Upgrade/Downgrade Considerations

The following table lists the new features that have upgrade or downgrade impacts. Make sure you understand all potential changes before you upgrade to or downgrade from a PAN-OS 8.0 release. For additional information about PAN-OS 8.0 releases, refer to the PAN-OS 8.0 Release Notes.
After upgrading a PA-7000 Series firewall to 8.0, Panorama no longer considers it as a Log Collector. This means you will no longer be able to view your logs and reports from Panorama until you enable PA-7000 Series Firewall Log Forwarding to Panorama. Before upgrading, make sure you have a log collection infrastructure that will handle the logging rate and quantity of PA-7000 Series logs.
To ensure optimal performance for all new features, download and install the latest Applications and Threats, Antivirus, and WildFire content updates (the minimum content versions required for PAN-OS 8.0 are listed in the PAN-OS 8.0 Release Notes). As a best practice, enable the firewall to download and install new content updates as they become available.
PAN-OS 8.0 Upgrade/Downgrade Considerations (for each Feature below, the Upgrade Considerations and Downgrade Considerations are listed)
Hardware Security Modules
Downgrade: (PAN-OS 8.0.2 and later releases) To downgrade to a release earlier than PAN-OS 8.0.2, you must ensure that the master key is stored locally on Panorama or on the firewall, not on a hardware security module (HSM).
Log Query Acceleration on Panorama
Upgrade: When you upgrade Panorama and the Log Collectors to PAN-OS 8.0, logs generated from earlier PAN-OS versions will be unavailable when viewing charts on the ACC and when generating reports until you migrate the logs to the new format. To migrate existing logs to the new log format introduced in PAN-OS 8.0, refer to the upgrade step that ensures Panorama software and logs on Panorama and Log Collectors are updated as needed before you upgrade managed firewalls.
Because of the log query and reporting engine enhancements that speed up report generation and query execution, the logging rates on the M-Series appliances are lower than in previous Panorama releases. For maximum logging rates in PAN-OS 8.0, see Panorama Models.
PAN-OS 8.0 introduces two new log types (Palo Alto Networks Platform Logs and 3rd Party External Logs). On upgrade, 4% of the total disk space is allocated for the new log databases. As a result, if Panorama or the Dedicated Log Collector does not have 4% of total disk space free, the oldest logs are purged to make space available.
Downgrade: When you downgrade Panorama and the Log Collectors from Panorama 8.0, you will need to migrate logs back to the pre-8.0 format. This procedure will take approximately 24 hours for each 2TB of data. You cannot pause or stop the migration, so you will need to schedule a maintenance window to accommodate it. To downgrade, refer to Downgrade from Panorama 8.0.
IKE Peer and IPSec Tunnel Capacity Increases
Downgrade: The firewall prevents a downgrade if the number of IKE gateways or IPSec tunnels you are using in PAN-OS 8.0 exceeds the product limit for the release to which you are downgrading. To downgrade successfully in this case, first delete IKE peers or IPSec tunnels until the count is within the number supported in the downgraded release, and then downgrade. Alternatively, restore a compatible configuration and downgrade.
VM-Series Firewall Performance Enhancements
Upgrade: You must increase your VM-Series firewall allocated hardware resources before upgrading to PAN-OS 8.0. For more information about new minimum hardware requirements, see VM-Series System Requirements.
Downgrade: Downgrading from PAN-OS 8.0 to an older release returns VM-Series models to their pre-PAN-OS 8.0 capacities and performance levels. Downgrading a VM-50, VM-500, or VM-700 firewall is not supported.
Authentication for External Dynamic Lists
Upgrade: When you create or edit an external dynamic list hosted on a web server with an HTTPS URL, you must enable Authentication for External Dynamic Lists to commit your list changes.
Telemetry and Threat Intelligence Sharing
Upgrade:
  • The Statistics Service feature, available in PAN-OS 7.1 and earlier versions, is superseded by the Telemetry and Threat Intelligence feature in PAN-OS 8.0. Any Statistics Service settings you configured before upgrading are carried over to the Telemetry and Threat Intelligence Sharing tab.
  • If you enabled passive DNS monitoring on multiple firewalls through Panorama before upgrading to PAN-OS 8.0, passive DNS monitoring is disabled after you upgrade.
  • The service routes Palo Alto Updates and WildFire Public are merged into Palo Alto Networks Services.
Downgrade:
  • Any Telemetry and Threat Intelligence settings you configured before downgrading that are available in the Statistics Service feature are carried over.
  • If you enabled passive DNS monitoring in PAN-OS 8.0 (through the firewall or through Panorama) and downgrade to an earlier release, passive DNS monitoring is disabled.
  • The Palo Alto Networks Services service route is branched into Palo Alto Updates and WildFire Public. These two service routes will use the same settings previously configured for Palo Alto Networks Services.
External Dynamic List Enhancements
Upgrade: After you upgrade, you have the option to customize the service route that the firewall uses to retrieve an external dynamic list from the web server that hosts the list.
Downgrade:
  • If you have configured the firewall to use the External Dynamic Lists service route for retrieving external dynamic list updates in PAN-OS 8.0, it switches to the Palo Alto Updates service route upon downgrade. External Dynamic Lists is removed from the service route list.
  • Earlier PAN-OS versions support fewer external dynamic lists. Check that the total number of external dynamic lists on your firewall (both used and not used in policy) does not exceed the limit supported in the PAN-OS version to which your firewall will be downgraded. If it does exceed the limit, you will not be allowed to proceed with the downgrade until you reduce the number of external dynamic lists on the firewall to be within the limit.
Palo Alto Networks Malicious IP Address Feeds
Downgrade: Before downgrading to an earlier release, ensure that the Palo Alto Networks Malicious IP Address Feeds and custom external dynamic lists based on either of these feeds are not used in policy.
Globally Unique Threat IDs
Upgrade:
  • Because antivirus and DNS signatures now have globally unique IDs, the threat ID ranges that existed for these signatures in previous release versions no longer apply. If you have used antivirus and DNS threat ID ranges to build any custom logic, to create custom reports, or as part of an integration with a security information and event management (SIEM) solution, revisit those areas to see if you can leverage the new threat categories as a replacement for the ID ranges. See New Threat Categories and How to Use Them.
  • Antivirus and DNS threat exceptions are not migrated with the upgrade to PAN-OS 8.0. After upgrading to PAN-OS 8.0, reconfigure threat exceptions using the new, unique threat IDs (see New Threat Categories and How to Use Them).
Data Filtering Support for Data Loss Prevention (DLP) Solutions
Upgrade: A data pattern object defined with both regular expression patterns and social security number and credit card patterns is split into two data pattern objects following the upgrade to PAN-OS 8.0: one contains the regular expression patterns, the other contains the social security and credit card number patterns. Both resulting data pattern objects remain attached to the data filtering profiles the original object was configured with before the PAN-OS 8.0 upgrade. To learn more, take a First Look at New and Updated Data Filtering Options.
Tunnel-Mode on GlobalProtect Gateways
Downgrade: If you enable tunneling on a GlobalProtect internal gateway and then downgrade to an older release of PAN-OS, the gateway is removed and you must reconfigure the gateway after you downgrade.
If you saved a PAN-OS 7.1 configuration that includes tunnel-mode gateways and you want to restore the configuration, downgrade the firewall from PAN-OS 8.0 to PAN-OS 7.1 first, then select and commit the saved PAN-OS 7.1 configuration.
GlobalProtect External Gateways
Upgrade: For GlobalProtect agent configurations where you configured an external gateway with a Manual only priority (connections are not established automatically) and disabled Manual connections (users cannot manually switch to the gateway), GlobalProtect will add a Manual only priority rule and activate (enable) Manual connections when you upgrade. This allows users to manually switch to the gateway, which is required to support External Gateway Priority by Source Region.
GlobalProtect Portal Authentication
Upgrade: (PAN-OS 8.0.5 and later releases) After you upgrade to PAN-OS 8.0.5 or a later release, users who have endpoints with valid authentication override cookies but who were removed from the Allow List of authentication profiles cannot access GlobalProtect portals or gateways (internal or external). This prevents users with valid cookies but disabled accounts from accessing the portals and gateways.
Downgrade: (PAN-OS 8.0.5 and later releases) After you downgrade to PAN-OS 8.0.4 or an earlier release, user endpoints with valid authentication override cookies can access a GlobalProtect portal or gateway (internal or external) even if the corresponding user accounts were disabled and removed from the Allow List of authentication profiles. You must reconfigure policies (using dynamic block lists or source address/user lists) to prevent portal and gateway access in such cases.
Authentication Policy and Multi-Factor Authentication
Upgrade:
  • Upon upgrading, the firewall changes existing Captive Portal rules to Authentication rules. Within the Authentication rules, the Source User defaults to unknown and the Authentication Enforcement object defaults to one of the objects that the firewall creates automatically: default-browser-challenge, default-web-form, or default-no-captive-portal. Each Authentication rule uses the object that is equivalent to the Action option in the corresponding Captive Portal rule.
  • The firewall does not convert System logs that it generated for authentication events before the upgrade to the new Authentication log type after upgrading.
  • Panorama 8.0 cannot push Authentication rules to firewalls running PAN-OS 7.1 or earlier unless the rules reference one of the predefined Authentication Enforcement objects. Firewalls ingest the Authentication rules as Captive Portal rules with the Action derived from the Authentication Enforcement object.
Downgrade:
  • Upon downgrading, the firewall changes Authentication rules to Captive Portal rules with the Action derived from the Authentication Enforcement object.
  • Upon downgrading, the firewall discards Authentication logs.
GlobalProtect Included Access Route Capacity Enhancement
Upgrade: When you upgrade Panorama to version 8.0.2 or a later release, you cannot push templates containing 200 or more GlobalProtect include access routes to firewalls running PAN-OS 8.0.1 or earlier releases. To push more than 200 access routes, you must upgrade the firewalls to PAN-OS 8.0.2 or a later release. Otherwise, you must remove access routes from the template until there are 200 or fewer access routes.
Downgrade: When you downgrade a firewall to PAN-OS 8.0.1 or an earlier release, a GlobalProtect configuration with more than 200 include access routes will cause a commit failure. To resolve the issue, you must remove access routes until the configuration contains 200 or fewer access routes.
Selective Log Forwarding Based on Log Attributes
Upgrade:
  • When you upgrade the firewall, it creates a separate Log Forwarding profile for each log type and severity level that had a destination in the pre-upgrade profile. Each Log Forwarding profile that the firewall creates for a severity level will have the corresponding predefined Filter. For example, a pre-upgrade Log Forwarding profile that specifies destinations for Threat logs with High and Critical severities will become two profiles with the Filter set to (severity eq critical) in one profile and to (severity eq high) in the other.
  • When you upgrade the firewall, it creates a match list profile for each Device > Log Settings entry that specifies a destination. For entries that apply to specific severity levels, the match list profiles specify a predefined filter. For example, a pre-upgrade entry that specifies destinations for System logs with medium severity will become a match list profile with the Name set to system-medium and the Filter set to (severity eq medium).
Downgrade: Upon downgrading, the only log attribute that the firewall will preserve as a filter in Log Forwarding profiles and Device > Log Settings entries will be the log severity level.
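To make the two rules in this row concrete, the following is an added Python model (not Palo Alto Networks code): the upgrade split of each log type and severity into its own match-list entry carrying the predefined severity Filter, and the downgrade rule under which only the severity attribute survives. Applying the "system-medium" name scheme to every log type, the handling of log types that name no severity, and the sample destination names are assumptions.

```python
import re
from typing import Dict, List, Optional

# Filter form the page shows for the predefined severity filters, e.g. "(severity eq high)".
SEVERITY_FILTER = "(severity eq {sev})"
_SEVERITY_RE = re.compile(r"\(\s*severity\s+eq\s+(\w+)\s*\)", re.IGNORECASE)


def split_into_match_list(pre_upgrade: Dict[str, dict]) -> List[dict]:
    """Upgrade rule: one match-list entry per (log type, severity) that had a destination.

    pre_upgrade maps a log type to {"severities": [...], "destinations": [...]},
    i.e. one pre-8.0 Log Settings entry per log type.
    """
    profiles = []
    for log_type, entry in pre_upgrade.items():
        # Assumption: a log type with no severity (e.g. traffic) becomes a single
        # entry named after the log type with no severity Filter.
        for sev in entry["severities"] or [None]:
            profiles.append({
                "name": f"{log_type}-{sev}" if sev else log_type,
                "log_type": log_type,
                "filter": SEVERITY_FILTER.format(sev=sev) if sev else None,
                "destinations": list(entry["destinations"]),
            })
    return profiles


def preserved_severities(filter_expr: Optional[str]) -> List[str]:
    """Downgrade rule: severity is the only attribute that survives.

    Returns the severity values found in an 8.0 filter expression; every other
    term (action, zone, ...) is dropped, and an empty list means no filter remains.
    """
    if not filter_expr:
        return []
    return [m.lower() for m in _SEVERITY_RE.findall(filter_expr)]


def demo() -> List[dict]:
    # Constructed sample of a pre-upgrade Log Settings configuration.
    pre_upgrade = {
        "threat": {"severities": ["critical", "high"], "destinations": ["siem-syslog"]},
        "system": {"severities": ["medium"], "destinations": ["panorama"]},
    }
    return split_into_match_list(pre_upgrade)


if __name__ == "__main__":
    for p in demo():
        print(p["name"], p["filter"], p["destinations"])
    print(preserved_severities("(severity eq high) and (action eq deny)"))  # ['high']
```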
Log Forwarding from PA-7000 Series Firewalls to Panorama
Upgrade: After upgrading a PA-7000 Series firewall, Panorama no longer considers the firewall as a Log Collector and you will no longer be able to view logs and reports from Panorama until you enable log forwarding.
Before upgrading PA-7000 Series firewalls to PAN-OS 8.0, make sure your Log Collectors have enough capacity to support the log collection rates and volume of logs your PA-7000 Series firewalls will forward to Panorama. See the table in Panorama Models to determine your log collection requirements.
After you enable log forwarding to Panorama, the firewall forwards only new logs. To view log information on Panorama and generate reports from logs generated prior to enabling log collection, you must migrate existing logs to Panorama using a CLI command. See PA-7000 Series Firewall Log Forwarding to Panorama for more details.
Logging Enhancements on the Panorama Virtual Appliance
Upgrade: After upgrading, the Panorama virtual appliance remains in Legacy mode by default and can still support NFS log storage. However, after you switch to Panorama mode, the virtual appliance can no longer support NFS storage; you must then migrate the logs on the NFS to the Log Collectors.
Downgrade: Before downgrading, you must switch the Panorama virtual appliance from Panorama mode to Legacy mode. To store logs after switching the mode, you must use the old virtual disk or NFS storage that Panorama used for logging in Legacy mode.
Group-Based Reporting in Panorama
Upgrade: After upgrading Panorama, you must Enable reporting and filtering on groups in the Panorama settings (Panorama > Setup > Management) if you want to filter logs and generate reports based on user groups; the option is disabled by default. If you want to disable this feature for specific device groups, you must clear the Store users and groups from Master Device option in those device groups (Panorama > Device Groups); the option is enabled by default.
User-ID Syslog Monitoring Enhancements
Upgrade: After upgrading, you must set the Event Type to login for every existing Syslog Parse profile assigned to syslog senders in the Server Monitoring list (Device > User Identification > User Mapping).
Windows-based User-ID Agent
Upgrade: A PAN-OS 8.0 release of the Windows-based User-ID agent works with firewalls running a release earlier than PAN-OS 8.0.
Downgrade: After you uninstall the PAN-OS 8.0 Windows-based User-ID agent, perform the workaround described in Downgrade a Windows Agent from PAN-OS 8.0 before you install an earlier agent release.
NSX VM-Series Configuration Through Panorama
Upgrade:
  • If you are running NSX Manager 6.2.3 or earlier, create an SSL TLS Profile to allow TLS version 1.0 before upgrading from 7.1.x to 8.0. No SSL TLS profile is required when running NSX Manager 6.2.4 or later.
  • After you upgrade Panorama from a 7.1 release to a Panorama 8.0 release, the Service Manager on Panorama is out of sync. Executing a manual NSX Config-sync renames the service profile by adding the service definition name as a prefix of the service profile name. For example, a service profile called PAN_NSX_1 with a service definition called PAN-SD-1 in a 7.1 release is renamed PAN-SD-1_PAN_NSX_1 in the 8.0 release.
Packet Buffer Protection and Zone Protection Profile
Downgrade: If you enable Packet Buffer Protection or you configure a Zone Protection profile with basic evasion protection or strict evasion protection, and downgrade to a PAN-OS 7.1 release, the downgrade fails with auto-commit errors.
If you saved a PAN-OS 7.1 configuration before upgrading, select the PAN-OS 7.1 configuration when downgrading. This removes the Packet Buffer Protection configuration and allows downgrade to complete successfully.
ECMP Enhancement to IP Hash (PAN-OS 8.0.3 and later releases)
Downgrade: If the ECMP IP Hash setting is configured to Use Source Address Only and you want to downgrade from PAN-OS 8.0.3 (or a later release) to PAN-OS 8.0.2 or an earlier PAN-OS 8.0 release, first save your PAN-OS 8.0.3 (or later) running configuration. Then perform the downgrade and, after the downgrade is complete, reload your saved configuration and Commit.
