>
    Manage Upgrade Options for the GlobalProtect App
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma Access
    4. Prisma Access Overview
    5. Manage Upgrade Options for the GlobalProtect App
    Download PDF

    Manage Upgrade Options for the GlobalProtect App

    Table of Contents

    Manage Upgrade Options for the GlobalProtect App

    Control how Prisma Access manages the GlobalProtect app. Control the active app versions on the Prisma Access portal. Manage the active GlobalProtect version.
    Prisma Access hosts the GlobalProtect app version that macOS and Windows users in your organization can download from the Prisma Access portal. Prisma Access offers several versions of the GlobalProtect app, and you can choose to make one of those versions the active version. You can also manage mobile users' access to the GlobalProtect app, or perform staged upgrades.

    Select the Active GlobalProtect App Version

    Prisma Access manages the GlobalProtect app version for Windows and macOS users in your organization. While Prisma Access hosts several GlobalProtect app versions, only one of the hosted versions is active. When mobile users log in to the Prisma Access portal, the active version is the one they download and use on their Windows and macOS devices.
    The System Status page also provides you information about your current Panorama version, Cloud Services plugin version, and dataplane version. You can receive notifications and alerts on this page when plugin or Panorama versions become end of support (EoS) for use with Prisma Access. See Notifications and Alerts for Panorama, Cloud Services Plugin, and PAN-OS Dataplane Versions for details.
    If your currently-active version is end-of-life, Prisma Access notifies you and requests that you activate a supported version.
    You can select different GlobalProtect versions in a multitenant deployment. The GlobalProtect app version settings you apply are per tenant and not global; you control the app version on a per-tenant basis.
    You can replace the current active version with another hosted version from the Service Setup page by completing the following steps.
    1. Select
      Panorama
      Cloud Services
      Configuration
      Service Setup
      .
    2. Select
      Activate new GlobalProtect App version
       and compare it to the active GlobalProtect version.
      If your current GlobalProtect version is end-of-life (EoL), a message displays in this area on the Service Setup page; if you receive this message, upgrade your GlobalProtect app version by continuing to the next step.
    3. Select the version to which you want to upgrade.
      A window displays to verify your choice.
      After the app has been activated, you receive a success message.
    4. View the System Status page to verify that the GlobalProtect app version you selected as active is the
      Active GlobalProtect App version
      .

    Manage Users’ Access to GlobalProtect App Updates

    To manage mobile users' access to the active GlobalProtect app version that is hosted by Prisma Access, complete the following steps.
    1. In Panorama, select
      Network
      GlobalProtect
      Portals
      .
    2. Select the
      Mobile_User_Template
       from the
      Template
       drop-down.
    3. Select
      GlobalProtect_Portal
       to edit the Prisma Access portal configuration.
    4. Select the
      Agent
       tab and select the app configuration.
    5. Select the
      App
       tab.
    6. In the
      App Configurations
       area, select a choice in
      Allow User to Upgrade GlobalProtect App
       to specify whether mobile users can upgrade their GlobalProtect app version to the active version that is hosted on Prisma Access and, if they can, whether they can choose when to upgrade:
      • Allow with Prompt
         (default)—Prompt users when a new version is activated and allow users to upgrade their software when it is convenient.
      • Disallow
        —Prevent users from upgrading the app software.
      • Allow Manually
        —Allow users to manually check for and initiate upgrades by selecting
        Check Version
         in the GlobalProtect app.
      • Allow Transparently
        —Automatically upgrade the app software whenever a new version becomes available on the portal.
      • Internal
        —Automatically upgrade the app software whenever a new version becomes available on the portal, but wait until the endpoint is connected internally to the corporate network. This prevents delays caused by upgrades over low-bandwidth connections.

    Perform Staged Updates of the GlobalProtect App

    If you manage a large organization, you might want to update mobile users to the latest version of the GlobalProtect app in stages. For example, you could assign a smaller group to update their GlobalProtect app before rolling out the update to everybody in your organization. To do so, complete the following task.
    1. If you have not yet created it, create a user group for the first group of users to which you want to roll out the GlobalProtect app update.
      You can use User-ID to map users to groups, or select
      Device
      Local User Database
      User Groups
       to manually create a group.
    2. Create a new GlobalProtect agent configuration to use for the first group of users.
      1. In Panorama, select
        Network
        GlobalProtect
        Portals
        .
      2. Select the
        Mobile_User_Template
         from the
        Template
         drop-down.
      3. Select
        GlobalProtect_Portal
         to edit the Prisma Access portal configuration.
      4. Select the
        Agent
         tab.
      5. Select the
        DEFAULT
         configuration and
        Clone
         it.
        You can also
        Add
         a new configuration; but cloning the existing configuration copies over required information for the new configuration.
      6. Specify a
        Name
         for the configuration.
      7. Select the
        Config Selection Criteria
         tab.
      8. In the
        User/User Group
         area, select the user you created in Step 1.
      9. Select the
        App
         tab.
      10. Change
        Allow User to Upgrade GlobalProtect App
         to either
        Allow with Prompt
         or
        Allow Transparently
        .
        Allow with Prompt
         prompts users when a new version is activated and allows them to upgrade their software when it is convenient;
        Allow Transparently
         automatically upgrades the app software whenever a new version becomes available on the portal.
      11. Click
        OK
         to save your changes.
    3. Select
      Move Up
       to move your configuration above the default configuration.
      When an app connects, the portal compares the source information in the packet against the agent configurations you have defined. As with security rule evaluation, the portal looks for a match starting from the top of the list. When it finds a match, it delivers the corresponding configuration to the app.
    4. Repeat these steps for the
      DEFAULT
       configuration, but change
      Allow User to Upgrade GlobalProtect App
       to
      Disallow
       to prevent users from updating to the latest GlobalProtect app software.
    5. When you want to let the rest of the users update their apps, change
      Allow User to Upgrade GlobalProtect App
       in the
      DEFAULT
       configuration to a selection that allows it (either
      Allow with Prompt
       or
      Allow Transparently
      ).

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.