Upgrade or Downgrade Considerations in Prisma SD-WAN ION Release 6.4
Learn about the device upgrade and downgrade considerations for Prisma SD-WAN Release 6.4.
Where Can I Use This? | What Do I Need? |
| Prisma SD-WAN license - Prisma SD-WAN ION device software version 6.4 or higher |
The following section details the upgrade path to Prisma SD-WAN
release 6.4.x. Review the upgrade and downgrade considerations before upgrading to this
release. The table describes the ION element software release naming convention for
release 6.4.x.
ION ELEMENT SOFTWARE (SW) RELEASE NAMING CONVENTION |
1st Digit - Primary Release | 2nd Digit - Release Number | 3rd Digit - Main Release Number | 4th Digit - SW Build Number |
6 | 4 | 1 | b1 |
Prerequisite—Prior to upgrading branch ION devices
to 6.1.X, ensure that all data center ION devices are running ION
software version 5.4.x or higher.
Upgrade Or Downgrade Path
Use the following paths to upgrade to release 6.3.x, and use the path in reverse to roll back to
the version you started from:
4.7.1 -> 5.0.x -> 5.1.x -> 5.4.x -> 5.6.x -> 6.1.x -> 6.3.x -> 6.4.x
4.7.1 -> 5.0.x -> 5.2.x -> 5.5.x -> 5.6.x -> 6.1.x -> 6.3.x -> 6.4.x
5.0.x -> 5.2.x -> 5.5.x -> 5.6.x -> 6.1.x -> 6.3.x -> 6.4.x
5.1.x -> 5.4.x -> 5.6.x -> 6.1.x -> 6.3.x -> 6.4.x
5.2.x -> 5.5.x -> 5.6.x -> 6.1.x -> 6.3.x -> 6.4.x
5.4.x -> 5.6.x -> 6.1.x -> 6.3.x -> 6.4.x
6.0.x -> 6.1.x -> 6.3.x -> 6.4.x
6.2.x -> 6.3.x -> 6.4.x
6.2.x -> 6.4.x
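The listed paths can be read as a graph of permitted hops, so a change script can compute the hop sequence for a device and refuse any starting version the page lists no path for. This is an added example, not Palo Alto Networks code; the function names are hypothetical, and choosing the shortest listed path is an assumption of this sketch.

```python
from collections import deque

# Upgrade paths copied verbatim from this page ("x" stands for any build in the train).
PATHS = """\
4.7.1 -> 5.0.x -> 5.1.x -> 5.4.x -> 5.6.x -> 6.1.x -> 6.3.x -> 6.4.x
4.7.1 -> 5.0.x -> 5.2.x -> 5.5.x -> 5.6.x -> 6.1.x -> 6.3.x -> 6.4.x
5.0.x -> 5.2.x -> 5.5.x -> 5.6.x -> 6.1.x -> 6.3.x -> 6.4.x
5.1.x -> 5.4.x -> 5.6.x -> 6.1.x -> 6.3.x -> 6.4.x
5.2.x -> 5.5.x -> 5.6.x -> 6.1.x -> 6.3.x -> 6.4.x
5.4.x -> 5.6.x -> 6.1.x -> 6.3.x -> 6.4.x
6.0.x -> 6.1.x -> 6.3.x -> 6.4.x
6.2.x -> 6.3.x -> 6.4.x
6.2.x -> 6.4.x
"""

def build_graph(paths=PATHS):
    """Turn the listed paths into an adjacency list of permitted single hops."""
    graph = {}
    for line in paths.splitlines():
        hops = [h.strip() for h in line.split("->")]
        for src, dst in zip(hops, hops[1:]):
            if dst not in graph.setdefault(src, []):
                graph[src].append(dst)
    return graph

def train(version):
    """Map '5.6.3' to its train '5.6.x'; 4.7.1 is listed literally on the page."""
    if version == "4.7.1":
        return version
    major, minor = version.split(".")[:2]
    return f"{major}.{minor}.x"

def upgrade_plan(current, target="6.4.x"):
    """Shortest listed hop sequence, or None when the page lists no path (fail closed)."""
    graph, start, goal = build_graph(), train(current), train(target)
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def rollback_plan(current, original):
    """The page says to roll back along the same path in reverse."""
    plan = upgrade_plan(original, current)
    return plan[::-1] if plan else None
```

A `None` result means the starting release is not on any listed path and the change should stop for manual review rather than attempt a direct jump.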
Upgrade or Downgrade Considerations in Prisma SD-WAN ION Device Release 6.4.1
The following table lists the new features that have upgrade or
downgrade impact. Make sure you understand all upgrade/downgrade considerations
before you upgrade to or downgrade from Prisma SD-WAN release
6.4.1.
Feature | Upgrade Considerations | Downgrade Considerations |
Performance Policy | If Performance Policy is attached to the site: - You can use probes when creating a new performance policy rule, while selecting actions like Create Incidents, Move Flows, FEC, Packet Duplication or Visibility. - You can configure the System Rule type and use the new SLA parameters (MOS and UDP TRT) in Performance Policy. | When downgrading device from 6.4.1 to 6.3.2/6.3.1: - You can use existing performance policies, however rules that have new SLA parameters like Probing, MOS, and UDP TRT will not be sent to the device. - When creating a new Performance Policy, you cannot apply System Rules. |
Branch Gateway | If a device is onboarded to a branch gateway site, enable: - L3 Direct Private WAN Forwarding - L3 LAN Forwarding | Remove the configurations related to the Branch Gateway such as Service & DC Groups, WAN default route distribution and then downgrade the device. |
Auto Operational State | Auto Operational State is enabled by default for new SVIs and disabled for existing SVIs. After upgrading to version 6.4.1, you need to enable the Auto Operational State, when required. | When Auto Operational State is enabled, downgrade to previous releases is not allowed. You can downgrade only after disabling this configuration. Make the necessary deployment changes and then disable the configuration. |
HA over SVI Access Port | When downgrading to earlier releases, if you have configured an access port, then downgrading will be blocked. Downgrade is allowed only when a trunk member port is present for the HA control SVI. | None |
App IDs | To upgrade devices to version 6.4.1, ensure that all policies contain applications with a version higher than or equal to 6.0.1. | To downgrade devices from version 6.4.1 to previous versions, ensure that there are no policies containing applications with version 6.4.1 or higher. |
Upgrade/Downgrade Path for Virtual Form Factor in FIPS Mode
When upgrading from 6.1.x or 5.6.x to 6.2.x or later images of virtual
form factor (VFF), there may be a disruption of service links, stats/logs
connections, and remote sessions in FIPS mode. This issue is observed only when
the VFF in FIPS mode is upgraded to 6.2.1 or later.
Upgrade or Downgrade Versions
Follow the steps below if you are on a VFF running a release earlier than 6.2.1 with FIPS mode
enabled and are upgrading to a software version greater than or equal to 6.2.1
(this includes 6.2.2, 6.3.4, 6.3.5, and 6.4.1, and excludes 6.2.3, 6.3.1, 6.3.2, and 6.3.3,
which are already blocked on the Controller).
- First, disable FIPS mode on VFF.
- Upgrade to the desired software version.
- Then, enable FIPS mode. Enabling FIPS mode can take up to 20 minutes.
The above steps do not apply when upgrading directly from
6.1.x to 6.4.2 or higher.
Given these known limitations, and because the FIPS-certified versions are
6.1.2 and 6.4.2 or higher, for a VFF in FIPS mode on any older software version
(< 6.2.1), Palo Alto Networks recommends 6.4.2 and all later versions as the
upgrade path.