Global Protect Transparent Update


L2 Linker

Hi All,

 

I've been testing a transparent upgrade from 5.1.8 to 5.2.9 (only a handful of clients). We're a Windows 10 site, 1909+.

 

So far so good; however, I have come across a client that refuses to update. The device prompted the update and informed the user of the process, the client restarted and reconnected but stayed on 5.1.8.

 

Looking at the PanGPS log, I can see this just after the upgrade starts:

 

(T10172)Info ( 501): 01/12/22 13:19:33:320 msgtype = software-upgrade
(T10172)Info ( 608): 01/12/22 13:19:33:320 #### updater started, command is C:\Users\********\AppData\Local\Temp\_temp20292.msi
(T10172)Debug( 39): 01/12/22 13:19:33:320 try verify file C:\Users\********\AppData\Local\Temp\_temp20292.msi
(T10172)Error( 165): 01/12/22 13:19:33:391 The file C:\Users\********\AppData\Local\Temp\_temp20292.msi is not signed or corrupted
(T10172)Error( 638): 01/12/22 13:19:33:391 file did not signed by us, return now

 

In the short term this is OK, as it's reverted and allowed the older version 5.1.8 to continue to work, but I'd like to understand the exact issue/cause. I don't want to roll out to 1500 clients and find half don't want to update, even if they do continue to work on the older version.

 

I have found an article here https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBW9CAO&lang=en_US%E2%80%A...

that specifies a DNS-related issue, but I know the portal FQDN is purely one IP address. There is no different internal address.

That article explains multiple reasons for this error but I can't find proof of any other reasons?

 

One thing I'm also concerned with is the client hasn't tried to upgrade again since? The portal app config specifies a config refresh interval of 1 hour, so I would've hoped it would try updating again?

 

 

What other reasons would cause this behaviour and why isn't it trying to update the client on reconnect?

 

Thanks

Ian
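
Added example, not part of the original post and not Palo Alto Networks code: a Python scan of PanGPS log text for the updater-start and signature-rejection messages quoted above, so clients that rejected the downloaded MSI can be found before a wider rollout. The line layout is inferred from the quoted lines, the second attempt in the sample is constructed, and because the thread does not show what a successful upgrade logs, the result only says whether a rejection was logged.

```python
import re

# Layout inferred from the PanGPS lines quoted in the post (an assumption):
# (T<thread>)<Level>( <source line>): <date> <time> <message>
LINE_RE = re.compile(
    r"^\(T(?P<tid>\d+)\)\s*(?P<level>\w+)\s*\(\s*(?P<src>\d+)\):\s+"
    r"(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d:\d{3})\s+(?P<msg>.*)$"
)
START = "#### updater started, command is "
REJECTED = ("is not signed or corrupted", "file did not signed by us")


def find_upgrade_attempts(lines):
    """One record per 'updater started' line; 'rejected' is set when the
    same thread then logs one of the signature-rejection messages."""
    attempts, open_by_thread = [], {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or differently formatted line
        tid, msg = m["tid"], m["msg"]
        if msg.startswith(START):
            rec = {"thread": tid, "started": m["ts"], "rejected_at": None,
                   "installer": msg[len(START):], "rejected": False}
            attempts.append(rec)
            open_by_thread[tid] = rec
        elif tid in open_by_thread and any(s in msg for s in REJECTED):
            rec = open_by_thread[tid]
            if not rec["rejected"]:  # keep the first rejection timestamp
                rec["rejected"], rec["rejected_at"] = True, m["ts"]
    return attempts


# Sample input: first five lines as quoted in the post; the last two are a
# constructed second attempt (hypothetical thread id and file name).
SAMPLE = r"""
(T10172)Info ( 501): 01/12/22 13:19:33:320 msgtype = software-upgrade
(T10172)Info ( 608): 01/12/22 13:19:33:320 #### updater started, command is C:\Users\********\AppData\Local\Temp\_temp20292.msi
(T10172)Debug( 39): 01/12/22 13:19:33:320 try verify file C:\Users\********\AppData\Local\Temp\_temp20292.msi
(T10172)Error( 165): 01/12/22 13:19:33:391 The file C:\Users\********\AppData\Local\Temp\_temp20292.msi is not signed or corrupted
(T10172)Error( 638): 01/12/22 13:19:33:391 file did not signed by us, return now
(T10240)Info ( 608): 01/12/22 14:02:10:115 #### updater started, command is C:\Users\********\AppData\Local\Temp\_temp31111.msi
(T10240)Debug( 39): 01/12/22 14:02:10:115 try verify file C:\Users\********\AppData\Local\Temp\_temp31111.msi
""".splitlines()

if __name__ == "__main__":
    for a in find_upgrade_attempts(SAMPLE):
        state = "SIGNATURE REJECTED" if a["rejected"] else "no rejection logged"
        print(a["thread"], a["started"], a["installer"], state)
```
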


L6 Presenter

Try enabling auto update from the portal setting Allow User to Upgrade GlobalProtect App to Allow Transparently:

 

 

GlobalProtect Portals Agent App Tab (paloaltonetworks.com)

 

 

You can also test to upgrade with Software Center on Windows or Jamf for Mac or Microsoft Intune if you have it. Software Center in some cases deletes the old software and then installs the new one and this can bypass the bug.

Thanks for the response. This is already set up as Transparent.

 

Moving forward I think we will utilise Software Center/SCCM rather than the automated PA way.

 

I just wanted to know why the majority do upgrade yet some display this message in the logs.

We had the same issue that after the upgrade fails GlobalProtect does not try again, and with Software Center we schedule attempts where SCCM removes the old version and then installs the new agent.

 

 

A good note is that even with SCCM you can see issues, for example if SCCM deletes the old GlobalProtect agent but some old files remain and then the installation of the new agent fails even with SCCM, but it is much rarer, so just package a new GlobalProtect software and try using SCCM and share if you see issues.

 

An example is a remaining reg key that needs to be deleted separately after the old version of GlobalProtect is removed.

 

GlobalProtect Error During Installation: An instance of GlobalProtect is already present on the syst...

@nikoolayy1 

 

Do most large organizations use SCCM to update, or do you see them preferring transparent?
