Upgrade/Downgrade Considerations
Upgrade/downgrade considerations for PAN-OS 10.2.
The following table lists the new features that have
upgrade or downgrade impact. Make sure you understand all upgrade/downgrade
considerations before you upgrade to or downgrade from a PAN-OS
10.2 release. For additional information about PAN-OS 10.2 releases,
refer to the PAN-OS 10.2 Release Notes.
Feature | Upgrade Considerations | Downgrade Considerations |
---|---|---|
— | None. | Downgrading from PAN-OS 10.2 to an earlier
PAN-OS release requires that you first downgrade to PAN-OS 10.1.3 or
later PAN-OS 10.2 release. After you successfully downgrade to PAN-OS
10.1.3 or later PAN-OS 10.2 release, you can continue along your downgrade
path to your target PAN-OS release. |
Panorama Plugins
| Before you upgrade to PAN-OS 10.2, you must
download the Panorama plugin version supported on PAN-OS 10.2 for all
plugins installed on Panorama. This is required to successfully
upgrade to PAN-OS 10.2. See the list of Compatible Plugin Versions for
PAN-OS 10.2 for more information. | To downgrade from PAN-OS 10.2,
you must download the Panorama plugin version supported on PAN-OS
10.1 and earlier releases for all plugins installed on Panorama. See
the Panorama Plugins Compatibility
Matrix for more information. |
(Enterprise DLP) After upgrading
Panorama to PAN-OS 10.2, you must install Application and Threats content
release version 8520 on all managed
firewalls running PAN-OS 10.2 or earlier release. This is required
to successfully push configuration changes to managed firewalls leveraging
Enterprise DLP that you did not upgrade to PAN-OS 10.2. | ||
(Enterprise DLP) Loading a Panorama configuration
backup that does contain the Shared Enterprise DLP configuration
deletes the shared App exclusion filter required to scan non-file
based traffic. | ||
(SD-WAN) The Panorama
plugin for SD-WAN 2.2 and earlier releases is not supported in PAN-OS
10.2. Upgrading a Panorama management server to PAN-OS 10.2
when the Panorama plugin for SD-WAN 2.2 or earlier release is installed
causes the SD-WAN plugin to be hidden in the Panorama web interface
or causes the SD-WAN configuration to be deleted. In both cases,
you are unable to install a new SD-WAN plugin version or uninstall
the SD-WAN plugin. | ||
(Enterprise DLP) After downgrading
from PAN-OS 10.2.1 and Enterprise DLP plugin 3.0.1 to PAN-OS 10.1.0 and
Enterprise DLP plugin 1.0.0, data filtering profiles created on
Panorama for non-file inspection are automatically converted into file-based
data filtering profiles. | ||
VM-Series Firewalls | When upgrading the VM-Series firewall running
PAN-OS 10.1.0, 10.1.1, 10.1.2, 10.1.3, or 10.1.4 in an HA deployment,
you must first upgrade the VM-Series plugin to version 2.1.5 before upgrading
to PAN-OS 10.2. Additionally, the upgrade must be performed
in the following order.
| Before downgrading the VM-Series firewall
from PAN-OS 10.2 to PAN-OS 10.1.3, you must first download the VM-Series
plugin to 2.1.4. |
FIPS-CC | For Panorama and all managed devices in
FIPS-CC mode, you must reset the secure connection status of all FIPS-CC
devices and re-onboard any managed device added to Panorama when
the device was running a PAN-OS 10.2 release. This applies to:
This
does not apply to managed devices added to Panorama management when the
device was running PAN-OS 10.0 or earlier release. | None. |
Syslog Server Profile | After successfully upgrading to PAN-OS 10.2,
you may be prompted with a warning during reboot that the syslog configuration
file format is too old if you have an external syslog server configured (Device > Server Profiles > Syslog or Panorama > Server Profiles > Syslog). To
resolve this, log in to the firewall CLI or Panorama CLI after the
reboot where the warning is displayed and force commit.
| None. |
Multi-Vsys Firewalls | After you successfully upgrade a managed
multi-vsys firewall to PAN-OS 10.2, the firewalls become out-of-sync on Panorama.
Select Commit and Push to Devices to push the
entire Panorama managed configuration to the multi-vsys firewall
before you commit and push any configuration changes from Panorama. You
must push the current Panorama managed configuration to your managed multi-vsys
firewall after a successful upgrade to PAN-OS 10.2 or all subsequent
pushes of any configuration changes will fail. Before you
push the current Panorama managed configuration, you must delete or
rename any locally configured Shared object that has an identical
name to an object in the Panorama Shared configuration. Otherwise,
the push from Panorama fails and displays the error <object-name> is already in use. | All objects in the Panorama Shared location
on the multi-vsys firewall are replicated to each vsys. Before
you downgrade to PAN-OS 10.2 or earlier release, save and export Panorama and
firewall configurations. |
Multiple Certificate Support for SSL Inbound
Inspection | None. | If you configure SSL Inbound Inspection
policy rules with multiple certificates and later downgrade from
PAN-OS 10.2 to an earlier PAN-OS version, the policy rule on the downgraded
firewall inherits only the first certificate from the alphabetically-sorted
list of certificates. Before downgrading, we recommend setting
up a different template or device group for firewalls
running PAN-OS 10.1 and earlier to ensure you push the correct policy rule and
certificate to these firewalls. |
Certificate Management | You must generate or import all
new certificates with the following minimum requirements for PAN-OS
10.2.
This is required to
continue using Captive Portal authentication and to avoid errors
associated with the new minimum certificate requirements for PAN-OS
10.2 for existing certificates with a digest of SHA1
and MD5 along with keys below 2048 bits. | None. |
Scheduled Config Push | None. | If you created a Scheduled Config Push (Panorama > Scheduled Config Push) Downgrade from PAN-OS 10.2 is blocked if the
Admin Scope of a Scheduled Config Push includes multiple administrators. |
IKE Crypto Profiles and IPSec Crypto Profiles | If you have configured an IKE crypto profile
or IPSec crypto profile to use des as the encryption
algorithm and another encryption algorithm, PAN-OS uses the alternate encryption
algorithm after upgrading to PAN-OS 10.2.0. If des is
the only encryption method, PAN-OS updates the encryption method
to 3des after upgrading to PAN-OS 10.2.0. | After downgrading from PAN-OS 10.2 to a
previous version, if you have configured Group 15, Group 16, or
Group 21 as the encryption algorithm, that group is reconfigured
to the next highest group. For example, if the configuration uses
Group 21 after upgrading, then after downgrading, PAN-OS uses Group
20. |
URL Filtering Inline ML | The URL Filtering Inline
ML feature is now configured through Inline Categorization instead
of Inline ML. The previously available option
to define a policy action for each URL Filtering inline ML model
is no longer available - all policy actions are dictated by the global
URL category settings (Objects > Security Profiles > URL Filtering > Categories). | Configuration options for Local Inline Categorization
are available under the Inline ML of the URL Filtering security profile. |
On the Panorama management server, a configuration
push to managed firewalls containing a URL filtering profile (Objects > Security Profiles > URL Filtering)
Workaround: To avoid push failures,
downgrade to PAN-OS 10.1.5 or later PAN-OS 10.1 release. | ||
Advanced Threat Prevention Inline Cloud
Analysis | None. | Upon downgrade to PAN-OS 10.1 and earlier,
the Advanced Threat Prevention license will display on the firewall; however,
Inline Cloud Analysis functionality will not be present. All other
Threat Prevention features in the downgrade release will function
normally. |
Dynamic User Groups and User-ID | None. | After downgrading from PAN-OS 10.2.0 to
a previous version, the firewall clears all User-ID mappings and dynamic
user group tags. After downgrading, the firewall must relearn the
mappings from the sources and you must recreate the tags for the
dynamic user groups; until this occurs, the firewall cannot enforce security
policy for these mappings or dynamic user groups as a source. |
Security Policy Rules | None. | After you enable Wildcard Top
Down Match Mode and commit, this mode is not backward
compatible. If you subsequently downgrade to an earlier release,
the downgrade can break Security policy rules and affect traffic.
Also, the increase in the number of wildcard address objects supported
is not backward compatible with any earlier release that has a limit
of 1,000 entries. Back up your configuration before downgrading. |
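
The IKE Crypto Profiles and IPSec Crypto Profiles row above can be checked against an exported configuration before a change window. The following is an added example, not code from this page or from Palo Alto Networks; the XML element layout, the value names (`des`, `group21`), the sample profiles and the function name are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not from the page. The element layout and value names
# (des, group21, ...) are assumptions modelled on an exported configuration.
SAMPLE_CONFIG = """
<config><network><ike><crypto-profiles>
  <ike-crypto-profiles>
    <entry name="legacy-ike"><encryption><member>des</member></encryption></entry>
    <entry name="mixed-ike">
      <encryption><member>des</member><member>aes-256-cbc</member></encryption>
      <dh-group><member>group21</member></dh-group>
    </entry>
  </ike-crypto-profiles>
  <ipsec-crypto-profiles>
    <entry name="modern-ipsec">
      <esp><encryption><member>aes-256-gcm</member></encryption></esp>
      <dh-group>group20</dh-group>
    </entry>
  </ipsec-crypto-profiles>
</crypto-profiles></ike></network></config>
"""

# Groups the page lists as reconfigured after a downgrade from PAN-OS 10.2.
DOWNGRADE_GROUPS = {"group15", "group16", "group21"}


def audit_crypto_profiles(xml_text):
    """Return (profile type, name, effect) for each affected profile."""
    findings = []
    root = ET.fromstring(xml_text)
    for kind in ("ike-crypto-profiles", "ipsec-crypto-profiles"):
        for entry in root.iterfind(f".//{kind}/entry"):
            name = entry.get("name")
            ciphers = [m.text.strip() for m in entry.iterfind(".//encryption/member")]
            if "des" in ciphers:
                others = [c for c in ciphers if c != "des"]
                # des plus another cipher: the alternate is used; des alone: 3des.
                effect = ("upgrade: uses " + ", ".join(others) if others
                          else "upgrade: des becomes 3des")
                findings.append((kind, name, effect))
            dh = entry.find("dh-group")
            groups = {t.strip() for t in dh.itertext()} if dh is not None else set()
            for group in sorted(groups & DOWNGRADE_GROUPS):
                findings.append((kind, name, f"downgrade: {group} is reconfigured"))
    return findings

if __name__ == "__main__":
    for finding in audit_crypto_profiles(SAMPLE_CONFIG):
        print(": ".join(finding))
```

Profiles reported with `des becomes 3des` are the ones to review first, since both peers of a tunnel must agree on the encryption algorithm after the upgrade.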