Upgrade/Downgrade Considerations
Table of Contents
Upgrade/Downgrade Considerations
Upgrade/downgrade considerations for PAN-OS 9.1.
The following table lists the new features that have
upgrade or downgrade impact. Make sure you understand all upgrade/downgrade
considerations before you upgrade to or downgrade from a PAN-OS
9.1 release. For additional information about PAN-OS 9.1 releases,
refer to the PAN-OS 9.1 Release Notes.
Feature | Upgrade Considerations | Downgrade Considerations |
|---|---|---|
Commit Failure to Web Interface and CLI | None. | You must Contact Palo Alto Networks Support before
you downgrade a Panorama management server, PA-7000 Series firewall,
and PA-5200 Series firewall to avoid commit failures on successful
downgrade to PAN-OS 9.0. Refer to PAN-142114 in the PAN-OS
9.1 Limitations when you contact Palo Alto Networks Support. |
SD-WAN Plugin The SD-WAN plugin
provides intelligent, dynamic path selection on top of the industry
leading security provided by PAN-OS | Enabling your SD-WAN plugin and starting
your device creates SD-WAN databases. | Downgrading from PAN-OS 9.1 to an earlier
version deletes any SD-WAN databases and removes any SD-WAN specific configurations.
Your subscription remains on the device and is re-enabled if you
upgrade. |
Upgrading a PA-7000 Series Firewall with
a first generation switch management card (PA-7050-SMC or PA-7080-SMC) | Before upgrading the firewall, run the following
CLI command to check the flash drive’s status: debug system disk-smart-info disk-1 .If
the value for attribute ID #232, Available_Reservd_Space
0x0000 , is greater than 20, then proceed with the upgrade.
If the value is less than 20, then contact support for assistance. | Before downgrading the firewall, run the
following CLI command to check the flash drive’s status: debug system disk-smart-info disk-1 .If
the value for attribute ID #232, Available_Reservd_Space
0x0000 , is greater than 20, then proceed with the downgrade.
If the value is less than 20, then contact support for assistance. |
Username in HTTP Header Insertion Entries | None. | Downgrading from PAN-OS 9.1 removes the
dynamic fields header values containing the domain and username. |
Dynamic User Groups | None. | Downgrading from PAN-OS 9.1 migrates existing
dynamic user groups to XML API user groups, retaining
all group members at the time of the downgrade. The firewall continues
to enforce any policy rules that apply to these groups. |
Option to Hold Web Requests During URL
Category Lookup | If you have this feature enabled, upgrading
to PAN-OS 9.1 from an earlier version disables this option. Configure URL Filtering to
re-enable this feature. | If you have this feature enabled, downgrading
from PAN-OS 9.1 to an earlier version disables this option. |
URL Filtering BrightCloud Support | With PAN-OS 9.1, BrightCloud is no longer supported
as a URL Filtering vendor. Before you can upgrade to PAN-OS 9.1,
you’ll first need to contact your sales representative to convert
your BrightCloud URL Filtering license to a PAN-DB URL Filtering
license. Only upgrade to PAN-OS 9.1 after confirming that the PAN-DB
URL Filtering license is active on your firewall. | |
Enhanced Logging for GlobalProtect | When upgrading to PAN-OS 9.1, any existing
GlobalProtect logs stay in their current location, however any new
logs received after the upgrade are stored in their new locations
and categorized by the new GlobalProtect log type. | Any GlobalProtect logs collected after the
upgrade will be lost when downgrading from PAN-OS 9.1 to an earlier
version. |
Identity Provider Certificate ( PAN-OS 9.1.3
or later ) | Ensure that you configure the signing certificate
for your SAML Identity Provider as the Identity Provider Certificate before
you upgrade to PAN-OS 9.1.3 or later so that your users can continue to
authenticate successfully. Always configure the Identity Provider
Certificate when you configure your SAML authentication and,
as a best practice, enable certificate validation when available. | |
Log Storage Quota | On upgrade to PAN-OS 9.1, the firewall log
storage quota ( Device Setup Management Logging and Reporting Settings After you successfully upgrade a firewall to PAN-OS
9.1, modify the log storage quota to equal 100%.
| |
Application Filters Using Tags | None | Downgrading from PAN-OS 9.1 removes any
tags applied to an application filter. This results in a commit
failure if application filter tags were used. Downgrading
from a content release that includes tag support for specific apps
results in a commit failure if those tags are used in an application filter. |