Upgrade/Downgrade Considerations
Table of Contents
Expand all | Collapse all
-
-
- Upgrade Panorama with an Internet Connection
- Upgrade Panorama Without an Internet Connection
- Install Content Updates Automatically for Panorama without an Internet Connection
- Upgrade Panorama in an HA Configuration
- Migrate Panorama Logs to the New Log Format
- Upgrade Panorama for Increased Device Management Capacity
- Upgrade Panorama and Managed Devices in FIPS-CC Mode
- Downgrade from Panorama 10.2
- Troubleshoot Your Panorama Upgrade
-
- What Updates Can Panorama Push to Other Devices?
- Schedule a Content Update Using Panorama
- Panorama, Log Collector, Firewall, and WildFire Version Compatibility
- Upgrade Log Collectors When Panorama Is Internet-Connected
- Upgrade Log Collectors When Panorama Is Not Internet-Connected
- Upgrade a WildFire Cluster from Panorama with an Internet Connection
- Upgrade a WildFire Cluster from Panorama without an Internet Connection
- Upgrade Firewalls When Panorama Is Internet-Connected
- Upgrade Firewalls When Panorama Is Not Internet-Connected
- Upgrade a ZTP Firewall
- Revert Content Updates from Panorama
-
Upgrade/Downgrade Considerations
Upgrade/downgrade considerations for PAN-OS 10.2.
The following table lists the new features that have
upgrade or downgrade impact. Make sure you understand all upgrade/downgrade
considerations before you upgrade to or downgrade from a PAN-OS
10.2 release. For additional information about PAN-OS 10.2 releases,
refer to the PAN-OS 10.2 Release Notes.
Feature | Upgrade Considerations | Downgrade Considerations |
---|---|---|
Managed Firewall Traffic to Panorama
|
PAN-OS 10.2 uses TLS version 1.3 to encrypt the service certificate
and handshake messages between Panorama, managed firewalls, and
Dedicated Log Collectors. As a result, the App-ID traffic between
Panorama, managed firewalls, and Dedicated Log Collectors is
reclassified from panorama to
ssl.
As a result, a Security policy rule is required to allow the
ssl application. This allows
Panorama, managed firewalls, and Dedicated Log Collectors to
continue communication after successful upgrade to PAN-OS 10.2.
Review the Ports Used for Panorama
for more information on the destination ports required for managed
device communication with Panorama.
|
Downgrading from PAN-OS 10.2 to an earlier PAN-OS release requires
you to modify the Security policy rule to remove the
ssl application from the
application list.
|
Cloud Identity Engine |
After upgrading to PAN-OS 10.2.9, users can use the Cloud
Identity Engine to select groups based on the subdomain to
synchronize with firewalls. When the firewall is upgraded to PAN-OS
10.2.9, subdomain information is stored locally on the firewall.
|
When a firewall is downgraded from PAN-OS 10.2.9 to an
earlier version, the firewall no longer monitors the subdomain
information for the Cloud Identity Engine.
If you have selected a subdomain in the Cloud Identity
Engine, after the downgrade the firewall no longer receives group
membership changes that are synchronized with Cloud Identity
Engine.
If you have not selected a subdomain, the firewall
continues to receive group membership changes that are synchronized
with Cloud Identity Engine.
When a customer downgrades a firewall from PAN-OS 10.2.9 to
an earlier version, the firewall displays a warning in the
logs:
Groups learned from sources other than Cloud Identity
Engine are not impacted. The firewall removes the outdated data of
group membership, causing the firewall to contact the Cloud Identity
Engine to gather the latest data after downgrading. The amount of
time to collect the new data varies depending on the number of
groups and the size of the groups. After this synchronization, you
do not need to take further action to ensure group memberships
remain updated based on the synchronization interval defined on the
firewall.
|
Authenticate LSVPN Satellite with Serial Number and IP Address
Method
(PAN-OS 10.2.8 and later 10.2 releases)
|
PAN-OS stores the configuration changes in the database internally.
