Global Protect upgrade allow transparantly does not work properly

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Global Protect upgrade allow transparantly does not work properly

L2 Linker

I am currently testing a profile in the GP portal to allow transparant upgrades for a select group of users.

The profile 'Any' is not allowed to upgrade.

Current version of GP agent: 5.1.4. Upgrade version now active: 5.2.4


All users in the selected group reported they received the interactive popups to perform download and install.

One user performed a 'refresh connection'.

Another user performed a cold boot of their laptop.


So for now, it looks like the setting 'allow transparantly' does allow these user to perform the upgrade, but it does not perform the upgrade silent, which I believe is the idea of this setting?



Accepted Solutions

The situation is resolved.

The Global Protect settings in the portal config were never wrong.


We are using Panorama to manage the firewalls.

The issue was that there was a pending change in superadmin context which failed to commit the relevant firewall which happend to be in the Network configuration section, which had nothing to do with Global Protect.


In Panorama the commit and push would say Ok, but in the commit details the relevant FW stated commit failed, this was overlooked.

Therefore the changes in Network configuration and thus in Global Protect settings were never actually committed.


This is somewhat of GUI design issue with Panorama. It doesn't do a great job in letting you know if the commit (and push) completely went ok all the way.

View solution in original post


L2 Linker
Allow Transparently—Automatically upgrade the app software whenever a new version becomes available on the portal (It will typically connect, download, update, and then reconnect all with no interaction).

Ensure that the user is not expecting the upgrade process to happen before the GlobalProtect client is connected to their network. This upgrade will not take place until after the connection to its network has been made to avoid loss of productivity for the end-user. After the connection has been established, it will then begin the task of downloading the upgrade automatically and transparently in the background. 

After the installation of the new version, the connection may drop and reconnect to establish a connection with the new client version. Also, verify if users are experiencing high traffic in their network. If there is a high traffic situation, some clients could fail to download the package. GlobalProtect will delay the task by a randomly determined interval (1 to 30 minutes). There is no guarantee that every download will succeed the first time, but it will succeed eventually.

The automatic update also depends on what the previous version was installed. If it is an older version, some existing information may have not been carried forward.


Note: The transparent upgrade will only work if the GlobalProtect user is running a lower GlobalProtect version than what has been activated on the firewall


Note: Make sure you have DNS records for the portal on your internal DNS servers so it can resolve to the portal address and be able to download the new client version.

Come on, is this the best we can do in the community? Copy paste a knowledge base article? Without even reading the OP?


I already found that one and verified this information before posting.


The only thing that can be true in that text is:

"The automatic update also depends on what the previous version was installed. If it is an older version, some existing information may have not been carried forward."


In that, if 5.2 does something different compared to 5.1 and thus will not work transparantly. However, so far I have been unable to find that particular information to confirm this is true or not.

Another thing that I haven't been able to confirm yet is the usage of pre-logon.


While the documentation says the upgrade only works in user mode AFTER the connection to the network is made.

The pre-logon portal profile is currently set to disallowed upgrades.

I'm assuming that would mean that the upgrade popup cannot be triggered in the device mode, thus can never install an upgrade before windows logon and/or do it transparantly.




I tested uninstalling the GP agent 5.2 and remove all registry and configuration files.

Manually install old/current version 5.1.4 again.

Perform a first time connection, upon logging in to the portal again I am presented the interactive upgrade. /sad

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!