1. Home
    2. PAN-OS
    3. PAN-OS® New Features Guide
    4. Upgrade to PAN-OS 9.0
    5. Upgrade/Downgrade Considerations
    End-of-Life (EoL)

    Upgrade/Downgrade Considerations

    Upgrade/downgrade considerations for PAN-OS 9.0.
    The following table lists the new features that have upgrade or downgrade impact. Make sure you understand all upgrade/downgrade considerations before you upgrade to or downgrade from a PAN-OS 9.0 release. For additional information about PAN-OS 9.0 releases, refer to the PAN-OS 9.0 Release Notes.
    Review the following when upgrading Panorama to PAN-OS 9.0:
    PAN-OS 9.0 Upgrade/Downgrade Considerations
    Feature
    Upgrade Considerations
    Downgrade Considerations
    VM-Series Plugin
    The VM-Series plugin manages integration with public and private clouds, allowing Palo Alto Networks to release bug fixes, new features, and new cloud integrations independent of a PAN-OS release.
    Save your PAN-OS 8.1. configuration before upgrading to PAN-OS 9.0.
    The plugin is installed automatically when you install or upgrade the VM-Series firewall to PAN-OS 9.0. The plugin can be upgraded or downgraded, but it cannot be removed from PAN-OS.
    The plugin supports all clouds so upgrades might not apply to you. Before you upgrade the plugin, review the release notes.
    (
    PAYG licenses only
    ) You must upgrade to VM-Series plugin 1.0.2 (or later) after you upgrade to a PAN-OS 9.0 release and, then, reboot your firewall to recover your pay-as-you-go (PAYG) license after you upgrade from a PAN-OS 8.1 release.
    Each plugin version provides PAN-OS compatibility information. You can upgrade the plugin version from the VM-Series firewall with
    Device
    Plugins
    Check Now
     or from a bootstrap file.
    If you have upgraded the VM-Series plugin independent of PAN-OS, downgrading to a previous release works the same as for other plugins.
    Downgrading from PAN-OS version 9.0 to 8.1 generates many error messages or disallows the downgrade. Instead of downgrading, restore your 8.1 configuration on a new firewall.
    1. Deactivate any licenses for the VM-Series firewall, and delete the VM.
    2. Deploy a new VM-Series firewall and load your previously saved configuration.
    Use Panorama to manage VM-Series plugin integrations with your managed firewalls
    If you have one or more cloud integrations configured in 8.1 when you upgrade to 9.0 (Google Stackdriver, Azure Application Insights, or AWS CloudWatch), the VM-Series plugin is automatically installed and any existing configuration is migrated to the VM-Series plugin.
    If you have not configured cloud integrations in 8.1, the VM-Series plugin is supplied when you upgrade Panorama to 9.0, but it is not installed.
    In 9.0, if you want to manage cloud integrations from Panorama, go to
    Panorama
    Plugins
    and use
    Check Now
     to view the VM-Series plugin. Load the VM-Series plugin, and install. Once installed the plugin can be upgraded and downgraded.
    If you have upgraded the VM-Series plugin independent of Panorama, downgrading to a previous release works the same as for other plugins.
    Upgrading a PA-7000 Series Firewall with a first generation switch management card (PA-7050-SMC or PA-7080-SMC)
    Before upgrading the firewall, run the following CLI command to check the flash drive’s status:
    debug system disk-smart-info disk-1
    .
    If the value for attribute ID #232,
    Available_Reservd_Space 0x0000
    , is greater than 20, then proceed with the upgrade. If the value is less than 20, then contact support for assistance.
    Before downgrading the firewall, run the following CLI command to check the flash drive’s status:
    debug system disk-smart-info disk-1
    .
    If the value for attribute ID #232,
    Available_Reservd_Space 0x0000
    , is greater than 20, then proceed with the downgrade. If the value is less than 20, then contact support for assistance.
    User-ID Support for Large Numbers of Terminal Servers
    None.
