We are currently running GP 4.1.11, I want to upgrade to 5.0.10, because it seems to have many fixes in it that make life easier for us. If I activate it, will it cause any interruption to people currently using GlobalProtect on the older client? My feeling is it is non-disruptive. But I can’t find any verbiage that says so. I have allow user to upgrade globalprotect set to “Disallowed”, until we are 100% ready. I have another GP agent config that will allow a small group of users to install.
Thanks for the assistance :).
Nope, it’s fine. The only thing that will happen is that NEW connections will be offered the chance to upgrade (if it’s configured that way) but activating a new GlobalProtect client download version has NOTHING to do with established tunnels.
There is an option in the agent config to actually transparently update without ANY prompt. I would turn that on, commit, wait a day, then upgrade, so they refresh and get the config that allows the transparently update before you activate the update.
What is machines don’t have admin rights?
I went from 4.1 something to 5.1.1 for 100 users with out admin rights on the fly right be before we added 500 more. It worked so well. New connects got a prompt to Download . Then A prompt to upgrade .
So far so good
If a machine has a newer version than on the firewall, it will even offer a downgrade lol.
Nope, it’s fine. The only thing that will happen is that NEW connections will be offered the chance to upgrade (if it’s configured that way) but activating a new GlobalProtect client download version has NOTHING to do with established tunnels.
Okay, I figured. Wanted to be 100% sure since I will be doing this in the middle of the day.
Thank you! I also have the agent set to disallow upgrades. So it shouldn’t even prompt the users.
They don’t need it to update GP.
Change it to “Transparently”
Thanks. Should have RTFM - “For the initial download and installation of the GlobalProtect agent, the user of the client endpoint must be logged in with administrator rights. For subsequent upgrades, administrator rights are not required.’https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-web-interface-help/globalprotect/device-globalprotect-client.html
Yes, we created another portal thing for users in a group, with transparent set up. We are testing :). However, test users are reporting more random glitches with the newer client. Mainly being connected to the VPN but not being able to go anywhere randomly. They have to disconnect and reconnect.
We are running latest on 100 users and I am seeing just a little bit of that on my machine, but I also turned on HIP checks on the security rules that give VPN users access at the same time so I had attributed it to that.