VM-Series and Panorama Plugins Release Notes
    : Upgrade/Downgrade Considerations
    Focus
    Download PDF
    Focus
    1. Home
    2. VM-Series and Panorama Plugins Release Notes
    3. Panorama Plugin for SD-WAN
    4. Upgrade/Downgrade Considerations
    Download PDF

    VM-Series and Panorama Plugins Release Notes

    Upgrade/Downgrade Considerations

    Table of Contents

    Upgrade/Downgrade Considerations

    Upgrade/downgrade considerations for SD-WAN Plugin releases.
    The following tables list the features that have upgrade or downgrade impact. Make sure you understand all upgrade and downgrade considerations before you upgrade to or downgrade from an SD-WAN plugin release. For additional information about the SD-WAN plugin releases, refer to the PAN-OS Release Notes.
    Refer upgrade SD-WAN plugin with compatible PAN-OS release to upgrade the Panorama management server and Palo Alto Networks firewalls that are compatible with the SD-WAN plugin release.
    Refer upgrade and downgrade paths for SD-WAN plugin before upgrading your currently installed SD-WAN plugin version.
    After the upgrade, you must conduct the below checks before committing the changes to Panorama:
    • Verify that the Router Name is configured (PanoramaSD-WANDevices) for each SD-WAN device in the VPN cluster. The Router Name configuration is supported from SD-WAN plugin 3.1.0 and later releases.
    • Verify that the BGP (PanoramaSD-WANDevices) is enabled for each SD-WAN device in the VPN cluster. Ensure that the same BGP address family (IPv4 BGP or IPv6 BGP) is enabled which was configured before the upgrade. IPv6 is supported from SD-WAN plugin 3.1.1 and later releases. Therefore, the upgraded plugin will contain the IPv6 option only if you are upgrading from SD-WAN 3.1.1 or later releases.
    • Verify if the same VPN Authentication type (Pre Shared Key or Certificate) is enabled (PanoramaSD-WANDevicesVPN Tunnel) which was configured before the upgrade. The Certificate authentication type is supported from SD-WAN plugin 3.2.0 and later releases. Therefore, the upgraded plugin will contain the VPN Authentication type (Pre Shared Key or Certificate) only if you are upgrading from SD-WAN plugin 3.2.0 or later releases.
    SD-WAN Plugin 3.3 Upgrade/Downgrade Considerations
    Feature
    Upgrade Considerations
    Downgrade Considerations
    SD-WAN plugin improvements
    (SD-WAN Plugin 3.3.2 version)
    (For HA firewall deployments only) When you upgrade from any SD-WAN plugin earlier versions to 3.3.2, a temporary tunnel or BGP flap may be seen after installing SD-WAN plugin 3.3.2 release followed by commit and commit all operation.
    This improvement isn't available when you upgrade/downgrade from SD-WAN plugin 3.3.2 to any of the following versions released earlier to 3.3.2 (except SD-WAN plugin versions 3.0.8 and 3.2.2):
    • 3.3.1 or versions earlier to 3.3.1
    • 3.2.1 or versions earlier to 3.2.1
    • 3.1.3 or versions earlier to 3.1.3
    • 3.0.7 or versions earlier to 3.0.7
    • 2.2.6 or versions earlier to 2.2.6
    That is, you will experience the tunnel and BGP flaps on the initial commit and commit all after the upgrade.
    Multiple Virtual Routers Support on SD-WAN Branches
    None
    No warning message is displayed when you attempt to downgrade the Panorama with SD-WAN plugin 3.3.1 where the multiple virtual routers support on the branch feature is enabled to any SD-WAN plugin version that does not have this feature support.
    SD-WAN Plugin 3.2 Upgrade/Downgrade Considerations
    Feature
    Upgrade Considerations
    Downgrade Considerations
    SD-WAN plugin improvements
    (SD-WAN Plugin 3.2.2 version)
    (For HA firewall deployments only) When you upgrade from any SD-WAN plugin earlier versions to 3.2.2, a temporary tunnel or BGP flap may be seen after installing SD-WAN plugin 3.2.2 release followed by commit and commit all operation.
