Upgrade/Downgrade Considerations
Table of Contents
End-of-Life (EoL)
Upgrade/Downgrade Considerations
Upgrade/downgrade considerations for PAN-OS 9.1.
The following table lists the new features that have
upgrade or downgrade impact. Make sure you understand all upgrade/downgrade
considerations before you upgrade to or downgrade from a PAN-OS
9.1 release. For additional information about PAN-OS 9.1 releases,
refer to the PAN-OS 9.1 Release Notes.
| Feature | Upgrade Considerations | Downgrade Considerations |
|---|---|---|
Commit Failure to Web Interface and CLI | None. | You must Contact Palo Alto Networks Support before
you downgrade a Panorama management server, PA-7000 Series firewall,
and PA-5200 Series firewall to avoid commit failures on successful
downgrade to PAN-OS 9.0. Refer to PAN-142114 in the PAN-OS
9.1 Limitations when you contact Palo Alto Networks Support. |
SD-WAN Plugin The SD-WAN plugin provides
intelligent, dynamic path selection on top of the industry leading
security provided by PAN-OS | Enabling your SD-WAN plugin and starting
your device creates SD-WAN databases. | Downgrading from PAN-OS 9.1 to an earlier
version deletes any SD-WAN databases and removes any SD-WAN specific configurations.
Your subscription remains on the device and is re-enabled if you
upgrade. |
Upgrading a PA-7000 Series Firewall with
a first generation switch management card (PA-7050-SMC or PA-7080-SMC) | Before upgrading the firewall, run the following
CLI command to check the flash drive’s status: debug system disk-smart-info disk-1. If
the value for attribute ID #232, Available_Reservd_Space 0x0000,
is greater than 20, then proceed with the upgrade. If the value
is less than 20, then contact support for assistance. | Before downgrading the firewall, run the
following CLI command to check the flash drive’s status: debug system disk-smart-info disk-1. If
the value for attribute ID #232, Available_Reservd_Space 0x0000,
is greater than 20, then proceed with the downgrade. If the value
is less than 20, then contact support for assistance. |
Username in HTTP Header Insertion Entries | None. | Downgrading from PAN-OS 9.1 removes the
dynamic fields header values containing the domain and username. |
Dynamic User Groups | None. | Downgrading from PAN-OS 9.1 migrates existing
dynamic user groups to XML API user groups, retaining
all group members at the time of the downgrade. The firewall continues
to enforce any policy rules that apply to these groups. |
Option to Hold Web Requests During URL Category
Lookup | If you have this feature enabled, upgrading
to PAN-OS 9.1 from an earlier version disables this option. Configure URL Filtering to re-enable
this feature. | If you have this feature enabled, downgrading
from PAN-OS 9.1 to an earlier version disables this option. |
URL Filtering BrightCloud Support | With PAN-OS 9.1, BrightCloud is no longer
supported as a URL Filtering vendor. Before you can upgrade to PAN-OS
9.1, you’ll first need to contact your sales representative to convert
your BrightCloud URL Filtering license to a PAN-DB URL Filtering
license. Only upgrade to PAN-OS 9.1 after confirming that the PAN-DB
URL Filtering license is active on your firewall. | |
Enhanced Logging for GlobalProtect | When upgrading to PAN-OS 9.1, any existing GlobalProtect logs stay in their current location, however any new logs received after the upgrade are stored in their new locations and categorized by the new GlobalProtect log type. | Any GlobalProtect logs collected after the upgrade will be lost when downgrading from PAN-OS 9.1 to an earlier version. |
Identity Provider Certificate (PAN-OS
9.1.3 or later) | Ensure that you configure the signing certificate
for your SAML Identity Provider as the Identity Provider Certificate before
you upgrade to PAN-OS 9.1.3 or later so that your users can continue to
authenticate successfully. Always configure the Identity Provider
Certificate when you configure your SAML authentication and,
as a best practice, enable certificate validation when available. | |
Log Storage Quota | On upgrade to PAN-OS 9.1, the firewall log
storage quota (DeviceSetup ManagementLogging and Reporting
Settings) exceeds 100% of the total disk
space available and causes commits to fail. After you successfully
upgrade a firewall to PAN-OS 9.1, modify the log storage quota to
equal 100%.
| |
Application Filters Using
Tags | None | Downgrading from PAN-OS 9.1 removes
any tags applied to an application filter. This results in a commit
failure if application filter tags were used. Downgrading
from a content release that includes tag support for specific apps
results in a commit failure if those tags are used in an application
filter. |
| Log Collectors | None | PAN-OS 9.1 upgraded the Log Collector database. You must contact Palo Alto Networks Support before
you downgrade to assist with restoring the Log Collector database
if:
Before you
downgrade Panorama in Panorama mode running PAN-OS 9.1.4 or later
PAN-OS 9.1 release, you must back up the log collector database
and then restore it after succesful downgrade.
|