GlobalProtect version mismatch in HA Pair

GlobalProtect version mismatch in HA Pair

21663
Created On 06/08/22 14:02 PM - Last Modified 11/01/22 22:57 PM


Symptom


GlobalProtect shows as mismatched on Active/Passive HA pair of firewalls after downloading and activating new GlobalProtect Client version one of the Firewall.
 

Environment


  • Palo Alto Firewalls setup as an Active/Passive HA pair.
  • Any PANOS version
  • GlobalProtect Agent.

Cause


  • When you download the GlobalProtect application, it is not activated on the device unless you click the activate button on each of your HA pairs. 
  • Some settings between HA pairs are not synchronized. One of such setting include activating the GlobalProtect Agent.

Resolution


Activate the GlobalProtect version separately on each peer device (GUI: Device > GlobalProtect Client > Activate).

Note:
Downloading the GlobalProtect app updates for the Agent Package can be done in 2 ways:
  1. You can download and install them separately on each Firewall in your HA pair.
  2. You can download them to one peer device and then synchronize this downloaded update with the other peer.

Additional Information


If your Passive device has the latest GP update downloaded and activated and your Active device does not, ensure to check your GP Portal settings to confirm when your clients will be offered the GlobalProtect update on their side. 

To check this behaviour, inside of the WebGUI go to to Network > GlobalProtect > Portals > (portal name) > Agent > (Agent selection) > App > Allow User to Upgrade GlobalProtect App.

Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sYitCAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language