dnsproxy process to restart if DNS server settings were not configured.
Addressed
10.2.4
PAN-198078
Fixed an issue where VXLAN keepalive packets were dropped randomly.
Addressed
10.2.4
PAN-198038
A CLI command was added to address an issue where long-lived sessions were aging out even when there was ongoing traffic.
Addressed
10.2.4
PAN-197953
Fixed an issue where the logd process stopped responding due to forwarded threat logs, which caused Panorama to reboot into maintenance mode.
Addressed
10.2.4
PAN-197935
Fixed an intermittent issue where XML API IP address tag registration failed on firewalls in a multi-vsys environment.
Addressed
10.2.4
PAN-197919
Fixed an issue where, when path monitoring for a static route was configured with a new Ping Interval value, the value was not used as intended.
Addressed
10.2.4
PAN-197908
Fixed an issue where Strata Logging Service flaps occurred for long durations which caused a memory leak related to the mgmtsrvr process.
Addressed
10.2.4
PAN-197877
Fixed an intermittent issue on Panorama where the distributord process stopped responding.
Addressed
10.2.4
PAN-197872
Fixed an issue where the useridd process generated false positive critical errors.
Addressed
10.2.4
PAN-197847
Fixed an issue where disabling the enc-algo-aes-128-gcm cipher did not work when using an SSL/TLS profile.
Addressed
10.2.4
PAN-197737
Fixed an issue where the connection to the PAN-DB server failed with following error message: Failed to send req type[3], curl error: Couldn't resolve host name .
Addressed
10.2.4
PAN-197729
Fixed an issue where repeated configuration pushes from Panorama resulted in a management server memory leak.
Addressed
10.2.4
PAN-197678
Fixed an issue where the dataplane stopped responding, which caused internal path monitoring failure.
Addressed
10.2.4
PAN-197582
Fixed an issue where, after upgrading to PAN-OS 10.1.6, the firewall reset SSL connections that used policy-based forwarding.
Addressed
10.2.4
PAN-197563
Fixed an issue in the User Activity Report where output fields started with the letter b .
Addressed
10.2.4
PAN-197549
Fixed an issue where making GlobalProtect gateway configuration changes resulted in a HIP notification error.
Addressed
10.2.4
PAN-197426
Fixed an issue on Panorama where, when attempting to view the Monitor page , the error invalid term was displayed.
Addressed
10.2.4
PAN-197386
Fixed an issue where traffic that was subject to network packet broker inspection entered a looping state due to incorrect session offload.
Addressed
10.2.4
PAN-197339
Fixed an issue where template configuration for the User-ID agent was not reflected on the template stack on Panorama appliances on PAN-OS 10.2.1.
Addressed
10.2.4
PAN-197298
Fixed an issue where the audit comment archive for Security rule changes output had overlapping formats.
Addressed
10.2.4
PAN-197203
Fixed an intermittent issue where, if SSL/TLS Handshake Inspection was enabled, multiple processes stopped responding when the firewall was processing packets.
Addressed
10.2.4
PAN-197121
Fixed an issue where incorrect user details were displayed under the USER DETAIL drop-down ( ACC > Network activity > User activity ).
Addressed
10.2.4
PAN-197115
Fixed an issue where, when the total number of in-used HIP profiles was greater than 32, traffic from the GlobalProtect Agent did not hit the expected Security policy rule configured with the HIP profile even though a HIP match log was generated.
Addressed
10.2.4
PAN-197097
Fixed an issue where LSVPN did not support IPv6 addresses on the satellite firewall.
Addressed
10.2.4
PAN-196954
Fixed a memory leak issue related to the distributord process.
Addressed
10.2.4
PAN-196874
Fixed an issue where, when the firewall accepted ICMP redirect messages on the management interface, the firewall did not clear the route from the cache.
Addressed
10.2.4
PAN-196840
Fixed an issue where exporting a Security policy rule that contained Korean language characters to CSV format resulted in the policy description being in a non-readable format.
Addressed
10.2.4
PAN-196811
Fixed an issue where logout events without a username caused high CPU usage.
Addressed
10.2.4
PAN-196715
Fixed an issue where you could not directly edit Services and Address objects from the Policies tab.
Addressed
10.2.4
PAN-196704
Fixed an issue where Preview Changes on Panorama Push to Devices incorrectly displayed changes to encrypted entries.
Addressed
10.2.4
PAN-196701
Fixed an issue where the firewall did not properly measure the Panorama connection keepalive timer, which caused a Panorama HA failover to take longer than expected.
Addressed
10.2.4
PAN-196671
( PA-3400 Series firewalls and PA-5410, PA-5420, and PA-5430 firewalls only ) Addressed an issue to improve network latency,
Addressed
10.2.4
PAN-196583
Fixed an issue where the Cisco TrustSEc plugin triggered a flood of redundant register/unregister messages due to a failed IP address tag database search.
Addressed
10.2.4
PAN-196566
Fixed an issue where the useridd process restarted repeatedly which let to an OOM condition.
Addressed
10.2.4
PAN-196558
Fixed an issue where IP address tag policy updates were delayed.
Addressed
10.2.4
PAN-196474
Fixed an issue where, when a decryption profile was configured with TLSv1.2 or later, web pages utilizing TLS1.0 were blocked with an incorrect ERR_TIME_OUT message instead of an ERR_CONNECTION_RESET message.
Addressed
10.2.4
PAN-196467
Fixed an issue where enabling strict IP address checks in a Zone Protection profile caused GRE tunnel packets to be dropped.
Addressed
10.2.4
PAN-196457
Fixed an issue where extraneous logs displayed in the Traffic log when Security policy settings were changed.
Addressed
10.2.4
PAN-196452
Fixed an issue where DNS queries failed from source port 4789 with a NAT configuration.
Addressed
10.2.4
PAN-196450
Fixed an issue where certificates with whitespaces in the name or common name (CN) were not able to be imported.
Addressed
10.2.4
PAN-196410
Fixed an issue where you were unable to customize the risk value in Risk-of-app .
Addressed
10.2.4
PAN-196309
( PA-5450 firewalls only ) Fixed an issue where a firewall configured with a Policy-Based Forwarding policy flapped when a commit was performed, even when the next hop was reachable.
Addressed
10.2.4
PAN-196131
Fixed an issue where the comm process stopped responding when a show command was executed in two sessions.
Addressed
10.2.4
PAN-196105
Fixed an issue on the firewall where using special characters in a password caused authentication to fail when connecting to the GlobalProtect portal with GlobalProtect satellite configured.
Addressed
10.2.4
PAN-196050
Fixed an issue on Panorama where logs did not populate when one log collector in a log collector group was down.
Addressed
10.2.4
PAN-196003
Fixed an issue where the Adjust Columns options for Panorama traffic logs did not correctly auto-adjust the columns.
Addressed
10.2.4
PAN-195988
Fixed an issue where commits failed when an AS path regular expression that included the ( _ ) character was specified in the virtual router BGP configuration export rule.
Addressed
10.2.4
PAN-195893
Fixed an issue where daily PDF summary reports were not generated when the Application Report was selected.
Addressed
10.2.4
PAN-195869
Fixed an issue where scheduled custom reports based on firewall data did not display any information.
Addressed
10.2.4
PAN-195828
Fixed an issue where SNMP reported the panVsysActiveTcpCps and panVsysActiveUdpCps value to be 0.
Addressed
10.2.4
PAN-195792
Fixed an issue where, when generating a stats dump file for a managed device from Panorama ( Panorama > Support > Stats Dump File ), the file did not display any data.
Addressed
10.2.4
PAN-195790
Fixed an issue where syslog traffic that was sent from the management interface to the syslog server even when a destination IP address service route was configured.
Addressed
10.2.4
PAN-195713
Fixed an issue where clientless VPN applications were not displayed in the GlobalProtect portal page.
Addressed
10.2.4
PAN-195695
Fixed an issue where the AppScope Summary report and PDF report export function did not work as expected.
Addressed
10.2.4
PAN-195669
Fixed an issue with Panorama appliances in HA configurations where a passive Panorama appliance generated CMS Redistribution Client is connected to global collector messages.
Addressed
10.2.4
PAN-195659
Fixed an issue with firewalls in HA configurations where ping responses from the target IP addresses were much delayed after a configuration push.
Addressed
10.2.4
PAN-195583
Fixed an issue where, after renaming an object, configuration pushes from Panorama failed with the commit error object name is not an allowed keyword .
Addressed
10.2.4
PAN-195526
Fixed an issue where the firewall system log received a large amount of error messages when attempting a connection between the firewall and Panorama.
Addressed
10.2.4
PAN-195374
( Firewalls in active/passive HA configurations only ) Fixed an issue where, when redistribution agent connections to the passive firewall failed, excessive system alerts for the failed connection were generated. With this fix, system alerts are logged every 5 hours instead of 10 minutes.
Addressed
10.2.4
PAN-195201
Fixed an issue where high volume DNS Security traffic caused the firewall to reboot.
Addressed
10.2.4
PAN-195200
Fixed an issue where Panorama did not attach and email scheduled reports ( Monitor > PDF > Reports > Email Scheduler ) when the size of the email attachments was large.
Addressed
10.2.4
PAN-195114
Fixed an issue where proxy ARP responded on the wrong interface when the same subnet was in two virtual routers.
Addressed
10.2.4
PAN-195107
( PA-7000s Series firewalls with LFCs only ) Fixed an issue where the IP address of the LFC displayed as unknown .
Addressed
10.2.4
PAN-195064
Fixed an issue where the log collector did not forward correlation logs to the syslog server.
Addressed
10.2.4
PAN-194912
Fixed an issue where the CLI command show applications list did not return any outputs.
Addressed
10.2.4
PAN-194812
Fixed an issue where generating reports via XML API failed when the serial number was set as target in the query.
Addressed
10.2.4
PAN-194805
Fixed an issue where scheduled configuration backups to the SCP server failed with error message No ECDSA host key is known .
Addressed
10.2.4
PAN-194737
Fixed an issue where path monitor displayed as deleted when it was disabled, which caused a preview change in the summary for static routes.
Addressed
10.2.4
PAN-194704
Fixed an issue with SIP ALG where improper NAT was applied when Destination NAT ran out of IP addresses.
Addressed
10.2.4
PAN-194615
Fixed an issue where the packet broker session timeout value did not match the master sessions timeout value after the firewall received a TCP FIN or RST packet. The fix ensures that Broker session times out within 1 second after the master session timed out.
Addressed
10.2.4
PAN-194441
Fixed an issue where the dataplane CPU usage was higher than expected due to packet looping in the broker session when the network packet broker was enabled.
Addressed
10.2.4
PAN-194175
Fixed an issue on Panorama where a commit push to managed firewalls failed when objects were added as source address exclusions in a Security policy and Share Unused Address and Service Objects with Devices was unchecked.
Addressed
10.2.4
PAN-194068
( PA-5200 Series firewalls only ) Fixed an issue where the firewall unexpectedly rebooted with the log message Heartbeat failed previously .
Addressed
10.2.4
PAN-194043
Fixed an issue where Managed Devices > Summary did not reflect new tag values after an update.
Addressed
10.2.4
PAN-194031
( PA-220 Firewalls only ) Fixed an issue where system log configurations did not work as expected due to insufficient process timeout after a logrcvr process restart.
Addressed
10.2.4
PAN-194025
Fixed an issue where the ikemgr process stopped responding due to a timing issue, which caused VPN tunnels to go down.
Addressed
10.2.4
PAN-193879
Fixed an issue on Panorama where the push scope was delayed for commit and push operations.
Addressed
10.2.4
PAN-193831
Fixed an issue where internal routes were added to the routing table even after disabling dynamic routing protocols.
Addressed
10.2.4
PAN-193808
Fixed a memory leak issue in the mgmtsrvr process that resulted in an OOM condition.
Addressed
10.2.4
PAN-193733
( Firewalls in multi-vsys environments only ) Fixed an issue where IP tag addresses were not synced to all virtual systems (vsys) when they were pushed to the firewall from Panorama via XML API.
Addressed
10.2.4
PAN-193619
Fixed an issue where air gapped firewalls and Panorama appliances performed excessive validity checks to updates.paloaltonetworks.com, which caused software installs to fail.
Addressed
10.2.4
PAN-193558
Fixed an issue where log retention settings Multi Disk did not display correct values on the firewall web interface when the settings were configured using a Panorama template or template stack.
Addressed
10.2.4
PAN-193396
Fixed an issue where the source user name was displayed in traffic logs even when Show User Names In Logs and Reports was disabled for a custom admin role.
Addressed
10.2.4
PAN-193323
Fixed an issue where root partition utilization reached 100% due to mdb old logs not being purged as expected.
Addressed
10.2.4
PAN-193281
Fixed an issue where the logrcvr process stopped responding after a content update on the firewall.
Addressed
10.2.4
PAN-193245
Fixed an issue where, when using syslog-ng forwarding via SSL, with a Base Common Name (CN) and multiple Subject Alternative Names (SANs) were listed in the certificate.
Addressed
10.2.4
PAN-193175
Fixed an issue where PBP Drops (8507) threat logs were incorrectly logged as SCTP Init Flood (8506) .
Addressed
10.2.4
PAN-193043
Fixed an issue with the where firewalls in Google Cloud Platforms (GCP) inserted the hostname as PA-VM in the syslog header instead of the DHCP assigned hostname when logs were being sent to the syslog server.
Addressed
10.2.4
PAN-193026
Fixed an issue where warning messages were generated during commits when configuration details of two profiles were identical.
Addressed
10.2.4
PAN-192681
Fixed an issue where HIP database storage on the firewall reached full capacity due to the firewall not purging older HIP reports.
Addressed
10.2.4
PAN-192513
Fixed an issue where log migration did not work when converting a Legacy mode Panorama appliance to Log Collector mode.
Addressed
10.2.4
PAN-192456
Fixed an issue where GlobalProtect SSL VPN processing during a high traffic load caused the dataplane to stop responding.
Addressed
10.2.4
PAN-192417
Fixed an issue where botnet reports were not generated on the firewall.
Addressed
10.2.4
PAN-192296
Fixed an issue where, when you saved a SaaS application report as a PDF or sent it to print, the size of the report was smaller than expected.
Addressed
10.2.4
PAN-192244
Fixed an issue where scheduled log export jobs continued to run even after being deleted.
Addressed
10.2.4
PAN-192193
Fixed an issue where exporting a list of managed collectors via the Panorama web interface failed with the following error message: Export Error, Error while exporting
Addressed
10.2.4
PAN-192188
( PA-5450 firewalls only ) Fixed an issue where the show running resource-monitor ingress-backlogs CLI command failed with the following error message: Server error : Failed to intepret the DP response .
Addressed
10.2.4
PAN-192092
Fixed an issue with firewalls in active/passive configurations only where the registered cookie from the satellite firewall to the passive firewall did not sync, which caused authentication between the satellite firewall and the GlobalProtect portal firewall to fail after a failover event.
Addressed
10.2.4
PAN-192076
Added debug logs for visibility into an OpenSSL memory initialization issue that caused unexpected failovers.
Addressed
10.2.4
PAN-191997
Fixed an issue where log queries did not successfully filter the unknown category.
Addressed
10.2.4
PAN-191652
Fixed an issue with Prisma Cloud where a commit push failed due to the error Error: failed to handle TDB_UPDATE_BLOCK .
Addressed
10.2.4
PAN-191463
Fixed an issue where the firewall did not handle packets at Fastpath when the interface pointer was null.
Addressed
10.2.4
PAN-191408
Fixed an issue where the firewall did not correctly receive dynamic address group information from Panorama after a reboot or initial connection.
Addressed
10.2.4
PAN-191390
( VM-Series firewalls only ) Fixed an issue where the management plane CPU was incorrectly calculated as high when logged in the mp-monitor.log.
Addressed
10.2.4
PAN-191352
Fixed an intermittent issue where high latency was observed on the web interface and CLI due to high CPU usage related to the sadc process.
Addressed
10.2.4
PAN-191235
Fixed an issue with firewalls in HA configurations where the passive firewall attempted to connect to a hardware security module (HSM) client when a service route was configured, which caused dynamic updates and software updates to fail.
Addressed
10.2.4
PAN-191032
Fixed an issue on Panorama where Managed Devices displayed Unknown .
Addressed
10.2.4
PAN-190533
Fixed an issue where addresses and address groups were not displayed for users in Security admin roles.
Addressed
10.2.4
PAN-190502
Fixed an issue where the Policy filter and Policy optimizer filter were required to have the exact same syntax, including nested conditions with rules that contained more than one tag when filtering via the neq operator.
Addressed
10.2.4
PAN-190454
Fixed an issue where, while authenticating, the allow list check failed for vsys users when a SAML authentication profile was configured under shared location .
Addressed
10.2.4
PAN-190409
( PA-5450 and PA-3200 Series firewalls that use an FE101 processor only ) Fixed an issue where packets in the same session were forwarded through a different member of an aggregate ethernet group when the session was offloaded. The fix is that you can use the following CLI command to change the default tag setting to the tuple setting:
admin@firewall> set session lag-flow-key-type ?
> tag tag
> tuple tuple
tag is the default behavior (tag based on the CPU, tuple based on the FE).
tuple is the new behavior, where both CPU and FE use the same selection algorithm.
Use the following command to display the algorithm:
admin@firewall> show session lag-flow-key-type
dp0: tuple based on fe100
dp1: tuple based on fe100
Addressed
10.2.4
PAN-190266
Fixed an issue that stopped the all_task process to stop responding at the pan_sdwan_qualify_if_ini function.
Addressed
10.2.4
PAN-189960
Fixed an issue on Panorama where you were unable to view the last address object moved to the shared template list.
Addressed
10.2.4
PAN-189866
Fixed an issue with the web interface where group include lists used server profiles instead of LDAP proxy.
Addressed
10.2.4
PAN-189783
Fixed an issue where container resource limits were not enforced for all processes when running inside a container.
Addressed
10.2.4
PAN-189719
Fixed an issue on Panorama where Test Server Connection failed in an HTTP server profile with the following error message: failed binding local connection end .
Addressed
10.2.4
PAN-189718
Fixed an issue where the number of sessions did not reach the expected maximum value with Security profiles.
Addressed
10.2.4
PAN-189666
Fixed an issue where GlobalProtect portal connections failed after random commits when multiple agent configurations were provisioned and configuration selection criteria using certificate profile was used.
Addressed
10.2.4
PAN-189643
Fixed an issue where, when QoS was enabled on an IPSec tunnel, traffic failed due to applying the wrong tunnel QoS ID.
Addressed
10.2.4
PAN-189518
Fixed an issue where incoming DNS packets with looped compression pointers caused the dnsproxyd process to stop responding.
Addressed
10.2.4
PAN-189425
Fixed an issue on Panorama where Export Panorama and devices config bundle ( Panorama > Setup > Operations ) failed with the following error message: Failed to redirect error to /var/log/pan/appweb3-panmodule.log (Permission denied) .
Addressed
10.2.4
PAN-189379
Fixed an issue where FQDN based Security policy rules did not match correctly.
Addressed
10.2.4
PAN-189375
Fixed an issue where, when migrating the firewall, the firewall dropped packets when trying to re-use the TCP session.
Addressed
10.2.4
PAN-189335
Fixed an issue where the varrcvr process restarted repeatedly, which caused the firewall to restart.
Addressed
10.2.4
PAN-189300
Fixed an issue where Panorama appliances in active/passive HA configurations reported the false positive system log Failed to sync vm-auth-key when a VM authentication key was generated on the active appliance.
Addressed
10.2.4
PAN-189200
Fixed an issue where sinkholes did not occur for AWS Gateway Load Balancer dig queries.
Addressed
10.2.4
PAN-189027
Fixed an issue where the dataplane CPU utilization provided from the web interface or via SNMP was incorrect.
Addressed
10.2.4
PAN-188933
Fixed an issue where the UDP checksum wasn't correctly calculated for VXLAN traffic after applying NAT.
Addressed
10.2.4
PAN-188912
Fixed an issue where authentication failed due to a process responsible for handling authentication requests going into an irrecoverable state.
Addressed
10.2.4
PAN-188519
( VM-Series firewalls only ) Fixed an issue where, when manually deactivating the license, the admin user did not receive the option to download the token file and upload it to the Customer Support Portal (CSP) to deactivate the license.
Addressed
10.2.4
PAN-188904
Fixed an issue where web pages and web page contents were not properly loaded when cloud inline categorization was enabled.
Addressed
10.2.4
PAN-188506
Fixed an issue where the ctd_dns_malicious_fwd counter incorrectly increased incrementally.
Addressed
10.2.4
PAN-188403
Fixed an issue on the web interface where the interzone-default rule hit count was not displayed.
Addressed
10.2.4
PAN-188348
Fixed an issue where encapsulating Security payload packets originating from the firewall were dropped when strict IP address check was enabled in a zone protection profile.
Addressed
10.2.4
PAN-188291
Fixed an issue where, when using Global Find on the web interface to search for a given Hostname Configuration (Device > Setup > Management) , clicking the search result directed you to the appropriate Hostname configuration, but did not change the respective Template field automatically.
Addressed
10.2.4
PAN-188272
( PA-5200 Series and PA-7000 Series firewalls only ) Fixed an issue where Support UTF-8 For Log Output wasn't visible on the web interface.
Addressed
10.2.4
PAN-188118
Fixed an issue with firewalls in FIPS mode that prevented device telemetry from connecting.
Addressed
10.2.4
PAN-187763
Fixed an issue where DNS Security logs did not display a threat category, threat name, or threat ID when domain names contained 64 or more characters.
Addressed
10.2.4
PAN-187438
( PA-5400 Series firewalls only ) Fixed an issue where HSCI interfaces didn’t come up when using BiDi transceivers.
Addressed
10.2.4
PAN-187279
Fixed an issue where not all quarantined devices were displayed as expected.
Addressed
10.2.4
PAN-186530
Fixed an issue where the current date was incorrectly printed as the last license check date.
Addressed
10.2.4
PAN-186471
Fixed an issue where, when exporting to CSV in Global Find, the firewall truncated names of rules that contained over 40 characters.
Addressed
10.2.4
PAN-186412
Fixed an issue where invalid packet-ptr was seen in work entries.
Addressed
10.2.4
PAN-186294
Fixed an issue where commits from Panorama failed on the firewall due to the virtual router name character limit.
Addressed
10.2.4
PAN-186270
Fixed an issue where, when HA was enabled and a dynamic update schedule was configured, the configd process unexpectedly stopped responding during configuration commits.
Addressed
10.2.4
PAN-185770
Fixed an issue where the firewall displayed the error message Malformed Request when an email address included an ampersand ( & ) when configuring an email server profile.
Addressed
10.2.4
PAN-185466
Fixed an issue where WildFire submission did not work as expected.
Addressed
10.2.4
PAN-185394
( PA-7000 Series firewalls only ) Fixed an issue where not all changes to the template were reflected on the firewall.
Addressed
10.2.4
PAN-185360
Fixed an issue where, when Captive Portal Authentication was configured, l3svc_ngx_error.log and l3svc_access.log did not roll over after exceeding 10 megabytes, which caused the root partition to reach full utilization.
Addressed
10.2.4
PAN-185287
( PA-7050 firewalls with Network Processing Cards (NPCs) only ) Debug commands were added to address an issue where the firewall's NPC Slot2 failed and multiple dataplane processes stopped responding.
Addressed
10.2.4
PAN-185234
( VM-Series firewalls only ) Fixed an issue where the packet buffer utilization was displayed as high even when no traffic was traversing the firewall.
Addressed
10.2.4
PAN-184744
Fixed an issue where the firewall did not decrypt SSL traffic due to a lack of internal resources allocated for decryption.
Addressed
10.2.4
PAN-184708
Fixed an issue where scheduled report emails ( Monitor>PDF Reports>Email Scheduler ) were not emailed as expected if they included a SaaS Application Usage report.
Addressed
10.2.4
PAN-183524
Fixed an issue where GTPv2-c and GTP-U traffic was identified with insufficient-data in the traffic logs.
Addressed
10.2.4
PAN-183375
Fixed an issue where traffic arriving on a tunnel with a bad IP address header checksum was not dropped.
Addressed
10.2.4
PAN-183126
Fixed an issue on Panorama where you were able to attempt to push a number of active schedules to the firewall that was greater than the firewall's maximum capacity.
Addressed
10.2.4
PAN-182875
Fixed an issue where certificate generation using SCEP did not take more than one organizational unit (OU).
Addressed
10.2.4
PAN-182732
Fixed an issue where the GlobalProtect gateway inactivity timer wasn't refreshed even though traffic was passing through the tunnel.
Addressed
10.2.4
PAN-182167
Removed a duplicate save filter Icon in the Audit Comment Archive for Security Rule Audit Comments tab.
Addressed
10.2.4
PAN-181968
( PA-400 Series firewalls in active/passive HA configurations only ) Fixed an issue where, when HA failover occurred, link up on all ports took longer than expected, which caused traffic outages.
Addressed
10.2.4
PAN-181334
Fixed an issue where users with custom admin roles and access domains were unable to view address objects or edit Security rules.
Addressed
10.2.4
PAN-181129
Improved protection against unexpected packets and error handling for traffic identified as SIP.
Addressed
10.2.4
PAN-180948
Fixed an issue where an external dynamic list fetch failed with the error message Unable to fetch external dynamic list. Couldn't resolve host name. Using old copy for refresh .
Addressed
10.2.4
PAN-180690
Fixed an issue where the firewall dropped IPv6 Bi-Directional Forwarding (BFD) packets when IP Spoofing was enabled in a Zone Protection Profile.
Addressed
10.2.4
PAN-179174
Fixed an issue where exported PDF report of the ACC was the incorrect color after upgrading from a PAN-OS 10.1 or later release.
Addressed
10.2.4
PAN-178951
Fixed an issue on the firewall where Agentless User-ID lost parent Security group information after the Security group name of the nested groups on Active Directory was changed.
Addressed
10.2.4
PAN-178728
Fixed an issue where the dcsd process stopped responding when attempting to read the config to update its redis database.
Addressed
10.2.4
PAN-177942
Fixed an issue where, when grouping HA peers, access domains that were configured using multi-vsys firewalls deselected devices or virtual systems that were in other configured access domains.
Addressed
10.2.4
PAN-177562
Fixed an issue where PDF reports were not translated to the configured local language.
Addressed
10.2.4
PAN-177201
Fixed an issue where, when a Panorama appliance on a PAN-OS 9.0 or later release pushed built-in external dynamic lists to a firewall on a PAN-OS 8.1 release, the external dynamic list was removed, but the rule was still pushed to the firewall. With this fix, Panorama will show a validation error when attempting to push a pre-defined external dynamic list to a firewall on a PAN-OS 8.1 release.
Addressed
10.2.4
PAN-176989
Fixed an issue where the CLI command to show SD-WAN tunnel members caused the firewall to stop responding.
Addressed
10.2.4
PAN-176379
Fixed an issue where, when multiple routers were configured under a Panorama template, you were only able to select its own virtual router for next hop.
Addressed
10.2.4
PAN-175244
Fixed an issue on Panorama where the configd process stopped responding when adding, deleting or listing an authentication key.
Addressed
10.2.4
PAN-175142
Fixed an issue on Panorama where executing a debug command caused the logrcvr process to stop responding.
Addressed
10.2.4
PAN-175061
Fixed an issue where filtering threat logs using any value under THREAT ID/NAME displayed the error Invalid term .
Addressed
10.2.4
PAN-174953
Fixed an issue where the firewall didn't update URL categories from the management plane to the dataplane cache.
Addressed
10.2.4
PAN-174781
Fixed an issue where the firewall did not send an SMTP 541 error message to the email client after detecting a malicious file attachment.
Addressed
10.2.4
PAN-174680
Fixed an issue where, when adding new configurations, Panorama didn't display a list of suggested template variables when typing in a relevant field.
Addressed
10.2.4
PAN-174027
Fixed an issue on Panorama where attempting to rename mapping for address options caused a push to fail with the following error message: Error: Duplicate address name. .
Addressed
10.2.4
PAN-171927
Fixed an issue where incorrect results were displayed when filtering logs in the Monitor tab.
Addressed
10.2.4
PAN-171300
Fixed an issue on Panorama where a password change in a template did not reset an expired password flag on the firewall, which caused the user to change their password when logging in to a firewall.
Addressed
10.2.4
PAN-170414
Fixed an issue related to an OOM condition in the dataplane, which was caused by multiple panio commands using extra memory.
Addressed
10.2.4
PAN-157199
( PA-220 firewalls only ) Fixed an issue where the GlobalProtect portal was not reachable with IPv6 addresses.
Addressed
10.2.4
PAN-142701
Fixed an issue where the firewall did not delete Stateless SCTP sessions after receiving an SCTP Abort packet.
Known
10.2.5
WF500-5854
The WildFire analysis report on the firewall log viewer ( Monitoring WildFire Submissions ) does not display the following data fields: File Type, SHA-256, MD-5, and File Size".
Workaround : Download and open the WildFire analysis report in the PDF format using the link in the upper right-hand corner of the Detailed Log View .
Known
10.2.5
WF500-5843
In a WildFire appliance cluster, issuing the show cluster-all peers CLI command when a node within the cluster is being rebooted generates the following error: Server error : An error occured.
Known
10.2.5
WF500-5840
The sample analysis statistics that are returned when issuing the show wildfire local statistics CLI command in WildFire appliance cluster deployments may not accurately reflect the number of samples that have been processed.
Known
10.2.5
WF500-5823
The following WildFire appliance CLI command does not return a signature generation status as expected: show wildfire global signature-status . This does not corrupt or otherwise prevent the WildFire appliance from analyzing a sample.
Known
10.2.5
WF500-5781
The WildFire appliance might erroneously generate and log the following device certification error: Device certificate is missing or invalid. It cannot be renewed.
Known
10.2.5
WF500-5754
In WildFire appliance clusters, issuing the show cluster controller CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6).
Known
10.2.5
WF500-5632
The number of registered WildFire appliances reported in Panorama ( Panorama Managed WildFire Appliances Firewalls Connected View ) does not accurately reflect the current status of connected WildFire appliances.
Known
10.2.5
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.2.5
PAN-259769
GlobalProtect portal is not accessible via a web browser and the app displays the error ERR_EMPTY_RESPONSE .
Known
10.2.5
PAN-250062
Device telemetry might fail at configured intervals due to bundle generation issues.
Known
10.2.5
PAN-243951
On the Panorama management sever in an active/passive High Availability (HA) configuration, managed devices ( Panorama Managed Devices Summary ) display as out-of-sync on the passive HA peer when configuration changes are made to the SD-WAN ( Panorama SD-WAN ) configuration on the active HA peer.
Workaround: Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select Commit and Commit to Panorama the SD-WAN configuration changes on the active HA peer.
    On the passive HA peer, select Panorama Managed Devices Summary and observe that the managed devices are now out-of-sync .
  3. Log in to the primary HA peer Panorama CLI and trigger a manual synchronization between the active and secondary HA peers.
    request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface and select Commit Push to Devices and Push .
Known
10.2.5
PAN-234408
Enterprise DLP cannot detect and block non-file based traffic for ChatGPT from traffic forwarded to the DLP cloud service from an NGFW.
Known
10.2.5
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
10.2.5
PAN-228273
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status is red . This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.2.5
PAN-227344
On the Panorama management server, PDF Summary Reports ( Monitor PDF Reports Manage PDF Summary ) display no data and are blank when predefined reports are included in the summary report.
Known
10.2.5
PAN-225337
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
On the Panorama management server, the configuration push to a multi-vsys firewall fails if you:
  1. Create a Shared and vsys-specific device group configuration object with an indentical name. For example, a Shared address object called SharedAO1 and a vsys-specific address object also called SharedAO1 .
  2. Reference the Shared object in another Shared configuration. For example, reference the Shared address object ( SharedAO1 ) in a Shared address group called SharedAG1 .
  3. Use the Shared configuration object with the reference in a vsys-specific configuration. For example, reference the Shared address group ( SharedAG1 ) in a vsys-specific policy rule.
Workaround: Select Panorama Setup Management and edit the Panorama Settings to enable one of the following:
  • Shared Unused Address and Service Objects with Devices —This options pushes all Shared objects, along with device group specific objects, to managed firewalls.
    This is a global setting and applies to all managed firewalls, and may result in pushing too many configuration objects to your managed firewalls.
  • Objects defined in ancestors will take higher precedence —This option specifies that in the event of objects with the same name, ancestor object take precedence over descendent objects. In this case, the Shared objects take precedence over the vsys-specific object.
    This is a global setting and applies to all managed firewalls. In the example above, if the IP address for the Shared SharedAO1 object was 10.1.1.1 and the device group specific SharedAO1 was 10.2.2.2 , the 10.1.1.1 IP address takes precedence.
Alternatively, you can remove the duplicate address objects from the device group configuration to allow only the Shared objects in your configuration.
Known
10.2.5
PAN-227368
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
The GlobalProtect app cannot connect to a portal or gateway and GlobalProtect Clientless VPN users cannot access applications if authentication takes longer than 20 seconds.
Workaround: Increase the TCP handshake timeout to the maximum value of 60 seconds.
Known
10.2.5
PAN-229865
This issue is now resolved. See PAN-OS 10.2.6 Addressed Issues .
Upgrading a PA-220 firewall running a PAN-OS 10.1 release fails when the target PAN-OS upgrade version is PAN-OS 10.2.5.
Workaround: On your upgrade path to PAN-OS 10.2.5, first upgrade to PAN-OS 10.2.4 and then upgrade to PAN-OS 10.2.5.
Known
10.2.5
PAN-226768
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
When the GlobalProtect app is installed on iOS endpoints and the gateway is configured to accept cookies, the app stays in Connecting stage after authentication and the GlobalProtect log displays the error message, User is not in allow list . This happens when the app is restarted or when the app tries to reconnect after disconnection.
Known
10.2.5
PAN-223677
( PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420, and PA-5430 firewalls ) By enabling Lockless QoS feature, a slight degradation in App-ID and Threat performance is expected.
Known
10.2.5
PAN-223488
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
Closed ElasticSearch shards are not deleted from a Panorama M-Series or virtual appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.2.5
PAN-223457
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
If the number of group queries exceeds the Okta rate limit threshold, the firewall clears the cache for the groups. To avoid encountering this issue, disable the Okta rate limit.
Known
10.2.5
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.2.5
PAN-222586
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings ( Device Log Settings ) are not displayed and cannot be configured.
Known
10.2.5
PAN-222418
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
The firewall intermittently records a reconnection message to the authentication server as a error, even if no disconnection occurs.
Known
10.2.5
PAN-222253
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
On the Panorama management server, policy rulebase reordering when you View Rulebase by Groups ( Policy <policy-rulebase> ) does not persist if you reorder the policy rulebase by dragging and dropping individual policy rules and then moving the entire tag group.
Known
10.2.5
PAN-221775
A Malformed Request error is displayed when you Test Connection for an email server profile ( Device Server Profiles Email ) using SMTP over TLS and the Password includes an ampersand (&).
Known
10.2.5
PAN-221857
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
Users are unable to log in to the GlobalProtect app using SAML authentication after the app is upgraded to 10.2.3-h4 and the GlobalProtect logs display the following error message: Username from SAML SSO response is different from the input. .
Known
10.2.5
PAN-221126
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
Email server profiles ( Device Server Profiles Email and Panorama Server Profiles Email ) to forward logs as email notifications are not forwarded in a readable format.
Workaround: Use a Custom Log Format to forward logs as email notifications in a readable format.
Known
10.2.5
PAN-221015
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. The results in the Managed Collector ES health status ( Panorama Managed Collectors Health Status ) to be degraded.
Workaround: Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes. 
admin>debug elasticsearch es-restart optional all
Known
10.2.5
PAN-220180
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
Configured botnet reports ( Monitor Botnet ) are not generated.
Known
10.2.5
PAN-219644
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
Firewalls forwarding logs to a syslog server over TLS ( Objects Log Forwarding ) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
10.2.5
PAN-218521
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.2.5
PAN-217307
This issue is now resolved. See PAN-OS 10.2.11 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.2.5
PAN-216214
For Panorama-managed firewalls in an Active/Active High Availability (HA) configuration where you configure the firewall HA settings ( Device High Availability ) in a template or template stack ( Panorama Templates ), performing a local commit on one of the HA firewalls triggers an HA config sync on the peer firewall. This causes the HA peer configuration to go Out of Sync .
Known
10.2.5
PAN-215082
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
M-300 and M-700 appliances may generate erroneous system logs ( Monitor Logs System ) to alert that the M-Series appliance memory usage limits are reached.
Known
10.2.5
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.2.5
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list ( Monitor Block IP ):
show -> dis-block-table is unexpected
Known
10.2.5
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor ( Monitor App Scope Threat Monitor ) and ACC . This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.2.5
PAN-212533
Modifying the Administrator Type for an existing administrator ( Device Administrators or Panorama Administrators ) from Superuser to a Role-Based custom admin, or vice versa, does not modify the access privileges of the administrator.
Known
10.2.5
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile ( Panorama Admin Roles ).
Known
10.2.5
PAN-209288
Certificates are not successfully generated using SCEP ( Device Certificate Management SCEP ).
Known
10.2.5
PAN-208622
A file upload to Box.com exceeding 6 files gets stuck and fails to upload if you specify an Enterprise DLP data filtering profile ( Objects DLP Data Filtering Profiles with the Action set to Block to a Security policy rule ( Policies Security ).
Known
10.2.5
PAN-204689
Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App Allow with Passcode
  • Allow user to Disable GlobalProtect App Allow with Passcode
  • Allow User to Uninstall GlobalProtect App Allow with Password
Known
10.2.5
PAN-198708
On the Panorama management server, the File Type field does not display any data when you view the Detailed Log View in the Data Filtering log ( Monitor Logs Data Filtering <select log> DLP ).
Known
10.2.5
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.2.5
PAN-196504
License deactivation fails for VM-Series firewalls licensed using PA-VM Bundle 3 (BND3).
Known
10.2.5
PAN-196146
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
The VM-Series firewall on Azure does not boot up with a hostname (specified in an init-cgf.txt or user data) when bootstrapped.
Known
10.2.5
PAN-194996
When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, allocating bandwidth for a remote network deployment fails (the OK button is grayed out).
Workaround : Retry the operation.
Known
10.2.5
PAN-194519
( PA-5450 firewall only ) Trying to configure a custom payload format under Device Server Profiles HTTP yields a Javascript error.
Known
10.2.5
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.2.5
PAN-194424
( PA-5450 firewall only ) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround: Restart the log receiver service by running the following CLI command: 
debug software restart process log-receiver
Known
10.2.5
PAN-194202
( PA-5450 firewall only ) If the management interface and logging interface are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.2.5
PAN-193004
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
The Panorama management server fails to delete old IP Tag data. This causes the /opt/pancfg partition to reach maximum capacity which impacts Panorama performance.
Known
10.2.5
PAN-190727
( PA-5450 firewall only ) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.2.5
PAN-189111
After deleting an MP pod and it comes up, the show routing command output appears empty and traffic stops working.
Known
10.2.5
PAN-189076
On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain
Known
10.2.5
PAN-188358
After triggering a soft reboot on a M-700 appliance, the Management port LEDs do not light up when a 10G Ethernet cable is plugged in.
Known
10.2.5
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.2.5
PAN-187643
If you enable SCTP security using a Panorama template when SCTP INIT Flood Protection is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the SCTP INIT option is not available in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make the SCIT INIT option available on the web interface.
Known
10.2.5
PAN-187612
On the Panorama management server, not all data profiles ( Objects DLP Data Filtering Profiles ) are displayed after you:
  • Upgrade Panorama to PAN-OS 10.2 and upgrade the Enterprise DLP plugin to version 3.0.
  • Downgrade Panorama to PAN-OS 10.1 and downgrade the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP plugin.
admin > request plugins dlp reset
Known
10.2.5
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
10.2.5
PAN-187370
On a firewall with Advanced Routing enabled, if there is also a logical router instance that uses the default configuration and has no interfaces assigned to it, this will result in terminating the management daemon and main routing daemon in the firewall during commit.
Workaround : Do not use a logical router instance with no interfaces bound to it.
Known
10.2.5
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround : Use Commit Push to Devices to synchronize the templates.
Known
10.2.5
PAN-186282
On HA deployments on AWS and Azure, Panorama fails to populate match criteria automatically when adding dynamic address groups.
Workaround: Reboot the Panorama HA pair.
Known
10.2.5
PAN-185286
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
( PA-5400 Series firewalls only ) On the Panorama management server, the device health resources ( Panorama Managed Devices Health ) do not populate.
Known
10.2.5
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
10.2.5
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
10.2.5
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
10.2.5
PAN-181823
On a PA-5400 Series firewall (minus the PA-5450), setting the peer port to forced 10M or 100M speed causes any multi-gigabit RJ-45 ports on the firewall to go down if they are set to Auto.
Known
10.2.5
PAN-180661
On the Panorama management server, pushing an unsupported Minimum Password Complexity ( Device Setup Management ) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.2.5
PAN-180104
When upgrading a CN-Series as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT pod if the Kubernetes cluster previously had a CN-Series as a DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround : Reboot the worker nodes before upgrading to PAN-OS 10.2.
Known
10.2.5
PAN-178194
A user interface issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.2.5
PAN-177455
PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.2.5
PAN-175915
When the firewall is deployed on N3 and N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile Network Protection Profile, the traffic logs do not display network slice SST and SD values.
Known
10.2.5
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.2.5
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.2.5
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Known
10.2.5
PAN-164885
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues .
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
10.2.5-h9
PAN-272809
A fix was made to address CVE-2024-0012 ( PAN-SA-2024-0015 ) and CVE-2024-9474 .
Addressed
10.2.5-h9
PAN-248427
Fixed an issue where push operations took longer than expected to complete.
Addressed
10.2.5-h9
PAN-247403
( Panorama virtual appliances only ) Fixed an issue where the push scope CLI command took longer than expected, which caused the web interface to be slow.
Addressed
10.2.5-h9
PAN-245850
Fixed an issue on Panorama appliances in active/passive HA configurations where the firewalls entered an HA out-of-sync status and jobs failed on the passive appliance with the error message Could not merged running config from file.
Addressed
10.2.5-h9
PAN-244746
Fixed an issue where changes committed on Panorama were not reflected on the firewall after a successful push.
Addressed
10.2.5-h9
PAN-235840
Fixed an issue where, after a configuration push from Panorama to managed firewalls, the status displayed as None and the push took longer than expected.
Addressed
10.2.5-h9
PAN-228515
Fixed an issue where the Elasticsearch cluster health status displayed as yellow or red due to Elasticsearch SSH tunnel flaps.
Addressed
10.2.5-h9
PAN-216941
( M-700 Appliances in Log Collector mode only ) Fixed an issue where Panorama stopped processing and saving logs.
Addressed
10.2.5-h6
PAN-252214
A fix was made to address CVE-2024-3400 .
Addressed
10.2.5-h4
PAN-238792
Fixed the following device certificate issues:
  • The firewall was unable to automatically renew the device certificate-Fetching device certificates failed incorrectly with the error message OTP is not valid .
  • Firewalls disconnected from Strata Logging Service after renewing the device certificate.
  • The device certificate was not correctly generated on the log forwarding card (LFC).
  • WildFire cloud logs did not log thermite certificate usage status.
Addressed
10.2.5-h4
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.2.5-h4
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.2.5-h4
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.2.5-h4
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.2.5-h1
PAN-229705
Fixed an issue where running the show rule-hit-count CLI command on Panorama displayed the error message Server error : Timed out while getting config lock. Please try again. when attempting to log in or run CLI commands.
Addressed
10.2.5
PAN-231823
A fix was made to address CVE-2024-5916 .
Addressed
10.2.5
PAN-227179
Fixed an issue where routes were not updated in the forwarding table.
Addressed
10.2.5
PAN-225340
Fixed an issue where GlobalProtect users were unable to connect after upgrading to PAN-OS 10.2.4 due to an incorrect client authentication configuration being selected.
Addressed
10.2.5
PAN-225183
Fixed an issue where SSH tunnels were unstable due to ciphers used as part of the high availability SSH configuration.
Addressed
10.2.5
PAN-224273
Fixed an issue where the debug dataplane pow status CLI command did not display extended NIC statistics.
Addressed
10.2.5
PAN-223501
( PA-5200 Series and PA-7000 Series firewalls only ) Fixed an issue where diagnostic information for the dataplane in the dp-monitor.log file was not complete.
Addressed
10.2.5
PAN-223317
Fixed an issue where SSL traffic failed with the error message: Error: General TLS protocol error .
Addressed
10.2.5
PAN-223185
Fixed an issue where the distributord process stopped responding.
Addressed
10.2.5
PAN-222712
( PA-5450 firewalls only ) Fixed a low frequency DPC restart issue.
Addressed
10.2.5
PAN-221984
( VM-Series firewalls in Microsoft Azure environments only ) Fixed an issue where an interface went down after a hotplug event and was only recoverable by restarting the firewall.
Addressed
10.2.5
PAN-221881
Fixed an issue where log ingestion to Panorama failed, which resulted in missing logs under the Monitor tab.
Addressed
10.2.5
PAN-221836
Fixed an issue where improper SNI detection caused incorrect URL categorization.
Addressed
10.2.5
PAN-221708
Fixed an issue where temporary files remained under /opt/pancfg/tmp/sw-images/ even after manually uploading the content or AV file to the firewall.
Addressed
10.2.5
PAN-221647
Fixed an issue where the Apps seen value was not reflected on Panorama.
Addressed
10.2.5
PAN-220910
Fixed an issue where an internal management plane NIC caused a kernel panic when doing a transmit due to the driver reinitializing under certain failure or change conditions on the same interface during transmit.
Addressed
10.2.5
PAN-220899
Fixed an issue where you were unable to choose the manual GlobalProtect gateway.
Addressed
10.2.5
PAN-220747
Fixed an issue where logs were not visible after restarting the log collector.
Addressed
10.2.5
PAN-220626
Fixed an issue where system warning logs were written every 24 hours.
Addressed
10.2.5
PAN-220448
Fixed an issue where the GlobalProtect client connection remained at the prelogin stage when Kerberos SSO failed and was unable to fall back to the realm authentication.
Addressed
10.2.5
PAN-220401
Fixed an issue where, during a reboot, an unexpected error message was displayed that the syslog configuration file format was too old.
Addressed
10.2.5
PAN-220281
( PA-7080 firewalls only ) Fixed an issue where auto-committing changes after rebooting the Log Forwarding Card (LFC) caused the logrcvr process to fail to read the configuration file.
Addressed
10.2.5
PAN-219690
Fixed an issue where GlobalProtect authentication failed when authentication was SAML with CAS and the portal was resolved with IPv6.
Addressed
10.2.5
PAN-219686
Fixed an issue where a device group push operation from Panorama failed with the following error on managed firewalls: vsys <vsys1> plugins unexpected here vsys is invalid Commit failed .
Addressed
10.2.5
PAN-219659
Fixed an issue where root partition frequently filled up and the following error message was displayed: Disk usage for / exceeds limit, xx percent in use, cleaning filesystem .
Addressed
10.2.5
PAN-219640
Fixed an issue where a transformation migration script error caused a commit failure with the error message user-id-agent unexpected here . This occurred after upgrading the firewall from a PAN-OS 9.1 release to a PAN-OS 10.0 release.
Addressed
10.2.5
PAN-219573
Fixed an issue where tag names did not correctly display special characters.
Addressed
10.2.5
PAN-219508
( VM-Series, PA-400 Series, PA-1400, PA-3400, and PA-5400 Series firewalls only ) Fixed an issue where Bidirectional Forwarding Detection (BFD) packets experienced a delay in processing, which caused the BFD connection to flap.
Addressed
10.2.5
PAN-219498
Fixed an issue where the Threat ID/Name detail in Threat logs was not included in syslog messages sent to Splunk.
Addressed
10.2.5
PAN-219351
Fixed an issue where the all_pktproc process stopped responding during Layer 7 processing.
Addressed
10.2.5
PAN-219253
Fixed an issue where, after making changes in a template, the Commit and Push option was grayed out.
Addressed
10.2.5
PAN-218947
Fixed an issue where logs were not displayed in Elasticsearch under ingestion load.
Addressed
10.2.5
PAN-218697
Fixed an issue where the ElasticSearch status frequently changed to red or yellow after a PAN-OS upgrade.
Addressed
10.2.5
PAN-218644
Fixed an issue where the firewall generated incorrect VSA attribute codes when radius was configured with EAP-based authentication protocols.
Addressed
10.2.5
PAN-218620
Fixed an issue where scheduled configuration exports and SCP server connection testing failed.
Addressed
10.2.5
PAN-218404
Fixed an issue where ikemgr stopped responding due to receiving CREATE_CHILD messages with a malformed SA payload.
Addressed
10.2.5
PAN-218335
Fixed an issue with hardware destination MAC filtering on the Log Processing Card (LPC) that caused the logging card interface to be susceptible to unicast flooding.
Addressed
10.2.5
PAN-218318
Fixed an issue where the firewall changed the time zone automatically instead of retrieving the correct time zone from the NTP server.
Addressed
10.2.5
PAN-218264
( PA-3400 and PA-1400 Series firewalls only ) Fixed an issue where packet drops occurred due to slow servicing of internal hardware queries.
Addressed
10.2.5
PAN-218151
Fixed an issue where a configuration push to a new firewall did not work and displayed validation errors.
Addressed
10.2.5
PAN-218107
Fixed an issue with ciphers used for SSH tunnels where packet lengths were too large, which made the SSH tunnel unstable.
Addressed
10.2.5
PAN-218001
( PA-400 Series firewalls only ) Fixed an issue where shut down commands rebooted the system instead of correctly triggering a shutdown.
Addressed
10.2.5
PAN-217681
Fixed an issue caused by out of order TCP segments where the TCP retransmission failed when the TCP segment had the FIN flag and the TCP data was truncated.
Addressed
10.2.5
PAN-217582
( VM-Series firewalls on Google Cloud Platform environments only ) Fixed an issue where firewalls failed to load the virtual machine information source configuration.
Addressed
10.2.5
PAN-217581
Fixed an issue where the firewall did not initiate scheduled log uploads to the FTP server.
Addressed
10.2.5
PAN-217489
Fixed an issue with firewalls in active/passive HA configurations where the passive firewall MAC flapping occurred when the passive firewall was rebooted.
Addressed
10.2.5
PAN-217465
Fixed an issue where the Panorama web interface became unresponsive and displayed the error message 504 Gateway Not Reachable .
Addressed
10.2.5
PAN-217431
( PA-5400 Series firewalls with DPC (Data Processing Cards) only ) Fixed an issue with slot 2 DPCs where URL Filtering did not work as expected after upgrading to PAN-OS 10.1.9.
Addressed
10.2.5
PAN-217284
Fixed an intermittent issue where an LACP flap occurred when the LACP transmission rate was set to Fast .
Addressed
10.2.5
PAN-217169
Fixed an issue where the logrcvr stopped forwarding logs to the syslog server after a restart or crash.
Addressed
10.2.5
PAN-216996
Fixed an issue where multiple User-ID alerts were generated every 10 minutes.
Addressed
10.2.5
PAN-216957
Fixed an issue where allow list checks in an authentication profile did not work if the group Distinguished Name contains the ampersand ( & ) character.
Addressed
10.2.5
PAN-216913
( VM-Series firewalls in Microsoft Azure environments only ) Fixed an issue where the brdagent process stopped responding due to missed heartbeats, which caused the firewall to reboot. This occurred when the brdagent process and DPDK-managed ports became out of sync after the Azure infrastructure triggered a hotplug event.
Addressed
10.2.5
PAN-216821
Fixed an issue where the reportd process stopped responding after upgrading an M-200 appliance to PAN-OS 10.2.4.
Addressed
10.2.5
PAN-216662
Fixed an issue where a custom Antispyware profile did not open and displayed the following error message: The server is not responding. Please wait and try your operation again later .
Addressed
10.2.5
PAN-216366
Fixed an issue where, when custom signatures used a certain syntax, false positives were generated on devices on a PAN-OS 10.0 release.
Addressed
10.2.5
PAN-216360
Fixed an issue on Panorama where No Default Selections under Push to Devices was intermittently deselected after performing a commit operation.
Addressed
10.2.5
PAN-216170
( PA-400 Series firewalls in HA configurations only ) Fixed an issue where an HA switchover took longer than expected to bring up ports on the newly active firewall.
Addressed
10.2.5
PAN-216054
Fixed an issue that caused the firewall's fan speed to increase while it was idle.
Addressed
10.2.5
PAN-216048
Fixed an issue where, when upgrading from a PAN-OS 9.1 release to a PAN-OS 10.0 release, commits failed with the error message: hip profiles unexpected here .
Addressed
10.2.5
PAN-216043
Fixed an issue where wifclient stopped responding due to shared memory corruption.
Addressed
10.2.5
PAN-215911
Fixed an issue that resulted in a race condition, which caused the configd process to stop responding.
Addressed
10.2.5
PAN-215808
Fixed an issue where, after upgrading to PAN-OS 10.1, the log forwarding rate toward the syslog server was reduced. With this fix, the overall log forwarding rate has also been improved.
Addressed
10.2.5
PAN-215780
Fixed an issue where changes to Zone Protection profiles made via XML API were not reflected in the zone protection configuration.
Addressed
10.2.5
PAN-215778
Fixed an issue where API Get requests for /config timed out due to insufficient buffer size.
Addressed
10.2.5
PAN-215655
Fixed an issue where, after a multidynamic group push, Security policy rules with the target device tag were added to a firewall that did not have the tag.
Addressed
10.2.5
PAN-215503
Fixed a memory-related issue where the MEMORY_POOL address was mapped incorrectly.
Addressed
10.2.5
PAN-215496
Fixed an issue where 100G ports did not come up with BIDI QSFP modules.
Addressed
10.2.5
PAN-215338
( PA-5400 Series firewalls only ) Fixed an issue where the inner VLAN tag for Q-in-Q traffic was stripped when forwarding.
Addressed
10.2.5
PAN-215317
Fixed an issue where the dataplane stopped responding unexpectedly with the error message comm exited with signal of 10 .
Addressed
10.2.5
PAN-215066
Fixed an issue on Panorama where push scope rendering caused the Commit and Push or Push to Devices operation window to hang for several minutes.
Addressed
10.2.5
PAN-215058
Fixed a memory leak related to the logdb process.
Addressed
10.2.5
PAN-214990
Fixed an issue where firewall copper ports flapped intermittently when device telemetry was enabled.
Addressed
10.2.5
PAN-214815
Fixed an issue where SNMP queries were not replied to due to an internal process timeout.
Addressed
10.2.5
PAN-214753
Fixed an issue where retrieving WildFire Analysis reports when choosing WildFire log entries under Detailed Log View displayed the error Fetching WildFire server xxx report failed!
Addressed
10.2.5
PAN-214727
Fixed an issue where a memory leak related to the useridd process resulted in an OOM condition, which caused the process to stop responding.
Addressed
10.2.5
PAN-214669
Fixed an issue where FIN and RESET packets were sent in reverse order.
Addressed
10.2.5
PAN-214201
Fixed an issue where, after exporting custom reports to CSV format, the letter b appeared at the beginning of each column.
Addressed
10.2.5
PAN-214187
Fixed an issue where superreaders were able to execute the request restart system CLI command.
Addressed
10.2.5
PAN-214026
Fixed an issue where, when using an ECMP weighted-round-robin algorithm, traffic was not redistributed among the links proportionally as expected from the configuration.
Addressed
10.2.5
PAN-213949
Fixed an issue where the VPN responder stopped responding when it received a CREATE_CHILD message with no security association (SA) payload.
Addressed
10.2.5
PAN-213942
( PA-400 Series firewalls ) Fixed an issue where the firewall required an explicit allow rule to forward broadcast traffic.
Addressed
10.2.5
PAN-213932
Fixed an issue where, when an incorrect log filter was configured, the commit did not fail.
Addressed
10.2.5
PAN-213931
Fixed an issue where the logrcvr process cache was not in sync with the mapping on the firewall.
Addressed
10.2.5
PAN-213746
Fixed an issue on Panorama where the Hostkey displayed as undefined if an SSH Service Profile Hostkey configured in a template from the template stack was overridden.
Addressed
10.2.5
PAN-213463
( PA-5200 Series firewalls only ) Fixed an issue where unplugging a PAN-SFP-CG transceiver from an interface with its link speed setting set to 1000 caused the firewall to incorrectly read that interface as up.
Addressed
10.2.5
PAN-213296
Fixed an issue where Single Log-out (SLO) was not correctly triggered from the firewall toward the client, which caused the client to not initiate the SLO request toward the identity provider (IdP). This resulted in the IdP not making the SLO callback to the firewall to remove the user.
Addressed
10.2.5
PAN-213162
Fixed an issue where an SD-WAN object was not displayed under a child device group.
Addressed
10.2.5
PAN-213077
Fixed an issue where the sysdagent process stopped responding, which caused interfaces and the subsequent connections behind them to fail.
Addressed
10.2.5
PAN-213060
Fixed an issue where Panorama did not show the target under the Entities column.
Addressed
10.2.5
PAN-212978
Fixed an issue where the firewall stopped responding when executing an SD-WAN debug CLI command.
Addressed
10.2.5
PAN-212889
Fixed an issue on Panorama where different threat names were used when querying a threat under Threat Monitor ( Monitor > App Scope ) and the ACC. This resulted in the ACC displaying no data after clicking a threat name in Threat Monitor and filtering it in the global filters.
Addressed
10.2.5
PAN-212859
Fixed an issue where the pan_task stopped responding briefly during a commit due to a contention with brdagent updating the configuration.
Addressed
10.2.5
PAN-212848
Fixed an issue where attempting to change the disk-usage cleanup threshold to 90 resulted in the error message Server error : op command for client dagger timed out as client is not available .
Addressed
10.2.5
PAN-212726
Fixed an issue where RTP/RTCP packets were dropped for SIP calls by SIP ALG when the source NAT translation type was persistent Dynamic IP And Port .
Addressed
10.2.5
PAN-212577
( PA-5200 Series and PA-7080 firewalls only ) Fixed an issue where commits took longer than expected when more than 45,000 Security policy rules were configured.
Addressed
10.2.5
PAN-212576
Fixed an issue where firewall HA clusters in active/active configurations with Advanced Routing enabled did not relay to ping requests sent to a virtual IP address.
Addressed
10.2.5
PAN-212530
Fixed an issue on log collectors where root partition reached 100% utilization.
Addressed
10.2.5
PAN-212057
Fixed an issue where Advanced Threat Prevention caused SSL delays when no URL licenses were present.
Addressed
10.2.5
PAN-211997
Fixed an issue where large OSPF control packets were fragmented, which caused the neighborship to fail.
Addressed
10.2.5
PAN-211887
Fixed an issue on Panorama that caused recently committed changes to not be displayed when previewing the changes to push to device groups.
Addressed
10.2.5
PAN-211843
Fixed an issue where renaming a Zone Protection profile failed with the error message Obj does not exist.
Addressed
10.2.5
PAN-211602
Fixed an issue where, when viewing a WildFire Analysis report via the web interface, the detailed log view was not accessible if the browser window was resized.
Addressed
10.2.5
PAN-211575
Fixed an issue where a local commit on Panorama remained at 99% for longer than expected before completing.
Addressed
10.2.5
PAN-211519
Fixed an issue where RTP/RTCP packets were dropped for SIP calls by SIP ALG when the source NAT translation type was persistent Dynamic IP And Port .
Addressed
10.2.5
PAN-211441
Fixed a memory leak issue related to SSL crypto operations that resulted in failed commits.
Addressed
10.2.5
PAN-211422
Fixed an issue where the show session packet-buffer-protection buffer-latency CLI command randomly displayed incorrect values.
Addressed
10.2.5
PAN-211398
Fixed an issue where dataplane processes stopped responding when handling HTTP/2 streams.
Addressed
10.2.5
PAN-211191
Fixed an issue where the firewall restarted after initiating a mgmtsrvr process restart.
Addressed
10.2.5
PAN-211041
( Panorama virtual appliances only ) Fixed an issue where DHCP assigned interfaces did not send ICMP unreachable - Fragmentation needed messages when the received packets were higher than the maximum transmission unit (MTU).
Addressed
10.2.5
PAN-210921
( Panorama appliances in Legacy Mode only ) Fixed an issue where Blocked Browsing Summary by Website in the user activity report contained scrambled characters.
Addressed
10.2.5
PAN-210883
Fixed an issue where SSL proxy traffic was dropped when DoS zone protection was enabled.
Addressed
10.2.5
PAN-210740
Fixed a memory leak issue related to the slotd process.
Addressed
10.2.5
PAN-210738
Fixed an issue where fragmented UDP packets were dropped.
Addressed
10.2.5
PAN-210736
Fixed an issue where configuration changes related to the SSH service profile were not reflected when pushed from Panorama. With this fix, the deletion of ciphers, MAC, and kex fields of SSH server profiles and HA profiles won't clear the values under template stacks and will retain the values configured from templates.
Addressed
10.2.5
PAN-210661
Fixed an issue where firewalls disconnected from Strata Logging Service after renewing the device certificate.
Addressed
10.2.5
PAN-210640
Fixed an issue where applications were not displayed after authenticating into the clientless VPN.
Addressed
10.2.5
PAN-210563
Fixed an issue on Panorama where Security policy rules with a Tag target did not appear in the pre-rule list of a Dynamic Address Group that was part of the tag.
Addressed
10.2.5
PAN-210511
Fixed an issue where Panorama commits failed due to an invalid community value error.
Addressed
10.2.5
PAN-210502
Fixed an issue where Panorama was unable to convert to PAN-OS 9.1 syntax for WF-500 appliances.
Addressed
10.2.5
PAN-210456
Fixed an issue where high latency occurred on PA-850-ZTP when SSL decryption was enabled.
Addressed
10.2.5
PAN-210452
Fixed an issue where application PCAP was not generated when Security policy rules were used as a filter.
Addressed
10.2.5
PAN-210451
Fixed an issue where the firewall did not send the source IP address of the user to the RADIUS server with the set authentication radius-vsa-on client-source-ip CLI command.
Addressed
10.2.5
PAN-210429
( VM-Series firewalls only ) Fixed an issue where the HTTP service failed to come up on DHCP dataplane interfaces after rebooting the firewall, which resulted in health-check failure on HTTP/80 with a 503 error code on the public load balancer.
Addressed
10.2.5
PAN-210397
Fixed an issue on Panorama where VM-Series firewalls in HA configurations hosted on Amazon Web Services (AWS) were not displayed under Deploy Master Key .
Addressed
10.2.5
PAN-210364
Fixed an issue where high latency was observed when accessing internal web applications, which interrupted development activities related to the web server.
Addressed
10.2.5
PAN-210325
Fixed an issue on the firewall where the configuration log always displayed commit-all operations as successful even when the commit failed.
Addressed
10.2.5
PAN-210216
A debug command was added to address an issue with firewalls in high availability configurations.
Addressed
10.2.5
PAN-210158
( CN-Series firewalls only ) Fixed an issue where the dataplane stopped responding after a container restart.
Addressed
10.2.5
PAN-210000
Fixed an issue where, when traffic and Threat logs exceeded the threshold of 90% total allowed size, alarms were not generated for other log types.
Addressed
10.2.5
PAN-209937
Fixed an issue where certificate-based authentication for administrators were unable to log in to the Panorama or firewall web interface and received the following error message: Bad Request - Your browser sent a request that this server could not understand .
Addressed
10.2.5
PAN-209930
Fixed an issue where cloned rules pushed from Panorama were not shown on the managed firewall.
Addressed
10.2.5
PAN-209872
Fixed an issue where dataplane ports responded to ICMP requests fewer than 64 bytes with nonzero padding bytes in the ICMP response.
Addressed
10.2.5
PAN-209696
Fixed an issue where link-local address communication for IPv6, BFD, and OSPFv3 neighbors was dropped when IP address spoofing check was enabled in a Zone Protection profile.
Addressed
10.2.5
PAN-209683
Fixed an issue where Panorama was unable to retrieve IP address-to-username mapping from a firewall on a PAN-OS 8.1 release.
Addressed
10.2.5
PAN-209617
Fixed an issue with firewalls in active/passive HA configurations where the passive firewall created an incorrect SCTP association due to the HA sync messages from the active firewall having an incorrect value.
Addressed
10.2.5
PAN-209585
The Palo Alto Networks QoS implementation now supports a new QoS mode called lockless QoS for PA-3400, PA-5410, PA-5420, PA-5430, and PA-5440 firewalls. For firewalls with higher bandwidth QoS requirements, the lockless QoS dedicates cores to the QoS function that improves QoS performance, resulting in improved throughput and latency.
Addressed
10.2.5
PAN-209501
Fixed an issue where the GlobalProtect logdb quota was not displayed in the show system logdb quota output.
Addressed
10.2.5
PAN-209375
Fixed an issue on the firewall where log filtering did not work as expected.
Addressed
10.2.5
PAN-209172
Fixed an issue where the firewall was unable to handle GRE packets for Point-to-Point Tunneling Protocol (PPTP) connections.
Addressed
10.2.5
PAN-209108
Fixed an issue where a Panorama in Management Only mode was unable to display logs from log collectors due to missing schema files.
Addressed
10.2.5
PAN-208902
Fixed an issue where, when a client sent a TCP/FIN packet, the firewall displayed the end reason as aged-out instead of tcp-fin .
Addressed
10.2.5
PAN-208792
Fixed an issue where authentication failed when the service route for RADIUS traffic was configured as use default for IPv4 addresses and included the dataplane interface as the destination route.
Addressed
10.2.5
PAN-208567
Fixed an issue with email formatting where, when a scheduled email contained two or more attachments, only one attachment was visible.
Addressed
10.2.5
PAN-208343
Fixed an issue where telemetry regions were not visible on Panorama.
Addressed
10.2.5
PAN-208325
( PA-5400 Series, PA-3400 Series, and PA-400 Series only ) Fixed an issue where the firewall was unable to automatically renew the device certificate.
Addressed
10.2.5
PAN-208316
Fixed an issue where user-group names were unable to be configured as the source user via the test security-policy-match command.
Addressed
10.2.5
PAN-208201
Fixed an issue on the firewall where the modified date and time was incorrectly updated after a commit operation, PAN-OS upgrade, or reboot.
Addressed
10.2.5
PAN-208198
Fixed an issue with firewalls in active/passive HA configurations where, after rebooting the passive firewall, interfaces were briefly shown as powered up, and then shown as down or shutdown.
Addressed
10.2.5
PAN-208187
Fixed an issue where REST API requests did not work for GlobalProtect gateway tunnels.
Addressed
10.2.5
PAN-208090
Fixed an issue where the ACC report did not display data when querying the filter for the fields Source and Destination IP .
Addressed
10.2.5
PAN-208039
( PA-7000 Series firewalls with SMC-B only ) Fixed an issue where the details of configuration changes were not included in configuration logs on the syslog server.
Addressed
10.2.5
PAN-207842
Fixed an issue where WildFire Analysis reports were not visible when the WF-500 appliance was on private cloud.
Addressed
10.2.5
PAN-207741
Fixed an issue where Large Scale VPN (LSVPN) Portal authentication failed with the error invalid http response. return error(Authentication failed; Retry authentication when the satellite connected to more than one portal.
Addressed
10.2.5
PAN-207700
Fixed an issue where the show system info and show system ztp status CLI commands displayed a different Zero Touch Provisioning (ZTP) status if a firewall upgrade was initiated from Panorama before the initial commit push succeeded.
Addressed
10.2.5
PAN-207661
Fixed an issue with firewalls in active/active HA configurations where the virtual floating IP address configuration under a Panorama template was overridden and displayed From Template Override: undefined as a source.
Addressed
10.2.5
PAN-207604
Fixed an issue where system logs continuously generated the log message Not enough space to load content to SHM .
Addressed
10.2.5
PAN-207457
Fixed an issue where the MLAV allow list did not work for some types of traffic.
Addressed
10.2.5
PAN-207240
Fixed an issue where mprelay repeatedly restarted, which caused commits to remain at 70% before failing with the error message A communication error happened during the configuration commit to the data plane, please try again .
Addressed
10.2.5
PAN-206765
Fixed an issue where log forwarding filters involving negation did not work.
Addressed
10.2.5
PAN-206640
Fixed an issue where the ikemgr process stopped responding, which caused IPSec tunnels to go down.
