Need to upgrade to next available GP version


L2 Linker

Currently the FW uses 5.2.11.
The team has proposed to perform an upgrade to the next available stable version because an internal scan detected vulnerabilities in the current version.
Question:
Which version is next in line in terms of being stable, secure and working?
How should I approach this, as all user machines are using 5.2.11? We need to do testing first, by batch, before we can roll out the new version.

L2 Linker

Hi,

You can use this link to determine which version you should install: https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-...

Use the preferred release of the version you choose. We use version 6.1; we are currently on 6.1.1 and are migrating to 6.1.2.

For testing, you can add an agent configuration in the portal that matches only a group of users, and configure in the App section:

[Screenshot: CHARRIER_0-1699356223921.png]

And block the upgrade in the other agent configuration where you have all the users.

When you finish testing, modify this setting to allow the upgrade for all the users.

But how about the firewall itself? Currently it has 5.2.11 installed.
Let's say I prefer version 6.1.11: can I install 6.1.11 on the firewall? What happens with the existing 5.2.11?
Can both be present at the same time?

L2 Linker

Yes, you can install 6.1.11 on the firewall, and 5.2.11 continues to work.

Just check the parameter "Allow user to upgrade Globalprotect" and set it to disallow; otherwise, the GP client upgrades itself at the next user connection.

On our firewall, we have installed 6.1.2 and set the parameter to allow for the IT users for testing, and set it to disallow for all other users. The users are on version 6.1.1 and can connect to GlobalProtect.

Hello @CHARRIER, thanks for your input, but I need to clarify something.
I checked with TAC support, and they are giving me different input.
Is it true? I'm confused and not sure which one is correct.

quote: "You can download the 6.1.2 but you cannot install it, because we can only have one version GP installed on firewall. You mentioned previously that you would like to have some of the users using upgraded GP version for test purpose, that's why I suggested upgrading GP on their laptop. Because once you upgrade the GP on firewall, all the users will use the new version." 

Correct me if I'm wrong: can it be downloaded but not installed?
Or can more than 2 versions be installed on the firewall at the same time?

L2 Linker

Hello,

Correct me if I'm wrong: can it be downloaded but not installed? => You can download it and not install it.
Or can more than 2 versions be installed on the firewall at the same time? => You can't have 2 versions installed at the same time. The last installed version takes precedence.

"Because once you upgrade the GP on firewall, all the users will use the new version." => I don't agree with this. You can manage the deployment. That depends on the parameter "Allow user to upgrade Globalprotect", configured under Portal/Agent/Configs/ select your configuration/ App section/

If you have all your users in this configuration and the parameter "Allow user to upgrade Globalprotect" is set to Allow with prompt / Allow transparently / Allow Manually, then when you install the new version, the users get it.

But if you set this parameter to disallow, the upgrade of the client won't launch.

In our case, we have 2 agent configurations: one with the IT users, one with all users.

When I wanted to test a new client, I set the parameter "Allow user to upgrade Globalprotect" to disallow for the all-users configuration, and for the IT-users configuration I left the parameter on allow transparently.

After that I installed the version I wanted to test on the firewall, and at the next connection for IT users, the client was updated; the client was not updated for all the users.

After a period of testing by the IT users, if it's all good, I decide to push this client to all the users: I just change the parameter "Allow user to upgrade Globalprotect" for the all-users configuration and set it to Allow transparently. At that moment, the upgrade becomes available for all the users, and the upgrade is installed at the next connection.

If you don't want to take risks, I suggest you manually install the client on some laptops for testing. And when you are ready for the deployment, try to make different Portal agent configurations for your testing users and for all the users, to deploy first to your testing users and afterwards to all the users. Then set the parameter "Allow user to upgrade Globalprotect" to allow transparently for your testing users and disallow for all users, install the GP version you want on the firewall, and see if only the users in the testing group are upgrading.

If it works as expected, you have your configuration for the future deployment of new versions of GlobalProtect.

Currently, what is your Portal agent configuration? Do you have multiple, or do you have one with all the users?
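
The staged rollout described in the answer above, sketched as a simplified Python model; this is an added example, not part of the original post and not Palo Alto Networks code. The class and function names, the sample users and groups, the first-matching-configuration rule and the "only offer a newer version" rule are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Settings under which the answer says users get the new client.
UPGRADING = {"allow with prompt", "allow transparently", "allow manually"}

@dataclass
class AgentConfig:            # hypothetical stand-in for a portal agent config
    name: str
    groups: set               # groups the config applies to; {"any"} matches all
    allow_upgrade: str        # value of "Allow user to upgrade Globalprotect"

def parse_version(v):
    """'5.2.11' -> (5, 2, 11), so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def matching_config(user_groups, configs):
    """Assumption: the user gets the first config in the list that matches."""
    for cfg in configs:
        if "any" in cfg.groups or cfg.groups & user_groups:
            return cfg
    return None

def upgrade_offered(client_version, user_groups, configs, firewall_version):
    """True if this user would be offered the firewall's client version."""
    cfg = matching_config(user_groups, configs)
    if cfg is None or cfg.allow_upgrade.lower() not in UPGRADING:
        return False
    # Assumption: only a newer firewall-side version triggers an upgrade.
    return parse_version(firewall_version) > parse_version(client_version)

def rollout_plan(users, configs, firewall_version):
    """Map each user to whether the upgrade reaches them at next connection."""
    return {name: upgrade_offered(ver, groups, configs, firewall_version)
            for name, (ver, groups) in users.items()}

# Constructed sample data: user -> (installed client version, groups).
USERS = {"alice": ("5.2.11", {"it-users"}), "bob": ("5.2.11", {"sales"})}
PILOT = [AgentConfig("it", {"it-users"}, "Allow transparently"),
         AgentConfig("all", {"any"}, "Disallow")]
MISORDERED = list(reversed(PILOT))   # catch-all config listed first
GENERAL = [AgentConfig("it", {"it-users"}, "Allow transparently"),
           AgentConfig("all", {"any"}, "Allow transparently")]

if __name__ == "__main__":
    for label, cfgs in (("pilot", PILOT), ("misordered", MISORDERED),
                        ("general", GENERAL)):
        print(label, rollout_plan(USERS, cfgs, "6.1.2"))
```

Under these assumptions, the misordered case shows why the test-group configuration has to sit above the catch-all one: otherwise the pilot users match the disallow configuration and never receive the client under test.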

 

 

 

L2 Linker

Hello, have you upgraded your GlobalProtect client?

L2 Linker

@CHARRIER Yes, I managed to perform the testing with GP 6.1.2 with selected users.
What I did was just install manually and push GP 6.1.2 via SCCM to UAT users, and they are able to use GP as normal.
On the firewall no changes were made. On the firewall, GP 5.2.11 is still installed, without GP 6.1.2 downloaded or installed. Once testing is complete, I will just download GP 6.1.2 and will change the Agent setting to "allow download transparent" or "allow transparent".
