Upgrade/downgrade considerations for PAN-OS 10.0.
The following table lists the new features that have upgrade or downgrade impact. Make sure you understand all upgrade/downgrade considerations before you upgrade to or downgrade from a PAN-OS 10.0 release. For additional information about PAN-OS 10.0 releases, refer to the PAN-OS 10.0 Release Notes.
Downgrading the Panorama management server and managed firewalls that currently leverage features that were introduced in PAN-OS 10.0.3 (or later version) or SD-WAN plugin 2.0.1 (or later version) can cause stability issues if you downgrade from the following versions:
Workaround: Before you upgrade to PAN-OS 10.0.3 or SD-WAN plugin 2.0.1, save and export your Panorama and firewall configurations. Then, if you need to downgrade PAN-OS or the SD-WAN plugin to a previous version:
If you did not export and save a Panorama and managed firewall configuration prior to upgrading to PAN-OS 10.0.3 or SD-WAN plugin 2.0.1, then— before you can successfully downgrade to PAN-OS 10.0.2 (or an earlier version) or SD-WAN plugin 2.0.0—you must remove any feature options or configurations that were introduced in PAN-OS 10.0.3 or in SD-WAN plugin 2.0.1.
If you downgrade from SD-WAN Plugin 2.0.1 to an older Plugin release, the VPN Cluster does not support a mesh configuration or a DDNS configuration. If you had a VPN mesh configuration, you must move the cluster to a Hub-Spoke configuration, configure a hub if you didn't have one, click the button to
Remove DDNS Configuration, commit on Panorama, and push the configuration to devices. If you cannot change the VPN cluster to Hub-Spoke, you must delete the entire cluster, commit on Panorama, and push the configuration to devices before downgrading.
Layer 3 Interface
When you create a new Layer 3 interface in PAN-OS 10.0.3 or 10.0.4 and then downgrade to PAN-OS 9.1.x, the downgrade fails with the message “Upstream NAT not supported in older version,” whether or not SD-WAN is configured on the firewall.
Workaround: After you create a Layer 3 interface in PAN-OS 10.0.3 or 10.0.4, to downgrade to PAN-OS 9.1.x, performs the following steps:
Bonjour Reflector for Network Segmentation
Downgrading from PAN-OS 10.0.1 to an earlier version removes the Bonjour Reflector option from the Layer 3 (L3) and Aggregated Ethernet (AE) interface configuration.
TLS Encryption for Email Log Forwarding and Reporting
Downgrading from PAN-OS 10.0 to an earlier version reverts any email server profiles from the TLS protocol to SMTP.
Authentication with Custom Certificates for Redistribution
Downgrading from PAN-OS 10.0 to an earlier version reverts any custom certificate profiles for redistribution agents to the default certificate. If you are using global client/server settings to connect, you must reconfigure them to use the default certificate.
Streamlined and Resilient Redistribution
Upgrading to PAN-OS 10.0:
Downgrading from PAN-OS 10.0 to an earlier version:
Automatic Content Updates Through Offline Panorama
On downgrade from PAN-OS 10.0, the SCP server profile is deleted and prevent the scheduled dynamic update from successfully uploading content updates to the SCP server.
The firewall blocks a downgrade from PAN-OS 10.0 if HA cluster participation is enabled.
HA Additional Path Monitoring
VLAN path monitoring is not compatible with active/active HA pairing in PAN-OS 10.0. Ensure that you delete all VLAN path monitoring configurations in active/active HA before you upgrade to PAN-OS 10.0. Retaining an earlier active/active HA configuration will result in an autocommit failure.
When you upgrade to PAN-OS 10.0, the firewall automatically transfers your currently monitored destination IP addresses to a newly created destination group and gives this group a default path monitoring name.
The firewall blocks a downgrade from PAN-OS 10.0 if any HA path monitoring groups contain multiple destination IP groups.
If you downgrade from PAN-OS 10.0.0 to 9.1, a commit error occurs if the HA1 interface isn’t configured.