    This improvement isn't available when you upgrade/downgrade from SD-WAN plugin 3.2.2 to any of the following versions released earlier to 3.2.2 (except SD-WAN plugin version 3.0.8):
    • 3.3.1 or versions earlier to 3.3.1
    • 3.2.1 or versions earlier to 3.2.1
    • 3.1.3 or versions earlier to 3.1.3
    • 3.0.7 or versions earlier to 3.0.7
    • 2.2.6 or versions earlier to 2.2.6
    That is, you will experience the tunnel and BGP flaps on the initial commit and commit all after the upgrade.
    Multiple Virtual Routers Support on SD-WAN Hubs
    None
    When you downgrade from SD-WAN plugin release 3.2.1 with the multiple virtual routers on the SD-WAN hubs feature to an SD-WAN plugin release where this feature isn't supported, the multiple virtual routers configuration will be removed automatically without any warning or error message. However, the downgrade will be successful.
    PAN-233120
    None
    When you attempt to downgrade from Panorama 11.1.0 to Panorama 10.1.11 directly, the SD-WAN plugin version does not get downgraded to the compatible version automatically. Due to this, the Panorama will throw a commit failure.
    Workaround: To downgrade from Panorama 11.1.0 to Panorama 10.1.11:
    1. First, downgrade from Panorama 11.1.0 (with SD-WAN plugin version 3.2.0) to 11.0.2-h2 (with SD-WAN plugin version 3.1.1)
    2. Then, downgrade from Panorama 11.0.2-h2 (with SD-WAN plugin version 3.1.1) to Panorama 10.1.11 (with SD-WAN plugin version 2.2.4)
    SD-WAN IKEv2 Certificate-based Authentication Support
    The existing devices in the SD-WAN configuration will continue to use the pre-shared key (PSK) and wouldn’t automatically change to certificate-based authentication. If you want to change the authentication type to certificate, follow these steps:
    • Delete the VPN cluster
    • Import the certificates (manually or bulk import)
    • Change the Authentication type to Certificate (either manually or through CSV import of devices)
    • reconfigure the devices in the new cluster
    • If the VPN cluster is configured as a pre-shared key (PSK), then downgrade will be allowed.
    • If the VPN clusters are created with certificate-based authentication and the downgrade version does not support IKEv2 certificate authentication, the downgrade won't be allowed. To proceed with the downgrade:
      • Delete the VPN cluster. SD-WAN device authentication will automatically change to PSK on downgrade.
      • After downgrade, configure the new cluster and add the SD-WAN devices to it.
    SD-WAN Plugin 3.1 Upgrade/Downgrade Considerations
    Feature
    Upgrade Considerations
    Downgrade Considerations
    Additional Private Link Types for SD-WAN Interface Profile
    None
    Ensure the following before downgrading from SD-WAN plugin release 3.1.3 to any of the earlier SD-WAN plugin versions:
    • Remove the new private link types (Private 1, Private 2, Private 3, Private 4) from the SD-WAN Interface Profile configuration.
    • Same priority must not be configured for more than four SD-WAN hubs in a VPN cluster.
    • SD-WAN plugin versions earlier to 3.1.3 supports only four SD-WAN hub firewalls. Therefore, remove the additional hubs in a VPN cluster and ensure that not more than four hubs are present in the VPN cluster configuration.
    You cannot upgrade directly to SD-WAN plugin 3.1.2 from any plugin version earlier than 3.1.1. If you are running SD-WAN plugin 3.1.0 or an earlier plugin version on your firewall, you must upgrade to SD-WAN plugin 3.1.1 before you upgrade to SD-WAN plugin 3.1.2.
    None
    DDNS/Dynamic IP addressing using FQDN
    When upgrading to SD-WAN plugin 3.1.1, SD-WAN branches configured with dynamic IP addressing using FQDN didn't work. Instead, upgrade to SD-WAN plugin 3.1.2. You must first Commit on Panorama and then Push to devices.
