Upgrade/Downgrade Considerations
Upgrade/downgrade considerations for PAN-OS 10.2.

The following table lists the new features that have upgrade or downgrade impact. Make sure you understand all upgrade/downgrade considerations before you upgrade to or downgrade from a PAN-OS 10.2 release. For additional information about PAN-OS 10.2 releases, refer to the PAN-OS 10.2 Release Notes.
Feature | Upgrade Considerations | Downgrade Considerations |
---|---|---|
Managed Firewall Traffic to Panorama | PAN-OS 10.2 uses TLS version 1.3 to encrypt the service certificate and handshake messages between Panorama, managed firewalls, and Dedicated Log Collectors. As a result, the App-ID of the traffic between Panorama, managed firewalls, and Dedicated Log Collectors is reclassified from panorama to ssl, and a Security policy rule is required to allow the ssl application. This allows Panorama, managed firewalls, and Dedicated Log Collectors to continue communicating after a successful upgrade to PAN-OS 10.2. Review the Ports Used for Panorama for more information on the destination ports required for managed device communication with Panorama. | Downgrading from PAN-OS 10.2 to an earlier PAN-OS release requires you to modify the Security policy rule to remove the ssl application from the application list. |
Cloud Identity Engine | After upgrading to PAN-OS 10.2.9, users can use the Cloud Identity Engine to select groups based on the subdomain to synchronize with firewalls. When the firewall is upgraded to PAN-OS 10.2.9, subdomain information is stored locally on the firewall. | When a firewall is downgraded from PAN-OS 10.2.9 to an earlier version, the firewall no longer monitors the subdomain information for the Cloud Identity Engine. If you have selected a subdomain in the Cloud Identity Engine, after the downgrade the firewall no longer receives group membership changes that are synchronized with the Cloud Identity Engine. If you have not selected a subdomain, the firewall continues to receive group membership changes that are synchronized with the Cloud Identity Engine. When a customer downgrades a firewall from PAN-OS 10.2.9 to an earlier version, the firewall displays a warning in the logs: Groups learned from sources other than the Cloud Identity Engine are not impacted. The firewall removes the outdated group membership data, causing the firewall to contact the Cloud Identity Engine to gather the latest data after downgrading. The amount of time to collect the new data varies depending on the number of groups and the size of the groups. After this synchronization, you do not need to take further action to ensure group memberships remain updated based on the synchronization interval defined on the firewall. |
Authenticate LSVPN Satellite with Serial Number and IP Address Method (PAN-OS 10.2.8 and later 10.2 releases) | PAN-OS stores the configuration changes in the database internally. Therefore, the latest saved configuration is applied when you upgrade to this feature. After you upgrade from PAN-OS 10.0 or earlier releases to PAN-OS 10.1 and later releases (with the Username/password and Satellite Cookie Authentication method enabled), if the satellite cookie authentication expires, it results in a login failure. In this case, enter the username and password for successful authentication. | |
 | After you upgrade from PAN-OS 10.0 or earlier releases, or from PAN-OS 10.1 and later releases, to PAN-OS 10.2.8, consider the following: | If you downgrade to PAN-OS releases earlier than 10.1, only the serial number-based authentication method is supported. |
Advanced Routing | None. | If you downgrade from PAN-OS 10.2.5 or 10.2.4-h2 to a previous version, you must remove the SD-WAN virtual interface (VIF) from the logical router configurations before attempting a downgrade. That is, you must select a different interface instead of the SD-WAN VIF interface in the following Logical Router configurations: |
— | None. | Downgrading from PAN-OS 10.2 to an earlier PAN-OS release requires that you first downgrade to PAN-OS 10.1.3 or a later PAN-OS 10.1 release. After you successfully downgrade to PAN-OS 10.1.3 or a later PAN-OS 10.1 release, you can continue along your downgrade path to your target PAN-OS release. |
Tenant-Level Support for SaaS Policy Recommendations (PAN-OS 10.2.5 and later 10.2 releases) | This feature is not available on PAN-OS 11.0.0, 11.0.1, or 11.0.2. Upgrading to PAN-OS 11.0.0, 11.0.1, or 11.0.2 has the same consequences as downgrading from PAN-OS 10.2.5 to an earlier release. | If you downgrade from PAN-OS 10.2.5 to an earlier release, the PAN-OS firewall administrator is no longer able to import tenant-level policy recommendations. Policy recommendations that were already imported before downgrading are not affected. |
Maximum security zones for PA-3410, PA-3420, and PA-3430 firewalls | None. | When downgrading from PAN-OS 10.2.3-h3 (which now has a maximum Security zone limit of 200) to a lower PAN-OS release with a maximum Security zone limit of 40, attempting to commit a configuration with more than 40 Security zones is not blocked and fails. |
Panorama Plugins | Before you upgrade to PAN-OS 10.2, you must download the Panorama plugin version supported on PAN-OS 10.2 for all plugins installed on Panorama. This is required to successfully upgrade to PAN-OS 10.2. See the list of Compatible Plugin Versions for PAN-OS 10.2 for more information. | To downgrade from PAN-OS 10.2, you must download the Panorama plugin version supported on PAN-OS 10.1 and earlier releases for all plugins installed on Panorama. See the Panorama Plugins Compatibility Matrix for more information. |
 | (Enterprise DLP) After upgrading Panorama to PAN-OS 10.2, you must install Applications and Threats content release version 8520 on all managed firewalls running PAN-OS 10.2 or an earlier release. This is required to successfully push configuration changes to managed firewalls leveraging Enterprise DLP that you did not upgrade to PAN-OS 10.2. | (Enterprise DLP) After downgrading from PAN-OS 10.2.1 and Enterprise DLP plugin 3.0.1 to PAN-OS 10.1.0 and Enterprise DLP plugin 1.0.0, data filtering profiles created on Panorama for non-file inspection are automatically converted into file-based data filtering profiles. |
 | (Enterprise DLP) Loading a Panorama configuration backup that does contain the Shared Enterprise DLP configuration deletes the shared App exclusion filter required to scan non-file-based traffic. | |
 | (SD-WAN) The Panorama plugin for SD-WAN 2.2 and earlier releases is not supported in PAN-OS 10.2. Upgrading a Panorama management server to PAN-OS 10.2 when the Panorama plugin for SD-WAN 2.2 or an earlier release is installed causes the SD-WAN plugin to be hidden in the Panorama web interface or causes the SD-WAN configuration to be deleted. In both cases, you are unable to install a new SD-WAN plugin version or uninstall the SD-WAN plugin. | |
 | (Enterprise DLP) When upgrading to PAN-OS 10.2.3 from an earlier PAN-OS 10.2 version, you must first download and install the DLP 3.0.2 plugin. | |
VM-Series Firewalls | When upgrading a VM-Series firewall running PAN-OS 10.1.0, 10.1.1, 10.1.2, 10.1.3, or 10.1.4 in an HA deployment, you must first upgrade the VM-Series plugin to version 2.1.5 before upgrading to PAN-OS 10.2. Additionally, the upgrade must be performed in the following order. | Before downgrading the VM-Series firewall from PAN-OS 10.2 to PAN-OS 10.1.3, you must first download VM-Series plugin 2.1.4. |
PA-220 and PA-850 Firewalls | None. | (PA-220) If downgrading from PAN-OS 10.2.0, 10.2.1, or 10.2.2 to PAN-OS 10.1.7, 10.1.6-h4, or later versions, you must first upgrade the firewall to PAN-OS 10.2.3 or later to avoid a conflict with the system's U-Boot version. (PA-850) If downgrading from PAN-OS 10.2.0, 10.2.1, or 10.2.2 to PAN-OS 10.1.7 or later, you must first upgrade the firewall to PAN-OS 10.2.3 or later to avoid a conflict with the system's U-Boot version. |
PA-5200 Series, PA-7000 Series, WF-500, and WF-500-B Firewalls | While upgrading to PAN-OS 10.2, the firewall may perform a file system integrity check (FSCK), displaying the following message: "RAID log disks check in progress, please wait." The FSCK is required for the upgrade and may take an hour or more. Do not reboot or attempt to install another software release while the FSCK is in progress. | None. |
FIPS-CC | For Panorama and all managed devices in FIPS-CC mode, you must reset the secure connection status of all FIPS-CC devices and re-onboard any managed device added to Panorama when the device was running a PAN-OS 10.2 release. This applies to: This does not apply to managed devices added to Panorama management when the device was running PAN-OS 10.0 or an earlier release. | None. |
Panorama Management of Multi-Vsys Firewalls | Before upgrading a Panorama managed multi-vsys firewall to PAN-OS 10.2: | All objects in the Panorama Shared location on the multi-vsys firewall are replicated to each vsys. Before you downgrade to PAN-OS 10.2 or an earlier release, save and export the Panorama and firewall configurations. |
 | After you successfully upgrade a managed multi-vsys firewall to PAN-OS 10.2, the firewalls become out-of-sync on Panorama and a full commit and push is required. On Panorama, select Commit and Push to Devices the entire Panorama managed configuration to the multi-vsys firewall before you commit and push any configuration changes from Panorama. After upgrading to PAN-OS 10.2, if you preview the changes prior to your Commit, the preview might indicate that shared objects will be deleted during the next configuration push. This is expected because PAN-OS 10.2 removes existing shared objects from individual virtual system (vsys) configs and moves them to the centralized Panorama Shared location. | |
Multiple Certificate Support for SSL Inbound Inspection | None. | If you configure SSL Inbound Inspection policy rules with multiple certificates and later downgrade from PAN-OS 10.2 to an earlier PAN-OS version, the policy rule on the downgraded firewall inherits only the first certificate from the alphabetically sorted list of certificates. Before downgrading, we recommend setting up a different template or device group for firewalls running PAN-OS 10.1 and earlier to ensure you push the correct policy rule and certificate to these firewalls. |
Certificate Management | You must generate or import all new certificates with the following minimum requirements for PAN-OS 10.2. This is required to continue using Captive Portal authentication and to avoid errors associated with the new minimum certificate requirements in PAN-OS 10.2 for existing certificates that use a SHA1 or MD5 digest or keys shorter than 2048 bits. | None. |
Scheduled Config Push | None. | If you created a Scheduled Config Push (Panorama > Scheduled Config Push) to managed firewalls from Panorama to include the configuration changes of multiple Panorama administrators, you must remove the additional administrators from the Admin Scope of the Scheduled Config Push. Downgrade from PAN-OS 10.2 is blocked if the Admin Scope of a Scheduled Config Push includes multiple administrators. |
IKE Crypto Profiles and IPSec Crypto Profiles | If you have configured an IKE crypto profile or IPSec crypto profile to use des as the encryption algorithm and another encryption algorithm, PAN-OS uses the alternate encryption algorithm after upgrading to PAN-OS 10.2.0. If des is the only encryption method, PAN-OS updates the encryption method to 3des after upgrading to PAN-OS 10.2.0. | After downgrading from PAN-OS 10.2 to a previous version, if you have configured Group 15, Group 16, or Group 21 as the encryption algorithm, that group is reconfigured to the next highest group. For example, if the configuration uses Group 21 after upgrading, then after downgrading, PAN-OS uses Group 20. |
URL Filtering Inline ML | In PAN-OS 10.2, the Inline ML tab in URL Filtering profiles is renamed Inline Categorization. If inline ML was configured before upgrading, then local inline categorization is automatically enabled after upgrading. To configure local inline categorization, add or select a URL Filtering profile (Objects > Security Profiles > URL Filtering), click Inline Categorization, and Enable local inline categorization. The option to define a policy action for inline ML models goes away in PAN-OS 10.2. The upgrade removes the previously defined actions, and the firewall enforces the actions configured in the global URL category settings (Objects > Security Profiles > URL Filtering > Categories). | Downgrading PAN-OS 10.2 to an earlier version reverts the Inline Categorization tab in URL Filtering profiles to Inline ML. If cloud or local inline categorization was configured before downgrading, then inline ML, including the JavaScript Exploit Detection and Phishing Detection ML models, is automatically enabled after downgrading. To configure inline ML, select Objects > Security Profiles > URL Filtering, and click Inline ML. |
 | Before upgrading a Panorama management server to PAN-OS 10.2, verify that managed firewalls with inline categorization enabled are running PAN-OS 10.1.5 or a later release. This ensures the proper transformation of the firewall configurations, preventing push failures. | Configuration pushes from a Panorama management server to managed firewalls with inline categorization enabled fail if: Workaround: To avoid push failures, downgrade to PAN-OS 10.1.5 or a later PAN-OS 10.1 release. |
Advanced Threat Prevention Inline Cloud Analysis | None. | Upon downgrade to PAN-OS 10.1 or earlier versions, the Advanced Threat Prevention license is displayed on the firewall; however, Inline Cloud Analysis functionality is not present. All other Threat Prevention features in the downgrade release function normally. |
Dynamic User Groups and User-ID | None. | After downgrading from PAN-OS 10.2.0 to a previous version, the firewall clears all User-ID mappings and dynamic user group tags. After downgrading, the firewall must relearn the mappings from the sources and you must recreate the tags for the dynamic user groups; until this occurs, the firewall cannot enforce Security policy for these mappings or for dynamic user groups used as a source. |
Security Policy Rules | None. | After you enable Wildcard Top Down Match Mode and commit, this mode is not backward compatible. If you subsequently downgrade to an earlier release, the downgrade can break Security policy rules and affect traffic. Also, the increase in the number of wildcard address objects supported is not backward compatible with any earlier release that has a limit of 1,000 entries. Back up your configuration before downgrading. |
Administrator-Level Push | After you upgrade to PAN-OS 10.2, Commit and Push to Devices the entire Panorama managed configuration to your managed firewalls. This is required to push selective configuration to your managed devices and leverage the improved shared configuration object management for multi-vsys firewalls managed by Panorama. | None. |
User-ID | | |
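Several rows in the table describe conditions you can verify in an exported configuration before scheduling the upgrade or downgrade: Security policy rules that allow only the panorama App-ID (which stops matching once the management traffic is classified as ssl), IKE and IPSec crypto profiles that list des or use DH group 15, 16 or 21, and SSL Inbound Inspection rules carrying more than one certificate. The script below is an added example, not Palo Alto Networks code: it walks a PAN-OS XML configuration with the standard library and reports each condition. The element paths it uses are assumed from the PAN-OS configuration schema (verify them against your own export), and SAMPLE_CONFIG is a constructed fragment, not a real firewall export.

```python
"""Pre-flight checks over an exported PAN-OS configuration before a 10.2 upgrade or downgrade.
Added example, not Palo Alto Networks code: the element paths are assumed from the PAN-OS
configuration schema (verify them against your own export) and SAMPLE_CONFIG is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample (not a real export): one vsys, a rule that only allows the panorama
# App-ID, a multi-certificate inbound inspection rule, and crypto profiles that list des.
SAMPLE_CONFIG = """<config version="10.1.0"><devices><entry name="localhost.localdomain">
<network><ike><crypto-profiles><ike-crypto-profiles>
<entry name="legacy-ike"><encryption><member>des</member></encryption><dh-group><member>group2</member></dh-group></entry>
<entry name="strong-ike"><encryption><member>aes-256-cbc</member><member>des</member></encryption><dh-group><member>group21</member></dh-group></entry>
</ike-crypto-profiles><ipsec-crypto-profiles>
<entry name="legacy-ipsec"><esp><encryption><member>des</member></encryption></esp><dh-group><member>group15</member></dh-group></entry>
</ipsec-crypto-profiles></crypto-profiles></ike></network>
<vsys><entry name="vsys1"><zone><entry name="trust"/><entry name="untrust"/></zone><rulebase>
<security><rules>
<entry name="allow-panorama-mgmt"><application><member>panorama</member></application><action>allow</action></entry>
<entry name="allow-web"><application><member>ssl</member><member>web-browsing</member></application><action>allow</action></entry>
</rules></security><decryption><rules>
<entry name="inbound-web"><type><ssl-inbound-inspection><member>cert-b</member><member>cert-a</member></ssl-inbound-inspection></type></entry>
</rules></decryption></rulebase></entry></vsys></entry></devices></config>"""

VSYS_PATH = "./devices/entry/vsys/entry"      # assumed schema path
NETWORK_PATH = "./devices/entry/network"      # assumed schema path
REMAPPED_DH_GROUPS = {"group15", "group16", "group21"}  # reconfigured on downgrade per the table


def rules_losing_panorama_traffic(root):
    """Allow rules matching the panorama App-ID but neither ssl nor any: once the upgrade
    reclassifies the management traffic as ssl, these rules no longer match it."""
    hits = []
    for vsys in root.iterfind(VSYS_PATH):
        for rule in vsys.iterfind("./rulebase/security/rules/entry"):
            apps = {m.text for m in rule.iterfind("./application/member")}
            if rule.findtext("action") == "allow" and "panorama" in apps and not apps & {"ssl", "any"}:
                hits.append(rule.get("name"))
    return sorted(hits)


def crypto_profiles(root):
    """Yield (kind, name, encryption algorithms, DH groups) for IKE and IPSec crypto profiles."""
    net = root.find(NETWORK_PATH)
    for e in net.iterfind("./ike/crypto-profiles/ike-crypto-profiles/entry"):
        yield ("ike", e.get("name"), [m.text for m in e.iterfind("./encryption/member")],
               [m.text for m in e.iterfind("./dh-group/member")])
    for e in net.iterfind("./ike/crypto-profiles/ipsec-crypto-profiles/entry"):
        yield ("ipsec", e.get("name"), [m.text for m in e.iterfind("./esp/encryption/member")],
               [m.text for m in e.iterfind("./dh-group/member")])


def encryption_after_upgrade(root):
    """Profiles listing des, mapped to what the table says 10.2.0 uses: des alone becomes 3des,
    otherwise des is dropped and the alternate algorithms remain."""
    out = {}
    for kind, name, enc, _ in crypto_profiles(root):
        if "des" in enc:
            alternates = [a for a in enc if a != "des"]
            out[f"{kind}:{name}"] = alternates or ["3des"]
    return out


def dh_groups_remapped_on_downgrade(root):
    """Profiles using group 15, 16 or 21; a downgrade reconfigures these to the next highest group."""
    return {f"{kind}:{name}": sorted(set(dh) & REMAPPED_DH_GROUPS)
            for kind, name, _, dh in crypto_profiles(root) if set(dh) & REMAPPED_DH_GROUPS}


def multi_cert_inbound_inspection(root):
    """SSL Inbound Inspection rules with several certificates, paired with the one certificate
    the downgraded rule keeps (the alphabetically first)."""
    out = {}
    for vsys in root.iterfind(VSYS_PATH):
        for rule in vsys.iterfind("./rulebase/decryption/rules/entry"):
            certs = sorted(m.text for m in rule.iterfind("./type/ssl-inbound-inspection/member"))
            if len(certs) > 1:
                out[rule.get("name")] = (certs, certs[0])
    return out


def run_checks(xml_text=SAMPLE_CONFIG):
    """Run every check and return the findings keyed by check name."""
    root = ET.fromstring(xml_text)
    return {
        "rules_losing_panorama_traffic": rules_losing_panorama_traffic(root),
        "encryption_after_upgrade": encryption_after_upgrade(root),
        "dh_groups_remapped_on_downgrade": dh_groups_remapped_on_downgrade(root),
        "multi_cert_inbound_inspection": multi_cert_inbound_inspection(root),
    }


if __name__ == "__main__":
    for check, finding in run_checks().items():
        print(f"{check}: {finding}")
```

To use it against a real device, pass the text of an exported running configuration to run_checks() instead of the sample. Anything reported under rules_losing_panorama_traffic needs a rule allowing ssl before the upgrade (and the reverse edit before a downgrade); the crypto findings tell you which profiles PAN-OS will silently rewrite, so you can decide whether the resulting algorithm set is acceptable to the peer; and a non-empty multi_cert_inbound_inspection result is the cue to split out a separate template or device group for firewalls that will stay on 10.1.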