How to downgrade PAN-OS on the Firewall

To downgrade the PAN-OS version to the previous one.

• Palo Alto Firewalls
• Supported PAN-OS
• Downgrade

1. The downgrade  information is  documented in the Upgrade/Downgrade guide. This article provides some caveats asked by customers.
2. In case of downgrade from 10.1, Determine the downgrade path. This information is the reverse path of upgrade documented in PAN-OS Upgrade Guide.
   
3. Review the release notes for each preferred release, to identify relevant issues.
4. Review the Upgrade/Downgrade considerations to identify features that can have an impact and potentially cause issues. 
5. In the example of downgrade from PAN-OS 10.0.latest and then PAN-OS 9.1.latest.
   1. Download the base version of each major release (e.g 10.0.0) and install and reboot on the current preferred release (which keeps changing with time) of each major release in the downgrade path.
   2. Follow these actions to reach the desired version:
      1. Download base image 10.0.0
      2. Download 10.0.latest install and reboot
      3. Download base image 9.1.0
      4. Download 9.1.latest install and reboot
         

IMPORTANT:

1. Save a backup of the current configuration file before each downgrade, export it, and save it externally.
2. Export the device state if the Firewall is managed by Panorama.
3. After each reboot, verify auto-commit has been successfully completed using the "show jobs all" command
4. ​​​​​​(PA-52xx) When transitioning from PAN-OS 10.1 to PAN-OS 10.0 inspect the status of the raid disks using the "show system raid detail" command.

NOTE: Raid rebuild might occur and the estimate time to complete is ~6.5 hours

Downgrade PAN-OS
Upgrade PAN-OS