Panos

Upgrade to PAN-OS 7.
PAN-OS New
Features Guide
Version 7.1
Copyright 2007-2015 Palo Alto Networks
Contact Information
Corporate Headquarters:
Palo Alto Networks

4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-us
About this Guide

This guide describes how to use the new features introduced in PAN-OS 7.1. For additional information, refer to the
following resources:
For information on the additional capabilities and for instructions on configuring the features on the firewall,
refer to https://www.paloaltonetworks.com/documentation.
For access to the knowledge base and community forums, refer to https://live.paloaltonetworks.com.
For contacting support, for information on support programs, to manage your account or devices, or to open a
support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
For the most current PAN-OS and Panorama 7.1 release notes, go to
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os-release-notes.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.
Palo Alto Networks, Inc.

www.paloaltonetworks.com
2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found
at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their
respective companies.
Revision Date: April 18, 2016
2 PAN-OS 7.1 New Features Guide
Upgrade to PAN-OS 7.1
Upgrade/Downgrade Considerations
Upgrade the Firewall to PAN-OS 7.1
Downgrade from PAN-OS 7.1
PAN-OS 7.1 New Features Guide 7
Table: PAN-OS 7.1 Upgrade/Downgrade Considerations lists the new features that have upgrade or
downgrade impacts. Make sure you understand all potential changes before you upgrade to or downgrade
from PAN-OS 7.1. For additional information about this release, refer to the PAN-OS 7.1 Release Notes.
Table: PAN-OS 7.1 Upgrade/Downgrade Considerations
Feature
Upgrade Considerations
Downgrade Considerations
Role Privileges for

Commit Types
If the permission for any commit type is

disabled in a Panorama Admin Role profile,
the permissions for all commit types are
disabled for that profile after a downgrade.
User Group Capacity

Increase
Before downgrading a PA-5060 or PA-7000

Series firewall that has the multiple virtual
systems capability disabled and that uses
more than 640 distinct user groups in
policies, you must reduce the number of
groups to 640 or less.
User-ID WMI Client

Probing
In PAN-OS 7.0 and earlier releases, client

probing that uses Windows Management
Instrumentation (WMI) includes all public
and private IPv4 and IPv6 addresses by
default. However, after you upgrade to
PAN-OS 7.1, the default for WMI probing is
to exclude public IPv4 addresses. (Public
IPv4 addresses are those outside the scope
of RFC 1918 and RFC 3927). To use WMI
probing for public IPv4 addresses after the
upgrade, you must add their subnetworks to
the User-ID agent Include Networks list.
8TB Disk Support on the

Panorama Virtual
Appliance
After you upgrade to Panorama 7.1, the

Panorama virtual appliance will continue
using only 2TB of any existing virtual disk
that exceeds that capacity. After upgrading,
you must manually add a virtual disk of up to
8TB before Panorama can use more than the
2TB limit.
If you added a virtual disk of more than 2TB

to the Panorama virtual appliance, you must
remove the disk before you can downgrade
to a release earlier than Panorama 7.1.
Feature
Federal Information
Processing Standard
(FIPS) Mode
If your firewall is running a PAN-OS 6.1 or

earlier release and is in FIPS mode, you must
Enable FIPS and Common Criteria Support
using Set CCEAL4 Mode before you upgrade
to PAN-OS 7.0.1 or a later release. If you do
not change to CCEAL4 mode before you
upgrade, the firewall will enter maintenance
mode because FIPS mode is not supported
as of PAN-OS 7.0.1.
After you change from FIPS mode to
CCEAL4 mode, you will need to
import the saved configuration
backup that you created prior to the
mode change. If the configuration
contains IKE and IPSec crypto
profiles that use 3DES, you will need
to delete the profiles and create new
profiles using AES because 3DES is
not supported in CCEAL4 mode.
DES Support for Crypto

Profiles
When downgrading to an earlier PAN-OS

version, the following actions occur:
DES is removed from the crypto profile. If
DES was the only encryption type in the
crypto profile, then DES is converted to
3DES.
If DES was used in an IPSec tunnel
configuration that used a manual key, the
IPSec tunnel entry is removed from the
configuration. After a reboot, any such
IPSec tunnels no longer exist in the
running configuration.
Custom Application
Signatures
Before downgrading to a release earlier than