Workaround:You can either select the 9.1 configuration you were using before you upgraded to 10.0, or, before you downgrade to 9.1, you can use the CLI configuration command to configure the HA1 interface (
set deviceconfig high-availability interface ha1) and commit.
Enhanced Authentication for Dedicated Log Collectors and WildFire 500 Appliances
On downgrade from PAN-OS 10.0, any users other than the admin configured on the Dedicated Log Collector or WildFire 500 appliance are deleted when downgraded from the Panorama™ management server.
If you downgrade the Dedicated Log Collector or WildFire 500 appliance from the CLI, Panorama still displays all the previously configured user accounts but none will be able to log in to the CLI.
Downgrade from PAN-OS 10.0 is blocked for Dedicated Log Collectors and WildFire 500 appliances in the following scenarios:
Upgrading a PA-7000 Series Firewall with a first generation switch management card (PA-7050-SMC or PA-7080-SMC)
Before upgrading the firewall, run the following CLI command to check the flash drive’s status:
debug system disk-smart-info disk-1.
If the value for attribute ID #232,
Available_Reservd_Space 0x0000, is greater than 20, then proceed with the upgrade. If the value is less than 20, then contact support for assistance.
Before downgrading the firewall, run the following CLI command to check the flash drive’s status:
debug system disk-smart-info disk-1.
If the value for attribute ID #232,
Available_Reservd_Space 0x0000, is greater than 20, then proceed with the downgrade. If the value is less than 20, then contact support for assistance.
Enhanced Pattern-Matching Engine for Custom Signatures
Custom signatures in the new threat ID range (6800001-7000000) prevent downgrade. The firewall issues a warning to export and remove the offending signatures.
Custom signatures that use the newly supported syntax but are not in the new threat ID range do not prevent downgrade. After downgrade, these signatures cease to function. Subsequent commits fail until you remove them.
Aggregate Interface Group Enhancement
If you configured more than eight AE interface groups and you subsequently want to downgrade to a PAN-OS release earlier than 10.0, you must first edit your configuration so that it has only AE interface groups 1 through 8.
DNS Security Signature Categories
Upon upgrade to PAN-OS 10.0, the DNS Security source gets redefined into new signature categories to provide extended granular controls; as a result, the new categories will overwrite the previously defined policy action (for Palo Alto Networks DNS Security) based on the following mapping:
If these settings are inappropriate for your deployment, reapply any sinkhole, log severity, and packet captures settings appropriate for the newly defined DNS Security Categories.
If you downgrade from PAN-OS 10.0 to 9.1, the new security categories are removed from the anti-spyware profile and replaced with a single DNS Security source (Palo Alto Networks DNS Security), and the policy action is redefined based on the following mapping:
NT LAN Manager protocol
The NT LAN Manager (NTLM) authentication protocol has been removed in this release. We recommend using Kerberos Single Sign-On (SSO) or Security Assertion Markup Language (SAML) for SSO authentication.
User-ID Redistribution for Dedicated Log Collectors
The Dedicated Log Collector no longer supports redistribution for User-ID information in this release. We recommend using the firewall or Panorama to redistribute information.
Syslog Forwarding Using Ethernet Interfaces
All syslog forwarding is reverted back to the management interface on downgrade from PAN-OS 10.0.
Increased Configuration Size for Panorama
The Panorama management server may experience performance impacts when performing configuration changes, commits, and pushes to managed firewalls if the configuration size exceeds 80MB.
Master Key Encryption Levels
If you downgrade to an earlier version of PAN-OS, the device automatically reverts the encryption algorithm to a level that the downgraded PAN-OS version supports. The device also automatically re-encrypts encrypted data using that encryption level to ensure that the device can decrypt and use the data as needed. For example, if your device is on PAN-OS 10.0 and uses the AES-256-GCM encryption algorithm (which is not supported on earlier versions of PAN-OS), and you downgrade to PAN-OS 9.1, then the device re-encrypts the encrypted data to AES-256-CBC, which is supported in PAN-OS 9.1.