Addressed
10.2.5
PAN-206396
Fixed an issue where HIP report flip and HIP check failed when a user was part of multiple user groups with different domains.
Addressed
10.2.5
PAN-206391
Fixed an issue where shared objects were seen under the push scope with every configuration push.
Addressed
10.2.5
PAN-206333
Fixed an issue where the Include/Exclude IP filter under Data Distribution did not work correctly.
Addressed
10.2.5
PAN-206278
Fixed an issue where a critical system log was generated when the boot drive for PA-7000 Series firewall Switch Management Cards (SMCs) failed.
Addressed
10.2.5
PAN-206221
Fixed an issue where scheduled configuration pushes with Include Device and Network Templates selected did not work.
Addressed
10.2.5
PAN-205513
Fixed an issue where the stats dump file generated by Panorama for a device firewall differed from the stats dump file generated by the managed device.
Addressed
10.2.5
PAN-205369
Fixed an issue where connections to Strata Logging Service were initialized from the firewall even when Strata Logging Service forwarding was disabled.
Addressed
10.2.5
PAN-205086
Fixed an issue where DNS Security categories were able to be deleted from spyware profiles.
Addressed
10.2.5
PAN-204718
( PA-5200 Series firewalls only ) Fixed an issue where, after upgrading to PAN-OS 10.1.6-h3, a TACACS user login displayed the following error message during the first login attempt: Could not chdir to home directory /opt/pancfg/home/user: Permission denied .
Addressed
10.2.5
PAN-204683
Fixed an issue where logs were unable to be generated due to old logs not getting purged and /opt/panlogs reaching over 100% usage.
Addressed
10.2.5
PAN-204530
Fixed an issue where giving up FTP or SCP sessions for log export took longer than expected after a failure to export the log when one of the destination hosts designated in the scheduled log export was unresponsive.
Addressed
10.2.5
PAN-204420
( WF-500 appliances only ) Fixed an issue where, after an upgrade to a PAN-OS 10.1 release, SNMP traps were not sent to the SNMP server. This occurred due to SNMP trap server settings not being enabled.
Addressed
10.2.5
PAN-204233
Fixed an issue where, when the firewall received a 513 error from the WildFire cloud, the firewall attempted to repeatedly send the same file.
Addressed
10.2.5
PAN-204215
( PA-7000 Series firewalls with Log Processing Cards (LPCs) only ) Fixed an issue where performing a commit operation resulted in the following error messages: log forwarding is setup for data but log-card interface is not setup or log forwarding is setup for traffic but log-card interface is not setup .
Addressed
10.2.5
PAN-203791
( PA-3400 and PA-5400 Series firewalls only ) Fixed an issue where the log type correlation was not configurable and displayed as $.Format.Correlation ( Device > Server Profile > syslog ><Profile-name> > Customer log format > log type ).
Addressed
10.2.5
PAN-203655
Fixed an issue where enabling event-specific traps ( Device > Setup > Operations > Miscellaneous > SNMP Setup ), the new deviating device system logs included incorrect information.
Addressed
10.2.5
PAN-203611
Fixed an issue where URL categorization was not recognized for URLs that contained more than 100 characters.
Addressed
10.2.5
PAN-203222
Fixed an issue where commit-all operations took longer than expected due to cURL failures and timeouts related to external dynamic list retrieval.
Addressed
10.2.5
PAN-203168
Fixed an issue where the WIF state was not cleaned up promptly after usage, which caused allocation failure. This fix increased the wif_state quota.
Addressed
10.2.5
PAN-202981
Fixed an issue on Panorama where global find did not return results for existing universally unique identifiers (UUID).
Addressed
10.2.5
PAN-202963
Fixed an issue where the system log message dsc HA state is changed from 1 to 0 was generated with the severity High . With this fix, the severity was changed to Info .
Addressed
10.2.5
PAN-202524
Fixed an issue where the session ID was missing in the session details section of the ingress-backlogs XML API output.
Addressed
10.2.5
PAN-202516
Fixed an issue where the firewall stopped responding if it received an illegal packet with SRC port = 0 encapsulated within a VXLAN packet.
Addressed
10.2.5
PAN-201855
Fixed an issue where, after cloning a template, a certificate with the block private key option enabled was corrupted.
Addressed
10.2.5
PAN-201721
Fixed an issue with firewalls in HA configurations where HA setup generated the error mismatch due to device update during a content update even though the version was the same.
Addressed
10.2.5
PAN-201515
Fixed an issue with the web interface where the cursor disappeared under the Policies and Objects tabs on the search bar if the cursor was moved quickly.
Addressed
10.2.5
PAN-201466
Fixed an issue where the system log generated on GlobalProtect satellite did not provide the reason for failures to connect to the GlobalProtect portal or gateway.
Addressed
10.2.5
PAN-200757
Fixed an issue with client certificate generation on Panorama, which resulted in a firewall being unable to connect to a log collector.
Addressed
10.2.5
PAN-200394
Fixed an issue where, after a push from Panorama to one or more device groups in a multi-vsys environment, vulnerability profile exceptions were not seen on all firewalls.
Addressed
10.2.5
PAN-199819
Fixed an issue where, if a decryption profile allowed TLS1.3, but the server only supported TLS1.2, and the cipher used by the first connection to the server was a CBC SHA2 cipher suite, the connection failed.
Addressed
10.2.5
PAN-199687
Fixed an issue where content updates failed when using prelicensed keys during the bootstrap process.
Addressed
10.2.5
PAN-199557
Fixed an issue on Panorama where virtual memory usage exceeded the set limit, which caused the configd process to restart.
Addressed
10.2.5
PAN-198453
Fixed an issue where you were unable to resize the Description pop-up window ( Policies > Security > Prerules ).
Addressed
10.2.5
PAN-198050
Fixed an issue where Connection to update server is successful messages displayed even when connections failed.
Addressed
10.2.5
PAN-197493
Fixed an issue where having multiple terminal service agents with the same hostname caused the firewall to reboot.
Addressed
10.2.5
PAN-197467
Fixed an issue on Panorama where the WildFire Test-Configuration feature did not work as expected.
Addressed
10.2.5
PAN-197388
Fixed an issue where, when the firewall forwarded Threat logs via email, the email client truncated the sender and recipient email addresses when they were put between angle brackets (<, >).
Addressed
10.2.5
PAN-196956
Fixed an issue where URL Filtering logs did not display matching entries when filtered by device name.
Addressed
10.2.5
PAN-196923
Fixed an issue where the interface option did not have a source address in the cURL command, which caused a DNS lookup error and resulted in DNS lookup failing for device Telemetry.
Addressed
10.2.5
PAN-196597
Fixed an issue where the dnsproxyd process stopped responding due to corruption.
Addressed
10.2.5
PAN-196417
( PA-7000 Series firewalls only ) Fixed an issue where firewalls experienced slow SNMP responses, which caused the SNMP server to time out before polling completion.
Addressed
10.2.5
PAN-196345
Fixed an issue where scheduled dynamic content updates failed to be retrieved by managed firewalls from Panorama when connectivity was slow.
Addressed
10.2.5
PAN-195788
Fixed an issue where zip files did not download when applying Security inspection and the following error message displayed: resources-unavailable .
Addressed
10.2.5
PAN-195439
( VM-Series firewalls in Microsoft Azure environments only ) Fixed an issue where the dataplane interface status went down after a hotplug event triggered by Azure infrastructure.
Addressed
10.2.5
PAN-195251
Fixed an issue where IPSec tunnel re-key generated the critical log message tunnel-status-up .
Addressed
10.2.5
PAN-193521
Fixed an issue where Panorama > Device > Deployment > Software did not display software after running check now for managed devices.
Addressed
10.2.5
PAN-190903
Fixed an issue where MAC addresses in threat capture were swapped between the source MAC and destination MAC addresses.
Addressed
10.2.5
PAN-190435
Fixed an issue where, after committing a configuration change, the Task Manager commit Status went directly from 0% to Completed instead of reflecting the accurate commit job process.
Addressed
10.2.5
PAN-190055
( VM-Series firewalls only ) Fixed an issue where the firewall did not follow the set Jumbo MTU value.
Addressed
10.2.5
PAN-189442
Fixed an issue where the all_pktproc process stopped responding, which caused the firewall to reboot.
Addressed
10.2.5
PAN-189423
Fixed an issue where exporting correlation logs generated an empty file.
Addressed
10.2.5
PAN-189328
Fixed an issue where traffic belonging to the same session was sent out from different ECMP enabled interfaces.
Addressed
10.2.5
PAN-187989
Fixed an issue where a user who did not have permissions of other access domains were able to view the commit and configuration lock.
Addressed
10.2.5
PAN-186956
Fixed an issue where SD-WAN DIA VIF did not become active if default gateways for member interfaces did not respond to pings.
Addressed
10.2.5
PAN-186182
Fixed an issue where software buffer 3 was depleted when URL proxy was enabled and SSL sessions were decrypted to inject the block page. This issue occurred when an HTTP/2 block page was displayed for a large POST request.
Addressed
10.2.5
PAN-185249
Fixed an issue where Template Stack overrides ( Dynamic Updates > App & Threats > Schedule ) were not able to be reverted via the web interface.
Addressed
10.2.5
PAN-185135
( VM-Series firewalls on Kernel-based Virtual Machine (KVM) only ) Fixed an issue where the physical port counters (including SNMP) on the dataplane interfaces increased when DPDK was enabled.
Addressed
10.2.5
PAN-184630
Fixed an issue where TLS clients, such as those using OpenSSL 3.0, enforced the TLS renegotiation extension (RFC 5746).
Addressed
10.2.5
PAN-183297
Fixed an issue where, when the firewall received a large amount of user information, the firewall was unable to output IP address-to-username mapping information via XML API.
Addressed
10.2.5
PAN-182960
Additional error logs were added for an issue where, when multiple Panorama web interface sessions were opened, active lock did not show up on the web interface for any session.
Addressed
10.2.5
PAN-182734
Fixed an issue where, on an Advanced Routing Engine, BGP peering flapped after a commit.
Addressed
10.2.5
PAN-180082
Fixed an issue where errors in brdagent logs caused dataplane path monitoring failure.
Addressed
10.2.5
PAN-177227
( VM-Series firewalls on Amazon Web Services environments only ) Fixed an issue where traffic sent from a GENEVE tunnel to the firewall was dropped if the firewall attempted to encapsulate traffic into an IPSec tunnel.
Addressed
10.2.5
PAN-176412
Fixed an issue where changing the password of a local database user did not work.
Addressed
10.2.5
PAN-172977
Fixed an issue where session offloading did not occur on a tap interface under a high packet load.
Addressed
10.2.5
PAN-172600
Fixed an issue where the CLI command show rule-hit-count did not provide all details of the rule from the device group.
Addressed
10.2.5
PAN-169586
Fixed an issue where scheduled log view reports in emails didn't match the monitor page query result for the same time interval.
Addressed
10.2.5
PAN-168102
Fixed an issue where the API format to check heap usage of a node showed a JSON error.
Addressed
10.2.5
PAN-160633
( PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only ) Fixed an issue where the dataplane restarted repeatedly due to an internal path monitoring failure until a power cycle.
Addressed
10.2.5
PAN-151692
Fixed a permission issue where a Panorama administrator was unable to download or install Dynamic Updates ( Panorama > Device Deployment ).
Known
10.2.6
WF500-5854
The WildFire analysis report on the firewall log viewer ( Monitoring WildFire Submissions ) does not display the following data fields: File Type, SHA-256, MD-5, and File Size".
Workaround : Download and open the WildFire analysis report in the PDF format using the link in the upper right-hand corner of the Detailed Log View .
Known
10.2.6
WF500-5843
In a WildFire appliance cluster, issuing the show cluster-all peers CLI command when a node within the cluster is being rebooted generates the following error: Server error : An error occured.
Known
10.2.6
WF500-5840
The sample analysis statistics that are returned when issuing the show wildfire local statistics CLI command in WildFire appliance cluster deployments may not accurately reflect the number of samples that have been processed.
Known
10.2.6
WF500-5823
The following WildFire appliance CLI command does not return a signature generation status as expected: show wildfire global signature-status . This does not corrupt or otherwise prevent the WildFire appliance from analyzing a sample.
Known
10.2.6
WF500-5781
The WildFire appliance might erroneously generate and log the following device certification error: Device certificate is missing or invalid. It cannot be renewed.
Known
10.2.6
WF500-5754
In WildFire appliance clusters, issuing the show cluster controller CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6).
Known
10.2.6
WF500-5632
The number of registered WildFire appliances reported in Panorama ( Panorama Managed WildFire Appliances Firewalls Connected View ) does not accurately reflect the current status of connected WildFire appliances.
Known
10.2.6
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.2.6
PAN-259769
GlobalProtect portal is not accessible via a web browser and the app displays the error ERR_EMPTY_RESPONSE .
Known
10.2.6
PAN-250062
Device telemetry might fail at configured intervals due to bundle generation issues.
Known
10.2.6
PAN-244648
( PA-5200 Series firewalls only ) After a factory reset, the firewall may get stuck in maintenance mode and be unable to load the boot image. The firewall fails to enable FIPS-CC mode during this time.
Workaround: The following workaround allows the firewall to boot in normal mode but does not apply to FIPS-CC mode. Attempting to enable FIPS-CC mode after using this workaround will cause the firewall to reboot and re-enter maintenace mode.
  1. Enter maintenance mode.
  2. Select Disk Image Advanced Options .
  3. Select Bootstrap with the options panos-10.2.8 , maint , and maint .
  4. Select Bootstrap with the options panos-10.2.8 , sysroot0 , and panos .
  5. Select Bootstrap with the option sysroot0 .
  6. Select Reboot .
Known
10.2.6
PAN-243951
On the Panorama management sever in an active/passive High Availability (HA) configuration, managed devices ( Panorama Managed Devices Summary ) display as out-of-sync on the passive HA peer when configuration changes are made to the SD-WAN ( Panorama SD-WAN ) configuration on the active HA peer.
Workaround: Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select Commit and Commit to Panorama the SD-WAN configuration changes on the active HA peer.
    On the passive HA peer, select Panorama Managed Devices Summary and observe that the managed devices are now out-of-sync .
  3. Log in to the primary HA peer Panorama CLI and trigger a manual synchronization between the active and secondary HA peers.
    request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface and select Commit Push to Devices and Push .
Known
10.2.6
PAN-234408
Enterprise DLP cannot detect and block non-file based traffic for ChatGPT from traffic forwarded to the DLP cloud service from an NGFW.
Known
10.2.6
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
10.2.6
PAN-234929
This issue is now resolved. See PAN-OS 10.2.7-h3 Addressed Issues .
The tabs in the ACC , such as Network Activity , Threat Activity , and Blocked Activity , may not display any data when you apply a Time filter for the Last 15 minutes, Last Hour, Last 6 Hours, or Last 12 Hours. With the Last 24 Hours filter, the data displayed may not be accurate. Additionally, reports run against summary logs may not display accurate results.
Known
10.2.6
PAN-228515
The EleasticSearch SSH flaps on the M-600 appliance in Panorama or Log Collector mode. This causes logs to not display on the Panorama management server ( Monitor Logs ) and the Log Collector health status ( Panorama Managed Collectors Status ) to display as degraded.
Known
10.2.6
PAN-228273
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status is red . This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.2.6
PAN-227344
On the Panorama management server, PDF Summary Reports ( Monitor PDF Reports Manage PDF Summary ) display no data and are blank when predefined reports are included in the summary report.
Known
10.2.6
PAN-225337
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
On the Panorama management server, the configuration push to a multi-vsys firewall fails if you:
  1. Create a Shared and vsys-specific device group configuration object with an indentical name. For example, a Shared address object called SharedAO1 and a vsys-specific address object also called SharedAO1 .
  2. Reference the Shared object in another Shared configuration. For example, reference the Shared address object ( SharedAO1 ) in a Shared address group called SharedAG1 .
  3. Use the Shared configuration object with the reference in a vsys-specific configuration. For example, reference the Shared address group ( SharedAG1 ) in a vsys-specific policy rule.
Workaround: Select Panorama Setup Management and edit the Panorama Settings to enable one of the following:
  • Shared Unused Address and Service Objects with Devices —This options pushes all Shared objects, along with device group specific objects, to managed firewalls.
    This is a global setting and applies to all managed firewalls, and may result in pushing too many configuration objects to your managed firewalls.
  • Objects defined in ancestors will take higher precedence —This option specifies that in the event of objects with the same name, ancestor object take precedence over descendent objects. In this case, the Shared objects take precedence over the vsys-specific object.
    This is a global setting and applies to all managed firewalls. In the example above, if the IP address for the Shared SharedAO1 object was 10.1.1.1 and the device group specific SharedAO1 was 10.2.2.2 , the 10.1.1.1 IP address takes precedence.
Alternatively, you can remove the duplicate address objects from the device group configuration to allow only the Shared objects in your configuration.
Known
10.2.6
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.2.6
PAN-227368
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
The GlobalProtect app cannot connect to a portal or gateway and GlobalProtect Clientless VPN users cannot access applications if authentication takes longer than 20 seconds.
Workaround: Increase the TCP handshake timeout to the maximum value of 60 seconds.
Known
10.2.6
PAN-226768
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
When the GlobalProtect app is installed on iOS endpoints and the gateway is configured to accept cookies, the app stays in Connecting stage after authentication and the GlobalProtect log displays the error message, User is not in allow list . This happens when the app is restarted or when the app tries to reconnect after disconnection.
Known
10.2.6
PAN-223677
( PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420, and PA-5430 firewalls ) By enabling Lockless QoS feature, a slight degradation in App-ID and Threat performance is expected.
Known
10.2.6
PAN-223488
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
Closed ElasticSearch shards are not deleted from a Panorama M-Series or virtual appliance. This causes the ElasticSearch shard purging to not work as expected, resulting in high disk usage.
Known
10.2.6
PAN-223457
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
If the number of group queries exceeds the Okta rate limit threshold, the firewall clears the cache for the groups. To avoid encountering this issue, disable the Okta rate limit.
Known
10.2.6
PAN-222586
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings ( Device Log Settings ) are not displayed and cannot be configured.
Known
10.2.6
PAN-222418
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
The firewall intermittently records a reconnection message to the authentication server as a error, even if no disconnection occurs.
Known
10.2.6
PAN-222253
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
On the Panorama management server, policy rulebase reordering when you View Rulebase by Groups ( Policy <policy-rulebase> ) does not persist if you reorder the policy rulebase by dragging and dropping individual policy rules and then moving the entire tag group.
Known
10.2.6
PAN-221775
A Malformed Request error is displayed when you Test Connection for an email server profile ( Device Server Profiles Email ) using SMTP over TLS and the Password includes an ampersand (&).
Known
10.2.6
PAN-221857
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
Users are unable to log in to the GlobalProtect app using SAML authentication after the app is upgraded to 10.2.3-h4 and the GlobalProtect logs display the following error message: Username from SAML SSO response is different from the input. .
Known
10.2.6
PAN-221126
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
Email server profiles ( Device Server Profiles Email and Panorama Server Profiles Email ) to forward logs as email notifications are not forwarded in a readable format.
Workaround: Use a Custom Log Format to forward logs as email notifications in a readable format.
Known
10.2.6
PAN-221015
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
On M-600 appliances in Panorama or Log Collector mode, the es-1 and es-2 ElasticSearch processes fail to restart when the M-600 appliance is rebooted. The results in the Managed Collector ES health status ( Panorama Managed Collectors Health Status ) to be degraded.
Workaround: Log in to the Panorama or Log Collector CLI experiencing degraded ElasticSearch health and restart all ElasticSearch processes. 
admin>debug elasticsearch es-restart optional all
Known
10.2.6
PAN-220180
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
Configured botnet reports ( Monitor Botnet ) are not generated.
Known
10.2.6
PAN-219644
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
Firewalls forwarding logs to a syslog server over TLS ( Objects Log Forwarding ) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
10.2.6
PAN-218521
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
The ElasticSearch process on the M-600 appliance in Log Collector mode may enter a continuous reboot cycle. This results in the M-600 appliance becoming unresponsive, consuming logging disk space, and preventing new log ingestion.
Known
10.2.6
PAN-217307
This issue is now resolved. See PAN-OS 10.2.11 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.2.6
PAN-215082
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
M-300 and M-700 appliances may generate erroneous system logs ( Monitor Logs System ) to alert that the M-Series appliance memory usage limits are reached.
Known
10.2.6
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.2.6
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list ( Monitor Block IP ):
show -> dis-block-table is unexpected
Known
10.2.6
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor ( Monitor App Scope Threat Monitor ) and ACC . This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.2.6
PAN-212533
Modifying the Administrator Type for an existing administrator ( Device Administrators or Panorama Administrators ) from Superuser to a Role-Based custom admin, or vice versa, does not modify the access privileges of the administrator.
Known
10.2.6
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile ( Panorama Admin Roles ).
Known
10.2.6
PAN-209288
Certificates are not successfully generated using SCEP ( Device Certificate Management SCEP ).
Known
10.2.6
PAN-208622
A file upload to Box.com exceeding 6 files gets stuck and fails to upload if you specify an Enterprise DLP data filtering profile ( Objects DLP Data Filtering Profiles with the Action set to Block to a Security policy rule ( Policies Security ).
Known
10.2.6
PAN-204689
Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App Allow with Passcode
  • Allow user to Disable GlobalProtect App Allow with Passcode
  • Allow User to Uninstall GlobalProtect App Allow with Password
Known
10.2.6
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.2.6
PAN-196504
License deactivation fails for VM-Series firewalls licensed using PA-VM Bundle 3 (BND3).
Known
10.2.6
PAN-196146
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
The VM-Series firewall on Azure does not boot up with a hostname (specified in an init-cgf.txt or user data) when bootstrapped.
Known
10.2.6
PAN-194996
When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, allocating bandwidth for a remote network deployment fails (the OK button is grayed out).
Workaround : Retry the operation.
Known
10.2.6
PAN-194519
( PA-5450 firewall only ) Trying to configure a custom payload format under Device Server Profiles HTTP yields a Javascript error.
Known
10.2.6
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.2.6
PAN-194424
( PA-5450 firewall only ) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround: Restart the log receiver service by running the following CLI command: 
debug software restart process log-receiver
Known
10.2.6
PAN-194202
( PA-5450 firewall only ) If the management interface and logging interface are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.2.6
PAN-193004
This issue is now resolved. See PAN-OS 10.2.7 Addressed Issues .
The Panorama management server fails to delete old IP Tag data. This causes the /opt/pancfg partition to reach maximum capacity which impacts Panorama performance.
Known
10.2.6
PAN-190727
( PA-5450 firewall only ) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.2.6
PAN-189111
After deleting an MP pod and it comes up, the show routing command output appears empty and traffic stops working.
Known
10.2.6
PAN-189076
On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain.
Known
10.2.6
PAN-188358
After triggering a soft reboot on a M-700 appliance, the Management port LEDs do not light up when a 10G Ethernet cable is plugged in.
Known
10.2.6
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.2.6
PAN-187643
If you enable SCTP security using a Panorama template when SCTP INIT Flood Protection is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the SCTP INIT option is not available in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make the SCIT INIT option available on the web interface.
Known
10.2.6
PAN-187612
On the Panorama management server, not all data profiles ( Objects DLP Data Filtering Profiles ) are displayed after you:
  • Upgrade Panorama to PAN-OS 10.2 and upgrade the Enterprise DLP plugin to version 3.0.
  • Downgrade Panorama to PAN-OS 10.1 and downgrade the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP plugin.
admin > request plugins dlp reset
Known
10.2.6
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
10.2.6
PAN-187370
On a firewall with Advanced Routing enabled, if there is also a logical router instance that uses the default configuration and has no interfaces assigned to it, this will result in terminating the management daemon and main routing daemon in the firewall during commit.
Workaround : Do not use a logical router instance with no interfaces bound to it.
Known
10.2.6
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround : Use Commit Push to Devices to synchronize the templates.
Known
10.2.6
PAN-186282
On HA deployments on AWS and Azure, Panorama fails to populate match criteria automatically when adding dynamic address groups.
Workaround: Reboot the Panorama HA pair.
Known
10.2.6
PAN-185286
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
( PA-5400 Series firewalls only ) On the Panorama management server, the device health resources ( Panorama Managed Devices Health ) do not populate.
Known
10.2.6
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
10.2.6
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
10.2.6
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
10.2.6
PAN-181823
On a PA-5400 Series firewall (minus the PA-5450), setting the peer port to forced 10M or 100M speed causes any multi-gigabit RJ-45 ports on the firewall to go down if they are set to Auto.
Known
10.2.6
PAN-180661
On the Panorama management server, pushing an unsupported Minimum Password Complexity ( Device Setup Management ) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.2.6
PAN-180104
When upgrading a CN-Series as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT pod if the Kubernetes cluster previously had a CN-Series as a DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround : Reboot the worker nodes before upgrading to PAN-OS 10.2.
Known
10.2.6
PAN-178194
A user interface issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.2.6
PAN-177455
PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.2.6
PAN-175915
When the firewall is deployed on N3 and N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile Network Protection Profile, the traffic logs do not display network slice SST and SD values.
Known
10.2.6
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.2.6
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.2.6
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Known
10.2.6
PAN-164885
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues .
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
10.2.6-h6
PAN-272809
A fix was made to address CVE-2024-0012 ( PAN-SA-2024-0015 ) and CVE-2024-9474 .
Addressed
10.2.6-h6
PAN-249581
Fixed an issue where stale BGP routes were advertised to peers even when they were not present in the local RIB table.
Addressed
10.2.6-h6
PAN-228877
( PA-5200 Series, PA-5400 Series, and PA-7000 Series firewalls only ) Fixed an issue with out-of-memory (OOM) conditions that caused slot restarts due to pan_cmd consuming more than 300MB.
Addressed
10.2.6-h6
PAN-223852
Fixed an issue where all_pktproc stopped responding when network packet broker or decryption broker chains failed.
Addressed
10.2.6-h6
PAN-223652
Fixed an issue where data was not thread safe and led to concurrent read/write issues that caused GPSVC to stop working unexpectedly.
Addressed
10.2.6-h3
PAN-252214
A fix was made to address CVE-2024-3400 .
Addressed
10.2.6-h1
PAN-238792
Fixed the following device certificate issues:
  • The firewall was unable to automatically renew the device certificate-Fetching device certificates failed incorrectly with the error message OTP is not valid .
  • Firewalls disconnected from Strata Logging Service after renewing the device certificate.
  • The device certificate was not correctly generated on the log forwarding card (LFC).
  • WildFire cloud logs did not log thermite certificate usage status.
Addressed
10.2.6-h1
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.2.6-h1
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.2.6-h1
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.2.6-h1
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.2.6
PAN-231823
A fix was made to address CVE-2024-5916 .
Addressed
10.2.6
PAN-229865
( PA-220 firewalls only ) Fixed an issue where upgrading to PAN-OS 10.2.5 failed if the firewall was on a PAN-OS 10.1 release.
Addressed
10.2.6
PAN-229705
Fixed an issue where running the show rule-hit-count CLI command on Panorama displayed the error message Server error : Timed out while getting config lock. Please try again. when attempting to log in or run CLI commands.
Addressed
10.2.6
PAN-227639
Fixed an issue where the ACC displayed an incorrect DNS-base application traffic byte count.
Addressed
10.2.6
PAN-227523
A fix was made to address customer and internal bugs ( CVE-2023-38802 ).
Addressed
10.2.6
PAN-227376
Fixed an issue where a memory overrun caused the all_task process to stop responding.
Addressed
10.2.6
PAN-225240
Fixed an issue where the OSPF neighbor state remained in exstart when the OSPF network had more than 40 routes.
Addressed
10.2.6
PAN-223787
( PA-400 Series and PA-1400 Series firewalls only ) Fixed an issue where commits failed with the error message Error unserializing profile objects failed to handle CONFIG_UPDATE_START .
Addressed
10.2.6
PAN-221728
Fixed an issue where selective pushes did not work after upgrading to PAN-OS 10.2.4.
Addressed
10.2.6
PAN-216775
Fixed an issue where the devsrvr process stopped responding at pan_cloud_agent_get_curl_connection() and the URL cloud could not be connected.
Addressed
10.2.6
PAN-214273
Fixed an issue where Elasticsearch logs were not cleared, which caused the root partition to fill up.
Addressed
10.2.6
PAN-205015
Fixed an issue where not all users were included in the user group after an incremental sync between the firewall and the Cloud Identity Engine.
Addressed
10.2.6
PAN-204868
Fixed an issue where disk utilization was continuously high due to the log purger not sufficiently reducing the utilization level.
Addressed
10.2.6
PAN-198509
Fixed an issue where commits failed due to insufficient CFG memory.
Addressed
10.2.6
PAN-198043
Fixed a rare issue where a BuildXmlCache job failed on the firewall.
Known
10.2.7
WF500-5854
The WildFire analysis report on the firewall log viewer ( Monitoring WildFire Submissions ) does not display the following data fields: File Type, SHA-256, MD-5, and File Size".
Workaround : Download and open the WildFire analysis report in the PDF format using the link in the upper right-hand corner of the Detailed Log View .
Known
10.2.7
WF500-5843
In a WildFire appliance cluster, issuing the show cluster-all peers CLI command when a node within the cluster is being rebooted generates the following error: Server error : An error occured.
Known
10.2.7
WF500-5840
The sample analysis statistics that are returned when issuing the show wildfire local statistics CLI command in WildFire appliance cluster deployments may not accurately reflect the number of samples that have been processed.
Known
10.2.7
WF500-5823
The following WildFire appliance CLI command does not return a signature generation status as expected: show wildfire global signature-status . This does not corrupt or otherwise prevent the WildFire appliance from analyzing a sample.
Known
10.2.7
WF500-5781
The WildFire appliance might erroneously generate and log the following device certification error: Device certificate is missing or invalid. It cannot be renewed.
Known
10.2.7
WF500-5754
In WildFire appliance clusters, issuing the show cluster controller CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6).
Known
10.2.7
WF500-5632
The number of registered WildFire appliances reported in Panorama ( Panorama Managed WildFire Appliances Firewalls Connected View ) does not accurately reflect the current status of connected WildFire appliances.
Known
10.2.7
PAN-273730
( PA-7000 Series only ) The web interface is unresponsive after upgrading to PAN-OS 10.2.7-h18. The following error is generated: PHP Fatal error: require(): Failed opening required
Workaround: Use the CLI to downgrade or upgrade to another version.
Known
10.2.7
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.2.7
PAN-259769
GlobalProtect portal is not accessible via a web browser and the app displays the error ERR_EMPTY_RESPONSE .
Known
10.2.7
PAN-250062
Device telemetry might fail at configured intervals due to bundle generation issues.
Known
10.2.7
PAN-244673
Upgrading a flexible-vCPU VM-Series firewall HA deployment from 10.1.x directly to 10.2.3 or later causes the active HA peer to become unresponsive. In this scenario, the upgraded firewall then becomes the active peer.
Workaround : Upgrade the VM-Series firewalls to PAN-OS 10.2.2 before upgrading to the latest PAN-OS 10.2.x version.
Known
10.2.7
PAN-243951
On the Panorama management sever in an active/passive High Availability (HA) configuration, managed devices ( Panorama Managed Devices Summary ) display as out-of-sync on the passive HA peer when configuration changes are made to the SD-WAN ( Panorama SD-WAN ) configuration on the active HA peer.
Workaround: Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select Commit and Commit to Panorama the SD-WAN configuration changes on the active HA peer.
    On the passive HA peer, select Panorama Managed Devices Summary and observe that the managed devices are now out-of-sync .
  3. Log in to the primary HA peer Panorama CLI and trigger a manual synchronization between the active and secondary HA peers.
    request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface and select Commit Push to Devices and Push .
Known
10.2.7
PAN-234408
Enterprise DLP cannot detect and block non-file based traffic for ChatGPT from traffic forwarded to the DLP cloud service from an NGFW.
Known
10.2.7
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
10.2.7
PAN-242910
PAN-OS 10.2.7, 10.2.7-h1, and 10.2.7-h3 only
On the Panorama management server, Panorama administrators ( Panorama Administrators ) that are assigned a custom Panorama admin role ( Panorama Admin Roles ) with Push All Changes enabled are unable to push configuration changes to managed firewalls when Managed Devices and Push For Other Admins are disabled.
Known
10.2.7
PAN-242837
Default login credentials and SSH fail after enabling FIPS-CC Mode on a firewall or Panorama after converting through the Maintenance Recovery Tool (MRT). The firewall or Panorama becomes stuck and requires a factory reset to recover.
Known
10.2.7
PAN-242561
On the PAN-OS 10.2.7-h3 version, GlobalProtect tunnel might disconnect shortly after being established when SSL is used as a transport protocol.
Workaround : Disable Internet Protocol version 6 (TCP/IPv6) on the PANGP Virtual Network Adapter.
Known
10.2.7
PAN-238769
FIPS-CC VM only. Upgrading to 10.1.10-h2 or 10.1.11 will change all locally created security Policy actions to Deny. Re-load the back-up config taken before upgrading or the last version to get the previous config back. Also, Unable to login to FIPSCC Mode devices with default credentials after converting the mode for 10.1.12 release , 10.2.7 release , 11.1.0 , 11.1.1, 11.0.3 versions.
Known
10.2.7
PAN-234929
This issue is now resolved. See PAN-OS 10.2.7-h3 Addressed Issues .
The tabs in the ACC , such as Network Activity , Threat Activity , and Blocked Activity , may not display any data when you apply a Time filter for the Last 15 minutes, Last Hour, Last 6 Hours, or Last 12 Hours. With the Last 24 Hours filter, the data displayed may not be accurate. Additionally, reports run against summary logs may not display accurate results.
Known
10.2.7
PAN-228515
The EleasticSearch SSH flaps on the M-600 appliance in Panorama or Log Collector mode. This causes logs to not display on the Panorama management server ( Monitor Logs ) and the Log Collector health status ( Panorama Managed Collectors Status ) to display as degraded.
Known
10.2.7
PAN-228273
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
On the Panorama management server in FIPS-CC mode, the ElasticSearch cluster fails to come up and the show log-collector-es-cluster health command displays the status is red . This results in log ingestion issues for Panorama in Panorama only or Log Collector mode.
Known
10.2.7
PAN-227344
On the Panorama management server, PDF Summary Reports ( Monitor PDF Reports Manage PDF Summary ) display no data and are blank when predefined reports are included in the summary report.
Known
10.2.7
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.2.7
PAN-229865
Upgrading a PA-220 firewall running a PAN-OS 10.1 release fails when the target PAN-OS upgrade version is PAN-OS 10.2.5.
Workaround: On your upgrade path to PAN-OS 10.2.5, first upgrade to PAN-OS 10.2.4 and then upgrade to PAN-OS 10.2.5.
Known
10.2.7
PAN-226768
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
When the GlobalProtect app is installed on iOS endpoints and the gateway is configured to accept cookies, the app stays in Connecting stage after authentication and the GlobalProtect log displays the error message, User is not in allow list . This happens when the app is restarted or when the app tries to reconnect after disconnection.
Known
10.2.7
PAN-223677
( PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420, and PA-5430 firewalls ) By enabling Lockless QoS feature, a slight degradation in App-ID and Threat performance is expected.
Known
10.2.7
PAN-223457
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
If the number of group queries exceeds the Okta rate limit threshold, the firewall clears the cache for the groups. To avoid encountering this issue, disable the Okta rate limit.
Known
10.2.7
PAN-222586
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings ( Device Log Settings ) are not displayed and cannot be configured.
Known
10.2.7
PAN-222418
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
The firewall intermittently records a reconnection message to the authentication server as a error, even if no disconnection occurs.
Known
10.2.7
PAN-222253
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
On the Panorama management server, policy rulebase reordering when you View Rulebase by Groups ( Policy <policy-rulebase> ) does not persist if you reorder the policy rulebase by dragging and dropping individual policy rules and then moving the entire tag group.
Known
10.2.7
PAN-221775
A Malformed Request error is displayed when you Test Connection for an email server profile ( Device Server Profiles Email ) using SMTP over TLS and the Password includes an ampersand (&).
Known
10.2.7
PAN-221857
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
Users are unable to log in to the GlobalProtect app using SAML authentication after the app is upgraded to 10.2.3-h4 and the GlobalProtect logs display the following error message: Username from SAML SSO response is different from the input. .
Known
10.2.7
PAN-221033
The firewall is responding to an ARP request for an IP address in the firewall's NAT address pool when that IP address isn't in the same subnet as the IP address of the ingress interface.
Known
10.2.7
PAN-220180
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
Configured botnet reports ( Monitor Botnet ) are not generated.
Known
10.2.7
PAN-219644
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
Firewalls forwarding logs to a syslog server over TLS ( Objects Log Forwarding ) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
10.2.7
PAN-217307
This issue is now resolved. See PAN-OS 10.2.11 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.2.7
PAN-215082
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
M-300 and M-700 appliances may generate erroneous system logs ( Monitor Logs System ) to alert that the M-Series appliance memory usage limits are reached.
Known
10.2.7
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.2.7
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list ( Monitor Block IP ):
show -> dis-block-table is unexpected
Known
10.2.7
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor ( Monitor App Scope Threat Monitor ) and ACC . This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.2.7
PAN-212533
Modifying the Administrator Type for an existing administrator ( Device Administrators or Panorama Administrators ) from Superuser to a Role-Based custom admin, or vice versa, does not modify the access privileges of the administrator.
Known
10.2.7
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile ( Panorama Admin Roles ).
Known
10.2.7
PAN-209288
Certificates are not successfully generated using SCEP ( Device Certificate Management SCEP ).
Known
10.2.7
PAN-208622
A file upload to Box.com exceeding 6 files gets stuck and fails to upload if you specify an Enterprise DLP data filtering profile ( Objects DLP Data Filtering Profiles with the Action set to Block to a Security policy rule ( Policies Security ).
Known
10.2.7
PAN-204689
Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App Allow with Passcode
  • Allow user to Disable GlobalProtect App Allow with Passcode
  • Allow User to Uninstall GlobalProtect App Allow with Password
Known
10.2.7
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.2.7
PAN-196504
License deactivation fails for VM-Series firewalls licensed using PA-VM Bundle 3 (BND3).
Known
10.2.7
PAN-196146
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
The VM-Series firewall on Azure does not boot up with a hostname (specified in an init-cgf.txt or user data) when bootstrapped.
Known
10.2.7
PAN-194996
When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, allocating bandwidth for a remote network deployment fails (the OK button is grayed out).
Workaround : Retry the operation.
Known
10.2.7
PAN-194519
( PA-5450 firewall only ) Trying to configure a custom payload format under Device Server Profiles HTTP yields a Javascript error.
Known
10.2.7
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.2.7
PAN-194424
( PA-5450 firewall only ) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround: Restart the log receiver service by running the following CLI command: 
debug software restart process log-receiver
Known
10.2.7
PAN-194202
( PA-5450 firewall only ) If the management interface and logging interface are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.2.7
PAN-190727
( PA-5450 firewall only ) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.2.7
PAN-189111
After deleting an MP pod and it comes up, the show routing command output appears empty and traffic stops working.
Known
10.2.7
PAN-189076
On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain.
Known
10.2.7
PAN-188358
After triggering a soft reboot on a M-700 appliance, the Management port LEDs do not light up when a 10G Ethernet cable is plugged in.
Known
10.2.7
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.2.7
PAN-187643
If you enable SCTP security using a Panorama template when SCTP INIT Flood Protection is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the SCTP INIT option is not available in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make the SCIT INIT option available on the web interface.
Known
10.2.7
PAN-187612
On the Panorama management server, not all data profiles ( Objects DLP Data Filtering Profiles ) are displayed after you:
  • Upgrade Panorama to PAN-OS 10.2 and upgrade the Enterprise DLP plugin to version 3.0.
  • Downgrade Panorama to PAN-OS 10.1 and downgrade the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP plugin.
admin > request plugins dlp reset
Known
10.2.7
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
10.2.7
PAN-187370
On a firewall with Advanced Routing enabled, if there is also a logical router instance that uses the default configuration and has no interfaces assigned to it, this will result in terminating the management daemon and main routing daemon in the firewall during commit.
Workaround : Do not use a logical router instance with no interfaces bound to it.
Known
10.2.7
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround : Use Commit Push to Devices to synchronize the templates.
Known
10.2.7
PAN-186282
On HA deployments on AWS and Azure, Panorama fails to populate match criteria automatically when adding dynamic address groups.
Workaround: Reboot the Panorama HA pair.
Known
10.2.7
PAN-185286
This issue is now resolved. See PAN-OS 10.2.8 Addressed Issues .
( PA-5400 Series firewalls only ) On the Panorama management server, the device health resources ( Panorama Managed Devices Health ) do not populate.
Known
10.2.7
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
10.2.7
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
10.2.7
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
10.2.7
PAN-181823
On a PA-5400 Series firewall (minus the PA-5450), setting the peer port to forced 10M or 100M speed causes any multi-gigabit RJ-45 ports on the firewall to go down if they are set to Auto.
Known
10.2.7
PAN-180661
On the Panorama management server, pushing an unsupported Minimum Password Complexity ( Device Setup Management ) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.2.7
PAN-180104
When upgrading a CN-Series as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT pod if the Kubernetes cluster previously had a CN-Series as a DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround : Reboot the worker nodes before upgrading to PAN-OS 10.2.
Known
10.2.7
PAN-178194
A user interface issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.2.7
PAN-177455
PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.2.7
PAN-175915
When the firewall is deployed on N3 and N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile Network Protection Profile, the traffic logs do not display network slice SST and SD values.
Known
10.2.7
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.2.7
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.2.7
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Known
10.2.7
PAN-164885
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues .
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
10.2.7-h21
PAN-274570
Fixed an issue where the devsrvr process restarted after a failed commit due to an invalid memory access.
Addressed
10.2.7-h21
PAN-273215
Fixed an issue where a syntax error in the index generation script caused a high management plane CPU load after upgrading.
Addressed
10.2.7-h21
PAN-268823
Fixed an issue where Monitor > Log Display did not display all logs when you applied a filter.
Addressed
10.2.7-h21
PAN-268260
Fixed an issue on hardware firewalls where, when SSL decryption was enabled and Client Hello messages spanned multiple TCP segments, some SSL decrypted sessions failed.
Addressed
10.2.7-h21
PAN-264249
Fixed an issue on the firewall where SNMP queries timed out when using SNMP.
Addressed
10.2.7-h21
PAN-261332
A fix was made to address CVE-2024-2552 .
Addressed
10.2.7-h21
PAN-257327
( PA-5440 firewalls only ) Fixed an issue where a failover event occurred unexpectedly on the firewall.
Addressed
10.2.7-h21
PAN-244950
A fix was made to address CVE-2024-2550 .
Addressed
10.2.7-h21
PAN-243244
Fixed an issue where decryption failed for TLSv1.3 with the error message early close notify .
Addressed
10.2.7-h21
PAN-240596
Fixed an issue where the all_task process stopped responding due to an invalid memory address
Addressed
10.2.7-h21
PAN-225090
Fixed an issue on Panorama where Commit and Push was greyed out when making changes to a template or device group.
Addressed
10.2.7-h21
PAN-222188
A CLI command was introduced to address an issue where SNMP monitoring performance was slower than expected, which resulted in snmpwalk timeouts.
Addressed
10.2.7-h19
PAN-273730
( PA-7000 Series firewalls only ) Fixed an issue where the web interface became unresponsive after upgrading to PAN-OS 10.2.7-h8.
Addressed
10.2.7-h19
PAN-268727
Fixed an issue where traffic was dropped when the accumulation proxy was enabled and header insertion modified packets.
Addressed
10.2.7-h19
PAN-260131
Fixed an issue where the firewall consumed a large amount of memory when forwarding raw logs.
Addressed
10.2.7-h19
PAN-248752
( PA-3200 Series, PA-5200 Series, and PA-850 firewalls only ) Fixed an issue where the firewall did not have enough Linux memory on the dataplane, which caused the firewall to restart.
Addressed
10.2.7-h19
PAN-246772
Fixed an issue on the firewall where the dataplane went down due to a path monitor failure caused by an out-of-memory (OOM) condition related to the pan_task process.
Addressed
10.2.7-h18
PAN-272809
A fix was made to address CVE-2024-0012 ( PAN-SA-2024-0015 ) and CVE-2024-9474 .
Addressed
10.2.7-h18
PAN-262287
Fixed an issue where dereferencing a NULL pointer that occurred caused pan_task processes to stop responding.
Addressed
10.2.7-h18
PAN-255653
Fixed a high availability (HA) failover issue where, when Management Processing Card (MPC) or Base Card (BC) failures occurred, the HA link went down, which caused fpp-down events on one firewall.
Addressed
10.2.7-h18
PAN-240450
Fixed an issue where commits failed when pushing a configuration to a large number of device groups (vsys) on a firewall.
Addressed
10.2.7-h18
PAN-234560
Fixed an issue where the daily summary report displayed IPv6 addresses instead of IPv4 addresses.
Addressed
10.2.7-h18
PAN-226361
Fixed an issue where sessions bypassed L7 inspection or ended unexpectedly with the error resources unavailable when the firewall incorrectly interpreted the Content and Threat Detection (CTD) global packet queue as being full.
Addressed
10.2.7-h18
PAN-219805
Fixed an issue where the reportd process stopped responding due to a race condition.
Addressed
10.2.7-h16
PAN-264871
Fixed an issue on Panorama where the configd process stopped responding when viewing IP addresses on dynamic address groups with a large number of IP addresses.
Addressed
10.2.7-h16
PAN-262340
Fixed an issue where FQDN resolution failed for address objects, and all FQDN traffic was denied by the interzone-default policy rule.
Addressed
10.2.7-h16
PAN-262287
Fixed an issue where dereferencing a NULL pointer that occurred caused pan_task processes to stop responding.
Addressed
10.2.7-h16
PAN-250787
Fixed an issue where network issues between the firewall and the log collector caused logrcvr process memory exhaustion.
Addressed
10.2.7-h16
PAN-242910
Fixed an issue where a custom based non Superuser was unable to push to firewalls.
Addressed
10.2.7-h16
PAN-231823
Fixed an issue where server profile details in the configd process log were incorrectly displayed in plaintext
Addressed
10.2.7-h16
PAN-230755
Fixed an issue where the devsrvr process intermittently restarted when processing traffic with a Cloud App ID.
Addressed
10.2.7-h16
PAN-226361
Fixed an issue where sessions bypassed L7 inspection or ended unexpectedly with the error resources unavailable when the firewall incorrectly interpreted the Content and Threat Detection (CTD) global packet queue as being full.
Addressed
10.2.7-h12
PAN-263226
Fixed an issue where decryption based traffic failed on Explicit Proxy nodes.
Addressed
10.2.7-h12
PAN-261917
Fixed an issue where websites with a no-decrypt policy rule were decrypted in traffic log when using a Google Chrome browser with PQC enabled
Addressed
10.2.7-h12
PAN-258996
Fixed an issue where the firewall displayed the SFP ports as PowerDown when the SFP transceiver was removed and reinserted or the port was shut down and brought back up on the peer device.
Addressed
10.2.7-h12
PAN-255868
( PA-3400 Series firewalls only ) Fixed an issue where the firewall entered maintenance mode after enabling kernel data collection during the silent reboot.
Addressed
10.2.7-h12
PAN-253546
Fixed an issue where a TLS client hello was split into multiple packets and arrived out of order, so the packets were dropped and the session terminated.
Addressed
10.2.7-h12
PAN-252214
A fix was made to address CVE-2024-3400 .
Addressed
10.2.7-h12
PAN-251661
Fixed an issue where a memory overwrite occurred during HTTP/2 header inflation.
Addressed
10.2.7-h12
PAN-251563
Added CPLD enhancement to capture external power issues.
Addressed
10.2.7-h12
PAN-250152
Fixed an issue related to shared-to-shared optimization. To utilize this fix, contact Palo Alto Networks Tech Support.
Addressed
10.2.7-h12
PAN-249814
Fixed an issue where multiple all_task processes stopped responding, which caused the dataplane to fail.
Addressed
10.2.7-h12
PAN-247257
Fixed an issue where the useridd process stopped responding, which caused the firewall to reboot.
Addressed
10.2.7-h12
PAN-244648
Fixed an issue where, when FIPS was enabled in maintenance mode, the firewall rebooted and returned to maintenance mode.
Addressed
10.2.7-h12
PAN-240612
Fixed a kernel panic caused by a third-party issue.
Addressed
10.2.7-h12
PAN-244013
Fixed an issue where the web interface did not display newly added Anti-Spyware signatures or Vulnerability Signatures.
Addressed
10.2.7-h12
PAN-239662
Fixed an issue with firewalls in active/passive HA configurations where the NSSA default route from the active firewall was not generated to advertise even though the backbone area default route was advertised during a graceful restart.
Addressed
10.2.7-h12
PAN-238625
Fixed an issue where, when the physical interface went down, the SD-WAN ethernet connection state still showed UP/path-monitor due to the Active URL SaaS monitor connection state remaining UP/path-monitor.
Addressed
10.2.7-h12
PAN-233191
( PA-5450 firewalls only ) Fixed an issue where the Data Processing Card (DPC) restarted due to path monitor failure after QSFP28 disconnected from the Network Processing Card (NPC).
Addressed
10.2.7-h12
PAN-226768
Fixed an issue where, when the GlobalProtect app was installed on iOS endpoints and the gateway was configured to accept cookies, the app remained in the Connecting stage after authentication, and the GlobalProtect log displayed the error message User is not in allow list . This occurred when the app was restarted or when the app attempted to reconnect after disconnection.
Addressed
10.2.7-h8
PAN-252214
A fix was made to address CVE-2024-3400 .
Addressed
10.2.7-h6
PAN-246431
This issue is resolved in this hotfix but not in PAN-OS 10.2.8.
Fixed an issue where a Push to Device operation remained at the state None when performing a selective push to device groups and templates that included both connected and disconnected firewalls.
Addressed
10.2.7-h6
PAN-242910
This issue is resolved in this hotfix but not in PAN-OS 10.2.8.
Fixed an issue where a custom based non Superuser was unable to push to firewalls.
Addressed
10.2.7-h6
PAN-242627
This issue is resolved in this hotfix but not in PAN-OS 10.2.8.
Fixed an issue where selective push did not work.
Addressed
10.2.7-h6
PAN-242561
Fixed an issue where GlobalProtect tunnels disconnected shortly after being established when SSL was used as the transfer protocol.
Addressed
10.2.7-h6
PAN-242027
Fixed an issue where the all-task process repeatedly restarted during memory allocation failures.
Addressed
10.2.7-h6
PAN-239367
Fixed an issue on the firewall where a memory leak associated with the logrcvr process occurred.
Addressed
10.2.7-h6
PAN-238643
This issue is resolved in this hotfix but not in PAN-OS 10.2.8.
Fixed an issue where a memory leak caused multiple processes to stop responding when VM Information Sources was configured.
Addressed
10.2.7-h6
PAN-237208
Fixed an issue where the reportd process stopped and the firewall rebooted.
Addressed
10.2.7-h6
PAN-235840
Fixed an issue where, after a configuration push from Panorama to managed firewalls, the status displayed as None and the push took longer than expected.
Addressed
10.2.7-h6
PAN-233789
Fixed an issue with commit and push and push operations where the user was not correctly bound to the scope, which caused all device groups to be selected for a selective push.
Addressed
10.2.7-h6
PAN-231148
Fixed an issue where no DHCP option list was defined when using GlobalProtect.
Addressed
10.2.7-h6
PAN-229090
Fixed an issue where the logrcvr process stopped responding during memory allocation failures.
Addressed
10.2.7-h6
PAN-228515
This issue is resolved in this hotfix but not in PAN-OS 10.2.8.
Fixed an issue where the Elasticsearch cluster health status displayed as yellow or red due to Elasticsearch SSH tunnel flaps.
Addressed
10.2.7-h6
PAN-223259
Fixed an issue where selective pushes failed with the error message Failed to generate selective push configuration. Unable to retrieve last in-sync configuration for the device, either a push was never done or version is too old. Please try a full push .
Addressed
10.2.7-h6
PAN-217293
Fixed a rare issue where URLs were not accessible when the header length was greater than 16,000 over HTTP/2.
Addressed
10.2.7-h6
PAN-199070
Fixed an issue where the all_task and pan_task processes stopped responding, which impacted traffic.
Addressed
10.2.7-h3
PAN-240197
Fixed an issue where configuration changes made in Panorama and pushed to the firewall were not reflected on the firewall.
Addressed
10.2.7-h3
PAN-239144
Fixed an issue where the web interface was slower than expected when logging in, committing, and pushing changes after upgrading to PAN-OS 10.2.7.
Addressed
10.2.7-h3
PAN-238792
Fixed the following device certificate issues:
  • The firewall was unable to automatically renew the device certificate-Fetching device certificates failed incorrectly with the error message OTP is not valid .
  • Firewalls disconnected from Strata Logging Service after renewing the device certificate.
  • The device certificate was not correctly generated on the log forwarding card (LFC).
  • WildFire cloud logs did not log thermite certificate usage status.
Addressed
10.2.7-h3
PAN-237935
Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.
Addressed
10.2.7-h3
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.2.7-h3
PAN-234929
Fixed an issue where tabs in the ACC such as Network Activity Threat Activity and Blocked Activity did not display data when you applied a Time filter of Last 15 Minutes , Last Hour , Last 6 Hours , or Last 12 Hours , and the data that was displayed with the Last 24 Hours filter was not accurate. Reports that were run against summary logs also did not display accurate results.
Addressed
10.2.7-h3
PAN-234279
Fixed an issue where the ikemgr process crashed due to an IKEv1 timing issue, which caused commits to fail with the following error message: Client ikemgr requesting last config in the middle of a commit/validate, aborting current commit .
Addressed
10.2.7-h3
PAN-232377
Fixed an issue where the AddrObjRefresh job failed when the useridd process restarted.
Addressed
10.2.7-h3
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.2.7-h3
PAN-231169
( PA-220 firewalls only ) Fixed an issue where an unused plugin incorrectly used memory.
Addressed
10.2.7-h3
PAN-228273
( Panorama appliances in FIPS-CC mode only ) Fixed an issue where the Elasticsearch cluster did not come up, and the show log-collector-es-cluster health CLI command displayed the status as red. This caused log ingestion issues for Panorama appliances in Panorama mode or Log Collector mode.
Addressed
10.2.7-h3
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
10.2.7-h3
PAN-224954
Fixed an issue where, after upgrading and rebooting a Panorama appliance in Panorama or Log Collector mode, managed firewalls continuously disconnected.
Addressed
10.2.7-h3
PAN-224067
Fixed an issue where cookie authentication did not work for GlobalProtect when an authentication override domain was configured in the SAML authentication profile.
Addressed
10.2.7-h3
PAN-224060
( PA-220 Series firewalls only ) Fixed an issue where multiple dataplane processes stopped responding after an upgrade.
Addressed
10.2.7-h3
PAN-223652
Fixed an issue where data was not thread safe and led to concurrent read/write issues that caused GPSVC to stop working unexpectedly.
Addressed
10.2.7-h3
PAN-223270
Fixed an issue with Virtual Wire links on firewalls in active/active HA configurations where the forwarding path was not preserved in HTTP/2 cleartext traffic with asymmetric routing.
Addressed
10.2.7-h3
PAN-222002
Fixed an issue where content updates failed with the error message Unable to get key pancontent-8.0.pass from cryptod. Error -9 .
Addressed
10.2.7-h3
PAN-218988
Fixed an issue in FIPS mode where, when importing a certificate with a new private key, and the certificate used the name of an existing certificate on the Panorama, the following error message was displayed: Mismatched public and private keys .
Addressed
10.2.7-h3
PAN-218057
( PA-7000 Series firewalls only ) Fixed an issue where internal path monitoring failed due to a heartbeat miss.
Addressed
10.2.7-h3
PAN-217289
Fixed an intermittent issue where HTTP/2 traffic caused buffer depletion.
Addressed
10.2.7-h3
PAN-216214
( Panorama managed firewalls in active/active HA configurations only ) Fixed an issue where the HA (high availability) status displayed as Out of Sync ( Panorama > Managed Devices > Health ) if local firewall configurations were made on one of the HA peers. This caused the next HA configuration sync to overwrite the local firewall configuration made on the HA peer.
Addressed
10.2.7-h3
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.2.7-h3
PAN-208395
Fixed an issue where user authentication failed in multi-vsys environments with the error message User is not in allowlist when an authentication profile was created in a shared configuration space.
Addressed
10.2.7-h3
PAN-202361
Fixed an issue where packets queued to the pan_task process were still transmitted when the process was not responding.
Addressed
10.2.7-h3
PAN-189769
Fixed an issue on Amazon Web Services (AWS) Gateway Load Balancer (GWLB) deployments with overlay routing enabled where, when a single firewall was the backend of multiple GWLBs, packets were re-encapsulated with an incorrect source IP address.
Addressed
10.2.7-h3
PAN-181706
Fixed an issue where the logrcvr process stopped responding after upgrading to PAN-OS 10.1.
Addressed
10.2.7-h1
PAN-237871
( WF-500 appliances and PAN-DB private cloud deployments only ) Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.7-h1
PAN-236926
Fixed an issue where Elasticsearch shards failed if they were allocated when tunnels were down, and shards that failed remained unallocated when tunnels went back up.
Addressed
10.2.7
PAN-236605
Fixed an issue where the configd process stopped responding due to a deadlock related to rule-hit-count.
Addressed
10.2.7
PAN-232800
Fixed an issue where critical disk usage for /opt/pancfg increased continuously and the system logs displayed the following message: Disk usage for /opt/pancfg exceeds limit, <value> percent in use .
Addressed
10.2.7
PAN-232132
Fixed an issue where DNS response packets were malformed when an Anti-Spyware Security Profile was enabled.
Addressed
10.2.7
PAN-232059
Fixed an issue with memory management when processing large certificates using TLSv1.3.
Addressed
10.2.7
PAN-231823
A fix was made to address CVE-2024-5916 .
Addressed
10.2.7
PAN-231043
Fixed an issue where websites were not able to be opened via GlobalProtect with SSL-VPN when software cut through was enabled.
Addressed
10.2.7
PAN-229691
Fixed an issue on Panorama where configuration lock timeout errors were observed during normal operational commands by increasing thread stack size on Panorama.
Addressed
10.2.7
PAN-228998
Fixed an issue where multiple license status checks caused an internal process to stop responding.
Addressed
10.2.7
PAN-228877
( PA-7050 firewalls only ) Fixed an issue with OOM conditions that caused slot restarts due to pan_cmd consuming more than 300 MB.
Addressed
10.2.7
PAN-227539
Fixed an issue where excess WIF process memory use caused processes to restart due to OOM conditions.
Addressed
10.2.7
PAN-227368
Fixed an issue where the GlobalProtect app was unable to connect to a portal or gateway and GlobalProtect Clientless VPN users were unable to access applications if authentication took more than 20 seconds.
Addressed
10.2.7
PAN-225337
Fixed an issue on Panorama related to Shared configuration objects where configuration pushes to multi-vsys firewalls when authentication took longer than 20 seconds.
Addressed
10.2.7
PAN-224145
Fixed an issue in multi-vsys environments where, when Panorama was on a PAN-OS 10.2 release and the firewall was on a PAN-OS 10.1 release, commits failed on the firewall when inbound inspection mode was configured in the decryption policy rule.
Addressed
10.2.7
PAN-223488
Fixed an issue where closed ElasticSearch shards were not deleted, which resulted in shard purging not working as expected.
Addressed
10.2.7
PAN-221190
( PA-800 Series firewalls only ) Fixed an issue where the firewall rebooted due to I2C errors when unsupported optics were inserted in ports 5-8.
Addressed
10.2.7
PAN-221126
Fixed an issue where Email server profiles ( Device > Server Profiles > Email and Panorama > Server Profiles > Email ) to forward logs as email notifications were not forwarded in a readable format.
Addressed
10.2.7
PAN-221015
( M-600 Appliances only ) Fixed an issue where ElasticSearch processes did not restart when the appliance was rebooted, which caused the Managed Collector ES health status to be downgraded.
Addressed
10.2.7
PAN-218521
( M-600 Appliances in Log Collector mode only ) Fixed an issue where Panorama continuously rebooted and became unresponsive, which consumed excessive logging disk space and prevented new log ingestion.
Addressed
10.2.7
PAN-215268
Fixed an issue where selective push did not work for firewalls on PAN-OS 9.1 or an earlier release.
Addressed
10.2.7
PAN-214186
Fixed an issue where category length was incorrect, which caused the dataplane to restart.
Addressed
10.2.7
PAN-212761
Fixed an issue where the all_pktproc process stopped responding, which caused the dataplane to go down and caused HA failover.
Addressed
10.2.7
PAN-193004
Fixed an issue where /opt/pancfg partition utilization reached 100%, which caused access to the Panorama web interface to fail.
Known
10.2.8
WF500-5854
The WildFire analysis report on the firewall log viewer ( Monitoring WildFire Submissions ) does not display the following data fields: File Type, SHA-256, MD-5, and File Size".
Workaround : Download and open the WildFire analysis report in the PDF format using the link in the upper right-hand corner of the Detailed Log View .
Known
10.2.8
WF500-5843
In a WildFire appliance cluster, issuing the show cluster-all peers CLI command when a node within the cluster is being rebooted generates the following error: Server error : An error occured.
Known
10.2.8
WF500-5840
The sample analysis statistics that are returned when issuing the show wildfire local statistics CLI command in WildFire appliance cluster deployments may not accurately reflect the number of samples that have been processed.
Known
10.2.8
WF500-5823
The following WildFire appliance CLI command does not return a signature generation status as expected: show wildfire global signature-status . This does not corrupt or otherwise prevent the WildFire appliance from analyzing a sample.
Known
10.2.8
WF500-5781
The WildFire appliance might erroneously generate and log the following device certification error: Device certificate is missing or invalid. It cannot be renewed.
Known
10.2.8
WF500-5754
In WildFire appliance clusters, issuing the show cluster controller CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6).
Known
10.2.8
WF500-5632
The number of registered WildFire appliances reported in Panorama ( Panorama Managed WildFire Appliances Firewalls Connected View ) does not accurately reflect the current status of connected WildFire appliances.
Known
10.2.8
PAN-262287
This issue is now resolved. See PAN-OS 10.2.8-h13 Addressed Issues .
Dereferencing a NULL pointer that occurs might cause pan_task processes to crash.
Known
10.2.8
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.2.8
PAN-259769
GlobalProtect portal is not accessible via a web browser and the app displays the error ERR_EMPTY_RESPONSE .
Known
10.2.8
PAN-255868
( PA-3400 Series firewalls only ) After enabling kernel data collection during a silent reboot, the firewall fails and reboots to maintenance mode.
Workaround: To recover the firewall, initiate a reboot from maintenance mode.
Known
10.2.8
PAN-251895
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues .
When Inline Cloud Analysis features are enabled, the firewall experiences a slow packet buffer leak, resulting in poor performance and dropped traffic.
Workaround: Disable WildFire Inline Cloud Analysis and Advanced Threat Prevention Inline Cloud Analysis on the firewall.
Known
10.2.8
PAN-250062
Device telemetry might fail at configured intervals due to bundle generation issues.
Known
10.2.8
PAN-243951
On the Panorama management sever in an active/passive High Availability (HA) configuration, managed devices ( Panorama Managed Devices Summary ) display as out-of-sync on the passive HA peer when configuration changes are made to the SD-WAN ( Panorama SD-WAN ) configuration on the active HA peer.
Workaround: Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select Commit and Commit to Panorama the SD-WAN configuration changes on the active HA peer.
    On the passive HA peer, select Panorama Managed Devices Summary and observe that the managed devices are now out-of-sync .
  3. Log in to the primary HA peer Panorama CLI and trigger a manual synchronization between the active and secondary HA peers.
    request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface and select Commit Push to Devices and Push .
Known
10.2.8
PAN-242910
On the Panorama management server, Panorama administrators ( Panorama Administrators ) that are assigned a custom Panorama admin role ( Panorama Admin Roles ) with Push All Changes enabled are unable to push configuration changes to managed firewalls when Managed Devices and Push For Other Admins are disabled.
Known
10.2.8
PAN-234408
Enterprise DLP cannot detect and block non-file based traffic for ChatGPT from traffic forwarded to the DLP cloud service from an NGFW.
Known
10.2.8
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
10.2.8
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.2.8
PAN-229865
Upgrading a PA-220 firewall running a PAN-OS 10.1 release fails when the target PAN-OS upgrade version is PAN-OS 10.2.5.
Workaround: On your upgrade path to PAN-OS 10.2.5, first upgrade to PAN-OS 10.2.4 and then upgrade to PAN-OS 10.2.5.
Known
10.2.8
PAN-228515
The EleasticSearch SSH flaps on the M-600 appliance in Panorama or Log Collector mode. This causes logs to not display on the Panorama management server ( Monitor Logs ) and the Log Collector health status ( Panorama Managed Collectors Status ) to display as degraded.
Known
10.2.8
PAN-226361
This issue is now resolved. See PAN-OS 10.2.8-h13 Addressed Issues .
Sessions might end unexpectedly with the error resources-unavailable when the firewall incorrectly interprets the Content and Threat Detection (CTD) global packet queue as being full.
Known
10.2.8
PAN-223677
( PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420, and PA-5430 firewalls ) By enabling Lockless QoS feature, a slight degradation in App-ID and Threat performance is expected.
Known
10.2.8
PAN-222586
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings ( Device Log Settings ) are not displayed and cannot be configured.
Known
10.2.8
PAN-221775
A Malformed Request error is displayed when you Test Connection for an email server profile ( Device Server Profiles Email ) using SMTP over TLS and the Password includes an ampersand (&).
Known
10.2.8
PAN-217307
This issue is now resolved. See PAN-OS 10.2.11 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.2.8
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.2.8
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list ( Monitor Block IP ):
show -> dis-block-table is unexpected
Known
10.2.8
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor ( Monitor App Scope Threat Monitor ) and ACC . This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.2.8
PAN-212533
Modifying the Administrator Type for an existing administrator ( Device Administrators or Panorama Administrators ) from Superuser to a Role-Based custom admin, or vice versa, does not modify the access privileges of the administrator.
Known
10.2.8
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile ( Panorama Admin Roles ).
Known
10.2.8
PAN-209288
Certificates are not successfully generated using SCEP ( Device Certificate Management SCEP ).
Known
10.2.8
PAN-208622
A file upload to Box.com exceeding 6 files gets stuck and fails to upload if you specify an Enterprise DLP data filtering profile ( Objects DLP Data Filtering Profiles with the Action set to Block to a Security policy rule ( Policies Security ).
Known
10.2.8
PAN-204689
Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App Allow with Passcode
  • Allow user to Disable GlobalProtect App Allow with Passcode
  • Allow User to Uninstall GlobalProtect App Allow with Password
Known
10.2.8
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.2.8
PAN-196504
License deactivation fails for VM-Series firewalls licensed using PA-VM Bundle 3 (BND3).
Known
10.2.8
PAN-194996
When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, allocating bandwidth for a remote network deployment fails (the OK button is grayed out).
Workaround : Retry the operation.
Known
10.2.8
PAN-194519
( PA-5450 firewall only ) Trying to configure a custom payload format under Device Server Profiles HTTP yields a Javascript error.
Known
10.2.8
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.2.8
PAN-194424
( PA-5450 firewall only ) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround: Restart the log receiver service by running the following CLI command: 
debug software restart process log-receiver
Known
10.2.8
PAN-194202
( PA-5450 firewall only ) If the management interface and logging interface are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.2.8
PAN-190727
( PA-5450 firewall only ) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.2.8
PAN-189111
After deleting an MP pod and it comes up, the show routing command output appears empty and traffic stops working.
Known
10.2.8
PAN-189076
On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain.
Known
10.2.8
PAN-188358
After triggering a soft reboot on a M-700 appliance, the Management port LEDs do not light up when a 10G Ethernet cable is plugged in.
Known
10.2.8
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.2.8
PAN-187643
If you enable SCTP security using a Panorama template when SCTP INIT Flood Protection is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the SCTP INIT option is not available in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make the SCIT INIT option available on the web interface.
