BugZero | Palo Alto Networks BugID PAN-186937 - Fixed an issue where the firewall dropped packets ...

OPERATIONAL DEFECT DATABASE

...

BugZero | Palo Alto Networks BugID PAN-186937 - Fixed an issue where the firewall dropped packets ...

Palo Alto Networks - Defect ID: PAN-186937

Fixed an issue where the firewall dropped packets decrypted using the SSL Decryption feature and Encapsulating Security Payload (ESP) IPSec packets that originated from the same firewall. This occurred when Strict IP Address Check was enabled in the zone protection profile (Packet Based Attack > IP Drop) and the packet's source IP address was the same as the egress interface address.

Palo Alto Networks - Defect ID: PAN-186937

Fixed an issue where the firewall dropped packets decrypted using the SSL Decryption feature and Encapsulating Security Payload (ESP) IPSec packets that originated from the same firewall. This occurred when Strict IP Address Check was enabled in the zone protection profile (Packet Based Attack > IP Drop) and the packet's source IP address was the same as the egress interface address.

Last updated on August 6th, 2025

BugZero Risk Score
9.8 High

Overall: 9.8

Severity: 10.0

Community: 8.3

Lifecycle: 10.0

What is the BugZero Risk Score?

Palo Alto Networks Integration

Learn more about where this data comes from

Palo Alto Networks Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Description

Overview

Fixed an issue where the firewall dropped packets decrypted using the SSL Decryption feature and Encapsulating Security Payload (ESP) IPSec packets that originated from the same firewall. This occurred when **Strict IP Address Check** was enabled in the zone protection profile (**Packet Based Attack > IP Drop**) and the packet's source IP address was the same as the egress interface address.

Impact

packet drop on SSL decryption and ESP IPsec on the same FW

root_cause

The bug was caused when strict IP was on and packet source IP == egress IP. This caused packets, like ESP and SSL decrypt for example, to be erroneously dropped"

workaround

Disable the Strict IP Address Check option in the Zone Protection profile. Alternatively, downgrade to 9.1.11 or earlier or upgrade to 10.0.0 or later if you want to enable the Strict IP Address Check.

Change history

No changes to display

2025-07-22 Added: 9.1.10, 9.1.7, 9.1.3, 9.1.5, 9.1.11, 9.1.9, 9.1.2, 9.1.6, 9.1.4, 9.1.0, 9.1.1, 9.1.8

Links

Relevant Products

Click on a version to see all relevant bugs

Affected versions:9.1.1, 9.1.11, 9.1.9, 9.1.2, 9.1.0, 9.1.7, 9.1.4, 9.1.8, 9.1.6, 9.1.10, 9.1.5, 9.1.3

Fixed versions: 9.1.14

Relevant Products

Click on a version to see all relevant bugs

Affected versions:9.1.1, 9.1.11, 9.1.9, 9.1.2, 9.1.0, 9.1.7, 9.1.4, 9.1.8, 9.1.6, 9.1.10, 9.1.5, 9.1.3

Fixed versions: 9.1.14

Top Palo Alto Networks Defects

9.8Defect ID: PAN-221126
Fixed an issue where email server profiles (**Device > Server Profiles > Email and Panorama > Server Profiles > Email**) to forward logs as email notifications were not forwarded in a readable format.
9.8Defect ID: PAN-186937
Fixed an issue where the firewall dropped packets decrypted using the SSL Decryption feature and Encapsulating Security Payload (ESP) IPSec packets that originated from the same firewall. This occurred when **Strict IP Address Check** was enabled in the zone protection profile (**Packet Based Attack > IP Drop**) and the packet's source IP address was the same as the egress interface address.
9.8Defect ID: PAN-189468
Fixed an issue where sessions were dropped with the message `resource-unavailable` due to the content inspection queue filling up.
9.8Defect ID: PAN-219659
Fixed an issue where root partition frequently filled up and the following error message was displayed: `Disk usage for / exceeds limit, xx percent in use, cleaning filesystem`.
9.8Defect ID: PAN-175211
Fixed a memory leak issue in the mgmtsrvr process.

Palo Alto Networks Integration

Learn more about where this data comes from

Palo Alto Networks Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Palo Alto Networks - Defect ID: PAN-186937

Palo Alto Networks - Defect ID: PAN-186937

Last updated on August 6th, 2025

BugZero Risk Score9.8 High

Bug Details

Overview

Impact

root_cause

workaround

Links

Top Palo Alto Networks Defects

Ready to prevent the next vendor outage?

BugZero Risk Score
9.8 High