Upgrade/Downgrade Considerations

Upgrade/downgrade considerations for PAN-OS 11.0.
The following table lists the new features that have upgrade or downgrade impact. Make sure you understand all upgrade/downgrade considerations before you upgrade to or downgrade from a PAN-OS 11.0 release. For additional information about PAN-OS 11.0 releases, refer to the PAN-OS 11.0 Release Notes.
Upgrade Considerations
Downgrade Considerations
Minimum System Memory Requirement for the Panorama Virtual Appliance
Palo Alto Networks has increased the recommended Panorama virtual appliance memory requirement to a minimum of 64GB, up from 32GB. This applies to Panorama virtual appliances in Panorama and Log Collector mode and is intended to avoid logging, management, and operational performance issues caused by an under-provisioned Panorama virtual appliance.
For new Panorama virtual appliance deployments, Palo Alto Networks recommends deploying the virtual machine with a minimum of 64GB. For existing Panorama virtual appliance deployments, see Increase the CPUs and Memory of the Panorama Virtual Appliance to increase the memory for an existing Panorama virtual appliance after successful upgrade to PAN-OS 11.0.
TLSv1.3 Support for Administrative Access
The firewall automatically sets Management TLS Mode when you upgrade the firewall. If you used an SSL/TLS service profile to secure management connections before the upgrade, the profile continues to work.
To enable TLSv1.3 support for administrative access, you’ll need to go to General Settings, set Management TLS Mode to either , and then select a management server Certificate.
Configuring TLSv1.3 support disables the SSL/TLS service profile used for management connections before the upgrade.
TLSv1.3 support goes away when you downgrade from PAN-OS 11.0 to an earlier PAN-OS version.
If you had enabled TLSv1.3 support or did not use an SSL/TLS service profile for management connections, the firewall supports all TLS versions except TLSv1.3 (TLSv1.0-TLSv1.2) and the associated cipher suites.
However, if you used an SSL/TLS service profile before downgrading, the firewall continues to use that profile.
Custom Syslog Format
You must reduce the custom syslog format (Server Profiles) to a maximum of 2,346 characters to successfully downgrade to PAN-OS 10.2.
User Context for the Cloud Identity Engine
Palo Alto Networks strongly recommends creating detailed records of the mapping and tag redistribution architecture before enabling User Context Cloud Service. If a downgrade becomes necessary, use the architecture records to recreate that configuration after downgrading to repopulate the mappings and tags.
After downgrading from PAN-OS 11.0 to an earlier version, the User Context Cloud Service option is no longer available. In addition, the downgrade clears IP address-to-username mappings, IP address-to-port number mappings, quarantine lists, IP address-to-tag mappings, and Dynamic User Group tags from the downgraded device.
Before downgrading, if you enabled the User Context Cloud Service option, enable the previous configuration for the sources of the mappings, tags, and quarantine lists on the firewall or Panorama so that the information repopulates correctly after you downgrade.
Palo Alto Networks recommends using the following CLI commands on the firewall immediately before downgrading to establish a baseline record of the data. If a downgrade is necessary, this allows you to compare the data before and after downgrade to verify that all necessary data is available on the firewall post-downgrade:
  • Use the show user ip-user-mapping all command to obtain the current number of IP address-to-username mappings.
  • Use the show user ip-port-user-mapping all command to obtain the current number of IP address-to-port number mappings.
  • Use the show object registered-ip all option count command to obtain the current number of IP address-to-tag mappings.
  • Use the show object registered-user all command to obtain the current number of tag-to-username mappings.
  • Use the debug user-id dump hip-profile-database command to obtain a list of all devices associated with a HIP profile.
  • Export the list of quarantined devices as a PDF or CSV.
Using the CLI commands, compare the output before and after downgrading to verify that the amount of data is approximately the same and ensure the necessary data is available on the firewall before using the firewall to enforce policy.
You must manually restore all mappings from XML API sources and any devices that were manually added to a quarantine list.
If the mappings and tags imported using the XML API and/or machines that were manually added to the quarantine list are not imported back and validated after the downgrade, this can introduce a security risk, because previously quarantined users and devices may no longer be restricted from accessing resources they are not authorized to access. For example, if a specific tag was assigned to a user through the XML API that added them to a dynamic user group for quarantine, that user is no longer in the quarantined dynamic user group until you manually add that user after downgrading. If you added a device manually to the quarantine list before the downgrade, you must add that device manually after downgrading, or the device will no longer be quarantined, introducing a possible security risk.
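The baseline comparison described above can be scripted over saved CLI captures. The following is an added example, not Palo Alto Networks code: it diffs two captures of show user ip-user-mapping all and singles out lost entries that need manual restoration. The sample captures are constructed, and the column layout and the "XMLAPI" source label are assumptions about the command output.

```python
import ipaddress

# Constructed captures of `show user ip-user-mapping all` saved before and
# after a downgrade. The column order (IP, Vsys, From, User, ...) and the
# "XMLAPI" source label are assumptions about the CLI output.
HEADER = "IP            Vsys   From    User           IdleTimeout(s) MaxTimeout(s)\n"
BEFORE = HEADER + (
    "192.0.2.10    vsys1  AD      example\\alice  2700           2700\n"
    "192.0.2.11    vsys1  XMLAPI  example\\bob    2700           2700\n"
    "192.0.2.12    vsys1  GP      example\\carol  2700           2700\n"
    "Total: 3 users\n"
)
AFTER = HEADER + (
    "192.0.2.10    vsys1  AD      example\\alice  2700           2700\n"
    "192.0.2.12    vsys1  GP      example\\dave   2700           2700\n"
    "Total: 2 users\n"
)

def parse_mappings(text):
    """Return {(ip, vsys): (source, user)} for rows whose first field is an IP."""
    rows = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank line or "Total:" summary
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # column header or separator row
        rows[(ip, fields[1])] = (fields[2], fields[3])
    return rows

def compare(before_text, after_text, manual_sources=("XMLAPI",)):
    """Diff two captures; flag lost entries whose source needs manual restore."""
    before, after = parse_mappings(before_text), parse_mappings(after_text)
    missing = {k: v for k, v in before.items() if k not in after}
    changed = {k: (before[k][1], after[k][1])
               for k in before.keys() & after.keys() if before[k][1] != after[k][1]}
    manual = {k: v for k, v in missing.items() if v[0] in manual_sources}
    return {"before": len(before), "after": len(after), "missing": missing,
            "changed_user": changed, "restore_manually": manual}

if __name__ == "__main__":
    for name, value in compare(BEFORE, AFTER).items():
        print(f"{name}: {value}")
```

An empty missing set and an empty changed_user set are the condition to meet before the firewall goes back to enforcing policy; entries under restore_manually are the ones the downgrade will not repopulate by itself.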
User Mapping Using NetBIOS Client Probing
As part of our continuous efforts to further strengthen the security of User-ID and eliminate any potential security vulnerabilities due to misconfiguration, the outdated NetBIOS client probing method of user mapping is no longer supported in this version. If you currently use this method to collect user mappings, you must configure an alternate method before upgrading to ensure user identification continues uninterrupted. For more information on alternate mapping methods, refer to the PAN-OS documentation. After upgrading, NetBIOS Client Probing (User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Client Probing) is no longer available. NetBIOS Client Probing is also no longer available in version 11.0 of the Windows User-ID agent.
OCSP over HTTP Proxy
If you downgrade to a PAN-OS version earlier than PAN-OS 11.0, you'll need to use the Certificate Revocation List (CRL) method to confirm the status of certificates. OCSP traffic cannot pass through HTTP proxies in PAN-OS versions earlier than PAN-OS 11.0.