Downgrade Scenario

This section provides details on downgrade scenarios with the HCS feature.
Downgrade is restricted if an HCP is used in a Security Policy or in a HIP Notification on the gateway.
After you disable the HCS, you can follow the standard procedure to downgrade PAN-OS to the desired version. Note the following before you downgrade a PAN-OS version with HCS to a lower version:
  • You cannot disable the HCS if any HCP is actively being used in a Security Policy. You must first remove the HCP from all associated security rules before you can disable the service.
  • You cannot create an HCP or HCO if any other object in the group already exists with the exact same name.
  • An HCP cannot be deleted if it is actively assigned to a HIP Notification. You must first remove the HCP from the HIP Notification before you can delete it.
  • An HCP cannot be deleted while it is being referenced in any Security Policy. You must first remove the HCP from every security rule that uses it.
[Figure: Downgrade Restriction due to HCP used in HIP Notification]
[Figure: Downgrade Restriction due to HCO used in HIP Notification]
[Figure: Downgrade Restriction due to HCP in Security Policy]
When you push a configuration from Panorama to a firewall running a PAN-OS version that does not support the HCS, you can expect the following behavior:
  • Any existing HCPs and HCOs will be deleted from the firewall's configuration during the push operation. The same applies to the Cloud Redistribution Agent configuration.
  • The commit and push fail if an HCP is still actively used in any security policy or HIP notification.
To ensure a successful downgrade and prevent configuration failures, perform the following actions before you proceed with the downgrade:
  • In your security policy, remove any rules that use an HCP for enforcement.
  • In your GlobalProtect HIP notifications, remove any references to HCPs.