07-22-2019 06:55 AM
Most of the discussions I've heard talk about managing your deployment with something other than the firewall (so thousands of users aren't hitting the firewall during an update). I have questions in two areas:
1-How do you handle updates when getting pushed from a centralized manager to Windows clients (assuming your clients are internal only during the update, and the firewall is NOT doing the agent update)? Are you completely uninstalling the client and then updating with the new version, or are you simply pushing out the update and installing over the old installation? Anyone have issues/problems that have arisen from this?
2-If transparently allowed to update from the firewall, how is the firewall natively handling the GP agent client update - is it just installing new files in specific directories that the overall agent is referring to, or is it completely uninstalling the old agent, and installing the new version?
07-29-2019 12:21 PM - edited 07-29-2019 12:22 PM
1) Just run the update, there is no need to be completely uninstalling GP and re-installing the agent completely. In fact, by default the installer does a pretty bad job of cleaning up after itself when you do an uninstall.
2) It actually runs the following when you push an upgrade from the firewall.
echo off 
set /a _count=0
"C:\WINDOWS\system32\sc.exe" stop pangps > null
:loop
if %_count% GTR 300 goto exittimeout
"C:\WINDOWS\system32\timeout.exe" /t 3 /nobreak > null
set /a _count=_count + 3
"C:\WINDOWS\system32\sc.exe" query pangps | find "STOPPED"
if errorlevel 1 goto loop
cd C:\Program Files\Palo Alto Networks\GlobalProtect
"C:\WINDOWS\system32\msiexec.exe" /x "{1E447623-3102-407C-AF0F-ACF4C5141A68}" /qn /norestart KEEPREGISTRIES="YES" /l+* "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPMsi.log" 
"C:\WINDOWS\system32\msiexec.exe" /norestart /qn /i "C:\WINDOWS\TEMP\globalprotect.msi" TARGETDIR="C:\Program Files\Palo Alto Networks\GlobalProtect"  CERTIFICATESTORELOOKUP="user-and-machine" CACUNPLUGBEHAVE="yes" USEPROXY="yes" PORTAL="*" BENICE="yes" /l+* "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPMsi.log" 
goto normalexit
:exittimeout
echo %date% %time% - PanGPS service cannot be stopped. time out 300. >> "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.log"
exit 1
:normalexit
07-29-2019 01:55 PM - edited 07-29-2019 01:56 PM
If I read your post right- the below
"C:\WINDOWS\system32\msiexec.exe" /x "{1E447623-3102-407C-AF0F-ACF4C5141A68}" /qn /norestart KEEPREGISTRIES="YES" /l+* "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPMsi.log" it looks like the firewall does actually run an uninstall - \x - before running a new installation?
But you're saying that even when using a third party management tool- it's recommended to just install over the top, as the installer does kind of a bad job cleaning up? Shouldn't run into any issues with that?
Thanks for the in-depth reply- that gives some insight that I have yet to read anywhere. Thank you!
07-29-2019 07:08 PM
Either method does essentially the same thing. The above is what happens when pushed from the firewall, but when you manually load the MSI as an upgrade essentially the same exact process takes place when it does a simple check to see if it's an upgrade or a new install.
When you actually use the uninstall flag the MSI does a somewhat bad job of cleaning up all of the files it installs by default. This has led to issues in the past with the agent performing its "upgrade" process and not its true "install" process as it detects an existing install. I believe this has been addressed in the current releases, but it still does a pretty poor job with the whole file cleanup process.
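
An in-place upgrade as a third-party deployment tool could run it, following the install-over-the-top approach described in the replies above. This is an added example, not part of the thread and not the script the firewall pushes; the staging path, log path and the signature check are assumptions of this example, and site-specific MSI properties (such as PORTAL) are left out.

```powershell
# Added example: in-place GlobalProtect upgrade driven by a deployment tool.
# $MsiPath and $LogPath are placeholders chosen for this example.
param(
    [string]$MsiPath = 'C:\Deploy\globalprotect.msi',
    [string]$LogPath = 'C:\Deploy\PanGPMsi-upgrade.log',
    [int]$StopTimeoutSeconds = 300   # same limit as the batch script in the thread
)

$ErrorActionPreference = 'Stop'

# The installer runs with the deployment agent's privileges (usually SYSTEM),
# so refuse a package whose Authenticode signature does not validate.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature check failed for $MsiPath (status: $($sig.Status))"
    exit 2
}
Write-Output "Signed by: $($sig.SignerCertificate.Subject)"

# Stop the PanGPS service and wait for it, as the batch script's loop does.
$svc = Get-Service -Name 'pangps' -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Stopped') {
    try {
        $svc.Stop()
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds($StopTimeoutSeconds))
    } catch {
        Write-Warning "PanGPS service could not be stopped within $StopTimeoutSeconds s: $_"
        exit 1
    }
}

# Install over the existing agent (no separate /x step), silent, no reboot,
# appending a verbose log. Only switches shown in the thread are used.
$msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/l+*', "`"$LogPath`"")
$proc = Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" `
                      -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success with reboot pending; anything else is a failure
# that should be returned to the deployment tool.
if ($proc.ExitCode -notin 0, 3010) {
    Write-Warning "msiexec failed with exit code $($proc.ExitCode); see $LogPath"
    exit $proc.ExitCode
}

# Report the service state so the tool's job log shows whether the agent is back.
$after = Get-Service -Name 'pangps' -ErrorAction SilentlyContinue
Write-Output "Upgrade finished (msiexec exit $($proc.ExitCode)); pangps status: $($after.Status)"
exit 0
```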
07-30-2019 08:22 AM
Great feedback. Many thanks!
04-12-2021 08:30 AM
This is an old topic but I was wondering if you could elaborate on how/where you found the .bat file running that upgrades the GlobalProtect clients. As this post is over a year and a half old, I want to see if anything has changed, especially as we are running 10.0.5 now, so we can adapt this to our Kace deployment solution.
- Matt
 
					
				
				
			
		

