Upgrade/Downgrade Considerations

Upgrade/downgrade considerations for PAN-OS 10.2.
The following table lists the new features that have upgrade or downgrade impact. Make sure you understand all upgrade/downgrade considerations before you upgrade to or downgrade from a PAN-OS 10.2 release. For additional information about PAN-OS 10.2 releases, refer to the PAN-OS 10.2 Release Notes.
Feature
Upgrade Considerations
Downgrade Considerations
None.
Downgrading from PAN-OS 10.2 to an earlier PAN-OS release requires that you first downgrade to PAN-OS 10.1.3 or later PAN-OS 10.2 release. After you successfully downgrade to PAN-OS 10.1.3 or later PAN-OS 10.2 release, you can continue along your downgrade path to your target PAN-OS release.
Panorama Plugins
  • AWS Plugin
  • Azure Plugin
  • Kubernetes Plugin
  • Software Firewall Licensing Plugin
  • PAN-OS SD-WAN Plugin
  • IPS Signature Converter Plugin
  • ZTP Plugin
  • Enterprise DLP Plugin
  • Openconfig Plugin
  • GCP Plugin
  • Cisco ACI Plugin
  • Nutanix Plugin
  • VCenter Plugin
Before you upgrade to PAN-OS 10.2, you must download the Panorama plugin version supported on PAN-OS 10.2 for all plugins installed on Panorama. This is required to successfully upgrade to PAN-OS 10.2. See the list of Compatible Plugin Versions for PAN-OS 10.2 for more information.
To downgrade from PAN-OS 10.2, you must download the Panorama plugin version supported on PAN-OS 10.1 and earlier releases for all plugins installed on Panorama. See the Panorama Plugins Compatibility Matrix for more information.
(
Enterprise DLP
) After upgrading Panorama to PAN-OS 10.2, you must install Application and Threats content release version
8520
on all managed firewalls running PAN-OS 10.2 or earlier release. This is required to successfully push configuration changes to managed firewalls leveraging Enterprise DLP that you did not upgrade to PAN-OS 10.2.
(
Enterprise DLP
) Loading a Panorama configuration backup that does contain the Shared Enterprise DLP configuration deletes the shared App exclusion filter required to scan non-file based traffic.
(
SD-WAN
) Panorama plugin for SD-WAN 2.2 and earlier releases are not supported in PAN-OS 10.2.
Upgrading a Panorama management server to PAN-OS 10.2 when the Panorama plugin for SD-WAN 2.2 or earlier release is installed causes the SD-WAN plugin to be hidden in the Panorama web interface or causes the SD-WAN configuration to be deleted. In both cases, you are unable to install a new SD-WAN plugin version or uninstall the SD-WAN plugin.
(
Enterprise DLP
) After downgrading from PAN-OS 10.2.1 and Enterprise DLP plugin 3.0.1 to PAN-OS 10.1.0 and Enterprise DLP plugin 1.0.0, data filtering profiles created on Panorama for non-file inspection are automatically converted into file-based data filtering profiles.
VM-Series Firewalls
When upgrading the VM-Series firewall running PAN-OS 10.1.0, 10.1.1, 10.1.2, 10.1.3, or 10.1.4 in an HA deployment, you must first upgrade the VM-Series plugin to version 2.1.5 before upgrading to PAN-OS 10.2.
Additionally, the upgrade must be performed in the following order.
  1. Upgrade VM-Series plugin to 2.1.5 on the Active peer.
  2. Upgrade VM-Series plugin to 2.1.5 on the Passive peer.
  3. Upgrade PAN-OS to 10.2 on the Passive peer.
  4. Upgrade PAN-OS to 10.2 on the Active peer.
Before downgrading the VM-Series firewall from PAN-OS 10.2 to PAN-OS 10.1.3, you must first download the VM-Series plugin to 2.1.4.
FIPS-CC
For Panorama and all managed devices in FIPS-CC mode, you must reset the secure connection status of all FIPS-CC devices and re-onboard any managed device added to Panorama when the device was running a PAN-OS 10.2 release. This applies to:
  • Panorama in FIPS-CC mode
  • Firewalls, Dedicated Log Collectors, and WildFire appliances in FIPS-CC mode added to Panorama while running a PAN-OS 10.2 release using the device registration authentication key
This does not apply to managed devices added to Panorama management when the device was running PAN-OS 10.0 or earlier release.
None.
Syslog Server Profile
After successfully upgrading to PAN-OS 10.2, you may be prompted with a warning during reboot that the syslog configuration file format is too old if you have an external syslog server configured (
Device
Server Profiles
Syslog
or
Panorama
Server Profiles
Syslog
).
To resolve this, log in to the firewall CLI or Panorama CLI after the reboot where the warning is displayed and force commit.
admin>
configure
admin#
commit force
None.
Multi-Vsys Firewalls
After you successfully upgrade a managed multi-vsys firewall to PAN-OS 10.2, the firewalls become
out-of-sync
on Panorama. Select
Commit
and
Push to Devices
the entire Panorama managed configuration to the multi-vsys firewall before you commit and push any configuration changes from Panorama.
