Upgrade/downgrade considerations for PAN-OS 10.2.
The following table lists the new features that have upgrade or downgrade impact. Make sure you understand all upgrade/downgrade considerations before you upgrade to or downgrade from a PAN-OS 10.2 release. For additional information about PAN-OS 10.2 releases, refer to the PAN-OS 10.2 Release Notes.
Downgrading from PAN-OS 10.2 to an earlier PAN-OS release requires that you first downgrade to PAN-OS 10.1.3 or later PAN-OS 10.2 release. After you successfully downgrade to PAN-OS 10.1.3 or later PAN-OS 10.2 release, you can continue along your downgrade path to your target PAN-OS release.
Before you upgrade to PAN-OS 10.2, you must download the Panorama plugin version supported on PAN-OS 10.2 for all plugins installed on Panorama. This is required to successfully upgrade to PAN-OS 10.2. See the list of Compatible Plugin Versions for PAN-OS 10.2 for more information.
To downgrade from PAN-OS 10.2, you must download the Panorama plugin version supported on PAN-OS 10.1 and earlier releases for all plugins installed on Panorama. See the Panorama Plugins Compatibility Matrix for more information.
(Enterprise DLP) After upgrading Panorama to PAN-OS 10.2, you must install Application and Threats content release version 8520 on all managed firewalls running PAN-OS 10.2 or earlier release. This is required to successfully push configuration changes to managed firewalls leveraging Enterprise DLP that you did not upgrade to PAN-OS 10.2.
(SD-WAN) Panorama plugin for SD-WAN 2.2 and earlier releases are not supported in PAN-OS 10.2.
Upgrading a Panorama management server to PAN-OS 10.2 when the Panorama plugin for SD-WAN 2.2 or earlier release is installed causes the SD-WAN plugin to be hidden in the Panorama web interface or causes the SD-WAN configuration to be deleted. In both cases, you are unable to install a new SD-WAN plugin version or uninstall the SD-WAN plugin.
(Enterprise DLP) After downgrading from PAN-OS 10.2.1 and Enterprise DLP plugin 3.0.1 to PAN-OS 10.1.0 and Enterprise DLP plugin 1.0.0, data filtering profiles created on Panorama for non-file inspection are automatically converted into file-based data filtering profiles.
When upgrading the VM-Series firewall running PAN-OS 10.1.0, 10.1.1, 10.1.2, 10.1.3, or 10.1.4 in an HA deployment, you must first upgrade the VM-Series plugin to version 2.1.5 before upgrading to PAN-OS 10.2.
Additionally, the upgrade must be performed in the following order.
Before downgrading the VM-Series firewall from PAN-OS 10.2 to PAN-OS 10.1.3, you must first download the VM-Series plugin to 2.1.4.
For Panorama and all managed devices in FIPS-CC mode, you must reset the secure connection status of all FIPS-CC devices and re-onboard any managed device added to Panorama when the device was running a PAN-OS 10.2 release. This applies to:
This does not apply to managed devices added to Panorama management when the device was running PAN-OS 10.0 or earlier release.
Syslog Server Profile
After successfully upgrading to PAN-OS 10.2, you may be prompted with a warning during reboot that the syslog configuration file format is too old if you have an external syslog server configured (
After you successfully upgrade a managed multi-vsys firewall to PAN-OS 10.2, the firewall becomes out-of-sync on Panorama. Select Push to Devices to push the entire Panorama managed configuration to the multi-vsys firewall before you commit and push any configuration changes from Panorama.
You must push the current Panorama managed configuration to your managed multi-vsys firewall after a successful upgrade to PAN-OS 10.2 or all subsequent pushes of any configuration changes will fail.
Before you push the current Panorama managed configuration, you must delete or rename any locally configured Shared object that has an identical name to an object in the Panorama Shared configuration. Otherwise, the push from Panorama fails and displays the error
<object-name> is already in use.
All objects in the Panorama Shared location on the multi-vsys firewall are replicated to each vsys.
Before you downgrade to PAN-OS 10.2 or earlier release, save and export Panorama and firewall configurations.
Multiple Certificate Support for SSL Inbound Inspection
If you configure SSL Inbound Inspection policy rules with multiple certificates and later downgrade from PAN-OS 10.2 to an earlier PAN-OS version, the policy rule on the downgraded firewall inherits only the first certificate from the alphabetically-sorted list of certificates.
You must generate or import all new certificates with the following minimum requirements for PAN-OS 10.2.
This is required to continue using Captive Portal authentication and to avoid errors associated with the new minimum certificate requirements for PAN-OS 10.2, which apply to existing certificates with a SHA1 or MD5 digest along with keys smaller than 2048 bits.
Scheduled Config Push
If you created a Scheduled Config Push (
) to managed firewalls from Panorama to include the configuration changes of multiple Panorama administrators, you must remove the additional administrators from the Admin Scope of the Scheduled Config Push.
Scheduled Config Push
Downgrade from PAN-OS 10.2 is blocked if the Admin Scope of a Scheduled Config Push includes multiple administrators.
IKE Crypto Profiles and IPSec Crypto Profiles
If you have configured an IKE crypto profile or IPSec crypto profile to use des as the encryption algorithm and another encryption algorithm, PAN-OS uses the alternate encryption algorithm after upgrading to PAN-OS 10.2.0. If des is the only encryption method, PAN-OS updates the encryption method to 3des after upgrading to PAN-OS 10.2.0.
After downgrading from PAN-OS 10.2 to a previous version, if you have configured Group 15, Group 16, or Group 21 as the encryption algorithm, that group is reconfigured to the next highest group. For example, if the configuration uses Group 21 after upgrading, then after downgrading, PAN-OS uses Group 20.
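An added example, not taken from the Palo Alto Networks documentation: a pre-change audit that reads an exported configuration and reports which IKE and IPSec crypto profiles the des and Group 15/16/21 rules above will alter. The XML layout, the profile names and the group15/group16/group21 value spelling are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the element layout is an assumed approximation of an exported config.
SAMPLE_CONFIG = """
<config><network><ike><crypto-profiles>
  <ike-crypto-profiles>
    <entry name="legacy-peer">
      <encryption><member>des</member></encryption>
      <dh-group><member>group2</member></dh-group>
    </entry>
    <entry name="mixed">
      <encryption><member>des</member><member>aes-256-cbc</member></encryption>
      <dh-group><member>group21</member></dh-group>
    </entry>
  </ike-crypto-profiles>
  <ipsec-crypto-profiles>
    <entry name="modern">
      <esp><encryption><member>aes-256-gcm</member></encryption></esp>
      <dh-group>group20</dh-group>
    </entry>
  </ipsec-crypto-profiles>
</crypto-profiles></ike></network></config>
"""

DOWNGRADE_GROUPS = {"group15", "group16", "group21"}  # value spelling assumed

def audit_crypto_profiles(xml_text):
    """Map each IKE/IPSec crypto profile name to its upgrade/downgrade notes."""
    findings = {}
    root = ET.fromstring(xml_text)
    for kind in ("ike-crypto-profiles", "ipsec-crypto-profiles"):
        for profile in root.findall(f".//{kind}/entry"):
            notes = []
            enc = [m.text.strip() for m in profile.findall(".//encryption/member") if m.text]
            others = [e for e in enc if e != "des"]
            if "des" in enc and others:
                notes.append("upgrade: des dropped, " + ",".join(others) + " used")
            elif "des" in enc:
                notes.append("upgrade: des replaced by 3des")
            dh = profile.find("dh-group")
            groups = {t.strip() for t in dh.itertext() if t.strip()} if dh is not None else set()
            for g in sorted(groups & DOWNGRADE_GROUPS):
                notes.append("downgrade: " + g + " is reconfigured")
            findings[profile.get("name")] = notes
    return findings

if __name__ == "__main__":
    for name, notes in audit_crypto_profiles(SAMPLE_CONFIG).items():
        print(name, notes or ["no change expected"])
```

A des-only profile silently becoming 3des is worth reviewing with the VPN peer's administrator before the upgrade window, since both ends must still agree on a proposal.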
URL Filtering Inline ML
The URL Filtering Inline ML feature is now configured through Inline Categorization instead of Inline ML. The previously available option to define a policy action for each URL Filtering inline ML model is no longer available; all policy actions are dictated by the global URL category settings. Upon upgrade to PAN-OS 10.2, if user-defined inline ML actions are present, they are deleted and the global URL category settings take precedence.
Configuration options for Local Inline Categorization are available under the Inline ML of the URL Filtering security profile.
Advanced Threat Prevention Inline Cloud Analysis
Upon downgrade to PAN-OS 10.1 and earlier, the Advanced Threat Prevention license will display on the firewall; however, Inline Cloud Analysis functionality will not be present. All other Threat Prevention features in the downgrade release will function normally.
Dynamic User Groups and User-ID
After downgrading from PAN-OS 10.2.0 to a previous version, the firewall clears all User-ID mappings and dynamic user group tags. After downgrading, the firewall must relearn the mappings from the sources and you must recreate the tags for the dynamic user groups; until this occurs, the firewall cannot enforce security policy for these mappings or dynamic user groups as a source.
Security Policy Rules
After you enable Wildcard Top Down Match Mode and commit, this mode is not backward compatible. If you subsequently downgrade to an earlier release, the downgrade can break Security policy rules and affect traffic. Also, the increase in the number of wildcard address objects supported is not backward compatible with any earlier release that has a limit of 1,000 entries. Back up your configuration before downgrading.