Upgrade/Downgrade Considerations
Table of Contents
Expand all | Collapse all
-
-
- Upgrade Panorama with an Internet Connection
- Upgrade Panorama Without an Internet Connection
- Install Content Updates Automatically for Panorama without an Internet Connection
- Upgrade Panorama in an HA Configuration
- Migrate Panorama Logs to the New Log Format
- Upgrade Panorama for Increased Device Management Capacity
- Downgrade from Panorama 10.1
- Troubleshoot Your Panorama Upgrade
-
- What Updates Can Panorama Push to Other Devices?
- Schedule a Content Update Using Panorama
- Panorama, Log Collector, Firewall, and WildFire Version Compatibility
- Upgrade Log Collectors When Panorama Is Internet-Connected
- Upgrade Log Collectors When Panorama Is Not Internet-Connected
- Upgrade a WildFire Cluster from Panorama with an Internet Connection
- Upgrade a WildFire Cluster from Panorama without an Internet Connection
- Upgrade Firewalls When Panorama Is Internet-Connected
- Upgrade Firewalls When Panorama Is Not Internet-Connected
- Upgrade a ZTP Firewall
- Revert Content Updates from Panorama
-
Upgrade/Downgrade Considerations
Upgrade/downgrade considerations for PAN-OS 10.1.
The following table lists the new features that have
upgrade or downgrade impact. Make sure you understand all upgrade/downgrade
considerations before you upgrade to or downgrade from a PAN-OS
10.1 release. For additional information about PAN-OS 10.1 releases,
refer to the PAN-OS 10.1 Release Notes.
Feature | Upgrade Considerations | Downgrade Considerations |
---|---|---|
LSVPN Satellite Authentication | Upon upgrade to 10.1, any GlobalProtect
LSVPN satellites that previously authenticated to the portal using
serial numbers will now require manual username and password authentication
using an authentication profile configured for local database authentication
for the initial portal authentication. After successful authentication,
the portal will generate a satellite cookie that will be used to
authenticate subsequent sessions with the satellite. Additionally,
if you upgrade your portal to PAN-OS 10.1, but you still have satellites
running an earlier PAN-OS release, those satellites will no longer
be able to authenticate with the portal because they do not support
satellite cookie authentication. To workaround this issue, you will
need to upgrade your satellite devices to version 10.1 or later. | |
Log Collection | After successful upgrade to
PAN-OS 10.1, only downgrade to PAN-OS 10.0.8 or later PAN-OS 10.0
release for any Dedicated Log Collector or Panorama with a local
Log Collector configured is supported. All logs stored on
a Dedicated Log Collector or a local Log Collector become inaccessible
on downgrade to PAN-OS 10.0.7 or earlier PAN-OS release. Additionally,
the Dedicated Log Collector and local Log Collector cannot ingest
new logs after downgrade to PAN-OS 10.0.7 or earlier release. | |
GlobalProtect App for Android Configuration from
an MDM | Upon upgrade to PAN-OS 10.1, the keyword
to configure Per-App VPN on Android devices changed from block list and allow list to blocklist and allow list. Upon
upgrade, modify the app_list setting for your Android MDM configurations
to use the new keywords. | Before downgrading, revert the app_list
keyword setting for your Android MDM configuration back to the previous block list and allow list. |
Unique Master Key for a Managed Firewall | None. | Before downgrading to PAN-OS 10.0, you must deploy an identical master key for Panorama and all managed firewalls, Log Collectors, and WildFire appliances. |
FIPS-CC Mode | If a local administrator changes their password,
the new password must be 8 characters or longer in FIPS-CC mode. | |
5G Multi-Edge Security | None. | To ensure your network protection is uninterrupted
by the downgrade, we recommend that you disable PFCP in the Mobile Network
Protection profile before downgrading so you can edit the same profile
or select the recommended configuration file when downgrading to
ensure a compatible configuration. If you downgrade from PAN-OS
10.1 to an earlier version and you have configured a Mobile Network
Protection Profile to use 5G Multi-Edge Security, the PFCP option
is removed from the profile and all other options (IMSI/APN/RAT
filtering, GTP-U tunnel limiting, GTPv1-C stateful inspection, GTPv2-C
stateful inspection, 5G-HTTP2 for 5G-C, and end user IP address
spoofing for GTP-U) will be unavailable after restarting the firewall.
You must create a new Mobile Network Protection Profile that enables
GTPv1-C stateful inspection, GTPv2-C stateful inspection, or 5G-HTTP2
for 5G-C. Because the PFCP App-ID is available in PAN-OS 10.0, PFCP traffic
is allowed if you have an App-ID rule to allow it but the firewall
does not inspect the traffic. |
Cloud Authentication Service | None. | If you are currently using an authentication
profile with the Cloud Authentication Service in your security policy,
the downgrade is blocked with an error message. Before downgrading,
you must revert any authentication profiles that use the Cloud Authentication Service
to another method. |
Cloud Identity Engine | None. | Downgrading removes the Cloud Identity Engine profile information
from the group mapping and user mapping configurations and from the
instance on the cloud. Any groups used in security policies and
configurations are not removed during downgrade. |
Group Mapping Centralization for Virtual System
Hubs | None. | Any virtual system hub configurations that
are configured to share group mappings are reverted to user mappings
only. |
Device Certificate for Strata Logging Service | Install a device certificate on
the device before you Upgrade the firewall
to PAN-OS 10.1. Otherwise, you have to reboot twice: once
after upgrading and once after installing the certificate. | If you are using the device certificate
to connect to Strata Logging Service and decide to downgrade, then you
may need to reinstall the old certificate on your Panorama-managed or unmanaged firewalls. This
is only necessary if the old certificate expired. |
Device Registration Authentication Key PAN-OS 10.1.3
and later releases only | The device registration authentication key
length is increased when you successfully upgrade the Panorama management
server to PAN 10.1.3. Panorama supports onboarding a firewalls, Dedicated Log Collectors,
and WildFire appliances running
the following releases:
| None. |
Predefined Reports | After successful upgrade of the Panorama
management server to PAN-OS 10.1, managed firewalls running PAN-OS
9.1 or earlier release are unable to generate predefined reports (MonitorReports)
because of the addition of the src_dag and dst_dag log
fields. Workaround: Create custom reports (MonitorManage Custom Reports)
that mimic the failing predefined reports. | None. |
PA-5200 Series, PA-7000 Series, WF-500, and WF-500-B Firewalls
|
While upgrading to PAN-OS 10.1, the firewall may perform a file
system integrity check (FSCK), displaying the following message:
RAID log disks check in progress, please
wait.
The FSCK is required for the upgrade and may take an hour or more. Do
not reboot or attempt to install another software release while the
FSCK is in progress.
|
None.
|