Upgrading GlobalProtect while on corp network

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Upgrading GlobalProtect while on corp network

L4 Transporter

Hi everyone,


I have a client who said every time they try to upgrade globalprotect, they have mixed results. The issue seems to be that they'll set the GP App to "Allow with prompt". However, the users will never get the prompt while they are on the corporate network. It seems possibly, when the users go home, they'll get the prompt to download and then install, but maybe they shutdown or restart their machines while the install is happening, which then causes issues.  This is an assumption of what might possibly be happening.


The real question is, what is the best way to allow the upgrade to happen in the office? 


Public DNS record -  gp.domainname.com pointing to public IP of firewall e1/1 interface  (ex

e1/1 - untrust zone  IP

e1/2 - trust zone  IP

Client on corp network



Accepted Solutions


In this case it is more likely the NAT rule which causes this problem. After you configure a no NAT rule above the existing one it probably looks better, but TLS decryption might still be the next step to check.


From what time do you count this minute and more? Start of computer, loginscreen, after successful login when the desktop is shown? And what is the connection method: always-on pre-logon, always-on user-logon, ...?

View solution in original post


Cyber Elite
Cyber Elite


What about configuring the setting "Allow users to upgrade global protect app" to "Internal"?

This will update the agent transparently but only when the client is in the internal network and not connected by VPN.

@vsys_remo I believe an Internal gateway is required for this option?  I'd also have to consider the remote workers who are never in the office

No, internal gateway isn't required. Only internal host detection. But yes when you have remote workers who are never in the office then this option does not work. Maybe if it is clear who always works from remote, then you could put them into a group and give them another portal config than your default configuration which then would be to allow the update only internally.

@vsys_remo That's a good suggestion, as an alternative.  Is there anyway for transparent or allow with prompt to work, while on the corporate LAN?

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!