Table of Contents
Expand all | Collapse all
- Upgrade Panorama with an Internet Connection
- Upgrade Panorama Without an Internet Connection
- Install Content Updates Automatically for Panorama without an Internet Connection
- Upgrade Panorama in an HA Configuration
- Migrate Panorama Logs to the New Log Format
- Upgrade Panorama for Increased Device Management Capacity
- Upgrade Panorama and Managed Devices in FIPS-CC Mode
- Downgrade from Panorama 11.0
- Troubleshoot Your Panorama Upgrade
- What Updates Can Panorama Push to Other Devices?
- Schedule a Content Update Using Panorama
- Panorama, Log Collector, Firewall, and WildFire Version Compatibility
- Upgrade Log Collectors When Panorama Is Internet-Connected
- Upgrade Log Collectors When Panorama Is Not Internet-Connected
- Upgrade a WildFire Cluster from Panorama with an Internet Connection
- Upgrade a WildFire Cluster from Panorama without an Internet Connection
- Upgrade Firewalls When Panorama Is Internet-Connected
- Upgrade Firewalls When Panorama Is Not Internet-Connected
- Upgrade a ZTP Firewall
- Revert Content Updates from Panorama
- PAN-OS Upgrade Checklist
- Upgrade/Downgrade Considerations
- Troubleshoot Your PAN-OS Upgrade
- Upgrade the VM-Series PAN-OS Software (Standalone)
- Upgrade the VM-Series PAN-OS Software (HA Pair)
- Upgrade the VM-Series PAN-OS Software Using Panorama
- Upgrade the VM-Series Model
- Upgrade the VM-Series Model in an HA Pair
- Downgrade a VM-Series Firewall to a Previous Release
Upgrade/downgrade considerations for PAN-OS 11.0.
The following table lists the new features that have upgrade or downgrade impact. Make sure you understand all upgrade/downgrade considerations before you upgrade to or downgrade from a PAN-OS 11.0 release. For additional information about PAN-OS 11.0 releases, refer to the PAN-OS 11.0 Release Notes.
Minimum System Memory Requirement for the Panorama Virtual Appliance
Palo Alto Networks has increased the recommended Panorama virtual appliance memory requirement to a minimum of 64GB, up from 32GB. This impacts Panorama virtual appliances in Panorama and Log Collector mode to avoid any logging, management, and operational performance issues related to an under-provisioned Panorama virtual appliance.
For new Panorama virtual appliance deployments, Palo Alto Networks recommends deploying the virtual machine with a minimum of 64GB. For existing Panroama virtual appliance deployments, See Increase the CPUs and Memory of the Panorama Virtual Appliance to increase the memory for an existing Panorama virtual appliance after successful upgrade to PAN-OS 11.0.
TLSv1.3 Support for Administrative Access
The firewall automatically sets
Management TLS Modeto
nonewhen you upgrade the firewall. If you used an SSL/TLS service profile to secure management connections before the upgrade, the profile continues to work.
To enable TLSv1.3 support for administrative access, you’ll need to go to General Settings (
Management TLS Modeto either
mixed-mode, and then select a management server Certificate.
Configuring TLSv1.3 support disables the SSL/TLS service profile used for management connections before the upgrade.
TLSv1.3 support goes away when you downgrade from PAN-OS 11.0 to an earlier PAN-OS version.
If you had enabled TLSv1.3 support or did not use an SSL/TLS service profile for management connections, the firewall supports all TLS versions except TLSv1.3 (TLSv1.0-TLSv1.2) and the associated cipher suites.
However, if you used an SSL/TLS service profile before downgrading, the firewall continues to use that profile.
Custom Syslog Format
You must reduce the custom syslog format (
) to a maximum of 2,346 characters to successfully downgrade to PAN-OS 10.2.
User Context for the Cloud Identity Engine
Palo Alto Networks strongly recommends creating detailed records of the mapping and tag redistribution architecture before enabling User Context Cloud Service. If a downgrade becomes necessary, use the architecture records to recreate that configuration after downgrading to repopulate the mappings and tags.
After downgrading from PANOS 11.0 to an earlier version, the User Context Cloud Service option is no longer available. In addition, the downgrade clears IP address-to-username mappings, IP address-to-port number mappings, quarantine lists, IP address-to-tag mappings, and Dynamic User Group tags from the downgraded device.
Before downgrading, if you enabled the User Context Cloud Service option, enable the previous configuration for the sources of the mappings, tags, and quarantine lists on the firewall or Panorama so that the information repopulates correctly after you downgrade.
Palo Alto Networks recommends using the following CLI commands on the firewall immediately before downgrading to establish a baseline record of the data. If a downgrade is necessary, this allows you to compare the data before and after downgrade to verify that all necessary data is available on the firewall post-downgrade:
Using the CLI commands, compare the output before and after downgrading to verify that the amount of data is approximately the same and ensure the necessary data is available on the firewall before using the firewall to enforce policy.
If the mappings and tags imported using XML API and/or machines that were manually added to the quarantine list are not imported back and validated post downgrade, this can introduce a security risk, as the previously quarantined users and devices may no longer be restricted to accessing the resources they are not authorized to access. For example, if a specific tag was assigned to a user through the XML API that added them to a dynamic user group for quarantine, that user is no longer be in the quarantined dynamic user group until you manually add that user after downgrading. If you added a device manually to the quarantine list before the downgrade, you must add that device manually after downgrading, or the device will no longer be quarantined, introducing a possible security risk.
User Mapping Using NetBIOS Client Probing
As part of our continuous efforts to further strengthen the security of User-ID and eliminate any potential security vulnerabilities due to misconfiguration, the outdated NetBIOS client probing method of user mapping is no longer supported in this version. If you currently use this method to collect user mappings, you must configure an alternate method before upgrading to ensure user identification continues uninterrupted. For more information on alternate mapping methods, refer to the PAN-OS documentation. After upgrading, NetBIOS Client Probing (
) is no longer available. NetBIOS Client Probing is also no longer available in version 11.0 of the Windows User-ID agent.
Palo Alto Networks User-ID Agent Setup
OCSP over HTTP Proxy
If you downgrade to a PAN-OS version earlier than PAN-OS 11.0, you'll need to use the Certificate Revocation List (CRL) method to confirm the status of certificates. OCSP traffic cannot pass through HTTP proxies in PAN-OS versions earlier than PAN-OS 11.0.
Session offload for VM-Series firewalls
VM-Series firewalls running PAN-OS version 11.0.1 with session offload enabled experience problems when upgrading to PAN-OS version 11.0.2. To resolve this issue, remove the session offload configuration prior to upgrading to version 11.0.2. Use
show deviceconfig setting sessionto view the session offload configuration. Remove the session offload configuration using
delete deviceconfig setting session offload.