PAN-OS 6.x to 7.x Issues


L1 Bithead

We currently have Panorama with a total of 2 HA Pairs (PA3050's and PA3020's) deployed. We are planning to use Panorama to upgrade from our current 6.x software to 7.x. Here are some general questions that perhaps someone who has done this before can answer:

  1. What would be a good estimate for how long the upgrade takes?
  2. Did anyone run into any major issues? If so what?
  3. How stable is the 7.x environment?


Doug Hogue, Sr. Telecommunication/Network Security Analyst
UniFirst Corporation


L1 Bithead

The upgrade depends on if you are on 6.0.x or 6.1.x.  If you are on 6.0.x, you will need to go to 6.1.x first, and then to 7.0.x, so it will be two upgrades. 


We did the upgrade in December from 6.0.x to 7.0.x, and it probably took a couple of hours per pair. Didn't run into any major issues. I think there were some SSL decryption bugs in 7.0.3, but I believe those were resolved in 7.0.4 and newer. It's been stable for us so far.


Hard to say if you would have any issues in your environment.  I would check the features you use against the release notes to see if there are any bugs that would impact you.

L2 Linker

We upgraded an HA pair of PA-3050's to 7.0.4 in January. We use Panorama for configuration/logging, but have done all software upgrades directly in the firewall contexts. Upgrade was very quick. Did Panorama during the day. (For us, since we have a 2TB logging volume, we always have to plan time for the disk checks if we have not upgraded or rebooted in 6 months. This adds an hour and a half to our Panorama upgrade times.) Actual firewall upgrades were less than 30 minutes per device, including backups. Out of paranoia, since 7.0.4 had not been out long and 7.0.3 and earlier had had major issues for some customers, we held a couple of days with the HA pair half upgraded, running on 7.0.4. We had no major issues. The three issues we hit were:


1.  The Global Protect client false password expiration warning (just an annoyance, fixed in 7.0.5)

2.  Management Client fails to timeout (fixed in 7.0.5)

3. Weird issue with the firewall intermittently failing to properly APP-ID IMAPS traffic as SSL. (All external IMAPS traffic to one mail server is reported as unknown-TCP at intervals and then it mysteriously starts properly identifying as SSL again.) We have an open ticket with support on this one and worked around it by adding a special rule to allow unknownTCP to this server on the IMAPS port.


There are a bunch of nice new things in 7.0. My only complaint is that ACC seems way less usable, but maybe I just don't understand the design intent of the new UI. We are updating to 7.0.5h2 tonight for the security fixes and to fix the two annoyances above.


Good luck,



Don't go from 6.x to anything above 7.0.2 directly. Starting with 7.0.3, the upgrade script was changed and broke some of the migration efforts. If you do that, the newly created SSL/TLS profiles are messed up and support has to modify the XML code and move it around. This is due to them assuming everyone runs in shared and not vsys1, even if you only have a single one. We had this happen on the 5060 for a customer. You can upgrade to 7.0.2 and then safely go to above that. The fix for this code is in 7.0.6 and was supposed to be replaced on 3/1 which it has not yet.
