Upgrade/Downgrade Considerations
Table of Contents
PAN.OS 11.1 & Later
Expand all | Collapse all
-
-
- Upgrade Panorama with an Internet Connection
- Upgrade Panorama Without an Internet Connection
- Install Content Updates Automatically for Panorama without an Internet Connection
- Upgrade Panorama in an HA Configuration
- Migrate Panorama Logs to the New Log Format
- Upgrade Panorama for Increased Device Management Capacity
- Upgrade Panorama and Managed Devices in FIPS-CC Mode
- Downgrade from Panorama 11.1
- Troubleshoot Your Panorama Upgrade
-
- What Updates Can Panorama Push to Other Devices?
- Schedule a Content Update Using Panorama
- Panorama, Log Collector, Firewall, and WildFire Version Compatibility
- Upgrade Log Collectors When Panorama Is Internet-Connected
- Upgrade Log Collectors When Panorama Is Not Internet-Connected
- Upgrade a WildFire Cluster from Panorama with an Internet Connection
- Upgrade a WildFire Cluster from Panorama without an Internet Connection
- Upgrade Firewalls When Panorama Is Internet-Connected
- Upgrade Firewalls When Panorama Is Not Internet-Connected
- Upgrade a ZTP Firewall
- Revert Content Updates from Panorama
-
Upgrade/Downgrade Considerations
Upgrade/downgrade considerations for PAN-OS 11.0.
The following table lists the new features that have upgrade or downgrade impact. Make sure you
understand all upgrade/downgrade considerations before you upgrade to or downgrade from
a PAN-OS 11.1 release. For additional information about PAN-OS 11.1 and later releases,
refer to the PAN-OS Release Notes.
Feature | Upgrade Considerations | Downgrade Considerations |
|---|---|---|
Advanced Routing Engine (PAN-OS 11.2.0 ) | In PAN-OS 11.2.0, when Advanced Routing is enabled, IP multicast is
not supported. An upcoming version will provide support for this
feature. Customers who have multicast configured or who plan to
deploy multicast routing should not upgrade to 11.2.0. Additionally, in PAN-OS 11.2.0, when Advanced Routing is enabled, the
BGP dampening configuration isn't applied to any peers or peer
group; the configuration is preserved but has no effect on BGP.
Customers can use BGP even if they have applied a Dampening profile
to a specific set of peers. The issue doesn't affect any other BGP
features. | None |
Per Policy Persistent DIPP | When using Panorama to upgrade the firewall from PAN-OS 11.0.0 to
11.1.1, regular DIPP NAT rules should be converted to persistent
DIPP NAT rules, but that conversion fails and the rules remain as
regular DIPP NAT rules. | When using Panorama to downgrade the firewall from PAN-OS 11.1.1 to
11.0 0, per policy persistent DIPP NAT rules are converted to
regular DIPP NAT rules. |
TLSv1.3 Support for GlobalProtect | If you upgrade to PAN-OS 11.1 from an earlier PAN-OS version with
Max Version set to
Max in the SSL/TLS service profile, the
TLS version will be replaced with TLSv1.2 after the upgrade.If you upgrade to a later PAN-OS version from PAN-OS 11.1
with Max Version set to
<TLS Version> in the SSL/TLS
service profile, the TLS version will remain with the configured
<TLS Version> after the upgrade.
There is no replacement of the versions as the versions are already
configured in 11.1.x itself. | If you downgrade from PAN-OS 11.1 with TLSv1.3 to an earlier PAN-OS
version, the TLSv1.3 will be replaced with TLSv1.2 after you
downgrade. The downgrade will succeed but auto commit will fail if
you had selected TLS v1.3 aes-chacha20-poly1305
cipher, in PAN-OS 11.1 that is not supported in the
earlier PAN-OS versions. You must add or replace the appropriate
supported ciphers to the downgraded version and commit the changes
manually. |
Upgrading the VM-50 and VM-50L | Before upgrading your VM-50 or VM-50L firewall to PAN-OS 11.1, the
minimum plugin versions are required to be installed before you
begin upgrading:
| None. |
VM-Series Firewalls | When upgrading VM-Series firewalls from PAN-OS versions 10.1.x
through 11.1.x, you must upgrade the VM-Series plugin version to
later than 2.1.6 on all 10.1.x firewalls before performing the
upgrade to avoid HA issues. | None. |
Collector Groups | All logs generated while running a PAN-OS 10.0 or earlier release are
deleted on upgrade to PAN-OS 11.1.1. To recover logs generated in PAN-OS 11.0 or earlier release, you must
upgrade to PAN-OS 11.1.2 or later release
where you can manually recover all impacted logs using CLI commands
provided by Palo Alto Networks. | Downgrade is not recommended. If you choose
to downgrade from 11.1, all logs generated in PAN-OS 11.1 are
deleted and need to manually recovered. To recover logs generated in
11.1, you must:
If you have already downgraded from PAN-OS 11.1 and ElasticSearch
is caught in a restart loop, please contact Palo Alto Networks
Support |
All Log Collectors in a Collector Group must be upgraded at the same
time. Upgrading some, but not all Log Collectors, in a Collector
Group during an upgrade window is not supported. | None. | |
Log Collectors running PAN-OS 11.1 must be onboarded using the device
registration authentication for inter-Log Collector communication. On your upgrade path to PAN-OS 11.1, Log Collectors added to Panorama
management when running PAN-OS 9.1 or earlier release must first be
upgraded to PAN-OS 10.1 or later release and re-onboarded to Panorama
management using the device registration authentication
key. Upgrade to PAN-OS 11.1 is blocked if Log Collectors onboarded to
Panorama management without the device registration authentication
key are detected. | None. | |
If you are using Collector Groups, the following requirements must be
met to upgrade to 11.1.0.
| None. | |
After upgrading Log collectors to PAN-OS 11.1, the follow TCP ports
are now required for inter-Log Collector communication and must be
opened on your network.
| None. | |
Pan Service Proxy | None. | Downgrading a next-generation firewall from PAN-OS 11.1 will fail if
it has pan service proxy enabled. To downgrade successfully, disable
pan service proxy before you downgrade. Next-generation firewall: Select Network Proxy None , and then click
OK .Panorama: Templates Network Proxy None , and then click
OK . |
Authentication sequence | When you upgrade to PAN-OS 11.1.1, the Exit the sequence on failed
authentication option is no longer dependent on the Use
domain to determine authentication profile option. | If you select the Exit the sequence on failed authentication
option, downgrading from PAN-OS 11.1.1 to a previous version is not
successful unless the Exit the sequence on failed
authentication option is not selected or unless both the
Exit the sequence on failed authentication option and the
Use domain to determine authentication profile option are
selected. |
Panorama Management of Multi-Vsys Firewalls Upgrade from PAN-OS 10.1 to PAN-OS 11.1 using Skip Software
Version Upgrade only | Before upgrading a Panorama managed multi-vsys firewall to PAN-OS
11.0 using Skip Software Version Upgrade:
| None. |
After you successfully upgrade a managed multi-vsys firewall to
PAN-OS 10.2 using Skip Software Version Upgrade, the firewalls
become out-of-sync on Panorama and a
full commit and push is required. On Panorama, select Commit and Push to Devices the
entire Panorama managed configuration to the multi-vsys firewall
before you commit and push any configuration changes from
Panorama. |