You must push the current Panorama managed configuration to your managed multi-vsys firewall after a successful upgrade to PAN-OS 10.2 or all subsequent pushes of any configuration changes will fail.
Before you push the current Panorama managed configuration, you must delete or rename any locally configured Shared object that has an identical name to an object in the Panorama Shared configuration. Otherwise, the push from Panorama fails and displays the error
<object-name> is already in use
.
All objects in the Panorama Shared location on the multi-vsys firewall are replicated to each vsys.
Before you downgrade to PAN-OS 10.2 or earlier release, save and export Panorama and firewall configurations.
Multiple Certificate Support for SSL Inbound Inspection
None.
If you configure SSL Inbound Inspection policy rules with multiple certificates and later downgrade from PAN-OS 10.2 to an earlier PAN-OS version, the policy rule on the downgraded firewall inherits only the first certificate from the alphabetically-sorted list of certificates.
Before downgrading, we recommend setting up a different template or device group for firewalls running PAN-OS 10.1 and earlier to ensure you push the correct policy rule and certificate to these firewalls.
Certificate Management
You must generate or import all new certificates with the following minimum requirements for PAN-OS 10.2.
  • RSA 2048 bits or greater, or ECDSA 256 bits or greater
  • Digest of SHA256 or greater
This is required to continue using Captive Portal authentication and to avoid errors associated with the new minimum certificate requirements for PAN-OS 10.2 with PAN-OS 10.2, for existing certificates with a digest of SHA1 and MD5 along with keys using below 2048 bits.
None.
Scheduled Config Push
None.
If you created a Scheduled Config Push (
Panorama
Scheduled Config Push
) to managed firewalls from Panorama to include the configuration changes of multiple Panorama administrators, you must remove the additional administrators from the Admin Scope of the Scheduled Config Push.
Downgrade from PAN-OS 10.2 is blocked if the Admin Scope of a Scheduled Config Push includes multiple administrators.
IKE Crypto Profiles and IPSec Crypto Profiles
If you have configured an IKE crypto profile or IPSec crypto profile to use
des
as the encryption algorithm and another encryption algorithm, PAN-OS uses the alternate encryption algorithm after upgrading to PAN-OS 10.2.0. If
des
is the only encryption method, PAN-OS updates the encryption method to
3des
after upgrading to PAN-OS 10.2.0.
After downgrading from PAN-OS 10.2 to a previous version, if you have configured Group 15, Group 16, or Group 21 as the encryption algorithm, that group is reconfigured to the next highest group. For example, if the configuration uses Group 21 after upgrading, then after downgrading, PAN-OS uses Group 20.
URL Filtering Inline ML
The URL Filtering Inline ML feature is now configured through
Inline Categorization
instead of
Inline ML
. The previously available option to define a policy action for each URL Filtering inline ML model is no longer available - all policy actions are dictated by the global URL category settings
Objects
Security Profiles
URL Filtering
Categories
. Upon upgrade to PAN-OS 10.2, if user-defined inline ML actions are present, they are deleted and the global URL category settings take precedence.
Configuration options for Local Inline Categorization is available under the Inline ML of the URL Filtering security profile.
On the Panorama management server, a configuration push to managed firewalls containing a URL filtering profile (
Objects
Security Profiles
URL Filtering
) with Inline Categorization fails if:
  • Panorama is running PAN-OS 10.2 and the managed firewall is downgraded to PAN-OS 10.1.4 or earlier PAN-OS 10.1 release.
  • Panorama is running PAN-OS 10.2 and the managed firewall is downgraded to PAN-OS 10.0 release.
  • Panorama and managed firewalls are downgraded to PAN-OS 10.1.4 or earlier PAN-OS 10.1 release.
  • Panorama is downgraded to PAN-OS 10.1.4 or earlier PAN-OS 10.1 release and managed firewalls are downgraded to a PAN-OS 10.0 release.
  • Panorama and managed firewalls are downgraded to a PAN-OS 10.0 release.
Workaround:
To avoid push failures, downgrade to PAN-OS 10.1.5 or later PAN-OS 10.1 release.
Advanced Threat Prevention Inline Cloud Analysis
None.
Upon downgrade to PAN-OS 10.1 and earlier, the Advanced Threat Prevention license will display on the firewall, however, Inline Cloud Analysis functionality will not be present. All other Threat Prevention features in the downgrade release will function normally.
Dynamic User Groups and User-ID
None.
After downgrading from PAN-OS 10.2.0 to a previous version, the firewall clears all User-ID mappings and dynamic user group tags. After downgrading, the firewall must relearn the mappings from the sources and you must recreate the tags for the dynamic user groups; until this occurs, the firewall cannot enforce security policy for these mappings or dynamic user groups as a source.
Security Policy Rules
None.
After you enable
Wildcard Top Down Match Mode
and commit, this mode is not backward compatible. If you subsequently downgrade to an earlier release, the downgrade can break Security policy rules and affect traffic. Also the increase in the number of wildcard address objects supported is not backward compatible with any earlier release that has a limit of 1,000 entries. Back up your configuration before downgrading.

Recommended For You