Unconventional GP upgrade through XDR action script - works, but could use optimization.

FluffyPancakes — Wed, 28 Feb 2024 19:51:44 GMT

I have a script to silently upgrade GlobalProtect clients to 6.2.2 using an msi, while avoiding disconnecting active users and reboots. It's simple and it works, but I looking to improve it by having successful upgrade status or reason for failure reported instead of just getting the success of the script. Also if the agent doesn't upgrade, I'd like it to retry during the script deployment, but maybe that's not possible as long as the script successfully runs on the agent.

(Why am I not using GlobalProtect to push out upgrade? It's a long story. Ability to have separate agent configs based on user/group broke and I need to be able to isolate testing of the upgrade process to communicate to users ahead of time exactly what to expect.)

Scenarios:

Agent on LAN: script runs msi from network drive - gp agent upgrades

Agent on VPN: script sees agent connected - gp doesn't get upgraded

Agent not on LAN or VPN but connected to Internet: script doesn't see network drive, gp doesn't get upgraded.

All above scenarios would show script was successfully executed. I would like to differentiate the computers that didn't upgrade due to being connected to VPN and those that weren't connected to LAN or VPN from the ones that got successfully upgraded.

I know I can separately run the get_registry script and put in HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Version and that will return the values. I tried incorporating that into my script, but couldn't figure it out. Also returning statuses to indicate that agent could not be upgraded due to being connected to VPN.

I believe the action script stays active for 4 days. I was wondering if even though a script ran, but did not upgrade, could it check in again the next day when, for instance, it is not on vpn and can actually install at that time. I'm guessing not, but that would be ideal.

Script for reference:

import wmi
import os

c = wmi.WMI()

network = c.Win32_NetworkAdapterConfiguration()

for adapter in network:
if adapter.Description == "PANGP Virtual Ethernet Adapter" and not adapter.IPEnabled:
os.system('msiexec /i "\\\\SERVER\\.......\\GlobalProtect64-6.2.2.msi" /qn /norestart')

Re: Unconventional GP upgrade through XDR action script - works, but could use optimization.

aspatil — Fri, 01 Mar 2024 08:05:13 GMT

Hello @FluffyPancakes ,

Thanks for reaching out on LiveCommunity!

Cortex XDR just execute script and wait for output. It does not care what are you doing with that script.

4 days active because, it waits for agent connection status. If agent is connected script runs and completes.

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.

topic Unconventional GP upgrade through XDR action script - works, but could use optimization. in Cortex XDR Discussions

Unconventional GP upgrade through XDR action script - works, but could use optimization.

Re: Unconventional GP upgrade through XDR action script - works, but could use optimization.