PAN-OS 7.0, you must remove any custom
application signatures that have the
following settings:
Operator set to Greater Than or Less
Than
Operator set to Equal To and a Context
set to any value besides
unknown-req-tcp, unknown-rsp-tcp,
unknown-req-udp, or unknown-rsp-udp
Sinkholing of DNS
Signatures
After you upgrade, all Palo Alto Networks

DNS signatures are enabled by default. The
default action for the DNS Signatures is
sinkhole, and the sinkhole IP address is a
Palo Alto Networks server (71.15.192.112).
This IP address is not static and can change
because it is pushed using Palo Alto
Networks content updates.
Feature
Support for
Multi-Tenancy and
Multiple Policy Sets on
the VM-Series NSX
Edition Firewall
If you configured the VMware Service

Manager on Panorama, note the following
changes that occur after you upgrade to
Panorama 7.1:
The VMware Service Manager
configuration that is required for enabling
communication between Panorama and
the NSX Manager is separated from the
Service Definition.
A new Service Definition named Palo
Alto Networks NGFW is created. This
service definition includes the
configuration for deploying VM-Series
firewalls. It also includes a template,
device group, link to the OVA for the
PAN-OS version, and the auth codes you
configured on the VMware service
manager in the earlier version. If you did
not create a template in the earlier
version, then a default template called
NSX_TPL is created for you.
A zone called Palo Alto Networks profile 1
is auto-generated within the template. On
a Template and Device Group Commit,
the VM-Series firewalls will generate a
pair of virtual wire subinterfaces
(ethernet1/1.2 and ethernet1/2.2) and
bind the pair to this new zone.
All existing policy rules are retained with
source and destination zone set to any.
These rules are functional and you do not
need to modify the rules.
External Dynamic List for After you upgrade, Dynamic Block List for IP
IP Addresses
addresses are renamed to External Dynamic
List of Type IP Address. The earlier
maximum limit 10 Dynamic Block Lists for IP
addresses has changed in PAN-OS 7.1. On
each firewall platform, you can now
configure a maximum of 30 unique sources
for External Dynamic Lists of type IP
address, URL or Domain. The firewall does
not impose a limit on the number of lists of a
specific type.
The PA-5000 Series and the PA-7000 Series
firewalls support a maximum of 150,000
total IP addresses; all other platforms
support a maximum of 50,000 total IP
addresses. No limits are enforced for the
number of IP addresses per list. When the
maximum supported IP address limit is
reached on the firewall, the firewall
generates a syslog message.
Feature
PA-3000 Series and

When you upgrade to PAN-OS 7.1, the ARP
PA-500 Firewall Capacity table capacity automatically increases. To
Increases
avoid a mismatch when upgrading a pair of
HA firewalls, you should upgrade both HA
peers within a short period of time. You
should also clear the ARP cache (clear arp)
on both HA peers before you upgrade.

How you upgrade to PAN-OS 7.1 depends on whether you have standalone firewalls or firewalls in a high
availability (HA) configuration and, for either scenario, whether Panorama manages your firewalls. Review
the PAN-OS 7.1 Release Notes and then follow the procedure specific to your configuration:
Upgrade Firewalls Using Panorama
Upgrade a Firewall to PAN-OS 7.1
Upgrade an HA Firewall Pair to PAN-OS 7.1

When upgrading firewalls that you manage with Panorama or firewalls that are configured to
forward content to a WF-500 appliance, you must first upgrade Panorama and its Log Collectors
and upgrade the WF-500 appliance, before upgrading the firewalls.

Review the PAN-OS 7.1 Release Notes and then use the following procedure to upgrade firewalls that
Panorama manages. This procedure applies to standalone firewalls and firewalls deployed in a high
availability (HA) configuration.
When upgrading firewalls that you manage with Panorama, you must upgrade Panorama and its
Log Collectors before you upgrade the firewalls.