Known
10.2.8
PAN-187612
On the Panorama management server, not all data profiles ( Objects DLP Data Filtering Profiles ) are displayed after you:
  • Upgrade Panorama to PAN-OS 10.2 and upgrade the Enterprise DLP plugin to version 3.0.
  • Downgrade Panorama to PAN-OS 10.1 and downgrade the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP plugin.
admin > request plugins dlp reset
Known
10.2.8
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
10.2.8
PAN-187370
On a firewall with Advanced Routing enabled, if there is also a logical router instance that uses the default configuration and has no interfaces assigned to it, this will result in terminating the management daemon and main routing daemon in the firewall during commit.
Workaround : Do not use a logical router instance with no interfaces bound to it.
Known
10.2.8
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround : Use Commit Push to Devices to synchronize the templates.
Known
10.2.8
PAN-186282
On HA deployments on AWS and Azure, Panorama fails to populate match criteria automatically when adding dynamic address groups.
Workaround: Reboot the Panorama HA pair.
Known
10.2.8
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
10.2.8
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
10.2.8
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
10.2.8
PAN-181823
On a PA-5400 Series firewall (minus the PA-5450), setting the peer port to forced 10M or 100M speed causes any multi-gigabit RJ-45 ports on the firewall to go down if they are set to Auto.
Known
10.2.8
PAN-180661
On the Panorama management server, pushing an unsupported Minimum Password Complexity ( Device Setup Management ) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.2.8
PAN-180104
When upgrading a CN-Series as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT pod if the Kubernetes cluster previously had a CN-Series as a DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround : Reboot the worker nodes before upgrading to PAN-OS 10.2.
Known
10.2.8
PAN-178194
A user interface issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.2.8
PAN-177455
PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.2.8
PAN-175915
When the firewall is deployed on N3 and N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile Network Protection Profile, the traffic logs do not display network slice SST and SD values.
Known
10.2.8
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.2.8
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.2.8
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Known
10.2.8
PAN-164885
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues .
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
10.2.8-h19
PAN-259351
A fix was made to address CVE-2024-3393 .
Addressed
10.2.8-h18
PAN-273215
Fixed an issue where a syntax error in the index generation script caused a high management plane CPU load after upgrading.
Addressed
10.2.8-h18
PAN-272809
A fix was made to address CVE-2024-0012 ( PAN-SA-2024-0015 ) and CVE-2024-9474 .
Addressed
10.2.8-h18
PAN-269624
Fixed an issue where GlobalProtect clients failed to connect with the error message The device or feature requires a GlobalProtect subscription license .
Addressed
10.2.8-h18
PAN-268909
Fixed an issue where IP address tags were removed from firewalls after a management server or useridd process restart. This occurred when a Panorama serial-number based configuration was used for User-ID redistribution.
Addressed
10.2.8-h18
PAN-264249
Fixed an issue on the firewall where SNMP queries timed out when using SNMP.
Addressed
10.2.8-h18
PAN-263973
Fixed an issue where log collectors had a low incoming log rate.
Addressed
10.2.8-h18
PAN-261673
( VM-Series firewalls on Microsoft Azure environments only ) Fixed an issue where, when Accelerated Networking was enabled, traffic was dropped because of the flow_parse_ip_hdr counter related to an Nvidia driver issue.
Addressed
10.2.8-h18
PAN-257601
( PA-5450 firewalls only ) Fixed an issue where Networking Cards (NC) experienced an internal link fault which caused path monitoring failure on the Dataplane Processing Card (DPC).
Addressed
10.2.8-h18
PAN-252974
( PA-450 firewalls only ) Fixed an issue where specific routes were not advertised when BGP Aggregate was configured with the advertise filter.
Addressed
10.2.8-h18
PAN-246699
Fixed an issue on Panorama where Rule Usage and Apps Seen under Security policy rules stopped incrementing.
Addressed
10.2.8-h18
PAN-246420
( PA-5450 Series firewalls only ) Fixed an issue where the firewall rebooted unexpectedly during an upgrade.
Addressed
10.2.8-h18
PAN-244950 and PAN-221352
A fix was made to address CVE-2024-2550 .
Addressed
10.2.8-h18
PAN-240251
Fixed an issue where the vldmgr process incorrectly restarted during an Elasticsearch restart.
Addressed
10.2.8-h18
PAN-230825
Fixed an issue where link flaps occurred on Panorama appliances in high availability (HA) configurations.
Addressed
10.2.8-h18
PAN-228515
Fixed an issue where the Elasticsearch cluster health status displayed as yellow or red due to Elasticsearch SSH tunnel flaps.
Addressed
10.2.8-h18
PAN-222579
Fixed an issue where the useridd and distd process restarted, which resulted in missing mappings.
Addressed
10.2.8-h18
PAN-216941
( Panorama appliances in Log Collector mode only ) Fixed an issue where Panorama stopped processing and saving logs.
Addressed
10.2.8-h15
PAN-272809
A fix was made to address CVE-2024-0012 ( PAN-SA-2024-0015 ) and CVE-2024-9474 .
Addressed
10.2.8-h15
PAN-268823
Fixed an issue where Monitor Log Display did not display all logs when you applied a filter.
Addressed
10.2.8-h15
PAN-262287
Fixed an issue where dereferencing a NULL pointer that occurred caused pan_task processes to stop responding.
Addressed
10.2.8-h15
PAN-244894
Fixed an issue where turning off mprelay logging caused mprelay heartbeat failure.
Addressed
10.2.8-h15
PAN-244227
Fixed an issue where inconsistent FIB entries across the dataplane were not detected.
Addressed
10.2.8-h15
PAN-238610
Fixed an issue with the Panorama Virtual Appliance where, after the mgmtsrvr restarted on the passive appliance, stale IP address tags were pushed to the connected firewalls with the message clear all registered ip addresses .
Addressed
10.2.8-h15
PAN-226361
Fixed an issue where sessions bypassed L7 inspection or ended unexpectedly with the error resources unavailable when the firewall incorrectly interpreted the Content and Threat Detection (CTD) global packet queue as being full.
Addressed
10.2.8-h13
PAN-264883
( PA-7080 appliances with LPCs only ) Fixed an issue where syslog forwarding over TCP stopped after upgrading.
Addressed
10.2.8-h13
PAN-262946
Fixed an issue on the firewall where logging in via the CLI or web interface did not work due to increased memory usage.
Addressed
10.2.8-h13
PAN-262340
Fixed an issue where FQDN resolution failed for address objects, and all FQDN traffic was denied by the interzone-default policy rule.
Addressed
10.2.8-h13
PAN-262287
Fixed an issue where dereferencing a NULL pointer that occurred caused pan_task processes to stop responding.
Addressed
10.2.8-h13
PAN-261484
Fixed an issue on the firewall where DPDK allocated twice the amount of memory as requested for pre-allocation.
Addressed
10.2.8-h13
PAN-259727
( Panorama appliances in HA configurations only ) Fixed an issue where Panorama became unresponsive and displayed a 504 gateway timeout error when accessing the web interface or the CLI.
Addressed
10.2.8-h13
PAN-257736
( PA-5450 firewalls only ) Fixed an issue where traffic to benign applications was was impacted by holding TCP sequential segments for MLC inspection and not releasing the full chain after a benign verdict was received.
Addressed
10.2.8-h13
PAN-257462
Fixed an issue related to the varrcvr process where the management plane CPU was higher than expected.
Addressed
10.2.8-h13
PAN-255509
( PA-5450 firewalls only ) Fixed an issue where BFD sessions flapped intermittently.
Addressed
10.2.8-h13
PAN-253829
Fixed an issue where the CLI command show running security-policy timed out when the Security policy was large.
Addressed
10.2.8-h13
PAN-252270
Fixed an issue on the firewall where changes were incorrectly applied after a reboot or a restart of the configd process.
Addressed
10.2.8-h13
PAN-252036
Fixed an issue where, when the GlobalProtect portal was not configured, accessing the GlobalProtect gateway still loaded a portal malformed page.
Addressed
10.2.8-h13
PAN-250787
Fixed an issue where network issues between the firewall and the log collector caused logrcvr process memory exhaustion.
Addressed
10.2.8-h13
PAN-246708
Fixed an issue where the firewall stopped responding when the all_pktproc repeatedly restarted.
Addressed
10.2.8-h13
PAN-242910
Fixed an issue where a custom based non Superuser was unable to push to firewalls.
Addressed
10.2.8-h13
PAN-241044
Fixed an issue where traffic was denied by the interzone-default policy rule when a Security policy rule with an FQDN destination was configured.
Addressed
10.2.8-h13
PAN-240066
Fixed a duplicate MAC address issue where an ethernet interface sent out Gratuitous ARP (GARP) messages for an IP address that was not configured on it.
Addressed
10.2.8-h13
PAN-240001
Fixed an issue where the pan_task process restarted due to configd and devsrvr process memory requirements.
Addressed
10.2.8-h13
PAN-239354
Fixed an issue where DNS resolution was delayed when an Antispyware policy rule was applied to both client to firewall and firewall to internal DNS server legs of a connection.
Addressed
10.2.8-h13
PAN-226361
Fixed an issue where sessions bypassed L7 inspection or ended unexpectedly with the error resources unavailable when the firewall incorrectly interpreted the Content and Threat Detection (CTD) global packet queue as being full.
Addressed
10.2.8-h10
PAN-263226
Fixed an issue where decryption based traffic failed on Explicit Proxy nodes.
Addressed
10.2.8-h10
PAN-261917
Fixed an issue where websites with a no-decrypt policy rule were decrypted in traffic logs when using a Google Chrome browser with PQC enabled.
Addressed
10.2.8-h10
PAN-254826
Fixed an issue where the firewall stopped responding when processing traffic.
Addressed
10.2.8-h10
PAN-253546
Fixed an issue where a TLS client hello was split into multiple packets and arrived out of order, so the packets were dropped and the session terminated.
Addressed
10.2.8-h10
PAN-247099
Fixed an issue where the firewall decrypted traffic unexpectedly when the client hello was spread across multiple packets.
Addressed
10.2.8-h10
PAN-224195
Fixed an issue where Authentication Portal redirects failed with a 500 Internal error when the Authentication Portal token was disabled.
Addressed
10.2.8-h4
PAN-253317
( VM-Series firewalls on Microsoft Azure environments only ) Fixed an issue where you were unable to log in to the firewall after a private data reset.
Addressed
10.2.8-h4
PAN-251895
Fixed an issue where enabling Inline Cloud Analysis features caused a slow packet buffer leak, which resulted in performance issues and dropped traffic.
Addressed
10.2.8-h4
PAN-251563
Added CPLD enhancement to capture external power issues.
Addressed
10.2.8-h4
PAN-251013
Fixed an issue on the web interface where the Virtual Router and Virtual System configurations for the template incorrectly showed as none .
Addressed
10.2.8-h4
PAN-250020
Fixed an issue where MLC2 verdict retrieval failed due to a regression in loopback data flag handling.
Addressed
10.2.8-h4
PAN-248105
Fixed an issue where the GlobalProtect SSL VPN tunnel immediately disconnected due to a keep-alive timeout.
Addressed
10.2.8-h4
PAN-246976
Fixed an issue with unbalanced NAT session distribution with multi-dataplane firewalls when persistent-dipp was enabled.
Addressed
10.2.8-h4
PAN-244648
Fixed an issue where, when FIPS was enabled in maintenance mode, the firewall rebooted and returned to maintenance mode.
Addressed
10.2.8-h4
PAN-244622
Fixed an issue where FIB re-push did not work with Advanced Routing enabled.
Addressed
10.2.8-h4
PAN-244548
Fixed an issue where ECMP sessions changed destination MAC addresses mid-session, which caused connections to be reset.
Addressed
10.2.8-h4
PAN-242309
Fixed an issue where a higher byte count (s2c) was observed for DNS-Base application.
Addressed
10.2.8-h4
PAN-240612
Fixed a kernel panic caused by a third-party issue
Addressed
10.2.8-h4
PAN-240308
Fixed an issue where ElasticSearch did not work as expected when raid-mounts were not fully ready after a reboot.
Addressed
10.2.8-h4
PAN-236133
Fixed an issue where SSL traffic was impacted when SSL Command and Control detector or Incline Cloud Analysis was set to reset-both , reset-client , reset-server , or drop .
Addressed
10.2.8-h4
PAN-225394
Fixed an issue on the firewall where SNMP incorrectly reported high packet descriptor usage.
Addressed
10.2.8-h4
PAN-203981
Fixed an issue where usernames with only numeric characters were not valid.
Addressed
10.2.8-h3
PAN-252214
A fix was made to address CVE-2024-3400 .
Addressed
10.2.8
PAN-240596
Fixed an issue where all_task stopped responding due to an invalid memory address.
Addressed
10.2.8
PAN-242561
Fixed an issue where GlobalProtect tunnels disconnected shortly after being established when SSL was used as the transfer protocol.
Addressed
10.2.8
PAN-240197
Fixed an issue where configuration changes made in Panorama and pushed to the firewall weren’t reflected on the firewall.
Addressed
10.2.8
PAN-240174
Fixed an issue where, when LSVPN serial numbers and IP address authentication were enabled, IPv6 address ranges and complete IPv6 addresses that were manually added to the IP address allow or exclude list were not usable after a restart of the gp_broker process or the firewall.
Addressed
10.2.8
PAN-239241
Extended the root certificate for WildFire appliances to December 31, 2032.
Addressed
10.2.8
PAN-239144
Fixed an issue where the web interface was slower than expected when logging in, committing, and pushing changes after upgrading to PAN-OS 10.2.7.
Addressed
10.2.8
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
10.2.8
PAN-237871
( WF-500 appliances and PAN-DB private cloud deployments only ) Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
10.2.8
PAN-237454
Fixed an issue where Panorama stopped redistributing IP address-to-username mappings when packet loss occurred between the distributor and the client.
Addressed
10.2.8
PAN-236244
Fixed an issue where you were unable to select authentication profiles via the web interface.
Addressed
10.2.8
PAN-236233
Fixed an issue where SNMP reports displayed incorrect values for SSL Proxy sessions and SSL Proxy utilization.
Addressed
10.2.8
PAN-235741
Fixed an issue where DNS resolution failed for Panorama and firewall plugins if the DNS Server IP address was obtained through DHCP.
Addressed
10.2.8
PAN-235737
Fixed an issue where the brdagent process stopped responding due to a sudden increase in logging to the bcm.log.
Addressed
10.2.8
PAN-235628
Fixed an issue where you weren’t prompted for login credentials when you disconnected and connected back to the GlobalProtect portal when SAML authentication was selected along with single sign-on (SSO) and Single Log Out (SLO).
Addressed
10.2.8
PAN-235557
Fixed an issue where uploads from tunnels, including GlobalProtect, were slower than expected when the inner and outer sessions were on different dataplanes.
Addressed
10.2.8
PAN-234852
Fixed an issue where DLP logs for the Salesforce application had a report ID of 0 and did not include missing information such as file type, file hash, and the reason for data filtering.
Addressed
10.2.8
PAN-234279
Fixed an issue where the ikemgr process crashed due to an IKEv1 timing issue, which caused commits to fail with the following error message: Client ikemgr requesting last config in the middle of a commit/validate, aborting current commit .
Addressed
10.2.8
PAN-233954
Fixed an issue where the firewall was unable to retrieve correct groups from the LDAP server.
Addressed
10.2.8
PAN-233207
Fixed an issue where the configd process stopped responding when a partial configuration revert operation was performed.
Addressed
10.2.8
PAN-233191
( PA-5450 firewalls only ) Fixed an issue where the Data Processing Card (DPC) restarted due to path monitor failure after QSFP28 disconnected from the Network Processing Card (NPC).
Addressed
10.2.8
PAN-232377
Fixed an issue where the AddrObjRefresh job failed when the useridd process restarted.
Addressed
10.2.8
PAN-232358
( PA-5450 firewalls only ) Fixed an issue where the interface on QSFP28 ports did not go down when the Tx cable was removed from the QSFP28 module.
Addressed
10.2.8
PAN-232250
Fixed an issue where, when SSH service profiles for management access was set to None , the reported output was incorrect.
Addressed
10.2.8
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
10.2.8
PAN-231698
Fixed an issue where you were unable to set the Dynamic Updates schedule threshold to an empty value.
Addressed
10.2.8
PAN-231658
Fixed an issue where DNS resolution failed when interfaces were configured as DHCP and a DNS server was provided via DHCP while also statically configured with DNS servers.
Addressed
10.2.8
PAN-231552
Fixed an issue where traffic returning from a third-party Security chain was dropped.
Addressed
10.2.8
PAN-231459
( PA-5450 firewalls only ) Fixed an issue where a large number of invalid source MAC addresses were shown in drop-stage packet captures.
Addressed
10.2.8
PAN-231422
Fixed an issue where you were unable to configure more than 256 scheduled objects on the firewall.
Addressed
10.2.8
PAN-231329
Fixed an issue where the logrcvr process stopped responding due to a corrupt log in the forwarding pipeline.
Addressed
10.2.8
PAN-230813
Fixed an issue where flex memory leak caused decryption failure and commit failure with the error message Error preparing global objects failed to handle CONFIG_UPDATE_START .
Addressed
10.2.8
PAN-230656
( Firewalls in HA configurations only ) Fixed an issue where a split brain condition occurred on both firewalls after booting up any firewall, and an HA switchover occurred after booting up a firewall with a higher HA priority even when no preemptive option was enabled on the firewall.
Addressed
10.2.8
PAN-230377
Fixed an issue where FEC support was not enabled by default for PAN-SFP28-25GBASE-LR modules.
Addressed
10.2.8
PAN-230362
Fixed an issue where the firewall truncated the payload of a TCP Out of Order segment with a FIN flag.
Addressed
10.2.8
PAN-230359
Fixed an issue where SAML authentication failed with the error message Failed to verify signature against certificate when ds:KeyName was in the IdP metadata.
Addressed
10.2.8
PAN-230106
Fixed an issue where the firewall was unable to retrieve the most current external dynamic list information from the server due to hostname resolution failure.
Addressed
10.2.8
PAN-230092
Fixed an issue where the routed process stopped responding when committing routing-related changes if Advanced Routing was enabled.
Addressed
10.2.8
PAN-230039
Fixed an issue where migrating from an Enterprise License Agreement (ELA) to a Flexible VM-Series License failed with a deactivation error message.
Addressed
10.2.8
PAN-229952
Fixed an issue where the the print PDF option did not work ( Panorama > Managed Devices > Health ).
Addressed
10.2.8
PAN-229315
Fixed an issue where Octets in NetFlow records were always reported to be 0 despite having a non-zero packet count.
Addressed
10.2.8
PAN-229307
Fixed an issue where half closed SSL decryption sessions stayed active, which caused software packet buffer depletion.
Addressed
10.2.8
PAN-229080
Fixed an issue where the new management IP address on the interface did not take effect.
Addressed
10.2.8
PAN-229069
Fixed an issue where clientless VPN portal users were unable to access clientless applications due to an SSL renegotiation being triggered.
Addressed
10.2.8
PAN-228820
A CLI command was added to address an issue where long-lived sessions aged out even when there was ongoing traffic.
Addressed
10.2.8
PAN-228442
Fixed an issue on firewalls in active/passive HA configurations where sessions did not fail over from the active firewall to the passive firewall when upgrading PAN-OS.
Addressed
10.2.8
PAN-228342
Fixed an issue where objects in the running configuration appeared to be deleted under the push scope preview.
Addressed
10.2.8
PAN-228323
Fixed an issue where a large number of Panorama management server cookies were created in the Redis database when the Cloud-Service plugin sent an authentication request every second, and logging in to or using Panorama was slower than expected.
Addressed
10.2.8
PAN-228277
Fixed an issue where commits took longer than expected.
Addressed
10.2.8
PAN-228273
( Panorama appliances in FIPS-CC mode only ) Fixed an issue where the Elasticsearch cluster did not come up, and the show log-collector-es-cluster health CLI command displayed the status as red. This caused log ingestion issues for Panorama appliances in Panorama mode or Log Collector mode.
Addressed
10.2.8
PAN-227804
Fixed an issue where memory corruption caused the comm process to stop responding.
Addressed
10.2.8
PAN-227774
Fixed an issue where commits failed with the error message Management server failed to send phase 1 to client logrcvr .
Addressed
10.2.8
PAN-227641
Fixed an issue where Preview Changes and Change Summary when saving changes did not open a new window when clicked.
Addressed
10.2.8
PAN-227522
Fixed an issue where shared application filters that had application object overrides were overwritten by predefined applications.
Addressed
10.2.8
PAN-227397
Fixed an issue where selective pushes on Panorama removed a previously pushed configuration from the firewalls.
Addressed
10.2.8
PAN-227233
Fixed an issue where the combination signature aggregation criteria in a Vulnerability Protection profile was incorrectly blank even though a value was set.
Addressed
10.2.8
PAN-227058
Fixed an issue where traffic did not match Security policy rules with the destination as FQDN and instead hit the default deny rule.
Addressed
10.2.8
PAN-226935
Fixed an issue where autocommits failed due to duplicate application name entries.
Addressed
10.2.8
PAN-226860
Fixed an issue where macOS X-Auth clients disconnected prematurely from the GlobalProtect gateway during a Phase 2 re-key event.
Addressed
10.2.8
PAN-226768
Fixed an issue where, when the GlobalProtect app was installed on iOS endpoints and the gateway was configured to accept cookies, the app remained in the Connecting stage after authentication, and the GlobalProtect log displayed the error message `User is not in allow list`. This occurred when the app was restarted or when the app attempted to reconnect after disconnection.
Addressed
10.2.8
PAN-226769
Fixed an issue where ElasticSearch used more memory than expected.
Addressed
10.2.8
PAN-226489
Fixed an issue where Panorama was unable to push scheduled Dynamic Updates to firewalls with the error message Failed to add deploy job. Too many (30) deploy jobs pending for device .
Addressed
10.2.8
PAN-226418
A CLI command was added to address an issue where long-lived sessions aged out even when there was ongoing traffic.
Addressed
10.2.8
PAN-226260
Fixed an issue where support for CBC ciphers with some authentication algorithms was only available in FIPS mode.
Addressed
10.2.8
PAN-225920
Fixed an issue where duplicate predict sessions did not release NAT resources.
Addressed
10.2.8
PAN-225228
Fixed an issue where filtering Threat logs using any value under THREAT ID/NAME displayed the error Invalid term .
Addressed
10.2.8
PAN-225169
Added a CLI command to view Strata Logging Service queue usage.
Addressed
10.2.8
PAN-225110
Fixed an issue with firewalls in HA configurations where HA configuration syncs did not complete or logging data was missing until firewall processes were manually restarted or the firewalls were rebooted.
Addressed
10.2.8
PAN-225094
Fixed an issue where performing a commit operation failed and the following error message was displayed: failed to handle CUSTOM_UPDATE .
Addressed
10.2.8
PAN-225082
Fixed an issue where GlobalProtect quarantine-delete logs were incorrectly shown on passive firewalls.
Addressed
10.2.8
PAN-225013
( PA-5450 firewalls only ) Fixed an issue where the firewall rebooted unexpectedly when a Network Card was on Slot 2 instead of a DPC.
Addressed
10.2.8
PAN-224955
Fixed an issue where the devsrvr process stopped responding when zone protection had more than 255 profiles.
Addressed
10.2.8
PAN-224772
Fixed a high memory usage issue with the mongodb process that caused an OOM condition.
Addressed
10.2.8
PAN-224656
Fixed an issue where the devsrvr process caused delays when Dynamic Address Groups with large entry lists were being processed during a commit, which caused commits to take longer than expected.
Addressed
10.2.8
PAN-224405
Fixed an issue where the distributord process repeatedly stopped responding.
Addressed
10.2.8
PAN-224354
Fixed an issue where a memory leak related to the distributord process occurred when connections flapped for IP address-to-username mapping redistribution.
Addressed
10.2.8
PAN-224036
( PA-5450 firewalls only ) Fixed an issue where a firewall with QoS configured wasn't able to send packets out of its interfaces after a reboot.
Addressed
10.2.8
PAN-223855
Fixed an issue where the show running ippool CLI command output displayed incorrect used and available NAT IP address pools on DIPP NAT policy rules in multidataplane firewalls.
Addressed
10.2.8
PAN-223852
Fixed an issue where all_pktproc stopped responding when network packet broker or decryption broker chains failed.
Addressed
10.2.8
PAN-223741
Fixed an issue where the mprelay process stopped responding, which caused a slot restart when another slot rebooted.
Addressed
10.2.8
PAN-223481
( PA-5450 firewalls only ) Fixed an issue where the all_pktproc process stopped responding when the firewall was on PAN-OS 10.1.9-h3 or a later release.
Addressed
10.2.8
PAN-223457
Fixed an issue where, if the number of group queries exceeded the Okta rate limit threshold, the firewall cleared the cache for the groups.
Addressed
10.2.8
PAN-223271
Fixed an issue where the file transfer of large zipped and compressed files had the App-ID unknown-tcp .
Addressed
10.2.8
PAN-223263
Fixed an issue on the web interface where the system clock for Mexico_city was displayed in CDT instead of CST on the management dashboard.
Addressed
10.2.8
PAN-223259
Fixed an issue where selective pushes failed with the error Failed to generate selective push configuration. Unable to retrieve last in-sync configuration for the device, either a push was never done or version is too old. Please try a full push .
Addressed
10.2.8
PAN-223094
Fixed an issue where fragmented TCP traffic was dropped due to an IP address ID conflict over the SD-WAN tunnel.
Addressed
10.2.8
PAN-222941
Fixed an issue where viewing the latest logs took longer than expected due to log indexer failures.
Addressed
10.2.8
PAN-222533
( VM-Series firewalls on Microsoft Azure and Amazon Web Services (AWS) environments ) Added support for HA link monitoring and path monitoring.
Addressed
10.2.8
PAN-222500
Fixed an issue where an old configuration unexpectedly merged during a push from Panorama.
Addressed
10.2.8
PAN-222418
Fixed an issue where the firewall intermittently recorded a reconnection message to the authentication server as an error, even if no disconnection occurred.
Addressed
10.2.8
PAN-222253
Fixed an issue on Panorama where policy rulebase reordering under View Rulebase by Groups ( Policy <policy-rulebase> ) did not persist if you reordered the policy rulebase by dragging and dropping individual policy rules and then moved the entire tag group.
Addressed
10.2.8
PAN-222089
Fixed an issue where you were unable to context switch from Panorama to the managed device.
Addressed
10.2.8
PAN-221938
Fixed an issue with network packet broker sessions where the broker session and primary session timeouts were out of sync, which caused traffic drops if the broker session timed out when the primary session was still active.
Addressed
10.2.8
PAN-221857
Fixed an issue where users were unable to log in to the GlobalProtect app using SAML authentication after upgrading to PAN-OS 10.2.3-h4, and the GlobalProtect logs displayed the following error message: Username from SAML SSO response is different from the input .
Addressed
10.2.8
PAN-221763
Fixed an issue on the web interface where text overlapped when editing address and prefix values using Firefox.
Addressed
10.2.8
PAN-221577
Fixed an issue where a static route for a branch or hub over the respective virtual interface wasn't installed in the routing table even when the tunnel to the branch or hub was active.
Addressed
10.2.8
PAN-221316
Fixed an issue where the useridd process memory consumption increased significantly, which caused the process to stop responding and the device to restart.
Addressed
10.2.8
PAN-221208
Fixed an issue where the tunnel monitor was unable to remain up when zone protection with Strict IP was enabled and NAT Traversal was applied.
Addressed
10.2.8
PAN-221003
Fixed an issue where you were unable to uncheck firewalls in HA configurations from the device group when Group HA Peers was enabled.
Addressed
10.2.8
PAN-220790
Fixed an issue where the reportd process stopped responding, which caused Panorama to restart.
Addressed
10.2.8
PAN-220659
Fixed an issue on the firewall where scheduled antivirus updates failed when external dynamic lists were configured on the firewall.
Addressed
10.2.8
PAN-220640
( PA-220 firewalls only ) Fixed an issue where the firewall CPU percentage was miscalculated, and the values that were displayed were incorrect.
Addressed
10.2.8
PAN-220180
Fixed an issue where configured botnet reports ( Monitor > Botnet ) weren’t generated.
Addressed
10.2.8
PAN-219813
Fixed an issue where the configuration log displayed incorrect information after a multi-device group Validate-all operation.
Addressed
10.2.8
PAN-219768
Fixed an issue where you were unable to filter data filtering logs with Threat ID/NAME for custom data patterns created over Panorama.
Addressed
10.2.8
PAN-219644
Fixed an issue where firewalls that forwarded logs to a syslog server over TLS ( Objects > Log Forwarding ) used the default Palo Alto Networks certificate instead of the configured custom certificate.
Addressed
10.2.8
PAN-219585
Fixed an issue where enabling syslog-ng debugs from the root caused 100% disk utilization.
Addressed
10.2.8
PAN-219415
Fixed an issue where BGP routes were installed in the routing table even when the option to install routes was disabled in the configuration.
Addressed
10.2.8
PAN-219300
Fixed an issue where the task manager displayed only limited data.
Addressed
10.2.8
PAN-219260
( M-Series appliances only ) Fixed an issue where the management interface flapped due to low memory reserved for kernel space.
Addressed
10.2.8
PAN-219241
Fixed an issue where web content for a failed SAML login had readability and functionality issues for the GlobalProtect app.
Addressed
10.2.8
PAN-219137
( CN-Series firewalls only ) Fixed an issue where firewalls did not upload files to the WildFire public cloud.
Addressed
10.2.8
PAN-218928
Fixed an issue where the reportd process stopped responding after querying logs or generating ACC reports with some filters.
Addressed
10.2.8
PAN-218671
Fixed an issue on Panorama where commits failed after downgrading the SD-WAN plugin.
Addressed
10.2.8
PAN-218663 and PAN-181876
A fix was made to address CVE-2024-2433 .
Addressed
10.2.8
PAN-218611
Fixed an issue where the device telemetry region wasn't updated on the firewall when pushed from the Panorama template stack.
Addressed
10.2.8
PAN-218555
Fixed an issue where the firewall did not receive dynamic address updates pushed from Panorama during initial registration to Panorama.
Addressed
10.2.8
PAN-218352
Fixed an issue where Panorama was slower than expected when WildFire deployment was scheduled every minute to a large number of devices.
Addressed
10.2.8
PAN-218331
Fixed an issue where you were unable to export or download packet captures from the firewall when context switching from Panorama.
Addressed
10.2.8
PAN-218273
Fixed an issue where TCP keepalive packets from the client to the server weren't forwarded when SSL decryption was enabled.
Addressed
10.2.8
PAN-218238
Fixed an issue where you were unable to create a file exception ( Monitor > Threat Log > Detailed Log view > Create Exception ), and the following error message was displayed: no antivirus profile corresponding to threat log .
Addressed
10.2.8
PAN-218119
Fixed an issue where the firewall transmitted packets with an incorrect source MAC address during commit operations.
Addressed
10.2.8
PAN-217831
Fixed an issue memory leak issue related to the logd process that occurred due to a sysd object not being released.
Addressed
10.2.8
PAN-217728
Fixed an issue where uploading a certificate in a manual configuration option for SafenetHSM failed.
Addressed
10.2.8
PAN-217674
Fixed an issue where RADIUS authentication failed when the destination route of the service route was configured with an IPv4 address with more than 14 characters.
Addressed
10.2.8
PAN-217541
Fixed an issue where the useridd process stopped responding after a restart when HIP redistribution was enabled.
Addressed
10.2.8
PAN-217510
Fixed an issue where inbound DHCP packets received by a DHCP client interface that weren’t addressed to itself were silently dropped instead of forwarded.
Addressed
10.2.8
PAN-217493
Fixed an issue where superusers with read-only privileges were unable to view SCEP object configurations.
Addressed
10.2.8
PAN-217280
Fixed an issue where, when Advanced Routing was enabled, the routed process stopped responding during booting up.
Addressed
10.2.8
PAN-217272
Fixed an issue where the DNS proxy log included an excessive number of the following error message: Warning: pan_dnsproxy_log_resolve_fail: Failed to resolve domain name ** AAAA after trying all attempts to name servers
Addressed
10.2.8
PAN-217241
Fixed an issue where predict session conversion failed for RTP and RTCP traffic.
Addressed
10.2.8
PAN-217064
Fixed an issue where commits took longer than expected when the DLP plugin was configured.
Addressed
10.2.8
PAN-217024
Fixed an issue where fetching device certificates failed for internal DNS servers with the error message ERROR Error: Could not resolve host: certificate.paloaltonetworks.com .
Addressed
10.2.8
PAN-216647
Fixed an issue where the sysd node was updated at incorrect times.
Addressed
10.2.8
PAN-216214
( Panorama managed firewalls in active/active HA configurations only ) Fixed an issue where the HA status displayed as Out of Sync ( Panorama > Managed Devices > Health ) if local firewall configurations were made on one of the HA peers. This caused the next HA configuration sync to overwrite the local firewall configuration made on the HA peer.
Addressed
10.2.8
PAN-216101
Fixed an issue where a memory leak related to a process and LLDP packet processing caused an OOM condition on the firewall.
Addressed
10.2.8
PAN-215857
Fixed an issue where the option to reboot the entire firewall was visible to vsys admins.
Addressed
10.2.8
PAN-215583
Fixed an issue on firewalls in HA configurations where the primary firewall went into a non-functional state due to a timeout in the pan_comm logs during the policy-based forwarding (PBF) parse, which caused an HA failover.
Addressed
10.2.8
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
10.2.8
PAN-215436
Fixed an issue with the web interface where the latest logs took longer than expected to display under Monitor .
Addressed
10.2.8
PAN-215082
( M-300 and M-700 appliances only ) Fixed an issue where Panorama generated erroneous system logs ( Monitor Logs System ) to alert that the appliance memory usage limit was reached.
Addressed
10.2.8
PAN-214987
Fixed an issue where Application Filter names weren’t random, and they matched or included internal protocol names.
Addressed
10.2.8
PAN-214942
Fixed an issue where SD-WAN UDP traffic failed over to a non-member path after a flap of an SD-WAN virtual interface.
Addressed
10.2.8
PAN-214847
Fixed an issue where, when certificate authentication for admin user authentication was enabled, vulnerability scans that used usernames or passwords against the management interface reported a vulnerability due to a missing HSTS header in the Access Denied response page.
Addressed
10.2.8
PAN-214773
Fixed an issue where RTP packets traversing intervsys were dropped on the outgoing vsys.
Addressed
10.2.8
PAN-214558
Fixed an issue where overriding a Layer2/vwire subinterface on Panorama caused other subinterfaces to disappear.
Addressed
10.2.8
PAN-214336
Fixed an issue where ICMPv6 unreachable messages were sent with an unspecified source address ( :: ) for VLAN interfaces.
Addressed
10.2.8
PAN-213956
Fixed an issue where the firewall interface did not go down even after the peer link/switch port went down.
Addressed
10.2.8
PAN-213918
Fixed an issue where mlav-test-pe-file.exe was not detected by WildFire Inline ML.
Addressed
10.2.8
PAN-213491
Fixed an issue where the management CPU was high, which caused the web interface to be slower than expected.
Addressed
10.2.8
PAN-213173
Fixed an issue where Preview Changes under Scheduled Pushes did not launch the Change Preview window.
Addressed
10.2.8
PAN-213112
Fixed an issue where executing the show report directory-listing CLI command resulted in no output after upgrading to a PAN-OS 10.1 release.
Addressed
10.2.8
PAN-213103
Fixed an issue where Clientless VPN access failed with the error message temporarily unavailable when accessing the Clientless VPN bookmarked application from the identity provider application portal.
Addressed
10.2.8
PAN-212932
Fixed an issue where the firewall went into a restart loop with the following error message: failed to get mgt settings candidate: configured traffic quota of 0 MB is less than the minimum 32 MB .
Addressed
10.2.8
PAN-212877
Fixed an issue where a race condition caused log flooding, which caused the firewall to go into an unresponsive state.
Addressed
10.2.8
PAN-212770
Fixed an issue on the firewall where the WildFire file size limit value did not match on the web interface and the CLI.
Addressed
10.2.8
PAN-212580
( PA-7050 firewalls only ) Fixed an issue where disk space filled up due to files under /opt/var/s8/lp/log/pan/ not being properly deleted.
Addressed
10.2.8
PAN-211945
Fixed an issue where URL Filtering system logs showed the error message CURL ERROR: bind failed with errno 124: Address family not supported by protocol even though the PAN-DB cloud was connected.
Addressed
10.2.8
PAN-211827
Fixed an issue where Dynamic Updates failed with the following error message: CONFIG_UPDATE_INC: Incremental update to DP failed please try to commit force the latest config .
Addressed
10.2.8
PAN-211821
Fixed an issue on firewalls in HA configurations where committing changes after disabling the QoS feature on multiple Aggregate Ethernet (AE) interfaces caused the dataplane to go down.
Addressed
10.2.8
PAN-211384
Fixed an issue where the size of the redisthost_1 in the Redis database continuously increased, which caused an OOM condition.
Addressed
10.2.8
PAN-210234
Fixed a REST API call to query the template stack configuration did not return the template stack variables or device variables.
Addressed
10.2.8
PAN-208438
Fixed an issue on Panorama where Security policy rules incorrectly displayed as disabled.
Addressed
10.2.8
PAN-208395
Fixed an issue where user authentication failed in multi-vsys environments with the error message User is not in allowlist when an authentication profile was created in a shared configuration space.
Addressed
10.2.8
PAN-208085
Fixed an issue where the BFD peers were deleted during a commit from Panorama. This occurred because the pan_comm thread became deadlocked due to the same sysd object was handled during the commit.
Addressed
10.2.8
PAN-207577
Fixed an issue where Panorama > Setup > Interfaces wasn't accessible for users with custom admin roles even when the interface option was selected for the custom admin roles.
Addressed
10.2.8
PAN-207003
Fixed an issue where the logrcvr process NetFlow buffer wasn't reset which resulted in duplicate NetFlow records.
Addressed
10.2.8
PAN-206325
Fixed an issue where a renamed object was still referenced with the previous name in a Security policy rule, which caused commit failures when using edit API to create the rule.
Addressed
10.2.8
PAN-206041
( PA-7050 firewalls only ) Fixed an issue where the ikemgr process stopped responding.
Addressed
10.2.8
PAN-204808
( PA-400 Series, PA-1400 Series, PA-3400 Series, and PA-5400 Series firewalls only ) Fixed an issue where executing the CLI command show running resource-monitor ingress-backlogs displayed the error message Server error : Dataplane is not up or invalid target-dp(*.dp*)
Addressed
10.2.8
PAN-204663
Fixed an issue on Panorama where you were unable to context switch from one managed firewall to another.
Addressed
10.2.8
PAN-202008
Fixed an issue where Traffic logs exported to CSV files contained inaccuracies and weren’t complete.
Addressed
10.2.8
PAN-201269
Fixed an issue where commits failed with the error message IPv6 addresses are not allowed because IPv6-firewalling is disabled when Security policy rules had an address group with more than 1000 FQDN address objects.
Addressed
10.2.8
PAN-198190
( VM-Series firewalls only ) Fixed an issue where the MTU on the management interface couldn’t be configured to a value greater than 1500.
Addressed
10.2.8
PAN-197189
Fixed an issue where the RST packet wasn't sent to the client when decrypted HTTP/2 traffic was detected by custom vulnerability signatures with action reset-both.
Addressed
10.2.8
PAN-196146
( VM-Series firewalls only ) Fixed an issue where hostname validation failed due to the firewall not taking the hostname provided in init.cfg .
Addressed
10.2.8
PAN-193484
Fixed an issue where DNS failed if the domain name started with a period.
Addressed
10.2.8
PAN-192318
Fixed an issue where executing the CLI command show rule-hit-count device-group displayed the error message Server error : show rule hit count op-command failed .
Addressed
10.2.8
PAN-186957
Fixed an issue where, in SAML Metadata Export , a drop-down did not appear in the input field when IP or Hostname was selected for Type .
Addressed
10.2.8
PAN-185286
( PA-5400 Series firewalls only ) Fixed an issue on Panorama where device health resources did not populate.
Addressed
10.2.8
PAN-181706
Fixed an issue where the logrcvr process stopped responding after upgrading to PAN-OS 10.1.
Addressed
10.2.8
PAN-179952
Fixed an issue on Panorama where not all categories were displayed under Log settings .
Addressed
10.2.8
PAN-179260
Fixed an issue where admins and other superusers were unable to remove a commit lock that was taken by another admin user with the format <domain/user>. As a result, deleting the commit lock failed.
Addressed
10.2.8
PAN-175642
Fixed an issue where system logs to alert for support license expiry weren’t generated.
Addressed
10.2.8
PAN-98605
Fixed an issue where audit comments did not appear in the audit comments archive.
Known
10.2.9
WF500-5854
The WildFire analysis report on the firewall log viewer ( Monitoring WildFire Submissions ) does not display the following data fields: File Type, SHA-256, MD-5, and File Size".
Workaround : Download and open the WildFire analysis report in the PDF format using the link in the upper right-hand corner of the Detailed Log View .
Known
10.2.9
WF500-5843
In a WildFire appliance cluster, issuing the show cluster-all peers CLI command when a node within the cluster is being rebooted generates the following error: Server error : An error occured.
Known
10.2.9
WF500-5840
The sample analysis statistics that are returned when issuing the show wildfire local statistics CLI command in WildFire appliance cluster deployments may not accurately reflect the number of samples that have been processed.
Known
10.2.9
WF500-5823
The following WildFire appliance CLI command does not return a signature generation status as expected: show wildfire global signature-status . This does not corrupt or otherwise prevent the WildFire appliance from analyzing a sample.
Known
10.2.9
WF500-5781
The WildFire appliance might erroneously generate and log the following device certification error: Device certificate is missing or invalid. It cannot be renewed.
Known
10.2.9
WF500-5754
In WildFire appliance clusters, issuing the show cluster controller CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6).
Known
10.2.9
WF500-5632
The number of registered WildFire appliances reported in Panorama ( Panorama Managed WildFire Appliances Firewalls Connected View ) does not accurately reflect the current status of connected WildFire appliances.
Known
10.2.9
PAN-262287
This issue is now resolved. See PAN-OS 10.2.9-h14 Addressed Issues .
Dereferencing a NULL pointer that occurs might cause pan_task processes to crash.
Known
10.2.9
PAN-263226 ( PAN-OS 10.2.9-h9 only )
When SSL decryption is enabled and Client Hello messages span multiple TCP segments, elements from the proxy_l2info memory pool may not be freed properly. Memory leaks in this pool cause some SSL decryption sessions to fail.
Workaround: Disable Client Hello accumulation using the debug dataplane set ssl-decrypt accumulate-client-hello disable yes CLI command.
Known
10.2.9
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.2.9
PAN-259769
GlobalProtect portal is not accessible via a web browser and the app displays the error ERR_EMPTY_RESPONSE .
Known
10.2.9
PAN-251895
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues .
When Inline Cloud Analysis features are enabled, the firewall experiences a slow packet buffer leak, resulting in poor performance and dropped traffic.
Workaround: Disable WildFire Inline Cloud Analysis and Advanced Threat Prevention Inline Cloud Analysis on the firewall.
Known
10.2.9
PAN-251639
This issue is now resolved. See. PAN-OS 10.2.9-h9 Addressed Issues .
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues .
An out of memory condition might occur due to a memory leak in the varrcvr process when a Wildfire Analysis security profile is enabled.
Known
10.2.9
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
10.2.9
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.2.9
PAN-229865
Upgrading a PA-220 firewall running a PAN-OS 10.1 release fails when the target PAN-OS upgrade version is PAN-OS 10.2.5.
Workaround: On your upgrade path to PAN-OS 10.2.5, first upgrade to PAN-OS 10.2.4 and then upgrade to PAN-OS 10.2.5.
Known
10.2.9
PAN-226361
This issue is now resolved. See PAN-OS 10.2.9-h14 Addressed Issues .
Sessions might end unexpectedly with the error resources-unavailable when the firewall incorrectly interprets the Content and Threat Detection (CTD) global packet queue as being full.
Known
10.2.9
PAN-223677
( PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420, and PA-5430 firewalls ) By enabling Lockless QoS feature, a slight degradation in App-ID and Threat performance is expected.
Known
10.2.9
PAN-222586
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings ( Device Log Settings ) are not displayed and cannot be configured.
Known
10.2.9
PAN-221775
A Malformed Request error is displayed when you Test Connection for an email server profile ( Device Server Profiles Email ) using SMTP over TLS and the Password includes an ampersand (&).
Known
10.2.9
PAN-217307
This issue is now resolved. See PAN-OS 10.2.11 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.2.9
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.2.9
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list ( Monitor Block IP ):
show -> dis-block-table is unexpected
Known
10.2.9
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor ( Monitor App Scope Threat Monitor ) and ACC . This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.2.9
PAN-212533
Modifying the Administrator Type for an existing administrator ( Device Administrators or Panorama Administrators ) from Superuser to a Role-Based custom admin, or vice versa, does not modify the access privileges of the administrator.
Known
10.2.9
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile ( Panorama Admin Roles ).
Known
10.2.9
PAN-209288
Certificates are not successfully generated using SCEP ( Device Certificate Management SCEP ).
Known
10.2.9
PAN-208622
A file upload to Box.com exceeding 6 files gets stuck and fails to upload if you specify an Enterprise DLP data filtering profile ( Objects DLP Data Filtering Profiles with the Action set to Block to a Security policy rule ( Policies Security ).
Known
10.2.9
PAN-204689
Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App Allow with Passcode
  • Allow user to Disable GlobalProtect App Allow with Passcode
  • Allow User to Uninstall GlobalProtect App Allow with Password
Known
10.2.9
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.2.9
PAN-196504
License deactivation fails for VM-Series firewalls licensed using PA-VM Bundle 3 (BND3).
Known
10.2.9
PAN-194996
When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, allocating bandwidth for a remote network deployment fails (the OK button is grayed out).
Workaround : Retry the operation.
Known
10.2.9
PAN-194519
( PA-5450 firewall only ) Trying to configure a custom payload format under Device Server Profiles HTTP yields a Javascript error.
Known
10.2.9
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.2.9
PAN-194424
( PA-5450 firewall only ) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround: Restart the log receiver service by running the following CLI command: 
debug software restart process log-receiver
Known
10.2.9
PAN-194202
( PA-5450 firewall only ) If the management interface and logging interface are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.2.9
PAN-190727
( PA-5450 firewall only ) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.2.9
PAN-189111
After deleting an MP pod and it comes up, the show routing command output appears empty and traffic stops working.
Known
10.2.9
PAN-189076
On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain.
Known
10.2.9
PAN-188358
After triggering a soft reboot on a M-700 appliance, the Management port LEDs do not light up when a 10G Ethernet cable is plugged in.
Known
10.2.9
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.2.9
PAN-187643
If you enable SCTP security using a Panorama template when SCTP INIT Flood Protection is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the SCTP INIT option is not available in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make the SCIT INIT option available on the web interface.
Known
10.2.9
PAN-187612
On the Panorama management server, not all data profiles ( Objects DLP Data Filtering Profiles ) are displayed after you:
  • Upgrade Panorama to PAN-OS 10.2 and upgrade the Enterprise DLP plugin to version 3.0.
  • Downgrade Panorama to PAN-OS 10.1 and downgrade the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP plugin.
admin > request plugins dlp reset
Known
10.2.9
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
10.2.9
PAN-187370
On a firewall with Advanced Routing enabled, if there is also a logical router instance that uses the default configuration and has no interfaces assigned to it, this will result in terminating the management daemon and main routing daemon in the firewall during commit.
Workaround : Do not use a logical router instance with no interfaces bound to it.
Known
10.2.9
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround : Use Commit Push to Devices to synchronize the templates.
Known
10.2.9
PAN-186282
On HA deployments on AWS and Azure, Panorama fails to populate match criteria automatically when adding dynamic address groups.
Workaround: Reboot the Panorama HA pair.
Known
10.2.9
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
10.2.9
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
10.2.9
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
10.2.9
PAN-181823
On a PA-5400 Series firewall (minus the PA-5450), setting the peer port to forced 10M or 100M speed causes any multi-gigabit RJ-45 ports on the firewall to go down if they are set to Auto.
Known
10.2.9
PAN-180661
On the Panorama management server, pushing an unsupported Minimum Password Complexity ( Device Setup Management ) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.2.9
PAN-180104
When upgrading a CN-Series as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT pod if the Kubernetes cluster previously had a CN-Series as a DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround : Reboot the worker nodes before upgrading to PAN-OS 10.2.
Known
10.2.9
PAN-178194
A user interface issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.2.9
PAN-177455
PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.2.9
PAN-175915
When the firewall is deployed on N3 and N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile Network Protection Profile, the traffic logs do not display network slice SST and SD values.
Known
10.2.9
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.2.9
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.2.9
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Known
10.2.9
PAN-164885
This issue is now resolved. See PAN-OS 10.2.10 Addressed Issues .
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
10.2.9-h19
PAN-259351
A fix was made to address CVE-2024-3393 .
Addressed
10.2.9-h18
PAN-268727
Fixed an issue where traffic was dropped when the accumulation proxy was enabled and header insertion modified packets.
Addressed
10.2.9-h18
PAN-268314
Fixed an issue where new files were not sent to WildFire. With this fix, the WildFire reserved drive space has been increased for greater session caching capability.
Addressed
10.2.9-h18
PAN-267704
Fixed an issue where the firewall did not send an ICMP error packet to Envoy when the MSS was exceeded.
Addressed
10.2.9-h18
PAN-266427
Fixed an issue on the firewall where, when a high number of SD-WAN branch sites or interfaces were not connected, SD-WAN processes and tund processes stopped responding due to a high probing rate.
Addressed
10.2.9-h18
PAN-265900
Fixed an issue where the firewall stopped responding due to a tund process or SD-WAN process restart.
Addressed
10.2.9-h18
PAN-265742
Fixed an issue on the Panorama web interface where the OK button on the GlobalProtect gateway configuration dialog box was not clickable.
Addressed
10.2.9-h18
PAN-265111
Fixed an issue where fragmented SSL hello packets were reordered when going out of the SC/ZTT towards the datacenter.
Addressed
10.2.9-h18
PAN-264169
( PA-5400 Series firewalls only ) Fixed an issue where the firewall sent correlated event logs to the syslog server using the management interface instead of the log interface.
Addressed
10.2.9-h18
PAN-263973
Fixed an issue where log collectors had a low incoming log rate.
Addressed
10.2.9-h18
PAN-262383
Fixed an issue where the firewall was unable to decompress the HTTP2 header, which caused the session to be classified as unknown-tcp instead of web-browsing.
Addressed
10.2.9-h18
PAN-261673
( VM-Series firewalls on Microsoft Azure environments only ) Fixed an issue where, when Accelerated Networking was enabled, traffic was dropped because of the flow_parse_ip_hdr counter related to an Nvidia driver issue.
Addressed
10.2.9-h18
PAN-260564
Fixed an issue on firewalls in HA configurations where a network loop was detected by switches after suspending HA on the active firewall.
Addressed
10.2.9-h18
PAN-257601
( PA-5450 firewalls only ) Fixed an issue where Networking Cards (NC) experienced an internal link fault which caused path monitoring failure on the Dataplane Processing Card (DPC).
Addressed
10.2.9-h18
PAN-253213
Fixed an issue where the firewall sent HIP notifications every time it received a HIP report instead of every two hours.
Addressed
10.2.9-h18
PAN-252730
Fixed an issue where the Elasticsearch status for a log collector group changed to red or yellow after performing a collector group push.
Addressed
10.2.9-h18
PAN-246699
Fixed an issue on Panorama where the Rule Usage and Apps Seen under Security policy rules stopped incrementing.
Addressed
10.2.9-h18
PAN-246420
( PA-5450 Series firewalls only ) Fixed an issue where the firewall rebooted unexpectedly during an upgrade.
Addressed
10.2.9-h18
PAN-244950 and PAN-221352
A fix was made to address CVE-2024-2550 .
Addressed
10.2.9-h18
PAN-235877
( PA-400 Series firewalls only ) Fixed an issue where the firewall failed to start up after upgrading PAN-OS due to system file corruption.
Addressed
10.2.9-h18
PAN-226184
Fixed an issue where push operations from Panorama were slow due to the rasmgr process taking longer than expected.
Addressed
10.2.9-h18
PAN-224833
Fixed an issue where the firewall dropped DHCPv6 relay packets if there were duplicate link-local addresses on different subinterfaces.
Addressed
10.2.9-h18
PAN-216941
( Panorama appliances in Log Collector mode only ) Fixed an issue where Panorama stopped processing and saving logs.
Addressed
10.2.9-h16
PAN-272809
A fix was made to address CVE-2024-0012 ( PAN-SA-2024-0015 ) and CVE-2024-9474 .
Addressed
10.2.9-h16
PAN-268314
Fixed an issue where new files were not sent to WildFire. With this fix, the WildFire reserved drive space has been increased for greater session caching capability.
Addressed
10.2.9-h16
PAN-268002
Fixed an issue where URL filtering response pages were not displayed for sites that were blocked as a result of SSL/TLS handshake inspection.
Addressed
10.2.9-h16
PAN-267535
Fixed an issue on the firewall where DPDK allocated twice the amount of memory as requested for pre-allocation.
Addressed
10.2.9-h16
PAN-257736
( PA-5450 firewalls only ) Fixed an issue where traffic to benign applications was was impacted by holding TCP sequential segments for MLC inspection and not releasing the full chain after a benign verdict was received.
Addressed
10.2.9-h16
PAN-252036
Fixed an issue where, when the GlobalProtect portal was not configured, accessing the GlobalProtect gateway still loaded a portal malformed page.
Addressed
10.2.9-h16
PAN-250787
Fixed an issue where network issues between the firewall and the log collector caused logrcvr process memory exhaustion.
Addressed
10.2.9-h16
PAN-250394
Fixed an issue where a large amount of group data caused serialization errors and prevented synchronization.
Addressed
10.2.9-h16
PAN-240251
Fixed an issue where the vldmgr process incorrectly restarted during an Elasticsearch restart.
Addressed
10.2.9-h16
PAN-237010
Fixed an issue on Panorama where local commits took longer than expected after an upgrade.
Addressed
10.2.9-h16
PAN-229686
Fixed an issue where eBGP remained in an idle state after disabling and enabling BGP configurations.
Addressed
10.2.9-h16
PAN-226361
an issue where sessions bypassed L7 inspection or ended unexpectedly with the error resources unavailable when the firewall incorrectly interpreted the Content and Threat Detection (CTD) global packet queue as being full.
Addressed
10.2.9-h16
PAN-193285
Fixed an issue where the policy optimizer feature did not add entries back to the mongodb database after removing them during an upgrade or downgrade.
Addressed
10.2.9-h14
PAN-264871
Fixed an issue on Panorama where the configd process stopped responding when viewing IP addresses on dynamic address groups with a large number of IP addresses.
Addressed
10.2.9-h14
PAN-263226
Fixed an issue where decryption based traffic failed on Explicit Proxy nodes.
Addressed
10.2.9-h14
PAN-262340
Fixed an issue where FQDN resolution failed for address objects, and all FQDN traffic was denied by the interzone-default policy rule.
Addressed
10.2.9-h14
PAN-262287
Fixed an issue where dereferencing a NULL pointer that occurred caused pan_task processes to stop responding.
Addressed
10.2.9-h14
PAN-260928
Fixed an issue where GlobalProtect failed to connect when using LDAP authentication with machine certificates with the error message You are not authorized to connect to GlobalProtect portal .
Addressed
10.2.9-h14
PAN-260512
Fixed an issue where accessing the IP address of the device address group objects from the user interface caused the configd process to stop responding.
Addressed
10.2.9-h14
PAN-259769
Fixed an issue where the GlobalProtect portal was not accessible via a web browser and displayed the error ERR_EMPTY_RESPONSE .
Addressed
10.2.9-h14
PAN-259002
Fixed an issue where frequent external dynamic list updates caused the configd process to restart.
Addressed
10.2.9-h14
PAN-256077
Fixed an issue where the GlobalProtect client would disconnect consistently due to keep-alive timeouts when using an SSL-only tunnel.
Addressed
10.2.9-h14
PAN-255619
Fixed an intermittent issue where file downloads from websites failed.
Addressed
10.2.9-h14
PAN-255323
( PA-7050 firewalls only ) Fixed an issue where the Network Processing Card (NPC), Data Processing Card (DPC), and Log forwarding Card (LFC) remained in a starting state after an unexpected power cycle.
Addressed
10.2.9-h14
PAN-252669
Fixed an issue where the ikemgr process stopped responding with a SIGSEGV error.
Addressed
10.2.9-h14
PAN-251929
Fixed an issue where inbound decryption did not work when FIPS self tests were turned on.
Addressed
10.2.9-h14
PAN-250020
Fixed an issue where MLC2 verdict retrieval failed due to a regression in loopback data flag handling.
Addressed
10.2.9-h14
PAN-248130
Fixed an issue where the AND operation under a Dynamic Address Group comparison did not work after upgrading the AWS plugin to 3.0.1.
Addressed
10.2.9-h14
PAN-241044
Fixed an issue where traffic was denied by the interzone-default policy rule when a Security policy rule with an FQDN destination was configured.
Addressed
10.2.9-h14
PAN-236133
Fixed an issue where SSL traffic was impacted when SSL Command and Control detector for Incline Cloud Analysis was set to reset-both , reset-client , reset-server , or drop .
Addressed
10.2.9-h14
PAN-233681
Fixed an issue where the authd process on Prisma Access firewalls stopped responding after receiving the SIGUSR1 signal.
Addressed
10.2.9-h14
PAN-226361
Fixed an issue where sessions bypassed L7 inspection or ended unexpectedly with the error resources unavailable when the firewall incorrectly interpreted the Content and Threat Detection (CTD) global packet queue as being full.
Addressed
10.2.9-h14
PAN-222590
Fixed an issue where a semicolon appeared at the end of file names of data filtering logs.
Addressed
10.2.9-h14
PAN-217198
Fixed an issue where Security policy rules did not display values for FQDN.
Addressed
10.2.9-h11
PAN-263226
Fixed an issue where decryption based traffic failed on Explicit Proxy nodes.
Addressed
10.2.9-h11
PAN-261917
Fixed an issue where websites with a no-decrypt policy rule were decrypted in traffic log when using a Google Chrome browser with PQC enabled
Addressed
10.2.9-h11
PAN-260662
Fixed an issue where large file downloads were slower than expected when private IP address visibility was enabled.
Addressed
10.2.9-h11
PAN-260218
Fixed an issue where BGP Aggregate Advertise filters did not work as expected when the summary option was enabled, and only summarized routes were advertised.
Addressed
10.2.9-h11
PAN-258996
Fixed an issue where the firewall displayed the SFP ports as PowerDown when the SFP transceiver was removed and reinserted or the port was shut down and brought back up on the peer device.
Addressed
10.2.9-h11
PAN-251661
Fixed an issue where a memory overwrite occurred during HTTP/2 header inflation.
Addressed
10.2.9-h11
PAN-251563
Added CPLD enhancement to capture external power issues.
Addressed
10.2.9-h11
PAN-240612
Fixed a kernel panic caused by a third-party issue.
Addressed
10.2.9-h11
PAN-233191
( PA-5450 firewalls only ) Fixed an issue where the Data Processing Card (DPC) restarted due to path monitor failure after QSFP28 disconnected from the Network Processing Card (NPC).
Addressed
10.2.9-h11
PAN-226768
Fixed an issue where, when the GlobalProtect app was installed on iOS endpoints and the gateway was configured to accept cookies, the app remained in the Connecting stage after authentication, and the GlobalProtect log displayed the error message User is not in allow list . This occurred when the app was restarted or when the app attempted to reconnect after disconnection.
Addressed
10.2.9-h9
PAN-259480
Fixed an issue where the varrcvr process stopped responding after running out of memory due to how the process queued and dequeued files for WildFire file forwarding when a WildFire Analysis Security profile was enabled.
Addressed
10.2.9-h9
PAN-259344
Fixed an issue where performing a configuration commit on a firewall locally or from Panorama caused a memory leak related to the configd process and resulted in a out-of-memory (OOM) condition.
Addressed
10.2.9-h9
PAN-258941
Fixed an issue where some URLs were not accessible when connected to Prisma Access explicit proxy.
Addressed
10.2.9-h9
PAN-258442
Fixed an issue where changes made to the split tunnel configuration on the Prisma Access gateway were not reflected on the GlobalProtect client.
Addressed
10.2.9-h9
PAN-257919
Fixed an issue where, when using explicit proxy with SAML authentication, initiating SAML authentication with a non-GET request resulted in a 302 redirect response instead of the expected 200 ok response.
Addressed
10.2.9-h9
PAN-257515
Fixed an issue where Possible Domain Fronting Detection for HTTP/2 generated false positives. With this change, domain fronting is limited to HTTP/1.
Addressed
10.2.9-h9
PAN-257355
Fixed an issue where a false positive HTTP/TLS evasion alert was generated when the domain had DNS load balance.
Addressed
10.2.9-h9
PAN-257197
Fixed an issue where ifType and ifSpeed were not populated in asynchronous mode of SNMP operations.
Addressed
10.2.9-h9
PAN-256181
Fixed an issue where the management interface and front panel port interface statistics were not populated in asynchronous mode of SNMP operations.
Addressed
10.2.9-h9
PAN-254422
Fixed an issue where the firewall required a restart when an SD-WAN policy rule was pushed from Panorama.
Addressed
10.2.9-h9
PAN-254241
Fixed an issue where the firewall stopped responding due to a high number of SD-WAN probes being sent.
Addressed
10.2.9-h9
PAN-252517
Fixed an issue where SNMP failed to respond to multiple Object Identifier (OID) queries in a single SNMP GET request.
Addressed
10.2.9-h9
PAN-252214
A fix was made to address CVE-2024-3400 .
Addressed
10.2.9-h9
PAN-251639
Fixed acn issue where an out-of-memory condition occurred due to a memory leak related to the varrvcr process when a WildFire Analysis security profile was enabled.
Addressed
10.2.9-h9
PAN-251013
Fixed an issue on the web interface where the Virtual Router and Virtual System configurations for the template incorrectly showed as none .
Addressed
10.2.9-h9
PAN-250062
Fixed an issue where device telemetry failed after upgrading due to bundle generation failure.
Addressed
10.2.9-h9
PAN-249814
Fixed an issue where multiple all_task processes stopped responding, which caused the dataplane to fail.
Addressed
10.2.9-h9
PAN-247099
Fixed an issue where the firewall decrypted traffic unexpectedly when the client hello was spread across multiple packets.
Addressed
10.2.9-h9
PAN-246960
Fixed an issue where firewalls failed to fetch content updates from the Wildfire Private Cloud due to an Unsupported protocol error.
Addressed
10.2.9-h9
PAN-245125
( VM-Series firewalls in Microsoft Azure environments only ) Fixed an issue where file descriptors were not closed due to invalid configurations.
Addressed
10.2.9-h9
PAN-244013
Fixed an issue where the web interface did not display newly added Anti-Spyware signatures or Vulnerability Signatures until you refreshed the browser or logged out or in via the web interface.
Addressed
10.2.9-h9
PAN-242309
Fixed an issue where a higher byte count (s2c) was observed for DNS-Base application.
Addressed
10.2.9-h9
PAN-239662
Fixed an issue with firewalls in active/passive high availability (HA) configurations where the NSSA default route from the active firewall was not generated to advertise even though the backbone area default route was advertised during a graceful restart.
Addressed
10.2.9-h9
PAN-239143
Fixed an issue with accessing websites when URL filtering profiles were configured with the block-continue action and the server used HTTP/2.
Addressed
10.2.9-h9
PAN-236909
Fixed an issue where, when you committed the first configuration change after booting up the firewall, the external dynamic list file download failed until the list was refreshed. This occurred when the configuration was pushed with a certificate profile.
Addressed
10.2.9-h9
PAN-231440
Fixed an issue where, when a certificate profile was configured on an external dynamic list object but the profile had been deleted or did not exist, commits silently failed with the error Failed to refresh EDL config instead of showing the correct validation error message
Addressed
10.2.9-h9
PAN-223418
Fixed an issue where heartbeats to the brdagent process were lost, resultng in the process not responding, which caused the firewall to reboot.
Addressed
10.2.9-h9
PAN-164885
Fixed an issue on Panorama where Commit and Push or Push to Devices operations failed when an external dynamic list was configured to check for updates every 5 minutes due to the commit and external dynamic fetch processes overlapping.
Addressed
10.2.9-h1
PAN-252214
A fix was made to address CVE-2024-3400 .
Addressed
10.2.9
PAN-250686
Fixed an issue where selective push operations did not work when more than one admin user simultaneously performed changes and partial commits on Panorama.
Addressed
10.2.9
PAN-247403
( VM-Series firewalls only ) Fixed an issue where the push scope CLI command took longer than expected, which caused the web interface to be slow.
Addressed
10.2.9
PAN-246431
Fixed an issue where a Push to Device operation remained at the state None when performing a selective push to device groups and templates that included both connected and disconnected firewalls.
Addressed
10.2.9
PAN-245701
Fixed an issue where the returned values to SNMP requests for data port statistics were incorrect.
Addressed
10.2.9
PAN-244836
A knob was introduced to toggle the default behavior of BGP in the Advanced Routing stack to not suppress duplicate updates. By default, the prefix updates are suppressed for optimization.
Addressed
10.2.9
PAN-244548
Fixed an issue where ECMP sessions changed destination MAC addresses mid-session, which caused connections to be reset.
Addressed
10.2.9
PAN-244493
Fixed a memory limitation with mapping subinterfaces to VPCE endpoints for GCP IPS, Amazon Web Services (AWS) integration with GWLB, and NSX service chain mapping.
Addressed
10.2.9
PAN-242910
Fixed an issue where a custom based non-Superuser was unable to push to firewalls.
Addressed
10.2.9
PAN-242627
Fixed an issue where selective push did not work.
Addressed
10.2.9
PAN-241018
( VM-Series firewalls in Microsoft Azure environments only ) Fixed a Dataplane Development Kit (DPDK) issue where interfaces remained in a link-down stage after an Azure hot plug event.
Addressed
10.2.9
PAN-240477
Fixed a temporary hardware issue that caused PAN-SFP-PLUS-CU-5M to not be able to link up on PA-5400 Series, PA-3400 Series, and PA-1400 Series firewalls.
Addressed
10.2.9
PAN-240066
Fixed a duplicate MAC address issue where an ethernet interface sent out Gratuitous ARP (GARP) messages for an IP address that was not configured on it.
Addressed
10.2.9
PAN-239722
Fixed an issue where SNMP scans to the firewall took longer than expected and intermittently timed out.
Addressed
10.2.9
PAN-238643
Fixed an issue where a memory leak caused multiple processes to stop responding when VM Information Sources was configured.
Addressed
10.2.9
PAN-237991
Fixed an issue where the log collector sent fewer logs than expected to the syslog server.
Addressed
10.2.9
PAN-233692
Fixed an issue on Panorama where the configd process stopped, which caused performance issues.
Addressed
10.2.9
PAN-233684
Fixed an issue on Panorama where Push to Devices or Commit and Push operations took longer than expected on the web interface.
Addressed
10.2.9
PAN-231439
Fixed an issue where, when a VoIP call using dynamic IP and NAT was put on hold, the audio became one-way due to early termination of NAT ports.
Addressed
10.2.9
PAN-230746
Fixed an issue on the web interface where device groups with a large number of managed firewalls displayed the Policy page more slowly than expected.
Addressed
10.2.9
PAN-228515
Fixed an issue where the Elasticsearch cluster health status displayed as yellow or red due to Elasticsearch SSH tunnel flaps.
Addressed
10.2.9
PAN-224500
Fixed an issue where IPv6 addresses in XFF were displayed in Traffic logs.
Addressed
10.2.9
PAN-222188
A CLI command was introduced to address an issue where SNMP monitoring performance was slower than expected, which resulted in snmpwalk timeouts.
Addressed
10.2.9
PAN-215430
Fixed an issue where dynamic IP address NAT with SIP intermittently failed to convert RTP Predict sessions.
Addressed
10.2.9
PAN-212553
Fixed an issue where the ikemgr process stopped responding due to memory corruption, which caused VPN tunnels to go down.
Addressed
10.2.9
PAN-207092
Fixed an issue where logging in using default credentials after changing to FIPS-CC for NSX-T firewalls did not work.