Therefore, the latest saved configuration is applied when you
upgrade to this feature.
After you upgrade from PAN-OS 10.0 or earlier releases to PAN-OS 10.1
and later releases (with Username/password and Satellite Cookie
Authentication method enabled), and if the satellite cookie
authentication expires, it will result in a login
failure.
In this case, you should enter the username and password for
successful authentication.
|
|
After you upgrade from PAN-OS 10.0 or earlier releases/PAN-OS 10.1
and later release to PAN-OS 10.2.8, consider the following:
|
If you downgrade to PAN-OS releases earlier than 10.1, only serial
number-based authentication method will be supported.
| |
Advanced Routing
|
None.
|
If you downgrade from PAN-OS 10.2.5 or 10.2.4-h2 to a previous
version, you must remove the SD-WAN virtual interface (VIF) from the
logical router
configurations before attempting a downgrade
procedure.
That is, you must select a different interface instead of SD-WAN VIF
interface in the following Logical Router
configurations:
|
— | None. | Downgrading from PAN-OS 10.2 to an earlier PAN-OS
release requires that you first downgrade to PAN-OS 10.1.3 or later
PAN-OS 10.1 release. After you successfully downgrade to PAN-OS
10.1.3 or later PAN-OS 10.1 release, you can continue along your downgrade
path to your target PAN-OS release. |
Tenant-Level Support for SaaS Policy Recommendations
PAN-OS 10.2.5 and later 10.2 releases
|
This feature is not available on PAN-OS 11.0.0, 11.0.1, or 11.0.2.
Upgrading to PAN-OS 11.0.0, 11.0.1, or 11.0.2 will have the same
consequences as downgrading from PAN-OS 10.2.5 to an earlier
release.
|
If you downgrade from PAN-OS 10.2.5 to an earlier release, the PAN-OS
firewall administrator will no longer be able to import tenant-level
policy recommendations. Policy recommendations that were already
imported before downgrading are not affected.
|
Maximum security zones for PA-3410, PA-3420, and PA-3430 firewalls | None. | When downgrading from PAN-OS 10.2.3-h3 (which
now has a maximum Security zone limit of 200) to a lower PAN-OS
release with a maximum Security zone limit of 40, attempting to
commit a configuration with more than 40 Security zones is not blocked
and fails. |
Panorama Plugins
| Before you upgrade to PAN-OS 10.2, you must download
the Panorama plugin version supported on PAN-OS 10.2 for all plugins
installed on Panorama. This is required to successfully upgrade
to PAN-OS 10.2. See the list of Compatible Plugin Versions for
PAN-OS 10.2 for more information. | To downgrade from PAN-OS 10.2, you must download
the Panorama plugin version supported on PAN-OS 10.1 and earlier
releases for all plugins installed on Panorama. See the Panorama Plugins Compatibility
Matrix for more information. |
(Enterprise DLP) After upgrading Panorama
to PAN-OS 10.2, you must install Application and Threats content
release version 8520 on all managed
firewalls running PAN-OS 10.2 or earlier release. This is required
to successfully push configuration changes to managed firewalls leveraging
Enterprise DLP that you did not upgrade to PAN-OS 10.2. | (Enterprise DLP)
After downgrading from PAN-OS 10.2.1 and Enterprise DLP plugin 3.0.1
to PAN-OS 10.1.0 and Enterprise DLP plugin 1.0.0, data filtering profiles
created on Panorama for non-file inspection are automatically converted
into file-based data filtering profiles. | |
(Enterprise DLP) Loading a Panorama configuration
backup that does contain the Shared Enterprise DLP configuration
deletes the shared App exclusion filter required to scan non-file
based traffic. | ||
(SD-WAN) Panorama plugin for SD-WAN 2.2
and earlier releases are not supported in PAN-OS 10.2. Upgrading
a Panorama management server to PAN-OS 10.2 when the Panorama plugin
for SD-WAN 2.2 or earlier release is installed causes the SD-WAN plugin
to be hidden in the Panorama web interface or causes the SD-WAN configuration
to be deleted. In both cases, you are unable to install a new SD-WAN
plugin version or uninstall the SD-WAN plugin. | ||
(Enterprise DLP) When upgrading
to PAN-OS 10.2.3 from an earlier PAN-OS 10.2 version, you must first
download and install the DLP 3.0.2 plugin. | ||
VM-Series Firewalls | When upgrading the VM-Series firewall running PAN-OS
10.1.0, 10.1.1, 10.1.2, 10.1.3, or 10.1.4 in an HA deployment, you
must first upgrade the VM-Series plugin to version 2.1.5 before upgrading
to PAN-OS 10.2. Additionally, the upgrade must be performed
in the following order.