Step 1
Step 2
1.
Save a backup of the current
configuration file on each managed
firewall you plan to upgrade.
Although the firewall
automatically creates a
2.
configuration backup, it is a best
practice to create and externally
store a backup before you
upgrade.
Install the content updates.
Make sure the firewalls you plan
to upgrade are running content
release version 564 or later.
Log in to Panorama, select Panorama > Setup > Operations,

and Export Panorama and devices config bundle to generate
and export the latest configuration backup of Panorama and
of each managed device.
Save the exported file to a location external to the firewall.
You can use this backup to restore the configuration if you
have problems with the upgrade.
1.
Select Panorama > Device Deployment > Dynamic Updates.
2.
Check Now (located in the lower left-hand corner of the

window) to check for the latest updates. If an update is
available, the Action column displays a Download link.
3.
Download the desired version. After a successful download,

the link in the Action column changes from Download to
Install.
4.
Click Install, select the devices on which you want to install

the update, and click OK.
Upgrade Firewalls Using Panorama (Continued)

Step 3
Step 4
1.
Determine the software upgrade path.
You cannot skip installation of any major
release versions in the path to your
target PAN-OS release. For example, if
2.
you intend to upgrade from PAN-OS
3.
6.0.13 to PAN-OS 7.1.1, you must:
Download and install PAN-OS 6.1.0
and reboot.
and reboot (7.0.1 is the base image for
the 7.0 release; not 7.0.0).
Download PAN-OS 7.1.0 (you do not
need to install it).
and reboot.
To access the web interface of the firewall you intend to

upgrade, use the Context drop-down in Panorama or log in to
the firewall directly.
Download the software updates.
1.
On Panorama, select Panorama > Device Deployment >

Software and Check Now for the latest updates. If an update
is available, the Action column displays a Download link.
2.
Download the file or files that correspond to the Platform of

the firewalls to which you are upgrading and the version to
which you need to upgrade (including any intermediate major
release versions). You must download a separate installation
file for each platform you intend to upgrade. For example, to
upgrade your PA-3050 firewalls and PA-5060 firewalls to
7.1.0, download the images that have filename
PanOS_3000-7.1.0 and PanOS_5000-7.1.0. After a successful
download, the Action column changes to Install for that
image.
Select Device > Software.

Check which version has a check mark in the Currently
Installed column and proceed as follows:
If PAN-OS 7.0.1 or later is currently installed, continue to
Step 4.
If a version earlier than PAN-OS 7.0.1 is currently installed,
follow the upgrade path to 7.0.1 before you upgrade to 7.1.
Refer to the Release Notes for your currently installed
PAN-OS version for upgrade instructions.
Upgrade Firewalls Using Panorama (Continued)

Step 5
Install the software updates on the

firewalls.
To avoid downtime when
updating the software on
firewalls in an HA configuration,
update one peer at a time.
For firewalls in an active/active
configuration, it doesnt matter
which HA peer you update first.
For an active/passive
configuration, you must update
the passive peer first, suspend
the active peer (fail over), update
the active peer, and then return
the active peer to a functional
state (fail back).
Perform the steps that apply to your firewall deployment:

Non-HA firewallsClick Install in the Action column for the
appropriate update, select all firewalls for which you intend to
update, Reboot device after install, and click OK.
Active/active HA firewalls:
a. Click Install, clear Group HA Peers, select either of the HA
peers, Reboot device after install, and click OK. Wait for
the firewall to finish rebooting before you proceed.
b. Click Install, clear Group HA Peers, select the HA peer that
you didnt update in the previous step, Reboot device after
install, and click OK.
Active/passive HA firewallsIn this example, the active firewall
is named fw1 and the passive firewall is named fw2:
a. Click Install in the Action column for the appropriate
update, clear Group HA Peers, select fw2, Reboot device
after install, and click OK. Wait for fw2 to finish rebooting
before you proceed.
b. Access fw1, select Device > High Availability > Operational
Commands, and Suspend local device.
c. Access fw2 and, on the Dashboard High Availability widget,
verify that the Local firewall state is active and the Peer
firewall is suspended.
d. Access Panorama, select Panorama > Device Deployment >
Software, click Install in the Action column for the
appropriate update, clear Group HA Peers, select fw1,
Reboot device after install, and click OK. Wait for fw1 to
finish rebooting before you proceed.
e. Access fw1, select Device > High Availability > Operational
Commands, and click Make local device functional. Wait
two minutes before you proceed.
f. On fw1, select the Dashboard tab and, in the High
Availability widget, verify that the Local firewall state is
active and the Peer firewall is passive.
Step 6
Verify the software and content release

version running on each managed
firewall.
1.
On Panorama, select Panorama > Managed Devices.
2.
Locate the firewalls and review the content and software

versions in the table.

