Upgrade/Downgrade Considerations
Table of Contents
11.0 (EoL)
Expand all | Collapse all
-
-
- Upgrade Panorama with an Internet Connection
- Upgrade Panorama Without an Internet Connection
- Install Content Updates Automatically for Panorama without an Internet Connection
- Upgrade Panorama in an HA Configuration
- Migrate Panorama Logs to the New Log Format
- Upgrade Panorama for Increased Device Management Capacity
- Upgrade Panorama and Managed Devices in FIPS-CC Mode
- Downgrade from Panorama 11.0
- Troubleshoot Your Panorama Upgrade
-
- What Updates Can Panorama Push to Other Devices?
- Schedule a Content Update Using Panorama
- Panorama, Log Collector, Firewall, and WildFire Version Compatibility
- Upgrade Log Collectors When Panorama Is Internet-Connected
- Upgrade Log Collectors When Panorama Is Not Internet-Connected
- Upgrade a WildFire Cluster from Panorama with an Internet Connection
- Upgrade a WildFire Cluster from Panorama without an Internet Connection
- Upgrade Firewalls When Panorama Is Internet-Connected
- Upgrade Firewalls When Panorama Is Not Internet-Connected
- Upgrade a ZTP Firewall
- Revert Content Updates from Panorama
-
End-of-Life (EoL)
Upgrade/Downgrade Considerations
Upgrade/downgrade considerations for PAN-OS 11.0.
The following table lists the new features that have
upgrade or downgrade impact. Make sure you understand all upgrade/downgrade
considerations before you upgrade to or downgrade from a PAN-OS
11.0 release. For additional information about PAN-OS 11.0 releases,
refer to the PAN-OS 11.0 Release Notes.
Feature | Upgrade Considerations | Downgrade Considerations |
---|---|---|
Minimum System Memory Requirement for the Panorama
Virtual Appliance | Palo Alto Networks has increased the recommended Panorama virtual appliance memory
requirement to a minimum of 64GB, up from 32GB. This impacts Panorama virtual appliances in Panorama
and Log Collector mode to avoid any logging, management, and operational performance
issues related to an under-provisioned Panorama virtual appliance. For
new Panorama virtual appliance deployments, Palo Alto Networks recommends
deploying the virtual machine with a minimum of 64GB. For existing Panroama
virtual appliance deployments, See Increase the CPUs and Memory
of the Panorama Virtual Appliance to increase the memory
for an existing Panorama virtual appliance after successful upgrade
to PAN-OS 11.0. | None. |
TLSv1.3 Support for Administrative Access | The firewall automatically sets Management TLS
Mode to excludetlsv1.3_only and Certificate to none when
you upgrade the firewall. If you used an SSL/TLS service profile
to secure management connections before the upgrade, the profile
continues to work. To enable TLSv1.3 support for administrative access,
you’ll need to go to General Settings (DeviceSetupManagementGeneral Settings), set Management TLS
Mode to either tlsv1.3_only or mixed-mode,
and then select a management server Certificate. Configuring
TLSv1.3 support disables the SSL/TLS service profile used for management
connections before the upgrade. | TLSv1.3 support goes away when you downgrade from
PAN-OS 11.0 to an earlier PAN-OS version. If you had enabled TLSv1.3
support or did not use an SSL/TLS service profile for management
connections, the firewall supports all TLS versions except TLSv1.3 (TLSv1.0-TLSv1.2)
and the associated cipher suites. However, if you used an SSL/TLS
service profile before downgrading, the firewall continues to use
that profile. |
Custom Syslog Format | None. | You must reduce the custom syslog format (DeviceServer ProfilesSyslog and PanoramaServer ProfilesSyslog) to a maximum of 2,346
characters to successfully downgrade to PAN-OS 10.2. |
User Context for the Cloud Identity Engine | Palo Alto Networks strongly recommends creating detailed
records of the mapping and tag redistribution architecture before
enabling User Context Cloud Service. If a downgrade becomes necessary,
use the architecture records to recreate that configuration after
downgrading to repopulate the mappings and tags. | After downgrading from PANOS 11.0 to an
earlier version, the User Context Cloud Service option is no longer
available. In addition, the downgrade clears IP address-to-username mappings,
IP address-to-port number mappings, quarantine lists, IP address-to-tag mappings,
and Dynamic User Group tags from the downgraded device. Before