Known
10.2.10
WF500-5854
The WildFire analysis report on the firewall log viewer ( Monitoring WildFire Submissions ) does not display the following data fields: File Type, SHA-256, MD-5, and File Size".
Workaround : Download and open the WildFire analysis report in the PDF format using the link in the upper right-hand corner of the Detailed Log View .
Known
10.2.10
WF500-5843
In a WildFire appliance cluster, issuing the show cluster-all peers CLI command when a node within the cluster is being rebooted generates the following error: Server error : An error occured.
Known
10.2.10
WF500-5840
The sample analysis statistics that are returned when issuing the show wildfire local statistics CLI command in WildFire appliance cluster deployments may not accurately reflect the number of samples that have been processed.
Known
10.2.10
WF500-5823
The following WildFire appliance CLI command does not return a signature generation status as expected: show wildfire global signature-status . This does not corrupt or otherwise prevent the WildFire appliance from analyzing a sample.
Known
10.2.10
WF500-5781
The WildFire appliance might erroneously generate and log the following device certification error: Device certificate is missing or invalid. It cannot be renewed.
Known
10.2.10
WF500-5754
In WildFire appliance clusters, issuing the show cluster controller CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6).
Known
10.2.10
WF500-5632
The number of registered WildFire appliances reported in Panorama ( Panorama Managed WildFire Appliances Firewalls Connected View ) does not accurately reflect the current status of connected WildFire appliances.
Known
10.2.10
PAN-263226 ( PAN-OS 10.2.10-h2 and 10.2.10-h3 only )
When SSL decryption is enabled and Client Hello messages span multiple TCP segments, elements from the proxy_l2info memory pool may not be freed properly. Memory leaks in this pool cause some SSL decryption sessions to fail.
Workaround: Disable Client Hello accumulation using the debug dataplane set ssl-decrypt accumulate-client-hello disable yes CLI command.
Known
10.2.10
PAN-262287
This issue is now resolved. See PAN-OS 10.2.10-h4 Addressed Issues .
Dereferencing a NULL pointer that occurs might cause pan_task processes to crash.
Known
10.2.10
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.2.10
PAN-259997
This issue is now resolved. See PAN-OS 10.2.10-h3 Addressed Issues .
On PA-3410, PA-3420, and PA-3430 firewalls, the install fails when upgrading from PAN-OS 10.2.3-h3 and later 10.2 releases to PAN-OS 10.2.10 due the number of configured vsys zones exceeding the zone limit in PAN-OS 10.2.10.
Workaround: Before installing PAN-OS 10.2.10, reduce the number of security zones to 40 zones or fewer for PA-3410 and PA-3420 firewalls, and to 100 zones or fewer for PA-3430 firewalls.
Known
10.2.10
PAN-259769
GlobalProtect portal is not accessible via a web browser and the app displays the error ERR_EMPTY_RESPONSE .
Known
10.2.10
PAN-259733
This issue is now resolved. See PAN-OS 10.2.10-h2 Addressed Issues .
Custom reports created in PAN-OS are not deleted as expected, resulting in high memory use by the reportd process. This can lead to issues, such as out-of-memory conditions, content installation failures, and unexpected firewall reboots.
Known
10.2.10
PAN-259344
This issue is now resolved. See PAN-OS 10.2.10-h3 Addressed Issues .
Performing a configuration commit on a firewall, either locally or from Panorama, causes a memory leak by the configd process and results in an out-of-memory (OOM) condition.
Known
10.2.10
PAN-257957
This issue is now resolved. See PAN-OS 10.2.12 Addressed Issues . Affects 10.2.10-h3 and later 10.2 releases.
If you enable FIPS-CC mode and use the PAP or CHAP authentication methods for your RADIUS server, the authd process may restart unexpectedly. To avoid this issue, use one of the following workarounds:
  • If you use PAN-OS 10.2.10-h3, 10.2.11, or an earlier version, configure the RADIUS server so that it does not send the message authenticator back to client.
  • Use other protocols, such as LDAP, Kerberos, TACACS+, SAML, RADIUS EAP, instead of RADIUS PAP or CHAP.
  • Change from FIPS mode to normal mode.
Known
10.2.10
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
10.2.10
PAN-226361
This issue is now resolved. See PAN-OS 10.2.10-h7 Addressed Issues .
Sessions might end unexpectedly with the error resources-unavailable when the firewall incorrectly interprets the Content and Threat Detection (CTD) global packet queue as being full.
Known
10.2.10
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.2.10
PAN-229865
Upgrading a PA-220 firewall running a PAN-OS 10.1 release fails when the target PAN-OS upgrade version is PAN-OS 10.2.5.
Workaround: On your upgrade path to PAN-OS 10.2.5, first upgrade to PAN-OS 10.2.4 and then upgrade to PAN-OS 10.2.5.
Known
10.2.10
PAN-223677
( PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420, and PA-5430 firewalls ) By enabling Lockless QoS feature, a slight degradation in App-ID and Threat performance is expected.
Known
10.2.10
PAN-222586
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings ( Device Log Settings ) are not displayed and cannot be configured.
Known
10.2.10
PAN-221775
A Malformed Request error is displayed when you Test Connection for an email server profile ( Device Server Profiles Email ) using SMTP over TLS and the Password includes an ampersand (&).
Known
10.2.10
PAN-217307
This issue is now resolved. See PAN-OS 10.2.11 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
10.2.10
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.2.10
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list ( Monitor Block IP ):
show -> dis-block-table is unexpected
Known
10.2.10
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor ( Monitor App Scope Threat Monitor ) and ACC . This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.2.10
PAN-212533
Modifying the Administrator Type for an existing administrator ( Device Administrators or Panorama Administrators ) from Superuser to a Role-Based custom admin, or vice versa, does not modify the access privileges of the administrator.
Known
10.2.10
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile ( Panorama Admin Roles ).
Known
10.2.10
PAN-209288
Certificates are not successfully generated using SCEP ( Device Certificate Management SCEP ).
Known
10.2.10
PAN-208622
A file upload to Box.com exceeding 6 files gets stuck and fails to upload if you specify an Enterprise DLP data filtering profile ( Objects DLP Data Filtering Profiles with the Action set to Block to a Security policy rule ( Policies Security ).
Known
10.2.10
PAN-204689
Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App Allow with Passcode
  • Allow user to Disable GlobalProtect App Allow with Passcode
  • Allow User to Uninstall GlobalProtect App Allow with Password
Known
10.2.10
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.2.10
PAN-196504
License deactivation fails for VM-Series firewalls licensed using PA-VM Bundle 3 (BND3).
Known
10.2.10
PAN-194996
When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, allocating bandwidth for a remote network deployment fails (the OK button is grayed out).
Workaround : Retry the operation.
Known
10.2.10
PAN-194519
( PA-5450 firewall only ) Trying to configure a custom payload format under Device Server Profiles HTTP yields a Javascript error.
Known
10.2.10
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.2.10
PAN-194424
( PA-5450 firewall only ) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround: Restart the log receiver service by running the following CLI command: 
debug software restart process log-receiver
Known
10.2.10
PAN-194202
( PA-5450 firewall only ) If the management interface and logging interface are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.2.10
PAN-190727
( PA-5450 firewall only ) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.2.10
PAN-189111
After deleting an MP pod and it comes up, the show routing command output appears empty and traffic stops working.
Known
10.2.10
PAN-189076
On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain.
Known
10.2.10
PAN-188358
After triggering a soft reboot on a M-700 appliance, the Management port LEDs do not light up when a 10G Ethernet cable is plugged in.
Known
10.2.10
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.2.10
PAN-187643
If you enable SCTP security using a Panorama template when SCTP INIT Flood Protection is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the SCTP INIT option is not available in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make the SCIT INIT option available on the web interface.
Known
10.2.10
PAN-187612
On the Panorama management server, not all data profiles ( Objects DLP Data Filtering Profiles ) are displayed after you:
  • Upgrade Panorama to PAN-OS 10.2 and upgrade the Enterprise DLP plugin to version 3.0.
  • Downgrade Panorama to PAN-OS 10.1 and downgrade the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP plugin.
admin > request plugins dlp reset
Known
10.2.10
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
10.2.10
PAN-187370
On a firewall with Advanced Routing enabled, if there is also a logical router instance that uses the default configuration and has no interfaces assigned to it, this will result in terminating the management daemon and main routing daemon in the firewall during commit.
Workaround : Do not use a logical router instance with no interfaces bound to it.
Known
10.2.10
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround : Use Commit Push to Devices to synchronize the templates.
Known
10.2.10
PAN-186282
On HA deployments on AWS and Azure, Panorama fails to populate match criteria automatically when adding dynamic address groups.
Workaround: Reboot the Panorama HA pair.
Known
10.2.10
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
10.2.10
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
10.2.10
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
10.2.10
PAN-181823
On a PA-5400 Series firewall (minus the PA-5450), setting the peer port to forced 10M or 100M speed causes any multi-gigabit RJ-45 ports on the firewall to go down if they are set to Auto.
Known
10.2.10
PAN-180661
On the Panorama management server, pushing an unsupported Minimum Password Complexity ( Device Setup Management ) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.2.10
PAN-180104
When upgrading a CN-Series as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT pod if the Kubernetes cluster previously had a CN-Series as a DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround : Reboot the worker nodes before upgrading to PAN-OS 10.2.
Known
10.2.10
PAN-178194
A user interface issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.2.10
PAN-177455
PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.2.10
PAN-175915
When the firewall is deployed on N3 and N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile Network Protection Profile, the traffic logs do not display network slice SST and SD values.
Known
10.2.10
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.2.10
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.2.10
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Addressed
10.2.10-h12
PAN-273215
Fixed an issue where a syntax error in the index generation script caused a high management plane CPU load after upgrading
Addressed
10.2.10-h12
PAN-271774
Fixed an issue where the firewall logs displayed the reason for data filtering action as FW Skipped: XXXX .
Addressed
10.2.10-h12
PAN-268823
Fixed an issue where Monitor > Log Display did not display all logs when you applied a filter.
Addressed
10.2.10-h12
PAN-268727
Fixed an issue where traffic was dropped when the accumulation proxy was enabled and header insertion modified packets.
Addressed
10.2.10-h12
PAN-268314
Fixed an issue where new files were not sent to WildFire. With this fix, the WildFire reserved drive space has been increased for greater session caching capability.
Addressed
10.2.10-h12
PAN-268002
Fixed an issue where URL filtering response pages were not displayed for sites that were blocked as a result of SSL/TLS handshake inspection.
Addressed
10.2.10-h12
PAN-267704
Fixed an issue where the firewall did not send an ICMP error packet to Envoy when the MSS was exceeded.
Addressed
10.2.10-h12
PAN-265111
Fixed an issue where fragmented SSL hello packets were reordered when going out of the SC/ZTT towards the datacenter.
Addressed
10.2.10-h12
PAN-264249
Fixed an issue on the firewall where SNMP queries timed out when using SNMP.
Addressed
10.2.10-h12
PAN-263973
Fixed an issue where log collectors had a low incoming log rate.
Addressed
10.2.10-h12
PAN-263287
The PAN-COMMON-MIB.my file was updated to support new object identifiers (OID) to poll interface use via SNMP with table identifiers.
Addressed
10.2.10-h12
PAN-262383
Fixed an issue where the firewall was unable to decompress the HTTP2 header, which caused the session to be classified as unknown-tcp instead of web-browsing.
Addressed
10.2.10-h12
PAN-261673
( VM-Series firewalls on Microsoft Azure environments only ) Fixed an issue where, when Accelerated Networking was enabled, traffic was dropped because of the flow_parse_ip_hdr counter related to an Nvidia driver issue.
Addressed
10.2.10-h12
PAN-259910
Fixed an issue where the firewall reported the same value over consecutive SNMP polls when asynchronous mode was enabled.
Addressed
10.2.10-h12
PAN-259351
A fix was made to address CVE-2024-3393 .
Addressed
10.2.10-h12
PAN-258166
( PA-220 firewalls only ) Fixed an issue where the root partition frequently reached 100%.
Addressed
10.2.10-h12
PAN-257601
( PA-5450 firewalls only ) Fixed an issue where Networking Cards (NC) experienced an internal link fault which caused path monitoring failure on the Dataplane Processing Card (DPC).
Addressed
10.2.10-h12
PAN-257515
Fixed an issue where Possible Domain Fronting Detection for HTTP/2 generated false positives. With this change, domain fronting is limited to HTTP/1.
Addressed
10.2.10-h12
PAN-257327
( PA-5440 firewalls only ) Fixed an issue where a failover event occurred unexpectedly on the firewall.
Addressed
10.2.10-h12
PAN-255930
Fixed an issue where persistent DIPP NAT entries were deleted even when being used during an active session.
Addressed
10.2.10-h12
PAN-253213
Fixed an issue where the firewall sent HIP notifications every time it received a HIP report instead of every two hours.
Addressed
10.2.10-h12
PAN-248067
Fixed an issue where inter firewall tunnels between Mobile User Gateway node and ZTNA tunnel terminators were down due to host routes getting aged out while still in the routing table.
Addressed
10.2.10-h12
PAN-247857
( PA-7050 firewalls in HA configurations only ) Fixed an issue on the firewall where a dataplane process restarted when updating the routing table.
Addressed
10.2.10-h12
PAN-246699
Fixed an issue on Panorama where Rule Usage and Apps Seen under Security policy rules stopped incrementing.
Addressed
10.2.10-h12
PAN-245428
Fixed an issue where FIB entries aged out and were incorrectly removed after an HA failover event.
Addressed
10.2.10-h12
PAN-244894
Fixed an issue where turning off mprelay logging caused mprelay heartbeat failure.
Addressed
10.2.10-h12
PAN-241126
Fixed an issue where the client IP address was incorrect in the authentication logs for Captive Portal authentication events when the client used IPv6.
Addressed
10.2.10-h12
PAN-240739
Fixed an issue where the ECMP FIB update on the dataplane did not clear the pending change flag, which caused the next non-ECMP FIB update to miss the latest generation ID and age out after 5 minutes.
Addressed
10.2.10-h12
PAN-239271
Fixed an issue where changing the firewall's DNS led to connectivity to the hostname-configured User-ID agent.
Addressed
10.2.10-h12
PAN-236685
Fixed an issue where the Traffic log did not display the results of an application filter.
Addressed
10.2.10-h12
PAN-233712
Fixed an issue where the firewall did not install a host route in the FIB when the BGP peer was down, which caused traffic to be dropped.
Addressed
10.2.10-h12
PAN-233581
Fixed an issue on firewalls in active/active HA configurations where SYN+ACK packets of asymmetric TCP sessions were dropped because of a session synchronization issue.
Addressed
10.2.10-h12
PAN-233195
Fixed an issue where logs continued to be ingested when the vldmgr process was restarted.
Addressed
10.2.10-h12
PAN-229367
Fixed an issue where the firewall restarted when a route update message was received while the firewall was processing traffic.
Addressed
10.2.10-h12
PAN-227543
Fixed an issue where the firewall did not match traffic to FQDN objects if the FQDN object contained uppercase characters.
Addressed
10.2.10-h12
PAN-227503
Fixed an issue where the link status of the log interface was unable to be obtained correctly using SNMP.
Addressed
10.2.10-h12
PAN-225213
Fixed an issue where Push All Changes displayed changes that were already committed in the push scope for another device group after performing a selective commit and selective push to the first device group.
Addressed
10.2.10-h10
PAN-268823
Fixed an issue where Monitor > Log Display did not display all logs when you applied a filter.
Addressed
10.2.10-h10
PAN-268727
Fixed an issue where traffic was dropped when the accumulation proxy was enabled and header insertion modified packets.
Addressed
10.2.10-h10
PAN-268314
Fixed an issue where new files were not sent to WildFire. With this fix, the WildFire reserved drive space has been increased for greater session caching capability.
Addressed
10.2.10-h10
PAN-268002
Fixed an issue where URL filtering response pages were not displayed for sites that were blocked as a result of SSL/TLS handshake inspection.
Addressed
10.2.10-h10
PAN-267704
Fixed an issue where the firewall did not send an ICMP error packet to Envoy when the MSS was exceeded.
Addressed
10.2.10-h10
PAN-263973
Fixed an issue where log collectors had a low incoming log rate.
Addressed
10.2.10-h10
PAN-261673
( VM-Series firewalls on Microsoft Azure environments only ) Fixed an issue where, when Accelerated Networking was enabled, traffic was dropped because of the flow_parse_ip_hdr counter related to an Nvidia driver issue.
Addressed
10.2.10-h10
PAN-257601
( PA-5450 firewalls only ) Fixed an issue where Networking Cards (NC) experienced an internal link fault which caused path monitoring failure on the Dataplane Processing Card (DPC).
Addressed
10.2.10-h10
PAN-253213
Fixed an issue where the firewall sent HIP notifications every time it received a HIP report instead of every two hours.
Addressed
10.2.10-h10
PAN-246699
Fixed an issue on Panorama where Rule Usage and Apps Seen under Security policy rules stopped incrementing.
Addressed
10.2.10-h10
PAN-233195
Fixed an issue where logs continued to be ingested when the vldmgr process was restarted.
Addressed
10.2.10-h9
PAN-272809
A fix was made to address CVE-2024-0012 ( PAN-SA-2024-0015 ) and CVE-2024-9474 .
Addressed
10.2.10-h9
PAN-268314
Fixed an issue where new files were not sent to WildFire. With this fix, the WildFire reserved drive space has been increased for greater session caching capability.
Addressed
10.2.10-h9
PAN-267535
Fixed an issue where all_task processes stopped responding on the remote network firewall, which caused tunnels to go down and the pan_task CPU usage to approach 100%.
Addressed
10.2.10-h9
PAN-265778
Fixed an issue where the GlobalProtect client failed to connect after an upgrade due to the group names not being retrieved on time.
Addressed
10.2.10-h9
PAN-265399
Fixed an issue where DNS queries for uppercase internal domain (SRV record) timed out when DNS Security was enabled.
Addressed
10.2.10-h9
PAN-255915
Fixed an issue where a memory leak in the sslmgr process caused the firewall to restart.
Addressed
10.2.10-h9
PAN-240251
Fixed an issue where the vldmgr process incorrectly restarted during an Elasticsearch restart.
Addressed
10.2.10-h9
PAN-232368
Fixed an issue where commits failed with the error message Error: Max. user groups used in policy 1389 exceed capacity (1000) .
Addressed
10.2.10-h9
PAN-218279
Fixed an issue on Panorama where hostname variables displayed as unknown when exporting template or template stack variables in CSV format.
Addressed
10.2.10-h7
PAN-267662
Fixed an issue where the firewall experienced a memory out-of-bounds access when the firewall was configured with SD-WAN and the SD-WAN plugin was loading, which caused the firewall to stop responding and drop VPN tunnels.
Addressed
10.2.10-h7
PAN-266769
Fixed an issue where the GlobalProtect gateway did not handle IP address changes of the inner gateway when the NGPA new protocol enabled.
Addressed
10.2.10-h7
PAN-265742
Fixed an issue on the Panorama web interface where the OK button on the GlobalProtect gateway configuration dialog box was not clickable.
Addressed
10.2.10-h7
PAN-265462
Fixed an issue where you were unable to download PDFs when connected via Clientless VPN.
Addressed
10.2.10-h7
PAN-264871
Fixed an issue on Panorama where the configd process stopped responding when viewing IP addresses on dynamic address groups with a large number of IP addresses.
Addressed
10.2.10-h7
PAN-264246
Fixed an issue where the Authentication Portal did not work properly with session cookies when the request to the portal contained the header Sec-Fetch-Site=cross-site .
Addressed
10.2.10-h7
PAN-263680
Fixed an issue where Prisma Access gateways consistently stopped responding with process restarts.
Addressed
10.2.10-h7
PAN-262340
Fixed an issue where FQDN resolution failed for address objects, and all FQDN traffic was denied by the interzone-default policy rule.
Addressed
10.2.10-h7
PAN-261484
Fixed an issue on the firewall where DPDK allocated twice the amount of memory as requested for pre-allocation.
Addressed
10.2.10-h7
PAN-260928
Fixed an issue where GlobalProtect failed to connect connect when using LDAP authentication with machine certificates with the error message You are not authorized to connect to GlobalProtect portal .
Addressed
10.2.10-h7
PAN-260512
Fixed an issue where accessing the IP address of the device address group objects from the user interface caused the configd process to stop responding.
Addressed
10.2.10-h7
PAN-259002
Fixed an issue where frequent external dynamic list updates caused the configd process to restart.
Addressed
10.2.10-h7
PAN-257736
( PA-5450 firewalls only ) Fixed an issue where traffic to benign applications was was impacted by holding TCP sequential segments for MLC inspection and not releasing the full chain after a benign verdict was received.
Addressed
10.2.10-h7
PAN-256077
Fixed an issue where the GlobalProtect client would disconnect consistently due to keep-alive timeouts when using an SSL-only tunnel.
Addressed
10.2.10-h7
PAN-255619
Fixed an intermittent issue where file downloads from websites failed.
Addressed
10.2.10-h7
PAN-255509
( PA-5450 firewalls only ) Fixed an issue where BFD sessions flapped intermittently.
Addressed
10.2.10-h7
PAN-250787
Fixed an issue where network issues between the firewall and the log collector caused logrcvr process memory exhaustion.
Addressed
10.2.10-h7
PAN-250394
Fixed an issue where a large amount of group data caused serialization errors and prevented synchronization.
Addressed
10.2.10-h7
PAN-241044
Fixed an issue where traffic was denied by the interzone-default policy rule when a Security policy rule with an FQDN destination was configured.
Addressed
10.2.10-h7
PAN-233681
Fixed an issue where the authd process on Prisma Access firewalls stopped responding after receiving the SIGUSR1 signal.
Addressed
10.2.10-h7
PAN-226361
Fixed an issue where sessions might end unexpectedly with the error resources-unavailable when the firewall incorrectly interprets the Content and Threat Detection (CTD) global packet queue as being full.
Addressed
10.2.10-h7
PAN-222590
Fixed an issue where a semicolon appeared at the end of file names of data filtering logs.
Addressed
10.2.10-h7
PAN-217198
Fixed an issue where Security policy rules did not display values for FQDN.
Addressed
10.2.10-h7
PAN-203231
Fixed an issue where Software Version in the device summary report exported from Panorama included HTML tags.
Addressed
10.2.10-h5
PAN-256077
Fixed an issue where the GlobalProtect client would disconnect consistently due to keep-alive timeouts when using an SSL-only tunnel.
Addressed
10.2.10-h5
PAN-241044
Fixed an issue where traffic was denied by the interzone-default policy rule when a Security policy rule with an FQDN destination was configured.
Addressed
10.2.10-h5
PAN-222590
Fixed an issue where a semicolon appeared at the end of file names of data filtering logs.
Addressed
10.2.10-h5
PAN-217198
Fixed an issue where Security policy rules did not display values for FQDN.
Addressed
10.2.10-h5
PAN-203231
Fixed an issue where Software Version in the device summary report exported from Panorama included HTML tags.
Addressed
10.2.10-h4
PAN-263226
Fixed an issue where decryption based traffic failed on Explicit Proxy nodes.
Addressed
10.2.10-h4
PAN-263164
Fixes a problem where Netflow User ID information was truncated to 31 characters.
Addressed
10.2.10-h4
PAN-262287
Fixed an issue where dereferencing a NULL pointer that occurs might cause pan_task processes to crash.
Addressed
10.2.10-h4
PAN-261917
Fixed an issue where websites with a no-decrypt policy rule were decrypted in traffic log when using a Google Chrome browser with PQC enabled
Addressed
10.2.10-h4
PAN-261797
( Firewalls and Panorama appliances in FIPS-CC mode only ) Fixed an issue where the authd process restarted if RADIUS PAP/CHAP authentication was used.
Addressed
10.2.10-h4
PAN-261270
Fixed an issue where the firewall decremented the TTL/Hop limit for BGPv6 packets by 1 after IPSec decryption.
Addressed
10.2.10-h4
PAN-260662
Fixed an issue where large file downloads were slower than expected when private IP address visibility was enabled.
Addressed
10.2.10-h4
PAN-258442
Fixed an issue where changes made to the split tunnel configuration on the Prisma Access gateway were not reflected on the GlobalProtect client.
Addressed
10.2.10-h4
PAN-257957
( Firewalls and Panorama appliances in FIPS-CC mode only ) Fixed an issue where the authd process restarted if RADIUS PAP/CHAP authentication was used.
Addressed
10.2.10-h4
PAN-257563
Fixed an issue where the logrcvr component for SASE and MCW displayed incorrect zones in the traffic flow.
Addressed
10.2.10-h4
PAN-255619
Fixed an intermittent issue where file downloads from websites failed.
Addressed
10.2.10-h4
PAN-254826
Fixed an issue where the firewall stopped responding when processing traffic.
Addressed
10.2.10-h4
PAN-254671
Fixed an issue where excessive Timed out while getting config lock error messages were generated when making bulk changes via XML API.
Addressed
10.2.10-h4
PAN-250371
Fixed an issue where the logrcvr process stopped responding, which caused commits to fail with the error message Management server failed to send phase 1 to client logrcvr .
Addressed
10.2.10-h4
PAN-247257
Fixed an issue where the useridd process stopped responding, which caused the firewall to reboot.
Addressed
10.2.10-h4
PAN-242958
Fixed an issue where the firewall intermittently logged connect-agent-failure messages for service connection instances due to bi-directional host ID redistribution.
Addressed
10.2.10-h4
PAN-242331
Fixed an issue where Prisma Access remote network firewalls intermittently created incorrect user-to-IP-address mappings.
Addressed
10.2.10-h4
PAN-240990
Fixed an issue where l3svc.py displayed incorrect logs.
Addressed
10.2.10-h4
PAN-218873
Fixed an issue where a HIP mask was reused when an existing IP address user mapping was updated by a new IP address user mapping that had a different username but the same IP address.
Addressed
10.2.10-h3
PAN-259997
( PA-3410, PA-3420, and PA-3430 firewalls only ) Fixed an issue where the install failed when upgrading from PAN-OS 10.2.3-h3 and later 10.2 releases to PAN-OS 10.2.10 due to the number of configured vsys zones exceeding the zone limit in PAN-OS 10.2.10.
Addressed
10.2.10-h3
PAN-259480
Fixed an issue where the varrcvr process stopped responding after running out of memory due to how the process queued and dequeued files for WildFire file forwarding when a WildFire Analysis Security profile was enabled.
Addressed
10.2.10-h3
PAN-257462
Fixed an issue related to the varrcvr process where the management plane CPU was higher than expected during WildFire updates.
Addressed
10.2.10-h3
PAN-256939
Fixed an issue on the firewall where disk space was low in /opt/pancfg/ , which caused dynamic content installation to fail.
Addressed
10.2.10-h3
PAN-254373
Fixed an issue where the firewall did not handle error code 500 responses from the WildFire cloud correctly.
Addressed
10.2.10-h3
PAN-253400
Fixed an issue where the logrcvr process stopped responding.
Addressed
10.2.10-h3
PAN-249814
Fixed an issue where multiple all_task processes stopped responding, which caused the dataplane to fail.
Addressed
10.2.10-h3
PAN-244746
Fixed an issue where changes committed on Panorama were not reflected on the firewall after a successful push.
Addressed
10.2.10-h3
PAN-235840
Fixed an issue where, after a configuration push from Panorama to managed firewalls, the status displayed as None and the push took longer than expected.
Addressed
10.2.10-h3
PAN-234560
Fixed an issue where the daily summary report displayed IPv6 addresses instead of IPv4 addresses.
Addressed
10.2.10-h2
PAN-259733
Fixed an issue where a custom report was not deleted on Panorama when expected.
Addressed
10.2.10-h2
PAN-259344
Fixed an issue where performing a configuration commit on a firewall locally or from Panorama caused a memory leak related to the configd process and resulted in a out-of-memory (OOM) condition.
Addressed
10.2.10-h2
PAN-258941
Fixed an issue where some URLs were not accessible when connected to Prisma Access explicit proxy.
Addressed
10.2.10-h2
PAN-249266
Fixed an issue where the config process virtual memory was exceeded due to delays in post-commit processing.
Addressed
10.2.10-h2
PAN-247099
Fixed an issue where the firewall decrypted traffic unexpectedly when the client hello was spread across multiple packets.
Addressed
10.2.10-h2
PAN-225087
Fixed an issue where the dataplane logs were corrupted with unexpected IPv6 addresses.
Addressed
10.2.10
PAN-257197
Fixed an issue where ifType and ifSpeed were not populated in asynchronous mode of SNMP operations.
Addressed
10.2.10
PAN-256181
Fixed an issue where the management interface and front panel port interface statistics were not populated in asynchronous mode of SNMP operations.
Addressed
10.2.10
PAN-255868
( PA-3400 Series firewalls only ) Fixed an issue where the firewall entered maintenance mode after enabling kernel data collection during the silent reboot.
Addressed
10.2.10
PAN-255396
Fixed an issue where, when using serial number and IP address authentication, and multiple gateways were configured, the portal returned the last gateway in the list and disregarded the satellite assignment by serial number.
Addressed
10.2.10
PAN-253546
Fixed an issue where a TLS client hello was split into multiple packets and arrived out of order, so the packets were dropped and the session terminated.
Addressed
10.2.10
PAN-253317
( VM-Series firewalls on Microsoft Azure environments only ) Fixed an issue where you were unable to log in to the firewall after a private data reset.
Addressed
10.2.10
PAN-252730
Fixed an issue where the Elasticsearch status for a log collector group changed to red or yellow after performing a collector group push.
Addressed
10.2.10
PAN-252517
Fixed an issue where SNMP failed to respond to multiple Object Identifier (OID) queries in a single SNMP GET request.
Addressed
10.2.10
PAN-251895
Fixed an issue where enabling inline Cloud Analysis features caused a slow packet buffer leak, which resulted in performance issues and dropped traffic.
Addressed
10.2.10
PAN-251639
Fixed an issue where an out of memory condition might occur due to a memory leak in the varrcvr process when a Wildfire Analysis security profile is enabled.
Addressed
10.2.10
PAN-251563
Added CPLD enhancement to capture external power issues.
Addressed
10.2.10
PAN-251013
Fixed an issue on the web interface where the Virtual Router and Virtual System configurations for the template incorrectly showed as none .
Addressed
10.2.10
PAN-250083
Fixed an issue on firewalls in HA configurations where packets were dropped over HA3 HSCI due to the default MRU being incorrect.
Addressed
10.2.10
PAN-250020
Fixed an issue where MLC2 verdict retrieval failed due to a regression in loopback data flag handling.
Addressed
10.2.10
PAN-248130
Fixed an issue where the AND operation under a Dynamic Address Group comparison did not work after upgrading the AWS plugin to 3.0.1.
Addressed
10.2.10
PAN-248105
Fixed an issue where the GlobalProtect SSL VPN tunnel immediately disconnected due to a keep-alive timeout.
Addressed
10.2.10
PAN-246976
Fixed an issue with unbalanced NAT session distribution with multidataplane firewalls when persistent-dipp was enabled.
Addressed
10.2.10
PAN-246960
Fixed an issue where firewalls failed to fetch content updates from the WildFire private cloud due to an Unsupported protocol error.
Addressed
10.2.10
PAN-245850
Fixed an issue on Panorama appliances in active/passive HA configurations where the firewalls entered an HA out-of-sync status and jobs failed on the passive appliance with the error message Could not merged running config from file .
Addressed
10.2.10
PAN-245842
Fixed an issue with the syn-cookie option where traffic unexpectedly stopped during packet exchange.
Addressed
10.2.10
PAN-245690
Fixed an issue where the managed collectors health status on Panorama displayed as empty.
Addressed
10.2.10
PAN-245125
( VM-Series firewalls in Microsoft Azure environments only ) Fixed an issue where file descriptors were not closed due to invalid configurations.
Addressed
10.2.10
PAN-244907
Fixed an issue where ports did not go down when moving from an active state to a suspended state.
Addressed
10.2.10
PAN-244746
Fixed an issue where changes committed on Panorama were not reflected on the firewall after a successful push.
Addressed
10.2.10
PAN-244648
( PA-5200 Series only ) Fixed an issue where the firewall did not boot up after a factory reset, and, with FIPS mode enabled, the firewall rebooted into maintenance mode.
Addressed
10.2.10
PAN-244622
Fixed an issue where FIB repush did not work with Advanced Routing enabled.
Addressed
10.2.10
PAN-244013
Fixed an issue where the web interface did not display newly added antispyware signatures or Vulnerability signatures.
Addressed
10.2.10
PAN-243240
Fixed an issue where the using QoS caused packet buffer utilization to increase exponentially and the PKI POOL DFLT pool depleted until a reboot was performed.
Addressed
10.2.10
PAN-242893
Fixed an issue where the verdict for www.googleapis.com displayed the message not-resolved .
Addressed
10.2.10
PAN-242309
Fixed an issue where a higher byte count (s2c) was observed for DNS-Base application.
Addressed
10.2.10
PAN-241230
Fixed an issue where the SNMP get request status value for Panorama connections was incorrect.
Addressed
10.2.10
PAN-241192
Fixed an issue where HIP reports did not match HIP objects configured with certificate check.
Addressed
10.2.10
PAN-240786
Fixed an issue on firewalls in HA configurations where VXLAN sessions were allocated, but not installed or freed, which resulted in a constant high session table usage that was not synced between the firewalls. This resulted in a session count mismatch.
Addressed
10.2.10
PAN-240612
Fixed a kernel panic caused by a third-party issue
Addressed
10.2.10
PAN-240368
Fixed an issue where Authentication Portal redirection for HTTPS websites did not work when Enhanced Handling of SSL/TLS Handshakes for Decrypted Traffic was enabled.
Addressed
10.2.10
PAN-240347
Fixed an issue with the web interface where the Dashboard and a Device Group policy rule took longer than expected to load.
Addressed
10.2.10
PAN-240225
Fixed an issue where authentication failed on web-based GlobalProtect portal.
Addressed
10.2.10
PAN-239662
Fixed an issue where the NSSA default route from the firewall was not generated to advertise even though the backbone area default route was advertised during a graceful restart.
Addressed
10.2.10
PAN-239354
Fixed an issue where DNS resolution was delayed when an antispyware policy rule was applied to both client to firewall and firewall to internal DNS server legs of a connection.
Addressed
10.2.10
PAN-238625
Fixed an issue where, when the physical interface went down, the SD-WAN Ethernet connection state still showed UP/path-monitor due to the Active URL SaaS monitor connection state remaining UP/path-monitor.
Addressed
10.2.10
PAN-237608
Fixed an issue where a NetFlow export truncated the source username.
Addressed
10.2.10
PAN-236133
Fixed an issue where SSL traffic was impacted when SSL Command and Control detector for Incline Cloud Analysis was set to reset-both , reset-client , reset-server , or drop .
Addressed
10.2.10
PAN-232550
Fixed an issue where SNMPv3 authentication failed when using SHA-512 Auth protocol.
Addressed
10.2.10
PAN-231642
Fixed an issue on the Panorama web interface where users who were logged in through multiple sessions were able to see an active lock on only one session.
Addressed
10.2.10
PAN-229115
Fixed an issue on the web interface where the screen was blank after logging in to Panorama.
Addressed
10.2.10
PAN-226108
Fixed an issue where the masterd process was unable to start or stop the sysd process.
Addressed
10.2.10
PAN-225394
Fixed an issue on the firewall where SNMP incorrectly reported high packet descriptor usage.
Addressed
10.2.10
PAN-223914
Fixed an issue on Panorama where the reportd process unexpectedly stopped responding.
Addressed
10.2.10
PAN-223418
Fixed an issue where heartbeats to the brdagent process were lost, resulting in the process not responding, which caused the firewall to reboot.
Addressed
10.2.10
PAN-221041
Fixed an issue where the following error message was seen frequently in the system logs: Clearing snmpd.log due to log overflow .
Addressed
10.2.10
PAN-216941
( Panorama appliances in Log Collector mode only ) Fixed an issue where Panorama stopped processing and saving logs.
Addressed
10.2.10
PAN-164885
Fixed an issue on Panorama where Commit and Push or Push to Devices operations failed when an external dynamic list was configured to check for updates every 5 minutes due to the commit and external dynamic fetch processes overlapping.
Known
10.2.11
WF500-5854
The WildFire analysis report on the firewall log viewer ( Monitoring WildFire Submissions ) does not display the following data fields: File Type, SHA-256, MD-5, and File Size".
Workaround : Download and open the WildFire analysis report in the PDF format using the link in the upper right-hand corner of the Detailed Log View .
Known
10.2.11
WF500-5843
In a WildFire appliance cluster, issuing the show cluster-all peers CLI command when a node within the cluster is being rebooted generates the following error: Server error : An error occured.
Known
10.2.11
WF500-5840
The sample analysis statistics that are returned when issuing the show wildfire local statistics CLI command in WildFire appliance cluster deployments may not accurately reflect the number of samples that have been processed.
Known
10.2.11
WF500-5823
The following WildFire appliance CLI command does not return a signature generation status as expected: show wildfire global signature-status . This does not corrupt or otherwise prevent the WildFire appliance from analyzing a sample.
Known
10.2.11
WF500-5781
The WildFire appliance might erroneously generate and log the following device certification error: Device certificate is missing or invalid. It cannot be renewed.
Known
10.2.11
WF500-5754
In WildFire appliance clusters, issuing the show cluster controller CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6).
Known
10.2.11
WF500-5632
The number of registered WildFire appliances reported in Panorama ( Panorama Managed WildFire Appliances Firewalls Connected View ) does not accurately reflect the current status of connected WildFire appliances.
Known
10.2.11
PAN-265336
This issue is now resolved. See PAN-OS 10.2.11-h2 Addressed Issues .
Copper ports flap when generating a technical support file, executing telemetry, or retrieving port status using a Management Data Input/Output (MDIO) read.
Known
10.2.11
PAN-264680
This issue is now resolved. See PAN-OS 10.2.11-h3 Addressed Issues .
( PA-220 firewalls only ) Device Setup is not displayed when the Enterprise Data Loss Prevention (E-DLP) plugin is installed.
Workaround: Uninstall the Enterprise DLP plugin.
  1. Log in to the firewall web interface.
  2. Select Device Plugins .
  3. Search for dlp .
  4. Uninstall .
Known
10.2.11
PAN-264580
( PA-3400 Series firewalls only ) Upgrading to PAN-OS 10.2.11 results in the following error: Target image validation failed with error invalid literal for int() with base 10 .
Known
10.2.11
PAN-263226
When SSL decryption is enabled and Client Hello messages span multiple TCP segments, elements from the proxy_l2info memory pool may not be freed properly. Memory leaks in this pool cause some SSL decryption sessions to fail.
Workaround: Disable Client Hello accumulation using the debug dataplane set ssl-decrypt accumulate-client-hello disable yes CLI command.
Known
10.2.11
PAN-262287
This issue is now resolved. See PAN-OS 10.2.11-h4 Addressed Issues .
Dereferencing a NULL pointer that occurs might cause pan_task processes to crash.
Known
10.2.11
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.2.11
PAN-259769
GlobalProtect portal is not accessible via a web browser and the app displays the error ERR_EMPTY_RESPONSE .
Known
10.2.11
PAN-257957
This issue is now resolved. See PAN-OS 10.2.12 Addressed Issues . Affects 10.2.11-h1 and later 10.2 releases.
If you enable FIPS-CC mode and use the PAP or CHAP authentication methods for your RADIUS server, the authd process may restart unexpectedly. To avoid this issue, use one of the following workarounds:
  • If you use PAN-OS 10.2.10-h3, 10.2.11, or an earlier version, configure the RADIUS server so that it does not send the message authenticator back to client.
  • Use other protocols, such as LDAP, Kerberos, TACACS+, SAML, RADIUS EAP, instead of RADIUS PAP or CHAP.
  • Change from FIPS mode to normal mode.
Known
10.2.11
PAN-257601
Fixed in PAN-OS 10.2.11 . Affects 10.2.11-h2 and later 10.2 releases.
( PA-5450 firewalls only ) Networking cards can experience an internal link fault, causing path monitoring failure on the Dataplane Processing Card (DPC).
Known
10.2.11
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in Traffic logs.
Known
10.2.11
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.2.11
PAN-229865
Upgrading a PA-220 firewall running a PAN-OS 10.1 release fails when the target PAN-OS upgrade version is PAN-OS 10.2.5.
Workaround: On your upgrade path to PAN-OS 10.2.5, first upgrade to PAN-OS 10.2.4 and then upgrade to PAN-OS 10.2.5.
Known
10.2.11
PAN-226361
This issue is now resolved. See PAN-OS 10.2.11-h4 Addressed Issues .
Sessions might end unexpectedly with the error resources-unavailable when the firewall incorrectly interprets the Content and Threat Detection (CTD) global packet queue as being full.
Known
10.2.11
PAN-223677
( PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420, and PA-5430 firewalls ) By enabling the Lockless QoS feature, a slight degradation in App-ID and Threat performance is expected.
Known
10.2.11
PAN-222586
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings ( Device Log Settings ) are not displayed and cannot be configured.
Known
10.2.11
PAN-221775
A Malformed Request error is displayed when you Test Connection for an email server profile ( Device Server Profiles Email ) using SMTP over TLS and the Password includes an ampersand (&).
Known
10.2.11
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.2.11
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list ( Monitor Block IP ):
show -> dis-block-table is unexpected
Known
10.2.11
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor ( Monitor App Scope Threat Monitor ) and ACC . This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.2.11
PAN-212533
Modifying the Administrator Type for an existing administrator ( Device Administrators or Panorama Administrators ) from Superuser to a Role-Based custom admin, or vice versa, does not modify the access privileges of the administrator.
Known
10.2.11
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile ( Panorama Admin Roles ).
Known
10.2.11
PAN-209288
Certificates are not successfully generated using SCEP ( Device Certificate Management SCEP ).
Known
10.2.11
PAN-208622
A file upload to Box.com exceeding 6 files gets stuck and fails to upload if you specify an Enterprise DLP data filtering profile ( Objects DLP Data Filtering Profiles with the Action set to Block to a Security policy rule ( Policies Security ).
Known
10.2.11
PAN-204689
Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App Allow with Passcode
  • Allow user to Disable GlobalProtect App Allow with Passcode
  • Allow User to Uninstall GlobalProtect App Allow with Password
Known
10.2.11
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.2.11
PAN-196504
License deactivation fails for VM-Series firewalls licensed using PA-VM Bundle 3 (BND3).
Known
10.2.11
PAN-194996
When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, allocating bandwidth for a remote network deployment fails (the OK button is grayed out).
Workaround : Retry the operation.
Known
10.2.11
PAN-194519
( PA-5450 firewall only ) Trying to configure a custom payload format under Device Server Profiles HTTP yields a JavaScript error.
Known
10.2.11
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.2.11
PAN-194424
( PA-5450 firewall only ) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround: Restart the log receiver service by running the following CLI command: 
debug software restart process log-receiver
Known
10.2.11
PAN-194202
( PA-5450 firewall only ) If the management interface and logging interface are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.2.11
PAN-190727
( PA-5450 firewall only ) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.2.11
PAN-189111
After deleting an MP pod and it comes up, the show routing command output appears empty and traffic stops working.
Known
10.2.11
PAN-189076
On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain.
Known
10.2.11
PAN-188358
After triggering a soft reboot on an M-700 appliance, the Management port LEDs do not light up when a 10G Ethernet cable is plugged in.
Known
10.2.11
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.2.11
PAN-187643
If you enable SCTP security using a Panorama template when SCTP INIT Flood Protection is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the SCTP INIT option is not available in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make the SCIT INIT option available on the web interface.
Known
10.2.11
PAN-187612
On the Panorama management server, not all data profiles ( Objects DLP Data Filtering Profiles ) are displayed after you:
  • Upgrade Panorama to PAN-OS 10.2 and upgrade the Enterprise DLP plugin to version 3.0.
  • Downgrade Panorama to PAN-OS 10.1 and downgrade the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP plugin.
admin > request plugins dlp reset
Known
10.2.11
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
10.2.11
PAN-187370
On a firewall with Advanced Routing enabled, if there is also a logical router instance that uses the default configuration and has no interfaces assigned to it, this will result in terminating the management daemon and main routing daemon in the firewall during commit.
Workaround : Do not use a logical router instance with no interfaces bound to it.
Known
10.2.11
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround : Use Commit Push to Devices to synchronize the templates.
Known
10.2.11
PAN-186282
On HA deployments on AWS and Azure, Panorama fails to populate match criteria automatically when adding dynamic address groups.
Workaround: Reboot the Panorama HA pair.
Known
10.2.11
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to an M-700 appliance.
Known
10.2.11
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
10.2.11
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 Series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
10.2.11
PAN-181823
On a PA-5400 Series firewall (minus the PA-5450), setting the peer port to forced 10M or 100M speed causes any multi-gigabit RJ-45 ports on the firewall to go down if they are set to Auto.
Known
10.2.11
PAN-180661
On the Panorama management server, pushing an unsupported Minimum Password Complexity ( Device Setup Management ) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.2.11
PAN-180104
When upgrading a CN-Series as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT pod if the Kubernetes cluster previously had a CN-Series as a DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround : Reboot the worker nodes before upgrading to PAN-OS 10.2.
Known
10.2.11
PAN-178194
A user interface issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering inline ML.
Workaround: Configuration settings for URL Filtering inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific websites— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.2.11
PAN-177455
PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls with HA (high availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.2.11
PAN-175915
When the firewall is deployed on N3 and N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile Network Protection Profile, the Traffic logs do not display network slice SST and SD values.
Known
10.2.11
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.2.11
PAN-172274
When you activate the Advanced URL Filtering license, your license entitlements for PAN-DB and Advanced URL Filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.2.11
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Addressed
10.2.11-h10
PAN-259351
A fix was made to address CVE-2024-3393 .
Addressed
10.2.11-h9
PAN-273215
Fixed an issue where a syntax error in the index generation script caused a high management plane CPU load after upgrading.
Addressed
10.2.11-h9
PAN-268823
Fixed an issue where Monitor > Log Display did not display all logs when you applied a filter.
Addressed
10.2.11-h9
PAN-268339
Fixed an issue where syslog-ng failed to start due to the syslog-ng.config file being corrupted when upgrading from PAN-OS 10.2.9-h1 to PAN-OS 10.2.11.
Addressed
10.2.11-h9
PAN-264249
Fixed an issue on the firewall where SNMP queries timed out when using SNMP.
Addressed
10.2.11-h9
PAN-263973
Fixed an issue where log collectors had a low incoming log rate.
Addressed
10.2.11-h9
PAN-263287
The PAN-COMMON-MIB.my file was updated to support new object identifiers (OID) to poll interface use via SNMP with table identifiers.
Addressed
10.2.11-h9
PAN-261332
A fix was made to address CVE-2024-2552 .
Addressed
10.2.11-h9
PAN-259910
Fixed an issue where the firewall reported the same value over consecutive SNMP polls when asynchronous mode was enabled.
Addressed
10.2.11-h9
PAN-257601
( PA-5450 firewalls only ) Fixed an issue where Networking Cards (NC) experienced an internal link fault which caused path monitoring failure on the Dataplane Processing Card (DPC).
Addressed
10.2.11-h9
PAN-246699
Fixed an issue on Panorama where Rule Usage and Apps Seen under Security policy rules stopped incrementing.
Addressed
10.2.11-h9
PAN-225213
Fixed an issue where Push All Changes displayed changes that were already committed in the push scope for another device group after performing a selective commit and selective push to the first device group.
Addressed
10.2.11-h6
PAN-272809
A fix was made to address CVE-2024-0012 ( PAN-SA-2024-0015 ) and CVE-2024-9474 .
Addressed
10.2.11-h6
PAN-267001
Fixed an issue where multicast streams were unstable with ECMP and dropped every 30 seconds.
Addressed
10.2.11-h6
PAN-266704
Fixed an issue where filtering BGP routes by peer name in Advanced Routing Engine (ARE) did not display the correct routes.
Addressed
10.2.11-h6
PAN-266312
Fixed an issue where BFD sessions took longer than expected to establish after an HA failover due to BGP.
Addressed
10.2.11-h6
PAN-262287
Fixed an issue where dereferencing a NULL pointer that occurred caused pan_task processes to stop responding.
Addressed
10.2.11-h6
PAN-259870
( PA-7000b firewalls only ) Fixed an issue where Luna Network Hardware Security Modules (HSM) did not work after an upgrade or downgrade.
Addressed
10.2.11-h6
PAN-258912
( PA-7000b firewalls only ) Fixed an issue where the firewall web interface displayed an incorrect HSM client version when the client was upgraded to version 7.2.0.220.
Addressed
10.2.11-h6
PAN-255360
Fixed an issue where the firewall booted into maintenance mode when there was no connectivity to the specified HSM.
Addressed
10.2.11-h6
PAN-226361
Fixed an issue where sessions bypassed L7 inspection or ended unexpectedly with the error resources unavailable when the firewall incorrectly interpreted the Content and Threat Detection (CTD) global packet queue as being full.
Addressed
10.2.11-h4
PAN-262287
Fixed an issue where dereferencing a NULL pointer that occurred caused pan_task processes to stop responding.
Addressed
10.2.11-h4
PAN-226361
Fixed an issue where sessions bypassed L7 inspection or ended unexpectedly with the error resources unavailable when the firewall incorrectly interpreted the Content and Threat Detection (CTD) global packet queue as being full.
Addressed
10.2.11-h3
PAN-264680
( PA-220 firewalls only ) Fixed an issue where Device > Setup was not displayed on the web interface.
Addressed
10.2.11-h3
PAN-262340
Fixed an issue where FQDN resolution failed for address objects, and all FQDN traffic was denied by the interzone-default policy rule.
Addressed
10.2.11-h2
PAN-265438
Fixed an issue where the firewall did not update the Nicafe firmware from 2.110 to 2.111.
Addressed
10.2.11-h2
PAN-265336
Fixed an issue where the copper ports flapped when generating a technical support file, executing telemetry, or retrieving port status using a Management Data Input/Output (MDIO) read.
Addressed
10.2.11-h2
PAN-264871
Fixed an issue on Panorama where the configd process stopped responding when viewing IP addresses on dynamic address groups with a large number of IP addresses.
Addressed
10.2.11-h2
PAN-260512
Fixed an issue where accessing the IP address of the device address group objects from the user interface caused the configd process to stop responding.
Addressed
10.2.11-h1
PAN-263226
Fixed an issue where decryption based traffic failed on Explicit Proxy nodes.
Addressed
10.2.11-h1
PAN-261917
Fixed an issue where websites with a no-decrypt policy rule were decrypted in traffic log when using a Google Chrome browser with PQC enabled.
Addressed
10.2.11-h1
PAN-257957
( Firewalls and Panorama appliances in FIPS-CC mode only ) Fixed an issue where the authd process restarted if RADIUS PAP/CHAP authentication was used.
Addressed
10.2.11
PAN-259997
( PA-3410, PA-3420, and PA-3430 firewalls only ) Fixed an issue where the install failed when upgrading from PAN-OS 10.2.3-h3 and later 10.2 releases to PAN-OS 10.2.10 due to the number of configured vsys zones exceeding the zone limit in PAN-OS 10.2.10.
Addressed
10.2.11
PAN-259480
Fixed an issue where the varrcvr process stopped responding after running out of memory due to how the process queued and dequeued files for WildFire file forwarding when a WildFire Analysis Security Profile was enabled.
Addressed
10.2.11
PAN-259473
( PA-5450 firewalls only ) Fixed an issue where the chassis shut down when FAN1 was removed.
Addressed
10.2.11
PAN-259344
Fixed an issue where performing a configuration commit on a firewall locally or from Panorama caused a memory leak related to the configd process and resulted in an out-of-memory (OOM) condition.
Addressed
10.2.11
PAN-257925
( CN-Series firewalls only ) Fixed an issue where the CLI command show system setting ctd state did not work as expected.
Addressed
10.2.11
PAN-257601
( PA-5450 firewalls only ) Fixed an issue where Networking Cards (NC) experienced an internal link fault which caused path monitoring failure on the Dataplane Processing Card (DPC).
Addressed
10.2.11
PAN-257515
Fixed an issue where Possible Domain Fronting Detection for HTTP/2 generated false positives. With this change, domain fronting is limited to HTTP/1.
Addressed
10.2.11
PAN-257355
Fixed an issue where a false positive HTTP/TLS evasion alert was generated when the domain had DNS load balance.
Addressed
10.2.11
PAN-257462
Fixed an issue related to the varrcvr process where the management plane CPU was higher than expected during WildFire updates.
Addressed
10.2.11
PAN-257432
Fixed an issue on Panorama where the reportd process stopped responding, which caused a log query issue.
Addressed
10.2.11
PAN-257021
"Fixed an issue on the web interface where Match Evidence log details for Monitor > Correlated events did not populate."
Addressed
10.2.11
PAN-256939
Fixed an issue on the firewall where disk space was low in /opt/pancfg/ , which caused dynamic content installation to fail.
Addressed
10.2.11
PAN-256738
( VM-Series firewalls in HA configurations only ) Fixed an issue where BGP routes from the active firewall were lost when the passive firewall was rebooted.
Addressed
10.2.11
PAN-256666
Fixed an issue where the configd process stopped responding when Commit and Push operations were performed on multiple device groups.
Addressed
10.2.11
PAN-256223
Fixed an issue where device telemetry log collection filled the root partition.
Addressed
10.2.11
PAN-255163
( CN-Series firewalls only ) Fixed an issue where the system database key that stored the configuration status of the dataplane pod was not updated frequently.
Addressed
10.2.11
PAN-254373
Fixed an issue where the firewall did not handle error code 500 responses from the WildFire cloud correctly.
Addressed
10.2.11
PAN-253085
Fixed an issue where the firewall restarted when the parsing of the cross-pkt http origin header failed when processing a translator website.
Addressed
10.2.11
PAN-252411
Fixed an issue where, when log files were purged from the rollup summary logs, the summary report still used the rollup summary data, which resulted in the summary report displaying less data.
Addressed
10.2.11
PAN-251929
Fixed an issue where inbound decryption did not work when FIPS self-tests were turned on.
Addressed
10.2.11
PAN-251847
Fixed an issue on log collectors where the incoming log rate was lower than expected.
Addressed
10.2.11
PAN-251676
Fixed an issue on Panorama appliances in large-scale deployments where configd process core files consumed more space in the /opt/panlogs partition than was available.
Addressed
10.2.11
PAN-251656
Fixed an issue where enabling lockless QoS caused traffic disruptions.
Addressed
10.2.11
PAN-250371
Fixed an issue where the logrcvr process stopped responding, which caused commits to fail with the error message Management server failed to send phase 1 to client logrcvr .
Addressed
10.2.11
PAN-250062
Fixed an issue where device telemetry failed after upgrading due to bundle generation failure.
Addressed
10.2.11
PAN-249814
Fixed an issue where multiple all_task processes stopped responding, which caused the dataplane to fail.
Addressed
10.2.11
PAN-248975
Fixed an issue on the Panorama web interface where no content was displayed after logging in.
Addressed
10.2.11
PAN-248508
( VM-Series firewalls on Amazon Web Services (AWS) environments only ) Fixed an issue where the firewall did not perform MSS clamping when GWLB endpoints were mapped to static subinterfaces.
Addressed
10.2.11
PAN-248211
Fixed an issue on Panorama where commits failed when Advanced Routing was enabled.
Addressed
10.2.11
PAN-247257
Fixed an issue where the useridd process stopped responding, which caused the firewall to reboot.
Addressed
10.2.11
PAN-247099
Fixed an issue where the firewall decrypted traffic unexpectedly when the client hello was spread across multiple packets.
Addressed
10.2.11
PAN-246707
Fixed an issue where failover was not triggered when multiple processes stopped responding.
Addressed
10.2.11
PAN-246420
( PA-5450 Series firewalls only ) Fixed an issue where the firewall rebooted unexpectedly during an upgrade.
Addressed
10.2.11
PAN-245428
Fixed an issue where FIB entries aged out and were incorrectly removed after an HA failover event.
Addressed
10.2.11
PAN-245157
( VM-Series firewalls in Microsoft Azure environments only ) Fixed an issue where the firewall restarted after an HA failover when DPDK was enabled.
Addressed
10.2.11
PAN-244894
Fixed an issue where turning off mprelay logging caused mprelay heartbeat failure.
Addressed
10.2.11
PAN-244227
Fixed an issue where inconsistent FIB entries across the dataplane were not detected.
Addressed
10.2.11
PAN-242601
Fixed an issue where the all-task process stopped responding with DNS traffic due to an incorrect cleanup by pan_free .
Addressed
10.2.11
PAN-242519
Fixed an issue where scheduled email reports failed if the @ symbol before the mail client was missing.
Addressed
10.2.11
PAN-242414
Fixed an issue where the CLI command show ntp displayed the NTP status as error instead of sync .
Addressed
10.2.11
PAN-242146
Fixed an issue where the DHCP was unable to find the interface, which resulted in the DHCP process and all connected DHCP services to stop responding.
Addressed
10.2.11
PAN-240993
Fixed an issue where you were unable to revert a sort in the task manager in the Admin column.
Addressed
10.2.11
PAN-240251
Fixed an issue where the vldmgr process incorrectly restarted during an Elasticsearch restart.
Addressed
10.2.11
PAN-239952
( Firewalls in active/passive HA configurations only ) Fixed an issue where HA sync messages from the active firewall took longer than expected to reach the passive firewall.
Addressed
10.2.11
PAN-239575
Fixed an issue where the TCP window size of the server-to-client flow for HTTP/2 connection sessions decremented if HTTP/2 stream sessions were closed due to a Security Profile or a Security policy rule. This caused the connection session to have a TCP window of 0.
Addressed
10.2.11
PAN-239337
Fixed an issue where the log_index was suspended and corrupted BDX files flooded the index_log.
Addressed
10.2.11
PAN-239271
Fixed an issue where changing the firewall's DNS servers could lead to connectivity to the hostname-configured User-ID agent.
Addressed
10.2.11
PAN-238705
( PA-400 Series firewalls only ) Fixed an issue where HA link-monitor did not work.
Addressed
10.2.11
PAN-238562
Fixed an issue where log collectors stopped responding when gathering reports from Panorama.
Addressed
10.2.11
PAN-238508
Fixed an issue where the routed process created excessive logs in the log file.
Addressed
10.2.11
PAN-238355
Fixed an issue where, when a device group was not successfully renamed, unexpected configuration changes to the device group structure occurred.
Addressed
10.2.11
PAN-238249
Fixed an issue where static route path monitor packets from a multislot chassis were intercepted by the firewall performing Static NAT (SNAT).
Addressed
10.2.11
PAN-237678
Fixed an issue with firewalls in active/passive HA configurations where the passive firewall displayed the error message Unable to read QSFP Module ID when the passive link state was set to shutdown.
Addressed
10.2.11
PAN-237582
Fixed an issue where logs were intermittently missing on the log collector due to missing aliases for some indices.
Addressed
10.2.11
PAN-237562
Fixed an issue where firewalls generated link-change system logs for SFP ports even when no cable was connected to the ports.
Addressed
10.2.11
PAN-237478
Fixed an issue where the Traffic log displayed 0 bytes for denied sessions.
Addressed
10.2.11
PAN-237369
( PA-1420 firewalls only ) Fixed an issue where the all_task process stopped responding, which caused the firewall to become unresponsive.
Addressed
10.2.11
PAN-236497
Fixed an issue where the firewall was unable to purge expired GTP-U sessions that remained as allocated sessions even after the TTL was expired.
Addressed
10.2.11
PAN-236261
Fixed an issue where a proxy server was used for external dynamic list communication even when the dataplane interface was configured through service routes.
Addressed
10.2.11
PAN-235336
Fixed an issue where the character limit for dgname exceeded the supported number of characters (31), which caused device group names to be partially displayed during a validate operation.
Addressed
10.2.11
PAN-235081
( VM-Series firewalls only ) Fixed an issue where the firewall sent packets to its own interface after configuring NAT64.
Addressed
10.2.11
PAN-234596
Fixed an issue on firewalls in active/passive HA configurations where the passive firewall incorrectly became active after a reboot.
Addressed
10.2.11
PAN-234560
Fixed an issue where the daily summary report displayed IPv6 addresses instead of IPv4 addresses.
Addressed
10.2.11
PAN-234459
Fixed an issue with the firewall web interface where local SSL decryption exclusion cache entries were not visible.
Addressed
10.2.11
PAN-233689
( PA-7000 Series firewalls only ) Fixed an issue where the Log Forwarding Card (LFC) disk quota usage was reported as 0 MB for all log types.
Addressed
10.2.11
PAN-233541
Fixed an issue where device group and template administrators with access to a specific virtual system were able to see logs for all virtual systems via Context Switch.
Addressed
10.2.11
PAN-233366
Fixed an issue where the DHCP server sent DHCP ACK messages as broadcasts instead of unicasts when responding to DHCP INFORM messages.
Addressed
10.2.11
PAN-233129
Fixed an issue where the firewall sent duplicate logs to syslog server when the log forwarding profile was configured with Shared enabled and was used in a Security policy rule.
Addressed
10.2.11
PAN-232368
Fixed an issue where commits failed with the error message Error: Max. user groups used in policy 1389 exceed capacity (1000) .
Addressed
10.2.11
PAN-231802
Fixed an issue where an Advanced Routing BGP session flapped with commits when BGP peer authentication was enabled.
Addressed
10.2.11
PAN-230326
Fixed an issue where the Network Packet Broker (NPB) user interface was incorrectly displayed on unsupported platforms.
Addressed
10.2.11
PAN-229873
( PA-7050 firewalls only ) Fixed an issue related to brdagent process errors.
Addressed
10.2.11
PAN-229606
Fixed an issue where the brdagent process stopped responding after an upgrade due to initialization failure.
Addressed
10.2.11
PAN-227939
Fixed an issue where the all_task process stopped responding due to high wifclient memory usage, which caused the firewall to reboot.
Addressed
10.2.11
PAN-227887
Fixed an issue where IP address checksums were calculated incorrectly.
Addressed
10.2.11
PAN-225213
Fixed an issue where Push All Changes displayed changes that were already committed in the push scope for another device group after performing a selective commit and selective push to the first device group.
Addressed
10.2.11
PAN-224938
Fixed an issue where the CLI command settings for set system setting logging max-log-rate did not persist after a mgmtsrvr process restart.
Addressed
10.2.11
PAN-224584
Fixed an issue on Panorama where generating UAR reports for 30 days or more was slower than expected, and reports showed the same logs repeatedly in a loop.
Addressed
10.2.11
PAN-224365
Fixed an issue where excessive network path monitoring messages were generated in the system logs.
Addressed
10.2.11
PAN-221711
Fixed an issue on the firewall that caused the LFC to stop responding, which impacted logging capability.
Addressed
10.2.11
PAN-221571
Fixed an issue on the web interface where the Security policy rule hit count remained at 0 for some rules even though the traffic logs showed live hits.
Addressed
10.2.11
PAN-220881
Fixed an issue where the CLI command show logging-status did not correctly display the last log created and forwarded timestamps.
Addressed
10.2.11
PAN-220500
( PA-5450 and PA-400 firewalls only ) Fixed an issue where the request shutdown system CLI command did not completely shut down the system.
Addressed
10.2.11
PAN-217307
Fixed an issue where the log-start and log-end policy rule filters did not return reliable results when set to no or yes .
Addressed
10.2.11
PAN-215670
Fixed an issue where local reports and scheduled reports displayed different data.
Addressed
10.2.11
PAN-215561
Fixed an issue where GlobalProtect authentication failed when new users were added to an existing local database group user list.
Addressed
10.2.11
PAN-214177
Fixed an issue where template configurations were not properly pushed to the firewall during an export or push of the device configuration bundle.
Addressed
10.2.11
PAN-214100
Fixed an issue where selecting a threat name under Threat Monitor displayed the threat ID instead of the threat name.
Addressed
10.2.11
PAN-209542
( PA-5450 firewalls only ) Fixed an issue where, when a log interface was configured, the log interface and the management interface remained connected to the log collector when upgrading to PAN-OS 10.2.2.
Addressed
10.2.11
PAN-205482
Fixed an issue related to the configd process where Panorama displayed the error Server not responding when editing policy rules.
Addressed
10.2.11
PAN-198622
Fixed an issue where username fields under Policies were marked with the same color as the first tag associated to that rule.
Addressed
10.2.11
PAN-196395
( PA-5450 firewalls only ) Fixed an issue where the firewall accepted 12 Aggregate Ethernet interfaces, but you were unable to configure interfaces 9-12 via the web interface.
Addressed
10.2.11
PAN-194968
Fixed an issue on the web interface where Antivirus updates were not able to be downloaded and installed unless Apps and Threads updates were downloaded and installed first, and the Antivirus content list displayed as blank. The resulting error message from the update server was also not reflected in the web interface.
Addressed
10.2.11
PAN-191632
Fixed an issue where console sessions were not cleared after the set idle timeout value.
Known
10.2.12
WF500-5854
The WildFire analysis report on the firewall log viewer ( Monitoring WildFire Submissions ) does not display the following data fields: File Type, SHA-256, MD-5, and File Size".
Workaround : Download and open the WildFire analysis report in the PDF format using the link in the upper right-hand corner of the Detailed Log View .
Known
10.2.12
WF500-5843
In a WildFire appliance cluster, issuing the show cluster-all peers CLI command when a node within the cluster is being rebooted generates the following error: Server error : An error occured.
Known
10.2.12
WF500-5840
The sample analysis statistics that are returned when issuing the show wildfire local statistics CLI command in WildFire appliance cluster deployments may not accurately reflect the number of samples that have been processed.
Known
10.2.12
WF500-5823
The following WildFire appliance CLI command does not return a signature generation status as expected: show wildfire global signature-status . This does not corrupt or otherwise prevent the WildFire appliance from analyzing a sample.
Known
10.2.12
WF500-5781
The WildFire appliance might erroneously generate and log the following device certification error: Device certificate is missing or invalid. It cannot be renewed.
Known
10.2.12
WF500-5754
In WildFire appliance clusters, issuing the show cluster controller CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6).
Known
10.2.12
WF500-5632
The number of registered WildFire appliances reported in Panorama ( Panorama Managed WildFire Appliances Firewalls Connected View ) does not accurately reflect the current status of connected WildFire appliances.
Known
10.2.12
PAN-262287
This issue is now resolved. See PAN-OS 10.2.12-h1 Addressed Issues .
Dereferencing a NULL pointer that occurs might cause pan_task processes to crash.
Known
10.2.12
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.2.12
PAN-259769
GlobalProtect portal is not accessible via a web browser and the app displays the error ERR_EMPTY_RESPONSE .
Known
10.2.12
PAN-257601
Fixed in PAN-OS 10.2.11 . Affects 10.2.11-h2 and later 10.2 releases.
( PA-5450 firewalls only ) Networking cards can experience an internal link fault, causing path monitoring failure on the Dataplane Processing Card (DPC).
Known
10.2.12
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
10.2.12
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.2.12
PAN-229865
Upgrading a PA-220 firewall running a PAN-OS 10.1 release fails when the target PAN-OS upgrade version is PAN-OS 10.2.5.
Workaround: On your upgrade path to PAN-OS 10.2.5, first upgrade to PAN-OS 10.2.4 and then upgrade to PAN-OS 10.2.5.
Known
10.2.12
PAN-223677
( PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420, and PA-5430 firewalls ) By enabling Lockless QoS feature, a slight degradation in App-ID and Threat performance is expected.
Known
10.2.12
PAN-222586
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings ( Device Log Settings ) are not displayed and cannot be configured.
Known
10.2.12
PAN-221775
A Malformed Request error is displayed when you Test Connection for an email server profile ( Device Server Profiles Email ) using SMTP over TLS and the Password includes an ampersand (&).
Known
10.2.12
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.2.12
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list ( Monitor Block IP ):
show -> dis-block-table is unexpected
Known
10.2.12
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor ( Monitor App Scope Threat Monitor ) and ACC . This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.2.12
PAN-212533
Modifying the Administrator Type for an existing administrator ( Device Administrators or Panorama Administrators ) from Superuser to a Role-Based custom admin, or vice versa, does not modify the access privileges of the administrator.
Known
10.2.12
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile ( Panorama Admin Roles ).
