Upgrade/Downgrade Considerations

Upgrade/downgrade considerations for PAN-OS 11.0.
The following table lists the new features that have upgrade or downgrade impact. Make sure you understand all upgrade/downgrade considerations before you upgrade to or downgrade from a PAN-OS 11.1 release. For additional information about PAN-OS 11.1 releases, refer to the PAN-OS 11.1 Release Notes.
Feature
Upgrade Considerations
Downgrade Considerations

Per Policy Persistent DIPP
Upgrade Considerations: When using Panorama to upgrade the firewall from PAN-OS 11.0.0 to 11.1.1, regular DIPP NAT rules should be converted to persistent DIPP NAT rules, but that conversion fails and the rules remain as regular DIPP NAT rules.
Downgrade Considerations: When using Panorama to downgrade the firewall from PAN-OS 11.1.1 to 11.0.0, per policy persistent DIPP NAT rules are converted to regular DIPP NAT rules.

TLSv1.3 Support for GlobalProtect
Upgrade Considerations: If you upgrade to PAN-OS 11.1 from an earlier PAN-OS version with Max Version set to Max in the SSL/TLS service profile, the TLS version will be replaced with TLSv1.2 after the upgrade.
If you upgrade to a later PAN-OS version from PAN-OS 11.1 with Max Version set to <TLS Version> in the SSL/TLS service profile, the TLS version will remain at the configured <TLS Version> after the upgrade. No version is replaced, because the versions are already configured in 11.1.x itself.
Downgrade Considerations: If you downgrade from PAN-OS 11.1 with TLSv1.3 to an earlier PAN-OS version, TLSv1.3 will be replaced with TLSv1.2 after you downgrade. The downgrade will succeed, but auto commit will fail if you had selected the TLSv1.3 aes-chacha20-poly1305 cipher in PAN-OS 11.1, which is not supported in the earlier PAN-OS versions. You must add or replace the appropriate supported ciphers in the downgraded version and commit the changes manually.

Upgrading the VM-50 and VM-50L
Upgrade Considerations: Before upgrading your VM-50 or VM-50L firewall to PAN-OS 11.1, you must first upgrade your VM-Series plugin to version 4.0.3-h1.
Downgrade Considerations: None.

Collector Groups
Upgrade Considerations: After upgrade to PAN-OS 11.1, downgrade to PAN-OS 11.0 or earlier releases is not supported.
Downgrade Considerations: Downgrade to PAN-OS 11.0 or earlier release from PAN-OS 11.1 is not supported and may result in log loss.

Upgrade Considerations: All Log Collectors in a Collector Group must be upgraded at the same time. Upgrading some, but not all, Log Collectors in a Collector Group during an upgrade window is not supported.
Downgrade Considerations: None.

Upgrade Considerations: All logs generated while running a PAN-OS 10.0 or earlier release are deleted on upgrade to PAN-OS 11.1. Before the upgrade begins, you are prompted that these logs are deleted on upgrade.
Downgrade Considerations: None.

Upgrade Considerations: Log Collectors running PAN-OS 11.1 must be onboarded using the device registration authentication for inter-Log Collector communication.
On your upgrade path to PAN-OS 11.1, Log Collectors added to Panorama management when running PAN-OS 9.1 or earlier release must first be upgraded to PAN-OS 10.1 or later release and re-onboarded to Panorama management using the device registration authentication key.
Upgrade to PAN-OS 11.1 is blocked if Log Collectors onboarded to Panorama management without the device registration authentication key are detected.
Downgrade Considerations: None.

Upgrade Considerations: If you are using Collector Groups, the following requirements must be met to upgrade to 11.1.0.
  • You must perform a manual Collector Group push after the upgrade to 11.1 to upgrade managed log collectors.
    PAN-OS requires all log collectors within a Collector Group to be on the same version.
  • You must register your log collectors with Panorama using a device registration authentication key.
    If the device registration authentication key does not initialize correctly, the log collector fails to form the connections to the peer nodes.
Downgrade Considerations: Downgrade is not recommended. If you choose to downgrade from 11.1, the following actions are required. These actions must be performed on Panorama running 11.1 before you begin downgrading.
  • Manually delete all esdata directories with the following CLI command:
    debug elasticsearch erase data
    Use the logdb migrate command to restore the logs if needed.
  • Commit and push the changes to the Collector Group and all managed devices.
If you have already downgraded from PAN-OS 11.1 and ElasticSearch is caught in a restart loop, please contact Palo Alto Networks Support.

Upgrade Considerations: After upgrading Log Collectors to PAN-OS 11.1, the following TCP ports are now required for inter-Log Collector communication and must be opened on your network.
  • TCP/9300
  • TCP/9301
  • TCP/9302
Downgrade Considerations: None.

Pan Service Proxy
Upgrade Considerations: None.
Downgrade Considerations: Downgrading a next-generation firewall from PAN-OS 11.1 will fail if it has pan service proxy enabled. To downgrade successfully, disable pan service proxy before you downgrade.
  • Next-generation firewall: Select Network > Proxy, click the settings icon for Proxy Enablement, choose None, and then click OK.
  • Panorama: Select Templates > Network > Proxy, click the settings icon for Proxy Enablement, choose None, and then click OK.

Authentication sequence
Upgrade Considerations: When you upgrade to PAN-OS 11.1.1, the "Exit the sequence on failed authentication" option is no longer dependent on the "Use domain to determine authentication profile" option.
Downgrade Considerations: If you select the "Exit the sequence on failed authentication" option, downgrading from PAN-OS 11.1.1 to a previous version is not successful unless the "Exit the sequence on failed authentication" option is not selected or unless both the "Exit the sequence on failed authentication" option and the "Use domain to determine authentication profile" option are selected.
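
A reachability check for the inter-Log Collector ports listed under Collector Groups (TCP/9300, TCP/9301, TCP/9302), as an added example that is not part of the original documentation or of any Palo Alto Networks tooling. The function names and the peer address are assumptions, and the results describe the path from the host that runs the script, so run it from a host whose traffic crosses the same firewalls and ACLs as the collectors' traffic.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports the page lists as required between Log Collectors on PAN-OS 11.1.
INTER_LC_PORTS = (9300, 9301, 9302)


def probe(host, port, timeout=2.0):
    """Classify one TCP connect attempt as open, refused, filtered or error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # A reset came back: the path is permitted but nothing is listening.
        return "refused"
    except socket.timeout:
        # No answer at all: typically a firewall or ACL dropping the SYN.
        return "filtered"
    except OSError as exc:
        # Unroutable network, name resolution failure, and similar.
        return f"error: {exc.strerror or exc}"


def check_peers(peers, ports=INTER_LC_PORTS, timeout=2.0):
    """Probe every (peer, port) pair concurrently; return {(host, port): status}."""
    targets = [(host, port) for host in peers for port in ports]
    with ThreadPoolExecutor(max_workers=16) as pool:
        statuses = list(pool.map(lambda t: probe(t[0], t[1], timeout), targets))
    return dict(zip(targets, statuses))


def not_open(results):
    """Return the sorted (host, port) pairs that did not accept a connection."""
    return sorted(t for t, status in results.items() if status != "open")


if __name__ == "__main__":
    # Constructed peer list; replace with your Log Collector addresses.
    peers = ["127.0.0.1"]
    results = check_peers(peers)
    for (host, port), status in sorted(results.items()):
        print(f"{host}:{port:<5} {status}")
    if not_open(results):
        raise SystemExit("one or more inter-Log Collector ports are not open")
```

A "filtered" result points at the network path, while "refused" means the path is open and the service on the collector is not listening on that port.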