    None
    SD-WAN Plugin 3.0 Upgrade/Downgrade Considerations
    FeatureUpgrade ConsiderationsDowngrade Considerations
    SD-WAN plugin improvements
    (SD-WAN Plugin 3.0.8 version)
    (For HA firewall deployments only) When you upgrade from any SD-WAN plugin earlier versions to 3.0.8, a temporary tunnel or BGP flap may be seen after installing SD-WAN plugin 3.0.8 release followed by commit and commit all operation.
    This improvement isn't available when you upgrade/downgrade from SD-WAN plugin 3.0.8 to any of the following versions released earlier to 3.0.8:
    • 3.3.1 or versions earlier to 3.3.1
    • 3.2.1 or versions earlier to 3.2.1
    • 3.1.3 or versions earlier to 3.1.3
    • 3.0.7 or versions earlier to 3.0.7
    • 2.2.6 or versions earlier to 2.2.6
    That is, you will experience the tunnel and BGP flaps on the initial commit and commit all after the upgrade.
    Multiple Virtual Routers Support on SD-WAN Hubs
    None
    When you downgrade from SD-WAN plugin release 3.0.7 with the multiple virtual routers on the SD-WAN hubs feature to an SD-WAN plugin release where this feature isn't supported, the multiple virtual routers configuration will be removed automatically without any warning or error message. However, the downgrade will be successful.
    SD-WAN Plugin 2.2 Upgrade/Downgrade Considerations
    Feature
    Upgrade Considerations
    Downgrade Considerations
    SD-WAN plugin improvements
    (SD-WAN Plugin 2.2.7 version)
    (For HA firewall deployments only) When you upgrade/downgrade from any SD-WAN plugin earlier versions to 2.2.7, a temporary tunnel or BGP flap may be seen after installing SD-WAN plugin 2.2.7 release followed by commit and commit all operation.
    This improvement isn't available when you upgrade/downgrade from SD-WAN plugin 2.2.7 to any of the following versions released earlier to 2.2.7:
    • 3.3.1 or versions earlier to 3.3.1
    • 3.2.1 or versions earlier to 3.2.1
    • 3.1.3 or versions earlier to 3.1.3
    • 3.0.7 or versions earlier to 3.0.7
    • 2.2.6 or versions earlier to 2.2.6
    That is, you will experience the tunnel and BGP flaps on the initial commit and commit all after the upgrade.
    After you upgrade to SD-WAN plugin release 2.2.6, you won't be able to change the existing VPN cluster name.
    None.
    PLUG-11223
    (HA deployments only) When you upgrade from an earlier SD-WAN plugin release to 2.2.5 followed by Commit and Commit All, the key ID will change if it was generated using the firewall that has a higher serial number.
    None.
    For a Panorama virtual appliance, you must increase the memory allocated to the Panorama management server to 64 GB. This is required to avoid commit failures on successful upgrade to SD-WAN plugin 2.2.
    None.
    Review the minimum supported PAN-OS versions before upgrading your firewalls leveraging SD-WAN.
    Panorama plugin for SD-WAN 2.2 supports the following minimum PAN-OS versions for managed firewalls.
    • PAN-OS 10.0—10.0.8
    • PAN-OS 10.1—10.1.4
    None.
    Prisma Access Hub Support
    To downgrade the SD-WAN Plugin from 2.2.0 to 2.1.0:
    1. Use the web interface to delete all of the Prisma Access hub onboarding.
    2. Delete the BGP local address pool subnet.
    3. Commit the configuration.
    4. Downgrade the SD-WAN Plugin to 2.1.0.
    SD-WAN Devices
    For SD-WAN devices (PanoramaSD-WANDevices) in a high availability (HA) configuration, you must enter a unique Site name for each HA peer when adding the SD-WAN device to the Panorama management server. The SD-WAN plugin 2.2 requires that all devices have a unique Site name.
