Upgrade/Downgrade Considerations
PAN-OS 10.0 (End-of-Life)
Upgrade/downgrade considerations for PAN-OS 10.0.
The following table lists the new features that have
upgrade or downgrade impact. Make sure you understand all upgrade/downgrade
considerations before you upgrade to or downgrade from a PAN-OS
10.0 release. For additional information about PAN-OS 10.0 releases,
refer to the PAN-OS 10.0 Release Notes.
Feature | Upgrade Considerations | Downgrade Considerations |
---|---|---|
— | Downgrading the Panorama management server and managed firewalls
that use features introduced in PAN-OS 10.0.3 (or a later version)
or SD-WAN plugin 2.0.1 (or a later version) can cause stability issues
if you downgrade from the following versions:
Workaround: Before you upgrade to PAN-OS 10.0.3 or SD-WAN plugin 2.0.1,
save and export your Panorama and firewall configurations. Then, if you
need to downgrade PAN-OS or the SD-WAN plugin to a previous version:
If you did not export and save a Panorama and managed firewall configuration
before upgrading to PAN-OS 10.0.3 or SD-WAN plugin 2.0.1, then, before
you can successfully downgrade to PAN-OS 10.0.2 (or an earlier version)
or SD-WAN plugin 2.0.0, you must remove any feature options or configurations
that were introduced in PAN-OS 10.0.3 or in SD-WAN plugin 2.0.1. | |
Enterprise Data Loss Prevention (DLP) | None. | You must uninstall Enterprise DLP before
you can successfully downgrade from PAN-OS 10.0 to an earlier release.
For Panorama managed firewalls leveraging Enterprise DLP, see Uninstall the Enterprise DLP
Plugin on Panorama. For Panorama managed firewalls
and firewalls not managed by Panorama that are not leveraging Enterprise
DLP, access the firewall CLI and
uninstall Enterprise DLP.
|
SD-WAN | None. | If you downgrade from SD-WAN Plugin 2.0.1
to an older Plugin release, the VPN Cluster does not support a mesh configuration
or a DDNS configuration. If you had a VPN mesh configuration, you
must move the cluster to a Hub-Spoke configuration, configure a
hub if you didn't have one, click the button to Remove DDNS Configuration, commit
on Panorama, and push the configuration to devices. If you
cannot change the VPN cluster to Hub-Spoke, you must delete the
entire cluster, commit on Panorama, and push the configuration to
devices before downgrading. When you have an SD-WAN full mesh configuration
with Palo Alto Networks as the DDNS vendor, if you downgrade from 10.0.2
to 10.0.1 or 10.0.0, the commit may fail. |
Log Collection | None. | After a successful downgrade to PAN-OS 9.1, querying
threat logs using a name-of-threatid filter returns
no results for up to 24 hours. After that, queries using the name-of-threatid filter
start to return results for logs generated in PAN-OS 9.1 and earlier
releases. However, you cannot use this filter to query logs
generated in PAN-OS 10.0. No action is required on your part. |
Layer 3 Interface | None. | When you create a new Layer 3 interface
in PAN-OS 10.0.3 or 10.0.4 and then downgrade to PAN-OS 9.1.x, the downgrade
fails with the message “Upstream NAT not supported in older version,” whether
or not SD-WAN is configured on the firewall. Workaround: After
you create a Layer 3 interface in PAN-OS 10.0.3 or 10.0.4, to downgrade
to PAN-OS 9.1.x, perform the following steps:
|
Bonjour Reflector for Network Segmentation | None. | Downgrading from PAN-OS 10.0.1 to an earlier
version removes the Bonjour Reflector option from the Layer 3 (L3)
and Aggregated Ethernet (AE) interface configuration. |
TLS Encryption for Email Log Forwarding and Reporting | None. | Downgrading from PAN-OS 10.0 to an earlier version reverts any email server profiles from the TLS protocol to SMTP. |
Authentication with Custom Certificates for Redistribution | None. | Downgrading from PAN-OS 10.0 to an earlier version reverts any custom certificate profiles for redistribution agents to the default certificate. If you are using global client/server settings to connect, you must reconfigure them to use the default certificate. |
Streamlined and Resilient Redistribution | Upgrading to PAN-OS 10.0:
| Downgrading from PAN-OS 10.0 to an earlier
version:
|
Automatic Content Updates Through Offline Panorama | None. | On downgrade from PAN-OS 10.0, the SCP server profile
is deleted, which prevents the scheduled dynamic update from successfully
uploading content updates to the SCP server. |
HA Clustering | None. | The firewall blocks a downgrade from PAN-OS
10.0 if HA cluster participation is enabled. |
HA Additional Path Monitoring | VLAN path monitoring is not compatible with
active/active HA pairing in PAN-OS 10.0. Ensure that you delete
all VLAN path monitoring configurations in active/active HA before
you upgrade to PAN-OS 10.0. Retaining an earlier active/active HA
configuration will result in an autocommit failure. When you
upgrade to PAN-OS 10.0, the firewall automatically moves the destination
IP addresses that you currently monitor for each HA path group into a single,
newly created destination IP group and gives this group a default path
monitoring name. | The firewall blocks a downgrade
from PAN-OS 10.0 if any HA path monitoring groups contain multiple
destination IP groups. |
HA | The HA peers enter a split-brain state after one device
is upgraded to PAN-OS 10.0 if encryption is enabled on the HA1 interface. Workaround: Disable
HA1 encryption before the upgrade procedure and re-enable HA1 encryption
after both firewalls are on the same version. | If you downgrade from PAN-OS 10.0.0 to 9.1,
a commit error occurs if the HA1 interface isn’t configured. Workaround: You
can either select the 9.1 configuration you were using before you
upgraded to 10.0, or, before you downgrade to 9.1, you can use the
CLI configuration command to configure the HA1 interface (set deviceconfig high-availability interface ha1)
and commit. |
Enhanced Authentication for Dedicated
Log Collectors and WildFire 500 Appliances | None. | On downgrade from PAN-OS 10.0, any users
other than the admin configured on the Dedicated Log Collector or WildFire
500 appliance are deleted when you downgrade the appliance from the Panorama™ management server. If
you downgrade the Dedicated Log Collector or WildFire 500 appliance
from the CLI, Panorama still displays all the previously configured
user accounts, but none of them can log in to the CLI.
Downgrade from PAN-OS 10.0 is blocked for
Dedicated Log Collectors and WildFire 500 appliances in the following scenarios:
|
Upgrading a PA-7000 Series Firewall with
a first generation switch management card (PA-7050-SMC or PA-7080-SMC) | Before upgrading the firewall, run the following
CLI command to check the flash drive’s status: debug system disk-smart-info disk-1. If
the value for attribute ID #232, Available_Reservd_Space
0x0000, is greater than 20, then proceed with the upgrade.
If the value is less than 20, then contact support for assistance. | Before downgrading the firewall, run the
following CLI command to check the flash drive’s status: debug system disk-smart-info disk-1. If
the value for attribute ID #232, Available_Reservd_Space
0x0000, is greater than 20, then proceed with the downgrade.
If the value is less than 20, then contact support for assistance. |
Enhanced Pattern-Matching Engine for Custom Signatures | None. | Custom signatures in the new threat ID range (6800001-7000000)
prevent downgrade. The firewall issues a warning to export and remove the
offending signatures. Custom signatures that use the newly
supported syntax but are not in the new threat ID range do not prevent
downgrade. After downgrade, these signatures cease to function. Subsequent
commits fail until you remove them. |
Aggregate Interface Group Enhancement | None. | If you configured more than eight AE interface
groups and you subsequently want to downgrade to a PAN-OS release earlier
than 10.0, you must first edit your configuration so that it has
only AE interface groups 1 through 8. |
DNS Security Signature Categories | Upon upgrade to PAN-OS 10.0, the DNS Security
source is redefined into new signature categories to provide extended granular
controls; as a result, the new categories overwrite the previously
defined policy action (for Palo Alto Networks DNS Security) based
on the following mapping:
If these settings are inappropriate for
your deployment, reapply any sinkhole, log severity, and packet captures
settings appropriate for the newly defined DNS Security Categories. | If you downgrade from PAN-OS 10.0 to 9.1
or push a configuration change from Panorama running PAN-OS 10.0 to
a firewall running PAN-OS 9.1, the new security categories are removed
from the anti-spyware profile and replaced with a single DNS Security
source (Palo Alto Networks DNS Security), and the policy action
is redefined based on the following mapping:
|
NT LAN Manager protocol | The NT LAN Manager (NTLM) authentication
protocol has been removed in this release. We recommend using Kerberos Single
Sign-On (SSO) or Security Assertion Markup Language (SAML) for SSO
authentication. | None. |
User-ID Redistribution for Dedicated Log Collectors | The Dedicated Log Collector no longer supports redistribution
for User-ID information in this release. We recommend using the
firewall or Panorama to redistribute information. | None. |
Syslog Forwarding Using Ethernet Interfaces | None. | All syslog forwarding reverts to
the management interface on downgrade from PAN-OS 10.0. |
Increased Configuration Size
for Panorama | None. | The Panorama management server
may experience performance impacts when performing configuration changes,
commits, and pushes to managed firewalls if the configuration size
exceeds 80MB. |
Master Key Encryption Levels | None. | If you downgrade to an earlier
version of PAN-OS, the device automatically reverts the encryption
algorithm to a level that the downgraded PAN-OS version supports.
The device also automatically re-encrypts encrypted data using that encryption
level to ensure that the device can decrypt and use the data as
needed. For example, if your device is on PAN-OS 10.0 and uses the
AES-256-GCM encryption algorithm (which is not supported on earlier
versions of PAN-OS), and you downgrade to PAN-OS 9.1, then the device re-encrypts
the encrypted data to AES-256-CBC, which is supported in PAN-OS
9.1. |
Legacy telemetry support still enabled | Device telemetry is changed for PAN-OS 10.0
so that more data is being collected, and the data is being sent
to Cortex Data Lake. However, if you had telemetry enabled so that
you were sharing threat intelligence data with Palo Alto Networks prior
to PAN-OS 10.0, then this legacy data collection and sharing is
still occurring
after you upgrade. | None. |
Device-ID | In PAN-OS 9.1 and earlier, the firewall
used the Palo Alto Networks Services service route to send Enhanced
Application Logs (EAL logs). In PAN-OS 10.0 and later versions,
the firewall sends EAL logs using the Data Services service route,
which uses the management interface by default. Other services,
such as Data Loss Prevention (DLP), also use this service route.
You can configure any Layer 3 (L3) interface, including the management
or dataplane interfaces, for the service route. If your firewall
currently sends EAL logs (for example, if you are using Cortex XDR),
the firewall automatically uses the Data Services service route
after you upgrade to PAN-OS 10.0. If you want to use a different interface
for the service route, you can change the service route to any L3
interface. If you are using a log forwarding card (LFC) with
a PA-7000 Series firewall, when you upgrade to PAN-OS 10.0, you must configure
the management plane or dataplane interface for the service route
because the LFC ports do not support the requirements for the service route.
We recommend using the dataplane interface for the Data Services
service route. | None. |
Panorama Support for Multiple IP-Tag Sources | None. | On downgrade to PAN-OS 9.1 or earlier releases,
firewalls managed by a Panorama management server associated with
a child device group do
not receive IP-tag mappings from Panorama. |
Captive Portal (Authentication Portal) | On upgrade to PAN-OS 10.0, the firewall
generates a token parameter for the Authentication Portal URL when the
user's web traffic matches an Authentication Policy rule. Workaround: If
you have shared or bookmarked a URL for the Authentication Portal
page, after you upgrade to PAN-OS 10.0, update the bookmarked URL
by removing the url parameter or disable
the token generation using the following CLI command in Configure
mode: set deviceconfig setting captive-portal disable-token yes,
then commit the changes using the commit command. | None. |
Local Administrator Authentication | If you have a local administrator account
that authenticates using a remote authentication server such as
a SAML Identity Provider (IdP), you must ensure that the username that
the authentication server sends to the firewall or Panorama is identical
to the username in the local administrator account settings on the
firewall or Panorama and doesn't contain a domain. Workaround: Use
the following CLI command: set auth strict-username-check no | None. |
SAML Authentication | Upgrading to PAN-OS 10.0 removes the None option
for the Identity Provider Certificate in the SAML Identity Provider
server profile. If you are using SAML authentication, verify your
SAML Identity Provider server profile has a valid Identity Provider
(IdP) certificate before upgrading to PAN-OS 10.0. To ensure the
integrity of the SAML Responses or Assertions from Identity Provider
(IdP), the firewall or Panorama requires an IdP certificate. The
firewall or Panorama always validates the signature of the SAML
Responses or Assertions against the IdP certificate that you configure. | None. |
Custom Admin Role | None. | On the Panorama management server, you are unable
to commit any configuration changes after you successfully downgrade
from PAN-OS 10.0 to PAN-OS 9.1 or an earlier release because of custom admin
roles (Panorama > Admin Roles)
configured on Panorama. Workaround: Log in to the Panorama CLI and
load the running config
|
PA-3200 Series Firewalls in an Active/Passive
HA Pair with NAT Configured | When you have an active/passive HA pair
of PA-3200 Series firewalls running PAN-OS 10.0.0 with NAT configured,
if you upgrade one firewall to PAN-OS 10.0.1, the firewall goes
to non-functional state due to a NAT oversubscription mismatch between
the HA peers. The upgraded firewall goes to non-functional state
because PAN-OS 10.0.0 and 10.0.1 have different default NAT oversubscription
rates. Workaround: After an upgrade, modify the NAT oversubscription
rate on one firewall so that the rates on the HA pair match. | When you have an active/passive HA pair
of PA-3200 Series firewalls running PAN-OS 10.0.1 with NAT configured,
if you downgrade one firewall to PAN-OS 10.0.0, the firewall goes
to non-functional state due to a NAT oversubscription mismatch between
the HA peers. The downgraded firewall goes to non-functional state
because PAN-OS 10.0.0 and 10.0.1 have different default NAT oversubscription
rates. Workaround: After a downgrade, modify the NAT
oversubscription rate on one firewall so that the rates on the HA
pair match. |
Address Groups and Service Groups | On upgrade to PAN-OS 10.0, the Panorama
management server checks for duplicate addresses in address groups (Objects > Address Groups)
and duplicate services in service groups (Objects > Service Groups) that you created
with the CLI, and fails to commit any configuration changes if duplicate
address objects or services exist. Workaround: Before
you upgrade to PAN-OS 10.0, modify your address group and service
group configurations and rename any duplicate address objects or
services. | None. |
Predefined Reports | After a successful upgrade of the Panorama
management server to PAN-OS 10.0, managed firewalls running PAN-OS
9.1 or an earlier release are unable to generate predefined reports (Monitor > Reports)
because of the addition of the src_dag and dst_dag log
fields. Workaround: Create custom reports (Monitor > Manage Custom Reports)
that mimic the failing predefined reports. | None. |
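Several of the blockers in the table above (custom signatures in the new 6800001-7000000 threat ID range, more than eight AE interface groups, and the duplicate address-group or service-group members that cause Panorama commit failures after upgrade) can be found in a configuration export before you touch a production device. The script below is an added example, not Palo Alto Networks code. It parses a constructed, simplified XML fragment whose element paths (threats/vulnerability, aggregate-ethernet, address-group, service-group) are assumed approximations of the PAN-OS configuration layout; verify them against a real configuration export before relying on the results.

```python
"""Pre-downgrade audit of a PAN-OS configuration export (added example).

The XML paths used here are an assumed, simplified approximation of the
PAN-OS config layout, and SAMPLE_CONFIG is constructed, not a real export.
"""
import xml.etree.ElementTree as ET

# Limits taken from the upgrade/downgrade considerations table.
NEW_THREAT_ID_MIN, NEW_THREAT_ID_MAX = 6800001, 7000000
MAX_AE_GROUPS_PRE_10 = 8

# Constructed sample configuration (assumed layout, not a real export).
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <network><interface><aggregate-ethernet>
      <entry name="ae1"/><entry name="ae8"/><entry name="ae9"/><entry name="ae12"/>
    </aggregate-ethernet></interface></network>
    <vsys><entry name="vsys1">
      <threats><vulnerability>
        <entry name="41000"><comment>legacy custom signature</comment></entry>
        <entry name="6800123"><comment>uses the 10.0 pattern engine</comment></entry>
        <entry name="6999999"/>
      </vulnerability></threats>
      <address-group>
        <entry name="web-servers"><static>
          <member>web-01</member><member>web-02</member><member>web-01</member>
        </static></entry>
        <entry name="db-servers"><static>
          <member>db-01</member><member>db-02</member>
        </static></entry>
      </address-group>
      <service-group>
        <entry name="web-ports"><members>
          <member>tcp-80</member><member>tcp-443</member><member>tcp-80</member>
        </members></entry>
      </service-group>
    </entry></vsys>
  </entry></devices>
</config>"""


def custom_threat_ids_blocking_downgrade(root):
    """Custom vulnerability signature IDs inside 6800001-7000000; these block
    the downgrade until they are exported and removed."""
    ids = []
    for entry in root.iterfind(".//threats/vulnerability/entry"):
        name = entry.get("name", "")
        if name.isdigit() and NEW_THREAT_ID_MIN <= int(name) <= NEW_THREAT_ID_MAX:
            ids.append(int(name))
    return sorted(ids)


def ae_groups_over_limit(root):
    """AE interface groups beyond ae8; releases earlier than 10.0 allow only ae1-ae8."""
    over = []
    for entry in root.iterfind(".//aggregate-ethernet/entry"):
        name = entry.get("name", "")
        if name.startswith("ae") and name[2:].isdigit() and int(name[2:]) > MAX_AE_GROUPS_PRE_10:
            over.append(name)
    return sorted(over, key=lambda n: int(n[2:]))


def duplicate_group_members(root):
    """{group name: [members listed more than once]} for address and service
    groups; Panorama on 10.0 refuses to commit a config containing these."""
    dupes = {}
    for tag in ("address-group", "service-group"):
        for entry in root.iterfind(f".//{tag}/entry"):
            seen, repeated = set(), []
            for member in (m.text for m in entry.iterfind(".//member")):
                if member in seen and member not in repeated:
                    repeated.append(member)
                seen.add(member)
            if repeated:
                dupes[entry.get("name")] = repeated
    return dupes


def audit(config_xml):
    """Run every check; an empty value means that check is clean."""
    root = ET.fromstring(config_xml)
    return {
        "threat_ids": custom_threat_ids_blocking_downgrade(root),
        "ae_groups": ae_groups_over_limit(root),
        "duplicate_members": duplicate_group_members(root),
    }


if __name__ == "__main__":
    for check, findings in audit(SAMPLE_CONFIG).items():
        print(f"{check}: {findings or 'OK'}")
```

Run it against an exported configuration (for example the XML saved before the upgrade, as the first row of the table recommends) rather than the embedded sample; any non-empty finding is something to remove or rename, and commit, before starting the downgrade.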
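The PA-7000 Series row above asks you to read SMART attribute 232 (Available_Reservd_Space) from debug system disk-smart-info disk-1 before upgrading or downgrading. The following parser is an added example, not Palo Alto Networks code; it assumes the command prints a smartctl-style attribute table (ID#, name, flag, VALUE, WORST, THRESH, ...) and reads the normalized VALUE column, and the sample text is constructed rather than captured from a firewall. Confirm against real output which column carries the figure the guidance refers to.

```python
"""Check the PA-7000 SMC flash SMART attribute 232 (added example).

Assumes a smartctl-style attribute table; SAMPLE_OUTPUT is constructed.
"""

SAMPLE_OUTPUT = """SMART Attributes Data Structure revision number: 1
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0000   100   100   000    Old_age   Always       -       0
  9 Power_On_Hours          0x0000   100   100   000    Old_age   Always       -       28392
232 Available_Reservd_Space 0x0000   067   067   000    Old_age   Always       -       67
241 Total_LBAs_Written      0x0000   100   100   000    Old_age   Always       -       1234567
"""

ATTRIBUTE_ID = 232
ATTRIBUTE_NAME = "Available_Reservd_Space"
THRESHOLD = 20  # guidance: greater than 20 proceed, less than 20 contact support


def available_reserved_space(smart_output):
    """Return the normalized VALUE of attribute 232, or None if it is absent.

    Raises if ID 232 is present but carries an unexpected attribute name, so a
    different drive layout is not silently misread as the reserved-space figure.
    """
    for line in smart_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].isdigit() and int(fields[0]) == ATTRIBUTE_ID:
            if fields[1] != ATTRIBUTE_NAME:
                raise ValueError(f"attribute 232 is {fields[1]!r}, expected {ATTRIBUTE_NAME!r}")
            return int(fields[3])
    return None


def flash_ok_to_proceed(smart_output):
    """True when the reserved space is strictly greater than 20.

    The guidance leaves exactly 20 unspecified; this check treats it as not OK,
    the conservative choice when the alternative is a bricked management card.
    """
    value = available_reserved_space(smart_output)
    if value is None:
        raise ValueError("attribute 232 not found; check the disk index or the output format")
    return value > THRESHOLD


if __name__ == "__main__":
    value = available_reserved_space(SAMPLE_OUTPUT)
    verdict = "proceed" if flash_ok_to_proceed(SAMPLE_OUTPUT) else "contact support"
    print(f"Available_Reservd_Space = {value}: {verdict}")
```

Feed it the captured CLI output (for example from a scripted SSH session to the firewall) and gate the upgrade job on the boolean; a missing or misnamed attribute is treated as an error rather than a pass.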