PAN-275077 is this bug still affected in 11.1.10-h1?

V.Sambath — Wed, 15 Apr 2026 10:44:05 GMT

I am currently observing behavior where both Sinkhole and Alert actions are being logged simultaneously for the same malicious domain.

When performing an nslookup from the affected endpoint, the domain resolves correctly to the Sinkhole IP, which indicates that the sinkhole functionality is working as expected. However, I continue to see “Alert” logs being generated.

I have also attempted increasing the DNS timeout to 200 ms, but the behavior persists.

Could anyone please confirm if PAN-275077 is still present in recent 11.1.0-h1 PAN-OS versions, or if this issue is resurfacing under a different bug ID?

Re: PAN-275077 is this bug still affected in 11.1.10-h1?

JayGolf — Thu, 07 May 2026 01:32:17 GMT

Hi @V.Sambath ,

Yes, PAN-275077 would still apply to 11.1.0-h1, since the fix was introduced in later 11.1.7-h2/11.1.8 and later. I’d recommend upgrading to a fixed/preferred 11.1 release, such as 11.1.13-h3 (Please review the release notes before doing any upgrade).

topic Re: PAN-275077 is this bug still affected in 11.1.10-h1? in Next-Generation Firewall Discussions

PAN-275077 is this bug still affected in 11.1.10-h1?

Re: PAN-275077 is this bug still affected in 11.1.10-h1?