Review the PAN-OS 7.1 Release Notes and then use the following procedure to upgrade a firewall not in an
HA configuration to PAN-OS 7.1.
When upgrading firewalls configured to forward content to a WF-500 appliance, you must first upgrade the
WF-500 appliance to PAN-OS 7.1 before upgrading the connected firewalls.
Ensure the devices are connected to a reliable power source. A loss of power during an upgrade
can make the devices unusable.
Upgrade PAN-OS
Step 1
Step 2
Step 3
1.
configuration file.
2.
automatically creates a
configuration backup, it is a best
3.
upgrade.
Make sure the firewall is running content 1.
release version 564 or later.
2.
Select Device > Setup > Operations and Export named

configuration snapshot.
Select the XML file that contains your running configuration
(for example, running-config.xml) and click OK to export the
configuration file.
Select Device > Dynamic Updates.
Check the Applications and Threats or Applications section
to determine what update is currently running.
3.
If the firewall is not running the minimum required update,

Check Now to retrieve a list of available updates.
4.
Locate and Download the appropriate update.
5.
After the download completes, Install the update.
1.
Determine the upgrade path.
You cannot skip installation of any major 2.
releases in the path to your target
PAN-OS version. Therefore, if you intend
to upgrade to a version that is more than
one major release away, you must still
download, install, and reboot the firewall
for each intermediate major release
along the upgrade path.
For example, if you want to upgrade from
PAN-OS 6.0.13 to PAN-OS 7.1.1, you
must:
and reboot.
the 7.0 release, not 7.0.0).
and reboot.

If PAN-OS 6.1.0 or a later release is currently installed,
continue to Step 4.
If only a version of PAN-OS prior to 6.1.0 is currently
installed, you must follow the upgrade path to 6.1.0 before
you can upgrade to 7.1. Refer to the Release Notes for your
currently installed PAN-OS version for upgrade
instructions.
Upgrade PAN-OS (Continued)

Step 4
Step 5
Install PAN-OS 7.1.

If your firewall does not have
Internet access from the
management port, you can
download the software update
from the Palo Alto Networks
Support Portal. You can then
manually Upload it to your
firewall.
1.
Check Now for latest updates.
2.
Locate and Download the version to which you intend to

upgrade.
3.
4.
After the installation successfully completes, reboot using one

of the following methods:
If you are prompted to reboot, click Yes.
If you are not prompted to reboot, select Device > Setup >
Operations and Reboot Device (Device Operations
section).
Verify that the firewall is passing traffic.
Select Monitor > Session Browser.
Upgrade an HA Firewall Pair to PAN-OS 7.1

Review the PAN-OS 7.1 Release Notes and then use the following procedure to upgrade a pair of firewalls
in a high availability (HA) configuration. This procedure applies to both active/passive and active/active
configurations.
When upgrading peers in an HA configuration, you must upgrade each firewall separately. Consequently,
there is a period of time when PAN-OS versions differ on the individual firewalls in the HA pair. If you have
session synchronization enabled, this will continue to function during the upgrade process as long as you are
upgrading from one feature release to the next consecutive feature release, PAN-OS 7.0.x to PAN-OS 7.1
in this case. If you are upgrading the pair from an older feature release of PAN-OS, session syncing between
the firewalls will not work and, if a failover occurs before both firewalls are running the same version of
PAN-OS, session forwarding could be impacted. In this case, if session continuity is required, you must
temporarily permit non-syn-tcp while the session table is rebuilt as describe in the following procedure.
Ensure the devices are connected to a reliable power source. A loss of power during an upgrade
can make the devices unusable.
When you upgrade to PAN-OS 7.1, the ARP table capacity automatically increases. To avoid a
mismatch, you should upgrade both peers within a short period of time. You should also clear the
ARP cache (clear arp) on both peers before you upgrade.
Upgrade PAN-OS
Step 1

configuration file.
automatically creates a backup of
the configuration, it is a best
upgrade.
Perform these steps on each firewall in the pair:

1.

2.

configuration file.
3.