    On upgrade to SD-WAN plugin 2.2, commits on Panorama fail if two SD-WAN devices have the same Site name.
    None.
    SD-WAN Plugin 2.1 Upgrade/Downgrade Considerations
    FeatureUpgrade ConsiderationsDowngrade Considerations
    To upgrade from SD-WAN Plugin 2.0.2 or earlier 2.0 versions to 2.1.0, complete the following steps during a maintenance timeframe:
    1. Upgrade to SD-WAN Plugin 2.1.0.
    2. Make a small configuration change of your choice in the SD-WAN cluster configuration. For example, change the SD-WAN hub priority and change it back.
    3. Issue a local Panorama Commit.
    4. Push the configuration to all devices in the VPN cluster at once. On the Push Scope Selection, select Force Template Values.
    5. Reboot all SD-WAN hubs. If the hubs are an HA pair, follow the HA reboot procedure.
    None
    SD-WAN Plugin 2.0 Upgrade/Downgrade Considerations
    FeatureUpgrade ConsiderationsDowngrade Considerations
    To upgrade from SD-WAN Plugin 2.0.x to 2.0.3, complete the following steps during a maintenance timeframe:
    1. Upgrade to SD-WAN Plugin 2.0.3.
    2. Make a small configuration change of your choice in the SD-WAN cluster configuration. For example, change the SD-WAN hub priority and change it back.
    3. Issue a local Panorama Commit.
    4. Push the configuration to all devices in the VPN cluster at once. On the Push Scope Selection, select Force Template Values.
    5. Reboot all SD-WAN hubs. If the hubs are an HA pair, follow the HA reboot procedure.
    None
    Downgrading the Panorama management server and managed firewalls that currently leverage features that were introduced in PAN-OS 10.0.3 (or later version) or SD-WAN plugin 2.0.1 (or later version) can cause stability issues if you downgrade from the following versions:
    • PAN-OS 10.0.3 or a later version to PAN-OS 10.0.2 or an earlier release with SD-WAN plugin 2.0.1 or later version installed.
    • SD-WAN plugin version 2.0.1 or a later version to SD-WAN plugin 2.0.0.
    Workaround: Before you upgrade to PAN-OS 10.0.3 or SD-WAN plugin 2.0.1, save and export your Panorama and firewall configurations. Then, if you need to downgrade PAN-OS or the SD-WAN plugin to a previous version:
    1. Downgrade the PAN-OS or SD-WAN plugin version on Panorama and managed firewalls.
    2. Select PanoramaSetupOperations and Import named Panorama configuration snapshot.
    3. Load named Panorama configuration snapshot.
    4. Commit and Push.
    If you did not export and save a Panorama and managed firewall configuration prior to upgrading to PAN-OS 10.0.3 or SD-WAN plugin 2.0.1, then— before you can successfully downgrade to PAN-OS 10.0.2 (or an earlier version) or SD-WAN plugin 2.0.0—you must remove any feature options or configurations that were introduced in PAN-OS 10.0.3 or in SD-WAN plugin 2.0.1.
    Remove Private AS
    None
    If you change the Remove Private AS setting, commit to all SD-WAN cluster nodes, and subsequently downgrade to an SD-WAN Plugin version earlier than 2.0.2, then all configuration related to Remove Private AS must be done outside of the SD-WAN plugin or directly on the firewalls.
    Full Mesh and DDNS
    None
    If you downgrade from SD-WAN Plugin 2.0.1 to an earlier plugin version, the VPN Cluster will not support a mesh configuration or a DDNS configuration. If you had configured a VPN mesh configuration, then you must move the cluster to a Hub-Spoke configuration, configure a hub if you didn't have one, Remove DDNS Configuration, commit on Panorama, and then push the configuration to your firewalls.  If you cannot change the VPN cluster to a Hub-Spoke configuration, then you must delete the entire cluster, commit on Panorama, and then push the configuration to your firewalls before you downgrade. 

    © 2025 Palo Alto Networks, Inc. All rights reserved.