This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Roll Back GlobalProtect

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Roll Back GlobalProtect

Go to solution
RobertShawver
L4 Transporter

‎08-24-2023 09:48 AM

Does palo seriously not provide a way to roll back GlobalProtect?  TAC told me there is no documentation on how to do that. 

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
TomYoung
Cyber Elite
Cyber Elite

‎08-24-2023 12:53 PM

Hi @RobertShawver ,

 

I am curious if the behavior would be different if you selected Allow Manually or Allow with Prompt for the Allow User to Upgrade GlobalProtect App option.  You probably know this, but once you change you will need to Refresh Connection or Logout/Login.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

View solution in original post

17 REPLIES 17

Go to solution
TomYoung
Cyber Elite
Cyber Elite

‎08-24-2023 10:22 AM - edited ‎08-24-2023 10:52 AM

Hi @RobertShawver ,

 

Unless things have changed in a new PAN-OS, I have found that by activating an older version on the portal, the client is prompted if they want to install the older version of GP.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
RobertShawver
L4 Transporter
In response to TomYoung

‎08-24-2023 10:32 AM

Hi @TomYoung 

I'm not sure what you mean by "activating an older version on the gateway".  I was under the impression that came from the Portal, not the gateway.

 

On the firewall, I have gone to Device > GlobalProtect Client downloaded and Activated a lower version.  I then connected to that Portal, but nothing.

0 Likes Likes

Go to solution
TomYoung
Cyber Elite
Cyber Elite

‎08-24-2023 10:52 AM

Hi @RobertShawver ,

 

Yes, you are correct.  It is the portal.  I will go back and edit my post.  😁

 

What do you have configured under Network > Global Protect > Portal > Agent > Configs > App > Allow User to Upgrade GlobalProtect App?  I know it has prompted me in the past.  I don't remember what PAN-OS or GP version it was.  Maybe that "feature" has been removed.

 

I am curious.  What happens when you open GP Client > Settings > About > Check for Updates?

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Go to solution
RobertShawver
L4 Transporter
In response to TomYoung

‎08-24-2023 11:04 AM - edited ‎08-24-2023 11:11 AM

@TomYoung 

Really appreciate your time!

Network > Global Protect > Portal > Agent > Configs > App > Allow User to Upgrade GlobalProtect App > "Allow Transparently"

What happens when you open GP Client > Settings > About > Check for Updates?

RobertShawver_0-1692899824626.png

"Check for Updates" doesn't exist.  I was having some issues with 6.1.1, so I rolled the dice on 6.2.0-89 and came up craps.  

Users every few hours are getting this:

RobertShawver_1-1692900022328.png

I found a "fix", which was to go to C:\Users\your user id\AppData\Local\Palo Alto Networks\GlobalProtect\ and delete all the dat files.

That only seems to fix them for a few hours however.  It's becoming a real issue for me.  I've talked to two different support people now and they don't know what to do.

 

EDIT: I also do not see any upgrade/downgrade even attempted in the Windows logs.

0 Likes Likes

Go to solution
RobertShawver
L4 Transporter
In response to RobertShawver

‎08-24-2023 11:30 AM

It looks like it should be getting the new config:

RobertShawver_2-1692901808928.png

But it isn't changing the version or doesn't even seem to be attempting to.

0 Likes Likes

Go to solution
TomYoung
Cyber Elite
Cyber Elite

‎08-24-2023 12:53 PM

Hi @RobertShawver ,

 

I am curious if the behavior would be different if you selected Allow Manually or Allow with Prompt for the Allow User to Upgrade GlobalProtect App option.  You probably know this, but once you change you will need to Refresh Connection or Logout/Login.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Go to solution
RobertShawver
L4 Transporter
In response to TomYoung

‎08-24-2023 02:09 PM

Hey @TomYoung 

I think you got it!!!!  Well, sort of.  LOL!!!

I changed it to "Allow with Prompt" and now I get this:

RobertShawver_0-1692911192171.pngRobertShawver_1-1692911217583.png

Which is a FAR sight further than before!  It's not seamless, but I think i can make it work.

Because not everyone is having the issue, those with 6.2.0 will just keep on keeping on none the wiser.  Those that are having an issue, I can direct them to check for the update.

 

You are "The Man"!!  Thanks so much!!

Go to solution
RobertShawver
L4 Transporter
In response to RobertShawver

‎08-24-2023 02:11 PM

I am curious, do you know what "internal" means?

 

RobertShawver_2-1692911455662.png

 

 

 

 

0 Likes Likes

Go to solution
TomYoung
Cyber Elite
Cyber Elite

‎08-24-2023 02:21 PM - edited ‎08-25-2023 04:26 AM

Hi @RobertShawver ,

 

Great news! 

 

With regard to your other questions, internal is listed here -> https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/globalprotect/network-globalp....

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Go to solution
Bisham
L0 Member

‎08-15-2024 08:25 PM

I upgraded the GP version from 6.2.1 to 6.2.4 and after that users started getting connection issues. Its stuck in Finding the best available gateway message. I rolled back the version in Firewall but my client is already got upgraded and now its not connecting so how i can downgrade this now? to 6.2.1

Go to solution
TomYoung
Cyber Elite
Cyber Elite

‎08-16-2024 01:49 PM

Hi @Bisham ,

 

You can download the install files from (1) the portal login page or (2) the CSP under Updates > Software Updates > GlobalProtect Agent for ....

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Go to solution
RobertShawver
L4 Transporter
In response to Bisham

‎08-19-2024 07:07 AM

Palo makes rolling back GP very difficult if not impossible natively.  You could do it via login script or something like Intune.  Other than that, you can look above to see how I was able to do it - it's a pain for sure though!

0 Likes Likes

Go to solution
Bisham
L0 Member
In response to RobertShawver

‎08-19-2024 07:15 AM

But if i have a higher version 6.2.4 and on portal 6.2.1 is activated then will i be not able to connect to VPN?

0 Likes Likes

Go to solution
TomYoung
Cyber Elite
Cyber Elite

‎08-19-2024 10:48 AM

Hi @Bisham ,

 

Yes, the client can be downgraded from the NGFW.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes
  • 1 accepted solution
  • 4941 Views
  • 17 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks