: Panorama Plugins Upgrade/Downgrade Considerations
Focus
Focus

Panorama Plugins Upgrade/Downgrade Considerations

Table of Contents

Panorama Plugins Upgrade/Downgrade Considerations

Upgrade/downgrade considerations for Panorama plugins.
The following table lists the new features that have upgrade or downgrade impact. Make sure you understand fall upgrade/downgrade considerations before you upgrade to or downgrade from a PAN-OS 10.2 release. For additional information about PAN-OS 10.2 releases, refer to the PAN-OS 10.2 Release Notes.
Panorama Plugins Upgrade/Downgrade Considerations
FeatureUpgrade ConsiderationsDowngrade Considerations
Panorama Plugins
  • AWS Plugin
  • Azure Plugin
  • Kubernetes Plugin
  • Software Firewall Licensing Plugin
  • SD-WAN Plugin
  • IPS Signature Converter Plugin
  • ZTP Plugin
  • Enterprise DLP Plugin
  • Openconfig Plugin
  • GCP Plugin
  • Cisco ACI Plugin
  • Nutanix Plugin
  • VCenter Plugin
  • Cloud Services Plugin (minimum 10.2.3 PAN-OS version required)
Before you upgrade to PAN-OS 10.2, you must download the Panorama plugin version supported on PAN-OS 10.2 for all plugins installed on Panorama. This is required to successfully upgrade to PAN-OS 10.2. See the list of Compatible Plugin Versions for PAN-OS 10.2 for more information.
To downgrade from PAN-OS 10.2, you must download the Panorama plugin version supported on PAN-OS 10.1 and earlier releases for all plugins installed on Panorama. See the Panorama Plugins Compatibility Matrix for more information.
(Enterprise DLP) After upgrading Panorama to PAN-OS 10.2, you must install Application and Threats content release version 8520 on all managed firewalls running PAN-OS 10.2 or earlier release. This is required to successfully push configuration changes to managed firewalls leveraging Enterprise DLP that you did not upgrade to PAN-OS 10.2.
(Enterprise DLP) Loading a Panorama configuration backup that does contain the Shared Enterprise DLP configuration deletes the shared App exclusion filter required to scan non-file based traffic.
(SD-WAN) Panorama plugin for SD-WAN 2.2 and earlier releases are not supported in PAN-OS 10.2.
Upgrading a Panorama management server to PAN-OS 10.2 when the Panorama plugin for SD-WAN 2.2 or earlier release is installed causes the SD-WAN plugin to be hidden in the Panorama web interface or causes the SD-WAN configuration to be deleted. In both cases, you are unable to install a new SD-WAN plugin version or uninstall the SD-WAN plugin.
SD-WAN
After successful upgrade of Panorama to PAN-OS 10.2 and the Panorama plugin from SD-WAN version 2.0.0 to SD-WAN version 3.0, you must clear the SD-WAN cache on Panorama for existing SD-WAN deployments only.
Clearing the SD-WAN cache does not delete any existing SD-WAN configuration but deletes the IP address, tunnel, and gateway naming conventions for the new format introduced in Panorama plugin for SD-WAN version 3.0.
For new deployments of SD-WAN, you do not need to clear the SD-WAN cache on Panorama if you install the Panorama plugin for SD-WAN version 3.0 on Panorama after you upgrade to PAN-OS 10.2.
  1. Clear the SD-WAN cache on Panorama.
    admin> debug plugins sd_wan drop-config-cache all
None.
Enterprise DLP
When upgrading to PAN-OS 10.2.3 from an earlier PAN-OS 10.2 version, you must first download and install the DLP 3.0.2 plugin.
(DLP Plugin 3.0.3) Before you downgrade the Panorama plugin for Enterprise DLP to version 3.0.2 or later release, you must edit the Max File Size (MB) in the Enterprise DLP data filtering settings to 20MB or less.
Inspection of file larger than 20MB is supported on Enterprise DLP 3.0.3 and later 3.0 releases only.