Upgrade/Downgrade Considerations

Upgrade/downgrade considerations for PAN-OS 10.1.
The following table lists the new features that have upgrade or downgrade impact. Make sure you understand all upgrade/downgrade considerations before you upgrade to or downgrade from a PAN-OS 10.1 release. For additional information about PAN-OS 10.1 releases, refer to the PAN-OS 10.1 Release Notes.
PAN-OS 10.1 Upgrade/Downgrade Considerations
Upgrade Considerations
Downgrade Considerations
Log Collection
All logs stored on a Dedicated Log Collector or a local Log Collector become inaccessible on downgrade to PAN-OS 10.0. Additionally, the Dedicated Log Collector and local Log Collector cannot ingest new logs after downgrade to PAN-OS 10.0.
Unique Master Key for a Managed Firewall
Before downgrading to PAN-OS 10.0, you must deploy an identical master key for Panorama and all managed firewalls, Log Collectors, and WildFire appliances.
If a local administrator changes their password, the new password must be 8 characters or longer in FIPS-CC mode.
5G Multi-Edge Security
To ensure your network protection is uninterrupted by the downgrade, we recommend that you disable PFCP in the Mobile Network Protection profile before downgrading so you can edit the same profile or select the recommended configuration file when downgrading to ensure a compatible configuration.
If you downgrade from PAN-OS 10.1 to an earlier version and you have configured a Mobile Network Protection Profile to use 5G Multi-Edge Security, the PFCP option is removed from the profile and all other options (IMSI/APN/RAT filtering, GTP-U tunnel limiting, GTPv1-C stateful inspection, GTPv2-C stateful inspection, 5G-HTTP2 for 5G-C, and end user IP address spoofing for GTP-U) will be unavailable after restarting the firewall. You must create a new Mobile Network Protection Profile that enables GTPv1-C stateful inspection, GTPv2-C stateful inspection, or 5G-HTTP2 for 5G-C. Because the PFCP App-ID is available in PAN-OS 10.0, PFCP traffic is allowed if you have an App-ID rule to allow it but the firewall does not inspect the traffic.
Cloud Authentication Service
If you are currently using an authentication profile with the Cloud Authentication Service in your security policy, the downgrade is blocked with an error message. Before downgrading, you must revert any authentication profiles that use the Cloud Authentication Service to another method.
Cloud Identity Engine
Downgrading removes the Cloud Identity Engine profile information from the group mapping and user mapping configurations and from the instance on the cloud. Any groups used in security policies and configurations are not removed during downgrade.
Group Mapping Centralization for Virtual System Hubs
Any virtual system hub configurations that are configured to share group mappings are reverted to user mappings only.
Collector Group for a Panorama HA pair in an Active/Passive High Availability Configuration
Local Log Collectors for Panorama management servers in active/passive high availability (HA) configuration cannot be added to the same Collector Group (
Collector Groups
Before you upgrade your Panorama servers to PAN-OS 10.1.0, configure HA (
High Availability
), add the local Log Collectors of the HA peers to the same Collector Group, and upgrade to PAN 10.1.0.
Device Certificate for Cortex Data Lake
Install a device certificate on the device before you Upgrade the firewall to PAN-OS 10.1. Otherwise, you have to reboot twice: once after upgrading and once after installing the certificate.
If you are using the device certificate to connect to Cortex Data Lake and decide to downgrade, then you may need to reinstall the old certificate on your Panorama-managed or unmanaged firewalls. This is only necessary if the old certificate expired.

Recommended For You