| Before downgrading the VM-Series firewall
from PAN-OS 10.2 to PAN-OS 10.1.3, you must first download the VM-Series
plugin to 2.1.4. |
PA-220 and PA-850 Firewalls | None. | (PA-220) If downgrading from PAN-OS 10.2.0,
10.2.1, or 10.2.2 to PAN-OS 10.1.7, 10.1.6-h4, or later versions,
you must first upgrade the firewall to PAN-OS 10.2.3 or later to
avoid a conflict with the system's U-Boot version. (PA-850)
If downgrading from PAN-OS 10.2.0, 10.2.1, or 10.2.2 to PAN-OS 10.1.7
or later, you must first upgrade the firewall to PAN-OS 10.2.3 or
later to avoid a conflict with the system's U-Boot version. |
PA-5200 Series, PA-7000 Series, WF-500, and WF-500-B Firewalls
|
While upgrading to PAN-OS 10.2, the firewall may perform a file
system integrity check (FSCK), displaying the following message:
RAID log disks check in progress, please
wait. The FSCK is required for the upgrade and
may take an hour or more. Do not reboot or attempt to install
another software release while the FSCK is in progress.
|
None.
|
FIPS-CC | For Panorama and all managed devices in
FIPS-CC mode, you must reset the secure connection status of all FIPS-CC
devices and re-onboard any managed device added to Panorama when
the device was running a PAN-OS 10.2 release. This applies to:
This
does not apply to managed devices added to Panorama management when the
device was running PAN-OS 10.0 or earlier release. | None. |
Panorama Management of Multi-Vsys Firewalls
|
Before upgrading a Panorama managed multi-vsys firewall to PAN-OS
10.2:
|
All objects in the Panorama Shared location on the multi-vsys
firewall are replicated to each vsys.
Before you downgrade to PAN-OS 10.2 or earlier release, save and export Panorama and
firewall configurations.
|
After you successfully upgrade a managed multi-vsys firewall to
PAN-OS 10.2, the firewalls become
out-of-sync on Panorama and a full
commit and push is required.
On Panorama, select Commit and Push to Devices the
entire Panorama managed configuration to the multi-vsys firewall
before you commit and push any configuration changes from
Panorama.
After upgrading to PAN-OS 10.2, if you preview the changes prior
to your Commit, the preview might
indicate that shared objects will be deleted during the next
configuration push. This is expected because PAN-OS 10.2 removes
existing shared objects from individual virtual system (vsys)
configs and moves them to the centralized Panorama
Shared location. | ||
Multiple Certificate Support for SSL Inbound Inspection | None. | If you configure SSL Inbound Inspection
policy rules with multiple certificates and later downgrade from PAN-OS
10.2 to an earlier PAN-OS version, the policy rule on the downgraded firewall
inherits only the first certificate from the alphabetically-sorted
list of certificates. Before downgrading, we recommend setting
up a different template or device group for firewalls
running PAN-OS 10.1 and earlier to ensure you push the correct policy rule and certificate
to these firewalls. |
Certificate Management | You must generate or import
all new certificates with the following minimum requirements for
PAN-OS 10.2.
