Is it possible to do an in-place upgrade from 5.12 to 6.05, or must there be an uninstall in between?
If the latter, how can we ensure the uninstallation takes places cleanly and does not require a reboot?
You can upgrade from 5.2.12 to 6.0.5 without uninstalling 5.2.12 first. Depending on how you have your app set up it will either be transparent, prompt the user or not automatically upgrade at all.
Keep in mind, it is the portal that pushes the upgrade, so it wouldn’t trigger until they signed back into the portal (or refreshed their connection). Changing to a different gateway or if they are using a cached portal it won’t trigger.
While we are all on this thread, do most places just push the updates from the firewall or rely on SCCM to push the updates?
You might want to look at 6.0.7, but wait for tac preferred.
5.2.13 is still supported if you want to stay on 5.2.x
In my experience, this was an IPU and users really didn’t notice anything other than the loss of network during the upgrade, and the new GUI. Of course, test in your case, but it should be fairly seamless.
In my experience you can just install 6.0.5 to firewall and clients will auto update next time they try to login. Our clients update in the background and it’s seemless to my end user.
Alternatively, test this during maintenance window to see the expected behavior. You can simply click “activate” on 5.12 after your done test 6.12 upgrade behavior on your laptop.
All your user will see is a disconnected VPN until the agent is updated and then it will reconnect.
If you have the automatic method… and this takes about 1-2 minutes
Pushed via portal … is best method
I also recommend to delete older versions off Palo and only keep 1 previous version.
Keeps hard drive cleaner.
Had problems with older versions not getting upgraded automatically so started using SCCM however that caused issues when you would try to do a repair or uninstall it would complain about not being able to find the source location etc. went back to using the portal and it seems much better on the newer 6 versions
We let the GP Portal manage the upgrade using “Allow Transparently” along with updates to the Welcome Page letting users know what day the upgrade will start.
FYI, there is an unpublished bug in 6.1.2 where the doable password doesn’t always work. We were told to go down to 6.0.7 which according to tac was the preferred version in 6.0.x
Thanks, interesting information. For whatever reason, the network team who manage GP want to deploy the upgraded client using SCCM. Perhaps due to the number of clients we need to upgrade.
It seems to be a mix. A lot of the Windows only places use SCCM, where a number of places that have a mix of Windows and Mac will use the portal.
I also see a number of places that use some type of MDM for the initial deployment then use the portal for upgrading.
We have co-management and went with Intune for Windows devices instead of SCCM. Firewall was not the preferred option as there were some issues with non-admin Mac users (don’t know the exact details)
Edit: Macs get the updated app from Kandji
There is a known issue in 5.2.13 that you cannot disable the VPN tunnel. You can tell the client to, but the tunnel is not torn down.
Is that version not vulnerable?
Thanks, I think there are other benefits of 6 that we want to take advantage of.
Yes this is how we do it. We made that jump. Working well
Would you mind sharing with us which one of these two you mean?