GlobalProtect upgrade was not successfully completed in Prisma Access.

3270

Created On 03/15/24 08:20 AM - Last Modified 02/05/25 08:31 AM

GlobalProtect App

Upgrade

GlobalProtect

Prisma Access

Prisma Access (Cloud Managed)

Prisma Access (Panorama Managed)

Symptom

The setting "Allow User to Upgrade GlobalProtect App" is configured other than "Disallow" and "Internal".
GlobalProtect Potal FQDN and the FQDNs "pan-gp-client.s3.amazonaws.com" and "pan-gp-client.s3.dualstack.us-west-2.amazonaws.com" are allowed by security policies with FQDN address objects.
However, GlobalProtect upgrade was not completed.

Environment

Prisma Access
GlobalProtect

Cause

The FQDNs "pan-gp-client.s3.amazonaws.com" and "pan-gp-client.s3.dualstack.us-west-2.amazonaws.com" can age out quickly and IP resolutions can change frequently since the TTL is very short.

Resolution

In order to allow the traffic, create a security policy with a custom URL category that contains the GlobalProtect Potal FQDN and "pan-gp-client.s3.amazonaws.com" and "pan-gp-client.s3.dualstack.us-west-2.amazonaws.com"
When using the custom URL category, PAN-OS checks the SNI (Server Name Indication) in the TLS Client Hello to identify the destination. This allows the traffic to match the security policy.

Additional Information

PAN-OS honors each FQDN's TTL.
The TTL for the FQDNs "pan-gp-client.s3.amazonaws.com" and "pan-gp-client.s3.dualstack.us-west-2.amazonaws.com" is very short (5 seconds).
This means that the relevant IP address might not have been cached in Prisma Access by the time the traffic arrives.
As a result, the traffic may not match the security policy.

Sample output of dig command is below.