topic Global Protect Datafile Version mismatch in General Topics

Global Protect Datafile Version mismatch

SimmSimm — Thu, 22 Mar 2012 14:23:35 GMT

Im working thru the process to roll out the Global Protect VPN software to our laptop users - I have three PA boxes, a 2050 and two 2020s - all are running 4.1.3, all have GP gateway licences & client 1.1.4 installed although we only have one portal licence for the 2050 (and so only one portal configured).

I have the portal setup & publishing a profile with all three gateways in it, it appears to work correctly & connect you to the closest gateway - good ! - the next step is to setup the HIP profiles to control which machines are allowed access to the internal network.

I notice that I have different versions of the GP datafile on each box - Dynamic Update is set to check daily & everything else (URL filter, threats etc) are in sync - but the GP datafiles are not. They are updating, but the versions appear to be different for each gateway.

The versions I have are:

2050 1332385291

2020 1332381691

2020 1332183690

- so the question is why are they different, & will that be a problem when I enable the HIP checks ?

Thanks - Nick.

Re: Global Protect Datafile Version mismatch

jseals — Fri, 23 Mar 2012 01:32:58 GMT

Hi SimmSimm,

It looks like there are a couple different sites we pull these data files from. You may need to get a case open for us to fully review it, but my assumption is each site is giving a different data file.

You can run:

> less mp-log avdata.log

-----Example Output

<GlobalProtect xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://www.paloaltonetworks.com/"> <result>New version found.</result> <file_version>1332460882</file_version> <lastModified>2012-03-22T17:12:09</lastModified> <file_location>http://c733.r33.cf1.rackcdn.com/epupdate_hist.140</file_location> <encryption_key>21728451bcb06c96dab005f3a8ae55450e16114f731ce0a40b6eb292c246ef6a</encryption_key></GlobalProtect>

-----Example Output

You can then see which location each device went and what data file version it pulled down. Perhaps comparing this output on each device will yield some information for you.

I don't think this will cause an issue if you enable HIP checks, because according to the documentation the files just contain a list of vendors.

"The GlobalProtet Data File, located on the Device tab> Dynamic Updates, contains the OPSWAT file that lists the vendors to be used in the HIP object configuration. You must have valid Global Protect Gateway and Portal licensing and configure theSchedule for the downloads before they will occur."

Thanks,

Jason Seals

Re: Global Protect Datafile Version mismatch

SimmSimm — Fri, 23 Mar 2012 10:29:46 GMT

Jason - thanks - thats useful.

The answer seems to be that the servers are in different timezones & the GP datafile versions seem to be changing hourly:

For the London server in GMT TZ, I see:

<result>New version found.</result>
<file_version>1332471712</file_version>
<lastModified>2012-03-22T20:12:08</lastModified>
<file_location>http://c733.r33.cf1.rackcdn.com/epupdate_hist.142</file_location>
<encryption_key>a74d03595fdfc36b0f4df117f303955b1b250669671a1b140881c60da227743b</encryption_key>
</GlobalProtect>
Fri Mar 23 04:05:04 GMT 2012 : update version exist
Fri Mar 23 04:05:04 GMT 2012 : file location http://c733.r33.cf1.rackcdn.com/epupdate_hist.142

For the Europe server in CET TZ I see:

<GlobalProtect xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://www.paloaltonetworks.com/">
<result>New version found.</result>
<file_version>1332468075</file_version>
<lastModified>2012-03-22T19:12:09</lastModified>
<file_location>http://c733.r33.cf1.rackcdn.com/epupdate_hist.141</file_location>
<encryption_key>c6bb1d1662a63d7426f91d3d00b6c68c777bbad5d21f6fee99798d4514965fa0</encryption_key>
</GlobalProtect>
Fri Mar 23 04:05:04 CET 2012 : update version exist
Fri Mar 23 04:05:04 CET 2012 : file location http://c733.r33.cf1.rackcdn.com/epupdate_hist.141

& for the Asia server in HKT I see:

<GlobalProtect xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://www.paloaltonetworks.com/">
<result>New version found.</result>
<file_version>1332442882</file_version>
<lastModified>2012-03-22T12:12:07</lastModified>
<file_location>http://c733.r33.cf1.rackcdn.com/epupdate_hist.135</file_location>
<encryption_key>2f155bda6a20349c1259fce9cedeb554f207bce85b579dfcf0093d4632af94a4</encryption_key>
</GlobalProtect>
Fri Mar 23 04:02:10 HKT 2012 : update version exist
Fri Mar 23 04:02:10 HKT 2012 : file location http://c733.r33.cf1.rackcdn.com/epupdate_hist.135

So I expect that if I set the update to hourly for GP datafile all three should get into sync.

For completeness, the reason that I would like them in sync is that I use Panorama to push a global HIP policy, & appear to have had policy fail to load on one gateway in the past because vendor information that I use in the HIP objects is not available in the version of the datafile on that gateway, but is available on the others.

Thanks - Nick.