Step 2
Step 3
Step 4
Make sure each device is running

content release version 564 or later.
1.
Select Device > Dynamic Updates.
2.
Check the Applications and Threats or Applications section

to determine what update is currently running.
3.
If the firewall is not running the minimum required update,

Check Now to retrieve a list of available updates.
4.
Locate and Download the content release version you intend

to install.
5.
1.
Determine the upgrade path.
You cannot skip installation of any major 2.
releases in the path to your desired
PAN-OS version. Therefore, if you intend
to upgrade to a version that is more than
one major release away, you must
download, install, and reboot the firewall
for each intermediate major PAN-OS
releases along the upgrade path.
For example, if you want to upgrade from
PAN-OS 6.0.13 to PAN-OS 7.1.1, you
must:
and reboot.
the 7.0 release; not 7.0.0).
and reboot.
Install PAN-OS 7.1 on the passive device
(active/passive) or on the
active-secondary device (active/active).
firewall.

If PAN-OS 6.1.0 or a later release is currently installed,
continue to Step 4.
If only a version of PAN-OS prior to 6.1.0 is currently
installed, you must follow the upgrade path to 7.0.1 before
you can upgrade to 7.1. Refer to the Release Notes for your
currently installed PAN-OS version for upgrade
instructions.
1.
Check Now for the latest updates.
2.

upgrade.
3.
4.
After the installation completes successfully, reboot using one

section). After the reboot, the device will not be functional
until the active/active-primary device is suspended.

Step 5
Step 6
Suspend the active/active-primary

firewall.
Install PAN-OS 7.1 on the other peer in

the pair.
firewall.
1.
On the active (active-passive) or active-primary (active-active)

peer, select Device > High Availability > Operational
Commands.
2.
Suspend local device.
3.
Select Dashboard and verify that the state of the passive

device changes to active in the High Availability widget.
4.
Verify that the firewall that took over as active (or

active-primary) and is passing traffic (Monitor > Session
Browser).
5.
(Optional) If you have session synchronization enabled and

you are not upgrading directly from PAN-OS 6.1.x, run the
set session tcp-reject-non-syn no operational
command. This will rebuild the session table so that sessions
that started prior to the upgrade will continue.
1.
Check Now for the latest updates.
2.

upgrade.
3.
4.

Operations and Reboot Device in the Device Operations
section. After the reboot, the device will not be functional
until the active/active-primary device is suspended.
5.
(Optional) If you configured the firewall to temporarily allow

non-syn-tcp traffic in order to enable the firewall to rebuild
the session table in Step 4, revert back by running the
set session tcp-reject-non-syn yes command.
If the preemptive option is configured, the current
passive peer will revert to active when state
synchronization is complete.

Step 7
Verify that the firewalls are passing

traffic as expected.
In an active/passive deployment, the
active peer (only) should be passing
traffic while both peers should be
passing traffic in an active/active
deployment.
Run the following CLI commands to confirm that the upgrade

succeeded:
(Active peer(s) only) To verify that active peers are passing
traffic, run the show session all command.
To verify session synchronization, run the show
high-availability interface ha2 command and make sure
that the Hardware Interface counters on the CPU table are
increasing as follows:
In an active/passive configuration, only the active peer
show packets transmitted and the passive device will only
show packets received.
If you have enabled HA2 keep-alive, the hardware
interface counters on the passive peer will show
both transmit and receive packets. This occurs
because HA2 keep-alive is bidirectional which
means that both peers transmit HA2 keep-alive
packets.
In an active/active configuration, you will see
packets received and packets transmitted on both
peers.

The way you downgrade from PAN-OS 7.1 depends on whether you are downgrading to a previous feature
release (where the first or second digit in the PAN-OS version changes, for example 7.1 to 7.0 or 6.0 to 5.0)
or you are downgrading to a maintenance release within the same feature release version (where the third
digit in the release version changes, for example, from 7.1.1 to 7.1.0). When downgrading from one feature
release to an earlier feature release, the configuration may be migrated to accommodate new features.
Therefore, before downgrading you must restore the configuration for the feature release to which you are
downgrading. You can downgrade from one maintenance release to another within the same feature release
without having to worry about restoring the configuration:
Downgrade to a Previous Maintenance Release
Downgrade to a Previous Feature Release
Downgrade While Maintaining Enhanced Capacities on PA-3050 Firewalls and PA-3020 Firewalls
Always downgrade into a configuration that matches the software version. Unmatched software
versions and configurations can result in failed downgrades or force the system into maintenance
mode. This only applies to a downgrade from one feature release to another (for example 7.1.1 to
7.0.9), not to downgrades to maintenance releases within the same feature release version (for
example, 7.1.1 to 7.1.0).
If you have a problem with a downgrade, you may need to enter maintenance mode and reset the
device to factory default and then restore the configuration from the original config file that was
exported prior to the upgrade.