    To downgrade, remove any Alternative IP Addresses that contain an FQDN. If you have configured more than 1000 Terminal Services agents across all virtual systems on the firewall, remove agents until there are no more than 1000 before downgrading.
    Shared User-ID Mapping Across Virtual Systems
    None.
    If you have consolidated the User-ID sources on the hub, you need to reconfigure the User-ID sources on each virtual system.
    WinRM Support for Server Monitoring
    None.
    During a downgrade, any server profiles using WinRM-HTTP or WinRM-HTTPS are migrated to WMI.
    Universally Unique Identifiers for Policy Rules
    When you upgrade, upgrade Panorama first, push the rulebases to the firewalls Panorama manages, and then upgrade the firewalls. If you do not push the policy configuration to the firewalls from Panorama before upgrading the managed firewalls, the upgrade will not be successful.
    In addition, if you are upgrading an HA pair, upon upgrade to PAN-OS 9.0, each peer independently assigns UUIDs for each policy rule. Because of this, the peers will show as out of sync until you sync the configuration (
    Dashboard
    Widgets
    System
    High Availability
    Sync to peer
    ).
    In the ACC, the
    Rule
     field is now
    Rule Name
     to distinguish it from the new
    Rule UUID
     field.
    If you push a log forwarding profile that uses UUIDs from an upgraded Panorama to a firewall that has not been upgraded, the commit on the firewall will not be successful.
    All UUIDs are retained as attributes so they can be reapplied to the rulebase in case you re-upgrade.
    If you are using UUIDs in log forwarding profiles or custom reports, the downgrade and any autocommits will be successful, but any subsequent commits will not be successful.
    If you downgrade Panorama, the Shared Policy column (
    Panorama
    Managed Devices
    Summary
    ) for all devices displays as
    Out of sync
    , due to the missing UUIDs. After you commit and push the configuration to the devices, they will display as
    In sync
    .
    Upgrading Panorama with Local Log Collectors or Dedicated Log Collectors
    PAN-OS 9.0 introduces a new log data format, and as a result, the upgrade procedure may take up to six hours to complete in order for Panorama or the Log Collector to automatically reformat existing log data. During this time, log data is not visible in the
    ACC
     and
    Monitor
     tabs. Additionally, new log data is not forwarded to the appliance until the upgrade is complete.
    Existing log data must be reformatted to the log format introduced in PAN-OS 8.0 upon downgrade using a log migration script provided by Palo Alto Networks. During the reformatting, log data is not visible in the
    ACC
     and
    Monitor
     tabs. Additionally, new log data is not forwarded to Log Collectors until the reformatting is complete.
    All Log Collectors in a collector group must be upgraded at the same time to avoid any log data loss. If the majority of Log Collectors in a collector group are upgraded, the log data for the minority, non-upgraded Log Collectors are not visible in the
    ACC
     and
    Monitor
     tabs.
    For example, if you have three Log Collectors in a collector group, and you upgrade two of the Log Collectors, logs are not forwarded to the third non-upgraded Log Collector. Additionally, the existing log data for the third Log Collector is not displayed in the
    ACC
     or
    Monitor
     tabs.
    Upgrading a Panorama Virtual Appliance in Legacy Mode
    (
    PAN-OS 9.0.6 or later
    )
    You must increase the CPUs and memory on the Panorama virtual appliance in Legacy mode to 8 CPUs and 16GB and increase the system disk to 81GB to successfully upgrade to PAN-OS 9.0.6 or later releases.
    None.
    Built-In External Dynamic List for Bulletproof Hosts
    None.
    Downgrade from PAN-OS 9.0 to earlier release versions is not supported for firewalls with security policy rules that use the predefined external dynamic lists for bulletproof hosts. Additionally, if Panorama pushes the list to a device group that includes pre-9.0 firewalls, the commit will fail.
    Workaround:
     In either of these cases, remove the bulletproof hosts list from any security policy rules that reference it.
