Roll Back GlobalProtect

L4 Transporter

Does Palo seriously not provide a way to roll back GlobalProtect? TAC told me there is no documentation on how to do that.


Cyber Elite

Hi @RobertShawver,

Unless things have changed in a new PAN-OS, I have found that by activating an older version on the portal, the client is prompted if they want to install the older version of GP.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.

Hi @TomYoung 

I'm not sure what you mean by "activating an older version on the gateway". I was under the impression that came from the Portal, not the gateway.

On the firewall, I have gone to Device > GlobalProtect Client, downloaded and activated a lower version. I then connected to that Portal, but nothing.

Cyber Elite

Hi @RobertShawver,

Yes, you are correct. It is the portal. I will go back and edit my post. 😁

What do you have configured under Network > Global Protect > Portal > Agent > Configs > App > Allow User to Upgrade GlobalProtect App? I know it has prompted me in the past. I don't remember what PAN-OS or GP version it was. Maybe that "feature" has been removed.

I am curious. What happens when you open GP Client > Settings > About > Check for Updates?

Thanks,

Tom

@TomYoung 

Really appreciate your time!

Network > Global Protect > Portal > Agent > Configs > App > Allow User to Upgrade GlobalProtect App > "Allow Transparently"

What happens when you open GP Client > Settings > About > Check for Updates?

RobertShawver_0-1692899824626.png

"Check for Updates" doesn't exist.  I was having some issues with 6.1.1, so I rolled the dice on 6.2.0-89 and came up craps.  

Users every few hours are getting this:

RobertShawver_1-1692900022328.png

I found a "fix", which was to go to C:\Users\your user id\AppData\Local\Palo Alto Networks\GlobalProtect\ and delete all the dat files.

That only seems to fix them for a few hours however. It's becoming a real issue for me. I've talked to two different support people now and they don't know what to do.

EDIT: I also do not see any upgrade/downgrade even attempted in the Windows logs.

It looks like it should be getting the new config:

RobertShawver_2-1692901808928.png

But it isn't changing the version or doesn't even seem to be attempting to.

Cyber Elite

Hi @RobertShawver,

I am curious if the behavior would be different if you selected Allow Manually or Allow with Prompt for the Allow User to Upgrade GlobalProtect App option. You probably know this, but once you change you will need to Refresh Connection or Logout/Login.

Thanks,

Tom

Hey @TomYoung 

I think you got it!!!!  Well, sort of.  LOL!!!

I changed it to "Allow with Prompt" and now I get this:

RobertShawver_0-1692911192171.png

RobertShawver_1-1692911217583.png

Which is a FAR sight further than before! It's not seamless, but I think I can make it work.

Because not everyone is having the issue, those with 6.2.0 will just keep on keeping on none the wiser. Those that are having an issue, I can direct them to check for the update.

You are "The Man"!! Thanks so much!!

I am curious, do you know what "internal" means?

RobertShawver_2-1692911455662.png

Cyber Elite

Hi @RobertShawver,

Great news!

With regard to your other questions, internal is listed here -> https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/globalprotect/network-globalp....

Thanks,

Tom

L0 Member

I upgraded the GP version from 6.2.1 to 6.2.4 and after that users started getting connection issues. It's stuck on the "Finding the best available gateway" message. I rolled back the version on the firewall, but my client has already been upgraded and now it's not connecting, so how can I downgrade it to 6.2.1 now?

Cyber Elite

Hi @Bisham,

You can download the install files from (1) the portal login page or (2) the CSP under Updates > Software Updates > GlobalProtect Agent for ....

Thanks,

Tom

Palo makes rolling back GP very difficult if not impossible natively.  You could do it via login script or something like Intune.  Other than that, you can look above to see how I was able to do it - it's a pain for sure though!

But if I have a higher version, 6.2.4, and 6.2.1 is activated on the portal, will I not be able to connect to the VPN?

Cyber Elite

Hi @Bisham,

Yes, the client can be downgraded from the NGFW.

Thanks,

Tom