Unconventional GP upgrade through XDR action script - works, but could use optimization.

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Unconventional GP upgrade through XDR action script - works, but could use optimization.

L0 Member

I have a script to silently upgrade GlobalProtect clients to 6.2.2 using an msi, while avoiding disconnecting active users and reboots.  It's simple and it works, but I looking to improve it by having successful upgrade status or reason for failure reported instead of just getting the success of the script.  Also if the agent doesn't upgrade, I'd like it to retry during the script deployment, but maybe that's not possible as long as the script successfully runs on the agent.


(Why am I not using GlobalProtect to push out upgrade?  It's a long story.  Ability to have separate agent configs based on user/group broke and I need to be able to isolate testing of the upgrade process to communicate to users ahead of time exactly what to expect.)



Agent on LAN: script runs msi from network drive - gp agent upgrades

Agent on VPN: script sees agent connected - gp doesn't get upgraded

Agent not on LAN or VPN but connected to Internet: script doesn't see network drive, gp doesn't get upgraded.


All above scenarios would show script was successfully executed.   I would like to differentiate the computers that didn't upgrade due to being connected to VPN and those that weren't connected to LAN or VPN from the ones that got successfully upgraded.


I know I can separately run the get_registry script and put in HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Version and that will return the values.   I tried incorporating that into my script, but couldn't figure it out.    Also returning statuses to indicate that agent could not be upgraded due to being connected to VPN.


I believe the action script stays active for 4 days.  I was wondering if even though a script ran, but did not upgrade, could it check in again the next day when, for instance, it is not on vpn and can actually install at that time.  I'm guessing not, but that would be ideal.


Script for reference:


import wmi
import os


c = wmi.WMI()


network = c.Win32_NetworkAdapterConfiguration()


for adapter in network:
     if adapter.Description == "PANGP Virtual Ethernet Adapter" and not adapter.IPEnabled:
          os.system('msiexec /i "\\\\SERVER\\.......\\GlobalProtect64-6.2.2.msi" /qn /norestart')



L4 Transporter

Hello @FluffyPancakes ,


Thanks for reaching out on LiveCommunity!


Ashutosh Patil
  • 1 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!