Upgrade/Downgrade Considerations
Upgrade/downgrade considerations for PAN-OS 10.2.
The following table lists the new features that have
upgrade or downgrade impact. Make sure you understand all upgrade/downgrade
considerations before you upgrade to or downgrade from a PAN-OS
10.2 release. For additional information about PAN-OS 10.2 releases,
refer to the PAN-OS 10.2 Release Notes.
Feature | Upgrade Considerations | Downgrade Considerations |
---|---|---|
— | None. | Downgrading from PAN-OS 10.2 to an earlier PAN-OS
release requires that you first downgrade to PAN-OS 10.1.3 or later
PAN-OS 10.2 release. After you successfully downgrade to PAN-OS
10.1.3 or later PAN-OS 10.2 release, you can continue along your downgrade
path to your target PAN-OS release. |
Panorama Plugins
| Before you upgrade to PAN-OS 10.2, you must download
the Panorama plugin version supported on PAN-OS 10.2 for all plugins
installed on Panorama. This is required to successfully upgrade
to PAN-OS 10.2. See the list of Compatible Plugin Versions for
PAN-OS 10.2 for more information. | To downgrade from PAN-OS
10.2, you must download the Panorama plugin version supported on
PAN-OS 10.1 and earlier releases for all plugins installed on Panorama. See
the Panorama Plugins Compatibility
Matrix for more information. |
(Enterprise DLP) After upgrading Panorama
to PAN-OS 10.2, you must install Application and Threats content
release version 8520 on all managed
firewalls running PAN-OS 10.2 or earlier release. This is required
to successfully push configuration changes to managed firewalls leveraging
Enterprise DLP that you did not upgrade to PAN-OS 10.2. | ||
(Enterprise DLP) Loading a Panorama configuration
backup that does contain the Shared Enterprise DLP configuration
deletes the shared App exclusion filter required to scan non-file
based traffic. | ||
(SD-WAN) Panorama plugin for SD-WAN 2.2 and earlier releases are not supported in
PAN-OS 10.2. Upgrading a Panorama management server to PAN-OS
10.2 when the Panorama plugin for SD-WAN 2.2 or earlier release
is installed causes the SD-WAN plugin to be hidden in the Panorama
web interface or causes the SD-WAN configuration to be deleted.
In both cases, you are unable to install a new SD-WAN plugin version
or uninstall the SD-WAN plugin. | ||
(Enterprise DLP) After downgrading
from PAN-OS 10.2.1 and Enterprise DLP plugin 3.0.1 to PAN-OS 10.1.0
and Enterprise DLP plugin 1.0.0, data filtering profiles created
on Panorama for non-file inspection are automatically converted
into file-based data filtering profiles. | ||
VM-Series Firewalls | When upgrading the VM-Series firewall running PAN-OS
10.1.0, 10.1.1, 10.1.2, 10.1.3, or 10.1.4 in an HA deployment, you
must first upgrade the VM-Series plugin to version 2.1.5 before upgrading
to PAN-OS 10.2. Additionally, the upgrade must be performed
in the following order.
| Before downgrading the VM-Series firewall
from PAN-OS 10.2 to PAN-OS 10.1.3, you must first download the VM-Series
plugin to 2.1.4. |
FIPS-CC | For Panorama and all managed devices in
FIPS-CC mode, you must reset the secure connection status of all FIPS-CC
devices and re-onboard any managed device added to Panorama when
the device was running a PAN-OS 10.2 release. This applies to:
This does not apply to managed devices added to Panorama management when the
device was running PAN-OS 10.0 or earlier release. | None. |
Syslog Server Profile | After successfully upgrading to PAN-OS 10.2, you
may be prompted with a warning during reboot that the syslog configuration
file format is too old if you have an external syslog server configured (Device > Server Profiles > Syslog or Panorama > Server Profiles > Syslog). To
resolve this, log in to the firewall CLI or Panorama CLI after the
reboot where the warning is displayed and force commit.
| None. |
Multi-Vsys Firewalls | After you successfully upgrade a managed
multi-vsys firewall to PAN-OS 10.2, the firewalls become out-of-sync on
Panorama. Select Commit and Push
to Devices to push the entire Panorama managed configuration
to the multi-vsys firewall before you commit and push any configuration changes
from Panorama. You must push the current Panorama managed configuration
to your managed multi-vsys firewall after a successful upgrade to
PAN-OS 10.2 or all subsequent pushes of any configuration changes will
fail. Before you push the current Panorama managed configuration,
you must delete or rename any locally configured Shared object that has
an identical name to an object in the Panorama Shared configuration.
Otherwise, the push from Panorama fails and displays the error <object-name> is already in use. | All objects in the Panorama Shared location
on the multi-vsys firewall are replicated to each vsys. Before
you downgrade to PAN-OS 10.2 or earlier release, save and export Panorama and
firewall configurations. |
Multiple Certificate Support for SSL Inbound Inspection | None. | If you configure SSL Inbound Inspection
policy rules with multiple certificates and later downgrade from PAN-OS
10.2 to an earlier PAN-OS version, the policy rule on the downgraded firewall
inherits only the first certificate from the alphabetically-sorted
list of certificates. Before downgrading, we recommend setting
up a different template or device group for firewalls
running PAN-OS 10.1 and earlier to ensure you push the correct policy rule and certificate
to these firewalls. |
Certificate Management | You must generate or import
all new certificates with the following minimum requirements for
PAN-OS 10.2.
This is required to continue
using Captive Portal authentication and to avoid errors associated
with the new minimum certificate requirements for PAN-OS 10.2 for
existing certificates with a digest of SHA1 and MD5, along with keys
below 2048 bits. | None. |
Scheduled Config Push | None. | If you created a Scheduled Config Push (Panorama > Scheduled Config Push): Downgrade
from PAN-OS 10.2 is blocked if the Admin Scope of a Scheduled Config
Push includes multiple administrators. |
IKE Crypto Profiles and IPSec Crypto Profiles | If you have configured an IKE crypto profile
or IPSec crypto profile to use des as the
encryption algorithm and another encryption algorithm, PAN-OS uses
the alternate encryption algorithm after upgrading to PAN-OS 10.2.0.
If des is the only encryption method, PAN-OS
updates the encryption method to 3des after
upgrading to PAN-OS 10.2.0. | After downgrading from PAN-OS 10.2 to a
previous version, if you have configured Group 15, Group 16, or
Group 21 as the encryption algorithm, that group is reconfigured
to the next highest group. For example, if the configuration uses
Group 21 after upgrading, then after downgrading, PAN-OS uses Group
20. |
URL Filtering Inline ML | The URL Filtering Inline ML feature is now
configured through Inline Categorization instead
of Inline ML. The previously available option
to define a policy action for each URL Filtering inline ML model
is no longer available; all policy actions are dictated by the global
URL category settings (Objects > Security Profiles > URL Filtering > Categories). | Configuration options for Local Inline Categorization
are available under Inline ML in the URL Filtering security profile. |
Advanced Threat Prevention Inline Cloud Analysis | None. | Upon downgrade to PAN-OS 10.1 and earlier,
the Advanced Threat Prevention license will display on the firewall;
however, Inline Cloud Analysis functionality will not be present.
All other Threat Prevention features in the downgrade release will function
normally. |
Dynamic User Groups and User-ID | After downgrading from PAN-OS 10.2.0 to
a previous version, the firewall clears all User-ID mappings and dynamic
user group tags. After downgrading, the firewall must relearn the
mappings from the sources and you must recreate the tags for the
dynamic user groups; until this occurs, the firewall cannot enforce security
policy for these mappings or dynamic user groups as a source. | |
Security Policy Rules | After you enable Wildcard Top Down
Match Mode and commit, this mode is not backward compatible.
If you subsequently downgrade to an earlier release, the downgrade can
break Security policy rules and affect traffic. Also, the increase
in the number of wildcard address objects supported is not backward compatible
with any earlier release that has a limit of 1,000 entries. Back
up your configuration before downgrading. |
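
For the IKE Crypto Profiles and IPSec Crypto Profiles row above, one way to list the profiles that will change before you schedule the upgrade or downgrade. This is an added example, not Palo Alto Networks code; the XML element layout and the sample profile names are assumptions, constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The element layout is an assumption modelled on an
# exported PAN-OS configuration; adjust the paths to match your own export.
SAMPLE = """<config><network><ike><crypto-profiles>
 <ike-crypto-profiles>
  <entry name="legacy-peer"><encryption><member>des</member></encryption>
   <dh-group><member>group2</member></dh-group></entry>
  <entry name="mixed"><encryption><member>des</member><member>aes-256-cbc</member></encryption>
   <dh-group><member>group21</member></dh-group></entry>
  <entry name="modern"><encryption><member>aes-256-gcm</member></encryption>
   <dh-group><member>group20</member></dh-group></entry>
 </ike-crypto-profiles>
 <ipsec-crypto-profiles>
  <entry name="branch"><esp><encryption><member>des</member></encryption></esp>
   <dh-group>group15</dh-group></entry>
 </ipsec-crypto-profiles>
</crypto-profiles></ike></network></config>"""

# Groups the table says are reconfigured after a downgrade from 10.2.
DOWNGRADE_GROUPS = {"group15", "group16", "group21"}

def audit_crypto_profiles(xml_text):
    """Map 'ike:<name>' / 'ipsec:<name>' to the changes the table describes."""
    findings = {}
    root = ET.fromstring(xml_text)
    for kind in ("ike-crypto-profiles", "ipsec-crypto-profiles"):
        for container in root.iter(kind):
            for prof in container.findall("entry"):
                enc = [m.text for m in prof.findall(".//encryption/member")]
                # IKE profiles list groups as <member>; IPSec profiles hold one value.
                groups = [g.text for g in prof.findall("dh-group/member")] or \
                         [g.text for g in prof.findall("dh-group")]
                item = {}
                if "des" in enc:
                    others = [e for e in enc if e != "des"]
                    # des plus alternatives: alternatives are used; des alone: 3des.
                    item["encryption_after_upgrade"] = others or ["3des"]
                hit = sorted(DOWNGRADE_GROUPS.intersection(g for g in groups if g))
                if hit:
                    item["groups_changed_on_downgrade"] = hit
                if item:
                    findings[f"{kind.split('-')[0]}:{prof.get('name')}"] = item
    return findings

if __name__ == "__main__":
    for name, item in audit_crypto_profiles(SAMPLE).items():
        print(name, item)
```

A profile reported with `3des` had `des` as its only algorithm; confirm the tunnel peer accepts the new proposal before the upgrade, since the change is applied automatically.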