Because maintenance releases do not introduce new features, you can downgrade to a previous
maintenance release in the same feature release without having to restore the previous configuration. A
maintenance release is a release in which the third digit in the release version changes, for example a
downgrade from 7.1.1 to 7.1.0 is considered a maintenance release downgrade because only the third digit
in the release version is different.
Use the following procedure to downgrade to a previous maintenance release within the same feature
release.
Step 1
Step 2
1.
configuration file.
2.
practice to create a backup
3.
before you downgrade and store
it externally.
Install the previous maintenance release
image.
firewall.

configuration file.
Save the exported file to a location external to the firewall. You
can use this backup to restore the configuration if you have
problems with the downgrade.
1.
Select Device > Software and Check Now for available images.
2.
Locate the version to which you want to downgrade. If the

image is not already downloaded, then Download it. (If the
image is already downloaded, you can skip this step.)
3.
After the download completes, Install the image.
4.

Operations and Reboot Device (Device Operations section).

This procedure will restore your device to the configuration that was running before you upgraded to a
different feature release. Any changes made since the upgrade are lost so it is important to back up your
current configuration so you can restore those changes when you return to the newer feature release.
Downgrades from PAN-OS 7.1 to any version earlier than PAN-OS 5.0.5 is not supported
because the log management subsystem has been significantly enhanced between PAN-OS 5.0
and PAN-OS 6.0. Because of the changes implemented in the log partitions, a firewall that is
downgraded to PAN-OS 5.0.4 and earlier releases cannot accurately estimate the disk capacity
available for storing logs and the log partition can reach maximum capacity without a user
notification. Such a situation allows the log partition to reach 100% capacity, which results in a
loss of logs.
Use the following procedure to downgrade to a previous feature release.

Step 1
Step 2
1.
configuration file.
2.
practice to create a backup
3.
before you upgrade and store it
externally.
Install the previous feature release
image.
Autosave versions are created
when you upgrade to a new
release beginning with PAN-OS
4.1. If you are downgrading to a
release prior to PAN-OS 4.1, you
may need to do a factory reset
and restore the device.

configuration file.
have problems with the downgrade.
1.
Select Device > Software and Check Now for available images.
2.
Locate the image to which you want to downgrade. If the

image is not already downloaded, then Download it. (If the
image is already downloaded, you can skip this step.)
3.
After the download completes, Install the image.
4.
Select a configuration to load after the device reboots from

the Select a Config File for Downgrading drop-down. In most
cases, you should select the autosaved configuration that was
created when you upgraded from the release to which you are
now downgrading. For example, if you are running PAN-OS
7.1.1 and want to downgrade to PAN-OS 7.0.3, select
autosave-7.0.3.
5.

section).
Downgrade While Maintaining Enhanced Capacities on PA-3050 Firewalls

and PA-3020 Firewalls
PA-3000 Series and PA-500 firewalls support larger capacities in PAN-OS 7.1 than in prior PAN-OS releases.
If you want to downgrade a PA-3000 Series or PA-500 firewall to an older PAN-OS release, perform
Step 1 through Step 5 and Step 8 to downgrade successfully.
If you want to downgrade a PA-3000 Series firewall and preserve the capacity increases gained when
upgrading to PAN-OS 7.1 but you have not used the debug system arp-mac-capacity increase
operational command, then perform all steps in the following procedure.
Downgrade PA-3000 Series and PA-500 Firewalls and Preserve PA-3000 Series Firewall Capacity Increases on Downgrade
Step 1
Determine the decreased number of

