I've done two previous client updates through the firewalls that went fine. The first was 5.0.4 -> 5.1.5 with the portal set to allow user to update manually. Everything went fine. At the time, I think PAN-OS was 8.1.something
The second was 5.1.5 -> 5.2.6 with the portal set to allow transparently. Everything went fine. PAN-OS was 9.1.7 at the time I believe.
This time I'm doing it transparently again from 5.2.6 -> 5.2.8. PAN-OS is 9.1.10. So far only about 13 out of around 90 computers successfully updated. The rest still show that they're connecting fine in the firewall's GP logs, but they're all 5.2.6
Laptops are all Windows 10, and a mix of builds with the oldest being 1909. Most are 20H2. There's no consistency among builds as far as what's getting updated and what isn't though.
I had one of our developers contact me because they said that they're getting the windows notification "GlobalProtect agent upgrade is in progress. Please wait, the application will restart once the upgrade is complete." The upgrade never takes place though. The message appears repeatedly every once in a while also.
I checked the Windows Application log on their machine and I never see an MsiInstaller event 1040 for "Beginning a Windows Installer transaction: C:\Program Files\Palo Alto Networks\GlobalProtect\globalprotect.msi"
The PanGPS log doesn't show any entries for "msgtype = software-upgrade"
AV we're using is Windows Defender ATP. I examined the Device timeline on the machine and was able to see that there was an entry for file created (by PanGPA.exe) c:\users\<user>\appdata\local\temp\_temp<#>.msi, but no activity beyond that.
The timeline on a machine where the upgrade was successful eventually shows that the temp.msi file is modified, and then globalprotect.msi and update_tmp.bat are created in GlobalProtect program directory.
I had the user download the 5.2.8 update msi file and they were able to manually update successfully.
Not sure what is going on. Is anyone else seeing anything like this?
EDIT: Over the weekend, I changed the Portal Client Upgrade settings from "Allow Transparently" to "Allow Manually", and I am not seeing the prompt to upgrade.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!