This section provides details on downgrade scenarios with HCS feature.
Downgrade would be restricted if HCP is used in Security Policy or HIP Notification in
gateway.
After you disable the HCS, you can follow the standard procedure to downgrade
the PAN-OS to the desired version. Note the following before you downgrade the PAN-OS
version with HCS to a lower version:
You cannot disable the HCS if any HCP is actively being used in a Security
Policy. You must first remove the HCP from all associated security rules before
you can disable the service.
You cannot create a HCP or HCO if any other object in the group already exists
with the exact same name.
A HCP cannot be deleted if it is actively assigned to a HIP Notification. You
must first remove the HCP from the HIP Notification before you can delete
it.
A HCP cannot be deleted while it is being referenced in any Security Policy. You
must first remove the HCP from every security rule that uses it.
Downgrade Restriction due to HCP used in HIP Notification
Downgrade Restriction due to HCO used in HIP Notification
Downgrade Restriction due to HCP in Security Policy
When you push a configuration from Panorama to a firewall running a PAN-OS version that
does not support the HCS, you can expect the following behavior:
Any existing HCPs and HCOs will be deleted from the firewall's configuration
during the push operation. The same applies to the Cloud Redistribution Agent
configuration.
The commit and push fails if an HCP is still actively used in any security
policy or HIP notification.
To ensure a successful downgrade and prevent configuration failures, it is recommended
that before you proceed with the downgrade, perform the following actions:
In your security policy, remove any rules that use a HCP for enforcement.
In your GlobalProtect HIP notifications, remove any references to HCPs.
