Downgrading the Panorama management server and managed firewalls that currently leverage features that were introduced in PAN-OS 10.0.3 (or later version) or SD-WAN plugin 2.0.1 (or later version) can cause stability issues if you downgrade from the following versions:

Workaround

: Before you upgrade to PAN-OS 10.0.3 or SD-WAN plugin 2.0.1, save and export your Panorama and firewall configurations. Then, if you need to downgrade PAN-OS or the SD-WAN plugin to a previous version:

If you did not export and save a Panorama and managed firewall configuration prior to upgrading to PAN-OS 10.0.3 or SD-WAN plugin 2.0.1, then— before you can successfully downgrade to PAN-OS 10.0.2 (or an earlier version) or SD-WAN plugin 2.0.0—you must remove any feature options or configurations that were introduced in PAN-OS 10.0.3 or in SD-WAN plugin 2.0.1.

You must uninstall Enterprise DLP before you can successfully downgrade from PAN-OS 10.0 to an earlier release. For Panorama managed firewalls leveraging Enterprise DLP, see Uninstall the Enterprise DLP Plugin on Panorama.

For Panorama managed firewalls and firewalls not managed by Panorama that are not leveraging Enterprise DLP, access the firewall CLI and uninstall Enterprise DLP.

If you downgrade from SD-WAN Plugin 2.0.1 to an older Plugin release, the VPN Cluster does not support a mesh configuration or a DDNS configuration. If you had a VPN mesh configuration, you must move the cluster to a Hub-Spoke configuration, configure a hub if you didn't have one, click the button to 

Remove DDNS Configuration

, commit on Panorama, and push the configuration to devices.  If you cannot change the VPN cluster to Hub-Spoke, you must delete the entire cluster, commit on Panorama, and push the configuration to devices before downgrading. 

After a successful downgrade to PAN-OS 9.1, querying threat logs using a

name-of-threatid

return no results for up to 24 hours. After which, queries using the

name-of-threatid

filter start to return results for logs generated in PAN-OS 9.1 and earlier releases. However, you cannot query logs using this filter for logs generated in PAN-OS 10.0. No action is required on your part.

When you create a new Layer 3 interface in PAN-OS 10.0.3 or 10.0.4 and then downgrade to PAN-OS 9.1.x, the downgrade fails with the message “Upstream NAT not supported in older version,” whether or not SD-WAN is configured on the firewall.

Workaround

: After you create a Layer 3 interface in PAN-OS 10.0.3 or 10.0.4, to downgrade to PAN-OS 9.1.x, performs the following steps:

Downgrading from PAN-OS 10.0.1 to an earlier version removes the Bonjour Reflector option from the Layer 3 (L3) and Aggregated Ethernet (AE) interface configuration.

On downgrade from PAN-OS 10.0, the SCP server profile is deleted and prevent the scheduled dynamic update from successfully uploading content updates to the SCP server.

The firewall blocks a downgrade from PAN-OS 10.0 if HA cluster participation is enabled.

The firewall blocks a downgrade from PAN-OS 10.0 if any HA path monitoring groups contain multiple destination IP groups.

If you downgrade from PAN-OS 10.0.0 to 9.1, a commit error occurs if the HA1 interface isn’t configured.

Workaround:

You can either select the 9.1 configuration you were using before you upgraded to 10.0, or, before you downgrade to 9.1, you can use the CLI configuration command to configure the HA1 interface (

set deviceconfig high-availability interface ha1

) and commit.

On downgrade from PAN-OS 10.0, any users other than the admin configured on the Dedicated Log Collector or WildFire 500 appliance are deleted when downgraded from the Panorama™ management server.

If you downgrade the Dedicated Log Collector or WildFire 500 appliance from the CLI, Panorama still displays all the previously configured user accounts but none will be able to log in to the CLI.

Before downgrading the firewall, run the following CLI command to check the flash drive’s status:

debug system disk-smart-info disk-1

.

If the value for attribute ID #232,

Available_Reservd_Space 0x0000

, is greater than 20, then proceed with the downgrade. If the value is less than 20, then contact support for assistance.

Custom signatures in the new threat ID range (6800001-7000000) prevent downgrade. The firewall issues a warning to export and remove the offending signatures.

Custom signatures that use the newly supported syntax but are not in the new threat ID range do not prevent downgrade. After downgrade, these signatures cease to function. Subsequent commits fail until you remove them.

If you configured more than eight AE interface groups and you subsequently want to downgrade to a PAN-OS release earlier than 10.0, you must first edit your configuration so that it has only AE interface groups 1 through 8.

If you downgrade from PAN-OS 10.0 to 9.1 or push a configuration change from Panorama running PAN-OS 10.0 to a firewall running PAN-OS 9.1, the new security categories are removed from the anti-spyware profile and replaced with a single DNS Security source (Palo Alto Networks DNS Security), and the policy action is redefined based on the following mapping:

None.

None.

All syslog forwarding is reverted back to the management interface on downgrade from PAN-OS 10.0.

The Panorama management server may experience performance impacts when performing configuration changes, commits, and pushes to managed firewalls if the configuration size exceeds 80MB.

If you downgrade to an earlier version of PAN-OS, the device automatically reverts the encryption algorithm to a level that the downgraded PAN-OS version supports. The device also automatically re-encrypts encrypted data using that encryption level to ensure that the device can decrypt and use the data as needed. For example, if your device is on PAN-OS 10.0 and uses the AES-256-GCM encryption algorithm (which is not supported on earlier versions of PAN-OS), and you downgrade to PAN-OS 9.1, then the device re-encrypts the encrypted data to AES-256-CBC, which is supported in PAN-OS 9.1.

None.

None.

On downgrade to PAN-OS 9.1 or earlier releases, firewalls managed by a Panorama management server associated with a child device group do not receive IP-tag mappings from Panorama.

None.

None.

None.

On the Panorama management server, you are unable to commit any configuration changes after you successfully downgrade from PAN-OS 10.0 to PAN-OS 9.1 or earlier release due to custom admin roles (

Panorama

Admin Roles

) configured on Panorama.

Workaround:

Log in to the Panorama CLI and load the running config

When you have an active/passive HA pair of PA-3200 Series firewalls running PAN-OS 10.0.1 with NAT configured, if you downgrade one firewall to PAN-OS 10.0.0, the firewall goes to non-functional state due to a NAT oversubscription mismatch between the HA peers. The downgraded firewall goes to non-functional state because PAN-OS 10.0.0 and 10.0.1 have different default NAT oversubscription rates.

Workaround

: After a downgrade, modify the NAT oversubscription rate on one firewall so that the rates on the HA pair match.

None.