1. Home
    2. PAN-OS
    3. PAN-OS Upgrade Guide
    4. Upgrade PAN-OS
    5. Upgrade/Downgrade Considerations

    Upgrade/Downgrade Considerations

    Upgrade/downgrade considerations for PAN-OS 10.2.
    The following table lists the new features that have upgrade or downgrade impact. Make sure you understand all upgrade/downgrade considerations before you upgrade to or downgrade from a PAN-OS 10.2 release. For additional information about PAN-OS 10.2 releases, refer to the PAN-OS 10.2 Release Notes.
    Feature
    Upgrade Considerations
    Downgrade Considerations
    None.
    Downgrading from PAN-OS 10.2 to an earlier PAN-OS release requires that you first downgrade to PAN-OS 10.1.3 or later PAN-OS 10.2 release. After you successfully downgrade to PAN-OS 10.1.3 or later PAN-OS 10.2 release, you can continue along your downgrade path to your target PAN-OS release.
    Panorama Plugins
    • AWS Plugin
    • Azure Plugin
    • Kubernetes Plugin
    • Software Firewall Licensing Plugin
    • PAN-OS SD-WAN Plugin
    • IPS Signature Converter Plugin
    • ZTP Plugin
    • Enterprise DLP Plugin
    • Openconfig Plugin
    • GCP Plugin
    • Cisco ACI Plugin
    • Nutanix Plugin
    • VCenter Plugin
    Before you upgrade to PAN-OS 10.2, you must download the Panorama plugin version supported on PAN-OS 10.2 for all plugins installed on Panorama. This is required to successfully upgrade to PAN-OS 10.2. See the list of Compatible Plugin Versions for PAN-OS 10.2 for more information.
    To downgrade from PAN-OS 10.2, you must download the Panorama plugin version supported on PAN-OS 10.1 and earlier releases for all plugins installed on Panorama. See the Panorama Plugins Compatibility Matrix for more information.
    (
    Enterprise DLP
    ) After upgrading Panorama to PAN-OS 10.2, you must install Application and Threats content release version
    8520
     on all managed firewalls running PAN-OS 10.2 or earlier release. This is required to successfully push configuration changes to managed firewalls leveraging Enterprise DLP that you did not upgrade to PAN-OS 10.2.
    (
    Enterprise DLP
    ) Loading a Panorama configuration backup that does contain the Shared Enterprise DLP configuration deletes the shared App exclusion filter required to scan non-file based traffic.
    (
    SD-WAN
    ) Panorama plugin for SD-WAN 2.2 and earlier releases are not supported in PAN-OS 10.2.
    Upgrading a Panorama management server to PAN-OS 10.2 when the Panorama plugin for SD-WAN 2.2 or earlier release is installed causes the SD-WAN plugin to be hidden in the Panorama web interface or causes the SD-WAN configuration to be deleted. In both cases, you are unable to install a new SD-WAN plugin version or uninstall the SD-WAN plugin.
    (
    Enterprise DLP
    ) After downgrading from PAN-OS 10.2.1 and Enterprise DLP plugin 3.0.1 to PAN-OS 10.1.0 and Enterprise DLP plugin 1.0.0, data filtering profiles created on Panorama for non-file inspection are automatically converted into file-based data filtering profiles.
    VM-Series Firewalls
    When upgrading the VM-Series firewall running PAN-OS 10.1.0, 10.1.1, 10.1.2, 10.1.3, or 10.1.4 in an HA deployment, you must first upgrade the VM-Series plugin to version 2.1.5 before upgrading to PAN-OS 10.2.
    Additionally, the upgrade must be performed in the following order.
    1. Upgrade VM-Series plugin to 2.1.5 on the Active peer.
    2. Upgrade VM-Series plugin to 2.1.5 on the Passive peer.
    3. Upgrade PAN-OS to 10.2 on the Passive peer.
    4. Upgrade PAN-OS to 10.2 on the Active peer.
    Before downgrading the VM-Series firewall from PAN-OS 10.2 to PAN-OS 10.1.3, you must first download the VM-Series plugin to 2.1.4.
    FIPS-CC
    For Panorama and all managed devices in FIPS-CC mode, you must reset the secure connection status of all FIPS-CC devices and re-onboard any managed device added to Panorama when the device was running a PAN-OS 10.2 release. This applies to:
    • Panorama in FIPS-CC mode
    • Firewalls, Dedicated Log Collectors, and WildFire appliances in FIPS-CC mode added to Panorama while running a PAN-OS 10.2 release using the device registration authentication key
    This does not apply to managed devices added to Panorama management when the device was running PAN-OS 10.0 or earlier release.
    None.
    Syslog Server Profile
    After successfully upgrading to PAN-OS 10.2, you may be prompted with a warning during reboot that the syslog configuration file format is too old if you have an external syslog server configured (
    Device
    Server Profiles
    Syslog
     or
    Panorama
    Server Profiles
    Syslog
    ).
