Upgrade/Downgrade Considerations

Upgrade/downgrade considerations for PAN-OS 10.0.
The following table lists the new features that have upgrade or downgrade impact. Make sure you understand all upgrade/downgrade considerations before you upgrade to or downgrade from a PAN-OS 10.0 release. For additional information about PAN-OS 10.0 releases, refer to the PAN-OS 10.0 Release Notes.
PAN-OS 10.0 Upgrade/Downgrade Considerations
Feature
Upgrade Considerations
Downgrade Considerations
Bonjour Reflector for Network Segmentation
None.
Downgrading from PAN-OS 10.0.1 to an earlier version removes the Bonjour Reflector option from the Layer 3 (L3) and Aggregated Ethernet (AE) interface configuration.
TLS Encryption for Email Log Forwarding and Reporting
None.
Downgrading from PAN-OS 10.0 to an earlier version reverts any email server profiles from the TLS protocol to SMTP.
Authentication with Custom Certificates for Redistribution
None.
Downgrading from PAN-OS 10.0 to an earlier version reverts any custom certificate profiles for redistribution agents to the default certificate. If you are using global client/server settings to connect, you must reconfigure them to use the default certificate.
Streamlined and Resilient Redistribution
Upgrading to PAN-OS 10.0:
  • Migrates all User-ID agents to
    Device
    Data Redistribution
    Agents
    .
  • Migrates collector settings to
    Device
    Data Redistribution
    Collector Settings
    .
  • Redistributes IP- User mappings, IP-tags, and user tags to all existing User-ID agents by default.
Downgrading from PAN-OS 10.0 to an earlier version:
  • Migrates all redistribution agents to
    Device
    User Identification
    User-ID Agents
    .
  • Migrates collector settings to
    Device
    User Identification
    User Mapping
    Palo Alto Networks User-ID Agent Setup
    Redistribution
    .
  • Removes any
    Include/Exclude Networks
    profiles for IP-tag or IP-User mapping redistribution.
Automatic Content Updates Through Offline Panorama
None.
On downgrade from PAN-OS 10.0, the SCP server profile is deleted and prevent the scheduled dynamic update from successfully uploading content updates to the SCP server.
HA Clustering
None.
The firewall blocks a downgrade from PAN-OS 10.0 if HA cluster participation is enabled.
HA Additional Path Monitoring
VLAN path monitoring is not compatible with active/active HA pairing in PAN-OS 10.0. Ensure that you delete all VLAN path monitoring configurations in active/active HA before you upgrade to PAN-OS 10.0. Retaining an earlier active/active HA configuration will result in an autocommit failure.
When you upgrade to PAN-OS 10.0, the firewall automatically transfers your currently monitored destination IP addresses to a newly created destination group and gives this group a default path monitoring name.
The firewall blocks a downgrade from PAN-OS 10.0 if any HA path monitoring groups contain multiple destination IP groups.
HA
None.
If you downgrade from PAN-OS 10.0 to 9.1, a commit error occurs if the HA1 interface isn’t configured.
Workaround:
You can either select the 9.1 configuration you were using before you upgraded to 10.0, or, before you downgrade to 9.1, you can use the CLI configuration command to configure the HA1 interface (
set deviceconfig high-availability interface ha1
) and commit.
Enhanced Authentication for Dedicated Log Collectors and WildFire 500 Appliances
None.
On downgrade from PAN-OS 10.0, any users other than the admin configured on the Dedicated Log Collector or WildFire 500 appliance are deleted when downgraded from the Panorama™ management server.
If you downgrade the Dedicated Log Collector or WildFire 500 appliance from the CLI, Panorama still displays all the previously configured user accounts but none will be able to log in to the CLI.
Downgrade from PAN-OS 10.0 is blocked for Dedicated Log Collectors and WildFire 500 appliances in the following scenarios:
  • If the admin user account is deleted. The admin user must exist in order to downgrade the Dedicated Log Collector and WildFire 500 appliance.
  • If TACAS+ or RADIUS EAP are part of the default authentication profile for the WildFire 500 appliance.
  • If there is an authentication sequence configured as the default authentication profile for the WildFire 500 appliance.
Upgrading a PA-7000 Series Firewall with a first generation switch management card (PA-7050-SMC or PA-7080-SMC)
Before upgrading the firewall, run the following CLI command to check the flash drive’s status:
debug system disk-smart-info disk-1
.
If the value for attribute ID #232,
Available_Reservd_Space 0x0000
, is greater than 20, then proceed with the upgrade. If the value is less than 20, then contact support for assistance.
Before downgrading the firewall, run the following CLI command to check the flash drive’s status:
debug system disk-smart-info disk-1
.
If the value for attribute ID #232,
Available_Reservd_Space 0x0000
, is greater than 20, then proceed with the downgrade. If the value is less than 20, then contact support for assistance.
Enhanced Pattern-Matching Engine for Custom Signatures
None.
Custom signatures in the new threat ID range (6800001-7000000) prevent downgrade. The firewall issues a warning to export and remove the offending signatures.
Custom signatures that use the newly supported syntax but are not in the new threat ID range do not prevent downgrade. After downgrade, these signatures cease to function. Subsequent commits fail until you remove them.
Aggregate Interface Group Enhancement
None.
If you configured more than eight AE interface groups and you subsequently want to downgrade to a PAN-OS release earlier than 10.0, you must first edit your configuration so that it has only AE interface groups 1 through 8.
DNS Security Signature Categories
Upon upgrade to PAN-OS 10.0, the DNS Security source gets redefined into new signature categories to provide extended granular controls; as a result, the new categories will overwrite the previously defined policy action (for Palo Alto Networks DNS Security) based on the following mapping:
  • Block or sinkhole policy actions reconfigure all signature categories to default settings.
  • Alert policy actions reconfigure all signature categories to alert.
  • Allow policy actions reconfigure all signature categories to allow.
If these settings are inappropriate for your deployment, reapply any sinkhole, log severity, and packet captures settings appropriate for the newly defined DNS Security Categories.
If you downgrade from PAN-OS 10.0 to 9.1, the new security categories are removed from the anti-spyware profile and replaced with a single DNS Security source (Palo Alto Networks DNS Security), and the policy action is redefined based on the following mapping:
  • If any signature category is configured to sinkhole, the action is reconfigured to sinkhole.
  • If any signature category is configured to block, the action is reconfigured to block.
  • If all signature categories are configured to allow, the action is reconfigured to allow.
  • If the log-severity for any signature category is
    not
    set to none, the action is reconfigured to alert.
NT LAN Manager protocol
The NT LAN Manager (NTLM) authentication protocol has been removed in this release. We recommend using Kerberos Single Sign-On (SSO) or Security Assertion Markup Language (SAML) for SSO authentication.
None.
User-ID Redistribution for Dedicated Log Collectors
The Dedicated Log Collector no longer supports redistribution for User-ID information in this release. We recommend using the firewall or Panorama to redistribute information.
None.
Syslog Forwarding Using Ethernet Interfaces
None.
All syslog forwarding is reverted back to the management interface on downgrade from PAN-OS 10.0.
Increased Configuration Size for Panorama
None.
The Panorama management server may experience performance impacts when performing configuration changes, commits, and pushes to managed firewalls if the configuration size exceeds 80MB.
Master Key Encryption Levels
None.
If you downgrade to an earlier version of PAN-OS, the device automatically reverts the encryption algorithm to a level that the downgraded PAN-OS version supports. The device also automatically re-encrypts encrypted data using that encryption level to ensure that the device can decrypt and use the data as needed. For example, if your device is on PAN-OS 10.0 and uses the AES-256-GCM encryption algorithm (which is not supported on earlier versions of PAN-OS), and you downgrade to PAN-OS 9.1, then the device re-encrypts the encrypted data to AES-256-CBC, which is supported in PAN-OS 9.1.
Legacy telemetry support still enabled
Device telemetry is changed for PAN-OS 10.0 so that more data is being collected, and the data is being sent to Cortex Data Lake. However, if you had telemetry enabled so that you were sharing threat intelligence data with Palo Alto Networks prior to PAN-OS 10.0, then this legacy data collection and sharing is still occurring after you upgrade.
None.
Device-ID
In PAN-OS 9.1 and earlier, the firewall used the Palo Alto Networks Services service route to send Enhanced Application Logs (EAL logs).
