: Upgrade/Downgrade Considerations
Focus
Focus

Upgrade/Downgrade Considerations

Table of Contents
End-of-Life (EoL)

Upgrade/Downgrade Considerations

Upgrade/downgrade considerations for PAN-OS 11.0.
The following table lists the new features that have upgrade or downgrade impact. Make sure you understand all upgrade/downgrade considerations before you upgrade to or downgrade from a PAN-OS 11.0 release. For additional information about PAN-OS 11.0 releases, refer to the PAN-OS 11.0 Release Notes.
Feature
Upgrade Considerations
Downgrade Considerations
Minimum System Memory Requirement for the Panorama Virtual Appliance
Palo Alto Networks has increased the recommended Panorama virtual appliance memory requirement to a minimum of 64GB, up from 32GB. This impacts Panorama virtual appliances in Panorama and Log Collector mode to avoid any logging, management, and operational performance issues related to an under-provisioned Panorama virtual appliance.
For new Panorama virtual appliance deployments, Palo Alto Networks recommends deploying the virtual machine with a minimum of 64GB. For existing Panroama virtual appliance deployments, See Increase the CPUs and Memory of the Panorama Virtual Appliance to increase the memory for an existing Panorama virtual appliance after successful upgrade to PAN-OS 11.0.
None.
TLSv1.3 Support for Administrative Access
The firewall automatically sets Management TLS Mode to excludetlsv1.3_only and Certificate to none when you upgrade the firewall. If you used an SSL/TLS service profile to secure management connections before the upgrade, the profile continues to work.
To enable TLSv1.3 support for administrative access, you’ll need to go to General Settings (DeviceSetupManagementGeneral Settings), set Management TLS Mode to either tlsv1.3_only or mixed-mode, and then select a management server Certificate.
Configuring TLSv1.3 support disables the SSL/TLS service profile used for management connections before the upgrade.
TLSv1.3 support goes away when you downgrade from PAN-OS 11.0 to an earlier PAN-OS version.
If you had enabled TLSv1.3 support or did not use an SSL/TLS service profile for management connections, the firewall supports all TLS versions except TLSv1.3 (TLSv1.0-TLSv1.2) and the associated cipher suites.
However, if you used an SSL/TLS service profile before downgrading, the firewall continues to use that profile.
Custom Syslog Format
None.
You must reduce the custom syslog format (DeviceServer ProfilesSyslog and PanoramaServer ProfilesSyslog) to a maximum of 2,346 characters to successfully downgrade to PAN-OS 10.2.
User Context for the Cloud Identity Engine
Palo Alto Networks strongly recommends creating detailed records of the mapping and tag redistribution architecture before enabling User Context Cloud Service. If a downgrade becomes necessary, use the architecture records to recreate that configuration after downgrading to repopulate the mappings and tags.
After downgrading from PANOS 11.0 to an earlier version, the User Context Cloud Service option is no longer available. In addition, the downgrade clears IP address-to-username mappings, IP address-to-port number mappings, quarantine lists, IP address-to-tag mappings, and Dynamic User Group tags from the downgraded device.
Before downgrading, if you enabled the User Context Cloud Service option, enable the previous configuration for the sources of the mappings, tags, and quarantine lists on the firewall or Panorama so that the information repopulates correctly after you downgrade.
Palo Alto Networks recommends using the following CLI commands on the firewall immediately before downgrading to establish a baseline record of the data. If a downgrade is necessary, this allows you to compare the data before and after downgrade to verify that all necessary data is available on the firewall post-downgrade:
  • Use the show user ip-user-mapping all command to obtain the current number of IP address-to-username mappings.
  • Use the show user ip-port-user-mapping all command to obtain the current number of IP address-to-port number mappings.
  • Use the show object registered-ip all option count command to obtain the current number of IP address-to-tag mappings.
  • Use the show object registered-user all command to obtain the current number of tag-to-username mappings.
  • Use the debug user-id dump hip-profile-database command to obtain a list of all devices associated with a HIP profile.
  • Export the list of quarantined devices as a PDF or CSV.
Using the CLI commands, compare the output before and after downgrading to verify that the amount of data is approximately the same and ensure the necessary data is available on the firewall before using the firewall to enforce policy.
You must manually restore all mappings from XML API sources and any devices that were manually added to a quarantine list.
If the mappings and tags imported using XML API and/or machines that were manually added to the quarantine list are not imported back and validated post downgrade, this can introduce a security risk, as the previously quarantined users and devices may no longer be restricted to accessing the resources they are not authorized to access. For example, if a specific tag was assigned to a user through the XML API that added them to a dynamic user group for quarantine, that user is no longer be in the quarantined dynamic user group until you manually add that user after downgrading. If you added a device manually to the quarantine list before the downgrade, you must add that device manually after downgrading, or the device will no longer be quarantined, introducing a possible security risk.
User Mapping Using NetBIOS Client Probing
As part of our continuous efforts to further strengthen the security of User-ID and eliminate any potential security vulnerabilities due to misconfiguration, the outdated NetBIOS client probing method of user mapping is no longer supported in this version. If you currently use this method to collect user mappings, you must configure an alternate method before upgrading to ensure user identification continues uninterrupted. For more information on alternate mapping methods, refer to the PAN-OS documentation. After upgrading, NetBIOS Client Probing (DeviceUser IdentificationUser MappingPalo Alto Networks User-ID Agent SetupClient Probing) is no longer available. NetBIOS Client Probing is also no longer available in version 11.0 of the Windows User-ID agent.
None.
OCSP over HTTP ProxyNone.If you downgrade to a PAN-OS version earlier than PAN-OS 11.0, you'll need to use the Certificate Revocation List (CRL) method to confirm the status of certificates. OCSP traffic cannot pass through HTTP proxies in PAN-OS versions earlier than PAN-OS 11.0.
Session offload for VM-Series firewallsVM-Series firewalls running PAN-OS version 11.0.1 with session offload enabled experience problems when upgrading to PAN-OS version 11.0.2. To resolve this issue, remove the session offload configuration prior to upgrading to version 11.0.2. Use show deviceconfig setting session to view the session offload configuration. Remove the session offload configuration using delete deviceconfig setting session offload.None.
PA-5200 Series, PA-7000 Series, WF-500, and WF-500-B Firewalls
While upgrading to PAN-OS 11.0, the firewall may perform a file system integrity check (FSCK), displaying the following message: RAID log disks check in progress, please wait. The FSCK is required for the upgrade and may take an hour or more. Do not reboot or attempt to install another software release while the FSCK is in progress.
None.
Panorama Management of Multi-Vsys Firewalls
Upgrade to PAN-OS 11.0 using Skip Software Version Upgrade only
Before upgrading a Panorama managed multi-vsys firewall to PAN-OS 11.0 using Skip Software Version Upgrade:
  • Delete or rename any locally configured firewall Shared object that has an identical name to an object in the Panorama Shared configuration. Otherwise, configuration pushes from Panorama fail after the upgrade and display the error <object-name> is already in use.
  • Palo Alto Networks recommends that if a multi-vsys firewall is managed by Panorama, then all vsys configurations should be managed by Panorama.
    This helps avoid commit failures on the managed multi-vsys firewall and allows you to take advantage of optimized shared object pushes from Panorama.
None.
After you successfully upgrade a managed multi-vsys firewall to PAN-OS 10.2 using Skip Software Version Upgrade, the firewalls become out-of-sync on Panorama and a full commit and push is required.
On Panorama, select Commit and Push to Devices the entire Panorama managed configuration to the multi-vsys firewall before you commit and push any configuration changes from Panorama.