How to Downgrade PAN-OS

How to Downgrade PAN-OS

41859
Created On 09/25/18 19:45 PM - Last Updated 04/20/20 21:49 PM


Resolution

Overview

In the event that a Palo Alto Networks firewall needs to be downgraded to a lower version of PAN-OS the procedures described in this document should be followed.

 

Details

Revert

Via the CLI, a revert command can be issued to restore to a previous version.

Note: This feature is not supported for Major upgrades (from 6.1.3 to 6.0.2), due to the logs and other databases modified during the upgrade. Instead, use the 'Re-Install' instructions below. It is recommended that you only use this 'restore' command when downgrading minor versions (from 6.1.3 to 6.1.2)

  1. Verify that the previous PAN-OS version in use prior to the upgrade is still loaded on the partition and is revertable with the CLI command: debug swm status

    > debug swm status

    Partition         State             Version
    --------------------------------------------------------------------------------
    sysroot0          REVERTABLE        6.1.1
    sysroot1          RUNNING-ACTIVE    6.1.3
    maint             READY             6.1.3

     

    In this sample output, the device is running PAN-OS 6.1.3 as indicated by the RUNNING-ACTIVE state. PAN-OS 6.1.1 is the revertable option.

  2. To boot from the partition in use prior to the upgrade, issue the command: debug swm revert.

    Nothing will be un-installed and no configuration changes will be made, but the device will load with the previous PAN-OS version.

    > debug swm revert

    Reverting from 6.1.3 (sysroot0) to 6.1.1 (sysroot1)

     

    To check on the current status:

    > debug swm status

    Partition         State             Version
    --------------------------------------------------------------------------------
    sysroot0          PENDING-REVERT    6.1.1

    sysroot1          RUNNING-ACTIVE    6.1.3
    maint             READY             6.1.3

  3. To reboot after this and to get back to the previous version:
    > request restart system
  4. Reload the saved config file.

Reinstall

  1. If the previous version is no longer available to revert, re-install (no download required) your last PAN-OS version. Perform this step in the GUI by clicking "install" on an older version of the software.
    doc-1992-1.png
  2. Reboot the device.
  3. Reload the saved config file.

 

Factory Reset (If the downgrade is still unsuccessful)

  1. See the following article for instructions on resetting the device to factory defaults: How to Factory Reset a Palo Alto Networks Device
  2. Upgrade content and URL database to latest versions.
  3. Restore the configuration from the saved config file.

Note if you choose to run 'debug swm revert' -
If you had made configuration changes between installing the new PAN-OS and rebooting after a SWM revert, make sure you load the latest configuration version and commit after the revert has completed.
 

owner: panagent



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcYCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language