Upgrade Panorama and Managed Devices in FIPS-CC Mode
Table of Contents
11.0 (EoL)
Expand all | Collapse all
-
-
- Upgrade Panorama with an Internet Connection
- Upgrade Panorama Without an Internet Connection
- Install Content Updates Automatically for Panorama without an Internet Connection
- Upgrade Panorama in an HA Configuration
- Migrate Panorama Logs to the New Log Format
- Upgrade Panorama for Increased Device Management Capacity
- Upgrade Panorama and Managed Devices in FIPS-CC Mode
- Downgrade from Panorama 11.0
- Troubleshoot Your Panorama Upgrade
-
- What Updates Can Panorama Push to Other Devices?
- Schedule a Content Update Using Panorama
- Panorama, Log Collector, Firewall, and WildFire Version Compatibility
- Upgrade Log Collectors When Panorama Is Internet-Connected
- Upgrade Log Collectors When Panorama Is Not Internet-Connected
- Upgrade a WildFire Cluster from Panorama with an Internet Connection
- Upgrade a WildFire Cluster from Panorama without an Internet Connection
- Upgrade Firewalls When Panorama Is Internet-Connected
- Upgrade Firewalls When Panorama Is Not Internet-Connected
- Upgrade a ZTP Firewall
- Revert Content Updates from Panorama
-
End-of-Life (EoL)
Upgrade Panorama and Managed Devices in FIPS-CC Mode
Upgrade Panorama and managed firewalls, Log Collectors,
and WildFire appliances in FIPS-CC mode.
On successful upgrade to PAN-OS 11.0, all managed devices in FIPS-CC mode and any managed device
added to Panorama when the device was running a PAN-OS 10.0 release must be
re-onboarded to Panorama management. This requires you to reset the secure
connection status for Panorama in FIPS-CC mode and for any managed devices in
FIPS-CC mode. After resetting the secure connection status, you must add the
firewall, Log Collector, and WildFire appliance added to Panorama using the device registration authentication
key back to Panorama management. This procedure is not required for and
does not impact managed devices added to Panorama while running PAN-OS 10.0 or
earlier release. This is required for all supported Panorama models and Next-Generation firewall hardware and VM-Series
models in FIPS-CC mode.
- Create a list of your managed devices in FIPS-CC mode and any managed device added to Panorama using the device registration authentication key. This will help you later on to focus your efforts when you re-onboard your managed devices to Panorama management.Upgrade Panorama and managed devices to PAN-OS 11.0.After successful upgrade to PAN-OS 11.0, review the system logs on Panorama to identify which managed devices in FIPS-CC mode are unable to connect to Panorama.Reset the secure connection state on Panorama.This step resets connectivity for any managed device added to Panorama management while running a PAN-OS 11.0 release and is irreversible. This step has no impact on the connectivity status of firewalls added when running PAN-OS 10.0 or earlier release that are upgraded to PAN-OS 11.0.
- Log in to the Panorama CLI.Reset the secure connection status.admin> request sc3 resetRestart the management server on Panorama.admin> debug software restart process management-server(HA only) Repeat this step for each peer in the high availability (HA) configuration.Reset the secure connection state on the managed device in FIPS-CC mode.This step resets the managed device connection and is irreversible.
- Log in to the managed device CLI.Reset the secure connection state.admin> request sc3 resetRestart the management server on the managed device.admin> debug software restart process management-serverAdd the impacted managed devices back to Panorama.Regenerate or re-import all certificates to adhere to OpenSSL Security Level 2.On upgrade to PAN-OS 11.0, it is required that all certificates meet the following minimum requirements:
- RSA 2048 bits or greater, or ECDSA 256 bits or greater
- Digest of SHA256 or greater
See the PAN-OS Administrator's Guide or Panorama Administrator's Guide for more information on regenerating or re-importing your certificates.