- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
04-11-2023 05:49 AM
Hello, im sure there is a document somewhere on how to do this but I cant seem to find it. We have a requirement to ensure our users are on the most current version of GP. Does anyone have a link to the document on how to set this up within the checks the FW runs when the users attempt to start a VPN connection?
04-11-2023 06:00 AM
You can create a HIP object setup like the example that I've included in the message below. You can then setup a profile and use it within your rulebase or configuration selection criteria as desired.
<entry name="GlobalProtect-6.1.1">
<host-info>
<criteria>
<client-version>
<contains>6.1.1</contains>
</client-version>
</criteria>
</host-info>
</entry>
I would recommend that you create rules to allow clients meeting your outdated criteria enough access to upgrade through the client itself instead of forcing a redownload through the portal or anything like that. Makes it easier on the client since GlobalProtect tends to occasionally run into issues keeping itself updated.
Additionally I always use at least an N+1 supported agent configuration. The newest target GlobalProtect client version that I want everyone to have, and then the last target client version that those who might not have the latest upgrade would be running. Then I use a hip-notification to alert the user running the older release that the client is out of date and needs to be updated, but also that they won't have access to sensitive resources until they have the latest desired agent. Then just configure the policies as your organization requires and it's a fairly seamless transition from version to version.
04-11-2023 06:02 AM
Thank you. I figured it was done this way.
04-11-2023 08:27 AM
Not sure if this is the right place to add this but I am trying to identify the best approach to keeping the GP client updated to the latest version. Also need to try and do this witout client intervention. Can we upgrade in the background?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!