The earliest recollection of this bug is traced back to PAN-OS 10.1.0 - July 22, 2025. This bug is fixed in PAN-OS versions 10.1.3. If you have configured a virtual system as a User-ID hub and a firewall that receives IP address-to-username mapping from the hub has a security policy that includes a QoS policy rule, the firewall does not match the user to the QoS policy rule if the traffic attempts to access a virtual system that is not the hub. Fixed an issue where, when you configured a virtual system (vsys) as a User-ID hub, and a firewall that receives IP address-to-username mapping from the hub had a Security policy that includes a QoS policy rule, the firewall did not match the user to the QoS policy rule if the traffic attempted to access a vsys that was not the hub. For more information: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-release-notes/pan-os-10-1-0-known-and-addressed-issues/pan-os-10-1-0-known-issues https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-release-notes/pan-os-10-1-1-known-and-addressed-issues/pan-os-10-1-1-known-issues https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-release-notes/pan-os-10-1-2-known-and-addressed-issues/pan-os-10-1-2-known-issues https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-release-notes/pan-os-10-1-3-known-and-addressed-issues/pan-os-10-1-3-addressed-issues