Problem:
Because of occasional issues with vendor patches, like MS had early this year, (see URL below), very few companies release patches/updates to clients or servers on the day of release. They test the updates first, then release them days or even weeks later after testing has shown no major issues. GlobalProtect has no capability to delay patch checking to address this test cycle.
- Add a “grace period” capability into GlobalProtect to delay the checking of patch levels by "N" days from the date of release. Example: Wait 14 days before checking for Patch Tuesday patches to accomodate the testing of the patches.
- The grace period “out of the box” should be 0 days by default in order to not change existing behavior. Users can then change the default grace period from there.
- Include groups for "batched" updates released by a vendor. For example; Group defined for each MS Patch Tuesday, group defined for each Apple Security Day release, and so on.
- Nested groups and user-defined groups should also be available.
- Ability to set and/or override the default grace period on a per-patch basis or per-group basis. This would allow customers to address urgent issues such as Zero Day exploits (reduced grace period, possibly all the way to 0) and to delay or prevent enforcement (increased grace period, or set to -1 for “do not enforce”) for low priority and/or problematic updates.
Additional improvements (and corrections) always appreciated.