    URL Filtering Custom Categories
    Release versions earlier than PAN-OS 9.0 allowed you to configure URL Filtering overrides to create exceptions to URL category enforcement. This enabled you to create exceptions that have priority enforcement over all other exception types: custom categories, external dynamic lists (EDLs), and predefined categories. In PAN-OS 9.0, the URL Filtering profile
    Overrides
     tab, where you would configure these block and allow lists, no longer exists. Now, to configure exceptions to URL categories, you can create a custom URL category (
    Objects
    Custom Objects
    URL Category
    ).
    Any URL Filtering overrides that you configured before upgrading to PAN-OS 9.0 are now converted to custom URL categories. Override priority also goes away, which means the firewall may not enforce the action you had specified for the override before the conversion. As a result of this change, the firewall determines a website’s URL category by evaluating custom URL categories, external dynamic lists (EDLs), predefined URL categories, in order of precedence (highest to lowest).
    Before upgrading to PAN-OS 9.0, initiate an audit of URLs contained in your custom category lists and URL filtering overrides and verify that there are no duplicate entries with conflicting actions. If this is not done prior to the upgrade, actions taken on URLs will be based on the most severe configured action among the duplicates. As a result, overrides with the allow action might be blocked after they are converted to custom URL categories.
    If you had URL Filtering overrides configured before upgrading to PAN-OS 9.0, consider the following:
    • The URL Filtering profile might reach its limit for custom URL categories, causing the PAN-OS 9.0 upgrade to fail.
      Workaround:
       Use this command to reset the ID manager process:
      debug device-server reset id-manager type vsys-custom-url-category | shared-custom-url-category
      .
      If that doesn't work, you might need to remove some custom URL categories.
    • In earlier release versions, URL category overrides receive priority enforcement over custom URL categories when duplicate URL entries are present. Duplicates can include any entry that matches with a specific URL. However, override priority goes away in PAN-OS 9.0 with the conversion of the overrides to custom URL categories. The firewall will enforce new custom URL categories using the Security policy rule with the strictest URL Filtering profile action. From most to least strict, the URL Filtering profile actions are: block, override, continue, alert, and allow. Thus, overrides with the allow action might be blocked after they are converted. This can occur when a URL matches with multiple subdomain entries with different specified actions.
      Workaround:
       To ensure priority enforcement for custom URL categories, especially for sites that you want to allow:
      1. Create a URL Filtering Profile that defines site access for a custom URL category.
        Select
        Objects
        Security Profiles
        URL Filtering
        Categories
        , and set the
        Site Access
         (like allow or block) for Custom URL Categories that you want to exclude from a URL category.
      2. Create a new security policy rule to prioritize enforcement for URL category exceptions. Attach the URL Filtering profile you just created to that rule (
        Policies
        Security
        Actions
        Profile Settings
        Profiles
        ). Because the firewall evaluates rules from top to bottom, make sure that this rule appears at the top of your security policy (
        Security
        Policies
        ).
      The
      Overrides
       tab objects are removed and
      Custom URL Category
      objects are created for firewalls running PAN-OS 8.1 or earlier releases when managed by a Panorama management server that is upgraded to PAN-OS 9.0.
    • When block and allow overrides are converted to custom URL categories during upgrade, the names of the new custom URL categories are based on the name of the URL Filtering profile in which the override was configured, and begin with the override action. For example: "allow-[URL Filtering profile name]" or "block-URL Filtering profile name]". You'll see an error after you upgrade if the name of a newly-converted custom URL category matches the name of the any of the custom URL categories you've already configured.
      Workaround:
      If you currently have custom URL categories that begin with "allow-" or "block-", consider renaming the custom URL categories so that they don't begin with the words "block-" or "allow-". Do this before you upgrade.
    None.
    URL Filtering Option to Hold Web Requests During URL Category Lookup (
    PAN-OS 9.0.4 or later
    )
    • If you have this feature enabled in PAN-OS 8.1.10 or later, upgrading will disable it. To re-enable it, see Configure URL Filtering.
