Upgrade/Downgrade Considerations
Table of Contents
PAN.OS 11.1 & Later
Expand all | Collapse all
-
-
- Upgrade Panorama with an Internet Connection
- Upgrade Panorama Without an Internet Connection
- Install Content Updates Automatically for Panorama without an Internet Connection
- Upgrade Panorama in an HA Configuration
- Migrate Panorama Logs to the New Log Format
- Upgrade Panorama for Increased Device Management Capacity
- Upgrade Panorama and Managed Devices in FIPS-CC Mode
- Downgrade from Panorama 11.1
- Troubleshoot Your Panorama Upgrade
-
- What Updates Can Panorama Push to Other Devices?
- Schedule a Content Update Using Panorama
- Panorama, Log Collector, Firewall, and WildFire Version Compatibility
- Upgrade Log Collectors When Panorama Is Internet-Connected
- Upgrade Log Collectors When Panorama Is Not Internet-Connected
- Upgrade a WildFire Cluster from Panorama with an Internet Connection
- Upgrade a WildFire Cluster from Panorama without an Internet Connection
- Upgrade Firewalls When Panorama Is Internet-Connected
- Upgrade Firewalls When Panorama Is Not Internet-Connected
- Upgrade a ZTP Firewall
- Revert Content Updates from Panorama
-
Upgrade/Downgrade Considerations
Upgrade/downgrade considerations for PAN-OS 11.1 and later releases.
The following table lists the new features that have upgrade or downgrade impact. Make sure you
understand all upgrade/downgrade considerations before you upgrade to or downgrade from
a PAN-OS 11.1 release or a later release. For additional information about PAN-OS 11.1
and later releases, refer to the PAN-OS Release Notes.
Feature | Upgrade Considerations | Downgrade Considerations |
---|---|---|
Panorama and IKE Gateway
|
When upgrading Panorama from version 11.1 or earlier to 11.2 , inconsistencies may
occur if different IKE versions are configured for the same IKE
gateway across one or more templates, and the Overwrite option is
used for configuration overrides related to that IKE gateway. This
issue doesn't affect IKE gateways where no fields have been
overwritten, and doesn't impact NGFW upgrades.
Workaround: After upgrading Panorama, review the IKE gateway
configuration across all templates. Ensure that the IKE version is
consistent across templates for a specific gateway before pushing
configurations to the firewalls.
|
When downgrading Panorama from version 11.2 to 11.1 or earlier,
inconsistencies may occur if different IKE versions are configured
for the same IKE gateway across one or more templates, and the
Overwrite option is used for configuration overrides related to that
IKE gateway. This issue doesn't affect IKE gateways where no fields
have been overwritten, and doesn't impact NGFW downgrades.
Workaround: After downgrading Panorama, review the IKE gateway
configuration across all templates. Ensure that the IKE version is
consistent across templates for a specific gateway before pushing
configurations to the firewalls.
|
NGFW Clustering
(PAN-OS 11.1.5)
|
When you upgrade from a PAN-OS 11.1.3 release to a PAN-OS 11.1.5 or
later release, upgrade the PA-7500 Series firewalls in an NGFW
cluster in parallel, not individually. Upgrading the devices in
parallel avoids a split-brain scenario.
|
None
|
IPv6 Support on Cellular Interfaces for PA-415-5G Firewalls
(PAN-OS 11.2.3)
(PAN-OS 11.1.5)
|
None
|
Before downgrading a PA-415-5G firewall to a release earlier than
PAN-OS 11.2.3 or earlier than
PAN-OS 11.1.5, if you have an IPv6 address configured on a
cellular interface, configure the interface with an IPv4 address and
remove the IPv6 address. Otherwise, the firewall blocks the
downgrade.
|
NPTv6 with Dynamically Assigned IPv6 Address Prefix
|
None
|
Before downgrading to a release earlier than PAN-OS 11.1.5, disable
NPTv6 on an interface that has a dynamically assigned IPv6 address
or remove the configuration. (The downgrade block is unavailable
between PAN-OS 11.1.5 and 11.1.0; therefore, the image downgrade
succeeds, but auto commit fails.)
