Upgrade/Downgrade Considerations

Upgrade/downgrade considerations for PAN-OS 11.1 and later releases.
The following table lists the new features that have upgrade or downgrade impact. Make sure you understand all upgrade/downgrade considerations before you upgrade to or downgrade from a PAN-OS 11.1 or later release. For additional information about PAN-OS 11.1 and later releases, refer to the PAN-OS Release Notes.
Each entry below gives the feature and the release it applies to, followed by its upgrade considerations and its downgrade considerations.

Panorama Management of Multi-Vsys Firewalls with Full Shared Optimization (12.1.2 and later releases)
Upgrade considerations:
Follow these steps to upgrade a firewall with HA enabled, so that the pair stays operational and is fully compatible with the new Full Shared Optimization feature.
  1. Upgrade the passive firewall first.
  2. After the upgrade is complete, perform a failover to make the upgraded firewall the new active peer.
  3. Upgrade the newly passive firewall.
This process keeps the HA pair operational throughout the upgrade. After both firewalls in the HA pair are upgraded, they are fully compatible with the new Full Shared Optimization feature.
When upgrading a standalone firewall, simply upgrade it to a version that supports Full Shared Optimization.
For more information on Full Shared Optimization, see Device Group Push to a Multi-VSYS Firewall.
Downgrade considerations:
When downgrading a firewall from a version that supports Full Shared Optimization to one that does not, the system blocks the downgrade if any shared object count exceeds 30. For example, you cannot downgrade a firewall running 12.1.x to 11.2.x or earlier while it has more than 30 External Dynamic List (EDL) objects. To proceed, either upgrade the firewall to a preferred release or reduce the shared objects to 30 or fewer.
Specifically, before downgrading from 12.1.x to 11.1.x or an earlier release, you must follow three steps:
  1. Reduce shared object configurations to their previous capacity limits. For example, if you have configured 2500 URL objects per vsys in 12.1.2, reduce them to 500.
  2. Turn off the feature: on a standalone firewall, run the command debug device-server pan-url-db cc-id-type off; on a Panorama-managed firewall, set the shared-optimization mode on Panorama to Partial.
  3. Commit these changes on Panorama and push them to the firewalls so that the necessary configuration adjustments are applied.

PA-5450 Firewall (PAN-OS 12.1.2)
Upgrade considerations:
When upgrading the firewall from PAN-OS 10.1.x, you must first upgrade to PAN-OS 10.2.x or 11.x, then complete the upgrade path to PAN-OS 12.1.2.
Downgrade considerations: None.

IPv6 Support for Geolocation (PAN-OS 12.1.2)
Upgrade considerations: None.
Downgrade considerations:
When downgrading from a VM-Series Tier 3 or Tier 2 memory profile to a Tier 1 memory profile, you must first clear Enable IPv6 Geolocation (Device > Sessions > Session Settings) before downgrading; otherwise the commit fails.

Network Discovery plugin (PAN-OS 12.1.2)
Upgrade considerations: None.
Downgrade considerations:
When downgrading from PAN-OS 12.1.2, you must remove the Network Discovery plugin configuration and then uninstall the plugin.

Panorama and IKE Gateway (PAN-OS 12.1.2)
Upgrade considerations:
When upgrading Panorama from version 11.1 or earlier to 11.2 or 12.1, inconsistencies may occur if different IKE versions are configured for the same IKE gateway across one or more templates and the Overwrite option is used for configuration overrides related to that IKE gateway. This issue doesn't affect IKE gateways where no fields have been overwritten, and doesn't impact NGFW upgrades.
Workaround: After upgrading Panorama, review the IKE gateway configuration across all templates. Ensure that the IKE version is consistent across templates for a specific gateway before pushing configurations to the firewalls.
Downgrade considerations:
When downgrading Panorama from version 11.2 or 12.1 to 11.1 or earlier, inconsistencies may occur if different IKE versions are configured for the same IKE gateway across one or more templates and the Overwrite option is used for configuration overrides related to that IKE gateway. This issue doesn't affect IKE gateways where no fields have been overwritten, and doesn't impact NGFW downgrades.
Workaround: After downgrading Panorama, review the IKE gateway configuration across all templates. Ensure that the IKE version is consistent across templates for a specific gateway before pushing configurations to the firewalls.
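One way to carry out the template review that both workarounds call for, as an added example that is not Palo Alto Networks code: it reads a Panorama configuration export and lists every IKE gateway name whose IKE version differs between templates. The element layout assumed for the export (template/entry/config/devices/entry/network/ike/gateway/entry/protocol/version) and the sample document are assumptions; adjust the two XPath constants to your own export.

```python
"""Flag IKE gateways whose IKE version differs between Panorama templates.

Added example, not Palo Alto Networks code; the export layout is assumed.
"""
from collections import defaultdict
import xml.etree.ElementTree as ET

# Constructed sample export: "gw-branch" is IKEv1 in one template and IKEv2 in
# the other, while "gw-dc" is consistent across both.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><template>
    <entry name="tpl-east"><config><devices><entry name="localhost.localdomain">
      <network><ike><gateway>
        <entry name="gw-branch"><protocol><version>ikev1</version></protocol></entry>
        <entry name="gw-dc"><protocol><version>ikev2</version></protocol></entry>
      </gateway></ike></network>
    </entry></devices></config></entry>
    <entry name="tpl-west"><config><devices><entry name="localhost.localdomain">
      <network><ike><gateway>
        <entry name="gw-branch"><protocol><version>ikev2</version></protocol></entry>
        <entry name="gw-dc"><protocol><version>ikev2</version></protocol></entry>
      </gateway></ike></network>
    </entry></devices></config></entry>
  </template></entry></devices>
</config>"""

TEMPLATE_XPATH = "./devices/entry/template/entry"                   # assumed layout
GATEWAY_XPATH = "./config/devices/entry/network/ike/gateway/entry"  # assumed layout


def ike_versions_by_gateway(config_xml: str) -> dict:
    """Map gateway name -> {template name: IKE version} across all templates."""
    root = ET.fromstring(config_xml)
    versions = defaultdict(dict)
    for tpl in root.iterfind(TEMPLATE_XPATH):
        for gw in tpl.iterfind(GATEWAY_XPATH):
            # A gateway with no explicit version still belongs in the review,
            # so record it as "unset" rather than skipping it.
            version = gw.findtext("protocol/version") or "unset"
            versions[gw.get("name")][tpl.get("name")] = version
    return dict(versions)


def inconsistent_gateways(config_xml: str) -> dict:
    """Return only the gateways whose IKE version differs between templates."""
    return {gw: tpls for gw, tpls in ike_versions_by_gateway(config_xml).items()
            if len(set(tpls.values())) > 1}


if __name__ == "__main__":
    for gw, tpls in inconsistent_gateways(SAMPLE_CONFIG).items():
        print(gw + ": " + ", ".join(f"{t}={v}" for t, v in sorted(tpls.items())))
```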

NGFW Clustering (PAN-OS 12.1.2)
Upgrade considerations:
When you upgrade from a PAN-OS 11.1.5 or later 11.1 release to a PAN-OS 12.1.2 or later 12.1 release, upgrade the PA-7500 Series firewalls in an NGFW cluster in parallel, not individually.
Downgrade considerations: None.

Upgrade Checks (PAN-OS 12.1.2)
Upgrade considerations:
In PAN-OS 12.1.2, when multiple parallel health check reports for firewalls are generated from Panorama, whether by the same user or by different users, the requests may time out.
Downgrade considerations: None.

IPv6 Support on Cellular Interfaces for PA-415-5G Firewalls (PAN-OS 11.2.3 and PAN-OS 11.1.5)
Upgrade considerations: None.
Downgrade considerations:
Before downgrading a PA-415-5G firewall to a release earlier than PAN-OS 11.2.3 or earlier than PAN-OS 11.1.5, if you have an IPv6 address configured on a cellular interface, configure the interface with an IPv4 address and remove the IPv6 address. Otherwise, the firewall blocks the downgrade.

NPTv6 with Dynamically Assigned IPv6 Address Prefix (PAN-OS 11.1)
Upgrade considerations: None.
Downgrade considerations:
Before downgrading to a release earlier than PAN-OS 11.1.5, disable NPTv6 on any interface that has a dynamically assigned IPv6 address, or remove the configuration. (The downgrade block is unavailable between PAN-OS 11.1.5 and 11.1.0; therefore, the image downgrade succeeds, but the auto commit fails.)

IKE Gateway with Dynamic IPv6 Address Assignment (PAN-OS 11.1)
Upgrade considerations: None.
Downgrade considerations:
If you downgrade to a release that doesn't support IKE gateway with dynamic IPv6 address assignment (a release earlier than PAN-OS 11.1.5), the NGFW disables the IPSec tunnel. You must load a supported configuration that matches the PAN-OS version to which you downgraded.

Overlapping IP Address Support (PAN-OS 11.1)
Upgrade considerations: None.
Downgrade considerations:
A downgrade attempt to a release earlier than PAN-OS 11.1.4 is blocked when Duplicate IP Address Support is enabled. The following error message appears on a downgrade attempt: "Failed to downgrade. Duplicate IP address is not supported in older versions. Please remove all duplicate IP address configuration, disable Duplicate IP Address Support, and commit before proceeding with the downgrade."

Advanced Routing Engine (PAN-OS 11.2.0)
Upgrade considerations:
In PAN-OS 11.2.0, when Advanced Routing is enabled, IP multicast is not supported. An upcoming version will provide support for this feature. Customers who have multicast configured or who plan to deploy multicast routing should not upgrade to 11.2.0.
Additionally, in PAN-OS 11.2.0, when Advanced Routing is enabled, the BGP dampening configuration isn't applied to any peers or peer group; the configuration is preserved but has no effect on BGP. Customers can use BGP even if they have applied a Dampening profile to a specific set of peers. The issue doesn't affect any other BGP features.
Downgrade considerations: None.

TLSv1.3 Support for HSM Integration with SSL Inbound Inspection (PAN-OS 11.2)
Upgrade considerations: None.
Downgrade considerations:
Downgrading from PAN-OS 11.2 to an earlier version removes support for establishing and decrypting TLSv1.3 sessions when the private keys of internal servers are stored on an HSM. Even if both client and server support TLSv1.3, the appliance establishes a TLSv1.2 connection.

Authenticate LSVPN Satellite with Serial Number and IP Address Method (PAN-OS 11.1.3 and later releases)
Upgrade considerations:
PAN-OS stores the configuration changes in the database internally. Therefore, the latest saved configuration is applied when you upgrade to this feature.
After you upgrade from PAN-OS 10.0 or an earlier release to PAN-OS 10.1 or a later release (with the Username/password and Satellite Cookie Authentication method enabled), an expired satellite cookie results in a login failure.
In this case, enter the username and password to authenticate successfully.
Downgrade considerations:
  • If you downgrade to PAN-OS 10.1 or a later release, only the Username/password and Satellite Cookie Authentication method is supported.
  • If you download and install a minor version of the plugin and then downgrade to another minor version of the same release, the configuration made on the minor version before the downgrade takes effect on the downgraded minor version of the same release.
    PAN-OS stores the configuration changes in the database internally. Therefore, the latest saved configuration is applied when you downgrade from this feature.
    For example, suppose you have installed SD-WAN plugin 11.1.5 with one configuration (configuration 1) and then downgrade to another minor version of the same release, 11.1.4, which had a different configuration (configuration 2). In this case, the configuration of the minor version before the downgrade, configuration 1, takes effect on the downgraded minor version, 11.1.4.
Upgrade considerations:
After you upgrade from PAN-OS 10.0 or an earlier release, or from a PAN-OS 10.1 or later release, to PAN-OS 11.1.3, consider the following:
  • If you have disabled the Serial number and IP Address Authentication method and the satellite cookie expires, the login fails. In this case, the administrator should enter the username and password to authenticate successfully.
  • If you have enabled the Serial number and IP Address Authentication method, the satellite serial number is registered with the GlobalProtect portal, and the IP address is present in the IP allow list, the login succeeds.
  • If you have enabled the Serial number and IP Address Authentication method but the satellite serial number is not registered with the GlobalProtect portal, or the IP address is not present in the IP allow list, the login fails. In this case, the firewall does not fall back to any other authentication method, and the result is an authentication failure. After an authentication failure, the satellite waits until the configured retry interval has elapsed before attempting to authenticate again. Ensure that the satellite serial number is registered with the portal correctly and that the satellite IP address is present in the IP allow list for successful authentication.
Downgrade considerations:
  • If you downgrade to a PAN-OS release earlier than 10.1, only the serial number authentication method is supported.
  • If you downgrade to a PAN-OS release later than 10.1 and earlier than 10.2.8, the Username/password and Satellite Cookie Authentication method is supported.
  • If you downgrade to PAN-OS 10.2.8 or a later 10.2 release, both the 'Username/password and Satellite Cookie Authentication' and the 'Serial number and IP address Authentication' methods are supported.

Per Policy Persistent DIPP (PAN-OS 11.1)
Upgrade considerations:
When using Panorama to upgrade the firewall from PAN-OS 11.0.0 to 11.1.1, regular DIPP NAT rules should be converted to persistent DIPP NAT rules, but that conversion fails and the rules remain regular DIPP NAT rules.
Downgrade considerations:
When using Panorama to downgrade the firewall from PAN-OS 11.1.1 to 11.0.0, per policy persistent DIPP NAT rules are converted to regular DIPP NAT rules.

TLSv1.3 Support for GlobalProtect (PAN-OS 11.1)
Upgrade considerations:
If you upgrade to PAN-OS 11.1 from an earlier PAN-OS version with Max Version set to Max in the SSL/TLS service profile, the TLS version is replaced with TLSv1.2 after the upgrade.
If you upgrade to a later PAN-OS version from PAN-OS 11.1 with Max Version set to a specific <TLS Version> in the SSL/TLS service profile, the configured <TLS Version> is kept after the upgrade. No replacement takes place because the versions are already configured in 11.1.x itself.
Downgrade considerations:
If you downgrade from PAN-OS 11.1 with TLSv1.3 to an earlier PAN-OS version, TLSv1.3 is replaced with TLSv1.2 after the downgrade. The downgrade succeeds, but the auto commit fails if you had selected the TLS v1.3 aes-chacha20-poly1305 cipher in PAN-OS 11.1, because that cipher is not supported in the earlier PAN-OS versions. You must add or replace the appropriate supported ciphers on the downgraded version and commit the changes manually.

Upgrading Virtual Panorama on VM ESXi (PAN-OS 12.1.2)
Upgrade considerations:
Starting in PAN-OS 12.1.2, the VM Panorama requires a minimum 224GB disk. Before upgrading to 12.1.2, you must migrate the disk to 224GB.
Downgrade considerations: None.

Upgrading the VM-50, VM-50L, and VM-100 (PAN-OS 12.1.2)
Upgrade considerations:
Starting in PAN-OS 12.1.2, the VM-50, VM-50L, and VM-100 require a minimum of 8GB of memory. If your VM-Series has less than 8GB of memory, the firewall blocks the upgrade to PAN-OS 12.1.2.
Additionally, the maximum session count has changed for the VM-100 and VM-300 models with the following allocated memory:
  • VM-100 with 8GB: 64,000
  • VM-300 with 9GB: 128,000
Downgrade considerations: None.

Upgrading Flexible VM-Series Firewalls (PAN-OS 12.1.2)
Upgrade considerations:
Starting with PAN-OS 12.1.2, flexible VM-Series firewalls require a minimum of 8GB of memory. If your VM-Series has less than 8GB of memory, the firewall blocks the upgrade to PAN-OS 12.1.2.
Additionally, the maximum session count has changed for the following tier/memory combinations:
  • Tier 1 with 8GB: 64,000
  • Tier 2 with 9GB: 128,000
  • Tier 2 with 10GB: 128,000
  • Tier 2 with 12GB: 256,000
  • Tier 2 with 14GB: 512,000
Downgrade considerations: None.

Upgrading the VM-50 and VM-50L (PAN-OS 11.1)
Upgrade considerations:
Before upgrading your VM-50 or VM-50L firewall to PAN-OS 11.1, the following minimum plugin versions must be installed:
  • Upgrading from PAN-OS 10.2: minimum plugin version 3.0.6
  • Upgrading from PAN-OS 11.0: minimum plugin version 4.0.3-h1
Downgrade considerations: None.

VM-Series Firewalls (PAN-OS 11.1)
Upgrade considerations:
When upgrading VM-Series firewalls from PAN-OS versions 10.1.x through 11.1.x, you must upgrade the VM-Series plugin to a version later than 2.1.6 on all 10.1.x firewalls before performing the upgrade, to avoid HA issues.
Downgrade considerations: None.

Collector Groups (PAN-OS 11.1)
Upgrade considerations:
All logs generated while running a PAN-OS 10.0 or earlier release are deleted on upgrade to PAN-OS 11.1.1.
To recover logs generated in a PAN-OS 11.0 or earlier release, you must upgrade to PAN-OS 11.1.2 or a later release, where you can manually recover all impacted logs using CLI commands provided by Palo Alto Networks.
Downgrade considerations:
Downgrade is not recommended. If you choose to downgrade from 11.1, all logs generated in PAN-OS 11.1 are deleted and need to be manually recovered. To recover logs generated in 11.1, you must:
  1. Upgrade to PAN-OS 11.1.2 or a later 11.1 release.
    This is required to successfully recover impacted logs.
  2. Log in to the Log Collector CLI and delete all esdata directories.
    admin> debug elasticsearch erase data
  3. Downgrade to your target PAN-OS version.
  4. Commit and push the changes to the Collector Group and all managed devices.
  5. Log in to the Log Collector CLI and recover the impacted logs.
    admin> debug logdb migrate-lc start log-type all
If you have already downgraded from PAN-OS 11.1 and ElasticSearch is caught in a restart loop, contact Palo Alto Networks Support.
Upgrade considerations:
All Log Collectors in a Collector Group must be upgraded at the same time. Upgrading some, but not all, Log Collectors in a Collector Group during an upgrade window is not supported.
Downgrade considerations: None.
Upgrade considerations:
Log Collectors running PAN-OS 11.1 must be onboarded using device registration authentication for inter-Log Collector communication.
On your upgrade path to PAN-OS 11.1, Log Collectors that were added to Panorama management while running PAN-OS 9.1 or an earlier release must first be upgraded to PAN-OS 10.1 or a later release and re-onboarded to Panorama management using the device registration authentication key.
The upgrade to PAN-OS 11.1 is blocked if Log Collectors onboarded to Panorama management without the device registration authentication key are detected.
Downgrade considerations: None.
Upgrade considerations:
If you are using Collector Groups, the following requirements must be met to upgrade to 11.1.0:
  • You must perform a manual Collector Group push after the upgrade to 11.1 to upgrade managed Log Collectors.
    PAN-OS requires all Log Collectors within a Collector Group to be on the same version.
  • You must register your Log Collectors with Panorama using a device registration authentication key.
    If the device registration authentication key does not initialize correctly, the Log Collector fails to form connections to the peer nodes.
Downgrade considerations: None.
Upgrade considerations:
After upgrading Log Collectors to PAN-OS 11.1, the following TCP ports are required for inter-Log Collector communication and must be opened on your network:
  • TCP/9300
  • TCP/9301
  • TCP/9302
Downgrade considerations: None.

Pan Service Proxy (PAN-OS 11.1)
Upgrade considerations: None.
Downgrade considerations:
Downgrading a next-generation firewall from PAN-OS 11.1 fails if it has pan service proxy enabled. To downgrade successfully, disable pan service proxy before you downgrade.
Next-generation firewall: Select Network > Proxy, click the settings icon for Proxy Enablement, choose None, and then click OK.
Panorama: Select Templates > Network > Proxy, click the settings icon for Proxy Enablement, choose None, and then click OK.

Authentication sequence (PAN-OS 11.1)
Upgrade considerations:
When you upgrade to PAN-OS 11.1.1, the Exit the sequence on failed authentication option no longer depends on the Use domain to determine authentication profile option.
Downgrade considerations:
If the Exit the sequence on failed authentication option is selected, downgrading from PAN-OS 11.1.1 to a previous version fails unless either the Exit the sequence on failed authentication option is cleared, or both the Exit the sequence on failed authentication option and the Use domain to determine authentication profile option are selected.

Panorama Management of Multi-Vsys Firewalls (Upgrade from PAN-OS 10.1 to PAN-OS 11.1 using Skip Software Version Upgrade only)
Upgrade considerations:
Before upgrading a Panorama-managed multi-vsys firewall to PAN-OS 11.0 using Skip Software Version Upgrade:
  • Delete or rename any locally configured firewall Shared object that has the same name as an object in the Panorama Shared configuration. Otherwise, configuration pushes from Panorama fail after the upgrade with the error <object-name> is already in use.
  • Palo Alto Networks recommends that if a multi-vsys firewall is managed by Panorama, all vsys configurations should be managed by Panorama.
    This helps avoid commit failures on the managed multi-vsys firewall and lets you take advantage of optimized shared object pushes from Panorama.
Downgrade considerations: None.
Upgrade considerations:
After you successfully upgrade a managed multi-vsys firewall to PAN-OS 10.2 using Skip Software Version Upgrade, the firewalls become out of sync on Panorama, and a full commit and push is required.
On Panorama, perform a Commit and Push to Devices of the entire Panorama-managed configuration to the multi-vsys firewall before you commit and push any further configuration changes from Panorama.