Legacy telemetry support still enabled
Device telemetry is changed for PAN-OS 10.0 so that more data is being collected, and the data is being sent to Cortex Data Lake. However, if you had telemetry enabled so that you were sharing threat intelligence data with Palo Alto Networks prior to PAN-OS 10.0, then this legacy data collection and sharing is still occurring after you upgrade.
In PAN-OS 9.1 and earlier, the firewall used the Palo Alto Networks Services service route to send Enhanced Application Logs (EAL logs).
In PAN-OS 10.0 and later versions, the firewall sends EAL logs using the Data Services service route, which uses the management interface by default. Other services, such as Data Loss Prevention (DLP), also use this service route. You can configure any Layer 3 (L3) interface, including the management or dataplane interfaces, for the service route.
If your firewall currently sends EAL logs (for example, if you are using Cortex XDR), the firewall automatically uses the Data Services service route after you upgrade to PAN-OS 10.0. If you want to use a different interface for the service route, you can change the service route to any L3 interface.
If you are using a log forwarding card (LFC) with the 7000 series, when you upgrade to PAN-OS 10.0, you must configure the management plane or dataplane interface for the service route because the LFC ports do not support the requirements for the service route. We recommend using the dataplane interface for the Data Services service route.
Panorama Support for Multiple IP-Tag Sources
Captive Portal (Authentication Portal)
On upgrade to PAN-OS 10.0, the firewall generates a token parameter for the Authentication Portal URL when the user's web traffic matches an Authentication Policy rule.
Workaround:If you have shared or bookmarked a URL for the Authentication Portal page, after you upgrade to PAN-OS 10.0, update the bookmarked URL by removing the
urlparameter or disable the token generation using the following CLI command in Configure mode:
set deviceconfig setting captive-portal disable-token yes, then commit the changes using the
Local Administrator Authentication
If you have a local administrator account that authenticates using a remote authentication server such as a SAML Identity Provider (IdP), you must ensure that the username that the authentication server sends to the firewall or Panorama is identical to the username in the local administrator account settings on the firewall or Panorama and doesn't contain a domain.
Workaround:Use the following CLI command:
set auth strict-username-check no
Upgrading to PAN-OS 10.0 removes the
Noneoption for the Identity Provider Certificate in the SAML Identity Provider server profile. If you are using SAML authentication, verify your SAML Identity Provider server profile has a valid Identity Provider (IdP) certificate before upgrading to PAN-OS 10.0. To ensure the integrity of the SAML Responses or Assertions from Identity Provider (IdP), the firewall or Panorama requires an IdP certificate. The firewall or Panorama always validates the signature of the SAML Responses or Assertions against the IdP certificate that you configure.
Custom Admin Role
On the Panorama management server, you are unable to commit any configuration changes after you successfully downgrade from PAN-OS 10.0 to PAN-OS 9.1 or earlier release due to custom admin roles (
) configured on Panorama.
Workaround:Log in to the Panorama CLI and load the running config
PA-3200 Series Firewalls in an Active/Passive HA Pair with NAT Configured
When you have an active/passive HA pair of PA-3200 Series firewalls running PAN-OS 10.0.0 with NAT configured, if you upgrade one firewall to PAN-OS 10.0.1, the firewall goes to non-functional state due to a NAT oversubscription mismatch between the HA peers. The upgraded firewall goes to non-functional state because PAN-OS 10.0.0 and 10.0.1 have different default NAT oversubscription rates.
Workaround: After an upgrade, modify the NAT oversubscription rate on one firewall so that the rates on the HA pair match.
When you have an active/passive HA pair of PA-3200 Series firewalls running PAN-OS 10.0.1 with NAT configured, if you downgrade one firewall to PAN-OS 10.0.0, the firewall goes to non-functional state due to a NAT oversubscription mismatch between the HA peers. The downgraded firewall goes to non-functional state because PAN-OS 10.0.0 and 10.0.1 have different default NAT oversubscription rates.
Workaround: After a downgrade, modify the NAT oversubscription rate on one firewall so that the rates on the HA pair match.
Recommended For You
Recommended videos not found.