End-of-Life (EoL)
Upgrade/Downgrade Considerations
Upgrade/downgrade considerations for PAN-OS 9.0.
The following table lists the new features that have
upgrade or downgrade impact. Make sure you understand all upgrade/downgrade
considerations before you upgrade to or downgrade from a PAN-OS
9.0 release. For additional information about PAN-OS 9.0 releases,
refer to the PAN-OS 9.0 Release Notes.
Review the following when upgrading Panorama
to PAN-OS 9.0:
- For M-100 appliances, Palo Alto Networks requires upgrading the memory to 32GB or more for management and log collection tasks. See M-100 Memory Upgrade Guide for more information.
Feature | Upgrade Considerations | Downgrade Considerations |
---|---|---|
VM-Series Plugin The
VM-Series plugin manages integration with public and private clouds,
allowing Palo Alto Networks to release bug fixes, new features,
and new cloud integrations independent of a PAN-OS release. | Save your PAN-OS 8.1
configuration before upgrading to PAN-OS 9.0. The plugin
is installed automatically when you install or upgrade the VM-Series
firewall to PAN-OS 9.0. The plugin can be upgraded or downgraded,
but it cannot be removed from PAN-OS. The plugin supports
all clouds so upgrades might not apply to you. Before you upgrade
the plugin, review the release notes. (PAYG
licenses only) You must upgrade to VM-Series plugin 1.0.2 (or
later) after you upgrade to a PAN-OS 9.0 release and then reboot
your firewall to recover your pay-as-you-go (PAYG) license after you
upgrade from a PAN-OS 8.1 release. Each plugin version
provides PAN-OS compatibility information.
You can upgrade the plugin version from the VM-Series firewall with Device > Plugins > Check Now. | If you have upgraded the VM-Series
plugin independent of PAN-OS, downgrading to a previous release
works the same as for other plugins. Downgrading from PAN-OS version
9.0 to 8.1 generates many error messages or disallows the downgrade.
Instead of downgrading, restore your 8.1 configuration on a new firewall.
|
Use Panorama to manage VM-Series plugin integrations
with your managed firewalls | If you have one or more cloud integrations
configured in 8.1 when you upgrade to 9.0 (Google Stackdriver, Azure
Application Insights, or AWS CloudWatch), the VM-Series plugin is
automatically installed and any existing configuration is migrated
to the VM-Series plugin. If you have not configured cloud
integrations in 8.1, the VM-Series plugin is supplied when you upgrade
Panorama to 9.0, but it is not installed. In 9.0, if you want
to manage cloud integrations from Panorama, go to Panorama > Plugins > Check Now to view the VM-Series plugin. Load the VM-Series
plugin, and install. Once installed, the plugin can be upgraded and
downgraded. | If you have upgraded the VM-Series plugin independent
of Panorama, downgrading to a previous release works the same as
for other plugins. |
Upgrading a PA-7000 Series Firewall with
a first generation switch management card (PA-7050-SMC or PA-7080-SMC) | Before upgrading the firewall, run the following
CLI command to check the flash drive’s status: debug system disk-smart-info disk-1. If
the value for attribute ID #232, Available_Reservd_Space
0x0000, is greater than 20, then proceed with the upgrade.
If the value is less than 20, then contact support for assistance. | Before downgrading the firewall, run the
following CLI command to check the flash drive’s status: debug system disk-smart-info disk-1. If
the value for attribute ID #232, Available_Reservd_Space
0x0000, is greater than 20, then proceed with the downgrade.
If the value is less than 20, then contact support for assistance. |
User-ID Support for Large Numbers of Terminal Servers | None. | To downgrade, remove any Alternative IP
Addresses that contain an FQDN. If you have configured more than
1000 Terminal Services agents across all virtual systems on the
firewall, remove agents until there are no more than 1000 before downgrading. |
Shared User-ID Mapping Across Virtual Systems | None. | If you have consolidated the User-ID sources
on the hub, you need to reconfigure the User-ID sources on each
virtual system. |
WinRM Support for Server Monitoring | None. | During a downgrade, any server profiles
using WinRM-HTTP or WinRM-HTTPS are migrated to WMI. |
Universally Unique Identifiers for Policy Rules | When you upgrade, upgrade Panorama first,
push the rulebases to the firewalls Panorama manages, and then upgrade
the firewalls. If you do not push the policy configuration to the
firewalls from Panorama before upgrading the managed firewalls,
the upgrade will not be successful. In addition, if you are upgrading
an HA pair, upon upgrade to PAN-OS 9.0, each peer independently
assigns UUIDs for each policy rule. Because of this, the peers will
show as out of sync until you sync the configuration (Dashboard > Widgets > System > High Availability > Sync to peer). In the
ACC, the Rule field is now Rule Name to
distinguish it from the new Rule UUID field. If
you push a log forwarding profile that uses UUIDs from an upgraded
Panorama to a firewall that has not been upgraded, the commit on
the firewall will not be successful. | All UUIDs are retained as attributes so
they can be reapplied to the rulebase in case you re-upgrade. If
you are using UUIDs in log forwarding profiles or custom reports,
the downgrade and any autocommits will be successful, but any subsequent
commits will not be successful. If you downgrade Panorama, the
Shared Policy column (Panorama > Managed Devices > Summary) displays as Out of sync,
due to the missing UUIDs. After you commit and push the configuration
to the devices, they will display as In sync . |
Upgrading Panorama with
Local Log Collectors or Dedicated Log Collectors | PAN-OS 9.0 introduces a new log data format,
and as a result, the upgrade procedure may take up to six hours
to complete in order for Panorama or the Log Collector to automatically
reformat existing log data. During this time, log data is not visible
in the ACC and Monitor tabs.
Additionally, new log data is not forwarded to the appliance until the
upgrade is complete. | Existing log data must be reformatted
to the log format introduced in PAN-OS 8.0 upon downgrade using
a log migration script provided by Palo Alto Networks. During the
reformatting, log data is not visible in the ACC and Monitor tabs.
Additionally, new log data is not forwarded to Log Collectors until
the reformatting is complete. |
All Log Collectors in a collector group
must be upgraded at the same time to avoid any log data loss. If
the majority of Log Collectors in a collector group are upgraded,
the log data for the minority, non-upgraded Log Collectors is not
visible in the ACC and Monitor tabs. For
example, if you have three Log Collectors in a collector group,
and you upgrade two of the Log Collectors, logs are not forwarded
to the third non-upgraded Log Collector. Additionally, the existing
log data for the third Log Collector is not displayed in the ACC or Monitor tabs. | ||
Upgrading a Panorama Virtual Appliance in
Legacy Mode (PAN-OS 9.0.6 or later) | You must increase the CPUs and memory
on the Panorama virtual appliance in Legacy mode to 8 CPUs
and 16GB and increase the system disk to 81GB to successfully
upgrade to PAN-OS 9.0.6 or later releases. | None. |
Built-In External Dynamic List for Bulletproof Hosts | None. | Downgrade from PAN-OS 9.0 to earlier release
versions is not supported for firewalls with security policy rules
that use the predefined external dynamic lists for bulletproof hosts.
Additionally, if Panorama pushes the list to a device group that
includes pre-9.0 firewalls, the commit will fail. Workaround: In either
of these cases, remove the bulletproof hosts list from any security
policy rules that reference it. |
URL Filtering Custom Categories | Release versions earlier than PAN-OS 9.0
allowed you to configure URL Filtering overrides to create exceptions
to URL category enforcement. This enabled you to create exceptions
that have priority enforcement over all other exception types: custom
categories, external dynamic lists (EDLs), and predefined categories.
In PAN-OS 9.0, the URL Filtering profile Overrides tab,
where you would configure these block and allow lists, no longer
exists. Now, to configure exceptions to URL categories, you can
create a custom URL category (Objects > Custom Objects > URL Category). Any
URL Filtering overrides that you configured before upgrading to
PAN-OS 9.0 are now converted to custom URL categories. Override
priority also goes away, which means the firewall may not enforce
the action you had specified for the override before the conversion.
As a result of this change, the firewall determines a website’s
URL category by evaluating custom URL categories, external dynamic
lists (EDLs), and predefined URL categories, in order of precedence
(highest to lowest). Before upgrading to PAN-OS 9.0,
initiate an audit of URLs contained in your custom category lists
and URL filtering overrides and verify that there are no duplicate
entries with conflicting actions. If this is not done prior to the
upgrade, actions taken on URLs will be based on the most severe
configured action among the duplicates. As a result, overrides with
the allow action might be blocked after they are converted to custom
URL categories. If you had URL Filtering overrides
configured before upgrading to PAN-OS 9.0, consider the following:
| None. |
URL Filtering Option to Hold Web Requests
During URL Category Lookup (PAN-OS 9.0.4 or later) |
|
|
URL Filtering Safe Search Enforcement | Install Applications and Threats content
version 8202 or later if you're performing Safe Search Enforcement,
and also want to enable HTTP/2 Inspection. This content release
makes it possible to enforce Safe Search while HTTP/2 Inspection
is enabled. | None. |
Default Administrator Password Requirements (PAN-OS 9.0.4
or later) | The firewall now enforces password complexity
for the default admin account on the first log in to PAN-OS 9.1.
If the current password doesn't meet the complexity requirements,
the device prompts you to change it. On upgrade without password complexity
enabled, the default administrator password must:
On upgrade
with password complexity enabled, the default administrator password
must:
This upgrade change
does not affect other administrative users. | None. |
Split Tunnel to Exclude by Access Route | None. | If you are either downgrading a firewall
from a PAN-OS 9.0 to a PAN-OS 8.1 release or pushing a configuration
from Panorama running a PAN-OS 9.0 release to a firewall running
a PAN-OS 8.1 release, you must remove all address groups from the
access route-based split tunnel configuration (Network > GlobalProtect > Gateways > <gateway-config> > Agent > Client Settings > <client-settings-config> > Split Tunnel > Access Route). |
VM-50 and VM-50 Lite | If you upgrade from PAN-OS 8.1.7 or earlier
and you are using predefined reports, the reports are disabled upon
upgrade. The VM-50 and VM-50 Lite do not support predefined reports
starting in PAN-OS 8.1.8. | None. |
BGP Minimum Route Advertisement Interval | If you upgrade from PAN-OS 8.0.11 (or a
later PAN-OS 8.0 release) to a PAN-OS 9.0 release, the CLI operational
command set system setting bgp-mrai-timer value is
deprecated. Configure the minimum route advertisement interval for
a BGP peer in the user interface instead (Network > Virtual Routers > virtual router > BGP > Peer Group > Peer > Connection Options). | If you downgrade from PAN-OS 9.0 to PAN-OS
8.0.11 (or a PAN-OS 8.0 release later than PAN-OS 8.0.11), the minimum route
advertisement interval you configured for a BGP peer no longer applies
to the peer and the user interface to configure the minimum route
advertisement interval does not exist. The default value of 30 seconds
applies to all BGP peers. Use the CLI operational command set system setting bgp-mrai-timer value to
change the interval for all BGP peers. |
Identity Provider Certificate (PAN-OS 9.0.9
or later) | Ensure that you configure the signing certificate
for your SAML Identity Provider as the Identity Provider Certificate before
you upgrade to PAN-OS 9.0.9 or later so that your users can continue
to authenticate successfully. Always configure the Identity Provider Certificate
when you configure your SAML authentication and,
as a best practice, enable certificate validation when available. | |
GlobalProtect Portal | None. | On Panorama, you must delete the GlobalProtect
Portal configuration (Network > GlobalProtect > Portals). |
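
Added example (not from the Palo Alto Networks documentation): a pre-upgrade audit for the URL Filtering Custom Categories row above, flagging URLs that appear in overrides and custom categories with conflicting actions and reporting which action would win. The input tuple format, the URL normalization, and the severity order (block, override, continue, alert, allow) are assumptions to confirm for your deployment.

```python
from collections import defaultdict

# Assumed severity order, most severe first; confirm against your PAN-OS docs.
SEVERITY = ["block", "override", "continue", "alert", "allow"]
RANK = {action: i for i, action in enumerate(SEVERITY)}


def normalize(url):
    """Assumed matching key: case-insensitive, no scheme, no trailing slash."""
    url = url.strip().lower()
    for scheme in ("https://", "http://"):
        if url.startswith(scheme):
            url = url[len(scheme):]
    return url.rstrip("/")


def audit(entries):
    """Return URLs configured with more than one distinct action, plus the winner."""
    seen = defaultdict(lambda: defaultdict(list))
    for source, url, action in entries:
        action = action.lower()
        if action not in RANK:
            raise ValueError(f"unknown action {action!r} in {source}")
        seen[normalize(url)][action].append(source)
    conflicts = {}
    for url, actions in seen.items():
        if len(actions) > 1:  # same URL, different actions
            conflicts[url] = {
                "actions": {a: sorted(s) for a, s in actions.items()},
                # Most severe action wins after conversion to custom categories.
                "effective": min(actions, key=RANK.__getitem__),
            }
    return conflicts


# Constructed sample export: (where the entry lives, URL, configured action).
SAMPLE = [
    ("override:allow-list", "www.example.com/", "allow"),
    ("custom-category:Blocked-Sites", "WWW.EXAMPLE.COM", "block"),
    ("override:allow-list", "intranet.example.org", "allow"),
    ("custom-category:Partners", "intranet.example.org/", "allow"),
    ("override:block-list", "files.example.net", "block"),
    ("custom-category:Monitor", "files.example.net", "alert"),
]

if __name__ == "__main__":
    for url, info in sorted(audit(SAMPLE).items()):
        print(f"{url}: effective={info['effective']} configured={sorted(info['actions'])}")
```

Wildcard entries are compared as literal strings here, so overlapping patterns still need a manual review.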