Known
10.2.12
PAN-209288
Certificates are not successfully generated using SCEP ( Device Certificate Management SCEP ).
Known
10.2.12
PAN-208622
A file upload to Box.com exceeding 6 files gets stuck and fails to upload if you specify an Enterprise DLP data filtering profile ( Objects DLP Data Filtering Profiles with the Action set to Block to a Security policy rule ( Policies Security ).
Known
10.2.12
PAN-204689
Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App Allow with Passcode
  • Allow user to Disable GlobalProtect App Allow with Passcode
  • Allow User to Uninstall GlobalProtect App Allow with Password
Known
10.2.12
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.2.12
PAN-196504
License deactivation fails for VM-Series firewalls licensed using PA-VM Bundle 3 (BND3).
Known
10.2.12
PAN-194996
When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, allocating bandwidth for a remote network deployment fails (the OK button is grayed out).
Workaround : Retry the operation.
Known
10.2.12
PAN-194519
( PA-5450 firewall only ) Trying to configure a custom payload format under Device Server Profiles HTTP yields a Javascript error.
Known
10.2.12
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.2.12
PAN-194424
( PA-5450 firewall only ) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround: Restart the log receiver service by running the following CLI command: 
debug software restart process log-receiver
Known
10.2.12
PAN-194202
( PA-5450 firewall only ) If the management interface and logging interface are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.2.12
PAN-190727
( PA-5450 firewall only ) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.2.12
PAN-189111
After deleting an MP pod and it comes up, the show routing command output appears empty and traffic stops working.
Known
10.2.12
PAN-189076
On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain.
Known
10.2.12
PAN-188358
After triggering a soft reboot on a M-700 appliance, the Management port LEDs do not light up when a 10G Ethernet cable is plugged in.
Known
10.2.12
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.2.12
PAN-187643
If you enable SCTP security using a Panorama template when SCTP INIT Flood Protection is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the SCTP INIT option is not available in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make the SCIT INIT option available on the web interface.
Known
10.2.12
PAN-187612
On the Panorama management server, not all data profiles ( Objects DLP Data Filtering Profiles ) are displayed after you:
  • Upgrade Panorama to PAN-OS 10.2 and upgrade the Enterprise DLP plugin to version 3.0.
  • Downgrade Panorama to PAN-OS 10.1 and downgrade the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP plugin.
admin > request plugins dlp reset
Known
10.2.12
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
10.2.12
PAN-187370
On a firewall with Advanced Routing enabled, if there is also a logical router instance that uses the default configuration and has no interfaces assigned to it, this will result in terminating the management daemon and main routing daemon in the firewall during commit.
Workaround : Do not use a logical router instance with no interfaces bound to it.
Known
10.2.12
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround : Use Commit Push to Devices to synchronize the templates.
Known
10.2.12
PAN-186282
On HA deployments on AWS and Azure, Panorama fails to populate match criteria automatically when adding dynamic address groups.
Workaround: Reboot the Panorama HA pair.
Known
10.2.12
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
10.2.12
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
10.2.12
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
10.2.12
PAN-181823
On a PA-5400 Series firewall (minus the PA-5450), setting the peer port to forced 10M or 100M speed causes any multi-gigabit RJ-45 ports on the firewall to go down if they are set to Auto.
Known
10.2.12
PAN-180661
On the Panorama management server, pushing an unsupported Minimum Password Complexity ( Device Setup Management ) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.2.12
PAN-180104
When upgrading a CN-Series as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT pod if the Kubernetes cluster previously had a CN-Series as a DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround : Reboot the worker nodes before upgrading to PAN-OS 10.2.
Known
10.2.12
PAN-178194
A user interface issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.2.12
PAN-177455
PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.2.12
PAN-175915
When the firewall is deployed on N3 and N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile Network Protection Profile, the traffic logs do not display network slice SST and SD values.
Known
10.2.12
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.2.12
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.2.12
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Addressed
10.2.12-h4
PAN-259351
A fix was made to address CVE-2024-3393 .
Addressed
10.2.12-h3
PAN-273215
Fixed an issue where a syntax error in the index generation script caused a high management plane CPU load after upgrading.
Addressed
10.2.12-h3
PAN-272413
Fixed an issue where device telemetry did not generate logs after upgrading the firewall.
Addressed
10.2.12-h3
PAN-268823
Fixed an issue where Monitor > Log Display did not display all logs when you applied a filter.
Addressed
10.2.12-h3
PAN-268339
Fixed an issue where syslog-ng failed to start due to the syslog-ng.config file being corrupted when upgrading from PAN-OS 10.2.9-h1 to PAN-OS 10.2.11.
Addressed
10.2.12-h3
PAN-264249
Fixed an issue on the firewall where SNMP queries timed out when using SNMP.
Addressed
10.2.12-h3
PAN-263973
Fixed an issue where log collectors had a low incoming log rate.
Addressed
10.2.12-h3
PAN-263287
The PAN-COMMON-MIB.my file was updated to support new object identifiers (OID) to poll interface use via SNMP with table identifiers.
Addressed
10.2.12-h3
PAN-259910
Fixed an issue where the firewall reported the same value over consecutive SNMP polls when asynchronous mode was enabled.
Addressed
10.2.12-h3
PAN-246699
Fixed an issue on Panorama where Rule Usage and Apps Seen under Security policy rules stopped incrementing.
Addressed
10.2.12-h2
PAN-272809
A fix was made to address CVE-2024-0012 ( PAN-SA-2024-0015 ) and CVE-2024-9474 .
Addressed
10.2.12-h1
PAN-262287
Fixed an issue where dereferencing a NULL pointer that occurred caused pan_task processes to stop responding.
Addressed
10.2.12
PAN-264680
( PA-220 firewalls only ) Fixed an issue where Device > Setup was not displayed on the web interface.
Addressed
10.2.12
PAN-263226
Fixed an issue where, when SSL decryption was enabled and Client Hello messages spanned multiple TCP segments, some SSL decrypted sessions failed.
Addressed
10.2.12
PAN-263164
Fixes a problem where Netflow User ID information was truncated to 31 characters.
Addressed
10.2.12
PAN-262593
Fixed an issue where traffic to websites failed on the Google Chrome web browser on Secure Web Gateway (SWG) nodes.
Addressed
10.2.12
PAN-261991
Fixed an issue where traffic that did not match a decryption policy rule, or matched a no-decrypt policy rule, failed when accumulation proxy was enabled and a Zone Protection profile was configured with syn-cookies enabled.
Addressed
10.2.12
PAN-261917
Fixed an issue where websites with a no-decrypt policy rule were decrypted in traffic log when using a Google Chrome browser with PQC enabled.
Addressed
10.2.12
PAN-261489
Fixed an issue where an out-of-memory (OOM) condition caused a firewall outage.
Addressed
10.2.12
PAN-261484
Fixed an issue on the firewall where DPDK allocated twice the amount of memory as requested for pre-allocation.
Addressed
10.2.12
PAN-260928
Fixed an issue where GlobalProtect failed to connect when using LDAP authentication with machine certificates with the error message You are not authorized to connect to GlobalProtect portal .
Addressed
10.2.12
PAN-260738
Fixed an issue on the Panorama web interface where the progress bar did not complete when importing a vulnerability profile configuration through an XML file.
Addressed
10.2.12
PAN-260149
Fixed an issue where the management plane DNS cache size was lower than expected.
Addressed
10.2.12
PAN-259883
Fixed an issue where the firewalls behind an Amazon Web Services (AWS) Gateway Load Balancer (GWLB) stopped responding when processing GENEVE packets with the reserved bit set.
Addressed
10.2.12
PAN-257994
( CN-Series firewalls only ) Fixed an issue where commits failed with the error failed to handle CONFIG_UPDATE_START due to cfgdb files for the container not being symbolically linked to the cfgdb files on the virtual machine.
Addressed
10.2.12
PAN-257957
( Firewalls and Panorama appliances in FIPS-CC mode only ) Fixed an issue where the authd process restarted if RADIUS PAP/CHAP authentication was used.
Addressed
10.2.12
PAN-257652
Fixed an issue where Internal Host Detection for IPv6 did not work after upgrading to a PAN-OS 10.2 release.
Addressed
10.2.12
PAN-255611
Fixed an issue on the firewall where newly added routes were not automatically sorted based on subnets when added to a redistribution profile.
Addressed
10.2.12
PAN-255509
( PA-5450 firewalls only ) Fixed an issue where BFD sessions flapped intermittently.
Addressed
10.2.12
PAN-255323
( PA-7050 firewalls only ) Fixed an issue where the Network Processing Card (NPC), Data Processing Card (DPC), and Log Forwarding Card (LFC) remained in a starting state after an unexpected power cycle.
Addressed
10.2.12
PAN-252974
( PA-450 firewalls only ) Fixed an issue where specific routes were not advertised when BGP Aggregate was configured with the advertise filter.
Addressed
10.2.12
PAN-252669
Fixed an issue where the ikemgr process stopped responding with a SIGSEGV error.
Addressed
10.2.12
PAN-251446
Fixed an issue where a critical system log was generated for a SAML authenticated user whose username length was greater than 32 characters.
Addressed
10.2.12
PAN-250394
Fixed an issue where a large amount of group data caused serialization errors and prevented synchronization.
Addressed
10.2.12
PAN-239246
Fixed an issue where the CLI command debug user-id dump hip-based-profile-database-entry returned an incorrect value in the output for the total size of hip reports .
Addressed
10.2.12
PAN-230825
Fixed an issue where link flaps occurred on Panorama appliances in high-availability (HA) configurations.
Addressed
10.2.12
PAN-227543
Fixed an issue where the firewall did not match traffic to FQDN objects if the FQDN object contained uppercase characters.
Addressed
10.2.12
PAN-226361
Fixed an issue where sessions might end unexpectedly with the error resources-unavailable when the firewall incorrectly interprets the Content and Threat Detection (CTD) global packet queue as being full.
Addressed
10.2.12
PAN-221127
Fixed an issue where a large number of core files were generated, which caused the root partition to become full and the firewall to move into a non-functional state.
Addressed
10.2.12
PAN-210395
Fixed an issue where the GlobalProtect application configuration screen did not display all value names when a language other than English was selected.
Addressed
10.2.12
PAN-203231
Fixed an issue where Software Version in the device summary report exported from Panorama included HTML tags.
Addressed
10.2.12
PAN-189951
Fixed an issue where the CLI command debug device-telemetry on debug caused high CPU load.
Addressed
10.2.12
PAN-76904
( PA-5410 firewalls only ) Fixed an issue where the management interface went down and an error message displayed in the show interface management CLI command output.
Known
10.2.13
WF500-5854
The WildFire analysis report on the firewall log viewer ( Monitoring WildFire Submissions ) does not display the following data fields: File Type, SHA-256, MD-5, and File Size".
Workaround : Download and open the WildFire analysis report in the PDF format using the link in the upper right-hand corner of the Detailed Log View .
Known
10.2.13
WF500-5843
In a WildFire appliance cluster, issuing the show cluster-all peers CLI command when a node within the cluster is being rebooted generates the following error: Server error : An error occured.
Known
10.2.13
WF500-5840
The sample analysis statistics that are returned when issuing the show wildfire local statistics CLI command in WildFire appliance cluster deployments may not accurately reflect the number of samples that have been processed.
Known
10.2.13
WF500-5823
The following WildFire appliance CLI command does not return a signature generation status as expected: show wildfire global signature-status . This does not corrupt or otherwise prevent the WildFire appliance from analyzing a sample.
Known
10.2.13
WF500-5781
The WildFire appliance might erroneously generate and log the following device certification error: Device certificate is missing or invalid. It cannot be renewed.
Known
10.2.13
WF500-5754
In WildFire appliance clusters, issuing the show cluster controller CLI command generates an error when an IPv6 address is configured for the management interface but not for the cluster interface.
Workaround: Ensure all WildFire appliance interfaces that are enabled use matching protocols (all IPv4 or all IPv6).
Known
10.2.13
WF500-5632
The number of registered WildFire appliances reported in Panorama ( Panorama Managed WildFire Appliances Firewalls Connected View ) does not accurately reflect the current status of connected WildFire appliances.
Known
10.2.13
PAN-262287
This issue is now resolved. See PAN-OS 10.2.12-h1 Addressed Issues .
Dereferencing a NULL pointer that occurs might cause pan_task processes to crash.
Known
10.2.13
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
10.2.13
PAN-259769
GlobalProtect portal is not accessible via a web browser and the app displays the error ERR_EMPTY_RESPONSE .
Known
10.2.13
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
10.2.13
PAN-223365
The Panorama management server is unable to query any logs if the ElasticSearch health status for any Log Collector ( Panorama Managed Collector is degraded.
Workaround: Log in to the Log Collector CLI and restart ElasticSearch. 
admindebug elasticsearch es-restart all
Known
10.2.13
PAN-229865
Upgrading a PA-220 firewall running a PAN-OS 10.1 release fails when the target PAN-OS upgrade version is PAN-OS 10.2.5.
Workaround: On your upgrade path to PAN-OS 10.2.5, first upgrade to PAN-OS 10.2.4 and then upgrade to PAN-OS 10.2.5.
Known
10.2.13
PAN-223677
( PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420, and PA-5430 firewalls ) By enabling Lockless QoS feature, a slight degradation in App-ID and Threat performance is expected.
Known
10.2.13
PAN-222586
On PA-5410, PA-5420, and PA-5430 firewalls, the Filter dropdown menus, Forward Methods, and Built-In Actions for Correlation Log settings ( Device Log Settings ) are not displayed and cannot be configured.
Known
10.2.13
PAN-221775
A Malformed Request error is displayed when you Test Connection for an email server profile ( Device Server Profiles Email ) using SMTP over TLS and the Password includes an ampersand (&).
Known
10.2.13
PAN-213746
On the Panorama management server, the Hostkey displayed as undefined undefined if you override an SSH Service Profile ( Device Certificate Management SSH Service Profile ) Hostkey configured in a Template from the Template Stack.
Known
10.2.13
PAN-213119
PA-5410 and PA-5420 firewalls display the following error when you view the Block IP list ( Monitor Block IP ):
show -> dis-block-table is unexpected
Known
10.2.13
PAN-212889
On the Panorama management server, different threat names are used when querying the same threat in the Threat Monitor ( Monitor App Scope Threat Monitor ) and ACC . This results in the ACC displaying no data to display when you are redirected to the ACC after clicking a threat name in the Threat Monitor and filtering the same threat name in the Global Filters.
Known
10.2.13
PAN-212533
Modifying the Administrator Type for an existing administrator ( Device Administrators or Panorama Administrators ) from Superuser to a Role-Based custom admin, or vice versa, does not modify the access privileges of the administrator.
Known
10.2.13
PAN-211531
On the Panorama management server, admins can still perform a selective push to managed firewalls when Push All Changes and Push for Other Admins are disabled in the admin role profile ( Panorama Admin Roles ).
Known
10.2.13
PAN-209288
Certificates are not successfully generated using SCEP ( Device Certificate Management SCEP ).
Known
10.2.13
PAN-208622
A file upload to Box.com exceeding 6 files gets stuck and fails to upload if you specify an Enterprise DLP data filtering profile ( Objects DLP Data Filtering Profiles with the Action set to Block to a Security policy rule ( Policies Security ).
Known
10.2.13
PAN-204689
Upon upgrade to PAN-OS 10.2.4, the following GlobalProtect settings do not work:
  • Allow user to disconnect GlobalProtect App Allow with Passcode
  • Allow user to Disable GlobalProtect App Allow with Passcode
  • Allow User to Uninstall GlobalProtect App Allow with Password
Known
10.2.13
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
10.2.13
PAN-196504
License deactivation fails for VM-Series firewalls licensed using PA-VM Bundle 3 (BND3).
Known
10.2.13
PAN-194996
When using a 10.2.2 Panorama to manage a Panorama Managed Prisma Access 3.1.2 deployment, allocating bandwidth for a remote network deployment fails (the OK button is grayed out).
Workaround : Retry the operation.
Known
10.2.13
PAN-194519
( PA-5450 firewall only ) Trying to configure a custom payload format under Device Server Profiles HTTP yields a Javascript error.
Known
10.2.13
PAN-194515
( PA-5450 firewall only ) The Panorama web interface does not display any predefined template stack variables in the dropdown menu under Device Setup Log Interface IP Address .
Workaround: Configure the log interface IP address on the individual firewall web interface instead of on Panorama.
Known
10.2.13
PAN-194424
( PA-5450 firewall only ) Upgrading to PAN-OS 10.2.2 while having a log interface configured can cause both the log interface and the management interface to remain connected to the log collector.
Workaround: Restart the log receiver service by running the following CLI command: 
debug software restart process log-receiver
Known
10.2.13
PAN-194202
( PA-5450 firewall only ) If the management interface and logging interface are configured on the same subnetwork, the firewall conducts log forwarding using the management interface instead of the logging interface.
Known
10.2.13
PAN-190727
( PA-5450 firewall only ) Documentation for configuring the log interface is unavailable on the web interface and in the PAN-OS Administrator’s Guide.
Known
10.2.13
PAN-189111
After deleting an MP pod and it comes up, the show routing command output appears empty and traffic stops working.
Known
10.2.13
PAN-189076
On a firewall with Advanced Routing enabled, OSPFv3 peers using a broadcast link and a designated router (DR) priority of 0 (zero) are stuck in a two-way state after HA failover.
Workaround: Configure at least one OSPFv3 neighbor with a non-zero priority setting in the same broadcast domain.
Known
10.2.13
PAN-188358
After triggering a soft reboot on a M-700 appliance, the Management port LEDs do not light up when a 10G Ethernet cable is plugged in.
Known
10.2.13
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
10.2.13
PAN-187643
If you enable SCTP security using a Panorama template when SCTP INIT Flood Protection is enabled in the Zone Protection profile using Panorama and you commit all changes, the commit is successful but the SCTP INIT option is not available in the Zone Protection profile.
Workaround: Log out of the firewall and log in again to make the SCIT INIT option available on the web interface.
Known
10.2.13
PAN-187612
On the Panorama management server, not all data profiles ( Objects DLP Data Filtering Profiles ) are displayed after you:
  • Upgrade Panorama to PAN-OS 10.2 and upgrade the Enterprise DLP plugin to version 3.0.
  • Downgrade Panorama to PAN-OS 10.1 and downgrade the Enterprise DLP plugin to version 1.0.
Workaround: Log in to the Panorama CLI and reset the DLP plugin.
admin > request plugins dlp reset
Known
10.2.13
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
10.2.13
PAN-187370
On a firewall with Advanced Routing enabled, if there is also a logical router instance that uses the default configuration and has no interfaces assigned to it, this will result in terminating the management daemon and main routing daemon in the firewall during commit.
Workaround : Do not use a logical router instance with no interfaces bound to it.
Known
10.2.13
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround : Use Commit Push to Devices to synchronize the templates.
Known
10.2.13
PAN-186282
On HA deployments on AWS and Azure, Panorama fails to populate match criteria automatically when adding dynamic address groups.
Workaround: Reboot the Panorama HA pair.
Known
10.2.13
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
10.2.13
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
10.2.13
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
10.2.13
PAN-181823
On a PA-5400 Series firewall (minus the PA-5450), setting the peer port to forced 10M or 100M speed causes any multi-gigabit RJ-45 ports on the firewall to go down if they are set to Auto.
Known
10.2.13
PAN-180661
On the Panorama management server, pushing an unsupported Minimum Password Complexity ( Device Setup Management ) to a managed firewall erroneously displays commit time out as the reason the commit failed.
Known
10.2.13
PAN-180104
When upgrading a CN-Series as a DaemonSet deployment to PAN-OS 10.2, CN-NGFW pods fail to connect to CN-MGMT pod if the Kubernetes cluster previously had a CN-Series as a DaemonSet deployment running PAN-OS 10.0 or 10.1.
Workaround : Reboot the worker nodes before upgrading to PAN-OS 10.2.
Known
10.2.13
PAN-178194
A user interface issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.
Workaround: Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:
  • Define URL exceptions for specific web sites— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception
  • Configuration settings for each inline ML model— 
    admin# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled
Known
10.2.13
PAN-177455
PAN-OS 10.2.0 is not supported on PA-7000 Series firewalls with HA (High Availability) clustering enabled and using an HA4 communication link. Attempting to load PAN-OS 10.2.0 on the firewall causes the PA-7000 100G NPC to go offline. As a result, the firewall fails to boot normally and enters maintenance mode. HA Pairs of Active-Passive and Active-Active firewalls are not affected.
Known
10.2.13
PAN-175915
When the firewall is deployed on N3 and N11 interfaces in 5G networks and 5G-HTTP/2 traffic inspection is enabled in the Mobile Network Protection Profile, the traffic logs do not display network slice SST and SD values.
Known
10.2.13
PAN-174982
In HA active/active configurations where, when interfaces that were associated with a virtual router were deleted, the configuration change did not sync.
Known
10.2.13
PAN-172274
When you activate the advanced URL filtering license, your license entitlements for PAN-DB and advanced URL filtering might not display correctly on the firewall — this is a display anomaly, not a licensing issue, and does not affect access to the services.
Workaround: Issue the following command to retrieve and update the licenses: license request fetch .
Known
10.2.13
PAN-171938
No results are displayed when you Show Application Filter for a Security policy rule ( Policies Security Application Value Show Application Filter ).
Addressed
10.2.13-h2
PAN-259351
A fix was made to address CVE-2024-3393 .
Addressed
10.2.13-h1
PAN-272413
Fixed an issue where device telemetry did not generate logs after upgrading the firewall.
Addressed
10.2.13
PAN-268823
Fixed an issue where Monitor > Log Display did not display all logs when you applied a filter.
Addressed
10.2.13
PAN-268501
Fixed an issue where the firewall was unable to generate a TSF file due to a full root partition.
Addressed
10.2.13
PAN-268339
Fixed an issue where syslog-ng failed to start due to the syslog-ng.config file being corrupted when upgrading from PAN-OS 10.2.9-h1 to PAN-OS 10.2.11.
Addressed
10.2.13
PAN-267660
Fixed an issue where UserID stopped working when the show object registered user CLI command was used with start-point and limit options.
Addressed
10.2.13
PAN-266698
Fixed an issue where an email was able to be transferred to the destination MTA even when the firewall detected a suspicious file with a reset-bot action when it was encrypted by STARTTLS.
Addressed
10.2.13
PAN-266695
Fixed an issue on Panorama where a cyclic nested address group configuration caused the configd process to stop responding after a commit.
Addressed
10.2.13
PAN-266427
Fixed an issue on the firewall where, when a high number of SD-WAN branch sites or interfaces were not connected, SD-WAN processes and tund processes stopped responding due to a high probing rate.
Addressed
10.2.13
PAN-265963
Fixed an issue where the escd process caused a memory leak when session resiliency was enabled on the firewall.
Addressed
10.2.13
PAN-265900
Fixed an issue where the firewall stopped responding due to a tund process or SD-WAN process restart.
Addressed
10.2.13
PAN-265742
Fixed an issue on the Panorama web interface where the OK button on the GlobalProtect gateway configuration dialog box was not clickable.
Addressed
10.2.13
PAN-265686
Fixed an issue where the GlobalProtect portal logged passwords in cleartext.
Addressed
10.2.13
PAN-264249
Fixed an issue on the firewall where SNMP queries timed out when using SNMP.
Addressed
10.2.13
PAN-264246
Fixed an issue where the Authentication Portal did not work properly with session cookies when the request to the portal contained the header Sec-Fetch-Site=cross-site .
Addressed
10.2.13
PAN-263973
Fixed an issue where log collectors had a low incoming log rate.
Addressed
10.2.13
PAN-263843
( VM-Series firewalls only ) Fixed an issue where the firewall received no-license packet buffers instead of memory based packet buffer numbers.
Addressed
10.2.13
PAN-263749
Fixed an issue where disk space that was used by file descriptors was not freed, which caused the root partition to become full and Panorama to be inaccessible.
Addressed
10.2.13
PAN-263674
( VM-Series firewalls in HA configurations only ) Fixed an issue where the firewall rebooted due to multiple HA failovers.
Addressed
10.2.13
PAN-263291
Fixed an issue where Microsoft Outlook did not work as expected when the GlobalProtect clientless VPN was configured.
Addressed
10.2.13
PAN-263287
The PAN-COMMON-MIB.my file was updated to support new object identifiers (OID) to poll interface use via SNMP with table identifiers.
Addressed
10.2.13
PAN-263270
Fixed an issue where, after a commit was performed from Strata Cloud Manager, the SD-WAN configuration containing BGP routes did not display on the hub firewall.
Addressed
10.2.13
PAN-262946
Fixed an issue on the firewall where logging in via the CLI or web interface did not work due to increased memory usage.
Addressed
10.2.13
PAN-261936
Fixed an issue where WildFire submission logs were not displayed when filtered by Sender Address .
Addressed
10.2.13
PAN-261673
( VM-Series firewalls on Microsoft Azure environments only ) Fixed an issue where, when Accelerated Networking was enabled, traffic was dropped because of the flow_parse_ip_hdr counter related to an Nvidia driver issue.
Addressed
10.2.13
PAN-261602
Fixed an issue where GlobalProtect Decryption logs were not forwarded to Panorama.
Addressed
10.2.13
PAN-260842
A CLI command was introduced to address an issue where TCP packets were out of order.
Addressed
10.2.13
PAN-260796
Fixed an issue where servers were not accessible through an active SSL GlobalProtect VPN tunnel until a new connection was established or the session was cleared on the firewall.
Addressed
10.2.13
PAN-260752
Fixed an issue where the firewall did not support TLSv1.3 in the Clientless VPN, which caused the portal page to not load.
Addressed
10.2.13
PAN-260604
Fixed an issue where the firewall displayed inaccurate throughput utilization stats in NetFlow analyzer tools.
Addressed
10.2.13
PAN-260564
Fixed an issue on firewalls in HA configurations where a network loop was detected by switches after suspending HA on the active firewall.
Addressed
10.2.13
PAN-260546
( PA-440 firewalls only ) Fixed an issue where the system clock reset to the epoch date and time after 8 to 12 weeks of shelf life or no power.
Addressed
10.2.13
PAN-260316
Fixed an issue where the all_task process stopped responding and the firewall rebooted.
Addressed
10.2.13
PAN-260290
Fixed an issue for fixed model licenses to support new content size requirements by reducing the total sessions supported to be equivalent to their flex memory counterpart
Addressed
10.2.13
PAN-260279
Fixed an issue where selective push operations failed with the error message: Failed to generate selective push configuration. Schema validation failed. Please try a full push .
Addressed
10.2.13
PAN-259910
Fixed an issue where the firewall reported the same value over consecutive SNMP polls when asynchronous mode was enabled.
Addressed
10.2.13
PAN-259870
( PA-7000b firewalls only ) Fixed an issue where Luna Network Hardware Security Modules (HSM) did not work after an upgrade or downgrade.
Addressed
10.2.13
PAN-259767
Fixed an issue where GlobalProtect users were unable to connect when the option Block sessions if the certificate was not issued to the authenticating device was enabled in the certificate profile.
Addressed
10.2.13
PAN-259727
( Panorama appliances in HA configurations only ) Fixed an issue where Panorama became unresponsive and displayed a 504 gateway timeout error when accessing the web interface or the CLI.
Addressed
10.2.13
PAN-258996
Fixed an issue where the firewall displayed the SFP ports as PowerDown when the SFP transceiver was removed and reinserted or the port was shut down and brought back up on the peer device.
Addressed
10.2.13
PAN-258912
( PA-7000b firewalls only ) Fixed an issue where the firewall web interface displayed an incorrect HSM client version when the client was upgraded to version 7.2.0.220.
Addressed
10.2.13
PAN-258166
( PA-220 firewalls only ) Fixed an issue where the root partition frequently reached 100%.
Addressed
10.2.13
PAN-257736
( PA-5450 firewalls only ) Fixed an issue where traffic to benign applications was was impacted by holding TCP sequential segments for MLC inspection and not releasing the full chain after a benign verdict was received.
Addressed
10.2.13
PAN-257601
( PA-5450 firewalls only ) Fixed an issue where Networking Cards (NC) experienced an internal link fault which caused path monitoring failure on the Dataplane Processing Card (DPC).
Addressed
10.2.13
PAN-257327
( PA-5440 firewalls only ) Fixed an issue where a failover event occurred unexpectedly on the firewall.
Addressed
10.2.13
PAN-256560
Fixed an issue where exporting a Custom Report to CSV format did not display the full report if it contained non-ASCII characters.
Addressed
10.2.13
PAN-256115
Fixed an issue where, after replacing a Panorama appliance or log collector, the secondary Panorama appliance or log collector displayed a disconnected status for the inter-log collector connection.
Addressed
10.2.13
PAN-255653
Fixed an HA failover issue where, when Management Processing Card (MPC) or Base Card (BC) failures occurred, the HA link went down, which caused fpp-down events on one firewall.
Addressed
10.2.13
PAN-255190
Fixed an issue where the TCP timeout value was reflected incorrectly when using application override for a custom application in TAP mode.
Addressed
10.2.13
PAN-253829
Fixed an issue where the CLI command show running security-policy timed out when the Security policy was large.
Addressed
10.2.13
PAN-252300
Fixed an issue where you were unable to select device groups in the push scope for user accounts.
Addressed
10.2.13
PAN-252270
Fixed an issue on the firewall where changes were incorrectly applied after a reboot or a restart of the configd process.
Addressed
10.2.13
PAN-251385
Fixed an issue where the configd process stopped responding when processing system logs.
Addressed
10.2.13
PAN-251035
Fixed an issue where selective push operations did not push certificate changes to the firewall.
Addressed
10.2.13
PAN-250928
( PA-5450 firewalls in active/active HA configurations only ) Fixed an issue where firewall traffic was silently dropped when sent to the peer owner.
Addressed
10.2.13
PAN-250585
Fixed an issue where the firewall CPU use increased after upgrading from PAN-OS 10.2.4-h4 to PAN-OS 10.2.8 due to a change in system resource reporting by the REST API.
Addressed
10.2.13
PAN-247857
( PA-7050 firewalls in HA configurations only ) Fixed an issue on the firewall where a dataplane process restarted when updating the routing table.
Addressed
10.2.13
PAN-247190
( VM-Series firewalls only ) Fixed an issue where the firewall was unable to connect to Panorama after manually uploading the license key.
Addressed
10.2.13
PAN-246699
Fixed an issue on Panorama where Rule Usage and Apps Seen under Security policy rules stopped incrementing.
Addressed
10.2.13
PAN-244039
( PA-5450 firewalls only ) Fixed an issue where the firewall dropped packets when attempting to reuse a TCP session.
Addressed
10.2.13
PAN-243235
Fixed an issue where Panorama stopped responding and rebooted repeatedly after an upgrade.
Addressed
10.2.13
PAN-242479
Fixed an issue where a high number of packets caused high packet descriptors on the firewall when handling EtherIP traffic.
Addressed
10.2.13
PAN-241022
Fixed an issue where rib-out routes were not displayed due to the next hop of BGP local routes not getting matched with export filters.
Addressed
10.2.13
PAN-241004
Fixed an issue where DNS Proxy dropped client requests of the type ns for a root domain.
Addressed
10.2.13
PAN-240990
Fixed an issue where l3svc.py displayed incorrect logs.
Addressed
10.2.13
PAN-239165
Fixed an issue where adding an interface in a route filter resulted in an OSPF LSA Type-5 packet check failure, which caused redistributed routes to be removed.
Addressed
10.2.13
PAN-238610
Fixed an issue with the Panorama Virtual Appliance where, after the mgmtsrvr restarted on the passive appliance, stale IP address tags were pushed to the connected firewalls with the message clear all registered ip addresses .
Addressed
10.2.13
PAN-237246
Fixed an issue where the all_pktproc process repeatedly restarted, which caused the firewall to go into a nonfunctional state.
Addressed
10.2.13
PAN-233965
Fixed an issue where the tund process stopped responding, which caused push operation to managed firewalls or making changes to local firewalls to fail.
Addressed
10.2.13
PAN-232530
Fixed an issue where the useridd process ran out of memory and restarted when the number of user or user groups exceeded the threshold.
Addressed
10.2.13
PAN-229686
Fixed an issue where eBGP remained in an idle state after disabling and enabling BGP configurations.
Addressed
10.2.13
PAN-229526
Fixed an issue where the mprelay process stopped responding due to a netflow session refresh taking longer than expected to complete.
Addressed
10.2.13
PAN-224472
Fixed an issue where the TCP timeout did not refresh for sessions using challenge-ACK, which caused the session to timeout.
Addressed
10.2.13
PAN-222590
Fixed an issue where a semicolon appeared at the end of file names of data filtering logs.
Addressed
10.2.13
PAN-218873
Fixed an issue where a HIP mask was reused when an existing IP address user mapping was updated by a new IP address user mapping that had a different username but the same IP address.
Addressed
10.2.13
PAN-218279
Fixed an issue on Panorama where hostname variables displayed as unknown when exporting template or template stack variables in CSV format.
Addressed
10.2.13
PAN-214122
Fixed an issue where the ikemgr process stopped responding when processing a high number of IKEv2 SA requests.
Addressed
10.2.13
PAN-195661
Fixed an issue where the firewall did not insert the IP address tag into the dynamic address group after a device server restart, which caused traffic that matched the dynamic address group Security policy rule base failed.
Addressed
10.2.13
PAN-193285
Fixed an issue where the policy optimizer feature did not add entries back to the mongodb database after removing them during an upgrade or downgrade.
Addressed
10.2.13
PAN-188998
Fixed an issue where the firewall logged excessive SSL VPN debug information.
Known
11.1.0
PAN-262556
The ElasticSearch cluster health status might continue to remain yellow for an extended period after upgrading to PAN-OS 11.1.0.
Known
11.1.0
PAN-262287
Dereferencing a NULL pointer that occurs might cause pan_task processes to crash.
Known
11.1.0
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
11.1.0
PAN-257615
This issue is now resolved. See PAN-OS 11.1.2-h9 Addressed Issues .
The Panorama web interface intermittently displays logs or fails to display logs completely.
Known
11.1.0
PAN-259769
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues .
GlobalProtect portal is not accessible via a web browser and the app displays the error ERR_EMPTY_RESPONSE .
Known
11.1.0
PAN-250062
This issue is now resolved. See PAN-OS 11.1.4-h4 Addressed Issues .
Device telemetry might fail at configured intervals due to bundle generation issues.
Known
11.1.0
PAN-243951
This issue is now resolved. See PAN-OS 11.1.2-h3 Addressed Issues
On the Panorama management sever in an active/passive High Availability (HA) configuration, managed devices ( Panorama Managed Devices Summary ) display as out-of-sync on the passive HA peer when configuration changes are made to the SD-WAN ( Panorama SD-WAN ) configuration on the active HA peer.
Workaround: Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select Commit and Commit to Panorama the SD-WAN configuration changes on the active HA peer.
    On the passive HA peer, select Panorama Managed Devices Summary and observe that the managed devices are now out-of-sync .
  3. Log in to the primary HA peer Panorama CLI and trigger a manual synchronization between the active and secondary HA peers.
    request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface and select Commit Push to Devices and Push .
Known
11.1.0
PAN-242910
On the Panorama management server, Panorama administrators ( Panorama Administrators ) that are assigned a custom Panorama admin role ( Panorama Admin Roles ) with Push All Changes enabled are unable to push configuration changes to managed firewalls when Managed Devices and Push For Other Admins are disabled.
Known
11.1.0
PAN-242561
GlobalProtect tunnel might disconnect shortly after being established when SSL is used as a transport protocol.
Workaround : Disable Internet Protocol version 6 (TCP/IPv6) on the PANGP Virtual Network Adapter.
Known
11.1.0
PAN-241041
This issue is now resolved. See PAN-OS 11.1.3 Addressed Issues
On the Panorama management server exporting template or template stack variables ( Panorama Templates ) in CSV format results in an empty CSV file.
Known
11.1.0
PAN-234408
Enterprise DLP cannot detect and block non-file based traffic for ChatGPT from traffic forwarded to the DLP cloud service from an NGFW.
Known
11.1.0
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
11.1.0
PAN-228491
On the AWS environment, the session failover takes up to 4 minutes.
Known
11.1.0
PAN-225337
On the Panorama management server, the configuration push to a multi-vsys firewall fails if you:
  1. Create a Shared and vsys-specific device group configuration object with an indentical name. For example, a Shared address object called SharedAO1 and a vsys-specific address object also called SharedAO1 .
  2. Reference the Shared object in another Shared configuration. For example, reference the Shared address object ( SharedAO1 ) in a Shared address group called SharedAG1 .
  3. Use the Shared configuration object with the reference in a vsys-specific configuration. For example, reference the Shared address group ( SharedAG1 ) in a vsys-specific policy rule.
Workaround: Select Panorama Setup Management and edit the Panorama Settings to enable one of the following:
  • Shared Unused Address and Service Objects with Devices —This options pushes all Shared objects, along with device group specific objects, to managed firewalls.
    This is a global setting and applies to all managed firewalls, and may result in pushing too many configuration objects to your managed firewalls.
  • Objects defined in ancestors will take higher precedence —This option specifies that in the event of objects with the same name, ancestor object take precedence over descendent objects. In this case, the Shared objects take precedence over the vsys-specific object.
    This is a global setting and applies to all managed firewalls. In the example above, if the IP address for the Shared SharedAO1 object was 10.1.1.1 and the device group specific SharedAO1 was 10.2.2.2 , the 10.1.1.1 IP address takes precedence.
Alternatively, you can remove the duplicate address objects from the device group configuration to allow only the Shared objects in your configuration.
Known
11.1.0
PAN-224502
The autocommit time of the VM-Series firewall running PAN-OS 11.1.0 might take longer than expected.
Known
11.1.0
PAN-220577
With firewalls in AWS environment that are licensed with VM capacity and secure web proxy licenses, it is observed that the enablement of the web-proxy config fails.
Workaround: Reboot the firewall after the web proxy license is applied.
Known
11.1.0
PAN-220180
Configured botnet reports ( Monitor Botnet ) are not generated.
Known
11.1.0
PAN-219644
Firewalls forwarding logs to a syslog server over TLS ( Objects Log Forwarding ) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
11.1.0
PAN-217307
This issue is now resolved. See PAN-OS 11.1.3 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
11.1.0
PAN-208794
In firewalls with transparent proxy, it is observed that a reboot is necessary to view the transit sessions.
Workaround : Edit the virtual router settings with any minor change and commit again. Any changes to the network/interfaces or network/virtual routers usually fixes this issue.
Alternatively, you may try rebooting the firewall. This issue disappears following reboot after the swg is setup and configured.
Known
11.1.0
PAN-207733
When a DHCPv6 client is configured on HA Active/Passive firewalls, if the DHCPv6 server goes down, after the lease time expires, the DHCPv6 client should enter SOLICIT state on both the Active and Passive firewalls. Instead, the client is stuck in BOUND state with an IPv6 address having lease time 0 on the Passive firewall.
Known
11.1.0
PAN-207611
When a DHCPv6 client is configured on HA Active/Passive firewalls, the Passive firewall sometimes crashes.
Known
11.1.0
PAN-207442
For M-700 appliances in an active/passive high availability ( Panorama High Availability ) configuration, the active-primary HA peer configuration sync to the secondary-passive HA peer may fail. When the config sync fails, the job Results is Successful ( Tasks ), however the sync status on the Dashboard displays as Out of Sync for both HA peers.
Workaround : Perform a local commit on the active-primary HA peer and then synchronize the HA configuration.
  1. Log in to the Panorama web interface of the active-primary HA peer.
  2. Select Commit and Commit to Panorama .
  3. In the active-primary HA peer Dashboard , click Sync to Peer in the High Availability widget.
Known
11.1.0
PAN-207040
If you disable Advanced Routing, remove logical routers, and downgrade from PAN-OS 11.0.0 to a PAN-OS 10.2.x or 10.1.x release, subsequent commits fail and SD-WAN devices on Panorama have no Virtual Router name.
Known
11.1.0
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status ( Panorama Managed Collector ) displaying connected and the managed colletor Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround: Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Log in to the Dedicated Log Collector CLI .
  2. Confirm the Dedicated Log Collector is disconnected from Panorama. 
    admin> show panorama-status
    Verify the Connected status is no .
  3. Restart the mgmtsrvr process. 
    admin> debug software restart process management-server
Known
11.1.0
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
Known
11.1.0
PAN-197419
( PA-1400 Series firewalls only ) In Network Interface Ethernet , the power over Ethernet (PoE) ports do not display a Tag value.
Known
11.1.0
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
11.1.0
PAN-195968
( PA-1400 Series firewalls only ) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the CLI prints an error depending on whether an interface type was selected on the non-PoE port or not. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message will not include the interface name (eg. ethernet1/4). If an interface type was not selected before PoE was configured, the error message will include the interface name.
Known
11.1.0
PAN-194978
( PA-1400 Series firewalls only ) In Network Interface Ethernet , hovering the mouse over a power over Ethernet (PoE) Link State icon does not display link speed and link duplex details.
Known
11.1.0
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
11.1.0
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
11.1.0
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround : Use Commit Push to Devices to synchronize the templates.
Known
11.1.0
PAN-184708
Scheduled report emails ( Monitor PDF Reports Email Scheduler ) are not emailed if:
  • A scheduled report email contains a Report Group ( Monitor PDF Reports Report Group ) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround: To receive a scheduled report email for all other PDF report types:
  1. Select Monitor PDF Reports Report Groups and remove all SaaS Application Usage reports from all Report Groups.
  2. Select Monitor PDF Reports Email Scheduler and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select Disable and click OK .
    Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit .
    ( Panorama managed firewalls ) Select Commit Commit and Push
Known
11.1.0
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
11.1.0
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
11.1.0
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
11.1.0
PAN-164885
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
11.1.0-h4
PAN-272809
A fix was made to address CVE-2024-0012 ( PAN-SA-2024-0015 ) and CVE-2024-9474 .
Addressed
11.1.0-h3
PAN-252214
A fix was made to address CVE-2024-3400 .
Addressed
11.1.0-h2
PAN-238792
Fixed the following device certificate issues:
  • The firewall was unable to automatically renew the device certificate-Fetching device certificates failed incorrectly with the error message OTP is not valid .
  • Firewalls disconnected from Strata Logging Service after renewing the device certificate.
  • The device certificate was not correctly generated on the log forwarding card (LFC).
  • WildFire cloud logs did not log thermite certificate usage status.
Addressed
11.1.0-h2
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
11.1.0-h2
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
11.1.0-h2
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
11.1.0-h2
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Addressed
11.1.0-h1
PAN-237871
( WF-500 appliances and PAN-DB private cloud deployments only ) Fixed an issue where the root-cert was set to expire on December 31, 2023. With this fix, the expiration date has been extended.
Addressed
11.1.0
PAN-233557
Fixed an issue where, after using Panorama to configure per policy persistent DIPP, downgrading the firewall using Panorama and then upgrading the firewall back to a later PAN-OS release, the global DIPP configuration was not successfully converted b ack to the per policy persistent DIPP rules.
Addressed
11.1.0
PAN-227639
Fixed an issue where the ACC displayed an incorrect DNS-base application traffic byte count.
Addressed
11.1.0
PAN-227376
Fixed an issue where a memory overrun caused the all_task process to stop responding.
Addressed
11.1.0
PAN-227368
Fixed an issue where GlobalProtect users could not connect the app to a portal or gateway and GlobalProtect Clientless VPN users were unable to access applications when authentication took longer than 20 seconds.
Addressed
11.1.0
PAN-226418
A CLI command was added to address an issue where long-lived sessions aged out even when there was ongoing traffic.
Addressed
11.1.0
PAN-226198
Fixed an issue on Panorama where the configd process repeatedly restarted when attempting to make configuration changes.
Addressed
11.1.0
PAN-225920
Fixed an issue where duplicate predict sessions didn't release NAT resources.
Addressed
11.1.0
PAN-225886
Fixed an issue where if you enabled explicit proxy mode for the web proxy, intermittent errors and unexpected TCP reconnections may have occurred.
Addressed
11.1.0
PAN-225169
Added a CLI command to view Strata Logging Service queue usage.
Addressed
11.1.0
PAN-224772
Fixed a high memory usage issue with the mongodb process that caused an OOM condition.
Addressed
11.1.0
PAN-224145
Fixed an issue in multi-vsys environments where, when Panorama was on a PAN-OS 10.2 release and the firewall was on a PAN-OS 10.1 release, commits failed on the firewall when inbound inspection mode was configured in the decryption policy rule.
Addressed
11.1.0
PAN-223457
Fixed an issue where, if the number of group queries exceeded the Okta rate limit threshold, the firewall cleared the cache for the groups.
Addressed
11.1.0
PAN-221126
Fixed an issue where email server profiles ( Device > Server Profiles > Email and Panorama > Server Profiles > Email ) to forward logs as email notifications were not forwarded in a readable format.
Addressed
11.1.0
PAN-218555
Fixed an issue where the firewall did not receive dynamic address updates pushed from Panorama during initial registration to Panorama.
Addressed
11.1.0
PAN-213931
Fixed an issue where the logrcvr process cache was not in sync with the mapping on the firewall.
Addressed
11.1.0
PAN-206913
Fixed an issue where, when DHCPv6 client was configured on firewalls in active/passive HA configurations, releasing the IPv6 address from the client released the IPv6 address from only the active firewall.
Known
11.1.1
PAN-263987
This issue is now resolved. See PAN-OS 11.1.4-h4 Addressed Issues .
When a NAT traversal (NAT-T or UDP encapsulation) IPSec tunnel is terminated on a Palo Alto Networks firewall and the NAT rule applied to the NAT-T IPSec tunnel is also on the same firewall, then the data traffic flowing through the NAT-T IPSec tunnel can't be NATed correctly.
Known
11.1.1
PAN-262556
The ElasticSearch cluster health status might continue to remain yellow for an extended period after upgrading to PAN-OS 11.1.1.
Known
11.1.1
PAN-262287
Dereferencing a NULL pointer that occurs might cause pan_task processes to crash.
Known
11.1.1
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
11.1.1
PAN-259769
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues .
GlobalProtect portal is not accessible via a web browser and the app displays the error ERR_EMPTY_RESPONSE .
Known
11.1.1
PAN-257615
This issue is now resolved. See PAN-OS 11.1.2-h9 Addressed Issues .
The Panorama web interface intermittently displays logs or fails to display logs completely.
Known
11.1.1
PAN-250062
This issue is now resolved. See PAN-OS 11.1.4-h4 Addressed Issues .
Device telemetry might fail at configured intervals due to bundle generation issues.
Known
11.1.1
PAN-243951
This issue is now resolved. See PAN-OS 11.1.2-h3 Addressed Issues
On the Panorama management sever in an active/passive High Availability (HA) configuration, managed devices ( Panorama Managed Devices Summary ) display as out-of-sync on the passive HA peer when configuration changes are made to the SD-WAN ( Panorama SD-WAN ) configuration on the active HA peer.
Workaround: Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select Commit and Commit to Panorama the SD-WAN configuration changes on the active HA peer.
    On the passive HA peer, select Panorama Managed Devices Summary and observe that the managed devices are now out-of-sync .
  3. Log in to the primary HA peer Panorama CLI and trigger a manual synchronization between the active and secondary HA peers.
    request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface and select Commit Push to Devices and Push .
Known
11.1.1
PAN-242910
On the Panorama management server, Panorama administrators ( Panorama Administrators ) that are assigned a custom Panorama admin role ( Panorama Admin Roles ) with Push All Changes enabled are unable to push configuration changes to managed firewalls when Managed Devices and Push For Other Admins are disabled.
Known
11.1.1
PAN-242837
Default login credentials and SSH fail after enabling FIPS-CC Mode on a firewall or Panorama after converting through the Maintenance Recovery Tool (MRT). The firewall or Panorama becomes stuck and requires a factory reset to recover.
Known
11.1.1
PAN-242561
GlobalProtect tunnel might disconnect shortly after being established when SSL is used as a transport protocol.
Workaround : Disable Internet Protocol version 6 (TCP/IPv6) on the PANGP Virtual Network Adapter.
Known
11.1.1
PAN-238769
FIPS-CC VM only. Upgrading to 10.1.10-h2 or 10.1.11 will change all locally created security Policy actions to Deny. Re-load the back-up config taken before upgrading or the last version to get the previous config back. Also, Unable to login to FIPSCC Mode devices with default credentials after converting the mode for 10.1.12 release , 10.2.7 release , 11.1.0 , 11.1.1, 11.0.3 versions.
Known
11.1.1
PAN-241041
This issue is now resolved. See PAN-OS 11.1.3 Addressed Issues
On the Panorama management server exporting template or template stack variables ( Panorama Templates ) in CSV format results in an empty CSV file.
Known
11.1.1
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
11.1.1
PAN-225337
This issue is now resolved. See PAN-OS 11.1.2 Addressed Issues
On the Panorama management server, the configuration push to a multi-vsys firewall fails if you:
  1. Create a Shared and vsys-specific device group configuration object with an indentical name. For example, a Shared address object called SharedAO1 and a vsys-specific address object also called SharedAO1 .
  2. Reference the Shared object in another Shared configuration. For example, reference the Shared address object ( SharedAO1 ) in a Shared address group called SharedAG1 .
  3. Use the Shared configuration object with the reference in a vsys-specific configuration. For example, reference the Shared address group ( SharedAG1 ) in a vsys-specific policy rule.
Workaround: Select Panorama Setup Management and edit the Panorama Settings to enable one of the following:
  • Shared Unused Address and Service Objects with Devices —This options pushes all Shared objects, along with device group specific objects, to managed firewalls.
    This is a global setting and applies to all managed firewalls, and may result in pushing too many configuration objects to your managed firewalls.
  • Objects defined in ancestors will take higher precedence —This option specifies that in the event of objects with the same name, ancestor object take precedence over descendent objects. In this case, the Shared objects take precedence over the vsys-specific object.
    This is a global setting and applies to all managed firewalls. In the example above, if the IP address for the Shared SharedAO1 object was 10.1.1.1 and the device group specific SharedAO1 was 10.2.2.2 , the 10.1.1.1 IP address takes precedence.
Alternatively, you can remove the duplicate address objects from the device group configuration to allow only the Shared objects in your configuration.
Known
11.1.1
PAN-224502
The autocommit time of the VM-Series firewall running PAN-OS 11.1.0 might take longer than expected.
Known
11.1.1
PAN-220180
Configured botnet reports ( Monitor Botnet ) are not generated.
Known
11.1.1
PAN-219644
Firewalls forwarding logs to a syslog server over TLS ( Objects Log Forwarding ) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
11.1.1
PAN-217307
This issue is now resolved. See PAN-OS 11.1.3 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
11.1.1
PAN-207733
When a DHCPv6 client is configured on HA Active/Passive firewalls, if the DHCPv6 server goes down, after the lease time expires, the DHCPv6 client should enter SOLICIT state on both the Active and Passive firewalls. Instead, the client is stuck in BOUND state with an IPv6 address having lease time 0 on the Passive firewall.
Known
11.1.1
PAN-207611
When a DHCPv6 client is configured on HA Active/Passive firewalls, the Passive firewall sometimes crashes.
Known
11.1.1
PAN-207442
For M-700 appliances in an active/passive high availability ( Panorama High Availability ) configuration, the active-primary HA peer configuration sync to the secondary-passive HA peer may fail. When the config sync fails, the job Results is Successful ( Tasks ), however the sync status on the Dashboard displays as Out of Sync for both HA peers.
Workaround : Perform a local commit on the active-primary HA peer and then synchronize the HA configuration.
  1. Log in to the Panorama web interface of the active-primary HA peer.
  2. Select Commit and Commit to Panorama .
  3. In the active-primary HA peer Dashboard , click Sync to Peer in the High Availability widget.
Known
11.1.1
PAN-207040
If you disable Advanced Routing, remove logical routers, and downgrade from PAN-OS 11.0.0 to a PAN-OS 10.2.x or 10.1.x release, subsequent commits fail and SD-WAN devices on Panorama have no Virtual Router name.
Known
11.1.1
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status ( Panorama Managed Collector ) displaying connected and the managed colletor Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround: Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Log in to the Dedicated Log Collector CLI .
  2. Confirm the Dedicated Log Collector is disconnected from Panorama. 
    admin> show panorama-status
    Verify the Connected status is no .
  3. Restart the mgmtsrvr process. 
    admin> debug software restart process management-server
Known
11.1.1
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
Known
11.1.1
PAN-197419
( PA-1400 Series firewalls only ) In Network Interface Ethernet , the power over Ethernet (PoE) ports do not display a Tag value.
Known
11.1.1
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
11.1.1
PAN-195968
( PA-1400 Series firewalls only ) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the CLI prints an error depending on whether an interface type was selected on the non-PoE port or not. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message will not include the interface name (eg. ethernet1/4). If an interface type was not selected before PoE was configured, the error message will include the interface name.
Known
11.1.1
PAN-194978
( PA-1400 Series firewalls only ) In Network Interface Ethernet , hovering the mouse over a power over Ethernet (PoE) Link State icon does not display link speed and link duplex details.
Known
11.1.1
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
11.1.1
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
11.1.1
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround : Use Commit Push to Devices to synchronize the templates.
Known
11.1.1
PAN-184708
Scheduled report emails ( Monitor PDF Reports Email Scheduler ) are not emailed if:
  • A scheduled report email contains a Report Group ( Monitor PDF Reports Report Group ) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround: To receive a scheduled report email for all other PDF report types:
  1. Select Monitor PDF Reports Report Groups and remove all SaaS Application Usage reports from all Report Groups.
  2. Select Monitor PDF Reports Email Scheduler and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select Disable and click OK .
    Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit .
    ( Panorama managed firewalls ) Select Commit Commit and Push
Known
11.1.1
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
11.1.1
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
11.1.1
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
11.1.1
PAN-164885
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
11.1.1-h2
PAN-272809
A fix was made to address CVE-2024-0012 ( PAN-SA-2024-0015 ) and CVE-2024-9474 .
Addressed
11.1.1-h1
PAN-252214
A fix was made to address CVE-2024-3400 .
Addressed
11.1.1
PAN-239241
Extended the root certificate for WildFire appliances to December 31, 2032.
Addressed
11.1.1
PAN-238792
Fixed the following device certificate issues:
  • The firewall was unable to automatically renew the device certificate-Fetching device certificates failed incorrectly with the error message OTP is not valid .
  • Firewalls disconnected from Strata Logging Service after renewing the device certificate.
  • The device certificate was not correctly generated on the log forwarding card (LFC).
  • WildFire cloud logs did not log thermite certificate usage status.
Addressed
11.1.1
PAN-237935
Extended the offline PAN-DB, Panorama, and WildFire certificates which were previously set to expire on September 2, 2024.
Addressed
11.1.1
PAN-237876
Extended the firewall Panorama root CA certificate which was previously set to expire on April 7th, 2024.
Addressed
11.1.1
PAN-236605
Fixed an issue where the configd process stopped responding due to a deadlock related to rule-hit-count.
Addressed
11.1.1
PAN-235385
Enhanced wifclient cloud connectivity redundancy.
Addressed
11.1.1
PAN-234929
Fixed an issue where tabs in the ACC such as Network Activity Threat Activity and Blocked Activity did not display data when you applied a Time filter of Last 15 Minutes , Last Hour , Last 6 Hours , or Last 12 Hours , and the data that was displayed with the Last 24 Hours filter was not accurate. Reports that were run against summary logs also did not display accurate results.
Addressed
11.1.1
PAN-233957
( PA-5450 firewalls only ) Fixed an issue where the NAT private pool was not used properly when enabling slot 6 DPC.
Addressed
11.1.1
PAN-233191
( PA-5450 firewalls only ) Fixed an issue where the Data Processing Card (DPC) restarted due to path monitor failure after QSFP28 disconnected from the Network Processing Card (NPC).
Addressed
11.1.1
PAN-232358
( PA-5450 firewalls only ) Fixed an issue where the interface on QSFP28 ports did not go down when the Tx cable was removed from the QSFP28 module.
Addressed
11.1.1
PAN-231771
Fixed an issue where the firewall issued /box/getserv/ requests with PAN-OS 7.1.0 and did not take device certificates.
Addressed
11.1.1
PAN-231658
Fixed an issue where DNS resolution failed when interfaces were configured as DHCP and a DNS server was provided via DHCP while also statically configured with DNS servers.
Addressed
11.1.1
PAN-231194
Fixed an issue where the firewall was unable to clear hints from the disk.
Addressed
11.1.1
PAN-227568
When a device certificate is installed, renewed, or removed, the firewall will reconnect to the WildFire cloud to use the newest certificate.
Addressed
11.1.1
PAN-215576
Fixed an issue where the userID-Agent and TS-Agent certificates were set to expire on November 18, 2024. With this fix, the expiration date has been extended to January 2032.
Known
11.1.2
PAN-263987
This issue is now resolved. See PAN-OS 11.1.4-h4 Addressed Issues .
When a NAT traversal (NAT-T or UDP encapsulation) IPSec tunnel is terminated on a Palo Alto Networks firewall and the NAT rule applied to the NAT-T IPSec tunnel is also on the same firewall, then the data traffic flowing through the NAT-T IPSec tunnel can't be NATed correctly.
Known
11.1.2
PAN-262556
The ElasticSearch cluster health status might continue to remain yellow for an extended period after upgrading to PAN-OS 11.1.2.
Known
11.1.2
PAN-262287
Dereferencing a NULL pointer that occurs might cause pan_task processes to crash.
Known
11.1.2
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
11.1.2
PAN-259769
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues .
GlobalProtect portal is not accessible via a web browser and the app displays the error ERR_EMPTY_RESPONSE .
Known
11.1.2
PAN-257615
This issue is now resolved. See PAN-OS 11.1.2-h9 Addressed Issues .
The Panorama web interface intermittently displays logs or fails to display logs completely.
Known
11.1.2
PAN-255538
On the PA-455 firewall, the LEDs indicating the link status of Ports 3 and 4 are swapped.
Known
11.1.2
PAN-252085
The PA-450R, PA-450R-5G, and PA-455 firewalls can experience an interruption of traffic when switching the combo port connection from fiber to copper.
Workaround: With the copper port connected, initiate a soft reboot of the firewall using the CLI command request restart system . After the reboot, the copper port will be able to process traffic.
Known
11.1.2
PAN-250062
This issue is now resolved. See PAN-OS 11.1.4-h4 Addressed Issues .
Device telemetry might fail at configured intervals due to bundle generation issues.
Known
11.1.2
PAN-243951
This issue is now resolved. See PAN-OS 11.1.2-h3 Addressed Issues
On the Panorama management sever in an active/passive High Availability (HA) configuration, managed devices ( Panorama Managed Devices Summary ) display as out-of-sync on the passive HA peer when configuration changes are made to the SD-WAN ( Panorama SD-WAN ) configuration on the active HA peer.
Workaround: Manually synchronize the Panorama HA peers.
  1. Log in to the Panorama web interface on the active HA peer.
  2. Select Commit and Commit to Panorama the SD-WAN configuration changes on the active HA peer.
    On the passive HA peer, select Panorama Managed Devices Summary and observe that the managed devices are now out-of-sync .
  3. Log in to the primary HA peer Panorama CLI and trigger a manual synchronization between the active and secondary HA peers.
    request high-availability sync-to-remote running-config
  4. Log back in to the active HA peer Panorama web interface and select Commit Push to Devices and Push .
Known
11.1.2
PAN-241041
This issue is now resolved. See PAN-OS 11.1.3 Addressed Issues
On the Panorama management server exporting template or template stack variables ( Panorama Templates ) in CSV format results in an empty CSV file.
Known
11.1.2
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
11.1.2
PAN-224502
The autocommit time of the VM-Series firewall running PAN-OS 11.1.0 might take longer than expected.
Known
11.1.2
PAN-220180
Configured botnet reports ( Monitor Botnet ) are not generated.
Known
11.1.2
PAN-219644
Firewalls forwarding logs to a syslog server over TLS ( Objects Log Forwarding ) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
11.1.2
PAN-217307
This issue is now resolved. See PAN-OS 11.1.3 Addressed Issues .
The following Security policy rule ( Policies Security ) filters return no results:
log-start eq no
log-end eq no
log-end eq yes
Known
11.1.2
PAN-207733
When a DHCPv6 client is configured on HA Active/Passive firewalls, if the DHCPv6 server goes down, after the lease time expires, the DHCPv6 client should enter SOLICIT state on both the Active and Passive firewalls. Instead, the client is stuck in BOUND state with an IPv6 address having lease time 0 on the Passive firewall.
Known
11.1.2
PAN-207611
When a DHCPv6 client is configured on HA Active/Passive firewalls, the Passive firewall sometimes crashes.
Known
11.1.2
PAN-207442
For M-700 appliances in an active/passive high availability ( Panorama High Availability ) configuration, the active-primary HA peer configuration sync to the secondary-passive HA peer may fail. When the config sync fails, the job Results is Successful ( Tasks ), however the sync status on the Dashboard displays as Out of Sync for both HA peers.
Workaround : Perform a local commit on the active-primary HA peer and then synchronize the HA configuration.
  1. Log in to the Panorama web interface of the active-primary HA peer.
  2. Select Commit and Commit to Panorama .
  3. In the active-primary HA peer Dashboard , click Sync to Peer in the High Availability widget.
Known
11.1.2
PAN-207040
If you disable Advanced Routing, remove logical routers, and downgrade from PAN-OS 11.0.0 to a PAN-OS 10.2.x or 10.1.x release, subsequent commits fail and SD-WAN devices on Panorama have no Virtual Router name.
Known
11.1.2
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status ( Panorama Managed Collector ) displaying connected and the managed colletor Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround: Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Log in to the Dedicated Log Collector CLI .
  2. Confirm the Dedicated Log Collector is disconnected from Panorama. 
    admin> show panorama-status
    Verify the Connected status is no .
  3. Restart the mgmtsrvr process. 
    admin> debug software restart process management-server
Known
11.1.2
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
Known
11.1.2
PAN-197419
( PA-1400 Series firewalls only ) In Network Interface Ethernet , the power over Ethernet (PoE) ports do not display a Tag value.
Known
11.1.2
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
11.1.2
PAN-195968
( PA-1400 Series firewalls only ) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the CLI prints an error depending on whether an interface type was selected on the non-PoE port or not. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message will not include the interface name (eg. ethernet1/4). If an interface type was not selected before PoE was configured, the error message will include the interface name.
Known
11.1.2
PAN-194978
( PA-1400 Series firewalls only ) In Network Interface Ethernet , hovering the mouse over a power over Ethernet (PoE) Link State icon does not display link speed and link duplex details.
Known
11.1.2
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
11.1.2
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
11.1.2
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround : Use Commit Push to Devices to synchronize the templates.
Known
11.1.2
PAN-184708
Scheduled report emails ( Monitor PDF Reports Email Scheduler ) are not emailed if:
  • A scheduled report email contains a Report Group ( Monitor PDF Reports Report Group ) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround: To receive a scheduled report email for all other PDF report types:
  1. Select Monitor PDF Reports Report Groups and remove all SaaS Application Usage reports from all Report Groups.
  2. Select Monitor PDF Reports Email Scheduler and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select Disable and click OK .
    Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit .
    ( Panorama managed firewalls ) Select Commit Commit and Push
Known
11.1.2
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
11.1.2
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
11.1.2
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
11.1.2
PAN-164885
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
11.1.2-h16
PAN-272809
A fix was made to address CVE-2024-0012 ( PAN-SA-2024-0015 ) and CVE-2024-9474 .
Addressed
11.1.2-h16
PAN-269000
Fixed an issue where the firewall stopped responding due to a NULL pointer dereference when path monitoring failed.
Addressed
11.1.2-h16
PAN-265785
Fixed an issue where the firewall rebooted due to a sysd variable being modified before it was created.
Addressed
11.1.2-h16
PAN-265179
Fixed an issue where a kernel race condition caused the firewall to reboot with a kernel panic.
Addressed
11.1.2-h16
PAN-263973
Fixed an issue where log collectors had a low incoming log rate.
Addressed
11.1.2-h16
PAN-263208
( PA-5400f firewalls only ) Fixed an issue where interrupts were generated at a certain packet rate, and dataplane processes missed heartbeats, which caused the dataplane to go down.
Addressed
11.1.2-h16
PAN-259881
Fixed an issue on Panorama where traffic log details were not displayed under detailed log view .
Addressed
11.1.2-h16
PAN-259351
A fix was made to address CVE-2024-3393 .
Addressed
11.1.2-h16
PAN-256223
Fixed an issue where device telemetry log collection filled the root partition.
Addressed
11.1.2-h16
PAN-255747
Fixed an issue on the firewall where CLI commands returned Server error: op command for client dagger timed out as client is not available .
Addressed
11.1.2-h16
PAN-253485
( Firewalls in active/passive HA configurations only ) Fixed an issue where dataplane packet capture filter configuration failed on the active firewall with the error op command for client dagger timed out as client is not available .
Addressed
11.1.2-h16
PAN-249300
Fixed an issue where, when CUID was enabled, the CUID firewall pub node was slower than expected when processing incoming traffic and User-ID mapping redistribution between PAN-OS nodes was impacted.
Addressed
11.1.2-h16
PAN-219805
Fixed an issue where the reportd process stopped responding due to a race condition.
Addressed
11.1.2-h15
PAN-272809
A fix was made to address CVE-2024-0012 ( PAN-SA-2024-0015 ) and CVE-2024-9474 .
Addressed
11.1.2-h14
PAN-262287
Fixed an issue where dereferencing a NULL pointer that occurred caused pan_task processes to stop responding.
Addressed
11.1.2-h14
PAN-261673
( VM-Series firewalls on Microsoft Azure environments only ) Fixed an issue where, when Accelerated Networking was enabled, traffic was dropped because of the flow_parse_ip_hdr counter related to an Nvidia driver issue.
Addressed
11.1.2-h14
PAN-259151
Fixed an issue where unused objects were pushed to the firewall, which caused configuration pushes to fail with the error Number of address groups exceed platform capacity .
Addressed
11.1.2-h14
PAN-259002
Fixed an issue where frequent external dynamic list updates caused the configd process to restart.
Addressed
11.1.2-h14
PAN-257601
( PA-5450 firewalls only ) Fixed an issue where Networking Cards (NC) experienced an internal link fault which caused path monitoring failure on the Dataplane Processing Card (DPC).
Addressed
11.1.2-h14
PAN-257327
Fixed an issue where a failover event occurred unexpectedly on the firewall.
Addressed
11.1.2-h14
PAN-253626
Fixed an issue on Panorama where unused objects were pushed to the firewall, which caused the push operations to intermittently fail.
Addressed
11.1.2-h14
PAN-236191
Fixed an issue where the web interface performance was slower than expected.
Addressed
11.1.2-h14
PAN-222542
( PA-7000 Series firewalls only ) Fixed an issue where Log Forward Cards (LFC) were incorrectly identified as distribution policies, which caused packet loss due to traffic, BFD, and other control packets being forwarded to the LFC.
Addressed
11.1.2-h12
PAN-264421
Fixed an issue on Panorama where Push Scope did not populate automatically after changing the device group configuration.
Addressed
11.1.2-h12
PAN-263226
Fixed an issue where decryption based traffic failed on Explicit Proxy nodes.
Addressed
11.1.2-h12
PAN-262831
( PA-5450 firewalls only ) Fixed an intermittent issue where the all_task process stopped responding, which caused the firewall to restart.
Addressed
11.1.2-h12
PAN-262593
Fixed an issue where traffic to websites failed on the Google Chrome web browser on Secure Web Gateway (SWG) nodes.
Addressed
11.1.2-h12
PAN-261991
Fixed an issue where traffic that did not match a decryption policy rule, or matched a no-decrypt policy rule, failed when accumulation proxy was enabled and a Zone Protection profile was configured with syn-cookies enabled.
Addressed
11.1.2-h12
PAN-261917
Fixed an issue where websites with a no-decrypt policy rule were decrypted in traffic log when using a Google Chrome browser with PQC enabled.
Addressed
11.1.2-h12
PAN-259769
Fixed an issue where the GlobalProtect portal was not accessible via a web browser and displayed the error ERR_EMPTY_RESPONSE .
Addressed
11.1.2-h12
PAN-258736
Fixed an issue where policy rule configurations pushed from Panorama were not reflected on the firewall if the rule had 63 characters.
Addressed
11.1.2-h12
PAN-253213
Fixed an issue where the firewall sent HIP notifications every time it received a HIP report instead of every two hours.
