Upgrade/Downgrade Considerations

Upgrade/downgrade considerations for PAN-OS 9.1.
The following table lists the new features that have upgrade or downgrade impact. Make sure you understand all upgrade/downgrade considerations before you upgrade to or downgrade from a PAN-OS 9.1 release. For additional information about PAN-OS 9.1 releases, refer to the PAN-OS 9.1 Release Notes.
PAN-OS 9.1 Upgrade/Downgrade Considerations
Feature
Upgrade Considerations
Downgrade Considerations
Commit Failure to Web Interface and CLI
None.
You must Contact Palo Alto Networks Support before you downgrade a Panorama management server, PA-7000 Series firewall, and PA-5200 Series firewall to avoid commit failures on successful downgrade to PAN-OS 9.0. Refer to PAN-142114 in the PAN-OS 9.1 Limitations when you contact Palo Alto Networks Support.
SD-WAN Plugin
The SD-WAN plugin provides intelligent, dynamic path selection on top of the industry leading security provided by PAN-OS
Enabling your SD-WAN plugin and starting your device creates SD-WAN databases.
Downgrading from PAN-OS 9.1 to an earlier version deletes any SD-WAN databases and removes any SD-WAN specific configurations. Your subscription remains on the device and is re-enabled if you upgrade.
Upgrading a PA-7000 Series Firewall with a first generation switch management card (PA-7050-SMC or PA-7080-SMC)
Before upgrading the firewall, run the following CLI command to check the flash drive’s status:
debug system disk-smart-info disk-1
.
If the value for attribute ID #232,
Available_Reservd_Space 0x0000
, is greater than 20, then proceed with the upgrade. If the value is less than 20, then contact support for assistance.
Before downgrading the firewall, run the following CLI command to check the flash drive’s status:
debug system disk-smart-info disk-1
.
If the value for attribute ID #232,
Available_Reservd_Space 0x0000
, is greater than 20, then proceed with the downgrade. If the value is less than 20, then contact support for assistance.
Username in HTTP Header Insertion Entries
None.
Downgrading from PAN-OS 9.1 removes the dynamic fields header values containing the domain and username.
Dynamic User Groups
None.
Downgrading from PAN-OS 9.1 migrates existing dynamic user groups to XML API user groups, retaining all group members at the time of the downgrade. The firewall continues to enforce any policy rules that apply to these groups.
Option to Hold Web Requests During URL Category Lookup
If you have this feature enabled, upgrading to PAN-OS 9.1 from an earlier version disables this option. Configure URL Filtering to re-enable this feature.
If you have this feature enabled, downgrading from PAN-OS 9.1 to an earlier version disables this option.
URL Filtering BrightCloud Support
With PAN-OS 9.1, BrightCloud is no longer supported as a URL Filtering vendor. Before you can upgrade to PAN-OS 9.1, you’ll first need to contact your sales representative to convert your BrightCloud URL Filtering license to a PAN-DB URL Filtering license. Only upgrade to PAN-OS 9.1 after confirming that the PAN-DB URL Filtering license is active on your firewall.
Enhanced Logging for GlobalProtect
When upgrading to PAN-OS 9.1, any existing GlobalProtect logs stay in their current location, however any new logs received after the upgrade are stored in their new locations and categorized by the new GlobalProtect log type.
Any GlobalProtect logs collected after the upgrade will be lost when downgrading from PAN-OS 9.1 to an earlier version.
Identity Provider Certificate
(
PAN-OS 9.1.3 or later
)
Ensure that you configure the signing certificate for your SAML Identity Provider as the
Identity Provider Certificate
before you upgrade to PAN-OS 9.1.3 or later so that your users can continue to authenticate successfully. Always configure the Identity Provider Certificate when you configure your SAML authentication and, as a best practice, enable certificate validation when available.
Log Storage Quota
On upgrade to PAN-OS 9.1, the firewall log storage quota (
Device
Setup
Management
Logging and Reporting Settings
) exceeds 100% of the total disk space available and causes commits to fail.
After you successfully upgrade a firewall to PAN-OS 9.1, modify the log storage quota to equal 100%.
  1. Select
    Device
    Setup
    Management
    Logging and Reporting
    and modify the log storage quota.
  2. Commit the configuration changes.
    admin#
    commit force

Recommended For You