Verify the SD-WAN device configuration after upgrading your SD-WAN plugin version that your Panorama HA pair or standalone Panorama
management server is running.
After the upgrade, you must conduct the below checks before
committing the changes to Panorama:
Verify that the Router Name is configured (PanoramaSD-WANDevices) for each SD-WAN device in the VPN cluster.
The Router Name configuration is supported from SD-WAN plugin 3.1.0 and later releases.
Verify that the BGP (PanoramaSD-WANDevices) is enabled for each SD-WAN device in the VPN
cluster. Ensure that the same BGP address family (IPv4
BGP or IPv6 BGP) is enabled which was
configured before the upgrade. IPv6 is supported from SD-WAN
plugin 3.1.1 and later releases. Therefore, the upgraded plugin will contain
the IPv6 option only if you are upgrading from SD-WAN 3.1.1
or later releases.
Verify if the same VPN Authentication type (Pre Shared
Key or Certificate) is enabled (PanoramaSD-WANDevicesVPN Tunnel) which was configured before the upgrade. The
Certificate authentication type is supported from SD-WAN plugin 3.2.0 and later releases. Therefore, the
upgraded plugin will contain the VPN Authentication type (Pre
Shared Key or Certificate) only if
you are upgrading from SD-WAN plugin 3.2.0 or later releases.
After the upgrade (on Panorama HA pair or standalone Panorama), the following changes can
be seen:
You will no longer see the zone tabs in PanoramaSD-WANDevices for the added SD-WAN device. Therefore, you must
create the Security policy rules between existing and predefined zones
(zone-to-branch, zone-to-hub, zone-internet, and zone-internal).
In a full mesh VPN cluster, the branch with the lower serial number will be used as
an IKE initiator. In case of upstream NAT, both inbound and outbound NAT should be
present on the NAT device, when inbound NAT is not present PLUG-15276 will be
seen.
MongoDB Synchronization Status with SD-WAN Database
Collections
With some SD-WAN plugin versions, the SD-WAN
database collections in MongoDB could go out of synchronization, which is a known
issue. Hence, you may need to perform additional steps in the upgrade procedure when
upgrading to a latest SD-WAN plugin version from any earlier
versions.
The following table provides whether the SD-WAN MongoDB
collections will be in sync or not with respect to the SD-WAN plugin
versions (that are tested).
S.No
Compatible PAN-OS Software Version with SD-WAN
Plugin Version