downgrading, if you enabled the User Context Cloud Service option,
enable the previous configuration for the sources of the mappings, tags,
and quarantine lists on the firewall or Panorama so that the information repopulates
correctly after you downgrade. Palo Alto Networks recommends
using the following CLI commands on the firewall immediately before downgrading
to establish a baseline record of the data. If a downgrade is necessary,
this allows you to compare the data before and after downgrade to
verify that all necessary data is available on the firewall post-downgrade:
Using the CLI commands, compare the output
before and after downgrading to verify that the amount of data is approximately
the same and ensure the necessary data is available on the firewall
before using the firewall to enforce policy. You must manually restore
all mappings from XML API sources and any
devices that were manually added to a quarantine list. If
the mappings and tags imported using XML API and/or machines that
were manually added to the quarantine list are not imported back
and validated post downgrade, this can introduce a security risk,
as the previously quarantined users and devices may no longer be
restricted to accessing the resources they are not authorized to
access. For example, if a specific tag was assigned to a user through
the XML API that added them to a dynamic user group for quarantine,
that user is no longer be in the quarantined dynamic user group
until you manually add that user after downgrading. If you added
a device manually to the quarantine list before the downgrade, you
must add that device manually after downgrading, or the device will no
longer be quarantined, introducing a possible security risk. |
User Mapping Using NetBIOS Client Probing | As part of our continuous efforts to further strengthen
the security of User-ID and eliminate any potential security vulnerabilities
due to misconfiguration, the outdated NetBIOS client probing method of
user mapping is no longer supported in this version. If you currently
use this method to collect user mappings, you must configure an
alternate method before upgrading to ensure user identification continues
uninterrupted. For more information on alternate mapping methods,
refer to the PAN-OS documentation.
After upgrading, NetBIOS Client Probing (DeviceUser IdentificationUser MappingPalo Alto Networks User-ID Agent SetupClient Probing) is no longer available.
NetBIOS Client Probing is also no longer available in version 11.0
of the Windows User-ID agent. | None. |
OCSP over HTTP Proxy | None. | If you downgrade to a PAN-OS version earlier than PAN-OS 11.0, you'll need to use the Certificate Revocation List (CRL) method to confirm the status of certificates. OCSP traffic cannot pass through HTTP proxies in PAN-OS versions earlier than PAN-OS 11.0. |
Session offload for VM-Series firewalls | VM-Series firewalls running PAN-OS version 11.0.1 with session offload enabled experience problems when upgrading to PAN-OS version 11.0.2. To resolve this issue, remove the session offload configuration prior to upgrading to version 11.0.2. Use show deviceconfig setting session to view the session offload configuration. Remove the session offload configuration using delete deviceconfig setting session offload. | None. |
PA-5200 Series, PA-7000 Series, WF-500, and WF-500-B Firewalls
|
While upgrading to PAN-OS 11.0, the firewall may perform a file
system integrity check (FSCK), displaying the following message:
RAID log disks check in progress, please
wait. The FSCK is required for the upgrade and
may take an hour or more. Do not reboot or attempt to install
another software release while the FSCK is in progress.
|
None.
|
Panorama Management of Multi-Vsys Firewalls
Upgrade to PAN-OS 11.0 using Skip Software Version Upgrade
only
|
Before upgrading a Panorama managed multi-vsys firewall to PAN-OS
11.0 using Skip Software Version Upgrade:
|
None.
|
After you successfully upgrade a managed multi-vsys firewall to
PAN-OS 10.2 using Skip Software Version Upgrade, the firewalls
become out-of-sync on Panorama and a
full commit and push is required.
On Panorama, select Commit and Push to Devices the
entire Panorama managed configuration to the multi-vsys firewall
before you commit and push any configuration changes from
Panorama.
|