Upgrade/Downgrade Considerations

The following table lists the new features that have upgrade or downgrade impacts. Make sure you understand all potential changes before you upgrade to or downgrade from a PAN-OS 8.1 release. For additional information about PAN-OS 8.1 releases, refer to the PAN-OS 8.1 Release Notes.
For M-100 appliances running in Panorama mode, Palo Alto Networks recommends upgrading the memory to 32GB to avoid the risk of running out of memory for management and log collection tasks. See M-100 Memory Upgrade Guide for more information.
PAN-OS 8.1 Upgrade/Downgrade Considerations
Feature
Upgrade Considerations
Downgrade Considerations
Support for Third-Party SFP Transceivers
A small percentage of writable third-party SFP transceivers (not purchased from Palo Alto Networks) can stop working or experience other issues after you upgrade the firewall to which they are connected to a PAN-OS 8.0 or PAN-OS 8.1 release. Because it is typically impossible to know if a third-party SFP is writable, Palo Alto Networks® recommends that, if your firewall uses third-party SFPs, you do not upgrade to a PAN-OS 8.0 or PAN-OS 8.1 release until you are able to upgrade to a maintenance release for each that addresses this issue. Additionally, when you are ready to upgrade, make sure that you do not reboot the firewall after you download and install the PAN-OS 8.1 (or PAN-OS 8.0) base image until after you download and install a maintenance release that contains the fix for this issue. This is true when upgrading to PAN-OS 8.1 even if you addressed this issue when you upgraded to a PAN-OS 8.0 maintenance release that includes this fix.
For more information about this known issue and maintenance releases related to this issue, refer to the PAN-OS 8.0 or PAN-OS 8.1 release notes, as appropriate.
Support for Multiple Username Formats
During an upgrade, the User Name in the User Objects section for the Group Mapping profile will be migrated as the Primary Username for users.
During an upgrade, the firewall clears the user and group mappings. After the upgrade is complete, the firewall must relearn the mappings before it can apply user-based policies.
If the firewall uses the user@domain format for the primary username, and is in an HA configuration, and has 500,000 or more users, the User-ID manager resets when it relearns the group mappings after the upgrade.
During a downgrade, the Primary Username is used to retrieve the user name and the Allow matching users without domain option and all alternate usernames are removed.
Extensible Authentication Protocol (EAP) Support for RADIUS
Auto has been removed from list of available authentication protocols for a RADIUS Server Profile. During the upgrade, all existing RADIUS Server Profiles using PAP or CHAP will continue to use the selected authentication protocol. If the RADIUS server profile used Auto, the firewall will attempt to change to CHAP or PAP, based on which protocol was in use before the upgrade. If the firewall cannot determine which one was used, CHAP is selected.
After you upgrade, Panorama templates use CHAP as the default authentication protocol. If your Panorama templates used the Auto authentication protocol and your RADIUS server requires PAP, update your Panorama template to use PAP to avoid having to log out and log in again after the upgrade.
Any RADIUS Server Profiles configured to use EAP (PEAP-MSCHAPv2, PEAP with GTC, or EAP-TTLS with PAP) will be migrated to Auto (where CHAP is attempted first, then PAP) Any additional options associated with the EAP protocol, such as Outer Identity and Certificate Profiles, will be removed from the configuration.
HSM Client Upgrade and SafeNet HSM Cluster Support
PAN-OS 8.1 upgrades Thales nShield client version 11.62 to version 12.30. You can upgrade the firewall to use SafeNet client version 5.4.2 or 6.2.2. These HSM client versions provide necessary compatibility with HSM server versions. With an upgraded HSM client version on PAN-OS, you must ensure the corresponding HSM server version is also upgraded.
Downgrading the HSM server versions might not be an option after they are upgraded. Check your HSM vendor documentation for any upgrade/downgrade considerations.
A PAN-OS release is tied to an HSM client version, so if you downgrade from PAN-OS 8.1 to a release prior to PAN-OS 8.0.2 (for example, PAN-OS 8.0.0 or 8.0.1), the downgrade will fail. Downgrading from PAN-OS 8.1 to 8.0.2 or a later release will succeed and the HSM client version will be retained.
FQDN Support for IKE Gateway Peer IP Address
Downgrading will remove the address objects, address groups, and FQDNs from an IKE VPN Peer IP address, so unless the peer IP address is a static IP address, the downgrade will fail.
Dynamic IP Address Support for Destination NAT
Downgrading means that a translated destination NAT address specifying Dynamic IP (with session distribution) isn’t supported, so the downgrade will fail.
FQDN Refresh Time
If you downgrade a VM-Series firewall that used an FQDN Refresh Time in the range 60-599 seconds, the downgrade will fail because the downgraded release doesn’t support an FQDN refresh time that fast; it supports a range of 600-14,399 seconds. Select DeviceSetupServices, change the 8.1 FQDN Refresh Time to a value in the range 600-14,399 seconds, commit, and then downgrade.
DNS Suffix Support
In PAN-OS 8.0.x and earlier releases, you can only add up to 10 DNS suffixes to the GlobalProtect gateway configuration (NetworkGlobalProtectGateways<gateway-config>GlobalProtect Gateway ConfigurationAgentNetwork ServicesDNS Suffix). You must remove additional DNS suffixes from the configuration prior to downgrading from PAN-OS 8.1.0 to PAN-OS 8.0.x or earlier releases.
In Panorama 8.1.0 and earlier releases, you can only push up to 10 DNS suffixes to firewalls running PAN-OS 8.0.x and earlier releases.
