Upgrade/Downgrade Considerations
Upgrade/downgrade considerations for PAN-OS 11.1 and later releases.
The following table lists the new features that have upgrade or downgrade impact. Make sure you understand all upgrade/downgrade considerations before you upgrade to or downgrade from a PAN-OS 11.1 release or a later release. For additional information about PAN-OS 11.1 and later releases, refer to the PAN-OS Release Notes.
Each feature entry below lists its Upgrade Considerations and its Downgrade Considerations.
NGFW Clustering (PAN-OS 11.1.5)
Upgrade considerations: When you upgrade from a PAN-OS 11.1.3 release to a PAN-OS 11.1.5 or later release, upgrade the PA-7500 Series firewalls in an NGFW cluster in parallel, not individually. Upgrading the devices in parallel avoids a split-brain scenario.
Downgrade considerations: None
IPv6 Support on Cellular Interfaces for PA-415-5G Firewalls (PAN-OS 11.2.3, PAN-OS 11.1.5)
Upgrade considerations: None
Downgrade considerations: Before downgrading a PA-415-5G firewall to a release earlier than PAN-OS 11.2.3 or earlier than PAN-OS 11.1.5, if an IPv6 address is configured on a cellular interface, configure the interface with an IPv4 address and remove the IPv6 address. Otherwise, the firewall blocks the downgrade.
NPTv6 with Dynamically Assigned IPv6 Address Prefix
Upgrade considerations: None
Downgrade considerations: Before downgrading to a release earlier than PAN-OS 11.1.5, disable NPTv6 on any interface that has a dynamically assigned IPv6 address, or remove that configuration. (No downgrade block exists between PAN-OS 11.1.5 and 11.1.0, so the image downgrade succeeds but the auto commit fails.)
IKE Gateway with Dynamic IPv6 Address Assignment
Upgrade considerations: None
Downgrade considerations: If you downgrade to a release that doesn't support an IKE gateway with dynamic IPv6 address assignment (a release earlier than PAN-OS 11.1.5), the NGFW disables the IPSec tunnel. You must load a supported configuration that matches the PAN-OS version to which you downgraded.
Overlapping IP Address Support
Upgrade considerations: None
Downgrade considerations: A downgrade to a release earlier than PAN-OS 11.1.4 is blocked while Duplicate IP Address Support is enabled. The downgrade attempt returns the error "Failed to downgrade. Duplicate IP address is not supported in older versions. Please remove all duplicate IP address configuration, disable Duplicate IP Address Support, and commit before proceeding with the downgrade."
Advanced Routing Engine (PAN-OS 11.2.0)
Upgrade considerations: In PAN-OS 11.2.0, when Advanced Routing is enabled, IP multicast is not supported. An upcoming version will provide support for this feature. Customers who have multicast configured or who plan to deploy multicast routing should not upgrade to 11.2.0.
Additionally, in PAN-OS 11.2.0, when Advanced Routing is enabled, the BGP dampening configuration isn't applied to any peer or peer group; the configuration is preserved but has no effect on BGP. Customers can still use BGP even if they have applied a Dampening profile to a specific set of peers. The issue doesn't affect any other BGP features.
Downgrade considerations: None
Authenticate LSVPN Satellite with Serial Number and IP Address Method (PAN-OS 11.1.3 and later releases)
Upgrade considerations: PAN-OS stores the configuration changes in the database internally. Therefore, the latest saved configuration is applied when you upgrade to this feature.
After you upgrade from PAN-OS 10.0 or an earlier release to PAN-OS 10.1 or a later release (with the Username/password and Satellite Cookie Authentication method enabled), an expired satellite cookie results in a login failure. In this case, enter the username and password to authenticate successfully.
After you upgrade from PAN-OS 10.0 or an earlier release, or from PAN-OS 10.1 or a later release, to PAN-OS 11.1.3, consider the following:
  • If you have disabled the Serial number and IP Address Authentication method and the satellite cookie expires, the login fails. In this case, the administrator should enter the username and password to authenticate successfully.
  • If you have enabled the Serial number and IP Address Authentication method, the satellite serial number is registered with the GlobalProtect portal, and the IP address is present in the IP allow list, the login succeeds.
  • If you have enabled the Serial number and IP Address Authentication method, but the satellite serial number is not registered with the GlobalProtect portal or the IP address is not present in the IP allow list, the login fails. In this case, the firewall does not fall back to any other authentication method, and the result is an authentication failure. After an authentication failure, the satellite waits until the configured retry interval elapses before attempting to authenticate again. Ensure that the satellite serial number is registered correctly with the portal and that the satellite IP address is present in the IP allow list for successful authentication.
Downgrade considerations:
  • If you downgrade to PAN-OS 10.1 and later releases, only the Username/password and Satellite Cookie Authentication method is supported.
  • If you download and install a minor version of the plugin and then decide to downgrade to another minor version of the same release, the configuration made on the minor version before the downgrade takes effect on the downgraded minor version of the same release.
    PAN-OS stores the configuration changes in the database internally. Therefore, the latest saved configuration is applied when you downgrade from this feature.
    For example, if you have installed SD-WAN plugin 11.1.5 with a configuration (configuration 1) and then decide to downgrade to another minor version of the same release, 11.1.4, which has a different configuration (configuration 2), the configuration of the minor version before the downgrade, that is, configuration 1, takes effect on the downgraded minor version, 11.1.4.
  • If you downgrade to PAN-OS releases earlier than 10.1, only the serial number authentication method is supported.
  • If you downgrade to PAN-OS releases later than 10.1 and earlier than 10.2.8, the Username/password and Satellite Cookie Authentication method is supported.
  • If you downgrade to PAN-OS 10.2.8 and later 10.2 releases, both the 'Username/password and Satellite Cookie Authentication' and the 'Serial number and IP address Authentication' methods are supported.
Per Policy Persistent DIPP
Upgrade considerations: When using Panorama to upgrade the firewall from PAN-OS 11.0.0 to 11.1.1, regular DIPP NAT rules should be converted to persistent DIPP NAT rules, but that conversion fails and the rules remain regular DIPP NAT rules.
Downgrade considerations: When using Panorama to downgrade the firewall from PAN-OS 11.1.1 to 11.0.0, per policy persistent DIPP NAT rules are converted to regular DIPP NAT rules.
TLSv1.3 Support for GlobalProtect
Upgrade considerations: If you upgrade to PAN-OS 11.1 from an earlier PAN-OS version with Max Version set to Max in the SSL/TLS service profile, the TLS version is replaced with TLSv1.2 after the upgrade.
If you upgrade to a later PAN-OS version from PAN-OS 11.1 with Max Version set to a specific <TLS Version> in the SSL/TLS service profile, the configured <TLS Version> is kept after the upgrade. No replacement takes place because the versions are already configured in 11.1.x itself.
Downgrade considerations: If you downgrade from PAN-OS 11.1 with TLSv1.3 to an earlier PAN-OS version, TLSv1.3 is replaced with TLSv1.2 after you downgrade. The downgrade succeeds, but the auto commit fails if you had selected the TLSv1.3 aes-chacha20-poly1305 cipher in PAN-OS 11.1, because that cipher is not supported in the earlier PAN-OS versions. You must add or replace the appropriate supported ciphers on the downgraded version and commit the changes manually.
Upgrading the VM-50 and VM-50L
Upgrade considerations: Before upgrading your VM-50 or VM-50L firewall to PAN-OS 11.1, install at least the minimum plugin version for your current release:
  • Upgrading from PAN-OS 10.2: the minimum plugin version required is 3.0.6.
  • Upgrading from PAN-OS 11.0: the minimum plugin version required is 4.0.3-h1.
Downgrade considerations: None.
VM-Series Firewalls
Upgrade considerations: When upgrading VM-Series firewalls from PAN-OS 10.1.x to 11.1.x, you must upgrade the VM-Series plugin to a version later than 2.1.6 on all 10.1.x firewalls before performing the upgrade, to avoid HA issues.
Downgrade considerations: None.
Collector Groups
Upgrade considerations: All logs generated while running a PAN-OS 10.0 or earlier release are deleted on upgrade to PAN-OS 11.1.1.
To recover logs generated in PAN-OS 11.0 or an earlier release, you must upgrade to PAN-OS 11.1.2 or a later release, where you can manually recover all impacted logs using CLI commands provided by Palo Alto Networks.
Downgrade considerations: Downgrade is not recommended. If you choose to downgrade from 11.1, all logs generated in PAN-OS 11.1 are deleted and must be recovered manually. To recover logs generated in 11.1, you must:
  1. Upgrade to PAN-OS 11.1.2 or a later 11.1 release.
    This is required to successfully recover impacted logs.
  2. Log in to the Log Collector CLI and delete all esdata directories.
    admin> debug elasticsearch erase data
  3. Downgrade to your target PAN-OS version.
  4. Commit and push the changes to the Collector Group and all managed devices.
  5. Log in to the Log Collector CLI and recover the impacted logs.
    admin> debug logdb migrate-lc start log-type all
If you have already downgraded from PAN-OS 11.1 and ElasticSearch is caught in a restart loop, contact Palo Alto Networks Support.

Upgrade considerations: All Log Collectors in a Collector Group must be upgraded at the same time. Upgrading some, but not all, Log Collectors in a Collector Group during an upgrade window is not supported.
Downgrade considerations: None.

Upgrade considerations: Log Collectors running PAN-OS 11.1 must be onboarded using device registration authentication for inter-Log Collector communication.
On your upgrade path to PAN-OS 11.1, Log Collectors added to Panorama management while running PAN-OS 9.1 or an earlier release must first be upgraded to PAN-OS 10.1 or a later release and re-onboarded to Panorama management using the device registration authentication key.
The upgrade to PAN-OS 11.1 is blocked if Log Collectors onboarded to Panorama management without the device registration authentication key are detected.
Downgrade considerations: None.

Upgrade considerations: If you are using Collector Groups, the following requirements must be met to upgrade to 11.1.0.
  • You must perform a manual Collector Group push after the upgrade to 11.1 to upgrade managed Log Collectors.
    PAN-OS requires all Log Collectors within a Collector Group to be on the same version.
  • You must register your Log Collectors with Panorama using a device registration authentication key.
    If the device registration authentication key does not initialize correctly, the Log Collector fails to form connections to its peer nodes.
Downgrade considerations: None.

Upgrade considerations: After upgrading Log Collectors to PAN-OS 11.1, the following TCP ports are required for inter-Log Collector communication and must be opened on your network:
  • TCP/9300
  • TCP/9301
  • TCP/9302
Downgrade considerations: None.
Pan Service Proxy
Upgrade considerations: None.
Downgrade considerations: Downgrading a next-generation firewall from PAN-OS 11.1 fails if pan service proxy is enabled. To downgrade successfully, disable pan service proxy before you downgrade.
Next-generation firewall: Select Network > Proxy, click the settings icon for Proxy Enablement, choose None, and then click OK.
Panorama: Select Templates > Network > Proxy, click the settings icon for Proxy Enablement, choose None, and then click OK.
Authentication sequence
Upgrade considerations: When you upgrade to PAN-OS 11.1.1, the Exit the sequence on failed authentication option is no longer dependent on the Use domain to determine authentication profile option.
Downgrade considerations: If the Exit the sequence on failed authentication option is selected, downgrading from PAN-OS 11.1.1 to a previous version fails unless either that option is cleared, or both the Exit the sequence on failed authentication option and the Use domain to determine authentication profile option are selected.
Panorama Management of Multi-Vsys Firewalls
Upgrade from PAN-OS 10.1 to PAN-OS 11.1 using Skip Software Version Upgrade only
Upgrade considerations: Before upgrading a Panorama managed multi-vsys firewall to PAN-OS 11.0 using Skip Software Version Upgrade:
  • Delete or rename any locally configured firewall Shared object that has an identical name to an object in the Panorama Shared configuration. Otherwise, configuration pushes from Panorama fail after the upgrade and display the error "<object-name> is already in use".
  • Palo Alto Networks recommends that if a multi-vsys firewall is managed by Panorama, then all vsys configurations should be managed by Panorama.
    This helps avoid commit failures on the managed multi-vsys firewall and allows you to take advantage of optimized shared object pushes from Panorama.
Downgrade considerations: None.

Upgrade considerations: After you successfully upgrade a managed multi-vsys firewall to PAN-OS 10.2 using Skip Software Version Upgrade, the firewall becomes out-of-sync on Panorama and a full commit and push is required.
On Panorama, select Commit > Push to Devices and push the entire Panorama managed configuration to the multi-vsys firewall before you commit and push any other configuration changes from Panorama.
TLSv1.3 Support for HSM Integration with SSL Inbound Inspection (PAN-OS 11.2)
Upgrade considerations: None.
Downgrade considerations: Downgrading from PAN-OS 11.2 to an earlier version removes support for establishing and decrypting TLSv1.3 sessions when the private keys of internal servers are stored on an HSM. Even if both client and server support TLSv1.3, the appliance establishes a TLSv1.2 connection.
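The downgrade entries above each name a configured condition that blocks the image downgrade, makes the auto commit fail, or silently changes behaviour, together with the release threshold at which the rule applies; the VM-50 entry names a minimum plugin version with a `-h1` hotfix suffix. The following Python script is an added example, not Palo Alto Networks code: it encodes those rules as a pre-flight check you can run against a target release before requesting the downgrade. The `cfg` dictionary and its keys (`cellular_ipv6`, `duplicate_ip_support`, `pan_service_proxy`, and so on) are a constructed stand-in for the conditions named in the table, not the PAN-OS configuration schema; in practice each key would be filled from your own export of the running configuration. The version comparison is generalized to handle two-part release strings and the `-hN` hotfix suffix.

```python
"""Pre-flight check encoding the PAN-OS 11.1 downgrade considerations above.

Added example, not Palo Alto Networks code. `cfg` is a constructed flat
dictionary of the conditions the table names; its keys are hypothetical and
do not correspond to the PAN-OS XML configuration schema.
"""
import re
from typing import Dict, List, Tuple

# Version string as printed by PAN-OS and its plugins: '11.1.5', '11.2', '4.0.3-h1'.
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-h(\d+))?$")


def parse_version(ver: str) -> Tuple[int, int, int, int]:
    """Return a comparable (major, minor, patch, hotfix) tuple; missing parts count as 0."""
    m = _VER_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {ver!r}")
    return tuple(int(g or 0) for g in m.groups())  # type: ignore[return-value]


def earlier_than(ver: str, threshold: str) -> bool:
    return parse_version(ver) < parse_version(threshold)


def in_range(ver: str, low: str, high: str) -> bool:
    """True when low <= ver < high."""
    return not earlier_than(ver, low) and earlier_than(ver, high)


Finding = Tuple[str, str, str]  # (feature, severity, what to do about it)


def downgrade_findings(cfg: Dict[str, object], target: str) -> List[Finding]:
    """Apply the table's downgrade rules to a constructed config for `target`."""
    f: List[Finding] = []
    # PA-415-5G cellular IPv6: blocked below 11.1.5 in the 11.1 train, below 11.2.3 in 11.2.
    if cfg.get("cellular_ipv6") and (earlier_than(target, "11.1.5")
                                     or in_range(target, "11.2.0", "11.2.3")):
        f.append(("IPv6 on cellular interface (PA-415-5G)", "blocked",
                  "configure an IPv4 address and remove the IPv6 address"))
    if cfg.get("nptv6_on_dynamic_ipv6") and earlier_than(target, "11.1.5"):
        # 11.1.0 to 11.1.4 have no downgrade block: the image installs, the auto commit fails.
        sev = "autocommit" if in_range(target, "11.1.0", "11.1.5") else "blocked"
        f.append(("NPTv6 with dynamic IPv6 prefix", sev,
                  "disable NPTv6 on the interface or remove the configuration"))
    if cfg.get("ike_dynamic_ipv6") and earlier_than(target, "11.1.5"):
        f.append(("IKE gateway with dynamic IPv6 address", "warning",
                  "the IPSec tunnel will be disabled; load a matching supported config"))
    if cfg.get("duplicate_ip_support") and earlier_than(target, "11.1.4"):
        f.append(("Overlapping IP Address Support", "blocked",
                  "remove duplicate IP configuration, disable the feature, then commit"))
    if cfg.get("tls13_chacha20_cipher") and earlier_than(target, "11.1.0"):
        f.append(("TLSv1.3 for GlobalProtect", "autocommit",
                  "replace the TLSv1.3 aes-chacha20-poly1305 cipher with a supported one"))
    if cfg.get("pan_service_proxy") and earlier_than(target, "11.1.0"):
        f.append(("Pan Service Proxy", "blocked",
                  "set Proxy Enablement to None before downgrading"))
    # Blocked only when 'Exit the sequence' is set without 'Use domain'.
    if (cfg.get("auth_seq_exit_on_failure") and not cfg.get("auth_seq_use_domain")
            and earlier_than(target, "11.1.1")):
        f.append(("Authentication sequence", "blocked",
                  "clear 'Exit the sequence on failed authentication' or also select "
                  "'Use domain to determine authentication profile'"))
    if cfg.get("hsm_inbound_inspection") and earlier_than(target, "11.2.0"):
        f.append(("TLSv1.3 with HSM-held keys", "warning",
                  "inbound inspection sessions will negotiate TLSv1.2 only"))
    return f


def downgrade_is_safe(cfg: Dict[str, object], target: str) -> bool:
    """True when nothing would block the image or make the auto commit fail."""
    return all(sev == "warning" for _, sev, _ in downgrade_findings(cfg, target))


# Minimum VM-50/VM-50L plugin per source release train (from the table above).
_VM50_MIN_PLUGIN = {"10.2": "3.0.6", "11.0": "4.0.3-h1"}


def vm50_plugin_ok(current_release: str, plugin_version: str) -> bool:
    """Is the installed plugin at least the minimum for the current release train?"""
    train = ".".join(current_release.split(".")[:2])
    minimum = _VM50_MIN_PLUGIN.get(train)
    if minimum is None:
        return True  # the table lists no minimum for this train
    return not earlier_than(plugin_version, minimum)


if __name__ == "__main__":
    # Constructed sample: an 11.1.5 firewall with several of the table's features enabled.
    sample = {"cellular_ipv6": True, "nptv6_on_dynamic_ipv6": True,
              "duplicate_ip_support": True, "pan_service_proxy": False,
              "auth_seq_exit_on_failure": True, "auth_seq_use_domain": False}
    for feature, sev, action in downgrade_findings(sample, "11.1.2"):
        print(f"[{sev:10}] {feature}: {action}")
```

Severity is split three ways on purpose: `blocked` findings stop the image downgrade, `autocommit` findings let the image install and then leave the device without a committed configuration, and `warning` findings change behaviour silently, which is the case most likely to be missed in a change window.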