03-09-2017 08:07 AM
I want to do some testing on new global protect clients but I don't want to make it update anyone tell I can test it, How do I get the software to test with out making it the default cleint on the firewall?
03-09-2017 08:13 AM
You always can download manually from the support site (not sure if you do have enough privileges):
03-09-2017 08:34 AM
Thanks trance I found that and downloaded one of them, do you know if the client is a different version from what is offered on the firewall if it will still work
03-09-2017 08:41 AM
I believe the client is identical. So either you installing it manually or downloading over the PA GP portal = same
03-09-2017 08:44 AM
no I mean I have 2.2 offered on my firewall. If I install a new version from downloading it from the software portal will it work with my firewall if I have only downloaded and offering 2.2 and the client installed on my pc is 3?
03-09-2017 08:48 AM
Good question :0 Give a go as l am not sure really. Never test this before
03-09-2017 09:42 AM
I will let you know what I find out. I will download different GP versions and see if they can connect.
03-09-2017 10:38 AM
Interesting; one would think that as long as the client falls within the usable packeges for the portal/gateway that you should be fine when you load things up manually. Please let us know if this actually works, I do this all the time on my AnyConnect clients but I've never tried on GP.
03-09-2017 11:44 AM
jprovine,
One thing to consider and an option we've used for testing.
First any time you are doing testing make sure you change the GlobalProtect -> Portal -> Agent -> App setting for "Allow User to Upgrade GlobalProtect App" to either Disallow or Allow Manually. If you have anything else it may try to override what you are testing with the production version.
When we test a new client I set the above App setting to Disallow and Download/Activate the version I want to test. I then download it and install from vpn.firewall.com (your DNS name) manually. Once we have done this we just Activate the production version we are using again.
Brian
03-09-2017 12:06 PM
well so far I manually installed version version 2.3.1-7 and I get this error "server certificate verification failure" The version enabled on the firewall is 2.2
03-10-2017 09:10 AM
So have any one else done any upgrading of their globalprotect clients? How did you do it and was there is documentation? I did find out that you can not offer more than one globalprotect client at a time from the firewall. I am waiting to see if you can connect using a different version of globalprotect that what is being offered from the firewall. My initialize testin says that you can not but I have a ticket open asking that question in case their is something I missed.
03-13-2017 06:05 AM
So Brian you downloaded and set the agent on the firewall to the new one and then downloaded the agent from the firewall to your test machine and I assume that in order to do that you have to set it to upgrade manually. So if I am understanding correctly there is no way to truly block anyone else from upgrading while you are testing?
Does changing the active globalprotect client on the firewall affect the users who are using an older version of globalprotect from connecting? Does it prompt them to upgrade?
So far I have found the upgrade of the client very poorly thought out by PA
03-14-2017 08:20 AM
I found out that if you have a cert on your firewall for globalprotect that it will have issues if you download it from the PA site and it will also ask to remove the currently globalprotect client install before installing the new one. So testing the upgrade doesn't seem to be working. It appears you have to change to it on the firewall, make it active and available to everyone and then you won't have cert issue and it will upgrade a previous install
03-14-2017 01:13 PM
jprovine,
That deals with the cert being used by the site you are connecting to. You can ignore that in the client/agent configuration in the Portal section if you want for testing.
Basically the certificate asociated with https://vpn.yoursite.com does not match what the client is looking for.
Brian
03-14-2017 01:29 PM - edited 03-14-2017 03:03 PM
jprovine,
You can use any supported version of the GlobalProtect client.
Another option would be to download the clients to the firewall you want to test with. Set them as active and download each one to your computer. Then set the one you are currently using back to active.
We have not had problems playing with multiple versions of the GlobalProtect client.
Brian
<EDIT>
I have never tried downloading the GlobalProtect client from Palo Altos web page and using it. We have always downloaded it to the firewalls.
</EDIT>
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
