Table: PAN-OS 7.1 Upgrade/Downgrade Considerations lists the new features that have upgrade or downgrade impacts. Make sure you understand all potential changes before you upgrade to or downgrade from PAN-OS 7.1. For additional information about this release, refer to the PAN-OS 7.1 Release Notes.
Table: PAN-OS 7.1 Upgrade/Downgrade Considerations
Feature Upgrade Considerations Downgrade Considerations
Role Privileges for Commit Types If the permission for any commit type is disabled in a Panorama Admin Role profile, the permissions for all commit types are disabled for that profile after a downgrade.
User Group Capacity Increase Before downgrading a PA-5060 or PA-7000 Series firewall that has the multiple virtual systems capability disabled and that uses more than 640 distinct user groups in policies, you must reduce the number of groups to 640 or less.
User-ID WMI Client Probing In PAN-OS 7.0 and earlier releases, client probing that uses Windows Management Instrumentation (WMI) includes all public and private IPv4 and IPv6 addresses by default. However, after you upgrade to PAN-OS 7.1, the default for WMI probing is to exclude public IPv4 addresses. (Public IPv4 addresses are those outside the scope of RFC 1918 and RFC 3927). To use WMI probing for public IPv4 addresses after the upgrade, you must add their subnetworks to the User-ID agent Include Networks list.
8TB Disk Support on the Panorama Virtual Appliance After you upgrade to Panorama 7.1, the Panorama virtual appliance will continue using only 2TB of any existing virtual disk that exceeds that capacity. After upgrading, you must manually add a virtual disk of up to 8TB before Panorama can use more than the 2TB limit. If you added a virtual disk of more than 2TB to the Panorama virtual appliance, you must remove the disk before you can downgrade to a release earlier than Panorama 7.1.
Federal Information Processing Standard (FIPS) Mode If your firewall is running a PAN-OS 6.1 or earlier release and is in FIPS mode, you must Enable FIPS and Common Criteria Support using Set CCEAL4 Mode before you upgrade to PAN-OS 7.0.1 or a later release. If you do not change to CCEAL4 mode before you upgrade, the firewall will enter maintenance mode because FIPS mode is not supported as of PAN-OS 7.0.1. After you change from FIPS mode to CCEAL4 mode, you will need to import the saved configuration backup that you created prior to the mode change. If the configuration contains IKE and IPSec crypto profiles that use 3DES, you will need to delete the profiles and create new profiles using AES because 3DES is not supported in CCEAL4 mode.
DES Support for Crypto Profiles When downgrading to an earlier PAN-OS version, the following actions occur: DES is removed from the crypto profile. If DES was the only encryption type in the crypto profile, then DES is converted to 3DES. If DES was used in an IPSec tunnel configuration that used a manual key, the IPSec tunnel entry is removed from the configuration. After a reboot, any such IPSec tunnels no longer exist in the running configuration.
Custom Application Signatures Before downgrading to a release earlier than PAN-OS 7.0, you must remove any custom application signatures that have the following settings: Operator set to Greater Than or Less Than Operator set to Equal To and a Context set to any value besides unknown-req-tcp, unknown-rsp-tcp, unknown-req-udp, or unknown-rsp-udp
Sinkholing of DNS Signatures After you upgrade, all Palo Alto Networks DNS signatures are enabled by default. The default action for the DNS Signatures is sinkhole, and the sinkhole IP address is a Palo Alto Networks server (71.15.192.112). This IP address is not static and can change because it is pushed using Palo Alto Networks content updates.
Support for Multi-Tenancy and Multiple Policy Sets on the VM-Series NSX Edition Firewall If you configured the VMware Service Manager on Panorama, note the following changes that occur after you upgrade to Panorama 7.1: The VMware Service Manager configuration that is required for enabling communication between Panorama and the NSX Manager is separated from the Service Definition. A new Service Definition named Palo Alto Networks NGFW is created. This service definition includes the configuration for deploying VM-Series firewalls. It also includes a template, device group, link to the OVA for the PAN-OS version, and the auth codes you configured on the VMware service manager in the earlier version. If you did not create a template in the earlier version, then a default template called NSX_TPL is created for you. A zone called Palo Alto Networks profile 1 is auto-generated within the template. On a Template and Device Group Commit, the VM-Series firewalls will generate a pair of virtual wire subinterfaces (ethernet1/1.2 and ethernet1/2.2) and bind the pair to this new zone. All existing policy rules are retained with source and destination zone set to ‘any’. These rules are functional and you do not need to modify the rules.
External Dynamic List for IP Addresses After you upgrade, Dynamic Block List for IP addresses are renamed to External Dynamic List of Type IP Address. The earlier maximum limit 10 Dynamic Block Lists for IP addresses has changed in PAN-OS 7.1. On each firewall platform, you can now configure a maximum of 30 unique sources for External Dynamic Lists of type IP address, URL or Domain. The firewall does not impose a limit on the number of lists of a specific type. The PA-5000 Series and the PA-7000 Series firewalls support a maximum of 150,000 total IP addresses; all other platforms support a maximum of 50,000 total IP addresses. No limits are enforced for the number of IP addresses per list. When the maximum supported IP address limit is reached on the firewall, the firewall generates a syslog message.
PA-3000 Series and PA-500 Firewall Capacity Increases When you upgrade to PAN-OS 7.1, the ARP table capacity automatically increases. To avoid a mismatch when upgrading a pair of HA firewalls, you should upgrade both HA peers within a short period of time. You should also clear the ARP cache ( clear arp ) on both HA peers before you upgrade.
Save User Credentials The Allow user to save password option, which was available in PAN-OS 7.0, is superseded by the Save User Credentials setting in PAN-OS 7.1. After you upgrade the firewall or Panorama to PAN-OS 7.1, the setting is discarded. Because the default behavior—which allows GlobalProtect to save user credentials—is the same for both options, no additional configuration is required to retain this behavior. However, to enforce behavior other than the default—for example, to prevent GlobalProtect from saving credentials altogether or from saving the password only—you must manually configure the Save User Credentials option after upgrading to PAN-OS 7.1.
Authentication with Secure Encrypted Cookies The Authentication Modifier option, which was available in PAN-OS 7.0, is superseded by the Authentication Override options in PAN-OS 7.1. After you upgrade the firewall or Panorama to PAN-OS 7.1, any authentication modifier settings are discarded. Because the new Authentication Override options are disabled by default, to configure GlobalProtect portals and gateways to accept secure encrypted cookies, you must manually configure the new Authentication Override options in PAN-OS 7.1.
QoS After you downgrade from PAN-OS 7.1.16 or a later release to PAN-OS 7.1.15 or an earlier release, you must reset the QoS Egress Max to 16,000 Mbps or less to avoid commit failures ( Network > QoS > <interface> > Physical Interface).
Gateway Configuration with Tunnel Mode When tunnel mode is enabled in a GlobalProtect gateway configuration, the gateway configuration is discarded after a downgrade to an earlier major release unless you use the automatically generated saved configuration prior to upgrading.
GlobalProtect portals and gateways Loading a configuration other than running-config.xml when downgrading from PAN-OS 7.1.8 to a PAN-OS 7.0 release removes authentication profiles from GlobalProtect portals and gateways, which causes an auto-commit failure. To prevent this issue, select running-config.xml when downgrading from PAN-OS 7.1.8 to a PAN-OS 7.0 release.

Related Documentation