GlobalProtect Agent Updates?

L4 Transporter

GlobalProtect Agent Updates?

Most of the discussions I've heard talk about managing your deployment with something other than the firewall (so thousands of users aren't hitting the firewall during an update). I have questions in two areas:

1-How do you handle updates when getting pushed from a centralized manager to Windows clients (assuming your clients are internal only during the update, and the firewall is NOT doing the agent update)? Are you completely uninstalling the client and then updating with the new version, or are you simply pushing out the update and installing over the old installation? Anyone have issues/problems that have arisen from this?

2-If transparently allowed to update from the firewall, how is the firewall natively handling the GP agent client update - is it just installing new files in specific directories that the overall agent is referring to, or is it completely uninstalling the old agent, and installing the new version?

L4 Transporter

Re: GlobalProtect Agent Updates?

Bump.

L7 Applicator

Re: GlobalProtect Agent Updates?

@Sec101 

1) Just run the update, there is no need to be completely uninstalling GP and re-installing the agent completely. In fact, by default the installer does a pretty bad job of cleaning up after itself when you do an uninstall. 

2) It actually runs the following when you push an upgrade from the firewall.

echo off 
set /a _count=0
"C:\WINDOWS\system32\sc.exe" stop pangps > null
:loop
if %_count% GTR 300 goto exittimeout
"C:\WINDOWS\system32\timeout.exe" /t 3 /nobreak > null
set /a _count=_count + 3
"C:\WINDOWS\system32\sc.exe" query pangps | find "STOPPED"
if errorlevel 1 goto loop
cd C:\Program Files\Palo Alto Networks\GlobalProtect
"C:\WINDOWS\system32\msiexec.exe" /x "{1E447623-3102-407C-AF0F-ACF4C5141A68}" /qn /norestart KEEPREGISTRIES="YES" /l+* "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPMsi.log" 
"C:\WINDOWS\system32\msiexec.exe" /norestart /qn /i "C:\WINDOWS\TEMP\globalprotect.msi" TARGETDIR="C:\Program Files\Palo Alto Networks\GlobalProtect"  CERTIFICATESTORELOOKUP="user-and-machine" CACUNPLUGBEHAVE="yes" USEPROXY="yes" PORTAL="*" BENICE="yes" /l+* "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPMsi.log" 
goto normalexit
:exittimeout
echo %date% %time% - PanGPS service cannot be stopped. time out 300. >> "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.log"
exit 1
:normalexit

 

L4 Transporter

Re: GlobalProtect Agent Updates?

@BPry 

If I read your post right- the below

"C:\WINDOWS\system32\msiexec.exe" /x "{1E447623-3102-407C-AF0F-ACF4C5141A68}" /qn /norestart KEEPREGISTRIES="YES" /l+* "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPMsi.log"

it looks like the firewall does actually run an uninstall - /x - before running a new installation?

But you're saying that even when using a third party management tool- it's recommended to just install over the top, as the installer does kind of a bad job cleaning up? Shouldn't run into any issues with that?

 

Thanks for the in-depth reply- that gives some insight that I have yet to read anywhere.  Thank you!

L7 Applicator

Re: GlobalProtect Agent Updates?

@Sec101,

Either method does essentially the same thing. The above is what happens when pushed from the firewall, but when you manually load the MSI as an upgrade essentially the same exact process takes place when it does a simple check to see if it's an upgrade or a new install.

When you actually use the uninstall flag the MSI does a somewhat bad job of cleaning up all of the files it installs by default. This has led to issues in the past with the agent performing its "upgrade" process and not its true "install" process as it detects an existing install. I believe this has been addressed in the current releases, but it still does a pretty poor job with the whole file cleanup process.
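
An added example, not part of the thread and not Palo Alto Networks' own tooling: a PowerShell wrapper that a software-distribution tool could run for the install-over-the-top approach described above, checking the package signature first and reporting the result. The MSI path, the log path and the `GlobalProtect*` display-name filter are assumptions; the `pangps` service name is taken from the script quoted earlier in the thread.

```powershell
# Added example: in-place GlobalProtect upgrade run by a deployment tool.
# Assumptions (not from the thread): $MsiPath, $LogPath, the DisplayName filter.
param(
    [string]$MsiPath = 'C:\Windows\Temp\globalprotect.msi',  # assumed staging path
    [string]$LogPath = 'C:\Windows\Temp\gp-upgrade.log'      # assumed log path
)

function Get-GpInstall {
    # Read MSI uninstall entries (64- and 32-bit registry views) for the agent.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'GlobalProtect*' } |
        Select-Object DisplayName, DisplayVersion, PSChildName
}

if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI not found: $MsiPath" }

# Refuse to install a package whose Authenticode signature does not validate.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') { throw "MSI signature check failed: $($sig.Status)" }
Write-Output "Signed by: $($sig.SignerCertificate.Subject)"

$before = Get-GpInstall

# Install over the existing agent; no separate /x pass is issued here.
$msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$LogPath`"")
$proc = Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" `
    -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success but reboot required, 1641 = reboot initiated.
if ($proc.ExitCode -notin 0, 3010, 1641) {
    throw "msiexec exited with $($proc.ExitCode); see $LogPath"
}

$after = Get-GpInstall
$svc   = Get-Service -Name pangps -ErrorAction SilentlyContinue
[pscustomobject]@{
    VersionBefore = @($before.DisplayVersion) -join ', '
    VersionAfter  = @($after.DisplayVersion) -join ', '
    ProductCodes  = @($after.PSChildName)   # registry key names of matching entries
    ServiceStatus = if ($svc) { $svc.Status } else { 'missing' }
    RebootNeeded  = $proc.ExitCode -in 3010, 1641
}
```

More than one entry in `ProductCodes` means more than one GlobalProtect MSI registration is present on the machine, which is worth checking given the cleanup behaviour discussed above.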

L4 Transporter

Re: GlobalProtect Agent Updates?

Great feedback.  Many thanks!
