How do you manage agent upgrades?


L2 Linker

I am trying to manage agent upgrades without allowing the agent to upgrade to new and unstable releases. For example, I do NOT want 7.5.0 upgraded on any system, but I do want the most recent 7.4 release upgraded on all systems. I have run into issues getting releases lower than 7.4 to upgrade to 7.4.2 (current version as of today). I have read the manual and opened a ticket with support, and they insist that I cannot use these settings in this manner. I have attached a picture that highlights "* Agents with older version will get upgraded to version 7.4", but support insists these settings only apply to 7.4 agents, which makes no sense. The manual does not document this, and the dialog says every agent should get upgraded to 7.4. If the setting only applied to 7.4, it would not give any reference to older agents before 7.4.


Agent Auto-Upgrade:  Enabled

Auto Upgrade Scope:  Only maintenance releases in a specific version

Release Version:  7.4



L3 Networker

Hi @EddieRowe ,


The auto-upgrade works in 3 ways.


  1. You always upgrade to the latest version regardless of the version installed
    1. Latest agent release
    2. All agents will upgrade to the latest version published
  2. You always upgrade to the latest version of the version installed
    1. Only maintenance releases
    2. Each agent will upgrade to the latest maintenance version
      1. meaning, if you have 7.2.x, 7.3.x and 7.4.x, each version will upgrade to its latest released maintenance version.
  3. You only upgrade a specific version
    1. Only maintenance releases in a specific version
    2. This means that if you use this option, and you assigned it to a group of endpoints where there are different agent versions installed, you will only upgrade to the latest maintenance release of the specified version.

The recommendation is to use "Latest maintenance version" and as long as you do not upgrade your agents to the latest version available, at the moment, 7.5, you should be fine.


L2 Linker

Thanks.  Now, if I can only get Palo Alto support to agree and resolve the issue of agents < 7.4 not upgrading to 7.4 when I am using option 3.

L2 Linker

You can accomplish this by use of the grouping filters. You can set the dynamic group to include agents with a version less than 7.4 and not apply this auto upgrade policy to them; or use a 7.3.x autoupgrade to maintenance versions if you like. Then have a separate group for agents with greater than or = 7.4 to have the auto upgrade policy apply for the 7.4.x line. This will allow you to specify the agent upgrade policies based on the dynamic filters you set.


[Image: jrzepka_0-1631295727209.png] Use this so your 7.3 agents do not apply the autoupgrade to 7.4 and stay within the 7.3.x version.


[Image: jrzepka_1-1631295748116.png] Use this filter so agents in the 7.4.x apply the autoupgrade for the 7.4 maintenance release versions.


Hopefully this cleared up the frustration you were experiencing.
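
The two dynamic groups described in the reply above can be checked against an agent inventory before the policies are assigned. The following is an added example, not part of the original thread and not Palo Alto Networks code; the inventory, host names, and function names are constructed for illustration. It also lists agents already past the 7.4 line, which a "greater than or equal to 7.4" filter would include.

```python
import re

PINNED_LINE = (7, 4)  # release line the thread wants to stay on

# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-001", "7.2.3"),
    ("ws-002", "7.3.1"),
    ("ws-003", "7.4.0"),
    ("ws-004", "7.4.2"),
    ("ws-005", "7.5.0"),
    ("ws-006", "7.10.0"),  # constructed: sorts before 7.4 if compared as text
]

def parse_version(text):
    """Turn '7.4.2' into (7, 4, 2) so versions compare numerically."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)+", text):
        raise ValueError(f"unparseable agent version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def assign_group(version_text, pinned=PINNED_LINE):
    """Apply the two filters from the reply: below 7.4, or 7.4 and above."""
    if parse_version(version_text)[:2] < pinned:
        return "below-pinned"
    return "pinned-and-above"

def audit(inventory, pinned=PINNED_LINE):
    """Return (groups, beyond): group membership plus hosts past the pinned line."""
    groups = {"below-pinned": [], "pinned-and-above": []}
    beyond = []
    for host, version in inventory:
        groups[assign_group(version, pinned)].append(host)
        if parse_version(version)[:2] > pinned:
            beyond.append(host)
    return groups, beyond

if __name__ == "__main__":
    groups, beyond = audit(SAMPLE_INVENTORY)
    for name, hosts in groups.items():
        print(f"{name}: {', '.join(hosts)}")
    print(f"already past {PINNED_LINE[0]}.{PINNED_LINE[1]}: {', '.join(beyond)}")
```

Agents reported in the last line are already on a newer release line than the one being pinned, so they need their own group or policy decision.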