OPSWAT SDK V4 Support
PAN-OS 8.1 supports OPSWAT SDK V4. When you upgrade to PAN-OS 8.1, the Antivirus and Anti-Spyware HIP categories merge to form the new Anti-Malware category. Vendor and product names are also updated for OPSWAT SDK V4 in all HIP categories.
The latest GlobalProtect data file must be installed on your firewall following an upgrade to PAN-OS 8.1. Until the data file is installed, HIP functionality is not available. For PAN-OS 8.1, the GLobalProtect data file is for OPSWAT SDK V4. GlobalProtect data file installation can only be triggered when a data file update schedule is configured under DeviceDynamic UpdatesGlobalProtect Data File. We recommend that you set the Schedule recurrence to Hourly.
PAN-OS 8.0 and earlier releases do not support OPSWAT SDK V4. When you downgrade to an earlier version of PAN-OS, the Anti-Malware category is dropped. You must manually reconfigure the Antivirus and Anti-Spyware categories to display this information in the OPSWAT SDK V3 format. After your system is rebooted, all HIP match logs are persistent, while all existing HIP reports are deleted.
The latest GlobalProtect data file must be installed on your firewall following a downgrade to PAN-OS 8.0 or earlier releases. Until the data file is installed, HIP functionality is not available. For PAN-OS 8.0 and earlier releases, the GlobalProtect data file is for OPSWAT SDK V3. GlobalProtect data file installation can only be triggered when a data file update schedule is configured under DeviceDynamic UpdatesGlobalProtect Data File. We recommend that you set the Schedule recurrence to Hourly.
When configurations are pushed from Panorama 8.1 to a PAN-OS 8.0 or earlier firewall, the Anti-Malware category is dropped from the HIP Match log and HIP Object. You must manually reconfigure the Antivirus and Anti-Spyware categories to display this information in the OPSWAT SDK V3 format. Vendor and product names may also be different for OPSWAT SDK V3, so you must review and manually reconfigure as necessary.
Content Revert from Panorama
When downgrading a firewall from PAN-OS 8.1 to an earlier PAN-OS release, Panorama will display the content version installed on the firewall while it was running PAN-OS 8.1 regardless of the version currently running on the firewall.
Support for Panorama Virtual Appliances in New Environments
On upgrade to PAN-OS 8.1, you are no longer able to change in to Legacy mode. If your Panorama virtual appliance is in Legacy mode on upgrade, the mode will be preserved. However, if you change the Panorama virtual appliance mode, you cannot change back into Legacy mode.
Management Only Mode
When downgrading a Panorama appliance from PAN-OS 8.1 to an earlier PAN-OS release, the Panorama appliance must be in Panorama mode or Log Collector mode. Downgrade from PAN-OS 8.1 is not supported for a Panorama appliance in Management Only mode.
Configuration Reusability for Templates and Template Stacks
On upgrade to PAN-OS 8.1, templates with devices attached to them will be converted into template stacks that contain the original template and have the device attached to the template stack. The template stack name will be <Template Name>_mig_stack.
You are unable to downgrade from PAN-OS 8.1 to an earlier PAN-OS release if variables are used in your template or template stack configuration. Variables must be removed from the template and template stack configuration to downgrade.
The number of supported templates in a template stack is reduced from 16 to 8.
VM-Series Firewall for VMware NSX
You must install VMware NSX plugin 2.0.1 before upgrading Panorama to 8.1.
You must select a template stack when configuring a service definition for your VM-Series for NSX deployment. Selecting a template causes a commit failure when attempting to commit the changes to Panorama.
Reporting Engine Enhancements
In PAN-OS 8.1, firewalls write logs from the perspective of who initiated the network connection, resulting in the source (SRC) and destination (DST) values being swapped when compared to PAN-OS 8.0 and earlier releases. When writing queries in the ACC tab, Monitor tab, and Custom Reports (PanoramaMonitorManage Custom Reports), you must swap the SRC and DST values based on the direction of the threat to ensure that the displayed query results are accurate.
You must swap the SRC and DST values for in your auto-tag configuration based on the direction of the threat to ensure Threat, URL, Data Filtering, and WildFire Submissions logs are correctly tagged.
On upgrade to PAN-OS 8.1, all existing Threat, URL Filtering, Data Filtering, and Wildfire Submission log data on Log Collectors preserve original log format where the DST value is the IP address that initiated the connection, and the SRC is the IP address with whom the connection is initiated that exists in PAN-OS 8.0 and earlier releases.
BGP Minimum Route Advertisement Interval
If you upgrade from PAN-OS 8.0.11 (or a later PAN-OS 8.0 release) to a PAN-OS 8.1 release, the CLI operational command set system setting bgp-mrai-timer value is deprecated and value configured in the CLI is gone; the BGP peers revert to having a minimum route advertisement interval of 30 seconds. Configure the minimum route advertisement interval for a BGP peer in the user interface instead (NetworkVirtual Routersvirtual routerBGPPeer GroupPeerConnection Options).
If you downgrade from PAN-OS 8.1 to PAN-OS 8.0.11 (or a PAN-OS 8.0 release later than PAN-OS 8.0.11), the minimum route advertisement interval you configured for a BGP peer no longer applies to the peer and the user interface to configure the BGP minimum router advertisement interval does not exist. The default value of 30 seconds applies to all BGP peers. Use the CLI operational command set system setting bgp-mrai-timer value to set an interval for all BGP peers.

Related Documentation