>
    Strata Copilot
    Changes to Note After Upgrade
    Focus
    Download PDF
    Focus
    1. Home
    2. SD-WAN
    3. Upgrade SD-WAN Plugin with Compatible PAN-OS Release
    4. Changes to Note After Upgrade
    Download PDF
    SD-WAN

    Changes to Note After Upgrade

    Table of Contents

    Changes to Note After Upgrade

    Verify the SD-WAN device configuration after upgrading your SD-WAN plugin version that your Panorama HA pair or standalone Panorama management server is running.
    Where Can I Use This?What Do I Need?
    • NGFW
    After the upgrade, you must conduct the below checks before committing the changes to Panorama:
    • Verify that the Router Name is configured (PanoramaSD-WANDevices) for each SD-WAN device in the VPN cluster. The Router Name configuration is supported from SD-WAN plugin 3.1.0 and later releases.
    • Verify that the BGP (PanoramaSD-WANDevices) is enabled for each SD-WAN device in the VPN cluster. Ensure that the same BGP address family (IPv4 BGP or IPv6 BGP) is enabled which was configured before the upgrade. IPv6 is supported from SD-WAN plugin 3.1.1 and later releases. Therefore, the upgraded plugin will contain the IPv6 option only if you are upgrading from SD-WAN 3.1.1 or later releases.
    • Verify if the same VPN Authentication type (Pre Shared Key or Certificate) is enabled (PanoramaSD-WANDevicesVPN Tunnel) which was configured before the upgrade. The Certificate authentication type is supported from SD-WAN plugin 3.2.0 and later releases. Therefore, the upgraded plugin will contain the VPN Authentication type (Pre Shared Key or Certificate) only if you are upgrading from SD-WAN plugin 3.2.0 or later releases.
    After the upgrade (on Panorama HA pair or standalone Panorama), the following changes can be seen:
    • You will no longer see the zone tabs in PanoramaSD-WANDevices for the added SD-WAN device. Therefore, you must create the Security policy rules between existing and predefined zones (zone-to-branch, zone-to-hub, zone-internet, and zone-internal).
    • In a full mesh VPN cluster, the branch with the lower serial number will be used as an IKE initiator. In case of upstream NAT, both inbound and outbound NAT should be present on the NAT device, when inbound NAT is not present PLUG-15276 will be seen.

    MongoDB Synchronization Status with SD-WAN Database Collections

    With some SD-WAN plugin versions, the SD-WAN database collections in MongoDB could go out of synchronization, which is a known issue. Hence, you may need to perform additional steps in the upgrade procedure when upgrading to a latest SD-WAN plugin version from any earlier versions.
    The following table provides whether the SD-WAN MongoDB collections will be in sync or not with respect to the SD-WAN plugin versions (that are tested).
    S.NoCompatible PAN-OS Software Version with SD-WAN Plugin VersionSD-WAN Plugin VersionMongo PortSD-WAN Collections under Mongo on Panorama HA
    1
    10.1.6
    2.1.2
    31377
    Not in synchronization
    2
    10.1.x
    2.1.2
    31377
    Not in synchronization
    3
    10.1.x
    2.2.6 and above
    27017
    In synchronization
    4
    10.2.7-h3
    3.0.7 and above
    27017
    In synchronization

    © 2025 Palo Alto Networks, Inc. All rights reserved.