
how to downgrade pan os from 9.1.11 to 9.0.10.


Hi Fellas,

 

Can somebody guide me on the subject downgrade process?

Long story short, I have received new PA units. I want to go live with the new one. But the new one is sitting @ PAN OS version 9.1.11.

While the old unit, which is still in production, is running on PAN OS 9.0.10.

I know it's easy to upgrade the older firewall to 9.1.11. But sadly our support for the old unit has expired; if any issue occurs during the upgrade process, the support team will not provide support.

I was looking @ the downgrade process. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-pan-os/downgrade-pan-os/downgra...

But I am confused about the downgrade path.

The new unit is still in standby mode, not even connected to the internet. So, I have to manually download the image files and update the firewall.

I am confused about the downgrade path here.

Can someone guide me with the downgrade path and steps?

 

@kiwi mate, can you help me with this process?

1 accepted solution

Accepted Solutions

Hey @sabi4evr_com ,

 

Understood. My suggestion was to export the config, convert it for 9.1 and load it to the new device. You don't need to upgrade the old one. One way that I would do this is by reviewing the exported config and probably converting it manually - the bulk configuration (objects and rules) should be identical.

But this really depends on your environment, how heavy your configuration is and how easy it is for you to plan maintenances.

Back to your question - I cannot remember that I had the need to downgrade, but since the new firewall won't have any configuration and is not processing any traffic, it should be straightforward.

- It will be much easier if you can connect FW mgmt to the Internet and activate the licenses (this will allow you to download and load both the 9.0.0 base image and the latest maintenance image (9.0.x)).

- If you need to do it manually, download base image 9.0.0 from the support portal and upload it to the FW. Install and reboot the FW.

- Once booted, download the latest 9.0.x maintenance image and upload it to the FW. Install and reboot.

- Once booted, you should be able to export the running config from the old FW, import it to the new device, and load and commit it.

If I am not mistaken, most of the downgrade considerations are related to the firewall config migration from 9.0 to 9.1, but since your new device is "empty" you don't really care what will happen with the config. And if I remember correctly, when you manually upload images you can have only one at a time, so you need to upload the base image, install it and only then upload and install the maintenance release you are targeting (in your case 9.0.11).
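The install order described in this answer, written out as an added example (not code from the thread or from Palo Alto Networks): it plans the images for a manual install and checks that an exported config's feature release matches the device before it is loaded. The function names, the `version` attribute read from the `<config>` root and the sample XML are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# Constructed sample standing in for the first line of an exported running config.
SAMPLE_CONFIG = '<config version="9.0.0" urldb="paloaltonetworks"><devices/></config>'

def parse_version(text):
    """Split a string such as '9.1.12-h3' into (major, minor, maintenance, hotfix)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)

def feature_release(text):
    """Return the feature release, e.g. '9.0' for '9.0.10'."""
    major, minor, _, _ = parse_version(text)
    return f"{major}.{minor}"

def plan_manual_install(running, target):
    """Images to upload and install in order, one at a time, rebooting after each."""
    running, target = running.strip(), target.strip()
    if parse_version(running) == parse_version(target):
        return []  # already on the target version
    base = f"{feature_release(target)}.0"
    steps = []
    # Changing feature release: the x.y.0 base image goes on first.
    if feature_release(running) != feature_release(target):
        steps.append(base)
    # Then the maintenance release, unless the base image itself is the target.
    if target != base or not steps:
        steps.append(target)
    return steps

def config_matches_device(config_xml, device_version):
    """True when the exported config's feature release equals the device's."""
    root = ET.fromstring(config_xml)
    cfg_version = root.get("version")
    if root.tag != "config" or cfg_version is None:
        raise ValueError("no <config version=...> root element found")
    return feature_release(cfg_version) == feature_release(device_version)

if __name__ == "__main__":
    print(plan_manual_install("9.1.11", "9.0.10"))
    print(config_matches_device(SAMPLE_CONFIG, "9.1.11"))
```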

 


5 REPLIES

Hi @sabi4evr_com ,

 

Not very clear to me: why do you want to downgrade?

From what I understand, you will replace the old device with the new one. Why don't you want to start using the new device with 9.1?

In my humble opinion it is better to put in a little more effort now by migrating the existing config to 9.1 so you can import it to the new device.

9.0 will be End-of-Life at the beginning of March, so why don't you save yourself additional maintenance and do the upgrade and hardware replacement in one shot?

@aleksandar.astardzhiev Hi there.

 

Why don't you want to start using the new device with 9.1?

>> I have the old unit running with full configurations on version 9.0.10. So, if I want to export and import all the configurations from one device to another, both versions should match.

In my humble opinion it is better to put in a little more effort now by migrating the existing config to 9.1.

>> Very true, I am just worried about the support. The support has expired for this unit. So, I am very sure that if for some reason the device didn't boot or crashed, they won't support it. It has happened, though. One of my old units crashed and couldn't be recovered, but yes, the support was active and helped out at that time.

My plan was to downgrade and restore the backup and then upgrade to the latest stable version.

 


@aleksandar.astardzhiev Thanks dear. I did the migration and was busy with some other tasks, hence the late reply.

Just curious to know about this though. "My suggestion was to export the config, convert it for 9.1 and load it to the new device. You don't need to upgrade the old one. "

How do you convert the configuration from one version to another? Any tool?

If someone else has to follow the thread later in future, below are the steps I have done.

1. Downgraded the new firewall to the same version as the current firewall version

2. As the device is new, you can either configure your management port to reach the internet and then download the images, or download them manually from the Palo Alto website to upload the base image files and then the required patch file

3. The downgrade process is as simple as the upgrade process, just follow the GUI to install the image files

4. Restore the latest configuration from the current unit to the new one

5. Connect the cables one by one from the old to the new unit

6. Reboot the device and make sure it's up and running

But after the final restart it was noticed that the FW device was not coming online. The device was up and I could log in via SSH, but the login pages and the network were not up and running.

No blinks for status lights or interface lights.

Looking at the services, it was noticed that some cdb service was stopped. Also, the auto commit was failing.

Came to realize that this is a known issue when downgrading devices from a higher to a lower version.

The article explains the technical reason: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oMArCAM&lang=en_US%E2%80%A...

I was able to get the device online by running the below command, which worked in my scenario.

debug management-server client disable cord

While committing you will get some error mentioning that the commit failed.

I believe you have to go into configure mode and then do a force commit.

Once the commit is done, the interfaces should come up and so should the network.

As soon as it's live, update the dynamic and other updates.

But this won't fix the issue; restarting the device brought back the same issue.

The issue was properly fixed when we upgraded the firewall version from 9.0.10 to 9.1.12-h3.

I believe these issues are common while downgrading and can be fixed by upgrading the PAN OS.

 

 
