Upgrade/Downgrade Considerations
Upgrade/downgrade considerations for PAN-OS 10.1.
The following table lists the new features that have
upgrade or downgrade impact. Make sure you understand all upgrade/downgrade
considerations before you upgrade to or downgrade from a PAN-OS
10.1 release. For additional information about PAN-OS 10.1 releases,
refer to the PAN-OS 10.1 Release Notes.
Feature | Upgrade Considerations | Downgrade Considerations |
---|---|---|
LSVPN Satellite Authentication | Upon upgrade to 10.1, any GlobalProtect LSVPN satellites that previously authenticated to the portal using serial numbers will now require manual username and password authentication using an authentication profile configured for local database authentication for the initial portal authentication. After successful authentication, the portal will generate a satellite cookie that will be used to authenticate subsequent sessions with the satellite. Additionally, if you upgrade your portal to PAN-OS 10.1, but you still have satellites running an earlier PAN-OS release, those satellites will no longer be able to authenticate with the portal because they do not support satellite cookie authentication. To work around this issue, you will need to upgrade your satellite devices to version 10.1 or later. | |
Log Collection | After a successful upgrade to PAN-OS 10.1, downgrade is supported only to PAN-OS 10.0.8 or a later PAN-OS 10.0 release for any Dedicated Log Collector or Panorama with a local Log Collector configured. All logs stored on a Dedicated Log Collector or a local Log Collector become inaccessible on downgrade to PAN-OS 10.0.7 or an earlier PAN-OS release. Additionally, the Dedicated Log Collector and local Log Collector cannot ingest new logs after downgrade to PAN-OS 10.0.7 or an earlier release. | |
GlobalProtect App for Android Configuration from an MDM | Upon upgrade to PAN-OS 10.1, the keyword to configure Per-App VPN on Android devices changed from block list and allow list to blocklist and allow list. Upon upgrade, modify the app_list setting for your Android MDM configurations to use the new keywords. | Before downgrading, revert the app_list keyword setting for your Android MDM configuration back to the previous block list and allow list. |
Unique Master Key for a Managed Firewall | None. | Before downgrading to PAN-OS 10.0, you must deploy an identical master key for Panorama and all managed firewalls, Log Collectors, and WildFire appliances. |
FIPS-CC Mode | If a local administrator changes their password, the new password must be 8 characters or longer in FIPS-CC mode. | |
5G Multi-Edge Security | None. | To ensure your network protection is uninterrupted by the downgrade, we recommend that you disable PFCP in the Mobile Network Protection profile before downgrading so you can edit the same profile or select the recommended configuration file when downgrading to ensure a compatible configuration. If you downgrade from PAN-OS 10.1 to an earlier version and you have configured a Mobile Network Protection Profile to use 5G Multi-Edge Security, the PFCP option is removed from the profile and all other options (IMSI/APN/RAT filtering, GTP-U tunnel limiting, GTPv1-C stateful inspection, GTPv2-C stateful inspection, 5G-HTTP2 for 5G-C, and end user IP address spoofing for GTP-U) will be unavailable after restarting the firewall. You must create a new Mobile Network Protection Profile that enables GTPv1-C stateful inspection, GTPv2-C stateful inspection, or 5G-HTTP2 for 5G-C. Because the PFCP App-ID is available in PAN-OS 10.0, PFCP traffic is allowed if you have an App-ID rule to allow it, but the firewall does not inspect the traffic. |
Cloud Authentication Service | None. | If you are currently using an authentication profile with the Cloud Authentication Service in your security policy, the downgrade is blocked with an error message. Before downgrading, you must revert any authentication profiles that use the Cloud Authentication Service to another method. |
Cloud Identity Engine | None. | Downgrading removes the Cloud Identity Engine profile information from the group mapping and user mapping configurations and from the instance on the cloud. Any groups used in security policies and configurations are not removed during downgrade. |
Group Mapping Centralization for Virtual System Hubs | None. | Any virtual system hub configurations that are configured to share group mappings are reverted to user mappings only. |
Device Certificate for Cortex Data Lake | Install a device certificate on the device before you upgrade the firewall to PAN-OS 10.1. Otherwise, you have to reboot twice: once after upgrading and once after installing the certificate. | If you are using the device certificate to connect to Cortex Data Lake and decide to downgrade, then you may need to reinstall the old certificate on your Panorama-managed or unmanaged firewalls. This is only necessary if the old certificate expired. |
Device Registration Authentication Key (PAN-OS 10.1.3 and later releases only) | The device registration authentication key length is increased when you successfully upgrade the Panorama management server to PAN-OS 10.1.3. Panorama supports onboarding firewalls, Dedicated Log Collectors, and WildFire appliances running the following releases: | None. |
Predefined Reports | After successful upgrade of the Panorama management server to PAN-OS 10.1, managed firewalls running PAN-OS 9.1 or an earlier release are unable to generate predefined reports (Monitor Reports src_dag and dst_dag log fields. Workaround: Create custom reports (Monitor Manage Custom Reports | None. |