Upgrade/Downgrade Considerations

Upgrade/downgrade considerations for SD-WAN Plugin releases.
The following tables list the features that have upgrade or downgrade impact. Make sure you understand all upgrade and downgrade considerations before you upgrade to or downgrade from an SD-WAN plugin release. For additional information about the SD-WAN plugin releases, refer to the PAN-OS Release Notes.
Refer to "upgrade SD-WAN plugin with compatible PAN-OS release" to upgrade the Panorama management server and Palo Alto Networks firewalls that are compatible with the SD-WAN plugin release.
Refer to "upgrade and downgrade paths for SD-WAN plugin" before upgrading your currently installed SD-WAN plugin version.
After the upgrade, you must perform the following checks before committing the changes to Panorama:
  • Verify that the Router Name is configured (Panorama > SD-WAN > Devices) for each SD-WAN device in the VPN cluster. The Router Name configuration is supported from SD-WAN plugin 3.1.0 and later releases.
  • Verify that BGP is enabled (Panorama > SD-WAN > Devices) for each SD-WAN device in the VPN cluster. Ensure that the same BGP address family (IPv4 BGP or IPv6 BGP) that was configured before the upgrade is enabled. IPv6 is supported from SD-WAN plugin 3.1.1 and later releases. Therefore, the upgraded plugin will contain the IPv6 option only if you are upgrading from SD-WAN 3.1.1 or later releases.
  • Verify that the same VPN Authentication type (Pre Shared Key or Certificate) that was configured before the upgrade is enabled (Panorama > SD-WAN > Devices > VPN Tunnel). The Certificate authentication type is supported from SD-WAN plugin 3.2.0 and later releases. Therefore, the upgraded plugin will contain the VPN Authentication type (Pre Shared Key or Certificate) only if you are upgrading from SD-WAN plugin 3.2.0 or later releases.
SD-WAN Plugin 3.3 Upgrade/Downgrade Considerations
Feature: Multiple Virtual Routers Support on SD-WAN Branches
Upgrade Considerations: None
Downgrade Considerations: No warning message is displayed when you attempt to downgrade Panorama with SD-WAN plugin 3.3.1, where the multiple virtual routers support on the branch feature is enabled, to any SD-WAN plugin version that does not support this feature.
SD-WAN Plugin 3.2 Upgrade/Downgrade Considerations
Feature: SD-WAN plugin improvements (SD-WAN Plugin 3.2.2 version)
Upgrade Considerations: (For HA firewall deployments only) When you upgrade from any earlier SD-WAN plugin version to 3.2.2, a temporary tunnel or BGP flap may be seen after installing the SD-WAN plugin 3.2.2 release followed by a commit and commit all operation.
Downgrade Considerations: This improvement isn't available when you upgrade/downgrade from SD-WAN plugin 3.2.2 to any of the following versions released earlier than 3.2.2:
  • 3.3.1 or versions earlier than 3.3.1
  • 3.1.3 or versions earlier than 3.1.3
  • versions earlier than 3.2.2
  • 2.2.6 or versions earlier than 2.2.6
That is, you will experience the tunnel and BGP flaps on the initial commit and commit all after the upgrade.
Feature: Multiple Virtual Routers Support on SD-WAN Hubs
Upgrade Considerations: None
Downgrade Considerations: When you downgrade from SD-WAN plugin release 3.2.1 with the multiple virtual routers on the SD-WAN hubs feature to an SD-WAN plugin release where this feature isn't supported, the multiple virtual routers configuration will be removed automatically without any warning or error message. However, the downgrade will be successful.
Feature: PAN-233120
Upgrade Considerations: None
Downgrade Considerations: When you attempt to downgrade from Panorama 11.1.0 to Panorama 10.1.11 directly, the SD-WAN plugin version does not get downgraded to the compatible version automatically. As a result, Panorama reports a commit failure.
Workaround: To downgrade from Panorama 11.1.0 to Panorama 10.1.11:
  1. First, downgrade from Panorama 11.1.0 (with SD-WAN plugin version 3.2.0) to 11.0.2-h2 (with SD-WAN plugin version 3.1.1).
  2. Then, downgrade from Panorama 11.0.2-h2 (with SD-WAN plugin version 3.1.1) to Panorama 10.1.11 (with SD-WAN plugin version 2.2.4).
Feature: SD-WAN IKEv2 Certificate-based Authentication Support
Upgrade Considerations: The existing devices in the SD-WAN configuration will continue to use the pre-shared key (PSK) and won't automatically change to certificate-based authentication. If you want to change the authentication type to certificate, follow these steps:
  • Delete the VPN cluster.
  • Import the certificates (manually or bulk import).
  • Change the Authentication type to Certificate (either manually or through CSV import of devices).
  • Reconfigure the devices in the new cluster.
Downgrade Considerations:
  • If the VPN cluster is configured with a pre-shared key (PSK), then the downgrade will be allowed.
  • If the VPN clusters are created with certificate-based authentication and the downgrade version does not support IKEv2 certificate authentication, the downgrade won't be allowed. To proceed with the downgrade:
    • Delete the VPN cluster. SD-WAN device authentication will automatically change to PSK on downgrade.
    • After the downgrade, configure the new cluster and add the SD-WAN devices to it.
SD-WAN Plugin 3.1 Upgrade/Downgrade Considerations
Feature: Additional Private Link Types for SD-WAN Interface Profile
Upgrade Considerations: None
Downgrade Considerations: Ensure the following before downgrading from SD-WAN plugin release 3.1.3 to any of the earlier SD-WAN plugin versions:
  • Remove the new private link types (Private 1, Private 2, Private 3, Private 4) from the SD-WAN Interface Profile configuration.
  • The same priority must not be configured for more than four SD-WAN hubs in a VPN cluster.
  • SD-WAN plugin versions earlier than 3.1.3 support only four SD-WAN hub firewalls. Therefore, remove the additional hubs in a VPN cluster and ensure that not more than four hubs are present in the VPN cluster configuration.
Upgrade Considerations: You cannot upgrade directly to SD-WAN plugin 3.1.2 from any plugin version earlier than 3.1.1. If you are running SD-WAN plugin 3.1.0 or an earlier plugin version on your firewall, you must upgrade to SD-WAN plugin 3.1.1 before you upgrade to SD-WAN plugin 3.1.2.
Downgrade Considerations: None
Feature: DDNS/Dynamic IP addressing using FQDN
Upgrade Considerations: When upgrading to SD-WAN plugin 3.1.1, SD-WAN branches configured with dynamic IP addressing using FQDN didn't work. Instead, upgrade to SD-WAN plugin 3.1.2. You must first Commit on Panorama and then Push to devices.
Downgrade Considerations: None
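The downgrade preconditions in the 3.2 and 3.1 tables above (certificate-authenticated VPN clusters, the Private 1 to Private 4 link types, and the four-hub limits) can be checked against an inventory before the maintenance window. This is an added example, not Palo Alto Networks code: the cluster dictionary layout and the names `downgrade_blockers` and `ver` are hypothetical, and comparing versions numerically is an assumption.

```python
from collections import Counter

# Link types the page says must be removed before moving below 3.1.3.
NEW_PRIVATE_LINKS = {"Private 1", "Private 2", "Private 3", "Private 4"}
MAX_HUBS = 4  # hub limit the page gives for plugin versions earlier than 3.1.3


def ver(text):
    """Turn '3.1.3' into (3, 1, 3) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def downgrade_blockers(cluster, target):
    """List what must be fixed in `cluster` before downgrading to `target`."""
    tgt, issues = ver(target), []
    hubs = [d for d in cluster["devices"] if d["role"] == "hub"]
    if tgt < ver("3.1.3"):
        used = sorted({lt for d in cluster["devices"] for lt in d["link_types"]}
                      & NEW_PRIVATE_LINKS)
        if used:
            issues.append("remove link types: " + ", ".join(used))
        if len(hubs) > MAX_HUBS:
            issues.append(f"{len(hubs)} hubs in cluster, at most {MAX_HUBS} supported")
        for prio, count in sorted(Counter(h["priority"] for h in hubs).items()):
            if count > MAX_HUBS:
                issues.append(f"priority {prio} shared by {count} hubs")
    # Certificate authentication is supported from plugin 3.2.0 onwards.
    if tgt < ver("3.2.0") and cluster["auth"] == "certificate":
        issues.append("certificate auth: delete the VPN cluster first")
    return issues


# Constructed sample: five hubs on one priority, one branch on a new link type.
SAMPLE = {
    "auth": "certificate",
    "devices": [
        {"name": f"hub{i}", "role": "hub", "priority": 1, "link_types": ["MPLS"]}
        for i in range(1, 6)
    ] + [
        {"name": "branch1", "role": "branch", "priority": None,
         "link_types": ["Ethernet", "Private 2"]},
    ],
}

if __name__ == "__main__":
    for line in downgrade_blockers(SAMPLE, "3.1.2"):
        print("BLOCKER:", line)
```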
SD-WAN Plugin 3.0 Upgrade/Downgrade Considerations
Feature: SD-WAN plugin improvements (SD-WAN Plugin 3.0.8 version)
Upgrade Considerations: (For HA firewall deployments only) When you upgrade from any earlier SD-WAN plugin version to 3.0.8, a temporary tunnel or BGP flap may be seen after installing the SD-WAN plugin 3.0.8 release followed by a commit and commit all operation.
Downgrade Considerations: This improvement isn't available when you upgrade/downgrade from SD-WAN plugin 3.0.8 to any of the following versions released earlier than 3.0.8:
  • 3.3.1 or versions earlier than 3.3.1
  • 3.1.3 or versions earlier than 3.1.3
  • versions earlier than 3.0.8
  • 2.2.6 or versions earlier than 2.2.6
That is, you will experience the tunnel and BGP flaps on the initial commit and commit all after the upgrade.
Feature: Multiple Virtual Routers Support on SD-WAN Hubs
Upgrade Considerations: None
Downgrade Considerations: When you downgrade from SD-WAN plugin release 3.0.7 with the multiple virtual routers on the SD-WAN hubs feature to an SD-WAN plugin release where this feature isn't supported, the multiple virtual routers configuration will be removed automatically without any warning or error message. However, the downgrade will be successful.
SD-WAN Plugin 2.2 Upgrade/Downgrade Considerations
Upgrade Considerations: After you upgrade to SD-WAN plugin release 2.2.6, you won't be able to change the existing VPN cluster name.
Downgrade Considerations: None.
Feature: PLUG-11223
Upgrade Considerations: (HA deployments only) When you upgrade from an earlier SD-WAN plugin release to 2.2.5 followed by Commit and Commit All, the key ID will change if it was generated using the firewall that has a higher serial number.
Downgrade Considerations: None.
Upgrade Considerations: For a Panorama virtual appliance, you must increase the memory allocated to the Panorama management server to 64 GB. This is required to avoid commit failures on successful upgrade to SD-WAN plugin 2.2.
Downgrade Considerations: None.
Upgrade Considerations: Review the minimum supported PAN-OS versions before upgrading your firewalls leveraging SD-WAN.
Panorama plugin for SD-WAN 2.2 supports the following minimum PAN-OS versions for managed firewalls.
  • PAN-OS 10.0—10.0.8
  • PAN-OS 10.1—10.1.4
Downgrade Considerations: None.
Feature: Prisma Access Hub Support
Downgrade Considerations: To downgrade the SD-WAN Plugin from 2.2.0 to 2.1.0:
  1. Use the web interface to delete all of the Prisma Access hub onboarding.
  2. Delete the BGP local address pool subnet.
  3. Commit the configuration.
  4. Downgrade the SD-WAN Plugin to 2.1.0.
Feature: SD-WAN Devices
Upgrade Considerations: For SD-WAN devices (Panorama > SD-WAN > Devices) in a high availability (HA) configuration, you must enter a unique Site name for each HA peer when adding the SD-WAN device to the Panorama management server. The SD-WAN plugin 2.2 requires that all devices have a unique Site name.
On upgrade to SD-WAN plugin 2.2, commits on Panorama fail if two SD-WAN devices have the same Site name.
Downgrade Considerations: None.
SD-WAN Plugin 2.1 Upgrade/Downgrade Considerations
Upgrade Considerations: To upgrade from SD-WAN Plugin 2.0.2 or earlier 2.0 versions to 2.1.0, complete the following steps during a maintenance timeframe:
  1. Upgrade to SD-WAN Plugin 2.1.0.
  2. Make a small configuration change of your choice in the SD-WAN cluster configuration. For example, change the SD-WAN hub priority and change it back.
  3. Issue a local Panorama Commit.
  4. Push the configuration to all devices in the VPN cluster at once. On the Push Scope Selection, select Force Template Values.
  5. Reboot all SD-WAN hubs. If the hubs are an HA pair, follow the HA reboot procedure.
Downgrade Considerations: None
SD-WAN Plugin 2.0 Upgrade/Downgrade Considerations
Upgrade Considerations: To upgrade from SD-WAN Plugin 2.0.x to 2.0.3, complete the following steps during a maintenance timeframe:
  1. Upgrade to SD-WAN Plugin 2.0.3.
  2. Make a small configuration change of your choice in the SD-WAN cluster configuration. For example, change the SD-WAN hub priority and change it back.
  3. Issue a local Panorama Commit.
  4. Push the configuration to all devices in the VPN cluster at once. On the Push Scope Selection, select Force Template Values.
  5. Reboot all SD-WAN hubs. If the hubs are an HA pair, follow the HA reboot procedure.
Downgrade Considerations: None

Downgrading the Panorama management server and managed firewalls that currently leverage features that were introduced in PAN-OS 10.0.3 (or later version) or SD-WAN plugin 2.0.1 (or later version) can cause stability issues if you downgrade from the following versions:
  • PAN-OS 10.0.3 or a later version to PAN-OS 10.0.2 or an earlier release with SD-WAN plugin 2.0.1 or later version installed.
  • SD-WAN plugin version 2.0.1 or a later version to SD-WAN plugin 2.0.0.
Workaround: Before you upgrade to PAN-OS 10.0.3 or SD-WAN plugin 2.0.1, save and export your Panorama and firewall configurations. Then, if you need to downgrade PAN-OS or the SD-WAN plugin to a previous version:
  1. Downgrade the PAN-OS or SD-WAN plugin version on Panorama and managed firewalls.
  2. Select Panorama > Setup > Operations and Import named Panorama configuration snapshot.
  3. Load named Panorama configuration snapshot.
  4. Commit and Push.
If you did not export and save a Panorama and managed firewall configuration prior to upgrading to PAN-OS 10.0.3 or SD-WAN plugin 2.0.1, then, before you can successfully downgrade to PAN-OS 10.0.2 (or an earlier version) or SD-WAN plugin 2.0.0, you must remove any feature options or configurations that were introduced in PAN-OS 10.0.3 or in SD-WAN plugin 2.0.1.
Feature: Remove Private AS
Upgrade Considerations: None
Downgrade Considerations: If you change the Remove Private AS setting, commit to all SD-WAN cluster nodes, and subsequently downgrade to an SD-WAN Plugin version earlier than 2.0.2, then all configuration related to Remove Private AS must be done outside of the SD-WAN plugin or directly on the firewalls.
Feature: Full Mesh and DDNS
Upgrade Considerations: None
Downgrade Considerations: If you downgrade from SD-WAN Plugin 2.0.1 to an earlier plugin version, the VPN Cluster will not support a mesh configuration or a DDNS configuration. If you had configured a VPN mesh configuration, then you must move the cluster to a Hub-Spoke configuration, configure a hub if you didn't have one, remove the DDNS configuration, commit on Panorama, and then push the configuration to your firewalls. If you cannot change the VPN cluster to a Hub-Spoke configuration, then you must delete the entire cluster, commit on Panorama, and then push the configuration to your firewalls before you downgrade.