Upgrade/Downgrade Considerations

End-of-Life (EoL)
Upgrade/downgrade considerations for PAN-OS 10.0.
The following table lists the new features that have upgrade or downgrade impact. Make sure you understand all upgrade/downgrade considerations before you upgrade to or downgrade from a PAN-OS 10.0 release. For additional information about PAN-OS 10.0 releases, refer to the PAN-OS 10.0 Release Notes.
PAN-OS 10.0 Upgrade/Downgrade Considerations
Each entry below names the feature and then gives its Upgrade Considerations and its Downgrade Considerations.
Downgrade Considerations: Downgrading the Panorama management server and managed firewalls that currently use features introduced in PAN-OS 10.0.3 (or a later version) or SD-WAN plugin 2.0.1 (or a later version) can cause stability issues if you downgrade from either of the following:
  • PAN-OS 10.0.3 or a later version to PAN-OS 10.0.2 or an earlier release with SD-WAN plugin 2.0.1 or a later version installed.
  • SD-WAN plugin 2.0.1 or a later version to SD-WAN plugin 2.0.0.
Workaround: Before you upgrade to PAN-OS 10.0.3 or SD-WAN plugin 2.0.1, save and export your Panorama and firewall configurations. Then, if you need to downgrade PAN-OS or the SD-WAN plugin to a previous version:
  1. Downgrade the PAN-OS or SD-WAN plugin version on Panorama and the managed firewalls.
  2. Select Panorama > Setup > Operations and Import named Panorama configuration snapshot.
  3. Load named Panorama configuration snapshot.
  4. Commit and Push.
If you did not export and save a Panorama and managed firewall configuration before upgrading to PAN-OS 10.0.3 or SD-WAN plugin 2.0.1, then before you can successfully downgrade to PAN-OS 10.0.2 (or an earlier version) or SD-WAN plugin 2.0.0 you must remove every feature option or configuration that was introduced in PAN-OS 10.0.3 or SD-WAN plugin 2.0.1.
Enterprise Data Loss Prevention (DLP)
Upgrade Considerations: None.
Downgrade Considerations: You must uninstall Enterprise DLP before you can successfully downgrade from PAN-OS 10.0 to an earlier release. For Panorama-managed firewalls that use Enterprise DLP, see Uninstall the Enterprise DLP Plugin on Panorama.
For Panorama-managed firewalls and firewalls not managed by Panorama that are not using Enterprise DLP, access the firewall CLI and uninstall Enterprise DLP:
admin> request plugins uninstall dlp
SD-WAN
Upgrade Considerations: None.
Downgrade Considerations: If you downgrade from SD-WAN plugin 2.0.1 to an older plugin release, the VPN cluster does not support a mesh configuration or a DDNS configuration. If you had a VPN mesh configuration, you must move the cluster to a hub-spoke configuration, configure a hub if you didn't have one, click Remove DDNS Configuration, commit on Panorama, and push the configuration to devices. If you cannot change the VPN cluster to hub-spoke, you must delete the entire cluster, commit on Panorama, and push the configuration to devices before downgrading.
When you have an SD-WAN full mesh configuration with Palo Alto Networks as the DDNS vendor, the commit may fail if you downgrade from PAN-OS 10.0.2 to 10.0.1 or 10.0.0.
Log Collection
Upgrade Considerations: None.
Downgrade Considerations: After a successful downgrade to PAN-OS 9.1, querying threat logs with the name-of-threatid filter returns no results for up to 24 hours. After that, queries using the name-of-threatid filter return results for logs generated in PAN-OS 9.1 and earlier releases, but not for logs generated in PAN-OS 10.0. No action is required on your part.
Layer 3 Interface
Upgrade Considerations: None.
Downgrade Considerations: When you create a new Layer 3 interface in PAN-OS 10.0.3 or 10.0.4 and then downgrade to PAN-OS 9.1.x, the downgrade fails with the message "Upstream NAT not supported in older version," whether or not SD-WAN is configured on the firewall.
Workaround: After you create a Layer 3 interface in PAN-OS 10.0.3 or 10.0.4, perform the following steps before you downgrade to PAN-OS 9.1.x:
  1. In configuration mode, issue the following CLI command for each Layer 3 interface you created: delete network interface ethernet ethernet<slot>/<port> layer3 sdwan-link-settings upstream-nat
  2. Commit the changes.
  3. Downgrade the PAN-OS version.
Bonjour Reflector for Network Segmentation
Upgrade Considerations: None.
Downgrade Considerations: Downgrading from PAN-OS 10.0.1 to an earlier version removes the Bonjour Reflector option from the Layer 3 (L3) and Aggregated Ethernet (AE) interface configuration.
TLS Encryption for Email Log Forwarding and Reporting
Upgrade Considerations: None.
Downgrade Considerations: Downgrading from PAN-OS 10.0 to an earlier version reverts any email server profiles from the TLS protocol to SMTP, so after the downgrade forwarded logs and reports reach the mail server without transport encryption. Review those profiles before the downgrade if the forwarded logs are sensitive.
Authentication with Custom Certificates for Redistribution
Upgrade Considerations: None.
Downgrade Considerations: Downgrading from PAN-OS 10.0 to an earlier version reverts any custom certificate profiles for redistribution agents to the default certificate. If you use global client/server settings to connect, you must reconfigure them to use the default certificate.
Streamlined and Resilient Redistribution
Upgrade Considerations: Upgrading to PAN-OS 10.0:
  • Migrates all User-ID agents to Device > Data Redistribution > Agents.
  • Migrates collector settings to Device > Data Redistribution > Collector Settings.
  • Redistributes IP-user mappings, IP-tags, and user tags to all existing User-ID agents by default.
Downgrade Considerations: Downgrading from PAN-OS 10.0 to an earlier version:
  • Migrates all redistribution agents to Device > User Identification > User-ID Agents.
  • Migrates collector settings to Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Redistribution.
  • Removes any Include/Exclude Networks profiles for IP-tag or IP-user mapping redistribution.
Automatic Content Updates Through Offline Panorama
Upgrade Considerations: None.
Downgrade Considerations: On downgrade from PAN-OS 10.0, the SCP server profile is deleted, which prevents the scheduled dynamic update from uploading content updates to the SCP server.
HA Clustering
Upgrade Considerations: None.
Downgrade Considerations: The firewall blocks a downgrade from PAN-OS 10.0 if HA cluster participation is enabled.
HA Additional Path Monitoring
Upgrade Considerations: VLAN path monitoring is not compatible with active/active HA pairing in PAN-OS 10.0. Delete all VLAN path monitoring configurations in active/active HA before you upgrade to PAN-OS 10.0; retaining an earlier active/active HA configuration results in an autocommit failure.
When you upgrade to PAN-OS 10.0, the firewall automatically moves the destination IP addresses currently monitored for each HA path group into a single, newly created destination IP group and gives that group a default path monitoring name.
Downgrade Considerations: The firewall blocks a downgrade from PAN-OS 10.0 if any HA path monitoring groups contain multiple destination IP groups.
HA
Upgrade Considerations: Units go into split brain after a device is upgraded to PAN-OS 10.0 if encryption is enabled on the HA1 interface.
Workaround: Disable HA1 encryption before the upgrade and re-enable HA1 encryption after both firewalls are on the same version. While encryption is off, HA1 control traffic crosses the link in cleartext, so keep the HA1 link private for the duration of the upgrade window.
Downgrade Considerations: If you downgrade from PAN-OS 10.0.0 to 9.1, a commit error occurs if the HA1 interface isn't configured.
Workaround: Either select the 9.1 configuration you were using before you upgraded to 10.0, or, before you downgrade to 9.1, configure the HA1 interface from the CLI in configuration mode (set deviceconfig high-availability interface ha1) and commit.
Enhanced Authentication for Dedicated Log Collectors and WildFire 500 Appliances
Upgrade Considerations: None.
Downgrade Considerations: When you downgrade a Dedicated Log Collector or WildFire 500 appliance from PAN-OS 10.0 through the Panorama™ management server, every user account other than admin configured on the appliance is deleted.
If you downgrade the Dedicated Log Collector or WildFire 500 appliance from the CLI, Panorama still displays all the previously configured user accounts, but none of them can log in to the CLI.
Downgrade from PAN-OS 10.0 is blocked for Dedicated Log Collectors and WildFire 500 appliances in the following scenarios:
  • The admin user account has been deleted. The admin user must exist in order to downgrade the Dedicated Log Collector or WildFire 500 appliance.
  • TACACS+ or RADIUS EAP is part of the default authentication profile for the WildFire 500 appliance.
  • An authentication sequence is configured as the default authentication profile for the WildFire 500 appliance.
Upgrading a PA-7000 Series Firewall with a first generation switch management card (PA-7050-SMC or PA-7080-SMC)
Upgrade Considerations: Before upgrading the firewall, run the following CLI command to check the flash drive's status: debug system disk-smart-info disk-1
If the value for attribute ID #232 (Available_Reservd_Space, flag 0x0000) is greater than 20, proceed with the upgrade. If the value is less than 20, contact support for assistance.
Downgrade Considerations: Before downgrading the firewall, run the same CLI command to check the flash drive's status: debug system disk-smart-info disk-1
If the value for attribute ID #232 (Available_Reservd_Space, flag 0x0000) is greater than 20, proceed with the downgrade. If the value is less than 20, contact support for assistance.
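The attribute-232 gate above is the same for upgrade and downgrade, and it is the kind of check you want scripted when you have more than one chassis to touch. The following is an added example, not Palo Alto Networks code. It assumes the command prints its attribute table in smartctl's layout (ID#, ATTRIBUTE_NAME, FLAG, VALUE, WORST, THRESH, ...), which is where the name Available_Reservd_Space and the 0x0000 flag come from, and that the number the page compares against 20 is the normalized VALUE column; the sample output is constructed. Verify both assumptions against a real output before relying on the script.

```python
"""Added example (not Palo Alto Networks code): apply the attribute-232 gate
from the PA-7000 pre-upgrade/pre-downgrade check to the output of
`debug system disk-smart-info disk-1`.

Assumptions: smartctl-style attribute table; the value to compare is the
normalized VALUE column (4th field). A value of exactly 20, or a missing
attribute row, is not covered by the page's wording and is treated here as
"contact support".
"""

ATTRIBUTE_ID = "232"   # Available_Reservd_Space
GATE = 20              # page: > 20 proceed, < 20 contact support

# Constructed sample output in smartctl's attribute-table layout.
SAMPLE_OUTPUT = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0032   100   100   000    Old_age   Always       -       0
232 Available_Reservd_Space 0x0000   097   097   010    Pre-fail  Always       -       0
241 Total_LBAs_Written      0x0032   100   100   000    Old_age   Always       -       8823416
"""


def available_reserved_space(output):
    """Normalized VALUE of attribute 232, or None if the row is absent."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == ATTRIBUTE_ID:
            return int(fields[3])
    return None


def flash_gate(output):
    """Return (ok_to_proceed, reason) for the attribute-232 rule."""
    value = available_reserved_space(output)
    if value is None:
        return False, "attribute 232 not found in output; contact support"
    if value > GATE:
        return True, f"Available_Reservd_Space={value} (> {GATE}); proceed"
    if value < GATE:
        return False, f"Available_Reservd_Space={value} (< {GATE}); contact support"
    # Boundary the page does not address: fail closed.
    return False, f"Available_Reservd_Space={value} (exactly {GATE}, not covered by guidance); contact support"


if __name__ == "__main__":
    ok, why = flash_gate(SAMPLE_OUTPUT)
    print("PROCEED" if ok else "STOP", "-", why)
```

Feed it the captured command output (for example from a scripted SSH session) once per chassis and stop on the first False; the reason string is what to put in the change ticket.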
Enhanced Pattern-Matching Engine for Custom Signatures
Upgrade Considerations: None.
Downgrade Considerations: Custom signatures in the new threat ID range (6800001-7000000) prevent downgrade. The firewall issues a warning to export and remove the offending signatures.
Custom signatures that use the newly supported syntax but are not in the new threat ID range do not prevent downgrade. After downgrade, these signatures cease to function, and subsequent commits fail until you remove them.
Aggregate Interface Group Enhancement
Upgrade Considerations: None.
Downgrade Considerations: If you configured more than eight AE interface groups and subsequently want to downgrade to a PAN-OS release earlier than 10.0, you must first edit your configuration so that it contains only AE interface groups 1 through 8.
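Three of the downgrade blockers on this page (custom signatures in the 6800001-7000000 threat ID range, AE interface groups above ae8, and the upstream-nat element under a Layer 3 interface's sdwan-link-settings) are all visible in an exported configuration, so they can be audited before anyone types the downgrade command. The following is an added example, not Palo Alto Networks code. The element paths are assumed from the CLI syntax shown on this page and from the usual PAN-OS XML layout (devices/entry/network/interface/..., vsys/entry/threats/...), and the sample configuration is constructed; confirm the paths against your own export before trusting the result.

```python
"""Added example (not Palo Alto Networks code): audit an exported PAN-OS 10.0
XML configuration for three items this page says block or break a downgrade.

Assumed element paths (check against a real export):
  custom signatures:   .//vsys/entry/threats/<vulnerability|spyware>/entry[@name=<threat id>]
  aggregate groups:    .//network/interface/aggregate-ethernet/entry[@name="aeN"]
  upstream NAT:        .//network/interface/ethernet/entry/layer3/sdwan-link-settings/upstream-nat
"""
import re
import xml.etree.ElementTree as ET

NEW_THREAT_ID_RANGE = range(6800001, 7000001)  # page: "6800001-7000000"
MAX_AE_GROUP_NUMBER = 8                        # page: only ae1 through ae8 survive

# Constructed sample export: one offender of each kind plus a clean neighbour.
SAMPLE_CONFIG = """\
<config version="10.0.4">
  <devices>
    <entry name="localhost.localdomain">
      <network>
        <interface>
          <ethernet>
            <entry name="ethernet1/1">
              <layer3>
                <sdwan-link-settings>
                  <upstream-nat><enable>no</enable></upstream-nat>
                </sdwan-link-settings>
              </layer3>
            </entry>
            <entry name="ethernet1/2"><layer3/></entry>
          </ethernet>
          <aggregate-ethernet>
            <entry name="ae1"/><entry name="ae2"/><entry name="ae9"/>
          </aggregate-ethernet>
        </interface>
      </network>
      <vsys>
        <entry name="vsys1">
          <threats>
            <vulnerability>
              <entry name="41001"><threatname>legacy-custom-sig</threatname></entry>
              <entry name="6800042"><threatname>new-range-custom-sig</threatname></entry>
            </vulnerability>
          </threats>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
"""


def audit_for_downgrade(xml_text):
    """Return a dict of findings; all lists empty means none of the checks fired."""
    root = ET.fromstring(xml_text)
    findings = {
        "custom_signatures_in_new_range": [],
        "ae_groups_above_8": [],
        "interfaces_with_upstream_nat": [],
    }
    # Custom vulnerability/spyware signatures are keyed by their numeric threat ID.
    for sig in root.iterfind(".//vsys/entry/threats/*/entry"):
        tid = sig.get("name", "")
        if tid.isdigit() and int(tid) in NEW_THREAT_ID_RANGE:
            findings["custom_signatures_in_new_range"].append(tid)
    # Aggregate groups are named aeN; any N above 8 must be removed first.
    for ae in root.iterfind(".//network/interface/aggregate-ethernet/entry"):
        match = re.fullmatch(r"ae(\d+)", ae.get("name", ""))
        if match and int(match.group(1)) > MAX_AE_GROUP_NUMBER:
            findings["ae_groups_above_8"].append(ae.get("name"))
    # The page says the failure occurs whether or not SD-WAN is in use, so the
    # element's presence is what matters, not its value (assumption).
    for iface in root.iterfind(".//network/interface/ethernet/entry"):
        if iface.find("layer3/sdwan-link-settings/upstream-nat") is not None:
            findings["interfaces_with_upstream_nat"].append(iface.get("name"))
    return findings


def remediation_commands(findings):
    """Configure-mode CLI lines (then commit) before the downgrade. Only the
    upstream-nat fix has a command on the page; the other two are reminders."""
    cmds = [
        f"delete network interface ethernet {name} layer3 sdwan-link-settings upstream-nat"
        for name in findings["interfaces_with_upstream_nat"]
    ]
    for tid in findings["custom_signatures_in_new_range"]:
        cmds.append(f"# export, then remove custom signature with threat ID {tid}")
    for name in findings["ae_groups_above_8"]:
        cmds.append(f"# move members off {name} and delete it (only ae1-ae8 survive a downgrade)")
    return cmds


if __name__ == "__main__":
    result = audit_for_downgrade(SAMPLE_CONFIG)
    for key, items in result.items():
        print(f"{key}: {items or 'none'}")
    print("\n".join(remediation_commands(result)))
```

Run it against the configuration snapshot you export before the downgrade; an empty findings dict is the condition for proceeding, and the generated delete lines are the ones the Layer 3 Interface workaround above tells you to commit first.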
DNS Security Signature Categories
Upgrade Considerations: Upon upgrade to PAN-OS 10.0, the DNS Security source is redefined into new signature categories to provide more granular controls; as a result, the new categories overwrite the previously defined policy action (for Palo Alto Networks DNS Security) based on the following mapping:
  • Block or sinkhole policy actions reconfigure all signature categories to default settings.
  • Alert policy actions reconfigure all signature categories to alert.
  • Allow policy actions reconfigure all signature categories to allow.
If these settings are inappropriate for your deployment, reapply the sinkhole, log severity, and packet capture settings appropriate for the newly defined DNS Security categories.
Downgrade Considerations: If you downgrade from PAN-OS 10.0 to 9.1, or push a configuration change from Panorama running PAN-OS 10.0 to a firewall running PAN-OS 9.1, the new signature categories are removed from the anti-spyware profile and replaced with a single DNS Security source (Palo Alto Networks DNS Security), and the policy action is redefined based on the following mapping:
  • If any signature category in PAN-OS 10.0 is configured to sinkhole, the action in PAN-OS 9.1 is reconfigured to sinkhole.
  • If any signature category in PAN-OS 10.0 is configured to block, the action in PAN-OS 9.1 is reconfigured to block.
  • If all signature categories in PAN-OS 10.0 are configured to allow, the action in PAN-OS 9.1 is reconfigured to allow.
  • If the log severity for any signature category is not set to none, the action is reconfigured to alert.
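Both DNS Security mappings above are lossy: the upgrade collapses a single action into per-category defaults, and the downgrade collapses per-category tuning back into one action. The following added example, not Palo Alto Networks code, writes both mappings as functions so you can predict what a profile will look like on the other side of a version change and which categories to reapply afterwards. Category names are placeholders (the real ones come from the content release). Where the page's downgrade rules could overlap (every category set to allow but one of them logging, or a mix of allow and alert with no logging), the page states no precedence; this example gives the logging rule priority so that a downgrade never turns logging off silently, and that ordering is an assumption.

```python
"""Added example (not Palo Alto Networks code): the PAN-OS 9.1 <-> 10.0 DNS
Security action mappings described on this page, as runnable functions.

Assumptions: placeholder category names; in the downgrade mapping, the
"any log severity other than none -> alert" rule takes precedence over the
"all allow -> allow" rule, and a mix of allow/alert with no logging maps to
alert. The page itself does not state that precedence.
"""
from dataclasses import dataclass

PLACEHOLDER_CATEGORIES = ("c2-domains", "malware-domains", "phishing-domains", "parked-domains")


@dataclass
class CategorySetting:
    action: str        # "allow", "alert", "block", "sinkhole" (or "default" after upgrade)
    log_severity: str  # "none" or a severity such as "low" / "medium" / "high"


def upgrade_to_categories(legacy_action, categories=PLACEHOLDER_CATEGORIES):
    """9.1 single DNS Security action -> per-category action in 10.0."""
    if legacy_action in ("block", "sinkhole"):
        new_action = "default"          # page: every category reset to its default
    elif legacy_action in ("alert", "allow"):
        new_action = legacy_action      # page: alert -> alert, allow -> allow
    else:
        raise ValueError(f"unknown legacy action {legacy_action!r}")
    return {name: new_action for name in categories}


def downgrade_to_single_action(settings):
    """Per-category 10.0 settings -> the single action 9.1 ends up with."""
    actions = {s.action for s in settings.values()}
    logging_on = any(s.log_severity != "none" for s in settings.values())
    if "sinkhole" in actions:
        return "sinkhole"               # page: any category sinkhole -> sinkhole
    if "block" in actions:
        return "block"                  # page: any category block -> block
    if logging_on:
        return "alert"                  # page: any log severity not none -> alert
    if actions == {"allow"}:
        return "allow"                  # page: all categories allow -> allow
    return "alert"                      # assumption: mixed allow/alert, no logging


def categories_to_review_after_round_trip(settings):
    """Categories whose 10.0 action does not survive 10.0 -> 9.1 -> 10.0.
    This is the list to reapply by hand after the upgrade, per the page."""
    single = downgrade_to_single_action(settings)
    after_upgrade = upgrade_to_categories(single, settings.keys())
    return sorted(name for name, s in settings.items() if after_upgrade[name] != s.action)


if __name__ == "__main__":
    profile = {
        "c2-domains": CategorySetting("sinkhole", "high"),
        "malware-domains": CategorySetting("block", "medium"),
        "phishing-domains": CategorySetting("alert", "low"),
        "parked-domains": CategorySetting("allow", "none"),
    }
    print("9.1 action after downgrade:", downgrade_to_single_action(profile))
    print("reapply after re-upgrade:", categories_to_review_after_round_trip(profile))
```

The round-trip helper is the practical takeaway: for any profile that uses sinkhole or block anywhere, every category comes back as "default" after a downgrade and re-upgrade, so keep a copy of the tuned profile before touching the version.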
NT LAN Manager protocol
Upgrade Considerations: The NT LAN Manager (NTLM) authentication protocol has been removed in this release. We recommend using Kerberos Single Sign-On (SSO) or Security Assertion Markup Language (SAML) for SSO authentication.
Downgrade Considerations: None.
User-ID Redistribution for Dedicated Log Collectors
Upgrade Considerations: The Dedicated Log Collector no longer supports redistribution of User-ID information in this release. We recommend using the firewall or Panorama to redistribute the information.
Downgrade Considerations: None.
Syslog Forwarding Using Ethernet Interfaces
Upgrade Considerations: None.
Downgrade Considerations: All syslog forwarding reverts to the management interface on downgrade from PAN-OS 10.0.
Increased Configuration Size for Panorama
Upgrade Considerations: None.
Downgrade Considerations: The Panorama management server may experience performance impacts when performing configuration changes, commits, and pushes to managed firewalls if the configuration size exceeds 80 MB.
Master Key Encryption Levels
Upgrade Considerations: None.
Downgrade Considerations: If you downgrade to an earlier version of PAN-OS, the device automatically reverts the encryption algorithm to a level that the downgraded PAN-OS version supports. The device also automatically re-encrypts the encrypted data using that encryption level so that it can still decrypt and use the data as needed. For example, if your device is on PAN-OS 10.0 and uses the AES-256-GCM encryption algorithm (which earlier versions of PAN-OS do not support) and you downgrade to PAN-OS 9.1, the device re-encrypts the encrypted data with AES-256-CBC, which PAN-OS 9.1 supports. Because this happens without prompting, check the master key settings after the downgrade so that you know which algorithm is protecting the stored secrets.
Legacy telemetry support still enabled
Upgrade Considerations: Device telemetry changed in PAN-OS 10.0 so that more data is collected and the data is sent to Cortex Data Lake. However, if you had telemetry enabled to share threat intelligence data with Palo Alto Networks before PAN-OS 10.0, that legacy data collection and sharing continues after you upgrade. Review both telemetry settings after the upgrade if you need to control what leaves the device.
Downgrade Considerations: None.
Device-ID
Upgrade Considerations: In PAN-OS 9.1 and earlier, the firewall used the Palo Alto Networks Services service route to send Enhanced Application Logs (EAL logs).
In PAN-OS 10.0 and later versions, the firewall sends EAL logs using the Data Services service route, which uses the management interface by default. Other services, such as Data Loss Prevention (DLP), also use this service route. You can configure any Layer 3 (L3) interface, including the management or dataplane interfaces, for the service route.
If your firewall currently sends EAL logs (for example, if you are using Cortex XDR), the firewall automatically uses the Data Services service route after you upgrade to PAN-OS 10.0. If you want to use a different interface for the service route, you can change the service route to any L3 interface.
If you are using a log forwarding card (LFC) with the PA-7000 Series, when you upgrade to PAN-OS 10.0 you must configure the management plane or a dataplane interface for the service route, because the LFC ports do not support the requirements of the service route. We recommend using a dataplane interface for the Data Services service route.
Downgrade Considerations: None.
Panorama Support for Multiple IP-Tag Sources
Upgrade Considerations: None.
Downgrade Considerations: On downgrade to PAN-OS 9.1 or an earlier release, firewalls managed by a Panorama management server and associated with a child device group do not receive IP-tag mappings from Panorama.
Captive Portal (Authentication Portal)
Upgrade Considerations: On upgrade to PAN-OS 10.0, the firewall generates a token parameter for the Authentication Portal URL when a user's web traffic matches an Authentication Policy rule.
Workaround: If you have shared or bookmarked a URL for the Authentication Portal page, after you upgrade to PAN-OS 10.0 either update the bookmarked URL by removing the url parameter, or disable token generation with the following CLI command in configuration mode: set deviceconfig setting captive-portal disable-token yes, and then commit the changes with the commit command. Disabling the token turns off a control this release added, so prefer updating the bookmarks where you can.
Downgrade Considerations: None.
Local Administrator Authentication
Upgrade Considerations: If you have a local administrator account that authenticates through a remote authentication server such as a SAML Identity Provider (IdP), ensure that the username the authentication server sends to the firewall or Panorama is identical to the username in the local administrator account settings on the firewall or Panorama and does not contain a domain.
Workaround: Use the following CLI command: set auth strict-username-check no
Relaxing the username check is the weaker option; correcting the username the IdP sends is preferable.
Downgrade Considerations: None.
SAML Authentication
Upgrade Considerations: Upgrading to PAN-OS 10.0 removes the None option for the Identity Provider Certificate in the SAML Identity Provider server profile. If you use SAML authentication, verify that your SAML Identity Provider server profile has a valid Identity Provider (IdP) certificate before upgrading to PAN-OS 10.0. To ensure the integrity of the SAML Responses or Assertions from the IdP, the firewall or Panorama requires an IdP certificate and always validates the signature of the SAML Responses or Assertions against the IdP certificate you configure.
Downgrade Considerations: None.
Custom Admin Role
Upgrade Considerations: None.
Downgrade Considerations: On the Panorama management server, you cannot commit any configuration changes after you successfully downgrade from PAN-OS 10.0 to PAN-OS 9.1 or an earlier release if custom admin roles (Panorama > Admin Roles) are configured on Panorama.
Workaround: Log in to the Panorama CLI, load the running configuration, and force a commit:
admin> configure
admin# load config from running-config.xml
admin# commit force
PA-3200 Series Firewalls in an Active/Passive HA Pair with NAT Configured
Upgrade Considerations: When you have an active/passive HA pair of PA-3200 Series firewalls running PAN-OS 10.0.0 with NAT configured and you upgrade one firewall to PAN-OS 10.0.1, the upgraded firewall goes into a non-functional state because PAN-OS 10.0.0 and 10.0.1 have different default NAT oversubscription rates, which causes a NAT oversubscription mismatch between the HA peers.
Workaround: After the upgrade, modify the NAT oversubscription rate on one firewall so that the rates on the HA pair match.
Downgrade Considerations: When you have an active/passive HA pair of PA-3200 Series firewalls running PAN-OS 10.0.1 with NAT configured and you downgrade one firewall to PAN-OS 10.0.0, the downgraded firewall goes into a non-functional state for the same reason: the default NAT oversubscription rates differ between the two releases.
Workaround: After the downgrade, modify the NAT oversubscription rate on one firewall so that the rates on the HA pair match.
Address Groups and Service Groups
Upgrade Considerations: On upgrade to PAN-OS 10.0, the Panorama management server checks for duplicate addresses in address groups (Objects > Address Groups) and duplicate services in service groups (Objects > Service Groups) that you created with the CLI, and fails to commit any configuration changes if duplicate address objects or services exist.
Workaround: Before you upgrade to PAN-OS 10.0, modify your address group and service group configurations and rename any duplicate address objects or services.
Downgrade Considerations: None.
Predefined Reports
Upgrade Considerations: After a successful upgrade of the Panorama management server to PAN-OS 10.0, managed firewalls running PAN-OS 9.1 or an earlier release are unable to generate predefined reports (Monitor > Reports) because of the addition of the src_dag and dst_dag log fields.
Workaround: Create custom reports (Monitor > Manage Custom Reports) that mimic the failing predefined reports.
Downgrade Considerations: None.