End-of-Life (EoL)

Upgrade/Downgrade Considerations

Upgrade/downgrade considerations for PAN-OS 9.1.
The following table lists the new features that have upgrade or downgrade impact. Make sure you understand all upgrade/downgrade considerations before you upgrade to or downgrade from a PAN-OS 9.1 release. For additional information about PAN-OS 9.1 releases, refer to the PAN-OS 9.1 Release Notes.
PAN-OS 9.1 Upgrade/Downgrade Considerations
Feature | Upgrade Considerations | Downgrade Considerations
Commit Failure to Web Interface and CLI
None.
You must contact Palo Alto Networks Support before you downgrade a Panorama management server, PA-7000 Series firewall, or PA-5200 Series firewall to avoid commit failures after a successful downgrade to PAN-OS 9.0. Refer to PAN-142114 in the PAN-OS 9.1 Limitations when you contact Palo Alto Networks Support.
SD-WAN Plugin
The SD-WAN plugin provides intelligent, dynamic path selection on top of the industry-leading security provided by PAN-OS.
Enabling your SD-WAN plugin and starting your device creates SD-WAN databases.
Downgrading from PAN-OS 9.1 to an earlier version deletes any SD-WAN databases and removes any SD-WAN specific configurations. Your subscription remains on the device and is re-enabled if you upgrade.
Upgrading a PA-7000 Series Firewall with a first generation switch management card (PA-7050-SMC or PA-7080-SMC)
Before upgrading the firewall, run the following CLI command to check the flash drive’s status: debug system disk-smart-info disk-1.
If the value for attribute ID #232, Available_Reservd_Space 0x0000, is greater than 20, then proceed with the upgrade. If the value is less than 20, then contact support for assistance.
Before downgrading the firewall, run the following CLI command to check the flash drive’s status: debug system disk-smart-info disk-1.
If the value for attribute ID #232, Available_Reservd_Space 0x0000, is greater than 20, then proceed with the downgrade. If the value is less than 20, then contact support for assistance.
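The attribute check above can be scripted as a go/no-go gate over saved CLI output. This is an added example, not Palo Alto Networks code; it assumes the command prints a smartctl-style attribute table in which the value is the first number after the flag, and the sample outputs are constructed.

```python
import re

# Assumption: the row looks like "<id> <name> <flag> <value> ...", as in a
# smartctl attribute table. Adjust ROW if your firewall's output differs.
ROW = re.compile(
    r"^\s*232\s+Available_Reservd_Space\s+0x[0-9a-fA-F]+\s+(\d+)\b", re.M
)
THRESHOLD = 20  # from the page: proceed only when the value is greater than 20


def reserved_space(output):
    """Return the attribute 232 value, or None if the row is missing."""
    match = ROW.search(output)
    return int(match.group(1)) if match else None


def gate(output):
    """Map CLI output to 'proceed' or 'contact-support'.

    A missing row and a value of exactly 20 both fail closed, because the
    page only clears values greater than 20.
    """
    value = reserved_space(output)
    if value is not None and value > THRESHOLD:
        return "proceed"
    return "contact-support"


# Constructed sample outputs (not captured from a real firewall).
HEALTHY = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH
  9 Power_On_Hours          0x0000   100   100   000
232 Available_Reservd_Space 0x0000   100   100   010
"""
WORN = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH
232 Available_Reservd_Space 0x0000   012   100   010
"""
BOUNDARY = "232 Available_Reservd_Space 0x0000   020   100   010\n"

if __name__ == "__main__":
    for name, text in (("healthy", HEALTHY), ("worn", WORN),
                       ("boundary", BOUNDARY), ("missing", "")):
        print(f"{name}: value={reserved_space(text)} -> {gate(text)}")
```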
Username in HTTP Header Insertion Entries
None.
Downgrading from PAN-OS 9.1 removes the dynamic fields header values containing the domain and username.
Dynamic User Groups
None.
Downgrading from PAN-OS 9.1 migrates existing dynamic user groups to XML API user groups, retaining all group members at the time of the downgrade. The firewall continues to enforce any policy rules that apply to these groups.
Option to Hold Web Requests During URL Category Lookup
If you have this feature enabled, upgrading to PAN-OS 9.1 from an earlier version disables this option. Configure URL Filtering to re-enable this feature.
If you have this feature enabled, downgrading from PAN-OS 9.1 to an earlier version disables this option.
URL Filtering BrightCloud Support
With PAN-OS 9.1, BrightCloud is no longer supported as a URL Filtering vendor. Before you can upgrade to PAN-OS 9.1, you’ll first need to contact your sales representative to convert your BrightCloud URL Filtering license to a PAN-DB URL Filtering license. Only upgrade to PAN-OS 9.1 after confirming that the PAN-DB URL Filtering license is active on your firewall.
Enhanced Logging for GlobalProtect
When upgrading to PAN-OS 9.1, any existing GlobalProtect logs stay in their current location; however, any new logs received after the upgrade are stored in their new locations and categorized by the new GlobalProtect log type. Any GlobalProtect logs collected after the upgrade will be lost when downgrading from PAN-OS 9.1 to an earlier version.
Identity Provider Certificate
(PAN-OS 9.1.3 or later)
Ensure that you configure the signing certificate for your SAML Identity Provider as the Identity Provider Certificate before you upgrade to PAN-OS 9.1.3 or later so that your users can continue to authenticate successfully. Always configure the Identity Provider Certificate when you configure your SAML authentication and, as a best practice, enable certificate validation when available.
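A pre-upgrade audit of an exported configuration can list SAML IdP server profiles that have no Identity Provider Certificate or have certificate validation turned off. This is an added example, not Palo Alto Networks code; the element names (`saml-idp`, `certificate`, `validate-idp-certificate`) are assumptions about the exported XML, and the sample configuration and profile names are constructed.

```python
import xml.etree.ElementTree as ET

MISSING_CERT = "no Identity Provider Certificate configured"
NO_VALIDATION = "IdP certificate validation not enabled"


def audit_saml_profiles(config_xml):
    """Return {profile_name: [issues]} for every SAML IdP server profile.

    Assumption: profiles are <saml-idp>/<entry name="..."> elements with
    <certificate> and <validate-idp-certificate> children.
    """
    report = {}
    root = ET.fromstring(config_xml)
    for profile in root.iterfind(".//saml-idp/entry"):
        issues = []
        if not (profile.findtext("certificate") or "").strip():
            issues.append(MISSING_CERT)
        if (profile.findtext("validate-idp-certificate") or "").strip() != "yes":
            issues.append(NO_VALIDATION)
        report[profile.get("name", "<unnamed>")] = issues
    return report


def ready_for_upgrade(report):
    """A missing certificate blocks the upgrade; disabled validation is
    reported as the best-practice item but does not block it."""
    return not any(MISSING_CERT in issues for issues in report.values())


# Constructed sample configuration (not taken from a real device).
CONFIG = """<config><shared><server-profile><saml-idp>
  <entry name="idp-ok"><certificate>idp-signing</certificate>
    <validate-idp-certificate>yes</validate-idp-certificate></entry>
  <entry name="idp-no-validate"><certificate>idp-signing</certificate>
    <validate-idp-certificate>no</validate-idp-certificate></entry>
  <entry name="idp-no-cert"><entity-id>https://idp.example.test</entity-id></entry>
</saml-idp></server-profile></shared></config>"""

if __name__ == "__main__":
    result = audit_saml_profiles(CONFIG)
    for name, issues in result.items():
        print(name, "->", issues or "ok")
    print("ready for 9.1.3 or later:", ready_for_upgrade(result))
```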
Log Storage Quota
On upgrade to PAN-OS 9.1, the firewall log storage quota (Device > Setup > Management > Logging and Reporting Settings) exceeds 100% of the total disk space available and causes commits to fail.
After you successfully upgrade a firewall to PAN-OS 9.1, modify the log storage quota to equal 100%.
  1. Select Device > Setup > Management > Logging and Reporting and modify the log storage quota.
  2. Commit the configuration changes.
    admin# commit force
Application Filters Using Tags
None.
Downgrading from PAN-OS 9.1 removes any tags applied to an application filter. This results in a commit failure if application filter tags were used.
Downgrading from a content release that includes tag support for specific apps results in a commit failure if those tags are used in an application filter.
Log Collectors
None.
PAN-OS 9.1 upgraded the Log Collector database.
You must contact Palo Alto Networks Support before you downgrade, so that they can assist with restoring the Log Collector database, if you are downgrading:
  • Panorama in Log Collector mode running PAN-OS 9.1.4 or a later PAN-OS 9.1 release.
  • Panorama in Panorama mode or Log Collector mode running PAN-OS 9.1.3 or an earlier PAN-OS 9.1 release.
Before you downgrade Panorama in Panorama mode running PAN-OS 9.1.4 or a later PAN-OS 9.1 release, you must back up the Log Collector database and then restore it after a successful downgrade.
  1. Log in to the Panorama CLI.
  2. Back up the local Log Collector database.
    Run the command below for corr, devmon, and mgmt.
    admin> request mongo backup instance <instance_name>
  3. Clear the entire database instance.
    Run the command below for corr, devmon, and mgmt.
    admin> debug mongo clear instance <instance_name>
  4. Downgrade from Panorama 9.1.
  5. Restore the local Log Collector database.
    Run the command below for corr, devmon, and mgmt.
    admin> request mongo restore instance <instance_name>