    • The 8.1 and 9.0 versions of this feature have different CLI commands to enable it. For the correct commands, see the appropriate version of Configure URL Filtering.
    • If you have this feature enabled, downgrading to an earlier version will disable it.
    • This feature is not available in PAN-OS versions 9.0 to 9.0.3 and 8.1.9 or earlier.
    • The 8.1 and 9.0 versions of this feature have different CLI commands to enable it. For the correct commands, see the appropriate version of Configure URL Filtering.
    URL Filtering Safe Search Enforcement
    Install Applications and Threats content version 8202 or later if you're performing Safe Search Enforcement, and also want to enable HTTP/2 Inspection. This content release makes it possible to enforce Safe Search while HTTP/2 Inspection is enabled.
    None.
    Default Administrator Password Requirements (
    PAN-OS 9.0.4 or later
    )
    The firewall now enforces password complexity for the default admin account on the first log in to PAN-OS 9.1. If the current password doesn't meet the complexity requirements, the device prompts you to change it.
    On upgrade without password complexity enabled, the default administrator password must:
    • Have a minimum of eight characters.
    • Include a minimum of one lowercase and one uppercase character, as well as one number or special character.
    On upgrade with password complexity enabled, the default administrator password must:
    • Have either eight characters or the configured minimum length, whichever is greater.
    • Include a minimum of one lowercase and one uppercase character, as well as one number or special character, or the configured complexity rules, whichever is more complex.
    This upgrade change does not affect other administrative users.
    None.
    Split Tunnel to Exclude by Access Route
    None.
    If you are either downgrading a firewall from a PAN-OS 9.0 to a PAN-OS 8.1 release or pushing a configuration from Panorama running a PAN-OS 9.0 release to a firewall running a PAN-OS 8.1 release, you must remove all address groups from the access route-based split tunnel configuration (
    Network
    GlobalProtect
    Gateways
    <gateway-config>
    Agent
    Client Settings
    <client-settings-config>
    Split Tunnel
    Access Route
    ).
    VM-50 and VM-50 Lite
    If you upgrade from PAN-OS 8.1.7 or earlier and you are using predefined reports, the reports are disabled upon upgrade. The VM-50 and VM-50 Lite do not support predefined reports starting in PAN-OS 8.1.8.
    None.
    BGP Minimum Route Advertisement Interval
    If you upgrade from PAN-OS 8.0.11 (or a later PAN-OS 8.0 release) to a PAN-OS 9.0 release, the CLI operational command
    set system setting bgp-mrai-timer value
     is deprecated. Configure the minimum route advertisement interval for a BGP peer in the user interface instead (
    Network
    Virtual Routers
    virtual router
    BGP
    Peer Group
    Peer
    Connection Options
    ).
    If you downgrade from PAN-OS 9.0 to PAN-OS 8.0.11 (or a PAN-OS 8.0 release later than PAN-OS 8.0.11), the minimum route advertisement interval you configured for a BGP peer no longer applies to the peer and the user interface to configure the minimum route advertisement interval does not exist. The default value of 30 seconds applies to all BGP peers. Use the CLI operational command
    setsystem setting bgp-mrai-timer value
     to change the interval for all BGP peers.
    Identity Provider Certificate
    (
    PAN-OS 9.0.9 or later
    )
    Ensure that you configure the signing certificate for your SAML Identity Provider as the
    Identity Provider Certificate
     before you upgrade to PAN-OS 9.0.9 or later so that your users can continue to authenticate successfully. Always configure the Identity Provider Certificate when you configure your SAML authentication and, as a best practice, enable certificate validation when available.
    GlobalProtect Portal
    None.
    On Panorama, you must delete the GlobalProtect Portal configuration (
    Network
    GlobalProtect
    Portals
    ) from all template and template stacks before you can successfully downgrade Panorama and managed firewalls to PAN-OS 8.1 or earlier release.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo