Support for Third-Party SFP Transceivers

A small percentage of writable third-party SFP transceivers (not purchased from Palo Alto Networks) can stop working or experience other issues after you upgrade the firewall to which they are connected to a PAN-OS 8.0 release. Because it is typically impossible to know if a third-party SFP is writable, Palo Alto Networks® recommends that, if your firewall uses third-party SFPs, you do not upgrade to a PAN-OS 8.0 release until you are able to upgrade to a maintenance release that addresses this issue. Additionally, when you are ready to upgrade, make sure that you do not reboot the firewall after you download and install the PAN-OS 8.0 base image until after you download and install a maintenance release that contains the fix for this issue.

For more information about this known issue and maintenance releases related to this issue, refer to the PAN-OS 8.0 release notes.

When you upgrade Panorama and the Log Collectors to PAN-OS 8.0, logs generated from earlier PAN-OS versions will be unavailable when viewing charts on the ACC and when generating reports until you migrate the logs to the new format. Refer to Migrate Existing Logs to the New Log Format introduced in PAN-OS 8.0.

With the log query and reporting engine enhancements that improve the speed in generating reports and executing queries, note that the logging rates on the M-Series appliances are lower than in previous Panorama releases. For maximum logging rates in PAN-OS 8.0, see Panorama Models.

PAN-OS 8.0 introduces two new log types (Palo Alto Networks Platform Logs and 3rd Party External Logs). On upgrade, 4% of the total disk space is allocated for the new log databases. As a result, if Panorama or the Dedicated Log Collector do not have 4% of total disk space, the oldest logs are purged to make space available.

You must increase your VM-Series firewall allocated hardware resources before upgrading to PAN-OS 8.0. For more information about new minimum hardware requirements, see VM-Series System Requirements.

When you create or edit an external dynamic list hosted on a web server with an HTTPS URL, you must enable Authentication for External Dynamic Lists to commit your list changes.

After you upgrade, you have the option to customize the service route that the firewall uses to retrieve an external dynamic list from the web server that hosts the list.

Data pattern objects defined with both regular expression patterns and social security number and credit card patterns are separated into two separate data pattern objects following the upgrade to PAN-OS 8.0: one data pattern object contains the regular expression patterns, the other contains the social security and credit card number patterns. The separate data pattern objects continue to remain attached to data filtering profiles they were configured with before the PAN-OS 8.0 upgrade. To learn more, take a First Look at New and Updated Data Filtering Options.

For GlobalProtect agent configurations where you configured an external gateway with a

Manual only

priority (connections are not established automatically) and disabled

Manual

connections (users cannot manually switch to the gateway), GlobalProtect will add a

Manual only

priority rule and activate (enable)

Manual

connections when you upgrade. This allows users to manually switch to the gateway, which is required to support External Gateway Priority by Source Region.

(

PAN-OS 8.0.5 and later releases

) After you upgrade to PAN-OS 8.0.5 or a later release, users who have endpoints with valid authentication override cookies but who were removed from the Allow List of authentication profiles cannot access GlobalProtect portals or gateways (internal or external). This prevents users with valid cookies but disabled accounts from accessing the portals and gateways.

When you upgrade Panorama to version 8.0.2 or a later release, you cannot push templates containing 200 or more GlobalProtect include access routes to firewalls running PAN-OS 8.0.1 or earlier releases. To push more than 200 access routes, you must upgrade the firewalls to PAN-OS 8.0.2 or a later release. Otherwise, you must remove access routes from the template until there are 200 or fewer access routes.

After upgrading a PA-7000 Series firewall, Panorama no longer considers the firewall as a Log Collector and you will no longer be able to view logs and reports from Panorama until you enable log forwarding.

After you enable log forwarding to Panorama, the firewall forwards only new logs. To view log information on Panorama and generate reports from logs generated prior to enabling log collection, you must migrate existing logs to Panorama using a CLI command. See PA-7000 Series Firewall Log Forwarding to Panorama for more details.

Before upgrading the firewall, run the following CLI command to check the flash drive’s status:

debug system disk-smart-info disk-1

.

If the value for attribute ID #232,

Available_Reservd_Space 0x0000

, is greater than 20, then proceed with the upgrade. If the value is less than 20, then contact support for assistance.

After upgrading, the Panorama virtual appliance remains in Legacy mode by default and can still support NFS log storage. However, after you switch to Panorama mode, the virtual appliance can no longer support NFS storage; you must then migrate the logs on the NFS to the Log Collectors.

After upgrading Panorama, you must

Enable reporting and filtering on groups

in the Panorama settings (

Panorama

Setup

Management

) if you want to filter logs and generate reports based on user groups; the option is disabled by default. If you want to disable this feature for specific device groups, you must clear the

Store users and groups from Master Device

option in those device groups (

Panorama

Device Groups

); the option is enabled by default.

After upgrading, you must set the

Event Type

to

login

for every existing Syslog Parse profile assigned to syslog senders in the Server Monitoring list (

Device

User Identification

User Mapping

).