End-of-Life (EoL)
Upgrade/Downgrade Considerations
The following table lists the new features that have
upgrade or downgrade impacts. Make sure you understand all potential
changes before you upgrade to or downgrade from a PAN-OS 8.0 release.
For additional information about PAN-OS 8.0 releases, refer to the PAN-OS 8.0 Release Notes.
For M-100 appliances running in Panorama
mode, Palo Alto Networks recommends upgrading the memory to 32GB
to avoid the risk of running out of memory for management and log
collection tasks. See M-100 Memory Upgrade Guide for
more information.
After upgrading a PA-7000 Series firewall
to 8.0, Panorama no longer treats it as a Log Collector. This
means you will no longer be able to view your logs and reports from
Panorama until you enable PA-7000
Series Firewall Log Forwarding to Panorama. Before upgrading,
make sure you have a log collection infrastructure that can handle
the logging rate and volume of PA-7000 Series logs.
- To deploy VM-Series firewalls on AWS in a high availability configuration, you must upgrade to PAN-OS 8.0.1.
- Upgrading a PA-200 or PA-500 firewall to PAN-OS 8.0 can take 30-60 minutes to complete. Ensure uninterrupted power to your firewall throughout the upgrade process.
To ensure optimal performance for all
new features, download and install the latest Applications and Threats,
Antivirus, and WildFire content updates (the minimum content versions
required for PAN-OS 8.0 are listed in the PAN-OS 8.0 Release Notes).
As a best practice, enable the firewall to download and install
new content updates as they become available.
| Feature | Upgrade Considerations | Downgrade Considerations |
|---|---|---|
| Hardware Security Modules | | (PAN-OS 8.0.2 and later releases) To downgrade to a release earlier than PAN-OS 8.0.2, you must ensure that the master key is stored locally on Panorama or on the firewall, not on a hardware security module (HSM). |
| Support for Third-Party SFP Transceivers | A small percentage of writable third-party SFP transceivers (not purchased from Palo Alto Networks) can stop working or experience other issues after you upgrade the firewall to which they are connected to a PAN-OS 8.0 release. Because it is typically impossible to know if a third-party SFP is writable, Palo Alto Networks recommends that, if your firewall uses third-party SFPs, you do not upgrade to a PAN-OS 8.0 release until you are able to upgrade to a maintenance release that addresses this issue. Additionally, when you are ready to upgrade, make sure that you do not reboot the firewall after you download and install the PAN-OS 8.0 base image until after you download and install a maintenance release that contains the fix for this issue. This will be the case again if you upgrade to PAN-OS 8.1, even after you address this issue in PAN-OS 8.0. For more information about this known issue and the maintenance releases related to it, refer to the PAN-OS 8.0 Release Notes. | |
| Log Query Acceleration on Panorama | When you upgrade Panorama and the Log Collectors to PAN-OS 8.0, logs generated from earlier PAN-OS versions will be unavailable when viewing charts on the ACC and when generating reports until you migrate the logs to the new format. Refer to Migrate Existing Logs to the New Log Format introduced in PAN-OS 8.0. | When you downgrade Panorama and the Log Collectors from Panorama 8.0, you will need to migrate logs back to the pre-8.0 format. This procedure takes approximately 24 hours for each 2TB of data. You cannot pause or stop the migration, so you will need to schedule a maintenance window to accommodate it. To downgrade, refer to Downgrade from Panorama 8.0. |
| | With the log query and reporting engine enhancements that improve the speed of generating reports and executing queries, note that the logging rates on the M-Series appliances are lower than in previous Panorama releases. For maximum logging rates in PAN-OS 8.0, see Panorama Models. | |
| | PAN-OS 8.0 introduces two new log types (Palo Alto Networks Platform Logs and 3rd Party External Logs). On upgrade, 4% of the total disk space is allocated for the new log databases. As a result, if Panorama or the Dedicated Log Collector does not have 4% of total disk space free, the oldest logs are purged to make space available. | |
| IKE Peer and IPSec Tunnel Capacity Increases | | The firewall prevents a downgrade if the number of IKE gateways or IPSec tunnels you are using in PAN-OS 8.0 exceeds the product limit for the release to which you are downgrading. To successfully downgrade in this case, first delete IKE peers or IPSec tunnels until their number is within the limit supported in the downgraded release, and then downgrade. Alternatively, restore a compatible configuration and downgrade. |
| VM-Series Firewall Performance Enhancements | You must increase the hardware resources allocated to your VM-Series firewall before upgrading to PAN-OS 8.0. For more information about the new minimum hardware requirements, see VM-Series System Requirements. | Downgrading from PAN-OS 8.0 to an older release returns VM-Series models to their pre-PAN-OS 8.0 capacities and performance levels. Downgrading a VM-50, VM-500, or VM-700 firewall is not supported. |
| Authentication for External Dynamic Lists | When you create or edit an external dynamic list hosted on a web server with an HTTPS URL, you must enable Authentication for External Dynamic Lists to commit your list changes. | |
| Telemetry and Threat Intelligence Sharing | | |
| External Dynamic List Enhancements | After you upgrade, you have the option to customize the service route that the firewall uses to retrieve an external dynamic list from the web server that hosts the list. | |
| Palo Alto Networks Malicious IP Address Feeds | | Before downgrading to an earlier release, ensure that the Palo Alto Networks Malicious IP Address Feeds and custom external dynamic lists based on either of these feeds are not used in policy. |
| Globally Unique Threat IDs | | |
| Data Filtering Support for Data Loss Prevention (DLP) Solutions | Data pattern objects defined with both regular expression patterns and social security number and credit card patterns are split into two separate data pattern objects following the upgrade to PAN-OS 8.0: one data pattern object contains the regular expression patterns, the other contains the social security and credit card number patterns. The separate data pattern objects remain attached to the data filtering profiles they were configured with before the PAN-OS 8.0 upgrade. To learn more, take a First Look at New and Updated Data Filtering Options. | |
| Tunnel-Mode on GlobalProtect Gateways | | If you enable tunneling on a GlobalProtect internal gateway and then downgrade to an older release of PAN-OS, the gateway is removed and you must reconfigure the gateway after you downgrade. If you saved a PAN-OS 7.1 configuration that includes tunnel-mode gateways and you want to restore the configuration, downgrade the firewall from PAN-OS 8.0 to PAN-OS 7.1 first, then select and commit the saved PAN-OS 7.1 configuration. |
| GlobalProtect External Gateways | For GlobalProtect agent configurations where you configured an external gateway with a Manual only priority (connections are not established automatically) and disabled Manual connections (users cannot manually switch to the gateway), GlobalProtect will add a Manual only priority rule and activate (enable) Manual connections when you upgrade. This allows users to manually switch to the gateway, which is required to support External Gateway Priority by Source Region. | |
| GlobalProtect Portal Authentication | (PAN-OS 8.0.5 and later releases) After you upgrade to PAN-OS 8.0.5 or a later release, users who have endpoints with valid authentication override cookies but who were removed from the Allow List of authentication profiles cannot access GlobalProtect portals or gateways (internal or external). This prevents users with valid cookies but disabled accounts from accessing the portals and gateways. | (PAN-OS 8.0.5 and later releases) After you downgrade to PAN-OS 8.0.4 or an earlier release, user endpoints with valid authentication override cookies can access a GlobalProtect portal or gateway (internal or external) even if the corresponding user accounts were disabled and removed from the Allow List of authentication profiles. You must reconfigure policies (using dynamic block lists or source address/user lists) to prevent portal and gateway access in such cases. |
| Authentication Policy and Multi-Factor Authentication | | |
| GlobalProtect Included Access Route Capacity Enhancement | When you upgrade Panorama to version 8.0.2 or a later release, you cannot push templates containing 200 or more GlobalProtect include access routes to firewalls running PAN-OS 8.0.1 or earlier releases. To push more than 200 access routes, you must upgrade the firewalls to PAN-OS 8.0.2 or a later release. Otherwise, you must remove access routes from the template until there are 200 or fewer access routes. | When you downgrade a firewall to PAN-OS 8.0.1 or an earlier release, a GlobalProtect configuration with more than 200 include access routes will cause a commit failure. To resolve the issue, you must remove access routes until the configuration contains 200 or fewer access routes. |
| Selective Log Forwarding Based on Log Attributes | | Upon downgrading, the only log attribute that the firewall will preserve as a filter in Log Forwarding profiles and Device Log Settings |
| Log Forwarding from PA-7000 Series Firewalls to Panorama | After upgrading a PA-7000 Series firewall, Panorama no longer treats the firewall as a Log Collector, and you will no longer be able to view logs and reports from Panorama until you enable log forwarding. Before upgrading PA-7000 Series firewalls to PAN-OS 8.0, make sure your Log Collectors have enough capacity to support the log collection rates and volume of logs your PA-7000 Series firewalls will forward to Panorama. See the table in Panorama Models to determine your log collection requirements. After you enable log forwarding to Panorama, the firewall forwards only new logs. To view log information on Panorama and generate reports from logs generated prior to enabling log collection, you must migrate existing logs to Panorama using a CLI command. See PA-7000 Series Firewall Log Forwarding to Panorama for more details. | |
| Upgrading a PA-7000 Series Firewall with a first generation switch management card (PA-7050-SMC or PA-7080-SMC) | Before upgrading the firewall, run the following CLI command to check the flash drive's status: `debug system disk-smart-info disk-1`. If the value for attribute ID #232, `Available_Reservd_Space 0x0000`, is greater than 20, then proceed with the upgrade. If the value is less than 20, then contact support for assistance. | Before downgrading the firewall, run the following CLI command to check the flash drive's status: `debug system disk-smart-info disk-1`. If the value for attribute ID #232, `Available_Reservd_Space 0x0000`, is greater than 20, then proceed with the downgrade. If the value is less than 20, then contact support for assistance. |
| Logging Enhancements on the Panorama Virtual Appliance | After upgrading, the Panorama virtual appliance remains in Legacy mode by default and can still support NFS log storage. However, after you switch to Panorama mode, the virtual appliance can no longer support NFS storage; you must then migrate the logs on the NFS to the Log Collectors. | Before downgrading, you must switch the Panorama virtual appliance from Panorama mode to Legacy mode. To store logs after switching the mode, you must use the old virtual disk or NFS storage that Panorama used for logging in Legacy mode. |
| Group-Based Reporting in Panorama | After upgrading Panorama, you must Enable reporting and filtering on groups in the Panorama settings (Panorama > Setup > Management) and enable the Store users and groups from Master Device option in those device groups (Panorama > Device Groups). | |
| User-ID Syslog Monitoring Enhancements | After upgrading, you must set the Event Type to login for every existing Syslog Parse profile assigned to syslog senders in the Server Monitoring list (Device > User Identification > User Mapping). | |
| Windows-based User-ID Agent | | After you uninstall the PAN-OS 8.0 Windows-based User-ID agent, perform the workaround described in Downgrade a Windows Agent from PAN-OS 8.0 before you install an earlier agent release. A PAN-OS 8.0 release of the Windows-based User-ID agent works with firewalls running a release earlier than PAN-OS 8.0. |
| NSX VM-Series Configuration Through Panorama | | |
| Packet Buffer Protection and Zone Protection Profile | | If you enable Packet Buffer Protection or you configure a Zone Protection profile with basic evasion protection or strict evasion protection, and then downgrade to a PAN-OS 7.1 release, the downgrade fails with auto-commit errors. If you saved a PAN-OS 7.1 configuration before upgrading, select the PAN-OS 7.1 configuration when downgrading. This removes the Packet Buffer Protection configuration and allows the downgrade to complete successfully. |
| ECMP Enhancement to IP Hash (PAN-OS 8.0.3 and later releases) | | If the ECMP IP Hash setting is configured to Use Source Address Only and you want to downgrade from PAN-OS 8.0.3 (or a later release) to PAN-OS 8.0.2 or an earlier PAN-OS 8.0 release, first save your PAN-OS 8.0.3 (or later) running configuration. Then perform the downgrade and, after the downgrade is complete, reload your saved configuration and Commit. |
| QoS | | After you downgrade from a PAN-OS 8.0 release to PAN-OS 7.1.15 or an earlier release, you must reset the QoS Egress Max to 16,000 Mbps or less to avoid commit failures (Network > QoS > `<interface>` > Physical Interface). |
| BGP Minimum Route Advertisement Interval | If you upgrade from a PAN-OS version earlier than PAN-OS 8.0.11 (such as PAN-OS 7.1, PAN-OS 8.0, or PAN-OS 8.0.1) to PAN-OS 8.0.11, you can use the CLI operational command `set system setting bgp-mrai-timer <value>` to configure a BGP minimum route advertisement interval for all BGP peer groups (range is 1 to 600 seconds; default is 30 seconds). | If you downgrade from PAN-OS 8.0.11 (or a later PAN-OS 8.0 release) to a release earlier than PAN-OS 8.0.11, the BGP minimum route advertisement interval that you configured with the CLI operational command `set system setting bgp-mrai-timer <value>` reverts to the hard-coded value of 30 seconds. |
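The downgrade conditions in the table lend themselves to a pre-flight check run before a maintenance window. The script below is an added example, not Palo Alto Networks code: it assumes a hand-built dictionary summarizing the running configuration (not real PAN-OS XML), and it takes the target release's IKE gateway and IPSec tunnel limits as parameters because the page does not list them (they are per model).

```python
"""Pre-flight check for the downgrade constraints in the table above. Added
example, not Palo Alto Networks code: it reads a small hand-built summary of
the running config (a plain dict, not real PAN-OS XML) and reports what the
page says will block, or silently change on, a downgrade."""
from typing import Dict, List, Tuple

def parse_version(s: str) -> Tuple[int, ...]:
    # "8.0.11" -> (8, 0, 11); "7.1" -> (7, 1, 0) so tuples compare uniformly
    parts = [int(p) for p in s.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def downgrade_findings(cfg: Dict, target: str, ike_limit: int, ipsec_limit: int) -> List[str]:
    """Findings for a downgrade from PAN-OS 8.0.x to `target`. IKE/IPSec product
    limits are per model and not on the page, so the caller supplies them."""
    t = parse_version(target)
    out: List[str] = []
    if cfg["ike_gateways"] > ike_limit:  # the firewall refuses an oversubscribed downgrade
        out.append(f"BLOCK: {cfg['ike_gateways']} IKE gateways exceed limit {ike_limit}; delete extras first")
    if cfg["ipsec_tunnels"] > ipsec_limit:
        out.append(f"BLOCK: {cfg['ipsec_tunnels']} IPSec tunnels exceed limit {ipsec_limit}; delete extras first")
    if t <= (8, 0, 1) and cfg["gp_access_routes"] > 200:  # commit fails on 8.0.1 and earlier
        out.append("BLOCK: trim GlobalProtect include access routes to 200 or fewer")
    if t <= (7, 1, 15) and cfg["qos_egress_max_mbps"] > 16000:
        out.append("BLOCK: reset QoS Egress Max to 16,000 Mbps or less")
    if t[:2] == (7, 1) and (cfg["packet_buffer_protection"] or cfg["zone_evasion_protection"]):
        out.append("BLOCK: auto-commit fails; select a saved PAN-OS 7.1 config when downgrading")
    if cfg["policy_uses_malicious_ip_feeds"]:
        out.append("BLOCK: remove Malicious IP Address Feeds (and EDLs based on them) from policy")
    if (8, 0, 0) <= t < (8, 0, 3) and cfg["ecmp_source_only"]:
        out.append("WARN: ECMP Use Source Address Only: save the running config, reload and commit it after")
    if t < (8, 0, 11) and cfg.get("bgp_mrai_timer", 30) != 30:
        out.append("WARN: BGP MRAI timer reverts to the hard-coded 30 seconds")
    if cfg["gp_internal_gateway_tunnel_mode"]:
        out.append("WARN: tunnel-mode internal gateway is removed; reconfigure it after the downgrade")
    return out

# Constructed sample: a firewall that trips several of the page's conditions.
SAMPLE_CONFIG = {
    "ike_gateways": 1200, "ipsec_tunnels": 900, "gp_access_routes": 250,
    "qos_egress_max_mbps": 20000, "packet_buffer_protection": True,
    "zone_evasion_protection": False, "policy_uses_malicious_ip_feeds": True,
    "ecmp_source_only": True, "bgp_mrai_timer": 5, "gp_internal_gateway_tunnel_mode": True,
}

if __name__ == "__main__":
    for target in ("8.0.2", "7.1.15"):  # 1000/1000 are placeholder limits, not real product limits
        print(f"== downgrade to {target} ==")
        for line in downgrade_findings(SAMPLE_CONFIG, target, ike_limit=1000, ipsec_limit=1000):
            print(" ", line)
```

Replace the sample dictionary with values read from your own configuration export; a BLOCK finding means the downgrade or its auto-commit will fail as the table describes, a WARN means something reverts and must be reapplied afterwards.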