GP App is not upgrading transparently when the portal setting "Allow User to Upgrade GlobalProtect" is already set to "Allow Transparently"

GP App is not upgrading transparently when the portal setting "Allow User to Upgrade GlobalProtect" is already set to "Allow Transparently"

82327
Created On 09/26/18 13:49 PM - Last Modified 08/17/22 02:03 AM


Symptom


GP App is in the Connected state but is not upgrading transparently when the portal setting Allow User to Upgrade GlobalProtect is already set to Allow Transparently
 

User-added image

Environment


GP App
GP Portal
GP Gateway
 

Cause


The Allow Transparent method only upgrades GP App when all of the following conditions are met:
  • Portal status is Connected
  • GP App state is Connected (i.e. tunnel to the GP Gateway is established) and it automatically starts the upgrade process (i.e. we're not discussing the manual upgrade process where a user clicks the About > Check Update)
  • Higher version of the GP App is activated on the GP Portal 

NOTE: If the portal status is Using cached portal config (i.e. GP App is Using cached portal config), none of the Allow User to Upgrade GlobalProtect settings would upgrade the GP App. At least, portal status must be Connected for any type of upgrades

Resolution


1. Make sure when GP App connects to a GP Portal, it successfully authenticates and gets the portal config that has Allow Transparently method set

PanGPA.log

<client-upgrade>transparent</client-upgrade>


2. Make sure the activated version on the GP Portal must be higher than the client's currently installed GP App version

PanGPA.log
 

<product-version>5.2.10-6</product-version>				<+++ GP App Installed on client
<version>5.2.12-26</version>						    <+++ GP App Activated on portal


3. Make sure portal status is Connected

PanGPS.log
 

portal status is Connected.


PanGPA.log
 

<portal-status>Connected</portal-status>


4. GP App state is Connected

image.png

5. Transparent Upgrade happens with the help of GP Portal, however, after the tunnel is established with the GP Gateway. There is a possibility that the traffic for the upgrade between GP App and the GP Portal gets through the tunnel via GP Gateway due to route changes (i.e. full-tunnel or split-tunnel). Please make sure if the GP Portal traffic for the upgrade goes through the GP Gateway, it should allow that traffic to and from the portal.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000Clr1&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail

Choose Language