New Deployment: Unable to Login After Downgrade from PAN OS 9.1 to 9.0.
26910
Created On 02/28/20 14:21 PM - Last Modified 01/11/21 14:21 PM
Symptom
Unable to login due to invalid credentials after downgrading a PA-VM in AWS or Azure from one Major release to another.
For example PA-VMs in Azure and AWS launch with latest PAN-OS release 9.1 and if downgraded to 9.0, admin is unable to login.
Environment
New deployment in AWS or Azure
Cause
When downgrading firewalls from 9.1.0 to 9.0 or below, by default "Select A Config File for Downgrading" in drop-down is set to: "autosave-pre-cfg-20200XXX.xml". This deletes all configuration including admin credentials and the only way to recover after downgrading is to redeploy a new instance.
Resolution
When downgrading from PAN-OS 9.1.0 to 9.0.x or 8.1.x,
- Do not select 'autosave-pre-cfg-202001XX.xml' from drop-down before clicking 'OK'
- Either select the running-config.xml or custom saved current configuration before clicking 'OK'
Additional Information
You can deploy a PA-VM using a lower base image, to avoid the need to downgrade:
By default both the AWS and Azure Marketplace deploy on the latest base image for PA-VM. You can select to launch off a lower base version.
- In AWS, when choosing the Market Place instance there is an option to "select previous base version".
- In Azure, the option to select a diffrent base version is in step 3.
Does not apply to instances where firewall was upgraded a major version, then downgraded back to the original version. The 'autosave-pre-cfg-202001XX.xml' configuration file will have config of original major version. Example: VM launched on 8.1 upgraded to 9.0, then downgraded back to 8.1. Issue would be seen if downgrading from 8.1 to 8.0.