- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
Upgrading GlobalProtect while on corp network
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- Upgrading GlobalProtect while on corp network
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-01-2018 12:29 PM
Hi everyone,
I have a client who said every time they try to upgrade globalprotect, they have mixed results. The issue seems to be that they'll set the GP App to "Allow with prompt". However, the users will never get the prompt while they are on the corporate network. It seems possibly, when the users go home, they'll get the prompt to download and then install, but maybe they shutdown or restart their machines while the install is happening, which then causes issues. This is an assumption of what might possibly be happening.
The real question is, what is the best way to allow the upgrade to happen in the office?
Public DNS record - gp.domainname.com pointing to public IP of firewall e1/1 interface (ex 2.2.2.2)
e1/1 - untrust zone IP 2.2.2.2/24
e1/2 - trust zone IP 10.10.10.1/24
Client on corp network 10.10.10.100/24
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-02-2018 08:15 AM
In this case it is more likely the NAT rule which causes this problem. After you configure a no NAT rule above the existing one it probably looks better, but TLS decryption might still be the next step to check.
From what time do you count this minute and more? Start of computer, loginscreen, after successful login when the desktop is shown? And what is the connection method: always-on pre-logon, always-on user-logon, ...?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-01-2018 02:04 PM
What about configuring the setting "Allow users to upgrade global protect app" to "Internal"?
This will update the agent transparently but only when the client is in the internal network and not connected by VPN.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-01-2018 05:35 PM - edited 09-01-2018 05:36 PM
@vsys_remo I believe an Internal gateway is required for this option? I'd also have to consider the remote workers who are never in the office
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-01-2018 06:13 PM
No, internal gateway isn't required. Only internal host detection. But yes when you have remote workers who are never in the office then this option does not work. Maybe if it is clear who always works from remote, then you could put them into a group and give them another portal config than your default configuration which then would be to allow the update only internally.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-01-2018 06:19 PM
@vsys_remo That's a good suggestion, as an alternative. Is there anyway for transparent or allow with prompt to work, while on the corporate LAN?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-02-2018 05:43 AM
@ce1028 so far I am not aware of problems that the upgrade does not work from internal. Did you test it yourself? Are there any specific version updates that did fail or is the problem in general? Are the clients able to successfully connect to the portal from internal? Is TLS decryption enabled that may be breaks this connection? There could be multiple reasons causing this to fail... the client logs are probably a good place to start the search for a reason.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-02-2018 07:53 AM
@vsys_remo I'm going to spin up a lab soon to try it. I did see the problem at their site. This has always been an issue for them. When internal host detection detects they are internal, they will never receive the prompt.
They do have TLS Decryption enabled. That's a good suggestion to check. I wasn't sure if it was the outbound NATrule causing the issue. Their internet outbound nat rule translates their internal IP to the same public IP of the GP Portal
I also noticed it takes well over 1 minute before GP detects that it's on an internal network.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-02-2018 08:15 AM
In this case it is more likely the NAT rule which causes this problem. After you configure a no NAT rule above the existing one it probably looks better, but TLS decryption might still be the next step to check.
From what time do you count this minute and more? Start of computer, loginscreen, after successful login when the desktop is shown? And what is the connection method: always-on pre-logon, always-on user-logon, ...?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-02-2018 11:57 AM
@vsys_remo I was able to reproduce in my test lab. It was the NAT rule causing the issue!
GP is set to always on. I start counting once GP starts spinning. They have not reported this problem, just something I noticed on all of their machines.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-02-2018 12:31 PM
I noticed that the icon sometimes is way behind the actual status of global protect. But as long as you don't configure the setting "enforce global protect for network access" this isn't a problem, when exactly the internal host detection happens.
- No valid GlobalProtect Subscription License warning in General Topics
- VPN Connection Failed in GlobalProtect Discussions
- Crowd strike installed not installed list using palo alto HIP object in GlobalProtect Discussions
- intermittent disconnect and client probing in GlobalProtect Discussions
- User is trying to connect with MS-RDP. Log shows TCP 3389 but application is not-applicable in General Topics
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
