Changes to Note After Upgrade
Table of Contents
11.0
Expand all | Collapse all
-
-
- Upgrade Panorama with an Internet Connection
- Upgrade Panorama Without an Internet Connection
- Install Content Updates Automatically for Panorama without an Internet Connection
- Upgrade Panorama in an HA Configuration
- Migrate Panorama Logs to the New Log Format
- Upgrade Panorama for Increased Device Management Capacity
- Upgrade Panorama and Managed Devices in FIPS-CC Mode
- Downgrade from Panorama 11.0
- Troubleshoot Your Panorama Upgrade
-
- What Updates Can Panorama Push to Other Devices?
- Schedule a Content Update Using Panorama
- Panorama, Log Collector, Firewall, and WildFire Version Compatibility
- Upgrade Log Collectors When Panorama Is Internet-Connected
- Upgrade Log Collectors When Panorama Is Not Internet-Connected
- Upgrade a WildFire Cluster from Panorama with an Internet Connection
- Upgrade a WildFire Cluster from Panorama without an Internet Connection
- Upgrade Firewalls When Panorama Is Internet-Connected
- Upgrade Firewalls When Panorama Is Not Internet-Connected
- Upgrade a ZTP Firewall
- Revert Content Updates from Panorama
-
Changes to Note After Upgrade
Verify the SD-WAN device configuration after upgrading your SD-WAN plugin version
that your Panorama HA pair or standalone Panorama management server is running.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
|
After the upgrade, you must conduct the below checks before
committing the changes to Panorama:
- Verify that the Router Name is configured (PanoramaSD-WANDevices) for each SD-WAN device in the VPN cluster. The Router Name configuration is supported from SD-WAN plugin 3.1.0 and later releases.
- Verify that the BGP (PanoramaSD-WANDevices) is enabled for each SD-WAN device in the VPN cluster. Ensure that the same BGP address family (IPv4 BGP or IPv6 BGP) is enabled which was configured before the upgrade. IPv6 is supported from SD-WAN plugin 3.1.1 and later releases. Therefore, the upgraded plugin will contain the IPv6 option only if you are upgrading from SD-WAN 3.1.1 or later releases.
- Verify if the same VPN Authentication type (Pre Shared Key or Certificate) is enabled (PanoramaSD-WANDevicesVPN Tunnel) which was configured before the upgrade. The Certificate authentication type is supported from SD-WAN plugin 3.2.0 and later releases. Therefore, the upgraded plugin will contain the VPN Authentication type (Pre Shared Key or Certificate) only if you are upgrading from SD-WAN plugin 3.2.0 or later releases.
After the upgrade (on Panorama HA pair or standalone Panorama), the following changes can
be seen:
- You will no longer see the zone tabs in PanoramaSD-WANDevices for the added SD-WAN device. Therefore, you must create the Security policy rules between existing and predefined zones (zone-to-branch, zone-to-hub, zone-internet, and zone-internal).
- In a full mesh VPN cluster, the branch with the lower serial number will be used as an IKE initiator. In case of upstream NAT, both inbound and outbound NAT should be present on the NAT device, when inbound NAT is not present PLUG-15276 will be seen.
MongoDB Synchronization Status with SD-WAN Database Collections
With some SD-WAN plugin versions, the SD-WAN database collections in
MongoDB could go out of synchronization, which is a known issue. Hence, you may need
to perform additional steps in the upgrade procedure when upgrading to SD-WAN plugin
version 2.2.6 from any earlier releases.
The following table provides whether the SD-WAN MongoDB collections will be
in sync or not with respect to the SD-WAN plugin versions (that are tested).
| S.No | Compatible PAN-OS Software Version with SD-WAN Plugin Version | SD-WAN Plugin Version | Mongo Port | SD-WAN Collections under Mongo on Panorama HA |
|---|---|---|---|---|
|
1
|
10.1.6
|
2.1.2
|
31377
|
Not in synchronization
|
|
2
|
10.1.x
|
2.1.2
|
31377
|
Not in synchronization
|
|
3
|
10.1.x
|
2.2.6
|
27017
|
In synchronization
|
|
4
|
10.2.7-h3
|
3.0.7
|
27017
|
In synchronization
|