Upgrade/Downgrade Considerations
Upgrade/downgrade considerations for PAN-OS 11.0.
The following table lists the new features that have upgrade or downgrade impact. Make sure you understand all upgrade/downgrade considerations before you upgrade to or downgrade from a PAN-OS 11.0 release. For additional information about PAN-OS 11.0 releases, refer to the PAN-OS 11.0 Release Notes.
Feature | Upgrade Considerations | Downgrade Considerations |
---|---|---|
Minimum System Memory Requirement for the Panorama Virtual Appliance | Palo Alto Networks has increased the recommended Panorama virtual appliance memory requirement to a minimum of 64GB, up from 32GB. This applies to Panorama virtual appliances in Panorama and Log Collector mode and avoids logging, management, and operational performance issues caused by an under-provisioned Panorama virtual appliance. For new Panorama virtual appliance deployments, Palo Alto Networks recommends deploying the virtual machine with a minimum of 64GB. For existing Panorama virtual appliance deployments, see Increase the CPUs and Memory of the Panorama Virtual Appliance to increase the memory of an existing Panorama virtual appliance after a successful upgrade to PAN-OS 11.0. | None. |
TLSv1.3 Support for Administrative Access | The firewall automatically sets Management TLS Mode to excludetlsv1.3_only and Certificate to none when you upgrade the firewall. If you used an SSL/TLS service profile to secure management connections before the upgrade, the profile continues to work. To enable TLSv1.3 support for administrative access, go to General Settings (Device > Setup > Management > General Settings), set Management TLS Mode to either tlsv1.3_only or mixed-mode, and then select a management server Certificate. Configuring TLSv1.3 support disables the SSL/TLS service profile that was used for management connections before the upgrade. | TLSv1.3 support goes away when you downgrade from PAN-OS 11.0 to an earlier PAN-OS version. If you had enabled TLSv1.3 support or did not use an SSL/TLS service profile for management connections, the firewall supports all TLS versions except TLSv1.3 (TLSv1.0 through TLSv1.2) and the associated cipher suites. However, if you used an SSL/TLS service profile before downgrading, the firewall continues to use that profile. |
Custom Syslog Format | None. | You must reduce the custom syslog format (Device > Server Profiles > Syslog or Panorama > Server Profiles > Syslog) |
User Context for the Cloud Identity Engine | Palo Alto Networks strongly recommends creating detailed records of the mapping and tag redistribution architecture before enabling User Context Cloud Service. If a downgrade becomes necessary, use the architecture records to recreate that configuration after downgrading so that the mappings and tags are repopulated. | After downgrading from PAN-OS 11.0 to an earlier version, the User Context Cloud Service option is no longer available. In addition, the downgrade clears IP address-to-username mappings, IP address-to-port number mappings, quarantine lists, IP address-to-tag mappings, and Dynamic User Group tags from the downgraded device. If you enabled the User Context Cloud Service option, then before downgrading, enable the previous configuration for the sources of the mappings, tags, and quarantine lists on the firewall or Panorama so that the information repopulates correctly after you downgrade. Palo Alto Networks recommends using the following CLI commands on the firewall immediately before downgrading to establish a baseline record of the data. If a downgrade is necessary, this allows you to compare the data before and after the downgrade to verify that all necessary data is available on the firewall post-downgrade: Using the CLI commands, compare the output before and after downgrading to verify that the amount of data is approximately the same and ensure the necessary data is available on the firewall before using the firewall to enforce policy. You must manually restore all mappings from XML API sources and any devices that were manually added to a quarantine list. If the mappings and tags imported using the XML API and/or machines that were manually added to the quarantine list are not imported back and validated post-downgrade, this introduces a security risk, because previously quarantined users and devices may no longer be blocked from resources they are not authorized to access. For example, if a specific tag was assigned to a user through the XML API that added them to a dynamic user group for quarantine, that user is no longer in the quarantined dynamic user group until you manually add that user after downgrading. If you added a device manually to the quarantine list before the downgrade, you must add that device manually after downgrading, or the device will no longer be quarantined, introducing a possible security risk. |
User Mapping Using NetBIOS Client Probing | As part of our continuous efforts to further strengthen the security of User-ID and eliminate any potential security vulnerabilities due to misconfiguration, the outdated NetBIOS client probing method of user mapping is no longer supported in this version. If you currently use this method to collect user mappings, you must configure an alternate method before upgrading to ensure user identification continues uninterrupted. For more information on alternate mapping methods, refer to the PAN-OS documentation. After upgrading, NetBIOS Client Probing (Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Client Probing | None. |
OCSP over HTTP Proxy | None. | If you downgrade to a PAN-OS version earlier than PAN-OS 11.0, you'll need to use the Certificate Revocation List (CRL) method to confirm the status of certificates. OCSP traffic cannot pass through HTTP proxies in PAN-OS versions earlier than PAN-OS 11.0. |
Session offload for VM-Series firewalls | VM-Series firewalls running PAN-OS version 11.0.1 with session offload enabled experience problems when upgrading to PAN-OS version 11.0.2. To resolve this issue, remove the session offload configuration prior to upgrading to version 11.0.2. Use show deviceconfig setting session to view the session offload configuration. Remove the session offload configuration using delete deviceconfig setting session offload. | None. |
PA-5200 Series, PA-7000 Series, WF-500, and WF-500-B Firewalls | While upgrading to PAN-OS 11.0, the firewall may perform a file system integrity check (FSCK), displaying the following message: RAID log disks check in progress, please wait. The FSCK is required for the upgrade and may take an hour or more. Do not reboot or attempt to install another software release while the FSCK is in progress. | None. |
Panorama Management of Multi-Vsys Firewalls (Upgrade to PAN-OS 11.0 using Skip Software Version Upgrade only) | Before upgrading a Panorama managed multi-vsys firewall to PAN-OS 11.0 using Skip Software Version Upgrade: After you successfully upgrade a managed multi-vsys firewall to PAN-OS 10.2 using Skip Software Version Upgrade, the firewalls become out-of-sync on Panorama and a full commit and push is required. On Panorama, select Commit and Push to Devices to push the entire Panorama managed configuration to the multi-vsys firewall before you commit and push any configuration changes from Panorama. | None. |
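The before/after comparison that the User Context for the Cloud Identity Engine row asks for, as an added example that is not part of the PAN-OS documentation: it parses two saved text dumps of IP address-to-username mappings, counts what survived the downgrade, and lists the lost entries by source so the XML API mappings that must be re-added by hand stand out. The command name (show user ip-user-mapping all), the simplified column layout and the sample dumps are assumptions constructed for this example.

```python
import re
from collections import Counter

# Constructed sample dumps in a simplified column layout (IP, Vsys, From, User);
# real "show user ip-user-mapping all" output has more columns, which the regex ignores.
BEFORE = """\
IP              Vsys   From    User
--------------- ------ ------- ----------------
10.1.1.5        vsys1  XMLAPI  acme\\alice
10.1.1.6        vsys1  XMLAPI  acme\\bob
10.1.2.7        vsys1  AD      acme\\carol
10.1.2.8        vsys1  AD      acme\\dave
Total: 4 users
"""
AFTER = """\
IP              Vsys   From    User
--------------- ------ ------- ----------------
10.1.2.7        vsys1  AD      acme\\carol
10.1.2.8        vsys1  AD      acme\\dave
Total: 2 users
"""

# A data row starts with an IPv4 address; header, separator and total lines do not.
ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_mappings(dump):
    """Return {(ip, vsys): (source, user)} for every mapping row in a CLI dump."""
    mappings = {}
    for line in dump.splitlines():
        m = ROW.match(line)
        if m:
            ip, vsys, source, user = m.groups()
            mappings[(ip, vsys)] = (source, user)
    return mappings


def compare_dumps(before, after, manual_sources=("XMLAPI",)):
    """Count mappings before and after; list those that must be re-added by hand.
    Agent/syslog mappings repopulate once their sources are re-enabled; XML API ones do not."""
    b, a = parse_mappings(before), parse_mappings(after)
    lost = {key: val for key, val in b.items() if key not in a}
    return {
        "before": len(b),
        "after": len(a),
        "lost_by_source": dict(Counter(src for src, _ in lost.values())),
        "restore_manually": sorted(f"{ip} {user}" for (ip, _), (src, user) in lost.items()
                                   if src in manual_sources),
    }
```

Run the same comparison for the IP address-to-port and registered-IP (tag) dumps; a non-empty restore_manually list means policy must not be enforced on the downgraded firewall until those entries are back.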