    To resolve this, log in to the firewall CLI or Panorama CLI after the reboot where the warning is displayed and force commit.
    admin>
     configure
    admin#
     commit force
    None.
    Multi-Vsys Firewalls
    After you successfully upgrade a managed multi-vsys firewall to PAN-OS 10.2, the firewalls become
    out-of-sync
     on Panorama. Select
    Commit
     and
    Push to Devices
     the entire Panorama managed configuration to the multi-vsys firewall before you commit and push any configuration changes from Panorama.
    You must push the current Panorama managed configuration to your managed multi-vsys firewall after a successful upgrade to PAN-OS 10.2 or all subsequent pushes of any configuration changes will fail.
    Before you push the current Panorama managed configuration, you must delete or rename any locally configured Shared object that has an identical name to an object in the Panorama Shared configuration. Otherwise, the push from Panorama fails and displays the error
    <object-name> is already in use
    .
    All objects in the Panorama Shared location on the multi-vsys firewall are replicated to each vsys.
    Before you downgrade to PAN-OS 10.2 or earlier release, save and export Panorama and firewall configurations.
    Multiple Certificate Support for SSL Inbound Inspection
    None.
    If you configure SSL Inbound Inspection policy rules with multiple certificates and later downgrade from PAN-OS 10.2 to an earlier PAN-OS version, the policy rule on the downgraded firewall inherits only the first certificate from the alphabetically-sorted list of certificates.
    Before downgrading, we recommend setting up a different template or device group for firewalls running PAN-OS 10.1 and earlier to ensure you push the correct policy rule and certificate to these firewalls.
    Certificate Management
    You must generate or import all new certificates with the following minimum requirements for PAN-OS 10.2.
    • RSA 2048 bits or greater, or ECDSA 256 bits or greater
    • Digest of SHA256 or greater
    This is required to continue using Captive Portal authentication and to avoid errors associated with the new minimum certificate requirements for PAN-OS 10.2 with PAN-OS 10.2, for existing certificates with a digest of SHA1 and MD5 along with keys using below 2048 bits.
    None.
    Scheduled Config Push
    None.
    If you created a Scheduled Config Push (
    Panorama
    Scheduled Config Push
    ) to managed firewalls from Panorama to include the configuration changes of multiple Panorama administrators, you must remove the additional administrators from the Admin Scope of the Scheduled Config Push.
    Downgrade from PAN-OS 10.2 is blocked if the Admin Scope of a Scheduled Config Push includes multiple administrators.
    IKE Crypto Profiles and IPSec Crypto Profiles
    If you have configured an IKE crypto profile or IPSec crypto profile to use
    des
     as the encryption algorithm and another encryption algorithm, PAN-OS uses the alternate encryption algorithm after upgrading to PAN-OS 10.2.0. If
    des
     is the only encryption method, PAN-OS updates the encryption method to
    3des
     after upgrading to PAN-OS 10.2.0.
    After downgrading from PAN-OS 10.2 to a previous version, if you have configured Group 15, Group 16, or Group 21 as the encryption algorithm, that group is reconfigured to the next highest group. For example, if the configuration uses Group 21 after upgrading, then after downgrading, PAN-OS uses Group 20.
    URL Filtering Inline ML
    The URL Filtering Inline ML feature is now configured through
    Inline Categorization
     instead of
    Inline ML
    . The previously available option to define a policy action for each URL Filtering inline ML model is no longer available - all policy actions are dictated by the global URL category settings
    Objects
    Security Profiles
    URL Filtering
    Categories
    . Upon upgrade to PAN-OS 10.2, if user-defined inline ML actions are present, they are deleted and the global URL category settings take precedence.
    Configuration options for Local Inline Categorization is available under the Inline ML of the URL Filtering security profile.
    Advanced Threat Prevention Inline Cloud Analysis
    None.
    Upon downgrade to PAN-OS 10.1 and earlier, the Advanced Threat Prevention license will display on the firewall, however, Inline Cloud Analysis functionality will not be present. All other Threat Prevention features in the downgrade release will function normally.
    Dynamic User Groups and User-ID
    After downgrading from PAN-OS 10.2.0 to a previous version, the firewall clears all User-ID mappings and dynamic user group tags. After downgrading, the firewall must relearn the mappings from the sources and you must recreate the tags for the dynamic user groups; until this occurs, the firewall cannot enforce security policy for these mappings or dynamic user groups as a source.
    Security Policy Rules
    After you enable
    Wildcard Top Down Match Mode
     and commit, this mode is not backward compatible. If you subsequently downgrade to an earlier release, the downgrade can break Security policy rules and affect traffic. Also the increase in the number of wildcard address objects supported is not backward compatible with any earlier release that has a limit of 1,000 entries. Back up your configuration before downgrading.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo