GP App is not upgrading transparently when the portal setting "Allow User to Upgrade GlobalProtect" is already set to "Allow Transparently"; Portal and Gateways are on different firewalls

Created On 09/26/18 13:49 PM - Last Modified 03/25/25 20:52 PM


Symptom


The GP App is in the Connected state but does not upgrade transparently, even though the portal setting Allow User to Upgrade GlobalProtect is already set to Allow Transparently.
 




Environment


  • GlobalProtect (GP) App
  • GP Portal
  • GP Gateway
     


Cause


The Allow Transparently method only upgrades the GP App when all of the following conditions are met:

  • Portal status is Connected.
  • GP App state is Connected (i.e., the tunnel to the GP Gateway is established), and the app starts the upgrade process automatically (this does not cover the manual upgrade process where a user clicks About > Check Update).
  • A higher version of the GP App is activated on the GP Portal.


NOTE: 

  • If the portal status is Using cached portal config (i.e., the GP App is using a cached portal config), none of the Allow User to Upgrade GlobalProtect settings will upgrade the GP App.
  • The portal status must be Connected for any type of upgrade.


Resolution


  1. Make sure that when the GP App connects to the GP Portal, it authenticates successfully and receives a portal config that has the Allow Transparently method set.

     PanGPA.log:

     <client-upgrade>transparent</client-upgrade>

  2. Make sure the version activated on the GP Portal is higher than the GP App version currently installed on the client.

     PanGPA.log:

     <product-version>5.2.10-6</product-version>    <+++ GP App Installed on client
     <version>5.2.12-26</version>                   <+++ GP App Activated on portal

  3. Make sure portal status is Connected.

     PanGPS.log:

     portal status is Connected.

     PanGPA.log:

     <portal-status>Connected</portal-status>

  4. GP App state is Connected.


  • Transparent upgrade happens with the help of the GP Portal.
  • After the tunnel is established with the GP Gateway, the upgrade traffic between the GP App and the GP Portal may pass through the tunnel via the GP Gateway because of route changes (i.e., full-tunnel or split-tunnel).
  • If the GP Portal upgrade traffic goes through the GP Gateway, make sure the gateway allows that traffic to and from the portal.
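
The log checks in steps 1 to 3 can be scripted. The following is an added example, not code from Palo Alto Networks: it assumes the tags appear in the log exactly as quoted above and that the last occurrence of each tag reflects the current portal config; the sample log text and all function names are constructed for illustration.

```python
import re

# Constructed sample, modeled on the PanGPA.log lines quoted in this article.
SAMPLE_LOG = """\
<client-upgrade>transparent</client-upgrade>
<product-version>5.2.10-6</product-version>
<version>5.2.12-26</version>
<portal-status>Connected</portal-status>
"""

def last_tag(log, tag):
    """Return the text of the last <tag>...</tag> occurrence, or None."""
    hits = re.findall(r"<{0}>\s*([^<]*?)\s*</{0}>".format(re.escape(tag)), log)
    return hits[-1] if hits else None

def version_key(v):
    """'5.2.12-26' -> (5, 2, 12, 26), so 5.2.9 sorts below 5.2.10."""
    return tuple(int(p) for p in re.split(r"[.\-]", v) if p.isdigit())

def check_transparent_upgrade(log):
    """Return the unmet conditions; an empty list means all log checks pass."""
    problems = []
    method = last_tag(log, "client-upgrade")
    if method != "transparent":
        problems.append(f"client-upgrade is {method!r}, expected 'transparent'")
    installed = last_tag(log, "product-version")   # installed on client
    activated = last_tag(log, "version")           # activated on portal
    if not installed or not activated:
        problems.append("installed or activated version not found in log")
    elif version_key(activated) <= version_key(installed):
        problems.append(f"activated {activated} is not higher than installed {installed}")
    status = last_tag(log, "portal-status")
    if status != "Connected":
        problems.append(f"portal-status is {status!r}, expected 'Connected'")
    return problems

if __name__ == "__main__":
    for line in check_transparent_upgrade(SAMPLE_LOG) or ["all log checks pass"]:
        print(line)
```

The GP App Connected state from step 4 and the gateway policy for portal traffic are not visible in these tags and still need to be checked separately.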


Additional Information


View and Collect GlobalProtect Logs


