GP Client not updating transparently on Win10 machines (5.2.6 -> 5.2.8)

cancel
Showing results for 
Search instead for 
Did you mean: 

GP Client not updating transparently on Win10 machines (5.2.6 -> 5.2.8)

L1 Bithead

I've done two previous client updates through the firewalls that went fine.  The first was 5.0.4 -> 5.1.5 with the portal set to allow user to update manually.  Everything went fine.  At the time, I think PAN-OS was 8.1.something

The second was 5.1.5 -> 5.2.6 with the portal set to allow transparently.  Everything went fine.  PAN-OS was 9.1.7 at the time I believe.


This time I'm doing it transparently again from 5.2.6 -> 5.2.8.  PAN-OS is 9.1.10. So far only about 13 out of around 90 computers successfully updated.  The rest still show that they're connecting fine in the firewall's GP logs, but they're all 5.2.6

 

Laptops are all Windows 10, and a mix of builds with the oldest being 1909.  Most are 20H2.  There's no consistency among builds as far as what's getting updated and what isn't though.

 

I had one of our developers contact me because they said that they're getting the windows notification "GlobalProtect agent upgrade is in progress. Please wait, the application will restart once the upgrade is complete."  The upgrade never takes place though.  The message appears repeatedly every once in a while also.

 

I checked the Windows Application log on their machine and I never see an MsiInstaller event 1040 for "Beginning a Windows Installer transaction: C:\Program Files\Palo Alto Networks\GlobalProtect\globalprotect.msi"

The PanGPS log doesn't show any entries for "msgtype = software-upgrade"

 

AV we're using is Windows Defender ATP.  I examined the Device timeline on the machine and was able to see that there was an entry for file created (by PanGPA.exe) c:\users\<user>\appdata\local\temp\_temp<#>.msi, but no activity beyond that.

The timeline on a machine where the upgrade was successful eventually shows that the temp.msi file is modified, and then globalprotect.msi and update_tmp.bat are created in GlobalProtect program directory.

 

I had the user download the 5.2.8 update msi file and they were able to manually update successfully.

 

Not sure what is going on.  Is anyone else seeing anything like this?

 

EDIT:  Over the weekend, I changed the Portal Client Upgrade settings from "Allow Transparently" to "Allow Manually", and I am not seeing the prompt to upgrade.

1 ACCEPTED SOLUTION

Accepted Solutions

Problem for me was internal DNS was wrong for the GP Portal. Changed DNS record so that the Portal was reachable from inside the network, then everything immediately started working.

View solution in original post

2 REPLIES 2

L1 Bithead

The "Check for Updates" button appears in the "About" window when set to "Allow Manually"

Didn't help me though, it just says it's downloading the upgrade and will prompt again when ready to install. Then it never prompts.

Problem for me was internal DNS was wrong for the GP Portal. Changed DNS record so that the Portal was reachable from inside the network, then everything immediately started working.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!