Globalprotect verison 5.2.8 doesnt upgrade on some of the users

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Globalprotect verison 5.2.8 doesnt upgrade on some of the users

L0 Member

Hi Team,


We have currently updated GlobalProtect to 5.2.11 from 5.2.10. While running report we came to know that some users are still on 5.2.8 and client is not getting updated on those devices. Can you please suggest if there an issue with version 5.2.8? Currently we are planning to push 5.2.11 version on those machines via software center but if we have any option on GlobalProtect Portal which can initiate the upgrade would be great







L2 Linker

When we adopted GlobalProtect I was given bad information.  I was under the impression that the portal upgrade process was an all or nothing process.  So I used other tools to upgrade GP versions.  Royal pain as older releases required that you uninstall the app and then install the new version!  So I used AutoIT to create a script since it is a chicken and egg problem.  When it came to the 5.2.x version we ran into all sorts of issues where some systems upgraded and were completely broken which is no bueno even without COVID19.  If I had known you could control things by AD group I would have saved myself so much pain over the last few years!


Grab a copy of the documentation for GP and do some reading as the info is there!  You can use the portal to upgrade clients and control who gets upgraded!  Here are my notes based on my Windows setup:

  1. Create two AD universal security groups.  One for "Upgrades" and one for "Do Not Upgrade" which gives you some options.  Remember to update the Authentication Profile so these groups can be used in your authentication profile.
  2.   Clone your agent profile for GP.  Save one profile as "Do not upgrade" and one as "Upgrade".  Remember the first match wins so put the "do not upgrade" at the top, then upgrade and then your regular profile(s).  
  3. Edit the two new agent profiles so they use the matching AD security group.
  4. At this point all of your agent profiles are the same so there is zero chance for any harm.  Now add some test users to each of your groups, sync them to the Palo, login to GP on a test system with the test accounts and verify the agent profile is used for the users as you setup.
  5. For the "do not upgrade" agent profile double-check and make sure it is set to Disallow upgrades. (Should be since you are not using this)
  6. For the "upgrade" agent profile update  setup your preferences for upgrades.  I initially did "Allow with Prompt" to do testing and then moved to "Allow Transparently".
  7. Download the release of the GP client you want to use to the Palo and then activate it.  
  8. Upgrades should now flow to those in the "upgrade" AD group.

If all goes according to plan you should now be able to add a few people each day to your AD group to upgrade folks across the company without incurring too much risk in case something goes wrong.  I always test the release myself, with my specific "use cases" of what must work.  I then add some IS staff who have admin rights so if something goes wrong they can recover on their own.  Then I move on to picking one model of each PC with one person for testing.  Since we moved to this process for upgrades things have been smooth sailing ( knock on wood).

  • 1 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!