Addressed
11.1.2-h12
PAN-252300
Fixed an issue where you were unable to select device groups in the push scope for user accounts.
Addressed
11.1.2-h12
PAN-245690
Fixed an issue where the Managed Collectors health status on Panorama displayed as empty.
Addressed
11.1.2-h12
PAN-209574
Fixed an issue with HTTP/2 traffic where downloading large files did not work when decryption was enabled.
Addressed
11.1.2-h9
PAN-258225
Fixed an issue on the Panorama web interface where Security policy rules loaded more slowly than expected.
Addressed
11.1.2-h9
PAN-257615
Fixed an issue on Panorama where logs did not display or displayed intermittently on the web interface.
Addressed
11.1.2-h9
PAN-256725
Fixed an issue on the Panorama interface where Traffic and Unified event details loaded more slowly than expected.
Addressed
11.1.2-h9
PAN-255868
( PA-3400 Series firewalls only ) Fixed an issue where the firewall entered maintenance mode after enabling kernel data collection during the silent reboot.
Addressed
11.1.2-h9
PAN-255266
Fixed an issue where you were unable to clone a template stack with the Pre-Shared Key variable.
Addressed
11.1.2-h9
PAN-254411
Fixed an issue where the configd process stopped responding, which caused RR_CONNECTION_REFUSED error messages to be displayed in admin sessions.
Addressed
11.1.2-h9
PAN-253546
Fixed an issue where a TLS client hello was split into multiple packets and arrived out of order, so the packets were dropped and the session terminated.
Addressed
11.1.2-h9
PAN-251563
Added CPLD enhancement to capture external power issues.
Addressed
11.1.2-h9
PAN-247099
Fixed an issue where the firewall decrypted traffic unexpectedly when the client hello was spread across multiple packets.
Addressed
11.1.2-h9
PAN-246772
Fixed an issue on the firewall where the dataplane went down due to a path monitor failure caused by an OOM condition related to the pan_task process.
Addressed
11.1.2-h9
PAN-246059
Fixed an issue where forwarded logs were not visible on Panorama due to the Elasticsearch service not starting when it encountered old and unsupported indices.
Addressed
11.1.2-h9
PAN-245428
Fixed an issue where FIB entries aged out and were incorrectly removed after an HA failover event.
Addressed
11.1.2-h9
PAN-244548
Fixed an issue where ECMP sessions changed destination MAC addresses mid-session, which caused connections to be reset.
Addressed
11.1.2-h9
PAN-243098
Fixed an issue with corrupted images when SSL decryption and Security profiles were configured.
Addressed
11.1.2-h9
PAN-240739
Fixed an issue where the ECMP FIB update on the dataplane didn't clear the pending change flag, which caused the next non-ECMP FIB update to miss the latest generation ID and age out after 5 minutes.
Addressed
11.1.2-h9
PAN-240612
Fixed a kernel panic caused by a third-party issue.
Addressed
11.1.2-h9
PAN-240596
Fixed an issue where the all_task process stopped responding due to an invalid memory address.
Addressed
11.1.2-h9
PAN-236133
Fixed an issue where SSL traffic was impacted when SSL Command and Control detector for Incline Cloud Analysis was set to reset-both , reset-client , reset-server , or drop .
Addressed
11.1.2-h9
PAN-234560
Fixed an issue where the daily summary report displayed IPv6 addresses instead of IPv4 addresses.
Addressed
11.1.2-h4
PAN-252214
A fix was made to address CVE-2024-3400 .
Addressed
11.1.2-h4
PAN-251013
Fixed an issue on the web interface where the Virtual Router and Virtual System configurations for the template incorrectly showed as none .
Addressed
11.1.2-h4
PAN-250686
Fixed an issue where selective push operations did not work when more than one admin user simultaneously performed changes and partial commits on Panorama.
Addressed
11.1.2-h4
PAN-249931
Fixed an issue where configuration pushes from Panorama on PAN-OS 11.1.1 to a firewall on a PAN-OS 10.2 release failed.
Addressed
11.1.2-h4
PAN-249808
Fixed an issue where the configd process stopped responding when performing multi-device group pushes via XML API.
Addressed
11.1.2-h4
PAN-247403
( VM-Series firewalls only ) Fixed an issue where the push scope CLI command took longer than expected, which caused the web interface to be slow.
Addressed
11.1.2-h4
PAN-246960
Fixed an issue where firewalls failed to fetch content updates from the Wildfire Private Cloud due to an Unsupported protocol error.
Addressed
11.1.2-h4
PAN-244894
Fixed an issue where turning off mprelay logging caused *mprelay* heartbeat failure.
Addressed
11.1.2-h4
PAN-244622
Fixed an issue where FIB re-push did not work with Advanced Routing enabled.
Addressed
11.1.2-h4
PAN-244227
Fixed an issue where inconsistent FIB entries across the dataplane were not detected.
Addressed
11.1.2-h4
PAN-242309
Fixed an issue where a higher byte count (s2c) was observed for DNS-Base application.
Addressed
11.1.2-h4
PAN-242027
Fixed an issue where the all-task process repeatedly restarted during memory allocation failures.
Addressed
11.1.2-h4
PAN-241141
Fixed an issue where creating more than one address object in the same XML API request resulted in a commit error.
Addressed
11.1.2-h4
PAN-240477
Fixed a temporary hardware issue that caused PAN-SFP-PLUS-CU-5M to not be able to link up on PA-3400 and PA-1400 Series firewalls.
Addressed
11.1.2-h4
PAN-240308
Fixed an issue where ElasticSearch did not work as expected when raid-mounts were not fully ready after a reboot.
Addressed
11.1.2-h4
PAN-239367
Fixed an issue on the firewall where a memory leak associated with the logrcvr process occurred.
Addressed
11.1.2-h4
PAN-239354
Fixed an issue where DNS resolution was delayed when an Antispyware policy rule was applied to both client to firewall and firewall to internal DNS server legs of a connection.
Addressed
11.1.2-h4
PAN-238643
Fixed an issue where a memory leak caused multiple processes to stop responding when VM Information Sources was configured
Addressed
11.1.2-h4
PAN-237537
Fixed an issue where, when deleting CTD entries, the all_pktproc process stopped responding which resulted in dataplane failure.
Addressed
11.1.2-h4
PAN-237208
Fixed an issue where the reportd process stopped and the firewall rebooted.
Addressed
11.1.2-h4
PAN-233789
Fixed an issue with push and commit and push operations where the user was not correctly bound to the scope, which caused all device groups to be selected for a selective push.
Addressed
11.1.2-h4
PAN-233692
Fixed an issue on Panorama where the configd process stopped, which caused performance issues.
Addressed
11.1.2-h4
PAN-233684
Fixed an issue on Panorama where Push to Devices or Commit and Push operations took longer than expected on the web interface.
Addressed
11.1.2-h4
PAN-231148
Fixed an issue where no DHCP option list was defined when using GlobalProtect.
Addressed
11.1.2-h4
PAN-230746
Fixed an issue on the web interface where device groups with a large number of managed firewalls displayed the Policy page more slowly than expected.
Addressed
11.1.2-h4
PAN-205482
Fixed an issue related to the configd process where Panorama displayed the error Server not responding when editing policies.
Addressed
11.1.2-h3
PAN-252214
A fix was made to address CVE-2024-3400 .
Addressed
11.1.2-h3
PAN-246949
Fixed an issue where custom admin users were not able to click OK in the push scope selection window when device group or template were disabled under commit in the admin roles.
Addressed
11.1.2-h3
PAN-244013
Fixed an issue on the Panorama web interface where, when a new content package was installed, new Anti-Spyware Signatures and new Vulnerability Signatures were not visible in their respective profiles.
Addressed
11.1.2-h3
PAN-243951
Fixed an issue on Panorama appliances in active/passive HA configurations where managed devices displayed as out-of-sync on the passive appliance when peer configuration changes were made to the SD-WAN configuration on the active peer.
Addressed
11.1.2-h1
PAN-242879
Fixed an issue where the dataplane restarted when advanced features such as Advanced Threat Protection, Advanced WildFire, and Advanced URL Filtering hit max latency under inline mode.
Addressed
11.1.2-h1
PAN-242634
( PA-1400 Series, PA-3400 Series, and PA-5400 Series firewalls only ) Fixed an issue where a large packet burst from the dataplane to the management plane caused the DPDK kernel network interface to become unresponsive.
Addressed
11.1.2-h1
PAN-240166
Fixed an issue where, when explicit proxy was configured on the firewall, websites loaded more slowly than expected or did not load due to DNS using TCP.
Addressed
11.1.2-h1
PAN-239279
Fixed an issue where the proxy did not accept new connections.
Addressed
11.1.2
PAN-242627
Fixed an issue where selective push did not work.
Addressed
11.1.2
PAN-242561
Fixed an issue where GlobalProtect tunnels disconnected shortly after being established when SSL was used as the transfer protocol.
Addressed
11.1.2
PAN-242519
Fixed an issue where scheduled email reports failed if the @ symbol before the mail client was missing.
Addressed
11.1.2
PAN-241504
Fixed an issue on the web interface where filtering logs under the Monitor tab was slower than expected.
Addressed
11.1.2
PAN-239769
Fixed an issue where object references in a rule were renamed, and a selective revert of the changes with Commit changes by me caused a reference error.
Addressed
11.1.2
PAN-238769
( VM-Series firewalls in FIPS-CC mode only ) Fixed an issue where upgrading Panorama caused all locally created Security policy rule actions to Deny.
Addressed
11.1.2
PAN-238586
Fixed an issue where DNS resolution failure from the LFC resulted in WildFire public cloud connectivity failure.
Addressed
11.1.2
PAN-236120
Fixed an issue where the /opt/panlogs partition reached capacity due to the logdb-quota for the User-ID log folder not being matched.
Addressed
11.1.2
PAN-235840
Fixed an issue where, after a configuration push from Panorama to managed firewalls, the status displayed as None and the push took longer than expected.
Addressed
11.1.2
PAN-235585
Fixed an issue where, when custom signatures and predefined signatures shared the same literal pattern part, the custom signature caused an incorrect calculation for the length of the predefined signature, which resulted in App-ID not detecting correctly.
Addressed
11.1.2
PAN-234279
Fixed an issue where the ikemgr process crashed due to an IKEv1 timing issue, which caused commits to fail with the following error message: Client ikemgr requesting last config in the middle of a commit/validate, aborting current commit .
Addressed
11.1.2
PAN-230106
Fixed an issue where the firewall was unable to retrieve the most current external dynamic list information from the server due to hostname resolution failure.
Addressed
11.1.2
PAN-227397
Fixed an issue where selective pushes on Panorama removed a previously pushed configuration from the firewalls.
Addressed
11.1.2
PAN-226785
Fixed an issue where accessing websites with HTTP to HTTPS redirect failed via explicit proxy.
Addressed
11.1.2
PAN-225337
Fixed an issue on Panorama related to Shared configuration objects where configuration pushes to multi-vsys firewalls failed.
Addressed
11.1.2
PAN-225203
Fixed an issue where the Log Forwarding Card (LFC) did not honor the negotiated MSS on the logging connection.
Addressed
11.1.2
PAN-224954
Fixed an issue where, after upgrading and rebooting a Panorama appliance in Panorama or Log Collector mode, managed firewalls continuously disconnected.
Addressed
11.1.2
PAN-223259
Fixed an issue where selective pushes failed with the error message Failed to generate selective push configuration. Unable to retrieve last in-sync configuration for the device, either a push was never done or version is too old. Please try a full push .
Addressed
11.1.2
PAN-216941
( Panorama appliances in Log Collector mode only ) Fixed an issue where Panorama stopped processing and saving logs.
Known
11.1.3
PAN-265336
( PAN-OS 11.1.3-h6 only )
Copper ports flap when generating a technical support file, executing telemetry, or retrieving port status using a Management Data Input/Output (MDIO) read.
Known
11.1.3
PAN-263987
This issue is now resolved. See PAN-OS 11.1.4-h4 Addressed Issues .
When a NAT traversal (NAT-T or UDP encapsulation) IPSec tunnel is terminated on a Palo Alto Networks firewall and the NAT rule applied to the NAT-T IPSec tunnel is also on the same firewall, then the data traffic flowing through the NAT-T IPSec tunnel can't be NATed correctly.
Known
11.1.3
PAN-263940
On a PA-7500 Series firewall node in an NGFW cluster, if the data processing card is in slot 6, packet drops are expected.
Known
11.1.3
PAN-262287
Dereferencing a NULL pointer that occurs might cause pan_task processes to crash.
Known
11.1.3
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
11.1.3
PAN-259769
This issue is now resolved. See PAN-OS 11.1.3-h6 Addressed Issues
GlobalProtect portal is not accessible via a web browser and the app displays the error ERR_EMPTY_RESPONSE .
Known
11.1.3
PAN-259733
This issue is now resolved. See PAN-OS 11.1.3-h2 Addressed Issues .
Custom reports created in PAN-OS are not deleted as expected, resulting in high memory use by the reportd process. This can lead to issues, such as out-of-memory conditions, content installation failures, and unexpected firewall reboots.
Known
11.1.3
PAN-257615
This issue is now resolved. See PAN-OS 11.1.3-h4 Addressed Issues .
The Panorama web interface intermittently displays logs or fails to display logs completely.
Known
11.1.3
PAN-255868
This issue is now resolved. See PAN-OS 11.1.3-h1 Addressed Issues .
( PA-3400 Series firewalls only ) After enabling kernel data collection during a silent reboot, the firewall fails and reboots to maintenance mode.
Workaround: To recover the firewall, initiate a reboot from maintenance mode.
Known
11.1.3
PAN-255579
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues .
Demo Mode and Log Forwarding: PA-7500 Series firewalls and Panorama display data plane logs after a delay.
Known
11.1.3
PAN-255285
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues .
If only the HCSI-A link is connected on NGFW cluster nodes (the HSCI-B link is not connected) and the management interfaces goes down, the situation will result in a split brain.
Known
11.1.3
PAN-255116
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues
When QoS is applied, traffic on an NGFW cluster node going from an MC-LAG interface to a destination stops when a member of the MC-LAG goes down.
Known
11.1.3
PAN-254927
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues
Certain types of data packets sent to threat inspection processing on the Networking cards of PA-7500 Series firewalls cause a pan_task crash.
Known
11.1.3
PAN-254827
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues
When you change an IP address on a management interface on any of the NGFW cluster nodes, there's no workflow in cluster-config to detect this change, so the subsequent commit-all will not push the updated management IP address.
Workaround: You must manually make an unrelated change to cluster-config in order for Panorama to detect this change; the subsequent commit-all will push the cluster-config with the updated management IP address to cluster-manager.
Known
11.1.3
PAN-254351
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues
An NGFW cluster node could get stuck in suspended state in some cases when you use GRE tunnel termination with keepalive enabled on both ends.
Known
11.1.3
PAN-254240
In the event of an HSCI flap on an NGFW cluster node, traffic reconvergence takes three to four seconds.
Known
11.1.3
PAN-253963
The auto commit job may take longer than expected to complete when the Panorama management server is in Panorama or Log Collector mode.
Known
11.1.3
PAN-253466
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues
In the event of a cluster manager restart on the leader node of an NGFW cluster, traffic stops because the state machine transitions to unknown and the leader is not changing.
Known
11.1.3
PAN-253466
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues
On an NGFW cluster node, an expected packet buffer leak occurs with FTP/SIP traffic over an extended period of time.
Known
11.1.3
PAN-252358
In the event of a corosync restart, an NGFW cluster node goes to failed state.
Known
11.1.3
PAN-251639
This issue is now resolved. See PAN-OS 11.1.4 Addressed Issues .
When a Wildfire Analysis security profile is enabled, an out of memory condition might occur due to a memory leak in the varrcvr process.
Known
11.1.3
PAN-251551
When an NGFW cluster agent crashes and doesn't recover, leader election will take approximately 45 seconds to begin and traffic failover will occur during that time.
Known
11.1.3
PAN-251501
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues
Upon a reboot, an NGFW cluster node will occasionally fail to rejoin a cluster due to a timing issue.
Known
11.1.3
PAN-250903
In a congestion scenario on an HSCI port of an NGFW cluster node, the QoS priorities of cross node traffic streams might be reversed if you're using the default QoS profile with class1 to class8 set as high to low.
Known
11.1.3
PAN-250062
This issue is now resolved. See PAN-OS 11.1.4-h4 Addressed Issues .
Device telemetry might fail at configured intervals due to bundle generation issues.
Known
11.1.3
PAN-250043
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues
On an NGFW cluster node, if you configure a QoS interface with an Egress Max (Mbps) that exceeds 68000, the operation will fail with a message indicating "...is not a valid reference.…" The QoS Max bandwidth on any interface cannot be configured to be more than 68000.
Known
11.1.3
PAN-249727
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues
On an NGFW cluster node, the Custom/Pre-defined URL category is not part of the session flow data and a promoted session after failover does not include it.
Known
11.1.3
PAN-248762
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues
A firewall using the Advanced Routing Engine configured with OSPF crashes when connecting to the neighbor while exchanging route maps.
Known
11.1.3
PAN-247974
LACP flap is expected during a device failover in an NGFW cluster due to an L2 ctrld restart on the new leader node.
Known
11.1.3
PAN-240529
Cloud application information is missing from traffic logs on NGFW cluster nodes.
Known
11.1.3
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
11.1.3
PAN-227978
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues
The UI widget does not accurately list the status of the port when NGFW clustering is enabled.
Known
11.1.3
PAN-224502
The autocommit time of the VM-Series firewall running PAN-OS 11.1.0 might take longer than expected.
Known
11.1.3
PAN-220180
Configured botnet reports ( Monitor Botnet ) are not generated.
Known
11.1.3
PAN-219644
Firewalls forwarding logs to a syslog server over TLS ( Objects Log Forwarding ) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
11.1.3
PAN-207733
When a DHCPv6 client is configured on HA Active/Passive firewalls, if the DHCPv6 server goes down, after the lease time expires, the DHCPv6 client should enter SOLICIT state on both the Active and Passive firewalls. Instead, the client is stuck in BOUND state with an IPv6 address having lease time 0 on the Passive firewall.
Known
11.1.3
PAN-207611
When a DHCPv6 client is configured on HA Active/Passive firewalls, the Passive firewall sometimes crashes.
Known
11.1.3
PAN-207442
For M-700 appliances in an active/passive high availability ( Panorama High Availability ) configuration, the active-primary HA peer configuration sync to the secondary-passive HA peer may fail. When the config sync fails, the job Results is Successful ( Tasks ), however the sync status on the Dashboard displays as Out of Sync for both HA peers.
Workaround : Perform a local commit on the active-primary HA peer and then synchronize the HA configuration.
  1. Log in to the Panorama web interface of the active-primary HA peer.
  2. Select Commit and Commit to Panorama .
  3. In the active-primary HA peer Dashboard , click Sync to Peer in the High Availability widget.
Known
11.1.3
PAN-207040
If you disable Advanced Routing, remove logical routers, and downgrade from PAN-OS 11.0.0 to a PAN-OS 10.2.x or 10.1.x release, subsequent commits fail and SD-WAN devices on Panorama have no Virtual Router name.
Known
11.1.3
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status ( Panorama Managed Collector ) displaying connected and the managed colletor Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround: Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Log in to the Dedicated Log Collector CLI .
  2. Confirm the Dedicated Log Collector is disconnected from Panorama. 
    admin> show panorama-status
    Verify the Connected status is no .
  3. Restart the mgmtsrvr process. 
    admin> debug software restart process management-server
Known
11.1.3
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
Known
11.1.3
PAN-197419
( PA-1400 Series firewalls only ) In Network Interface Ethernet , the power over Ethernet (PoE) ports do not display a Tag value.
Known
11.1.3
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
11.1.3
PAN-195968
( PA-1400 Series firewalls only ) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the CLI prints an error depending on whether an interface type was selected on the non-PoE port or not. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message will not include the interface name (eg. ethernet1/4). If an interface type was not selected before PoE was configured, the error message will include the interface name.
Known
11.1.3
PAN-194978
( PA-1400 Series firewalls only ) In Network Interface Ethernet , hovering the mouse over a power over Ethernet (PoE) Link State icon does not display link speed and link duplex details.
Known
11.1.3
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
11.1.3
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
11.1.3
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround : Use Commit Push to Devices to synchronize the templates.
Known
11.1.3
PAN-184708
Scheduled report emails ( Monitor PDF Reports Email Scheduler ) are not emailed if:
  • A scheduled report email contains a Report Group ( Monitor PDF Reports Report Group ) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround: To receive a scheduled report email for all other PDF report types:
  1. Select Monitor PDF Reports Report Groups and remove all SaaS Application Usage reports from all Report Groups.
  2. Select Monitor PDF Reports Email Scheduler and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select Disable and click OK .
    Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit .
    ( Panorama managed firewalls ) Select Commit Commit and Push
Known
11.1.3
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
11.1.3
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
11.1.3
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
11.1.3
PAN-164885
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
11.1.3-h13
PAN-272809
A fix was made to address CVE-2024-0012 ( PAN-SA-2024-0015 ) and CVE-2024-9474 .
Addressed
11.1.3-h13
PAN-269000
Fixed an issue where the firewall stopped responding due to a NULL pointer dereference when path monitoring failed.
Addressed
11.1.3-h13
PAN-265785
Fixed an issue where the firewall rebooted due to a sysd variable being modified before it was created.
Addressed
11.1.3-h13
PAN-263208
( PA-5400f firewalls only ) Fixed an issue where interrupts were generated at a certain packet rate, and dataplane processes missed heartbeats, which caused the dataplane to go down.
Addressed
11.1.3-h13
PAN-260604
Fixed an issue where the firewall displayed inaccurate throughput utilization stats in NetFlow analyzer tools.
Addressed
11.1.3-h13
PAN-259881
Fixed an issue on Panorama where traffic log details were not displayed under detailed log view .
Addressed
11.1.3-h13
PAN-259351
A fix was made to address CVE-2024-3393 .
Addressed
11.1.3-h13
PAN-258799
Fixed an issue where, when updating a Security Policy Policy Optimizer , the web interface stopped responding.
Addressed
11.1.3-h13
PAN-256223
Fixed an issue where device telemetry log collection filled the root partition.
Addressed
11.1.3-h13
PAN-255915
Fixed an issue where a memory leak in the sslmgr process caused the firewall to restart.
Addressed
11.1.3-h13
PAN-254826
Fixed an issue where the firewall stopped responding when processing traffic.
Addressed
11.1.3-h13
PAN-254794
Fixed an issue where the Panorama management server stopped responding.
Addressed
11.1.3-h13
PAN-254577
Fixed an issue where a core file was created on the Log Forwarding Card (LFC) due to a third-party software issue.
Addressed
11.1.3-h11
PAN-272809
A fix was made to address CVE-2024-0012 ( PAN-SA-2024-0015 ) and CVE-2024-9474 .
Addressed
11.1.3-h10
PAN-265336
( PA-800 Series, PA-3200 Series, PA-5200 Series, and PA-5450 firewalls only ) Fixed an issue where the copper ports flapped when generating a technical support file or executing telemetry.
Addressed
11.1.3-h10
PAN-265287
Fixed an issue where the firewall experienced a packet buffer leak in the dataplane of the network processing card (NPC) when processing certain net messages.
Addressed
11.1.3-h10
PAN-265287
Fixed an issue where the firewall experienced a packet buffer leak in the dataplane of the NPC when processing certain net messages.
Addressed
11.1.3-h10
PAN-263973
Fixed an issue where log collectors had a low incoming log rate.
Addressed
11.1.3-h10
PAN-262287
Fixed an issue where dereferencing a NULL pointer that occurred caused pan_task processes to stop responding.
Addressed
11.1.3-h10
PAN-261485
Fixed an issue where the firewall dropped the Real Time Transport Protocol (RTP) session for the second SIP call on Persistent-DIPP connections when the source port of the client device was reset.
Addressed
11.1.3-h10
PAN-259733
Fixed an issue where a custom report was not deleted on Panorama when expected.
Addressed
11.1.3-h10
PAN-259151
Fixed an issue where unused objects were pushed to the firewall, which caused configuration pushes to fail with the error Number of address groups exceed platform capacity .
Addressed
11.1.3-h10
PAN-257912
Fixed an issue where the firewall stopped responding when it received RADIUS traffic and user equipment (UE) traffic at the same time on an NPC.
Addressed
11.1.3-h10
PAN-257615
Fixed an issue on Panorama where logs did not display or displayed intermittently on the web interface.
Addressed
11.1.3-h10
PAN-257601
( PA-5450 firewalls only ) Fixed an issue where Networking Cards (NC) experienced an internal link fault which caused path monitoring failure on the Dataplane Processing Card (DPC).
Addressed
11.1.3-h10
PAN-257327
( PA-5440 firewalls only ) Fixed an issue where a failover event occurred unexpectedly on the firewall.
Addressed
11.1.3-h10
PAN-256725
Fixed an issue on the Panorama interface where Traffic and Unified event details loaded more slowly than expected.
Addressed
11.1.3-h10
PAN-254794
Fixed an issue where the Panorama management server stopped responding.
Addressed
11.1.3-h10
PAN-253626
Fixed an issue on Panorama where unused objects were pushed to the firewall, which caused the push operations to intermittently fail.
Addressed
11.1.3-h10
PAN-250394
Fixed an issue where a large amount of group data caused serialization errors and prevented synchronization.
Addressed
11.1.3-h10
PAN-246708
Fixed an issue where the firewall stopped responding when the all_pktproc repeatedly restarted.
Addressed
11.1.3-h10
PAN-243098
Fixed an issue with corrupted images when SSL decryption and Security profiles were configured.
Addressed
11.1.3-h10
PAN-222542
( PA-7000 Series firewalls only ) Fixed an issue where Log Forward Cards (LFC) were incorrectly identified as distribution policies, which caused packet loss due to traffic, BFD, and other control packets being forwarded to the LFC.
Addressed
11.1.3-h6
PAN-263226
Fixed an issue where decryption based traffic failed on Explicit Proxy nodes.
Addressed
11.1.3-h6
PAN-262593
Fixed an issue where traffic to websites failed on the Google Chrome web browser on Secure Web Gateway (SWG) nodes.
Addressed
11.1.3-h6
PAN-261991
Fixed an issue where traffic that did not match a decryption policy rule, or matched a no-decrypt policy rule, failed when accumulation proxy was enabled and a Zone Protection profile was configured with syn-cookies enabled.
Addressed
11.1.3-h6
PAN-261917
Fixed an issue where websites with a no-decrypt policy rule were decrypted in traffic log when using a Google Chrome browser with PQC enabled.
Addressed
11.1.3-h6
PAN-259769
Fixed an issue where the GlobalProtect portal was not accessible via a web browser and displayed the error ERR_EMPTY_RESPONSE .
Addressed
11.1.3-h6
PAN-257957
( Firewalls and Panorama appliances in FIPS-CC mode only ) Fixed an issue where the authd process restarted if RADIUS PAP/CHAP authentication was used.
Addressed
11.1.3-h6
PAN-242331
Fixed an issue where Prisma Access remote network firewalls intermittently created incorrect user-to-IP-address mappings.
Addressed
11.1.3-h6
PAN-232214
Fixed an issue where GlobalProtect clients remained in the connecting state during portal pre-login when Kerberos single sign-on (SSO) was enabled.
Addressed
11.1.3-h4
PAN-259480
Fixed an issue where the varrcvr process stopped responding after running out of memory due to how the process queued and dequeued files for WildFire file forwarding when a WildFire Analysis Security profile was enabled.
Addressed
11.1.3-h4
PAN-257925
( CN-Series firewalls only ) Fixed an issue where the CLI command show system setting ctd state did not work as expected.
Addressed
11.1.3-h4
PAN-257615
Fixed an issue on Panorama where logs did not display or displayed intermittently on the web interface.
Addressed
11.1.3-h4
PAN-257462
Fixed an issue related to the varrcvr process where the management plane CPU was higher than expected during WildFire updates.
Addressed
11.1.3-h4
PAN-256385
( CN-Series firewalls only ) Fixed an issue where communication was broken between the management plane and the dataplane when anti-spyware profiles were configured in a Security policy rule.
Addressed
11.1.3-h4
PAN-254373
Fixed an issue where the firewall did not handle error code 500 responses from the WildFire cloud correctly.
Addressed
11.1.3-h4
PAN-251639
Fixed an issue where an out-of-memory condition occurred due to a memory leak related to the varrvcr process when a WildFire Analysis security profile was enabled.
Addressed
11.1.3-h4
PAN-248148
Jumbo frame feature support is enabled.
Addressed
11.1.3-h4
PAN-225213
Fixed an issue where Push All Changes displayed changes that were already committed in the push scope for another device group after performing a selective commit and selective push to the first device group.
Addressed
11.1.3-h2
PAN-259733
Fixed an issue where a custom report was not deleted on Panorama when expected.
Addressed
11.1.3-h2
PAN-259473
( PA-5450 firewalls only ) Fixed an issue where the chassis shut down when FAN1 was removed.
Addressed
11.1.3-h2
PAN-254411
Fixed an issue where the configd process stopped responding, which caused ERR_CONNECTION_REFUSED error messages to be displayed in admin sessions.
Addressed
11.1.3-h2
PAN-253546
Fixed an issue where a TLS client hello was split into multiple packets and arrived out of order, so the packets were dropped and the session terminated.
Addressed
11.1.3-h2
PAN-249814
Fixed an issue where multiple all_task processes stopped responding, which caused the dataplane to fail.
Addressed
11.1.3-h2
PAN-247099
Fixed an issue where the firewall decrypted traffic unexpectedly when the client hello was spread across multiple packets.
Addressed
11.1.3-h1
PAN-256765
Fixed an issue where you were unable to push variables from Panorama in service routes for non-cluster templates.
Addressed
11.1.3-h1
PAN-255868
( PA-3400 Series firewalls only ) Fixed an issue where the firewall entered maintenance mode after enabling kernel data collection during the silent reboot.
Addressed
11.1.3
PAN-251013
Fixed an issue on the web interface where the Virtual Router and Virtual System configurations for the template incorrectly showed as none .
Addressed
11.1.3
PAN-250686
Fixed an issue where selective push operations did not work when more than one admin user simultaneously performed changes and partial commits on Panorama.
Addressed
11.1.3
PAN-249808
Fixed an issue where the configd process stopped responding when performing multi-device group pushes via XML API.
Addressed
11.1.3
PAN-249597
Fixed an issue where the Policy page on the Panorama web interface was slower than expected when a device group had a large number of managed devices.
Addressed
11.1.3
PAN-249019
Fixed an issue where the all_pktproc process stopped responding, which caused the firewall to become unresponsive.
Addressed
11.1.3
PAN-248748
Fixed an issue that caused the dataplane to stop responding when running a packet diagnostic with Jumbo frames enabled.
Addressed
11.1.3
PAN-248105
Fixed an issue where the GlobalProtect SSL VPN tunnel immediately disconnected due to a keep-alive timeout.
Addressed
11.1.3
PAN-247403
( Panorama virtual appliances only ) Fixed an issue where the push scope CLI command took longer than expected, which caused the web interface to be slow.
Addressed
11.1.3
PAN-246707
Fixed an issue where failover was not triggered when multiple processes stopped responding.
Addressed
11.1.3
PAN-246420
( PA-5450 Series firewalls only ) Fixed an issue where the firewall rebooted unexpectedly during an upgrade.
Addressed
11.1.3
PAN-246215
Fixed an issue where the sleep time for a suspended pan_task process caused configuration and policy updates to be blocked.
Addressed
11.1.3
PAN-245701
Fixed an issue where the returned values to SNMP requests for data port statistics were incorrect.
Addressed
11.1.3
PAN-245690
Fixed an issue where the Managed Collectors health status on Panorama displayed as empty.
Addressed
11.1.3
PAN-245428
Fixed an issue where FIB entries aged out and were incorrectly removed after an HA failover event.
Addressed
11.1.3
PAN-245041
Fixed an issue where the WF-500 appliance returned an error verdict for every sample in FIPS mode.
Addressed
11.1.3
PAN-244907
( PA-3400, PA-5400, and PA-1400 Series firewalls only ) Fixed an issue where virtual wire ports did not go down when moving from an active state to a suspended state.
Addressed
11.1.3
PAN-244894
Fixed an issue where turning off mprelay logging caused mprelay heartbeat failure.
Addressed
11.1.3
PAN-244836
A knob was introduced to toggle the default behavior of BGP in the Advanced Routing stack to not suppress duplicate updates. By default, the prefix updates are suppressed for optimization.
Addressed
11.1.3
PAN-244648
Fixed an issue where, when FIPS was enabled in maintenance mode, the firewall rebooted and returned to maintenance mode.
Addressed
11.1.3
PAN-244625
( VM-Series firewalls only ) Fixed an issue where incorrect virtual MAC addresses were used in interfaces.
Addressed
11.1.3
PAN-244622
Fixed an issue where FIB re-push did not work with Advanced Routing enabled.
Addressed
11.1.3
PAN-244548
Fixed an issue where ECMP sessions changed destination MAC addresses mid-session, which caused connections to be reset.
Addressed
11.1.3
PAN-244493
Fixed a memory limitation with mapping subinterfaces to VPCE endpoints for GCP IPS, Amazon Web Services (AWS) integration with GWLB, and NSX service chain mapping.
Addressed
11.1.3
PAN-244227
Fixed an issue where inconsistent FIB entries across the dataplane were not detected.
Addressed
11.1.3
PAN-244013
Fixed an issue where the web interface did not display newly added Anti-Spyware signatures or Vulnerability Signatures.
Addressed
11.1.3
PAN-243463
Fixed an issue where high Enhanced Application Log traffic used excess system resources and caused processes to not work.
Addressed
11.1.3
PAN-242027
Fixed an issue where the all-task process repeatedly restarted during memory allocation failures.
Addressed
11.1.3
PAN-241548
Fixed an issue where the firewall stopped responding when switching from endpoint authentication bypass to endpoint Kerberos authentication with SWG-proxy traffic.
Addressed
11.1.3
PAN-241230
Fixed an issue where the SNMP get request status value for Panorama connections was incorrect.
Addressed
11.1.3
PAN-241164
( PA-410 firewalls only ) Fixed an issue where system and configuration logs sent from the firewall to Panorama contained the serial number field instead of the firewall device name.
Addressed
11.1.3
PAN-241141
Fixed an issue where creating more than one address object in the same XML API request resulted in a commit error.
Addressed
11.1.3
PAN-241041
Fixed an issue where, after upgrading to 11.1.0, exporting CSV files for template stack variables or template variables resulted in an empty file.
Addressed
11.1.3
PAN-241018
( VM-Series firewalls in Microsoft Azure environments only ) Fixed a Dataplane Development Kit (DPDK) issue where interfaces remained in a link-down stage after an Azure hot plug event.
Addressed
11.1.3
PAN-240993
Fixed an issue where you were unable to revert a sort in task manager in the admin column.
Addressed
11.1.3
PAN-240786
Fixed an issue on firewalls in HA configurations where VXLAN sessions were allocated, but not installed or freed, which resulted in a constant high session table usage that was not synced between the firewalls. This resulted in a session count mismatch.
Addressed
11.1.3
PAN-240618
Fixed an issue where configuration commits were successful even when dynamic peer IKE gateways configured on the same interface and IP address that did not have the same IKE crypto profile.
Addressed
11.1.3
PAN-240612
Fixed a kernel panic caused by a third-party issue
Addressed
11.1.3
PAN-240596
Fixed an issue where all_task stopped responding due to an invalid memory address.
Addressed
11.1.3
PAN-240477
Fixed a temporary hardware issue that caused PAN-SFP-PLUS-CU-5M to not be able to link up on PA-3400 and PA-1400 Series firewalls.
Addressed
11.1.3
PAN-240368
Fixed an issue where authentication portal redirection for HTTPS websites did not work when Enhanced Handling of SSL/TLS Handshakes for Decrypted Traffic was enabled.
Addressed
11.1.3
PAN-240347
Fixed an issue with the web interface where the Dashboard and a Device Group policy rule took longer than expected to load.
Addressed
11.1.3
PAN-240308
Fixed an issue where ElasticSearch did not work as expected when raid-mounts were not fully ready after a reboot.
Addressed
11.1.3
PAN-240251
Fixed an issue where the vldmgr process incorrectly restarted during an Elasticsearch restart.
Addressed
11.1.3
PAN-239776
Fixed an issue where Panorama went into maintenance mode due to a GlobalProtect quota configuration that was under the minimum required quota.
Addressed
11.1.3
PAN-239722
Fixed an issue where SNMP scans to the firewall took longer than expected and intermittently timed out.
Addressed
11.1.3
PAN-239662
Fixed an issue where the NSSA default route from the firewall was not generated to advertise even though the backbone area default route was advertised during a graceful restart.
Addressed
11.1.3
PAN-239367
Fixed an issue on the firewall where a memory leak associated with the logrcvr process occurred.
Addressed
11.1.3
PAN-239354
Fixed an issue where DNS resolution was delayed when an antispyware policy rule was applied to both client to firewall and firewall to internal DNS server legs of a connection.
Addressed
11.1.3
PAN-239337
Fixed an issue where the log_index was suspended and corrupted BDX files flooded the index_log.
Addressed
11.1.3
PAN-239256
Fixed an issue where ARP entries were unable to be completed for subinterfaces with SNAT configured.
Addressed
11.1.3
PAN-238996
Fixed an issue where commits did not complete and remained in a pending state due to a race condition. With this fix, the commit will fail after 60 seconds and not remain in a pending state.
Addressed
11.1.3
PAN-238643
Fixed an issue where a memory leak caused multiple processes to stop responding when VM Information Sources was configured.
Addressed
11.1.3
PAN-238625
Fixed an issue where, when the physical interface went down, the SD-WAN Ethernet connection state still showed UP/path-monitor due to the Active URL SaaS monitor connection state remaining UP/path-monitor.
Addressed
11.1.3
PAN-238621
Fixed an issue where the HA3 link status remained down when updating the HA3 interface configuration when the AE interface was up.
Addressed
11.1.3
PAN-238562
Fixed an issue where log collectors stopped responding when gathering reports from Panorama.
Addressed
11.1.3
PAN-238508
Fixed an issue where the routed process created excessive logs in the log file.
Addressed
11.1.3
PAN-237678
Fixed an issue with firewalls in active/passive HA configurations where the passive firewall displayed the error message Unable to read QSFP Module ID when the passive link state was set to shutdown.
Addressed
11.1.3
PAN-237537
Fixed an issue where, when deleting CTD entries, the all_pktproc process stopped responding which resulted in dataplane failure.
Addressed
11.1.3
PAN-237478
Fixed an issue where the traffic log displayed 0 bytes for denied sessions.
Addressed
11.1.3
PAN-237454
Fixed an issue where Panorama stopped redistributing IP address-to-username mappings when packet loss occurred between the distributor and the client.
Addressed
11.1.3
PAN-237369
( PA-1420 firewalls only ) Fixed an issue where the all_task process stopped responding, which caused the firewall to become unresponsive.
Addressed
11.1.3
PAN-237246
Fixed an issue where the all_pktproc process repeatedly restarted, which caused the firewall to go into a nonfunctional state.
Addressed
11.1.3
PAN-236802
Fixed an issue on firewalls in HA configurations where unexpected failovers occurred.
Addressed
11.1.3
PAN-236261
Fixed an issue where a proxy server was used for External Dynamic List communication even when the dataplane interface was configured through service routes.
Addressed
11.1.3
PAN-236244
Fixed an issue where you were unable to select Authentication Profiles via the web interface.
Addressed
11.1.3
PAN-236233
Fixed an issue where SNMP reports displayed incorrect values for SSL Proxy sessions and SSL Proxy utilization.
Addressed
11.1.3
PAN-235737
Fixed an issue where the brdagent process stopped responding due to a sudden increase in logging to the bcm.log.
Addressed
11.1.3
PAN-235628
Fixed an issue where you were not prompted for login credentials when you disconnected and connected back to the GlobalProtect portal when SAML authentication was selected along with Single Sign-On (SSO) and Single Log Out (SLO).
Addressed
11.1.3
PAN-235557
Fixed an issue where uploads from tunnels, including GlobalProtect, were slower than expected when the inner and outer sessions were on different dataplanes.
Addressed
11.1.3
PAN-235476
Fixed an issue where threat logs from different Security zones were aggregated into one log.
Addressed
11.1.3
PAN-235168
Fixed an issue where disk space became full even after clearing old logs and content images.
Addressed
11.1.3
PAN-235081
( VM-Series firewalls only ) Fixed an issue where the firewall sent packets to its own interface after configuring NAT64.
Addressed
11.1.3
PAN-234596
Fixed an issue on firewalls in active/passive HA configurations where the passive firewall incorrectly became active after a reboot.
Addressed
11.1.3
PAN-234459
Fixed an issue with the firewall web interface where local SSL decryption exclusion cache entries were not visible.
Addressed
11.1.3
PAN-234290
Fixed an issue where the firewall displayed incorrect interface transfer rates when running the CLI command show system state filter-pretty sys.s1.px with a filter.
Addressed
11.1.3
PAN-234169
Fixed an issue where downloading files failed or was slower than expected due to malware scanning even when the session was matched to a Security policy rule with no Anti-Virus profile attached.
Addressed
11.1.3
PAN-234031
Fixed an issue on multi-core firewalls where the firewall displayed packets out of order when capturing packets on the transmit stage.
Addressed
11.1.3
PAN-233833
Fixed an issue where enabling Jumbo frames resulted in software packet buffer depletion.
Addressed
11.1.3
PAN-233789
Fixed an issue with Push and Commit and Push operations where the user was not correctly bound to the scope, which caused all device groups to be selected for a selective push.
Addressed
11.1.3
PAN-233692
Fixed an issue on Panorama where the configd process stopped, which caused performance issues.
Addressed
11.1.3
PAN-233684
Fixed an issue on Panorama where Push to Devices or Commit and Push operations took longer than expected on the web interface.
Addressed
11.1.3
PAN-233603
( CN-Series firewalls only ) Fixed an issue where slot information was not correct after a slotd process restart on the management pod.
Addressed
11.1.3
PAN-233541
Fixed an issue where device group and template administrators with access to a specific virtual system were able to see logs for all virtual systems via Context Switch.
Addressed
11.1.3
PAN-233517
Fixed an issue on Panorama where managed device templates and device groups took longer than expected to display in the Push to Devices window.
Addressed
11.1.3
PAN-233463
Fixed an issue where the X-Forwarded-For (XFF) IP addressed value was not displayed in traffic logs.
Addressed
11.1.3
PAN-233207
Fixed an issue where the configd process stopped responding when a partial configuration revert operation was performed.
Addressed
11.1.3
PAN-233039
Fixed an issue where GENEVE encapsulated packets coming from a GFE Proxy mapped to an incorrect Security policy rule.
Addressed
11.1.3
PAN-232953
Fixed an issue where you were able to cancel the same commit repeatedly, which displayed the error message Cannot stop job <job> at this time .
Addressed
11.1.3
PAN-232368
Fixed an issue where commits failed with the error message Error: Max. user groups used in policy 1389 exceed capacity (1000).
Addressed
11.1.3
PAN-232250
Fixed an issue where, when SSH service profiles for management access were set to None , the reported output was incorrect.
Addressed
11.1.3
PAN-231802
Fixed an issue where an Advanced Routing BGP session flapped with commits when BGP peer authentication was enabled.
Addressed
11.1.3
PAN-231552
Fixed an issue where traffic returning from a third-party Security chain was dropped.
Addressed
11.1.3
PAN-231507
( PA-1400 Series firewalls only ) Fixed an issue where, when an HSCI interface was used as an HA2 interface, HA2 packets were intermittently dropped on the passive firewall, which caused the HA2 connection to flap due to missing HA2 keepalive messages.
Addressed
11.1.3
PAN-231480
Fixed an issue where the firewall CLI output for GlobalProtect log quota settings did not match the settings configured on the Panorama web interface.
Addressed
11.1.3
PAN-231439
Fixed an issue where, when a VoIP call using dynamic IP and NAT was put on hold, the audio became one-way due to early termination of NAT ports.
Addressed
11.1.3
PAN-231395
Fixed an intermittent issue where the OCSP query failed.
Addressed
11.1.3
PAN-231148
Fixed an issue where no DHCP option list was defined when using GlobalProtect.
Addressed
11.1.3
PAN-230813
Fixed an issue where flex memory leak caused decryption failure and commit failure with the error message Error preparing global objects failed to handle CONFIG_UPDATE_START .
Addressed
11.1.3
PAN-230746
Fixed an issue on the web interface where device groups with a large number of managed firewalls displayed the Policy page more slowly than expected.
Addressed
11.1.3
PAN-230656
( Firewalls in HA configurations only ) Fixed an issue where a split brain condition occurred on both firewalls after booting up any firewall, and an HA switchover occurred after booting up a firewall with a higher HA priority even when no preemptive option was enabled on the firewall.
Addressed
11.1.3
PAN-230377
Fixed an issue where FEC support was not enabled by default for PAN-25G-SFP28-LR modules.
Addressed
11.1.3
PAN-230372
Fixed an issue where OCSP queries did not work after upgrading to a PAN-OS 11.0 release.
Addressed
11.1.3
PAN-230039
Fixed an issue where migrating from an Enterprise License Agreement (ELA) to a Flexible VM-Series License failed with a deactivation error message.
Addressed
11.1.3
PAN-229985
( VM-Series firewalls in Amazon Web Services (AWS) only ) Fixed an issue where, when Gateway Load Balancer (GWLB) overlay routing was enabled, GWLB packets re-encapsulated with the incorrect flow cookie in the GENEVE header when transmitting the response back to GWLB.
Addressed
11.1.3
PAN-229874
Fixed an issue where the firewall was unable to form OSPFv3 adjacency when using an ESP authentication profile.
Addressed
11.1.3
PAN-229873
( PA-7050 firewalls only ) Fixed an issue related to brdagent process errors.
Addressed
11.1.3
PAN-229315
Fixed an issue where Octets in NetFlow records were always reported to be 0 despite having a non-zero packet count.
Addressed
11.1.3
PAN-229069
Fixed an issue where clientless VPN portal users were unable to access clientless applications due to an SSL renegotiation being triggered.
Addressed
11.1.3
PAN-228457
( PA-7000 firewalls only ) Fixed an issue where the GTP logs forwarded from the firewall to the log collector did not include the pcap.
Addressed
11.1.3
PAN-228442
Fixed an issue on firewalls in active/passive HA configurations where sessions did not fail over from the active firewall to the passive firewall when upgrading PAN-OS.
Addressed
11.1.3
PAN-228323
Fixed an issue where a large number of Panorama management server cookies were created in the Redis database when the Cloud-Service plugin sent an authentication request every second, and logging in to or using Panorama was slower than expected.
Addressed
11.1.3
PAN-227973
Fixed an issue where commits failed after renaming an address object or object group with a selective commit.
Addressed
11.1.3
PAN-227939
Fixed an issue where the all_task process stopped responding due to high wifclient memory usage, which caused the firewall to reboot.
Addressed
11.1.3
PAN-227887
Fixed an issue where IP address checksums were calculated incorrectly.
Addressed
11.1.3
PAN-227510
Fixed an issue where the error message Failed to establish GRPC connection to UrlCat service: failed to start grpc connection was displayed in the system log when the Advanced URL Filtering license was applied but not configured.
Addressed
11.1.3
PAN-227064
Fixed an issue with high availability (HA) sync failure when performing a partial commit after creating a Security policy via REST API.
Addressed
11.1.3
PAN-226489
Fixed an issue where Panorama was unable to push scheduled dynamic updates to firewalls with the error message Failed to add deploy job. Too many (30) deploy jobs pending for device .
Addressed
11.1.3
PAN-225090
Fixed an issue on Panorama where Commit and Push was grayed out when making changes to a template or device group.
Addressed
11.1.3
PAN-225064
Fixed an issue where Panorama stopped responding and entered a non-functional state after moving multiple Security policy rules at the same time from one device group to another device group.
Addressed
11.1.3
PAN-224938
Fixed an issue where the CLI command settings for set system setting logging max-log-rate did not persist after a mgmtsrvr process restart.
Addressed
11.1.3
PAN-224584
Fixed an issue on Panorama where generating UAR reports for 30 days or more was slower than expected, and reports showed the same logs repeatedly in a loop.
Addressed
11.1.3
PAN-224424
( PA-3440 firewalls only ) Fixed an issue where you were unable to set the link speed as 25Gbps from the drop-down in the template for Ethernet ports 1/23 through 1/26.
Addressed
11.1.3
PAN-224060
( PA-220 Series firewalls only ) Fixed an issue where multiple dataplane processes stopped responding after an upgrade.
Addressed
11.1.3
PAN-223365
Fixed an issue where Panorama was unable to query any logs if the Elasticsearch health status for any log collector was degraded.
Addressed
11.1.3
PAN-223172
Fixed an issue on Panorama where host IDs manually added to the device quarantine list were unexpectedly removed.
Addressed
11.1.3
PAN-222188
A CLI command was introduced to address an issue where SNMP monitoring performance was slower than expected, which resulted in snmpwalk timeouts.
Addressed
11.1.3
PAN-222002
Fixed an issue where content updates failed with the error message Unable to get key pancontent-8.0.pass from cryptod. Error -9 .
Addressed
11.1.3
PAN-220931
( Panorama appliances in FIPS-CC mode only ) Fixed an issue where scheduled email reports did not contain PDF attachments.
Addressed
11.1.3
PAN-219805
Fixed an issue where the reportd process stopped responding due to a race condition.
Addressed
11.1.3
PAN-219113
Fixed an issue where, when a port on the NPC was configured for log forwarding, the ingress traffic on the card was sent for processing to the LPC, and the LPC card was reloaded when the ingress volume of traffic was high.
Addressed
11.1.3
PAN-217619
Fixed an issue where supported Bi-DI transceivers were not recognized which caused ports to not come up.
Addressed
11.1.3
PAN-217307
Fixed an issue where the log-start and log-end policy rule filters did not return reliable results when set to no or yes .
Addressed
11.1.3
PAN-217241
Fixed an issue where predict session conversion failed for RTP and RTCP traffic.
Addressed
11.1.3
PAN-209574
Fixed an issue with HTTP/2 traffic where downloading large files did not work when decryption was enabled.
Addressed
11.1.3
PAN-205482
Fixed an issue related to the configd process where Panorama displayed the error Server not responding when editing policies.
Addressed
11.1.3
PAN-199141
Fixed an issue where renaming a device group and then performing a partial commit led to the device group hierarchy being incorrectly changed.
Addressed
11.1.3
PAN-196395
( PA-5450 firewalls only ) Fixed an issue where the firewall accepted 12 aggregate ethernet interfaces, but you were unable to configure interfaces 9-12 via the web interface.
Addressed
11.1.3
PAN-174454
Fixed an issue where the firewall did not fetch group and user membership due to the Okta sync domain not matching the active Cloud Identity Engine domain.
Known
11.1.4
PAN-263226
This issue is now resolved. See PAN-OS 11.1.4-h4 Addressed Issues .
When SSL decryption is enabled and Client Hello messages span multiple TCP segments, elements from the proxy_l2info memory pool may not be freed properly. Memory leaks in this pool cause some SSL decryption sessions to fail.
Workaround: Disable Client Hello accumulation using the debug dataplane set ssl-decrypt accumulate-client-hello disable yes CLI command.
Known
11.1.4
PAN-263987
This issue is now resolved. See PAN-OS 11.1.4-h4 Addressed Issues .
When a NAT traversal (NAT-T or UDP encapsulation) IPSec tunnel is terminated on a Palo Alto Networks firewall and the NAT rule applied to the NAT-T IPSec tunnel is also on the same firewall, then the data traffic flowing through the NAT-T IPSec tunnel can't be NATed correctly.
Known
11.1.4
PAN-263940
On a PA-7500 Series firewall node in an NGFW cluster, if the data processing card is in slot 6, packet drops are expected.
Known
11.1.4
PAN-262556
The ElasticSearch cluster health status might continue to remain yellow for an extended period after upgrading to PAN-OS 11.1
Known
11.1.4
PAN-262287
Dereferencing a NULL pointer that occurs might cause pan_task processes to crash.
Known
11.1.4
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
11.1.4
PAN-259769
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues .
GlobalProtect portal is not accessible via a web browser and the app displays the error ERR_EMPTY_RESPONSE .
Known
11.1.4
PAN-259733
This issue is now resolved. See PAN-OS 11.1.4-h1 Addressed Issues
.
Custom reports created in PAN-OS are not deleted as expected, resulting in high memory use by the reportd process. This can lead to issues, such as out-of-memory conditions, content installation failures, and unexpected firewall reboots.
Known
11.1.4
PAN-257957
This issue affects 11.1.4-h1.
This issue is now resolved. See PAN-OS 11.1.4-h4 Addressed Issues .
If you enable FIPS-CC mode and use the PAP or CHAP authentication methods for your RADIUS server, the authd process may restart unexpectedly. To avoid this issue, use one of the following workarounds:
  • If you use PAN-OS 10.2.10-h3, 10.2.11, or an earlier version, configure the RADIUS server so that it does not send the message authenticator back to client.
  • Use other protocols, such as LDAP, Kerberos, TACACS+, SAML, RADIUS EAP, instead of RADIUS PAP or CHAP.
  • Change from FIPS mode to normal mode.
Known
11.1.4
PAN-257615
This issue is now resolved. See PAN-OS 11.1.4-h1 Addressed Issues .
The Panorama web interface intermittently displays logs or fails to display logs completely.
Known
11.1.4
PAN-255579
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues .
Demo Mode and Log Forwarding: PA-7500 Series firewalls and Panorama display data plane logs after a delay.
Known
11.1.4
PAN-255285
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues .
If only the HCSI-A link is connected on NGFW cluster nodes (the HSCI-B link is not connected) and the management interfaces goes down, the situation will result in a split brain.
Known
11.1.4
PAN-255116
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues
When QoS is applied, traffic on an NGFW cluster node going from an MC-LAG interface to a destination stops when a member of the MC-LAG goes down.
Known
11.1.4
PAN-254927
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues
Certain types of data packets sent to threat inspection processing on the Networking cards of PA-7500 Series firewalls cause a pan_task crash.
Known
11.1.4
PAN-254827
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues
When you change an IP address on a management interface on any of the NGFW cluster nodes, there's no workflow in cluster-config to detect this change, so the subsequent commit-all will not push the updated management IP address.
Workaround: You must manually make an unrelated change to cluster-config in order for Panorama to detect this change; the subsequent commit-all will push the cluster-config with the updated management IP address to cluster-manager.
Known
11.1.4
PAN-254351
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues
An NGFW cluster node could get stuck in suspended state in some cases when you use GRE tunnel termination with keepalive enabled on both ends.
Known
11.1.4
PAN-254240
In the event of an HSCI flap on an NGFW cluster node, traffic reconvergence takes three to four seconds.
Known
11.1.4
PAN-253963
The auto commit job may take longer than expected to complete when the Panorama management server is in Panorama or Log Collector mode.
Known
11.1.4
PAN-253557
In the event of a cluster manager restart on the leader node of an NGFW cluster, traffic stops because the state machine transitions to unknown and the leader is not changing.
Known
11.1.4
PAN-253466
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues
On an NGFW cluster node, an expected packet buffer leak occurs with FTP/SIP traffic over an extended period of time.
Known
11.1.4
PAN-252358
In the event of a corosync restart, an NGFW cluster node goes to failed state.
Known
11.1.4
PAN-251551
When an NGFW cluster agent crashes and doesn't recover, leader election will take approximately 45 seconds to begin and traffic failover will occur during that time.
Known
11.1.4
PAN-251501
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues
Upon a reboot, an NGFW cluster node will occasionally fail to rejoin a cluster due to a timing issue.
Known
11.1.4
PAN-250903
In a congestion scenario on an HSCI port of an NGFW cluster node, the QoS priorities of cross node traffic streams might be reversed if you're using the default QoS profile with class1 to class8 set as high to low.
Known
11.1.4
PAN-250062
This issue is now resolved. See PAN-OS 11.1.4-h4 Addressed Issues .
Device telemetry might fail at configured intervals due to bundle generation issues.
Known
11.1.4
PAN-250043
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues
On an NGFW cluster node, if you configure a QoS interface with an Egress Max (Mbps) that exceeds 68000, the operation will fail with a message indicating "...is not a valid reference.…" The QoS Max bandwidth on any interface cannot be configured to be more than 68000.
Known
11.1.4
PAN-249727
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues
On an NGFW cluster node, the Custom/Pre-defined URL category is not part of the session flow data and a promoted session after failover does not include it.
Known
11.1.4
PAN-248762
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues
A firewall using the Advanced Routing Engine configured with OSPF crashes when connecting to the neighbor while exchanging route maps.
Known
11.1.4
PAN-247974
LACP flap is expected during a device failover in an NGFW cluster due to an L2 ctrld restart on the new leader node.
Known
11.1.4
PAN-240529
Cloud application information is missing from traffic logs on NGFW cluster nodes.
Known
11.1.4
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
11.1.4
PAN-227978
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues
The UI widget does not accurately list the status of the port when NGFW clustering is enabled.
Known
11.1.4
PAN-224502
The autocommit time of the VM-Series firewall running PAN-OS 11.1.0 might take longer than expected.
Known
11.1.4
PAN-220180
Configured botnet reports ( Monitor Botnet ) are not generated.
Known
11.1.4
PAN-219644
Firewalls forwarding logs to a syslog server over TLS ( Objects Log Forwarding ) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
11.1.4
PAN-207733
When a DHCPv6 client is configured on HA Active/Passive firewalls, if the DHCPv6 server goes down, after the lease time expires, the DHCPv6 client should enter SOLICIT state on both the Active and Passive firewalls. Instead, the client is stuck in BOUND state with an IPv6 address having lease time 0 on the Passive firewall.
Known
11.1.4
PAN-207611
When a DHCPv6 client is configured on HA Active/Passive firewalls, the Passive firewall sometimes crashes.
Known
11.1.4
PAN-207442
For M-700 appliances in an active/passive high availability ( Panorama High Availability ) configuration, the active-primary HA peer configuration sync to the secondary-passive HA peer may fail. When the config sync fails, the job Results is Successful ( Tasks ), however the sync status on the Dashboard displays as Out of Sync for both HA peers.
Workaround : Perform a local commit on the active-primary HA peer and then synchronize the HA configuration.
  1. Log in to the Panorama web interface of the active-primary HA peer.
  2. Select Commit and Commit to Panorama .
  3. In the active-primary HA peer Dashboard , click Sync to Peer in the High Availability widget.
Known
11.1.4
PAN-207040
If you disable Advanced Routing, remove logical routers, and downgrade from PAN-OS 11.0.0 to a PAN-OS 10.2.x or 10.1.x release, subsequent commits fail and SD-WAN devices on Panorama have no Virtual Router name.
Known
11.1.4
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status ( Panorama Managed Collector ) displaying connected and the managed colletor Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround: Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Log in to the Dedicated Log Collector CLI .
  2. Confirm the Dedicated Log Collector is disconnected from Panorama. 
    admin> show panorama-status
    Verify the Connected status is no .
  3. Restart the mgmtsrvr process. 
    admin> debug software restart process management-server
Known
11.1.4
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
Known
11.1.4
PAN-197419
( PA-1400 Series firewalls only ) In Network Interface Ethernet , the power over Ethernet (PoE) ports do not display a Tag value.
Known
11.1.4
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
11.1.4
PAN-195968
( PA-1400 Series firewalls only ) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the CLI prints an error depending on whether an interface type was selected on the non-PoE port or not. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message will not include the interface name (eg. ethernet1/4). If an interface type was not selected before PoE was configured, the error message will include the interface name.
Known
11.1.4
PAN-194978
( PA-1400 Series firewalls only ) In Network Interface Ethernet , hovering the mouse over a power over Ethernet (PoE) Link State icon does not display link speed and link duplex details.
Known
11.1.4
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
11.1.4
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
11.1.4
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround : Use Commit Push to Devices to synchronize the templates.
Known
11.1.4
PAN-184708
Scheduled report emails ( Monitor PDF Reports Email Scheduler ) are not emailed if:
  • A scheduled report email contains a Report Group ( Monitor PDF Reports Report Group ) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround: To receive a scheduled report email for all other PDF report types:
  1. Select Monitor PDF Reports Report Groups and remove all SaaS Application Usage reports from all Report Groups.
  2. Select Monitor PDF Reports Email Scheduler and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select Disable and click OK .
    Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit .
    ( Panorama managed firewalls ) Select Commit Commit and Push
Known
11.1.4
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
11.1.4
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
11.1.4
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
11.1.4
PAN-164885
This issue is now resolved. See PAN-OS 11.1.5 Addressed Issues
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
11.1.4-h9
PAN-273215
Fixed an issue where a syntax error in the index generation script caused a high management plane CPU load after upgrading.
Addressed
11.1.4-h9
PAN-271912
Fixed an issue on Panorama where the *configd* process stopped responding when filtering in the configuration audit window after upgrading to PAN-OS 11.1.3.
Addressed
11.1.4-h9
PAN-271613
Fixed an issue where configuration pushes from Panorama to the firewall failed due to an OOXML commit error.
Addressed
11.1.4-h9
PAN-271314
Fixed an issue where pushing changes to a prefix list used for BGP from Panorama affected OSPF routes.
Addressed
11.1.4-h9
PAN-270224
Fixed an issue where indices were not opened after a query.
Addressed
11.1.4-h9
PAN-269956
Fixed an issue where the all_pktproc process stopped responding, which caused internal path monitor failures.
Addressed
11.1.4-h9
PAN-269899
Fixed an issue where the Panorama web interface was slower than expected when querying for device tags.
Addressed
11.1.4-h9
PAN-269673
Fixed an issue where ElasticSearch was not set up after an upgrade.
Addressed
11.1.4-h9
PAN-269000
Fixed an issue where the firewall stopped responding due to a NULL pointer dereference when path monitoring failed.
Addressed
11.1.4-h9
PAN-268972
Fixed an issue where Panorama was slower than expected when using a high number of device group tags in a non-shared context.
Addressed
11.1.4-h9
PAN-268501
Fixed an issue where the firewall was unable to generate a TSF file due to a full root partition.
Addressed
11.1.4-h9
PAN-266639
Fixed an issue where administrators were unable to edit or add virtual router configurations when a filter was applied to the viewer.
Addressed
11.1.4-h9
PAN-266114
Fixed an issue where, when a new set of URL logs came in, the content of the earlier URL and traffic logs were lost.
Addressed
11.1.4-h9
PAN-265973
Fixed an issue where administrator sessions were logged out with an ERR_CONNECTION_REFUSED error on the browser.
Addressed
11.1.4-h9
PAN-265742
Fixed an issue on the Panorama web interface where the OK button on the GlobalProtect gateway configuration dialog box was not clickable.
Addressed
11.1.4-h9
PAN-265219
( VM-Series firewalls only ) Fixed an issue where GRE traffic did not work properly.
Addressed
11.1.4-h9
PAN-264871
Fixed an issue on Panorama where the configd process stopped responding when viewing IP addresses on dynamic address groups with a large number of IP addresses.
Addressed
11.1.4-h9
PAN-264249
Fixed an issue on the firewall where SNMP queries timed out when using SNMP.
Addressed
11.1.4-h9
PAN-263973
Fixed an issue where log collectors had a low incoming log rate.
Addressed
11.1.4-h9
PAN-263287
The PAN-COMMON-MIB.my file was updated to support new object identifiers (OID) to poll interface use via SNMP with table identifiers.
Addressed
11.1.4-h9
PAN-263208
( PA-5400f firewalls only ) Fixed an issue where interrupts were generated at a certain packet rate, and dataplane processes missed heartbeats, which caused the dataplane to go down.
Addressed
11.1.4-h9
PAN-263017
Fixed an issue where the firewall was unable to mount a disk partition due to a corrupted filesystem.
Addressed
11.1.4-h9
PAN-261485
Fixed an issue where the firewall dropped the Real Time Transport Protocol (RTP) session for the second SIP call on Persistent-DIPP connections when the source port of the client device was reset.
Addressed
11.1.4-h9
PAN-260604
Fixed an issue where the firewall displayed inaccurate throughput utilization stats in NetFlow analyzer tools.
Addressed
11.1.4-h9
PAN-260512
Fixed an issue where accessing the IP address of the device address group objects from the user interface caused the configd process to stop responding.
Addressed
11.1.4-h9
PAN-260461
Fixed an issue where traffic logs showed a non-zero destination port number on ICMP echo sessions through the firewall.
Addressed
11.1.4-h9
PAN-260417
Fixed an issue on Panorama where UpdateLicDB was triggered every few minutes when firewalls with PAYG licenses were onboarded.
Addressed
11.1.4-h9
PAN-260235
Fixed an issue where the firewall sent Threat logs and URL logs to an external syslog server without Security profile settings when Enhanced Application Logging was enabled.
Addressed
11.1.4-h9
PAN-259910
Fixed an issue where the firewall reported the same value over consecutive SNMP polls when asynchronous mode was enabled.
Addressed
11.1.4-h9
PAN-259881
Fixed an issue on Panorama where traffic log details were not displayed under detailed log view .
Addressed
11.1.4-h9
PAN-259802
( Panorama appliances in high availability (HA) clusters only ) Fixed an issue where, after replacing a secondary Panorama appliance in a Panorama HA cluster, the ElasticSearch cluster was unable to establish SSL tunnels due to SSLHandshakeException errors.
Addressed
11.1.4-h9
PAN-259078
Fixed an issue where WildFire Analysis reports were not generated and the following error message was displayed: Error 500: Internal Server Error .
Addressed
11.1.4-h9
PAN-258799
Fixed an issue where, when updating a Security Policy Policy Optimizer , the web interface stopped responding.
Addressed
11.1.4-h9
PAN-257961
Fixed an issue on Panorama where Test Security Policy Match failed when the From or To zone fields were populated.
Addressed
11.1.4-h9
PAN-255915
Fixed an issue where a memory leak in the sslmgr process caused the firewall to restart.
Addressed
11.1.4-h9
PAN-254904
Fixed an issue on Panorama where a core file was generated by /usr/local/bin/logd during a restart.
Addressed
11.1.4-h9
PAN-254577
Fixed an issue where a core file was created on the Log Forwarding Card (LFC) due to a third-party software issue.
Addressed
11.1.4-h9
PAN-253829
Fixed an issue where the CLI command show running security-policy timed out when the Security policy was large.
Addressed
11.1.4-h9
PAN-252381
Fixed an issue where the Panorama web interface was slower than expected when opening interfaces, virtual routers, and zones in a template or template stack.
Addressed
11.1.4-h9
PAN-250394
Fixed an issue where a large amount of group data caused serialization errors and prevented synchronization.
Addressed
11.1.4-h9
PAN-249581
Fixed an issue where stale BGP routes were advertised to peers even when they were not present in the local RIB table.
Addressed
11.1.4-h9
PAN-246699
Fixed an issue on Panorama where the Rule Usage and Apps Seen under Security policy rules stopped incrementing.
Addressed
11.1.4-h9
PAN-246567
Fixed an issue where a firewall with a copper SFP transceiver (PAN-SFP-CG) flapped during a commit.
Addressed
11.1.4-h9
PAN-242331
Fixed an issue where Prisma Access remote network firewalls intermittently created incorrect user-to-IP-address mappings.
Addressed
11.1.4-h9
PAN-241004
Fixed an issue where DNS Proxy dropped client requests of the type ns for a root domain.
Addressed
11.1.4-h9
PAN-235808
( Panorama appliances in Log Collector mode only ) Fixed an issue where an unnamed core file was generated after a reboot.
Addressed
11.1.4-h9
PAN-233197
Fixed an issue where the CLI command to set the FEC parameter for the front panel ports was not supported on platforms supporting 25G and 100G.
Addressed
11.1.4-h7
PAN-272809
A fix was made to address CVE-2024-0012 ( PAN-SA-2024-0015 ) and CVE-2024-9474 .
Addressed
11.1.4-h7
PAN-268823
Fixed an issue where Monitor Log Display did not display all logs when you applied a filter.
Addressed
11.1.4-h7
PAN-265785
Fixed an issue where the firewall rebooted due to a sysd variable being modified before it was created.
