PA-VM Firewall loses connection after Downgrade from 9.1 to 9.0
11623
Created On 02/03/20 20:51 PM - Last Modified 07/28/20 20:25 PM
Symptom
The following symptoms are shown after downgrading the PA-VM from 9.1.x to 9.0.x
- Can no longer access the PA-VM firewall using the same administrator credential
- The latest running configuration is removed and replaced by the autosave-pre-cfg
Environment
- PA-VM 9.1.x
- PA-VM under private and public cloud (AWS, Azure, GCP, OCI, KVM, ESXI, etc)
Cause
When downgrading the firewall from PAN-OS 9.1.0 to 9.0.x, it prompts to "Select A Config File for Downgrading"
By default selection in drop-down is set to: "autosave-pre-cfg-202001XX.xml"
This is because firewall is getting downgraded for the first time and no autosave config is available other than pre-config.
If this config is selected to downgrade the device, it will erase all running configuration on firewall and installs 9.0 version.
autosave-pre-cfg-202001XX.xml +++++++++++++++++++++++++++++ <config version="9.1.0"> <mgt-config> <users> <entry name="admin"> <phash>*</phash> <<<< Deleted <permissions> <role-based> <superuser>yes</superuser> </role-based> </permissions> </entry> </users> +++++++++++++++++++++++++
Running Config +++++++++++++++++++++++++ <config version="9.1.0" urldb="paloaltonetworks"> <mgt-config> <users> <entry name="admin"> <phash>"phash deleted"</phash> <<< Admin Username/Password Set <permissions> <role-based> <superuser>yes</superuser> </role-based> </permissions> <public-key>"delete"</public-key> </entry> ++++++++++++++++++++++++
Resolution
Recommended Steps:
1. Save the running configuration under Device>Operation>Save Named Configuration
2. When downgrading the PA-VM make sure to choose the configuration snapshot you have just saved on step #1
(The system will default to "autosave-pre-cfg-XXXXX.xml". Make sure you do not select this pre-cfg)