ARP entries the older release supports.
Access the Product Selection Tool and find the ARP capacity of
the release to which you are downgrading.
Step 2
Determine if you currently have more

static ARP entries than the number
supported in Step 1.
1.
In the CLI, use the clear arp all command to delete the
dynamic ARP entries.
2.
Use the show arp all command to display a count of all the
ARP entries. Because you just deleted the dynamic ARP
entries, only the static ARP entries are counted.
Export the running configuration.
1.
Select Device > Setup > Operations > Save named

configuration snapshot, enter a Name, and click OK.
2.
Export named configuration snapshot, select the name of

the file you created from the drop-down, and click OK.
1.
Select Network > Virtual Routers > Static Routes.
Step 3
Step 4
If your current static ARP entries

(determined by Step 2) exceed the
decreased number of ARP entries
supported (determined by Step 1), delete
enough static ARP entries to get the
firewall below the downgraded capacity.
2.
Select IPv4 or IPv6.
3.
Select a static route and Delete it; repeat as necessary.
4.
Click OK and Commit.
Step 5
Downgrade the PAN-OS version to

7.0.1.
Select Device > Software, select the 7.0.1 software image that is
downloaded, and Install it.
Step 6
Enable larger capacities on a PA-3050 or In the CLI, use the debug system arp-mac-capacity increase
PA-3020 firewall.
operational command.
This command is available only in
PAN-OS 6.1.0 and PAN-OS
7.0.1.
Step 7
Upgrade the PAN-OS version to 7.1.
Step 8
Import the saved configuration.
Select Device > Setup > Operations > Import named

configuration snapshot, select the file you created in Step 3 to
import, and click OK.
Step 9
Downgrade the PAN-OS version to 7.0.1 Select Device > Software, select the 7.0.1 software image that is
again.
downloaded, and Install it.

Panos

Uploaded by

Copyright:

Available Formats

Panos

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Panos

Uploaded by

Copyright:

Available Formats

Upgrade to PAN-OS 7.

Copyright 2007-2015 Palo Alto Networks

Palo Alto Networks

About this Guide

To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Palo Alto Networks, Inc.

2 PAN-OS 7.1 New Features Guide

Palo Alto Networks, Inc.

Copyright 2007-2015 Palo Alto Networks

Upgrade to PAN-OS 7.1

Upgrade the Firewall to PAN-OS 7.1

Downgrade from PAN-OS 7.1

Palo Alto Networks, Inc.

PAN-OS 7.1 New Features Guide 7

Copyright 2007-2015 Palo Alto Networks

Upgrade to PAN-OS 7.1

Role Privileges for

If the permission for any commit type is

User Group Capacity

Before downgrading a PA-5060 or PA-7000

User-ID WMI Client

In PAN-OS 7.0 and earlier releases, client

8TB Disk Support on the

After you upgrade to Panorama 7.1, the

If you added a virtual disk of more than 2TB

8 PAN-OS 7.1 New Features Guide

Palo Alto Networks, Inc.

Copyright 2007-2015 Palo Alto Networks

Upgrade to PAN-OS 7.1

If your firewall is running a PAN-OS 6.1 or

DES Support for Crypto

When downgrading to an earlier PAN-OS

Before downgrading to a release earlier than

After you upgrade, all Palo Alto Networks

Palo Alto Networks, Inc.

PAN-OS 7.1 New Features Guide 9

Copyright 2007-2015 Palo Alto Networks

Upgrade to PAN-OS 7.1

If you configured the VMware Service

10 PAN-OS 7.1 New Features Guide

Palo Alto Networks, Inc.

Copyright 2007-2015 Palo Alto Networks

Upgrade to PAN-OS 7.1

PA-3000 Series and

Palo Alto Networks, Inc.

PAN-OS 7.1 New Features Guide 11

Copyright 2007-2015 Palo Alto Networks

Upgrade the Firewall to PAN-OS 7.1

Upgrade to PAN-OS 7.1

Upgrade the Firewall to PAN-OS 7.1

Upgrade Firewalls Using Panorama

Upgrade a Firewall to PAN-OS 7.1

Upgrade an HA Firewall Pair to PAN-OS 7.1

Upgrade Firewalls Using Panorama

Upgrade Firewalls Using Panorama

Log in to Panorama, select Panorama > Setup > Operations,

Select Panorama > Device Deployment > Dynamic Updates.

Check Now (located in the lower left-hand corner of the

Download the desired version. After a successful download,

Click Install, select the devices on which you want to install