Addressed
11.1.4-h7
PAN-264883
( PA-7080 appliances with LPCs only ) Fixed an issue where syslog forwarding over TCP stopped after upgrading.
Addressed
11.1.4-h7
PAN-263369
Fixed an issue where commits from Panorama to Panorama virtual appliances failed with the error message Internal error during commit processing. Commit/Validate failed after upgrading Panorama.
Addressed
11.1.4-h7
PAN-261673
( VM-Series firewalls on Microsoft Azure environments only ) Fixed an issue where, when Accelerated Networking was enabled, traffic was dropped because of the flow_parse_ip_hdr counter related to an Nvidia driver issue.
Addressed
11.1.4-h7
PAN-261371
( PA-5410 firewalls in active/passive high availability (HA) configurations only ) Fixed an issue where the reportd process restarted, which caused the firewall to reboot.
Addressed
11.1.4-h7
PAN-261209
( Firewalls in active/active HA configuration only ) Fixed an issue where the firewall displayed the HA2 status as down when the HSCI port was used for both HA2 and HA3.
Addressed
11.1.4-h7
PAN-260905
Fixed an issue where the HS: Fiber Port Eth1/2 did not come up on a cold boot and remained in an incorrect state.
Addressed
11.1.4-h7
PAN-260549
Fixed an issue where the management plane CPU usage was not calculated correctly on firewalls with integrated an dataplane and management plane.
Addressed
11.1.4-h7
PAN-260316
Fixed an issue where the all_task process stopped responding and the firewall rebooted.
Addressed
11.1.4-h7
PAN-259351
( PA-3410 and PA-3220 firewalls only ) Fixed an issue where the all_task process repeatedly restarted, which caused the firewall to reboot.
Addressed
11.1.4-h7
PAN-259002
Fixed an issue where frequent external dynamic list updates caused the configd process to restart.
Addressed
11.1.4-h7
PAN-257601
( PA-5450 firewalls only ) Fixed an issue where Networking Cards (NC) experienced an internal link fault which caused path monitoring failure on the Dataplane Processing Card (DPC).
Addressed
11.1.4-h7
PAN-257327
Fixed an issue where a failover event occurred unexpectedly on the firewall.
Addressed
11.1.4-h7
PAN-256223
Fixed an issue where device telemetry log collection filled the root partition.
Addressed
11.1.4-h7
PAN-254794
Fixed an issue where the Panorama management server stopped responding.
Addressed
11.1.4-h7
PAN-249384
Fixed an issue on Panorama where configuration locks were observed during a partial rulebase commit.
Addressed
11.1.4-h7
PAN-243240
Fixed an issue where the using QoS caused packet buffer utilization to increase exponentially and the PKI POOL DFLT pool depleted until a reboot was performed.
Addressed
11.1.4-h7
PAN-242479
Fixed an issue where a high number of packets caused high packet descriptors on the firewall when handling EtherIP traffic.
Addressed
11.1.4-h7
PAN-230893
Added a CLI command to address an issue where system lock files blocked authentication.
Addressed
11.1.4-h4
PAN-265963
Fixed an issue where the escd process caused a memory leak when session resiliency was enabled on the firewall.
Addressed
11.1.4-h4
PAN-265349
Fixed an issue where multiple segments of HTTP proxy connect messages were not handled correctly by proxy.
Addressed
11.1.4-h4
PAN-264421
Fixed an issue on Panorama where Push Scope did not populate automatically after changing the device group configuration.
Addressed
11.1.4-h4
PAN-263987
Fixed an issue on the firewall where, when a NAT transversal IPSec tunnel was terminated, and the NAT rule that was applied to the NAT-T IPSec tunnel was on the same firewall, traffic flowing through the tunnel was not correctly translated.
Addressed
11.1.4-h4
PAN-263559
Fixed an issue where the dataplane stopped responding and the firewall unexpectedly rebooted due to multiple process restarts.
Addressed
11.1.4-h4
PAN-263226
Fixed an issue where, when SSL decryption was enabled and Client Hello messages spanned multiple TCP segments, some SSL decrypted sessions failed.
Addressed
11.1.4-h4
PAN-262593
Fixed an issue where traffic to websites failed on the Google Chrome web browser on Secure Web Gateway (SWG) nodes.
Addressed
11.1.4-h4
PAN-262340
Fixed an issue where FQDN resolution failed for address objects, and all FQDN traffic was denied by the interzone-default policy rule.
Addressed
11.1.4-h4
PAN-262287
Fixed an issue where dereferencing a NULL pointer that occurred when App-ID stopped responding caused the firewall to restart.
Addressed
11.1.4-h4
PAN-261991
Fixed an issue where traffic that did not match a decryption policy rule, or matched a no-decrypt policy rule, failed when accumulation proxy was enabled and a Zone Protection profile was configured with syn-cookies enabled.
Addressed
11.1.4-h4
PAN-261917
Fixed an issue where websites with a no-decrypt policy rule were decrypted in traffic log when using a Google Chrome browser with PQC enabled.
Addressed
11.1.4-h4
PAN-261909
Fixed an issue where the GlobalProtect client did not display the dialog box for an MFA verification code.
Addressed
11.1.4-h4
PAN-261489
Fixed an issue where an out-of-memory (OOM) condition caused a firewall outage.
Addressed
11.1.4-h4
PAN-261484
Fixed an issue on the firewall where DPDK allocated twice the amount of memory as requested for pre-allocation.
Addressed
11.1.4-h4
PAN-261001
Fixed an issue where GlobalProtect users were unable to switch gateways after upgrading to GlobalProtect version 6.2.3.
Addressed
11.1.4-h4
PAN-260974
Fixed an issue where the Cloud Identity Engine (CIE) user context did not correctly redistribute user/IP address port mapping to on-premises firewalls.
Addressed
11.1.4-h4
PAN-259997
( PA-3410, PA-3420, and PA-3430 firewalls only ) Fixed an issue where the install failed when upgrading from PAN-OS 10.2.3-h3 and later 10.2 releases to PAN-OS 10.2.10 due to the number of configured vsys zones exceeding the zone limit in PAN-OS 10.2.10.
Addressed
11.1.4-h4
PAN-259769
Fixed an issue where the GlobalProtect portal was not accessible via a web browser and displayed the error ERR_EMPTY_RESPONSE .
Addressed
11.1.4-h4
PAN-259151
Fixed an issue where unused objects were pushed to the firewall, which caused configuration pushes to fail with the error Number of address groups exceed platform capacity .
Addressed
11.1.4-h4
PAN-258736
Fixed an issue where policy rule configurations pushed from Panorama were not reflected on the firewall if the rule had 63 characters.
Addressed
11.1.4-h4
PAN-258225
Fixed an issue on the Panorama web interface where Security policy rules loaded more slowly than expected.
Addressed
11.1.4-h4
PAN-257957
( Firewalls and Panorama appliances in FIPS-CC mode only ) Fixed an issue where the authd process restarted if RADIUS PAP/CHAP authentication was used.
Addressed
11.1.4-h4
PAN-257925
( CN-Series firewalls only ) Fixed an issue where the CLI command show system setting ctd state did not work as expected.
Addressed
11.1.4-h4
PAN-256725
Fixed an issue on the Panorama interface where Traffic and Unified event details loaded more slowly than expected.
Addressed
11.1.4-h4
PAN-256666
Fixed an issue where the configd process stopped responding when Commit and Push operations were performed on multiple device groups.
Addressed
11.1.4-h4
PAN-256385
( CN-Series firewalls only ) Fixed an issue where communication was broken between the management plane and the dataplane when anti-spyware profiles were configured in a Security policy rule.
Addressed
11.1.4-h4
PAN-256350
Fixed an issue where, when you cloned an admin role or an LDAP server profile and then changed the name of the clone, the configuration change was not reflected on the managed firewall after pushing the configuration from Panorama.
Addressed
11.1.4-h4
PAN-256320
( Firewalls in active/passive HA configurations only ) Fixed an issue where GTP sessions remained as allocated sessions on the passive firewall even when there were no active sessions.
Addressed
11.1.4-h4
PAN-255930
Fixed an issue where persistent DIPP NAT entries were deleted even when being used during an active session.
Addressed
11.1.4-h4
PAN-255266
Fixed an issue where you were unable to clone a template stack with the Pre-Shared Key variable.
Addressed
11.1.4-h4
PAN-254826
Fixed an issue where the firewall stopped responding when processing traffic.
Addressed
11.1.4-h4
PAN-254671
Fixed an issue where excessive Timed out while getting config lock error messages were generated when making bulk changes via XML API.
Addressed
11.1.4-h4
PAN-254423
Fixed an issue on Panorama where custom role-based admin users with read only access were able to make changes to configurations.
Addressed
11.1.4-h4
PAN-253626
Fixed an issue on Panorama where unused objects were pushed to the firewall, which caused the push operations to intermittently fail.
Addressed
11.1.4-h4
PAN-253213
Fixed an issue where the firewall sent HIP notifications every time it received a HIP report instead of every two hours.
Addressed
11.1.4-h4
PAN-252300
Fixed an issue where you were unable to select device groups in the push scope for user accounts.
Addressed
11.1.4-h4
PAN-251676
Fixed an issue on Panorama appliances in large-scale deployments where configd process core files consumed more space in the /opt/panlogs partition than was available.
Addressed
11.1.4-h4
PAN-251655
Fixed an issue where the firewall stopped forwarding files to the WildFire cloud and a restart of the varrcvr process was required.
Addressed
11.1.4-h4
PAN-250787
Fixed an issue where network issues between the firewall and the log collector caused logrcvr process memory exhaustion.
Addressed
11.1.4-h4
PAN-250419
Fixed an issue where XML API explorer inserted a plus (+) character in the Xpath when a space was used in the object name.
Addressed
11.1.4-h4
PAN-250062
Fixed an issue where device telemetry failed after upgrading due to bundle generation failure.
Addressed
11.1.4-h4
PAN-249266
Fixed an issue where the config process virtual memory was exceeded due to delays in post-commit processing.
Addressed
11.1.4-h4
PAN-249011
Fixed an issue where the firewall became unresponsive when committing a configuration change with a large number of uncommitted changes in the replay database.
Addressed
11.1.4-h4
PAN-247099
Fixed an issue where the firewall decrypted traffic unexpectedly when the client hello was spread across multiple packets.
Addressed
11.1.4-h4
PAN-246304
Fixed an issue on Panorama where commits failed due to a timeout in the sysd process during decryption.
Addressed
11.1.4-h4
PAN-246220
Fixed an issue where a dynamic peer connection was rejected when using an FQDN for the peer address.
Addressed
11.1.4-h4
PAN-244039
( PA-5450 firewalls only ) Fixed an issue where the firewall dropped packets when attempting to reuse a TCP session.
Addressed
11.1.4-h4
PAN-243098
Fixed an issue with corrupted images when SSL decryption and Security profiles were configured.
Addressed
11.1.4-h4
PAN-241781
Fixed an issue where partial commit and commit-all operations took more time than expected to create the job ID.
Addressed
11.1.4-h4
PAN-241044
Fixed an issue where traffic was denied by the interzone-default policy rule when a Security policy rule with an FQDN destination was configured.
Addressed
11.1.4-h4
PAN-234560
Fixed an issue where the daily summary report displayed IPv6 addresses instead of IPv4 addresses.
Addressed
11.1.4-h4
PAN-233727
Fixed an issue on the web interface where the following error message was incorrectly displayed for an IKE gateway with a valid configuration: ikev2->pq-ppk->negotiation-mode is invalid .
Addressed
11.1.4-h4
PAN-237582
Fixed an issue where logs were intermittently missing on the log collector due to missing aliases for some indices
Addressed
11.1.4-h4
PAN-234094
Fixed an issue on Panorama where Deploy Master Key resulted in the error message Failed to communicate with device due to a low connection timeout value.
Addressed
11.1.4-h4
PAN-232214
Fixed an issue where GlobalProtect clients remained in the connecting state during portal pre-login when Kerberos single sign-on (SSO) was enabled.
Addressed
11.1.4-h4
PAN-230825
Fixed an issue where link flaps occurred on Panorama appliances in HA configurations.
Addressed
11.1.4-h1
PAN-245690
Fixed an issue where the Managed Collectors health status on Panorama displayed as empty.
Addressed
11.1.4-h1
PAN-259733
Fixed an issue where a custom report was not deleted on Panorama when expected.
Addressed
11.1.4-h1
PAN-259480
Fixed an issue where the varrcvr process stopped responding after running out of memory due to how the process queued and dequeued files for WildFire file forwarding when a WildFire Analysis Security profile was enabled.
Addressed
11.1.4-h1
PAN-257615
Fixed an issue on Panorama where logs did not display or displayed intermittently on the web interface.
Addressed
11.1.4-h1
PAN-257462
Fixed an issue related to the varrcvr process where the management plane CPU was higher than expected during WildFire updates.
Addressed
11.1.4-h1
PAN-257028
( Firewalls in active/passive HA configurations only ) Fixed an issue where firewalls entered a non-functional state and displayed the error message Dataplane down: path monitor failure during the fail-over .
Addressed
11.1.4-h1
PAN-255711
Fixed an issue where the firewall displayed a malformed request error when selecting a custom format and clicking OK on the configuration window due to the log type Correlation incorrectly being displayed ( Device > Log Setting - Correlation > Syslog Server Profile > Custom Log Format > Correlation ).
Addressed
11.1.4-h1
PAN-254373
Fixed an issue where the firewall did not handle error code 500 responses from the WildFire cloud correctly.
Addressed
11.1.4-h1
PAN-225213
Fixed an issue where Push All Changes displayed changes that were already committed in the push scope for another device group after performing a selective commit and selective push to the first device group.
Addressed
11.1.4
PAN-256181
Fixed an issue where the management interface and front panel port interface statistics were not populated in asynchronous mode of SNMP operations.
Addressed
11.1.4
PAN-255868
( PA-3400 Series firewalls only ) Fixed an issue where the firewall entered maintenance mode after enabling kernel data collection during the silent reboot.
Addressed
11.1.4
PAN-253317
( VM-Series firewalls on Microsoft Azure environments only ) Fixed an issue where you were unable to log in to the firewall after a private data reset.
Addressed
11.1.4
PAN-252517
Fixed an issue where SNMP failed to respond to multiple Object Identifier (OID) queries in a single SNMP GET request.
Addressed
11.1.4
PAN-251639
Fixed an issue where an out of memory condition might occur due to a memory leak in the varrcvr process when a Wildfire Analysis security profile is enabled.
Addressed
11.1.4
PAN-250597
Fixed an issue where Global Find for a Panorama pushed shared address object displayed Others in the results.
Addressed
11.1.4
PAN-250270
Fixed an issue where partial commits did not merge changes when the complete rule base was updated with edit operations via XML API.
Addressed
11.1.4
PAN-249814
Fixed an issue where multiple all_task processes stopped responding, which caused the dataplane to fail.
Addressed
11.1.4
PAN-245157
( VM-Series firewalls in Microsoft Azure environments only ) Fixed an issue where the firewall restarted after an HA failover when DPDK was enabled.
Addressed
11.1.4
PAN-245125
( VM-Series firewalls in Microsoft Azure environments only ) Fixed an issue where file descriptors were not closed due to invalid configurations.
Addressed
11.1.4
PAN-244746
Fixed an issue where changes committed on Panorama were not reflected on the firewall after a successful push.
Addressed
11.1.4
PAN-238183
Fixed an issue where Panorama displayed deviating device system logs for non-connected interfaces.
Addressed
11.1.4
PAN-236497
Fixed an issue where the firewall was unable to purge expired GTP-U sessions that remained as allocated sessions even after the TTL was expired.
Addressed
11.1.4
PAN-234977
Fixed an issue where, when a Layer 2 interface that was a member of a VLAN was down, all traffic transmitted over the VLAN was dropped.
Addressed
11.1.4
PAN-231642
Fixed an issue on the Panorama web interface where users that were logged in through multiple sessions were able to see an active lock on only one session.
Addressed
11.1.4
PAN-214773
Fixed an issue where RTP packets traversing inter-vsys were dropped on the outgoing vsys.
Addressed
11.1.4
PAN-202095
Fixed an issue on the web interface where the language setting was not retained.
Known
11.1.5
PAN-263940
On a PA-7500 Series firewall node in an NGFW cluster, if the data processing card is in slot 6, packet drops are expected.
Known
11.1.5
PAN-262556
The ElasticSearch cluster health status might continue to remain yellow for an extended period after upgrading to PAN-OS 11.1
Known
11.1.5
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
11.1.5
PAN-259733
This issue is now resolved. See PAN-OS 11.1.4-h1 Addressed Issues
.
Custom reports created in PAN-OS are not deleted as expected, resulting in high memory use by the reportd process. This can lead to issues, such as out-of-memory conditions, content installation failures, and unexpected firewall reboots.
Known
11.1.5
PAN-257615
This issue is now resolved. See PAN-OS 11.1.4-h1 Addressed Issues .
The Panorama web interface intermittently displays logs or fails to display logs completely.
Known
11.1.5
PAN-254240
In the event of an HSCI flap on an NGFW cluster node, traffic reconvergence takes three to four seconds.
Known
11.1.5
PAN-253963
The auto commit job may take longer than expected to complete when the Panorama management server is in Panorama or Log Collector mode.
Known
11.1.5
PAN-252358
In the event of a corosync restart, an NGFW cluster node goes to failed state.
Known
11.1.5
PAN-251551
When an NGFW cluster agent crashes and doesn't recover, leader election will take approximately 45 seconds to begin and traffic failover will occur during that time.
Known
11.1.5
PAN-250903
In a congestion scenario on an HSCI port of an NGFW cluster node, the QoS priorities of cross node traffic streams might be reversed if you're using the default QoS profile with class1 to class8 set as high to low.
Known
11.1.5
PAN-247974
LACP flap is expected during a device failover in an NGFW cluster due to an L2 ctrld restart on the new leader node.
Known
11.1.5
PAN-240529
Cloud application information is missing from traffic logs on NGFW cluster nodes.
Known
11.1.5
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
11.1.5
PAN-224502
The autocommit time of the VM-Series firewall running PAN-OS 11.1.0 might take longer than expected.
Known
11.1.5
PAN-220180
Configured botnet reports ( Monitor Botnet ) are not generated.
Known
11.1.5
PAN-219644
Firewalls forwarding logs to a syslog server over TLS ( Objects Log Forwarding ) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
11.1.5
PAN-207733
When a DHCPv6 client is configured on HA Active/Passive firewalls, if the DHCPv6 server goes down, after the lease time expires, the DHCPv6 client should enter SOLICIT state on both the Active and Passive firewalls. Instead, the client is stuck in BOUND state with an IPv6 address having lease time 0 on the Passive firewall.
Known
11.1.5
PAN-207611
When a DHCPv6 client is configured on HA Active/Passive firewalls, the Passive firewall sometimes crashes.
Known
11.1.5
PAN-207442
For M-700 appliances in an active/passive high availability ( Panorama High Availability ) configuration, the active-primary HA peer configuration sync to the secondary-passive HA peer may fail. When the config sync fails, the job Results is Successful ( Tasks ), however the sync status on the Dashboard displays as Out of Sync for both HA peers.
Workaround : Perform a local commit on the active-primary HA peer and then synchronize the HA configuration.
  1. Log in to the Panorama web interface of the active-primary HA peer.
  2. Select Commit and Commit to Panorama .
  3. In the active-primary HA peer Dashboard , click Sync to Peer in the High Availability widget.
Known
11.1.5
PAN-207040
If you disable Advanced Routing, remove logical routers, and downgrade from PAN-OS 11.0.0 to a PAN-OS 10.2.x or 10.1.x release, subsequent commits fail and SD-WAN devices on Panorama have no Virtual Router name.
Known
11.1.5
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status ( Panorama Managed Collector ) displaying connected and the managed colletor Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround: Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Log in to the Dedicated Log Collector CLI .
  2. Confirm the Dedicated Log Collector is disconnected from Panorama. 
    admin> show panorama-status
    Verify the Connected status is no .
  3. Restart the mgmtsrvr process. 
    admin> debug software restart process management-server
Known
11.1.5
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
Known
11.1.5
PAN-197419
( PA-1400 Series firewalls only ) In Network Interface Ethernet , the power over Ethernet (PoE) ports do not display a Tag value.
Known
11.1.5
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
11.1.5
PAN-195968
( PA-1400 Series firewalls only ) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the CLI prints an error depending on whether an interface type was selected on the non-PoE port or not. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message will not include the interface name (eg. ethernet1/4). If an interface type was not selected before PoE was configured, the error message will include the interface name.
Known
11.1.5
PAN-194978
( PA-1400 Series firewalls only ) In Network Interface Ethernet , hovering the mouse over a power over Ethernet (PoE) Link State icon does not display link speed and link duplex details.
Known
11.1.5
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
11.1.5
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
11.1.5
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround : Use Commit Push to Devices to synchronize the templates.
Known
11.1.5
PAN-184708
Scheduled report emails ( Monitor PDF Reports Email Scheduler ) are not emailed if:
  • A scheduled report email contains a Report Group ( Monitor PDF Reports Report Group ) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround: To receive a scheduled report email for all other PDF report types:
  1. Select Monitor PDF Reports Report Groups and remove all SaaS Application Usage reports from all Report Groups.
  2. Select Monitor PDF Reports Email Scheduler and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select Disable and click OK .
    Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit .
    ( Panorama managed firewalls ) Select Commit Commit and Push
Known
11.1.5
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
11.1.5
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
11.1.5
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Addressed
11.1.5-h1
PAN-272809
A fix was made to address CVE-2024-0012 ( PAN-SA-2024-0015 ) and CVE-2024-9474 .
Addressed
11.1.5
PAN-268823
Fixed an issue where Monitor > Log Display did not display all logs when you applied a filter.
Addressed
11.1.5
PAN-265963
Fixed an issue where the escd process caused a memory leak when session resiliency was enabled on the firewall.
Addressed
11.1.5
PAN-265785
Fixed an issue where the firewall rebooted due to a sysd variable being modified before it was created.
Addressed
11.1.5
PAN-265462
Fixed an issue where you were unable to download PDFs when connected via a Clientless VPN.
Addressed
11.1.5
PAN-265344
Fixed an issue where Import GlobalProtect Client Package did not work after clicking OK after selecting a valid package under Device > GlobalProtect Client > Upload ).
Addressed
11.1.5
PAN-265287
Fixed an issue where the firewall experienced a packet buffer leak in the dataplane of the network processing card (NPC) when processing certain net messages.
Addressed
11.1.5
PAN-264806
( PA-3440 firewalls only ) Fixed an issue where the firewall was unable to validate or commit a configuration when it was imported from another firewall model.
Addressed
11.1.5
PAN-264369
Fixed an issue where the 7 Day Threat Report was empty in the scheduled reports sent via email.
Addressed
11.1.5
PAN-264249
Fixed an issue on the firewall where SNMP queries timed out when using SNMP.
Addressed
11.1.5
PAN-263987
Fixed an issue on the firewall where, when a NAT transversal IPSec tunnel was terminated, and the NAT rule that was applied to the NAT-T IPSec tunnel was on the same firewall, traffic flowing through the tunnel was not correctly translated.
Addressed
11.1.5
PAN-263956
( PA-440 firewalls only ) Fixed an issue where a firewall running PAN-OS 11.1.2-h3 only displayed the Auto option for the interface duplex setting.
Addressed
11.1.5
PAN-263505
( PA-850 firewalls only ) Fixed an issue where the firewall stopped responding and rebooted after upgrading to PAN-OS 11.1.4.
Addressed
11.1.5
PAN-263287
The PAN-COMMON-MIB.my file was updated to support new object identifiers (OID) to poll interface use via SNMP with table identifiers.
Addressed
11.1.5
PAN-263278
Fixed an issue where the management interface flapped when IPv6 was disabled and DHCPv6 was enabled.
Addressed
11.1.5
PAN-263226
Fixed an issue where, when SSL decryption was enabled and Client Hello messages spanned multiple TCP segments, some SSL decrypted sessions failed.
Addressed
11.1.5
PAN-263164
Fixed an issue where Netflow User ID information was truncated to 31 characters.
Addressed
11.1.5
PAN-262902
Fixed an issue on the web interface where cloning region objects did not work.
Addressed
11.1.5
PAN-262593
Fixed an issue where traffic to websites failed on the Google Chrome web browser on Secure Web Gateway (SWG) nodes.
Addressed
11.1.5
PAN-262415
Fixed an issue where a partial configuration load failed for configuration files that contained regenerate-hostkeys .
Addressed
11.1.5
PAN-262410
Fixed an issue where the App Scope graph did not display for all days when selecting Last 60 days or Last 90 days .
Addressed
11.1.5
PAN-262340
Fixed an issue where FQDN resolution failed for address objects, and all FQDN traffic was denied by the interzone-default policy rule.
Addressed
11.1.5
PAN-262287
Fixed an issue where dereferencing a NULL pointer that occurred when App-ID stopped responding caused the firewall to restart.
Addressed
11.1.5
PAN-262254
Fixed an issue where the firewall experienced an OOM condition and the useridd process stopped responding, which caused the firewall to drop interfaces from their respective aggregate groups.
Addressed
11.1.5
PAN-261991
Fixed an issue where traffic that did not match a decryption policy rule, or matched a no-decrypt policy rule, failed when accumulation proxy was enabled and a Zone Protection profile was configured with syn-cookies enabled.
Addressed
11.1.5
PAN-261935
Fixed an issue where the firewall unexpectedly rebooted when replacing or inserting SFPs from an old firewall into a new RMA firewall.
Addressed
11.1.5
PAN-261831
( Firewalls in HA configuration only ) Fixed an issue where link-down events did not occur after an HA failover.
Addressed
11.1.5
PAN-261671
Fixed an issue where GlobalProtect clients randomly fell back to the SSL tunnel as the gateway dropped the initial three keepalive packets.
Addressed
11.1.5
PAN-261639
Fixed an issue where the firewall incorrectly logged the XFF IP in threat logs when a single HTTP header was used.
Addressed
11.1.5
PAN-261489
Fixed an issue where an out-of-memory (OOM) condition caused a firewall outage.
Addressed
11.1.5
PAN-261485
Fixed an issue where the firewall dropped the Real Time Transport Protocol (RTP) session for the second SIP call on Persistent-DIPP connections when the source port of the client device was reset.
Addressed
11.1.5
PAN-261484
Fixed an issue on the firewall where DPDK allocated twice the amount of memory as requested for pre-allocation.
Addressed
11.1.5
PAN-261371
( PA-5410 firewalls in active/passive HA configurations only ) Fixed an issue where the reportd process restarted, which caused the firewall to reboot.
Addressed
11.1.5
PAN-261209
( Firewalls in active/active HA configuration only ) Fixed an issue where the firewall displayed the HA2 status as down when the HSCI port was used for both HA2 and HA3.
Addressed
11.1.5
PAN-261174
Fixed an issue on Panorama where importing a certificate for a template stack configuration incorrectly prompted for a passphrase as a required field.
Addressed
11.1.5
PAN-261028
Fixed an issue where the firewall did not autocommit after a reboot when the cellular interface was configured as a local interface for the IPSec Satellite and the IP address was allocated dynamically.
Addressed
11.1.5
PAN-261019
Fixed an issue where Evasive Empire C2 Traffic Detection generated benign verdicts and max latency timeout logs simultaneously when the MICA ATP action was configured as reset-both .
Addressed
11.1.5
PAN-260974
Fixed an issue where the Cloud Identity Engine (CIE) user context did not correctly redistribute user/IP address port mapping to on-premises firewalls.
Addressed
11.1.5
PAN-260928
Fixed an issue where GlobalProtect failed to connect when using LDAP authentication with machine certificates with the error message You are not authorized to connect to GlobalProtect portal .
Addressed
11.1.5
PAN-260905
Fixed an issue where the HS: Fiber Port Eth1/2 did not come up on a cold boot and remained in an incorrect state.
Addressed
11.1.5
PAN-260842
A CLI command was introduced to address an issue where TCP packets were out of order.
Addressed
11.1.5
PAN-260633
Fixed an issue where the firewall did not send a client certificate after a TLS Certificate Request when establishing a secure syslog connection.
Addressed
11.1.5
PAN-260549
Fixed an issue where the management plane CPU usage was not calculated correctly on firewalls with integrated an dataplane and management plane.
Addressed
11.1.5
PAN-260546
( PA-440 firewalls only ) Fixed an issue where the system clock reset to the epoch date and time after 8 to 12 weeks of shelf life or no power.
Addressed
11.1.5
PAN-260512
Fixed an issue where accessing the IP address of the device address group objects from the user interface caused the configd process to stop responding.
Addressed
11.1.5
PAN-260316
Fixed an issue where the all_task process stopped responding and the firewall rebooted.
Addressed
11.1.5
PAN-260218
Fixed an issue where BGP Aggregate Advertise filters did not work as expected when the summary option was enabled, and only summarized routes were advertised.
Addressed
11.1.5
PAN-260193
Fixed an issue where GlobalProtect on macOS clients did not connect when using a client certificate and the X.509 policy was set to Use System Default .
Addressed
11.1.5
PAN-260132
Fixed an issue where secondary IP addresses with a /32 prefix configured on Layer 3 interfaces were not reachable in FRR mode.
Addressed
11.1.5
PAN-260114
Fixed an issue where the firewall generated a devsrvr core file when processes were restarted.
Addressed
11.1.5
PAN-259910
Fixed an issue where the firewall reported the same value over consecutive SNMP polls when asynchronous mode was enabled.
Addressed
11.1.5
PAN-259883
Fixed an issue where the firewalls behind an Amazon Web Services (AWS) Gateway Load Balancer (GWLB) stopped responding when processing GENEVE packets with the reserved bit set.
Addressed
11.1.5
PAN-259881
Fixed an issue on Panorama where traffic log details were not displayed under detailed log view .
Addressed
11.1.5
PAN-259802
( Panorama appliances in HA clusters only ) Fixed an issue where, after replacing a secondary Panorama appliance in a Panorama HA cluster, the ElasticSearch cluster was unable to establish SSL tunnels due to SSLHandshakeException errors.
Addressed
11.1.5
PAN-259769
Fixed an issue where the GlobalProtect portal was not accessible via a web browser and displayed the error ERR_EMPTY_RESPONSE .
Addressed
11.1.5
PAN-259706
Fixed an issue on Panorama where the web interface was slower than expected or unresponsive when monitoring definitions were added in the Kubernetes plugin.
Addressed
11.1.5
PAN-259535
Fixed an issue where the firewall failed to boot up after running power cycle tests due to ehmon process heartbeat failures.
Addressed
11.1.5
PAN-259370
Fixed an issue on the web interface where Correlation Log Detail > Match Evidence did not populate.
Addressed
11.1.5
PAN-259351
A fix was made to address CVE-2024-3393 .
Addressed
11.1.5
PAN-259344
Fixed an issue where performing a configuration commit on a firewall locally or from Panorama caused a memory leak related to the configd process and resulted in an OOM condition.
Addressed
11.1.5
PAN-259200
Fixed an issue where the firewall displayed truncated zone names in the Block IP List log when a zone name contained more than 14 characters.
Addressed
11.1.5
PAN-259151
Fixed an issue where unused objects were pushed to the firewall, which caused configuration pushes to fail with the error Number of address groups exceed platform capacity .
Addressed
11.1.5
PAN-259002
Fixed an issue where frequent external dynamic list updates caused the configd process to restart.
Addressed
11.1.5
PAN-258996
Fixed an issue where the firewall displayed the SFP ports as PowerDown when the SFP transceiver was removed and reinserted or the port was shut down and brought back up on the peer device.
Addressed
11.1.5
PAN-258757
Fixed an issue on Panorama where upgrades failed with validation errors.
Addressed
11.1.5
PAN-258734
Fixed an issue where virtual wire ports did not go down when moving from an active state to a suspended state.
Addressed
11.1.5
PAN-258576
Fixed an issue on the Panorama web interface where products in HIP objects were not displayed correctly.
Addressed
11.1.5
PAN-258442
Fixed an issue where changes made to the split tunnel configuration on the Prisma Access gateway were not reflected on the GlobalProtect client.
Addressed
11.1.5
PAN-258240
( Firewalls in HA configurations only ) Fixed an issue where HA path monitoring did not work as expected when using vwire.
Addressed
11.1.5
PAN-258225
Fixed an issue on the Panorama web interface where Security policy rules loaded more slowly than expected.
Addressed
11.1.5
PAN-258188
Fixed an issue on Panorama Template where the virtual wire subinterface page did not display all fields and the OK button did not work.
Addressed
11.1.5
PAN-258166
( PA-220 firewalls only ) Fixed an issue where the root partition frequently reached 100%.
Addressed
11.1.5
PAN-257961
Fixed an issue on Panorama where Test Security Policy Match failed when the From or To zone fields were populated.
Addressed
11.1.5
PAN-257957
( Firewalls and Panorama appliances in FIPS-CC mode only ) Fixed an issue where the authd process restarted if RADIUS PAP/CHAP authentication was used.
Addressed
11.1.5
PAN-257925
( CN-Series firewalls only ) Fixed an issue where the CLI command show system setting ctd state did not work as expected.
Addressed
11.1.5
PAN-257912
Fixed an issue where the firewall stopped responding when it received RADIUS traffic and user equipment (UE) traffic at the same time on a Network Processing Card (NPC)
Addressed
11.1.5
PAN-257747
Fixed an issue where the firewall incorrectly displayed the error message IoT Security license is required for feature to function even when the firewall had a valid Enterprise IoT security license.
Addressed
11.1.5
PAN-257660
Fixed an issue where show commands were hidden for superusers in read-only roles.
Addressed
11.1.5
PAN-257652
Fixed an issue where Internal Host Detection for IPv6 did not work after upgrading to a PAN-OS 10.2 release.
Addressed
11.1.5
PAN-257638
Fixed an issue where the firewall dataplane stopped responding, which caused BGP flaps between hubs and branches.
Addressed
11.1.5
PAN-257624
Fixed an issue where the firewall web interface was blank after logging in.
Addressed
11.1.5
PAN-257619
Fixed an issue on Panorama where the Task Manager took longer than expected to display managed FW report tasks details when its empty
Addressed
11.1.5
PAN-257601
( PA-5450 firewalls only ) Fixed an issue where Networking Cards (NC) experienced an internal link fault which caused path monitoring failure on the Dataplane Processing Card (DPC).
Addressed
11.1.5
PAN-257600
Fixed an issue where the firewall returned a 404 error for all sites accessed through the clientless VPN portal.
Addressed
11.1.5
PAN-257432
Fixed an issue on Panorama where the reportd process stopped responding, which caused a log query issue.
Addressed
11.1.5
PAN-257390
( PA-5250 firewalls only ) Fixed an issue where the logrcvr process stopped responding due to a segmentation fault.
Addressed
11.1.5
PAN-257327
( PA-5440 firewalls only ) Fixed an issue where a failover event occurred unexpectedly on the firewall.
Addressed
11.1.5
PAN-257267
( VM-Series firewalls only ) Fixed an issue where observed warning message during commit completion & critical system log when configuration size exceeded the maximum recommended configuration size.
Addressed
11.1.5
PAN-257117
Fixed an issue where CSV or PDF exports of zones did not contain all zones.
Addressed
11.1.5
PAN-257028
( Firewalls in active/passive HA configurations only ) Fixed an issue where firewalls entered a non-functional state and displayed the error message Dataplane down: path monitor failure during the fail-over .
Addressed
11.1.5
PAN-257021
"Fixed an issue on the web interface where Match Evidence log details for Monitor > Correlated events did not populate."
Addressed
11.1.5
PAN-256960
Fixed an issue where a custom portal login page was not displayed correctly in the GlobalProtect portal when using a customized portal landing page.
Addressed
11.1.5
PAN-256939
Fixed an issue on the firewall where disk space was low in /opt/pancfg/ , which caused dynamic content installation to fail.
Addressed
11.1.5
PAN-256738
( VM-Series firewalls in HA configurations only ) Fixed an issue where BGP routes from the active firewall were lost when the passive firewall was rebooted.
Addressed
11.1.5
PAN-256725
Fixed an issue on the Panorama interface where Traffic and Unified event details loaded more slowly than expected.
Addressed
11.1.5
PAN-256669
Fixed an issue where the memory usage reported by SNMP did not match the memory usage reported by the top command.
Addressed
11.1.5
PAN-256666
Fixed an issue where the configd process stopped responding when Commit and Push operations were performed on multiple device groups.
Addressed
11.1.5
PAN-256652
Fixed an issue where content updates were processed incorrectly, which caused a mismatch between a Threat ID's signature and its corresponding action.
Addressed
11.1.5
PAN-256518
Fixed an issue where Panorama was unable to push firmware updates to a VM-Series firewall with a PAYG license.
Addressed
11.1.5
PAN-256449
Fixed an issue where DHCPv6 relay was not working in Advanced Routing mode when the firewall was configured as a DHCP relay agent.
Addressed
11.1.5
PAN-256385
( CN-Series firewalls only ) Fixed an issue where communication was broken between the management plane and the dataplane when anti-spyware profiles were configured in a Security policy rule.
Addressed
11.1.5
PAN-256362
Fixed an issue in Panorama where shared address objects used in the GlobalProtect configuration agents were not considered as used and not pushed to Firewall that causes commit-all failure error
Addressed
11.1.5
PAN-256350
Fixed an issue where, when you cloned an admin role or an LDAP server profile and then changed the name of the clone, the configuration change was not reflected on the managed firewall after pushing the configuration from Panorama.
Addressed
11.1.5
PAN-256327
( Panorama virtual appliances on Microsoft Azure environments only ) Fixed an issue where the logd process repeatedly restarted due to a buffer overflow when generating a traffic summary from a traffic log.
Addressed
11.1.5
PAN-256249
Fixed an issue on the web interface that occurred when changing the pre-shared key to a variable ( Network > Network Profiles > IKE Gateways ).
Addressed
11.1.5
PAN-256223
Fixed an issue where device telemetry log collection filled the root partition.
Addressed
11.1.5
PAN-256115
Fixed an issue where, after replacing a Panorama appliance or log collector, the secondary Panorama appliance or log collector displayed a disconnected status for the inter-log collector connection.
Addressed
11.1.5
PAN-256051
Fixed an issue on the firewall where enabling flow basic caused the firewall to stop responding due to a masterd process restart.
Addressed
11.1.5
PAN-255930
Fixed an issue where persistent DIPP NAT entries were deleted even when being used during an active session.
Addressed
11.1.5
PAN-255895
Fixed an issue where Panorama administrators with the Panorama Administrator dynamic administrator type were not able to create or modify BGP timer profiles or BGP dampening profiles.
Addressed
11.1.5
PAN-255820
Fixed an issue where the WildFire signature generation check box in Panorama did not register a change in the configuration.
Addressed
11.1.5
PAN-255773
Fixed an issue where errors related to applications in Content-preview caused commit failures.
Addressed
11.1.5
PAN-255711
Fixed an issue where the firewall displayed a malformed request error when selecting a custom format and clicking OK on the configuration window due to the log type Correlation incorrectly being displayed ( Device > Log Setting - Correlation > Syslog Server Profile > Custom Log Format > Correlation ).
Addressed
11.1.5
PAN-255660
( Firewalls in active/active HA configurations only ) Fixed an issue where the path monitor displayed as up even when routes to the destination IP address were removed.
Addressed
11.1.5
PAN-255579
( PA-7500 Series firewalls and Panorama appliances only ) Fixed an issue where dataplane logs were displayed after a delay.
Addressed
11.1.5
PAN-255396
Fixed an issue where, when using serial number and IP address authentication, and multiple gateways were configured, the portal returned the last gateway in the list and disregarded the satellite assignment by serial number.
Addressed
11.1.5
PAN-255391
Fixed an issue where the firewall was unable to filter logs using the ISO 8601 timestamp format after upgrading to PAN-OS 11.0.4 or a later release.
Addressed
11.1.5
PAN-255360
Fixed an issue where the firewall booted into maintenance mode when there was no connectivity to the specified hardware security module (HSM).
Addressed
11.1.5
PAN-255285
Fixed an issue where, when only the HSCI-A link was connected on firewall cluster nodes, and the management interface went down, a split brain condition occurred.
Addressed
11.1.5
PAN-255282
( PA-450 firewalls in HA configurations only ) Fixed an issue where the firewall remained in an active state and all traffic stopped until a failover to the passive firewall was performed.
Addressed
11.1.5
PAN-255252
Fixed an issue where Panorama administrators with the type Dynamic were unable to create, modify, or delete BGP Dampening profiles.
Addressed
11.1.5
PAN-255163
( CN-Series firewalls only ) Fixed an issue where the system database key that stored the configuration status of the dataplane pod was not updated frequently.
Addressed
11.1.5
PAN-255116
Fixed an issue where, when QoS was enabled, traffic on an NGFW cluster node that went from an MC-LAG interface to a destination stopped when a member of the MC-LAG went down.
Addressed
11.1.5
254927
( PA-7500 Series firewalls only ) Fixed an issue where data packets sent to threat inspection processing on the networking card caused the pan_task process to stop responding.
Addressed
11.1.5
PAN-254901
Fixed an issue where GlobalProtect user-to-IP address mapping was removed even though the tunnel for the specific user was up and traffic was being passed.
Addressed
11.1.5
PAN-254875
( PA-410 firewalls only ) Fixed an issue where the firewall rebooted unexpectedly due to multiple all_task process restarts.
Addressed
11.1.5
PAN-254827
Fixed an issue where, when you changed an IP address on a management interface on an NGFW cluster node, commit-all operations did not push the updated IP address.
Addressed
11.1.5
PAN-254826
Fixed an issue where the firewall stopped responding when processing traffic.
Addressed
11.1.5
PAN-254797
( PA-5400 Series firewalls only ) Fixed an issue where you were unable to use SNMP polling o monitor the status of power supply units.
Addressed
11.1.5
PAN-254704
( LSVPN Portal firewalls in active/passive HA configurations only ) Fixed an issue where the satellite cookie key did not sync between LSVPN portal HA firewalls, which resulted in re-authentication of satellites with the portal during the event of HA failover.
Addressed
11.1.5
PAN-254671
Fixed an issue where excessive Timed out while getting config lock error messages were generated when making bulk changes via XML API.
Addressed
11.1.5
PAN-254629
Fixed an issue on the Management Processing Card where excessive logs were generated for an error.
Addressed
11.1.5
PAN-254577
Fixed an issue where a core file was created on the Log Forwarding Card due to a third-party software issue.
Addressed
11.1.5
PAN-254423
Fixed an issue on Panorama where custom role-based admin users with read only access were able to make changes to configurations.
Addressed
11.1.5
PAN-254422
Fixed an issue where the firewall required a restart when an SD-WAN policy rule was pushed from Panorama.
Addressed
11.1.5
PAN-254351
Fixed an issue where an NGFW cluster node remained in a suspended state when GRE tunnel termination was used with keepalive enabled on both ends.
Addressed
11.1.5
PAN-254301
Fixed an issue where GlobalProtect logs showed the public IPv4 address in the private IPv4 address field for logs generated during portal/gateway negotiation.
Addressed
11.1.5
PAN-254241
Fixed an issue where the firewall stopped responding due to a high number of SD-WAN probes being sent.
Addressed
11.1.5
PAN-254181
( CN-Series firewalls only ) Fixed an issue where firewall pods and application pods repeatedly restarted.
Addressed
11.1.5
PAN-254124
( PA-7050 firewalls with DPC and 100G NPCs only ) Fixed an issue on the firewall where you were unable to change the flow key type from tag to tuple.
Addressed
11.1.5
PAN-253829
Fixed an issue where the CLI command show running security-policy timed out when the Security policy was large.
Addressed
11.1.5
PAN-253819
Fixed an issue where a User Activity Report was not generated by Run Now or not emailed through the Email Schedule when the locale setting was not English.
Addressed
11.1.5
PAN-253626
Fixed an issue on Panorama where unused objects were pushed to the firewall, which caused the push operations to intermittently fail.
Addressed
11.1.5
PAN-253584
Fixed an issue where ikemgr process unexpectedly stopped due to a memory mapping in an incorrect location.
Addressed
11.1.5
PAN-253557
Fixed an issue where, after a cluster manager restart on the leader node of an NGFW cluster, traffic stopped due to only the state machine transitioning to unknown and not the leader.
Addressed
11.1.5
PAN-253452
Fixed an issue where GlobalProtect users were unable to connect to the GlobalProtect gateway and received the error Gateway does not exist .
Addressed
11.1.5
PAN-253466
Fixed an issue where, on NFGW cluster nodes, an expected packet buffer leak occurred with FTP/SIP traffic over an extended period of time.
Addressed
11.1.5
PAN-253250
Fixed an issue where, when ASPath Prepend was configured, AS override did not work.
Addressed
11.1.5
PAN-253085
Fixed an issue where the firewall restarted when the parsing of the cross-pkt http origin header failed when processing a translator website.
Addressed
11.1.5
PAN-252974
( PA-450 firewalls only ) Fixed an issue where specific routes were not advertised when BGP Aggregate was configured with the advertise filter.
Addressed
11.1.5
PAN-252867
Fixed an issue where an incorrect memory reference in an IoT API caused the wifclient process to stop responding.
Addressed
11.1.5
PAN-252816
Fixed an issue where multiple SSHD process restarts triggered a firewall reboot when the login banner and SSH host keys were updated at the same time.
Addressed
11.1.5
PAN-252801
Fixed an issue where the LSVPN tunnel monitoring status displayed as No data available after re-key events.
Addressed
11.1.5
PAN-252411
Fixed an issue where, when log files were purged from the rollup summary logs, the summary report still used the rollup summary data, which resulted in the summary report displaying less data.
Addressed
11.1.5
PAN-252370
Fixed an issue where services with the reserved keyword application-default were allowed.
Addressed
11.1.5
PAN-252270
Fixed an issue on the firewall where changes were incorrectly applied after a reboot or a restart of the configd process.
Addressed
11.1.5
PAN-252224
Fixed an issue where Panorama did not forward logs to a syslog server over an SSL connection using CRL as a revocation verification method.
Addressed
11.1.5
PAN-252161
Fixed an issue where the gp_broker process stopped responding.
Addressed
11.1.5
PAN-252131
( PA-5200 Series and PA-7000 Series firewalls only ) Fixed an issue where an unsupported SFP caused the firewall to restart.
Addressed
11.1.5
PAN-252036
Fixed an issue where, when the GlobalProtect portal was not configured, accessing the GlobalProtect gateway still loaded a portal malformed page.
Addressed
11.1.5
PAN-252029
Fixed an issue where the firewall stopped responding when processing authentication requests.
Addressed
11.1.5
PAN-251929
Fixed an issue where inbound decryption did not work when FIPS self tests were turned on.
Addressed
11.1.5
PAN-251732
Fixed an issue where Oracle traffic over generic routing encapsulation (GRE) was dropped when the traffic passed through the firewall using tunnel content inspection (TCI).
Addressed
11.1.5
PAN-251684
Fixed an issue where the LEDs for copper ports lighted up when SFP links were up.
Addressed
11.1.5
PAN-251676
Fixed an issue on Panorama appliances in large-scale deployments where configd process core files consumed more space in the /opt/panlogs partition than was available.
Addressed
11.1.5
PAN-251661
Fixed an issue where a memory overwrite occurred during HTTP/2 header inflation.
Addressed
11.1.5
PAN-251656
Fixed an issue where enabling lockless QoS caused traffic disruptions.
Addressed
11.1.5
PAN-251501
Fixed an issue where, after a reboot, NGFW cluster nodes failed to rejoin a cluster due to a timing issue.
Addressed
11.1.5
PAN-251372
Fixed an issue where a policy-based forwarding (PBF) did not work for a server-to-client (S-C) flow when the source port was specified.
Addressed
11.1.5
PAN-251035
Fixed an issue where selective push operations did not push certificate changes to the firewall.
Addressed
11.1.5
PAN-250948
Fixed an issues where GlobalProtect on Microsoft Windows devices did not attempt CNAME resolution for sinkhole.paloaltonetworks.com.
Addressed
11.1.5
PAN-250909
Fixed an issue where, when creating a Security policy rule via the CLI, validation was not implemented and the same object was able to be referenced in the policy twice.
Addressed
11.1.5
PAN-250756
Fixed an issue where querying threat logs using the threat name, such as generic:<site> did not work.
Addressed
11.1.5
PAN-250716
Fixed an issue where Panorama > Push to Devices displayed device group and template entries that had been changed by other administrators.
Addressed
11.1.5
PAN-250703
Fixed an issue where the task manager failed with a 504 error when a large number of previous jobs or tasks were present.
Addressed
11.1.5
PAN-250530
Fixed an issue where management traffic routed via the dataplane was being decrypted instead of bypassing the decryption lookup.
Addressed
11.1.5
PAN-250462
Fixed an issue where the session logout time for the firewall was incorrect when viewing via context switch from Panorama.
Addressed
11.1.5
PAN-250455
Fixed an issue where GlobalProtect portal authentication incorrectly timed out after 30 seconds when the timeout value was set to 1 minute.
Addressed
11.1.5
PAN-250443
( VM-Series firewalls only ) Fixed an issue where multiple processes exited due to an OOM condition and caused a network outage.
Addressed
11.1.5
PAN-250419
Fixed an issue where XML API explorer inserted a plus (+) character in the Xpath when a space was used in the object name.
Addressed
11.1.5
PAN-250405
( CN-Series firewalls only ) Fixed an issue on the firewall where websrvr related messages displayed repeatedly.
Addressed
11.1.5
PAN-250394
Fixed an issue where a large amount of group data caused serialization errors and prevented synchronization.
Addressed
11.1.5
PAN-250311
Fixed an issue where the domain was not mapped when using certificate profile authentication on GlobalProtect.
Addressed
11.1.5
PAN-250258
Fixed an issue on the firewall where the Certificate Name character limit was 31 characters instead of 63 characters.
Addressed
11.1.5
PAN-250146
Fixed an issue on the web interface where templates incorrectly showed that telemetry was enabled when it was not enabled. With this fix, the telemetry setting is not displayed in the template on the web interface.
Addressed
11.1.5
PAN-250127
Fixed an issue where commits failed with the error message set is not allowed when default originate was enabled with a route map that included a set action.
Addressed
11.1.5
PAN-250062
Fixed an issue where device telemetry failed after upgrading due to bundle generation failure.
Addressed
11.1.5
PAN-250043
Fixed an issue where, on an NGFW cluster node, operations failed when QoS interfaces were configured with an egress max that exceeded 68,000 Mbps.
Addressed
11.1.5
PAN-250021
Fixed an issue where Change Summary and Preview Changes displayed inconsistent information when changing an admin user password.
Addressed
11.1.5
PAN-250005
Fixed an issue where the Advanced Routing migration script did not migrate BGP import policy rules correctly when the policy rule was configured with an exact match condition.
Addressed
11.1.5
PAN-249855
Fixed an issue where the firewall dropped the active source of the Multicast source via MSDP when they were not received from the MSDP peer firewall.
Addressed
11.1.5
PAN-249727
Fixed an issue where, on an NGFW cluster node, the Custom/Pre-defined URL category was not in the session flow data, which caused it to be excluded from the promoted session after a failover.
Addressed
11.1.5
PAN-249548
Fixed an issue where the firewall stopped responding during a high availability (HA) failover with continued traffic.
Addressed
11.1.5
PAN-249533
Fixed an issue where an internal error message was displayed when you selected Exclude video traffic from the tunnel (Windows and macOS only) .
Addressed
11.1.5
PAN-249404
Fixed an issue on the Panorama web interface where the commit lock for a device group and template with the same name was not visible.
Addressed
11.1.5
PAN-249266
Fixed an issue where the config process virtual memory was exceeded due to delays in post-commit processing.
Addressed
11.1.5
PAN-249194
Fixed an issue where SaaS quality profile probes were dropped on the SD-WAN hub.
Addressed
11.1.5
PAN-249132
Fixed an issue on Panorama DG where the address group object created with Disable Override property in Parent DG was overridden by child DG via CLI.
Addressed
11.1.5
PAN-249072
Fixed an issue where content upgrade installation failed with the error Error: can't find cert <cert> when using cloud interfaces .
Addressed
11.1.5
PAN-248945
Fixed an issue where commits failed when you committed a configuration to advertise the default route (0.0.0.0/0) as a BGP network statement ( Advanced Routing > BGP settings ).
Addressed
11.1.5
PAN-248841
Fixed an issue where the SSL response time was not displayed in the GlobalProtect log.
Addressed
11.1.5
PAN-248762
Fixed an issue where, when the Advanced Routing Engine was configured with OSPF, the firewall stopped responding when attempting to connect to the neighbor while exchanging route maps.
Addressed
11.1.5
PAN-248618
Fixed an issue where the show chassis inventory in the XML API output did not include the chassis serial number.
Addressed
11.1.5
PAN-248542
Fixed an issue where the NPB policy type was missing from configuration policy updates, which caused error messages to incorrectly display in the system logs.
Addressed
11.1.5
PAN-248312
Fixed an issue where the firewall did not re-encapsulate the DNS Security Sinkhole Domain Response into GENEVE when the firewall was integrated with AWS Gateway Load Balancer (GWLB) and Cloud NGFW.
Addressed
11.1.5
PAN-248285
Fixed an issue where the firewall went into maintenance mode or stopped responding.
Addressed
11.1.5
PAN-248211
Fixed an issue on Panorama where commits failed when Advanced Routing was enabled.
Addressed
11.1.5
PAN-247857
( PA-7050 firewalls in HA configurations only ) Fixed an issue on the firewall where a dataplane process restarted when updating the routing table.
Addressed
11.1.5
PAN-247754
Fixed an issue where successful Commit and Push operations performed by SAML authenticated users were not reflected on the firewall.
Addressed
11.1.5
PAN-247230
Fixed an issue where the syslog forwarding configuration did not include the full path for Security policy rules.
Addressed
11.1.5
PAN-247190
( VM-Series firewalls only ) Fixed an issue where the firewall was unable to connect to Panorama after manually uploading the license key.
Addressed
11.1.5
PAN-247052
Fixed an intermittent issue where the OSPF ABR option was disabled when a static route was added.
Addressed
11.1.5
PAN-246803
Fixed an issue with failed pre-login cookies that caused GlobalProtect portal configurations to show as empty.
Addressed
11.1.5
PAN-246567
Fixed an issue where a firewall with a copper SFP transceiver (PAN-SFP-CG) flapped during a commit.
Addressed
11.1.5
PAN-246416
Fixed an issue where the firewall stopped responding when processing specific HTTP response packets due to an incorrect offset calculation.
Addressed
11.1.5
PAN-246304
Fixed an issue on Panorama where commits failed due to a timeout in the sysd process during decryption.
Addressed
11.1.5
PAN-246256
Fixed an issue where the firewall received the following error message in the system logs after rebooting: fail to read ncores: cfg.paltform.cores .
Addressed
11.1.5
PAN-246220
Fixed an issue where a dynamic peer connection was rejected when using an FQDN for the peer address.
Addressed
11.1.5
PAN-246209
Fixed an issue where IPSec VPN tunnels went down after receiving a DHCP server message that the DHCP client cleared the IP address on the interface.
Addressed
11.1.5
PAN-245993
Fixed an issue where API calls to move the BGP export rules failed with the error The request could not be handled .
Addressed
11.1.5
PAN-245845
Fixed an issue where the firewall displayed a message that the license was invalid even though all licenses were up to date.
Addressed
11.1.5
PAN-245682
Fixed an issue on Panorama where Commit and Push progress displayed over 100%.
Addressed
11.1.5
PAN-245545
Fixed an issue where, when you were connected to the VPN and enabled the client accelerator, you were disconnected from the VPN.
Addressed
11.1.5
PAN-245058
Fixed an issue on the Panorama web interface where tagging a new user failed the error message Tags addition failed .
Addressed
11.1.5
PAN-244743
Fixed an issue where intermittent 500 errors occurred when making API calls to the firewall.
Addressed
11.1.5
PAN-244708
Fixed an issue where the GlobalProtect VPN connection inactivity TTL value became negative, which caused the VPN to disconnect when the system time was changed back to the past time.
Addressed
11.1.5
PAN-244262
Fixed an issue where interface settings were not saved when the template was overridden in the candidate configuration while enabling DNS settings.
Addressed
11.1.5
PAN-244035
( PA-5220 firewalls only ) Fixed an issue on the web interface where the displayed dataplane CPU usage was up to 20% less than the correct CPU usage.
Addressed
11.1.5
PAN-243969
Fixed an issue on Panorama managed firewalls where you were unable to add a new Layer 3 interface to a template with a zone, VR, IP address, and SD-WAN interface profile configured.
Addressed
11.1.5
PAN-243968
Fixed an issue where the correct portal agent configuration for GlobalProtect was not matched. This occurred when CRL checks failed due to unavailability.
Addressed
11.1.5
PAN-243957
Fixed an issue where the firewall TLS/SSL service profile exclusion settings were not correctly applied on the captive portal.
Addressed
11.1.5
PAN-243908
Fixed an issue where custom object import for spyware got stuck on uploading page and seen uploaded successfully after refreshing GUI tab.
Addressed
11.1.5
PAN-243816
Fixed an issue where new users were unable to change their password during the first login when the Max session count was set to 1 and Require Password Change on First Login was enabled.
Addressed
11.1.5
PAN-243787
Fixed an issue where the CLI command delete user-file ssh-known-hosts did not remove the SSH host keys.
Addressed
11.1.5
PAN-243786
Fixed an issue on Panorama where custom GlobalProtect reports displayed inaccurate values.
Addressed
11.1.5
PAN-243773
Fixed an issue where the DHCP server stopped responding with the error IP address is already in use .
Addressed
11.1.5
PAN-243674
Fixed an issue where you were unable to configure NDP proxy with IPv6 address /88 on a Layer 3 interface.
Addressed
11.1.5
PAN-243240
Fixed an issue where the using QoS caused packet buffer utilization to increase exponentially and the PKI POOL DFLT pool depleted until a reboot was performed.
Addressed
11.1.5
PAN-243223
Fixed an issue where authentication to the GlobalProtect gateway failed due to an invalid Satellite certificate.
Addressed
11.1.5
PAN-243190
Fixed an issue where the show commands for HSCI ports did not provide information about optics and light levels.
Addressed
11.1.5
PAN-243123
Fixed an issue where SNMPv3 traps were not sent when using FQDN server addresses.
Addressed
11.1.5
PAN-243098
Fixed an issue with corrupted images when SSL decryption and Security profiles were configured.
Addressed
11.1.5
PAN-242960
Fixed an issue where the firewall did not honor the peer Desired Minimum Tx Interval when in a BFD INIT state.
Addressed
11.1.5
PAN-242958
Fixed an issue where the firewall intermittently logged connect-agent-failure messages for service connection instances due to bi-directional host ID redistribution.
Addressed
11.1.5
PAN-242957
Fixed an issue where the Rule usage columns of overridden default policy rules on the Security policy page stopped responding.
Addressed
11.1.5
PAN-242826
Fixed an issue with the REST API syntax when creating a DHCP server configuration for an existing subinterface.
Addressed
11.1.5
PAN-242739
Fixed an issue on the firewall where the dataplane repeatedly restarted.
Addressed
11.1.5
PAN-242479
Fixed an issue where a high number of packets caused high packet descriptors on the firewall when handling EtherIP traffic.
Addressed
11.1.5
PAN-242431
Fixed an issue where the BGP timer setting was in read-only mode for custom admin users when Advanced Routing was enabled.
Addressed
11.1.5
PAN-242331
Fixed an issue where Prisma Access remote network firewalls intermittently created incorrect user-to-IP-address mappings.
Addressed
11.1.5
PAN-242130
Fixed an issue where the firewall displayed the speed and duplex of its dataplane interfaces as Unknown even though the link was up.
Addressed
11.1.5
PAN-241871
Fixed an issue where the firewall was unable to create new IPSec tunnels when the tunnel monitor flapped.
Addressed
11.1.5
PAN-241821
Fixed an issue where Global Search did not show results past the second level.
Addressed
11.1.5
PAN-241781
Fixed an issue where partial commit and commit-all operations took more time than expected to create the job ID.
Addressed
11.1.5
PAN-241772
Fixed an issue where, when TLSv1.3 was used, an incorrect error message invalid padding was displayed instead of the expected error message Invalid server certificate .
Addressed
11.1.5
PAN-241655
Fixed an issue where the firewall incorrectly categorized URLs as phishing due to machine learning analysis MLAV incorrectly marking the URLs as malicious.
Addressed
11.1.5
PAN-241536
Fixed an issue on Panorama where admin users with the Custom Panorama Admin role were unable to add, edit, or delete route filters under Routing Profiles
Addressed
11.1.5
PAN-241519
Fixed an issue where incorrect log filters were displayed under unified logs.
Addressed
11.1.5
PAN-241295
Fixed an issue where Panorama pushed permitted IP address lists were editable on the firewall.
Addressed
11.1.5
PAN-241044
Fixed an issue where traffic was denied by the interzone-default policy rule when a Security policy rule with an FQDN destination was configured.
Addressed
11.1.5
PAN-241004
Fixed an issue where DNS Proxy dropped client requests of the type ns for a root domain.
Addressed
11.1.5
PAN-240990
Fixed an issue where l3svc.py displayed incorrect logs.
Addressed
11.1.5
PAN-240723
Fixed an issue where Threat logs were logged within a 5 second interval instead of the exact detection time when the logging rate was low.
Addressed
11.1.5
PAN-240225
Fixed an issue where authentication failed on web-based GlobalProtect portal.
Addressed
11.1.5
PAN-239952
( Firewalls in active/passive HA configurations only ) Fixed an issue where HA sync messages from the active firewall took longer than expected to reach the passive firewall.
Addressed
11.1.5
PAN-239695
Fixed an issue where the firewall stopped responding due to an internal server error when accessing certificates with the block private key option enabled.
Addressed
11.1.5
PAN-239532
Fixed an issue where the firewall was unable to identify the URL category in the session details.
Addressed
11.1.5
PAN-239409
Fixed an issue where the lodash.js version installed on the firewall was not accurately reflected in PanXML.
Addressed
11.1.5
PAN-239246
Fixed an issue where the CLI command debug user-id dump hip-based-profile-database-entry returned an incorrect value in the output for the total size of hip reports .
Addressed
11.1.5
PAN-239201
Fixed an issue where partial commit or partial validation operations failed for non-super user administrators with the error <device-group-name> is invalid. meta data not found for dg <device-group-name> .
Addressed
11.1.5
PAN-239165
Fixed an issue where adding an interface in a route filter resulted in an OSPF LSA Type-5 packet check failure, which caused redistributed routes to be removed.
Addressed
11.1.5
PAN-239143
Fixed an issue with accessing websites when URL filtering profiles were configured with the block-continue action and the server used HTTP/2.
Addressed
11.1.5
PAN-239138
Fixed an issue where a decryption rule with the Log Successful TLS handshakes option disabled still generated successful decryption logs.
Addressed
11.1.5
PAN-239036
Fixed an issue where the configd process stopped responding on Panorama due to an out-of-memory condition.
Addressed
11.1.5
PAN-238813
Fixed an issue where the DNS proxy was unable to handle UDP DNS replies with a length of over 512 bytes.
Addressed
11.1.5
PAN-238793
( Panorama virtual appliances in Microsoft Azure environments only ) Fixed an issue where a bootstrapped Panorama appliance did not automatically retrieve the CDL license, which resulted in the firewall not automatically sending logs to CDL.
Addressed
11.1.5
PAN-238741
Fixed an issue where, after a selective push of the configuration, a parent device group object with multiple child device groups was not shown in the device group's push scope.
Addressed
11.1.5
PAN-238303
( PA-5220 firewalls only ) Fixed an issue where multicast streaming did not recover when multicast traffic was offloaded.
Addressed
11.1.5
PAN-238266
Fixed an issue where the default lag-flow-key-type was different between the dataplane and the forwarding engine.
Addressed
11.1.5
PAN-237582
Fixed an issue where logs were intermittently missing on the log collector due to missing aliases for some indices.
Addressed
11.1.5
PAN-237109
Fixed an issue where the application page was not launched directly after the login page when only one application was configured.
Addressed
11.1.5
PAN-236909
Fixed an issue where, when you committed the first configuration change after booting up the firewall, the external dynamic list file download failed until the list was refreshed. This occurred when the configuration was pushed with a certificate profile.
Addressed
11.1.5
PAN-236830
Fixed an issue where traffic that was correctly detected on the firewall as the threat category DNS was detected on Panorama as the threat category N/A .
Addressed
11.1.5
PAN-236574
Fixed an issue where User-ID traffic was incorrectly identified as SSL application instead of paloalto-userid-agent application.
Addressed
11.1.5
PAN-236447
Fixed an issue where the firewall rebooted and the kernel log displayed the following message: 0.000000] Linux version 4.18.0-240.1.1.27.pan.x86_64 .
Addressed
11.1.5
PAN-236182
Fixed an issue where, when forward message processing received an invalid payload with a message length of 0 in the buffer header, the firewall rebooted unexpectedly.
Addressed
11.1.5
PAN-236059
Fixed an issue on firewalls in HA configuration where the IoT content version was not synced from the active firewall to the passive firewall.
Addressed
11.1.5
PAN-235808
( Panorama appliances in Log Collector mode only ) Fixed an issue where an unnamed core file was generated after a reboot.
Addressed
11.1.5
PAN-235529
Fixed an issue where the Active Directory IP-address-to-user mappings were not updated on Mappings & Tags on the Cloud Identity Engine.
Addressed
11.1.5
PAN-235110
( PA-220 firewalls only ) Fixed an issue where the web interface did not load after an upgrade.
Addressed
11.1.5
PAN-234461
Fixed an issue where excess distributord process memory use caused processes to restart due to OOM conditions.
Addressed
11.1.5
PAN-234272
Fixed an issue where scheduled device group reports included data from other device groups.
Addressed
11.1.5
PAN-234107
Fixed an issue where Smart Card authentication failed when the SAN field contained additional details.
Addressed
11.1.5
PAN-234082
( Panorama virtual appliances only ) Fixed an issue where Saas reports were generated with a report period of 0 days.
Addressed
11.1.5
PAN-233681
Fixed an issue where the authd process on Prisma Access firewalls stopped responding after receiving the SIGUSR1 signal.
Addressed
11.1.5
PAN-232833
Fixed an issue where the following error message displayed for IoT trial licenses: IoT Security license is required for the feature to function .
Addressed
11.1.5
PAN-232792
Fixed an issue on the Panorama where the web interface did not display the Scheduled Config Push page.
Addressed
11.1.5
PAN-232594
( Panorama managed CN-Series firewalls in HA configurations only ) Fixed an issue where an error occurred while adding tags.
Addressed
11.1.5
PAN-232550
Fixed an issue where SNMPv3 authentication failed when using SHA-512 Auth protocol.
Addressed
11.1.5
PAN-232263
( Panorama virtual appliances only ) Fixed an issue where multiple processes stopped responding due to a traffic outage, which was caused by a corrupted content file.
Addressed
11.1.5
PAN-231065
Fixed an issue on Panorama where the CLI command show applications list <Application-group/application filters> device-group <name of device-group> returned incomplete result.
Addressed
11.1.5
PAN-230934
Fixed an issue where HTTP/S, SSH, and PING were enabled on the AUX port by default even when these administrative management services were not enabled on the interface.
Addressed
11.1.5
PAN-230902
Fixed an issue on the Panorama web interface where you were unable to configure L3 net-inspect rules for a template stack.
Addressed
11.1.5
PAN-230893
Added a CLI command to address an issue where system lock files blocked authentication.
Addressed
11.1.5
PAN-230825
Fixed an issue where link flaps occurred on Panorama appliances in HA configurations.
Addressed
11.1.5
PAN-228555
Fixed an issue where GlobalProtect logs returned no data when using the filter ( private_ip eq 0.0.0.0 ) .
Addressed
11.1.5
PAN-227978
Fixed an issue where the web interface did not accurately list the status of the port when NGFW clustering was enabled.
Addressed
11.1.5
PAN-226789
( VM-Series firewalls in Amazon Web Services (AWS) environments only ) Fixed an issue template values were missing in newly spun firewalls in auto scale deployments without an explicit push with forced template values from Panorama.
Addressed
11.1.5
PAN-226365
Fixed an issue with the output format of certificate issuer and subject fields during certificate creation.
Addressed
11.1.5
PAN-226280
Fixed an issue where the ConfigPushScheduler REST API failed when the target device was a firewall with a non-default management profile.
Addressed
11.1.5
PAN-226125
Fixed an issue where the Management Interface Telnet Service was disabled but the service was still allowed.
Addressed
11.1.5
PAN-225806
Fixed an issue where LACP packets did not reach the dataplane, which caused the firewall to stop forwarding traffic.
Addressed
11.1.5
PAN-225228
Fixed an issue where filtering threat logs using any value under THREAT ID/NAME displayed the error Invalid term .
Addressed
11.1.5
PAN-224729
Fixed an issue where you were unable to create duplicate entries in Advanced Routing AS path prepend the BGP filter route map.
Addressed
11.1.5
PAN-221096
Fixed an issue where IPSec transport mode failed when the firewall was the initiator.
Addressed
11.1.5
PAN-218873
Fixed an issue where a HIP mask was reused when an existing IP address user mapping was updated by a new IP address user mapping that had a different username but the same IP address.
Addressed
11.1.5
PAN-215882
Fixed an issue where you were unable to connect to the GlobalProtect gateway when the gateway was scaled up automatically.
Addressed
11.1.5
PAN-214430
Fixed an issue where some commands did not have executable permissions.
Addressed
11.1.5
PAN-212197
Fixed an issue where you were able to create local administrator usernames that contained only numbers.
Addressed
11.1.5
PAN-207972
Fixed an issue on the web interface where the BGP routing table did not display advertised routes.
Addressed
11.1.5
PAN-202619
Fixed an issue where, when SPI values were different for static and dynamic Satellite tunnel IP addresses during IPSec tunnel renegotiation, traffic issues occurred between the satellite and the gateway.
Addressed
11.1.5
PAN-197428
Fixed an issue where IKE negotiation with distinguished name identification did not work.
Addressed
11.1.5
PAN-193285
Fixed an issue where the policy optimizer feature did not add entries back to the mongodb database after removing them during an upgrade or downgrade.
Addressed
11.1.5
PAN-192176
Fixed an issue where the management server access log file did not rotate, which caused the root partition to become full and led to system instability.
Addressed
11.1.5
PAN-164885
Fixed an issue on Panorama where Commit and Push or Push to Devices operations failed when an external dynamic list was configured to check for updates every 5 minutes due to the commit and external dynamic fetch processes overlapping.
Addressed
11.1.5
PAN-76904
( PA-5410 firewalls only ) Fixed an issue where the management interface went down and an error message displayed in the show interface management CLI command output.
Known
11.1.6
PAN-263940
On a PA-7500 Series firewall node in an NGFW cluster, if the data processing card is in slot 6, packet drops are expected.
Known
11.1.6
PAN-262556
The ElasticSearch cluster health status might continue to remain yellow for an extended period after upgrading to PAN-OS 11.1
Known
11.1.6
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
11.1.6
PAN-259733
This issue is now resolved. See PAN-OS 11.1.4-h1 Addressed Issues
.
Custom reports created in PAN-OS are not deleted as expected, resulting in high memory use by the reportd process. This can lead to issues, such as out-of-memory conditions, content installation failures, and unexpected firewall reboots.
Known
11.1.6
PAN-257615
This issue is now resolved. See PAN-OS 11.1.4-h1 Addressed Issues .
The Panorama web interface intermittently displays logs or fails to display logs completely.
Known
11.1.6
PAN-254240
In the event of an HSCI flap on an NGFW cluster node, traffic reconvergence takes three to four seconds.
Known
11.1.6
PAN-253963
The auto commit job may take longer than expected to complete when the Panorama management server is in Panorama or Log Collector mode.
Known
11.1.6
PAN-252358
In the event of a corosync restart, an NGFW cluster node goes to failed state.
Known
11.1.6
PAN-251551
When an NGFW cluster agent crashes and doesn't recover, leader election will take approximately 45 seconds to begin and traffic failover will occur during that time.
Known
11.1.6
PAN-250903
In a congestion scenario on an HSCI port of an NGFW cluster node, the QoS priorities of cross node traffic streams might be reversed if you're using the default QoS profile with class1 to class8 set as high to low.
Known
11.1.6
PAN-247974
LACP flap is expected during a device failover in an NGFW cluster due to an L2 ctrld restart on the new leader node.
Known
11.1.6
PAN-240529
Cloud application information is missing from traffic logs on NGFW cluster nodes.
Known
11.1.6
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
11.1.6
PAN-224502
The autocommit time of the VM-Series firewall running PAN-OS 11.1.0 might take longer than expected.
Known
11.1.6
PAN-220180
Configured botnet reports ( Monitor Botnet ) are not generated.
Known
11.1.6
PAN-219644
Firewalls forwarding logs to a syslog server over TLS ( Objects Log Forwarding ) use the default Palo Alto Networks certificate instead of the custom certificate configured on the firewall.
Known
11.1.6
PAN-207733
When a DHCPv6 client is configured on HA Active/Passive firewalls, if the DHCPv6 server goes down, after the lease time expires, the DHCPv6 client should enter SOLICIT state on both the Active and Passive firewalls. Instead, the client is stuck in BOUND state with an IPv6 address having lease time 0 on the Passive firewall.
Known
11.1.6
PAN-207611
When a DHCPv6 client is configured on HA Active/Passive firewalls, the Passive firewall sometimes crashes.
Known
11.1.6
PAN-207442
For M-700 appliances in an active/passive high availability ( Panorama High Availability ) configuration, the active-primary HA peer configuration sync to the secondary-passive HA peer may fail. When the config sync fails, the job Results is Successful ( Tasks ), however the sync status on the Dashboard displays as Out of Sync for both HA peers.
Workaround : Perform a local commit on the active-primary HA peer and then synchronize the HA configuration.
  1. Log in to the Panorama web interface of the active-primary HA peer.
  2. Select Commit and Commit to Panorama .
  3. In the active-primary HA peer Dashboard , click Sync to Peer in the High Availability widget.
Known
11.1.6
PAN-207040
If you disable Advanced Routing, remove logical routers, and downgrade from PAN-OS 11.0.0 to a PAN-OS 10.2.x or 10.1.x release, subsequent commits fail and SD-WAN devices on Panorama have no Virtual Router name.
Known
11.1.6
PAN-206913
When a DHCPv6 client is configured on HA Active/Passive firewalls, releasing the IPv6 address from the client (using Release in the UI or using the request dhcp client ipv6 release all CLI command) releases the IPv6 address from the Active firewall, but not the Passive firewall.
Known
11.1.6
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status ( Panorama Managed Collector ) displaying connected and the managed colletor Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround: Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Log in to the Dedicated Log Collector CLI .
  2. Confirm the Dedicated Log Collector is disconnected from Panorama. 
    admin> show panorama-status
    Verify the Connected status is no .
  3. Restart the mgmtsrvr process. 
    admin> debug software restart process management-server
Known
11.1.6
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
Known
11.1.6
PAN-197419
( PA-1400 Series firewalls only ) In Network Interface Ethernet , the power over Ethernet (PoE) ports do not display a Tag value.
Known
11.1.6
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
11.1.6
PAN-195968
( PA-1400 Series firewalls only ) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the CLI prints an error depending on whether an interface type was selected on the non-PoE port or not. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message will not include the interface name (eg. ethernet1/4). If an interface type was not selected before PoE was configured, the error message will include the interface name.
Known
11.1.6
PAN-194978
( PA-1400 Series firewalls only ) In Network Interface Ethernet , hovering the mouse over a power over Ethernet (PoE) Link State icon does not display link speed and link duplex details.
Known
11.1.6
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
11.1.6
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
11.1.6
PAN-186283
Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.
Workaround : Use Commit Push to Devices to synchronize the templates.
Known
11.1.6
PAN-184708
Scheduled report emails ( Monitor PDF Reports Email Scheduler ) are not emailed if:
  • A scheduled report email contains a Report Group ( Monitor PDF Reports Report Group ) which includes a SaaS Application Usage report.
  • A scheduled report contains only a SaaS Application Usage Report.
Workaround: To receive a scheduled report email for all other PDF report types:
  1. Select Monitor PDF Reports Report Groups and remove all SaaS Application Usage reports from all Report Groups.
  2. Select Monitor PDF Reports Email Scheduler and edit the scheduled report email that contains only a SaaS Application Usage report. For the Recurrence, select Disable and click OK .
    Repeat this step for all scheduled report emails that contain only a SaaS Application Usage report.
  3. Commit .
    ( Panorama managed firewalls ) Select Commit Commit and Push
Known
11.1.6
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
11.1.6
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
11.1.6
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Known
11.1.6
PAN-164885
On the Panorama management server, pushes to managed firewalls ( Commit Push to Devices or Commit and Push ) may fail when an EDL ( Objects External Dynamic Lists ) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.
Addressed
11.1.6
PAN-273215
Fixed an issue where a syntax error in the index generation script caused a high management plane CPU load after upgrading.
Addressed
11.1.6
PAN-271913
Fixed an issue on firewalls in high availability (HA) configurations where, when using the Cloud Identity Engine (CIE), the firewall experienced consistent memory leaks on the active firewall, which caused unexpected failovers.
Addressed
11.1.6
PAN-270224
Fixed an issue where indices were not opened after a query.
Addressed
11.1.6
PAN-269539
Fixed an issue where whitespace was added before the timestamp in syslog logs forwarded from Panorama.
Addressed
11.1.6
PAN-269106
Fixed issue where the wifclient restarted and multiple processes stopped responding.
Addressed
11.1.6
PAN-269000
Fixed an issue where the firewall stopped responding due to a NULL pointer dereference when path monitoring failed.
Addressed
11.1.6
PAN-268951
Fixed a CPS counter query issue that caused SNMP polling timeouts on the firewall.
Addressed
11.1.6
PAN-268727
Fixed an issue where traffic was dropped when the accumulation proxy was enabled and header insertion modified packets.
Addressed
11.1.6
PAN-268474
Fixed an issue on the firewall where the PAN-DB URL Filtering license displayed as Valid even when the firewall did not have the license, which caused traffic to drop.
Addressed
11.1.6
PAN-268419
Fixed an issue where Managed Devices > Summary displayed incorrect subcolumns.
Addressed
11.1.6
PAN-268319
Fixed an issue where Receive Time and Time Generated were not visible as attributes in the Filter Builder for system logs and URL filtering logs.
Addressed
11.1.6
PAN-268229
Fixed an issue where the firewall stopped responding during session setup for ECMP hit-count updates.
Addressed
11.1.6
PAN-268228
Fixed an issue where Panorama administrators were unable to select Edit Selection when pushing changes to devices if they logged in using TACACS authentication.
Addressed
11.1.6
PAN-267934
Fixed an issue where commits remained at 98%, which resulted in the BGP connection flapping.
Addressed
11.1.6
PAN-267590
Fixed a lock usage error that caused the ikemgr process to stop responding.
Addressed
11.1.6
PAN-267348
Fixed an issue on the Panorama web interface where WildFire Activity by File Type in the ACC did not display the file type name.
Addressed
11.1.6
PAN-267321
Fixed an issue where packets were dropped when BFD inter-dataplane packet forwarding failed.
Addressed
11.1.6
PAN-267285
Fixed an issue where a port was able to be connected from outside the network. With this fix, the port is restricted to the local interface.
Addressed
11.1.6
PAN-267091
Fixed an issue on Panorama where Elasticsearch repeatedly restarted.
Addressed
11.1.6
PAN-266900
Fixed an issue on the Panorama web interface where you were unable to click OK after selecting an install package type and file from the dropdown and selecting a firewall.
Addressed
11.1.6
PAN-266639
Fixed an issue where administrators were unable to edit or add virtual router configurations when a filter was applied to the viewer.
Addressed
11.1.6
PAN-266581
Fixed an issue where a failed SSL connection to a syslog server resulted in a /tmp/srvr.crt.xxxxxx file not being removed, which caused index node (inode) exhaustion.
Addressed
11.1.6
PAN-266167
Fixed an issue where the restart option for IPSec tunnels was greyed out ( Network > IPSec Tunnels > IKE Info ).
Addressed
11.1.6
PAN-266003
Fixed an issue on the firewall where a configuration policy push caused both active and passive firewalls to go down when a high number of spyware profiles and vulnerability profiles were pushed to the dataplane.
Addressed
11.1.6
PAN-265621
Fixed an issue where the restart option for IPSec tunnels was greyed out when you attempted to restart the tunnel from Network > IPSec Tunnels > IKE Info .
Addressed
11.1.6
PAN-265399
Fixed an issue where DNS queries for uppercase internal domain (SRV record) timed out when DNS Security was enabled.
Addressed
11.1.6
PAN-265366
Fixed an issue where firewall experienced frequent reboots when ipv6 trafic is routed to explicit proxy, causing explicit proxy to crash.
Addressed
11.1.6
PAN-265160
Fixed an issue where the firewall created multiple connections to a syslog server and remained in the FINWAIT1 state, which caused logs to drop while being forwarded to the syslog server.
Addressed
11.1.6
PAN-264981
Fixed an issue on the Panorama web interface where it took longer than expected to edit Security policy rules.
Addressed
11.1.6
PAN-264883
( PA-7080 appliances with LPCs only ) Fixed an issue where syslog forwarding over TCP stopped after upgrading.
Addressed
11.1.6
PAN-264678
Fixed an issue where Preview Changes did not display configuration changes in Commit and push > Push Scope .
Addressed
11.1.6
PAN-264662
Fixed an issue where HTTP POST requests were blocked for URLs that had the block-continue category configured.
Addressed
11.1.6
PAN-263843
( VM-Series firewalls only ) Fixed an issue where the firewall received no-license packet buffers instead of memory based packet buffer numbers.
Addressed
11.1.6
PAN-263208
( PA-5400f firewalls only ) Fixed an issue where interrupts were generated at a certain packet rate, and dataplane processes missed heartbeats, which caused the dataplane to go down.
Addressed
11.1.6
PAN-263012
Fixed an issue where commits failed from a Panorama appliance with a default master key to a firewall with a master key configured and a VM Information source configured.
Addressed
11.1.6
PAN-262973
Fixed an issue where changes made by a custom role Panorama administrator did not display in the push scope for other custom role administrators when a full commit was performed.
Addressed
11.1.6
PAN-262540
Fixed an issue where application traffic transactions that reused TCP ports did not work with decryption.
Addressed
11.1.6
PAN-262511
Fixed an issue on firewalls in HA configurations where OSPF neighbors were not established after an HA failover.
Addressed
11.1.6
PAN-260796
Fixed an issue where servers were not accessible through an active SSL GlobalProtect VPN tunnel until a new connection was established or the session was cleared on the firewall.
Addressed
11.1.6
PAN-260604
Fixed an issue where the firewall displayed inaccurate throughput utilization stats in NetFlow analyzer tools.
Addressed
11.1.6
PAN-260417
Fixed an issue on Panorama where UpdateLicDB was triggered every few minutes when firewalls with PAYG licenses were onboarded.
Addressed
11.1.6
PAN-257736
( PA-5450 firewalls only ) Fixed an issue where traffic to benign applications was impacted by holding TCP sequential segments for MLC inspection and not releasing the full chain after a benign verdict was received.
Addressed
11.1.6
PAN-256552
Fixed an issue where the logrcvr stopped responding, which caused the firewall to restart.
Addressed
11.1.6
PAN-255747
Fixed an issue on the firewall where CLI commands returned Server error: op command for client dagger timed out as client is not available .
Addressed
11.1.6
PAN-255653
Fixed an HA failover issue where, when Management Processing Card (MPC) or Base Card (BC) failures occurred, the HA link went down, which caused fpp-down events on one firewall.
Addressed
11.1.6
PAN-253485
( Firewalls in active/passive HA configurations only ) Fixed an issue where dataplane packet capture filter configuration failed on the active firewall with the error op command for client dagger timed out as client is not available .
Addressed
11.1.6
PAN-252669
Fixed an issue where the ikemgr process stopped responding with a SIGSEGV error.
Addressed
11.1.6
PAN-251973
Fixed an issue where the firewall did not detect evasions due to TCP checksum offloading not being enabled.
Addressed
11.1.6
PAN-249581
Fixed an issue where stale BGP routes were advertised to peers even when they were not present in the local RIB table.
Addressed
11.1.6
PAN-249384
Fixed an issue on Panorama where configuration locks were observed during a partial rulebase commit.
Addressed
11.1.6
PAN-243920
Fixed an issue where the firewall name was truncated in the logs when the name used more than 31 characters.
Addressed
11.1.6
PAN-233197
Fixed an issue where the CLI command to set the FEC parameter for the front panel ports was not supported on platforms supporting 25G and 100G.
Known
11.2.1
PAN-262287
Dereferencing a NULL pointer that occurs might cause pan_task processes to crash.
Known
11.2.1
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
11.2.1
PAN-259853
When the DHCP server is enabled for GlobalProtect, the commit error message is not properly displayed when Any is selected as the source interface in the service router configuration ( Device Setup Service Service Router Configuration ).
Known
11.2.1
PAN-259769
GlobalProtect portal is not accessible via a web browser and the app displays the error ERR_EMPTY_RESPONSE .
Known
11.2.1
PAN-259423
When the GlobalProtect DHCP feature is enabled with two primary DHCP servers on the GlobalProtect gateway, the gpsvc gets stuck during renewal and after HA failover.
Known
11.2.1
PAN-257615
This issue is now resolved. See PAN-OS 11.2.3 Addressed Issues .
The Panorama web interface intermittently displays logs or fails to display logs completely.
Known
11.2.1
PAN-254108
when upgrading or downgrading a Panorama management server ( Panorama Software ), managed device ( Panorama Device Deployment Software ), or standalone firewall ( Device Software ), Base Releases and Preferred Releases settings are checked (enabled) by default and cause no PAN-OS software images to display.
Workaround: Uncheck (disable) Base Releases or Preferred Releases to display either the available base PAN-OS or preferred PAN-OS releases available to download and install.
Known
11.2.1
PAN-253963
The auto commit job may take longer than expected to complete when the Panorama management server is in Panorama or Log Collector mode.
Known
11.2.1
PAN-252661
If you change the service route of gp-ip-mgmt in Device > Setup > Services > Service Features > gp-ip-mgmt and Commit , the change won’t take effect. gp-ip-mgmt continues to use the last committed service route.
Workaround: After you change the service route interface for gp-ip-mgmt, navigate to either a GlobalProtect portal or gateway, click OK to save the configuration, and Commit the changes. This commit will include the service route change.
Known
11.2.1
PAN-251639
When a Wildfire Analysis security profile is enabled, an out of memory condition might occur due to a memory leak in the varrcvr process.
Known
11.2.1
PAN-250246
Panorama and the firewall display inconsistent IP addresses for device group members after manually syncing.
Known
11.2.1
PAN-250062
Device telemetry might fail at configured intervals due to bundle generation issues.
Known
11.2.1
PAN-248836
The Advanced DNS Security trial license and trial license information cannot be activated and viewed, respectively, on a managed firewall (with expired or active status) from Panorama. These tasks can only be performed on the firewall.
Known
11.2.1
PAN-247728
When Advanced Routing is enabled, IP multicast is not supported. An upcoming version will provide support for this feature. Customers who have multicast configured or who plan to deploy multicast routing should not upgrade to 11.2.0. Additionally, when Advanced Routing is enabled, the BGP dampening configuration isn't applied to any peers or peer group; the configuration is preserved but has no effect on BGP. Customers can use BGP even if they have applied a Dampening profile to a specific set of peers. The issue doesn't affect any other BGP features.
Known
11.2.1
PAN-241994
The VMX hardware version was upgraded from vmx-10 to vmx-15 on ESXi and NSX-T. Support for vmx-15 is supported on ESXi 6.7 U2 and onwards. Palo Alto Networks recommends that you upgrade your ESXi version if it is less than 6.7 U2. For more information, see the compatibility matrix .
Known
11.2.1
PAN-239612
When the firewall is running PAN-OS 11.2.0 and Advanced Routing is enabled, DHCPv4 relay agent functions successfully, but DHCPv6 relay agent doesn't work.
Known
11.2.1
PAN-236649
If you change the configuration of a firewall acting as a PPPoEv4 or PPPoEv6 client, old routes from the Forwarding Information Base (FIB) and route table for an inherited configuration with dynamic-identifier or client remain visible. Old routes also remain visible for an inherited interface when you execute the CLI command, show interface all .
Workaround: Unconfigure and configure the Inherited Interface.
Known
11.2.1
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
11.2.1
PAN-207442
For M-700 appliances in an active/passive high availability ( Panorama High Availability ) configuration, the active-primary HA peer configuration sync to the secondary-passive HA peer may fail. When the config sync fails, the job Results is Successful ( Tasks ), however the sync status on the Dashboard displays as Out of Sync for both HA peers.
Workaround : Perform a local commit on the active-primary HA peer and then synchronize the HA configuration.
  1. Log in to the Panorama web interface of the active-primary HA peer.
  2. Select Commit and Commit to Panorama .
  3. In the active-primary HA peer Dashboard , click Sync to Peer in the High Availability widget.
Known
11.2.1
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status ( Panorama Managed Collector ) displaying connected and the managed colletor Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround: Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Log in to the Dedicated Log Collector CLI .
  2. Confirm the Dedicated Log Collector is disconnected from Panorama. 
    admin> show panorama-status
    Verify the Connected status is no .
  3. Restart the mgmtsrvr process. 
    admin> debug software restart process management-server
Known
11.2.1
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
Known
11.2.1
PAN-197419
( PA-1400 Series firewalls only ) In Network Interface Ethernet , the power over Ethernet (PoE) ports do not display a Tag value.
Known
11.2.1
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
11.2.1
PAN-195968
( PA-1400 Series firewalls only ) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the CLI prints an error depending on whether an interface type was selected on the non-PoE port or not. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message will not include the interface name (eg. ethernet1/4). If an interface type was not selected before PoE was configured, the error message will include the interface name.
Known
11.2.1
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
11.2.1
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
11.2.1
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
11.2.1
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
11.2.1
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Addressed
11.2.1-h1
PAN-272809
A fix was made to address CVE-2024-0012 ( PAN-SA-2024-0015 ) and CVE-2024-9474 .
Addressed
11.2.1
PAN-257919
Fixed an issue where, when using explicit proxy with SAML authentication, initiating SAML authentication with a non-GET request resulted in a 302 redirect response instead of the expected 200 ok response.
Addressed
11.2.1
PAN-256343
Fixed an issue where, when Advanced Routing Engine was enabled and OSPFv3 was configured, the CLI command show advanced-routing ospf interface caused traffic to be disrupted, and the interface and area information did not display in CLI or the web interface.
Addressed
11.2.1
PAN-255868
( PA-3400 Series firewalls only ) Fixed an issue where the firewall entered maintenance mode after enabling kernel data collection during the silent reboot.
Addressed
11.2.1
PAN-255227
Fixed an issue where the the MAC address was sent to the DHCP server instead of the hostname on macOS endpoints.
Addressed
11.2.1
PAN-254236
Fixed an issue where Client Hello packets were dropped when SSL/TLS handshake inspection was enabled.
Addressed
11.2.1
PAN-249292
( VM-Series firewalls on Microsoft Azure environments only ) Fixed an issue where CPU usage was higher than expected after a hotplug event when Accelerated Networking was enabled for the management interface.
Addressed
11.2.1
PAN-236909
Fixed an issue where, when you committed the first configuration change after booting up the firewall, the external dynamic list file download failed until the list was refreshed. This occurred when the configuration was pushed with a certificate profile.
Addressed
11.2.1
PAN-164885
Fixed an issue on Panorama where Commit and Push or Push to Devices operations failed when an external dynamic list was configured to check for updates every 5 minutes due to the commit and external dynamic fetch processes overlapping.
Known
11.2.2
PAN-263226
When SSL decryption is enabled and Client Hello messages span multiple TCP segments, elements from the proxy_l2info memory pool may not be freed properly. Memory leaks in this pool cause some SSL decryption sessions to fail.
Workaround: Disable Client Hello accumulation using the debug dataplane set ssl-decrypt accumulate-client-hello disable yes CLI command.
Known
11.2.2
PAN-262287
Dereferencing a NULL pointer that occurs might cause pan_task processes to crash.
Known
11.2.2
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
11.2.2
PAN-260212
When viewing Applications ( Objects Applications ), child App-IDs may be listed under the incorrect container App-ID.
Known
11.2.2
PAN-259769
GlobalProtect portal is not accessible via a web browser and the app displays the error ERR_EMPTY_RESPONSE .
Known
11.2.2
PAN-259853
When the DHCP server is enabled for GlobalProtect, the commit error message is not properly displayed when Any is selected as the source interface in the service router configuration ( Device Setup Service Service Router Configuration ).
Known
11.2.2
PAN-259423
When the GlobalProtect DHCP feature is enabled with two primary DHCP servers on the GlobalProtect gateway, the gpsvc gets stuck during renewal and after HA failover.
Known
11.2.2
PAN-257615
This issue is now resolved. See PAN-OS 11.2.3 Addressed Issues .
The Panorama web interface intermittently displays logs or fails to display logs completely.
Known
11.2.2
PAN-254108
when upgrading or downgrading a Panorama management server ( Panorama Software ), managed device ( Panorama Device Deployment Software ), or standalone firewall ( Device Software ), Base Releases and Preferred Releases settings are checked (enabled) by default and cause no PAN-OS software images to display.
Workaround: Uncheck (disable) Base Releases or Preferred Releases to display either the available base PAN-OS or preferred PAN-OS releases available to download and install.
Known
11.2.2
PAN-253963
The auto commit job may take longer than expected to complete when the Panorama management server is in Panorama or Log Collector mode.
Known
11.2.2
PAN-252661
If you change the service route of gp-ip-mgmt in Device Setup Services Service Features gp-ip-mgmt and Commit , the change won’t take effect. gp-ip-mgmt continues to use the last committed service route.
Workaround: After you change the service route interface for gp-ip-mgmt, navigate to either a GlobalProtect portal or gateway, click OK to save the configuration, and Commit the changes. This commit will include the service route change.
Known
11.2.2
PAN-251639
When a Wildfire Analysis security profile is enabled, an out of memory condition might occur due to a memory leak in the varrcvr process.
Known
11.2.2
PAN-250246
Panorama and the firewall display inconsistent IP addresses for device group members after manually syncing.
Known
11.2.2
PAN-250062
Device telemetry might fail at configured intervals due to bundle generation issues.
Known
11.2.2
PAN-248836
The Advanced DNS Security trial license and trial license information cannot be activated and viewed, respectively, on a managed firewall (with expired or active status) from Panorama. These tasks can only be performed on the firewall.
Known
11.2.2
PAN-247728
When Advanced Routing is enabled, IP multicast is not supported. An upcoming version will provide support for this feature. Customers who have multicast configured or who plan to deploy multicast routing should not upgrade to 11.2.0. Additionally, when Advanced Routing is enabled, the BGP dampening configuration isn't applied to any peers or peer group; the configuration is preserved but has no effect on BGP. Customers can use BGP even if they have applied a Dampening profile to a specific set of peers. The issue doesn't affect any other BGP features.
Known
11.2.2
PAN-241994
The VMX hardware version was upgraded from vmx-10 to vmx-15 on ESXi and NSX-T. Support for vmx-15 is supported on ESXi 6.7 U2 and onwards. Palo Alto Networks recommends that you upgrade your ESXi version if it is less than 6.7 U2. For more information, see the compatibility matrix .
Known
11.2.2
PAN-239612
When the firewall is running PAN-OS 11.2.0 and Advanced Routing is enabled, DHCPv4 relay agent functions successfully, but DHCPv6 relay agent doesn't work.
Known
11.2.2
PAN-236649
If you change the configuration of a firewall acting as a PPPoEv4 or PPPoEv6 client, old routes from the Forwarding Information Base (FIB) and route table for an inherited configuration with dynamic-identifier or client remain visible. Old routes also remain visible for an inherited interface when you execute the CLI command, show interface all .
Workaround: Unconfigure and configure the Inherited Interface.
Known
11.2.2
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
11.2.2
PAN-207442
For M-700 appliances in an active/passive high availability ( Panorama High Availability ) configuration, the active-primary HA peer configuration sync to the secondary-passive HA peer may fail. When the config sync fails, the job Results is Successful ( Tasks ), however the sync status on the Dashboard displays as Out of Sync for both HA peers.
Workaround : Perform a local commit on the active-primary HA peer and then synchronize the HA configuration.
  1. Log in to the Panorama web interface of the active-primary HA peer.
  2. Select Commit and Commit to Panorama .
  3. In the active-primary HA peer Dashboard , click Sync to Peer in the High Availability widget.
Known
11.2.2
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status ( Panorama Managed Collector ) displaying connected and the managed colletor Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround: Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Log in to the Dedicated Log Collector CLI .
  2. Confirm the Dedicated Log Collector is disconnected from Panorama. 
    admin> show panorama-status
    Verify the Connected status is no .
  3. Restart the mgmtsrvr process. 
    admin> debug software restart process management-server
Known
11.2.2
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
Known
11.2.2
PAN-197419
( PA-1400 Series firewalls only ) In Network Interface Ethernet , the power over Ethernet (PoE) ports do not display a Tag value.
Known
11.2.2
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
11.2.2
PAN-195968
( PA-1400 Series firewalls only ) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the CLI prints an error depending on whether an interface type was selected on the non-PoE port or not. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message will not include the interface name (eg. ethernet1/4). If an interface type was not selected before PoE was configured, the error message will include the interface name.
Known
11.2.2
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
11.2.2
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
11.2.2
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
11.2.2
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
11.2.2
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Addressed
11.2.2-h2
PAN-272809
A fix was made to address CVE-2024-0012 ( PAN-SA-2024-0015 ) and CVE-2024-9474 .
Addressed
11.2.2-h1
PAN-263349
Fixed an error in the bundling of software components.
Addressed
11.2.2
PAN-258702
( WF-500 appliances only ) Fixed an issue where the varrcvr process stopped responding when files were being forwarded to the WildFire cloud.
Addressed
11.2.2
PAN-255773
Fixed an issue where errors related to applications in Content-preview caused commit failures.
Addressed
11.2.2
PAN-248508
( VM-Series firewalls on Amazon Web Services (AWS) environments only ) Fixed an issue where the firewall did not perform MSS clamping when GWLB endpoints were mapped to static subinterfaces.
Addressed
11.2.2
PAN-247099
Fixed an issue where the firewall decrypted traffic unexpectedly when the client hello was spread across multiple packets.
Addressed
11.2.2
PAN-251929
Fixed an issue where inbound decryption did not work when FIPS self tests were turned on.
Known
11.2.3
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
11.2.3
PAN-260212
When viewing Applications ( Objects Applications ), child App-IDs may be listed under the incorrect container App-ID.
Known
11.2.3
PAN-259853
When the DHCP server is enabled for GlobalProtect, the commit error message is not properly displayed when Any is selected as the source interface in the service router configuration ( Device Setup Service Service Router Configuration ).
Known
11.2.3
PAN-259423
When the GlobalProtect DHCP feature is enabled with two primary DHCP servers on the GlobalProtect gateway, the gpsvc gets stuck during renewal and after HA failover.
Known
11.2.3
PAN-254236
TLSv1.3 hybridized Kyber support in the latest versions of Chrome and Edge browsers results in dropped Client Hello packets when SSL/TLS handshake inspection is enabled.
Workaround: Disable SSL/TLS handshake inspection .
Known
11.2.3
PAN-254108
when upgrading or downgrading a Panorama management server ( Panorama Software ), managed device ( Panorama Device Deployment Software ), or standalone firewall ( Device Software ), Base Releases and Preferred Releases settings are checked (enabled) by default and cause no PAN-OS software images to display.
Workaround: Uncheck (disable) Base Releases or Preferred Releases to display either the available base PAN-OS or preferred PAN-OS releases available to download and install.
Known
11.2.3
PAN-253963
The auto commit job may take longer than expected to complete when the Panorama management server is in Panorama or Log Collector mode.
Known
11.2.3
PAN-252661
If you change the service route of gp-ip-mgmt in Device > Setup > Services > Service Features > gp-ip-mgmt and Commit , the change won’t take effect. gp-ip-mgmt continues to use the last committed service route.
Workaround: After you change the service route interface for gp-ip-mgmt, navigate to either a GlobalProtect portal or gateway, click OK to save the configuration, and Commit the changes. This commit will include the service route change.
Known
11.2.3
PAN-251639
When a Wildfire Analysis security profile is enabled, an out of memory condition might occur due to a memory leak in the varrcvr process.
Known
11.2.3
PAN-250246
Panorama and the firewall display inconsistent IP addresses for device group members after manually syncing.
Known
11.2.3
PAN-250062
Device telemetry might fail at configured intervals due to bundle generation issues.
Known
11.2.3
PAN-248836
The Advanced DNS Security trial license and trial license information cannot be activated and viewed, respectively, on a managed firewall (with expired or active status) from Panorama. These tasks can only be performed on the firewall.
Known
11.2.3
PAN-247728
When Advanced Routing is enabled, IP multicast is not supported. An upcoming version will provide support for this feature. Customers who have multicast configured or who plan to deploy multicast routing should not upgrade to 11.2.0. Additionally, when Advanced Routing is enabled, the BGP dampening configuration isn't applied to any peers or peer group; the configuration is preserved but has no effect on BGP. Customers can use BGP even if they have applied a Dampening profile to a specific set of peers. The issue doesn't affect any other BGP features.
Known
11.2.3
PAN-241994
The VMX hardware version was upgraded from vmx-10 to vmx-15 on ESXi and NSX-T. Support for vmx-15 is supported on ESXi 6.7 U2 and onwards. Palo Alto Networks recommends that you upgrade your ESXi version if it is less than 6.7 U2. For more information, see the compatibility matrix .
Known
11.2.3
PAN-239612
When the firewall is running PAN-OS 11.2.0 and Advanced Routing is enabled, DHCPv4 relay agent functions successfully, but DHCPv6 relay agent doesn't work.
Known
11.2.3
PAN-236649
If you change the configuration of a firewall acting as a PPPoEv4 or PPPoEv6 client, old routes from the Forwarding Information Base (FIB) and route table for an inherited configuration with dynamic-identifier or client remain visible. Old routes also remain visible for an inherited interface when you execute the CLI command, show interface all .
Workaround: Unconfigure and configure the Inherited Interface.
Known
11.2.3
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
11.2.3
PAN-207442
For M-700 appliances in an active/passive high availability ( Panorama High Availability ) configuration, the active-primary HA peer configuration sync to the secondary-passive HA peer may fail. When the config sync fails, the job Results is Successful ( Tasks ), however the sync status on the Dashboard displays as Out of Sync for both HA peers.
Workaround : Perform a local commit on the active-primary HA peer and then synchronize the HA configuration.
  1. Log in to the Panorama web interface of the active-primary HA peer.
  2. Select Commit and Commit to Panorama .
  3. In the active-primary HA peer Dashboard , click Sync to Peer in the High Availability widget.
Known
11.2.3
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status ( Panorama Managed Collector ) displaying connected and the managed colletor Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround: Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Log in to the Dedicated Log Collector CLI .
  2. Confirm the Dedicated Log Collector is disconnected from Panorama. 
    admin> show panorama-status
    Verify the Connected status is no .
  3. Restart the mgmtsrvr process. 
    admin> debug software restart process management-server
Known
11.2.3
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
Known
11.2.3
PAN-197419
( PA-1400 Series firewalls only ) In Network Interface Ethernet , the power over Ethernet (PoE) ports do not display a Tag value.
Known
11.2.3
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
11.2.3
PAN-195968
( PA-1400 Series firewalls only ) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the CLI prints an error depending on whether an interface type was selected on the non-PoE port or not. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message will not include the interface name (eg. ethernet1/4). If an interface type was not selected before PoE was configured, the error message will include the interface name.
Known
11.2.3
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
11.2.3
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
11.2.3
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
11.2.3
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
11.2.3
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Addressed
11.2.3-h5
PAN-273215
Fixed an issue where a syntax error in the index generation script caused a high management plane CPU load after upgrading.
Addressed
11.2.3-h5
PAN-271613
Fixed an issue where configuration pushes from Panorama to the firewall failed due to an OOXML commit error.
Addressed
11.2.3-h5
PAN-269404
Fixed an issue where the firewall did not reset the maximum latency timer for hold mode.
Addressed
11.2.3-h5
PAN-268823
Fixed an issue where Monitor > Log Display did not display all logs when you applied a filter.
Addressed
11.2.3-h5
PAN-264549
Fixed an issue where, after modifying a policy rule on Panorama, pushes to the Cloud NGFW failed with the error saas-user-list unexpected here .
Addressed
11.2.3-h5
PAN-259078
Fixed an issue where WildFire Analysis reports were not generated and the following error message was displayed: Error 500: Internal Server Error .
Addressed
11.2.3-h3
PAN-272809
A fix was made to address CVE-2024-0012 ( PAN-SA-2024-0015 ) and CVE-2024-9474 .
Addressed
11.2.3-h3
PAN-247230
Fixed an issue where the syslog forwarding configuration did not include the full path for Security policy rules.
Addressed
11.2.3-h3
PAN-259997
( PA-3410, PA-3420, and PA-3430 firewalls only ) Fixed an issue where the install failed when upgrading from PAN-OS 10.2.3-h3 and later 10.2 releases to PAN-OS 10.2.10 due to the number of configured vsys zones exceeding the zone limit in PAN-OS 10.2.10.
Addressed
11.2.3
PAN-263387
Fixed an issue where the firewall web interface was blank after logging in.
Addressed
11.2.3
PAN-263226
Fixed an issue where decryption based traffic failed on Explicit Proxy nodes.
Addressed
11.2.3
PAN-262593
Fixed an issue where traffic to websites failed on the Google Chrome web browser on Secure Web Gateway (SWG) nodes.
Addressed
11.2.3
PAN-262287
Fixed an issue where dereferencing a NULL pointer that occurred when App-ID stopped responding caused the firewall to restart.
Addressed
11.2.3
PAN-262013
Fixed an issue where Prisma Access mobile users did not receive no such name DNS responses from the firewall and were timed out.
Addressed
11.2.3
PAN-261991
Fixed an issue where traffic that did not match a decryption policy rule, or matched a no-decrypt policy rule, failed when accumulation proxy was enabled and a Zone Protection profile was configured with syn-cookies enabled.
Addressed
11.2.3
PAN-261917
Fixed an issue where websites with a no-decrypt policy rule were decrypted in the traffic log when using a Google Chrome browser with PQC enabled.
Addressed
11.2.3
PAN-261797
Fixed an issue where fragmented IP packets were dropped silently.
Addressed
11.2.3
PAN-261270
Fixed an issue where the firewall decremented the TTL/Hop limit for BGPv6 packets by 1 after IPSec decryption.
Addressed
11.2.3
PAN-260059
Fixed an issue where Device Telemetry Regions did not show up with the latest content due to content files not being parsed for the region list when Telemetry was turned off.
Addressed
11.2.3
PAN-259964
Fixed an issue where the firewall was not able to handle a high traffic load, which caused some logs to be lost.
Addressed
11.2.3
PAN-259769
Fixed an issue where the GlobalProtect portal was not accessible via a web browser and displayed the error ERR_EMPTY_RESPONSE .
Addressed
11.2.3
PAN-259733
Fixed an issue where a custom report was not deleted on Panorama when expected.
Addressed
11.2.3
PAN-259480
Fixed an issue where the varrcvr process stopped responding after running out of memory due to how the process queued and dequeued files for WildFire file forwarding when a WildFire Analysis Security profile was enabled.
Addressed
11.2.3
PAN-259473
( PA-5450 firewalls only ) Fixed an issue where the chassis shut down when FAN1 was removed.
Addressed
11.2.3
PAN-259151
Fixed an issue where unused objects were pushed to the firewall, which caused configuration pushes to fail with the error Number of address groups exceed platform capacity .
Addressed
11.2.3
PAN-258442
Fixed an issue where changes made to the split tunnel configuration on the Prisma Access gateway were not reflected on the GlobalProtect client.
Addressed
11.2.3
PAN-257957
( Firewalls and Panorama appliances in FIPS-CC mode only ) Fixed an issue where the authd process restarted if RADIUS PAP/CHAP authentication was used.
Addressed
11.2.3
PAN-257925
( CN-Series firewalls only ) Fixed an issue where the CLI command show system setting ctd state did not work as expected.
Addressed
11.2.3
PAN-257624
Fixed an issue where the firewall web interface was blank after logging in.
Addressed
11.2.3
PAN-257615
Fixed an issue on Panorama where logs did not display or displayed intermittently on the web interface.
Addressed
11.2.3
PAN-257563
Fixed an issue where the logrcvr component for SASE and MCW displayed incorrect zones in the traffic flow.
Addressed
11.2.3
PAN-257515
Fixed an issue where Possible Domain Fronting Detection for HTTP/2 generated false positives. With this change, domain fronting is limited to HTTP/1.
Addressed
11.2.3
PAN-257462
Fixed an issue related to the varrcvr process where the management plane CPU was higher than expected.
Addressed
11.2.3
PAN-257432
Fixed an issue on Panorama where the reportd process stopped responding, which caused a log query issue.
Addressed
11.2.3
PAN-257390
( PA-5250 firewalls only ) Fixed an issue where the logrcvr process stopped responding due to a segmentation fault.
Addressed
11.2.3
PAN-257355
Fixed an issue where a false positive HTTP/TLS evasion alert was generated when the domain had DNS load balance.
Addressed
11.2.3
PAN-257197
Fixed an issue where ifType and ifSpeed were not populated in asynchronous mode of SNMP operations.
Addressed
11.2.3
PAN-256939
Fixed an issue on the firewall where disk space was low in /opt/pancfg/ , which caused dynamic content installation to fail.
Addressed
11.2.3
PAN-256765
Fixed an issue where you were unable to push variables from Panorama in service routes for non-cluster templates.
Addressed
11.2.3
PAN-256738
( VM-Series firewalls in HA configurations only ) Fixed an issue where BGP routes from the active firewall were lost when the passive firewall was rebooted.
Addressed
11.2.3
PAN-256666
Fixed an issue where the configd process stopped responding when Commit and Push operations were performed on multiple device groups.
Addressed
11.2.3
PAN-256385
( CN-Series firewalls only ) Fixed an issue where communication was broken between the management plane and the dataplane when Anti-Spyware profiles were configured in a Security policy rule.
Addressed
11.2.3
PAN-256327
( Panorama virtual appliances on Microsoft Azure environments only ) Fixed an issue where the logd process repeatedly restarted due to a buffer overflow when generating a traffic summary from a traffic log.
Addressed
11.2.3
PAN-256249
Fixed an issue on the web interface that occurred when changing the pre-shared key to a variable ( Network > Network Profiles > IKE Gateways ).
Addressed
11.2.3
PAN-256223
Fixed an issue where device telemetry log collection filled the root partition.
Addressed
11.2.3
PAN-256181
Fixed an issue where the management interface and front panel port interface statistics were not populated in asynchronous mode of SNMP operations.
Addressed
11.2.3
PAN-255895
Fixed an issue where Panorama administrators with the Panorama Administrator dynamic administrator type were not able to create or modify BGP timer profiles or BGP dampening profiles.
Addressed
11.2.3
PAN-255820
Fixed an issue where the WildFire signature generation check box in Panorama did not register a change in the configuration.
Addressed
11.2.3
PAN-255711
Fixed an issue where the firewall displayed a malformed request error when selecting a custom format and clicking OK on the configuration window due to the log type Correlation incorrectly being displayed ( Device > Log Setting - Correlation > Syslog Server Profile > Custom Log Format > Correlation ).
Addressed
11.2.3
PAN-255611
Fixed an issue on the firewall where newly added routes were not automatically sorted based on subnets when added to a redistribution profile.
Addressed
11.2.3
PAN-255441
Fixed an issue where BGP-ARE routes were not advertised due to a peer route map filter.
Addressed
11.2.3
PAN-255396
Fixed an issue where, when using serial number and IP address authentication, and multiple gateways were configured, the portal returned the last gateway in the list and disregarded the satellite assignment by serial number.
Addressed
11.2.3
PAN-255391
Fixed an issue where the firewall was unable to filter logs using the ISO 8601 timestamp format after upgrading to PAN-OS 11.0.4 or a later release.
Addressed
11.2.3
PAN-255266
Fixed an issue where you were unable to clone a template stack with the Pre-Shared Key variable.
Addressed
11.2.3
PAN-255252
Fixed an issue where Panorama administrators with the type Dynamic were unable to create, modify, or delete BGP Dampening profiles.
Addressed
11.2.3
PAN-255163
( CN-Series firewalls only ) Fixed an issue where the system database key that stored the configuration status of the dataplane pod was not updated frequently.
Addressed
11.2.3
PAN-254826
Fixed an issue where the firewall stopped responding when processing traffic.
Addressed
11.2.3
PAN-254629
Fixed an issue on the Management Processing Card where excessive logs were generated for an error.
Addressed
11.2.3
PAN-254621
Fixed an issue where the firewall frequently rebooted due to the brdagent process not responding.
Addressed
11.2.3
PAN-254577
Fixed an issue where a core file was created on the Log Forwarding Card (LFC) due to a third-party software issue.
Addressed
11.2.3
PAN-254425
Fixed an issue where the firewall did not restrict port 9905 to localhost .
Addressed
11.2.3
PAN-254423
Fixed an issue on Panorama where custom role-based admin users with read-only access were able to make changes to configurations.
Addressed
11.2.3
PAN-254422
Fixed an issue where the firewall required a restart when an SD-WAN policy rule was pushed from Panorama.
Addressed
11.2.3
PAN-254411
Fixed an issue where the configd process stopped responding, which caused ERR_CONNECTION_REFUSED error messages to be displayed in admin sessions.
Addressed
11.2.3
PAN-254373
Fixed an issue where the firewall did not handle error code 500 responses from the WildFire cloud correctly.
Addressed
11.2.3
PAN-254241
Fixed an issue where the firewall stopped responding due to a high number of SD-WAN probes being sent.
Addressed
11.2.3
PAN-254181
( CN-Series firewalls only ) Fixed an issue where firewall pods and application pods repeatedly restarted.
Addressed
11.2.3
PAN-253829
Fixed an issue where the CLI command show running security-policy timed out when the Security policy was large.
Addressed
11.2.3
PAN-253819
Fixed an issue where a User Activity Report was not generated by Run Now or not emailed through the Email Schedule when the locale setting was not English.
Addressed
11.2.3
PAN-253452
Fixed an issue where GlobalProtect users were unable to connect to the GlobalProtect gateway and received the error Gateway does not exist .
Addressed
11.2.3
PAN-253317
( VM-Series firewalls on Microsoft Azure environments only ) Fixed an issue where you were unable to log in to the firewall after a private data reset.
Addressed
11.2.3
PAN-252867
Fixed an issue where an incorrect memory reference in an IoT API caused the wifclient process to stop responding.
Addressed
11.2.3
PAN-252517
Fixed an issue where SNMP failed to respond to multiple Object Identifier (OID) queries in a single SNMP GET request.
Addressed
11.2.3
PAN-252411
Fixed an issue where, when log files were purged from the rollup summary logs, the summary report still used the rollup summary data, which resulted in the summary report displaying less data.
Addressed
11.2.3
PAN-251909
Fixed an issue where a Panorama pushed configuration failed to commit on the firewall due to the address object referenced by the interface not being shared with the firewall.
Addressed
11.2.3
PAN-251732
Fixed an issue where Oracle traffic over generic routing encapsulation (GRE) was dropped when the traffic passed through the firewall using ttunnel content inspection (TCI).
Addressed
11.2.3
PAN-251676
Fixed an issue on Panorama appliances in large-scale deployments where configd process core files consumed more space in the /opt/panlogs partition than was available.
Addressed
11.2.3
PAN-251661
Fixed an issue where a memory overwrite occurred during HTTP/2 header inflation.
Addressed
11.2.3
PAN-251656
Fixed an issue where enabling lockless QoS caused traffic disruptions.
Addressed
11.2.3
PAN-251655
Fixed an issue where the firewall stopped forwarding files to the WildFire cloud and a restart of the varrcvr process was required.
Addressed
11.2.3
PAN-251446
Fixed an issue where a critical system log was generated for a SAML authenticated user whose username length was greater than 32 characters.
Addressed
11.2.3
PAN-251047
Fixed an issue where the useridd process logs were flooded with an error message related to service profiles.
Addressed
11.2.3
PAN-250948
Fixed an issues where GlobalProtect on Microsoft Windows devices did not attempt CNAME resolution for sinkhole.paloaltonetworks.com.
Addressed
11.2.3
PAN-250909
Fixed an issue where, when creating a Security policy rule via the CLI, validation was not implemented and the same object was able to be referenced in the policy twice.
Addressed
11.2.3
PAN-250787
Fixed an issue where network issues between the firewall and the log collector caused logrcvr process memory exhaustion.
Addressed
11.2.3
PAN-250597
Fixed an issue where Global Find for a Panorama pushed shared address object displayed Others in the results.
Addressed
11.2.3
PAN-250462
Fixed an issue where the session logout time for the firewall was incorrect when viewing via context switch from Panorama.
Addressed
11.2.3
PAN-250419
Fixed an issue where XML API explorer inserted a plus (+) character in the Xpath when a space was used in the object name.
Addressed
11.2.3
PAN-250405
( CN-Series firewalls only ) Fixed an issue on the firewall where websrvr related messages displayed repeatedly.
Addressed
11.2.3
PAN-250311
Fixed an issue where the domain was not mapped when using certificate profile authentication on GlobalProtect.
Addressed
11.2.3
PAN-250258
Fixed an issue on the firewall where the Certificate Name character limit was 31 characters instead of 63 characters.
Addressed
11.2.3
PAN-250127
Fixed an issue where commits failed with the error message set is not allowed when default originate was enabled with a route map that included a set action.
Addressed
11.2.3
PAN-250024
Fixed an issue related to the reportd process where you were unable to log in to Panorama via the web interface and received a 500 error.
Addressed
11.2.3
PAN-250021
Fixed an issue where Change Summary and Preview Changes displayed inconsistent information when changing an admin user password.
Addressed
11.2.3
PAN-250005
Fixed an issue where the Advanced Routing migration script did not migrate BGP import policy rules correctly when the policy rule was configured with an exact match condition.
Addressed
11.2.3
PAN-249855
Fixed an issue where the firewall dropped the active source of the Multicast source via MSDP when they were not received from the MSDP peer firewall.
Addressed
11.2.3
PAN-249404
Fixed an issue on the Panorama web interface where the commit lock for a device group and template with the same name was not visible.
Addressed
11.2.3
PAN-249266
Fixed an issue where the config process virtual memory was exceeded due to delays in post-commit processing.
Addressed
11.2.3
PAN-248975
Fixed an issue on the Panorama web interface where no content was displayed after logging in.
Addressed
11.2.3
PAN-248841
Fixed an issue where the SSL response time was not displayed in the GlobalProtect log.
Addressed
11.2.3
PAN-248542
Fixed an issue where the NPB policy type was missing from configuration policy updates, which caused error messages to incorrectly display in the system logs.
Addressed
11.2.3
PAN-248211
Fixed an issue on Panorama where commits failed when Advanced Routing was enabled.
Addressed
11.2.3
PAN-248130
Fixed an issue where the AND operation under a Dynamic Address Group comparison did not work after upgrading the AWS plugin to 3.0.1.
Addressed
11.2.3
PAN-247857
( PA-7050 firewalls in HA configurations only ) Fixed an issue on the firewall where a dataplane process restarted when updating the routing table.
Addressed
11.2.3
PAN-247754
Fixed an issue where successful Commit and Push operations performed by SAML authenticated users were not reflected on the firewall.
Addressed
11.2.3
PAN-247575
Fixed an issue where the error message import of <issuecert> failed. Please check the validity of the key pair and try again for unmatched keys for EC certificates.
Addressed
11.2.3
PAN-247426
Fixed an issue where a proxy server was used for External Dynamic List communication even when the dataplane interface was configured through service routes.
Addressed
11.2.3
PAN-247257
Fixed an issue where the useridd process stopped responding, which caused the firewall to reboot.
Addressed
11.2.3
PAN-247230
Fixed an issue where the syslog forwarding configuration did not include the full path for Security policy rules.
Addressed
11.2.3
PAN-246772
Fixed an issue on the firewall where the dataplane went down due to a path monitor failure caused by an out-of-memory (OOM) condition related to the pan_task process.
Addressed
11.2.3
PAN-246769
Fixed an issue on Panorama where deny logs were not displayed.
Addressed
11.2.3
PAN-246220
Fixed an issue where a dynamic peer connection was rejected when using an FQDN for the peer address.
Addressed
11.2.3
PAN-246056
Fixed an issue where single TLS session packets were sent to multiple firewalls when off-loading was enabled and ECMP was disabled.
Addressed
11.2.3
PAN-245892
Fixed an issue where Log Filtering ( Monitor > Logs ) was slower than expected.
Addressed
11.2.3
PAN-245556
Fixed an issue where the firewall dropped VxLAN packets via v-wire after upgrading to PAN-OS 10.1.10 or a later release, which impacted SMB traffic and resulted in silent packet drops.
Addressed
11.2.3
PAN-244746
Fixed an issue where changes committed on Panorama were not reflected on the firewall after a successful push.
Addressed
11.2.3
PAN-243957
Fixed an issue where the firewall TLS/SSL service profile exclusion settings were not correctly applied on the captive portal.
Addressed
11.2.3
PAN-243387
Fixed an issue where sessions ended with the message resources-unavailable when traffic hit a Security profile.
Addressed
11.2.3
PAN-243240
Fixed an issue where the using QoS caused packet buffer utilization to increase exponentially and the PKI POOL DFLT pool depleted until a reboot was performed.
Addressed
11.2.3
PAN-243098
Fixed an issue with corrupted images when SSL decryption and Security profiles were configured.
Addressed
11.2.3
PAN-243081
Fixed an issue on the firewall where log filtering with special characters in the username incorrectly returned results.
Addressed
11.2.3
PAN-242958
Fixed an issue where the firewall intermittently logged connect-agent-failure messages for service connection instances due to bi-directional host ID redistribution.
Addressed
11.2.3
PAN-242331
Fixed an issue where Prisma Access remote network firewalls intermittently created incorrect user-to-IP-address mappings.
Addressed
11.2.3
PAN-242147
( PA-1410 firewalls only ) Fixed an issue where the firewall did not block STP packets when the ports on the connected routers were in access mode.
Addressed
11.2.3
PAN-241781
Fixed an issue where partial commit and commit-all operations took more time than expected to create the job ID.
Addressed
11.2.3
PAN-241044
Fixed an issue where traffic was denied by the interzone-default policy rule when a Security policy rule with an FQDN destination was configured.
Addressed
11.2.3
PAN-239246
Fixed an issue where the CLI command debug user-id dump hip-based-profile-database-entry returned an incorrect value in the output for the total size of hip reports .
Addressed
11.2.3
PAN-237582
Fixed an issue where logs were intermittently missing on the log collector due to missing aliases for some indices.
Addressed
11.2.3
PAN-236497
Fixed an issue where the firewall was unable to purge expired GTP-U sessions that remained as allocated sessions even after the TTL was expired.
Addressed
11.2.3
PAN-235110
( PA-220 firewalls only ) Fixed an issue where the web interface did not load after an upgrade.
Addressed
11.2.3
PAN-234560
Fixed an issue where the daily summary report displayed IPv6 addresses instead of IPv4 addresses.
Addressed
11.2.3
PAN-232550
Fixed an issue where SNMPv3 authentication failed when using SHA-512 Auth protocol.
Addressed
11.2.3
PAN-231642
Fixed an issue on the Panorama web interface where users that were logged in through multiple sessions were able to see an active lock on only one session.
Addressed
11.2.3
PAN-230326
Fixed an issue where the Network Packet Broker (NPB) user interface was incorrectly displayed on unsupported platforms.
Addressed
11.2.3
PAN-226785
Fixed an issue where accessing websites with HTTP to HTTPS redirect failed via explicit proxy.
Known
11.2.4
PAN-260851
From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application ( Objects Applications ) tag.
Known
11.2.4
PAN-260212
When viewing Applications ( Objects Applications ), child App-IDs may be listed under the incorrect container App-ID.
Known
11.2.4
PAN-259853
When the DHCP server is enabled for GlobalProtect, the commit error message is not properly displayed when Any is selected as the source interface in the service router configuration ( Device Setup Service Service Router Configuration ).
Known
11.2.4
PAN-259423
When the GlobalProtect DHCP feature is enabled with two primary DHCP servers on the GlobalProtect gateway, the gpsvc gets stuck during renewal and after HA failover.
Known
11.2.4
PAN-254236
TLSv1.3 hybridized Kyber support in the latest versions of Chrome and Edge browsers results in dropped Client Hello packets when SSL/TLS handshake inspection is enabled.
Workaround: Disable SSL/TLS handshake inspection .
Known
11.2.4
PAN-254108
when upgrading or downgrading a Panorama management server ( Panorama Software ), managed device ( Panorama Device Deployment Software ), or standalone firewall ( Device Software ), Base Releases and Preferred Releases settings are checked (enabled) by default and cause no PAN-OS software images to display.
Workaround: Uncheck (disable) Base Releases or Preferred Releases to display either the available base PAN-OS or preferred PAN-OS releases available to download and install.
Known
11.2.4
PAN-253963
The auto commit job may take longer than expected to complete when the Panorama management server is in Panorama or Log Collector mode.
Known
11.2.4
PAN-252661
If you change the service route of gp-ip-mgmt in Device > Setup > Services > Service Features > gp-ip-mgmt and Commit , the change won’t take effect. gp-ip-mgmt continues to use the last committed service route.
Workaround: After you change the service route interface for gp-ip-mgmt, navigate to either a GlobalProtect portal or gateway, click OK to save the configuration, and Commit the changes. This commit will include the service route change.
Known
11.2.4
PAN-251639
When a Wildfire Analysis security profile is enabled, an out of memory condition might occur due to a memory leak in the varrcvr process.
Known
11.2.4
PAN-250246
Panorama and the firewall display inconsistent IP addresses for device group members after manually syncing.
Known
11.2.4
PAN-250062
Device telemetry might fail at configured intervals due to bundle generation issues.
Known
11.2.4
PAN-248836
The Advanced DNS Security trial license and trial license information cannot be activated and viewed, respectively, on a managed firewall (with expired or active status) from Panorama. These tasks can only be performed on the firewall.
Known
11.2.4
PAN-247728
When Advanced Routing is enabled, IP multicast is not supported. An upcoming version will provide support for this feature. Customers who have multicast configured or who plan to deploy multicast routing should not upgrade to 11.2.0. Additionally, when Advanced Routing is enabled, the BGP dampening configuration isn't applied to any peers or peer group; the configuration is preserved but has no effect on BGP. Customers can use BGP even if they have applied a Dampening profile to a specific set of peers. The issue doesn't affect any other BGP features.
Known
11.2.4
PAN-241994
The VMX hardware version was upgraded from vmx-10 to vmx-15 on ESXi and NSX-T. Support for vmx-15 is supported on ESXi 6.7 U2 and onwards. Palo Alto Networks recommends that you upgrade your ESXi version if it is less than 6.7 U2. For more information, see the compatibility matrix .
Known
11.2.4
PAN-239612
When the firewall is running PAN-OS 11.2.0 and Advanced Routing is enabled, DHCPv4 relay agent functions successfully, but DHCPv6 relay agent doesn't work.
Known
11.2.4
PAN-236649
If you change the configuration of a firewall acting as a PPPoEv4 or PPPoEv6 client, old routes from the Forwarding Information Base (FIB) and route table for an inherited configuration with dynamic-identifier or client remain visible. Old routes also remain visible for an inherited interface when you execute the CLI command, show interface all .
Workaround: Unconfigure and configure the Inherited Interface.
Known
11.2.4
PAN-234015
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
Known
11.2.4
PAN-207442
For M-700 appliances in an active/passive high availability ( Panorama High Availability ) configuration, the active-primary HA peer configuration sync to the secondary-passive HA peer may fail. When the config sync fails, the job Results is Successful ( Tasks ), however the sync status on the Dashboard displays as Out of Sync for both HA peers.
Workaround : Perform a local commit on the active-primary HA peer and then synchronize the HA configuration.
  1. Log in to the Panorama web interface of the active-primary HA peer.
  2. Select Commit and Commit to Panorama .
  3. In the active-primary HA peer Dashboard , click Sync to Peer in the High Availability widget.
Known
11.2.4
PAN-206909
The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status ( Panorama Managed Collector ) displaying connected and the managed colletor Health status displaying as healthy.
This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.
Workaround: Restart the mgmtsrvr process on the Dedicated Log Collector.
  1. Log in to the Dedicated Log Collector CLI .
  2. Confirm the Dedicated Log Collector is disconnected from Panorama. 
    admin> show panorama-status
    Verify the Connected status is no .
  3. Restart the mgmtsrvr process. 
    admin> debug software restart process management-server
Known
11.2.4
PAN-197588
The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.
Known
11.2.4
PAN-197419
( PA-1400 Series firewalls only ) In Network Interface Ethernet , the power over Ethernet (PoE) ports do not display a Tag value.
Known
11.2.4
PAN-196758
On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes ( Commit Push to Devices Edit Selections or Commit Commit and Push Edit Selections ).
Known
11.2.4
PAN-195968
( PA-1400 Series firewalls only ) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the CLI prints an error depending on whether an interface type was selected on the non-PoE port or not. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message will not include the interface name (eg. ethernet1/4). If an interface type was not selected before PoE was configured, the error message will include the interface name.
Known
11.2.4
PAN-187685
On the Panorama management server, the Template Status displays no synchronization status ( Panorama Managed Devices Summary ) after a bootstrapped firewall is successfully added to Panorama.
Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select Commit Push to Devices .
Known
11.2.4
PAN-187407
The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.
Known
11.2.4
PAN-184406
Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.
Known
11.2.4
PAN-183404
Static IP addresses are not recognized when "and" operators are used with IP CIDR range.
Known
11.2.4
PAN-181933
If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.
Addressed
11.2.4-h2
PAN-273215
Fixed an issue where a syntax error in the index generation script caused a high management plane CPU load after upgrading.
Addressed
11.2.4-h2
PAN-271613
Fixed an issue where configuration pushes from Panorama to the firewall failed due to an OOXML commit error.
Addressed
11.2.4-h2
PAN-269404
Fixed an issue where the firewall did not reset the maximum latency timer for hold mode.
Addressed
11.2.4-h2
PAN-259078
Fixed an issue where WildFire Analysis reports were not generated and the following error message was displayed: Error 500: Internal Server Error .
Addressed
11.2.4-h1
PAN-272809
A fix was made to address CVE-2024-0012 ( PAN-SA-2024-0015 ) and CVE-2024-9474 .
Addressed
11.2.4
PAN-270802
Fixed an issue where, after modifying a policy rule on Panorama, pushes to the Cloud NGFW failed with the error saas-user-list unexpected here .
Addressed
11.2.4
PAN-268823
Fixed an issue where Monitor > Log Display did not display all logs when you applied a filter.
Addressed
11.2.4
PAN-267386
Fixed an issue where VPC IDs and Security keys were not mapped to the correct interfaces for Google IPS.
Addressed
11.2.4
PAN-266769
Fixed an issue where the GlobalProtect gateway did not handle IP address changes of the inner gateway when the NGPA new protocol was enabled.
Addressed
11.2.4
PAN-266581
Fixed an issue where a failed SSL connection to a syslog server resulted in a /tmp/srvr.crt.xxxxxx file not being removed, which caused index node (inode) exhaustion.
Addressed
11.2.4
PAN-266114
Fixed an issue where, when a new set of URL logs came in, the content of the earlier URL and traffic logs were lost.
Addressed
11.2.4
PAN-265785
Fixed an issue where the firewall rebooted due to a sysd variable being modified before it was created.
Addressed
11.2.4
PAN-264249
Fixed an issue on the firewall where SNMP queries timed out when using SNMP.
Addressed
11.2.4
PAN-264246
Fixed an issue where the Authentication Portal did not work properly with session cookies when the request to the portal contained the header Sec-Fetch-Site=cross-site .
Addressed
11.2.4
PAN-263680
Fixed an issue where Prisma Access gateways consistently stopped responding with process restarts.
Addressed
11.2.4
PAN-263559
Fixed an issue where the dataplane stopped responding and the firewall unexpectedly rebooted due to multiple process restarts.
Addressed
11.2.4
PAN-263287
The PAN-COMMON-MIB.my file was updated to support new object identifiers (OID) to poll interface use via SNMP with table identifiers.
Addressed
11.2.4
PAN-262340
Fixed an issue where FQDN resolution failed for address objects, and all FQDN traffic was denied by the interzone-default policy rule.
Addressed
11.2.4
PAN-262254
Fixed an issue where the firewall experienced an OOM condition and the useridd process stopped responding, which caused the firewall to drop interfaces from their respective aggregate groups.
Addressed
11.2.4
PAN-261489
Fixed an issue where an out-of-memory (OOM) condition caused a firewall outage.
Addressed
11.2.4
PAN-260662
Fixed an issue where large file downloads were slower than expected when private IP address visibility was enabled.
Addressed
11.2.4
PAN-260512
Fixed an issue where accessing the IP address of the device address group objects from the user interface caused the configd process to stop responding.
Addressed
11.2.4
PAN-260316
Fixed an issue where the all_task process stopped responding and the firewall rebooted.
Addressed
11.2.4
PAN-259910
Fixed an issue where the firewall reported the same value over consecutive SNMP polls when asynchronous mode was enabled.
Addressed
11.2.4
PAN-259767
Fixed an issue where GlobalProtect users were unable to connect when the option Block sessions if the certificate was not issued to the authenticating device was enabled in the certificate profile.
Addressed
11.2.4
PAN-259002
Fixed an issue where frequent external dynamic list updates caused the configd process to restart.
Addressed
11.2.4
PAN-257736
( PA-5450 firewalls only ) Fixed an issue where traffic to benign applications was was impacted by holding TCP sequential segments for MLC inspection and not releasing the full chain after a benign verdict was received.
Addressed
11.2.4
PAN-257601
( PA-5450 firewalls only ) Fixed an issue where Networking Cards (NC) experienced an internal link fault which caused path monitoring failure on the Dataplane Processing Card (DPC).
Addressed
11.2.4
PAN-257327
( PA-5440 firewalls only ) Fixed an issue where a failover event occurred unexpectedly on the firewall.
Addressed
11.2.4
PAN-256077
Fixed an issue where the GlobalProtect client would disconnect consistently due to keep-alive timeouts when using an SSL-only tunnel.
Addressed
11.2.4
PAN-254704
( LSVPN Portal firewalls in active/passive HA configurations only ) Fixed an issue where the satellite cookie key did not sync between LSVPN portal HA firewalls, which resulted in re-authentication of satellites with the portal during the event of HA failover.
Addressed
11.2.4
PAN-251973
Fixed an issue where the firewall did not detect evasions due to TCP checksum offloading not being enabled.
Addressed
11.2.4
PAN-250394
Fixed an issue where a large amount of group data caused serialization errors and prevented synchronization.
Addressed
11.2.4
PAN-250371
Fixed an issue where the logrcvr process stopped responding, which caused commits to fail with the error message Management server failed to send phase 1 to client logrcvr .
Addressed
11.2.4
PAN-240990
Fixed an issue where l3svc.py displayed incorrect logs.
Addressed
11.2.4
PAN-239952
( Firewalls in active/passive HA configurations only ) Fixed an issue where HA sync messages from the active firewall took longer than expected to reach the passive firewall.
Addressed
11.2.4
PAN-230893
Added a CLI command to address an issue where system lock files blocked authentication.
Addressed
11.2.4
PAN-230825
Fixed an issue where link flaps occurred on Panorama appliances in HA configurations.
Addressed
11.2.4
PAN-225213
Fixed an issue where Push All Changes displayed changes that were already committed in the push scope for another device group after performing a selective commit and selective push to the first device group.
Addressed
11.2.4
PAN-222542
( PA-7000 Series firewalls only ) Fixed an issue where Log Forward Cards (LFC) were incorrectly identified as distribution policies, which caused packet loss due to traffic, BFD, and other control packets being forwarded to the LFC.
Addressed
11.2.4
PAN-214773
Fixed an issue where RTP packets traversing inter-vsys were dropped on the outgoing vsys.
free-Counters.org