Upgrade/Downgrade Considerations

Upgrade/downgrade considerations for PAN-OS 9.1.
The following table lists the new features that have upgrade or downgrade impact. Make sure you understand all upgrade/downgrade considerations before you upgrade to or downgrade from a PAN-OS 9.1 release. For additional information about PAN-OS 9.1 releases, refer to the PAN-OS 9.1 Release Notes.
PAN-OS 9.1 Upgrade/Downgrade Considerations
Upgrade Considerations
Downgrade Considerations
SD-WAN Plugin
The SD-WAN plugin provides intelligent, dynamic path selection on top of the industry leading security provided by PAN-OS
Enabling your SD-WAN plugin and starting your device creates SD-WAN databases.
Downgrading from PAN-OS 9.1 to an earlier version deletes any SD-WAN databases and removes any SD-WAN specific configurations. Your subscription remains on the device and is re-enabled if you upgrade.
Username in HTTP Header Insertion Entries
Downgrading from PAN-OS 9.1 removes the dynamic fields header values containing the domain and username.
Dynamic User Groups
Downgrading from PAN-OS 9.1 migrates existing dynamic user groups to XML API user groups, retaining all group members at the time of the downgrade. The firewall continues to enforce any policy rules that apply to these groups.
Option to Hold Web Requests During URL Category Lookup
If you have this feature enabled, upgrading to PAN-OS 9.1 from an earlier version disables this option. Configure URL Filtering to re-enable this feature.
If you have this feature enabled, downgrading from PAN-OS 9.1 to an earlier version disables this option.
URL Filtering BrightCloud Support
With PAN-OS 9.1, BrightCloud is no longer supported as a URL Filtering vendor. Before you can upgrade to PAN-OS 9.1, you’ll first need to contact your sales representative to convert your BrightCloud URL Filtering license to a PAN-DB URL Filtering license. Only upgrade to PAN-OS 9.1 after confirming that the PAN-DB URL Filtering license is active on your firewall.
Enhanced Logging for GlobalProtect
When upgrading to PAN-OS 9.1, any existing GlobalProtect logs stay in their current location, however any new logs received after the upgrade are stored in their new locations and categorized by the new GlobalProtect log type.
Any GlobalProtect logs collected after the upgrade will be lost when downgrading from PAN-OS 9.1 to an earlier version.

Recommended For You