|
IKE Gateway with Dynamic IPv6 Address Assignment
|
None
|
If you downgrade to a release that doesn't support IKE gateway with
dynamic IPv6 address assignment (a release earlier than PAN-OS
11.1.5), the NGFW disables the IPSec tunnel. You must load a
supported configuration to match the PAN-OS version to which you
downgraded.
|
Overlapping IP Address Support
|
None
|
A downgrade attempt to a release earlier than PAN-OS 11.1.4 will be
blocked when Duplicate IP Address Support is enabled. An error
message will appear upon a downgrade attempt, Failed
to downgrade. Duplicate IP address is not supported in older
versions. Please remove all duplicate IP address configuration,
disable Duplicate IP Address Support, and commit before
proceeding with the downgrade.
|
Advanced Routing Engine
(PAN-OS 11.2.0)
|
In PAN-OS 11.2.0, when Advanced Routing is enabled, IP multicast is
not supported. An upcoming version will provide support for this
feature. Customers who have multicast configured or who plan to
deploy multicast routing should not upgrade to 11.2.0.
Additionally, in PAN-OS 11.2.0, when Advanced Routing is enabled, the
BGP dampening configuration isn't applied to any peers or peer
group; the configuration is preserved but has no effect on BGP.
Customers can use BGP even if they have applied a Dampening profile
to a specific set of peers. The issue doesn't affect any other BGP
features.
|
None
|
Authenticate LSVPN Satellite with Serial Number and IP Address
Method
(PAN-OS 11.1.3 and later releases)
|
PAN-OS stores the configuration changes in the database internally.
Therefore, the latest saved configuration is applied when you
upgrade to this feature.
After you upgrade from PAN-OS 10.0 or earlier releases to PAN-OS 10.1
and later releases (with Username/password and Satellite Cookie
Authentication method enabled), and if the satellite cookie expires,
it will result in a login failure.
In this case, you should enter the username and password for
successful authentication.
|
|
After you upgrade from PAN-OS 10.0 or earlier releases/PAN-OS 10.1
and later release to PAN-OS 11.1.3, consider the following:
|
| |
Per Policy Persistent DIPP
|
When using Panorama to upgrade the firewall from PAN-OS 11.0.0 to
11.1.1, regular DIPP NAT rules should be converted to persistent
DIPP NAT rules, but that conversion fails and the rules remain as
regular DIPP NAT rules.
|
When using Panorama to downgrade the firewall from PAN-OS 11.1.1 to
11.0 0, per policy persistent DIPP NAT rules are converted to
regular DIPP NAT rules.
|
TLSv1.3 Support for GlobalProtect
|
If you upgrade to PAN-OS 11.1 from an earlier PAN-OS version with
Max Version set to
Max in the SSL/TLS service profile, the
TLS version will be replaced with TLSv1.2 after the upgrade.
If you upgrade to a later PAN-OS version from PAN-OS 11.1
with Max Version set to
<TLS Version> in the SSL/TLS
service profile, the TLS version will remain with the configured
<TLS Version> after the upgrade.
There is no replacement of the versions as the versions are already
configured in 11.1.x itself.
|
If you downgrade from PAN-OS 11.1 with TLSv1.3 to an earlier PAN-OS
version, the TLSv1.3 will be replaced with TLSv1.2 after you
downgrade. The downgrade will succeed but auto commit will fail if
you had selected TLS v1.3 aes-chacha20-poly1305
cipher, in PAN-OS 11.1 that is not supported in the
earlier PAN-OS versions. You must add or replace the appropriate
supported ciphers to the downgraded version and commit the changes
manually.
|
Upgrading the VM-50 and VM-50L
|
Before upgrading your VM-50 or VM-50L firewall to PAN-OS 11.1, the
minimum plugin versions are required to be installed before you
begin upgrading:
|
None.
|
VM-Series Firewalls
|
When upgrading VM-Series firewalls from PAN-OS versions 10.1.x
through 11.1.x, you must upgrade the VM-Series plugin version to
later than 2.1.6 on all 10.1.x firewalls before performing the
upgrade to avoid HA issues.
|
None.
|
Collector Groups |
All logs generated while running a PAN-OS 10.0 or earlier release are
deleted on upgrade to PAN-OS 11.1.1.