In PAN-OS 10.0 and later versions, the firewall sends EAL logs using the Data Services service route, which uses the management interface by default. Other services, such as Data Loss Prevention (DLP), also use this service route. You can configure any Layer 3 (L3) interface, including the management or dataplane interfaces, for the service route.
If your firewall currently sends EAL logs (for example, if you are using Cortex XDR), the firewall automatically uses the Data Services service route after you upgrade to PAN-OS 10.0. If you want to use a different interface for the service route, you can change the service route to any L3 interface.
If you are using a log forwarding card (LFC) with the 7000 series, when you upgrade to PAN-OS 10.0, you must configure the management plane or dataplane interface for the service route because the LFC ports do not support the requirements for the service route. We recommend using the dataplane interface for the Data Services service route.
None.
Panorama Support for Multiple IP-Tag Sources
None.
On downgrade to PAN-OS 9.1 or earlier releases, firewalls managed by a Panorama management server associated with a child device group do not receive IP-tag mappings from Panorama.
Address Groups and Service Groups
On upgrade to PAN-OS 10.0, the Panorama management server checks for duplicate addresses in address groups (
Objects
Address Groups
) and services in service groups (
Objects
Service Groups
), and fails to commit any configuration changes if duplicate address objects and services exist.
Workaround:
Before you upgrade to PAN-OS 10.0, modify your address group and service group configurations and rename any duplicate address objects or services.
None.
Captive Portal (Authentication Portal)
On upgrade to PAN-OS 10.0, the firewall generates a token parameter for the Authentication Portal URL when the user's web traffic matches an Authentication Policy rule.
Workaround:
If you have shared or bookmarked a URL for the Authentication Portal page, after you upgrade to PAN-OS 10.0, update the bookmarked URL by removing the
url
parameter or disable the token generation using the following CLI command in Configure mode:
set deviceconfig setting captive-portal disable-token yes
, then commit the changes using the
commit
command.
None.
Local Administrator Authentication
If you have a local administrator account that authenticates using a remote authentication server such as a SAML Identity Provider (IdP), you must ensure that the username that the authentication server sends to the firewall or Panorama is identical to the username in the local administrator account settings on the firewall or Panorama and doesn't contain a domain.
Workaround:
Use the following CLI command:
set auth strict-username-check no
None.
SAML Authentication
Upgrading to PAN-OS 10.0 removes the
None
option for the Identity Provider Certificate in the SAML Identity Provider server profile. If you are using SAML authentication, verify your SAML Identity Provider server profile has a valid Identity Provider (IdP) certificate before upgrading to PAN-OS 10.0. To ensure the integrity of the SAML Responses or Assertions from Identity Provider (IdP), the firewall or Panorama requires an IdP certificate. The firewall or Panorama always validates the signature of the SAML Responses or Assertions against the IdP certificate that you configure.
None.
Custom Admin Role
None.
On the Panorama management server, you are unable to commit any configuration changes after you successfully downgrade from PAN-OS 10.0 to PAN-OS 9.1 or earlier release due to custom admin roles (
Panorama
Admin Roles
) configured on Panorama.
Workaround:
Log in to the Panorama CLI and load the running config
admin>
configure
admin#
load config from running-config.xml
admin#
commit force
PA-3200 Series Firewalls in an Active/Passive HA Pair with NAT Configured
When you have an active/passive HA pair of PA-3200 Series firewalls running PAN-OS 10.0.0 with NAT configured, if you upgrade one firewall to PAN-OS 10.0.1, the firewall goes to non-functional state due to a NAT oversubscription mismatch between the HA peers. The upgraded firewall goes to non-functional state because PAN-OS 10.0.0 and 10.0.1 have different default NAT oversubscription rates.
Workaround
: After an upgrade, modify the NAT oversubscription rate on one firewall so that the rates on the HA pair match.
When you have an active/passive HA pair of PA-3200 Series firewalls running PAN-OS 10.0.1 with NAT configured, if you downgrade one firewall to PAN-OS 10.0.0, the firewall goes to non-functional state due to a NAT oversubscription mismatch between the HA peers. The downgraded firewall goes to non-functional state because PAN-OS 10.0.0 and 10.0.1 have different default NAT oversubscription rates.
Workaround
: After a downgrade, modify the NAT oversubscription rate on one firewall so that the rates on the HA pair match.

Recommended For You