Panorama Plugins Upgrade/Downgrade Considerations

Upgrade/downgrade considerations for Panorama plugins.
The following table lists the new features that have upgrade or downgrade impact. Make sure you understand all upgrade/downgrade considerations before you upgrade to or downgrade from a PAN-OS 10.2 release. For additional information about PAN-OS 10.2 releases, refer to the PAN-OS 10.2 Release Notes.
Feature
Upgrade Considerations
Downgrade Considerations
Panorama Plugins
  • AWS Plugin
  • Azure Plugin
  • Kubernetes Plugin
  • Software Firewall Licensing Plugin
  • PAN-OS SD-WAN Plugin
  • IPS Signature Converter Plugin
  • ZTP Plugin
  • Enterprise DLP Plugin
  • Openconfig Plugin
  • GCP Plugin
  • Cisco ACI Plugin
  • Nutanix Plugin
  • VCenter Plugin
Before you upgrade to PAN-OS 10.2, you must download the Panorama plugin version supported on PAN-OS 10.2 for all plugins installed on Panorama. This is required to successfully upgrade to PAN-OS 10.2. See the list of Compatible Plugin Versions for PAN-OS 10.2 for more information.
To downgrade from PAN-OS 10.2, you must download the Panorama plugin version supported on PAN-OS 10.1 and earlier releases for all plugins installed on Panorama. See the Panorama Plugins Compatibility Matrix for more information.
(Enterprise DLP) After upgrading Panorama to PAN-OS 10.2, you must install Application and Threats content release version 8520 on all managed firewalls running PAN-OS 10.2 or earlier release. This is required to successfully push configuration changes to managed firewalls leveraging Enterprise DLP that you did not upgrade to PAN-OS 10.2.
(Enterprise DLP) Loading a Panorama configuration backup that does contain the Shared Enterprise DLP configuration deletes the shared App exclusion filter required to scan non-file based traffic.
(SD-WAN) Panorama plugin for SD-WAN 2.2 and earlier releases are not supported in PAN-OS 10.2.
Upgrading a Panorama management server to PAN-OS 10.2 when the Panorama plugin for SD-WAN 2.2 or earlier release is installed causes the SD-WAN plugin to be hidden in the Panorama web interface or causes the SD-WAN configuration to be deleted. In both cases, you are unable to install a new SD-WAN plugin version or uninstall the SD-WAN plugin.
PAN-OS SD-WAN
After successful upgrade of Panorama to PAN-OS 10.2 and the Panorama plugin from SD-WAN version 2.0.0 to SD-WAN version 3.0, you must clear the SD-WAN cache on Panorama for existing SD-WAN deployments only.
Clearing the SD-WAN cache does not delete any existing SD-WAN configuration but deletes the IP address, tunnel, and gateway naming conventions for the new format introduced in Panorama plugin for SD-WAN version 3.0.
For new deployments of SD-WAN, you do not need to clear the SD-WAN cache on Panorama if you install the Panorama plugin for SD-WAN version 3.0 on Panorama after you upgrade to PAN-OS 10.2.
  1. Clear the SD-WAN cache on Panorama.
    admin> debug plugins sd_wan drop-config-cache all
None.
