GlobalProtect Agent Updates?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

GlobalProtect Agent Updates?

L4 Transporter

Most of the discussions I've heard, talk about managing your deployment with something other than the firewall (so thousands of users aren't hitting the firewall during an update).  I have questions in two areas:

 

1-How do you handle updates when getting pushed from a centralized manager to windows clients (assuming your clients are internal only during the update, and the firewall is NOT doing the agent update)?  Are you completely uninstalling the client and then updating with the new version?, or are you simply pushing out the update and installing over the old installation?  Anyone have issues/problems that have arisen from this?

 

2-If transparently allowed to update from the firewall, how is the firewall natively handling the GP agent client update - is it just installing new files in specific directories that the overall agent is referring to, or is it completely uninstalling the old agent, and installing the new version?

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

@Sec101 

1) Just run the update, there is no need to be completely uninstalling GP and re-installing the agent completely. In fact, by default the installer does a pretty bad job of cleaning up after itself when you do an uninstall. 

2) It actually runs the following when you push an upgrade from the firewall.

echo off 
set /a _count=0
"C:\WINDOWS\system32\sc.exe" stop pangps > null
:loop
if %_count% GTR 300 goto exittimeout
"C:\WINDOWS\system32\timeout.exe" /t 3 /nobreak > null
set /a _count=_count + 3
"C:\WINDOWS\system32\sc.exe" query pangps | find "STOPPED"
if errorlevel 1 goto loop
cd C:\Program Files\Palo Alto Networks\GlobalProtect
"C:\WINDOWS\system32\msiexec.exe" /x "{1E447623-3102-407C-AF0F-ACF4C5141A68}" /qn /norestart KEEPREGISTRIES="YES" /l+* "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPMsi.log" 
"C:\WINDOWS\system32\msiexec.exe" /norestart /qn /i "C:\WINDOWS\TEMP\globalprotect.msi" TARGETDIR="C:\Program Files\Palo Alto Networks\GlobalProtect"  CERTIFICATESTORELOOKUP="user-and-machine" CACUNPLUGBEHAVE="yes" USEPROXY="yes" PORTAL="*" BENICE="yes" /l+* "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPMsi.log" 
goto normalexit
:exittimeout
echo %date% %time% - PanGPS service cannot be stopped. time out 300. >> "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.log"
exit 1
:normalexit

 

View solution in original post

6 REPLIES 6

L4 Transporter

Bump.

Cyber Elite
Cyber Elite

@Sec101 

1) Just run the update, there is no need to be completely uninstalling GP and re-installing the agent completely. In fact, by default the installer does a pretty bad job of cleaning up after itself when you do an uninstall. 

2) It actually runs the following when you push an upgrade from the firewall.

echo off 
set /a _count=0
"C:\WINDOWS\system32\sc.exe" stop pangps > null
:loop
if %_count% GTR 300 goto exittimeout
"C:\WINDOWS\system32\timeout.exe" /t 3 /nobreak > null
set /a _count=_count + 3
"C:\WINDOWS\system32\sc.exe" query pangps | find "STOPPED"
if errorlevel 1 goto loop
cd C:\Program Files\Palo Alto Networks\GlobalProtect
"C:\WINDOWS\system32\msiexec.exe" /x "{1E447623-3102-407C-AF0F-ACF4C5141A68}" /qn /norestart KEEPREGISTRIES="YES" /l+* "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPMsi.log" 
"C:\WINDOWS\system32\msiexec.exe" /norestart /qn /i "C:\WINDOWS\TEMP\globalprotect.msi" TARGETDIR="C:\Program Files\Palo Alto Networks\GlobalProtect"  CERTIFICATESTORELOOKUP="user-and-machine" CACUNPLUGBEHAVE="yes" USEPROXY="yes" PORTAL="*" BENICE="yes" /l+* "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPMsi.log" 
goto normalexit
:exittimeout
echo %date% %time% - PanGPS service cannot be stopped. time out 300. >> "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.log"
exit 1
:normalexit

 

@BPry 

If I read your post right- the below

C:\WINDOWS\system32\msiexec.exe" /x "{1E447623-3102-407C-AF0F-ACF4C5141A68}" /qn /norestart KEEPREGISTRIES="YES" /l+* "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPMsi.log" 

it looks like the firewall does actually run an uninstall - \x - before running a new installation? 

But your saying that even when using a third party management tool- it's recommended to just install over the top, as the installer does kind of a bad job cleaning up?  Shouldn't run into any issues with that?  

 

Thanks for the in-depth reply- that gives some insight that I have yet to read anywhere.  Thank you!

@Sec101,

Either method does essentially the same thing. The above is what happens when pushed from the firewall, but when you manually load the MSI as an upgrade essentially the same exact process takes place when it does a simple check to see if it's an upgrade or a new install.

When you actually use the uninstall flag the MSI does a somewhat bad job of cleaning up all of the files it installs by default. This has lead to issues in the past with the agent performing its "upgrade" process and not it's true "install" process as it detects an existing install. I believe this has been addressed in the current releases, but it still does a pretty poor job with the whole file cleanup process. 

Great feedback.  Many thanks!

@BPry,

 

This is an old topic but I was wondering if you could elaborate on how/where you found the .bat file running that upgrades the GlobalProtect clients.  As this post is over a year and a half old, I want to see if anything has changed, especially as we are running 10.0.5 now, so we can adapt this to our Kace deployment solution.

 

- Matt

  • 1 accepted solution
  • 11448 Views
  • 6 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!