Upgrade/Downgrade Considerations

Upgrade/downgrade considerations for PAN-OS 10.1.
The following table lists the new features that have upgrade or downgrade impact. Make sure you understand all upgrade/downgrade considerations before you upgrade to or downgrade from a PAN-OS 10.1 release. For additional information about PAN-OS 10.1 releases, refer to the PAN-OS 10.1 Release Notes.
PAN-OS 10.1 Upgrade/Downgrade Considerations
Feature | Upgrade Considerations | Downgrade Considerations
LSVPN Satellite Authentication
Upon upgrade to 10.1, any GlobalProtect LSVPN satellites that previously authenticated to the portal using serial numbers will now require manual username and password authentication using an authentication profile configured for local database authentication for the initial portal authentication. After successful authentication, the portal will generate a satellite cookie that will be used to authenticate subsequent sessions with the satellite.
Additionally, if you upgrade your portal to PAN-OS 10.1, but you still have satellites running an earlier PAN-OS release, those satellites will no longer be able to authenticate with the portal because they do not support satellite cookie authentication. To work around this issue, you will need to upgrade your satellite devices to version 10.1 or later.
Log Collection
After a successful upgrade to PAN-OS 10.1, a Dedicated Log Collector or a Panorama with a local Log Collector configured supports downgrade only to PAN-OS 10.0.8 or a later PAN-OS 10.0 release.
All logs stored on a Dedicated Log Collector or a local Log Collector become inaccessible on downgrade to PAN-OS 10.0.7 or earlier PAN-OS release. Additionally, the Dedicated Log Collector and local Log Collector cannot ingest new logs after downgrade to PAN-OS 10.0.7 or earlier release.
GlobalProtect App for Android Configuration from an MDM
Upon upgrade to PAN-OS 10.1, the keyword to configure Per-App VPN on Android devices changed from block list and allow list to blocklist and allow list.
Upon upgrade, modify the app_list setting for your Android MDM configurations to use the new keywords.
Before downgrading, revert the app_list keyword setting for your Android MDM configuration back to the previous block list and allow list.
Unique Master Key for a Managed Firewall
None.
Before downgrading to PAN-OS 10.0, you must deploy an identical master key for Panorama and all managed firewalls, Log Collectors, and WildFire appliances.
FIPS-CC Mode
If a local administrator changes their password, the new password must be 8 characters or longer in FIPS-CC mode.
5G Multi-Edge Security
None.
To ensure your network protection is uninterrupted by the downgrade, we recommend that you disable PFCP in the Mobile Network Protection profile before downgrading so you can edit the same profile or select the recommended configuration file when downgrading to ensure a compatible configuration.
If you downgrade from PAN-OS 10.1 to an earlier version and you have configured a Mobile Network Protection Profile to use 5G Multi-Edge Security, the PFCP option is removed from the profile and all other options (IMSI/APN/RAT filtering, GTP-U tunnel limiting, GTPv1-C stateful inspection, GTPv2-C stateful inspection, 5G-HTTP2 for 5G-C, and end user IP address spoofing for GTP-U) will be unavailable after restarting the firewall. You must create a new Mobile Network Protection Profile that enables GTPv1-C stateful inspection, GTPv2-C stateful inspection, or 5G-HTTP2 for 5G-C. Because the PFCP App-ID is available in PAN-OS 10.0, PFCP traffic is allowed if you have an App-ID rule to allow it but the firewall does not inspect the traffic.
Cloud Authentication Service
None.
If you are currently using an authentication profile with the Cloud Authentication Service in your security policy, the downgrade is blocked with an error message. Before downgrading, you must revert any authentication profiles that use the Cloud Authentication Service to another method.
Cloud Identity Engine
None.
Downgrading removes the Cloud Identity Engine profile information from the group mapping and user mapping configurations and from the instance on the cloud. Any groups used in security policies and configurations are not removed during downgrade.
Group Mapping Centralization for Virtual System Hubs
None.
Any virtual system hub configurations that are configured to share group mappings are reverted to user mappings only.
Device Certificate for Strata Logging Service
Install a device certificate on the device before you upgrade the firewall to PAN-OS 10.1. Otherwise, you have to reboot twice: once after upgrading and once after installing the certificate.
If you are using the device certificate to connect to Strata Logging Service and decide to downgrade, then you may need to reinstall the old certificate on your Panorama-managed or unmanaged firewalls. This is only necessary if the old certificate expired.
Device Registration Authentication Key
PAN-OS 10.1.3 and later releases only
The device registration authentication key length is increased when you successfully upgrade the Panorama management server to PAN-OS 10.1.3.
Panorama supports onboarding firewalls, Dedicated Log Collectors, and WildFire appliances running the following releases:
  • Panorama running PAN-OS 10.1.2 or an earlier PAN-OS 10.1 release: devices running PAN-OS 10.1.2 or an earlier PAN-OS 10.1 release, and devices running PAN-OS 10.0 or an earlier PAN-OS release.
  • Panorama running PAN-OS 10.1.3 or a later release: devices running PAN-OS 10.1.3 or a later release, and devices running PAN-OS 10.0 or an earlier PAN-OS release.
None.
Predefined Reports
After successful upgrade of the Panorama management server to PAN-OS 10.1, managed firewalls running PAN-OS 9.1 or earlier release are unable to generate predefined reports (Monitor > Reports) because of the addition of the src_dag and dst_dag log fields.
Workaround: Create custom reports (Monitor > Manage Custom Reports) that mimic the failing predefined reports.
None.
PA-5200 Series, PA-7000 Series, WF-500, and WF-500-B Firewalls
While upgrading to PAN-OS 10.1, the firewall may perform a file system integrity check (FSCK), displaying the following message: RAID log disks check in progress, please wait.
The FSCK is required for the upgrade and may take an hour or more. Do not reboot or attempt to install another software release while the FSCK is in progress.
None.
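
The version rules in the LSVPN, Log Collection, Device Registration Authentication Key, and Predefined Reports rows can be checked against a device inventory before a change window. The following is an added example, not Palo Alto Networks code; the inventory format, role labels, device names, and function names are assumptions made for illustration.

```python
import re

def parse(version):
    """'10.1.3-h2' -> (10, 1, 3); any hotfix suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if m is None:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(part or 0) for part in m.groups())

def can_onboard(panorama, device):
    """Device registration authentication key rule (key length changes at 10.1.3)."""
    p, d = parse(panorama), parse(device)
    if p < (10, 1, 0):
        raise ValueError("the table only covers Panorama on PAN-OS 10.1 or later")
    if d < (10, 1, 0):      # 10.0 or earlier: accepted by any 10.1 Panorama
        return True
    # Otherwise Panorama and device must be on the same side of 10.1.3.
    return (p >= (10, 1, 3)) == (d >= (10, 1, 3))

def log_collector_downgrade_ok(target):
    """Logs stay readable only on 10.0.8 or a later 10.0 release."""
    t = parse(target)
    return t[:2] == (10, 0) and t >= (10, 0, 8)

def upgrade_findings(inventory, panorama_target):
    """Return (device name, issue) pairs for a move of Panorama/portal to 10.1."""
    findings = []
    for dev in inventory:
        v = parse(dev["version"])
        if dev["role"] == "lsvpn-satellite" and v < (10, 1, 0):
            findings.append((dev["name"], "no satellite cookie support: upgrade to 10.1+"))
        if dev["role"] == "firewall" and v[:2] <= (9, 1):
            findings.append((dev["name"], "predefined reports fail: build custom reports"))
        if dev["role"] != "lsvpn-satellite" and not can_onboard(panorama_target, dev["version"]):
            findings.append((dev["name"], "cannot be onboarded by this Panorama release"))
    return findings

# Constructed inventory; names, roles and versions are illustrative only.
INVENTORY = [
    {"name": "branch-sat-1", "role": "lsvpn-satellite", "version": "10.0.6"},
    {"name": "edge-fw-1", "role": "firewall", "version": "9.1.10"},
    {"name": "dc-fw-1", "role": "firewall", "version": "10.1.2"},
    {"name": "lc-1", "role": "log-collector", "version": "10.1.3"},
]

if __name__ == "__main__":
    for name, issue in upgrade_findings(INVENTORY, "10.1.3"):
        print(f"{name}: {issue}")
```

The onboarding finding applies to devices that still have to be added to Panorama, and a failed log_collector_downgrade_ok check means stored logs become inaccessible and new logs are not ingested after the downgrade.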