To recover logs generated in PAN-OS 11.0 or earlier release, you must
upgrade to PAN-OS 11.1.2 or later release
where you can manually recover all impacted logs using CLI commands
provided by Palo Alto Networks.
|
Downgrade is not recommended. If you choose
to downgrade from 11.1, all logs generated in PAN-OS 11.1 are
deleted and need to manually recovered. To recover logs generated in
11.1, you must:
If you have already downgraded from PAN-OS 11.1 and ElasticSearch
is caught in a restart loop, please contact Palo Alto Networks
Support |
All Log Collectors in a Collector Group must be upgraded at the same
time. Upgrading some, but not all Log Collectors, in a Collector
Group during an upgrade window is not supported.
|
None.
| |
Log Collectors running PAN-OS 11.1 must be onboarded using the device
registration authentication for inter-Log Collector communication.
On your upgrade path to PAN-OS 11.1, Log Collectors added to Panorama
management when running PAN-OS 9.1 or earlier release must first be
upgraded to PAN-OS 10.1 or later release and re-onboarded to Panorama
management using the device registration authentication
key.
Upgrade to PAN-OS 11.1 is blocked if Log Collectors onboarded to
Panorama management without the device registration authentication
key are detected.
|
None.
| |
None.
| ||
If you are using Collector Groups, the following requirements must be
met to upgrade to 11.1.0.
|
None.
| |
After upgrading Log collectors to PAN-OS 11.1, the follow TCP ports
are now required for inter-Log Collector communication and must be
opened on your network.
|
None.
| |
Pan Service Proxy |
None.
|
Downgrading a next-generation firewall from PAN-OS 11.1 will fail if
it has pan service proxy enabled. To downgrade successfully, disable
pan service proxy before you downgrade.
Next-generation firewall: Select NetworkProxy, click the settings icon for Proxy Enablement, choose
None, and then click
OK.
Panorama: TemplatesNetworkProxy, click the settings icon for Proxy Enablement, choose
None, and then click
OK.
|
Authentication sequence
|
When you upgrade to PAN-OS 11.1.1, the Exit the sequence on failed
authentication option is no longer dependent on the Use
domain to determine authentication profile option.
|
If you select the Exit the sequence on failed authentication
option, downgrading from PAN-OS 11.1.1 to a previous version is not
successful unless the Exit the sequence on failed
authentication option is not selected or unless both the
Exit the sequence on failed authentication option and the
Use domain to determine authentication profile option are
selected.
|
Panorama Management of Multi-Vsys Firewalls
Upgrade from PAN-OS 10.1 to PAN-OS 11.1 using Skip Software
Version Upgrade only
|
Before upgrading a Panorama managed multi-vsys firewall to PAN-OS
11.0 using Skip Software Version Upgrade:
|
None.
|
After you successfully upgrade a managed multi-vsys firewall to
PAN-OS 10.2 using Skip Software Version Upgrade, the firewalls
become out-of-sync on Panorama and a
full commit and push is required.
On Panorama, select Commit and Push to Devices the
entire Panorama managed configuration to the multi-vsys firewall
before you commit and push any configuration changes from
Panorama.
| ||
(PAN-OS 11.2) TLSv1.3 Support for HSM Integration with SSL
Inbound Inspection
| None. | Downgrading from PAN-OS 11.2 to an earlier version removes support for the establishment and decryption of TLSv1.3 sessions when the private keys of internal servers are stored on an HSM. Even if both client and server support TLSv1.3, the appliance establishes a TLSv1.2 connection. |