This is required to continue
using Captive Portal authentication and to avoid errors associated
with the new minimum certificate requirements for PAN-OS 10.2 with
PAN-OS 10.2, for existing certificates with a digest of SHA1 and
MD5 along with keys using below 2048 bits. | None. |
Scheduled Config Push | None. | If you created a Scheduled Config Push (PanoramaScheduled Config Push)
to managed firewalls from Panorama to include the configuration changes
of multiple Panorama administrators, you must remove the additional administrators
from the Admin Scope of the Scheduled Config Push. Downgrade
from PAN-OS 10.2 is blocked if the Admin Scope of a Scheduled Config
Push includes multiple administrators. |
IKE Crypto Profiles and IPSec Crypto Profiles | If you have configured an IKE crypto profile
or IPSec crypto profile to use des as the
encryption algorithm and another encryption algorithm, PAN-OS uses
the alternate encryption algorithm after upgrading to PAN-OS 10.2.0.
If des is the only encryption method, PAN-OS
updates the encryption method to 3des after
upgrading to PAN-OS 10.2.0. | After downgrading from PAN-OS 10.2 to a
previous version, if you have configured Group 15, Group 16, or
Group 21 as the encryption algorithm, that group is reconfigured
to the next highest group. For example, if the configuration uses
Group 21 after upgrading, then after downgrading, PAN-OS uses Group
20. |
URL Filtering Inline ML |
In PAN-OS 10.2, the Inline ML tab in URL
Filtering profiles is renamed Inline
Categorization.
If inline ML was configured before upgrading, then local inline
categorization will automatically be enabled after upgrading.
To configure local inline categorization, add or select a URL
Filtering profile (ObjectsSecurity ProfilesURL Filtering), click Inline Categorization,
and Enable local inline categorization.
The option to define a policy action for
inline ML models goes away in PAN-OS 10.2. The upgrade removes
the previously defined actions, and the firewall enforces the
actions configured in the global URL category settings (ObjectsSecurity ProfilesURL FilteringCategories). |
Downgrading PAN-OS 10.2 to an earlier version reverts the
Inline Categorization tab in URL
Filtering profiles to Inline ML.
If cloud or local inline categorization was configured before
downgrading, then inline ML, including the JavaScript Exploit
Detection and Phishing Detection ML models, will automatically be
enabled after downgrading.
To configure inline ML, select ObjectsSecurity ProfilesURL Filtering, and click Inline ML.
|
Before upgrading a Panorama management server to PAN-OS 10.2, verify that managed firewalls with inline categorization enabled are running PAN-OS 10.1.5 or a later release. This ensures the proper transformation of the firewall configurations, preventing push failures. | Configuration pushes from a Panorama management server to managed firewalls with inline
categorization enabled fail if:
Workaround: To avoid push failures, downgrade to PAN-OS 10.1.5 or a later PAN-OS 10.1
release. | |
Advanced Threat Prevention Inline Cloud Analysis | None. | Upon downgrade to PAN-OS 10.1 or earlier versions, the Advanced Threat Prevention license will
display on the firewall, however, Inline Cloud Analysis
functionality will not be present. All other Threat Prevention
features in the downgrade release will function normally. |
Dynamic User Groups and User-ID | None. | After downgrading from PAN-OS 10.2.0 to
a previous version, the firewall clears all User-ID mappings and dynamic
user group tags. After downgrading, the firewall must relearn the
mappings from the sources and you must recreate the tags for the
dynamic user groups; until this occurs, the firewall cannot enforce security
policy for these mappings or dynamic user groups as a source. |
Security Policy Rules | None. | After you enable Wildcard Top Down
Match Mode and commit, this mode is not backward compatible.
If you subsequently downgrade to an earlier release, the downgrade can
break Security policy rules and affect traffic. Also the increase
in the number of wildcard address objects supported is not backward compatible
with any earlier release that has a limit of 1,000 entries. Back
up your configuration before downgrading. |
Administrator-Level Push
| After you upgrade to PAN-OS 10.2,
Commit and Push to
Devices the entire Panorama managed configuration to
your managed firewalls. This is required to push selective configuration to your
managed devices and leverage the improved shared
configuration object management for multi-vsys firewalls managed by
Panorama. |
None.
|