Upgrade/Downgrade Considerations

Upgrade/downgrade considerations for PAN-OS 10.2.
The following table lists the new features that have upgrade or downgrade impact. Make sure you understand all upgrade/downgrade considerations before you upgrade to or downgrade from a PAN-OS 10.2 release. For additional information about PAN-OS 10.2 releases, refer to the PAN-OS 10.2 Release Notes.
Feature
Upgrade Considerations
Downgrade Considerations
Managed Firewall Traffic to Panorama
Upgrade Considerations: PAN-OS 10.2 uses TLS version 1.3 to encrypt the service certificate and handshake messages between Panorama, managed firewalls, and Dedicated Log Collectors. As a result, the App-ID traffic between Panorama, managed firewalls, and Dedicated Log Collectors is reclassified from panorama to ssl.
A Security policy rule that allows the ssl application is therefore required so that Panorama, managed firewalls, and Dedicated Log Collectors can continue to communicate after a successful upgrade to PAN-OS 10.2. Review the Ports Used for Panorama for more information on the destination ports required for managed device communication with Panorama.
Downgrade Considerations: Downgrading from PAN-OS 10.2 to an earlier PAN-OS release requires you to modify the Security policy rule to remove the ssl application from the application list.
Cloud Identity Engine
Upgrade Considerations: After upgrading to PAN-OS 10.2.9, users can use the Cloud Identity Engine to select groups based on the subdomain to synchronize with firewalls. When the firewall is upgraded to PAN-OS 10.2.9, subdomain information is stored locally on the firewall.
Downgrade Considerations: When a firewall is downgraded from PAN-OS 10.2.9 to an earlier version, the firewall no longer monitors the subdomain information for the Cloud Identity Engine.
If you have selected a subdomain in the Cloud Identity Engine, after the downgrade the firewall no longer receives group membership changes that are synchronized with Cloud Identity Engine.
If you have not selected a subdomain, the firewall continues to receive group membership changes that are synchronized with Cloud Identity Engine.
When a customer downgrades a firewall from PAN-OS 10.2.9 to an earlier version, the firewall displays a warning in the logs:
"This firewall has groups synchronized from Cloud Identity Engine. Any subDomain groups will not be supported upon downgrading."
Groups learned from sources other than Cloud Identity Engine are not impacted. The firewall removes the outdated group membership data, which causes the firewall to contact the Cloud Identity Engine to gather the latest data after downgrading. The time needed to collect the new data varies with the number and size of the groups. After this synchronization, you do not need to take further action to keep group memberships updated; they are refreshed according to the synchronization interval defined on the firewall.
Authenticate LSVPN Satellite with Serial Number and IP Address Method
(PAN-OS 10.2.8 and later 10.2 releases)
Upgrade Considerations: PAN-OS stores the configuration changes in the database internally. Therefore, the latest saved configuration is applied when you upgrade to this feature.
After you upgrade from PAN-OS 10.0 or earlier releases to PAN-OS 10.1 and later releases (with the Username/password and Satellite Cookie Authentication method enabled), if the satellite cookie authentication expires, the login fails.
In this case, you should enter the username and password for successful authentication.
After you upgrade from PAN-OS 10.0 or earlier releases, or from PAN-OS 10.1 and later releases, to PAN-OS 10.2.8, consider the following:
  • If you have disabled the Serial Number and IP Address Authentication method and the Satellite Cookie Authentication expires, the login fails. In this case, the administrator should enter the username and password for successful authentication.
  • If you have enabled the Serial Number and IP Address Authentication method, and the satellite serial number is registered with the GlobalProtect portal and the IP address is present in the IP allow list, the login succeeds.
  • If you have enabled the Serial Number and IP Address Authentication method, but the satellite serial number is not registered with the GlobalProtect portal or the IP address is not present in the IP allow list, the login fails. In this case, the firewall does not fall back to any other authentication method and the result is an authentication failure. After an authentication failure, the satellite waits until the configured retry interval has elapsed before attempting to authenticate again. Ensure that the satellite serial number is registered with the portal correctly and the satellite IP address is present in the IP allow list for successful authentication.
Downgrade Considerations:
  • If you downgrade to PAN-OS 10.1 and later releases, only the Username/password and Satellite Cookie Authentication method is supported.
  • If you download and install a minor version of the plugin and then decide to downgrade to another minor version of the same release, the configuration made on the minor version before the downgrade takes effect on the downgraded minor version of the same release.
    PAN-OS stores the configuration changes in the database internally. Therefore, the latest saved configuration is applied when you downgrade from this feature.
    For example, suppose you have installed SD-WAN plugin 10.2.10 with one configuration (configuration 1) and then decide to downgrade to another minor version of the same release, 10.2.9, which had a different configuration (configuration 2). In this case, the configuration of the minor version before the downgrade, that is, configuration 1, takes effect on the downgraded minor version, 10.2.9.
If you downgrade to PAN-OS releases earlier than 10.1, only the serial number-based authentication method is supported.
Advanced Routing
Upgrade Considerations: None.
Downgrade Considerations: If you downgrade from PAN-OS 10.2.5 or 10.2.4-h2 to a previous version, you must remove the SD-WAN virtual interface (VIF) from the logical router configurations before attempting a downgrade procedure.
That is, you must select a different interface instead of the SD-WAN VIF interface in the following Logical Router configurations:
  • Select Logical Router > General > Interface and specify a different Interface.
  • Select Logical Router > Static and specify a different Interface.
  • Select Logical Router > BGP > Peer Group > Peer and specify a different Interface for Local Address.
Upgrade Considerations: None.
Downgrade Considerations: Downgrading from PAN-OS 10.2 to an earlier PAN-OS release requires that you first downgrade to PAN-OS 10.1.3 or a later PAN-OS 10.1 release. After you successfully downgrade to PAN-OS 10.1.3 or a later PAN-OS 10.1 release, you can continue along your downgrade path to your target PAN-OS release.
Tenant-Level Support for SaaS Policy Recommendations
(PAN-OS 10.2.5 and later 10.2 releases)
Upgrade Considerations: This feature is not available on PAN-OS 11.0.0, 11.0.1, or 11.0.2. Upgrading to PAN-OS 11.0.0, 11.0.1, or 11.0.2 has the same consequences as downgrading from PAN-OS 10.2.5 to an earlier release.
Downgrade Considerations: If you downgrade from PAN-OS 10.2.5 to an earlier release, the PAN-OS firewall administrator is no longer able to import tenant-level policy recommendations. Policy recommendations that were already imported before downgrading are not affected.
Maximum Security Zones for PA-3410, PA-3420, and PA-3430 Firewalls
Upgrade Considerations: None.
Downgrade Considerations: When downgrading from PAN-OS 10.2.3-h3 (which now has a maximum Security zone limit of 200) to a lower PAN-OS release with a maximum Security zone limit of 40, attempting to commit a configuration with more than 40 Security zones is not blocked and fails.
Panorama Plugins
  • AWS Plugin
  • Azure Plugin
  • Kubernetes Plugin
  • Software Firewall Licensing Plugin
  • SD-WAN Plugin
  • IPS Signature Converter Plugin
  • ZTP Plugin
  • Enterprise DLP Plugin
  • Openconfig Plugin
  • GCP Plugin
  • Cisco ACI Plugin
  • Nutanix Plugin
  • VCenter Plugin
Upgrade Considerations: Before you upgrade to PAN-OS 10.2, you must download the Panorama plugin version supported on PAN-OS 10.2 for all plugins installed on Panorama. This is required to successfully upgrade to PAN-OS 10.2. See the list of Compatible Plugin Versions for PAN-OS 10.2 for more information.
(Enterprise DLP) After upgrading Panorama to PAN-OS 10.2, you must install Application and Threats content release version 8520 on all managed firewalls running PAN-OS 10.2 or earlier release. This is required to successfully push configuration changes to managed firewalls leveraging Enterprise DLP that you did not upgrade to PAN-OS 10.2.
(SD-WAN) The Panorama plugin for SD-WAN 2.2 and earlier releases is not supported in PAN-OS 10.2.
Upgrading a Panorama management server to PAN-OS 10.2 when the Panorama plugin for SD-WAN 2.2 or an earlier release is installed causes the SD-WAN plugin to be hidden in the Panorama web interface or causes the SD-WAN configuration to be deleted. In both cases, you are unable to install a new SD-WAN plugin version or uninstall the SD-WAN plugin.
(Enterprise DLP) When upgrading to PAN-OS 10.2.3 from an earlier PAN-OS 10.2 version, you must first download and install the DLP 3.0.2 plugin.
Downgrade Considerations: To downgrade from PAN-OS 10.2, you must download the Panorama plugin version supported on PAN-OS 10.1 and earlier releases for all plugins installed on Panorama. See the Panorama Plugins Compatibility Matrix for more information.
(Enterprise DLP) After downgrading from PAN-OS 10.2.1 and Enterprise DLP plugin 3.0.1 to PAN-OS 10.1.0 and Enterprise DLP plugin 1.0.0, data filtering profiles created on Panorama for non-file inspection are automatically converted into file-based data filtering profiles.
(Enterprise DLP) Loading a Panorama configuration backup that does contain the Shared Enterprise DLP configuration deletes the shared App exclusion filter required to scan non-file based traffic.
VM-Series Firewalls
Upgrade Considerations: When upgrading a VM-Series firewall running PAN-OS 10.1.0, 10.1.1, 10.1.2, 10.1.3, or 10.1.4 in an HA deployment, you must first upgrade the VM-Series plugin to version 2.1.5 before upgrading to PAN-OS 10.2.
Additionally, the upgrade must be performed in the following order.
  1. Upgrade the VM-Series plugin to 2.1.5 on the Active peer.
  2. Upgrade the VM-Series plugin to 2.1.5 on the Passive peer.
  3. Upgrade PAN-OS to 10.2 on the Passive peer.
  4. Upgrade PAN-OS to 10.2 on the Active peer.
Downgrade Considerations: Before downgrading the VM-Series firewall from PAN-OS 10.2 to PAN-OS 10.1.3, you must first downgrade the VM-Series plugin to 2.1.4.
PA-220 and PA-850 Firewalls
Upgrade Considerations: None.
Downgrade Considerations: (PA-220) If downgrading from PAN-OS 10.2.0, 10.2.1, or 10.2.2 to PAN-OS 10.1.7, 10.1.6-h4, or later versions, you must first upgrade the firewall to PAN-OS 10.2.3 or later to avoid a conflict with the system's U-Boot version.
(PA-850) If downgrading from PAN-OS 10.2.0, 10.2.1, or 10.2.2 to PAN-OS 10.1.7 or later, you must first upgrade the firewall to PAN-OS 10.2.3 or later to avoid a conflict with the system's U-Boot version.
PA-5200 Series, PA-7000 Series, WF-500, and WF-500-B Firewalls
Upgrade Considerations: While upgrading to PAN-OS 10.2, the firewall may perform a file system integrity check (FSCK), displaying the following message: RAID log disks check in progress, please wait. The FSCK is required for the upgrade and may take an hour or more. Do not reboot or attempt to install another software release while the FSCK is in progress.
Downgrade Considerations: None.
FIPS-CC
Upgrade Considerations: For Panorama and all managed devices in FIPS-CC mode, you must reset the secure connection status of all FIPS-CC devices and re-onboard any managed device added to Panorama when the device was running a PAN-OS 10.2 release. This applies to:
  • Panorama in FIPS-CC mode
  • Firewalls, Dedicated Log Collectors, and WildFire appliances in FIPS-CC mode added to Panorama while running a PAN-OS 10.2 release using the device registration authentication key
This does not apply to managed devices added to Panorama management when the device was running PAN-OS 10.0 or an earlier release.
Downgrade Considerations: None.
Panorama Management of Multi-Vsys Firewalls
Upgrade Considerations: Before upgrading a Panorama managed multi-vsys firewall to PAN-OS 10.2:
  • Delete or rename any locally configured firewall Shared object that has an identical name to an object in the Panorama Shared configuration. Otherwise, configuration pushes from Panorama fail after the upgrade and display the error <object-name> is already in use.
  • Palo Alto Networks recommends that if a multi-vsys firewall is managed by Panorama, then all vsys configurations should be managed by Panorama.
    This helps avoid commit failures on the managed multi-vsys firewall and allows you to take advantage of optimized shared object pushes from Panorama.
All objects in the Panorama Shared location on the multi-vsys firewall are replicated to each vsys.
After you successfully upgrade a managed multi-vsys firewall to PAN-OS 10.2, the firewalls become out-of-sync on Panorama and a full commit and push is required.
On Panorama, select Commit and Push to Devices to push the entire Panorama managed configuration to the multi-vsys firewall before you commit and push any other configuration changes from Panorama.
After upgrading to PAN-OS 10.2, if you preview the changes prior to your Commit, the preview might indicate that shared objects will be deleted during the next configuration push. This is expected because PAN-OS 10.2 removes existing shared objects from individual virtual system (vsys) configs and moves them to the centralized Panorama Shared location.
Downgrade Considerations: Before you downgrade to PAN-OS 10.2 or earlier release, save and export Panorama and firewall configurations.
Multiple Certificate Support for SSL Inbound Inspection
Upgrade Considerations: None.
Downgrade Considerations: If you configure SSL Inbound Inspection policy rules with multiple certificates and later downgrade from PAN-OS 10.2 to an earlier PAN-OS version, the policy rule on the downgraded firewall inherits only the first certificate from the alphabetically sorted list of certificates.
Before downgrading, we recommend setting up a different template or device group for firewalls running PAN-OS 10.1 and earlier to ensure you push the correct policy rule and certificate to these firewalls.
Certificate Management
Upgrade Considerations: You must generate or import all new certificates with the following minimum requirements for PAN-OS 10.2.
  • RSA 2048 bits or greater, or ECDSA 256 bits or greater
  • Digest of SHA256 or greater
This is required to continue using Captive Portal authentication and to avoid the errors that the new PAN-OS 10.2 minimum certificate requirements produce for existing certificates that use a SHA1 or MD5 digest or a key shorter than 2048 bits.
Downgrade Considerations: None.
Scheduled Config Push
Upgrade Considerations: None.
Downgrade Considerations: If you created a Scheduled Config Push (Panorama > Scheduled Config Push) to managed firewalls from Panorama to include the configuration changes of multiple Panorama administrators, you must remove the additional administrators from the Admin Scope of the Scheduled Config Push.
Downgrade from PAN-OS 10.2 is blocked if the Admin Scope of a Scheduled Config Push includes multiple administrators.
IKE Crypto Profiles and IPSec Crypto Profiles
Upgrade Considerations: If you have configured an IKE crypto profile or IPSec crypto profile to use des together with another encryption algorithm, PAN-OS uses the alternate encryption algorithm after upgrading to PAN-OS 10.2.0. If des is the only encryption method, PAN-OS updates the encryption method to 3des after upgrading to PAN-OS 10.2.0.
Downgrade Considerations: After downgrading from PAN-OS 10.2 to a previous version, if you have configured Group 15, Group 16, or Group 21 as the encryption algorithm, that group is reconfigured to the next highest group. For example, if the configuration uses Group 21 after upgrading, then after downgrading, PAN-OS uses Group 20.
URL Filtering Inline ML
Upgrade Considerations: In PAN-OS 10.2, the Inline ML tab in URL Filtering profiles is renamed Inline Categorization.
If inline ML was configured before upgrading, then local inline categorization is automatically enabled after upgrading.
To configure local inline categorization, add or select a URL Filtering profile (Objects > Security Profiles > URL Filtering), click Inline Categorization, and Enable local inline categorization.
The option to define a policy action for inline ML models is removed in PAN-OS 10.2. The upgrade removes the previously defined actions, and the firewall enforces the actions configured in the global URL category settings (Objects > Security Profiles > URL Filtering > Categories).
Before upgrading a Panorama management server to PAN-OS 10.2, verify that managed firewalls with inline categorization enabled are running PAN-OS 10.1.5 or a later release. This ensures the proper transformation of the firewall configurations, preventing push failures.
Downgrade Considerations: Downgrading PAN-OS 10.2 to an earlier version reverts the Inline Categorization tab in URL Filtering profiles to Inline ML.
If cloud or local inline categorization was configured before downgrading, then inline ML, including the JavaScript Exploit Detection and Phishing Detection ML models, is automatically enabled after downgrading.
To configure inline ML, select Objects > Security Profiles > URL Filtering, and click Inline ML.
Configuration pushes from a Panorama management server to managed firewalls with inline categorization enabled fail if:
  • Panorama is running PAN-OS 10.2 and the managed firewall is downgraded to PAN-OS 10.1.4 or an earlier PAN-OS 10.1 release.
  • Panorama is running PAN-OS 10.2 and the managed firewall is downgraded to a PAN-OS 10.0 release.
  • Panorama and managed firewalls are downgraded to PAN-OS 10.1.4 or earlier PAN-OS 10.1 releases.
  • Panorama is downgraded to PAN-OS 10.1.4 or an earlier PAN-OS 10.1 release and the managed firewalls are downgraded to a PAN-OS 10.0 release.
  • Panorama and managed firewalls are downgraded to a PAN-OS 10.0 release.
Workaround: To avoid push failures, downgrade to PAN-OS 10.1.5 or a later PAN-OS 10.1 release.
Advanced Threat Prevention Inline Cloud Analysis
Upgrade Considerations: None.
Downgrade Considerations: Upon downgrade to PAN-OS 10.1 or earlier versions, the Advanced Threat Prevention license still displays on the firewall; however, Inline Cloud Analysis functionality is not present. All other Threat Prevention features in the downgrade release function normally.
Dynamic User Groups and User-ID
Upgrade Considerations: None.
Downgrade Considerations: After downgrading from PAN-OS 10.2.0 to a previous version, the firewall clears all User-ID mappings and dynamic user group tags. After downgrading, the firewall must relearn the mappings from the sources and you must recreate the tags for the dynamic user groups; until this occurs, the firewall cannot enforce security policy for these mappings or dynamic user groups as a source.
Security Policy Rules
Upgrade Considerations: None.
Downgrade Considerations: After you enable Wildcard Top Down Match Mode and commit, this mode is not backward compatible. If you subsequently downgrade to an earlier release, the downgrade can break Security policy rules and affect traffic. Also, the increase in the number of wildcard address objects supported is not backward compatible with any earlier release that has a limit of 1,000 entries. Back up your configuration before downgrading.
Administrator-Level Push
Upgrade Considerations: After you upgrade to PAN-OS 10.2, select Commit and Push to Devices to push the entire Panorama managed configuration to your managed firewalls.
This is required to push selective configuration to your managed devices and leverage the improved shared configuration object management for multi-vsys firewalls managed by Panorama.
Downgrade Considerations: None.
User-ID
Upgrade Considerations:
  • To improve security and reduce the risk of vulnerabilities, the default TLS version that the firewall uses is upgraded to TLS version 1.3 when you upgrade to PAN-OS 10.2 from a previous version.
  • The name of the application the firewall uses for User-ID changes from "paloalto-userid-agent" to "ssl" when you upgrade to PAN-OS 10.2 from a previous version. If you have any security policy rules to allow traffic for "paloalto-userid-agent", you must update them to allow traffic for "ssl" instead and commit the changes to the configuration. This change also applies to the traffic logs.
Downgrade Considerations:
  • When you downgrade from PAN-OS 10.2 to a previous version, the firewall uses TLS 1.2 by default instead of TLS 1.3.
  • The name of the application the firewall uses for User-ID changes from "ssl" to "paloalto-userid-agent" when you downgrade from PAN-OS 10.2 to a previous version. If you have any security policy rules to allow traffic for "ssl", you must update them to allow traffic for "paloalto-userid-agent" instead and commit the changes to the configuration. This change also applies to the traffic logs.
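A pre-change audit of a config export covering the App-ID reclassification rows above (Managed Firewall Traffic to Panorama and User-ID), the first-certificate rule from the SSL Inbound Inspection row, and the 40-zone limit from the PA-3410/PA-3420/PA-3430 row, as an added Python example that is not Palo Alto Networks code. The XML element layout, the rule and certificate names, and the zone count are constructed assumptions modelled loosely on a PAN-OS configuration export; check the element paths against your own export before relying on the result.

```python
"""Pre-change audit of a constructed PAN-OS config export against three items
on this page: the panorama / paloalto-userid-agent to ssl reclassification,
the first-certificate rule for SSL Inbound Inspection on downgrade, and the
40-zone limit below PAN-OS 10.2.3-h3 on PA-3410/3420/3430 firewalls."""
import xml.etree.ElementTree as ET

# App-IDs the page says are reclassified to "ssl" in PAN-OS 10.2.
LEGACY_APPS = {"panorama", "paloalto-userid-agent"}
# Security zone limit of the lower release quoted on the page.
DOWNGRADE_ZONE_LIMIT = 40

# Constructed sample. The element layout is an assumption modelled on the
# general shape of a PAN-OS XML config, not an export from a real device.
ZONES = "".join(f'<entry name="zone{i}"/>' for i in range(45))
SAMPLE_CONFIG = f"""<config><devices><entry name="localhost.localdomain">
<vsys><entry name="vsys1"><zone>{ZONES}</zone><rulebase>
 <security><rules>
  <entry name="allow-panorama"><application><member>panorama</member></application></entry>
  <entry name="allow-userid"><application><member>paloalto-userid-agent</member>
   <member>ssl</member></application></entry>
  <entry name="allow-web"><application><member>web-browsing</member></application></entry>
 </rules></security>
 <decryption><rules>
  <entry name="inbound-www"><type><ssl-inbound-inspection><certificates>
   <member>www-rsa</member><member>www-ecdsa</member><member>api-cert</member>
  </certificates></ssl-inbound-inspection></type></entry>
 </rules></decryption>
</rulebase></entry></vsys></entry></devices></config>"""


def load_config(xml_text=SAMPLE_CONFIG):
    return ET.fromstring(xml_text)


def rules_missing_ssl(root):
    """Upgrade check: rules that allow a legacy app but not ssl stop passing
    Panorama and User-ID agent traffic once the App-ID is reclassified."""
    hits = []
    for rule in root.findall(".//rulebase/security/rules/entry"):
        apps = {m.text for m in rule.findall("application/member")}
        if apps & LEGACY_APPS and "ssl" not in apps:
            hits.append(rule.get("name"))
    return hits


def surviving_inbound_certs(root):
    """Downgrade check: for each SSL Inbound Inspection rule with several
    certificates, return the one kept (first alphabetically) and those dropped."""
    report = {}
    for rule in root.findall(".//rulebase/decryption/rules/entry"):
        members = rule.findall(".//ssl-inbound-inspection/certificates/member")
        certs = sorted(m.text for m in members)
        if len(certs) > 1:
            report[rule.get("name")] = (certs[0], certs[1:])
    return report


def zones_over_limit(root, limit=DOWNGRADE_ZONE_LIMIT):
    """Downgrade check: number of zones above the lower release's limit."""
    return max(0, len(root.findall(".//vsys/entry/zone/entry")) - limit)
```

Run the three checks against a real export before the upgrade (rules_missing_ssl) and before the downgrade (the other two) so that rule changes, certificate pruning and zone reductions are planned rather than discovered at commit time.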